UBA-González-MC2

VAST 2012 Challenge
Mini-Challenge 2:
Team Members:
Lina María González Rivera, University of Buenos Aires, lina_gonza@hotmail.com

Student Team: Yes
Tool(s):

Tableau
Video:

VAST MC2 UBA Gonzalez
Answers to Mini-Challenge 2 Questions:
MC 2.1 Using your visual analytics tools, can you identify what noteworthy events took place for the time period covered in the firewall and IDS logs? Provide screen shots of your visual analytics tools that highlight the five most noteworthy events of security concern, along with explanations of each event.

Through the analysis of the firewall logs I see that the top traffic comes from two regional workstations: 172.23.252.10 and 172.23.0132. The principal destination IP is 10.32.0.100, which belongs to the firewall located in the bank’s data center, where some critical financial servers are installed.

Also, the report shows some unusual ports, such as 6667, 22, 1026 and 137. Those ports were allowed by the firewall.
Port 6667 being in use isn’t a good sign. That port carries the “Internet Relay Chat” (IRC) service, which botnets use for command and control. It could be the channel for a DoS (denial of service) attack, for distributing spam, or for operating file-sharing networks.

Port 1026 usually carries the Messenger service, which has vulnerabilities that trojans can exploit. It allows anonymous pop-up messages to be displayed on any Windows system running the Messenger service.

Port 22 indicates that some machines have attempted to use the SSH service for remote administration, which is a risk if no workstations are permitted to use that kind of utility.

The traffic on port 137 is a concern because that port is used by Windows file sharing.
Through the analysis of the firewall logs I see that the top number of alarms comes from the websites 10.32.5.56 and 10.32.5.54. The principal destination IPs are the Region DNS, 172.23.0.10, and the Region Firewall, 172.23.0.1, which belongs to the firewall located in the bank’s data center, where some critical financial servers are installed.

On the right side of the following report, we can filter the main events reported by the IDS by selecting the most appropriate classification to analyze. When the message “Potentially bad traffic” is selected, the graphs show that the region firewall was receiving attacks over the following ports, related to database services: 1433, 1521, 3306 and 5432, from 5 region workstations. This situation indicates a probable infection of those machines with some virus trying to saturate the region firewall.
Summarizing, the five events could be:

1. An infection using a botnet attack through the IRC service.

2. An attack of pop-up messages using port 1026.

3. The traffic on port 137, which is a concern because that port is used by Windows file sharing.

4. Port 22 indicates that some machines have attempted to use the SSH service for remote administration.

5. Some machines are trying to saturate the firewall by attempting to access database ports.
MC 2.2 What security trend is apparent in the firewall and IDS logs over the course of the two days included here? Illustrate the identified trend with an informative and innovative visualization.

The report shows unusual traffic on port 6667, with permanent activity at a constant level of records during 3 days. The IDS also shows traffic on ports 445 and 139 that wasn’t detected by the firewall. Those ports have vulnerabilities that can be exploited by a trojan, because they are used by Windows for file sharing, and that traffic can saturate the network resources.
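The triage described in MC 2.1 and MC 2.2 (top source and destination addresses, the allowed but unusual ports, the IDS events filtered by classification, the ports the IDS saw but the firewall did not, and the constant activity on port 6667) can also be reproduced in a script rather than in Tableau. The Python below is an added example and is not part of the original submission or of the challenge data: the two log samples are constructed, simplified CSV (the column names are assumed, not the VAST 2012 schema), the port annotations are the reasons given in the write-up, and the rule for calling activity “sustained” (at least three consecutive hours with traffic, busiest hour at most twice the quietest) is an assumption.

```python
"""Reproduce the firewall/IDS log triage from MC 2.1 and MC 2.2.

Added example for this page, not part of the original submission. The two
logs below are constructed, simplified CSV samples; the column names, the
port annotations and the 'sustained activity' rule are assumptions.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Ports the write-up singles out, with the reason each is worth a look.
NOTEWORTHY_PORTS = {
    6667: "IRC, commonly used by botnets for command and control",
    1026: "Messenger service, abused for anonymous pop-up messages",
    22: "SSH remote administration attempted from workstations",
    137: "NetBIOS name service (Windows file sharing)",
    139: "NetBIOS session service (Windows file sharing)",
    445: "SMB (Windows file sharing)",
}
DATABASE_PORTS = {1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed firewall sample (not real challenge data).
FIREWALL_LOG = """time,src_ip,dst_ip,src_port,dst_port,action
2012-04-05 17:51:00,172.23.252.10,10.32.0.100,51234,6667,Built
2012-04-05 17:52:10,172.23.1.5,10.32.0.100,51235,6667,Built
2012-04-05 18:05:00,172.23.252.10,10.32.0.100,51236,6667,Built
2012-04-05 18:40:00,172.23.1.5,10.32.0.100,51237,6667,Built
2012-04-05 19:10:00,172.23.252.10,10.32.0.100,51238,6667,Built
2012-04-05 19:45:00,172.23.1.5,10.32.0.100,51239,6667,Built
2012-04-05 19:50:00,172.23.252.10,10.32.0.100,51240,6667,Built
2012-04-05 18:12:00,172.23.1.20,10.32.0.100,51241,22,Built
2012-04-05 18:13:00,172.23.1.21,10.32.0.100,51242,1026,Built
2012-04-05 18:14:00,172.23.1.22,172.23.0.10,51243,53,Built
2012-04-05 18:15:00,172.23.1.23,10.32.0.100,51244,137,Built
2012-04-05 18:16:00,172.23.1.24,10.32.0.100,51245,23,Deny
"""

# Constructed IDS sample (not real challenge data).
IDS_LOG = """time,src_ip,dst_ip,dst_port,classification
2012-04-06 10:00:00,172.23.214.50,172.23.0.1,1433,Potentially bad traffic
2012-04-06 10:01:00,172.23.214.51,172.23.0.1,1521,Potentially bad traffic
2012-04-06 10:02:00,172.23.214.52,172.23.0.1,3306,Potentially bad traffic
2012-04-06 10:03:00,172.23.214.53,172.23.0.1,5432,Potentially bad traffic
2012-04-06 10:04:00,172.23.214.54,172.23.0.1,1433,Potentially bad traffic
2012-04-06 10:05:00,172.23.214.50,172.23.0.1,1433,Potentially bad traffic
2012-04-06 10:06:00,10.32.5.56,172.23.0.10,53,Attempted Information Leak
2012-04-06 10:07:00,172.23.1.9,172.23.0.1,445,Misc activity
2012-04-06 10:08:00,172.23.1.9,172.23.0.1,139,Misc activity
"""


def parse_csv(text):
    """Return the log as a list of dict rows, one per record."""
    return list(csv.DictReader(StringIO(text)))


def top_talkers(rows, column, n=2):
    """Most frequent values of one column, e.g. src_ip or dst_ip."""
    return Counter(r[column] for r in rows).most_common(n)


def flagged_port_traffic(fw_rows):
    """Records the firewall allowed ('Built') towards each noteworthy port."""
    counts = Counter(int(r["dst_port"]) for r in fw_rows if r["action"] == "Built")
    return {p: (counts[p], why) for p, why in NOTEWORTHY_PORTS.items() if counts[p]}


def ids_database_probes(ids_rows, classification="Potentially bad traffic"):
    """For one IDS classification: which database ports each destination was
    hit on, and how many distinct sources did it (the Tableau filter in 2.1)."""
    hits = defaultdict(lambda: {"ports": set(), "sources": set()})
    for r in ids_rows:
        port = int(r["dst_port"])
        if r["classification"] == classification and port in DATABASE_PORTS:
            hits[r["dst_ip"]]["ports"].add(port)
            hits[r["dst_ip"]]["sources"].add(r["src_ip"])
    return {dst: (sorted(v["ports"]), len(v["sources"])) for dst, v in hits.items()}


def ids_only_ports(fw_rows, ids_rows):
    """Destination ports with IDS events but no firewall record at all."""
    fw_ports = {int(r["dst_port"]) for r in fw_rows}
    return sorted({int(r["dst_port"]) for r in ids_rows} - fw_ports)


def sustained_activity(fw_rows, port):
    """Hourly record count towards `port`, silent hours filled in as 0.
    Sustained (assumed rule): at least three hours covered, none silent,
    and the busiest hour at most twice the quietest."""
    stamps = sorted(datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
                    for r in fw_rows if int(r["dst_port"]) == port)
    if not stamps:
        return False, {}
    hourly = Counter(t.strftime("%Y-%m-%d %H") for t in stamps)
    hour = stamps[0].replace(minute=0, second=0)
    while hour <= stamps[-1]:
        hourly.setdefault(hour.strftime("%Y-%m-%d %H"), 0)
        hour += timedelta(hours=1)
    counts = list(hourly.values())
    steady = len(counts) >= 3 and min(counts) > 0 and max(counts) <= 2 * min(counts)
    return steady, dict(sorted(hourly.items()))


if __name__ == "__main__":
    fw, ids = parse_csv(FIREWALL_LOG), parse_csv(IDS_LOG)
    print("top sources:", top_talkers(fw, "src_ip"))
    print("top destination:", top_talkers(fw, "dst_ip", 1))
    for port, (n, why) in flagged_port_traffic(fw).items():
        print(f"port {port}: {n} allowed records ({why})")
    print("database probes by destination:", ids_database_probes(ids))
    print("ports seen only by the IDS:", ids_only_ports(fw, ids))
    print("port 6667 sustained:", sustained_activity(fw, 6667))
```

Run as a script it prints the same summaries the write-up reads off the Tableau dashboards; on the constructed sample, port 6667 qualifies as sustained (three consecutive hours at a near-constant rate) while the single SSH record does not, and ports 445 and 139 show up only in the IDS rows, mirroring the MC 2.2 observation.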


MC 2.3 What do you suspect is (are) the root cause(s) of the events identified in MC 2.1? Understanding that you cannot shut down the corporate network or disconnect it from the internet, what actions should the network administrators take to mitigate the root cause problem(s)?

1. The network administrator should close the unsecured ports, like 137 and 22, on all the company servers and investigate whether any attacks have been successful through these holes.

2. Update the antivirus signatures and execute a deeper scan to find any malware in the network.

3. Execute a security scan and apply security patches on all systems that require updates.

4. Update the ACL rules in both firewalls to remedy the findings shown in the report above.