Incident Response: The First 10 Minutes
Matt Bing, Incident Response Coordinator, The University of Michigan

INFORMATION TECHNOLOGY SECURITY SERVICES

Who am I?
- 10+ years of experience in IT security
- 2 years at U-M
  - ITSS (IT Security Services)
  - Incident Response Coordinator
    - Ensure consistent handling of serious incidents University-wide
    - Expert advice: computer forensics, network and malware analysis
Please understand that, due to confidentiality, I will not be discussing real incidents.

Agenda
- What is an incident?
- Incident lifecycle
- First steps in incident handling
- Tools
- What you can do

What is an incident?
IT security incidents have three faces:
- Data: attempted or successful unauthorized access, use, disclosure, modification, or destruction of information
- Resources: interference with IT operations
- People: violation of explicit or implied policy
Impact: not all incidents are equal.

Goals of incident response
- Minimize the consequences of incidents
- Enable informed decisions to be made by the appropriate stakeholders
  - Not just an IT problem
- Understand the cause and effect of an incident
- Incorporate lessons learned
  - Processes and procedures
  - Countermeasures

Incident lifecycle
Phase 1 ("the first 10 minutes")
- Notification
- Initial assessment
- Escalation
- Containment
Phase 2
- Analysis
- Further action
- Lessons learned

First steps
Notification
- First signs of an incident
- IDS alert / abuse report / user notification
- The amount of information is typically low
Initial assessment
- What is the possible impact?
- How confident are you that this is an incident?
- Almost always requires further investigation

Risk of actions
Availability of data goes down as your understanding of an incident goes up:
- File system MAC (modified / accessed / changed-or-created) times are overwritten
- Logs are rotated
- Attackers cover their traces
- Examining a system changes it, possibly destroying valuable volatile data
  - Can that crucial deleted log entry sitting in slack space be overwritten?
Every action taken when examining an incident is a risk/benefit decision, and each step up the list is more intrusive than the last.

Risk of actions
Does pulling the network cable have no risk? Consider a dead-man's switch an attacker may have left running on the host (the ping target is not shown in the slide):

    while true; do ping -c 1 <host> || rm -rf /; sleep 30; done

Every 30 seconds it checks that it can still reach a host the attacker controls; the moment the box loses connectivity, because you unplugged it, the loop wipes the disk.
What about pulling the power cable?
- Lose ALL volatile information on the system
- Active processes, network connections
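The point of the two slides above is that the responder's own steps leave marks on the evidence. The following is an added example (written for this transcript, not code from the talk) of how to measure that footprint: snapshot the MAC times and sizes of every file under a directory, perform an examination step, snapshot again, and report what the step changed. The "system" is a constructed temporary directory; the file names, contents and the three examination steps are illustrative.

```python
"""Measure the forensic footprint of a responder's own action.

Added example, not from the original slides. Snapshot MAC times and sizes of
every file under a directory, perform an examination step, snapshot again and
report what that step changed. The 'system' under examination is a constructed
temporary directory; file names and contents are illustrative."""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileMeta:
    size: int
    mtime_ns: int  # M: last content modification
    atime_ns: int  # A: last access (read)
    ctime_ns: int  # C: last inode/metadata change (creation time on Windows)


def snapshot(root: str) -> Dict[str, FileMeta]:
    """Record MAC times and size for every regular file under root.
    lstat() is used so symlinks are not followed; following one would itself
    update the target's access time and pollute the evidence."""
    result: Dict[str, FileMeta] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                result[os.path.relpath(path, root)] = FileMeta(
                    st.st_size, st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns)
    return result


def diff_snapshots(before: Dict[str, FileMeta],
                   after: Dict[str, FileMeta]) -> Dict[str, List[str]]:
    """Return {relative path: [changed fields]} for files the action touched."""
    changes: Dict[str, List[str]] = {}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes[path] = ["created"]
        elif path not in after:
            changes[path] = ["deleted"]
        else:
            b, a = before[path], after[path]
            fields = [f for f in ("size", "mtime_ns", "atime_ns", "ctime_ns")
                      if getattr(b, f) != getattr(a, f)]
            if fields:
                changes[path] = fields
    return changes


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two files stand in for a host's log and service
    configuration. The responder then performs the kind of 'harmless' steps
    the slides warn about. Returns the footprint those steps left."""
    root = tempfile.mkdtemp(prefix="ir-footprint-")
    try:
        with open(os.path.join(root, "auth.log"), "w") as f:
            f.write("Jan  1 00:00:01 host sshd[1]: Accepted password for root\n")
        with open(os.path.join(root, "service.ini"), "w") as f:
            f.write("[svc]\nport=4444\n")
        before = snapshot(root)

        # Step 1: drop a tool binary onto the system (cf. copying TCPView to the host).
        with open(os.path.join(root, "tcpview.exe"), "wb") as f:
            f.write(b"MZ")  # placeholder bytes, not a real binary
        # Step 2: write a note into the log; size and mtime change, and the
        # original entries move one step closer to being rotated away.
        with open(os.path.join(root, "auth.log"), "a") as f:
            f.write("Jan  1 00:10:00 host responder: examined by IR\n")
        # Step 3: merely read the config. Whether atime moves depends on the
        # mount options (noatime/relatime), which is exactly why you measure.
        with open(os.path.join(root, "service.ini")) as f:
            f.read()

        return diff_snapshots(before, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, fields in demo().items():
        print(f"{path}: {', '.join(fields)}")
```

Run it once against a scratch copy of your own toolkit before an incident, not during one: the output tells you which of your "read-only" steps are not read-only on that platform. On Windows the same idea extends beyond file metadata to the Prefetch directory and the registry keys the later slides mention.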

Initial assessment
Scenario
- We receive an abuse report from Merit that a Windows XP machine on our network is generating a large amount of traffic. We don't know what could be causing this, but the machine might contain student SSNs.
- How do we determine with a high degree of confidence whether this machine is compromised?

Portscan
(The slides show screenshots of the scan output; they are not included in the transcript.)
Tools: Nmap, Netcat
Risks: depend entirely on the services probed; possibly modified MAC times on daemons, or generated log entries.

TCPView
(The slides show screenshots of TCPView output; they are not included in the transcript.)
Risks: we copied a binary to the system and executed it
- Can we trust the output if a rootkit is installed?
- Requires Administrator access: was a keystroke logger installed when we logged on?
- Modifies the registry if run from USB or CD-ROM
- The utility installs a new system device driver
- New entry in the Prefetch cache

Event Viewer
(The slide shows a screenshot of Event Viewer; it is not included in the transcript.)
Risks: modifies the access time on MMC.EXE and on the files containing the event logs, %windir%\SYSTEM32\config\*.evt

Virus scan
Identifies any potential malicious code on the system, but...
Risks: overwrites the access time on every file scanned
- High level of intrusiveness

What next?
Escalation
- Notify the appropriate business owners
- Devise a containment plan together
- Explain the risks
Containment
- Pull the network plug?
- Add a firewall rule or router filter?

After the first 10 minutes
Analysis
- What other information about the system do you have?
- Netflow, firewall, antivirus logs
- Analyze to determine root cause and effect
- Escalate to other stakeholders as necessary
Further action
- Notification to affected individuals?
- Involve law enforcement?
Lessons learned

Other tools
- EnCase
- Helix
- VMware
- IDA Pro

What you can do
- Develop a toolset
- Stay current in the security community
- Identify critical systems and the locations of sensitive data
- Know your business owners
- Introduce yourself to law enforcement

Questions / Comments
Thank you