Lesson 4 Basics of Incident Detection. UTSA IS 3523 ID & Incident Response: Overview, Detection of Incidents, Basic IDS Theory, Types of IDSes

Transcript of Lesson 4 Basics of Incident Detection:

  • Slide 1
  • Lesson 4 Basics of Incident Detection
  • Slide 2
  • Overview
      • Detection of Incidents
      • Basic IDS Theory
      • Types of IDSes
  • Slide 3
  • What is an Incident?
      • Incident: an event in an information system/network
      • Time-based security: protection time >> detection time + reaction time
      • Some say it's all about vulnerability management
  • Slide 4
  • Detection of Incidents
      • Who detects: Human Resources, IDS, Security, System Administrators, Help Desk, End Users
      • IDS: detection of remote attack
      • Company X indicators:
          • Numerous failed logons
          • Logins into dormant or default accounts
          • Activity during non-working hours
          • New accounts not created by SysAdmins
          • Unfamiliar files or executable programs
          • Unexplained escalation of privileges
          • Altered web pages
          • Gaps in log files or erasure of log files
          • Slower system performance
          • System crash
          • Receipt of extortion email
          • Notification by upstream/downstream sites
          • Pornography / music files / movies
  • Slide 5
  • Detection of Incident Process (flow)
      • Inputs: Firewall Logs, IDS Logs, Suspicious user, System Admin
      • DETECT -> Begin IR Checklist -> Activate CIRT
  • Slide 6
  • Are Firewalls Enough? You have the world's best firewall, your Windows computers update their antivirus software regularly and your Information Security staffers enforce your policies with an iron fist. Does this mean you're safe? Maybe not. In 1998, a news story asserted that the firewall for the New York Times was one of the best. Yet at 7:08 a.m. on Sunday, Sept. 13, 1998, someone on the paper's network e-mailed reporters:

    ...COM3 V1S1T HTTP://WWW.NYTIMES.COM AND S33 0UR LAT3ST P13C3 0F ART. 1F 1T D0ESN'T L0AD, JUST H1T 'REL0AD' A F3W T1MES. CL3V3R ADMINZ HAD S0M3 W3IRD CR0NTABZ OR S0METHING. 0H. W3 0WN YOU. Y0U JUST HAV3NT N0T1C3D US 0N Y3R N3TW0RK Y3T. UNT1L THE N3XT T1M3...

    No one at the Times had noticed weeks' worth of the Hacking for Girliez gang on their network. The intruders finally chose to go public by defacing the opening page of their Web site on the day the Times expected millions of visitors to view the Monica Lewinsky transcripts. Instead, visitors encountered soft porn...
  • Slide 7
  • Personal Firewall
  • Slide 8
  • Firewall Traffic Monitor
  • Slide 9
  • Firewall Configuration
  • Slide 10
  • Firewall Settings
  • Slide 11
  • Firewall Event Summary
  • Slide 12
  • Hostile Event?
  • Slide 13
  • Traceback Option
  • Slide 14
  • Ranum on Intrusion Detection
    "The real value of intrusion detection is diagnosing what is going on. Never collect more data than you could conceivably want to look at. If you don't know what to do with the data, it doesn't matter how much you've got."
    Marcus Ranum, Network Flight Recorder
  • Slide 15
  • Intrusion and Misuse Detection
      • Remember the operational model of security: protection = prevention + (detection + response)
      • Access controls and filters seek to prevent unauthorized or damaging activity.
      • Intrusion and misuse detection mechanisms aim to detect it at its outset or after the fact.
      • Has its roots in audit log files.
      • Operates on the principle that it is neither practical nor feasible to prevent all attacks.
  • Slide 16
  • Intrusion Detection
      • Can be manual (review of logs), automated, or a combination.
      • Closely related to monitoring. Workplace monitoring is used to:
          • Ensure quality
          • Assess performance
          • Comply with regulations (e.g. ensure stockbrokers aren't using high-pressure tactics in violation of stock exchange rules)
  • Slide 17
  • Audit Trails
      • Early intrusion detection involved reviewing system log or audit files.
      • What events can be audited varies from system to system.
      • Examples of auditable events include:
          • Reading/opening of a file
          • Writing to or modifying a file
          • Creation or deletion of an object
          • Logins and logouts
          • Other administrative actions
          • Special operations (e.g. changing a password)
  • Slide 18
  • Unix Logging
      • Several sources of log files in Unix:
          • syslog: the system log
          • sulog: records actions to switch users (su)
          • utmp: keeps track of users currently logged on
          • wtmp: stores historical data on login, logout, shutdown, and restart events
          • lastlog: tracks each user's most recent login time and the point of origin of the user
      • Successful and unsuccessful logins can be tracked.
      • At login, this information (about the last login) is often displayed.
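As an added example (not part of the original lesson), the following Python script applies three of the slide 4 "Company X" indicators to syslog-style authentication lines of the kind the Unix logging slide describes: numerous failed logons, logins into dormant or default accounts, and activity during non-working hours. The sample log lines, the failure threshold, the working-hours window and the list of default accounts are all constructed assumptions that an administrator would tune for their own site.

```python
import re
from collections import Counter

# Constructed sample auth-log lines in syslog format (not from the original slides).
SAMPLE_LOG = """\
Sep 13 02:10:01 host sshd[101]: Failed password for root from 10.0.0.5 port 4101 ssh2
Sep 13 02:10:03 host sshd[101]: Failed password for root from 10.0.0.5 port 4102 ssh2
Sep 13 02:10:05 host sshd[101]: Failed password for root from 10.0.0.5 port 4103 ssh2
Sep 13 02:10:07 host sshd[101]: Failed password for root from 10.0.0.5 port 4104 ssh2
Sep 13 02:10:09 host sshd[101]: Failed password for root from 10.0.0.5 port 4105 ssh2
Sep 13 02:11:00 host sshd[102]: Accepted password for guest from 10.0.0.5 port 4106 ssh2
Sep 13 09:15:22 host sshd[103]: Accepted password for alice from 10.0.0.8 port 5000 ssh2
Sep 13 14:30:00 host sshd[104]: Failed password for bob from 10.0.0.9 port 5100 ssh2
"""

# Fields of the OpenSSH password-authentication message as written to syslog.
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)

FAILED_LOGON_THRESHOLD = 5               # what counts as "numerous" (assumed value)
WORK_HOURS = range(8, 18)                # 08:00-17:59 is working hours (assumed)
DORMANT_OR_DEFAULT = {"guest", "test"}   # dormant/default accounts (assumed list)

def parse(line):
    """Return a dict for a recognised auth line, else None."""
    m = LINE_RE.match(line)
    return dict(m.groupdict(), hour=int(m.group("time")[:2])) if m else None

def detect_indicators(log_text):
    """Return (indicator, detail) pairs for the slide-4 indicators that can be
    derived from authentication log lines alone."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    findings = []
    # Numerous failed logons, counted per (account, source address) pair.
    failures = Counter((e["user"], e["src"]) for e in events if e["result"] == "Failed")
    for (user, src), n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("numerous_failed_logons", f"{n} failures for {user} from {src}"))
    # Successful logins into dormant/default accounts or outside working hours.
    for e in events:
        if e["result"] != "Accepted":
            continue
        if e["user"] in DORMANT_OR_DEFAULT:
            findings.append(("dormant_or_default_account_login", f"{e['user']} from {e['src']}"))
        if e["hour"] not in WORK_HOURS:
            findings.append(("activity_during_non_working_hours", f"{e['user']} at {e['time']}"))
    return findings

if __name__ == "__main__":
    for indicator, detail in detect_indicators(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```

On the constructed sample the script reports the five root failures from one address and the 02:11 login into the guest account, while alice's 09:15 login raises nothing.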
  • Slide 19
  • Windows NT/2K Auditing
      • By default security auditing is not enabled.
      • NT: Start | Programs | Administrative Tools | User Manager; in User Manager select Policies | Audit. Logs => C:\WINNT\System32\Config\*.evt
      • WIN2K: Administrative Tools | Local Security Policy. Logs => C:\WINNT\System32\Config\*.evt
  • Slide 20
  • The Use of Tools
    "An apprentice carpenter may want only a hammer and a saw, but a master craftsman employs many precision tools. Computer programming likewise requires sophisticated tools to cope with the complexity of real applications, and only practice with these tools will build skill in their use."
    Robert L. Kruse, Data Structures and Program Design
  • Slide 21
  • Windows XP Logs
  • Slide 22
  • Computer Management
  • Slide 23
  • Computer Management Window
  • Slide 24
  • Event Viewer Application Log
  • Slide 25
  • Event Viewer Application Log
  • Slide 26
  • Audit Policy Settings
  • Slide 27
  • Event Viewer Security Log
  • Slide 28
  • Event Viewer System Log
  • Slide 29
  • System Event
  • Slide 30
  • Performance Logs
  • Slide 31
  • Schneier on Auditing
    "Audit is vital wherever security is taken seriously. Audit is there so that you can detect a successful attack, figure out what happened after the fact, and then prove it in court."
    Bruce Schneier, Secrets & Lies: Digital Security in a Networked World
  • Slide 32
  • Another Obvious Quick Look Tool: Your Anti-virus Software
      • Check the AV log to see when the last scan was conducted
      • Check the quarantine area
      • If only interested in root cause analysis, execute the AV software to see what turns up
  • Slide 36
  • Intrusion Detection Systems
      • Various types of activities that an IDS checks for:
          • Attempted/successful break-ins
          • Masquerading
          • Penetration by legitimate users
          • Leakage by legitimate users
          • Inference by legitimate users
          • Trojan horses
          • Viruses
          • Denial-of-service
  • Slide 37
  • Approaches to IDS
      • Attempt to define and detect abnormal behavior
      • Attempt to define and detect anomalous activity
  • Slide 38
  • Methods to Perform IDS
      • Four major methods attempted to perform intrusion detection:
          • User profiling
          • Intruder profiling
          • Signature analysis
          • Action-based (attack signatures)
  • Slide 39
  • User Profiling
      • Basic premise: the identity of any specific user can be described by a profile of commonly performed actions.
      • The user's pattern of behavior is observed and established over a period of time.
      • Each user tends to use certain commands more than others, access the same files, log in at certain times and at specific frequencies, and execute the same programs.
      • A user profile can be established based on these activities and maintained through frequent updating.
      • A masquerading intruder will not match this profile.
  • Slide 40
  • User Profiling
      • Types of activity to record may include:
          • CPU and I/O usage
          • Connect time and time of connection as well as duration
          • Location of use
          • Command usage
          • Mailer usage
          • Editor and compiler usage
          • Directories and files accessed/modified
          • Errors
          • Network activity
      • Initial profile takes time and can generate many alarms.
      • Weighted actions often used (more recent activities more important than activities accomplished in the past).
  • Slide 41
  • Intruder Profiling
      • Concept similar to criminal profiles used in the law enforcement community.
      • Attempt to define the actions that an intruder will take when unauthorized access is obtained. For example: when an intruder first gains access, the action often taken is to check to see who else is on, then examine files and directories.
      • Can also apply to insiders gaining access to files they are not authorized to access.
      • Problem with this method is that it is hard to define all possible intruder profiles, and often the actions of a new user will appear similar to the actions of an intruder.
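The user-profiling slides (39 and 40) describe a command-usage profile that is updated with more weight on recent activity and alarms when a session does not match it, and slide 41 describes the "who is on, then look at files" pattern an intruder tends to show. The Python below, added here and not part of the lesson, implements that recency-weighted profile and scores sessions against it; the decay factor, the alarm threshold and the enrolment and test sessions are constructed assumptions.

```python
from collections import Counter

DECAY = 0.8      # multiplier applied to the existing profile before each new session (assumed)
THRESHOLD = 1.0  # alarm when deviation exceeds this; tune during the initial profile period (assumed)

def build_profile(sessions, decay=DECAY):
    """Recency-weighted command-usage profile from sessions in chronological order.
    Each session is a list of command names; older sessions are discounted by `decay`
    each time a newer one is added, so recent behaviour dominates the profile."""
    weights = Counter()
    for commands in sessions:
        for cmd in weights:
            weights[cmd] *= decay
        weights.update(commands)
    total = sum(weights.values())
    return {cmd: w / total for cmd, w in weights.items()} if total else {}

def session_distance(profile, commands):
    """L1 distance between the session's command distribution and the profile,
    in [0, 2]; commands never seen in the profile contribute their full share."""
    if not commands:
        return 0.0
    observed = {c: k / len(commands) for c, k in Counter(commands).items()}
    return sum(abs(profile.get(k, 0.0) - observed.get(k, 0.0))
               for k in set(profile) | set(observed))

def is_masquerade(profile, commands, threshold=THRESHOLD):
    """True when a session deviates from the user's profile by more than `threshold`."""
    return session_distance(profile, commands) > threshold

# Constructed enrolment sessions for a developer account (not from the original slides).
ALICE_SESSIONS = [
    ["ls", "cd", "vi", "make", "ls"],
    ["ls", "vi", "gcc", "make", "cd"],
    ["vi", "make", "ls", "ls", "gcc"],
]
ALICE_PROFILE = build_profile(ALICE_SESSIONS)

# A later session by the same user, and one matching the slide-41 intruder pattern
# (check who else is on, then examine files and directories). Both constructed.
NORMAL_SESSION = ["ls", "vi", "make", "cd", "ls"]
INTRUDER_SESSION = ["w", "who", "find", "cat", "find", "netstat"]

if __name__ == "__main__":
    for name, s in (("normal", NORMAL_SESSION), ("intruder", INTRUDER_SESSION)):
        print(name, round(session_distance(ALICE_PROFILE, s), 3), is_masquerade(ALICE_PROFILE, s))
```

Note that `cd` and `gcc` each appear twice in enrolment, yet `gcc` gets the larger weight because its uses are more recent; that is the weighting the slide refers to.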
  • Slide 42
  • Signature Analysis
      • Just as an individual has a unique written signature which can be used for identification purposes, individuals also have a typing signature. This characteristic was first noticed in telegraph days.
      • The time it takes to type certain pairs or triplets of letters can be measured, and the collection of these digraphs and trigraphs together forms a unique collection used to characterize individuals.
      • This technique requires special equipment.
      • A variation on this is to watch for certain abbreviations for commands and common errors.
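To make the digraph-timing idea concrete, here is an added Python example (not from the lesson) that builds a per-digraph latency profile from enrolment keystrokes and scores a new sample by its mean z-score against that profile. Keystroke timestamps, the enrolment text and the match threshold are constructed assumptions; real capture would need the keystroke-level instrumentation the slide calls "special equipment".

```python
from statistics import mean, pstdev

THRESHOLD = 3.0  # mean |z| above which the typist does not match the profile (assumed)

def type_text(text, latencies):
    """Constructed keystroke sequence: (char, press_time_ms) with the first key at t=0
    and latencies[i] milliseconds before each following key."""
    t, keystrokes = 0, [(text[0], 0)]
    for ch, lat in zip(text[1:], latencies):
        t += lat
        keystrokes.append((ch, t))
    return keystrokes

def digraph_latencies(keystrokes):
    """Map each adjacent letter pair (digraph) to the list of latencies observed for it."""
    out = {}
    for (a, ta), (b, tb) in zip(keystrokes, keystrokes[1:]):
        out.setdefault(a + b, []).append(tb - ta)
    return out

def build_typing_profile(samples):
    """Per-digraph (mean, stdev) pooled over the enrolment samples of one user.
    The stdev is floored at 1 ms so a perfectly regular digraph cannot divide by zero."""
    pooled = {}
    for ks in samples:
        for dg, lats in digraph_latencies(ks).items():
            pooled.setdefault(dg, []).extend(lats)
    return {dg: (mean(l), max(pstdev(l), 1.0)) for dg, l in pooled.items()}

def typing_deviation(profile, keystrokes):
    """Mean absolute z-score of the observed digraph latencies against the profile.
    Returns None when the sample shares no digraph with the profile (no decision)."""
    zs = []
    for dg, lats in digraph_latencies(keystrokes).items():
        if dg in profile:
            mu, sd = profile[dg]
            zs.extend(abs(l - mu) / sd for l in lats)
    return mean(zs) if zs else None

def matches_profile(profile, keystrokes, threshold=THRESHOLD):
    """True/False when a decision is possible, None when no digraph is shared."""
    d = typing_deviation(profile, keystrokes)
    return None if d is None else d <= threshold

# Constructed enrolment: the user types "the" three times with consistent timing.
ENROLMENT = [type_text("the", lat) for lat in ([120, 90], [130, 85], [110, 95])]
PROFILE = build_typing_profile(ENROLMENT)
GENUINE = type_text("the", [125, 88])    # same typist, small jitter (constructed)
IMPOSTOR = type_text("the", [250, 200])  # much slower on the same digraphs (constructed)
```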
  • Slide 43
  • Action Based
      • Also sometimes referred to as signature based.
      • Specific activities or actions (attack signatures) known to be indicative of intrusive activity are watched for, e.g. attempts to exploit known security holes.
      • Can also be used to look for unauthorized activity by insiders.
      • Problem is that not all methods are known, so new signatures are constantly being created and thus intrusion detection systems constantly need to be updated.
  • Slide 44
  • Summary
      • Detection of Incidents
      • Log File Analysis
      • Firewall Logs
      • Basics of IDS