Incident Response

By Kenneth R. van Wyk, Richard Forno



Index



A
access to computer systems, removing or restricting, 52
administration (IRTs), flexibility of, 45
administrative support, IRT, 49
administrator privileges
      gaining in buffer overflow attacks, 82
      setuid exploits, attacks involving, 83
adversarial customer relationships, 65
adversary, defined, 8
advertising IRT services, 58
advisories and threat monitoring, commercial IRTs, 23
alphanumeric messages, pager support for, 140
analog connections, modem
      analog converters, 141
      phone lines for, 141
      wireless communications, using instead of, 142
analysis and documentation process, support needed in tools, 153
analyst, information protection, 48
analyzing
      attacks, 111
      forensic information, 94
            (see also forensics)
      incidents, 10
antivirus software
      distributing over intranet, 20
      Trend Micro products, 159
      vendor web sites, 159
applications
      checksums, forensic data from, 94
      default configuration residue, attacks involving, 89
      design or implementation flaws, exploiting, 79
      detecting unauthorized changes with host-based tools, 133
            Tripwire, 137
      forensic data provided by, 92
      viruses in macro languages, 88
      vulnerabilities, Internet discussion groups, 71
array index, signed integers and, 3
attachments (email)
      network attacks with, 72
      scanning for infection, commercial firewall products, 89
Attacker/Defender Training, U.S. Department of Defense, 78
attackers, 8
attacks
      analysis and visualization, 111
      categories of, 79-90
            buffer overflows, 82
            default configuration residue, 89
            denial of service, 79
            distributed denial of service (DDOS), 81
            email-borne vermin, 88
            implementation flaws, 84
            network sniffers, 84
            race condition attacks, 82
            setuid exploits, 83
            stealthing tools, 87
            Trojan horses and back doors, 86
            tunneling, 85
            viruses and worms, 87
      denial of service, blueprint for mitigating, 71
      detecting, 111
      diagnosing, 111
            with host-based tools, 133
      email bombing program, Windows-based, 72
      event log data, modifying, 92
      IRT reporting on, 18
      known, IDS monitoring for, 120
      network sniffers, 70
      profiles, keeping up with, 72-75
            understanding technology used, 74
      rootkit, using for, 139
      signature definitions, adding with Dragon, 121
audit records, forensic analysis of, 91
authority, incident response programs, 37
automation, incident response, 41
      attack profile information processing, 74
      failures of, 42
awareness of IRT services, promoting, 58
awareness training for employees, offered by internal IRTs, 20

B
back doors
      attacks involving, 86
      detecting with host-based tools, 133
      detecting with network vulnerability scanners, 125
backbone network systems (ISP), network sniffer attacks on, 84
bad guys, 8
basic activities, incident response, 9-11
batch files, writing for incident response tools, 109
Berkeley Unix
      /bin/mail program, race condition attack on, 83
      finger daemon program, buffer overflow attack, 82
beta versions of tools, avoiding, 151
binary executable files, viruses infecting, 88
Bindview, BV-Control, 135
/bin/login program (Unix), Trojan horse attacks on, 86
/bin/mail program, race condition attack on, 83
/bin/sh program, buffer overflow attack involving, 82
Blackbox Network Services, MicroRACK media converter, 132
blackening network monitors, 113, 141
blocking email attachments, problems with, 89
board of directors, role in incident response, 54
bombing tools, email, 72
Bourne shell program (/bin/sh), attack involving, 82
buffer overflow attacks, 82
bugtraq (vendor vulnerability discussion site), 27
      Unix sendmail program vulnerability, 72
business activities, priority over IRT role, 62
business decisions, making during crises, 52
business processes, incidents affecting, 7
business units
      adversarial view of IRTs, 65
      confidentiality, protecting in incident reporting, 38
      incident response programs, adopting own, 36
      involving in incident response, 54
      IRT allegiance to, 20
      IRT incident reporting, problems with, 37
business-like incident response, 8
buy-in for incident response programs
      enlisting support of business units and departments, 35
      entire corporate hierarchy, need for, 39
      executive level, 34
BV-Control host-based scanner, 135

C
Cabletron Systems (Network Security Wizards), Dragon IDS, 121
CAM (Crisis Action Meeting), 101
capabilities, IRT, 46-69
      testing with fire drills, 59-62
Carnegie Mellon CERT/CC, 3, 96
      personnel selection process, 50
case studies, security incidents, 34
CD recorder, using for removable storage, 148
CDPD (Cellular Digital Packet Data) devices, 143
cellular (PCS) carriers, 142
Century Network Tap, 132
CERT/CC (Computer Emergency Response Team Coordination Center), 3
      customer service model, 39
      denial of service attacks, blueprint for mitigating, 71
      establishment of, 96
      founding of, 13
      incident reports, filing with, 101
      incident summaries published by, 44
      personnel selection process, 50
      as public resource team, 17
      (see also IRTs, public resource teams)
certificates (digital), PGP, 145
certifications
      computer crime investigation, 77
      IRT training and, 75
      web sites for programs, 161-162
Certified Information Systems Security Professional (CISSP), 76
chain of command, incident response programs, 37, 38
checklists for incident symptoms, developing, 100
checksums
      forensic data from, 94
      Tiger scanner, checking with, 135
      Tripwire database for, 137
choosegirl.game, Trojan horse program, 86
CIAC (Computer Incident Advisory Capability), 17
CIRT (Computer Incident Response Team), 17
clients, incident response
      identifying, 44
      promoting IRT services to, 58
CMDS IDS, 135
code errors, exploiting in denial of service attacks, 79
collecting
      evidence, 109
            support needed in tools, 153
      symptom data, incident response, 100
commercial IRTs (see IRTs, commercial)
commercial software
      bugs causing incidents, sharing information about, 6
      configuration profile diagnostic tools, 90
      illegal exchange over FTP site, 4
      trouble-ticket tracking database, 57
commercial training, 76
Common Vulnerabilities and Exposures (CVE) standard, 154
communications, incident response, 102, 139-143
      dial-in data retrieval, 141-143
      encrypting data, 143-145
            tools for, 144
      hotline, setting up, 56
      network under investigation, danger of using, 139
      page-back mechanisms, 140
community and professional groups, incident information from, 74
computer crime
      freezing the scene, 93
      investigating, IACIS organization, 77
      jurisdiction, difficulty establishing, 67
      law enforcement and, 53
      legal resources, 163
      U.S. federal laws on, 164
Computer Emergency Response Team Coordination Center (see CERT/CC)
computer forensic training (see forensics)
computer game containing ICMP tunneling network daemon, 86
Computer Incident Advisory Capability (CIAC), 17
Computer Incident Response Team (CIRT), 17
Computer Oracle and Password System (COPS), 134
computer security forensics, 90-95
Computer Security Incident Response Teams (CSIRT), 17
computer viruses (see viruses)
conferences, training, 77
      web site information on, 161-162
confidentiality in incident response, 38
      customers, preserving for, 64
      reporting, discretion in, 106
      stealth in operations, 108
configuration
      default, attacks involving, 89
      detecting changes with Tripwire, 137
      gathering data on affected systems, 100
      network interfaces, stealthing tool attacks using, 87
      system, returning to secure baseline, 10
constituency, incident response, 17, 44
contact lists, maintaining for incident response, 55
containing damage from incidents, 10
convincing management of need for incident response program, 34
coordination, incident response, 26, 101
      coordinator position, 29, 48
      (see also CERT/CC; IRTs)
COPS (Computer Oracle and Password System), 134
core services, IRT, 46
Coroner's Toolkit, 139
corporate politics, incident response programs and, 34
      corporation-wide support, need for, 39
      penetration test as persuasion tool, 35
      presenting your case, 34
corporate web sites, defacement by intruders, 7
cost analysis
      cost effectiveness, incident response, 8
      IRTs, internal vs. commercial, 42
      security incidents, 34
cpager, sending page via modem, 140
crackers, 8
crashes
      operating systems interacting to cause, 2-4
      ping of death attack, Windows NT systems, 79
crime (see computer crime; forensics)
Crisis Action Meeting (CAM), 101
critical events, notification of, 108
critical players, involving in incident response, 51-55
      listing of, 52
cryptography
      countering network sniffer attacks, 71
      encrypting incident response data, 102, 143-145
            tools for, 144
      encrypting network traffic, 85
      tool support needed for, 153
CSIRT (Computer Security Incident Response Teams), 17
customer base (vendor products), informing of vulnerability, 26
customer confidentiality, preserving, 64
customer expectations, meeting, 68
customer service attitude, importance for IRTs, 65
CVE (Common Vulnerabilities and Exposures) standard, 154
Cybercop Scanner, 129

D
daemons
      attack, networks of, 81
      finger, buffer overflow attack on, 82
      telnet, use by attackers, 71, 85
damage control, incident response, 10, 102
data collection, 108
data formats, incident response tools
      Ethereal, support for, 115
      need for common, 154
data remnants (deleted text), storage by word processors, 92
data retrieval
      out-of-band, support needed in tools, 154
      wireless communications, using, 142
data tunneling attacks, 85
      ICMP network daemon in computer game, 86
databases
      checksum, for operating systems and applications (Tripwire), 137
      enterprise systems, forensic data from, 92
      incident tracking, 100
      tracking IRT communications, 57
      vulnerability, ISS Network Scanner, 130
datagram visualization, Sniffer, 113
DDOS (see denial of service attacks, distributed)
DEC (Digital Equipment Corporation) workstations and IBM mainframe interaction causing crashes, 2-4
defacement of web sites, 7
default configuration residue, attacks involving, 89
Defense Advanced Research Projects Agency (DARPA), founding of CERT team, 13
definitions, establishing for incidents, 63
deleted text, storage by word processors, 92
denial of service attacks, 79
      blueprint for mitigating, 71
      distributed (DDOS), 81
            detecting agents with Cybercop scanner, 129
            February 2000, mitigating damage from, 103
      floods/storms, 80
      network infrastructure, attacking, 80
      ping of death, Windows NT computers, 79
deployment logistics support officer, 49
design flaws, exploiting, 79
      race condition attacks and, 83
designs (security), support by internal IRTs, 21
destination and source, incidents, 102
detecting incidents, 10
      intrusion detection system (IDS) architecture, 111
      testing firewalls for, 20
      (see also intrusion detection systems; tools)
diagnosing attacks, 111
      host-based tools, 133
      network sniffers, using for, 3
diagnostic tools
      configuration profile, 90
      stealth, attacks involving, 87
      (see also tools; host-based tools; network-based tools)
dial-in data retrieval, 141-143
digital phone switches for modems, 141
directory access permissions, attacks involving, 89
discussion groups
      incident response, web sites, 159
      state of the hack information, 73
      training, references on, 76
      vendor vulnerabilities, 27
disks, raw data on, 92
      reloading from disk, 114
distributed denial of service (DDOS) attacks (see denial of service attacks, distributed)
distributing incident response policies and procedures, 33
DNS entries, causing errors in (denial of service attacks), 80
documentation, support needed in tools, 153
documenting
      conclusions in forensic process, 95
      evidence-handling procedures, 67, 109
      incidents for law enforcement, 103
      vendor product vulnerability, 25
DoS (see denial of service attacks)
Dragon IDS, 121
      vendor web page, 121
dynamic analysis of affected systems, 91
dynamic password mechanisms, 85

E
eavesdropping programs (see sniffers)
e-commerce sites, attacks on, 18
education phase, incident response, 103
efficiency, incident response, 8
email
      /bin/mail program, race condition attack on, 83
      bombing program, Windows-based, 72
      privacy rights, employee, 68
      tunneling attacks and, 85
      virus scares, effects on systems, 44
email-borne vermin, 88
Emerald IDS, 136
emergency-driven services, IRT, 46
employees
      computer security awareness, training in, 20, 58
      involving in incident response, 51-55
      privacy rights, 67
      selling trade secrets to competitors, 7
      training to recognize incidents, 9, 10
enabling vulnerabilities
      detecting with host-based tools, 134
      detecting with network-based scanners, 126
      (see also vulnerabilities)
encryption (see cryptography)
engineers, information protection, 48
enterprise application systems
      forensic data supplied by, 92
      logging capabilities, 91
equipment custodian, IRT, 48
eradicating system in incident response, 10
/etc/passwd file, Trojan horse attacks on, 86
Ethereal (network protocol analyzer), 114-116
ethernet (wireless), data transfer with, 143
event logs
      attack detection, using for, 111
      forensic analysis of, 91
Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD), 136
events
      incident, notification of, 108
      network, notifying IRT of, 112
evidence
      collection support, needed in tools, 153
      handling, 66
            computer security forensics, 95
            sealing and locking away collected data, 110
      processing, 10
            incident response tool capabilities, 109
Excel documents, macro viruses infecting, 88
executable files
      PC, self-decrypting, 144
      system (vendor-supplied), detecting changes to, 134
      viruses infecting, 88
executives
      incident response, roles in, 52
      persuading to establish incident response programs
            penetration test as persuasion tool, 35
            presenting your case, 34
expertise of technical personnel, commercial IRTs, 23
exposures, standard for (CVE), 154
external hard drives, using for removable storage, 149

F
FBI (Federal Bureau of Investigation)
      financial fraud or theft, investigation of, 53
      InfraGuard program, 74
federal government (see U.S. government)
files
      access permissions, attacks involving, 89
      access/modification data, Unix, 92
financial fraud or theft, USSS investigation of, 53
financial performance data, theft by rival corporation, 7
finger daemon program, buffer overflow attack on, 82
fire drills for incident response, 20
      commercial IRTs, providing, 23
      testing IRT capabilities, 59-62
            live drills, 61
firewalls
      bug, causing security incident, 6
      commercial products scanning email attachments, 89
      testing incident detection and response, 20
      tunneling attacks and, 85
FIRST (Forum of Incident Response and Security Teams), 14, 28, 167-193
      annual conference and technical colloquia, 28
      member teams, contact information, 168-193
      mission statement, 167
      security tools, information on practical experience, 108
      strategic goals, 168
fixes (temporary), restoring operations with, 103
flexibility, incident response tools, 108
floods/storms, denial of service attacks, 80
floppy disks, using for removable storage, 147
fly-away kit, 149-152
      beta versions of tools, avoiding, 151
      tool inventory, 150
      tool vendors, 150
      tools in, 110
forensics, 90-95
      analysis of affected system, level of detail, 91
      computer, training in, 67
      data, types of
            event logs or audit records, 91
            forensic, 92
            hardware, 93
            raw data on disks, 92
      dynamic vs. static analysis of affected systems, 91
      evidence handling, 95
      process, characteristics of, 90
      process, description of, 93-95
            analyzing information, 94
            documenting conclusions, 95
            freezing the scene, 93
            gathering all information, 94
            theorizing and proving hypotheses, 94
formats (data, in response tools), need for common, 154
Forum of Incident Response and Security Teams (see FIRST)
freeware
      configuration profile diagnostic tools, 90
      trouble-ticket tracking databases, 57
freezing the scene, 93
FTP (File Transfer Protocol), illegally exchanging commercial software over, 4
full disclosure of vulnerabilities, 71
full-duplex networks, tapping into, 132
functionality, incident response tools, 108
funding
      incident response teams, 29, 36, 64
      security training seminars, 59

G
games, attacks involving, 86
general counsel (GC)
      evidence handling, consulting on, 67
      role in incident response, 52
Good Times virus hoax, 44
GUIs (graphic user interfaces)
      Ethereal, 115
      frontends to nmap, 128

H
hacker, alternative terms for security violators, 8
hacker tools, released on monthly basis, 72
hard drives (external), using for removable storage, 149
hardware, forensic data supplied by, 93
headers (network), examining with Sniffer, 113
high speed, full-duplex networks, tapping into, 132
history, incident response development, 13
hoaxes
      denial of service attacks and, 80
      Good Times virus hoax, 44
      virus, web site information on, 156
host-based tools, 133-139
      attack diagnosis, 133
      COPS, 134
      detecting malicious code or back doors, 133
      detecting unauthorized changes to system or application, 133
      IDS products, 135
      Tripwire, 137
      vulnerability scanners, 134
hotline, setting up, 56
HTML, attacks involving, 89
human resources (HR)
      involving in incident response, 52
      security training help from IRTs, 59
hybrid function funding, incident response teams, 37
hybrid IRTs, 29-31
hypotheses, developing in forensic process, 94

I
IBM mainframe and DEC workstations, interaction causing crashes, 2-4
ICMP protocol, tunneling attacks and, 85
identifying incidents, 99
IDS (see intrusion detection systems)
image backup (system), forensic analysis of, 94
implementation flaws, attacks involving, 79, 84
"Improvise, Adapt, Overcome", 49
incident data, reviewing and disseminating, 73
incident kits, 149-152
      beta versions of tools, avoiding, 151
      tool inventory, 150
      tool vendors, 150
incident report, 104
      sample report, 194-196
incident response
      automation of functions, 41
      development, history of, 13
      effective, characteristics of, 8-11
            basic activities, 9-11
      improper handling, 5
      Internet sites for information, 155-162
            antivirus products, 159
            commercial IRTs, 157-159
            mailing lists and newsgroups, 159
            public resource IRTs, 156
            security, 155
            training conferences and certification programs, 161-162
            U.S. government resources, 160
      operations (see operations, incident response)
      perfect tools, criteria for, 153-154
      planning (see planning, incident response)
      risk assessment and, 11-13
      U.S. federal laws on, 164
incident scenarios, 23
incidents
      business processes, affecting, 7
      CERT, handling of, 3
      definition and listing of types, 7
      people who cause, 8
      real life, 2-7
            commercial firewall, bug in, 6
            IBM mainframe/DEC workstation interaction problem, 2-4
            pirated software, 4
      and responses, listing of (example), 63
      types of, 43
in.fingerd program, buffer overflow attacks on, 82
information protection
      analyst, 48
      certification in (CISSP), 76
      insurance for, 25
      involving all employees in, 51
      policy, problems with, 68
      senior engineer role (IRTs), 48
information resources, performing risk assessment for, 11-13
information technology (see IT staff)
InfraGuard program, FBI, 74
in-house training, 78
insurance, information protection, 25
integers (signed), avoiding in array indexes, 3
interface support, Ethereal, 115
internal audit group, IRT as part of, 38
International Association of Computer Investigative Specialists (IACIS), 77
International Information Systems Security Certifications Consortium, 76
Internet
      CERT/CC, incident response assistance, 17
      discussion groups (see discussion groups; web sites)
      state of the hack information resources, 73
      worm incident, 1988, 13, 82
            automation failure and, 42
Internet Security Systems (see ISS)
Internet service provider backbone network systems, network sniffer attacks on, 84
Internet sites, incident response information (see web sites)
intranet, distributing antivirus software over, 20
intrusion detection systems (IDS), 111
      configuring to look for specific events, 120
      host-based, CMDS and Emerald, 135
      network-based, 120-124
            Dragon, 121
            Network Flight Recorder (NFR), 123
            RealSecure, 124
      Snort, 117
investigating computer crime, IACIS organization, 77
investigating incidents, 10, 103
      legal aspects, 52
invisibility of network monitors, 113
ipconfig command (Unix), stealthing tool attacks using, 87
IRTs (incident response teams), 15-31
      ad hoc, 27
      adding value, 39
      allegiance to business unit served, 20
      CERT/CC and others, founding of, 14
      commercial, 22-25
            advantages and disadvantages of, 24
            growth of, 42
            services provided by, 22
            strengths and weaknesses, 28
            web site information, 157-159
      confidentiality about incidents, 38
      constituencies served by, 17
      contact lists, maintaining, 55
      event notification by network-based tools, 112
      fire drills, 59-62
      FIRST (Forum of Incident Response and Security Teams), 14, 28, 167-193
      funding and placing, 16, 29, 36-38
      hybrid of four types, 29-31
      internal, 19-22
            advantages of, 21
            disadvantages of, 22
            external vs., 42
            placement of, 19
            services offered by, 20
            strengths and weaknesses, 28
      involving critical players during incidents, 51-55
      issues and pitfalls, 62-69
            adversarial relations with customers, 65
            business activities, priority of, 62
            customer confidentiality, 64
            customer expectations, 68
            evidence handling, 66
            funding and staffing, 64
            policy, 68
            privacy and legal concerns, 67
            statistics, 62-63
      matrix organization, 40, 43
      mission and capabilities, 46-69
      procedures, establishing for, 57
      public resource teams, 17-19
            advantages and disadvantages of, 18
            clients, defining, 44
            services provided by, 17
            summary of strengths and weaknesses, 28
            web sites, 156
      resourcing options, 40
      responsibility and services, 15
      roles and responsibilities, 47-49
      services (see services, IRT)
      summary of types, strengths and weaknesses, 28
      technology, keeping abreast of, 70-95
            attack profiles, maintaining, 72-75
            training, 75-95
            understanding technology, 74
      vendor, 25-27
            coordinating incident response, 26
            Internet discussion groups, product vulnerability, 27
            reliability of, 26
            services, 25
isolating affected systems or networks, 102
ISS (Internet Security Systems)
      Network Scanner, 130
            output (example), 131
      RealSecure IDS, 124
      System Scanner, 135
issues in IRT setup (see IRTs, issues and pitfalls)
IT (information technology) staff
      acting as incident response team, 29
      convincing of need for incident response program, 35
      incident response team, acting as, 36
      role in incident response, 53
      security incidents, causing, 4
      security vs. IT, training in, 75

J
JavaScript programs, use in email attacks, 89
Jaz drives, using for removable storage, 148
job descriptions, IRT, 47
journaling logs (transaction), forensic information in, 92
jurisdiction, computer crimes, 67
Justice Department (U.S.) (see U.S. government)

K
key players, incident response, 52
kit (fly-away) (see fly-away kit)
known attacks, IDS monitoring of, 120

L
law enforcement
      computer crime laws, 163
      documenting incidents for, 103
      evidence handling, consulting on, 67
      evidentiary information, requirements for, 109
      incident investigation, involving in, 10
      incident response planning, involving in, 53
      U.S. federal laws, computer crime and incident response, 164
layers, network, 113
legal advice, incident response, 52
legal concerns, privacy issues, 67
legal evidence (see evidence)
legal resources, computer crime, 163
library, training materials, 77
Linux security (web site), 156
lists of contacts, maintaining for incident response, 55
literature, training, 77
live drills, incident response, 60, 61
logging capabilities, 91
logging responses, 61
login program (/bin/login), Trojan horse attacks on, 86
logistics, incident response, 49
LoveLetter (I-LOVE-YOU) virus, 34, 88

M
macro viruses, 88
mail bombing tools, 72
mailing lists and newsgroups, incident response information, 159
malicious code
      detecting with host-based tools, 133
      detecting with network vulnerability scanners, 125
      self-replicating (viruses and worms), 87
      SMTP packets, 3
      worms, 13
malicious mobile code viruses, 88
management (see executives)
manager, IRT team, 48
marketing IRT services, 58
massively parallel attacks, 81
matrix organization, IRTs, 40
      augmenting with external contractors, 43
measuring incident responses, 61
media inquiries, dealing with, 53
media (network)
      adaptors for network-based tools, 112
      storage, removable, 146-149
            CD recorder, 148
            external hard drives, 149
            floppy disks, 147
            Jaz drive, 148
            Orb drive, 148
            selection criteria, 146
            tape, 149
            ZIP drives, 147
Metricom, Ricochet wireless network, 143
metrics and definitions, establishing for incidents, 63
MicroRACK (media conversion box), 131
Microsoft
      Office products, macro viruses infecting, 88
      Windows (see Windows systems)
      Word, forensic data from documents, 92
mission, IRTs, 46-69
      FIRST, 167
mistakes in IRT setup (see IRTs, issues and pitfalls)
mitigation phase, incident response, 102
modems
      dial-in data retrieval with, 141
      wireless, problems with availability, 142
monitors (network), 112-119
      blackened, retrieving data from, 141
      blackening, 113
Morris, Robert T., Internet worm attack, 13, 82

N
nCode programming language (Network Flight Recorder), 123
Net4 (network protocol analyzer), 119
NetDetector (network protocol analyzer), 119
NetRecon (network vulnerability scanner), 130
Network Associates
      Cybercop Scanner, 129
      Sniffer products, 113
Network Flight Recorder (NFR), 123
      alert screen (example), 123
      queries screen (example), 124
Network General (see Network Associates)
Network Mapper (nmap), 127
Network Operations Center, dispatching IRTs, 56
network security penetration tests, live drills vs., 61
Network Security Wizards (Cabletron Systems), Dragon IDS, 121
network sniffers, 3, 70, 84
network switches, countering sniffers with, 85
network-based tools, 111-133
      Century Network Tap, 132
      intrusion detection systems (IDS), 120-124
            Dragon, 121
            Network Flight Recorder, 123
            RealSecure, 124
      media adaptors for, 112
      MicroRACK media converter, 131
      monitors and protocol analyzers, 112-119
            Ethereal, 114-116
            Net4, 119
            NetDetector, 119
            Sniffer, 113
            Snort, 117
            TCPdump/Review, 116
            TCP.Demux, 118
      vulnerability scanners, 125-130
            Cybercop, 129
            detecting back doors and malicious code, 125
            ISS Network Scanner, 130
            NetRecon, 130
            nmap, 127
            SATAN/SAINT, 126
networks
      data tunneling attacks on, 85
      denial of service attacks on, 80
      distributed denial of service attacks on, 81
      isolating infected portion, 102
      knowledge of, security and, 76
      layering model (OSI), 113
      sockets, encrypting, 145
      storage media, removable, 146-149
            CD recorder, 148
            external hard drives, 149
            floppy disks, 147
            Jaz drives, 148
            Orb drives, 148
            selection criteria, 146
            tape, 149
            ZIP drives, 147
newsgroups, incident response information, 159
NFR (see Network Flight Recorder)
Niksun, NetDetector, 119
nmap (network port scanner), 127
      capabilities, description of, 127
      graphical frontends, KMAP output, 130
      graphical frontends, nmapFE output, 129
      textual output from, 128
nonprofit training conferences, 77
Norton Utilities, 138, 159
notification of critical events, 108
      NetDetector program, 119
      out-of-band, 112
NTBugtraq (vendor vulnerability discussion site), 27

O
objectivity in forensics process, 90
Office applications, macro viruses and, 88
Ohio State University (OSU), Review program, 117
one-off tools, 109
online criminal activity, FBI investigation of, 53
on-site incident coordination, internal IRTs, 20
open source software
      Ethereal protocol analyzer, 114-116
      Review, 117
      Snort, 117
open sources of information, state of the hack, 73
operating procedures, establishing for IRTs, 57
operating systems
      default configuration residue, attacks involving, 89
      knowledge of, security and, 76
      logging capabilities, 91
      modifying with stealthing tools, 87
      raw data on disks, analysis of, 93
      unauthorized changes to, detecting with Tripwire, 137
      unexpected interaction causing crashes, 2-4
      vendor IRTs, 25-27
      vulnerabilities (see vulnerabilities)
operations, incident response, 96-106
      collecting symptom data, 100
      configuration data, gathering for affected systems, 100
      coordination, 101
      database systems, tracking incidents with, 100
      dealing with stress, 104-106
            avoiding assumptions, 105
            being discreet, 106
            understanding roles, 106
            written procedures, following, 104
      process, description of, 98-104
      strategic value of affected information or process, 100
Orb drives, using for removable storage, 148
OSI network layering model, 113
Outlook program, LoveLetter virus, 88
out-of-band data retrieval and page-back, 154
out-of-band notification, network-based tools, 112, 120
overflowing buffers, attacks involving, 82

P
page-backs, 140
      tools, support needed for, 154
pagers
      alerting mechanism, Dragon IDS, 121
      alphanumeric messages, support for, 140
      sending diagnostic information to with IDS, 120
passwords
      Computer Oracle and Password System, 134
      default, attacks involving, 89
      sniffing, 70, 84
      Trojan horse attacks on, 86
patches
      installing before connecting new system, 78
      product vulnerability, including in new/upgraded equipment, 26
payload, viruses and worms, 87
PC Card modems (wireless), 143
peer groups, training offered by, 77
penetration tests
      live drills vs., 61
      as selling point for incident response program, 35
perfect tool collection, criteria for, 153-154
performance evaluations, IRT, 47
Perl scripts, using for incident response tools, 109
permissions for file and directory access, attacks involving, 89
Personal Communications Services (PCS) cellular carriers, 142
PGP (Pretty Good Privacy) encryption package, 145
phone lines for modems, 141
physical security, role in incident response, 52
ping of death attack, 79
pirated software, 4
pitfalls in IRT setup (see IRTs, issues and pitfalls)
PKI (Public Key Infrastructure) encryption products, 145
placing IRTs, 36-38
planning, incident response, 1, 32-45
      establishing program, 32-42
            adding value, 39
            basics, training in, 33
            confidentiality, 38
            corporate politics and buy-in, 34
            distributing how-to policies and procedures, 33
            funding and placing team, 36-38
      incidents, types of, 43
      for instances, 10
      law enforcement, involving in, 53
point-and-click email bombing program, 72
policies
      employee email privacy, 68
      information protection, operational issues vs., 68
      prohibiting use of dial-in or dial-out modems, 142
      security, support by internal IRTs, 21
politics, corporate
      acceptance of incident response program, 39
      IRT funding and, 65
ports (network), nmap scanner, 127
postmortem reviews (see reviewing)
power users, assisting in incident response, 49
practicality of training, 76
precision in forensics process, 90
predictability, incident response, 9
presenting case for incident response program, 34
pressures of incident response operations (see operations, incident response, dealing with stress)
Pretty Good Privacy (PGP) package, 145
preventing incidents, 9
      vendor IRT feedback to development team on vulnerability, 26
privacy and legal concerns, incident response, 52, 67
procedures
      establishing for IRTs, 57
      evidence-handling, documenting before use, 67
      following in incident response operations, 104
processes, incident response, 98-104
      documenting for evidence gathering, 109
      education, 103
      identifying incidents, 99
      investigation, 103
      mitigating damage, 102
professional organizations
      incident information from, 74
      training offered by, 77
programs (incident response)
      establishing, 32-42
            adding value, 39
            basics, training in, 33
            confidentiality, 38
            corporate politics and buy-in, 34
            distributing how-to policies and procedures, 33
            funding and placing team, 36-38
      setting up, 32-45
programs (see applications)
protocol analyzers (network), using for incident response, 112-119
      Ethereal, 114-116
      Net4, 119
      NetDetector, 119
      Sniffer product line, 113
      Snort, 117
      TCPdump, 116
proving hypotheses, forensic process, 94
public certificates (PGP), 145
public information sources, state of the hack technology, 73
Public Key Infrastructure (PKI) encryption products, 145
public relations, involving in incident response, 53
public resource IRTs (see IRTs, public resource teams)

R
race condition attacks, 82
raw data on disks, 92
      reloading, 114
rdist program, attacking with setuid exploits, 84
RealSecure IDS, 124
recommending course of action, vendor IRTs, 26
reconstructing incidents, 94
recording responses, 61
reloading data from disk, Sniffer, 114
repeatability, incident response, 9
replaying sessions with Review, 117
reporting incidents, 37, 98
      confidentiality, protecting in, 38, 64, 106
      incident report, 104
            example of, 194-196
resources (incident response), dealing with limited, 49
responsibilities, incident response, 37
      IRTs, 47-49
Review program (for TCPdump), 117
reviewing
      incident data, 73
      incident resolution, 11, 104
Ricochet wireless network, 143
risk assessment, 11-13
      for incident types, 44
      threat and vulnerability, weighing, 11
role-playing training exercises, 60, 78
roles, incident response
      critical players, 52
      IRTs, 47-49
      understanding, 106
root kit attacks, 87
rootkit attacks, 139
RSA, SecurePC encryption tool, 144

S
Sandstorm Enterprises, Inc., TCP.Demux tool, 118
SATAN/SAINT network vulnerability scanner, 126
saving to disk, Sniffer products, 114
scanners for vulnerability (see host-based scanners and network scanners under vulnerabilities)
scenarios for incidents, 23
script kiddie, 8
      point-and-click email bombing program, 72
Secret Service (USSS), 53
secure software, writing, 83
SecurePC encryption tool, 144
security
      dial-in data retrieval, modem connections, 142
      fixes and information, distributing over intranet, 20
      penetration tests, live drills vs., 61
      physical, in incident response, 52
      products, purchase by internal IRTs, 21
      technology development, keeping up with, 70-95
            attack profiles, maintaining, 72-75
            training, 75-95
            understanding attack technology, 74
      tools, 107-154
            FIRST, information on, 108
      training employees in, 18, 59
      validation services, internal IRTs, 21
      vulnerability information, Internet discussion groups, 71
      web sites for information, 155
security incidents (see attacks; incidents; IRTs)
security policy support, internal IRTs, 21
security teams (see IRTs)
self-replicating malicious software, 87
sendmail program
      setuid exploits, attacks involving, 84
      vulnerability, 72
senior executive staff, incident response roles, 52
senior information protection engineer, 48
services, IRT, 46-69
      awareness of, promoting, 58
      commercial teams, 22
            advisories and threat monitoring, 23
            expert technical personnel, 23
            fire drills, 23
            incident scenarios, 23
      core, 46
      internal teams, 20
            fire drills for incident response, 20
            security engineering support, 21
            security policy support, 21
            security validation, 21
      public teams, 17
      statistical reporting, 18
      technical and procedural guidance, 17
      vendor teams, 25
            informing customer base of vulnerability, 26
session playback
      IDS products, 120
            (see also intrusion detection systems)
      Review program, 117
setuid exploits, 83
shell scripts
      Bourne (/bin/sh), buffer overflow attack involving, 82
      incident response tools, writing in, 109
Shomiti, Century Network Tap tools, 132
"shoot first and ask questions later" approaches, 5
shutting down business services, problems with, 102
signed integers, avoiding in array index, 3
SMTP (Simple Mail Transfer Protocol)
      malicious packets, 3
      tunneling attacks and, 85
Sniffer product line, 113
sniffers, 3, 70, 84
Snort (protocol analyzer/IDS), 117
software
      coding flaws, exploiting in denial of service attacks, 81
      commercial, pirating, 4
      implementation flaws, attacks involving, 84
      patches for vendor products, incorporating, 26
      secure, writing, 83
      security, purchase by internal IRTs, 21
SOPs (standard operating procedures), establishing, 57
source and destination, incidents, 102
speakers on modems, turning off, 142
staffing, IRT, 40, 50, 64
standard operating procedures (SOPs), 57
state of the hack, 70
      description of current, 79-90
      (see also technology development, keeping up with)
static analysis of affected systems, 91
static usernames and passwords, security risks of, 85
statistics, 62-63
      gathering, analyzing, and reporting by IRTs, 18
      incident, importance of, 40
stealth
      in incident response operations, 108
      incident response tools, needed support for, 154
stealthing tool attacks, 87
storage media (removable), for network data, 146-149
      CD recorder, 148
      external hard drives, 149
      floppy disks, 147
      Jaz drives, 148
      Orb drives, 148
      selection criteria, 146
      tape, 149
      ZIP drives, 147
storage requirements, evidentiary information, 109
storms/floods, denial of service attacks, 80
stress of incident response operations (see operations, incident response, dealing with stress)
super user privileges, xterm program, 83
swatch (System Watch), page-back capability, 140
Symantec, Norton Utilities, 138, 159
symptom data, collecting for incidents, 100
system administration, security and, 76
system administrators
      affected systems, hands-on repair, 102
      incident response, drafting power users for, 49
System Scanner (ISS), 135
systems
      detecting unauthorized changes with host-based tools, 133
      information sources, forensic, 94
      restoring to secure baseline configuration, 10
      restricting or removing access to, 52
      vendor-supplied executable files, detecting changes to, 134
      vulnerabilities (see vulnerabilities)

T
tape, using for removable storage, 149
tapping into networks (Century Network Tap), 132
TCP
      flag registers, examining with Sniffer, 113
      stream reconstruction, Ethereal, 116
TCP.Demux (protocol analyzer postprocessing tool), 118
TCPdump (network protocol analyzer), 116
TCP/IP networking code, exploiting flaw in, 3, 80
TCT (The Coroner's Toolkit), 139
team leader/incident coordinator, 48
team manager (IRT), 48
technical and procedural guidance from IRTs, 17
Technical Colloquia (TCs), information on security tools, 108
technology development, keeping up with, 70-95
      attack profiles, maintaining, 72-75
      training, 75-95
            forensics, 90-95
            state of the hack, current, 79-90
      understanding attack technology, 74
telnet daemons, use in attacks, 71, 85
temporary fixes, restoring operations with, 103
testing IRT capabilities with fire drills, 59-62
text
      deleted, storage by word processors, 92
      nmap output, 128
theorizing in forensic process, 94
threat
      monitoring services, commercial IRTs, 23
      weighing in risk assessment, 11
"threat inflation" by commercial IRT marketers, 24
Tiger (host-based vulnerability scanner), 134
timestamps for data and events, support needed in tools, 153
tools
      attack, 79
            rootkit, 87
            stealthing, 87
      data analysis, 91
      fly-away kit (see fly-away kit)
      forensic
            raw data on disk, examining, 93
            The Coroner's Toolkit (TCT), 139
      incident response, 107-154
            criteria for perfect, 153-154
            host-based, 133-139
            network-based, 111-133
            requirements for, 108
            sealing and locking away, 110
tracking incidents with database systems, 100
trade secrets, selling to competitor, 7
training
      conferences, 77
            web sites, 161-162
      forensic, for computers, 67
      in general computer security by IRT staff, 18, 59
      incident scenarios from commercial IRTs, 23
      IRT staff, 50
            live drills, 61
            role-playing exercises, 60
      in new technologies, listing of sources, 73
            (see also training, state of the hack)
      security awareness for employees, 20
      state of the hack, 75-95
            description of, 79-90
            determining requirements for, 75
            forensics, 90-95
transaction journal logs, forensic information in, 92
trigger events, monitoring and alerting with IDS tools, 120
Tripwire IDS, 137
Trojan horses
      back door programs and, 86
      in tunneling attacks, 85
trouble-ticket tracking databases, 57
trust among PGP users, 145
tunneling attacks, 85
      ICMP network daemon in computer game, 86
two-person rule, evidence handling, 109

U
Ultrix 3.1 operating system (DEC), 3
unattended operation, modems, 142
unauthorized software on systems (see back doors)
United States (see U.S. government)
Unix
      AIX 370 (IBM mainframe version), 3
      /bin/mail program, race condition attack on, 83
      finger program, buffer overflow attacks on, 82
      forensic data, file access, 92
      ipconfig command, stealthing tool attacks involving, 87
      login program (/bin/login), Trojan horse attacks on, 86
      sendmail program vulnerability, 72
      setuid exploits, 83
      swatch (System Watch), page-back capabilities, 140
updates to vulnerability database, ISS Network Scanner, 130
U.S. government
      Department of Defense
            Advanced Research Projects Agency (DARPA), 17
            Attacker/Defender Training, 78
      Department of Justice, evidence handling guidelines, 67
      FBI
            InfraGard program, 74
            online criminal activity, investigation of, 53
      federal laws on computer crime and incident response, 164
      incident response resources (web sites), 160
      Secret Service (USSS), 53
usernames and passwords
      capturing with network sniffers, 70, 84
      default, attacks involving, 89

V
validating security services, internal IRTs, 21
value added by IRTs, 39
vendor IRTs, 25-27
      services provided by, 25
      summary of strengths and weaknesses, 28
vendor-supplied system executable files, detecting changes to, 134
verifying vendor product vulnerability, 25
Virtual Private Networks (VPNs), 145
viruses, 7, 87
      antivirus software
            distributing over intranet, 20
            vendors of, 159
            web sites of producers, 159
      hoaxes, 44
            power of, 80
            web site information on, 156
      LoveLetter (I-LOVE-YOU), 34
      macro, 88
      malicious mobile code, 88
      scares (see hoaxes)
Visual Basic Scripting Language, macro virus infecting, 88
visualization
      of attacks, tools supporting, 111
      of network datagrams, 113
      of sessions, 117
            IDS product support for, 120
vulnerabilities
      analysis, reporting, and advice from IRTs, 17
      Common Vulnerabilities and Exposures (CVE), 154
      default configuration residue, 89
      direct distribution of fixes, internal IRTs, 20
      event log data, integrity of, 91
      host-based scanners for
            enabling vulnerabilities, detecting, 134
            Tiger and ISS System Scanner, 134
      Internet discussion groups, 71
      network scanners for, 125-130
            back door and malicious code, detecting, 125
            Cybercop, 129
            enabling vulnerabilities, detecting, 126
            ISS Network Scanner, 130
            NetRecon, 130
            nmap, 127
            SATAN/SAINT, 126
      Unix sendmail, 72
      vendor IRTs, services provided, 25
      vendor products
            determining cause of, 25
            documenting, 25
            Internet discussion groups, 27
            reliability of statements about, 26
      weighing in risk assessment, 11

W
warez, 4
web of trust, 145
web sites
      defacement by intruders, 7
      incident response information, 155-162
            antivirus products, 159
            commercial IRTs, 157-159
            mailing lists and newsgroups, 159
            public resource IRTs, 156
            security, 155
            training conferences and certification programs, 161-162
            U.S. government resources, 160
Windows systems
      NT
            ping of death attack, 79
            scanning domain with BV-Control, 135
            vendor vulnerability web site, 27
      NT and 2000, forensic data capabilities, 92
      page-back mechanisms, 140
      point-and-click email bombing program, 72
      TCP.Demux program, postprocessing for protocol analyzers, 118
      Windows 95/98, inadequate logging capabilities, 92
wireless communications
      ethernet, 143
      modems, problems with availability, 142
      PCS cellular, 142
Word documents, macro viruses infecting, 88
word processors, forensic data from, 92
workload, IRTs, 40
worms, 13, 87
      Internet attack (Morris program), 82
            automation failures and, 42
write-once media for event log data, 92

X
X windowing systems, xterm program running setuid root, 83

Z
ZIP drives, using for removable storage, 147