Book 1 Flashcards
6 Steps, Incident Handling
- Preparation (in steady state, bounce between this and Identification)
- Identification (in steady state, bounce between this and Preparation; declare an incident, then move to Containment)
- Containment (start cleanup, then move to Eradication)
- Eradication (finish cleanup, then move to Recovery)
- Recovery (back in production, then move to Lessons Learned)
- Lessons Learned (done; jump back to another step if necessary)
Unusual Log Entries
System Admins should periodically review their system logs, looking for signs of unusual behavior.
Look for:
- That an interface has entered promiscuous mode.
- That someone has repeatedly tried unsuccessfully to log into the machine via telnet or sshd.
- Remote Procedure Calls (RPC programs) being accessed with strange sequences of characters, which are possibly buffer overflows or format string attacks.
- A large number of Apache error messages.
Remote Procedure Call
Remote Procedure Calls (RPC programs) being accessed with strange sequences of characters, which are possibly buffer overflows or format string attacks.
(-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM)
7 Deadly Sins
- Failure to report or ask for help
- Incomplete/non-existing notes
- Mishandling/destroying evidence
- Failure to create working images
- Failure to contain or eradicate
- Failure to prevent follow-on compromise months later
- Failure to apply lessons learned
Absolute and Relative Referencing
$ cd /etc/sysconfig/network-scripts (an absolute reference)
$ cd sysconfig/network-scripts (a relative reference; only works from the /etc folder)
Account Management
Look for new, unexpected accounts:
- GUI: C:\> lusrmgr.msc
- Command line: C:\> net user
- Search groups from the command line: C:\> net localgroup administrators
Adding Directories to PATH
To add directories to your PATH:
Temporarily (current shell session only):
$ PATH=$PATH:[another_dir]
To change your PATH permanently for this account, add the same line to your .bash_profile file:
PATH=$PATH:[new_directory]
Example:
$ PATH=$PATH:/home/tools
Analysis of Perimeter and Host Perimeter Detects
When you determine a listening port, you should look up the port to see its official assignment, as well as potential malicious use of that port.
How can you find out if a service is listening?
Try "lsof -i" on Unix, and "netstat -a" on Unix or Windows.
Application-Level Detection (Incident Identification)
Application logs can be reviewed by incident handlers at this level (web app, app server, cloud service, etc.).
Network Perimeter Detection
- Identification occurs on network
- Firewall, routers, external-facing network-based IDS, IPS, DMZ systems etc.
Host Perimeter Detection
- Identification occurs when data enters or leaves a host
- Personal firewall/IPS, local firewalls, port sentry tools
System-level (i.e., host) detection
- Identification occurs based on activity on the host itself
- Anti-virus tools, endpoint security suites, file integrity tools, user noticing “strange” behavior
Application-level detection
- Application logs (web app, app server, cloud services, etc.); checking these logs is important.
Applying Cheat Sheets
You need a communications plan: print out a cheat sheet for each sys admin, distribute them to ops management, review them at the weekly/monthly sys admin meeting, hold periodic conference calls, and hold separate calls for Windows and Linux.
Applying Network Config Changes
To make your changes take effect, you have to restart the interface:
# service network restart