FORENSIC PROCESS IMPROVEMENT

The purpose of this part of the chapter is to introduce the reader to a process that will enable a system administrator or information security analyst to determine the threat against their systems and networks. If you have ever wanted to know more about who might have attacked or probed your system than just the IP address that appeared in the var/log/messages of your machine, then this part of the chapter may help you. Although it is rare, some of these simple techniques may actually help you identify the perpetrator of an attack on your system. Although most system administrators are rightly concerned with first securing their hosts and networks from attack, part of doing that job correctly also demands that you also have an understanding of the threat against those systems and networks as. The risk any system connected to the net faces is a product of vulnerability and threat. The techniques covered in this part of the chapter will help you in determining possible actions and possible motivations of the attacker. If you can understand your attacker, than you can better defend and respond to attacks against your network. Of course, it is important to understand that hackers will loop through several systems during the attack phase. So why bother researching the apparent source of an attack? What if your system is the first system of many that the hacker will use in his or her attack against other systems? Could you be held liable for damage done by the attacker to someone else’s systems downstream? What if he or she is operating from within a country that has no laws against hacking and can thus operate with impunity? Or, what if the hacker is just unskilled and has left clues behind that a skilled researcher could use to identify him or her? All of these reasons justify taking a small amount of time to research the apparent source of a serious attack or intrusion. Of course, all of these techniques should be used after you have secured your system and/or consulted with law enforcement personnel. This should be done if the level and seriousness of the attack justify such an action. Next, let’s review the tools that are used in the threat identification process.

The Tools

The tools discussed here outline a step-by-step process that will help you to enumerate the attacking host and possible actors that may have used that host to attack your system. This section is not intended to be a tutorial for how to use each tool on its own. There are many sources of information that cover each tool by itself in more detail. Many of you are certainly familiar with or have used many of the tools discussed here at one time or another. Keep in mind that here we are talking about the overall process of characterizing the threat from a domain. The first steps in the threat identification process are simply to know who owns the IP used in the attack. For detailed switchology on the use of each tool, consult the main pages or other sources for each tool listed.

Dig –x /nslookup

The first step in the process is to reverse the offending IP address. The “dig –x ip” command will perform a reverse lookup on an IP address from its domain name server. The “-x” option will ensure that you receive all records possible about your host from the DNS table. This might include nameservers, e-mail servers, and the host’s resolved name. The “nslookup” command, “nslookup ip,” will also perform a reverse lookup of the host IP address, but will only return the resolved name.

Whois

The next step in the process is to perform a whois lookup on the IP address to see who owns or at least who the offending IP is registered to. This can be somewhat of a tricky operation. Use the resolved name previously mentioned to try to determine what country or region the IP address might be based in, and then be sure to use the proper whois gateway for that region of the world. The main gateways are ARIN (the American Registry), APNIC (the Asian Pacific Registry), and RIPE (the European Registry). There are dozens of others, but most addresses should be registered in one of the previously mentioned on-line centralized databases. If your whois data does not match your resolved name, for example the resolved name http://www.cnn.com and whois database ARIN indicates the registered owner is CNN network (a match), then you may have to do some more digging. Whois databases can contain outdated information. You may want to then research your IP with the country-specific whois database to determine the correct registered owner. A good collection of country-specific whois databases can be found at http://www.allwhois.com. For more information on conducting detailed whois queries check out http://www.sans.org/y2k/.

Ping

Conduct the “ping ip” command to determine if your attacking IP is currently on-line. Note that many administrators block ICMP traffic, so this is not conclusive evidence either way.

Traceroute

The next step in the process is to conduct a “traceroute ip” to determine possible paths from your proxy site to the target system. Traceroute may help you in two ways. If your IP does not resolve possible paths from your proxy site to the target system, there may be a clue as to its parentage. Look at the resolved host just before your target. This host’s name may be the upstream provider for the attacking host, and thus a point of contact; or, it may in fact have the same domain as your attacking host, although that is not always true. Also, a traceroute might give you an important clue as to the physical location of the attacking box. Carefully look at the path the packets traveled. Do they tell you what city they are in? Oftentimes they will. If you can determine what city the attack came from, you have just narrowed down considerably the possible pool of candidates of who the attacker might be.

Finger

Conduct a “finger @ip” command to determine who is currently logged onto the system that attacked you. Now, to be frank, this command will rarely work, because most administrators wisely turn this service off. However, it does not hurt to try. Keep in mind that many systems that are compromised and used as lily pads to attack other hosts are poorly configured (that is why they were compromised in the first place!!). They may also have the finger service running. If it is running, finger root@ip sees the last time root was logged on and, more important, from where root was logged on. You might be surprised to see root logged on from a third system in another country. Keep following the trail as long as your commands are not refused. You should be able to trace back hackers through several countries using this simple, often-overlooked technique. Look for strange log-in names and for users logged into the system remotely. This may indicate where the host was compromised from and is the next clue as to where to focus your research.

Anonymous Surfing

Surfing anonymously to the domain from where your attacking IP is hosted, is the next step in the threat identification process. You will know this domain name by looking at the resolved name of the host and the Whois data. One technique that is useful is to use a search engine such as http://www.altavista.com with the specialized advanced search option of “+host:domain name and hack*.” This query will return the Web links of possible hackers who operate from the domain name you queried. You can substitute warez or mp3, and the like, to focus in on terms of interest specific to warez or mp3 dealers. The number of Webpages returned by the query, as well as the details on those pages, gives you an indication of the level of threat to assess to a certain domain. For example, if you were investigating a host registered to demon.co.uk (Demon Internet), you would type “+host:demon.co.uk and hack*” in the Altavista query box. You may be surprised to see a return of some 22,000-plus hacking-related pages hosted on this domain. The Demon Internet seems to harbor many hackers and, as a domain, represents a viable threat to any organization. As a standard practice, you might want to block certain domains at your firewall, if you are not already blocking ALL:ALL. Another possibility to widen the search is to use “+link:domain name” in the Altavista search. This will show all Webpages that have a link to the domain in question listed on their Webpage. In other words, the ever-popular “here is list of my hacker friends and their c001 hacker sites” pages will appear via this search. You will also want to keep in mind the target of the attack. What were the hackers going after? Can you tell? Conduct searches for the resources targeted and combine these terms with Boolean operators such as “and espionage.” Check newswires or other competitive intelligence sources to determine, if possible, who might be going after your companies’ resources. A good site to use to conduct your searches anonymously is http://www.anonymizer.com.

USENET

The last step in the process of threat identification is to conduct a USENET traffic search on your domain. Sites such as http://www.deja.com are excellent for this. Search on the attacking IP address in quotes to see if other people are reporting activity from this IP in any security newsgroups. Search on the domain name or hacker aliases that you might have collected from your anonymous surfing, or from the returns of your finger queries. You can expand the headers of the postings by clicking on “view original posting.” This may show you the actual server that posted the message, even if the hacker attempted to spoof his or her mailing address in the visible header. This method can reveal the true location of your hacker. Clicking on “author profile” can also give you valuable information. Look at the newgroups your hacker posts to and look at the number and sophistication of those postings. Pay attention to off-subject postings. A hacker will often let down his guard when talking about his favorite band or hobby, for example. You can also search sites such as http://www.icq.com if you have a hacker alias from a defaced Webpage or your Altavista search narrowed by the domain “+hacker” criteria previously noted.

Putting It All Together

Once you have completed the process previously outlined and gathered all the information from these tools, you should be able to reach an educated guess about the threat level from the domain that you are analyzing. Hopefully, you were able to collect information about the numbers and sophistication levels of the hackers who operate from the attacking domain, possible candidates for the attack (through finger or specialized Altavista searches), and what other CERTs may be seeing from that domain (via newsgroups or newswire searches). An excellent site to check for archived postings of recently seen attacks is both http://www.sans.org and http://www.securityfocus.com. Ask yourself were there thousands of hacker pages hosted on the domain that you were investigating? Likewise, did you find thousands of postings concerning hacking on USENET? Did you run a search on your organization’s name plus “hack*”? Were there postings from other administrators detailing attacks from this domain? Were the attacks they mentioned similar to yours or different? Now you might be able to determine if that FTP probe, for example, was just a random probe that targeted several other companies as well as yours or targeted your company specifically. Could you tell from the logs that the attacker was attempting to find a vulnerable FTP server to set up a warez or mp3 site perhaps? Being able to provide an educated guess as to the motivation of your hacker is important. Knowing whether your company has been singled out for an attack as opposed to being just randomly selected, will change the level of concern you have with regard to assessing the threat. The process previously listed can be used to narrow down possible candidates or characterize the threat level from responsible domains. And, as a byproduct, it will also provide you with all the necessary names, phone numbers, and points of contact that may be useful when it comes time to notify the pertinent parties involved.

Finally, let’s look at what is probably the most important computer forensics service: training! It has now been expanded to support U. S. Government and U. S. corporate needs, which became more of a priority after 9-11, 2001. It places priority on computer incident responses and now covers computer forensic binary data searches for foreign language (non-Latin based) computer data (Farsi, Chinese, Japanese, etc.).

Training

As has been previously explained, Computer Forensics involves the preservation, identification, extraction, and documentation of computer evidence stored in the form of magnetically encoded information (data). Many times the computer evidence was created transparently by the computer’s operating system and without the knowledge of the computer operator. Such information may actually be hidden from view and, thus, special forensic software tools and techniques are required to preserve, identify, extract, and document the related computer evidence. It is this information that benefits law enforcement and military agencies in intelligence gathering and in the conduct of investigations.

Today computer forensics software tools and processing techniques have become important resources for use in internal investigations, legal electronic document discovery, computer security risk management, and computer incident responses. Computer forensic software tools and methods can be used to identify passwords, computer network log-ons, and other information that is transparently and automatically transferred from the computers memory to floppy diskettes, Iomega Zip Disks, and computer hard disk drives. Such computer forensic software tools and methods can also be used to identify backdated files and to tie a floppy diskette to a specific computer. These techniques should be taught in your specialized training course.

Law enforcement and military agencies have been involved in processing computer evidence for years. Therefore, computer forensics training courses should be taught by certified instructors (see sidebar, “Computer Forensics Certified”) who are experienced computer crime experts (retired federal law enforcement computer evidence trainers and members of law enforcement computer crime units).

According to a Gartner Group study, certification of InfoSec computer-forensic-training professionals is becoming a common condition of employment. The research firm predicts that by 2005, InfoSec certification will be required for 70% of CISOs (chief information security officers) and associated training staff positions and for 30% of day-to-day technical operations positions in Global 2000 companies. Security is the No. 1 issue going forward in an on-line world, whether it’s on-line voting or e-commerce.

The Demands of Security

It’s bad enough when a certified IT employee doesn’t possess claimed skills, but the skills gap is doubly worse in the security realm. What was once the near-exclusive purview of government agencies or companies involved in highly secret research, is now a mainstream discipline for the highly connected enterprise.

This market really didn’t exist 10 years ago. The field has only matured in the last six years.

Protecting a company’s most cherished assets (not just IT systems, but especially the digitally stored proprietary information on those systems) demands knowledgeable personnel, something not always easy to assess. Anyone can hang out a shingle and say: “I’m an InfoSec professional.” Such people must be able to prove their credentials with InfoSec certification.

Good security demands a more proactive approach than the other traditional functions of a system administrator. Security is the system administrator area that requires the most constant learning and relearning.

Information security infrastructure, like the proverbial chain, is only as strong as its weakest link. The breadth of skills and management breadth required for strong information security puts unusual demands on organizations and professionals.

Another Game

A Certified Information Systems Security Professional (CISSP) isn’t the only game in town. There’s also CIW professional certification, coming on strong.

Perhaps the best known security certification player is System Administration, Networking, and Security (SANS) Institute, which sponsors the Global Information Assurance Certifications (GIAC). And, it’s here where the line in the security sand is drawn. The CISSP is a broad top-down certification, whereas the LevelTwo GIAC is a series of specialized and technical certifications.

GIAC responds directly to the skills question. GIAC requires that candidates demonstrate content mastery before they sit for the exam. In intrusion detection, for example, a candidate must accurately analyze 10 real-world intrusion attempts before being allowed to take the exam. For firewalls, a candidate must design a perimeter that solves specific problems.

When comparing CISSPs to GIAC, the metaphor is an MBA (CISSP) versus a CPA (GIAC). You hire a CPA to do your accounting, but not to do your strategic business planning. Research indicates strategic business planning is what the industry desperately needs.

The principal difference is in the target. An analogy suggested by an (ISC)2 board member is that GIAC is for pilots and CISSP is for the managers who schedule the pilots.

SANS certification focuses on specific products. The product focus has limitations, because security professionals need to take into account the whole picture.

The short-term need is for the techie approach. Believe it or not, issues such as buffer overflows still form a large part of the action on security lists. In the long term, though, you need the big-picture view.

You cannot really say the technical issues are more important than management issues. But the technical issues are more solvable.

Indeed, whether approaching information security issues from a management or technical perspective, no one can escape political issues. Even if you had the best of the best techies on your payroll, you wouldn’t be going anywhere unless the issues and policies around corporate standards, user awareness, remote/wireless access policies,^[vii] acceptable authentication methods, and so forth have been decided. The critical success factors in most security jobs are being adept at the politics, possessing business skills and aptitude, good relationship management, and sales and negotiation skills, even in some lower-level jobs.

The product versus politics dilemma will eventually be moot with SANS’ Security Essentials (LevelOne) certification. The basic GIAC certification now covers all the key knowledge sets covered by CISSP as well as additional, more current skills sets.

Growing a Profession

The information security profession draws people from diverse backgrounds into a cohesive group. Security pros may have backgrounds in law enforcement, the military, or traditional IT, each bringing their own jargon and argot. How do we learn to talk to each other? You need an agreed-on taxonomy. And that, certification advocates indicate, is what certification does: It creates a shared body of knowledge to encourage a cohesive professional body.

Such certification is also seen as a big asset to an employee’s resume. CISSP is the gold standard in regards to security management and program development.

But a certification should be the beginning of a learning process, not an end in itself. Security is one area where yesterday’s knowledge does not help today. The security threat is always changing, so security certification tests, more than any others, are out of date before the person even begins to study for them.

There’s another problem: the SAT-prep-test phenomenon. Once (certifications) become widely accepted, some of their value will be lost. The more popular something is, the more likely there will be a “For Dummies” approach.

Although most computer forensics training courses do not answer all possible questions regarding computer evidence and computer security, they should cover most of the common issues and expose the participant to new state-of-the-art computer forensics techniques and computer forensics tools. Training should consist of a Windows NT Computer Forensics course and Restricted-Data-Hiding course. And an Expert Witness Testimony on Electronic Evidence course should fill in the gaps when the participant is ready for those advanced training courses. Training should not be focused on one specific computer forensics software tool or set of tools. This should not be a computer forensics ‘paint by numbers’ training course. Quality computer forensic software tools should be provided with the training course; but, it should be your company’s mission to teach methodologies and the more technical aspects of computer evidence processing and computer incident responses.

The training course should be unique; the participants are expected to have a high degree of computer proficiency, know the difference between clusters and sectors, and have experience in the use of Norton Utilities, DOS, and Microsoft Windows. The course should not be an overview of computer forensics. It should be a technical hands-on training course that will tax your knowledge and computer skills. However, it should provide you with more information about computer security risks and evidence-processing information than can be found anywhere else.

Because the course should deal with computer security issues and computer risk management as well as computer evidence issues, it should be well suited for computer security specialists, computer incident response team members, and computer crime investigators. Most of your participants should be challenged by this course for it to be considered a success.

^[vii]John R. Vacca, Wireless Broadband Networks Handbook, McGraw-Hill Professional, 2001.