Investigating Internet Security Incidents

Presentation Transcript


  1. Investigating Internet Security Incidents
  A Brief Introduction to Cyber Forensic Analysis
  Peter Stephenson, pstephen@imfgroup.com

  2. Agenda
  • Intrusion approaches
  • Investigative tool kit
  • Investigative approaches
  • End-to-end tracing
  • Evidence collection and preservation
  • Forensic use of RMON2-based tools for documenting the path of an attack

  3. What is Cyber Crime?
  • Crimes directed against a computer
  • Crimes where the computer contains evidence
  • Crimes where the computer is used to commit the crime

  4. The Nature of Computer Related Crime in Today’s Organizations Source: 1998 CSI/FBI Study

  5. There Are Only 4 Kinds of Attacks
  • Denial of service
  • Social engineering
  • Technical
  • Sniffing

  6. Intrusion Approaches
  • Target selection, research and background info
    • Internet searches
    • Whois, nslookup
  • Preliminary probing (avoid logging; get passwords)
    • POP probe
    • Sniffing
    • DNS zone transfer
    • SMTP probe
    • Other simple probes
  • Search for back doors
  • Technical attack or social engineering

  7. Cleaning Up After an Attack
  • Delete tools and work files
  • Modify logs (Unix example):
    • syslog output
    • messages files (especially the mail log)
    • su log
    • lastlog, wtmp and utmp (the login accounting files)
    • daemon logs
    • transfer logs
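Worked example (added here; it is not from the slides): a scanner for the traces an in-place wtmp cleaner leaves behind, the counterpart to the clean-up list above. It assumes the glibc x86_64 struct utmp layout (384-byte records; confirm a real file's layout with utmpdump first), and its sample wtmp, user names and host names are constructed.

```python
"""Scan a Linux wtmp file for the traces an in-place log cleaner leaves.

Added example, not from the slides. Assumes the glibc x86_64 struct utmp
layout (384-byte records); the sample file is constructed below.
"""
import struct
from datetime import datetime, timezone

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def when(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def make_record(ut_type, pid, line, user, host, ts):
    """Pack one record; struct NUL-pads the fixed-width string fields."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def scan_wtmp(data):
    """Return (kind, record_index, detail) for each anomaly, in file order."""
    findings = []
    prev_ts = 0
    for n in range(len(data) // UTMP_SIZE):
        raw = data[n * UTMP_SIZE:(n + 1) * UTMP_SIZE]
        if raw == b"\x00" * UTMP_SIZE:
            # A cleaner that nulls the entry instead of rewriting the file leaves this.
            findings.append(("zeroed", n, "all-zero record"))
            continue
        ut_type, _pid, _line, _id, user, _host, _e1, _e2, _sess, ts, *_ = struct.unpack(UTMP_FMT, raw)
        user = user.split(b"\x00", 1)[0].decode(errors="replace")
        if ut_type == USER_PROCESS and not user:
            findings.append(("blank_user", n, "login record with no user name"))
        if ts < prev_ts:
            # wtmp is append-only: a step backwards means records were spliced
            # in or the clock was set back, and either needs explaining.
            findings.append(("out_of_order", n, f"{when(ts)} follows {when(prev_ts)}"))
        prev_ts = max(prev_ts, ts)
    if len(data) % UTMP_SIZE:
        findings.append(("partial", len(data) // UTMP_SIZE,
                         f"{len(data) % UTMP_SIZE} trailing bytes, not a whole record"))
    return findings


def sample_wtmp():
    """Constructed file: the intruder's login was zeroed in place, a stale
    record was appended, and the rewrite left a partial record at the end."""
    t0 = int(datetime(1998, 9, 12, 22, 25, 13, tzinfo=timezone.utc).timestamp())
    recs = [
        make_record(USER_PROCESS, 101, "pts/0", "alice", "ws1.example.com", t0),
        make_record(USER_PROCESS, 202, "pts/1", "eve", "XXX.XXX.178.66", t0 + 60),
        make_record(DEAD_PROCESS, 101, "pts/0", "alice", "ws1.example.com", t0 + 120),
        make_record(USER_PROCESS, 303, "pts/2", "bob", "ws2.example.com", t0 + 30),
    ]
    recs[1] = b"\x00" * UTMP_SIZE          # intruder's entry wiped in place
    return b"".join(recs) + b"\x00" * 16    # file rewritten short: dangling partial record


if __name__ == "__main__":
    for kind, n, detail in scan_wtmp(sample_wtmp()):
        print(f"record {n}: {kind} ({detail})")
```

Run it over a copy of the imaged wtmp (scan_wtmp(open(copy, "rb").read())), never over the original evidence. A zeroed record or a timestamp that steps backwards is a lead, not proof: a clock reset or a crash-truncated file produces the same artefacts, so corroborate against the syslog and su logs listed above, ideally from a copy spooled off the host before the intruder could reach it.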

  8. INVESTIGATIVE AXIOM: Treat every incident as if it will end up in a criminal prosecution.

  9. Your Investigative Tool Kit
  • Policies
  • Criminal profiling
  • Tracing tools
  • Log analysis
  • Crime scene (victim computer) analysis
  • E-mail header analysis
  • News group header analysis

  10. The Role of Policies
  • They define the actions you can take
  • They must be clear and simple to understand
  • The employee must acknowledge that he or she has read them, understands them and will comply with them
  • They can't violate the law

  11. Electronic Communications Privacy Act - Your Enabling Law
  • Owner may intercept communications between an intruder and that owner's computer system
  • Owner providing others with the ability to use that computer to communicate with other computer systems may:
    • make routine backups and perform other routine monitoring
    • intercept with prior consent of the user
    • intercept portions of communications necessary to determine origin and destination
    • intercept where necessary to protect the owner's rights or property
    • disclose to law enforcement any communications inadvertently discovered which reveal criminal activity

  12. Criminal Profiling
  • Criminal profiling is the process of using available information about a crime and crime scene to compose a psychological portrait of the unknown perpetrator of the crime
  • Classical profiling goals - to provide:
    • a social and psychological assessment of the offender
    • a psychological evaluation of relevant possessions found with suspected offenders
    • strategies that should be used when interviewing offenders

  13. Crime Scene Analysis
  • Branch of profiling using standard investigative techniques to analyze crime scenes
  • Investigators are usually most comfortable with this approach
  • Very useful in computer incidents

  14. Developing a Profile of an Intruder
  • Crime scene analysis
    • How was access obtained? What skills were required?
    • How did the intruder behave on the system? Damage? Clean-up? Theft?
  • Investigative psychology
    • motivation
    • personality type

  15. Goals of an Investigation
  • To ensure that all applicable logs and evidence are preserved
  • To understand how the intruder is entering the system
  • To obtain the information you need to justify a trap and trace of the phone line the intruder is using, or to obtain a subpoena for information from an ISP
  • To discover why the intruder has chosen this computer
  • To gather as much evidence of the intrusion as possible
  • To obtain information that may narrow your list of suspects
  • To document the damage caused by the intruder
  • To gather enough information to decide whether law enforcement should be involved

  16. Immediate Objective: PRESERVE THE EVIDENCE!!!
  • Begin a traceback to identify possible log locations
  • Contact system administrators on intermediate sites to request log preservation
  • Contain damage
  • Collect local logs
  • Image disks on victim computers

  17. Building an Incident Hypothesis
  • Start with witness accounts
  • Consider how the intruder could have gained access
    • eliminate the obvious
    • use logs and other physical evidence
    • consider the skill level or inside knowledge required
  • Create mirrors of affected computers

  18. Building an Incident Hypothesis (continued)
  • Develop a profile of the intruder
  • Consider the path into the victim computer
  • Recreate the incident in the lab
    • use real mirrors whenever possible
  • Consider alternative explanations
    • test the alternatives

  19. Incident Reconstruction
  • Physical
    • use mirrors of the actual involved systems
    • useful for single computers
  • Logical
    • use similar systems
    • useful for networks where you have access to the entire network
  • Theoretical
    • hypothesize intermediate computers
    • necessary when you can't access all involved computers

  20. Back Tracing
  • Elements of a back trace
    • end points
    • intermediate systems
    • e-mail and packet headers
    • logs
  • Objective: to get to a dial-in POP (the ISP's point of presence, not the mail protocol)
  • The only messages that can't be back traced are those sent through a true anonymizer and those for which no logs are present

  21. Enabling Relationships (diagram): the intruder DIALs in (TELCO LOGS), reaches the ISP (ISP's LOGS), crosses the INTERNET to our perimeter (OUR LOGS), PENETRATES a HOST and from it ATTACKS the VICTIM

  22. Obtaining Subpoenas
  • Notify the involved organization that you are going to subpoena it and request that it preserve evidence; find out to whom the subpoena should be delivered
  • File a John/Jane Doe lawsuit with an emergency order to subpoena the appropriate records
  • Subpoena the logs you need
  • Get everything you can on the first pass
  • May need depositions

  23. Requirements for Logs to be used as Evidence
  • Must not be modifiable
    • Spool off to a protected loghost
    • Optical media
    • Backups
  • Must be complete
    • All superuser access
    • Login and logout
    • Attempts to use any controlled services
    • Attempts to access critical resources
    • E-mail details
  • Appropriate retention

  24. Tracing E-Mail Headers
  Received: headers are read bottom-up: (1) is the originating MTA, (3) the last hop before the victim's server, and (4) the forged From: line. The queue id SAA29949 in (1) reappears in the Message-Id, which ties the message to web03.iname.net's own mail log.
  (3) Received: from mailhost.example.com ([XXX.XXX.178.66]) by smtp.example.com; Sat, 12 Sep 1998 15:25:54 -0700
  (2) Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
  (1) Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
      Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
  (4) From: fake user name@iname.com
      Message-Id: <199809122225.SAA29949@web03.iname.net>
      Content-Type: text/plain
      Mime-Version: 1.0
      To: victim@smtp.example.com
      Content-Transfer-Encoding: 7bit
      Subject: This is a forged e-mail message

  25. Performing the Trace
  • Contact iname's Security Officer
  • Connect account name, time and message ID to the source IP address
  • Locate the ISP and contact its Security Officer
  • Get logs from the source IP
  • Who was connected at the time of the e-mail?
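Worked example (added here; it is not part of the original slides) of the header walk that slides 24 and 25 describe: parse the Received: chain bottom-up, normalise each hop's timestamp to UTC, tie the originating hop to the Message-Id, and flag hops whose clocks disagree. The sample is the slide's forged message reproduced as a constructed string, redacted IP literal included; the dictionary keys the functions return are my own naming.

```python
"""Walk a message's Received: chain bottom-up, normalise every hop's
timestamp to UTC, and flag hops whose clocks disagree.

Added example, not from the slides. The sample headers are the slide's
forged message, reproduced as a constructed string (the redacted IP
literal is left as XXX.XXX.178.66).
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE = """\
Received: from mailhost.example.com ([XXX.XXX.178.66]) by smtp.example.com; Sat, 12 Sep 1998 15:25:54 -0700
Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep 1998 15:31:55 -0700
Received: (from root@localhost) by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
Date: Sat, 12 Sep 1998 18:25:13 -0400 (EDT)
From: fake user name@iname.com
Message-Id: <199809122225.SAA29949@web03.iname.net>
To: victim@smtp.example.com
Subject: This is a forged e-mail message

body text
"""

_TRAILING_COMMENT = re.compile(r"\s*\([^)]*\)\s*$")   # strips "(EDT)" and the like


def parse_received(value):
    """Split one Received: header into the fields a trace needs."""
    clause, _, date_part = value.rpartition(";")
    when = parsedate_to_datetime(_TRAILING_COMMENT.sub("", date_part.strip()))

    def grab(pattern):
        m = re.search(pattern, clause)
        return m.group(1) if m else None

    return {
        "from": grab(r"\(?from\s+([^\s)]+)"),   # claimed sender (may be forged)
        "ip": grab(r"\[([^\]]+)\]"),            # literal the receiving MTA saw
        "by": grab(r"\bby\s+(\S+)"),            # MTA that wrote this header
        "id": grab(r"\bid\s+(\S+)"),            # that MTA's queue id
        "time": when.astimezone(timezone.utc),
    }


def trace_hops(raw_message):
    """Return hops in delivery order (first hop first) with inter-hop deltas."""
    msg = message_from_string(raw_message)
    # Each MTA prepends its own Received:, so header order is newest-first.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received") or [])]
    for i, hop in enumerate(hops):
        delta = 0 if i == 0 else int((hop["time"] - hops[i - 1]["time"]).total_seconds())
        hop["delta_seconds"] = delta
        hop["clock_skew"] = delta < 0   # a hop cannot precede the one it received from
    return hops


def origin_of(raw_message):
    """Tie the first hop to the Message-Id so the request to the ISP is precise."""
    hops = trace_hops(raw_message)
    first = hops[0]
    mid = message_from_string(raw_message).get("Message-Id", "")
    m = re.match(r"<(\d+)\.([^@]+)@([^>]+)>", mid)
    stamp, queue_id, host = m.groups() if m else (None, None, None)
    return {
        "origin_host": first["by"],
        "queue_id": first["id"],
        "time_utc": first["time"].isoformat(),
        # Both should agree before you cite them in a preservation request.
        "message_id_matches": queue_id == first["id"] and host == first["by"],
        "stamp_matches": stamp == first["time"].strftime("%Y%m%d%H%M"),
    }


if __name__ == "__main__":
    for n, h in enumerate(trace_hops(SAMPLE), 1):
        flag = "  <-- clock skew" if h["clock_skew"] else ""
        print(f"hop {n}: {h['from']} -> {h['by']} id={h['id']} at {h['time']:%H:%M:%S}Z{flag}")
    print(origin_of(SAMPLE))
```

On the slide's own headers the walk shows mailhost.example.com stamping 15:31:55 while the next hop, smtp.example.com, stamps 15:25:54, six minutes earlier, so one of those two clocks is wrong; quote the originating hop's queue id and host to iname rather than a timestamp from a skewed hop. Only the headers written by MTAs you control are trustworthy: everything below your own server's Received: line was supplied by the sender and can be forged along with the From: line.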

  26. Evidence Collection & Preservation
  • Forensic evidence
    • Safeback - creates physical images and mirrors of affected computers
  • Forensic analysis
    • NTI tools
  • NEVER work directly on the evidence
  • Never contribute to the evidence
  • Ensure chain of custody

  27. RMON2 Tracing Tools
  • Requires RMON2 devices
  • Use ODS Networks Secure Switch Investigator
  • Looks for evidence of alien conversations served from within the victim's perimeter
  • By moving "outwards" a step at a time, determine the source of the attack

  28. MCI DoSTracker
  • Attempts to trace packets with forged source addresses, starting at the victim's location and working backwards toward the possible source
  • Attack must be in progress
  • Process:
    • Log in to the starting edge router
    • Deploy an access control list in debug mode for the victim IP
    • Clear the victim subnet's cache
    • Look for forged packets by comparing each packet's source address to the route table
    • Spawn a separate process to log in to the next-hop router and continue
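Worked example (added here; it is not MCI's tool, which ran on the routers themselves) of the comparison step in the process above: for each packet logged toward the victim, look up the router's best route back to the packet's source address and flag the packet when that route does not leave through the interface it arrived on; the interface carrying the flagged packets is the one to follow to the next router. The route table, interface names and log lines are constructed.

```python
"""The DoSTracker comparison step done by hand: flag victim-bound packets
whose source address would not be routed back out the interface they came
in on, then count which ingress interface carries the forged traffic.

Added example, not MCI's tool. Routes, interfaces and packets are constructed.
"""
import ipaddress
from collections import Counter

VICTIM = "192.0.2.10"

# Constructed forwarding table of the edge router: prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0": "Serial1",        # default route toward the upstream provider
    "10.0.0.0/8": "Serial0",       # a downstream customer
    "10.20.0.0/16": "Ethernet1",   # more specific customer subnet
    "192.0.2.0/24": "Ethernet0",   # the victim's subnet
}

# Constructed ACL log lines in the shape "src dst ingress-interface".
LOGGED = """\
10.20.5.7 192.0.2.10 Ethernet1
203.0.113.9 192.0.2.10 Serial1
198.51.100.4 192.0.2.10 Serial0
10.20.9.1 192.0.2.10 Serial0
192.0.2.77 192.0.2.10 Serial0
198.51.100.4 192.0.2.99 Serial0
"""


def best_route(src, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_forged(src, in_iface, routes=ROUTES):
    """Source is suspect when the return path does not use the ingress interface."""
    return best_route(src, routes) != in_iface


def classify(log_text, victim=VICTIM, routes=ROUTES):
    """Return (forged (src, iface) pairs, Counter of ingress interfaces carrying them)."""
    forged, per_iface = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, iface = line.split()
        if dst != victim:
            continue                      # only the flood toward the victim matters
        if is_forged(src, iface, routes):
            forged.append((src, iface))
            per_iface[iface] += 1
    return forged, per_iface


def next_hop_interface(log_text, victim=VICTIM, routes=ROUTES):
    """Interface the forged flood enters on: the neighbour behind it is the next router to log into."""
    _, per_iface = classify(log_text, victim, routes)
    return per_iface.most_common(1)[0][0] if per_iface else None


if __name__ == "__main__":
    forged, per_iface = classify(LOGGED)
    for src, iface in forged:
        print(f"forged source {src} arrived on {iface}, expected {best_route(src)}")
    print("follow:", next_hop_interface(LOGGED))
```

The check is strict reverse-path filtering, so on a router with asymmetric paths legitimate traffic also fails it; treat the per-interface count, not any single packet, as the signal. A source forged from inside the prefix that is routed via the ingress interface passes this test unnoticed, which is why the check is repeated at every hop rather than run once at the edge.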

  29. CMDS - Abuse at the Host
  • Manager-agent architecture
  • Responds to violations of policies
  • Analyzes usage patterns
  • Identifies rogue users
  • Identifies masqueraders
  • Available from ODS Networks

  30. Summary
  • Ensure appropriate policies
  • Preserve the crime scene (victim computer)
  • Act immediately to identify and preserve logs on intermediate systems
  • Conduct your investigation
  • Obtain subpoenas or contact law enforcement
