Date posted: 02-Jan-2016 | Category: Documents | Uploaded by: nathan-kelly
UTSA IS 3532 IR-ID
The “root” of the problem
• Most security problems can be grouped into one of the following categories:
– Network and host misconfigurations
  • Lack of qualified people in the field
– Operating system and application flaws
  • Deficiencies in vendor quality assurance efforts
  • Lack of qualified people in the field
  • Lack of understanding of/concern for security
Anatomy of a Hack
The stages, in the order an intruder typically works through them:
1. Footprinting
2. Scanning
3. Enumeration
4. Gaining Access
5. Escalating Privilege
6. Pilfering
7. Covering Tracks
8. Creating Backdoors
9. Denial of Service (the branch taken when access cannot be gained)
Source: Hacking Exposed, McClure, Scambray, and Kurtz
[Figure: “The Hacker's Realm” surrounding the “Ring of Detection”. The labels around the ring are the evasion techniques an intruder uses to slip past detection: spoofed source IP, X-protocol, ICMP, high-traffic ports (HTTP, SMTP, POP), encryption, internal source IP, traffic masking, on-the-fly changes.]
Typical Net-based Attacks
– Web
– Sniffing
– Spoofing, hijacking, replay
– Denial of Service
[Figure: attack/intrusion taxonomy. An Event is an Action applied to a Target; an Attack is a Tool used against a Vulnerability to cause an Event with an Unauthorized Result; an Intrusion is one or more Attacks carried out for the Intruder's Objectives.]
Tool: Physical Force, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
Vulnerability: Design, Implementation, Configuration
Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
Target: Account, Process, Data, Component, Computer, Network, Internetwork
Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
Intrusion 1 (worked instance from the figure): Vulnerability = Design (buffer overflow) → Action = Bypass → Target = Account → Unauthorized Result = Increased Access.
Poor security practice illustrated: SSH to a public web server.
Counterhack
• DOS commands
– NET
– NBTSTAT
– NETSTAT
– WINIPCFG
– WINREP
– Dr. Watson
• Windows commands
– START | PROGRAMS | ACCESSORIES | SYSTEM TOOLS | System Information
• Dr. Watson is the engine behind the scenes
Generic Intrusion Detection Model
[Figure: the model's components and the data flows between them.]
• Event Generator: produces audit records from audit trails, network packets and application logs
• Activity Profile: the per-subject state that each new event is compared against
• Rule Set / Detection Engine: evaluates events against the rules and the profile
• Feedback arcs: create anomaly records; update profile state; design new profiles; define new and modify existing rules
• Clock: drives time-based profile windows and rule evaluation
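The model is easier to see in code than in the block diagram. The following is an added example, not code from the slides: an event generator feeds constructed audit records to a detection engine that keeps a per-subject activity profile and a two-rule rule set, emits anomaly records, and updates profile state on a clock-driven window. The subjects, window length and thresholds are all made up for the illustration.

```python
"""Toy instance of the generic intrusion-detection model (added example).
Event generator -> audit records -> detection engine, which holds a per-subject
activity profile and a rule set, emits anomaly records, and updates profile
state on a clock-driven window. Records and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class AuditRecord:
    ts: int        # clock value in seconds (the model's CLOCK input)
    subject: str   # user or source host
    action: str    # e.g. "login_fail", "read"
    obj: str       # object acted on


@dataclass
class Anomaly:
    ts: int
    subject: str
    rule: str
    detail: str


@dataclass
class Profile:
    """Activity profile for one subject: counts per action in the current
    window plus the counts seen in earlier windows (its normal behaviour)."""
    counts: dict = field(default_factory=lambda: defaultdict(int))
    history: dict = field(default_factory=lambda: defaultdict(list))


class DetectionEngine:
    def __init__(self, window=60, burst_fail=5, sigma=3.0):
        self.window = window          # seconds per profile window
        self.burst_fail = burst_fail  # rule 1: this many failed logins in a window
        self.sigma = sigma            # rule 2: count beyond mean + sigma*stddev of history
        self.profiles = defaultdict(Profile)
        self.anomalies = []           # the model's anomaly records
        self.window_start = None
        self._fired = set()           # (subject, action, window) already reported

    def _rotate(self, ts):
        """Clock tick: close finished windows, pushing current counts into
        each profile's history ('update profile state')."""
        if self.window_start is None:
            self.window_start = ts
        while ts - self.window_start >= self.window:
            for prof in self.profiles.values():
                for action, n in prof.counts.items():
                    prof.history[action].append(n)
                prof.counts = defaultdict(int)
            self.window_start += self.window

    def consume(self, rec):
        """Apply the rule set to one audit record and update the profile."""
        self._rotate(rec.ts)
        prof = self.profiles[rec.subject]
        prof.counts[rec.action] += 1
        n = prof.counts[rec.action]
        key = (rec.subject, rec.action, self.window_start)
        # Rule 1: fixed-threshold signature
        if rec.action == "login_fail" and n == self.burst_fail:
            self.anomalies.append(Anomaly(rec.ts, rec.subject, "burst_fail",
                                          f"{n} failed logins within {self.window}s"))
        # Rule 2: statistical deviation from this subject's own history
        hist = prof.history[rec.action]
        if len(hist) >= 3 and key not in self._fired:
            mu, sd = mean(hist), pstdev(hist)
            limit = mu + self.sigma * max(sd, 1.0)  # floor on sd so a flat history still has a band
            if n > limit:
                self._fired.add(key)
                self.anomalies.append(Anomaly(rec.ts, rec.subject, "stat_outlier",
                                              f"{n} x {rec.action} vs. usual {mu:.1f}"))


def demo_records():
    """Constructed audit trail: alice reads two files a minute for three
    minutes, then twenty in the fourth; mallory fails six logins in a minute."""
    recs = []
    for w in range(3):
        for i in range(2):
            recs.append(AuditRecord(w * 60 + i * 10, "alice", "read", "/home/alice/notes"))
    for i in range(20):
        recs.append(AuditRecord(180 + i, "alice", "read", f"/etc/file{i}"))
    for i in range(6):
        recs.append(AuditRecord(5 + i * 5, "mallory", "login_fail", "sshd"))
    return sorted(recs, key=lambda r: r.ts)


def run_demo():
    engine = DetectionEngine(window=60, burst_fail=5, sigma=3.0)
    for rec in demo_records():
        engine.consume(rec)
    return engine.anomalies


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a.ts:4d} {a.subject:8} {a.rule:13} {a.detail}")
```

Rule 1 is the signature side of the engine (it needs no profile at all); rule 2 only becomes meaningful once the profile has a few windows of history, which is why mallory's burst is caught immediately while alice's read burst is caught against her own baseline. Designing new profiles and editing rules is the human feedback loop drawn on the figure and is left to the operator here.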
Intrusion Detection System, Network Based: “A Layer in the Defense”
[Figure: Adversary on the INTERNET → External ROUTER → DMZ Server(s) → FIREWALL → INTERNAL NETWORK, with a network-based Intrusion Detection System placed alongside the other network defense tools.]
Five Functional Areas of HIDS
• Log/Event Monitoring
• File Integrity Checking
• Network Traffic Monitoring
• System Monitoring
• Policy Compliance
Ref: Rasmussen, ISSA, Mar 02
So What Happens When Computer Security Fails?
• Incident Response, a six-step process:
– Preparation: proactive computer security
– Identification
– Containment
– Eradication
– Recovery
– Hot Wash (the after-action review)
Goals of Incident Response
• Confirm or dispel the incident
• Promote accurate information accumulation
• Establish controls for evidence
• Protect privacy rights
• Minimize disruption to operations
• Allow for legal/civil action against the perpetrators
• Provide accurate reports and recommendations
Incident Response Process
• Incident Preparation: define roles; establish policies; identify tools; network preparation.
• Incident Detection: sources include firewall logs, IDS logs, a suspicious user, a system administrator.
• Activate IR Team: complete the IR checklist (who/what/where/when; incident description; hardware/software; personnel involved; network).
• Initial Response: using the completed IR checklist, verify the incident, identify the affected systems and the users involved, and assess the business impact. Is it really an incident?
• Response Strategy: weigh system criticality, information sensitivity, perpetrators, publicity, skill of the attacker, system downtime and dollar loss. Obtain management approval, considering dollar loss, downtime, legal liability, publicity and intellectual property.
• Forensic Duplication; Accumulate Evidence & Secure System: best evidence rule; chain of custody; data volatility (capture the most volatile data first).
• Investigate: who, what, when, where, how; people and things.
• Implement Security Measures: isolate and contain; disconnect; electronically isolate; network filtering.
• Network Monitoring: monitor throughout the incident; track the hacker; prevent incident recurrence. Monitor on the subnet and at the boundary.
• Recovery: new procedures; reinstall files; reinstall from CD-ROM; secure the system: turn off unneeded services, apply patches, strong passwords, strong administration.
• Documentation: document everything as it occurs; support both criminal and civil prosecution; produce the final report; process improvement.
Establish Incident Response Team
• Technical experts
• Management POC
• Team leader/principal investigator
• Decide on mission/goal
“Critical thinking team players who enjoy hard work and long hours”
Response Toolkits
• High-end processor with lots of memory
• Large IDE and SCSI drives
• Backup storage: CD-RW and tape drives
• Spare cables
• Router/hub and network interface card
• Digital camera
• Trusted software
ref: www.computer-forensics.com
Investigative Guidelines
• Initial assessment
• Incident notification checklist
• Investigating
• Formulating the response strategy
The initial assessment is not always accurate.
Investigating the Incident
• Prime directive: DO NO HARM
• Personnel interviews
• Hands-on activities
• Many suspected incidents turn into non-events
• Will the investigation do more damage than the incident itself?
Forensics Terminology
• Evidence Media: the original media that needs to be investigated
• Target Media: the media that the evidence media is duplicated onto
• Restored Image: a copy of the forensic image restored to bootable form
• Native Operating System: the OS used when the evidence media or forensic duplicate is booted for analysis
• Live Analysis: an analysis conducted on the original evidence media
• Off-line Analysis: an analysis conducted on the forensic image
• Trace Evidence: fragments of information recovered from free space, etc.
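The “Forensic Duplication / Accumulate Evidence & Secure System” step of the process and the evidence-media, target-media and off-line-analysis terms above come together in acquisition. The following is an added example, not from the slides: a bit-for-bit duplicate is taken, the original is hashed before and after so any change to the evidence media is detected, the target is hashed independently, every step lands in a chain-of-custody log, and a later verification catches a working copy that has been altered. The “disk” is a constructed byte string; the examiner names and item identifiers are invented.

```python
"""Forensic duplication with hash verification and a chain-of-custody log
(added example). The 'evidence media' is a constructed byte string standing in
for a disk; in practice src would be the device opened read-only behind a
write blocker, and dst the target media."""
import hashlib
import io
import time
from dataclasses import dataclass, field


@dataclass
class CustodyEntry:
    when: str
    who: str
    action: str
    sha256: str


@dataclass
class Evidence:
    item_id: str
    description: str
    custody: list = field(default_factory=list)

    def record(self, who, action, sha256):
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        entry = CustodyEntry(stamp, who, action, sha256)
        self.custody.append(entry)
        return entry


def sha256_of(fobj, chunk=1 << 20):
    """Hash a file-like object from the start, chunked so large images fit in memory."""
    fobj.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def duplicate(src, dst, chunk=1 << 20):
    """Bit-for-bit copy src -> dst. Returns the hash of what was read and the
    hash of what landed on dst, computed independently so a bad target disk
    or a short write shows up as a mismatch."""
    src.seek(0)
    dst.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        h.update(block)
        dst.write(block)
    dst.flush()
    return h.hexdigest(), sha256_of(dst)


def acquire(evidence, src, dst, examiner):
    """Acquisition: hash original, duplicate, re-hash original, log each step."""
    before = sha256_of(src)
    evidence.record(examiner, "hashed original evidence media", before)
    read_hash, dst_hash = duplicate(src, dst)
    after = sha256_of(src)
    if not (before == read_hash == after):
        evidence.record(examiner, "ACQUISITION FAILED: evidence media changed", after)
        raise RuntimeError("evidence media changed during acquisition")
    if dst_hash != read_hash:
        evidence.record(examiner, "ACQUISITION FAILED: target mismatch", dst_hash)
        raise RuntimeError("target media does not match evidence media")
    evidence.record(examiner, "verified duplicate on target media", dst_hash)
    return dst_hash


def verify(evidence, media, who):
    """Before any off-line analysis, re-hash the working copy and compare with
    the last logged hash; a mismatch is a break in the chain of custody."""
    current = sha256_of(media)
    ok = current == evidence.custody[-1].sha256
    evidence.record(who, "verified working copy" if ok else "HASH MISMATCH on working copy", current)
    return ok


def run_demo():
    """Constructed scenario: acquire, verify a clean copy, then detect a tampered one."""
    data = b"\x55\xaaEVIDENCE-MEDIA-" * 4096   # constructed stand-in for a disk image
    ev = Evidence("E-001", "laptop HDD, ws-lab-07")
    src, dst = io.BytesIO(data), io.BytesIO()
    image_hash = acquire(ev, src, dst, "examiner A")
    clean = verify(ev, io.BytesIO(dst.getvalue()), "examiner B")
    tampered = bytearray(dst.getvalue())
    tampered[100] ^= 0x01                      # one flipped bit
    bad = verify(ev, io.BytesIO(bytes(tampered)), "examiner B")
    return image_hash, clean, bad, ev


if __name__ == "__main__":
    image_hash, clean, bad, ev = run_demo()
    for e in ev.custody:
        print(e.when, e.who, e.action, e.sha256[:16])
```

Hashing the original twice is what makes the best-evidence argument: the examiner can show the source was not altered by the acquisition itself. The log deliberately records failures as well as successes, since a gap in the record is exactly what opposing counsel looks for.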
Common Forensics Mistakes
• Failure to maintain thorough, complete documentation
• Failure to control access to digital information
• Underestimating the scope of the incident
• Failure to report the incident in a timely manner
• Failure to provide accurate information
• No incident response plan
Plan, control, document, report.
Network Forensics Data
• Network data can come from routers, firewalls, servers, IDS, DHCP servers, etc.
• These logs may have different formats, be difficult to find, be difficult to correlate, and have a broken chain of custody
• Chain of custody
– Strictly controlled network monitoring can maintain a proper chain of custody
– Electronic evidence requires tighter control than most other types of evidence because it can be easily altered
– A broken chain goes to weight, not admissibility
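The “different formats, difficult to correlate” point is worth making concrete. The following is an added example, not from the slides: three constructed log lines in iptables, Snort fast-alert and ISC dhcpd style are parsed into one event schema, grouped by source IP, tied to a MAC address and hostname through the DHCP lease table, and flagged as corroborated when more than one device reported the same source inside a short window. The year is an assumption because neither syslog nor the alert format carries one; the addresses, rule ID and hostnames are invented.

```python
"""Normalising and correlating logs from different devices (added example).
Three constructed log formats are parsed into one event schema, events are
grouped per source IP, the DHCP lease table turns the IP into a MAC and
hostname, and an activity is 'corroborated' when more than one device
reported it inside a short window."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

YEAR = 2024   # assumption: neither syslog nor the alert format carries a year

FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<verdict>\w+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)")
IDS_RE = re.compile(r"^(?P<ts>\d\d/\d\d-[\d:]+)\.\d+ +\[\*\*\] \[[\d:]+\] (?P<msg>.*?) \[\*\*\].*?\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
DHCP_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) \((?P<host>[^)]+)\)")

# Constructed sample lines in iptables, Snort fast-alert and ISC dhcpd style.
SAMPLE_LOGS = """\
Mar 10 02:13:50 dhcp dhcpd: DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:01 (ws-lab-07) via eth1
Mar 10 02:14:07 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=23
03/10-02:14:09.123456  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Priority: 2] {TCP} 10.0.0.23:51235 -> 192.0.2.10:22
Mar 10 02:14:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22
Mar 10 02:20:00 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
"""


@dataclass
class Event:
    ts: datetime
    source: str    # which device reported it
    src: str
    dst: str
    dport: int
    detail: str


def _syslog_ts(s):
    return datetime.strptime(f"{YEAR} {' '.join(s.split())}", "%Y %b %d %H:%M:%S")


def _snort_ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %m/%d-%H:%M:%S")


def parse(text):
    """Return (events sorted by time, DHCP leases as (start, ip, mac, host))."""
    events, leases = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := DHCP_RE.match(line):
            leases.append((_syslog_ts(m["ts"]), m["ip"], m["mac"], m["host"]))
        elif m := FW_RE.match(line):
            events.append(Event(_syslog_ts(m["ts"]), "firewall", m["src"], m["dst"], int(m["dport"]), m["verdict"]))
        elif m := IDS_RE.match(line):
            events.append(Event(_snort_ts(m["ts"]), "ids", m["src"], m["dst"], int(m["dport"]), m["msg"]))
        else:
            raise ValueError(f"unrecognised log line: {line!r}")
    return sorted(events, key=lambda e: e.ts), leases


def lease_for(leases, ip, when):
    """Most recent DHCPACK for ip at or before 'when' (lease expiry ignored here)."""
    best = None
    for start, lip, mac, host in leases:
        if lip == ip and start <= when and (best is None or start > best[0]):
            best = (start, mac, host)
    return None if best is None else {"mac": best[1], "host": best[2]}


def correlate(text, window=60):
    """Group events by source IP, attach the DHCP identity, and flag activity
    that two or more devices reported within 'window' seconds of each other."""
    events, leases = parse(text)
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    report = {}
    for src, evs in by_src.items():
        sources = sorted({e.source for e in evs})
        span = (evs[-1].ts - evs[0].ts).total_seconds()
        report[src] = {
            "actor": lease_for(leases, src, evs[0].ts),
            "sources": sources,
            "corroborated": len(sources) > 1 and span <= window,
            "timeline": [f"{e.ts:%H:%M:%S} {e.source:8} -> {e.dst}:{e.dport} {e.detail}" for e in evs],
        }
    return report


if __name__ == "__main__":
    for src, info in correlate(SAMPLE_LOGS).items():
        print(src, info["actor"], "corroborated" if info["corroborated"] else "single source")
        for line in info["timeline"]:
            print("   ", line)
```

The parser refuses lines it does not recognise rather than skipping them, because a silently dropped line is the kind of gap that later undermines the evidential value of the timeline. Clock skew between devices is the usual reason correlation fails in practice; the window parameter is where that tolerance is set.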
Network Forensics Definitions
• Sniffer: hardware or software that passively intercepts packets as they traverse the network. Other names include protocol analyzer and network monitor.
– Silent sniffers do not respond to any received packets.
– Illegal sniffers violate 18 USC 2511, the federal wiretap statute.
• Promiscuous mode: a sniffer operates in a mode that intercepts all packets flowing across the network segment it is attached to.
– A NIC in normal mode only passes up frames addressed to its own hardware (MAC) address, plus broadcast (and subscribed multicast) frames; the card does not filter on the IP address.
• Transactional (noncontent) information consists only of header information, for example IP, TCP or UDP headers.
– This is the same data a law-enforcement trap and trace or pen register collects.
• Content information consists of not only the headers but also part or all of the encapsulated data.
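The normal-versus-promiscuous and transactional-versus-content distinctions above are easiest to see against real bytes. The following is an added example, not from the slides: a constructed IPv4/TCP frame is built inline, nic_accepts() shows which frames a card passes up in each mode, transactional() returns only the fields a pen register or trap and trace would record, and content() returns those fields plus the payload. Checksums are left zero because they play no part in the distinction; the addresses and MACs are invented.

```python
"""Transactional (header-only) versus content capture (added example). A
constructed IPv4/TCP frame is built inline; nic_accepts() shows what a NIC
passes up in normal versus promiscuous mode, transactional() returns only
what a pen register / trap and trace would record, and content() also returns
the encapsulated data. No checksums are computed."""
import socket
import struct

TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10)]
BROADCAST_MAC = b"\xff" * 6


def build_packet(src, dst, sport, dport, payload, flags=0x18):
    """Minimal IPv4 + TCP packet (20-byte headers, zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def build_frame(dst_mac, src_mac, packet):
    """Ethernet II frame carrying an IPv4 packet (EtherType 0x0800)."""
    return dst_mac + src_mac + b"\x08\x00" + packet


def nic_accepts(frame, own_mac, promiscuous=False):
    """Normal mode: only frames to our MAC or the broadcast address reach the
    host. Promiscuous mode: every frame on the segment does."""
    dst = frame[:6]
    return promiscuous or dst == own_mac or dst == BROADCAST_MAC


def parse(packet):
    """Split an IPv4/TCP packet into header fields and payload."""
    (ver_ihl, _tos, total, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled in this example")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_res, flags, _win, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", packet[ihl:ihl + 20])
    doff = (off_res >> 4) * 4
    headers = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "proto": "TCP", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if flags & bit], "length": total,
    }
    return headers, packet[ihl + doff:total]


def transactional(packet):
    """Noncontent record: addresses, ports, flags, sizes; no payload bytes."""
    headers, _payload = parse(packet)
    return headers


def content(packet):
    """Full-content record: the same headers plus the encapsulated data."""
    headers, payload = parse(packet)
    return dict(headers, payload=payload)


def run_demo():
    """Constructed SMTP segment from a DMZ host, as seen by two kinds of monitor."""
    pkt = build_packet("198.51.100.7", "192.0.2.10", 40000, 25,
                       b"MAIL FROM:<alice@example.test>\r\n")
    frame = build_frame(bytes.fromhex("aabbccddee10"), bytes.fromhex("aabbccddee07"), pkt)
    other_host = bytes.fromhex("aabbccddee99")   # a third machine on the same segment
    return {
        "normal_nic_other_host": nic_accepts(frame, other_host),
        "promiscuous_other_host": nic_accepts(frame, other_host, promiscuous=True),
        "transactional": transactional(frame[14:]),
        "content": content(frame[14:]),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The two record types differ only in whether the bytes after the TCP header are retained, which is why a monitoring policy that is meant to stay on the pen-register side of the line has to be enforced at capture time rather than by trimming a full-content store afterwards.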
After Action Meeting and Report
• Conduct an after action meeting
• Prepare an after action report to document the incident, the response to the incident and the recovery from the incident
• Lessons learned? Typical findings:
– Policy too general
– Responsibilities not sufficiently defined
– Inadequate monitoring tools
– Systems not backed up
– Hard disk needs smaller partitions
– Set smaller limits on disk usage
– System not scanned with tools such as SATAN and ISS
Footprinting
Objective
• Target address range
• Acquire namespace
• Information gathering
• Surgical attack
• Don’t miss details
Technique
• Open source search
• whois
• Web interface to whois
• ARIN whois
• DNS zone transfer
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Scanning
Objective
• Bulk target assessment
• Determine listening services
• Focus the attack vector
Technique
• Ping sweep
• TCP/UDP scan
• OS detection
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Enumeration
Objective
• Intrusive probing commences
• Identify valid accounts
• Identify poorly protected shares
Technique
• List user accounts
• List file shares
• Identify applications
Source: Hacking Exposed, McClure, Scambray, and Kurtz
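The Scanning step (“determine listening services”) and the Enumeration step (“identify applications”) are adjacent in practice: a TCP connect scan finds the open port, a banner grab asks the service what it is. The following is an added example, not the Hacking Exposed authors' code. So that it runs offline it starts its own listener on 127.0.0.1 that greets with a constructed SSH-style banner, then scans the handful of ports around it; the port number is whatever the operating system hands out.

```python
"""TCP connect() scan plus banner grab (added example; not the Hacking Exposed
authors' code). Scanning: which ports complete a three-way handshake.
Enumeration: what the service on an open port says about itself. To run
offline the block starts its own listener on 127.0.0.1 that greets with a
constructed SSH-style banner."""
import socket
import threading

DEMO_BANNER = b"SSH-2.0-OpenSSH_demo\r\n"   # constructed banner for the local listener


def start_listener(host="127.0.0.1", banner=DEMO_BANNER):
    """Listen on an ephemeral port; on each connection send the banner and hang up.
    Returns (server_socket, port); close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            try:
                conn.sendall(banner)
            except OSError:          # scanner hung up first; that is fine
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def _probe(host, port, timeout):
    """0 for a completed handshake, an errno for ECONNREFUSED (RST), or -1 when
    nothing came back at all, which is what a silently dropping firewall looks like."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port))
    except OSError:
        return -1


def connect_scan(host, ports, timeout=1.0):
    """Scanning: return the ports on which connect() succeeds."""
    return [p for p in ports if _probe(host, p, timeout) == 0]


def banner_grab(host, port, timeout=2.0, nbytes=256):
    """Enumeration: read whatever the service volunteers on connect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(nbytes).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def run_demo():
    """Scan a small window of ports around the demo listener and grab its banner."""
    srv, port = start_listener()
    try:
        lo, hi = max(1, port - 3), min(65535, port + 3)
        found = connect_scan("127.0.0.1", range(lo, hi + 1))
        banners = {p: banner_grab("127.0.0.1", p) for p in found}
        return port, found, banners
    finally:
        srv.close()


if __name__ == "__main__":
    port, found, banners = run_demo()
    print("listener on", port, "open:", found)
    for p, b in banners.items():
        print(p, repr(b))
```

A connect scan completes the handshake, so it lands in the target's logs and is exactly what the network-based IDS earlier in the deck is placed to see; the banner is self-reported and can be changed by the administrator, so it is a lead for enumeration, not proof of what is running.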
Gaining Access
Objective
• Informed attempt to access the target
• Typically user-level access
Technique
• Password sniffing
• File share brute forcing
• Password file grab
• Buffer overflows
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Escalating Privilege
Objective
• Gain root-level access
Technique
• Password cracking
• Known exploits
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Pilfering
Objective
• Information gathering to access trusted systems
Technique
• Evaluate trusts
• Search for cleartext passwords
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Cover Tracks
Objective
• Ensure the highest access is retained
• Hide access from the system administrator or owner
Technique
• Clear logs
• Hide tools
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Creating Back Doors
Objective
• Deploy trap doors
• Ensure easy return access
Technique
• Create rogue user accounts
• Schedule batch jobs
• Infect startup files
• Plant remote control services
• Install monitors
• Trojanize
Source: Hacking Exposed, McClure, Scambray, and Kurtz