Security + Certification - Chapter 11: Incident Response - Athena

Chapter 11 Incident Response  Incident Response Overview  Computer Forensics Defined  Contemporary Issues in Computer Forensics  Forensic Process  Forensic Tools  Forensic Problems  The Future of Computer Forensics ATHENA Incident Response – Why is it Critical?  Resolve the problem • Find out what happened • How it happened • Who did it  Create a record of the incident for later use  Create a record to observe trends  Create a record to improve processes  Avoid confusion ATHENA Elements of Incident Response  Preparation  Identification  Containment  Eradication  Recovery  Follow-up ATHENA Preparation Without adequate preparation, it is extremely likely that response efforts to an incident will be disorganized and that there will be considerable confusion among personnel. Preparation limits the potential for damage by ensuring response actions are known and coordinated. ATHENA Identification The process of determining whether or not an incident has occurred and the nature of an incident. Identification may occur through the use of automated network intrusion equipment or by a user or SA. Identification is a difficult process. Noticing the symptoms of an incident is often difficult. There are many false positives. However, noticing an anomaly should drive the observer to investigate further. ATHENA Who can identify an Incident  Users – My system is slow, my mail is missing, my files have changed  System support personnel – servers locked up, files missing, accounts add/deleted, weird stuff happening , anomalies in the logs  Intrusion Detection Systems and Firewalls – Automatically ID violations to policies ATHENA Possible Incident Classifications  Unauthorized Privileged (root) Access – Access gained to a system and the use of root privileges without authorization.  Unauthorized Limited (user) Access – Access gained to a system and the use of user privileges without authorization.  Unauthorized Unsuccessful Attempted Access – Repeated attempt to gain access as root or user on the same host, service, or system with a certain number of connections from the same source. ATHENA Possible Incident Classifications (cont.)  Unauthorized Probe – Any attempt to gather information about a system or user on-line by scanning a site and accessing ports through operating system vulnerabilities.  Poor Security Practices – Bad passwords, direct privileged logins, etc, which are collected from network monitor systems.  Denial of Service (DOS) Attacks – Any action that preempts or degrades performance of a system or network affecting the mission, business, or function of an organization. ATHENA  Malicious Logic – Self-replicating software that is viral in nature; is disseminated by attaching to or mimicking authorized computer system files; or acts as a trojan horse, worm, malicious scripting, or a logic bomb. Usually hidden and some may replicate. Effects can range from simple monitoring of traffic to complicated automated backdoor with full system rights. Possible Incident Classifications (cont.) ATHENA Possible Incident Classifications (cont.)  Hardware/Software Failure – Non-malicious failure of HW or SW assets.  Infrastructure Failure – Non-malicious failure of supporting infrastructure to include power failure, natural disasters, forced evacuation, and service providers failure to deliver services.  Unauthorized Utilization of Services – This can include game play, relaying mail without approval, creating dial- up access, use organizational equipment for personal gain, and personal servers on the network. ATHENA Containment The process of limiting the scope and magnitude of an incident. As soon as it is recognized that an incident has occurred or is occurring, steps should immediately be taken to contain the incident. ATHENA Containment - Example  Incidents involving using malicious code are common, and since malicious code incidents can spread rapidly, massive destruction and compromise of information is possible.  It is not uncommon to find every workstation connected to a LAN infected when there is a virus outbreak. • Internet Worm of 1988 attacked 6,000 computers in the U.S. in one day. • LoveBug Virus affected over 10Million computers with damage estimated between $2.5B-$10B US • Kournikova worm affects still being analyzed ATHENA Eradication  The process of removing the cause of the incident. • For a virus – anti-virus software is best • For a network may involve block/filter IP address at the router/firewall • Ideally, but difficult, best eradicated by bringing the perpetrators into legal custody and convicting them in a court of law. ATHENA Recovery  The process of restoring a system to its normal operating status • Unsuccessful incidents – assure system operation and data not affected • Complex and/or successful incidents – May require complete restoration from known clean system backups. Essential to assure the backups integrity and to verify restore operation was successful ATHENA Follow-Up  Critical  Helps to improve incident handling procedures  Address efforts to prosecute perpetrators  Activities Include: • Analyze the Incident and the Response • Analyze the Cost of the Incident • Prepare a Report • Revise Policies and Procedures ATHENA What is Computer Forensics? Computer Forensics can be defined simply, as a process of applying scientific and analytical techniques to computer Operating Systems and File Structures in determining the potential for Legal Evidence. ATHENA Why is Evidence important?  In the legal world, Evidence is EVERYTHING.  Evidence is used to establish facts.  The Forensic Examiner is not biased. ATHENA Who needs Computer Forensics?  The Victim!  Law Enforcement  Insurance Carriers  Ultimately the Legal System ATHENA Who are the Victims? •Private Business •Government •Private Individuals ATHENA ATHENA ATHENA ATHENA  ID the perpetrator.  ID the method/vulnerability of the network that allowed the perpetrator to gain access into the system.  Conduct a damage assessment of the victimized network.  Preserve the Evidence for Judicial action. Reasons for a Forensic Analysis ATHENA  Disk Forensics  Network Forensics  E-mail Forensics  Internet (Web) Forensics  Source Code Forensics Types of Computer Forensics ATHENA Disk Forensics  Disk forensics is the process of acquiring and analyzing the data stored on some form of physical storage media. • Includes the recovery of hidden and deleted data. • Includes file identification, which is the process used to identify who created a particular file or message. – Melissa Virus ATHENA Network Forensics  Network forensics is the process of examining network traffic. It includes: • After the fact analysis of transaction logs • Real-time analysis via network monitoring – Sniffers – Real-time tracing ATHENA E-mail Forensics  E-mail forensics is the study of source and content of electronic mail as evidence. • It includes the process of identifying the actual sender and recipient of a message, the date and time it was sent, and where it was sent from. • E-mail has turned out to be the Achilles Heal for many individuals and organizations. • Many time issues of sexual harassment, racial and religious prejudice, or unauthorized activity are tied to e-mail. ATHENA Internet Forensics  Internet or Web forensics is the process of piecing together where and when a user has been on the Internet. • For example, it is used to determine whether the download of pornography was accidental or not. ATHENA Source Code Forensics  Source code forensics is used to determine software ownership or software liability issues. • It is not merely a review of the actual source code. • It is an examination of the entire development process, including development procedures, review of developer time sheets, documentation review and the review of source code revision practices. ATHENA Technological Progress  The Population is More Computer Literate  The World is Networked, Yet Users Can Retain a Sense of Anonymity  The Use of Encryption is Becoming Common  Network Bandwidth is Increasing while Cost is Decreasing  Disks are Less Expensive and have Higher Capacities • More Data Available On-Line ATHENA Technological Progress Albert Einstein said “Technological progress is like an axe in the hands of a pathological criminal.” ATHENA Technological Progress  Computers are Tools and Targets • Instrumentality • Data Repository – Many Criminals Are Using Computers in the Normal Course of Business  Computer Crime Today • Crime Without Punishment • Media Sensationalism • Public Apathy • Easy to Commit ATHENA What is Cyber Crime? A crime in which technology plays an important, and often a necessary, part. • The computer is: – the target of an attack – the tool used in an attack – used to store data related to criminal activity ATHENA Types of Cyber Crime Unauthorized Access Denial of Service Extortion Theft Sabotage Espionage Computer Fraud Embezzlement Copyright Violation Forgery and Counterfeiting Internet Fraud – “Imposter Sites” SEC Fraud and Stock Manipulation Child Pornography Stalking & Harassment Credit Card Fraud & Skimming ATHENA Contemporary Issues in Computer Forensics  Criminal Justice System is not Prepared to Handle High-Tech Crime • Shortage of Trained Investigators & Analysts • Lack of Forensic Standards  Too Much Data! • Large Disk Drives and Disk Arrays • High Speed Network Connections  Issues Relating to Time ATHENA Contemporary Issues in Computer Forensics  Evidence Collection and Examination Must not Violate the following: • Privacy Protection Act • Electronic Communications Privacy Act ATHENA Forensics Process  Preparation  Protection  Imaging  Examination  Documentation ATHENA Preparation  Confirm the authority to conduct analysis/search of media.  Verify the purpose of the analysis and the clearly defined desired results.  Ensure that sterile media is available and utilized for imaging. (ie..Free of virus, Non-essential files, and verified before use.)  Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics community. ATHENA Protection  Protect the integrity of the evidence. Maintain control until final disposition.  Prior to Booting target computer, DISCONNECT HDD and verify CMOS. ATHENA Imaging  Utilize disk “imaging” software to make an exact image of the target media. Verify the image. When conducting an analysis of target media, utilize the restored image of the target media; never utilize the actual target media. ATHENA Examination  The Operating System  Services  Applications/processes  Hardware  LOGFILES!  System, Security, and Application  File System ATHENA Examination (Cont)  Deleted/Hidden Files/NTFS Streams  Software  Encryption Software  Published Shares/Permissions  Password Files  SIDS  Network Architecture/Trusted Relationships ATHENA Off-Site Storage  “X-Drives”  FTP Links  FTP Logs  Shares on internal networks ATHENA Documentation  Document EVERYTHING  Reason for Examination  “The Scene”  Utilize Screen Capture/Copy Suspected files  All apps for Analysis/apps on Examined system. ATHENA Forensic Tools  Forensic Tool Kit  Forensic Computer System  Forensic Software ATHENA Forensic Tool Kit ATHENA Forensic System Hardware  Main Systems • Pentium-based Computer • Multiple O/S – UNIX, Windows, MAC  Media Options  Removable Media (REM-KIT)  Disk Imaging Hardware • Image MASSter 500 & 1000  Static-Dissipative Grounding Kit w/Wrist Strap  UPS ATHENA Media Options Your Forensic System should have plenty of room for expansion and external media. This is usually best supported by SCSI Systems. ATHENA Media Options Internal Hard Disk Tape Media • QIC Tape Drive • Travan Tape Drive • DAT Optical Media • CD-ROM • CD-Writer • DVD ATHENA Removable Media Hard Drives ZIP Drives Jazz Drives PCMCIA Flash Disks ATHENA Disk Imaging Hardware  Supports IDE & SCSI  Sector by Sector Copy • DOS, Windows 3.1, • Windows 95, NT, SCO, • UNIX, OS/2 & Mac O/S  Full Read/Write Verification & Reporting  Logging Capability  No Writing to Master Disk ATHENA Forensic Software  Clean Operating System(s)  Disk Image Backup Software  Search & Recovery Utilities  File Viewing Utilities  Cracking Software  Archive & Compression Utilities ATHENA Validate Software  Determine Functionality • Verify operation • Identify limitations • Identify bugs  Court Presentation • Testify from own experience ATHENA Disk Imaging Software  Bit Level Copy of the Disk, not File Level  Not Operating System Dependent  Must have Logging or Error Reporting  Must Copy Deleted Files and Slackspace  Tools • EnCase • SafeBack • SnapBack ATHENA Search Utilities  Forensic Software • EnCase • The Coroners Tool Kit  File System Utilities • DOS, Windows, NT, UNIX  Norton Utilities ATHENA File Viewing Utilities  Quick View Plus  Drag & View  Thumbs Plus ATHENA Forensic Analysis  Computer Forensics • Lock the Disk • Create an Image of the Disk(s) • File System Authentication • List Disk Directories and File Systems • Locate Hidden or Obscured Data • Cluster Analysis ATHENA File System Authentication  Integrity of data related to any seizure is essential Message Digest - One-way Hash Algorithm • CRC32 (32 bits) • MD5 (128 bits) • SHA (160 bits)  Create MD for system directories and files ATHENA File System Authentication ATHENA List Directories and Files  Create Hierarchical Directory Listing (Tree)  Identify Suspect Files  Inventory All Files on the Disk  Search Communications Programs  Registry Files  Last Files Accessed  Document Association ATHENA Identify Suspect Files  File Name Search based on Case Characteristics  Key Word Search based on Case Characteristics Modified File Extensions that Do Not Match the File Type  Hidden or Deleted Files ATHENA Hidden & Obscure Data  Hidden File Attributes  Hidden Directories  Temporary Directories  Deleted Files  Slack Space  Unallocated Space  Swap Space  Steganography ATHENA Steganography  The Art of Hiding Communications  While Encryption Conceals the Data, Steganography Denies the Data Exists  Files Can Be Hidden within an Image  Disguising Data as Innocent Text ATHENA S-Tools Hides Data inside Images, Audio Files and Slack Space ATHENA Analysis Problems  Searching Access Controlled Systems  Virus Infection  Formatted Disk  Corrupted Disk  DiskWipe or Degaussed Media  Defragmented Disk  Cluster Boundaries  Evidence Eliminator ATHENA Evidence Protection  Transparent Static Shielding Bags • Provides shielding from electrostatic discharge by safely enveloping static sensitive devices in a humidity-independent Faraday cage. The nickel shielding layer creates a Faraday type shield.Meets MIL-B-81705 and DoD-STD-1686A  Foam-Filled Disk Transport Box  EMF Warning Labels ATHENA Evidence Protection ATHENA Network Forensics  Analyze Packet Traces • Establish a Sequence of Events • Goal is Identify the Intruder  Tools • Network Sniffer • System Logs • NTSC Adapter ATHENA  IP Spoofing  Hijacking  Password Attacks • Social Engineering • Cracking Passwords • Sniffers  Distributed-Coordinated Attacks  Identity Concealed by Connection Laundering Network Forensics ATHENA Connection Laundering ATHENA E-mail Forensics  E-mail Usage in 2000 • 108 Million E-mail Subscribers • 25.2 Billion Message Daily  E-mail is a asynchronous communications mechanisms that allows venting.  People have a tendency to include more in an e- mail message than they would say in person of over the phone.  E-mail Spoofing ATHENA E-mail Spoofing  Requires Only: • Mail Relay Server • Knowledge of Mail Commands – telnet – helo – mail from: gwbush@whitehouse.com – rcpt to: twelch@sendsecure.com – Data ATHENA The Future Forensics  Crimes and Methods to Hide Crimes are becoming more Sophisticated, thus Investigators and Analyst must become more Technical • Specialist are Needed • More Training is needed in both the Public and Private Sectors  Encryption will Continue to be an Issue, but Only Time will Tell ATHENA The Future Forensics  Forensic Tools • Must Become Automated • Forensic Search Engines Must include Fuzzy Logic and Intelligence to handle Cluster Boundaries • UNIX Tools Must be Developed • Better Network Analysis Tools need to be Developed • Tools to Analyze Distributed Applications such as Java, COM, and DCOM will need to be Developed. ATHENA Conclusions  Computer forensics is an integral function within incident response  Processes are the most important aspects of computer forensics  The future of cyber crime will lead to an increased need for computer forensic capabilities ATHENA Questions ? ATHENA Objective in this chapter  Physical Security  Forensics  Risk Identification ATHENA What do you do after a system has been penetrated? ATHENA Physical Security  Access Control: physical barriers, Biometrics  Social Engineering  Environment:  Temperature, Humidity, Airflow, Electrical interference, Electrostatic discharge (ESD) Wireless Cells, Location, Shielding (EMI, RFI), Fire Suppression ATHENA Physical Security  Shielding  radio frequency interference (RFI)  electromagnetic interference (EMI)  Fire Suppression • Inergen (IG-541): nitrogen + agon + Carbon dioxide • Heptafluoropropane (HFC-227ea) (~FM-200) • Trifluromethane (FE-13) • Carbon Dioxide Systems ATHENA Forensics  Computer forensics is the application of computer skills and investigation techniques for the purpose of acquiring evidence  Forensics has 4 basic components: Collected, Examined, Preserved and Presented ATHENA Forensics  Awareness What Your Role Is: First responder, Investigator, Crime scene technician ATHENA Forensics  Chain of Custody  Preservation of Evidence  Collection of Evidence: SafeBack, Encase, ProDiscover ATHENA Risk Identification  Hard Reality – Systems fail and can be breached  How much does it cost to build a wall of security  How much which failed services will cost the most in downtime  How can you mitigate the loss of those services?  How can you quickly recover those failed services? ATHENA Risk Identification  Asset Identification  Risk assessment  Threat Identification  Vulnerabilities ATHENA Asset Identification Identify physical and logical company resources Assign hard dollar amounts to loss of those resources ATHENA Risk assessment  Determine cost ARO * SLE = ALE ARO: Annualized Rate of Occurrence SLEL Single Loss Expectancy ALE: Annual Loss Expectancy  Determine cost of replacement and cost of outage  Identify likelihood of failure occurring  Identify how to avoid risk of loss  Identify how to response to failure ATHENA Threat Identification  Create thread model that outlines possible security threats  A common security model is called STRIDE – Spoofing – Tampering – Repudiation – Information Disclosure – Denial of Service – Elevation of privilege ATHENA Vulnerabilities Use threat model to review network for possible threats Determine how best to thwart those types of attacks Create security guide ATHENA