Foreword by Todd Heberlein

Transcription

1 ConteNTS in Detail About the Author Foreword by Todd Heberlein xvii xix Preface xxv Audience... xxvi Prerequisites... xxvii A Note on Software and Protocols... xxvii Scope.... xxviii Acknowledgments... xxix Part I Getting Started 1 Network Security Monitoring Rationale 3 An Introduction to NSM... 4 Does NSM Prevent Intrusions?... 5 What Is the Difference Between NSM and Continuous Monitoring? How Does NSM Compare with Other Approaches?... 9 Why Does NSM Work? How NSM Is Set Up When NSM Won t Work Is NSM Legal? How Can You Protect User Privacy During NSM Operations? A Sample NSM Test The Range of NSM Data Full Content Data Extracted Content Data Session Data Transaction Data Statistical Data Metadata Alert Data What s the Point of All This Data? NSM Drawbacks Where Can I Buy NSM? Where Can I Go for Support or More Information? Conclusion... 32

2 2 Collecting Network Traffic: Access, Storage, and Management 33 A Sample Network for a Pilot NSM System Traffic Flow in a Simple Network Possible Locations for NSM IP Addresses and Network Address Translation Net Blocks IP Address Assignments Address Translation Choosing the Best Place to Obtain Network Visibility Location for DMZ Network Traffic Locations for Viewing the Wireless and Internal Network Traffic Getting Physical Access to the Traffic Using Switches for Traffic Monitoring Using a Network Tap Capturing Traffic Directly on a Client or Server Choosing an NSM Platform Ten NSM Platform Management Recommendations Conclusion Part II Security Onion Deployment 3 Stand-alone NSM Deployment and Installation 55 Stand-alone or Server Plus Sensors? Choosing How to Get SO Code onto Hardware Installing a Stand-alone System Installing SO to a Hard Drive Configuring SO Software Choosing the Management Interface Installing the NSM Software Components Checking Your Installation Conclusion Distributed Deployment 75 Installing an SO Server Using the SO.iso Image SO Server Considerations Building Your SO Server Configuring Your SO Server Installing an SO Sensor Using the SO.iso Image Configuring the SO Sensor Completing Setup Verifying that the Sensors Are Working Verifying that the Autossh Tunnel Is Working x Contents in Detail

3 Building an SO Server Using PPAs Installing Ubuntu Server as the SO Server Operating System Choosing a Static IP Address Updating the Software Beginning MySQL and PPA Setup on the SO Server Configuring Your SO Server via PPA Building an SO Sensor Using PPAs Installing Ubuntu Server as the SO Sensor Operating System Configuring the System as a Sensor Running the Setup Wizard Conclusion SO Platform Housekeeping 99 Keeping SO Up-to-Date Updating via the GUI Updating via the Command Line Limiting Access to SO Connecting via a SOCKS Proxy Changing the Firewall Policy Managing SO Data Storage Managing Sensor Storage Checking Database Drive Usage Managing the Sguil Database Tracking Disk Usage Conclusion Part III Tools 6 Command Line Packet Analysis Tools 113 SO Tool Categories SO Data Presentation Tools SO Data Collection Tools SO Data Delivery Tools Running Tcpdump Displaying, Writing, and Reading Traffic with Tcpdump Using Filters with Tcpdump Extracting Details from Tcpdump Output Examining Full Content Data with Tcpdump Using Dumpcap and Tshark Running Tshark Running Dumpcap Running Tshark on Dumpcap s Traffic Using Display Filters with Tshark Tshark Display Filters in Action Contents in Detail xi

4 Running Argus and the Ra Client Stopping and Starting Argus The Argus File Format Examining Argus Data Conclusion Graphical Packet Analysis Tools 135 Using Wireshark Running Wireshark Viewing a Packet Capture in Wireshark Modifying the Default Wireshark Layout Some Useful Wireshark Features Using Xplico Running Xplico Creating Xplico Cases and Sessions Processing Network Traffic Understanding the Decoded Traffic Getting Metadata and Summarizing Traffic Examining Content with NetworkMiner Running NetworkMiner Collecting and Organizing Traffic Details Rendering Content Conclusion NSM Consoles 159 An NSM-centric Look at Network Traffic Using Sguil Running Sguil Sguil s Six Key Functions Using Squert Using Snorby Using ELSA Conclusion Part Iv NSM in Action 9 NSM Operations 185 The Enterprise Security Cycle The Planning Phase The Resistance Phase The Detection and Response Phases xii Contents in Detail

5 Collection, Analysis, Escalation, and Resolution Collection Analysis Escalation Resolution Remediation Using NSM to Improve Security Building a CIRT Conclusion Server-side Compromise 207 Server-side Compromise Defined Server-side Compromise in Action Starting with Sguil Querying Sguil for Session Data Returning to Alert Data Reviewing Full Content Data with Tshark Understanding the Backdoor What Did the Intruder Do? What Else Did the Intruder Do? Exploring the Session Data Searching Bro DNS Logs Searching Bro SSH Logs Searching Bro FTP Logs Decoding the Theft of Sensitive Data Extracting the Stolen Archive Stepping Back Summarizing Stage Summarizing Stage Next Steps Conclusion Client-side Compromise 235 Client-side Compromise Defined Client-side Compromise in Action Getting the Incident Report from a User Starting Analysis with ELSA Looking for Missing Traffic Analyzing the Bro dns.log File Checking Destination Ports Examining the Command-and-Control Channel Initial Access Improving the Shell Summarizing Stage Pivoting to a Second Victim Installing a Covert Tunnel Contents in Detail xiii

6 Enumerating the Victim Summarizing Stage Conclusion Extending SO 263 Using Bro to Track Executables Hashing Downloaded Executables with Bro Submitting a Hash to VirusTotal Using Bro to Extract Binaries from Traffic Configuring Bro to Extract Binaries from Traffic Collecting Traffic to Test Bro Testing Bro to Extract Binaries from HTTP Traffic Examining the Binary Extracted from HTTP Testing Bro to Extract Binaries from FTP Traffic Examining the Binary Extracted from FTP Submitting a Hash and Binary to VirusTotal Restarting Bro Using APT1 Intelligence Using the APT1 Module Installing the APT1 Module Generating Traffic to Test the APT1 Module Testing the APT1 Module Reporting Downloads of Malicious Binaries Using the Team Cymru Malware Hash Registry The MHR and SO: Active by Default The MHR and SO vs. a Malicious Download Identifying the Binary Conclusion Proxies and Checksums 289 Proxies Proxies and Visibility Dealing with Proxies in Production Networks Checksums A Good Checksum A Bad Checksum Identifying Bad and Good Checksums with Tshark How Bad Checksums Happen Bro and Bad Checksums Setting Bro to Ignore Bad Checksums Conclusion Conclusion 303 Cloud Computing Cloud Computing Challenges Cloud Computing Benefits xiv Contents in Detail

7 Workflow, Metrics, and Collaboration Workflow and Metrics Collaboration Conclusion Appendix SO Scripts and Configuration 311 SO Control Scripts /usr/sbin/nsm /usr/sbin/nsm_all_del /usr/sbin/nsm_all_del_quick /usr/sbin/nsm_sensor /usr/sbin/nsm_sensor_add /usr/sbin/nsm_sensor_backup-config /usr/sbin/nsm_sensor_backup-data /usr/sbin/nsm_sensor_clean /usr/sbin/nsm_sensor_clear /usr/sbin/nsm_sensor_del /usr/sbin/nsm_sensor_edit /usr/sbin/nsm_sensor_ps-daily-restart /usr/sbin/nsm_sensor_ps-restart /usr/sbin/nsm_sensor_ps-start /usr/sbin/nsm_sensor_ps-status /usr/sbin/nsm_sensor_ps-stop /usr/sbin/nsm_server /usr/sbin/nsm_server_add /usr/sbin/nsm_server_backup-config /usr/sbin/nsm_server_backup-data /usr/sbin/nsm_server_clear /usr/sbin/nsm_server_del /usr/sbin/nsm_server_edit /usr/sbin/nsm_server_ps-restart /usr/sbin/nsm_server_ps-start /usr/sbin/nsm_server_ps-status /usr/sbin/nsm_server_ps-stop /usr/sbin/nsm_server_sensor-add /usr/sbin/nsm_server_sensor-del /usr/sbin/nsm_server_user-add SO Configuration Files /etc/nsm/ /etc/nsm/administration.conf /etc/nsm/ossec/ /etc/nsm/pulledpork/ /etc/nsm/rules/ /etc/nsm/securityonion/ /etc/nsm/securityonion.conf /etc/nsm/sensortab /etc/nsm/servertab /etc/nsm/templates/ /etc/nsm/$hostname-$interface/ /etc/cron.d/ Contents in Detail xv

8 Bro CapMe ELSA Squert Snorby Syslog-ng /etc/network/interfaces Updating SO Updating the SO Distribution Updating MySQL INDEX 335 xvi Contents in Detail