Lesson 11 Basics of Incident Response
UTSA IS 3523 ID and Incident Response
Overview
- Hacker Lexicon
- Incident Response Process
Hacker Lexicon
Rootkit: a collection of tools an intruder loads onto a compromised computer. Usually consists of:
- trojanized utilities
- network sniffers
- log-cleaning scripts
Rootkits
Three primary types:
- traditional (replaced user-space utilities and helper programs)
- loadable kernel modules (LKMs) for Unix/Linux
- kernel-level rootkits for Windows NT/2000
Hundreds of rootkits are in existence; hacker sites offer a "click and choose smorgasbord" (know thy enemy).
Traditional Unix/Linux Rootkits
- Backdoors: programs that listen on TCP/UDP ports and give the intruder stealthy access
- Log wipers: utilities that erase log files to hide signs of the intruder's presence
- Packet sniffers: software that monitors network traffic to capture packets of interest
- Internet Relay Chat (IRC) utilities for communications
- DDoS agents: software that sends UDP/ICMP floods
LKM Rootkits
Most rootkits used against Unix/Linux systems are Loadable Kernel Modules (LKMs). The kernel is transparently modified:
- Execute redirection: remaps system utility calls
- Remote execution: commands transmitted via the network
- Promiscuous-mode hiding: hides sniffers
- Task hacking: changing the user id (UID), effective user id (EUID), and file system user id (FSUID) of any process
LKM Rootkits (continued)
Kernel is transparently modified (contd):
- Real-time process hiding: sending "kill -31 <process id>" makes the kernel suppress all information about the given process
- Kernel module hiding: LKMs can mask their own presence (stealthy LKMs)
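The process-hiding trick above works by filtering what the /proc directory listing returns, so ps, top and ls /proc all miss the task. The kernel still has the task, though, so a different path to it (kill with signal 0, which delivers nothing and only asks whether the PID exists) still finds it unless the rootkit hooks kill() as well. The following is an added example, not code from the slides or from any rootkit or detector named here, of that cross-check in the style of the "brute" technique used by tools such as unhide. It assumes a Linux host with /proc mounted; the constructed PID sets in the test and the function names are the author's own.

```python
import os


def listed_pids(proc_root="/proc"):
    """PIDs that the directory listing of /proc admits to.
    A process-hiding LKM typically filters this listing, so every tool
    that walks /proc agrees with every other tool and all miss the task."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(max_pid, min_pid=1):
    """PIDs in [min_pid, max_pid] that answer a signal-0 probe.
    kill(pid, 0) sends nothing; it only asks the kernel whether the PID
    exists, so a task hidden from /proc still shows up here unless the
    rootkit also hooks kill()."""
    found = set()
    for pid in range(min_pid, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # ESRCH: no such process
        except PermissionError:
            pass                # EPERM: exists, owned by someone else
        found.add(pid)
    return found


def hidden_pids(listed, *probes):
    """PIDs present in every probe but absent from the /proc listing.
    Probing once before and once after the listing, and reporting only PIDs
    seen in both probes, filters out processes that merely started or
    exited while the scan was running."""
    stable = set.intersection(*probes)
    return sorted(stable - listed)


def is_thread(pid, proc_root="/proc"):
    """True when pid is a non-leader thread. Threads are never listed by a
    readdir of /proc yet do answer kill(), so without this filter every
    multithreaded process would be reported as hiding something."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False            # no status entry at all: worth reporting
    return False


def scan(proc_root="/proc"):
    """Full check on a live Linux host. Walking pid_max (often 4194304)
    takes a few seconds in Python; anything returned deserves a closer look."""
    with open(os.path.join(proc_root, "sys/kernel/pid_max")) as f:
        max_pid = int(f.read())
    before = probed_pids(max_pid)
    listed = listed_pids(proc_root)
    after = probed_pids(max_pid)
    return [pid for pid in hidden_pids(listed, before, after)
            if not is_thread(pid, proc_root)]


def self_check():
    """Sanity check that the probe sees the calling process itself."""
    me = os.getpid()
    return me in probed_pids(me, min_pid=me)


if __name__ == "__main__":
    print("hidden PIDs:", scan())
```

Run it as root so that PermissionError never masks anything, and treat the result as a lead rather than proof: a rootkit that hooks kill() or the task lookup behind it defeats this check, which is why the first-principles answer on the Investigation slide is a forensic duplicate examined from a clean system.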
Windows NT/2000 Rootkits
Contains:
- Kernel-mode device driver: "_root_.sys"
- Launcher program: "deploy.exe"
Capabilities:
- Back doors
- Hide files: files whose names contain "_root_" are hidden from "dir"
- Hide processes and registry entries
- Keystroke intercept
Incident Response Overview
- Goals
- Methodology
  - Preparation
  - Detection
  - Initial Response
  - Strategy Formulation
  - Investigation
  - Monitoring
  - Recovery
  - Reporting
What is an Incident?
Incident: an event in an information system or network; in Mandia's usage, any unlawful, unauthorized, or unacceptable action that involves a computer system or network.
Time-based security (Schwartau): Protection time > Detection time + Reaction time. If an attack cannot be detected and reacted to before the protection is defeated, the protection is not effective.
Some argue it is all about vulnerability management.
General Vulnerabilities
1. Default installs of operating systems and applications
2. Weak or non-existent passwords
3. Incomplete or non-existent backups
4. Large number of open ports
5. Lack of packet filtering for correct addresses
6. Incomplete or non-existent logging
7. Vulnerable CGI programs (Common Gateway Interface; sample programs installed by default)
Source: The SANS Institute
Windows Vulnerabilities
8. Unicode vulnerability
9. ISAPI extension buffer overflows
10. MS Remote Data Services exploit
11. NetBIOS: unprotected Windows networking shares
12. Leakage via null session connections
13. Weak hashing in the SAM (LAN Manager hash)
Source: The SANS Institute
Unix Vulnerabilities
14. Buffer overflows in Remote Procedure Call services
15. Sendmail vulnerabilities
16. BIND weaknesses
17. R commands
18. LPD (remote print protocol daemon)
19. sadmind and mountd
20. Default SNMP community strings
Source: The SANS Institute
Home User Guidelines
- Use strong passwords (alphanumeric, over 8 characters). Give different passwords to all accounts and change passwords on a regular basis.
- Make regular backups of critical data. Backups must be made at least once each day; larger organizations should perform a full backup weekly and incremental backups every day. At least once a month the backup media should be verified.
- Use virus protection software. That means three things: have it on your computer in the first place, check regularly for new virus signature updates, and actually scan all the files on your computer periodically.
- Use a firewall as a gatekeeper between your computer and the Internet. Firewalls are essential for those who keep their computers online through DSL and cable modem connections, but they are also valuable for those who still dial in.
- Do not keep computers online when not in use: either shut them off or physically disconnect them from the Internet connection.
- Do not open attachments from strangers, regardless of how enticing the subject line or attachment may be. Be suspicious of unexpected attachments from people you do know; they may have been sent without that person's knowledge from an infected machine.
- Regularly download security patches from your software vendors.
Source: FBI
The Worst Can Happen
"Don't look at the past and assume that's the future. Look at the enemy's strengths and your vulnerability. You've got to realize that the worst case does sometimes happen." - Richard Clarke, Special Advisor for Cybersecurity
But even if you're not part of the critical infrastructure, and thus a likely target for terrorism, there are still reasons you should care deeply about information security.
Goals of Incident Response
- Confirm or dispel that an incident occurred
- Promote accurate accumulation of information
- Establish controls for the proper handling of evidence
- Protect privacy rights
- Minimize disruption to operations
- Allow for criminal or civil action against the perpetrators
- Provide accurate reports and recommendations
Incident Response Methodology
- Pre-incident preparation
- Detection
- Initial response
- Strategy formulation
- Duplication
- Investigation
- Security measure implementation
- Network monitoring
- Recovery
- Reporting
- Follow-up
See page 18, Fig 2-1
7 Components of Incident Response
1. Pre-Incident Preparation
2. Detection of Incidents
3. Initial Response
4. Formulate Response Strategy
5. Investigate the Incident: Data Collection, Data Analysis
6. Reporting
7. Resolution: Recovery, Implement Security Measures
Page 15, Fig 2-1, Mandia 2nd Edition
Detection
[Flow diagram] Inputs to Detection: firewall logs, IDS logs, a suspicious user, the system administrator. Outputs: response team activated; notification checklist completed.
Initial Critical Details
- Current time and date
- Who/what is reporting the incident
- Nature of the incident
- When the incident occurred
- Hardware/software involved
- Point of contact for involved personnel
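The Detection slide feeds firewall logs into the response team, and the checklist above is what the team needs from that feed on first contact. As an added example that is not part of the original lecture, here is one detection rule run over constructed netfilter-style LOG lines (made-up addresses in documentation ranges, not real traffic): a single source hitting many distinct destination ports on one host is flagged as a possible port scan, and the alert is turned into a record carrying the initial critical details in the order the slide lists them. The log format, the threshold and the function names are the author's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the netfilter LOG line style; the traffic is invented.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Mar  3 10:15:01 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Mar  3 10:15:02 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Mar  3 10:15:02 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Mar  3 10:15:02 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
Mar  3 10:15:03 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80
Mar  3 10:15:03 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443
Mar  3 10:15:04 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
garbage line that does not parse
"""

STAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: \[(\S+)\]")
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return the fields we key on, or None for lines that are not firewall records."""
    m = STAMP.match(line)
    if not m:
        return None
    fields = dict(FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "DPT")):
        return None
    return {"stamp": m.group(1), "host": m.group(2), "tag": m.group(3),
            "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields.get("PROTO", "?"), "dpt": int(fields["DPT"])}


def detect_port_scan(lines, threshold=5):
    """Flag each (source, destination) pair that touched >= threshold distinct ports.
    Distinct ports, not packet count, is what separates a scan from a busy client."""
    ports = defaultdict(set)   # (src, dst) -> destination ports seen
    first, last = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        ports[key].add(rec["dpt"])
        first.setdefault(key, rec["stamp"])
        last[key] = rec["stamp"]
    return [{"src": src, "dst": dst, "ports": sorted(seen),
             "first_seen": first[(src, dst)], "last_seen": last[(src, dst)]}
            for (src, dst), seen in ports.items() if len(seen) >= threshold]


def notification_record(alert, reporter, contact, now=None):
    """The initial critical details for the response team, in the slide's order.
    `now` is the responder's clock; the firewall's own stamps are kept separately
    because the two clocks are rarely in sync."""
    now = now or datetime.now(timezone.utc)
    return {
        "reported_at": now.isoformat(),
        "reported_by": reporter,
        "nature": (f"Possible port scan: {alert['src']} probed "
                   f"{len(alert['ports'])} ports on {alert['dst']}"),
        "occurred": f"{alert['first_seen']} to {alert['last_seen']} (firewall clock)",
        "systems_involved": [alert["dst"], "firewall"],
        "point_of_contact": contact,
    }


if __name__ == "__main__":
    for alert in detect_port_scan(SAMPLE_LOG.splitlines()):
        print(notification_record(alert, "fw-monitor", "on-call responder"))
```

The record deliberately keeps the firewall's timestamps and the responder's own clock apart; reconciling clock skew later is far easier than untangling a single merged time field.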
Initial Response
[Flow diagram] Input: details from the notification checklist. Outputs on success: verified information about the incident; a prepared response team. Key question: how much information is enough? The alternative outcome is failure.
Response Strategy Formulation
[Flow diagram] Input: verified information about the incident. Step: formulate response strategy. Outputs: management-approved action plan; response posture.
Goal: determine the most appropriate response strategy.
Factors for Strategy
- How critical are the impacted systems?
- Data sensitivity
- Who are the perpetrators?
- Does the incident have publicity?
- Level of access the attacker obtained
- Apparent skill of the attacker
- How much downtime can be tolerated?
- Overall dollar loss involved
Common Incidents
- Denial of service attack
- Unauthorized use
- Vandalism
- Information theft
- Computer intrusion
Management support depends on the stakes: network downtime, user downtime, legal liability, publicity, theft of intellectual property.
Type of incident + response determines the likely outcome.
Investigation Stage
[Flow diagram] Inputs: live system investigation, network logs, forensic duplicate. Output: investigative report.
Security Measure Implementation Stage
[Flow diagram] Inputs: verified information, response posture. Steps: isolate and contain; implement security remedies; monitor network logs. Prevent the same exposure!
"Fishbowling" the attacker: keeping the intruder inside a contained, closely monitored environment so that his actions can be observed without further damage.
Recovery/Reporting Process
[Flow diagram] Recovery: backups, hardening, user education, COOP (continuity of operations). Report: conclusions, support for criminal actions, lessons learned, prevent repeats. End state: successful containment.
What Will You Do?
We need an initial response that:
- Supports the goals of computer security
- Supports the business practices
- Supports administrative and legal policy
- Is forensically sound
- Is simple and efficient (KISS)
- Provides an accurate snapshot for decision makers
- Supports civil, administrative, or criminal action
Common Mistakes
- Failure to document findings appropriately
- Failure to notify, or to provide accurate information to, decision makers
- Failure to record and control access to digital evidence
- Waiting too long before reporting
- Underestimating the scope of evidence that may be found
Common Mistakes (continued)
Technical blunders:
- Altering time/date stamps on evidence systems
- "Killing" rogue processes
- Patching the system
- Not recording the steps taken on the system
- Not acting passively
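The Investigation slide lists the forensic duplicate as an input, and the two Common Mistakes slides list the ways it gets spoiled: evidence touched without a record, time stamps altered, steps not written down. The following is an added example, not code from the slides or from Mandia, of the discipline that ties those together: image the source byte for byte while hashing the stream, record the hash on acquisition, make the duplicate read-only, and re-verify before and after every handling step in an append-only custody log. It runs entirely on a constructed stand-in for a disk in a temporary directory; the file names, the log layout and the function names are the author's assumptions, and `demo()` deliberately includes the mistake (writing to the duplicate instead of a working copy) to show the verification catching it.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # 1 MiB pieces, so a real image never has to fit in memory


def acquire_image(source_path, image_path):
    """Byte-for-byte copy of the source, hashing the stream in the same pass.
    Returns the SHA-256 of the bytes written; that value goes on the evidence tag."""
    digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            digest.update(block)
            dst.write(block)
    os.chmod(image_path, 0o444)   # the duplicate is never modified; analysis uses copies
    return digest.hexdigest()


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(image_path, expected_digest):
    """Recompute the hash and compare; the only proof the duplicate is still what was acquired."""
    return sha256_file(image_path) == expected_digest


class CustodyLog:
    """Append-only record of who did what to which item, when, and the hash at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, action, item, handler, digest, when=None):
        when = when or datetime.now(timezone.utc)   # responder's clock, in UTC
        self.entries.append({"time": when.isoformat(), "action": action,
                             "item": item, "handler": handler, "sha256": digest})

    def dump(self):
        return json.dumps(self.entries, indent=2)


def demo():
    """Acquire, verify, mishandle, re-verify; returns what each step established."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "victim-disk.bin")
        image = os.path.join(work, "victim-disk.dd")
        data = b"MBR" + bytes(range(256)) * 64       # constructed stand-in, not a real disk
        with open(source, "wb") as f:
            f.write(data)

        log = CustodyLog()
        digest = acquire_image(source, image)
        log.record("acquired", "victim-disk.dd", "analyst-1", digest)
        results["digest_matches_source"] = digest == hashlib.sha256(data).hexdigest()
        results["verified_after_acquire"] = verify_image(image, digest)
        log.record("verified", "victim-disk.dd", "analyst-1", digest)

        # The blunder: someone writes to the duplicate instead of to a working copy.
        os.chmod(image, 0o644)
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"XXX")
        tampered_digest = sha256_file(image)
        results["tamper_detected"] = not verify_image(image, digest)
        log.record("re-verify FAILED", "victim-disk.dd", "analyst-2", tampered_digest)

        results["log_entries"] = len(log.entries)
        results["log_json"] = log.dump()
    return results


if __name__ == "__main__":
    print(demo()["log_json"])
```

Hashing in the same pass as the copy is what `dd` piped through `sha256sum` gives you on the command line; doing it in one pass matters because reading the source twice is a second chance to disturb it, and the read-only bit on the duplicate is a cheap guard against exactly the mistake the demo simulates.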
Summary
- It is important to understand the hacker lexicon.
- The IR process is based on real experiences, but must be tailored in execution.