
CS4684
Cyber Security Incident Response & Recovery

The Reference Intrusion Model (RIM)

JD Fulp CSIH, CISSP, ISSEP, ISSAP, Naval Postgraduate School


Reference For This Material

Chapter 4 from "The Tao..."

"Tao (or Dao) is a Chinese concept signifying 'way', 'path', 'route', or sometimes more loosely 'doctrine' or 'principle'. Within the context of Chinese philosophy and religion, the Tao is the intuitive knowing of "life", that of which cannot be grasped full-heartedly as just a concept, but known nonetheless through actual living experiences of one's everyday being."
-Wikipedia


Main Topics of Discussion

• Purpose of the Reference Intrusion Model (RIM) in this course
• The scenario/incident: step-by-step
• Look/see/ponder typical attacker tradecraft
• Consider where the attacker is in the Cyber Kill Chain as each "step" is described
• Consider the attacker's actions on the objective
• Identify/discuss the AS&W most likely to be noticed


Purpose of the Ref. Int. Model (RIM)

For the goals of this course, we use the RIM as our first foray into the complex world of Incident Response. This is a good starting point, as the incident is completely explained, and there is an entire textbook ("The Tao of Network Security Monitoring") dedicated to explaining the various aspects of detection and analysis, and to introducing various tools useful to the incident responder/investigator.


The "Environment"-1

(figure: network diagram) Fictional Company: CHMPlans


The "Environment"-2

Fictional Company: CHMPlans

Internet = 172.27.20.0/24
Intranet DMZ = 192.168.60.0/24
Intranet Private = 10.10.10.0/24


The "Environment"-3

172.27.20.* is considered "the Internet"
192.168.60.* is CHMPlans' DMZ
10.10.10.* is CHMPlans' Internal (Private) network

CHMPlans is employing a _______________ (type) DMZ

Notice that all IP space is ______________ IP space from RFC1918


Attacker's Objective

Note: the attacker (Ardala) is assumed to be attacking from system(s) in the "Internet" IP range.

The attacker's target is development plans for a new X-wing aircraft that are located on a WinNT machine (IP: 10.10.10.3) which happens to be running Terminal Services.


Target: CHM's X-wing Plans

(figure)


The Incident: Step-1

Who puts Ardala up to this?
Ans: Dragos Design, CHM's competitor

Ardala's first move?

Find a disgruntled CHM employee, and have him activate an _____ server in the _____ (IP: 192.168.60.5)


Step-2

(figure: scan command and output)
Step-2

-sS → ______________________________

-p → _______________________________

-O → ______________________________
The Incident: Step-2

Attacker uses ______ (tool) to scan the DMZ, looking for systems with ports ____ or ____ open. She finds two, and also learns the names of three systems in the DMZ. What are those systems and names? (previous 2 slides)

.3 is named _________________ and is listening on port ___

.5 is named _____________ and is listening on ports ___ & ___

Router is named → ____________________
Step-3

(figure: exploit attempts)


Step-3

2nd attempt of the wuftpd exploit gives Ardala root access on 192.168.60.5, the old and buggy system placed into the network by the disgruntled CHM employee.


Research

NVD (National Vulnerability Database, at NIST)


Step-4

Look what the attacker does first with her root-level access on the DMZ dot-5 machine.


Research

(figure)


The Incident: Steps-3&4

Attacker runs an FTP exploit and gets ______-level access (Step-5). Then (Step-6) copies the two files __________________ and __________________ to the DMZ machine's /tmp directory, then FTPs those files to 172.27.20.____
The Incident: Step-5

Ardala FTPs to her "drop site" to save the two password files (Step-6) and also to download:
Server.c for use in a ________ attack, and
Datapipe for use in _______-_______________
The Incident: Step-6

Attacker adds two new accounts on the Linux box: user ____________ with UID 0, and user _____________ with normal user privileges.

What was the attacker's thinking on adding a user with "normal" user privileges?
Ans: ________________ _____________________________
The Incident: Step-7

Attacker runs a cracking tool on her dot-5 system which succeeds in discovering several of the CHMPlans account credentials.

Attacker logs in from dot-105 via ssh as normal user pete, then uses the ______ command to elevate to root privileges, then compiles ________________.c to activate it.
The Incident: Steps-8&9

Attacker then compiles Server.c and runs the Datapipe program, telling it to accept connections on port _____ then to forward those on to port ________ on machine ________________

Attacker uses one of the cracked accounts (Step-9) to SSH from the DMZ dot-5 to the DMZ dot-3 machine, then retrieves Server.c and Datapipe from her dot-5 drop site.
The Incident: Step-10

Datapipe on 172.27.20.3 is configured to accept connections to TCP port _______ (RDP) & forward them to port _____ on ____________ (IP)

Datapipe on 192.168.60.3 is configured to accept connections to TCP port _____ & forward them to port ________ on _______________ (IP)
The Incident: Step-10

Or more simply…

(figure: relay chain, ports 3389 → 53 → 3389)
The Incident: Step-10

(figure: relay chain, ports 3389 → 53 → 3389)

Note how 192.168.60.3 has been set up as a __________ _________ for transitive connectivity into CHM's private, internal network.
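The relay mechanics behind Step-10, as an added example that is not code from the slides or from the Tao book: a small TCP forwarder in the spirit of Datapipe. Each instance listens on one port and copies bytes in both directions to a fixed host:port; two chained instances give exactly the transitive path the slide describes (Internet dot-3 on 3389 → DMZ dot-3 on 53 → 10.10.10.3 on 3389). The `EchoServer` standing in for the target, the loopback addresses and the ephemeral ports are assumptions for a self-contained demonstration; the scenario's own addresses appear only in the `__main__` stanza.

```python
"""Datapipe-style TCP relay (added example; not the RIM's actual tool)."""
import socket
import threading


def pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst
    so the EOF propagates along the chain."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, target):
    """One accepted connection: open the onward hop and pump both ways."""
    remote = socket.create_connection(target)
    back = threading.Thread(target=pump, args=(remote, client), daemon=True)
    back.start()
    pump(client, remote)
    back.join()
    client.close()
    remote.close()


class Datapipe:
    """Listen on listen_port and forward every connection to target host:port.
    Port 0 asks the OS for an ephemeral port (used by the demo below)."""

    def __init__(self, listen_port, target_host, target_port, listen_host="127.0.0.1"):
        self.target = (target_host, target_port)
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_host, listen_port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handle, args=(client, self.target), daemon=True).start()

    def close(self):
        self.sock.close()


class EchoServer:
    """Assumed stand-in for the final target service: echoes what it receives."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return
            threading.Thread(target=self._echo, args=(conn,), daemon=True).start()

    @staticmethod
    def _echo(conn):
        pump(conn, conn)  # echo until EOF, then half-close
        conn.close()

    def close(self):
        self.sock.close()


def relay_roundtrip(payload: bytes) -> bytes:
    """Client -> pipe A -> pipe B -> echo server and back, all on loopback.
    Mirrors the two-hop chain: A plays the Internet dot-3 box, B the DMZ dot-3 box."""
    echo = EchoServer()
    pipe_b = Datapipe(0, "127.0.0.1", echo.port)    # DMZ hop ("port 53" in the RIM)
    pipe_a = Datapipe(0, "127.0.0.1", pipe_b.port)  # Internet hop ("port 3389" in the RIM)
    chunks = []
    with socket.create_connection(("127.0.0.1", pipe_a.port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # EOF travels down the chain and back
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    for s in (pipe_a, pipe_b, echo):
        s.close()
    return b"".join(chunks)


if __name__ == "__main__":
    # The RIM's configuration (scenario addresses; not exercised by the demo):
    # on 172.27.20.3:   Datapipe(3389, "192.168.60.3", 53, listen_host="0.0.0.0")
    # on 192.168.60.3:  Datapipe(53, "10.10.10.3", 3389, listen_host="0.0.0.0")
    print(relay_roundtrip(b"RDP bytes ride the relay"))
```

Note what the defender sees at each hop: the DMZ host accepts a TCP/53 session that carries RDP rather than DNS, and the internal host sees an RDP login arriving from a DMZ address. Neither hop knows the true origin, which is the point of the relay.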
The Incident: Step-11

(figure: relay chain, ports 3389 → 53 → 3389)

Attacker runs _______________ (program) through this relay network to brute-force crack usernames & passwords on systems running Microsoft Terminal Services.
Step-11

TSgrinder running from 172.27.20.105 to 172.27.20.3 (but forwarded via Datapipe all the way to 10.10.10.3).

Tsgrinder video (5.7 mins) at https://www.youtube.com/watch?v=uXuuy2ZBQRg
The Incident: Step-12

(figure: relay chain, ports 3389 → 53 → 3389)

Attacker discovers the admin password on 10.10.10.3, then connects, via her pivot-point system, to the RDP (Terminal Service) running on the target machine.
Step-13

Where are the plans being copied to?

Ans: _____________________
The Incident: Step-14

Do you recognize the "nc" command?

Ans: It's short for ____________; the attacker is connecting to her own machine to access her mstream program.
The Incident: Step-14

What else does the attacker do that will likely divert attention (redirect "eyeballs") away from this data _____________ attack?

Ans: ___________________ _______________________ _______________________
Research

Sample Google result for "Port 6723", this one from http://www.auditmypc.com/tcp-port-6723.asp


Research

Informative mstream overview for the inquisitive Incident Analyst at → http://www.giac.org/paper/gcih/132/mstream-ddos-plain-simple/100598


Initial Incident Lead(s)?

Discussion: Assuming you're an incident handler for CHM, which of the above I&W or AS&W will you have investigative access to? What would you "search for" among your millions of logged packets?
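One concrete answer to the discussion question, as an added example that is not part of the slides or the Tao book: triage logic run over flow-style records (time, source, destination, protocol, destination port, bytes) for the leads the scenario leaves behind. The records are constructed here to mirror the incident (the Step-2 sweep of the DMZ, the Step-6 FTP push to the drop site, the Step-10 relay riding TCP/53, the Step-12 RDP session from the DMZ into the private network, the Step-14 reach-back); the byte and target-count thresholds are assumptions, and the two swept ports are chosen for the sample rather than taken from the scenario.

```python
"""Flow-record triage for the RIM's indicators (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space from the "Environment" slides
ZONES = {
    "internet": ip_network("172.27.20.0/24"),
    "dmz": ip_network("192.168.60.0/24"),
    "internal": ip_network("10.10.10.0/24"),
}


def zone(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


# Constructed flow records: (seconds, src, dst, proto, dport, bytes)
FLOWS = [
    # benign background traffic (constructed)
    (10, "10.10.10.20", "192.168.60.3", "udp", 53, 120),        # ordinary DNS lookup
    (20, "172.27.20.9", "192.168.60.3", "tcp", 80, 4_000),      # web visit to the DMZ
    # Step-6: the DMZ dot-5 box pushes the password files to the drop site
    (400, "192.168.60.5", "172.27.20.105", "tcp", 21, 9_000),
    # Step-10/12: RDP tunnelled over TCP/53 into the DMZ, re-emitted as RDP inward
    (900, "172.27.20.3", "192.168.60.3", "tcp", 53, 250_000),
    (900, "192.168.60.3", "10.10.10.3", "tcp", 3389, 250_000),
    # Step-14: the target reaches back out; 6723 is the port the slides send the analyst to research
    (1200, "10.10.10.3", "172.27.20.105", "tcp", 6723, 1_500),
]
# Step-2: a sweep of the DMZ for two ports, one tiny flow per probe (ports chosen for the sample)
FLOWS += [(100, "172.27.20.105", f"192.168.60.{h}", "tcp", p, 44)
          for h in range(1, 21) for p in (21, 22)]


def sweep_sources(flows, min_targets=20, max_bytes=100):
    """One source probing many (host, port) pairs with flows too small
    to have carried a real session: the signature of a SYN sweep."""
    targets = defaultdict(set)
    for _, src, dst, proto, dport, nbytes in flows:
        if proto == "tcp" and nbytes <= max_bytes:
            targets[src].add((dst, dport))
    return sorted((src, len(t)) for src, t in targets.items() if len(t) >= min_targets)


def bulk_tcp53(flows, max_bytes=4_096):
    """Legitimate TCP/53 is small (truncated answers, the odd zone transfer);
    a heavy TCP/53 session is something else wearing DNS's port."""
    return [f for f in flows if f[3] == "tcp" and f[4] == 53 and f[5] > max_bytes]


def dmz_to_internal_rdp(flows):
    """A DMZ host opening Terminal Services into the private network."""
    return [f for f in flows
            if f[4] == 3389 and zone(f[1]) == "dmz" and zone(f[2]) == "internal"]


def outbound_from_inside(flows, ports=(21, 6723)):
    """DMZ or internal hosts initiating sessions to the Internet on ports
    a server has no business originating (assumed watch-list)."""
    return [f for f in flows
            if zone(f[2]) == "internet" and zone(f[1]) in ("dmz", "internal") and f[4] in ports]


def triage(flows):
    """Run every rule and return the leads keyed by rule name."""
    return {
        "sweep_sources": sweep_sources(flows),
        "bulk_tcp53": bulk_tcp53(flows),
        "dmz_to_internal_rdp": dmz_to_internal_rdp(flows),
        "outbound_from_inside": outbound_from_inside(flows),
    }


if __name__ == "__main__":
    for rule, hits in triage(FLOWS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

Each rule maps to a sensor position: the sweep and the TCP/53 session are visible only at the Internet/DMZ boundary, the RDP hop only between the DMZ and the private network, and the FTP push and reach-back only if outbound flows from servers are logged at all. That is the practical content of "which AS&W will you have access to".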
Delivery Vectors Involved
(Table D-A-1 of CJCSM 6510.01B)
Finished