Andy Malone MVP, MCT CEO / Trainer / Consultant Quality Training (Scotland) Ltd & Dive Deeper Technology Events EMEA Session Code: SIA318
The Disclaimer!
In attending this session you agree that any software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk. Microsoft Corporation, Quality Training (Scotland) Ltd, Dive Deeper Technology Events EMEA & the other 3rd party vendors whose software is demonstrated as part of this session are not responsible for any subsequent loss or damage whatsoever... You have been warned!

Session Overview
• Introductions
• Identifying the Dark Arts
• Risk Management - Costs Vs Benefits
• Incident Response: Defining & Resolving Incidents
• Computer Forensics: How it Works, The Tools
• Anti Forensics Tools – Hiding your Tracks!
• Conclusions & Q&A

Question... What's your Price?

The Dark Arts – Include but not Limited to:
• Technology Based: Hacking, Spamming, Etc
• Physical Intrusion
• Hijacking
• Spying
• Theft
• Industrial Espionage
• Identity Theft
• Malicious Employees
• Stupidity
• Temptation

The old Excuse is no Excuse!
• It will never happen to me!
• I forget "why" we do it this way.
• "It's the way we've always done it."
• It's standard practice throughout the company.
• Costs too much money!
• Too much training is required.
• We simply don't have enough resources.

LEARN TO LOOK FOR WEAKNESS...

It's Good to Share! But not Too Much!

Do you Have Assets Worth Stealing?
• Database
• Plans / Blueprints / Designs
• Formula
• Software / Program
• Drug / Medicine
• Technology: Car, Cell Phone, Computer etc
• A Person!
• Etc

How a Bad Guy Selects a Target!
• Person
• Resource
• Company
• Government

Target Selection – A Person
• Predator
• For Financial Gain
• For Political Gain
• Invasion of Privacy
• Cyberbullying
• Revenge
• Identity Fraud – Impersonation
• Espionage
• Coercion

Target Selection – Company (Business)
• Trade Secrets
• Competitor
• Insider Trading
• Product or Service
• Secret Formula
• Hostile Takeover
• Spread Malicious Rumours
• Industrial Espionage
• Force Share Price Fall

Target Selection – Government
• Military Coup
• Political Corruption
• Bribery
• Country Destabilisation
• Vote Manipulation
• Cyber Warfare: Estonia Vs Russia, India Vs China

"In order to defend, one must first learn how to attack." (Andy Malone)

INCIDENT RESPONSE

Learning to Defend: Form an Incident Response Team

Defining an Incident:
• System outages
• Power outages
• Natural Disaster
• Denial of Service
• Malicious Code
• Network Intrusion
• Child Pornography
• Malware Outbreak (i.e. virus, worms)
• Acceptable Usage Policy / Malpractice

The CIA Triad
• Confidentiality: Protecting information from unauthorized disclosure
• Integrity: Ensuring data is unchanged and trustworthy
• Availability: Ensuring access to data and resources

Defining Incident Impact
• Compromise: violation of Confidentiality
• Destruction: violation of Integrity
• Denial: violation of Availability

Preparation: Strategy!
• Preparation is the most important phase of Incident Response
• Proper preparation will ensure that the organization can respond properly
• Without it, potential evidence for civil or criminal cases may be lost

Preparation: Legal
• Obtain advice from a lawyer to determine your rights as an organization.
• Require all system users to sign acceptable usage agreements.
• Implement legally binding click-through log-in banners.

Preparation: Training
• Establish trust between systems administrators and end users.
• Train everyone on basic security concepts.
• Ensure everyone knows their role in Incident Response.
• Role play disaster scenarios.

Threat Identification Example: Understand File Signatures!
Every File Type has a Unique File Signature
• A Skilled Security Professional can detect changes to a file's content or attributes.
• Useful in Forensic Analysis
• Reveals if a File has been Encrypted or Changed

Analyzing the File Signatures

File Signature Examples:

Hex signature | Offset | Extension | As text | Description
E3 82 85 96 | 0 | PWL | ã... | Windows password file
EC A5 C1 00 | 512 bytes | DOC | ì¥Á. | Word document subheader (MS Office)
ED AB EE DB | 0 | | í"îÛ | (no extension or description given on the slide)
FD FF FF FF 04 | 512 bytes | SUO | ýÿÿÿ. | Visual Studio Solution User Options subheader (MS Office)
FD FF FF FF nn 00 00 00 | 512 bytes | PPT | ýÿÿÿ.... | PowerPoint presentation subheader (MS Office) (nn has been seen with values 0x0E, 0x1C and 0x43)
FD FF FF FF nn 02 | 512 bytes | XLS | ýÿÿÿ.. | Excel spreadsheet subheader (MS Office) (nn = 0x10, 0x22, 0x23, 0x28 or 0x29)
FF D8 FF E1 xx xx 45 78 69 66 00 | 0 | JFIF, JPG | ÿØÿá. | Digital camera JPG using Exchangeable Image File Format (EXIF)
FF Ex FF Fx | 0 | MPEG, MPG, MP3 | ÿ. ÿ. | MPEG audio file frame sync pattern

Analyzing File Signatures

Use Multi-Layer Defence Strategies
• Network Traffic Encryption, i.e. IPSec, SSL, SSTP
• Intrusion Detection System
• Intrusion Prevention System
• Anti Virus / Anti Malware Protection
• Biometrics, Smart Cards, Strong Passphrase
• Physical Security & Social Networking Security

Which Tools to Use! Intrusion Detection System (IDS) Vs Intrusion Prevention System (IPS)

IDS Origins
• Originally built for US Government use to protect against malicious employees. Then integrated into the Security industry.
• Listens to all types of protocols: TCP, UDP, RIP, ICMP, Routable protocols.
• IDS first installs in learning mode. Observed behaviour creates a profile.
• Ensure that no attacks are going on while that profile is built, otherwise it could be a disaster.
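As an added example (not from the session deck), the signature check the slide describes: the table above becomes a small lookup, the 512-byte Office subheaders are handled by offset, and a file whose extension promises one signature but whose bytes carry another (or none at all, as with an encrypted file) is flagged. The sample byte strings are constructed, not real files; the OLE2 header used to pad the Office samples is not on the slide.

```python
import os

# Signature table from the slide: (description, offset, pattern); None is a wildcard
# byte ("nn"/"xx"). Longer patterns are tried first so specific subheaders win.
SIGNATURES = sorted([
    ("JPEG (EXIF)", 0, [0xFF, 0xD8, 0xFF, 0xE1, None, None, 0x45, 0x78, 0x69, 0x66, 0x00]),
    ("Windows password file (PWL)", 0, [0xE3, 0x82, 0x85, 0x96]),
    ("Word document subheader", 512, [0xEC, 0xA5, 0xC1, 0x00]),
    ("Excel spreadsheet subheader", 512, [0xFD, 0xFF, 0xFF, 0xFF, None, 0x02]),
    ("PowerPoint presentation subheader", 512, [0xFD, 0xFF, 0xFF, 0xFF, None, 0x00, 0x00, 0x00]),
    ("Visual Studio SUO subheader", 512, [0xFD, 0xFF, 0xFF, 0xFF, 0x04]),
], key=lambda sig: -len(sig[2]))

# What each extension should look like inside; extensions not listed are not judged.
EXPECTED = {".jpg": "JPEG (EXIF)", ".jpeg": "JPEG (EXIF)", ".pwl": "Windows password file (PWL)",
            ".doc": "Word document subheader", ".xls": "Excel spreadsheet subheader",
            ".ppt": "PowerPoint presentation subheader", ".suo": "Visual Studio SUO subheader"}

def matches(data, offset, pattern):
    """True if data carries pattern at offset (a None in pattern matches any byte)."""
    if len(data) < offset + len(pattern):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def identify(data):
    """Return the description of the first signature the bytes match, or None."""
    for desc, offset, pattern in SIGNATURES:
        if matches(data, offset, pattern):
            return desc
    return None

def check_file(name, data):
    """Compare what the name claims with what the bytes say; no match on a known extension = changed/encrypted."""
    expected = EXPECTED.get(os.path.splitext(name)[1].lower())
    found = identify(data)
    return {"name": name, "expected": expected, "found": found,
            "mismatch": expected is not None and found != expected}

# Constructed samples (not real files). Real .doc/.xls start with the OLE2 header; the subheader sits at byte 512.
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DOC_SAMPLE = OLE_HEADER.ljust(512, b"\x00") + b"\xec\xa5\xc1\x00" + bytes(64)
XLS_SAMPLE = OLE_HEADER.ljust(512, b"\x00") + b"\xfd\xff\xff\xff\x22\x02" + bytes(64)
JPEG_SAMPLE = b"\xff\xd8\xff\xe1\x12\x34Exif\x00\x00" + bytes(64)
CIPHERTEXT_SAMPLE = bytes(range(256)) * 3   # no signature anywhere, like an encrypted file

if __name__ == "__main__":
    for name, data in [("minutes.doc", DOC_SAMPLE), ("minutes.doc", JPEG_SAMPLE),
                       ("budget.xls", XLS_SAMPLE), ("budget.xls", CIPHERTEXT_SAMPLE)]:
        print(check_file(name, data))
```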
Intrusion Detection System (IDS)

Intrusion Detection Systems Architecture
• Signature Based Analysis
• Behavioural Based Analysis

Intrusion Detection System Implementation
• HIDS (Host Based)
• NIDS (Network Based)

IPS (Intrusion Prevention System)
• Analyzes packets rather than traffic or protocol type.
• Similar to a Firewall but undertakes deeper inspection of packets, headers etc.
• Access control decisions are based on Application content rather than on IP address or ports, as traditional firewalls have done.
• Gartner said that IDS is dead.
• IPS is a preventative and proactive technology whereas IDS is a detective and after-the-fact technology.

Best Solution: Intrusion Detection System (IDS) Vs Intrusion Prevention System (IPS)
Best Advice: Get Both!! Introducing an IPS & IDS to your business.

Honeypot Software
• False systems that lure intruders and gather information on methods and techniques they use to penetrate networks—by purposely becoming victims of their attacks
• Simulate unsecured network services
• Make the forensic process easy for investigators

Honeypot Software
• Commercial: ManTrap, Specter, Smoke Detector, NetFacade
• Open source: BackOfficer Friendly, BigEye, Deception Toolkit, LaBrea Tarpit, Honeyd, Honeynets, User Mode Linux

Honeypots, Ethics, and the Law
• Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host
• A Honeypot does not convince one to attack it; it merely appears to be a vulnerable target
• Doubtful that Honeypots could be used as evidence in court
• The Honeynet Project

The Aftermath: Containment, Eradication, and Recovery
• Schedule an enterprise outage.
• Disconnect from the Internet.
• Wipe systems enterprise wide.
• Re-image all computers with a patched installation.
• Follow Good Backup / Recovery Procedures.
• Change administrator accounts and passwords.
• Create new strong passwords for all users.
• Ensure all Anti-Virus & Anti Malware software is updated.
• Perform a digital hash on all files on your image so you can eliminate known good hashes.
• If Internal attack: Disable the User Account & take appropriate disciplinary action.

Incident Response: Learn from Mistakes!
• Complete a detailed report documenting the incident.
• Continue to monitor for artifact traces.
• Utilize lessons learned and prepare for the next incident.

COMPUTER FORENSICS

Network Forensics:
• Carry out Random Packet Captures
• Full binary packet captures allow replay of attacks
• Can be provided as evidence of a computer crime
• Equivalent to video camera surveillance

What is Forensic Duplication?
• In its simple form it is a method of creating a near perfect duplicate image of a data environment:
• Personal Computers
• Peripherals, i.e. printers, scanners, iPods, etc.
• Entire Networks, i.e. LAN, WAN, Wireless, etc.

How it Works!
• Write Blocker prevents Contamination
• Imaging Victim Systems
• Digital Hashes
• Network Protocol Analysis
• Intrusion Detection
• Volatile Data Collection
• Autopsy

Definitions
• Forensic Duplicate: File that contains every bit of information from the source in a raw bit stream format.
• Qualified Duplicate: Same as above, but allows embedded metadata or certain types of compression.
• Mirror Image: Created from hardware that does a bit-to-bit copy from one hard drive to another.

Reasons for Forensic Duplication
• The examination can destroy evidence inadvertently.
• The original computer system might only be available for capturing.
• Issues with disk and file system metadata such as boot sectors.

Crimes Include:
• Theft of trade secrets
• Fraud
• Extortion
• Industrial espionage
• Possession of pornography
• SPAM investigations
• Virus/Trojan distribution
• Homicide investigations
• Intellectual property breaches
• Unauthorized use of personal information
• Plus many more…

Forensics: Top Tips.
• Get Legal Advice.
• DO NOT begin by exploring files on the system randomly.
• Establish an evidence custodian: start a detailed journal recording the date, the time and the information discovered.
• If possible, designate suspected equipment as "off-limits" to normal activity. This includes backups, remotely or locally scheduled house-keeping, and configuration changes.
• Collect email, DNS, and other network service logs.

The Tools: Forensics Toolkits ($12.995)
Cell Phone Forensics Toolkits
Forensics Software: EnCase
Forensics Software: Unshredder
Forensics Software: Helix

Helix
• Customized Knoppix disk that is forensically safe
• Includes improved versions of 'dd'
• Terminal windows log everything for good documentation
• Includes Sleuthkit, Autopsy, chkrootkit, and others
• Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools

Forensics Tools: MDD
mdd -o OUTPUTFILENAME

Example:
  C:\tools\mdd> mdd -o memory.dd
  -> mdd
  -> ManTech Physical Memory Dump Utility
     Copyright (C) 2008 ManTech Security & Mission Assurance
  -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
     This is free software, and you are welcome to redistribute it under certain conditions; use option `-c' for details.
  -> Dumping 255.48 MB of physical memory to file 'memory.dd'.
     65404 map operations succeeded (1.00)
     0 map operations failed
     took 21 seconds to write
     MD5 is: a48986bb0558498684414e9399ca19fc

Disk Cloning!

Digital Forensics: Anti Forensic Methods / Tools
• Steganography Vs steganalysis
• Alternate Data Streams (ADS)
• Secure Deletion Tools
• In Private Internet Browsing
• Encryption Products: Bitlocker, True Crypt, CrossCrypt, FreeOTFE etc

Alternate Data Streams
• The ability to hide data behind a file, such as text, graphics or executable code (Games, Trojans, etc).
• NTFS Streams are only visible to specialized software.
• Public awareness of NTFS streams is very low.
• Streams can attach themselves to directories as well as files.
• Disk space used by Streams is not reported by programs such as Windows Explorer or commands such as 'DIR'.
• Streams can be executed.
• Executed streams do not have their filenames displayed correctly in Windows Task Manager.

Alternate Data Stream Example
  c:\> type c:\winnt\notepad.exe > hello.txt:np.exe
  c:\> type c:\winnt\system32\sol.exe > hello.txt:sol2.exe
Similarly, image files, audio files, or any other stream of data can be hidden in ADSs.

Sysinternals: Streams
Windows 7 & Server 2008 R2: dir /r in Windows 7 & Vista will reveal an ADS

Hiding Data: ADS – Secure deletion – Encryption

Beware: The Inside Man!
• Job openings are an ideal vehicle for industrial espionage
• Bypass firewalls
• Assumed Trust
• Access to sensitive Materials
• Prevention is difficult
• Disgruntled employees are perfect! Easily recruited by bad guys.

10 IT Nuggets to Protect Your Business!
1. Form an Incident Response Team
2. Conduct a Risk Analysis
3. Establish Clear Internal & External Access Control Guidelines
4. Administrator Responsibilities
5. Establish Clear Audit Trails & Monitoring
6. Secure Workstations / Laptops / Software etc: Remote Access, Encryption.
7. Network Security: Firewalls, IDS, IPS Etc
8. Ensure Patching & Backups are up to Date
9. Anti Virus & Anti Spyware
10. Establish Clear Remote Access Guidelines

Top 10 Non IT Nuggets to Protect Your Business!
1. Secure Physical Access to Sites
2. Monitor Visitors On-Site: Badges etc
3. Human Resources: Adopt & Follow Clear Guidelines!
4. Always Follow up on Job Applications, References, Skills etc.
5. Ensure you adopt a Security Awareness Programme
6. Have an Acceptable Usage Policy
7. Social Engineering: Be Aware of the Dangers
8. Security Implementation: Timings etc
9. Audit... Audit & Audit!!!!
10. Ensure Contractors are Insured!!

Most Important: Make your solution Workable! Here are the draft guidelines on improving security!
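Back to the Alternate Data Streams slides: since Explorer and a plain DIR never show a stream, the defender's check is to walk `dir /r` output and flag named streams that do not belong on a document. This is an added example, not the deck's own tooling; the `dir /r` listing is a constructed sample mirroring the slide's hello.txt, and the Zone.Identifier stream (the one Windows itself adds to downloaded files) is treated as benign on my assumption, not the slide's.

```python
import re

# A stream line printed by "dir /r": a size column followed by file:stream:$DATA,
# with no date/time in front of it (the parent file's own line has the date).
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+):([^:]+):\$DATA\s*$")

# Assumed allowlist: Zone.Identifier is the stream Windows writes on downloaded files.
BENIGN_STREAMS = {"Zone.Identifier"}
EXECUTABLE_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")

def find_streams(dir_output):
    """Return every named stream in dir /r output as {file, stream, size}."""
    streams = []
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append({"file": m.group(2).strip(), "stream": m.group(3), "size": size})
    return streams

def suspicious_streams(streams):
    """Flag streams that are not known-benign, noting executable names separately."""
    flagged = []
    for s in streams:
        if s["stream"] in BENIGN_STREAMS:
            continue
        reason = ("executable stream name" if s["stream"].lower().endswith(EXECUTABLE_EXT)
                  else "unexpected named stream")
        flagged.append(dict(s, reason=reason))
    return flagged

# Constructed sample of "dir /r" output (not a real capture): notepad.exe and sol.exe
# hidden behind hello.txt as on the slide, plus a harmless Zone.Identifier stream.
SAMPLE_DIR_R = """\
 Directory of C:\\share

12/03/2009  09:15    <DIR>          .
12/03/2009  09:15    <DIR>          ..
12/03/2009  09:16                 6 hello.txt
                              69,120 hello.txt:np.exe:$DATA
                           1,028,096 hello.txt:sol2.exe:$DATA
12/03/2009  09:17                21 readme.txt
                                  26 readme.txt:Zone.Identifier:$DATA
               2 File(s)      1,097,269 bytes
"""

if __name__ == "__main__":
    for s in suspicious_streams(find_streams(SAMPLE_DIR_R)):
        print(f'{s["file"]}:{s["stream"]} ({s["size"]} bytes) - {s["reason"]}')
```

The same parser runs over saved `dir /r /s` output from a whole volume, which is the practical way to review streams across many directories at once.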
Review:
• Introductions
• Identifying the Dark Arts
• Risk Management - Costs Vs Benefits
• Incident Response: Defining & Resolving Incidents
• Computer Forensics: How it Works, The Tools
• Anti Forensics Tools – Hiding your Tracks!
• Conclusions & Q&A

Related Content
• SIA308 - Useful Hacker Techniques: Which Part of Hackers' Knowledge Will Help You in Efficient IT Administration?
• SIA313 - Attacking the Windows Stack and How to Protect against These Attacks
• SIA403 - A Deep Dive on the New Microsoft Forefront Threat Management Gateway
• Interactive Session: SIA07 IS Security Assessment Planning and Implementation

Thanks for Attending!
Andy Malone MVP, MCT, CEO / Consultant, Quality Training (Scotland) Ltd & Dive Deeper Technology Events EMEA
[email protected]

Resources
• www.microsoft.com/teched: Sessions On-Demand & Community
• www.microsoft.com/learning: Microsoft Certification & Training Resources
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.