Transcript Slide

Andy Malone MVP, MCT
CEO / Trainer / Consultant
Quality Training (Scotland) Ltd &
Dive Deeper Technology Events EMEA
Session Code: SIA318
The Disclaimer!
In attending this session you agree that any software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk. Microsoft Corporation, Quality Training (Scotland) Ltd, Dive Deeper Technology Events EMEA & the other 3rd party vendors whose software is demonstrated as part of this session are not responsible for any subsequent loss or damage whatsoever... You have been warned!
Session Overview
Introductions
Identifying the Dark Arts
Risk Management - Costs Vs Benefits
Incident Response
Defining & Resolving Incidents
Computer Forensics
How it Works
The Tools
Anti Forensics Tools – Hiding your Tracks!
Conclusions & Q&A
Question...What’s your Price?
The Dark Arts – Include but not Limited to:
• Technology Based
  • Hacking
  • Spamming Etc
• Physical Intrusion
  • Hijacking
  • Spying
  • Theft
  • Industrial Espionage
  • Identity Theft
  • Malicious Employees
  • Stupidity
  • Temptation
The old Excuse is no Excuse!
• It will never happen to me!
• I forget “why” we do it this way.
• “It’s the way we've always done it.”
• It’s standard practice throughout the company.
• Costs too much money!
• Too much training is required.
• We simply don’t have enough resources.
LEARN TO LOOK FOR WEAKNESS...
It’s Good to Share!
But not Too Much!
Do you Have Assets Worth Stealing?
Database
Plans / Blueprints / designs
Formula
Software / Program
Drug / Medicine
Technology, Car, Cell Phone, Computer etc
A Person!
Etc
How a Bad Guy Selects a Target!
Person
Resource
Company
Government
Target Selection – A Person
Predator
For Financial Gain
For Political Gain
Invasion of Privacy
Cyberbully
Revenge
Identity Fraud – Impersonation
Espionage
Coercion
Target Selection – Company (Business)
Trade Secrets
Competitor
Insider trading
Product or Service
Secret Formula
Hostile Takeover
Spread Malicious Rumours
Industrial Espionage
Force Share Price Fall
Target Selection – Government
Military Coup
Political Corruption
Bribery
Country Destabilisation
Vote Manipulation
Cyber warfare
Estonia Vs Russia
India Vs China
“In order to defend, one must first learn how to attack” - Andy Malone
INCIDENT RESPONSE
Learning to Defend:
Form an Incident Response Team
Defining an Incident:
System outages
Power outages
Natural Disaster
Denial of Service
Malicious Code
Network Intrusion
Child Pornography
Malware Outbreak (i.e. virus, worms)
Acceptable Usage Policy / Malpractice
The CIA Triad
• Confidentiality: Protecting information from unauthorized disclosure
• Integrity: Ensuring data is unchanged and trustworthy
• Availability: Ensure access to data and resources
Defining Incident Impact
• Compromise: violation of Confidentiality
• Destruction: violation of Integrity
• Denial: violation of Availability
Preparation: Strategy!
Preparation is the most important phase of Incident Response.
Proper preparation will ensure that the organization can respond properly.
Potential evidence for civil or criminal cases may be lost.
Preparation: Legal
Obtain advice from a lawyer to determine your rights as an organization.
Require all system users to sign acceptable usage agreements.
Implement legally binding click-through log-in banners.
Preparation: Training
Establish trust between systems administrators and end users.
Train everyone on basic security concepts.
Ensure everyone knows their role in Incident Response.
Role play disaster scenarios.
Threat Identification Example:
Understand File Signatures!
Every File Type has a Unique File Signature
A Skilled Security Professional can detect
changes to a file's content or attributes.
Useful in Forensic Analysis
Reveals if File has been Encrypted or Changed
Analyzing File Signatures
File Signature Examples:
Hex signature                     | ASCII      | Ext            | Offset          | Description
E3 82 85 96                       | ã...       | PWL            | 0               | Windows password file
EC A5 C1 00                       | ì¥Á.       | DOC            | 512 byte offset | Word document subheader (MS Office)
ED AB EE DB                       | í"îÛ       |                |                 |
FD FF FF FF 04                    | ýÿÿÿ.      | SUO            | 512 byte offset | Visual Studio Solution User Options subheader (MS Office)
FD FF FF FF nn 00 00 00           | ýÿÿÿ....   | PPT            | 512 byte offset | PowerPoint presentation subheader (MS Office); nn has been seen with values 0x0E, 0x1C, and 0x43
FD FF FF FF nn 02                 | ýÿÿÿ..     | XLS            | 512 byte offset | Excel spreadsheet subheader (MS Office); nn = 0x10, 0x22, 0x23, 0x28, or 0x29
FF D8 FF E1 xx xx 45 78 69 66 00  | ÿØÿá. JFIF | JPG            | 0               | Digital camera JPG using Exchangeable Image File Format (EXIF)
FF Ex / FF Fx                     | ÿ.         | MPEG, MPG, MP3 | 0               | MPEG audio file frame synch pattern
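As an added example (not from the slides), this Python script encodes the table above, including the 512-byte offsets and the nn/xx wildcard bytes, and reports whether a file's extension agrees with its header. It goes slightly beyond the table by matching the FF Ex / FF Fx frame sync with a bit mask; the function names and the sample files are my own constructions.

```python
"""Added example: check file headers against the slide's signature table."""
from pathlib import Path

def sig(text):
    """Turn "FD FF FF FF nn 02" into (value, mask) pairs; nn/xx bytes match anything."""
    return [(0, 0) if tok.lower() in ("nn", "xx") else (int(tok, 16), 0xFF)
            for tok in text.split()]

# (offset, pattern, extension, description), transcribed from the slide's table.
SIGNATURES = [
    (0,   sig("E3 82 85 96"), "pwl", "Windows password file"),
    (512, sig("EC A5 C1 00"), "doc", "Word document subheader (MS Office)"),
    (512, sig("FD FF FF FF 04"), "suo", "Visual Studio Solution User Options subheader"),
    (512, sig("FD FF FF FF nn 00 00 00"), "ppt", "PowerPoint presentation subheader"),
    (512, sig("FD FF FF FF nn 02"), "xls", "Excel spreadsheet subheader"),
    (0,   sig("FF D8 FF E1 xx xx 45 78 69 66 00"), "jpg", "Digital camera JPG with EXIF"),
    # "FF Ex" / "FF Fx": MPEG frame sync, so byte 2 only needs its top three bits set.
    (0,   [(0xFF, 0xFF), (0xE0, 0xE0)], "mp3", "MPEG audio file frame synch pattern"),
]

def matches(data, offset, pattern):
    """True when every (value, mask) pair agrees with the bytes at the given offset."""
    window = data[offset:offset + len(pattern)]
    return len(window) == len(pattern) and all(
        (b & m) == (v & m) for b, (v, m) in zip(window, pattern))

def identify(data):
    """Return the extensions of every listed signature present in the header bytes."""
    return [ext for offset, pattern, ext, _ in SIGNATURES if matches(data, offset, pattern)]

def check_file(name, data):
    """OK when the extension agrees with the bytes, MISMATCH when it does not (renamed
    file), UNKNOWN when no listed signature is present (unknown type, damaged, or encrypted)."""
    found = identify(data)
    claimed = Path(name).suffix.lower().lstrip(".")
    if not found:
        return "UNKNOWN"
    return "OK" if claimed in found else "MISMATCH"

if __name__ == "__main__":
    # Constructed sample files, not real documents: an Excel subheader at offset 512,
    # the same bytes renamed to .doc, an EXIF JPEG header, and an opaque blob.
    xls = b"\x00" * 512 + bytes.fromhex("FDFFFFFF1002") + b"\x00" * 16
    samples = {"budget.xls": xls, "budget.doc": xls,
               "photo.jpg": bytes.fromhex("FFD8FFE11234457869660000"),
               "secret.xls": bytes(range(64))}
    for name, data in samples.items():
        print(f"{name}: {check_file(name, data)} {identify(data)}")
```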
Analyzing File Signatures
Use Multi-Layer Defence Strategies
Network Traffic Encryption.
I.e. IPSec, SSL, SSTP
Intrusion Detection System
Intrusion Prevention System
Anti Virus / Anti Malware Protection
Biometrics, Smart Cards, Strong Passphrase
Physical Security & Social Networking Security
Which Tools to Use!
Intrusion Detection System (IDS) Vs Intrusion Prevention System (IPS)
IDS Origins
Originally built for US Government use to protect against malicious employees.
Then integrated into the security industry.
Listens to all types of protocols: TCP, UDP, RIP, ICMP, routable protocols.
IDS first installs in learning mode. Behaviour creates a profile.
Ensure that no attacks are going on while it learns, otherwise it could be a disaster.
Intrusion Detection System (IDS)
Intrusion Detection Systems Architecture
Signature Based Analysis
Behavioural Based Analysis
Intrusion Detection System Implementation
HIDS (Host Based)
NIDS (Network Based)
IPS (Intrusion Prevention System)
Analyzes packets rather than traffic or protocol type.
Similar to a firewall but undertakes deeper inspection of packets, headers etc.
Access control decisions are based on application content rather than on IP address or ports, as traditional firewalls have done.
Gartner said that IDS is dead. IPS is a preventative and proactive technology, whereas IDS is a detective and after-the-fact technology.
Best Solution
Intrusion Detection System (IDS) Vs Intrusion Prevention System (IPS)
Best Advice: Get Both!!
Introducing an IPS & IDS to your business.
Honeypot Software
False systems that lure intruders and gather information on the methods and techniques they use to penetrate networks, by purposely becoming victims of their attacks.
Simulate unsecured network services.
Make the forensic process easy for investigators.
Honeypot Software
Commercial
ManTrap
Specter
Smoke Detector
NetFacade
Open source
BackOfficer Friendly
BigEye
Deception Toolkit
LaBrea Tarpit
Honeyd
Honeynets
User Mode Linux
Honeypots, Ethics, and the Law
Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host.
A honeypot does not convince one to attack it; it merely appears to be a vulnerable target.
Doubtful that honeypots could be used as evidence in court.
The Honeynet Project
The Aftermath: Containment, Eradication, and Recovery
Schedule enterprise outage.
Disconnect from the Internet.
Wipe systems enterprise wide.
The Aftermath:
Containment, Eradication, and Recovery
Re-image all computers with patched installation.
Follow Good Backup / Recovery Procedures
Change administrator accounts and passwords.
Create new strong passwords for all users.
Ensure all Anti-Virus & Anti Malware software is updated.
Perform a digital hash on all files on your image so you can eliminate known good hashes.
If Internal attack: Disable User Account & take appropriate disciplinary action.
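The known-good elimination step above, as an added example that is not from the slides: hash every file in the acquired image, then set aside anything whose hash also appears in a reference set built from a clean, patched installation, so the examiner only looks at what is new or changed. SHA-256 is used here, the directory layout and file contents are constructed sample data, and the function names are my own.

```python
"""Added example: hash every file in an image and drop the known-good ones."""
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_known_good(clean_root):
    """The known-good set: hashes of a pristine, patched installation image."""
    return set(hash_tree(clean_root).values())

def suspicious_files(image_root, known_good):
    """Files whose hash is not in the known-good set; only these need an examiner's time."""
    return {name: h for name, h in hash_tree(image_root).items() if h not in known_good}

def demo():
    """Constructed sample data: a clean reference tree beside a suspect image."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, image = Path(tmp, "clean"), Path(tmp, "image")
        for root in (clean, image):
            (root / "Windows/System32").mkdir(parents=True)
            (root / "Windows/System32/notepad.exe").write_bytes(b"MZ...notepad (constructed)")
            (root / "Windows/System32/calc.exe").write_bytes(b"MZ...calc (constructed)")
        # In the suspect image one system binary was replaced and a new file appeared.
        (image / "Windows/System32/calc.exe").write_bytes(b"MZ...replaced calc (constructed)")
        (image / "Users/bob").mkdir(parents=True)
        (image / "Users/bob/dropper.exe").write_bytes(b"MZ...unknown binary (constructed)")
        return suspicious_files(image, build_known_good(clean))

if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{digest}  {name}")
```

In practice the reference set is a published hash library or a hash run over your own gold image rather than a second directory tree, but the filtering is the same.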
Incident Response: Learn from Mistakes!
Complete a detailed report documenting the incident.
Continue to monitor for artifact traces.
Utilize lessons learned and prepare for the next incident.
COMPUTER FORENSICS
Network Forensics:
Carry out Random Packet Captures
Full binary packet captures allow replay of attacks.
Can be provided as evidence of a computer crime.
Equivalent to video camera surveillance.
What is Forensic Duplication?
In its simplest form it is a method of creating a near perfect duplicate image of a data environment:
Personal Computers
Peripherals i.e. printers, scanners, iPods, etc.
Entire Networks i.e. LAN, WAN, Wireless, etc.
How it Works!
Write Blocker prevents
Contamination
Imaging Victim Systems
Digital Hashes
Network Protocol Analysis
Intrusion Detection
Volatile Data Collection
Autopsy
Definitions
Forensic Duplicate: File that contains every bit of information from the source in a raw bit stream format.
Qualified Duplicate: Same as above, but allows embedded metadata or certain types of compression.
Mirror Image: Created from hardware that does a bit-to-bit copy from one hard drive to another.
Reasons for Forensic Duplication
The examination can destroy evidence inadvertently.
The original computer system might only be available for capturing.
Issues with disk and file system metadata such as boot sectors.
Crimes Include:
Theft of trade secrets
Fraud
Extortion
Industrial espionage
Possession of pornography
SPAM investigations
Virus/Trojan distribution
Homicide investigations
Intellectual property breaches
Unauthorized use of personal information
Plus many more…
Forensics: Top Tips.
Get Legal Advice
DO NOT begin by exploring files on the system randomly.
Establish an evidence custodian: start a detailed journal recording the date and time of each action and the information discovered.
If possible, designate suspected equipment as “off-limits” to normal activity. This includes backups, remotely or locally scheduled house-keeping, and configuration changes.
Collect email, DNS, and other network service logs.
The Tools: Forensics Toolkits $12.995
Cell Phone Forensics Toolkits
Forensics Software: EnCase
Forensics Software: Unshredder
Forensics Software: Helix
Helix
Customized Knoppix disk that is forensically safe.
Includes improved versions of ‘dd’.
Terminal windows log everything for good documentation.
Includes Sleuthkit, Autopsy, chkrootkit, and others.
Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools.
Forensics Tools: MDD
mdd -o OUTPUTFILENAME
Example:
C:\tools\mdd> mdd -o memory.dd
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for
details use option `-w'
This is free software, and you are welcome to
redistribute it
under certain conditions; use option `-c' for details.
-> Dumping 255.48 MB of physical memory to file 'memory.dd'.
65404 map operations succeeded (1.00)
0 map operations failed
took 21 seconds to write
MD5 is: a48986bb0558498684414e9399ca19fc
Disk Cloning!
Digital Forensics
Anti Forensic Methods / Tools
Steganography Vs Steganalysis
Alternate Data Streams (ADS)
Secure Deletion Tools
In Private Internet Browsing
Encryption Products
BitLocker
TrueCrypt
CrossCrypt
FreeOTFE etc
Alternate Data Streams
The ability to hide data behind a file, such as text, graphics or executable code (Games, Trojans, etc).
NTFS Streams are only visible to specialized software.
Public awareness of NTFS streams is very low.
Streams can attach themselves to directories as well as files.
Disk space used by Streams is not reported by programs such as Windows Explorer or commands such as 'DIR'.
Streams can be executed. Executed streams do not have their filenames displayed correctly in Windows Task Manager.
Alternate Data Stream Example
c:\> type c:\winnt\notepad.exe > hello.txt:np.exe
c:\> type c:\winnt\system32\sol.exe > hello.txt:sol2.exe
Similarly, image files, audio files, or any other stream of data can be hidden in ADSs.
Sysinternals: Streams
Windows 7 & Server 2008 R2
dir /r in Windows 7 & Vista will reveal an ADS
Hiding Data
ADS – Secure deletion - Encryption
Beware: The Inside Man!
Job openings are an ideal vehicle for industrial espionage:
Bypass firewalls
Assumed Trust
Access to sensitive Materials
Prevention is difficult.
Disgruntled employees are perfect! Easily recruited by bad guys.
10 IT Nuggets to Protect Your Business!
1. Form an Incident Response Team
2. Conduct a Risk Analysis
3. Establish Clear Internal & External Access Control Guidelines
4. Administrator Responsibilities
5. Establish Clear Audit Trails & Monitoring
6. Secure Workstations / Laptops / Software etc, Remote Access, Encryption
7. Network Security: Firewalls, IDS, IPS Etc
8. Ensure Patching & Backups are up to Date
9. Anti Virus & Anti Spyware
10. Establish Clear Remote Access Guidelines
Top 10 Non IT Nuggets to Protect Your Business!
1. Secure Physical Access to Sites
2. Monitor Visitors On-Site: Badges etc
3. Human Resources: Adopt & Follow Clear Guidelines!
4. Always Follow up on Job Applications, References, skills etc.
5. Ensure you adopt a Security Awareness Programme
6. Have an Acceptable Usage Policy
7. Social Engineering: Be Aware of Dangers
8. Security Implementation: Timings etc
9. Audit...Audit & Audit!!!!
10. Ensure Contractors are Insured!!
Most Important: Make your solution Workable!
Here are the draft guidelines on improving security!
Review:
Introductions
Identifying the Dark Arts
Risk Management - Costs Vs Benefits
Incident Response
Defining & Resolving Incidents
Computer Forensics
How it Works
The Tools
Anti Forensics Tools – Hiding your Tracks!
Conclusions & Q&A
Related Content
SIA308- Useful Hacker Techniques: Which Part of Hackers' Knowledge Will Help You in
Efficient IT Administration?
SIA313- Attacking the Windows Stack and How to Protect against These Attacks
SIA403 - A Deep Dive on the New Microsoft Forefront Threat Management Gateway
Interactive Session: SIA07 IS Security Assessment Planning and Implementation
Thanks for Attending!
Andy Malone MVP, MCT
CEO / Consultant
Quality Training (Scotland) Ltd & Dive Deeper Technology Events EMEA
[email protected]
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.