Overview of UTSA's IS-6353 Incident Response Course

Introduction to the IS-6353 Incident Response course at UTSA covering topics such as course administration, information assurance, incident response, intrusion detection, and more. The course includes details on the schedule, grading criteria, required textbooks, and notable SQL injection breaches in recent years. Students are encouraged to email the instructor for further details.

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

• UTSA
• Incident Response
• Information Assurance
• Intrusion Detection
• Cybersecurity

elestren Follow

Uploaded on Apr 03, 2024 | 4 Views

Presentation Transcript

1. Lesson 1 IS-6353 Course Introduction

2. Overview Course Administrivia Info Assurance Review Incident Response UTSA IS 6353 Incident Response

3. IS6353 Intrusion Detection and Incident Response 6:00-7:50 PM T/TH Robert Kaufman Background Contact information Syllabus and Class Schedule Student Background Information Email to robert.kaufman@utsa.edu UTSA IS 6353 Incident Response

4. Student Information Send an email to me with: Name Reliable email address Email to: robkaufmaniii@sbcglobal.net UTSA IS 6353 Incident Response

5. Text Books Course Text: Incident Response and Computer Forensics McGraw Hill Publishing, 2014. ISBN 978-0071798686 Additional References: Principles of Computer Security, Conklin, White, Cothren, Williams, and Davis Hacking Exposed, by McClure, Scambray, Kurtz Cyber crime Investigator s Field Guide, by Bruce Middleton UTSA IS 6353 Incident Response

6. Grading Grades 2 Tests Final (maybe) 1 Paper 5 Labs UTSA IS 6353 Incident Response

7. 7

8. Mandiant APT 1 2006 2007 2008 2009 2010 2011 2012 Information Information Technology Transportation High Tech Electronics Financial Services Navigation Legal Services Engineering Services Media, Advertising, & Entertainment Food and Agriculture Satellites & Telecommunications Chemicals Energy International Organizations Scientific Research and Consulting Public Adminstration Construction & Manufacturing 8

9. Noteable SQL Injection Breaches Fed Resv 4000 Fed Gov t 100,000 2013 LivingSocial 50,000,000 FBI/NASA 1,600,000 Gamingo 11,000,000Ingenicard Target? 70,000,000 LinkedIn 6,500,000 $9,000,000 2012 Domino s Pizza 37,000 Sony Playstation 7,000,000 GlobalPayments $92,000,000 Sony Pictures 1,000,000 Adobe 150,000 VISA (Jordan) 800,000 2011 Diner s Club 500,000 Yahoo 450,000 $254M loss 2010 Heartland 130,000,000 Dexia Bank 1,700,000 2009 Hannaford 4,200,000 2007 TJX $455M loss 47,000,000 Source: http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/ Source: codecurmudgeon.com/wp/sql-injection-hall-of-shame 9

10. Notable Recent Activity SONY Hack Anthem Medical Data $1B Worldwide Bank Heist Target Heartland Systems (aka TJ Max Credit Cards) Traffic reroutes (Russia Venom--for virtualized environment neglected operations manipulation, shatters myth of cloud security WannaCry Ransomware China, China Belarus)

11. A Sampling of Malicious Activity March 1999 - EBay gets hacked March 1999 - Melissa virus hits Internet April 1999 - Chernobyl Virus hits May 1999 - Hackers shut down web sites of FBI, Senate, and DOE June 1999 - Worm.Explore.Zip virus hits July 1999 - Cult of the Dead Cow (CDC) releases Back Orifice Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites Oct 1999 - Teenage hacker admits to breaking into AOL

12. A Sampling of Malicious Activity Nov 1999 - BubbleBoy virus hits Dec 1999 - Babylonia virus spreads Feb 2000 - Several sites experience DOS attacks Feb 2000 - Alaska Airlines site hacked May 2000 - Love Bug virus ravages net July 2001 Code Red Runs Rampant Sept 2001 Nimda Explodes

13. A Sampling of Malicious Activity Jan 2003 Sapphire/Slammer Worm Aug 2003 Blaster (LoveSan) Worm Jan 2004 MyDoom Mar 2004 Witty Worm May 2004 Sasser Worm Dec 2006 TJX Credit/Debit Card Theft Jan 2007 Storm Worm Mar 2009 - Conficker June 2010 - Stuxnet http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms

14. Spread of Slammer25 Jan 05:29 UTC https://www.caida.org/publications/papers/2003/sapphire/sapphire.htmlS 6353 Incident Response

15. Spread of Slammer25 Jan 06:00 UTC UTSA IS 6353 Incident Response

16. CSI Survey: Average Loss Ref: 2008 CSI Survey UTSA IS 6353 Incident Response

17. Current Landscape Q1 2018 BY THE NUMBERS Botnets 1.8 active botnets per firm (0%) -- 2.8% saw 10 botnets (-1%) 58% of botnet infections last 1 day 5% of botnet infections last >1 week Exploits 6,623 unique detections (+11%) 238 detections per firm (-13%) 73% saw severe exploits (+1%) <1% recorded ICS-related exploits Malware 15,071 unique variants (-15%) 3,078 different families (-2%) 3 variants spread to 1/10 firms (-67%) 28% saw cryptojacking malware (+15%) Ref: Fortinet Q1 CY18 Trend Report UTSA IS 6353 Incident Response

18. Early DISA Vulnerabilty Assessment Program Results P R O T E C T I O N D E T E C T I O N R E A C T I O N 267 24,700 Succeed Reported 38,000 Attacks 721 Not Reported 988 23,712 Undetected Detected 13,300 Blocked UTSA IS 6353 Incident Response

19. Computer Security The Prevention and/or detection of unauthorized actions by users of a computer system. In the beginning, this meant ensuring privacy on shared systems. Today, interesting aspect of security is in enabling different access levels. UTSA IS 6353 Incident Response

20. What are our goals in Security? The CIA of security Confidentiality Integrity Data integrity Software Integrity Availability Accessible and usable on demand (authentication) (nonrepudiation) UTSA IS 6353 Incident Response

21. The root of the problem Most security problems can be grouped into one of the following categories: Network and host misconfigurations Lack of qualified people in the field Operating system and application flaws Deficiencies in vendor quality assurance efforts Lack of qualified people in the field Lack of understanding of/concern for security UTSA IS 6353 Incident Response

22. Computer Security Operational Model Protection = Prevention + (Detection + Response) Access Controls Encryption Firewalls Intrusion Detection Incident Handling UTSA IS 6353 Incident Response

23. Proactive vs- Reactive Models Most organizations only react to security threats, and, often times, those reactions come after the damage has already been done. The key to a successful information security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you. UTSA IS 6353 Incident Response

24. So What Happens When Computer Security Fails? Incident Response Methodology--7 Step Process Preparation: Proactive Computer Security Detection of Incidents Initial Response Formulate Response Strategy Investigate the Incident Reporting Resolution UTSA IS 6353 Incident Response

25. 7 Components of Incident Response Investigate the Incident Formulate Response Strategy Detection of Incidents Pre-Incident Preparation Data Data Analysis Initial Response Reporting Collection Resolution Recovery Implement Security Measures UTSA IS 6353 Incident Response Page 15, Fig 2-1, Mandia 2nd Edition

26. Resources in the Fight SANS CERT CC FIRST CERIAS NIST CIAS UTSA IS 6353 Incident Response

27. SANS System Administration, Networking, and Security (SANS) Institute Global Incident Analysis Center Security Alerts, Updates, & Education NewsBites, Security Digest, Windows Digest Certification http://www.sans.org/ UTSA IS 6353 Incident Response

28. Carnegie Mellon CERT CC Computer Emergency Response Team Coordination Center Started by DARPA Alerts & Response Services Training and CERT Standup Clearing House http://www.cert.org UTSA IS 6353 Incident Response

29. FIRST Forum of Incident Response and Security Teams Established 1988 Govt & Private Sector Membership Over 70 Members Coordinate Global Response http://www.first.org UTSA IS 6353 Incident Response

30. CERIAS Center for Education and Research in Information Assurance and Security Home of Gene Spafford A "University Center" InfoSec Research & Education Members: Academia, Govt, & Industry http://www.cerias.purdue.edu/coast/) UTSA IS 6353 Incident Response

31. NIST National Institute of Science and Technology (NIST) Operares Computer Security Resource Clearinghouse (CSRC) Raising Awarenss Multiple Disciplines Main Source of Fed Govt Standards http://csrc.ncsl.nist.gov/ UTSA IS 6353 Incident Response

32. CIAS UTSA s Center for Infrastructure Assurance and Security (CIAS) Multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security. National Cyber Exercises Cyber Security Training Cyber Competitions http://www.utsa.edu/cias/ UTSA IS 6353 Incident Response

33. How Many Vulnerabilities Are Out There Lets See What the CERT CMU Says. http://www.cert.org/ U.S. CERT https://www.us-cert.gov/ UTSA IS 6353 Incident Response

34. History Lesson The Art of War, Sun Tzu Lesson for you Know the enemy Know yourself and in a 100 battles you will never be defeated If ignorant both of your enemy and of yourself you are certain in every battle to be in peril UTSA IS 6353 Incident Response

35. History Lesson The Art of War, Sun Tzu Lesson for the Hacker Probe him and learn where his strength is abundant and where deficient To subdue the enemy without fighting is the acme of skill One able to gain victory by modifying his tactics IAW with enemy situation may be said to be divine UTSA IS 6353 Incident Response

36. Hacker Attacks Intent is for you to know your enemy Not intended to make you a hacker Need to know defensive techniques Need to know where to start recovery process Need to assess extent of investigative environment UTSA IS 6353 Incident Response

37. Anatomy of a Hack FOOTPRINTING SCANNING ENUMERATION ESCALATING PRIVILEGE GAINING ACCESS PILFERING CREATING BACKDOORS COVERING TRACKS DENIAL OF SERVICE Click on each block for description of activity UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

38. Footprinting Objective Target Address Range Acquire Namespace Information Gathering Surgical Attack Don t Miss Details Technique Open Source Search whois Web Interface to whois ARIN whois DNS Zone Transfer UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

39. Scanning Objective Bulk target assessment Determine Listening Services Focus attack vector Technique Ping Sweep TCP/UDP Scan OS Detection UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

40. Enumeration Objective Intrusive Probing Commences Identify valid accounts Identify poorly protected shares Technique List user accounts List file shares Identify applications UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

41. Gaining Access Objective Informed attempt to access target Technique Password sniffing File share brute forcing Password file grab Buffer overflows Typically User level access UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

42. Escalating Privilege Objective Gain Root level access Technique Password cracking Known exploits UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

43. Pilfering Objective Info gathering to access trusted systems Technique Evaluate trusts Search for cleartext passwords UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

44. Cover Tracks Objective Ensure highest access Technique Clear logs Hide tools Hide access from system administrator or owner UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

45. Creating Back Doors Objective Deploy trap doors Technique Create rogue user accounts Schedule batch jobs Infect startup files Plant remote control services Install monitors Trojanize Ensure easy return access UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

46. Denial of Service Objective If unable to escalate privilege then kill Technique SYN Flood ICMP Attacks Identical src/dst SYN requests Out of bounds TCP options DDOS Build DDOS network UTSA IS 6353 Incident Response Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

47. Hacking Summary Threat: Hacking on the rise Security posture usually reactive Losses increasing 7 Step Process Hacker Techniques UTSA IS 6353 Incident Response