Security fundamentals Topic 13 Detecting and responding to incidents Agenda • Detecting intrusions • Responding to incidents Intrusion detection • Minimise the negative impact of security incidents • Protect evidence for prosecution • Intrusion detection – Monitor and evaluate computer events and network traffic for signs of intrusions – Use a computer or software that can detect unauthorised activity on your network, log this activity, and alert you • Network-based IDS (NIDS) – A NIDS monitors network traffic and traffic patterns to discover attempted denial of service (DoS) attacks, port scans or attempts to guess the password to a secured resource • Host-based IDS (HIDS) – A HIDS monitors a single system’s file structure to determine when an attacker modifies, deletes or changes a system file • Log file monitor – A log file monitor processes system log entries from one or more computers to identify possible system attacks or compromises – Log file monitors often analyse databases to which log file entries have been copied and correlate multiple events to detect patterns Network-based IDS • Use sensors at various points on a network which monitor and analyse network traffic at their locations and report potential attacks to a central management console • Commonly bastion hosts limited to running only the IDS sensor software • Stealth mode – sensors do not send any data on the network segment they monitor • Low impact on network traffic because they don’t act as gateways Network-based IDS • Features: – Protect multiple systems – – – – – – • Monitor traffic inside your firewall Alert you to firewall failures Detect slow attacks (such as scans over time) Delayed analysis for honeypots Take corrective action by changing configuration to stop attack Increase overall security: one layer of a defence-in-depth Limitations: – – – – – – Processing speed for processing and collection Segmentation: use a switch span port Encryption: most NIDS can’t decrypt Attack success: report only that an attack was initiated Missed detections: up to date attack signatures False positives: alerts that indicate an intrusion, even though no actual attempt has occurred – NIDS attacks: tools like Stick, Fragroute, Tribe Flood Network • Internet Information Systems: RealSecure®, Snort® Host-based IDS • Features: – – – – – Installed on servers and other critical computers to protect the systems More reliable than NIDSs in detecting attacks on individual systems Typically use operating system audit trails and system logs Also monitor changes to system files Must carefully configure an HIDS to not create false positives • Benefits: – HIDSs are better at monitoring and keeping track of local system events – HIDSs typically cannot be bypassed by encrypted attacks – HIDSs can help you detect attack software that has been installed on a computer, such as trojan horse software. – Because HIDSs protect only a single computer – switches, virtual private networks (VPNs) and routers do not affect their functionality Host-based IDS limitations Limitations: – HIDSs are more difficult to manage as they are on individual systems – HIDSs are susceptible to DoS attacks – HIDSs require resources from the protected host: • Extra hard disk space to store logs and tracking information • Processor time and memory to analyse packets, user-issued commands, audit trails, and system logs to protect the client Application-based IDS • Integrating IDS functions into vendor applications • Analyse the events occurring within a specific software application by using the application’s transaction log files • Analyse interactions between the user, the data and the application Detection methods Misuse detection: • Requires the IDS to identify a predefined attack pattern • Identifying an attack signature • Analyse system activity, looking for events that match a predefined pattern of attack • Benefits: – They can quickly identify defined attacks – They help you track attacks – Don’t generate many false alarms • Limitations: – Require updated attack signature files because they can detect only predefined attacks that are based on those signatures – They can be attacked by sending data that matches the attack signatures Detection methods Anomaly detection: – Recognising something suspicious or atypical – Identify unusual activities or situations, called anomalies – Must gather information about the systems and networks on which it operates, can then identify abnormalities based on historical data • Benefits: – Don’t need to rely on predefined attack signature files to identify attacks – Can help identify attack patterns that can later be converted into attack signatures for misuse detectors • Limitations: – Require more experienced security administrators to determine the attacks – The detector can only point out abnormalities, which might or might not be attacks – More likely to produce false alarms because not all irregularities are actual attacks – They require more administrative involvement than misuse detectors Response types Active response: • An automatic action that a system takes when it recognises an attack • Increase logging activities or the number of packets captured for analysis • Reconfiguring the network such as reconfigure firewall filters, isolate a host on a particular VLAN or reroute network packets Passive response: • Simply alerts a system or security administrator about an event • Might be a log entry or it might involve immediate notification by email or pager IDS deployment • Stage 1: Deploy a limited NIDS – Install management console, deploy the console before you begin adding sensors – Start to customise NIDS • Stage 2: Deploy NIDS sensors – Incrementally deploy sensors throughout your network – Understand the differences in traffic, reporting, logging and alerts that you receive from that sensor • Stage 3: Deploy a limited HIDS – Deploy HIDS only on critical hosts or servers at first – Too many alerts to analyse if done on a large scale initially • Stage 4: Fully deploy an HIDS – Roll out the HIDS to all client systems • Where to place sensors • How critical the resources are that you must secure and where you expect attacks to occur Honeypots and honeynets • Traps that are set up to catch hackers or to study their behaviour • Appears to be a normal computer system and looks like an attractive target for an attack • Honeypots are more likely to give you valuable information about an attack as attackers, not legitimate users, use them • Honeypots are designed to track access, so they are not likely to run out of system resources when under attack • Learn about how hackers operate by investigating the exact actions that they use to attack a honeypot • Honeypots can occupy hackers so they don’t attack other computers Incident response basics • An incident is an actual, attempted or suspected breach of computer security • An incident response policy exists so that all users know who to contact if they think an incident is occurring • Contains specific steps that everyone involved should take when an incident occurs including priority list. For example: 1. 2. 3. 4. 5. Protect people’s lives and safety Protect classified and sensitive data first Protect other data Protect hardware and software Minimise disruption of business services and operations • Computer security incident response team (CSIRT), computer emergency response team (CERT) or security officer usually takes the lead in receiving, reviewing, and responding to incident reports and activity Computer forensics • The investigation and analysis of computer security incidents with the interests of gathering and preserving potential legal evidence • Collecting evidence – Designate a Point of Contact for maintaining contact with law enforcement and other CSIRTs and disseminating information – Also is responsible for coordinating the collection of evidence to ensure that it is done in accordance with all laws and legal regulations • Working carefully – Consider what your actions might mean to the present state of the system – Concentrate on not altering anything and meticulously document all of your actions for later reference – Analyse a replica of the system instead of the original, make an exact bit-level copy of the disk • Using forensic tools, EnCase® • Audit trail – To establish, examine and preserve an audit trail. An audit trail is a record of the users who accessed a computer and what operations they performed Collecting information • Obtain and protect the latest partial and full system backups • Take pictures or screen shots of all evidence • Obtain and protect any security videos, audios or reports from periods of time surrounding and including the incident • Recover as many deleted, encrypted or damaged files related to the intrusion as possible • You should also create and maintain a written log for all incident response activity • Examples of what you should document include the following: – – – – – – – – The name of the system or systems compromised The time, date and location of each activity The specific actions that were taken The identities of the people performing each action Who was notified and what information was disseminated What actions that were taken by each notified person, group or organization Who had access to the system, physical location and evidence What data was collected and who analysed it Collecting evidence Maintaining a chain of custody: • A documented chain of custody shows who collected and had access to each piece of evidence • Failure to maintain this chain of custody might make your evidence inadmissible in court – Including dates, times, locations and the verified identities of every person who handled evidence – Includes any time evidence is accessed or moved while in storage – Anyone accessing stored evidence should provide a legitimate, verifiable, and documented purpose for doing so Preserving evidence Preserving evidence • Work carefully and change as little as possible • Try to conduct your investigation on a separate system that is a restored backup or imaged version of the compromised system • Everything you do must be thoroughly documented – Archive and retain all information concerning an intrusion until the investigation and any legal proceedings are complete – Preserve all critical information on and offsite: • Make copies of all logs, system hard disks, policies, procedures, system and network configurations, photographs, cryptographic checksums, databases and system backups. • Offsite storage preserves evidence in the event of a natural disaster or subsequent intrusion – Define, document and follow a strict procedure for securing and accessing evidence both onsite and offsite Lesson summary • How to go about detecting intrusions with IDS • How to go about responding to incidents and collecting information