Lesson 1: Course Introduction
UTSA IS 6353 Incident Response
Overview
• Course Administrivia
• Info Assurance Review
• Incident Response
IS 6353 Intrusion Detection and Incident Response
• 6:00-7:50 PM T/TH
• Robert Kaufman
  – Background
  – Contact information
• Syllabus and Class Schedule
• Student Background Information
  – Email to [email protected]
Student Information
• Name
• Reliable email address
• Email to [email protected]
Text Books
• Course Text:
  – Incident Response and Computer Forensics, McGraw Hill Publishing, 2014. ISBN 978-0071798686
• Additional References:
  – Principles of Computer Security, Conklin, White, Cothren, Williams, and Davis
  – Hacking Exposed, by McClure, Scambray, Kurtz
  – Cyber Crime Investigator's Field Guide, by Bruce Middleton
Grading
• Grades
  – 2 Tests
  – Final
  – 1 Paper
  – 4-5 Labs
A Sampling of Malicious Activity
• March 1999 - EBay gets hacked
• March 1999 - Melissa virus hits Internet
• April 1999 - Chernobyl Virus hits
• May 1999 - Hackers shut down web sites of FBI, Senate, and DOE
• June 1999 - Worm.Explore.Zip virus hits
• July 1999 - Cult of the Dead Cow (CDC) releases Back Orifice
• Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites
• Oct 1999 - Teenage hacker admits to breaking into AOL
• Nov 1999 - BubbleBoy virus hits
• Dec 1999 - Babylonia virus spreads
• Feb 2000 - Several sites experience DOS attacks
• Feb 2000 - Alaska Airlines site hacked
• May 2000 - Love Bug virus ravages net
• July 2001 - Code Red runs rampant
• Sept 2001 - Nimda explodes
• Jan 2003 - Sapphire/Slammer Worm
• Aug 2003 - Blaster (LoveSan) Worm
• Jan 2004 - MyDoom
• Mar 2004 - Witty Worm
• May 2004 - Sasser Worm
• Dec 2006 - TJX Credit/Debit Card Theft
• Jan 2007 - Storm Worm
• Mar 2009 - Conficker
• June 2010 - Stuxnet
http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
Spread of Slammer—25 Jan 05:29 UTC
Spread of Slammer—25 Jan 06:00 UTC
CSI Survey: Average Loss
Ref: 2008 CSI Survey
Internet Security Software Market
2002 - $7.4 Billion est.
1999 - $4.2 Billion
1998 - $3.1 Billion
1997 - $2 Billion
’97 & ’98 figures based on a study released by market research firm International Data Corp. in Framingham, Mass.
’99 & ’02 figures from IDC study based on a survey of 300 companies with more than $100 million in annual revenues
DISA VAAP Results
PROTECTION: 38,000 attacks; 24,700 succeed, 13,300 blocked
DETECTION: of the 24,700 that succeed, 988 detected, 23,712 undetected
REACTION: of the 988 detected, 267 reported, 721 not reported
Computer Security
The prevention and/or detection of unauthorized actions by users of a computer system.
In the beginning, this meant ensuring privacy on shared systems. Today, the interesting aspect of security is in enabling different access levels.
What are our goals in Security?
• The “CIA” of security
  – Confidentiality
  – Integrity
    • Data integrity
    • Software integrity
  – Availability
    • Accessible and usable on demand
  – (authentication)
  – (nonrepudiation)
The “root” of the problem
• Most security problems can be grouped into one of the following categories:
  – Network and host misconfigurations
    • Lack of qualified people in the field
  – Operating system and application flaws
    • Deficiencies in vendor quality assurance efforts
    • Lack of qualified people in the field
    • Lack of understanding of/concern for security
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
Prevention: Access Controls, Encryption, Firewalls
Detection + Response: Intrusion Detection, Incident Handling
Proactive vs. Reactive Models
• “Most organizations only react to security threats, and, often times, those reactions come after the damage has already been done.”
• “The key to a successful information security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you.”
So What Happens When Computer Security Fails?
• Incident Response Methodology: 7 Step Process
  – Preparation: Proactive Computer Security
  – Detection of Incidents
  – Initial Response
  – Formulate Response Strategy
  – Investigate the Incident
  – Reporting
  – Resolution
7 Components of Incident Response
(Figure: process flow)
Pre-Incident Preparation
Detection of Incidents
Initial Response
Formulate Response Strategy
Investigate the Incident
  Data Collection
  Data Analysis
Reporting
Resolution: Recovery, Implement Security Measures
Page 15, Fig 2-1, Mandia 2nd Edition
Resources in the Fight
• SANS
• CERT CC
• FIRST
• CERIAS
• NIST
• CIAS
SANS
• System Administration, Networking, and Security (SANS) Institute
• Global Incident Analysis Center
• Security Alerts, Updates, & Education
• NewsBites, Security Digest, Windows Digest
• Certification
• http://www.sans.org/
Carnegie Mellon CERT CC
• Computer Emergency Response Team Coordination Center
• Started by DARPA
• Alerts & Response Services
• Training and CERT Standup
• Clearing House
• http://www.cert.org
FIRST
• Forum of Incident Response and Security Teams
• Established 1988
• Govt & Private Sector Membership
• Over 70 Members
• Coordinate Global Response
• http://www.first.org
CERIAS
• Center for Education and Research in Information Assurance and Security
• Home of Gene Spafford
• A "University Center"
• InfoSec Research & Education
• Members: Academia, Govt, & Industry
• http://www.cerias.purdue.edu/coast/
NIST
• National Institute of Science and Technology (NIST)
• Operates Computer Security Resource Clearinghouse (CSRC)
• Raising Awareness
• Multiple Disciplines
• Main Source of Fed Govt Standards
• http://csrc.ncsl.nist.gov/
CIAS
• UTSA’s Center for Infrastructure Assurance and Security (CIAS)
• Multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security.
• National Cyber Exercises
• Cyber Security Training
• Cyber Competitions
• http://www.utsa.edu/cias/
So How Many Vulnerabilities Are Out There?
Let's See What the CERT CC Says.
History Lesson: The Art of War, Sun Tzu
Lesson for you
• Know the enemy
• Know yourself… and in a 100 battles you will never be defeated
• If ignorant both of your enemy and of yourself you are certain in every battle to be in peril
History Lesson: The Art of War, Sun Tzu
Lesson for the Hacker
• Probe him and learn where his strength is abundant and where deficient
• To subdue the enemy without fighting is the acme of skill
• One able to gain victory by modifying his tactics in accordance with the enemy situation may be said to be divine
Hacker Attacks
• Intent is for you to know your enemy
• Not intended to make you a hacker
• Need to know defensive techniques
• Need to know where to start the recovery process
• Need to assess the extent of the investigative environment
Anatomy of a Hack
(Figure: attack phases in sequence)
FOOTPRINTING → SCANNING → ENUMERATION → GAINING ACCESS → ESCALATING PRIVILEGE → PILFERING → COVERING TRACKS → CREATING BACKDOORS
DENIAL OF SERVICE (alternate branch when access cannot be gained or escalated)
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Footprinting
Objective
• Target address range
• Acquire namespace
• Information gathering
• Surgical attack
• Don’t miss details
Technique
• Open source search
• whois
• Web interface to whois
• ARIN whois
• DNS zone transfer
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Scanning
Objective
• Bulk target assessment
• Determine listening services
• Focus attack vector
Technique
• Ping sweep
• TCP/UDP scan
• OS detection
Source: Hacking Exposed, McClure, Scambray, and Kurtz
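From the defender's side, the scanning techniques on this slide (ping sweeps and TCP port scans) leave a recognizable footprint in firewall logs: one source touching many hosts, or one source touching many ports on one host. The following is an added example written for this lesson, not code from the course or from Hacking Exposed; the log format, the addresses and the thresholds are constructed for illustration and would be adapted to a real firewall's log syntax.

```python
"""Detect ping sweeps and port scans in firewall-style log lines.

Added illustration: the log format below is constructed for this example
(it is not any real firewall's format) and the thresholds are arbitrary.
"""
import re
from collections import defaultdict

# Constructed sample log lines; addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY proto=icmp src=203.0.113.7 dst=192.0.2.10 type=8
2024-05-01T10:00:01 DENY proto=icmp src=203.0.113.7 dst=192.0.2.11 type=8
2024-05-01T10:00:01 DENY proto=icmp src=203.0.113.7 dst=192.0.2.12 type=8
2024-05-01T10:00:02 DENY proto=icmp src=203.0.113.7 dst=192.0.2.13 type=8
2024-05-01T10:00:02 DENY proto=icmp src=203.0.113.7 dst=192.0.2.14 type=8
2024-05-01T10:00:02 DENY proto=icmp src=203.0.113.7 dst=192.0.2.15 type=8
2024-05-01T10:00:05 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=21
2024-05-01T10:00:05 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=22
2024-05-01T10:00:05 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=23
2024-05-01T10:00:05 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=25
2024-05-01T10:00:06 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=80
2024-05-01T10:00:06 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=110
2024-05-01T10:00:06 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=135
2024-05-01T10:00:06 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=139
2024-05-01T10:00:06 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=443
2024-05-01T10:00:06 DENY proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=445
2024-05-01T10:00:09 ALLOW proto=tcp src=198.51.100.4 dst=192.0.2.10 dport=443
2024-05-01T10:00:09 ALLOW proto=tcp src=198.51.100.4 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?$"
)


def parse(log_text):
    """Yield one dict per well-formed line; silently skip lines that don't match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect_scans(log_text, host_threshold=5, port_threshold=10):
    """Return {source_ip: [findings]} for sources that probed many hosts
    (ping sweep, ICMP echo request = type 8) or many ports on one host (port scan)."""
    icmp_hosts = defaultdict(set)   # src -> hosts that received an echo request
    tcp_ports = defaultdict(set)    # (src, dst) -> destination ports touched
    for rec in parse(log_text):
        if rec["proto"] == "icmp" and rec["type"] == "8":
            icmp_hosts[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "tcp" and rec["dport"]:
            tcp_ports[(rec["src"], rec["dst"])].add(int(rec["dport"]))
    findings = defaultdict(list)
    for src, hosts in icmp_hosts.items():
        if len(hosts) >= host_threshold:
            findings[src].append(f"ping sweep: {len(hosts)} hosts")
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= port_threshold:
            findings[src].append(f"port scan of {dst}: {len(ports)} ports")
    return dict(findings)


if __name__ == "__main__":
    for src, notes in detect_scans(SAMPLE_LOG).items():
        print(src, notes)
```

The repeated ALLOW entries from 198.51.100.4 show why the counters use sets of distinct hosts and ports rather than raw line counts: a busy legitimate client generates many lines to one port, a scanner generates few lines to many ports.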
Enumeration
Objective
• Intrusive probing commences
• Identify valid accounts
• Identify poorly protected shares
Technique
• List user accounts
• List file shares
• Identify applications
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Gaining Access
Objective
• Informed attempt to access target
• Typically user level access
Technique
• Password sniffing
• File share brute forcing
• Password file grab
• Buffer overflows
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Escalating Privilege
Objective
• Gain root level access
Technique
• Password cracking
• Known exploits
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Pilfering
Objective
• Info gathering to access trusted systems
Technique
• Evaluate trusts
• Search for cleartext passwords
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Cover Tracks
Objective
• Ensure highest access
• Hide access from system administrator or owner
Technique
• Clear logs
• Hide tools
Source: Hacking Exposed, McClure, Scambray, and Kurtz
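The "clear logs" technique on this slide is exactly what an incident responder must assume has happened, so the defensive counterpart is logging that makes clearing or editing detectable. The example below is added for this lesson and is not code from the course or from any real logging product: each record carries an HMAC chained over the previous record's tag, and a small checkpoint (record count plus last tag) is shipped off the host. The key, record format and log messages are constructed here; in practice the key lives off the logged host (collector or HSM), since an intruder who obtains it can rebuild the chain.

```python
"""Tamper-evident logging: every record carries an HMAC chained over the
previous record's tag, and an off-host checkpoint (count, last tag) exposes
truncation that a chain alone cannot reveal.

Added illustration: record format, key and messages are constructed here;
this is not any real logging system's design.
"""
import hashlib
import hmac

GENESIS = "genesis"   # tag value assumed before the first record


def _tag(key, prev_tag, message):
    """HMAC-SHA256 over previous tag || message; chaining binds record order."""
    return hmac.new(key, (prev_tag + "\n" + message).encode(), hashlib.sha256).hexdigest()


def append(chain, key, message):
    """Append (message, tag) to chain, the list held on the logging host."""
    prev_tag = chain[-1][1] if chain else GENESIS
    chain.append((message, _tag(key, prev_tag, message)))
    return chain


def checkpoint(chain):
    """(record count, last tag): shipped to a remote collector after each batch."""
    return (len(chain), chain[-1][1] if chain else GENESIS)


def verify(chain, key, checkpoint_=None):
    """Return (ok, reason). A chain that verifies internally can still have had
    its tail cleared; only comparison against the off-host checkpoint shows that."""
    prev_tag = GENESIS
    for i, (message, tag) in enumerate(chain):
        if not hmac.compare_digest(_tag(key, prev_tag, message), tag):
            return False, f"record {i} altered, or a record before it removed"
        prev_tag = tag
    if checkpoint_ is not None:
        count, last = checkpoint_
        if len(chain) < count:
            return False, f"log truncated: {len(chain)} records, checkpoint says {count}"
        if count and chain[count - 1][1] != last:
            return False, "chain diverges from checkpoint"
    return True, "ok"


KEY = b"demo-key-kept-off-host"   # constructed; real keys live in a collector or HSM


def demo():
    """Build a 3-record log, then show what each kind of tampering looks like."""
    chain = []
    for msg in ["sshd: accepted login alice", "sudo: alice -> root", "sshd: failed login bob"]:
        append(chain, KEY, msg)
    cp = checkpoint(chain)
    edited = list(chain)
    edited[1] = ("sudo: nobody -> root", edited[1][1])   # rewrite one record's text
    deleted = chain[:1] + chain[2:]                       # remove a middle record
    truncated = chain[:2]                                 # clear the tail of the log
    return (verify(chain, KEY, cp), verify(edited, KEY, cp), verify(deleted, KEY, cp),
            verify(truncated, KEY), verify(truncated, KEY, cp))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The fourth result is the important edge case: a log whose last records were deleted still verifies as a chain, which is why the checkpoint has to leave the host before the intruder reaches the logs.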
Creating Back Doors
Objective
• Deploy trap doors
• Ensure easy return access
Technique
• Create rogue user accounts
• Schedule batch jobs
• Infect startup files
• Plant remote control services
• Install monitors
• Trojanize
Source: Hacking Exposed, McClure, Scambray, and Kurtz
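Three of the techniques on this slide (rogue accounts, scheduled jobs, infected startup files) are all changes to host state that a known-good baseline makes visible. The example below is added for this lesson, not code from the course or from Hacking Exposed: it compares constructed baseline and current snapshots of a passwd file, per-user cron entries and a startup script, and reports the drift a responder would want to see. All snapshot contents are made up for illustration, and a real deployment would store the baseline off-host so the intruder cannot update it.

```python
"""Baseline comparison for the persistence mechanisms named on the slide:
new or extra uid-0 accounts, new cron jobs, changed startup files.

Added illustration: every snapshot below is constructed text, not taken from a
real host; the baseline would normally be stored off-host.
"""
import hashlib

# Constructed snapshots: baseline taken at build time, current taken during response.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD + "toor:x:0:0:backup admin:/root:/bin/bash\n"

BASELINE_CRON = {"root": ["0 3 * * * /usr/bin/backup.sh"]}
CURRENT_CRON = {"root": ["0 3 * * * /usr/bin/backup.sh", "*/5 * * * * /tmp/.x/beacon"]}

BASELINE_FILES = {"/etc/rc.local": "#!/bin/sh\nexit 0\n"}
CURRENT_FILES = {"/etc/rc.local": "#!/bin/sh\n/tmp/.x/beacon &\nexit 0\n"}


def parse_passwd(text):
    """Map user name -> (uid, shell) from passwd-format text (7 colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = (int(fields[2]), fields[6])
    return users


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def audit(base_passwd, cur_passwd, base_cron, cur_cron, base_files, cur_files):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    base_users, cur_users = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    for name, (uid, shell) in cur_users.items():
        if name not in base_users:
            findings.append(f"new account: {name} (uid {uid}, shell {shell})")
        if uid == 0 and name != "root":      # a second uid-0 login is a classic back door
            findings.append(f"extra uid-0 account: {name}")
    for user, jobs in cur_cron.items():
        for job in jobs:
            if job not in base_cron.get(user, []):
                findings.append(f"new cron job for {user}: {job}")
    for path, content in cur_files.items():
        if sha256(content) != sha256(base_files.get(path, "")):
            findings.append(f"startup file changed: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE_PASSWD, CURRENT_PASSWD, BASELINE_CRON, CURRENT_CRON,
                         BASELINE_FILES, CURRENT_FILES):
        print(finding)
```

Comparing hashes rather than file contents is what lets the baseline be a small record shipped off-host; the same idea scales to every file a boot sequence reads.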
Denial of Service
Objective
• If unable to escalate privilege then kill
• Build DDOS network
Technique
• SYN flood
• ICMP attacks
• Identical src/dst SYN requests
• Out of bounds TCP options
• DDOS
Source: Hacking Exposed, McClure, Scambray, and Kurtz
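Two of the techniques on this slide, the SYN flood and the identical src/dst SYN request, can be recognized from packet headers alone: a flood leaves many half-open handshakes (SYN with no completing ACK) against one destination, and a packet whose source equals its destination is spoofed by construction. The following is an added example written for this lesson, not code from the course or from Hacking Exposed; the packet list is constructed, the threshold is arbitrary, and no capture library is used.

```python
"""Detect SYN-flood and identical src/dst SYN patterns in packet summaries.

Added illustration: the packet list is constructed (not a capture), the
threshold is arbitrary, and flags are simplified to "S", "SA" and "A".
"""
from collections import defaultdict

# Constructed packet summaries as (time_s, src, dst, tcp_flags).
PACKETS = (
    [(0.00, "198.51.100.4", "192.0.2.10", "S"),
     (0.01, "192.0.2.10", "198.51.100.4", "SA"),
     (0.02, "198.51.100.4", "192.0.2.10", "A")]          # one completed handshake
    + [(0.1 + i * 0.001, f"203.0.113.{i}", "192.0.2.10", "S") for i in range(1, 51)]
    + [(0.3, "192.0.2.10", "192.0.2.10", "S")]            # SYN whose src equals dst
)


def analyze(packets, half_open_threshold=20):
    """Return half-open SYN counts per destination, destinations over the
    threshold, and sources of packets whose source equals their destination."""
    pending = set()          # (src, dst) pairs that sent SYN but no completing ACK yet
    land = []
    for _, src, dst, flags in packets:
        if src == dst:       # cannot arrive from the network unforged
            land.append(src)
            continue
        if flags == "S":
            pending.add((src, dst))
        elif flags == "A":
            pending.discard((src, dst))   # client's final ACK completes the handshake
    half_open = defaultdict(int)
    for _, dst in pending:
        half_open[dst] += 1
    flooded = sorted(d for d, n in half_open.items() if n >= half_open_threshold)
    return {"half_open": dict(half_open), "syn_flood": flooded, "land": land}


if __name__ == "__main__":
    print(analyze(PACKETS))
```

A production detector would age pending entries out after a window and rate-limit per source, since slow scanners and flaky clients also leave a few half-open entries; the counting logic is the same.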
Hacker Exploits per SANS
(Figure: attack phases in sequence)
RECONNAISSANCE → SCANNING → EXPLOIT SYSTEMS → KEEPING ACCESS → COVER TRACKS
Source: SANS Institute
Hacking Summary
• Threat: Hacking on the rise
• Security posture usually reactive
• Losses increasing
• 7 Step Process
• Hacker Techniques