Investigating Internet Security Incidents
A Brief Introduction to Cyber Forensic Analysis
Peter Stephenson
Copyright © Sanda International Corp.

Agenda
- Intrusion approaches
- Investigative tool kit
- Investigative approaches
- End-to-end tracing
- Evidence collection and preservation
- Forensic use of RMON2-based tools for documenting the path of an attack

What is Cyber Crime?
- Crimes directed against a computer
- Crimes where the computer contains evidence
- Crimes where the computer is used to commit the crime

The Nature of Computer Related Crime in Today's Organizations
[Chart] Source: 1998 CSI/FBI Study

There Are Only 4 Kinds of Attacks
- Denial of service
- Social engineering
- Technical
- Sniffing
Intrusion Approaches
- Target selection, research and background info
  - Internet searches
  - Whois, nslookup
- Preliminary probing - avoid logging - get passwords
  - POP probe
  - Sniffing
  - DNS zone transfer
  - SMTP probe
  - Other simple probes
- Search for back doors
- Technical attack or social engineering

Cleaning Up After an Attack
- Delete tools and work files
- Modify logs (Unix example)
  - Syslog
  - messages files (especially the mail log)
  - su log
  - lastlog (including wtmp and utmp)
  - daemon logs
  - transfer logs

INVESTIGATIVE AXIOM: Treat every incident as if it will end up in a criminal prosecution.
Your Investigative Tool Kit
- Policies
- Criminal profiling
- Tracing tools
- Log analysis
- Crime scene (victim computer) analysis
- E-mail header analysis
- News group header analysis
The Role of Policies
- They define the actions you can take
- They must be clear and simple to understand
- The employee must acknowledge that he or she read them, understands them and will comply with them
- They can't violate law

Electronic Communications Privacy Act - Your Enabling Law
- Owner may intercept communications between an intruder and that owner's computer system
- Owner providing others with the ability to use that computer to communicate with other computer systems may:
  - make routine backups and perform other routine monitoring
  - intercept with prior consent of the user
  - intercept portions of communications necessary to determine origin and destination
  - intercept where necessary to protect owner's rights or property
  - disclose to law enforcement any communications inadvertently discovered which reveal criminal activity
Criminal Profiling
- Criminal profiling is the process of using available information about a crime and crime scene to compose a psychological portrait of the unknown perpetrator of the crime
- Classical profiling goals - to provide:
  - a social and psychological assessment of the offender
  - a psychological evaluation of relevant possessions found with suspected offenders
  - strategies that should be used when interviewing offenders

Crime Scene Analysis
- Branch of profiling using standard investigative techniques to analyze crime scenes
- Investigators are usually most comfortable with this approach
- Very useful in computer incidents

Developing a Profile of an Intruder
- Crime scene analysis
  - how was access obtained? What skills were required?
  - how did the intruder behave on the system? Damage? Clean-up? Theft?
- Investigative psychology
  - motivation
  - personality type

Goals of an Investigation
- To ensure that all applicable logs and evidence are preserved
- To understand how the intruder is entering the system
- To obtain the information you need to justify a trap and trace of the phone line the intruder is using, or to obtain a subpoena to obtain information from an ISP
- To discover why the intruder has chosen the computer
- To gather as much evidence of the intrusion as possible
- To obtain information that may narrow your list of suspects
- To document the damage caused by the intruder
- To gather enough information to decide if law enforcement should be involved
Immediate Objective: PRESERVE THE EVIDENCE!
- Begin a traceback to identify possible log locations
- Contact system administrators on intermediate sites to request log preservation
- Contain damage
- Collect local logs
- Image disks on victim computers

Building an Incident Hypothesis
- Start with witness accounts
- Consider how the intruder could have gained access
  - eliminate the obvious
  - use logs and other physical evidence
    - consider the skill level or inside knowledge required
- Create mirrors of affected computers

Building an Incident Hypothesis (continued)
- Develop a profile of the intruder
- Consider the path into the victim computer
- Recreate the incident in the lab
  - use real mirrors whenever possible
- Consider alternative explanations
  - test alternatives

Incident Reconstruction
- Physical
  - use mirrors of the actual involved systems
  - useful for single computers
- Logical
  - use similar systems
  - useful for networks where you have access to the entire network
- Theoretical
  - hypothesize intermediate computers
  - necessary when you can't access all involved computers

Back Tracing
- Elements of a back trace
  - end points
  - intermediate systems
  - e-mail and packet headers
  - logs
- Objective: to get to a dial-in POP
- The only messages that can't be back traced are those using a true anonymizer and those where no logs are present
Enabling Relationships
[Diagram] DIAL -> INTERNET -> PENETRATE HOST -> ATTACK VICTIM, with the log sources along that path: OUR LOGS, ISP's LOGS, TELCO LOGS
Obtaining Subpoenas
- Notify the involved organization that you are going to subpoena and request that they preserve evidence - find out who to deliver the subpoena to
- File a John/Jane Doe lawsuit with an emergency order to subpoena appropriate records
- Subpoena the logs you need
  - Get everything you can on the first pass
  - May need depositions
Requirements for Logs to be Used as Evidence
- Must not be modifiable
  - Spool off to protected loghost
  - Optical media
  - Backups
- Must be complete
  - All superuser access
  - Login and logout
  - Attempts to use any controlled services
  - Attempts to access critical resources
  - details
- Appropriate retention
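Spooling to a protected loghost or write-once media keeps a copy an intruder cannot reach, but it does not by itself prove that the copy you later present was never edited. The following added example (not code from the original slides) makes the "must not be modifiable" requirement checkable with a hash chain: every archived record carries a SHA-256 over its sequence number, its text and the previous record's hash, and the latest hash (the "head") is stored separately. An edited, deleted or reordered record breaks the chain, and a chain that was silently re-hashed by someone with write access to the spool fails to match the stored head. Hash chaining is a technique added here; the log lines are constructed to resemble the event types the slide lists.

```python
"""Tamper-evident log spool built on a hash chain.

Added example, not code from the original slides. The log lines are
constructed; the chaining scheme is an addition used to make the
"must not be modifiable" requirement verifiable.
"""
import hashlib

# Constructed sample of the event types the slide says a complete log needs.
SAMPLE_LINES = [
    "Sep 12 18:20:01 host su: 'su root' succeeded for alice on /dev/pts/1",
    "Sep 12 18:21:17 host sshd[412]: Accepted password for alice from 192.0.2.10 port 51234",
    "Sep 12 18:22:45 host ftpd[417]: connection from 192.0.2.10 refused",
    "Sep 12 18:30:09 host sshd[412]: session closed for user alice",
]

GENESIS = "0" * 64  # the hash "before" the first record


def record_hash(seq, line, prev_hash):
    """SHA-256 over the sequence number, the line and the previous hash."""
    return hashlib.sha256(f"{seq}\n{line}\n{prev_hash}".encode()).hexdigest()


def spool(lines, prev_hash=GENESIS, start=0):
    """Turn raw log lines into chained records ready to ship to the loghost."""
    records = []
    for seq, line in enumerate(lines, start=start):
        prev_hash = record_hash(seq, line, prev_hash)
        records.append({"seq": seq, "line": line, "hash": prev_hash})
    return records


def head(records):
    """The latest hash; keep a copy on write-once media or a separate host."""
    return records[-1]["hash"] if records else GENESIS


def verify(records, stored_head, prev_hash=GENESIS):
    """Check the chain against an independently stored head hash.

    Returns None if every record is intact and the chain ends at stored_head,
    otherwise the seq of the first record that does not fit."""
    expected_seq = records[0]["seq"] if records else 0
    for rec in records:
        if rec["seq"] != expected_seq:
            return rec["seq"]                       # gap or reorder
        if record_hash(rec["seq"], rec["line"], prev_hash) != rec["hash"]:
            return rec["seq"]                       # edited line or hash
        prev_hash = rec["hash"]
        expected_seq += 1
    # A re-hashed chain is internally consistent but ends at a different head.
    return None if prev_hash == stored_head else expected_seq


def tampered_copy(records, seq, new_line):
    """Rewrite one record and re-hash everything after it, as someone with
    write access to the spool (but not to the stored head) could do."""
    out = [dict(r) for r in records]
    prev_hash = GENESIS
    for rec in out:
        if rec["seq"] == seq:
            rec["line"] = new_line
        if rec["seq"] >= seq:
            rec["hash"] = record_hash(rec["seq"], rec["line"], prev_hash)
        prev_hash = rec["hash"]
    return out


if __name__ == "__main__":
    recs = spool(SAMPLE_LINES)
    print("head:", head(recs))
    print("intact:", verify(recs, head(recs)) is None)
```

The retention requirement on the slide then becomes "retain the records and the head hash, on separate media"; a reviewer who holds only the head can later confirm that a produced spool is the one that was archived.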
Tracing Headers

(3) Received: from mailhost.example.com ([XXX.XXX ]) by smtp.exampl.com; Sat, 12 Sep :25:
(2) Received: from web03.iname.net by mailhost.example.com (AIX 3.2/UCB 5.64/4.03) id AA07400; Sat, 12 Sep :31:
(1) Received: (from by web03.iname.net (8.8.8/8.8.0) id SAA29949; Sat, 12 Sep :25: (EDT)
Date: Sat, 12 Sep :25: (EDT)
(4) From: fake user
Message-Id:
Content-Type: text/plain
Mime-Version: 1.0
To:
Content-Transfer-Encoding: 7bit
Subject: This is a forged message
Performing the Trace
- Contact iname's Security Officer
- Connect account name, time, & message ID to source IP address
- Get logs from source IP
- Who was connected at the time of the e-mail?
- Locate ISP & contact Security Officer
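Each relay prepends its own Received: line, so the chain is read from the bottom up, which is what the (1) to (3) numbering on the header slide indicates: line (1) names the host where the message entered the mail system, and the queue id and timestamp on that line are what the trace connects to that host's logs. The added example below (not code from the original slides) parses the Received: chain of a message, lists the hops in transit order with the "from" host, the address the relay actually saw, the receiving host, the queue id and the delay since the previous hop, and flags hops whose clock runs backwards, which is the usual sign that the sender wrote a Received: line by hand. The sample message, hostnames, addresses and queue ids are all constructed.

```python
"""Reconstruct the relay path of an e-mail from its Received: headers.

Added example, not code from the original slides. The sample message,
hostnames, addresses and queue ids below are constructed.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed three-hop message; the topmost Received: line was added last.
SAMPLE_MESSAGE = (
    "Received: from relay.example.net ([192.0.2.10])\n"
    "\tby mx.victim.example with ESMTP id QID-3; Sat, 12 Sep 1998 18:31:40 -0400\n"
    "Received: from webmail.example.org (webmail.example.org [198.51.100.7])\n"
    "\tby relay.example.net (8.8.8/8.8.8) id QID-2; Sat, 12 Sep 1998 18:31:02 -0400\n"
    "Received: (from apache@localhost)\n"
    "\tby webmail.example.org (8.8.8/8.8.0) id QID-1; Sat, 12 Sep 1998 18:25:11 -0400 (EDT)\n"
    "Date: Sat, 12 Sep 1998 18:25:11 -0400 (EDT)\n"
    "From: fake user <forged@example.org>\n"
    "To: victim@victim.example\n"
    "Subject: This is a forged message\n"
    "\n"
    "body\n"
)

# Constructed: the same message with a Received: line the sender wrote
# itself, placed below the real ones and carrying a time later than hop 1.
FAKE_RECEIVED = ("Received: from innocent.example.com by bogus.example.net id QID-0;"
                 " Sat, 12 Sep 1998 19:00:00 -0400\n")
FORGED_MESSAGE = SAMPLE_MESSAGE.replace("Date:", FAKE_RECEIVED + "Date:", 1)

FROM_RE = re.compile(r"\bfrom\s+([^\s;()]+)")
BY_RE = re.compile(r"\bby\s+([^\s;()]+)")
ID_RE = re.compile(r"\bid\s+([^\s;()]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into the fields an investigator needs."""
    text = " ".join(value.split())              # unfold continuation lines
    if ";" in text:
        clause, _, stamp = text.rpartition(";")  # timestamp follows the last ';'
    else:
        clause, stamp = text, ""
    stamp = re.sub(r"\s*\([^)]*\)\s*$", "", stamp.strip())  # drop "(EDT)"

    def grab(rx):
        m = rx.search(clause)
        return m.group(1) if m else None

    return {
        "from": grab(FROM_RE),  # host the relay says it received from
        "ip": grab(IP_RE),      # address the relay actually saw
        "by": grab(BY_RE),      # the relay that wrote this line
        "id": grab(ID_RE),      # queue id to match against that relay's logs
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def trace_path(raw_message):
    """Return the hops in transit order (origin first) with inter-hop delays."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops = [parse_received(v) for v in reversed(received)]  # bottom = first hop
    prev = None
    for n, hop in enumerate(hops, start=1):
        hop["hop"] = n
        hop["delta_s"] = None
        if prev is not None and prev["time"] and hop["time"]:
            hop["delta_s"] = (hop["time"] - prev["time"]).total_seconds()
        prev = hop
    return hops


def flag_anomalies(hops):
    """Hop numbers whose timestamp runs backwards or that name no receiving host.

    A backwards jump between hop n-1 and hop n means at least one of them was
    not written by a real relay; everything below that point is suspect."""
    return [h["hop"] for h in hops
            if h["by"] is None or (h["delta_s"] is not None and h["delta_s"] < 0)]


def origin(hops):
    """Best available statement of where the message entered the mail system."""
    first = hops[0]
    return {"relay": first["by"], "source": first["ip"] or first["from"], "id": first["id"]}


if __name__ == "__main__":
    for hop in trace_path(SAMPLE_MESSAGE):
        print(hop["hop"], hop["from"], hop["ip"], "->", hop["by"], hop["id"], hop["delta_s"])
    print("forged message anomalies:", flag_anomalies(trace_path(FORGED_MESSAGE)))
```

The values the trace slide asks for (account name, time, message id) come from the first trustworthy hop: the queue id and timestamp on that line are what the relay's security officer can look up in that relay's own logs to connect the message to a source IP address and a logged-in user.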
Evidence Collection & Preservation
- Forensic evidence
  - Safeback - creates physical images and mirrors of affected computers
- Forensic analysis
  - NTI tools
- NEVER work directly on the evidence
  - Never contribute to the evidence
- Ensure chain of custody
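Whatever imaging tool produces the physical image, the rules on this slide reduce to a small verifiable routine: hash the master image before anything touches it, make it read-only, work only on a copy whose hash matches, and log every step with who did it and the hash at that moment. The added example below (not code from the original slides, and not an interface to Safeback or the NTI tools) does exactly that on a constructed stand-in for a disk image, then shows how an accidental write to the working copy is caught by re-verifying against the master. File names, the tiny "image" and the custodian name are constructed.

```python
"""Working-copy verification and a chain-of-custody record for a disk image.

Added example, not code from the original slides and not tied to any
imaging product. The image contents, file names and custodian are constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled which artefact, when, and its hash."""

    def __init__(self, path):
        self.path = path

    def record(self, custodian, action, artefact):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "artefact": os.path.basename(artefact),
            "sha256": sha256_file(artefact),
        }
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]


def seal_original(path):
    """Make the master image read-only; all analysis happens on copies."""
    os.chmod(path, stat.S_IRUSR)


def verify_copy(original, copy):
    """True only if the working copy is still bit-for-bit the master image."""
    return sha256_file(original) == sha256_file(copy)


def make_working_copy(original, copy, log, custodian):
    """Hash the master, copy it, hash the copy, and log both steps."""
    log.record(custodian, "acquired", original)
    shutil.copyfile(original, copy)
    log.record(custodian, "copied", copy)
    return verify_copy(original, copy)


def demo():
    """Constructed run: a small stand-in image, one copy, one accidental write."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "victim-disk.dd")
    copy = os.path.join(work, "victim-disk-work.dd")
    try:
        with open(original, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 16)   # constructed "image"
        seal_original(original)
        log = CustodyLog(os.path.join(work, "custody.jsonl"))
        copy_ok = make_working_copy(original, copy, log, "Analyst A")
        with open(copy, "r+b") as f:                  # accidental write to the copy
            f.write(b"XXX")
        tampered_ok = verify_copy(original, copy)     # re-verify before relying on it
        entries = log.entries()
        return {
            "copy_ok": copy_ok,
            "tampered_ok": tampered_ok,
            "entries": len(entries),
            "hashes_match": entries[0]["sha256"] == entries[1]["sha256"],
        }
    finally:
        os.chmod(original, stat.S_IRUSR | stat.S_IWUSR)  # allow cleanup
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The custody log is what backs the "ensure chain of custody" point: each entry ties a person, a time and an action to a hash, so a later reader can confirm that the copy analysed was the one acquired. Re-verifying the copy against the master whenever results are to be relied upon catches the kind of accidental write simulated in the demo.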
RMON2 Tracing Tools
- Requires RMON2 devices
- Use ODS Networks Secure Switch Investigator
- Looks for evidence of alien conversations served from within the victim's perimeter
- By moving "outwards" a step at a time, determine the source of the attack

MCI DoSTracker
- Attempts to trace source-forged packets, starting at a victim location and tracing backwards to the possible source
- Attack must be in progress
- Process - log in to the starting edge router
  - Deploy an access control list in debug mode for the victim IP
  - Clear the victim subnet cache
  - Look for forged packets by comparing to the route table
  - Spawn a separate process to log in to the next-hop router and continue

CMDS - Abuse at the Host
- Manager-agent architecture
- Responds to violations of policies
- Analyzes usage patterns
  - Identifies rogue users
  - Identifies masqueraders
- Available from ODS Networks

Summary
- Ensure appropriate policies
- Preserve the crime scene (victim computer)
- Act immediately to identify and preserve logs on intermediate systems
- Conduct your investigation
- Obtain subpoenas or contact law enforcement