Educause MARC, Copyright 2002, Marchany

Page 1

Unit 3
Incident Response: Creating the Computer Incident Response Team (CIRT)

Page 2

How Easy Is It?

% set term=cterm100
% telnet victim.com
Trying 0.0.0.0...
Connected to victim.com.
Escape character is '^]'.
UNIX(r) System V Release 4.0 (victim.com)
# id
uid=0(root) gid=0(root)
#

Page 3

Incident Response Steps

Dave Dittrich, Univ. of Washington, wrote a good checklist describing the Incident Response Cycle.

Six major steps:
Preparation
Detection
Containment
Eradication
Recovery
Follow-up

Page 4

Preparation: Creating the CIRT

We need to create a Computer Incident Response Team (CIRT) before we can use it.
How do we create it? Read an excellent paper on the issues that need to be considered when building a CIRT.

Page 5

What Do I Do?

An excellent reference document for things to consider when setting up the CIRT: "Handbook for Computer Security Incident Response Teams (CSIRTs)", Moira West-Brown, Don Stikvoort, Klaus-Peter Kossakowski, 12/98.
Available from www.cert.org.
Describes basic issues that should be considered when setting up the CIRT (CSIRT).
The following slides summarize this document.

Page 6

Setting Up the CIRT

The CIRT is like the fire department. Our CIRT is like the volunteer fire department or rescue squad.
No full-time members except the University Information Security Officer.
Other members are called in as needed. They have management approval to drop whatever they're doing in order to respond to the incident.
Fixing the problem is top priority.

Page 7

Setting Up the CIRT

Information Confidentiality: Critical! The CIRT must be trusted to handle sensitive information responsibly. Otherwise, no one will report incidents to it.

What type of CIRT?
International: build trust with external CIRTs.
University: respond to incidents within the university. Department sysadmins and users will use the service.
Overlaps?

Page 8

Setting Up the CIRT

Authority and Scope
FULL: the CIRT has the authority to undertake any necessary action on behalf of its constituency in order to protect University resources.
SHARED: the CIRT provides direct support and shares in the decision-making process. It can influence department sysadmins but can't dictate to them.
NONE: the CIRT acts in an advisory or advocate capacity only.

Page 9

CIRT Authority

FULL: the CIRT could require disconnection until the threat is removed. The CIRT may actually do the disconnection.
SHARED: the CIRT could advise and influence victims to disconnect from the net until the problem is fixed, but can't force them.

Page 10

CIRT Services

Mandatory
Provide a focal point for reporting computer security incidents.
Provide coordinated support in response to such reports.

Common/Typical
Incident tracing: tracking and tracing intruder activity.

Page 11

CIRT Services

Typical/Common
Intrusion Detection: support active detection of intruder activity.
Education: conduct training seminars for general users, system administrators, management, faculty, staff, etc.
Vulnerability Analysis: provide a security scanning service to departments.

Page 12

CIRT Information Flow

Important to understand which services are related to each other.

Determine which services rely on info from or provide info to another service.

Determine which services are responsible for providing/requesting info to/from another service.

Assign different priorities depending on the source of the request.

Page 13

CIRT Flexibility

External factors affect the CIRT:
The rate of incident reports is unpredictable. The CIRT may get overloaded.
New attacks and exploits: the type and complexity of incident reports changes over time.
New technology advances: CIRT expertise needs to be updated constantly.

Page 14

CIRT Flexibility

Computer crime laws are just now becoming a force. The CIRT needs to be aware of the changing legal framework of the environment and adapt accordingly.
Varying demands on the CIRT: situations will arise where an unprepared CIRT may be insufficient to respond effectively to these conflicting demands.

Page 15

CIRT and Liability

A liability issue is everything that you say, do or write or that you omit to say, do or write, for which people want to sue you, with a reasonable chance of success in court.

Needless to say, this is an issue in the US.

Page 16

Liability Context: Omission

Lack of information disclosure: you receive log files that indicate an intruder's activities and you fail to follow up on the lead. If this fact is discovered, you may be liable for failing to act on the information.
Neglecting side effects: you deal with a new vulnerability in a specific incident but fail to notify the vendor/net/other CIRTs of this vulnerability. Some time later, the net is attacked via the same vulnerability.

Page 17

Liability Context: Omission

Failure to observe legal reporting or archiving obligations: many countries require you to report to, or generate archives for, law enforcement regarding a serious crime. Espionage, murder, drug dealing, etc. are examples.

Page 18

Liability Context: CIRT and Signed Contracts

Inadequate service definition: the CIRT service isn't available during holidays or after hours, and this isn't stated clearly in the service agreement with your constituents.
Service level isn't provided: the CIRT didn't do what was promised, or the quality of the work wasn't what was expected.

Page 19

Liability Context: Information Disclosure

References to individuals/organizations: the CIRT gives the impression a party is involved in an attack. The party's reputation/business is damaged by this disclosure.
Revealing identities: depends on who is requesting the information. EDU: FERPA. Medical: HIPAA. Revealing an identity without prior approval.

Page 20

Liability Context: Information Disclosure

Distributing false information: you release info about a bug in an OS but it's wrong. The vendor may be upset. Or you correctly warn of a vulnerability but your solution doesn't work.
Incorrect advice: your advice is wrong or outdated and causes damages to your constituent.

Page 21

CIRT Service Functions

Triage: single point of contact for accepting, collecting, sorting and ordering information about an incident.
Incident: provide support and guidance related to suspected or confirmed computer security incidents.

Page 22

CIRT Functions

Announcement: provide general information via sysadmin and tech support mailing lists, www sites, etc.
Feedback: can be provided in response to explicit requests by management or the media; can be provided as an annual report or a case-driven report.

Page 23

CIRT Incident Related Contacts

People the CIRT needs to keep in the loop:
Upper management
Other departments' technical staff
Security officer
Legal counsel
Internal audit
Risk management group
Network operations center
Network information center

Page 24

CIRT Non-Incident Related Contacts

Site security contacts
ISP
Other CIRTs
Law enforcement
Vendors
External experts
Media

Page 25

The CIRT

The AUP defines the rules.
CIRT Composition:
Sysadmin: decode syslogs, sniffer
Network Management Team: decode router logs, packet filter, sniffer
Legal: proper evidence collection
Supervisory/Audit: authority to force change
Legal or not?

Page 26

Preparation

Client Insecurity Issues
"Mommas, don't let your kids grow up to be PCs!"
What Types of Attacks to Expect

Page 27

The Doom Scenario

[Diagram: attacks against a server (S) and a client (C), each paired with its defense]
Attack the server: good sysadmin practices
Install sniffer: install encryption
Email attachments (NetBus, BO2K): no effective defense if the client is a PC/Mac

Page 28

Types of Attacks

Types of attacks we've seen at our site:
EMAIL
PASSWORD/SNIFFER
DENIAL OF SERVICE
RELAY ATTACKS
WWW ATTACKS

The next section describes each of the above attacks using Dittrich's Incident Response Model.

Page 29

Case 1: Email Abuse

We handle over 2.5M external emails/week.
We need network management help to trace to the internal site.
We need the mail administrator to decipher the mail logs.

Page 30

Types of Email Abuse at VT

Chain Letters: "Good Times", "recipes". The letter is sent and is supposed to be mailed to 10 others. Annoying.

Page 31

Types of Email Abuse at VT

Mail Spoofing (Forgery): usually done in conjunction with flames. Could impersonate a real person. Too easy to do.

Page 32

Types of Email Abuse at VT

Email Infrastructure Attacks: mail bombs, exploiting mail software vulnerabilities (Outlook, sendmail), SPAM.
SPAM: the site is notified and warned. Unheeded warnings (3) result in a 30-day block of anything from that site.

Page 33

Types of Email Abuse at VT

Flaming: profane, obscene, angry or threatening comments. Messages are sent either by email or to Usenet newsgroups. Death threats require immediate attention.

Page 34

Email Logs

Sendmail server logs: log sender/receiver, timestamp, email ID.
Terminal server/modem pool: log all users. Used to identify the real owner of a modem session. Caller ID on the modem pool.

Page 35

Email Logs

POP3 mail logs: log the PID of the sender, password change dates, etc.
Source/target system logs: personal firewall logs, sniffers, etc.
Usenet logs: news server logs.
Logs are sent to a central syslog server and dumped to CD once a month. Audit requirement: 18-month retention.

Page 36

Preparation: Handling Complaints

IS will gather appropriate info from the logs ONLY at the request of a proper authority and only releases the logs to them.
IS DOES NOT prosecute or get involved in policing, but 'helps' by gathering log info and helping interpret it, at the request of the proper authority. The 'Proper Authority' is any entity that does the actual prosecution (Provost, Dean, Police, FBI, Secret Service).

Page 37

Preparation: CIRT

Have a plan of action ready and approved.
Sample CIRT Checklist

Page 38

Detection: Email Abuse

Generic mail id to report problems: [email protected]. If the user thinks it's abuse, we have to check. Users are told to send reports there.
Users can call the Help Desk to report problems. The Help Desk crew notifies the mail sysadmins if there is a problem.
System mail log monitors detect large volumes of email traffic. The mail admins check for spam and email flooding.

Page 39

Containment: Email Abuse

If the email threatens the receiver, every effort is made to identify the sending host and person if possible.
Network router logs determine if the threat came from onsite systems.
Mail system logs give source, destination and intermediate mail system handling information.
Syslogs of the sending system yield origin information.
These three log types help determine if IP spoofing is active.
IMPORTANT: get the original email with complete headers!
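The header walk described above, and the forgery tell behind the "too easy to do" remark on the Mail Spoofing slide, as an added Python example that is not part of the original presentation. The message is a constructed forgery; every host name, address and timestamp in it is made up for illustration. The code reads the sendmail-style Received: clauses from the bottom (origin) up, checks whether each hop's HELO name agrees with the reverse DNS the receiving MTA recorded, checks that each hop hands off to the next, and reports the origin IP that the router and modem-pool logs would then be matched against.

```python
import re
from email import message_from_string

# Constructed forged message: From: claims a provost's address, but the bottom
# Received: hop (added by our own mail hub) shows the connection came from a
# dial-in modem-pool address and the sender lied in its HELO.
RAW_MESSAGE = """\
Received: from mailhub.example.edu (mailhub.example.edu [192.0.2.25])
    by mail.dept.example.edu (8.11.6/8.11.6) with ESMTP id g23FF1ab001201
    for <victim@dept.example.edu>; Sun, 3 Mar 2002 10:15:01 -0500
Received: from provost.example.edu (ppp-117.modempool.example.edu [192.0.2.117])
    by mailhub.example.edu (8.11.6/8.11.6) with SMTP id g23FE9xy017733;
    Sun, 3 Mar 2002 10:14:09 -0500
From: "Office of the Provost" <provost@example.edu>
To: victim@dept.example.edu
Subject: Your appointment is terminated
Date: Sun, 3 Mar 2002 10:14:00 -0500

Constructed sample body: this message is a forgery used as test input.
"""

# sendmail-style clause: "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>"
# The reverse-DNS name is optional; sendmail writes "([ip])" when there is none.
HOP_RE = re.compile(
    r'from (?P<helo>\S+) \((?:(?P<rdns>[^\s\[\]]+) )?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\) by (?P<by>\S+)'
)


def trace_hops(raw_message):
    """Return the Received: hops in transit order (origin first).

    Each hop records what the sending MTA claimed (HELO), what the receiving MTA
    observed (reverse DNS and IP), which host added the header, and when.
    """
    msg = message_from_string(raw_message)
    hops = []
    # get_all() returns headers top-down; the bottom one was added first.
    for value in reversed(msg.get_all('Received', [])):
        value = ' '.join(value.split())            # unfold continuation lines
        clause, _, date = value.rpartition(';')    # the timestamp follows the last ';'
        m = HOP_RE.search(clause)
        if not m:
            hops.append({'raw': value, 'date': date.strip()})  # keep odd hops visible
            continue
        hops.append({'helo': m['helo'], 'rdns': m['rdns'], 'ip': m['ip'],
                     'by': m['by'], 'date': date.strip()})
    return hops


def spoof_indicators(raw_message):
    """Compare the hop chain against the visible From: header and return findings."""
    msg = message_from_string(raw_message)
    hops = trace_hops(raw_message)
    findings = []
    for i, hop in enumerate(hops):
        if 'ip' not in hop:
            findings.append(f'hop {i}: unparseable Received header: {hop["raw"]}')
            continue
        # A HELO name that disagrees with the reverse DNS of the connecting IP is
        # the classic forgery tell: the sender can choose HELO, not its address.
        if hop['rdns'] and hop['helo'].lower() != hop['rdns'].lower():
            findings.append(f"hop {i}: HELO {hop['helo']} does not match reverse DNS "
                            f"{hop['rdns']} [{hop['ip']}]")
        # Each hop's "by" host should reappear as the next hop's "from" host.
        # A break means a Received line was fabricated or the path is incomplete.
        # Only hops added by MTAs you run are trustworthy; anything below them
        # could have been typed in by the sender.
        if i + 1 < len(hops) and 'ip' in hops[i + 1]:
            nxt = hops[i + 1]
            if hop['by'].lower() not in {nxt['helo'].lower(), (nxt['rdns'] or '').lower()}:
                findings.append(f"hop {i}: chain break: {hop['by']} handed off, "
                                f"but hop {i + 1} says from {nxt['helo']}")
    if hops and 'ip' in hops[0]:
        findings.append(f"origin: injected from {hops[0]['ip']} "
                        f"({hops[0]['rdns'] or 'no reverse DNS'}) at {hops[0]['date']}; "
                        f"From: claims {msg['From']}")
    return findings


if __name__ == '__main__':
    for line in spoof_indicators(RAW_MESSAGE):
        print(line)
```

The origin line is what gets handed to the network team: the IP and timestamp from the first hop your own MTA recorded are looked up in the router logs and the modem-pool accounting (caller ID) described on the Email Logs slides, which is why the containment step insists on the original message with all its headers.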

Page 40

Eradication: Email Abuse

Hard to do.
Spam filters for sendmail.
Relay filters for sendmail.
Isolate the sending machine if onsite.
Notify the administrators of the sending machine if a remote system is involved; they may have a problem of their own.
Bodily harm threats must be taken seriously.
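The mail log monitor from the Detection slide and the sendmail filter from the Eradication slide, as one added Python example that is not part of the original presentation. The maillog lines are constructed to follow the layout of sendmail's from= envelope records; the host names, addresses, window and thresholds are assumptions chosen so the sample trips the alarm. The code counts envelopes and envelope recipients per connecting IP over a sliding window, raises one alert per source that exceeds either limit, and renders the alerts as /etc/mail/access entries, which assumes the site's sendmail is built with FEATURE(`access_db').

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sendmail syslog excerpt (mail.info). "from=" records open an envelope;
# "to=" records are deliveries and carry no sender, so the parser ignores them.
SAMPLE_MAILLOG = """\
Mar  3 10:15:01 mailhost sendmail[1201]: g23FF1ab001201: from=<alice@dept.example.edu>, size=2140, class=0, nrcpts=1, msgid=<a1@dept.example.edu>, proto=ESMTP, daemon=MTA, relay=ws12.dept.example.edu [192.0.2.12]
Mar  3 10:15:02 mailhost sendmail[1202]: g23FF1ab001201: to=<bob@example.edu>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32140, relay=mx.example.edu. [192.0.2.30], dsn=2.0.0, stat=Sent (Ok)
Mar  3 10:18:30 mailhost sendmail[1250]: g23FIUab001250: from=<>, size=0, class=0, nrcpts=1, msgid=<b1@mailhost>, relay=localhost [127.0.0.1]
Mar  3 10:20:00 mailhost sendmail[1310]: g23FK0ab001310: from=<deals@bulk.example.net>, size=980, class=0, nrcpts=10, msgid=<x1@bulk.example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Mar  3 10:20:05 mailhost sendmail[1311]: g23FK5ab001311: from=<deals@bulk.example.net>, size=980, class=0, nrcpts=10, msgid=<x2@bulk.example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Mar  3 10:20:10 mailhost sendmail[1312]: g23FKAab001312: from=<deals@bulk.example.net>, size=980, class=0, nrcpts=10, msgid=<x3@bulk.example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Mar  3 10:20:15 mailhost sendmail[1313]: g23FKFab001313: from=<deals@bulk.example.net>, size=980, class=0, nrcpts=10, msgid=<x4@bulk.example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Mar  3 10:20:40 mailhost sendmail[1314]: g23FKeab001314: from=<deals@bulk.example.net>, size=980, class=0, nrcpts=10, msgid=<x5@bulk.example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Mar  3 10:25:30 mailhost sendmail[1402]: g23FPUab001402: from=<alice@dept.example.edu>, size=512, class=0, nrcpts=2, msgid=<a2@dept.example.edu>, proto=ESMTP, daemon=MTA, relay=ws12.dept.example.edu [192.0.2.12]
Mar  3 10:25:45 mailhost sendmail[1403]: g23FPjab001403: from=<alice@dept.example.edu>, size=640, class=0, nrcpts=1, msgid=<a3@dept.example.edu>, proto=ESMTP, daemon=MTA, relay=ws12.dept.example.edu [192.0.2.12]
"""

# Envelope record: syslog timestamp, host, queue id, sender, recipient count, and
# the connecting relay written as "name [ip]" or just "[ip]" when reverse DNS fails.
FROM_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): '
    r'from=<?(?P<sender>[^>,]*)>?, .*?nrcpts=(?P<nrcpts>\d+), .*?'
    r'relay=(?:(?P<relay>\S+) )?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]'
)


def parse_envelopes(log_text):
    """Yield (timestamp, raw timestamp text, recipients, relay name, ip) per from= record."""
    for line in log_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')  # syslog has no year; fine for deltas
        yield ts, m['ts'], int(m['nrcpts']), m['relay'] or '(no reverse DNS)', m['ip']


def flood_alerts(log_text, window=60, max_msgs=3, max_rcpts=50):
    """Return one alert per connecting IP whose envelope count or recipient total
    exceeds a limit within any sliding window of `window` seconds.
    The thresholds are assumptions for the sample; tune them to real site volume."""
    events = defaultdict(list)
    for ts, raw_ts, nrcpts, relay, ip in parse_envelopes(log_text):
        events[ip].append((ts, raw_ts, nrcpts, relay))
    alerts = []
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1                      # slide the window forward
            msgs = end - start + 1
            rcpts = sum(e[2] for e in evs[start:end + 1])
            if msgs > max_msgs or rcpts > max_rcpts:
                alerts.append({'ip': ip, 'relay': evs[end][3], 'messages': msgs,
                               'recipients': rcpts, 'window_end': evs[end][1]})
                break                           # one page to the mail admins per source
    return alerts


def access_map_entries(alerts):
    """Render alerts as /etc/mail/access lines (assumes FEATURE(`access_db')) that
    refuse further connections from the flooding source until it is reviewed."""
    return [f"Connect:{a['ip']}\tREJECT" for a in alerts]


if __name__ == '__main__':
    found = flood_alerts(SAMPLE_MAILLOG)
    for alert in found:
        print(alert)
    print('\n'.join(access_map_entries(found)))
```

The parser keys on the connecting IP rather than the envelope sender because from= is whatever the remote side typed; the relay address is the one fact sendmail observed itself. The bounce record with from=<> and the delivery (to=) record are in the sample to show that neither disturbs the count.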

Page 41

Recovery: Email Abuse

Denial of service mail attack:
remove spam messages
use routers to block out the offending system
process mail as quickly as possible
Disable user account access IF the AUP allows this.
Notify the recipient of progress.

Page 42

Followup: Email Abuse

User Education:
how to spot email trash
who to notify if abuse starts
SAVE THE ORIGINAL EMAIL!!!!
Netiquette

System Manager Education:
SPAM and relay filtering rules
save the email logs at a central site
ask users for the complete email message with headers

Page 43

Summary

The previous slides list the 6 phases of IR as they apply to one category of attack: email abuse.
Do the same for the other types of attacks you expect at your site.
Have the Procedure Checklist ready.

Page 44

Recommendations

Revise your AUP and IRP as needed.
Construct your response plans according to Dittrich's Response Model: Preparation, Detection, Containment, Eradication, Recovery, Follow-up.
Your IR plans should address the "How do we do ..." for each layer of the Response Model.
IR is a coordinated action involving all aspects of an org's IS structure: sysadmin, network managers, supervisory, audit, legal, upper management.
Liability is an issue! Are you liable for internal (email) as well as external (the NY Times "hacker") incidents if your response structure is inadequate? Probably!

Page 45

As It Should Be......