Incident Detection, Recovery and Forensics (Plus a Few Selected Threat Remarks) Presentation to the Common Solutions Group September 22, 2005

Post on 19-Dec-2015


Page 1: Incident Detection, Recovery and Forensics (Plus a Few Selected Threat Remarks) Presentation to the Common Solutions Group September 22, 2005

Incident Detection, Recovery and Forensics (Plus a Few Selected Threat Remarks)

Presentation to the Common Solutions Group

September 22, 2005

Page 2: Abandon hope all ye who enter here…

– Dante’s Inferno

Page 3: General

• No computer is inherently secure; networks compound the issue

• Decisions made during software design can help (or hurt)
  – Convenience versus protection spectrum
  – Reasonable protection can be convenient and largely transparent, but costs rise

Page 4: University Environments

• Distributed governance

• Differing user needs

• Cultural tradition of independence

• Emphasis on committees and consensus
  – Comparatively slow process facing a fast-moving threat

Page 5: Challenging Network Threat Environment

• Global network is a hostile place
  – Constant probes

• Security is dependent on non-technical users
  – Insecurity anywhere can affect the whole

• “Monoculture” intensifies attack effects
  – If a new Windows flaw is discovered, it could enable rapid exploit spread due to Microsoft’s market dominance

Page 6: Carnac the Not-So-Magnificent

• 10,866

• 1,862

• 1.04 Billion

• ~6 and 54

• 22

Page 7: Threat Numbers: 10,866

• The number of new Windows viruses and worms documented by Symantec from January to June 2005
  – Up 48% from the previous six months

Page 8: Golden Oldies

• And the old ones are still around
  – We’ve had to notify people of Blaster and Klez infections within the last 3 weeks

Page 9: 1,862

• New vulnerabilities identified (the highest since they began tracking 6-month intervals)
  – 59% in Web applications

Page 10: 10,352

• Bots detected per day for the first six months of 2005
  – Up from 5,000 the previous 6 months
  – Customized bot binary will cost you $200 to $300

Page 11: Phishing and Spam

• Symantec blocked 1.04 billion phishing scams in the 6-month period
  – Up from 546 million the previous six months

• Grew from 2.99 million per day to 5.70 million

• 61% of all email is now spam
  – (1 of every 125 of these involves a phishing scam)

Page 12: ~6 and 54… What’s Wrong with This Picture??

• Average time between public disclosure of a vulnerability and the existence of an exploit for it: ~6 days

• Average time between public disclosure of a vulnerability and a patch for it: 54 days
  – A full 48 days (average) from the time an exploit was released until there is a patch for it

Page 13: 22 (Minutes)

• The approximate time on September 21, 2005 that an unprotected system could survive before being compromised
  – Source: Internet Storm Center
  – Varies by day, month and network
  – Represents the time interval between hostile probes reaching a given system on a monitored network
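The definition on this slide, the interval between hostile probes reaching one system, can be measured on a site's own border logs. The script below is an added example, not Penn State's code and not the Internet Storm Center's method: it parses constructed netfilter-style syslog drop lines, collapses one scanner's port sweep into a single probe, and reports the gap between successive probes per host. The log format, the 60-second burst window and the 2005 year are this example's assumptions.

```python
"""Estimate 'survival time' (minutes between hostile probes reaching a host)
from border firewall drop logs. Added example; log lines are constructed."""
import re
import statistics
from datetime import datetime

# Assumed netfilter-style syslog line; only DROP lines count as hostile probes.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)"
)
LOG_YEAR = 2005  # assumption: syslog timestamps carry no year

# Constructed sample (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Sep 21 09:00:00 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
Sep 21 09:14:30 border kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=135
Sep 21 09:14:31 border kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=139
Sep 21 09:40:00 border kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=445
Sep 21 10:05:00 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP DPT=1433
Sep 21 10:30:00 border kernel: DROP IN=eth0 SRC=203.0.113.44 DST=192.0.2.11 PROTO=TCP DPT=445
Sep 21 10:31:00 border kernel: ACCEPT IN=eth0 SRC=192.0.2.50 DST=192.0.2.11 PROTO=TCP DPT=80
"""


def parse_probes(text):
    """Return [(datetime, src, dst, dport)] for dropped inbound attempts only."""
    probes = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("action") != "DROP":
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        probes.append((ts, m.group("src"), m.group("dst"), int(m.group("dport"))))
    return probes


def survival_times(probes, burst_window_s=60):
    """Per destination host, the minutes between successive probes.

    Several ports tried by the same source within burst_window_s count as one
    probe, so a single scanner sweeping ports does not look like many attackers."""
    by_host = {}
    for ts, src, dst, _dport in sorted(probes):
        kept = by_host.setdefault(dst, [])
        if kept and kept[-1][1] == src and (ts - kept[-1][0]).total_seconds() <= burst_window_s:
            continue
        kept.append((ts, src))
    return {
        dst: [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(kept, kept[1:])]
        for dst, kept in by_host.items()
    }


def median_survival_minutes(probes):
    """Median gap across all monitored hosts: one figure comparable to the slide's 22."""
    gaps = [g for host_gaps in survival_times(probes).values() for g in host_gaps]
    return statistics.median(gaps) if gaps else None


if __name__ == "__main__":
    sample = parse_probes(SAMPLE_LOG)
    for host, gaps in survival_times(sample).items():
        print(host, [f"{g:.1f} min" for g in gaps])
    print("median survival:", median_survival_minutes(sample), "minutes")
```

The number is only as good as the sensor's view: a host behind an upstream filter sees fewer probes and would appear to "survive" longer, which is the slide's point that the figure varies by network.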

Page 14: They Like Us… They Really Like Us

• “Between January 1 and June 30, 2005 education was the most frequently targeted industry, followed by small business…”

• Internet Security Threat Report, Vol. VIII, Symantec Corporation, September 2005
  – Based on 24,000 sensors in 180 countries

Page 15: Trends: What’s Increasing?

• Sophistication level of network attacks

• Complexity of detecting and removing residual malicious software

• Number of vendor security updates

• Mobility
  – Laptops and PDAs connecting to uncontrolled networks and returning

Page 16: Trends: What’s Decreasing?

• Amount of time for global spread (worms)

• Ability to prevent intrusions at the network border

• Amount of time available to install vendor security updates

• Amount of time to detect and defeat a network-based attack

Page 17: Incident Response

• From everything presented so far, you will have incidents. The only question is whether you will handle them well
  – Tools (choose wisely…)

• Steps: Prevent, Detect, React, Recover, Report/Analyze
  – Then do-si-do and do it all over again

Page 18: Prevention

• Education and Awareness

• Scanning

• Network Access Control (Barriers)

• Patch Management

• Prayer (Just Kidding)

Page 19: “Take Control” Campaign

Page 20: Education Continued

• Twice a year: what users can do

• Conferences (Penn State Security Day)

• Full-time security trainer, also WBT (web-based training)

• Brochures
  – Responsible Computing
  – Privacy
  – Desktop Protection
  – Password Protection
  – Reporting Incidents

Page 21: What’s Wrong with Education…

• “It’s an important part of a defense-in-depth strategy”

• Will not reach everyone (~6,000 of 82,000 students and 20,000 faculty/staff)

• May have turned a corner: many users now realize they need to do something, but the technical something they need to do exceeds their skill level

Page 22: Scanning

• For us right now, ISS and custom scans

• Will transition to Nessus as the baseline scanner

Page 23: ISS

• Commercial scanner ($$)

• Tests a wide range of vulnerabilities

• Windows tests sometimes require administrator rights (lessens the value of central scanning)

Page 24: Nessus

• Project to develop a free/open source vulnerability scanner

• Platforms:
  – Server: Unix, Linux
  – Client: X Windows GTK (Unix, Linux), Java, Win32

• Many, many security checks

• Now also a commercial package

Page 25: What’s Wrong with Vulnerability Scanning

• To the chorus: it’s an important part of a defense-in-depth strategy…

• Zero day, plus the 6 and 54 phenomenon

• We’re being probed at a rate where central scanning doesn’t beat the bad guys to the punch

• Can be incorporated into a network access control strategy

Page 26: Patch Management

• Must be automated these days

• Limits test time

• Domain control can push changes – but what about the unmanaged systems and the operating systems/applications not spelled Windows?

Page 27: What’s Wrong with Patch Management

• Chorus: “It’s an important part of a defense-in-depth strategy”

• 6 and 54 phenomenon

• Zero Day

• Unmanaged systems still largely the responsibility of non-technical users

Page 28: Network Access Control

• Barrier technologies
  – Firewalls and router ACLs
  – Edge devices/switches with authentication requirements
  – Network registration
  – Combine with scan to determine whether a new system is good enough for admission

• Good paper by I2/SALSA on Netauth

Page 29: What’s Wrong with Network Access Control

• Chorus…

• With firewalls and router ACLs, may have performance issues

• If too much is disallowed, impacts legitimate users

• 6 and 54 plus zero day

• Exploits occurring via ports that must be kept open

• Scanning takes time – can usually only do a limited number of checks for admission

Page 30: Prayer

• What’s wrong with prayer?
  – Hey, I’m not touching that one…
  – Chorus…

Page 31: Incident Handling

Response, Detection et al.

Page 32: Key Decisions

• What is an incident?

• Formal team? Centralized?

• Scope of Responsibility (All, Only Central, Abuse too?)

• Release of information (internal, external)

• Who needs to be informed when?

• And finally, technology to use

Page 33: Penn State Incident Response

• Approximately 9,000 incidents handled annually
  – Some major (death threats, multi-system compromises)

• Extensive coordination with law enforcement and global incident response teams

• Full computer forensics capability available

Page 34: We Are… Penn State

Page 35: Most Commonly Used Tools at PSU

• Scanning (ISS, custom)

• Tracking: email
  – Will transition to Footprints

• IDS (Snort, custom scripts for data reduction, Sourcefire, Mirage)
  – Have also evaluated TippingPoint and Lancope

Page 36: Intrusion Detection and Prevention

• Matches patterns of network activity to that of known automated attacks

• Also identifies systems behaving unusually or inconsistently with their normal pattern

• Allows rapid notification to University network contacts for remedial action

• Slowly introducing automated prevention of certain attack categories
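The two detection styles on this slide, matching network activity against the pattern of a known automated attack and flagging hosts that depart from their own normal pattern, as an added example that is not Penn State's Snort or Sourcefire deployment. A reduced set of flow records (the "data reduction" step from the tools slide) is checked against a constructed fan-out signature for RPC/DCOM worm propagation on TCP/135, the port Blaster spread over, and against a constructed per-host baseline of distinct destinations. The flows, the signature thresholds and the baseline figures are all this example's assumptions.

```python
"""Signature matching plus per-host behaviour baselining over flow records.
Added example; flows, signature and baseline figures are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the start of the capture
    src: str
    dst: str
    proto: str
    dport: int


# Constructed signature: one source reaching many distinct hosts on TCP/135
# inside a short window is the propagation pattern of RPC/DCOM worms.
SIGNATURES = [
    {"name": "rpc-dcom-worm-scan", "proto": "tcp", "dport": 135,
     "min_distinct_dsts": 20, "window_s": 60.0},
]

# Constructed baseline: (mean, stdev) of distinct destinations per capture
# window, learned earlier from clean traffic for each monitored host.
BASELINE = {"10.1.1.5": (5.0, 2.0), "10.1.1.9": (4.0, 1.0)}


def build_sample_flows():
    """Constructed traffic: 10.1.1.5 behaves normally, 10.1.1.9 sweeps a /24 on port 135."""
    flows = [Flow(60.0 * i, "10.1.1.5", f"10.2.0.{i + 1}", "tcp", 80) for i in range(5)]
    flows += [Flow(1.0 * i, "10.1.1.9", f"10.3.0.{i + 1}", "tcp", 135) for i in range(30)]
    return sorted(flows, key=lambda f: f.ts)


def reduce_by_source(flows):
    """Data reduction: bucket raw flows by (src, proto, dport) before any matching."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.proto, f.dport)].append(f)
    return buckets


def signature_alerts(flows, signatures=SIGNATURES):
    """Return (signature name, source) for sources whose sliding-window fan-out matches."""
    alerts = []
    for (src, proto, dport), group in reduce_by_source(flows).items():
        for sig in signatures:
            if (proto, dport) != (sig["proto"], sig["dport"]):
                continue
            group.sort(key=lambda f: f.ts)
            start = 0
            for end in range(len(group)):
                while group[end].ts - group[start].ts > sig["window_s"]:
                    start += 1
                if len({f.dst for f in group[start:end + 1]}) >= sig["min_distinct_dsts"]:
                    alerts.append((sig["name"], src))
                    break
    return alerts


def anomaly_alerts(flows, baseline=BASELINE, sigmas=3.0):
    """Flag hosts whose distinct-destination count exceeds mean + sigmas * stdev."""
    fanout = defaultdict(set)
    for f in flows:
        fanout[f.src].add(f.dst)
    alerts = []
    for src, dsts in fanout.items():
        if src not in baseline:
            alerts.append(("no-baseline", src, len(dsts)))
            continue
        mean, stdev = baseline[src]
        if len(dsts) > mean + sigmas * stdev:
            alerts.append(("fan-out-anomaly", src, len(dsts)))
    return alerts


def prevention_candidates(flows):
    """Sources flagged by both methods: the only ones handed to automated prevention."""
    by_signature = {src for _name, src in signature_alerts(flows)}
    by_behaviour = {src for kind, src, _n in anomaly_alerts(flows) if kind == "fan-out-anomaly"}
    return sorted(by_signature & by_behaviour)


if __name__ == "__main__":
    sample = build_sample_flows()
    print("signature:", signature_alerts(sample))
    print("behaviour:", anomaly_alerts(sample))
    print("block candidates:", prevention_candidates(sample))
```

Only hosts flagged by both methods are offered to the automated prevention the last bullet mentions; requiring agreement is a cheap way to keep an automatic block from acting on one method's false positives, which a later slide lists as a standing problem with IDS/IPS.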

Page 37: Intrusion Detection and Prevention

• 39 locations University-wide

• Monitoring done at University Park

• Provides crucial early-warning function

• More than 10,000 compromised systems detected since 2002
  – Enables action mostly before rather than after damage

Page 38: Basic IDS Network Configuration

• Location: local area network level

• “Mirroring” network traffic is required

• IDS implementation can be deployed with or without a firewall

Page 39: Residence Hall Firewall and IDS/IPS – Fall 2005

[Figure: Residence Hall Firewall diagram. Labels recoverable from the figure:]
  – MS Fileshare and some P2P
  – Not Blocked (Initiated Inside RH)
  – Blocked (Initiated Outside RH)
  – Blocked – Special Rules (Initiated Inside RH – Attempts to Cross Subnets)
  – Cannot Block – Does Not Cross Firewall
  – Special IDS Network
  – SOS Scanning Machines
  – Outbound email (Port 25) restricted to smtp.psu.edu and authsmtp.psu.edu, departmental SMTP servers if requested by network contact/approved
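The rules readable from the diagram, written as a small policy model so the expected verdict for a given connection can be checked. This is an added example, not Penn State's firewall configuration: the zone names, the port set standing in for "MS Fileshare and some P2P", the departmental SMTP entry, the scanner exception and the default-allow for anything the diagram does not mention are all this example's assumptions.

```python
"""Policy model of the residence hall (RH) firewall rules on the slide.
Added example; zone names, port sets and defaults are assumptions."""
from dataclasses import dataclass

# Assumption: Microsoft file-sharing ports plus one representative P2P port.
FILESHARE_PORTS = {135, 137, 138, 139, 445}
P2P_PORTS = {6881}                 # stands in for "some P2P"
RESTRICTED_PORTS = FILESHARE_PORTS | P2P_PORTS

# From the slide: outbound SMTP only to these relays, plus departmental
# servers approved on request (the departmental entry is a placeholder).
APPROVED_SMTP = {"smtp.psu.edu", "authsmtp.psu.edu"}
APPROVED_DEPT_SMTP = {"mail.dept.example.psu.edu"}   # constructed placeholder


@dataclass(frozen=True)
class Conn:
    src_zone: str     # "rh", "campus", "internet" or "scanner" (assumed zone names)
    src_subnet: str   # e.g. "rh-a"; only meaningful when both ends are in the RH
    dst_zone: str
    dst_subnet: str
    dst_host: str     # DNS name of the destination, used by the SMTP rule
    dport: int        # TCP destination port; the initiator is always src


def evaluate(conn):
    """Return (verdict, reason) for one connection attempt.

    Verdicts: "allowed", "blocked", or "not-enforceable" for traffic that never
    crosses the firewall (the diagram's "Cannot Block" case)."""
    rh_to_rh = conn.src_zone == "rh" and conn.dst_zone == "rh"
    if rh_to_rh and conn.src_subnet == conn.dst_subnet:
        return "not-enforceable", "does not cross the firewall"
    # Assumption: the SOS scanning machines / special IDS network reach the RH freely.
    if conn.src_zone == "scanner":
        return "allowed", "special IDS/scanner network"
    if conn.dport == 25 and conn.src_zone == "rh" and conn.dst_zone != "rh":
        if conn.dst_host in APPROVED_SMTP | APPROVED_DEPT_SMTP:
            return "allowed", "approved SMTP relay"
        return "blocked", "outbound port 25 restricted to approved relays"
    if conn.dport in RESTRICTED_PORTS:
        if conn.dst_zone == "rh" and conn.src_zone != "rh":
            return "blocked", "fileshare/P2P initiated outside RH"
        if rh_to_rh:
            return "blocked", "fileshare/P2P crossing RH subnets (special rules)"
        return "allowed", "fileshare/P2P initiated inside RH"
    # Assumption: the diagram lists only blocked categories, so the rest passes.
    return "allowed", "no rule on the diagram"


# Constructed connections covering every branch of the diagram.
SAMPLE_CONNS = [
    Conn("internet", "", "rh", "rh-a", "", 445),
    Conn("rh", "rh-a", "internet", "", "", 445),
    Conn("rh", "rh-a", "rh", "rh-b", "", 139),
    Conn("rh", "rh-a", "rh", "rh-a", "", 139),
    Conn("rh", "rh-a", "campus", "", "smtp.psu.edu", 25),
    Conn("rh", "rh-a", "internet", "", "mail.example.net", 25),
    Conn("scanner", "", "rh", "rh-a", "", 445),
]

if __name__ == "__main__":
    for c in SAMPLE_CONNS:
        verdict, reason = evaluate(c)
        print(f"{c.src_zone:>8} -> {c.dst_zone:<8} port {c.dport:<5} {verdict:<15} {reason}")
```

Keeping the policy as data plus a single evaluation function makes the "If too much is disallowed, impacts legitimate users" trade-off from the NAC slide testable: every rule change can be run against a fixed set of connections that must keep working.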

Page 40: The Future Requirement

• Detect and defeat a previously unknown network-based attack, in seconds or less

• Be able to do so 24/7, 52 weeks of the year
  – Without substantial staff increases
  – Without requiring a “client” installed on every computer University-wide, if possible
  – Difficult to say how close we will come

Page 41: What’s Wrong with IDS/IPS

• Chorus…

• Can zero day really be detected in the timeframes necessary, vendor claims aside?

• False positives

• Still reactive versus proactive

• Encryption may impact – particularly if/when we get to an era of encapsulated headers

• Still staff-intensive

Page 42: Forensics

• Preserves evidence in a manner suitable for lawyers…

• In-house has been more timely for us versus outsourcing (one month turnaround versus six)

• Used for cases that have a computer component versus strictly computer abuse
  – Missing student example

Page 43: Incidents

• Incidents range from the minor/annoying to the very serious:
  – Viruses and spam
  – Unauthorized access attempts (probes)
  – Denial of service attacks (DoS)
  – Compromised computer systems
  – Data leaks
  – Copyright violations
  – Commercial use of Penn State resources
  – Electronic harassment
  – Spam, relays & chain letters
  – E-mail (or other) electronic forgeries

Page 44: Common Tools

• Anything that can do a mirror image

• Coroner’s Toolkit

• EnCase

• Autopsy

• A good rootkit revealer
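Two basics behind this tool list and the "suitable for lawyers" requirement on the Forensics slide: proving that an acquired image is unchanged by hashing it at acquisition and again after analysis, and building a mactime-style modified/accessed/changed timeline from file metadata, the kind of view the Autopsy timeline screenshot on the next slide renders. This is an added example, not code from the deck or from the Coroner's Toolkit, EnCase or Autopsy; the "image" bytes and the evidence files are constructed, and the recorded digest is the standard SHA-256 test vector for that input.

```python
"""Image integrity check and MAC timeline, added example.
The sample image and evidence tree are constructed."""
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for an acquired disk image and the digest a practitioner
# would have recorded at acquisition time (SHA-256 of b"abc").
SAMPLE_IMAGE_BYTES = b"abc"
SAMPLE_IMAGE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so images larger than RAM still hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(path, expected_hex):
    """True only if the image on disk still matches the recorded acquisition hash."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def write_sample_image():
    """Write the constructed image to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_IMAGE_BYTES)
    return path


def simulate_tampering(path):
    """Append one byte, standing in for any post-acquisition change to the image."""
    with open(path, "ab") as fh:
        fh.write(b"x")


def mac_timeline(root):
    """Return [(epoch_seconds, flags, relative_path)] sorted by time.

    flags is a three-character m/a/c column as in TCT's mactime output, e.g.
    "ma." when modified and accessed times coincide and ctime differs."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            per_time = {}
            for letter, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                per_time.setdefault(ts, set()).add(letter)
            for ts, letters in per_time.items():
                flags = "".join(ch if ch in letters else "." for ch in "mac")
                rows.append((ts, flags, rel))
    return sorted(rows)


def build_sample_evidence():
    """Create a constructed evidence tree with known m/a times; return its root."""
    root = tempfile.mkdtemp(prefix="evidence-")
    for name, when in (("old.txt", 1000), ("new.txt", 2000)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(name)
        os.utime(path, (when, when))   # sets atime and mtime; ctime stays "now"
    return root


if __name__ == "__main__":
    image = write_sample_image()
    print("image verifies:", verify_image(image, SAMPLE_IMAGE_SHA256))
    simulate_tampering(image)
    print("after change:  ", verify_image(image, SAMPLE_IMAGE_SHA256))
    for ts, flags, rel in mac_timeline(build_sample_evidence()):
        print(f"{ts:>14.0f}  {flags}  {rel}")
```

Work on a copy and hash the original before and after: the timeline itself is built from stat() only, because merely opening a file on a live mount can update its access time and destroy the evidence the timeline is meant to show.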

Page 45: Autopsy Screenshot

http://www.atstake.com/research/tools/autopsy/images/timeline1.gif

Page 46: Where to find tools…

• http://www.insecure.org/tools.html
• http://www.rootkit.com
• http://www.sysinternals.com/utilities/rootkitrevealer.html
• http://www.porcupine.org/forensics/tct.html
• http://www.atstake.com/research/tools/task
• http://www.atstake.com/research/tools/autopsy
• http://www.foundstone.com/knowledge/forensics.html

Page 47: Questions?