Intelligence Concepts - The SANS Incident Response Process

Getting away from the abstract to something more distinctly DFIR, we get to the (in)famous SANS Incident Response Process. The basis of SANS 504: Incident Response & Hacker Techniques, this process attempts to codify the typical incident into key steps. It is an essential process that helps form a cogent understanding of how an incident unfolds, but its limitations need to be just as well understood.

SANS Incident Response Process

SANS Incident Response Cycle (figure): Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned

Preparation: Getting ready for incident response: creating documentation, building tools, etc.
Identification: The first moment the victim becomes aware an attack has occurred, hopefully through an internal process or alert.
Containment: The process of keeping further damage from occurring. This could involve deploying patches, blocking C2 access, or pulling a system's power cord out of the wall.
Eradication: In a malware-centric response this is about remediating compromised hosts, removing implants, etc.
Recovery: The process of restoring all business functions, such as bringing a compromised server back online.
Lessons Learned: The most commonly forgotten step, lessons learned is about asking “How can we do better next time?” and avoiding the same mistakes twice.

A Walk Through the SANS Incident Response Process

The SANS IR Process is built around a typical malware-based event: a single-threaded incident and response. For this case we’ll walk through a typical remote access trojan (RAT) incident.

Preparation

Strategic preparation includes deploying sensors, developing processes, hardening systems and networks, etc. For a malware incident such as this, tactical preparation includes deploying signatures based on known indicators and heuristics.

Identification

Malware is most commonly identified in one of two ways. The ideal is before or right at the moment of deployment, generally using a wire-line product like FireEye or an intrusion detection system like Snort.

Containment

In my experience this is the number one action that teams ignore. Teams often respond to malware incidents by jumping straight to eradication, in most cases because containment requires manual intervention. The best teams are able to programmatically and remotely contain individual systems as well as entire subnets. This is a powerful capability and worth the effort.

Eradication

This is the religious battle of the group. Some people trust AV to get rid of malware, but I come from the school of burn it down, wipe, and reload. Most malware is removable, but take a look at Kaspersky’s Equation report and see how you feel.

Recovery

If you take the AV approach, then once your antivirus runs and quarantines the malware I suppose you consider things recovered. If you take my approach, recovery tends to mean setting up a new system and restoring from backups.

Aside: Make sure the backups themselves are clean as well. Nothing is worse than reintroducing an infection by restoring a malicious PDF or reinstalling a RAT.

Lessons Learned
After an incident the key is taking any and all information learned and putting it to further use (this is a nascent threat intelligence process). Its importance can’t be overstated.

Fool me once, shame on you. Fool me twice, shame on me.

Malware analysis leads to new indicators and new detection, and after-action reports can show gaps in detection. Both feed a new preparation phase, most often in the form of an After-action Report.
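The aside above about clean backups and the point here about indicators feeding the next preparation phase meet in one practical check. As an added example (not code from the original post), this Python script harvests the implant hash and C2 hosts from a plain-text after-action report and vets a restore set against them before recovery, so a backup containing the implant or a document that calls out to the C2 host is not restored. The report layout, file paths and indicator values are constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field

@dataclass
class Indicators:
    """Indicators harvested from the after-action report."""
    sha256: set = field(default_factory=set)
    c2_hosts: set = field(default_factory=set)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def indicators_from_report(text: str) -> Indicators:
    """Harvest implant hashes and C2 hosts from a plain-text after-action report.
    Assumed report convention: any 64-hex-digit token is an implant SHA-256 and
    lines of the form 'C2: <host or IP>' list command-and-control endpoints."""
    hashes = set(re.findall(r"\b[0-9a-f]{64}\b", text))
    hosts = set(re.findall(r"^C2:\s*(\S+)", text, flags=re.MULTILINE))
    return Indicators(sha256=hashes, c2_hosts=hosts)

def scan_restore_set(files: dict, iocs: Indicators) -> list:
    """Return (path, reason) for each file in the restore set that matches an IOC.
    `files` maps restore path -> bytes. A hash hit means the implant itself sits
    in the backup; an embedded C2 host catches the malicious-document case."""
    hits = []
    for path, data in sorted(files.items()):
        digest = sha256_hex(data)
        if digest in iocs.sha256:
            hits.append((path, "sha256 matches known implant"))
            continue
        body = data.decode("latin-1")  # lossless text view of arbitrary bytes
        for host in sorted(iocs.c2_hosts):
            if host in body:
                hits.append((path, f"embeds C2 host {host}"))
                break
    return hits

# Constructed sample data: a stand-in implant, a report naming it, and a restore set.
RAT_BYTES = b"MZ\x90\x00 constructed RAT implant stand-in"
RAT_SHA256 = sha256_hex(RAT_BYTES)
AAR_TEXT = f"""Incident after-action report (constructed sample)
Implant sha256: {RAT_SHA256}
C2: update.example.invalid
C2: 203.0.113.7
"""
RESTORE_SET = {
    "C:/Windows/Temp/svchost.exe": RAT_BYTES,
    "C:/Users/alice/Documents/invoice.pdf":
        b"%PDF-1.4 ... /URI (http://update.example.invalid/beacon) ...",
    "C:/Users/alice/Documents/budget.xlsx": b"PK\x03\x04 constructed clean file",
}

def blocked_paths() -> list:
    """Paths that must be excluded from the restore before recovery proceeds."""
    iocs = indicators_from_report(AAR_TEXT)
    return [path for path, _ in scan_restore_set(RESTORE_SET, iocs)]

if __name__ == "__main__":
    for path, reason in scan_restore_set(RESTORE_SET, indicators_from_report(AAR_TEXT)):
        print(f"DO NOT RESTORE {path}: {reason}")
```

In a real restore the hash set would come from the malware analysis of the incident and the scan would run over the backup catalogue rather than an in-memory dict; the two-stage check (exact hash, then embedded indicator) is the part that carries over.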

Takeaways from SANS Incident Response Process

This process gives a solid, basic understanding of the incident process and makes it easy to frame the common actions of an incident. As responders get more advanced the process starts showing flaws, since incident response can’t be so rigid. Organizations never have a true preparation stage: they are always under attack and never able to call a time out to get their house in order. Stages like containment, eradication, and recovery often run concurrently. The process is malware-centric, and becomes difficult to apply to other forms of incidents.

The other issue is that the traditional SANS IR process was developed before the beginning of intelligence-driven incident response. It has no integration with external intelligence sources or dissemination. It’s useful in the short term, but we can do better.

SANS 504: Incident Response & Hacker Techniques

SEC504: Hacker Tools, Techniques, Exploits and Incident Handling

Incident response is the most underused aspect in small companies. SEC504 gives us the ability to help management understand the value. --David Freedman, Nationwide Payment Solutions

It is great to understand how hackers are exploiting a variety of systems. Learning how to prevent these as best as possible is imperative to protect key systems and resources. SEC504 course concepts are great. --Samantha Hanagan, Texel Tek

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and who doesn't!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

By helping you understand attackers' tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, this course helps you turn the tables on computer attackers. It addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning for, exploiting, and defending systems. It will enable you to discover the holes in your system before the bad guys do!

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

You Will Learn:

How best to prepare for an eventual breach
The step-by-step approach used by many computer attackers
Proactive and reactive defenses for each stage of a computer attack
How to identify active attacks and compromises
The latest computer attack vectors and how you can stop them
How to properly contain attacks
How to ensure that attackers do not return
How to recover from computer attacks and restore systems for business
How to understand and use hacking tools and techniques
Strategies and tools for detecting each type of attack
Attacks and defenses for Windows, Unix, switches, routers, and other systems
Application-level vulnerabilities, attacks, and defenses
How to develop an incident handling process and prepare a team for battle
Legal issues in incident handling

SEC504.1: Incident Handling Step-by-Step and Computer Crime Investigation

Securing an infrastructure is a complex task of balancing business needs against security risks. With the discovery of new vulnerabilities almost on a daily basis, there is always the potential for an intrusion. In addition to online intrusions, physical incidents like fires, floods, and crime all require a solid methodology for incident handling to be in place to get systems and services back online as quickly and securely as possible.

The first part of this section looks at the invaluable Incident Handling Step-by-Step model, which was created through a consensus process involving experienced incident handlers from corporations, government agencies, and educational institutes, and has been proven effective in hundreds of organizations. This section is designed to provide students a complete introduction to the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery, and lessons learned) one needs to follow to prepare for and deal with a computer incident.

The second part of this section examines from-the-trenches case studies to understand what does and does not work in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.

Building an incident response kit
Identifying your core incident response team
Instrumentation of the site and system

Signs of an incident
First steps
Chain of custody
Detecting and reacting to Insider Threats

Documentation strategies: video and audio
Containment and quarantine
Pull the network cable, switch and site
Identifying and isolating the trust model

Evaluating whether a backup is compromised
Total rebuild of the Operating System
Moving to a new architecture

Who makes the determination to return to production?
Monitoring the system
Expect an increase in attacks

Special Actions for Responding to Different Types of Incidents
Inappropriate use
Incident Record-keeping
Pre-built forms
Legal acceptability

Incident Follow-up
Lessons learned meeting
Changes in process for the future

SEC504.2: Computer and Network Hacker Exploits - Part 1

Seemingly innocuous data leaking from your network could provide the clue needed by an attacker to blow your systems wide open. This day-long course covers the details associated with reconnaissance and scanning, the first two phases of many computer attacks.

Your networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage, attackers also conduct detailed scans of systems, scouring for openings to get through your defenses. To break into your network, they scope out targets of opportunity, such as weak DMZ systems and firewalls, unsecured modems, or the increasingly popular wireless LAN attacks. Attackers are increasingly employing inverse scanning, blind scans, and bounce scans to obscure their source and intentions. They are also targeting firewalls, attempting to understand and manipulate rule sets to penetrate our networks. Another very hot area in computer attacks involves Intrusion Detection System evasion, techniques that allow an attacker to avoid detection by these computer burglar alarms.

If you do not have the skills needed to understand these critical phases of an attack in detail, you will not be able to protect your network. Students who take this course and master the material will understand these attacks and the associated defenses.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's systems. You also need to advise your network and computer operations teams of your testing schedule.

Hands-on Exercises with the Following Tools:
InSSIDer for Wireless LAN discovery
Nmap Port Scanner and Operating System fingerprinting tool
Nessus Vulnerability Scanner
Windows Command Line Kung-Fu for extracting Windows data through SMB sessions

What does your network reveal?
Are you leaking too much information?
Using Whois lookups, ARIN, RIPE and APNIC
Domain Name System harvesting
Data gathering from job postings, websites, and government databases
Identifying publicly compromised accounts
FOCA for metadata analysis

Locating and attacking unsecure wireless LANs
War dialing with War-VOX for renegade modems and unsecure phones
Port scanning: Traditional, stealth, and blind scanning
Active and passive Operating System fingerprinting
Determining firewall filtering rules
Vulnerability scanning using Nessus and other tools
CGI scanning with Nikto

Intrusion Detection System (IDS) Evasion
Foiling IDS at the network level: Fragmentation and other tricks
Foiling IDS at the application level: Exploiting the rich syntax of computer languages
Using Fragroute and Web Attack IDS evasion tactics
Bypassing IDS/IPS with TCP obfuscation techniques

SEC504.3: Computer and Network Hacker Exploits - Part 2

Computer attackers are ripping our networks and systems apart in novel ways, while constantly improving their techniques. This day-long course covers the third step of many hacker attacks: gaining access.

Attackers employ a variety of strategies to take over systems from the network level up to the application level. This section covers the attacks in depth, from the details of buffer overflow and format string attack techniques to the latest in session hijacking of supposedly secure protocols. Additionally, you will get hands-on experience in running sniffers and the incredibly flexible Netcat tool.

Administrators need to get into the nitty-gritty of how the attacks and their associated defenses work if they want to effectively defend against these invasions. For each attack, the course explains the vulnerability, how various tools exploit it, the signature of the attack, and how to harden the system or application against the attack. Students who sign an ethics and release form are issued a DVD containing the attack tools examined in class.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.

Hands-on Exercises with the Following Tools:
Sniffers, including Tcpdump
Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
Netcat for transferring files, creating backdoors, and setting up relays
Metasploit, Metasploit, Metasploit. Lots of Metasploit.
ARP and MAC analysis for ARP cache poisoning attack detection

Network-Level Attacks
Session hijacking: From Telnet to SSL and SSH
Monkey-in-the-middle attacks
Passive sniffing

Gathering and Parsing Packets
Active sniffing: ARP cache poisoning and DNS injection
DNS cache poisoning: Redirecting traffic on the Internet
Using and abusing Netcat, including backdoors and nasty relays
IP address spoofing variations

Operating System and Application-level Attacks
Buffer overflows in-depth
The Metasploit exploitation framework
Format string attacks

Netcat: The Attacker's Best Friend
Transferring files, creating backdoors, and shoveling shell
Netcat relays to obscure the source of an attack
Replay attacks

SEC504.4: Computer and Network Hacker Exploits - Part 3

This course starts out by covering one of the attackers' favorite techniques for compromising systems: worms. We will analyze worm developments over the last two years and project these trends into the future to get a feel for the coming Super Worms we will face. Then the course turns to another vital area often exploited by attackers: web applications. Because most organizations' homegrown web applications do not get the security scrutiny of commercial software, attackers exploit these targets using SQL injection, cross-site scripting, session cloning, and a variety of other mechanisms discussed in detail.

The course also presents a taxonomy of nasty denial-of-service attacks, illustrating how attackers can stop services or exhaust resources, as well as what you need to do to prevent their nefarious deeds.

Once intruders have gained access into a system, they want to keep that access, preventing pesky system administrators and security personnel from detecting their presence. To fool you, attackers install backdoor tools and manipulate existing software on a system to maintain access to the machine on their own terms. To defend against these attacks, you need to understand how attackers alter systems to discover the sometimes-subtle hints associated with system compromise. This course arms you with the understanding and tools you need to defend against attackers' maintaining access and covering their tracks.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.

Hands-on Exercises with the Following Tools and Topics:
Password cracking
Cross-site scripting and SQL injection web application attacks
Detecting DoS attacks

Password Cracking
Analysis of worm trends
Password cracking with John the Ripper
Rainbow Tables
Password spraying

Web Application Attacks
Account harvesting
SQL Injection: Manipulating back-end databases
Session Cloning: Grabbing other users' web sessions
Cross-Site Scripting

Denial-of-Service Attacks
Distributed Denial of Service: Pulsing zombies and reflected attacks
Local Denial of Service

SEC504.5: Computer and Network Hacker Exploits - Part 4

This day-long course covers the fourth and fifth steps of many hacker attacks: maintaining access and covering their tracks. Computer attackers install backdoors, apply Rootkits, and sometimes even manipulate the underlying kernel itself to hide their nefarious deeds. Each of these categories of tools requires specialized defenses to protect the underlying system. In this course, we will analyze the most commonly used malicious code specimens, as well as explore future trends in malware, including BIOS-level and combo malware possibilities.

Attackers also cover their tracks by hiding files, sniffers, network usage, and active processes. Additionally, super stealthy sniffing backdoors are increasingly being used to thwart investigations. Finally, attackers often alter system logs, all in an attempt to make the compromised system appear normal. This course gives you the tools and techniques you need to detect and respond to these activities on your computers and network.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.

Hands-on Exercises with the Following Tools:

RootKits and detection
Detecting backdoors with Netstat, lsof
Hidden file detection with LADS
Covert channels using Covert_TCP
HTTP Reverse Shells using Base64

Maintaining Access
Backdoors: Using Poison Ivy, VNC, Ghost RAT, and other popular beasts
Trojan horse backdoors: A nasty combo
Rootkits: Substituting binary executables with nasty variations
Kernel-level Rootkits: Attacking the heart of the Operating System (Rooty, Avatar, and Alureon)

Covering the Tracks
File and directory camouflage and hiding
Log file editing on Windows and Unix
Accounting entry editing: UTMP, WTMP, shell histories, etc.
Covert channels over HTTP, ICMP, TCP, and other protocols
Sniffing backdoors and how they can really mess up your investigations unless you are aware of them
Steganography: Hiding data in images, music, binaries, or any other file type
Memory analysis of an attack

Putting It All Together
Specific scenarios showing how attackers use a variety of tools together
Analyzing scenarios based on real-world attacks
Learning from the mistakes of other organizations
Where to go for the latest attack info and trends

SEC504.6: Hacker Tools Workshop

Over the years, the security industry has become smarter and more effective in stopping hackers. Unfortunately, hacker tools are becoming smarter and more complex. One of the most effective methods to stop the enemy is to actually test the environment with the same tools and tactics an attacker might use against you.

This workshop lets you put what you have learned over the past week into practice. You will be connected to one of the most hostile networks on earth. This network simulates the Internet and allows students to try actual attacks against live machines and learn how to protect against these attacks. This workshop will supplement the classroom training that students have already received and give them flight time with the attack tools to better understand how they work. Instructors will give guidance on exactly what is happening as exploits and defensive measures are running. As students work on various exploits and master them, the environment will become increasingly difficult, so students will have to master additional skills in order to successfully complete the exercises.

Additionally, students can participate in the workshop's Capture the Flag event. By penetrating systems, discovering subtle flaws, and using puzzle-solving techniques, you can test the skills you have built over the week in this engaging contest. The Capture the Flag victors will win a prize.

In sum, paranoia is good! Your laptop will be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if (actually, when) someone in the class attacks it in the workshop. Bring the right equipment and prepare it in advance to maximize what you will learn and the fun you will have doing it.

Hands-on Analysis
Nmap port scanner
Nessus vulnerability scanner
Network mapping
Netcat: File transfer, backdoors, and relays
More Metasploit
Exploitation using built-in OS commands
Privilege escalation
Advanced pivoting techniques