Incident Response and Analysis

Eoghan Casey
Title V Collaborative Grant
2nd Annual Meeting: April 23, 2003
Minor Incidents
   Network intrusion
       organizational disruption
   Computer intrusion
       credit card storage
   FBI requests information about hack
       keep records to protect yourself
   Important Web servers compromised
       medical and proprietary data
   Trojans on Windows 98 (IRC / DDoS)
       weakly protected network shares
       unpatched IIS systems
Trojans: The Good, Bad, and Ugly
Case Example

Password Theft
 Every day
 Haha!

 Lost and found
Example (Password Theft)

   Individual’s password was repeatedly stolen
       every day he would change his password
       every day intruder had the new password
       was our primary server compromised?
       no, our server appeared to be intact
   Reconstruction of victim’s activities
       victim only used his work system
       monitored traffic to and from this system
       nothing unusual
Password Theft (cont)

   Individual’s password was still being stolen
       second interview: victim also used home PC
       “but nobody else uses my home PC”
   Monitor traffic when victim dials in
       capture traffic for his dial-up account (not all)
       tacacs-action and tcpdump
       carnivore with RADIUS trigger
Password Theft (haha!)
Network traffic showed connection from UK dial-up to home PC

09:24 userbf38.aol.uk.uudial.com.1391 > dialup03.corpX.com.1982
 0000: 4500 002f 9fd9 4000 7406 a606 3e7d 0c2f E../..@.t...>}./
 0010: 8284 f3b8 056f 07be 0340 c236 0003 ef1b .....o...@.6....
 0020: 5018 2395 b25c 0000 5057 4468 6168 61 P.#..\..PWDhaha

09:24 dialup03.corpX.com.1982 > userbf38.aol.uk.uudial.com.1391
 0000: 4500 006d d800 4000 7e06 63a1 8284 f3b8 E..m..@.~.c.....
 0010: 3e7d 0c2f 07be 056f 0003 ef1b 0340 c23d >}./...o.....@.=
 0020: 5018 2179 6089 0000 636f 6e6e 6563 7465 P.!y`...connecte
 0030: 642e 2030 393a                 d. 09:
Password Theft (server side)
   Network traffic showed connection from UK to our main server

09:25 server.corpX.com.telnet > userbf38.aol.uk.uudial.com.2231
 0000: 4510 0034 f6e2 4000 fe06 28a8 8284 8ff8 E..4..@...(.....
 0010: 3e7d 0c2f 0017 08b7 3d2d f4d9 06bf f9fb >}./....=-......
 0020: 5018 faf0 2744 0000 0d0a 5061 7373 776f P...'D....Passwo
 0030: 7264 3a20                     rd:

   Corresponding login on server:
user   pts/41   userbf38.aol.uk. Wed Jun 14 09:21 - 09:21 (00:00)

   Note: server was approximately 5 minutes behind sniffer
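Decoding those dumps by hand is how the analyst read off PWDhaha and the Password: prompt; the added example below (not part of the presentation) does the same mechanically: it rebuilds each packet from the hex columns, parses the IPv4 and TCP headers, and checks that the home PC's reply acknowledges exactly the seven payload bytes, which confirms the two dumps belong to one TCP session. The dumps are copied from the slides; the function names are my own.

```python
"""Decode the tcpdump hex/ASCII dumps from the password-theft slides.

Added helpers; the three dumps themselves are copied from the slides."""
import struct
from typing import Dict

UK_TO_HOME_PC = r"""
 0000: 4500 002f 9fd9 4000 7406 a606 3e7d 0c2f E../..@.t...>}./
 0010: 8284 f3b8 056f 07be 0340 c236 0003 ef1b .....o...@.6....
 0020: 5018 2395 b25c 0000 5057 4468 6168 61 P.#..\..PWDhaha
"""
HOME_PC_TO_UK = r"""
 0000: 4500 006d d800 4000 7e06 63a1 8284 f3b8 E..m..@.~.c.....
 0010: 3e7d 0c2f 07be 056f 0003 ef1b 0340 c23d >}./...o.....@.=
 0020: 5018 2179 6089 0000 636f 6e6e 6563 7465 P.!y`...connecte
 0030: 642e 2030 393a                 d. 09:
"""
SERVER_TO_UK = r"""
 0000: 4510 0034 f6e2 4000 fe06 28a8 8284 8ff8 E..4..@...(.....
 0010: 3e7d 0c2f 0017 08b7 3d2d f4d9 06bf f9fb >}./....=-......
 0020: 5018 faf0 2744 0000 0d0a 5061 7373 776f P...'D....Passwo
 0030: 7264 3a20                     rd:
"""
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset: xxxx xxxx ... ascii' lines.

    Only the first eight tokens of 2 or 4 hex digits on a line count, so the
    trailing ASCII column is never mistaken for packet data."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")          # drop the offset prefix
        for tok in rest.split()[:8]:
            if len(tok) not in (2, 4) or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break                             # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def decode(dump: str) -> Dict[str, object]:
    """Parse the IPv4 and TCP headers and return the fields an analyst reads off."""
    pkt = hexdump_to_bytes(dump)
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4                       # IP header length in bytes
    sport, dport, seq, ack, off, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    data_start = ihl + (off >> 4) * 4             # TCP data offset is the high nibble
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "proto": proto, "total_len": total_len, "captured": len(pkt),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        # slice to total_len so trailing padding is dropped; a short capture just yields less
        "payload": pkt[data_start:total_len],
    }

def reply_acks_request(request: Dict[str, object], reply: Dict[str, object]) -> bool:
    """True when the reply's ACK covers exactly the request's payload on the reversed port pair."""
    return (reply["ack"] == request["seq"] + len(request["payload"])
            and (reply["sport"], reply["dport"]) == (request["dport"], request["sport"]))

if __name__ == "__main__":
    for name, dump in [("UK->home PC", UK_TO_HOME_PC), ("home PC->UK", HOME_PC_TO_UK), ("server->UK", SERVER_TO_UK)]:
        p = decode(dump)
        print(f"{name}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['flags']} payload={p['payload']!r}")
```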
Major Incidents
   Cyberstalking/harassment
   Child pornography
   Server compromise
       thousands of passwords had to be changed
       lesson: prevention is better than cure
   Web server compromise
       vulnerable CGI from consultants
       lesson: Tripwire makes recovery easier
   Network compromise
       40+ Unix machines, hundreds of passwords
       disruption of operations
       lesson: this presentation
IR Overview

Applying Forensic Science to Computers
Forensic Science Overview

   Science exercised on behalf of the law
       A forensic science is defined by use in court
   Locard’s exchange principle
   Locate / identify evidence
   Collection, documentation & preservation
       everything that you will need in two years
   Crime reconstruction (forensic analysis)
       when, where, how, what, who, why
       reproducible & free from bias/distortion
   Report / present
Incident Response Process
1.    Initial observation, report, or question
2.    What do others know, who is involved
3.    Assessment of severity and worth
4.    Physical assessment
5.    Preserve Data on Target Systems
6.    Network Assessment
7.    LAN/WAN Assessment
8.    Preserve related evidence on network
9.    Develop response/investigative strategy
10.   Crime analysis
11.   Conclusions and reports
Lessons in Discretion

   Do not use unencrypted e-mail
   Involve attorneys, HR, public relations early
   Ask individuals to be discreet
       if an insider is involved, he/she may cover tracks on learning that an investigation is underway
       false accusations can cause damage if rumors spread (rumors are difficult to remedy)
       disclosure of information to the media may cause more damage than the incident itself
Chain of Custody

 Who collected & handled the evidence
 Fewer people handling the evidence
  => Fewer people testify
 Standard forms & procedures
  => Consistency
Collection & Preservation

   Acquire evidence
       calculate MD5 checksum of evidence
       digitally sign evidence (MD5, time & person)
   Documentation
       acquisition & verification process
       who, where, how, when, and sometimes why
   Lock original in safe
       alternately use a custodian
Message Digests

   128-bit “fingerprint”
       16 hexadecimal values
   Two messages with same digest
       Computationally infeasible
 Search disk for file with same MD5
 md5sum netstat.exe
    => 447282012156d360a862b30c7dd2cf3d
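As an added example of the collection procedure above (not the presentation's code), the script below fingerprints an evidence file in chunks, records the digests together with the collector and acquisition time, and verifies a copy against that record. MD5 is kept because the slides use it, but MD5 collisions have been practical for years, so SHA-256 is recorded alongside it; the file names, collector name and evidence bytes are constructed.

```python
"""Acquisition record: fingerprint the evidence, note who/when, verify copies.

Added example, not from the presentation. MD5 is kept because the slides use
it, but MD5 collisions are practical today, so SHA-256 is recorded alongside."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict

ALGORITHMS = ("md5", "sha256")

def fingerprint(path: str) -> Dict[str, str]:
    """Hash a file in 1 MiB chunks so a disk image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquisition_record(path: str, collector: str, when: datetime) -> Dict[str, object]:
    """The slides' 'digital signature': digests plus time and person, ready to log."""
    return {"file": os.path.basename(path), "size": os.path.getsize(path),
            "collector": collector, "acquired": when.astimezone(timezone.utc).isoformat(),
            **fingerprint(path)}

def verify_copy(record: Dict[str, object], copy_path: str) -> bool:
    """Copy = original only if the size and every recorded digest match."""
    if os.path.getsize(copy_path) != record["size"]:
        return False
    got = fingerprint(copy_path)
    return all(got[name] == record[name] for name in ALGORITHMS)

def demo():
    """Constructed evidence: a faithful copy verifies, a one-byte change does not."""
    with tempfile.TemporaryDirectory() as work:
        image = b"constructed evidence image\n" * 4096     # stand-in for a disk image
        paths = {n: os.path.join(work, n) for n in ("hda.img", "hda.copy", "hda.bad")}
        for name, data in (("hda.img", image), ("hda.copy", image), ("hda.bad", b"C" + image[1:])):
            with open(paths[name], "wb") as fh:
                fh.write(data)
        record = acquisition_record(paths["hda.img"], "examiner (placeholder)",
                                    datetime(2003, 4, 23, 9, 0, tzinfo=timezone.utc))
        return record, verify_copy(record, paths["hda.copy"]), verify_copy(record, paths["hda.bad"])

if __name__ == "__main__":
    rec, good, bad = demo()
    print(rec, "copy ok:", good, "tampered ok:", bad)
```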
What to Collect?

   The original disk
   An exact copy of the original disk
   Log files from the disk (e.g. UNIX wtmp)
   Interpreted logs (output of last)
       Information lost in summarization
   Relevant portions of interpreted logs
       Output of last username
       May miss some relevant entries
   Written notes describing command output

The approach depends on the circumstances
Documentation

   Expense and time logs
       dates and times working on incidents,
        including time to recover systems
       helps calculate cost of damage
   Incident response actions taken and when
       telephone conversations
       helps explain incident response years later
   Employees questioned and involved
       everyone involved may be required to testify
   Evidence inventory
       helps locate evidence later
Case Example: Floppy

   Floppy found in desk drawer
   Collected by IT staff
       No authorization
         • Not clear if search was legal
       Process not documented
         • Not clear who found disk
       Disk not labeled
         • Not clear which disk among several disks
   Hot potato – drop it!
       High risk of counter suit
IR Procedures

Practical and Technical Considerations
Responding to Minor Incidents
   Confirm report & assess damage
       port scanning is not sufficient
   Protect target from further attack
   Collect/preserve most volatile evidence first
       change as little as possible
   Document everything
       pay special attention to system clock offsets
   Analyze/reconstruct events
       avoid a priori investigative bias
       locate collateral victims from sniffer logs
       conduct advanced analysis if necessary
   Do not assume that this is an isolated incident
Demonstrate Tools for Live NT Evidence Gathering
Recall W2K DC & consider evidence destination
 Trusted shell and system binaries

 Processes
       who is connected to the machine
       what ports are open (fport, netstat -ano)
   Registry (machine and users)
   Logs
       auditpol, ntlast, dumpevt, application logs
   File contents and MAC times
   First Responder's Evidence Disk (FRED)
Exercise

SubSeven/IRC/DoS Network
What do you do?
 SubSeven found on three machines
 Netstat shows connections to IRC

 DoS tools present
Challenge: Concealment

   Deleted binary
       Copy in /proc/pid/file
       icat /dev/hda inode > recovered
   Log deletion or wiping
       wzap clears wtmp entries
   Altering file attributes
   Hidden files/Alternate Data Streams
       hfind.exe (Foundstone)
       Device files in Recycle Bin
   Rootkits/Loadable Kernel Modules (Knark)
   Encryption
Rootkits

   Creates backdoors
   Replace system components to hide:
       files
       processes
       promiscuous mode
       network connections
   Often includes tools
       Sniffers
       Log wiping utilities
       Patches
Freeze!

Preserve the evidence
Evidence Processing Tools
 Linux as a forensic platform
 The Coroner’s Toolkit / TASK

 SMART

 Maresware

 NTI

 EnCase

 AccessData
Server Logs

Associating Online Activity with Logs
 Server logs
 E-mail server logs

 Web server logs
      Internet activity -> data

Internet activity   Logs               Active
PPP Dial-up         TACACS/RADIUS      Terminal Server
Router/Firewall     Syslog/Netflow     show conns
Host logon          wtmp/NT Eventlog   utmp/nbtstat -c
Web server          access/error       netstat -an
E-mail server       messages/syslog    spool
FTP server          xferlog            netstat -an
IRC                 server/bot logs    netstat -an
Wireless            device logs        device query
Mobile phone        transactions       location/conversations
Case Example

Harassment Complaint
 Complaint
 Unauthorized e-mail access

 Suspect pool

 Process accounting

 Bash history
Harassment (janesmith)

 Make sure logs are consistent

  mailserver# grep 'Login user=janesmith' syslog*
  syslog:Sep 24 17:11:40 mailserver ipop3d[6466]: [ID 234311 mail.info] Login user=janesmith host=johnsmith.nasa.gov [192.168.135.156]

 What to look for next?
Harassment (continued)

   wtmp logs indicate that her e-mail account was accessed from server4.nasa.gov on Dec 9 at 13:14
emailserver# last janesmith
janesmith pts/114 server4.nasa.gov Sun Dec 9 13:14 - 13:19 (00:05)

   MAC times show that the .pinerc file was created on Dec 9, suggesting that this was the first time Pine was used to access e-mail in this account.
Harassment (continued)

   wtmp logs on server4.nasa.gov show that seven people were logged in on Dec 9 at 13:14

Note: clock on server4.nasa.gov was 4 minutes fast

server4% last
walterp pts/14 roosevelt.nasa.g Sun Dec 9 13:10 - 13:17 (00:07)
johnsmith pts/2 pc01.admin.nasa. Sun Dec 9 13:09 - 13:29 (00:10)
stephens pts/13 lincoln.nasa.com Sun Dec 9 13:01 - 16:16 (03:15)
hansmol pts/3 homepc.isp.com Fri Dec 7 14:14 - 10:53 (6+20:38)
ianjones pts/7 nasavpn-22.nasa. Fri Dec 7 08:39 - 01:23 (5+16:44)
Harassment (continued)
   RADIUS logs show suspect disconnected prior to offense

192.168.1.219,NASA\ianjones,12/07/2002,08:43:07,IAS,NTSERVER,5,7029,6,2,7,1,8,192.168.16.22,25,311 1 192.168.1.45 10/08/2001 19:38:34 22348,40,1,44,E0D03B6B,66,64.252.248.134,45,1,41,0,61,5,4108,192.168.1.219,4116,0,4128,NASA VPN,4136,4,4142,0

192.168.1.219,NASA\ianjones,12/07/2002,09:27:12,IAS,NTSERVER,5,7029,6,2,7,1,8,192.168.16.22,25,311 1 192.168.1.45 10/08/2001 19:38:34 22348,40,2,42,36793575,43,6837793,44,E0D03B6B,46,35619,47,417258,48,59388,49,1,66,64.252.248.134,45,1,41,0,61,5,4108,192.168.1.219,4116,0,4128,NASA VPN,4136,4,4142,0
Harassment (continued)

   However, server4.nasa.gov kept process accounting logs, and an examination of these logs shows only one SSH connection at the time in question. This indicates that another account (johnsmith) was used to connect to the complainant's e-mail account.
server4% lastcomm | grep ssh
ssh         S timsteel  ??   0.11 secs Sun Dec 9 10:24
ssh         S johnsmith ??   0.02 secs Sun Dec 9 13:10
ssh         S richevans ??   0.03 secs Sun Dec 9 12:10
Harassment (continued)

   Confirmed using bash history
server4# grep janesmith /home/johnsmith/.bash_history
ssh -l janesmith mailserver.ispX.com
Exercise

Solaris running sniffers
What do you do?
   External complaint about compromised host
   Internal report of another compromised host
   CERT team members examined machines
       confirmed reports & assessed damage
       determined source and method of attack
   Several RPC vulnerabilities exploited
   Stolen dial-up account used to launch attack
   Backdoors and sniffers installed on all hosts
Responding to Major Incidents
   Deploy incident response team
   Decide whether or not to collect volatile data
   Take systems offline for forensic analysis
       copy to sterilized media
       verify copy = original using checksums
   Probe and monitor network
       other systems may be compromised
       what about remote collection of evidence?
   Interview individuals
   Document everything
   Correlate data from multiple sources
   Communicate with legal counsel and police
Network Traffic

   Historical data
       Performance monitoring
       NetFlow & Argus
       IDS (may include full packet capture)
   Traffic capture
       Temporal considerations
       Preservation
       Reconstruction and analysis
       Tools
         • Dsniff, NetWitness, Sandstorm, Nixsun, SilentRunner
         • Many for Unix (e.g., ngrep, review)
Performance Monitoring

   Shows patterns on a device
     Spikes in traffic
     Loss of connectivity to a segment

   Multi Router Traffic Grapher (MRTG)
       www.mrtg.org
NetFlow and Snort Overview

   NetFlow
       flows represent unidirectional collection of
        similar packets
       NetFlow logs contain basic flow information
        (src, dst, times, size)
   Snort
       based on libpcap
       detects known attacks
       highly configurable
Using Snort and NetFlow
   Host logs may be overwritten
   Intrusion Detection System shows partial picture

[**] FTP-site-exec [**]
02/23-04:51:38.012306 192.168.164.88:2721 -> 192.168.168.2:21
TCP TTL:46 TOS:0x0 ID:20194 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x11A6920B Ack: 0xD567116C Win: 0x3EBC
TCP Options (3) => NOP NOP TS: 98258650 1405239787

   NetFlow logs show more complete picture

Start             End               Sif SrcIPaddress   SrcP DIf DstIPaddress  DstP P Fl Pkts Octets

0223.04:51:38.841 0223.04:51:48.685 2   192.168.164.88 2721 13  192.168.168.2 21   6 2  3    144
Netflow Losses

   Sequence numbers show gaps
% flow-header < ft-v05.2002-04-15.183000-0400
# mode:            normal
# capture hostname: flow
# exporter IP address: 130.132.1.100
# capture start:    Mon Apr 15 18:30:00 2002
# capture end:       Mon Apr 15 18:45:00 2002
# capture period:     900 seconds
# compress:          on
# byte order:       big
# stream version:     3
# export version:    5
# lost flows:       179520
# corrupt packets:    0
# sequencer resets: 1
# capture flows:     206760
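To turn that header into a number, here is an added example (not from the presentation) that parses the flow-header output shown above and computes the fraction of flows the collector missed, and parses the flow-print record from the previous slide to get the session's duration. The header and record text are the slides' own; the year 2002 for the record is an assumption, since flow-print prints none.

```python
"""Parse flow-tools output shown on the slides and quantify collector loss.

Added example, not part of the presentation; the header and record text are
the slides' own, the parsing and the loss arithmetic are mine."""
import re
from datetime import datetime
from typing import Dict

FLOW_HEADER = """\
# mode:            normal
# capture hostname: flow
# exporter IP address: 130.132.1.100
# capture start:    Mon Apr 15 18:30:00 2002
# capture end:       Mon Apr 15 18:45:00 2002
# capture period:     900 seconds
# compress:          on
# byte order:       big
# stream version:     3
# export version:    5
# lost flows:       179520
# corrupt packets:    0
# sequencer resets: 1
# capture flows:     206760
"""
# flow-print record for the FTP session Snort flagged (columns as on the slide)
FLOW_RECORD = "0223.04:51:38.841 0223.04:51:48.685 2 192.168.164.88 2721 13 192.168.168.2 21 6 2 3 144"
RECORD_FIELDS = ("start", "end", "sif", "src", "sport", "dif", "dst", "dport", "proto", "flags", "pkts", "octets")

def parse_flow_header(text: str) -> Dict[str, str]:
    """Turn '# key: value' lines into a dict; values may themselves contain colons."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"#\s*([^:]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def loss_report(fields: Dict[str, str]) -> Dict[str, float]:
    """Lost flows are inferred from sequence-number gaps; a sequencer reset hides
    further loss, so the fraction reported here is a floor, not an exact figure."""
    lost, captured = int(fields["lost flows"]), int(fields["capture flows"])
    return {"captured": captured, "lost": lost, "lost_fraction": lost / (lost + captured),
            "sequencer_resets": int(fields["sequencer resets"]),
            "corrupt_packets": int(fields["corrupt packets"])}

def parse_flow_record(line: str, year: int = 2002) -> Dict[str, object]:
    """Split a flow-print line into typed fields; the year is assumed because the format has none."""
    rec: Dict[str, object] = dict(zip(RECORD_FIELDS, line.split()))
    for key in ("start", "end"):
        rec[key] = datetime.strptime(f"{year}{rec[key]}", "%Y%m%d.%H:%M:%S.%f")
    for key in ("sport", "dport", "proto", "pkts", "octets"):
        rec[key] = int(rec[key])
    rec["duration_s"] = (rec["end"] - rec["start"]).total_seconds()
    return rec

if __name__ == "__main__":
    print(loss_report(parse_flow_header(FLOW_HEADER)))
    print(parse_flow_record(FLOW_RECORD))
```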
Reconstruction of Events

   Relational & Temporal Reconstruction
       Where and when
   Temporal Considerations
       Time zones
       Logs ordered by end time (e.g., NetFlow)
       Log entries out of sequence
       System clock offsets
   Introduction of Error
       Corrupt wtmpx
       Remote syslog
Relational Reconstruction

 Improve understanding of events
 Locate additional sources of evidence

 Example: Accounting server break-in
Log File Correlation

   Sort each source independently, then combine
       Correlate MAC times and LastWrite times of Registry keys with Eventlogs, PC modem & ISP logs
         05-15-2000   16:32:53.93   - Initializing modem.
         05-15-2000   16:32:53.93   - Send: AT
         05-15-2000   16:32:53.93   - Recv: AT
         05-15-2000   16:32:54.05   - Recv: OK
         05-15-2000   16:32:54.05   - Interpreted response: Ok
         05-15-2000   16:32:54.05   - Send: AT&FE0V1&C1&D2 S0=0 W1
         05-15-2000   16:32:54.07   - Recv: AT&FE0V1&C1&D2 S0=0 W1
         05-15-2000   16:32:54.19   - Recv: OK
         05-15-2000   16:32:54.19   - Interpreted response: Ok
         05-15-2000   16:32:54.20   - Send: ATS7=60S40=0L1M1\N7%C1&K3B0N1X3
         05-15-2000   16:32:54.22   - Recv: OK
         05-15-2000   16:32:54.22   - Interpreted response: Ok
         05-15-2000   16:32:54.26   - Dialing.
         05-15-2000   16:32:54.26   - Send: ATDT##########
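An added example (not the presentation's code) of the rule above, applied to the harassment case: each source is parsed on its own, each timestamp is shifted by its clock's known offset, and only then are the events merged. The log lines are the slides' own; it assumes the mailserver clock is the reference, that server4 runs 4 minutes fast as the slide notes, that the year is 2002 to match the RADIUS record, and that the RADIUS record is in Microsoft IAS format (six header fields, then attribute/value pairs).

```python
"""Build one timeline from several sources after correcting each clock offset.

Added example, not part of the presentation. The log lines are the slides' own
(harassment case); the mailserver clock is assumed to be the reference, server4
is 4 minutes fast as the slide notes, and the year 2002 is assumed."""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

YEAR = 2002  # last/lastcomm output carries no year (assumption)

class Event(NamedTuple):
    when: datetime      # corrected to the reference clock
    source: str
    what: str

def parse_last(line: str, year: int = YEAR) -> tuple:
    """'user tty host Ddd Mon D HH:MM - ...' -> (user, description, login time)."""
    user, _tty, host, _dow, mon, day, hhmm = re.match(
        r"(\S+)\s+(\S+)\s+(\S+)\s+(\w{3})\s+(\w{3})\s+(\d+)\s+(\d\d:\d\d)", line).groups()
    return user, f"login from {host}", datetime.strptime(f"{year} {mon} {day} {hhmm}", "%Y %b %d %H:%M")

def parse_lastcomm(line: str, year: int = YEAR) -> tuple:
    """'cmd F user tty secs Ddd Mon D HH:MM' -> (user, description, start time)."""
    cmd, user, mon, day, hhmm = re.match(
        r"(\S+)\s+\S\s+(\S+)\s+\S+\s+[\d.]+\s+secs\s+\w{3}\s+(\w{3})\s+(\d+)\s+(\d\d:\d\d)", line).groups()
    return user, f"ran {cmd}", datetime.strptime(f"{year} {mon} {day} {hhmm}", "%Y %b %d %H:%M")

def parse_ias(line: str) -> tuple:
    """IAS-format RADIUS accounting: six header fields, then attribute/value pairs.
    Attribute 40 is Acct-Status-Type (1 = Start, 2 = Stop)."""
    f = line.split(",")
    attrs = dict(zip(f[6::2], f[7::2]))
    status = {"1": "Start", "2": "Stop"}.get(attrs.get("40", ""), "other")
    return f[1], f"RADIUS {status}", datetime.strptime(f"{f[2]} {f[3]}", "%m/%d/%Y %H:%M:%S")

def build_timeline(entries: List[tuple], offsets: dict) -> List[Event]:
    """entries: (source, parser, line). offsets: how far each clock runs AHEAD of the reference."""
    events = []
    for source, parser, line in entries:
        who, detail, t = parser(line)
        events.append(Event(t - offsets.get(source, timedelta(0)), source, f"{who} {detail}"))
    return sorted(events)            # sort only after every source is on one clock

OFFSETS = {"server4": timedelta(minutes=4)}   # from the slide: server4 clock 4 minutes fast
ENTRIES = [
    ("mailserver", parse_last, "janesmith pts/114 server4.nasa.gov Sun Dec 9 13:14 - 13:19 (00:05)"),
    ("server4", parse_last, "johnsmith pts/2 pc01.admin.nasa. Sun Dec 9 13:09 - 13:29 (00:10)"),
    ("server4", parse_lastcomm, "ssh         S johnsmith ??       0.02 secs Sun Dec 9 13:10"),
    ("radius", parse_ias, r"192.168.1.219,NASA\ianjones,12/07/2002,09:27:12,IAS,NTSERVER,5,7029,6,2,7,1,"
     r"8,192.168.16.22,25,311 1 192.168.1.45 10/08/2001 19:38:34 22348,40,2,42,36793575,43,6837793,"
     r"44,E0D03B6B,46,35619,47,417258,48,59388,49,1,66,64.252.248.134,45,1,41,0,61,5,4108,192.168.1.219,"
     r"4116,0,4128,NASA VPN,4136,4,4142,0"),
]

def timeline() -> List[Event]:
    """The slide's four sources merged on the mailserver's clock."""
    return build_timeline(ENTRIES, OFFSETS)
```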
Time Pattern Analysis

        Mon   Tues   Wed   Thurs   Fri   Sat   Sun
8am
9am
10am                                     x
11am                                           x
12pm
1pm
2pm
3pm
4pm
5pm     x     x      x     x       x
6pm
7pm
x = event
Histograms

   Histogram of events over time
       High number of events at key times
   Histogram of time periods may show
    unusual gaps
     MAC times
     System log entries
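The grid on the Time Pattern Analysis slide and the gap histogram can both be produced from raw timestamps; the added example below (not from the presentation) bins events by weekday and hour, renders the same grid, and reports gaps between consecutive log entries longer than a threshold. The events and syslog timestamps are constructed to reproduce the slide's pattern.

```python
"""Weekday x hour grid and gap detection over event timestamps.

Added example, not part of the presentation; the events are constructed to
reproduce the slide's pattern (5pm on weekdays, late morning at the weekend)."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DAYS = ["Mon", "Tues", "Wed", "Thurs", "Fri", "Sat", "Sun"]

# Constructed: one week of logins for a suspect account (Dec 2, 2002 is a Monday)
EVENTS = [datetime(2002, 12, d, h) for d, h in
          [(2, 17), (3, 17), (4, 17), (5, 17), (6, 17), (7, 10), (8, 11)]]

def activity_grid(events: List[datetime]) -> Dict[Tuple[int, int], int]:
    """Count events per (weekday, hour); weekday 0 = Monday."""
    grid: Dict[Tuple[int, int], int] = {}
    for t in events:
        key = (t.weekday(), t.hour)
        grid[key] = grid.get(key, 0) + 1
    return grid

def render(grid: Dict[Tuple[int, int], int], first_hour: int = 8, last_hour: int = 19) -> str:
    """Render the grid the way the slide does: hours down, days across, one x per event."""
    lines = ["      " + "".join(f"{d:>7}" for d in DAYS)]
    for hour in range(first_hour, last_hour + 1):
        label = f"{hour % 12 or 12}{'am' if hour < 12 else 'pm'}"
        cells = "".join(f"{'x' * grid.get((wd, hour), 0):>7}" for wd in range(7))
        lines.append(f"{label:<6}{cells}")
    return "\n".join(lines)

def gaps(times: List[datetime], longer_than: timedelta) -> List[Tuple[datetime, datetime]]:
    """Intervals between consecutive timestamps longer than the threshold: on a
    busy host's syslog these are the 'unusual gaps' that may point to wiping."""
    ordered = sorted(times)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > longer_than]

def demo_gaps() -> List[str]:
    """Constructed syslog timestamps: hourly entries, nothing between 01:00 and 05:00."""
    stamps = [datetime(2002, 12, 9, h) for h in range(24) if h not in (2, 3, 4)]
    return [f"{a:%H:%M}-{b:%H:%M}" for a, b in gaps(stamps, timedelta(hours=1, minutes=30))]

if __name__ == "__main__":
    print(render(activity_grid(EVENTS)))
    print("gaps:", demo_gaps())
```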
Case Example

Intellectual Property Theft (rootkit)
Intellectual Property

 IDS logs show intrusion

[**] FTP-site-exec [**]
 09/14-12:27: 208.181.151.231 -> 130.132.x.y
 09/14-12:28: 24.11.120.215 -> 130.132.x.y
 09/14-12:33: 64.28.102.2 -> 130.132.x.y

 Concern: system contains sensitive data
IP Theft (assess damage)

   Initial examination of compromised host
    showed no signs of compromise
       no wtmp entries from site exec exploit
       no syslog entries
       no odd processes using ps or files using ls
   System clock was 5 hours fast (Δt = 5hrs)
   Oddities on system suggested compromise
       difference between ps & lsof; /tmp/.tmp/
IP Theft (analysis)

 Used EnCase to analyze evidence
 Recovered deleted syslogs (noting Δt)

Sep 14 17:07:22 host ftpd[617]: FTP session closed
Sep 15 00:21:54 host ftpd[622]: ANONYMOUS FTP LOGIN FROM 231.efinityonline.com [208.181.151.231], [non-printable exploit payload bytes omitted]
Sep 14 17:22:54 host inetd[448]: pid 622: exit status 1
Linux in EnCase
IP Theft (reconstruction)

   Confirmed source of initial intrusion
   Determined that target was high risk
   Determined motive and intent
       not aware of sensitive information on host
       used host for DoS, scanning, and IRC
   Determined that a sniffer had been used
   Located other compromised systems
       notified system owners on outside networks
Exercise

Intellectual Property Theft (Insider)
Initial Complaint

   Employee stole information prior to leaving
       Terminated on Sept 16, 2002
   Unknown documents from workstation
   clients.mdb
       Client contact database
       Stored on W2K workstation
   projectX
       Secret project details
       Stored on Unix file server
   What do you look for?
W2K Workstation
   Security (card swipe) records
       Suspect entered building at 08:45am
   Logon/Logoff record
C:\>ntlast /ad 16/9/2002 /v
Record Number: 18298
ComputerName: WKSTN11
EventID: 528 - Successful Logon
Logon: Tue Sep 16 08:50:58am 2002
Logoff: Tue Sep 16 09:10:00am 2002
Details -
     ClientName: user11
     ClientID:     (0x0,0xDCF9)
     ClientMachine: WKSTN11
     ClientDomain: CORPX
     LogonType:       Interactive

   How to collect this information as evidence?
W2K Workstation

   Transfer of clients.mdb
       Accessed 09/16/2002 08:58:30 EST
   HKEY_USERS
       \Windows\CurrentVersion\Explorer\RecentDocs
   Suspect’s environment temp\clients.xls
       Created at 08:59:14
       Last modified at 08:58:49
   Suspect’s e-mail outbox
       Shows clients.xls sent to Hotmail
   What information would you seek on network?
W2K Workstation

   Other file accessed at same time
       private.doc
 Registry OpenSaveMRU entry
 Recent .lnk written and accessed
       Recent A: .lnk written and accessed
   What would you expect to find on
    associated floppy diskette?
Unix File Server
   SSH Client Access
       Accessed:
         • \user11\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to SshClient.lnk
         • Files in \user11\Application Data\SSH\
         • \user11\Application Data\SSH\HostKeys\key_22_srv1
   How to collect evidence?
    % last user11
    user11 pts/77 wkstn11.corpx.com Sep 16 09:05 - 09:06 (00:01)
    % ls -altu
    -rwxr-xr-x 1 admin staff 8529583 Sep 16 09:05 projectX
   ProjectX file found in c:\temp on wkstn11
       What timestamps changed in transfer?
W2K Workstation

   Deleted projectX file found in c:\temp
     Created: 09:05am
     Accessed: 09:07am
     Modified: 09/12/2002 10:07:07am
   Explorer\RecentDocs\NetHood
     \\competitorpc\upload
     LastWrite 09/13/2002 11:04AM
   Explain time discrepancy
Network Logs

   IDS logs
[**] Netbios Access [**]
09/16-09:06:03.313894 192.168.16.88:1576 -> 172.16.14.3:139
TCP TTL:127 TOS:0x0 ID:61055 IpLen:20 DgmLen:231 DF
***AP*** Seq: 0x4A8908DB Ack: 0x5C6EFB75 Win: 0x431B TcpLen: 20

       show Netbios connection at 09:06am
   NetFlow logs
Start         End           SrcIPaddress  SrcP DstIPaddress DstP P Fl Pkts Octets
0916.09:07:34 0916.09:09:36 192.168.16.88 1576 172.16.14.3  139  6 3  9711 7526495

       Start 09:07am end 09:09am
       Bytes suggest smaller file (7GB)
   Explain time and size discrepancies
Exercise

Live Harassment Investigation
 Anonymous e-mail
 Network Address Translation/Proxy

 NetFlow

 TCPdump
Exercise

Network Intrusion
 Log file tampering
 Firewall rules

 Internal/skilled attacker
Related Reading

   Book: Advanced level
       Handbook of Computer Crime Investigation
       http://www.disclosedigital.com
   FRED
       http://www.dfrws.org/dfrws2002/papers/Papers/Jesse_Kornblum.pdf
   Encryption
       http://www.dfrws.org/dfrws2002/papers/Papers/Eoghan_Casey.pdf
   Error, Uncertainty and Loss
       http://www.ijde.org/02_summer_art1.html
Related Tools

   patriot.net/~carvdawg/perl.html
   www.foundstone.com
   www.sysinternals.com
   NT Resource Kit
   Ntsecurity.nu
   www.maresware.com
   www.net.ohio-state.edu/software/
   www.ethereal.com
   www.tcpdump.org

				