Incident Handling
(c) 2003 Carnegie Mellon University


1 Incident Handling

2 Intruder Technology
Intruders use the technology currently available to them to develop new attack technology.

3 Code Red
An automated worm with a variety of malicious behaviors:
– CR1 was built from a single-site DoS tool and a previous worm
– At least 7 versions exist, differing in target selection and payload
– All exploit vulnerabilities in IIS, installed by default in Windows 2000 and Windows XP
– CR2 has a different payload and an improved propagation algorithm
– CR2 was almost certainly created by a different author than CR1, based on the original worm (new versions keep appearing)

4 Professional Threats
The new threat is not just simple hacking.
Sociology of today's threat vs. "hackers":
– Morale
– Organization
– Vigilance vs. assumed invulnerability
Motivation of today's threat:
– Accountability vs. anarchy
– Delayed vs. immediate gratification
– Internal vs. external gratification
Preparation of the current threat vs. "hackers":
– Training
– Intelligence / strategy

5 Handling Break-ins
– What to do
– How to catch the intruder
– How to find the damage
– How to repair the damage

6 Basic Rules (1): DON'T PANIC
Questions to settle before acting:
– Is it a real break-in?
– Was any damage really done?
– Is protecting evidence important?
– Is restoring normal operation quickly important?
– Are you willing to risk modifying files while you investigate?
– Is avoiding publicity important?
– Can it happen again?

7 Basic Rules (2): DOCUMENT
– Start a notebook
– Collect printouts and backup media
– Use scripts to record what you do
– Consult legal assistance about evidence gathering

8 Basic Rules (3): PLAN AHEAD
1. Identify/understand the problem
2. Contain/stop the damage
3. Confirm the diagnosis and determine the damage
4. Restore the system
5. Deal with the cause
6. Perform related recovery

9 Discovering an Intruder
– Catching them in the act
– Finding changes
– Receiving a message from another system administrator
– Strange activities
– User reports

10 Signs of Intrusions

11 Running Processes
What:
– Background programs running under user accounts
– New system processes
– Processes running for abnormal amounts of time
How to detect:
– Check the process list
– Watch system response time
– Watch total system load

12 Dealing with Running Processes
– Notify users that processes are being checked
– Clarify the ownership/identity of each process
– Look for files opened by the process (even if since removed)
– Look at the network connections held by the process
– Check the file system, network, and configuration
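A worked example of the "files opened by the process (even if removed)" and "network connections by process" items, added here and not part of the lecture: on Linux, /proc exposes a process's executable, command line and open descriptors; a file that was unlinked while still open is shown with a "(deleted)" suffix, and socket descriptors can be joined against /proc/net/tcp to recover the endpoints. Assumptions: the Linux /proc layout, an x86-style little-endian host (the hex addresses in /proc/net/tcp come out byte-reversed), and permission to read the target's /proc entry (your own processes, or root for others). The demo function deliberately unlinks a file it still holds open to show the detection.

```python
"""Follow up a suspect process through /proc: executable, command line,
open files (including files unlinked while still open) and its TCP sockets.
Added example (not from the lecture); Linux-specific, since it reads /proc.
Assumes it may read the target's /proc entry (own processes, or root)."""
import os
import tempfile

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


def proc_available():
    """True where the Linux proc filesystem is mounted."""
    return os.path.isdir("/proc/self/fd")


def inspect_process(pid):
    """Return what /proc reveals about pid as a dict with keys exe, cmdline,
    open_files, deleted and sockets. 'deleted' lists paths the process still
    holds open although they were removed from the file system, which is how
    an intruder's unlinked tool or private log copy shows up."""
    base = f"/proc/{pid}"
    info = {"exe": None, "cmdline": [], "open_files": [], "deleted": [], "sockets": []}
    try:
        info["exe"] = os.readlink(f"{base}/exe")
    except OSError:
        pass  # no such pid, kernel thread, zombie, or not permitted
    try:
        with open(f"{base}/cmdline", "rb") as fh:
            info["cmdline"] = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    except OSError:
        pass
    try:
        fds = os.listdir(f"{base}/fd")
    except OSError:
        return info  # another user's process without root, or no such pid
    for fd in fds:
        try:
            target = os.readlink(f"{base}/fd/{fd}")
        except OSError:
            continue  # closed between listdir and readlink
        if target.startswith("socket:["):
            info["sockets"].append(target)
        elif target.endswith(" (deleted)"):
            info["deleted"].append(target[:-len(" (deleted)")])
        elif target.startswith("/"):
            info["open_files"].append(target)
    return info


def decode_proc_addr(field):
    """Turn an '0100007F:0016' entry from /proc/net/tcp into '127.0.0.1:22'.
    Assumes a little-endian host, where the address bytes print reversed."""
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return f"{ip}:{int(port_hex, 16)}"


def tcp_connections(socket_links):
    """Map a process's 'socket:[inode]' links to IPv4 TCP endpoints by
    joining against /proc/net/tcp, whose 10th column is the socket inode."""
    wanted = {link[len("socket:["):-1] for link in socket_links}
    conns = []
    try:
        with open("/proc/net/tcp") as fh:
            next(fh)  # column header line
            for line in fh:
                f = line.split()
                if f[9] in wanted:
                    conns.append((decode_proc_addr(f[1]), decode_proc_addr(f[2]),
                                  TCP_STATES.get(f[3], f[3])))
    except OSError:
        pass
    return conns


def demo_deleted_but_open():
    """Hold a temp file open, unlink it, and check that /proc still names it.
    Returns True on Linux when the removed path is reported, False elsewhere."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"evidence")
        tmp.flush()
        os.unlink(tmp.name)
        return tmp.name in inspect_process(os.getpid())["deleted"]


if __name__ == "__main__":
    me = inspect_process(os.getpid())
    print(me["exe"], me["cmdline"])
    print("deleted-but-open demo:", demo_deleted_but_open())
    print(tcp_connections(me["sockets"]))
```

Run inspect_process(pid) on the suspect PID and pass its sockets list to tcp_connections(). Reading /proc directly sidesteps a trojaned ps or netstat on the compromised host, but a kernel-level rootkit can still lie to /proc, so treat an empty result as unconfirmed rather than clean.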

13 Changed Configuration
What:
– Network cards in promiscuous mode
– Odd printer configuration
– Odd disk configuration/partitioning
How to detect:
– Configuration utilities
– Static checking tools
– Program failures
– Network/printing delays

14 Dealing with Changed Configurations
What to do:
– Report changes from the baseline
– Do a walkabout audit of the equipment on the network
– Probe for modems
– Look for unexpected network routes
How to do it:
– Set priorities
– Establish a flexible schedule
– Automate as much as possible
– Vary the checks over time

15 Added Accounts/Directories/Files
What:
– New files in system areas
– New programs in odd locations (temporary, guest, scratch directories)
– New directories with odd names (".. ", "...", "//", etc.)
– New accounts
How to detect:
– File listing utilities
– File system utilities
– Account management utilities

16 Dealing with Added Objects
– Establish procedures for program/account creation
– Verify the ownership and content of suspect files/accounts
– Examine the actions taken by suspect programs
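An added example (not from the lecture) for the two slides above: diff the current passwd against a baseline copy, flag any UID-0 login other than root and any login shell homed in a scratch directory, and walk a tree for the hide-from-ls directory names the slide lists. Both passwd texts and the scratch tree are constructed for the example; which directories count as "scratch" (/tmp, /var/tmp) is an assumption to adjust for your site.

```python
"""Look for the objects an intruder adds: accounts that were not in the
baseline (or now have UID 0, or live in scratch directories) and directory
names chosen to slip past a casual ls. Added example, not from the lecture;
the baseline and "current" passwd files below are constructed."""
import os
import re
import tempfile

BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed: a new UID-0 account homed in /tmp and a "support" account in /var/tmp.
CURRENT_PASSWD = BASELINE_PASSWD + """\
toor:x:0:0::/tmp/.x:/tmp/.x/sh
support:x:1001:1001:Support:/var/tmp/support:/bin/bash
"""

SCRATCH_DIRS = ("/tmp/", "/var/tmp/")  # assumed site convention


def parse_passwd(text):
    """passwd(5) text -> {name: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def audit_accounts(baseline_text, current_text):
    """Compare the current passwd against the baseline. Returns (finding, account)
    tuples: added/removed/changed relative to the baseline, extra-uid0 for any
    UID-0 login other than root, scratch-home for a real login shell whose home
    is under a scratch directory."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = [("added", n) for n in sorted(set(cur) - set(base))]
    findings += [("removed", n) for n in sorted(set(base) - set(cur))]
    findings += [("changed", n) for n in sorted(set(base) & set(cur)) if base[n] != cur[n]]
    for name, u in sorted(cur.items()):
        if u["uid"] == 0 and name != "root":
            findings.append(("extra-uid0", name))
        if u["home"].startswith(SCRATCH_DIRS) and not u["shell"].endswith("nologin"):
            findings.append(("scratch-home", name))
    return findings


def odd_name(name):
    """True for names that hide from a casual listing: '...', '.. ' (dot dot
    space), anything made only of dots and blanks, leading or trailing
    whitespace, or control characters."""
    if name in (".", ".."):
        return False  # the real self and parent links
    return bool(re.fullmatch(r"[.\s]+", name) or re.search(r"^\s|\s$|[\x00-\x1f\x7f]", name))


def find_odd_names(root):
    """Walk root and return the relative paths whose basename is odd."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if odd_name(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo_odd_tree():
    """Build a constructed scratch tree with two hidden-style directories
    among normal ones and return what find_odd_names reports."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("normal", ".ssh", "...", ".. ", os.path.join("...", "tools")):
            os.makedirs(os.path.join(root, d), exist_ok=True)
        return find_odd_names(root)


if __name__ == "__main__":
    for finding in audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD):
        print(*finding)
    print(demo_odd_tree())
```

Keep the baseline passwd copy off the host (or on read-only media); a baseline the intruder can edit is no baseline. The same diff approach applies to /etc/group and /etc/shadow fields.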

17 Log Gaps
What:
– Deleted or abridged log files
How to detect:
– Lack of expected messages across a time span
– Mismatches between logs
– Mismatches with billed access/reported access

18 Dealing with Log Gaps
– Examine logs for typical events as well as atypical ones
– Establish overlapping logging
– Establish non-traditional logging
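An added example (not from the lecture) for the two slides above, showing both detection methods on the "typical events" idea: a routine hourly cron marker gives a rhythm whose absence over a span is measurable, and a second, overlapping record (wtmp as printed by last) can be reconciled against the sshd "Accepted" lines in syslog. All log lines are constructed; the year is assumed because syslog lines carry none, and the 1.5x period slack and 2-minute matching tolerance are tuning assumptions.

```python
"""Two checks for a tampered log: a known-periodic message (hourly cron run)
that stops appearing for a span, and sessions present in one record (last /
wtmp) with no matching sshd "Accepted" line in syslog.
Added example, not from the lecture; every log line below is constructed."""
from datetime import datetime, timedelta
import re

YEAR = 2003  # syslog lines carry no year; assumed for the constructed data
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

# Constructed syslog: the hourly cron marker is missing between 03:17 and 06:17.
SYSLOG = """\
Mar 10 01:17:01 web1 CRON[2101]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 02:05:02 web1 sshd[2188]: Accepted password for alice from 10.0.0.5 port 4021 ssh2
Mar 10 02:17:01 web1 CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 03:17:01 web1 CRON[2301]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 06:17:01 web1 CRON[2590]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 06:50:11 web1 sshd[2633]: Accepted password for bob from 10.0.0.9 port 4102 ssh2
Mar 10 07:17:01 web1 CRON[2701]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed last(1)-style output: the 04:40 session has no syslog counterpart.
LAST = """\
alice    pts/0    10.0.0.5    Mar 10 02:05
alice    pts/0    10.0.0.5    Mar 10 04:40
bob      pts/1    10.0.0.9    Mar 10 06:50
"""


def parse_syslog(text):
    """-> list of (timestamp, host, program, message) tuples."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_gaps(events, is_marker, period, slack=1.5):
    """(start, end) spans where consecutive marker events are more than
    slack*period apart. A missing run of routine lines usually means the
    file was edited or logging was stopped for that span."""
    times = [e[0] for e in events if is_marker(e)]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > period * slack]


def reconcile_logins(events, last_text, tolerance=timedelta(minutes=2)):
    """Sessions in last output with no sshd Accepted line within tolerance:
    either a deleted log entry or a login path that bypassed sshd."""
    accepted = []
    for ts, _host, prog, msg in events:
        m = re.match(r"Accepted \S+ for (\S+) from (\S+)", msg)
        if prog == "sshd" and m:
            accepted.append((ts, m.group(1), m.group(2)))
    unexplained = []
    for line in last_text.splitlines():
        m = re.match(r"(\S+)\s+\S+\s+(\S+)\s+(\w{3} +\d+ \d\d:\d\d)", line)
        if not m:
            continue
        user, src = m.group(1), m.group(2)
        ts = datetime.strptime(f"{YEAR} {m.group(3)}", "%Y %b %d %H:%M")
        if not any(u == user and s == src and abs(t - ts) <= tolerance for t, u, s in accepted):
            unexplained.append((ts, user, src))
    return unexplained


def hourly_cron(event):
    """Marker predicate: the hourly run-parts line written by cron."""
    return event[2] == "CRON" and "cron.hourly" in event[3]


def run():
    """Apply both checks to the constructed data; returns (gaps, unexplained)."""
    events = parse_syslog(SYSLOG)
    return find_gaps(events, hourly_cron, timedelta(hours=1)), reconcile_logins(events, LAST)


if __name__ == "__main__":
    gaps, unexplained = run()
    for a, b in gaps:
        print(f"no hourly cron marker between {a} and {b}")
    for ts, user, src in unexplained:
        print(f"{ts}: {user} from {src} in wtmp but not in syslog")
```

The point of the second check is the "overlapping logging" item: an intruder who cleans syslog must also clean wtmp, lastlog, process accounting and the remote loghost, and each record they miss is a mismatch you can find.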

19 Changed Programs/Files
What:
– Modified system programs or files
– Virus-infected programs or files
How to detect:
– Integrity checkers
– Virus scanners
How to deal with it: see the integrity lecture
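An added example of the integrity-checker idea (not the tool from the integrity lecture, and not code from this presentation): record a SHA-256 digest and mode bits for every file under a root, compare a later scan against that baseline, and report added, removed and modified files plus anything that has newly become setuid or setgid, which is the change an intruder most often leaves in a system directory. The tree it scans is constructed in a temporary directory, with a trojaned copy of ls, a dropped setuid shell and a removed file.

```python
"""Minimal file-integrity baseline: digest and mode for every file under a root,
compared against a later scan. Added example, not the lecture's integrity tool;
the tree it scans is constructed in a temporary directory."""
import hashlib
import os
import stat
import tempfile

SUID_BITS = stat.S_ISUID | stat.S_ISGID


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """{relative path: (digest, mode)} for regular files and symlinks under root.
    Symlinks are recorded by target, not followed, so a link newly pointing at
    /etc/shadow shows up as a changed link rather than being read."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                db[rel] = ("link:" + os.readlink(full), st.st_mode)
            elif stat.S_ISREG(st.st_mode):
                db[rel] = (file_digest(full), st.st_mode)
    return db


def compare(old, new):
    """Differences between two baselines as sorted lists. 'modified' covers a
    change of content or of mode; 'new_setuid' lists files that carry a
    setuid/setgid bit now and did not in the baseline (or did not exist)."""
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
        "new_setuid": [],
    }
    for rel, (_digest, mode) in sorted(new.items()):
        before = old.get(rel, ("", 0))[1]
        if mode & SUID_BITS and not before & SUID_BITS:
            report["new_setuid"].append(rel)
    return report


def demo():
    """Baseline a constructed tree, then replace one binary, drop a setuid
    file in a hidden scratch directory, remove one file, and compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)

        write("bin/ls", b"#!/bin/sh\nexec /bin/ls.real \"$@\"\n", 0o755)
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("etc/motd", b"welcome\n")
        before = baseline(root)

        # Constructed intrusion: trojaned ls, hidden setuid binary, deleted motd.
        write("bin/ls", b"#!/bin/sh\n# trojaned wrapper\nexec /bin/ls.real \"$@\"\n", 0o755)
        write("tmp/.x/sh", b"fake binary", 0o4755)
        os.remove(os.path.join(root, "etc/motd"))
        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Store the baseline where the intruder cannot reach it (read-only media or another host) and run the comparison from a known-good copy of the interpreter and tools; a checker whose database or binary lives on the compromised host can be edited to agree with whatever the intruder installed.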

20 Communication
What:
– IRC communication
– E-mail
– Modem traffic
– Website chat
– Instant messaging
How to detect:
– Logs
– Sniffing/monitoring
– Caller ID

21 Dealing with Intruder Communication
– Set a policy and publicize it
– Announce that e-mail, IRC, instant messages and web traffic may be examined
– Reconcile logs
– Look for added clients
– Watch for suspect sites

22 Dealing with the Intruder (1)
Ignore the intruder:
– Dangerous
– Contrary to policy/law?
Communicate with the intruder:
– Dangerous
– Low return
Trace/identify the intruder:
– Watch for traps and unwarranted assumptions
– Easiest if prepared ahead of time

23 Dealing with the Intruder (2)
Break the intruder's connection:
– Physically
– Logically (log out, kill processes, lock the account)
Contact outside help:
– Don't use the infected system
– Avoid using e-mail from connected systems

24 Cleaning Up after the Intruder
– Restore system programs/files
– Delete unauthorized accounts
– Restore authorized access to affected accounts
– Restore file/device protections
– Remove unauthorized setuid/setgid programs
– Remove unauthorized mail aliases
– Remove added files/directories
– Force new passwords

25 Resuming Operation
Options:
– Investigate until how and when are known, fix the holes, then resume
– Patch and repair the damage, enable further monitoring, then resume
– Quick scan and cleanup, then resume
– Call in law enforcement (delays resumption)
– Do nothing and keep using the corrupted system

26 Damage Control
Deal with the consequences of the break-in:
– Was sensitive information disclosed?
– Who do you need to notify formally?
– Who do you need to notify informally?
– What disciplinary action is needed?
– What vendor contacts do we need to make?
– What other system administrators should be notified?
– What updated employee training is needed?

