- 1 Overview
- 2 Ensure That the Software Used to Examine Systems Has Not Been Compromised
- 3 Monitor and Inspect Network Activities
- 4 Monitor and Inspect System Activities
- 5 Inspect Files and Directories for Unexpected Changes
- 6 Investigate Unauthorized Hardware Attached to the Network
- 7 Look for Signs of Unauthorized Access to Physical Resources
- 8 Review Reports of Suspicious System and Network Behavior and Events
- 9 Take Appropriate Actions
- Chapter 6 Checklist
6.3 Monitor and Inspect Network Activities
Data about network activities (traffic, performance, etc.) can be collected from a variety of sources, including the following:
Administrator probes (Internet control message protocol [ICMP] pings, port probes, simple network management protocol [SNMP] queries)
Log files (routers, firewalls, other network hosts and devices)
Network performance statistics reports
The outputs of tools used to support in-depth analysis
You should watch for unexpected network behavior, such as the following:
Unexpected changes in network performance such as variations in traffic load at specified times
Traffic coming from or going to unexpected locations
Connections made at unusual times
Repeated, failed connection attempts
Unauthorized scans and probes
Nonstandard or malformed packets (protocol violations)
Monitoring messages as they traverse your network gives you the ability to identify intrusive activity as it is occurring or soon afterwards. By catching suspicious activity as early as possible, you can immediately begin to investigate the activity and hopefully minimize and contain any damage.
Logs of network traffic may contain evidence of unusual, suspicious, or unexpected activities, indicating that someone has compromised or tried to compromise a system on your network. By inspecting log files on a regular basis, you may be able to identify intruder reconnaissance in advance of an intrusion. You may also identify attempted or successful intrusions soon after they occur. However, if an intruder has altered log files, the data may no longer be present.
If you permit access to your systems and networks by third parties (vendors, contractors, suppliers, partners, customers, etc.), you must monitor their access to ensure that all their actions are authentic and authorized. This step includes monitoring and inspecting their network activities.
6.3.1 Notify Users
Inform authorized users of your systems about the scope and kinds of monitoring you will be doing and the consequences of unauthorized behavior.
A common method for communicating this message is the presentation of a banner message immediately before user login.
Without the presentation of a banner message or other warning, you probably cannot use log files and other collected data in any action you may choose to take against a user.
For further information on setting up monitoring banners for Windows NT, refer to the implementation Setting Up a Logon Banner on Windows NT 4.0.2 Here's one example of banner language taken from this implementation:
This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
6.3.2 Review Network Alerts
Review and investigate notification from network-specific alert mechanisms (such as e-mail, voice mail, or pager messages), for example:
Users and other administrators, via e-mail or in person
Operating system alert mechanisms
Network and system management software traps, such as those that can be set via SNMP (simple network management protocol)
Intrusion detection systems
Custom alert mechanisms from service or application programs (including tools)
6.3.3 Review Network Error Reports
These types of notifications are typically produced by one of the following devices:
Operating system error reporting mechanisms
Log file filtering tools
Vendor or custom-developed management software
Custom error-reporting mechanisms from service or application programs (including tools)
Often an administrator will be able to configure error reporting at a number of criticality, severity, or priority levels when installing the network system, service and application programs, and supporting tools.
6.3.4 Review Network Performance
Statistics are generally produced by vendor or custom performance-monitoring tools. Typical statistics include the following (refer to Section 5.3, Table 5.2):
Total traffic load in and out over time (packet, byte, and connection counts) and by event (such as new product or service release)
Traffic load (percentage of packets, bytes, connections) in and out over time sorted by protocol, source address, destination address, other packet header data
Error counts on all network interfaces
Comparison of previous network performance statistics with current statistics for the same time frame
Look for the following extraordinary occurrences:
Unexpected changes in performance between current and previously captured statistics, for example, unusually high or low network traffic compared with expected levels for the day of the week and time of day
Unexpected deviations from authoritative network traffic characterization information, for example (refer to Section 5.3):
traffic coming from unexpected source addresses or using unexpected ports or protocols
traffic going to unexpected destination addresses or using unexpected ports or protocols
excessively high or low traffic volume for the day of the week and time of day
Unexpected loss of connectivity
Unusual modem activity or availability, which can indicate intruder access through overlooked entry points (ports) or intruder use of daemon dialers
6.3.5 Review Network Traffic
Identify any unexpected, unusual, or suspicious network traffic and the possible implications. From network log files and other network traffic collection mechanisms, look for the following extraordinary occurrences:
Reconnaissance (probes, scans, use of mapping tools) in advance of an attack. These activities can indicate attempts to identify your configuration (hosts, operating systems, network topology, externally accessible paths into your systems, etc.) and your Internet service provider(s) (ISP), along with their configuration.
Connections to or from unusual locations. For example, if a server host is dedicated to a single service (such as serving a public web site), any requests it makes for outbound connections are suspicious. Such requests may indicate that an intruder has compromised the server and that it is being used to launch an attack on another host.
Protocol violations. These include, but are not limited to, invalid option bits in a transmission control protocol (TCP) packet, invalid sequence numbers in a TCP packet, invalid flags in a TCP packet (ACK before SYN), and invalid fragments. There is no good reason to violate the Internet protocol (IP), TCP, ICMP, and user datagram protocol (UDP) specifications. These types of protocol violations often result when an intruder uses a network scanner in an attempt to bypass your firewall (that may just check for an established bit set on a packet) and to identify the type of systems on your networks (since different host IP stacks will respond to the error in different ways). A DoS condition can occur, for example, when an intruder's host creates TCP half-open connections by sending a flood of SYN packets with no corresponding ACK packets.3
Packets with source and destination addresses external to your network. Your firewall should always be configured to prevent this. If it occurs, it may indicate that an intruder has bypassed the firewall, possibly by compromising the firewall host, and is routing his or her traffic through your network, perhaps to take advantage of a network-level trust relationship. It may also indicate the presence of an inside intruder.
Packets with an internal source address that actually originate from an external source. This can indicate an IP spoofing attack that may have bypassed your firewall.
Unusual port combinations in TCP and UDP packets. This type of traffic could indicate an unexpected service running on the network (such as a backdoor program). It could also indicate that the intruder has bypassed your firewall. Packets with the same source address and a sequence of destination ports often indicate that an intruder is trying to discover both the firewall policy and what services are available on your systems.
Unusual address resolution protocol (ARP) traffic. In a switched network, an intruder can alter the ARP cache on one or more hosts so that any host on the same segment can see traffic on that segment (similar to a network interface card in promiscuous mode on a shared Ethernet segment). The intruder can then gain access to passwords and other unencrypted information sent over the network.
Unusual dynamic host configuration protocol/boot protocol (DHCP/BOOTP) traffic. An intruder can cause a host to send bogus DHCP replies and convince other hosts that it is their default gateway. The compromised host will then receive all of the traffic for outbound networks and gain access to unencrypted information sent over the network.
Packets with unusual protocol or port numbers sent to broadcast addresses. This type of traffic can indicate a DoS attack.
An unusually high number of ICMP port unreachable packets from a single host. This indicates that an intruder is scanning the host looking for available services.
Connections made at unusual times
Unusual use of Internet Relay Chat (IRC), a common means of communication used by intruders
If you are reviewing network traffic on a system other than the one being monitored, ensure that the connection between them is secure, as described in Section 2.13.
6.3.6 Policy Considerations
Your organization's networked systems security policy should specify the following:
The need for users to be notified that you will monitor network activities
Your objectives for monitoring
Which data streams will be monitored and for what purposes
The responsibilities and authority of system administrators for handling notifications generated by monitoring and logging software
What forms of unexpected network behavior users should watch for and the need to report any such behavior to their designated security officials and system administrators
6.3.7 Additional Information
For further UNIX- and NT-specific network monitoring and network data collection guidance, refer to CERT tech tips at the CERT web site, including the Intruder Detection Checklist and Steps for Recovering from a UNIX or NT System Compromise. A list of network-monitoring tools is presented in Section 5.3.15, and Table 5.3.
When possible, analyze and correlate data collected from multiple sources (as described in the other practices of this chapter). Performing some level of correlation analysis during the intrusion detection process, such as determining when suspicious activity occurring in one part of your infrastructure may be related to suspicious activity in another part, will assist you in determining the full extent of any compromise and its characteristics. Refer to Section 7.2 for further guidance.