Incident Handling and Detection
Mohammed Fadzil Haron, SSP-MPA GSEC GCIA
MyCERT 5th SIG, July 19, 2005
2005 Intel Corporation. All Rights Reserved.
Agenda
- Definition
- Threat and Trend
- Incident Response Overview
- Detection of Incidents
- Documentation
- Detection in Windows* and Unix*

Intel, the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others.
Definitions
- Event: an observable occurrence in an information system that actually happened at some point in time.
- Incident: an event that might lead to an accident, or an accident which is not too serious.
- Security Incident: an event that involves a security violation. This may be an event that breaks a security policy, UAP, laws and jurisdictions, etc.
Threat Trend: attack sophistication increasing, intruder technical knowledge decreasing
[Chart: attack sophistication (high to low) against intruder technical knowledge required, 1980 to 2000. Improved tools plotted on the curve: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, burglaries, GUI network mgmt. diagnostics, automated probes/scans, www attacks, denial of service, stealth / advanced scanning techniques, DDoS attacks. Source: CERT/CC Internet Security Trends 2005]
Security Incidents
[Chart: security incidents reported to CERT*. Source: CERT*]
[Chart: most frequently detected attacks or incidents, percentage of respondents: detected viruses, worms, malicious code; insider abuse of net access; laptop theft; denial of service; systems penetration; unauthorized access by insiders. Source: 2002 CSI/FBI security survey]
[Chart: viruses on The Wildlist* (worldwide), 0 to 300, Jan-99 to Jan-02. Sources: McAfee*, The Wildlist*]
Difficulties in Assessing Computer Crime
- Most computer crimes go undetected by their victims
- Of those attacks which are detected, few are reported
Source: White Paper on Computer Crime Statistics, the International Computer Security Association
Simple Incident Handling Flow
Preparation -> Detection / Identification -> Response -> Resolution (and back to Preparation)
Complete Incident Handling Flow
Preparation -> Detection / Identification -> Containment -> Eradication -> Recovery -> Follow-Up (and back to Preparation)
Complete Incident Handling Flow (where to gain time)
Preparation -> Detection / Identification -> Containment -> Eradication -> Recovery -> Follow-Up
Goal: shorten the Detection / Identification time
Preparation for Detection
- Incident Response Team identified
- Processes and documentation in place
- Get buy-off from top management
- Build necessary skills from professional certifications or in-house training

This paper is for informational purposes only. INTEL MAKES NO WARRANTIES, EXPRESSED OR IMPLIED IN THIS PAPER.
The Response Team
- Employees
- Engineering
- Physical Security
- System Administrator (firewall etc.)
- Information Security
- Lawyer
- Human Resources
- Help Desk
Your Role as Incident Handler
- Detect an incident
- Evaluate it
- Report it
- Start the incident response process
Who Detects an Incident?
- End user
- Intrusion Detection System alert
- System Administrator
- Help Desk
- Security
- Human Resources
- Legal
- Public knowledge, e.g., a defacement mirror such as zone-h.org
Computer and Network Events (Howard's Events)
Event = Action directed at a Target
- Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
- Target: Account, Process, Data, Component, Computer, Network, Internetwork
Computer and Network Attacks (Howard's Attacks)
Attack = Tool + Vulnerability + Event (Action on Target) + Unauthorized Result
- Tool: Physical Attack, Info. Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
- Vulnerability: Design, Implementation, Configuration
- Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
- Target: Account, Process, Data, Component, Computer, Network, Internetwork
- Unauthorized Result: Increased Access, Disclosure of Info, Corruption of Info, Denial of Service, Theft of Resources
Computer and Network Incidents (Howard's Incidents)
Incident = Attacker + Attack(s) + Objectives
- Attackers: Hackers, Spies, Terrorists, Corp. Raiders, Pro. Criminals, Vandals, Voyeurs
- Attack: Tool, Vulnerability, Action, Target, Unauthorized Result (as on the previous slide)
- Objectives: Challenge, Status, Thrill; Political Gain; Financial Gain; Damage
Event Documentation
Record this information when an event becomes an incident:
- Date
- Time
- Source of event report (who or what?)
- Description of event
Event Documentation: Reported by an IDS
Additional information to obtain when an event is reported by an IDS:
- The apparent source address(es) of the event
- The apparent target address(es) of the event
- The specific alert(s) that were raised by the IDS
- The sensor(s) which detected the event(s)
- Time when the first alert was triggered
- Time when the last alert was triggered
- Reverse DNS lookup, such as nslookup
- Resolve the addresses using services such as whois from ARIN, APNIC and RIPE
- Correlate activity against other events from the same source
- Assess whether your systems could have been compromised by the activity, or whether it was contained by existing security controls
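The record above can be built mechanically from the sensor's alert lines. The following is an added example, not code from the original slides: it groups constructed alert lines by apparent source and fills in targets, alerts, sensors, and first and last alert time. The alert line format is invented for this example; real sensors use their own formats.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (not from any real sensor); addresses are documentation ranges.
SAMPLE_ALERTS = """\
2005-07-19T02:14:05 sensor=dmz-1 src=192.0.2.10 dst=198.51.100.5 alert=WEB-IIS cmd.exe access
2005-07-19T02:14:09 sensor=dmz-1 src=192.0.2.10 dst=198.51.100.5 alert=WEB-IIS unicode directory traversal
2005-07-19T02:20:41 sensor=dmz-2 src=192.0.2.10 dst=198.51.100.9 alert=WEB-IIS cmd.exe access
2005-07-19T03:02:17 sensor=dmz-1 src=203.0.113.7 dst=198.51.100.5 alert=ICMP PING NMAP
""".splitlines()


def parse_alert(line):
    """Split one alert line into a dict; the alert text may itself contain spaces."""
    ts, rest = line.split(" ", 1)
    fields = {"time": datetime.fromisoformat(ts)}
    for key in ("sensor", "src", "dst"):
        token, rest = rest.split(" ", 1)
        fields[key] = token.split("=", 1)[1]
    fields["alert"] = rest.split("=", 1)[1]
    return fields


def build_event_records(lines):
    """Aggregate alerts per apparent source into the fields the slide asks for."""
    by_src = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        by_src[a["src"]].append(a)
    records = {}
    for src, alerts in by_src.items():
        times = [a["time"] for a in alerts]
        records[src] = {
            "targets": sorted({a["dst"] for a in alerts}),
            "alerts": sorted({a["alert"] for a in alerts}),
            "sensors": sorted({a["sensor"] for a in alerts}),
            "first_alert": min(times).isoformat(),
            "last_alert": max(times).isoformat(),
            "count": len(alerts),
        }
    return records
```

A source that hits several targets across several sensors, as 192.0.2.10 does here, is the kind of correlation the last two bullets ask for.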
What If the Event Might Lead to Legal Prosecution?
- Do not perform direct reverse network activities such as ping or traceroute; this might alert the intruder
- Only use non-intrusive methods, such as nslookup and whois
Classification
Determine whether an event should be classified as an incident by answering these questions:
- Is it a risk to data integrity?
- Is it a risk to the availability of the resource?
- Is it a risk to the confidentiality of the data?
- Is the activity abnormal?
- Does it violate company security policies?
If the answer to any of the above questions is Yes, it is probable that the event is an incident.
What to Look For in Windows* Systems
- Unusual processes
- Unusual files
- Unusual network usage
- Unusual scheduled tasks
- Unusual accounts
- Unusual log entries
Unusual Processes in Windows*
Look for unusual or unexpected processes:
- Using Task Manager (taskmgr.exe)
- On Windows XP* and Windows 2003*, focus on processes running as SYSTEM, Administrator, or users in the Administrators group
- Look for unusual network services:
    C:\> net start
- You need to be familiar with normal processes to recognise unusual ones
Also look for:
- Processes running at unexpected times
- Processes terminating prematurely
- New, unexpected or previously disabled processes or services
- Inactive user accounts that spawn processes and use CPU resources
Unusual Files in Windows*
- Check for sudden decreases in disk space. Use the GUI Explorer or type:
    C:\> dir c:\
- Look for unusually big files (10MB or more):
    Start -> Search -> For Files or Folders -> Search Options -> Size -> At Least 10000KB
Unusual Network Usage in Windows*
- Check file shares:
    C:\> net view 127.0.0.1
- Look at who has an open session with the machine:
    C:\> net session
- Look at which sessions this machine has opened with other systems:
    C:\> net use
Unusual Network Usage in Windows* (continued)
- Look at NetBIOS over TCP/IP activity:
    C:\> nbtstat -S
- Look for unusual listening TCP and UDP ports:
    C:\> netstat -na
    C:\> netstat -na 5      (refresh every 5 seconds)
    C:\> netstat -nao 5     (the -o flag shows the owning process id)
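Knowing which listeners are "unusual" requires a baseline from the same host while it was known-good. The following is an added example, not code from the original slides: it parses constructed netstat -nao output and reports listeners absent from a hypothetical baseline, together with the PID to look up in Task Manager.

```python
# Constructed sample of "netstat -nao" output (not captured from a real host).
NETSTAT_NAO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1652
  TCP    192.0.2.5:139          0.0.0.0:0              LISTENING       4
  TCP    192.0.2.5:3389         203.0.113.9:51022      ESTABLISHED     1204
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:6666           *:*                                    1652
"""

# Hypothetical baseline of (protocol, port) pairs recorded while the host was known-good.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 3389), ("UDP", 137)}


def parse_listeners(output):
    """Yield (proto, port, pid) for every TCP socket in LISTENING state and every UDP socket."""
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # header lines and blanks
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])   # rsplit also handles [::]:135
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
            if state != "LISTENING":
                continue                  # established/outbound connections are not listeners
        else:
            pid = int(parts[3])           # UDP rows have no State column
        yield proto, port, pid


def unexpected_listeners(output, baseline):
    """Listeners not in the baseline, sorted, so each PID can be checked in Task Manager."""
    return sorted((proto, port, pid) for proto, port, pid in parse_listeners(output)
                  if (proto, port) not in baseline)


def pids_to_investigate(output, baseline):
    """The distinct owning process ids behind the unexpected listeners."""
    return sorted({pid for _, _, pid in unexpected_listeners(output, baseline)})
```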
Unusual Scheduled Tasks in Windows*
- Look at scheduled tasks on the local host:
    C:\> at
- Also check the scheduled tasks through the GUI:
    Start -> Programs -> Accessories -> System Tools -> Scheduled Tasks
- Look for unusual scheduled tasks, especially those running with Administrator privilege, as SYSTEM, or with a blank username
Unusual Accounts in Windows*
- Look for new, unexpected accounts in the Administrators group in Local User Manager:
    C:\> lusrmgr.msc
- Click on Groups, double-click on Administrators, and then check the members of this group
Unusual Log Entries in Windows*
- Look at the logs in Event Viewer:
    C:\> eventvwr.msc
- Look for suspicious events such as:
    "Event log service was stopped"
    "Windows File Protection is not active on this system"
    "The MS Telnet Service has started successfully"
- Look for a large number of failed logon attempts or locked-out accounts
- Look at application logs for unusual activities, e.g. the IIS* log at C:\WINNT\System32\LogFiles\W3SVC1
How to Detect in Unix* Operating Systems
- Unusual processes
- Unusual files
- Unusual network usage
- Unusual scheduled tasks
- Unusual accounts
- Unusual log entries
Unusual Processes in Unix*
- Look for running processes:
    # ps aux
- Get familiar with normal processes
- Look for unusual processes, especially those running as root (UID 0)
- For unfamiliar processes, get detail with:
    # lsof -p [pid]
  This shows all the files and ports used by the process
Also look for:
- Processes running at unexpected times
- Processes terminating prematurely
- New, unexpected or previously disabled processes or services
- Inactive user accounts that are spawning processes and using CPU resources
Unusual Files in Unix*
- Look for unusual SUID root files:
    # find / -uid 0 -perm -4000 -print
  You need to know the normal SUID files
- Look for unusually large files (greater than 10MB):
    # find / -size +10000k -print
  You need to know the normal large files
Unusual Files in Unix* (continued)
- Look for files named with dots and spaces (such as "...", ".. ", ". " and " "), which are used to camouflage files:
    # find / -name "..." -print
    # find / -name ".. " -print
    # find / -name ". " -print
    # find / -name " " -print
Unusual Files: RPM verification
- If RPM is installed (Linux*: RedHat*, Mandrake*, etc.), run the RPM tool to verify packages:
    # rpm -Va
- This checks the size, MD5 sum, permissions, type, owner, and group of each file against the information in the RPM database
- Pay special attention to changes associated with items in /sbin, /bin, /usr/sbin and /usr/bin
Unusual Files: rpm -Va output
Each line begins with a status string in which a letter marks a mismatch and a dot marks a passed check:
- S: file size differs
- M: mode differs (permissions)
- 5: MD5 sum differs
- D: device number mismatch
- L: readlink path mismatch
- U: user ownership differs
- G: group ownership differs
- T: modification time differs
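The flag letters above are easy to misread by eye across hundreds of lines. The following is an added example, not code from the original slides: it parses constructed rpm -Va output, expands the flags into the meanings listed above, and isolates files under /sbin, /bin, /usr/sbin and /usr/bin whose content, mode or ownership changed or which are missing. A bare T (mtime only) is not reported, and configuration files (marked c) outside those directories are expected to differ.

```python
import re

# Constructed sample of "rpm -Va" output (not captured from a real host).
RPM_VA_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
.......T.    /usr/bin/vim
missing      /usr/sbin/tcpdump
S.5....T.    /usr/sbin/sshd
"""

FLAG_MEANING = {
    "S": "file size differs", "M": "mode differs", "5": "MD5 sum differs",
    "D": "device number mismatch", "L": "readlink path mismatch",
    "U": "user ownership differs", "G": "group ownership differs",
    "T": "modification time differs",
}
CRITICAL_DIRS = ("/sbin/", "/bin/", "/usr/sbin/", "/usr/bin/")
CONTENT_FLAGS = set(FLAG_MEANING) - {"T"}   # anything but a bare mtime change

# status string, optional attribute letter (c = config file, d, g, l, r), absolute path
_LINE = re.compile(r"^(\S+)\s+(?:([cdglr])\s+)?(/.+)$")


def parse_rpm_verify(output):
    """Return one dict per reported file: path, set of flag letters, config marker, missing."""
    findings = []
    for line in output.splitlines():
        m = _LINE.match(line.rstrip())
        if not m:
            continue                      # informational lines from rpm are ignored
        status, attr, path = m.groups()
        missing = status == "missing"
        flags = set() if missing else {ch for ch in status if ch in FLAG_MEANING}
        findings.append({"path": path, "flags": flags,
                         "config": attr == "c", "missing": missing})
    return findings


def describe(flags):
    """Expand flag letters into the meanings listed on the slide."""
    return [FLAG_MEANING[f] for f in sorted(flags)]


def critical_changes(findings):
    """Paths in the watched directories that are missing or changed beyond their mtime."""
    return sorted(f["path"] for f in findings
                  if f["path"].startswith(CRITICAL_DIRS)
                  and (f["missing"] or f["flags"] & CONTENT_FLAGS))
```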
Unusual Scheduled Tasks in Unix*
- Look for cron jobs scheduled by root or any UID 0 account:
    # crontab -u root -l
- Look for unusual system-wide cron jobs:
    # cat /etc/crontab
    # ls /etc/cron.*
Unusual Network Usage in Unix*
- Look for interfaces in promiscuous mode, which might indicate a sniffer:
    # ip link | grep PROMISC
- Look for unusual port listeners:
    # lsof -i
    # netstat -nap
- Look for unusual ARP entries, i.e. incorrect IP address to MAC address mappings for the LAN:
    # arp -a
Unusual Accounts in Unix*
- Look in /etc/passwd for new accounts, especially with UID 0 or GID 0:
    # less /etc/passwd
    # grep :0: /etc/passwd
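A text search for ":0:" finds most UID 0 and GID 0 entries but matches on the literal string, not the numeric field. The following is an added example, not code from the original slides: it parses constructed /etc/passwd content field by field, lists privileged accounts by numeric UID/GID, and diffs the current file against a hypothetical known-good copy to surface new accounts.

```python
# Constructed known-good copy of /etc/passwd (not from any real host).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
mfadzil:x:500:500:Mohammed:/home/mfadzil:/bin/bash
"""

# Constructed current /etc/passwd with two accounts that were not in the baseline.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
mfadzil:x:500:500:Mohammed:/home/mfadzil:/bin/bash
toor:x:00:00:toor:/root:/bin/bash
webdev:x:501:0:Web developer:/home/webdev:/bin/bash
"""


def parse_passwd(text):
    """Return {name: (uid, gid, shell)}; malformed lines are skipped rather than guessed at."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        try:
            users[name] = (int(uid), int(gid), shell)
        except ValueError:
            continue                      # non-numeric UID/GID: not a valid entry
    return users


def privileged_accounts(users):
    """Accounts with UID 0 or GID 0, compared numerically, so '00' is caught as well as '0'."""
    return sorted(name for name, (uid, gid, _) in users.items() if uid == 0 or gid == 0)


def new_accounts(current, baseline):
    """Account names present now that were absent from the known-good copy."""
    return sorted(set(current) - set(baseline))
```

Both "toor" (UID 0 written as 00) and "webdev" (GID 0 only) are reported here; the numeric comparison is what makes the first one visible.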
Unusual Log Entries in Unix*
- Look for unusual and suspicious events in the system logs
- Look at application logs for unusual activities, e.g. the Apache* log at /usr/local/apache/logs/access_log
Key Mistakes in Detection
- Event not even detected (false negative)
- Event detected but not validated, causing a false alarm (don't jump to conclusions too quickly)
- Event not even reported
- Not asking for help
- Incomplete notes
- Mishandling or destroying evidence
Conclusion
- Detection is a very important step in incident handling, coming right after preparation
- Reduced detection time can result in faster containment
- Validate the detection
- Report it to start the incident handling process
Questions?
References
- http://www.securityfocus.com/infocus/1244
- http://www.sans.org/score/checklists/id_windows.pdf
- http://www.sans.org/score/checklists/id_linux.pdf
- http://www.sans.org/rr/whitepapers/incident/1516.php
- http://www.sans.org/rr/whitepapers/incident/1065.php
- http://www.sans.org/rr/whitepapers/incident/647.php
- http://www.sans.org/rr/whitepapers/incident/646.php
- http://www.terena.nl/tech/task-forces/tf-csirt/iodef/docs/itaxonomy_terms.html