7
Incident Response
Network Security
Incident Response
Text:
Objectives:
The student should be able to:
· Describe the purpose of an incident response procedure and what the procedure should outline.
· Describe the information that must be collected when a penetration has occurred: if computer is up; when computer is down; other evidence.
· Describe the procedure for collecting this information.
· Describe the use of the following commands: pslist, fport, listDLLs, netstat, netcat, psLoggedOn.
· Find information about a penetration using the above-mentioned tools.
Class Time:
Lecture:
Lecture 1 hour
Overview of cmds 0.5 hours
Lab 1.5 hours
Total: 3 hours
Preparing for an Incident
You are a system administrator and an incident occurs. Should you:
· Go offline?
· Block hacker at firewall?
· Disable certain services?
· Bring down machine/server?
· Bring down the internal network?
· Let the intruder proceed to collect evidence?
Your actions can have financial impact on the corporation.
How would these decisions differ if business pertained to:
· Credit card / Banking?
· Network services?
· Medical prescriptions?
· WWW Search Engine?
The CEO must determine the priorities for incident response.
Incident Response Procedure
· A procedure must be clear as to what should happen when an intrusion is suspected.
· The expected response to different types of intrusions shall be defined.
· Decide early because time will be limited during an attack.
Step 0: Plan for Incident Response
Establish Detection Procedures:
· SNMP: Monitors availability, response times, etc. and notifies administrator
· IDS/IPS: Monitors for attacks and notifies administrator
· Logs from all devices must be synchronized, monitored and audited
After a break-in administrators wish they had had stronger logging
Create an Incident Response Team:
· An incident response team can help to decide the Incident Response procedures and make decisions during an incident response.
· Shall include:
· Security Team: Detect, control attack.
· Upper management: Be responsible for making decisions on major break-ins.
· Human Resources: Deal with an attack from employees.
· Technical Staff (MIS): Bring systems back in order.
· Outside Members: Contact law enforcement, affected customers, ISP.
Define and publish policies
· Policies are defined and publicized as to what is and is not allowed
· System banners indicate who/what is allowed on the system
Can perform Training/Rehearsal:
· Each person should be trained in what they need to do.
· Carry out a drill.
· Attacks succeed because companies are unprepared.
Step 1: Incident Response and Containment
· What types of attacks warrant which reactions?
· How do we gather information on the attack? (Next section)
· To whom should attacks be reported?
· Do you inform police or FBI?
· Can ISP help with log info and attack filtering?
· Should vendors/customers be notified?
· Shall the intrusion be hidden from the press?
FBI has a webpage for reporting crime at: www.usdoj.gov/criminal/cybercrime/reporting.html
Step 2: Recovery and Resumption
· Rebuild Affected System (Old system can be hiding rootkit)
· Lock down system (Apply patches)
Step 3: Review & Implement
· Could we have detected intrusion faster?
· What losses did we sustain overall?
· What did the hacker attempt to do and accomplish?
· Why did the vulnerability occur?
· Have we eliminated the vulnerability on this and other machines?
· Could we have reacted in a quicker or more effective way?
· How can we improve our legal case against the next intruder?
· What changes should we make to our policies and procedures?
Example: You receive an email indicating your network was part of an attack:
· May be a valid accusation
· May be a mistake
· May be a ruse
So you investigate:
· Your site may have been hacked.
· An internal employee may be hacking outside.
If you reply to email indicating a break-in you may:
· Provide your email address and confirm an IP address
· Indicate your readiness level: “We don’t have logs on that particular intrusion”
· May fall for ‘social engineering spam’ (e.g., company selling IDS products).
Responding to an Incident
A break-in has occurred…
· Get all information without changing any possible evidence
· Consider the totality of the circumstances via investigation
· React according to the type of break-in
Procedure must be professional, documented in order to
· Collect evidence against individual
· Protect organization
For legal reasons, you need to document your actions in a form and have a witness to all.
When break-in noticed, with a witness:
· Before Logoff/Power down save volatile information
· Use trusted commands in accessing remote machine (use commands off read-only CD, floppy)
· Do not alter system in any way
· Save data to network or removable USB drive (fast, large storage)
· Collect information and label it: Case number, time, date, data collector, data analyzer.
· Seal and lock up the evidence. Track any access to sealed data.
Information that must be collected includes volatile information:
· System date & time
· System memory: Unix /dev/mem or /dev/kmem
· Currently running processes
· Logged in users
· Network connections: Recent connections and open applications/sockets
· Currently open files: File system time & date stamps
When attacked computer turned off:
· Reboot will change disk images. Do not reboot!
· Make forensic backup = system image = bit-stream backup
· Copy every bit of the file system, not just the disk files!
· Example tools include:
· Intelligent Computer Solutions: Image MASSter
· EnCase (www.guidancesoftware.com)
· SafeBack (www.forensics-intl.com/safeback.html)
· Unix dd command
· Compute hash value of disk and backup
Useful information can also be collected from:
· Photos of computer, surroundings, display (if on), back panel plugs, etc.
· IDS, Firewall, and System logs
· Employees web pages, emails, internet activities
· Employees access of files (created/modified/viewed)
· Local peripheral paraphernalia (CDs, floppies, papers)
Better to collect too much than too little
Forensic Toolkit
Maintain a CD or two floppy disks (write-protected) with the following utilities: (Abbreviated from Incident Response & Computer Forensics, Mandia, Prosise, Pepe, McGraw Hill, pp. 87-88)
· cmd.exe: Command prompt for Windows NT/2000
· PsLoggedOn: Shows all connected users, local & remote (www.foundstone.com)
· Rasusers: Lists the users with remote-access privileges on the system (NT Resource Kit)
· Netstat: Lists all listening ports and all current connections on the ports
· Fport: Lists all processes that opened any TCP ports and executable path (www.foundstone.com)
· PsList: Enumerates all running processes (www.foundstone.com)
· ListDLLs: Lists all running processes, their command-line arguments, and the DLLs they depend on (www.foundstone.com)
· Nbtstat: Lists NetBIOS connections for last 10 minutes (approx.)
· Arp: Lists the MAC addresses system has been communicating within last minutes
· Kill: Terminates a process (NTRK)
· Md5sum: Creates MD5 hashes for a file (www.cygwin.com)
· Rmtshare: Displays the accessible shares (NTRK)
· Netcat: Creates a communication channel between two systems (www.atstake.com)
· Cryptcat: Creates an encrypted channel of communications (sourceforge.net)
· PsLogList: Dumps the event logs (www.foundstone.com)
· PsKill: Kill a process (www.foundstone.com)
· Ipconfig: Display interface configuration
· PsInfo: Provide info about local system build (www.foundstone.com)
· PsService: Lists current processes and threads (www.foundstone.com)
· Auditpol: Displays security audit settings (NTRK)
· Doskey: displays command history for an open cmd.exe shell
· AFind: Provides file access times (www.foundstone.com)
· Pasco: Most recent websites accessed (www.foundstone.com)
· EnCase: List files whose extensions do not match file type (.doc->.jpeg)
· Sfind: Show hidden or alternative data stream files (www.foundstone.com)
Do not use any utilities on the hack machine before all information is saved!
Three ways to save forensic data:
Save to floppy: [cmd] > a:\logfile
Use netcat: Below we send from hacked station to forensic station on port 1234
(at forensic station:) nc –l –p 1234 > logfile
(at hacked station:) [cmd] | nc 192.168.0.n 1234
where: -l listen mode: accept incoming connection
Use cryptcat: encrypted so no one can observe or modify netcat data.
An Initial Response Script Example (Incident Response & Computer Forensics p. 114)
Filename: ir.bat
time /t
date /t
psloggedon
dir /t:a /o:d /a /s c:\
dir /t:w /o:d /a /s c:\
dir /t:c /o:d /a /s c:\
netstat –an
fport
pslist
nbtstat –c
time /t
date /t
doskey /history
where:
dir –help indicates that
/t: indicates whether last accessed, last written or created date should be included
/s: indicates that directories and subdirectories should be listed
/a: indicates types of files
‘time /t’ and ‘date /t’ do not prompt for new times, dates
Lab: Incident Response
These tools can be found at:
www.sysinternals.com Microsoft: PsTools, ListDLLs,
www.foundstone.com
trinux.sourceforge.net Unix TRINUX package
· Use the following commands to determine what is happening with a break-in.
List running processes, services and device drivers:
pslist // View active processes
// Normal: idle, system, smss, csrss, winlogon,
// services, lsass, svchost, spoolsv, svchost,
// explorer, cmd, pslist
psservice // View NT services. Hacker are often “Not Stoppable”
driverquery // device drivers on system: old: drivers.exe
listdlls // List the DLL files used by each executable
// listdlls <PID from Pslist> or listdlls <process>
// Shows command line of executable
// Networking DLLs: wsock32.dll, rpcrt4.dll,
// icmp.dll, ws2_32.dll, mswsock.dll,
// NETAPI32.dll, wshtcpip.dll
Determine local and remote logins
Psloggedon // logged on users
nbtstat [-n] [-s] [-c] // NetBIOS over TCP networking services
net session // List NetBios connections to/from the system
net use // “
psFile // Show files opened remotely
List open ports and applications using these ports:
Fport // active and listening programs and their ports
netstat –an // remote system connections to ports
// ESTABLISHED state = Active session
// LISTEN state = Server inactive
// TIME_WAIT state = in disconnect
List the current network configuration:
netstat –r // routing tables
arp –a // Lists entries in the ARP cache
ipconfig /all // Lists the TCP/IP configuration settings
List logs and hidden files
psLogList //Dump event (or alarm) logs
SFind // Display alternate data streams
HFind // Display hidden files
hunt // List all shares normal and hidden on a system
md5sum // Creates a hash for >= 1 file (not available)
Procedure
In this lab we will look at a number of incident response tools to detect if an intruder is in the system. These should be run from a secure CD or floppy (which ensures that the tools have not been modified) however, for simplicity we will run them from our disk. Instead of looking at a real hack, we will look at two normal applications: telnet and Network Neighborhood. If we can recognize normal applications, we have a better chance of recognizing a hack. We will generate a lot of information about the system before and after the two applications are running so we can see the delta changes to the system, and which tools accomplish what.
In the Windows VMware, open a command prompt in system administrator mode. (I.e., select ‘cmd’, right click->run as admin) At a command prompt, go to /PsTools.
> cd \Tools\PsTools
Generate a command file to save off output from a number of system tools into a file called incidentResponse.cmd.
> notepad incidentResponse.cmd
Do add an ‘echo <cmd>’ before each ‘<cmd>’ so you can see what command actually executed. The first time each command runs, it may create a license screen, so it is best to execute each command manually once.
date /T
time /T
echo pslist
pslist
echo psservice
psservice
driverquery
listdlls
psloggedon
nbtstat –n
net use
fport
netstat –an
date /T
time /T
Run the command file, saving the output to a file in /PsTools:
> incidentResponse.cmd > incidentTest1.txt
Next we will open Wireshark. You want to see which ports are used when you telnet and use Network Neighborhood. Start sniffing using Wireshark, filterning using:
host <your_IP_address>
Next start up the telnet application in your cmd screen, and connect to Mystery:
> telnet mystery // alternatively an IP address will work
User Name: student
Password: badpass
Start up the Network Neighborhood application. This will allow you to access a data share in the network. Normally this would be done by:
Start-> Computer -> Mystery
You will have to login – use student badpass. Look for the password file.
1) Describe password file contents:
2) Enter the protocols and port numbers used for the two applications you opened:
Protocol / Your Port Number / Mystery’s port numbertelnet
Network neighborhood
Now save off output from the tools again, but this time to the incidentTest2.txt file:
> incidentResponse.cmd > incidentTest2.txt
We want to compare the two files: incidentTest1.txt with incidentTest2.txt. The fc.exe (file compare) utility can compare an older baseline with a current one. The /N option provides line numbers where the changes occurred:
> fc /N scriptout.txt scriptout2.txt
Alternatively, that can be done with the diff command on a unix system:
$ diff save.txt save2.txt
Now go through each command on the other side and complete the two tables listed on the next sheets. Learn as much as you can about the established network connections, including
· the protocol, IP address, and port number used by network connection,
· the path of the hacking (or two networking) tools,
· the calling sequence of the tool, and
· which DLLs the hacker (you) are using.
Information about the telnet application
IP Address / Port AddressSource
Destination
Protocol (TCP/UDP)
Directory Path
Command name
Networking DLLs used
Which tools did you learn this information from?
Information about Network Neighborhood Sharing
IP Address / Port AddressSource
Destination
Protocol (TCP/UDP)
Directory Path
Command name
Networking DLLs used
Which tools did you learn this information from?