Malicious code Incidents

Definition: Malicious code refers to a program that is covertly inserted into another program with the intent to carry out malicious activities.

Malicious Activities Include:
• Destroy data.
• Run destructive or intrusive programs.
• Compromise the security or the confidentiality, integrity, and availability of the victim’s data, applications, or operating system.
Types Of Threats:
1) Viruses
  • Compiled viruses
  • Interpreted viruses
2) Worms
  • Network service worms
  • Mass mailing worms
3) Trojan Horses
4) Malicious Mobile Code
  • Mostly Java, ActiveX, JavaScript, and VBScript code.
5) Blended Attacks
  • Combination of 1 to 4
6) Attack Tools
  • Backdoors
  • Rootkits
  • Key loggers
  • …
7) Tracking Cookies
8) Non-malware threats
  • Hoax
  • Phishing
Step 1: Preparation
• Preparation
  • Awareness
  • Deployment
  • Resources
• Prevention
  • Education
  • Configuration
  • Control
Step 2: Detection and Analysis
• Malicious code spreads fast, so rapid detection is necessary.
• Precursors often appear immediately before an incident, so the group must not wait for indications.
• Most indications could have causes other than malware.

Step 2: Detection and Analysis
Precursors and Reactions:
• An alert warns of new malicious code.
  • Research it and block its ways of entrance.
• Antivirus software detects and successfully disinfects or quarantines a newly received infected file.
  • Find the reason and mitigate the vulnerability.
Step 2: Detection and Analysis
Special Indications of Each Malicious Code:
• Virus
  • Changes to templates for word processing documents, spreadsheets, etc.
  • Deleted, corrupted, or inaccessible files
  • Unusual items on the screen, such as odd messages and graphics
• Worm
  • Port scans and failed connection attempts targeted at the vulnerable service
  • Increased network usage
• Trojan
  • Network connections between the host and unknown remote systems
  • Unusual and unexpected ports open
• Malicious Mobile Code
  • Used to spread a virus, worm, …
    • Unexpected dialog boxes, requesting permission to do something
    • Unusual graphics, such as overlapping message boxes
  • Used to exploit vulnerabilities
    • Network connections between the host and unknown remote systems
• Hoax
  • Receiving hoax reports
    • No links to outside sources
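The worm and Trojan indications above (failed connection attempts against one service on many hosts; connections to unknown remote systems on unexpected ports) can be turned into simple detection logic over connection logs. The following is an added example, not code from the original slides. The log line layout, the internal network range, the approved-remote list, the expected outbound ports and the scan threshold are all assumptions chosen for illustration, and the log lines themselves are constructed.

```python
"""Detection logic for the worm and Trojan indications listed above.

Added example, not from the original slides. It scans constructed
connection-log lines with the assumed layout
    <timestamp> <src_ip> <dst_ip> <dst_port> <CONNECT|FAIL>
Thresholds, the internal range, the approved-remote list and the
expected outbound ports are assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
KNOWN_REMOTES = {"192.0.2.10"}                       # assumed approved external hosts
EXPECTED_PORTS = {53, 80, 443}                       # assumed normal outbound ports

# Constructed sample log (not real traffic): 10.0.0.5 fails to reach port 445
# on many hosts (worm-like scan); 10.0.0.9 connects to an unknown external
# host on an unusual port (Trojan-like); 10.0.0.12 behaves normally.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 10.0.0.21 445 FAIL
2024-01-01T10:00:01 10.0.0.5 10.0.0.22 445 FAIL
2024-01-01T10:00:02 10.0.0.5 10.0.0.23 445 FAIL
2024-01-01T10:00:02 10.0.0.5 10.0.0.24 445 FAIL
2024-01-01T10:00:03 10.0.0.5 10.0.0.25 445 FAIL
2024-01-01T10:00:03 10.0.0.5 10.0.0.26 445 CONNECT
2024-01-01T10:00:04 10.0.0.9 203.0.113.7 4444 CONNECT
2024-01-01T10:00:05 10.0.0.9 10.0.0.1 53 CONNECT
2024-01-01T10:00:06 10.0.0.12 192.0.2.10 443 CONNECT
2024-01-01T10:00:07 10.0.0.12 10.0.0.21 445 FAIL
"""


def parse_log(text):
    """Turn the raw lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, status = line.split()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "port": int(port), "status": status})
    return events


def find_scanners(events, min_targets=5):
    """Worm indication: one source failing to reach the same port on at
    least `min_targets` distinct hosts. Returns {src: [ports]}."""
    targets = defaultdict(set)
    for e in events:
        if e["status"] == "FAIL":
            targets[(e["src"], e["port"])].add(e["dst"])
    flagged = defaultdict(list)
    for (src, port), dsts in targets.items():
        if len(dsts) >= min_targets:
            flagged[src].append(port)
    return {src: sorted(ports) for src, ports in flagged.items()}


def find_unknown_remote_connections(events, known_remotes=KNOWN_REMOTES,
                                    expected_ports=EXPECTED_PORTS):
    """Trojan indication: established connections from an internal host to
    a remote system that is neither internal nor on the approved list.
    Each finding is (src, dst, port, unusual_port)."""
    findings = []
    for e in events:
        if e["status"] != "CONNECT":
            continue
        if ipaddress.ip_address(e["dst"]) in INTERNAL_NET:
            continue
        if e["dst"] in known_remotes:
            continue
        findings.append((e["src"], e["dst"], e["port"],
                         e["port"] not in expected_ports))
    return findings


def suspected_infected_hosts(events):
    """Candidate list for Step 3 containment: the union of both indication
    types. These are leads to investigate, not confirmed infections."""
    hosts = set(find_scanners(events))
    hosts.update(f[0] for f in find_unknown_remote_connections(events))
    return sorted(hosts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("worm-like scanning:", find_scanners(evs))
    print("unknown remote connections:", find_unknown_remote_connections(evs))
    print("hosts to triage:", suspected_infected_hosts(evs))
```

As the slides note, most indications can have causes other than malware: a vulnerability scanner or an inventory tool also produces failed connection attempts, so the output is a triage list for the handler, not a verdict, and the threshold and allow-lists need to be tuned to the environment.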
Step 3: 1) Containment Strategies
• All incident prevention activities must be done in order to stop the spread of the virus.
• Other activities:
  • Notification
  • Isolation
  • Change access rules
• Identification of infected hosts is not easy.

Step 3: 2) Eradication and Recovery
• Some infected files cannot be cleaned.
• System restore may be needed.
• Securing the system is the last step.
Multiple Component Incidents

Definition: A Multiple Component incident is a single incident that encompasses two or more incidents.

Example:
Step 1 & 2: Preparation, Detection, Analysis
• Conduct exercises that review scenarios involving multiple component incidents.
• Efficient incident analysis:
  • Centralized logging
  • Correlation software

Step 3: Containment, Eradication, Recovery
Approach:
• Contain the initial incident and then search for signs of other components.
• Guess whether the incident has other components.
• Unauthorized access incidents are more likely to have multiple components.

Step 3: Containment, Eradication, Recovery
Prioritization:
• Components must be prioritized separately.
• Respond to the most urgent one first.
• Another factor: how current each component is.
• It may be possible to contain the whole incident by containing just one component.
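The slides on multiple component incidents call for centralized logging, correlation software, separate prioritization of components (weighing how current each one is), and a look for the single component whose containment would contain everything. The following is an added example, not code from the original slides or from any correlation product. It assumes events from several log sources have already been normalised into the dict layout shown; the event records are constructed, and the severity weights, the 30-minute "current" window, the internal network range and the union-find linking rule are all assumptions chosen for illustration.

```python
"""Correlating multi-component incidents from centralized logs and ranking
their components.

Added example, not from the original slides. Event records from several
log sources are assumed to be normalised into the dict layout below; the
severity weights, the "current" window and the internal range are
assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")                       # assumed
SEVERITY = {"unauthorized_access": 3, "dos": 3, "malicious_code": 2}   # assumed weights

# Constructed events (not real data) as received from centralized logging.
EVENTS = [
    {"ts": "2024-01-01T09:30:00", "source": "auth", "host": "10.0.0.9",
     "remote": "203.0.113.7", "type": "unauthorized_access",
     "detail": "successful SSH login after 40 failures"},
    {"ts": "2024-01-01T09:55:00", "source": "antivirus", "host": "10.0.0.9",
     "remote": None, "type": "malicious_code", "detail": "quarantined dropper.exe"},
    {"ts": "2024-01-01T10:00:00", "source": "ids", "host": "10.0.0.9",
     "remote": "10.0.0.21", "type": "malicious_code", "detail": "port 445 scan"},
    {"ts": "2024-01-01T10:02:00", "source": "ids", "host": "10.0.0.21",
     "remote": "10.0.0.9", "type": "malicious_code", "detail": "SMB exploit attempt received"},
    {"ts": "2024-01-01T10:10:00", "source": "ids", "host": "10.0.0.9",
     "remote": "198.51.100.5", "type": "dos", "detail": "outbound SYN flood"},
    {"ts": "2024-01-01T08:00:00", "source": "antivirus", "host": "10.0.0.40",
     "remote": None, "type": "malicious_code", "detail": "quarantined macro document"},
]


def correlate(events):
    """Group events into incidents. Events are linked when they share a host
    or when one event's internal remote peer is another event's host
    (union-find over hosts). Returns a list of {"hosts", "events"}."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for e in events:
        find(e["host"])
        if e["remote"] and ipaddress.ip_address(e["remote"]) in INTERNAL_NET:
            parent[find(e["host"])] = find(e["remote"])
    groups = defaultdict(list)
    for e in events:
        groups[find(e["host"])].append(e)
    return [{"hosts": sorted({e["host"] for e in evs}), "events": evs}
            for evs in groups.values()]


def prioritize_components(incident_events, now_iso, recent=timedelta(minutes=30)):
    """Rank the incident's components separately: severity weight plus one
    point if the component is still current (activity within `recent` of
    `now_iso`). Ties go to the component with the more recent activity."""
    now = datetime.fromisoformat(now_iso)
    by_type = defaultdict(list)
    for e in incident_events:
        by_type[e["type"]].append(datetime.fromisoformat(e["ts"]))
    ranked = []
    for ctype, stamps in by_type.items():
        latest = max(stamps)
        current = now - latest <= recent
        ranked.append({"component": ctype, "events": len(stamps),
                       "latest": latest.isoformat(), "current": current,
                       "score": SEVERITY.get(ctype, 1) + (1 if current else 0)})
    ranked.sort(key=lambda c: (-c["score"], -datetime.fromisoformat(c["latest"]).timestamp()))
    return ranked


def single_containment_candidates(incident_events):
    """Hosts involved in every component of the incident: isolating one of
    them may contain the whole incident with a single action."""
    hosts_by_type = defaultdict(set)
    for e in incident_events:
        hosts_by_type[e["type"]].add(e["host"])
    return sorted(set.intersection(*hosts_by_type.values()))


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print("incident on", inc["hosts"])
        for c in prioritize_components(inc["events"], "2024-01-01T10:15:00"):
            print("   ", c["component"], "score", c["score"], "current", c["current"])
        print("    single-containment candidates:",
              single_containment_candidates(inc["events"]))
```

With the constructed data the engine produces two incidents: one on 10.0.0.9 and 10.0.0.21 with three components, and an unrelated single-component antivirus detection on 10.0.0.40. In the first, the denial-of-service component ranks highest because it is both severe and still current, the older unauthorized-access component drops below the ongoing malicious-code activity despite its weight, and 10.0.0.9 appears in every component, so isolating it is the candidate for containing the whole incident with one action.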
References
• Computer Security Incident Handling Guide, National Institute of Standards and Technology (NIST), U.S.
• A Step-By-Step Approach on How To Set Up a CSIRT, European Network and Information Security Agency (ENISA)
• Expectations for Computer Security Incident Response, RFC3250
• Handbook for Computer Security Incident Response Teams, Carnegie Mellon University, 2nd Edition: April 2003
• Defining Incident Management Processes for CSIRTs: A Work in Progress, Chris Alberts, Audrey Dorofee, Georgia Killcrece, Robin Ruefle, Mark Zajicek, October 2004
Thanks For Your Attention