Incident Handling - Computer Engineering

Incident Handling
COEN 250
Definitions

- Event: an observable occurrence
- Adverse event: an event with negative consequences
- Computer security incident:
  - Traditional definition: a security-related adverse event in which there was a loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability
  - Newer definition: a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices

Incident Types

- CIA-related incidents:
  - Confidentiality
  - Integrity
  - Availability
- Other types:
  - Reconnaissance attacks
  - Repudiation: someone takes an action and denies it later on

Need for Incident Response

- All organizations: a systematic response to incidents
  - Helps in recovering quickly and efficiently
  - Prepares for handling and avoidance of future incidents
  - Deals properly with legal issues
- Federal agencies: Federal Information Security Management Act (FISMA) of 2002
  - Provides "procedures for detecting, reporting, and responding to security incidents"
  - Establishes a centralized Federal information security incident center
  - Civilian agencies: establish a point of contact (POC) with FedCIRC (Federal Computer Incident Reporting Center)
  - OMB Circular No. A-130, Appendix III: capability to provide help to users when an incident occurs

Incident Response Scope

- Technical: incident detection and investigation tools and procedures
- Management-related:
  - Policy
  - Formation of the incident response capability
  - In-house vs. outsourced

Stakeholders

- The organization's ability to fulfill its mission
- Users
- Administrators
- Providers:
  - Organization's ISP
  - Software vendors
  - Telecommunications providers
- Third parties:
  - Clients
  - Affected external parties
  - Other incident response teams
  - Owner of the attacking address
- Reporting agencies:
  - Media
  - Law enforcement agencies
  - Incident reporting agencies

Incident Response Policy

Typical elements:
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy (to whom and what it applies, and under what circumstances)
- Definition of computer security incidents and their consequences
- Organizational structure and delineation of roles, responsibilities, and levels of authority
  - Includes confiscation / disconnection of equipment
  - Monitoring of activity
- Requirements for reporting
- Prioritization or severity ratings of incidents
- Performance measures
- Reporting and contact forms

Sharing Information with Outside Parties

- Media
  - Establish media communications procedures
  - Designate a single point of contact (PoC)
  - Prepare for media interaction
    - Do not reveal sensitive technical information
    - Appreciate the importance of communicating with the public fully and effectively
    - Brief media contacts on issues and sensitivities before discussion with the media

Sharing Information with Outside Parties

- Law enforcement
  - Which agency?
    - Federal investigatory agencies: FBI, US Secret Service
    - State law enforcement
    - Local law enforcement
    - Office of the Inspector General (OIG) for federal agencies

Sharing Information with Outside Parties

- Law enforcement
  - What incidents to report? Discuss beforehand.
  - How to report? Discuss beforehand.
  - Collection of evidence: what? how?

Sharing Information with Outside Parties

- Incident reporting organizations
  - Federal agencies: only to FedCIRC
  - Information Analysis and Infrastructure Protection (IAIP)
  - CERT® Coordination Center (CERT®/CC)
  - Information Sharing and Analysis Centers (ISACs)

Incident Response Team Structure

- Team models
  - Central incident response team
  - Distributed incident response teams
  - Coordinating team
    - Provides guidance and advice
    - Does not have authority
- Staffing models
  - Employees
  - Partially outsourced
  - Fully outsourced

Incident Response Team Structure

- Criteria, in-house:
  - Need for 24/7 availability
  - Full-time vs. part-time team members
    - Volunteer fire department model
  - Employee morale
    - Incident response demands on-call responsibilities for most team members
  - Cost
  - Staff expertise
  - Organizational structure of the organization

Incident Response Team Structure

- Criteria, outsourcer:
  - Current and future quality of work
  - Division of responsibilities
  - Sensitive information revealed to the contractor
    - The outsourcer requires administrative access to systems and to logs
  - Lack of organization-specific knowledge
  - Lack of correlation
  - Location
    - Incident response often requires physical presence

Incident Response Team Structure

- Team development
  - Budget for training, publications, references
  - Mentoring program
  - Rotation between incident response and other duties
  - Training exercises

Incident Response Team Structure

- Interactions with other groups
  - Management: support, buy-in
  - Information security staff
  - Telecommunications staff: some incidents involve unauthorized access to telephone lines
  - IT support staff
  - Legal department
  - Public affairs / media relations
  - Human resources
  - Business continuity planning
  - Physical security and facilities management

Incident Response Team Structure

- Incident response team services: determine the scope of the incident response team
  - Incident response
  - Advisory distribution
  - Vulnerability assessment
  - Intrusion detection
  - Education and awareness
  - Technology watch
  - Patch management (usually not recommended)

Incident Handling

Incident handling life cycle (a cycle; post-incident activity feeds back into preparation):
Preparation -> Detection and Analysis -> Containment, Eradication and Recovery -> Post-incident Activity

Incident Handling: Preparation

- Incident handler communications and facilities
  - Contact information
  - On-call information for other teams within the organization, including escalation information
  - Incident reporting mechanisms
  - Pagers or cell phones to be carried by team members for off-hour support and onsite communications
  - Encryption software
  - War room for central communication and coordination
  - Secure storage facility for securing evidence and other sensitive materials

Incident Handling: Preparation

- Incident analysis hardware and software
  - Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data
  - Blank portable media
  - Easily portable printer
  - Packet sniffers and protocol analyzers
  - Computer forensic software
  - Floppies and CDs with trusted versions of programs to be used to gather evidence from systems
  - Evidence gathering accessories
    - Hard-bound notebooks
    - Digital cameras
    - Audio recorders
    - Chain of custody forms
    - Evidence storage bags and tags
    - Evidence tape

Incident Handling: Preparation

- Incident analysis resources
  - Port lists, including commonly used ports and Trojan horse ports
  - Documentation for OSs, applications, protocols, and intrusion detection and antivirus signatures
  - Network diagrams and lists of critical assets, such as Web, e-mail, and File Transfer Protocol (FTP) servers
  - Baselines of expected network, system and application activity
  - Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents

Incident Handling: Preparation

- Incident mitigation software
  - Media, including OS boot disks and CD-ROMs, OS media, and application media
  - Security patches from OS and application vendors
  - Backup images of OS, applications, and data stored on secondary media

Incident Handling: Detection and Analysis

- Incident categories
  - Denial of service
  - Malicious code
  - Unauthorized access
  - Inappropriate usage
  - Multiple-component incidents

Incident Handling: Detection and Analysis

- Signs of an incident come from
  - Intrusion detection systems
  - Antivirus software
  - Log analyzers
  - File integrity checking
  - Third-party monitoring of critical services
- Incident indications vs. precursors
  - A precursor is a sign that an incident may occur in the future, e.g. scanning
  - An indication is a sign that an incident is occurring or has occurred

Incident Handling: Detection and Analysis

- An indication of an incident is no proof that an incident has occurred
- The number of indications is exceedingly high
- Recommendations
  - Profile networks and systems
  - Understand normal behavior
  - Use centralized logging and create a log retention policy
  - Perform event correlation
    - Keep hosts synchronized (Network Time Protocol)
  - Run packet sniffers

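As an added example (not part of the lecture) of why event correlation depends on synchronized clocks: the script parses constructed firewall and host log lines, corrects the host's timestamps by a measured clock offset, recognizes a port scan as a precursor, and escalates a subsequent successful login from the same source as an indication. With the offset uncorrected the login falls outside the correlation window and the link is missed. Log formats, addresses and the 120-second offset are all constructed for the example.

```python
"""Added example: correlate a precursor (port scan) with an indication (login)
across two log sources after correcting a known clock offset."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed logs. The firewall is NTP-synchronized; the host's clock is
# known to run 120 seconds fast (measured against the NTP server).
FIREWALL_LOG = """\
2024-03-01T10:00:01Z fw DENY 203.0.113.7:51000 -> 192.0.2.10:21
2024-03-01T10:00:02Z fw DENY 203.0.113.7:51001 -> 192.0.2.10:23
2024-03-01T10:00:02Z fw DENY 203.0.113.7:51002 -> 192.0.2.10:25
2024-03-01T10:00:03Z fw DENY 203.0.113.7:51003 -> 192.0.2.10:80
2024-03-01T10:00:03Z fw DENY 203.0.113.7:51004 -> 192.0.2.10:443
2024-03-01T10:00:04Z fw ALLOW 203.0.113.7:51005 -> 192.0.2.10:22
2024-03-01T10:30:00Z fw ALLOW 198.51.100.4:40000 -> 192.0.2.10:22
"""
HOST_LOG = """\
2024-03-01T10:02:40Z srv sshd Accepted password for admin from 203.0.113.7
2024-03-01T10:32:05Z srv sshd Accepted password for alice from 198.51.100.4
"""
HOST_CLOCK_OFFSET = timedelta(seconds=120)  # host clock minus true time

FW_RE = re.compile(r"^(\S+) fw (DENY|ALLOW) (\S+):\d+ -> (\S+):(\d+)$")
HOST_RE = re.compile(r"^(\S+) srv sshd Accepted \w+ for (\w+) from (\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, port = m.groups()
            events.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                           "port": int(port), "action": action})
    return events


def parse_host(text, clock_offset):
    """Normalize host timestamps to true time by subtracting the measured offset."""
    events = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ts, user, src = m.groups()
            events.append({"ts": parse_ts(ts) - clock_offset, "user": user, "src": src})
    return events


def find_scan_precursors(fw_events, min_ports=5, window=timedelta(seconds=60)):
    """Precursor: one source touching >= min_ports distinct ports on one host within window.
    Returns {source: time of first scan packet}."""
    by_pair = defaultdict(list)
    for e in fw_events:
        by_pair[(e["src"], e["dst"])].append(e)
    precursors = {}
    for (src, _dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["port"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                precursors[src] = first["ts"]
                break
    return precursors


def correlate(fw_events, host_events, window=timedelta(minutes=2)):
    """A login from a source that scanned us within `window` before is escalated;
    every other login is reported as unlinked (still an indication, lower priority)."""
    precursors = find_scan_precursors(fw_events)
    escalated, unlinked = [], []
    for h in host_events:
        t0 = precursors.get(h["src"])
        if t0 is not None and timedelta(0) <= h["ts"] - t0 <= window:
            escalated.append((h["src"], h["user"]))
        else:
            unlinked.append((h["src"], h["user"]))
    return {"escalated": escalated, "unlinked": unlinked}


def demo():
    """With the host clock corrected, the scan and the login are linked."""
    return correlate(parse_firewall(FIREWALL_LOG), parse_host(HOST_LOG, HOST_CLOCK_OFFSET))


def demo_uncorrected():
    """Same data, offset ignored: the login appears 159 s after the scan and is missed."""
    return correlate(parse_firewall(FIREWALL_LOG), parse_host(HOST_LOG, timedelta(0)))


if __name__ == "__main__":
    print(demo())
    print(demo_uncorrected())
```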
Incident Handling: Detection and Analysis

- Incident documentation
  - If an incident is suspected, start recording facts
- Incident prioritization based on
  - Current and potential technical effects
  - Criticality of affected resources
- Incident notification
  - CIO
  - Head of information systems
  - Local information security officer
  - Other incident teams
  - Other agency departments such as HR, public affairs, legal department

Incident Handling: Containment, Eradication, Recovery

- Containment strategies
  - Vary based on the type of incident
  - Criteria for choosing a strategy include
    - Potential damage / theft of resources
    - Need for evidence information
    - Service availability
    - Resource consumption of the strategy
    - Effectiveness of the strategy
    - Duration of the solution

Incident Handling: Containment, Eradication, Recovery

- Evidence gathering
  - For incident analysis
  - For legal proceedings
    - Chain of custody
    - Authentication of evidence

Incident Handling: Containment, Eradication, Recovery

- Attacker identification
  - Validation of the attacker's IP address
  - Scanning the attacker's system
  - Researching the attacker through search engines
  - Using incident databases
  - Monitoring possible attacker communication channels

Incident Handling: Containment, Eradication, Recovery

- Eradication
  - Deleting malicious code
  - Disabling breached user accounts
- Recovery
  - Restoration of system(s) to normal
    - Restoring from clean backups
    - Rebuilding systems from scratch
    - Replacing compromised files
    - Installing patches
    - Changing passwords
  - Tightening perimeter security
  - Strengthening logging operations

Incident Handling: Post-Incident Activity

- Evidence retention
  - Prosecution of the attacker
  - Data retention policies
  - Cost

Denial of Service Incidents

- DoS prevents authorized use of IT resources
  - Crashing the OS through malformed TCP/IP packets
  - Crashing an application through malformed requests
  - Consuming available resources
    - Network
    - Memory
    - Disk space

Denial of Service Attacks

- Reflector attack
  - Spoof the source address
  - The responder floods the system that has that source address
- Double reflector attacks
  - Port 7 is echo, a reflection service
  - If a DNS server responds to the echoed packet, a loop is possible

Denial of Service Attacks

- Amplifier attacks

Denial of Service Attacks

- Distributed denial of service

Denial of Service Attacks

- SYN floods


Preparation
 Talk

with organization’s ISP
Filtering / limiting traffic
 Coordinated
response through CERT / FedCIRC
 Intrusion detection software to detect DoS and DDoS
 Resource monitoring
 Internet health monitoring

Monitoring of WWW response times
Denial of Service Attacks

- Incident prevention
  - Perimeter configuration
    - Block use of services that no longer serve a legitimate purpose
    - Perform ingress and egress filtering
  - Implement rate limiting
  - Use host hardening (disable services)
  - Implement DoS prevention software
  - Implement redundancy for services

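The ingress and egress filtering recommended above is what takes the spoofed source address out of the reflector attack described earlier: a packet leaving the organization must carry one of its own addresses, and a packet arriving from the Internet must not. The following is an added example, not from the lecture, of that decision logic in the style of BCP 38 (source address validation); the organization's prefix (192.0.2.0/24), the bogon list and the sample packets are constructed for the example.

```python
"""Added example: BCP 38-style ingress/egress source-address filtering.
Address plan and packets are constructed."""
import ipaddress

# Constructed address plan: the organization owns 192.0.2.0/24. Private and
# other non-routable ranges never legitimately arrive from the Internet.
ORG_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
PRIVATE_OR_BOGON = [ipaddress.ip_network(p) for p in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                     "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(direction, src, dst):
    """direction: 'egress' (organization -> Internet) or 'ingress' (Internet -> organization).
    Returns (verdict, reason) with verdict 'permit' or 'drop'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "egress":
        # Our hosts may only emit packets with our own source addresses; this
        # is what prevents a compromised internal host from spoofing a victim.
        if not _in_any(s, ORG_PREFIXES):
            return "drop", "egress: source not in our prefixes (spoofed)"
        return "permit", "egress: source is ours"
    if direction == "ingress":
        if _in_any(s, ORG_PREFIXES):
            return "drop", "ingress: source claims to be internal (spoofed)"
        if _in_any(s, PRIVATE_OR_BOGON):
            return "drop", "ingress: private/bogon source"
        if not _in_any(d, ORG_PREFIXES):
            return "drop", "ingress: destination is not ours"
        return "permit", "ingress: ok"
    raise ValueError("direction must be 'ingress' or 'egress'")


def apply_filter(packets):
    """Evaluate a list of (direction, src, dst) tuples."""
    return [(direction, src, dst) + filter_packet(direction, src, dst)
            for direction, src, dst in packets]


CONSTRUCTED_PACKETS = [
    ("egress", "192.0.2.10", "198.51.100.53"),    # legitimate outbound DNS query
    ("egress", "203.0.113.9", "198.51.100.53"),   # internal host emitting a spoofed source
    ("ingress", "198.51.100.53", "192.0.2.10"),   # DNS reply to us
    ("ingress", "192.0.2.77", "192.0.2.10"),      # outsider pretending to be internal
    ("ingress", "10.1.2.3", "192.0.2.10"),        # private source arriving from the Internet
    ("ingress", "198.51.100.8", "203.0.113.5"),   # transit traffic not addressed to us
]


def demo():
    """Return the (verdict, reason) pair for each constructed packet."""
    return [(r[3], r[4]) for r in apply_filter(CONSTRUCTED_PACKETS)]


if __name__ == "__main__":
    for row in apply_filter(CONSTRUCTED_PACKETS):
        print(row)
```

The egress rule is the one organizations most often skip, yet it is the one that keeps their own hosts from being conscripted as the spoofing side of a reflector attack; the ingress rules protect them as the target.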
Denial of Service Attacks

- Detection and analysis
  - Precursors
    - Reconnaissance activity
    - Newly released DoS tool
  - Indications

Denial of Service Attacks

- Indications: network-based DoS against a particular host
  - User reports of system unavailability
  - Unexplained connection losses
  - Network intrusion detection alerts
  - Host intrusion detection alerts (until the host is overwhelmed)
  - Increased network bandwidth utilization
  - Large number of connections to a single host
  - Asymmetric network traffic pattern (large amount of traffic going to the host, little traffic coming from the host)
  - Firewall and router log entries
  - Packets with unusual source addresses

Denial of Service Attacks

- Indications: network-based DoS against a network
  - User reports of system and network unavailability
  - Unexplained connection losses
  - Network intrusion detection alerts
  - Increased network bandwidth utilization
  - Asymmetric network traffic pattern (large amount of traffic entering the network, little traffic leaving the network)
  - Firewall and router log entries
  - Packets with unusual source addresses
  - Packets with nonexistent destination addresses

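Several of the indications on the two preceding slides (many connections to one host, asymmetric traffic, unusual source addresses, nonexistent destination addresses) can be scored directly from flow records. The following is an added example, not from the lecture, that does so for both the per-host and the whole-network view; the flow records, the organization's prefix and the list of live hosts are constructed for the example, and the thresholds are placeholders an organization would tune from its own baseline.

```python
"""Added example: score flow records for network-based DoS indications.
Address plan, live-host list and flows are constructed."""
import ipaddress
from collections import defaultdict

ORG_NET = ipaddress.ip_network("192.0.2.0/24")
LIVE_HOSTS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.20", "192.0.2.30")}
UNUSUAL_SOURCES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "127.0.0.0/8", "0.0.0.0/8")]


def constructed_flows():
    """Flow records as (src, dst, bytes_to_dst, bytes_from_dst)."""
    flows = []
    # Baseline: a few normal web sessions, mostly bytes flowing out of the server
    for i in range(5):
        flows.append((f"198.51.100.{i + 1}", "192.0.2.20", 2000, 40000))
    # Flood against 192.0.2.10: 200 sources, tiny inbound packets, nothing back
    for i in range(200):
        flows.append((f"203.0.113.{i % 250 + 1}", "192.0.2.10", 60, 0))
    # Packets with unusual (non-routable) source addresses
    flows.append(("10.9.9.9", "192.0.2.10", 60, 0))
    flows.append(("127.0.0.1", "192.0.2.10", 60, 0))
    # A sweep hitting addresses that do not exist in our network
    for i in range(100, 110):
        flows.append(("203.0.113.250", f"192.0.2.{i}", 60, 0))
    return flows


def analyze(flows, conn_threshold=100, asym_ratio=10.0, min_conns_for_asym=10):
    """Return per-host indication flags plus two network-level measures."""
    per_dst = defaultdict(lambda: {"conns": 0, "in": 0, "out": 0, "unusual_src": 0})
    nonexistent_dst = 0
    for src, dst, b_in, b_out in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in ORG_NET and d not in LIVE_HOSTS:
            nonexistent_dst += 1
        rec = per_dst[dst]
        rec["conns"] += 1
        rec["in"] += b_in
        rec["out"] += b_out
        if any(s in n for n in UNUSUAL_SOURCES):
            rec["unusual_src"] += 1

    hosts = {}
    for dst, rec in per_dst.items():
        flags = []
        if rec["conns"] >= conn_threshold:
            flags.append("many_connections")
        # Asymmetry only counts once there is enough traffic to judge
        if rec["conns"] >= min_conns_for_asym and rec["in"] >= asym_ratio * max(rec["out"], 1):
            flags.append("asymmetric_traffic")
        if rec["unusual_src"]:
            flags.append("unusual_source_addresses")
        if flags:
            hosts[dst] = flags

    net_in = sum(r["in"] for r in per_dst.values())
    net_out = sum(r["out"] for r in per_dst.values())
    return {
        "hosts": hosts,
        "nonexistent_destination_packets": nonexistent_dst,
        "network_asymmetric": net_in >= asym_ratio * max(net_out, 1),
    }


if __name__ == "__main__":
    print(analyze(constructed_flows()))
```

On the constructed data the flood is visible per host (all three flags on 192.0.2.10) but not at the network level, because the legitimate web server still sends far more than the whole network receives; that is the difference between the two slides, and why both views are monitored.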
Denial of Service Attacks

- Indications: DoS against the operating system of a particular host
  - User reports of system and application unavailability
  - Network and host intrusion detection alerts
  - Operating system log entries
  - Packets with unusual source addresses
- Indications: DoS against an application on a particular host
  - User reports of application unavailability
  - Network and host intrusion detection alerts
  - Application log entries
  - Packets with unusual source addresses

Denial of Service Attacks

- Containment, eradication, and recovery
  - Correct the vulnerability that is being exploited
  - Implement filtering
  - Relocate the target
  - Do not hack back

Denial of Service Attacks

- Evidence gathering
  - Identifying the source of attacks from observed traffic
  - Tracing attacks back through ISPs
  - Learning how the attacking DDoS hosts were compromised
  - Reviewing a large number of log entries

Malicious Code

- Malicious code types
  - Viruses
    - File infectors
    - Boot sector viruses
    - Macro viruses
  - Virus hoaxes
  - Trojan horses
  - Worms
  - Mobile code
  - Blended threats, spreading via
    - Email
    - Windows shares
    - Web server attacks (Nimda)
    - Web clients (Nimda)

Malicious Code: Incident Preparation

- User awareness
- Subscribe to antivirus vendor bulletins
- Deploy host-based intrusion detection systems to critical hosts
  - The IDS detects
    - Configuration changes (Registry, …)
    - System executable modifications
- Blacklist Trojan horse ports
  - Ineffective, because
    - There are too many ports
    - Newer Trojan horses can be configured for any port

Malicious Code: Incident Prevention

- Use antivirus software
- Block suspicious attached files
- Configure email clients to act more securely
  - No preview, no automatic opening, no execution, …
- Limit the use of non-essential programs with file transfer capabilities
  - P2P file & music sharing
  - Instant messaging
  - IRC clients / servers
- Educate users on safe handling of email attachments
- Eliminate open Windows shares
  - Infection can quickly spread from one system to many others
  - Prevent incoming / outgoing traffic on NetBIOS ports
- Use web browser settings to limit mobile code

Malicious Code: Detection

- Precursors
  - Alerts for software that the organization uses
  - Antivirus software quarantines files
- Indications
  - Many different categories

Malicious Code: Containment, Eradication, Recovery

- Containment
  - Malicious code is written to spread rapidly
  - Disconnect non-critical machines from the network
  - Need to identify other hosts:
    - One confirmed incident indicates other infections
    - Perform port scans
    - Use antivirus scanning and cleanup
    - Review e-mail, firewall, …, host logs
    - Reconfigure network and host IDS
    - Audit processes currently running

Malicious Code: Containment, Eradication, Recovery

- Containment
  - Send unknown malicious code to antivirus vendors
  - Configure email servers and clients to block email, or shut them down
  - Block particular hosts or isolate networks from the Internet

Malicious Code: Containment, Eradication, Recovery

- Evidence gathering
  - Typically pointless since the attack is not targeted
- Eradication and recovery
  - Depends on the nature of the infection:
    - Either use antivirus software to remove malicious code infections
    - Or rebuild systems
      - From scratch
      - From a known good copy
  - Prevent re-infection

Unauthorized Access

Examples:
- Performing a remote root compromise of an e-mail server
- Defacing a Web server
- Guessing and cracking passwords
- Copying a database containing credit card numbers
- Viewing sensitive data, including payroll records and medical information, without authorization
- Running a packet sniffer on a workstation to capture usernames and passwords
- Using a permission error on an anonymous FTP server to distribute pirated software and music files
- Dialing into an unsecured modem and gaining internal network access
- Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
- Using an unattended, logged-in workstation without permission

Unauthorized Access: Preparation

- Configure the IDS to identify and alert on attempts to gain access
- Use centralized, secured logs
- Establish password policies

Unauthorized Access: Prevention

- Use defense in depth
  - Network security
    - Firewall settings
    - Identify and secure all remote access methods
    - Use a DMZ
    - Use private IP addresses in internal networks
  - Host security
    - Perform vulnerability assessments regularly
    - Disable unneeded services on hosts
    - Use virtualization / run services on different hosts
    - Use the principle of least privilege
    - Use host-based firewalls
    - Limit unauthorized physical access:
      - Mandatory screen locking
      - Log-off policy before leaving a workstation
    - Audit permission settings for critical resources
      - Password files
      - Sensitive databases

Unauthorized Access: Prevention

- Use defense in depth
  - Authentication and authorization
    - Create and audit a password policy
    - Require stronger authentication for critical resources
      - Develop and use standards (FIPS 140-2)
    - Establish procedures for provisioning and deprovisioning user accounts
  - Physical security
    - Implement physical security

Unauthorized Access: Detection and Analysis

- Precursors
  - Reconnaissance
  - Security bulletin warnings, proof-of-concept exploits, …
  - Reports of social engineering attempts
  - Reports of failed physical access attempts

Unauthorized Access: Detection and Analysis

- Indications of a root compromise of a host
  - Hacker tools on the system
  - Unusual traffic to / from the host
  - System configuration changes
  - Modification of critical files
  - Unexplained account usage
  - Strange OS / application log messages

Unauthorized Access: Detection and Analysis

- Indications
  - Web defacement, FTP warez server, …
    - NIDS alerts
    - Resource utilization: bandwidth, storage, …
    - User reports
    - Modifications to critical files
  - Unauthorized use of a standard user account
    - Access to critical files
    - Unexplained account usage:
      - Idle account used
      - Account in use from multiple locations
    - Large number of locked-out accounts
    - Web proxy logs showing downloads of hacker tools

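Three of the account-related indications above (an idle account suddenly in use, one account active from multiple locations, and a large number of locked-out accounts) can each be expressed as a rule over authentication records. The following is an added example, not from the lecture, implementing those three rules; the records are constructed, and "location" stands in for whatever the organization derives from the source address (site, office, country). The idle period, window and lockout threshold are placeholder values.

```python
"""Added example: three detection rules over constructed authentication records
for the unauthorized-use-of-account indications."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_auth_events():
    """Records are (timestamp, user, source, location, outcome),
    outcome in {'success', 'failure', 'lockout'}."""
    d = datetime(2024, 3, 1, 9, 0)
    ev = [
        (d - timedelta(days=200), "svc_backup", "10.0.0.5", "HQ", "success"),  # long dormant since
        (d - timedelta(days=1), "alice", "10.0.1.8", "HQ", "success"),
        (d, "alice", "10.0.1.8", "HQ", "success"),
        (d + timedelta(minutes=5), "alice", "198.51.100.9", "remote-EU", "success"),
        (d + timedelta(minutes=7), "svc_backup", "203.0.113.4", "remote-AS", "success"),
    ]
    # Thirty different accounts locked out within two minutes (password guessing)
    for i in range(30):
        ev.append((d + timedelta(minutes=10, seconds=i * 4), f"user{i:02d}",
                   "203.0.113.4", "remote-AS", "lockout"))
    return sorted(ev)


def idle_accounts_used(events, idle_days=90):
    """Successful login for an account whose previous success was >= idle_days earlier."""
    last = {}
    hits = []
    for ts, user, src, _loc, outcome in events:
        if outcome != "success":
            continue
        if user in last and ts - last[user] >= timedelta(days=idle_days):
            hits.append((user, src, ts))
        last[user] = ts
    return hits


def multi_location_use(events, window=timedelta(hours=1)):
    """One account successfully used from two different locations within window."""
    recent = defaultdict(list)  # user -> [(ts, location)] within the window
    hits = set()
    for ts, user, _src, loc, outcome in events:
        if outcome != "success":
            continue
        recent[user] = [(t, l) for t, l in recent[user] if ts - t <= window]
        if any(l != loc for _, l in recent[user]):
            hits.add(user)
        recent[user].append((ts, loc))
    return sorted(hits)


def lockout_spikes(events, window=timedelta(minutes=5), threshold=10):
    """First window in which >= threshold distinct accounts are locked out."""
    lockouts = [(ts, user) for ts, user, _s, _l, o in events if o == "lockout"]
    for i, (ts, _) in enumerate(lockouts):
        users = {u for t, u in lockouts[i:] if t - ts <= window}
        if len(users) >= threshold:
            return [(ts, len(users))]
    return []


def demo():
    ev = constructed_auth_events()
    return {
        "idle": idle_accounts_used(ev),
        "multi_location": multi_location_use(ev),
        "lockout_spikes": lockout_spikes(ev),
    }


if __name__ == "__main__":
    print(demo())
```

Each rule on its own produces false positives (a returning employee, a user on a train, a password policy change); what makes them useful is that the same external source appears in two of the three on the constructed data, which is the kind of correlation the earlier detection slides recommend.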
Unauthorized Access: Detection and Analysis

- Indications of a physical intruder
  - Reports of physical signs of intrusion
  - User reports of network or system unavailability
  - System restarts, shutdowns
  - Missing hardware
  - Unauthorized hardware
- Indications of unauthorized data access
  - IDS alerts
  - Logs of accesses to critical files

Unauthorized Access: Containment, Eradication, Recovery

- Response time is critical
  - Extensive forensic analysis is typically required
    - Initial analysis in order to determine priority and initial containment measures
    - Further analysis to reconstruct the incident, develop countermeasures, and perform ultimate containment, eradication, recovery
  - Need to weigh the costs of caution against the costs of inaction

Unauthorized Access: Containment, Eradication, Recovery

- Initial containment elements
  - Isolation of the affected system
  - Disabling the affected service
  - Eliminating the attacker's route
  - Disabling user accounts used in the attack
  - Enhancing physical security

Unauthorized Access: Containment, Eradication, Recovery

- Evidence gathering
  - Need for a forensic copy of the affected system
    - Other imaging can destroy evidence
  - Safeguard log files before they are destroyed
  - Use chain of evidence rules to protect physical and image evidence

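The chain-of-custody and authentication-of-evidence points from the generic evidence-gathering slide, and the chain-of-evidence rules on the slide above, come down to a ledger: hash the image at acquisition, record every handoff, and re-hash at each handoff so that an altered image cannot pass unnoticed. The following is an added example, not from the lecture, of such a ledger and its consistency check (holder continuity, timestamp order, hash equality). The image bytes, names and timestamps are constructed; a real form would carry far more detail (serial numbers, storage location, signatures).

```python
"""Added example: a minimal chain-of-custody ledger for a forensic image.
Image bytes, holders and times are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: datetime
    holder_from: str
    holder_to: str
    purpose: str
    sha256: str          # hash computed by the receiving party at handoff


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquired_by: str
    acquired_at: datetime
    sha256_at_acquisition: str
    custody: list = field(default_factory=list)


def acquire(item_id, description, examiner, image: bytes, when):
    """Open the chain: the acquisition hash is the reference for everything after."""
    digest = sha256_hex(image)
    item = EvidenceItem(item_id, description, examiner, when, digest)
    item.custody.append(CustodyEntry(when, "<acquisition>", examiner, "acquired", digest))
    return item


def transfer(item, image: bytes, holder_from, holder_to, purpose, when):
    """Record a handoff. The receiver re-hashes the image; a mismatch is recorded
    (never silently dropped) and reported to the caller as False."""
    digest = sha256_hex(image)
    item.custody.append(CustodyEntry(when, holder_from, holder_to, purpose, digest))
    return digest == item.sha256_at_acquisition


def verify_chain(item):
    """List every problem: a gap in holders, a timestamp going backwards,
    or a handoff hash that differs from the acquisition hash."""
    problems = []
    prev = None
    for i, e in enumerate(item.custody):
        if prev is not None:
            if e.holder_from != prev.holder_to:
                problems.append(f"entry {i}: gap, {prev.holder_to} -> {e.holder_from}")
            if e.when < prev.when:
                problems.append(f"entry {i}: timestamp earlier than previous entry")
        if e.sha256 != item.sha256_at_acquisition:
            problems.append(f"entry {i}: hash mismatch while held by {e.holder_to}")
        prev = e
    return problems


def demo():
    image = b"constructed disk image bytes" * 1000
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    item = acquire("EV-001", "image of srv01 system disk", "examiner_a", image, t0)
    ok1 = transfer(item, image, "examiner_a", "evidence_locker", "storage", t0.replace(hour=10))
    ok2 = transfer(item, image, "evidence_locker", "examiner_b", "analysis", t0.replace(hour=11))
    clean = verify_chain(item)
    # Simulated alteration of the image (accidental write or tampering) before return
    altered = image[:-1] + b"!"
    ok3 = transfer(item, altered, "examiner_b", "evidence_locker", "return", t0.replace(hour=12))
    # Simulated gap: someone who never received the item hands it on
    transfer(item, altered, "examiner_c", "examiner_b", "re-examination", t0.replace(hour=13))
    return {"handoffs_ok": (ok1, ok2, ok3), "clean_problems": clean, "problems": verify_chain(item)}


if __name__ == "__main__":
    print(demo())
```

Hashing at every handoff, rather than only at acquisition, is what lets the ledger say when the image stopped matching and who held it at the time; that is the "authentication of evidence" the lecture lists beside chain of custody.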
Unauthorized Access: Containment, Eradication, Recovery

- Eradication
  - Attackers usually install rootkits
  - Safer: reconfigure the system from a known good copy
  - Safest: reconfigure the system from scratch
  - Problem: can the data be trusted?

Inappropriate Usage Incidents

- Examples
  - Porn
  - Password cracking tool downloads
  - Sending spam / email to promote a personal business
  - Harassing e-mails
  - Use of P2P file / music sharing
  - Improper handling of sensitive materials
  - Usage of the organization's IT resources to attack other computers

Inappropriate Usage Incidents

- Preparation
  - Establish input from HR, legal department, physical security
    - Need for confidentiality: someone else's account may have been used to download porn
    - Need for physical safety of the incident handling team: the perpetrator might be mentally unstable or try to avoid apprehension
    - Liability issues
  - Set up expectations of privacy and monitoring / logging policies
  - Configure IDS and logs accordingly

Inappropriate Usage Incidents

- Prevention
  - Few general guidelines
  - Have the organization's policies reflected in firewall settings
  - Configure email servers
    - To not relay email, to prevent spam
    - To use a spam blocker to also prevent outgoing spam
  - Prevent inappropriate data transfer by limiting protocols

Inappropriate Usage Incidents: Detection and Analysis

- COEN 252