Incident Handling and Detection


Incident Handling and Detection
Mohammed Fadzil Haron, SSP-MPA, GSEC, GCIA
MyCERT 5th SIG, July 19, 2005
2005 Intel Corporation. All Rights Reserved.

Agenda
- Definition
- Threat and Trend
- Incident Response Overview
- Detection of Incidents
- Documentation
- Detection in Windows* and Unix*

Intel, the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others.

Definitions
- Event: an observable occurrence in an information system that actually happened at some point in time.
- Incident: an event that might lead to an accident, or an accident which is not too serious.
- Security Incident: an event that involves a security violation. This may be an event that breaks a security policy, UAP, laws and jurisdictions, etc.

Threat Trend: Attack Sophistication Increasing, Intruder Technical Knowledge Decreasing
[Chart: attack sophistication (rising) plotted against required intruder technical knowledge (falling), 1980 to 2000. Techniques plotted include: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, stealth / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDoS attacks. Curve labels: "Improved Tools", "Required Intruder Knowledge".]
Source: CERT/CC Internet Security Trends 2005

Security Incidents
[Charts: security incidents reported to CERT* (source: CERT*); most frequently detected attacks or incidents as a percentage of respondents (source: 2002 CSI/FBI security survey), listing detected viruses, worms and malicious code, insider abuse of net access, laptop theft, denial of service, unauthorized access by insiders, and system penetration; and virus counts on The Wildlist* (worldwide) from Jan-99 to Jan-02, y-axis 0 to 300 (sources: McAfee*, The Wildlist*).]
* Other names and brands may be claimed as the property of others.

Difficulties in Assessing Computer Crime
- Most computer crimes go undetected by their victims
- Of those attacks which are detected, few are reported
Source: White Paper on Computer Crime Statistics, the International Computer Security Association

Simple Incident Handling Flow
Preparation -> Detection / Identification -> Response -> Resolution

Complete Incident Handling Flow
Preparation -> Detection / Identification -> Containment -> Eradication -> Recovery -> Follow-Up

Complete Incident Handling Flow
Preparation -> Detection / Identification -> Containment -> Eradication -> Recovery -> Follow-Up
Goal: shorten the Detection / Identification time

Preparation for Detection
- Incident Response Team identified
- Processes and documentation in place
- Get buy-off from top management
- Build the necessary skills through professional certifications or in-house training

This paper is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESSED OR IMPLIED, IN THIS PAPER.

The Response Team
- Employees
- Engineering
- Physical Security
- System Administrator (Firewall etc.)
- Information Security
- Lawyer
- Human Resource
- Help Desk

Your Role as Incident Handler
- Detect an incident
- Evaluate it
- Report it
- Start the incident response process

Who Detects an Incident?
- End User
- Intrusion Detection System Alert
- System Administrator
- Help Desk
- Security
- Human Resource
- Legal
- Public Knowledge, e.g. a defacement mirror such as zone-h.org

Computer and Network Events (Howard's Event)
Event = Action directed at a Target
- Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
- Target: Account, Process, Data, Component, Computer, Network, Internetwork

Computer and Network Attacks (Howard's Attack)
Attack = Tool -> Vulnerability -> Event (Action -> Target) -> Unauthorized Result
- Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
- Vulnerability: Design, Implementation, Configuration
- Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
- Target: Account, Process, Data, Component, Computer, Network, Internetwork
- Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources

Computer and Network Incidents (Howard's Incident)
Incident = Attacker -> Attack (Tool -> Vulnerability -> Event -> Unauthorized Result) -> Objectives
- Attacker: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
- Tool, Vulnerability, Action, Target and Unauthorized Result: as on the previous slide
- Objectives: Challenge / Status / Thrill, Political Gain, Financial Gain, Damage

Event Documentation
Record this information when an event becomes an incident:
- Date
- Time
- Source of the event report (who or what?)
- Description of the event

Event Documentation: Reported by an IDS
Additional information to obtain when an event is reported by an IDS:
- The apparent source address(es) of the event
- The apparent target address(es) of the event
- The specific alert(s) that were raised by the IDS
- The sensor(s) which detected the event(s)
- Time when the first alert was triggered
- Time when the last alert was triggered
- Reverse DNS lookup, such as nslookup
- Resolve the addresses using services such as whois from ARIN, APNIC and RIPE
- Correlate activity against other events from the same source
- Assess whether your systems could have been compromised by the activity, or whether it was contained by existing security controls
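As an added example (not part of the original slides), the following Python script takes constructed IDS alert records in an assumed pipe-separated layout and produces the per-source documentation the slide asks for: apparent source and target addresses, alerts raised, detecting sensors, and first and last alert times. Reverse DNS and whois resolution are deliberately left to the analyst, in line with the next slide.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (not real IDS output). The pipe-separated layout
# "timestamp|sensor|source|target|signature" is an assumption of this example.
SAMPLE_ALERTS = """\
2005-07-19T02:14:05|ids-dmz-1|203.0.113.7|192.0.2.10|WEB-IIS cmd.exe access
2005-07-19T02:14:09|ids-dmz-1|203.0.113.7|192.0.2.10|WEB-IIS directory traversal
2005-07-19T02:16:41|ids-core-2|203.0.113.7|192.0.2.25|SCAN TCP portscan
2005-07-19T02:20:00|ids-dmz-1|198.51.100.4|192.0.2.10|ICMP echo request
2005-07-19T02:31:12|ids-core-2|203.0.113.7|192.0.2.30|SCAN TCP portscan
"""


def parse_alerts(text):
    """Parse one alert per line; malformed lines are counted, not silently dropped."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 4)
        if len(fields) != 5:
            malformed += 1
            continue
        ts, sensor, src, dst, sig = fields
        records.append({"time": datetime.fromisoformat(ts), "sensor": sensor,
                        "src": src, "dst": dst, "sig": sig})
    return records, malformed


def summarize_by_source(records):
    """Correlate activity per apparent source, collecting the fields the slide lists."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    summary = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["time"])
        summary[src] = {
            "count": len(rs),
            "targets": sorted({r["dst"] for r in rs}),
            "alerts": sorted({r["sig"] for r in rs}),
            "sensors": sorted({r["sensor"] for r in rs}),
            "first_alert": rs[0]["time"].isoformat(),
            "last_alert": rs[-1]["time"].isoformat(),
            # Seen by more than one sensor: the activity crossed a network boundary,
            # so check whether existing controls actually contained it.
            "multi_sensor": len({r["sensor"] for r in rs}) > 1,
        }
    return summary


def incident_notes(summary):
    """Render the summary as lines ready to paste into the incident record."""
    lines = []
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"Source {src}: {s['count']} alert(s), "
                     f"first {s['first_alert']}, last {s['last_alert']}")
        lines.append(f"  targets: {', '.join(s['targets'])}")
        lines.append(f"  alerts : {', '.join(s['alerts'])}")
        lines.append(f"  sensors: {', '.join(s['sensors'])}")
    return lines


if __name__ == "__main__":
    recs, bad = parse_alerts(SAMPLE_ALERTS)
    print("\n".join(incident_notes(summarize_by_source(recs))))
    print(f"malformed lines skipped: {bad}")
```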

What If the Event Might Lead To Legal Prosecution?
- Do not perform direct reverse network activities such as ping or traceroute; this might alert the intruder
- Only use non-intrusive methods, such as nslookup and whois

Classification
Determine if an event should be classified as an incident by answering these questions:
- Is it a risk to data integrity?
- Is it a risk to the availability of the resource?
- Is it a risk to the confidentiality of the data?
- Is the activity abnormal?
- Does it violate company security policies?
If the answer to any of the above questions is Yes, it is probable that the event is an incident

What to Look For in Windows* Systems
- Unusual Processes
- Unusual Files
- Unusual Network Usage
- Unusual Scheduled Tasks
- Unusual Accounts
- Unusual Log Entries

Unusual Processes in Windows*
- Look for unusual or unexpected processes using Task Manager (taskmgr.exe)
- On Windows XP* and Windows 2003*, focus on processes with username SYSTEM or Administrator, or users in the Administrators group
- Look for unusual network services: C:\> net start
- You need to be familiar with normal processes in order to spot unusual ones
- Also look for:
  - Processes running at unexpected times
  - Processes terminating prematurely
  - New, unexpected or previously disabled processes or services
  - Inactive user accounts that spawn processes and use CPU resources

Unusual Files in Windows*
- Check for sudden decreases in disk space
- Use the GUI (Explorer) or type: C:\> dir c:\
- Look for unusually big files (10MB or more): Start -> Search -> For Files or Folders, then Search Options -> Size -> At Least 10000KB

Unusual Network Usage in Windows*
- Check file shares: C:\> net view \\127.0.0.1
- Look at who has an open session with the machine: C:\> net session
- Look at which sessions this machine has opened with other systems: C:\> net use

Unusual Network Usage in Windows* (continued)
- Look at NetBIOS over TCP/IP activity: C:\> nbtstat -S
- Look for unusual listening TCP and UDP ports:
  - C:\> netstat -na
  - C:\> netstat -na 5 (refresh every 5 seconds)
  - C:\> netstat -nao 5 (the -o flag shows the owning process ID)

Unusual Scheduled Tasks in Windows*
- Look at scheduled tasks on the local host: C:\> at
- Also check the scheduled tasks in the GUI: Start -> Programs -> Accessories -> System Tools -> Scheduled Tasks
- Look for unusual scheduled tasks, especially ones running with Administrator privileges, as SYSTEM, or with a blank username

Unusual Accounts in Windows*
- Look for new, unexpected accounts in the Administrators group in Local User Manager: C:\> lusrmgr.msc
- Click on Groups, double-click on Administrators, and then check the members of this group

Unusual Log Entries in Windows*
- Look at the logs in Event Viewer: C:\> eventvwr.msc
- Look for suspicious events like:
  - Event log service was stopped
  - Windows File Protection is not active on this system
  - The MS Telnet Service has started successfully
- Look for a large number of failed logon attempts or locked-out accounts
- Look at application logs for unusual activities, e.g. the IIS* log at C:\WINNT\System32\LogFiles\W3SVC1

How To Detect in Unix* Operating Systems
- Unusual Processes
- Unusual Files
- Unusual Network Usage
- Unusual Scheduled Tasks
- Unusual Accounts
- Unusual Log Entries

Unusual Processes in Unix*
- Look for running processes: # ps aux
- Get familiar with normal processes
- Look for unusual processes, especially those running as root (UID 0)
- For unfamiliar processes, get detail with: # lsof -p [pid] (this shows all the files and ports used by the process)
- Also look for:
  - Processes running at unexpected times
  - Processes terminating prematurely
  - New, unexpected or previously disabled processes or services
  - Inactive user accounts that are spawning processes and using CPU resources

Unusual Files in Unix*
- Look for unusual SUID root files: # find / -uid 0 -perm -4000 -print
  - You need to know the normal SUID files
- Look for unusually large files (greater than 10MB): # find / -size +10000k -print
  - You need to know the normal large files

Unusual Files in Unix* (continued)
- Look for files named with dots and spaces, such as "...", ".. ", ". " and " " (a single space):
  - # find / -name "..." -print
  - # find / -name ".. " -print
  - # find / -name ". " -print
  - # find / -name " " -print

Unusual Files
- If RPM is installed (Linux*, RedHat*, Mandrake*, etc.), run the RPM tool to verify packages: # rpm -Va
- This checks the size, MD5 sum, permissions, type, owner and group of each file against the information in the RPM database
- Pay special attention to changes associated with items in /sbin, /bin, /usr/sbin and /usr/bin

Unusual Files
rpm -Va output includes one flag position per check (a letter means a mismatch, a dot means the check passed):
- S: file size differs
- M: mode differs (permissions)
- 5: MD5 sum differs
- D: device number mismatch
- L: readlink path mismatch
- U: user ownership differs
- G: group ownership differs
- T: modification time differs
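As an added example (not from the slides), this Python script decodes the rpm -Va flag string described above into plain-language differences and ranks each result, treating content changes to programs under /sbin, /bin, /usr/sbin and /usr/bin as the priority the previous slide calls out. The sample output is constructed, and the ninth "P" column (capabilities) is an addition from newer rpm releases, not something the slide lists.

```python
import re

# Meaning of each position in the rpm -V flag string, as listed on the slide.
# "P" (capabilities differ) is a ninth column emitted by newer rpm releases.
FLAG_MEANINGS = {
    "S": "file size differs",
    "M": "mode differs (permissions and file type)",
    "5": "MD5 sum differs",
    "D": "device number mismatch",
    "L": "readlink path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "modification time differs",
    "P": "capabilities differ",
}

# Directories the slide singles out: changes to programs here come first.
CRITICAL_DIRS = ("/sbin/", "/bin/", "/usr/sbin/", "/usr/bin/")

# Constructed sample output (not from a real host). Layout: flag string (or
# "missing"), an optional attribute letter such as "c" for config files, then the path.
SAMPLE_RPM_VA = """\
S.5....T    /bin/ls
.......T  c /etc/ssh/sshd_config
.M......    /usr/bin/passwd
missing     /usr/share/doc/bash/README
S.5....T    /usr/sbin/sshd
..5....T  c /etc/hosts
"""

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)


def decode_flags(flags):
    """Turn 'S.5....T' into the list of differences it encodes."""
    if flags == "missing":
        return ["file is missing"]
    return [FLAG_MEANINGS[c] for c in flags if c != "."]


def triage(flags, attr, path):
    """Rank a result: content changes to a program in a critical directory are
    'high'; config files differing only in content or mtime are the usual local
    edits and rank 'info'; everything else needs a look and ranks 'review'."""
    content_changed = any(c in flags for c in "SM5UGP")
    if any(path.startswith(d) for d in CRITICAL_DIRS) and content_changed:
        return "high"
    if attr == "c" and not any(c in flags for c in "MUGDLP"):
        return "info"
    return "review"


def parse_rpm_verify(text):
    """Parse rpm -Va output into triaged findings; unparsable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags, attr, path = m["flags"], m["attr"], m["path"]
        findings.append({"path": path, "flags": flags, "config": attr == "c",
                         "changes": decode_flags(flags),
                         "priority": triage(flags, attr, path)})
    return findings


if __name__ == "__main__":
    for f in sorted(parse_rpm_verify(SAMPLE_RPM_VA), key=lambda f: f["priority"]):
        print(f"[{f['priority']:6}] {f['path']}: {'; '.join(f['changes'])}")
```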

Unusual Scheduled Tasks in Unix*
- Look for cron jobs scheduled by root or any UID 0 account: # crontab -u root -l
- Look for unusual system-wide cron jobs: # cat /etc/crontab and # ls /etc/cron.*

Unusual Network Usage in Unix*
- Look for interfaces in promiscuous mode, which might indicate a sniffer: # ip link | grep PROMISC
- Look for unusual port listeners: # lsof -i and # netstat -nap
- Look for unusual ARP entries, i.e. incorrect IP address to MAC address mappings for the LAN: # arp -a
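The "unusual listening ports" checks on this slide and on the Windows netstat slide both depend on knowing what is normal for the host; as an added example (not part of the original slides), this Python script parses constructed netstat -nao (Windows) and netstat -nap (Linux) output, compares the listeners against an assumed baseline of expected (protocol, port) pairs, and reports the ones that need to be tied to a process and explained.

```python
import re

# Constructed sample output (not captured from a real host) in the two formats
# the slides use: Windows "netstat -nao" and Linux "netstat -nap".
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2216
  TCP    192.0.2.10:139         192.0.2.77:1044        ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1020/httpd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      4417/.x
tcp        0      0 192.0.2.20:22           192.0.2.77:51204        ESTABLISHED 2231/sshd: root
udp        0      0 0.0.0.0:123             0.0.0.0:*                           987/ntpd
"""

# Assumed baseline of (protocol, port) listeners this host is expected to have.
# Building and maintaining it is the "know what is normal" step from the slides.
BASELINE = {("tcp", 22), ("tcp", 80), ("tcp", 135), ("tcp", 445),
            ("udp", 123), ("udp", 137)}

LINE_RE = re.compile(
    r"^\s*(?P<proto>tcp6?|udp6?)\s+"
    r"(?:\d+\s+\d+\s+)?"                  # Linux Recv-Q / Send-Q columns
    r"(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?"         # absent for UDP sockets
    r"(?:\s+(?P<pid>\d+)(?:/(?P<prog>.*?))?)?\s*$",
    re.IGNORECASE,
)


def parse_netstat(text):
    """One dict per socket line, for either format; headers and blanks are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto = m["proto"].lower().rstrip("6")
        port = int(m["local"].rsplit(":", 1)[1])
        state = (m["state"] or "").upper()
        # TCP listeners report LISTEN/LISTENING; UDP sockets have no state and
        # show a wildcard foreign address instead.
        listening = state in ("LISTEN", "LISTENING") or (
            proto == "udp" and m["remote"].endswith(":*"))
        sockets.append({"proto": proto, "port": port, "local": m["local"],
                        "listening": listening, "pid": m["pid"], "prog": m["prog"]})
    return sockets


def unusual_listeners(text, baseline=BASELINE):
    """Listeners outside the baseline: the PID is what ties them to a process."""
    return [s for s in parse_netstat(text)
            if s["listening"] and (s["proto"], s["port"]) not in baseline]


if __name__ == "__main__":
    for name, out in (("windows", WINDOWS_NETSTAT), ("linux", LINUX_NETSTAT)):
        for s in unusual_listeners(out):
            print(f"{name}: {s['proto']}/{s['port']} pid={s['pid']} prog={s['prog']}")
```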

Unusual Accounts in Unix*
- Look in /etc/passwd for new accounts, especially with UID 0 or GID 0:
  - # less /etc/passwd
  - # grep :0: /etc/passwd

Unusual Log Entries in Unix*
- Look for unusual and suspicious events in the system logs
- Look at application logs for unusual activities, e.g. the Apache* log at /usr/local/apache/logs/access_log

Key Mistakes in Detection
- Event not even detected (false negative)
- Event detected but not validated, causing a false alarm (don't jump to conclusions too quickly)
- Event not even reported
- Not asking for help
- Incomplete notes
- Mishandling or destroying evidence

Conclusion
- Detection is a very important step in incident handling, following preparation
- Reduced detection time can result in faster containment
- Validate the detection
- Report it to start the incident handling process

Questions?
