Incident response: Introduction

Author:BillBuchananAuthor:BillBuchanan
StatefulfirewallNetworkSecurity
Stateful firewall
PIX/ASAConfigNetworkSecurity
PIX/ASA
Author: Prof Bill BuchananAuthor: Prof Bill Buchanan
Incident Response
 Introduction.
 Risk Analysis.
 Risk Management.
 Outline of threats.
 Data Loss.
 Fundamentals.
Alice
Bob
Eve
Trent
Bob

Stateful firewall
PIX/ASA
Author: Prof Bill Buchanan
TypesIncResponse
Some data breaches

Stateful firewall
PIX/ASA
IncidentResponse
Incident Taxonomy

Stateful firewall
PIX/ASA

Stateful firewall
PIX/ASA
IncidentResponse
Data Sources/Timeline

Stateful firewall
PIX/ASA
IncidentsIntroduction
Incidents
During IncidentBefore Incident After Incident
Intruder
Intrusion Detection

Stateful firewall
PIX/ASA
DatastatesInc.Response
Data in-motion, data in-use and data at-rest
Intrusion
Detection
System
Intrusion
Detection
System
Firewall
Internet
Switch
Router
Proxy
server
Email
server
Web
server
DMZ
FTP
server
Firewall
Domain name
server
Database
server
Bob
Alice
Eve
Data in-
motion
Data at-
rest
Data in-
use Data at-
rest

Stateful firewall
PIX/ASA
IncidentsIntroduction
Incidents
During IncidentBefore Incident After Incident
Timeline
Data At Rest
Data In-Motion
Data In-Process
Files, Directories, File Rights,
Domain Rights, etc.
File changes, File CRUD
(Create, Delete, Update,
Delete), Thumbprints
Network packet logs, Web
logs, Security logs
Network scanners, Intrusion
Detection Systems, Firewall
logs, etc
Processes, Threads, Memory,
etc.
Security Log, Application Log,
Registry, Domain Rights.
Intruder

Stateful firewall
PIX/ASA
IntroductionIncResponse
Four Vs of Big Data
Intrusion
Detection
System
Firewall
Router
Proxy
server
Email
server
Web
server
FTP
server
Switch
Alice
Management report
Sales analysis
Targeted marketing
Trending/Correlation
V- Volume
[Scale of data]
V- Variety
[Different forms of
data]
V- Velocity
[Speed of data generation]
V- Veracity
[Trustworthiness]
Incident Response
Eve
Bob

Stateful firewall
PIX/ASA
Data Capture
Web
server
IT Ops
Nagios.
NetApp.
Cisco UCS.
Apache.
IIS.
Web Services
Firewall
Router
Proxy
server
Email
server
FTP
server
Switch
Eve
Bob
Microsoft
Infrastructure
Active Directory.
Exchange.
SharePoint.
Structured Data
CSV.
JSON.
XML.
Database Sys
Oracle.
My SQL.
Microsoft SQL.
Network/Security
Syslog/SNMP.
Cisco NetFlow.
Snort.
Intrusion
Detection
System
Alice
Cloud
AWS Cloudtrail.
Amazon S3.
Azure.
Application Serv
Weblogic.
WebSphere.
Tomcat

Stateful firewall
PIX/ASA
Investigation sources
Web
server
Firewall
Router
Proxy
server
Email
server
FTP
server
Bob
Eve
Internal systems
Cloud service providers
Communication service
providers
Trusted partners

Stateful firewall
PIX/ASA
Basic timeline
Eve
Cloud service providers
Communication service
providers
Web services
Phone
call
Wifi
connect
Tweet
Facebook
post
Email
send
Web page
access
Web log
Call record
Location
record
Corporate login
Web/Domain
Log
Device
switch-on
Logs/Email
Time line
Device logs
System Log Internet cache

Stateful firewall
PIX/ASA
Eve
Eve
Logs/alerts
Bob
SIEM Package (Splunk)
News feeds
Security alerts

Stateful firewall
PIX/ASA
IncidentResponse
Patterns of Intrusion

Stateful firewall
PIX/ASA
TypesIncResponse
Typical pattern of intrusion …
Outside
reconnaissance
Inside
reconnaissance
Exploit
FootholdProfit
Intruder gains public information
about the systems, such as DNS and
IP information
Intruder gains more specific
information such as subnet layout, and
networked devices.
Intruder finds a
weakness, such as
cracking a password,
breaching
a firewall, and so on.
Once into the system, the
intruder can then advance
up the privilege levels,
Data stealing, system
damage,
user abuse, and so on.
From code yellow to code
red ...
Intrusion
Detection
Intrusion
Detection
Intrusion
Detection
Intrusion
Detection
Eve
Bob
Intrusion
Detection

Stateful firewall
PIX/ASA
TypesIncResponse
Cyber Kill Chain ®
From code yellow to
code red ...
Eve
Reconnaissance Weaponization
Preparation (hrs to mons)
Delivery
Explotation
Installation
Intrusion
(minutes)
Command and
Control
Action on
Objective
Bob
Active Breach (months)

Stateful firewall
PIX/ASA
IncidentResponse
Risk Analysis

Stateful firewall
PIX/ASA
RiskanalysisIntroduction
Risk analysis (Cost/likelihood)
Highly Likely, Low Cost
- Worth mitigating against
High Likelihood, High
Cost
- Maybe worth mitigating
against.
Low Likelihood, Low
Cost
- Maybe worth mitigating
against.
Low Likelihood, High
Cost
- Probably not worth
mitigating against
Cost
Likelihood
High
cost
Low
cost
High
likelihood
Low
likelihood
Intruder

Stateful firewall
PIX/ASA
IncidentResponse
Risk Management

Stateful firewall
PIX/ASA
IncidentResponse
Some Threats

Stateful firewall
PIX/ASA
Risk 2: Rogue SSID/Gateway
Free Moonbucks Wireless
Moonbucks Wireless
Rogue Gateway
Internet Gateway

Stateful firewall
PIX/ASA
Risk 3: Lack of Separation
Business Life
Home Life
Corporate Firewall

Stateful firewall
PIX/ASA
Risk 4: One Password Fits All
150 million accounts
compromised
# Count Ciphertext Plaintext
--------------------------------------------------------------
1. 1911938 EQ7fIpT7i/Q= 123456
2. 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789
3. 345834 L8qbAD3jl3jioxG6CatHBw== password
4. 211659 BB4e6X+b2xLioxG6CatHBw== adobe123
5. 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678
6. 130832 5djv7ZCI2ws= qwerty
7. 124253 dQi0asWPYvQ= 1234567
8. 113884 7LqYzKVeq8I= 111111
9. 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop
10. 82694 e6MPXQ5G6a8= 123123
1 million accounts – in
plain text. 77 million
compromised
47 million accounts
200,000 client accounts
Dropbox
compromised 2013
One account hack … leads to others
6.5 million accounts
(June 2013)

Stateful firewall
PIX/ASA
Risk 4: One Password Fits All
150 million accounts
compromised
# Count Ciphertext Plaintext
--------------------------------------------------------------
1. 1911938 EQ7fIpT7i/Q= 123456
2. 446162 j9p+HwtWWT86aMjgZFLzYg== 123456789
3. 345834 L8qbAD3jl3jioxG6CatHBw== password
4. 211659 BB4e6X+b2xLioxG6CatHBw== adobe123
5. 201580 j9p+HwtWWT/ioxG6CatHBw== 12345678
6. 130832 5djv7ZCI2ws= qwerty
7. 124253 dQi0asWPYvQ= 1234567
8. 113884 7LqYzKVeq8I= 111111
9. 83411 PMDTbP0LZxu03SwrFUvYGA== photoshop
10. 82694 e6MPXQ5G6a8= 123123
Two-factor everything in
the Cloud

Stateful firewall
PIX/ASA
Risk 5: Device Poisoning
Gateway
(192.168.0.1)
Who has this IP
address (192.168.0.1)?
Here is my MAC
address
(11:22:33:44:55:66)
Eve
Here is my MAC
address
(22:33:44:55:66)DHCP Request ...
Eve
1 0.000000 0.0.0.0 255.255.255.255 DHCP 314 DHCP Discover - Transaction ID 0x3d1d
Frame 1: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits)
Ethernet II, Src: Grandstr_01:fc:42 (00:0b:82:01:fc:42), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
2 0.000295 192.168.0.1 192.168.0.10 DHCP 342 DHCP Offer - Transaction ID 0x3d1d
Ethernet II, Src: DellComp_ad:f1:9b (00:08:74:ad:f1:9b), Dst: Grandstr_01:fc:42 (00:0b:82:01:fc:42)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
3 0.070031 0.0.0.0 255.255.255.255 DHCP 314 DHCP Request - Transaction ID 0x3d1e
Ethernet II, Src: Grandstr_01:fc:42 (00:0b:82:01:fc:42), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
4 0.070345 192.168.0.1 192.168.0.10 DHCP 342 DHCP ACK - Transaction ID 0x3d1e
Ethernet II, Src: DellComp_ad:f1:9b (00:08:74:ad:f1:9b), Dst: Grandstr_01:fc:42 (00:0b:82:01:fc:42)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
ARP
Poisoning
DNS
Poisoning
Here is your IP address,
Gateway, and DNS IP

Stateful firewall
PIX/ASA
Risk 6: Unpatched Systems
Eve
CVE-2013-5331
Adobe Flash Player.
Run code on
machine.
CVE-2007-0071
Adobe Flash Player.
Integer overflow
CVE-2013-1723
Java Exploit
CrimeBoss
Phoenix Exploit Kit
http://asecuritysite.com/subjects/chapter14

Stateful firewall
PIX/ASA
IncidentResponse
A Few Fundamentals

Stateful firewall
PIX/ASA
DataFormatsDLP
Hex and Base-64
Bob
Encryption/
Encoding
01000001 01000010
01000011 01000100
‘A’ ‘B’ ‘C’ ‘D’
Byte values
ASCII characters
01011110 00100000
11100110 10101010
5e 20 e6 aa
Hex
XiDmqg==
Base-64
13610163252
^ æª
Octal
ASCII

Stateful firewall
PIX/ASA
DataFormatsDLP
Hex
Bob
0101 1110 0010 0000 1110 0110 1010 1010
5 e 2 0 e 6 a a
Hex
Bit stream
What is 0100111011110001?
Decimal Binary Oct
0 000 0
1 001 1
2 010 2
3 011 3
4 100 4
5 101 5
6 110 6
7 111 7
Decimal Binary Hex
0 0000 0
1 0001 1
2 0010 2
3 0011 3
4 0100 4
5 0101 5
6 0110 6
7 0111 7
8 1000 8
9 1001 9
10 1010 A
11 1011 B
12 1100 C
13 1101 D
14 1110 E
15 1111 F

Stateful firewall
PIX/ASA
DataFormatsDLP
Base-64
Bob
010111 100010 000011 100110 101010 100000
X I D m q g = = Base-64
Bit stream
0101 1110 0010 0000 1110 0110 1010 1010
010111 100010 000011 100110 101010 100000 = =
24-bit width
Val Enc Val Enc Val Enc Val Enc
0 A 16 Q 32 g 48 w
1 B 17 R 33 h 49 x
2 C 18 S 34 i 50 y
3 D 19 T 35 j 51 z
4 E 20 U 36 k 52 0
5 F 21 V 37 l 53 1
6 G 22 W 38 m 54 2
7 H 23 X 39 n 55 3
8 I 24 Y 40 o 56 4
9 J 25 Z 41 p 57 5
10 K 26 a 42 q 58 6
11 L 27 b 43 r 59 7
12 M 28 c 44 s 60 8
13 N 29 d 45 t 61 9
14 O 30 e 46 u 62 +
15 P 31 f 47 v 63 /
abc 24 bits (4*6) YWJj
abcd 32 bits (5*6) + (2+4) + 12 bits YWJjZA==
abcde 40 bits (8*6) + (2+4) + 4 bits YWJjZGU=

Stateful firewall
PIX/ASA
DataFormatsDLP
MD5
hello
5D41402ABC4B2A76B9719D911017C592MD5
128 bits (32 hex characters)
AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434DSHA-1
160 bits (40 hex characters)
SHA-256 SHA-384 SHA-512
$ cat hello.txt
Hello
$ openssl md5 hello.txt
MD5(c:hello.txt)=
5d41402abc4b2a76b9719d911017c592
$ echo -n "hello" | openssl md5
(stdin)= 5d41402abc4b2a76b9719d911017c592

Stateful firewall
PIX/ASA
[ character_group ]
Matches any single character in character_group. By default, the match is case-sensitive.
DataFormatsDLP
RegEx
[ character_group ] Match any single character in character_group Example: gr[ae]y – gray, grey
[ ^character_group ] Match any single character in character_group Example: gr[^ae]y – grby, grcy
[a-z] Character range Example a, b, c … z
{n} Matches previous character repeated n times
a{n,m} Matches between n and m or a
d Matches a digit
. Single character
(a | b) Matches a or b
a? Zero or one match of a
a* Zero or more match of a
a+ One or more match of a
$ Match at the end
Escape: s (space)
Telephone: d{3}[-.]?d{3}[-.]?d{4}
Email: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]
444.444.2312
test@home.com
Master: 5d{3}(s|-)?d{4}(s|-)?d{4}(s|-)?d{4}
Am Ex: 3d{3}(s|-)?d{6}(s|-)?d{5}
Visa: 4d{3}(s|-)?d{4}(s|-)?d{4}(s|-)?d{4}
5555-1234-3456-4312
Year: [0-9]{4}
IP: [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}
1.2.3.4
1961

Incident response: Introduction

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (15)

More from Napier University

More from Napier University (20)

Recently uploaded

Recently uploaded (20)

Incident response: Introduction