First they briefly discussed potential legal issues. For instance, one should be aware of the local and national laws concerning computer technology and cyber security. One must have permission to capture and review traffic for purposes of troubleshooting, optimization, security, and application analysis. I do believe that has to be permission in writing too...
One must know their chain of custody and create SHA1, RIPEMD160, or MD5 hashes of trace files one plans on using as evidence with capinto - the command line for Wireshark.
I also learned that most bot-infected hosts and their Command and Control (C and C) servers can be detected by capturing and analyzing DNS responses.
One of the key points that is important to note is that to know whether or not your server is being attacked is to know how your servers normally behave in the first place.
Another point discussed was the responses of host-based firewalls. Many of them simply come back with an ICMP reponse when it detects an invalid host attempting to access it. However, a host-based firewall should NEVER actually send anything back, but just drop the connection if it is suspicious. In other words, do not violate the #1 rule of the internet - do not feed the trolls.
Also, ARP does not get past routers for a lack of an IP header - no identification, no access.
Some Active Discovery Processes were discussed here:
- ARP Scan - local only; can find << hidden >> hosts
- Ping scan - ICMP type 8/0
- ACK Scan - TCP ACK - check firewall rules
- FIN Scan - FIN - illogical TCP fram
- Xmas Scan - FIN PUSH URG
- Null Scan - No flags set
- Maimon Scan - FIN/ACK
- Idle Scan - Uses zombie; watches IP ID value
- TCP Port Scan - stealth of full
- UDP Port Scan - listening for ICMP responses
- OS Fingerprinting Scan - TCP, UDP, ICMP Probes
Remember, the difference between reconnaissance and a breach is what they are used for.
- Here are some of the signatures of traffic:
- Unusual ports in use
- Unusual protocols in use
- High TCP "data" rate/Undissected traffic
- Unusual conversation pairs
- Unusual endpoints
- High number of application failures/error responses
- Higher-than-normal traffic rates
- Higher-than-normal conversations per user
- Traffic to/from illegal MAC or IP address
I also learned that a dark MAC address or dark IP address is a bogus address packet treated as a broadcast. Consequently, the router simply keeps flooding the network in search of a machine that matches the MAC and/or IP address, but of course, never finds it.
I also learned how to create Coloring Rules. Essentially, you tell it to find certain packets that meet a certain condition. If it does, then you will notice it highlighted as the color you assign to that. One suggestion is to assign your largest threats the color(s) that is/are most aggravating and/or certain to catch your attention.
And finally, I leave you with two pieces of advice:
More to come later today!