Identifying Computer Attacks – Tips, Tricks and Tools

Kai Axford, CISSP, MCSE-Security
Sr. Security Strategist
Microsoft Corporation
kaiax@microsoft.com
http://blogs.technet.com/kaiaxford

“The server is acting weird.”

The Demo Disclaimer…
Is everyone paying attention now?
Remember, SQL Injection is the result of improper form validation… and can happen on ANY database server that supports ANSI 99 (incl. MySQL, Oracle, DB2).
No, I will not give you those tools. I don’t care what
you do or who you work for….
(besides, if you really DO work for the NSA, you’ve got
better tools than this anyway).
If you don’t ask, I don’t have to say no.

Agenda
• The Incident and the 31337 h4XØr
• Identifying the Attack and Proving it
• Summary & Resources

What is an “incident”?
• As defined by AUS-CERT – “An attack against a computer or network which harmed, or potentially may harm, the confidentiality, integrity or availability of network data or systems.”
• May include the following general categories: Compromise of Confidentiality, Compromise of Integrity, Denial of Resources, Intrusions, Misuse, Damage, Hoaxes.

The components of an incident
• John D. Howard, “A Common Language for Computer Security Incidents”, 1998. http://www.cert.org/research/taxonomy_988667.pdf

But who are these “31337 H4xØrz”?
• Not all are as elite as you (or they) may think…
• “If you’re a good hacker…everybody knows. If you’re a GREAT hacker…nobody knows.”
• …but first and foremost, they’re just criminals.
[Chart: THREAT vs. CAPABILITY axes, listing CyberWar / Foreign Intelligence, Terrorists, Organized Crime, Competitors (Foreign & Domestic), Anonymous, Organized Hacker groups, “Hacktivists”, Real Hackers, Script Kiddies]

Got disk space and CPU? .

Attack of the 10,000 Bots (…and you thought he only helped Luke)
• A BotNet of 10,000 machines can: 4.8 GBPS Uplink, 4.5 GBPS Downlink
• 1.5 million SYN packets /second
• 930,000 HTTP-GET requests /second

It’s getting worse… .

So what is “Incident Handling”?
• Incident Handling – Actions taken to protect and restore the normal operating condition of computers and the information stored in them when an adverse event occurs.
• Incentives for efficient incident handling: Economic; Protecting Proprietary / Classified / Sensitive Information; Operational / Business Continuity; Public Relations; Legal / Regulatory Compliance; Safety.

Did something occur? How do you know?
• Determine what the problem is and assess its magnitude
• Major sources of information: Log files and syslog output; Wrapper tools (e.g. TCP wrapper); Firewall logs (personal and network); Intrusion detection systems (IDS) and prevention systems (IPS)
• Analyze all anomalies
• Gather proof!

Understanding the dreaded IP Header (fields in wire order)
• Version | Length | TOS | Total Length
• Identification | Flags | Offset
• TTL | Protocol | Header Checksum
• Source IP Address
• Destination IP address
• Options
• Data

What should I be looking for?
• Are any IP Header fields suspect?
• Is the Source IP address suspect?
• Is odd fragmentation occurring?
• Does the size of the packet raise concerns?
• Are any TCP header fields suspect?
• Is the destination port a valid service?
• Does the traffic follow RFC standards?
• What are the timestamps of the traffic?
Mandia, Kevin and Chris Prosise. “Incident Response: Fighting Computer Crime”. Osborne/McGraw Hill, 2001.
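The checklist above is easier to apply once the header fields are actually pulled apart. The following is an added example, not code from the presentation: it parses a raw IPv4/TCP datagram with the Python standard library and runs the slide's questions as checks (version, header length, total length versus bytes captured, header checksum, bogon source address, contradictory fragmentation flags, a first fragment too small to hold the TCP header, SYN+FIN set together, and a destination port outside the services the host offers). The `EXPECTED_SERVICES` set, the `BOGONS` list and the sample packets built by `build_ipv4_tcp` are constructed assumptions for this example, not values from the deck.

```python
import ipaddress
import struct

# Assumption (constructed for this example): the ports this host is meant to serve.
# Anything else hitting it answers "Is the destination port a valid service?" with "no".
EXPECTED_SERVICES = {22, 25, 80, 443}

# Source addresses that must never arrive from the Internet side (RFC 1918, loopback,
# link-local, multicast, "this" network, class E). Constructed list; extend it for your site.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Pull out the header fields named on the slide from a raw IPv4 datagram (no link layer)."""
    (ver_ihl, tos, total_len, ident, flags_off,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    zeroed = packet[:10] + b"\x00\x00" + packet[12:ihl]   # header with checksum field cleared
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
        "checksum": csum, "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:ihl], "payload": packet[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    """Fixed part of the TCP header; flags are the low six bits of the offset/flags word."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": off_flags & 0x3F, "window": win}


def suspicious(packet: bytes, internet_facing: bool = True) -> list:
    """Run the slide's checklist over one datagram; returns a list of human-readable findings."""
    findings = []
    ip = parse_ipv4(packet)
    if ip["version"] != 4:
        findings.append("IP version %d is not 4" % ip["version"])
    if ip["header_len"] < 20:
        findings.append("header length below the 20-byte minimum")
    if ip["total_len"] != len(packet):
        findings.append("total length %d does not match %d bytes captured" % (ip["total_len"], len(packet)))
    if not ip["checksum_ok"]:
        findings.append("IP header checksum does not verify")
    src = ipaddress.IPv4Address(ip["src"])
    if internet_facing and any(src in net for net in BOGONS):
        findings.append("source %s cannot legitimately arrive from the Internet (likely spoofed)" % ip["src"])
    if ip["src"] == ip["dst"]:
        findings.append("source address equals destination address")
    if ip["mf"] and ip["df"]:
        findings.append("MF and DF both set (contradictory fragmentation flags)")
    if ip["protocol"] == 6 and ip["frag_offset"] == 0:
        if len(ip["payload"]) < 20:
            findings.append("not enough bytes for a TCP header" + (" in the first fragment" if ip["mf"] else ""))
        else:
            tcp = parse_tcp(ip["payload"])
            if tcp["flags"] & SYN and tcp["flags"] & FIN:
                findings.append("SYN and FIN set together (RFC 793 violation)")
            if tcp["flags"] == 0:
                findings.append("no TCP flags set")
            if tcp["dport"] not in EXPECTED_SERVICES:
                findings.append("destination port %d is not an offered service" % tcp["dport"])
    return findings


def build_ipv4_tcp(src, dst, sport, dport, tcp_flags, *, df=False, mf=False, offset=0, ttl=64) -> bytes:
    """Constructed sample datagram (IPv4 + bare TCP header) for exercising the checks; not a real capture."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | tcp_flags, 8192, 0, 0)
    flags_off = (0x4000 if df else 0) | (0x2000 if mf else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, flags_off, ttl, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill in a correct checksum
    return hdr + tcp


if __name__ == "__main__":
    # Documentation-range addresses (RFC 5737) used as constructed sample endpoints.
    for label, pkt in (("normal SYN to 443", build_ipv4_tcp("203.0.113.7", "198.51.100.10", 40000, 443, SYN)),
                       ("odd packet", build_ipv4_tcp("10.0.0.5", "198.51.100.10", 40000, 31337, SYN | FIN, df=True, mf=True))):
        print(label, "->", suspicious(pkt) or ["nothing suspect"])
```

Feed `suspicious()` the IP layer of each frame from a capture (strip the 14-byte Ethernet header first) and log the findings next to the timestamp; the timestamp question on the slide is answered by whatever captured the packet, not by the header itself.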

Event logs: Some Logon/Logoff Event IDs
• 528 – Successful Logon
• 529 – Logon Failure: Unknown user name or bad password
• 530 – Logon Failure: Account logon time restriction violation
• 531 – Logon Failure: Account currently disabled
• 532 – Logon Failure: The specified user account has expired
• 533 – Logon Failure: User not allowed to logon at this computer
• 534 – Logon Failure: User not granted requested logon type at this machine
• 535 – Logon Failure: The specified account’s password has expired
• 539 – Logon Failure: Account locked out
• 540 – Successful Network Logon (Win2000, XP, 2003 Only)

Event logs: Event IDs on your Domain Controller
• 675 – Failed logon from workstation (usually a bad password)
• 676/672 – Other AuthN failure
• 681/680 – Failed logon with a domain account
• 642 – Reset PW or Disabled account was re-enabled
• 632/636/660 – User was added to a group
• 624 – New user account created
• 644 – Account lockout after repeated logon failures
• 517 – User cleared the logs
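The event IDs on the two slides above are most useful when correlated rather than read one at a time. This added example (not part of the presentation) takes a constructed flat export of security events, one per line in a `timestamp EventID=… User=… Workstation=…` layout that is an assumption of this example and not the native Windows log format, and flags the patterns a responder looks for: a burst of failures for one account inside a time window, a successful logon right after such a burst, account lockouts (644), account and group changes (624, 632/636/660, 642) and audit-log clearing (517). The sample log lines and the threshold/window values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs as listed on the slides (Windows 2000/XP/2003 security log numbering)
EVENT_NAMES = {
    528: "Successful Logon",
    529: "Logon Failure: Unknown user name or bad password",
    530: "Logon Failure: Account logon time restriction violation",
    531: "Logon Failure: Account currently disabled",
    532: "Logon Failure: The specified user account has expired",
    533: "Logon Failure: User not allowed to logon at this computer",
    534: "Logon Failure: User not granted requested logon type at this machine",
    535: "Logon Failure: The specified account's password has expired",
    539: "Logon Failure: Account locked out",
    540: "Successful Network Logon",
    675: "Failed logon from workstation (usually a bad password)",
    676: "Other AuthN failure", 672: "Other AuthN failure",
    681: "Failed logon with a domain account", 680: "Failed logon with a domain account",
    642: "Reset PW or disabled account was re-enabled",
    632: "User was added to a group", 636: "User was added to a group", 660: "User was added to a group",
    624: "New user account created",
    644: "Account lockout after repeated logon failures",
    517: "User cleared the logs",
}
FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 539, 675, 676, 672, 681, 680}
SUCCESS_IDS = {528, 540}
ACCOUNT_CHANGE_IDS = {624, 632, 636, 660, 642}

# Constructed flat export format (one event per line); an assumption of this example.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<id>\d+) "
                     r"User=(?P<user>\S+) Workstation=(?P<ws>\S+)$")

# Constructed sample: one quiet user, one account hammered at 02:11 and then used, one typo.
SAMPLE_LOG = """\
2006-03-14 02:10:01 EventID=528 User=alice Workstation=WS-04
2006-03-14 02:11:05 EventID=529 User=admin Workstation=WS-17
2006-03-14 02:11:06 EventID=529 User=admin Workstation=WS-17
2006-03-14 02:11:07 EventID=529 User=admin Workstation=WS-17
2006-03-14 02:11:08 EventID=529 User=admin Workstation=WS-17
2006-03-14 02:11:09 EventID=529 User=admin Workstation=WS-17
2006-03-14 02:11:30 EventID=540 User=admin Workstation=WS-17
2006-03-14 02:12:00 EventID=624 User=admin Workstation=WS-17
2006-03-14 02:12:05 EventID=632 User=admin Workstation=WS-17
2006-03-14 02:12:40 EventID=517 User=admin Workstation=WS-17
2006-03-14 08:30:00 EventID=529 User=bob Workstation=WS-09
2006-03-14 08:30:20 EventID=528 User=bob Workstation=WS-09
"""


def parse(lines):
    """Turn export lines into event dicts, skipping anything not in the expected layout."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "id": int(m["id"]), "user": m["user"], "ws": m["ws"]})
    return sorted(events, key=lambda e: e["ts"])


def analyze(events, threshold=5, window=timedelta(minutes=5)):
    """Single chronological pass; per-user state tracks failures still inside the window."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures inside the window

    def alert(kind, ev, detail):
        alerts.append({"kind": kind, "ts": ev["ts"].isoformat(sep=" "), "user": ev["user"], "ws": ev["ws"],
                       "detail": "%d %s: %s" % (ev["id"], EVENT_NAMES.get(ev["id"], "unknown"), detail)})

    for ev in events:
        eid = ev["id"]
        if eid == 517:
            alert("log_cleared", ev, "audit trail tampered with; treat earlier entries as unreliable")
        elif eid == 644:
            alert("lockout", ev, "repeated failures tripped the lockout policy")
        elif eid in ACCOUNT_CHANGE_IDS:
            alert("account_change", ev, "verify this change was authorised")
        fails = recent_failures[ev["user"]]
        if eid in FAILURE_IDS:
            fails.append(ev["ts"])
            fails[:] = [t for t in fails if ev["ts"] - t <= window]   # drop failures older than the window
            if len(fails) == threshold:
                alert("failure_burst", ev, "%d failed logons within %s from %s" % (threshold, window, ev["ws"]))
        elif eid in SUCCESS_IDS:
            if len(fails) >= threshold and ev["ts"] - fails[-1] <= window:
                alert("success_after_failures", ev, "successful logon after %d failures (password guessed?)" % len(fails))
            fails.clear()
    return alerts


if __name__ == "__main__":
    for a in analyze(parse(SAMPLE_LOG.splitlines())):
        print(a["ts"], a["kind"], a["user"], a["ws"], "-", a["detail"])
```

Bob's single typo followed by a successful logon produces nothing, while the admin account's five failures, the logon that follows, the new account, the group change and the cleared log each raise an alert in chronological order. Adjust `threshold` and `window` to your lockout policy, and remember that 517 means the events before it may be missing, not merely unreliable.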

“Are you sure they did it?” – Electronic Discovery

Kai’s Tools and Tips…(see a common trend?)
• Process Explorer – Free tool that provides detailed process info. Task manager on steroids.
• AutoRuns – Free util that checks all the startup folders and reg keys.
• Wireshark (formerly Ethereal) – Free OSS network sniffer. Very pretty.
• EventCombMT – Free event ID parser. Part of the ….
• md5sum – Free file integrity verifier. Get a hash from a “known good” file.
• …there are TONS more free tools!
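The md5sum tip only pays off if the “known good” hashes were recorded before the incident and compared afterwards. This added example (not from the presentation) does that with the Python standard library: it records md5 and sha256 for every file under a directory, then reports files whose contents changed, files that vanished and files that appeared. md5 is kept so the values can be checked against published md5sum lists; sha256 is the digest to rely on, since md5 collisions are practical. The directory tree and file contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20   # hash in 1 MiB pieces so large binaries are not read into memory at once


def file_digests(path):
    """md5 (for comparison with published md5sum output) and sha256 (the one to trust)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def build_baseline(root):
    """Map every regular file under root (relative, POSIX-style path) to its digests."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digests(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the tree under root against a previously recorded baseline."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "new": sorted(set(current) - set(baseline))}
    for rel, known in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != known["sha256"] or current[rel]["md5"] != known["md5"]:
            report["modified"].append(rel)
    return report


def demo():
    """Constructed scenario: small tree, baseline taken, then one file altered, one added, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "netstat.exe").write_bytes(b"known good binary contents")
        (root / "bin" / "tasklist.exe").write_bytes(b"another known good binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)            # what you would store offline, read-only
        (root / "bin" / "netstat.exe").write_bytes(b"replaced binary contents!")   # altered tool
        (root / "bin" / "unknown.exe").write_bytes(b"file that was never in the baseline")
        (root / "etc" / "hosts").unlink()          # removed file
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Store the baseline off the suspect machine (and hash the baseline file itself); a baseline that lives on the box it describes can be rewritten by whoever replaced the binaries.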

Got proof….now what?
• Upon Identification: Obtain full backup and copy any hacked files or bogus code for analysis
• If it’s likely you’ve been “Øwn3d”: Turn on or increase auditing; Set system clock correctly; Document! Document! Document!
• Initiate notification process: The IR Team, Your InfoSec contact, Your PR people, Your Legal team, Law Enforcement!!!!

Digital Forensics
• First and foremost: Kai is not a lawyer. Always consult your local law enforcement agency and legal department first!
• Digital forensics is SERIOUS BUSINESS. You can easily shoot yourself in the foot by doing it incorrectly.
• Get some in-depth training …this is not in-depth training!!! (Nor is it legal advice. The job you save may be your own.)
• I just want to spend a few minutes showing you some common forensic tools and how they can help. Be smart.

Encase – Guidance Software, Inc. http://www.guidancesoftware.com
• Very popular in private corporations
• EnScript Macro Language allows for creation of powerful scripts and filters to automate tasks
• Safely preview a disk before acquisition
• Picture gallery shows thumbnails of all images
• Virtually boot disk image using VMWare to allow first-hand view of the system

Forensic Tool Kit – Access Data, Inc. http://www.accessdata.com/
• Full indexed searches in addition to regex searches
• Preprocess of all files, which makes for faster searching
• Data is categorized by type (document, email, image, archive, etc.) for easy sorting
• Ability to rule out “common files” using the Known File Filter plug-in
• Detection of encrypted / compressed files

Open Source Forensics Tools
• The Sleuth Kit (TSK) and Autopsy – Written by Brian Carrier (www.sleuthkit.org). TSK is command line; Autopsy provides a GUI for TSK. Runs on *nix platforms. Client server architecture allows multiple examiners to use one central server. Allows basic recovery of deleted data and searching. Lots of manual control to the investigator, but is light on the automation.
• Helix – e-Fense. Customized Knoppix disk that is forensically safe. Includes improved versions of ‘dd’. Terminal windows log everything for good documentation. Includes Sleuthkit, Autopsy, chkrootkit, and others. Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools.

“I have you now….” – D. Vader
Digital Forensics

Acquiring Data should always be done carefully…
• Always preserve originals and ONLY work on copies!
• Utilize HW write blockers to ensure MAC times are not altered
• Your legal team and law enforcement will thank you!
[Diagram: Suspect Hard Drive → Write Blocker]

Have a forensics jumpkit! Critical for the success of the investigation.

Other stuff
• Some incidents may occur on a SAN or large servers with special complications: Cannot go offline OR they have so much storage that it cannot be successfully imaged (or have RAID, so an image will be technically infeasible)
• The best option is still to perform some sort of backup, at least of the suspicious files and logs, then analyze them off-line
• A tape backup will not include all the information such as slack space data, but it may be the only alternative

Additional Microsoft Resources
• NEW! Fundamental Computer Investigation Guide For Windows http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation
• Windows Security Logging and Other Esoterica http://blogs.msdn.com/ericfitz/
• The Security Monitoring and Attack Detection Planning Guide http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx
• Microsoft Windows Security Resource Kit v2.0, ISBN: 0735621748

My Digital Forensics Reading List
• File System Forensic Analysis, Brian Carrier, ISBN: 0-321-26817-2
• Digital Evidence and Computer Crime, Eoghan Casey, ISBN: 012162885X
• Incident Response: Investigating Computer Crime, Kevin Mandia & Chris Prosise, ISBN: 007222696X
• Hacking Exposed: Computer Forensics, Chris Davis, Aaron Phillip, ISBN: 0072256753

Questions and Answers

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
