280 likes | 290 Views
Learn about the phases of incident response, from preparation to follow-up, addressing security policy violations, incident detection, containment, restoration, and monitoring in a detailed manner. Understand the goals, identification, and damage assessment involved in responding to security incidents. Be equipped with the knowledge needed to detect, contain, and recover from security breaches effectively.
E N D
CSC 382/582: Computer Security Incident Response CSC 382/582: Computer Security
Incident Response What is an Incident? Phases of Incident Response • Preparation • Identification • Containment • Damage Assessment • Preserve Evidence • Eradication • Recovery • Follow-up CSC 382/582: Computer Security
What is an Incident? Violation of security policy: • Unauthorized access of information • Unauthorized access to machines • Embezzlement • Virus or worm attack • Denial of service attacks • Email spam or harassment CSC 382/582: Computer Security
Detecting an Incident • Catching perpetrator in the act • Unauthorized logins, NIDS alerts. • Noticing unauthorized system changes. • Receiving a message from another site, saying that your site was used to launch an attack on them. • Strange activities on system: • crashes, random reboots, slow performance. CSC 382/582: Computer Security
Incident Response Restoring system to satisfy site security policy Phases: • Preparation for attack (before attack detected) • Identification of attack • Containment of attack (confinement) • Damage assessment • Preserve evidence (if necessary) • Eradication of attack (stop attack) • Recovery from attack (restore system to secure state) • Follow-up to attack (analysis and other actions) CSC 382/582: Computer Security
Preparation • Configure intrusion detection systems. • Determine your response goals. • Document incident response procedures. • Who to contact? • What to do? • Organizing a CSIRT • Finding and training personnel. • Hardware/software necessary for investigation. CSC 382/582: Computer Security
Incident Response Goals • Determine if a security breach occurred. • Contain intrusion to prevent further damage. • Recover systems and data. • Prevent future intrusions of same kind. • Investigate and/or prosecute intrusion. • Prevent public knowledge of incident. CSC 382/582: Computer Security
Identification • Who/what reported incident. • Date and time of the incident. • Nature of the intrusion. • What level of unauthorized access was attained? • Is it known to the public? • Hardware/software involved • How critical are the affected systems? • Assemble CSIRT • Team membership may vary based on nature of incident CSC 382/582: Computer Security
Containment Limit access of attacker to system resources. Containment method depends on criticality of systems and extent of intrusion. • Monitoring intruder • Reducing intruder’s access • Deception • De-activating the affected account • Need to kill active processes too • Blocking access to system via firewall • Pulling network/phone cable • Powering down system CSC 382/582: Computer Security
Monitoring • Records attacker’s actions; does not interfere with attack: • Idea is to find out what the attacker is after and/or methods the attacker is using. • Problem: attacked system is vulnerable throughout • Attacker can also attack other systems. • Example: type of OS can be derived from settings of TCP and IP packets of incoming connections • Analyst draws conclusions about source of attack. CSC 382/582: Computer Security
Reducing Access • Reduce protection domain of attacker. • Problem: if defenders do not know what attacker is after, reduced protection domain may contain what the attacker is after. • Stoll created document that attacker d/led. • Download took several hours, during which the phone call was traced to Germany. CSC 382/582: Computer Security
Deception Honeypot: system designed for intruders to attack, to waste their time and to allow safe monitoring • ex: The Honeynet Project, honeyd Deception Tool Kit • Creates false network interface. • Can present any network configuration to attackers. • When probed, can return wide range of vulnerabilities. • Attacker wastes time attacking non-existent systems while analyst collects and analyzes attacks to determine goals and abilities of attacker. Experiments show deception is effective response to keep attackers from targeting real systems. CSC 382/582: Computer Security
Honeynet Project Tool development • Environment simulation: virtual machines. • Data control: firewalling tools to limit attacker activities to avoid damaging other systems. • Data collection: network and keystroke loggers. • Data analysis: tools to extract relevant data from tcpdump logs and more. Research and documentation • Analysis of attacker and honeypot techniques. • Analysis of particular attacks. CSC 382/582: Computer Security
Damage Assessment: Data • System date and time when assessment began. • List of users currently logged in. • Time/date stamps for filesystem. • List of processes • List of open network sockets • Associated applications • Associated systems • System configuration files. • Log and accounting files. • System date and time when assessment complete. CSC 382/582: Computer Security
Data Assessment: Procedure Use trusted binaries from floppy/CDROM • Use a trusted shell. • Set PATH to only use floppy/CDROM tools. System date and time: > date Mon Apr 26 13:33:08 EDT 2004 List of current users > w 1:33pm up 30 day(s), 3:34, 3 users, load avg:0.26 User tty login@ idle JCPU PCPU what root console 9:21am 4:13 -sh wald pts/14 15Apr04 3:25 66:24 63:06 -bash root pts/20 9:21am 4:12 -sh novi pts/6 Sat 4pm 17 52 -bash CSC 382/582: Computer Security
Data Assessment: Procedure File date/time stamps ls –alRu / >/mnt/floppy/atime ls –alRc / >/mnt/floppy/ctime ls –alR / >/mnt/floppy/mtime Network ports > netstat –anp Active Internet connections (servers and established) Proto Local Addr Foreign Addr State Program tcp :::22 :::* LISTEN 26327/sshd tcp 10.17.0.110:22 10.1.0.90:51327 ESTABLISHED 28644/sshd: tcp 127.0.0.1:25 0.0.0.0:* LISTEN 1840/sendmail udp 0.0.0.0:32768 0.0.0.0:* 1456/rpc.statd udp 0.0.0.0:68 0.0.0.0:* 1363/dhclient udp 0.0.0.0:111 0.0.0.0:* 1436/portmap CSC 382/582: Computer Security
Data Assessment: Procedure Running Processes > ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 1928 520 ? S Apr17 0:04 init [5] root 1403 0.0 0.0 2128 580 ? S Apr17 0:01 syslogd -m 0 rpc 1436 0.0 0.0 2516 576 ? S Apr17 0:00 portmap rpcuser 1456 0.0 0.0 2916 832 ? S Apr17 0:00 rpc.statd smmsp 1849 0.0 0.2 7324 2520 ? S Apr17 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue root 1970 0.0 0.0 2992 348 tty3 S Apr17 0:00 /sbin/mingetty tty3 root 26327 0.0 0.1 4728 1504 ? S Apr21 0:00 /usr/sbin/sshd waldenj 28646 0.0 0.2 8548 2560 ? S 11:12 0:00 sshd: waldenj@pts /7 waldenj 28647 0.0 0.1 6800 1500 pts/7 S 11:12 0:00 -bash root 28767 0.0 0.1 6572 1356 pts/7 S 13:44 0:00 bash root 28789 0.0 0.0 3624 876 pts/7 R 13:49 0:00 ps aux CSC 382/582: Computer Security
Data Assessment: Procedure Collect system configuration • Check for sniffers: ifconfig • /etc/passwd, /etc/shadow, /etc/group • Scheduled jobs: cron and at • System init files: /etc/inittab, /etc/rc.d Collect system log files • Login logs in /etc/utmp, /etc/wtmp • Check /etc/syslog.conf • Log files in /var/adm, /var/log • Process accounting files in /var/acct • Shell history files, e.g., ~/.bash_history CSC 382/582: Computer Security
Preserve Evidence In-depth live system investigation. Construct a bit-level copy of entire hard disk or partition for forensic examination. • Create image in single-user mode md5sum /dev/hda dd if=/dev/hda conv=noerror,sync | ssh desthost “cat >disk.img” desthost> md5sum disk.img CSC 382/582: Computer Security
Eradication • Do nothing. • Kill attacker’s processes and/or accounts. • Block attacker’s network access to system. • Patch and repair what you think was changed, then resume operation. • Investigate until root cause discovered, then restore system from backups and patch security holes. • Call law enforcement before proceeding further. CSC 382/582: Computer Security
Follow-Up • File reports with law enforcement, vendor, or regulatory agency. • File insurance claims if relevant. • Notify administrators of other affected systems. • Disciplinary actions against employees for internal attacks. • Update security of computer networks/systems. • Review handling of the incident. • Update incident handling policy/training. CSC 382/582: Computer Security
Follow-Up Tracking/Counter-attacking • IP header marking: traceback at the packet level. • Counterattacking CSC 382/582: Computer Security
IP Header Marking Router inserts header data indicating path taken. When do you mark it? Deterministic: always marked. Probabilistic: marked with some probability. How do you mark it? Internal: marking placed in existing header. Expansive: header expanded to include space for marking. CSC 382/582: Computer Security
Counterattacking Use legal procedures • Collect chain of evidence so legal authorities can establish attack was real. • Check with lawyers for this • Rules of evidence very specific and detailed. • If you don’t follow them, expect case to be dropped. Technical attack • Goal is to damage attacker seriously enough to stop current attack and deter future attacks. CSC 382/582: Computer Security
Consequences • Counterattack may harm innocent party. • Attacker may have broken into source of attack or may be impersonating innocent party. • Counterattack may have side effects. • If counterattack is flooding, may block legitimate use of network. • Counterattack antithetical to shared use of network. • Counterattack absorbs network resources and makes threats more immediate. • Counterattack may be legally actionable. CSC 382/582: Computer Security
Example: Counterworm • Counterworm given signature of worm. • Counterworm spreads rapidly, deleting all occurrences of original worm. • ex: Welchia/Nachi hunts Blaster/MyDoom worms. • Issues • Can counterworm delete only targeted worm? • What if infected system gathering worms for research? • How do originators of counterworm know it will not cause problems for any system? • And are they legally liable if it does? CSC 382/582: Computer Security
Key Points • Security incidents come in many forms. • Prepare for an incident before one occurs. • Understand your response goals. • Don’t trust the affected system in any way. • Contain the problem, then prepare detailed response. • Save data offline for later analysis. • Legal issues of counterattacks. CSC 382/582: Computer Security
References • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. • N. Brownlee and E. Guttman, , “RFC 2350 - Expectations for Computer Security Incident Response,” http://www.faqs.org/rfcs/rfc2350.html, 1998. • CERT, “Computer Security Incident Response Team (CSIRT) FAQ,” http://www.cert.org/csirts/csirt_faq.html • William Cheswick, Steven Bellovin, Steven, and Avriel Rubin, Firewalls and Internet Security, 2nd edition, Addison-Wesley, 2003. • Fraser (ed.), “RFC 2196 - Site Security Handbook,” http://www.faqs.org/rfcs/rfc2196.html, 1997. • Garfinkel, Simson, Spafford, Gene, and Schartz, Alan, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003. • Kevin Mandia, Chris Prosise, and Matt Pepe, Incident Response & Computer Forensics, 2nd edition, McGraw-Hill, 2003. CSC 382/582: Computer Security