CCIS 2125

Intrusion Detection & Incident Response

The Mystery Syllabus


There will be 15 class sessions.


First, some comments. You will see the same chapters assigned as reading more than once. That means the class session will depend on information from those chapters. It doesn't hurt to actually read them again, and I encourage you to do so.


Next, this syllabus is a living document. I will revise it. You can always see the latest copy at http://ccis2125.linux-classes.com/ids.html


  1. Introduction

  2. Networking Fundamentals I

    1. The ISO 7-Layer Reference Model

    2. How the model maps to TCP/IP, the protocol of the Internet, aka, the series of tubes.

    3. Unicast/Broadcast/Multicast

    4. Layer 2 (Ethernet)

    5. Mapping layer 2 to IP – ARP

    6. IP Datagrams

      1. Version differences

      2. Malformed packets

      3. Fragmentation

      4. Stealth Channels

    7. Routing

      1. Address class

      2. Subnetting

      3. CIDR

      4. Route tables

    8. Internet Control Message Protocol (ICMP)

      1. Why it is important

      2. Why it is often shut off

    9. Commands to examine configuration and state of TCP/IP on Linux

      1. ifconfig

      2. arp

      3. route

      4. ping

    10. What I'm not telling you: We are not talking about the manifold routing update protocols (RIP, BGP, OSPF, many others, Comer Chapters 13-15). These are important security protocols, especially when it comes to the “Availability” and “Authorization” “As” of security. We will not discuss MPLS (Comer Chapter 17) or mobile IP (Comer Chapter 18).

    11. Lab 2: (15 minutes, give or take). Use the command line tools and provide to me:

      1. Your MAC address, IP address, netmask, and broadcast address.

      2. Current entries in your arp cache

      3. Ping the address of the person to your right (if there is no one to your right, ping the person in front of you, if there is no one in front of you, ping me)

      4. Immediately after, dump your arp cache again. State the difference.

      5. I will ask each of you to say your information aloud.

      6. Discussion/Questions

    12. Reading for next time: Comer, Chapter 11, 12
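An added shell example for Lab 2 above (not part of the syllabus): it extracts the MAC, IP, netmask and broadcast address from ifconfig output, then compares arp -n dumps taken before and after the ping to show which neighbour the ARP exchange added to the cache. It also handles the newer ifconfig layout; the interface name, addresses and sample command output are constructed.

```shell
#!/bin/sh
# Added example for Lab 2 (not from the syllabus): parses the net-tools
# `ifconfig` and `arp -n` formats; the sample outputs below are constructed.
# Print mac/ip/netmask/broadcast for one interface's ifconfig block (stdin).
# Handles the old "inet addr:.. Bcast:.. Mask:.." and newer "inet .. netmask
# .. broadcast .." layouts.
ifconfig_summary() {
    awk '
        /HWaddr|ether/ { for (i = 1; i <= NF; i++) if ($i == "HWaddr" || $i == "ether") mac = $(i + 1) }
        /inet / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^addr:/)          { sub("addr:", "", $i); ip = $i }
                else if ($i ~ /^Bcast:/)    { sub("Bcast:", "", $i); bc = $i }
                else if ($i ~ /^Mask:/)     { sub("Mask:", "", $i); nm = $i }
                else if ($i == "inet")      ip = $(i + 1)
                else if ($i == "netmask")   nm = $(i + 1)
                else if ($i == "broadcast") bc = $(i + 1)
            }
        }
        END { printf "mac=%s ip=%s netmask=%s broadcast=%s\n", mac, ip, nm, bc }'
}

# Print "IP MAC" for each resolved entry present in the second `arp -n` dump
# but not the first: what the ping's ARP exchange added. Skips the header
# and "(incomplete)" rows.
arp_new_entries() {
    { printf '%s\n' "$1" | sed 's/^/B /'; printf '%s\n' "$2" | sed 's/^/A /'; } |
    awk '$2 ~ /^[0-9]+\./ && $4 ~ /:/ {
            if ($1 == "B") seen[$2] = 1
            else if (!($2 in seen)) print $2, $4 }'
}

# The real lab on a Linux host with net-tools, e.g.: lab2_live eth0 10.1.2.18
lab2_live() {
    ifconfig "$1" | ifconfig_summary
    before=$(arp -n)
    ping -c 4 "$2" > /dev/null 2>&1 || echo "ping to $2 failed"
    arp_new_entries "$before" "$(arp -n)"
}

# Constructed sample data standing in for the live commands.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 08:00:27:5a:1b:2c
          inet addr:10.1.2.17  Bcast:10.1.2.255  Mask:255.255.255.0'
ARP_BEFORE='Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.2.1                 ether   00:50:56:ab:cd:ef   C                     eth0'
ARP_AFTER="$ARP_BEFORE
10.1.2.18                ether   08:00:27:9e:44:02   C                     eth0"

printf '%s\n' "$SAMPLE_IFCONFIG" | ifconfig_summary
arp_new_entries "$ARP_BEFORE" "$ARP_AFTER"
```

The top-level calls exercise the parsers on the constructed samples; lab2_live runs the same steps against the live commands.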

  3. Networking Fundamentals II – Transport protocols

    1. Introducing wireshark

    2. UDP

    3. TCP

    4. Services

      1. UDP Services

        1. Sun RPC

        2. NFS

        3. Streaming and Multicast

      2. TCP Services

        1. HTTP

        2. SMTP

        3. IMAP

        4. POP3

        5. Finger

        6. Telnet

        7. SSH

        8. Many others

    5. What I'm not telling you

    6. Lab 3: Start wireshark and begin collecting all data on your ethernet interface. Start firefox. Visit google.com. Stop collecting packets. Find the first TCP conversation of the google visit and display the TCP stream. Call me over to show me. Once that is done, play with wireshark for at least 15 minutes. Ask me any questions you like.

    7. Assignment: I can't make you install anything on your home computer, but if you have a Linux box at home, fire up wireshark and collect traffic on your home network for a while. Browse it. Examine it. Drill down into it. If you don't have a Linux box, wireshark is available for Windows. See http://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html for details.

    8. Reading for next time: Northcutt & Novak, Chapters 4-9

  4. Learning to analyze network traffic

    1. tcpdump

    2. Wireshark

      1. Capture filters

      2. Viewing filters

      3. Using wireshark to view tcpdump captures

    3. Recording EVERYTHING and why it is a good idea

      1. Disk is cheap

      2. Successful intrusions are expensive

      3. Configuring an (almost) impenetrable network monitor

    4. What I'm not telling you

    5. Lab 4: Fire up wireshark and apply capture filters to get only traffic bound for port 80 (http). Visit some web sites and use other network protocols to access other features. Stop the capture and view the result. Now start a capture of all traffic on the interface. Visit a number of web sites. Use ftp, icq, or pop3/imap to view some mail. See me if you need help setting this up. Now apply viewing filters to see only each kind of traffic.

    6. Reading for next time: Northcutt & Novak Chapter 4, 10. nmap man page.

  5. Think like the enemy: Reconnaissance

    1. ping

      1. Lab 5: Ping. Use ping to ping your neighbor to the right (if there is no one to your right, ping your neighbor to the front. If there is no student to the front, ping me). Use ping arguments to ping ten times and stop. Use ping arguments to flood your target with pings.

    2. finger

    3. traceroute

      1. Lab 6: Traceroute. Do a traceroute to your neighbor. Do a traceroute to your favorite (legal, acceptable to HTC acceptable use policies) web site. E-mail the results to me.

    4. nmap

      1. Lab 7: nmap yourself (use the loopback address). nmap scan me. nmap scan your neighbor. nmap scan the room. E-mail the results to me.

    5. dumpster diving

    6. Google their proverbial backsides

    7. nslookup/public records

    8. What I'm not telling you

    9. Reading for next time: Comer chapters 2, 5, and 6. Northcutt & Novak chapter 15.

  6. Think like the enemy II: Exploiting trusted systems

    1. ARP trickery

    2. Layer 2 trickery

    3. Bypassing firewalls

      1. VPNs

      2. SSH

      3. httptunnel

      4. icmptunnel

      5. smtptunnel

    4. DNS trickery

    5. The Mitnick attack as a class

    6. Sniffing maliciously

      1. tcpdump/wireshark

      2. dsniff

    7. What I'm not telling you

    8. Review for midterm

  7. Midterm

    1. Reading for next time: National Vulnerability Database http://nvd.nist.gov/, (I don't expect you to read the whole database! But I do expect you to know how to search the site and make use of the information.), nmap man page. Review nessus documentation (if you have time) at http://www.nessus.org/documentation/

  8. Think like the enemy III: Exploiting vulnerable systems and software

    1. Google is your friend

    2. nmap is also your friend: Using the more evil features of nmap

      1. Lab

    3. Introduction to nessus

    4. The “telnet” client's only real use

    5. Exploiting the vulnerabilities

    6. What I'm not telling you

    7. Reading for next time

  9. Think like the enemy IV: Social Engineering, or exploiting trusting people, aka “lying like a cheap K-Mart rug.”

  10. Think like a defender I: Secure the perimeter

    1. Put up a firewall

    2. Make your hosts unreachable

    3. Shut down unneeded services

    4. Lock down the remaining services

    5. Thinking securely

  11. Think like a defender II: Defense in depth

    1. Audit, Repair, Repeat

    2. Monitor the outside and the inside

      1. Using snort to alert on the high level

      2. Using tcpdump to record everything (at least everything inside)

    3. Detect penetration

      1. tripwire, acid, others

    4. Security policies

      1. Password policies

        1. Password strength

        2. Password expiration

      2. Public key policies

    5. Countermeasures

      1. Manual

      2. Automatic

  12. Think like a defender III: When the worst happens

    1. No response plan?

      1. What do you do?

    2. Implement response plan

      1. Mistakes

      2. Blame

      3. Self-examination

    3. Document

    4. Revise

    5. Practicalities

      1. You will work somewhere that has no plan and you will experience a security incident.

      2. What do you want to do? Fix it and pretend it never happened? Stop it, learn from it, and then fix it? Catch the perpetrator, learn from it, fix it?

      3. Factors that affect this decision include legal, regulatory, or fiduciary responsibilities, the nature of the compromised system (e.g., does it contain just public information, or private corporate data? Does it contain bank account, credit card, medical data, or other client data that would be a serious legal problem if compromised or disclosed? Do you even know what the system contains?)

  13. Think like a defender IV: Plan for the worst

    1. Create an incident planning team

      1. Should include management, IT, legal, accounting

      2. Should meet regularly. Frequently when creating plan, less frequently when plan is in place, more frequently when an incident occurs.

    2. Create an incident response team

      1. How should the membership be different from the planning team?

      2. The focus of this group is entirely on the incident, implementing the incident plan, and documenting the incident and plan issues.

    3. Create an incident response plan

      1. Shutdown or observe

        1. Mitigate or prosecute?

        2. Risk of incident

        3. Benefit of capture

      2. Notification

        1. Managers

        2. Corporate officers

        3. Law enforcement

        4. Customers?

      3. Forensics

        1. Chain of evidence

        2. Analysis, pinpoint penetration

      4. Recovery

        1. Restore, rebuild?

        2. Loss assessment

      5. Post-mortem

        1. The response and planning teams meet, review incident, discuss plan issues.

        2. The planning team should begin a revision of the plan based on the incident, including or soliciting input from the response team to do so.

  14. Panic about the big test. Review, questions, discussion, and possibly the most enjoyable lab EVER!

    1. Your questions

    2. Discussion

    3. Lab: Divide into teams of 4. Take over or crash each server box. A crash is worth 1 point. A successful access of data or non-admin shell prompt is 2 points. Root or admin access is 3 points. The winning team will get a prize, donated by me.

  15. Final exam