Security Analyst White Papers
Featured White Papers
As a baseline for security expertise, all SecureWorks Security Analysts are required to hold the GIAC Certified Intrusion Analyst certification. The following white papers were written by Security Analysts to fulfill part of their GIAC certification requirements.
A Multi-Perspective View of PHP Remote File Include Attacks
If you look at the logs of just about any production web server, you are bound to find signs of a remote file include (RFI) attack. It is easy to disregard them as low hanging Internet broadscan noise, but attackers would not be scanning the Internet for vulnerable hosts if they were not also successfully exploiting them. This paper describes the mechanics of a RFI attack by doing a code analysis and an attack walk-through on a vulnerable application. Detecting an attack is discussed by writing sample IDS signatures and looking at related log files. The threat landscape is examined by taking a look at the tools attackers use to find and exploit vulnerable hosts—this is coupled with an actual attack transcript from a monitored RFI botnet. Multiple mitigation techniques are discussed, ranging from secure programming practices to defenses at the network layer.
Tags: RFI Attack | Author: Dennis Schwartz
VoIP Security Vulnerabilities
Since the dawn of time, humans have tried to communicate with each other. As languages and dialects prospered, the forms of communication became more advanced by using letters in various alphabets and writing messages on papers or letters.
Tags: voip security | Author: David Persky
Fundamental Honeypotting
This document is intended to guide an individual through a basic honeypot software install, identify traffic analysis and management techniques, and illustrate how data from a honeypot can be utilized to formulate valuable information.
Tags: Honeypot | Author: Justin Mitchell
University Security Assessment
This report contains the analysis of network traffic for University XYZ from March 25th through March 27th, 2004. Log files were obtained from the University in order to identify threats to the security and performance of the network. Included in the set of logs to be analyzed were signature alert logs, port scanning logs, and out of specification (OOS) logs. Signature alert logs identify traffic that has patterns similar to behavior that may be malicious or detrimental to the performance of the network. Port scanning logs record probes both to and from the local network and may identify information gathering attempts or host misconfigurations, as well as assisting in profiling the University network. OOS logs provide information on network traffic that may not match the specified networking protocols, which can sometimes be an indication of malicious activity or a broken application.
Tags: logs signatures | Author: Rudy Ristich
Defeating SQL Injection IDS Evasion
This paper will explore the continuing rising threat of SQL injection as techniques are developed making it more difficult to detect this form of attack vector. More recent forms of SQL injection capitalize on an IDS's innate weakness of being rule-based, and give attackers room to craft an attack in a way to avoid detection. Techniques of SQL injection will be presented for those unfamiliar with this threat. The current state of IDS detection for this vector will be explored. Different methods of evasion will be covered, depicting how Snort rules were misled. It will also be shown how Defense In Depth is the only true protection there is against these attacks, through separation of privileges, application log analysis, and event correlation.
Tags: SQL IDS | Author: Brad Warneck
Wireless Attacks from an Intrusion Detection Perspective
Security professionals commonly implement wired intrusion detection systems, but wireless intrusion detection systems (WIDS) are not as prevalent. Many security professionals simply do not understand the nature of wireless networks or the attacks they are prone to. Intrusion detection is available for wireless networks, but just how does wireless intrusion detection work and why is it different from wired IDS? In this paper, I will discuss wireless intrusion detection systems and explain how to detect common wireless attacks.
Tags: WIDS IDS | Author: Gary Deckerd
Nmap - The tool, its author, and its implications
Nmap (available at http://www.insecure.org) is the commonly accepted authority in information gathering tools. It is the first tool that both an attacker and a defender reach for, for a reason. It is an extremely versatile and useful information gathering tool that yields much of the necessary information about a machine and its possible weaknesses. Care must be taken when using Nmap.
Tags: NMAP | Author: Brent Deterding
For Online Beta NAPSTER ISSUES (and the alternatives)
This incident occurred at the University of Missouri at Columbia. A single student in a residence hall was using Napster to an excessive degree, which led to a partial denial-of-service for other students. The use was discovered and terminated. However, problems continued to arise with regard to Napster and a more permanent solution had to be devised.
Tags: Napster | Author: Brent Deterding
Mastering the Haystack Or Finding the Needle: A Three Part Guide
The files analyzed in this report are from Prestigious University (P.U.), and are for the dates June 25, 26, and 27, 2003. These files allowed (and hindered, to a degree) the gathering of information regarding P.U.'s network and security posture. From this information, an overview of the way the network is laid out can be determined, and details such as university computers that are infected with viruses and computers that are trying to attack the university can also become known.
Tags: network and security | Author: Jason Pinkey
An Analysis of Buffer Overflows
This paper is being written as a demonstration of my understanding of current security topics as well as the ability to analyze and understand alerts generated by intrusion detection systems. Part 1 discusses buffer overflows. It explains how they work and how to detect a buffer overflow attack. Part 2 is an analysis of three separate log files. In the first file a suspected buffer overflow attack is analyzed. Port 0 traffic is analyzed in the second file. A possible trojan is analyzed in the third file. Part 3 is an analysis of five days' worth of logs from a university.
Tags: buffer overflows | Author: Kevin Cryan
Prelude as a Hybrid IDS Framework
Organizations both large and small are constantly looking to improve their security posture. While most organizations deploy security equipment, they still encounter the challenge of monitoring and reviewing the security events. Due to the nature of network security events, they require analysis as close to real time as possible. In this paper, I will discuss the Open Source Security Information Management (SIM) system known as Prelude.
Tags: security events | Author: Curt Yasm
EVTX and Windows Event Logging
Auditing and compliance are far more important to an organization than ever before due to security incidents and digital threats. Security professionals are under increasing pressure to understand the changes that occur in increasingly complex IT environments. The collection and aggregation capability of the technology in these complex environments is constantly changing to adapt to the auditing and compliance requirements that many organizations must meet. Many organizations use Microsoft's Windows platform for desktop, workstation, or server environments. Microsoft has recently reworked the log collection and aggregation functionality of Windows Vista based platforms. The new Windows Event Logging framework and EVTX log format include increased functionality for security professionals to collect and correlate logs.
Tags: auditing and compliance | Author: Brandon Charter
Network Security Model - The definition of a Network Security model
The Open Systems Interconnection model (OSI), developed in 1983 by the International Organization for Standardization (ISO), has been used as a framework to teach networking basics and troubleshoot networking issues for the last 25 years. It has been so influential in network development and architecture that even most of the network communication protocols in use today have a structure that is based on it. But just as the OSI model never fails us, we find that we are lacking a standard that all network security professionals can adhere to, a Network Security Model (NSM). Today's sophisticated and complex networks provide the fundamental need for the NSM.
Tags: network security | Author: Josh Backfield
Web Based Attacks
Attacks upon information security infrastructures have continued to evolve steadily over time; legacy network based attacks have largely been replaced by more sophisticated web application based attacks. This paper will introduce and address web based attacks from attack to detection. Information security professionals new to application layer attacks will be in a better position to understand the underlying application attack vectors and methods of mitigation after reading this paper.
Tags: web attacks | Author: Justin Crist
Passive Application Mapping
Tracking and correlating data concerning hosts on a network is an arduous task, but it is immensely beneficial in many aspects. Knowing the version of the software a server is running can tell you if it's vulnerable to exploits. Knowing the types of software a host is offering can help determine what the host is used for. To know this information you have to actively run scans on your network. Although scanning is a solution for testing your applications for security updates, it can have undesirable effects. Nmap is known to cause a system to crash. You also run the risk of utilizing an excessive amount of network bandwidth. Passive Application Mapping (PAM) is a solution for this problem. In this paper I cover the topics that are vital to understanding and utilizing PAM. I also cover the commercial and public efforts that incorporate PAM to better aid in Intrusion Analysis and network maintenance.
Tags: application mapping | Author: Benjamin Small
A Beginners Guide to tcpdump
The primary goal for this paper is to explain packet sniffing using tcpdump. A short general explanation of how data is transmitted over a network will be covered, as well as some important reasons a person may want to sniff network traffic. We will cover what packet sniffing is at an introductory level as well as where to find further resources for additional study. Two installation scenarios will be demonstrated in a systematic fashion. Different methods of sniffing traffic will be shown, as well as how to analyze the data packets that have been captured. Practical examples with real data are used to demonstrate types of traffic that can be captured and analyzed on a network. This will solidify a basic understanding of packet sniffing. A light introduction to other applications for sniffing traffic will be provided as well. Other applications will be covered at a higher level with enough detail to entice the reader to investigate and experiment.
Tags: packet sniffing | Author: Andy Wagoner