8/14/2019 Inet Investigation Short4
1/30
Copyright 1998-1999 Sanda International Corp.

Investigating Internet Security Incidents
A Brief Introduction to Cyber Forensic Analysis
Peter Stephenson
Ste hen@imfgroup.com

Agenda
- Intrusion approaches
- Investigative tool kit
- Investigative approaches
- End-to-end tracing
- Evidence collection and preservation
- Forensic use of RMON2-based tools for documenting the path of an attack

What is Cyber Crime?
- Crimes directed against a computer
- Crimes where the computer contains evidence
- Crimes where the computer is used to commit the crime

The Nature of Computer Related Crime in Today's Organizations
Source: 1998 CSI/FBI Study
[Two bar charts. Left: "% Reporting" (axis 0-100) by suspected source: disgruntled employees, hackers, US competitors, foreign corporations, foreign governments. Right: "%" (axis 0-45) by incident type: unauthorized access, DoS, outside penetration, theft of information, fraud, sabotage.]

There Are Only 4 Kinds of Attacks
- Denial of service
- Social engineering
- Technical
- Sniffing

Intrusion Approaches
- Target selection, research and background info
  - Internet searches
  - Whois, nslookup
- Preliminary probing - avoid logging - get passwords
  - POP probe
  - Sniffing
  - DNS zone transfer
  - SMTP probe
  - Other simple probes
- Search for back doors
- Technical attack or social engineering

Cleaning Up After an Attack
- Delete tools and work files
- Modify logs (Unix example)
  - Syslog
  - messages files (especially the mail log)
  - su log
  - lastlog (including wtmp and utmp)
  - daemon logs
  - transfer logs

INVESTIGATIVE AXIOM:
Treat every incident as if it will end up in a criminal prosecution.

Your Investigative Tool Kit
- Policies
- Criminal profiling
- Tracing tools
- Log analysis
- Crime scene (victim computer) analysis
- E-mail header analysis
- News group header analysis

The Role of Policies
- They define the actions you can take
- They must be clear and simple to understand
- The employee must acknowledge that he or she read them, understands them and will comply with them
- They can't violate law

Electronic Communications Privacy Act - Your Enabling Law
- Owner may intercept communications between an intruder and that owner's computer system
- Owner providing others with the ability to use that computer to communicate with other computer systems may:
  - make routine backups and perform other routine monitoring
  - intercept with prior consent of the user
  - intercept portions of communications necessary to determine origin and destination
  - intercept where necessary to protect owner's rights or property
  - disclose to law enforcement any communications inadvertently discovered which reveal criminal activity

Criminal Profiling
- Criminal profiling is the process of using available information about a crime and crime scene to compose a psychological portrait of the unknown perpetrator of the crime
- Classical profiling goals - to provide:
  - a social and psychological assessment of the offender
  - a psychological evaluation of relevant possessions found with suspected offenders
  - strategies that should be used when interviewing offenders

Crime Scene Analysis
- Branch of profiling using standard investigative techniques to analyze crime scenes
- Investigators are usually most comfortable with this approach
- Very useful in computer incidents

Developing a Profile of an Intruder
- Crime scene analysis
  - how was access obtained? What skills were required?
  - how did the intruder behave on the system? Damage? Clean-up? Theft?
- Investigative psychology
  - motivation
  - personality type

Goals of an Investigation
- To ensure that all applicable logs and evidence are preserved
- To understand how the intruder is entering the system
- To obtain the information you need to justify a trap and trace of the phone line the intruder is using, or to obtain a subpoena to obtain information from an ISP
- To discover why the intruder has chosen the computer
- To gather as much evidence of the intrusion as possible
- To obtain information that may narrow your list of suspects
- To document the damage caused by the intruder
- To gather enough information to decide if law enforcement should be involved

Immediate Objective: PRESERVE THE EVIDENCE!!!
- Begin a traceback to identify possible log locations
- Contact system administrators on intermediate sites to request log preservation
- Contain damage
- Collect local logs
- Image disks on victim computers

Building an Incident Hypothesis
- Start with witness accounts
- Consider how the intruder could have gained access
  - eliminate the obvious
  - use logs and other physical evidence
  - consider the skill level or inside knowledge required
- Create mirrors of affected computers

Building an Incident Hypothesis (continued)
- Develop a profile of the intruder
- Consider the path into the victim computer
- Recreate the incident in the lab
  - use real mirrors whenever possible
- Consider alternative explanations
  - test alternatives

Incident Reconstruction
- Physical
  - use mirrors of the actual involved systems
  - useful for single computers
- Logical
  - use similar systems
  - useful for networks where you have access to the entire network
- Theoretical
  - hypothesize intermediate computers
  - necessary when you can't access all involved computers

Back Tracing
- Elements of a back trace
  - end points
  - intermediate systems
  - e-mail and packet headers
  - logs
- Objective: to get to a dial-in POP
- The only messages that can't be back traced are those using a true anonymizer and those where no logs are present

Enabling Relationships
[Diagram: Intruder's Laptop --(DIAL)--> ISP Router --(INTERNET)--> Intermediate Host --(PENETRATE HOST)--> VICTIM (ATTACK VICTIM). Evidence available at each stage: telco logs, ISP's logs, our logs.]

Obtaining Subpoenas
- Notify involved organization that you are going to subpoena and request that they preserve evidence - find out who to deliver the subpoena to
- File John/Jane Doe lawsuit with an emergency order to subpoena appropriate records
- Subpoena the logs you need
  - Get everything you can on the first pass
  - May need depositions

Requirements for Logs to be Used as Evidence
- Must not be modifiable
  - Spool off to protected loghost
  - Optical media
  - Backups
- Must be complete
  - All superuser access
  - Login and logout
  - Attempts to use any controlled services
  - Attempts to access critical resources
  - E-mail details
- Appropriate retention
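The "must not be modifiable" requirement, as an added Python example that is not from the slides: the protected loghost keeps each spooled line in a hash chain, so a record deleted on the victim host (the su entry the "Cleaning Up After an Attack" slide lists) is still on the loghost, and any edit to the loghost copy itself fails verification. The hash chain is an added technique, not one the slides describe, and the sample syslog lines, hostnames and user names are constructed.

```python
import hashlib

GENESIS = "0" * 64

def append_record(chain, line):
    """Append a log line to the loghost's chain. Each record's digest covers the
    previous digest, so editing or deleting a record invalidates everything after it."""
    prev = chain[-1][1] if chain else GENESIS
    digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
    chain.append((line, digest))
    return chain

def verify_chain(chain):
    """Index of the first record whose digest does not verify, or -1 if intact."""
    prev = GENESIS
    for i, (line, digest) in enumerate(chain):
        if hashlib.sha256((prev + "\n" + line).encode()).hexdigest() != digest:
            return i
        prev = digest
    return -1

def missing_locally(chain, local_lines):
    """Records the loghost holds that the victim's own copy no longer contains."""
    local = set(local_lines)
    return [line for line, _ in chain if line not in local]

# Constructed sample lines in syslog style, as the victim host would spool them
# to the loghost; the hostnames, user names and queue id are assumptions.
SAMPLE_LINES = [
    "Sep 12 18:20:01 victim sshd[1402]: Accepted password for joe from 10.9.8.7",
    "Sep 12 18:21:44 victim su: 'su root' succeeded for joe on /dev/pts/2",
    "Sep 12 18:22:10 victim sendmail[1490]: SAA29949: from=<root>, size=512",
    "Sep 12 18:40:09 victim sshd[1402]: session closed for user joe",
]

def build_chain(lines):
    chain = []
    for line in lines:
        append_record(chain, line)
    return chain

def demo():
    """The victim-side copy loses the su record (the 'modify logs' slide); the
    loghost chain still verifies and shows what was removed, while a tampered
    copy of the chain fails at the first altered record."""
    loghost = build_chain(SAMPLE_LINES)
    victim_copy = [l for l in SAMPLE_LINES if "su root" not in l]
    tampered = [rec for rec in loghost if "su root" not in rec[0]]
    return verify_chain(loghost), missing_locally(loghost, victim_copy), verify_chain(tampered)
```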

Tracing E-Mail Headers
(3) Received: from mailhost.example.com ([XXX.XXX.178.66])
    by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
(2) Received: from web03.iname.net by mailhost.example.com (AIX
    3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
(1) Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0)
    id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
(4) From: fake user [email protected]
Message-Id:
Content-Type: text/plain
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: This is a forged e-mail message

Performing the Trace
[Flowchart; the boxes are:]
- Contact iname's Security Officer
- Connect account name, time, and message ID to source IP address
- Get logs from source IP
- Who was connected at the time of the e-mail?
- Locate ISP and contact Security Officer
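The header reading the two slides above describe, oldest Received: line first, as an added Python example that is not from the slides: it extracts each relay, its queue id and its timestamp, then reports the two facts the trace starts from (the From: domain never appears in the path, so the trace begins at web03.iname.net and id SAA29949, not at the claimed sender) and a hop stamped earlier than its predecessor. The Received: lines are the slide's own, with XXX.XXX.178.66 left as the slide redacted it; the From: address, the regex and the check logic are assumptions of this example, and the skew check assumes symmetric, reasonably synchronised clocks.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the slide's forged message; XXX.XXX.178.66 is
# the slide's own redacted address, the From: address is an assumed placeholder.
SAMPLE = """\
Received: from mailhost.example.com ([XXX.XXX.178.66])
 by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
Received: from web03.iname.net by mailhost.example.com (AIX
 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0)
 id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
From: fake user <fake.user@example.invalid>
Subject: This is a forged e-mail message
"""

HOP_RE = re.compile(
    r"\(?from\s+(?P<src>[^\s)]+)\)?(?:\s+\((?P<src_info>[^)]*)\))?"
    r".*?\bby\s+(?P<by>[^\s;(]+)(?:.*?\bid\s+(?P<id>[^\s;]+))?.*?;\s*(?P<date>.+)$")

def trace_hops(raw):
    """Received: hops oldest first (each relay prepends, so the last is the origin)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hop = m.groupdict()
            hop["when"] = parsedate_to_datetime(hop["date"])
            hops.append(hop)
    return hops

def check_path(raw):
    """Flag a From: domain that never appears in the path (trace from the
    injecting server and its queue id, not the claimed sender) and a hop
    stamped earlier than the previous one (clock skew or an inserted line)."""
    hops = trace_hops(raw)
    claimed = message_from_string(raw)["From"].rsplit("@", 1)[-1].rstrip(">").lower()
    hosts = {h["by"].lower() for h in hops} | {h["src"].lower() for h in hops}
    findings = []
    if not any(host.endswith(claimed) for host in hosts):
        findings.append(f"From: domain {claimed} not in path; origin is "
                        f"{hops[0]['by']} (id {hops[0]['id']})")
    for prev, cur in zip(hops, hops[1:]):
        if cur["when"] < prev["when"]:
            findings.append(f"{cur['by']} stamped before {prev['by']}: "
                            "clock skew or inserted header")
    return findings
```

On the slide's own timestamps the outermost relay (hop 3) is stamped about six minutes before hop 2, which is exactly the kind of discrepancy the trace has to reconcile against the relays' logs.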

Evidence Collection & Preservation
- Forensic evidence
  - Safeback - creates physical images and mirrors of affected computers
- Forensic analysis
  - NTI tools
- NEVER work directly on the evidence
  - Never contribute to the evidence
- Ensure chain of custody

RMON2 Tracing Tools
- Requires RMON2 devices
- Use ODS Networks Secure Switch Investigator
- Looks for evidence of alien conversations served from within the victim's perimeter
- By moving outwards a step at a time, determine source of attack

MCI DoSTracker
- Attempts to trace source-forged packets, starting at a victim location and tracing backwards to the possible source
- Attack must be in progress
- Process - log in to starting edge router
  - Deploy access control list in debug mode for victim IP
  - Clear victim subnet cache
  - Look for forged packets by comparing to route table
  - Spawn separate process to log into next hop router and continue
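The "compare to route table" and "continue at the next hop" steps of the process above, as an added Python example that is not DoSTracker's code: a packet whose source address the router would reach through a different interface than the one it arrived on cannot carry a genuine source, and the interfaces such packets entered on name the neighbour routers where the trace is repeated. The route table, neighbour names and packet records are constructed, and the check assumes symmetric routing (asymmetric paths would need an allow-list to avoid false positives).

```python
import ipaddress

# Constructed data (assumptions, not from the slides): one edge router's
# forwarding table, the neighbour reachable through each interface, and a
# few packets matched by the victim-facing ACL with the interface they came in on.
ROUTE_TABLE = {"10.1.0.0/16": "eth0",    # customer side (victim lives here)
               "10.2.0.0/16": "eth1",    # peer A
               "0.0.0.0/0": "eth2"}      # default route, upstream
NEIGHBOURS = {"eth1": "peerA-edge", "eth2": "upstream-core"}
PACKETS = [{"src": "10.2.3.4", "in_iface": "eth1"},
           {"src": "10.1.9.9", "in_iface": "eth2"},      # our own prefix, from upstream
           {"src": "198.51.100.7", "in_iface": "eth2"},
           {"src": "10.2.8.8", "in_iface": "eth2"}]     # peer A's prefix, from upstream

def best_route(table, addr):
    """Longest-prefix match: the interface this router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forged_packets(table, packets):
    """The slide's 'compare to route table' step: a packet whose source would be
    routed out a different interface than it arrived on cannot have a genuine
    source address (assumes symmetric routing; asymmetric paths need an allow-list)."""
    return [p for p in packets if best_route(table, p["src"]) != p["in_iface"]]

def next_hops(table, neighbours, packets):
    """Interfaces the forged traffic entered on, mapped to the neighbour routers
    where the trace is repeated (the slide's 'log into next hop and continue')."""
    ifaces = {p["in_iface"] for p in forged_packets(table, packets)}
    return {iface: neighbours.get(iface) for iface in sorted(ifaces)}
```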

CMDS - Abuse at the Host
- Manager-Agent architecture
- Responds to violations of policies
- Analyzes usage patterns
  - Identifies rogue users
  - Identifies masqueraders
- Available from ODS Networks

Summary
- Ensure appropriate policies
- Preserve the crime scene (victim computer)
- Act immediately to identify and preserve logs on intermediate systems
- Conduct your investigation
- Obtain subpoenas or contact law enforcement