Educause Security Discussion mailing list archives
Re: Incident Response Procedures
From: Clyde Hoadley <hoadleyc () MSCD EDU>
Date: Wed, 21 Jul 2004 14:56:57 -0600
We are probably a little bit behind the curve on this one too. I recently downloaded the "NIST Computer Security Incident Handling Guide #800-61". http://www.csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf I'm also attaching something that came across one of the lists I'm on that might be helpful - I don't remember which list it came across - I am not the author. I'm also attaching the current Worm Clean up procedure that we are using here. -- Clyde Hoadley, CISSP Security & Disaster Recovery Coordinator Department of Information Technology Metropolitan State College of Denver hoadleyc () mscd edu (MSCD business only) hoadleyc () viawest net (NON-mscd only) http://clem.mscd.edu/%7Ehoadleyc/ (303) 556-5074 Jason Brooks wrote:
We are working on formulating an Incident Response Policy and Procedure. We've scoured the net and found little that aids us in the Higher Ed sector; most are geared for business. So, not wanting to unnecessarily reinvent the wheel, we are soliciting input. Does anyone have any IRP/Procedures that they would be willing to share? Thanks, Jason Brooks Jason Brooks Information Security Technician Longwood University 201 High Street Farmville, VA 23909 (434) 395-2034 mailto:brooksje () longwood edu ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Recommendations for cleaning the Korgo worm (v1.3, 07/14/04 09:21) This procedure can also be used effectively to clean viruses and worms other than Korgo. Notify Clyde of any necessary changes. 1) Bring a CD that has the clean up tools and critical patches (both W2K and XP) on it. See James Eck. The following "Critical" patches all need to be applied. This list does not include "Moderate" or "Important" patches. MS03-041 823182 MS03-042 826232 (W2K only) MS03-043 828035 MS03-044 825119 MS03-049 828749 (W2K only) MS04-007 828028 MS04-004 832894 MS04-008 832359 (W2K only) MS04-011 835732 MS04-012 828741 MS04-013 837009 MS04-022 841873 MS04-023 840315 2) Physically disconnect the computer from the network. 3) Logon as the local Administrator 4) Disable System Restore (XP only) [you must be Administrator] ^^^ this is very important to do. a) Click Start > Programs > Accessories > Windows Explorer b) Right-click My Computer, and then click Properties. c) Click the System Restore tab. d) Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box e) Click Apply f) Click Yes to remove all restore points g) Click OK 5) Boot the computer into Safe mode - no networking. 6) Log on as the local Administrator (the utils "pslist.exe, psservices.exe and fport.exe on the CD can be used to list out running processes and services. fport.exe will list out what programs have network connections. The pskill.exe program can be used to kill off a running process. These must be run from the CMD command prompt.) 7) Run the Norton FixKorgo.exe and any other Norton clean up tools from the CD-ROM. It may be necessary to us the pslist.exe and pskill.exe tools to kill the running virus/worm before the clean up tools can repair the computer. 8) Run the McAfee stinger.exe tool from the CD-ROM 9) Install all of the patches in proper order (oldest to newest) from the CD-ROM. The following "Critical" patches all need to be applied. This list does not include "Moderate" or "Important" patches. MS03-041 823182 MS03-042 826232 (W2K only) MS03-043 828035 MS03-044 825119 MS03-049 828749 (W2K only) MS04-007 828028 MS04-004 832894 MS04-008 832359 (W2K only) MS04-011 835732 MS04-012 828741 MS04-013 837009 MS04-022 841873 MS04-023 840315 10) Reconnect the computer to the network 11) Reboot. Logon as local Administrator. 12) Insure Norton has the latest definitions and its update service is pointing to our Norton update service (CVA should get their updates directly from Norton). Insure Norton is running. 13) Run a full Norton scan of all local drives. 14) Insure that automatic update is installed, running, pointing to our SUS service (CVA should point to Microsoft). 15) Install (if not already installed) and run SpyBot spyware removal tool. 16) Insure you can visit the Symantic, McAfee, MicroSoft and MSCD web sites. (http://securityresponse.symantec.com/) (http://vil.nai.com/VIL/newly-discovered-viruses.asp) (http://www.microsoft.com/security/bulletins/default.mspx) (http://metroconnect.mscd.edu/) If NOT, verify network connectivity with "nslookup 147.153.15.11" and "ping clem.mscd.edu". If there is connectivity then check the local hosts file (W2K) "type C:\WINNT\system32\drivers\etc\hosts" (XP) "type C:\WINDOWS\system32\drivers\etc\host" It should only contain "127.0.0.1 localhost" and nothing else. Use notepad to remove anything else. Reboot and re-test the above URL's ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Metaphorical discussion aside, maybe it would be more productive to start with a basic incident response methodology and kick it around a little bit. I have one that I have used - it is for Windows only, and its pretty basic, but maybe it's a starting point. I'll also say that it only lists the basic data collection steps, and nothing about how to actually anaylze the data - I assume that a trained IR engineer will be doing the work. At risk of some putz flaming or otherwise criticizing me, I'll go ahead and post it. At least if everyone who said "help me! help me!" on the list submitted the data collected below, it would be easier for people to respond. Disclaimer: Use at your own risk, no warranty expressed or implied, IANAL (I Am Not A Laywer), this is not the best methodology in the world, and is only a starting point, etc. etc. etc. There are better tools out there, and this doesn't really take into account crafty rootkits, but in my experience, most so called "hacks" aren't much more than pubstros and IRC/FTP servers. Also, note that this assumes you have already made a bootable forensic CD with all the software, as well as "known safe" command interpreters, etc. Mark Lachniet --------8<------------- Phase I - Preparation (Update forensics toolkit) 1) Download updated virus signatures for F-prot at http://www.datafellows.com/download-purchase/updates_manual.shtml#dos 2) Download updated versions of Anti-trojan at http://www.anti-trojan.net/en/download.aspx 3) Burn a CD-R version of the Forensics CD and label it with date it was created 4) Obtain as much information as possible ahead of time from the victim including: a. Detailed information about the event (email threads, logs, screen captures, etc.) b. Target system information (IP Address, operating system, patch level, hardware) c. Target system utilization (is it a running server? Can it be taken down? Who uses the system, and how can they be contacted?) d. Target network configuration (network maps, IP plans) e. Target network logging sources (operating system, routers, firewalls, IDS, etc.) f. Detailed contact information (phone numbers, cell/pager numbers, email addresses, etc.) g. Obtain administrator passwords, others as needed to access the target systems h. If possible, perform a vulnerability assessment on the host ahead of time i. Do research, as needed, to prepare for the analysis j. Obtain at least ten (10) blank, formatted, unused floppy disks k. Obtain at least one pad of paper, pens, etc. 5) Read RFC 3277 "Guidelines for Evidence Collection and Archiving" 6) Discuss the situation and goals of the analysis with the target's administrative staff a. Advise the client that you cannot provide legal advice of any kind, and that they may wish to involve their legal counsel if they feel it is appropriate b. What is the server used for? c. What is the criticality of the data on the server? d. What is the criticality of data not on the server, but in the environment (other servers with critical data that could also be hacked) e. When was the problem discovered? Who discovered it? f. What has been done since that time? g. What type of system backups exist? What program were they created with? Have they been tested? How far back do the backups go? h. What is the ideal outcome of this process? Prosecution? Concerns with internal employees? Stopping further attacks? i. Discuss issues of data preservation (i.e., there are two ways to approach the analysis - with a foot print or without. With a foot print has a chance of altering critical evidence, but is less expensive and can be used on production servers. Without foot print means imaging the disk and working with a forensic disk analysis tool which is outside of the scope of this service) j. If legal recourse is strongly desired, discuss with the client the need for an additional set of eyes (and intials) during the process. If desired, the client will need to sit with the forensic analyst at all times, and "sign off" on each task that was performed, as it was performed. k. Discuss how the incident will be treated with other employees - is the analysis a "secret" or is it openly known? l. Record the highlights of all information discussed with the customer in steps a-j, and re-state them to the client to confirm that you are in agreement Phase II - Data Collection (Manual Analysis on running server) 1) Perform an external vulnerability assessment a. Full port scan, identify all running services b. Perform google searches on the DNS name and IP address c. Also check black-list and open proxy lists for IP address 2) Prepare for analysis of volatile information (Floppy Disk analysis) a. Insert the CD-ROM in the CD-ROM drive b. Label a floppy disk with the customer name, date, computer name, IP address, your name, and the title "Disc#1". Repeat this labeling format for subsequent discs (#2, #3, etc.) c. Insert the floppy disk in the floppy drive (if possible, otherwise run these steps to a shared directory on your laptop) d. Using paper and pen, start your activity log. Title the first page with the same information as the floppy disc (customer name, date, computer name, IP address, your name). Also create the following columns: Date/Time Description Initials Use this format to record the work that you perform. If the customer has 3) Perform the analysis of volatile information (Floppy Disk analysis) a. Run the appropriate command interpreter on the CD-ROM. For Windows 2000 and 4.0 servers, this will be in 'X:\cmd2k' and on Windows 98 will be 'X:\cmd98\command.com' b. Capture the date and time of the system i. date /t > a:\datetime.txt ii. time /t >> a:\datetime.txt c. Record the date and time of the computer, as well as the "real" date and time (a reliable clock, etc) in your written notes. Note the time delta between system time and "real" time. Also note the time zone where the analysis is taking place. d. Capture information about running processes using pslist: i. d:\pstools\pslist -t > a:\pslistt.txt ii. d:\pstools\pslist -x > a:\pslistx.txt e. Capture information about logged on users using psloggedon: i. d:\pstools\psloggedon > a:\psloggedon.txt f. Capture netstat information using netstatp: i. d:\netstatp\release\netstatp -a -n > a:\netstatp.txt g. Capture listening ports to program mappings with fportng i. d:\fportng\fport > a:\fport.txt h. Capture open file handles, first in brief, then in full (compressed) i. d:\handle\handle > a:\handle.txt ii. d:\handle\handle -a | d:\unix\gzip > a:\handle-all.gz i. Capture file system MAC times: i. Insert a new, blank floppy disk ii. d:\perl\perl.exe \sfile\sfile.pl -d c:\ | \unix\gzip > a:\sfile.gz j. Capture AT (command scheduler) information i. at > a:\at.txt k. Capture NBTstat information: i. nbtstat -c > a:\nbtstat.txt l. Capture 'net' information: i. echo Net Accounts: > a:\net.txt ii. net accounts >> a:\net.txt iii. echo Net File: >> a:\net.txt iv. net file >> a:\net.txt v. echo Net Session: >> a:\net.txt vi. net session >> a:\net.txt vii. echo Net Share: >> a:\net.txt viii. net share >> a:\net.txt ix. echo Net Start: >> a:\net.txt x. net start >> a:\net.txt xi. echo Net Use: >> a:\net.txt xii. net use >> a:\net.txt xiii. echo Net User: >> a:\net.txt xiv. net user >> a:\net.txt xv. echo Net View: >> a:\net.txt xvi. net view >> a:\net.txt m. Create MD5 hashes of operating system files: i. C: ii. Cdiii. Echo **** C:\ **** > a:\md5.txt iv. D:\ircr\md5sum *.* >> a:\md5.txt v. Echo **** C:\WINNT **** >> a:\md5.txt vi. Cd\winntvii. D:\ircr\md5sum *.* >> a:\md5.txt viii. Echo **** C:\WINNT\SYSTEM **** >> a:\md5.txt ix. Cd\winnt\system x. D:\ircr\md5sum *.* >> a:\md5.txt xi. Echo **** C:\WINNT\SYSTEM32 **** >> a:\md5.txt xii. Cd\winnt\system32 xiii. D:\ircr\md5sum *.* >> a:\md5.txt 4) Back up large files (Network) a. Create a data directory on your hard drive i. mkdir c:\data b. Map a network drive FROM the laptop TO the target server's C: i. net use o: \\<<ipaddress>>\c$ /user:administrator * c. Copy IIS logs to your laptop: i. xcopy o:\winnt\system32\LogFiles\*.* c:\data /s/e/v d. Copy Windows Event logs to your laptop*: i. xcopy o:\winnt\system32\config\*.evt c:\data /s/e/v e. Copy any suspicious materials to your laptop. Items to consider may include the contents of FTP directories, HTML files, log files, suspicious application software, etc. 5) Scan the target for viruses and Trojans (if possible, boot to boot CD to do this) a. Run F-Prot from the CD-ROM drive: i. d:\f-prot\f-prot /hard > a:\fprot.txt b. Install and run Anti-Trojan on the investigator's laptop i. Ensure that the "Remove found Trojans" check box is UN-checked ii. Run a "filescan" scan of the mapped O: drive 6) Identify and analyze other sources of information, including e-mail, firewalls, routers, switches, etc. to locate additional information about the event 7) Run 'dumpreg' to dump the Windows Registry to disk (optional - to find installed software by date of registry entry) 8) Run 'filemon' to monitor ongoing file accesses (optional - if you believe the system is actively being used by hackers, or want to track suspicious system activity) 9) Run 'regmon' to monitor ongoing registry accesses (optional - if you believe the system is actively being used by hackers, or want to track suspicious system activity) 10) Run 'tdimon' to monitor ongoing TCP/IP activity (optional - if you want to track TCP/IP activity by process) Phase III - Data Analysis 1) Analyze collected data (TBD) 2) Additional follow-up as needed Phase IV - Author and Deliver Report 1) Using provided template, author an incident response report 2) Present the report to the client 3) Discuss findings, limitations, next steps ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Incident Response Procedures Jason Brooks (Jul 21)
- <Possible follow-ups>
- Re: Incident Response Procedures Theresa Semmens (Jul 21)
- Re: Incident Response Procedures Steve Schuster (Jul 21)
- Re: Incident Response Procedures Clyde Hoadley (Jul 21)
- Re: Incident Response Procedures Eric Pancer (Jul 21)
- Re: Incident Response Procedures Tim Howard (Jul 21)
- Re: Incident Response Procedures Melissa Guenther (Jul 21)
- Re: Incident Response Procedures Julia Allen (Jul 22)