Incident Response Introduction. Risk Analysis. Risk Management. Outline of threats. Data Loss. Fundamentals.

Transcription

1 Stateful PIX/ASA firewall Incident Response Introduction. Risk Analysis. Risk Management. Outline of threats. Data Loss. Fundamentals. Eve Bob Trent Bob Alice

2 Inc Response Types Stateful PIX/ASA firewall Some data breaches Author: Author: Prof Bill Prof Buchanan Bill Buchanan

3 Incident Response Stateful PIX/ASA firewall Incident Taxonomy Author: Author: Prof Bill Prof Buchanan Bill Buchanan

4 Stateful PIX/ASA firewall

5 Incident Response Stateful PIX/ASA firewall Data Sources/Timeline Author: Author: Prof Bill Prof Buchanan Bill Buchanan

6 Introduction Incidents Intruder Before Incident During Incident After Incident Intrusion Detection Incidents Stateful PIX/ASA firewall Author: Author: Prof Bill Prof Buchanan Bill Buchanan

7 Data states Inc. Response Data in-motion, data in-use and data at-rest Stateful PIX/ASA firewall Eve Switch Data inmotion Firewall Domain name server Bob Intrusion Detection System Data atrest Internet Firewall Router Database server Data inuse Data atrest Web server server FTP server Proxy server DMZ Intrusion Detection System Alice

8 Introduction Incidents Intruder Before Incident During Incident After Incident Data At Rest Timeline Files, Directories, File Rights, Domain Rights, etc. File changes, File CRUD (Create, Delete, Update, Delete), Thumbprints Data In-Motion Data In-Process Network scanners, Intrusion Detection Systems, Firewall logs, etc Processes, Threads, Memory, etc. Network packet logs, Web logs, Security logs Security Log, Application Log, Registry, Domain Rights. Author: Author: Prof Bill Prof Buchanan Bill Buchanan Incidents Stateful PIX/ASA firewall

9 Inc Response Introduction Four Stateful Vs PIX/ASA of Big firewall Data V- Velocity [Speed of data generation] V- Veracity [Trustworthiness] Eve V- Variety [Different forms of data] Bob Firewall Router Switch Alice Management report Sales analysis Targeted marketing Trending/Correlation Incident Response Web server server FTP server Proxy server Intrusion Detection System V- Volume [Scale of data]

10 Inc Response Introduction Web Services IT Ops Network/Security Apache. IIS. Nagios. NetApp. Cisco UCS. Syslog/SNMP. Cisco NetFlow. Snort. Database Sys Eve Oracle. My SQL. Microsoft SQL. Bob Firewall Router Switch Alice Structured Data CSV. JSON. XML. Microsoft Infrastructure Web server Weblogic. WebSphere. Tomcat server FTP server Proxy server Intrusion Detection System AWS Cloudtrail. Amazon S3. Azure. Active Directory. Exchange. SharePoint. Application Serv Cloud Stateful PIX/ASA firewall Data Capture

11 Inc Response Introduction Investigation Stateful PIX/ASA firewall sources Trusted partners Internal systems Eve Bob Firewall Router Cloud service providers Communication service providers Web server server FTP server Proxy server

12 Inc Response Introduction Eve Device switch-on Phone call Wifi connect Facebook post Web page access Tweet send Corporate login Time line Cloud service providers Communication service providers Call record Location record Logs/ Web log Web services Device logs System Log Internet cache Web/Domain Log Basic Stateful PIX/ASA timeline firewall

13 Inc Response Introduction Stateful PIX/ASA firewall Eve Eve Logs/alerts SIEM Package (Splunk) Bob Security alerts News feeds

14 Incident Response Stateful PIX/ASA firewall Patterns of Intrusion Author: Author: Prof Bill Prof Buchanan Bill Buchanan

15 Inc Response Types Typical pattern Stateful of PIX/ASA intrusion firewall Intruder gains public information about the systems, such as DNS and IP information Intruder gains more specific information such as subnet layout, and networked devices. Intrusion Detection Outside reconnaissance Intrusion Detection Inside reconnaissance Intrusion Detection Eve Bob From code yellow to code red... Exploit Intruder finds a weakness, such as cracking a password, breaching a firewall, and so on. Profit Data stealing, system damage, user abuse, and so on. Intrusion Detection Foothold Once into the system, the intruder can then advance up the privilege levels, Intrusion Detection Author: Author: Prof Bill Prof Buchanan Bill Buchanan

16 Inc Response Types Cyber Kill Chain Stateful PIX/ASA firewall Preparation (hrs to mons) Reconnaissance Weaponization Intrusion (minutes) Delivery Eve From code yellow to code red... Explotation Bob Action on Objective Command and Control Active Breach (months) Installation Author: Author: Prof Bill Prof Buchanan Bill Buchanan

17 Incident Response Stateful PIX/ASA firewall Risk Analysis Author: Author: Prof Bill Prof Buchanan Bill Buchanan

18 Introduction Risk analysis Risk analysis (Cost/likelihood) Stateful PIX/ASA firewall Intruder Cost High cost Low cost High likelihood High Likelihood, High Cost - Maybe worth mitigating against. Highly Likely, Low Cost - Worth mitigating against Low Likelihood, High Cost - Probably not worth mitigating against Low Likelihood, Low Cost - Maybe worth mitigating against. Low likelihood Likelihood Author: Author: Prof Bill Prof Buchanan Bill Buchanan

19 Stateful PIX/ASA firewall

20 Stateful PIX/ASA firewall

21 Incident Response Stateful PIX/ASA firewall Risk Management Author: Author: Prof Bill Prof Buchanan Bill Buchanan

22 Stateful PIX/ASA firewall

23 Stateful PIX/ASA firewall

24 Stateful PIX/ASA firewall

25 Incident Response Stateful PIX/ASA firewall Some Threats

26 Stateful PIX/ASA firewall Risk 2: Rogue SSID/Gateway Free Moonbucks Wireless Rogue Gateway Moonbucks Wireless Internet Gateway

27 Stateful PIX/ASA firewall Risk 3: Lack of Separation Business Life Home Life Corporate Firewall

28 Stateful PIX/ASA firewall Risk 4: One Password Fits All 150 million accounts compromised 47 million accounts 6.5 million accounts (June 2013) # Count Ciphertext Plaintext EQ7fIpT7i/Q= j9p+hwtwwt86amjgzflzyg== L8qbAD3jl3jioxG6CatHBw== password BB4e6X+b2xLioxG6CatHBw== adobe j9p+hwtwwt/ioxg6cathbw== djv7ZCI2ws= qwerty dqi0aswpyvq= LqYzKVeq8I= PMDTbP0LZxu03SwrFUvYGA== photoshop e6mpxq5g6a8= One account hack leads to others 1 million accounts in plain text. 77 million compromised Dropbox compromised ,000 client accounts

29 Stateful PIX/ASA firewall Risk 4: One Password Fits All 150 million accounts compromised # Count Ciphertext Plaintext EQ7fIpT7i/Q= j9p+hwtwwt86amjgzflzyg== L8qbAD3jl3jioxG6CatHBw== password BB4e6X+b2xLioxG6CatHBw== adobe j9p+hwtwwt/ioxg6cathbw== djv7ZCI2ws= qwerty dqi0aswpyvq= LqYzKVeq8I= PMDTbP0LZxu03SwrFUvYGA== photoshop e6mpxq5g6a8= Two-factor everything in the Cloud

30 Risk 5: Device Poisoning Who has this IP address ( )? ARP Poisoning Here is my MAC address (11:22:33:44:55:66) Gateway ( ) DHCP Request... Here is your IP address, Gateway, and DNS IP Here is my MAC address (22:33:44:55:66) DHCP 314 DHCP Discover - Transaction ID 0x3d1d Frame 1: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits) Ethernet II, Src: Grandstr_01:fc:42 (00:0b:82:01:fc:42), Dst: Broadcast (ff:ff:ff:ff:ff:ff) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67) Eve DNS Poisoning Eve DHCP 342 DHCP Offer - Transaction ID 0x3d1d Frame 2: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) Ethernet II, Src: DellComp_ad:f1:9b (00:08:74:ad:f1:9b), Dst: Grandstr_01:fc:42 (00:0b:82:01:fc:42) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68) DHCP 314 DHCP Request - Transaction ID 0x3d1e Frame 3: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits) Ethernet II, Src: Grandstr_01:fc:42 (00:0b:82:01:fc:42), Dst: Broadcast (ff:ff:ff:ff:ff:ff) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67) DHCP 342 DHCP ACK - Transaction ID 0x3d1e Frame 4: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) Ethernet II, Src: DellComp_ad:f1:9b (00:08:74:ad:f1:9b), Dst: Grandstr_01:fc:42 (00:0b:82:01:fc:42) Internet Protocol Version 4, Src: ( ), Dst: ( ) User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68) Stateful PIX/ASA firewall

31 Risk 6: Unpatched Systems CVE Adobe Flash Player. Integer overflow Eve CVE Java Exploit CVE Adobe Flash Player. Run code on machine. CrimeBoss Phoenix Exploit Kit Stateful PIX/ASA firewall

32 Stateful PIX/ASA firewall

33 Stateful PIX/ASA firewall

34 Stateful PIX/ASA firewall

35 Stateful PIX/ASA firewall

36 Stateful PIX/ASA firewall

37 Stateful PIX/ASA firewall

38 Stateful PIX/ASA firewall

39 Stateful PIX/ASA firewall

40 Stateful PIX/ASA firewall

41 Stateful PIX/ASA firewall

42 Stateful PIX/ASA firewall

43 Stateful PIX/ASA firewall

44 Incident Response Stateful PIX/ASA firewall A Few Fundamentals Author: Author: Prof Bill Prof Buchanan Bill Buchanan

45 DLP Data Formats Octal Bob Hex Base-64 A B C D ASCII characters e 20 e6 aa Encryption/ Encoding XiDmqg== Byte values ^ æª ASCII Hex and Base-64 Stateful PIX/ASA firewall

46 DLP Data Formats Bob e 2 0 e 6 a a What is ? Decimal Binary Oct Bit stream Hex Decimal Binary Hex A B C D E F Hex Stateful PIX/ASA firewall

47 DLP Data Formats bit width = = Bob X I D m q g = = Bit stream Base-64 abc 24 bits (4*6) YWJj abcd 32 bits (5*6) + (2+4) + 12 bits YWJjZA== abcde 40 bits (8*6) + (2+4) + 4 bits YWJjZGU= Val Enc Val Enc Val Enc Val Enc 0 A 16 Q 32 g 48 w 1 B 17 R 33 h 49 x 2 C 18 S 34 i 50 y 3 D 19 T 35 j 51 z 4 E 20 U 36 k F 21 V 37 l G 22 W 38 m H 23 X 39 n I 24 Y 40 o J 25 Z 41 p K 26 a 42 q L 27 b 43 r M 28 c 44 s N 29 d 45 t O 30 e 46 u P 31 f 47 v 63 / Base-64 Stateful PIX/ASA firewall

48 DLP Data Formats hello MD5 5D41402ABC4B2A76B9719D911017C bits (32 hex characters) SHA-1 AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D SHA bits (40 hex characters) SHA-384 $ cat hello.txt Hello $ openssl md5 hello.txt MD5(c:\hello.txt)= 5d41402abc4b2a76b9719d911017c592 SHA-512 $ echo -n "hello" openssl md5 (stdin)= 5d41402abc4b2a76b9719d911017c592 MD5 Stateful PIX/ASA firewall

49 Data Formats DLP RegEx Stateful PIX/ASA firewall [ character_group ] Match any single character in character_group Example: gr[ae]y gray, grey [ ^character_group ] Match any single character in character_group Example: gr[^ae]y grby, grcy [a-z] Character range Example a, b, c z {n} Matches previous character repeated n times a{n,m} Matches between n and m or a \d Matches a digit. Single character (a b) Matches a or b a? Zero or one match of a a* Zero or more match of a a+ One or more match of a $ Match at the end Escape: \s (space) Telephone: \\d{3}[-.]?\\d{3}[-.]?\\d{4} [ character_group ] Year: [0-9]{4} 1961 Matches any single character in character_group. By default, the match is case-sensitive. [a-za-z0-9._%+-]+@[a-za-z0-9._%+-] test@home.com Master: Am Ex: Visa: 5\\d{3}(\\s -)?\\d{4}(\\s -)?\\d{4}(\\s -)?\d{4} 3\\d{3}(\\s -)?\\d{6}(\\s -)?\\d{5} 4\\d{3}(\\s -)?\\d{4}(\\s -)?\\d{4}(\\s -)?\d{4} IP: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}

50 Stateful PIX/ASA firewall Incident Response Introduction. Risk Analysis. Risk Management. Outline of threats. Data Loss. Fundamentals. Eve Bob Trent Bob Alice