Identifying Computer Attacks – Tips, Tricks and Tools
Kai Axford, CISSP, MCSE-Security
Sr. Security Strategist
Microsoft Corporation
[email protected]
http://blogs.technet.com/kaiaxford


“The server is acting weird.”

The Demo Disclaimer…

Is everyone paying attention now?
Remember, SQL Injection is the result of improper form validation… and can happen on ANY database server that supports ANSI 99 (incl. MySQL, Oracle, DB2).

No, I will not give you those tools. I don’t care what you do or who you work for….

(besides, if you really DO work for the NSA, you’ve got better tools than this anyway).

If you don’t ask, I don’t have to say no.

Agenda

The Incident and the 31337 h4XØr
Identifying the Attack and Proving it
Summary & Resources

What is an “incident”?

As defined by AUS-CERT – “An attack against a computer or network which harmed, or potentially may harm, the confidentiality, integrity or availability of network data or systems.”

May include the following general categories:

Compromise of Confidentiality

Compromise of Integrity

Denial of Resources

Intrusions

Misuse

Damage

Hoaxes

The components of an incident

Howard, John D. “A Common Language for Computer Security Incidents” 1998. http://www.cert.org/research/taxonomy_988667.pdf

But who are these “31337 H4xØrz”?

Not all are as elite as you (or they) may think….

…but first and foremost, they’re just criminals.

Script Kiddies

Real Hackers

“Hacktivists”

Terrorists

Competitors (Foreign & Domestic)

Organized Hacker groups

Foreign Intelligence

CyberWar

(Chart axes: Threat vs. Capability)

Organized Crime

“If you’re a good hacker…everybody knows. If you’re a GREAT hacker…nobody knows.”

-Anonymous

Got disk space and CPU?

Attack of the 10,000 Bots

A BotNet of 10,000 machines can:
4.5 million SYN packets /second
930,000 HTTP-GET requests /second
1.8 Gbps uplink
4.5 Gbps downlink

(..and you thought he only helped Luke)

It’s getting worse…

So what is “Incident Handling”?

Incident Handling – Actions taken to protect and restore the normal operating condition of computers and the information stored in them when an adverse event occurs.

Incentives for efficient incident handling:

Economic

Protecting Proprietary / Classified / Sensitive Information

Operational / Business Continuity

Public Relations

Legal / Regulatory Compliance

Safety

Determine what the problem is and assess its magnitude

Major sources of information
Log files and syslog output

Wrapper tools (e.g., TCP wrapper)

Firewall logs (personal and network)

Intrusion detection systems (IDS) and prevention systems (IPS)

Analyze all anomalies

Gather proof!

Did something occur? How do you know?

Understanding the dreaded IP Header

IPv4 header layout (one row per 32-bit word):
Version | Header Length | TOS | Total Length
Identification | Flags | Fragment Offset
TTL | Protocol | Header Checksum
Source IP Address
Destination IP Address
Options
Data

What should I be looking for?

Are any IP Header fields suspect?
Is the Source IP address suspect?

Is odd fragmentation occurring?

Does the size of the packet raise concerns?

Are any TCP header fields suspect?
Is the destination port a valid service?

Does the traffic follow RFC standards?

What are the timestamps of the traffic?

Mandia, Kevin and Chris Prosise. “Incident Response: Fighting Computer Crime”. 2001. Osborne/McGraw Hill.
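As an added example (not from the deck), the IP-header questions above turned into a small Python parser plus checks: the header is split into the fields on the slide, the checksum is recomputed, and contradictory flags, tiny fragments and spoofed-looking sources are flagged. The packets are constructed inline and the specific heuristics are my assumptions, not Kai’s.

```python
import struct
import ipaddress

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; caller zeroes the checksum field first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Split the fixed 20-byte IPv4 header into the fields named on the slide."""
    v_ihl, tos, tlen, ident, ff, ttl, proto, cksum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"version": v_ihl >> 4, "ihl": (v_ihl & 0x0F) * 4, "tos": tos, "total_len": tlen,
            "id": ident, "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
            "frag_off": (ff & 0x1FFF) * 8, "ttl": ttl, "proto": proto, "checksum": cksum,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst), "raw": pkt}

def header_anomalies(h: dict) -> list:
    """Return the suspect-field findings worth a closer look (heuristics assumed for this example)."""
    out = []
    if h["version"] != 4:
        out.append("version is not 4")
    if h["ihl"] < 20:
        out.append("header length below 20 bytes")
    if h["total_len"] != len(h["raw"]):
        out.append("total length disagrees with captured size")
    hdr = bytearray(h["raw"][:max(h["ihl"], 20)])
    hdr[10:12] = b"\x00\x00"                      # zero the checksum field before recomputing
    if ipv4_checksum(bytes(hdr)) != h["checksum"]:
        out.append("bad header checksum")
    if h["df"] and (h["mf"] or h["frag_off"]):
        out.append("fragment with DF set")        # fragmented yet marked 'don't fragment'
    if h["mf"] and h["total_len"] - h["ihl"] < 8:
        out.append("tiny fragment")               # too small to carry a transport header
    if h["src"].is_loopback or h["src"].is_multicast or h["src"].is_unspecified:
        out.append("spoofed-looking source %s" % h["src"])
    return out

def build_ipv4(src: str, dst: str, flags_frag: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample packet (TTL 64, protocol TCP) with a correct checksum, for testing only."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag, 64, 6, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```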

Event logs: Some Logon/Logoff Event IDs

528 – Successful Logon
529 – Logon Failure: Unknown user name or bad password
530 – Logon Failure: Account logon time restriction violation
531 – Logon Failure: Account currently disabled
532 – Logon Failure: The specified user account has expired
533 – Logon Failure: User not allowed to logon at this computer
534 – Logon Failure: User not granted requested logon type at this machine
535 – Logon Failure: The specified account’s password has expired
539 – Logon Failure: Account locked out
540 – Successful Network Logon (Win2000, XP, 2003 Only)

Event logs: Event IDs on your Domain Controller

675 – Failed logon from workstation (usually a bad password)
676/672 – Other AuthN failure
681/680 – Failed logon with a domain account
642 – Reset PW or Disabled account was re-enabled
632/636/660 – User was added to a group
624 – New user account created
644 – Account lockout after repeated logon failures
517 – User cleared the logs
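As an added example (not part of the deck), a Python triage pass over a constructed CSV export using the event IDs from the two slides above: a run of 529s followed by a success, lockouts (539/644), a cleared log (517) and account or group changes (624/632/636/660). The column names, the sample rows and the five-failure threshold are assumptions for this example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Event IDs as listed on the slides (pre-Vista security-log numbering).
DESCRIPTIONS = {528: "successful logon", 529: "bad user name or password", 539: "account locked out",
                540: "successful network logon", 517: "audit log cleared",
                624: "new user account created", 644: "account lockout after repeated failures",
                632: "user added to global group", 636: "user added to local group",
                660: "user added to universal group"}
FAILURE_THRESHOLD = 5  # assumed: this many 529s before a success is worth a look

# Constructed sample export (not a real log): time, event id, account, source workstation.
SAMPLE_EXPORT = """\
time,event_id,account,workstation
2006-03-01 02:10:01,529,svc_backup,WKS-017
2006-03-01 02:10:02,529,svc_backup,WKS-017
2006-03-01 02:10:03,529,svc_backup,WKS-017
2006-03-01 02:10:04,529,svc_backup,WKS-017
2006-03-01 02:10:05,529,svc_backup,WKS-017
2006-03-01 02:10:06,529,svc_backup,WKS-017
2006-03-01 02:10:09,528,svc_backup,WKS-017
2006-03-01 02:11:30,644,jdoe,DC01
2006-03-01 02:15:44,624,svc_backup,WKS-017
2006-03-01 02:20:00,517,svc_backup,WKS-017
2006-03-01 08:00:00,528,jsmith,WKS-003
"""

def triage(export_text: str, threshold: int = FAILURE_THRESHOLD) -> dict:
    """Walk the export once and group the events an incident handler should read first."""
    failures = defaultdict(list)  # account -> workstations behind the 529s seen so far
    findings = {"guessing": [], "lockouts": [], "log_cleared": [], "account_changes": []}
    for row in csv.DictReader(StringIO(export_text)):
        when, eid, acct, ws = row["time"], int(row["event_id"]), row["account"], row["workstation"]
        if eid == 529:
            failures[acct].append(ws)
        elif eid in (528, 540):
            # a success right after a burst of failures is the classic guessing signature
            if len(failures[acct]) >= threshold:
                findings["guessing"].append(f"{when} {acct}: logon from {ws} after {len(failures[acct])} failures")
            failures[acct].clear()   # a success resets the failure run for that account
        elif eid in (539, 644):
            findings["lockouts"].append(f"{when} {acct}: {DESCRIPTIONS[eid]}")
        elif eid == 517:
            findings["log_cleared"].append(f"{when} {acct} cleared the security log from {ws}")
        elif eid in (624, 632, 636, 660):
            findings["account_changes"].append(f"{when} {acct}: {DESCRIPTIONS[eid]}")
    return findings
```

The same walk applies to a real export once the column names match; the point is the correlation (failures, then success, then a cleared log from the same workstation), not any single event.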

“Are you sure they did it?” – Electronic Discovery

Kai’s Tools and Tips…(see a common trend?)

Process Explorer – Free tool that provides detailed process info. Task manager on steroids

AutoRuns – Free util that checks all the startup folders and reg keys

Wireshark (formerly Ethereal) – Free OSS network sniffer. Very pretty.

md5sum – Free file integrity verifier. Get a hash from a “known good” file.

EventCombMT – Free event ID parser. Part of the

…there are TONS more free tools!

Upon Identification:
Obtain full backup and copy any hacked files or bogus code for analysis
If it’s likely you’ve been “Øwn3d”:
Turn on or increase auditing
Set system clock correctly
Document! Document! Document!
Initiate notification process
The IR Team
Your InfoSec contact
Your PR people
Your Legal team
Law Enforcement!!!!

Got proof….now what?

Digital Forensics

First and foremost: Kai is not a lawyer. Always consult your local law enforcement agency and legal department first!

Digital forensics is SERIOUS BUSINESS
You can easily shoot yourself in the foot by doing it incorrectly

Get some in-depth training

…this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.)

I just want to spend a few minutes showing you some common forensic tools and how they can help.

Encase – Guidance Software, Inc.

http://www.guidancesoftware.com

Very popular in private corporations

EnScript Macro Language allows for creation of powerful scripts and filters to automate tasks

Safely preview a disk before acquisition

Picture gallery shows thumbnails of all images

Virtually boot disk image using VMWare to allow first-hand view of the system

Forensic Tool Kit – Access Data, Inc.

http://www.accessdata.com/

Full indexed searches in addition to regex searches

Preprocessing of all files, which makes for faster searching

Data is categorized by type (document, image, email, archive, etc.) for easy sorting

Ability to rule out “common files” using the Known File Filter plug-in

Detection of encrypted / compressed files

Open Source Forensics Tools
The Sleuth Kit (TSK) and Autopsy

Written by Brian Carrier (www.sleuthkit.org)

TSK is command line; Autopsy provides a GUI for TSK. Runs on *nix platforms.

Client-server architecture allows multiple examiners to use one central server

Allows basic recovery of deleted data and searching

Lots of manual control for the investigator, but light on automation

Helix – e-Fense
Customized Knoppix disk that is forensically safe

Includes improved versions of ‘dd’

Terminal windows log everything for good documentation

Includes Sleuthkit, Autopsy, chkrootkit, and others

Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools

“I have you now….” – D. Vader

Digital Forensics

Acquiring Data should always be done carefully…

Always preserve originals and ONLY work on copies!

Utilize HW write blockers to ensure MAC times are not altered

Your legal team and law enforcement will thank you!

(Diagram: suspect hard drive connected through a write blocker)

Have a forensics jumpkit!

Critical for the success of the investigation

Other stuff

Some incidents may occur on a SAN or large servers with special complications

Cannot go offline OR

They have so much storage that it cannot be successfully imaged (or have RAID, so an image will be technically infeasible)

The best option is still to perform some sort of backup, at least of the suspicious files and logs, then analyze them off-line

A tape backup will not include all the information such as slack space data, but it may be the only alternative

Additional Microsoft Resources

• NEW! Fundamental Computer Investigation Guide For Windows
http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation

• Windows Security Logging and Other Esoterica
http://blogs.msdn.com/ericfitz/

• The Security Monitoring and Attack Detection Planning Guide
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx

• Microsoft Windows Security Resource Kit v2.0. ISBN: 0735621748

My Digital Forensics Reading List

File System Forensic Analysis. Brian Carrier. ISBN: 0-321-26817-2

Digital Evidence and Computer Crime. Eoghan Casey. ISBN: 012162885X

Incident Response: Investigating Computer Crime. Kevin Mandia & Chris Prosise. ISBN: 007222696X

Hacking Exposed: Computer Forensics. Chris Davis, Aaron Phillip. ISBN: 0072256753

Questions and Answers

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.