Incident response

Intrusion Detection Methods
“Intrusion detection is the process of
identifying and responding to malicious
activity targeted at computing and
networking resources.”
1
The Seven Fundamentals
1. What are the methods used
2. How are IDS organized
3. What is an intrusion
4. How do we trace and how do they hide
5. How do we correlate information
6. How can we trap intruders
7. Incident response
2
The Emergency Action Card
When a computer security incident occurs, and you are not
prepared, follow these ten steps:
Emergency Step 1.
Remain calm.
Even a fairly mild incident tends to raise
everyone's stress level. Communication and
coordination become difficult. Your calm can
help others avoid making critical errors.
3
http://www.sans.org/newlook/publications/incident_handling.htm
Emergency Step 2.
Take good notes.
Make sure you answer the four Ws (Who, What,
When, and Where) and, for extra credit, How
and Why.
4
Emergency Step 3.
Notify the right people and get help.
Begin by notifying your security coordinator
and your manager and asking that a coworker
be assigned to help coordinate the incident
handling process. Get a copy of the corporate
phonebook and keep it with you. Ask your
helper to keep careful notes on each person
with whom he or she speaks and what was said.
Make sure you do the same.
5
Emergency Step 4.
Enforce a "need to know" policy.
Tell the details of the incident to the
minimum number of people possible. Remind
them, where appropriate, that they are
trusted individuals and that your
organization is counting on their discretion.
Avoid speculation except when it is required
to decide what to do. Too often the initial
information in an incident is misinterpreted
and the "working theory" has to be scrapped.
6
Emergency Step 5.
Use out of band communications.
If the computers may have been compromised,
avoid using them for incident handling
discussions. Use telephones and faxes
instead. Do not send information about the
incident by electronic mail, talk, chat, or
news; the information may be intercepted by
the attacker and used to worsen the
situation. When computers are being used,
encrypt all incident handling e-mail.
7
Emergency Step 6.
Contain the problem.
Take the necessary steps to keep the problem
from getting worse. Usually that means
removing the system from the network, though
management may decide to keep the connections
open in an effort to catch an intruder.
8
Emergency Step 7.
Make a backup of the affected system(s) as
soon as practicable.
Use new, unused media. If possible make a
binary, or bit-by-bit backup.
9
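Emergency Step 7 asks for a bit-by-bit copy onto new, unused media. The following is an added example, not part of the slides or of the SANS card, showing what that looks like in practice: the source is streamed to the target in fixed-size chunks, the source hash is taken from the bytes as they are read, the image is hashed again after it has been flushed to the media, and a target that already holds data is refused. The device path is whatever the caller passes (on a real host it would be a block device opened read-only, for example a hypothetical /dev/sdb); the demo runs against a constructed temporary file.

```python
"""Added example (not from the slides): bit-for-bit image of a source
device or file onto unused target media, with integrity verification."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB chunks so a large device streams


def target_is_unused(path: str) -> bool:
    """Step 7 says to use new, unused media: refuse a target that already
    holds data so an earlier image is never silently overwritten."""
    return not os.path.exists(path) or os.path.getsize(path) == 0


def image_device(source: str, target: str) -> dict:
    """Copy every byte of `source` to `target` and return both hashes.

    The source hash is computed from the bytes as they are read (one pass),
    the image hash by re-reading the finished target (a second pass), so a
    write error or faulty media shows up as a mismatch rather than going
    unnoticed until the image is needed.
    """
    if not target_is_unused(target):
        raise ValueError(f"target {target!r} is not unused media")
    src_hash = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(target, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes reached the media
    img_hash = hashlib.sha256()
    with open(target, "rb") as img:
        for chunk in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(chunk)
    return {
        "bytes": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }


def demo() -> dict:
    """Image a constructed 3 MiB-plus 'device' in a temp dir and report."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "constructed_device.img")
        target = os.path.join(tmp, "evidence_copy.img")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))  # constructed content
        result = image_device(source, target)
        result["sizes_match"] = os.path.getsize(source) == os.path.getsize(target)
        return result


def demo_refuses_reuse() -> bool:
    """Show the unused-media check: a second image onto the same target fails."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "src.img")
        target = os.path.join(tmp, "copy.img")
        with open(source, "wb") as f:
            f.write(b"constructed" * 100)
        image_device(source, target)
        try:
            image_device(source, target)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
    print("reuse refused:", demo_refuses_reuse())
```

Record both hash values in the incident notes from Step 2 together with who took the image, when, and onto which media; the image hash is what a later analyst recomputes to show the copy is still the one that was taken.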
Emergency Step 8.
Get rid of the problem.
Identify what went wrong if you can. Take
steps to correct the deficiencies that
allowed the problem to occur.
10
Emergency Step 9.
Get back in business.
After checking your backups to ensure they
are not compromised, restore your system from
backups and monitor the system closely to
determine whether it can resume its tasks.
11
Emergency Step 10.
Learn from this experience, so you won't get
caught unprepared the next time an incident
occurs.
12
Incident response
• The real-time decisions and actions of
asset managers that are intended to
minimize incident related effects on their
assets and to mitigate residual security risk
based on available evidence from the
incident.
13
Incident Response factors
• Soft factors
– Management policies
– Organizational structure
– Administrative procedures
• Hard factors
– IDS
– Traps
– Trace back tools
14
Incident Response Process
[Figure: Incident Response Process timeline, running from Incident Detected through ID Process, Response Initiated and Response Completed to System Restored; remaining diagram labels not recoverable.]
15
Response
• Human initiated response
• Automatically initiated response
• Coordinated Human & Automatic response
16
Factors influencing Response
• Passive factors
– What assets have been affected or damaged by the incident
– How did the incident occur
– How was it detected
– How trustworthy is the incident related information
17
Factors influencing Response
• Active factors
– What would be the effect of altering the target system's functionality
– What would be the effect of initiating trace backs and traps
– What would be the effect of doing nothing
– How legal is the response
18
Robin Hood and Friar Tuck
!X id1
id1: Friar Tuck... I am under attack! Pray save me!
id1: Off (aborted)
id2: Fear not, friend Robin! I shall rout the Sheriff of Nottingham's men!
id1: Thank you, my good fellow!
Each ghost-job would detect the fact that the other had been
killed, and would start a new copy of the recently slain program
within a few milliseconds. The only way to kill both ghosts was
to kill them simultaneously (very difficult) or to deliberately
crash the system.
19
http://www.tuxedo.org/~esr/jargon/
Examples
• RealSecure + Firewall-1
• Snort + iptables
20
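The "Snort + iptables" pairing is the automatically initiated response from the Response slide: IDS alerts are turned into firewall rules. The following added example, not code from the slides, from Snort or from any firewall product, parses Snort's single-line "fast" alert format and proposes `iptables` DROP rules for high-priority sources. It only generates the commands; applying them stays with a human, which is the coordinated human and automatic response. It also encodes two of the active factors from the earlier slides: a protected range that is never blocked (so a spoofed alert cannot cut the handlers off their own management network) and a priority threshold below which the proposal is to do nothing. The alert lines, SIDs and the 192.0.2.0/24 management range are constructed (RFC 5737 documentation addresses).

```python
"""Added example (not from the slides): Snort fast alerts -> proposed
iptables rules, generated for review rather than executed."""
import ipaddress
import re

# Snort fast-alert layout:
#   timestamp [**] [gid:sid:rev] message [**] [Classification: ...]
#   [Priority: n] {proto} src:port -> dst:port
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Sources that must never be blocked automatically: the constructed
# management network that the handlers and the sensor itself sit on.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]  # constructed range


def parse_fast_alert(line: str):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert


def propose_rules(lines, max_priority=1):
    """Return (rules, skipped).

    rules   -- one iptables command per distinct source whose alert priority
               is at or above the threshold (Snort priority 1 is most severe)
    skipped -- (reason, detail) pairs for lines that produced no rule, so the
               handler can see what the automation chose not to do
    """
    rules, seen, skipped = [], set(), []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            skipped.append(("unparsed", line.strip()))
            continue
        if alert["prio"] > max_priority:
            skipped.append(("low-priority", alert["src"]))
            continue
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in NEVER_BLOCK):
            skipped.append(("protected", alert["src"]))
            continue
        if alert["src"] in seen:  # block each source once, however many alerts
            continue
        seen.add(alert["src"])
        rules.append(
            f"iptables -I INPUT -s {alert['src']} -j DROP"
            f"  # sid {alert['sid']}: {alert['msg']}"
        )
    return rules, skipped


# Constructed sample alerts; SIDs 9000001-9000003 are made up for the demo.
SAMPLE_ALERTS = [
    "01/10-12:00:01.000000  [**] [1:9000001:1] CONSTRUCTED ssh brute force [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.5:43210 -> 192.0.2.10:22",
    "01/10-12:00:02.000000  [**] [1:9000001:1] CONSTRUCTED ssh brute force [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.5:43211 -> 192.0.2.10:22",
    "01/10-12:00:03.000000  [**] [1:9000002:1] CONSTRUCTED port scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] "
    "{TCP} 198.51.100.7:5555 -> 192.0.2.10:80",
    "01/10-12:00:04.000000  [**] [1:9000003:1] CONSTRUCTED spoofed alert [**] "
    "[Priority: 1] {ICMP} 192.0.2.20 -> 192.0.2.10",
    "this line is not an alert",
]

if __name__ == "__main__":
    proposed, left_alone = propose_rules(SAMPLE_ALERTS)
    print("\n".join(proposed))
    for reason, detail in left_alone:
        print(f"skipped ({reason}): {detail}")
```

With the constructed input this proposes a single rule for 203.0.113.5 (the second alert from the same source is folded into it), leaves the priority-3 scan alone, and refuses to touch 192.0.2.20 because it is inside the protected range. Reviewing the skipped list is as much part of the response as applying the rules: it is where a handler notices that the automation has been given a misleading alert.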