Lesson 5 Introduction to Incident Response

Upload: jayson-harper

Post on 13-Dec-2015


TRANSCRIPT

Page 1: Lesson 5 Introduction to Incident Response. UTSA IS 6353 Incident Response Overview Hacker Lexicon Incident Response

Lesson 5: Introduction to Incident Response

Page 2:

UTSA IS 6353 Incident Response

Overview

• Hacker Lexicon
• Incident Response

Page 3:

Hacker Lexicon

• Rootkit - a collection of tools an intruder loads onto a compromised computer
• Usually consists of:
  – trojanized utilities
  – network sniffers
  – log-cleaning scripts

Page 4:

Root Kits

• Three primary types:
  – traditional
  – loadable kernel modules (LKMs) for Unix/Linux
  – kernel-level rootkits for Windows NT/2000
• Hundreds of rootkits in existence
  – Hacker sites contain a "click and choose smorgasbord" (KNOW THY ENEMY)

Page 5:

Traditional Unix/Linux Rootkits

• Backdoors - programs that listen on TCP/UDP ports and give the intruder stealthy access
• Log wipers - utilities that erase log files to hide signs of the intruder's presence
• Packet sniffers - software designed to monitor network traffic and capture packets of interest
• Internet Relay Chat (IRC) utilities for comms
• DDoS agents - software that sends UDP/ICMP floods

Page 6:

LKM Rootkits

• Most rootkits used against Unix/Linux systems are Loadable Kernel Modules (LKMs)
• Kernel is transparently modified:
  – Execute redirection: remaps system utility calls
  – Remote execution: commands transmitted via the net
  – Promiscuous mode hiding: hides sniffers
  – Task hacking: changing the user id (UID), effective user id (EUID), and file system user id (FSUID) of any process

Page 7:

LKM Rootkits

• Kernel is transparently modified (contd):
  – Real-time process hiding: sending "kill -31 process id" allows the kernel to suppress all info about the given process
  – Kernel module hiding: LKMs can actually mask their own presence (stealthy LKMs)

Page 8:

WIN NT/2000 Rootkits

• Contains:
  – Kernel mode device driver: "_root_.sys"
  – Launcher program: "deploy.exe"
• Capabilities:
  – Back doors
  – Hide files: files with _root_ in the name will be hidden from "dir"
  – Hide processes and registry entries
  – Keystroke intercept

Page 9:

Incident Response Overview

• Goals
• Methodology
• Preparation
• Detection
• Initial Response
• Strategy Formulation
• Investigation
• Monitoring
• Recovery
• Reporting

Page 10:

What is an Incident?

Incident - an event in an information system/network

Time based security: Protection time >> detection time + reaction time

Some say it's all about vulnerability management

Page 11:

SANS/FBI Top 20 List

20 MOST CRITICAL INTERNET VULNERABILITIES (UP TO 800 POSSIBLE)

SANS Institute 20 Most Critical Internet Security Vulnerabilities

Page 12:

General Vulnerabilities

1. Default installs of OSs and applications
2. Weak or non-existent passwords
3. Incomplete or non-existent backups
4. Large number of open ports
5. Lack of packet filtering
6. Incomplete or non-existent logging
7. Vulnerable CGI programs

Source: The SANS Institute

Page 13:

Windows Vulnerabilities

8. Unicode Vulnerability
9. ISAPI Extension Buffer Overflows
10. MS Remote Data Services Exploit
11. NETBIOS – Unprotected Windows Networking Shares
12. Leakage via Null Session Connections
13. Weak Hashing in SAM (Lan Manager Hash)

Source: The SANS Institute

Page 14:

Unix Vulnerabilities

14. Buffer Overflows in Remote Procedure Call Services
15. Sendmail Vulnerabilities
16. Bind Weaknesses
17. R Commands
18. LPD – Remote Print Protocol Daemon
19. Sadmind and Mountd
20. Default SNMP Strings

Source: The SANS Institute

Page 15:

Home User Guidelines

• Use strong passwords (alpha-numeric, over 8 characters)
• Make regular backups of critical data
• Use virus protection software
• Use a firewall as a gatekeeper between your computer and the Internet
• Do not leave computers online
• Do not open attachments from strangers

Source: FBI

Page 16:

The Worst Can Happen

"Don't look at the past and assume that's the future. Look at the enemy's strengths and your vulnerability. You've got to realize that the worst case does sometimes happen."
- Richard Clarke, Special Advisor for Cybersecurity

Page 17:

Goals of Incident Response

• Confirm or dispel the incident
• Promote accurate information accumulation
• Establish controls for evidence
• Protect privacy rights
• Minimize disruption to operations
• Allow for legal/civil recriminations
• Provide accurate reports/recommendations

Page 18:

Incident Response Methodology

• Pre-incident preparation
• Detection
• Initial response
• Strategy formulation
• Duplication
• Investigation
• Security measure implementation
• Network monitoring
• Recovery
• Reporting
• Follow-up

See page 18, Fig 2-1

Page 19:

Incident response process flowchart (textbook page 18, Fig 2-1). The slide reproduces the figure; its nodes and labelled branches, grouped as they appear (exact arrows are not recoverable from the transcript):

• Pre-Incident Preparation
• Detection of Incidents: Incident Response Team formed; Notification Checklist completed
• Initial Response
• Decision: Is it really an incident? (Yes / No; No leads to Follow-Up)
• Formulate Response Strategy
• Pursue and accumulate evidence and/or secure system (can pursue both paths simultaneously):
  – Evidence path: Decision: Forensic duplication? (Yes → Forensic Duplication; No) → Investigation → Accumulate Evidence
  – Secure system path: Isolate and Contain → Perform Network Monitoring → Implement Security Measures → Secure System
• Reporting
• Follow-Up

Page 20:

Detection

Diagram: Firewall Logs, IDS Logs, Suspicious User, Sys Admin → DETECT → Notification Checklist Completed → Response Team Activated

Page 21:

Initial Critical Details

• Current time and date
• Who/what is reporting the incident
• Nature of the incident
• When the incident occurred
• Hardware/software involved
• Point of contact for involved personnel
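The detection slide feeds log sources into a completed notification checklist, and this slide lists the checklist's fields. The following added example (not course material; the firewall and IDS log formats, hostnames and addresses are all constructed) parses two constructed log lines and derives each checklist field from them.

```python
"""Build the 'initial critical details' record from raw detection sources.
Added example for this lesson (not course material); the firewall and IDS
log formats and every value below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample input: one firewall deny and one IDS alert about the same host.
SAMPLE_LOGS = [
    "2015-12-13T02:14:07Z fw01 DENY src=203.0.113.45 dst=192.0.2.10 dport=23",
    "2015-12-13T02:14:09Z ids01 ALERT sig=TELNET-BRUTE src=203.0.113.45 dst=192.0.2.10",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>DENY|ALERT) (?P<rest>.*)$")

@dataclass
class NotificationChecklist:
    recorded_at: str        # current time and date (when the checklist was filled in)
    reported_by: str        # who/what is reporting the incident
    nature: str             # nature of the incident
    occurred_at: str        # when the incident occurred (earliest related event)
    systems_involved: list  # hardware/software involved
    point_of_contact: str   # point of contact for involved personnel

def parse_line(line):
    """Split one constructed log line into its fields; reject anything unrecognised."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {"ts": m["ts"], "host": m["host"], "kind": m["kind"], **fields}

def build_checklist(lines, contact, now=None):
    """Derive the checklist fields from the events; 'now' is injectable for testing."""
    events = [parse_line(line) for line in lines]
    alerts = [e for e in events if e["kind"] == "ALERT"]
    nature = ", ".join(sorted({a["sig"] for a in alerts})) or "unclassified (firewall denies only)"
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return NotificationChecklist(
        recorded_at=now,
        reported_by=", ".join(sorted({e["host"] for e in events})),
        nature=nature,
        occurred_at=min(e["ts"] for e in events),   # ISO-8601 UTC strings sort chronologically
        systems_involved=sorted({e["dst"] for e in events}),
        point_of_contact=contact,
    )
```

The record's own timestamp is taken separately from the event timestamps, which is why "current time and date" and "when the incident occurred" are distinct fields on the slide.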

Page 22:

INITIAL RESPONSE

Diagram: Details from notification checklist + Prepared response team → Initial Response → Verified information about the incident (outcome: Success or Failure)

How much info is enough?

Page 23:

Response Strategy Formulation

Diagram: Verified information about the incident + Response Posture → Formulate Response Strategy → Management-approved Action Plan

Goal: determine the most appropriate response strategy

Page 24:

Factors for Strategy

• How critical are the impacted systems?
• Data sensitivity
• Who are the perpetrators?
• Does the incident have publicity?
• Level of access available to the hacker
• Apparent skill of the attacker
• How much downtime can be tolerated?
• Overall dollar loss involved

Page 25:

Common Incidents

• Denial of Service Attack
• Unauthorized Use
• Vandalism
• Information Theft
• Computer Intrusion

Type of incident + response → likely outcome

Management Support: network downtime, user downtime, legal liability, publicity, theft of intellectual property

Page 26:

Investigation Stage

Diagram: Live System + Network Logs + Forensic Duplicate → Investigation → Investigative Report

Page 27:

Security Measure Implementation Stage

Diagram: Verified Info + Network Logs + Response Posture → Implementing Security Remedies → Monitor; Isolate and Contain

Prevent the same exposure! "Fishbowling" the attacker

Page 28:

Recovery/Reporting Process

Diagram: Conclusions → Successful containment → Recovery (backups, hardening, user education, COOP) → Report (support criminal actions, lessons learned, prevent repeats)

Page 29:

What Will You Do?

• We Need an Initial Response that:
  – Supports the Goals of Computer Security
  – Supports the Business Practices
  – Supports Administrative and Legal Policy
  – Is Forensically Sound
  – Is Simple and Efficient (KISS)
  – Provides an Accurate Snapshot for Decision Makers
  – Supports Civil, Administrative, or Criminal Action

Page 30:

Common Mistakes

• Failure to Document Findings Appropriately
• Failure to Notify or Provide Accurate Information to Decision Makers
• Failure to Record and Control Access to Digital Evidence
• Waiting Too Long Before Reporting
• Underestimating the Scope of Evidence that May Be Found

Page 31:

Common Mistakes

• Technical Blunders:
  – Altering Time/Date Stamps on Evidence Systems
  – "Killing" Rogue Processes
  – Patching the System
  – Not Recording the Steps Taken on the System
  – Not Acting Passively
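Three of the mistakes above (not recording steps, not controlling access to evidence, altering time stamps) are addressed by the same control: a custody log that records each action on an item together with its hash and original time stamp. The following added example (not course material; file names, analyst names and file contents are constructed) is one way to keep such a log so that both a changed evidence file and an edited log entry are detected by verify().

```python
"""Chain-of-custody log: added example for this lesson (not course material); names and contents are constructed."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash in chunks so a large forensic image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only record: each entry carries the previous entry's hash, so a
    removed or edited step breaks the chain and verify() reports it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, who, action, path, when=None):
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        entry = {"when": when, "who": who, "action": action, "path": path,
                 "sha256": sha256_file(path),
                 "mtime_ns": os.stat(path).st_mtime_ns,  # recorded, never changed
                 "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS}
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, reason): chain intact and every item's hash unchanged."""
        prev, first_seen = self.GENESIS, {}
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False, "custody log altered"
            if first_seen.setdefault(e["path"], e["sha256"]) != e["sha256"]:
                return False, "evidence changed: " + e["path"]
            prev = e["entry_hash"]
        return True, "ok"

def sample_evidence():
    path = os.path.join(tempfile.mkdtemp(), "disk.dd")  # constructed sample item
    with open(path, "wb") as f:
        f.write(b"constructed forensic image contents")
    return path
```

Hashing reads the file and, on many filesystems, updates its access time, which is the "altering time stamps" blunder listed above; run this against the forensic duplicate or a read-only mount, never the live evidence system.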