IINS 210-260

Testing tools, Incident Response, Crime Investigation

There is a wide variety of tools we can use for security testing across the development life cycle. Testing happens in the acquisition and development phase, and it continues as an ongoing activity in the operations and maintenance phase. Network scanners such as Nessus and Nmap, and many others, look for vulnerabilities: missing service packs, unpatched machines, and out-of-date antivirus and antispyware. Password cracking tools let us assess the strength of our own passwords. We can review logs: syslog messages, firewall and intrusion detection system logs, and application logs. There are integrity checking tools, and of course virus detection and prevention, which we already mentioned. We can run war dialers against our dial-up and IP telephony and war driving against our wireless networks, and there is a wide variety of penetration testing tools. Let's take a look at some common testing tools.

Nmap is very popular; it runs on almost any Linux or Unix based operating system, and there are graphical front ends as well. It does port scans and host discovery, ping sweeps for example. It can also do stealth port scans: rather than completing the TCP three-way handshake, a SYN scan sends only the SYN and resets the connection as soon as the SYN/ACK comes back, and FIN, NULL and Xmas scans set unusual flag combinations, so the probes are less likely to be logged by the target service or to raise a red flag on the target system. UDP scans are supported too. Nmap also does operating system identification, but it does so actively: it sends crafted TCP/IP probes (including a normal handshake to an open port) and matches details of the replies, such as initial TTL, window size and TCP options, against its fingerprint database.
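To make the difference between a full connect() scan and the SYN "stealth" scan concrete, here is an added example, not part of the original lesson and not Nmap's own code. It implements the connect() scan that `nmap -sT` performs (the SYN variant needs raw sockets and root, so it is only described in the comments). It starts its own throwaway listener on 127.0.0.1 so it runs offline; the port numbers come from the OS and stand in for real services, which is an assumption of the demo.

```python
"""TCP connect() port scan, the same thing `nmap -sT` does.

Added example for this lesson; it is not Nmap code and not from the
original page. It starts its own throwaway listener on 127.0.0.1 so it
runs offline; the port numbers come from the OS and stand in for real
services (an assumption of the demo).
"""
import errno
import socket
from contextlib import closing


def start_listener(host="127.0.0.1"):
    """Bind a TCP socket to an ephemeral port and return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """Return {port: 'open' | 'closed' | 'filtered'}.

    connect() completes the full three-way handshake, so the target's
    service will normally log the connection. nmap's default -sS (SYN)
    scan is the 'stealth' variant the lesson mentions: it sends only the
    SYN and answers the SYN/ACK with a RST, so no connection is ever
    established and nothing reaches the application. That needs raw
    sockets and root, which is why this demo uses connect() instead.
    """
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                err = s.connect_ex((host, port))
            except socket.timeout:
                err = errno.ETIMEDOUT
            if err == 0:
                results[port] = "open"        # SYN/ACK came back, handshake completed
            elif err == errno.ECONNREFUSED:
                results[port] = "closed"      # host answered with RST: nothing listening
            else:
                results[port] = "filtered"    # no answer at all: usually a firewall dropping the probe
    return results


def demo():
    """Scan one open and one closed local port and return the findings."""
    srv, open_port = start_listener()
    probe, closed_port = start_listener()
    probe.close()                 # port freed again, so a connect should get a RST
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    for port, state in demo()["results"].items():
        print(f"{port}/tcp {state}")
```

The three outcomes map directly onto what Nmap reports: a completed handshake is "open", a RST is "closed", and silence is "filtered", which is the signature of a firewall dropping the probe rather than a host rejecting it.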

There is also GFI LANguard, a very popular network security scanner, and Nessus is also widely used for vulnerability scanning. Tripwire is usually grouped with these but does a different job: it is a file integrity checker that records hashes of system files and alerts when they change, so it catches tampering after the fact rather than finding a missing patch before an attack.

Metasploit is an entire framework that runs on Windows or Linux and bundles a large collection of exploit modules, payloads and auxiliary tools. You can also build your own modules; it's very popular. It's also included in a lot of distributions, BackTrack Linux for example, which is a purpose-built Linux build used by forensic examiners and penetration testers.

There is also SuperScan, which lets you adjust your scanning speed; slowing a scan down is one way to stay under the thresholds that intrusion prevention and detection systems use to recognize a scan, so it can be used to circumvent an IPS or IDS.

So that is only a handful of tools, and there are literally hundreds out there. If you install BackTrack or the SANS SIFT Workstation, among others, you get a plethora of tools that go well beyond just testing.

The incident response phase

Well, since you can never completely eliminate risk, and there is no 100% certainty that you'll avoid every threat and every threat agent, you need to prepare for the inevitable: you will have incidents. You need an incident response team and a well-planned, tested incident response methodology. The capability needs to be fast, relatively simple at the outset, and able to contain the impact of incidents. We want to minimize loss and destruction and limit the scope of the compromise, so that it does not spread from one security domain or security zone into another; when it gets right down to it, that is really the goal of a firewall. We also want to rapidly restore service if an incident causes an outage. So our first step is to deploy an effective intrusion detection and prevention capability, and it has to be framed within the incident response plan, because there are going to be outbreaks.

So you first assess the current and potential business impact of incidents, a business impact analysis, and you implement effective methods for collecting, analyzing and reporting on the data you gather on a regular basis. You also want good communication across the team: the technical team, human resources, legal, forensics, and possibly law enforcement, both local and beyond.

Here we can see a four-phase incident management workflow: phase 1 is preparation, phase 2 is detection and analysis, phase 3 is containment, eradication and recovery, and phase 4 is the post-incident activity.

Incident Management

Preparation covers policies, incident handling procedures, good communication with your team, facilities, and the hardware and software you're going to use, for example your IDS and IPS, along with penetration testing techniques. You want your resources together, financial and human, for incident analysis; that means people who are good at, say, Perl and XML programming so they can analyze web traffic and put together zero-day countermeasures, plus incident mitigation software.

Then of course you have to do your detection and analysis. That's your detection infrastructure, which goes beyond just having intrusion detection systems; you need full defense-in-depth security intelligence. You also want to correlate events across sources with something like Cisco MARS (Monitoring, Analysis and Response System), so that a burst of failed logins and a successful login from the same address a minute later are seen as one incident rather than as unrelated log lines. Then good documentation and prioritization, and a notification process to all the stakeholders, definitely up the chain of command.
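Here is what that kind of cross-event correlation looks like in code, as an added example for this lesson: it is not Cisco MARS and not from the original page. It parses sshd syslog lines and applies two rules, a brute-force rule over a sliding time window and a higher-severity rule that fires when a flagged source then logs in successfully. The log lines, hostnames, users and addresses are constructed for the demo, and the year (which classic syslog omits) is supplied as an assumption.

```python
"""Event correlation over sshd syslog lines: two rules, brute force and
brute force followed by a success.

Added example for this lesson; it is not Cisco MARS and not from the
original page. The log lines below are constructed for the demo; the
hostnames, users and addresses are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines, not a real capture.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:15:03 bastion sshd[2103]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  3 10:15:04 bastion sshd[2105]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar  3 10:15:06 bastion sshd[2107]: Failed password for root from 203.0.113.45 port 51027 ssh2
Mar  3 10:15:08 bastion sshd[2109]: Failed password for root from 203.0.113.45 port 51028 ssh2
Mar  3 10:15:11 bastion sshd[2111]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Mar  3 10:20:00 bastion sshd[2200]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:20:30 bastion sshd[2202]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:21:00 bastion sshd[2210]: Accepted publickey for bob from 192.0.2.10 port 39999 ssh2
Mar  3 10:21:05 bastion CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_events(text, year=2024):
    """Turn raw syslog text into a list of auth event dicts; other lines are skipped.

    Classic syslog has no year, so one is supplied (an assumption of the demo).
    """
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m["ts"])       # collapse the padded day field
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"],
        })
    return events


def correlate(events, threshold=5, window_s=60):
    """Rule 1: >= threshold failures from one IP inside window_s -> brute force.
    Rule 2: an Accepted login from an IP already flagged by rule 1 -> likely compromise.
    No single log line fires on its own; only the pattern across lines does."""
    recent = defaultdict(list)       # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, now = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            recent[ip] = [t for t in recent[ip] if (now - t).total_seconds() <= window_s]
            recent[ip].append(now)
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "rule": "ssh_bruteforce",
                               "ip": ip, "count": len(recent[ip]), "ts": now})
        elif ip in flagged:          # Accepted from a source already seen brute forcing
            alerts.append({"severity": "high", "rule": "bruteforce_then_success",
                           "ip": ip, "user": ev["user"], "ts": now})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_auth_events(SAMPLE_LOG)):
        print(a["ts"], a["severity"].upper(), a["rule"], a["ip"], a.get("user", ""))
```

Run against the sample, the single failure from 198.51.100.7 never fires (one typo is not an attack), while 203.0.113.45 produces a medium alert on its fifth failure and a high alert when the same address then gets "Accepted password for root"; that second alert is the one that should page someone.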

Then you have phase 3, containment, eradication and recovery, where you gather evidence, handle it, and preserve it; that's data forensics. You'll do further device and system hardening, because the bottom line is that unless you make your systems better, you're going to have these incidents again; the recidivism rate is high if you don't take proactive steps to prevent a repeat. You need a disaster recovery plan here, so that you can restore your systems, your databases, your end-user systems and your application servers, and some methodology for notifying external parties and law enforcement.

And then finally, after the incident, you conduct further forensics and investigation, possibly using in-house investigators and forensic staff, possibly bringing in third-party consultants. The collected incident data may be used to identify particular employees and discipline them or release them from their job roles. You retain evidence, you document, and you assess your weaknesses. Then you write up the lessons learned, draw up reports and summaries, and reach conclusions about what you can do to prevent this from happening again. And then you go back to phase 1; this is an iterative process. Forensics is iterative, and so is incident management.

Computer crime investigations

There are three elements to committing a crime: motive, opportunity, and means. As a forensics officer at your organization, or as a contractor, you have to establish all three to prove that a perpetrator, an employee for example, is guilty. Motive is why they did it, so you want to show a motive for the computer crime. In a forensics case you have to maintain the integrity of the data, so you use write blockers and you hash everything, which lets you establish that nothing was changed at any point in time. You want a chain of custody from the minute anyone, law enforcement included, takes possession of an item such as a hard drive. Usually you do not shut the machine down right away; you first capture memory, with something like FTK Imager, and get what's in RAM before you power off, because volatile data is gone the moment the machine shuts down. So let's talk more about collecting evidence in forensics.

There has been a huge trend toward pulling data out of RAM, scraping and analyzing memory before you shut systems down, as opposed to the older method of going straight to imaging hard drives. One reason is that hard drives are so huge now: it takes a long time to image a drive and then hash the image so you can prove it hasn't been modified before you go to court, for example. So dumping memory to disk or to a USB drive with some kind of tool is critical. RAM is a gold mine, because a lot of information resides there that never touches the disk: running processes, open network connections, and often passwords and encryption keys. I think some statistics show that the average system that is not shut down and restarted actually has data in memory from 43 days ago. So there is a lot of information that needs to be gleaned. Beyond doing a drive image and photographing the equipment, we want to do a memory dump as well, with some very well known tools. A couple of things are critical: the forensics officer must not modify the data in any way, which is why we use write blockers so we cannot make changes to the original drive and work only on copies, and we maintain the chain of custody throughout. So good documentation and good timestamps are very important!
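The hashing and chain-of-custody points above are easy to state and easy to get wrong in practice, so here is an added example of the minimal discipline involved; it is not FTK Imager and not from the original lesson. It streams an acquired image through MD5 and SHA-256 from a read-only handle (the software side of the write-blocker idea), appends a custody record with examiner, UTC time, size and hashes, and shows that re-verification fails after a single byte of the image is altered. The "memory image" is a constructed byte pattern written to a temporary directory and the examiner name is invented.

```python
"""Evidence integrity: hash an acquired image, record custody, re-verify later.

Added example for this lesson; it is not FTK Imager and not from the
original page. The 'memory image' is a constructed byte pattern written to
a temporary directory, and the examiner name is invented.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_image(path, chunk_size=1 << 20):
    """Return {'md5': ..., 'sha256': ...} for a file of any size.

    The file is opened read-only and streamed in chunks, so a multi-terabyte
    image never has to fit in memory and the examiner's tooling never holds a
    writable handle to the evidence (the software side of a write blocker;
    the hardware blocker is still what stops the OS itself from touching
    the original drive).
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_custody(image_path, examiner, action):
    """Append one chain-of-custody entry (who, when in UTC, what, size, hashes)."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "size": os.path.getsize(image_path),
        **hash_image(image_path),
    }
    with open(image_path + ".custody.jsonl", "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify(image_path):
    """Re-hash the image and compare with the acquisition entry (the first line)."""
    with open(image_path + ".custody.jsonl") as log:
        acquired = json.loads(log.readline())
    current = hash_image(image_path)
    return current["sha256"] == acquired["sha256"] and current["md5"] == acquired["md5"]


def demo():
    """Acquire, verify, then flip one byte and verify again."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "memdump.raw")
    with open(image, "wb") as f:
        f.write(b"CONSTRUCTED MEMORY IMAGE " * 4096)   # stands in for a RAM capture
    record_custody(image, "examiner-1 (invented)", "acquired memory image")
    intact = verify(image)
    with open(image, "r+b") as f:                        # what happens without a write blocker
        f.seek(17)
        f.write(b"\x00")
    record_custody(image, "examiner-1 (invented)", "re-hashed after suspected modification")
    return {"intact_before": intact, "intact_after_one_byte_changed": verify(image)}


if __name__ == "__main__":
    print(demo())
```

Two hashes are recorded because opposing counsel may challenge one algorithm; a mismatch on either is enough to question the copy. Every custody line is appended rather than overwritten, so the record itself shows who handled the image and when, which is the documentation and timestamping the paragraph above calls for.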

Law enforcement and liability

You know, as I go through this information in this lesson, it reminds me of a kind of CISSP Lite. There are a lot of similarities with the CISSP exam, on a much smaller scale. For example, this legal information: three types of law, criminal law, civil law, and administrative law.

Criminal law, of course, deals with crimes. The penalties are usually a fine, imprisonment, or both.

Civil law is basically about correcting a wrong: compensation for damages, or infringement on a patent, for example. The remedy can be monetary, which is usually compensation, or an order such as a cease and desist. If money is awarded, it goes to the party that wins the lawsuit. In a civil lawsuit, imprisonment is not possible.

Administrative law involves government agencies enforcing regulations, for example HIPAA or Sarbanes-Oxley. A company might owe its employees vacation pay, and an administrative court would force the company to pay. A lot of the time this comes out of arbitration. In these cases, monetary awards are often split between the government agency and the wronged victim. There is also ethics, and there are several sources for it: the Computer Ethics Institute, the Internet Architecture Board (IAB), the Generally Accepted System Security Principles (GASSP), and, as I mentioned with CISSP, that organization, (ISC)², has its own code of ethics.

A couple of terms that tie to liability are due diligence and due care. Due diligence means putting the protections in place: a firewall, application layer gateways and content filtering, vulnerability analysis and penetration testing, virtual private networks, and best practices for continuous risk assessment and vulnerability testing. Due care means that in the operation and maintenance of those security mechanisms you take the proper steps, the proper care, to make sure your due diligence actually holds up. So a best effort to keep due diligence in place is what due care consists of.