Saturday, September 24, 2011

Using Event Logs (Event 4624) to troubleshoot an alleged illicit login

At the company, I'm considered the Incident Response / Forensics Guru.  I'm certainly not a guru, but I'm the only employee (that I know of) with both the SANS GCIH and GCFA certifications.  Both of those certs are what I'm passionate about.  And I think it is a rule: all incidents have to occur just before you are leaving for the weekend.

So, it was 4:45 when the company internal security officer (and pen-tester) came to me with an issue.  He had been going through the Splunk logs when he found curious connections to his machine from one of the admins in the IT department.  I asked why he thought one of the admins might have been connecting to his machine, and he thought it might be retaliation for a sanctioned pen-test.  It seems the security officer had snagged the admin's credentials and had been using them during his pen-test.  The admin found out about it at least once and was trying to shut the security officer down.

So, it was off to look at some logs.  Our security officer was using OSSEC to aggregate all of the logs on his machine and was sending them to a log server.  He could correlate those logs with Splunk.  My first question was "What are we trying to prove?"  And the answer was:  "Did the admin "illicitly" log onto the security officer's machine?"  Fortunately, the security officer had EnCase on the machine.  The first thing we did was build a timeline, and look at the dates in question.  (Personally, I prefer the SleuthKit for this activity.)  The activity certainly showed a profile for another user being built.  But, there were no extraneous files accessed, created or deleted.  I thought maybe the admin was logging on to see what processes were running, or what activity was taking place.

My next step was to look at the Splunk logs.  Splunk showed a login, with the corporate id, during the night.  I asked our security officer, why night?  He replied that he was running the pen-test at that time, and he might have used the id at that time.  So, now I was thinking, how can we prove whether or not this was truly an incident or the machine showing activity from the pen-test?  What I found interesting in the logs was that there was a login by the admin, but no logoff.  Why would that occur?

Looking at the log, I noticed that the Event ID was a 4624.  We Googled 4624, and found a great page with the fields laid out.  There were no entries for the Network Information so I was beginning to think that this might not be an incident.  We looked up the Logon Type and found a 2, which meant that this was a login through the keyboard.  Further, there was no Kerberos information, so no real authentication was occurring across the network.  I asked the security officer how he conducted the pen-test with the admin's credentials. He showed me a "run-as" batch script he had created, where he passed it the credentials of the admin.  It opened a shell with the credentials of the admin.  When he demoed it, it created the exact same log entry we were using to troubleshoot.

I was fairly confident that this was not an incident, merely a log entry created by opening the shell up with a different user.  Why were there no logoffs?  I posited that when the pen-test was over for the night, the security officer shut down his machine and never really "logged out" his shell script with the admin's credentials.
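The three checks used above (Logon Type, the Network Information fields, and whether Kerberos was involved) plus the "login but no logoff" question can be scripted over an event-log export. The following is an added example written for this post, not the author's script or any tool mentioned here. It assumes the XML layout that `wevtutil qe /f:xml` and `Get-WinEvent` produce (an `EventData` element with `Data Name="..."` children), pairs each 4624 with a later 4634/4647 through `TargetLogonId`, and classifies each logon as local or remote. The two sample events are constructed to mirror the case in the post; usernames, logon ids, times and addresses are placeholders.

```python
"""Triage Windows Security event 4624 records the way the post describes.

Added example, not code from the original post. Works on the Windows event-log XML
layout (System/EventID, System/TimeCreated, EventData/Data Name="...") and pairs
each 4624 with a 4634/4647 via TargetLogonId to find logons with no matching logoff.
"""
import xml.etree.ElementTree as ET

# Documented 4624 logon types (plain runas without /netonly lands as type 2).
LOGON_TYPES = {
    2: "Interactive (console/keyboard, also runas)",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
}

# Constructed sample events (placeholder names, ids, times and addresses).
# Event 0 mirrors the post: type 2, no Network Information, no Kerberos, no logoff.
# Event 1 is a contrasting network logon with a matching 4634.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2011-09-15T02:13:40.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">admin.user</Data>
    <Data Name="TargetLogonId">0x3e7a1</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">SECOFFICER-PC</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>""",
    """<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2011-09-15T09:02:11.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">sec.officer</Data>
    <Data Name="TargetLogonId">0x4ffa2</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="IpPort">49152</Data>
  </EventData></Event>""",
    """<Event><System><EventID>4634</EventID><TimeCreated SystemTime="2011-09-15T09:40:00.000Z"/></System>
  <EventData><Data Name="TargetLogonId">0x4ffa2</Data><Data Name="LogonType">3</Data></EventData></Event>""",
]


def parse_event(xml_text):
    """Parse one event into {event_id, time, data}; tolerates exports with or without xmlns."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # strip the default namespace so paths stay simple
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("EventData/Data")}
    return {
        "event_id": int(root.findtext("System/EventID")),
        "time": root.find("System/TimeCreated").get("SystemTime"),
        "data": data,
    }


def classify_logon(ev):
    """Return ('local'|'remote', reason) for a 4624 from logon type, source address and auth package."""
    d = ev["data"]
    ltype = int(d.get("LogonType", "0"))
    ip = d.get("IpAddress", "-")
    pkg = d.get("AuthenticationPackageName", "")
    has_network_info = ip not in ("-", "", "::1", "127.0.0.1")
    reason = f"type {ltype} ({LOGON_TYPES.get(ltype, 'unknown')}), source {ip}, auth {pkg or 'n/a'}"
    if ltype in (3, 10) or has_network_info:
        return "remote", reason
    return "local", reason


def triage(xml_events):
    """Report every 4624 with its classification and whether a 4634/4647 ever closed it."""
    events = [parse_event(x) for x in xml_events]
    closed = {e["data"].get("TargetLogonId") for e in events if e["event_id"] in (4634, 4647)}
    report = []
    for e in events:
        if e["event_id"] != 4624:
            continue
        kind, reason = classify_logon(e)
        logon_id = e["data"].get("TargetLogonId")
        report.append({
            "time": e["time"],
            "user": e["data"].get("TargetUserName"),
            "logon_id": logon_id,
            "kind": kind,
            "reason": reason,
            "logged_off": logon_id in closed,
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        flag = "" if row["logged_off"] else "  <-- no matching logoff"
        print(f"{row['time']} {row['user']:<12} {row['kind']:<6} {row['reason']}{flag}")
```

A type 2 logon with no source address and no Kerberos package is what a local console logon or a runas shell looks like; a 4624 whose logon id never appears in a 4634/4647 is consistent with the machine being shut down while that session was still open, which is the explanation the post arrives at. Actual remote access would show up as type 3 or 10 with a populated IpAddress.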

I suggested looking at the VPN logs, but apparently, our VPN ip address leases are not long, and we don't actively log their issuances and revocations.

So, it appeared to be no-harm-no-foul.  That kind of disturbed the security officer; I think he really wanted to catch the admin.  But the log and timeline evidence did not point to any nefarious activity.

Friday, September 23, 2011

September 2011 STIG updates - IIS 7 and IAVM benchmarks

I was cruising through DISA's site looking for a particular STIG when I noticed the announcement on the top of their STIG page.  DISA has released a couple of STIGs and benchmarks:

IIS 7.0 Server STIG - Version 1, Release 1 - Updated September 20, 2011
IIS 7.0 Site STIG - Version 1, Release 1 - Updated September 20, 2011
Web Policy - Manual STIG, Version 7, Release 1 - Updated September 20, 2011
IAVM 2009 Benchmarks - Updated September 7, 2011
IAVM 2010 Benchmarks - Updated September 7, 2011
IAVM 2011 Benchmarks - Updated September 7, 2011

It appears that the IAVM benchmark files are for HBSS only and they are intended for the HBSS Policy Auditor tool only.  The IAVM benchmark files are contained in the PKI-enabled repository.  It's nice to see the IIS 7.0 STIG officially released.  The note I received from DISA stated:  "The requirements of the STIG become effective immediately."

New issue of (In)Secure Magazine - Issue 31

I just realized that I missed passing along that the new issue of (In)Secure magazine, issue 31, is out.  I really like this magazine as it has a good mix of articles; some technical, and some theory.  (In)Secure has been around for a while and they produce a good product.

For a while, there were a whole bunch of magazines filling this niche, but I see less and less of them as time marches on.

From an IA perspective, I read the article on looking at Domino applications, and already I have learned a couple of new tricks to use when looking at those types of apps.  Fortunately, I just don't see many of those applications.

Tuesday, September 6, 2011

A question on creating a log management program

At one of the establishments where I donate my services, the need for log management and security incident management has been discussed.  To put it in a nutshell, the establishment wants to open up the wi-fi to "partially" vetted users.  The wi-fi is locked down pretty good.  I think the question that wants to be answered is "who logged into the network, from where?"  Also, should there be some kind of incident, they want to know when and where it occurred.

Here's a mini-description of the network.  Broadband comes into the building, and DHCP addresses are given out from this router.  The router is an Actiontec MI424WR.  There is a scope of the first 50 hosts reserved for static IPs and the static IPs are used for the central file server, access points, an internal HVAC computer, and part of the HVAC/solar system to broadcast results (like how much electricity has been generated.)

Down the line, I have plans to add a commercial firewall and a router, in order to create VLANs.  However, as the infrastructure is improved, I want to add log management and incident management into the network.

So, for right now, I'm looking for ideas on how to capture:
firewall logs from the Actiontec
DHCP logs from the Actiontec
Windows logs from the file server (Windows 2000)
maybe wireless access logs

I found a great page here: 

My question is:  what's a good recommendation? How to best capture the information?  Open source would be great as I'm sure money is going to be an issue.

As this project progresses, I'll post updates.