Educause MARC, Copyright 2002, Marchany

Unit 3 Incident Response: Creating the Computer Incident Response Team (CIRT)

How Easy Is It?

    % set term=cterm100
    % telnet victim.com
    Trying 0.0.0.0...
    Connected to victim.com.
    Escape character is '^]'.

    UNIX(r) System V Release 4.0 (victim.com)
    # id
    uid=0(root) gid=0(root)
    #
Incident Response Steps
- Dave Dittrich, Univ. of Washington, wrote a good checklist describing the Incident Response Cycle.
- 6 major steps: Preparation, Detection, Containment, Eradication, Recovery, Follow-up

Preparation: Creating the CIRT
- Need to create a Computer Incident Response Team (CIRT) before we can use it.
- How do we create it? Read an excellent paper on the issues that need to be considered when building a CIRT.

What Do I Do?
- An excellent reference document for things to consider when setting up the CIRT: "Handbook for Computer Security Incident Response Teams (CSIRTs)", Moira West-Brown, Don Stikvoort, Klaus-Peter Kossakowski, 12/98. Available from www.cert.org
- Describes basic issues that should be considered when setting up the CIRT (CSIRT).
- The following slides summarize this document.

Setting Up the CIRT
- The CIRT is like the fire department. Our CIRT is like the volunteer fire department or rescue squad.
- No full-time members except the University Information Security Officer.
- Other members are called in as needed. They have management approval to drop whatever they're doing in order to respond to the incident.
- Fixing the problem is top priority.

Setting Up the CIRT
- Information confidentiality is critical! The CIRT must be trusted to handle sensitive information responsibly. Otherwise, no one will report incidents to it.
- What type of CIRT?
  - International? Build trust with external CIRTs.
  - University? Respond to incidents within the university. Dept sysadmins and users will use the service.
  - Overlaps?

Setting Up the CIRT: Authority and Scope
- FULL: the CIRT has the authority to undertake any necessary action on behalf of its constituency in order to protect University resources.
- SHARED: the CIRT provides direct support and shares in the decision-making process. It can influence dept sysadmins but can't dictate to them.
- NONE: the CIRT acts in an advisory or advocate capacity only.

CIRT Authority
- FULL: the CIRT could require disconnection until the threat is removed. The CIRT may actually do the disconnection.
- SHARED: the CIRT could advise and influence victims to disconnect from the net until the problem is fixed, but can't force them.

CIRT Services
- Mandatory
  - Provide a focal point for reporting computer security incidents.
  - Provide coordinated support in response to such reports.
- Common/Typical
  - Incident tracing: tracking and tracing intruder activity.

CIRT Services
- Typical/Common
  - Intrusion detection: support active detection of intruder activity.
  - Education: conduct training seminars for general users, system administrators, management, faculty, staff, etc.
  - Vulnerability analysis: provide a security scanning service to departments.

CIRT Information Flow
- Important to understand which services are related to each other.
- Determine which services rely on info from, or provide info to, another service.
- Determine which services are responsible for providing/requesting info to/from another service.
- Assign different priorities depending on the source of the request.

CIRT Flexibility
- External factors affect the CIRT:
  - The rate of incident reports is unpredictable; the CIRT may get overloaded.
  - New attacks and exploits: the type and complexity of incident reports change over time.
  - New technology advances: CIRT expertise needs to be updated constantly.

CIRT Flexibility
- Computer crime laws are just now becoming a force. The CIRT needs to be aware of the changing legal framework of its environment and adapt accordingly.
- Varying demands on the CIRT: situations will arise in which an unprepared CIRT may be insufficient to respond effectively to these conflicting demands.

CIRT and Liability
- A liability issue is everything that you say, do or write, or that you omit to say, do or write, for which people want to sue you with a reasonable chance of success in court.
- Needless to say, this is an issue in the US.

Liability Context: Omission
- Lack of information disclosure: you receive log files that indicate an intruder's activities and you fail to follow up on the lead. If this fact is discovered, you may be liable for failing to act on the information.
- Neglecting side effects: you deal with a new vulnerability in a specific incident but fail to notify the vendor/net/other CIRTs of this vulnerability. Some time later, the net is attacked via the same vulnerability.

Liability Context: Omission
- Failure to observe legal reporting or archiving obligations: many countries require you to report to, or generate archives for, law enforcement regarding a serious crime. Espionage, murder, drug dealing, etc. are examples.

Liability Context: CIRT and Signed Contracts
- Inadequate service definition: CIRT service isn't available during holidays or after hours, and this isn't stated clearly in the service agreement with your constituents.
- Service level isn't provided: the CIRT didn't do what was promised, or the quality of the work wasn't what was expected.

Liability Context: Information Disclosure
- References to individuals/organizations: the CIRT gives the impression a party is involved in an attack, and the party's reputation/business is damaged by this disclosure.
- Revealing identities: depends on who is requesting the information (EDU: FERPA; medical: HIPAA). Revealing an identity w/o prior approval.

Liability Context: Information Disclosure
- Distributing false information: you release info about a bug in an OS but it's wrong, and the vendor may be upset; or you correctly warn of a vulnerability but your solution doesn't work.
- Incorrect advice: your advice is wrong or outdated and causes damages to your constituent.

CIRT Service Functions
- Triage: single point of contact for accepting, collecting, sorting and ordering information about an incident.
- Incident: provide support and guidance related to suspected or confirmed computer security incidents.

CIRT Functions
- Announcement: provide general information via sysadmin and tech support mailing lists, www sites, etc.
- Feedback: can be provided on explicit request by mgt or the media; can be provided as an annual report or a case-driven report.

CIRT Incident-Related Contacts (people the CIRT needs to keep in the loop)
- Upper management
- Other departments' technical staff
- Security officer
- Legal counsel
- Internal audit
- Risk management group
- Network operations center
- Network information center

CIRT Non-Incident-Related Contacts
- Site security contacts
- ISP
- Other CIRTs
- Law enforcement
- Vendors
- External experts
- Media

CIRT Composition (the AUP defines the rules)
- Sysadmin: decode syslogs, sniffer
- Network management team: decode router logs, packet filter, sniffer
- Legal: proper evidence collection
- Supervisory/Audit: authority to force change. Legal or not?
Preparation: Client Insecurity Issues
- "Mommas, don't let your kids grow up to be PCs!"
- What types of attacks to expect

The Doom Scenario (diagram)
- Attack the server
- Good sysadmin practices
- Install sniffer
- Install encryption
- Email attachments: NetBus, BO2K
- No effective defense if the client is a PC/Mac

Types of Attacks
- Types of attacks we've seen at our site: EMAIL, PASSWORD/SNIFFER, DENIAL OF SERVICE, RELAY ATTACKS, WWW ATTACKS
- The next section describes each of the above attacks using Dittrich's Incident Response Model.

Case 1: Email Abuse
- We handle 2.5M+ external emails/wk.
- Need network management help to trace to the internal site.
- Need the mail administrator to decipher mail logs.

Types of Email Abuse at VT
- Chain letters: "Good Times", "recipes". The letter is sent and is supposed to be mailed on to 10 others. Annoying.

Types of Email Abuse at VT
- Mail spoofing (forgery): usually done in conjunction with flames. Could impersonate a real person. Too easy to do.

Types of Email Abuse at VT
- Email infrastructure attacks: mail bombs, exploiting sendmail vulnerabilities (Outlook, sendmail), SPAM.
- SPAM: the site is notified and warned. Unheeded warnings (3) result in a 30-day block of anything from that site.

Types of Email Abuse at VT
- Flaming: profane, obscene, angry or threatening comments. Messages are sent either by email or via Usenet newsgroups. Death threats require immediate attention.

Email Logs
- Sendmail server logs: log sender/receiver, timestamp, email ID.
- Terminal server/modem pool: log all users. Used to identify the real owner of a modem session. Caller ID on the modem pool.

Email Logs
- POP3 mail logs: log the PID of the sender, password change dates, etc.
- Source/target system logs: personal firewall logs, sniffers, etc.
- Usenet logs: news server logs.
- Logs are sent to a central syslog server and dumped to CD once a month. Audit requirement: 18-month retention.

Preparation: Handling Complaints
- IS will gather appropriate info from the logs ONLY at the request of a proper authority, and only releases the logs to them.
- IS DOES NOT prosecute or get involved in policing, but 'helps' by gathering log info and helping interpret it, at the request of the proper authority.
- The 'proper authority' is any entity that does the actual prosecution (Provost, Dean, Police, FBI, Secret Service).

Preparation: CIRT
- Have a plan of action ready and approved.
- Sample CIRT Checklist
Detection: Email Abuse
- Generic mail id to report problems: firstname.lastname@example.org. If the user thinks it's abuse, we have to check. Users are told to send reports there.
- Users can call the Help Desk to report problems. The Help Desk crew notifies the mail sysadmins if there is a problem.
- System mail log monitors detect large volumes of email traffic. The mail admins check for spam and email flooding.
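The "system mail log monitors" mentioned on the slide are, at their simplest, counters over the sendmail log. The following is an added example, not code from the slides or from Virginia Tech: it parses sendmail's per-message "from=" records, totals messages and recipients per envelope sender and per connecting relay, and flags the sources that exceed a limit, which is how a mail admin would notice a flood or a spam burst before a user complains. The log lines are constructed for the example, and the limits are illustrative assumptions rather than the site's policy.

```python
import re
from collections import Counter

# sendmail 8.x writes one "from=" record per accepted message; the relay
# field names the host (or a bare IP in brackets) that handed it to us.
FROM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?, "
    r".*?nrcpts=(?P<nrcpts>\d+), .*?relay=(?P<relay>\S+)"
)

# Constructed sample log (not from the slides): normal local mail, a burst
# of four 40-recipient messages from one external relay, and a bounce with
# an empty envelope sender. Delivery ("to=") lines are present but ignored.
SAMPLE_LOG = """\
Mar  1 09:00:01 mailhost sendmail[2001]: g21E001x02001: from=<alice@example.edu>, size=812, class=0, nrcpts=1, msgid=<1@example.edu>, proto=ESMTP, daemon=MTA, relay=ws1.example.edu [192.0.2.10]
Mar  1 09:00:02 mailhost sendmail[2001]: g21E001x02001: to=<bob@example.edu>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30812, dsn=2.0.0, stat=Sent
Mar  1 09:00:05 mailhost sendmail[2002]: g21E005x02002: from=<deals@example.net>, size=4096, class=0, nrcpts=40, msgid=<a@example.net>, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Mar  1 09:00:06 mailhost sendmail[2003]: g21E006x02003: from=<deals@example.net>, size=4096, class=0, nrcpts=40, msgid=<b@example.net>, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Mar  1 09:00:07 mailhost sendmail[2004]: g21E007x02004: from=<deals@example.net>, size=4096, class=0, nrcpts=40, msgid=<c@example.net>, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Mar  1 09:00:08 mailhost sendmail[2005]: g21E008x02005: from=<deals@example.net>, size=4096, class=0, nrcpts=40, msgid=<d@example.net>, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Mar  1 09:00:09 mailhost sendmail[2006]: g21E009x02006: from=<carol@example.edu>, size=600, class=0, nrcpts=1, msgid=<2@example.edu>, proto=ESMTP, daemon=MTA, relay=ws2.example.edu [192.0.2.11]
Mar  1 09:00:10 mailhost sendmail[2007]: g21E010x02007: from=<>, size=300, class=0, nrcpts=1, msgid=<3@example.edu>, proto=ESMTP, daemon=MTA, relay=ws2.example.edu [192.0.2.11]
"""


def parse_from_records(log_text):
    """Return one dict per message-acceptance line; delivery lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = FROM_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["sender"] = rec["sender"] or "<>"   # empty envelope sender = bounce
            rec["nrcpts"] = int(rec["nrcpts"])
            records.append(rec)
    return records


def flag_bulk_sources(records, msg_limit=3, rcpt_limit=50):
    """Flag envelope senders whose message count or total recipient count
    exceeds the limits, and relays whose message count does. The limits
    are illustrative assumptions, not policy taken from the deck."""
    msgs_by_sender, rcpts_by_sender, msgs_by_relay = Counter(), Counter(), Counter()
    for r in records:
        msgs_by_sender[r["sender"]] += 1
        rcpts_by_sender[r["sender"]] += r["nrcpts"]
        msgs_by_relay[r["relay"]] += 1
    flagged = {"senders": [], "relays": []}
    for sender, n in msgs_by_sender.items():
        if n > msg_limit or rcpts_by_sender[sender] > rcpt_limit:
            flagged["senders"].append((sender, n, rcpts_by_sender[sender]))
    for relay, n in msgs_by_relay.items():
        if n > msg_limit:
            flagged["relays"].append((relay, n))
    return flagged


if __name__ == "__main__":
    for kind, hits in flag_bulk_sources(parse_from_records(SAMPLE_LOG)).items():
        for hit in hits:
            print(kind, hit)
```

In practice the counters would be kept per time window (the queue-id and timestamp fields are parsed for that purpose) and the output fed to whoever handles the abuse mailbox; counting recipients as well as messages matters because a mail bomb often arrives as a handful of messages with very long recipient lists.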
Containment: Email Abuse
- If the email threatens the receiver, every effort is made to identify the sending host and, if possible, the person.
- Network router logs determine if the threat came from onsite systems.
- Mail system logs give source, destination and intermediate mail system handling information.
- Syslogs of the sending system yield origin information.
- These three log types help determine if IP spoofing is active.
- IMPORTANT: get the original email with complete headers!
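The reason the slide insists on the complete headers is that the Received: lines are the only record of the intermediate handling that travels with the message, and the queue id in the line written by your own server is what you grep for in the sendmail log. The following added example (not from the slides) walks that chain the way an admin tracing a threatening message would: it unfolds the Received: headers, checks that each hop's "by" host is the host the hop above says it received "from", and treats everything below the first break as uncorroborated, since a sender can prepend any Received: lines they like but cannot alter the ones your servers add afterwards. The message, hosts and addresses are constructed; the set of "own" hosts is an assumed parameter.

```python
import re
from email import message_from_string

# Constructed sample (not from the slides). The top two Received lines were
# written by hosts on our delivery path; the bottom one was supplied by the
# sender to make the mail appear to originate at mail.example.org.
SAMPLE_MESSAGE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.25])
    by mailhost.example.edu (8.12.2/8.12.2) with ESMTP id g21H01x01234
    for <victim@example.edu>; Fri, 1 Mar 2002 12:00:03 -0500
Received: from relay.example.net (relay.example.net [198.51.100.5])
    by mx.example.edu (8.12.2/8.12.2) with ESMTP id g21H01x00999
    for <victim@example.edu>; Fri, 1 Mar 2002 12:00:02 -0500
Received: from mail.example.org (mail.example.org [203.0.113.9])
    by smtp.example.com (8.11.6/8.11.6) with SMTP id g21H01x00555;
    Fri, 1 Mar 2002 12:00:00 -0500
From: "Trusted Person" <trusted@example.org>
To: victim@example.edu
Subject: test
Message-ID: <20020301170000.abc123@example.org>

(message body)
"""

# sendmail writes "from <HELO name> (<reverse DNS> [<peer IP>]) by <me> ...";
# the name before the parenthesis is what the peer claimed, the bracketed IP
# is what the receiving MTA actually saw on the connection.
HOP = re.compile(
    r"from (?P<from_host>\S+)(?: \((?P<from_info>[^)]*)\))?"
    r"(?:.*? by (?P<by_host>\S+))?"
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw_message):
    """Return the Received hops top-down (newest first), one dict per hop."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP.match(flat)
        if m:
            hops.append({
                "from_host": m.group("from_host"),
                "from_info": m.group("from_info") or "",
                "by_host": m.group("by_host"),
                "raw": flat,
            })
    return hops


def trace_origin(hops, own_hosts):
    """Walk down from the newest hop while the chain of custody holds: the
    top hop must have been written by one of our own servers, and each
    lower hop's 'by' host must match the host the hop above received
    'from' (hosts are assumed to HELO with their own name). Returns
    (origin_hop, hops_below_the_break); hops below the break were not
    corroborated by a server we trust and may have been forged."""
    if not hops or hops[0]["by_host"] not in own_hosts:
        return None, list(hops)
    last_ok = 0
    for i in range(1, len(hops)):
        if hops[i]["by_host"] != hops[i - 1]["from_host"]:
            break
        last_ok = i
    return hops[last_ok], hops[last_ok + 1:]


def origin_ip(hop):
    """The peer IP the receiving MTA recorded for this hop, if any."""
    m = IPV4.search(hop["from_info"])
    return m.group(1) if m else None


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_MESSAGE)
    origin, suspect = trace_origin(chain, {"mailhost.example.edu"})
    print("last corroborated hop:", origin["from_host"], origin_ip(origin))
    for hop in suspect:
        print("uncorroborated (possibly forged):", hop["raw"])
```

For the sample, the trace stops at the message handed to mx.example.edu by 198.51.100.5 and marks the mail.example.org line as uncorroborated; the next step on the slide is to ask that relay's administrators for their own logs for that queue id and timestamp, and to compare the recorded peer IP with the router logs to decide whether the message came from onsite.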
Eradication: Email Abuse
- Hard to do.
- Spam filters for sendmail.
- Relay filters for sendmail.
- Isolate the sending machine if it is onsite.
- Notify the sending machine's site if a remote system is involved; they may have a problem.
- Bodily harm threats must be taken seriously.

Recovery: Email Abuse
- Denial of service mail attack: remove the spam messages; use routers to block out the offending system; process mail as quickly as possible.
- Disable user account access IF the AUP allows this.
- Notify the recipient on progress.

Followup: Email Abuse
- User education: how to spot email trash; who to notify if abuse starts; SAVE THE ORIGINAL EMAIL!!!!; netiquette.
- System manager education: SPAM and relay filtering rules; save the email logs at a central site; ask users for the complete email message with headers.

Summary
- The previous slides list the 6 phases of IR as they apply to 1 category of attack: email abuse.
- Do the same for the other types of attacks you expect at your site.
- Have the procedure checklist ready.

Recommendations
- Revise your AUP and IRP as needed.
- Construct your response plans according to Dittrich's response model: Preparation, Detection, Containment, Eradication, Recovery, Follow-up.
- Your IR plans should address the "How do we do ..." for each layer of the response model.
- IR is a coordinated action involving all aspects of an org's IS structure: sysadmin, network mgrs, supervisory, audit, legal, upper mgt.
- Liability is an issue! Are you liable for internal (email) as well as external (the NY Times "hacker") incidents if your response structure is inadequate? Probably!

As It Should Be......