Incident Handling in Academia What to do when you have been hacked!

Upload: mina-biddix

Post on 15-Dec-2015


Incident Handling in Academia

What to do when you have been hacked!

The Presenters

Scott Fendley
– BS Comp Science – U of AR 1999
– MS Comp Science – U of AR 2004
– Security Analyst, Dept of Computing Services
– Volunteer Incident Handler, SANS Institute

David Merrifield
– Associate Director of Computing Services

Session Description

Explores how to handle the attacks on your Internet infrastructure.

Discusses a time-tested 6 step procedure for Incident Handling.

Touches on the legal issues relevant to all Academic Institutions (K12 or Higher Ed)

Dealing with Law Enforcement and handling Evidence

Employee Monitoring vs Student Monitoring

Disclaimers, Disclaimers, Disclaimers

I am not a lawyer. Consult your nearest legal counsel if you choose to handle incidents on your campus or have questions.

The majority of this information is the basis of my procedures at the University of Arkansas, but your mileage may vary.

Foundation of Incident Handling

An Action Plan for dealing with intrusions, cyber-theft, denial of service and other security-related events

Events can be of an electronic nature or of a physical nature.

Definitions

Incident – an adverse event in an information system, and/or network, or the threat of the occurrence of such event.
– Ex: unauthorized use of another user’s account
– Execution of malicious code
– Unauthorized use of system privileges

Event – Any observable occurrence in a system and/or network.
– Ex: Packet Traces
– System Boot Sequences
– Anything that you can record in your IH notebook

Incident Handling Metaphor

Incident Handling is like First Aid.
The Handler is under pressure and mistakes can be costly.
Practice is key. Skills degrade without use.
Use pre-designed forms and procedures, and call on others for help.

Emergency Action Plan

Remain Calm.
Communicate with your management, and coordinate with your co-workers to keep things focused.
Use formalized language.
– EX: Whiskey Five Yankee Mic, We have a bogey on your nine.
– Explicit meaning, no room for interpretation, is less likely to cause mistakes.

Emergency Action Plan

REMAIN CALM (still!) Do not hurry. Mistakes can be costly.
Notes, logs and other evidence are crucial.
– If the perpetrator is ever found and arraigned, how can you testify if your notes are not organized and detailed?
Failure to take notes is the most common mistake.
Consult your legal counsel for how long you should keep your logs.
Quality not Quantity.

Emergency Action Plan

Take good notes.
– Remember what your English teacher taught you.
– The 4 W’s
• Who?
• What?
• When?
• Where?
– Extra Credit for the 5th W and the H
• Why?
• How?

Emergency Action Plan (1)

Notify your manager of your progress.
Do you have easy access to your School’s phone directory? Pager numbers? Home numbers?
If you are over your head, do not hesitate to ask for help.
– FBI Field Office: [email protected]
– Local Law Enforcement
– Trained Computer Forensic Investigators

Emergency Action Plan (2)

Enforce a “need to know” policy.
Do not tip your hand to potential insider threats.
Use out of band communications. (Don’t email people about IH discussions.)
– Telephones
– Faxes
– Personal Visits
– PGP Keys

Emergency Action Plan (3)

Contain the problem. (stop the bleeding)
– Pull the network plug?
– Pull the power plug?
– Forensic Evidence Quandary.

Containment Micro Example

Call the user and say “Take your hands off the keyboard and move away from the computer.”

Stand up, go to the back of the computer and unplug the network (and/or modem).

Don’t touch anything, we’ll be right there. Fax instructions/forms for them to fill out.

Emergency Action Plan (4)

Make a backup of the affected system(s) as soon as is practical.
Use new, unused media.
Make a binary, or bit-by-bit backup.
Failure to make a backup is the second most common error.
Chain of custody of the evidence.

Emergency Action Plan (5)

Get rid of the problem.
Identify what went wrong if you can.
Take steps to correct the deficiencies that allowed the problem to occur.
Nuke the computer or just scrub it?
Get back in business using clean backups and monitor the system to make sure it can resume functioning.

Emergency Action Plan (6)

Learn from this experience.
Share your experience with others.
– Sys-admin List for K12
– Arktech List for Universities and Colleges
– Another useful list is [email protected] for all Educational entities.
Review the incident from start to completion.
Identify areas of improvement.
Engineers versus Mathematicians

Seven Deadly Sins of IH

Failure to report or ask for help
Incomplete/non-existent notes
(Accidental) Mishandling/destroying evidence
Failure to create working backups
Failure to contain or eradicate
Failure to prevent re-infection
Failure to apply lessons learned

Emergency Action Plan Summary

Remain calm, don’t hurry.
Notify your organization’s management, apply need to know, use out of band communications.
Take good notes (even if you aren’t/can’t prosecute).
Contain the problem.
Back up the system(s), collect evidence.
Eradicate the problem and get back to business.
Lessons Learned

Six Steps of Incident Handling

Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

Preparation

Update your organization’s disaster recovery plan to include Incident Handling

Establish visibility and a compensation plan for the team. (Slush fund for food and caffeine for long weekends or evenings of mitigating an emergency.)

Checklists!
Emergency Communications Plan

Preparation Key Points

Password Access
Conduct training for incident handlers (War Games)
Establish guidelines for inter-departmental cooperation.
Build relationships with techies and sys admins.
Develop interfaces with law enforcement agencies in your area.

Preparation - Jump Bag

Small tape recorder
– Blank Tapes
Binary Backup Utils
– Safe Back
– Ghost
– Encase
Forensic Software
– TCT
– Autopsy
– Encase
Small Hub and cables
Laptop (extra batteries)
CD’s with clean binaries
– Sysinternals
– Foundstone
– Windows Resource Kit
Call List, Phone book
Cell Phone (batteries)
Fresh Blank Media (CD-Rs, Floppys, Zip, etc)

Preparation in a nutshell

Policy
People
Data
Software/Hardware
Communications
Supplies
Transportation
Space
Power and environmental controls
Documentation

Identification

Fire Alarm Analogy
– Who can pull a fire alarm?
– Who authorizes re-entry?
Maintain situation awareness.
Provide current “intelligence”.
Correlate information (mailing lists are great sources for newest worms/viruses or attacks).

Signs of an incident
– Intrusion Detection system alarm
– Suspicious entries in system or networking accounting
– Discrepancies in logs
– (Un)successful logon attempts
– Unexplained, new user accounts
– Unexplained processes or services running
– Notification via abuse@ address or phone call
– Poor system performance
– Unusual time of usage
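As an added example (not part of the presentation or the presenters' tooling), a small Python script that looks for three of the "signs of an incident" listed above in constructed auth-log lines: a successful logon after repeated failures from the same address, a logon at an unusual hour, and a new user account. The log lines, host, users, addresses, threshold and business hours are all invented for the demonstration.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (invented host, users and addresses).
SAMPLE_LOG = """\
Mar 10 02:13:01 web1 sshd[4021]: Failed password for invalid user admin from 192.0.2.44 port 51022 ssh2
Mar 10 02:13:04 web1 sshd[4021]: Failed password for invalid user admin from 192.0.2.44 port 51023 ssh2
Mar 10 02:13:07 web1 sshd[4021]: Failed password for root from 192.0.2.44 port 51024 ssh2
Mar 10 02:13:09 web1 sshd[4021]: Failed password for root from 192.0.2.44 port 51025 ssh2
Mar 10 02:13:12 web1 sshd[4021]: Accepted password for root from 192.0.2.44 port 51026 ssh2
Mar 10 02:14:30 web1 useradd[4100]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar 10 09:02:11 web1 sshd[5120]: Accepted publickey for alice from 10.0.5.9 port 40100 ssh2
"""

STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) "
FAILED = re.compile(STAMP + r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(STAMP + r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
NEWUSER = re.compile(STAMP + r"useradd\[\d+\]: new user: name=([^,]+)")

def hour_of(stamp):
    """Hour (0-23) from a 'Mon DD HH:MM:SS' syslog timestamp."""
    return int(stamp.split()[2].split(":")[0])

def find_signs(log_text, fail_threshold=3, business_hours=(7, 19)):
    """Walk the log in order and return (sign, detail) pairs worth an IH notebook entry."""
    signs = []
    failures = Counter()  # failed logon attempts seen so far, per source address
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            failures[m.group(4)] += 1
            continue
        m = ACCEPTED.match(line)
        if m:
            stamp, host, user, src = m.groups()
            if failures[src] >= fail_threshold:
                signs.append(("logon after repeated failures", f"{user} from {src} on {host} at {stamp}"))
            if not business_hours[0] <= hour_of(stamp) < business_hours[1]:
                signs.append(("unusual time of usage", f"{user} from {src} on {host} at {stamp}"))
            continue
        m = NEWUSER.match(line)
        if m:
            stamp, host, name = m.groups()
            signs.append(("unexplained new user account", f"{name} on {host} at {stamp}"))
    return signs

if __name__ == "__main__":
    for sign, detail in find_signs(SAMPLE_LOG):
        print(f"{sign}: {detail}")
```

Each flagged line is a lead to record with the who/what/when/where from the notes slides, not a verdict on its own.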

Identification

Initial Assessment
“Efficient handling of errors is part of the process”
Be careful to maintain a provable chain of custody.
Use the tape recorder if at all possible to keep notes for you on what commands you run and actions you do.
Make law enforcement sign for any evidence you hand off to them. Assign a value to it.

Containment

This is where we cross the threshold at which we begin to actively modify the system.
Keep the system pristine.
Pull the system off the network (or perhaps the subnet off the network).
Load your binaries, set the path.
Backup the system.

Containment

Safely store any backup disks/tapes so that they will not be lost and/or stolen. Multiple copies are best with volatile media types.
Keep a low profile.
Analyze a copy of the backup.
Report to management on progress.
Are you sure you backed up the media in question?
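As an added example (not the presenters' own tooling), a Python sketch of the bit-by-bit backup and chain-of-custody steps from Emergency Action Plan (4) and this Containment slide: it images a source block by block, checks that source and image hash identically before anything is analysed, and appends a who/what/when/where entry to a ledger. A constructed temp file stands in for the seized drive, and the handler and locker names are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # copy in fixed-size blocks, like dd with bs=4096 (assumed size)

def sha256_of(path):
    """Hash a file block by block so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def image_device(source, dest):
    """Bit-for-bit copy of source into dest; returns the number of bytes copied."""
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
            copied += len(chunk)
    return copied

def verify_image(source, dest):
    """Are you sure you backed up the media in question? Hashes must agree."""
    return sha256_of(source) == sha256_of(dest)

def custody_record(source, dest, handler, location, ledger_path):
    """Append a who/what/when/where entry to the chain-of-custody ledger and return it."""
    entry = {
        "who": handler,
        "what": {"source": source, "image": dest, "bytes": os.path.getsize(dest), "sha256": sha256_of(dest)},
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "where": location,
    }
    with open(ledger_path, "a") as ledger:
        ledger.write(json.dumps(entry) + "\n")
    return entry

def demo(size=10000):
    """Constructed run: a random temp file stands in for the seized drive (no real device)."""
    workdir = tempfile.mkdtemp()
    source, image, ledger = (os.path.join(workdir, n) for n in ("drive.bin", "drive.img", "custody.jsonl"))
    with open(source, "wb") as f:
        f.write(os.urandom(size))  # not a multiple of BLOCK, so the last block is partial
    copied = image_device(source, image)
    entry = custody_record(source, image, "HANDLER (placeholder)", "LOCKER (placeholder)", ledger)
    return copied, verify_image(source, image), entry
```

Analysis should then run on a second copy of the image, leaving the original and the ledger entry's hash untouched.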

Containment

Acquire logs and other sources of information.
– Firewalls, IDS Logs
– Logs from other systems nearby

Containment

Consult with system owners (departmental technical staff).
Change passwords.
Determine possible other systems that have potentially had passwords breached. Packet sniffers are easy to install.

Eradication

Is your school’s policy to nuke the computer and reinstall with a secured OS, or just clean and secure?
Improve your defenses.
Perform vulnerability analysis and system audits.
Locate the most clean backup and carefully install it.

Recovery

Restore from backups if required.
Be sure you do not restore the malware.
Secured system?
Validate the system and create baselines.
Test that everything on the system is working as expected with the owner.
Place the final decision on the system owner of when to restore operations.
Monitor the systems.

Follow-up / Lessons Learned

Develop a follow-up report
– Start as soon as possible
– Include any forms you used in the identification step
– Details, details, details!
Lessons Learned Meeting
Executive Summary Report
Recommended Changes to procedures?
Additions to jump kit

Legal Issues to Academia

HIPAA
– Privacy Rule (2002)
– Security Rule (2005)
FERPA (Buckley Amendment)
DMCA
Patriot Act

Monitoring

Monitoring employees
Student Privacy
Student-employees?

Law Enforcement Contacts

University Police
City Police or County Sheriff
FBI (Field office in LR)
Secret Service
Department of Homeland Security
Infraguard Arkansas

More Information

http://www.sans.org/
http://www.securityfocus.com/
http://www.foundstone.com/
http://www.sysinternals.com/
http://www.incidents.org/
http://ists.dartmouth.edu/

Questions?

Contact me at [email protected] or call me at 479-575-2022.

Also, talk to those in the state and across the nation for specific questions.
– [email protected]
– [email protected]