TRANSCRIPT
Network Intrusion Detection on the Cheap
Kevin Savoy, CPA, CISA, CISSP
Audit Director and ISO
Brad Hypes, CPA, CISA
Audit Manager and Deputy ISO
Who we are
• 115 total auditors (11 teams)
• ISS (dedicated IT auditors): 10
• IT Data Analysis auditors: 10
• IT Project Management auditors: 8
• Two part-time Information Security Officers
• Audits: State CAFR, Financial Statement, Statewide Single Audit, Courts, Performance
Page 2http://www.apa.virginia.gov
Types of IT Audits
• Policies and Procedures
• Compliance
• Network (firewalls, routers, VPNs, etc.)
• Application
• Database
• Operating Systems (UNIX, Windows, etc.)
Agenda
• Why
• Tools and how
• Findings
• Examples
• Conclusion
Why
• We all agree that security monitoring of IT systems is a best practice and a compliance issue as well.
• There are many vendor solutions to address network traffic security, server access, log archiving and inspection.
• However, sometimes an agency does not have the financial resources for a robust Security Information and Event Management (SIEM) solution.
Why
Virginia’s security standard alone mentions:
• Audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior.
• Designate individuals responsible for the development and implementation of information security logging capabilities, as well as detailed procedures for reviewing and administering the logs.
• Monitor IT system event logs in real time, correlate information with other automated tools, identifying suspicious activities, and provide alert notifications.
• VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
Why
• Many of you have probably audited an agency that, when asked what they do with their logs, points to a pile of paper or an electronic file and replies that they don’t look at them.
• Many sys admins (not all) claim that log files are for after action forensics.
• They know deep in their hearts that there is gold in the logs (syslogs); after all, that’s how vendor solutions started.
• Log analysis can act as a preventive control if issues are caught early or can be used to tighten up other controls such as the firewall.
Why
• If your audit shop or agency that you are auditing has a full blown SIEM solution, great!
• What we are about to show you is what we developed to look at our own particular firewall syslog and results!
Why
• We run our process every other week.
• The software solutions we developed use nothing more than Windows.
• Two of us actually meet and look at the outliers and entries that pique our curiosity.
Why
• Yeah, yeah, yeah, this is so “old school”.
• It actually feels good to get back under the hood of the car and see raw data.
• One or two IT pros reviewing logs can’t be a bad thing… here’s what we do…
Attendance Check
• Wake up!!
Step 1 – Link to the Network Log
• In Virginia, we have used data analysis tools for audit techniques, including SQL Developer, Oracle Discoverer, Tableau and others.
• For this first attempt, we decided to use good old-fashioned Microsoft Access
Step 2 – Brainstorm & Write Queries
• What type of activity is a risk to the organization’s data?
• Off-hours authentication attempts
• Multiple denied connection attempts
• Direct connection attempts to sensitive servers
• Connection attempts from known culprits
• Direct connections to servers with known sensitive data
Step 4 – Analyze and Investigate
• Pull out records from the logs that meet the criteria identified as high risk
• We put together our own log to send over to Network Operations to see if any action is necessary
• We contact users who appear on the off-hours queries
Step 4 – Familiarize Yourself with Your Logs
• These records are not exactly plain English, for example:
• :Jul 07 00:00:28 EDT: %ASA-session-6-302015: Built outbound UDP connection 136416112 for Outside:38.229.71.1/123 (38.229.71.1/123) to dmz: xx.xx.xxxx/58811
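The queries brainstormed in Step 2, run over entries in the format of the line above, as an added Python example rather than the presenters’ Access queries: the 12am–4am window, the three-denial threshold, the sensitive-server list and the known-culprit list are assumptions, built connections stand in for authentication events (the slide only shows connection messages), and the sample lines are constructed in the style of the slide’s entry.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample entries in the style of the ASA syslog line on the slide.
# Addresses and ports are made up except the 38.229.71.1/123 NTP entry copied from the slide.
SAMPLE_LOG = """\
:Jul 07 00:00:28 EDT: %ASA-session-6-302015: Built outbound UDP connection 136416112 for Outside:38.229.71.1/123 (38.229.71.1/123) to dmz: 10.0.0.9/58811
:Jul 07 01:12:03 EDT: %ASA-session-6-302013: Built inbound TCP connection 136416200 for Outside:203.0.113.7/51000 (203.0.113.7/51000) to dmz:10.0.0.5/443
:Jul 07 02:30:10 EDT: %ASA-session-4-106023: Deny tcp src Outside:198.51.100.9/60001 dst dmz:10.0.0.5/22 by access-group "outside_in"
:Jul 07 02:30:11 EDT: %ASA-session-4-106023: Deny tcp src Outside:198.51.100.9/60002 dst dmz:10.0.0.5/3389 by access-group "outside_in"
:Jul 07 02:30:12 EDT: %ASA-session-4-106023: Deny tcp src Outside:198.51.100.9/60003 dst dmz:10.0.0.6/445 by access-group "outside_in"
:Jul 07 09:15:44 EDT: %ASA-session-6-302013: Built inbound TCP connection 136420001 for Outside:192.0.2.40/40222 (192.0.2.40/40222) to dmz:10.0.0.9/80
"""

# Header: optional leading colon, timestamp, zone, "%ASA-<class>-<severity>-<msgid>: body".
HEADER = re.compile(r"^:?(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+: %ASA-(?:\w+-)?(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# Built (302013/302015) and Deny (106023) bodies; other message types are ignored.
BUILT = re.compile(r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for \w+:(?P<src>[\d.]+)/\d+ \(.*?\) to \w+:\s*(?P<dst>[\d.]+)/(?P<dport>\d+)")
DENY = re.compile(r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_line(line):
    """Return a field dict for a Built/Deny entry, or None for anything else."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").time(), "msgid": m.group("msgid")}
    for action, pattern in (("built", BUILT), ("deny", DENY)):
        b = pattern.search(m.group("body"))
        if b:
            rec.update(action=action, proto=b.group("proto").upper(), src=b.group("src"),
                       dst=b.group("dst"), dport=b.group("dport"))
            return rec
    return None

def off_hours(records, start=time(0, 0), end=time(4, 0)):
    """Query 1: connections built inside the off-hours window (assumed 12am-4am)."""
    return [r for r in records if r["action"] == "built" and start <= r["time"] < end]

def repeat_deniers(records, threshold=3):
    """Query 2: source IPs denied at least `threshold` times (threshold is an assumption)."""
    counts = Counter(r["src"] for r in records if r["action"] == "deny")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def analyse(text, sensitive=frozenset({"10.0.0.5"}), known_culprits=frozenset()):
    """Run all queries over raw syslog text; sensitive/culprit lists are caller-supplied."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    return {"off_hours": off_hours(records), "repeat_deniers": repeat_deniers(records),
            "sensitive": [r for r in records if r["dst"] in sensitive],   # Query 3, built or denied
            "culprits": [r for r in records if r["src"] in known_culprits]}  # Query 4
```

Each result list is what would be pulled into the log handed to Network Operations in Step 4; tuning the thresholds and lists every run is the refinement loop of Step 7.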
Step 4 – Analyze and Investigate Cont’d
• Research –
Step 4 – Analyze and Investigate Cont’d
• IP Address Research
Step 5 – Compile Results
• Select the highest-risk entries, i.e. those meeting the criteria identified as “high risk”
• Work with Network Operations to identify “true positives” and whether anything needs to be changed in the queries
Example of Entries Sent
Step 6 – Take Action
• Block IP addresses with illegitimate connection attempts
• Block whole ranges of IP addresses
• Zero in on known culprits (i.e. similar ranges/geographic locations that regularly appear) to refine future analyses
• Exclude known connections which do not pose risk
Step 7 – Repeat
• After refining the queries every two weeks, we then began to automate queries
– You can create macros to link to the log files, which are your data sources
– We have also created queries on queries to run multiple queries with one process
Statistics and Results
What did we find?
Caveats
• Not intended to be a full audit of network activity
• Not a representative sample or coverage to conclude on overall risk
• We are okay with some connections made
• Virginia has a broad standard for monitoring for unusual activity
Statistics
• Our VPN generates between ~7M to ~10M log entries in a 24-hour period
• <1M of these occur between 12am and 4am
• ~30%-40% of these entries represent built TCP/UDP connections
• ~20% are denied connection attempts
Geography
• Connections/Attempted Connections traced back to IP addresses in:
• Italy, United Kingdom, India, Korea, Netherlands, Taiwan, China, Indonesia, Seychelles, Russia, Bulgaria
Progress Made
• We have blocked dozens of IP addresses and ranges identified as higher risk
– So far, no one has complained to us about not being able to legitimately access our publicly facing data
• The number of unique IP addresses attempting to access our network over 10k times in 24 hours has decreased by 50%
Unintended Observations
• We have some hard workers!
– People logged on after midnight and before 5am
• We learned which servers are higher risk and what normal connections look like
• We learned where Seychelles is
Conclusion
• Not intended for protection against all risk
• Not a full audit of all network activity
• Interesting to gather statistics on connections, blocked attempts, and geographical data
• Fulfills Virginia’s Security Standard
Questions?