Are there Rogue Hosts in my Network? Student Guide With Lab
Table of Contents

Preface ... 3
  Teaching Tools: WebEx Training Center ... 4
  Teaching Tools: ReadyTech Lab Management ... 5
  Course Materials ... 6
Lab 00: Access ReadyTech Lab Environment ... 7
  Activity 1: Log into the ReadyTech Lab ... 7
  Activity 2: Register the Lab Access Code and Send a Chat Message and a Green Checkmark to the Instructor ... 8
  Activity 3: Launch Management Console Java Client ... 9
Run Script to begin Workshop ... 11
  Introduction ... 11
Workshop Introduction ... 15
  Workshop Overview ... 15
  Workshop Objectives ... 16
  Workshop Assumptions ... 17
  Workshop Agenda ... 18
  Why are Rogues bad in my Network ... 19
Brute Force Detection ... 21
  Introduction ... 21
  Enable Brute Force to Alarm ... 22
  Run Brute Force Script ... 26
  Viewing Brute Force Alarms in the WebUI ... 28
  Viewing Brute Force Alarms in the Desktop Client ... 35
Using the Domain Dashboard to Identify Rogues ... 37
  Introduction ... 37
  Identify Rogues using the Domain Dashboard ... 38
Rogue DHCP Server Discovery ... 43
  Introduction ... 43
  Rogue DHCP Custom Flow Table Filter ... 44
Workshop Learning Outcomes ... 51
  Workshop Outcomes for Are there Rogue Hosts in my Network ... 51
Wrap Up ... 53
  Customer Success ... 53
  Implementing Stealthwatch System Use Case Solutions ... 54
  Questions or Feedback? ... 55
Lesson 1: Preface

The purpose of the preface is to provide details about the Virtual Workshop experience, including a review of the available course materials and how the information is organized.
Teaching Tools: WebEx Training Center

The WebEx Training Center is used as the online collaboration space where instructors and students gather for the workshop. Using the WebEx Training Center features, the course content is presented over the web by an instructor. Both students and instructors are remote.

Accessing the WebEx session

Students and instructors will receive email notifications with the credentials needed to access the scheduled training that is offered through the WebEx Training Center. Once at the WebEx Training Center, the student:
- Enters an access code.
- Downloads a WebEx plugin.
- Enters the WebEx Training Center.
Teaching Tools: ReadyTech Lab Management

Cisco uses ReadyTech to host a remote lab for training purposes.

Accessing the Lab

Students can use either the HTML5 access method or the Remote Desktop (RDP) method to get into the lab. Each method has slightly different steps to gain access to the lab environment.

HTML5: https://lancope.instructorled.training/access/login
Remote Desktop: https://lancope.hostedtraining.com
Course Materials

A Workshop Guide containing Cisco Stealthwatch background information and lab activities is available for this course.

For every Use Case covered in the Workshop Guide, there is a corresponding lab activity. A lab consists of a series of activities the student completes in the virtual training lab.

The Workshop Guide includes step-by-step instructions along with screen captures and callouts to key areas in the Stealthwatch System. Each section of detailed directions includes links back to the previous lab, which can be accessed by clicking the exercise: the section title links back to the previous lab, and another link is located at the end of the step-by-step directions.

Using the Workshop Guide, students can access the ReadyTech hosted lab environment to complete lab activities.
Lesson 2: Lab 00: Access ReadyTech Lab Environment

Activity 1: Log into the ReadyTech Lab

Purpose
The purpose of this activity is for you to validate your access to the ReadyTech lab environment and practice navigating between the WebEx Training Center and the remote lab.

Procedure
Use the following steps to complete this activity:
1. Access the ReadyTech web site at https://lancope.instructorled.training.
2. Enter your assigned access code.
3. Log into the ReadyTech virtual environment.
Activity 2: Register the Lab Access Code and Send a Chat Message and a Green Checkmark to the Instructor

Purpose
The purpose of this activity is to validate that you can register your ReadyTech Lab and practice accessing the chat feature in the lab.

Procedure
Use the following steps to complete this activity:
1. Launch the Course Registration tool from the ReadyTech virtual desktop and register your access code.
2. Launch the ReadyTech Lab Manager from the virtual desktop and send a chat message to the instructor.
Activity 3: Launch Management Console Java Client

Purpose
The purpose of this activity is to validate that you can log into the Management Console Java Client and Web App. The Management Console is where you manage, coordinate, and configure the Stealthwatch System.

Browser
The instructions presented here are based upon using the Google Chrome browser on the virtual desktop. If you use another browser, what you see and do may be different.

Lab Environment Stealthwatch Credentials:
User Name: admin
Password: lan411cope
Lesson 3: Run Script to begin Workshop

Introduction
This workshop uses pre-made scripts to generate traffic in the lab environment. The following lab will walk you through running the first script to create the necessary traffic for the workshop.

Overview
Set up the lab with real-world traffic.

Purpose
Generate the necessary traffic in the lab environment.

Minimum Requirements
Access to the ReadyTech Lab environment and the course material folder on the virtual desktop.

Run Script to Simulate Real World Traffic

Description
For this scenario, you will need to complete the following tasks:
1. Open the file folder Desktop > Course Material > UCW > Rogue Device.
2. Double-click the script: Rogue Device.

Conclusion
You have run the pre-made script for the upcoming workshop. Your lab environment is now ready to begin the workshop.
Here are the step-by-step instructions for your scenario:
1. Open the Course Material folder on the virtual desktop.
2. Open the UCW folder.
3. Open the Rogue Device folder.
4. Double-click the Rogue Device shortcut to initiate the traffic.
   Result: A command window opens running the necessary traffic for your workshop. Do not close the command window. It will automatically close once the script finishes.
Lesson 4: Workshop Introduction

Workshop Overview
Modern enterprise networks are larger and more complex than ever before, so it takes a robust and complex system like Stealthwatch to defend them. The same complexity that makes Stealthwatch such a powerful tool can also present challenges when working to effectively implement the system after it is installed in your network. The Customer Success team has developed a library of Stealthwatch Use Case documents to address these challenges and made them available through the Customer Community. Use Cases highlight how to most effectively use Stealthwatch to identify and investigate common issues and threats in your network.

In this workshop, you will work through a series of Use Cases that focus on custom filters, dashboards, and alarm configurations. The workshop is designed to provide you with hands-on, practical experience implementing techniques from the Use Cases so you can feel confident applying them in your own network environment.

This workshop is intended to be interactive and engaging, so you are encouraged to ask questions, respond to questions, and share best practices and ideas.
Workshop Objectives
At the end of this workshop, you will be able to implement Stealthwatch Use Cases in order to:
1. Configure the Brute Force Login security event to alarm.
2. Examine the Domain Dashboard for potential rogue devices.
3. Create custom flow filters to identify potential rogue DHCP servers.
Workshop Assumptions
For the purpose of this workshop, some basic assumptions were made about your network configuration and Stealthwatch deployment.

In order to get the maximum benefit from this workshop, you should have the following systems (or comparable) installed and configured on your network:
- Stealthwatch 6.6 or higher
- Stealthwatch Flow Collector

Optional:
- Stealthwatch Flow Sensor
- Cisco ISE or other identity appliances
Workshop Agenda
1. Why are Rogues bad in my Network
2. Lab Activities
   - Brute Force Attack Detection
   - Rogue Device Detection
   - Detecting Rogue DHCP Servers
3. Conclusion
Why are Rogues bad in my Network
So, what is a rogue in today's networks? By definition, a rogue is someone or something that strays from the accepted norm. On your network, that "someone" or "something" can be a Rogue Device: a Rogue Access Point (AP), a Rogue Wireless Device, a Rogue User, and so on.

Consider this familiar situation: you have a user who decides to activate their wireless card as an AP so they can connect their personal phone to the company Internet. Is this acceptable behavior? No. Users should not be allowed to connect new devices onto the company network. That unauthorized wireless card is a rogue device and it has caused a breach in security. An attacker with a sniffer can now use this newly opened network to bypass your company's firewalls.

There are several common types of rogues that can threaten your network, including:
- Rogue DHCP server: a DHCP server on a network which is not under the administrative control of the network staff.
- Rogue Device: an unauthorized device connected to the network that poses a significant risk to the organization.
- Rogue AP: a wireless access point installed on a wired enterprise network without authorization from the network administrator.
- Rogue users: employees who are intentionally out to cause harm on the network.

Rogues of any kind are dangerous because they are already inside your network. They do not have to go through the standard security checks to gain access. They are inside the perimeter, beyond the reach of your firewalls and other perimeter network defenses.

Enter Stealthwatch. Using your network as a sensor, Stealthwatch detects behavior changes and anomalies in the network, allowing for the detection of internal threats such as policy violations, unauthorized access, and rogue devices.

In this workshop, you will use Stealthwatch to go hunting for rogues. Your challenge begins with a seemingly simple user login issue. However, within a matter of days, this simple login issue mutates into a flood of rogues entering your network. Your goal: identify the rogues in order to end the threat before it advances any further.
Lesson 5: Brute Force Detection

Introduction

Overview
Your office has been getting a high number of calls about password resets over the last few hours. This is uncommon and raises concern about a possible brute force attack on the network. Your experience tells you that this is a situation that needs to be monitored closely. Therefore, you are going to set it up so an alarm triggers in Stealthwatch whenever a host attempts to make multiple connections with low amounts of data to another host.

Purpose
The purpose of this lab is to configure a Brute Force Login Security Event in Stealthwatch so that it triggers an alarm when a host attempts to make multiple connections with low amounts of data to another host.

Minimum Requirements
Stealthwatch 6.5 or later
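To make the alarm's heuristic concrete, here is an added example that is not part of the workshop guide and is not Stealthwatch code: it applies the same idea, many connections from one host to another that each carry little data, to a set of constructed flow records. The byte and connection thresholds, the Flow field names and the sample addresses are assumptions chosen for the illustration, not Stealthwatch's tuned defaults.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow record (field names are assumed for this example)."""
    client: str
    server: str
    server_port: int
    client_bytes: int
    server_bytes: int


# Assumed thresholds: a failed login exchanges only a few packets, so a single
# attempt stays well under MAX_BYTES_LOW_DATA; an interactive session does not.
MAX_BYTES_LOW_DATA = 2000
MIN_ATTEMPTS = 20


def low_data_attempts(flows):
    """Count connections per (client, server, port) that carried little data."""
    counts = defaultdict(int)
    for f in flows:
        if f.client_bytes + f.server_bytes <= MAX_BYTES_LOW_DATA:
            counts[(f.client, f.server, f.server_port)] += 1
    return dict(counts)


def brute_force_alarms(flows, min_attempts=MIN_ATTEMPTS):
    """Return one alarm record per (client, server, port) at or above the threshold."""
    alarms = [
        {"source": client, "target": server, "port": port, "attempts": n}
        for (client, server, port), n in low_data_attempts(flows).items()
        if n >= min_attempts
    ]
    # Most attempts first, so the noisiest source is at the top of the list.
    return sorted(alarms, key=lambda a: (-a["attempts"], a["source"]))


def _repeat(client, server, port, n, client_bytes=180, server_bytes=240):
    return [Flow(client, server, port, client_bytes, server_bytes) for _ in range(n)]


# Constructed sample flows (not lab data): one host hammering SSH on a server,
# a second host with a few retries followed by a real session, and a third host
# whose connections are frequent but carry too much data to count as attempts.
SAMPLE_FLOWS = (
    _repeat("192.168.130.28", "10.50.100.20", 22, 30)
    + _repeat("10.50.100.5", "10.50.100.20", 22, 3)
    + [Flow("10.50.100.5", "10.50.100.20", 22, 48_000, 310_000)]
    + _repeat("10.50.100.8", "10.50.100.30", 443, 25, client_bytes=1500, server_bytes=900)
)


if __name__ == "__main__":
    for alarm in brute_force_alarms(SAMPLE_FLOWS):
        print(f"Brute Force Login: {alarm['source']} -> {alarm['target']}:{alarm['port']} "
              f"({alarm['attempts']} low-data connections)")
```

The byte ceiling per connection is what separates repeated failed logins from a legitimate session: the second host's three small retries followed by one large session stay below the alarm threshold, and the third host's 25 connections are ignored because each carries more data than a failed login would. Stealthwatch applies its own tuned values per host policy; the structure of the check is the same.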
Enable Brute Force to Alarm

Description
The security event Brute Force Login contributes toward the Concern Index (CI) by default, but does not generate an individual alarm for brute force attacks. In this activity, you will tune the Stealthwatch system to alarm for brute force attacks.

For this scenario, you will need to complete the following tasks:
1. Open the Host Policy Manager to select the Default Policy for Inside Hosts.
2. Enable the Brute Force Login security event to alarm under the Security Events tab.

Conclusion
In this activity, you enabled the Brute Force Login security event to alarm on your network for the Inside Hosts Default Policy. This allows Stealthwatch to alarm on potential brute force attacks across the internal network.

Here are the step-by-step instructions for your scenario:
1. Open the Host Policy Manager.
2. Select Host Policy Manager… from the Configuration menu.
3. Click the Alarm box and ensure a check mark has appeared in the box.
4. Select Inside Hosts from the Default Policies section. Then, click the Edit… button.
5. Click the Security Events tab in the Edit Default Policy dialog.
   Result: You see a list of security events and their settings.
6. Locate the Brute Force Login type in the Security Events list. Click the check box in the Alarm column so it is enabled.
   Result: The Brute Force Login alarm is turned on.
7. Enable Brute Force Login to alarm: click the Alarm box and ensure a check mark has appeared in the box.
8. Click OK.
   Result: The updated Security Event changes have been saved.
Run Brute Force Script

Description
You enabled an alarm for the Brute Force Login Security Event. Now, you want to initiate traffic that simulates real-world brute force login traffic to verify that the alarm triggers and to generate alarm data that you can investigate.

For this scenario, you will need to complete the following tasks:
1. Run a Brute Force Login script from the Course Material > UCW > Rogue Device folder.

Conclusion
You initiated traffic that forced a brute force attack to occur, activating the Brute Force Login Security Event. This will start triggering alarms in Stealthwatch. Now, you can go into Stealthwatch and determine how best to analyze this alarm data.

Here are the complete step-by-step instructions for initiating a script to run Brute Force Login traffic:
9. Open the Course Materials > UCW > Rogue Device folder.
10. Double-click the Brute Force shortcut to initiate the traffic.
    Result: A command window opens and the Brute Force Attack traffic executes. Do not close the command window. It will automatically close once the script finishes executing.
Viewing Brute Force Alarms in the WebUI

Description
Now that the Brute Force Attack traffic has executed, you have alarm data to investigate. You can view this alarm data using both the Stealthwatch Desktop Client and the Stealthwatch WebUI. In this activity, you will use both interfaces to dig into the alarm data and review the flows for further analysis.

For this scenario, you will need to complete the following tasks:
1. Log on to the Stealthwatch WebUI.
2. View Today's Alarms for Brute Force Login alarms.
3. View Alarms by Type for Brute Force Login alarms.
4. Double-click the Brute Force Login alarm and view the alarms for today.
5. View the Security Events Details for the source IP belonging to the Catch All host group.

Conclusion
In this activity, you viewed the Brute Force Login alarms that have taken place for the day. You noticed several alarms from different sources and one in particular from the Catch All host group. 192.168.130.28 is an undefined host that is trying to get access to other hosts on the network and showing signs of data extraction. Being in the Catch All group, this host also has the potential to be a rogue device on your internal network.

Here are the complete step-by-step instructions for your scenario:
11. Log into the WebUI.
    Result: The WebUI Security Insight Dashboard displays upon login. Beginning at the Security Insight Dashboard, the next few steps break down the dashboard to highlight where to see the Brute Force Login alarm.
    Review the following data from your dashboard:
    Today's Alarms: one (1) Brute Force Login attack is represented in the pie chart.
    Alarms by Type: a Brute Force Login attack is shown in the bar chart.
12. Click the names of all alarm types except "Brute Force Login" in the Alarms by Type list to view only the number of brute force attacks for today. Deselect alarms you do not want to see by clicking their names in the alarm type box. Once clicked, the alarm type becomes grayed out.
13. Hover over the bar chart alarm for Brute Force Login. Double-click the bar to view the associated alarms of that type for the day.
    As you look through the alarms, you should notice an alarm sourced from the Catch All group. Brute force attacks are worrying in general, but this one in particular is because it comes from an undefined host on your internal network. This is a possible indicator of a rogue in your network and should be investigated.
14. Click View Details for the source host 192.168.130.28.
    Result: The Security Events Details: 192.168.130.28 page loads and shows all events for this host. You notice that the host has gained access and begun to extract data from other hosts.
Viewing Brute Force Alarms in the Desktop Client

Description
Use the Desktop Client to view the Alarm Table and identify the brute force attack that has set off the Brute Force Login alarm.

For this scenario, you will need to complete the following tasks:
1. Launch the Desktop Client.
2. Run an Alarm Table for your domain.
3. Locate the Brute Force Login alarm.

Conclusion
In this activity, you used the desktop management console to view current alarms for the day. By sorting the alarms by Alarm, you are able to view the brute force alarm that was triggered by the script you ran earlier. Host 192.168.130.28 is the same host you saw in the WebUI conducting brute force attacks.

Here are the complete step-by-step instructions for your scenario:
15. Run an Alarm Table for the domain by right-clicking the domain name in the enterprise tree.
16. Select Status > Alarm Table to view today's alarms.
17. Look for Brute Force Login under the Alarm heading.
    Note: You can click the heading to sort the records.
Lesson 6: Using the Domain Dashboard to Identify Rogues

Introduction

Overview
You have identified host 192.168.130.28 as a bad host in your network. The host, belonging to the Catch All Host Group, was conducting brute force attacks and suspected data extraction out of your network. Using Stealthwatch's built-in Domain Dashboard, you will check for possible rogues in your network that have appeared today.

Purpose
The purpose of this activity is to identify any potential rogue host by using the built-in Domain Dashboard in Stealthwatch.

Minimum Requirements
Any version of Stealthwatch
Identify Rogues using the Domain Dashboard

Description
Using the built-in Domain Dashboard, you will identify any possible rogue hosts that have appeared since the archive hour.

For this scenario, you will need to complete the following tasks:
1. Load the Domain Dashboard in the Desktop Client.
2. View all potential rogue devices in the Rogue Hosts tab.

Conclusion
Looking at the Rogue Hosts tab in the Domain Dashboard, you noticed that host 192.168.130.28 is new to your network. This host is using a private IP address, and further investigation is required to find out how this host obtained the IP address.

Here are the complete step-by-step instructions for your scenario:
18. Click the File tab and select Manage Documents.
19. Locate and select the Domain Dashboard.
20. Click Open to show the Domain Dashboard as a new tab in the Management Console.
21. The Domain Dashboard has now appeared in the MC. Select the Rogue Hosts tab to view all potential rogues in the network.
    With the Rogue Hosts tab displayed, you can now view any new host that has joined your network since the archive hour.
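The Rogue Hosts tab answers one question: which inside hosts appeared after the archive hour? As an added example, separate from the guide and from Stealthwatch, the following script reconstructs that view from constructed flow records: inside hosts active before the archive hour form the baseline, and any private-range address that first shows up afterwards is reported with the time, the first peer it talked to, and the host group it would fall into (an inside address matching no defined group is what the guide calls an undefined, Catch All host). The inside ranges, the host-group definitions, the archive hour and the sample flows are assumptions for this illustration.

```python
import ipaddress

# Assumed: inside space is the RFC 1918 ranges, as in a default Inside Hosts group.
INSIDE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed host-group definitions for this example. Any inside address that matches
# none of them is treated as a Catch All host.
HOST_GROUPS = {
    "Desktops, New York": ("10.50.100.0/24",),
    "DHCP Servers": ("10.50.1.10/32", "10.50.1.11/32"),
}

ARCHIVE_HOUR = "2019-01-01T00:00"  # assumed; ISO timestamps compare correctly as strings


def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETWORKS)


def host_group(ip):
    """First matching host group, else Catch All for inside addresses, else Outside Hosts."""
    addr = ipaddress.ip_address(ip)
    for name, networks in HOST_GROUPS.items():
        if any(addr in ipaddress.ip_network(n) for n in networks):
            return name
    return "Catch All" if is_inside(ip) else "Outside Hosts"


def baseline_hosts(flows, archive_hour=ARCHIVE_HOUR):
    """Inside hosts seen in any flow before the archive hour."""
    known = set()
    for ts, client, server in flows:
        if ts < archive_hour:
            known.update(h for h in (client, server) if is_inside(h))
    return known


def rogue_hosts(flows, archive_hour=ARCHIVE_HOUR):
    """Inside hosts first seen at or after the archive hour, oldest first."""
    known = baseline_hosts(flows, archive_hour)
    first_seen = {}
    for ts, client, server in sorted(flows):  # chronological; ISO strings sort correctly
        if ts < archive_hour:
            continue
        for host, peer in ((client, server), (server, client)):
            if is_inside(host) and host not in known and host not in first_seen:
                first_seen[host] = {
                    "host": host, "first_seen": ts, "first_peer": peer, "group": host_group(host),
                }
    return sorted(first_seen.values(), key=lambda r: r["first_seen"])


# Constructed flows (not lab data): (timestamp, client, server).
# The first two predate the archive hour and therefore define the baseline.
SAMPLE_FLOWS = [
    ("2018-12-31T22:10", "10.50.100.5", "10.50.100.20"),
    ("2018-12-31T23:45", "10.50.100.71", "10.50.1.10"),
    ("2019-01-01T08:15", "10.50.100.5", "10.50.100.20"),
    ("2019-01-01T09:02", "192.168.130.28", "10.50.100.20"),
    ("2019-01-01T09:40", "10.50.100.77", "10.50.1.10"),
    ("2019-01-01T10:05", "10.50.100.20", "203.0.113.9"),
    ("2019-01-01T11:30", "192.168.130.28", "10.50.100.71"),
]

if __name__ == "__main__":
    for r in rogue_hosts(SAMPLE_FLOWS):
        print(f"{r['host']:16} first seen {r['first_seen']} talking to {r['first_peer']:16} group: {r['group']}")
```

Two hosts are new in the sample: 10.50.100.77 lands in a defined desktop group and may simply be a freshly imaged machine, while 192.168.130.28 matches no group at all, which is the combination the guide singles out for follow-up. The external address 203.0.113.9 is ignored because it is not inside.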
Lesson 7: Rogue DHCP Server Discovery

Introduction

Overview
After consulting other IT departments about host 192.168.130.28, you determine this host to be a rogue host in your network. What is the next step in the equation? How did the device get this private IP? What device gave out the IP? Is that device allowed to give out IP addresses? These are all questions that need answers, and the following lab will guide you through them.

Purpose
The purpose of this lab is to create a custom flow table filter to determine if there is a Rogue DHCP Server handing out illegitimate IPs on the network.

Minimum Requirements
Stealthwatch 6.6 or newer
Rogue DHCP Custom Flow Table Filter

Description
Knowing beforehand that host 192.168.130.28 is a rogue device, you now must determine who gave it the IP address. You will create a custom flow table filter to determine the rogue DHCP server in your network.

For this scenario, you will need to complete the following tasks:
1. Launch a Flow Table.
2. Set the Date relative to Today.
3. Configure the following Host settings:
   - Client set to include IP address 192.168.130.28, exclude None.
   - Server set to include Inside Hosts, exclude DHCP Servers.
4. Filter by the following services: dhcpc, dhcps.
5. Generate the flow table to view results.

Conclusion
Host 192.168.130.28 was given an IP from a desktop in the New York office. Host 10.50.100.71 is not listed as a DHCP server but is running server services and applications for DHCP. The 10.50.100.71 host has become a Rogue DHCP Server letting unauthorized (rogue) devices onto your network.

With a Flow Sensor deployed on this network, in-depth application data can be gathered. This host shows the DHCP application running.

Here are the complete step-by-step instructions for your scenario:
22. Open up a Flow Table. Right-click the domain name, select Flows > Flow Table and left-click Flow Table to launch the Flow Table. To go directly to the filter options, CTRL + click the Flow Table selection to bring up the filter settings. This will bypass Step 2 of this lab.
23. Click the Filter icon. To customize the Flow Table, you must click the Filter icon to bring up the filter settings.
24. In the Date/Time option, configure the following: set the radio button to For the Day; Relative: Today.
25. In the Hosts option, configure the following:
    A. Check Filter by Host.
    B. Where the Client Host includes the IP Address List: in the context box, type the IP address of the rogue device, 192.168.130.28, and excludes None.
    C. And the Server Host includes the Host Group: click the Browse button and select Inside Hosts; and excludes the Host Group: click the Browse button and select Inside Hosts > By Function > Servers > DHCP Servers.
26. In the Applications & Services option, configure the following:
    a. Click Filter by Services; a check mark will appear.
    b. Ensure Include is selected.
    c. Choose the dhcpc and dhcps options.
27. Click OK to generate a new report in the Management Console window.
    We can now see that IP address 192.168.130.28 has been given an IP address from host 10.50.100.71, which resides in the Desktops, New York Host Group. This host is generating DHCP traffic, which is not expected. Further investigation needs to be done on this host to find out why there is DHCP traffic on it.
28. Let's dive deeper into the Server Host 10.50.100.71 by double-clicking this host.
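The filter built in steps 22 to 27 is a query over flow records: the client is the rogue host, the server side is any Inside Host that is not in the DHCP Servers group, and the service is dhcpc or dhcps. As an added example, separate from the guide and from Stealthwatch, the following script expresses the same filter over constructed flow records and, going one step beyond the lab, can run it across all clients so that every unauthorized host answering DHCP is listed with the clients it served. The authorized-server list, the inside ranges, the Flow field names and the sample flows are assumptions for this illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record; the server is the side that answered (field names assumed)."""
    client: str
    server: str
    protocol: str
    client_port: int
    server_port: int


INSIDE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed membership of Inside Hosts > By Function > Servers > DHCP Servers.
AUTHORIZED_DHCP_SERVERS = {"10.50.1.10", "10.50.1.11"}

# dhcps is UDP/67 (server side), dhcpc is UDP/68 (client side).
DHCP_PORTS = {67, 68}


def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETWORKS)


def is_dhcp_flow(flow):
    """Matches the dhcpc/dhcps service filter: UDP with port 67 or 68 on either side."""
    return flow.protocol == "udp" and (flow.server_port in DHCP_PORTS or flow.client_port in DHCP_PORTS)


def rogue_dhcp_servers(flows, client_ip=None):
    """Servers of DHCP flows that are inside hosts but not authorized DHCP servers.

    client_ip restricts the search to one client, as the lab's filter does;
    None checks every client. Returns {server: sorted list of clients served}.
    """
    served = {}
    for f in flows:
        if client_ip is not None and f.client != client_ip:
            continue
        if not is_dhcp_flow(f):
            continue
        if not is_inside(f.server) or f.server in AUTHORIZED_DHCP_SERVERS:
            continue
        served.setdefault(f.server, set()).add(f.client)
    return {server: sorted(clients) for server, clients in sorted(served.items())}


# Constructed flows (not lab data). Broadcast DHCP discovery is omitted; as in the
# flow table, the server field names the host that actually answered on UDP/67.
SAMPLE_FLOWS = [
    Flow("192.168.130.28", "10.50.100.71", "udp", 68, 67),      # lease from an unexpected desktop
    Flow("10.50.100.9", "10.50.1.10", "udp", 68, 67),           # lease from an authorized server
    Flow("192.168.130.28", "10.50.100.71", "tcp", 51034, 445),  # not DHCP, must not match
    Flow("10.50.100.12", "10.50.100.71", "udp", 68, 67),        # a second client served by the rogue
    Flow("10.50.100.9", "10.50.100.20", "udp", 55012, 53),      # DNS, must not match
]

if __name__ == "__main__":
    for server, clients in rogue_dhcp_servers(SAMPLE_FLOWS, client_ip="192.168.130.28").items():
        print(f"Unauthorized DHCP server {server} handed leases to {', '.join(clients)}")
```

The exclusion of the authorized group is what turns a plain service filter into a rogue-server check: without it, every lease from 10.50.1.10 would appear in the result too. Keeping that host group accurate, and confirming a hit with Flow Sensor application data as the guide does in step 28, is the operational part of this detection.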