INVESTIGATING A COMPUTER SECURITY INCIDENT


Auerbach Publications

© 1999 CRC Press LLC

DATA SECURITY MANAGEMENT


Peter Stephenson

INSIDE

Infrastructure Issues, Technologies Involved, Intrusion Detection, Forensic Analysis, Back Tracing, Conducting an Investigation

You are a security professional. It is 3 A.M. on a Sunday. Your pager goes off and, upon calling the network control center, you find that there has been a serious intrusion into a critical system. What do you do?

It is late in the workday on a Friday. Your phone rings. A fraud examiner from internal auditing believes that a company computer was used to commit fraud in the payroll department. She wants your help. What do you do?

You receive a call from corporate security. They have received a complaint that someone from inside your company's network has broken into an outside system. Security wants your help. What do you do?

All of these scenarios have one thing in common: they are computer security related incidents. The handling of such incidents must be methodical, preplanned, and consistent with practices that will stand up in a court of law should the necessity arise. That requires a lot of preparation, training, and implementation of the right tools, procedures, and policies. Over the course of the next few pages we will explore the implications of these and other types of incidents and provide you with a set of guidelines for managing them effectively.

PAYOFF IDEA

When a security incident occurs and you are responsible for conducting the investigation, that is no time to begin determining how to perform an investigation. The procedures must already be established. This article provides a structured approach, with helpful checklists, to enable establishment of the policies and procedures necessary to conduct a security incident investigation effectively.

INFRASTRUCTURE ISSUES

No investigation can be successful if the computing infrastructure will not support the basic requirements of good information security. In the case of an intrusion, for example, complete system logs may be the key. Very often either there are no system logs or the logs are incomplete. If there are no policies and procedures in place for routinely gathering logging information, instituting an investigation, and following explicit guidelines for investigation and recovery, it is likely that your investigation will lead nowhere.

Most computer security incidents do not result in the capture and successful prosecution of the perpetrator. The FBI has estimated that fewer than ten percent of all computer incidents get reported, fewer than ten percent of those get investigated, fewer than ten percent of those result in prosecution, and fewer than ten percent of the prosecutions result in conviction and punishment. That means the computer criminal has a one in ten thousand chance of going to jail for a computer-related crime: great odds for any endeavor. Solid investigation can change those odds materially.

Additionally, the FBI and the Computer Security Institute, in their annual survey on computer crime and information security, gathered the following disturbing facts in 1998:

• 64 percent of respondents reported a security breach in 1998, up 16 percent from the previous year

• security breaches cost the respondents who could quantify losses a total of $136,822,000, up 35 percent over the previous year

• 18 percent of respondents had no idea whether or not they had been hacked

• only 38 percent of respondents had a written intrusion policy, and only 22 percent had an evidence handling policy

• 74 percent of respondents reported attacks from inside their networks, and 70 percent reported attacks initiated from outside

• disgruntled employees accounted for attacks reported by 89 percent of the respondents, while outside hackers accounted for 79 percent (all respondents reported attacks from multiple sources)

It is clear from these statistics that there is a real problem. Fortunately, there are solutions.

In order to set the stage for incident response, there are a number of things that must be done. Here is a quick checklist before we go into more detail.

1. Implement appropriate policies, standards, and practices.

2. Ensure that legal issues (such as privacy and ownership of company information) are documented in appropriate policies.

3. Implement, equip, and thoroughly train a computer incident response team (CIRT).

5. Implement appropriate vulnerability testing.

6. Implement realtime intrusion detection and logging.

7. Institute periodic incident response rehearsals and drills.

8. Institute and maintain relationships with local law enforcement agencies.

One structured approach that allows implementation of the checklist is intrusion management. Although this is a topic for its own article, here is a brief description. Intrusion management is a four-level methodology that helps secure information assets on a large network. The definition of intrusion management is:

Limiting the possibility of a successful intrusion through effective preventative, quality management and detective processes, and facilitating successful investigation of an intrusion should one occur.

Intrusion management is a four-step process. The steps are avoidance, assurance, detection, and investigation. We define these steps, or levels, as follows:

• Avoidance: using policies, standards, best practices, and tools such as firewalls, access control, and encryption to deflect attacks against information assets

• Assurance: vulnerability testing and system audits measure compliance with policies

• Detection: realtime logging and interception of intrusion or abuse attempts

• Investigation: tracing intrusions and abuses in a manner that facilitates appropriate responses. Lessons learned feed back into Avoidance

If, as the core of an infrastructure preparation, a formal intrusion management program is implemented, it will have provided an advantage towards being able to bring the investigation of a computer security incident to a successful conclusion. Compare, for example, the items in the quick checklist above and the four levels of intrusion management. It will be found that the checklist fits well in the I/M process.

A few words regarding policies, standards, and practices are in order here. Many organizations have been lax in keeping policies, standards, and practices current with the state of their networks and the state of the art in terms of technology, business requirements, and legal issues. There are several specific areas, other than consistency with your business needs and network infrastructure, that should be considered. Some are:

• Privacy Issues. Generally the courts will side with the individual against the organization in matters of privacy if the organization does not have specific policies to protect it. One suggested policy is that employees have no expectation of privacy in the workplace and that all data in any form is subject to scrutiny by the company at its own will and pleasure.

• Search and Seizure. All computers being used on company property are subject to seizure in the event of an investigation. This includes both user-owned computers and corporate-owned computers.

• Investigation Process and Authority. There should be a policy that creates a CIRT and vests it with appropriate authority. Additionally, there should be a detailed standard practice that dictates how the CIRT functions, including procedures, equipment and software to be used, mandatory training, and periodic drills.

• Logging. There should be a standard practice (supported by policy, of course) that mandates logging, defines logged events, and mandates a log retention period (six months at minimum).

TECHNOLOGIES INVOLVED

There are some specific enabling technologies that can help ensure a successful investigation. Some of these are implemented in advance (as part of the infrastructure) and some relate to investigative tools.

Intrusion Detection

Intrusion detection (implemented as part of level 3 of intrusion management) is a set of technologies, tools, and techniques intended to intercept efforts to abuse computers, data, or communications channels. The IDS (intrusion detection systems) FAQ (frequently asked questions) by Robert David Graham defines intrusion detection as follows (with our corrections to the inevitable typing errors in Internet FAQs):

An intrusion is somebody (aka, hacker or cracker) attempting to break into or misuse your system. The word "misuse" is broad, and can reflect something as severe as stealing confidential data to something minor such as misusing your e-mail system for spam (though for many of us, that is a major issue!).

An intrusion detection system (IDS) is a system for detecting such intrusions. For the purposes of this FAQ, IDS can be broken down into the following categories:

1. Network intrusion detection systems (NIDS) monitor packets on the network wire and attempt to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack). A typical example is a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan. An NIDS may run either on the target machine that watches its own traffic (usually integrated with the stack and services themselves), or on an independent machine promiscuously watching all network traffic (hub, router, probe).

2. System integrity verifiers (SIV) monitor system files to find when an intruder changes them (thereby leaving behind a backdoor). The most famous of such systems is Tripwire.

3. Log file monitors (LFM) monitor log files generated by network services. In a similar manner to NIDS, these systems look for patterns in the log files that suggest an intruder is attacking. A typical example would be a parser for HTTP server log files that is looking for intruders who try well-known security holes, such as the phf attack. Note that a network IDS monitors many machines, whereas the others monitor only a single machine (the one they are installed on).
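A small log file monitor of the kind the FAQ's third category describes, as an added example that is not from the article or the FAQ. It parses web server access log lines in Common Log Format and reports, per source host, requests that probe well-known CGI holes; the path list holds only /cgi-bin/phf (the example the FAQ names) and is meant to be extended, and the log lines are constructed for this example.

```python
"""A small log file monitor (LFM) for HTTP server access logs.

Added example, not from the article or the FAQ. Parses Common Log Format
lines and counts, per source host, requests that probe well-known CGI holes.
The log lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Paths the monitor treats as probes of known holes (assumption: extend per site).
SUSPECT_PATHS = ("/cgi-bin/phf",)

def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspect(entry):
    """Compare on the path alone, ignoring any query string the request carries."""
    path = entry["path"].split("?", 1)[0].lower()
    return any(path == p or path.startswith(p + "/") for p in SUSPECT_PATHS)

def monitor(lines):
    """Return (alerts, unparsed): alerts maps source host -> probe count."""
    alerts = defaultdict(int)
    unparsed = 0
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            unparsed += 1          # an LFM should count, not silently drop, odd lines
            continue
        if is_suspect(entry):
            alerts[entry["host"]] += 1
    return dict(alerts), unparsed

# Constructed sample access log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/1999:03:01:12 -0500] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.10 - - [03/May/1999:03:01:15 -0500] "GET /cgi-bin/phf?q=test HTTP/1.0" 404 312',
    '198.51.100.7 - - [03/May/1999:03:02:40 -0500] "GET /products.html HTTP/1.0" 200 5120',
    '192.0.2.10 - - [03/May/1999:03:02:44 -0500] "HEAD /cgi-bin/phf HTTP/1.0" 404 -',
    'this line is not in common log format',
]

if __name__ == "__main__":
    hits, bad = monitor(SAMPLE_LOG)
    for host, count in hits.items():
        print(f"ALERT {host}: {count} probe(s) of known CGI holes")
    print(f"{bad} unparsed line(s)")
```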

Logging. In order for some types of IDS to work, logs must be comprehensive and timely (e.g., they should be created and made available to the LFM in real time). However, in addition, they should be retained for a period of no less than six months. The usual problem with logs is that they are incomplete (i.e., they do not contain enough useful information) and they are not available for analysis when the event is discovered. The combination of good intrusion detection and a log retention policy can mitigate both of those problems.

The usual excuses for not creating comprehensive logs are size of the logs and performance hits due to their creation. The former is not a problem if a log parser such as AXENT Technology's Intruder Alert (IDA) is used as an LFM. The IDA watches logs, no matter how detailed, and reports important (as defined by you) events immediately, thus removing the requirement for human analysis on an ongoing basis. The latter is a genuine problem and requires care in designing the logging system to avoid.

Logs should be offloaded from the machine where they are logging and stored on a log host specifically dedicated to preserving and protecting logs. This preserves resources on the system being logged, protects the logs themselves, and provides a mechanism for adjusting network and host performance. Finally, it allows products such as the ITA to work on groups of logs with virtually no performance effects against the machine being logged.
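An added example (not from the article) of checking a log host against the retention practice described above: given the dates for which the host actually holds a daily log from one source, it reports the days missing inside the six-month window, which is exactly the "not available when the event is discovered" failure, and the days old enough to purge. The file naming scheme, the audit date and the inventory are assumptions constructed for the example.

```python
"""Auditing a log host against a six-month retention practice.

Added example, not from the article. The naming scheme '<source>-YYYY-MM-DD.log',
the audit date and the inventory below are constructed assumptions.
"""
from datetime import date, timedelta

RETENTION_DAYS = 183        # about six months, the minimum the text asks for
TODAY = date(1999, 5, 3)    # constructed audit date

def days_ago(n):
    return TODAY - timedelta(days=n)

def dates_from_names(names):
    """'webserver-1999-05-03.log' -> date(1999, 5, 3); other files are ignored."""
    found = set()
    for n in names:
        if n.endswith(".log") and len(n) > 14:
            try:
                found.add(date.fromisoformat(n[-14:-4]))
            except ValueError:
                pass   # not a daily log file name; skip it
    return found

def audit_retention(present, today=TODAY, retention_days=RETENTION_DAYS):
    """Return (missing, purgeable): dates absent inside the retention window,
    and dates present but older than the window."""
    window_start = today - timedelta(days=retention_days - 1)
    expected = {window_start + timedelta(days=i) for i in range(retention_days)}
    missing = sorted(expected - present)
    purgeable = sorted(d for d in present if d < window_start)
    return missing, purgeable

def runs(dates):
    """Collapse a sorted date list into (first, last) runs for a readable report."""
    out = []
    for d in dates:
        if out and d == out[-1][1] + timedelta(days=1):
            out[-1] = (out[-1][0], d)
        else:
            out.append((d, d))
    return out

# Constructed inventory: 200 days of daily logs with two gaps, plus a stray file.
GAPS = {40, 41, 42, 95}
LOG_NAMES = [f"webserver-{days_ago(i).isoformat()}.log"
             for i in range(200) if i not in GAPS] + ["README.txt"]

if __name__ == "__main__":
    missing, purgeable = audit_retention(dates_from_names(LOG_NAMES))
    for first, last in runs(missing):
        print(f"MISSING {first} .. {last}")
    print(f"{len(purgeable)} file(s) older than {RETENTION_DAYS} days may be purged")
```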

Forensic Analysis

Forensic computer analysis is the science of collecting clues or leads from a computer involved in a security event. It requires specialized tools, such as noninvasive bit stream backup software (such as SafeBack from Sydex) or IPFilter (from NTI in Gresham, OR) which extracts e-mail addresses from a disk. These tools have, as their purpose, gathering evidence and leads from the disks of computers involved in an incident without disturbing the integrity of the disk or the data on it. They are specifically designed to produce information that can be used in a court of law. Their use requires specific and significant training and experience. A discussion of the details of forensic computer analysis is well beyond the scope of this article.

Back Tracing

Back tracing is the technique of tracing an intrusion to its source. There are two general types of back tracing: network and telephone. Network back tracing involves tracing an intruder backwards through routers and hosts on a large network. Intruders will generally jump from system to system, using precracked computers as intermediate platforms from which to launch attacks. By so doing they mask their true origin. Network back tracing requires cooperation from the administrators of intermediate systems.

Telephone back tracing always requires the assistance of the telephone company (and, thus, a court order). Skilled intruders use a technique called phreaking to break into telephone switches and jump from switch (or PBX) to switch, masking the phone number from which they are actually calling.

CONDUCTING AN INVESTIGATION

There are several approaches to managing an intrusion and conducting an investigation. The SANS Institute publishes a ten step approach to responding to a security incident. While these steps do not, explicitly, address investigation, they are a very good starting point.

Step 1. Remain calm

Step 2. Take good notes

Step 3. Notify the right people and get help

Step 4. Enforce a "need to know" policy

Step 5. Use out-of-band communications

Step 6. Contain the problem

Step 7. Make a backup of the affected system(s) as soon as practicable

Step 8. Get rid of the problem

Step 9. Get back in business

Step 10. Learn from this experience

Kenneth Rosenblatt, an assistant district attorney in Santa Clara County, CA, is a well-known prosecutor of computer-related crime. In his book, High Technology Crime: Investigating Cases Involving Computers (Kenneth S. Rosenblatt, KSK Publications, San Jose, CA), the author defines six specific goals of an investigation of a computer security incident:

1. To understand how the intruder is entering the system

2. To obtain the information you need to justify a trap and trace of the phone line the intruder is using

3. To discover why the intruder has chosen the victim's computer

4. To gather as much evidence of the intrusion as possible

5. To obtain information that may narrow your list of suspects, or at least confirm that the intruder is not a current employee

6. To document the damage to the victim caused by the intruder, including the time and effort spent by the victim in investigating the incident and determining the amount of damage to its computer

In this author's upcoming book on the topic, corporate investigation teams are offered a specific set of seven steps for meeting those goals:

1. Eliminate the obvious

2. Hypothesize the attack

3. Reconstruct the crime

4. Perform a traceback to the suspected source computer

5. Analyze the source, target, and intermediate computers

6. Collect evidence including, possibly, the computers themselves

7. Turn your findings and evidentiary material over to corporate investigators or law enforcement for follow-up

One should begin the investigation by getting the lay of the land. Two things must be done immediately. First, preserve the crime scene and second, gather basic witness information to get an idea of what happened and when.

The crime scene can be preserved by getting people away from any computers or devices considered part of the virtual crime scene, disconnecting any communications links to those computers, and performing a physical, or bit stream, backup for the purpose of preserving evidence. Then conduct preliminary witness interviews, very informally at this point, to get a rough picture of what happened. The news reporter's five Ws (Who, What, Where, When, Why) are a good guideline for this questioning.

Once this point has been reached, obviously wrong explanations for the event can be eliminated and one can begin to hypothesize how the attack, or other incident, occurred. Next, a copy of the backup will be used (there should be two: one for evidence and one as a working copy) to create a mirror of the affected computer(s). Never work on the original computer or the evidence copy of the backup. On the mirror, begin to reconstruct the crime and test the hypotheses. A replica of the network may need to be created in the lab; at this point, one may be ready to start the process of tracing back to the suspected origin of the event.

Back tracing is very difficult and, in many cases, it cannot be done unless the intruder is online. However, if the intruder was careless, there may be footprints left on intermediate machines. Amateurs may not have used intermediate systems and will be very easy to back trace.

Next, begin using forensic techniques to extract clues from the computers involved. The tools must be specifically for this activity and they must meet several criteria:

• they must not alter the data as a side effect of the collection process

• they must collect all of the data we want and only the data we want

• we must be able to establish that they worked properly, e.g., as advertised

• they must be accepted, generally, by the computer forensic investigative community

¥ the results produced must be repeatable

Our next step is evidence preservation and it will certainly include all bit stream backups, related floppy disks, and, perhaps, the involved computers themselves. Remember not to turn on the computers unless there is a bootable floppy in the A: drive, to prevent the computer from booting from its hard drive, and perhaps, writing information to the hard disk.

Finally, the findings will be analyzed, conclusions drawn, and a final report prepared. The report presents the conclusions, the evidentiary material to support them, recommendations, and lessons learned. It is not one's place to take action unless directed by management to do so.

During the course of the investigation, it may be necessary to get back online with the systems that were included in the investigation. In fact, there may be systems (servers, for example) which cannot be taken out of service at all. That complicates the work, but it is important to remember that business needs drive security (including investigations), not the other way around. Business needs are never subordinated to the investigation unless forced to by outside influences (damage to the system, intervention by law enforcement, etc.).

SUMMARY

The investigation of a computer security incident is complex. Security professionals must balance the need for a "clean" investigation with the overriding need to keep the business running smoothly and implementing mitigating controls for the future. Most investigative work is done before the event even occurs. That work is in the form of infrastructure preparation, training of the CIRT, and rehearsals of mock incidents. If prepared for an event before it ever occurs, the intrusive portions of investigations can be conducted rapidly and the organization can get back to the business of doing business.

A most important lesson to be taken from this discussion is that the investigation of computer security incidents cannot exist in a vacuum. Investigation is not a stand-alone effort. It is, rather, an integral part of a comprehensive intrusion management program. A successful investigation is supported and enabled by good preparation in the form of policies, standards, and practices, as well as a well-trained and equipped CIRT, intrusion detection and logging mechanisms, and a generally secure network.

Investigation of computer security incidents is, as stated above, very complex. The surface has merely been touched here. However, enough has been provided to get things started to prepare for what most respondents to the FBI/CSI 1998 study found: intrusions are becoming an inevitable fact of business life.

Peter Stephenson is currently President of InfoSEC Technologies, Inc., an information security consultancy. He has 32 years of experience in technology fields, including 17 as a consultant. He has written or contributed to 12 books, written numerous training courses, lectured worldwide on security, and has published many articles in industry publications. He can be reached via e-mail at pstephen@versalink.com.
