Expediting Incident Response with Foundstone ERS
Foundstone Inc.
August, 2003
Enterprise Risk Solutions Platform Supports Successful Response and Remediation
Introduction
The Foundstone Enterprise Risk Solutions (ERS) platform is typically used to identify and mitigate security
weaknesses prior to any exploitation. Available as a large-scale enterprise solution, dedicated hardware, a
hosted service, and a desktop application, Foundstone ERS helps organizations preserve the confidentiality,
integrity, and availability of their data by preventing compromise before it happens.
If an intrusion occurs, however, Foundstone ERS also offers powerful tools for computer security incident
response teams (CSIRTs) and forensic investigators. Foundstone ERS must be used with care. It is primarily a
remedial tool and does not replace the other elements of a sound security plan. Yet it can help a CSIRT decide
on the most appropriate course of action. In fact, Foundstone consultants have successfully leveraged
Foundstone ERS in the field to achieve effective, cost-efficient incident response.
CSIRTs in Action
When an intrusion is detected, the CSIRT must quickly answer several questions. What is the scope of the
incident? How many resources are affected, and what is the damage? When and how was the organization
penetrated? How does the organization limit the impact of the current intrusion and prevent future ones?
The CSIRT first looks for evidence of past intrusions. Unfortunately, after being compromised, most
organizations realize they were not collecting or storing the right kinds of data. Ideally, the CSIRT has access
to host-based evidence such as server and application logs, suspicious files, and other material stored on
affected computers. Network-based evidence, including logs generated by firewalls, routers, and intrusion
detection systems, is also very valuable. Interviewing staff, perusing newsgroups and IRC, and contacting law
enforcement agencies that might be aware of similar intrusions are other ways to obtain useful information.
The next step for the CSIRT is managing certain aspects of the organization’s existing security posture. This
involves increasing the data collected from hosts and the network at large. At this late stage, many intruders
have taken steps to hide their activities. Only the most skilled incident responders with the best tools will be
able to bring their actions to light.
After examining what happened in the past and taking a closer look at what is happening in the present, the
CSIRT can begin to theorize about the full nature of the intrusion. Although theorizing doesn’t prove anything
about the compromise, it is a valid way to guide ongoing incident response.
www.foundstone.com
© 2003 Foundstone, Inc. All Rights Reserved - 1
Determining Incident Scope
To understand the scope of an incident, the CSIRT must see the enterprise from the vantage point of the
attacker. An accurate depiction of the network architecture—including all access methods, systems, services,
and weaknesses—is essential. Unfortunately, incident responders often find that available network blueprints
are outdated and potentially misleading.
Organizations that suffer ongoing intrusions frequently identify subnets or systems they cannot account for, or
thought were unavailable or disconnected. On these “test” or “obsolete” subnets, malicious users can quickly
find and exploit unpatched and undefended hosts.
With its powerful enumeration capabilities, Foundstone ERS creates a clear, accurate picture of the enterprise.
It discovers hosts and network devices, collects data about them, and presents this information in easy-to-read
tables and diagrams. Foundstone ERS also helps the CSIRT understand a device’s context: how it fits
within the overall network topology. Although the concept is simple, the value of an up-to-date network
diagram cannot be overstated when determining incident scope.
Countering Unauthorized Access
In addition to understanding a network’s topology, CSIRTs must know what is and what is not accessible
from the Internet. Intruders already know the routes to gain unauthorized access, but CSIRTs might not.
There are three primary methods that intruders use to compromise target computers: abuse, subversion, and
breach. By associating a list of services, versions, and vulnerabilities with every device and network node,
Foundstone ERS offers a powerful way to find applications and services susceptible to the three types of
exploits. Although security professionals typically use this inventory to assign remediation duties, CSIRTs can
use it to identify the ways an intruder might have penetrated an organization.
Abuse
Illegitimate use of legitimate access modes is called abuse of a service. For example, an intruder might access a
server via telnet, secure shell, or Microsoft Terminal Services, and then log in using a valid but stolen or
guessed username and password (credentials). This fully compromises the computer, its data, and the
credentials.
Through its service enumeration techniques, Foundstone ERS identifies how intruders might abuse a service.
Foundstone ERS checks for default or easily guessed username/password combinations. It also lists the services
that can be used to gain remote access to a computer, such as telnet, secure shell, Microsoft Terminal Services,
and others. This can head off unpleasant surprises. Expecting to find only secure shell available to Internet
users, the CSIRT might discover—thanks to Foundstone ERS—that telnet and Microsoft Terminal Services are
available as well.
Subversion
Subversion involves making a service perform in a manner not anticipated by its programmers. Analyzing
systems that offer easily subverted services is an important aspect of incident response. For example,
unpatched Microsoft IIS 5.0 Web servers are susceptible to manipulation via Unicode data encoding.
Malicious users can pass specially formatted Unicode strings to the Web server, forcing it to execute
commands outside its intended mode of operation. Although these techniques do not stop the Web server from
running, they subvert its functionality.
Foundstone ERS detects Web servers and other systems that have these types of vulnerabilities. If the CSIRT
finds publicly facing Web servers that can be subverted, it is extremely likely that an intruder knows about
them also.
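The subversion described above leaves traces in the Web server’s own request logs, which is the kind of host-based evidence this paper says to collect before enumeration begins. The following is an added example, not code from the paper or from Foundstone ERS: it reads a W3C-style IIS log and flags requests whose path uses an overlong UTF-8 encoding (the “specially formatted Unicode strings” above) or that escapes the Web root once decoded, so it also catches ordinary percent-encoded traversal. The log lines and addresses are constructed, and the example assumes the server logged the path as received (still percent-encoded); if the server logs the decoded form, the traversal check still applies and only the overlong check is lost.

```python
"""Flag requests in an IIS W3C log that use overlong UTF-8 encodings or that
escape the web root after decoding.

Added example, not Foundstone ERS code. The log lines are constructed; the
field list mirrors a typical W3C extended log. Assumption: the server logged
the request path as received (still percent-encoded)."""
import re
from urllib.parse import unquote_to_bytes

# Constructed log excerpt: a normal page, a request using an overlong encoding
# of "/" inside "..", a legitimately encoded non-ASCII filename, and a plain
# percent-encoded traversal attempt.
LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-01 10:15:01 198.51.100.7 GET /default.htm - 200
2003-08-01 10:15:09 198.51.100.7 GET /scripts/..%c0%af../config.txt - 200
2003-08-01 10:15:30 198.51.100.9 GET /docs/caf%c3%a9.htm - 200
2003-08-01 10:16:02 198.51.100.7 GET /images/%2e%2e/%2e%2e/boot.ini - 404
"""


def lenient_utf8(raw: bytes):
    """Decode UTF-8 the way a permissive server might, accepting overlong forms.
    Returns (text, list_of_overlong_sequences). Python's strict decoder would
    reject these sequences, which is exactly why a filter that only looks at
    the strictly decoded path misses them."""
    out, overlong, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:
            need, cp, floor = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            need, cp, floor = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            need, cp, floor = 3, b & 0x07, 0x10000
        else:                       # stray continuation byte: keep as Latin-1
            out.append(chr(b)); i += 1; continue
        tail = raw[i + 1:i + 1 + need]
        if len(tail) < need or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append(chr(b)); i += 1; continue   # malformed: keep lead byte
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < floor:              # encodable in fewer bytes: overlong
            overlong.append(bytes(raw[i:i + 1 + need]))
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out), overlong


def escapes_root(path: str) -> bool:
    """True if the normalized path climbs above the web root."""
    depth = 0
    for seg in re.split(r"[/\\]", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_uri(uri_stem: str):
    """Return the reasons a request path looks suspicious (empty list if none)."""
    text, overlong = lenient_utf8(unquote_to_bytes(uri_stem))
    reasons = []
    if overlong:
        reasons.append("overlong-utf8")
    if escapes_root(text):
        reasons.append("traversal")
    return reasons


def scan(log_text: str):
    """Parse W3C lines and return one finding per suspicious request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        reasons = analyze_uri(rec["cs-uri-stem"])
        if reasons:
            findings.append({"c-ip": rec["c-ip"], "uri": rec["cs-uri-stem"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(LOG):
        print(f["c-ip"], f["uri"], ",".join(f["reasons"]))
```

Run as a script, it prints the two suspicious requests with their reasons; the valid non-ASCII filename is not flagged because its two-byte sequence is the shortest encoding of that character. Decoding leniently before the traversal check is the point: a filter that normalizes with a strict decoder never sees the “/” hidden inside the overlong sequence.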
Breach
To breach a service means to “break” it and stop it from running. This differs from subversion, which does
not interrupt service. At its basic level, breaking an application is a form of denial of service—shutting down
an organization’s Web server, for instance. Intruders can also instruct a broken application to perform new,
illegitimate actions. Buffer overflows are well-known examples. Intruders use buffer overflows to break a
target service and then replace it with a shell that gives command-line access.
As with services vulnerable to subversion, Foundstone ERS identifies services susceptible to being
broken. These classes of attacks, often called “silver bullets,” can be very damaging. Although a subverted
service might act as an unprivileged user, a broken application more frequently acts with system privileges.
Guiding Remediation
The most effective remediation happens before a compromise takes place, preventing an intrusion or limiting
its extent. Vulnerable Internet-facing computers with sensitive information must be patched or reconfigured as
quickly as possible, for instance.
During or after a compromise, however, the issues are different. Naturally, remediation should limit the
impact of the intrusion and prevent further loss of information. However, within this imperative, two courses
of action are possible: “protect and proceed” or “pursue and prosecute.”
“Protect and proceed” focuses on limiting damage and restoring service. The CSIRT collects evidence for these
ends, not to put an intruder in jail. “Pursue and prosecute” takes a different approach. An intruder might be
allowed limited access to a target network to determine the scope of the compromise and collect evidence of
guilt. When an intruder’s capabilities and intentions are sufficiently understood, access is terminated. The
CSIRT reports what it has learned to law enforcement, which may or may not prosecute.
Foundstone ERS helps in both scenarios because, at some point, the CSIRT limits the intruder’s access. This is
where Foundstone ERS really shines during incident response. And by integrating the information that
Foundstone ERS gathers about a network and its vulnerabilities, the CSIRT can plan and complete an
effective, cost-efficient remediation.
For example, the CSIRT’s investigation might discover that an intruder gained access to the enterprise via
NetBIOS/Server Message Block (SMB) services and the “psexec” tool available at www.sysinternals.com.
Using assessment results from Foundstone ERS, the CSIRT might see that NetBIOS/SMB ports (UDP: 137-138;
TCP: 139, 445) are available to the Internet. The CSIRT knows it must deny these ports at the border router
and/or the firewall.
Taking this example one step further illustrates the value of knowing which services and access methods are
exposed to the Internet. Assume that the CSIRT denies the NetBIOS/SMB ports as stated. What if Foundstone ERS
also identifies unpatched IIS and SQL servers? Intruders are tenacious. Once evicted from a network, they are
determined to regain access. In this case, an intruder denied NetBIOS/SMB access would quickly exploit these
Web and database vulnerabilities instead.
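Two of the checks this paper describes are mechanical once the enumeration results are in hand: comparing what is reachable from the Internet with what the organization expects to expose (the “secure shell only” host that also answers on telnet and Terminal Services, under Abuse above), and testing whether a proposed remediation plan closes every remaining entry point (denying NetBIOS/SMB while IIS and SQL stay unpatched, as just described). The following added example is not Foundstone ERS code or output; the hosts, addresses and assessment records are constructed to mirror both scenarios, and the record format is an assumption.

```python
"""Compare an enumeration result with the services an organization expects
to expose, then test whether a proposed remediation plan closes every
plausible entry point.

Added example, not Foundstone ERS code or output. The assessment records and
addresses are constructed: a host that should offer only secure shell but
also answers on telnet and Terminal Services, and a host exposing
NetBIOS/SMB alongside unpatched IIS and SQL."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    proto: str              # "tcp" or "udp"
    port: int
    name: str
    unpatched: bool = False  # assessment reports a known vulnerable version


# Constructed enumeration output: host -> services reachable from the Internet.
ASSESSMENT = {
    "203.0.113.10": [
        Service("tcp", 22, "ssh"),
        Service("tcp", 23, "telnet"),
        Service("tcp", 3389, "ms-terminal-services"),
    ],
    "203.0.113.20": [
        Service("udp", 137, "netbios-ns"),
        Service("udp", 138, "netbios-dgm"),
        Service("tcp", 139, "netbios-ssn"),
        Service("tcp", 445, "microsoft-ds"),
        Service("tcp", 80, "iis-5.0", unpatched=True),
        Service("tcp", 1433, "ms-sql", unpatched=True),
    ],
}

# What the organization believes is (and should be) reachable from the Internet.
EXPECTED = {
    "203.0.113.10": {("tcp", 22)},
    "203.0.113.20": {("tcp", 80)},
}

# The NetBIOS/SMB ports named in the text.
NETBIOS_SMB = frozenset({("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)})


def unexpected_exposure(assessment, expected):
    """Map each host to the reachable services that are not on its expected list."""
    findings = {}
    for host, services in assessment.items():
        allowed = expected.get(host, set())
        extra = [s for s in services if (s.proto, s.port) not in allowed]
        if extra:
            findings[host] = extra
    return findings


def remaining_entry_points(assessment, expected, denies, patched=frozenset()):
    """Apply a plan (a set of (proto, port) to deny at the border, plus a set of
    (host, proto, port) that will be patched) and return the services that would
    still give an intruder a way in: anything still reachable that is either
    not meant to be exposed or still unpatched."""
    left = []
    for host, services in assessment.items():
        allowed = expected.get(host, set())
        for s in services:
            key = (s.proto, s.port)
            if key in denies:
                continue
            still_vulnerable = s.unpatched and (host, s.proto, s.port) not in patched
            if key not in allowed or still_vulnerable:
                left.append((host, s))
    return left


def plan_is_sufficient(assessment, expected, denies, patched=frozenset()):
    """True when the plan leaves no reachable entry point behind."""
    return not remaining_entry_points(assessment, expected, denies, patched)


if __name__ == "__main__":
    for host, extra in unexpected_exposure(ASSESSMENT, EXPECTED).items():
        print(host, "unexpectedly exposes:",
              ", ".join(f"{s.proto}/{s.port} {s.name}" for s in extra))

    # Plan 1: deny only NetBIOS/SMB, the paper's first step.
    for host, s in remaining_entry_points(ASSESSMENT, EXPECTED, NETBIOS_SMB):
        print("plan 1 leaves:", host, f"{s.proto}/{s.port}", s.name)

    # Plan 2: also deny the unexpected remote-access and database ports, and patch IIS.
    denies = NETBIOS_SMB | {("tcp", 23), ("tcp", 3389), ("tcp", 1433)}
    patched = {("203.0.113.20", "tcp", 80)}
    print("plan 2 sufficient:", plan_is_sufficient(ASSESSMENT, EXPECTED, denies, patched))
```

Plan 1 leaves four entry points: telnet and Terminal Services on the first host, and the unpatched IIS and SQL services on the second. The Web server cannot be closed at the border because port 80 is meant to be exposed, so the plan only becomes sufficient once that host is recorded as patched, which is the paper’s point that blocking one route without fixing the others merely redirects a tenacious intruder.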
Proper Use of Foundstone ERS
CSIRTs must use Foundstone ERS with care. Foundstone ERS is best suited for incident response when no
reliable network topology exists, when there is no clue about the entry point of an attack, or when remediation
is deemed more important than fully determining the motivations, goals, and methods behind an attack.
After a compromise, CSIRTs should perform host- and network-based data collection prior to using
Foundstone ERS’ enumeration capabilities. Foundstone ERS is best thought of as a lead generator. Any
theories that it helps foster should be proven with host- and network-based data.
Also, because Foundstone ERS is an overt process, intruders are likely to alter their behavior when they detect
its presence. Using Foundstone ERS before exhausting the clues in host-based data could likewise complicate
law enforcement investigation.
Foundstone ERS in the Field
Foundstone recently responded to a security compromise in which an external intruder gained unauthorized
access to an ISP’s internal network. Foundstone equipped the ISP with the knowledge and tools to eliminate
the unauthorized means of access and to collect evidence for potential legal action. Foundstone ERS played a
significant role in this response and remediation.
Foundstone dealt with the incident in three ways. First, we gathered and analyzed host-based evidence from
computers suspected of compromise. Second, we implemented emergency network monitoring to collect event,
session, content, and other data needed to identify the intruder’s means of access.
Using Foundstone ERS, we then performed a limited vulnerability assessment of key areas of the ISP’s
enterprise. This helped Foundstone guide the ISP’s CSIRT during remediation. Because the ISP’s network
exposed several high-risk services, remediation via host- and network-based methods rated a high priority.
Eliminating weak username/password combinations would be futile, for instance, if the ISP’s servers ran
unpatched versions of IIS and SQL.
Summary
Using information from Foundstone ERS, CSIRTs can determine the scope of a security incident, find the
routes of unauthorized access, and guide remediation efforts. By identifying existing vulnerabilities,
Foundstone ERS lets a CSIRT know if a proposed response plan is sufficient.
Foundstone ERS is best suited for incident response in only certain situations, and a CSIRT must use it in
certain ways. It is crucial, for instance, to perform host- and network-based data collection before employing
Foundstone ERS’ enumeration tools. When appropriately used, however, Foundstone ERS is a powerful tool
for successful incident response.
About Foundstone
Foundstone® Inc., experts in strategic security, offers a unique combination of software, services, and
education to help organizations continuously and measurably protect the most important assets from the most
critical threats. Through a strategic approach to security, Foundstone identifies and implements the right
balance of technology, people, and process to manage digital risk and leverage security investments more
effectively. The company has one of the most dominant security talent pools ever assembled, and has authored
ten books, including the best seller Hacking Exposed. Foundstone is headquartered in Orange County, CA,
and has offices in New York, Washington, D.C., and Seattle. For more information about Foundstone and
Foundstone Enterprise Risk Solutions, visit www.foundstone.com, or call 877.91.FOUND within the U.S., and
949.297.5600 outside the U.S.