SANSFIRE 2013

Washington, DC | Fri Jun 14 - Sat Jun 22, 2013
 

SEC503: Intrusion Detection In-Depth

If you have an inkling of awareness of security (even my elderly aunt knows about the perils of the Interweb!), you often hear the disconcerting news about another high-profile company getting compromised. The security landscape is continually changing from what was once only perimeter protection to a current exposure of always-connected and often-vulnerable. Along with this is a great demand for security savvy employees who can help to detect and prevent intrusions. That is our goal in the Intrusion Detection In-Depth course - to acquaint you with the core knowledge, tools, and techniques to prepare you to defend your networks.

This track spans a wide variety of topics from foundational material such as TCP/IP to detecting an intrusion, building in breadth and depth along the way. It's kind of like the "soup to nuts" or bits to bytes to packets to flow of traffic analysis.

Industry expert Mike Poor has created a VMware distribution, Packetrix, specifically for this course. As the Packetrix name implies, the distribution contains many of the tricks of the trade to perform packet and traffic analysis. Packetrix is supplemented with demonstration "pcaps" - files that contain captured network traffic. This allows the student to follow along on her/his laptop with the class material and demonstrations. Additionally, these pcaps provide a good library of network traffic to use when reviewing the material, especially for certification.

There are several hands-on exercises each day to reinforce the course book material, allowing you to transfer the knowledge in your head to execution at your keyboard.

Exercises have two different approaches - a more basic one that assists you by giving hints for answering the questions. Students who feel that they would like more guidance can use this approach. The second approach provides no hints, permitting a student who may already know the material or who has quickly mastered new material a more challenging experience. Additionally, there is an "extra credit" stumper question for exercises intended to challenge the most advanced student.

By week's end, your head should be overflowing with newly gained knowledge and skills; and your luggage should be swollen with course book material that didn't quite get absorbed into your brain during this intense week of learning. This track will enable you to "hit the ground running" once returning to a live environment.

This is a fast-paced track, and students are expected to have a basic working knowledge of TCP/IP (see www.sans.org/conference/tcpip_quiz.php) in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection/prevention analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts.

The challenging hands-on exercises are specially designed to be valuable for all experience levels. The Packetrix VMware image used in class is a Linux distribution, so we strongly recommend that you spend some time getting familiar with a command-line Linux environment, along with learning some of the core Unix commands, before coming to class.

Fundamentals of Traffic Analysis

  • TCP/IP Concepts
  • Using tcpdump and Wireshark
  • Link layer, IPv4, IPv6, and fragmentation
  • Transport layers TCP, UDP, and ICMP

Application protocols

  • HTTP
  • SMTP
  • Microsoft protocols
  • DNS
  • IDS evasions
  • Examination of real-world traffic

Hands-On Snort and Bro Usage

  • Running, installing, configuring, customizing Snort
  • Writing Snort rules
  • Running, installing, configuring, customizing Bro
  • Writing Bro scripts, signatures, and raising Bro notices

Network traffic forensics and monitoring

  • Analyst toolkit
  • Using SiLK open source network flow tool
  • Network forensics
  • Using logs for correlation
  • OSSEC open source HIDS/SIM

Course Syllabus
Course Contents | Instructors | Schedule
  SEC503.1: Fundamentals of Traffic Analysis: Part I Mike Poor Mon Jun 17th, 2013
9:00 AM - 5:00 PM
Overview

Day 1 provides a refresher or an introduction to TCP/IP, depending on your background, covering the essential foundations: the TCP/IP communication model; the theory of bits, bytes, binary and hexadecimal; an introduction to Wireshark; and the IP layer, both IPv4 and IPv6, including packet fragmentation in both. We describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and a defender.

All traffic is discussed and displayed using the two open source tools Wireshark and tcpdump. Students can follow along with the instructor viewing the sample traffic capture files supplied. Six hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

CPE/CMU Credits: 6

Topics

Concepts of TCP/IP

  • TCP/IP communications model
  • Data encapsulation/de-encapsulation
  • Discussion of bits, bytes, binary, and hex

Introduction to Wireshark

  • Navigating around Wireshark
  • Examination of Wireshark statistics
  • Stream reassembly
  • Finding content in packets

Network access/link layer: Layer 2

  • Introduction to 802.x link layer
  • Address Resolution Protocol
  • ARP spoofing

IP Layer: Layer 3

  • IPv4
    • Examination of fields in theory and practice
    • Checksums and their importance especially for an IDS/IPS
    • Fragmentation
      • IP header fields involved in fragmentation
      • Composition of the fragments
      • Fragmentation attacks
  • IPv6
    • Comparison with IPv4
    • IPv6 addresses
    • Neighbor Discovery Protocol
    • Extension headers
    • IPv6 in transition
 
  SEC503.2: Fundamentals of Traffic Analysis: Part II Mike Poor Tue Jun 18th, 2013
9:00 AM - 5:00 PM
Overview

Day 2 continues where Day 1 ended in understanding TCP/IP. Two essential tools, Wireshark and tcpdump, are explored to give you the skills to analyze your own traffic. The focus on Day 2 is filtering traffic of interest: in Wireshark using display filters, and in tcpdump using Berkeley Packet Filters. We proceed with our exploration of the TCP/IP layers, covering TCP, UDP, and ICMP.

Once again, we describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and defender. All traffic is discussed and displayed using the two open source tools Wireshark and tcpdump. Students can follow along with the instructor viewing the sample capture files supplied. Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

Topics

Wireshark display filters

  • Examination of some of the many ways that Wireshark facilitates creating display filters
  • Composition of display filters

Writing tcpdump filters

  • Format of tcpdump filters
  • The use of bit masking

TCP

  • Examination of fields in theory and practice
  • Packet dissection
  • Checksums
  • Normal and abnormal TCP stimulus and response
  • Importance of TCP reassembly for IDS/IPS

UDP

  • Examination of fields in theory and practice
  • UDP stimulus and response

ICMP

  • Examination of fields in theory and practice
  • When ICMP messages should not be sent
  • Use in mapping and reconnaissance
  • Normal ICMP
  • Malicious ICMP

 
  SEC503.3: Application Protocols and Traffic Analysis Mike Poor Wed Jun 19th, 2013
9:00 AM - 5:00 PM
Overview

Day 3 concludes the examination of TCP/IP with an exploration of the application protocol layer. The concentration is on some of the most widely used, crucial, and sometimes vulnerable application protocols - HTTP, SMTP, DNS, and Microsoft communications. Our focus is on traffic analysis, a key skill in intrusion detection.

We'll take a brief foray into packet crafting and nmap remote OS identification so that you can analyze and recognize the telltale signs of each. Packet crafting is a handy skill for an analyst to possess, especially for testing IDS/IPS rules. IDS/IPS evasions are the bane of the analyst, so the theory and possible implications of evasions at different protocol layers are examined. The day concludes with examination and analysis of some real-world traffic captures.

Once again, we describe the applications not just in theory and function, but from the perspective of an attacker and defender. All traffic is discussed and displayed using the two open source tools Wireshark and tcpdump. Students can follow along with the instructor viewing the sample traffic capture files supplied. Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

Topics

Advanced Wireshark

  • Exporting web objects
  • Extracting SMTP attachment content
  • Sample Wireshark investigation of an incident
  • Tshark

Detection methods for application protocols

  • Pattern matching, protocol decode, and anomaly detection
  • Detection challenges

Microsoft Protocols

  • SMB/CIFS
  • MSRPC
  • Detection challenges

HTTP

  • Protocol format
  • Sample of attacks
  • Detection challenges

SMTP

  • Protocol format
  • Sample of attacks
  • Detection challenges

DNS

  • Its vital role in the Internet
  • The resolution process
  • Caching
  • DNSSEC
  • Malicious DNS
    • Cache poisoning

Packet crafting and nmap OS identification

  • Why packet crafting is done
  • Some of the tools used
  • How nmap performs remote OS identification
  • Signs of remote OS identification

IDS/IPS evasion theory

  • Theory and implications of evasions at different protocol layers
  • Sampling of evasions
  • Necessity for target-based detection

Real world traffic analysis

  • Client attacks
  • DDoS attacks
  • Four-way handshake
  • TCP reset attack
  • Malformed DNS DoS

 
  SEC503.4: Intrusion Detection Snort Style Mike Poor Thu Jun 20th, 2013
9:00 AM - 5:00 PM
Overview

Install, configure, and use the powerful and versatile freeware intrusion detection system Snort. In addition, learn to customize Snort for many special uses. Hands-on exercises that will challenge both the novice and seasoned Snort user are included so that students will feel confident in their ability to effectively utilize Snort for their site's specific needs when they get back to the office.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

Topics

Introduction

  • Installation
  • Getting Started with Snort

Modes of Operation

  • Sniffer Mode
  • IDS Mode
  • Deployment Options

Writing Snort Rules

  • Rule Anatomy
  • Rule Syntax
  • Rule Options
  • Rule Keywords

Configuring Snort as an IDS

  • Configuration File Options
  • Using Variables
  • Preprocessor Configuration
  • Output Configuration Options

Miscellaneous

  • Dealing with False Positives and False Negatives
  • Writing Efficient Rules
  • Examining a Buffer Overflow and Writing a Snort Rule to Detect it

Snort GUIs and Analysis

 
  SEC503.5: Network Traffic Forensics and Monitoring Mike Poor Fri Jun 21st, 2013
9:00 AM - 5:00 PM
Overview

On the penultimate day, you'll become familiar with other tools in the "analyst toolkit" to enhance your analysis skills and give you alternative perspectives on traffic. The open source network flow tool SiLK is introduced. It offers the capability to summarize network flows to assist in anomaly detection and retrospective analysis, especially at sites where the volume is so prohibitively large that full packet captures cannot be retained for very long, if at all. The topic of network forensics is examined to show you how to investigate an incident using multiple approaches, including log analysis. Finally, you will see how your forensic data can be correlated and analyzed by open source tools, with a concentration on OSSEC, which acts as a host-based IDS and Security Information and Event Manager (SIEM).

Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

Topics

Analyst toolkit

  • Ngrep, tcpflow, p0f, Chaosreader, tcpreplay, NetWitness

SiLK

  • Introduction to the concept of network flow
  • Understand the uses for flow

Network Forensics

  • Learn what it is
  • Become aware of indicators of network issues
  • Learn to investigate incidents using some sample traffic of:
    • Exploited host
    • Phishing attack

Network architecture for monitoring

  • Become familiar with hardware used with and for monitoring

Correlation of indicators

  • Examination of log files
  • OSSEC
  • Understand different methods of correlation
 
  SEC503.6: IDS Challenge Mike Poor Sat Jun 22nd, 2013
9:00 AM - 5:00 PM
Overview

The week culminates with a fun hands-on Challenge where you find and analyze traffic to a vulnerable honeynet host using many of the same tools you mastered during the week. Students can work alone or in groups with or without workbook guidance. This is a great way to end the week since it reinforces what you've learned by challenging you to think analytically, gives you a sense of accomplishment, and strengthens your confidence to employ what you've learned in the Intrusion Detection In-Depth track in a real world environment.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

 
Additional Information
 
  Laptop Required

IMPORTANT - BRING YOUR OWN LAPTOP

You will need to run a Linux VMware image, supplied at the conference, on your laptop for the hands-on exercises that will be performed in class. Some familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises.

VMware

VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion.

You must have either the free VMware Player 3 or later or the commercial VMware Workstation 6 or later installed on your system prior to coming to class. You can download VMware Player for free at www.vmware.com.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from www.vmware.com. VMware will send you a time-limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.

Macintosh users must have VMware Fusion 3 or later installed on their system prior to coming to class. A free 30-day trial copy is available at www.vmware.com/products.fusion/overview.html.

Mandatory Laptop Hardware Requirements

  • 1.5 GHz or faster x86- or x64-compatible CPU
  • DVD drive (not a CD drive)
  • 2 GB RAM minimum, with 4 GB or more recommended
  • 12 GB of available hard drive space
  • Windows XP/Vista/7/8, Mac OS X, or any Linux distribution
  • Any Service Pack level is acceptable for Windows XP/Vista/7/8

Do not bring a laptop with sensitive data stored on it. SANS is not responsible if your laptop is stolen or compromised.

By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Intrusion detection analysts (all levels)
  • Network engineers
  • System, security, and network administrators
  • Hands-on security managers

 
  Prerequisites

Students must possess at least a working knowledge of TCP/IP and hexadecimal. To test your knowledge, see our TCP/IP & Hex Quizzes at www.sans.org/conference/tcpip_quiz.php.

 
  You Will Be Able To
  • Identify the security solutions that are most important for protecting your perimeter
  • Understand attacks that affect security for the network
  • Understand the complexities of IP and how to identify malicious packets
  • Understand the risks and impacts related to cloud computing and the security solutions to manage those risks
  • Understand the process for properly securing your perimeter
  • Identify and understand how to protect against application and database risks
  • Use tools to evaluate the packets on your network and identify legitimate and illegitimate traffic

 

Author Statement

When I was invited to be a member of a computer incident response team in the late 1990s (just after Al Gore invented the Internet), there was no formal cybersecurity training available. Consequently, I learned on the job and made my share, and then some, of mistakes. I was so naive that I tried to report an attack on our network by a host with an IP address in the 192.168 reserved private network, available for use by anyone. Needless to say, I got a very embarrassing enlightenment when someone clued me in.

With the benefit of experience and the passage of time, there are many lessons to be shared with you. This knowledge affords you the opportunity to learn and practice in the classroom to prepare you for the fast-paced, always-interesting job of an intrusion detection analyst.

- Judy Novak