What Would Sun Tzu Do: The Lessons We Can Apply in Cyberspace
Provided by: Kauf
Slides: 29

Transcript and Presenter's Notes

1
What Would Sun Tzu Do: The Lessons We Can Apply in Cyberspace
IS-3523 Review
2
10 Propositions on Network Defense
  • Networks are critical business support
    systems...if not the sole reason for the business
  • Networks exist to operate
  • Security should ensure you operate
  • All good systems have fail safes
  • Vulnerability Alerts are not only a Sys Admin
    Issue
  • The threat to our network is real
  • There is no distant end on a network
  • There is no distant end in network defense
  • You are only as good as your weakest link
  • You do not want to be the weakest link
  • Incident Response exposes your weak links

3
Dangers in Cyberspace
  • Early Virus/Worms
    • Melissa (Mar/Apr 99)
    • Loveletter (May 00)
    • Kournikova (12-13 Feb 01)
  • Present Day Virus/Worms
    • Code Red Worm (Jul 2001...)
    • SirCam Worm (July 2001)
    • Nimda Worm (Sept 2001...)
    • Goner Worm (Dec 01)
    • Bugbear (Sep 02)
    • Sobig (Jan 03)
    • Slammer Worm (Jan 03)

4
Economic Impacts
  • Melissa: $1.2B
  • Love Letter: $8.7B, most of the Fortune 500 companies affected
  • Kournikova
  • SirCam: $1B
  • Code Red: $2.6B estimated for Jul/Aug 01 alone
  • Nimda: network saturation in 6 hours

5
The Worst Can Happen
"Don't look at the past and assume that's the future. Look at the enemy's strengths and your vulnerability. You've got to realize that the worst case does sometimes happen."
- Richard Clarke, Special Advisor for Cybersecurity
6
The Cost Is High
$15 billion: the cost of eSecurity breaches to U.S. businesses in one year (Source: Datamonitor)
7
Scope of the Problem
  • 85% of respondents detected computer security breaches in the last 12 months
  • 64% acknowledged financial losses
  • Hackers systematically stole customer data for more than a year, including a million credit card numbers
  • Sources: 2001 Computer Security Institute survey of 538 organizations; SANS Institute

8
Scope of the Problem, cont.
  • Average bank holdup: $14,000
  • Average computer theft: $2 million (Association of Certified Fraud Examiners)
  • The Nimda worm compromised over 86,000 internet hosts (Source: SANS Institute)
  • Code Red: 359,000 servers in less than 14 hours (Source: CAIDA)

9
Incident Response Overview
  • Goals
  • Methodology
  • Preparation
  • Detection
  • Initial Response
  • Strategy Formulation
  • Investigation
  • Monitoring
  • Recovery
  • Reporting

10
What is an Incident?
  • Incident: an event in an information system/network
  • Time-based security: Protection time > Detection time + Reaction time
    (you are exposed whenever the time an attacker needs to defeat your protection is shorter than the time you need to detect the attack and react to it)

Some say it's all about vulnerability management
11
Goals of Incident Response
  • Confirm or dispel the incident
  • Promote accurate information accumulation
  • Establish controls for evidence
  • Protect privacy rights
  • Minimize disruption to operations
  • Allow for criminal or civil action against the perpetrators
  • Provide accurate reports/recommendations

12
Incident Response Methodology
  • Pre-incident preparation
  • Detection
  • Initial Response
  • Strategy formulation
  • Duplication
  • Investigation
  • Security measure implementation
  • Network monitoring
  • Recovery
  • Reporting
  • Follow-up

13
7 Components of Incident Response
  • Pre-Incident Preparation
  • Detection of Incidents
  • Initial Response
  • Formulate Response Strategy
  • Investigate the Incident (Data Collection, Data Analysis)
  • Reporting
  • Resolution (Recovery, Implement Security Measures)
Page 15, Fig 2-1, Mandia 2nd Edition
14
Pre-Incident Preparation -> Detection of Incidents (incident response team formed, notification checklist completed) -> Initial Response
Initial Response asks: is it really an incident?
  • No: stop here
  • Yes: Formulate Response Strategy, then pursue and accumulate evidence and/or secure the system (both paths can be pursued simultaneously)
    Accumulate Evidence: forensic duplication needed? Yes: Forensic Duplication, then Investigation. No: Investigation directly
    Secure System: Implement Security Measures, Isolate and Contain, Perform Network Monitoring
Both paths lead to Reporting -> Follow-Up
Ref: Incident Response by Mandia and Prosise, Page 18, Fig 2-1
15
Detection
Inputs that trigger detection: firewall logs, IDS logs, a suspicious user, a sys admin report
Outputs: response team activated, notification checklist completed
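The detection inputs named on this slide are firewall and IDS logs. As an added example (not part of the original slides), the Python below scans constructed web-server and firewall log lines for three of the worms listed on slide 3: Code Red (requests to the .ida ISAPI filter), Nimda (root.exe/cmd.exe probes through directory-traversal encodings) and Slammer (one UDP packet to port 1434 sprayed at many hosts). It then collapses the hits into the facts the notification checklist asks for: nature of the incident, when it started, and which hosts are involved. The log layouts, the IP addresses and the three-target threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not from any real capture). Web lines follow a
# simplified IIS W3C layout: date time client-ip method uri-stem uri-query status.
WEB_LOG = """\
2001-07-19 10:12:31 203.0.113.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 200
2001-07-19 10:12:40 198.51.100.3 GET /index.htm - 200
2001-09-18 14:02:11 203.0.113.9 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:12 203.0.113.9 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:02:13 203.0.113.9 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:14 203.0.113.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:03:00 198.51.100.3 GET /images/logo.gif - 200
"""

# Constructed firewall lines: date time action proto src:port -> dst:port len=bytes
FW_LOG = """\
2003-01-25 05:31:02 deny udp 203.0.113.20:1434 -> 10.0.0.9:1434 len=404
2003-01-25 05:31:02 deny udp 203.0.113.20:1434 -> 10.0.0.10:1434 len=404
2003-01-25 05:31:02 deny udp 203.0.113.20:1434 -> 10.0.0.11:1434 len=404
2003-01-25 05:31:03 allow tcp 198.51.100.3:51022 -> 10.0.0.9:80 len=60
"""

# Request patterns for two worms named on the slides. Code Red hits the .ida
# ISAPI filter; Nimda probes for root.exe/cmd.exe via traversal encodings
# (%255c, %c0%af, %c1%1c are the double/overlong encodings it used).
WEB_SIGNATURES = (
    ("Code Red", re.compile(r"^/default\.ida$", re.I)),
    ("Nimda", re.compile(r"(root\.exe|cmd\.exe|%255c|%c0%af|%c1%1c)", re.I)),
)

WEB_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
FW_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>allow|deny) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)


def scan_web_log(text):
    """Return one alert dict per request matching a worm signature.
    The HTTP status is kept: a 200 on a Nimda traversal probe means the
    command actually ran, which changes the response strategy."""
    alerts = []
    for line in text.splitlines():
        m = WEB_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        stem, query = m["stem"], m["query"]
        for name, pattern in WEB_SIGNATURES:
            if pattern.search(stem) or pattern.search(query):
                request = f"{m['method']} {stem}" + ("" if query == "-" else "?" + query)
                alerts.append({"when": f"{m['date']} {m['time']}", "source": m["client"],
                               "rule": name, "request": request, "status": int(m["status"])})
                break
    return alerts


def scan_fw_log(text, min_targets=3):
    """Flag sources sending UDP/1434 (SQL Server resolution service, the port
    Slammer used) to several distinct hosts. Slammer needs one packet per
    target, so the tell is the fan-out, not the payload."""
    targets, first_seen = defaultdict(set), {}
    for line in text.splitlines():
        m = FW_LINE.match(line)
        if not m or m["proto"] != "udp" or m["dport"] != "1434":
            continue
        targets[m["src"]].add(m["dst"])
        first_seen.setdefault(m["src"], f"{m['date']} {m['time']}")
    return [{"when": first_seen[src], "source": src,
             "rule": "Slammer-style UDP/1434 sweep", "targets": len(dsts)}
            for src, dsts in targets.items() if len(dsts) >= min_targets]


def notification_summary(alerts):
    """Collapse alerts into what the notification checklist wants first:
    nature of the incident, when it started, and the hosts involved."""
    summary = {}
    for a in sorted(alerts, key=lambda a: a["when"]):
        entry = summary.setdefault(a["rule"], {"first_seen": a["when"], "sources": set(), "hits": 0})
        entry["sources"].add(a["source"])
        entry["hits"] += 1
    return summary


if __name__ == "__main__":
    found = scan_web_log(WEB_LOG) + scan_fw_log(FW_LOG)
    for rule, info in notification_summary(found).items():
        print(f"{rule}: first seen {info['first_seen']}, {info['hits']} hit(s) from {sorted(info['sources'])}")
```

A production IDS carries far more signatures than this, but the shape is the same: parse defensively, keep the timestamp and source of the first hit, and preserve the detail (here the HTTP status) that tells the response team whether the probe merely knocked or got in.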
16
Initial Critical Details
  • Current time and date
  • Who/what is reporting the incident
  • Nature of the incident
  • When the incident occurred
  • Hardware/software involved
  • Point of contact for involved personnel

17
Initial Response
Input: details from the notification checklist
Outputs on success: verified information about the incident, a prepared response team
Outcome is success or failure, and it turns on one question: how much info is enough?
18
Response Strategy Formulation
Input: verified information about the incident
Outputs: a management-approved action plan and a response posture
Goal: determine the most appropriate response strategy
19
Factors for Strategy
  • How critical are the impacted systems?
  • How sensitive is the data?
  • Who are the perpetrators?
  • Does the incident have publicity?
  • What level of access did the hacker attain?
  • What is the apparent skill of the attacker?
  • How much downtime can be tolerated?
  • What is the overall dollar loss involved?

20
Common Incidents
  • Denial of Service Attack
  • Unauthorized Use
  • Vandalism
  • Information Theft
  • Computer Intrusion

Management support depends on: network downtime, user downtime, legal liability, publicity, theft of intellectual property
21
Investigation Stage
Inputs: live system, network logs, forensic duplicate
Output: investigative report
22
Security Measure Implementation Stage
Inputs: verified info, response posture
Actions: implement security remedies, isolate and contain, monitor the network logs
Prevent the same exposure!
Option: "fishbowling" the attacker, i.e. leaving them active inside a contained and closely monitored environment in order to gather evidence
23
Recovery/Reporting Process
Recovery: backups, hardening, user education, COOP (continuity of operations)
Report: conclusions, lessons learned, support for criminal action, prevent repeats
Outcome: successful containment
24
What Will You Do?
  • We need an Initial Response that
  • Supports the Goals of Computer Security
  • Supports the Business Practices
  • Supports Administrative and Legal Policy
  • Is Forensically Sound
  • Is Simple and Efficient (KISS)
  • Provides an Accurate Snapshot for Decision Makers
  • Supports Civil, Administrative, or Criminal
    Action.

25
Common Mistakes
  • Failure to Document Findings Appropriately
  • Failure to Notify or Provide Accurate Information
    to Decision Makers
  • Failure to Record and Control Access to Digital
    Evidence
  • Wait Too Long Before Reporting
  • Underestimating the Scope of Evidence that may be
    found

26
Common Mistakes, cont.
  • Technical Blunders
    • Altering Time/Date Stamps on Evidence Systems
    • Killing Rogue Processes
    • Patching the System
    • Not Recording the Steps Taken on the System
    • Not Acting Passively
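Two of the goals on slide 11 (establish controls for evidence, allow for criminal or civil action) and several of the blunders above (altering time stamps, not recording the steps taken, not controlling access to digital evidence) come down to being able to prove afterwards that the evidence is unchanged and that every action taken on it was logged. The Python below is an added example, not from the slides or from Mandia and Prosise: it hashes a forensic duplicate at acquisition, proves the duplicate matches the source, re-checks an item before use, and keeps a hash-chained chain-of-custody log in which editing or deleting an earlier step breaks every entry after it. The item names, actors, timestamps and the in-memory "image" bytes are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash recorded by the first log entry


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record: who did what to which evidence
    item, when, and what the item's hash was at that moment. Each entry
    commits to the hash of the previous entry, so editing, deleting or
    reordering an earlier step invalidates every entry that follows it."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, item_id, item_hash, when=None):
        when = when or datetime.now(timezone.utc).isoformat()  # fixed in tests
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "when": when, "actor": actor,
                 "action": action, "item": item_id, "sha256": item_hash, "prev": prev}
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, otherwise (False, i)
        where i is the first entry whose content or back-link fails."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256(json.dumps(body, sort_keys=True).encode())
            if entry["prev"] != prev or recomputed != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
        return True, None


def acquire_duplicate(log, actor, item_id, source: bytes, when=None):
    """Take the working copy, prove source and copy match by hash, and log
    it. All later analysis happens on the copy; the source is never touched."""
    source_hash = sha256(source)
    copy = bytes(source)
    if sha256(copy) != source_hash:
        raise RuntimeError("duplicate does not match source")
    log.record(actor, "acquired; source and duplicate hashes match", item_id, source_hash, when)
    return copy, source_hash


def verify_item(expected_hash: str, data: bytes) -> bool:
    """Re-hash an item before use, and again before it goes to court."""
    return sha256(data) == expected_hash


if __name__ == "__main__":
    IMAGE = b"constructed disk image bytes: MBR, partition table, filesystem"  # not a real image
    log = CustodyLog()
    copy, h = acquire_duplicate(log, "jdoe", "HOST1-disk0.dd", IMAGE, "2003-01-25T06:00:00+00:00")
    log.record("jdoe", "ran strings over duplicate", "HOST1-disk0.dd", h, "2003-01-25T06:10:00+00:00")
    log.record("asmith", "duplicate handed to legal", "HOST1-disk0.dd", h, "2003-01-25T09:00:00+00:00")
    print("chain intact:", log.verify())
    print("duplicate unchanged:", verify_item(h, copy))
    print("patched duplicate unchanged:", verify_item(h, copy[:-1] + b"!"))
    log.entries[1]["actor"] = "mallory"  # someone rewrites history
    print("chain intact after edit:", log.verify())
```

Two design points matter here. The timestamp lives inside the hashed body, so "altering time/date stamps" is as detectable as altering the actor; and the hash chain only proves internal consistency, so the latest entry hash still needs to be written somewhere the analyst cannot edit (a printed log, a signed e-mail to legal) to stop someone regenerating the whole chain.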

27
Brave New Battles
Each new technology will bring with it new forms
of crime, demanding innovative security. That is
the dynamic which drives our modern progress not
dreams, not ideas, but the simple desire on the
part of criminals to take what is not theirs by
law, and the determination of others to keep them
from doing so.
This Alien Shore, C. S. Friedman (C) 1998
28
Summary
  • You have to plan for the worst case
  • You must pick a diverse team
  • You must practice your plan
  • You must expect to fail early