ASC Network Forensics


  • 8/6/2019 ASC Network Forensics

    1/13

Network Forensics: SIEM, the Investigations Triad, and SANS Top-20 Vulnerabilities

    CrossTec Corporation | 500 NE Spanish River Blvd, Suite 201 | Boca Raton, FL 33431

    www.CrossTecCorp.com | PH: 561.391.6560 | Toll: 800.675.0729 | Fax: 561.391.5820


    By:

    Albert Caballero CISSP, GSEC, BA MIS Security

    Stanley Fidge MCSA, CCNA, Security +, BA MIS Security

    Abstract

Vulnerability assessments, forensic investigations, and incident responses are the cornerstones for building a secure and compliant computing environment. Information Technology professionals need to monitor and correlate all of their network and system security events; otherwise it is difficult to effectively manage and maintain relative security. Network forensics is basically the investigation of all of the packets and events generated on any given network. The better these events can be understood and correlated, the better the possibility of detecting an incident, in the past or present. Security events are at the root of all incidents, and in the digital world, without some combination of correlated security events, it is nearly impossible to know if an incident has actually occurred. Network events are generated by almost every system, application or device on a network. If there is no monitoring of these events, incidents can occur quite often and go completely unnoticed, or worse, become untraceable. In this case, what you don't know WILL hurt you! Responding to incidents, identifying anomalous or unauthorized behavior, and securing intellectual property have never been more important.

Without security event and vulnerability monitoring, identifying threats and attacks to confidentiality, integrity, or availability becomes much more difficult. Furthermore, there is little chance that any network forensic investigation will be properly conducted, much less successfully, without the retention and correlation of network security event logs. Ideally, an organization should develop clear and concise log management policies, continually train staff in security awareness, and implement new and effective technologies to successfully detect and respond to security incidents. This will also ease the burden of network forensic investigations. Our focus is Security Information and Event Management (SIEM), as it pertains to network forensic investigations, vulnerability management and incident response. Modern voice and data networks integrate past, present, and future technologies in ways that have revolutionized all methods of conducting business in our global economy. This IT revolution has posed some significant challenges to network forensics, including:

- New multi-vendor vulnerabilities are discovered every day, and many unknown vulnerabilities are exploited without ever being detected.

- Tons of dynamic network event data from disparate devices is rarely audited, easily lost, and inadequately stored, making it difficult to maintain log integrity.

- High IDS/IPS false positive rates and information overload from millions of event logs every day haze the accuracy with which IT staff can detect true incidents.


- Correlation of security events to vulnerabilities isn't easy to understand or implement, always requires significant computer security expertise, and is usually quite expensive and time consuming.

Our goal as a research group is to reveal that before conducting a network forensics investigation, it is critical to assess vulnerabilities and correlate them to intrusion detection alerts using new technologies such as SIEM. We will be using Activeworx Security Center as our network forensic tool of choice.

Network Forensics: The Problem

According to CSO magazine, 46% of CISOs spend up to 33% of their day reading and analyzing reports generated from their security applications, and in some cases CISOs spend up to seven hours per day analyzing such reports!

Issues surrounding network forensics and SIEM tools include obtaining the event data in the first place. Many times intrusions occur and the events get deleted by the perpetrator on the system that was compromised. If these events have not been stored or sent to another location, then they are usually gone forever. Another obstacle to actually obtaining network or system events is that appliances and applications that provide this type of capability are usually extremely expensive and difficult to implement, in essence becoming cost prohibitive in regards to ROI. To compound the pressures organizations face in regards to implementing proper network forensics and log management techniques, federal regulations are now requiring organizations to keep all network event data, in some cases for as long as seven years! In that situation there is no other choice but to procure expensive archiving equipment and analysis software to monitor and archive network security events, or face ridiculously expensive fines. Organizations can only hope they can prove at some future date that the network security events gathered have not been altered, assuming, of course, they even have any events at all.

Up to 35% of CIOs state that network security improvements topped their to-do lists in 2005 and 2006. 22% of organizations in the United States are not meeting federal regulatory compliance guidelines for incident response, business continuity, disaster recovery, information security or electronic records retention.

Other network forensic problems are due to the deployment of enterprise-wide security hardware appliances and applications from different manufacturers and vendors, implemented at various levels to provide layered security. This defense strategy is effective but provides little rhyme or reason to what is actually happening. Numerous types of disparate devices and event log formats exist, making them difficult to monitor, manage, or correlate for any action, typically requiring a combination of tools and consoles for an incident to materialize. Also, until recently there has not been an easy way to correlate IDS alerts with firewall logs, system logs, or vulnerability scans. Because IDS is notorious for high false positive rates, a correlated IDS alert is much more meaningful.


Finally, there is general information overload, with millions of appliance, application and system event logs being generated every day. The final result and primary problem with network forensics is the dynamic nature of network event data, and the fact that it is rarely audited, inadequately archived, and easily lost, deleted, or copied.

65% of organizations report that they have not established any Return on Investment (ROI) metrics for security risk management regarding their enterprise networks. 56% of organizational upper management and decision makers rarely or never discuss policies and the need for procedures regarding access to critical information, leaving the tasks solely to IT Security Management and IT Security Technicians to comply with Federal regulations.

    The Investigations Triad

All network forensic investigations revolve around what is known as the Investigations Triad. To meet the goals of the Investigations Triad, as it pertains to network forensics, we will use a commercial, software-based SIEM and log management tool called Activeworx Security Center, and we will discuss three main topics:

- Vulnerabilities: Using the SANS/FBI Top 20 Internet Vulnerabilities as our framework, we will use ASC to automate correlation of IDS events to vulnerability scans, in an effort to minimize false positives.

- Intrusion Response: Through event correlation we will see how we can identify if any of these 20 vulnerabilities is being attacked in real time, and hope thereby to improve incident response times and mitigate risk to our assets.

- Investigations: Discuss the importance of archiving and retrieving forensically sound network logs and proving their integrity at a future date.

Figure 1: The Investigations Triad

Implementing real-time network forensic techniques is an effective method of initially identifying and responding to computer crimes and policy violations. With a Security Information and Event Management tool an analyst can monitor, automate and investigate network forensic event data, as well as respond much quicker to IDS events by minimizing false positives. Correlating security events, investigating and acting according to policy, and properly archiving network and system events over time are critical elements of preparing an organization to be successful in current and future network forensic investigations. In tandem, vulnerability assessment and risk management are required elements of any investigation, to test and verify the integrity of computer systems, servers, and enterprise networks. SIEM, as used to monitor network IDS and provide incident response functions, is desirable because it helps identify anomalies, such as covert channels and intruder attacks using automated tools, and of course helps in correlating these anomalies on the network with system and firewall logs. Computer investigative functions are necessary to manage, protect and maintain the forensic integrity of network-based systems and devices.

    Tools of the Trade

As each day passes in our new information society, the complexity increases. As the data made available through these advanced computing technologies becomes more vulnerable to all forms of attack, we need to ensure that we conduct our business and personal lives through safe and secure technological channels. The consolidation of current and future computer technologies in an intelligent way is paramount to safely integrate and utilize the potential of these technologies in e-business, online banking, and the rest of our personal communications. A necessary measure is to keep a close eye on your assets, in case of any unauthorized behavior from insiders or outsiders. We have found through our research that Security Information and Event Management (SIEM) tools, such as those provided by CrossTec Corp., Cisco, ArcSight, and a handful of others, attempt to provide a solution that allows security administrators to manage security events quickly and intelligently. Most SIEM tools can correlate, monitor, analyze, and alert technicians about the different information security events and what they are telling them. They also help security analysts and forensic specialists to visualize, query, and examine what is happening in different areas of the network in real time, or analyze an incident which has occurred in the past. In tandem, reports, diagrams, and the ability to replay security events can also be used for intrusion response or forensic analysis of an incident.

Figure 2: Activeworx Security Center


Activeworx Security Center (ASC) is a SIEM software tool that can monitor, analyze, and alert on almost any event generated on your network to ascertain security and forensic information. ASC can also correlate events from different assets with vulnerability scanners in real time. To ease the pain of compliance, the enterprise version of ASC can collect, MD5-checksum and rotate audit logs for every network device, system or application on a network. This helps organizations meet regulatory compliance and be ready for future audits and investigations. Specifically, ASC makes it easy to be compliant and also gives you the power to analyze network events in the way you think is important. When trying to make heads or tails out of how to cover the core components of the Investigations Triad, it becomes difficult to translate these ideas into actual technologies that can do the job. We will provide an example of how each component can be addressed by ASC and SIEM in general.

Vulnerabilities are a crucial and often neglected component of all security programs. Without current vulnerability information on systems, applications and network devices, it is impossible to know where the systems of highest risk, or those most susceptible to attack, are. It is difficult to run vulnerability scans on a consistent basis, primarily because they are time consuming, require a certain level of expertise, and really: what are you going to do with them once you have them anyway? Who even knows which vulnerabilities are important and which ones aren't? Who can tell me when one of these vulnerabilities is being exploited? Well, the answers are: ASC will correlate them with IDS events, ASC knows what your vulnerabilities are, SANS/FBI knows which are important, and your IDS/IPS devices are the ones that know when you're being attacked! The SANS Institute, together with the FBI, maintains a list of the Top 20 Internet Vulnerabilities. Using this as our framework, we can use ASC and its Correlation Engine to automate the correlation of IDS events to vulnerability scans by CVE reference, to alert us of important events in real time. (To find out more about CVE references, see below under SANS Top 20 Vulnerabilities.)

Figure 3: ASC Built-in IDS Event to High Risk Vulnerability Correlation Rule

Intrusion Response (IR) is not typically associated with network forensic investigations; however, in reality, it remains one of its most important components. Proper IR techniques are what network forensics is all about, and they can make or break an investigation according to how a first response is handled. IR is made more efficient by three main SIEM components: the use of automated Event-to-Vulnerability correlation as described above, visualization and diagramming of events with drill-down analysis capabilities, and correlation of Event-to-Event activity on the network.

Figure 4: Event Diagram and Visualization of High Priority Security Events Helps IR


In scenarios where it is necessary to immediately correlate certain types of events to other events which are happening on the network, there needs to be a quick and effective way to get more related information from other devices.

Figure 5: ASC Event to Event Correlation Rule Helps Find Anomalies

Investigations are many times conducted after the incident has occurred. To show that the information you have is forensically sound, the network logs of all assets need to be handled correctly as they are generated on the network. No longer is it sufficient to store logs on end systems and let them overwrite themselves every few days. Regulatory compliance and the need to forensically analyze events are forcing organizations to store network event data over long periods of time and find a mechanism that will allow them to prove its integrity at a future date. ASC allows for this capability in its new v4 ASCe, which is an enterprise version of the SIEM tool that includes complete log management. Interestingly enough, although SIEM and Log Management are so tightly related, their purposes are completely opposed. Whereas SIEM allows an analyst to discard tons of unnecessary events to pick out the few that are important, the goal of a good Log Management solution is to log every single event from every single device or system on the network and store them to disk for regulatory compliance and future analysis. ASCe will be released this summer according to the manufacturer, and it will support the logging of over 20,000 to 30,000 Events Per Second (EPS), 20-to-1 compression of all logs daily, MD5 checksumming and rotation of log files, easy search capabilities on archived audit data, and full integration with its SIEM tool so you can import events that occurred in the past and analyze them today.

Figure 6: ASCe Version 4 Complete Log Management with SIEM Integration
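The checksum-at-rotation mechanism the paper attributes to ASCe, shown as an added example that is not ASCe's own implementation: a digest of each closed log file is recorded in a manifest kept apart from the logs, and at audit time the file is re-hashed and compared. MD5 is recorded because the paper names it, and SHA-256 beside it because MD5 is no longer collision resistant; the log lines and file name are constructed samples.

```python
import hashlib
from typing import Dict, List, Tuple

# Manifest: file name -> {"size", "md5", "sha256"}. In practice it lives on a
# separate, write-once store so an intruder who edits a log cannot edit it too.
Manifest = Dict[str, Dict[str, object]]


def digests(data: bytes) -> Tuple[str, str]:
    """MD5 (as the paper describes) and SHA-256 (stronger) of the same bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def rotate(manifest: Manifest, name: str, data: bytes) -> None:
    """Record a log file's digests at the moment it is closed and archived."""
    if name in manifest:
        raise ValueError(f"{name} already archived; rotated files are immutable")
    md5, sha256 = digests(data)
    manifest[name] = {"size": len(data), "md5": md5, "sha256": sha256}


def verify(manifest: Manifest, name: str, data: bytes) -> List[str]:
    """Re-hash an archived file; an empty list means its integrity holds."""
    entry = manifest.get(name)
    if entry is None:
        return [f"{name}: no manifest entry, cannot prove integrity"]
    problems: List[str] = []
    if len(data) != entry["size"]:
        problems.append(f"{name}: size {len(data)} != recorded {entry['size']}")
    md5, sha256 = digests(data)
    if md5 != entry["md5"]:
        problems.append(f"{name}: MD5 mismatch")
    if sha256 != entry["sha256"]:
        problems.append(f"{name}: SHA-256 mismatch")
    return problems


# Constructed sample: a firewall log as rotated, then the same file after one
# line was removed (the "events deleted by the perpetrator" case above).
ORIGINAL_LOG = (
    b"2006-05-01T02:14:07 fw1 DENY 192.0.2.10 -> 10.0.0.5:135 tcp\n"
    b"2006-05-01T02:14:08 fw1 ALLOW 192.0.2.10 -> 10.0.0.5:80 tcp\n"
    b"2006-05-01T02:14:09 fw1 DENY 192.0.2.10 -> 10.0.0.5:445 tcp\n"
)
TAMPERED_LOG = ORIGINAL_LOG.replace(
    b"2006-05-01T02:14:07 fw1 DENY 192.0.2.10 -> 10.0.0.5:135 tcp\n", b"")


def demo() -> Tuple[List[str], List[str]]:
    """Archive the sample log, then verify the intact and the tampered copy."""
    manifest: Manifest = {}
    rotate(manifest, "fw1-2006-05-01.log", ORIGINAL_LOG)
    intact = verify(manifest, "fw1-2006-05-01.log", ORIGINAL_LOG)
    altered = verify(manifest, "fw1-2006-05-01.log", TAMPERED_LOG)
    return intact, altered


if __name__ == "__main__":
    ok, bad = demo()
    print("intact copy:", ok or "no problems")
    print("tampered copy:", bad)
```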

    SANS Top 20 Vulnerabilities


Six years ago the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI created a Top 10 list of the most exploited vulnerabilities on the Internet. In the past several years thousands of organizations, public and private, have helped enhance this list to include the Top-20 Internet Security Attack Vectors. Every year SANS and the FBI update this list with the latest vulnerabilities, and it has become the Incident Handler's point of reference when attempting to define a starting point for tracking and monitoring vulnerabilities on any given network. Vulnerable services leading to worms like Blaster, Slammer, and Code Red were all on SANS Top-20 lists before the worms hit the Net, and indeed could have been prevented, or at least detected, had these vulnerabilities been monitored for activity on a network. The SANS Top-20 2006 is a consensus list of vulnerabilities that require immediate remediation and can be found at http://www.sans.org/top20/. The idea of this document is to effectively monitor events coming from IDS/IPS sensors to see if one of these Top-20 vulnerabilities is being attacked; furthermore, events will be compared against the list only if we know the vulnerability exists on our network. Activeworx Security Center will begin to include these rules built into the product in v4 by using CVE references. CVEs are Common Vulnerabilities and Exposures, provided by the National Institute of Standards and Technology (NIST) in list format, to help keep track of all the significant vulnerabilities that are discovered throughout the year. Both IDS/IPS sensors and most vulnerability scanners have CVE references built into their events already, which gives security teams the ability to correlate, index and easily reference common vulnerabilities and threats on their network as they are happening. The National Vulnerability Database, where you can look up these CVEs, is found at http://nvd.nist.gov/.

Figure 7: SANS Top-20 Vulnerability Correlation to IDS/IPS Event
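The IDS-event-to-vulnerability correlation rule described in the Vulnerabilities section and again here, as an added example that is not ASC's own code: an alert is escalated only when a CVE referenced by the sensor signature is one the scanner actually reported on the target host, while alerts against hosts that were never scanned, or that carry no CVE reference, are kept rather than discarded. Hosts, signatures and CVE ids are constructed placeholders, not real vulnerabilities.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed scan results: target host -> CVE ids the scanner reported on it.
# The CVE-0000-* values are placeholders, not real CVE entries.
VULN_SCAN: Dict[str, Set[str]] = {
    "10.0.0.5": {"CVE-0000-1111", "CVE-0000-2222"},
    "10.0.0.9": {"CVE-0000-3333"},
}


@dataclass
class IdsAlert:
    src: str
    dst: str
    signature: str
    cve_refs: Set[str] = field(default_factory=set)  # empty if sensor gave none


@dataclass
class CorrelatedAlert:
    alert: IdsAlert
    priority: str          # "high", "medium" or "low"
    matched_cves: Set[str]
    reason: str


def correlate(alert: IdsAlert, scan: Dict[str, Set[str]]) -> CorrelatedAlert:
    """Apply the event-to-vulnerability rule to one alert."""
    host_vulns = scan.get(alert.dst)
    if host_vulns is None:
        # Never scanned: the rule can neither confirm nor refute, so keep it.
        return CorrelatedAlert(alert, "medium", set(), "target host not in scan")
    if not alert.cve_refs:
        # Signature has no CVE reference: nothing to correlate against.
        return CorrelatedAlert(alert, "medium", set(), "alert carries no CVE reference")
    matched = alert.cve_refs & host_vulns
    if matched:
        return CorrelatedAlert(alert, "high", matched, "target is vulnerable to referenced CVE")
    # Scanned and not vulnerable: the likely-false-positive case the paper targets.
    return CorrelatedAlert(alert, "low", set(), "target scanned and not vulnerable")


def triage(alerts: List[IdsAlert], scan: Dict[str, Set[str]]) -> List[CorrelatedAlert]:
    """Correlate every alert and return them highest priority first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((correlate(a, scan) for a in alerts), key=lambda r: order[r.priority])


# Constructed sample alerts, in the shape an IDS sensor would emit them.
SAMPLE_ALERTS = [
    IdsAlert("192.0.2.10", "10.0.0.5", "RPC overflow attempt", {"CVE-0000-1111"}),
    IdsAlert("192.0.2.11", "10.0.0.9", "RPC overflow attempt", {"CVE-0000-1111"}),
    IdsAlert("192.0.2.12", "10.0.0.7", "SQL resolver probe", {"CVE-0000-2222"}),
    IdsAlert("192.0.2.13", "10.0.0.5", "Port scan", set()),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, VULN_SCAN):
        print(f"{r.priority:6} {r.alert.dst:10} {r.alert.signature:22} {r.reason}")
```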


Network Forensics: The Solution

An effective information security program needs specific policies and procedures in place to assist with managing information risks, basically a Plan, Do, Act, and Check lifecycle for defined security and forensic policies. Then, technical controls and tools should provide the automated implementation, enablement, enforcement, and monitoring of these policies and procedures. In order to achieve compliance with a number of regulations, organizations must monitor both successful and unsuccessful attempts to access their computer systems. Organizations following these strict policies and regulations constantly seek efficient and cost-effective operational tools to manage information on their network. As the requirements for IT Risk Management become paramount, there will be an increase in the variety of solutions with different cost structures which will meet federal regulations and ensure the secure monitoring of network information. ASC can assist organizations in collecting appropriate network event data and maintaining it in a form that can be easily utilized for analysis and reporting during audits, security incidents, or forensic investigations. ASC helps to ensure that policies and procedures are in place to safeguard sensitive data, and audits that event data is accessed only by those with a need to know. ASC also assists in analyzing vulnerability scans to ensure that all flaws in an organization are detected and correlated to possible intrusions. Finally, ASC establishes a baseline of network and system activity for organizational computing environments.

Figure 8: Major Components of SIEM and Log Management


SIEM and Log Management solutions in general, like ASC, can assist in security information and log management as well as regulatory compliance by:

- Aggregating and normalizing event data from unrelated network devices, security devices, and application servers into usable information.

- Analyzing and correlating information from various devices to identify attacks as soon as possible and help respond quicker to intrusions.

- Conducting network forensic analysis on historical or real-time events through visualization and replay of events.

- Creating customized report formats to adhere to specific compliance regulations.

- Increasing the value and performance of existing security devices by providing a consolidated event management and analysis platform.

- Improving the effectiveness of IT Risk Management personnel and helping them focus on what events are important.

    Conclusion

As enterprise networks, voice and data traffic, and the number of end users continue to grow, the need and requirements for stable and all-inclusive SIEM and Log Management also grow. Tools such as these are rising to the forefront of information warfare as one of the best methods of strategically detecting and responding to attacks. Integrating the layers of security devices already in place with any future information assurance technologies is not an easy task. In order to efficiently monitor and understand your attackers, a SIEM tool is a huge help. Many surveys reveal that 60% of security breaches are internal, but 70% of IT and IT security staff are more concerned about attackers on the outside. Some organizations even spend 90% of their security efforts on firewalls alone. Project Management and Cost/Benefit Analysis need to be implemented in order to save time and money in deciding at which layer to implement new information assurance measures, what policies and procedures to create, and what software and hardware to purchase. SIEM and Log Management help to focus IT security measures to more effectively protect hosts as well as the network perimeter, perform and automate network forensic analysis, automate regulatory compliance as it pertains to log retention, and help you visualize and report on your network in real time.

Network forensics is a real-world method of initially identifying and responding to computer crimes and policy violations, not just investigating historical incidents. Major advances in event analysis and correlation allow Information Assurance technicians to counteract threats quicker than ever, and these advances have been made available for the benefit of all Information Technology (IT) staff, especially IT Security Managers, Auditors, and CISOs, who are the ones held accountable. With a SIEM an analyst can analyze, replay, and investigate network forensic data. Moreover, the correlation and proper storage of these network security events is a crucial part of preparing an organization to be successful in present and future forensic investigations. A substantial number of suspicious security events occur and go undetected within most enterprise networks and computer systems every day.
