Security Incident Database

By L. Michael Johnson, CISSPmjohnson@ou.edu

"Copyright L. Michael Johnson 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author."

SID: Overview

• Purpose• Personnel/Tools• History

– Evolution– Phases

• Mechanics– Tools– Components (Dependencies)– The Incident Defined– Procedures

• Future

SID: Purpose

• Encourage Development• Reactive Measure with Proactive Tools• Unique Rewards• Customized• Conforms to Your Policies/Procedures• You Decide What An Incident Is• First Incident: 2001-08-20• As of 2006-04-06: 9456 incidents recorded,

3089 unresolved, 27923 followups.

SID: Personnel

• Security Team– Level 2 Technicians: 2

• Enter Incidents, Block, Unblock

– Level 3 Engineers: 3• Oversee, can enter Incidents, Block, Unblock,

Open Multiple

– Design Manager (Database): 1

• Service Centers– Helpdesk Technicians, limited interface

SID: Tools

• None Generate Incident– Simply sources of information

• QRadar

• Snort

• Symantec Network Security (SNS Appliance), Managed Services

• Logs

• Some Helpdesk Ticketing System

SID: History

• Phase 1: Notes

• Phase 2: Database

• Phase 3: Web Interface

• Phase 4: Addition of Tools - Alerting

SID:History: Phase 1

• Sticky Note Phase

• Flat Text File

• Accessed by Web site

• CGI

• Tracking Changes Difficult

• Blocking by Edge Switch Port Disable

SID:History: Phase 2

• Database

• CGI Interface Perl DBI

• Linux based bash scripting

• Began incorporating blocking

• Transaction Table for Tracking Changes

• Simple Web Interface for Helpdesk

SID:History: Phase 3

• Established CART Protocols (External Communication)

• Incorporating ModemPool/VPN Violations

• Redesigned the Web Interface for Multiple Users, Tracking Options, Changes

• Began Alerting (later SLA)

• Reporting Capabilities

SID:History: Phase 4

• Tied In Forensic Tools• NBTSTAT• Scanning NMAP• HPOpenview’s locate• Open Multiple Incidents• Expanded Reporting• Up to 260 Mbytes, 16 tables, 2.8 million

records

SID: Mechanics

• Tools

• Components Depends On (Other Databases)

• The Incident Dissected

• Procedures (Copyright / Others)

SID: Mechanics: Tools

• MySQL (mysql.org)

• Perl (perl.org)

• Apache+MODSSL (apache.org)

• PHP (php.net)

• Linux (Redhat) (7.2 -> AS 4)

• Expect (expect.nist.gov)

• CRON (?)

SID: Mechanics: Components

• Arpcache Database – SID depends

• NullRoute Database - Related

• NETREG – Related

SID: Mechanics: ComponentsArpCache Database

• Arpcache Database– Architecture Dependant, Centric Best– Every 10 minutes download IP/MAC associations– Establishes Network Access Timelines

• MAC associated with IP how long?• FirstSeen/LastSeen

– Later: became a network & forensic tool– Stolen Laptops?– 700,000+ IP / MAC relations

SID: Mechanics: ComponentsArpCache Database

• ArpCache Database– Establishes

Network Access Timelines

• MAC associated with IP how long?

• FirstSeen/LastSeen

– Later: became a forensic tool

• EXAMPLE, IP changes MACs

SID: Mechanics: ComponentsArpCache Database

• ArpCache Database– Establishes

Network Access Timelines

• MAC associated with IP how long?

• FirstSeen/LastSeen

– Later: became a forensic tool

• EXAMPLE, MAC changes IPs

SID: Mechanics: ComponentsArpCache Database

• Imagine uses– Network Troubleshooting– Track Usage of IP Space– Forensic– DHCP Usage– Find Non-Compliant Devices– Vendor Prefix: HP, Dell, Gateway?– SUPPORT SECURITY INCIDENT

DATABASE

SID: Mechanics: ComponentsNullRoute Database

• Security Incident Database for Non-Campus IPs

• Enter Complaints

• Track Incidents, expire 1 week (varies)

• No MAC addresses

• Blocking via NULLROUTE– Routers handle routes naturally (as opposed

to ACLs)

SID: Mechanics: ComponentsNullRoute Database

• ip route 12.108.65.76 255.255.255.255 Null0• ip route 12.155.199.50 255.255.255.255 Null0• ip route 24.6.166.217 255.255.255.255 Null0• ip route 24.91.145.236 255.255.255.255 Null0• ip route 24.181.31.26 255.255.255.255 Null0• ip route 24.242.225.74 255.255.255.255 Null0• ip route 58.99.39.139 255.255.255.255 Null0• ip route 59.188.0.148 255.255.255.255 Null0• ip route 60.13.218.11 255.255.255.255 Null0• ip route 61.59.76.253 255.255.255.255 Null0• ip route 61.83.132.138 255.255.255.255 Null0• ip route 61.100.180.18 255.255.255.255 Null0• ip route 61.110.240.90 255.255.255.255 Null0

SID: Mechanics: ComponentsNETREG

• Network Registration built on similar tools

• Students redirected to web page via DHCP/BOGUS DNS

• Requires Login

• Fill Out Form (including contact information), Click Register

• 1 Minute Later, DHCP restarted

• Incidents can import this information

SID: MechanicsThe Incident

• Overall Design:– Static Information

• Helpdesk can see, Alerts

– Followups• Initial Emails, Complaints• Notes, Resolutions, Emails Exchanged

SID: MechanicsThe Incident

• Static Information– IP, MAC– Dates/Times Incident Opened, Resolved– Categorical Information

• Department• Network• Type of Violation• Blocked? Resolved?• Escalation (Information Only, Action Requested, Action

Performed)• Source (email complaint, automated scan, vendor product,

Snort, QRadar)• Student/Employee ID

SID: MechanicsThe Incident

• Everything Else Is A Followup (Transaction Table)– Date/Time– Private? Y/N– Description Text Field (Email/Notes/Scan

Results)

SID: MechanicsThe Incident

• Blocking, via expect:– set cam static filter 00-xx-a5-xx-62-xx 212– set cam static filter 00-10-xx-c6-xx-2a 208– set cam static filter 00-0a-xx-95-xx-83 208

• Regular reports (bash/perl)

• Maintenance (bash/perl)– Update expired incidents– Enforce blocking nightly

Interface: How it works

SID: MechanicsProcedures

• Overall Design:– Copyright Violations– Campus Wide Incidents– All Others

SID: MechanicsProcedures

• Copyright Violations– Notice is entered into system (via email

complaint to security@, abuse@, etc)– Notice is forwarded to Designated Person

who will draft a response (example)– 2nd, 3rd, nth violation?– Reasonable attempt to notify if a contact is

known– Blocked (on first complaint)– User Calls Helpdesk

SID: MechanicsProcedures (cont)

• Copyright Violations– Service Center Looks Up informs Incident Number

• User Actions– Visit Legal Counsel, Sign Affirmation of Compliance (example)

– 2nd or more violations: Visit Student Affairs Office

– Designated Legal Counsel Representative notifies Security Group of Signed Affirmation of Compliance

– Machine is unblocked, Resolved– Signed Affirmation of Compliance forms are sent to

Director of IT-Security

SID: MechanicsProcedures

• Campus Wide Incidents– Open Multiple Incidents– Lists of IP addresses– No need for followups– Once certified clean by Service Centers,

unblocked

SID: MechanicsProcedures

• All Other Incidents– Entered Into Database– Complaints are entered as followups– Verification of Source Required to Block

• Spam usually results in 2 or more complaints• Some sources we trust more than others

(dshield.org?)

SID: MechanicsProcedures

• Planning Cost/Use– Regular Reports Useful for Planning

• State of the Network/ Security Posture (weekly)

• Reports at request (Perl)– Auditing

• Yearly reports– By Network– By Location

SID: Lessons Learned

• Valuable assets– Reporting– Forensics– Costing– Designing Policy– Statistics/Forecasting– Outbreaks– SLA (selling point)– Security Audits for Departments (includes report)

• Examples of use– Dec ’05 2 Boxes, admin changed mac addresses– State of the network “Security Posture” weekly report

SID: Lessons Learned

• Requires Maintenance– VLANS IP Address Space– Depends on centric network, blocked at core– Handful blocked manually (cable cut, switch

port disable – rogue dhcp)

SID: Future

• Integration with other tools, snort, etc.

• Integration with the NullRoute Database– On/off campus handled the same

• Complete Redesign of the Web Interface

• Reports as needed

• Automatic Expiration of Incidents

• State-wide Honeynet (input into SID)