Tag Archives: NetWitness Investigator

July 25, 2012

RSA NetWitness: An Anatomy Of An Attack

Here is a post from my friend Aamir Lakhani’s blog about RSA NetWitness. The original can be found at Cloud Centrics (http://www.cloudcentrics.com/). Really good post on NetWitness.

RSA NetWitness

RSA NetWitness is a unique solution that captures, store and analyze network data traffic. This gives you the able to see exactly what comes in and goes out of the network in real time . In simple terms, RSA offers to you a Network CCTV. Not only that, NetWitness also allows you to see the traffic in action as it reconstructs the data that flows through the network into its original format according to its own type or application. This helps you strengthen your security measures by taking appropriate action. On top of that, since all traffic is captured and stored, you will be able to go back to a particular period of time and conduct historical data analysis. Nothing escapes undetected.

RSA NetWitness delivers an innovative fusion of hundreds of log data sources with external threat intelligence to enterprises; enabling extraordinary broad and high-speed visibility into the critical information needed to help detect targeted, dynamic and stealthy attack techniques.

Why is it important?

NetWitness records all network activity. The benefits of this forensic analysis cannot be matched by any other product. NetWitness will truly allow you to investigate what happened on the network.

More importantly, since NetWitness sees and records everything on the network, it is very easy for the product to detect threats as they are occurring. This gives administrators an opportunity to stop attacks before they cause damage on the network.

Recording all network activity with forensic accuracy and analyzing current threats in real time provides situational awareness and insight for threats on existing infrastructure devices. Typically, when systems are discovered to be compromised, the systems are imaged, and software is reinstalled. However, many people don’t actually figure out the root cause of the problem. How did the system originally get compromised and what measures should be used to prevent it from happening again? In addition, if one machine is compromised, chances are high that others will be as well.

Why are these attacks difficult to detect? The answer is that these threats originate from the inside, or trusted areas of the network. The most common network threats involve a failure in internal security. This includes APTs, Botnets, Phishing attacks, social network information leakage, and product patches.

Security fails and systems get breached because many people do not take the threat seriously or make an effort to learn about it. It takes a proactive approach to be secure and protected against threats.

Furthermore, many organizations have processes in place that actually do more harm than good. These procedures that are supposed to help an organization’s security posture degrade it instead. This is partly to do with people and attitude, but also partly to do with outdated ways of thinking about security mixed with inadequate technologies.

Anatomy of an attack

Here is an example: Zeus was a popular attack last year that stole and spread through internal networks. Zeus is a Trojan horse that steals banking information by Man-in-the-browser, keystroke logging and Form Grabbing. Zeus spread mainly through drive-by downloads and phishing schemes.

Zeus was successful because it was a well-crafted phishing attack. Victims received an email that looked interesting to them. They were instructed to download a report from what appeared to be a legitimate website. In reality, the report was a Trojan horse that allowed attackers to control the victim’s system. The hosting website was in China.

A capture (report) from NetWitness showed that the originating server of Zeus went to a command and control server in China. The program that the user downloaded allowed attackers from the Chinese server to have control of the users’ system. From that point on, it was trivial for them to exploit other systems on the users’ network.

Most anti-virus agents did not detect Zeus. Later, Zeus disabled anti-virus agents using a variety of schemes – mostly by redireiting anti-virus updates to a 127.0.0.1 IP address.

Since NetWitness recorded all network traffic, it recorded what systems were compromised, communications with systems in China, and what was being transferring. When internal systems initiate a connection and transfer files, NetWitness captures that traffic.

NetWitness is the only security tool that provides complete visibility on a network. It shows when attacks are occurring in real-time and gives an organization the ability to detect and stop those attacks.

Rating: 5.0/5 (2 votes cast)

3 Comments

Filed under Security Management & Analysis

Tagged as Aamir Lakhani, advanced persistent threat, APT, botnets, CCTV, Cloud Centrics, Compliance, Continuous Controls Monitoring, continuous monitoring, Continuous Monitoring Architecture, Continuous Monitoring Solution, Data Loss Prevention, data traffic, DLP, EMC security, end point management, forensics, Home, http://www.cloudcentrics.com/, information leakage, Informer, Investigator, Joey, Joey Muniz, joseph, joseph muniz, keyloggers, lan security, malware, malware defense, Muniz, NetWitness, NetWitness Investigator, network forensic, network forensics, network security, nextgen, pen testing, Penetration Testing, phishing, phishing attack, phishing defense, RSA, Security, Security Information And Event Management, SEM, SIEM Technology, siemlink, SIM, Spectrum, trojan horse, visualize, World Wide Technology, world wide technology inc., wwt

July 20, 2012

Defending Against Distributed Denial Of Services DDoS Attacks

If you are internet facing, you are vulnerable to Distributed Denial of Services or DDoS attacks. Attacking network services is on the rise as the price for computing power decreases and people become more dependent on technology. Studies from leading service providers show DDoS attacks have grown from 9 to 500 Gbps in the last five years. Botnets are becoming an underground commodity that can be rented for as low as 10 dollars an hour to launch strategic DDoS attacks. Governments are investing in military strategies based on the ability to interrupt enemy computer services through targeted DDoS attacks. These attacks are indeed a weapon of mass disruption.

Most customers who survive a DDoS attack will experience serious downtime and lost revenue. Older DDoS attacks primary involved saturating bandwidth and network services with bogus traffic. The latest trend of DDoS attacks are targeting applications, which are harder to detect and require less computing power to execute. Some DDoS attacks focus on security tools (example overloading TCP state tables) so the security defenses become bottlenecks and eventually the source of network failure. Other DDoS attacks target key infrastructure such as DNS or other critical services. The area of risk for DDoS is pretty much your entire network.

Companies tend to point blame at their service provider for external DDoS attacks. Service providers offer limited protection due to regulations and unable to deal with data once it leaves their control. There are companies such as Neustar, Prolexic and VeriSign that provide 24/7 DDoS monitoring services and help leading service providers battle DDoS attacks. While monitoring services is a good option, the best approach is to invest in your own DDoS defenses against insider threats, external flooding and targeted application attacks.

Advanced insider threats are difficult to identify. Standard security solutions leverage signature and behavior based technologies however most attackers have knowledge of these defenses. To bypass these solutions, attackers develop day zero targeted threats that throttle their activity to stay under the radar. One way to catch this behavior is leveraging NetFlow using tools like Lancope (more found HERE). Another way is monitoring packets on the wire using tools like NetWitness (more found HERE). Security Information and Event Management (SIEM) tools are a popular way to view events from multiple security solutions so administrators can quickly identify an attack (more found HERE). Best practice is monitoring the wire along with leveraging a management system aggregating events from all internal security devices.

External threats such as targeted DDoS attacks are tougher to deal with. Large vendors like Junipor and Cisco have partnered with the leader for this space, Arbor Networks to address the DDoS landscape (Example Cisco and Arbor released “Clean Pipes” explained HERE.) Arbor offers perimeter and cloud based solutions that address flooding and application attacks. They also offer correlation between their products, cloud updates from their security center and reputation scoring from their large client base. Their flagship solution is Prevail (see screenshots). Prevail makes it easy to understand traffic patterns, identify threats and react to attacks by switching from low to high interrogation of traffic for specific protection groups. Check out their website for more information on their solutions.

MAIN DASHBOARD

Viewing Protection Groups

Viewing Top Talkers

DDoS is a serious threat vector since standard security solutions focus on Integrity and Confidentiality but not Availability. My expectation is there will be a lot more DDoS attacks in the news. Hopefully it’s not your organization on the front page.

Rating: 5.0/5 (1 vote cast)

1 Comment

Filed under Internet Defense, Security Management & Analysis

Tagged as Access Control, advanced persistent threat, application attacks, APT, arbor, Arbor networks, ASERT, ATF, ATLAS, attackers, behavior, bogus traffic, Botnet Threat Mitigation, Cisco, Clean Pipes, Cloud Signaling, Compliance, cyber, DDoS, denial of service, Distributed Denial Of Services, DoS, EMC, EMC security, external attack, flooding, hacker, hackers, Home, Investigator, isp, Joey, Joey Muniz, joseph, joseph muniz, LanCope, mass disruption, Muniz, netflow, NetWitness, NetWitness Investigator, network security, Neustar, Peakflow, pravail, prevail aps, Prolexic, RSA, saturating bandwidth, Security, service provider security, signature, Spectrum, VeriSign, volumetric, World Wide Technology, world wide technology inc., wwt

November 25, 2011

Test The Strength Of Your Security

Many agencies spend millions on security each year. Security investments range from firewalls to contractors, which spending is typically based on weighing risk of loss against cost to protect. Sometimes it’s difficult to evaluate the return on investment for security since the desired end result is not being compromised rather than a particular outcome that can be measured. Studies show regardless of the level of spending for security, the majority of IT management doesn’t know how effective their defenses are against today’s threat landscape. Here are some ways to evaluate the strength of your security.

Secure all access points to your network

* Security is as strong as your weakest link. Make sure all access points are secured or you will eventually be compromised. The common access points are Email, Web, LAN, Wireless, VPN, Data Center, Endpoint (laptops, desktops, etc.) and Mobile Devices.

Scan desktops and servers for vulnerabilities

* Tools are available for penetration testing such as Saint, Tenable, Core Impact and Rapid 7. The concept is simple … test for the same vulnerabilities hackers use to access your network. Penetration tools look for open ports, unpatched servers and other means hackers could use to compromise your equipment. The industry leaders typically can test all network nodes and include recommendations for remediation.

Evaluate network traffic for malicious intent

* Network forensic tools are available for capturing and categorizing network traffic (Example HERE). You will not know you are compromised if none of your security devices are triggered. Looking at traffic at the packet level can identify unknown communication through unrecognized ports, traffic with foreign entities or other red flags that indicate you have been compromised. Typically forensic skillsets are required to identify threats however manufactures like NetWitness offer great tools for simplifying packet level analytics.

Include failsafe security solutions that rate your existing toolsets

* Best practice is to test the effectiveness of your existing security toolsets. The most popular method is placing honeypots on your network with the goal of luring hackers who bypass your security into highly monitored systems. Other toolsets are available for testing your signature and behavior based tools such as Spectrum by NetWitness that can flag if specific threats could bypass your security. Another interesting tool is by FireEye that runs threats in a virtualized honeypot to identify malicious behavior.

Standardize and monitor your network device configurations

* Enforce a baseline template for all network devices to avoid vulnerable configurations and software. Network management tools by SolarWinds, Cisco, EMC, etc. can enforced standardized code and configurations as well as monitor if changes are made. I personally like 360GRC’s ConfigScan for evaluating configurations for vulnerabilities specified by industry standards.

Profile all devices on the network.

* Use a profiling tool such as Cisco ISE or Greatbay to identify what types of devices are on your network based on how they communicate. You may be surprised to find a few Xboxes hidden in a corner office.

Categorize Sensitive Data.

* Data Loss Prevention (DLP) leaders such as RSA and Symantec offer various tools that locate and categorize sensitive data. Make sure sensitive data is controlled and protected.

Test your staff with social engineering attacks.

* People will always be your weakest link. The only way to improve this is through training. I’ve seen customers use social engineering attacks on their users and show the results as a means of training. There are many online forums that can assist with developing your social engineering training strategy.

Periodically audit your network.

* Use unbiased consultants to help you understand how vulnerable you are.

Rating: 0.0/5 (0 votes cast)

4 Comments

Filed under General Security, Security Management & Analysis

Tagged as 360GRC, Access Control, ATP, audit your network, Categorize Sensitive Data, Cisco, Cisco Network Compliance Manager, ConfigScan, core impact, Data Loss Prevention, DLP, EMC, EMC Voyence, end point management, fireeye, Greatbay, honeypot, Identity Services Engine, ISE Profiling, Joey, Joey Muniz, joseph, joseph muniz, mobile, mobile device, mobile device management, mobile device security, NAC, NCM, NetWitness, NetWitness Investigator, network access control, Network Compliance Manager, network forensic, network security, Opsware, rapid 7, RSA, Saint, Security, security audit, Security investments, social engineering, Spectrum, Symantec, Tenable, test security, Voyence, vulnerabilities, wireless security, World Wide Technology, world wide technology inc., wwt

October 3, 2011

What Malicious Traffic Is On Your Network? Use Free Tools To Find Out : Wireshark and NetWitness

How secure is your home or corporate network? Many administrators believe they are protected behind layers of security solutions such as firewalls, IPS/IDS appliances, endpoint security products, content filters, SIEMs, etc. Regardless of your investment in security technology there will always be risk, which dramatically increases as soon as people are included in the equation. One way to verify your risk level is to become the hunter rather than hunted by scanning all traffic on your network for malicious behavior. You may be surprised to find an unpatched server leaking sensitive information through hidden ports or bots hidden on your personal computer phoning home in the middle of the night!

There are vendors and consultants that can offer scanning services, which usually are extremely pricey but worth every penny. Regardless, some of us don’t have the budget or would like to test our home network and can’t justify purchasing enterprise level technology for one or two computers. For those use cases, there are open source tools available for performing packet captures. One of the most widely used open source tools is Wireshark. Wireshark provides detailed information about network traffic down to the packet level. Unfortunately many administrators don’t understand the information being displayed by protocol analyzers such as Wireshark. For some people it’s like staring at the matrix code, which only trained security analyst are capable of seeing the blond, brunette and redheads. NetWitness offers a free threat analysis tool called NetWitness Investigator that quickly translates a large packet capture session into readable data. For example, Investigator may reveal your home network is sending large amounts of data to other countries, which is a pretty good indicator that you have a problem.

Using WireShark:

You can download WireShark from HERE

Once downloaded and installed, open WireShark
Click capture from the top menu.
You will see the capture options
Choose the interface you want to capture (Ethernet, wireless, etc.)
Tune things as you see fit or leave them default and click start
You should see packets flowing on the screen. If not, you have not selected a live interface.
One way to see which interfaces are seeing data is clicking capture followed by capture interfaces. You will see which interfaces see packets via the counters.
Once your done, save your capture and move to NetWitness.

Using NetWitness Investigator:

You can download NetWitness Investigator from HERE

Once downloaded and installed, open NetWitness Investigator
Right click the left column under Demo Collection and select new local collection
Give it a name and click OK
Click your new folder and select import packets
Select your wireshark capture.
Double click the folder and your capture will be presented
Click any selection on the left to dive deeper into your capture.
Look for odd behavior such as weird ports, destinations, countries, etc.

It’s important to test the security status of your network. Many malicious applications are designed by hackers to be hidden using stealthy techniques that can’t be seen without a packet capture tool. Both Wireshark and NetWitness Investigator are free yet powerful tools you can use to detect communication from hidden malicious applications.

Rating: 3.0/5 (2 votes cast)

2 Comments

Filed under Security Management & Analysis

Tagged as botnets, bots, contextual analysis, ethereal, Investigator, Joey, Joey Muniz, joseph, joseph muniz, Live capture, malicious applications, malware, Muniz, NetWitness, NetWitness Investigator, network assessment, network protocol analyzer, open source, open source tools, packet capture, packet capture tool, protocol analyzer, protocol analyzers, riverbed technology, RSA, scan for malware, scan for viruses, threat analysis, threat analysis application, virus, viruses, Wireshark, World Wide Technology, world wide technology inc., wwt

Tag Archives: NetWitness Investigator

What Malicious Traffic Is On Your Network? Use Free Tools To Find Out : Wireshark and NetWitness

Search

Topics

Cisco ISE Documentation

Subscribe

Blogroll