Intrusion Analysis 101 - PowerPoint PPT Presentation

Title: Intrusion Analysis 101
Slides: 28
Provided by: camdenR
Transcript and Presenter's Notes

1
Intrusion Analysis 101
  • Beth E. Binde
  • Rutgers University

2
Overview
  • Prevention
  • Detection
  • Response and Recovery

3
Prevention
  • Advice to users
  • http://netsecurity.rutgers.edu
  • Advice to departments
  • http://rusecure.rutgers.edu/
  • University Systems Scanning
  • http://infoprotect.rutgers.edu/scans/intro.htm

4
Detection
  • Notification from abuse@rutgers.edu
  • Top Talkers notification
  • Something doesn't look right.

5
First Steps
  • Plan your approach to the problem
  • Notify your management
  • Prepare to keep records and logs of activity
  • Secure and isolate the system
  • Image the system

6
Indications and Warnings
  • Services and applications
  • Load and responsiveness
  • Disk Utilization
  • Installed software
  • System event logs
  • Configuration changes

7
Windows Tools
8
Services and Applications
  • Task Manager
  • Add/Remove Programs
  • Start → Settings → Control Panel → Administrative Tools → Services
  • Vision
  • http://www.foundstone.com/
  • netstat

9
Load and responsiveness
  • Task Manager
  • View → Select Columns

10
Disk Utilization
  • My Computer → Local Disk → Properties
  • Start → Settings → Control Panel → Administrative Tools → Computer Management → Shared Folders
  • net share (command line)

11
Installed Software
  • Add/Remove Programs
  • dir /q /-c /od /ta /s > files.txt (updates the access time)

12
System Logs
  • Event Viewer
  • Start → Settings → Control Panel → Administrative Tools → Event Viewer
  • Security Logs
  • Application Logs
  • System Logs

13
Configuration Changes
  • Examine the registry
  • Regedt32.exe
  • Review Scheduled Tasks
  • Start → Settings → Control Panel → Scheduled Tasks

14
UNIX Tools
15
Services and Applications
  • ps
  • lsof
  • /etc/services, /etc/inetd.conf
  • netstat

16
Load and responsiveness
  • uptime
  • vmstat
  • iostat
  • mpstat
  • top

17
Disk Utilization
  • df
  • du
  • /etc/vfstab and /etc/mnttab

18
Installed software
  • pkginfo
  • rpm -qa
  • find (changes access time on directories)
  • find / -mtime -3 -print
  • check /dev

19
System Logs
  • /var/adm/messages
  • /var/adm/auth.log
  • Other accounting logs

20
Configuration Changes
  • /etc/shadow and /etc/passwd
  • /etc/inetd.conf
  • /etc/syslog.conf
  • Changes in startup files
  • /var/spool/cron/crontabs
  • /var/spool/cron/atjobs
  • cfengine

21
Playing with FIRE
  • Forensic and Incident Response Environment on a
    bootable CD-ROM
  • http://fire.dmzs.com/
  • Tools for Linux, Windows, Solaris

22
Response and Recovery
  • Determine causes and symptoms
  • Remove the cause of the incident
  • Restore and validate the system
  • Decide when to restore operations
  • Monitor for further problems
  • After action review
  • Report the incident
  • Keep records

23
Reporting the incident
  • Your management
  • Contact owner of attacking host

24
Reporting Contacts
  • Attack from inside Rutgers
  • abuse@rutgers.edu
  • Attack from outside Rutgers
  • http://www.geektools.com
  • http://www.abuse.net
  • http://samspade.org
  • Attack analysis
  • https://roar.rutgers.edu

25
Rutgers Online Analysis and Reporting
  • Access ROAR via http://cirt.rutgers.edu (look for the REPORTING section)
  • Access ROAR directly (outside of PowerPoint) at https://roar.rutgers.edu
  • See the ROAR web page roar.htm
  • Report intrusions
  • Provide intrusion analysis
  • Request assistance from Information Protection

26
Conclusions
  • Establish a baseline for your system
  • Analyze the cause of intrusion
  • Keep your management informed
  • Report the incident
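The "establish a baseline" advice above and the configuration-change checks on slide 20 (`/etc/passwd`, `/etc/shadow`, `/etc/inetd.conf`, `/etc/syslog.conf`, startup files, crontabs) come down to one routine: record hashes of the files you care about while the system is known good, then compare. The script below is an added example written for this page, not code from the presentation or from Rutgers; it assumes GNU coreutils `sha256sum` and a POSIX `awk`, takes a directory root as its argument, and is demonstrated on a constructed tree with hypothetical file contents.

```shell
#!/bin/sh
# Added example (not from the presentation): hash baseline of configuration
# files, plus a comparison that reports what was added, changed or removed.

# Print "sha256  ./relative/path" for every regular file below $1, sorted so
# that two snapshots of the same tree are directly comparable.
snapshot_hashes() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort \
        | while IFS= read -r f; do sha256sum "$f"; done )
}

# Compare the live tree $1 against the baseline file $2 and print one line per
# difference: ADDED, CHANGED or REMOVED followed by the relative path.
# (Paths containing whitespace are not handled; the slide's files have none.)
compare_baseline() {
    snapshot_hashes "$1" | awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline: path -> hash
        {
            if (!($2 in base))       print "ADDED " $2
            else if (base[$2] != $1) print "CHANGED " $2
            delete base[$2]
        }
        END { for (p in base) print "REMOVED " p }    # left over = gone now
    ' "$2" - | LC_ALL=C sort
}

# Constructed demonstration (hypothetical paths and contents, not real files):
# take a baseline, make the kinds of changes slide 20 says to look for, compare.
demo_baseline_diff() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/crontabs"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
    printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd\n' > "$root/etc/inetd.conf"
    printf '0 3 * * * /usr/local/bin/backup\n' > "$root/crontabs/root"
    snapshot_hashes "$root" > "$root.baseline"           # known-good baseline

    printf 'echo stream tcp nowait root internal\n' >> "$root/etc/inetd.conf"   # service added
    printf '/usr/local/bin/unexpected &\n' > "$root/etc/rc.local"              # new startup file
    rm "$root/crontabs/root"                                                     # cron job removed

    compare_baseline "$root" "$root.baseline"
    rm -rf "$root" "$root.baseline"
}

demo_baseline_diff
```

Store the baseline file somewhere the monitored host cannot write to (removable media, a separate host); a baseline kept on the compromised system can be edited along with the files it describes.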

27
Contact Information
  • Rutgers University Computing Services
  • Information Protection and Security
  • 56 Bevier Road, ASB Annex 1
  • Busch Campus
  • Voice 732-445-8011
  • FAX 732-445-8023
  • Email cirt@cirt.rutgers.edu
  • Web page http://cirt.rutgers.edu