Incident Response by ESh0i12Z


Incident Response
The student should be able to:
 Define 4 steps of what needs to be done in advance of an
 Describe the purpose of an incident response procedure and
  what the procedure should include.
 Describe the information that must be collected when a
  penetration has occurred: if computer is up; when computer is
  down; other evidence.
 Describe important guidelines for collecting this information
  concerning chain of custody and authenticity.
 Find information about a penetration using the PsTools and
  other tools: pslist, fport, listDLLs, netstat, netcat, psLoggedOn.
  (Lab only)
How should a Sys Admin react?
You are a system administrator and an incident occurs.
  Should you:
 Go offline?
 Block hacker at firewall?
 Disable certain services?
 Bring down machine/server?
 Bring down the internal network?
 Let the intruder proceed to collect evidence?
 Your actions can have financial impact on the
When an Incident Occurs…?
How would these decisions differ if business pertained
 Credit card / Banking?
 Network services?
 Medical prescriptions?
 WWW Search Engine?
The CEO must determine the priorities for incident
Incident Response Procedure
 A clear procedure defines what should happen when
  an intrusion is suspected
 Define expected responses to different types of
 Decide early because time will be limited during an
Incident Response Plan
   Preincident readiness
   How to declare a disaster
   Evacuation procedures
   Identifying persons responsible, contact information
     IRT, S/W-H/W vendors, insurance, recovery facilities, suppliers,
      offsite media, human relations, law enforcement (for serious
      security threat)
 Step-by-step procedures
 Required resources for recovery & continued operations
Step 0: Plan for Incident Response
[Diagram: Establish Procedures; Detection Tools; Incident Response Contact List; Define & …]
Establish Detection Procedures (Step 0)
 SNMP: Monitors availability, response times, etc. and
  notifies administrator
 IDS/IPS: Monitors for attacks and notifies
 Logs from all devices must be synchronized,
  monitored and audited
 After a break-in administrators wish they had had
  stronger logging
Create Incident Response Team (Step 0)
 An incident response team can help to decide the
  Incident Response procedures and make decisions
  during an incident response.
 Shall include:
   Security Team: Detect, control attack.
   Upper management: Be responsible for making
    decisions on major break-ins.
   Human Resources: Deal with an attack from employees.
   Technical Staff (MIS): Bring systems back in order.
   Outside Members: Contact law enforcement, affected
    customers, ISP.
Define and Publish Policies (Step 0)
 Policies are defined and publicized as to what is and is
  not allowed
 System banners indicate who/what is allowed on the
Perform Training/Rehearsal (Step 0)
 Each person should be trained in what they need to
 Carry out a drill.
 Attacks succeed because companies are unprepared.
Responding to Incident
[Diagram: Detect Incident (Detection Procedures) → Respond to Incident (Contact List) → Recovery & Resume (Incident Response) → Review & Implement (Contact)]
Step 1: Incident Response and
 What types of attacks warrant which reactions?
 How do we gather information on the attack? (Next
   To whom should attacks be reported?
   Do you inform police or FBI?
   Can ISP help with log info and attack filtering?
   Should vendors/customers be notified?
   Shall the intrusion be hidden from the press?
   FBI has a webpage for reporting crime at:
Step 2: Recovery and Resumption
 Rebuild Affected System (Old system can be hiding
 Lock down system
   Apply patches
   Minimize software availability
   Set secure configuration
Step 3: Review & Implement
 Could we have detected intrusion faster?
 What losses did we sustain overall?
 What did the hacker attempt to do and accomplish?
 Why did the vulnerability occur?
 Have we eliminated the vulnerability on this and other
 Could we have reacted in a quicker or more effective way?
 How can we improve our legal case against the next
 What changes should we make to our policies and
Example: You receive an email indicating your network was part of an
 May be a valid accusation
 May be a mistake
 May be a ruse

So you investigate:
 Your site may have been hacked.
 An internal employee may be hacking outside.

If you reply to email indicating a break-in you may:
 Provide your email address and confirm an IP address
 Indicate your readiness level: “We don’t have logs on that particular
 May fall for ‘social engineering spam’ (e.g., company selling IDS
A break-in has occurred…
 Get all information without changing any possible
 Consider the totality of the circumstances via
 React according to the type of break-in
Document & Witness…
Procedure must be professional, documented in order to
 Collect evidence against individual
 Protect organization
 For legal reasons, you need to document your actions in a form and
  have a witness to all.
 It is very difficult to prosecute a crime – have a law enforcement
  professional with you
    Certain tools are regarded as ‘professional’
Computer Crime Investigation
[Diagram, left to right: Call police or incident response; Copy memory, files, connections in progress; Copy disk; Take photos of surrounding area; Preserve original system in locked storage with minimum access; Analyze copied images]
Evidence must be unaltered; chain of custody professionally maintained.
Four considerations:
    Identify evidence
    Preserve evidence
    Analyze copy of evidence
    Present evidence
Computer Forensics
 Did a crime occur?
 If so, what occurred?

Evidence must pass tests for:
 Authenticity: Evidence is a true and faithful copy
  of the crime scene
   Computer Forensics does not destroy or alter the
 Continuity: “Chain of custody” assures that the
  evidence is intact.
Chain of Custody
  Time          Action                                             By
  10:53 AM      Attack observed                                    Jan K
  11:04         Incident response team arrives
  11:05-11:44   System copied                                      PKB & RFT
  11:15         System brought offline                             RFT
  11:45         System powered down                                PKB & RFT
  11:47-1:05    Disk copied                                        RFT & PKB
  1:15          System locked in static-free bag in storage room   RFT & PKB

Who did what to evidence when? (Witness is required)
Preparing Evidence
Work with police to AVOID:
 Contaminating the evidence
 Voiding the chain of custody
    Evidence is not impure or tainted
    Written documentation lists chain of custody: locations, persons in
     contact – time & place
 Infringing on the rights of the suspect
    Warrant required unless…
     Company permission given; in plain sight; communicated to third
     party; evidence in danger of being destroyed; or normal part of
     arrest; ...
Computer Forensics

The process of identifying, preserving, analyzing
   and presenting digital evidence for a legal
Creating a Forensic Copy
[Diagram: Original → Mirror Image, annotated with the numbered properties below]
1) & 6) Calculate message digest: before and after copy
2) Accuracy feature: tool is accepted as accurate by the scientific community (e.g., CoreRESTORE, Forensic Replicator, FRED)
3) Forensically sterile: wipes existing data; records sterility
4) One-way copy: cannot modify original
5) Bit-by-bit copy: mirror image
7) Calculate message digest: validate correctness of copy
When break-in noticed, with a witness…
 Before Logoff/Power down save volatile information
 Use trusted commands in accessing remote machine (use
    commands off read-only CD, floppy)
   Do not alter system in any way
   Save data to network or removable USB drive (fast, large
   Collect information and label it: Case number, time, date,
    data collector, data analyzer.
   Seal and lock up the evidence. Track any access to sealed
   Take pictures of system from all sides
Collected information includes…
Volatile information:
 System memory: Unix /dev/mem or /dev/kmem
 Currently running processes
 Logged in users
 Network connections: Recent connections and open
 Currently open files: File system time & date stamps
 System date & time
After computer is turned off…
 Reboot will change disk images. Do not reboot!
 Make forensic backup = system image = bit-stream
 Copy every bit of the file system, not just the disk files!
 Example tools include:
    Intelligent Computer Solutions: Image MASSter
    EnCase (
    SafeBack (
    Unix dd command
 Compute hash value of disk and backup
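The following POSIX shell script is an added example, not from the slides and not one of the imaging tools named above. It carries out the digest-before, bit-stream copy, digest-after sequence of the "Creating a Forensic Copy" slide with the Unix dd command, and writes every action as a timestamped who/what/when entry of the kind the "Chain of Custody" timeline shows. The case number, operator initials, file paths and the 9 KiB sample "disk" are constructed; SHA-256 stands in for whatever message digest the imaging tool records.

```sh
#!/bin/sh
# Added example, not from the slides: a forensic bit-stream copy done with the
# Unix dd command, with message digests taken before and after the copy
# (properties 1, 6 and 7 of the forensic-copy slide) and a chain-of-custody
# log entry for every action. Case numbers, initials and paths are constructed.
set -eu

# hash_file FILE -> SHA-256 hex digest of FILE (the "message digest")
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# log_custody LOG CASE WHO TEXT -> appends one timestamped who/what/when entry
log_custody() {
    printf '%s case=%s by=%s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" >> "$1"
}

# forensic_copy ORIGINAL IMAGE LOG CASE WHO
#   1) digest the original, 2) copy it bit for bit with dd, 3) digest the image
#   and re-digest the original, 4) insist that all three digests agree.
# Prints the verified digest; returns 1 (with a logged ERROR) on any mismatch.
forensic_copy() {
    orig=$1; img=$2; log=$3; case_no=$4; who=$5
    before=$(hash_file "$orig")
    log_custody "$log" "$case_no" "$who" "digest-before sha256=$before src=$orig"

    # Plain dd copies every byte, including a short final block. Do NOT add
    # conv=noerror,sync here unless the medium has read errors: it pads short
    # blocks with zeros, so the image would no longer hash like the original,
    # and that fact would then have to be recorded in the custody log.
    dd if="$orig" of="$img" bs=4096 2>/dev/null
    log_custody "$log" "$case_no" "$who" "dd-copy src=$orig dst=$img bytes=$(wc -c < "$img")"

    after_img=$(hash_file "$img")
    after_orig=$(hash_file "$orig")
    if [ "$before" != "$after_orig" ]; then
        log_custody "$log" "$case_no" "$who" "ERROR original changed during copy"
        return 1
    fi
    if [ "$before" != "$after_img" ]; then
        log_custody "$log" "$case_no" "$who" "ERROR image sha256=$after_img does not match original"
        return 1
    fi
    log_custody "$log" "$case_no" "$who" "digest-after sha256=$after_img img=$img verified"
    printf '%s\n' "$after_img"
}

# verify_image DIGEST IMAGE -> succeeds only if IMAGE still hashes to DIGEST;
# run it every time the image leaves or re-enters sealed storage.
verify_image() {
    [ "$(hash_file "$2")" = "$1" ]
}

# Demonstration on a constructed 9 KiB "disk" (deliberately not a multiple of
# the dd block size, to show the short final block is still copied intact).
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/disk.orig" bs=1024 count=9 2>/dev/null
    digest=$(forensic_copy "$work/disk.orig" "$work/disk.img" "$work/custody.log" CASE-0001 RFT)
    echo "verified image digest: $digest"
    cat "$work/custody.log"
    # Any later change to the image, even one byte, is caught by verify_image.
    printf 'x' >> "$work/disk.img"
    if verify_image "$digest" "$work/disk.img"; then
        echo "unexpected: tampered image still verifies"
    else
        echo "tampering detected: image no longer matches $digest"
    fi
    rm -rf "$work"
}

demo
```

Re-hashing the original after the copy is what proves the copy was one-way (property 4): if the source digest moved, the evidence was altered during imaging and the log says so. On a real device the ORIGINAL argument is the raw block device, ideally behind a hardware write blocker, and the image, the log and the two digests all go into the sealed evidence record together.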
Useful information to collect…
 Photos of computer, surroundings, display (if on),
  back panel plugs, etc.
 IDS, Firewall, and System logs
 Employees web pages, emails, internet activities
 Employees access of files (created/modified/viewed)
 Local peripheral paraphernalia (CDs, floppies, papers)
 Better to collect too much than too little
Forensic Toolkit
 Maintain a CD or two floppy disks (write-protected)
  with forensic utilities (Abbreviated from Incident
  Response & Computer Forensics, Mandia, Prosise,
  Pepe, McGraw Hill, pp. 87-88)
 Avoid stored utilities on the potentially-compromised
Forensic Utilities
 cmd.exe: Command prompt for Windows NT/2000
 PsLoggedOn: Shows all connected users, local & remote
   Rasusers: Lists the users with remote-access privileges on the
    system (NT Resource Kit)
   Netstat: Lists all listening ports and all current connections on
    the ports
   Fport: Lists all processes that opened any TCP ports and
    executable path (
   PsList: Enumerates all running processes
   ListDLLs: Lists all running processes, their command-line
    arguments, and the DLLs they depend on
Forensic Utilities (2)
 Nbtstat: Lists NetBIOS connections for last 10 minutes
   Arp: Lists the MAC addresses system has been
    communicating within last minutes
   Kill: Terminates a process (NTRK)
   Md5sum: Creates MD5 hashes for a file (
   Rmtshare: Displays the accessible shares (NTRK)
   Netcat: Creates a communication channel between two
    systems (
   Cryptcat: Creates an encrypted channel of
    communications (
Forensic Utilities (3)
   PsLogList: Dumps the event logs (
   PsKill: Kill a process (
   Ipconfig: Display interface configuration
   PsInfo: Provide info about local system build (
   PsService: Lists current processes and threads (
   Auditpol: Displays security audit settings (NTRK)
   Doskey: displays command history for an open cmd.exe shell
   AFind: Provides file access times (
   Pasco: Most recent websites accessed (
   EnCase: List files whose extensions do not match file type (.doc->.jpeg)
   Sfind: Show hidden or alternative data stream files
Save volatile data
Three ways to save forensic data:
 Save to memory stick/floppy: [cmd] >> f:\logfile
 Use netcat: Below we send from hacked station to
  forensic station on port 1234
      (at forensic station:) nc -l -p 1234 > logfile
      (at hacked station:) [cmd] | nc 192.168.0.n 1234
     where: -l listen mode: accept incoming connection
 Use cryptcat: encrypted so no one can observe or
 modify netcat data.
Response Script Example
(From Incident Response & Computer Forensics, p. 114)
Filename: ir.bat
 time /t
 date /t
 psloggedon
 dir /t:a /o:d /a /s c:\
 dir /t:w /o:d /a /s c:\
 dir /t:c /o:d /a /s c:\
 netstat -an
 fport
 pslist
 nbtstat -c
 time /t
 date /t
 doskey /history

 dir /? indicates that
        /t: indicates whether last Accessed, last Written or Created date should be included
        /s: indicates that directories and subdirectories should be listed
        /a: indicates types of files
   ‘time /t’ and ‘date /t’ do not prompt for new times, dates
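As an added example, neither ir.bat itself nor anything from Mandia et al., here is a Unix shell counterpart to the response script above. It keeps the same order of concerns (clock, logged-on users, file access times, connections, processes, clock again), appends every command's output under a timestamped header to a single log, records rather than silently skips a missing utility, seals the log with a SHA-256 digest, and offers the netcat channel from the "Save volatile data" slide for shipping it off the machine. The TOOLKIT mount point and the COLLECTOR variable are assumptions, not anything the slides define.

```sh
#!/bin/sh
# Added example, not from the slides or from Mandia et al.: a POSIX-shell
# counterpart of ir.bat for a Unix host. It runs the volatile-data commands in
# a fixed order, brackets each with a timestamp, writes everything to one log,
# and seals the log with a SHA-256 digest. TOOLKIT is a constructed path for
# the read-only media holding trusted copies of the utilities.
set -u

# Assumed mount point of the trusted toolkit; putting it first in PATH is the
# "use commands off read-only CD" rule from the slides in practice.
TOOLKIT=${TOOLKIT:-/mnt/irtools/bin}
PATH="$TOOLKIT:$PATH"

# run_step LOG LABEL CMD [ARGS...] -> runs CMD and appends its output under a
# timestamped header. A missing command is recorded, never silently skipped:
# the gap itself documents what the toolkit lacked at collection time.
run_step() {
    log=$1; label=$2; shift 2
    printf '\n===== %s [%s] =====\n' "$label" "$(date -u +%H:%M:%SZ)" >> "$log"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$log" 2>&1 || printf '[exit status %s]\n' "$?" >> "$log"
    else
        printf '[skipped: %s not in PATH]\n' "$1" >> "$log"
    fi
}

# collect_volatile LOG -> same order of concerns as ir.bat: clock, logged-in
# users, file access times, connections, processes, clock again.
# Prints the SHA-256 digest of the finished log so it can be sealed.
collect_volatile() {
    log=$1
    : > "$log"
    printf 'volatile collection start %s host=%s collector=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "${COLLECTOR:-unset}" >> "$log"
    run_step "$log" "system date/time"          date
    run_step "$log" "kernel and host"           uname -a
    run_step "$log" "logged-in users"           who
    run_step "$log" "recently accessed files"   ls -lut /tmp
    run_step "$log" "network connections"       netstat -an
    run_step "$log" "sockets (ss, if present)"  ss -tanp
    run_step "$log" "running processes"         ps -ef
    printf '\nvolatile collection end %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
    sha256sum "$log" | cut -d' ' -f1
}

# ship_log LOG HOST PORT -> streams the log to the forensic station over the
# netcat channel from the slides (listener side: nc -l -p PORT > logfile).
ship_log() {
    nc "$2" "$3" < "$1"
}

# Demonstration: collect into a temporary file. A real run writes to removable
# media or straight into ship_log, never onto the compromised system's disk.
out=$(mktemp)
printf 'log=%s sha256=%s\n' "$out" "$(collect_volatile "$out")"
```

Two details carry the evidentiary weight: the start and end timestamps bracket exactly what the collector saw and when (the "time /t" and "date /t" pairs in ir.bat do the same), and the digest printed at the end is what the witness records before the log leaves the machine, so any later edit to it is detectable. The netcat variant sends the log in the clear; as the slides note, cryptcat is the drop-in replacement when the network between the two stations cannot be trusted.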
 Must detect incidents
 Have an established incident response procedure
 Save off volatile data first
 Do not rely on utilities on the compromised machine
 Legal proceedings require Authenticity & Continuity
  (chain of custody)
 Improve incident response procedure after test or
