Educause MARC Copyright 2002, Marchany 1
Unit 3
Incident Response: Creating the Computer Incident Response Team (CIRT)
How Easy Is It?
% set term=cterm100
% telnet victim.com
Trying 0.0.0.0...
Connected to victim.com.
Escape character is '^]'.
UNIX(r) System V Release 4.0 (victim.com)
# id
uid=0(root) gid=0(root)
#
Incident Response Steps
Dave Dittrich, Univ. of Washington, wrote a good checklist describing the Incident Response Cycle.
6 major steps:
Preparation
Detection
Containment
Eradication
Recovery
Follow-up
Preparation – Creating the CIRT
We need to create a Computer Incident Response Team (CIRT) before we can use it.
How do we create it? Read an excellent paper on the issues that need to be considered when building a CIRT.
What Do I Do?
An excellent reference document for things to consider when setting up the CIRT: “Handbook for Computer Security Incident Response Teams (CSIRTs)”, Moira West-Brown, Don Stikvoort, Klaus-Peter Kossakowski, 12/98.
Available from www.cert.org.
Describes basic issues that should be considered when setting up the CIRT (CSIRT). The following slides summarize this document.
Setting Up the CIRT
The CIRT is like the fire department. Our CIRT is like the volunteer fire department or rescue squad.
No full-time members except the University Information Security Officer. Other members are called in as needed. They have management approval to drop whatever they’re doing in order to respond to the incident.
Fixing the problem is top priority.
Setting Up the CIRT
Information Confidentiality is critical! The CIRT must be trusted to handle sensitive information responsibly. Otherwise, no one will report incidents to it.
What type of CIRT?
International? Build trust with external CIRTs.
University? Respond to incidents within the university. Dept sysadmins and users will use the service.
Overlaps?
Setting Up the CIRT
Authority and Scope
FULL – the CIRT has the authority to undertake any necessary action on behalf of its constituency in order to protect University resources.
SHARED – the CIRT provides direct support and shares in the decision-making process. It can influence dept sysadmins but can’t dictate to them.
NONE – the CIRT acts in an advisory or advocate capacity only.
CIRT Authority
FULL: the CIRT could require disconnection until the threat is removed. The CIRT may actually do the disconnection.
SHARED: the CIRT could advise and influence victims to disconnect from the net until the problem is fixed but can’t force them.
CIRT Services
Mandatory
Provide a focal point for reporting computer security incidents.
Provide coordinated support in response to such reports.
Common/Typical
Incident tracing: tracking and tracing intruder activity.
CIRT Services
Typical/Common
Intrusion Detection: support active detection of intruder activity.
Education: conduct training seminars for general users, system administrators, management, faculty, staff, etc.
Vulnerability Analysis: provide a security scanning service to departments.
CIRT Information Flow
Important to understand which services are related to each other.
Determine which services rely on info from or provide info to another service.
Determine which services are responsible for providing/requesting info to/from another service.
Assign different priorities depending on the source of the request.
CIRT Flexibility
External factors affect the CIRT:
Rate of incident reports is unpredictable; the CIRT may get overloaded.
New attacks and exploits: the type and complexity of incident reports change over time.
New technology advances: CIRT expertise needs to be updated constantly.
CIRT Flexibility
Computer crime laws are just now becoming a force. The CIRT needs to be aware of the changing legal framework of the environment and adapt accordingly.
Varying demands on the CIRT: situations will arise when an unprepared CIRT may be insufficient to respond effectively to meet these conflicting demands.
CIRT and Liability
A liability issue is everything that you say, do or write or that you omit to say, do or write, for which people want to sue you, with a reasonable chance of success in court.
Needless to say, this is an issue in the US.
Liability Context: Omission
Lack of information disclosure: you receive log files that indicate an intruder’s activities and you fail to follow up on the lead. If this fact is discovered, you may be liable for failing to act on the information.
Neglecting side effects: you deal with a new vulnerability in a specific incident but fail to notify the vendor/net/other CIRTs of this vulnerability. Some time later, the net is attacked via the same vulnerability.
Liability Context: Omission
Failure to observe legal reporting or archiving obligations: many countries require you to report to or generate archives for law enforcement regarding a serious crime. Espionage, murder, drug dealing, etc. are examples.
Liability Context: CIRT and Signed Contracts
Inadequate service definition: the CIRT service isn’t available during holidays or after hours, and this isn’t stated clearly in the service agreement with your constituents.
Service level isn’t provided: the CIRT didn’t do what was promised. The quality of the work wasn’t what was expected.
Liability Context: Information Disclosure
References to individuals/organizations: the CIRT gives the impression a party is involved in an attack. The party’s reputation/business is damaged by this disclosure.
Revealing identities: depends on who is requesting the information (EDU: FERPA, Medical: HIPAA). Revealing the identity w/o prior approval.
Liability Context: Information Disclosure
Distributing false information: you release info about a bug in an OS but it’s wrong. The vendor may be upset. Or you correctly warn of a vulnerability but your solution doesn’t work.
Incorrect advice: your advice is wrong or outdated and causes damages to your constituent.
CIRT Service Functions
Triage: single point of contact for accepting, collecting, sorting, and ordering information about an incident.
Incident: provide support and guidance related to suspected or confirmed computer security incidents.
CIRT Functions
Announcement: provide general information via sysadmin and tech support mailing lists, www sites, etc.
Feedback:
Can be provided by explicit request from mgt or media.
Can be provided as an annual report or case-driven report.
CIRT Incident Related Contacts
People the CIRT needs to keep in the loop:
Upper management
Other departments’ technical staff
Security officer
Legal counsel
Internal audit
Risk management group
Network operations center
Network information center
CIRT Non-Incident Related Contacts
Site security contacts
ISP
Other CIRTs
Law enforcement
Vendors
External experts
Media
The CIRT
The AUP defines the rules.
CIRT Composition
Sysadmin - decode syslogs, sniffer
Network Management Team - decode router logs, packet filter, sniffer
Legal - proper evidence collection
Supervisory/Audit - authority to force change
Legal or not?
Preparation
Client Insecurity Issues
“Mommas, don’t let your kids grow up to be PCs!”
What Types of Attacks to Expect
The Doom Scenario
[Diagram: Server (S) and Client (C). Labels: Attack the Server; Good Sysadmin Practices; Install Sniffer; Install Encryption; Email Attachments (NetBus, BO2K); No Effective Defense if the Client is PC/Mac]
Types of Attacks
Types of attacks we’ve seen at our site:
EMAIL
PASSWORD/SNIFFER
DENIAL OF SERVICE
RELAY ATTACKS
WWW ATTACKS
The next section describes each of the above attacks using Dittrich’s Incident Response Model.
Case 1: Email Abuse
We handle 2.5M+ external emails/wk.
Need network management help to trace to the internal site.
Need the mail administrator to decipher mail logs.
Types of Email Abuse at VT
Chain Letters: “Good Times”, “recipes”. Letter is sent & supposed to be mailed to 10 others. Annoying.
Types of Email Abuse at VT
Mail Spoofing (Forgery): usually done in conjunction with flames. Could impersonate a real person. Too easy to do.
Types of Email Abuse at VT
Email Infrastructure Attacks: mail bombs, exploiting sendmail vulnerabilities (Outlook, sendmail), SPAM.
SPAM: site is notified and warned. Unheeded warnings (3) result in a 30 day block of anything from that site.
Types of Email Abuse at VT
Flaming: profane, obscene, angry or threatening comments. Messages are sent either by email or Usenet newsgroups. Death threats require immediate attention.
Email Logs
Sendmail Server logs: logs sender/receiver, timestamp, email ID.
Terminal Server/Modem Pool: log all users. Used to identify the real owner of a modem session. Caller ID on modem pool.
Email Logs
POP3 mail logs: logs the PID of the sender, password change dates, etc.
Source/Target system logs: personal firewall logs, sniffers, etc.
Usenet Logs: news server logs.
Logs are sent to a central syslog server and dumped to CD once a month. Audit requirement: 18 month retention.
Preparation: Handling Complaints
IS will gather appropriate info from the logs ONLY at the request of a proper authority and only releases the logs to them.
IS DOES NOT prosecute, get involved in policing but 'helps' by gathering log info, helping interpret it, at the request of the proper authority. The 'Proper Authority' is any entity that does the actual prosecution (Provost, Dean, Police, FBI, Secret Service).
Preparation: CIRT
Have a plan of action ready and approved. Sample CIRT Checklist.
Detection: Email Abuse
Generic mail id to report problems: [email protected]. If the user thinks it’s abuse, we have to check. Users are told to send reports there.
Users can call the Help Desk to report problems. The Help Desk crew notifies the mail sysadmins if there is a problem.
System mail log monitors detect large volumes of email traffic. The mail admins check for spam and email flooding.
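The volume check in the last point, as an added illustration that is not from these slides or from VT's own monitors: it parses sendmail-style envelope lines (constructed sample data; the 10 minute window and the 100 recipient threshold are assumptions) and flags any sender whose recipient count inside a sliding window exceeds the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sendmail's syslog format (not real logs from the site).
SAMPLE_LOG = """\
Jan 12 10:00:01 mailhost sendmail[2201]: h0CF01Aa002201: from=<alice@example.edu>, size=812, class=0, nrcpts=1, proto=ESMTP, relay=ws1.example.edu [10.0.0.11]
Jan 12 10:00:03 mailhost sendmail[2203]: h0CF03Ab002203: from=<promo@spam.example>, size=2048, class=0, nrcpts=45, proto=SMTP, relay=[192.0.2.9]
Jan 12 10:00:09 mailhost sendmail[2207]: h0CF09Ac002207: from=<promo@spam.example>, size=2048, class=0, nrcpts=50, proto=SMTP, relay=[192.0.2.9]
Jan 12 10:00:15 mailhost sendmail[2211]: h0CF15Ad002211: from=<bob@example.edu>, size=500, class=0, nrcpts=2, proto=ESMTP, relay=ws2.example.edu [10.0.0.12]
Jan 12 10:01:20 mailhost sendmail[2220]: h0CG20Ae002220: from=<promo@spam.example>, size=2048, class=0, nrcpts=40, proto=SMTP, relay=[192.0.2.9]
Jan 12 10:12:00 mailhost sendmail[2290]: h0CM00Af002290: from=<promo@spam.example>, size=2048, class=0, nrcpts=5, proto=SMTP, relay=[192.0.2.9]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>, .*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>.+)$"
)

def parse_envelopes(text, year=2002):
    """Return (timestamp, sender, recipient_count, relay) for each sender-side (from=) line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # delivery (to=) lines and other noise are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["sender"].lower(), int(m["nrcpts"]), m["relay"]))
    return out

def flag_floods(envelopes, window_sec=600, max_rcpts=100):
    """Return {sender: peak recipients in any window} for senders over max_rcpts."""
    by_sender = defaultdict(list)
    for ts, sender, n, _ in envelopes:
        by_sender[sender].append((ts, n))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        start, total, peak = 0, 0, 0
        for ts, n in events:
            total += n
            while (ts - events[start][0]).total_seconds() > window_sec:
                total -= events[start][1]  # slide the window forward
                start += 1
            peak = max(peak, total)
        if peak > max_rcpts:
            flagged[sender] = peak
    return flagged
```

In the sample the external sender reaches 135 recipients within 80 seconds and is flagged, while the two campus users stay well under the threshold.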
Containment: Email Abuse
If the email threatens the receiver, every effort is made to identify the sending host and person if possible.
Network router logs determine if the threat came from onsite systems.
Mail system logs give source, destination and intermediate mail system handling information.
Syslogs of the sending system yield origin information. These three log types help determine if IP spoofing is active.
IMPORTANT: get the original email with complete headers!
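The header tracing these containment steps rely on, as an added example that is not part of the original slides: it walks the Received: chain of a constructed message and reports the origin as recorded by the first relay the site controls, treating every hop written by outside hosts as unverifiable (the hostnames and the trusted-relay set are assumptions).

```python
import re
from email import message_from_string

# Constructed sample: two Received headers added by our own relays sit above one
# header that the outside sender's host claims to have added (it could be forged).
SAMPLE_MSG = """\
Received: from mailgw.example.edu (mailgw.example.edu [10.0.0.25])
\tby mailhost.example.edu (8.12.1/8.12.1) with ESMTP id h0CF01Aa002201
\tfor <victim@example.edu>; Sat, 12 Jan 2002 10:00:01 -0500
Received: from mail.friendly.example (unknown [198.51.100.77])
\tby mailgw.example.edu (8.12.1/8.12.1) with SMTP id h0CF00Zz001999
\tfor <victim@example.edu>; Sat, 12 Jan 2002 10:00:00 -0500
Received: from trusted.example.edu (trusted.example.edu [10.0.0.5])
\tby mail.friendly.example with ESMTP id xyz; Sat, 12 Jan 2002 09:59:00 -0500
From: "Someone" <someone@trusted.example.edu>
To: victim@example.edu
Subject: constructed sample

body
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return the Received hops in chronological order (oldest first)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # headers are prepended, so reverse
        m = HOP_RE.search(hdr)
        if not m:
            continue
        ip = IP_RE.search(m["paren"] or "")
        hops.append({"helo": m["helo"], "ip": ip.group(1) if ip else None, "by": m["by"]})
    return hops

def trace_origin(raw, trusted):
    """Origin as seen by the first relay we control. Hops before it were written by
    hosts we do not control, so their contents cannot be verified."""
    hops = parse_hops(raw)
    for i, hop in enumerate(hops):
        if hop["by"] in trusted:  # first hop recorded by our own infrastructure
            return {"origin_ip": hop["ip"], "claimed_helo": hop["helo"],
                    "entry_relay": hop["by"], "unverified_hops": hops[:i]}
    return None
```

Here the only reliable fact is that 198.51.100.77 handed the message to mailgw.example.edu; the hop claiming it came from trusted.example.edu was written by the outside host and matches nothing our relays saw, which is the spoofing signal the slides describe.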
Eradication: Email Abuse
Hard to do.
Spam filters for sendmail
Relay filters for sendmail
Isolate the sending machine if onsite.
Notify the sending site if a remote system is involved; they may have a problem.
Bodily harm threats must be taken seriously.
Recovery: Email Abuse
Denial of service mail attack:
remove spam messages
use routers to block out the offending system
process mail as quickly as possible
Disable user account access IF the AUP allows this.
Notify the recipient on progress.
Followup: Email Abuse
User Education:
how to spot email trash
who to notify if abuse starts
SAVE THE ORIGINAL EMAIL!!!!
Netiquette
System Manager Education:
SPAM, relay filtering rules
save the email logs at a central site
ask users for the complete email message with headers
Summary
The previous slides list the 6 phases of IR as it applies to 1 category of attack: email abuse
Do the same for the other types of attacks you expect at your site.
Have the Procedure Checklist ready.
Recommendations
Revise your AUP and IRP as needed.
Construct your response plans according to Dittrich’s Response Model: Preparation, Detection, Containment, Eradication, Recovery, Follow-up.
Your IR plans should address the “How do we do …” for each layer of the Response Model
IR is a coordinated action involving all aspects of an org’s IS structure: sysadmin, network mgrs, supervisory, audit, legal, upper mgt.
Liability is an issue! Are you liable for internal (email) as well as external (the NY Times “hacker”) if your response structure is inadequate? Probably!
As It Should Be......