CSC 482/582: Computer Security
Incident Response
Northern Kentucky University

Incident Response
- What is an Incident?
- Phases of Incident Response
  - Preparation
  - Identification
  - Containment
  - Damage Assessment
  - Preserve Evidence
  - Eradication
  - Recovery
  - Follow-up

What is an Incident?
- Violation of security policy
- Unauthorized access to information
- Unauthorized access to machines
- Embezzlement
- Virus or worm attack
- Denial of service attacks
- Email spam or harassment

Detecting an Incident
- Catching the perpetrator in the act
- Unauthorized logins, NIDS alerts
- Noticing unauthorized changes in the system
- Receiving a message from another site saying that your site was used to launch an attack on them
- Strange activity on the system: crashes, random reboots, slow performance

Incident Response
Restoring the system to a state that satisfies the site security policy. Phases:
- Preparation for attack (before an attack is detected)
- Identification of attack
- Containment of attack (confinement)
- Damage assessment
- Preserve evidence (if necessary)
- Eradication of attack (stop the attack)
- Recovery from attack (restore the system to a secure state)
- Follow-up to attack (analysis and other actions)

Preparation
- Configure intrusion detection systems
- Determine your response goals
- Document incident response procedures
  - Who to contact?
  - What to do?
- Organize a CSIRT
  - Finding and training personnel
  - Hardware/software necessary for investigation

Incident Response Goals
- Determine whether a security breach occurred
- Contain the intrusion to prevent further damage
- Recover systems and data
- Prevent future intrusions of the same kind
- Investigate and/or prosecute the intrusion
- Prevent public knowledge of the incident (note that this goal can conflict with the others: breach-notification laws or contracts may require disclosure)

Identification
- Who/what reported the incident
- Date and time of the incident
- Nature of the intrusion
  - What level of unauthorized access was attained?
  - Is it known to the public?
- Hardware/software involved
  - How critical are the affected systems?
- Assemble the CSIRT
  - Team membership may vary based on the nature of the incident

Containment
- Limit the attacker's access to system resources
- The containment method depends on the criticality of the systems and the extent of the intrusion:
  - Monitoring the intruder
  - Reducing the intruder's access
  - Deception
  - De-activating the affected account (need to kill the attacker's active processes and sessions too; locking the account does not end them)
  - Blocking access to the system via firewall
  - Pulling the network/phone cable
  - Powering down the system (loses volatile evidence: memory, running processes, open connections)

Monitoring
- Records the attacker's actions; does not interfere with the attack
- The idea is to find out what the attacker is after and/or the methods the attacker is using
- Problem: the attacked system remains vulnerable throughout
  - The attacker can also use it to attack other systems
- Example: the attacker's operating system can be derived from the TCP and IP header settings of incoming connections (passive OS fingerprinting)
  - The analyst draws conclusions about the source of the attack

Reducing Access
- Reduce the attacker's protection domain (what the attacker can reach)
- Problem: if defenders do not know what the attacker is after, the reduced protection domain may still contain it
- Example: Stoll (The Cuckoo's Egg) created a document that the attacker downloaded; the download took several hours, during which the phone call was traced to Germany

Deception
- Honeypot: a system designed for intruders to attack, to waste their time and to allow safe monitoring
  - Examples: The Honeynet Project, honeyd
- Deception Tool Kit
  - Creates a false network interface
  - Can present any network configuration to attackers
  - When probed, can return a wide range of (fake) vulnerabilities
- The attacker wastes time attacking non-existent systems while the analyst collects and analyzes the attacks to determine the attacker's goals and abilities
- Experiments show deception is an effective response for keeping attackers from targeting real systems

Honeynet Project
- Tool development
  - Environment simulation: virtual machines
  - Data control: firewalling tools to limit attacker activity so other systems are not damaged
  - Data collection: network and keystroke loggers
  - Data analysis: tools to extract relevant data from tcpdump logs and more
- Research and documentation
  - Analysis of attacker and honeypot techniques
  - Analysis of particular attacks

Damage Assessment: Data
- System date and time when the assessment began
- List of users currently logged in
- Time/date stamps for the filesystem
- List of processes
- List of open network sockets
- Associated applications
- Associated systems
- System configuration files
- Log and accounting files
- System date and time when the assessment completed

Data Assessment: Procedure
- Use trusted binaries from floppy/CD-ROM
- Use a trusted shell
- Set PATH to use only the floppy/CD-ROM tools
- System date and time:
    > date
    Mon Apr 26 13:33:08 EDT 2004
- List of current users:
    > w
     1:33pm  up 30 day(s),  3:34,  3 users,  load avg: 0.26
    User     tty        login@   idle   JCPU   PCPU  what
    root     console    9:21am   4:13                -sh
    wald     pts/14     15Apr04  3:25   66:24  63:06 -bash
    root     pts/20     9:21am   4:12                -sh
    novi     pts/6      Sat 4pm  17     52           -bash

Data Assessment: Procedure
- File date/time stamps (collect atime first: every later read of a file by another tool updates its atime):
    ls -alRu / > /mnt/floppy/atime
    ls -alRc / > /mnt/floppy/ctime
    ls -alR  / > /mnt/floppy/mtime
- Network ports:
    > netstat -anp
    Active Internet connections (servers and established)
    Proto Local Address      Foreign Address    State        PID/Program
    tcp   :::22              :::*               LISTEN       26327/sshd
    tcp   10.17.0.110:22     10.1.0.90:51327    ESTABLISHED  28644/sshd:
    tcp   127.0.0.1:25       0.0.0.0:*          LISTEN       1840/sendmail
    udp   0.0.0.0:32768      0.0.0.0:*                       1456/rpc.statd
    udp   0.0.0.0:68         0.0.0.0:*                       1363/dhclient
    udp   0.0.0.0:111        0.0.0.0:*                       1436/portmap

Data Assessment: Procedure
- Running processes:
    > ps aux
    USER      PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
    root        1  0.0  0.0 1928  520 ?     S    Apr17 0:04 init [5]
    root     1403  0.0  0.0 2128  580 ?     S    Apr17 0:01 syslogd -m 0
    rpc      1436  0.0  0.0 2516  576 ?     S    Apr17 0:00 portmap
    rpcuser  1456  0.0  0.0 2916  832 ?     S    Apr17 0:00 rpc.statd
    smmsp    1849  0.0  0.2 7324 2520 ?     S    Apr17 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
    root     1970  0.0  0.0 2992  348 tty3  S    Apr17 0:00 /sbin/mingetty tty3
    root    26327  0.0  0.1 4728 1504 ?     S    Apr21 0:00 /usr/sbin/sshd
    waldenj 28646  0.0  0.2 8548 2560 ?     S    11:12 0:00 sshd: waldenj@pts/7
    waldenj 28647  0.0  0.1 6800 1500 pts/7 S    11:12 0:00 -bash
    root    28767  0.0  0.1 6572 1356 pts/7 S    13:44 0:00 bash
    root    28789  0.0  0.0 3624  876 pts/7 R    13:49 0:00 ps aux

Data Assessment: Procedure
- Collect system configuration
  - Check for sniffers: ifconfig (look for the PROMISC flag on an interface)
  - /etc/passwd, /etc/shadow, /etc/group
  - Scheduled jobs: cron and at
  - System init files: /etc/inittab, /etc/rc.d
- Collect system log files
  - Login logs in /etc/utmp, /etc/wtmp (on Linux: /var/run/utmp, /var/log/wtmp)
  - Check /etc/syslog.conf to find where logs are written
  - Log files in /var/adm, /var/log
  - Process accounting files in /var/acct
  - Shell history files, e.g., ~/.bash_history
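The volatile-data procedure of the last few slides as one script, an added example that is not part of the lecture. It pins PATH to the trusted toolkit, records the clock before and after, collects in the order the slides give (atimes before anything else reads files), writes to a separate medium and hashes every capture so later analysis can show nothing was altered. The promisc_ifaces helper, the numbered output file names, the fallbacks (ss for netstat, ip link for ifconfig) and the /mnt/cdrom and /mnt/usb paths in the usage are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the slides).  Volatile-data collection for damage
# assessment.  Assumptions: $1 is the PATH of a read-only trusted toolkit
# (date, w, ls, ps, netstat or ss, ifconfig or ip, awk, sha256sum, mkdir),
# $2 is a writable directory on separate, non-evidence media, $3 the root to
# timestamp (default /).

# Print interface names whose flags contain PROMISC (a likely sniffer).
# Understands "ip link", new ifconfig ("eth0: flags=...<...PROMISC...>")
# and old ifconfig (flags on an indented line below the interface name).
promisc_ifaces() {
    awk '
        /^[0-9]+: /                                 { name = $2; sub(/[:@].*/, "", name) }
        /^[A-Za-z0-9_.-]+:? / && $0 !~ /^[0-9]+: /  { name = $1; sub(/:$/, "", name) }
        /PROMISC/                                   { print name }
    '
}

# collect_volatile TRUSTED_PATH OUT_DIR [ROOT]
# Body is a subshell so the PATH pin does not leak into the caller.
collect_volatile() (
    trusted=$1; out=$2; root=${3:-/}
    PATH=$trusted; export PATH        # never execute the suspect host's binaries
    mkdir -p "$out" || exit 1

    date > "$out/00-start.txt"                                   # clock at start
    if command -v w >/dev/null 2>&1; then w > "$out/01-users.txt" 2>&1 || true; fi
    # atime first: any tool that reads a file afterwards changes its atime
    ls -alRu "$root" > "$out/02-atime.txt" 2>/dev/null || true
    ls -alRc "$root" > "$out/03-ctime.txt" 2>/dev/null || true
    ls -alR  "$root" > "$out/04-mtime.txt" 2>/dev/null || true
    if command -v netstat >/dev/null 2>&1; then
        netstat -anp > "$out/05-sockets.txt" 2>&1 || true
    elif command -v ss >/dev/null 2>&1; then
        ss -anp > "$out/05-sockets.txt" 2>&1 || true
    fi
    if command -v ps >/dev/null 2>&1; then ps aux > "$out/06-procs.txt" 2>&1 || true; fi
    if command -v ifconfig >/dev/null 2>&1; then
        ifconfig -a > "$out/07-ifaces.txt" 2>&1 || true
    elif command -v ip >/dev/null 2>&1; then
        ip link > "$out/07-ifaces.txt" 2>&1 || true
    fi
    [ -f "$out/07-ifaces.txt" ] && promisc_ifaces < "$out/07-ifaces.txt" > "$out/08-promisc.txt"
    date > "$out/09-end.txt"                                     # clock at end

    # Hash every capture so a later analyst can prove the files are unchanged.
    (cd "$out" && sha256sum [0-9]*.txt) > "$out/manifest.sha256"
)

# verify_manifest OUT_DIR: exit 0 only if every capture still matches the manifest.
verify_manifest() (
    cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1
)

# Usage on a suspect host (toolkit mounted read-only, output to removable media):
#   collect_volatile /mnt/cdrom/bin /mnt/usb/case-2004-04-26 /
#   verify_manifest /mnt/usb/case-2004-04-26 && echo "captures intact"
```

The manifest is what makes the captures usable later: a copy whose hashes no longer match the manifest written on the day has been altered and cannot be relied on, which is the same reasoning the next slide applies to a disk image.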

Preserve Evidence
- In-depth live system investigation
- Construct a bit-level copy of the entire hard disk or partition for forensic examination
- Create the image in single-user mode (better still, boot from trusted media so nothing on the suspect disk is executing):
    md5sum /dev/hda
    dd if=/dev/hda conv=noerror,sync | ssh desthost "cat > disk.img"
    desthost> md5sum disk.img
- The two hashes match only if every block was readable: conv=noerror,sync replaces unreadable blocks with zeros, so a mismatch together with read errors in dd's output is expected, not a sign of tampering (keep that output with the image)
- MD5 is what the slide uses; today record SHA-256 as well
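The slide's hash, image, hash sequence as a function, an added example that is not part of the lecture. It hashes the source before and after imaging (to show the disk did not change under the investigator), hashes the image, and distinguishes the three ways the hashes can disagree. The exit codes, the .hashes/.sha256/.dd.log side files, the image_device_remote variant and the /mnt/usb paths in the usage are this example's own conventions; SHA-256 stands in for the slide's MD5.

```shell
#!/bin/sh
# Added example, not from the slides: bit-level imaging with the checks the
# slide's md5sum / dd / md5sum sequence implies.  Assumes $1 is the device
# to image (for a rehearsal any regular file works) and $2 the image path on
# a separate volume; sha256sum, dd, awk come from the trusted toolkit on PATH.

# SHA-256 of a device or file (read via stdin so both work the same way).
hash_of() { sha256sum < "$1" | awk '{ print $1 }'; }

# image_device SRC IMG [BS]
# Exit status: 0  image hash == source hash before and after imaging
#              2  dd logged read errors: noerror,sync zero-filled those blocks,
#                 so the image hash legitimately differs (keep IMG.dd.log)
#              3  source hash changed while imaging (disk was not quiescent)
#              1  image differs for another reason, e.g. a source whose size is
#                 not a multiple of BS, which conv=sync pads with zeros
image_device() {
    src=$1; img=$2; bs=${3:-4096}
    pre=$(hash_of "$src")
    # noerror: continue past unreadable blocks; sync: pad each short read to
    # $bs so every byte of the image sits at the same offset as on the source.
    # dd's exit status is not the evidence; its stderr log is, so keep it.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2> "$img.dd.log" || true
    post=$(hash_of "$src")
    imgh=$(hash_of "$img")
    # Record what was hashed, when and by whom: the chain of custody starts here.
    {
        printf '%s  source-before  %s\n' "$pre"  "$src"
        printf '%s  source-after   %s\n' "$post" "$src"
        printf '%s  image          %s\n' "$imgh" "$img"
        printf 'hashed by %s on %s\n' "$(id -un)" "$(date)"
    } > "$img.hashes"
    # sha256sum -c format, so "sha256sum -c IMG.sha256" re-verifies the image later.
    printf '%s  %s\n' "$imgh" "$(basename "$img")" > "$img.sha256"

    [ "$pre" = "$post" ] || return 3
    [ "$pre" = "$imgh" ] && return 0
    grep -qi 'error' "$img.dd.log" && return 2
    return 1
}

# image_device_remote SRC HOST IMG LOG: the slide's variant, streaming the image
# over ssh to a collection host and hashing it there.  LOG must be on removable
# media, never on the suspect disk.  (Not exercised offline.)
image_device_remote() {
    src=$1; host=$2; img=$3; log=$4
    pre=$(hash_of "$src")
    dd if="$src" bs=4096 conv=noerror,sync 2> "$log" | ssh "$host" "cat > '$img'"
    remote=$(ssh "$host" "sha256sum < '$img'" | awk '{ print $1 }')
    [ "$pre" = "$remote" ]
}

# Usage (single-user mode or booted from trusted media):
#   image_device /dev/hda /mnt/usb/hda.img; echo "status $?"
#   image_device_remote /dev/hda desthost disk.img /mnt/usb/dd.log
```

A real disk is a multiple of its sector size, so with the default block size the padding case only shows up when rehearsing on a file; status 3 is the one to watch for on a live machine, since it means the disk was still being written to and the image is not a faithful copy of any single moment.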

Eradication
Options:
- Do nothing
- Kill the attacker's processes and/or accounts
- Block the attacker's network access to the system
- Patch and repair what you think was changed, then resume operation
- Investigate until the root cause is discovered, then restore the system from backups and patch the security holes
- Call law enforcement before proceeding further

Follow-Up
- File reports with law enforcement, vendor, or regulatory agency
- File insurance claims if relevant
- Notify administrators of other affected systems
- Disciplinary actions against employees for internal attacks
- Update security of computer networks/systems
- Review handling of the incident
- Update incident handling policy/training

Counterattacking
- Use legal procedures
  - Collect a chain of evidence so legal authorities can establish that the attack was real
  - Check with lawyers for this
  - Rules of evidence are very specific and detailed; if you don't follow them, expect the case to be dropped
- Technical attack
  - Goal is to damage the attacker seriously enough to stop the current attack and deter future attacks

Consequences
- Counterattack may harm an innocent party
  - The attacker may have broken into the apparent source of the attack, or may be impersonating (spoofing) the innocent party
- Counterattack may have side effects
  - If the counterattack is flooding, it may block legitimate use of the network
- Counterattack is antithetical to shared use of the network
  - Counterattack absorbs network resources and makes threats more immediate
- Counterattack may be legally actionable

Example: Counterworm
- Counterworm is given the signature of a worm
- Counterworm spreads rapidly, deleting all occurrences of the original worm
  - Example: Welchia/Nachi hunts the Blaster and MyDoom worms
- Issues
  - How can the counterworm be set up to delete only the targeted worm?
  - What if the infected system is gathering worms for research?
  - How do the originators of the counterworm know it will not cause problems for any system? (Welchia's own scanning traffic disrupted networks it spread through.) And are they legally liable if it does?

Key Points
- Security incidents come in many forms
- Prepare for an incident before one occurs
  - Understand your response goals
- Don't trust the affected system in any way
- Know your available data sources and their uses
  - Save data offline for later analysis
- Legal issues of counterattacks
- Phases of Incident Response: Preparation, Identification, Containment, Damage Assessment, Preserve Evidence, Eradication, Recovery, Follow-up

References
- Brownlee, N. and Guttman, E., "RFC 2350 - Expectations for Computer Security Incident Response," http://www.faqs.org/rfcs/rfc2350.html, 1998
- CERT, "Computer Security Incident Response Team (CSIRT) FAQ," http://www.cert.org/csirts/csirt_faq.html
- Cheswick, William, Bellovin, Steven, and Rubin, Aviel, Firewalls and Internet Security, 2nd edition, Addison-Wesley, 2003
- Fraser (ed.), "RFC 2196 - Site Security Handbook," http://www.faqs.org/rfcs/rfc2196.html, 1997
- Garfinkel, Simson, Spafford, Gene, and Schwartz, Alan, Practical UNIX and Internet Security, 3rd edition, O'Reilly & Associates, 2003
- Mandia, Kevin, Prosise, Chris, and Pepe, Matt, Incident Response & Computer Forensics, 2nd edition, McGraw-Hill, 2003