Incident Response Blck HatHome (Incident Response, Black Hat, Home)

Uploader: 仙*** Document ID: 52224953 Uploaded: 2022-02-07 Format: PPT Pages: 88 Size: 1.73MB
Resource description:


Incident Response In a Microsoft World.
By John K. AKA M

Overview (Intro)
- Incident Response: what is it? Definition and examples.
- Purpose of Incident Response.
- Recognizing an Incident.
- Policy.
- Education.
- What to do in an incident.
  - Scenario One.
  - Scenario Two.

Incident Response. What is it?
Incident: An action likely to lead to grave consequences, especially in diplomatic matters.
Grave consequences:
- Sounds bad. Really bad. Probably does not look good on the resume.
- Could mean loss of revenue.
  - Company/Corporate level.
  - Security Manager personal level.

Incident Examples:
- Malicious code.
  - Virus infection. Trojan programs. Worms. Malicious scripting.
  - Usually hidden, and some have the potential to replicate.
  - Effects can range from simple monitoring of system/network traffic to complicated automated backdoors with full system rights.
- Unauthorized Access.
  - Accessing data without permission.
  - Utilizing an account not assigned.
  - Utilizing another user's account.
  - Utilizing an assigned account in a manner not specifically assigned.
  - Elevating privileges above those assigned.
- Unauthorized Utilization of Services.
  - Game play. Mail relay. Dialup access.
  - Use of corporate equipment for personal gain (home business, stocks, etc.).
  - Personal servers on the network.
  - Much of this depends on Policy.
- Espionage.
  - Information stealing/manipulation.
  - Email monitoring.
  - Utilizing the ISP as a point of presence.
  - Notebook theft.
  - Data copying: CD burners, zip drives, flash memory.
  - Simple trojan/tunneling methods.
- Hoaxes.
  - Warnings: virus threats, bomb threats, etc.
  - Scams: pyramid mail, sob stories, contests.
  - Corporate mail is for business use only.
  - Authorized personnel will distribute warnings.
- Aggressive Probes.
  - Does not include port scans.
  - Baseline the network to observe unusual trends.
  - Unusual activity should be investigated.
  - Monitor both internal and external network traffic.

Incident Response. What is it?
Response: An act of responding. Something constituting a reply or a reaction. The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation. The output of a transducer or detecting device resulting from a given input.

Incident Response. What is it?
Incident Response: An act of responding to an action likely to lead to grave consequences, especially in diplomatic matters.
- Sometimes referred to as a Knee Jerk reaction.
- Ideally, Incident Response would be a set of policies that allow an individual or individuals to react to an incident in an efficient and professional manner, thereby decreasing the likelihood of grave consequences.
- Pay check = Good, Pink slip = Bad.

Purpose:
- Minimize overall impact.
  - Hide from public scrutiny.
  - Stop further progression.
  - Involve key personnel.
  - Control the situation.
- Recover Quickly & Efficiently.
  - Respond as if going to prosecute.
  - If possible, replace the system with a new one.
  - Priority one: business back to normal.
  - Ensure all participants are notified.
  - Record everything.
- Secure System.
  - Lock down all known avenues of attack.
  - Assess the system for unseen vulnerabilities.
  - Implement proper auditing.
  - Implement new security measures.
- Follow-up (It is never REALLY over).
  - Ensure that all systems are secure.
  - Continue prosecution.
  - Securely store all evidence and notes.
  - Distribute lessons learned.

Recognizing an Incident:
- Obvious.
  - Web page defacement.
  - Contact from the perp (email, phone, etc.).
  - System service denial.
  - "Uh, George? Did you change the wallpaper on the servers? Well, all the NT boxes in the server room have this pretty blue screen on them now."
- Automated Response.
  - Intrusion Detection System(s).
  - Anti-malicious code software.
  - Firewall.
  - Other security systems.
- Outside Source.
  - Another company reporting possible links: password files, IP addresses, etc.
  - Contact by CERT.
  - Law enforcement.
  - Public announcement: news, attrition.org, H.
- Physical Report.
  - Sensitive material found in a public area (Privacy Act information, bids, etc.).
  - Hardware reported missing.
  - Secure areas left unsecured.
  - Unescorted unknown personnel.
  - Controlled areas left unattended.
- System Administrator Report.
  - Unusual log activity: failed logins, unusual connect times.
  - New accounts.
  - New files.
  - Missing files.
- Technician Report.
  - Malicious code found on a workstation.
  - Policy violation found on a workstation (games, personal software, etc.).
  - Evidence of system modification.
  - This is the man in the field. Very useful.
- Obscure.
  - Without investigation by a subject matter expert, many incidents can be incorrectly labeled as user error, equipment failure, etc.
  - Technicians and SAs need to investigate problems fully and pass them on to Security.

Policy?
Much of Incident Response will depend on your Security Policy.
- Don't have one? Better get one. CYA (Cover Your Access).
  - Hard for an employee to deny wrongdoing when you have signed papers showing review of existing policies, including Acceptable Use.
- Acceptable Use.
  - Games. Email. Personal software. Stock watchers. ICQ, AIM, IRC, etc.
- Monitoring.
  - Specify daily monitoring for troubleshooting.
  - Specify that ALL traffic WILL be monitored.
  - Do not allow a legal opening for invasion of privacy: the workplace is for business, and all business efforts are subject to security measures and perusal to ensure best business practices.
- Current Point Of Contact List.
  - Primary number for 24 hour emergency.
  - Email and desk numbers for Security staff.
  - Designed to give all personnel the minimal information needed to respond to an incident or to ask a question.
- User Responsibilities.
  - Acceptable use.
  - Software installation.
  - Security reporting.
  - Be aware (the weakest link theory is in full effect for security).
- Technician/System Administrator Responsibilities.
  - Follow all user responsibilities.
  - Lead by example whenever possible.
  - Report any potential violations to Security.
  - Assist Security in matters regarding their area of expertise.
  - Keep investigations highly confidential.
  - Monitor and archive all logs.
  - Be aware (technical expertise is only of value if used).
- Security Officer(s)/Manager(s) Responsibilities.
  - Lead by example.
  - Monitor logs/reports.
  - Provide for on-call duties.
  - Open door/email policy.
  - Communicate.
  - Educate the masses.
  - Educate self daily.
  - Be aware (or be compromised).

Educate.
Policy is worthless unless implemented.
- What good is a library that is locked? What good are laws that are not enforced? What good is a policy that is not updated?
- The users must have easy access to policy.
  - All new users should be required to read the Policy at hire and sign acceptance.
  - Policy should be kept easily available: online (read only) and hard copy (HR, Security Office, Library, etc.).
  - A system for suggestions should be available.
  - All memorandums that affect security should be included in Policy.
- The Policy needs to be explained to users.
  - A glossary should be provided.
  - The Policy should be easily understandable, and not vague enough to allow misinterpretation.
  - Security should be willing to assist users.
  - A refresher should be required every 6 months. Coincide it with the password change: sign for the new password and Policy acceptance.
- The policy needs to be supported by Management.
  - The highest level needs to sign off on policy.
  - All members are subject to policy. It is at the higher levels that the larger “Incidents” can be found. No favorites.
  - “Iron Clad” policies backed by weak enforcement lead to ridicule.
- If possible, provide small classes.
  - Anti-virus software.
  - Good password selection (if needed). Suggest SAs distribute passwords.
  - Computer access.
  - User alertness.
  - Acceptable use.
  - Ignorance is curable.

What to do.
Instead of a rigid framework of how Incident Response HAS to be handled, I am going to provide two basic scenarios and walk through how a small to medium sized company could handle two different incidents.
Crowd participation is requested and appreciated. Stories of similar incidents with different responses are especially of interest. Don't be shy, wake up! Participate.

Scenario One.

Time: 2013
A V.P. is giving a party at home and decides to show off the new web page. While viewing the corporate leadership page, the V.P. notices that certain pictures of persons (including the V.P.) and bio information have been modified to be less than favorable.

Time: 2015
Having just read and signed off on the current Security Policy earlier that week, the V.P. remembers that personnel can contact the helpdesk 24 hours a day for reporting problems. Phoning the Helpdesk, he reports the problem and expresses an intense desire to have the situation resolved as soon as possible. After logging all information, the Helpdesk assures the V.P. that resolution shall be swift.

Basic Information to gather:
- Time and date reported (specify time zone).
- Name of contact.
- Phone number and/or email of contact.
- System suspected to be affected.
- Technical details of the system, if known: IP address(es), OS, patches loaded, physical location, services running, suspected access point (vulnerability).
- Time and date the incident was noticed by the contact.
- Description of the incident.

Time: 2020
Helpdesk finishes entering the information into the log. Helpdesk verifies that the page has been modified. Per security policy, all incidents affecting the company in a public manner are considered Priority 1.

Time: 2021
Helpdesk reviews the POC list and calls the Security Manager's pager. This specific SecManager insists on notification of all Priority 1s. Another approach would be an on-call security member who updates the Manager after reviewing the situation.

Time: 2027
Helpdesk reviews the POC list and calls the Security Manager's pager. After being updated on the current situation, the SM requests that the helpdesk contact the NT server on-call person and have him meet him at the office in 30 minutes. The SM gets ready for a late night at the office.

Time: 2030
Helpdesk checks the POC list and calls the on-call SA. Helpdesk explains the basic situation to the SA. The SA assures them he is getting ready to go.

Time: 2035
Per intra-department policy, the SA calls the department head while en route to the office to notify him about the situation and to ensure a response is in process. The department head receives the information and requests an update if any new/important information arises. Otherwise he will want a full update in the morning.

Time: 2100
The SA and SM meet at the server room. A quick discussion of current assets reveals that there is a backup server available with a recently loaded OS, services, and patches. The SA begins the process of restoring data from backup tape while the SM begins the process of a bit-by-bit copy of the compromised server.

Time: 2300
The SA finishes restoring the webserver data and verifies that the restored data has not been manipulated. Since current backup policy states full backups at 0100 every day, this gives a roughly 18 hour window for the data manipulation to have occurred. The SA brings the new server online and updates the logs for the Incident.

Time: 2330
As forensic backups become available, the original hard drives are removed and locked in a safe; logs are noted with the time of entry, and an evidence log is created for those specific items. The SA and SM will work through the night looking for evidence of how the manipulation occurred.

Time: 0800
Good news! Through the diligent work of the SA and SM, information was found showing that the data was manipulated at 1957 by a dial-in account. This shows that the incident may have remained unseen by the public. Further review of online web defacement authorities (attrition.org) shows no mention of the defacement.

Time: 0800
Coordination with HR reveals that the owner of the account had recently been passed over for a promotion. Normally that user account would not have rights to the webserver directories, but an earlier update to the server created a hole for internal users. The SA quickly reconfigured file access for the server and closed that hole.

Time: 1000
Coordination with HR, Legal, and the employee's direct supervisor showed that, due to a previous poor work record and misconduct, it would be in the best interest of the company to terminate the employment of the individual in question.

Conclusion:
Due to proper procedures and the quick response of all personnel involved, the incident was quickly contained and resolved, and business returned to normal. Communication and coordination are especially important in Incident Response. Any breakdown in the chain can cause the entire process to fail.

Scenario Two.

Time: 1000
Helpdesk operator Julie has been especially busy this morning. Aside from the normal calls of users not being able to properly format documents in Word and find the any key, there was a spurt of user complaints about being locked out. In addition, one of the traveling salespeople (Frank) has returned from being in the field and has logged numerous complaints about his system not working right.

Julie diligently logged all of the calls today and sent them off to the appropriate queues. System Admin received the lockouts. Technical Support received Frank.

During the day Julie will check on assigned tickets to ensure that an adequate response is being given. She noticed that at 1003 System Admin had fixed all of the lockouts and was researching why they had happened. At 1012 Technical Support accepted Frank's ticket and were en route.

Time: 1030
Chris in Technical Support meets with Frank. Frank explains that this morning, after he logged in, the system said something about "performing maintenance, please wait." So he went off, had a cup of coffee and checked with coworkers on the latest news. Upon return to his computer it appeared to be done with its program but "acted" weird during the morning. Sometimes it would beep and sometimes the CD tray would eject for no reason. Very weird.

Time: 1040
Chris quickly took a look at the system to see what was running and didn't notice anything obvious. He did notice that, contrary to Policy, Frank appeared to have installed some custom programs like a stock ticker and a theme from the television show Baywatch.

Time: 1044
While Chris was looking at the laptop computer, the CD-ROM drive opened. Within was a copy of Quake. Chris decided to reboot to see if the symptoms would continue.

Time: 1047
After the system finished rebooting, Chris noticed that the anti-virus software was not running. Further investigation showed that it had been disabled. After enabling the anti-virus software he had it update to the latest DAT file and then run a full scan against the system. The last scan had been over 6 months ago.

Time: 1100
After the anti-virus program finished its scan, it reported that Back Orifice 2000 was found. Chris immediately disconnected the infected machine from the network. He then contacted the Helpdesk to update Julie and have her contact the Security Department.

Time: 1107
Julie contacted the Security Manager and updated him on the situation. The SM requested the phone number for where Chris was currently located. He then called Chris and told him to make sure the computer was not disturbed until his arrival.

Time: 1115
After having Chris update him in person, the SM confiscated the computer to be taken back to the lab and have proper forensics run against it.

Time: 1125
Upon return to his office there was a message from the System Admin department stating that logs show repeated attempts to log in to numerous accounts from a user's machine. The owner of the machine is listed as Frank.

Time: 1130
The SM contacts HR, Legal, and Frank's direct supervisor to discuss that, due to a deliberate violation of Policy, it appears that Frank has enabled an outside presence to mount an attack on the company's computer systems. With the agreement of HR, Frank's supervisor sends Frank home while the investigation proceeds. The SM ensures that all of Frank's access is disabled. In addition, a network-wide password change is enforced.

Time: 0900 (the next day)
Analysis of Frank's machine shows that he received an email claiming to be themes for the TV show Baywatch. One of the themes was wrapped with BO2K. Headers show that the email originated from the Ukraine.

Time: 0900 (the next day)
Due to the difficulty in coordinating investigations in Ukraine, further research has been deemed not cost productive. Current logs and evidence have been stored in case of further activity from that area. CERT was notified of the incident, with particulars given about the Ukraine activity.

Time: 0900 (the next day)
Due to the lack of previous problems with Frank and his excellent work history, Frank has had the Incident recorded in his record. In addition, Frank will assist Security in further classes by being an example of what can happen by violating Policy.

Time: 0900 (the next day)
Research is being done in regard to implementing a server-controlled anti-virus program. This will help locate systems without virus protection and force-feed updates to the users. In addition, Intrusion Detection Systems are being evaluated to improve network awareness.

Conclusion:
At first a problem may not seem to be a security incident, but further investigation is always needed to ensure what the total scope is. Seemingly unrelated incidents can be part of one large incident when observed after the initial report. Policy must be enforced.

Conclusion (0uttro)
Incident Response: An act of responding to an action likely to lead to grave consequences, especially in diplomatic matters. Sometimes referred to as a Knee Jerk reaction.
With the knowledge you are now armed with, you can ensure your company is on the way from using Knee Jerk reactionary tactics to creating Incident Response skills that can overcome any adversary.

Conclusion (0uttro)
- Minimize overall impact.
  - Hide from public scrutiny.
  - Stop further progression.
  - Involve key personnel.
  - Control the situation.
- Recover Quickly & Efficiently.
  - Respond as if going to prosecute.
  - If possible, replace the system with a new one.
  - Priority one: business back to normal.
  - Ensure all participants are notified.
  - Document every action, back up all data.

Conclusion (0uttro)
- Secure System.
  - Lock down all known avenues of attack.
  - Assess the system for unseen vulnerabilities.
  - Implement proper auditing.
  - Implement new security measures.
- Contro
