The Demo Disclaimer… Is everyone paying attention now? Remember, SQL Injection is the result of improper form validation…..and can happen on ANY database server that supports ANSI 99 (incl MySQL, Oracle, DB2). No, I will not give you those tools. I don’t care what you do or who you work for…. (besides, if you really DO work for the NSA, you’ve got better tools than this anyway). If you don’t ask, I don’t have to say no.
Agenda The Incident and the 31337 h4XØr Identifying the Attack and Proving it Summary & Resources
What is an “incident”? As defined by AUS-CERT – “An attack against a computer or network which harmed, or potentially may harm, the confidentiality, integrity or availability of network data or systems.” May include the following general categories: Compromise of Confidentiality Compromise of Integrity Denial of Resources IntrusionsMisuseDamageHoaxes
The components of an incident Howard, John D. “A Common Language for Computer Security Incidents” 1998. http://www.cert.org/research/taxonomy_988667.pdf http://www.cert.org/research/taxonomy_988667.pdf
But who are these “31337 H4xØrz”? Not all are as elite as you (or they) may think…. …but first and foremost, they’re just criminals. Script Kiddies Real Hackers “Hacktivists” Terrorists Competitors (Foreign & Domestic) Organized Hacker groups Foreign Intelligence CyberWar THREATTHREAT CAPABILITY Organized Crime “If you’re a good hacker…everybody knows. If you’re a GREAT hacker…nobody knows.” If you’re a GREAT hacker…nobody knows.”-Anonymous
So what is “Incident Handling”? Incident Handling - Actions taken to protect and restore the normal operating condition of computers and the information stored in them when an adverse event occurs. Incentives for efficient incident handling: Economic Protecting Proprietary / Classified / Sensitive Information Operational / Business Continuity Public Relations Legal / Regulatory Compliance Safety
Determine what the problem is and to assess its magnitude Major sources of information Log files and syslog output Wrapper tools (e.g., TCP wrapper) Firewall logs (personal and network) Intrusion detection systems (IDS) and prevention systems (IPS) Analyze all anomalies Gather proof! Did something occur? How do you know?
Version Length TOS Total Length Identification Flags TTL Offset ProtocolHeader Checksum Source IP Address Destination IP address Options Data Understanding the dreaded IP Header
What should I be looking for? Are any IP Header fields suspect? Is the Source IP address suspect? Is odd fragmentation occurring? Does the size of the packet raise concerns? Are any TCP header fields suspect? Is the destination port a valid service? Does the traffic follow RFC standards? What are the timestamps of the traffic? Mandia, Kevin and Chris Prosise. “Incident Response: Fighting Computer Crime”. 2001. Osborne/McGraw Hill.
Event logs: Some Logon/Logoff Event IDs 528 - Successful Logon 529 - Logon Failure: Unknown user name or bad password 530 - Logon Failure: Account logon time restriction violation 531 - Logon Failure: Account currently disabled 532 - Logon Failure: The specified user account has expired 533 - Logon Failure: User not allowed to logon at this computer 534 - Logon Failure: User not granted requested logon type at this machine 535 - Logon Failure: The specified account’s password has expired 539 - Logon Failure: Account locked out 540 - Successful Network Logon (Win2000, XP, 2003 Only)
Event logs: Event IDs on your Domain Controller 675 – Failed logon from workstation (usually a bad password) 676/672 – Other AutN failure 681/680 – Failed logon with a domain account 642 – Reset PW or Disabled account was re-enabled 632/636/660 – User was added to a group 624 – New user account created 644 – Account lockout after repeated logon failures 517 – User cleared the logs
“Are you sure they did it?” - Electronic Discovery
Kai’s Tools and Tips…(see a common trend?) Process Explorer – Free tool that provides detailed process info. Task manager on steroids AutoRuns – Free util that checks all the startup folders and reg keys Wire Shark (formerly Ethereal)– Free OSS network sniffer. Very pretty. md5sum – Free file integrity verifier. Get a hash from a “known good” file. EventCombMT – Free event ID parser. Part of the …..there are TONS more free tools!
Upon Identification: Obtain full backup and copy any hacked files or bogus code for analysis If it’s likely you’ve been “Øwn3d”: Turn on or increase auditing Set system clock correctly Document! Document! Document! Initiate notification process The IR Team Your InfoSec contact Your PR people Your Legal team Law Enforcement!!!! Got proof….now what?
Digital Forensics First and foremost: Kai is not a lawyer. Always consult your local law enforcement agency and legal department first! Digital forensics is SERIOUS BUSINESS You can easily shoot yourself in the foot by doing it incorrectly Get some in-depth training …this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.) I just want to spend a few minutes showing you some common forensic tools and how they can help.
Encase – Guidance Software, Inc. http://www.guidancesoftware.com Very popular in private corporations EnScript Macro Language allows for creation of powerful scripts and filters to automate tasks Safely preview a disk before acquisition Picture gallery shows thumbnails of all images Virtually boot disk image using VMWare to allow first-hand view of the system
Forensic Tool Kit – Access Data, Inc. http://www.accessdata.com/ Full indexed searches in addition to regex searches Preprocess of all files, which makes for faster searching Data is categorized by type (document, image, email, archive, etc.) for easy sorting Ability to rule out “common files” using the Known File Filter plug-in Detection of encrypted / compressed files
Open Source Forensics Tools The Sleuth Kit (TSK) and Autopsy Written by Brian Carrier (www.sleuthkit.org) www.sleuthkit.org TSK is command line; Autopsy provides GUI for TSK. Runs on *nix platforms. Client server architecture allows multiple examiners to use one central server Allows basic recovery of deleted data and searching Lots of manual control to the investigator, but is light on the automation Helix – e-Fense Customized Knoppix disk that is forensically safe Includes improved versions of ‘dd’ Terminal windows log everything for good documentation Includes Sleuthkit, Autopsy, chkrootkit, and others Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools
“I have you now….” – D. Vader Digital Forensics “I have you now….” – D. Vader Digital Forensics
Acquiring Data should always be done carefully… Always preserve originals and ONLY work on copies! Utilize HW write blockers to ensure MAC times are not altered Your legal team and law enforcement will thank you!
Have a forensics jumpkit! Critical for the success of the investigation
Other stuff Some incidents may occur on a SAN or large servers with special complications Cannot go offline OR They have so much storage that it cannot be successfully imaged (or have RAID, so an image will be technically infeasible) The best option is still to perform some sort of backup, at least of the suspicious files and logs, then analyze them off-line A tape backup will not include all the information such as slack space data, but it may be the only alternative
Additional Microsoft Resources NEW! Fundamental Computer Investigation Guide For Windows NEW! Fundamental Computer Investigation Guide For Windows http://www.microsoft.com/technet/security/guidance/disasterre covery/computer_investigation http://www.microsoft.com/technet/security/guidance/disasterre covery/computer_investigation Windows Security Logging and Other Esoterica Windows Security Logging and Other Esoterica http://blogs.msdn.com/ericfitz/ The Security Monitoring and Attack Detection Planning Guide The Security Monitoring and Attack Detection Planning Guide http://www.microsoft.com/technet/security/topics/auditingandm onitoring/securitymonitoring/default.mspx http://www.microsoft.com/technet/security/topics/auditingandm onitoring/securitymonitoring/default.mspx Microsoft Windows Security Resource Kit v2.0. Microsoft Windows Security Resource Kit v2.0. ISBN: 0735621748
My Digital Forensics Reading List File System Forensic Analysis. Brian Carrier ISBN: 0-321-26817-2 Digital Evidence and Computer Crime. Eoghan Casey. ISBN: 012162885X Incident Response: Investigating Computer Crime. Kevin Mandia & Chris Prosise ISBN: 007222696X Hacking Exposed: Computer Forensics. Chris Davis, Aaron Phillip ISBN: 0072256753