Scrutinizer v7 NetFlow and sFlow Analyzer: Setting up Flow Analytics

Posted in NetFlow, Scrutinizer, sFlow on October 13th, 2009 by Jo-G

Is your network compromised? Network scans, illegal applications? Want to view the top ten Conversations across your network? How about setting DNS resolution to occur automatically on a regular basis? Or send a syslog when a set threshold is exceeded based on criteria set in a saved report?

With Scrutinizer v7 and Flow Analytics as your network management tool, all of the above can easily be managed and reported on.



Russian Business Network – Detecting Cybercrime with NetFlow

Posted in NetFlow on September 28th, 2009 by mike@plixer.com

The Russian Business Network (commonly abbreviated as RBN) is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale.

Family Business Robbed On-Line
Patco Construction, a family-owned company, was impacted by a cybercrime that may have involved the RBN.

Michael Patterson
Scrutinizer Product Manager

Flow Analytics P2P Monitor serves up humble pie

Posted in NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Monitor, Scrutinizer on June 29th, 2009 by Raul J Duran

A common problem for network administrators is when end users get in the habit of blaming the network for slowness on their workstations. For this reason it’s important for network administrators to not only prove, but sometimes disprove, issues with the network. Sometimes the issue is a combination of both.



NetFlow Detective – The case of the missing notes

Posted in General, NetFlow, Netflow Detective, Scrutinizer on May 18th, 2009 by jimmyd

It was a cold afternoon here in the city, colder than your normal spring afternoon. Things had been hectic here in the office lately, but I had a feeling that things were going to get much, much busier.

A tall man walked through the door.

“Are you the Cisco NetFlow detective?” he asked.

“Yes, I am. What can I do for you?”

“I’m in trouble, big trouble!” he said.

“What kind of trouble?” I knew that he was in trouble from the second I saw him; it’s the kind of trouble that haunts a man, the kind that brings them to a guy like me.

“Jimmy, I’m getting logs from the IDS and firewalls notifying me of an intrusion attempt. They are trying to communicate to a local IP, but I don’t know who that local IP is or who else they were talking to.”

“What’s even worse is that our school district was awarded a technology grant that makes us a beacon school for technology. These hacks are getting out to the news and my job is on the line. The school board is calling for an investigation into my actions. I don’t know what else I can do!”

“Don’t worry Joe, I’ve seen this before and I can help you out. Let’s look at your network. What do you have behind that firewall?”

“We have multiple Cisco routers and three Catalyst switches.” said Joe.

“Good news Joe, they support Cisco NetFlow. This will be easy.”

Joe looked confused. “What’s Cisco NetFlow?”

“NetFlow is a protocol developed by Cisco to help you manage your network traffic. It gives you a record of each conversation. It can tell you who is talking on your network, who they are talking to and what they are saying. We’ll use Scrutinizer to help us manage and report on it. It will find out where the issue is.”

After a few minutes Jimmy D and Joe had set up Scrutinizer and were successfully sending flows from all the switches and routers.

“Now we need to let it gather some data. Let’s get together in the morning.”

The Next Day:

“First, let’s take a look at the firewall logs.”

As we browsed through the list, something caught my attention. It appeared the attacks were coming from the address 66.122.5.200. We then created a custom report in Scrutinizer to reveal who was attempting to communicate with this address. We already knew that the internal machine wasn’t getting through to the IP in question, but we still wanted to know who was trying to communicate with it. It could be a virus or worse.

We first resolved the outside IP of 66.122.5.200 and it returned the host www.hackedquiznotes.tv. We then created a custom report that generated all conversations to and from that IP. On a hunch, I decided to report on the router that served the student level of the campus.

We ran the report and found the issue.

“Look, from here we can see that this workstation is trying to communicate with that IP. We can also see that they were using port 6609. Let’s go down to that lab and look at that machine.”

Soon Jimmy D and Joe were in the computer lab face-to-face with a student.

“Ben, this is Detective Jimmy D and he is looking at some issues with our network,” said Joe.

“Excuse me for a moment Ben, I need to check something on that computer.” Joe and I sat down at the computer while Ben stood over by the door.

“Haven’t I seen him before?” I asked.

“You might have seen Ben in the paper. He and his father helped break ground on the new CBA Network Management building. CBA Network is one of the companies asking the school district to outsource their network solutions to them. They are trying to cut costs.”

I started typing and the pieces started to come together… The picture wasn’t good.

“Joe, it looks like Ben added an app that monitors certain folders for any activity. Once activity is detected it uploads that file to a remote site. In this case, it is www.hackedquiznotes.tv, via port 6609.”

“That’s not right. Ben wouldn’t have access like that…”

Joe quickly sat down at the computer and checked the user account that was running that service. The user name was abcnm, and it had been created two weeks ago by Jon, the Jr. Admin.

Joe turned to me and had a horrible look on his face.

“What’s wrong, Joe?” I said.

“I can’t believe it,” said Joe. “Two weeks ago Jon, my Jr. Admin, was passed up for the Admin position. He was very upset that I had gotten the job. He wanted it, and wanted it bad.”

“Why do you think he did this?” I asked.

Joe quickly turned to Ben and asked, “What do you have to say about this?”

All of a sudden a look of anger came over Ben’s face. The kind of anger you see when the senior quarterback misses the last touchdown in the last second of his last game ever.

“Arggg, I would have gotten away with it, if it wasn’t for him!” yelled Ben. “My dad was going to buy me a new car if he won this contract. So I made sure Jon would take over your job in the new building. The district would have gotten rid of you by then!”

“Ahh, I see,” said Joe. “Well I think that you need to speak with Vice Principal Flanagan. I’ll bet he will want to contact the District and your father!”

“Thank you Jimmy D. You have saved my position!”

“Not a problem Joe, that is my job.”

Although quite a bit of this story is fictional, it is based on a real life call. Some of the names have been changed to protect the innocent.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

What is a FIN port scan and how does it work?

Posted in General, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Security, WebNM on May 7th, 2009 by nathanh

Every morning begins the same way: I come into the office, boot up my laptop, get my coffee and then start on my daily responsibilities.

As I’m sitting at my desk replying to various e-mails and such, Milton decides to talk to himself.

Now when I say that he’s talking to himself, I really mean that he’s talking to everyone in a 10-foot radius, but he’s the only one who understands what he’s talking about.

Here’s a sample of how it goes:

Milton: “There are two girls on the page now…”
Me: “I’m sorry, what?”
Milton: “Who is the new girl on the website?”
Me: “What are you talking about? What girls, what website?”
Milton: “For our blogs…”
Me: “mhrmmmm.” (This is me trying to terminate the conversation)

I’m going to stop there…

That is a common morning conversation scenario with my buddy Milton. If you are confused about this conversation, you are not alone. With Milton starting conversations like we’ve been talking for an hour, he always manages to get a reply out of me, even if it is one of confusion.

I use Milton as an example of how a FIN port scan works.

First, think of Milton as a port scan aimed at hosts whose TCP stack follows RFC 793 to the letter, such as Linux and the BSDs (a Windows stack answers with RST whether the port is open or not, so the trick falls flat there). Milton sends a packet with only the FIN TCP flag set to a port he has never spoken to, as if he had been talking to it all along. After all, the FIN flag is the tag used to FINISH a conversation.

If the port that Milton is talking to is closed, the port replies to Milton with a RST flag. That’s like me saying “mhmmm” just to end the conversation.

However, if the port is open, the packet is quietly discarded, since there is no conversation to finish. But this is exactly what Milton is looking for. If he doesn’t get that RST flag, he assumes there is a service listening on that port. The catch is that a firewall silently dropping the packet produces exactly the same silence, so a FIN scan by itself cannot tell an open port from a filtered one.

Now that he’s found an open port, he knows where a service is listening, and because he never sent a SYN, a monitor that only counts failed handshakes never saw him coming.
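The behaviour Milton describes leaves a fingerprint in flow records: a one-packet TCP flow carrying FIN and no other flag. The script below is an added example, not code from this post or from Scrutinizer; it assumes NetFlow v5-style records (tcp_flags as the OR of every flag seen in the flow, plus a packet count) and runs over a constructed set of flows in which one scanner sweeps eleven ports, the closed ports answer RST/ACK and two open ports stay silent. The addresses, ports and the ten-port threshold are assumptions made for the example.

```python
"""Spot FIN-only probes in flow records (added example; not Plixer code).

Assumes NetFlow-style records where tcp_flags is the OR of every flag seen
in the flow and packets is the packet count, as NetFlow v5 exports them.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: int      # 6 = TCP
    tcp_flags: int  # cumulative OR of the flags seen in this flow
    packets: int


def is_fin_probe(f: Flow) -> bool:
    """One TCP packet carrying FIN and nothing else.

    A real close sends FIN together with ACK, and a real session shows a SYN
    first, so a lone FIN in a one-packet flow has no legitimate explanation.
    """
    return f.proto == 6 and f.packets == 1 and f.tcp_flags == TCP_FIN


def detect_fin_scans(flows: Iterable[Flow], min_ports: int = 10) -> Dict[str, Dict[str, List[int]]]:
    """Map scanner -> target -> sorted ports, for pairs with >= min_ports FIN probes.

    The port count separates a sweep from a stray FIN left over when the
    exporter missed the start of a session.
    """
    probes: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if is_fin_probe(f):
            probes[f.src][f.dst].add(f.dport)
    result: Dict[str, Dict[str, List[int]]] = {}
    for src, targets in probes.items():
        hits = {dst: sorted(ports) for dst, ports in targets.items() if len(ports) >= min_ports}
        if hits:
            result[src] = hits
    return result


def likely_open_ports(flows: Iterable[Flow], scanner: str, target: str) -> List[int]:
    """Ports the scanner probed that never answered with a RST.

    Silence is what the scanner reads as "open", but a firewall dropping the
    probe is equally silent: treat these as open-or-filtered, not open.
    """
    probed, reset = set(), set()
    for f in flows:
        if f.proto != 6:
            continue
        if f.src == scanner and f.dst == target and is_fin_probe(f):
            probed.add(f.dport)
        elif f.src == target and f.dst == scanner and f.tcp_flags & TCP_RST:
            reset.add(f.sport)  # the reply comes back from the probed port
    return sorted(probed - reset)


# --- constructed sample flows (private addresses, invented traffic) ---
SCANNER, TARGET = "10.0.0.5", "10.0.0.20"
PROBED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]
OPEN_PORTS = {22, 80}

SAMPLE_FLOWS: List[Flow] = []
for i, port in enumerate(PROBED_PORTS):
    SAMPLE_FLOWS.append(Flow(SCANNER, 40000 + i, TARGET, port, 6, TCP_FIN, 1))
    if port not in OPEN_PORTS:  # closed ports answer RST/ACK; open ones say nothing
        SAMPLE_FLOWS.append(Flow(TARGET, port, SCANNER, 40000 + i, 6, TCP_RST | TCP_ACK, 1))
# an ordinary web session: SYN, ACK and FIN all seen, many packets -> not a probe
SAMPLE_FLOWS.append(Flow("10.0.0.7", 51000, TARGET, 80, 6, TCP_SYN | TCP_ACK | TCP_FIN, 12))
# one stray FIN on a single port -> stays under the sweep threshold
SAMPLE_FLOWS.append(Flow("10.0.0.8", 52000, TARGET, 443, 6, TCP_FIN, 1))

if __name__ == "__main__":
    for scanner, targets in detect_fin_scans(SAMPLE_FLOWS).items():
        for tgt, ports in targets.items():
            print(f"FIN sweep {scanner} -> {tgt}: {len(ports)} ports, "
                  f"open|filtered {likely_open_ports(SAMPLE_FLOWS, scanner, tgt)}")
```

Two things to keep in mind when running this against real exports: sampled flow (sFlow, or NetFlow with packet sampling) will miss many single-packet probes, so the port threshold has to come down or the window go up; and the open-port list is only as good as the exporter’s view of the return path, so a target behind asymmetric routing can look “open” on every port simply because its RSTs were never exported.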

Now that you understand how the FIN port scan works; does anyone have an Aspirin?

-Nate


New resource shows how to test for Conficker vulnerabilities

Posted in General on April 21st, 2009 by jimmyd

Over the weekend I spent quite a bit of time watching some of the awesome IT security videos that are offered on The Academy Pro web site. I couldn’t believe all the valuable step-by-step information that this site offers. Believe it or not, I had a goal. I needed to learn more about “Conficker”.

We have already covered how to detect “Conficker” traffic via Scrutinizer’s Flow Analytics application from my buddy Milton’s blog back in March. In the NetworkWorld article titled “Downadup/Conflicker worm: When will the next shoe fall? “, Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks is quoted as saying,  “It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs”. So how can we prevent this from happening?

My goal was to conduct a security audit for such a vulnerability. That is where TheAcademyPro comes in. The TheAcademyPro web site was created by Peter Giannoulis, a well-known information security consultant and author. Check out this awesome interview with Peter on Hak5. They just started a series on how to conduct vulnerability scans for Conficker:

Conficker vulnerabilities with Core Impact – Posted on April 20th, 2009

“Everybody’s had to deal with Conficker over the last little while, but many don’t realize exactly how easy it is to exploit a system using the targeted vulnerability. Let’s begin the week by manually exploiting Conficker vulnerabilities with Core Impact 8 modules.”

Now I have a bit more information and might be able to conduct a security audit soon. I will keep you posted.


U.S. electricity grid infiltrated by spies

Posted in NetFlow, Network Problem Resolution, Scrutinizer, Security, sFlow on April 21st, 2009 by Jon Mills

[Image: U.S. cybersecurity attacks by sector]

Cyberspies
I read this article the other day: Electricity Grid in U.S. Penetrated By Spies. At first, I was annoyed that these cyberspies were able to sneak into our utility companies and leave software tools behind that could be used to wreak havoc with our electrical grid. But then I was more surprised that our utility companies are crazy enough to put our electric grids onto the Internet.

Our Government will Protect us?
What should we do? Our government was unable to forecast the financial crisis we are in. How could a bunch of politicians possibly see a potential electronic takeover of our utilities coming? Kind of scary.

Network Behavior Analysis won’t save you
I started thinking about ways we can use Cisco NetFlow or sFlow to catch these perpetrators. In doing so, I listed a bunch of things we might watch for:

  • Excessive traffic from a host? Won’t work, these hackers don’t cause lots of traffic.
  • Communication on strange ports? Won’t work, the bad guys use ports used by most applications (e.g. TCP port 80, etc.).
  • Network scans? These guys operate at a much more stealthy level than scanning for open ports.
  • NULL scan, XMAS, SYN, RST/ACK, ICMP unreachable? No way, we’re not going to catch them looking for these behaviors. Don’t get me wrong, I think monitoring for these communications is helpful, but don’t rely on these patterns to catch all nefarious traffic.

What about NBA (Network Behavior Analysis)? Using Cisco NetFlow, NBA can baseline end-system behaviors and alert when a host talks outside its normal traffic pattern. This probably won’t help either. Most NBA systems don’t baseline every unique Internet host a computer has communicated with. Contact with a host in another country, in most cases, won’t raise any flags; and if it does, the customer is probably tired of the false positives, because ordinary Internet browsing produces a crazy number of such alarms.

Internet Threats Algorithm in Flow Analytics
In some cases, our Internet Threats Algorithm can help. Most of our Scrutinizer customers are running the FA (Flow Analytics) module. Several times per day, each Scrutinizer installation connects to one of our web sites and downloads the latest list of known compromised Internet hosts that are participating in questionable behaviors. The specific piece of FA that does this is called the “Internet Threats Monitor”. It monitors ALL connections in and out of the Internet for any internal computer communicating with an Internet host that is on the list. If communication occurs, an alert is triggered and the host’s Unique Index is raised. It has proven to be very effective, but not perfect. How does it work?

Flow Analytics Overview

Below is a partial list of the algorithms FA uses for Network Behavior Analysis. The time trend displays how long the algorithm takes to run each time it executes. The count column trends how frequently the algorithm is triggered.

[Image: Flow Analytics Internet Threats gadget]

Thresholds can be set per algorithm. For example, the default threshold for Internet Threats is 1. Some threats that could appear for this algorithm include:

  • RBN host: The host listed could be part of the Russian Business Network.
  • TOR host: The host listed could be participating as an Onion Router.
  • Compromised Internet host: The host listed could be participating in activities resembling the Storm Worm.
  • Botnet C & C server: The host could be participating as a Botnet or in a command and control operation.
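As an added example for the Internet Threats Monitor described above and the threat categories just listed (this is not Plixer’s code, and the feed format, the category names as labels, the addresses and the scoring rule are all assumptions made for the example), the script below loads a small threat list, checks every internal-to-Internet flow in both directions against it, raises one alarm per internal-host/threat-host pair once the count reaches the threshold, and keeps a per-host score in the spirit of the Unique Index.

```python
"""Threat-list matching over flow records (added example; not Plixer code).

Models the Internet Threats idea: every flow between an internal host and an
Internet host is checked against a downloaded list of bad hosts, a hit
raises an alarm, and the internal host's score goes up. The feed format,
categories and addresses below are assumptions for the example.
"""
import ipaddress
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Constructed feed, one "address_or_cidr,category" per line. These are the
# RFC 5737 documentation ranges, not real threat hosts.
THREAT_FEED = """\
# address,category
198.51.100.23,RBN host
203.0.113.77,TOR host
203.0.113.0/28,Compromised Internet host
192.0.2.250,Botnet C & C server
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    octets: int


def load_threat_list(text: str) -> List[Tuple[object, str]]:
    """Parse the feed; bare addresses become /32 so lookup is uniform."""
    threats = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, category = (part.strip() for part in line.split(",", 1))
        threats.append((ipaddress.ip_network(addr, strict=False), category))
    return threats


def is_internal(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in net for net in INTERNAL_NETS)


def threat_category(ip: str, threats) -> Optional[str]:
    """First matching category, or None when the host is not on the list."""
    a = ipaddress.ip_address(ip)
    for net, category in threats:
        if a in net:
            return category
    return None


def internet_threats(flows: Iterable[Flow], threats, threshold: int = 1):
    """Return (alerts, score).

    alerts: sorted (internal_host, threat_host, category, flow_count) for
            pairs seen at least `threshold` times; both directions count,
            since a C&C server may call in as well as be called.
    score:  per internal host, how many distinct threat hosts it touched
            (a stand-in for the Unique Index bump the post mentions).
    """
    hits: Counter = Counter()
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            inside, outside = f.src, f.dst
        elif is_internal(f.dst) and not is_internal(f.src):
            inside, outside = f.dst, f.src
        else:
            continue  # internal-only or Internet-only traffic is out of scope
        category = threat_category(outside, threats)
        if category:
            hits[(inside, outside, category)] += 1
    alerts = sorted((i, o, c, n) for (i, o, c), n in hits.items() if n >= threshold)
    score = Counter(i for i, _, _, _ in alerts)
    return alerts, dict(score)


THREATS = load_threat_list(THREAT_FEED)

# Constructed sample flows: private internal hosts, documentation-range externals.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "198.51.100.23", 443, 9_000),    # RBN host, contacted twice
    Flow("10.1.2.3", "198.51.100.23", 443, 12_000),
    Flow("10.1.2.3", "203.0.113.5", 80, 700),          # inside the listed /28
    Flow("192.0.2.250", "10.1.2.9", 6667, 300),        # inbound from the C&C address
    Flow("10.1.2.4", "198.51.100.99", 80, 40_000),     # Internet host not on the list
    Flow("10.1.2.3", "10.1.2.4", 445, 5_000),          # internal only, ignored
]

if __name__ == "__main__":
    alerts, score = internet_threats(SAMPLE_FLOWS, THREATS)
    for inside, outside, category, count in alerts:
        print(f"ALERT {inside} <-> {outside} [{category}] flows={count}")
    print("scores:", score)
```

Three caveats matter in production. A list like this ages fast, so a hit against a stale entry is a lead rather than a verdict; large shared addresses (CDN edges, carrier NAT, Tor exits that also serve ordinary traffic) will match on legitimate connections; and with sampled flow a single C&C check-in can be missed entirely, which is why the threshold defaults to one and why both directions are matched rather than only outbound connections.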

Example Alarm

[Image: Internet security alarms with NetFlow]

Preach Abstinence
It seems to me that the best security measure these electrical companies could take might be ‘abstinence’ from the Internet. Why do they need to be on the web anyway?


Jon Mills
Marketing & Public Relations Manager

It wasn’t me… Flow Analytics shows you who really was the culprit

Posted in General, Scrutinizer on April 13th, 2009 by Raul J Duran

The world has become a pretty crazy place in the last few years.

I was reading this Networkworld.com article: “China denies cyberattacks on the U.S. power grid“, and it reminded me of my childhood.

Remember when we were kids and we got caught doing something we weren’t supposed to? My favorite rebuttal was “It wasn’t me” and “Nope, I didn’t do it”.

I remember one time when me and my no-good friends decided to pull a prank on my neighbor. We thought they would appreciate 10 pizzas delivered to them COD. My buddy called and made the order and we sat back and laughed because we were just so smart. I don’t know how they caught us but they did, and I got the blame because the call came from my house even though, “It wasn’t me”. I didn’t end up paying for pizzas, but I did pay.

I thought to myself, “What if Chinese IP addresses are being used to conceal the true identity of the attacker?” Network World has another really interesting article explaining “10 ways the Chinese Internet is different from yours“.

That sure is a lot of control over Internet traffic by the Chinese government to not know or be involved with, but it’s possible that it doesn’t know or isn’t involved. On the flip side, I’m pretty sure that the U.S. government knows a lot more than it’s saying.

Scrutinizer with Flow Analytics has several tools to show you exactly where attacks are coming from.

The Internet Threats algorithm analyzes your network traffic for communications with known threats on the Internet.  We also have other algorithms that will inform you of threats regardless of whether they are known or not.

[Image: Flow Analytics threats overview]

When Flow Analytics tells me I have a problem, I just click on the name of the algorithm to check out who’s causing trouble.

[Image: known host alarm]

Upon investigation, I see a cute little scan.

OK, now where are you from?

[Image: Scrutinizer geo-IP tool]

Ah…  China.  I love Cantonese Chinese food.

Reporting Suspicious Behavior

Regardless of whether it’s the Chinese government, a script kiddie, or one of their friends making the call, it’s coming from their house, and they’re going to end up paying for the 10 pizzas.

Raul J Duran

Network security: Cisco NetFlow watching for strange behavior on your network

Posted in NetFlow, Scrutinizer, Security on March 20th, 2009 by mike@plixer.com

After reviewing the SANS Top-20 2007 Security Risks, I started asking myself and the rest of our security team how the behavior analysis features of Flow Analytics can accurately detect such Internet threats. This is especially important because these concerns are constantly changing, making it difficult to stay on top of topics such as the latest on Conficker.

Back to security basics
We decided to go back and answer the question “What is computer security?”. We pretty much agreed that it is the unauthorized use – even if only attempted – of any computer. We then asked “How do we assist companies in this area?”. We all agreed that our solution detects problems that have already gotten past traditional security practices such as antivirus software on desktops, firewalls and intrusion detection systems.

Who is watching for strange behaviors?
I think everyone would agree that infected machines will make it onto the network. Our goal is to detect, flag and even stop host behaviors that could cause problems locally or for other hosts on the network.

Related read: Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer
