Five Code RED Security Threats to Windows Servers – How to Detect them
The Importance of Consolidation, Detection – Enterprise Security Series
White Paper


Abstract

How important is it for your organization to stop an intrusion? How important is it for your organization to keep critical applications available at all times? The purpose of this white paper is to identify and demonstrate how to detect five of the most significant indications that a security breach is being attempted or is under way. Critical alert notifications and an effective resolution strategy will reduce IT costs, while increasing service availability and enhancing the security of your enterprise.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Introduction

For a secure corporate network, firewalls and anti-virus software are absolute requirements, but they are still not enough to stop all of the critical security threats to your network. While the majority of attacks originate outside the organization, the most serious and costliest ones often come from inside, from your own users, and firewalls and anti-virus can do little to prevent them. With the proliferation of USB flash drives, sometimes the biggest risk an organization faces is as simple as an insider copying sensitive information onto a portable drive.

Even attacks from the outside can evade the firewall. Attackers who have procured a user list and are running a password-guessing campaign know that accounts lock out after a certain number of unsuccessful login attempts, so they rotate their attempts through different accounts and different machines until they find a combination that gets them in. No single one of these attempts looks suspicious on its own; only by correlating these seemingly disconnected events, across accounts and across servers, can you establish that an attack is in progress.

Malware and spyware are another problem facing organizations today. Anti-virus vendors are in a constant race to keep up with new threats released into the wild, and in the delay between first detection and a signature update the damage can be done. Most threats do two things: first, they install themselves on the host, which requires a new file or a change to an existing file and to the registry; second, most malware starts to communicate with the outside world, sending information out and asking for instructions. Both symptoms can be detected through change monitoring and network connection monitoring.

To detect these types of security threats early, you need to consolidate and mine your event log information using a Security Information and Event Management (SIEM) solution such as EventTracker.


Threat 1: Intrusion Attempts

Intrusion attempts by external attackers or internal users occur frequently in many medium to large sized organizations, especially universities and financial institutions.

An attacker, from a single workstation, can run an automated script that attempts to log on to different servers with different username and password combinations. The attacker is well aware that most systems will lock an account out after a small number of consecutive failed attempts with the same username (three is a common policy), so they spread their guesses across many usernames and many servers, keeping each account below its lockout threshold, until they gain unauthorized entry. This technique is commonly called password spraying. Once in the server, they can access critical data or compromise security further.

The Windows operating system records each logon attempt in the event log of the individual server (event ID 4625 for a failed logon, 4624 for a successful one). However, the scenario above can only be detected by methodical analysis of every server's log, because each server on its own sees only a handful of failures. This type of intensive analysis is generally performed post mortem, after the intruder has damaged the system and security is already compromised. According to security experts, such an incident can cost an organization from $100K to $1M, depending on the value of the data compromised and the size of the company.

EventTracker can help

EventTracker identifies the source of logon attempts and detects attacks before it is too late. EventTracker monitors real-time user activity events from all systems at a central location and maps all user activity to the originating IP address.


The example event shows the suspicious IP address: dozens of logon attempts are initiated from this IP address in less than two minutes. This event is generated in real time and is a clear indication that an intrusion is in progress. In a large organization, where there is always a significant volume of login failures due to user error, the ability to trace failures back to a single source is invaluable. EventTracker can also alert on a simple threshold of overall failed logins.
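The correlation described above, written out as an added example in Python. This is not code from the original paper or from the EventTracker product; the failed-logon records are constructed to mimic the fields a SIEM extracts from event ID 4625, and the thresholds (at least 8 failures against at least 5 distinct accounts within two minutes) are assumptions to be tuned to your environment. The point it demonstrates is that the detection must be keyed on the source address, because the per-account lockout counter never fires when each account is tried only once.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event ID 4625 (logon failure) records,
# reduced to the fields a SIEM would extract: timestamp, target server,
# target account, source IP address. Not real log data.
FAILED_LOGONS = [
    # a legitimate user mistyping a password on one server: must NOT alert
    ("2017-03-01 08:00:05", "FS01", "alice", "10.1.1.25"),
    ("2017-03-01 08:00:11", "FS01", "alice", "10.1.1.25"),
    ("2017-03-01 08:00:40", "FS01", "alice", "10.1.1.25"),
    # one source rotating through accounts and servers, one try each,
    # so no single account ever reaches its lockout threshold
    ("2017-03-01 09:10:00", "FS01", "alice", "203.0.113.7"),
    ("2017-03-01 09:10:02", "FS01", "bob", "203.0.113.7"),
    ("2017-03-01 09:10:04", "SQL02", "carol", "203.0.113.7"),
    ("2017-03-01 09:10:06", "SQL02", "dave", "203.0.113.7"),
    ("2017-03-01 09:10:08", "WEB03", "erin", "203.0.113.7"),
    ("2017-03-01 09:10:10", "WEB03", "frank", "203.0.113.7"),
    ("2017-03-01 09:10:12", "DC01", "grace", "203.0.113.7"),
    ("2017-03-01 09:10:14", "DC01", "heidi", "203.0.113.7"),
    ("2017-03-01 09:10:16", "FS01", "ivan", "203.0.113.7"),
    ("2017-03-01 09:10:18", "FS01", "judy", "203.0.113.7"),
    # same source hours later: outside the window, so not added to the count
    ("2017-03-01 15:00:00", "FS01", "alice", "203.0.113.7"),
]


def parse(rows):
    """Turn the raw tuples into (time, server, account, source_ip), sorted by time."""
    events = [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), server, account.lower(), ip)
        for ts, server, account, ip in rows
    ]
    return sorted(events)


def detect_spray(rows, window=timedelta(minutes=2), min_failures=8, min_accounts=5):
    """Correlate logon failures by source IP across all servers.

    For each source IP a sliding time window is moved over its failures; an
    alert is raised when the window holds at least `min_failures` events
    spread over at least `min_accounts` distinct accounts. Returns one alert
    per offending IP, describing its busiest window.
    """
    by_ip = defaultdict(list)
    for ev in parse(rows):
        by_ip[ev[3]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            accounts = {e[2] for e in in_window}
            if len(in_window) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(in_window) > best["failures"]:
                    best = {
                        "source_ip": ip,
                        "first_seen": in_window[0][0],
                        "last_seen": in_window[-1][0],
                        "failures": len(in_window),
                        "accounts": sorted(accounts),
                        "servers": sorted({e[1] for e in in_window}),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(FAILED_LOGONS):
        print(f"ALERT {alert['source_ip']}: {alert['failures']} failures against "
              f"{len(alert['accounts'])} accounts on {alert['servers']} between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

The same loop keyed on the target account instead of the source address is the ordinary lockout-style rule; running both is what separates a clumsy user from a spray. Note that the source address in 4625 is only populated for network logons; for RDP or interactive logons through a gateway you may need to correlate with the gateway's own logs.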

What happens if the attacker is able to gain access? An easy way to detect a successful penetration is often to monitor for unusual logon-logoff activity.

Most users have consistent logon-logoff patterns. Each user accounts for a certain number of events in the event log per day, including logons, logoffs, logon failures and other common events; in most organizations the count per user generally varies between 50 and 100 events per day.

If you continuously monitor user activity patterns, it is possible to detect when a user's pattern changes. When a user begins to show unusual login activity, it requires the immediate attention of IT security. In the worst case, someone is using that user's credentials and rights to gain unauthorized access to the system. It is also possible that it is not malicious activity at all, but a faulty application generating large numbers of events under a specific username. While that may not be a security issue, it is an operational issue that requires the system administrator's attention to identify which application is generating the extreme number of events, and why.

EventTracker can help

EventTracker monitors the activities performed by each normal and administrative user in real time. If the activities performed by a user fall outside the predefined normal pattern, EventTracker immediately identifies the user and sends an alert in real time. The alert also includes a trace of all of the user's activities.


The example alert indicates that the user John.Smith has over 6,000 logon-logoff related events since 12 A.M., unusually high by any standard. Further investigation is warranted to trace the activity logged for John.Smith and find out which workstation or process is generating these events.
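The per-user baseline the text relies on, as an added example in Python (not code from the paper or the EventTracker product). The daily counts are constructed; the decision rule, flagging a user whose count today is more than four spreads above their own ten-day mean or above a hard ceiling of 1,000 events, is an assumption. It shows why the comparison has to be against each user's own history rather than the global "50 to 100 events" figure: a backup service account doing 400 logons a day is normal for that account, while 6,000 for John.Smith is not.

```python
import statistics

# Constructed history: for each user, the number of logon/logoff-related
# events (4624, 4634, 4647, 4625 and similar) attributed to that user on each
# of the previous ten days. Not real log data.
HISTORY = {
    "john.smith": [62, 70, 58, 65, 71, 60, 66, 69, 63, 64],
    "svc-backup": [400, 410, 395, 405, 402, 398, 407, 401, 399, 404],
    "mary.jones": [48, 52, 55, 49, 50, 53, 51, 47, 54, 50],
}

# Constructed counts for today so far.
TODAY = {
    "john.smith": 6000,   # the John.Smith case from the text
    "svc-backup": 403,    # busy service account, but busy every day
    "mary.jones": 51,
    "new.hire": 30,       # no history yet
}


def baseline(counts):
    """Mean and population standard deviation of a user's daily counts."""
    return statistics.fmean(counts), statistics.pstdev(counts)


def detect_volume_anomalies(history, today, sigma=4.0, min_history=5, hard_limit=1000):
    """Flag users whose event volume today departs from their own baseline.

    A user is flagged when today's count is more than `sigma` spreads above
    their mean, or above `hard_limit` in absolute terms. The spread is floored
    at 10% of the mean (and at 1) so that a very regular account is not flagged
    over a deviation of a few events. Users with fewer than `min_history` days
    of history are only checked against the hard limit.
    """
    findings = []
    for user, count in sorted(today.items()):
        hist = history.get(user, [])
        if len(hist) < min_history:
            if count > hard_limit:
                findings.append({"user": user, "count": count, "mean": None,
                                 "z": None, "reason": "no baseline, over hard limit"})
            continue
        mean, sd = baseline(hist)
        spread = max(sd, 0.1 * mean, 1.0)
        z = (count - mean) / spread
        if z > sigma or count > hard_limit:
            findings.append({"user": user, "count": count, "mean": round(mean, 1),
                             "z": round(z, 1), "reason": "volume outside user baseline"})
    return findings


if __name__ == "__main__":
    for f in detect_volume_anomalies(HISTORY, TODAY):
        print(f"ALERT {f['user']}: {f['count']} events today, "
              f"baseline {f['mean']}, z={f['z']} ({f['reason']})")
```

In production the history would be rolled forward each day and weekends or shift patterns kept as separate baselines; the floor on the spread is the detail that keeps a stable service account from paging someone over a single extra logon.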

Threat 2: Excessive access failures by a user

Identifying repeated and persistent attempts by a user to gain unauthorized access to files and directories is another first step in detecting a potential attack. It could be an inside user trying to reach resources they do not have permission for or, worse, somebody purposely probing for a weak spot.

An attacker will rarely gain access to the directories or files they want on the first attempt. Multiple access failures by one user can indicate a potential attack, and an investigation is warranted. If the security officer is warned in real time, they can catch the likely threat immediately.

Note that Windows only records a denied object access (event ID 4656 with the Audit Failure keyword) when object access auditing is enabled for the file system and a system access control list (SACL) is set on the files or folders of interest; without both, these events never appear in the log and there is nothing to count.

EventTracker can help

EventTracker maintains a count of all access failures by user and by IP address. When the access failure count is exceeded within a predefined time, EventTracker generates an alert and identifies the user or IP address. You can also run a report of all access failure attempts by user to identify which resources they tried to access.


The example event identifies the user Jagat as attempting to gain unauthorized access to data in real time. The system administrator can run a report to identify which file or resource the user Jagat is trying to access and decide on the correct course of action.

The example report indicates which files the user Jagat unsuccessfully tried to access and at what time.
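The report and alert for this threat, as an added example in Python (not code from the paper or the EventTracker product). The 4656 and 4624 records are constructed and their field names simplified (a real 4656 carries SubjectLogonId, ObjectName and AccessList, among others); the threshold of five denied accesses is an assumption. One detail the paper glosses over is where the "IP address" in an access-failure alert comes from: a 4656 event has no source address, so the example joins it to the 4624 logon event that opened the session via the logon ID, and reports "unknown" when that logon has already rotated out of the log.

```python
from collections import defaultdict

# Constructed event 4624 (successful logon) records: the LogonId ties every
# later action in that session back to the account and its source address.
LOGONS = [
    {"LogonId": "0x3E7A1", "User": "jagat", "IpAddress": "10.1.5.40"},
    {"LogonId": "0x41B22", "User": "alice", "IpAddress": "10.1.1.25"},
]

# Constructed event 4656 records with Keywords = Audit Failure ("A handle to
# an object was requested" and denied). Only emitted when file-system
# auditing is enabled and the object carries a SACL. Not real log data.
ACCESS_FAILURES = [
    {"Time": "2017-03-01 10:02:11", "LogonId": "0x3E7A1", "User": "jagat",
     "Object": r"D:\Finance\Payroll\2017-Q1.xlsx", "Access": "ReadData"},
    {"Time": "2017-03-01 10:02:14", "LogonId": "0x3E7A1", "User": "jagat",
     "Object": r"D:\Finance\Payroll\2016-Q4.xlsx", "Access": "ReadData"},
    {"Time": "2017-03-01 10:02:30", "LogonId": "0x3E7A1", "User": "jagat",
     "Object": r"D:\Finance\Budget.xlsx", "Access": "ReadData"},
    {"Time": "2017-03-01 10:03:05", "LogonId": "0x3E7A1", "User": "jagat",
     "Object": r"D:\HR\Salaries.docx", "Access": "ReadData"},
    {"Time": "2017-03-01 10:03:09", "LogonId": "0x3E7A1", "User": "jagat",
     "Object": r"D:\HR\Salaries.docx", "Access": "WriteData"},
    # session whose 4624 has already rotated out of the log: source unknown
    {"Time": "2017-03-01 10:20:47", "LogonId": "0x1F000", "User": "jagat",
     "Object": r"D:\Finance\Payroll\2017-Q1.xlsx", "Access": "ReadData"},
    {"Time": "2017-03-01 11:15:00", "LogonId": "0x41B22", "User": "alice",
     "Object": r"D:\Projects\roadmap.pptx", "Access": "ReadData"},
]


def session_index(logons):
    """LogonId -> logon record, for joining object-access events to a source address."""
    return {rec["LogonId"]: rec for rec in logons}


def access_failure_report(failures, logons, threshold=5):
    """Per user: total denied accesses, the objects and access types attempted
    with their timestamps, the source addresses of the sessions involved, and
    whether the total reaches `threshold`."""
    sessions = session_index(logons)
    per_user = defaultdict(lambda: {"count": 0, "objects": defaultdict(list), "sources": set()})
    for f in failures:
        rec = per_user[f["User"].lower()]
        rec["count"] += 1
        rec["objects"][f["Object"]].append((f["Time"], f["Access"]))
        session = sessions.get(f["LogonId"])
        rec["sources"].add(session["IpAddress"] if session else "unknown")
    return {
        user: {
            "count": rec["count"],
            "objects": {obj: sorted(tries) for obj, tries in rec["objects"].items()},
            "sources": sorted(rec["sources"]),
            "alert": rec["count"] >= threshold,
        }
        for user, rec in per_user.items()
    }


if __name__ == "__main__":
    for user, rec in access_failure_report(ACCESS_FAILURES, LOGONS).items():
        flag = "ALERT" if rec["alert"] else "info "
        print(f"{flag} {user}: {rec['count']} denied accesses from {rec['sources']}")
        for obj, tries in rec["objects"].items():
            print(f"        {obj}: {tries}")
```

The "unknown" source is worth alerting on in its own right: it means the logon event is older than your retention on that host, which is exactly when you want the consolidated copy the paper argues for.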

Threat 3: Suddenly emerged listening ports or services on a server

The most common-sense approach to security is to know, watch and protect all entry points into a system, and to ensure that credentials are checked before anyone gains entry. One entry point to the server is the system logon. In most organizations, logons are well watched and well protected. However, users also gain entry to applications running on a server through well-known TCP ports, which listen for incoming requests. Before a user gets access to an application, it is the application's responsibility to check that user's credentials, and the operating system's logon auditing does not see these connections at all.


It is common for a new application, or an update to an existing application, to introduce new TCP ports and listen for new connections. If this is not an approved change, you may have opened a gate for attackers into your server.

Every listening port is an entry point to the server, and attackers know that these entry points are generally not as closely watched or as well protected as logons. Additionally, malware and spyware attempting to communicate with the outside world will open new listening ports or outbound connections on a system.

Two critical questions an IT security team must ask themselves: 1) Do they know all the entry points to their systems? 2) Do they have a way to track when a new entry point is opened on a critical server?

EventTracker can help

EventTracker monitors all incoming and outgoing TCP connections. It also maintains a baseline of the listening ports for each system. If an application starts a new listening port, EventTracker immediately generates a real-time alert to inform the security manager or system administrator.
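The baseline comparison behind this threat, as an added example in Python (not code from the paper or the EventTracker product). The snapshots are constructed in the shape a collector would build from `Get-NetTCPConnection -State Listen` (or `netstat -ano`) joined with the owning process name; the host names, processes and the approved-change list are assumptions. Beyond the plain "new port" case the text describes, it also flags a known port that is suddenly served by a different executable, which is what a replaced or hijacked service looks like, and it treats a host with no baseline as a finding rather than silently passing it.

```python
# Listening-socket snapshots per host: a set of (protocol, local port, process).
# All data below is constructed for the example.
BASELINE = {
    "WEB03": {("tcp", 80, "w3wp.exe"), ("tcp", 443, "w3wp.exe"),
              ("tcp", 445, "System"), ("tcp", 3389, "svchost.exe")},
    "SQL02": {("tcp", 1433, "sqlservr.exe"), ("tcp", 445, "System"),
              ("tcp", 3389, "svchost.exe")},
}

CURRENT = {
    # unknown binary on an unplanned port, and 443 now owned by a different process
    "WEB03": {("tcp", 80, "w3wp.exe"), ("tcp", 443, "httpd.exe"),
              ("tcp", 445, "System"), ("tcp", 3389, "svchost.exe"),
              ("tcp", 4444, "updater.exe")},
    # new port, but one recorded as an approved change
    "SQL02": {("tcp", 1433, "sqlservr.exe"), ("tcp", 445, "System"),
              ("tcp", 3389, "svchost.exe"), ("tcp", 8080, "ReportingServicesService.exe")},
    # host that has never been baselined
    "FS01": {("tcp", 445, "System"), ("tcp", 3389, "svchost.exe")},
}

# Change tickets approved for this window: (host, protocol, port)
APPROVED = {("SQL02", "tcp", 8080)}


def diff_listeners(baseline, current, approved=frozenset()):
    """Compare each host's current listeners against its baseline.

    Findings: a new (protocol, port) is 'high' unless it is an approved change
    ('low'); a baselined port now owned by a different process is 'high'; a
    port that disappeared is 'info' (a service went down); a host with no
    baseline is 'info' and should have one recorded. Sorted by host then port.
    """
    findings = []
    for host, listeners in current.items():
        base = baseline.get(host)
        if base is None:
            findings.append({"host": host, "severity": "info", "port": None,
                             "reason": "no baseline recorded for host"})
            continue
        base_by_port = {}
        for proto, port, proc in base:
            base_by_port.setdefault((proto, port), set()).add(proc)
        for proto, port, proc in listeners:
            key = (proto, port)
            if key not in base_by_port:
                sev = "low" if (host, proto, port) in approved else "high"
                findings.append({"host": host, "severity": sev, "port": port,
                                 "reason": f"new {proto} listener by {proc}"})
            elif proc not in base_by_port[key]:
                findings.append({"host": host, "severity": "high", "port": port,
                                 "reason": f"{proto}/{port} now served by {proc}, "
                                           f"baseline {sorted(base_by_port[key])}"})
        current_ports = {(p, po) for p, po, _ in listeners}
        for proto, port in sorted(base_by_port):
            if (proto, port) not in current_ports:
                findings.append({"host": host, "severity": "info", "port": port,
                                 "reason": f"{proto}/{port} no longer listening"})
    return sorted(findings, key=lambda f: (f["host"], f["port"] or 0))


if __name__ == "__main__":
    for f in diff_listeners(BASELINE, CURRENT, APPROVED):
        print(f"[{f['severity']:4}] {f['host']}: {f['reason']}")
```

Re-baseline only from an approved change, never from the current snapshot after an alert, or the first unauthorized listener simply becomes part of the baseline.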

Threat 4: Data Leak Prevention

Flash drives are huge productivity enhancers, but a security nightmare. Small devices with large capacity that can slip into a pocket and be inserted into a machine in seconds enable large quantities of sensitive data to be copied quickly. For the mobile worker they make taking work home a snap, but in more sinister cases they allow large amounts of sensitive data to move quickly off premises. Even in the innocent case, the accidental loss of a knowledge worker's USB drive can have a significant impact.


Flash drives, because of their usefulness, cannot simply be banned in most cases, so monitoring their use is crucial, especially on server systems.

EventTracker can help

Within EventTracker's policy console, security personnel can define a list of permitted USB devices (by their serial numbers) for each Windows machine or group of machines. Using the EventTracker Windows agent, this list of permitted devices is pushed out to the local machines, so access can be controlled immediately with no need to look up policy on an EventTracker Console.

Every time a USB device is inserted, the EventTracker agent checks its permission list and, if there is no violation of policy, permits the device access while logging the insertion. If a violation of policy is detected, access is prevented and the violation is immediately sent to the EventTracker Console. Where access is permitted, EventTracker also begins to actively monitor all activity on the device, and every file that is written to or deleted from the device is recorded. A complete audit trail consisting of the user, device type, serial number, time and all file activity is captured and sent as an event to the EventTracker Console for processing.

One caveat when allow-listing by serial number: not every USB storage device carries a unique serial number. For such devices Windows generates an instance ID of its own, so two identical drives without serials are indistinguishable, and a policy keyed on serial numbers should treat them as unapproved.

Sample Report #1: USB Activity Report by Machine

Sample Report #2: Summary Report
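The serial-number check an agent performs on insertion, as an added example in Python (not code from the paper or the EventTracker product). It parses the device instance path Windows assigns to a USB storage device (the USBSTOR\<device>\<serial>&<LUN> form found under the Enum key in the registry and in PnP events); the device paths and the allow-list are constructed. The detail it handles is the one the text leaves out: when a device reports no serial number, Windows generates an instance ID with an ampersand as its second character, and the example refuses to treat such an ID as an identity.

```python
import re

# A Windows PnP device instance path: <enumerator>\<device id>\<instance id>.
# For USB mass storage the enumerator is USBSTOR and the instance id is the
# device's serial number followed by "&<LUN>". All paths below are constructed.
INSTANCE_PATH = re.compile(r"^(?P<enumerator>[A-Za-z]+)\\(?P<device>[^\\]+)\\(?P<instance>[^\\]+)$")


def parse_instance_path(path):
    """Split an instance path and extract the serial number, if the device has one.

    When a device reports no serial number, Windows generates an instance id
    itself and marks it with '&' as the second character (e.g. "7&1A2B3C4D&0&_&0").
    Such ids are unique per port and machine, not per device, so they must not
    be used as an allow-list key.
    """
    m = INSTANCE_PATH.match(path)
    if not m:
        raise ValueError(f"not a device instance path: {path!r}")
    instance = m.group("instance")
    generated = len(instance) > 1 and instance[1] == "&"
    serial = None if generated else instance.split("&")[0].upper()
    return {"enumerator": m.group("enumerator").upper(), "device": m.group("device"),
            "serial": serial, "generated_id": generated}


def evaluate_insert(path, allowlist):
    """Policy decision for one device insertion against a serial-number allow-list.
    Non-storage USB devices (keyboards, hubs) are out of scope and ignored."""
    info = parse_instance_path(path)
    if info["enumerator"] != "USBSTOR":
        return {"decision": "ignore", "serial": info["serial"],
                "reason": "not a USB storage device"}
    if info["generated_id"]:
        return {"decision": "block", "serial": None,
                "reason": "device has no unique serial number"}
    if info["serial"] in allowlist:
        return {"decision": "allow", "serial": info["serial"],
                "reason": "serial on allow-list"}
    return {"decision": "block", "serial": info["serial"],
            "reason": "serial not on allow-list"}


# Constructed policy for one machine; serials are compared case-insensitively.
ALLOWED_SERIALS = {"4C530001234567890123"}

# Constructed insertion events, one per case the policy has to handle.
SAMPLE_INSERTS = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0",      # approved
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E06B3F2ACB51C7A80144&0",  # unapproved
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1A2B3C4D&0&_&0",               # no serial
    r"USB\VID_046D&PID_C31C\6&2E0C5E1F&0&1",                                             # a keyboard
]

if __name__ == "__main__":
    for path in SAMPLE_INSERTS:
        verdict = evaluate_insert(path, ALLOWED_SERIALS)
        print(f"{verdict['decision']:6} serial={verdict['serial']} ({verdict['reason']})")
```

Whatever decision is taken, log the full instance path along with the user and host: the vendor and product strings in the device ID are what an investigator needs later, and the serial alone is not enough to tell two models from the same vendor apart.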


Threat 5: Unexpected changes to .exe, .dll and .ini files

On the Windows platform, change is constant. Applications are updated, patches are downloaded and installed. Every piece of software installed, intentionally or not, adds, deletes or changes .exe, .dll or .ini files. There are two ways of dealing with this. On critical production servers, the policy is often to lock the machine down: nothing is changed on these systems other than data files, log files and error files, and any necessary changes are performed after careful review and during planned maintenance windows.

On systems that are not completely locked down, this constantly changing environment can lead to the introduction of malware or spyware, or simply destabilize the system. Regardless of whether the system is locked down or not, it is critical to monitor servers for changes. On locked-down machines any change warrants investigation, whereas on less locked-down systems it is good practice to review changes for anomalies.

EventTracker can help

EventTracker tracks all changes on Windows platforms and can automatically generate a daily report of all EXE/DLL/INI changes on the servers. System and security administrators can review the report to verify authorized changes and spot unauthorized ones. Unexpected, surprise changes may require an investigation or a rollback.

The example change report shows system file changes for the last 24 hours.
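The mechanism behind such a daily change report, as an added example in Python (not code from the paper or the EventTracker product). It baselines every .exe, .dll and .ini file under a directory by SHA-256 and reports what was added, removed or modified since; the application directory it works on is built in a temporary folder so the example runs anywhere, and the file names and contents are constructed. It hashes content rather than trusting timestamps or sizes, because an attacker dropping a DLL can set any modification time they like.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the text singles out; extend as needed (.sys, .ps1, .bat ...).
WATCHED_SUFFIXES = {".exe", ".dll", ".ini"}


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> SHA-256 of every watched file under `root`."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def diff_snapshots(before, after):
    """Added, removed and modified watched files between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo():
    """Build a throwaway application directory, baseline it, apply an unplanned
    change set and report the difference, as a nightly job would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ\x90\x00 app build 1")
        (root / "bin" / "helper.dll").write_bytes(b"MZ\x90\x00 helper v1")
        (root / "app.ini").write_text("[core]\nmode=prod\n")
        (root / "app.log").write_text("startup ok\n")                 # not a watched type
        baseline = snapshot(root)

        (root / "bin" / "helper.dll").write_bytes(b"MZ\x90\x00 helper v2")  # replaced
        (root / "bin" / "inject.dll").write_bytes(b"MZ\x90\x00 dropped")    # dropped in
        (root / "app.ini").unlink()                                          # deleted
        (root / "app.log").write_text("startup ok\nmore log\n")             # ignored noise
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Store the baseline off the monitored host (or sign it); a baseline file the attacker can rewrite alongside the binaries reports nothing. On a locked-down server any non-empty result is an incident; elsewhere, reconcile the "modified" list against the patch and deployment records for that window.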


Conclusion

Consolidating and mining system and application event logs is a powerful way to detect the subtle signs around the corporate network that indicate either an increased security risk or an actual security breach in progress.

Event log management is recognized as a critical requirement for meeting corporate compliance objectives, but the investment made for compliance can also be leveraged to substantially increase the overall security of the network, decrease expensive system downtime by preventing security breaches, and increase the overall operational efficiency of the IT department.

The EventTracker Solution

The EventTracker solution is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog-NG (UNIX and many networking devices), SNMP v1/v2, legacy systems, applications and databases. EventTracker enables "defense in depth", where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases. To prevent security breaches, event log data is most useful when interpreted in near real time and in context. Context is vitally important because the critical indications of impending problems and security violations are often only visible in patterns of events across multiple systems. EventTracker enables complex rules to be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting in the form of an email, page or SNMP message to proactively alert security personnel to an impending security breach.

The original event log data is also securely stored in a highly compressed event repository for compliance purposes and later forensic analysis. For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed, and many other features. With pre-built, auditor-grade reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA and NISPOM), EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability: all the stored logs can be quickly searched through a Google-like search interface for rapid problem determination.

EventTracker lets users fully meet the logging requirements specified in the National Institute of Standards and Technology (NIST) Special Publication 800-92, Guide to Computer Security Log Management, which has emerged as a well-recognized guide for log management. EventTracker also includes host-based intrusion prevention, change monitoring and USB activity tracking on Windows systems, all in a turnkey, off-the-shelf, affordable software solution.


EventTracker provides the following benefits:

- A highly scalable, component-based architecture that consolidates all Windows, SNMP v1/v2 and legacy platforms, and Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc.), Solaris BSM, workstations and various other syslog-generating devices.
- An automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured archive that is limited only by the amount of disk storage.
- Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information.
- Full support for monitoring of virtualized enterprises.
- An alerting interface that generates custom alert actions via email, pager, beep, console message, etc.
- Event correlation to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time, which helps minimize the impact of breaches.
- Various types of network activity reports, which can be scheduled or generated as required for any investigation or to meet audit compliance.
- Host-based Intrusion Detection (HIDS).
- A role-based, secure event and reporting console for data analysis.
- Change monitoring on Windows machines.
- USB tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device.

About EventTracker

EventTracker's advanced security solutions protect enterprises and small businesses from data breaches and insider fraud, and streamline regulatory compliance. The company's EventTracker platform comprises SIEM, vulnerability scanning, intrusion detection, behavior analytics, a honeynet deception network and other defense-in-depth capabilities within a single management platform. The company complements its state-of-the-art technology with 24/7 managed services from its global security operations center (SOC) to ensure its customers achieve desired outcomes: safer networks, better endpoint security, earlier detection of intrusion, and relevant and specific threat intelligence. The company serves the retail, hospitality, healthcare, legal, banking and financial services, utilities and government sectors.

EventTracker is a division of Netsurion, a leader in remotely-managed IT security services that protect multi-location businesses' information, payment systems and on-premises public and private Wi-Fi networks. www.eventtracker.com.