Recognizing Attacks (presentation transcript)

Slide 1: Recognizing Attacks

Slide 2: Recognition Stances

Slide 3: Leading Questions
- Is it a real break-in?
- Was any damage really done?
- Is protecting evidence important?
- Is restoring normal operation quickly important?
- Willing to chance modification of files?
- Is no publicity important?
- Can it happen again?

Slide 4: Document Actions
- Start a notebook
- Collect printouts and backup media
- Use scripts
- Get legal assistance for evidence-gathering
- PLAN AHEAD

Slide 5: Finding the Intruder
- Finding changes
- Receiving a message from another system administrator / net defender
- Strange activities
- User reports

Slide 6: Steps in Handling
1. Identify/understand the problem
2. Contain/stop the damage
3. Confirm diagnosis and determine damage
4. Restore system
5. Deal with the cause
6. Perform related recovery

Slide 7: Dealing with the Intruder
- Ignore intruder
  – Dangerous
  – Contrary to policy/law?
- Communicate with intruder
  – Dangerous
  – Low return
- Trace/identify intruder
  – Watch for traps / assumptions
  – Network and host options
  – Phone logs
- Break intruder's connection
  – Physically
  – Logically (logout, kill processes, lock account)

Slide 8: Asking for Help
- CERT, FIRST, law enforcement, etc.
- Don't use the infected system
- Avoid using email from connected systems

Slide 9: Finding Damage
- What have affected accounts done lately?
  – Missing log files?
  – What has root done?
  – What reboots have occurred?
  – Unexplained error messages?
  – Connections from/to unfamiliar sites?
  – New hidden directories?
- Integrity checkers
  – Changed binaries?
  – Changed configuration files?
  – Changed library files?
  – Changed boot files?
  – Changed user files?

Slide 10: Dealing with Damage
- Delete unauthorized account(s)
- Restore authorized access to affected account(s)
- Restore file / device protections
- Remove setuid/setgid programs
- Remove unauthorized mail aliases
- Remove added files / directories
- Force new passwords
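As an added example (not from the slides), the Python below is a minimal integrity checker in the spirit of slides 9 and 10: it records hash, mode and size of every file under a directory, diffs two baselines to surface changed, added and removed files, and sweeps for setuid/setgid programs. The directory to scan and the baseline format are assumptions.

```python
"""Added example (not from the slides): baseline-and-diff integrity check plus a
setuid/setgid sweep. Root directory and baseline format are assumptions."""
import hashlib
import stat
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, mode and size of every regular file under root.
    Symlinks are skipped so a link cannot masquerade as the file it points to."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "mode": st.st_mode, "size": st.st_size}
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Changed binaries/configs, new (possibly hidden) files, and removed files
    (for example deleted logs) between a known-good baseline and a fresh scan."""
    return {"changed": sorted(k for k in old if k in new and old[k] != new[k]),
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}


def find_setid(root: Path) -> list:
    """Files with the setuid or setgid bit set: candidates for slide 10's cleanup."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            if p.stat().st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


if __name__ == "__main__":
    import json, sys
    root = Path(sys.argv[1])  # e.g. a bin directory; keep the JSON as the baseline
    print(json.dumps(build_baseline(root), indent=1))
    print("setuid/setgid files:", find_setid(root), file=sys.stderr)
```

Run it once on a clean system and store the output offline (the slides' point about not trusting the infected system applies to the baseline too); after an incident, rescan and feed both baselines to compare().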

Slide 11: Resume Service
- Patch and repair damage, enable further monitoring, resume
- Quick scan and cleanup, resume
- Call in law enforcement -- delay resumption
- Do nothing -- use corrupted system

Slide 12: Dealing with Consequences
- Was sensitive information disclosed?
- Who do you need to notify formally?
- Who do you need to notify informally?
- What disciplinary action is needed?

Slide 13: Moving Forward
- What vendor contacts do we need to make?
- What other system administrators should be notified?
- What updated employee training is needed?

Slide 14: Netwar
- Individual: affect key decision-maker
  – Ems telegram
  – Gulf War marines
- Corporate: affect environment of decision
  – Zapatista peso collapse
  – Vietnam protests
  – Intifada / Cyber-Intifada?
- Strategic: combination of all previous

Slide 15: Example: Zapatista Cyberstrike
- Mid-1990s rebellion in Mexico
- Military situation strongly favored the Mexican Army
- Agents of influence circulated rumors of peso instability
- Peso crash forced the government to the negotiating table
- Compounded by intrusions into Mexican logistics

Slide 16: Building Understanding (diagram labels)
- Internet Behavior
- Intrusions/Responses
- Threats/Counters
- Vulnerabilities/Fixes
- Operators/Groups
- Victims
- Stimuli/Motives
- Opportunities

Slide 17: Analysis Process
- Incident Information Flow
- Identify Profiles and Categories
- Isolate Variables
- Identify Data Sources
- Establish Relevancy
- Identify Gaps

Slide 18: One Effort: Looking Inside the Noise (chart labels)
- Network Activity Example
- Overall Activity: Several Gbytes/day
- Noise: Below the Radar

Slide 19: Low-Packet Filtering
- It's hard to use TCP without generating a lot of packets
  – Negotiation, transmission, configuration, error checking
- Few legitimate low-packet sessions possible
  – Mostly web access

Slide 20: Low-Packet Traffic

Slide 21: Flow Based Detection
- Scans and probes
- Distributed tools
- Worm/virus propagation
- ???
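The filtering idea of slides 19 to 21 as an added Python example (not from the slides): flow records are reduced to the TCP flows with too few packets to be a real session, and sources whose short flows touch many distinct hosts are reported as probable scans or probes. The record layout, the thresholds and the sample flows are all constructed assumptions, not captured data.

```python
"""Added example (not from the slides): low-packet TCP flow triage.
Record format 'src,dst,proto,dport,packets,bytes' and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample flows (not real traffic): two full web sessions, one source
# sending single-packet flows to port 22 on four hosts, one short web flow, one DNS.
SAMPLE_FLOWS = """\
10.0.0.5,192.0.2.10,tcp,80,42,31337
10.0.0.5,192.0.2.11,tcp,443,58,52000
203.0.113.7,10.0.0.1,tcp,22,1,60
203.0.113.7,10.0.0.2,tcp,22,1,60
203.0.113.7,10.0.0.3,tcp,22,1,60
203.0.113.7,10.0.0.4,tcp,22,1,60
198.51.100.9,10.0.0.9,tcp,80,2,120
10.0.0.8,198.51.100.3,udp,53,1,75
"""


def parse_flows(text):
    """Turn CSV flow lines into dicts; blank and '#' comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "packets": int(pkts),
                      "bytes": int(nbytes)})
    return flows


def low_packet_tcp(flows, max_packets=3):
    """TCP flows too short for handshake plus data (slide 19). UDP is left out
    because a one-packet DNS query is normal there."""
    return [f for f in flows if f["proto"] == "tcp" and f["packets"] <= max_packets]


def suspected_scanners(flows, min_targets=3):
    """Sources whose low-packet TCP flows reach many distinct hosts (slide 21's
    scans and probes). Returns {src: sorted list of hosts touched}."""
    targets = defaultdict(set)
    for f in low_packet_tcp(flows):
        targets[f["src"]].add(f["dst"])
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"{len(low_packet_tcp(flows))} of {len(flows)} flows are low-packet TCP")
    for src, hosts in suspected_scanners(flows).items():
        print(f"{src} touched {len(hosts)} hosts with short flows: {', '.join(hosts)}")
```

The single short web flow from 198.51.100.9 stays below min_targets and is not reported, which is the kind of legitimate low-packet session slide 19 allows for.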

Slide 22: Challenges to Analysis
- Gathering sufficient datasets to make statistically valid judgments
- Developing automated technical analysis tools
- Developing a reliable methodology for cyber-analysis
- Overcoming organizational bias against sharing information

Slide 23: Limits of Analysis
- Inherently partial data
- Baseline in a dynamic environment
- Correlation vs. causation
- Implications
  – Need to be cautious in the kinds of conclusions drawn
  – Consider strategies for dealing with trends gone wrong

Slide 24: Summary
- Incidents are not proof of bad administration
- Lots of effort involved in handling incidents
- Need proactive, strategic planning to reduce costs and improve handling
