UTSA IS 3523 Incident Detection/Response Roesch on the Threat “The propagation of automated tools for auto-hacking with the fact that less and less sophisticated attackers getting their hands on these tools is really going to cause big problems.” Martin Roesch CEO, Sourcefire SNORT Lead Developer
UTSA IS 3523 Incident Detection/Response Initial Response
UTSA IS 3523 Incident Detection/Response Freeze the Incident Scene Verbally contain the scene with instructions such as: “Take your hands off the keyboard and step away from the computer.” “Physically disconnect the computer from the network.” “What is your name, office and telephone number.” “What is the hardware and operating system?” “I’m going to fax you a set of instruction. What is your Fax number?” Off-scene Response
Incident Response Checklist Version 1.0 Date: Time: Name: Telephone Number: Nature of Incident: Time of Incident: How was the incident detected: Current Impact of Incident: Future Impact of incident: Description of the incident: Hardware/OS/Software involved: IP and network addresses of compromised systems: Network Type: Modem: Criticality of Information: Physical location: System Administrator Name and Number: Current status of machine: Description of Hacker Actions Ongoing activity: Source Address: Malicious program involved: Denial of Service Vandalism: Indication of insider or outsider:
Incident Response Checklist Continued Version 1.0 Client Actions Network disconnected: Remote access available: Local Access available: Audit logs available and examined: Any changes to firewall: Any changes to ACL: Who has been notified: Other actins taken: Available Tools Third party host auditing: Network monitoring: Network Auditing: Additional Contacts Users: System Administrators: Network Administrators: Special Information Who should not know about this incident: Response Team Member Signature/Date:__________________________________
Incident Response Team Fax Version 1.0 Date:_____________ Time:____________ Name:_______________________ Thank you for notifying the incident response team and agreeing to help. Please do not touch the affected computer(s) unless told to do so by a member of the Incident Response team. Please remain within sight of the computer until a member of the Incident Response Team arrives and assure that no one touches the computer. Please help us by detailing as much information about the incident as possible. Please complete the following items. If additional space is required use a separate sheet of paper. Witnesses: What indicators lead you to notice and/or report the incident. Be as specific as possible. Incident Indicators: The next section is important so be as accurate as possible. From the time you noticed the incident to the time you took your hands from the computer, list every command you typed and any file you accessed. Commands typed and Files accessed: Response Team Member Signature:______________________________________-
UTSA IS 3523 Incident Detection/Response Physically contain the scene Two personnel, if possible, should immediately respond to the scene Incident Scene Survey (1 st Member) Use a portable tape recorder to: 1. Record the scene 2. Everyone present Order everyone to leave the scene who is not directly involved in the incident 3. Interview the individual who reported the incident 4. Record, intermittently, the actions of the 2nd individual 5. Assist the 2 nd Member On-scene Response
UTSA IS 3523 Incident Detection/Response Contain the System (2nd Member) Ask the System Administrator to assist. Back up the system. Do this with forensic type tool that does bit-by-bit backup such as SafeBack at Alternatively, remove the drive and seal it in a plastic bag with your notes and the notes of the individual who reported the incident Attempt to identify the changed files through: Tripwire or alternatively Expert Witness at On-Scene Response Continued
Incident Investigation & Assessment
UTSA IS 3523 Incident Detection/Response Knowing Architecture and Policies Review Network Topology External connectivity Internet Extranet Dial-up Remote Sites Network Devices: Routers, Firewall, IDS Broadcast domains Review the Corporate Policies with regard to Acceptable use policies Network Monitoring Computer Forensics
UTSA IS 3523 Incident Detection/Response System administrator selected questions include: Unusual Activity? Administrative Access to System?. Remote Access to Systems? Logging Capabilities? Current Security Precautions? Managers selected questions include: On-going Security tests? Disgruntled employees? Recently fired employee? History of current employees? Sensitive data or applications on the systems? End users selected questions include: Anomalous Behavior or Suspicious activity? Conducting Personnel Interviews
UTSA IS 3523 Incident Detection/Response Assess the potential security Incident What are the incident symptoms? Is it a security incident? A system problem? Power outage Faulty software Communication problems Procedural problem Training Problem Initial Assessment
UTSA IS 3523 Incident Detection/Response Evaluate the severity & scope of incident What specifically happened? What was the entry point? What local computers/networks were affected? What remote computers/networks were affected? What information was affected? What was its value to the organization? What further can possibly occur? Who else knows about the incident? What are the estimated time/resources required to handle the incident. Initial Evaluation
UTSA IS 3523 Incident Detection/Response A new account Passwords were changed on existing accounts The protection changed on selected files/devices New SUID and SGID programs have been found System programs have been added/modified An alias has been installed in the system to run a program New features have been added to your news or UUCP system Password sniffer was found (Steal passwords to use Crack) File dates have been modified Login files have been modified The system has an unexplained crash Accounting discrepancies Denial of Service Unexplained poor system performance Suspicious probes/browsing Incident Indications
UTSA IS 3523 Incident Detection/Response Undocumented changes or upgrades to programs Unexplained user account charges or changes Security Access compromise (passwords, etc) Unauthorized use of computer facilities Unexplained network/computer crashes Unexplained corrupted files or services Theft/missing computer/storage equipment Unexplained Performance/response problems Unexplained High utilization of equipment, storage or network resources Unexplained loss of critical/sensitive data Unexplained user account lockouts Unexplained Network traps/alarms Unexplained Firewall/IDS alerts/alarms Incident Indications continued
UTSA IS 3523 Incident Detection/Response All systems/networks are suspect until the actual extent of the incident is known Verify integrity of all site computers Verify integrity of all site networks Verify integrity of all files/directories (checksums) Compare system files with backups or initial distributions Compare software application with the baseline Analyze the documentation, files and security logs Initial Steps Be careful not to contaminate the crime scene
UTSA IS 3523 Incident Detection/Response Pathways All data leaves a trail. The search for data leaves a trail. The erasure of data leaves a trail. The absence of data, under the right circumstances, can leave the clearest trail of all. Pathways All data leaves a trail. The search for data leaves a trail. The erasure of data leaves a trail. The absence of data, under the right circumstances, can leave the clearest trail of all. “This Alien Shore”, C. S. Friedman (C) 1998
UTSA IS 3523 Incident Detection/Response Computer Forensics Basic Principles Investigate as if LE will be called in and the attackers will be prosecuted Principle 1 - Preserve the evidence in an unchanged state Principle 2 - Document the investigative process…thoroughly and completely
UTSA IS 3523 Incident Detection/Response Forensics Terminology Evidence Media: Original media that needs to be investigated Target Media: the media that the evidence media is duplicated onto Restored Image: Copy of the forensic image restored to bootable form Native Operating System: OS utilized when the evidence media or forensic duplicate is booted for analysis Live Analysis: A analysis conducted on the original evidence media Off-line Analysis: Analysis conducted on the forensic image Trace Evidence: Fragments of information from the free space, etc.
UTSA IS 3523 Incident Detection/Response Best Evidence Rule Common Mistakes include: Altering time and date stamps Killing rogue processes Patching the system before the investigation Not recording commands executed on the system Using un-trusted commands and binaries Writing over potential evidence: Installing software on the evidence media Running program that store output on evidence media. FRE 1001(3) "...if data are stored on a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'Original.'"
UTSA IS 3523 Incident Detection/Response Evidence Chain of Custody Prosecution is responsible for proving that which is presented in court is that which was originally collected. An Evidence Chain of Custody must be maintained Create an Evidence Tag at the time of collection A designated Evidence Custodian with a Laptop to generate the Evidence Tags Date and Time Case Number Evidence Tag number Evidence Description Individual receiving the evidence and Date Each time the evidence moves from one person to another or from one media to another must be recorded
UTSA IS 3523 Incident Detection/Response Forensic Image Initial Response: power system down or work it online? Volatile Data: if powered down then volatile data lost Memory State of of Network connections State of running Processes Useful Windows NT/2000 commands/utilities date, time, loggedon, netstat, fport, pslist, nbtstat, and doskey Useful Unix commands w, netstat -amp, lsof, ps, netstat, script
UTSA IS 3523 Incident Detection/Response BIOS Review Review the Basic Input/Output System (BIOS) before beginning a duplication to determine: Basic geometry of the hard drive on the target System Document the hard drive setting to include maximum capacity, cylinders, heads, and sectors For proper recovery by the original OS the partitions should be aligned on the cylinder boundaries Determine the Boot Sequence on the target System - Floppy drives- Network - PCMCIA Card - CD-Rom - Hard Drive Throughout the forensics process do not forget the basics…assume nothing.
UTSA IS 3523 Incident Detection/Response Forensic Duplication Three Forensic Duplication Approaches 1. Remove the storage media and connect it to a Forensics Workstation Document the system details to include serial number, jumper settings, visible damage, etc Remove media from target system and connect it to the forensics workstation Image the media using Safeback, the Unix dd utility or EnCase Forensics Workstations Safeback EnCase DiskPro
UTSA IS 3523 Incident Detection/Response Forensic Duplication Continued 2. Attach a hard drive to the Target Computer Make sure the target computer works as expected 3. Image the storage media by transmitting the disk image over a closed network to the forensics Workstation Establish a point-to-point interface from evidence system to forensics workstation using an Ethernet Switch of Ethernet cross-connect cable Perform MD5 computation on both the original and target system Don’t forget to document the process you used
The Computer Forensic Process Forensic duplicatio n? Use Safeback Use dd Use EnCase Use Other Forensic Software Yes Create DOS Controlled Boot Floppy Create Linux Controlled Boot Floppy Create DOS Controlled Boot Floppy ?? Make Safeback Image Files (.SFB) Make dd Duplication File Make EnCase Evidence Files (.E00) ?? Restore Safeback Image Files to a Separate Hard Drive for Analysis Use EnCase Operating Environment to Analyze Drive Content If the drive is Windows OS, will likely have to restore drive to separate media. ??
UTSA IS 3523 Incident Detection/Response Forensic Analysis Physical Analysis--performed on the forensic image only! Perform a String Search Sting Search Perform a Search and Extract Looks for file types File Formats Extract File slack and/Free Space Free Space: Hard Drive space not allocated to a file and deleted file fragments. Slack Space: Space left when a minimum block size is not filled by a write operation. NTI Tool Suite
UTSA IS 3523 Incident Detection/Response Forensic Analysis Continued Logical Analysis. Partition by partition analysis of each file Typical process includes: Mount each partition in read-only mode under Linux Export the partition via SAMBA to the forensics system Examine each file with the appropriate file viewer Typical Lists created: Web Sites addresses Specific Key words, etc Quick View Plus HandyVuehttp://shop.store.yahoo.com/repc/handyvue.html
UTSA IS 3523 Incident Detection/Response Common Forensics Mistakes Failure to Maintain through complete documentation Failure to control access to digital information Underestimate the scope of the incident Failure to report the incident in a timely manner Failure to provide accurate information No incident response plan Plan, control, document, report
UTSA IS 3523 Incident Detection/Response Closing Thought “If an organization is going to make the effort to secure its systems it must make every effort to respond to security breaches…the only failure to good security planning is to fail to plan a response action for a breach in that security.” Rob Kaufman
UTSA IS 3523 Incident Detection/Response Summary Prepare for incidents Perform initial assessment Evaluate crime scene Conduct forensics--D 3