Foundstone ERS remediation System




Expediting Incident Response with Foundstone ERS
Foundstone Inc., August 2003

Enterprise Risk Solutions Platform Supports Successful Response and Remediation

Introduction

The Foundstone Enterprise Risk Solutions (ERS) platform is typically used to identify and mitigate security weaknesses before any exploitation takes place. Available as a large-scale enterprise solution, dedicated hardware, a hosted service, and a desktop application, Foundstone ERS helps organizations preserve the confidentiality, integrity, and availability of their data by preventing compromise before it happens.

If an intrusion does occur, however, Foundstone ERS also offers powerful tools for computer security incident response teams (CSIRTs) and forensic investigators. Foundstone ERS must be used with care: it is primarily a remedial tool and does not replace the other elements of a sound security plan. Yet it can help a CSIRT decide on the most appropriate course of action, and Foundstone consultants have successfully leveraged Foundstone ERS in the field to achieve effective, cost-efficient incident response.

CSIRTs in Action

When an intrusion is detected, the CSIRT must quickly answer several questions. What is the scope of the incident? How many resources are affected, and what is the damage? When and how was the organization penetrated? How can the organization limit the impact of the current intrusion and prevent future ones?

The CSIRT first looks for evidence of past intrusions. Unfortunately, after being compromised, most organizations realize they were not collecting or storing the right kinds of data. Ideally, the CSIRT has access to host-based evidence such as server and application logs, suspicious files, and other material stored on affected computers. Network-based evidence, including logs generated by firewalls, routers, and intrusion detection systems, is also very valuable. Interviewing staff, perusing newsgroups and IRC, and contacting law enforcement agencies that might be aware of similar intrusions are other ways to obtain useful information.

The next step for the CSIRT is managing certain aspects of the organization's existing security posture. This involves increasing the data collected from hosts and from the network at large. At this late stage, many intruders have taken steps to hide their activities, and only the most skilled incident responders with the best tools will be able to bring those actions to light. After examining what happened in the past and taking a closer look at what is happening in the present, the CSIRT can begin to theorize about the full nature of the intrusion. Although theorizing doesn't prove anything about the compromise, it is a valid way to guide ongoing incident response.

www.foundstone.com 2003 Foundstone, Inc. All Rights Reserved

Determining Incident Scope

To understand the scope of an incident, the CSIRT must see the enterprise from the vantage point of the attacker. An accurate depiction of the network architecture, including all access methods, systems, services, and weaknesses, is essential. Unfortunately, incident responders often find that the available network blueprints are outdated and potentially misleading. Organizations that suffer ongoing intrusions frequently identify subnets or systems they cannot account for, or thought were unavailable or disconnected. On these test or obsolete subnets, malicious users can quickly find and exploit unpatched and undefended hosts.

With its powerful enumeration capabilities, Foundstone ERS creates a clear, accurate picture of the enterprise. It discovers hosts and network devices, collects data about them, and illustrates this information in easy-to-read tables and diagrams. Foundstone ERS also helps the CSIRT understand a device's context: how it fits within the overall network topology. Although the concept is simple, the value of an up-to-date network diagram should not be underestimated when determining incident scope.

Countering Unauthorized Access

In addition to understanding a network's topology, CSIRTs must know what is and what is not accessible from the Internet. Intruders already know the routes to gain unauthorized access, but CSIRTs might not. There are three primary methods that intruders use to compromise target computers: abuse, subversion, and breach. By associating a list of services, versions, and vulnerabilities with every device and network node, Foundstone ERS offers a powerful way to find applications and services susceptible to the three types of exploits. Although security professionals typically use this inventory to assign remediation duties, CSIRTs can use it to identify the ways an intruder might have penetrated an organization.

Abuse

Illegitimate use of legitimate access modes is called abuse of a service. For example, an intruder might access a server via telnet, secure shell, or Microsoft Terminal Services, and then log in using a valid but stolen or guessed username and password (credentials). This fully compromises the computer, its data, and the credentials.

Through its service enumeration techniques, Foundstone ERS identifies how intruders might abuse a service. Foundstone ERS checks for default or easily guessed username/password combinations. It also lists the services that can be used to gain remote access to a computer, such as telnet, secure shell, Microsoft Terminal Services, and others. This can head off unpleasant surprises. Expecting to find only secure shell available to Internet users, the CSIRT might discover, thanks to Foundstone ERS, that telnet and Microsoft Terminal Services are available as well.

Subversion

Subversion involves making a service perform in a manner not anticipated by its programmers. Analyzing systems that offer easily subverted services is an important aspect of incident response. For example, unpatched Microsoft IIS 5.0 Web servers are susceptible to manipulation via Unicode data encoding. Malicious users can pass specially formatted Unicode strings to the Web server, forcing it to execute commands outside its intended mode of operation. Although these techniques do not stop the Web server from running, they subvert its functionality. Foundstone ERS detects Web servers and other systems that have these types of vulnerabilities. If the CSIRT finds publicly facing Web servers that can be subverted, it is extremely likely that an intruder knows about them also.

Breach

To breach a service means to break it and stop it from running. This differs from subversion, which does not interrupt service. At its most basic level, breaking an application is a form of denial of service: shutting down an organization's Web server, for instance. Intruders can also instruct a broken application to perform new, illegitimate actions. Buffer overflows are well-known examples: intruders use buffer overflows to break a target service and then replace it with a shell that gives command-line access. As with the discovery of services vulnerable to subversion, Foundstone ERS identifies services susceptible to being broken. These classes of attacks, often called silver bullets, can be very damaging. Although a subverted service might act as an unprivileged user, a broken application more frequently acts with system privileges.

Guiding Remediation

The most effective remediation happens before a compromise takes place, preventing an intrusion or limiting its extent. Vulnerable Internet-facing computers holding sensitive information must be patched or reconfigured as quickly as possible, for instance. During or after a compromise, however, the issues are different. Naturally, remediation should limit the impact of the intrusion and prevent further loss of information. Within this imperative, however, two courses of action are possible: protect and proceed, or pursue and prosecute.

Protect and proceed focuses on limiting damage and restoring service. The CSIRT collects evidence for these ends, not to put an intruder in jail. Pursue and prosecute takes a different approach. An intruder might be allowed limited access to a target network so that the CSIRT can determine the scope of the compromise and collect evidence of guilt. When the intruder's capabilities and intentions are sufficiently understood, access is terminated. The CSIRT reports what it has learned to law enforcement, which may or may not prosecute.

Foundstone ERS helps in both scenarios because, at some point, the CSIRT limits the intruder's access. This is where Foundstone ERS really shines during incident response. By integrating the information that Foundstone ERS gathers about a network and its vulnerabilities, the CSIRT can plan and complete an effective, cost-efficient remediation. For example, the CSIRT's investigation might discover that an intruder gained access to the enterprise via NetBIOS/Server Message Block (SMB) services and the psexec tool available at www.sysinternals.com. Using assessment results from Foundstone ERS, the CSIRT might see that the NetBIOS/SMB ports (UDP 137-138; TCP 139, 445) are reachable from the Internet. The CSIRT then knows it must deny these ports at the border router and/or the firewall.

Taking this example one step further illustrates the value of knowing which services and access methods are exposed to the Internet. Assume that the CSIRT denies NetBIOS/SMB access as described. What if Foundstone ERS also identifies unpatched IIS and SQL servers? Intruders are tenacious. Once evicted from a network, they are determined to regain access. In this case, an intruder denied NetBIOS/SMB access would quickly exploit these Web and database vulnerabilities instead.

Proper Use of Foundstone ERS

CSIRTs must use Foundstone ERS with care. Foundstone ERS is best suited for incident response when no reliable network topology exists, when there is no clue about the entry point of an attack, or when remediation is deemed more important than fully determining the motivations, goals, and methods behind an attack. After a compromise, CSIRTs should perform host- and network-based data collection before using the Foundstone ERS enumeration capabilities. Foundstone ERS is best thought of as a lead generator: any theories it helps foster should be proven with host- and network-based data.

Also, because Foundstone ERS is an overt process, intruders are likely to alter their behavior when they detect its presence. Using Foundstone ERS before exhausting the clues in host-based data could likewise complicate a law enforcement investigation.

Foundstone ERS in the Field

Foundstone recently responded to a security compromise in which an external intruder gained unauthorized access to an ISP's internal network. Foundstone equipped the ISP with the knowledge and tools to eliminate the unauthorized means of access and to collect evidence for potential legal action. Foundstone ERS played a significant role in this response and remediation.

Foundstone dealt with the incident in three ways. First, we gathered and analyzed host-based evidence from computers suspected of compromise. Second, we implemented emergency network monitoring to collect event, session, content, and other data needed to identify the intruder's means of access. Third, using Foundstone ERS, we performed a limited vulnerability assessment of key areas of the ISP's enterprise. This helped Foundstone guide the ISP's CSIRT during remediation. Because the ISP's network exposed several high-risk services, remediation via host- and network-based methods rated a high priority. Eliminating weak username/password combinations would be futile, for instance, if the ISP's servers ran unpatched versions of IIS and SQL.

Summary

Using information from Foundstone ERS, CSIRTs can determine the scope of a security incident, find the routes of unauthorized access, and guide remediation efforts. By identifying existing vulnerabilities, Foundstone ERS lets a CSIRT know whether a proposed response plan is sufficient. Foundstone ERS is best suited for incident response in only certain situations, and a CSIRT must use it in certain ways. It is crucial, for instance, to perform host- and network-based data collection before employing the Foundstone ERS enumeration tools. When appropriately used, however, Foundstone ERS is a powerful tool for successful incident response.
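The exposure review described in the Abuse and Guiding Remediation sections, as an added illustration that is not Foundstone's code or the ERS product: it walks a constructed, ERS-style inventory of Internet-facing listeners, flags remote-access services the CSIRT did not expect, produces the NetBIOS/SMB deny list from the paper's example, and then checks whether that block alone is sufficient or whether unpatched IIS and SQL listeners remain reachable. Hosts, versions and the ACL syntax are assumptions.

```python
"""Exposure review over an assessment inventory (illustrative, not ERS)."""
from collections import defaultdict

# Constructed sample inventory: one record per Internet-facing listener,
# in the shape an ERS-style scan might report. Hosts/versions are made up.
INVENTORY = [
    {"host": "10.0.1.5", "port": 23,   "proto": "tcp", "service": "telnet",       "vuln": None},
    {"host": "10.0.1.5", "port": 22,   "proto": "tcp", "service": "ssh",          "vuln": None},
    {"host": "10.0.1.7", "port": 3389, "proto": "tcp", "service": "ms-term-serv", "vuln": None},
    {"host": "10.0.1.7", "port": 139,  "proto": "tcp", "service": "netbios-ssn",  "vuln": None},
    {"host": "10.0.1.7", "port": 445,  "proto": "tcp", "service": "microsoft-ds", "vuln": None},
    {"host": "10.0.1.7", "port": 137,  "proto": "udp", "service": "netbios-ns",   "vuln": None},
    {"host": "10.0.1.9", "port": 80,   "proto": "tcp", "service": "http",         "vuln": "unpatched IIS 5.0"},
    {"host": "10.0.1.9", "port": 1433, "proto": "tcp", "service": "ms-sql",       "vuln": "unpatched SQL Server"},
]

# Remote-access services the paper names as candidates for abuse.
REMOTE_ACCESS = {"telnet", "ssh", "ms-term-serv"}
# NetBIOS/SMB ports from the paper's remediation example.
NETBIOS_SMB = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


def remote_access_surprises(inventory, expected=frozenset({"ssh"})):
    """Remote-access services exposed beyond what the CSIRT expected."""
    return sorted({r["service"] for r in inventory
                   if r["service"] in REMOTE_ACCESS and r["service"] not in expected})


def deny_rules(blocked=NETBIOS_SMB):
    """Border ACL lines (assumed Cisco-style syntax) denying the given ports."""
    return [f"deny {proto} any any eq {port}" for proto, port in sorted(blocked)]


def remaining_exposure(inventory, blocked=NETBIOS_SMB):
    """Vulnerable listeners an evicted intruder could still reach once
    `blocked` is denied, grouped by host."""
    left = defaultdict(list)
    for r in inventory:
        if (r["proto"], r["port"]) in blocked or not r["vuln"]:
            continue
        left[r["host"]].append(f'{r["service"]}/{r["port"]}: {r["vuln"]}')
    return dict(left)


def plan_is_sufficient(inventory, blocked=NETBIOS_SMB):
    """The paper's question: is denying these ports enough on its own?"""
    return not remaining_exposure(inventory, blocked)


if __name__ == "__main__":
    print("unexpected remote access:", remote_access_surprises(INVENTORY))
    print("\n".join(deny_rules()))
    print("still exposed after the block:", remaining_exposure(INVENTORY))
    print("plan sufficient:", plan_is_sufficient(INVENTORY))
```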

About Foundstone

Foundstone Inc., experts in strategic security, offers a unique combination of software, services, and education to help organizations continuously and measurably protect their most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. The company has one of the most dominant security talent pools ever assembled, and has authored ten books, including the best seller Hacking Exposed. Foundstone is headquartered in Orange County, CA, and has offices in New York, Washington, D.C., and Seattle. For more information about Foundstone and Foundstone Enterprise Risk Solutions, visit www.foundstone.com, or call 877.91.FOUND within the U.S. and 949.297.5600 outside the U.S.