Incident Handling
COEN 250

Definitions
- Event: an observable occurrence
- Adverse events: events with negative consequences
- Computer security incident:
  - Traditional: a security-related adverse event in which there was a loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability
  - Newer: a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices

Incident Types
- CIA-related incidents: Confidentiality, Integrity, Availability
- Other types:
  - Reconnaissance attacks
  - Repudiation: someone takes an action and denies it later on

Need for Incident Response
- All organizations:
  - Systematic response to incidents
  - Help in recovering quickly and efficiently
  - Prepare for handling and avoidance of future incidents
  - Deal properly with legal issues
- Federal agencies:
  - Federal Information Security Management Act (FISMA) of 2002
    - Provide "procedures for detecting, reporting, and responding to security incidents"
    - Establishes a centralized Federal information security incident center
  - Civilian agencies: establish a point of contact (POC) with FedCIRC (Federal Computer Incident Reporting Center)
  - OMB Circular No. A-130, Appendix III: capability to provide help to users when an incident occurs

Incident Response Scope
- Technical: incident detection and investigation tools and procedures
- Management-related:
  - Policy
  - Formation of an incident response capability
  - In-house vs. outsourced

Stakeholders
- Organization's ability to fulfill its mission
- Users
- Administrators
- Providers: (organization's ISP), third-party software vendors, telecommunications providers
- Clients
- Affected external party
- Other incident response teams
- Owner of the attacking address
- Reporting agencies
- Media
- Law enforcement agencies
- Incident reporting agencies

Incident Response Policy
- Typical elements:
  - Statement of management commitment
  - Purpose and objectives of the policy
  - Scope of the policy (to whom and what it applies and under what circumstances)
  - Definition of computer security incidents and their consequences
  - Organizational structure and delineation of roles, responsibilities, and levels of authority
    - Includes confiscation / disconnection of equipment
    - Monitoring of activity
  - Requirements for reporting
  - Prioritization or severity ratings of incidents
  - Performance measures
  - Reporting and contact forms

Sharing Information with Outside Parties: Media
- Establish media communications procedures
- Designate a single point of contact (PoC)
- Prepare for media interaction
- Do not reveal sensitive, technical information
- Appreciate the importance of communicating with the public fully and effectively
- Brief media contacts on issues and sensitivities before discussion with the media

Sharing Information with Outside Parties: Law Enforcement
- Which agency?
  - Federal investigatory agencies: FBI, US Secret Service
  - State law enforcement
  - Local law enforcement
  - Office of the Inspector General (OIG) for federal agencies
- What incidents to report? Discuss beforehand.
- How to report? Discuss beforehand.
- Collection of evidence: what? how?

Sharing Information with Outside Parties: Incident Reporting Organizations
- FedCIRC (federal agencies only)
- Information Analysis and Infrastructure Protection (IAIP)
- CERT® Coordination Center (CERT®/CC)
- Information Sharing and Analysis Centers (ISAC)

Incident Response Team Structure: Team Models
- Central incident response team
- Distributed incident response teams
- Coordinating team: provides guidance and advice; does not have authority

Incident Response Team Structure: Staffing Models
- Employees
- Partially outsourced
- Fully outsourced

Incident Response Team Structure: Criteria (In-house)
- Need for 24/7 availability
- Full-time vs. part-time team members
  - Volunteer fire department model
- Employee morale: incident response demands on-call responsibilities for most team members
- Cost
- Staff expertise
- Organizational structure of the organization

Incident Response Team Structure: Criteria (Outsourcer)
- Current and future quality of work
- Division of responsibilities
- Sensitive information revealed to the contractor
- Lack of organization-specific knowledge
- Lack of correlation
- Outsourcer requires administrative access to systems and to logs
- Location: incident response often requires physical presence

Incident Response Team Structure: Team Development
- Budget for training, publications, references
- Mentoring program
- Rotation between incident response and other duties
- Training exercises

Incident Response Team Structure: Interactions with Other Groups
- Management: support, buy-in
- Information security staff
- Telecommunications staff: some incidents involve unauthorized access to telephone lines
- IT support staff
- Legal department
- Public affairs / media relations
- Human resources
- Business continuity planning
- Physical security and facilities management

Incident Response Team Structure: Incident Response Team Services
- Determine the scope of the incident response team
- Incident response
- Advisory distribution
- Vulnerability assessment
- Intrusion detection
- Education and awareness
- Technology watch
- Patch management (usually not recommended)

Incident Handling (Phases)
- Preparation
- Detection and analysis
- Containment, eradication and recovery
- Post-incident activity

Incident Handling: Preparation (Incident Handler Communications and Facilities)
- Contact information
- On-call information for other teams within the organization, including escalation information
- Incident reporting mechanisms
- Pagers or cell phones to be carried by team members for off-hour support, on-site communications
- Encryption software
- War room for central communication and coordination
- Secure storage facility for securing evidence and other sensitive materials

Incident Handling: Preparation (Incident Analysis Hardware and Software)
- Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data
- Blank portable media
- Easily portable printer
- Packet sniffers and protocol analyzers
- Computer forensic software
- Floppies and CDs with trusted versions of programs to be used to gather evidence from systems
- Evidence gathering accessories: hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, evidence tape

Incident Handling: Preparation (Incident Analysis Resources)
- Port lists, including commonly used ports and Trojan horse ports
- Documentation for OSs, applications, protocols, and intrusion detection and antivirus signatures
- Network diagrams and lists of critical assets, such as Web, e-mail, and File Transfer Protocol (FTP) servers
- Baselines of expected network, system and application activity
- Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents

Incident Handling: Preparation (Incident Mitigation Software)
- Media, including OS boot disks and CD-ROMs, OS media, and application media
- Security patches from OS and application vendors
- Backup images of OS, applications, and data stored on secondary media

Incident Handling: Detection and Analysis (Incident Categories)
- Denial of service
- Malicious code
- Unauthorized access
- Inappropriate usage
- Multiple-component incidents

Incident Handling: Detection and Analysis (Signs of an Incident)
- Intrusion detection systems
- Antivirus software
- Log analyzers
- File integrity checking
- Third-party monitoring of critical services
- Incident indications vs. precursors:
  - A precursor is a sign that an incident may occur in the future (e.g. scanning)
  - An indication is a sign that an incident is occurring or has occurred

Incident Handling: Detection and Analysis
- An indication of an incident is no proof that an incident has occurred
- The number of indications is exceedingly high
- Recommendations:
  - Profile networks and systems
  - Understand normal behavior
  - Use centralized logging and create a log retention policy
  - Perform event correlation
  - Keep hosts synchronized (Network Time Protocol)
  - Run packet sniffers

Incident Handling: Detection and Analysis
- Incident documentation: if an incident is suspected, start recording facts
- Incident prioritization based on:
  - Current and potential technical effects
  - Criticality of affected resources
- Incident notification:
  - CIO
  - Head of information systems
  - Local information security officer
  - Other incident teams
  - Other agency departments such as HR, public affairs, legal department

Incident Handling: Containment, Eradication, Recovery (Containment Strategies)
- Vary based on the type of incident
- Criteria for choosing a strategy include:
  - Potential damage / theft of resources
  - Need for evidence information
  - Service availability
  - Resource consumption of the strategy
  - Effectiveness of the strategy
  - Duration of the solution

Incident Handling: Containment, Eradication, Recovery (Evidence Gathering)
- For incident analysis
- For legal proceedings:
  - Chain of custody
  - Authentication of evidence

Incident Handling: Containment, Eradication, Recovery (Attacker Identification)
- Validation of the attacker's IP address
- Scanning the attacker's system
- Researching the attacker through search engines
- Using incident databases
- Monitoring possible attacker communication channels

Incident Handling: Containment, Eradication, Recovery (Eradication and Recovery)
- Eradication:
  - Deleting malicious code
  - Disabling breached user accounts
- Recovery: restoration of system(s) to normal
  - Restoring from clean backups
  - Rebuilding systems from scratch
  - Replacing compromised files
  - Installing patches
  - Changing passwords
  - Tightening perimeter security
  - Strengthening logging operations

Incident Handling: Post-Incident Activity (Evidence Retention)
- Prosecution of the attacker
- Data retention policies
- Cost

Denial of Service Incidents
- DoS prevents authorized use of IT resources
- Crashing the OS through malformed TCP/IP packets
- Crashing an application through malformed requests
- Consuming available resources: network, memory, disk space

Denial of Service Attacks
- Reflector attack:
  - Spoof the source address
  - The responder floods the system with that source address
- Double reflector attacks:
  - Port 7 is echo, a reflection service
  - If a DNS server responds to an echoed packet, a loop is possible
- Amplifier attacks
- Distributed denial of service
- SYN floods

Denial of Service Attacks: Preparation
- Talk with the organization's ISP
  - Filtering / limiting traffic
- Coordinated response through CERT / FedCIRC
- Intrusion detection software to detect DoS and DDoS
- Resource monitoring
- Internet health monitoring
- Monitoring of WWW response times

Denial of Service Attacks: Incident Prevention
- Perimeter configuration:
  - Block use of services that no longer serve a legitimate purpose
  - Perform ingress and egress filtering
  - Implement rate limiting
- Use host hardening (disable services)
- Implement DoS prevention software
- Implement redundancy for services

Denial of Service Attacks: Detection and Analysis
- Precursors:
  - Reconnaissance activity
  - Newly released DoS tool
- Indications: depend on the target (host, network, OS, application), as listed on the following slides

Denial of Service Attacks: Indications (Network-based DoS against a particular host)
- User reports of system unavailability
- Unexplained connection losses
- Network intrusion detection alerts
- Host intrusion detection alerts (until the host is overwhelmed)
- Increased network bandwidth utilization
- Large number of connections to a single host
- Asymmetric network traffic pattern (large amount of traffic going to the host, little traffic coming from the host)
- Firewall and router log entries
- Packets with unusual source addresses

Denial of Service Attacks: Indications (Network-based DoS against a network)
- User reports of system and network unavailability
- Unexplained connection losses
- Network intrusion detection alerts
- Increased network bandwidth utilization
- Asymmetric network traffic pattern (large amount of traffic entering the network, little traffic leaving the network)
- Firewall and router log entries
- Packets with unusual source addresses
- Packets with nonexistent destination addresses

Denial of Service Attacks: Indications (DoS against the operating system of a particular host)
- User reports of system and application unavailability
- Network and host intrusion detection alerts
- Operating system log entries
- Packets with unusual source addresses

Denial of Service Attacks: Indications (DoS against an application on a particular host)
- User reports of application unavailability
- Network and host intrusion detection alerts
- Application log entries
- Packets with unusual source addresses

Denial of Service Attacks: Containment, Eradication, and Recovery
- Correct the vulnerability that is being exploited
- Implement filtering
- Relocate the target
- Do not hack back

Denial of Service Attacks: Evidence Gathering
- Identifying the source of attacks from observed traffic
- Tracing attacks back through ISPs
- Learning how the attacking DDoS hosts were compromised
- Reviewing a large number of log entries

Malicious Code: Types
- Viruses: file infectors, boot sector viruses, macro viruses, virus hoaxes
- Trojan horses
- Worms
- Mobile code
- Blended: e-mail, Windows shares, Web server attacks (Nimda), Web clients (Nimda)

Malicious Code Incident: Preparation
- User awareness
- Subscribe to antivirus vendor bulletins
- Deploy host-based intrusion detection systems to critical hosts; the IDS detects configuration changes (Registry, ...) and system executable modifications
- Blacklisting Trojan horse ports is ineffective, because there are too many ports and newer Trojan horses can be configured for any port

Malicious Code Incident: Prevention
- Use of antivirus software
- Block suspicious attached files
- Configure e-mail clients to act more securely: no preview, no automatic opening, no execution, ...
- Limit the use of non-essential programs with file transfer capabilities: P2P file & music sharing, instant messaging, IRC clients / servers
- Educate users on safe handling of e-mail attachments
- Eliminate open Windows shares: an infection can quickly spread from one system to many others; prevent incoming / outgoing traffic on NetBIOS ports
- Use web browser settings to limit mobile code

Malicious Code: Detection
- Precursors: alerts for software that the organization uses
- Indications: antivirus software quarantines files; many different categories

Malicious Code: Containment, Eradication, Recovery (Containment)
- Malicious code is written to spread rapidly
- Disconnect non-critical machines from the network
- Need to identify other hosts: one confirmed incident indicates other infections
  - Perform port scans
  - Use antivirus scanning and cleanup
  - Review e-mail, firewall, ..., host logs
  - Reconfigure network and host IDS
  - Audit processes currently running
- Send unknown malicious code to antivirus vendors
- Configure e-mail servers and clients to block e-mail, or shut them down
- Block particular hosts or isolate networks from the Internet

Malicious Code: Containment, Eradication, Recovery (Evidence Gathering, Eradication and Recovery)
- Evidence gathering: typically pointless since the attack is not targeted
- Eradication and recovery depend on the nature of the infection:
  - Either use antivirus software to remove malicious code infections
  - Or rebuild systems, from scratch or from a known good copy
  - Prevent re-infection

Unauthorized Access: Examples
- Performing a remote root compromise of an e-mail server
- Defacing a Web server
- Guessing and cracking passwords
- Copying a database containing credit card numbers
- Viewing sensitive data, including payroll records and medical information, without authorization
- Running a packet sniffer on a workstation to capture usernames and passwords
- Using a permission error on an anonymous FTP server to distribute pirated software and music files
- Dialing into an unsecured modem and gaining internal network access
- Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
- Using an unattended, logged-in workstation without permission

Unauthorized Access: Preparation
- Configure IDS to identify and alert on attempts to gain access
- Use centralized, secured logs
- Establish password policies

Unauthorized Access: Prevention (Defense in Depth)
- Network security:
  - Firewall settings
  - Identify and secure all remote access methods
  - Use a DMZ
  - Use private IP addresses in internal networks
- Host security:
  - Perform vulnerability assessments regularly
  - Disable unneeded services on hosts
  - Use virtualization / run services on different hosts
  - Use the principle of least privilege
  - Use host-based firewalls
  - Limit unauthorized physical access: mandatory screen locking; log-off policy before leaving a workstation
  - Audit permission settings for critical resources: password files, sensitive databases
- Authentication and authorization:
  - Create and audit a password policy
  - Require stronger authentication for critical resources
  - Develop and use standards (FIPS 140-2)
  - Establish procedures for provisioning and deprovisioning user accounts
- Physical security: implement physical security

Unauthorized Access: Detection and Analysis (Precursors)
- Reconnaissance
- Security bulletin warnings, proof-of-concept exploits, ...
- Reports of social engineering attempts
- Reports of failed physical access attempts

Unauthorized Access: Detection and Analysis (Indications: Root compromise of a host)
- Hacker tools on the system
- Unusual traffic to / from the host
- System configuration changes
- Modification of critical files
- Unexplained account usage
- Strange OS / application log messages

Unauthorized Access: Detection and Analysis (Indications)
- Web defacement, FTP warez server, ...
- NIDS alerts
- Resource utilization: bandwidth, storage, ...
- User reports
- Modifications to critical files
- Unauthorized use of a standard user account:
  - Access to critical files
  - Unexplained account usage: idle account used; account in use from multiple locations
  - Large number of locked-out accounts
  - Web proxy logs showing download of hacker tools

Unauthorized Access: Detection and Analysis (Indications: Physical intruder, Unauthorized data access)
- Physical intruder:
  - Reports of physical signs of intrusion
  - User reports of network or system unavailability
  - System restarts, shutdowns
  - Missing hardware
  - Unauthorized hardware
- Unauthorized data access:
  - IDS alerts
  - Logs of accesses to critical files

Unauthorized Access: Containment, Eradication, Recovery
- Response time is critical
- Extensive forensic analysis is typically required:
  - Initial analysis in order to determine priority and initial containment measures
  - Further analysis to reconstruct the incident, develop countermeasures, and perform ultimate containment, eradication, recovery
- Need to weigh the costs of caution against those of inaction

Unauthorized Access: Containment, Eradication, Recovery (Initial Containment Elements)
- Isolation of the affected system
- Disabling the affected service
- Eliminating the attacker's route
- Disabling user accounts used in the attack
- Enhancing physical security

Unauthorized Access: Containment, Eradication, Recovery (Evidence Gathering)
- Need for a forensic copy of the affected system: other imaging can destroy evidence
- Safeguard log files before they are destroyed
- Use chain of evidence rules to protect physical and image evidence

Unauthorized Access: Containment, Eradication, Recovery (Eradication)
- Attackers usually install rootkits
- Safer: reconfigure the system from a known good copy
- Safest: reconfigure the system from scratch
- Problem: can the data be trusted?
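The DoS indications above (many connections to a single host, an asymmetric in/out traffic pattern, packets with unusual source addresses) can be checked mechanically over flow records. The following is an added example, not part of the lecture slides: it assumes flow records of the form (source, destination, bytes to destination, bytes from destination) and uses constructed sample flows, with the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 standing in for public addresses.

```python
import ipaddress
from collections import defaultdict

# Source ranges that should never arrive on an external interface
# (private, loopback, multicast, reserved). The documentation ranges are
# deliberately absent because the constructed sample uses them as "public".
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_unusual_source(addr):
    """True if the source address belongs to a range that cannot legitimately
    originate traffic from the outside (a spoofing indication)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_SOURCES)


def analyze_flows(flows, conn_threshold=25, asym_ratio=10.0):
    """Return {destination host: [indication strings]} for flow records of the
    form (src, dst, bytes_to_dst, bytes_from_dst)."""
    per_host = defaultdict(lambda: {"conns": 0, "in": 0, "out": 0, "odd": set()})
    for src, dst, to_dst, from_dst in flows:
        h = per_host[dst]
        h["conns"] += 1
        h["in"] += to_dst
        h["out"] += from_dst
        if is_unusual_source(src):
            h["odd"].add(src)
    findings = {}
    for dst, h in per_host.items():
        ind = []
        if h["conns"] >= conn_threshold:
            ind.append(f"large number of connections to a single host ({h['conns']})")
        # Asymmetry: far more traffic toward the host than coming back from it.
        if h["in"] > 0 and h["in"] >= asym_ratio * max(h["out"], 1):
            ind.append(f"asymmetric traffic pattern ({h['in']} bytes in, {h['out']} out)")
        if h["odd"]:
            ind.append(f"packets with unusual source addresses ({sorted(h['odd'])})")
        if ind:
            findings[dst] = ind
    return findings


# Constructed sample: two ordinary sessions to 192.0.2.10 and a flood of
# one-way short flows toward 192.0.2.20, two of them from bogon sources.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 1500, 1400),
    ("198.51.100.7", "192.0.2.10", 2000, 1800),
]
SAMPLE_FLOWS += [(f"203.0.113.{i}", "192.0.2.20", 60, 0) for i in range(1, 41)]
SAMPLE_FLOWS += [("10.0.0.9", "192.0.2.20", 60, 0), ("127.0.0.1", "192.0.2.20", 60, 0)]

if __name__ == "__main__":
    for host, indications in analyze_flows(SAMPLE_FLOWS).items():
        print(host)
        for i in indications:
            print("  -", i)
```

Thresholds are placeholders; in practice they come from the baselines of expected network activity collected during preparation.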
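Three of the unauthorized-access indications above (an idle account suddenly used, one account in use from multiple locations, and a large number of locked-out accounts) can be derived from centralized authentication logs. The following is an added example, not from the lecture: it assumes a constructed log format of "date time event user source" with events "login" and "lockout", and the thresholds are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line):
    """Parse a constructed 'YYYY-MM-DD HH:MM event user source' log line."""
    date, time, event, user, source = line.split()
    return datetime.fromisoformat(f"{date} {time}"), event, user, source


def find_indications(lines, idle_days=90, lockout_threshold=5,
                     window=timedelta(minutes=30)):
    """Return indication strings in time order (assumes hosts' clocks are
    synchronized, as the slides recommend)."""
    events = sorted(parse(line) for line in lines)
    findings = []
    last_login = {}               # user -> time of previous login
    recent = defaultdict(list)    # user -> [(time, source)] logins inside window
    lockouts = []                 # [(time, user)] lockouts inside window
    for ts, event, user, source in events:
        if event == "login":
            prev = last_login.get(user)
            if prev is not None and ts - prev > timedelta(days=idle_days):
                findings.append(f"idle account used: {user} (idle {(ts - prev).days} days)")
            last_login[user] = ts
            recent[user] = [(t, s) for t, s in recent[user] if ts - t <= window]
            prior = {s for _, s in recent[user]}
            if prior and source not in prior:
                findings.append(f"account in use from multiple locations: {user} "
                                f"{sorted(prior | {source})}")
            recent[user].append((ts, source))
        elif event == "lockout":
            lockouts = [(t, u) for t, u in lockouts if ts - t <= window]
            lockouts.append((ts, user))
            # Report once, at the moment the number of distinct users crosses the line.
            if len({u for _, u in lockouts}) == lockout_threshold:
                findings.append(f"large number of locked-out accounts: "
                                f"{lockout_threshold} within {window}")
    return findings


# Constructed sample log: a service account unused since January, one user
# appearing from two addresses within minutes, and a burst of lockouts.
SAMPLE_LOG = """\
2004-01-05 08:12 login svc_backup 192.0.2.40
2004-06-01 09:00 login alice 192.0.2.11
2004-06-01 09:05 login bob 192.0.2.12
2004-06-01 09:14 login alice 198.51.100.77
2004-06-01 09:20 login svc_backup 198.51.100.77
2004-06-01 09:30 lockout carol 198.51.100.77
2004-06-01 09:31 lockout dave 198.51.100.77
2004-06-01 09:31 lockout erin 198.51.100.77
2004-06-01 09:32 lockout frank 198.51.100.77
2004-06-01 09:32 lockout grace 198.51.100.77
2004-06-01 09:40 login bob 192.0.2.12
""".splitlines()

if __name__ == "__main__":
    for finding in find_indications(SAMPLE_LOG):
        print(finding)
```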
Inappropriate Usage Incidents: Examples
- Porn
- Password cracking tool downloads
- Sending spam / e-mail to promote a personal business
- Harassing e-mails
- Use of P2P file / music sharing
- Improper handling of sensitive materials
- Usage of the organization's IT resources to attack other computers

Inappropriate Usage Incidents: Preparation
- Establish input from HR, the legal department, physical security
- Need for confidentiality: someone else's account is used to download porn
- Need for physical safety of the incident handling team: the perpetrator might be mentally unstable or try to avoid apprehension
- Liability issues
- Set up expectations of privacy and monitoring / logging policies
- Configure IDS and logs accordingly

Inappropriate Usage Incidents: Prevention
- Few general guidelines
- Have the organization's policies reflected in firewall settings
- Configure e-mail servers:
  - To not relay e-mail, to prevent spam
  - To use a spam blocker, to also prevent outgoing spam
- Prevent inappropriate data transfer by limiting protocols

Inappropriate Usage Incidents: Detection and Analysis
COEN 252