Responding to Computer Attacks
Presenter Name
Job Title
Company
Session Prerequisites
Basic knowledge of computer security incidents
Basic knowledge of security incident response
Basic knowledge of Windows networking
Level 200
What this session is… and what it is not
It is:
A chance for you to see and understand the methodology and process required for effective incident response
An opportunity to see some of the tools and processes that help you identify attacks
It is not:
A “forensics investigation” class
The definitive guide for all things IR/IH
…we simply want to show you how to plan and react to things if you think you may have been “Øwn3d”
“Øwn3D!!!” demo
The Demo Disclaimer…
No, I will not give you those tools and they are not on the DVD. It does not matter what you do for a living or who you work for.
If you don’t ask, I don’t have to say no.
…this demonstration was only meant to “wake everyone up” and to show you what an incident could look like.
Remember, SQL Injection is the result of improper form validation… and can lead to bad things.
Agenda
Introduction
The Incident Response Lifecycle
Forming your Incident Response Team
Summary
First things first, what is an “incident”?
An incident is an adverse event (or threat of an adverse event) in a computer system
Adverse events include the following general categories:
Compromise of Confidentiality
Compromise of Integrity
Denial of Resources
Intrusions
Misuse
Damage
Hoaxes
The components of an incident
Howard, John D. “A Common Language for Computer Security Incidents” 1998. http://www.cert.org/research/taxonomy_988667.pdf
Who are these “31337 H4xØrz”?
Not all are as elite as you (or they) may think…
…but first and foremost, they’re just criminals.
[Chart of threat actors plotted by threat against capability:]
Script Kiddies
Real Hackers
“Hacktivists”
Terrorists
Competitors (Foreign & Domestic)
Organized Hacker groups
Foreign Intelligence
CyberWar
Organized Crime
So what is “Incident Handling”?
Incident Handling - Actions taken to protect and restore the normal operating condition of computers and the information stored in them when an adverse event occurs.
Incentives for efficient incident handling:
Economic
Protecting Proprietary / Classified / Sensitive Information
Operational / Business Continuity
Public Relations
Legal / Regulatory Compliance
Safety
“Failing to Plan is Planning to Fail!”
So how do we do that? You have in place an IR/IH methodology
Why should we bother using an incident handling methodology?
Provides structure and organization
Improves efficiency
Facilitates understanding the process of responding
Helps in dealing with the unexpected
Incident Handling Methodology
Incident Response Lifecycle
The incident response lifecycle consists of six stages:
1. Prepare
2. Detect
3. Contain
4. Eradicate
5. Recover
6. Follow-Up
* PANIC is not one of the stages.
Step 1 - Prepare
Your direction:
Develop an incident response policy
Create procedures for dealing with incidents as efficiently as possible
Ensure that a suitable management infrastructure is in place
Implement a reasonable set of defenses for systems that are to be used in responding to incidents
Solving “Now What?!?”: Your written Incident Response policy
The anchor of an entire incident response effort
A suitable incident response policy should address/include:
Scope, purpose and objectives
A definition of what counts as a “security-related” incident
Acceptable risk limits, evaluation criteria, reporting requirements, etc.
Roles, responsibilities and authority
Remember…
Good planning will help you mitigate the situation.
You are not the first person this has ever happened to.
Panic is worthless and contagious.
Where are you in your process?
Step 2 - Detect
Determine if an incident occurred: determine what the problem is and assess its magnitude
Major sources of information:
Log files and syslog output
Wrapper tools (e.g., TCP wrapper)
Personal firewalls (e.g., BlackIce Defender)
Firewall logs
Intrusion detection systems (IDS) and prevention systems (IPS)
Analyze all anomalies
[Cartoon: “Wow! Kai was right… this new Britney Spears album kicks!” “Holy Cow! Is that our IDS?” “No problem. We got Matt on this. He’s on our CERT. If it’s a real intrusion… he’ll catch it.”]
Understanding the dreaded IP Header
[IPv4 header layout, one 32-bit word per row:]
Version | Header Length | TOS | Total Length
Identification | Flags | Fragment Offset
TTL | Protocol | Header Checksum
Source IP Address
Destination IP Address
Options
Data
What should I be looking for?
Are any IP header fields suspect?
Is the source IP address suspect?
Is odd fragmentation occurring?
Does the size of the packet raise concerns?
Are any TCP header fields suspect?
Is the destination port a valid service?
Does the traffic follow RFC standards?
What are the timestamps of the traffic?
Mandia, Kevin and Chris Prosise. “Incident Response: Fighting Computer Crime”. 2001. Osborne/McGraw Hill.
Developing an Audit Policy
As with all security policy, proper design of audit policy requires a threat analysis
Audit mitigates some threats with non-repudiation
Audit has real costs:
Storage (disk)
Collection (network)
Analysis (machine and human)
Sometimes additional audit categories are desirable for correlation:
Process Tracking (except on batch/CGI servers)
Account Logon
Audit Policy is iterative: Test & Refine
Some Logon/Logoff Event IDs
528 - Successful Logon
529 - Logon Failure: Unknown user name or bad password
530 - Logon Failure: Account logon time restriction violation
531 - Logon Failure: Account currently disabled
532 - Logon Failure: The specified user account has expired
533 - Logon Failure: User not allowed to logon at this computer
534 - Logon Failure: User not granted requested logon type at this machine
535 - Logon Failure: The specified account’s password has expired
539 - Logon Failure: Account locked out
540 - Successful Network Logon (Win2000, XP, 2003 Only)
Important Event IDs on your Domain Controller
675 – Failed logon from workstation, usually a bad password
676/672 – Other AuthN failure
681/680 – Failed logon with a domain account
642 – Reset PW or Disabled account was re-enabled
632/636/660 – User was added to a group
624 – New user account created
644 – Account lockout after repeated logon failures
517 – User cleared the logs
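Detection logic over the event IDs on the two slides above (Logon/Logoff and Domain Controller), as an added example that is not the session's own tooling: it flags a run of failures followed by a success, a run of failures that never succeeds, a new account that is immediately added to a group, and the security log being cleared. The CSV layout of the sample log is a constructed assumption, so the parser would need adapting to a real export.

```python
"""Triage of the Windows security-log event IDs listed on the slides.

Added example, not the session's own tooling. Input is a constructed
CSV export (timestamp,event_id,user,workstation); real exports differ
per tool, so parse_events is an assumption to adapt.
"""
from collections import Counter

# Event IDs from the "Logon/Logoff" and "Domain Controller" slides.
LOGON_SUCCESS = {528, 540}
LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 539, 672, 675, 676, 680, 681}
HIGH_SIGNAL = {
    517: "user cleared the security log",
    539: "account locked out",
    644: "account lockout after repeated logon failures",
    642: "password reset or disabled account re-enabled",
    624: "new user account created",
    632: "user added to a group",
    636: "user added to a group",
    660: "user added to a group",
}

# Constructed sample: a password-guessing run that gets in, a new account
# added straight to a group, the log being cleared, and a run that fails.
SAMPLE_LOG = """\
2005-03-01T09:00:01,528,alice,WS-01
2005-03-01T09:05:12,529,admin,WS-17
2005-03-01T09:05:13,529,admin,WS-17
2005-03-01T09:05:14,529,admin,WS-17
2005-03-01T09:05:20,540,admin,WS-17
2005-03-01T09:06:00,624,svc_backup2,WS-17
2005-03-01T09:06:05,632,svc_backup2,WS-17
2005-03-01T09:10:00,517,admin,WS-17
2005-03-01T09:11:00,530,bob,WS-02
2005-03-01T09:12:00,529,eve,WS-99
2005-03-01T09:12:01,529,eve,WS-99
2005-03-01T09:12:02,529,eve,WS-99
2005-03-01T09:12:03,529,eve,WS-99
"""


def parse_events(text):
    """Yield (timestamp, event_id, user, workstation) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, user, host = line.strip().split(",")
            yield ts, int(eid), user, host


def triage(text, failure_threshold=3):
    """Return findings as (timestamp, event_id, reason, user, workstation)."""
    findings = []
    failures = Counter()   # (user, workstation) -> failed logons so far
    succeeded = set()      # pairs that logged on after reaching the threshold
    new_accounts = set()   # accounts created within this log
    for ts, eid, user, host in parse_events(text):
        key = (user, host)
        if eid in LOGON_FAILURE:
            failures[key] += 1
        elif eid in LOGON_SUCCESS and failures[key] >= failure_threshold:
            succeeded.add(key)
            findings.append((ts, eid, f"successful logon after {failures[key]} failures", user, host))
        if eid in HIGH_SIGNAL:
            findings.append((ts, eid, HIGH_SIGNAL[eid], user, host))
        if eid == 624:
            new_accounts.add(user)
        elif eid in (632, 636, 660) and user in new_accounts:
            findings.append((ts, eid, "newly created account added to a group", user, host))
    # A guessing run that never got in still deserves a look.
    for (user, host), n in failures.items():
        if n >= failure_threshold and (user, host) not in succeeded:
            findings.append(("", 0, f"{n} logon failures without success", user, host))
    return findings
```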
Success/Failure Policy
Audit can be a denial-of-service (DoS)!
Success audit requires more attacker access & resources and can be constrained by quota
Failure audit can, in the worst case, allow anonymous remote users to consume resources
Success audit:
Provides a forensic or accounting record
Failure audit:
Provides evidence that security controls are working
Can be used for intrusion detection (if scenarios are clearly defined and analyst resources are allocated)
Can be difficult to analyze
Some failures are normal
Setting Audit Policy
When thinking about your policy, consider…
Audit is good at:
Tampering - changes to system executables & config
Change tracking to data files
Audit is not good at:
Recording reads to files (audit the directory instead, or audit a single critical file)
Explaining events from the user’s point of view (one click often causes multiple audits)
Copy protection (where the file went)
Beware of:
Oddly-behaved applications (winword.exe, explorer.exe)
Detecting the Incident
Reviewing a Network Trace
Reviewing security logs
Using some great tools
demo
Step 2 - Detect
Upon Identification:
Obtain full backup and copy any hacked files or bogus code for analysis
If it’s likely you’ve been “Øwn3d”:
Turn on or increase auditing
Set system clock correctly
Document! Document! Document!
Initiate notification process:
The IR Team
Your InfoSec contact
Your PR people
Your Legal team
Law Enforcement!!!!
Step 3 - Contain
To keep the incident from spreading
Important decisions need to be made during this stage:
Do we shut down?
Should we disconnect from the network?
Continue monitoring?
Set a trap?
Disable features?
Call in the Feds?
Step 4 - Eradicate
To eliminate the cause of the incident
Be sure to save copies of any malicious programs before deleting them
May require the use of eradication software
Clean/reformat disks (if appropriate)
Ensure that backups are clean
Continue to document all activities
Continue to keep your public relations and legal offices advised (if warranted)
Step 5 - Recover
Business Resumption:
Return to mission status
Follow procedures for system recovery
Send the “All Clear” message
Restore data
Change passwords
Continue to log all activities
For classified/sensitive/proprietary systems, require verification of data integrity
Step 6 – Follow Up
Make things better:
Review and integrate info
Most neglected stage of the process, and the most valuable.
Conduct Postmortem
Reevaluate procedures
Assess time and resources used, and financial damage
Prepare report(s)
Support prosecution activity (if applicable)
Technical Considerations
React Accordingly!!!
Some incidents occur on large servers with special complications:
They cannot be taken off-line, OR
They have so much storage that it cannot be successfully imaged (or have RAID, so an image will be technically infeasible)
The best option is still to perform some sort of backup, at least of the suspicious files and logs, then analyze them off-line
A tape backup will not include all the information, such as slack space data, but it may be the only alternative
Legal Considerations
Incident Response has legal implications
Documentation is a legal foundation. Do it thoroughly!
Keep good records
Know when to contact law enforcement
Some Best Practices for Incident Handling
Verify the incident, ruling out alternative explanations of what has happened
Follow written procedures during incidents
Ensure that you have backups very early during the course of an incident
Coordinate and consult with other technical experts
Keep management advised of the status of the incident and your efforts
Log all activities
Why form an incident response team?
Incidents are complex - experts are needed
Efficiency
Proactive element
Agency or corporate requirements
Liaison function
Authority to engage in activities that a normal organization doesn’t get
Considerations for your Incident Response Team
Executive Sponsorship
Without it, your team will die.
Keep the sponsor aware of the situation
Identify the Key Stakeholders
Not just the “IT guys”
Key reps from all the LOB owners
Choosing a Team Leader
Owns the CSIRT, not necessarily each incident response
Conducts team “post-mortems” to make policy update changes
Smith, Ben and Brian Komar. “Microsoft Windows Security Resource Kit v2.0”. 2005. Microsoft Press
Train your “A-Team”, Fool!
Mock Incident Response Exercises:
Allow validation of your procedures
“Practice makes perfect”
You can gauge the size and complexity of the process
Benefits increase if an external, objective observer helps identify issues
Mock Incident Handling Exercises:
Develop a variety of scenarios
Record critical data and evaluate
Conduct at regular intervals
Warning: carefully plan any mock incident handling exercises to avoid disruption of operational environments
CERT’s Virtual Training Environment (VTE)
FREE! Web-based training resource for the community
Nearly 200 hours of video-captured course lectures
Over 100 demonstrations of security techniques and tools
2,200 pages of written material
Searchable and sortable
CERT® also offers online training through VTE:
Introduction and Advanced Information Security
Forensics and Incident Response for Admins
Subscriptions to the 48 hands-on labs in our environment
Learn more about online courses through VTE: http://www.sei.cmu.edu/products/courses/courses.html#VTE
https://www.vte.cert.org
CERT’s Virtual Training Environment (VTE)
Classroom instruction
Hands On Labs
demo
Microsoft Has Resources to Help
Microsoft Security Response Center (MSRC)
Microsoft Security Advisories & Bulletins
Sign up to receive security update notifications via email, instant message, mobile devices or RSS
Download and deploy security updates (Microsoft Download Center, Windows Update)
Attend the monthly TechNet Security Bulletin Webcast
Review information and guidelines on the Microsoft TechNet Security site
Report security vulnerabilities through [email protected]
Check out the MSRC Blog at http://blogs.technet.com/msrc
Microsoft Security Resources
The Microsoft Security Response Center (MSRC) blog: http://blogs.technet.com/msrc/
Security Advisories: http://www.microsoft.com/technet/security/advisory/default.mspx
Security Bulletins: http://www.microsoft.com/technet/security/current.aspx
Security Notification Services (regular and comprehensive): http://www.microsoft.com/technet/security/bulletin/notify.mspx
Monthly Security Bulletin webcast: http://www.microsoft.com/technet/security/bulletin/summary.mspx
Contact Microsoft PSS Security: 1-866-PCSAFETY
Additional Microsoft Resources
Windows Security Logging and Other Esoterica: http://blogs.msdn.com/ericfitz/
The Security Monitoring and Attack Detection Planning Guide: http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx
Microsoft Windows Security Resource Kit v2.0
ISBN: 0735621748
3rd Party Resources!
Computer Emergency Response Team (CERT): http://www.cert.org/tech_tips/incident_reporting.htm
National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Forum of Incident Response and Security Teams: http://www.first.org
SysInternals (Freeware utils AutoRuns, PSList, etc.): http://www.sysinternals.com
“Incident Response: Investigating Computer Crime” ISBN: 007222696X
Session Summary
There are bad people out there.
You can properly protect, identify, and resolve network incidents.
Remember, defense-in-depth.
Planning now is critical! …so is auditing… but I’m sure everyone is already doing that, right?
Questions and Answers