Security+ Certification
Chapter 11: Incident Response
Incident Response Overview
Computer Forensics Defined
Contemporary Issues in Computer Forensics
Forensic Process
Forensic Tools
Forensic Problems
The Future of Computer Forensics
ATHENA
Incident Response – Why is it Critical?
Resolve the problem
• Find out what happened
• How it happened
• Who did it
Create a record of the incident for later use
Create a record to observe trends
Create a record to improve processes
Avoid confusion
Elements of Incident Response
Preparation
Identification
Containment
Eradication
Recovery
Follow-up
Preparation
Without adequate preparation, it is extremely likely that response efforts to an incident will be disorganized and that there will be considerable confusion among personnel. Preparation limits the potential for damage by ensuring response actions are known and coordinated.
Identification
The process of determining whether or not an incident has occurred and the nature of the incident. Identification may occur through the use of automated network intrusion detection equipment or by a user or system administrator (SA).
Identification is a difficult process. Noticing the symptoms of an incident is often difficult, and there are many false positives. However, noticing an anomaly should drive the observer to investigate further.
Who can identify an Incident
Users – My system is slow, my mail is missing, my files have changed
System support personnel – servers locked up, files missing, accounts added/deleted, weird stuff happening, anomalies in the logs
Intrusion Detection Systems and Firewalls – Automatically identify violations of policies
Possible Incident Classifications
Unauthorized Privileged (root) Access – Access gained to a system and the use of root privileges without authorization.
Unauthorized Limited (user) Access – Access gained to a system and the use of user privileges without authorization.
Unauthorized Unsuccessful Attempted Access – Repeated attempts to gain access as root or user on the same host, service, or system, with a certain number of connections from the same source.
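As an added example (not from the original slides), the "repeated attempts from the same source" classification above turned into detection logic run over a few constructed sshd log lines; the syslog line format, the documentation-range IPs and the threshold of 4 attempts are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not from the original slides); IPs are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:01 host1 sshd[811]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:03 host1 sshd[811]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 12 03:14:05 host1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:08 host1 sshd[811]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 12 03:14:11 host1 sshd[811]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 12 03:20:44 host1 sshd[902]: Failed password for alice from 198.51.100.4 port 40211 ssh2
Jan 12 03:20:51 host1 sshd[902]: Accepted password for alice from 198.51.100.4 port 40212 ssh2
"""

# Assumed syslog-style sshd line format; adjust the pattern for other log sources.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, user, source IP) for every failed-login line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("src")


def classify(text, threshold=4):
    """Group failures by source and label sources at or above the threshold
    with the slide's 'Unauthorized Unsuccessful Attempted Access' class."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    for ts, user, src in parse_failures(text):
        info = per_src[src]
        info["attempts"] += 1
        info["users"].add(user)
        info["first"] = info["first"] or ts
        info["last"] = ts
    report = {}
    for src, info in per_src.items():
        label = ("Unauthorized Unsuccessful Attempted Access"
                 if info["attempts"] >= threshold else "isolated failure")
        report[src] = {"attempts": info["attempts"], "users": sorted(info["users"]),
                       "window": (info["first"], info["last"]), "class": label}
    return report


if __name__ == "__main__":
    for src, info in classify(SAMPLE_LOG).items():
        print(src, info)
```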
Possible Incident Classifications (cont.)
Unauthorized Probe – Any attempt to gather information about a system or user on-line by scanning a site and accessing ports through operating system vulnerabilities.
Poor Security Practices – Bad passwords, direct privileged logins, etc., which are collected from network monitoring systems.
Denial of Service (DoS) Attacks – Any action that preempts or degrades performance of a system or network, affecting the mission, business, or function of an organization.
Possible Incident Classifications (cont.)
Malicious Logic – Self-replicating software that is viral in nature; is disseminated by attaching to or mimicking authorized computer system files; or acts as a trojan horse, worm, malicious script, or logic bomb. Usually hidden, and some may replicate. Effects can range from simple monitoring of traffic to a complicated automated backdoor with full system rights.
Possible Incident Classifications (cont.)
Hardware/Software Failure – Non-malicious failure of HW or SW assets.
Infrastructure Failure – Non-malicious failure of supporting infrastructure, including power failure, natural disasters, forced evacuation, and service providers' failure to deliver services.
Unauthorized Utilization of Services – This can include game play, relaying mail without approval, creating dial-up access, using organizational equipment for personal gain, and personal servers on the network.
Containment
The process of limiting the scope and magnitude of an incident.
As soon as it is recognized that an incident has occurred or is occurring, steps should immediately be taken to contain the incident.
Containment - Example
Incidents involving malicious code are common, and since malicious code incidents can spread rapidly, massive destruction and compromise of information is possible.
It is not uncommon to find every workstation connected to a LAN infected when there is a virus outbreak.
• The Internet Worm of 1988 attacked 6,000 computers in the U.S. in one day.
• The LoveBug virus affected over 10 million computers, with damage estimated between $2.5B and $10B US.
• The effects of the Kournikova worm are still being analyzed.
Eradication
The process of removing the cause of the incident.
• For a virus – anti-virus software is best
• For a network attack – may involve blocking/filtering the IP address at the router/firewall
• Ideally, but difficult – best eradicated by bringing the perpetrators into legal custody and convicting them in a court of law
Recovery
The process of restoring a system to its normal operating status.
• Unsuccessful incidents – confirm that system operation and data were not affected
• Complex and/or successful incidents – may require complete restoration from known clean system backups. It is essential to verify the integrity of the backups and that the restore operation was successful.
Follow-Up
Critical
Helps to improve incident handling procedures
Addresses efforts to prosecute perpetrators
Activities include:
• Analyze the incident and the response
• Analyze the cost of the incident
• Prepare a report
• Revise policies and procedures
What is Computer Forensics?
Computer forensics can be defined simply as a process of applying scientific and analytical techniques to computer operating systems and file structures in determining the potential for legal evidence.
Why is Evidence important?
In the legal world, evidence is EVERYTHING.
Evidence is used to establish facts.
The forensic examiner is not biased.
Who needs Computer Forensics?
The Victim!
Law Enforcement
Insurance Carriers
Ultimately the Legal System
Who are the Victims?
• Private Business
• Government
• Private Individuals
Reasons for a Forensic Analysis
ID the perpetrator.
ID the method/vulnerability of the network that allowed the perpetrator to gain access into the system.
Conduct a damage assessment of the victimized network.
Preserve the evidence for judicial action.
Types of Computer Forensics
Disk Forensics
Network Forensics
E-mail Forensics
Internet (Web) Forensics
Source Code Forensics
Disk Forensics
Disk forensics is the process of acquiring and analyzing the data stored on some form of physical storage media.
• Includes the recovery of hidden and deleted data.
• Includes file identification, which is the process used to identify who created a particular file or message.
– Example: the Melissa virus
Network Forensics
Network forensics is the process of examining network traffic. It includes:
• After-the-fact analysis of transaction logs
• Real-time analysis via network monitoring
– Sniffers
– Real-time tracing
E-mail Forensics
E-mail forensics is the study of the source and content of electronic mail as evidence.
• It includes the process of identifying the actual sender and recipient of a message, the date and time it was sent, and where it was sent from.
• E-mail has turned out to be the Achilles' heel for many individuals and organizations.
• Many times, issues of sexual harassment, racial and religious prejudice, or unauthorized activity are tied to e-mail.
Internet Forensics
Internet or Web forensics is the process of piecing together where and when a user has been on the Internet.
• For example, it is used to determine whether the download of pornography was accidental or not.
Source Code Forensics
Source code forensics is used to determine software ownership or software liability issues.
• It is not merely a review of the actual source code.
• It is an examination of the entire development process, including development procedures, review of developer time sheets, documentation review, and the review of source code revision practices.
Technological Progress
The population is more computer literate
The world is networked, yet users can retain a sense of anonymity
The use of encryption is becoming common
Network bandwidth is increasing while cost is decreasing
Disks are less expensive and have higher capacities
• More data available on-line
Technological Progress
Albert Einstein said “Technological progress is like an axe in the hands of a pathological criminal.”
Technological Progress
Computers are tools and targets
• Instrumentality
• Data repository
– Many criminals are using computers in the normal course of business
Computer crime today
• Crime without punishment
• Media sensationalism
• Public apathy
• Easy to commit
What is Cyber Crime?
A crime in which technology plays an important, and often a necessary, part.
• The computer is:
– the target of an attack
– the tool used in an attack
– used to store data related to criminal activity
Types of Cyber Crime
Unauthorized Access
Denial of Service
Extortion
Theft
Sabotage
Espionage
Computer Fraud
Embezzlement
Copyright Violation
Forgery and Counterfeiting
Internet Fraud – “Imposter Sites”
SEC Fraud and Stock Manipulation
Child Pornography
Stalking & Harassment
Credit Card Fraud & Skimming
Contemporary Issues in Computer Forensics
Criminal justice system is not prepared to handle high-tech crime
• Shortage of trained investigators and analysts
• Lack of forensic standards
Too much data!
• Large disk drives and disk arrays
• High-speed network connections
Issues relating to time
Contemporary Issues in Computer Forensics
Evidence collection and examination must not violate the following:
• Privacy Protection Act
• Electronic Communications Privacy Act
Forensics Process
Preparation
Protection
Imaging
Examination
Documentation
Preparation
Confirm the authority to conduct analysis/search of the media.
Verify the purpose of the analysis and the clearly defined desired results.
Ensure that sterile media is available and utilized for imaging (i.e., free of viruses and non-essential files, and verified before use).
Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics community.
Protection
Protect the integrity of the evidence. Maintain control until final disposition.
Prior to booting the target computer, DISCONNECT the HDD and verify the CMOS.
Imaging
Utilize disk “imaging” software to make an exact image of the target media. Verify the image.
When conducting an analysis of target media, utilize the restored image of the target media; never utilize the actual target media.
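An added example (not from the slides or any product they name) of the imaging step: a bit-for-bit copy that hashes the source as it is read, then re-reads the finished image and compares the digests, logging each step as the "Full Read/Write Verification & Reporting" slide later asks for. A random temporary file stands in for the target drive; on real media the source would sit behind a write blocker.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # copy in 1 MiB blocks


def image_media(source_path, image_path, log):
    """Bit-for-bit copy of source_path to image_path. The source is opened
    read-only and hashed as it is read; every step is appended to log."""
    md5, sha1, copied = hashlib.md5(), hashlib.sha1(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK), b""):
            md5.update(block)
            sha1.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    log.append(f"imaged {copied} bytes from {source_path} to {image_path}")
    log.append(f"source md5={md5.hexdigest()} sha1={sha1.hexdigest()}")
    return md5.hexdigest(), sha1.hexdigest()


def hash_file(path):
    """MD5 and SHA-1 of a file, read back from disk."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(image_path, expected, log):
    """Re-read the image and compare its digests with those of the source."""
    actual = hash_file(image_path)
    ok = actual == expected
    log.append(f"verify {image_path}: {'MATCH' if ok else 'MISMATCH'} "
               f"md5={actual[0]} sha1={actual[1]}")
    return ok


def demo(tamper=False):
    """Constructed demo: a random 3 MiB file stands in for the target drive.
    With tamper=True a byte is appended to the image before verification."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "suspect.bin"), os.path.join(d, "suspect.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * BLOCK + 12345))
        log = []
        expected = image_media(src, img, log)
        if tamper:
            with open(img, "ab") as f:
                f.write(b"\x00")
        return verify_image(img, expected, log), log


if __name__ == "__main__":
    print("\n".join(demo()[1]))
```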
Examination
The Operating System
Services
Applications/processes
Hardware
LOGFILES!
• System, Security, and Application
File System
Examination (cont.)
Deleted/Hidden Files/NTFS Streams
Software
Encryption Software
Published Shares/Permissions
Password Files
SIDs
Network Architecture/Trusted Relationships
Off-Site Storage
“X-Drives”
FTP Links
FTP Logs
Shares on internal networks
Documentation
Document EVERYTHING
Reason for examination
“The Scene”
Utilize screen capture / copy suspected files
All apps used for analysis / apps on the examined system
Forensic Tools
Forensic Tool Kit
Forensic Computer System
Forensic Software
Forensic Tool Kit (figure)
Forensic System Hardware
Main Systems
• Pentium-based computer
• Multiple O/S
– UNIX, Windows, Mac
Media Options
Removable Media (REM-KIT)
Disk Imaging Hardware
• Image MASSter 500 & 1000
Static-Dissipative Grounding Kit with Wrist Strap
UPS
Media Options
Your forensic system should have plenty of room for expansion and external media. This is usually best supported by SCSI systems.
Media Options
Internal Hard Disk
Tape Media
• QIC Tape Drive
• Travan Tape Drive
• DAT
Optical Media
• CD-ROM
• CD-Writer
• DVD
Removable Media
Hard Drives
ZIP Drives
Jazz Drives
PCMCIA Flash Disks
Disk Imaging Hardware
Supports IDE & SCSI
Sector-by-Sector Copy
• DOS, Windows 3.1,
• Windows 95, NT, SCO,
• UNIX, OS/2 & Mac O/S
Full Read/Write Verification & Reporting
Logging Capability
No Writing to Master Disk
Forensic Software
Clean Operating System(s)
Disk Image Backup Software
Search & Recovery Utilities
File Viewing Utilities
Cracking Software
Archive & Compression Utilities
Validate Software
Determine Functionality
• Verify operation
• Identify limitations
• Identify bugs
Court Presentation
• Testify from own experience
Disk Imaging Software
Bit-Level Copy of the Disk, not File-Level
Not Operating System Dependent
Must have Logging or Error Reporting
Must Copy Deleted Files and Slack Space
Tools
• EnCase
• SafeBack
• SnapBack
Search Utilities
Forensic Software
• EnCase
• The Coroner's Toolkit
File System Utilities
• DOS, Windows, NT, UNIX
Norton Utilities
File Viewing Utilities
Quick View Plus
Drag & View
Thumbs Plus
Forensic Analysis
Computer Forensics
• Lock the Disk
• Create an Image of the Disk(s)
• File System Authentication
• List Disk Directories and File Systems
• Locate Hidden or Obscured Data
• Cluster Analysis
File System Authentication
Integrity of data related to any seizure is essential.
Message Digest – One-way Hash Algorithm
• CRC32 (32 bits)
• MD5 (128 bits)
• SHA-1 (160 bits)
Create a message digest for system directories and files
File System Authentication (figure)
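An added example (not from the slides) of "create a message digest for system directories and files": a manifest of CRC32/MD5/SHA-1 digests for every file under a root, and a comparison that reports what was added, removed or modified since the baseline. The sample tree and its contents are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile
import zlib


def digests(path, block=65536):
    """CRC32, MD5 and SHA-1 of one file (the three algorithms named on the slide)."""
    crc, md5, sha1 = 0, hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return f"{crc & 0xFFFFFFFF:08x}", md5.hexdigest(), sha1.hexdigest()


def build_manifest(root):
    """Walk root and record digests of every regular file, keyed by its
    relative path (always '/'-separated so manifests compare across systems)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = digests(full)
    return manifest


def compare_manifests(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def demo():
    """Constructed demo: digest a small tree, change it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("bin/ls", b"\x7fELF-placeholder")
        write("tmp/note.txt", b"meeting at 10\n")
        baseline = build_manifest(root)
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        write("tmp/.hidden", b"stash")
        os.remove(os.path.join(root, "tmp", "note.txt"))
        return compare_manifests(baseline, build_manifest(root))
```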
List Directories and Files
Create Hierarchical Directory Listing (Tree)
Identify Suspect Files
Inventory All Files on the Disk
Search Communications Programs
Registry Files
Last Files Accessed
Document Association
Identify Suspect Files
File Name Search based on Case Characteristics
Key Word Search based on Case Characteristics
Modified File Extensions that Do Not Match the File Type
Hidden or Deleted Files
Hidden & Obscure Data
Hidden File Attributes
Hidden Directories
Temporary Directories
Deleted Files
Slack Space
Unallocated Space
Swap Space
Steganography
Steganography
The Art of Hiding Communications
While Encryption Conceals the Data, Steganography Denies the Data Exists
Files Can Be Hidden within an Image
Disguising Data as Innocent Text
S-Tools
Hides Data inside Images, Audio Files and Slack Space
Analysis Problems
Searching Access Controlled Systems
Virus Infection
Formatted Disk
Corrupted Disk
DiskWipe or Degaussed Media
Defragmented Disk
Cluster Boundaries
Evidence Eliminator
Evidence Protection
Transparent Static Shielding Bags
• Provide shielding from electrostatic discharge by safely enveloping static-sensitive devices in a humidity-independent Faraday cage. The nickel shielding layer creates a Faraday-type shield. Meets MIL-B-81705 and DoD-STD-1686A.
Foam-Filled Disk Transport Box
EMF Warning Labels
Evidence Protection (figure)
Network Forensics
Analyze Packet Traces
• Establish a Sequence of Events
• Goal is to Identify the Intruder
Tools
• Network Sniffer
• System Logs
• NTSC Adapter
Network Forensics
IP Spoofing
Hijacking
Password Attacks
• Social Engineering
• Cracking Passwords
• Sniffers
Distributed-Coordinated Attacks
Identity Concealed by Connection Laundering
Connection Laundering (figure)
E-mail Forensics
E-mail Usage in 2000
• 108 Million E-mail Subscribers
• 25.2 Billion Messages Daily
E-mail is an asynchronous communications mechanism that allows venting.
People have a tendency to include more in an e-mail message than they would say in person or over the phone.
E-mail Spoofing
E-mail Spoofing
Requires Only:
• Mail Relay Server
• Knowledge of Mail Commands
– telnet
– helo
– mail from: gwbush@whitehouse.com
– rcpt to: twelch@sendsecure.com
– Data
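An added example (not from the slides) on the examiner's side of the E-mail Forensics and E-mail Spoofing slides: parsing the Received: trail of a constructed message to recover the relay chain and the IP that actually handed the message in, and checking whether the envelope sender (Return-Path) agrees with the From: header. The message, host names (reserved .example TLD) and documentation-range IPs are all constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed raw message (not from the slides). The From: header claims one
# domain; the Received: trail, added hop by hop, shows where it really entered.
RAW_MESSAGE = """\
Return-Path: <bounce@open-relay.example>
Received: from mx.sendsecure.example (mx.sendsecure.example [192.0.2.10])
\tby mail.sendsecure.example with ESMTP id abc123;
\tTue, 14 Mar 2000 10:05:12 -0500
Received: from open-relay.example ([198.51.100.77])
\tby mx.sendsecure.example with SMTP id def456;
\tTue, 14 Mar 2000 10:05:09 -0500
Received: from whitehouse.example ([203.0.113.55])
\tby open-relay.example with SMTP;
\tTue, 14 Mar 2000 10:04:58 -0500
From: "The President" <president@whitehouse.example>
To: twelch@sendsecure.example
Date: Tue, 14 Mar 2000 10:04:50 -0500
Subject: Urgent request

Please call me back today.
"""

# Pulls the HELO name, the connecting IP and the receiving host out of one Received: header.
RECEIVED = re.compile(r"from\s+(?P<helo>\S+).*?\[(?P<ip>[\d.]+)\].*?by\s+(?P<by>\S+)", re.S)


def relay_chain(raw):
    """Hops oldest-first as (claimed HELO name, connecting IP, receiving host).
    Each relay prepends its own Received: line, so the last header is the origin."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED.search(hdr)
        if m:
            hops.append((m.group("helo"), m.group("ip"), m.group("by")))
    return hops


def sender_summary(raw):
    """What the examiner can say about the true source: the origin IP from the
    first hop, and whether the envelope sender (Return-Path) disagrees with From."""
    msg = email.message_from_string(raw)
    hops = relay_chain(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return {
        "from_domain": from_domain,
        "return_path_domain": return_domain,
        "origin_helo": hops[0][0] if hops else None,
        "origin_ip": hops[0][1] if hops else None,
        "hops": hops,
        "envelope_mismatch": from_domain != return_domain,
    }
```

The HELO name in the oldest hop is whatever the connecting client claimed; only the IP in brackets was observed by the relay, which is why the origin IP rather than the From: line is what identifies where the message was sent from.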
The Future of Forensics
Crimes and methods to hide crimes are becoming more sophisticated, thus investigators and analysts must become more technical
• Specialists are needed
• More training is needed in both the public and private sectors
Encryption will continue to be an issue, but only time will tell
The Future Forensics
Forensic Tools
• Must Become Automated
• Forensic Search Engines Must include Fuzzy Logic and
Intelligence to handle Cluster Boundaries
• UNIX Tools Must be Developed
• Better Network Analysis Tools need to be Developed
• Tools to Analyze Distributed Applications such as Java,
COM, and DCOM will need to be Developed.
Conclusions
Computer forensics is an integral function within incident response
Processes are the most important aspects of computer forensics
The future of cyber crime will lead to an increased need for computer forensic capabilities
Questions?
Objectives in this chapter
Physical Security
Forensics
Risk Identification
What do you do after a system has been penetrated?
Physical Security
Access Control: physical barriers, biometrics
Social Engineering
Environment: temperature, humidity, airflow, electrical interference, electrostatic discharge (ESD)
Wireless Cells, Location, Shielding (EMI, RFI), Fire Suppression
Physical Security
Shielding
• radio frequency interference (RFI)
• electromagnetic interference (EMI)
Fire Suppression
• Inergen (IG-541): nitrogen + argon + carbon dioxide
• Heptafluoropropane (HFC-227ea) (~FM-200)
• Trifluoromethane (FE-13)
• Carbon Dioxide Systems
Forensics
Computer forensics is the application of computer skills and investigation techniques for the purpose of acquiring evidence.
Forensics has 4 basic components: Collected, Examined, Preserved and Presented.
Forensics
Awareness
What Your Role Is: first responder, investigator, crime scene technician
Forensics
Chain of Custody
Preservation of Evidence
Collection of Evidence: SafeBack, EnCase, ProDiscover
Risk Identification
Hard Reality – Systems fail and can be breached
How much does it cost to build a wall of security?
Which failed services will cost the most in downtime?
How can you mitigate the loss of those services?
How can you quickly recover those failed services?
Risk Identification
Asset Identification
Risk assessment
Threat Identification
Vulnerabilities
Asset Identification
Identify physical and logical company resources
Assign hard dollar amounts to loss of those resources
Risk Assessment
Determine cost
ARO * SLE = ALE
ARO: Annualized Rate of Occurrence
SLE: Single Loss Expectancy
ALE: Annual Loss Expectancy
Determine cost of replacement and cost of outage
Identify likelihood of failure occurring
Identify how to avoid risk of loss
Identify how to respond to failure
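An added example (not from the slides) that carries the ARO * SLE = ALE formula through for a small constructed asset list and then uses the same formula to decide whether a control is worth its annual cost, the "how much does it cost to build a wall of security" question above. All dollar figures and rates are assumptions.

```python
# Constructed asset list (not from the slides): name, SLE in dollars, ARO per year.
ASSETS = [
    ("mail server outage", 12_000, 2.0),        # fails about twice a year
    ("file server disk failure", 30_000, 0.5),  # once every two years
    ("web site defacement", 8_000, 0.25),       # once every four years
]


def ale(sle, aro):
    """ALE = SLE x ARO, the slide's formula."""
    return sle * aro


def rank_by_ale(assets):
    """Assets ordered by annual expected loss, highest first."""
    return sorted(((name, ale(sle, aro)) for name, sle, aro in assets),
                  key=lambda item: item[1], reverse=True)


def control_net_benefit(sle, aro, annual_control_cost, new_sle=None, new_aro=None):
    """Annual saving a control produces minus what it costs. A control can lower
    how often the loss happens (ARO) or how much each loss costs (SLE); a positive
    result means the control pays for itself, a negative one means it does not."""
    new_sle = sle if new_sle is None else new_sle
    new_aro = aro if new_aro is None else new_aro
    return (ale(sle, aro) - ale(new_sle, new_aro)) - annual_control_cost


def demo():
    """Two candidate controls for the mail server (assumed figures)."""
    _name, sle, aro = ASSETS[0]
    # Redundant mail server: halves the ARO, costs $5,000 per year.
    redundancy = control_net_benefit(sle, aro, 5_000, new_aro=1.0)
    # Faster restore from backups: cuts the SLE to $4,000, costs $2,000 per year.
    backups = control_net_benefit(sle, aro, 2_000, new_sle=4_000)
    return rank_by_ale(ASSETS), {"redundancy": redundancy, "backups": backups}
```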
Threat Identification
Create a threat model that outlines possible security threats
A common security model is called STRIDE
– Spoofing
– Tampering
– Repudiation
– Information Disclosure
– Denial of Service
– Elevation of Privilege
Vulnerabilities
Use threat model to review network for possible threats
Determine how best to thwart those types of attacks
Create security guide