Incident Response
Incident Response Objectives
The student should be able to:
- Define the 4 steps of what needs to be done in advance of an incident.
- Describe the purpose of an incident response procedure and what the procedure should include.
- Describe the information that must be collected when a penetration has occurred: while the computer is up; when the computer is down; other evidence.
- Describe important guidelines for collecting this information concerning chain of custody and authenticity.
- Find information about a penetration using the PsTools and other tools: pslist, fport, ListDLLs, netstat, netcat, PsLoggedOn. (Lab only)
How should a Sys Admin react?
You are a system administrator and an incident occurs. Should you:
- Go offline?
- Block the hacker at the firewall?
- Disable certain services?
- Bring down the machine/server?
- Bring down the internal network?
- Let the intruder proceed, in order to collect evidence?
Your actions can have a financial impact on the corporation.

When an Incident Occurs…?
How would these decisions differ if the business pertained to:
- Credit card / Banking?
- Network services?
- Medical prescriptions?
- WWW Search Engine?
The CEO must determine the priorities for incident response.
Incident Response Procedure
- A clear procedure defines what should happen when an intrusion is suspected
- Define expected responses to different types of intrusions
- Decide early, because time will be limited during an attack

Incident Response Plan Contents
- Preincident readiness
- How to declare a disaster
- Evacuation procedures
- Identifying the persons responsible, with contact information: IRT, S/W and H/W vendors, insurance, recovery facilities, suppliers, offsite media, human relations, law enforcement (for a serious security threat)
- Step-by-step procedures
- Required resources for recovery & continued operations
Step 0: Plan for Incident Response
Planning activities:
- Establish Detection Procedures
- Create Incident Response Team
- Define & Publish Policies
- Perform Training/Rehearsal
Products of planning: Tools, Detection Procedures, Contact List, Incident Response Procedures

Establish Detection Procedures (Step 0)
- Data Loss Prevention software
- SNMP: Monitors availability, response times, etc. and notifies the administrator
- IDS/IPS: Monitors for attacks and notifies the administrator
- Logs from all devices must be synchronized, monitored and audited
- Monitoring of current configurations against baselines
- After a break-in, administrators wish they had stronger logging

Create Incident Response Team (Step 0)
An incident response team can help to decide the incident response procedures and make decisions during an incident response. It shall include:
- Security Team: Detect and control the attack.
- Upper management: Responsible for making decisions on major break-ins.
- Human Resources: Deal with an attack from employees.
- Technical Staff (MIS): Bring systems back in order.
- Outside Members: Contact law enforcement, affected customers, the ISP.

Define and Publish Policies (Step 0)
- Policies are defined and publicized as to what is and is not allowed
- System banners indicate who/what is allowed on the system
- Logs: Alarms indicate issues in the network
- Alarms: Critical events that require action from the administrator
- Alerts: Less critical notification of an event; informational
- Trend: Note changes in the network, e.g., a network scan

Perform Training/Rehearsal (Step 0)
- Each person should be trained in what they need to do.
- Carry out a drill.
- Attacks succeed because companies are unprepared.
Responding to an Incident: Overview
Phases: Detect Incident -> Respond to Incident -> Recovery & Resume -> Review & Implement
Inputs from Step 0 planning: Tools, Contact List, Detection Procedures, Incident Response Procedures

Step 1: Incident Response and Containment
- What types of attacks warrant which reactions?
- How do we gather information on the attack? (Next section)
- To whom should attacks be reported?
- Do you inform the police or the FBI?
- Can the ISP help with log info and attack filtering?
- Should vendors/customers be notified?
- Shall the intrusion be hidden from the press?
- The FBI has a webpage for reporting crime at: www.usdoj.gov/criminal/cybercrime/reporting.html

Step 2: Recovery and Resumption
- Rebuild the affected system (the old system can be hiding a rootkit): preconfigured image + security template
- Lock down the system: apply patches, minimize software availability, set a secure configuration
- Change passwords on all systems
- Test: MS Baseline Security Analyzer, Nessus
- Remediation: Fix the mistakes found in the test

Step 3: Review & Implement
- Could we have detected the intrusion faster?
- What losses did we sustain overall?
- What did the hacker attempt to do and accomplish?
- Why did the vulnerability occur?
- Have we eliminated the vulnerability on this and other machines?
- Could we have reacted in a quicker or more effective way?
- How can we improve our legal case against the next intruder?
- What changes should we make to our policies and procedures?

Example: You receive an email indicating your network was part of an attack
- May be a valid accusation
- May be a mistake
- May be a ruse
So you investigate:
- Your site may have been hacked.
- An internal employee may be hacking outside.
If you reply to the email indicating a break-in, you may:
- Provide your email address and confirm an IP address
- Indicate your readiness level: “We don’t have logs on that particular intrusion”
- Fall for ‘social engineering spam’ (e.g., a company selling IDS products).
Responding to an Incident
A break-in has occurred…
- Get all information without changing any possible evidence
- Consider the totality of the circumstances via investigation
- React according to the type of break-in

Document & Witness…
- The procedure must be professional and documented, in order to collect evidence against an individual and to protect the organization
- For legal reasons, you need to document your actions on a form and have a witness to all of them.
- It is very difficult to prosecute a crime; have a law enforcement professional with you
- Certain tools are regarded as ‘professional’

Computer Crime Investigation
Sequence:
- Call the police or the incident response team
- While the system is in progress: copy memory, processes, files, connections
- Power down
- Copy the disk
- Analyze the copied images
- Take photos of the surrounding area
- Preserve the original system in locked storage with minimal access
Evidence must be unaltered and the chain of custody professionally maintained.
Four considerations:
- Identify evidence
- Preserve evidence
- Analyze a copy of the evidence
- Present evidence

Computer Forensics
- Did a crime occur? If so, what occurred?
- Evidence must pass tests for:
- Authenticity: Evidence is a true and faithful original from the crime scene; computer forensics does not destroy or alter the evidence
- Continuity: The “chain of custody” assures that the evidence is intact.
Chain of Custody: Time Line
Who did what to the evidence, and when? (A witness is required)
10:53 AM     Attack observed                                    Jan K
11:04        Incident Response team arrives
11:05-11:44  System copied                                      PKB & RFT
11:15        System brought offline                             RFT
11:45        System powered down                                PKB & RFT
11:47-1:05   Disk copied                                        RFT & PKB
1:15         System locked in static-free bag in storage room   RFT & PKB
Preparing Evidence
Work with the police to AVOID:
- Contaminating the evidence
- Voiding the chain of custody: the evidence must not be impure or tainted; written documentation lists the chain of custody: locations, persons in contact, time & place
- Infringing on the rights of the suspect: a warrant is required unless company permission is given; the evidence is in plain sight; it was communicated to a third party; the evidence is in danger of being destroyed; or it is a normal part of an arrest; ...

Computer Forensics
The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding

Creating a Forensic Copy (Original -> Mirror Image)
1) Calculate Message Digest: before the copy
2) Accuracy Feature: The tool is accepted as accurate by the scientific community, e.g., CoreRESTORE, Forensic Replicator, FRED
3) Forensically Sterile: Wipes existing data; records sterility
4) One-way Copy: Cannot modify the original
5) Bit-by-Bit Copy: Mirror image
6) Calculate Message Digest: after the copy
7) Calculate Message Digest: Validate the correctness of the copy
When a break-in is noticed, with a witness…
- Before logoff/power down, save volatile information
- Use trusted commands when accessing the remote machine (use commands off a read-only CD or floppy)
- Do not alter the system in any way
- Save data to the network or to a removable USB drive (fast, large storage)
- Collect information and label it: case number, time, date, data collector, data analyzer.
- Seal and lock up the evidence. Track any access to the sealed data
- Take pictures of the system from all sides

Collected information includes…
Volatile information:
- System memory: Unix /dev/mem or /dev/kmem
- Currently running processes
- Logged-in users
- Network connections: recent connections and open applications/sockets
- Currently open files: file system time & date stamps
- System date & time

After the computer is turned off…
- A reboot will change disk images. Do not reboot!
- Make a forensic backup = system image = bitstream backup
- Copy every bit of the file system, not just the disk files!
- Example tools include: Intelligent Computer Solutions: Image MASSter; EnCase (www.guidancesoftware.com); SafeBack (www.forensics-intl.com/safeback.html); the Unix dd command
- Compute the hash value of the disk and of the backup
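The "Creating a Forensic Copy" steps and the dd/hash advice above, as an added POSIX-shell example (not from the slides, and not any of the listed products): the original is digested, bit-copied with dd onto a sterilized target, digested again to show it was not touched, and the image digest is compared with both. The sample "disk" is a constructed 64 KiB file, and the function names, paths and log format are this example's assumptions.

```shell
#!/bin/sh
# Added example: forensic bit-by-bit copy with before/after message digests
# (dd + md5sum).  The "suspect" disk is a constructed 64 KiB sample file,
# not real evidence; function names, paths and log layout are assumptions.

# Message digest of a file: md5sum as on the slides, md5 on BSD/macOS.
digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Constructed sample original: 64 KiB of pseudo-random bytes.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=1024 count=64 2>/dev/null
}

# Step 3, forensically sterile target: overwrite it with zeros and print the
# digest of the blank target so that sterility is on record.
sterilize_target() {
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
    digest "$1"
}

# Steps 1, 4, 5, 6, 7: digest the original, bit-copy it (dd only reads if=,
# so the original is never written), digest the original again to show it is
# unchanged, then digest the image and require all three values to agree.
# Each digest is appended to the custody log ($3) with a UTC timestamp.
# Prints "OK <digest>" and returns 0, or prints "MISMATCH" and returns 1.
# On a real device add conv=noerror,sync to continue past unreadable
# sectors; note that this pads the image, which the log must then record.
forensic_copy() {
    src="$1"; dst="$2"; log="$3"
    before=$(digest "$src")
    dd if="$src" of="$dst" bs=512 2>/dev/null
    after=$(digest "$src")
    image=$(digest "$dst")
    printf '%s original-before %s\n' "$(date -u +%FT%TZ)" "$before" >> "$log"
    printf '%s original-after  %s\n' "$(date -u +%FT%TZ)" "$after"  >> "$log"
    printf '%s image           %s\n' "$(date -u +%FT%TZ)" "$image"  >> "$log"
    if [ "$before" = "$after" ] && [ "$after" = "$image" ]; then
        echo "OK $image"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# Demo in a throwaway directory; the "suspect" image is the constructed sample.
work=$(mktemp -d)
make_sample_disk "$work/suspect.img"
sterilize_target "$work/suspect.dd" > "$work/sterility.md5"
forensic_copy "$work/suspect.img" "$work/suspect.dd" "$work/custody.log"
```

The three digests in custody.log are what a witness signs: original-before and original-after prove the original was not altered by the copy, and image proves the copy is exact. Any later change to the image, even a single byte, produces a different digest and is caught by the same comparison.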
Useful information to collect…
- Photos of the computer, surroundings, display (if on), back panel plugs, etc.
- IDS, firewall, and system logs
- Employees' web pages, emails, internet activities
- Employees' access of files (created/modified/viewed)
- Local peripheral paraphernalia (CDs, floppies, papers)
- Better to collect too much than too little

Forensic Analysis
- User-created documents: Microsoft Office, PDF, etc.
- Corporate Email
- File Shares
- Paper Documents
- USB Devices
- Mobile Devices & Apps
- Cloud services
- Internet History
- Event Logs
- Social Media
- Disk Volume Shadow Copies/Backups
- Personal Webmail
- Unallocated Disk Space
- Program Execution History

Evidence, internal affair
- Emails
- Computers
- Phones
- External hard drives
- Security camera footage
- Keycard access logs
- Printer logs
- Server/database logs
- Extranet access logs
- Deleted files may be recoverable with forensic software
- OS/App history points to the files accessed most recently (links, last modified date)

Questions to be answered…
- Which devices were last used?
- Windows: a list of every device plugged in, with first and last connection dates
- Mac: a list of devices plugged in within the last 30 days
- When did it all happen?
- Files have time stamps of events (created, modified, last accessed)
- Computer logs show the dates and times of certain events
- Dates/times are keyed off the internal clock, which can be changed
Forensic Toolkit
- Maintain a CD or two floppy disks (write-protected) with forensic utilities (abbreviated from Incident Response & Computer Forensics, Mandia, Prosise, Pepe, McGraw Hill, pp. 87-88)
- Avoid the stored utilities on the potentially-compromised computer

Forensic Utilities
- cmd.exe: Command prompt for Windows NT/2000
- PsLoggedOn: Shows all connected users, local & remote (www.foundstone.com)
- Rasusers: Lists the users with remote-access privileges on the system (NT Resource Kit)
- Netstat: Lists all listening ports and all current connections on the ports
- Fport: Lists all processes that opened any TCP ports, with the executable path (www.foundstone.com)
- PsList: Enumerates all running processes (www.foundstone.com)
- ListDLLs: Lists all running processes, their command-line arguments, and the DLLs they depend on (www.foundstone.com)

Forensic Utilities (2)
- Nbtstat: Lists NetBIOS connections for the last 10 minutes (approx.)
- Arp: Lists the MAC addresses the system has been communicating with in the last minutes
- Kill: Terminates a process (NTRK)
- Md5sum: Creates MD5 hashes for a file (www.cygwin.com)
- Rmtshare: Displays the accessible shares (NTRK)
- Netcat: Creates a communication channel between two systems (www.atstake.com)
- Cryptcat: Creates an encrypted channel of communication (sourceforge.net)

Forensic Utilities (3)
- PsLogList: Dumps the event logs (www.foundstone.com)
- PsKill: Kills a process (www.foundstone.com)
- Ipconfig: Displays the interface configuration
- PsInfo: Provides info about the local system build (www.foundstone.com)
- PsService: Lists current processes and threads (www.foundstone.com)
- Auditpol: Displays security audit settings (NTRK)
- Doskey: Displays the command history for an open cmd.exe shell
- AFind: Provides file access times (www.foundstone.com)
- Pasco: Most recent websites accessed (www.foundstone.com)
- EnCase: Lists files whose extensions do not match the file type (.doc -> .jpeg)
- Sfind: Shows hidden or alternate data stream files (www.foundstone.com)
Save volatile data
Three ways to save forensic data:
- Save to a memory stick/floppy: [cmd] >> f:\logfile
- Use netcat: below we send from the hacked station to the forensic station on port 1234
    (at the forensic station:)  nc -l -p 1234 > logfile
    (at the hacked station:)    [cmd] | nc 192.168.0.n 1234
  where -l is listen mode: accept an incoming connection
- Use cryptcat: encrypted, so no one can observe or modify the netcat data.
Response Script Example (from Incident Response & Computer Forensics, p. 114)
Filename: ir.bat
    time /t
    date /t
    psloggedon
    dir /t:a /o:d /a /s c:
    dir /t:w /o:d /a /s c:
    dir /t:c /o:d /a /s c:
    netstat -an
    fport
    pslist
    nbtstat -c
    time /t
    date /t
    doskey /history
where, per dir's help text (dir /?):
- /t: indicates whether the last Accessed, last Written or Created date should be included
- /s indicates that directories and subdirectories should be listed
- /a indicates the types of files
- 'time /t' and 'date /t' do not prompt for new times and dates
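The ir.bat script above and the "Save volatile data" slide before it, as an added POSIX-shell counterpart (this is not the book's or the slides' script): the same order of collection (timestamp, logged-on users, file timestamps sorted three ways, connections, processes, timestamp), every command's output appended to one log, a missing tool recorded rather than skipped, and the finished log hashed so that later alteration is detectable. The trusted-binary path, the tool names and the file layout are this example's assumptions; the demo runs against a constructed directory, not a real host.

```shell
#!/bin/sh
# Added example, not the ir.bat from the book or the slides: a POSIX-shell
# counterpart that keeps the same collection order and writes everything to
# one log that is hashed when collection ends.  TRUSTED_BIN, the tool names
# and the file layout are this example's assumptions.

# Prefer trusted binaries from read-only media (the path is an assumption);
# if the directory is absent the host's own PATH is used, which the slides
# warn against, so the log header below records which it was.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"
[ -d "$TRUSTED_BIN" ] && PATH="$TRUSTED_BIN:$PATH"

# Message digest of a file: md5sum as on the slides, md5 on BSD/macOS.
digest() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Append one section to the log: a header with the exact command, then its
# output.  A missing tool is recorded, so the log also documents what could
# NOT be collected, and a failing tool's exit status is recorded too.
section() {
    log="$1"; shift
    printf '\n=== %s ===\n' "$*" >> "$log"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$log" 2>&1 || printf '(exit status %s)\n' "$?" >> "$log"
    else
        printf '(%s not available on this host)\n' "$1" >> "$log"
    fi
}

# Collect volatile data into $1/volatile.log, most volatile first, and print
# the log's digest (also stored beside the log).  $2 is the tree whose file
# timestamps are listed: the slide's dir /t:a, /t:w, /t:c become ls -u, ls,
# ls -c (Unix ls -c shows status-change time; it has no creation time).
collect_volatile() {
    outdir="$1"; tree="${2:-/}"
    log="$outdir/volatile.log"
    : > "$log"
    printf '=== START %s collector=%s case=%s trusted_bin=%s ===\n' \
        "$(date -u +%FT%TZ)" "${COLLECTOR:-unknown}" "${CASE_ID:-unassigned}" \
        "$([ -d "$TRUSTED_BIN" ] && echo yes || echo no)" >> "$log"
    section "$log" date                 # time /t, date /t
    section "$log" who                  # psloggedon
    section "$log" ls -lRu "$tree"      # dir /t:a  (last accessed)
    section "$log" ls -lR "$tree"       # dir /t:w  (last written)
    section "$log" ls -lRc "$tree"      # dir /t:c  (see note above)
    section "$log" netstat -an          # netstat -an, fport
    section "$log" ps -ef               # pslist
    section "$log" arp -an              # arp
    printf '\n=== END %s ===\n' "$(date -u +%FT%TZ)" >> "$log"
    digest "$log" | tee "$outdir/volatile.log.md5"
}

# Re-check the log against the digest recorded at collection time.
verify_log() {
    [ "$(digest "$1/volatile.log")" = "$(cat "$1/volatile.log.md5")" ]
}

# Alternative to removable media, as on the "Save volatile data" slide: send
# the log to a forensic workstation listening with "nc -l -p 1234 > logfile"
# (traditional netcat flags; OpenBSD netcat listens with "nc -l 1234").
ship_log() {
    nc "$1" "$2" < "$3"
}

# Demo on a constructed directory rather than a real host tree.
demo=$(mktemp -d)
mkdir "$demo/tree"
printf 'constructed sample file\n' > "$demo/tree/readme.txt"
COLLECTOR=RFT CASE_ID=DEMO-1 collect_volatile "$demo" "$demo/tree"
```

Run it as the collector named on the evidence label, for instance COLLECTOR=RFT CASE_ID=2024-001 sh collect.sh, and write the printed digest on the label together with the time; verify_log is what the analyst runs later to show the log has not changed since. The two timestamps bracket the collection window, and ship_log replaces the USB drive with the netcat channel from the slide when no removable media can be attached.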
Summary
- Must detect incidents
- Have an established incident response procedure
- Save off volatile data first
- Do not rely on utilities on the compromised machine
- Legal proceedings require Authenticity & Continuity (chain of custody)
- Improve the incident response procedure after a test or usage