Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1, Security Threat Response Manager User Manual

Security Threat Response Manager
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000
www.juniper.net
Part Number: 530-025609-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Category Offense Investigation Guide
Release 2008.2
Copyright © 2008, Juniper Networks, Inc. All rights reserved. Printed in USA.
Revision History
June 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS
ABOUT THIS GUIDE
Documentation Feedback 1
Requesting Support 1
1 ACCESS OFFENSES
What is an Access Offense? 3
How do I Investigate an Access Offense? 4
How do I Tune an Access Offense? 7
2 SIM AUDIT OFFENSES
What is SIM Audit? 9
How do I Investigate a SIM Audit Offense? 9
How do I Tune a SIM Audit Offense? 12
Tuning Using False Positive Function 12
Tuning Using Custom Rules Wizard 14
3 AUTHENTICATION OFFENSES
What is an Authentication Offense? 17
How do I Investigate an Authentication Offense? 17
How do I Tune an Authentication Offense? 21
4 CRE OFFENSES
What is a CRE Offense? 23
How do I Investigate a CRE Offense? 23
How do I Tune a CRE Offense? 26
5 DENIAL OF SERVICE (DOS) OFFENSES
What is a DoS Offense? 27
What is a DoS Flood Attack? 27
What is a DoS Service Exploit? 28
How do I Investigate a DoS Offense? 28
How do I Tune a DoS Offense? 32
Tuning Using False Positive Function 32
Tuning Using Sentries 33
Tuning Using Custom Rules Wizard 33
How Can I Verify If STRM is Receiving Valid DoS Offenses? 34
6 EXPLOIT OFFENSES
What is an Exploit Attack? 35
How do I Investigate an Exploit Offense? 35
How do I Tune an Exploit Offense? 39
How Can I Verify That STRM is Receiving Valid Exploit Offenses? 40
7 MALWARE OFFENSES
What is Malware? 41
What is a Malware Offense? 41
How do I Investigate a Malware Offense? 42
How do I Tune a Malware Offense? 45
8 NETWORK ANOMALIES OFFENSES
What is a Network Anomaly Offense? 47
Policy 47
Threshold 47
Anomaly 48
Behavior 48
How do I Investigate a Network Anomaly Offense? 48
How do I Tune a Network Anomaly Offense? 50
9 POLICY OFFENSES
What is a Policy Offense? 51
How do I Investigate a Policy Offense? 51
How do I Tune a Policy Offense? 54
Tuning Using False Positive Function 54
Tuning Using Custom Rules Wizard 55
How Can I Verify That STRM is Receiving Valid Offenses? 55
10 POTENTIAL EXPLOIT OFFENSES
What is a Potential Exploit Offense? 57
How do I Investigate a Potential Exploit Offense? 57
How do I Tune a Potential Exploit Offense? 59
11 RECONNAISSANCE OFFENSES
What is Reconnaissance? 61
What is Network Reconnaissance? 61
What is a Reconnaissance Offense? 61
How do I Investigate a Reconnaissance Offense? 62
How do I Tune a Reconnaissance Offense? 65
Tuning Using False Positive Function 65
Tuning Using Custom Rules Wizard 67
12 SUSPICIOUS ACTIVITY OFFENSES
What is a Suspicious Attack? 69
What is Suspicious Traffic? 69
What is a Suspicious Offense? 69
How do I Investigate a Suspicious Offense? 70
How do I Tune a Suspicious Offense? 73
13 SYSTEM OFFENSES
What is a System Offense? 77
How do I Investigate a System Offense? 77
How do I Tune a System Offense? 80
How Can I Verify That STRM is Receiving Valid Offenses? 81
14 USER DEFINED OFFENSES
What is a User Defined Offense? 83
How do I Investigate a User Defined Offense? 83
How do I Tune a User Defined Offense? 86
ABOUT THIS GUIDE
This preface provides the following guidelines for using the Category Offense Investigation Guide:
Documentation Feedback
Requesting Support
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be sure to include the following information with your comments:
Document name
Document part number
Page number
Software release version
Requesting Support
Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
Category Offense Investigation Guide
1
ACCESS OFFENSES
This chapter provides information on access offenses including:
What is an Access Offense?
How do I Investigate an Access Offense?
How do I Tune an Access Offense?
What is an Access Offense?
Limiting access to your network and networked resources is an essential component of any network security strategy. In most cases, this is accomplished using firewalls. Monitoring the activity of the firewalls in your network is a massive undertaking for most organizations since the amount of logs generated can be overwhelming. STRM intelligently collects and analyzes firewall logs and then automatically reports any abnormal and/or suspicious behavior.
STRM generates offenses based on access related behavior when a user is attempting to gain illegal access to your network. By analyzing the firewall and other intrusion prevention device logs, STRM determines when a particular IP address has been denied access in a manner that requires investigation. STRM can also detect suspicious failed access to the same destination as well as multiple attempts across many distributed destinations.
How do I Investigate an Access Offense?
To investigate an access offense:
Step 1 Click the Offense Manager tab.
The Offense Manager window appears.
Step 2 Click By Category from the navigation menu.
The By Category view appears displaying high-level categories. The counts for each category are accumulated from the values in the low-level categories.
Hint: Only low-level categories with associated offenses appear with an arrow. You can click the arrow to view the associated low-level categories. If you wish to view all categories, click Show Inactive Categories.
Step 3 To view additional low-level category information for the Access category, click the arrow icon next to Access.
Step 4 Double-click any low-level category to view the list of associated offenses.
The list of offenses appears.
Step 5 Double-click the offense you wish to view.
The details panel appears.
Step 6 To investigate the attacker, view the Attacker Summary box:
Location - Allows you to determine if the attacker is local or remote:
- Local - This field specifies the network (group) in which it is located.
- Remote - This field specifies the geographic location of the attacker, for example, Asia. We recommend that you investigate the traffic from the remote source IP address to make sure that your firewalls are properly configured to block any threatening traffic. If firewall logs are being sent to STRM, use the Event Viewer to investigate firewall logs to make sure the firewall is properly configured. For more information on the Event Viewer, see the STRM Users Guide.
User - If the attacker is local or a VPN user and STRM is receiving user identity logs, this field indicates user identity information. This allows you to identify the user who is the source of the traffic. To obtain further information about the user, right-click on the IP address in the Description field to access additional menu options. From the menu, select Information > Asset Profile. The Asset Profile window allows you to determine additional information regarding the identity of the source user. You can also determine if the user associated with the offense is a valid user on the device they are attempting to access.
STRM generates access events when the same source IP address causes multiple failed access attempts, such as from a firewall. If you determine that this is normal behavior, you can tune STRM to no longer create offenses for this behavior. For information, see How do I Tune an Access Offense?.
Step 7 Determine if the user associated with the offense was attempting to illegally gain access to the network or a restricted area of the network. If you determine that the user had malicious intent:
a Click Flows to further investigate the user’s activity and make sure that the user did not obtain access to a restricted area of the network. The Flow Search window appears.
b Use the Event Viewer to search for events relating to this user that are associated with firewall accept messages. For more information on the Event Viewer, see Using the Event Viewer in the STRM Users Guide.
Step 8 Once you have determined the impact of the offense, you must perform the necessary steps to rectify the source of the activity. If you have determined this behavior is normal, you can tune STRM to no longer detect this activity. For more information, see How do I Tune an Access Offense?.
Step 9 Once you are satisfied that you have resolved the offense, you can close or hide the offense. For more information on closing or hiding an offense, see Investigating Offenses in the STRM Users Guide.
How do I Tune an Access Offense?
If you determine that the access activity is normal and STRM is creating false positive offenses, you can tune STRM to make sure no more offenses are created due to this activity.
To tune access activity using the false positive function:
Step 1 In the offense details interface, click Events.
The List of Events window appears.
Step 2 Select the event that includes the known source IP address that is reported to produce suspicious activity.
Step 3 Click False Positive.
The False Positive window appears with information derived from the selected event.
Step 4 Select the necessary event properties to tune as a false positive.
Step 5 Click Tune.
STRM will no longer create additional offenses for this source IP address when this type of activity occurs.
2
SIM AUDIT OFFENSES
This chapter provides information on SIM audit offenses including:
What is SIM Audit?
How do I Investigate a SIM Audit Offense?
How do I Tune a SIM Audit Offense?
What is SIM Audit?
STRM generates and records SIM audit events for system and configuration changes occurring within the STRM deployment. This information may be required for compliance regulations, troubleshooting, or internal tracking.
When STRM detects suspicious or unapproved SIM audit events, a SIM audit offense is created. STRM is able to monitor SIM audit activity for many different aspects of the STRM product. In certain situations, this data may also be combined with other events and flows associated with the attacker, and correlated into one offense. If an attacker does gain access to the STRM system, they may try to de-activate certain features or turn monitoring off on certain areas of the network. These suspicious changes would generate an offense in STRM.
How do I Investigate a SIM Audit Offense?
This section provides information on further investigating SIM audit offenses. To investigate SIM audit offenses:
Step 1 Click the Offense Manager tab.
The Offense Manager window appears.
Step 2 Click By Category from the navigation menu.
The By Category view appears displaying high-level categories. The counts for each category are accumulated from the values in the low-level categories.
Hint: Only low-level categories with associated offenses appear with an arrow. You can click the arrow to view the associated low-level categories. If you wish to view all categories, click Show Inactive Categories.
Step 3 To view additional low-level category information for the SIM Audit category, click the arrow icon next to SIM Audit.
Step 4 Double-click any low-level category to view the list of associated offenses.
The list of offenses appears.
Step 5 Double-click the offense you wish to view.
The details panel appears.
Step 6 View the Attacker Summary box to understand the attacker:
Location - Allows you to determine if the attacker is local or remote:
- Local - This field specifies the network (group) in which it is located.
- Remote - This field specifies the geographic location of the attacker, for example, Asia. We recommend that you investigate the traffic from the remote source IP address to make sure that your firewalls are properly configured to block any threatening traffic. If firewall logs are being sent to STRM, use the Event Viewer to investigate firewall logs to make sure the firewall is properly configured. For more information on the Event Viewer, see the STRM Users Guide.
User - If the attacker is local or a VPN user and STRM is receiving user identity logs, this field indicates user identity information. This allows you to identify the user who is the source of the suspicious traffic. To obtain further information about the user, right-click on the IP address in the Description field to access additional menu options. From the menu, select Information > Asset Profile. The Asset Profile window allows you to determine additional information regarding the identity of the source user.
If the activity is normal (for example, a valid user is making approved configuration changes to the STRM deployment), then you can use the Rules function in the Offense Manager to tune out this activity. For more information, see How do I Tune a SIM Audit Offense?.
Step 7 In the Attacker Summary box, place your mouse over the Description text. If the number of offenses is greater than 1, we recommend that you investigate the attacker to determine if the attacker is attempting to disguise his activities from other offenses. Unauthorized changes to your STRM deployment can lead to serious threats and attacks to the network being undetected.
Step 8 Click Events.
The List of Events appears for the selected offense.
The Device column provides the device that detected the event. If multiple devices are reporting similar events, the credibility value for this offense increases.
Step 9 To further investigate the target, right-click on an IP address in the Source column.
The right-click menu appears.
Step 10 Select Information > Asset Profile.
The Asset Profile appears.
Step 11 Once you have determined the impact of the offense, you must block the source of the unauthorized configuration activity, then take the desired action against the offense.
Step 12 Once you have resolved the offense, close or hide the offense. For more information on closing or hiding an offense, see the STRM Users Guide.
How do I Tune a SIM Audit Offense?
If you determine that the SIM audit activity is normal and STRM is creating false positive offenses, you can tune STRM to make sure no more offenses are created due to this activity.
You can tune STRM using one of the following methods:
Tuning Using False Positive Function
Tuning Using Custom Rules Wizard
Tuning Using False Positive Function
To tune SIM audit activity using the false positive function:
Step 1 In the SIM audit offense details interface, click Events.
The List of Events appears for the selected offense.
Step 2 Select the event with the source IP address known to be producing the SIM audit activity.
Step 3 Click False Positive.
The False Positive window appears with information derived from the selected event.
Step 4 Select the necessary event properties to tune as a false positive.
For example, in the window above, the Events with specific QID option is selected to tune the specific IP address and the event high-level category that is creating the false positive SIM audit event.
For additional information on using the False Positive tuning function, see the STRM Users Guide.
Step 5 Click Tune.
STRM will no longer create additional offenses for this source IP address when performing normal VA or network management tasks.
Tuning Using Custom Rules Wizard
To tune SIM audit activity using the custom rules wizard:
Step 1 In the navigation bar of the Offense Manager, click Rules.
The Rules interface appears.
Step 2 Using the Display drop-down list box, select Building Blocks.
Step 3 In the Block Name list, locate the Default-BB-HostDefinition: VA Scanner Source IP building block.
Step 4 From the Actions drop-down list box, select Edit.
The Rules Wizard appears.
Step 5 In the Building Block section, click the IP address that appears.
A configuration window appears.
Step 6 In the Enter an IP address or CIDR and click ‘Add’ field, enter the IP address of the VA scanner or IP address that is producing false positives.
Step 7 Click Add.
Step 8 Repeat for all VA scanners or IP address(es).
Step 9 Click Submit.
Step 10 Complete the rules wizard.
For more information on using the Custom Rules Wizard, see the STRM Administration Guide.
3
AUTHENTICATION OFFENSES
This chapter provides information on authentication offenses including:
What is an Authentication Offense?
How do I Investigate an Authentication Offense?
How do I Tune an Authentication Offense?
What is an Authentication Offense?
Typically, the first level of network security starts with authentication. When a user navigates a protected network, the network generally requires authentication at various levels of the network infrastructure. STRM supports the monitoring of many authentication points throughout a network, including host machines, firewalls, databases, application servers, and authentication servers.
While analyzing authentication events from devices, STRM detects any abnormal or potentially threatening activity, for example, when there are multiple login failures followed by a successful login. Since authentication activity is based on access to the network, STRM creates offenses when invalid users are attempting to, or more importantly, have already gained access to the network. STRM features intelligent security event logic capable of filtering authentication-based activity and creating offenses on truly suspicious behavior.
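As an added illustration that is not part of the Juniper guide, the following Python script models the two correlations this chapter and the Access Offenses chapter describe: a source IP that causes repeated firewall denies raises an Access offense, a run of login failures followed by a success raises an Authentication offense, and a source tuned out as a false positive is ignored. The log line format, field names, window and thresholds are assumptions, not STRM's.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real STRM, firewall or server output).
# Assumed field layout: "<ISO timestamp> <device> <source IP> <user> <outcome>".
SAMPLE_LOGS = """\
2008-06-01T10:00:01 fw1 10.1.1.5 bob deny
2008-06-01T10:00:03 fw1 10.1.1.5 bob deny
2008-06-01T10:00:05 fw2 10.1.1.5 bob deny
2008-06-01T10:00:07 fw2 10.1.1.5 bob deny
2008-06-01T10:00:09 fw1 10.1.1.5 bob deny
2008-06-01T10:00:12 srv1 10.1.1.5 bob login_failure
2008-06-01T10:00:14 srv1 10.1.1.5 bob login_failure
2008-06-01T10:00:16 srv1 10.1.1.5 bob login_failure
2008-06-01T10:00:20 srv1 10.1.1.5 bob login_success
2008-06-01T10:05:00 fw1 10.9.9.9 vascan deny
2008-06-01T10:05:01 fw1 10.9.9.9 vascan deny
2008-06-01T10:05:02 fw1 10.9.9.9 vascan deny
2008-06-01T10:05:03 fw1 10.9.9.9 vascan deny
2008-06-01T10:05:04 fw1 10.9.9.9 vascan deny
2008-06-01T10:10:00 srv2 10.2.2.2 alice login_failure
2008-06-01T10:10:05 srv2 10.2.2.2 alice login_success
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\S+)$")
FAILURES = {"deny", "login_failure"}


@dataclass
class Event:
    ts: datetime
    device: str
    src: str
    user: str
    outcome: str


@dataclass
class Offense:
    category: str   # "Access" or "Authentication", as in the guide's categories
    src: str
    count: int      # events that contributed to the offense
    devices: tuple  # reporting devices; the guide notes more devices raise credibility


def parse(text):
    """Parse the assumed line format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, device, src, user, outcome = m.groups()
            events.append(Event(datetime.fromisoformat(ts), device, src, user, outcome))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, tuned_sources=frozenset(), threshold=5, auth_threshold=3,
              window=timedelta(minutes=5)):
    """Return {(category, src): Offense}.

    Access: at least `threshold` denies from one source inside `window`.
    Authentication: at least `auth_threshold` login failures then a success.
    Sources in `tuned_sources` are skipped, the effect of tuning a source IP
    as a false positive. All thresholds are assumptions for this example.
    """
    recent = defaultdict(list)   # src -> failure events still inside the window
    offenses = {}

    def record(category, src, contributing):
        devices = tuple(sorted({e.device for e in contributing}))
        offenses[(category, src)] = Offense(category, src, len(contributing), devices)

    for ev in events:
        if ev.src in tuned_sources:
            continue
        recent[ev.src] = [f for f in recent[ev.src] if ev.ts - f.ts <= window]
        if ev.outcome in FAILURES:
            recent[ev.src].append(ev)
            denies = [f for f in recent[ev.src] if f.outcome == "deny"]
            if len(denies) >= threshold:
                record("Access", ev.src, denies)
        elif ev.outcome == "login_success":
            fails = [f for f in recent[ev.src] if f.outcome == "login_failure"]
            if len(fails) >= auth_threshold:
                record("Authentication", ev.src, fails + [ev])
            recent[ev.src] = []  # a success closes the failure run
    return offenses


def offense_keys(log_text, tuned_sources=frozenset()):
    """Sorted (category, source IP) pairs raised for a log text."""
    return sorted(correlate(parse(log_text), tuned_sources))
```

Running `offense_keys(SAMPLE_LOGS, tuned_sources={"10.9.9.9"})` shows the scanner's denies disappearing while the genuine offenses from 10.1.1.5 remain, which is the outcome the False Positive and VA Scanner building block tuning steps aim for.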
How do I Investigate an Authentication Offense?
To investigate an authentication offense:
Step 1 Click the Offense Manager tab.
The Offense Manager window appears.
Step 2 Click By Category from the navigation menu.
The By Category view appears displaying high-level categories. The counts for each category are accumulated from the values in the low-level categories.
Hint: Only low-level categories with associated offenses appear with an arrow. You can click the arrow to view the associated low-level categories. If you wish to view all categories, click Show Inactive Categories.
Step 3 To view additional low-level category information for the Authentication category, click the arrow icon next to Authentication.
Step 4 Double-click any low-level category to view the list of associated offenses.
The list of offenses appears.
Step 5 Double-click the offense you wish to view.
The details panel appears.
Step 6 To investigate the attacker, view the Attacker Summary box:
Location - Allows you to determine if the attacker is local or remote:
- Local - This field specifies the network (group) in which it is located.
- Remote - This field specifies the geographic location of the attacker, for example, Asia. We recommend that you investigate the traffic from the remote source IP address to make sure that your firewalls are properly configured to block any threatening traffic. If firewall logs are being sent to STRM, use the Event Viewer to investigate firewall logs to make sure the firewall is properly configured. For more information on the Event Viewer, see the STRM Users Guide.
User - If the attacker is local or a VPN user and STRM is receiving user identity logs, this field indicates user identity information. This allows you to identify the user who is the source of the traffic. To obtain further information about the user, right-click on the IP address in the Description field to access additional menu options. From the menu, select Information > Asset Profile. The Asset Profile window allows you to determine additional information regarding the identity of the source user.
Authentication offenses occur when the same source IP address causes multiple login failures. This may be caused by many users using the same network path to reach a particular server. Your network may also include an entire development team accessing a Windows server from the same Linux or Solaris server. In this case, false positive offenses may be generated when multiple users attempt to log in to different servers from the same server incorrectly. If this is the case, you can tune STRM to no longer create offenses for this behavior. For more information, see How do I Tune an Authentication Offense?.
Step 7 Determine if the user associated with the offense was attempting to illegally gain access to the network with malicious intent or is a user who has forgotten their password. If you determine that the user had malicious intent, we recommend that you restrict this user’s access to the network. We also recommend that you use the Event Viewer to search for events relating to this user to determine if your network was successfully breached. For more information on the Event Viewer, see the STRM Users Guide.
Step 8 Once you have determined the impact of the offense, you must perform the necessary steps to rectify the source of the activity. If you have determined this behavior is normal, you can tune STRM to no longer detect this activity. For more information, see How do I Tune an Authentication Offense?.
Step 9 Once you are satisfied that you have resolved the offense, you can close or hide the offense. For more information on closing or hiding an offense, see Investigating Offenses in the STRM Users Guide.
How do I Tune an Authentication Offense?
If you determine that the authentication activity is normal and STRM is creating false positive offenses, you can tune STRM to make sure no more offenses are created due to this activity.
To tune authentication activity using the false positive function:
Step 1 In the offense details interface, click Events.
The List of Events window appears.
Step 2 Select the event that includes the known source IP address that is reported to produce suspicious activity.
Step 3 Click False Positive.
The False Positive window appears with information derived from the selected event.
Step 4 Select the necessary event properties to tune as a false positive.
Step 5 Click Tune.
STRM will no longer create additional offenses for this source IP address when this type of activity occurs.
4
CRE OFFENSES
This chapter provides information on CRE offenses including:
What is a CRE Offense?
How do I Investigate a CRE Offense?
What is a CRE Offense?
Custom Rule Engine (CRE) offenses are generated through user-defined custom rules or sentries. A CRE offense appears in the Offense Manager when a custom rule maps an event to a category not supported by STRM. You should not receive CRE events in offenses or reports that use the standard STRM templates.
For more information on rules, sentries, or templates, see the STRM Administration Guide.
How do I Investigate a CRE Offense?
To investigate a CRE offense:
Step 1 Click the Offense Manager tab.
The Offense Manager window appears.
Step 2 Click By Category from the navigation menu.
The By Category view appears displaying high-level categories. The counts for each category are accumulated from the values in the low-level categories.
Hint: Only low-level categories with associated offenses appear with an arrow. You can click the arrow to view the associated low-level categories. If you wish to view all categories, click Show Inactive Categories.