7

Incident Response

Network Security

Incident Response

Text:

Objectives:

The student should be able to:

·  Describe the purpose of an incident response procedure and what the procedure should outline.

·  Describe the information that must be collected when a penetration has occurred: if computer is up; when computer is down; other evidence.

·  Describe the procedure for collecting this information.

·  Describe the use of the following commands: pslist, fport, listDLLs, netstat, netcat, psLoggedOn.

·  Find information about a penetration using the above-mentioned tools.

Class Time:

Lecture:

Lecture 1 hour

Overview of cmds 0.5 hours

Lab 1.5 hours

Total: 3 hours

Preparing for an Incident

You are a system administrator and an incident occurs. Should you:

·  Go offline?

·  Block hacker at firewall?

·  Disable certain services?

·  Bring down machine/server?

·  Bring down the internal network?

·  Let the intruder proceed to collect evidence?

Your actions can have financial impact on the corporation.

How would these decisions differ if business pertained to:

·  Credit card / Banking?

·  Network services?

·  Medical prescriptions?

·  WWW Search Engine?

The CEO must determine the priorities for incident response.

Incident Response Procedure

·  A procedure must be clear as to what should happen when an intrusion is suspected.

·  The expected response to different types of intrusions shall be defined.

·  Decide early because time will be limited during an attack.

Step 0: Plan for Incident Response

Establish Detection Procedures:

·  SNMP: Monitors availability, response times, etc. and notifies administrator

·  IDS/IPS: Monitors for attacks and notifies administrator

·  Logs from all devices must be synchronized, monitored and audited

After a break-in administrators wish they had had stronger logging

Create an Incident Response Team:

·  An incident response team can help to decide the Incident Response procedures and make decisions during an incident response.

·  Shall include:

·  Security Team: Detect, control attack.

·  Upper management: Be responsible for making decisions on major break-ins.

·  Human Resources: Deal with an attack from employees.

·  Technical Staff (MIS): Bring systems back in order.

·  Outside Members: Contact law enforcement, affected customers, ISP.

Define and publish policies

·  Policies are defined and publicized as to what is and is not allowed

·  System banners indicate who/what is allowed on the system

Can perform Training/Rehearsal:

·  Each person should be trained in what they need to do.

·  Carry out a drill.

·  Attacks succeed because companies are unprepared.

Step 1: Incident Response and Containment

·  What types of attacks warrant which reactions?

·  How do we gather information on the attack? (Next section)

·  To whom should attacks be reported?

·  Do you inform police or FBI?

·  Can ISP help with log info and attack filtering?

·  Should vendors/customers be notified?

·  Shall the intrusion be hidden from the press?

FBI has a webpage for reporting crime at: www.usdoj.gov/criminal/cybercrime/reporting.html

Step 2: Recovery and Resumption

·  Rebuild Affected System (Old system can be hiding rootkit)

·  Lock down system (Apply patches)

Step 3: Review & Implement

·  Could we have detected intrusion faster?

·  What losses did we sustain overall?

·  What did the hacker attempt to do and accomplish?

·  Why did the vulnerability occur?

·  Have we eliminated the vulnerability on this and other machines?

·  Could we have reacted in a quicker or more effective way?

·  How can we improve our legal case against the next intruder?

·  What changes should we make to our policies and procedures?

Example: You receive an email indicating your network was part of an attack:

·  May be a valid accusation

·  May be a mistake

·  May be a ruse

So you investigate:

·  Your site may have been hacked.

·  An internal employee may be hacking outside.

If you reply to email indicating a break-in you may:

·  Provide your email address and confirm an IP address

·  Indicate your readiness level: “We don’t have logs on that particular intrusion”

·  May fall for ‘social engineering spam’ (e.g., company selling IDS products).

Responding to an Incident

A break-in has occurred…

·  Get all information without changing any possible evidence

·  Consider the totality of the circumstances via investigation

·  React according to the type of break-in

Procedure must be professional, documented in order to

·  Collect evidence against individual

·  Protect organization

For legal reasons, you need to document your actions in a form and have a witness to all.

When break-in noticed, with a witness:

·  Before Logoff/Power down save volatile information

·  Use trusted commands in accessing remote machine (use commands off read-only CD, floppy)

·  Do not alter system in any way

·  Save data to network or removable USB drive (fast, large storage)

·  Collect information and label it: Case number, time, date, data collector, data analyzer.

·  Seal and lock up the evidence. Track any access to sealed data.

Information that must be collected includes volatile information:

·  System date & time

·  System memory: Unix /dev/mem or /dev/kmem

·  Currently running processes

·  Logged in users

·  Network connections: Recent connections and open applications/sockets

·  Currently open files: File system time & date stamps

When attacked computer turned off:

·  Reboot will change disk images. Do not reboot!

·  Make forensic backup = system image = bit-stream backup

·  Copy every bit of the file system, not just the disk files!

·  Example tools include:

·  Intelligent Computer Solutions: Image MASSter

·  EnCase (www.guidancesoftware.com)

·  SafeBack (www.forensics-intl.com/safeback.html)

·  Unix dd command

·  Compute hash value of disk and backup

Useful information can also be collected from:

·  Photos of computer, surroundings, display (if on), back panel plugs, etc.

·  IDS, Firewall, and System logs

·  Employees web pages, emails, internet activities

·  Employees access of files (created/modified/viewed)

·  Local peripheral paraphernalia (CDs, floppies, papers)

Better to collect too much than too little

Forensic Toolkit

Maintain a CD or two floppy disks (write-protected) with the following utilities: (Abbreviated from Incident Response & Computer Forensics, Mandia, Prosise, Pepe, McGraw Hill, pp. 87-88)

·  cmd.exe: Command prompt for Windows NT/2000

·  PsLoggedOn: Shows all connected users, local & remote (www.foundstone.com)

·  Rasusers: Lists the users with remote-access privileges on the system (NT Resource Kit)

·  Netstat: Lists all listening ports and all current connections on the ports

·  Fport: Lists all processes that opened any TCP ports and executable path (www.foundstone.com)

·  PsList: Enumerates all running processes (www.foundstone.com)

·  ListDLLs: Lists all running processes, their command-line arguments, and the DLLs they depend on (www.foundstone.com)

·  Nbtstat: Lists NetBIOS connections for last 10 minutes (approx.)

·  Arp: Lists the MAC addresses system has been communicating within last minutes

·  Kill: Terminates a process (NTRK)

·  Md5sum: Creates MD5 hashes for a file (www.cygwin.com)

·  Rmtshare: Displays the accessible shares (NTRK)

·  Netcat: Creates a communication channel between two systems (www.atstake.com)

·  Cryptcat: Creates an encrypted channel of communications (sourceforge.net)

·  PsLogList: Dumps the event logs (www.foundstone.com)

·  PsKill: Kill a process (www.foundstone.com)

·  Ipconfig: Display interface configuration

·  PsInfo: Provide info about local system build (www.foundstone.com)

·  PsService: Lists current processes and threads (www.foundstone.com)

·  Auditpol: Displays security audit settings (NTRK)

·  Doskey: displays command history for an open cmd.exe shell

·  AFind: Provides file access times (www.foundstone.com)

·  Pasco: Most recent websites accessed (www.foundstone.com)

·  EnCase: List files whose extensions do not match file type (.doc->.jpeg)

·  Sfind: Show hidden or alternative data stream files (www.foundstone.com)

Do not use any utilities on the hack machine before all information is saved!

Three ways to save forensic data:

Save to floppy: [cmd] > a:\logfile

Use netcat: Below we send from hacked station to forensic station on port 1234

(at forensic station:) nc –l –p 1234 > logfile

(at hacked station:) [cmd] | nc 192.168.0.n 1234

where: -l listen mode: accept incoming connection

Use cryptcat: encrypted so no one can observe or modify netcat data.

An Initial Response Script Example (Incident Response & Computer Forensics p. 114)

Filename: ir.bat

time /t

date /t

psloggedon

dir /t:a /o:d /a /s c:\

dir /t:w /o:d /a /s c:\

dir /t:c /o:d /a /s c:\

netstat –an

fport

pslist

nbtstat –c

time /t

date /t

doskey /history

where:

dir –help indicates that

/t: indicates whether last accessed, last written or created date should be included

/s: indicates that directories and subdirectories should be listed

/a: indicates types of files

‘time /t’ and ‘date /t’ do not prompt for new times, dates

Lab: Incident Response

These tools can be found at:

www.sysinternals.com Microsoft: PsTools, ListDLLs,

www.foundstone.com

trinux.sourceforge.net Unix TRINUX package

·  Use the following commands to determine what is happening with a break-in.

List running processes, services and device drivers:

pslist // View active processes

// Normal: idle, system, smss, csrss, winlogon,

// services, lsass, svchost, spoolsv, svchost,

// explorer, cmd, pslist

psservice // View NT services. Hacker are often “Not Stoppable”

driverquery // device drivers on system: old: drivers.exe

listdlls // List the DLL files used by each executable

// listdlls <PID from Pslist> or listdlls <process>

// Shows command line of executable

// Networking DLLs: wsock32.dll, rpcrt4.dll,

// icmp.dll, ws2_32.dll, mswsock.dll,

// NETAPI32.dll, wshtcpip.dll

Determine local and remote logins

Psloggedon // logged on users

nbtstat [-n] [-s] [-c] // NetBIOS over TCP networking services

net session // List NetBios connections to/from the system

net use // “

psFile // Show files opened remotely

List open ports and applications using these ports:

Fport // active and listening programs and their ports

netstat –an // remote system connections to ports

// ESTABLISHED state = Active session

// LISTEN state = Server inactive

// TIME_WAIT state = in disconnect

List the current network configuration:

netstat –r // routing tables

arp –a // Lists entries in the ARP cache

ipconfig /all // Lists the TCP/IP configuration settings

List logs and hidden files

psLogList //Dump event (or alarm) logs

SFind // Display alternate data streams

HFind // Display hidden files

hunt // List all shares normal and hidden on a system

md5sum // Creates a hash for >= 1 file (not available)

Procedure

In this lab we will look at a number of incident response tools to detect if an intruder is in the system. These should be run from a secure CD or floppy (which ensures that the tools have not been modified) however, for simplicity we will run them from our disk. Instead of looking at a real hack, we will look at two normal applications: telnet and Network Neighborhood. If we can recognize normal applications, we have a better chance of recognizing a hack. We will generate a lot of information about the system before and after the two applications are running so we can see the delta changes to the system, and which tools accomplish what.

In the Windows VMware, open a command prompt in system administrator mode. (I.e., select ‘cmd’, right click->run as admin) At a command prompt, go to /PsTools.

> cd \Tools\PsTools

Generate a command file to save off output from a number of system tools into a file called incidentResponse.cmd.

> notepad incidentResponse.cmd

Do add an ‘echo <cmd>’ before each ‘<cmd>’ so you can see what command actually executed. The first time each command runs, it may create a license screen, so it is best to execute each command manually once.

date /T

time /T

echo pslist

pslist

echo psservice

psservice

driverquery

listdlls

psloggedon

nbtstat –n

net use

fport

netstat –an

date /T

time /T

Run the command file, saving the output to a file in /PsTools:

> incidentResponse.cmd > incidentTest1.txt

Next we will open Wireshark. You want to see which ports are used when you telnet and use Network Neighborhood. Start sniffing using Wireshark, filterning using:

host <your_IP_address>

Next start up the telnet application in your cmd screen, and connect to Mystery:

> telnet mystery // alternatively an IP address will work

User Name: student

Password: badpass

Start up the Network Neighborhood application. This will allow you to access a data share in the network. Normally this would be done by:

Start-> Computer -> Mystery

You will have to login – use student badpass. Look for the password file.

1)  Describe password file contents:

2)  Enter the protocols and port numbers used for the two applications you opened:

Protocol / Your Port Number / Mystery’s port number
telnet
Network neighborhood

Now save off output from the tools again, but this time to the incidentTest2.txt file:

> incidentResponse.cmd > incidentTest2.txt

We want to compare the two files: incidentTest1.txt with incidentTest2.txt. The fc.exe (file compare) utility can compare an older baseline with a current one. The /N option provides line numbers where the changes occurred:

> fc /N scriptout.txt scriptout2.txt

Alternatively, that can be done with the diff command on a unix system:

$ diff save.txt save2.txt

Now go through each command on the other side and complete the two tables listed on the next sheets. Learn as much as you can about the established network connections, including

·  the protocol, IP address, and port number used by network connection,

·  the path of the hacking (or two networking) tools,

·  the calling sequence of the tool, and

·  which DLLs the hacker (you) are using.

Information about the telnet application

IP Address / Port Address
Source
Destination
Protocol (TCP/UDP)
Directory Path
Command name
Networking DLLs used

Which tools did you learn this information from?

Information about Network Neighborhood Sharing

IP Address / Port Address
Source
Destination
Protocol (TCP/UDP)
Directory Path
Command name
Networking DLLs used

Which tools did you learn this information from?