Lesson 1 Course Introduction

Upload: loraine-ford, posted 27-Dec-2015

Page 1: Lesson 1 Course Introduction. UTSA IS 6353 Incident Response. Overview: Course Administrivia, Info Assurance Review, Incident Response

Lesson 1 Course Introduction

Page 2:

UTSA IS 6353 Incident Response

Overview

• Course Administrivia
• Info Assurance Review
• Incident Response

Page 3:

IS 6353 Intrusion Detection and Incident Response

• 6:00-7:50 PM T/TH
• Robert Kaufman
  – Background
  – Contact information
• Syllabus and Class Schedule
• Student Background Information
  – Email to [email protected]

Page 4:

Student Information

• Name
• Reliable email address
• Email to [email protected]

Page 5:

Text Books

• Course Text:
  – Incident Response and Computer Forensics, McGraw Hill Publishing, 2014. ISBN 978-0071798686
• Additional References:
  – Principles of Computer Security, Conklin, White, Cothren, Williams, and Davis
  – Hacking Exposed, by McClure, Scambray, Kurtz
  – Cyber Crime Investigator’s Field Guide, by Bruce Middleton

Page 6:

Grading

• Grades
  – 2 Tests
  – Final
  – 1 Paper
  – 4-5 Labs

Page 7:

A Sampling of Malicious Activity

• March 1999 - eBay gets hacked
• March 1999 - Melissa virus hits Internet
• April 1999 - Chernobyl virus hits
• May 1999 - Hackers shut down web sites of FBI, Senate, and DOE
• June 1999 - Worm.Explore.Zip virus hits
• July 1999 - Cult of the Dead Cow (cDc) releases Back Orifice
• Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites
• Oct 1999 - Teenage hacker admits to breaking into AOL

Page 8:

A Sampling of Malicious Activity

• Nov 1999 - BubbleBoy virus hits
• Dec 1999 - Babylonia virus spreads
• Feb 2000 - Several sites experience DoS attacks
• Feb 2000 - Alaska Airlines site hacked
• May 2000 - Love Bug virus ravages net
• July 2001 – Code Red runs rampant
• Sept 2001 – Nimda explodes

Page 9:

A Sampling of Malicious Activity

• Jan 2003 – Sapphire/Slammer Worm
• Aug 2003 – Blaster (LoveSan) Worm
• Jan 2004 – MyDoom
• Mar 2004 – Witty Worm
• May 2004 – Sasser Worm
• Dec 2006 – TJX Credit/Debit Card Theft
• Jan 2007 – Storm Worm
• Mar 2009 - Conficker
• June 2010 - Stuxnet

http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms

Page 10:

Spread of Slammer—25 Jan 05:29 UTC (figure not captured in the transcript)

Page 11:

Spread of Slammer—25 Jan 06:00 UTC (figure not captured in the transcript)

Page 12:

CSI Survey: Average Loss (chart not captured in the transcript)

Ref: 2008 CSI Survey

Page 13:

Internet Security Software Market

• 2002 - $7.4 Billion est.
• 1999 - $4.2 Billion
• 1998 - $3.1 Billion
• 1997 - $2 Billion

’97 & ’98 figures based on a study released by market research firm International Data Corp. in Framingham, Mass.

’99 & ’02 figures from IDC study based on a survey of 300 companies with more than $100 million in annual revenues

Page 14:

DISA VAAP Results

PROTECTION: 38,000 attacks
  – 13,300 blocked
  – 24,700 succeed

DETECTION (of the 24,700 that succeed)
  – 23,712 undetected
  – 988 detected

REACTION (of the 988 detected)
  – 721 not reported
  – 267 reported
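As an added illustration (not part of the original slides), the VAAP figures read as a detection funnel: each stage's rate relative to the previous stage and to all attacks, plus a check that the complementary counts printed on the slide add back up. The counts are the slide's; the stage names, the `funnel_rates` and `reconciles` helpers are my own construction.

```python
from typing import List, Tuple

Stage = Tuple[str, int]  # (stage name, count) -- constructed structure


def funnel_rates(stages: List[Stage]) -> List[dict]:
    """For a chain of nested stages (each count is a subset of the one
    before it) return the step rate relative to the previous stage and the
    cumulative rate relative to the first stage. Raises ValueError when a
    stage is larger than its predecessor, which means the figures cannot
    describe a single funnel."""
    if not stages or stages[0][1] <= 0:
        raise ValueError("first stage must have a positive count")
    total = stages[0][1]
    prev = total
    rows = []
    for name, count in stages:
        if count < 0 or count > prev:
            raise ValueError(f"{name}: {count} is not a subset of {prev}")
        rows.append({"stage": name, "count": count,
                     "step_rate": count / prev if prev else 0.0,
                     "cumulative_rate": count / total})
        prev = count
    return rows


def reconciles(stages: List[Stage], complements: List[Stage]) -> bool:
    """True when each stage's count plus the complementary count printed
    beside it (blocked, undetected, not reported) equals the previous stage."""
    if len(complements) != len(stages) - 1:
        return False
    prev = stages[0][1]
    for (_, count), (_, other) in zip(stages[1:], complements):
        if count + other != prev:
            return False
        prev = count
    return True


# The four nested figures from the DISA VAAP slide.
DISA_VAAP: List[Stage] = [("attacks", 38_000), ("succeed", 24_700),
                          ("detected", 988), ("reported", 267)]
# The complementary figures the slide prints beside each step.
DISA_VAAP_REST: List[Stage] = [("blocked", 13_300), ("undetected", 23_712),
                               ("not reported", 721)]

if __name__ == "__main__":
    assert reconciles(DISA_VAAP, DISA_VAAP_REST)
    for row in funnel_rates(DISA_VAAP):
        print(f"{row['stage']:>9}: {row['count']:>6}  step {row['step_rate']:6.1%}"
              f"  cumulative {row['cumulative_rate']:6.2%}")
```

The step rates make the slide's point explicit: 65% of attacks succeed, only 4% of those are detected, and 27% of detections are reported, so 0.7% of all attacks reach a report.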

Page 15:

Computer Security

The prevention and/or detection of unauthorized actions by users of a computer system.

In the beginning, this meant ensuring privacy on shared systems. Today, the interesting aspect of security is in enabling different access levels.

Page 16:

What are our goals in Security?

• The “CIA” of security
  – Confidentiality
  – Integrity
    • Data integrity
    • Software integrity
  – Availability
    • Accessible and usable on demand
  – (authentication)
  – (nonrepudiation)

Page 17:

The “root” of the problem

• Most security problems can be grouped into one of the following categories:
  – Network and host misconfigurations
    • Lack of qualified people in the field
  – Operating system and application flaws
    • Deficiencies in vendor quality assurance efforts
    • Lack of qualified people in the field
    • Lack of understanding of/concern for security

Page 18:

Computer Security Operational Model

Protection = Prevention + (Detection + Response)

• Prevention: Access Controls, Encryption, Firewalls
• Detection: Intrusion Detection
• Response: Incident Handling

Page 19:

Proactive vs. Reactive Models

• “Most organizations only react to security threats, and, often times, those reactions come after the damage has already been done.”

• “The key to a successful information security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you.”

Page 20:

So What Happens When Computer Security Fails?

• Incident Response Methodology: 7 Step Process
  – Preparation: Proactive Computer Security
  – Detection of Incidents
  – Initial Response
  – Formulate Response Strategy
  – Investigate the Incident
  – Reporting
  – Resolution

Page 21:

7 Components of Incident Response

• Pre-Incident Preparation
• Detection of Incidents
• Initial Response
• Formulate Response Strategy
• Investigate the Incident
  – Data Collection
  – Data Analysis
• Reporting
• Resolution
  – Recovery
  – Implement Security Measures

Page 15, Fig 2-1, Mandia 2nd Edition

Page 22:

Resources in the Fight

• SANS

• CERT CC

• FIRST

• CERIAS

• NIST

• CIAS

Page 23:

SANS

• System Administration, Networking, and Security (SANS) Institute
• Global Incident Analysis Center
• Security Alerts, Updates, & Education
• NewsBites, Security Digest, Windows Digest
• Certification
• http://www.sans.org/

Page 24:

Carnegie Mellon CERT CC

• Computer Emergency Response Team Coordination Center
• Started by DARPA
• Alerts & Response Services
• Training and CERT Standup
• Clearing House
• http://www.cert.org

Page 25:

FIRST

• Forum of Incident Response and Security Teams
• Established 1988
• Govt & Private Sector Membership
• Over 70 Members
• Coordinate Global Response
• http://www.first.org

Page 26:

CERIAS

• Center for Education and Research in Information Assurance and Security
• Home of Gene Spafford
• A "University Center"
• InfoSec Research & Education
• Members: Academia, Govt, & Industry
• http://www.cerias.purdue.edu/coast/

Page 27:

NIST

• National Institute of Science and Technology (NIST)
• Operates Computer Security Resource Clearinghouse (CSRC)
• Raising Awareness
• Multiple Disciplines
• Main Source of Fed Govt Standards
• http://csrc.ncsl.nist.gov/

Page 28:

CIAS

• UTSA’s Center for Infrastructure Assurance and Security (CIAS)
• Multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security.
• National Cyber Exercises
• Cyber Security Training
• Cyber Competitions
• http://www.utsa.edu/cias/

Page 29:

So How Many Vulnerabilities Are Out?

Let's See What the CERT CC Says.

Pages 30-34: (slides contain figures not captured in the transcript)

Page 35:

History Lesson: The Art of War, Sun Tzu

Lesson for you
• Know the enemy
• Know yourself… and in a hundred battles you will never be defeated
• If ignorant both of your enemy and of yourself you are certain in every battle to be in peril

Page 36:

History Lesson: The Art of War, Sun Tzu

Lesson for the Hacker
• Probe him and learn where his strength is abundant and where deficient
• To subdue the enemy without fighting is the acme of skill
• One able to gain victory by modifying his tactics IAW the enemy situation may be said to be divine

Page 37:

Hacker Attacks

• Intent is for you to know your enemy
• Not intended to make you a hacker
• Need to know defensive techniques
• Need to know where to start recovery process
• Need to assess extent of investigative environment

Page 38:

Anatomy of a Hack (phases in order)

• Footprinting
• Scanning
• Enumeration
• Gaining Access
• Escalating Privilege
• Pilfering
• Covering Tracks
• Creating Backdoors
• Denial of Service

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 39:

Footprinting

Objective
• Target Address Range
• Acquire Namespace
• Information Gathering
• Surgical Attack
• Don’t Miss Details

Technique
• Open Source Search
• whois
• Web Interface to whois
• ARIN whois
• DNS Zone Transfer

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 40:

Scanning

Objective
• Bulk target assessment
• Determine Listening Services
• Focus attack vector

Technique
• Ping Sweep
• TCP/UDP Scan
• OS Detection

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 41:

Enumeration

Objective
• Intrusive Probing Commences
• Identify valid accounts
• Identify poorly protected shares

Technique
• List user accounts
• List file shares
• Identify applications

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 42:

Gaining Access

Objective
• Informed attempt to access target
• Typically User level access

Technique
• Password sniffing
• File share brute forcing
• Password file grab
• Buffer overflows

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 43:

Escalating Privilege

Objective
• Gain Root level access

Technique
• Password cracking
• Known exploits

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 44:

Pilfering

Objective
• Info gathering to access trusted systems

Technique
• Evaluate trusts
• Search for cleartext passwords

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 45:

Cover Tracks

Objective
• Ensure highest access
• Hide access from system administrator or owner

Technique
• Clear logs
• Hide tools

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 46:

Creating Back Doors

Objective
• Deploy trap doors
• Ensure easy return access

Technique
• Create rogue user accounts
• Schedule batch jobs
• Infect startup files
• Plant remote control services
• Install monitors
• Trojanize

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 47:

Denial of Service

Objective
• If unable to escalate privilege then kill
• Build DDoS network

Technique
• SYN Flood
• ICMP Attacks
• Identical src/dst SYN requests
• Out of bounds TCP options
• DDoS

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 48:

Hacker Exploits per SANS (phases in order)

• Reconnaissance
• Scanning
• Exploit Systems
• Keeping Access
• Cover Tracks

Source: SANS Institute

Page 49:

Hacking Summary

• Threat: Hacking on the rise
• Security posture usually reactive
• Losses increasing
• 7 Step Process
• Hacker Techniques