Incident Response by ESh0i12Z


Incident Response
Objectives:
The student should be able to:
 Define the four steps that must be completed in advance of an
  incident (Step 0).
 Describe the purpose of an incident response procedure and
  what the procedure should include.
 Describe the information that must be collected when a
  penetration has occurred: if computer is up; when computer is
  down; other evidence.
 Describe important guidelines for collecting this information
  concerning chain of custody and authenticity.
 Find information about a penetration using the PsTools and
  other tools: pslist, fport, listDLLs, netstat, netcat, psLoggedOn.
  (Lab only)
How should a Sys Admin react?
You are a system administrator and an incident occurs.
  Should you:
 Go offline?
 Block hacker at firewall?
 Disable certain services?
 Bring down machine/server?
 Bring down the internal network?
 Let the intruder proceed, in order to collect evidence?
 Your actions can have financial impact on the
  corporation.
When an Incident Occurs…?
How would these decisions differ if business pertained
  to:
 Credit card / Banking?
 Network services?
 Medical prescriptions?
 WWW Search Engine?
The CEO must determine the priorities for incident
  response.
Incident Response Procedure
 A clear procedure defines what should happen when
  an intrusion is suspected
 Define expected responses to different types of
  intrusions
 Decide early because time will be limited during an
  attack
Incident Response Plan
Contents
   Preincident readiness
   How to declare a disaster
   Evacuation procedures
   Identifying persons responsible, contact information
     IRT, S/W-H/W vendors, insurance, recovery facilities, suppliers,
      offsite media, human relations, law enforcement (for serious
      security threat)
 Step-by-step procedures
 Required resources for recovery & continued operations
Step 0: Plan for Incident Response
 Establish Detection Procedures (produces: Tools, Detection Procedures)
 Create Incident Response Team (produces: Contact List)
 Define & Publish Policies (produces: Incident Response Procedures)
 Perform Training/Rehearsal
   Establish Detection Procedures
               (Step 0)
 SNMP-based monitoring: polls availability, response times, etc. and
  notifies the administrator
 IDS/IPS: Monitors for attacks and notifies the
  administrator
 Logs from all devices must be time-synchronized (NTP),
  monitored and audited, or events cannot be correlated across hosts
 After a break-in, administrators wish they had had
  stronger logging
  Create Incident Response Team
              (Step 0)
 An incident response team can help to decide the
  Incident Response procedures and make decisions
  during an incident response.
 Should include:
   Security Team: Detect, control attack.
   Upper management: Be responsible for making
    decisions on major break-ins.
   Human Resources: Deal with an attack from employees.
   Technical Staff (MIS): Bring systems back in order.
   Outside Members: Contact law enforcement, affected
    customers, ISP.
      Define and Publish Policies
               (Step 0)
 Policies are defined and publicized as to what is and is
  not allowed
 System banners indicate who/what is allowed on the
  system
     Perform Training/Rehearsal
              (Step 0)
 Each person should be trained in what they need to
  do.
 Carry out a drill.
 Attacks succeed because companies are unprepared.
Responding to Incident
 Detect Incident (uses: Tools, Detection Procedures)
 Respond to incident (uses: Contact List, Incident Response Procedures)
 Recovery & Resume (uses: Incident Response Procedures)
 Review & Implement (feeds back into: Tools, Detection Procedures, Contact List)
Step 1: Incident Response and Containment
 What types of attacks warrant which reactions?
 How do we gather information on the attack? (Next
    section)
   To whom should attacks be reported?
   Do you inform police or FBI?
   Can ISP help with log info and attack filtering?
   Should vendors/customers be notified?
   Shall the intrusion be hidden from the press?
   FBI has a webpage for reporting crime at:
    www.usdoj.gov/criminal/cybercrime/reporting.html
Step 2: Recovery and Resumption
 Rebuild the affected system from known-good media (the old
  system can be hiding a rootkit)
 Lock down the system
    Apply patches
    Remove or disable software and services that are not needed
    Set a secure configuration
Step 3: Review & Implement
 Could we have detected intrusion faster?
 What losses did we sustain overall?
 What did the hacker attempt to do and accomplish?
 Why did the vulnerability occur?
 Have we eliminated the vulnerability on this and other
  machines?
 Could we have reacted in a quicker or more effective way?
 How can we improve our legal case against the next
  intruder?
 What changes should we make to our policies and
  procedures?
Example: You receive an email indicating your network was part of an attack
 May be a valid accusation
 May be a mistake
 May be a ruse

So you investigate:
 Your site may have been hacked.
 An internal employee may be hacking outside.

If you reply to email indicating a break-in you may:
 Provide your email address and confirm an IP address
 Indicate your readiness level: “We don’t have logs on that particular
   intrusion”
 May fall for ‘social engineering spam’ (e.g., company selling IDS
   products).
A break-in has occurred…
 Get all information without changing any possible
  evidence
 Consider the totality of the circumstances via
  investigation
 React according to the type of break-in
Document & Witness…
Procedure must be professional, documented in order to
 Collect evidence against individual
 Protect organization
 For legal reasons, you need to document your actions in a form and
  have a witness to all.
 It is very difficult to prosecute a crime – have a law enforcement
  professional with you
    Certain tools are regarded as ‘professional’
Computer Crime Investigation
 Call police or the incident response team
 Take photos of the system and surrounding area
 Copy memory, processes, files, connections in progress (before power down)
 Power down
 Copy disk
 Preserve the original system in locked storage with minimum access
 Analyze the copied images, never the original
Evidence must be unaltered and the chain of custody professionally maintained.
Four considerations:
 Identify evidence
 Preserve evidence
 Analyze a copy of the evidence
 Present evidence
Computer Forensics
 Did a crime occur?
 If so, what occurred?

Evidence must pass tests for:
 Authenticity: Evidence is a true and faithful copy
  of the crime scene
   Computer Forensics does not destroy or alter the
    evidence
 Continuity: “Chain of custody” assures that the
  evidence is intact.
Chain of Custody
Timeline of who did what to the evidence, and when (a witness is required at each step):
   10:53 AM     Attack observed                                   Jan K
   11:04        Incident Response team arrives
   11:05-11:44  System copied (while still running)               PKB & RFT
   11:15        System brought offline                            RFT
   11:45        System powered down                               PKB & RFT
   11:47-1:05   Disk copied                                       RFT & PKB
   1:15         System locked in static-free bag in storage room  RFT & PKB
Preparing Evidence
Work with police to AVOID:
 Contaminating the evidence
 Voiding the chain of custody
    Evidence must not be impure or tainted
    Written documentation lists the chain of custody: locations, persons in
     contact, time & place
 Infringing on the rights of the suspect
    Warrant required unless…
    Company permission given; in plain sight; communicated to a third
     party; evidence in danger of being destroyed; or normal part of an
     arrest; ...
Computer Forensics
The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding
Creating a Forensic Copy
Original -> Mirror Image, with these controls:
 1) Calculate message digest of the original before the copy
 2) Accuracy feature: the tool is accepted as accurate by the scientific
    community (e.g., CoreRESTORE, Forensic Replicator, FRED)
 3) Forensically sterile target: wipe existing data and record the sterility
 4) One-way copy: the tool cannot modify the original
 5) Bit-by-bit copy: a mirror image, not a file copy
 6) Calculate message digest of the original after the copy (must equal step 1)
 7) Calculate message digest of the copy to validate its correctness (must
    equal the original's)
When a break-in is noticed, with a witness…
 Before logoff/power down, save volatile information
 Use trusted binaries from read-only media (CD, write-protected
    floppy) rather than the commands on the suspect machine, which a
    rootkit may have replaced
    Do not alter the system in any way
    Save data to the network or a removable USB drive (fast, large
     storage), never to the suspect machine's own disk, where it would
     overwrite unallocated space
    Collect information and label it: case number, time, date,
     data collector, data analyzer
    Seal and lock up the evidence. Track any access to sealed
     data
    Take pictures of the system from all sides
Collected information includes…
Volatile information:
 System memory: Unix /dev/mem or /dev/kmem (modern Linux kernels
  restrict /dev/mem and have removed /dev/kmem, so use a dedicated
  memory-acquisition tool)
 Currently running processes
 Logged in users
 Network connections: Recent connections and open
  applications/sockets
 Currently open files: File system time & date stamps
 System date & time
After computer is turned off…
 A reboot will change the disk contents (journal replay, temp files,
  log writes). Do not reboot!
 Make a forensic backup = system image = bit-stream
  backup
 Copy every bit of the disk, including unallocated and slack space,
  not just the files the file system shows!
 Example tools include:
    Intelligent Computer Solutions: Image MASSter
    EnCase (www.guidancesoftware.com)
    SafeBack (www.forensics-intl.com/safeback.html)
    Unix dd command
 Compute the hash value of the disk and of the backup, and confirm
  they match
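The imaging controls listed under Creating a Forensic Copy and the who/what/when records of the Chain of Custody timeline above, as an added POSIX shell example that is not part of the original slides or of the book they cite. It uses the slides' own Unix dd command; the case number, collector initials, file paths and the custody-log layout are assumptions for the demo, and SHA-256 stands in for the MD5 the slides mention because MD5 collisions can be manufactured.

```shell
#!/bin/sh
# Added example, not from the slides: image a "disk" with dd, hash the
# original before and after, hash the image, and write a chain-of-custody
# record for every step. Case number, initials, paths and the log format
# are assumptions for the demo. SHA-256 replaces the MD5 the slides mention.
set -eu

CASE="CASE-0001"                          # assumed case number
ACTOR="RFT"                               # assumed collector (initials as on the timeline)
CUSTODY_LOG="${CUSTODY_LOG:-custody.log}" # one line per handling step

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Append one custody record: when | case | who | action | object | SHA-256.
custody_log() {
    printf '%s|%s|%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$CASE" "$ACTOR" "$1" "$2" "$(sha256_of "$2")" >> "$CUSTODY_LOG"
}

# Constructed sample "disk": 1 MiB of random bytes in a plain file. A real
# acquisition reads the block device (e.g. /dev/sdb) behind a write blocker.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Steps 1-7 of "Creating a Forensic Copy": digest before, one-way bit copy,
# digest after, digest of the copy. Prints the verified image hash.
acquire_image() {
    src="$1"; img="$2"
    before=$(sha256_of "$src")                 # 1) digest of original
    custody_log "hash-before-copy" "$src"
    # 4)+5) dd only reads $src and copies every block. conv=noerror,sync
    # keeps going past unreadable sectors and zero-fills them; bs must
    # divide the device size (512 always does for a disk) or the final
    # block is padded and the image hash will not equal the original's.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    chmod a-w "$img"                           # image is never written again
    after=$(sha256_of "$src")                  # 6) original unchanged?
    copy=$(sha256_of "$img")                   # 7) copy correct?
    custody_log "hash-after-copy" "$src"
    custody_log "image-created" "$img"
    if [ "$before" != "$after" ]; then
        echo "ORIGINAL CHANGED DURING COPY: $src" >&2; return 1
    fi
    if [ "$before" != "$copy" ]; then
        echo "IMAGE DOES NOT MATCH ORIGINAL: $img" >&2; return 1
    fi
    echo "$copy"
}

# Before analysis or at each handover: recompute the object's hash and
# compare it with the most recent custody record for that object.
verify_custody() {
    recorded=$(grep -F "|$1|" "$CUSTODY_LOG" | tail -n 1 | cut -d'|' -f6)
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256_of "$1")" ]
}

# Demo on temporary files (constructed input).
work=$(mktemp -d)
CUSTODY_LOG="$work/custody.log"
make_sample_disk "$work/suspect.dd"
acquire_image "$work/suspect.dd" "$work/suspect.img"
if verify_custody "$work/suspect.img"; then echo "custody verified"; fi
cat "$CUSTODY_LOG"
```

Run it as-is to image the constructed sample file; on a real case, point acquire_image at the device behind a write blocker and write both the image and the custody log to your own media, never to the suspect disk. A failed verify_custody at any later handover means the object was touched after its last record and the chain is broken.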
Useful information to collect…
 Photos of computer, surroundings, display (if on),
  back panel plugs, etc.
 IDS, Firewall, and System logs
 Employees web pages, emails, internet activities
 Employees access of files (created/modified/viewed)
 Local peripheral paraphernalia (CDs, floppies, papers)
 Better to collect too much than too little
              Forensic Toolkit
 Maintain a CD or two floppy disks (write-protected)
  with forensic utilities (Abbreviated from Incident
  Response & Computer Forensics, Mandia, Prosise,
  Pepe, McGraw Hill, pp. 87-88)
 Avoid stored utilities on the potentially-compromised
  computer
                  Forensic Utilities
 cmd.exe: Command prompt for Windows NT/2000 (a trusted copy from the
  toolkit; the one on the suspect machine may be trojaned)
 PsLoggedOn: Shows all connected users, local & remote
    (Sysinternals PsTools, now distributed by Microsoft)
    Rasusers: Lists the users with remote-access privileges on the
     system (NT Resource Kit)
    Netstat: Lists all listening ports and all current connections on
     the ports
    Fport: Lists all processes that opened any TCP or UDP ports and the
     executable path (www.foundstone.com)
    PsList: Enumerates all running processes
     (Sysinternals)
    ListDLLs: Lists all running processes, their command-line
     arguments, and the DLLs they have loaded
     (Sysinternals)
            Forensic Utilities (2)
 Nbtstat: -c lists the NetBIOS name cache; entries expire after
    about 10 minutes, so it shows recent NetBIOS peers
    Arp: -a lists the ARP cache, i.e. the IP-to-MAC mappings of hosts the
     system has communicated with in the last few minutes
    Kill: Terminates a process (NTRK)
    Md5sum: Creates MD5 hashes for a file (www.cygwin.com); MD5
     collisions can now be manufactured, so also record SHA-256 for any
     hash that must stand up in court
    Rmtshare: Displays the accessible shares (NTRK)
    Netcat: Creates a communication channel between two systems
     (www.atstake.com)
    Cryptcat: Creates an encrypted channel of
     communications (sourceforge.net)
               Forensic Utilities (3)
    PsLogList: Dumps the event logs (Sysinternals)
    PsKill: Kill a process (Sysinternals)
    Ipconfig: Display interface configuration
    PsInfo: Provide info about local system build (Sysinternals)
    PsService: Lists and controls installed services and their state (Sysinternals)
    Auditpol: Displays security audit settings (NTRK)
    Doskey: displays command history for an open cmd.exe shell (doskey /history)
    AFind: Provides file access times (www.foundstone.com)
    Pasco: Most recent websites accessed, parsed from the browser's index.dat (www.foundstone.com)
    EnCase: List files whose extensions do not match file type, by comparing each
     file's signature bytes with its extension (e.g., a JPEG named .doc)
    Sfind: Show hidden or alternate data stream files
     (www.foundstone.com)
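The extension-versus-signature check attributed to EnCase above, as an added POSIX shell example that is not from the slides or from EnCase: it compares each file's leading bytes with the signature its extension implies and reports every file that does not match. The signature table is a small, assumed subset, and the sample files are constructed headers, not real documents.

```shell
#!/bin/sh
# Added example, not from the slides: the file-signature ("magic number")
# check that EnCase performs, as POSIX shell functions. The signature table
# is a small assumed subset; extend it for the file types in your case.
set -eu

# First 8 bytes of a file as lowercase hex, e.g. "ffd8ffe000104a46".
magic_hex() {
    dd if="$1" bs=8 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Expected signature prefix (hex) for an extension; empty if not in the table.
expected_magic() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        jpg|jpeg)            echo ffd8ff ;;            # JPEG SOI marker
        png)                 echo 89504e470d0a1a0a ;;  # "\x89PNG\r\n\x1a\n"
        gif)                 echo 47494638 ;;          # "GIF8"
        pdf)                 echo 25504446 ;;          # "%PDF"
        zip|docx|xlsx|pptx)  echo 504b0304 ;;          # "PK\003\004"
        doc|xls|ppt)         echo d0cf11e0a1b11ae1 ;;  # OLE compound file
        exe|dll)             echo 4d5a ;;              # "MZ"
        *)                   echo "" ;;
    esac
}

# Compare one file's header with what its extension promises. Prints
# "match", "mismatch" or "unknown-extension"; returns 1 only on a mismatch.
check_signature() {
    f="$1"; base="${f##*/}"; ext="${base##*.}"
    if [ "$ext" = "$base" ]; then ext=""; fi         # no dot: no extension
    want=$(expected_magic "$ext")
    if [ -z "$want" ]; then echo "unknown-extension $f"; return 0; fi
    have=$(magic_hex "$f")
    case "$have" in
        "$want"*) echo "match $f"; return 0 ;;
        *) echo "mismatch $f (ext .$ext, header ${have:-empty})"; return 1 ;;
    esac
}

# Report on every regular file under a directory (one line per file).
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        check_signature "$f" || true            # keep going after a mismatch
    done
}

# Number of mismatches under a directory, for triage summaries.
count_mismatches() {
    scan_tree "$1" | { grep -c '^mismatch' || true; }
}

# Constructed sample files (headers only, not real documents).
demo=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$demo/report.doc"   # JPEG bytes named .doc
printf '\211PNG\r\n\032\n'   > "$demo/photo.png"     # genuine PNG header
printf 'PK\003\004rest'      > "$demo/invoice.pdf"   # ZIP bytes named .pdf
scan_tree "$demo"
echo "mismatches: $(count_mismatches "$demo")"
```

Point scan_tree at a mounted read-only copy of the image, never at the original; a mismatch is a lead, not proof, since renaming is also what ordinary users do by accident.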
Save volatile data
Three ways to save forensic data:
 Save to memory stick/floppy: [cmd] >> f:\logfile
 Use netcat: Below we send from the hacked station to the
  forensic station on port 1234
      (at forensic station:) nc -l -p 1234 > logfile
      (at hacked station:) [cmd] | nc 192.168.0.n 1234
      where: -l listen mode: accept an incoming connection; -p the local
      port to listen on (original/GNU netcat syntax; OpenBSD netcat takes
      the port directly: nc -l 1234)
      Netcat gives no confidentiality or integrity: hash the received
      logfile on the forensic station as soon as the transfer ends and
      record the hash with the case data
 Use cryptcat: encrypted so no one can observe or
  modify netcat data.
Response Script Example
(From Incident Response & Computer Forensics, p. 114)
Filename: ir.bat (run every tool from the trusted toolkit; append the output
to a logfile on removable media or pipe it to netcat as shown above)
   rem start of collection, then the most volatile data first
   time /t
   date /t
   psloggedon
   rem file system timestamps: access, write, create
   dir /t:a /o:d /a /s c:\
   dir /t:w /o:d /a /s c:\
   dir /t:c /o:d /a /s c:\
   rem network state and process list
   netstat -an
   fport
   pslist
   nbtstat -c
   rem end of collection, then the responder's own command history
   time /t
   date /t
   doskey /history

where:
 dir /? indicates that
        /t: selects which time stamp is shown and sorted on: A last Accessed, W last Written, C Created
        /o:d sorts by date/time, oldest first
        /s lists files in the directory and all subdirectories
        /a lists files with the given attributes; with no attribute letters, all files, including hidden and system files
    'time /t' and 'date /t' display the time and date without prompting for new values, so the start and end of the collection are recorded
                      Summary
 Must detect incidents
 Have an established incident response procedure
 Save off volatile data first
 Do not rely on utilities on the compromised machine
 Legal proceedings require Authenticity & Continuity
  (chain of custody)
 Improve incident response procedure after test or
  usage