Investigating Internet Security Incidents
DESCRIPTION
Investigating Internet Security Incidents. A Brief Introduction to Cyber Forensic Analysis. Peter Stephenson [email protected]. Agenda: Intrusion approaches; Investigative tool kit; Investigative approaches; End-to-end tracing; Evidence collection and preservation.
TRANSCRIPT
Copyright © 1998-1999 Sanda International Corp.
Investigating Internet Security Incidents
A Brief Introduction to Cyber Forensic Analysis
Peter Stephenson
Agenda
Intrusion approaches
Investigative tool kit
Investigative approaches
End-to-end tracing
Evidence collection and preservation
Forensic use of RMON2-based tools for documenting the path of an attack
What is Cyber Crime?
Crimes directed against a computer
Crimes where the computer contains evidence
Crimes where the computer is used to commit the crime
The Nature of Computer Related Crime in Today's Organizations
[Chart: two bar charts. The first plots "% Reporting" (0-100) by source of attack: disgruntled employees, hackers, US competitors, foreign corporations, foreign governments. The second plots "%" (0-45) by type of incident: unauthorized access, denial of service, outside penetration, theft of information, fraud, sabotage. Bar values are not recoverable from the transcript.]
Source: 1998 CSI/FBI Study
There Are Only 4 Kinds of Attacks
Denial of service
Social engineering
Technical
Sniffing
Intrusion Approaches
Target selection, research and background info
  Internet searches
  Whois, nslookup
Preliminary probing - avoid logging - get passwords
  POP probe
  Sniffing
  DNS zone transfer
  SMTP probe
  Other simple probes
Search for back doors
Technical attack or social engineering
Cleaning Up After an Attack
Delete tools and work files
Modify logs (Unix example)
  Syslog messages files (especially the mail log)
  su log
  lastlog (including wtmp and utmp)
  daemon logs
  transfer logs
INVESTIGATIVE AXIOM:
Treat every incident as if it will end up in a criminal prosecution.
Your Investigative Tool Kit
Policies
Criminal profiling
Tracing tools
Log analysis
Crime scene (victim computer) analysis
E-mail header analysis
News group header analysis
The Role of Policies
They define the actions you can take
They must be clear and simple to understand
The employee must acknowledge that he or she read them, understands them and will comply with them
They can't violate law
Electronic Communications Privacy Act - Your Enabling Law
Owner may intercept communications between an intruder and that owner's computer system
Owner providing others with the ability to use that computer to communicate with other computer systems may:
  make routine backups and perform other routine monitoring
  intercept with prior consent of the user
  intercept portions of communications necessary to determine origin and destination
  intercept where necessary to protect the owner's rights or property
  disclose to law enforcement any communications inadvertently discovered which reveal criminal activity
Criminal Profiling
Criminal profiling is the process of using available information about a crime and crime scene to compose a psychological portrait of the unknown perpetrator of the crime
Classical profiling goals - to provide:
  a social and psychological assessment of the offender
  a psychological evaluation of relevant possessions found with suspected offenders
  strategies that should be used when interviewing offenders
Crime Scene Analysis
Branch of profiling using standard investigative techniques to analyze crime scenes
Investigators are usually most comfortable with this approach
Very useful in computer incidents
Developing a Profile of an Intruder
Crime scene analysis
  how was access obtained? What skills were required?
  how did the intruder behave on the system? Damage? Clean-up? Theft?
Investigative psychology
  motivation
  personality type
Goals of an Investigation
To ensure that all applicable logs and evidence are preserved
To understand how the intruder is entering the system
To obtain the information you need to justify a trap and trace of the phone line the intruder is using, or to obtain a subpoena to obtain information from an ISP
To discover why the intruder has chosen the computer
To gather as much evidence of the intrusion as possible
To obtain information that may narrow your list of suspects
To document the damage caused by the intruder
To gather enough information to decide if law enforcement should be involved
Immediate Objective: PRESERVE THE EVIDENCE!!!
Begin a traceback to identify possible log locations
Contact system administrators on intermediate sites to request log preservation
Contain damage
Collect local logs
Image disks on victim computers
Building an Incident Hypothesis
Start with witness accounts
Consider how the intruder could have gained access
  eliminate the obvious
  use logs and other physical evidence
  consider the skill level or inside knowledge required
Create mirrors of affected computers
Building an Incident Hypothesis (continued)
Develop a profile of the intruder
Consider the path into the victim computer
Recreate the incident in the lab
  use real mirrors whenever possible
Consider alternative explanations
  test alternatives
Incident Reconstruction
Physical
  use mirrors of the actual involved systems
  useful for single computers
Logical
  use similar systems
  useful for networks where you have access to the entire network
Theoretical
  hypothesize intermediate computers
  necessary when you can't access all involved computers
Back Tracing
Elements of a back trace
  end points
  intermediate systems
  e-mail and packet headers
  logs
Objective: to get to a dial-in POP
The only messages that can't be back traced are those using a true anonymizer and those where no logs are present
Enabling Relationships
[Diagram: Intruder's laptop -> DIAL -> ISP -> INTERNET -> Router -> PENETRATE HOST -> Intermediate Host -> ATTACK VICTIM -> VICTIM. Log sources along the path: telco logs (dial-in), ISP's logs, our logs (intermediate host and victim).]
Obtaining Subpoenas
Notify involved organization that you are going to subpoena and request that they preserve evidence - find out who to deliver the subpoena to
File John/Jane Doe lawsuit with an emergency order to subpoena appropriate records
Subpoena the logs you need
Get everything you can on the first pass
May need depositions
Requirements for Logs to be Used as Evidence
Must not be modifiable
  Spool off to protected loghost
  Optical media
  Backups
Must be complete
  All superuser access
  Login and logout
  Attempts to use any controlled services
  Attempts to access critical resources
  E-mail details
Appropriate retention
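The "must not be modifiable" requirement is usually met by shipping logs to a protected loghost or write-once media, but the investigator still needs a way to prove later that a log file has not been edited or had lines dropped. The following Python is an added example, not from the presentation or Sanda International: it hash-chains each record to the one before it, so that editing, deleting or truncating any entry is detected by recomputation, and the chain head can be spooled off-host as the value to check against. The sample records are constructed.

```python
import hashlib
import json

# Chain head when the log is empty.
GENESIS = "0" * 64


def _entry_hash(prev_hash, record):
    # Each entry commits to its own record and to the previous entry's hash,
    # so changing or dropping any earlier entry changes every later hash.
    payload = prev_hash + "\n" + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_record(log, record):
    """Append a record to the chained log (a list of entries); returns the new head hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev_hash, "record": record, "hash": _entry_hash(prev_hash, record)})
    return log[-1]["hash"]


def verify_chain(log, expected_head=None):
    """Recompute every hash. Returns (ok, index of first bad entry or None).

    expected_head is the head hash that was spooled off-host when the log was
    written; comparing against it catches entries removed from the tail, which
    the chain alone cannot see."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["record"]):
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)
    return True, None


# Constructed sample records of the kinds the slide says a complete log must hold.
SAMPLE_RECORDS = [
    {"ts": "1998-09-12T18:20:01-0400", "event": "login", "user": "jdoe", "src": "192.0.2.10"},
    {"ts": "1998-09-12T18:22:40-0400", "event": "su", "user": "jdoe", "to": "root", "result": "success"},
    {"ts": "1998-09-12T18:23:05-0400", "event": "service", "user": "root", "svc": "pop3", "result": "denied"},
    {"ts": "1998-09-12T18:30:00-0400", "event": "logout", "user": "jdoe"},
]


def build_sample_log():
    log = []
    head = None
    for rec in SAMPLE_RECORDS:
        head = append_record(log, rec)
    return log, head


def tamper_demo():
    """What the verifier reports for an edited entry, a deleted entry and a truncated log."""
    log, head = build_sample_log()
    edited = json.loads(json.dumps(log))                  # deep copy
    edited[1]["record"]["result"] = "failed"               # the su log rewritten after the fact
    deleted = [e for i, e in enumerate(log) if i != 2]     # the denied-service line removed
    truncated = log[:-1]                                   # the last line dropped
    return {
        "clean": verify_chain(log, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, first_bad) in tamper_demo().items():
        print(f"{name:9s} ok={ok} first_bad={first_bad}")
```

Only the head hash needs to leave the host for this to work; the chain itself can stay in the ordinary log file, which is what makes it cheap to retrofit onto syslog-style records.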
Tracing E-Mail Headers
(3) Received: from mailhost.example.com ([XXX.XXX.178.66]) by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
(2) Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
(1) Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
(4) From: fake user [email protected]
[header name lost in extraction]: <[email protected]>
Content-Type: text/plain
Mime-Version: 1.0
To: [email protected]
[header name lost in extraction]: 7bit
Subject: This is a forged e-mail message
(The numbers in parentheses are the slide's annotations. Received: headers are read from the bottom up: (1) was written by the first relay, web03.iname.net, and its queue id SAA29949 is what to look up in that host's mail log. E-mail addresses were obfuscated in the transcript.)
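Walking the Received: headers from the bottom up is mechanical enough to script. The following Python is an added example, not from the presentation: it parses each Received: header into the fields an investigator matches against relay logs (claimed sender, relay IP as seen, receiving host, queue id, timestamp), orders the hops by delivery, and flags two things worth noting before contacting anyone: a hop whose claimed "from" host does not match the previous relay, and a hop stamped earlier than the one before it. The sample message is constructed to mirror the slide's headers; the relay IP and addresses are placeholders since the original obfuscates them.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: relay hostnames, queue ids and timestamps follow the slide,
# the IP and mailbox addresses are placeholders.
FORGED_MESSAGE = """\
Received: from mailhost.example.com ([192.0.2.66]) by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
From: fake user <fakeuser@iname.invalid>
To: victim@example.com
Subject: This is a forged e-mail message

Forged body.
"""

FROM_RE = re.compile(r"\(?\bfrom\s+([^\s();]+)")      # host the sender claimed to be
BY_RE = re.compile(r"\bby\s+([^\s();]+)")             # relay that wrote the header
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # address the relay actually saw
ID_RE = re.compile(r"\bid\s+([^\s;]+)")               # queue id to find in that relay's log


def parse_received(value):
    """Split one Received: header into the fields matched against relay logs."""
    value = " ".join(value.split())  # fold continuation whitespace
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None

    def first(rx):
        m = rx.search(value)
        return m.group(1) if m else None

    return {
        "from": first(FROM_RE),
        "ip": first(IP_RE),
        "by": first(BY_RE),
        "id": first(ID_RE),
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def trace_path(raw_message):
    """Hops in delivery order: the bottom-most Received: header is the first relay."""
    msg = message_from_string(raw_message)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def check_chain(hops):
    """Flag hops whose claimed sender is not the previous relay, and clock inconsistencies."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur["from"] != prev["by"]:
            findings.append(f"hop {i + 1}: claims from {cur['from']} but previous relay was {prev['by']}")
        if cur["time"] and prev["time"] and cur["time"] < prev["time"]:
            skew = int((prev["time"] - cur["time"]).total_seconds())
            findings.append(f"hop {i + 1}: stamped {skew}s before hop {i}; correct for clock skew before matching logs")
    return findings


if __name__ == "__main__":
    path = trace_path(FORGED_MESSAGE)
    for n, hop in enumerate(path, 1):
        print(f"({n}) {hop['from']} -> {hop['by']} id={hop['id']} ip={hop['ip']} at {hop['time']}")
    for finding in check_chain(path):
        print("!", finding)
```

On the slide's own timestamps this reports that hop (3) is stamped about six minutes before hop (2): one of the two relays has a skewed clock, and the offset has to be accounted for when asking a relay's administrator for "who was connected at the time". The first hop's queue id (SAA29949) and the time are what the next slide's request to iname's security officer is built on.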
Performing the Trace
Contact iname's Security Officer
Connect account name, time, & message ID to source IP address
Get logs from source IP
Who was connected at the time of the e-mail?
Locate ISP & contact Security Officer
Evidence Collection & Preservation
Forensic evidence
  Safeback - creates physical images and mirrors of affected computers
Forensic analysis
  NTI tools
NEVER work directly on the evidence
Never contribute to the evidence
Ensure chain of custody
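"Never work directly on the evidence" and "ensure chain of custody" come down to a small discipline: hash the original once, copy it, prove the copy is bit-for-bit identical, analyze only the copy, and be able to show at any later time that the original still hashes to the recorded value. The following Python is an added example, not from the presentation or any imaging product it names (Safeback, NTI tools); it demonstrates that discipline on a constructed "disk image" in a temporary directory, with the examiner name as a placeholder.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path, block_size=1 << 20):
    """Stream a file through SHA-256; images are large, so never read them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_working_copy(evidence_path, work_dir, examiner):
    """Hash the original, mark it read-only, copy it, confirm the copy, return a custody record.

    All analysis happens on the copy; the original is only ever opened for reading."""
    original_hash = sha256_file(evidence_path)
    os.chmod(evidence_path, stat.S_IRUSR)  # read-only for the examiner's account
    copy_path = os.path.join(work_dir, os.path.basename(evidence_path) + ".working")
    shutil.copyfile(evidence_path, copy_path)
    if sha256_file(copy_path) != original_hash:
        raise RuntimeError("working copy does not match original; do not analyze it")
    return {
        "evidence": evidence_path,
        "working_copy": copy_path,
        "sha256": original_hash,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_against_record(record, path):
    """True if the file at path still hashes to the value recorded at acquisition."""
    return sha256_file(path) == record["sha256"]


def run_demo():
    """Constructed scenario: image a small 'disk', take a working copy, then alter the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "victim-disk.img")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed image contents" + b"\xff" * 4096)
        record = acquire_working_copy(image, tmp, examiner="examiner name (placeholder)")
        result = {
            "original_ok": verify_against_record(record, record["evidence"]),
            "copy_ok_before": verify_against_record(record, record["working_copy"]),
        }
        with open(record["working_copy"], "r+b") as f:  # an analysis tool writing to the copy
            f.seek(4096)
            f.write(b"X")
        result["copy_ok_after"] = verify_against_record(record, record["working_copy"])
        result["original_still_ok"] = verify_against_record(record, record["evidence"])
        result["custody_record"] = json.dumps(record, sort_keys=True)
        os.chmod(image, stat.S_IRUSR | stat.S_IWUSR)  # let the temp dir clean up
        return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

When the working copy stops matching the record, that is expected and harmless; what matters is that the original still does, and that the custody record (hash, examiner, time) was written before anyone touched the copy.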
RMON2 Tracing Tools
Requires RMON2 devices
Use ODS Networks Secure Switch Investigator
Looks for evidence of alien conversations served from within the victim's perimeter
By moving "outwards" a step at a time, determine source of attack
MCI DoSTracker
Attempts to trace the source of forged packets, starting at a victim location and tracing backwards to the possible source
Attack must be in progress
Process
  login to starting edge router
  Deploy access control list in debug mode for victim IP
  Clear victim subnet cache
  Look for forged packets by comparing to route table
  Spawn separate process to log into next hop router and continue
CMDS - Abuse at the Host
Manager-Agent architecture
Responds to violations of policies
Analyzes usage patterns
Identifies rogue users
Identifies masqueraders
Available from ODS Networks
Summary
Ensure appropriate policies
Preserve the crime scene (victim computer)
Act immediately to identify and preserve logs on intermediate systems
Conduct your investigation
Obtain subpoenas or contact law enforcement