Incident Handling - PowerPoint PPT Presentation

Slides: 27
Provided by: barbara227

Transcript and Presenter's Notes


1
Incident Handling
2
Intruder Technology
  • Intruders use currently available technology to
    develop new technology

3
Code Red
  • An automated worm with a variety of malicious
    behavior
  • CR1 built from a single-site DoS tool and a previous
    worm
  • At least 7 versions exist that differ in target
    selection and payload
  • All exploit vulnerabilities in IIS installed by
    default in Windows 2000 and Windows XP
  • CR2 has a different payload and an improved
    propagation algorithm
  • CR2 was almost certainly created by a different
    author than CR, based on the original worm (new
    versions are appearing)

4
Professional Threats
  • The new threat is not just simple hacking.
  • Sociology of today's threat vs. hackers
    • Morale
    • Organization
    • Vigilance vs. assumed invulnerability
  • Motivation of today's threat
    • Accountability vs. anarchy
    • Delayed vs. immediate gratification
    • Internal vs. external gratification
  • Preparation of current threat vs. hackers
    • Training
    • Intelligence / strategy

5
Handling Break-ins
  • What to do
  • How to catch intruder
  • How to find damage
  • How to repair damage

6
Basic Rules (1)
  • DON'T PANIC
    • Is it a real break-in?
    • Was any damage really done?
    • Is protecting evidence important?
    • Is restoring normal operation quickly important?
    • Willing to chance modification of files?
    • Is no publicity important?
    • Can it happen again?

7
Basic Rules (2)
  • DOCUMENT
    • Start notebook
    • Collect printouts and backup media
    • Use scripts
    • Consult legal assistance for evidence-gathering

8
Basic Rules (3)
  • PLAN AHEAD
    1. Identify/understand the problem
    2. Contain/stop the damage
    3. Confirm diagnosis and determine damage
    4. Restore system
    5. Deal with the cause
    6. Perform related recovery

9
Discovering an Intruder
  • Catching them in the act
  • Finding changes
  • Receiving message from other system administrator
  • Strange activities
  • User reports

10
Signs of Intrusions
  • Running Processes
  • Configuration Changes
  • Log Gaps
  • Changed Programs
  • Communication
11
Running Processes
  • What
    • Background programs running on user accounts
    • New system processes
    • Running for abnormal amounts of time
  • How to detect
    • Check process list
    • Watch system response time
    • Watch total system load

12
Dealing with Running Processes
  • Notify users of process checking
  • Clarify ownership/identity of processes
  • Look for files opened by process (even if
    removed)
  • Look at network connections by process
  • Check file system/network/configuration
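The process checks on slides 11 and 12, as an added example that is not part of the original deck: it applies "running for abnormal amounts of time", "files opened by process (even if removed)" and "network connections by process" to constructed samples of `ps -eo user,pid,etimes,comm` and `lsof -nP` output. The set of daemon accounts is an assumption.

```python
"""Checks from the running-processes slides, run over constructed samples of
`ps -eo user,pid,etimes,comm` and `lsof -nP` output rather than a live host."""

# Constructed ps output; ELAPSED (etimes) is seconds since the process started.
PS_OUTPUT = """\
USER       PID  ELAPSED COMMAND
root         1  8640000 init
root       412   864000 sshd
alice     2201      350 bash
alice     2210  1209600 irc-bot
bob       3109       42 vim
www       4520   604800 httpd
"""
# Constructed lsof output; lsof appends "(deleted)" to files still held open
# after their directory entry was removed, which is what the slide warns about.
LSOF_OUTPUT = """\
COMMAND   PID USER  FD TYPE DEVICE SIZE/OFF NODE NAME
irc-bot  2210 alice cwd  DIR    8,1     4096    2 /tmp/...
irc-bot  2210 alice txt  REG    8,1    83712   91 /tmp/.../kit (deleted)
irc-bot  2210 alice   3u IPv4    0x1      0t0  TCP 10.0.0.8:41022->203.0.113.5:6667
httpd    4520 www   txt  REG    8,1  1843200   77 /usr/sbin/httpd
"""
SYSTEM_USERS = {"root", "www"}  # assumed daemon accounts; adjust per host

def parse_ps(text):
    """Rows of {user, pid, elapsed, comm} from the sample ps listing."""
    rows = []
    for line in text.splitlines()[1:]:
        user, pid, elapsed, comm = line.split(None, 3)
        rows.append({"user": user, "pid": int(pid), "elapsed": int(elapsed), "comm": comm})
    return rows

def long_running_user_processes(rows, max_seconds=86400):
    """Processes on ordinary user accounts alive longer than max_seconds (one day)."""
    return [r for r in rows if r["user"] not in SYSTEM_USERS and r["elapsed"] > max_seconds]

def deleted_open_files(text):
    """(pid, path) pairs for open files whose on-disk name has been unlinked."""
    hits = []
    for line in text.splitlines()[1:]:
        if line.endswith("(deleted)"):
            parts = line.split()
            hits.append((int(parts[1]), " ".join(parts[8:-1])))
    return hits

def connections_for_pid(text, pid):
    """Remote endpoints a given pid holds open, per the slide's network-connection check."""
    return [p[8] for p in (l.split() for l in text.splitlines()[1:])
            if int(p[1]) == pid and "->" in p[8]]
```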

13
Changed Configuration
  • What
    • Network cards in promiscuous mode
    • Odd printer configuration
    • Odd disk configuration/partitioning
  • How to detect
    • Configuration utilities
    • Static checking tools
    • Program failures
    • Network/printing delays

14
Dealing with Changed Configurations
  • What to do
    • Report changes off of baseline
    • Do a walkabout audit of equipment on network
    • Probe for modems
    • Look for unexpected network routes
  • How to do it
    • Set priorities
    • Establish a flexible schedule
    • Automate as much as possible
    • Vary checks over time

15
Added Accounts/Directories/Files
  • What
    • New files in system areas
    • New programs in odd locations (temporary, guest,
      scratch)
    • New directories with odd names (.. , ...,
      //, etc.)
    • New accounts
  • How to detect
    • File listing utilities
    • File system utilities
    • Account management utilities

16
Dealing with Added Objects
  • Establish procedures for program/account creation
  • Verify ownership and content of suspect
    files/accounts
  • Examine actions taken by suspect programs

17
Log Gaps
  • What
    • Deleted or abridged log files
  • How to detect
    • Lack of expected messages across a time span
    • Mismatches between logs
    • Mismatches with billed access/reported access

18
Dealing with Log Gaps
  • Examine logs for typical events as well as
    atypical ones
  • Establish overlapping logging
  • Establish non-traditional logging
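The two detection signs from slide 17, worked as an added example that is not from the original deck: a silent span in a log that should carry periodic messages, and a login that an overlapping log (slide 18) recorded but the primary log never did. The log lines are constructed; the 20-minute interval follows syslogd's default "-- MARK --" behaviour.

```python
"""Two log-gap checks from the slide: silent spans in a log that should carry
periodic messages, and logins present in a second log but absent from syslog.
All log lines here are constructed samples."""
from datetime import datetime, timedelta
import re

# Constructed syslog excerpt. syslogd writes "-- MARK --" every 20 minutes when
# nothing else is logged, so any silence longer than that needs explaining.
SYSLOG = """\
Mar 10 01:00:00 host syslogd: -- MARK --
Mar 10 01:20:00 host syslogd: -- MARK --
Mar 10 01:31:12 host sshd[411]: Accepted password for alice from 10.0.0.5
Mar 10 01:40:00 host syslogd: -- MARK --
Mar 10 03:20:00 host syslogd: -- MARK --
Mar 10 03:22:07 host sshd[520]: Accepted password for bob from 10.0.0.9
Mar 10 03:40:00 host syslogd: -- MARK --
"""
# Constructed overlapping record (user, source, time) kept on a separate host.
LOGIN_LOG = """\
alice 10.0.0.5 2024-03-10T01:31:12
mallory 10.0.0.77 2024-03-10T02:14:45
bob 10.0.0.9 2024-03-10T03:22:07
"""
SYSLOG_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")

def parse_syslog(text, year=2024):
    """Return (timestamp, message) pairs; classic syslog omits the year."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2)))
    return out

def find_silent_spans(entries, max_silence=timedelta(minutes=20)):
    """Spans between consecutive entries with no message for longer than allowed."""
    return [(t0, t1) for (t0, _), (t1, _) in zip(entries, entries[1:])
            if t1 - t0 > max_silence]

def logins_missing_from_syslog(entries, login_log):
    """Logins the overlapping record holds that syslog never recorded."""
    seen = set()
    for _, msg in entries:
        m = re.search(r"Accepted \S+ for (\S+) from (\S+)", msg)
        if m:
            seen.add((m.group(1), m.group(2)))
    return [(user, ip) for user, ip, _ in (l.split() for l in login_log.splitlines())
            if (user, ip) not in seen]
```

The mallory login falls inside the silent span, which is exactly the pattern an abridged log leaves behind: the gap and the cross-log mismatch point at the same window.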

19
Changed Programs/Files
  • What
    • Modified system programs or files
    • Virus-infected programs or files
  • How to detect
    • Integrity checkers
    • Virus scanners
  • How to deal (see integrity lecture)
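A minimal integrity checker of the kind slide 19 names, which also covers "report changes off of baseline" (slide 14) and "new files in system areas" (slide 15). This is an added example, not the deck's or any tool's own code; it builds a constructed tree in a temporary directory and tampers with it the way the slides describe.

```python
"""A minimal file-integrity baseline of the kind the changed-configuration,
added-files and changed-programs slides rely on. Standard library only; the
directory tree in demo() is constructed in a temp dir, not a real system."""
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map each relative path under root to (sha256 or None, mode bits, size)."""
    base = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            digest, size = None, 0
            if stat.S_ISREG(st.st_mode):  # hash regular files; dirs/symlinks by mode only
                with open(full, "rb") as f:
                    digest, size = hashlib.sha256(f.read()).hexdigest(), st.st_size
            base[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode), size)
    return base

def compare(old, new):
    """Added, removed and modified paths, plus paths that newly carry a
    setuid/setgid bit (the cleanup slide lists removing those)."""
    suid = stat.S_ISUID | stat.S_ISGID
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
            "setuid_setgid": sorted(p for p in new if new[p][1] & suid
                                    and not old.get(p, (None, 0, 0))[1] & suid)}

def put(path, data, mode=None):
    """Write a constructed file, creating parents and optionally setting its mode."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    if mode is not None:
        os.chmod(path, mode)

def demo():
    """Baseline a constructed tree, tamper with it the way the slides describe, compare."""
    with tempfile.TemporaryDirectory() as root:
        put(os.path.join(root, "bin", "ls"), b"original ls")
        put(os.path.join(root, "bin", "ps"), b"original ps")
        before = snapshot(root)
        # Same-size replacement of ps (size checks alone would miss it), a
        # directory named "..." in scratch space, and a setuid shell copy inside it.
        put(os.path.join(root, "bin", "ps"), b"trojaned ps")
        put(os.path.join(root, "tmp", "...", "sh"), b"shell copy", 0o4755)
        after = snapshot(root)
        return compare(before, after)
```

On a real host the baseline must be taken from a known-good state and stored off the system, since an intruder who can change programs can also rewrite a baseline kept beside them.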

20
Communication
  • What
    • IRC communication
    • E-mail
    • Modem traffic
    • Website chat
    • Instant messaging
  • How to detect
    • Logs
    • Sniffing/Monitoring
    • Caller ID

21
Dealing with Intruder Communication
  • Set policy and publicize it
  • Announce examination of e-mail/IRC/instant
    message/web
  • Reconcile logs
  • Look for added clients
  • Watch for suspect sites

22
Dealing with Intruder (1)
  • Ignore intruder
    • Dangerous
    • Contrary to policy/law?
  • Communicate with intruder
    • Dangerous
    • Low return
  • Trace/identify intruder
    • Watch for traps / assumptions
    • Easiest if prepared ahead of time

23
Dealing with Intruder (2)
  • Break intruder's connection
    • Physically
    • Logically (logout, kill processes, lock account)
  • Contact outside help
    • Don't use infected system
    • Avoid using e-mail from connected systems

24
Cleaning up after Intruder
  • Restore system programs / files
  • Delete unauthorized accounts
  • Restore authorized access to affected accounts
  • Restore file / device protections
  • Remove setuid/setgid programs
  • Remove unauthorized mail aliases
  • Remove added files / directories
  • Force new passwords

25
Resuming Operation
  • Investigate until how and when is known, fix
    holes and resume
  • Patch and repair damage, enable further
    monitoring, resume
  • Quick scan and cleanup, resume
  • Call in law enforcement -- delay resumption
  • Do nothing -- use corrupted system

26
Damage Control
  • Deal with consequences of break-in
    • Was sensitive information disclosed?
    • Who do you need to notify formally?
    • Who do you need to notify informally?
    • What disciplinary action is needed?
    • What vendor contacts do we need to make?
    • What other system administrators should be
      notified?
    • What updated employee training is needed?