Recognizing Attacks 1 Recognition Stances Recognizing Attacks 2
- Slides: 24
Recognizing Attacks 1
Recognition Stances Recognizing Attacks 2
Leading Questions • • Is it a real break-in? Was any damage really done? Is protecting evidence important? Is restoring normal operation quickly important? • Willing to chance modification of files? • Is no publicity important? • Can it happen again? Recognizing Attacks 3
Document Actions • • Start notebook Collect printouts and backup media Use scripts Get legal assistance for evidencegathering • PLAN AHEAD Recognizing Attacks 4
Finding the Intruder • Finding changes • Receiving message from other system administrator / net defender • Strange activities • User reports Recognizing Attacks 5
Steps in Handling 1. Identify/understand the problem 2. Contain/stop the damage 3. Confirm diagnosis and determine damage 4. Restore system 5. Deal with the cause 6. Perform related recovery Recognizing Attacks 6
Dealing with Intruder • Ignore Intruder – Dangerous – Contrary to policy/law? • Communicate with intruder – Dangerous – Low return • Trace/identify intruder – Watch for traps / assumptions – Network and host options – Phone logs • Break intruder’s connection – Physically – Logically (logout, kill processes, lock account) Recognizing Attacks 7
Asking for Help • CERT, FIRST, Law enforcement, etc. • Don’t use infected system • Avoid using email from connected systems Recognizing Attacks 8
Finding Damage • What have affected accounts done lately? – – – Missing log files? What has root done? What reboots have occurred? Unexplained error messages? Connections from/to unfamiliar sites? New hidden directories? – – – Changed binaries? Changed configuration files? Changed library files? Changed boot files? Changed user files? • Integrity checkers Recognizing Attacks 9
Dealing with Damage • Delete unauthorized account(s) • Restore authorized access to affected account(s) • Restore file / device protections • Remove setuid/setgid programs • Remove unauthorized mail aliases • Remove added files / directories • Force new passwords Recognizing Attacks 10
Resume Service • Patch and repair damage, enable further monitoring, resume • Quick scan and cleanup, resume • Call in law enforcement -- delay resumption • Do nothing -- use corrupted system Recognizing Attacks 11
Dealing with Consequences • Was sensitive information disclosed? • Who do you need to notify formally? • Who do you need to notify informally? • What disciplinary action is needed? Recognizing Attacks 12
Moving Forward • What vendor contacts do we need to make? • What other system administrators should be notified? • What updated employee training is needed? Recognizing Attacks 13
Netwar • Individual: affect key decision-maker – Ems telegram – Gulf war marines • Corporate: affect environment of decision – Zapatista peso collapse – Vietnam protests – Intifada / Cyber-Intifada? • Strategic combination of all previous Recognizing Attacks 14
Example: Zapatista Cyberstrike • Mid-1990 s rebellion in Mexico • Military situation strongly favored Mexican Army • Agents of influence circulated rumors of Peso instability • Peso crash forced government to negotiating table Recognizing Attacks 15
Building Understanding Operators/Groups Victims Internet Behavior Stimuli/Motives Opportunities Intrusions/Responses Threats/Counters Vulnerabilities/Fixes Recognizing Attacks 16
Analysis Process Incident Information Flow Identify Profiles and Categories Isolate Variables Identify Data Sources Establish Relevancy Identify Gaps Recognizing Attacks 17
One Effort – Looking Inside the Noise Network Activity Example Overall Activity Several Gbytes/day Noise - Below the Radar Recognizing Attacks 18
Low-Packet Filtering It’s hard to use TCP without generating a lot of packets – Negotiation, transmission, configuration, error checking Few legitimate low-packet sessions possible – Mostly web access Recognizing Attacks 19
Low-Packet Traffic Recognizing Attacks 20
Flow Based Detection • • Scans and Probes Distributed Tools Worm/Virus Propagation ? ? ? Recognizing Attacks 21
Challenges to Analysis • Gathering sufficient datasets to make statistically valid judgments • Developing automated technical analysis tools • Developing a reliable methodology for cyber-analysis • Overcoming organizational bias against sharing information
Limits of Analysis • Inherently partial data • Baseline in dynamic environment • Correlation vs. Causation • Implications – Need to be cautious in kinds of conclusions – Consider strategies for dealing with trends gone wrong Recognizing Attacks 23
Summary • Incidents are not proof of bad administration • Lots of effort involved in handling Incidents • Need proactive, strategic planning to reduce costs, improve handling Recognizing Attacks 24
The most common critical stances for literature
Modern contemporary dance meaning
Chapter 3 recognizing opportunity
Chapter 3 recognizing opportunity
Recognizing and resolving abo discrepancies
Recognizing opportunities and generating ideas
The importance of listening in lang
Recognizing laboratory safety
Strategy: recognizing cognates
Trends and opportunities examples
Adverb of happy
Recognizing interruptions of health development
Recognizing lab safety worksheet
All household materials are useful
Sensory language definition
Faulty parallel structure
Argumentative genre
Argumentative text anchor chart
Recognizing opportunities and generating ideas
Sequence pattern paragraph
Chapter 3 recognizing opportunity
Bottom-up listening strategies examples
Design marketing channel
Pronouno
Chapter 3 recognizing opportunity
