Incident Response

Page 1: Incident Response
Page 2: Incident Response

Incident Response
Objectives: The student should be able to:
- Define 4 steps of what needs to be done in advance of an incident.
- Describe the purpose of an incident response procedure and what the procedure should include.
- Describe the information that must be collected when a penetration has occurred: if computer is up; when computer is down; other evidence.
- Describe important guidelines for collecting this information concerning chain of custody and authenticity.
- Find information about a penetration using the PsTools and other tools: pslist, fport, listDLLs, netstat, netcat, psLoggedOn. (Lab only)

Page 3: Incident Response

How should a Sys Admin react?
You are a system administrator and an incident occurs. Should you:
- Go offline?
- Block hacker at firewall?
- Disable certain services?
- Bring down machine/server?
- Bring down the internal network?
- Let the intruder proceed to collect evidence?
Your actions can have financial impact on the corporation.

Page 4: Incident Response

When an Incident Occurs…?
How would these decisions differ if business pertained to:
- Credit card / Banking?
- Network services?
- Medical prescriptions?
- WWW Search Engine?
The CEO must determine the priorities for incident response.

Page 5: Incident Response

Incident Response Procedure
- A clear procedure defines what should happen when an intrusion is suspected
- Define expected responses to different types of intrusions
- Decide early because time will be limited during an attack

Page 6: Incident Response

Incident Response Plan Contents
- Preincident readiness
- How to declare a disaster
- Evacuation procedures
- Identifying persons responsible, contact information
  - IRT, S/W-H/W vendors, insurance, recovery facilities, suppliers, offsite media, human relations, law enforcement (for serious security threat)
- Step-by-step procedures
- Required resources for recovery & continued operations

Page 7: Incident Response

[Diagram: the four preparation steps (Step 0) and what they produce]
Steps: Establish Detection Procedures; Create Incident Response Team; Define & Publish Policies; Perform Training/Rehearsal
Outputs: Tools; Detection Procedures; Contact List; Incident Response Procedures

Page 8: Incident Response

Establish Detection Procedures (Step 0)
- SNMP: Monitors availability, response times, etc. and notifies administrator
- IDS/IPS: Monitors for attacks and notifies administrator
- Logs from all devices must be synchronized, monitored and audited
- After a break-in, administrators wish they had had stronger logging

Page 9: Incident Response

Create Incident Response Team (Step 0)
An incident response team can help to decide the Incident Response procedures and make decisions during an incident response.
Shall include:
- Security Team: Detect, control attack.
- Upper management: Be responsible for making decisions on major break-ins.
- Human Resources: Deal with an attack from employees.
- Technical Staff (MIS): Bring systems back in order.
- Outside Members: Contact law enforcement, affected customers, ISP.

Page 10: Incident Response

Define and Publish Policies (Step 0)
- Policies are defined and publicized as to what is and is not allowed
- System banners indicate who/what is allowed on the system

Page 11: Incident Response

Perform Training/Rehearsal (Step 0)
- Each person should be trained in what they need to do.
- Carry out a drill.
- Attacks succeed because companies are unprepared.

Page 12: Incident Response

[Diagram: the incident-handling cycle, fed by the Step 0 outputs]
Steps: Detect Incident -> Respond to Incident -> Recovery & Resume -> Review & Implement
Inputs from preparation: Tools; Detection Procedures; Contact List; Incident Response Procedures

Page 13: Incident Response

Step 1: Incident Response and Containment
- What types of attacks warrant which reactions?
- How do we gather information on the attack? (Next section)
- To whom should attacks be reported?
  - Do you inform police or FBI?
  - Can ISP help with log info and attack filtering?
  - Should vendors/customers be notified?
  - Shall the intrusion be hidden from the press?
- FBI has a webpage for reporting crime at: www.usdoj.gov/criminal/cybercrime/reporting.html

Page 14: Incident Response

Step 2: Recovery and Resumption
- Rebuild Affected System (Old system can be hiding rootkit)
- Lock down system
  - Apply patches
  - Minimize software availability
  - Set secure configuration
  - Change passwords on all systems
  - Test

Page 15: Incident Response

Step 3: Review & Implement
- Could we have detected intrusion faster?
- What losses did we sustain overall?
- What did the hacker attempt to do and accomplish?
- Why did the vulnerability occur?
- Have we eliminated the vulnerability on this and other machines?
- Could we have reacted in a quicker or more effective way?
- How can we improve our legal case against the next intruder?
- What changes should we make to our policies and procedures?

Page 16: Incident Response

Example: You receive an email indicating your network was part of an attack
- May be a valid accusation
- May be a mistake
- May be a ruse
So you investigate:
- Your site may have been hacked.
- An internal employee may be hacking outside.
If you reply to email indicating a break-in you may:
- Provide your email address and confirm an IP address
- Indicate your readiness level: “We don’t have logs on that particular intrusion”
- Fall for ‘social engineering spam’ (e.g., company selling IDS products).

Page 17: Incident Response
Page 18: Incident Response

A break-in has occurred…
- Get all information without changing any possible evidence
- Consider the totality of the circumstances via investigation
- React according to the type of break-in

Page 19: Incident Response

Document & Witness…
- Procedure must be professional, documented in order to
  - Collect evidence against individual
  - Protect organization
- For legal reasons, you need to document your actions in a form and have a witness to all.
- It is very difficult to prosecute a crime – have a law enforcement professional with you
- Certain tools are regarded as ‘professional’

Page 20: Incident Response

[Diagram: evidence-handling flow]
Call Police or Incident Response -> Copy memory, processes, files, connections (in progress) -> Power down -> Copy disk -> Analyze copied images; Preserve original system in locked storage w. min. access
Also: Take photos of surrounding area
- Evidence must be unaltered
- Chain of custody professionally maintained
Four considerations:
- Identify evidence
- Preserve evidence
- Analyze copy of evidence
- Present evidence

Page 21: Incident Response

Computer Forensics
- Did a crime occur? If so, what occurred?
- Evidence must pass tests for:
  - Authenticity: Evidence is a true and faithful copy of the crime scene
    - Computer Forensics does not destroy or alter the evidence
  - Continuity: “Chain of custody” assures that the evidence is intact.

Page 22: Incident Response

TimeLine: Who did what to evidence when? (Witness is required)

Time         Event                                               Persons
10:53 AM     Attack observed                                     Jan K
11:04        Inc. Resp. team arrives
11:05-11:44  System copied                                       PKB & RFT
11:15        System brought offline                              RFT
11:45        System powered down                                 PKB & RFT
11:47-1:05   Disk copied                                         RFT & PKB
1:15         System locked in static-free bag in storage room    RFT & PKB

Page 23: Incident Response

Preparing Evidence
Work with police to AVOID:
- Contaminating the evidence
  - Evidence is not impure or tainted
- Voiding the chain of custody
  - Written documentation lists chain of custody: locations, persons in contact – time & place
- Infringing on the rights of the suspect
  - Warrant required unless… Company permission given; in plain sight; communicated to third party; evidence in danger of being destroyed; or normal part of arrest; ...

Page 24: Incident Response

Computer Forensics

The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding

Page 25: Incident Response

[Diagram: Original -> Mirror Image, with the properties of a forensic copy tool numbered in order]
1) & 6) Calculate Message Digest: Before and after copy
2) Accuracy Feature: Tool is accepted as accurate by the scientific community: e.g., CoreRESTORE, Forensic Replicator, FRED
3) Forensically Sterile: Wipes existing data; Records sterility
4) One-way Copy: Cannot modify original
5) Bit-by-Bit Copy: Mirror image
7) Calculate Message Digest: Validate correctness of copy

Page 26: Incident Response

When break-in noticed, with a witness…
- Before Logoff/Power down save volatile information
- Use trusted commands in accessing remote machine (use commands off read-only CD, floppy)
- Do not alter system in any way
- Save data to network or removable USB drive (fast, large storage)
- Collect information and label it: Case number, time, date, data collector, data analyzer.
- Seal and lock up the evidence. Track any access to sealed data
- Take pictures of system from all sides
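The slide-22 timeline and the labelling rule on this slide (case number, time, date, collector, analyzer) can be kept as a structured record that is checked, not only written down. The following is an added example, not from the slides or from Mandia et al.: the class and function names (CustodyEntry, EvidenceItem, collect, record, verify_continuity, timeline) are this example's own, and the sample entries replay the slide-22 clock times as constructed data, with an explicit hand-off written down so that a missing one shows up as a gap in continuity.

```python
"""Chain-of-custody record with a continuity check (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
import hashlib


@dataclass
class CustodyEntry:
    when: datetime
    action: str          # what was done: collected, powered down, transferred, copied, stored
    actor: str           # person who did it
    witness: str         # second person present; an entry without one is a defect
    location: str
    holder_after: str    # who (or which locked store) holds the item once the action is done


@dataclass
class EvidenceItem:
    case_number: str     # label fields from the slide: case number, collector, analyzer
    description: str
    collector: str
    analyzer: str
    content_digest: str  # digest of the collected data, for the authenticity test
    entries: list = field(default_factory=list)


def collect(case_number, description, collector, analyzer, witness, location, data, when):
    """Create the item and its first custody entry (the collection itself)."""
    item = EvidenceItem(case_number, description, collector, analyzer,
                        hashlib.sha256(data).hexdigest())
    item.entries.append(CustodyEntry(when, "collected", collector, witness, location, collector))
    return item


def record(item, when, action, actor, witness, location, holder_after):
    item.entries.append(CustodyEntry(when, action, actor, witness, location, holder_after))


def verify_continuity(item):
    """Return a list of problems; an empty list means the chain is intact.

    Continuity here means every action on the item was taken by whoever held it
    at that moment and was witnessed; a hand-off that was not written down
    shows up as a gap."""
    problems, holder, prev = [], None, None
    for i, e in enumerate(item.entries):
        if not e.witness or e.witness == e.actor:
            problems.append(f"entry {i} ({e.action}): no independent witness")
        if prev is not None and e.when < prev:
            problems.append(f"entry {i} ({e.action}): out of time order")
        if holder is not None and e.actor != holder:
            problems.append(f"entry {i} ({e.action}): gap, {e.actor} acted but {holder} held custody")
        holder, prev = e.holder_after, e.when
    return problems


def timeline(item):
    """Render the record in the 'who did what when' form of the slide."""
    return [f"{e.when:%H:%M} {e.action:<14} {e.actor} (witness {e.witness}) at {e.location}"
            for e in item.entries]


def _t(hhmm):
    # constructed date; only the clock times come from the slide
    h, m = map(int, hhmm.split(":"))
    return datetime(2004, 3, 1, h, m)


def intact_chain():
    """The slide-22 sequence, with the hand-off from PKB to RFT written down."""
    item = collect("CASE-0001", "web server, volatile data and disk", "PKB", "RFT",
                   "RFT", "server room", b"<constructed memory dump>", _t("11:05"))
    record(item, _t("11:45"), "powered down", "PKB", "RFT", "server room", "PKB")
    record(item, _t("11:47"), "transferred", "PKB", "RFT", "server room", "RFT")
    record(item, _t("13:05"), "disk copied", "RFT", "PKB", "server room", "RFT")
    record(item, _t("13:15"), "stored", "RFT", "PKB", "storage room", "locked cabinet")
    return item


def broken_chain():
    """Same sequence, but nobody recorded the hand-off before the disk copy."""
    item = intact_chain()
    del item.entries[2]
    return item
```

verify_continuity(intact_chain()) returns an empty list; verify_continuity(broken_chain()) reports one gap at the "disk copied" entry, which is exactly the kind of hole in the written record that a defence lawyer will look for.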

Page 27: Incident Response

Collected information includes…
Volatile information:
- System memory: Unix /dev/mem or /dev/kmem
- Currently running processes
- Logged in users
- Network connections: Recent connections and open applications/sockets
- Currently open files: File system time & date stamps
- System date & time

Page 28: Incident Response

After computer is turned off…
- Reboot will change disk images. Do not reboot!
- Make forensic backup = system image = bit-stream backup
  - Copy every bit of the file system, not just the disk files!
- Example tools include:
  - Intelligent Computer Solutions: Image MASSter
  - EnCase (www.guidancesoftware.com)
  - SafeBack (www.forensics-intl.com/safeback.html)
  - Unix dd command
- Compute hash value of disk and backup
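The numbered steps on slide 25 (digest the original, copy it one way and bit by bit, digest the original again, digest the image) and the "compute hash value of disk and backup" step here fit in a few lines. This is an added example, not code from the slides or from any of the tools they name: a constructed temporary file stands in for the disk, digest_file, bitstream_copy, acquire and demo are this example's own names, and SHA-256 is used where the slides mention MD5.

```python
"""Bit-stream acquisition with message digests before and after the copy (added example)."""
import hashlib
import os
import tempfile

BLOCK = 4096   # read/write unit, like dd's bs=


def digest_file(path, algo="sha256"):
    """Hash a file block by block so a disk-sized image does not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_copy(src, dst):
    """Copy every byte of src to dst (5: bit-by-bit).

    src is opened read-only (4: one-way, the original cannot be modified) and
    dst is opened with 'x', so the image goes to a file that did not exist
    before (3: a known-empty target, never an old image being overwritten)."""
    copied = 0
    with open(src, "rb") as s, open(dst, "xb") as d:
        for chunk in iter(lambda: s.read(BLOCK), b""):
            d.write(chunk)
            copied += len(chunk)
    return copied


def acquire(src, dst):
    """Run the numbered steps and return what the evidence label needs."""
    before = digest_file(src)          # 1: digest of the original before copying
    size = bitstream_copy(src, dst)    # 3-5: the copy itself
    after = digest_file(src)           # 6: digest of the original afterwards
    image = digest_file(dst)           # 7: digest of the image
    return {
        "bytes": size,
        "original_before": before,
        "original_after": after,
        "image": image,
        "original_unaltered": before == after,   # the copy did not touch the source
        "copy_verified": image == before,        # the image is exact
    }


def demo(tamper=False):
    """Constructed stand-in for a disk: three whole blocks plus a partial block,
    so that only a byte-exact copy reproduces the tail. With tamper=True one
    byte of the image is flipped after acquisition to show step 7 catching it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sda")        # constructed source, not a real device
        dst = os.path.join(d, "sda.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * BLOCK + 123))
        result = acquire(src, dst)
        if tamper:
            with open(dst, "r+b") as f:
                f.seek(BLOCK + 7)
                b = f.read(1)
                f.seek(BLOCK + 7)
                f.write(bytes([b[0] ^ 0x01]))
            result["image"] = digest_file(dst)
            result["copy_verified"] = result["image"] == result["original_before"]
        return result
```

Two digests of the original, taken before and after, are what lets the examiner state that the acquisition itself did not alter the evidence; the third digest, of the image, is what gets written on the label and recomputed whenever the image is handed to someone else.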

Page 29: Incident Response

Useful information to collect…
- Photos of computer, surroundings, display (if on), back panel plugs, etc.
- IDS, Firewall, and System logs
- Employees' web pages, emails, internet activities
- Employees' access of files (created/modified/viewed)
- Local peripheral paraphernalia (CDs, floppies, papers)
- Better to collect too much than too little

Page 30: Incident Response

Forensic Toolkit
- Maintain a CD or two floppy disks (write-protected) with forensic utilities (Abbreviated from Incident Response & Computer Forensics, Mandia, Prosise, Pepe, McGraw Hill, pp. 87-88)
- Avoid stored utilities on the potentially-compromised computer

Page 31: Incident Response

Forensic Utilities
- cmd.exe: Command prompt for Windows NT/2000
- PsLoggedOn: Shows all connected users, local & remote (www.foundstone.com)
- Rasusers: Lists the users with remote-access privileges on the system (NT Resource Kit)
- Netstat: Lists all listening ports and all current connections on the ports
- Fport: Lists all processes that opened any TCP ports and executable path (www.foundstone.com)
- PsList: Enumerates all running processes (www.foundstone.com)
- ListDLLs: Lists all running processes, their command-line arguments, and the DLLs they depend on (www.foundstone.com)

Page 32: Incident Response

Forensic Utilities (2)
- Nbtstat: Lists NetBIOS connections for last 10 minutes (approx.)
- Arp: Lists the MAC addresses the system has been communicating with in the last minutes
- Kill: Terminates a process (NTRK)
- Md5sum: Creates MD5 hashes for a file (www.cygwin.com)
- Rmtshare: Displays the accessible shares (NTRK)
- Netcat: Creates a communication channel between two systems (www.atstake.com)
- Cryptcat: Creates an encrypted channel of communications (sourceforge.net)

Page 33: Incident Response

Forensic Utilities (3)
- PsLogList: Dumps the event logs (www.foundstone.com)
- PsKill: Kill a process (www.foundstone.com)
- Ipconfig: Display interface configuration
- PsInfo: Provide info about local system build (www.foundstone.com)
- PsService: Lists current processes and threads (www.foundstone.com)
- Auditpol: Displays security audit settings (NTRK)
- Doskey: displays command history for an open cmd.exe shell
- AFind: Provides file access times (www.foundstone.com)
- Pasco: Most recent websites accessed (www.foundstone.com)
- EnCase: List files whose extensions do not match file type (.doc->.jpeg)
- Sfind: Show hidden or alternative data stream files (www.foundstone.com)

Page 34: Incident Response

Save volatile data
Three ways to save forensic data:
- Save to memory stick/floppy: [cmd] >> f:\logfile
- Use netcat: Below we send from hacked station to forensic station on port 1234
    (at forensic station:)  nc -l -p 1234 > logfile
    (at hacked station:)    [cmd] | nc 192.168.0.n 1234
  where: -l listen mode: accept incoming connection
- Use cryptcat: encrypted so no one can observe or modify netcat data.

Page 35: Incident Response

Response Script Example
From Incident Response & Computer Forensics p. 114
Filename: ir.bat

    rem timestamps before collection (no prompt for a new time or date)
    time /t
    date /t
    rem who is logged on
    psloggedon
    rem every file on c:\, sorted by last-accessed, last-written and created date
    dir /t:a /o:d /a /s c:\
    dir /t:w /o:d /a /s c:\
    dir /t:c /o:d /a /s c:\
    rem network state, processes, NetBIOS name cache
    netstat -an
    fport
    pslist
    nbtstat -c
    rem timestamps after collection, then the command history of this shell
    time /t
    date /t
    doskey /history

where: dir /? (the help text for dir) indicates that
- /t: indicates whether last Accessed, last Written or Created date should be included
- /s: indicates that directories and subdirectories should be listed
- /a: indicates types of files (selected by attribute; with no attribute given, all files are listed, including hidden and system files)
- ‘time /t’ and ‘date /t’ do not prompt for new times, dates
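The batch script above depends on two things the surrounding slides insist on: that psloggedon, fport and the rest are the copies on the responder's read-only media (slide 30), not whatever the compromised machine has on its PATH, and that the output goes somewhere off that machine (slide 34). The following is an added example in Python, not the book's script, of a runner that enforces both: each tool must resolve inside a trusted toolkit directory, the output is written to a new file on a destination the responder names, and the file's digest is returned for the evidence label. resolve_trusted, run_collection and demo are this example's own names; demo builds a temporary toolkit of constructed shell scripts that stand in for pslist and netstat, so it runs anywhere with /bin/sh.

```python
"""Volatile-data collection runner using only tools from a trusted toolkit (added example)."""
import hashlib
import os
import subprocess
import tempfile
from datetime import datetime, timezone


def resolve_trusted(name, toolkit_dir):
    """Return the toolkit's copy of `name`; refuse anything that resolves outside
    toolkit_dir (a path like ../bin/x) or is not an executable file there."""
    root = os.path.realpath(toolkit_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"{name}: resolves outside the trusted toolkit")
    if not (os.path.isfile(candidate) and os.access(candidate, os.X_OK)):
        raise FileNotFoundError(f"{name}: not present in the trusted toolkit")
    return candidate


def run_collection(commands, toolkit_dir, out_path, case_number, collector):
    """Run each argv list (e.g. [["pslist"], ["netstat", "-an"]]) with the toolkit's
    binary, bracket the run with timestamps as ir.bat does, write everything to a
    new file at out_path (removable media or a network share) and return its digest."""
    lines = [f"case {case_number}  collector {collector}",
             f"start {datetime.now(timezone.utc).isoformat()}"]
    for argv in commands:
        exe = resolve_trusted(argv[0], toolkit_dir)
        proc = subprocess.run([exe, *argv[1:]], capture_output=True, text=True)
        lines.append(f"=== {' '.join(argv)} (rc={proc.returncode})")
        lines.append(proc.stdout.rstrip("\n"))
        if proc.stderr:
            lines.append("stderr: " + proc.stderr.rstrip("\n"))
    lines.append(f"end {datetime.now(timezone.utc).isoformat()}")
    with open(out_path, "x", encoding="utf-8") as f:   # 'x': never overwrite or append
        f.write("\n".join(lines) + "\n")
    with open(out_path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def demo():
    """Constructed toolkit: shell scripts that print made-up pslist/netstat output
    stand in for the real tools. Returns the collection file, its digest, and
    whether a tool outside the toolkit was refused."""
    with tempfile.TemporaryDirectory() as d:
        toolkit = os.path.join(d, "toolkit")
        os.mkdir(toolkit)
        fake_tools = {
            "pslist": "printf '%s\\n' 'PID   Name' '4     System' '812   svchost.exe'",
            "netstat": "printf '%s\\n' 'TCP   0.0.0.0:445   LISTENING'",
        }
        for name, body in fake_tools.items():
            path = os.path.join(toolkit, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n" + body + "\n")
            os.chmod(path, 0o755)
        media = os.path.join(d, "usb")          # stand-in for f:\ on the slide
        os.mkdir(media)
        out = os.path.join(media, "logfile")
        digest = run_collection([["pslist"], ["netstat", "-an"]], toolkit, out,
                                "CASE-0001", "PKB")
        with open(out, encoding="utf-8") as f:
            text = f.read()
        try:
            resolve_trusted("../../bin/sh", toolkit)   # outside the toolkit: must be refused
            refused = False
        except (ValueError, FileNotFoundError):
            refused = True
        return {"digest": digest, "output": text, "untrusted_refused": refused}
```

On a real response the toolkit directory is the mounted read-only CD and out_path is the removable drive or the share the forensic station exports; the returned digest goes onto the label next to the case number, time and collector, so the logfile can later be shown to be the one written during the run.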

Page 36: Incident Response

Summary
- Must detect incidents
- Have an established incident response procedure
- Save off volatile data first
- Do not rely on utilities on the compromised machine
- Legal proceedings require Authenticity & Continuity (chain of custody)
- Improve incident response procedure after test or usage