Scanning for compromised machines - Final Report

This is the final report for Project 103 - Scanning for compromised machines.

Contents

1. Introduction

The idea of this project was to investigate/prototype ways of detecting self-managed machines on our network which might have been compromised in some way. The self-managed machines involved will be running a mixture of Linux, Mac and Windows.

2. Deliverables

A report with summary and recommendations.

3. Summary

This investigation seemed unsatisfactory and largely inconclusive - see the report.

Of the tools investigated, the only one which produced useful results was the commercial offering 'Nessus'. In trial form, that software runs in a somewhat crippled state, but an initial conclusion was that we should probably buy a licence for it (at about £1500 p.a.), try it in earnest for a year, and review its usefulness after that period. However, it's since turned out that the University has purchased a licence for penetration-testing software apparently based on Nessus which we have the opportunity to use. So the suggestion is now to do that instead.

Based on what other people appear to do, it seems like it we ought to investigate the use of sFlow in order to both monitor and visualize our network traffic flows at the IP level. Doing so might allow us to detect compromised machines by their behaviour; having better visualization of traffic on our network should be useful, in any case. Project 98 is immediately relevant.

The work done was spread over 2012T3 and 2013T1. A long break between periods of work on this project was counter-productive: things had to relearned, and redone.

4. Effort

-- IanDurkacz - 30 Apr 2013