Rootkits and Incident Response

lesson 6 basics of n.w
1 / 32
Embed
Share

Learn about the basics of incident response, hacker lexicon, rootkits, their history, functionality, tools, and types. Understand how traditional and LKM rootkits operate and their impact on systems.

  • Rootkits
  • Incident Response
  • Hacker Lexicon
  • Security
  • Rootkit History
rayaanacharya
rher846 Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Lesson 6 Basics of Incident Response

  2. Overview Hacker Lexicon Incident Response UTSA IS 6353 Security Incident Response

  3. Hacker Lexicon Rootkit - a collection of tools an intruder loads onto a compromised computer Usually Consists of: trojanized utilities network sniffers log-cleaning scripts UTSA IS 6353 Security Incident Response

  4. Root Kits Three primary types: traditional loadable kernel modules (LKMs) for Unix/Linux kernel -level rootkit for Windows Hundreds of Root-kits in existence Hackers sites contain click and choose smorgasbord (KNOW THY ENEMY) UTSA IS 6353 Security Incident Response

  5. Rootkit History 1989: First log cleaners on hacked systems 1994: Early SunOS rootkits detected 1996: First Linux Rootkits seen publicly 1997: LKMs proposed in Phrack 1998: non-LKM patching proposed by S. Cesare 1999: Adore rootkit released by TESO 2000: T0rnkit V8 libproc Trojan released 2001: KIS trojan and SucKit released 2002: Sniffer backdoors start to show up

  6. Basic RootKit Functionality Maintain Access Attack other Systems Destroy Evidence UTSA IS 6353 Security Incident Response

  7. Traditional Rootkit Tools Backdoors - programs that listen on TCP/UDP ports that allow intruder stealthy access Log wipers - utility which erases log files to hide signs of intruders presence Packet sniffers - software designed to monitor network traffic to capture packets of interest Internet Relay Chat (IRC) utilities for comms DDOS agents - S/W that sends UDP/ICMP floods UTSA IS 6353 Security Incident Response

  8. LKM Rootkits Most rootkits used against Unix/Linux systems are Loadable Kernel Modules (LKMs) Kernel is transparently modified: Execute Redirection: remaps system utility calls Remote execution: commands transmitted via the net Promiscuous mode hiding: hides sniffers Task hacking: changing the user id (UID), effective user id (EUID), and file system user id (FSUID) of any process UTSA IS 6353 Security Incident Response

  9. LKM Rootkits Kernel is transparently modified (contd): Real-time process hiding -sending the following: kill -31 process id allows kernel to suppress all info about the given process Kernel Module Hiding: LKMs can actually mask their own presence (stealthy LKMs) UTSA IS 6353 Security Incident Response

  10. WINDOWS Rootkits Contains: Kernel Mode Device Driver: _root_.sys Launcher program: deploy.exe Capabilities: Back doors Hide files: files with _root_ will be hidden from dir Hide processes and registry entries Keystroke Intercept UTSA IS 6353 Security Incident Response

  11. Incident Response Overview Goals Methodology Preparation Detection Initial Response Strategy Formulation Investigation Monitoring Recovery Reporting UTSA IS 6353 Security Incident Response

  12. SANS in The Fight Started as SANS/FBI Top 20 Vulnerabilities 20 Critical Security Controls UTSA IS 6353 Security Incident Response

  13. General Vulnerabilities 1. Default installs of OSs and applications 2. Weak or non-existent passwords 3. Incomplete or non-existent backups 4. Large number of open ports 5. Lack of packet filtering 6. Incomplete or non-existent logging 7. Vulnerable CGI programs Source: The SANS Institute UTSA IS 6353 Security Incident Response

  14. Windows Vulnerabilities 8. Unicode Vulnerability 9. ISAPI Extension Buffer Overflows 10. MS Remote Data Services Exploit 11. NETBIOS Unprotected Windows Networking Shares 12. Leakage via Null Session Connections 13. Weak Hashing in SAM (Lan Manager Hash) Source: The SANS Institute UTSA IS 6353 Security Incident Response

  15. Unix Vulnerabilities 14. Buffer Overflows in Remote Procedure Call Services 15. Sendmail Vulnerabilities 16. Bind Weaknesses 17. R Commands 18. LPD Remote Print Protocol Daemon 19. Sadmind and Mountd 20. Default SNMP Strings Source: The SANS Institute UTSA IS 6353 Security Incident Response

  16. Home User Guidelines Use strong passwords (alpha-numeric, over 8 characters) Make regular backups of critical data Use virus protection software Use a firewall as a gatekeeper between your computer and the Internet Do not leave computers online Do not open attachments from strangers Source: FBI UTSA IS 6353 Security Incident Response

  17. The Worst Can Happen "Don't look at the past and assume that's the future. Look at the enemy's strengths and your vulnerability. You've got to realize that the worst case does sometimes happen." -Richard Clarke Special Advisor for Cybersecurity UTSA IS 6353 Security Incident Response

  18. Goals of Incident Response Confirm or dispel incident Promote accurate info accumulation Establish controls for evidence Protects privacy rights Minimize disruption to operations Allow for legal/civil recriminations Provide accurate reports/recommendations UTSA IS 6353 Security Incident Response

  19. Incident Response Methodology Pre-incident preparation Detection Initial Response Strategy formulation Duplication Investigation Security measure implementation Network monitoring Recovery Reporting Follow-up UTSA IS 6353 Security Incident Response

  20. 7 Components of Incident Response Investigate the Incident Formulate Response Strategy Detection of Incidents Pre-Incident Preparation Data Data Analysis Initial Response Reporting Collection Resolution Recovery Implement Security Measures UTSA IS 6353 Security Incident Response Page 15, Fig 2-1, Mandia 2nd Edition

  21. Detection Firewall Logs D E T E C T IDS Logs Response Team Activated Notification Checklist Completed Suspicious User Sys Admin UTSA IS 6353 Security Incident Response

  22. Initial Critical Details Current time and date Who/what is reporting the incident Nature of the incident When the incident occurred Hardware/software involved Point of contact for involved personnel UTSA IS 6353 Security Incident Response

  23. INITIAL RESPONSE Success I R N E I S T P I O A N L S E Details from notification checklist Verified information about the incident Prepared response team Failure How much info is enough? UTSA IS 6353 Security Incident Response

  24. Response Strategy Formulation Verified information about the incident Mgt Formulate Response Strategy Approved Action Plan Response Posture Goal: determine most appropriate response strategy UTSA IS 6353 Security Incident Response

  25. Factors for Strategy How critical are the impacted systems? Data sensitivity Who are the perpetrators? Does the incident have publicity Level of access to the hacker Apparent skill of the attacker How much downtime can be tolerated Overall dollar loss involved UTSA IS 6353 Security Incident Response

  26. Common Incidents Denial of Service Attack Unauthorized Use Vandalism Information Theft Computer Intrusion Management Support network downtime user downtime legal liability publcity theft of intellectual property Type of incident + response likely outcome UTSA IS 6353 Security Incident Response

  27. Investigation Stage Live System Network Logs Investigation Investigative Report Forensic Duplicate UTSA IS 6353 Security Incident Response

  28. Security Measure Implementation Stage Verified Info Implementing Security Remedies Network Logs Monitor Response Posture Isolate and Contain Prevent Same Exposure! Fishbowling the attacker UTSA IS 6353 Security Incident Response

  29. Recovery/Reporting Process Recovery Conclusions backups hardening user education COOP Report Support Criminal Actions Lessons Learned Prevent Repeats Successful containment UTSA IS 6353 Security Incident Response

  30. What Will You Do? We Need a Initial Response that: Supports the Goals of Computer Security Supports the Business Practices Supports Administrative and Legal Policy Is Forensically Sound Is Simple and Efficient (KISS) Provides an Accurate Snapshot for Decision Makers Supports Civil, Administrative, or Criminal Action. UTSA IS 6353 Security Incident Response

  31. Common Mistakes Failure to Document Findings Appropriately. Failure to Notify or Provide Accurate Information to Decision Makers. Failure to Record and Control Access to Digital Evidence. Wait Too Long Before Reporting. Underestimating the Scope of Evidence that may be found. UTSA IS 6353 Security Incident Response

  32. Common Mistakes Technical Blunders: Altering Time/Date Stamps on Evidence Systems Killing Rogue Processes Patching the System Not Recording the Steps Taken on the System Not Acting Passively UTSA IS 6353 Security Incident Response

Related


Overview of UTSA's IS-6353 Incident Response Course

Overview of UTSA's IS-6353 Incident Response Course

elestren

More Related Content