Unit 12
|
Intrusion Detection and Recovery
|
Objectives
Upon completion of this unit, you should understand:
- Intrusion risks
- Developing a security policy
- Investigating and documenting intrusions
- Recovering from intrusions
|
Intrusion Risks
- System downtime
- Theft of data
- Modification or destruction of data
- Installation of hostile software
- Bad publicity and financial impacts
|
Security Policy
- Your organization should have a policy on
- Detection of possible intrusions
- Verification and investigation of intrusions
- Recovery from intrusions
- Reporting of intrusions
- Documentation of the policy's execution
- The policy should be developed with the support of management and legal counsel
|
Detecting Possible Intrusions
- Regular monitoring of...
- Log files
- Network traffic
- Open ports
- Modified files
|
Detecting Possible Intrusions (Continued)
- Monitoring log files
- Systems should log to local files and to a dedicated remote log host, so that a copy survives if the local logs are altered or deleted
- Logs should be analyzed at least daily, using a tool such as logwatch
- Logwatch results should be delivered to a separate system (for example, mailed to an administrator on another host), so that an intruder who controls the monitored system cannot suppress the report
- Look for signs of subverted services: unexpected restarts, bursts of authentication failures, gaps in the logs, or services that have stopped logging altogether
|
Monitoring Network Traffic
- Intrusion Detection Systems such as Snort
- Use iptables rules (the LOG target) to log suspicious access attempts
- Use tools like tcpdump and wireshark to capture and store suspicious traffic for later analysis
- Implement a honeypot to observe attacker behaviour away from production systems
|
Monitoring Open Ports
- netstat (from the local system)
- Show listening daemons: # netstat -tulpn
- Show active connections: # netstat -tupn
- Run as root: the -p column (owning PID/program name) is only filled in for processes you own, and a listening port is hard to judge without knowing which process holds it
- nmap (from a remote system)
- Make sure you are authorized to scan first!
- Scan a host: $ nmap -P0 server1.example.com
- -P0 skips the ping probe and scans even if the host does not answer ICMP (newer nmap releases spell this -Pn)
- Scan a subnet with service/version detection: $ nmap -sV 192.168.0.0/24
- Compare what the network sees with what netstat shows locally: a port that answers from outside but is invisible to local tools points at something hiding it
- GUI front-end: nmapfe (later replaced by zenmap)
|
Detecting Modified Files
- md5sum
- Compare to listings at rhn.redhat.com
- Fingerprints can be stored in a file for later comparison (md5sum -c re-checks a tree against such a file)
- cmp
- Byte-by-byte comparison of two files
- Slower than md5sum, but harder to fool, since no checksum collision can hide a change
- Must have a known-good version of the file available
- prelink modifies ELF shared libraries and ELF dynamically linked binaries after installation, so their checksums legitimately differ from those of the packaged files; compare the un-prelinked contents (prelink -y file prints them) or use a prelink-aware tool such as rpm -V before treating such a file as tampered
|
Detecting Modified Files (Continued)
- aide
- File integrity checker
- Highly configurable catalog of file properties (permissions, ownership, size, timestamps, several hashes)
- Shipped with Red Hat Enterprise Linux version 5
- Initialize the database on a clean system and keep it (and the aide binary) on read-only or off-host storage; a database left on the monitored host can simply be regenerated by the intruder
- rpm
- Keep a backup copy of the RPM database (/var/lib/rpm) as a baseline, since the live one can be edited by an intruder
- # rpm -V package
- # rpm -Vf /path/to/file
- # rpm -Va
- Each output line flags what differs: S size, M mode, 5 MD5 checksum, D device, L symlink, U user, G group, T mtime; configuration files (marked c) commonly differ, binaries should not
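The "store the fingerprints in a file for later comparison" workflow from the previous slide, as an added example that is not part of the original slides. It builds an md5sum baseline of a directory tree and later reports files that changed, vanished, or newly appeared. The directory layout and the "trojaned ps" in demo() are constructed for the demonstration; in real use the baseline is taken right after installation and kept on read-only media or another host, and the check is run from a trusted environment with a known-good md5sum binary.

```shell
#!/bin/sh
# Added example (not from the original slides): md5sum baseline and check.
# Paths below are constructed for the demo.

# Record one "hash  path" line per regular file below $1 into the file $2.
make_baseline() {
    dir="$1"; out="$2"
    find "$dir" -type f -exec md5sum {} + | LC_ALL=C sort -k 2 > "$out"
}

# Report files that changed or vanished (md5sum -c re-hashes every path in
# the baseline; --quiet hides the OK lines and the summary goes to stderr)
# and files that exist now but were never fingerprinted, e.g. a dropped
# backdoor binary. Returns 0 only when nothing differs.
check_baseline() {
    dir="$1"; base="$2"
    changed=$(md5sum -c --quiet "$base" 2>/dev/null | sed 's/^/CHANGED: /')
    known=$(mktemp)
    # strip the hash and two separator spaces to get the fingerprinted paths
    sed 's/^[0-9a-f]\{32\}  //' "$base" | LC_ALL=C sort > "$known"
    new=$(find "$dir" -type f | LC_ALL=C sort | LC_ALL=C comm -13 "$known" - | sed 's/^/NEW: /')
    rm -f "$known"
    [ -n "$changed" ] && printf '%s\n' "$changed"
    [ -n "$new" ] && printf '%s\n' "$new"
    [ -z "$changed$new" ]
}

# Constructed scenario: fingerprint a fake /bin, then "intrude" by replacing
# ps and dropping a hidden file, and run the check against the baseline.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    printf 'original ls\n' > "$work/bin/ls"
    printf 'original ps\n' > "$work/bin/ps"
    make_baseline "$work/bin" "$work/baseline.md5"
    printf 'trojaned ps\n' > "$work/bin/ps"      # modified binary
    printf 'bindshell\n' > "$work/bin/.sshd"     # new, unexpected file
    status=0
    check_baseline "$work/bin" "$work/baseline.md5" || status=$?
    rm -rf "$work"
    printf 'status=%s\n' "$status"
}

demo
```

The check prints one CHANGED line for the replaced ps, one NEW line for the dropped file, and nothing for the untouched ls; the non-zero return status makes it usable from cron. A file that is missing from the tree shows up as "FAILED open or read" on its CHANGED line.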
|
Investigating and Verifying Detected Intrusions
- Work from a secure environment
- Rescue mode
- Using a trusted system
- Custom Linux-on-CD distributions, which supply known-good tools that the compromised system cannot have altered
- Image suspect block devices for analysis, and work on the image rather than the device
- Perform file integrity checks
|
Creating a Disk Image
- Create a copy to study, do not work on the original evidence
- Do this from a trusted rescue environment!
- # dd if=/dev/sdb1 of=/evidence/sdb1.img conv=noerror,sync
- conv=noerror,sync keeps going past unreadable blocks and pads them with zeros, so the image keeps the device's size; checksum both the device and the image afterwards so the copy can be shown to match
- Partition images can be mounted read-only for analysis
- # mount -o loop,ro sdb1.img /mnt/victim-sdb1/
- Mount read-only so the analysis itself does not write to the image, and keep the checksummed original unmounted; work on a second copy
- Whole disk images can be used to duplicate a system for study
|
Detecting and Defeating Backdoors
- Strict inbound and outbound firewall rules
- Regular checks of listening ports and files compared to a known baseline
- Network traffic monitoring and recording with tools like tcpdump or Snort
- Monitoring open files with lsof and fuser
|
Detecting and Defeating Root Kits
- Regular checks of log files and network traffic for suspicious activity
- Regular checks for promiscuous network interfaces (the PROMISC flag in ifconfig or ip link output), which usually indicate a sniffer; legitimate capture tools such as tcpdump set it too, so confirm what process is responsible
- Test system binaries on a trusted system: copy suspect binaries off the host and compare them with known-good copies there, since the tools on the compromised host may lie
- Break automated root kit installs: scripted installers assume default paths, a compiler and standard tools, so removing or relocating these makes many of them fail
- Root kit detectors such as chkrootkit and rkhunter (run them from trusted media, and remember they only recognize the kits they were written for)
|
Detecting and Defeating Root Kits (Continued)
- Special considerations for loadable kernel module (“LKM”) root kits
- Can subvert processes without altering files on disk, by hooking system calls in the running kernel
- Can hide processes, services, and files from local tools
- Defenses against LKM root kits
- Investigate from a trusted environment (boot trusted media; a running kernel cannot be trusted to report its own state)
- Cross-check views that a kit must falsify separately: ps output against /proc, local netstat output against an external nmap scan
- Use root kit detection tools
- Use a static kernel with module loading disabled (not recommended: it costs the hardware flexibility modules provide and does not stop code injection through /dev/kmem)
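Two of the cheap cross-checks mentioned on the root kit slides, as an added example that is not part of the original slides: comparing the PIDs visible as /proc/<pid> directories with the PIDs ps reports (an LKM kit that filters ps, or the directory listing ps relies on, typically leaves a gap), and testing the IFF_PROMISC bit (0x100, as defined in <linux/if.h>) in the flags word that /sys/class/net/<iface>/flags exposes. The PID lists in demo() are constructed; live_hidden_pids() and promisc_ifaces() read the running system and are only meaningful when run from a trusted environment, since a kit can equally hide /proc entries from the shell.

```shell
#!/bin/sh
# Added example (not from the original slides): hidden-process and
# promiscuous-interface checks. demo() uses constructed PID lists.

# $1 and $2 are whitespace-separated PID lists; print PIDs present in $1 but
# absent from $2, one per line. Returns 1 if any were found, 0 otherwise.
hidden_pids() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | grep -x '[0-9][0-9]*' | LC_ALL=C sort -u > "$a"
    printf '%s\n' "$2" | tr -s ' \t' '\n\n' | grep -x '[0-9][0-9]*' | LC_ALL=C sort -u > "$b"
    found=$(LC_ALL=C comm -23 "$a" "$b")
    rm -f "$a" "$b"
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Live check. /proc is listed with a shell glob (no external binary, nothing
# for a trojaned ls to filter) before ps runs, so a process that exits in
# between shows up as a false positive rather than being missed. Rerun a
# few times and investigate only PIDs that stay hidden, for example with
# ls -l /proc/<pid>/exe and cat /proc/<pid>/cmdline.
live_hidden_pids() {
    procs=$(for d in /proc/[0-9]*; do echo "${d#/proc/}"; done)
    hidden_pids "$procs" "$(ps -eo pid=)"
}

# $1 is a flags word as read from /sys/class/net/<iface>/flags (hex, e.g.
# 0x1103). Returns 0 when IFF_PROMISC (0x100) is set.
is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Print the name of every interface currently in promiscuous mode.
promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if is_promisc "$(cat "$f")"; then
            d=${f%/flags}; echo "${d##*/}"
        fi
    done
}

# Constructed scenario: /proc shows PID 4242 but ps does not report it.
demo() {
    status=0
    hidden_pids "1 2 100 4242 5000" "1 2 100 5000" || status=$?
    printf 'status=%s\n' "$status"
}

demo
```

A PID that is in /proc but missing from ps on repeated runs, whose /proc/<pid>/exe points at a deleted or unexpected file, is worth pulling the disk for; a promiscuous interface with no capture tool of your own running is the classic sign of a sniffer installed alongside the kit.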
|
Recovering from an Intrusion
- Reinstall from trusted media and restore data from a backup known to predate the compromise
- Do not attempt to repair the compromised system! A root kit can leave back doors that no cleanup will reliably find
- Close the hole that was used (patch, configuration change) before the system goes back on the network
- Monitor the system for further attacks
- The attacker may attempt to regain access
- The attacker may succeed in regaining access
|
Reporting and Documenting the Intrusion
- How and when the intrusion was detected
- What actions were taken by whom
- What the nature of the intrusion was
- What was done to recover from the intrusion
- Were policy changes needed?
- Can you detect similar future intrusions like this?
- Notification of law enforcement if necessary
- What evidence was gathered?
|
End of Unit 12
- Questions and Answers
- Summary
- Intrusion risks
- Developing a security policy
- Investigating and documenting intrusions
- Recovering from intrusions
|
Reposted from: https://blog.51cto.com/mangodata/575848