SI 2007 Project Team “Packet Storm”
Team: Matthew Baron, Charlie Hughes, Matt Mayberry, Bryce Theobald
Project Leaders: Prasad Calyam, Aaron Lafferty
Network Forensics
Topics of Discussion
• Background on Cyber Crimes
• Our Network Forensic Investigation Case
• Investigation Methodology
• Forensic Evidence
• Expert Opinion upon Investigation
• Conclusion (Animation)
“Hackers”
• Hackers are intruders who compromise or incapacitate computer systems using the Internet
  – A.k.a. “Cyber-criminals”
• Motivations of a Hacker to perform Cyber-crimes
  – Sabotage for Money (Blackmail)
  – Hatred towards victim (Government cyber-wars)
  – Social acceptance (Redirect websites)
  – “FOR FUN!”
• Hackers are difficult to track down
  – Hide behind the world-wide Internet
• USA-Border jurisdiction issues for FBI or CIA
Hackers use “Botnets”
• “Bot” – a simple program planted on a computer that accesses a “Command Center” (E.g. IRC Channel)
• A huge group of bots on the Internet is called a “Botnet”
• Botnets are rented out for launching cyber attacks and spam services
[Figure: Botnet diagram. The Hacker controls all the Bots using the Internet; the Botnet of Bots sends traffic to the Victim]
Distributed Denial of Service attacks (DDoS attacks)
• Coordinated attacks from botnets that slow down victim servers
  – Ping Flood, Smurf (slow down servers)
• Companies hire “DDoS mafias” to attack competitors and attract their customers
[Figure: Smurf Attack, adopted from www.networkdictionary.com. Attacker → Broadcast Network → Victim]
DDoS Attack Investigation Case
• “Cyber Games, Ltd.” (fictional) is maliciously cyber-attacked by “Not-So-Good Cyber Games Inc.”
  – Not-So-Good Cyber Games Inc. employs a DDoS “Mafia”
  – Cyber Games, Ltd. customers experience slow response and service disruptions from servers during Gaming
  – Customers unsubscribe from Cyber Games, Ltd. services and sign up for Not-So-Good Cyber Games Inc. services
• Due to month-long DDoS attacks, Cyber Games Ltd. lost customers, reputation and revenue
Network Forensic Experts
• Cyber Games, Ltd. hired us, the Network Forensics Experts
• We investigate the DDoS attacks, identify the cyber-criminals and prosecute them
• Network Forensic Science is complex!
  – Hackers are always one step ahead
  – Requires diverse expertise in areas:
    • Networking
    • Software Programming
    • Legal Procedures
    • Criminal Psychology
Investigation Methodology
• Technologies Used
  – Honey Pot
    • A network setup to trap DDoS attacks at Cyber Games, Ltd.
  – Snort
    • An Intrusion detection tool
  – Perl
    • A Programming language
  – MySQL
    • A Database
Honey Pot
• A Honey Pot is a network of computers that need to be protected
  – It appears to a hacker as a real system while in fact it carefully monitors the hacker’s attacks
  – Collects clues to trace the hacker’s location on the Internet
• It includes a “Network Monitor” that hosts Snort, MySQL, etc.
  – Snort rules need to be configured for creating logs that contain:
    • Alert Timestamp
    • Source and Destination IPs
    • Alert Signature (E.g. could be DDoS attack, Port-scanning)
[Figure: Snort Workflow inside the Honey Pot (Snort, MySQL). Packets pass through the Packet Decoder, the Preprocessors and the Detection Engine into the Logging and Alerting System; otherwise Packets Are Dropped]
Example log entries produced:
2007-07-13 07:15:47 Ping_Flood 250.52.15.4
2007-07-13 07:55:00 DNS_Poisoning 19.80.124.164
2007-07-13 08:39:44 Buffer_Overflow 19.89.174.34
2007-07-13 08:57:59 SSL_Auth 127.166.92.101
Perl and MySQL
• We wrote a Perl script “log_analysis.pl” to parse Snort log data into a MySQL database
• Based on the Source IP address, the geographic location of the Hacker can be determined
  – Every IP address has a network part and a local part
Timestamp            Attack Type      Source IP        Destination IP
2007-07-13 07:15:47  Ping_Flood       250.52.15.4      15.160.2.100
2007-07-13 07:55:00  DNS_Poisoning    19.80.124.164    15.160.2.100
2007-07-13 08:39:44  Buffer_Overflow  19.89.174.34     15.160.2.100
2007-07-13 08:57:59  SSL_Auth         127.166.92.101   15.160.2.100
2007-07-13 08:59:29  VNC_Auth         4.5.131.172      15.160.2.100
2007-07-13 09:38:13  DNS_Poisoning    1.96.72.163      15.160.2.100
Forensic Evidence
• Forensic Evidence includes anything used in court to prove the validity or falsity of a statement
  – Cannot be “Hearsay” (E.g. monitor 1 or 2 days and point fingers at attack sources)
  – Routine monitoring is hence vital
• Promotes custody of regular records of cyber activity
  – Has to present information beyond reasonable doubt
• We wrote a Perl script “db_reader.pl” to query the daily-attacks data from MySQL
• We use the queried data to create a visualization which we present as our evidence
  – DDoS Mafia hired by Not-so-good Gaming, Inc. captured by FBI in Antarctica!
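The log_analysis.pl / db_reader.pl pair described on the Perl and MySQL slide and on this Forensic Evidence slide, as an added example that is not the project's own code: the team's scripts were Perl against MySQL, while this stand-in is Python using the standard library's sqlite3 module (the SQL has the same shape), and it reads the slides' simplified "timestamp, signature, source IP, destination IP" layout rather than Snort's real alert format. The sample log (the slide's six rows plus two constructed 2007-07-14 rows and one deliberately malformed line), the /24 prefix length used to split off the network part, and the function names are all assumptions made here. It goes one step beyond the slides by flagging source addresses that cannot belong to any host on the public Internet, such as the loopback address 127.166.92.101 and the reserved address 250.52.15.4 in the slide's own table, since a geographic location derived from such an address is meaningless.

```python
import ipaddress
import sqlite3
from datetime import datetime

# Constructed sample in the slides' simplified log layout
# "<date> <time> <signature> <source IP> <destination IP>". The first six rows
# are the slides' fictional table; the rest are added here for the tests.
SAMPLE_LOG = """\
2007-07-13 07:15:47 Ping_Flood 250.52.15.4 15.160.2.100
2007-07-13 07:55:00 DNS_Poisoning 19.80.124.164 15.160.2.100
2007-07-13 08:39:44 Buffer_Overflow 19.89.174.34 15.160.2.100
2007-07-13 08:57:59 SSL_Auth 127.166.92.101 15.160.2.100
2007-07-13 08:59:29 VNC_Auth 4.5.131.172 15.160.2.100
2007-07-13 09:38:13 DNS_Poisoning 1.96.72.163 15.160.2.100
2007-07-14 02:10:05 Ping_Flood 19.80.124.164 15.160.2.100
2007-07-14 02:10:06 Ping_Flood 19.80.124.164 15.160.2.100
this line is truncated garbage and must be skipped, not loaded
"""


def parse_line(line):
    """Return (timestamp, signature, src, dst), or None for a malformed line.
    Malformed lines are skipped, never guessed at: the evidence table must
    contain only what the sensor actually recorded."""
    parts = line.split()
    if len(parts) != 5:
        return None
    date, time, signature, src, dst = parts
    try:
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    return ts, signature, str(src_ip), str(dst_ip)


def network_part(ip_text, prefix_len=24):
    """Network part of an address. The /24 default is an assumption made here;
    the real prefix length comes from routing or WHOIS data."""
    net = ipaddress.ip_network(f"{ip_text}/{prefix_len}", strict=False)
    return str(net.network_address)


def source_attributable(ip_text):
    """True only if the source could be a host on the public Internet. Loopback,
    private, multicast, reserved (240/4) and unspecified addresses cannot be
    geolocated; they point to spoofing or a local artefact, not a remote host."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_private or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified)


def load_alerts(log_text, conn):
    """Parse every line into the alerts table; return (inserted, skipped)."""
    conn.execute("CREATE TABLE IF NOT EXISTS alerts ("
                 "ts TEXT NOT NULL, signature TEXT NOT NULL, "
                 "src_ip TEXT NOT NULL, dst_ip TEXT NOT NULL)")
    inserted = skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1
            continue
        ts, signature, src, dst = record
        conn.execute("INSERT INTO alerts VALUES (?, ?, ?, ?)",
                     (ts.isoformat(sep=" "), signature, src, dst))
        inserted += 1
    conn.commit()
    return inserted, skipped


def build_database(log_text, path=":memory:"):
    """Open the database (in memory by default) and load the log into it."""
    conn = sqlite3.connect(path)
    return conn, load_alerts(log_text, conn)


def daily_attacks(conn):
    """(day, signature, src_ip, count) rows: the per-day summary that the
    evidence visualisation is drawn from (the db_reader.pl role)."""
    cur = conn.execute(
        "SELECT substr(ts, 1, 10) AS day, signature, src_ip, COUNT(*) AS n "
        "FROM alerts GROUP BY day, signature, src_ip "
        "ORDER BY day, n DESC, signature, src_ip")
    return cur.fetchall()


def source_summary(conn):
    """(src_ip, alert_count, network_part, attributable) per source, busiest first."""
    cur = conn.execute("SELECT src_ip, COUNT(*) FROM alerts GROUP BY src_ip "
                       "ORDER BY COUNT(*) DESC, src_ip")
    return [(ip, n, network_part(ip), source_attributable(ip)) for ip, n in cur]


if __name__ == "__main__":
    db, (ok, bad) = build_database(SAMPLE_LOG)
    print(f"loaded {ok} alerts, skipped {bad} malformed line(s)")
    for row in daily_attacks(db):
        print("daily", *row)
    for row in source_summary(db):
        print("source", *row)
```

Running the file directly prints the per-day summary and the per-source summary for the sample; passing a file path instead of ":memory:" to build_database keeps the records on disk, which is the routine, custodial record-keeping the slide says the evidence depends on.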
Expert Opinion upon Investigation
• No network is fully secure
• Cyber Games, Ltd. did several good things
  – Had a Honey Pot installed with a Firewall
  – Maintained clear records of attack logs
    • Both weak and severe
  – Ensured no attacks had a source within their network
  – Notified us and co-operated to trace the attackers
• Hence, they deserve to be compensated for the damages caused by Not-so-good Cyber Games, Inc.
Variables for Compensation
• Does the hacker live in the USA?
• Money to prosecute the hacker in court
• Revenue, Customers, Reputation lost due to the DDoS attacks
• Staff time and services of Network Forensic Experts for the investigation
Damages Compensation
ITEM                                                                          COST
Expenses for 3 FTE staff for assisting in 2 weeks of forensic investigation   $15,000
Expense for hiring the Network Forensic Experts from SI 2007                  $100,000
Lost revenue during the 5 days of decreased performance or loss of service    $250,000
Loss of customers, reputation and subscriber recruiting/advertisement         $500,000
Court costs + Attorney cost for civil trial proceedings                       $300,000
Total Cost                                                                    $1,165,000