Detecting and responding to incidents

Security fundamentals
Topic 13
Detecting and responding to incidents
Agenda
• Detecting intrusions
• Responding to incidents
Intrusion detection
• Minimise the negative impact of security incidents
• Protect evidence for prosecution
• Intrusion detection
– Monitor and evaluate computer events and network traffic for signs of intrusions
– Use a computer or software that can detect unauthorised activity on your network, log this activity, and alert you
• Network-based IDS (NIDS)
– A NIDS monitors network traffic and traffic patterns to discover attempted denial of service (DoS) attacks, port scans or attempts to guess the password to a secured resource
• Host-based IDS (HIDS)
– A HIDS monitors a single system’s file structure to determine when an attacker modifies, deletes or changes a system file
• Log file monitor
– A log file monitor processes system log entries from one or more computers to identify possible system attacks or compromises
– Log file monitors often analyse databases to which log file entries have been copied and correlate multiple events to detect patterns
Network-based IDS
• Use sensors at various points on a network which monitor and analyse network traffic at their locations and report potential attacks to a central management console
• Commonly bastion hosts limited to running only the IDS sensor software
• Stealth mode – sensors do not send any data on the network segment they monitor
• Low impact on network traffic because they don’t act as gateways
Network-based IDS
• Features:
– Protect multiple systems
– Monitor traffic inside your firewall
– Alert you to firewall failures
– Detect slow attacks (such as scans over time)
– Delayed analysis for honeypots
– Take corrective action by changing configuration to stop an attack
– Increase overall security: one layer of a defence-in-depth
• Limitations:
– Processing speed: limits on how fast traffic can be collected and analysed
– Segmentation: use a switch span port to see traffic on a switched network
– Encryption: most NIDS can’t decrypt
– Attack success: report only that an attack was initiated, not whether it succeeded
– Missed detections: require up to date attack signatures
– False positives: alerts that indicate an intrusion, even though no actual attempt has occurred
– NIDS attacks: tools like Stick, Fragroute, Tribe Flood Network
• Internet Information Systems: RealSecure®, Snort®
Host-based IDS
• Features:
– Installed on servers and other critical computers to protect the systems
– More reliable than NIDSs in detecting attacks on individual systems
– Typically use operating system audit trails and system logs
– Also monitor changes to system files
– Must carefully configure an HIDS to not create false positives
• Benefits:
– HIDSs are better at monitoring and keeping track of local system events
– HIDSs typically cannot be bypassed by encrypted attacks
– HIDSs can help you detect attack software that has been installed on a computer, such as trojan horse software
– Because HIDSs protect only a single computer, switches, virtual private networks (VPNs) and routers do not affect their functionality
Host-based IDS limitations
Limitations:
– HIDSs are more difficult to manage as they are on individual systems
– HIDSs are susceptible to DoS attacks
– HIDSs require resources from the protected host:
• Extra hard disk space to store logs and tracking information
• Processor time and memory to analyse packets, user-issued commands, audit trails, and system logs to protect the client
Application-based IDS
• Integrating IDS functions into vendor applications
• Analyse the events occurring within a specific software application by using the application’s transaction log files
• Analyse interactions between the user, the data and the application
Detection methods
Misuse detection:
• Requires the IDS to identify a predefined attack pattern
• Identifying an attack signature
• Analyse system activity, looking for events that match a predefined pattern of attack
• Benefits:
– They can quickly identify defined attacks
– They help you track attacks
– Don’t generate many false alarms
• Limitations:
– Require updated attack signature files because they can detect only predefined attacks that are based on those signatures
– They can be attacked by sending data that matches the attack signatures
Detection methods
Anomaly detection:
– Recognising something suspicious or atypical
– Identify unusual activities or situations, called anomalies
– Must gather information about the systems and networks on which it operates, can then identify abnormalities based on historical data
• Benefits:
– Don’t need to rely on predefined attack signature files to identify attacks
– Can help identify attack patterns that can later be converted into attack signatures for misuse detectors
• Limitations:
– Require more experienced security administrators to determine the attacks
– The detector can only point out abnormalities, which might or might not be attacks
– More likely to produce false alarms because not all irregularities are actual attacks
– They require more administrative involvement than misuse detectors
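The two detection methods from the last two slides side by side, as an added example that is not part of the original slides: a misuse detector that matches predefined signatures against log lines, and an anomaly detector that builds a per-host baseline of failed logins from historical data and flags deviations. The log lines, host names, signature names and the `factor` threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original page): "<host> <program>: <message>".
LOG_LINES = [
    "host1 sshd: Failed password for root from 10.0.0.5",
    "host1 sshd: Failed password for root from 10.0.0.5",
    "host1 sshd: Accepted password for alice from 10.0.0.7",
    "host2 sshd: Failed password for admin from 10.0.0.9",
    "host2 httpd: GET /cgi-bin/test.cgi?file=../../etc/passwd",
    "host2 sshd: Failed password for admin from 10.0.0.9",
    "host2 sshd: Failed password for admin from 10.0.0.9",
]
# Constructed history, one list of lines per previous day: the baseline for
# anomaly detection (host2 has never had a failed login before).
HISTORY = [
    ["host1 sshd: Failed password for bob from 10.0.0.7"],
    ["host1 sshd: Failed password for bob from 10.0.0.7"],
    ["host1 sshd: Accepted password for alice from 10.0.0.7"],
]
# Misuse detection relies on predefined attack signatures; anything without
# a signature here is invisible to it, so the table must be kept up to date.
SIGNATURES = {
    "root-login-guess": re.compile(r"Failed password for root"),
    "directory-traversal": re.compile(r"\.\./\.\./"),
}

def misuse_detect(lines):
    """Return (signature name, line) for each line matching a known pattern."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

def failed_login_counts(lines):
    """Count failed logins per host (the host is the first token of a line)."""
    return Counter(line.split()[0] for line in lines if "Failed password" in line)

def anomaly_detect(history_days, today, factor=2.0):
    """Flag hosts whose failed-login count today exceeds `factor` times their
    historical daily mean (floored at 1.0). The result is an abnormality that
    an administrator still has to judge, not a confirmed attack."""
    totals = Counter()
    for day in history_days:
        totals.update(failed_login_counts(day))
    days = max(len(history_days), 1)
    flagged = {}
    for host, count in failed_login_counts(today).items():
        mean = max(totals[host] / days, 1.0)
        if count > factor * mean:
            flagged[host] = (count, mean)
    return flagged
```

Note that the password guessing against `admin` on host2 has no signature and is missed by `misuse_detect`, but `anomaly_detect` flags host2 because its failed-login count is well above its historical baseline.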
Response types
Active response:
• An automatic action that a system takes when it recognises an attack
• Increase logging activities or the number of packets captured for analysis
• Reconfiguring the network, such as reconfiguring firewall filters, isolating a host on a particular VLAN or rerouting network packets
Passive response:
• Simply alerts a system or security administrator about an event
• Might be a log entry or it might involve immediate notification by email or pager
IDS deployment
• Stage 1: Deploy a limited NIDS
– Install the management console; deploy the console before you begin adding sensors
– Start to customise the NIDS
• Stage 2: Deploy NIDS sensors
– Incrementally deploy sensors throughout your network
– Understand the differences in traffic, reporting, logging and alerts that you receive from each sensor
• Stage 3: Deploy a limited HIDS
– Deploy HIDS only on critical hosts or servers at first
– Too many alerts to analyse if done on a large scale initially
• Stage 4: Fully deploy an HIDS
– Roll out the HIDS to all client systems
• Where to place sensors
• How critical the resources are that you must secure and where you expect attacks to occur
Honeypots and honeynets
• Traps that are set up to catch hackers or to study their behaviour
• Appears to be a normal computer system and looks like an attractive target for an attack
• Honeypots are more likely to give you valuable information about an attack as attackers, not legitimate users, use them
• Honeypots are designed to track access, so they are not likely to run out of system resources when under attack
• Learn about how hackers operate by investigating the exact actions that they use to attack a honeypot
• Honeypots can occupy hackers so they don’t attack other computers
Incident response basics
• An incident is an actual, attempted or suspected breach of computer security
• An incident response policy exists so that all users know who to contact if they think an incident is occurring
• Contains specific steps that everyone involved should take when an incident occurs, including a priority list. For example:
1. Protect people’s lives and safety
2. Protect classified and sensitive data first
3. Protect other data
4. Protect hardware and software
5. Minimise disruption of business services and operations
• Computer security incident response team (CSIRT), computer emergency response team (CERT) or security officer usually takes the lead in receiving, reviewing, and responding to incident reports and activity
Computer forensics
• The investigation and analysis of computer security incidents with the interest of gathering and preserving potential legal evidence
• Collecting evidence
– Designate a Point of Contact for maintaining contact with law enforcement and other CSIRTs and disseminating information
– Also responsible for coordinating the collection of evidence to ensure that it is done in accordance with all laws and legal regulations
• Working carefully
– Consider what your actions might mean to the present state of the system
– Concentrate on not altering anything and meticulously document all of your actions for later reference
– Analyse a replica of the system instead of the original: make an exact bit-level copy of the disk
• Using forensic tools, EnCase®
• Audit trail
– To establish, examine and preserve an audit trail. An audit trail is a record of the users who accessed a computer and what operations they performed
Collecting information
• Obtain and protect the latest partial and full system backups
• Take pictures or screen shots of all evidence
• Obtain and protect any security videos, audios or reports from periods of time surrounding and including the incident
• Recover as many deleted, encrypted or damaged files related to the intrusion as possible
• You should also create and maintain a written log for all incident response activity
• Examples of what you should document include the following:
– The name of the system or systems compromised
– The time, date and location of each activity
– The specific actions that were taken
– The identities of the people performing each action
– Who was notified and what information was disseminated
– What actions were taken by each notified person, group or organization
– Who had access to the system, physical location and evidence
– What data was collected and who analysed it
Collecting evidence
Maintaining a chain of custody:
• A documented chain of custody shows who collected and had access to each piece of evidence
• Failure to maintain this chain of custody might make your evidence inadmissible in court
– Including dates, times, locations and the verified identities of every person who handled evidence
– Includes any time evidence is accessed or moved while in storage
– Anyone accessing stored evidence should provide a legitimate, verifiable, and documented purpose for doing so
Preserving evidence
• Work carefully and change as little as possible
• Try to conduct your investigation on a separate system that is a restored backup or imaged version of the compromised system
• Everything you do must be thoroughly documented
– Archive and retain all information concerning an intrusion until the investigation and any legal proceedings are complete
– Preserve all critical information on and offsite:
• Make copies of all logs, system hard disks, policies, procedures, system and network configurations, photographs, cryptographic checksums, databases and system backups
• Offsite storage preserves evidence in the event of a natural disaster or subsequent intrusion
– Define, document and follow a strict procedure for securing and accessing evidence both onsite and offsite
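The chain-of-custody and preservation points from the last two slides, as an added example that is not part of the original slides: a cryptographic checksum is taken of an evidence item at acquisition, every collection, access or move is logged with who, when, where and why, a later copy is verified against the checksum, and custody entries with no identity or stated purpose are reported as the gaps that undermine admissibility. The item id, people, locations and the disk-image stand-in are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    """Cryptographic checksum that is recorded with the evidence at collection."""
    return hashlib.sha256(data).hexdigest()

class EvidenceRecord:
    """One piece of evidence and its chain-of-custody log: every person who
    collected, accessed or moved it, with when, where and why."""

    def __init__(self, item_id, description, data, collected_by, location):
        self.item_id = item_id
        self.description = description
        self.checksum = sha256_hex(data)  # taken once, at acquisition
        self.custody = []
        self.log("collected", collected_by, location, "initial acquisition")

    def log(self, action, person, location, purpose, when=None):
        """Append a custody entry; `when` defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc).isoformat()
        self.custody.append({"action": action, "person": person,
                             "location": location, "purpose": purpose, "time": when})

    def verify(self, data: bytes) -> bool:
        """True if this copy still matches the checksum taken at collection."""
        return sha256_hex(data) == self.checksum

    def undocumented_accesses(self):
        """Custody entries missing an identity or a stated purpose: the gaps
        that can make the evidence inadmissible."""
        return [e for e in self.custody if not e["person"] or not e["purpose"]]

# Constructed stand-in for a bit-level disk image (not real evidence).
IMAGE = b"constructed bit-level copy of the compromised host's disk"

def sample_record():
    """Build a record for the constructed image and log two custody events."""
    rec = EvidenceRecord("E-001", "disk image, web server", IMAGE,
                         "a.analyst", "evidence locker, onsite")
    rec.log("accessed", "b.examiner", "forensics lab", "analyse replica, not original")
    rec.log("moved", "c.courier", "offsite vault", "offsite retention")
    return rec
```

The same checksum should be stored with the offsite copy, so that both copies can be verified against the value taken at acquisition rather than against each other.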
Lesson summary
• How to go about detecting intrusions with IDS
• How to go about responding to incidents and collecting information