Basic info
The Enterprise Intrusion Analysis course provides students with the skills needed to discover and analyze enterprise intrusions in a UNIX environment.
Students who can benefit from this course:
- Systems Administrators and Security Administrators who are responsible for detecting and analyzing enterprise system intrusions
This course counts towards the Hands-on course requirement for the Oracle Solaris 10 Security Administrator Certification. Only instructor-led in-class or instructor-led online formats of this course will meet the Certification Hands-on Requirement. Self Study CD-ROM and Knowledge Center courses DO NOT meet the Hands-on Requirement.
Prerequisites:
- System Administration for the Solaris 10 Operating System Part 2 (SA-202-S10)
- Demonstrate basic UNIX system and network administration skills
- Demonstrate a basic understanding of Transmission Control Protocol/Internet Protocol (TCP/IP) networking
- Demonstrate an intermediate understanding of network services: DNS, DHCP, SMTP, HTTP, and firewalls
Objectives:
- Detect an enterprise system intrusion
- Analyze a compromised system for crucial information: attack time, attacker location, attacker modifications to the system
- Correlate multiple log files from different parts of the enterprise to determine attacker usage
- Conduct an audit of file systems to determine attacker modifications
- Describe modern attacker methodology with proof of concept examples
Topics:
Enterprise Footprinting
- Describe the principles of least privilege and disclosure
- Describe how attackers use active fingerprinting using port scans, DNS and ICMP
- Describe how attackers use passive fingerprinting using search engines
- Describe how attackers enumerate services by collecting banner messages and protocol information
- Describe how attackers use social engineering methods to gather information about an enterprise
Unauthorized System Access
- Describe how attackers gain unauthorized access through user accounts
- Describe how attackers gain unauthorized access through software flaws
- Explain the attacker methodology for locating vulnerable enterprise services and creating exploits
- Describe a buffer overflow
- Describe privilege escalation
- Describe a Trojan horse as a means to escalate privileges
Securing root Access
- Describe how attackers secure root access through backdoors on a system
- Describe the following backdoors: SUID shell, bound shell, and trusted hosts
- Describe a file system rootkit
- Demonstrate how a file system rootkit hides files, processes, and connections
- Describe a kernel rootkit
- Demonstrate how a kernel rootkit captures all system activity
Encrypting and Hiding Data on a System
- Review encryption technology
- Describe how attackers use cryptography to encrypt files
- Demonstrate encryption using GnuPG and OpenSSL
- Describe digital steganography
- Demonstrate how attackers hide files within files using digital steganography
- Describe how attackers hide data within unexpected parts of the file system
- Demonstrate how attackers hide a file in file system metadata
- Demonstrate how attackers use the loopback file system and extended attributes to hide data
Enterprise Log Analysis
- Identify the different types of enterprise services, such as DNS, DHCP, SMTP, HTTP, and firewalls
- Identify available log files for enterprise services
- Describe the relevant intrusion information in each log file
- Examine enterprise log files to locate suspicious activity
- Correlate information from multiple log files to determine an intrusion
Unauthorized System Access Intrusion Analysis
- Identify default system access log files in the /var directory structure
- Identify optional Basic Security Module (BSM) and system accounting log files
- Describe log file formats and tools available to read the formats
- Describe the relevant information in each log file
- Correlate information from multiple log files to determine unauthorized system access
- Demonstrate how attackers modify log files to hide their presence on a system
File System Intrusion Analysis
- Define system and utility trust
- Locate backdoors on a UNIX system: alternate root accounts, bound shells, SUID shells, trusted host files
- Locate file system rootkits on a UNIX system
- Discover hidden directories, replaced system commands, remote command utilities, and network sniffers
- Describe automated file system analysis tools
- Use rkhunter, chkrootkit, and the Solaris Fingerprint Database to locate rootkits
System Memory Analysis
- Describe the important types of intrusion data that reside in memory
- Describe techniques to capture volatile memory data to a file system
- Introduce the memory analysis tools mdb and gdb
- Demonstrate how to recover data from memory using the mdb and gdb tools
Incident Investigation Methodologies
- Identify different types of intrusion scenarios
- Apply a methodology based on an intrusion scenario
- Collect the appropriate data (log files, file systems, and memory images) based on the intrusion scenario