
Special Agent Chris Buechner ([email protected])

Denver FBI

Computer Analysis Response Team

CART

Computer Crime Before and After the Attack

Cyber Investigations

• Computer Crimes

• Before you’re a Victim

• When You’re a Victim

Are you a victim?

• What type of victim are you?

• How do you know you’re a victim?

• How to protect the information

• Getting your system back up

• Who should you contact

• Who are the hackers/crackers

What type of Victim

• System hacked

– Gain information

– Gain bandwidth

– Revenge (insider)

• Silent host

– Capture additional sites

– Cover tracks

How do you know you’re a victim?

• Logs show unauthorized access

– Telnet

– FTP

• Creation of new accounts

• Loss of computer resources

– DoS (denial of service)

• New files and directories appear

• Information on the system made public

– Grades, salaries, personnel information, credit card information

Protect the information

• Take computer off line

• Determine the location of the attack

– What, if any, information was taken

– The identity of the attackers

– Methods of intrusion used

Getting system back online

• Replace the computer if possible

• Make a copy of system files

• Restore the backups from a trusted source

– Backups may have back doors installed

• Install all upgrades and patches

Who should you contact

• Local law enforcement vs. the feds

– Local law enforcement

• Can better handle juveniles

• Lower thresholds for prosecution

• Minimal resources

• Limited by jurisdictional boundaries

– The feds

• Unlimited resources

• National and international coverage

• No juvenile system

• Higher minimum loss threshold for prosecution

When you make contact

• Do not make contact from compromised system

• Have procedures in place to control the situation

• Select one individual to control and maintain evidence

• Maintain log of costs and steps taken in the process

THREATS

Hacker/Cracker Criminal Profiles

• Majority are white males

• THIS is changing...

• 16-40! Most likely 16-26

• Interview: most will go as far as they THINK you know. Often ask for counsel.

• Very loyal to friends - to a point

Hacker/Cracker Criminal Profiles

• Ego maniacs

• Socially withdrawn

• Generally still don’t understand Law Enforcement

Are WE catching the really GOOD ones?

METHODS OF ATTACKS

Dumpster diving

Brute force hacking

Social engineering

Data scope programs

Sniffer programs

IP spoofing

DDOS

“To Watch” Sites/Lists

• Sites:

– antionline.com, wired.com, 2600.com, rootshell.com, csu.purdue.edu/coast/, etc.

• Newsgroups/Lists:

– Bugtraq, NTbugtraq, Best of Security (BoS)

– CERT.org

– alt.security, comp.security.misc, etc.

• Tools (www.network-tools.com)

Before you’re a Victim

DEVELOP A PLAN!

Preparation

• Post warning banners

– Every system should display a banner

• Display at every login and on every port accessed (FTP, Telnet)

• System is the property of your organization

• System is subject to monitoring

• No expectation of privacy while using the system

– Management and legal counsel should approve the wording

– DO NOT reveal system purpose, OS version, etc.

Preparation

• Be Proactive to Prevent Incidents

– Establish Security Policy

– Monitor and Analyze Network Traffic

– Assess Vulnerabilities (System Scans)

– Configure Systems Wisely

• Limit Services (FTP/telnet)

• Patches

– Establish Training for Employees

Preparation

• Establish Policy on Employee Privacy

– Email: Owned by Corp. or Employee?

– Data Files

– Encryption okay?

• Keys

• Disgruntled Employees

Preparation

• Establish Organizational Approach to Intrusions (2 ways)

– Contain, Clean and Deny

• STOP the intruder: remove the system from the net

• Repair the system and block access

• IP filtering, firewalls, etc.

Preparation

• Establish Organizational Approach to Intrusions

– Monitor and Gather Information

• Fishbowl (watch the intruder’s activity in a contained environment)

• Proceed with Caution

Preparation

• Policy for Peer Notification

– DDoS

• Remote Computing

– Telecommuters

• Laptop Privacy (temps, contractors too)

– Acceptable Use Policy (signed yearly)

– Revoke access when no longer required

– Log remote access (RADIUS / Caller ID / remote callback)

Preparation

• Develop Management Support

• Develop an Incident Response Team

– Assign Specific Duties

• On-call duty roster and phone list

• Legal Counsel

• PR/Law Enforcement Liaison

• Assign a Person to be Responsible for Incident

System Preparation

• System Backups

– Original O/S

– Log Files

– Admin Files/Applications

– Data

• When restoring systems, be careful not to re-introduce the problem

System Preparation

• Acquire and install some level of intrusion detection and audit capability

– Advanced logging programs

– TCP Wrappers, Tripwire, etc.

• Install and configure a firewall

• Monitor industry information regarding intrusions/hacker techniques
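As an added example (not code from the presentation or from Tripwire itself), a small Tripwire-style integrity checker in Python: it records a content hash, permission bits, size, owner and the setuid bit for every file under a directory, saves that as a baseline, and later reports files that were added, removed or modified, calling out anything that gained the setuid bit. The directory layout, file contents and the simulated intrusion in demo() are constructed for illustration; on a real system the baseline is taken from a freshly installed host and kept on read-only media so the intruder cannot rewrite it.

```python
"""Tripwire-style file integrity baseline (added example, not the FBI's code)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record what a trojaned replacement would change: content hash,
    permission bits, size, owner and the setuid bit. mtime is deliberately
    left out because an intruder can reset it with touch -r."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())          # hash the link target
    elif stat.S_ISREG(st.st_mode):
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "size": st.st_size,
        "uid": st.st_uid,
        "setuid": bool(st.st_mode & stat.S_ISUID),
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every file and symlink below root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines. Anything under new_setuid deserves a look first."""
    report = {"added": [], "removed": [], "modified": [], "new_setuid": []}
    for name, cur in current.items():
        old = baseline.get(name)
        if old is None:
            report["added"].append(name)
        elif old != cur:
            report["modified"].append(name)
        if cur["setuid"] and not (old and old["setuid"]):
            report["new_setuid"].append(name)
    report["removed"] = [n for n in baseline if n not in current]
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed scenario: baseline a fake /bin and /etc, simulate an
    intrusion, then re-check the tree against the saved baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        sys_root = Path(tmp) / "sys"
        (sys_root / "bin").mkdir(parents=True)
        (sys_root / "etc").mkdir()
        (sys_root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (sys_root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps \"$@\"\n")
        (sys_root / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")

        # The baseline lives outside the monitored tree (ideally read-only media).
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(build_baseline(sys_root), indent=1))

        # Simulated intrusion: trojaned ps that hides a process, a hidden
        # setuid shell dropped in /bin, and the TCP Wrappers policy deleted.
        (sys_root / "bin" / "ps").write_bytes(
            b"#!/bin/sh\nexec /bin/ps \"$@\" | grep -v backdoor\n")
        hidden = sys_root / "bin" / ".sh"
        hidden.write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(hidden, 0o4755)
        (sys_root / "etc" / "hosts.allow").unlink()

        saved = json.loads(baseline_file.read_text())
        return compare(saved, build_baseline(sys_root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check is only as trustworthy as the baseline and the tool: run it from known-good media, because a trojaned ps, ls or find on the compromised host will happily lie to it.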

The Security Investment

• Recruit and hire security capable staff

• Keep current on system vulnerabilities

• Ensure networked systems are maintained and patched

• Train administrators and users in security and protection measures

• Adequate password security

When you’re a Victim

What the FBI can do

• Combine technical skills and investigative experience

• National and global coverage

• Apply more traditional investigative techniques

• Long-term commitment of resources

• Integration of law enforcement and national security concerns

• Pattern analysis

• Can provide deterrent effect . . . even if hacker not prosecuted

The FBI won’t:

• Take over your systems

• Repair your systems

• Share proprietary information with competitors

• Provide investigation-related information to the media or your shareholders

When You’re a Victim

• Stop and Think -- REMAIN CALM

– Take Notes (who, what, where, when, why and how)

– Notify appropriate persons

• Supervisor

• Security Coordinator

• Legal Counsel

• Etc.

– Enforce a Need-to-Know Policy

When You’re a Victim

• Communicate Wisely

– Email/chat: the intruder may be listening

– Use telephone/voicemail/fax/etc.

– If email, use encryption or a secure system

• Remove system from Net

When You’re a Victim

• Make a bit-by-bit copy of the system

– Use NEW media and VERIFY the backup!!

– Initial and date the backup… time too

– Secure it in a locked, limited-access location

• Chain of Custody

• Collect other evidence in the same manner

– Always preserve originals!

When You’re a Victim

• Best Evidence Rule

– Original Drives

– Bit-by-bit copy

• Linux dd

• Safeback

– Copy of relevant files
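As an added example for the two slides above (bit-by-bit copy, verification, chain of custody), not code from the presentation: the copy loop below does in Python what `dd if=/dev/sdb of=image.dd bs=512 conv=noerror,sync` does, so the effect of those two dd flags is visible, then hashes the image, re-reads the new media to verify it, and appends a custody record. The `FlakyDisk` class is a constructed stand-in for a real drive so the example runs offline and can show the unreadable-sector case; the examiner initials and device names are invented. In a real acquisition you use dd or a forensic imager against the original through a write blocker, never this script.

```python
"""Bit-for-bit imaging with verification and a custody record (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SECTOR = 512


class FlakyDisk:
    """Constructed stand-in for a drive such as /dev/sdb: an in-memory disk
    that raises EIO when a sector whose offset is listed in `bad` is read."""

    def __init__(self, data: bytes, bad=()):
        self.data, self.bad, self.pos = data, set(bad), 0

    def seek(self, pos: int) -> None:
        self.pos = pos

    def read(self, n: int) -> bytes:
        if self.pos in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image_device(dev, image: Path, sector: int = SECTOR) -> dict:
    """Copy dev to image one sector at a time, the way
    dd if=/dev/sdb of=image.dd bs=512 conv=noerror,sync does: an unreadable
    sector is logged and written out as zeros, so every later sector keeps
    its original offset. Returns the image hash and the bad offsets."""
    h = hashlib.sha256()
    bad_offsets, offset = [], 0
    with image.open("wb") as out:
        while True:
            dev.seek(offset)
            try:
                chunk = dev.read(sector)
            except OSError:
                bad_offsets.append(offset)
                chunk = b"\0" * sector            # noerror,sync: pad and continue
            if not chunk:
                break                              # end of device
            chunk = chunk.ljust(sector, b"\0")     # sync also pads a short tail
            out.write(chunk)
            h.update(chunk)
            offset += sector
    return {"sha256": h.hexdigest(), "bytes": offset, "bad_sectors": bad_offsets}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(dev, image: Path, custody_log: Path, examiner: str, source: str) -> dict:
    """Image, re-read the new media to verify the copy, then append a
    chain-of-custody line (who, what, when, hash) to custody_log."""
    result = image_device(dev, image)
    record = {
        "when_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "source": source,
        "image": str(image),
        "sha256": result["sha256"],
        "bytes": result["bytes"],
        "bad_sectors": result["bad_sectors"],           # must be disclosed
        "verified_on_new_media": sha256_file(image) == result["sha256"],
    }
    with custody_log.open("a") as log:
        log.write(json.dumps(record) + "\n")           # one line per custody event
    return record


def verify_later(image: Path, record: dict) -> bool:
    """Whoever handles the image afterwards re-hashes it against the record."""
    return sha256_file(image) == record["sha256"]


def demo() -> dict:
    """Constructed run: one clean 8-sector disk and one with sector 2 unreadable."""
    data = bytes(range(256)) * 16                       # 4096 bytes = 8 sectors
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        log = tmp / "custody.jsonl"
        clean = acquire(FlakyDisk(data), tmp / "clean.dd", log, "CB", "web1 /dev/sdb (constructed)")
        damaged = acquire(FlakyDisk(data, bad={1024}), tmp / "damaged.dd", log, "CB", "web1 /dev/sdc (constructed)")
        return {
            "clean": clean,
            "damaged": damaged,
            "source_sha256": hashlib.sha256(data).hexdigest(),
            # What the image of the damaged disk must hash to: sector 2 zeroed.
            "damaged_expected": hashlib.sha256(data[:1024] + b"\0" * 512 + data[1536:]).hexdigest(),
            "damaged_reverifies": verify_later(tmp / "damaged.dd", damaged),
            "custody_entries": log.read_text().count("\n"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of the damaged case: when a sector is unreadable the image hash cannot match the source, so the custody record has to say which sectors were zero-filled; an examiner who later re-hashes the image is verifying it against the hash taken at acquisition, not against the original drive.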

When You’re a Victim

• Begin analysis to determine what happened

– Work from the copy

– Review system, firewall, router logs

– Look for trojaned system files

– Look for new, suspicious users

– Contact ISP for additional logs and possible filtering
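As an added example of the log and account review this slide calls for (not the FBI's tooling): the script below runs a handful of detection rules over constructed syslog-style lines (untrusted source addresses on telnet/FTP, interactive root logins, anonymous FTP, accounts created with UID 0) and then compares a passwd file restored from a trusted backup with the live one to find new accounts, a second UID-0 account and a service account that was given an interactive shell. The log lines, host name, IP addresses, user names and the "trusted network" range are all assumptions for the example; real daemon messages vary by platform, so the regular expressions need adjusting to your own logs.

```python
"""Post-intrusion log and account review (added example, not the FBI's tooling)."""
import ipaddress
import re

# Constructed syslog-style lines from a hypothetical host "web1".
SAMPLE_LOG = """\
Mar  3 02:14:07 web1 in.telnetd[2211]: connect from 192.0.2.77
Mar  3 02:14:12 web1 login[2212]: ROOT LOGIN ON ttyp2 FROM 192.0.2.77
Mar  3 02:15:01 web1 useradd[2240]: new user: name=sysadm, UID=0, GID=0, home=/, shell=/bin/sh
Mar  3 02:16:40 web1 ftpd[2260]: ANONYMOUS FTP LOGIN FROM 192.0.2.77, mozilla@
Mar  3 08:01:15 web1 in.telnetd[3011]: connect from 10.0.0.12
Mar  3 08:01:20 web1 login[3012]: LOGIN ON ttyp1 BY alice FROM 10.0.0.12
"""

# Networks from which interactive logins are expected (assumption for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
NETWORK_DAEMONS = {"in.telnetd", "in.ftpd", "ftpd"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def review_log(text: str) -> list:
    """Return (rule, program, detail) findings for the indicators the deck
    lists: unauthorized telnet/FTP access, root logins and new accounts."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        ips = IPV4_RE.findall(msg)
        foreign = [ip for ip in ips if not is_trusted(ip)]
        if prog in NETWORK_DAEMONS and foreign:
            findings.append(("untrusted-source", prog, foreign[0]))
        if "ROOT LOGIN" in msg.upper():
            findings.append(("root-login", prog, (ips or ["?"])[0]))
        if prog == "useradd":
            name = re.search(r"name=(\w+)", msg)
            uid = re.search(r"UID=(\d+)", msg)
            rule = "uid0-account" if uid and uid[1] == "0" else "new-account"
            findings.append((rule, prog, name[1] if name else "?"))
        if "ANONYMOUS FTP LOGIN" in msg:
            findings.append(("anon-ftp", prog, (ips or ["?"])[0]))
    return findings


# Constructed passwd snapshots: one from a trusted backup, one from the live host.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
"""
PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
sysadm:x:0:0::/:/bin/sh
"""


def parse_passwd(text: str) -> dict:
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def review_accounts(before: str, after: str) -> list:
    """Compare a trusted (backup) passwd file with the live one."""
    old, new = parse_passwd(before), parse_passwd(after)
    findings = []
    for name, acct in new.items():
        prev = old.get(name)
        if prev is None:
            findings.append(("new-account", name))
        elif acct["shell"] != prev["shell"]:
            findings.append(("shell-changed", name))   # service account made interactive
        if acct["uid"] == 0 and name != "root":
            findings.append(("uid0-account", name))    # a second root
    for name in old:
        if name not in new:
            findings.append(("account-removed", name))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG) + review_accounts(PASSWD_BEFORE, PASSWD_AFTER):
        print(*f)
```

Run this against the logs on the copy, not on the live system, and treat an empty result as weak evidence: an intruder who has root can edit or truncate local logs, which is why the slide also says to ask the ISP and the firewall and router owners for their copies.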

When You’re a Victim

• Start to determine the cost of the attack

– Recovery costs

– Lost business

– Legal expenses

– Salaries

– Technical and Security Contractors

• Maintain incident log and chronology

When You’re a Victim

• Know When to Contact Law Enforcement

– Intrusions, theft, espionage, child pornography, hate crimes, and threats

– Dollar losses due to intrusions exceed $5K

• Law Enforcement Difficulties

– Keystroke monitoring and wiretaps

– Legal restrictions (subpoenas/orders/warrants)

Final Thoughts

• 2001 CSI/FBI security survey revealed:

– 91% of respondents had detected a security breach within the last year

– 64% reported significant loss due to intrusion

• Any computer system is vulnerable

– Through the Internet or by a local user

Contact Us

Federal Bureau of Investigation

Computer Crime Squad

Denver Division

(303) 629-7171 (24 Hours)

(303) 628-3267 (Direct)

[email protected]