Event Analysis Training

Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!

by Paul Asadoorian on March 3, 2011

There are a variety of indicators that a system has been compromised, ranging from the obvious to the very subtle. If your web site looks like the above image, you may have been compromised. Less obvious indications of a compromise include increased bandwidth, subtle IDS alerts (such as those indicating anomalous behavior) and mysterious configuration changes on systems. The questions that are typically asked include "How did they get in?" and "What did they do?" Tenable's Passive Vulnerability Scanner (PVS) provides useful information for answering these questions. Following are some of the alerts PVS may generate during an intrusion:

Analyzing the Compromise - without Going Hungry

by Paul Davis on February 21, 2011

It's 4:55 PM on a Friday and you are looking forward to an enjoyable dinner with your family. Your Blackberry starts buzzing from across your desk while your inbox starts filling up with alerts from your SecurityCenter along with frantic emails from Human Resources. It seems a disgruntled employee named Jack Black quit today and nobody remembered to tell the IT group to disable his accounts until after important files started disappearing. Suddenly, you are stuck in Incident Response mode, gathering data on the user's activities. Do you cancel your reservations? Fortunately, you have deployed Tenable Network Security's Unified Security Monitoring products, and have a wide array of resources[1] at hand to streamline the response process. These resources include SecurityCenter, the Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). At a high level, what can these resources do for you?

SecurityCenter

SecurityCenter provides a unified view of both vulnerability and event data along with the alerting, ticketing and reporting required for thorough user forensics.

Passive Vulnerability Scanner

PVS not only tracks vulnerabilities, but logs user and network activities detected in real-time on the wire. These activities include:

Event Analysis Training - Analyzing Outbound SQL Queries

by Ron Gula on June 30, 2010

If you have a SQL server on your network, you know how important it is to monitor transactions to identify suspicious activity. The Passive Vulnerability Scanner (PVS) can sniff SQL traffic in real-time and then send syslog data to the Log Correlation Engine (LCE) that looks like this:

<36> Jun 21 08:34:05 pvs: 149.X.X.X:0|149.X.X.X:0|7019|Database command logging|version: 1.19 PVS has observed the following command from a database client to the database server (206.X.X.X): SELECT COUNT(CASE WHEN e.EmailType = 'User' OR t.ProcessType = 'Borrowing' THEN 1 ELSE null end) as Borrowing,|INFO

Event Analysis Training – Passive Worm Detection

by Ron Gula on April 16, 2010

This blog entry describes a basic worm detection that triggers multiple types of correlation rules. All detections were done passively using the Passive Vulnerability Scanner (PVS) and by observing network session traffic using the Log Correlation Engine (LCE). The principles in this blog entry and others in our "Event Analysis Training" blog series can be used with a variety of NBAD, IDS and SIM solutions.

Event Analysis Training – Analyzing Blacklisted Web Traffic

by Ron Gula on January 5, 2010

Previously, we've blogged about the various advantages and disadvantages of using reputation-based analysis of NetFlow, firewall and network sessions for event analysis. The basic concept is to use an external source of "bad guy" IP addresses from commercial providers or free providers such as the SANS Internet Storm Center and see if any of your network IP addresses communicate with them.

Event Analysis Training – Basic Virus Analysis

by Ron Gula on October 27, 2009

I recently worked with a customer who asked for advice on the following “virus” events: They were seeing “virus” traffic more or less continually. If you run a network IDS, and operate a busy email server, you will likely sniff virus traffic contained in inbound email messages.

Event Analysis Training – More SSH Worm Analysis

by Ron Gula on October 13, 2009

I recently observed an SSH worm in progress at one of the research sites running our suite of products. I was looking into a spike of SSH events that had been alerted on by the Log Correlation Engine's stats daemon. Filtering on the remote IP address (which came from the Class A address space) that was causing the anomalies displayed this screen:

Cyberdawn - A Diverse Cyber Exercise - Part II

by Paul Asadoorian on October 9, 2009

Passwords are just so easy to abuse... It was interesting to see that the top scorer in the game (who went by the handle of "ftp", and coincidentally had 21 scores in the first day of game play!) did not use fancy new exploits, 0day attacks or a wide range of open-source or even commercial tools. He was able to gain access to systems because the teams left default or easily guessable passwords set on some of the Linux servers. He used SSH to log in to the systems, then SCP to upload some Python code that was used to update the scoring engine. From there he was able to maintain access, not by rootkit technology or anything sophisticated, but just by hiding in plain sight. The Python script makes a TCP connection to the scoring server and sends a message. It was moved into a file called "/dev/vfat" to make it look like a system file. Next, a shell script was written to call the Python script every ten minutes. This file was called "getty" and ran in the background, and was also inserted into the startup scripts to ensure it kept running. The teams never found these processes running and "ftp" won the game, no exploits required.

Hacker "ftp" at work, winning the game using built-in tools such as bash, Python and SSH.

Cyberdawn - A Diverse Cyber Exercise - Part I

by Paul Asadoorian on October 7, 2009

Cyber Exercise

Over this past weekend I attended Cyberdawn, a cyber exercise that was hosted by Battlefield High School in Haymarket, Virginia.

Sidebar: What is a Cyber Exercise?

"A cyber exercise is a live computer network attack and defense event. A typical exercise runs at least one day for a small team and up to five days for large organizations or multiple teams. Teams generally fall into two categories: attackers (Red Team) and defenders (Blue Team). Defenders are scored on their ability to keep their IT systems up and functional in support of their business processes. Attackers are scored on their ability to disrupt business operations." See http://www.whitewolfsecurity.com for more information.

Event Analysis Training – “Could you look at some odd IRC Connections?”

by Ron Gula on July 29, 2009

At one of the research sites that we monitor, an analyst noted that a few servers were consistently making a large number of IRC connections. These connections occurred in a periodic manner and appeared to be automated. This blog entry describes the various steps taken in analyzing the connections and historical data. We used Tenable's log analysis, network monitoring and passive profiling solutions to perform this analysis, but the principles could be applied to various SIMs, NBADs and analytical tools.