Tools are designed to make IT Professionals’ and Developers’ lives easier. A good tool can save a lot of work and time for those people responsible for developing and managing software. I thought I’d write a series of articles dedicated to highlighting some of the most useful free security-related tools Microsoft offers.
Over the years I developed several networking and security support tools that became popular with IT Professionals. Some of these tools were released in various Resource Kits and Support Tools offerings included with some versions of Windows operating systems. These tools include DNSLint, Portqry, NBLookup, and many others.
Port Reporter runs as a service (in the background, with no user interaction) and logs network usage together with the details an investigator needs: the IP addresses the system communicates with, the TCP and UDP ports in use, the processes that use those ports, whether each process is a service (attackers often prefer to run their code as a service rather than as an application), the modules (DLLs and so on) loaded by each process that uses a network port, and the user accounts under which those processes were started.
This type of data is very helpful when determining which users, services and applications used the network and which remote systems were involved. The data and the context it provides are also very helpful in incident response investigations. For example, you could use it to identify patterns of network usage that help spot a compromised system being used to exfiltrate information from an environment. On a busy server in a data center, Port Reporter can generate a lot of data, so much that I needed to provide an easy way to read and analyze it.
Figure: Example of a log file generated by Port Reporter
Port Reporter Parser correlates and analyzes the data contained in the log files that Port Reporter generates. Once the data is loaded into this tool, it lets you look for tell-tale signs of compromise in many different ways.
Figure on left: Port Reporter Parser spots a trick attackers have long used: giving a hacking tool the same name as a well-known system file but running it from a less restricted directory, in the hope that the system administrator won't notice. Figure on right: a binary that system administrators were specifically looking for is identified through its network usage.
Top figure: an example of the applications the system uses and how often Port Reporter logs each of them, which helps identify the most commonly used ones. Bottom figure: all services hosted by svchost.exe; hiding a malicious process among the many svchost.exe instances is another trick attackers have used.
When the right queries are run on this data, you get very interesting and useful information that helps detect threats and respond to them. This granular data, together with firewall logs, offers a very good view of what is actually happening on a network: which users are using it, when and how, which applications and services are running under each user's account, and which dynamic-link libraries (DLLs) and other modules those applications had loaded in memory at the time. From there, you can build baselines from "routine" patterns of network traffic and application behavior so that anomalies can be identified.
Today there are newer, more sophisticated and scalable tools for collecting this type of information, and of course much, much more data is available. But Port Reporter can still help organizations that are running older operating systems such as Windows XP Service Pack 3 and Windows Server 2003. Many years ago, when I developed these tools, I wrote an article about them, in case you are interested in more detail.
But are organizations really aggregating and analyzing all the data, like audit logs for example, that they have access to? Most of the customers I have talked to say they simply don’t have the time or resources to do this. But using this type of data from systems across an organization, along with data from other parts of the organization, and data from elsewhere, could be very powerful in helping to detect and respond to threats earlier and faster than ever.
Recently, all the buzz around big data, security breaches and targeted attacks has piqued many people's interest in how they can mine the vast amounts of data they have and collaborate with other organizations in order to better protect their environments. Aggregating and analyzing vast amounts of data, looking for signs of compromise so that containment and recovery start and end earlier, is what many of the people I talk to are interested in.
In my next article on tools I will introduce you to a new security tool that can be helpful for both IT Professionals and Developers.
Director, Trustworthy Computing