
Slide 1: Copyright John “Four” Flynn 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 2: Modern Incident Response Tools and Techniques
John “Four” Flynn - GWU

Slide 3: Obligatory Overview Slide
- Rootkits
  - What they are
  - How they work
  - Discovery techniques
- Detecting Rootkits
- FRISK/IR
  - Best tool ever made
  - No upwardly sloping charts

Slide 4: Rootkits
- Definition
  - Post exploitation
  - Hide actions on the host
- Why is this a threat?
  - Difficult to detect
  - Difficult to remove

Slide 5: A Little History
- Binary modification
- Tripwire
- Rootkit techniques

Slide 6: Rootkits
- Privilege Levels – Ring 0, 3
  - Intel supports 4 levels, why not use them?
- Kernel Mode vs. User Mode
  - Kernel mode means full write access to ALL of memory

Slide 7: User Mode Rootkits
- Win32 API vs. Native API
- PE file format
- Import Table Hooking


Slide 9: Obtaining Ring 0
- Exploiting the Kernel
  - Symantec FW DNS mishandling vuln
  - Old and patched but illustrative
- Device Drivers
- Other Kernel Overflows/Exploits

Slide 10: Kernel Mode Techniques
- System Dispatch Table Hooking
- Process Unlinking
  - Remove pointer to EPROCESS structure
  - Process still gets CPU time!
- DKOM – (FU)
- Hoglund’s 2 bit patch
- Sky is truly the limit

Slide 11: Detecting Rootkits
- Execution Path Analysis
  - See where the PE Import Pointers go
  - Walk the dispatch table and follow pointers
- API Diff
  - Compare Results from Win32 vs. Native API
- Kernel Data Structure Analysis
  - Process Table
  - Kernel Dispatcher Thread Table
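The cross-view idea behind slides 10 and 11 (a process unlinked from the kernel's process list still owns threads the dispatcher schedules, so two views of "which processes exist" disagree), as an added Python illustration that is not part of the presentation or of FRISK; the process list, thread table, names and pids are constructed stand-ins for the kernel structures:

```python
# Cross-view hidden-process check (added illustration, not FRISK's own code).
# The process list and thread table are constructed stand-ins for the kernel's
# EPROCESS list and the dispatcher's thread table described in the slides.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Proc:
    pid: int
    name: str
    flink: Optional["Proc"] = None  # next list entry
    blink: Optional["Proc"] = None  # previous list entry

def build_process_list(entries):
    """Link constructed (pid, name) pairs into a circular doubly-linked list."""
    procs = [Proc(pid, name) for pid, name in entries]
    for i, p in enumerate(procs):
        p.flink = procs[(i + 1) % len(procs)]
        p.blink = procs[(i - 1) % len(procs)]
    return procs

def unlink(p):
    """Simulate the unlinking from the slides on the test data: the list now
    bypasses p, but its threads are untouched and keep getting CPU time."""
    p.blink.flink = p.flink
    p.flink.blink = p.blink

def walk_process_list(head):
    """What a list-walking enumeration reports: pids reachable from head."""
    pids, node = [], head
    while True:
        pids.append(node.pid)
        node = node.flink
        if node is head:
            return pids

def scheduler_view(thread_table):
    """Pids owning threads in the (tid, owner_pid) dispatcher table."""
    return sorted({owner for _tid, owner in thread_table})

def hidden_processes(list_view, thread_view):
    """Cross-view diff: scheduled pids that the list walk does not show."""
    return sorted(set(thread_view) - set(list_view))

def demo():
    procs = build_process_list([(4, "System"), (612, "lsass.exe"),
                                (1337, "backdoor.exe"), (2048, "explorer.exe")])
    threads = [(8, 4), (616, 612), (1340, 1337), (1341, 1337), (2052, 2048)]
    unlink(procs[2])  # hide pid 1337 in the constructed data
    return hidden_processes(walk_process_list(procs[0]), scheduler_view(threads))
```

Tools such as Klister take the same approach against the real dispatcher thread table; the point of the diff is that an attacker must hide consistently in every view a responder can read.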

Slide 12: I Lied: Upward Sloping Chart

Slide 13: A losing battle?
- Intrinsic Problem: Full Memory Write Access = Infinite possibilities
- Live response vs offline analysis
  - Offline Analysis will catch all of these threats
  - Offline analysis is expensive
- So is doing incident response worth it?

Slide 14: Incident Response in Higher-Ed
- Small number of security staff
- Relatively high number of incidents due to “open network” policies
- Distributed support network
- Massive number of endpoints
- Sound Familiar?

Slide 15: The Solution: FRISK/IR
- Flexible HTML template-driven output system
- Secure uploading of results to a central location
- Robust plugin architecture
- Forensically Sound and Automated
- Open Source, Perl Based, Clean Design
- Perform Response on Critical Systems Quickly


Slide 18: FRISK: Secure Uploads
- HARD problem
  - Assume credentials can be stolen
- Authenticated SSL Upload
  - Communication with a CGI script
- View data with a different set of credentials


Slide 20: FRISK - Plugins
- Perl Based
- OS Aware
- Can call 3rd-party binary or perform operations directly in Perl
- Hope to start a Nessus-style update system

Slide 21: FRISK/IR
- Forensically Sound
  - Never touches disk on local system
  - Can be run from read-only media (CD-ROM)
- Plugin System
  - Easy to write and add new plugins
  - Full Perl!
- Automatic Update… (soon)

Slide 22: Rootkit detection
- VICE: Execution Path Analysis
- RootkitRevealer: Win32 API vs Raw Reads (reg/fs)
- Klister – Lists Threads used by Kernel Dispatcher
- Blacklight
- Rkdetector
- Strider Ghostbuster - offline vs. online diff
- FHS – Find Hidden Service
- Unhackme
- Others…


Slide 24: Conclusions
- While live response is imperfect, it is often our first and most important line of defense
- Thanks for your attention!
- Please help me make FRISK even better!

Slide 25: References/Links
- www.sourceforge.net/projects/frisk
- www.rootkit.com
- “Step into the Ring 0” – Barnaby Jack, eEye
- Greg Hoglund – Exploiting Software
- James Butler – Misc Papers
- Holy Father – Papers on hxdef etc

