Implementing Cisco Cyber Security Operations


2019 CLUS

Implementing Cisco Cyber Security Operations

Paul Ostrowski / Patrick Lao / James Risler, Cisco Security Content Development Engineers

LTRCRT-2222

Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How:

1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.

cs.co/ciscolivebot#LTRCRT-2222

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Goals and Objectives
• Prerequisite Knowledge & Skills (PKS)
• Introduction to Security Onion
• SECOPS Labs and Topologies
• Access SECFND / SECOPS eLearning Lab Training Environment
• Lab Evaluation
• Cisco Cybersecurity Certification and Education Offerings

Goals and Objectives:

Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow.

Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats.

The goal of Cisco’s CCNA Cyber Ops (SECFND / SECOPS) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat-centric security operations center. This session will provide the student with an understanding of Security Onion as an open source network security monitoring (NSM) tool. The student will also explore common attack vectors, malicious activities, and patterns of suspicious behavior typically encountered within a threat-centric Security Operations Center (SOC).

• We will provide you 30 days of continued access to the SECFND and SECOPS Training Portal.

• This training is NOT focused on Cisco’s family of security products and solutions.

Prerequisite Knowledge & Skills (PKS)

• This topic lists the skills, knowledge, and attitudes that students must possess to benefit fully from the labs. It includes recommended Cisco learning offerings that the learner may complete to benefit fully from the labs.

Recommended Prerequisite Skills

• The knowledge, skills, and attitudes that a student is expected to have before attending this course are as follows: Understanding Cisco Cybersecurity Fundamentals (SECFND)

Learning Resources for Prerequisite Skills

• Cisco learning offerings that contribute to the recommended knowledge, skills, and attitudes:

  - CCNA Cyber Ops SECFND #210-250 Official Cert Guide, by Omar Santos, Joseph Muniz, Stefano De Crescenzo
  - CCNA Cyber Ops SECOPS #210-255 Official Cert Guide, by Omar Santos, Joseph Muniz

Introduction to Security Onion

Video

Cisco 2018 Annual Cybersecurity Report Highlights

The Cisco 2018 Annual Cybersecurity Report highlights findings and insights derived from threat intelligence and cybersecurity trends observed over the past 12-18 months by threat researchers and six technology partners: Anomali, Lumeta, Qualys, Radware, SAINT, and TrapX.

Also included in the report are results of the annual Security Capabilities Benchmark Study (SCBS), which this year surveyed 3,600 chief security officers (CSOs) and security operations (SecOps) managers from 26 countries about the state of cybersecurity in their organizations.

The financial cost of attacks is no longer a hypothetical number:

• According to study respondents, more than half of all attacks resulted in financial damages of more than US $500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs.

Source: https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1911494

Cisco 2018 Annual Cybersecurity Report Highlights

Supply chain attacks are increasing in velocity and complexity

These attacks can impact computers on a massive scale and can persist for months or even years. Defenders should be aware of the potential risk of using software or hardware from organizations that do not appear to have a responsible security posture.

• Two such supply chain attacks in 2017, Nyetya and CCleaner, infected users by attacking trusted software.

  o Nyetya (also known as NotPetya) arrived in June 2017. This wiper malware also masqueraded as ransomware, and it used the remote code execution vulnerability nicknamed “EternalBlue,” as well as the remote code execution vulnerability “EternalRomance” (also leaked by Shadow Brokers), and other vectors involving credential harvesting.

  o CCleaner arrived in September 2017 and involved the download servers used by a software vendor to distribute a legitimate software package known as CCleaner. CCleaner’s binaries, which contained a Trojan backdoor, were signed using a valid certificate, giving users false confidence that the software they were using was secure.

Source: https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1911494

Cisco 2018 Annual Cybersecurity Report Highlights

Security is getting more complex, scope of breaches is expanding

Defenders are implementing a complex mix of products from a cross-section of vendors to protect against breaches. This complexity and growth in breaches have many downstream effects on an organization's ability to defend against attacks, such as increased risk of losses.

• In 2017, 25 percent of security professionals said they used products from 11 to 20 vendors, compared with 18 percent of security professionals in 2016.

• Security professionals said 32 percent of breaches affected more than half of their systems, compared with 15 percent in 2016.

Trends in malware volume have an impact on defenders' time to detection (TTD)

• The Cisco median TTD was about 4.6 hours for the period from November 2016 to October 2017, well below the 39-hour median TTD reported in November 2015 and the 14-hour median reported in the Cisco 2017 Annual Cybersecurity Report for the period from November 2015 to October 2016.

• The use of cloud-based security technology has been a key factor in helping Cisco drive and keep its median TTD at a low level. Faster TTD helps defenders move sooner to resolving breaches.

Source: https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2

Network Security Monitoring Tool

• A Network Security Monitoring (NSM) tool is software that collects, maintains, processes, and presents network security monitoring data (security-related events).

• The Security Operations Center (SOC) analyst examines the data produced by the network security monitoring tool. Without NSM data, SOC analysts could not perform their job effectively; without NSM tools, SOC analysts would not have network data to analyze.

• An NSM can enhance network visibility by using context-rich telemetry and threat-based intelligence collected from within the network infrastructure.

Network Security Monitoring Using Security Onion

• Security Onion is an open source Linux distribution that focuses on NSM. Security Onion is used for log management, intrusion detection and network security event monitoring. The distribution is managed by Security Onion Solutions. Many of the tools that comprise the Security Onion NSM have broad community support.

• Security Onion Solutions provides a straightforward installation package for the network security monitoring space. Security Onion Solutions also offers training and support services for the distribution.

• Security Onion can be deployed as a simple standalone system where one network interface card (NIC) is used for management and one or more additional NICs are used for monitoring security events on the network.

• Security Onion can also scale using a distributed deployment where one system acts as the master server and the monitoring duties are spread across multiple sensor systems.

Security Onion Core Components

Core Primary Functions:

Full packet capture:

• netsniff-ng

Network-based (NIDS) and Host-based (HIDS) Intrusion Detection Systems:

• NIDS:

  - Rules-driven NIDS alerts from Snort or Suricata in passive mode (not NIPS inline mode)

  - Analysis-driven NIDS from the Zeek (Bro) Network Security Monitor (traffic is captured via a SPAN port, TAP or packet broker)

    Zeek v2.6.2 (Bro) is a protocol parsing engine that provides three key network security capabilities: Traffic Logging (generates comprehensive, protocol-specific network traffic logs for 35+ protocols: DNS, HTTP, files), Automated Analysis (traffic analysis using Bro scripts), and File Extraction (extracts and re-assembles any file type off the wire)

• HIDS: Wazuh (pronounced “wah-zoo”) replaced OSSEC and is used to monitor/defend Security Onion. Add Wazuh agents to endpoint hosts.

Syslog data received by Zeek (Bro) or syslog-ng

Powerful Data Analysis Tools:

• Sguil Analyst Console / Squert PHP Web Interface / Kibana (Squert and Kibana can pivot to CapMe to retrieve full packet captures)
• Wireshark
• NetworkMiner
• ELSA / Elastic Stack® (ELK)
• CyberChef

Source: https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion

Simplified Security Onion Architecture

The Security Onion architecture is more robust than is conveyed in the figure above. The figure serves to introduce the complexity of and interactions between the NSM tools in Security Onion. The tools in the bottom row are largely dedicated to the collection and production of raw NSM data. The tools/components in the middle row are associated with the optimization and maintenance of the data. For example, Zeek (Bro), Wazuh (OSSEC), and syslog-ng all produce flat files with one log entry per line. The ELSA system takes this raw data and organizes it into a relational MySQL database, using high-performance Sphinx indexing. The tools listed in the top row are responsible for the presentation of the data to the SOC analyst.

Security Onion with Elastic Stack®

Security Onion migrated from ELSA to the Elastic Stack® (“Hybrid Hunter”). The new Elastic Stack® components are built from Docker container images based on CentOS 7:

Elastic Stack® Core Components:

• Beats® - lightweight data shipper server agent that sends specific types of operational data to Logstash and Elasticsearch
• Logstash® - data ingestion engine; parses and formats logs
• Elasticsearch® - ingests and indexes logs; large, scalable search engine based on Apache Lucene
• Kibana® - offers web-based visualizations of ingested log data and data exploration

Elastic Stack® Auxiliary Components:

• Curator - manage indices through scheduled maintenance
• ElastAlert - query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information
• FreqServer - detect DGAs and find random file names, script names, process names, service names, workstation names, TLS certificate subjects and issuer subjects, etc.
• DomainStats - get additional info about a domain by providing additional context, such as creation time, age, reputation, etc.

ELSA reached End Of Life status on October 9, 2018. Security Onion will not provide any updates or support for ELSA.

Source: https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture
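Two of the points on these slides can be shown in working code: Zeek (Bro) writes flat TSV logs with one entry per line and a `#fields` header naming the columns (the architecture slide), and FreqServer flags DGA-style names by how unusual their character sequences are (the auxiliary components list). The Python below is an added example, not code from the slides, from Security Onion or from FreqServer: it parses a constructed dns.log excerpt and scores each queried name against a character-bigram frequency table built from a constructed list of ordinary domain names. The log lines, the training names, the `UNSEEN_PROB` smoothing floor and the `SUSPICIOUS_BELOW` threshold are all assumptions made for the example.

```python
"""Added example (not Security Onion's or FreqServer's own code).

parse_zeek_log() reads Zeek's flat TSV log format (one entry per line, a
'#fields' header naming the columns). bigram_score() applies the kind of
character-frequency test FreqServer uses to spot DGA-style names, using a
table built from a constructed list of ordinary domain names.
"""
from __future__ import annotations

import math
import re
from collections import Counter

# Constructed Zeek dns.log excerpt. Real logs carry more columns and a
# '#separator' line; the parser keys only on '#fields', so both are handled.
ZEEK_DNS_LOG = """\
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1561000000.123456\tCabc123\t10.0.0.5\t51234\t10.0.0.53\t53\tudp\twww.example.com\tA\tNOERROR
1561000001.234567\tCabc124\t10.0.0.5\t51235\t10.0.0.53\t53\tudp\tmail.example.org\tA\tNOERROR
1561000002.345678\tCabc125\t10.0.0.7\t51236\t10.0.0.53\t53\tudp\txkqzvwjtplrmhg.net\tA\tNXDOMAIN
1561000003.456789\tCabc126\t10.0.0.7\t51237\t10.0.0.53\t53\tudp\tqwpzjxvkrltbdn.com\tA\tNXDOMAIN
#close\t2019-06-20-00-00-05
"""

# Constructed "ordinary" names used to build the frequency table. A production
# table would be trained on a large corpus of known-good names (assumption).
ORDINARY_NAMES = [
    "example.com", "www.example.org", "mail.example.net", "cdn.example.com",
    "www.cisco.com", "securityonion.net", "github.com", "wikipedia.org",
    "update.microsoft.com", "login.live.com", "ntp.ubuntu.com",
    "archive.ubuntu.com", "static.example.net", "google.com",
]

UNSEEN_PROB = 1e-5        # smoothing floor for bigrams never seen in training (assumed)
SUSPICIOUS_BELOW = -3.0   # mean log10 bigram probability; tune on real data (assumed)


def parse_zeek_log(text: str) -> list[dict[str, str]]:
    """Turn Zeek TSV text into one dict per log entry, keyed by '#fields' names."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #path, #types, #close and similar lines are metadata
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch on line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def _letters(name: str) -> str:
    """Keep only a-z so dots, digits and case do not skew the bigram statistics."""
    return re.sub(r"[^a-z]", "", name.lower())


def build_bigram_table(names: list[str]) -> dict[str, float]:
    """Relative frequency of every adjacent letter pair across the training names."""
    counts: Counter[str] = Counter()
    for name in names:
        s = _letters(name)
        counts.update(s[i:i + 2] for i in range(len(s) - 1))
    total = sum(counts.values())
    return {bg: n / total for bg, n in counts.items()}


def bigram_score(name: str, table: dict[str, float]) -> float:
    """Mean log10 probability of the name's bigrams; lower means more random-looking."""
    s = _letters(name)
    bigrams = [s[i:i + 2] for i in range(len(s) - 1)]
    if not bigrams:
        return SUSPICIOUS_BELOW  # too short to judge; treat as borderline
    return sum(math.log10(table.get(bg, UNSEEN_PROB)) for bg in bigrams) / len(bigrams)


def flag_suspicious(log_text: str, table: dict[str, float] | None = None,
                    threshold: float = SUSPICIOUS_BELOW) -> list[tuple[str, float]]:
    """Return (query, score) for every dns.log entry whose name scores below threshold."""
    table = table or build_bigram_table(ORDINARY_NAMES)
    hits: list[tuple[str, float]] = []
    for rec in parse_zeek_log(log_text):
        score = bigram_score(rec["query"], table)
        if score < threshold:
            hits.append((rec["query"], round(score, 2)))
    return hits


if __name__ == "__main__":
    table = build_bigram_table(ORDINARY_NAMES)
    for rec in parse_zeek_log(ZEEK_DNS_LOG):
        print(f"{rec['query']:<22} {rec['rcode_name']:<9} "
              f"score={bigram_score(rec['query'], table):6.2f}")
    print("suspicious:", flag_suspicious(ZEEK_DNS_LOG, table))
```

Run it directly to print every query with its score and the flagged subset. The two random-looking names fall well below the threshold because most of their letter pairs never occur in the training set, while the ordinary names score near the frequency of common pairs; in a deployment the table is trained on a large known-good corpus, the threshold is tuned against it, and a low-scoring name paired with an NXDOMAIN answer (both visible in the same dns.log row) is the combination worth alerting on.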


Security Onion with Elastic Stack®

A Very Brief Introduction to Linux (Docker) Containers

Linux containers are standalone, lighter-weight virtualization alternatives to virtual machines that package code, system tool libraries, and settings in a ‘portable’ capsule or bottle.

• Containers are isolated from each other and bundle their own application, tools, libraries, and configuration files.

• Containers can communicate with each other through overlay network subsystems.

• All containers are run by a single host operating-system kernel and are thus more lightweight than virtual machine images. Containers rely on the host kernel's functionality and use resource isolation for CPU and memory resources and separate namespaces to isolate the application's view of the operating system.

• Unlike a virtual machine image, which requires a hypervisor (VMware, VirtualBox), containers do not utilize a hypervisor. Containers are created from images that can either be stateful (using persistent storage) or stateless.

• Why the change from Ubuntu DEB packages (used in Security Onion) to Docker images?

  o Docker images are easier to build and maintain and will allow support for other distros, like CentOS.

Fun Fact: there is no formal definition of a Linux “container.” Most people identify a Linux container with keywords like: LXC, libvirt, Docker, Kubernetes, namespaces, cgroups, CoreOS rkt, BSD jails, Zones.

Source: https://en.wikipedia.org/wiki/Docker_(software)

Security Onion with Elastic Stack®

Security Onion Architecture using Elastic Stack® (ELK)


Security Onion / Open Source Tools

argus - http://www.qosient.com/argus/

"Argus is a data network transaction auditing tool that categorizes network packets that match the libpcap filter expression into a protocol-specific network flow transaction model. Argus reports on the transactions that it discovers, as periodic network flow data, that is suitable for historical and near real-time processing for forensics, trending and alarm/alerting."

barnyard2 - http://www.securixlive.com/barnyard2/

"Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic."

Bro (Zeek) - http://zeek.org/

"Zeek (Bro) provides a comprehensive HIDS/NIDS platform for network traffic analysis."

https://github.com/Security-Onion-Solutions/security-onion/wiki/Bro

CapME - http://chaosreader.sourceforge.net/

CapMe will download a pcap file and view a pcap transcript rendered with tcpflow and Zeek (Bro) (especially helpful for dealing with gzip encoding)

Source: https://github.com/Security-Onion-Solutions/security-onion/wiki/Tools

Recommended publications
  • A Decryption Process for Android Database Forensics

    A Decryption Process for Android Database Forensics

    International Journal of Computer Sciences and Engineering Open Access Research Paper Vol.-7, Issue-3, March 2019 E-ISSN: 2347-2693 A Decryption Process for Android Database Forensics Nibedita Chakraborty1*, Krishna Punwar2 1,2Dept. of Information Technology and Telecommunication, Raksha Shakti University, Ahmedabad, India *Corresponding Author: [email protected], Tel.: 7980118774 DOI: https://doi.org/10.26438/ijcse/v7i3.2326 | Available online at: www.ijcseonline.org Accepted: 18/Mar/2019, Published: 31/Mar/2019 Abstract— Nowadays, Databases are mostly usable in business applications and financial transactions in Banks. Most of the database servers stores confidential and sensitive information of a mobile device. Database forensics is the part of digital forensics especially for the investigation of different databases and the sensitive information stored on a database. Mobile databases are totally different from the major database and are very platform independent as well. Even if they are not attached to the central database, they can still linked with the major database to drag and change the information stored on this. SQLite Database is mostly needed by Android application development. SQLite is a freely available database management system which is specially used to perform relational functional and it comes inbuilt with android to perform database functions on android appliance. This paper will show how a message can be decrypted by using block cipher modes and which mode is more secured and fast. Keywords—Database Forensics,Mobile Device ,Android,SQLite, Modes, Tools I. INTRODUCTION In android mobile phone device, SQLite is mainly based on ACID properties docile relational database management Database is an assemble form of interrelated data which is system.
  • Design Document for IP Fabrics

    Design Document for IP Fabrics

    Design Document for IP Fabrics Author: May06-15 (Network Forensic UI) Andy Heintz (Communication Leader) Abraham Devine (Webmaster) Altay Ozen (Team Leader and Team Key Concept Holder) Dr. Joseph Zambreno (Adviser) Curt Schwaderer (Client) Version Date Author Change 1.0 10/26 AH Created initial version of design document 2.0 11/23 AH Created final version of design document Table of Contents 1 Problem Statement.................................................................................................................... 3 2 System Design ........................................................................................................................... 4 2.1 System Requirements................................................................................................................................ 4 2.2 Functional Requirements .......................................................................................................................... 4 2.3 Functional Decomposition ........................................................................................................................ 5 2.4 System Analysis ....................................................................................................................................... 6 3 Detailed Design ......................................................................................................................... 7 3.1 Input / Output Specification .....................................................................................................................
  • Hands-On Network Forensics, FIRST 2015

    Hands-On Network Forensics, FIRST 2015

    2015-04-30 WWW.FORSVARSMAKTEN.SE Hands-on Network Forensics Workshop Preparations: 1. Unzip the virtual machine from NetworkForensics_ VirtualBox.zip on your EXTENSIVE USE OF USB thumb drive to your local hard drive COMMAND LINE 2. Start VirtualBox and run the Security Onion VM IN THIS WORKSHOP 3. Log in with: user/password 1 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Hands-on Network Forensics Erik Hjelmvik, Swedish Armed Forces CERT FIRST 2015, Berlin 2 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Hands-on Network Forensics Workshop Preparations: 1. Unzip the virtual machine from NetworkForensics_ VirtualBox.zip on your EXTENSIVE USE OF USB thumb drive to your local hard drive COMMAND LINE 2. Start VirtualBox and run the Security Onion VM IN THIS WORKSHOP 3. Log in with: user/password 3 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE ”Password” Ned 4 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE SysAdmin: Homer 5 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE PR /Marketing: Krusty the Clown 6 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Password Ned AB = pwned.se 7 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE pwned.se Network [INTERNET] | Default Gateway 192.168.0.1 PASSWORD-NED-XP www.pwned.se | 192.168.0.53 192.168.0.2 [TAP]--->Security- | | | Onion -----+------+---------+---------+----------------+------- | | Homer-xubuntu Krustys-PC 192.168.0.51 192.168.0.54 8 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Security Onion 9 FM CERT 2015-04-30 WWW.FORSVARSMAKTEN.SE Paths (also on Cheat Sheet) • PCAP files: /nsm/sensor_data/securityonion_eth1/dailylogs/ • Argus files:
  • Network Intell: Enabling the Non-Expert Analysis of Large Volumes of Intercepted Network Traffic

    Network Intell: Enabling the Non-Expert Analysis of Large Volumes of Intercepted Network Traffic

    Chapter 1 NETWORK INTELL: ENABLING THE NON- EXPERT ANALYSIS OF LARGE VOLUMES OF INTERCEPTED NETWORK TRAFFIC Erwin van de Wiel, Mark Scanlon and Nhien-An Le-Khac Abstract In criminal investigations, telecommunication wiretaps have become a common technique used by law enforcement. While phone-based wire- tapping is well documented and the procedure for their execution are well known, the same cannot be said for Internet taps. Lawfully inter- cepted network traffic often contains a lot of encrypted traffic making it increasingly difficult to find useful information inside the traffic cap- tured. The advent of Internet-of-Things further complicates the pro- cess for non-technical investigators. The current level of complexity of intercepted network traffic is close to a point where data cannot be analysed without supervision of a digital investigator with advanced network knowledge. Current investigations focus on analysing all traffic in a chronological manner and are predominately conducted on the data contents of the intercepted traffic. This approach often becomes overly arduous when the amount of data to be analysed becomes very large. In this paper, we propose a novel approach to analyse large amounts of intercepted network traffic based on network metadata. Our approach significantly reduces the duration of the analysis and also produces an arXiv:1712.05727v2 [cs.CR] 27 Jan 2018 insight view of analysing results for the non-technical investigator. We also test our approach with a large sample of network traffic data. Keywords: Network Investigation, Big Data Forensics, Intercepted Network Traffic, Internet tap, Network Metadata Analysis, Non-Technical Investigator. 1. Introduction Lawful interception is a method that is used by the police force in some countries in almost all middle-to high-level criminal investigations.
  • Securing Infrastructure-As-A-Service Public Clouds Using Security Onion

    Securing Infrastructure-As-A-Service Public Clouds Using Security Onion

    Securing Infrastructure-as-a-Service Public Clouds Using Security Onion MIKAIL, Abdullahi and PRANGGONO, Bernardi <http://orcid.org/0000-0002- 2992-697X> Available from Sheffield Hallam University Research Archive (SHURA) at: http://shura.shu.ac.uk/23927/ This document is the author deposited version. You are advised to consult the publisher's version if you wish to cite from it. Published version MIKAIL, Abdullahi and PRANGGONO, Bernardi (2019). Securing Infrastructure-as-a- Service Public Clouds Using Security Onion. Applied System Innovation, 2 (1). Copyright and re-use policy See http://shura.shu.ac.uk/information.html Sheffield Hallam University Research Archive http://shura.shu.ac.uk Article Securing Infrastructure-as-a-Service Public Clouds Using Security Onion Abdullahi Mikail and Bernardi Pranggono * Department of Engineering and Mathematics, Sheffield Hallam University, Howard Street, Sheffield S1 1WB, UK; [email protected] * Correspondence: [email protected] Received: 17 December 2018; Accepted: 23 January 2019; Published: 30 January 2019 Abstract: The shift to Cloud computing has brought with it its specific security challenges concerning the loss of control, trust and multi-tenancy especially in Infrastructure-as-a-Service (IaaS) Cloud model. This article focuses on the design and development of an intrusion detection system (IDS) that can handle security challenges in IaaS Cloud model using an open source IDS. We have implemented a proof-of-concept prototype on the most deployed hypervisor—VMware ESXi—and performed various real-world cyber-attacks, such as port scanning and denial of service (DoS) attacks to validate the practicality and effectiveness of our proposed IDS architecture.
  • CIT 485: Network Forensics

    CIT 485: Network Forensics

    CIT 485/585 Network Forensics The primary objective of this assignment is to learn a process for investigating security incidents and to give students practice analyzing such an incident using captured network data. 1S TUDENT LEARNING OUTCOMES 1. Describe digital evidence and how the type of legal dispute affects evidence used to resolve it. 2. Describe the steps of the OSCAR network forensics methodology. 3. Identify and decode protocols used on non-standard ports. 4. Investigate suspicious network data for malicious activity. 2D IGITAL EVIDENCE Digital evidence refers to any data collected in digital form from any computer, whether that computer is a desktop, mobile device, game console, printer, or IoT device. A primary goal of digital forensics is ensuring evidence integrity, the preservation of evidence in its original form. Evidence integrity is supported by a chain of custody, a set of documentation that describes the acquisition, copying, and analysis of digital evidence. As analysis of digital data often changes that data (reading a file will not modify the file itself but will change the last accessed time on the file), cryptographic checksums such as SHA-256 are often used to ensure that copies of digital evidence match the original evidence. Details of digital evidence handling are discussed in CIT 430: Computer Forensics. Digital evidence in a criminal case is returned through an inventory of items take through a search warrant. Any devices that may contain an embedded computer can contain digital evidence. Defense attorneys can request an invetory of items and obtain forensic copies of the data from those devices.
  • Network Forensics

    Network Forensics

    Network Forensics Michael Sonntag Institute of Networks and Security What is it? Evidence taken from the “network” In practice this means today the Internet (or LAN) In special cases: Telecommunication networks (as long as they are not yet changed to VoIP!) Typically not available “after the fact” Requires suspicions and preparation in advance Copying the communication content At the source (=within the suspects computer): “Online search” This could also be a webserver, e.g. if it contains illegal content “Source” does NOT mean that this is the client/initiator of communication/… At the destination: See some part of the traffic Only if unavoidable or the only interesting part Somewhere on the way of the (all?) traffic: ISP, physically tapping the wires, home routers etc. Network Forensics 2 Problems of network forensics “So you have copied some Internet traffic – but how is it linked to the suspect?” The IP addresses involved must be tied to individual persons This might be easy (location of copying) or very hard “When did it take place?” Packet captures typically have only relative timestamps But there may be lots of timestamps in the actual traffic! As supporting evidence to some external documentation “Is it unchanged?” These are merely packets; their content can be changed Although it is possible to check e.g. checksums, this is a lot of work and normally not done Treat as any other digital evidence Hash value + Chain of Custody; work on copies only Network Forensics 3 Scenario Suspect: Mallory Malison; released
  • Guide to Computer Forensics and Investigations Fourth Edition

    Guide to Computer Forensics and Investigations Fourth Edition

    Guide to Computer Forensics and Investigations Fourth Edition Chapter 11 Virtual Machines, Network Forensics, and Live Acquisitions Objectives • Describe primary concerns in conducting forensic examinations of virtual machines • Describe the importance of network forensics • Explain standard procedures for performing a live acquisition • Explain standard procedures for network forensics • Describe the use of network tools Guide to Computer Forensics and Investigations 2 Virtual Machines Overview • Virtual machines are important in today’s networks. • Investigators must know how to detect a virtual machine installed on a host, acquire an image of a virtual machine, and use virtual machines to examine malware. Virtual Machines Overview (cont.) • Check whether virtual machines are loaded on a host computer. • Check Registry for clues that virtual machines have been installed or uninstalled. Network Forensics Overview • Network forensics – Systematic tracking of incoming and outgoing traffic • To ascertain how an attack was carried out or how an event occurred on a network • Intruders leave trail behind • Determine the cause of the abnormal traffic – Internal bug – Attackers Guide to Computer Forensics and Investigations 5 Securing a Network • Layered network defense strategy – Sets up layers of protection to hide the most valuable data at the innermost part of the network • Defense in depth (DiD) – Similar approach developed by the NSA – Modes of protection • People • Technology • Operations Guide to Computer Forensics and Investigations
  • Contents in Detail

    Contents in Detail

    CONTENTS IN DETAIL ACKNOWLEDGMENTS xv INTRODUCTION xvii Why This Book? .....................................................................................................xvii Concepts and Approach ........................................................................................xviii How to Use This Book ............................................................................................. xix About the Sample Capture Files ................................................................................ xx The Rural Technology Fund ....................................................................................... xx Contacting Me ........................................................................................................ xx 1 PACKET ANALYSIS AND NETWORK BASICS 1 Packet Analysis and Packet Sniffers ............................................................................. 2 Evaluating a Packet Sniffer ............................................................................ 2 How Packet Sniffers Work............................................................................. 3 How Computers Communicate.................................................................................... 4 Protocols ..................................................................................................... 4 The Seven-Layer OSI Model .......................................................................... 5 Data Encapsulation .....................................................................................
  • Comparing SSD Forensics with HDD Forensics

    Comparing SSD Forensics with HDD Forensics

    St. Cloud State University theRepository at St. Cloud State Culminating Projects in Information Assurance Department of Information Systems 5-2020 Comparing SSD Forensics with HDD Forensics Varun Reddy Kondam [email protected] Follow this and additional works at: https://repository.stcloudstate.edu/msia_etds Recommended Citation Kondam, Varun Reddy, "Comparing SSD Forensics with HDD Forensics" (2020). Culminating Projects in Information Assurance. 105. https://repository.stcloudstate.edu/msia_etds/105 This Starred Paper is brought to you for free and open access by the Department of Information Systems at theRepository at St. Cloud State. It has been accepted for inclusion in Culminating Projects in Information Assurance by an authorized administrator of theRepository at St. Cloud State. For more information, please contact [email protected]. Comparing SSD Forensics with HDD Forensics By Varun Reddy Kondam A Starred Paper Submitted to the Graduate Faculty of St. Cloud State University in Partial Fulfillment of the Requirements for the Degree Master of Science in Information Assurance May 2020 Starred Paper Committee: Mark Schmidt, Chairperson Lynn Collen Sneh Kalia 2 Abstract The technological industry is growing at an unprecedented rate; to adequately evaluate this shift in the fast-paced industry, one would first need to deliberate on the differences between the Hard Disk Drive (HDD) and Solid-State Drive (SSD). HDD is a hard disk drive that was conventionally used to store data, whereas SSD is a more modern and compact substitute; SSDs comprises of flash memory technology, which is the modern-day method of storing data. Though the inception of data storage began with HDD, they proved to be less accessible and stored less data as compared to the present-day SSDs, which can easily store up to 1 Terabyte in a minuscule chip-size frame.
  • Linux Networking Cookbook.Pdf

    Linux Networking Cookbook™, Carla Schroder. Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo.

    Linux Networking Cookbook™ by Carla Schroder. Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

    O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected].

    Editor: Mike Loukides. Indexer: John Bickelhaupt. Production Editor: Sumita Mukherji. Cover Designer: Karen Montgomery. Copyeditor: Derek Di Matteo. Interior Designer: David Futato. Proofreader: Sumita Mukherji. Illustrator: Jessamyn Read. Printing History: November 2007: First Edition.

    Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. The Cookbook series designations, Linux Networking Cookbook, the image of a female blacksmith, and related trade dress are trademarks of O’Reilly Media, Inc. Java™ is a trademark of Sun Microsystems, Inc. .NET is a registered trademark of Microsoft Corporation. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
  • Wireshark & Ethereal Network Protocol Analyzer

    Visit us at www.syngress.com

    Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

    SOLUTIONS WEB SITE: To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

    ULTIMATE CDs: Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

    DOWNLOADABLE E-BOOKS: For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

    SYNGRESS OUTLET: Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

    SITE LICENSING: Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations.
