Post on 19-Dec-2015
Incident Detection, Recovery and Forensics (Plus a Few Selected Threat Remarks)
Presentation to the Common Solutions Group
September 22, 2005
Abandon hope all ye who enter here…
Dante’s Inferno
General
• No computer is inherently secure; networks compound the issue
• Decisions made during software design can help (or hurt)
– Convenience versus protection spectrum
– Reasonable protection can be convenient and largely transparent, but costs rise
University Environments
• Distributed governance
• Differing user needs
• Cultural tradition of independence
• Emphasis on committees and consensus
– Comparatively slow process facing a fast-moving threat
Challenging Network Threat Environment
• Global network is a hostile place
– Constant probes
• Security is dependent on non-technical users
– Insecurity anywhere can affect the whole
• “Monoculture” intensifies attack effects
– If a new Windows flaw is discovered, it could enable rapid exploit spread due to Microsoft’s market dominance
Carnac the Not-So-Magnificent
• 10,866
• 1,862
• 1.04 Billion
• ~6 and 54
• 22
Threat Numbers: 10,866
• The number of new Windows viruses and worms documented by Symantec from January to June 2005
– Up 48% from the previous six months
Golden Oldies
• And the old ones are still around
– We’ve had to notify people of Blaster and Klez infections within the last 3 weeks
1,862
• New vulnerabilities identified
– Highest since they began tracking in 6-month intervals
– 59% in Web applications
10,352
• Bots detected per day for the first six months of 2005
– Up from 5,000 the previous 6 months
– Customized bot binary will cost you $200 to $300
Phishing and Spam
• Symantec blocked 1.04 billion phishing scams in the 6-month period
– Up from 546 million the previous six months
• Grew from 2.99 million per day to 5.70 million
• 61% of all email is now spam – (1 of every 125 of these involves a phishing scam)
~6 and 54…What’s Wrong with This Picture??
• Average time between public disclosure of a vulnerability and the existence of an exploit for it: ~6 days
• Average time between public disclosure of a vulnerability and a patch for it: 54 days
– A full 48 days (average) from the time an exploit was released until there is a patch for it
22 (Minutes)
• The approximate time on September 21, 2005 that an unprotected system could survive before being compromised
– Source: Internet Storm Center
– Varies by day, month and network
– Represents the time interval between hostile probes reaching a given system on a monitored network
They Like Us…They Really Like Us
• “Between January 1 and June 30, 2005 education was the most frequently targeted industry, followed by small business…”
• Internet Security Threat Report, Vol VIII, Symantec Corporation, September 2005
– Based on 24,000 sensors in 180 countries
Trends: What’s Increasing?
• Sophistication level of network attacks
• Complexity of detecting and removing residual malicious software
• Number of vendor security updates
• Mobility
– Laptops and PDAs connecting to uncontrolled networks and returning
Trends: What’s Decreasing?
• Amount of time for global spread (worms)
• Ability to prevent intrusions at the network border
• Amount of time available to install vendor security updates
• Amount of time to detect and defeat a network-based attack
Incident Response
• From everything presented so far, you will have incidents. The only question is whether you will handle them well
– Tools (Choose wisely…)
• Steps: Prevent, Detect, React, Recover, Report/Analyze
– Then Do-Si-Do and do it all over again
Prevention
• Education and Awareness
• Scanning
• Network Access Control (Barriers)
• Patch Management
• Prayer (Just Kidding)
“Take Control” Campaign
Education Continued
• Twice a Year: What users can do
• Conferences (Penn State Security Day)
• Full-time security trainer, also WBT
• Brochures
– Responsible Computing
– Privacy
– Desktop Protection
– Password Protection
– Reporting Incidents
What’s Wrong with Education…
• “It’s an important part of a defense-in-depth strategy”
• Will not reach everyone (~6000 of 82000 students and 20,000 faculty/staff)
• May have turned a corner -- Many users now realize they need to do something, but the technical something they need to do exceeds their skill level
Scanning
• For us right now, ISS and custom scans
• Will transition to Nessus as the baseline scanner
ISS
• Commercial scanner ($$)
• Tests a wide range of vulnerabilities
• Windows tests sometimes require administrator rights – lessens value of central scanning
Nessus
• Project to develop a free/open source vulnerability scanner
• Platforms:
– Server: Unix, Linux
– Client: X Windows GTK (Unix, Linux), Java, Win32
• Many, many security checks.
• Now also a commercial package
What’s Wrong with Vulnerability Scanning
• To the Chorus: It’s an important part of a defense-in-depth strategy…
• Zero Day, plus the 6 and 54 phenomenon
• We’re being probed at a rate where central scanning doesn’t beat the bad guys to the punch
• Can be incorporated into network access control strategy
Patch Management
• Must be automated anymore
• Limits test time
• Domain control can push changes – but what about the unmanaged systems and operating systems/applications not spelled Windows
What’s Wrong with Patch Management
• Chorus: “It’s an important part of a defense-in-depth strategy”
• 6 and 54 phenomenon
• Zero Day
• Unmanaged systems still largely the responsibility of non-technical users
Network Access Control
• Barrier Technologies
– Firewalls and Router ACLs
– Edge devices/switches with authentication requirements
– Network Registration
– Combine with scan to determine whether a new system is good enough for admission
• Good paper by I2/SALSA on Netauth
What’s Wrong with Network Access Control
• Chorus…
• With firewalls and router ACLs, may have performance issues
• If too much is disallowed, impacts legitimate users
• 6 and 54 plus zero day
• Exploits occurring via ports that must be kept open
• Scanning takes time – can usually only do a limited number of checks for admission
Prayer
• What’s wrong with prayer?
– Hey, I’m not touching that one…
– Chorus…
Incident Handling
Response, Detection et al
Key Decisions
• What is an incident?
• Formal team? Centralized?
• Scope of Responsibility (All, Only Central, Abuse too?)
• Release of information (internal, external)
• Who needs to be informed when?
• And finally, technology to use
Penn State Incident Response
• Approximately 9,000 incidents handled annually
– Some major (death threats, multi-system compromises)
• Extensive coordination with law enforcement and global incident response teams
• Full computer forensics capability available
We Are…Penn State
Most Commonly Used Tools at PSU
• Scanning (ISS, custom)
• Tracking – email
– Will transition to Footprints
• IDS (Snort, custom scripts for data reduction, Sourcefire, Mirage)
– Have also evaluated Tipping Point and Lancope
Intrusion Detection and Prevention
• Matches patterns of network activity to that of known automated attacks
• Also identifies systems behaving unusually or inconsistently with their normal pattern
• Allows rapid notification to University network contacts for remedial action
• Slowly introducing automated prevention of certain attack categories
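The two detection modes on this slide (matching known attack patterns, and spotting a host that departs from its normal behaviour) both run on top of the kind of data-reduction script listed under the PSU tools. Below is an added example of such a script, written for this page and not taken from the presentation or from Penn State; the alert lines are constructed in Snort's "fast" alert format, and the hosts, local SIDs and signature names are made up, as is the per-host peer baseline.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" alert format; the hosts, the
# SIDs (local 1000000+ range) and the signature names are invented here.
SAMPLE_ALERTS = """\
09/21-10:00:01.000000  [**] [1:1000001:1] LOCAL SMB 445/tcp probe [**] [Priority: 2] {TCP} 10.1.1.5:1034 -> 10.1.2.10:445
09/21-10:00:02.000000  [**] [1:1000001:1] LOCAL SMB 445/tcp probe [**] [Priority: 2] {TCP} 10.1.1.5:1035 -> 10.1.2.11:445
09/21-10:00:03.000000  [**] [1:1000001:1] LOCAL SMB 445/tcp probe [**] [Priority: 2] {TCP} 10.1.1.5:1036 -> 10.1.2.12:445
09/21-10:00:04.000000  [**] [1:1000001:1] LOCAL SMB 445/tcp probe [**] [Priority: 2] {TCP} 10.1.1.5:1037 -> 10.1.2.13:445
09/21-10:00:05.000000  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 10.1.1.9 -> 10.1.2.10
09/21-10:00:06.000000  [**] [1:1000001:1] LOCAL SMB 445/tcp probe [**] [Priority: 2] {TCP} 10.1.1.7:2001 -> 10.1.2.10:445
"""

# One fast-format line: [**] [gid:sid:rev] signature [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<sig>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+?)(?::\d+)? -> (?P<dst>\S+?)(?::\d+)?$"
)

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.search(line.strip())
    return m.groupdict() if m else None

def reduce_alerts(text, max_peers=3):
    """Collapse raw alerts into one record per source host.

    max_peers is an assumed per-host baseline: a source that touched more
    distinct destinations than that is flagged as behaving unusually
    (worm-like fan-out) and goes to the top of the network-contact notices.
    """
    per_src = defaultdict(lambda: {"alerts": 0, "peers": set(), "sigs": set()})
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # skip odd lines rather than stall the whole run
        rec = per_src[a["src"]]
        rec["alerts"] += 1
        rec["peers"].add(a["dst"])
        rec["sigs"].add(a["sig"])
    return {
        src: {"alerts": r["alerts"], "peers": len(r["peers"]),
              "sigs": sorted(r["sigs"]), "anomalous": len(r["peers"]) > max_peers}
        for src, r in per_src.items()
    }

if __name__ == "__main__":
    report = reduce_alerts(SAMPLE_ALERTS)
    for src, r in sorted(report.items(), key=lambda kv: -kv[1]["peers"]):
        print(src, r)
```

In the sample, 10.1.1.5 is flagged because it hit four different hosts on 445/tcp, while 10.1.1.7 fired the same signature once and is reported but not flagged.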
Intrusion Detection and Prevention
• 39 locations University-wide
• Monitoring done at University Park
• Provides crucial early-warning function
• More than 10,000 compromised systems detected since 2002
– Enables action mostly before rather than after damage
Basic IDS Network Configuration
• Location: local area network level
• “Mirroring” network traffic is required
• IDS implementation can be deployed with or without a firewall
Residence Hall Firewall and IDS/IPS – Fall 2005 (diagram; only its labels survive extraction: MS Fileshare and some P2P; Not Blocked; Blocked; Initiated Inside RH; Blocked – Special Rules; Initiated Outside RH; Initiated Inside RH – Attempts to Cross Subnets; Cannot Block – Does Not Cross Firewall; Special IDS Network; SOS Scanning Machines)
• Outbound email (Port 25) restricted to smtp.psu.edu and authsmtp.psu.edu, plus departmental smtp servers if requested by the network contact and approved
The Future Requirement
• Detect and defeat a previously unknown network-based attack, in seconds or less.
• Be able to do so 24/7, 52 weeks of the year
– Without substantial staff increases
– Without requiring a “client” installed on every computer University-wide, if possible
– Difficult to say how close we will come
What’s Wrong with IDS/IPS
• Chorus…
• Can Zero Day really be detected in the timeframes necessary, vendor claims aside
• False Positives
• Still reactive versus proactive
• Encryption may impact – particularly if/when we get to an era of encapsulated headers
• Still staff-intensive
Forensics
• Preserves evidence in a manner suitable for lawyers…
• In-house has been more timely for us versus outsourcing (One month turnaround versus six)
• Used for cases that have a computer component versus strictly computer abuse
– Missing student example
Incidents
• Incidents range from the minor/annoying to very serious:
– Viruses and Spam
– Unauthorized Access Attempts (probes)
– Denial of Service Attacks (DoS)
– Compromised computer systems
– Data Leaks
– Copyright Violations
– Commercial Use of Penn State Resources
– Electronic Harassment
– Spam, Relays & Chain Letters
– E-Mail (or other) Electronic Forgeries
Common Tools
• Anything that can do a mirror image
• Coroner’s Toolkit
• Encase
• Autopsy
• A good rootkit revealer
Autopsy Screenshot
http://www.atstake.com/research/tools/autopsy/images/timeline1.gif
Where to find tools…
• http://www.insecure.org/tools.html
• http://www.rootkit.com
• http://www.sysinternals.com/utilities/rootkitrevealer.html
• http://www.porcupine.org/forensics/tct.html
• http://www.atstake.com/research/tools/task
• http://www.atstake.com/research/tools/autopsy
• http://www.foundstone.com/knowledge/forensics.html
Questions?