Data Loss Prevention 2: Data in-motion
Magic Numbers/Discriminators. Detecting from network traffic. Regular Expressions. Extracting content from traces. Converted formats.
http://asecuritysite.com/dlp
Author: Prof Bill Buchanan
DLP: Data in-motion
[Figure: Data in-motion, data in-use and data at-rest. Network diagram with Eve on the Internet side, Bob and Alice on the internal network, and a switch, firewalls, router, intrusion detection systems, proxy server and domain name server; the DMZ holds the database, web, email and FTP servers. Labels: Data in-motion (on the network links), Data in-use, Data at-rest.]

DLP: Data in-motion
[Figure: the same network diagram drawn for three phases, Before Incident (setting up/preventing), During Incident (responding) and After Incident (forensics), with a Detector/preventer placed beside each element: switch, firewalls, router, domain name server, intrusion detection systems, database, web, email, FTP and proxy servers, the DMZ, Bob and Alice. Caption: Data in-motion, data in-use and data at-rest.]
DLP Data in-motion: Network Forensics

DLP Data in-motion: Network Packet Analysis
Adv Net For.: Cracking usernames, Hydra (FTP)
Wireshark filters (the FTP response code tells a successful login from a failed one):
  Response codes:        ftp.response.code
  Correct login:         ftp.response.code==230
  Incorrect login:       ftp.response.code==530
  Password attempts:     ftp contains "PASS"
  Administrator search:  ftp contains "Administrator"
Trace: http://asecuritysite.com/log/hydra_ftp.zip
Adv Net For.: Cracking usernames, Hydra (Telnet)
Wireshark filters (Telnet has no response codes, so the login prompt and the failure text are matched as strings):
  Login prompt:  telnet.data contains "login"
  Bad login:     telnet.data contains "unknown"
Trace: http://asecuritysite.com/log/hydra_telnet.zip
Adv Net For.: Detecting Scanning, NMAP (Port Scanning)
Wireshark filters (192.168.75.132 is the scanned host; its reply flags show whether a port is open):
  SYN probes from the scanner:         tcp.flags.syn && tcp.flags.ack==0
  Ports not open, [RST, ACK] reply:    ip.src==192.168.75.132 && tcp.flags.reset && tcp.flags.ack
  Ports open, [SYN, ACK] reply:        ip.src==192.168.75.132 && tcp.flags.syn==1 && tcp.flags.ack==1
Trace: http://asecuritysite.com/log/nmap.zip
Adv Net For.: Detecting Scanning, ICMP/ARP Scan
Wireshark filter:
  ARP replies (opcode 2): arp.opcode==2
Traces: http://asecuritysite.com/log/ping_sweep.zip
        http://asecuritysite.com/log/arp_scan.zip
Advanced Network Forensics: Signature Detection
Adv Net For.: File Types, Detecting File Types in Payloads
Wireshark filters matching the magic number of each file type inside HTTP payloads (the bytes can be given as a string or as \xNN escapes):
  PDF:  http contains "\x25\x50\x44\x46"   or   http contains "%PDF"
  GIF:  http contains "GIF89a"             or   http contains "\x47\x49\x46\x38"
  PNG:  http contains "\x89\x50\x4e\x47"
  ZIP:  http contains "\x50\x4b\x03\x04"
Trace: http://asecuritysite.com/log/hydra_ftp.zip
Advanced Network Forensics: Converted Formats
Adv Net For.: File Types, MIME Encoding
Email message (the attachments are base64 encoded, so the raw magic number never appears in the SMTP stream):
  ------=_NextPart_001_0005_01CF0A5E.E9FFC210--
  ------=_NextPart_000_0004_01CF0A5E.E9FFC210
  Content-Type: image/jpeg; name="ehealth.jpg"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="ehealth.jpg"

  /9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAICAgICAgICAgICAgICAwMDAgIDAwQDAwMDAwQFBAQE
  [remainder of the base64 body omitted]
  ------=_NextPart_000_0004_01CF0A5E.E9FFC210
  Content-Type: image/gif; name="cat01_with_hidden_text.gif"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="cat01_with_hidden_text.gif"

  R0lGODlhZABVAOYAAP////f39vH08u7u7+fn5+Hk5t/e39fa3e/OztXV1dXT0NnRoczMzMTIzGhl
  [remainder of the base64 body omitted]
  ------=_NextPart_000_0004_01CF0A5E.E9FFC210--
Wireshark filters:
  JPEG attachment (base64 form of the JFIF header):  smtp contains "/9j/4AAQSkZJRgABAQEA"
  GIF attachment (declared content type):            smtp contains "image/gif"
Adv Net For.: PCRE, Perl Compatible Regular Expressions
Snort rule that fires on an email address in SMTP (port 25) traffic:
  alert tcp any any <> any 25 (pcre:"/[A-Za-z0-9._%+-]+@[A-Za-z0-9._%+-]/"; \
      msg:"Email in message"; sid:9000000; rev:1;)
Alerts generated by the rule:
  [**] [1:9000000:1] Email in message [**]
  [Priority: 0]
  01/05-21:41:38.648260 192.168.47.171:2826 -> 192.168.47.134:25
  TCP TTL:128 TOS:0x0 ID:13590 IpLen:20 DgmLen:78 DF
  ***AP*** Seq: 0xB1484585 Ack: 0xFB0FDF97 Win: 0xFF71 TcpLen: 20

  [**] [1:9000000:1] Email in message [**]
  [Priority: 0]
  01/05-21:41:38.649220 192.168.47.134:25 -> 192.168.47.171:2826
  TCP TTL:128 TOS:0x0 ID:2017 IpLen:20 DgmLen:88 DF
  ***AP*** Seq: 0xFB0FDF97 Ack: 0xB14845AB Win: 0xFAB5 TcpLen: 20

  [**] [1:9000000:1] Email in message [**]
  [Priority: 0]
  01/05-21:41:38.649568 192.168.47.171:2826 -> 192.168.47.134:25
  TCP TTL:128 TOS:0x0 ID:13591 IpLen:20 DgmLen:66 DF
  ***AP*** Seq: 0xB14845AB Ack: 0xFB0FDFC7 Win: 0xFF41 TcpLen: 20

  [**] [1:9000000:1] Email in message [**]
  [Priority: 0]
  01/05-21:41:38.650165 192.168.47.134:25 -> 192.168.47.171:2826
  TCP TTL:128 TOS:0x0 ID:2018 IpLen:20 DgmLen:66 DF
  ***AP*** Seq: 0xFB0FDFC7 Ack: 0xB14845C5 Win: 0xFA9B TcpLen: 20

  [**] [1:9000000:1] Email in message [**]
  [Priority: 0]
  01/05-21:41:38.655157 192.168.47.171:2826 -> 192.168.47.134:25
  TCP TTL:128 TOS:0x0 ID:13593 IpLen:20 DgmLen:1500 DF
  ***A**** Seq: 0xB14845CB Ack: 0xFB0FE00F Win: 0xFEF9 TcpLen: 20

  [**] [1:9000000:1] Email in message [**]
  [Priority: 0]
  01/05-21:41:38.861083 192.168.47.134:25 -> 192.168.47.171:2826
  TCP TTL:128 TOS:0x0 ID:2030 IpLen:20 DgmLen:125 DF
  ***AP*** Seq: 0xFB0FE00F Ack: 0xB148AE2E Win: 0xFAEB TcpLen: 20
Equivalent Wireshark display filter:
  smtp matches "[A-Za-z0-9._%+-]+@[A-Za-z0-9._%+-]"
Adv Net For.: PCRE for Credit Card Details
Snort rules: the leading digit selects the brand, the digit groups give the length, and (\s|-)? allows an optional space or hyphen between groups; content:"number" with nocase additionally requires the word "number" in the packet:
  alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
      msg:"MasterCard number detected in clear text"; content:"number"; nocase; sid:9000003; rev:1;)
  alert tcp any any <> any any (pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/"; \
      msg:"American Express number detected in clear text"; content:"number"; nocase; sid:9000004; rev:1;)
  alert tcp any any <> any any (pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
      msg:"Visa number detected in clear text"; content:"number"; nocase; sid:9000005; rev:1;)
Alerts generated by the rules:
  [**] [1:9000005:1] Visa number detected in clear text [**]
  [Priority: 0]
  01/06-21:20:26.755456 192.168.47.171:1061 -> 192.168.47.134:25
  TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF
  ***A**** Seq: 0xCA178C7B Ack: 0x91870925 Win: 0xFEF9 TcpLen: 20

  [**] [1:9000003:1] MasterCard number detected in clear text [**]
  [Priority: 0]
  01/06-21:20:26.755456 192.168.47.171:1061 -> 192.168.47.134:25
  TCP TTL:128 TOS:0x0 ID:628 IpLen:20 DgmLen:1500 DF
  ***A**** Seq: 0xCA178C7B Ack: 0x91870925 Win: 0xFEF9 TcpLen: 20
Equivalent Wireshark display filter (backslashes are doubled inside a Wireshark string):
  smtp matches "5\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}"
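Added example (Python, not code from the slides): the email and card patterns from these two PCRE slides run over a constructed SMTP body, with a Luhn mod-10 check added so a hit can be rated rather than only raised. The '+' after '@' in the email pattern and the Luhn step are additions here; the card numbers are published test numbers, not real cards.

```python
# Added example, not from the slides: the card and email PCRE patterns applied
# to a constructed SMTP payload, plus a Luhn check, since the patterns alone
# fire on any digit string with the right length and leading digit.
import re

# Slide pattern; the '+' after '@' is added here (assumption) so the whole
# domain part is captured rather than a single character.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9._%+-]+")
# Same patterns as sid 9000003-9000005; (\s|-)? allows "5555 5555" or "5555-5555".
CARD_RES = {
    "mastercard": re.compile(r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
    "amex":       re.compile(r"3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}"),
    "visa":       re.compile(r"4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}"),
}

def luhn_ok(number):
    """Luhn mod-10 check over the digits of a candidate card number."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number) if c.isdigit()):
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_payload(text):
    """Return (emails, cards) found in a payload; each card hit is
    (brand, matched text, luhn_ok) so an alert can be rated, not just raised."""
    emails = EMAIL_RE.findall(text)
    cards = []
    for brand, rx in CARD_RES.items():
        for m in rx.finditer(text):
            cards.append((brand, m.group(0), luhn_ok(m.group(0))))
    return emails, cards

# Constructed SMTP body: one published test number per brand (all Luhn-valid),
# one Visa-looking string that fails Luhn, and one email address.
SAMPLE = ("From: alice@example.com\r\nSubject: order\r\n\r\n"
          "Card number 4111 1111 1111 1111 or 5555-5555-5555-4444,\r\n"
          "Amex 3782 822463 10005; not a card: 4000 0000 0000 0001\r\n")

if __name__ == "__main__":
    emails, cards = scan_payload(SAMPLE)
    print(emails)               # ['alice@example.com']
    for brand, text, ok in cards:
        print(brand, text, "luhn ok" if ok else "luhn FAIL")
```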
DLP Data in-motion: Magic Numbers
DLP: Magic Numbers, image files
GIF (.gif): the file starts with "GIF89a" (47 49 46 38 39 61)
MD5(c:\assets\cat01_with_hidden_text.gif)= 10117e6475c78b74b3a1a18f8d1c0d66
  [00000000] 47 49 46 38 39 61 64 00 55 00 E6 00 00 FF FF FF  GIF89ad.U.......
  [00000016] F7 F7 F6 F1 F4 F2 EE EE EF E7 E7 E7 E1 E4 E6 DF  ................
  [00000032] DE DF D7 DA DD EF CE CE D5 D5 D5 D5 D3 D0 D9 D1  ................
  [00000048] A1 CC CC CC C4 C8 CC 68 65 6C 6C 6F C0 D1 C6 84  .......hello....
  [00000064] C0 BF BD BD BB B8 B8 B6 B5 B5 B3 AE AA B1 B6 AB  ................
  [00000080] AC AD AB A9 A5 A6 A6 A6 A7 A5 9E AB A8 70 AC 9C  .............p..
  [00000096] 9F 99 99 99 94 9A A0 8B 95 9C 93 92 8E 8C 8D 8A  ................

JPEG (.jpg): the file starts with FF D8 (here FF D8 FF E0 followed by "JFIF")
MD5(c:\assets\file04.jpg)= d82e64b5ba09960eb3e23aaf46644f45
  [00000000] FF D8 FF E0 00 10 4A 46 49 46 00 01 00 01 00 C8  ......JFIF......
  [00000016] 00 C8 00 00 FF FE 00 1F 4C 45 41 44 20 54 65 63  ........LEAD Tec
  [00000032] 68 6E 6F 6C 6F 67 69 65 73 20 49 6E 63 2E 20 56  hnologies Inc. V
  [00000048] 31 2E 30 31 00 FF DB 00 43 00 19 11 12 16 12 0F  1.01....C.......
  [00000064] 19 16 14 16 1C 1A 19 1E 25 3F 29 25 22 22 25 4D  ........%?)%""%M
  [00000080] 37 3A 2D 3F 5B 50 60 5E 5A 50 58 56 65 71 91 7B  7:-?[P`^ZPXVeq.{
  [00000096] 65 6B 89 6D 56 58 7E AC 7F 89 96 9A A2 A4 A2 61  ek.mVX~........a

PNG (.png): the file starts with 89 50 4E 47 (".PNG")
MD5(c:\assets\bg.png)= 07f4bc9c7d4c36a864dce5c8ad108d82
  [00000000] 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52  .PNG........IHDR
  [00000016] 00 00 00 F3 00 00 00 C3 08 06 00 00 00 57 8C 27  .............W.'
  [00000032] 92 00 00 00 04 67 41 4D 41 00 00 AF C8 37 05 8A  .....gAMA....7..
  [00000048] E9 00 00 00 19 74 45 58 74 53 6F 66 74 77 61 72  .....tEXtSoftwar
  [00000064] 65 00 41 64 6F 62 65 20 49 6D 61 67 65 52 65 61  e.Adobe ImageRea
  [00000080] 64 79 71 C9 65 3C 00 00 0A EB 49 44 41 54 78 DA  dyq.e<....IDATx.
  [00000096] EC DD DD 6F 54 69 1D C0 F1 E7 9C 33 2F 7D D9 E9  ...oTi.....3/}..
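Added example (Python, not code from the slides): detecting the magic numbers listed on this slide and on the File Types slide inside a captured payload, as the http contains filters do, and rendering the matching filter string. The HTTP response is constructed; its body is the first 16 bytes of the file04.jpg dump above.

```python
# Added example, not from the slides: detect file types by magic number and
# locate them inside a captured payload, as the "http contains" filters do.
MAGIC = {  # signature bytes taken from the slides (offset 0 of the file)
    "pdf":  b"\x25\x50\x44\x46",   # "%PDF"
    "gif":  b"\x47\x49\x46\x38",   # "GIF8" (covers GIF87a and GIF89a)
    "png":  b"\x89\x50\x4e\x47",   # "\x89PNG"
    "zip":  b"\x50\x4b\x03\x04",   # "PK\x03\x04" (local file header)
    "jpeg": b"\xff\xd8\xff",       # SOI marker, followed by FF E0 for JFIF
}

def identify(data):
    """Type whose magic number sits at offset 0 of `data`, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def find_magic(payload):
    """Scan a whole payload (protocol headers included) for every signature,
    returning sorted (offset, type) hits: a 'contains' match that also
    reports where it hit, so the offset can be checked against the body."""
    hits = []
    for name, sig in MAGIC.items():
        pos = payload.find(sig)
        while pos != -1:
            hits.append((pos, name))
            pos = payload.find(sig, pos + 1)
    return sorted(hits)

def wireshark_filter(proto, name):
    """Render the display filter for a signature in \\xNN form."""
    return '%s contains "%s"' % (proto, "".join("\\x%02x" % b for b in MAGIC[name]))

# Constructed sample: an HTTP response whose body starts with the JFIF header
# from the file04.jpg dump above (FF D8 FF E0 00 10 "JFIF" 00 01 00 01 00 C8).
SAMPLE_HTTP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
               b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x00\x01\x00\xc8")

if __name__ == "__main__":
    body = SAMPLE_HTTP[SAMPLE_HTTP.index(b"\r\n\r\n") + 4:]
    print(identify(body))                   # jpeg
    print(find_magic(SAMPLE_HTTP))          # [(45, 'jpeg')]
    print(wireshark_filter("http", "zip"))  # http contains "\x50\x4b\x03\x04"
```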
DLP Data in-motion: Timelining

Timelining (DLP, NetWitness)
[Figure: who, why, when? From the pcap file, NetWitness extracts IP/MAC addresses, geolocation and assets, and builds a timeline running from the start of the incident to the end of the incident.]