Organizations today face the challenge of developing a safe environment for their information systems. Most business operations take place online, which increases the risk of intrusion and exploitation through hacking. A network intrusion can originate from within or from outside the organization. Network forensics reinforces an organization’s security and defense strategies. An investigator can analyze a network by reviewing firewall logs and using network analysis tools (Bullock & Parker, 2017). The given case study involves a large organization that has been the victim of a network intrusion. Intrusion detection software detected unauthorized access to a sensitive file. The Wireshark forensic tool was used to analyze the intrusion. This incident report analyzes network forensics, the organization’s incident response, the organization’s network traffic, and the Wireshark Lab results, and provides recommendations for the organization to strengthen its infrastructure.
Step 1: Exploring Network Forensics
Existing Network Protocols
Organizations have to develop a robust approach to limit their exposure to exploitation. Network forensics captures, records, and analyzes events in a network to identify incidents and the sources of attacks (Forshaw, 2017). The investigator uses various tools that generate reports from firewall logs showing the activity of interest. The examiner can review the multiple types of protocols used in the system. Network protocols are sets of guidelines that regulate a network's characteristics, such as the access method, types of cabling, data rate, and physical topology (Forshaw, 2017). Some examples of network protocols are Ethernet, FDDI, Token Ring, ATM, and LocalTalk. A protocol defines a standard procedure and format that two communicating devices must both understand and accept in order to exchange data efficiently.
Attack Techniques and Attack Vectors
A network intrusion can involve different types of attacks on a system. The most common types of attacks on a system are malware, phishing, and denial of service. Malware describes any software purposefully designed to attack networks, computers, servers, and clients. Malware includes spyware, adware, worms, viruses, Trojans, and ransomware (Qamar et al., 2019). Spyware functions like a spy: it tracks a system’s activities and reports them to the attacker. Adware shows advertisements and tricks users into clicking a link and installing software. Worms and viruses are similar in that they attach to a system and replicate themselves. A Trojan is hazardous malware that appears to provide useful functionality but steals information and can install other malware. Ransomware is used by attackers who lock users out of their systems and demand payment.
Brute force is a rather old-fashioned attack that tries to gain entry to a system by trying every username or password character combination. Brute force attacks are quite common and account for approximately 25% of attacks on a network (Lee et al., 2016). Such an attack can involve an attacker guessing an account's username and password pair to gain access. A distributed denial of service (DDoS) attack is one of the most prevalent cybercrime attacks. A DDoS attack involves TCP flood attacks on a network that consume its bandwidth, exhaust cloud resources, and can damage an entire cloud project (Sahi et al., 2017). Timely detection is what prevents a DDoS attack from succeeding.
Understanding the different attack vectors can help organizations formulate countermeasures to protect their systems. Attack vectors are the methods and pathways used by hackers to gain access to and penetrate a system. Hackers start by investigating the possible attack vectors and exploiting existing vulnerabilities in a system before gaining access. Attackers target a system for money and to steal information such as credit card credentials used for online banking. Ullah et al. (2018) observed that hackers can use data exfiltration as an attack vector. Data exfiltration is the leakage of private data or sensitive information to unauthorized entities.
Digital Forensic Tools
Network forensics makes use of various tools when analyzing a system. The tools used by network administrators and investigators are referred to as Network Forensic Analysis Tools (NFATs). There is no single standard tool for digital forensics; forensic investigators can use different tools with different functions. Network analysis tools include NetDetector, OmniPeek, PyFlag, and Nmap, while vulnerability assessment tools include Nessus, Metasploit, and Nikto. Other tools such as Wireshark, Kismet, and NetworkMiner are used for network and packet sniffing to capture and analyze packets (Joshi & Pilli, 2016). All these tools have their merits and demerits when analyzing various activities in the network.
Wireshark is one of the most common tools used to analyze data captured from a network. The captured data is usually presented and interpreted in the form of individual packets for analysis. Packets are defined as sections of data streaming across a network (Bullock & Parker, 2017). Wireshark is an open-source protocol and network analyzer used primarily on Windows and Unix operating systems. The program first captures data from a network and breaks it into packets and segments to establish where each begins and ends. It then interprets and analyzes the data in the context of the protocols in use. The user is able to analyze the packets critically by filtering and examining the data that has been transferred (Hashim et al., 2017). Wireshark can thus be used to analyze the root cause of a problem, understand the devices' protocols, and follow the conversations between devices.
Procedures for Analyzing Network Traffic
Network forensics strives to collect evidence about traffic data from different sites and network equipment. It follows a series of steps to analyze the attacker's activity. The first step is identification, where an incident is recognized based on its network indicators. The next step is preservation: physical and logical evidence is isolated to prevent it from being altered. The network evidence is then collected by recording and duplicating digital evidence through standardized procedures and methods. The evidence is then examined through an in-depth, systematic search of the evidence of the network attack. The analysis phase involves determining its significance, reconstructing the network packets, and drawing conclusions from the evidence. The evidence is then summarized and explained in a presentation. The final part is incident response, where a response to the intrusion is initiated based on the information gathered to validate and assess the incident (“Computer forensics: Network forensics analysis and examination steps”, 2019). Following these procedures to analyze the network traffic provides a thorough analysis of the network intrusion and the correct approach for responding to the incident.
Step 2: Analysis of the Organization’s Incident Response
Incident response analysis examines the organization's first response after an intrusion. In the given case, the intrusion detection system alerted on unauthorized access to a sensitive file. The presence of the intrusion detection system showed that the organization had a robust incident response structure and could protect itself against policy violations and malicious activity (Begli et al., 2019). The next part of the incident response involves searching for and seizing information about the system. The assumption is that the system runs on Windows Server. The investigator should understand Windows events in order to collect digital evidence. The process of gathering evidence involves detecting the traffic flows and analyzing patterns in the attack.
Windows event logs contain critical evidence for determining whether the system was secure or vulnerable to specific threats. Log files are defined as a record of events created by system processes or the user (Yao et al., 2020). The system logs can also be used by the forensic investigator to identify data about critical issues and events in digital forensic investigations. The Linux operating system contains application logs and system logs. Application events are stored in the application logs, while system events are stored in the system logs.
The incident response will also involve an analysis of user accounts that may have been compromised. User accounts are used to provide exclusive access to the people who use a system. A username and password are usually assigned to access the network’s services and resources. User accounts need to have unique username and password combinations to prevent unauthorized access (Shay et al., 2016). The existence of an inactive account is a sign of vulnerability in the network system. The incident response should involve the network administrator reviewing the policies for user account creation.
Step 3: Network Traffic Analysis
The Wireshark tool was used to analyze the captured network packets and to conduct packet sniffing. A series of questions was used as a guide to investigate the attack and analyze the data breach.
Scanning and Vulnerability Analysis
Unique IP Addresses Communicating.
The source address is 192.168.0.7 and the destination is 192.168.0.1.
Figure 1
Source and Destination IP Address
Attacker and target IP address.
The attacker's IP address is 192.168.0.7 and the victim's is 192.168.0.1. Wireshark uses color coding to make suspicious traffic easier to spot. The packets highlighted in red are an indication of an attack on the server.
Figure 2
Attacker and Victim IP Address
Traffic and TCP handshake.
The information in frame 72 was analyzed and observed to make use of TCP SYN packets. Therefore, the Nmap scan type was the default SYN scan. The attacker's IP address sent SYN packets to the victim's IP address. The victim IP then sent RST and ACK packets back, showing that they were open. The coloring rule named SYN/FIN would indicate a FIN scan, but no such packet was sent.
Figure 3
TCP Handshake and Nmap Scan
Open port numbers and associated services.
To determine the open ports, the display filter tcp.flags.syn == 1 and tcp.flags.ack == 1 was applied in Wireshark to show packets with both the TCP SYN and ACK flags set. The open ports were then identified through the Statistics menu, the Conversations window, and its TCP tab. The ports that were open, along with their common service names, were port 21 (FTP), port 23 (Telnet), port 80 (HTTP), port 135 (Microsoft EPMAP), port 139 (NetBIOS Datagram Service), and port 445 (Microsoft-DS).
Figure 4
Open Ports
Brute-Force Password Attack
Port and service target of Brute-force attack.
The port targeted by the attack was port 445. The SMB protocol was used to carry out the attack, as seen in the protocol column. The packet's information shows the message “Error: STATUS_LOGON_FAILURE,” indicating that someone tried to log in unsuccessfully.
Figure 5
Target Port and Service Used
Username used in the Brute-force attack.
The username was \admin, as indicated in packet 3011.
Figure 6
Username Identification
Packet number showing successful request.
Packet 5256 showed a successful password attempt. The system responded to this login attempt without the error message.
Figure 7
Successful Password Request
Data Breach
Port and service target of file download and data breach.
Port 21 was the open port targeted for the data breach and file download. The service used was FTP.
Figure 8
Port and Service Target for Data Breach and File Download
Username and password used for data breach.
The username to breach the data was “312ville\admin” and the password was “iloveyou2”.
Figure 9
Username, Password, and File Identification
Name of file downloaded.
The name of the file downloaded from the victim was “secretfile.rtf.”
Four bytes of the hexadecimal signature of the downloaded file.
The file in RTF format had the hexadecimal signature 7B 5C 72 74 66, which is the ASCII text “{\rtf”.
Packet containing stolen information.
The packet that contained the stolen information was packet 5397.
Figure 10
Packet Containing Stolen Information
Contents of downloaded file.
Figure 11
File Contents
Encoding used in the downloaded file.
An online Base64 decoder successfully decoded the message. The message in the file was, “This was encrypted with base64. Congratulations!”
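The signature check and the Base64 decoding described above, as an added Python example that is not part of the report: it identifies the file type from its leading bytes (the report's 7B 5C 72 74 66 for RTF) and then extracts and decodes any Base64 run found in the file body. The RTF document is a constructed stand-in for the downloaded file, not the real secretfile.rtf.

```python
import base64
import binascii
import re

# The RTF signature the report identified: 7B 5C 72 74 66 is the ASCII text "{\rtf".
RTF_MAGIC = bytes.fromhex("7B5C727466")

# A few well-known signatures for comparison; the RTF entry is the one from the report.
SIGNATURES = {RTF_MAGIC: "rtf", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"MZ": "exe"}

# Constructed stand-in for the downloaded file (not the real secretfile.rtf):
# a minimal RTF document whose body is the report's message in Base64.
SAMPLE_RTF = rb"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Calibri;}}
\f0\fs22 VGhpcyB3YXMgZW5jcnlwdGVkIHdpdGggYmFzZTY0LiBDb25ncmF0dWxhdGlvbnMh\par
}"""

# Runs of Base64 alphabet characters at least 16 long, bounded by non-Base64 characters.
BASE64_RE = re.compile(rb"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def identify_by_signature(data):
    """Return the file type implied by the leading magic bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_base64_strings(data):
    """Decode every Base64 run in `data` that is validly padded and yields printable ASCII."""
    found = []
    for match in BASE64_RE.finditer(data):
        token = match.group(0)
        if len(token) % 4:          # Base64 output is always a multiple of four characters
            continue
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue                # not Base64 after all, or binary payload
        if text.isprintable():
            found.append(text)
    return found


def analyze_file(data):
    """Combine both checks into the record an investigator would note for the file."""
    return {"type": identify_by_signature(data),
            "signature": data[:5].hex(" ").upper(),
            "decoded": extract_base64_strings(data)}


if __name__ == "__main__":
    print(analyze_file(SAMPLE_RTF))
```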
Remote Session Attack
Service and port used to connect to the victim.
The port used to connect to the victim was port 23, and the service was Telnet.
Figure 12
Port and Service for Remote Connection
Username and password used to connect.
The login username was “aaddmmiinn”, and the password used was “iloveyou2”.
Figure 13
Username and Password for Remote Connection
Operating system commands used to carry out the attack.
The operating system commands used by the attacker are shown in Figure 14.
Figure 14
Operating System Commands
Purpose of the commands in the attack.
The purpose of the commands was to add a new user and a new administrator, giving the attacker backdoor access to the system with administrative rights.
Step 4: Examination of Wireshark Lab Results
Packets
The findings from the lab examination showed the threats and vulnerabilities in the organization’s network infrastructure. The attacker's IP address was 192.168.0.7 and the destination IP address was 192.168.0.1. The use of Wireshark to analyze the captured packets provided an overview of the attack. Wireshark uses color coding to make network attacks easier to identify. The program highlights in red packets that indicate an attack on the server and that are then reset because the ports are closed (“Wireshark User’s Guide”, 2019). In such an instance, the TCP handshake is incomplete, and the user does not gain access to the system. In the given case, the user sent multiple packets to the target IP address, indicating a brute force attack.
The Nmap scan revealed that the packet type used was the default SYN. The color-coded frames showed that the computer sent an RST and ACK after the SYN scan. SYN scanning is used by hackers to determine the state of a port without establishing a full connection. The SYN scan was used to identify open ports through the TCP three-way handshake. First, the source sends a SYN to the destination. The destination responds by sending a SYN-ACK to the source, indicating that the port is open. If the port is closed, it responds with an RST (Forshaw, 2017). The source finally sends an ACK response to the destination, and the scanner sends RST, ACK packets to the destination address. The open ports that the source identified were found through the “Conversations” statistics function in Wireshark.
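The two checks described in the traffic analysis and again above (the open-port filter tcp.flags.syn == 1 and tcp.flags.ack == 1, and the SYN-scan pattern of bare SYNs answered by SYN/ACK or RST/ACK) as an added Python example that is not from the report or from Wireshark. The addresses and the set of open ports follow the report's findings; the packet records themselves are constructed, not taken from the capture.

```python
from collections import defaultdict

# TCP flag bits as Wireshark exposes them (tcp.flags.syn, tcp.flags.rst, tcp.flags.ack).
SYN, RST, ACK = 0x02, 0x04, 0x10

TARGET = "192.168.0.1"     # victim address from the report
SCANNER = "192.168.0.7"    # attacker address from the report

# Constructed packet summaries: (src_ip, src_port, dst_ip, dst_port, flags).
# They imitate a SYN scan of the target in which the report's six open ports
# answer SYN/ACK and two other ports answer RST/ACK.
SAMPLE_PACKETS = []
for port, is_open in [(21, True), (22, False), (23, True), (80, True),
                      (135, True), (139, True), (445, True), (8080, False)]:
    SAMPLE_PACKETS.append((SCANNER, 40000 + port, TARGET, port, SYN))
    if is_open:
        SAMPLE_PACKETS.append((TARGET, port, SCANNER, 40000 + port, SYN | ACK))
        # A SYN scan never completes the handshake; it tears down with RST.
        SAMPLE_PACKETS.append((SCANNER, 40000 + port, TARGET, port, RST))
    else:
        SAMPLE_PACKETS.append((TARGET, port, SCANNER, 40000 + port, RST | ACK))
# A legitimate client completing the full three-way handshake to the web server.
SAMPLE_PACKETS += [("192.168.0.5", 51000, TARGET, 80, SYN),
                   (TARGET, 80, "192.168.0.5", 51000, SYN | ACK),
                   ("192.168.0.5", 51000, TARGET, 80, ACK)]


def matches_syn_ack(flags):
    """Python equivalent of the display filter tcp.flags.syn == 1 and tcp.flags.ack == 1."""
    return bool(flags & SYN) and bool(flags & ACK)


def classify_ports(packets, target):
    """Map each port on `target` that replied to 'open' (SYN/ACK) or 'closed' (RST/ACK)."""
    state = {}
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        if src_ip != target:
            continue                       # only the target's replies carry port state
        if matches_syn_ack(flags):
            state[src_port] = "open"
        elif flags & RST:
            state.setdefault(src_port, "closed")
    return state


def detect_syn_scan(packets, target, min_ports=5):
    """Flag sources that sent bare SYNs to at least `min_ports` distinct ports on
    `target` and never sent the ACK that completes a handshake."""
    probed = defaultdict(set)
    completed = set()
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        if dst_ip != target:
            continue
        if flags == SYN:
            probed[src_ip].add(dst_port)
        elif flags == ACK:
            completed.add(src_ip)
    return {src: sorted(ports) for src, ports in probed.items()
            if len(ports) >= min_ports and src not in completed}


if __name__ == "__main__":
    for port, state in sorted(classify_ports(SAMPLE_PACKETS, TARGET).items()):
        print(f"port {port}: {state}")
    print("SYN scanners:", detect_syn_scan(SAMPLE_PACKETS, TARGET))
```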
Server Images and Log review
A brute force attempt was made on the different services on the network. Applying a filter on the protocol column showed that the attack used the Server Message Block (SMB) protocol. The message that followed was “Error: STATUS_LOGON_FAILURE,” indicating an unsuccessful login attempt. The log information analysis further revealed peer-to-peer traffic, which showed that the attacker attempted to scan the ports.
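The SMB logon-failure pattern described in the brute-force analysis and again above, as an added Python detection example that is not from the report: it pairs each Session Setup request with the server's response, counts STATUS_LOGON_FAILURE responses per client and username, and separately flags a success that follows a flagged run, which is the sign that the guessed credential worked. The log lines are constructed in Wireshark's summary layout and are not the report's packets.

```python
import re
from collections import defaultdict

# Constructed Wireshark-style packet summaries (No., Time, Source, Destination,
# Protocol, Info). They imitate the SMB Session Setup exchange the report
# describes, using the report's addresses and its STATUS_LOGON_FAILURE message.
SAMPLE_LOG = r"""
3001 10.001 192.168.0.7 192.168.0.1 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: 312ville\admin
3002 10.002 192.168.0.1 192.168.0.7 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
3003 10.003 192.168.0.7 192.168.0.1 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: 312ville\admin
3004 10.004 192.168.0.1 192.168.0.7 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
3005 10.005 192.168.0.9 192.168.0.1 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: 312ville\jdoe
3006 10.006 192.168.0.1 192.168.0.9 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
3007 10.007 192.168.0.7 192.168.0.1 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: 312ville\admin
3008 10.008 192.168.0.1 192.168.0.7 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
3009 10.009 192.168.0.7 192.168.0.1 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: 312ville\admin
3010 10.010 192.168.0.1 192.168.0.7 SMB Session Setup AndX Response
""".strip().splitlines()


def parse_line(line):
    """Split one summary line into its fields and pull the user and error out of Info."""
    no, t, src, dst, proto, info = line.split(maxsplit=5)
    user = re.search(r"User: (\S+)", info)
    error = re.search(r"Error: (\S+)", info)
    return {"no": int(no), "time": float(t), "src": src, "dst": dst,
            "kind": "request" if "Request" in info else "response",
            "user": user.group(1) if user else None,
            "error": error.group(1) if error else None}


def detect_smb_brute_force(lines, threshold=3):
    """Return findings as (kind, client, user, packet_no) tuples: a 'brute_force'
    finding when a client/user pair reaches `threshold` logon failures, and a
    'success_after_failures' finding if that pair later logs in without an error."""
    pending = {}                   # (client, server) -> user named in the outstanding request
    failures = defaultdict(list)   # (client, user) -> packet numbers of failed responses
    findings = []
    for rec in map(parse_line, lines):
        if rec["kind"] == "request":
            pending[(rec["src"], rec["dst"])] = rec["user"]
            continue
        client, server = rec["dst"], rec["src"]        # a response flows server -> client
        user = pending.pop((client, server), None)
        if user is None:
            continue                                   # response with no matching request
        if rec["error"] == "STATUS_LOGON_FAILURE":
            failures[(client, user)].append(rec["no"])
            if len(failures[(client, user)]) == threshold:
                findings.append(("brute_force", client, user, rec["no"]))
        elif rec["error"] is None and len(failures[(client, user)]) >= threshold:
            findings.append(("success_after_failures", client, user, rec["no"]))
    return findings


if __name__ == "__main__":
    for finding in detect_smb_brute_force(SAMPLE_LOG):
        print(finding)
```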
User Account and Privilege Escalation
The investigation showed that the attacker made a successful login to the system. The user account that suffered the data breach had the username “312ville\admin” and the password “iloveyou2”. The attacker then successfully downloaded a file from the system. The attacker used brute force to discover the user's username and password, so one of the user accounts was compromised. The attacker then used the username “aaddmmiinn” and the password “iloveyou2” to gain access to the system and created a new administrator account. This was a dangerous privilege escalation, as the attacker could launch further attacks on the system with administrative rights.
Account Weaknesses
The incident revealed various vulnerabilities in the system caused by account weaknesses. The passwords used consisted of short common words and contained no numbers or special characters, making the brute force attack easy and successful (Lee et al., 2016). The attacker also quickly gained administrative rights, showing weaknesses in how administrative privileges were set up. Normal user accounts could obtain administrative privileges, which was an indication of account weaknesses.
Recommendations
The first recommendation to the organization is to improve its password-composition policies. Passwords should not be easily guessed but should be complex enough that attackers cannot guess them. All passwords should be required to have at least eight characters and multiple character classes such as numbers, uppercase letters, and symbols (Shay et al., 2016). The organization can also introduce two-factor authentication using smart cards, badges, or phone verification to gain entry to the system.
The organization should also implement access control software to limit the privileges of user accounts. The permissions of each user account should be assigned based on the user's role and function in the organization. For instance, a normal account should not have administrative rights. Information considered highly sensitive should have limited access and require administrative privileges (Ullah et al., 2018). Such a structural model will facilitate better control over the users who have access to critical information. In the case of a data breach, this will ensure that attackers do not gain administrative privileges or access to essential organizational information.
The organization’s security team should strive to close all its open ports and improve security policies to reduce further attacks on the system. Open ports are configured to accept packets and can provide a platform for attackers to exploit. Open ports on a network with inadequate security rules are especially dangerous. The WannaCry ransomware made use of such vulnerabilities by taking advantage of open SMB ports through a zero-day exploit (Ganame et al., 2017). The organization can further improve its network security procedures by using Ethernet switches to reduce packet sniffing. Improving the organization’s key security features will help prevent future intrusions.
Conclusion
The network forensics analysis, the organization’s incident response, the network traffic analysis, and the Wireshark Lab results showed vulnerabilities in the network. A system or network is always at risk of attack through malware, DDoS attacks, or brute force. The Wireshark tool was used to analyze the network intrusion, identifying that brute force was used to access the system. The attacker gained access to sensitive files and gained administrative privileges. The intrusion was an indication of the need to improve security policies. Password-creation policies should be implemented to strengthen passwords. Access control should limit administrative rights. The organization should also strengthen its network security procedures by closing all open ports. The attack showed critical vulnerabilities in the system which should be acted upon promptly.
References
Begli, M., Derakhshan, F., & Karimipour, H. (2019, August). A layered intrusion detection system for critical infrastructure using machine learning. In 2019 IEEE 7th International Conference on Smart Energy Grid Engineering (SEGE) (pp. 120-124). IEEE. https://doi.org/10.1109/SEGE.2019.8859950
Bullock, J., & Parker, J. T. (2017). Wireshark for Security Professionals: Using Wireshark and the Metasploit Framework. John Wiley & Sons.
Computer forensics: Network forensics analysis and examination steps (2019). Infosec Institute. https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/digital-forensics/network-forensics-analysis-and-examination-steps/
Forshaw, J. (2017). Attacking network protocols: a hacker's guide to capture, analysis, and exploitation. No Starch Press.
Ganame, K., Allaire, M. A., Zagdene, G., & Boudar, O. (2017, October). Network behavioral analysis for zero-day malware detection–a case study. In International Conference on Intelligent, Secure, and Dependable Systems in Distributed and Cloud Environments (pp. 169-181). Springer, Cham. https://doi.org/10.1007/978-3-319-69155-8_13
Hashim, M. A., Abd Halim, I. H., Ismail, M. H., Noor, N. M., Fuzi, M. F. M., Mohammed, A. H., & Gining, R. A. J. (2017). Digital Forensic Investigation of Trojan Attacks in Network using Wireshark, FTK Imager and Volatility. Computing Research & Innovation (CRINN), Vol. 2, October 2017, 205.
Joshi, R. C., & Pilli, E. S. (2016). Network forensic tools. In Fundamentals of Network Forensics (pp. 71-93). Springer, London.
Lee, J. K., Kim, S. J., & Hong, T. (2016). Brute-force attacks analysis against SSH in HPC multi-user service environment. Indian Journal of Science and Technology, 9(24), 1-4. https://doi.org/10.17485/ijst/2016/v9i24/96070
Qamar, A., Karim, A., & Chang, V. (2019). Mobile malware attacks: Review, taxonomy & future directions. Future Generation Computer Systems, 97, 887-909. https://doi.org/10.1016/j.future.2019.03.007
Sahi, A., Lai, D., Li, Y., & Diykh, M. (2017). An efficient DDoS TCP flood attack detection and prevention system in a cloud environment. IEEE Access, 5, 6036-6048. https://doi.org/10.1109/ACCESS.2017.2688460
Shay, R., Komanduri, S., Durity, A. L., Huh, P., Mazurek, M. L., Segreti, S. M., ... & Cranor, L. F. (2016). Designing password policies for strength and usability. ACM Transactions on Information and System Security (TISSEC), 18(4), 1-34. https://doi.org/10.1145/2891411
Ullah, F., Edwards, M., Ramdhany, R., Chitchyan, R., Babar, M. A., & Rashid, A. (2018). Data exfiltration: A review of external attack vectors and countermeasures. Journal of Network and Computer Applications, 101, 18-54. https://doi.org/10.1016/j.jnca.2017.10.016
Wireshark user’s guide. (2019). Wireshark. https://www.wireshark.org/download/docs/user-guide.pdf
Yao, K., Li, H., Shang, W., & Hassan, A. E. (2020). A study of the performance of general compressors on log files. Empirical Software Engineering, 25(5), 3043-3085. https://doi.org/10.1007/s10664-020-09822-x