Hacker and virus attacks are increasing with the expansion of the Internet and the growing number of easy-to-use attack tools. About 95% of web attack events are attributed to known security vulnerabilities that were never fixed. The fundamental cause of a compromise is therefore the vulnerabilities present in the penetrated computer network system (its security vulnerabilities), which is why evaluating vulnerabilities is so important.
To combat network security risks, customers need accessible solutions that improve their information security architecture based on the results of a security assessment. The aim is to strengthen security while still maintaining a high level of performance.
Criteria:
- SSE-CMM: Systems Security Engineering Capability Maturity Model
- ISO 17799 (BS 7799): Code of practice for information security management
- ISO 7498-2: Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture
- ISO 13335: Information technology – Security techniques – Guidelines for the management of IT security
- ISO 27001: Information security management systems – Requirements
- IATF: Information assurance technical framework
Security assessment methods:
- Security scan: Use scanning, analysis, and assessment tools to obtain a full picture of the target system's network security vulnerabilities.
- Manual audit: Manually inspect the target systems, including the host system, service system, database, network devices, and security devices.
- Penetration test: Simulate the attack and vulnerability discovery techniques a hacker would use, test the target system with them, and find its most vulnerable components.
- Questionnaire: Check the services, assets, threats, and vulnerabilities by collecting information from network system administrators, security administrators, and technical directors.
- Interview survey: Confirm the questionnaire results, obtain details of how management requirements are enforced, and collect users' opinions and comments.
Nmap command syntax:
- nmap [Scan Type(s)] [Options] {target specification}
- -sT: TCP connect() scan. Completes the full three-way handshake, so it needs no raw-socket privileges but is noisier than a SYN scan (-sS).
- -sn (formerly -sP): ping scan, that is, host discovery only with no port scan.
- -sU: UDP scan.
- -sR: RPC scan. This is a legacy option; current Nmap versions perform RPC grinding as part of version detection (-sV).
- -P0 (now spelled -Pn): do not ping hosts before scanning; treat every target as up. Needed when ICMP is filtered.
- -O: fingerprint the TCP/IP stack to determine the host operating system.
- -v: verbose mode. This option is strongly recommended (-vv gives even more detail).
- -h: quick help.
- -oN/-oX/-oG <file>: save the scan result in normal, XML, or grepable format respectively; -oA <basename> writes all three at once.
- -D <decoy1,decoy2,...>: decoy scan. The decoy addresses you specify appear alongside your real address in the target's connection logs, making the true scanner harder to identify.
- -n: no DNS resolution, which speeds up the scan.
The following commands can be used to collect information:
- nmap -sn [network segment]: fast ping scan of a network segment.
- nmap -sT IP: TCP connect() scan of one address.
- nmap -sU IP: UDP scan of one address.
- nmap -sV IP: service and version detection on the open ports of one address (this includes the RPC scan that the old -sR option performed).
- nmap -A IP: aggressive scan that combines OS detection (-O), version detection (-sV), default script scanning (-sC), and traceroute.
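As an added example (not part of the original page), the following Python script parses the grepable output that `-oG` writes. Running `nmap -sV -Pn -n -oG scan.gnmap <segment>` and parsing the file is the quickest way to turn a scan of a whole segment into a per-host list of open ports for the assessment report. The output embedded in the script is constructed to match the `-oG` line layout; the addresses, services, and banners are made up.

```python
"""Parse Nmap grepable (-oG) output into a per-host list of open ports.

Added example, not from the original page. The constructed sample below
imitates what `nmap -sV -Pn -n -oG scan.gnmap <targets>` writes; hosts,
addresses and banners are made up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of -oG output; real files have the same line shape.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -Pn -n -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 111/open/tcp//rpcbind//2-4 (RPC #100000)/, 2049/open/tcp//nfs//2-4 (RPC #100003)/\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:01:00 2024 -- 8 IP addresses (2 hosts up) scanned in 60.00 seconds
"""


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class HostResult:
    addr: str
    up: bool = False
    services: list = field(default_factory=list)


# One entry in a -oG "Ports:" field has seven slash-separated parts:
# port/state/protocol/owner/service/rpc_info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {address: HostResult} for every host line in the -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines (# Nmap ...) carry no host data
        # Fields are tab-separated "Key: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        addr = fields["Host"].split()[0]
        host = hosts.setdefault(addr, HostResult(addr))
        if fields.get("Status") == "Up":
            host.up = True
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, name, _rpc, version = m.groups()
            host.services.append(Service(int(port), proto, state, name, version))
            host.up = True  # a Ports line only exists for hosts that responded
    return hosts


def open_ports(hosts):
    """Map address -> sorted open port numbers: the quick triage view."""
    return {a: sorted(s.port for s in h.services if s.state == "open")
            for a, h in hosts.items() if h.up}


if __name__ == "__main__":
    results = parse_gnmap(SAMPLE_GNMAP)
    for addr, ports in open_ports(results).items():
        print(addr, ports)
```

Hosts reported Down are kept in the result with `up=False` rather than dropped, so the report can still list which addresses in the segment did not answer; with `-Pn` every target appears as a Ports line instead.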
Sparta is an easy-to-use GUI tool that integrates port scanning and brute-force cracking functions.
Configure Burp Suite and set the browser proxy before using it. Additionally, make sure the domains and URLs to be scanned are present on the site map of Burp Target, so that a full or partial scan can be performed.
During the security assessment and scan, carry out a customer-authorized penetration test on the key IP addresses. Simulate the attack and vulnerability discovery techniques that hackers may use to test the security of the target systems in depth and find the most vulnerable areas. The test on these key IP addresses should be as thorough and accurate as possible. If a major or critical vulnerability is found, fix it promptly.
Carry out the penetration test as required by the customer.
Capture packets so that all packet information can be analyzed. For image and log files, you may need to configure monitoring devices or log servers and use dedicated software to obtain data reports and determine threats or vulnerabilities.
Mirrored port: a monitored port. All the packets that pass through a mirrored port are copied to an observing port, which is connected to a monitoring device.
Observing port: connected to a monitoring device and used to send packets from the mirrored port to the monitoring device.
Logs are stored on hard disks or SD cards. If no hard disk or SD card is available, logs cannot be viewed or exported. Different device models support different logs and reports; for details, see the Huawei product documentation.
Log type:
- System logs: The administrator can obtain operational logs and hardware logs to locate and analyze faults.
- Service logs: The administrator can obtain relevant network information to locate and analyze faults.
- Alarms: Alarm information, including the alarm severity, source, and description, can be displayed on the WebUI.
- Traffic logs: The administrator can obtain traffic characteristics, used bandwidth, and validity of security policies and traffic policies.
- Threat logs: The administrator can obtain detection and defense details about network threats, such as viruses, intrusion, DDoS, Trojan horses, botnets, worms, and APT. Threat logs help understand historical and new threats, and adjust the security policies to improve defense.
- URL logs: The administrator can obtain the URL accessing status (permitting, alerting, or blocking) and relevant causes.
- Content logs: The administrator can check the alarm and block events generated when users transfer files or data, send and receive email, and access websites to obtain behavior security risks and relevant causes.
- Operational logs: The administrator can view operation information, such as login, logout, and device configuration, to learn the device management history.
- User activity logs: The administrator can obtain the online records of a user, for example, login time, online duration or freezing duration, and IP address used for login. The administrator can also study user activities on the current network, identify abnormal user login or network access behaviors, and take the corresponding countermeasures.
- Policy matching logs: The administrator can obtain the security policies matched by the traffic to determine whether the security policies are configured correctly and meet the requirements. Policy matching logs can be used to locate faults.
- Sandbox detection logs: The administrator can view sandbox detection information, such as the file name, file type, source security zone, and destination security zone. Based on the sandbox detection information, the administrator can handle exceptions in a timely manner.
- Mail filtering logs: The administrator can check the mail sending and receiving protocols, number and size of mail attachments, and causes of mail blocking, and then take measures.
- Audit logs: The administrator can learn FTP behavior, HTTP behavior, mail sending/receiving behavior, QQ online/offline behavior, keyword searching, and the validity of audit policies. (QQ is an instant messaging service developed by a Chinese company.)
The firewall outputs system logs through the information center. The information center is the information hub for system software modules on the firewall. System information can be filtered to find specific information.
Information is graded into eight levels by severity. The more severe the information, the lower its level number.
- Emergency (0): A fault causes the device to malfunction. The system can recover only after the device is restarted. For example, the device is restarted because of program exceptions or memory usage errors.
- Alert (1): A fault needs to be rectified immediately. For example, the memory usage of the system reaches the upper limit.
- Critical (2): A fault needs to be analyzed and handled. For example, the memory usage or temperature crosses its lower threshold, BFD finds that a device is unreachable, or an error message generated by the device itself is detected.
- Error (3): An improper operation is performed or a service exception occurs. The fault does not affect services but needs to be analyzed. For example, incorrect commands or passwords are entered; error protocol packets are received from other devices.
- Warning (4): Some events or operations may affect device running or cause service failures and require full attention. For example, a routing process is disabled; packet loss is detected using BFD; error protocol packets are detected.
- Notice (5): Key operations that are required to keep the device functioning properly, such as shutdown command execution, neighbor discovery, or the protocol status change.
- Informational (6): A routine operation is performed to keep the device running properly.
- Debugging (7): Common information is generated during normal operation of the device, which requires no attention.
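The severity number is what you filter on when working through information-center output. The Python script below is an added example (not from the page and not Huawei's code): it parses log lines with the `%%01MODULE/SEVERITY/MNEMONIC(l):description` header shape, which is an assumption about the device output format, keeps only records at or above a chosen severity, and counts them by module and mnemonic. Note that "at or above" means a lower number. The sample lines are constructed.

```python
"""Filter Huawei information-center log lines by severity (0 = most severe).

Added example, not from the original page. It assumes the VRP log header
shape `%%01MODULE/SEVERITY/MNEMONIC(l):description`; the sample lines are
constructed, not real device output.
"""
import re
from collections import Counter

SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debugging",
}

# Constructed sample lines in the header format described above.
SAMPLE_LOGS = """\
Jan 12 2024 08:00:01 FW1 %%01SHELL/5/LOGIN(l):The user admin logged in from 10.0.0.5 via SSH.
Jan 12 2024 08:00:07 FW1 %%01SHELL/3/LOGINFAIL(l):The user root failed to log in from 203.0.113.9 via SSH.
Jan 12 2024 08:00:08 FW1 %%01SHELL/3/LOGINFAIL(l):The user root failed to log in from 203.0.113.9 via SSH.
Jan 12 2024 08:05:00 FW1 %%01BFD/2/SESSION_DOWN(l):BFD session to 10.0.0.1 went down.
Jan 12 2024 08:05:30 FW1 %%01SYSTEM/1/MEM_LIMIT(l):Memory usage reached the upper threshold.
Jan 12 2024 08:06:00 FW1 %%01OSPF/6/NBR_CHANGE(l):Neighbor state changed to Full.
"""

# timestamp, hostname, then %%<version><module>/<severity>/<mnemonic>(l)[count]:<message>
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%%\d\d(?P<module>[A-Z0-9_]+)/(?P<sev>[0-7])/(?P<mnemonic>[A-Z0-9_]+)\([a-z]\)"
    r"(?:\[\d+\])?:(?P<msg>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it is not an information-center record."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip rather than guess at lines in another format
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["sev_name"] = SEVERITY_NAMES[rec["sev"]]
    return rec


def at_least(records, max_level):
    """Keep records at max_level or more severe, i.e. with a LOWER number."""
    return [r for r in records if r["sev"] <= max_level]


def count_by_mnemonic(records):
    """Count records per (module, mnemonic) to spot repeated events such as login failures."""
    return Counter((r["module"], r["mnemonic"]) for r in records)


def triage(text, max_level=3):
    """Return (records at Error or more severe, counts per mnemonic) for a log dump."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    urgent = at_least(records, max_level)
    return urgent, count_by_mnemonic(urgent)


if __name__ == "__main__":
    urgent, counts = triage(SAMPLE_LOGS)
    for r in urgent:
        print(f"{r['sev']} {r['sev_name']:<13} {r['module']}/{r['mnemonic']}: {r['msg']}")
    print(counts)
```

The default cut-off of 3 (Error) matches the table above: levels 0 to 3 describe faults that need analysis, while 4 and below are operational notices.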
The firewall also outputs security service logs, which the administrator can view on the WebUI or on a log server.
Service logs on the firewall include threat logs, content logs, policy matching logs, mail filtering logs, URL filtering logs, and audit logs.
Service logs can be sent to the WebUI, a log server, or the information center. The administrator reads them to learn the service running status and network status.
Windows event log files are in essence databases containing system, security, and application records. Each recorded event contains nine elements: date/time, event type, user, computer, event ID, source, category, description, and data.
The header fields, which include the source, time, event ID, task category, and event result (success or failure), have fixed formats.
The description field varies by event. It consists of fixed descriptive text plus variable information.
As discussed, proactive analysis uses security assessment methods such as security scan, manual audit, penetration test, questionnaire, and interview survey to obtain valuable information and produce a security assessment report.
Log information is analyzed during passive collection. The log records the key events that occurred. To analyze an event, check Who, When, Where, What, and How.
Key Log Analysis Points
- Who: the user or guest account.
- When: the time.
- Where: the location, such as the geographic location, login device, access interface, and accessed service.
- How: the access mode, such as wired, wireless, or VPN access.
- What: the action, such as an operation, device access, or resource/service access.
For IP spoofing attacks, source detection technology is used to verify the peer, permit data sent by the real source, and discard data from a forged source.
For User Datagram Protocol (UDP) attacks, fingerprint learning technology analyzes the attack packets to extract their characteristics, which then serve as the basis for defense. Alternatively, sessions can be created so that UDP packets from the real source are permitted and UDP packets from a forged source are discarded.
The figure shows how to filter the Security log in Event Viewer: for Event level select Critical or Warning, in the Event sources field enter Application Error, and in the Keywords field enter Audit Failure.
Each Windows event ID has a unique meaning, so the required information can be found quickly by filtering on the event ID.
Event 1 (Microsoft-Windows-Kernel-General, System log) records the old system time, the new system time, and the name of the user who changed the system time.
Event 4616 (Security log, "The system time was changed") records the old system time, the new system time, the name of the user who changed the system time, and the process used to change it.
Event 20001 (Microsoft-Windows-UserPnp, System log) records the driver installation of plug-and-play devices such as USB flash drives and hard disks. The recorded device instance ID includes the device vendor, model, and serial number, so the event can be used to identify the USB storage media that users inserted.