Forensics What To Do When You Get Hacked - Security Assessment

Forensics: What To Do When You Get Hacked. Paul Craig, Lead Forensic Investigator

Hello everyone, my name is Paul Craig.
- I work as a principal security consultant at Security-Assessment.com
- I am also the lead forensic investigator
- Personally I love IT forensics, it's a passion of mine.
- I bust Brazilian hacking groups
- Take down Russian credit card cloners
- Defeat Turkish hacking armies

Agenda:
- Everything you ever wanted to know about forensics
- What is it, and how does it work?
- Forensics and NZ law
- Common misconceptions of forensics
- Incident Response Guidelines
- How SA does forensics
- Case studies

What is forensics?
- Forensics is the process of discovering facts which prove or disprove a series of events.
- The key word here is facts.
- The goal of forensics is to produce reputable evidence that can be used to prove a fact beyond reasonable doubt.
- All forensic results must be reproducible by another forensic investigator.

Forensics often starts with a web application
- Why, you ask? Firewalls
- Most networks only allow port 80/443 inbound
- If you're going to get hacked, it's going to start with your web application

We do it every day at SA.com
- I have seen many web applications fall at the hands of SA
- We use web applications as an entry point into networks
- And then we hack the domain server, database, backup, intranet …
- For a hacker, it all starts with the web application.

SA.com are not the only people hacking web apps.
- Zone-h.org archives statistics of web server defacements
- "When Zone-H started back in 2002, we were receiving an average of 2,500 defacements monthly, this number keeps on increasing year after year. For example, the last month we registered over 95,090 defacements, while we only had 60,471 in 2009 for the same period."
- 95 thousand hacked and defaced websites in April!
- That's a lot of forensics

Forensics and the law
- When doing forensics we treat all results as possible legal evidence
- IT forensic evidence is used in murder, drug dealing, fraud, computer intrusion and employee misuse cases.

The Caylee Anthony Case
- Missing child case in Florida.
- Mother didn't report the disappearance of her daughter for a month.
- Forensics on her home PC found 'stuff'

NZ Law and Forensics
- Forensics requires a basic knowledge of the NZ legal system
- You never know when an incident is going to go to court
- Your production web server/database server gets hacked!
- Forensic responder conducts an investigation
- You get a report which details the findings of the review:
  1. Hackers compromised the web server through SQL injection
  2. The "creditcardorders" table was exported and saved remotely
  3. Hacked from an IP address registered in Wellington
- Your CEO files a police report
- Forensic report is submitted with the police report

The accused
- If the accused is not known, a police file is opened and assigned to a detective.
- Since the accused is known:
  - The Police may arrest the accused under a warrant issued by a District Court Judge or JP.
  - The Police may conduct an arrest without a warrant if they have reasonable cause to believe that a crime has been committed, or is going to be committed.
  - An IT forensic report may provide reasonable cause

The accused must enter a plea
- An accused has three choices: No Plea, Guilty, Not Guilty
- Guilty pleas are often sentenced on the same day
- Evidence is not required

Not guilty pleas go to trial.
- Crown/Police have to prove guilt

Not Guilty Plea
- Criminal charges under NZ law come in two varieties.
- Summary offences: minor offences, carrying a penalty of up to three months' imprisonment.
- Indictable offences: serious crimes, carrying a penalty of greater than 3 months' imprisonment. Right to a jury trial if less than 10 years.
- All computer crime offences are indictable offences in NZ:

  Offence                                                           Maximum penalty
  Accessing computer system for dishonest purpose                   5-7 years
  Damaging or interfering with computer system                      7-10 years
  Making, selling, or distributing software for committing a crime  2 years
  Accessing computer system without authorisation                   2 years

Court trial
- The Prosecution
  - I am an expert witness for the prosecution
  - I stand behind the IT forensic evidence
  - It may be the only evidence in the case
- The Defence
  - Punk kid hacker, rich daddy hired a fancy lawyer
  - Who hired their own forensic examiner!

“A jury consists of twelve persons chosen to decide who has the better lawyer.”

The Defence is given the same evidence the Prosecution entered into court.
- Defence forensic examiner conducts their own forensic investigation
- They hope to find discrepancies in my results to get my evidence thrown out!

The defence will try to discredit the evidence
- How was the evidence collected and analysed?
- Did the forensic investigation follow correct process and procedure?
- Did the defence find forensic results contrary to mine?

... and discredit the investigator (me)
- Are you trained in this field?
- Can you support your claims as an expert?
- Why didn't you follow best practice?

Quality forensics counts!
- Every case "could" go to court

Common Forensic Misconceptions
- Most of our clients have no idea about forensics
- They don't know what to do or say. They often say and do the wrong things
- Which often impacts the forensic results

6pm, Friday, just before a long weekend.
- "Our server got defaced, we need you here right away for a meeting"
- Here I am, sitting in a room with 5-10 stressed people
- No one wants the incident to exist, or for it to be their problem
- No one wants to be here

"Why bother doing forensics at all? You will only find some IP address in China or Russia, and then what? It's just some kid defacing websites."
- This is called an assumption.
- You have no idea who hacked the server or their motive
- Did multiple parties hack it?

Rule #1: We don't make assumptions in forensics.
- Only facts count! If you can't prove it, don't say it!

"They only compromised one server we don't use anymore! They didn't compromise our database server. This is not a big deal, let's just turn the server off and go home!"

"Can the compromised server communicate with the database server?"

“Oh, uhm, actually… Yes it can”

“If I hacked your web server, I would go for the database!”

“We already dealt to the incident we did a full format and installed from backups, crisis averted!”

Nice one, you have likely destroyed all forensic evidence
- Do you know what other servers the hacker accessed?
- Do you know if any information was stolen?
- Did they compromise the backups?
- Do you know if your server was used to commit another crime?
- What do you do when NZ Police contact you in two months' time?

"This is not my problem, this is too hard, we can't do forensics."
- This is a common problem I face
- The forensic process can seem overwhelming and scary!
- Clients just want it to 'Go Away'!
- I often end up having to convince at least one person
- As the client, you must realise the potential impact of a compromise:
  - Front page media attention, in a bad way..
  - Every customer's credit card number stolen
  - Very unhappy board of directors, CEO, investors

Incident Response Guidelines
- How you act when an incident occurs can make all the difference
- Smooth engagements are good engagements!
- You get answers faster and are left with a smaller bill!
- Forensic guidelines come in two streams:
  - Business Process: what the business should do (now) before an incident occurs
  - Technical Incident Response: what you should do on the day (when it hits the fan)

Business Process:
- You need a single point of contact for all security incidents.
- Incidents are often spotted by staff members
- Do they know who to talk to?

“You can count on me to get stuff done!”

Appoint an internal Incident Team
- Forensics is not just a technical problem
- Input is required across the business:
  - Technical staff (DBA, Lead Developer, Sys Admin, Network Admin)
  - Someone with power: Senior Executive (CIO / CTO / CSO)
  - Legal department

Find a preferred forensic supplier, now!
- Yes, you have skilled IT staff, but leave the forensics up to the pros.

Find a forensic services supplier and make contact:
- Document their response capabilities
- Lead time on work (call outs)
- Rate & contact details
- Sign an NDA with them now and work out any logistical issues

Prepare for an incident before it happens!
- Finding a supplier on the day will take time and cause stress
- Time is a precious commodity in forensics

The Media
- Unfortunately the media love a good hacking story
- If too many people know about your incident, it might make the news
- When it hits the media your level of stress will go up

The bottom drawer letter
- A pre-written press statement for when something happens
- Provides an instant response to the media when they come knocking
- Avoids any media speculation regarding an incident

“We are aware that an incident has occurred and we are currently in the process of investigating the nature and impact. We take security seriously and investigate all incidents”

Technical Incident Response
- When you discover an incident has occurred, treat it with urgency
- All incidents are real, live and critical
  - Never underestimate the situation
  - Never ignore an incident
  - Never assume any facts regarding an incident
- Gather the Incident Team
- Assess the situation internally in a confidential context
- Meetings are held in a secure location (not Starbucks!)
- Make contact with your forensic supplier

Technical Incident Response
- How you treat a compromised server/desktop depends on how fast the incident responder can arrive
- Forensic evidence is often volatile
- Evidence is lost as time progresses

If the incident responder can be onsite "right now" (Captain Forensic, away!)
- Leave the server on, connected to the internet
- Don't touch anything!
- Maximum available volatile information:
  - Who is connected, active routes, ARP cache, system memory

Incident Response
If the incident responder is busy and can't make it till tomorrow
- Disable any scheduled patches, upgrades or restarts
- Unplug the server from the internet, or firewall it
- Leave the server powered on
- Put a large sign on the server indicating no one should touch it
- Less volatile information available

The incident responder can't make it till next week
- Unplug the server from the internet and turn it off.
- No volatile information available

Get a new incident responder!
- Real forensic responders "Stop, Drop and Roll"
- Response time can make all the difference!

zzzzzzz…..

Give the incident responder everything they need
- Forensic analysts need a lot of information and access
- The most common place I waste time!

A forensic review may need:
- Physical access to the server
- Active network port in the same network segment
- Network diagrams and firewall topology
- Third party vendors, outsourced services
- The approval to take your server image offsite (a pre-signed NDA)

When do you file a Police report?
- Evidence shows that a crime has been committed, or is going to be committed
  - Financial fraud, child pornography, blackmail, IP theft
- File a police report when the initial forensic investigation has been completed
- File the police report with the forensic results
- Provide the police with all information discovered

What are your chances of catching a bad guy?
- All depends on how well the two countries work together
- Extradition agreements in place.
- Origin of the hacker is in NZ / Australia = done deal
- Origin of the hacker is from a UN/NATO based country: still a good chance!
  - IPTF (International Police Task Force)
  - All UN countries must have a local representative
  - Easier for NZ police to work with UN countries

China is part of the UN
- Will not extradite to other countries
- Hired by the Chinese cyber military

“I wasted my life stealing magnetic card track 2 data from credit cards.”

Vendor Contact
- Microsoft and Google can provide information to law enforcement
- Hotmail / Gmail activity
- Local warrant not required

Computer crimes (hacking) are not considered important enough! Priority goes to:
- Grievous bodily harm (Murder)
- Large scale fraud
- Terrorism

When is it OK to not file a Police report?
- There was no loss of finances
- No increase in fraud risk
- No chance of repercussions or fines in the future
- Information compromised was not valuable, protected or sensitive

Your chances of actually catching that .cn hacker are very low!
- Even if you knew his IP!
- You are likely untouchable in China

How SA does forensics
- SA performs forensics in accordance with the ACPO (Association of Chief Police Officers) guidelines
- Legal guidelines which cover evidence collection and analysis
- Courts do not distinguish between digital and physical evidence
- We must conduct all of our work in a manner accepted by the court
- Evidence we produce should be water-tight
- Our forensic methods cannot be disputed.

"I dispute that, your honour!"

Limited Access Controls
- We work in a secure environment
- Swipe card + PIN access to the forensic laboratory
- Access control logs maintained
- No unauthorised access to rooms where evidence is kept
- Cleaners are not allowed in without an escort

Working on forensics at your home / insecure office is amateur!
- Dangerous, Damaging and Unprofessional

Dedicated Forensic Lab
- Doing forensics from an everyday-use laptop is pure amateur!
- Opens legal dispute regarding evidence analysis methods:
  - "Oh my girlfriend used that laptop too"
  - "Oh my laptop got stolen…"
- Considered contrary to best practice!
- Our forensic lab: two dedicated desktops on a closed Gig-E network
- Central vault server with 9TB of disk storage

We use Open Source and Closed Source software
- Helix 3 Professional (open source, commercial Linux distribution)
- EnCase 6 Enterprise (closed source, very commercial application)
- 100's of other open source forensic analysis tools
- It's a myth that you have to use commercial software to do forensics
- Software has to be accepted by the forensic community
- "All results must be reproducible by another forensic analyst"

Fully Stocked Forensic Kit
- Ready to roll to any country in the world
- FED-STD101C & MIL-STD 801F compliant
- 27kg of forensic equipment
- We get strange looks at airports!
- Hardware write blockers
- Memory card cloners
- Cell phone forensics
- Memory acquisition tools
- Disks, Disks, Disks.
- Every cable, connector, power supply possible

... and a safe!
- Sure, it's not the world's most sophisticated safe
- Reduces the likelihood of unauthorised tampering with evidence
- The safe is full of disks!
- We retain evidence from all cases for 5 years

Our Technical Approach
- Most people think forensics is about pawing through disk images
- SA.com does forensics in 3D:
  1. We collect all available evidence from every possible source
     - Logs from Firewall, IDS, Router, Syslog
     - Registry, File System, Logs, Events, Services, Scheduled Tasks
  2. Convert all evidence into a common format (mactime)
  3. Sort into a "Super TimeLine": chronological timeline of all evidence!
- Replay a user's actions by cross-correlating evidence
- You can "watch" the hacker.
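The three steps above, as an added Python example that is not the presenter's or SA.com's tooling: three constructed evidence sources (a firewall log, a web server access log and a mactime body file) are normalised to one record shape, merged and sorted into a single chronological timeline, then cross-correlated so that a web request can be read alongside what the firewall and file system saw around the same time. Every log line, host, path and timestamp below is a constructed sample.

```python
import re
from datetime import datetime, timezone

# Constructed sample evidence (not real logs), one list per source.
FIREWALL_LOG = [
    "Apr 14 2010 02:16:40 fw1 ACCEPT TCP 10.0.0.5:49210 -> 10.0.0.20:1433",
    "Apr 14 2010 02:14:05 fw1 ACCEPT TCP 203.0.113.9:51234 -> 10.0.0.5:80",
]
WEB_LOG = [
    '203.0.113.9 - - [14/Apr/2010:02:14:06 +0000] "GET /orders.asp?id=1%27+OR+1%3D1-- HTTP/1.1" 200 5120',
]
# mactime "body" format: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime (epoch seconds)
BODY_FILE = [
    "0|/inetpub/wwwroot/cmd.asp|1234|r/rrwxrwxrwx|0|0|512|1271211330|1271211330|1271211330|1271211330",
]

def parse_firewall(line):
    # "Mon DD YYYY HH:MM:SS" is the first 20 characters of the constructed format
    when = datetime.strptime(line[:20], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return (when, "firewall", line[21:])

def parse_web(line):
    m = re.search(r'\[([^\]]+)\] "([^"]+)" (\d+)', line)
    when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return (when, "webserver", f"{line.split()[0]} {m.group(2)} -> {m.group(3)}")

def parse_body(line):
    f = line.split("|")
    when = datetime.fromtimestamp(int(f[10]), tz=timezone.utc)  # crtime: file created
    return (when, "filesystem", f"created {f[1]} ({f[6]} bytes)")

def build_timeline():
    # Every record becomes (UTC datetime, source, description); the merged list
    # sorted by time is the "Super TimeLine".
    events = [parse_firewall(l) for l in FIREWALL_LOG]
    events += [parse_web(l) for l in WEB_LOG]
    events += [parse_body(l) for l in BODY_FILE]
    return sorted(events, key=lambda e: e[0])

def correlate(timeline, window=180):
    # For each web-server event, list the other sources with activity within
    # `window` seconds: the cross-correlation that lets you "watch" the hacker.
    out = []
    for when, src, desc in timeline:
        if src == "webserver":
            near = {s for w, s, _ in timeline
                    if s != src and abs((w - when).total_seconds()) <= window}
            out.append((desc, sorted(near)))
    return out
```

Calling build_timeline() orders the sample evidence as firewall, web request, file creation, firewall, and correlate() on that timeline shows the suspicious request flanked by a new file under the web root and an outbound connection to the database port.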

Conclusion
- I could talk about forensics all day...

Take home key concepts:
- Sooner or later one of your web applications will get hacked
- Take incidents and forensics seriously
- Prepare for that incident now
- Stay cool when an incident happens: follow the game plan
- Never assume anything!

Thank you so much for your attention

Questions?
- You are also welcome to email me: Paul Craig, [email protected]