WB-Analysis of the Nakula & Antareja Incident

Similar documents
WB-Analysis of the attack on the Nakula and Antareja machines in January 2002 RVS-RR-05-02

Overview Intrusion Detection Systems and Practices

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

intelop Stealth IPS false Positive

2. INTRUDER DETECTION SYSTEMS

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Chapter 2. Switch Concepts and Configuration. Part II

Cyber Security Audit & Roadmap Business Process and

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Firewalls 1. Firewalls. Alexander Khodenko

Feasibility study of scenario based self training material for incident response

CSE 565 Computer Security Fall 2018

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

Linux Network Administration

Securing CS-MARS C H A P T E R

Introduction to Security

Network Security. Course notes. Version

NetDetector The Most Advanced Network Security and Forensics Analysis System

Security report Usuario de Test

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Securing Devices in the Internet of Things

CNIT 121: Computer Forensics. 9 Network Evidence

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks*

A. The portal will function as an identity provider and issue an authentication assertion

SYLLABUS. Title: Unix Network Administration II

Securing Wireless Networks by By Joe Klemencic Mon. Apr

CIRT: Requirements and implementation

Network Security Issues and New Challenges

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

BUILT TO STOP BREACHES. Cloud-Delivered Endpoint Protection

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Introduction to UNIX/LINUX Security. Hu Weiwei

The GenCyber Program. By Chris Ralph

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Certified Ethical Hacker (CEH)

WEB HOSTING SERVICE OPERATING PROCEDURES AND PROCESSES UNIVERSITY COMPUTER CENTER UNIVERSITY OF THE PHILIPPINES DILIMAN

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

EE 122: Network Security

The fast track to top skills and top jobs in cyber. Guaranteed.

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Ethical Hacking and Prevention

Guide to Computer Forensics. Third Edition. Chapter 11 Chapter 11 Network Forensics

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

A Data Driven Approach to Designing Adaptive Trustworthy Systems

Protect Your End-of-Life Windows Server 2003 Operating System

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Strategic Infrastructure Security

CyberSecurity Training and Capacity Building: A Starting Point for Collaboration and Partnerships. from the most trusted name in information security

The following virtual machines are required for completion of this lab: Exercise I: Mapping a Network Topology Using

Protect Your End-of-Life Windows Server 2003 Operating System

What a Honeynet Is H ONEYPOTS

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Fuzzy Intrusion Detection

Active defence through deceptive IPS

8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring


SECURING DEVICES IN THE INTERNET OF THINGS

10 FOCUS AREAS FOR BREACH PREVENTION

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

SECURING DEVICES IN THE INTERNET OF THINGS

and the Forensic Science CC Spring 2007 Prof. Nehru

Pyrite or gold? It takes more than a pick and shovel

Why Firewalls? Firewall Characteristics

Detecting Signs of Intrusion

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

A (sample) computerized system for publishing the daily currency exchange rates

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

ProCurve Network Immunity

Honeynets. Chris Brenton Dartmouth College Institute for Security Technology Studies (ISTS) ABSTRACT

Introduction to Computer Security

Motorola AirDefense Retail Solutions Wireless Security Solutions For Retail

Evolution Of The Need For IAM. Securing connections between people, applications, and networks

External Supplier Control Obligations. Cyber Security

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Information Security Training Needs Assessment Study. Dr. Melissa Dark CERIAS Assistant Professor Continuing Education Director

Design your network to aid forensics investigation

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

The detailed content and format of the http log files is discussed in Apache s web pages starting at:

Automation the process of unifying the change in the firewall performance

Hands-On Hacking Course Syllabus

Russ McRee Bryan Casper

e-commerce Study Guide Test 2. Security Chapter 10

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

CompTIA E2C Security+ (2008 Edition) Exam Exam.

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

2.1 A Primer on Network Sniffing Reconstructing TCP Streams Reconstructing Fragmented Packets 14

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Incident Response & Evidence Management

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Transcription:

WB-Analysis of the Nakula & Antareja Incident A WB-Analysis of a system security-related incident 5.5th Bieleschweig Workshop Bielefeld, June 6-7 2005

Overview Introduction The WB-Analysis Conclusion Discussion

Introduction Summary of the Incident 18th January 2002 Student koko from Jakarta was working on Nakula He noticed users made and root working on the system So he tried to contact made but got no response After several tries he informed the RVS 18th January 2002, 22:56 made logged in on Nakula remotely and found anomalies: sshd delivered no service to clients outside the RVS network sendmail was getting down frequently Remote connection through ARCOR-ISP was very slow made informed avinanta

Introduction Summary of the Incident 18th January 2002, 23:05 avinanta logged in on Nakula remotely and tried to find the source of the abnormal behaviour He logged in on Antareja and realized that sendmail was influenced by a strange.procmail in /home/avinanta containing a program, which was used to gain root access He also discovered several strange files, including root kit files avinanta and made both agreed that the systems must have been cracked

Introduction Summary of the Incident 19th January 2002, 00:40 Check of /var/log showed that all log files had been deleted Both machines were shutdown immediately to prevent the intruder from deleted any evidence he had left on the machines 19th January 2002, 00:50 RVS received notification about mass-scans: From Techfak administrator about scans targeting hosts belonging to the Techfak network

Introduction Presentation of the systems Nakula Profile of the Nakula machine Operating System: SuSE Linux 7.2, Kernel 2.4.4 Apache 1.3.12, PHP 4.2.06 Sendmail, SMTP, POP3, IMAP OpenSSH, ProFTP MySQL Not more than 10 active users One of the most popular sites about information technology in Indonesia

Introduction Presentation of the systems Antareja Profile of the Antareja machine Operating System: SuSE Linux 7.3, Kernel 2.4.10 Apache 1.3.12, PHP 4.2.06 Sendmail, SMTP, POP3, IMAP OpenSSH, ProFTP PostgreSQL New machine, active since December 2001 Used to test video conference connection between Bielefeld and Jakarta Not well known, few active users

Introduction Presentation of the systems Infrastructure Both machines are directly connected to the Internet via switches provided by the Hochschulrechenzentrum (HRZ) No central perimeter firewall No Intrusion Detection System HRZ guarantee: Sniffing of network traffic in the switched universities network environment not possible!

Introduction Problems performing the forensics Lack of valid evidence Intruder deleted log-files Log-files could only be partially recovered Intruder tried to cover his traces Intruders motivation not obvious Leads to different possible attack scenarios Analysts tried to reconstruct the chain of events by simulating the attack based on the tools and evidences found on the machines Results in the conviction, that only one attack scenario was possible

Introduction Only possible attack scenario Getting started Intruder had access to universities network He was able to use techniques that forced the switch to forwarding all traffic to his machine (ARP spoofing and sniffing) He found login/password combination for Nakula machine in unencrypted FTP traffic He used this information to login on Nakula

Introduction Only possible attack scenario On Nakula machine No applicable SuSE 7.2 remote exploit was known at that time (e.g. no lpd installed) He must have used an local exploit to gain root access (suid exploit) Installed root kit Launched sniffer attack on the network Gained login/password combination for Antareja machine On Antareja machine He tried to use same exploits also used on Nakula, but was not successful due to usage of SuSE 7.3 on Antareja He was not successful to gain root access on Antareja, although he tried until he was discovered

Introduction Conclusion of the forensic analysis Probable motivation of the intruder: Use machines as launching pads for further attacks Gain root access to as many hosts as possible Sniff credit card numbers Prepare distributed denial-of-service attack Switched network environments Do not always guarantee sniffing protection Probable intruders identity: Romanian hacker tazmania using his own root kit

Introduction Conclusion of the forensic analysis Suggested improvements: University level Intrusion Detection System Better log-mechanisms, e.g. usage of an external log-server Mechanism to notify system administrator Development of proper security policies

The WB-Analysis Part II: The WB-Analysis

The WB-Analysis What makes this WB-Analysis different? Security-related incident Most WB-Analyses have been safety-related Many facts are not clearly observable and are based on plausible and coherent assumptions (including the attackers motivations) Behaviour of the system precipitated by intruder High level of human interaction Intruders motivation was necessary for this incident to happen Missing of rule-based behaviour makes the modelling of the human agent difficult Intruder able to adapt his procedures System worked as specified

The WB-Analysis What is considered to be the accident? Possibilities: Loss of system-resources? Cost of money? Loss of manpower? Infiltration of systems by Intruder? Choice: Loss of (RVS-) resources (in general) But: This abstract definition of the accident leads to several WBGraphs, as we will see

The WB-Analysis The Nakula graph Accident: Loss of (system) resources Necessary causal factor for the accident: 1.1: Unauthorized use of Nakula alone is a sufficient causal factor for a not further specified Loss of resources All other graphs require a more specific definition of Loss of resources

The WB-Analysis The Antareja graph Accident: Loss of (specific amount of system) resources Necessary causal factors for the accident 1.1: Unauthorized use of Nakula 1.2: Unauthorized use of Antareja form a set of sufficient causal factors for this Loss of resources

The WB-Analysis The RVS-Loss graph Loss of several RVS resources Necessary causal factors for the accident 1.1: Unauthorized use of Nakula 1.2: Unauthorized use of Antareja 1.3: Specific loss of manpower resources 1.4: Temporary loss of Nakula machine and services 1.5: Temporary loss of Antareja machine and services form a set of sufficient causal factors for the Loss of several RVS resources

The WB-Analysis The complete graph Accident: Loss of resources (complete) Necessary causal factors for the accident 1.1: Unauthorized use of Nakula 1.2: Unauthorized use of Antareja 1.3: Specific loss of manpower resources 1.4: Temporary loss of Nakula machine and services 1.5: Temporary loss of Antareja machine and services form a set of sufficient causal factors for this Loss of resources Colouring marks sub graphs

The WB-Analysis Many graphs Where to look at? Identifying key-nodes (NCFs): Quantity of in- and out- going edges: Nodes with many edges must obviously exert important causal influence Single point of failure : The chain of events runs through one node, so it must be a significant factor Leaves: Nodes without precursors are the root causes for the accident Nodes with these properties should be further inspected

The WB-Analysis Dropping even more nodes Not all factors can be mitigated Due to lack of control Idea: Mark out the control areas Attacker control area (yellow) Human (defender) control area (blue) Technical control area (green) Attacker controlled areas can be blinded out You can t change anything there Also check for facts you can t or don t want to change (intuition)

The WB-Analysis Applying the criteria If we focus on factors which Are not attacker controlled or not controlled at all Meet at least one of the criteria (note: In/Out > 3), the more the better We get the most important nodes like: Insufficient Network security provided by HRZ (1.1.1.1.1.1.2.1.1.1) HRZ guaranteed protection against sniffer attacks (1.1.1.1.2.1.3) Attacker gained valid login/password combination (1.1.1.1/2) Need for FTP service in the RVS (1.1.1.1.2.1.2) RVS decision: FTP-Login equals SSH login (1.1/2.1.1.3)

The WB-Analysis OK what does that mean? If we examine the identified nodes, we may find possibilities to prevent a similar accident in the future: 1.1.1.1/1.2.1.1: Attacker gained valid login/password combination The attacker was able to gain login data by sniffing from the unencrypted FTP traffic. 1.1.1.1.2.1.3: HRZ guaranteed protection against sniffer attacks in the switched environment This is a rely condition. The RVS trusted the HRZ and arranged their infrastructure according to their needs based on this assurance.

Conclusion Taking precautions Mitigate these two causes 1.1.1.1/1.2.1.1: Attacker gained valid login/password combination No unencrypted FTP-service should be offered by RVS machines. An attacker could sniff for weeks and not gain a valid login. 1.1.1.1.2.1.3: HRZ guaranteed protection against sniffer attacks in the switched environment The HRZ-guarantee was obviously not reliable. Rely-conditions should be checked thoroughly and more discerning in the future. This example leads to a successful prevention of a similar accident with little effort.

Conclusion Comparison with the forensic analysis Recall: Suggested improvements in the forensic analysis: University level Intrusion Detection System Better log-mechanisms Mechanism to notify system administrator Development of proper security policies The conclusions drawn from the WB-Analysis are missing Though forensics were performed by experienced investigators Intuition may suggest right steps but why should these be the right ones? The WBA-method leads to objective conclusions in securityrelated cases just by following the method!

Conclusion Comparison with the forensic analysis WBA is a proper method not only for safety analyses Leads to objective conclusions Conclusions hard to counter No sophisticated mathematical skills or similar necessary Just following the method Can lead to other conclusions than intuitive judgement

Thanks for your attention! And now, time for questions and discussions What about: Formalisms for the finding of important nodes Colouring? Grouping? Modelling human behaviour in WB-analyses How to cope with the Counterfactual-Test? Modelling unknown facts / assumptions with no rule-base available

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback