AIM – Agile Incident Management

Slide 1

Prepared By: Robert W. Beggs, CISSP CISA
Presented To: EnergizeIT

16 June 2007

© DigitalDefence, Inc. 2007 (www.digitaldefence.ca)

- AIM – Agile Incident Management

Slide 2

Introduction

• Robert Beggs, CISSP, CISA

- 15+ years experience in Information Security

- Military, biomedical research, consulting, financial services background

• DigitalDefence.ca - 9-1-1 for Data Security Incidents

- Focus on providing incident management services

- Professional services, managed services, training

Slide 3

Data Security Incidents

Data security incident: the act of non-compliance with the corporate security policy or procedures, or any event that negatively impacts the confidentiality, integrity and availability of your corporate data

Slide 4

The Threat

• Attackers financially motivated – skills are rewarded; “business competitors” are hacking

• “Trickle down effect” – powerful, easy to use tools are widely available (Metasploit)

• Focus on hiding attacks, beating forensics

• Internal attacks are commonly detected

• External attacks are focused on the end user, not the network

- Cross-site scripting

- USB devices

Slide 5

Law Enforcement …

• 61,000 police officers in Canada

• 245 specialize in cybercrime (0.4%)

• Overall, lack budget and training

• Still developing legal infrastructure to support criminal investigations (lawful intercept legislation)

• In short, an effective response is generally up to the victim

• Are you ready? …

Slide 6

Traditional Incident Response, IR

• Event-triggered: you have lost the initiative

• Competing priorities – technical (investigation) versus business (recovery)

• Mistakes are frequently made

Slide 7

Slide 8

Agile Incident Management

Incident management is the totality of proactive and reactive measures undertaken to help prevent and manage data security incidents across an organization

Slide 9

Proactive Measures

• Develop incident management strategic plan; integrate it into corporate business strategy

• Risk assessment – security / privacy incidents are a business risk

• Develop policy and SOPs (standard operating procedures)

• Assign roles and responsibilities

• Support technical staff

• Augmentation with appropriate 3rd parties

Slide 10

Proactive Measures

• Activity monitoring, including employees

• Pro-active forensics

• End-user education

• Create a culture of security

Slide 11

Reactive Measures

• Emphasize “agility”

- Fast, Focused, Flexible

• Fast data collection (live response)

• Fast data analysis

• Focused and appropriate response / countermeasures

• Focused documentation

• Flexible approach – attacks can change rapidly

Slide 12

Live Response

• Live response = volatile + (sometimes) non-volatile data collected before the system is powered down and recovered

• Why?

- Rapid response; provide guidance for traditional response

- Loss of volatile information (Trojan defence)

- System must be returned to production state

- Too much data to image (750 GB drives common)

- Data will return to encrypted / locked state

Slide 13

Information To Collect

• System time

• RAM contents

• Logged-on user(s)

• Open files

• Network information

• Network connections

• Running process information

• Process-to-port mapping

• Process memory

• Network status

• Clipboard contents

• Service / driver information

• Command history

• Mapped drives

• Shares

• ADS

• Registry (e.g. autoruns)

• Non-volatile information (e.g. event logs, file lists)

• System time

Slide 14

Live Response Tools

• Console-agent architecture

- Enterprise forensic software (EnCase, LiveWire)

- Mandiant’s First Response

• Helix bootable Linux CD or USB

• Open-source IR scripts

• Roll your own script to invoke native MS Windows commands, CLI tools

- MS .BAT files are reliable, easy to explain

- Perl can be more flexible

Slide 15

Make Your Own Response Toolset

• Create a bootable disk (command.com, cmd.exe)

• Use multiple media formats (floppy, CD, DVD, USB)

• Label the disk

• Rename the tools you will use!

• Make sure that all dependencies are included

• Do an MD5 hash of final tools, toolset

• Identify where output will be stored, and how it will be protected

• Test

Slide 16

Step One: Validate Your Tools

• Tools must not alter the target system OR all alterations must be known

• What is the “touch” of the file on the target?

- Regmon and Filemon (Sysinternals)

- ListDLLs (Sysinternals) identifies changes to DLL usage, or changed / updated DLLs

- Dependency Walker (www.dependencywalker.com) identifies any changes to dependent modules

- Wireshark or other sniffer

• What is the “touch” of the delivery system (CD, USB)?
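Added example, not from the slides or from DigitalDefence: a Python script that builds the MD5 manifest of a response toolset (slide 15, "Do an MD5 hash of final tools, toolset") and then re-snapshots the same directory after a run to show what was altered, the "touch" check slide 16 asks for on the delivery media. The toolset layout and file names are constructed for the example.

```python
import hashlib
import os
import tempfile

# Added example; the toolset layout and file names are constructed, not a real product's tools.

def md5_file(path, chunk=65536):
    """MD5 of one file, read in chunks so large binaries do not fill RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Manifest: relative path -> MD5 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = md5_file(full)
    return manifest

def manifest_digest(manifest):
    """Single MD5 over the sorted manifest: the toolset hash to write on the label."""
    text = "".join(f"{h}  {p}\n" for p, h in sorted(manifest.items()))
    return hashlib.md5(text.encode("ascii")).hexdigest()

def compare(before, after):
    """What changed between two snapshots: files added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }

def demo():
    """Constructed toolset: take the golden manifest, then simulate a run that
    altered one tool and left output on the media; return what changed."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for rel, data in {"bin/dd_ir.exe": b"stand-in A", "bin/pslist_ir.exe": b"stand-in B"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        golden = snapshot(root)
        with open(os.path.join(root, "bin", "pslist_ir.exe"), "ab") as f:
            f.write(b"\x00")  # a tool on the media was modified
        with open(os.path.join(root, "run.log"), "wb") as f:
            f.write(b"output landed on the toolset media")  # output was not redirected
        return compare(golden, snapshot(root)), manifest_digest(golden)
```

Run `snapshot()` on the mastered media before the first use and keep that manifest off the media; any non-empty `compare()` result after a response means the toolset itself is now evidence of the run.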

Slide 17

Let’s Begin …

Slide 18

Memory Analysis

• It’s the RAM! (Does not include virtual memory swapped to the HD)

• How do we get it?

- Hardware devices

- Firewire (uses direct memory access, DMA)

- Crash dumps

- Suspended virtual sessions

- DD (“data dumper”)

- Other applications (KnTTools, Nigilant32, ProDiscover IR)

Slide 19

Nigilant32 (http://www.agilerm.net/download.html)

• Free

• Black box – does not describe how it is doing it

• Does not provide any analysis tool

Slide 20

Analysis of a Memory Image

• Hex editor + string search

- “Password”, “BOT”, “@hotmail”, “backdoor”, “Trojan”, “key”, “logger”, “IRC”, various expletives

• Various open source scripts

- Ptfinder.pl (Andreas Schuster)

- Lsproc.pl, Lspd.pl, Lspi.pl (Harlan Carvey)

• Proprietary tools
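Added example, not from the slides and not one of the scripts named above: a Python string search over a constructed stand-in for a raw memory image, applying this slide's keyword list in both ASCII and UTF-16LE (Windows keeps much of its in-memory text in the latter, so an ASCII-only search misses it). The sample bytes, the case-folding and the minimum string length are my assumptions.

```python
import mmap
import re

# Keyword list from the slide, lower-cased; "bot" and "key" are short and each
# hit will need analyst review (e.g. "both", "keyboard").
KEYWORDS = ["password", "bot", "@hotmail", "backdoor", "trojan", "key", "logger", "irc"]

def ascii_strings(data, min_len=4):
    """Yield (offset, text) for runs of printable ASCII at least min_len long."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")

def utf16le_strings(data, min_len=4):
    """Yield (offset, text) for printable UTF-16LE runs (ASCII char + NUL pairs)."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group().decode("utf-16-le")

def search_image(data, keywords=KEYWORDS, min_len=4):
    """Return sorted (offset, encoding, keyword, string) hits over the image bytes."""
    hits = []
    for enc, gen in (("ascii", ascii_strings), ("utf16le", utf16le_strings)):
        for off, text in gen(data, min_len):
            low = text.lower()
            hits.extend((off, enc, k, text) for k in keywords if k in low)
    return sorted(hits)

def search_file(path, keywords=KEYWORDS):
    """Search a dump on disk through mmap so a multi-GB image is not read into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return search_image(mm, keywords)

# Constructed stand-in for a RAM dump: ASCII and UTF-16LE text between junk bytes.
SAMPLE = (b"\x00\x00MZ\x90"
          + b"connecting to irc.example.invalid:6667" + b"\x00\x01\x02"
          + "Password=hunter2".encode("utf-16-le") + b"\xff\xfe"
          + b"short\x00"
          + b"C:\\Windows\\System32\\backdoor.dll\x00")

if __name__ == "__main__":
    for off, enc, kw, text in search_image(SAMPLE):
        print(f"0x{off:08x} {enc:8} {kw:10} {text}")
```

The offsets are what you would then jump to in the hex editor; the UTF-16LE hit is the one a plain `strings`-style pass would not show.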

Slide 21

DEMO

Slide 22

“Rules of the Tools”

• Understand the tool, and the results

• Test before use

• Have a clear objective; don’t throw everything at a suspect system

• Redundancy – every finding should be validated by at least 2 separate tools, preferably from 2 different vendors

- FPorts (Foundstone)

- OpenPorts (PortExplorer toolkit; www.diamondcs.com.au)

Slide 23

Live Response Tools

Slide 24

DEMO

(Selected Tools)

Slide 25

Open Source – Windows Forensic Toolchest

http://www.foolmoon.net/security/wft/index.html

Slide 26

Open Source and Easy – Helix 1.8

• http://www.e-fense.com/helix/

• Runs on Windows and Unix boxes; well documented

• CD tools may be out of date

Slide 27

Remember

• Toronto Area Security Klatch, TASK

- www.task.to

- Free monthly meetings, portal site

• SecTor (November, 2007)

- www.sector.ca

- Technical attacks; technical defences

- Dan Kaminsky, Johnny Long, Ira Winkler …

• Free Canadian Information Security Newsletter (www.digitaldefence.ca/subscribe)

Slide 28

Contact