Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to InfoSec – Recitation 13 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Published byAugusta Lamb Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to InfoSec – Recitation 13 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"— Presentation transcript:

1 Introduction to InfoSec – Recitation 13 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

2 Today What is Computer Forensics? Threat types Useful data sources Gathering information Malware Analysis Hunting Rootkits Expanding the search Planning to facilitate forensics and incident analysis

3 Forensics 101 We have a suspected machine / network installation You know little to nothing about the specific threat, and even less about how it got there You want to know everything! o How they got there o Find and fix any damage they’ve done o Find out if they took any sensitive information o Who they are, what do they want? o Finally – figure out how to prevent the next incident

4 Threat Types Non targeted attack – script-kiddies, botnets, drive-by downloads, toolbars, scam sites, etc. Targeted attack, a.k.a. APT (Advanced Persistant Threats) – o They know who you are o They’ll invest lots of resources to get what they want o Very hard to defend against o But if you do your work well – you’ll know what they did

5 Basic Data Sources Running process list, loaded Kernel module list Complete memory image – RAM + Swap Anything that’s changed in the suspected time frame (time since last major system change is a good start) Checking file signatures against ‘known good’ list (whitelist) Contents of config files – users, lowered hardening, anything an attack might want to change LOG FILES File / directory creation, modification and access times Network analysis – which machines download/upload more than they should? Which machines are talking to machines that they shouldn’t?

6 Gathering Information You could work in the client’s production environment But then you could make mistakes that will destroy valuable ‘bread crumbs’ and/or reveal information to the adversary You want a perfect memory snapshot, and a perfect disk image to take to the lab

7 Getting a snapshot of the system Getting the contents of the memory by asking the computer to hibernate / reading memory via FireWire Getting the contents of the disks by pulling the power immediately, and taking the disks to the lab

8 Disks or Memory – choose one! If the attacker was smart – her tools will hide better in a some scenarios o She’s put a hook on the hibernate function, to make the memory snapshot “clean”, and maybe even clean her rootkit from the disk o She might scrub her files off the disk after loading, only writing them back on a regular shutdown, or not at all… You may have a better tool (Liquid NO2 + magic) – but you’ll still have to choose one over the other

9 Malware Analysis First – a quick check against any known signatures Then, lots of looking for potential malware Once good candidates surface, lots of reverse engineering The goal is to spend as little time initially, to classify things as “interesting”, “maybe”, and “junk” Finally, start diving into the “interesting” and “maybe” bins You may find hints that will make you go back on the field and collect more information

10 Hunting Rootkits Nir touched upon offline scanning in the last exercise One of the simplest and most reliable tool to find a rootkit o test any resource via the API o Test again from a trusted machine, booting from a live-cd, accessing the data on the lowest level you can muster o Compare the two. Any difference should be worth your time! Very clever rootkits may detect a process that is walking the entire namespace, and revert to “innocent” operation. Very very rare.

11 Expanding the Search You’ve identified a threat Next step is to build a detector, and spread it as far as you can Gather more information from new infections you found Continue to learn more about the attacker … Repeat

12 Planning for Forensics Instead of reacting – we can plan the system / network to facilitate forensics, and make it much harder for the attacker Logging should be local AND network based, in multiple locations, and logging servers should be extremely secure Logging should be as deep as possible (forever is a good depth) Log anything important, especially anything touching the core secrets of the company Keep ‘good’ system images for important machines, and again – depth is your friend Keep an exact and central log for any maintenance event, to help quickly filter these events later on

13 Monitoring Find a SOC (Security Operations Center) solution that suits you, and USE it! Build rules to filter out the noise Build rules to highlight important events Central logging will permit high-order anomaly detection, data clustering and machine learning based filtering to help you analyze all that data If possible – make this system report to the system administrators in real-time! The key is to actively look for the threats, not just install-and-forget…

14 Questions?

Download ppt "Introduction to InfoSec – Recitation 13 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)"

Similar presentations

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.
Lesson 4 : Computer Literacy Basics Laquan Hale. Maintenance Issues To maintain optimal performance, you have to keep up with your hardware. Even if you.

Lesson 4 : Computer Literacy Basics Laquan Hale. Maintenance Issues To maintain optimal performance, you have to keep up with your hardware. Even if you.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Cosc 4765 Cleaning up.. So… The Windows machine has been infected/comprised or just “acting funny”. How to clean it up. Hope you have backups…

Cosc 4765 Cleaning up.. So… The Windows machine has been infected/comprised or just “acting funny”. How to clean it up. Hope you have backups…
AVG- Protecting those who are vulnerable.  Free Anti-Virus Software ◦ J.R. Smith President of AVG oversees a lineup of antivirus products used by 110.

AVG- Protecting those who are vulnerable.  Free Anti-Virus Software ◦ J.R. Smith President of AVG oversees a lineup of antivirus products used by 110.
ITMS- 3153 Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.

ITMS Information Systems Security 1. Malicious Code Malicious code or rogue program is the general name for unanticipated or undesired effects in.
Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
How (not) to use your firewall Jurjen N.E. Bos Information Security Consultant.

How (not) to use your firewall Jurjen N.E. Bos Information Security Consultant.
1 UNIX Postmortem Mark Henman. 2 Introduction For most system administrators, there is no question that at some point at least one of their systems is.

1 UNIX Postmortem Mark Henman. 2 Introduction For most system administrators, there is no question that at some point at least one of their systems is.
Pacific North West Honeynet Project Dave Dittrich The Information School University of Washington DIMACS Large Scale Attack Workshop, Sept. 23, 2003.

Pacific North West Honeynet Project Dave Dittrich The Information School University of Washington DIMACS Large Scale Attack Workshop, Sept. 23, 2003.
Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar Aneela Laeeq
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CH 13 Server and Network Monitoring. Hands-On Microsoft Windows Server 20082 Objectives Understand the importance of server monitoring Monitor server.

CH 13 Server and Network Monitoring. Hands-On Microsoft Windows Server Objectives Understand the importance of server monitoring Monitor server.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Virtual Memory Tuning   You can improve a server’s performance by optimizing the way the paging file is used   You may want to size the paging file.

Virtual Memory Tuning   You can improve a server’s performance by optimizing the way the paging file is used   You may want to size the paging file.
Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.

Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.

Similar presentations

Ads by Google