Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lesson 6 Basics of Incident Response. UTSA IS 6353 Security Incident Response Overview Hacker Lexicon Incident Response.

Published byCharles Fletcher Modified over 9 years ago

Similar presentations

Presentation on theme: "Lesson 6 Basics of Incident Response. UTSA IS 6353 Security Incident Response Overview Hacker Lexicon Incident Response."— Presentation transcript:

1 Lesson 6 Basics of Incident Response

2 UTSA IS 6353 Security Incident Response Overview Hacker Lexicon Incident Response

3 UTSA IS 6353 Security Incident Response Hacker Lexicon Rootkit - a collection of tools an intruder loads onto a compromised computer Usually Consists of: –trojanized utilities –network sniffers –log-cleaning scripts

4 UTSA IS 6353 Security Incident Response Root Kits Three primary types: –traditional –loadable kernel modules (LKMs) for Unix/Linux –kernel -level rootkit for Windows Hundreds of Root-kits in existence –Hackers sites contain “click and choose smorgasbord” (KNOW THY ENEMY)

5 UTSA IS 6353 Security Incident Response Basic RootKit Functionality Maintain Access Attack other Systems Destroy Evidence

6 UTSA IS 6353 Security Incident Response Traditional Rootkit Tools Backdoors - programs that listen on TCP/UDP ports that allow intruder stealthy access Log wipers - utility which erases log files to hide signs of intruders presence Packet sniffers - software designed to monitor network traffic to capture packets of interest Internet Relay Chat (IRC) utilities for comms DDOS agents - S/W that sends UDP/ICMP floods

7 UTSA IS 6353 Security Incident Response LKM Rootkits Most rootkits used against Unix/Linux systems are Loadable Kernel Modules (LKMs) Kernel is transparently modified: –Execute Redirection: remaps system utility calls –Remote execution: commands transmitted via the net –Promiscuous mode hiding: hides sniffers –Task hacking: changing the user id (UID), effective user id (EUID), and file system user id (FSUID) of any process

8 UTSA IS 6353 Security Incident Response LKM Rootkits Kernel is transparently modified (contd): –Real-time process hiding -sending the following: “kill -31 process id” allows kernel to suppress all info about the given process –Kernel Module Hiding: LKMs can actually mask their own presence (stealthy LKMs)

9 UTSA IS 6353 Security Incident Response WINDOWS Rootkits Contains: – Kernel Mode Device Driver: “_root_.sys” –Launcher program: “deploy.exe” Capabilities: –Back doors –Hide files: files with _root_ will be hidden from “dir” –Hide processes and registry entries –Keystroke Intercept

10 UTSA IS 6353 Security Incident Response Incident Response Overview Goals Methodology Preparation Detection Initial Response Strategy Formulation Investigation Monitoring Recovery Reporting

11 UTSA IS 6353 Security Incident Response What is an Incident? Incident - an event in an information system/network Time based security: Protection time >> detection time + reaction time Some say its all about vulnerability management

12 UTSA IS 6353 Security Incident Response SANS/FBI Top 20 List 20 MOST CRITICAL INTERNET VULNERABILITIES UP TO 800 POSSIBLE SANS Institute 20 Most Critical Internet Security Vulnerabilities

13 UTSA IS 6353 Security Incident Response General Vulnerabilities 1. Default installs of OSs and applications 2. Weak or non-existent passwords 3. Incomplete or non-existent backups 4. Large number of open ports 5. Lack of packet filtering 6. Incomplete or non-existent logging 7. Vulnerable CGI programs Source: The SANS Institute

14 UTSA IS 6353 Security Incident Response Windows Vulnerabilities 8. Unicode Vulnerability 9. ISAPI Extension Buffer Overflows 10. MS Remote Data Services Exploit 11. NETBIOS – Unprotected Windows Networking Shares 12. Leakage via Null Session Connections 13. Weak Hashing in SAM (Lan Manager Hash) Source: The SANS Institute

15 UTSA IS 6353 Security Incident Response Unix Vulnerabilities 14. Buffer Overflows in Remote Procedure Call Services 15. Sendmail Vulnerabilities 16. Bind Weaknesses 17. R Commands 18. LPD – Remote Print Protocol Daemon 19. Sadmind and Mountd 20. Default SNMP Strings Source: The SANS Institute

16 UTSA IS 6353 Security Incident Response Home User Guidelines Use strong passwords (alpha-numeric, over 8 characters) Make regular backups of critical data Use virus protection software Use a firewall as a gatekeeper between your computer and the Internet Do not leave computers online Do not open attachments from strangers Source: FBI

17 UTSA IS 6353 Security Incident Response The Worst Can Happen "Don't look at the past and assume that's the future. Look at the enemy's strengths and your vulnerability. You've got to realize that the worst case does sometimes happen." -Richard Clarke Special Advisor for Cybersecurity

18 UTSA IS 6353 Security Incident Response Goals of Incident Response Confirm or dispel incident Promote accurate info accumulation Establish controls for evidence Protects privacy rights Minimize disruption to operations Allow for legal/civil recriminations Provide accurate reports/recommendations

19 UTSA IS 6353 Security Incident Response Incident Response Methodology Pre-incident preparation Detection Initial Response Strategy formulation Duplication Investigation Security measure implementation Network monitoring Recovery Reporting Follow-up

20 UTSA IS 6353 Security Incident Response 7 Components of Incident Response Pre-Incident Preparation Detection of Incidents Initial Response Formulate Response Strategy Data Collection Data Analysis Reporting Investigate the Incident Resolution Recovery Implement Security Measures Page 15, Fig 2-1, Mandia 2nd Edition

21 UTSA IS 6353 Security Incident Response Detection Firewall Logs IDS Logs Suspicious User Sys Admin DETECTDETECT Notification Checklist Completed Response Team Activated

22 UTSA IS 6353 Security Incident Response Initial Critical Details Current time and date Who/what is reporting the incident Nature of the incident When the incident occurred Hardware/software involved Point of contact for involved personnel

23 UTSA IS 6353 Security Incident Response INITIAL RESPONSE Details from notification checklist Prepared response team I R N E I S T P I O A N L S E Verified information about the incident Success Failure How much info is enough?

24 UTSA IS 6353 Security Incident Response Response Strategy Formulation Formulate Response Strategy Mgt Approved Action Plan Verified information about the incident Response Posture Goal: determine most appropriate response strategy

25 UTSA IS 6353 Security Incident Response Factors for Strategy How critical are the impacted systems? Data sensitivity Who are the perpetrators? Does the incident have publicity Level of access to the hacker Apparent skill of the attacker How much downtime can be tolerated Overall dollar loss involved

26 UTSA IS 6353 Security Incident Response Common Incidents Denial of Service Attack Unauthorized Use Vandalism Information Theft Computer Intrusion Type of incident + response likely outcome Management Support network downtime user downtime legal liability publcity theft of intellectual property

27 UTSA IS 6353 Security Incident Response Investigation Stage Live System Network Logs Forensic Duplicate Investigation Investigative Report

28 UTSA IS 6353 Security Incident Response Security Measure Implementation Stage Verified Info Network Logs Response Posture Implementing Security Remedies Monitor Isolate and Contain Prevent Same Exposure! Fishbowling the attacker

29 UTSA IS 6353 Security Incident Response Recovery/Reporting Process Conclusions Successful containment Recovery backups hardening user education COOP Report Support Criminal Actions Lessons Learned Prevent Repeats

30 UTSA IS 6353 Security Incident Response What Will You Do? We Need a Initial Response that: –Supports the Goals of Computer Security –Supports the Business Practices –Supports Administrative and Legal Policy –Is Forensically Sound –Is Simple and Efficient (KISS) –Provides an Accurate Snapshot for Decision Makers –Supports Civil, Administrative, or Criminal Action.

31 UTSA IS 6353 Security Incident Response Common Mistakes Failure to Document Findings Appropriately. Failure to Notify or Provide Accurate Information to Decision Makers. Failure to Record and Control Access to Digital Evidence. Wait Too Long Before Reporting. Underestimating the Scope of Evidence that may be found.

32 UTSA IS 6353 Security Incident Response Common Mistakes Technical Blunders: –Altering Time/Date Stamps on Evidence Systems –“Killing” Rogue Processes –Patching the System –Not Recording the Steps Taken on the System –Not Acting Passively

Download ppt "Lesson 6 Basics of Incident Response. UTSA IS 6353 Security Incident Response Overview Hacker Lexicon Incident Response."

Similar presentations

COEN 250 Computer Forensics Unix System Life Response.

COEN 250 Computer Forensics Unix System Life Response.
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
SECAM Systems Product Presentation SECAM Systems © 2010.

SECAM Systems Product Presentation SECAM Systems © 2010.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Incidence Response & Computer Forensics, Second Edition Chris Prosise Kevin Mandia.

Incidence Response & Computer Forensics, Second Edition Chris Prosise Kevin Mandia.
Information Security Policies and Standards

Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Handling Security Incidents

Handling Security Incidents
Incidence Response & Computer Forensics, Second Edition

Incidence Response & Computer Forensics, Second Edition
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Network security policy: best practices

Network security policy: best practices

Similar presentations

Ads by Google