Presentation transcript:

Slide 1: Recognizing Attacks

Slide 2: Recognition Stances

Slide 3: Leading Questions
- Is it a real break-in?
- Was any damage really done?
- Is protecting evidence important?
- Is restoring normal operation quickly important?
- Willing to chance modification of files?
- Is no publicity important?
- Can it happen again?

Slide 4: Document Actions
- Start notebook
- Collect printouts and backup media
- Use scripts
- Get legal assistance for evidence-gathering
- PLAN AHEAD

Slide 5: Finding the Intruder
- Finding changes
- Receiving message from other system administrator / net defender
- Strange activities
- User reports

Slide 6: Steps in Handling
1. Identify/understand the problem
2. Contain/stop the damage
3. Confirm diagnosis and determine damage
4. Restore system
5. Deal with the cause
6. Perform related recovery

Slide 7: Dealing with Intruder
- Ignore intruder
  – Dangerous
  – Contrary to policy/law?
- Communicate with intruder
  – Dangerous
  – Low return
- Trace/identify intruder
  – Watch for traps / assumptions
  – Network and host options
  – Phone logs
- Break intruder's connection
  – Physically
  – Logically (logout, kill processes, lock account)

Slide 8: Asking for Help
- CERT, FIRST, law enforcement, etc.
- Don't use infected system
- Avoid using from connected systems

Slide 9: Finding Damage
- What have affected accounts done lately?
  – Missing log files?
  – What has root done?
  – What reboots have occurred?
  – Unexplained error messages?
  – Connections from/to unfamiliar sites?
  – New hidden directories?
- Integrity checkers
  – Changed binaries?
  – Changed configuration files?
  – Changed library files?
  – Changed boot files?
  – Changed user files?
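A minimal integrity checker of the kind slide 9 refers to, added here as an example (it is not from the slides and is not any particular tool): it baselines content hashes and permission bits, then reports changed binaries or configuration files, loosened protections, missing files and planted ones. The directory layout, file names and contents are constructed in a temporary directory.

```python
import hashlib
import shutil
import stat
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Hash the content and record the metadata an intruder typically alters."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "setuid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
            "size": st.st_size}

def snapshot(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report changed entries (with the fields that differ), missing and added files."""
    report = {"changed": {}, "missing": [], "added": sorted(set(current) - set(baseline))}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["missing"].append(name)
        elif diff := [k for k in old if old[k] != new[k]]:
            report["changed"][name] = diff
    return report

def demo() -> dict:
    """Constructed scenario in a temp dir: a replaced binary, a loosened
    protection, a removed config file and a planted file."""
    root = Path(tempfile.mkdtemp())
    try:
        for rel, data in {"bin/ls": b"ELF original",
                          "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                          "etc/hosts": b"127.0.0.1 localhost\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
            (root / rel).chmod(0o644)
        baseline = snapshot(root)
        (root / "bin/ls").write_bytes(b"ELF trojaned")  # same size, new content
        (root / "etc/passwd").chmod(0o666)               # protection loosened
        (root / "etc/hosts").unlink()                    # config file removed
        (root / "usr/local/bin").mkdir(parents=True)
        (root / "usr/local/bin/unknown").write_bytes(b"planted")
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)
```

A real deployment keeps the baseline off the monitored host (slide 8's point about not trusting the infected system applies to the checker's own database).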

Slide 10: Dealing with Damage
- Delete unauthorized account(s)
- Restore authorized access to affected account(s)
- Restore file / device protections
- Remove setuid/setgid programs
- Remove unauthorized mail aliases
- Remove added files / directories
- Force new passwords

Slide 11: Resume Service
- Patch and repair damage, enable further monitoring, resume
- Quick scan and cleanup, resume
- Call in law enforcement -- delay resumption
- Do nothing -- use corrupted system

Slide 12: Dealing with Consequences
- Was sensitive information disclosed?
- Who do you need to notify formally?
- Who do you need to notify informally?
- What disciplinary action is needed?

Slide 13: Moving Forward
- What vendor contacts do we need to make?
- What other system administrators should be notified?
- What updated employee training is needed?

Slide 14: Netwar
- Individual: affect key decision-maker
  – Ems telegram
  – Gulf War marines
- Corporate: affect environment of decision
  – Zapatista peso collapse
  – Vietnam protests
  – Intifada / Cyber-Intifada?
- Strategic combination of all previous

Slide 15: Example: Zapatista Cyberstrike
- Mid-1990s rebellion in Mexico
- Military situation strongly favored Mexican Army
- Agents of influence circulated rumors of peso instability
- Peso crash forced government to negotiating table
- Compounded by intrusions into Mexican logistics

Slide 16: Building Understanding
- Internet Behavior
- Intrusions/Responses
- Threats/Counters
- Vulnerabilities/Fixes
- Operators/Groups
- Victims
- Stimuli/Motives
- Opportunities

Slide 17: Analysis Process
- Incident Information Flow
- Identify Profiles and Categories
- Isolate Variables
- Identify Data Sources
- Establish Relevancy
- Identify Gaps

Slide 18: One Effort – Looking Inside the Noise
- Network Activity Example
- Overall Activity: Several Gbytes/day
- Noise - Below the Radar

Slide 19: Low-Packet Filtering
- It's hard to use TCP without generating a lot of packets
  – Negotiation, transmission, configuration, error checking
- Few legitimate low-packet sessions possible
  – Mostly web access

Slide 20: Low-Packet Traffic

Slide 21: Flow Based Detection
- Scans and Probes
- Distributed Tools
- Worm/Virus Propagation
- ???
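Slides 19 and 21 together describe the technique; as an added example (not from the slides), the Python below applies the low-packet filter to constructed NetFlow-style records and then looks at fan-out per source to separate scans and probes from the short web sessions slide 19 expects. The addresses, packet counts and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int
    octets: int

# Constructed records: a browsing client, one long SSH session, one host
# sweeping port 445 across a subnet, and one host probing many ports on a server.
FLOWS = (
    [Flow("10.0.0.5", "93.184.216.34", 443, 2, 120),       # short web session
     Flow("10.0.0.5", "93.184.216.34", 80, 18, 9400),
     Flow("10.0.0.7", "10.0.0.1", 22, 312, 48000)]
    + [Flow("10.0.0.9", f"10.0.0.{i}", 445, 1, 60) for i in range(20, 36)]
    + [Flow("10.0.0.11", "10.0.0.2", p, 2, 120)
       for p in (21, 22, 23, 25, 80, 110, 139, 443, 3306, 3389)]
)

LOW_PACKET_MAX = 3   # handshake + data + teardown of a real TCP session exceeds this
FANOUT_MIN = 8       # assumed threshold; tune to the network's own baseline
WEB_PORTS = {80, 443}

def low_packet_flows(flows):
    """Slide 19's filter: keep only sessions that exchanged very few packets."""
    return [f for f in flows if f.packets <= LOW_PACKET_MAX]

def classify_sources(flows):
    """Attribute each source's low-packet traffic: horizontal scan (one port,
    many hosts), vertical probe (one host, many ports), expected web, or other."""
    by_src = defaultdict(list)
    for f in low_packet_flows(flows):
        by_src[f.src].append(f)
    verdicts = {}
    for src, recs in by_src.items():
        hosts = {f.dst for f in recs}
        ports = {f.dport for f in recs}
        if len(hosts) >= FANOUT_MIN and len(ports) == 1:
            verdicts[src] = f"horizontal scan of port {ports.pop()} across {len(hosts)} hosts"
        elif len(ports) >= FANOUT_MIN and len(hosts) == 1:
            verdicts[src] = f"vertical probe of {hosts.pop()} on {len(ports)} ports"
        elif ports <= WEB_PORTS:
            verdicts[src] = "web"           # the legitimate low-packet case
        else:
            verdicts[src] = "unexplained"   # candidate for manual inspection
    return verdicts
```

The full SSH session never enters the low-packet set, which is the point of the filter: most of the day's gigabytes are discarded before any per-source analysis.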

Slide 22: Challenges to Analysis
- Gathering sufficient datasets to make statistically valid judgments
- Developing automated technical analysis tools
- Developing a reliable methodology for cyber-analysis
- Overcoming organizational bias against sharing information

Slide 23: Limits of Analysis
- Inherently partial data
- Baseline in dynamic environment
- Correlation vs. causation
- Implications
  – Need to be cautious in kinds of conclusions
  – Consider strategies for dealing with trends gone wrong

Slide 24: Summary
- Incidents are not proof of bad administration
- Lots of effort involved in handling incidents
- Need proactive, strategic planning to reduce costs, improve handling