Investigation Report On Intrusion At Top Gear Industries

Analysis

This document sets out to explain the suspected intrusion into Top Gear Industries systems, as reported by the Head of Engineering at Top Gear Industries, whereby schematics of their new project, codenamed ‘Swordfish’, had been mysteriously deleted and replaced with a digital calling card. Furthermore, they discovered that a number of their servers had been infected with malware. To make matters worse, log files from the affected servers had been deleted. Fortunately, Top Gear Industries had installed an advanced Wireless Intrusion Detection System (WIDS) just for the Engineering Department, which collects all wireless traffic and saves it in a secure location for further analysis. Upon further analysis it was discovered that the WIDS was not involved in the attack and was not compromised.


The use of Wireshark aided immensely in gathering facts and producing conclusive documentation after analysis of the live packet capture that was handed over. The document contains three main parts: Analysis, Report Findings and Conclusion.

According to Human Resources, the suspect, by the name of Flynn Griffen, was reported to have resigned immediately after the incident occurred, which obviously raised suspicion. In that regard, the investigation focused on gathering evidence on the suspect, such as by:

Conducting an investigation into the websites accessed by the suspect during the time period.

Using the payload from the live packets, the source IP and destination IP were determined.


From these, the computer from which the traffic originated and the destination address of the data were established by packet sniffing. In Wireshark, basically: go to Statistics | HTTP | Load Distribution and apply the filter http.host. Now look at “HTTP Requests by HTTP Host”. This gives a detailed description of the traffic coming to and from the network.
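The tally that Wireshark’s Load Distribution produces can be reproduced outside the GUI from reassembled TCP payloads, which is useful when the same question has to be asked of many captures. The following is an added example written for this report, not part of the original investigation; the client addresses, server addresses, hostnames and the competitor watch-list are all constructed, and the payloads are hypothetical request bytes as a capture tool would hand them over after TCP reassembly.

```python
import re
from collections import defaultdict

# Constructed sample: (client IP, server IP, reassembled TCP payload) as pulled
# from a capture. All addresses and hostnames are hypothetical.
SAMPLE_FLOWS = [
    ("11.0.0.42", "203.0.113.10",
     b"GET / HTTP/1.1\r\nHost: www.rivalmotors.example\r\nUser-Agent: x\r\n\r\n"),
    ("11.0.0.42", "203.0.113.10",
     b"GET /products HTTP/1.1\r\nhost: WWW.RivalMotors.example\r\n\r\n"),   # header name case varies
    ("11.0.0.42", "198.51.100.7",
     b"GET /news HTTP/1.1\r\nHost: intranet.topgear.example\r\n\r\n"),
    ("11.0.0.17", "198.51.100.7",
     b"POST /api HTTP/1.1\r\nHost: intranet.topgear.example\r\nContent-Length: 0\r\n\r\n"),
    ("11.0.0.17", "198.51.100.7", b"GET / HTTP/1.0\r\n\r\n"),              # HTTP/1.0, no Host header
    ("11.0.0.17", "192.0.2.9", b"\x16\x03\x01\x00\xa5"),                    # TLS record, not HTTP
]
# Hypothetical list of competitor hostnames the analyst wants flagged.
WATCHLIST = {"www.rivalmotors.example"}

# An HTTP/1.x request starts with METHOD SP target SP HTTP/1.x CRLF.
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def http_host(payload: bytes):
    """Return the normalised Host header of an HTTP/1.x request, or None if the
    payload is not an HTTP request or carries no Host header."""
    if not REQUEST_LINE.match(payload):
        return None
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line itself
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


def requests_by_host(flows):
    """Map host -> {client_ip: request_count}, the same view as Wireshark's
    'HTTP Requests by HTTP Host' under Statistics | HTTP | Load Distribution."""
    table = defaultdict(lambda: defaultdict(int))
    for client, _server, payload in flows:
        host = http_host(payload)
        if host:
            table[host][client] += 1
    return {host: dict(clients) for host, clients in table.items()}


def watchlist_hits(flows, watchlist):
    """Only the hosts on the watch-list, with the clients that contacted them."""
    return {h: c for h, c in requests_by_host(flows).items() if h in watchlist}


if __name__ == "__main__":
    for host, clients in requests_by_host(SAMPLE_FLOWS).items():
        print(host, clients)
    print("watch-list hits:", watchlist_hits(SAMPLE_FLOWS, WATCHLIST))
```

Requests with no Host header (HTTP/1.0) and non-HTTP payloads are dropped rather than counted under an empty host, which is the same behaviour the Wireshark statistic shows.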

Investigations into the kind of media accessed by the suspect were again done using Wireshark, to determine how much data had been downloaded by the suspect’s client PC over TCP through port 445 (the default port used by SMB/SMB2).

Basically, to see which files were downloaded from the Core Server via UNC, go in Wireshark to File > Export Objects > SMB/SMB2. This shows:

“Packet num”: the reference number of the packet (going to this packet number tells you which client IP is concerned).

“Hostname” / “Filename”: the root of the shared drive concerned and the rest of the path.

“Content Type”: the full size of the file being downloaded and the percentage of it downloaded during the trace.
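The percentage shown in Export Objects is derived from the SMB2 READ responses seen for each file against the size learned from the CREATE/GETINFO response. The following added example (written for this report, not taken from the investigation or from Wireshark) shows how that coverage figure is computed once READ responses have been pulled out of a capture: overlapping or retransmitted reads are merged so they are not counted twice, reads past a known size are clipped, and a file whose size was never observed is reported without a percentage. The server name, share paths, packet numbers and client addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SmbRead:
    """One SMB2 READ response as it would be extracted from a capture (constructed)."""
    packet_num: int
    client_ip: str
    hostname: str   # server side of the UNC path
    filename: str   # path on the share
    offset: int     # file offset requested
    length: int     # bytes actually returned


@dataclass
class FileTransfer:
    packet_num: int           # first packet that touched the file, for cross-reference
    client_ip: str
    hostname: str
    filename: str
    size: Optional[int]       # None when no CREATE/GETINFO response reported a size
    ranges: list = field(default_factory=list)   # merged, non-overlapping (start, end)

    def add(self, offset: int, length: int) -> None:
        """Merge a read into the covered byte ranges; overlaps count once."""
        end = offset + length if self.size is None else min(offset + length, self.size)
        if end <= offset:
            return
        merged = []
        for s, e in sorted(self.ranges + [(offset, end)]):
            if merged and s <= merged[-1][1]:
                merged[-1] = (merged[-1][0], max(merged[-1][1], e))
            else:
                merged.append((s, e))
        self.ranges = merged

    def bytes_seen(self) -> int:
        return sum(e - s for s, e in self.ranges)

    def percent(self) -> Optional[float]:
        """Share of the file observed in the trace, like the Export Objects figure."""
        if not self.size:
            return None
        return round(100.0 * self.bytes_seen() / self.size, 2)


def summarize_transfers(reads, file_sizes):
    """Group READ responses by (client, server, file) and track coverage per file."""
    transfers = {}
    for r in reads:
        key = (r.client_ip, r.hostname, r.filename)
        if key not in transfers:
            transfers[key] = FileTransfer(r.packet_num, r.client_ip, r.hostname, r.filename,
                                          file_sizes.get((r.hostname, r.filename)))
        transfers[key].add(r.offset, r.length)
    return transfers


def coverage_report(reads, file_sizes):
    """(client, server, file) -> (first packet, bytes seen, percent or None)."""
    return {key: (t.packet_num, t.bytes_seen(), t.percent())
            for key, t in summarize_transfers(reads, file_sizes).items()}


# Constructed sample: sizes as learned from CREATE responses, then the READ responses seen.
SAMPLE_SIZES = {
    ("CORE-SERVER", r"\Engineering\Swordfish\schematic_v3.dwg"): 8192,
    ("CORE-SERVER", r"\Engineering\Swordfish\team_roster.xlsx"): 1024,
}
SAMPLE_READS = [
    SmbRead(101, "11.0.0.42", "CORE-SERVER", r"\Engineering\Swordfish\schematic_v3.dwg", 0, 4096),
    SmbRead(103, "11.0.0.42", "CORE-SERVER", r"\Engineering\Swordfish\schematic_v3.dwg", 4096, 2048),
    SmbRead(105, "11.0.0.42", "CORE-SERVER", r"\Engineering\Swordfish\schematic_v3.dwg", 2048, 4096),  # overlaps
    SmbRead(120, "11.0.0.42", "CORE-SERVER", r"\Engineering\Swordfish\team_roster.xlsx", 0, 1024),
    SmbRead(131, "11.0.0.17", "CORE-SERVER", r"\Engineering\README.txt", 0, 512),  # size never seen
]

if __name__ == "__main__":
    for key, (pkt, seen, pct) in coverage_report(SAMPLE_READS, SAMPLE_SIZES).items():
        print(pkt, key, seen, pct)
```

With the constructed reads the schematic shows 6144 of 8192 bytes (75%) despite three reads totalling 10240 bytes, which is the kind of discrepancy that signals retransmission or a client re-reading a region rather than a larger download.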

Report Findings

Using the above techniques, it becomes easier to determine whether any of the websites, downloaded files and videos accessed were involved in hacking, and furthermore whether the suspect was involved in and aware of the intrusion and data theft at the company. In that regard, it can now be determined:

How the suspect gained access to the FTP server.

If the suspect downloaded any media, it must have been over FTP and hence captured in the server’s log file, since ideally one uses an FTP client to log on to an FTP server; during an FTP session the address, username and password are required by the protocol, and this data is stored in the log file kept on the server.

NB: FTP is an acronym for File Transfer Protocol. As the name suggests, FTP is used to transfer files between computers on a network. You can use FTP to exchange files between computer accounts, transfer files between an account and a desktop computer, or access online software archives. (“Use FTP to transfer files”, n.d.)

The FTP log is a text record of all manner of activities that go on during an FTP session.

This information, together with the port number, can be used to pin down the client in that session.

On printing the log file, it simply shows the client connecting to the server, logging in and asking for a list of files in the main directory through various commands, which raise further suspicion. Here is an excerpt of the log file:

On detailed examination of the entire document, the suspect is seen to be primarily focused on the “Swordfish” project, according to the commands in the time period of the log file. For instance, the command:

Command:LIST *Sword fish

Response:150 Opening ASCII mode data connection for file list. 

The client sends a command requesting access to a specified file and the server sends back the requested response; such suspicious commands are found throughout the log entries.
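Reading a whole FTP log by eye for commands that touch the project is error-prone, so the checks described above (who logged in, what was listed or retrieved, whether the transfer actually completed, and which clients came from outside the network) are better expressed as a small parser. The following is an added example written for this report; it is not the log format of any particular FTP server and not part of the original investigation. The log excerpt, the timestamp/client/session/direction line layout, the usernames and the internal address range 11.0.0.0/8 are all constructed assumptions.

```python
import ipaddress
import re

# Constructed FTP server log excerpt in a hypothetical layout:
#   <date> <time> <client IP> [<session id>] <'>' client command | '<' server reply> <text>
# Names, addresses and timestamps are made up for the example.
FTP_LOG = """\
2019-03-04 13:02:11 11.0.0.42 [12] > USER fgriffen
2019-03-04 13:02:11 11.0.0.42 [12] < 331 Password required for fgriffen.
2019-03-04 13:02:12 11.0.0.42 [12] > PASS ********
2019-03-04 13:02:12 11.0.0.42 [12] < 230 User fgriffen logged in.
2019-03-04 13:02:15 11.0.0.42 [12] > CWD /projects
2019-03-04 13:02:15 11.0.0.42 [12] < 250 CWD command successful.
2019-03-04 13:02:20 11.0.0.42 [12] > LIST *Swordfish*
2019-03-04 13:02:20 11.0.0.42 [12] < 150 Opening ASCII mode data connection for file list.
2019-03-04 13:02:21 11.0.0.42 [12] < 226 Transfer complete.
2019-03-04 13:02:40 11.0.0.42 [12] > RETR swordfish_team.docx
2019-03-04 13:02:40 11.0.0.42 [12] < 150 Opening BINARY mode data connection.
2019-03-04 13:02:41 11.0.0.42 [12] < 226 Transfer complete.
2019-03-04 13:02:50 11.0.0.42 [12] > RETR swordfish_budget.xlsx
2019-03-04 13:02:50 11.0.0.42 [12] < 550 swordfish_budget.xlsx: Permission denied.
2019-03-04 13:05:02 198.51.100.77 [13] > USER admin
2019-03-04 13:05:02 198.51.100.77 [13] < 530 Login incorrect.
2019-03-04 13:10:30 11.0.0.17 [14] > USER jdoe
2019-03-04 13:10:30 11.0.0.17 [14] < 230 User jdoe logged in.
2019-03-04 13:10:45 11.0.0.17 [14] > RETR timesheet.xlsx
2019-03-04 13:10:46 11.0.0.17 [14] < 226 Transfer complete.
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) \[(?P<sid>\d+)\] (?P<dir>[<>]) (?P<text>.*)$")
# Commands whose argument names or lists content on the server.
CONTENT_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "CWD", "STAT", "SIZE"}


def parse_ftp_log(text):
    """Turn log lines into dicts; client commands get 'command'/'arg', replies get None."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # tolerate banner or blank lines
        e = m.groupdict()
        e["sid"] = int(e["sid"])
        if e["dir"] == ">":
            cmd, _, arg = e["text"].partition(" ")
            e["command"], e["arg"] = cmd.upper(), arg
        else:
            e["command"], e["arg"] = None, None
        entries.append(e)
    return entries


def build_sessions(entries):
    """Per session: client, user, whether login succeeded, files actually retrieved
    (RETR followed by a 2xx completion) and files the server refused (4xx/5xx)."""
    sessions, pending = {}, {}
    for e in entries:
        s = sessions.setdefault(e["sid"], {"client": e["ip"], "user": None, "logged_in": False,
                                          "retrieved": [], "refused": [], "commands": []})
        if e["command"]:
            s["commands"].append((e["command"], e["arg"]))
            if e["command"] == "USER":
                s["user"] = e["arg"]
            elif e["command"] == "RETR":
                pending[e["sid"]] = e["arg"]
        else:
            code = e["text"][:3]
            if code == "230":
                s["logged_in"] = True
            # 1xx is an intermediate reply; 2xx completes, 4xx/5xx refuses the transfer.
            if e["sid"] in pending and code[:1] in "245":
                name = pending.pop(e["sid"])
                (s["retrieved"] if code[:1] == "2" else s["refused"]).append(name)
    return sessions


def keyword_hits(entries, keyword):
    """Content commands whose argument mentions the keyword, case-insensitively."""
    kw = keyword.lower()
    return [(e["sid"], e["command"], e["arg"]) for e in entries
            if e["command"] in CONTENT_COMMANDS and kw in (e["arg"] or "").lower()]


def external_clients(entries, internal_net):
    """Client addresses outside the expected internal range."""
    net = ipaddress.ip_network(internal_net)
    return sorted({e["ip"] for e in entries if ipaddress.ip_address(e["ip"]) not in net})


if __name__ == "__main__":
    entries = parse_ftp_log(FTP_LOG)
    print(keyword_hits(entries, "swordfish"))
    for sid, s in build_sessions(entries).items():
        print(sid, s["client"], s["user"], s["logged_in"], s["retrieved"], s["refused"])
    print("external:", external_clients(entries, "11.0.0.0/8"))
```

Separating retrieved from refused files matters for the report: a RETR that the server answered with 550 shows intent but not exfiltration, and only completed transfers should be counted as data that left the server.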

On the question as to whether the suspect was working alone or as part of a team, further cross-examination of the live packet feed using Wireshark indicates a significant number of packets, sent by the file server, intended for a PC that no longer exists in the network.

So again, why is the file server with the IP address 11.x.x.3 sending NBNS (NetBIOS Name Service) queries for the host PAUL-XP, asking for its IP address?
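An NBNS name query carries the target name in first-level encoded form (each byte of the 16-byte NetBIOS name split into two nibbles, each added to ‘A’), with the sixteenth byte being a service suffix that says which service on PAUL-XP is being looked up. The following added example (written for this report, not from the investigation) encodes and decodes that format and picks the queries for a given host out of a list of packets, so the observation above can be made from raw UDP/137 payloads without Wireshark. The packets, transaction IDs, the file-server address 11.0.0.3 and the broadcast address are constructed; the name encoding and header layout follow RFC 1001/1002.

```python
import struct

# Common NetBIOS suffix bytes (RFC 1001 name types).
NB_SUFFIX = {0x00: "Workstation Service", 0x03: "Messenger Service",
             0x20: "File Server Service", 0x1B: "Domain Master Browser"}


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: pad to 15 chars, append suffix, map each nibble to 'A'+nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for byte in raw for c in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(encoded: bytes):
    """Reverse of encode_netbios_name; returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a 32-character first-level encoded name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(name: str, suffix: int, txid: int) -> bytes:
    """Name query: flags 0x0110 = standard query, recursion desired, broadcast bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x0020, 0x0001)
    return header + question


def build_nbns_response(name: str, suffix: int, txid: int, ip: str) -> bytes:
    """Positive name query response (flags 0x8500) with one NB resource record."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = (b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
          + struct.pack(">HHIH", 0x0020, 0x0001, 300000, 6)
          + struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split(".")))
    return header + rr


def parse_nbns_query(packet: bytes):
    """Decode an NBNS name query; returns None for responses or non-NBNS payloads."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:
        return None                                  # a response, or not a simple query
    pos = 12
    if len(packet) < pos + 1 + 32 + 1 + 4 or packet[pos] != 32:
        return None
    encoded = packet[pos + 1:pos + 33]
    if packet[pos + 33] != 0:
        return None                                  # expect the root label after the name
    qtype, _qclass = struct.unpack(">HH", packet[pos + 34:pos + 38])
    name, suffix = decode_netbios_name(encoded)
    return {"txid": txid, "name": name, "suffix": suffix, "qtype": qtype,
            "broadcast": bool(flags & 0x0010)}


def find_queries_for_host(packets, hostname: str):
    """(src, dst, txid, service) for every NBNS query naming the given host."""
    hits = []
    for src, dst, payload in packets:
        q = parse_nbns_query(payload)
        if q and q["name"] == hostname.upper():
            hits.append((src, dst, q["txid"], NB_SUFFIX.get(q["suffix"], hex(q["suffix"]))))
    return hits


# Constructed sample traffic: (source IP, destination IP, UDP payload). NBNS retries the
# same query several times, so the unanswered PAUL-XP lookup appears twice.
SAMPLE_PACKETS = [
    ("11.0.0.3", "11.255.255.255", build_nbns_query("PAUL-XP", 0x20, 0x8001)),
    ("11.0.0.3", "11.255.255.255", build_nbns_query("PRINTSRV", 0x20, 0x8002)),
    ("11.0.0.9", "11.0.0.3", build_nbns_response("PRINTSRV", 0x20, 0x8002, "11.0.0.9")),
    ("11.0.0.3", "11.255.255.255", build_nbns_query("PAUL-XP", 0x20, 0x8003)),
]

if __name__ == "__main__":
    for hit in find_queries_for_host(SAMPLE_PACKETS, "paul-xp"):
        print(hit)
```

The suffix is the useful detail: a query for PAUL-XP<20> asks for the File Server Service, which is what a client connecting to a shared printer or share on that host would look up, so the suffix narrows down which subsystem on the file server still holds a reference to the missing machine.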

Conclusion

Wireshark shows us packets sent from the file server to the specific host, but it cannot tell which routine or service running on the file server is responsible for this traffic.

To find this program or service we used Process Monitor from the SysInternals tools. We started a capture for a few seconds, then searched for the string “PAUL-XP”. In the result we can see the process name at the origin of the query, in this case spoolsv.exe. Next we applied a filter to show only the traces related to spoolsv.exe.

With the filter applied, we can also see the spoolsv.exe process accessing the “TGCUPrintersConnections, PAUL-XP, Microsoft XPS Document Writer” registry key. This means that there is a connection to the printer “Microsoft XPS Document Writer” on the host PAUL-XP. It can be verified by opening the printer’s location in the Control Panel.

Regarding email spoofing, enquiries from the Human Resources department indicated scams in the form of phishing, whereby the department suffered an email attack impersonating the CEO, requesting that a copy of the ‘Swordfish’ program be sent to him in Word format, with the message copied to the manager as well. This can be categorized as whaling.

Report Findings

After researching the websites accessed by the suspect by use of Wireshark, the payload data showed that the suspect had visited a number of competitor websites in the recent time period. This not only excites suspicion but also makes the suspect’s intent clearer. This can be illustrated by the IP addresses in the live capture stored on the server, which indicate that the particular traffic emanated from the suspect’s computer.

Investigations into the kind of media accessed by the suspect were traced via TCP on the file server; this indicated traces of confidential files uploaded to the client’s computer that had later been deleted. For instance, a file containing the names and basic information of the team put together to develop the ‘Swordfish’ program, as well as various employee email address information, was downloaded to the client computer.

This kind of data is particularly useful in email spoofing. Email spoofing is the creation of email messages with a forged sender address for the purpose of bluffing the recipient into providing money or sensitive information.

The suspect also tried to access training videos, which were luckily archived and encrypted; this was done suspiciously, with intent to gain access to videos on the product.

An FTP (File Transfer Protocol) server by default stores log files; these log files provide a record of anything that happens on the FTP server during a session.

According to the log file excerpt obtained from the FTP server, the client accessed the server a number of times; for instance, the client sent a command to the server requesting access to all filenames tagged ‘Swordfish’, obviously with intent to obtain information on the intellectual property.

There are several commands that a client can send to an FTP server to find out information, switch directories, or request files. In the sample log the client’s main aim was information regarding the Swordfish project. (Smith, Greenbaum, Douglas, Long & Gerstein, 2005)

It was, however, not possible to determine the full extent of the information requested by the client, since all the other affected servers had their log files deleted.

The log file accessed at the Engineering Department shows traces of IP addresses that emanated from outside the network. Such IP addresses raised suspicion as to how such FTP sessions were authenticated. On further investigation, the presence of third-party applications on the suspect’s computer was noticed; although it could not be established how the apps might have been used, this was a breach of the security measures in the institution’s policy.

Evidence as to whether it could have been an inside job or a team including outsiders indicates the presence of, or aid from, a team of hackers as well, because:

There were reports of loss of bandwidth, especially during midday and early evening; as a result, normal functions that need an Internet connection slowed down significantly.

Strange requests were recorded on the server, whereby, along similar lines, users all of a sudden started receiving requests from strange programs asking for permission to access the network. This is almost always proof that the server has been hacked.

File sizes, especially of the mail queue, had increased, which again provides clear proof that there was a spamming attack on the network. This was recorded on the mail server at the Engineering Department.

Files were lost and some all of a sudden became encrypted. Files cannot be encrypted by anyone who does not have authentication from the server. As a result, files that appear encrypted are a clear indication that the network is compromised. Likewise, edited information in files, such as dates, user IDs, or inventory trackers, was easily recognized as inaccurate.

Conclusions and Recommendations

The investigation finds significant evidence indicating involvement by the suspect as well as aid from a team of outsiders; this can be used to take further legal action or necessary measures as may be outlined by management.

Various recommendations regarding security policies, however, need to be implemented with haste. These include, but are not limited to:

Authentication should be two-factor authentication for users to gain successful access.

Consider adding time and location of access as additional authentication factors.

Deploy all updates from vendors to your software immediately.

Follow appropriate change control procedures every time configurations are changed or updated.

Initiate behaviorally-driven training and metrics to measure the results of your awareness programs.

Create comprehensive access governance policies to ensure users have the minimum degree of necessary access.

References

Use FTP to transfer files. (n.d.). Retrieved from https://kb.iu.edu/d/aerg

Smith, A., Greenbaum, D., Douglas, S., Long, M., & Gerstein, M. (2005). Genome Biology, 6(9), 119. https://dx.doi.org/10.1186/gb-2005-6-9-119
