
Page 1: Investigating Internet Security Incidents

Copyright © 1998-1999 Sanda International Corp.

Investigating Internet Security Incidents

A Brief Introduction to Cyber Forensic Analysis

Peter Stephenson
[email protected]

Page 2: Investigating Internet Security Incidents


Agenda

- Intrusion approaches
- Investigative tool kit
- Investigative approaches
- End-to-end tracing
- Evidence collection and preservation
- Forensic use of RMON2-based tools for documenting the path of an attack

Page 3: Investigating Internet Security Incidents


What is Cyber Crime?

- Crimes directed against a computer
- Crimes where the computer contains evidence
- Crimes where the computer is used to commit the crime

Page 4: Investigating Internet Security Incidents


The Nature of Computer Related Crime in Today’s Organizations

[Chart from the slide, not recoverable from the transcript: two bar charts. Left, "% Reporting" (0-100 scale) by source of attack: disgruntled employees, hackers, US competitors, foreign corporations, foreign governments. Right, "%" (0-45 scale) by type of incident: unauthorized access, denial of service, outside penetration, theft of information, fraud, sabotage. Bar values are not preserved.]

Source: 1998 CSI/FBI Study

Page 5: Investigating Internet Security Incidents


There Are Only 4 Kinds of Attacks

- Denial of service
- Social engineering
- Technical
- Sniffing

Page 6: Investigating Internet Security Incidents


Intrusion Approaches

- Target selection, research and background info
  - Internet searches
  - Whois, nslookup
- Preliminary probing - avoid logging - get passwords
  - POP probe
  - Sniffing
  - DNS zone transfer
  - SMTP probe
  - Other simple probes
- Search for back doors
- Technical attack or social engineering

Page 7: Investigating Internet Security Incidents


Cleaning Up After an Attack

- Delete tools and work files
- Modify logs (Unix example)
  - Syslog messages files (especially the mail log)
  - su log
  - lastlog (including wtmp and utmp)
  - daemon logs
  - transfer logs

Page 8: Investigating Internet Security Incidents


INVESTIGATIVE AXIOM:

Treat every incident as if it will end up in a criminal prosecution.

Page 9: Investigating Internet Security Incidents


Your Investigative Tool Kit

- Policies
- Criminal profiling
- Tracing tools
- Log analysis
- Crime scene (victim computer) analysis
- E-mail header analysis
- News group header analysis

Page 10: Investigating Internet Security Incidents


The Role of Policies

- They define the actions you can take
- They must be clear and simple to understand
- The employee must acknowledge that he or she read them, understands them and will comply with them
- They can’t violate law

Page 11: Investigating Internet Security Incidents


Electronic Communications Privacy Act - Your Enabling Law

- Owner may intercept communications between an intruder and that owner's computer system
- Owner providing others with the ability to use that computer to communicate with other computer systems may:
  - make routine backups and perform other routine monitoring
  - intercept with prior consent of the user
  - intercept portions of communications necessary to determine origin and destination
  - intercept where necessary to protect the owner's rights or property
  - disclose to law enforcement any communications inadvertently discovered which reveal criminal activity

Page 12: Investigating Internet Security Incidents


Criminal Profiling

- Criminal profiling is the process of using available information about a crime and crime scene to compose a psychological portrait of the unknown perpetrator of the crime
- Classical profiling goals - to provide:
  - a social and psychological assessment of the offender
  - a psychological evaluation of relevant possessions found with suspected offenders
  - strategies that should be used when interviewing offenders

Page 13: Investigating Internet Security Incidents


Crime Scene Analysis

- Branch of profiling using standard investigative techniques to analyze crime scenes
- Investigators are usually most comfortable with this approach
- Very useful in computer incidents

Page 14: Investigating Internet Security Incidents


Developing a Profile of an Intruder

- Crime scene analysis
  - how was access obtained? What skills were required?
  - how did the intruder behave on the system? Damage? Clean-up? Theft?
- Investigative psychology
  - motivation
  - personality type

Page 15: Investigating Internet Security Incidents


Goals of an Investigation

- To ensure that all applicable logs and evidence are preserved
- To understand how the intruder is entering the system
- To obtain the information you need to justify a trap and trace of the phone line the intruder is using, or to obtain a subpoena to obtain information from an ISP
- To discover why the intruder has chosen the computer
- To gather as much evidence of the intrusion as possible
- To obtain information that may narrow your list of suspects
- To document the damage caused by the intruder
- To gather enough information to decide if law enforcement should be involved

Page 16: Investigating Internet Security Incidents


Immediate Objective: PRESERVE THE EVIDENCE !!!

- Begin a traceback to identify possible log locations
- Contact system administrators on intermediate sites to request log preservation
- Contain damage
- Collect local logs
- Image disks on victim computers

Page 17: Investigating Internet Security Incidents


Building an Incident Hypothesis

- Start with witness accounts
- Consider how the intruder could have gained access
  - eliminate the obvious
  - use logs and other physical evidence
  - consider the skill level or inside knowledge required
- Create mirrors of affected computers

Page 18: Investigating Internet Security Incidents


Building an Incident Hypothesis

- Develop a profile of the intruder
- Consider the path into the victim computer
- Recreate the incident in the lab
  - use real mirrors whenever possible
- Consider alternative explanations
  - test alternatives

Page 19: Investigating Internet Security Incidents


Incident Reconstruction

- Physical
  - use mirrors of the actual involved systems
  - useful for single computers
- Logical
  - use similar systems
  - useful for networks where you have access to the entire network
- Theoretical
  - hypothesize intermediate computers
  - necessary when you can’t access all involved computers

Page 20: Investigating Internet Security Incidents


Back Tracing

- Elements of a back trace
  - end points
  - intermediate systems
  - e-mail and packet headers
  - logs
- Objective: to get to a dial-in POP
- The only messages that can’t be back traced are those using a true anonymizer and those where no logs are present

Page 21: Investigating Internet Security Incidents


Enabling Relationships

[Diagram from the slide: the intruder's laptop dials in to an ISP, crosses the Internet through a router, penetrates an intermediate host, and from there attacks the victim. Each leg is recorded by a different party: telco logs for the dial-in, the ISP’s logs for the connection, and our logs at the victim end.]

Page 22: Investigating Internet Security Incidents


Obtaining Subpoenas

- Notify the involved organization that you are going to subpoena and request that they preserve evidence - find out who to deliver the subpoena to
- File a John/Jane Doe lawsuit with an emergency order to subpoena appropriate records
- Subpoena the logs you need
- Get everything you can on the first pass
- May need depositions

Page 23: Investigating Internet Security Incidents


Requirements for Logs to be used as Evidence

- Must not be modifiable
  - Spool off to protected loghost
  - Optical media
  - Backups
- Must be complete
  - All superuser access
  - Login and logout
  - Attempts to use any controlled services
  - Attempts to access critical resources
  - E-mail details
- Appropriate retention
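Added example, not from the slides: one way to make the spooled copy meet the "must not be modifiable" requirement, a SHA-256 hash chain over constructed sample lines of the event types the slide lists. The sealed records are what you would ship to the protected loghost or write to optical media; verify() finds the first altered or removed record, and tail_intact() covers the case the chain alone cannot show, records cut off the end.

```python
import hashlib

# Constructed sample lines (not from the page) of the event types the slide
# says a complete log must hold: superuser access, login/logout, attempts on
# controlled services.
SAMPLE_LOG = [
    "Sep 12 15:25:54 victim su: 'su root' succeeded for jdoe on /dev/pts/2",
    "Sep 12 15:26:10 victim login[2201]: LOGIN ON pts/3 BY alice",
    "Sep 12 15:27:41 victim ftpd[2240]: refused connect from 192.0.2.66",
    "Sep 12 15:30:02 victim login[2201]: LOGOUT alice",
]

GENESIS = "0" * 64   # chain anchor for the first record

def link(prev_hash, line):
    """Hash of this line bound to everything that came before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()

def seal(lines, prev_hash=GENESIS):
    """Turn plain log lines into a hash chain. Each record carries the SHA-256
    of (previous record's hash + this line), so a copy spooled to the loghost
    or written to optical media cannot be edited or thinned unnoticed."""
    sealed = []
    for line in lines:
        prev_hash = link(prev_hash, line)
        sealed.append(f"{prev_hash} {line}")
    return sealed

def verify(sealed, prev_hash=GENESIS):
    """Index of the first record whose hash breaks the chain (altered, or a
    record before it was removed), or None when the chain is intact."""
    for i, record in enumerate(sealed):
        digest, _, line = record.partition(" ")
        prev_hash = link(prev_hash, line)
        if digest != prev_hash:
            return i
    return None

def tail_intact(sealed, anchor):
    """A chain cannot show that its newest records were cut off. Periodically
    copy the latest digest somewhere the intruder cannot reach (the slide's
    optical media or backups) and check that it is still in the chain."""
    return any(record.partition(" ")[0] == anchor for record in sealed)
```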

Page 24: Investigating Internet Security Incidents


Tracing E-Mail Headers

(3) Received: from mailhost.example.com ([XXX.XXX.178.66]) by smtp.exampl.com; Sat, 12 Sep 1998 15:25:54 -0700
(2) Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
(1) Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
(4) From: fake user [email protected]
Message-Id: <[email protected]>
Content-Type: text/plain
Mime-Version: 1.0
To: [email protected]
Content-Transfer-Encoding: 7bit
Subject: This is a forged e-mail message

Page 25: Investigating Internet Security Incidents


Performing the Trace

1. Contact iname’s Security Officer
2. Connect account name, time, & message ID to source IP address
3. Get logs from source IP
4. Who was connected at the time of the e-mail?
5. Locate ISP & contact Security Officer
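Added example, not from the slides: a small Python tracer that works the Received chain of the forged message on the previous slide the way the trace above does. It assumes our own MTAs are smtp.example.com and mailhost.example.com and uses a constructed copy of the header with documentation addresses in place of the masked ones. It reports which hops our own servers stamped, the first hop outside our control (the one to take to iname’s security officer together with its queue id, the message id and the timestamp), and the clock skew between hops.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the slide's forged message; the addresses and
# the masked peer IP are documentation values, not data taken from the page.
FORGED_MESSAGE = """\
Received: from mailhost.example.com ([192.0.2.66])
\tby smtp.example.com; Sat, 12 Sep 1998 15:25:54 -0700
Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03)
\tid AA07400; Sat, 12 Sep 1998 15:31:55 -0700
Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0)
\tid SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Message-Id: <SAA29949@web03.iname.net>
To: victim@example.com
Subject: This is a forged e-mail message

"""

def parse_received(value):
    """Pull from/by/peer IP/queue id/timestamp out of one Received header."""
    text = " ".join(value.split())                 # unfold continuation lines
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    return {"from": grab(r"\bfrom\s+\(?([^\s()]+)"),
            "by": grab(r"\bby\s+([^\s();]+)"),
            "peer_ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
            "queue_id": grab(r"\bid\s+([^\s;]+)"),
            "time": parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())}

def trace(raw, our_hosts):
    """Walk the Received chain from our MTA back toward the claimed origin.
    Returns (hops oldest first, handoff); handoff is the first hop not stamped
    by our own hosts: who to contact next, with queue id, message id and time."""
    msg = message_from_string(raw)
    hops, handoff = [], None
    for hop in map(parse_received, msg.get_all("Received", [])):  # newest first
        hop["written_by_us"] = hop["by"] in our_hosts
        # the newer hop's "from" host should be the host that stamped this one
        hop["chain_ok"] = not hops or hops[-1]["from"] == hop["by"]
        if handoff is None and not hop["written_by_us"]:
            handoff = dict(hop, message_id=msg.get("Message-Id"))
        hops.append(hop)
    return hops[::-1], handoff

def clock_inversions(hops):
    """Consecutive hops whose stamps run backwards: each MTA uses its own clock,
    so allow for skew when asking an ISP who was connected 'at the time'."""
    return [(a["by"], b["by"]) for a, b in zip(hops, hops[1:]) if b["time"] < a["time"]]
```

Only the hops stamped by hosts you control are evidence you can vouch for; everything below them is a claim to be checked against the next organisation’s logs, which is why the trace proceeds one hop at a time.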

Page 26: Investigating Internet Security Incidents


Evidence Collection & Preservation

- Forensic evidence
  - Safeback - creates physical images and mirrors of affected computers
- Forensic analysis
  - NTI tools
- NEVER work directly on the evidence
- Never contribute to the evidence
- Ensure chain of custody

Page 27: Investigating Internet Security Incidents


RMON2 Tracing Tools

- Requires RMON2 devices
- Use ODS Networks Secure Switch Investigator
- Looks for evidence of alien conversations served from within the victim’s perimeter
- By moving “outwards” a step at a time, determine source of attack

Page 28: Investigating Internet Security Incidents


MCI DoSTracker

- Attempts to trace the source of forged packets, starting at a victim location and tracing backwards to the possible source
- Attack must be in progress
- Process
  - login to starting edge router
  - Deploy access control list in debug mode for victim IP
  - Clear victim subnet cache
  - Look for forged packets by comparing to route table
  - Spawn separate process to log into next hop router and continue

Page 29: Investigating Internet Security Incidents


CMDS - Abuse at the Host

- Manager-Agent architecture
- Responds to violations of policies
- Analyzes usage patterns
- Identifies rogue users
- Identifies masqueraders
- Available from ODS Networks

Page 30: Investigating Internet Security Incidents


Summary

- Ensure appropriate policies
- Preserve the crime scene (victim computer)
- Act immediately to identify and preserve logs on intermediate systems
- Conduct your investigation
- Obtain subpoenas or contact law enforcement