Foundstone ERS remediation System

Transcription

1 Expediting Incident Response with Foundstone ERS Foundstone Inc. August, 2003

2 Enterprise Risk Solutions Platform Supports Successful Response and Remediation Introduction The Foundstone Enterprise Risk Solutions (ERS) platform is typically used to identify and mitigate security weaknesses prior to any exploitation. Available as a large-scale enterprise solution, dedicated hardware, a hosted service, and a desktop application, Foundstone ERS helps organizations preserve the confidentiality, integrity, and availability of their data by preventing compromise before it happens. If an intrusion occurs, however, Foundstone ERS also offers powerful tools for computer security incident response teams (CSIRTs) and forensic investigators. Foundstone ERS must be used with care. It is primarily a remedial tool and does not replace the other elements of a sound security plan. Yet it can help a CSIRT decide on the most appropriate course of action. In fact, Foundstone consultants have successfully leveraged Foundstone ERS in the field to achieve effective, cost-efficient incident response. CSIRTs in Action When an intrusion is detected, the CSIRT must quickly answer several questions. What is the scope of the incident? How many resources are affected, and what is the damage? When and how was the organization penetrated? How does the organization limit the impact of the current intrusion and prevent future ones? The CSIRT first looks for evidence of past intrusions. Unfortunately, after being compromised, most organizations realize they were not collecting or storing the right kinds of data. Ideally, the CSIRT has access to host-based evidence such as server and application logs, suspicious files, and other material stored on affected computers. Network-based evidence, including logs generated by firewalls, routers, and intrusion detection systems, is also very valuable. Interviewing staff, perusing newsgroups and IRC, and contacting law enforcement agencies that might be aware of similar intrusions are other ways to obtain useful information. The next step for the CSIRT is managing certain aspects of the organization s existing security posture. This involves increasing the data collected from hosts and the network at large. At this late stage, many intruders have taken steps to hide their activities. Only the most skilled incident responders with the best tools will be able to bring their actions to light. After examining what happened in the past and taking a closer look at what is happening in the present, the CSIRT can begin to theorize about the full nature of the intrusion. Although theorizing doesn t prove anything about the compromise, it is a valid way to guide ongoing incident response Foundstone, Inc. All Rights Reserved - 1

3 Determining Incident Scope To understand the scope of an incident, the CSIRT must see the enterprise from the vantage point of the attacker. An accurate depiction of the network architecture including all access methods, systems, services, and weaknesses is essential. Unfortunately, incident responders often find that available network blueprints are outdated and potentially misleading. Organizations that suffer ongoing intrusions frequently identify subnets or systems they cannot account for, or thought were unavailable or disconnected. On these test or obsolete subnets, malicious users can quickly find and exploit unpatched and undefended hosts. With its powerful enumeration capabilities, Foundstone ERS creates a clear, accurate picture of the enterprise. It discovers hosts and network devices, collects data about them, and illustrates this information in easy-toread tables and diagrams. Foundstone ERS also helps the CSIRT understand a device s context, how it fits within the overall network topology. Although the concept is simple, the value of an up-to-date network diagram cannot be underestimated when determining incident scope. Countering Unauthorized Access In addition to understanding a network s topology, CSIRTs must know what is and what is not accessible from the Internet. Intruders already know the routes to gain unauthorized access, but CSIRTs might not. There are three primary methods that intruders use to compromise target computers: abuse, subversion, and breach. By associating a list of services, versions, and vulnerabilities with every device and network node, Foundstone ERS offers a powerful way to find applications and services susceptible to the three types of exploits. Although security professionals typically use this inventory to assign remediation duties, CSIRTs can use it to identify the ways an intruder might have penetrated an organization. Abuse Illegitimate use of legitimate access modes is called abuse of a service. For example, an intruder might access a server via telnet, secure shell, or Microsoft Terminal Services, and then log in using a valid but stolen or guessed username and password (credentials). This fully compromises the computer, its data, and the credentials. Through its service enumeration techniques, Foundstone ERS identifies how intruders might abuse a service. Foundstone ERS checks for default or easily guessed username/password combinations. It also lists the services that can be used to gain remote access to a computer, such as telnet, secure shell, Microsoft Terminal Services, Foundstone, Inc. All Rights Reserved - 2

4 and others. This can head off unpleasant surprises. Expecting to find only secure shell available to Internet users, the CSIRT might discover thanks to Foundstone ERS that telnet and Microsoft Terminal Services are available as well. Subversion Subversion involves making a service perform in a manner not anticipated by its programmers. Analyzing systems that offer easily subverted services is an important aspect of incident response. For example, unpatched Microsoft IIS 5.0 Web servers are susceptible to manipulation via Unicode data encoding. Malicious users can pass specially formatted Unicode strings to the Web server, forcing it to execute commands outside its intended mode of operation. Although these techniques do not stop the Web server from running, they subvert its functionality. Foundstone ERS detects Web servers and other systems that have these types of vulnerabilities. If the CSIRT finds publicly facing Web servers that can be subverted, it is extremely likely that an intruder knows about them also. Breach To breach a service means to break it and stop it from running. This differs from subversion, which does not interrupt service. At its basic level, breaking an application is a form of denial of service shutting down an organization s Web server, for instance. Intruders can also instruct a broken application to perform new, illegitimate actions. Buffer overflows are well-known examples. Intruders use buffer overflows to break a target service and then replace it with a shell that gives command-line access. Like the discovery of services vulnerable to subversion, Foundstone ERS identifies services susceptible to being broken. These classes of attacks, often called silver bullets, can be very damaging. Although a subverted service might act as an unprivileged user, a broken application more frequently acts with system privileges. Guiding Remediation The most effective remediation happens before a compromise takes place, preventing an intrusion or limiting its extent. Vulnerable Internet-facing computers with sensitive information must be patched or reconfigured as quickly as possible, for instance. During or after a compromise, however, the issues are different. Naturally, remediation should limit the impact of the intrusion and prevent further loss of information. However, within this imperative, two courses of action are possible: protect and proceed or pursue and prosecute Foundstone, Inc. All Rights Reserved - 3

5 Protect and proceed focuses on limiting damage and restoring service. The CSIRT collects evidence for these ends, not to put an intruder in jail. Pursue and prosecute takes a different approach. An intruder might be allowed limited access to a target network to determine the scope of the compromise and collect evidence of guilt. When an intruder s capabilities and intentions are sufficiently understood, access is terminated. The CSIRT reports what it has learned to law enforcement, which may or may not prosecute. Foundstone ERS helps in both scenarios because, at some point, the CSIRT limits the intruder s access. This is where Foundstone ERS really shines during incident response. And by integrating the information that Foundstone ERS gathers about a network and its vulnerabilities, the CSIRT can plan and complete an effective, cost-efficient remediation. For example, the CSIRT s investigation might discover that an intruder gained access to the enterprise via NetBIOS/Server Message Block (SMB) services and the psexec tool available at Using assessment results from Foundstone ERS, the CSIRT might see that NetBIOS/SMB ports (UDP: ; TCP: 139, 445) are available to the Internet. The CSIRT knows it must deny these ports at the border router and/or the firewall. Taking this example to the next level illustrates the value of knowing which services and access methods are exposed to the Internet. Assume that the CSIRT denies the NetBIOS/SMB as stated. What if Foundstone ERS also identifies unpatched IIS and SQL servers? Intruders are tenacious. Once evicted from a network, they are determined to regain access. In this case, an intruder denied NetBIOS/SMB access would quickly exploit these Web and database vulnerabilities. Proper Use of Foundstone ERS CSIRTs must use Foundstone ERS with care. Foundstone ERS is best suited for incident response when no reliable network topology exists, when there is no clue about the entry point of an attack, or when remediation is deemed more important than fully determining the motivations, goals, and methods behind an attack. After a compromise, CSIRTs should perform host- and network-based data collection prior to using Foundstone ERS enumeration capabilities. Foundstone ERS is best thought of as a lead generator. Any theories that it helps foster should be proven with host- and network-based data Foundstone, Inc. All Rights Reserved - 4

6 Also, because Foundstone ERS is an overt process, intruders are likely to alter their behavior when they detect its presence. Using Foundstone ERS before exhausting the clues in host-based data could likewise complicate law enforcement investigation. Foundstone ERS in the Field Foundstone recently responded to a security compromise in which an external intruder gained unauthorized access to an ISP s internal network. Foundstone equipped the ISP with the knowledge and tools to eliminate the unauthorized means of access and to collect evidence for potential legal action. Foundstone ERS played a significant role in this response and remediation. Foundstone dealt with the incident in three ways. First, we gathered and analyzed host-based evidence from computers suspected of compromise. Second, we implemented emergency network monitoring to collect event, session, content, and other data needed to identify the intruder s means of access. Using Foundstone ERS, we then performed a limited vulnerability assessment of key areas of the ISP s enterprise. This helped Foundstone guide the ISP s CSIRT during remediation. Because the ISP s network exposed several high-risk services, remediation via host- and network-based methods rated a high priority. Eliminating weak username/password combinations would be futile, for instance, if the ISP s servers ran unpatched versions of IIS and SQL. Summary Using information from Foundstone ERS, CSIRTs can determine the scope of a security incident, find the routes of unauthorized access, and guide remediation efforts. By identifying existing vulnerabilities, Foundstone ERS lets a CSIRT know if a proposed response plan is sufficient. Foundstone ERS is best suited for incident response in only certain situations, and a CSIRT must use it in certain ways. It is crucial, for instance, to perform host- and network-based data collection before employing Foundstone ERS enumeration tools. When appropriately used, however, Foundstone ERS is a powerful tool for successful incident response Foundstone, Inc. All Rights Reserved - 5

7 About Foundstone Foundstone Inc., experts in strategic security, offers a unique combination of software, services, and education to help organizations continuously and measurably protect the most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. The company has one of the most dominant security talent pools ever assembled, and has authored ten books, including the best seller Hacking Exposed. Foundstone is headquartered in Orange County, CA, and has offices in New York, Washington, D.C., and Seattle. For more information about Foundstone and Foundstone Enterprise Risk Solutions, visit or call FOUND within the U.S, and outside the U.S Foundstone, Inc. All Rights Reserved - 6