1 / 36

Incident Response

Incident Response. Incident Response. Objectives: The student should be able to: Define 4 steps of what needs to be done in advance of an incident. Describe the purpose of an incident response procedure and what the procedure should include.

evan
Download Presentation

Incident Response

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Incident Response

  2. Incident Response Objectives: The student should be able to: • Define 4 steps of what needs to be done in advance of an incident. • Describe the purpose of an incident response procedure and what the procedure should include. • Describe the information that must be collected when a penetration has occurred: if computer is up; when computer is down; other evidence. • Describe important guidelines for collecting this information concerning chain of custody and authenticity. • Find information about a penetration using the PsTools and other tools: pslist, fport, listDLLs, netstat, netcat, psLoggedOn. (Lab only)

  3. How should a Sys Admin react? You are a system administrator and an incident occurs. Should you: • Go offline? • Block hacker at firewall? • Disable certain services? • Bring down machine/server? • Bring down the internal network? • Let the intruder proceed to collect evidence? • Your actions can have financial impact on the corporation.

  4. When an Incident Occurs…? How would these decisions differ if business pertained to: • Credit card / Banking? • Network services? • Medical prescriptions? • WWW Search Engine? The CEO must determine the priorities for incident response.

  5. Incident Response Procedure • A clear procedure defines what should happen when an intrusion is suspected • Define expected responses to different types of intrusions • Decide early because time will be limited during an attack

  6. Incident Response Plan Contents • Preincident readiness • How to declare a disaster • Evacuation procedures • Identifying persons responsible, contact information • IRT, S/W-H/W vendors, insurance, recovery facilities, suppliers, offsite media, human relations, law enforcement (for serious security threat) • Step-by-step procedures • Required resources for recovery & continued operations

  7. Step 0: Plan for Incident Response Tools Establish Detection Procedures Detection Procedures Create Incident Response Team Contact List Define & Publish Policies Incident Response Procedures Perform Training/ Rehearsal

  8. Establish Detection Procedures(Step 0) • SNMP: Monitors availability, response times, etc. and notifies administrator • IDS/IPS: Monitors for attacks and notifies administrator • Logs from all devices must be synchronized, monitored and audited • After a break-in administrators wish they had had stronger logging

  9. Create Incident Response Team (Step 0) • An incident response team can help to decide the Incident Response procedures and make decisions during an incident response. • Shall include: • Security Team: Detect, control attack. • Upper management: Be responsible for making decisions on major break-ins. • Human Resources: Deal with an attack from employees. • Technical Staff (MIS): Bring systems back in order. • Outside Members: Contact law enforcement, affected customers, ISP.

  10. Define and Publish Policies(Step 0) • Policies are defined and publicized as to what is and is not allowed • System banners indicate who/what is allowed on the system

  11. Perform Training/Rehearsal(Step 0) • Each person should be trained in what they need to do. • Carry out a drill. • Attacks succeed because companies are unprepared.

  12. Responding to Incident Detect Incident Detection Procedures Tools Respond to incident Contact List Recovery & Resume Incident Response Procedures Tools Review & Implement Detection Procedures Contact List

  13. Step 1: Incident Response and Containment • What types of attacks warrant which reactions? • How do we gather information on the attack? (Next section) • To whom should attacks be reported? • Do you inform police or FBI? • Can ISP help with log info and attack filtering? • Should vendors/customers be notified? • Shall the intrusion be hidden from the press? • FBI has a webpage for reporting crime at: www.usdoj.gov/criminal/cybercrime/reporting.html

  14. Step 2: Recovery and Resumption • Rebuild Affected System (Old system can be hiding rootkit) • Lock down system • Apply patches • Minimize software availability • Set secure configuration

  15. Step 3: Review & Implement • Could we have detected intrusion faster? • What losses did we sustain overall? • What did the hacker attempt to do and accomplish? • Why did the vulnerability occur? • Have we eliminated the vulnerability on this and other machines? • Could we have reacted in a quicker or more effective way? • How can we improve our legal case against the next intruder? • What changes should we make to our policies and procedures?

  16. Example: You receive an email indicating your network was part of an attack • May be a valid accusation • May be a mistake • May be a ruse So you investigate: • Your site may have been hacked. • An internal employee may be hacking outside. If you reply to email indicating a break-in you may: • Provide your email address and confirm an IP address • Indicate your readiness level: “We don’t have logs on that particular intrusion” • May fall for ‘social engineering spam’ (e.g., company selling IDS products).

  17. Responding to an Incident

  18. A break-in has occurred… • Get all information without changing any possible evidence • Consider the totality of the circumstances via investigation • React according to the type of break-in

  19. Document & Witness… Procedure must be professional, documented in order to • Collect evidence against individual • Protect organization • For legal reasons, you need to document your actions in a form and have a witness to all. • It is very difficult to prosecute a crime – have a law enforcement professional with you • Certain tools are regarded as ‘professional’

  20. Computer Crime Investigation Analyze copied images Call Police Or Incident Response Evidence must be unaltered Chain of custody professionally maintained Four considerations: Identify evidence Preserve evidence Analyze copy of evidence Present evidence Take photos of surrounding area Copy memory, processes files, connections In progress Preserve original system In locked storage w. min. access Power down Copy disk

  21. Computer Forensics • Did a crime occur? • If so, what occurred? Evidence must pass tests for: • Authenticity: Evidence is a true and faithful copy of the crime scene • Computer Forensics does not destroy or alter the evidence • Continuity: “Chain of custody” assures that the evidence is intact.

  22. Chain of Custody 11:47-1:05 Disk Copied RFT & PKB 11:05-11:44 System copied PKB & RFT 11:04 Inc. Resp. team arrives Time Line 10:53 AM Attack observed Jan K 11:15 System brought Offline RFT 11:45 System Powered down PKB & RFT 1:15 System locked in static-free bag in storage room RFT & PKB Who did what to evidence when? (Witness is required)

  23. Preparing Evidence Work with police to AVOID: • Contaminating the evidence • Voiding the chain of custody • Evidence is not impure or tainted • Written documentation lists chain of custody: locations, persons in contact – time & place • Infringing on the rights of the suspect • Warrant required unless… • Company permission given; in plain site; communicated to third party; evidence in danger of being destroyed; or normal part of arrest; ...

  24. Computer Forensics The process of identifying preserving, analyzing and presenting digital evidence for a legal proceeding

  25. Creating a Forensic Copy 2) Accuracy Feature: Tool is accepted as accurate by the scientific community: e.g., CoreRESTORE, Forensic Replicator, FRED Original Mirror Image 4) One-way Copy: Cannot modify original 5) Bit-by-Bit Copy: Mirror image 3) Forensically Sterile: Wipes existing data; Records sterility 1) & 6) Calculate Message Digest: Before and after copy 7) Calculate Message Digest Validate correctness of copy

  26. When break-in noticed, with a witness… • Before Logoff/Power down save volatile information • Use trusted commands in accessing remote machine (use commands off read-only CD, floppy) • Do not alter system in any way • Save data to network or removable USB drive (fast, large storage) • Collect information and label it: Case number, time, date, data collector, data analyzer. • Seal and lock up the evidence. Track any access to sealed data • Take pictures of system from all sides

  27. Collected information includes… Volatile information: • System memory: Unix /dev/mem or /dev/kmem • Currently running processes • Logged in users • Network connections: Recent connections and open applications/sockets • Currently open files: File system time & date stamps • System date & time

  28. After computer is turned off… • Reboot will change disk images. Do not reboot! • Make forensic backup = system image = bit-stream backup • Copy every bit of the file system, not just the disk files! • Example tools include: • Intelligent Computer Solutions: Image MASSter • EnCase (www.guidancesoftware.com) • SafeBack (www.forensics-intl.com/safeback.html) • Unix dd command • Compute hash value of disk and backup

  29. Useful information to collect… • Photos of computer, surroundings, display (if on), back panel plugs, etc. • IDS, Firewall, and System logs • Employees web pages, emails, internet activities • Employees access of files (created/modified/viewed) • Local peripheral paraphernalia (CDs, floppies, papers) • Better to collect too much than too little

  30. Forensic Toolkit • Maintain a CD or two floppy disks (write-protected) with forensic utilities (Abbreviated from Incident Response & Computer Forensics, Mandia, Prosise, Pepe, McGraw Hill, pp. 87-88) • Avoid stored utilities on the potentially-compromised computer

  31. Forensic Utilities • cmd.exe: Command prompt for Windows NT/2000 • PsLoggedOn: Shows all connected users, local & remote (www.foundstone.com) • Rasusers: Lists the users with remote-access privileges on the system (NT Resource Kit) • Netstat: Lists all listening ports and all current connections on the ports • Fport: Lists all processes that opened any TCP ports and executable path (www.foundstone.com) • PsList: Enumerates all running processes (www.foundstone.com) • ListDLLs: Lists all running processes, their command-line arguments, and the DLLs they depend on (www.foundstone.com)

  32. Forensic Utilities (2) • Nbtstat: Lists NetBIOS connections for last 10 minutes (approx.) • Arp: Lists the MAC addresses system has been communicating within last minutes • Kill: Terminates a process (NTRK) • Md5sum: Creates MD5 hashes for a file (www.cygwin.com) • Rmtshare: Displays the accessible shares (NTRK) • Netcat: Creates a communication channel between two systems (www.atstake.com) • Cryptcat: Creates an encrypted channel of communications (sourceforge.net)

  33. Forensic Utilities (3) • PsLogList: Dumps the event logs (www.foundstone.com) • PsKill: Kill a process (www.foundstone.com) • Ipconfig: Display interface configuration • PsInfo: Provide info about local system build (www.foundstone.com) • PsService: Lists current processes and threads (www.foundstone.com) • Auditpol: Displays security audit settings (NTRK) • Doskey: displays command history for an open cmd.exe shell • AFind: Provides file access times (www.foundstone.com) • Pasco: Most recent websites accessed (www.foundstone.com) • EnCase: List files whose extensions do not match file type (.doc->.jpeg) • Sfind: Show hidden or alternative data stream files (www.foundstone.com)

  34. Save volatile data Three ways to save forensic data: • Save to memory stick/floppy: [cmd] >> f:\logfile • Use netcat: Below we send from hacked station to forensic station on port 1234 • (at forensic station:) nc –l –p 1234 > logfile • (at hacked station:) [cmd] | nc 192.168.0.n 1234 • where: -l listen mode: accept incoming connection • Use cryptcat: encrypted so no one can observe or modify netcat data.

  35. Response Script Example From Incident Response & Computer Forensics p. 114) Filename: ir.bat • time /t • date /t • psloggedon • dir /t:a /o:d /a /s c:\ • dir /t:w /o:d /a /s c:\ • dir /t:c /o:d /a /s c:\ • netstat –an • fport • pslist • nbtstat –c • time /t • date /t • doskey /history where: • dir –help indicates that • /t: indicates whether last Accessed, last Written or Created date should be included • /s: indicates that directories and subdirectories should be listed • /a: indicates types of files • ‘time /t’ and ‘date /t’ do not prompt for new times, dates

  36. Summary • Must detect incidents • Have an established incident response procedure • Save off volatile data first • Do not rely on utilities on the compromised machine • Legal proceedings require Authenticity & Continuity (chain of custody) • Improve incident response procedure after test or usage

More Related