1	Incident Response Preparedness is Essential in Today’s Computing Environment
2	Virtual warfare Information systems are subject to malicious activity on a regular basis Internal or external incidents will continue to challenge information security personnel The challenge is how to respond, who to notify, how to preserve “evidence”, etc. Fortunately, the vast majority of attacks are unsuccessful
3	Why Incident Response Established procedures must be in place to: Identify the attack Mitigate the damage Recover from the breach Without a formal process in place critical information may be lost These procedures can be thought of as the Incident Response (IR) Cycle
4	Developing a Response Policy Define your organization’s overall incident response structure Develop and implement alert mechanisms that permit quick action Establish a centralized reporting structure Appoint and train incident response personnel
5	What is an Incident In order to respond we must first recognize an incident—no uniform agreement as to what constitutes an incident An “incident” is an “adverse event” that threatens system’s Confidentiality Integrity Accessibility An “adverse event” must be observable such as: Denial of Service (DOS) attack Unauthorized access to email accounts Unauthorized access to company’s databases
6	Recognizing Intrusion Observe your system for unexpected behavior or anything suspicious Investigate anything considered unusual If the investigation finds something that isn’t explained by authorized activity, immediately initiate intrusion response procedures
7	Legal Implications The Gramm-Leach-Bliley (GLB) Act: Financial Institutions must protect consumer’s personal financial information The Sarbanes-Oxley Act: Requires that internal technical controls be in place for publicly traded companies The Federal Information Security Management Act (FISMA): Requires that Federal agencies to have an incident response capability California’s SB1386: Requires that individuals be notified when personal information is compromised In order to comply you must be able to identify security breaches
8	Unauthorized Access Unauthorized access is normally acquired in the following methods: Valid User Credential Vulnerable Services Backdoors
9	Role of Computers in IR Victim A computer that is the object of an intrusion or unauthorized activity Instrumentality Computers used to conduct illegal activity Evidence Computers that are used to store evidence of the crime
10	Incident Response Cycle Preparation Detection Analysis Recovery After-Action
11	Preparation Preparation involves: Incident Response Policy Incident Response Procedures Identification of Team Training of Team Equipment for Team Liaison with law enforcement Liaison with other CIRT’s, ISP’s, etc.
12	Detection Identification of the Incident. Intrusion Detection Systems Honeypot’s Unexplained high network bandwidth utilization Unexplained user accounts Unexplained utilization of disk storage Categorization of the incident. Malicious code Unauthorized access Inappropriate Use Denial of Service
13	Incident Prioritization Detection involves the Prioritization of Incidents (Varies from Company to Company) Level 1 – Root or Administrator Account Compromise/Access Level 2 – User Account Compromise/Access Level 3 – Unauthorized access to a system Level 4 – Network or system scanning
14	Analysis Determining what took place: Live System Forensics Network Devices Servers Traditional Computer Forensics Stand alone systems Reporting
15	Incident Response Issues Operating Systems Microsoft Linux Solaris Cisco PDA
16	Computer Forensics Computer forensics is the discipline of acquiring, preserving, identifying and examining digital media—whether on a “live” or a powered down system It involves retrieving computer data in a manner which meets admissibility standards as evidence in legal proceedings The original media MUST NOT be altered. If the data is altered, the examiner must ensure that there is a reason for the alteration
17	Forensic Examination Identify the perpetrator Identify the means and methods by which access was gained to the computer or network Conduct a damage assessment of the victim computer Preserve the evidence for appropriate legal action—could be criminal or civil
18	Examination of Evidence Reliability of evidence Adherence to accepted protocols and practices (standards) Use of proven & accepted software. Ability to testify as to methods and results of analysis Trained and certified computer forensics examiners Proper training is crucial for testimonial purposes
19	Exploitation of Evidence Identifying and separating pertinent evidence from non-pertinent Evaluating the evidence for criticality and usability in a court of law Documentation of actions taken by the examiner
20	“Live” System Forensics What if the compromised system cannot be powered down because of its critical business function? How do you respond to such an incident? The forensic examination must be conducted on a “live” system EnCase Enterprise Edition
21	A snapshot in time Typically, the following information should be gathered from a system that can not be powered down: System date and time A list of currently running processes A list of currently open sockets The applications listening on open sockets A list of the users that are currently logged on A list of the systems that have current or had recent connections to the system
22	Relevant Commands Establish a trusted shell. Record the system date and time. Determine who is logged on. Record time/date stamps. Record open sockets. List Processes that open sockets. List currently running processes. List systems that recently connected. Record system time. Record the steps taken.
23	Traditional Computer Forensics A Physical and Logical image is made of the magnetic media Physical image is restored to sterile media for processing Physical image is processed for: Directory Listing Hidden Files Deleted Files Encryption File Slack
24	Containment & Recovery Identification of other systems that may be compromised Minimizing the impact to the network Restoring systems to normal operation
25	After Action How did the incident occur How to prevent similar incidents from occurring in the future What worked/didn’t work during the response Incorporate “Lessons Learned” into IR plan
26	"CASE STUDY" CASE STUDY Actual case presented by Art Ehuan, Manager, Bearing Point, at a recent meeting of the HTCIA Mid-Atlantic Chapter
27	The call Victim company’s Information Technology (IT) director (hereafter referred to as Acme) receives an phone call from the Information Security (IS) director of a multinational corporation The IS director advises the Acme IT director that they are monitoring unauthorized activity originating from the Acme network The unauthorized activity involves the breach and access of the multinational company’s internal network
28	The details The IS director advises Acme that they have identified five (5) IP addresses originating from the Acme network. The IS director advises that one of the IP addresses, within Acme’s network range, has contact information in Russia, based on the whois lookup. IS director and staff attempt to determine if an Acme employee is responsible for the unauthorized activity.
29	Looking for clues Acme IT staff locate two (2) of the five (5) IP’s provided by the multinational corporation The two devices identified are a Citrix server and a Checkpoint Firewall Acme personnel are unsure of what actions to take to identify what activity is taking place Acme brings in outside assistance A review of DShield.org logs reveal that 2 of the systems have been reported to the site for conducting unauthorized activity
30	The bad news If your IP address is listed on DShield.org, you probably have been compromised
31	The investigation A “live” analysis is conducted to identify ongoing activity from the two systems Analysis identifies an IRC channel that is active Traditional forensic analysis is conducted of the two identified systems. The rule set on the Checkpoint Firewall is set to: ANY ANY Large amounts of Warez are located on the Firewall
32	Forensic Examination Forensic analysis is conducted on the Citrix server The analysis identifies numerous scanning and password cracking programs like nmap and l0phtcrack. Also located a large password files and Warez. The forensic analysis also identifies that VMware has been installed on the Citrix server with Red Hat Linux 8 as the installed OS. An IRC server has been installed on the Linux system.
33	Firewall logs A review of the Firewall logs revealed:
34	Preliminary Findings Acme’s IT staff are contacted and asked if they had installed any of the scanning, password cracking, VMware or Linux on the Citrix server Acme personnel respond that those programs where not installed by their staff Forensic analysis of the SWAP file (Pagefile.sys) identifies numerous Linux commands being run and being used to conduct attacks against victim multinational corporation and many others
35	Conclusions Firewall logs were not being reviewed No policy or process was in place to respond to incidents IT personnel did not recognize anomalous activity on their network which included massive bandwidth utilization IT personnel did not even have a current network topology of their systems
36	"Phillip Rodokanakis" Phillip Rodokanakis, CFE Managing Partner U.S. Data Forensics, LLC 4520 East West Hwy Suite #640 Bethesda, MD 20814 Tel. 301-657-5600 FAX 301-907-9227 phil@usdfllc.com www.usdataforensics.com