SlideShare uma empresa Scribd logo

Discovery of Compromised Machines

Anton Chuvakin
Anton Chuvakin

This document discusses methods for reliably detecting compromised machines on a corporate network. It outlines signs that a machine may be compromised, such as the presence of backdoors, malware, or unauthorized access. It then evaluates different detection methods based on the resources and data available, ranging from low reliability (firewall data) to high reliability (system administrator access). Complex patterns and correlation of data sources can increase detection quality over single sensors. Commercial security information management platforms can automate this analysis. Manual review of logs and system files can also be effective at compromise detection.

Tecnologia
1 de 6
Discovery of Compromised Machines Dr. Anton Chuvakin WRITTEN: 2003 DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful for to my readers, please keep in mind that is was possibly written years ago. Also, keep in mind that some of the URL might have gone 404, please Google around. One of the latest security books I read had a fascinating example in the preface. The authors, well-known and trustworthy experts in the field of security, made an outrageous claim that most of the Fortune 2000 companies are already penetrated by hackers (and have been in that state for years!). Hackers move in and out at will through the backdoors and other covert channels without the security personnel knowing or even suspecting it. Without being able to verify whether this claim is true or false, I decided to look at the problem of reliably discovering the compromised machines on corporate networks. Reliability is of key importance here as there are lots of ways to obtain a suspicion that the machine is “owned” or infected, but sadly there are few truly reliable ways to discover that short of full forensic analysis, likely requiring physical access to a machine as well as shutting it down for a potentially long time. In addition, as advanced blackhat community moves beyond buffer overflows into new exploit type areas and zero-days attacks (with non-public exploits against non-public vulnerabilities) have a chance of becoming more common, traditional intrusion detection rates might decrease even further, giving defenders no chance to detect, let along stop the attack. Obviously, in case of a zero-day, detecting a second order (i.e. after-exploit) traces becomes the only option, as the attack itself will most likely fly through most network security monitoring gear, by the very nature of being a “zero-day”. Some of the existing attacks can also be mutated and optimized to pass through some of the detection filters. First, let us outline what we mean by a “compromised” machine. A machine is considered “compromised” if: • It was successfully exploited and used by attackers • It has a backdoor or other malicious software running without the knowledge of the system owner • It was configured to allow access to unauthorized parties without the owner knowing it Here are some examples of the above that most people running the real-world networks can identify with:
Example 1 A system is infected by a worm and then starts sending out humongous amounts of malicious traffic, trying to spread the infection in the organization’s network and beyond Example 2 System access privileges on the exposed FTP server are abused and it is then taken over by amateur attackers to store and share their stash of porn and pirated software Example 3 A server is exploited by attackers and a rootkit is deployed. Several system binaries are trojaned for easier and more covert attacker access. Also installed is an IRC bot that “calls home“ to a specific channel for commands. The above example might give the reader some hints on how to detect a compromise in those specific cases, but we will treat the problem in a more general fashion. Let us first look at the current technologies used for detecting the activities of the attackers. There are attack detection systems (often mislabeled as “intrusion detection”) that look for various attack attempts and probes. Then, there are intrusion detection systems that look for known intrusion methods utilized by hackers. Here, however, we are talking about reliable compromise detection - detecting the machines that were attacked, intruded and are now used by either human attackers or their automated aides – malware. As noted above, reliability of detection is critical since stakes here are much higher than in attack and intrusion detection; the alerts we will raise will be immediately actionable (unlike what is coming from most deployed NIDS). It will be “your machine was hacked and is now used by attackers, run there and do something” vs “it seems like somebody might be attacking you or something of that sort, you might want to pay attention.” How can we detect that the machine is indeed compromised? The answer heavily depends upon what kind of information and tools are available as well as the position of the user. It is one thing to only go by the firewall data relevant to the potentially compromised machine and it is completely different if we have full access to the hardware, OS and application for such system in the forensics environment. Realizing the benefits from the latter case obviously requires access to a skilled computer forensics professional as well as significant time investment. To get some background let’s briefly review some common activities occurring on the systems compromised by attackers. These signs were discovered by the author over the years of the honeypot research with the Honeynet Project as well as by other related efforts. Obviously, they refer to activities by the outside attackers and not by malicious insiders. 1. A backdoor daemon can be launched by an attacker on a high-numbered port or an existing daemon trojaned. This is observed in most compromise cases. 2. Installing an IRC bot or bouncer is a popular choice. Several IRC channels dedicated entirely for communication of the servers compromised by a particular group were observed on several occasions 3. In this age of DDoS and reflexive DoS, the classic point-to-point DoS tools are not laid to rest. They are commonly used on some compromised machines to deal quick damage against the opponents on slower connections
4. Many attackers will use the compromised system for vulnerability scanning and widespread exploitation. Used scanners and auto-rooters are capable of discovering and exploiting massive (thousands and more) numbers of systems within a short time period. Such large networks can be (and are!) used for devastating denial of service attacks 5. Using a compromised machine to store pirated software or media is common as well. On a high bandwidth servers, people are known to store gigabytes of “stuff” with active download and uploads occurring all the time. It is worthwhile to note that one is often not required to exploit the server to use it for storage, since enough servers are misconfigured with extra privileges given to all connecting users. 6. “Earning” some cash by getting involved in stolen credit card trade (see http://www.honeynet.org/papers/profiles/cc-fraud.pdf for detailed reference) is a new choice, rapidly growing in popularity. Such activity utilized IRC with specially modified “trading” bots 7. Another money-making “venture” is sending spam or “loaning” a compromised box to spammers for a reasonable fee. 8. Another ominous activity is using the compromised machine for a “phishing” site. Attackers were observed to deploy a fake bank site and then launch waves of spam emails attracting visitors to be separated from their cash. In light of the above, we can summarize some of the compromise detection methods, given different available resources (both technical and human). Last column in the tables below indicates detection reliability in the absence of any other information, ranging from highly uncertain (‘low’) to immediately actionable (‘high’). This subjecting rating, originating in author’s experience with compromised systems, still provides a useful metric of how much trust should be put into each event. We will start from simple compromise-related events and indicators. Security technology/ Method Example Reliability resource NIDS Compromise Shell commands on Medium signature SSL port TCP 443 NIDS Post exploit activity ‘whoami’ in Medium command flow NIDS Volume of Lots of SSL hits out Medium outbound exploits (same or different) NIDS Volume of Lots of SSL hits out High outbound exploits after the system is after a similar hit by SSL exploit inbound exploit NIDS, firewall Outbound massive Many connections Medium port scanning, DoS, to port 1434 UDP etc from a single system HIDS Abuse-related New account Medium system log records created HIPS Application Connections, Medium
behaving registry access, file significantly replacements different from known good The above provides a surprising conclusion: event if your system spews forth- malicious exploits, everything might be totally OK with it and no risk will exist. The reasons is simple: ‘false alarms’ (and, specifically, their most famous variety – ‘false positives’). For example, it is rather common to see a corporate HTTP proxy generate an inordinate number of web exploits (such as long URLs, suspicious characters and strings in URLs, etc) just because a large number of web users tries to access various web sites. Now we will look at other, more circumstantial and complex patterns: Security technology/ Method Example Reliability resource Firewall, router, switch Connections to new Multiple systems Medium ports on the system connecting to port TCP 12345 on the same box Firewall, router, switch New connections or IRC (TCP 6667) High attempts from connections from machine to outside system Vulnerability scanner New open ports 12345 TCP open Medium (known backdoors) Network monitoring Unusual Lots of connections High system connectivity from an to port 6667 TCP to internal system to a set of servers outside from a single internal system Network monitoring An unusually high A SYN flood from Medium system volume of traffic an internal system from an internal system Anti-virus or anti- A warning message Backdoor.IRC.Bot High spyware software about a Trojan that running cannot be cleaned or stopped However, even anti-virus solutions have false positives! Thus, even the supposedly unambiguous ‘Trojan or backdoor alert from an AV might well be a false alarm. It is worthwhile to note that some of the above are facilitating by correlating NIDS data with other kinds of data (such as firewall or host or a different NIDS) and thus arriving to a conclusion that the target is compromised via automated rule-based correlation. Also, correlation technology can automate investigative process by looking at other related activities occurring at the time of the attack. As a result, we arrive at higher compromise
detection quality than using the output of a single NIDS sensor. However, if lacking a good correlation engine, the analyst can perform the same steps manually, even if not in real-time. A recent security book by Richard Bejtlich “Tao of Network Security Monitoring” covers some of the techniques. We will now look at the most reliable indicators, with larger resource constraints: Security technology/ Method Example Reliability resource System admin New files, accounts, New ‘rewt’ account High processes (see “SANS Intrusion Discovery Cheatsheet”) More of such techniques are summarized in SANS Intrusion Discovery sheets (available at www.sans.org for Linux and Windows systems). The techniques do require a console access to a system and thus are hard to scale to a large environment. Now we will discuss how one can use the above methodology in production environments. The ideal way to apply most of the above guidance in an automated fashion is to set up a some kind of multi-vendor database with events, alerts, log records from various installed security devices and then to apply rules (also known as “correlation rules”) across those events either historically across stored events or in real- time across the event feed. For example, one can easily look for events from a network IDS indicating exploitation attempts that are then shortly followed by multiple outbound connections (such as IRC, see above examples) Commercial SIM (Security Information Management) products have that capability. A budding open source product of the same kind (OSSIM www.ossim.org ) starts to develop it as well. The techniques can also be applied manually by looking through the logs, To conclude, various techniques to discover compromised machines are a very handy tool to deal with attackers of all skill levels. Contrary to popular wisdom, it doesn’t not always require expensive forensics services, but can be performed using collected network and system logs and other sources of information. ABOUT THE AUTHOR: This is an updated author bio, added to the paper at the time of reposting in 2009. Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management
(see list www.info-secure.org) . His blog http://www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.

Recomendados

Ransomware all locked up book
Ransomware all locked up bookRansomware all locked up book
Ransomware all locked up bookDiego Souza
 
Denial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideDenial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideImperva
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS AttackRedZone Technologies
 
Implementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud networkImplementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud networkSalam Shah
 
Defense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningDefense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningeSAT Publishing House
 
Analysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackAnalysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackGavin Davey
 
Cyber security
Cyber security Cyber security
Cyber security ankit yadav
 

Recomendados

Ransomware all locked up book
Ransomware all locked up bookRansomware all locked up book
Ransomware all locked up bookDiego Souza
 
Denial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideDenial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideImperva
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS AttackRedZone Technologies
 
Implementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud networkImplementation of user authentication as a service for cloud network
Implementation of user authentication as a service for cloud networkSalam Shah
 
Defense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningDefense mechanism for d do s attack through machine learning
Defense mechanism for d do s attack through machine learningeSAT Publishing House
 
Analysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackAnalysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackGavin Davey
 
Cyber security
Cyber security Cyber security
Cyber security ankit yadav
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKSShaurya Gogia
 
Module 9 Dos
Module 9 DosModule 9 Dos
Module 9 Dosleminhvuong
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksVitor Jesus
 
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...wajug
 
Sophos a-to-z
Sophos a-to-z Sophos a-to-z
Sophos a-to-z Cheng Olayvar
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threatsKishore Kumar
 
Case Study of RSA Data Breach
Case Study of RSA Data BreachCase Study of RSA Data Breach
Case Study of RSA Data BreachKunal Sharma
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dossadhana21297
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecErfan Mallick
 
Network Security
Network SecurityNetwork Security
Network SecurityPuneet Abichandani
 
Denail of Service
Denail of ServiceDenail of Service
Denail of ServiceRamasubbu .P
 
The Rise of Ransomware
The Rise of RansomwareThe Rise of Ransomware
The Rise of RansomwareTharindu Edirisinghe
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacksijdmtaiir
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
ethical-hacking-guide
ethical-hacking-guideethical-hacking-guide
ethical-hacking-guideMatt Ford
 
Project Managing For AWS Cloud
Project Managing For AWS CloudProject Managing For AWS Cloud
Project Managing For AWS CloudChris Kasten
 
TUESDAY Business Network - Akce podzim 2009
TUESDAY Business Network - Akce podzim 2009TUESDAY Business Network - Akce podzim 2009
TUESDAY Business Network - Akce podzim 2009TUESDAY Business Network
 
Ashish Pandya | 3D Visualization
Ashish Pandya | 3D VisualizationAshish Pandya | 3D Visualization
Ashish Pandya | 3D VisualizationG P
 
Comunicazione interna aziendale - scheda corso [R246]
Comunicazione interna aziendale - scheda corso [R246]Comunicazione interna aziendale - scheda corso [R246]
Comunicazione interna aziendale - scheda corso [R246]LEN Learning Education Network
 

Mais conteúdo relacionado

Mais procurados

Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...wajug
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threatsKishore Kumar
 
Case Study of RSA Data Breach
Case Study of RSA Data BreachCase Study of RSA Data Breach
Case Study of RSA Data BreachKunal Sharma
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecErfan Mallick
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacksijdmtaiir
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cnsmmubashirkhan
 
ethical-hacking-guide
ethical-hacking-guideethical-hacking-guide
ethical-hacking-guideMatt Ford
 

Mais procurados (18)

DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
Module 9 Dos
Module 9 DosModule 9 Dos
Module 9 Dos
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
 
Sophos a-to-z
Sophos a-to-z Sophos a-to-z
Sophos a-to-z
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threats
 
Case Study of RSA Data Breach
Case Study of RSA Data BreachCase Study of RSA Data Breach
Case Study of RSA Data Breach
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dos
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosec
 
Network Security
Network SecurityNetwork Security
Network Security
 
Denail of Service
Denail of ServiceDenail of Service
Denail of Service
 
The Rise of Ransomware
The Rise of RansomwareThe Rise of Ransomware
The Rise of Ransomware
 
Detection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service AttacksDetection of Distributed Denial of Service Attacks
Detection of Distributed Denial of Service Attacks
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
 
Drive by downloads-cns
Drive by downloads-cnsDrive by downloads-cns
Drive by downloads-cns
 
ethical-hacking-guide
ethical-hacking-guideethical-hacking-guide
ethical-hacking-guide
 

Destaque

Project Managing For AWS Cloud
Project Managing For AWS CloudProject Managing For AWS Cloud
Project Managing For AWS CloudChris Kasten
 
TUESDAY Business Network - Akce podzim 2009
TUESDAY Business Network - Akce podzim 2009TUESDAY Business Network - Akce podzim 2009
TUESDAY Business Network - Akce podzim 2009TUESDAY Business Network
 
Ashish Pandya | 3D Visualization
Ashish Pandya | 3D VisualizationAshish Pandya | 3D Visualization
Ashish Pandya | 3D VisualizationG P
 
Top 7 Benefits of 3D Visualization for Pharma Marketing and Training
Top 7 Benefits of 3D Visualization for Pharma Marketing and TrainingTop 7 Benefits of 3D Visualization for Pharma Marketing and Training
Top 7 Benefits of 3D Visualization for Pharma Marketing and TrainingAdam Frey
 
Production of biopestcides
Production of biopestcidesProduction of biopestcides
Production of biopestcidesDeepika Rana
 

Destaque (8)

Project Managing For AWS Cloud
Project Managing For AWS CloudProject Managing For AWS Cloud
Project Managing For AWS Cloud
 
TUESDAY Business Network - Akce podzim 2009
TUESDAY Business Network - Akce podzim 2009TUESDAY Business Network - Akce podzim 2009
TUESDAY Business Network - Akce podzim 2009
 
Ashish Pandya | 3D Visualization
Ashish Pandya | 3D VisualizationAshish Pandya | 3D Visualization
Ashish Pandya | 3D Visualization
 
Comunicazione interna aziendale - scheda corso [R246]
Comunicazione interna aziendale - scheda corso [R246]Comunicazione interna aziendale - scheda corso [R246]
Comunicazione interna aziendale - scheda corso [R246]
 
Top 7 Benefits of 3D Visualization for Pharma Marketing and Training
Top 7 Benefits of 3D Visualization for Pharma Marketing and TrainingTop 7 Benefits of 3D Visualization for Pharma Marketing and Training
Top 7 Benefits of 3D Visualization for Pharma Marketing and Training
 
Seminario di web content - Scheda corso LEN
Seminario di web content - Scheda corso LENSeminario di web content - Scheda corso LEN
Seminario di web content - Scheda corso LEN
 
Raheel sharif
Raheel sharifRaheel sharif
Raheel sharif
 
Production of biopestcides
Production of biopestcidesProduction of biopestcides
Production of biopestcides
 

Semelhante a Discovery of Compromised Machines

EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516Yasser Mohammed
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Securitybelsis
 
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary ReadingThe Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary ReadingMuhammad FAHAD
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecCMR WORLD TECH
 
Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Nicholas Davis
 
CyberSecurity presentation for basic knowledge about this topic
CyberSecurity presentation for basic knowledge about this topicCyberSecurity presentation for basic knowledge about this topic
CyberSecurity presentation for basic knowledge about this topicpiyushkamble6
 
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...ShivamSharma909
 
Top Interview Questions for CompTIA Security +
Top Interview Questions for CompTIA Security +Top Interview Questions for CompTIA Security +
Top Interview Questions for CompTIA Security +infosec train
 
The Basics of Protecting Against Computer Hacking
The Basics of Protecting Against Computer Hacking The Basics of Protecting Against Computer Hacking
The Basics of Protecting Against Computer Hacking - Mark - Fullbright
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdflaibaarsyila
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hackingparag101
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 

Semelhante a Discovery of Compromised Machines (20)

EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary ReadingThe Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosec
 
Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy
 
basic knowhow hacking
basic knowhow hackingbasic knowhow hacking
basic knowhow hacking
 
CyberSecurity presentation for basic knowledge about this topic
CyberSecurity presentation for basic knowledge about this topicCyberSecurity presentation for basic knowledge about this topic
CyberSecurity presentation for basic knowledge about this topic
 
cybersecurity
cybersecuritycybersecurity
cybersecurity
 
System-Security-acit-Institute
System-Security-acit-InstituteSystem-Security-acit-Institute
System-Security-acit-Institute
 
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
 
Top Interview Questions for CompTIA Security +
Top Interview Questions for CompTIA Security +Top Interview Questions for CompTIA Security +
Top Interview Questions for CompTIA Security +
 
CompTIA Security+
CompTIA Security+CompTIA Security+
CompTIA Security+
 
The Basics of Protecting Against Computer Hacking
The Basics of Protecting Against Computer Hacking The Basics of Protecting Against Computer Hacking
The Basics of Protecting Against Computer Hacking
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdf
 
News Bytes - May 2015
News Bytes - May 2015News Bytes - May 2015
News Bytes - May 2015
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 

Mais de Anton Chuvakin

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsAnton Chuvakin
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinAnton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022Anton Chuvakin
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton ChuvakinAnton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC Anton Chuvakin
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)Anton Chuvakin
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin
 

Mais de Anton Chuvakin (20)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 

Último

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Último (20)

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Discovery of Compromised Machines

  • 1. Discovery of Compromised Machines Dr. Anton Chuvakin WRITTEN: 2003 DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful for to my readers, please keep in mind that is was possibly written years ago. Also, keep in mind that some of the URL might have gone 404, please Google around. One of the latest security books I read had a fascinating example in the preface. The authors, well-known and trustworthy experts in the field of security, made an outrageous claim that most of the Fortune 2000 companies are already penetrated by hackers (and have been in that state for years!). Hackers move in and out at will through the backdoors and other covert channels without the security personnel knowing or even suspecting it. Without being able to verify whether this claim is true or false, I decided to look at the problem of reliably discovering the compromised machines on corporate networks. Reliability is of key importance here as there are lots of ways to obtain a suspicion that the machine is “owned” or infected, but sadly there are few truly reliable ways to discover that short of full forensic analysis, likely requiring physical access to a machine as well as shutting it down for a potentially long time. In addition, as advanced blackhat community moves beyond buffer overflows into new exploit type areas and zero-days attacks (with non-public exploits against non-public vulnerabilities) have a chance of becoming more common, traditional intrusion detection rates might decrease even further, giving defenders no chance to detect, let along stop the attack. Obviously, in case of a zero-day, detecting a second order (i.e. after-exploit) traces becomes the only option, as the attack itself will most likely fly through most network security monitoring gear, by the very nature of being a “zero-day”. Some of the existing attacks can also be mutated and optimized to pass through some of the detection filters. First, let us outline what we mean by a “compromised” machine. A machine is considered “compromised” if: • It was successfully exploited and used by attackers • It has a backdoor or other malicious software running without the knowledge of the system owner • It was configured to allow access to unauthorized parties without the owner knowing it Here are some examples of the above that most people running the real-world networks can identify with:
  • 2. Example 1 A system is infected by a worm and then starts sending out humongous amounts of malicious traffic, trying to spread the infection in the organization’s network and beyond Example 2 System access privileges on the exposed FTP server are abused and it is then taken over by amateur attackers to store and share their stash of porn and pirated software Example 3 A server is exploited by attackers and a rootkit is deployed. Several system binaries are trojaned for easier and more covert attacker access. Also installed is an IRC bot that “calls home“ to a specific channel for commands. The above example might give the reader some hints on how to detect a compromise in those specific cases, but we will treat the problem in a more general fashion. Let us first look at the current technologies used for detecting the activities of the attackers. There are attack detection systems (often mislabeled as “intrusion detection”) that look for various attack attempts and probes. Then, there are intrusion detection systems that look for known intrusion methods utilized by hackers. Here, however, we are talking about reliable compromise detection - detecting the machines that were attacked, intruded and are now used by either human attackers or their automated aides – malware. As noted above, reliability of detection is critical since stakes here are much higher than in attack and intrusion detection; the alerts we will raise will be immediately actionable (unlike what is coming from most deployed NIDS). It will be “your machine was hacked and is now used by attackers, run there and do something” vs “it seems like somebody might be attacking you or something of that sort, you might want to pay attention.” How can we detect that the machine is indeed compromised? The answer heavily depends upon what kind of information and tools are available as well as the position of the user. It is one thing to only go by the firewall data relevant to the potentially compromised machine and it is completely different if we have full access to the hardware, OS and application for such system in the forensics environment. Realizing the benefits from the latter case obviously requires access to a skilled computer forensics professional as well as significant time investment. To get some background let’s briefly review some common activities occurring on the systems compromised by attackers. These signs were discovered by the author over the years of the honeypot research with the Honeynet Project as well as by other related efforts. Obviously, they refer to activities by the outside attackers and not by malicious insiders. 1. A backdoor daemon can be launched by an attacker on a high-numbered port or an existing daemon trojaned. This is observed in most compromise cases. 2. Installing an IRC bot or bouncer is a popular choice. Several IRC channels dedicated entirely for communication of the servers compromised by a particular group were observed on several occasions 3. In this age of DDoS and reflexive DoS, the classic point-to-point DoS tools are not laid to rest. They are commonly used on some compromised machines to deal quick damage against the opponents on slower connections
  • 3. 4. Many attackers will use the compromised system for vulnerability scanning and widespread exploitation. Used scanners and auto-rooters are capable of discovering and exploiting massive (thousands and more) numbers of systems within a short time period. Such large networks can be (and are!) used for devastating denial of service attacks 5. Using a compromised machine to store pirated software or media is common as well. On a high bandwidth servers, people are known to store gigabytes of “stuff” with active download and uploads occurring all the time. It is worthwhile to note that one is often not required to exploit the server to use it for storage, since enough servers are misconfigured with extra privileges given to all connecting users. 6. “Earning” some cash by getting involved in stolen credit card trade (see http://www.honeynet.org/papers/profiles/cc-fraud.pdf for detailed reference) is a new choice, rapidly growing in popularity. Such activity utilized IRC with specially modified “trading” bots 7. Another money-making “venture” is sending spam or “loaning” a compromised box to spammers for a reasonable fee. 8. Another ominous activity is using the compromised machine for a “phishing” site. Attackers were observed to deploy a fake bank site and then launch waves of spam emails attracting visitors to be separated from their cash. In light of the above, we can summarize some of the compromise detection methods, given different available resources (both technical and human). Last column in the tables below indicates detection reliability in the absence of any other information, ranging from highly uncertain (‘low’) to immediately actionable (‘high’). This subjecting rating, originating in author’s experience with compromised systems, still provides a useful metric of how much trust should be put into each event. We will start from simple compromise-related events and indicators. Security technology/ Method Example Reliability resource NIDS Compromise Shell commands on Medium signature SSL port TCP 443 NIDS Post exploit activity ‘whoami’ in Medium command flow NIDS Volume of Lots of SSL hits out Medium outbound exploits (same or different) NIDS Volume of Lots of SSL hits out High outbound exploits after the system is after a similar hit by SSL exploit inbound exploit NIDS, firewall Outbound massive Many connections Medium port scanning, DoS, to port 1434 UDP etc from a single system HIDS Abuse-related New account Medium system log records created HIPS Application Connections, Medium
  • 4. behaving registry access, file significantly replacements different from known good The above provides a surprising conclusion: event if your system spews forth- malicious exploits, everything might be totally OK with it and no risk will exist. The reasons is simple: ‘false alarms’ (and, specifically, their most famous variety – ‘false positives’). For example, it is rather common to see a corporate HTTP proxy generate an inordinate number of web exploits (such as long URLs, suspicious characters and strings in URLs, etc) just because a large number of web users tries to access various web sites. Now we will look at other, more circumstantial and complex patterns: Security technology/ Method Example Reliability resource Firewall, router, switch Connections to new Multiple systems Medium ports on the system connecting to port TCP 12345 on the same box Firewall, router, switch New connections or IRC (TCP 6667) High attempts from connections from machine to outside system Vulnerability scanner New open ports 12345 TCP open Medium (known backdoors) Network monitoring Unusual Lots of connections High system connectivity from an to port 6667 TCP to internal system to a set of servers outside from a single internal system Network monitoring An unusually high A SYN flood from Medium system volume of traffic an internal system from an internal system Anti-virus or anti- A warning message Backdoor.IRC.Bot High spyware software about a Trojan that running cannot be cleaned or stopped However, even anti-virus solutions have false positives! Thus, even the supposedly unambiguous ‘Trojan or backdoor alert from an AV might well be a false alarm. It is worthwhile to note that some of the above are facilitating by correlating NIDS data with other kinds of data (such as firewall or host or a different NIDS) and thus arriving to a conclusion that the target is compromised via automated rule-based correlation. Also, correlation technology can automate investigative process by looking at other related activities occurring at the time of the attack. As a result, we arrive at higher compromise
  • 5. detection quality than using the output of a single NIDS sensor. However, if lacking a good correlation engine, the analyst can perform the same steps manually, even if not in real-time. A recent security book by Richard Bejtlich “Tao of Network Security Monitoring” covers some of the techniques. We will now look at the most reliable indicators, with larger resource constraints: Security technology/ Method Example Reliability resource System admin New files, accounts, New ‘rewt’ account High processes (see “SANS Intrusion Discovery Cheatsheet”) More of such techniques are summarized in SANS Intrusion Discovery sheets (available at www.sans.org for Linux and Windows systems). The techniques do require a console access to a system and thus are hard to scale to a large environment. Now we will discuss how one can use the above methodology in production environments. The ideal way to apply most of the above guidance in an automated fashion is to set up a some kind of multi-vendor database with events, alerts, log records from various installed security devices and then to apply rules (also known as “correlation rules”) across those events either historically across stored events or in real- time across the event feed. For example, one can easily look for events from a network IDS indicating exploitation attempts that are then shortly followed by multiple outbound connections (such as IRC, see above examples) Commercial SIM (Security Information Management) products have that capability. A budding open source product of the same kind (OSSIM www.ossim.org ) starts to develop it as well. The techniques can also be applied manually by looking through the logs, To conclude, various techniques to discover compromised machines are a very handy tool to deal with attackers of all skill levels. Contrary to popular wisdom, it doesn’t not always require expensive forensics services, but can be performed using collected network and system logs and other sources of information. ABOUT THE AUTHOR: This is an updated author bio, added to the paper at the time of reposting in 2009. Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management
  • 6. (see list www.info-secure.org) . His blog http://www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.