Unit 12

Intrusion Detection and Recovery
Objectives

Upon completion of this unit, you should be able to:
  • Describe intrusion risks
  • Develop a security policy
  • Investigate and document intrusions
  • Recover from intrusions
Intrusion Risks

  • System downtime
  • Theft of data
  • Modification or destruction of data
  • Installation of hostile software
  • Bad publicity and financial impacts
Security Policy

  • Your organization should have a policy on
    • Detection of possible intrusions
    • Verification and investigation of intrusions
    • Recovery from intrusions
    • Reporting of intrusions
    • Documentation of the policy's execution
  • The policy should be developed with the support of management and legal counsel
Detecting Possible Intrusions

  • Regular monitoring of...
    • Log files
    • Network traffic
    • Open ports
    • Modified files
Detecting Possible Intrusions (Continued)

  • Monitoring log files
    • Systems should log to local files and to a dedicated remote host
    • Logs should be analyzed on at least a daily basis using logwatch
    • Logwatch results should be delivered to a separate system
    • Look for signs of subverted services
Monitoring Network Traffic

  • Intrusion Detection Systems
  • Use iptables rules to log suspicious access attempts
  • Use tools like tcpdump and wireshark to capture and store suspicious traffic
  • Implement a honeypot
Monitoring Open Ports

  • netstat (from the local system)
    • Show listening daemons: $ netstat -tulpn
    • Show active connections: $ netstat -tupn
  • nmap (from a remote system)
    • Make sure you are authorized to scan first!
    • Scan a host: $ nmap -P0 server1.example.com
    • Scan a subnet: $ nmap -sV 192.168.0.0/24
    • GUI front-end: nmapfe
Detecting Modified Files

  • md5sum
    • Compare to listings at rhn.redhat.com
    • Fingerprints can be stored in a file for later comparison
  • cmp
    • Byte-by-byte comparison of two files
    • Slower than md5sum, but harder to fool
    • Must have known-good version of file available
  • prelink modifies ELF shared libraries and ELF dynamically linked binaries, so their fingerprints change even when the files have not been tampered with
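As an added example (not part of the original slides), the following shell script implements the "store fingerprints in a file for later comparison" approach from this slide and the "files compared to a known baseline" check later in the unit: it records md5sum output for a file tree as a baseline and later reports modified, missing and new files against it. It assumes a Linux system with GNU coreutils/findutils; the function names are this example's own.

```shell
# Added example, not part of the original slides: store md5 fingerprints of a
# file tree in a baseline file, then compare the live tree against it.
# Assumes GNU coreutils/findutils (md5sum, find -print0, sort -z, mktemp);
# the function names below are this example's own.

# fingerprint_tree DIR: print "md5  ./relative/path" for every regular file,
# sorted so two listings of the same tree are directly comparable.
fingerprint_tree() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 md5sum )
}

# compare_baseline DIR BASELINE: print one MODIFIED/MISSING/NEW line per
# difference; exit 0 if the tree matches the baseline, 1 otherwise.
compare_baseline() {
    cur=$(mktemp); rep=$(mktemp)
    fingerprint_tree "$1" > "$cur"
    # md5sum lines are 32 hex chars, two spaces, then the path (spaces allowed)
    awk '{ h = substr($0, 1, 32); p = substr($0, 35) }
         FILENAME == ARGV[1] { base[p] = h; next }
         { cur[p] = h }
         END {
             for (p in base)
                 if (!(p in cur))            print "MISSING  " p
                 else if (base[p] != cur[p]) print "MODIFIED " p
             for (p in cur)
                 if (!(p in base))           print "NEW      " p
         }' "$2" "$cur" | LC_ALL=C sort > "$rep"
    cat "$rep"
    if [ -s "$rep" ]; then rc=1; else rc=0; fi
    rm -f "$cur" "$rep"
    return $rc
}

# demo: build a small constructed tree, record its baseline, then tamper with
# it (replace a binary, add a file, delete a file) and run the comparison.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/tree/etc" "$root/tree/bin"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/tree/etc/passwd"
    printf '#!/bin/sh\necho ls\n' > "$root/tree/bin/ls"
    printf 'Welcome\n' > "$root/tree/etc/motd"
    fingerprint_tree "$root/tree" > "$root/baseline.md5"      # known-good state
    printf '#!/bin/sh\necho tampered\n' > "$root/tree/bin/ls"  # replaced binary
    printf '/lib/unexpected.so\n' > "$root/tree/etc/ld.so.preload"  # new file
    rm "$root/tree/etc/motd"                                   # deleted file
    rc=0; compare_baseline "$root/tree" "$root/baseline.md5" || rc=$?
    rm -rf "$root"
    return $rc
}
```

Keep the baseline file itself on a separate, trusted system (or read-only media): a baseline stored on the monitored host can be rewritten by whoever altered the files.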
Detecting Modified Files (Continued)

  • aide
    • File integrity checker
    • Highly configurable catalog of file properties
    • Shipped with Red Hat Enterprise Linux version 5
  • rpm
    • Keep a backup database as a baseline
      • # rpm -V package
      • # rpm -Vf /path/to/file
      • # rpm -Va
Investigating and Verifying Detected Intrusions

  • Work from a secure environment
    • Rescue mode
    • Using a trusted system
    • Linux-on-CD custom distributions
  • Image suspect block devices for analysis
  • Perform file integrity checks
Creating a Disk Image

  • Create a copy to study, do not use the original evidence
    • Do this from a trusted rescue environment!
    • $ dd if=/dev/sdb1 of=/evidence/sdb1.img conv=noerror,sync
  • Partition images can be mounted for analysis
    • $ mount -o loop sdb1.img /mnt/victim-sdb1/
  • Whole disk images can be used to duplicate a system for study
Detecting and Defeating Backdoors

  • Strict inbound and outbound firewall rules
  • Regular checks of listening ports and files compared to a known baseline
  • Network traffic monitoring and recording with tools like tcpdump or Snort
  • Monitoring open files with lsof and fuser
Detecting and Defeating Root Kits

  • Regular checks of log files and network traffic for suspicious activity
  • Regular checks for promiscuous network interfaces
  • Test system binaries on a trusted system
  • Break automated root kit installs
  • Root kit detectors
Detecting and Defeating Root Kits (Continued)

  • Special considerations for loadable kernel module (“LKM”) root kits
    • Can subvert processes without altering files
    • Can hide processes, services, and files from local tools
  • Defenses against LKM root kits
    • Investigate from a trusted environment
    • Use root kit detection tools
    • Use a static kernel (not recommended)
Recovering from an Intrusion

  • Restore from a known-good backup
    • Do not attempt to repair the compromised system!
  • Monitor the system for further attacks
    • The attacker may attempt to regain access
    • The attacker may succeed in regaining access
Reporting and Documenting the Intrusion

  • How and when the intrusion was detected
  • What actions were taken by whom
  • What the nature of the intrusion was
  • What was done to recover from the intrusion
    • Were policy changes needed?
    • Could a similar intrusion be detected in the future?
  • Notification of law enforcement if necessary
    • What evidence was gathered?
End of Unit 12

  • Questions and Answers
  • Summary
    • Intrusion risks
    • Developing a security policy
    • Investigating and documenting intrusions
    • Recovering from intrusions