Recognizing Attacks (31 slides)

Post on 19-Dec-2015


TRANSCRIPT

Page 1: Recognizing Attacks

Page 2: Recognition Stances

Page 3: Leading Questions

• Is it a real break-in?

• Was any damage really done?

• Is protecting evidence important?

• Is restoring normal operation quickly important?

• Willing to chance modification of files?

• Is no publicity important?

• Can it happen again?

Page 4: Document Actions

• Start notebook

• Collect printouts and backup media

• Use scripts

• Get legal assistance for evidence-gathering

• PLAN AHEAD
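Added example for this slide (not part of the original deck): a small append-only incident notebook in Python. Each collected artifact (a scanned printout, a backup image, saved command output) is logged with its SHA-256, size, collector and UTC time, and every entry carries the digest of the entry before it, so a later edit or deletion inside the notebook is detectable. The JSON-lines layout, the field names and the constructed `memory.dump` artifact in `demo()` are assumptions.

```python
"""Append-only evidence notebook with a hash chain (added example, not deck code).

The notebook file name, the JSON-lines layout and the field names are
assumptions; the artifact written by demo() is constructed for the example.
"""
import hashlib
import json
import os
import tempfile
import time

GENESIS = "0" * 64  # "previous digest" carried by the very first entry


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def entry_digest(entry):
    """Digest of an entry over its canonical JSON form (sorted keys, no spaces)."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def read_entries(notebook):
    """Parse the notebook; a missing file is an empty notebook."""
    if not os.path.exists(notebook):
        return []
    with open(notebook) as f:
        return [json.loads(ln) for ln in f if ln.strip()]


def record(notebook, artifact, collector, note, when=None):
    """Append one entry for `artifact`; `when` is a Unix time (default: now)."""
    entries = read_entries(notebook)
    entry = {
        "prev": entry_digest(entries[-1]) if entries else GENESIS,
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(when)),
        "artifact": os.path.abspath(artifact),
        "size": os.path.getsize(artifact),
        "sha256": sha256_file(artifact),
        "collector": collector,
        "note": note,
    }
    with open(notebook, "a") as f:  # append only; earlier lines are never rewritten
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify(notebook, check_files=True):
    """Walk the chain and re-hash each artifact. Returns (ok, list of problems)."""
    problems, prev = [], GENESIS
    for n, entry in enumerate(read_entries(notebook), 1):
        if entry["prev"] != prev:
            problems.append("entry %d: chain broken (entry edited or removed)" % n)
        if check_files:
            path = entry["artifact"]
            if not os.path.exists(path):
                problems.append("entry %d: artifact missing: %s" % (n, path))
            elif sha256_file(path) != entry["sha256"]:
                problems.append("entry %d: artifact modified: %s" % (n, path))
        prev = entry_digest(entry)
    return (not problems, problems)


def demo():
    """Constructed walk-through: record an artifact twice, verify, tamper, re-verify."""
    work = tempfile.mkdtemp()
    notebook = os.path.join(work, "incident-notebook.jsonl")
    dump = os.path.join(work, "memory.dump")  # constructed stand-in for a real image
    with open(dump, "wb") as f:
        f.write(b"constructed memory image")
    first = record(notebook, dump, "analyst-1", "memory dump of web1", when=0)
    second = record(notebook, dump, "analyst-1", "second copy for legal", when=60)
    before = verify(notebook)
    with open(dump, "ab") as f:  # someone alters the artifact after collection
        f.write(b"!")
    after = verify(notebook)
    return {"first": first, "second": second, "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only proves the notebook is internally consistent. At the end of each session copy the last entry's digest into the paper notebook or onto write-once media, and keep the file on a separate clean system: an intruder with root on the affected host can rewrite the whole file and recompute the chain.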

Page 5: Finding the Intruder

• Finding changes

• Receiving message from other system administrator / net defender

• Strange activities

• User reports

Page 6: Steps in Handling

1. Identify/understand the problem

2. Contain/stop the damage

3. Confirm diagnosis and determine damage

4. Restore system

5. Deal with the cause

6. Perform related recovery

Page 7: Dealing with Intruder

• Ignore intruder
– Dangerous
– Contrary to policy/law?

• Communicate with intruder
– Dangerous
– Low return

• Trace/identify intruder
– Watch for traps / assumptions
– Network and host options
– Phone logs

• Break intruder's connection
– Physically
– Logically (logout, kill processes, lock account)

Page 8: Asking for Help

• CERT, FIRST, law enforcement, etc.

• Don't use the infected system to ask for help

• Avoid using email from connected systems (the intruder may be reading it)

Page 9: Finding Damage

• What have affected accounts done lately?
– Missing log files?
– What has root done?
– What reboots have occurred?
– Unexplained error messages?
– Connections from/to unfamiliar sites?
– New hidden directories?

• Integrity checkers
– Changed binaries?
– Changed configuration files?
– Changed library files?
– Changed boot files?
– Changed user files?
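The first half of this slide is a list of questions to put to the logs. As an added example (not from the original deck), the Python below answers them over a handful of constructed syslog lines: which accounts logged in from unfamiliar sources, what those accounts then did as root (su, sudo), which accounts were created with UID 0, and when the host rebooted. The sample lines, host name and addresses are constructed; the message patterns follow common sshd, su, sudo, useradd and systemd wording, and the set of familiar source addresses is an assumption the caller supplies.

```python
"""Triage of auth/system log lines for the "Finding Damage" questions.

Added example, not code from the original deck. SAMPLE_LOG is constructed;
the "familiar" source addresses are an assumption passed in by the caller.
"""
import re

SAMPLE_LOG = """\
Mar  3 02:14:07 web1 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Mar  3 02:16:40 web1 sshd[2290]: Accepted publickey for alice from 203.0.113.77 port 40122 ssh2
Mar  3 02:17:02 web1 su[2301]: (to root) alice on pts/1
Mar  3 02:17:30 web1 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Mar  3 02:20:11 web1 useradd[2350]: new user: name=backup2, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 02:25:00 web1 systemd[1]: Startup finished in 3.2s (kernel) + 12.1s (userspace) = 15.3s.
Mar  3 03:00:00 web1 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 03:05:12 web1 sshd[2500]: Accepted password for bob from 10.0.0.9 port 50010 ssh2
"""

# Classic syslog header: "timestamp host program[pid]: message"
SYSLOG = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
LOGIN = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
SU = re.compile(r"\(to (\S+)\) (\S+) on (\S+)")
SUDO = re.compile(r"^(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
USERADD = re.compile(r"new user: name=([^,]+), UID=(\d+)")
REBOOT = re.compile(r"Startup finished|Linux version \S+")


def parse(line):
    """Split one syslog line into (timestamp, host, program, message), or None."""
    m = SYSLOG.match(line.rstrip())
    return m.groups() if m else None


def triage(lines, familiar_sources):
    """Collect the findings a responder wants first from an iterable of log lines."""
    f = {"logins": [], "root_actions": [], "new_uid0_accounts": [], "reboots": []}
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        ts, host, prog, msg = parsed
        if prog == "sshd" and (m := LOGIN.search(msg)):
            method, user, src = m.groups()
            f["logins"].append({"ts": ts, "user": user, "src": src, "method": method,
                                "unfamiliar": src not in familiar_sources})
        elif prog == "su" and (m := SU.search(msg)):
            target, user, tty = m.groups()
            if target == "root":
                f["root_actions"].append({"ts": ts, "user": user, "action": "su to root on " + tty})
        elif prog == "sudo" and (m := SUDO.match(msg)):
            user, runas, cmd = m.groups()
            if runas == "root":
                f["root_actions"].append({"ts": ts, "user": user, "action": "sudo " + cmd})
        elif prog == "useradd" and (m := USERADD.search(msg)):
            name, uid = m.group(1), int(m.group(2))
            if uid == 0:  # a second UID-0 account is a classic backdoor
                f["new_uid0_accounts"].append({"ts": ts, "name": name})
        elif REBOOT.search(msg):
            f["reboots"].append(ts)
    # "What have affected accounts done lately?": accounts seen from unfamiliar
    # sources, and every root action attributed to them
    affected = sorted({l["user"] for l in f["logins"] if l["unfamiliar"]})
    f["affected_accounts"] = affected
    f["actions_by_affected"] = [a for a in f["root_actions"] if a["user"] in affected]
    return f


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG.splitlines(), {"10.0.0.5", "10.0.0.9"}), indent=1))
```

Run this against log copies forwarded to a separate collector rather than the files on the affected host: the "Missing log files?" question exists because an intruder with root can edit or truncate them. Classic syslog lines carry no year, so the timestamps are kept as strings here.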

Page 10: Dealing with Damage

• Delete unauthorized account(s)

• Restore authorized access to affected account(s)

• Restore file / device protections

• Remove unauthorized setuid/setgid programs

• Remove unauthorized mail aliases

• Remove added files / directories

• Force new passwords
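The "Integrity checkers" questions on the previous slide and the removal list above rest on one mechanism: a baseline of what the system looked like, compared against what it looks like now. Added example in Python, not code from the original deck: `baseline()` snapshots the SHA-256, mode, owner and size of every regular file under a root plus any hidden directories it finds, and `compare()` reports changed, added and removed files and separately flags what the list above says to remove first, new set-uid/set-gid programs and new hidden directories. The demo tree, its file contents and the dictionary layout are assumptions.

```python
"""Filesystem integrity baseline and comparison (added example, not deck code).

The snapshot layout and the tree built by demo() are assumptions.
"""
import hashlib
import os
import stat
import tempfile

FIELDS = ("sha256", "mode", "uid", "gid", "size")


def baseline(root):
    """Snapshot regular files (symlinks and devices skipped) and hidden directories."""
    files, hidden = {}, set()
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.startswith("."):
                hidden.add(os.path.relpath(os.path.join(dirpath, d), root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            files[os.path.relpath(path, root)] = {
                "sha256": digest, "mode": st.st_mode,
                "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return {"files": files, "hidden_dirs": sorted(hidden)}


def is_setid(mode):
    """True if the set-uid or set-gid bit is set in a stat mode."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def compare(old, new):
    """Diff two snapshots; every list is sorted so reports are stable."""
    r = {"changed": [], "added": [], "removed": [], "new_setid": [], "new_hidden_dirs": []}
    of, nf = old["files"], new["files"]
    for path in sorted(set(of) | set(nf)):
        if path not in nf:
            r["removed"].append(path)
        elif path not in of:
            r["added"].append(path)
            if is_setid(nf[path]["mode"]):
                r["new_setid"].append(path)
        else:
            diffs = [k for k in FIELDS if of[path][k] != nf[path][k]]
            if diffs:
                r["changed"].append((path, diffs))
            if is_setid(nf[path]["mode"]) and not is_setid(of[path]["mode"]):
                r["new_setid"].append(path)  # existing file newly made set-id
    r["new_hidden_dirs"] = sorted(set(new["hidden_dirs"]) - set(old["hidden_dirs"]))
    return r


def demo():
    """Constructed tree: take a baseline, then mimic what an intruder leaves behind."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("bin/ls", b"original ls")
    put("etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
    put("etc/aliases", b"postmaster: root\n")
    before = baseline(root)
    put("bin/ls", b"trojaned ls")  # replaced binary, same size as the original
    put("etc/passwd", b"root:x:0:0::/root:/bin/sh\nbackup2:x:0:0::/root:/bin/sh\n")
    put("tmp/.cache/.bd", b"dropped tool")  # new hidden directory with a file
    os.remove(os.path.join(root, "etc/aliases"))  # removed file
    after = baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

The baseline is only worth what its storage is worth: take it from known-good media before an incident, keep it and the checker off the host or signed, and compare from a clean boot, since a root-level intruder can rewrite both. Tripwire and AIDE apply the same idea with signed databases. In the demo the trojaned `bin/ls` has exactly the size of the original, which is why the comparison hashes content instead of trusting size or timestamps.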

Page 11: Resume Service

• Patch and repair damage, enable further monitoring, resume

• Quick scan and cleanup, resume

• Call in law enforcement -- delay resumption

• Do nothing -- use corrupted system

Page 12: Dealing with Consequences

• Was sensitive information disclosed?

• Who do you need to notify formally?

• Who do you need to notify informally?

• What disciplinary action is needed?

Page 13: Moving Forward

• What vendor contacts do we need to make?

• What other system administrators should be notified?

• What updated employee training is needed?

Page 14: Netwar

• Individual: affect key decision-maker
– Ems telegram
– Gulf war marines

• Corporate: affect environment of decision
– Zapatista peso collapse
– Vietnam protests
– Intifada / Cyber-Intifada?

• Strategic: combination of all previous

Page 15: Example: Zapatista Cyberstrike

• Mid-1990s rebellion in Mexico

• Military situation strongly favored Mexican Army

• Agents of influence circulated rumors of Peso instability

• Peso crash forced government to negotiating table

• Compounded by intrusions into Mexican logistics

Page 16: Building Understanding

(diagram of paired factors)
• Internet Behavior
• Intrusions/Responses
• Threats/Counters
• Vulnerabilities/Fixes
• Operators/Groups
• Victims
• Stimuli/Motives
• Opportunities

Page 17: Analysis Process

Incident Information Flow (diagram):
• Identify Profiles and Categories
• Isolate Variables
• Identify Data Sources
• Establish Relevancy
• Identify Gaps

Page 18: Limits of Analysis

• Inherently partial data

• Baseline in dynamic environment

• Correlation vs. causation

• Implications
– Need to be cautious in kinds of conclusions
– Consider strategies for dealing with trends gone wrong

Page 19: Physical and Cyber Attacks

Country in which there are precipitous cliffs with torrents running between, deep natural hollows, confined places, tangled thickets, quagmires and crevasses, should be left with all possible speed and not approached.

- Sun Tzu

Page 20: Underlying Principles

Separation of physical and cyber security no longer possible

Physical events can have cyber consequences

Cyber events can have physical consequences

Understanding the cyber environment is now an essential element of developing and maintaining situational control

The nature of cyberspace means that the old “fortress” mentality is no longer viable

Page 21: Security Policies

• Does the organization have physical and cyber security policies?

• Have they been reviewed with respect to each other?

• Are the parties responsible for these policies in contact?

• What are the enforcement methods?

Page 22: Specific Policy Areas of Concern

• Hiring and firing

• Outsourcing contracts

• Visitors

• Customers/sponsors

• Special events

Page 23: Facility Controls

• Are the physical security plans for the facility documented and tested?

• To what degree is the physical security dependent on computers and information networks?

• Policies and procedures for visitors?

• Do new or renovated facilities have computer-controlled elevators, escalators, security systems, or fire doors?

• Are these systems isolated or are they connected via the Internet to an external security provider?

Page 24: Physical Protection of Information Resources

How is physical access to remote nodes controlled?

What precautions are taken to minimize access to servers, cabling, routers, etc.?

What access controls are in place?

How are the access controls updated and managed?

How are system components physically safeguarded?

Are audit and monitoring records routinely examined for anomalies and necessary corrective actions? By whom?

Page 25: Network Security

What does the network look like?

What is the connectivity between networks?

Can the network be accessed from the outside?

What encryption protocols (if any) are in use on the network?

Page 26: Network Concerns

Is redundancy built into the network?

Are all necessary security patches in place?

How often are security patch requirements reviewed?

Are there external nodes on the network, and if so, are any of them wireless?

Is the network administered on-site or at a remote facility?

Page 27: Information Protection of Physical Resources

• What information regarding the facility is available on the network?

• Is there information about guests, employees, critical functions available? (scheduling, credentialing, etc.)

• What access controls are in place for this information? (technology, procedure)

• Is sensitive or critical information protected by secure, offsite storage and backups?

• Is the integrity of installed software and data verified regularly? How?

• Are all changes to IT hardware and software planned, controlled, and documented?

• Is unique user identification required for all information system users, including third-party users?

Page 28: Example Impacts

• Interruption of emergency services
– 911 service off line
– Disruption of hospital networks
– Potential loss of life

• Interruption of power grid
– Disruption of services dependent on power
  • Hospitals
  • Hazardous material facilities
  • Secure facilities
– Traffic control in chaos
– Potential financial loss enormous

Page 29: Cascade Impacts

• Interruption of telecommunications
– Impact on all levels of communications
– Severe impact on financial services
– Loss of communications with public impacts confidence in government
– Potentially serious impact on military logistics (over 90 percent of all logistics over private infrastructure)

• Interruption of transportation
– Disruption of commerce
– Foodstuffs and fuel deliveries interrupted
– Potential hazardous material compromises
– Direct impact on population

Page 30: Summary

• Incidents are not proof of bad administration

• Lots of effort involved in handling incidents

• Need proactive, strategic planning to reduce costs and improve handling

Page 31: Closing Quote

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

Sun Tzu