Chapter #7: Technologies and Tools

Chapter Objectives
- Understand how to use appropriate software tools to assess the security posture of an organization
- Given a scenario, analyze and interpret output from security technologies

Protocol Analyzer
- A protocol analyzer is simply a tool (either hardware or software) that can be used to capture and analyze traffic
- Must have the capability to place a network interface in promiscuous mode
- From a security perspective, protocol analyzers are very useful and effective tools
- Most organizations have multiple points in the network where traffic can be sniffed

Switched Port Analyzer
- Switched Port Analyzer (SPAN), also called port mirroring or port monitoring, is a special setup on a switch
- A SPAN has the ability to copy network traffic passing through one or more ports on a switch, or one or more VLANs on a switch, and forward that copied traffic to a port designated for traffic capture and analysis
- Capacity planning is needed for the mirrored traffic

CIS 3500
Network Scanners
- A network scanner is a tool to probe a network or systems for open ports and machines that are on the network
- Network scanners can work on any IP network because they operate by examining network connections
- Search for live hosts
- Search for any open ports
- Search for specific ports
- Identify services on ports
- Look for TCP/UDP services

Network Scanners (cont.)
- When you find open services, you'll need to determine if those services should be running at all
- Network scanning activity can trigger an incident response activity when detected; notify sysadmins/security team
- Open: open ports accept connections
- Closed: the scanned target returns an RST packet
- Filtered: an ICMP unreachable error is returned
- Additional types: dropped, blocked, denied, timeout

Rogue System Detection
- Rogue systems are unauthorized systems that fall outside of the enterprise operations umbrella, adding risk to a system
- You have to know the authorized software and hardware in your environment
- You should do rogue system detection
  - Active scans of the network to detect any devices not authorized
  - Passive scan via an examination of packets to see if anyone is communicating who is not authorized

Network Mapping
- Network mapping tools are another name for network scanners
- They create network diagrams of how machines are connected
- Network mapping tools identify the nodes of a network and characterize them as to OS, purpose, systems, etc.; also great for inventory
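The passive form of rogue system detection on the slide, examining what is already talking on the network and comparing it with the authorized inventory, can be scripted against the output of the arp command covered later in this chapter. The script below is an added example, not from the slides; the arp -a listing and the authorized inventory are constructed sample data, and the line format assumed is that of Linux/BSD arp -a.

```python
"""Rogue system detection from an ARP cache (added example, not from the slides).

Passive approach: take the hosts the local system has already exchanged packets
with (its ARP cache) and flag any MAC address that is not in the authorized
inventory. Both inputs below are constructed samples.
"""
import re

# Constructed sample in the format of Linux/BSD `arp -a` (not a real capture).
ARP_OUTPUT = """\
gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
fileserver (192.168.1.10) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.77) at de:ad:be:ef:00:01 [ether] on eth0
printer (192.168.1.20) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

# Constructed authorized inventory: MAC address -> description.
AUTHORIZED = {
    "00:11:22:33:44:55": "core router",
    "aa:bb:cc:dd:ee:01": "file server",
    "aa:bb:cc:dd:ee:02": "office printer",
}

ARP_LINE = re.compile(
    r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) \[ether\] on (?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return (hostname, ip, mac) for each complete ARP entry.

    Entries still marked <incomplete> carry no MAC yet and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["name"], m["ip"], m["mac"].lower()))
    return entries


def find_rogue_hosts(arp_text, authorized):
    """Return the ARP entries whose MAC address is not in the authorized inventory."""
    known = {mac.lower() for mac in authorized}
    return [entry for entry in parse_arp_table(arp_text) if entry[2] not in known]


if __name__ == "__main__":
    for name, ip, mac in find_rogue_hosts(ARP_OUTPUT, AUTHORIZED):
        print(f"unauthorized host: {ip} ({name}) mac={mac}")
```

A MAC address is easy to change, so a match against the inventory is one signal, not proof of authorization; the active scan the slide also mentions, and the rogue host's behaviour on the wire, are what confirm it.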
Wireless Scanners/Cracker
- You can use wireless scanners/crackers to perform network analysis of the wireless side of your networks
  - Who is connecting to them?
  - What are they accessing?
  - Is everything in conformance with your security plan?
- There are a wide variety of wireless scanners that can assist in developing this form of monitoring

KisMAC
- KisMAC is one example of such a wireless scanner (for macOS)

Password Cracker
- Password crackers are used by hackers to find weak passwords
- Sysadmins should also check for weak passwords the same way
- Password crackers work using dictionary lists and brute force

Vulnerability Scanner
- A vulnerability scanner is a program designed to probe a system for weaknesses, misconfigurations, old versions of software, etc.
- Three main categories of vulnerability scanners: network, host, and application
Configuration Compliance Scanner
- Automate configuration checks
- SCAP (Security Content Automation Protocol) is a protocol to manage information related to security configurations and the automated validation of them
- There is a wide variety of configuration compliance scanners
- These tools require that there is a baseline set of defined configurations; the tools can then track changes against that baseline

Exploitation Frameworks
- Exploitation frameworks assist hackers with exploiting vulnerabilities in a system
- The most commonly used framework is Metasploit, a set of tools designed to assist a penetration tester
- These frameworks can be used by security personnel as well, specifically to test the exploitability of a system based on existing vulnerabilities and employed security controls

Data Sanitization Tools
- Data sanitization tools are tools used to destroy, purge, or otherwise identify for destruction specific types of data
- Before a system can be retired and disposed of, you need to sanitize the data
- Use self-encrypting disks and destroy the keys
- Identify the sensitive data and deal with it specifically
- It is not the tool that provides the true value, but rather the processes and procedures that ensure the work is done and done correctly

Steganography Tools
- Steganography is the science of hidden writing, or more specifically the hiding of messages in other content
- Digital images, videos, and audio files have excess coding capacity in the stream, so it is possible to embed additional content in the file
- If this content is invisible to the typical user, then it is considered to be steganography
- The same techniques are used to add visible (or invisible) watermarks to files
Honeypot
- A honeypot is a server that is designed to act like the real server on a corporate network
- Honeypots serve as attractive targets to attackers; traffic to them can be assumed to be malicious
- A honeynet is a network designed to look like a corporate network
- A honeynet is a collection of honeypots
- Extensive logging so we can learn from it

Backup Utilities
- Backup utilities are one of the most important tools
- Backing up a single system isn't that hard
- Backing up an enterprise full of servers and workstations is a completely different problem:
  - segregating data,
  - scale, and
  - management of the actual backup files
- Critical security task

Banner Grabbing
- Banner grabbing is a technique used to gather information from a service that publicizes information via a banner
  - Identify services by type
  - Version
  - Warnings
- Attackers can use banners to determine what services are running, and typically do for common banner-issuing services such as HTTP, FTP, SMTP, and Telnet

Passive vs. Active
- Passive tools are those that do not interact with the system
  - Wireshark performs OS mapping by analyzing TCP/IP traces
- Active tools interact with a target system in a fashion where their use can be detected
  - Nmap is an active interaction that can be detected when it sends packets
- When choosing, attackers may consider how much time they have available
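The banner grabbing slide lists what a banner gives away: service type, version and warnings. The same parsing that an attacker applies lets a defender build an inventory of what the organization's own hosts advertise and compare it with what should be running. The code below is an added example, not from the slides; the banners are constructed samples in the formats used by SSH, HTTP, SMTP and FTP servers and are not captures from any real system.

```python
"""Interpreting service banners for a service inventory (added example, not from the slides).

Each banner is classified by service type, and a product/version pair is pulled
out where the banner exposes one. All banners here are constructed samples.
"""
import re

SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    "220 mail.example.com ESMTP Postfix\r\n",
    "220 (vsFTPd 3.0.3)\r\n",
    "Welcome to the device\r\nlogin: ",
]

# Products that commonly appear in banners without a version string (constructed list).
KNOWN_PRODUCTS = ("Postfix", "Exim", "Sendmail", "vsFTPd", "ProFTPD", "Pure-FTPd")
# "<product> <version>" or "<product>/<version>", e.g. "vsFTPd 3.0.3" or "Apache/2.4.52"
PRODUCT_VERSION = re.compile(r"(?P<p>[A-Za-z][\w-]*)[ /](?P<v>\d+(?:\.\d+)+[\w.-]*)")


def product_and_version(text):
    """Best-effort extraction of (product, version); either may be None."""
    m = PRODUCT_VERSION.search(text)
    if m:
        return m["p"], m["v"]
    for name in KNOWN_PRODUCTS:          # product named, version withheld
        if name.lower() in text.lower():
            return name, None
    return None, None


def parse_banner(raw):
    """Classify one banner into {'service', 'product', 'version'}."""
    banner = raw.strip()
    m = re.match(r"^SSH-[\d.]+-(?P<software>\S+)", banner)
    if m:                                # SSH: "SSH-2.0-OpenSSH_8.9p1 ..."
        product, _, version = m["software"].partition("_")
        return {"service": "ssh", "product": product, "version": version or None}
    if re.match(r"^HTTP/[\d.]+ \d{3}", banner):
        hdr = re.search(r"^Server:\s*(?P<srv>.+?)\s*$", banner, re.MULTILINE)
        product, version = product_and_version(hdr["srv"]) if hdr else (None, None)
        return {"service": "http", "product": product, "version": version}
    m = re.match(r"^220[ -](?P<rest>.*)", banner)
    if m:                                # both SMTP and FTP greet with a 220 line
        rest = m["rest"]
        if re.search(r"smtp", rest, re.IGNORECASE):
            service = "smtp"
        elif re.search(r"ftp", rest, re.IGNORECASE):
            service = "ftp"
        else:
            service = "unknown-220"
        product, version = product_and_version(rest)
        return {"service": service, "product": product, "version": version}
    if re.search(r"^login:", banner, re.MULTILINE):
        return {"service": "telnet-like", "product": None, "version": None}
    return {"service": "unknown", "product": None, "version": None}


def inventory(banners):
    """Parse a list of banners into inventory records."""
    return [parse_banner(b) for b in banners]


if __name__ == "__main__":
    for record in inventory(SAMPLE_BANNERS):
        print(record)
```

Every field the parser recovers is a field an outsider can recover too, which is the argument for trimming banners to the minimum the protocol requires and for comparing the resulting inventory against the approved service list.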
Command-Line Tools
- These are built into the operating system itself, or are common programs that are used by system administrators and security professionals on a regular basis

ping
- The ping command sends echo requests to a designated machine to determine if communication is possible
- The syntax is ping [options] targetname/address
- The options include items such as name resolution, how many pings, data size, TTL counts, and more
- Many sysadmins disable it or filter it on the firewall; answering ping gives away too much

netstat
- netstat -a: all open ports
- netstat -at: all active TCP connections
- netstat -au: all active UDP connections
- netstat -l: all listening ports
- netstat -ln: listening ports, does not resolve names
- netstat -lp: listening programs with PID

tracert
- The tracert command is a Windows command for tracing the route that packets take over the network
- Lists the hosts, switches, and routers in the order that a packet passes by them
- It uses ICMP, so it is affected if ICMP is blocked
- On Linux and macOS systems, the command with similar functionality is traceroute
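Reading netstat output is the part of the slide a practitioner does repeatedly: the question is not just which ports are listening but which of them are bound to every interface and therefore reachable from other hosts. The script below is an added example, not from the slides; it parses a constructed listing in the layout of Linux netstat -lnp (the combination of the -l, -n and -p options listed above) and separates services exposed to the network from those bound only to loopback.

```python
"""Reviewing netstat -lnp output for exposed services (added example, not from the slides).

The listing below is a constructed sample in the column layout of Linux
`netstat -lnp`; it is not captured from a real host.
"""

NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      901/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhclient
udp6       0      0 ::1:323                 :::*                                -
"""

# Addresses that mean "every interface on the host".
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_listeners(text):
    """Return one dict per socket line: proto, addr, port, pid, program."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue                      # skip the title and header lines
        # UDP lines have no State column, so index the Local Address from the left
        # and the PID/Program column from the right.
        addr, _, port = parts[3].rpartition(":")   # IPv6 addresses contain ':' themselves
        pid_prog = parts[-1]
        if "/" in pid_prog:
            pid, program = pid_prog.split("/", 1)
        else:
            pid, program = None, None     # netstat prints '-' when the owner is not visible
        listeners.append({
            "proto": parts[0],
            "addr": addr,
            "port": int(port),
            "pid": int(pid) if pid else None,
            "program": program,
        })
    return listeners


def exposed_listeners(text):
    """Listeners bound to a wildcard address, i.e. reachable from other hosts."""
    return [l for l in parse_listeners(text) if l["addr"] in WILDCARD_ADDRS]


if __name__ == "__main__":
    for l in exposed_listeners(NETSTAT_OUTPUT):
        print(f"{l['proto']:5} port {l['port']:<5} {l['program'] or '?'} (pid {l['pid']})")
```

A '-' in the PID/Program column usually means netstat was run without the privilege to see the socket's owner, which is itself worth noting in a review: run it again as root rather than assume the port is harmless.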
nslookup/dig
- The nslookup command can be used to examine a DNS query
- A nonauthoritative answer typically means the result is from a cache as opposed to a server that has an authoritative answer

arp
- The arp command interfaces with the operating system's Address Resolution Protocol (ARP) caches on a system
- A device sometimes needs to know where to send a packet using the MAC or layer 2 address
- Four basic message types:
  - ARP request: Who has this IP address?
  - ARP reply: I have that IP address; my MAC address is ...
  - Reverse ARP (RARP) request: Who has this MAC address?
  - RARP reply: I have that MAC address; my IP address is ...

ipconfig/ip/ifconfig
- ipconfig (for Windows) and ifconfig (for Linux) are used to manipulate the network interfaces on a system
- List the interfaces and connection parameters, alter parameters, and refresh/renew connections
- The ip command in Linux is used to show and manipulate routing, devices, policy routing, and tunnels

tcpdump
- The tcpdump utility is designed to analyze network packets either from a network connection or a recorded file
- You can also use it to create files of packet captures (pcap) and perform filtering
nmap
- Nmap has been a standard network mapping utility for Windows and Linux since 1999
- The nmap command is the command-line command to launch and run the nmap utility

netcat
- Netcat is the network utility designed for Linux environments
- It has a Windows version, but it is not regularly used in Windows environments
- The netcat command is nc [options] address
- The netcat utility is the tool of choice in Linux for reading from and writing to network connections using TCP or UDP
- Has a wide range of functions

Security Technologies
- There are several security technologies that you can employ to analyze security situations and interpret output from security technologies

HIDS/HIPS
- Both a host-based intrusion detection system (HIDS) and a host-based intrusion prevention system (HIPS) alert on behaviors that match specified behavioral patterns
- They have significant false positive rates depending upon the specificity of the ruleset
- They serve to act as an alerting mechanism to provide a signal to start incident response activities
Antivirus
- Antivirus (AV) applications check files for matches to known viruses and other forms of malware
- Quarantine the file or erase it using the AV utility

File Integrity Check
- Perform a file integrity check to ensure that the file has not been tampered with
- This will alert you to a changed binary
- They take a hash of the file and compare this value to an offline store of correct values; if the hashes match, then the file is unaltered
- On Windows machines the command is sfc /scannow

Host-Based Firewall
- A host-based firewall is a firewall located on a host system
- You can tune it to the exact specifications of that machine
- If properly tuned, a host-based firewall will have a very low false positive rate

Application Whitelisting
- Application whitelisting marks files as safe to run on a system based upon their hash values
- Only specified binaries are allowed to run on a system
- On Microsoft Windows machines using the Enterprise version of the OS, whitelisting can be done natively in the OS via a tool called AppLocker
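The file integrity check and application whitelisting slides describe the same mechanism from two sides: hash the file and compare against a stored known-good value, either to detect a change or to decide whether the binary may run. The code below is an added example serving both slides; it is not from the slides and is not the Windows sfc or AppLocker tool. The baseline dictionary stands in for the "offline store of correct values", SHA-256 is the hash chosen here, and the file name and contents are constructed.

```python
"""File integrity check and hash-based allowlisting (added example, not from the slides).

A known-good hash of each file is recorded once; later checks recompute the hash
and compare. The same stored hashes double as an application allowlist.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good hash of each file.

    The result must be kept where the monitored host cannot rewrite it, or an
    intruder simply updates the baseline along with the binary.
    """
    return {p: sha256_of_file(p) for p in paths}


def check_integrity(baseline):
    """Compare current hashes with the baseline: 'unchanged', 'MODIFIED' or 'MISSING'."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "MISSING"
        elif sha256_of_file(path) == expected:
            report[path] = "unchanged"
        else:
            report[path] = "MODIFIED"
    return report


def is_allowed_to_run(path, allowed_hashes):
    """Allowlisting decision: only a binary whose hash is on the list may execute."""
    return os.path.exists(path) and sha256_of_file(path) in allowed_hashes


def demo():
    """Create a constructed 'binary', baseline it, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as workdir:
        app = os.path.join(workdir, "app.bin")          # constructed file name
        with open(app, "wb") as f:
            f.write(b"\x7fELF constructed sample binary contents")   # constructed contents
        baseline = build_baseline([app])
        allowed = set(baseline.values())
        result = {
            "before": check_integrity(baseline)[app],
            "allowed_before": is_allowed_to_run(app, allowed),
        }
        with open(app, "ab") as f:                      # a one-byte change is enough to fail
            f.write(b"\x90")
        result["after"] = check_integrity(baseline)[app]
        result["allowed_after"] = is_allowed_to_run(app, allowed)
        os.remove(app)
        result["missing"] = check_integrity(baseline)[app]
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is only as good as the baseline: every legitimate patch changes the hash, so the patch management process and the baseline update have to be linked, or the tool drowns in "MODIFIED" results that nobody reads.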
Removable Media Control
- Removable media controls are designed to prevent the transfer of data from a system to removable media
- Encryption!
- Block physical access

Advanced Malware Tools
- Advanced malware tools, e.g. YARA, a command-line pattern matcher that looks for indicators of compromise
- Hunting down malware infections based on artifacts in memory
- Another type is a threat prevention platform that checks a system and its traffic in real time for common malware artifacts such as callbacks to external devices

Patch Management Tools
- Patch management tools assist administrators by keeping lists of the software on a system and alerting users when patches become available
- Some can even assist in the application of the patches
- Alerting users is only part of the necessary solution:
  - ensure that the patches are installed
  - alert administrators when patches have not been applied

UTM
- Unified threat management (UTM) devices typically provide a wide range of services, including switching, firewall, IDS/IPS, anti-malware, anti-spam, content filtering, and traffic shaping
- Simplify security administration
- Typically located at the edge of the network, managing traffic in and out of the network
DLP
- Data loss prevention (DLP) is used to detect and prevent transfers of data across an enterprise
- Can scan packets for specific data patterns:
  - account numbers,
  - secrets,
  - specific markers, or
  - files
- The system can block the transfer
- The challenge is the placement of the sensor

Data Execution Prevention
- Data Execution Prevention (DEP) is the protection of specific memory areas as nonexecutable in a Windows system
- Prevents attackers from changing the operation of a program through code injection
- The OS will kill the program

Web Application Firewall
- A web application firewall (WAF) is a device that performs restrictions based on rules associated with HTTP/HTTPS
- A form of content filter that provides significant capability and protections
- WAFs can detect and block disclosure of critical data
- Can also be used to protect websites from common attack vectors such as cross-site scripting, fuzzing, and buffer overflow attacks

There is no 100 percent secure system, and there is nothing that is foolproof! Stay Alert!
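The DLP slide says the sensor scans for specific data patterns such as account numbers and markers. A bare regex for "16 digits" floods the analysts with order numbers and ticket IDs, so real sensors validate candidates; the example below is an added one, not from the slides, and shows that refinement with a Luhn checksum for card-style account numbers plus a simple classification-marker match. The sample message and the marker list are constructed, and the card number used is the well-known test value 4111 1111 1111 1111, not a real account.

```python
"""DLP-style content scanning with candidate validation (added example, not from the slides).

Two of the pattern types the slides name are implemented: account numbers
(regex candidate, then Luhn checksum) and classification markers (literal match).
"""
import re

MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")      # constructed classification markers

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message (not real traffic); 4111... is the standard test card number.
SAMPLE = """\
Subject: CONFIDENTIAL - Q3 pricing
Customer card on file: 4111 1111 1111 1111
Order 4111111111111111 shipped Monday; ticket 1234567890123456.
Call 555-0100-1234 with questions.
"""


def luhn_ok(digits):
    """Luhn checksum as used by payment card and many other account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_account_numbers(text):
    """Digit runs that look like account numbers and pass the checksum."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_markers(text):
    """Classification markers present in the content."""
    return [mk for mk in MARKERS if mk in text]


def scan(text):
    """Sensor decision: what matched, and whether the transfer should be blocked."""
    hits = {
        "account_numbers": find_account_numbers(text),
        "markers": find_markers(text),
    }
    hits["block"] = bool(hits["account_numbers"] or hits["markers"])
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE))
```

The checksum removes the 16-digit ticket number from the hit list while keeping both spellings of the card number; it does not solve the placement problem the slide ends on, since a sensor only sees the traffic that passes it, and it sees nothing inside encrypted sessions it cannot terminate.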