HoneyNets, Intrusion Detection Systems, and Network Forensics - PowerPoint PPT Presentation

Provided by: JeffP195

Transcript and Presenter's Notes

1
HoneyNets, Intrusion Detection Systems, and
Network Forensics
2
Introduction
  • Definition of a Honeynet
  • Concept of Data Capture and Data Control
  • Generation I vs. Generation II Honeynets
  • Description of the Georgia Tech Campus Network
  • Current Vulnerabilities on the Internet
  • Current Tools to Protect Networks
  • Firewalls
  • Intrusion Detection Systems (IDS)

3
Shortcomings Associated with Firewalls
  1. The firewall cannot protect against attacks
     that bypass it, such as a dial-in or dial-out
     capability.
  2. The firewall at the network interface does not
     protect against internal threats.
  3. The firewall cannot protect against the
     transfer of virus-laden files and programs.

4
Shortcomings Associated with Intrusion Detection
Systems
  1. Increased Complexity of Security Management of
     the Network
  2. High Level of False Positive and False Negative
     Alerts
  3. Must Know Signature or Anomaly Detection Pattern

5
Definition of a Honeynet
  • Network Established Behind a Reverse Firewall
  • Captures All In-Bound and Out-Bound Traffic
  • Any Type of System
  • Network is Intended To Be Compromised
  • All Honeynet traffic is suspicious

6
Data Capture and Data Control
  • Data Capture
      • Collect all information entering and leaving the
        Honeynet covertly for future analysis
  • Data Control
      • Covertly protect other networks from being
        attacked and compromised by computers on the
        Honeynet

7
Generation I vs. Generation II
  • GEN I Honeynet
      • Simple Methodology, Limited Capability
      • Highly effective at detecting automated attacks
      • Use Reverse Firewall for Data Control
      • Can be fingerprinted by a skilled hacker
      • Runs at OSI Layer 3
  • GEN II Honeynet
      • More Complex to Deploy and Maintain
      • Examine Outbound Data and make determination to
        block, pass, or modify data
      • Runs at OSI Layer 2

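Data control as a Gen I reverse firewall performs it is essentially a counter: each honeypot may open only a limited number of outbound connections per hour, after which further connections are dropped so that a compromised honeypot cannot be used to attack anyone else, while inbound traffic is never restricted because capturing it is the point. The Python below is an added example written for this transcript; it is not Honeynet.org's rc.firewall script and not code from the slides. The honeynet range (192.0.2.0/24), the per-protocol hourly limits and the connection log are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy for the example. The honeynet range is TEST-NET-1 and the
# per-hour limits are assumptions, not the defaults of Honeynet.org's script.
HONEYNET = ipaddress.ip_network("192.0.2.0/24")
LIMITS_PER_HOUR = {"tcp": 9, "udp": 20, "icmp": 50}
DEFAULT_LIMIT = 10  # assumed limit for any other protocol
WINDOW = timedelta(hours=1)


class OutboundLimiter:
    """Gen I style data control: outbound connections are counted per (honeypot,
    protocol) over a sliding one-hour window; once the limit is reached, further
    connections are blocked. Inbound and honeypot-to-honeypot traffic always passes."""

    def __init__(self, honeynet=HONEYNET, limits=LIMITS_PER_HOUR, window=WINDOW):
        self.honeynet = honeynet
        self.limits = limits
        self.window = window
        self.allowed = defaultdict(deque)  # (src, proto) -> timestamps of allowed connections

    def decide(self, ts, src, dst, proto):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in self.honeynet or dst_ip in self.honeynet:
            return "pass"  # inbound traffic, or traffic that stays inside the honeynet
        q = self.allowed[(src, proto)]
        while q and ts - q[0] >= self.window:
            q.popleft()  # forget connections that have aged out of the window
        if len(q) >= self.limits.get(proto, DEFAULT_LIMIT):
            return "block"
        q.append(ts)
        return "pass"


def constructed_events():
    """Constructed connection log: a honeypot that starts opening outbound TCP
    connections (as a compromised machine would), one inbound probe, and one
    outbound connection an hour later, after the first ones have aged out."""
    t0 = datetime(2003, 1, 25, 3, 0, 0)
    events = [(t0 + timedelta(minutes=m), "192.0.2.10", "198.51.100.7", "tcp") for m in range(12)]
    events.append((t0 + timedelta(minutes=5), "203.0.113.5", "192.0.2.10", "tcp"))
    events.append((t0 + timedelta(minutes=61), "192.0.2.10", "198.51.100.8", "tcp"))
    return sorted(events)


def run_sample(events=None):
    """Apply the limiter to the log; returns every decision plus pass/block totals."""
    limiter = OutboundLimiter()
    decisions = [(ts, src, dst, proto, limiter.decide(ts, src, dst, proto))
                 for ts, src, dst, proto in (events or constructed_events())]
    summary = {"pass": 0, "block": 0}
    for decision in decisions:
        summary[decision[4]] += 1
    return decisions, summary


if __name__ == "__main__":
    for ts, src, dst, proto, verdict in run_sample()[0]:
        print(f"{ts:%H:%M} {proto} {src} -> {dst}: {verdict}")
    print(run_sample()[1])
```

With the constructed log, the first nine outbound connections pass, the next three are blocked, the inbound probe passes untouched, and the connection at minute 61 passes again because the earliest connection has left the window. A real deployment would also log every block, since a honeypot hitting its limit is itself a strong compromise signal.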
8
Georgia Tech Campus Network
  • 15000 Students, 5000 Staff, 69 Departments
  • 30000-35000 networked computers on campus
  • Average data throughput 600Mbps/4 terabytes per
    day
  • NO FIREWALL BETWEEN CAMPUS AND INTERNET!
  • Why? Requirement for Academic Freedom, high
    throughput
  • However, individual enclaves within Georgia Tech
    use firewalls
  • IDS is run at campus gateway
  • Out of band monitoring and follow-on
    investigation

9
Establishment of the Honeynet on the Georgia Tech
Campus
  • Established in Summer of 2002
  • Uses Open Source Software
  • Initially Established As One Honeynet Machine
    behind the firewall
  • IP Address Range Provided by Georgia Tech Office
    of Information Technology (OIT)

10
Georgia Tech Honeynet
11
Hardware and Software
  • No Requirement for State of the Art Equipment
    (Surplus Equipment)
  • No Production Systems
  • Minimum Traffic
  • Use Open Source Software (SNORT, Ethereal, MySQL
    DB, ACID)
  • Use Reverse Firewall Script Developed by
    Honeynet.org

12
Intrusion Detection System Used with HoneyNet
  • SNORT
  • Open Source
  • Signature-Based, with Anomaly-Based Plug-in
    Available
  • Can Write Customized Signatures
  • Run Two Separate SNORT Sessions
      • One Session to Check Against Signature Database
      • One Session to Capture All Inbound/Outbound
        Traffic

13
Analysis Console for Intrusion Detection (ACID)
14
Logging and Review of Data
  • Honeynet Data is stored in two separate locations
  • Alert Data is stored in SQL database
  • Packet Capture Data is stored in a daily archive
    file
  • Data Analysis is a time-consuming process. In
    our experience:
  • One hour/day to analyze traffic
  • One hour of attack traffic can result in up to
    one week of analysis

15
Ethereal Analysis Tool
16
Exploitations Detected on the Georgia Tech
Honeynet
  • 36 possible exploited machines have been detected
    at Georgia Tech in previous 9 months (through
    June 2003)
  • A report is made to OIT on each suspected
    compromise

17
Identification of a System with a Compromised
Password
  • Previously Compromised Honeynet Computer
    Continued to Operate as Warez Server
  • Another Georgia Tech Computer Connected to the
    Warez Server
  • Investigation Revealed that Password had been
    Compromised on Second Georgia Tech Computer

18
Detection of Worm Type Exploits
  • GEN I Honeynet Well-Suited to Detect Worm Type
    Exploits
  • Repeated Scans targeting specific ports
  • Analyze captured data for time lapses
  • Ability to Deploy Specific Operating System on
    Honeynet

19
Exploitation Pattern of Typical Internet Worm
  • Target Vulnerabilities on Specific Operating
    Systems
  • Localized Scanning to Propagate (Code Red)
  • 3/8 of time within same /16 network
  • 1/2 of time within same /8 network
  • 1/8 of time random address
  • Allows for Quick Infection Within Internal
    Networks with High Concentration of Vulnerable
    Hosts

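The scanning mix on this slide decides how quickly a honeynet sees a worm: a honeynet that shares a /16 with an infected host receives a far larger share of its scans than a uniformly scanning worm would send it. The Python below is an added example, not part of the slides; it turns the stated mix (3/8 same /16, 1/2 same /8, 1/8 random) into the probability that one scan lands in a honeynet of a given size and the expected number of scans before the first hit, using exact fractions so the results can be checked by hand. The prefix lengths and the "uniform scanner" used for comparison are the example's own assumptions.

```python
from fractions import Fraction

# Target-selection mix quoted on the slide for Code Red style localized scanning:
# keep the source's first 16 bits 3/8 of the time, its first 8 bits 1/2 of the
# time, and pick a fully random address 1/8 of the time.
LOCALIZED = {16: Fraction(3, 8), 8: Fraction(1, 2), 0: Fraction(1, 8)}
UNIFORM = {0: Fraction(1)}  # assumed comparison case: every target chosen at random


def hit_probability(dist, honeynet_prefix, shared_bits):
    """Probability that one scan lands inside a honeynet of size /honeynet_prefix when
    the infected host and the honeynet share exactly their first `shared_bits`
    address bits. `dist` maps 'leading source bits kept' -> probability of that choice."""
    p = Fraction(0)
    for kept, weight in dist.items():
        if kept > shared_bits:
            continue  # the kept bits differ from the honeynet prefix: this choice cannot hit
        candidates = 2 ** (32 - kept)            # addresses this choice draws from uniformly
        inside = 2 ** (32 - honeynet_prefix)     # addresses that belong to the honeynet
        p += weight * min(Fraction(1), Fraction(inside, candidates))
    return p


def expected_scans_until_detection(dist, honeynet_prefix, shared_bits):
    """Mean number of scans an infected host sends before the honeynet sees one."""
    return 1 / hit_probability(dist, honeynet_prefix, shared_bits)


def placement_comparison(honeynet_prefix=24):
    """How the honeynet's placement relative to an infected host changes detection,
    for the localized mix versus a uniformly random scanner."""
    rows = {}
    for label, shared in (("same /16", 16), ("same /8 only", 8), ("unrelated", 0)):
        p_local = hit_probability(LOCALIZED, honeynet_prefix, shared)
        p_uniform = hit_probability(UNIFORM, honeynet_prefix, shared)
        rows[label] = {
            "p_hit_localized": float(p_local),
            "scans_to_detect_localized": float(1 / p_local),
            "speedup_vs_uniform_scanner": float(p_local / p_uniform),
        }
    return rows


if __name__ == "__main__":
    for label, row in placement_comparison().items():
        print(f"{label:13s} p={row['p_hit_localized']:.3e} "
              f"scans to first hit={row['scans_to_detect_localized']:.0f} "
              f"speedup vs uniform={row['speedup_vs_uniform_scanner']:.0f}x")
```

For a /24 honeynet in the same /16 as the infected host, a single scan hits the honeynet with probability 197633/134217728 (about 0.15%), so the first hit arrives after roughly 680 scans, about 24,700 times sooner than a uniformly scanning worm would reach it. This is the quantitative reason the slide says a Gen I honeynet in campus address space is well suited to detecting worms.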
20
Georgia Tech Honeynet Gen II
21
Initial Observations of Gen II Honeynet
  • Configuration is more complex than Gen I
  • Must use variants of Linux 2.4 kernel in order to
    run Sebek keystroke logger capability
  • Data must continue to be monitored on a daily
    basis

22
Honeynet Portscan Activity
  • Date Public: 7/24/02; Date Attack: 1/25/03

23
Honeynet Portscan Activity
  • Date Public: 7/16/03; Date Attack: 8/11/03

24
Honeynet Portscan Activity
  • Date Public: 8/15/2003; Date Attack: 8/22/03

25
Conclusions on HoneyNets
  • Honeynet Assists in Maintaining Network Security
  • Provides Platform for Research in Information
    Assurance and Intrusion Detection

26
IDS - Purpose
  • Misuse detection
  • Anomaly detection
  • Conduct forensics
  • Network traffic recording and analysis
  • Intellectual property protection

27
IDS Strategies
  • Signature-based (misuse detection)
      • pattern matching
      • cannot detect new attacks
      • low false positive rate
  • Anomaly-based (statistical-based)
      • activity monitoring
      • has the ability to detect new attacks
      • higher false positive rate

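The trade-off on this slide is easiest to see with both detectors run over the same traffic. The Python below is an added example, not from the slides: a signature detector that matches a known pattern (the Code Red request mentioned earlier in the deck) and a statistical detector that flags any source whose daily connection count exceeds the baseline mean by three standard deviations. The connection records, the baseline counts and the threshold are constructed for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed connection records for one day: (src, dst, dport, payload). Not real traffic.
TODAY = (
    [("203.0.113.9", "192.0.2.10", 80, "GET /default.ida?NNNNNNNN HTTP/1.0"),
     ("203.0.113.9", "192.0.2.11", 80, "GET /default.ida?NNNNNNNN HTTP/1.0"),
     ("198.51.100.4", "192.0.2.10", 80, "GET /index.html HTTP/1.0")]
    + [("203.0.113.77", "192.0.2.10", port, "") for port in range(1, 41)]  # sweep of 40 ports
    + [("192.0.2.200", "192.0.2.250", 22, "") for _ in range(30)]          # legitimate backup job
)

# Constructed baseline: connections per source per day seen on earlier, quiet days.
BASELINE_COUNTS = [1, 2, 3, 2, 4, 3, 2, 1, 5, 3, 2, 4]

# Signature-based detection only knows what has been written down in advance.
SIGNATURES = {"Code Red default.ida request": re.compile(r"default\.ida\?")}


def signature_alerts(records, signatures=SIGNATURES):
    """Misuse detection: (source, signature name) for every payload matching a known pattern."""
    return {(src, name) for src, _dst, _port, payload in records
            for name, rx in signatures.items() if rx.search(payload)}


def anomaly_alerts(records, baseline_counts=BASELINE_COUNTS, k=3.0):
    """Statistical detection: sources whose connection count for the day exceeds
    baseline mean + k standard deviations. Returns {source: count}."""
    threshold = mean(baseline_counts) + k * pstdev(baseline_counts)
    per_source = Counter(src for src, *_ in records)
    return {src: n for src, n in per_source.items() if n > threshold}


def compare(records):
    """Which sources each approach flags, and where they disagree."""
    sig = {src for src, _name in signature_alerts(records)}
    anom = set(anomaly_alerts(records))
    return {"signature_only": sig - anom, "anomaly_only": anom - sig, "both": sig & anom}


if __name__ == "__main__":
    print("signature:", sorted(signature_alerts(TODAY)))
    print("anomaly:  ", anomaly_alerts(TODAY))
    print("compare:  ", compare(TODAY))
```

The signature detector names the Code Red host exactly, with no false positive, but says nothing about the port sweep because no rule describes it. The anomaly detector catches the sweep without any prior knowledge of it, and also flags the backup host that legitimately opened thirty SSH connections, which is the higher false positive rate the slide warns about. Running both, as the Georgia Tech setup did with two SNORT sessions, is how the weaknesses of each are covered.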
28
IDS Deployment
  • Network-based
      • Inspect network traffic
      • Monitor user activity (packet data)
  • Host-based
      • Inspect local network activity
      • OS audit functionality
      • Monitor user activity (function calls)

29
Example IDS: Snort
  • Sniffer
  • Packet logger
  • IDS

30
Snort Rules
  • Example 1: log TCP traffic from any port going
    to ports less than or equal to 6000
  • log tcp any any -> 192.168.1.0/24 :6000
  • Example 2: RPC alert call
  • alert tcp any any -> 192.168.1.0/24 111 (rpc:
    100000,*,3; msg:"RPC getport (TCP)";)
  • See the Snort Users Manual for more information

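A Snort rule is a fixed seven-field header (action, protocol, source address, source port, direction, destination address, destination port) followed by options in parentheses, and the port field has its own small syntax: `any`, a single port, `:6000` for "6000 or lower", `6000:` for "6000 or higher", and `N:M` for a range. The Python below is an added example, not Snort's own parser and not code from the slides: it parses the two rules from the slide, interprets the header fields, and tests them against constructed packet descriptions so the meaning of `:6000` and of the `->` operator is visible. Only the header is evaluated; option keywords such as `rpc` are parsed but not matched against payloads.

```python
import ipaddress
import re

HEADER_FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
# One rule option: name, optional ':' value (a quoted value may contain ';' or ')'), then ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# The two rules from the slide.
RULES = [
    "log tcp any any -> 192.168.1.0/24 :6000",
    'alert tcp any any -> 192.168.1.0/24 111 (rpc: 100000,*,3; msg:"RPC getport (TCP)";)',
]


def parse_rule(text):
    """Split a Snort rule into its seven header fields plus an options dict."""
    header, _, rest = text.strip().partition("(")
    parts = header.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"expected 7 header fields, got {len(parts)}: {header!r}")
    rule = dict(zip(HEADER_FIELDS, parts))
    if rule["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {rule['direction']!r}")
    rule["options"] = {}
    body = rest.rstrip().rstrip(")").strip()
    pos = 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse options near {body[pos:]!r}")
        name, value = m.group(1), m.group(2)
        if value is not None:
            value = value.strip()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
        rule["options"][name] = value
        pos = m.end()
    return rule


def port_matches(spec, port):
    """Snort port syntax: any, N, :N (<= N), N: (>= N), N:M (inclusive), optional leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def addr_matches(spec, address):
    """Snort address syntax: any, a single host, or CIDR, optional leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def header_matches(rule, pkt):
    """Does the rule header select this packet? pkt has proto, src, sport, dst, dport."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    forward = (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["src_port"], pkt["sport"])
               and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dst_port"], pkt["dport"]))
    if rule["direction"] == "->" or forward:
        return forward
    # '<>' is bidirectional: also accept the packet with the roles swapped
    return (addr_matches(rule["src"], pkt["dst"]) and port_matches(rule["src_port"], pkt["dport"])
            and addr_matches(rule["dst"], pkt["src"]) and port_matches(rule["dst_port"], pkt["sport"]))


if __name__ == "__main__":
    # Constructed packet: an inbound connection to port 22 inside the protected /24.
    pkt = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.20", "dport": 22}
    for text in RULES:
        rule = parse_rule(text)
        print(rule["action"], rule["options"], "matches" if header_matches(rule, pkt) else "no match")
```

Note that Example 1 is a `log` rule, so a matching packet is recorded but raises no alert; that distinction is what lets one SNORT session keep the full traffic archive while another produces alerts from signature rules like Example 2.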
31
Defeating the IDS
  • Encryption
  • Insertion/evasion attacks (requires complete
    reassembly of packets and knowledge of end system
    exception handling)
  • DoS attack (CPU, memory, bandwidth, false
    positives)

32
Signs of Intrusion
  • Unaccountable disk utilization
  • Unaccountable file system modification
  • Unaccountable CPU utilization
  • Network saturation
  • Unknown process using sockets
  • Abnormal network/system activity

33
Forensics
  • After the attack
  • Obtain
  • Attacker(s) IP(s)
  • Time of attack
  • Victim IP, OS, and targeted service
  • Attacker's activity
  • Attacker's objective
  • Damage assessment

34
Forensic Guidance
  • Photograph complete system
  • Take detailed notes
  • ID and secure all compromised systems
  • Preserve evidence (UNIX)
      • who (who is logged on)
      • ls (list of files)
      • ps (list of processes)
      • lsof (open file handles)
      • find (modified files)

35
Forensic Guidance
  • System operations can lie (rootkits)
  • Retain a provable chain of custody for evidence
  • Make bit-image copy of hard drive and verify it
  • Analyze
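The two forensic-guidance slides describe one procedure: capture the volatile state the live system reports (who, ls, ps, lsof, find), then make a bit-image copy of the disk, verify it, and keep a record that proves the evidence has not changed since acquisition. The Python below is an added example of that procedure, not code from the slides or from any forensic tool: it images a source by copying it block for block while hashing the stream, re-hashes the finished image, saves each volatile command's output together with its hash, and writes a manifest as the chain-of-custody record. The command scopes (for example `find /etc -mtime -1`), the examiner name and the "drive" used by `demo()` (a temp file with constructed content) are assumptions of the example; on a real case the source would be the suspect block device and the evidence directory would be on separate media.

```python
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20

# Volatile-state commands from the slide. The scopes (/tmp for ls, /etc for find) are
# constructed for the example; a real case would cover the file systems of interest.
VOLATILE_COMMANDS = {
    "who": ["who"],
    "ls": ["ls", "-lat", "/tmp"],
    "ps": ["ps", "aux"],
    "lsof": ["lsof", "-n", "-P"],
    "find": ["find", "/etc", "-mtime", "-1"],
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, image_path):
    """Bit-for-bit copy of `source` (block device or file) into `image_path`. The source
    stream is hashed as it is read and the finished image is hashed again; the image is
    trusted only when both digests agree."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return {"source": source, "image": image_path,
            "source_sha256": h.hexdigest(), "image_sha256": sha256_file(image_path)}


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (for example before analysis) and compare with the record."""
    return sha256_file(image_path) == expected_sha256


def collect_volatile(evidence_dir, commands=VOLATILE_COMMANDS):
    """Save the output of every volatile-state command present on this host, plus its hash.
    These outputs come from the live system and a rootkit can falsify them, so they are
    leads to be checked against the offline image, not ground truth."""
    collected = {}
    for name, argv in commands.items():
        if shutil.which(argv[0]) is None:
            continue
        out_path = os.path.join(evidence_dir, f"{name}.txt")
        with open(out_path, "wb") as out:
            try:
                subprocess.run(argv, stdout=out, stderr=subprocess.STDOUT, check=False, timeout=60)
            except subprocess.TimeoutExpired:
                out.write(b"\n[timed out]\n")
        collected[name] = {"command": " ".join(argv), "sha256": sha256_file(out_path)}
    return collected


def write_manifest(evidence_dir, examiner, image_record, volatile_records):
    """Chain-of-custody record: who acquired what, when, and the digests proving it is unchanged."""
    manifest = {"acquired_utc": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
                "image": image_record, "volatile": volatile_records}
    path = os.path.join(evidence_dir, "manifest.json")
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2)
    return path


def demo():
    """Round trip on a constructed 'drive' (a temp file), including a tamper check."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        device = os.path.join(evidence_dir, "constructed_disk.bin")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB of constructed content
        image = os.path.join(evidence_dir, "disk.img")
        record = image_device(device, image)
        verified = record["source_sha256"] == record["image_sha256"] and \
            verify_image(image, record["image_sha256"])
        with open(image, "r+b") as f:  # simulate a later, unauthorised change to the image
            f.seek(100)
            f.write(b"\x00")
        tamper_detected = not verify_image(image, record["image_sha256"])
        manifest = write_manifest(evidence_dir, "examiner-placeholder", record, {})
        return {"verified": verified, "tamper_detected": tamper_detected,
                "manifest_written": os.path.exists(manifest)}


if __name__ == "__main__":
    print(demo())
```

`demo()` deliberately leaves out `collect_volatile()`, whose output depends on the host it runs on; in a real acquisition the order is volatile state first (it is lost at power-off), then the image, then the manifest, and the manifest digests are what a later examiner re-checks with `verify_image()` before trusting the copy.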