1 / 31

Lesson 11 Basics of Incident Response

Lesson 11 Basics of Incident Response. Overview. Hacker Lexicon Incident Response. Hacker Lexicon. Rootkit - a collection of tools an intruder loads onto a compromised computer Usually Consists of: trojanized utilities network sniffers log-cleaning scripts. Root Kits.

roy
Download Presentation

Lesson 11 Basics of Incident Response

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lesson 11BasicsofIncident Response

  2. Overview • Hacker Lexicon • Incident Response UTSA IS 3523 ID and Incident Response

  3. Hacker Lexicon • Rootkit - a collection of tools an intruder loads onto a compromised computer • Usually Consists of: • trojanized utilities • network sniffers • log-cleaning scripts UTSA IS 3523 ID and Incident Response

  4. Root Kits • Three primary types: • traditional • loadable kernel modules (LKMs) for Unix/Linux • kernel -level rootkit for Windows NT/2000 • Hundreds of Root-kits in existence • Hackers sites contain “click and choose smorgasbord” (KNOW THY ENEMY) UTSA IS 3523 ID and Incident Response

  5. Traditional Unix/Linux Rootkits • Backdoors - programs that listen on TCP/UDP ports that allow intruder stealthy access • Log wipers - utility which erases log files to hide signs of intruders presence • Packet sniffers - software designed to monitor network traffic to capture packets of interest • Internet Relay Chat (IRC) utilities for comms • DDOS agents - S/W that sends UDP/ICMP floods UTSA IS 3523 ID and Incident Response

  6. LKM Rootkits • Most rootkits used against Unix/Linux systems are Loadable Kernel Modules (LKMs) • Kernel is transparently modified: • Execute Redirection: remaps system utility calls • Remote execution: commands transmitted via the net • Promiscuous mode hiding: hides sniffers • Task hacking: changing the user id (UID), effective user id (EUID), and file system user id (FSUID) of any process UTSA IS 3523 ID and Incident Response

  7. LKM Rootkits • Kernel is transparently modified (contd): • Real-time process hiding -sending the following: “kill -31 process id” allows kernel to suppress all info about the given process • Kernel Module Hiding: LKMs can actually mask their own presence (stealthy LKMs) UTSA IS 3523 ID and Incident Response

  8. WIN NT/2000 Rootkits • Contains: • Kernel Mode Device Driver: “_root_.sys” • Launcher program: “deploy.exe” • Capabilities: • Back doors • Hide files: files with _root_ will be hidden from “dir” • Hide processes and registry entries • Keystroke Intercept UTSA IS 3523 ID and Incident Response

  9. Incident Response Overview • Goals • Methodology • Preparation • Detection • Initial Response • Strategy Formulation • Investigation • Monitoring • Recovery • Reporting UTSA IS 3523 ID and Incident Response

  10. What is an Incident? Incident - an event in an information system/network Time based security: Protection time >> detection time + reaction time Some say its all about vulnerability management UTSA IS 3523 ID and Incident Response

  11. SANS/FBI Top 20 List 20 MOST CRITICAL INTERNET VULNERABILITIES UP TO 800 POSSIBLE SANS Institute 20 Most Critical Internet Security Vulnerabilities UTSA IS 3523 ID and Incident Response

  12. General Vulnerabilities 1. Default installs of OSs and applications 2. Weak or non-existent passwords 3. Incomplete or non-existent backups 4. Large number of open ports 5. Lack of packet filtering 6. Incomplete or non-existent logging 7. Vulnerable CGI programs Source: The SANS Institute UTSA IS 3523 ID and Incident Response

  13. Windows Vulnerabilities 8. Unicode Vulnerability 9. ISAPI Extension Buffer Overflows 10. MS Remote Data Services Exploit 11. NETBIOS – Unprotected Windows Networking Shares 12. Leakage via Null Session Connections 13. Weak Hashing in SAM (Lan Manager Hash) Source: The SANS Institute UTSA IS 3523 ID and Incident Response

  14. Unix Vulnerabilities 14. Buffer Overflows in Remote Procedure Call Services 15. Sendmail Vulnerabilities 16. Bind Weaknesses 17. R Commands 18. LPD – Remote Print Protocol Daemon 19. Sadmind and Mountd 20. Default SNMP Strings Source: The SANS Institute UTSA IS 3523 ID and Incident Response

  15. Home User Guidelines • Use strong passwords (alpha-numeric, over 8 characters) • Make regular backups of critical data • Use virus protection software • Use a firewall as a gatekeeper between your computer and the Internet • Do not leave computers online • Do not open attachments from strangers Source: FBI UTSA IS 3523 ID and Incident Response

  16. The Worst Can Happen "Don't look at the past and assume that's the future. Look at the enemy's strengths and your vulnerability. You've got to realize that the worst case does sometimes happen." -Richard Clarke Special Advisor for Cybersecurity UTSA IS 3523 ID and Incident Response

  17. Goals of Incident Response • Confirm or dispel incident • Promote accurate info accumulation • Establish controls for evidence • Protects privacy rights • Minimize disruption to operations • Allow for legal/civil recriminations • Provide accurate reports/recommendations UTSA IS 3523 ID and Incident Response

  18. Incident Response Methodology • Pre-incident preparation • Detection • Initial Response • Strategy formulation • Duplication • Investigation • Security measure implementation • Network monitoring • Recovery • Reporting • Follow-up See page 18, Fig 2-1 UTSA IS 3523 ID and Incident Response

  19. Pre-Incident Preparation Detection of Incidents Notification Checklist Completed Incident Response Team Formed Initial Response Is it really an Incident? No Yes Formulate Response Strategy Pursue and accumulate evidence and/or secure system Secure System Can Pursue Both Paths Simultaneously Accumulate Evidence Yes Forensic duplication? Forensic Duplication No Investigation Implement Security Measures Perform Network Monitoring Isolate and Contain Reporting Follow-Up Page 18, Fig 2-1

  20. Detection D E T E C T Firewall Logs IDS Logs Response Team Activated Notification Checklist Completed Suspicious User Sys Admin UTSA IS 3523 ID and Incident Response

  21. Initial Critical Details • Current time and date • Who/what is reporting the incident • Nature of the incident • When the incident occurred • Hardware/software involved • Point of contact for involved personnel UTSA IS 3523 ID and Incident Response

  22. INITIAL RESPONSE Success Details from notification checklist I R N E I S T P I O A N L S E Verified information about the incident Prepared response team How much info is enough? Failure UTSA IS 3523 ID and Incident Response

  23. Response Strategy Formulation Verified information about the incident Mgt Approved Action Plan Formulate Response Strategy Response Posture Goal: determine most appropriate response strategy UTSA IS 3523 ID and Incident Response

  24. Factors for Strategy • How critical are the impacted systems? • Data sensitivity • Who are the perpetrators? • Does the incident have publicity • Level of access to the hacker • Apparent skill of the attacker • How much downtime can be tolerated • Overall dollar loss involved UTSA IS 3523 ID and Incident Response

  25. Type of incident + response likely outcome Common Incidents • Denial of Service Attack • Unauthorized Use • Vandalism • Information Theft • Computer Intrusion Management Support network downtime user downtime legal liability publcity theft of intellectual property UTSA IS 3523 ID and Incident Response

  26. Investigation Stage Live System Investigation Network Logs Investigative Report Forensic Duplicate UTSA IS 3523 ID and Incident Response

  27. Security Measure Implementation Stage Verified Info Implementing Security Remedies Monitor Network Logs Response Posture Isolate and Contain Prevent Same Exposure! Fishbowling the attacker UTSA IS 3523 ID and Incident Response

  28. Recovery/Reporting Process Recovery backups hardening user education COOP Conclusions Report Support Criminal Actions Lessons Learned Prevent Repeats Successful containment UTSA IS 3523 ID and Incident Response

  29. What Will You Do? • We Need a Initial Response that: • Supports the Goals of Computer Security • Supports the Business Practices • Supports Administrative and Legal Policy • Is Forensically Sound • Is Simple and Efficient (KISS) • Provides an Accurate Snapshot for Decision Makers • Supports Civil, Administrative, or Criminal Action. UTSA IS 3523 ID and Incident Response

  30. Common Mistakes • Failure to Document Findings Appropriately. • Failure to Notify or Provide Accurate Information to Decision Makers. • Failure to Record and Control Access to Digital Evidence. • Wait Too Long Before Reporting. • Underestimating the Scope of Evidence that may be found. UTSA IS 3523 ID and Incident Response

  31. Common Mistakes • Technical Blunders: • Altering Time/Date Stamps on Evidence Systems • “Killing” Rogue Processes • Patching the System • Not Recording the Steps Taken on the System • Not Acting Passively UTSA IS 3523 ID and Incident Response

More Related