Packet Capture and Intrusion Detection/Prevention Systems

Malicious Network Activity Report

Event

A client detected suspicious network activity, and feared a breach and this resulted in this cyber forensic investigation. In this malicious network activity report, there is a target profile of the bank network over their network architecture. This report also contains a summary of the investigation results, methodologies, findings and remediation plans for the largest vulnerabilities discovered.

Target and Profile

FS-ISAC

FS-ISAC is the Financial Services-Information Sharing and Analysis Center. The organization was founded in 1999 by her financial services sector. FS-ISAC is the Financial Services-Information Sharing and Analysis Center. The goal of the directives was for information sharing to occur between public and private sectors on cyber security and physical threats and vulnerabilities to ensure the safety of U.S. critical infrastructure. FS-ISAC was headquartered in Vienna Virginia.

FS-ISAC approved a charter extension to share information among financial services organization around the world in 2013.This allowed information and intelligence gathering from a number of worldwide sources. These sources include law enforcement agencies, government agencies and other private information sources (FS-ISAC, 2018).The overall goal of the directives were for information sharing to occur between public and private sectors on cyber security and physical threats and vulnerabilities to ensure the safety of U.S. critical infrastructure.  (FS-ISAC, 2018).

Client-

The client is a member od FCID and a registered under the companiesAct of 2013. The name of the client is Harbor bank of Baltimore county , the bank serves the community through savings and loans to customer at competitive rates.

The client is a relatively well-known bank. It offers multiple loan and other finance vehicles, such as savings, checking, and money market accounts. The bank offers mortgages, vehicle, and personal loans, secured and unsecured credit card. The bank also offers online and in-person banking services and ATM points.

Overview of Network Architecture

During the investigation, we examined and review the bank network architecture. All the bank branch office was connected by several layers to external central network. Harbor bank workstations are divided into two main categories. There are corporate level workstations that use Windows Operating Systems (OS). The other category is processing machines, which use commercial, off the shelf (COTS), or proprietary banking transaction software, running on variations of Linux or Unix OS.

The bank network comprised of:

1. Branch Office contains-

– work station

– Internal DNC server

– Website Server (Host –based server)

 - Network IDS

  -Router

All external network of office connect through Bank ISP

2. External Network –

– Internal Banking

– Phone Wireless Broadband

Harbor Bank network structure of Intrusion Detection/ Prevention System (IDS)/ (IPS) is similar to that of most banks. Most bank branches use IDS instead of IPS on the outer DMZ because of other intrusion prevention mitigating controls but Harbor Bank use ISP Systems. Data Loss Prevention (DLP) The client uses a DLP to help prevent data loss and comply with certain Sarbanes Oxley Act (SOX) controls requirements, Harbor bank Remote Authentication Dial-In User Service (RADIUS) server.

The RADIUS server allows the bank to use several user profiles in a central repository/ database that all bank servers can utilize. Harbor bank Lightweight Directory Access Protocol (LDAP) server. The LDAP server allows sharing of directory and application access for the bank.  

Figure 1 

(www.bing.com/discover/banking-system, 2018)

Text Description of Figure 1-

This diagram illustrates the transaction flow for a network configuration in which the Harbor bank hosts the Internet banking application. The bank banking customer sends an e-banking transaction through their Internet Service Provider (ISP) via a phone, wireless, or broadband connection.

Also, Harbor Bank uses firewalls to help monitor and assist in intrusion detection and prevention by an attacker. Firewalls are mainly passive and help with white and blacklisting of application and blocking threats from exploiting vulnerabilities on the internal networks. Though the firewall helps in detection and prevention, the bank uses IDS/IPS to actively monitor, log and respond to attackers and threats. When combined with a SIEM tool, the bank can get a picture of the threats facing its network, and create its vulnerability management program and plans.               Moreover, Harbor bank has multiple Internet application servers that include a website server, e-mail server, proxy server, and domain name server (DNS) in addition to the Internet banking application server. Network IDS software resides at different points within the network to analyze the message for potential attack characteristics that suggest an unauthorized intrusion attempt.

Finally, Harbor Bank used the same basic protocols to send messages throughout its network. Each workstation sends messages and transactions in multiple packets, which are encoded and broken up through segmentation. The portions of the communication are then multiplexed from several senders, which is an interweaving of the message portions, and dedication of a portion of network bandwidth to them. The portions of each message are also labelled for order, and reassembly and decoding once reaching their destination.  (Na, Kim, & Lee, 2014)

IP Address-

  Harbor bank uses multiple IP address for most of their workstation. The bank IP address is allocated by its internet Service Provider (ISP). Harbor bank IT Administrator allocate the bank IP address and  the IP address information help the bank know the online customer city, region and show a numerical label assigned to devices use to navigate the bank network systems. An IP address has two different versions. The first is called IPv4, it consist of 4 numbers that are separated by dots e.g. – 212.78.1.25. Each of this numbers can only be from 0 through 25. The other version is IPv6, this is longer e.g. – 3001:0db7:85a3:0042:8a2e:0370:7334. IP address serves two functions, firstly, it host and secondly it network interface identification and location addressing. Harbor Bank uses 128-bit IPV6 address.

(Severance, C, 2015), (IP Location, 2018)

User Datagram Protocol (UDP)

Harbor bank uses UDP to provide specific port numbers to help distinguish specific transactions and user requests from different banks and applications. The bank also uses UDP because of its lower bandwidth when compared with TCP/ IP transmissions. UDP is part of the internet protocol suite used by programs running on different computers on harbor bank network.

Transmission Control Protocol/Internet protocol (TCP/IP)

The transmission control protocol/ internet protocol (TCP/IP) is the method and transmission layer the client’s computers use to communicate. Harbor bank transmits information using internet packets. These small bits of information are sent, transported, received, and transferred back across the networks internally and externally. Each packet contains a small part of the total information the client sends.

Some of the most well-known ports that the client and most other organizations use are as follows:

(Meridian outpost)

Network Traffic Monitoring and Results

When taking Harbor bank network and architecture into consideration, network monitoring was conducted using Snort, Wireshark, and other investigation methods. The results are as follows:

A-

Increased port activity on TCP ports 25 and 110 – These ports are Simple Mail, Transfer Protocol (SMTP), and Post Office Protocol version 3 (POP3) ports. This indicates that an attacker is assessing the viability of or attempting to execute an email hack. By intercepting emails, or even email lists, an attacker may receive sensitive information that can be exploited, or used for a phishing attack. 

B-

Increased number of requests on TCP 1433, UDP 1434 – These TCP and UDP ports are Microsoft Structured Query Language (MS SQL) Server. This most likely indicates a specific attempt to conduct, or test for the viability of a SQL injection attack.

The investigation tested for false positives and negatives, and found a statistically insignificant number. These numbers were gathered from tests on IDS, and IPS. In general, the method for reducing false positives and negatives is to first establish a good baseline for network traffic and activity.  Figures below are result of various tools (IDS AND Firewalls) used in UMUC VM Workspace to analyze false negatives and false positives

A dialog box Using TCP,

HTTP HEADER IN DETAIL

Running Snort- Against a recorded pcap file that simulates malicious traffic

Log Directory

Running  Snort on the pcap file

Potential Attacks

Harbor Bank nature of services is prone to the following cyberattacks-

1. IP Addess Spoofing Attacks– These attacks occur when a malicious program tricks a user into using it, by disguising itself as a legitimate program or site. These attacks are hard to spot by an average end-user because packet replies is not necessary from the target since the packet can be observe while in transit. IP address spoofing attack is a network layer attack.
2. Session hijacking- There were no indications of hijacking, but there are possible cases of backdoor hosting, unless the system is giving false positives. Through a backdoor host spear phishing file can get in to the systems.
3. Man-in-the-middle attacks- This type of attack that happens when between the two end points links packets is been sniffs on. The key to this attack is that the users or endpoints believe they are communicating directly with each other. 

           (K. Phalguna Rao, Ashish B. Sasankar, Vinay Chavan (2013)

 Recommended Remediation Strategies

There are many risks to network traffic analysis and remediation. Some of these risks are false positives, false negatives, missed analysis, and inability to remediate. To reduce risk of false positives and analysis of the network, will use a good analysis tool, and calibrate and get a baseline for regular network activity. This baseline should tell the normal traffic flows, patterns, and be cross references with times and volumes of data. Determine the use of SIEM tool, or other monitoring and event tool. This will help establish triggers to responses. Create a robust network operations and threat vulnerability program.

Moreover, these programs will help analyze new and old traffic to keep data flows and patterns updated, and help determine orders of importance in remediation of vulnerabilities, and investigation and remediation of incidents. Strategy for remediation will be is based around people, processes and technologies. Taking the potential attacks and specifically detected activity into account, the following remediation strategies are recommended.

Filtering Router-

 The best approach to prevent the Bank IP Spoofing problem is to install a filtering router that will limited or restrict the input of packet to the bank external interface and by denial packet through the network it the packet source is from the bank internal network.

  (K. Phalguna Rao, Ashish B. Sasankar, Vinay Chavan (2013)

Configuring Firewall, Switches & Routers-

 Because of the fact that packet spoofing is a very serious attack to mitigate, the best approach to prevent loss of sensitive data is to detect it on time and stop it by configure firewalls, switches and router within the network .( Prashant Phatak, 2016)

Consider the use of honeypot –

A honeypot is a system that is specifically designed and used as a plot to attract and trap, detect, or deter, and even gather information on attackers, and attacks. To use a honeypot, use outdated, or simulated critical data, or folders otherwise disguised as critical data. In general set the attack path along a well-known attack path, a heavily attacked port for instance. Set SIEM and IDS to monitor the honeypot. Care must be taken to use data that is not critical, and establish mitigating controls to limit the attacker’s movements. If Wireshark picks up an increased number of packets along the network pathway to the honeypot, it can be assumed to be working properly.

Close or obfuscate ports. –

Close all ports that are not absolutely necessary for bank business. If ports are needed, block all ports by default and allow by exception, and change management request.

Conduct training and awareness programs. –

One of the first lines of defense is training and awareness for employees. Phishing attempts work because targets are unaware of what to look for. Establishing a training and awareness program that includes defenses against social engineering, especially phishing attack.

Use other detection tools and techniques –

Use tools such as Microsoft network monitor, and System Center Configuration Manager (SCCM) to create a robust network monitoring system, and include host based intrusion detection and prevention systems. Use a product like Tanium that can help with both network and systems monitoring and configuration, and even vulnerability management.

The forensic analysis examinations of the Harbor bank overall network found the bank’s exposure to cyberattacks were average to minimal.  However, due to outdated operating systems, firewalls, and IDS/IPS systems, this added vulnerability to the network is increased to the risk of cyberattacks. 

 Therefore, it is recommended that the bank’s IT team do a thorough inspection of current network software and upgrade as appropriate. Honey pot is a good solution to the issues in the bank’s cyber security concerns. Typically, a honey pot is used as a defensive tool and is used to (sort of) trap attackers. It is designed to fool them into thinking they are on a real system (though most good attackers can quickly detect it’s a honeypot). By fooling the attacker, the “honeypot owner” is hoping to learn more about the attacker’s motives and techniques.

In integrating a honeynet into the IDS/IPS strategy involving artificial intelligence, the honeynet provides a defense in depth” allowing the honeypot to be another facet that complements the other layers allowing the bank’s network to detect the changes in real-time, and act proactively on the malicious detections. 

 The overall network must be regularly updated to increase risk mitigation providing a security strategy such as a Honeynet and Snort IDS artificial intelligence, which would enable detection of new attacks and anomalies and adapt to networks. “The introduction of Artificial Intelligence alleviates some of the security professionals’ workload by first learning about a network and gauging reactions from a security professional to reduce false positives, and second, by adapting to changes in the network to identify new attacks.” (Seelammal, 2016). 

 In addition, the use of legitimate IP address owners can reduce the risk of being attacked by insider threats. (Yu, Qian, & Li, 2014, August)

References

• Crovella, M., & Lakhina, A. (2014). U.S. Patent No. 8,869,276. Washington, DC: Retrieved U.S. Patent and Trademark Office
• Giotis, K., Androulidakis, G., & Maglaris, V. (2014, September). Leveraging SDN for
• Efficient anomaly detection and mitigation on legacy networks, Retrieved from In Software Defined Networks (EWSDN), 2014 Third European Workshop on (pp. 85-90). IEEE.
• Montazer, G. A., & ArabYarmohammadi, S. (2015). Retrieved from Detection of phishing attacks in Iranian e-banking using a fuzzy–rough hybrid system. Applied Soft Computing, 35, 482-492.
• Na, S. Y., Kim, H., & Lee, D. H. (2014). Prevention schemes against phishing attacks on internet banking systems. Retrieved form-International Journal of Advances in Soft Computing & Its Applications, 6(1).
• Yu, Y., Qian, C., & Li, X. (2014, August). Distributed and collaborative traffic monitoring in software defined networks. Retrieved from the Proceedings of the third workshop on hot topics in software defined networking (pp. 85-90). ACM
• Prashant Phatak (2016) – Cyber Attacks Explained: Packet Spoofing- Retrieved from Creative Commons Attribution-Non-Commercial 3.0 Unpotted license. © 2016, EFY Enterprise Pvt. Ltd.
• FS-ISAC (2018). About FS-ISAC. Retrieved from FS-ISAC: https://www.fsisac.com/about
• C. Seelammal, K. Vimala Devi, “Computational intelligence in intrusion detection system for snort log using Hadoop”, Retrieved from-
• Control Instrumentation Communication and Computational Technologies (ICCICCT) 2016 International Conference on, pp. 642-647, 2016
• Nader F. Mir- 2015- Introduction to Packet Switched Network- Retrieved from https//: www.informit.com
• K. Phalguna Rao, Ashish B. Sasankar, Vinay Chavan (2013) –Spoofing Attacks on Packets And Methods for Detection and Prevention of Spoofed Packets Retrieved from
• International Journal of Science Engineering and Advance Technology is available under a Creative Commons Attribution 3.0 Unported license. , IJSEAT.com.
• Prashant Phatak- (2016)-Cyber Attacks Explained: Packet Spoofing Retrieved from Creative Commons Attribution-NonCommercial 3.0 Unported license.  EFY Enterprise Pvt. Ltd.
• FFIEC IT Examination Handbook InfoBase- 2018 –Retrieved from https://www.bing.com/images/search?view=detailV2&ccid=64rkvpvo&id=BB4EFC8BF6C229B497AA13098AC8A953313E869C&thid=OIP.64rkvpvom87l7Uj2hKUIIwHaFY&mediaurl=https%3A%2F%2Fithandbook
• MeridianOutpost, 2018-Gigital Business & IT Support Services- Retrieved from http://www.meridianoutpost.com/