Incident Response In a Microsoft World. By John K.
88 Slides1.66 MB
Incident Response In a Microsoft World. By John K. AKA [email protected]
Over View (Intro) Incident Response what is it? Definition and examples. Purpose of Incident Response. Recognizing an Incident. Policy. Education. What to do in an incident. Scenario One. Scenario Two.
Incident Response. What is it? Incident: An action likely to lead to grave consequences especially in diplomatic matters a serious border incident Grave consequences: Sounds bad. Really bad. Probably does not look good on the resume. Could mean loss of revenue. Company/Corporate level. Security Manager personal level.
Incident Examples: Malicious code. Virus infection. Trojan programs. Worms. Malicious scripting. Usually hidden and some have the potential to Replicate. Effects can range from simple monitoring of system/network traffic to complicated automated backdoors with full system rights.
Incident Examples: Malicious code. Unauthorized Access. Accessing data without permission. Utilizing an account not assigned. Utilizing another users account. Utilizing assigned account in a manner not specifically assigned. Elevating privileges above assigned.
Incident Examples: Malicious code. Unauthorized Access. Unauthorized Utilization of Services. Game play. Mail relay. Dialup access. Use of corporate equipment for personal gain. (Home business, stocks, etc ) Personal servers on network. Much of this depends on Policy.
Incident Examples: Malicious code. Unauthorized Access. Unauthorized Utilization of Services. Espionage. Information stealing/manipulation. Email monitoring. Utilize ISP as a point of presence. Notebook theft. Data copying. CD burners, zip drives, flash memory. Simple trojan/tunneling methods.
Incident Examples: Malicious code. Unauthorized Access. Unauthorized Utilization of Services. Espionage. Hoaxes. Warnings. Virus threats, bomb threats, etc Scams. Pyramid mail, sob stories, contests. Corporate mail is for Business use only. Authorized personnel will distribute warnings.
Incident Examples: Malicious code. Unauthorized Access. Unauthorized Utilization of Services. Espionage. Hoaxes. Aggressive Probes. Does not include port scans. Baseline network to observe unusual trends. Unusual activity should be investigated. Monitor both internal and external network traffic.
Incident Response. What is it? Response: An act of responding. Something constituting a reply or a reaction. The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation The output of a transducer or detecting device resulting from a given input.
Incident Response. What is it? Incident Response: An act of responding to an action likely to lead to grave consequences especially in diplomatic matters. Sometimes referred to as a Knee Jerk reaction. Ideally Incident Response would be a set of policies that allow an individual or individuals to react to an incident in an efficient and professional manner thereby decreasing the likelihood of grave consequences. Pay check Good, Pink slip Bad.
Purpose: Minimize overall impact. Hide from public scrutiny. Stop further progression. Involve Key personnel. Control situation.
Purpose: Minimize overall impact. Recover Quickly & Efficiently. Respond as if going to prosecute. If possible replace system with new one. Priority one, business back to normal. Ensure all participants are notified. Record everything.
Purpose: Minimize overall impact. Recover Quickly & Efficiently. Secure System. Lock down all known avenues of attack. Assess system for unseen vulnerabilities. Implement proper auditing. Implement new security measures.
Purpose: Minimize overall impact. Recover Quickly & Efficiently. Secure System. Follow-up (It is never REALLY over). Ensure that all systems are secure. Continue prosecution. Securely store all evidence and notes. Distribute lessons learned.
Recognizing an Incident: Obvious. Web page defacement. Contact from Perp. (Email, phone, etc ) System service denial. Uh, George? Did you change the wallpaper on the servers? Well all the NT boxes in the server room have this pretty blue screen on them now
Recognizing an Incident: Obvious. Automated Response. Intrusion Detection System(s) Anti-malicious code software. Firewall. Other security systems.
Recognizing an Incident: Obvious. Automated Response. Outside Source. Another company reporting possible links. Password files, IP addresses, etc Contact by CERT. Law enforcement. Public announcement. News, attrition.org, Hackernews.net.
Recognizing an Incident: Obvious. Automated Response. Outside Source. Physical Report. Sensitive material found in public area. Privacy act information, bids, etc Hardware reported missing. Secure areas left unsecured. Unescorted unknown personnel. Controlled areas left unattended.
Recognizing an Incident: Obvious. Automated Response. Outside Source. Physical Report. System Administrator Report. Unusual log activity. Failed logins, unusual connect times. New accounts. New files. Missing files.
Recognizing an Incident: Obvious. Automated Response. Outside Source. Physical Report. System Administrator Report. Technician Report. Malicious code found on WorkStation. Policy violation found on WorkStation. Games, personal software, etc Evidence of system modification. This is the man in the field. Very useful.
Recognizing an Incident: Obvious. Automated Response. Outside Source. Physical Report. System Administrator Report. Technician Report. Obscure. Without investigation by a subject matter expert many incidents can be incorrectly labeled as user error, equipment failure, etc Technicians and SA’s need to investigate problems fully and pass on to Security.
Policy? Much of Incident Response will depend on your Security Policy.
Policy? Much of Incident Response will depend on your Security Policy. Don’t have one? Better get one. CYA (Cover Your Access) Hard for employee to deny wrong doing when you have signed papers showing review of existing policies to include Acceptable Use.
Policy? Much of Incident Response will depend on your Security Policy. Don’t have one? Better get one. CYA (Cover Your Access) Acceptable Use. Games. Email. Personal software. Stock watchers. ICQ, AIM, IRC, etc
Policy? Much of Incident Response will depend on your Security Policy. Don’t have one? Better get one. CYA (Cover Your Access) Acceptable Use. Monitoring. Specify daily monitoring for troubleshooting. Specify ALL traffic WILL be monitored. Do not allow legal opening for invasion of privacy. Workplace is for business and all business efforts are subject to security measures and perusal to ensure best business practices.
Policy? Current Point Of Contact List. Primary number for 24 hour emergency. Email and desk numbers for Security staff. Designed to give all personnel the minimal needed information to respond to an incident or to ask a question.
Policy? Current Point Of Contact List. User Responsibilities. Acceptable use. Software installation. Security reporting. Be aware (weakest link theory is in full effect for security).
Policy? Current Point Of Contact List. User Responsibilities. Technician/System Administrator Responsibilities. Follow all user responsibilities. Lead by example when ever possible. Report any potential violations to Security. Assist security in matters regarding their area of expertise. Keep investigations highly confidential. Monitor and archive all logs. Be aware (technical expertise is only of value if used).
Policy? Current Point Of Contact List. User Responsibilities. Technician/System Administrator Responsibilities. Security Officer(s)/Manager(s) Responsibilities. Lead by example. Monitor logs/reports. Provide for on call duties. Open door/email policy. Communicate. Educate the masses. Educate self daily. Be aware (or be compromised).
Educate. Policy is worthless unless implemented. What good is a library that is locked? What good are laws that are not enforced? What good is a policy that is not updated?
Educate. Policy is worthless unless implemented. The users must have easy access to policy. All new users should be required to read Policy at hire and sign acceptance. Policy should be kept easily available. Online (Read only). Hard copy (HR, Security Office, Library, etc ) A system for suggestions should be available. All memorandums that affect security should be included in Policy.
Educate. Policy is worthless unless implemented. The users must have easy access to the Policy. The Policy needs to be explained to users. A glossary should be provided. The Policy should be easily understandable. The Policy should not be vague enough to allow misinterpretation. Security should be willing to assist users. Every 6 months refresher should be required. Coincide with password change. Sign for new password and Policy acceptance.
Educate. Policy is worthless unless implemented. The users must have easy access to policy. The policy needs to be explained to users. The policy needs to be supported by Management. The highest level needs to sign off on policy. All members are subject to policy. It is at the higher levels that the larger “Incidents” can be found. No favorites. “Iron Clad” policies backed by weak enforcement leads to ridicule.
Educate. Policy is worthless unless implemented. The users must have easy access to policy. The policy needs to be explained to users. The policy needs to be supported by Management. If possible provide small classes. Anti-virus software. Good Password selection (if needed). Suggest SA’s distribute passwords. Computer access. User alertness. Acceptable use. Ignorance is curable.
What to do. Instead of a rigid framework of how Incident Response HAS to be handled I am going to provide two basic scenarios and walk through how a small to medium sized company could handle two different incidents.
What to do. Instead of a rigid framework of how Incident Response HAS to be handled I am going to provide two basic scenarios and walk through how a small to medium sized company could handle two different incidents. Crowd participation is requested and appreciated. Stories of similar incidents with different responses are especially of interest. Don’t be shy, wake up! Participate.
Scenario One. Time: 2013 A V.P. is giving a party at home. Decides to show off new web page. While viewing corporate leadership page V.P. notices certain pictures of persons (including V.P.) and bio information have been modified to be less than favorable.
Scenario One. Time: 2015 Having just read and signed off on the current Security Policy earlier that week. V.P. remembers that personnel can contact the helpdesk 24 hours a day for reporting problems. Phoning the Helpdesk he reports the problem and expresses an intense desire to have the situation resolved as soon as possible. After logging all information the Helpdesk assures the V.P. resolution shall be swift.
Scenario One. Basic Information to gather: Time and date reported (specify time zone) Name of contact. Phone number and/or email of contact. System suspected to be affected. Technical details of system if known. IP address(es), OS, patches loaded, physical location, services running, suspected access point (vulnerability). Time and date ‘incident’ noticed by contact. Description of incident.
Scenario One. Time: 2020 Helpdesk finishes entering information into log. Helpdesk verifies that page has been modified. Per security policy all incidents affecting the company in a ‘Public’ manner are considered Priority 1.
Scenario One. Time: 2021 Helpdesk reviews POC list and calls the Security Manager’s pager. This specific SecManager insists on notification of all Priority 1’s. Another approach would be an on call security member that updates the Manager after reviewing situation.
Scenario One. Time: 2027 Helpdesk reviews POC list and calls the Security Manager’s pager. After being updated of current situation SM requests helpdesk to contact NT server on call person and have him meet him at office in 30 minutes. SM gets ready for a late night at the office.
Scenario One. Time: 2030 Helpdesk checks POC list and calls on call SA. Helpdesk explains basic situation to SA. SA assures he is getting ready to go.
Scenario One. Time: 2035 Per intra-department policy SA calls department head while enroute to office to notify about situation and to ensure response is in process. Department head receives information and requests update if any new/important information arises. Otherwise he will want full update in the morning.
Scenario One. Time: 2100 SA and SM meet at server room. Quick discussion of current assets reveals that there is a backup server available with recently loaded OS, services, and patches. SA begins process of restoring data from backup tape while SM begins process of bit by bit copy of compromised server. More complete details of Forensic techniques Will be given in Paul Mobley’s Forensic Speech.
Scenario One. Time: 2300 SA finishes restoring webserver data and verifies that data restored has not been manipulated. Since current backup policy states full backups at 0100 every day this gives a roughly 18 hour window for the data manipulation to have occurred. SA brings new server online and updates logs for Incident.
Scenario One. Time: 2330 As forensic backups become available the original Hard drives are removed and locked in a safe logs are noted with time of entry and an evidence log is created for those specific items. SA and SM will work through the night looking for evidence of how the manipulation occurred.
Scenario One. Time: 0800 Good news! Through the diligent work of the SA and SM information was found that showed that the data was manipulated at 1957 by a dial in account. This shows that the incident may have remained unseen by public. Further review of online web defacement authorities (attrition.org) shows no mention of defacement.
Scenario One. Time: 0800 Coordination with HR reveals that the owner of the account had recently been passed over for a promotion. Normally that user account would not have rights to the webserver directories but an earlier update to the server created a hole for internal users. The SA quickly reconfigured file access for the server and closed that hole.
Scenario One. Time: 1000 Coordination with HR, Legal, and the employee’s direct supervisor showed that due to previous poor work record and misconduct it would be in the best interest of the company to terminate the employment of the individual in question.
Scenario One. Conclusion: Due to proper procedures and quick response of all personnel involved the incident was quickly contained, resolved, and business returned to normal. Communication and coordination is especially important in Incident Response. Any break down in the chain can cause the entire process to fail.
Scenario Two. Time: 1000 Helpdesk operator Julie has been especially busy this morning. Aside from the normal calls of users not being able to properly format documents in Word and find the ‘any’ key. There was a spurt of user complaints from being locked out. In addition one of the traveling salespeople (Frank) has returned from being in the field and has logged numerous complaints about his system not ‘working right’.
Scenario Two. Julie diligently logged all of the calls today and sent them off to the appropriate queues. System Admin received the lockouts. Technical Support received Frank.
Scenario Two. During the day Julie will check on assigned tickets to ensure that adequate response is being given. She noticed that at 1003 System admin had fixed all of the lockouts and was researching why they had happened. At 1012 technical support accepted Frank’s ticket and were enroute.
Scenario Two. Time: 1030 Chris in Technical support meets with Frank. Frank explains that this morning after he logged in, the system said something about performing maintenance please wait. So he went off and had a cup of coffee and checked with coworkers on latest news. Upon return to his computer it appeared to be done with its program but “acted” weird during the morning. Sometimes it would beep and sometimes the cd tray would eject for no reason. Very weird.
Scenario Two. Time: 1040 Chris quickly took a look at the system to see what was running and didn’t notice anything obvious. He did notice that contrary to Policy Frank had appeared to have installed some custom programs like a stock ticker and a theme from the television show Baywatch.
Scenario Two. Time: 1044 While looking at the laptop computer the cd rom Drive opened. Within was a copy of Quake. Chris decided to reboot to see if the symptoms would continue.
Scenario Two. Time: 1047 After the system finished rebooting Chris noticed that the anti-virus software was not running. Further investigation showed that it had been disabled. After enabling the anti-virus software he had it update to the latest dat file and then run a full scan against the system. Last scan had been over 6 months ago.
Scenario Two. Time: 1100 After the anti-virus program finished its scan it reported that Back Orifice 2000 was found. Chris immediately disconnected the infected machine from the network. He then contacted the Helpdesk to update Julie and have her contact the Security Department.
Scenario Two. Time: 1107 Julie contacted the Security Manager and updated him on the situation. The SM requested the phone number for where Chris was currently located. He then called Chris and told him to make sure the computer was not disturbed until his arrival.
Scenario Two. Time: 1115 After having Chris update him in person the SM confiscated the computer to be taken back to the lab and have proper forensics ran against it.
Scenario Two. Time: 1125 Upon return to his office there was a message from the System Admin department stating that logs show repeated attempts to log in to numerous accounts from a users machine. The owner of the machine is listed as Frank.
Scenario Two. Time: 1130 The SM contacts HR, Legal, and Frank’s direct Supervisor to discuss that due to deliberate violation of Policy it appears that Frank has enabled an outside presence to mount an attack on the companies computer systems. With the agreement of HR, Frank’s supervisor sends Frank home while investigation proceeds. The SM ensures that all of Frank’s access is disabled. In addition a network wide password change is enforced.
Scenario Two. Time: 0900 (the next day) Analysis of Frank’s machine shows that he received an email claiming to be themes for the TV show Baywatch. One of the themes was wrapped with BO2K. Headers show that the email originated from the Ukraine.
Scenario Two. Time: 0900 (the next day) Due to the difficulty in coordinating investigations in Ukraine further research has been deemed not cost productive. Current logs and evidence have been stored in case of further activity from that area. CERT was notified on incident with particulars given about Ukraine activity.
Scenario Two. Time: 0900 (the next day) Due to the lack of previous problems with Frank and his excellent work history Frank has had the Incident recorded in his record. In addition Frank will assist Security in further classes by being an example of what can happen by violating Policy.
Scenario Two. Time: 0900 (the next day) Research is being done in regards to implementing a server controlled anti-virus program. This will help locate systems without virus protection and force feed updates to the users. In addition Intrusion Detection Systems are being evaluated to improve network awareness.
Scenario Two. Conclusion: At first a problem may not seem to be a security incident but further investigation is always needed to ensure what the total scope is. Seemingly unrelated incidents can be part of one large incident when observed after the initial report. Policy must be enforced.
Conclusion (0uttro) Incident Response: An act of responding to an action likely to lead to grave consequences especially in diplomatic matters. Sometimes referred to as a Knee Jerk reaction. With the knowledge you are now armed with you can ensure your company is on the way from using Knee Jerk reactionary tactics to creating Incident Response skills that can overcome any adversary.
Conclusion (0uttro) Minimize overall impact. Hide from public scrutiny. Stop further progression. Involve Key personnel. Control situation. Recover Quickly & Efficiently. Respond as if going to prosecute. If possible replace system with new one. Priority one, business back to normal. Ensure all participants are notified. Document every action, backup all data.
Conclusion (0uttro) Secure System. Lock down all known avenues of attack. Assess system for unseen vulnerabilities. Implement proper auditing. Implement new security measures. Control situation. Follow-up (always learn from incidents). Ensure that all systems are secure. Continue prosecution. Securely store all evidence and notes. Distribute lessons learned.
Extra. The following slides will consist of reference web pages in no particular order or preference. The one thing they all have in common is that they offer valuable information to people interested in the latest and best in information security. This list is not meant to be a complete list in any way. There are other web sites out there with valuable information to be found. It is up to you to find them. Ignorance is curable. I am merely offering a small dose of the cure. There is more out there.
Attrition.org http://www.attrition.org/mirror/attrition/months.html
CERT.org http://www.cert.org
Windows NT Intruder Detection Checklist http://www.cert.org/tech tips/win intruder detection checklist.html
Handbook for CSIRTS http://www.sei.cmu.edu/publications/documents/98.reports/ 98hb001/98hb001abstract.html
SecurityHorizon.com http://www.securityhorizon.com
SecurityFocus.com http://www.securityfocus.com
ICAT Database http://icat.nist.gov/icat.taf
Jawz, Inc.com http://www.jawzinc.com
Foundstone.com http://www.foundstone.com/rdlabs/tools.html
[email protected] http://packetstorm.securify.com
AtStake (L0pht&HNN) http://www.atstake.com/security news/index.html
Insecure.org (Fyodor&Nmap) http://lists.insecure.org/
Astalavista.box.sk http://www.astalavista.box.sk
Credits. Jeff Moss & BlackHat. The man who made this all happen. Dr. Greg Miles & Jawz Inc. The boss that said sure go to Vegas and speak. Just make sure to bring me something. Security Horizon The website that is going to allow me to place more information online. Hugh Howe & Scott Mallory The last minute editors that ensured this presentation was legible.
Incident Response In a Microsoft World. By John K. AKA [email protected] Thank you for attending.
