Title: Lesson 6 Basics of Incident Response
1Lesson 6BasicsofIncident Response
2Overview
- Hacker Lexicon
- Incident Response
3Hacker Lexicon
- Rootkit - a collection of tools an intruder loads
onto a compromised computer - Usually Consists of
- trojanized utilities
- network sniffers
- log-cleaning scripts
4Root Kits
- Three primary types
- traditional
- loadable kernel modules (LKMs) for Unix/Linux
- kernel -level rootkit for Windows
- Hundreds of Root-kits in existence
- Hackers sites contain click and choose
smorgasbord (KNOW THY ENEMY)
5Basic RootKit Functionality
- Maintain Access
- Attack other Systems
- Destroy Evidence
6Traditional Rootkit Tools
- Backdoors - programs that listen on TCP/UDP ports
that allow intruder stealthy access - Log wipers - utility which erases log files to
hide signs of intruders presence - Packet sniffers - software designed to monitor
network traffic to capture packets of interest - Internet Relay Chat (IRC) utilities for comms
- DDOS agents - S/W that sends UDP/ICMP floods
7LKM Rootkits
- Most rootkits used against Unix/Linux systems are
Loadable Kernel Modules (LKMs) - Kernel is transparently modified
- Execute Redirection remaps system utility calls
- Remote execution commands transmitted via the
net - Promiscuous mode hiding hides sniffers
- Task hacking changing the user id (UID),
effective user id (EUID), and file system user id
(FSUID) of any process
8LKM Rootkits
- Kernel is transparently modified (contd)
- Real-time process hiding -sending the following
- kill -31 process id allows kernel to
suppress all info about the given process - Kernel Module Hiding LKMs can actually mask
their own presence (stealthy LKMs)
9WINDOWS Rootkits
- Contains
- Kernel Mode Device Driver _root_.sys
- Launcher program deploy.exe
- Capabilities
- Back doors
- Hide files files with _root_ will be hidden from
dir - Hide processes and registry entries
- Keystroke Intercept
10Incident Response Overview
- Goals
- Methodology
- Preparation
- Detection
- Initial Response
- Strategy Formulation
- Investigation
- Monitoring
- Recovery
- Reporting
11What is an Incident?
- Incident - an event in an information
- system/network
- Time based security
- Protection time gtgt detection time reaction time
Some say its all about vulnerability management
12SANS/FBI Top 20 List
20 MOST CRITICAL INTERNET VULNERABILITIES UP
TO 800 POSSIBLE SANS Institute 20 Most Critical
Internet Security Vulnerabilities
13General Vulnerabilities
- 1. Default installs of OSs and applications
- 2. Weak or non-existent passwords
- 3. Incomplete or non-existent backups
- 4. Large number of open ports
- 5. Lack of packet filtering
- 6. Incomplete or non-existent logging
- 7. Vulnerable CGI programs
- Source The SANS Institute
14Windows Vulnerabilities
- 8. Unicode Vulnerability
- 9. ISAPI Extension Buffer Overflows
- 10. MS Remote Data Services Exploit
- 11. NETBIOS Unprotected Windows
- Networking Shares
- 12. Leakage via Null Session Connections
- 13. Weak Hashing in SAM (Lan Manager
- Hash)
- Source The SANS Institute
15Unix Vulnerabilities
- 14. Buffer Overflows in Remote
- Procedure Call Services
- 15. Sendmail Vulnerabilities
- 16. Bind Weaknesses
- 17. R Commands
- 18. LPD Remote Print Protocol Daemon
- 19. Sadmind and Mountd
- 20. Default SNMP Strings
- Source The SANS Institute
16Home User Guidelines
- Use strong passwords (alpha-numeric, over 8
characters) - Make regular backups of critical data
- Use virus protection software
- Use a firewall as a gatekeeper between your
computer and the Internet - Do not leave computers online
- Do not open attachments from strangers
- Source FBI
17The Worst Can Happen
"Don't look at the past and assume that's the
future. Look at the enemy's strengths and your
vulnerability. You've got to realize that the
worst case does sometimes happen." -Richard
Clarke Special Advisor for Cybersecurity
18Goals of Incident Response
- Confirm or dispel incident
- Promote accurate info accumulation
- Establish controls for evidence
- Protects privacy rights
- Minimize disruption to operations
- Allow for legal/civil recriminations
- Provide accurate reports/recommendations
19Incident Response Methodology
- Pre-incident preparation
- Detection
- Initial Response
- Strategy formulation
- Duplication
- Investigation
- Security measure implementation
- Network monitoring
- Recovery
- Reporting
- Follow-up
207 Components of Incident Response
Investigate the Incident
Pre-Incident Preparation
Formulate Response Strategy
Data Collection
Data Analysis
Reporting
Detection of Incidents
Initial Response
Resolution Recovery Implement Security Measures
Page 15, Fig 2-1, Mandia 2nd Edition
21Detection
D E T E C T
Firewall Logs
IDS Logs
Response Team Activated
Notification Checklist Completed
Suspicious User
Sys Admin
22Initial Critical Details
- Current time and date
- Who/what is reporting the incident
- Nature of the incident
- When the incident occurred
- Hardware/software involved
- Point of contact for involved personnel
23INITIAL RESPONSE
Success
Details from notification checklist
I R N E I S T P I O A N L S E
Verified information about the incident
Prepared response team
How much info is enough?
Failure
24Response Strategy Formulation
Verified information about the incident
Mgt Approved Action Plan
Formulate Response Strategy
Response Posture
Goal determine most appropriate response
strategy
25Factors for Strategy
- How critical are the impacted systems?
- Data sensitivity
- Who are the perpetrators?
- Does the incident have publicity
- Level of access to the hacker
- Apparent skill of the attacker
- How much downtime can be tolerated
- Overall dollar loss involved
26Common Incidents
- Denial of Service Attack
- Unauthorized Use
- Vandalism
- Information Theft
- Computer Intrusion
Management Support
network downtime user downtime legal
liability publcity theft of intellectual property
27Investigation Stage
Live System
Investigation
Network Logs
Investigative Report
Forensic Duplicate
28Security Measure Implementation Stage
Verified Info
Implementing Security Remedies
Monitor
Network Logs
Response Posture
Isolate and Contain
Prevent Same Exposure!
Fishbowling the attacker
29Recovery/Reporting Process
Recovery backups hardening user education COOP
Conclusions
Report
Support Criminal Actions Lessons
Learned Prevent Repeats
Successful containment
30What Will You Do?
- We Need a Initial Response that
- Supports the Goals of Computer Security
- Supports the Business Practices
- Supports Administrative and Legal Policy
- Is Forensically Sound
- Is Simple and Efficient (KISS)
- Provides an Accurate Snapshot for Decision Makers
- Supports Civil, Administrative, or Criminal
Action.
31Common Mistakes
- Failure to Document Findings Appropriately.
- Failure to Notify or Provide Accurate Information
to Decision Makers. - Failure to Record and Control Access to Digital
Evidence. - Wait Too Long Before Reporting.
- Underestimating the Scope of Evidence that may be
found.
32Common Mistakes
- Technical Blunders
- Altering Time/Date Stamps on Evidence Systems
- Killing Rogue Processes
- Patching the System
- Not Recording the Steps Taken on the System
- Not Acting Passively