IT Security Incident Response

Overview
You may need to check a live system as the initial response to a security incident.
This initial screen is used to determine whether a compromise has taken place. If
you suspect a compromise in progress, use the Outlook help ticket system to contact an
SNS staff member. If you do not use the Outlook help ticket system, follow your normal
process.
The information found during this process could lead to human resource or legal
actions. This document outlines how to capture volatile data from a live system before
that evidence is lost.
It is important to limit alteration of the system as much as possible. If the
evidence or case warrants further investigation, an in-depth forensic image may be taken
for further evaluation; an SNS team member must be contacted to perform that step.
Likely scenarios where this process should be followed include:
* Host is infected
* Host is compromised
* Host has a Trojan
* Host is being maliciously used by another user
Initial Command
First, run the following nmap scan against the system from your trusted admin system.
Timestamp your command and paste the output into your report.
C:\>nmap -sS -O 141.x.x.x
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on TEST (141.x.x.x):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State   Service
113/tcp    open    auth
135/tcp    open    loc-srv
139/tcp    open    netbios-ssn
445/tcp    open    microsoft-ds
1025/tcp   open    NFS-or-IIS
3000/tcp   open    ppp
3389/tcp   open    ms-term-serv
Remote operating system guess: Microsoft Windows.NET Enterprise Server (build 36043615 beta)
Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds
Refer to www.first.org/docs/guides/gr/ofw32 for more info
Incident Response Technical Steps
1. Get as much remote information from the machine as possible
a. Create an authenticated named-pipe connection to the machine if possible (net use U:
\\machinename\c$ /user:Administrator)
b. Run nbtstat -a <address>
c. Get the machine's timestamp: net time \\machinename
d. Run winfingerprint (http://winfingerprint.sourceforge.net/)
e. Run nmap (nmap -sT -O <ip address>)
f. Run pslist \\machinename
g. Put all information into the incident response website and keep updating the
incident tracking system with new information as it comes up.
2. Determine host location and owner
3. Call the owner and verify they will be present if you don't have remote access to the host
4. If the owner is available and local, go over and do these steps. If the owner is remote, you
may be forced to go through these steps over the phone with the owner. If you are forced to
do this over the phone with the owner, the chances of discovering possible malicious intent
are very limited.
5. Verify the McAfee VirusScan version. Open the console and, under Task -> View Log, copy
the log and paste it into your notes.
6. Download fport and run it.
Or, from a remote station:
• Make an administrative connection to the remote machine:
net use \\machine\ipc$ /user:machine\administrator
• Then copy fport to the remote machine:
xcopy /v fport.exe \\machine\c$
• Open a shell on the machine:
psexec \\machine cmd
• While in the shell on the box, run C:\fport.exe, then note and save the results as <filename>
7. Look for any process bound to the port used in incident.
8. Check the registry keys that Trojans commonly use to establish persistence.
To make a remote connection, launch regedit on your local station and go to File ->
Connect Network Registry. Enter \\workstation, then go to the Run keys (Run,
RunOnce and RunOnceEx) and check for any unusual apps being started:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Examples are: "Explorer .exe" (note the space; it should not even be here), psexec, etc.
9. If no malware is found, go to the Windows system directory (c:\winnt\system32 or
c:\windows\system32) and sort filenames by date. Look at the *.exe files with the
latest date stamps; the genuine Windows system executables will be much
older than the malware. If you don't find anything searching in that directory, use the
Microsoft search features in Explorer to find all *.exe files that are newer than one
month old. Document them.
10. From a command prompt (Start -> Run, then type cmd.exe), type net session to list open
sessions (who has connected in).
11. Type netstat to list open connections. Paste the result into your documentation.
12. List members of the Administrators group using NTRESKIT showmbrs (in the SNS toolkit) and
check for anything unusual.
13. List services using NTRESKIT sclist; rootkits and other remote access programs are
often executed from a service.
14. Run srvcheck (from NTRESKIT) to list open shares and who has access to them.
15. Run PSLogList.exe (SNS toolkit) to see who is logged on currently.
16. Run NTLast.exe to find the login history.
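The same volatile-data checks, gathered on the local host in one pass and written to a timestamped report, as an added PowerShell example that is not part of the original document or the SNS toolkit. It assumes an elevated prompt on Windows 10 / Server 2016 or newer (where Get-NetTCPConnection, Get-SmbSession and Get-LocalGroupMember exist); the report path and the 30-day window are assumed values. It covers the host clock, port-to-process mapping, Run keys, recent system32 executables, sessions, logons, administrators, services and shares (steps 1c and 7 through 16).

```powershell
# Added example (not from the original document): walks the checklist on the
# local host and appends each output, stamped with the time it was observed,
# to one report file. Assumed: elevated PowerShell on Windows 10 / Server 2016+;
# $ReportPath and the 30-day window are constructed values, not from the page.
param(
    [string]$ReportPath = "C:\IR\$($env:COMPUTERNAME)-volatile.txt",
    [int]$NewerThanDays = 30
)
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
# Each section is timestamped so the report records when each fact was seen
function Write-Section([string]$Title, [scriptblock]$Collector) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss K'
    Add-Content -Path $ReportPath -Value "`n===== $Title  [$stamp] ====="
    try   { & $Collector | Out-String -Width 200 | Add-Content -Path $ReportPath }
    catch { Add-Content -Path $ReportPath -Value "ERROR: $($_.Exception.Message)" }
}
# Step 1c: host clock and last boot, for correlating with other logs
Write-Section 'Host time' { Get-Date; (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
# Steps 7 and 11: every TCP endpoint with the process that owns it
Write-Section 'TCP endpoints' {
    Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
        OwningProcess, @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }}
}
# Step 8: Run / RunOnce / RunOnceEx autostart entries in both hives
Write-Section 'Run keys' {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($key in 'Run', 'RunOnce', 'RunOnceEx') {
            $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$key"
            if (Test-Path $path) { Get-ItemProperty $path | Select-Object * -ExcludeProperty PS* }
        }
    }
}
# Step 9: recently written executables in the system directory; genuine system
# files are usually far older than anything dropped by malware
Write-Section 'New exes in system32' {
    Get-ChildItem "$env:SystemRoot\System32\*.exe" |
        Where-Object LastWriteTime -gt (Get-Date).AddDays(-$NewerThanDays) |
        Sort-Object LastWriteTime -Descending | Select-Object LastWriteTime, Name, Length
}
# Steps 10, 15 and 16: inbound SMB sessions and the latest successful logons (event 4624)
Write-Section 'SMB sessions' { Get-SmbSession }
Write-Section 'Recent logons' {
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624 } -MaxEvents 50 | Select-Object TimeCreated,
        @{n='User'; e={ $_.Properties[5].Value }}, @{n='LogonType'; e={ $_.Properties[8].Value }}, @{n='Source'; e={ $_.Properties[18].Value }}
}
# Steps 12 to 14: local administrators, running services, open shares
Write-Section 'Administrators' { Get-LocalGroupMember -Group Administrators }
Write-Section 'Services' { Get-Service | Where-Object Status -eq Running | Select-Object Name, DisplayName }
Write-Section 'Shares' { Get-SmbShare | Select-Object Name, Path, Description }
```

Run it once from a trusted admin account and attach the resulting file to the incident ticket alongside the nmap output; every section header carries the time it was collected, so the report can be correlated with the machine's own logs.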
The above data gathering should be enough to capture most of the volatile data needed to
make an educated decision about what the next steps for the device should be. If you see
or suspect anything strange when reviewing this data, escalate an Outlook help ticket to
SNS. If you do not use the Outlook help ticket system, follow your normal process.
References
Nmap: www.insecure.org/nmap
Fport: http://secure.ramsec.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm