Incident Response: The First 10 Minutes - PowerPoint PPT Presentation

Last modified by: mattbing. Created Date: 1/11/2002 3:55:56 PM. Provided by: meritEdue. Slides: 26.

Transcript and Presenter's Notes

1
Incident Response: The First 10 Minutes
  • Matt Bing
  • Incident Response Coordinator
  • The University of Michigan
  • mattbing_at_umich.edu

2
Who am I?
  • 10 years experience in IT security
  • 2 years at U-M
  • ITSS (IT Security Services)
  • Incident Response Coordinator
  • Ensure consistent handling of serious incidents
    University-wide
  • Expert advice on computer forensics, network and
    malware analysis
  • Please understand due to confidentiality, I will
    not be discussing real incidents

3
Agenda
  • What is an incident?
  • Incident lifecycle
  • First steps in incident handling
  • Tools
  • What you can do

4
What is an incident?
  • IT security incidents have three faces
  • Data - attempted or successful unauthorized
    access, use, disclosure, modification, or
    destruction of information
  • Resources - interference with IT operation
  • People - violation of explicit or implied policy
  • Impact
  • Not all incidents are equal

5
Goals of incident response
  • Minimize consequences of incidents
  • Enable informed decisions to be made by
    appropriate stakeholders
  • Not just an IT problem
  • Understand the cause and effect of an incident
  • Incorporate lessons learned
  • Processes and procedures
  • Countermeasures

6
Incident lifecycle
  • Phase 1: The first 10 minutes
  • Notification
  • Initial assessment
  • Escalation
  • Containment
  • Phase 2
  • Analysis
  • Further action
  • Lessons learned

7
First steps
  • Notification
  • First signs of an incident
  • IDS alert / abuse report / user notification
  • Amount of information is typically low
  • Initial assessment
  • What is the possible impact?
  • How confident are you this is an incident?
  • Almost always requires further investigation

8
Risk of actions
  • Availability of data goes down as your
    understanding of an incident goes up
  • File system MAC times are overwritten
  • Logs are rotated
  • Attackers cover traces
  • Examining a system changes it, possibly
    destroying valuable volatile data
  • Can that crucial deleted log entry in slack space
    be overwritten?
  • Every action taken when examining an incident is
    a risk/benefit decision
  • Increasing level of intrusiveness

9
Risk of actions
  • Does pulling the network cable have no risk? Consider a
    dead-man's switch the attacker left running on the host:
      while true; do
        ping -c 1 www.yahoo.com || rm -rf /   # wipe the disk as soon as the network goes away
        sleep 30
      done
  • What about pulling the power cable?
  • Lose ALL volatile information on the system
  • Active processes, network connections

10
Initial assessment
  • Scenario
  • We receive an abuse e-mail from Merit that a
    Windows XP machine on our network
    (192.168.109.132) is generating a large amount of
    traffic. We don't know what could be causing
    this, but this machine might contain student
    SSNs.
  • How do we determine with a high degree of
    confidence whether this machine is compromised?

11-13
Portscan (screenshot slides, not reproduced in the transcript)

14
Portscan
  • Nmap
  • http://insecure.org/nmap/
  • Netcat
  • http://www.vulnwatch.org/netcat/
  • Risks: depend entirely on the services probed;
    possibly modified MAC times on daemons, or
    generated log entries

15-16
TCPView (screenshot slides, not reproduced in the transcript)

17
TCPView
  • TCPView
  • http://www.sysinternals.com/Utilities/TcpView.html
  • Risks: copied a binary to the system and executed
    it
  • Can we trust the output if there is a rootkit
    installed?
  • Requires Administrator access, was a keyboard
    sniffer installed when we logged on?
  • Modified registry if run from USB or CDROM
  • Utility installs new system device driver
  • New entry in Prefetch cache

18
Event Viewer (screenshot slide, not reproduced in the transcript)

19
Event Viewer
  • Risks: modifies the access time on MMC.EXE and on the
    files containing the event logs
    (%windir%\SYSTEM32\config\*.evt)

20
Virus Scan
  • Identifies any potential malicious code on the
    system, but:
  • Risks: overwrites the access time on every file
    scanned
  • High level of intrusiveness

21
What next?
  • Escalation
  • Notify the appropriate business owners
  • Devise a containment plan together
  • Explain the risks
  • Containment
  • Pull the network plug?
  • Add a firewall rule or router filter?

22
After the first 10 minutes
  • Analysis
  • What other information about the system do you
    have?
  • Netflow, firewall, antivirus logs
  • Analyze to determine root cause and effect
  • Escalate to other stakeholders, as necessary
  • Further action
  • Notification to affected individuals?
  • Involve law enforcement?
  • Lessons learned
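The scenario on slide 10 asks how to judge, with high confidence, whether 192.168.109.132 is compromised, and the analysis step above lists netflow among the data already on hand. The following is an added example, not part of the presentation, that triages constructed flow records for that host entirely off-box, so none of the MAC-time, Prefetch or registry side effects the earlier slides warn about are incurred; the thresholds and the flow tuple layout are assumptions for illustration.

```python
"""Passive triage for the slide-10 scenario: judge whether 192.168.109.132
looks compromised from netflow alone, so nothing on the host (MAC times,
Prefetch, registry) is disturbed. All flow records here are constructed."""
from collections import defaultdict

SUSPECT = "192.168.109.132"  # host named in the abuse report

# Constructed records: (src, dst, dst_port, proto, bytes).
# Eight tiny SMB flows to distinct peers (worm/scanner pattern) plus two
# ordinary web downloads; the last record is inbound and must be ignored.
FLOWS = [("192.168.109.132", f"10.1.2.{i}", 445, "tcp", 120) for i in range(1, 9)]
FLOWS += [
    ("192.168.109.132", "203.0.113.10", 80, "tcp", 48000),
    ("192.168.109.132", "203.0.113.11", 80, "tcp", 52000),
    ("10.9.9.9", "192.168.109.132", 139, "tcp", 300),
]

def summarize(flows, host):
    """Per (proto, dst_port): flow count, byte total and distinct peers,
    counting only flows that *originate* at host."""
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0, "dests": set()})
    for src, dst, port, proto, nbytes in flows:
        if src != host:
            continue
        entry = stats[(proto, port)]
        entry["flows"] += 1
        entry["bytes"] += nbytes
        entry["dests"].add(dst)
    return dict(stats)

def scan_like_ports(stats, min_dests=5, max_avg_bytes=200):
    """Ports on which the host fanned out to many peers with tiny flows:
    the signature of scanning or worm propagation rather than normal use.
    Thresholds are illustrative assumptions; tune them to your network."""
    hits = []
    for (proto, port), entry in stats.items():
        avg = entry["bytes"] / entry["flows"]
        if len(entry["dests"]) >= min_dests and avg <= max_avg_bytes:
            hits.append((proto, port, len(entry["dests"])))
    return sorted(hits)

if __name__ == "__main__":
    stats = summarize(FLOWS, SUSPECT)
    for (proto, port), entry in sorted(stats.items()):
        print(f"{proto}/{port}: {entry['flows']} flows, "
              f"{entry['bytes']} bytes, {len(entry['dests'])} peers")
    print("scan-like:", scan_like_ports(stats))
```

A hit on tcp/445 with eight distinct peers and 120-byte flows is what raises confidence that this is an incident, and it was obtained without a single action on the suspect machine.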

23
Other tools
  • EnCase
  • http://www.guidancesoftware.com/
  • Helix
  • http://www.e-fense.com/helix/
  • VMWare
  • http://www.vmware.com/
  • IDA Pro
  • http://www.datarescue.com/idabase/index.htm

24
What you can do
  • Develop a toolset
  • Stay current in the security community
  • Identify critical systems and locations of
    sensitive data
  • Know your business owners
  • Introduce yourself to law enforcement

25
Questions / Comments
  • Thank You