Incident Response

Objectives: The student should be able to:
- Define 4 steps of what needs to be done in advance of an incident.
- Describe the purpose of an incident response procedure and what the procedure should include.
- Describe the information that must be collected when a penetration has occurred: if the computer is up; when the computer is down; other evidence.
- Describe important guidelines for collecting this information concerning chain of custody and authenticity.
- Find information about a penetration using the PsTools and other tools: pslist, fport, listDLLs, netstat, netcat, psLoggedOn. (Lab only)
How should a Sys Admin react?

You are a system administrator and an incident occurs. Should you:
- Go offline?
- Block the hacker at the firewall?
- Disable certain services?
- Bring down the machine/server?
- Bring down the internal network?
- Let the intruder proceed, in order to collect evidence?
Your actions can have a financial impact on the corporation.
When an Incident Occurs…?

How would these decisions differ if the business pertained to:
- Credit card / Banking?
- Network services?
- Medical prescriptions?
- WWW Search Engine?
The CEO must determine the priorities for incident response.
Incident Response Procedure

- A clear procedure defines what should happen when an intrusion is suspected.
- Define expected responses to different types of intrusions.
- Decide early, because time will be limited during an attack.
Incident Response Plan Contents

- Preincident readiness
- How to declare a disaster
- Evacuation procedures
- Identifying the persons responsible, with contact information: IRT, S/W and H/W vendors, insurance, recovery facilities, suppliers, offsite media, human relations, law enforcement (for a serious security threat)
- Step-by-step procedures
- Required resources for recovery and continued operations
[Figure: Preparation (Step 0) cycle. Activities: Establish Detection Procedures; Create Incident Response Team; Define & Publish Policies; Perform Training/Rehearsal. Outputs: Tools, Detection Procedures, Contact List, Incident Response Procedures.]
Establish Detection Procedures (Step 0)

- SNMP: Monitors availability, response times, etc. and notifies the administrator.
- IDS/IPS: Monitors for attacks and notifies the administrator.
- Logs from all devices must be time-synchronized (e.g. via NTP), monitored and audited; without a common clock, events cannot be ordered across devices.
- After a break-in, administrators wish they had had stronger logging.
Create Incident Response Team (Step 0)

An incident response team helps decide the incident response procedures and makes decisions during an incident response. It shall include:
- Security Team: Detect and control the attack.
- Upper management: Responsible for making decisions on major break-ins.
- Human Resources: Deal with an attack from employees.
- Technical Staff (MIS): Bring systems back in order.
- Outside Members: Contact law enforcement, affected customers, ISP.
Define and Publish Policies (Step 0)

- Policies are defined and publicized as to what is and is not allowed.
- System banners indicate who/what is allowed on the system and give notice that use is monitored.
Perform Training/Rehearsal (Step 0)

- Each person should be trained in what they need to do.
- Carry out a drill. Attacks succeed because companies are unprepared.
[Figure: Incident lifecycle. Detect Incident -> Respond to Incident -> Recovery & Resume -> Review & Implement, drawing on the Step 0 outputs: Tools, Detection Procedures, Contact List, Incident Response Procedures.]
Step 1: Incident Response and Containment

- What types of attacks warrant which reactions?
- How do we gather information on the attack? (Next section)
- To whom should attacks be reported? Do you inform the police or the FBI? Can the ISP help with log information and attack filtering? Should vendors/customers be notified? Shall the intrusion be hidden from the press?
- The FBI has a webpage for reporting crime at: www.usdoj.gov/criminal/cybercrime/reporting.html
Step 2: Recovery and Resumption

- Rebuild the affected system (the old system can be hiding a rootkit).
- Lock down the system:
  - Apply patches
  - Minimize software availability
  - Set a secure configuration
  - Change passwords on all systems
  - Test
Step 3: Review & Implement

- Could we have detected the intrusion faster?
- What losses did we sustain overall?
- What did the hacker attempt to do and accomplish?
- Why did the vulnerability occur?
- Have we eliminated the vulnerability on this and other machines?
- Could we have reacted in a quicker or more effective way?
- How can we improve our legal case against the next intruder?
- What changes should we make to our policies and procedures?
Example: You receive an email indicating your network was part of an attack

- May be a valid accusation
- May be a mistake
- May be a ruse
So you investigate:
- Your site may have been hacked.
- An internal employee may be hacking outside.
If you reply to the email indicating a break-in, you may:
- Provide your email address and confirm an IP address
- Indicate your readiness level: “We don’t have logs on that particular intrusion”
- Fall for ‘social engineering spam’ (e.g., a company selling IDS products)
A break-in has occurred…

- Get all information without changing any possible evidence.
- Consider the totality of the circumstances via investigation.
- React according to the type of break-in.
Document & Witness…

- The procedure must be professional and documented, in order to collect evidence against an individual and to protect the organization.
- For legal reasons, you need to document your actions on a form and have a witness to everything.
- It is very difficult to prosecute a crime; have a law enforcement professional with you.
- Certain tools are regarded as ‘professional’.
[Figure: Response flow once a break-in is noticed. Call the police or the incident response team -> while the system is still running, copy memory, processes, files and connections -> power down -> copy disk -> analyze the copied images. Preserve the original system in locked storage with minimum access; take photos of the surrounding area. Evidence must be unaltered and the chain of custody professionally maintained.]

Four considerations:
- Identify evidence
- Preserve evidence
- Analyze a copy of the evidence
- Present evidence
Computer Forensics

Did a crime occur? If so, what occurred? Evidence must pass tests for:
- Authenticity: The evidence is a true and faithful copy of the crime scene; computer forensics does not destroy or alter the evidence.
- Continuity: The “chain of custody” assures that the evidence is intact.
Timeline: who did what to evidence when? (A witness is required.)

Time          Event                                               Who
10:53 AM      Attack observed                                     Jan K
11:04         Incident Response team arrives
11:05-11:44   System copied                                       PKB & RFT
11:15         System brought offline                              RFT
11:45         System powered down                                 PKB & RFT
11:47-1:05    Disk copied                                         RFT & PKB
1:15          System locked in static-free bag in storage room    RFT & PKB
Preparing Evidence

Work with the police to AVOID:
- Contaminating the evidence.
- Voiding the chain of custody: the evidence must not be impure or tainted, and written documentation lists the chain of custody (locations, persons in contact, time and place).
- Infringing on the rights of the suspect: a warrant is required unless company permission is given; the evidence is in plain sight; it was communicated to a third party; the evidence is in danger of being destroyed; seizure is a normal part of an arrest; ...
Computer Forensics

The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding.

[Figure: Original -> Mirror Image. Requirements on the forensic copy process, in order:]
1) Calculate a message digest of the original before the copy.
2) Accuracy feature: the tool is accepted as accurate by the scientific community (e.g., CoreRESTORE, Forensic Replicator, FRED).
3) Forensically sterile target media: existing data is wiped and the sterility is recorded.
4) One-way copy: the tool cannot modify the original.
5) Bit-by-bit copy: a mirror image of the whole medium.
6) Calculate a message digest of the copy after the copy.
7) Compare the two message digests to validate the correctness of the copy.
When a break-in is noticed, with a witness…

- Before logoff/power down, save volatile information.
- Use trusted commands when accessing the remote machine (use commands from a read-only CD or floppy).
- Do not alter the system in any way. Save data to the network or to a removable USB drive (fast, large storage).
- Collect information and label it: case number, time, date, data collector, data analyzer.
- Seal and lock up the evidence. Track any access to the sealed data.
- Take pictures of the system from all sides.
Collected information includes…

Volatile information:
- System memory: Unix /dev/mem or /dev/kmem (modern kernels restrict /dev/mem and are usually built without /dev/kmem, so memory is acquired with a dedicated tool instead)
- Currently running processes
- Logged-in users
- Network connections: recent connections and open applications/sockets
- Currently open files: file system time and date stamps
- System date and time
After the computer is turned off…

- A reboot will change the disk images. Do not reboot!
- Make a forensic backup (system image, bit-stream backup): copy every bit of the file system, not just the disk files!
- Example tools include: Intelligent Computer Solutions Image MASSter; EnCase (www.guidancesoftware.com); SafeBack (www.forensics-intl.com/safeback.html); the Unix dd command.
- Compute a hash value of the disk and of the backup, and compare them.
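The seven-step forensic copy above and the dd-based imaging slide come together in the following script. It is an added example written for this page, not code from the original slides or from any of the named vendor tools. It assumes SHA-256 in place of MD5, uses a constructed sample file as the "device" so it runs offline (on a real case the source would be a block device such as /dev/sdX), and the label format and function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original slides): dd imaging that digests the
# original before the copy, digests the copy after it, re-digests the
# original to prove it was not modified, and records a custody label.
# ASSUMPTIONS: SHA-256 instead of MD5; the "device" is a constructed sample
# file; label format and names are hypothetical.

digest() {
    # sha256sum is GNU coreutils; shasum is the BSD/macOS fallback.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_disk SOURCE IMAGE CASE COLLECTOR
# Copies SOURCE bit for bit into IMAGE and writes IMAGE.label.
# Prints VERIFIED (status 0) only when original-before, image and
# original-after digests all agree; otherwise prints MISMATCH (status 1).
image_disk() {
    src=$1; img=$2; case_no=$3; collector=$4
    before=$(digest "$src")                 # step 1: digest of the original
    # step 5: bit-by-bit copy. conv=noerror,sync would continue past bad
    # sectors but zero-fills them, so the digests would then differ by
    # design and the label must say so.
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 1
    after=$(digest "$img")                  # step 6: digest of the copy
    recheck=$(digest "$src")                # step 4 check: original untouched?
    {
        echo "case=$case_no"
        echo "collected=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "collector=$collector"
        echo "source=$src"
        echo "size_bytes=$(wc -c < "$src" | tr -d ' ')"
        echo "sha256_source_before=$before"
        echo "sha256_image=$after"
        echo "sha256_source_after=$recheck"
    } > "$img.label"
    # step 7: compare the digests
    if [ "$before" = "$after" ] && [ "$before" = "$recheck" ]; then
        echo VERIFIED
    else
        echo MISMATCH; return 1
    fi
}

# verify_image IMAGE: later (before analysis, or in court) recompute the
# image digest and compare it with the one recorded at collection time.
verify_image() {
    recorded=$(sed -n 's/^sha256_image=//p' "$1.label")
    if [ -n "$recorded" ] && [ "$(digest "$1")" = "$recorded" ]; then
        echo INTACT
    else
        echo TAMPERED; return 1
    fi
}

# make_sample_device PATH: constructed stand-in for a disk, including bytes
# outside any file that a file-level copy would miss.
make_sample_device() {
    printf 'boot sector\n' > "$1"
    dd if=/dev/zero bs=4096 count=2 2>/dev/null >> "$1"
    printf 'deleted-but-still-on-disk secret\n' >> "$1"
}

# Stand-alone demo: image the sample device into a temp dir, show the label.
work=$(mktemp -d)
make_sample_device "$work/sda"
image_disk "$work/sda" "$work/sda.img" CASE-001 RFT
cat "$work/sda.img.label"
verify_image "$work/sda.img"
```

Run `verify_image` every time the image changes hands or storage; a TAMPERED result means the copy can no longer be presented as a faithful image, whatever the paper chain of custody says. Analysis is always done on a second copy of the verified image, never on the image that carries the recorded digest.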
Useful information to collect…

- Photos of the computer, surroundings, display (if on), back panel plugs, etc.
- IDS, firewall and system logs
- Employees' web pages, emails, internet activities
- Employees' access to files (created/modified/viewed)
- Local peripheral paraphernalia (CDs, floppies, papers)
- Better to collect too much than too little.
Forensic Toolkit

- Maintain a CD or two floppy disks (write-protected) with forensic utilities. (Abbreviated from Incident Response & Computer Forensics, Mandia, Prosise, Pepe, McGraw Hill, pp. 87-88)
- Avoid using the utilities stored on the potentially-compromised computer.
Forensic Utilities

- cmd.exe: Command prompt for Windows NT/2000
- PsLoggedOn: Shows all connected users, local & remote (www.foundstone.com)
- Rasusers: Lists the users with remote-access privileges on the system (NT Resource Kit)
- Netstat: Lists all listening ports and all current connections on those ports
- Fport: Lists all processes that opened any TCP or UDP ports, with the executable path (www.foundstone.com)
- PsList: Enumerates all running processes (www.foundstone.com)
- ListDLLs: Lists all running processes, their command-line arguments, and the DLLs they have loaded (www.foundstone.com)

Forensic Utilities (2)

- Nbtstat: Lists the NetBIOS name cache (entries from roughly the last 10 minutes)
- Arp: Lists the ARP cache, i.e. the MAC addresses the system has been communicating with in the last minutes
- Kill: Terminates a process (NTRK)
- Md5sum: Creates MD5 hashes for a file (www.cygwin.com). MD5 collisions are practical today, so record a SHA-256 hash alongside or instead of it when documenting evidence integrity.
- Rmtshare: Displays the accessible shares (NTRK)
- Netcat: Creates a communication channel between two systems (www.atstake.com)
- Cryptcat: Creates an encrypted channel of communications (sourceforge.net)

Forensic Utilities (3)

- PsLogList: Dumps the event logs (www.foundstone.com)
- PsKill: Kills a process (www.foundstone.com)
- Ipconfig: Displays the interface configuration
- PsInfo: Provides information about the local system build (www.foundstone.com)
- PsService: Lists and controls services (www.foundstone.com)
- Auditpol: Displays the security audit settings (NTRK)
- Doskey: Displays the command history for an open cmd.exe shell
- AFind: Provides file access times (www.foundstone.com)
- Pasco: Most recent websites accessed, parsed from the Internet Explorer history files (www.foundstone.com)
- EnCase: Lists files whose extensions do not match the file type (e.g., .doc -> .jpeg)
- Sfind: Shows hidden or alternate data stream files (www.foundstone.com)
Save volatile data

Three ways to save forensic data:
- Save to a memory stick/floppy: [cmd] >> f:\logfile
- Use netcat. Below we send from the hacked station to the forensic station on port 1234:
  (at the forensic station:) nc -l -p 1234 > logfile
  (at the hacked station:) [cmd] | nc 192.168.0.n 1234
  where -l is listen mode: accept an incoming connection. (Some netcat builds, notably older OpenBSD-derived ones, reject -l together with -p; nc -l 1234 is the form that works there.)
- Use cryptcat: encrypted, so no one can observe or modify the netcat data in transit. Set your own key with -k; cryptcat's built-in default key is public knowledge.
Response Script Example (from Incident Response & Computer Forensics, p. 114)

Filename: ir.bat

    time /t
    date /t
    psloggedon
    dir /t:a /o:d /a /s c:\
    dir /t:w /o:d /a /s c:\
    dir /t:c /o:d /a /s c:\
    netstat -an
    fport
    pslist
    nbtstat -c
    time /t
    date /t
    doskey /history

where (see dir /?):
- /t: selects which timestamp is shown and sorted on: last Accessed (a), last Written (w) or Created (c)
- /s: lists directories and subdirectories
- /a: lists all files, including hidden and system files, rather than filtering by attribute
- /o:d: sorts by date, oldest first
- 'time /t' and 'date /t' display the time and date without prompting for new ones.

The script is run with its output redirected to removable media or piped to netcat, as on the previous slide; the opening and closing time/date lines bracket the collection period in the record.
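As an added example for a Unix host, not code from the slides or from the Mandia/Prosise/Pepe book, the following POSIX-shell script plays the role of ir.bat: it collects the same classes of volatile data (clock, logged-on users, processes, sockets, recent files) in order of volatility, and for every command records a UTC timestamp, the path of the binary that actually ran and the exit status, so the record itself shows whether a trusted tool was used. TRUSTED_BIN is a hypothetical mount point for the read-only toolkit medium, and the choice of Unix equivalents for the Windows tools is this example's own.

```sh
#!/bin/sh
# Added example (not from the original slides or the book): POSIX analogue
# of ir.bat. ASSUMPTIONS: TRUSTED_BIN is a hypothetical mount point of the
# read-only toolkit; the command list is this example's choice of Unix
# equivalents for the Windows tools named on the page.
TRUSTED_BIN=${TRUSTED_BIN:-/mnt/cdrom/bin}
# Trusted medium first. On a live response set PATH to the medium only;
# the suspect host's own PATH is kept here just so the demo runs anywhere.
PATH="$TRUSTED_BIN:$PATH"

stamp() { date -u '+%Y-%m-%dT%H:%M:%SZ'; }

# run CMD [ARGS...]: record the command line, where the binary was found,
# its combined output and its exit status. A missing tool is recorded,
# not silently skipped, so the gap in the record is explainable later.
run() {
    cmd=$1
    printf '\n--- [%s] %s\n' "$(stamp)" "$*"
    where=$(command -v "$cmd" 2>/dev/null) || { echo "(missing: $cmd)"; return 0; }
    echo "(binary: $where)"
    "$@" 2>&1
    echo "(exit status: $?)"
}

# collect_volatile CASE COLLECTOR: most volatile state first (clock, users,
# processes, sockets), file system listings last, mirroring ir.bat's order.
# Writes to stdout so the caller decides where the record goes.
collect_volatile() {
    case_no=$1; collector=$2
    echo "=== begin case=$case_no collector=$collector host=$(hostname 2>/dev/null || echo unknown) at $(stamp)"
    run date -u                            # system clock vs. real time (time /t, date /t)
    run uptime                             # last boot: was the box rebooted by the attacker?
    run id                                 # who is running this collection
    run who                                # logged-on users (psloggedon)
    run ps -eo pid,ppid,user,lstart,args   # running processes with start time (pslist)
    run ss -tulpan                         # listening ports and owning process (fport, netstat -an)
    run netstat -anp                       # same, for hosts without ss
    run lsof -nP                           # open files and sockets (fport, afind)
    run ip addr                            # interface configuration (ipconfig)
    run ip neigh                           # ARP/neighbour cache (arp)
    run ls -lat /tmp                       # recently written files (dir /t:w /o:d)
    run last -n 20                         # recent logins (PsLogList)
    echo "=== end at $(stamp)"
}

# Stand-alone demo: print the record to the terminal.
collect_volatile CASE-001 RFT
```

Typical use is `collect_volatile CASE-001 RFT > /mnt/usb/case001-volatile.txt` or `collect_volatile CASE-001 RFT | nc 192.168.0.n 1234` with `nc -l 1234 > logfile` waiting on the forensic station, followed immediately by hashing the saved file. Running the script does touch the host (new processes, access-time updates), which is exactly why every command is recorded: the examiner can later explain which changes were the responder's and which were the intruder's.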
Summary

- Must detect incidents.
- Have an established incident response procedure.
- Save off volatile data first.
- Do not rely on utilities on the compromised machine.
- Legal proceedings require Authenticity and Continuity (chain of custody).
- Improve the incident response procedure after a test or usage.