Investigating Internet Security Incidents
A Brief Introduction to Cyber Forensic Analysis
Peter Stephenson, pstephen@imfgroup.com
Agenda
• Intrusion approaches
• Investigative tool kit
• Investigative approaches
• End-to-end tracing
• Evidence collection and preservation
• Forensic use of RMON2-based tools for documenting the path of an attack
What is Cyber Crime?
• Crimes directed against a computer
• Crimes where the computer contains evidence
• Crimes where the computer is used to commit the crime
The Nature of Computer Related Crime in Today's Organizations (chart; source: 1998 CSI/FBI Study)
There Are Only 4 Kinds of Attacks
• Denial of service
• Social engineering
• Technical
• Sniffing
Intrusion Approaches
• Target selection, research and background info
  • Internet searches
  • Whois, nslookup
• Preliminary probing - avoid logging - get passwords
  • POP probe
  • Sniffing
  • DNS zone transfer
  • SMTP probe
  • Other simple probes
• Search for back doors
• Technical attack or social engineering
Cleaning Up After an Attack
• Delete tools and work files
• Modify logs (Unix example)
  • Syslog
  • messages files (especially the mail log)
  • su log
  • lastlog (including wtmp and utmp)
  • daemon logs
  • transfer logs
INVESTIGATIVE AXIOM: Treat every incident as if it will end up in a criminal prosecution.
Your Investigative Tool Kit
• Policies
• Criminal profiling
• Tracing tools
• Log analysis
• Crime scene (victim computer) analysis
• E-mail header analysis
• News group header analysis
The Role of Policies
• They define the actions you can take
• They must be clear and simple to understand
• The employee must acknowledge that he or she has read them, understands them and will comply with them
• They can't violate the law
Electronic Communications Privacy Act - Your Enabling Law
• Owner may intercept communications between an intruder and that owner's computer system
• Owner providing others with the ability to use that computer to communicate with other computer systems may:
  • make routine backups and perform other routine monitoring
  • intercept with prior consent of the user
  • intercept portions of communications necessary to determine origin and destination
  • intercept where necessary to protect the owner's rights or property
  • disclose to law enforcement any communications inadvertently discovered which reveal criminal activity
Criminal Profiling
• Criminal profiling is the process of using available information about a crime and crime scene to compose a psychological portrait of the unknown perpetrator of the crime
• Classical profiling goals - to provide:
  • a social and psychological assessment of the offender
  • a psychological evaluation of relevant possessions found with suspected offenders
  • strategies that should be used when interviewing offenders
Crime Scene Analysis
• Branch of profiling using standard investigative techniques to analyze crime scenes
• Investigators are usually most comfortable with this approach
• Very useful in computer incidents
Developing a Profile of an Intruder
• Crime scene analysis
  • how was access obtained? What skills were required?
  • how did the intruder behave on the system? Damage? Clean-up? Theft?
• Investigative psychology
  • motivation
  • personality type
Goals of an Investigation
• To ensure that all applicable logs and evidence are preserved
• To understand how the intruder is entering the system
• To obtain the information you need to justify a trap and trace of the phone line the intruder is using, or to obtain a subpoena for information from an ISP
• To discover why the intruder has chosen the computer
• To gather as much evidence of the intrusion as possible
• To obtain information that may narrow your list of suspects
• To document the damage caused by the intruder
• To gather enough information to decide if law enforcement should be involved
Immediate Objective: PRESERVE THE EVIDENCE!!!
• Begin a traceback to identify possible log locations
• Contact system administrators on intermediate sites to request log preservation
• Contain damage
• Collect local logs
• Image disks on victim computers
Building an Incident Hypothesis
• Start with witness accounts
• Consider how the intruder could have gained access
  • eliminate the obvious
  • use logs and other physical evidence
  • consider the skill level or inside knowledge required
• Create mirrors of affected computers
Building an Incident Hypothesis (continued)
• Develop a profile of the intruder
• Consider the path into the victim computer
• Recreate the incident in the lab
  • use real mirrors whenever possible
• Consider alternative explanations
  • test alternatives
Incident Reconstruction
• Physical
  • use mirrors of the actual involved systems
  • useful for single computers
• Logical
  • use similar systems
  • useful for networks where you have access to the entire network
• Theoretical
  • hypothesize intermediate computers
  • necessary when you can't access all involved computers
Back Tracing
• Elements of a back trace
  • end points
  • intermediate systems
  • e-mail and packet headers
  • logs
• Objective: to get to a dial-in POP
• The only messages that can't be back traced are those using a true anonymizer and those where no logs are present
Enabling Relationships (diagram): the intruder dials in (telco logs) to an ISP (ISP's logs), crosses the Internet, penetrates a host and attacks the victim (our logs); each step leaves logs that the back trace depends on.
Obtaining Subpoenas
• Notify the involved organization that you are going to subpoena and request that they preserve evidence - find out who to deliver the subpoena to
• File a John/Jane Doe lawsuit with an emergency order to subpoena appropriate records
• Subpoena the logs you need
• Get everything you can on the first pass
• May need depositions
Requirements for Logs to be Used as Evidence
• Must not be modifiable
  • Spool off to protected loghost
  • Optical media
  • Backups
• Must be complete
  • All superuser access
  • Login and logout
  • Attempts to use any controlled services
  • Attempts to access critical resources
  • E-mail details
• Appropriate retention
Tracing E-Mail Headers (callout numbers as on the slide; Received lines are read from the bottom up, so (1) is the originating system)
(3) Received: from mailhost.example.com ([XXX.XXX.178.66]) by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
(2) Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
(1) Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
    Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
(4) From: fake user name@iname.com
    Message-Id: <199809122225.SAA29949@web03.iname.net>
    Content-Type: text/plain
    Mime-Version: 1.0
    To: victim@smtp.example.com
    Content-Transfer-Encoding: 7bit
    Subject: This is a forged e-mail message
Performing the Trace
• Contact iname's Security Officer
• Connect account name, time, & message ID to source IP address
• Locate ISP & contact Security Officer
• Get logs from source IP
• Who was connected at the time of the E-Mail?
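The two slides above walk the Received: chain of the forged message by hand. The following script is an added example (not part of the slides) that does the same mechanically: it rebuilds the message from the slide as constructed input, orders the hops from origin to victim, finds the relay whose queue id is embedded in the Message-Id (the first system that logged the message, and therefore the one whose security officer is contacted first), and computes the time between hops so that clock skew between relays is visible before anyone tries to match timestamps against ISP logs. The regular expression assumes sendmail-style Received headers like the ones on the slide.

```python
"""Reconstruct the relay path of an e-mail from its Received: headers."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample input: the forged message from the slide, reassembled as
# raw header text. The redacted XXX.XXX address and all hostnames are kept
# exactly as the slide shows them.
RAW_MESSAGE = """\
Received: from mailhost.example.com ([XXX.XXX.178.66]) by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
From: fake user name@iname.com
Message-Id: <199809122225.SAA29949@web03.iname.net>
Content-Type: text/plain
Mime-Version: 1.0
To: victim@smtp.example.com
Content-Transfer-Encoding: 7bit
Subject: This is a forged e-mail message

(message body omitted)
"""

# Sendmail-style "Received:" line: [from <host> [(<info>)] | (from <local>)]
# by <host> [...] [id <queue-id>]; <date>
RECEIVED_RE = re.compile(
    r"^(?:\(from\s+(?P<local>[^)]+)\)|from\s+(?P<frm>[^\s;]+)(?:\s+\((?P<frm_info>[^)]*)\))?)?"
    r".*?\bby\s+(?P<by>[^\s;]+)"
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?"
    r".*?;\s*(?P<date>[^\n]+)$",
    re.DOTALL,
)


def parse_received(value):
    """Split one Received: header into the fields a tracer needs."""
    m = RECEIVED_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable Received header: {value!r}")
    hop = m.groupdict()
    hop["timestamp"] = parsedate_to_datetime(hop["date"])  # timezone-aware
    return hop


def trace_path(raw_message):
    """Return the hops in chronological order, originating system first.

    Every relay prepends its own Received: line, so the order in the message
    is newest-first; reversing it yields the path the message actually took.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]


def injection_hop(raw_message, hops):
    """Find the relay whose queue id appears in the Message-Id.

    The relay that minted the Message-Id is the first system that logged the
    message, so its logs (queue id plus time) are where the account and the
    source address can be connected, as the "Performing the Trace" slide does.
    """
    msg_id = message_from_string(raw_message).get("Message-Id", "")
    for hop in hops:
        if hop["id"] and hop["id"] in msg_id:
            return hop
    return None


def hop_delays(hops):
    """Time between consecutive Received stamps.

    A negative delay means two relays' clocks disagree, so their timestamps
    must be reconciled against each server's own logs rather than trusted.
    """
    return [b["timestamp"] - a["timestamp"] for a, b in zip(hops, hops[1:])]


if __name__ == "__main__":
    hops = trace_path(RAW_MESSAGE)
    for n, hop in enumerate(hops, 1):
        src = hop["local"] or hop["frm"]
        print(f"hop {n}: {src} -> {hop['by']} id={hop['id']} at {hop['timestamp'].isoformat()}")
    first = injection_hop(RAW_MESSAGE, hops)
    print("first relay to log the message:", first["by"], "queue id", first["id"])
    for n, d in enumerate(hop_delays(hops), 1):
        print(f"delay hop {n} -> hop {n + 1}: {d}")
```

Run on the slide's message, the origin hop is "(from root@localhost) by web03.iname.net id SAA29949", whose queue id matches the Message-Id, so iname is the first organisation to ask for logs; the delay from hop 2 to hop 3 comes out negative (about six minutes), which is the clock skew between mailhost.example.com and smtp.exampl.com that a manual reading of the timestamps would otherwise hide.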
Evidence Collection & Preservation
• Forensic evidence
  • Safeback - creates physical images and mirrors of affected computers
• Forensic analysis
  • NTI tools
• NEVER work directly on the evidence
• Never contribute to the evidence
• Ensure chain of custody
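The "Requirements for Logs to be Used as Evidence" slide says logs must not be modifiable, and the slide above says to keep a chain of custody and never work on the evidence itself. The following is an added example (not a tool the slides name, and not Safeback or NTI code) of one way to make both requirements checkable: the image is fingerprinted at acquisition, every handling step is recorded in a hash-chained custody log, and a verifier shows exactly which entry was altered or removed. The image bytes, actors and timestamps are constructed sample data.

```python
"""Tamper-evident evidence fingerprint and hash-chained chain-of-custody log."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first custody entry

# Constructed sample: stands in for a disk image produced by an imaging tool.
SAMPLE_IMAGE = b"constructed sample bytes, not a real disk image\n" * 1024


def fingerprint(data):
    """SHA-256 of an evidence image, recorded at acquisition and rechecked
    before every analysis session so work is only ever done on a verified copy."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry):
    """Hash of every field except the entry's own hash, in canonical JSON so
    the value does not depend on key order or whitespace."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def append_entry(chain, *, when, actor, action, evidence_hash):
    """Append a custody entry linked to the previous one by its hash."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {
        "seq": len(chain),
        "when": when,                 # ISO-8601 UTC timestamp (constructed)
        "actor": actor,
        "action": action,
        "evidence_sha256": evidence_hash,
        "prev_hash": prev,
    }
    entry["entry_hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of the
    first entry whose content or position no longer matches the chain)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry_hash(entry) != entry["entry_hash"]:
            return False, i
        prev = entry["entry_hash"]
    return True, None


def image_matches(data, chain):
    """Check a working copy against the hash recorded at acquisition."""
    return fingerprint(data) == chain[0]["evidence_sha256"]


def build_sample_log():
    """Constructed custody history: acquire, seal, hand over for analysis."""
    img = fingerprint(SAMPLE_IMAGE)
    chain = []
    append_entry(chain, when="1998-09-13T02:10:00Z", actor="examiner A",
                 action="acquired physical image of victim host", evidence_hash=img)
    append_entry(chain, when="1998-09-13T02:35:00Z", actor="examiner A",
                 action="wrote image to write-once media, sealed in evidence bag", evidence_hash=img)
    append_entry(chain, when="1998-09-14T09:00:00Z", actor="custodian B",
                 action="released working copy to analyst C, original remains sealed", evidence_hash=img)
    return chain


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", verify_chain(log))
    print("working copy matches acquisition hash:", image_matches(SAMPLE_IMAGE, log))
    altered = [dict(e) for e in log]
    altered[1]["actor"] = "someone else"
    print("after editing entry 1:", verify_chain(altered))
```

Because each entry carries the previous entry's hash, rewriting one entry invalidates its own hash, recomputing that hash breaks the link from the next entry, and deleting an entry is caught at the gap; the log therefore satisfies the "must not be modifiable" requirement in a way a reviewer can verify, provided the latest entry hash is itself copied somewhere the log's custodian cannot rewrite (the protected loghost or optical media the slides call for).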
RMON2 Tracing Tools
• Requires RMON2 devices
• Use ODS Networks Secure Switch Investigator
• Looks for evidence of alien conversations served from within the victim's perimeter
• By moving "outwards" a step at a time, determine the source of the attack
MCI DoSTracker
• Attempts to trace source-forged packets, starting at the victim location and tracing backwards to the possible source
• Attack must be in progress
• Process
  • log in to the starting edge router
  • deploy an access control list in debug mode for the victim IP
  • clear the victim subnet cache
  • look for forged packets by comparing them to the route table
  • spawn a separate process to log in to the next-hop router and continue
CMDS - Abuse at the Host
• Manager-agent architecture
• Responds to violations of policies
• Analyzes usage patterns
• Identifies rogue users
• Identifies masqueraders
• Available from ODS Networks
Summary
• Ensure appropriate policies
• Preserve the crime scene (victim computer)
• Act immediately to identify and preserve logs on intermediate systems
• Conduct your investigation
• Obtain subpoenas or contact law enforcement