Security
Reader small image

You're reading from  Learning Network Forensics

Product typeBook
Published inFeb 2016
Publisher
ISBN-139781782174905
Edition1st Edition
Tools
WiresharkSplunk
Concepts
Forensics
Right arrow
Author (1)
Samir Datt
Samir Datt
author image
Samir Datt

Samir Datt has been dabbling with digital investigations since 1988, which was around the time he solved his first case with the help of an old PC and Lotus 123. He is the Founder CEO of Foundation Futuristic Technologies (P) Ltd, better known as ForensicsGuru.com. He is widely credited with evangelizing computer forensics in the Indian subcontinent and has personally trained thousands of law enforcement officers in the area. He has the distinction of starting the computer forensics industry in South Asia and setting up India's first computer forensic lab in the private sector. He is consulted by law enforcement agencies and private sector on various technology-related investigative issues. He has extensive experience in training thousands of investigators as well as examining a large number of digital sources of evidence in both private and government investigations.
Read more about Samir Datt

Right arrow

Chapter 5. Tracking an Intruder on the Network

 

"Beware the intentions of Uninvited Guests."

 
 --Samir Datt

Intruders on a network are any network administrators' worst nightmare. Survey after survey conducted by the world's most trusted organizations point indisputably to the fact that, statistically, when it comes to network breaches, it is not a matter of if my network gets breached, but a matter of when my network gets breached. Some of the famous sites and networks that have been attacked in the past include the Pentagon, NATO, White House, and so on. As a network forensics investigator, it is critical to understand ways and means of intrusion detection and prevention.

Intrusion detection/prevention systems come in a multitude of flavors. There can be a host-based IDS/IPS or network-based IDS/IPS. Host-based systems monitor activity on the host computer, whereas network-based systems monitor activity based on network traffic captures.

This chapter focuses on detecting and preventing intrusions...

Understanding Network Intrusion Detection Systems

A Network Intrusion Detection System (NIDS) is a bit like the early warning alarm sirens that we see and hear in prison escape movies. These are triggered by a predefined event (such as an attempted break in/out) that is identified by a rule set enabled by the administrator/investigator. Just like a burglar alarm in a house, the NIDS is designed to detect an intruder and issue an alert to an authorized person.

Normally, a NIDS is able to detect intrusions in the network segment that it is monitoring. The key to its effective functioning is the correct placement of the NIDS device to enable it to monitor all network traffic entering and leaving the system. One way to do this is by placing it on the network and passing mirrored traffic through it. This is done to ensure that all the network traffic passes through the NIDS device.

The NIDS will monitor all inbound and outbound traffic and identify attempted intrusions by detecting anomalous...

Understanding Network Intrusion Prevention Systems

In the earlier section, we spent considerable time understanding NIDS. This has built a solid foundation, which we will find useful when moving on toward understanding NIPS.

Unlike a NIDS, which is a passive system, a NIPS is an active system that monitors network traffic and takes immediate preemptive action when a threat is detected. Intrusions are normally followed very quickly by vulnerability exploits. These are usually in the form of a malicious injection of data into an application or service with the objective of interrupting and gaining control of a machine or application. This could result in a denial of service (disabling applications or services), misusing existing privileges (rights and permissions) or escalating them for misuse, and gaining control of systems or resources.

In the information security world, most exploits come with an expiration date. This is because the moment an exploit has been identified, software vendors...

Modes of detection

NIDS and NIPS use different methods to detect suspected intrusions. The two most common detection methods are pattern matching and anomaly detection.

Pattern matching

Intruder detection using pattern matching is also known as misuse detection or signature-based detection. Basically, this is used to detect known attacks by their patterns—this includes specific actions that happen as part of the attack or their "signatures".

This is similar to identifying criminals from the fingerprints they have left at the scene of a crime. However, to be able to accurately pinpoint the identity of the criminal who was present at the scene of the crime, we need to have his/her fingerprints available in our database. In the same fashion, we need to have the pattern or signature of possible attacks in our database before our IDS/IPS can detect such an event.

Hence, the effectiveness of an IDS that relies on pattern matching is completely dependent on the signature database. Therefore, in an...

Differentiating between NIDS and NIPS

At first sight, both the solutions seem quite similar; however, there is a clear difference in that one is a passive monitoring and detection system that limits itself to raising an alarm at an anomaly or signature match, and the other is an active prevention system that takes proactive action when detecting a malicious packet by dropping it.

Usually, a NIPS is inline (between the firewall and rest of the network) and takes proactive action based on the set of rules provided to it. In the case of a NIDS, the device/computer is usually not inline but may get mirrored traffic from a network tap or mirrored port.

The network overhead in the case of a NIPS is more than that of a NIDS.

Another issue with a NIDS is that by the time an intruder hits the system and the administrator is informed, the intruder has already infiltrated the system to a good extent, thereby making a simple situation extremely dire.

While stability is paramount in both systems, the consequences...

Using SNORT for network intrusion detection and prevention

SNORT is an open source intrusion detection/prevention system that is capable of real-time traffic analysis and packet logging. Extremely popular, SNORT is the tool of choice for the open source community. While there are a number of other NIDS and NIPS out there, we will stick to SNORT for the purposes of this section.

SNORT is available from the https://www.snort.org/ website:

It makes a lot of sense to go through the documentation available on the website as this information is updated on a fairly regular basis.

At the time of writing, SNORT is available in flavors that run on some Linux distributions as well as Windows.

The download link will guide us to the correct flavor as per our requirements:

After the download, we need to install SNORT as per the following process:

We start by agreeing to the GNU Public License (GPL) so that we can proceed with the installation of SNORT:

We then proceed to selecting the components that we need...

Summary

In this chapter, you learned about network intrusion detection and prevention systems. We also explored how each has a different role to play and the different ways in which each performs its task. We have also been exposed to SNORT, which is a very versatile tool that can be used for both packet capture and network intrusion detection and prevention. You learned the importance of creating rules for NIDS/NIPS and explored how we can use these rules to identify intruders in our network.

In the next chapter, you will learn about a very important aspect of network forensics—connecting the dots using network logs. Just as a murderer leaves traces next to the victim's body, an intruder leaves traces of his/her activity in a network's log. Hence, the importance of network logs in any investigation is paramount. The next chapter will prepare us from this perspective.

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 11 of 17
Next Chapter
You have been reading a chapter from
Learning Network Forensics
Published in: Feb 2016Publisher: ISBN-13: 9781782174905
© 2016 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Author (1)

author image
Samir Datt

Samir Datt has been dabbling with digital investigations since 1988, which was around the time he solved his first case with the help of an old PC and Lotus 123. He is the Founder CEO of Foundation Futuristic Technologies (P) Ltd, better known as ForensicsGuru.com. He is widely credited with evangelizing computer forensics in the Indian subcontinent and has personally trained thousands of law enforcement officers in the area. He has the distinction of starting the computer forensics industry in South Asia and setting up India's first computer forensic lab in the private sector. He is consulted by law enforcement agencies and private sector on various technology-related investigative issues. He has extensive experience in training thousands of investigators as well as examining a large number of digital sources of evidence in both private and government investigations.
Read more about Samir Datt

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages
Automotive Cybersecurity Engineering Handbook

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages
Cloud Penetration Testing for Red Teamers

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5
Burp Suite Cookbook

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages
Building and Automating Penetration Testing Labs in the Cloud

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages
Ethical Hacking Workshop

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages
Implementing DevSecOps Practices

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages