1 / 49

L esson 1 Course Introduction

L esson 1 Course Introduction. Overview. Course Administrivia Info Assurance Review Incident Response. IS6353 Intrusion Detection and Incident Response. 6:00-7:50 PM T/TH Robert Kaufman Background Contact information Syllabus and Class Schedule Student Background Information

ziv
Download Presentation

L esson 1 Course Introduction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lesson 1Course Introduction

  2. Overview • Course Administrivia • Info Assurance Review • Incident Response UTSA IS 6353 Incident Response

  3. IS6353 Intrusion DetectionandIncident Response • 6:00-7:50 PM T/TH • Robert Kaufman • Background • Contact information • Syllabus and Class Schedule • Student Background Information • Email to robert.kaufman@utsa.edu UTSA IS 6353 Incident Response

  4. Student Information • Name • Reliable email address • Email to robert.kaufman@utsa.edu UTSA IS 6353 Incident Response

  5. Text Books • Course Text: • Incident Response and Computer Forensics Mandia, Kevin and Prosise, Chris, Osborne/McGraw Hill Publishing, 2003.  ISBN 0-07-222696-X • Additional References: • Principles of Computer Security, Conklin, White, Cothren, Williams, and Davis • Hacking Exposed, by McClure, Scambray, Kurtz • Cyber crime Investigator’s Field Guide, by Bruce Middleton UTSA IS 6353 Incident Response

  6. Grading • Grades • 2 Tests • Final • 1 Paper • 3-5 Labs UTSA IS 6353 Incident Response

  7. A Sampling of Malicious Activity • March 1999 - EBay gets hacked • March 1999 - Melissa virus hits Internet • April 1999 - Chernobyl Virus hits • May 1999 - Hackers shut down web sites of FBI, Senate, and DOE • June 1999 - Worm.Explore.Zip virus hits • July 1999 - Cult of the Dead Cow (CDC) releases Back Orifice • Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites • Oct 1999 - Teenage hacker admits to breaking into AOL

  8. A Sampling of Malicious Activity • Nov 1999 - BubbleBoy virus hits • Dec 1999 - Babylonia virus spreads • Feb 2000 - Several sites experience DOS attacks • Feb 2000 - Alaska Airlines site hacked • May 2000 - Love Bug virus ravages net • July 2001 – Code Red Runs Rampant • Sept 2001 – Nimda Explodes

  9. A Sampling of Malicious Activity • Jan 2003 – Sapphire/Slammer Worm • Aug 2003 – Blaster (LoveSan) Worm • Jan 2004 – MyDoom • Mar 2004 – Witty Worm • May 2004 – Sasser Worm • Dec 2006 – TJX Credit/Debit Card Theft via hack • Jan 2007 – Storm Worm • Mar 2009 - Conficker • 2008-2009- STUXNET • 2009 – Zues Trojan http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms

  10. Spread of Slammer—25 Jan 05:29 UTC UTSA IS 6353 Incident Response

  11. Spread of Slammer—25 Jan 06:00 UTC UTSA IS 6353 Incident Response

  12. CSI Survey: Average Loss UTSA IS 6353 Incident Response Ref: 2008 CSI Survey

  13. Internet Security Software Market 2002 - $7.4 Billion est. 1999 - $4.2 Billion 1998 - $3.1 Billion 1997 - $2 Billion ’97 & ’98 figures based on a study released by market research firm International Data Corp. in Framingham, Mass. ’99 & ’02 figures from IDC study based on a survey of 300 companies with more than $100 million in annual revenues UTSA IS 6353 Incident Response

  14. 988 Detected 267 Reported 24,700 Succeed 38,000 Attacks 721 Not Reported 23,712 Undetected 13,300 Blocked DISA VAAP Results P R O TECTION D E T E C T I O N REACTION UTSA IS 6353 Incident Response

  15. Computer Security The Prevention and/or detection of unauthorized actions by users of a computer system. In the beginning, this meant ensuring privacy on shared systems. Today, interesting aspect of security is in enabling different access levels. UTSA IS 6353 Incident Response

  16. What are our goals in Security? • The “CIA” of security • Confidentiality • Integrity • Data integrity • Software Integrity • Availability • Accessible and usable on demand • (authentication) • (nonrepudiation) UTSA IS 6353 Incident Response

  17. The “root” of the problem • Most security problems can be grouped into one of the following categories: • Network and host misconfigurations • Lack of qualified people in the field • Operating system and application flaws • Deficiencies in vendor quality assurance efforts • Lack of qualified people in the field • Lack of understanding of/concern for security UTSA IS 6353 Incident Response

  18. Access Controls Encryption Firewalls Intrusion Detection Incident Handling Computer Security Operational Model Protection = Prevention + (Detection + Response) UTSA IS 6353 Incident Response

  19. Proactive –vs- Reactive Models • “Most organizations only react to security threats, and, often times, those reactions come after the damage has already been done.” • “The key to a successful information security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you.” UTSA IS 6353 Incident Response

  20. So What Happens When Computer Security Fails? • Incident Response Methodology--7 Step Process • Preparation: Proactive Computer Security • Detection of Incidents • Initial Response • Formulate Response Strategy • Investigate the Incident • Reporting • Resolution UTSA IS 6353 Incident Response

  21. 7 Components of Incident Response Investigate the Incident Pre-Incident Preparation Formulate Response Strategy Data Collection Data Analysis Reporting Detection of Incidents Initial Response Resolution Recovery Implement Security Measures UTSA IS 6353 Incident Response Page 15, Fig 2-1, Mandia 2nd Edition

  22. Resources in the Fight • SANS • CERT CC • FIRST • CERIAS • NIST • CIAS UTSA IS 6353 Incident Response

  23. SANS • System Administration, Networking, and Security (SANS) Institute • Global Incident Analysis Center • Security Alerts, Updates, & Education • NewsBites, Security Digest, Windows • Digest • Certification • http://www.sans.org/ UTSA IS 6353 Incident Response

  24. Carnegie Mellon CERT CC • Computer Emergency Response Team Coordination Center • Started by DARPA • Alerts & Response Services • Training and CERT Standup • Clearing House • http://www.cert.org UTSA IS 6353 Incident Response

  25. FIRST • Forum of Incident Response and Security • Teams • Established 1988 • Govt & Private Sector Membership • Over 70 Members • Coordinate Global Response • http://www.first.org UTSA IS 6353 Incident Response

  26. CERIAS • Center for Education and Research in • Information Assurance and Security • Home of Gene Spafford • A "University Center" • InfoSec Research & Education • Members: Academia, Govt, & Industry • http://www.cerias.purdue.edu/coast/) UTSA IS 6353 Incident Response

  27. NIST • National Institute of Science and Technology (NIST) • Operares Computer Security • Resource Clearinghouse (CSRC) • Raising Awarenss • Multiple Disciplines • Main Source of Fed Govt Standards • http://csrc.ncsl.nist.gov/ UTSA IS 6353 Incident Response

  28. CIAS • UTSA’s Center for Infrastructure Assurance and Security (CIAS) • Multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security. • National Cyber Exercises • Cyber Security Training • Cyber Competitions • http://www.utsa.edu/cias/ UTSA IS 6353 Incident Response

  29. So How Many VulnerabiltiesAre Out?Lets See What the CERT CCSays. UTSA IS 6353 Incident Response

  30. UTSA IS 6353 Incident Response

  31. UTSA IS 6353 Incident Response

  32. UTSA IS 6353 Incident Response

  33. UTSA IS 6353 Incident Response

  34. UTSA IS 6353 Incident Response

  35. History LessonThe Art of War, Sun Tzu Lesson for you • Know the enemy • Know yourself…and in a 100 battles you will never be defeated • If ignorant both of your enemy and of yourself you are certain in every battle to be in peril UTSA IS 6353 Incident Response

  36. History LessonThe Art of War, Sun Tzu Lesson for the Hacker • Probe him and learn where his strength is abundant and where deficient • To subdue the enemy without fighting is the acme of skill • One able to gain victory by modifying his tactics IAW with enemy situation may be said to be divine UTSA IS 6353 Incident Response

  37. Hacker Attacks • Intent is for you to know your enemy • Not intended to make you a hacker • Need to know defensive techniques • Need to know where to start recovery process • Need to assess extent of investigative environment UTSA IS 6353 Incident Response

  38. Anatomy of a Hack FOOTPRINTING SCANNING ENUMERATION ESCALATING PRIVILEGE GAINING ACCESS PILFERING CREATING BACKDOORS COVERING TRACKS DENIAL OF SERVICE UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  39. Footprinting Objective • Target Address Range • Acquire Namespace • Information Gathering • Surgical Attack • Don’t Miss Details Technique • Open Source Search • whois • Web Interface to whois • ARIN whois • DNS Zone Transfer UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  40. Scanning Objective • Bulk target assessment • Determine Listening Services • Focus attack vector Technique • Ping Sweep • TCP/UDP Scan • OS Detection UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  41. Enumeration Objective • Intrusive Probing Commences • Identify valid accounts • Identify poorly protected shares Technique • List user accounts • List file shares • Identify applications UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  42. Gaining Access Objective • Informed attempt to access target • Typically User level access Technique • Password sniffing • File share brute forcing • Password file grab • Buffer overflows UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  43. Escalating Privilege Objective • Gain Root level access Technique • Password cracking • Known exploits UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  44. Pilfering Objective • Info gathering to access trusted systems Technique • Evaluate trusts • Search for cleartext passwords UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  45. Cover Tracks Objective • Ensure highest access • Hide access from system administrator or owner Technique • Clear logs • Hide tools UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  46. Creating Back Doors Objective • Deploy trap doors • Ensure easy return access Technique • Create rogue user accounts • Schedule batch jobs • Infect startup files • Plant remote control services • Install monitors • Trojanize UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  47. Denial of Service Objective • If unable to escalate privilege then kill • Build DDOS network Technique • SYN Flood • ICMP Attacks • Identical src/dst SYN requests • Out of bounds TCP options • DDOS UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

  48. Hacker Exploits per SANS RECONNAISSANCE SCANNING KEEPING ACCESS EXPLOIT SYSTEMS COVER TRACKS UTSA IS 6353 Incident Response Source: SANs Institute

  49. Hacking Summary • Threat: Hacking continues to rise • Security posture usually reactive • Losses increasing…persistent • 7 Step Process • Hacker Techniques UTSA IS 6353 Incident Response

More Related