ID-IR Review. UTSA IS 3532 IR-ID Overview Incident Response Takeaways Test 2 Final Paper.

Date post: 02-Jan-2016

ID-IR Review

UTSA IS 3532 IR-ID

Overview

• Incident Response Takeaways

• Test 2

• Final Paper

The “root” of the problem

• Most security problems can be grouped into one of the following categories:
  – Network and host misconfigurations
    • Lack of qualified people in the field
  – Operating system and application flaws
    • Deficiencies in vendor quality assurance efforts
    • Lack of qualified people in the field
    • Lack of understanding of/concern for security

Anatomy of a Hack (the phases, in order)

• Footprinting
• Scanning
• Enumeration
• Gaining Access
• Escalating Privilege
• Pilfering
• Covering Tracks
• Creating Backdoors
• Denial of Service

Source: Hacking Exposed, McClure, Scambray, and Kurtz

The Hacker's Realm: Ring of Detection (flattened diagram)

Diagram labels around the ring of detection:
• Spoofed Source IP
• X-Protocol
• ICMP
• High Traffic Ports
• Encryption
• Internal Source IP
• Traffic Masking
• On the Fly Changes
• HTTP, SMTP, POP

Typical Net-based Attacks

– Web
– Sniffing
– Spoofing, hijacking, replay
– Denial of Service

Attack taxonomy (flattened diagram; the items below are the diagram's boxes, grouped by column)

Attack
  Tool: Physical Force; Information Exchange; User Command; Script or Program; Autonomous Agent; Toolkit; Distributed Tool; Data Tap
  Vulnerability: Design; Implementation; Configuration
  Event
    Action: Probe; Scan; Flood; Authenticate; Bypass; Spoof; Read; Copy; Steal; Modify; Delete
    Target: Account; Process; Data; Component; Computer; Network; Internetwork
  Unauthorized Result: Increased Access; Disclosure of Information; Corruption of Information; Denial of Service; Theft of Resources
Intrusion
  Intruder's Objectives

Intrusion 1 (one path through the diagram): Vulnerability: Design (Buffer Overflow) → Action: Bypass → Target: Account → Unauthorized Result: Increased Access

Poor Security Practice: SSH to public web server

Counterhack

• DOS Commands
  – NET
  – NBTSTAT
  – NETSTAT
  – WINIPCFG
  – WINREP
  – Dr. Watson

• Windows Commands
  – START | PROGRAM | ACCESSORIES | SYSTEM TOOLS | System Information
  – Dr. Watson is the behind-the-scenes engine

Generic Intrusion Detection Model (flattened diagram)

Components:
• Event Generator (inputs: audit trails, network packets, application logs)
• Activity Profile
• Rule Set / Detection Engine
• CLOCK

Data flows between the components:
• Create Anomaly Records
• Update Profile State
• Design New Profiles
• Define new & modify existing rules
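The model above is easier to follow with the components written out as code. The block below is an added example, not code from the slides: the event generator is a constructed audit trail, the activity profile is a per-(subject, action) history of counts, and the rule set flags an observation that sits more than three standard deviations from the profile mean (the threshold, the minimum-sample rule and the sample data are all assumptions for the demonstration). Each observation is then fed back into the profile, which is the "Update Profile State" arrow in the diagram.

```python
import statistics
from dataclasses import dataclass, field

# Event generator output: constructed audit-trail records, not data from the slides.
# Each record is (clock tick, subject, action, number of occurrences in that tick).
AUDIT_TRAIL = [
    (1, "alice", "login_fail", 1),
    (2, "alice", "login_fail", 0),
    (3, "alice", "login_fail", 2),
    (4, "alice", "login_fail", 1),
    (5, "alice", "login_fail", 0),
    (6, "alice", "login_fail", 1),
    (7, "alice", "login_fail", 40),   # burst of failed logins
    (1, "bob", "file_read", 10),
    (2, "bob", "file_read", 12),
    (3, "bob", "file_read", 9),
    (4, "bob", "file_read", 11),
    (5, "bob", "file_read", 10),
    (6, "bob", "file_read", 300),     # mass read of files
]


@dataclass
class ActivityProfile:
    """Profile state for one (subject, action) pair: the history of observed counts."""
    history: list = field(default_factory=list)

    def is_anomalous(self, value, min_samples=5, threshold=3.0):
        """Rule: flag a value more than `threshold` standard deviations from the
        profile mean, once the profile holds at least `min_samples` observations."""
        if len(self.history) < min_samples:
            return False                      # profile still being learned
        mean = statistics.mean(self.history)
        stdev = statistics.pstdev(self.history)
        if stdev == 0:                        # flat history: any change stands out
            return value != mean
        return abs(value - mean) / stdev > threshold

    def update(self, value):
        """'Update Profile State' in the model: fold the observation into the profile."""
        self.history.append(value)


@dataclass
class AnomalyRecord:
    clock: int
    subject: str
    action: str
    observed: int
    expected: float


def detection_engine(events, min_samples=5, threshold=3.0):
    """Rule set / detection engine: consume events in clock order, emit anomaly
    records, and feed every observation back into the activity profile."""
    profiles = {}
    anomalies = []
    for clock, subject, action, count in sorted(events, key=lambda e: e[0]):
        profile = profiles.setdefault((subject, action), ActivityProfile())
        if profile.is_anomalous(count, min_samples, threshold):
            anomalies.append(AnomalyRecord(
                clock, subject, action, count,
                round(statistics.mean(profile.history), 2)))
        profile.update(count)
    return anomalies, profiles


if __name__ == "__main__":
    found, _ = detection_engine(AUDIT_TRAIL)
    for rec in found:
        print(f"t={rec.clock} {rec.subject}/{rec.action}: "
              f"observed {rec.observed}, profile mean {rec.expected}")
```

Two design points worth noticing: nothing is reported until a profile has enough samples, so the first ticks of a new subject are a learning period during which an intruder who is already present gets baked into "normal"; and because anomalous observations are also folded into the profile, a sustained attack gradually raises the mean. Real systems age old observations out of the profile and keep anomaly records separate from the profile update for exactly this reason.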

Intrusion Detection System -- Network Based: “A Layer in the Defense” (flattened diagram)

Diagram labels: Adversary; INTERNET; External ROUTER; FIREWALL; DMZ Server(s); INTERNAL NETWORK; Intrusion Detection System; Other Network Defense Tools

Five Functional Areas of HIDS

• Log/Event Monitoring
• File Integrity Checking
• Network Traffic Monitoring
• System Monitoring
• Policy Compliance

Ref: Rasmussen, ISSA, Mar 02
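File integrity checking, the second functional area above, is the simplest of the five to build and the one most worth understanding in detail. The following is an added example (not code from the slides or from Rasmussen): it hashes every file under a directory into a baseline, then reports files that were changed, added or removed on a later pass. The directory tree, file contents and the post-intrusion changes in `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root, baseline):
    """Report files whose hash changed, files not in the baseline, and baseline
    files that are now missing."""
    current = build_baseline(root)
    return {
        "changed": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a small tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for a binary")

        # The baseline is serialized as if stored off-host; keep it on read-only or
        # remote media so an intruder cannot rewrite it along with the files.
        stored = json.dumps(build_baseline(root))

        # Simulated post-intrusion changes: a replaced binary, an extra uid-0
        # account, a deleted file, and a new unknown file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed replacement binary")
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "unknown_file").write_text("x")

        return compare_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the baseline and the tool: both must live somewhere the compromised host cannot write, and the comparison should run from trusted software (the "Trusted software" item in the response toolkit slide), because a host-resident checker can be replaced just like any other binary.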

So What Happens When Computer Security Fails?

• Incident Response -- A Six Step Process
  – Preparation: Proactive Computer Security
  – Identification
  – Containment
  – Eradication
  – Recovery
  – Hot Wash

Goals of Incident Response

• Confirm or dispel incident

• Promote accurate info accumulation

• Establish controls for evidence

• Protect privacy rights

• Minimize disruption to operations

• Allow for legal/civil recriminations

• Provide accurate reports/recommendations

Incident Response Process (flattened flow diagram)

• Incident Preparation: Define Roles. Establish Policies. Identify Tools. Network Preparation.

• Incident Detection: Firewall Logs. IDS Logs. Suspicious User. System Administrator.

• Activate IR Team: Complete IR Checklist: Who/What/Where/When. Incident Description. Hardware/Software. Personnel Involved. Network.

• Initial Response: Completed IR Checklist. Verify Incident. Affected Systems. Users Involved. Business Impact. Is it really an Incident?

Incident Response Process - Continued

• Response Strategy: System Criticality. Information Sensitivity. Perpetrators. Publicity. Skill of Attacker. System Downtime. Dollar Loss.

• Management Approval: Dollar Loss. Downtime. Legal Liability. Publicity. Intellectual Property.

• Forensic Duplication

• Accumulate Evidence & Secure System: Best Evidence Rule. Chain of custody. Data Volatility.

Incident Response Process - Continued

• Investigate: Who, What, When, Where, How. People and Things.

• Implement Security Measures: Isolate and Contain. Disconnect. Electronically isolate. Network Filtering.

• Network Monitoring: Monitor throughout the incident. Track the hacker. No incident recurrence. Monitor on subnet. Monitor at boundary.

Incident Response Process - Continued

• Recovery: New Procedures. Reinstall files. Reinstall from CD-ROM. Secure System. Turn off unneeded services. Apply patches. Strong Passwords. Strong Administration.

• Documentation: Document everything as it occurs. Support both criminal and civil prosecution. Produce the final report. Process improvement.

Establish Incident Response Team

• Technical experts

• Management POC

• Team leader/principal investigator

• Decide on mission/goal

“Critical thinking team players who enjoy hard work and long hours”

Response Toolkits

• High-end processor w/lots of memory
• Large IDE and SCSI drives
• Backup storage: CD-RW and Tape Drives
• Spare cables
• Router/Hub and network interface card
• Digital camera
• Trusted software

ref: www.computer-forensics.com

Investigative Guidelines

• Initial assessment

• Incident notification checklist

• Investigating

• Formulating Response Strategy

Initial assessment not always accurate

Investigating the Incident

• Prime directive: DO NO HARM

• Personnel interviews

• Hands-on activities

• Many suspected incidents turn into non-events

• Will the investigation do more damage than the incident itself?

Forensics Terminology

• Evidence Media: Original media that needs to be investigated

• Target Media: the media that the evidence media is duplicated onto

• Restored Image: Copy of the forensic image restored to bootable form

• Native Operating System: OS utilized when the evidence media or forensic duplicate is booted for analysis

• Live Analysis: An analysis conducted on the original evidence media

• Off-line Analysis: Analysis conducted on the forensic image

• Trace Evidence: Fragments of information from the free space, etc.

Common Forensics Mistakes

• Failure to maintain thorough, complete documentation

• Failure to control access to digital information

• Underestimate the scope of the incident

• Failure to report the incident in a timely manner

• Failure to provide accurate information

• No incident response plan

Plan, control, document, report

Network Forensics Data

• Network data can come from:
  – Routers, Firewalls, Servers, IDS, DHCP Servers, etc.

• These logs may have different formats, be difficult to find, difficult to correlate and have a broken chain of custody

• Chain of Custody
  – Strictly controlled network monitoring can maintain a proper chain of custody
  – Electronic evidence requires tighter control than most other types of evidence because it can be easily altered
  – A broken chain goes to weight and not admissibility
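The chain-of-custody points above, together with the "Best Evidence Rule / Chain of custody / Data Volatility" items of the Accumulate Evidence step, come down to two records: a hash of the evidence taken at acquisition, and a log of every hand-off that cannot be quietly edited afterwards. The block below is an added example, not code from the slides or from any forensic product: a custody ledger in which each entry carries the hash of the previous entry, so that altering or dropping an entry breaks the chain, and a verification routine that also re-hashes the evidence. The evidence bytes, evidence id, handler names and timestamps in `demo()` are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only log of custody events for one evidence item. Each entry stores
    the hash of the previous entry, so a removed or altered entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id, evidence_bytes, acquired_by, timestamp=None):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence_bytes)   # taken at acquisition
        self.entries = []
        self._append("acquired", acquired_by, timestamp)

    def _append(self, action, handler, timestamp=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "evidence_hash": self.evidence_hash,
            "prev_hash": prev,
        }
        # Canonical JSON (sorted keys) so the hash is reproducible on verification.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, from_handler, to_handler, timestamp=None):
        """Record a hand-off as two entries: release by one party, receipt by the other."""
        self._append(f"released by {from_handler}", from_handler, timestamp)
        return self._append("received", to_handler, timestamp)

    def verify(self, evidence_bytes=None):
        """Check ledger integrity and, if the evidence is supplied, that it is unchanged."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False, f"chain broken at entry {i}"
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False, f"entry {i} altered"
            prev = e["entry_hash"]
        if evidence_bytes is not None and sha256_hex(evidence_bytes) != self.evidence_hash:
            return False, "evidence hash mismatch"
        return True, "ok"


def demo():
    """Constructed scenario: acquire, hand off, then show both kinds of tampering."""
    evidence = b"constructed capture bytes standing in for a packet capture file"
    ledger = CustodyLedger("EV-0001", evidence, "analyst-a", "2002-03-01T09:00:00Z")
    ledger.transfer("analyst-a", "evidence-locker", "2002-03-01T17:30:00Z")
    ok_before = ledger.verify(evidence)
    evidence_check = ledger.verify(evidence + b"\x00")      # evidence altered
    ledger.entries[1]["handler"] = "someone-else"           # ledger altered
    ledger_check = ledger.verify()
    return ok_before[0], evidence_check, ledger_check


if __name__ == "__main__":
    print(demo())
```

The hash chain proves that the ledger is internally consistent, not who wrote it: a party holding the whole ledger could rewrite every entry from the altered one onward. In practice the ledger is countersigned or written to media the handlers cannot modify, and the acquisition hash is recorded independently (on the evidence tag, in the IR checklist) so the two can be compared.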

Network Forensics Definitions

• Sniffer: Hardware or software that passively intercepts packets as they traverse the network. Other names include Protocol Analyzer and Network Monitor.
  – Silent Sniffers will not respond to any received packets.
  – Illegal Sniffers violate 18 USC 2511 dealing with wiretaps.

• Promiscuous Mode: A sniffer operates in a mode that intercepts all packets flowing across the network.
  – A normal NIC only intercepts packets addressed to its IP address and the broadcast address.

• Transactional (Noncontent) information consists only of header information. For example, IP, TCP or UDP headers.
  – Same as a LE Trap and Trace or Pen Register.

• Content Information consists of not only the headers but also part or all of the encapsulated data.
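The transactional/content distinction is concrete at the byte level: a pen-register style monitor keeps the IP and TCP/UDP header fields and discards everything after them, while a full-content capture keeps the encapsulated data too. The block below is an added example, not code from the slides: it builds a constructed IPv4/TCP packet (checksums zeroed, no options) and then splits it into the header record a noncontent monitor would keep and the payload that only a content capture retains. The addresses, ports and payload are constructed sample values.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"      # IPv4 header without options (20 bytes)
TCP_HDR = "!HHIIBBHHH"         # TCP header without options (20 bytes)
UDP_HDR = "!HHHH"              # UDP header (8 bytes)
TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_ipv4_tcp_packet(src_ip, dst_ip, sport, dport, flags, payload):
    """Construct a minimal IPv4/TCP packet for the demo (checksums left at zero)."""
    total_len = 20 + 20 + len(payload)
    ip_header = struct.pack(IP_HDR, 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                            ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp_header = struct.pack(TCP_HDR, sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_header + tcp_header + payload


def parse_packet(raw):
    """Split a raw IPv4 packet into its header fields and the encapsulated data."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HDR, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                  # IP header length incl. options
    header = {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
              "proto": proto, "ttl": ttl, "len": total_len}
    if proto == 6:                               # TCP
        sport, dport, seq, ack, off_res, flags, win, _tc, _urg = \
            struct.unpack(TCP_HDR, raw[ihl:ihl + 20])
        data_offset = (off_res >> 4) * 4         # TCP header length incl. options
        header.update({"sport": sport, "dport": dport, "seq": seq,
                       "ack": ack, "flags": flags, "window": win})
        payload = raw[ihl + data_offset:total_len]
    elif proto == 17:                            # UDP
        sport, dport, _ulen, _uc = struct.unpack(UDP_HDR, raw[ihl:ihl + 8])
        header.update({"sport": sport, "dport": dport})
        payload = raw[ihl + 8:total_len]
    else:                                        # ICMP and others: no port layer
        payload = raw[ihl:total_len]
    return header, payload


def transactional_record(raw):
    """Pen-register / trap-and-trace style record: headers only, never the payload."""
    header, _payload = parse_packet(raw)
    return header


def content_record(raw):
    """Full-content record: headers plus the encapsulated data."""
    header, payload = parse_packet(raw)
    return {**header, "payload": payload}


if __name__ == "__main__":
    pkt = build_ipv4_tcp_packet("192.0.2.10", "198.51.100.7", 40000, 25,
                                TCP_PSH | TCP_ACK, b"MAIL FROM:<alice@example.com>\r\n")
    print("transactional:", transactional_record(pkt))
    print("content:      ", content_record(pkt))
```

The parser honours the IHL and data-offset fields rather than assuming 20-byte headers, because a monitor that slices payload at a fixed offset would leak option bytes into the "content" record or, worse, treat the start of the payload as header. That boundary is exactly what separates the two legal categories the slide names.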

After Action Meeting and Report

• Conduct an after action meeting

• Prepare an after action report to document the incident, the response to the incident and the recovery from the incident

• Lessons Learned?
  – Policy too general
  – Responsibilities not sufficiently defined
  – Inadequate monitoring tools
  – Systems not backed up
  – Hard disk needs smaller partitions
  – Set smaller limits on disk usage
  – System not scanned with tools: SATAN and ISS

Footprinting

Objective
• Target Address Range
• Acquire Namespace
• Information Gathering
• Surgical Attack
• Don’t Miss Details

Technique
• Open Source Search
• whois
• Web Interface to whois
• ARIN whois
• DNS Zone Transfer

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Scanning

Objective
• Bulk target assessment
• Determine Listening Services
• Focus attack vector

Technique
• Ping Sweep
• TCP/UDP Scan
• OS Detection

Source: Hacking Exposed, McClure, Scambray, and Kurtz
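From the responder's side, the scanning phase is the first one that leaves a clear trace in the "Firewall Logs / IDS Logs" named under Incident Detection: a ping sweep shows as one source sending ICMP echo requests to many hosts, and a TCP/UDP scan as one source touching many ports on one host. The block below is an added example, not code from the slides or from Hacking Exposed: it parses constructed iptables-style firewall log lines and applies those two threshold rules. The log lines, addresses (from the documentation ranges) and thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed firewall log excerpt in iptables/syslog style (hypothetical data).
FIREWALL_LOG = """\
Mar  1 09:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Mar  1 09:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.11 PROTO=ICMP TYPE=8 CODE=0
Mar  1 09:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.12 PROTO=ICMP TYPE=8 CODE=0
Mar  1 09:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.13 PROTO=ICMP TYPE=8 CODE=0
Mar  1 09:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.14 PROTO=ICMP TYPE=8 CODE=0
Mar  1 09:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.15 PROTO=ICMP TYPE=8 CODE=0
Mar  1 09:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44211 DPT=21 SYN
Mar  1 09:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44212 DPT=22 SYN
Mar  1 09:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44213 DPT=23 SYN
Mar  1 09:00:06 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44214 DPT=25 SYN
Mar  1 09:00:06 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44215 DPT=80 SYN
Mar  1 09:00:06 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44216 DPT=443 SYN
Mar  1 09:01:10 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51022 DPT=443 SYN
Mar  1 09:01:11 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51023 DPT=443 SYN
Mar  1 09:01:20 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Mar  1 09:02:00 fw sshd[412]: Accepted publickey for admin from 192.0.2.50 port 50122
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Extract KEY=VALUE fields from one log line; None if it is not a packet record."""
    fields = dict(KV_RE.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    return fields


def detect_scans(log_text, sweep_threshold=5, portscan_threshold=5):
    """Threshold rules: a ping sweep is one source sending ICMP echo requests to
    many hosts; a port scan is one source probing many ports on one host."""
    echo_targets = defaultdict(set)   # src -> hosts that received an echo request
    probed_ports = defaultdict(set)   # (src, dst) -> destination ports touched
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["PROTO"] == "ICMP" and rec.get("TYPE") == "8":
            echo_targets[rec["SRC"]].add(rec["DST"])
        elif rec["PROTO"] in ("TCP", "UDP") and "DPT" in rec:
            probed_ports[(rec["SRC"], rec["DST"])].add(int(rec["DPT"]))
    alerts = []
    for src, hosts in sorted(echo_targets.items()):
        if len(hosts) >= sweep_threshold:
            alerts.append({"rule": "ping_sweep", "src": src, "hosts": len(hosts)})
    for (src, dst), ports in sorted(probed_ports.items()):
        if len(ports) >= portscan_threshold:
            alerts.append({"rule": "port_scan", "src": src, "dst": dst,
                           "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(FIREWALL_LOG):
        print(alert)
```

Counting over the whole log, as this does, is the weak point: the evasion labels on the Ring of Detection slide (spoofed source, high-traffic ports, on-the-fly changes) all target rules like these, and a scan spread over hours from several addresses stays under any fixed count. Production detectors bucket by time window and aggregate per source network rather than per address, at the cost of more false positives from legitimate monitoring hosts.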

Enumeration

Objective
• Intrusive Probing Commences
• Identify valid accounts
• Identify poorly protected shares

Technique
• List user accounts
• List file shares
• Identify applications

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Gaining Access

Objective
• Informed attempt to access target
• Typically User level access

Technique
• Password sniffing
• File share brute forcing
• Password file grab
• Buffer overflows

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Escalating Privilege

Objective
• Gain Root level access

Technique
• Password cracking
• Known exploits

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Pilfering

Objective
• Info gathering to access trusted systems

Technique
• Evaluate trusts
• Search for cleartext passwords

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Cover Tracks

Objective
• Ensure highest access
• Hide access from system administrator or owner

Technique
• Clear logs
• Hide tools

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Creating Back Doors

Objective
• Deploy trap doors
• Ensure easy return access

Technique
• Create rogue user accounts
• Schedule batch jobs
• Infect startup files
• Plant remote control services
• Install monitors
• Trojanize

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Denial of Service

Objective
• If unable to escalate privilege then kill
• Build DDOS network

Technique
• SYN Flood
• ICMP Attacks
• Identical src/dst SYN requests
• Out of bounds TCP options
• DDOS

Source: Hacking Exposed, McClure, Scambray, and Kurtz

