
Network Intrusion Detection on the Cheap

Kevin Savoy, CPA, CISA, CISSP
Audit Director and ISO

Brad Hypes, CPA, CISA
Audit Manager and Deputy ISO


Who we are

• 115 total auditors (11 teams)
• ISS (dedicated IT auditors): 10
• IT Data Analysis auditors: 10
• IT Project Management auditors: 8
• Two part-time Information Security Officers
• Audits: State CAFR, Financial Statement, Statewide Single Audit, Courts, Performance

http://www.apa.virginia.gov


Types of IT Audits

• Policies and Procedures
• Compliance
• Network (firewalls, routers, VPNs, etc.)
• Application
• Database
• Operating Systems (UNIX, Windows, etc.)



Agenda

• Why
• Tools and how
• Findings
• Examples
• Conclusion



Why

• We all agree that security monitoring of IT systems is a best practice and a compliance issue as well.

• There are many vendor solutions to address network traffic security, server access, log archiving and inspection.

• However, sometimes an agency does not have the financial resources for a robust Security Information Event Manager (SIEM) solution.



Why

Virginia’s security standard alone mentions:

• Audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior.

• Designate individuals responsible for the development and implementation of information security logging capabilities, as well as detailed procedures for reviewing and administering the logs.

• Monitor IT system event logs in real time, correlate information with other automated tools, identifying suspicious activities, and provide alert notifications.

• VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.



Why

• Many of you have probably audited an agency that, when asked what they do with their logs, points to a pile of paper or an electronic file and replies that they don’t look at them.

• Many sys admins (not all) claim that log files are for after action forensics.

• They know deep in their hearts that there is gold in the logs (syslogs), after all that’s how vendor solutions started.

• Log analysis can act as a preventive control if issues are caught early or can be used to tighten up other controls such as the firewall.



Why

• If your audit shop or agency that you are auditing has a full blown SIEM solution, great!

• What we are about to show you is what we developed to look at our own particular firewall syslog and results!



Why

• We run our process every other week.

• The software solutions we developed use nothing more than Windows.

• Two of us actually meet and look at the outliers and entries that pique our curiosity.



Why

• Yeah, yeah, yeah, this is so “old school”.

• It actually feels good to get back under the hood of the car and see raw data.

• One or two IT pros reviewing logs can’t be a bad thing. Here’s what we do…



Attendance Check

• Wake up!!



Step 1 – Link to the Network Log

• In Virginia, we have used data analysis tools for audit techniques including SQL Developer, Oracle Discoverer, Tableau & others

• For this first attempt, we decided to use good old-fashioned Microsoft Access



Step 2 – Brainstorm & Write Queries

• What type of activity is a risk to the organization’s data?

• Off-hours authentication attempts
• Multiple denied connection attempts
• Direct connection attempts to sensitive servers
• Connection attempts from known culprits
• Direct connections to servers with known sensitive data



Step 4 – Analyze and Investigate

• Pull out records from the logs that meet the criteria identified as high risk

• We put together our own log to send over to Network Operations to see if any action is necessary

• We contact users who appear on the off-hours queries



Step 4 – Familiarize Yourself with Your Logs

• These records are not exactly plain English

• :Jul 07 00:00:28 EDT: %ASA-session-6-302015: Built outbound UDP connection 136416112 for Outside:38.229.71.1/123 (38.229.71.1/123) to dmz: xx.xx.xxxx/58811



Step 4 – Analyze and Investigate Cont’d

• Research –



Step 4 – Analyze and Investigate Cont’d

• IP Address Research



Step 5 – Compile Results

• Select highest risk entries which meet the criteria of what was identified as “high risk”

• Work with Network Operations to identify “true positives” or whether anything needs to be changed in the queries



Example of Entries Sent



Step 6 – Take Action

• Block IP addresses with illegitimate connection attempts
• Block whole ranges of IP addresses
• Zero in on known culprits (i.e. similar ranges/geographic locations regularly appear) to refine future analyses
• Exclude known connections which do not pose risk



Step 7 – Repeat

• After refining the queries every two weeks, we then began to automate queries
  – You can create macros to link to the log files, which are your data sources
  – We have also created queries on queries to run multiple queries with one process
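As an added example (not the authors’ Access database), here is the Step 1 to Step 4 pipeline in Python: parse ASA syslog lines in the layout shown on the “Familiarize Yourself with Your Logs” slide into an in-memory SQLite table, then run the query categories brainstormed in Step 2 (off-hours activity, multiple denied attempts, connections to sensitive servers) plus the built/denied shares reported under Statistics. The sample log lines, the 12am to 4am window, the denial threshold and the sensitive-server list are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample of Cisco ASA syslog in the layout the deck shows (documentation IPs, not the authors' data).
SAMPLE_LOG = """\
:Jul 07 00:00:28 EDT: %ASA-session-6-302015: Built outbound UDP connection 136416112 for Outside:203.0.113.7/123 (203.0.113.7/123) to dmz: 10.0.0.5/58811
:Jul 07 02:14:03 EDT: %ASA-4-106023: Deny tcp src Outside:198.51.100.9/4432 dst dmz:10.0.0.5/3389 by access-group "outside_in"
:Jul 07 02:14:04 EDT: %ASA-4-106023: Deny tcp src Outside:198.51.100.9/4433 dst dmz:10.0.0.5/3389 by access-group "outside_in"
:Jul 07 02:14:05 EDT: %ASA-4-106023: Deny tcp src Outside:198.51.100.9/4434 dst dmz:10.0.0.6/22 by access-group "outside_in"
:Jul 07 09:30:11 EDT: %ASA-session-6-302013: Built inbound TCP connection 136420001 for Outside:203.0.113.20/51000 (203.0.113.20/51000) to inside:10.0.1.15/443
:Jul 07 22:05:41 EDT: %ASA-4-106023: Deny udp src Outside:192.0.2.44/5060 dst dmz:10.0.0.5/5060 by access-group "outside_in"
"""
# Timestamp, optional message class ("session"), severity, six-digit message ID, then free text.
HEAD = re.compile(r"^:?\w{3}\s+\d{1,2} (\d{2}):\d{2}:\d{2} \w+: %ASA-(?:\w+-)?(\d)-(\d{6}): (.*)$")
SRC = re.compile(r"\b(?:for|src) \w+:\s?([\d.]+)/\d+")   # "for Outside:IP/port" or "src Outside:IP/port"
DST = re.compile(r"\b(?:to|dst) \w+:\s?([\d.]+)/(\d+)")  # "to dmz: IP/port" or "dst dmz:IP/port"
SENSITIVE = ("10.0.0.6",)  # assumed list of servers holding sensitive data

def parse_line(line):
    """One row per recognised entry; None for lines in another layout, so a stray line skips instead of crashing."""
    m = HEAD.match(line)
    if not m:
        return None
    hour, _sev, msgid, text = m.groups()
    action = "built" if text.startswith("Built") else "denied" if text.startswith("Deny") else "other"
    s, d = SRC.search(text), DST.search(text)
    return {"hour": int(hour), "msgid": msgid, "action": action, "src": s.group(1) if s else None,
            "dst": d.group(1) if d else None, "dport": int(d.group(2)) if d else None}

def load(log_text):  # Step 1: link the log to a queryable table (SQLite here; the deck uses Access)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fw(hour INT, msgid TEXT, action TEXT, src TEXT, dst TEXT, dport INT)")
    db.executemany("INSERT INTO fw VALUES(:hour,:msgid,:action,:src,:dst,:dport)",
                   [r for r in map(parse_line, log_text.splitlines()) if r])
    return db

def off_hours(db, start=0, end=4):  # Step 2 query: activity between 12am and 4am (assumed window)
    return db.execute("SELECT src, dst, dport, action FROM fw WHERE hour >= ? AND hour < ?", (start, end)).fetchall()

def repeat_deniers(db, threshold=3):  # Step 2 query: sources with multiple denied connection attempts
    return db.execute("SELECT src, COUNT(*) FROM fw WHERE action = 'denied' GROUP BY src "
                      "HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC", (threshold,)).fetchall()

def sensitive_hits(db, servers=SENSITIVE):  # Step 2 query: direct connection attempts to sensitive servers
    return db.execute(f"SELECT src, dst, dport, action FROM fw WHERE dst IN ({','.join('?' * len(servers))})",
                      servers).fetchall()

def action_shares(db):  # Statistics slide: share of entries that are built vs denied connections
    total = db.execute("SELECT COUNT(*) FROM fw").fetchone()[0]
    return {a: n / total for a, n in db.execute("SELECT action, COUNT(*) FROM fw GROUP BY action")}
```

Each query takes the loaded table, so the same functions can be pointed at a real export by replacing SAMPLE_LOG with the file contents.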



Statistics and Results

What did we find?



Caveats

• Not intended to be a full audit of network activity

• Not a representative sample or coverage to conclude on overall risk

• We are okay with some connections made

• Virginia has a broad standard for monitoring for unusual activity



Statistics

• Our VPN generates between ~7M and ~10M log entries in a 24-hour period
• <1M of these occur between 12am and 4am
• ~30%-40% of these entries represent built TCP/UDP connections
• ~20% are denied connection attempts



Geography

• Connections/Attempted Connections traced back to IP addresses in:

• Italy, United Kingdom, India, Korea, Netherlands, Taiwan, China, Indonesia, Seychelles, Russia, Bulgaria



Progress Made

• We have blocked dozens of IP addresses and ranges identified as higher risk
  – So far, no one has complained to us about not being able to legitimately access our publicly facing data

• The number of unique IP addresses attempting to access our network over 10k times in 24 hours has decreased by 50%



Unintended Observations

• We have some hard workers!
  – People logged on after midnight and before 5am
• We learned which servers are higher risk and what normal connections look like

• We learned where Seychelles is



Conclusion

• Not intended for protection against all risk
• Not a full audit of all network activity
• Interesting to gather statistics on connections, blocked attempts, and geographical data

• Fulfills Virginia’s Security Standard



Questions?
