Cit 380 securing computer systems
This presentation is the property of its rightful owner.
Sponsored Links
1 / 31

CIT 380: Securing Computer Systems PowerPoint PPT Presentation


  • 107 Views
  • Uploaded on
  • Presentation posted in: General

CIT 380: Securing Computer Systems. Incident Response. Incident Response. What is an Incident? Phases of Incident Response Preparation Identification Containment Damage Assessment Preserve Evidence Eradication Recovery Follow-up. What is an Incident?. Violation of security policy:

Download Presentation

CIT 380: Securing Computer Systems

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Cit 380 securing computer systems

CIT 380: Securing Computer Systems

Incident Response

CIT 380: Securing Computer Systems


Incident response

Incident Response

What is an Incident?

Phases of Incident Response

  • Preparation

  • Identification

  • Containment

  • Damage Assessment

  • Preserve Evidence

  • Eradication

  • Recovery

  • Follow-up

CIT 380: Securing Computer Systems


What is an incident

What is an Incident?

Violation of security policy:

  • Unauthorized access of information

  • Unauthorized access to machines

  • Embezzlement

  • Virus or worm attack

  • Denial of service attacks

  • Email spam or harassment

CIT 380: Securing Computer Systems


Detecting an incident

Detecting an Incident

  • Catching perpetrator in the act

    • Unauthorized logins, NIDS alerts.

  • Noticing unauthorized system changes.

  • Receiving a message from another site, saying that your site was used to launch an attack on them.

  • Strange activities on system:

    • crashes, random reboots, slow performance.

CIT 380: Securing Computer Systems


Incident response1

Incident Response

Restoring system to satisfy site security policy

Phases:

  • Preparation for attack (before attack detected)

  • Identification of attack

  • Containment of attack (confinement)

  • Damage assessment

  • Preserve evidence (if necessary)

  • Eradication of attack (stop attack)

  • Recovery from attack (restore system to secure state)

  • Follow-up to attack (analysis and other actions)

CIT 380: Securing Computer Systems


Preparation

Preparation

  • Configure intrusion detection systems.

  • Determine your response goals.

  • Document incident response procedures.

    • Who to contact?

    • What to do?

  • Organizing a CSIRT

    • Finding and training personnel.

    • Hardware/software necessary for investigation.

CIT 380: Securing Computer Systems


Incident response goals

Incident Response Goals

  • Determine if a security breach occurred.

  • Contain intrusion to prevent further damage.

  • Recover systems and data.

  • Prevent future intrusions of same kind.

  • Investigate and/or prosecute intrusion.

  • Prevent public knowledge of incident.

CIT 380: Securing Computer Systems


Identification

Identification

  • Who/what reported incident.

  • Date and time of the incident.

  • Nature of the intrusion.

    • What level of unauthorized access was attained?

    • Is it known to the public?

  • Hardware/software involved

    • How critical are the affected systems?

  • Assemble CSIRT

    • Team membership may vary based on nature of incident

CIT 380: Securing Computer Systems


Containment

Containment

Limit access of attacker to system resources.

Containment method depends on criticality of systems and extent of intrusion.

  • Monitoring intruder

  • Reducing intruder’s access

  • Deception

  • De-activating the affected account

    • Need to kill active processes too

  • Blocking access to system via firewall

  • Pulling network/phone cable

  • Powering down system

CIT 380: Securing Computer Systems


Monitoring

Monitoring

  • Records attacker’s actions; does not interfere with attack:

    • Idea is to find out what the attacker is after and/or methods the attacker is using.

  • Problem: attacked system is vulnerable throughout

    • Attacker can also attack other systems.

  • Example: type of OS can be derived from settings of TCP and IP packets of incoming connections

    • Analyst draws conclusions about source of attack.

CIT 380: Securing Computer Systems


Reducing access

Reducing Access

  • Reduce protection domain of attacker.

  • Problem: if defenders do not know what attacker is after, reduced protection domain may contain what the attacker is after.

    • Stoll created document that attacker d/led.

    • Download took several hours, during which the phone call was traced to Germany.

CIT 380: Securing Computer Systems


Deception

Deception

Honeypot: system designed for intruders to attack, to waste their time and to allow safe monitoring

  • ex: The Honeynet Project, honeyd

    Deception Tool Kit

  • Creates false network interface.

  • Can present any network configuration to attackers.

  • When probed, can return wide range of vulnerabilities.

  • Attacker wastes time attacking non-existent systems while analyst collects and analyzes attacks to determine goals and abilities of attacker.

CIT 380: Securing Computer Systems


Deception1

Deception

  • Experiments show deception is effective response to keep attackers from targeting real systems.

CIT 380: Securing Computer Systems


Honeynet project

Honeynet Project

Tool development

  • Environment simulation: virtual machines.

  • Data control: firewalling tools to limit attacker activities to avoid damaging other systems.

  • Data collection: network and keystroke loggers.

  • Data analysis: tools to extract relevant data from tcpdump logs and more.

    Research and documentation

  • Analysis of attacker and honeypot techniques.

  • Analysis of particular attacks.

CIT 380: Securing Computer Systems


Damage assessment data

Damage Assessment: Data

  • System date and time when assessment began.

  • List of users currently logged in.

  • Time/date stamps for filesystem.

  • List of processes

  • List of open network sockets

    • Associated applications

    • Associated systems

CIT 380: Securing Computer Systems


Damage assessment data1

Damage Assessment: Data

  • System configuration files.

  • Log and accounting files.

  • System date and time when assessment complete.

CIT 380: Securing Computer Systems


Data assessment procedure

Data Assessment: Procedure

Use trusted binaries from floppy/CDROM

  • Use a trusted shell.

  • Set PATH to only use floppy/CDROM tools.

    System date and time:

    > date

    Mon Apr 26 13:33:08 EDT 2004

    List of current users

    > w

    1:33pm up 30 day(s), 3:34, 3 users, load avg:0.26

    User tty login@ idle JCPU PCPU what

    root console 9:21am 4:13 -sh

    wald pts/14 15Apr04 3:25 66:24 63:06 -bash

    root pts/20 9:21am 4:12 -sh

    novi pts/6 Sat 4pm 17 52 -bash

CIT 380: Securing Computer Systems


Data assessment procedure1

Data Assessment: Procedure

File date/time stamps

ls –alRu / >/mnt/floppy/atime

ls –alRc / >/mnt/floppy/ctime

ls –alR / >/mnt/floppy/mtime

CIT 380: Securing Computer Systems


Data assessment procedure2

Data Assessment: Procedure

Network ports

> netstat –anp

Active Internet connections (servers and established)

Proto Local Addr Foreign Addr State Program

tcp :::22 :::* LISTEN 26327/sshd

tcp 10.17.0.110:22 10.1.0.90:51327 ESTABLISHED 28644/sshd:

tcp 127.0.0.1:25 0.0.0.0:* LISTEN 1840/sendmail

udp 0.0.0.0:32768 0.0.0.0:* 1456/rpc.statd

udp 0.0.0.0:68 0.0.0.0:* 1363/dhclient

udp 0.0.0.0:111 0.0.0.0:* 1436/portmap

CIT 380: Securing Computer Systems


Data assessment procedure3

Data Assessment: Procedure

Running Processes

> ps aux

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND

root 1 0.0 0.0 1928 520 ? S Apr17 0:04 init [5]

root 1403 0.0 0.0 2128 580 ? S Apr17 0:01 syslogd -m 0

rpc 1436 0.0 0.0 2516 576 ? S Apr17 0:00 portmap

rpcuser 1456 0.0 0.0 2916 832 ? S Apr17 0:00 rpc.statd

smmsp 1849 0.0 0.2 7324 2520 ? S Apr17 0:00 sendmail: Queue [email protected]:00:00 for /var/spool/clientmqueue

root 1970 0.0 0.0 2992 348 tty3 S Apr17 0:00 /sbin/mingetty tty3

root 26327 0.0 0.1 4728 1504 ? S Apr21 0:00 /usr/sbin/sshd

waldenj 28646 0.0 0.2 8548 2560 ? S 11:12 0:00 sshd: [email protected]

/7

waldenj 28647 0.0 0.1 6800 1500 pts/7 S 11:12 0:00 -bash

root 28767 0.0 0.1 6572 1356 pts/7 S 13:44 0:00 bash

root 28789 0.0 0.0 3624 876 pts/7 R 13:49 0:00 ps aux

CIT 380: Securing Computer Systems


Data assessment procedure4

Data Assessment: Procedure

Collect system configuration

  • Check for sniffers: ifconfig

  • /etc/passwd, /etc/shadow, /etc/group

  • Scheduled jobs: cron and at

  • System init files: /etc/inittab, /etc/rc.d

    Collect system log files

  • Login logs in /etc/utmp, /etc/wtmp

  • Check /etc/syslog.conf

  • Log files in /var/adm, /var/log

  • Process accounting files in /var/acct

  • Shell history files, e.g., ~/.bash_history

CIT 380: Securing Computer Systems


Preserve evidence

Preserve Evidence

In-depth live system investigation.

Construct a bit-level copy of entire hard disk or partition for forensic examination.

  • Create image in single-user mode

    md5sum /dev/hda

    dd if=/dev/hda conv=noerror,sync | ssh desthost “cat >disk.img”

    desthost> md5sum disk.img

CIT 380: Securing Computer Systems


Eradication

Eradication

  • Do nothing.

  • Kill attacker’s processes and/or accounts.

  • Block attacker’s network access to system.

  • Patch and repair what you think was changed, then resume operation.

  • Investigate until root cause discovered, then restore system from backups and patch security holes.

  • Call law enforcement before proceeding further.

CIT 380: Securing Computer Systems


Follow up

Follow-Up

  • File reports with law enforcement, vendor, or regulatory agency.

  • File insurance claims if relevant.

  • Notify administrators of other affected systems.

  • Disciplinary actions against employees for internal attacks.

  • Update security of computer networks/systems.

  • Review handling of the incident.

  • Update incident handling policy/training.

CIT 380: Securing Computer Systems


Follow up1

Follow-Up

Tracking/Counter-attacking

  • IP header marking: traceback at the packet level.

  • Counterattacking

CIT 380: Securing Computer Systems


Ip header marking

IP Header Marking

Router inserts header data indicating path taken.

http://en.wikipedia.org/wiki/IP_traceback

When do you mark it?

Deterministic: always marked.

Probabilistic: marked with some probability.

How do you mark it?

Internal: marking placed in existing header.

Expansive: header expanded to include space for marking.

CIT 380: Securing Computer Systems


Counterattacking

Counterattacking

Use legal procedures

  • Collect chain of evidence so legal authorities can establish attack was real.

  • Check with lawyers for this

    • Rules of evidence very specific and detailed.

    • If you don’t follow them, expect case to be dropped.

      Technical attack

  • Goal is to damage attacker seriously enough to stop current attack and deter future attacks.

CIT 380: Securing Computer Systems


Consequences

Consequences

  • Counterattack may harm innocent party.

    • Attacker may have broken into source of attack or may be impersonating innocent party.

  • Counterattack may have side effects.

    • If counterattack is flooding, may block legitimate use of network.

  • Counterattack antithetical to shared use of network.

    • Counterattack absorbs network resources and makes threats more immediate.

  • Counterattack may be legally actionable.

CIT 380: Securing Computer Systems


Example counterworm

Example: Counterworm

  • Counterworm given signature of worm.

  • Counterworm spreads rapidly, deleting all occurrences of original worm.

    • ex: Welchia/Nachi hunts Blaster/MyDoom worms.

  • Issues

    • Can counterworm delete only targeted worm?

    • What if infected system gathering worms for research?

    • How do originators of counterworm know it will not cause problems for any system?

      • And are they legally liable if it does?

CIT 380: Securing Computer Systems


Key points

Key Points

  • Security incidents come in many forms.

  • Prepare for an incident before one occurs.

  • Understand your response goals.

  • Don’t trust the affected system in any way.

  • Contain the problem, then prepare detailed response.

  • Save data offline for later analysis.

  • Legal issues of counterattacks.

CIT 380: Securing Computer Systems


References

References

  • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.

  • N. Brownlee and E. Guttman, , “RFC 2350 - Expectations for Computer Security Incident Response,” http://www.faqs.org/rfcs/rfc2350.html, 1998.

  • CERT, “Computer Security Incident Response Team (CSIRT) FAQ,” http://www.cert.org/csirts/csirt_faq.html

  • William Cheswick, Steven Bellovin, Steven, and Avriel Rubin, Firewalls and Internet Security, 2nd edition, Addison-Wesley, 2003.

  • Fraser (ed.), “RFC 2196 - Site Security Handbook,” http://www.faqs.org/rfcs/rfc2196.html, 1997.

  • Garfinkel, Simson, Spafford, Gene, and Schartz, Alan, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.

  • Kevin Mandia, Chris Prosise, and Matt Pepe, Incident Response & Computer Forensics, 2nd edition, McGraw-Hill, 2003.

CIT 380: Securing Computer Systems


  • Login