Recognizing Attacks (presentation transcript)


Slide 1: Recognizing Attacks

Slide 2: Recognition Stances

Slide 3: Leading Questions
Is it a real break-in?
Was any damage really done?
Is protecting evidence important?
Is restoring normal operation quickly important?
Willing to chance modification of files?
Is no publicity important?
Can it happen again?

Slide 4: Document Actions
Start notebook
Collect printouts and backup media
Use scripts
Get legal assistance for evidence-gathering
PLAN AHEAD

Slide 5: Finding the Intruder
Finding changes
Receiving a message from another system administrator / net defender
Strange activities
User reports

Slide 6: Steps in Handling
1. Identify/understand the problem
2. Contain/stop the damage
3. Confirm diagnosis and determine damage
4. Restore system
5. Deal with the cause
6. Perform related recovery

Slide 7: Dealing with Intruder
Ignore intruder
– Dangerous
– Contrary to policy/law?
Communicate with intruder
– Dangerous
– Low return
Trace/identify intruder
– Watch for traps / assumptions
– Network and host options
– Phone logs
Break intruder’s connection
– Physically
– Logically (logout, kill processes, lock account)

Slide 8: Asking for Help
CERT, FIRST, law enforcement, etc.
Don’t use the infected system to ask for help
Avoid asking from systems connected to it

Slide 9: Finding Damage
What have affected accounts done lately?
– Missing log files?
– What has root done?
– What reboots have occurred?
– Unexplained error messages?
– Connections from/to unfamiliar sites?
– New hidden directories?
Integrity checkers
– Changed binaries?
– Changed configuration files?
– Changed library files?
– Changed boot files?
– Changed user files?
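As an added illustration of the integrity-checker idea on this slide and the setuid/setgid check on the next one (example code, not part of the original presentation), the following Python records a baseline of file hashes and permission bits, then compares a later scan against it to flag changed, added and removed files, setuid/setgid programs, and files inside hidden directories. The file tree and the simulated intruder changes are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to (sha256 of contents, permission bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = stat.S_IMODE(path.stat().st_mode)
            baseline[str(path.relative_to(root))] = (digest, mode)
    return baseline

def compare(baseline, current):
    """Report changed/added/removed files plus setuid/setgid and hidden-directory files."""
    findings = {"changed": [], "added": [], "setid": [], "hidden": []}
    for path, (digest, mode) in current.items():
        if path not in baseline:
            findings["added"].append(path)
        elif baseline[path] != (digest, mode):  # content or permission bits differ
            findings["changed"].append(path)
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings["setid"].append(path)
        if any(part.startswith(".") for part in Path(path).parts[:-1]):
            findings["hidden"].append(path)
    findings["removed"] = list(set(baseline) - set(current))
    return {key: sorted(value) for key, value in findings.items()}

def demo():
    """Constructed scenario: baseline a small tree, then simulate an intruder's changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot(root)
        (root / "bin" / "login").write_bytes(b"trojaned login binary")  # changed binary
        (root / "etc" / "passwd").unlink()  # missing file
        hidden = root / "tmp" / ".hidden"  # new hidden directory
        hidden.mkdir(parents=True)
        (hidden / "sh").write_bytes(b"#!/bin/sh\n")
        (hidden / "sh").chmod(0o4755)  # setuid program
        return compare(baseline, snapshot(root))
```

A real deployment would keep the baseline on read-only or offline media, since an intruder who can alter the baseline can hide every change from the comparison.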

Slide 10: Dealing with Damage
Delete unauthorized account(s)
Restore authorized access to affected account(s)
Restore file / device protections
Remove setuid/setgid programs
Remove unauthorized mail aliases
Remove added files / directories
Force new passwords

Slide 11: Resume Service
Patch and repair damage, enable further monitoring, resume
Quick scan and cleanup, resume
Call in law enforcement -- delay resumption
Do nothing -- use corrupted system

Slide 12: Dealing with Consequences
Was sensitive information disclosed?
Who do you need to notify formally?
Who do you need to notify informally?
What disciplinary action is needed?

Slide 13: Moving Forward
What vendor contacts do we need to make?
What other system administrators should be notified?
What updated employee training is needed?

Slide 14: Netwar
Individual: affect key decision-maker
– Ems telegram
– Gulf war marines
Corporate: affect environment of decision
– Zapatista peso collapse
– Vietnam protests
– Intifada / Cyber-Intifada?
Strategic: combination of all previous

Slide 15: Example: Zapatista Cyberstrike
Mid-1990s rebellion in Mexico
Military situation strongly favored Mexican Army
Agents of influence circulated rumors of peso instability
Peso crash forced government to negotiating table
Compounded by intrusions into Mexican logistics

Slide 16: Building Understanding
Internet Behavior
Intrusions/Responses
Threats/Counters
Vulnerabilities/Fixes
Operators/Groups
Victims
Stimuli/Motives
Opportunities

Slide 17: Analysis Process
Incident Information Flow
Identify Profiles and Categories
Isolate Variables
Identify Data Sources
Establish Relevancy
Identify Gaps

Slide 18: Limits of Analysis
Inherently partial data
Baseline in a dynamic environment
Correlation vs. causation
Implications
– Need to be cautious in kinds of conclusions
– Consider strategies for dealing with trends gone wrong

Slide 19: Physical and Cyber Attacks
Country in which there are precipitous cliffs with torrents running between, deep natural hollows, confined places, tangled thickets, quagmires and crevasses, should be left with all possible speed and not approached. - Sun Tzu

Slide 20: Underlying Principles
Separation of physical and cyber security is no longer possible
Physical events can have cyber consequences
Cyber events can have physical consequences
Understanding the cyber environment is now an essential element of developing and maintaining situational control
The nature of cyberspace means that the old “fortress” mentality is no longer viable

Slide 21: Security Policies
Does the organization have physical and cyber security policies?
Have they been reviewed with respect to each other?
Are the parties responsible for these policies in contact?
What are the enforcement methods?

Slide 22: Specific Policy Areas of Concern
Hiring and firing
Outsourcing contracts
Visitors
Customers/sponsors
Special events

Slide 23: Facility Controls
Are the physical security plans for the facility documented and tested?
To what degree is the physical security dependent on computers and information networks?
Policies and procedures for visitors?
Do new or renovated facilities have computer-controlled elevators, escalators, security systems, or fire doors?
Are these systems isolated, or are they connected via the Internet to an external security provider?

Slide 24: Physical Protection of Information Resources
How is physical access to remote nodes controlled?
What precautions are taken to minimize access to servers, cabling, routers, etc.?
What access controls are in place?
How are the access controls updated and managed?
How are system components physically safeguarded?
Are audit and monitoring records routinely examined for anomalies and necessary corrective actions? By whom?

Slide 25: Network Security
What does the network look like?
What is the connectivity between networks?
Can the network be accessed from the outside?
What encryption protocols (if any) are in use on the network?

Slide 26: Network Concerns
Is redundancy built into the network?
Are all necessary security patches in place?
How often are security patch requirements reviewed?
Are there external nodes on the network, and if so, are any of them wireless?
Is the network administered on-site or at a remote facility?

Slide 27: Information Protection of Physical Resources
What information regarding the facility is available on the network?
Is information about guests, employees, or critical functions available? (scheduling, credentialing, etc.)
What access controls are in place for this information? (technology, procedure)
Is sensitive or critical information protected by secure, offsite storage and backups?
Is the integrity of installed software and data verified regularly? How?
Are all changes to IT hardware and software planned, controlled, and documented?
Is unique user identification required for all information system users, including third-party users?

Slide 28: Example Impacts
Interruption of emergency services
– 911 service off line
– Disruption of hospital networks
– Potential loss of life
Interruption of power grid
– Disruption of services dependent on power (hospitals, hazardous material facilities, secure facilities)
– Traffic control in chaos
– Potential financial loss enormous

Slide 29: Cascade Impacts
Interruption of telecommunications
– Impact on all levels of communications
– Severe impact on financial services
– Loss of communications with public impacts confidence in government
– Potentially serious impact on military logistics (over 90 percent of all logistics over private infrastructure)
Interruption of transportation
– Disruption of commerce
– Foodstuffs and fuel deliveries interrupted
– Potential hazardous material compromises
– Direct impact on population

Slide 30: Summary
Incidents are not proof of bad administration
Lots of effort involved in handling incidents
Need proactive, strategic planning to reduce costs and improve handling

Slide 31: Closing Quote
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu