8/6/2019 ASC Network Forensics
1/13
Network Forensics:
SIEM, the Investigations Triad, and SANS Top-20 Vulnerabilities
CrossTec Corporation | 500 NE Spanish River Blvd, Suite 201 | Boca Raton, FL 33431
www.CrossTecCorp.com | PH: 561.391.6560 | Toll: 800.675.0729 | Fax: 561.391.5820
By:
Albert Caballero CISSP, GSEC, BA MIS Security
Stanley Fidge MCSA, CCNA, Security+, BA MIS Security
Abstract
Vulnerability assessments, forensic investigations, and incident responses are the cornerstones for building a secure and compliant computing environment. Information Technology professionals need to monitor and correlate all of their network and system security events; otherwise it is difficult to effectively manage and maintain relative security. Network forensics is essentially the investigation of all of the packets and events generated on any given network. The better these events can be understood and correlated, the better the chance of detecting an incident, past or present. Security events are at the root of all incidents, and in the digital world, without some combination of correlated security events, it is nearly impossible to know whether an incident has actually occurred. Network events are generated by almost every system, application or device on a network. If these events are not monitored, incidents can occur quite often and go completely unnoticed, or worse, become untraceable. In this case, what you don't know WILL hurt you! The importance of responding to incidents, identifying anomalous or unauthorized behavior, and securing intellectual property has never been greater.
Without security event and vulnerability monitoring, identifying threats and attacks against confidentiality, integrity, or availability becomes much more difficult. Furthermore, there is little chance that any network forensic investigation will be properly conducted, much less successfully, without the retention and correlation of network security event logs. Ideally, an organization should develop clear and concise log management policies, continually train staff in security awareness, and implement new and effective technologies to successfully detect and respond to security incidents. This will also ease the burden of network forensic investigations. Our focus is Security Information and Event Management (SIEM) as it pertains to network forensic investigations, vulnerability management and incident response. Modern voice and data networks integrate past, present, and future technologies in ways that have revolutionized all methods of conducting business in our global economy. This IT revolution has posed some significant challenges to network forensics, including:
- New multi-vendor vulnerabilities are discovered every day, and many unknown vulnerabilities are exploited without ever being detected.
- Tons of dynamic network event data from disparate devices is rarely audited, easily lost, and inadequately stored, making it difficult to maintain log integrity.
- High IDS/IPS false positive rates and information overload from millions of event logs every day haze the accuracy with which IT staff can detect true incidents.
- Correlation of security events to vulnerabilities isn't easy to understand or implement, always requires significant computer security expertise, and is usually quite expensive and time consuming.
Our goal as a research group is to show that before conducting a network forensics investigation, it is critical to assess vulnerabilities and correlate them to intrusion detection alerts using new technologies such as SIEM. We will be using Activeworx Security Center as our network forensic tool of choice.
Network Forensics: The Problem
According to CSO magazine, 46% of CISOs spend up to 33% of their day reading and
analyzing reports generated from their security applications, and in some cases,
CISOs spend up to seven hours per day analyzing such reports!
Issues surrounding network forensics and SIEM tools begin with obtaining the event data in the first place. Many times intrusions occur and the events get deleted by the perpetrator on the system that was compromised. If these events have not been stored or sent to another location, they are usually gone forever. Another obstacle to obtaining network or system events is that appliances and applications that provide this type of capability are usually extremely expensive and difficult to implement, in essence becoming cost prohibitive in terms of ROI. To compound the pressures organizations face in implementing proper network forensics and log management techniques, federal regulations now require organizations to keep all network event data, in some cases for as long as seven years! In that situation there is no choice but to procure expensive archiving equipment and analysis software to monitor and archive network security events, or face ridiculously expensive fines. Organizations can only hope they can prove at some future date that the network security events gathered have not been altered, assuming, of course, they even have any events at all.
Up to 35% of CIOs state that network security improvements topped their to-do lists in 2005 and 2006. 22% of organizations in the United States are not meeting federal regulatory compliance guidelines for incident response, business continuity, disaster recovery, information security or electronic records retention.
Other network forensic problems are due to the deployment of enterprise-wide security hardware appliances and applications from different manufacturers and vendors, implemented at various levels to provide layered security. This defense strategy is effective but provides little rhyme or reason to what is actually happening. Numerous types of disparate devices and event log formats exist, making them difficult to monitor, manage, or correlate for any action, and typically requiring a combination of tools and consoles for an incident to materialize. Also, until recently there has not been an easy way to correlate IDS alerts with firewall logs, system logs, or vulnerability scans. Because IDS is notorious for high false positive rates, a correlated IDS alert is much more meaningful.
Finally, there is general information overload, with millions of appliance, application and system event logs being generated every day. The final result and primary problem with network forensics is the dynamic nature of network event data, and the fact that it is rarely audited, inadequately archived, and easily lost, deleted, or copied.
65% of organizations report that they have not established any Return on Investment (ROI) metrics for security risk management regarding their enterprise networks. 56% of organizational upper management and decision makers rarely or never discuss policies and the need for procedures regarding access to critical information, leaving the tasks solely to IT Security Management and IT Security Technicians to comply with Federal regulations.
The Investigations Triad
All network forensic investigations revolve around what is known as the Investigations Triad. To meet the goals of the Investigations Triad, as it pertains to network forensics, we will use a commercial, software-based SIEM and log management tool called Activeworx Security Center, and we will discuss three main topics:
- Vulnerabilities: Using the SANS/FBI Top 20 Internet Vulnerabilities as our framework, we will use ASC to automate correlation of IDS events to vulnerability scans, in an effort to minimize false positives.
- Intrusion Response: Through event correlation we will see how we can identify if any of these 20 vulnerabilities is being attacked in real time, and thereby hope to improve incident response times and mitigate risk to our assets.
- Investigations: We discuss the importance of archiving and retrieving forensically sound network logs and proving their integrity at a future date.
Figure 1: The Investigations Triad
Implementing real-time network forensic techniques is an effective method of
initially identifying and responding to computer crimes and policy violations. With a
Security Information and Event Management tool, an analyst can monitor, automate and investigate network forensic event data, as well as respond much more quickly to IDS events by minimizing false positives. Correlating security events, investigating and acting according to policy, and properly archiving network and system events over time are critical elements of preparing an organization to be successful in current and future network forensic investigations. In tandem, vulnerability assessment and risk management are required elements of any investigation, to test and verify the integrity of computer systems, servers, and enterprise networks. SIEM, as used to monitor network IDS and provide incident response functions, is desirable because it helps identify anomalies, such as covert channels and intruder attacks using automated tools, and of course helps in correlating these anomalies on the network with system and firewall logs. Computer investigative functions are necessary to manage, protect and maintain the forensic integrity of network-based systems and devices.
Tools of the Trade
As each day passes in our new information society, the complexity increases. As the data made available through these advanced computing technologies becomes more vulnerable to all forms of attack, we need to ensure that we conduct our business and personal lives through safe and secure technological channels. Consolidating current and future computer technologies in an intelligent way is paramount to safely integrating and utilizing the potential of these technologies in e-business, on-line banking, and the rest of our personal communications. A necessary measure is to keep a close eye on your assets, in case of any unauthorized behavior from insiders or outsiders. We have found through our research that Security Information and Event Management (SIEM) tools, such as those provided by CrossTec Corp., Cisco, Arcsight, and a handful of others, attempt to provide a solution that allows security administrators to manage security events quickly and intelligently. Most SIEM tools can correlate, monitor, analyze, and alert technicians about the different information security events and what they are telling them. They also help security analysts and forensic specialists to visualize, query, and examine what is happening in different areas of the network in real time, or analyze an incident which has occurred in the past. In tandem, reports, diagrams, and the ability to replay security events can also be used for intrusion response or forensic analysis of an incident.
Figure 2: Activeworx Security Center
Activeworx Security Center (ASC) is a SIEM software tool that can monitor, analyze, and alert on almost any event generated on your network to ascertain security and forensic information. ASC can also correlate events from different assets with vulnerability scanners in real time. To ease the pain of compliance, the enterprise version of ASC can collect, MD5-checksum and rotate audit logs for every network device, system or application on a network. This helps organizations meet regulatory compliance and be ready for future audits and investigations. Specifically, ASC makes it easy to be compliant and also gives you the power to analyze network events in the way you think is important. When trying to make heads or tails out of how to cover the core components of the Investigations Triad, it becomes difficult to translate these ideas into actual technologies that can do the job. We will provide an example of how each component can be addressed by ASC and SIEM in general.
Vulnerabilities are a crucial and often neglected component of all security programs. Without current vulnerability information on systems, applications and network devices, it is impossible to know where the systems of highest risk, or those most susceptible to attack, are. It is difficult to run vulnerability scans on a consistent basis, primarily because they are time consuming, require a certain level of expertise, and really: what are you going to do with them once you have them anyway? Who even knows which vulnerabilities are important and which ones aren't? Who can tell me when
one of these vulnerabilities is being exploited? Well, the answers are: ASC will correlate them with IDS events, ASC knows what your vulnerabilities are, SANS/FBI knows which are important, and your IDS/IPS devices are the ones that know when you're being attacked! The SANS Institute, together with the FBI, maintains a list of the Top 20 Internet Vulnerabilities. Using this as our framework, we can use ASC and its Correlation Engine to automate the correlation of IDS events to vulnerability scans by CVE reference, to alert us of important events in real time. (To find out more about CVE references, see below under SANS Top 20 Vulnerabilities.)
Figure 3: ASC Built-in IDS Event to High Risk Vulnerability Correlation Rule
Intrusion Response (IR) is not typically associated with network forensic investigations; however, in reality, it remains one of its most important components. Proper IR techniques are what network forensics is all about, and they can make or break an investigation according to how a first response is handled. IR is made more efficient by three main SIEM components: the use of automated Event to Vulnerability correlation as described above, visualization and diagramming of events with drill-down analysis capabilities, and correlation of Event to Event activity on the network.
Figure 4: Event Diagram and Visualization of High Priority Security Events Helps IR
In scenarios where it is necessary to immediately correlate certain types of events to other events happening on the network, there needs to be a quick and effective way to retrieve related information from other devices.
Figure 5: ASC Event to Event Correlation Rule Helps Find Anomalies
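The Event to Event correlation described above, as an added example and not ASC's own rule engine: for each IDS alert it pulls what the firewall and the target host logged for the same source and destination within a time window, and escalates when the firewall let the traffic through and the target then logged a successful login. Every event, address and the escalation logic itself are constructed assumptions for this illustration.

```python
# Added example (not ASC code): a simple event-to-event correlation rule over
# normalized events from three devices. All events below are constructed.
from datetime import datetime, timedelta


def ev(ts, source, kind, src, dst, detail=""):
    """Normalized event record, the common form a SIEM reduces different logs to."""
    return {"ts": datetime.fromisoformat(ts), "source": source, "kind": kind,
            "src": src, "dst": dst, "detail": detail}


# Constructed events from an IDS sensor, a firewall and a host's auth log.
EVENTS = [
    ev("2006-03-01T10:00:00", "ids", "alert", "192.0.2.10", "10.0.0.5", "EXPLOIT A"),
    ev("2006-03-01T10:00:01", "firewall", "accept", "192.0.2.10", "10.0.0.5", "dpt=445"),
    ev("2006-03-01T10:00:20", "host", "login_ok", "192.0.2.10", "10.0.0.5", "user=svc"),
    ev("2006-03-01T10:05:00", "ids", "alert", "192.0.2.11", "10.0.0.9", "EXPLOIT C"),
    ev("2006-03-01T10:05:01", "firewall", "drop", "192.0.2.11", "10.0.0.9", "dpt=135"),
    ev("2006-03-01T10:30:00", "ids", "alert", "192.0.2.12", "10.0.0.5", "EXPLOIT A"),
    ev("2006-03-01T10:30:02", "firewall", "accept", "192.0.2.12", "10.0.0.5", "dpt=445"),
    # login 15 minutes later: outside the 60 s window, so not tied to this alert
    ev("2006-03-01T10:45:00", "host", "login_ok", "192.0.2.12", "10.0.0.5", "user=svc"),
]


def related(alert, events, window=timedelta(seconds=60)):
    """Events from other devices for the same src/dst pair within `window` after the alert."""
    start, end = alert["ts"], alert["ts"] + window
    return [e for e in events
            if e["source"] != "ids"
            and e["src"] == alert["src"] and e["dst"] == alert["dst"]
            and start <= e["ts"] <= end]


def assess(alert, events, window=timedelta(seconds=60)):
    """Escalation rule (an assumption of this example). Returns (verdict, related events)."""
    rel = related(alert, events, window)
    kinds = {(e["source"], e["kind"]) for e in rel}
    if ("firewall", "accept") in kinds and ("host", "login_ok") in kinds:
        return "possible-compromise", rel   # traffic got through and a login followed
    if ("firewall", "drop") in kinds:
        return "blocked", rel               # perimeter stopped it; low priority
    if ("firewall", "accept") in kinds:
        return "reached-target", rel        # got through, no host-side corroboration yet
    return "uncorroborated", rel            # nothing else saw it in the window


def run(events=EVENTS):
    """Verdict for every IDS alert in the event stream."""
    return [(a["detail"], assess(a, events)[0]) for a in events if a["source"] == "ids"]


if __name__ == "__main__":
    for alert in (e for e in EVENTS if e["source"] == "ids"):
        verdict, rel = assess(alert, EVENTS)
        print(alert["ts"].time(), alert["detail"], "->", verdict,
              [f"{e['source']}:{e['kind']}" for e in rel])
```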
Investigations are many times conducted after the incident has occurred. To show that the information you have is forensically sound, the network logs of all assets need to be handled correctly as they are generated on the network. It is no longer sufficient to store logs on end systems and let them overwrite themselves every few days. Regulatory compliance and the need to forensically analyze events are forcing organizations to store network event data over long periods of time and find a mechanism that will allow them
to prove their integrity at a future date. ASC allows for this capability in its new v4 ASCe, which is an enterprise version of the SIEM tool that includes complete log management. Interestingly enough, although SIEM and Log Management are so tightly related, their purposes are completely opposed. Whereas SIEM allows an analyst to discard tons of unnecessary events to pick out the few that are important, the goal of a good Log Management solution is to log every single event from every single device or system on the network and store them to disk for regulatory compliance and future analysis. ASCe will be released this summer according to the manufacturer, and it will support the logging of 20,000 to 30,000 Events Per Second (EPS), 20-to-1 compression of all logs daily, MD5 checksumming and rotation of log files, easy search capabilities on archived audit data, and full integration with its SIEM tool so you can import events that occurred in the past and analyze them today.
Figure 6: ASCe Version 4 Complete Log Management with SIEM Integration
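An added example, not ASCe code, of the checksum-and-rotate log management the Investigations section describes: an active log is rotated into an archive, its size, MD5 and SHA-256 are recorded in a manifest, and a later verification pass proves whether the archived copy is unaltered. The file names, manifest format and sample syslog lines are all constructed.

```python
# Added example (not ASCe code): rotate a log, record checksums, verify later.
import hashlib
import os
import shutil
from datetime import datetime, timezone

MANIFEST = "MANIFEST.txt"   # constructed name; one tab-separated line per archived file


def digests(path):
    """MD5 (the checksum the paper describes) and SHA-256 of a file, streamed in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def rotate(log_path, archive_dir, when=None):
    """Move the active log into archive_dir under a timestamped name, start a fresh
    empty log, and append the archived file's size and checksums to the manifest."""
    when = when or datetime.now(timezone.utc)
    os.makedirs(archive_dir, exist_ok=True)
    base = os.path.basename(log_path)
    archived = os.path.join(archive_dir, f"{base}.{when:%Y%m%dT%H%M%SZ}")
    shutil.move(log_path, archived)       # archived copy is never appended to again
    open(log_path, "wb").close()          # new, empty active log
    md5, sha = digests(archived)
    size = os.path.getsize(archived)
    with open(os.path.join(archive_dir, MANIFEST), "a", encoding="utf-8") as m:
        m.write(f"{os.path.basename(archived)}\t{size}\t{md5}\t{sha}\n")
    return archived


def verify(archive_dir):
    """Recompute checksums for every manifest entry. Returns {filename: True/False};
    a missing file, a changed size, or a digest mismatch all count as failure."""
    results = {}
    with open(os.path.join(archive_dir, MANIFEST), encoding="utf-8") as m:
        for line in m:
            name, size, md5, sha = line.rstrip("\n").split("\t")
            path = os.path.join(archive_dir, name)
            if not os.path.exists(path) or os.path.getsize(path) != int(size):
                results[name] = False
                continue
            results[name] = digests(path) == (md5, sha)
    return results


def demo(workdir):
    """Constructed firewall log lines: rotate, verify, edit the archive, verify again."""
    log = os.path.join(workdir, "firewall.log")
    with open(log, "w", encoding="utf-8") as fh:
        fh.write("Mar 1 10:00:01 fw1 kernel: DROP SRC=192.0.2.10 DST=10.0.0.5 DPT=445\n")
        fh.write("Mar 1 10:00:02 fw1 kernel: ACCEPT SRC=10.0.0.9 DST=10.0.0.5 DPT=80\n")
    archive = os.path.join(workdir, "archive")
    archived = rotate(log, archive, datetime(2006, 3, 1, 10, 5, tzinfo=timezone.utc))
    before = verify(archive)
    with open(archived, "rb") as fh:
        data = fh.read()
    with open(archived, "wb") as fh:      # same-size edit: only the digests reveal it
        fh.write(data.replace(b"DROP", b"PASS", 1))
    after = verify(archive)
    return before, after


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

The manifest only proves anything if it is kept where the log host cannot rewrite it, for instance on the collector or on write-once media; SHA-256 is recorded beside the MD5 the paper describes because MD5 collisions are practical.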
SANS Top 20 Vulnerabilities
Six years ago the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI created a Top 10 list of the most exploited vulnerabilities on the Internet. In the past several years thousands of organizations, public and private, have helped enhance this list to include the Top-20 Internet Security Attack Vectors. Every year SANS and the FBI update this list with the latest vulnerabilities, and it has become the Incident Handler's point of reference when attempting to define a starting point for tracking and monitoring vulnerabilities on any given network. Vulnerable services leading to worms like Blaster, Slammer, and Code Red were all on SANS Top-20 lists before the worms hit the Net, and indeed could have been prevented, or at least detected, had these vulnerabilities been monitored for activity on a network. The SANS Top-20 2006 is a consensus list of vulnerabilities that require immediate remediation and can be found at http://www.sans.org/top20/. The idea of this document is to effectively monitor events coming from IDS/IPS sensors to see if one of these Top-20 vulnerabilities is being attacked; furthermore, these events will be compared against the list only if we know the vulnerability exists on our network. Activeworx Security Center will begin to include these rules built into the product in v4 by using CVE references. CVEs are Common Vulnerabilities and Exposures that are provided by the National Institute of Standards and Technology (NIST), in list format, to help keep track of all the significant vulnerabilities that are discovered throughout the year. Both IDS/IPS sensors and most Vulnerability Scanners already have CVE references built into their events, which gives security teams the ability to correlate, index and easily reference common vulnerabilities and threats on their network as they are happening. The National Vulnerability Database where you can look up these CVEs is found at http://nvd.nist.gov/.
Figure 7: SANS Top-20 Vulnerability Correlation to IDS/IPS Event
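As an added example, not ASC's Correlation Engine, the CVE-reference correlation that both the Vulnerabilities section and this section describe: each IDS alert is checked against the vulnerability scan of its target, only alerts whose referenced CVE the target actually carries are escalated, and a stand-in for the SANS Top-20 mapping decides which of those are critical. The hosts, CVE ids and alerts are constructed placeholders.

```python
# Added example (not ASC code): correlate IDS alerts with vulnerability-scan
# results by CVE reference. All hosts, CVE ids and alerts are constructed.
from collections import defaultdict

# Constructed scan output: target host -> CVE ids the scanner found on it.
# The CVE ids use the real id format but are placeholders, not findings.
SCAN_RESULTS = {
    "10.0.0.5": {"CVE-2006-0001", "CVE-2006-0002"},
    "10.0.0.9": {"CVE-2006-0003"},
}

# Constructed stand-in for the SANS Top-20 / "high risk" CVE mapping the rule uses.
HIGH_RISK = {"CVE-2006-0001", "CVE-2006-0003"}

# Constructed IDS alerts carrying the CVE references sensors attach to signatures.
IDS_ALERTS = [
    {"id": 1, "src": "192.0.2.10", "dst": "10.0.0.5", "sig": "EXPLOIT A", "cve": ["CVE-2006-0001"]},
    {"id": 2, "src": "192.0.2.10", "dst": "10.0.0.5", "sig": "EXPLOIT B", "cve": ["CVE-2006-0003"]},
    {"id": 3, "src": "192.0.2.11", "dst": "10.0.0.9", "sig": "EXPLOIT C", "cve": ["CVE-2006-0003"]},
    {"id": 4, "src": "192.0.2.12", "dst": "10.0.0.7", "sig": "EXPLOIT A", "cve": ["CVE-2006-0001"]},
    {"id": 5, "src": "192.0.2.13", "dst": "10.0.0.5", "sig": "PORTSCAN", "cve": []},
    {"id": 6, "src": "192.0.2.14", "dst": "10.0.0.5", "sig": "EXPLOIT D", "cve": ["CVE-2006-0002"]},
]


def classify(alert, scan, high_risk):
    """Priority of one IDS alert after correlation with the scan by CVE reference.

    critical               target carries the referenced CVE and it is on the high-risk list
    high                   target carries the referenced CVE
    likely-false-positive  target was scanned and carries none of the referenced CVEs
    unknown                alert has no CVE reference, or target was never scanned;
                           such alerts are left unprioritized rather than downgraded
    """
    refs = set(alert["cve"])
    host_vulns = scan.get(alert["dst"])
    if not refs or host_vulns is None:
        return "unknown", "no CVE reference or target not in scan"
    matched = refs & host_vulns
    if not matched:
        return "likely-false-positive", "target does not carry referenced CVE(s)"
    top = matched & high_risk
    if top:
        return "critical", "matches high-risk CVE " + ", ".join(sorted(top))
    return "high", "matches CVE " + ", ".join(sorted(matched))


def correlate(alerts, scan=SCAN_RESULTS, high_risk=HIGH_RISK):
    """Classify every alert and return {priority: [alert ids]} for the analyst queue."""
    buckets = defaultdict(list)
    for alert in alerts:
        priority, _ = classify(alert, scan, high_risk)
        buckets[priority].append(alert["id"])
    return dict(buckets)


if __name__ == "__main__":
    for alert in IDS_ALERTS:
        priority, reason = classify(alert, SCAN_RESULTS, HIGH_RISK)
        print(f"alert {alert['id']} {alert['sig']:<10} -> {priority}: {reason}")
    print(correlate(IDS_ALERTS))
```

Alerts against hosts the scanner never saw stay "unknown" on purpose: an absent scan result is not evidence that the vulnerability is absent.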
Network Forensics: The Solution
An effective information security program needs specific policies and procedures in place to assist with managing information risks, basically a Plan, Do, Act, and Check lifecycle for defined security and forensic policies. Then, technical controls and tools should provide the automated implementation, enablement, enforcement, and monitoring of these policies and procedures. In order to achieve compliance with a number of regulations, organizations must monitor both successful and unsuccessful attempts to access their computer systems. Organizations following these strict policies and regulations constantly seek efficient and cost-effective operational tools to manage information on their network. As the requirements for IT Risk Management become paramount, there will be an increase in the variety of solutions with different cost structures that meet federal regulations and ensure the secure monitoring of network information. ASC can assist organizations in collecting appropriate network event data and maintaining it in a form that can be easily utilized for analysis and reporting during audits, security incidents, or forensic investigations. ASC helps to ensure that policies and procedures are in place to safeguard sensitive data, and audits that event data is accessed only by those with a need to know. ASC also assists in analyzing vulnerability scans to ensure that all flaws in an organization are detected and correlated to possible intrusions. Finally, ASC establishes a baseline of network and system activity for organizational computing environments.
Figure 8: Major Components of SIEM and Log Management
SIEM and Log Management solutions in general, like ASC, can assist in security information and log management as well as regulatory compliance by:
- Aggregating and normalizing event data from unrelated network devices, security devices, and application servers into usable information.
- Analyzing and correlating information from various devices to identify attacks as soon as possible and help respond more quickly to intrusions.
- Conducting network forensic analysis on historical or real-time events through visualization and replay of events.
- Creating customized report formats to adhere to specific compliance regulations.
- Increasing the value and performance of existing security devices by providing a consolidated event management and analysis platform.
- Improving the effectiveness of IT Risk Management personnel and helping them focus on which events are important.
Conclusion
As enterprise networks, voice and data traffic, and the number of end users continue to grow, the need and requirements for stable and all-inclusive SIEM and Log Management also grow. Tools such as these are rising to the forefront of information warfare as one of the best methods of strategically detecting and responding to attacks. Integrating the layers of security devices already in place with any future information
assurance technologies is not an easy task. In order to efficiently monitor and understand your attackers, a SIEM tool is a huge help. Many surveys reveal that 60% of security breaches are internal, but 70% of IT and IT security staff are more concerned about attackers on the outside. Some organizations even spend 90% of their security efforts on firewalls alone. Project Management and Cost/Benefit Analysis need to be implemented in order to save time and money in deciding at which layer to implement new information assurance measures, what policies and procedures to create, and what software and hardware to purchase. SIEM and Log Management help focus IT security measures to more effectively protect hosts as well as the network perimeter, perform and automate network forensic analysis, automate regulatory compliance as it pertains to log retention, and help you visualize and report on your network in real time.
Network forensics is a real-world method of initially identifying and responding to computer crimes and policy violations, not just investigating historical incidents. Major advances in event analysis and correlation allow Information Assurance technicians to counteract threats more quickly than ever, and these advances have been made available for the benefit of all Information Technology (IT) staff, especially IT Security Managers, Auditors, and CISOs, who are the ones held accountable. With a SIEM, an analyst can analyze, replay, and investigate network forensic data. Moreover, the correlation and proper storage of these network security events is a crucial part of preparing an organization to be successful in present and future forensic investigations. A substantial number of suspicious security events occur and go undetected within most enterprise networks and computer systems every day.