Welcome to Volume 3, Issue 10 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
Dave
Today we present the second column in the "Triangulation" series, by Jeff Stutzman. In this column, Jeff explains the concept of first phase analysis, the initial act of profiling and characterizing the attack and the attacker. Jeff also discusses the essential activity of timeline analysis.
Many thanks to Dave Lemmon of the Air Force Information Warfare Center for providing additional insights that pulled this column together nicely.
Part I of this series introduced the concept of Triangulation and how it might be applied to post-incident attack analysis. Part II discusses one methodology for performing that analysis.
Depending on the circumstances, this methodology may be a very long and arduous process. Each "line of bearing" therefore represents not only another direction of exploration but also a go/no-go point, at which a decision must be made whether to dedicate more resources to the analysis of this attack.
This column is broken into two sections. Section One covers the basics of first phase analysis. Section Two covers timeline analysis and the factors that might move a hacker from the "thinking about it" stage to actually performing the attack. In that section the analyst attempts to determine what motivated the attack, and places the phases of the attack on the attack continuum as a timeline.
Computer incident/emergency response teams are usually overwhelmed. One analyst recently told me that he looks at as many as four hundred incidents per day, then decides which ones to analyze further. His team had a staff of two! This anecdote reinforces our conviction that first phase analysis is really a triage phase: the analyst must quickly determine which incidents are worth the time and resources to explore further. First phase analysis is essentially a cursory profile of the type of hacker and his/her intentions, a characterization of the last-hop ("source") IP, and an identification of the target characteristics that might have led this hacker to attack this specific machine.
First, let's characterize the attack. We really like the attack characterizations provided in the book Hacking Exposed (2nd Ed). These offer a risk rating based on the popularity, simplicity, and impact of each type of attack. If you don't own a copy of this book, get one. When you brief an attack to senior management, you need an easy, concise methodology that conveys your point quickly and accurately, and the attack characterizations in Hacking Exposed do very nicely. For the inexperienced analyst, they are also an invaluable resource. Here's a sample of the Hacking Exposed risk profile for a hack of the Windows 9x registry:
Popularity: 2
Simplicity: 3
Impact: 8
Risk Rating: 4
In other words, if someone hacks the registry on your Windows machine, Hacking Exposed rates it as an attack that is unpopular and relatively difficult, but with significant impact. The risk rating is the average of the three scores (2 + 3 + 8, divided by 3, rounded to 4), so it comes out low because of the low popularity and the difficulty, even though the impact is high. This would be an incident deserving a second look.
This rating system is easy to understand and offers a nice way to present the attack characteristics to junior analysts and senior management alike.
Next, determine which modus operandi (MO) most closely resembles your attack. In other words, what did this hacker accomplish, or want to accomplish, during his/her visit?
Now decide how many resources you are willing to spend analyzing the attack. Generally, the resources you expend investigating an attack are commensurate with its seriousness.
So, at this point we've characterized the skill level the hacker has exhibited for this attack, possibly the motive, and potentially the MO.
At some point you will be interested in what can be learned from the last IP address before the attack. This is sometimes referred to, inaccurately, as the "source IP". While many newer hackers may not understand how to use proxies, attack relays, lily pads, or whatever you want to call them, or lack an understanding of basic operational security and how to cover themselves, the vast majority of blackhats do understand these principles and practice them. Be precise about why the last IP is suspect: a source address is trivially forged in one-way traffic (floods, some scans, single UDP or ICMP packets), but any attack that needs the replies (an interactive login, a TCP session) must come from a host that actually receives them, so for those the last IP is usually real but belongs to a relay rather than to the attacker. Either way, it is likely that the last IP is not the true source.
That said, there is still value in profiling the last IP. The instruction set for performing this level of analysis is borrowed from Mr. David Lemon of the Air Force Information Warfare Center, as posted at the SANS website (www.sans.org). In addition to performing the following analysis on the last IP, I recommend performing the same analysis on the target. This may offer some insight into why this particular target was picked.
Create a worksheet with the following steps. There is no need to follow any particular order, but try and perform every check. Each one offers a different piece of the puzzle:
Dig -x / nslookup: The first step is to reverse-map the offending IP address to a host name. The *NIX command "dig -x <ip-address>" asks the DNS for the PTR record of the address (it builds the in-addr.arpa name for you, so an address such as 203.0.113.45 is looked up as 45.113.0.203.in-addr.arpa); "nslookup <ip-address>" does the same on Windows. Besides the resolved name, the authority and additional sections of the dig output show which name servers are responsible for the reverse zone, which is itself a clue to who controls the address block. Treat the PTR as a claim, not a fact: whoever runs the reverse zone for the block can point it at any name, so resolve the returned name forward ("dig <name>") and check that it comes back to the same IP before you build on it.
WHOIS: The next step is a WHOIS lookup to see who owns the IP address, or at least to whom the offending IP is registered. This can be somewhat tricky. Use the resolved name to estimate which country or region the IP address might be based in, and query the WHOIS server for that region. The main regional registries are ARIN (the Americas), APNIC (Asia-Pacific), and RIPE (Europe). If the WHOIS data does not match the resolved name, you may have to dig further. Realize that WHOIS databases can, and frequently do, contain outdated information. You may then want to research the IP in the country-specific WHOIS database to determine the correct registered owner. A good collection of country-specific WHOIS databases can be found at http://www.allwhois.com. For more information on conducting detailed WHOIS queries, see http://www.sans.org/y2k/ by Donald McLachlan. Whatever the registrant turns out to be, record the abuse or technical contact listed in the record; that is the point of contact for the address block.
Ping: Use "ping <ip-address>" to determine whether the last IP is currently on line. Many administrators block ICMP at the firewall, so a missing reply is not proof that the host is down.
Traceroute: Next, run "traceroute <ip-address>" to see the path from your vantage point to the system in question. Traceroute may help in two ways. If the IP does not resolve, the hops before it may give a clue to its parentage: the resolved host just before the target is often the upstream provider for the attacking host, and therefore a point of contact. A traceroute may also offer clues to the physical (geographic) location of the IP; router names frequently encode cities or airport codes, so watching the hops can narrow down the region. Again, filtering can hide hops (*NIX traceroute sends UDP probes and relies on ICMP time-exceeded replies; Windows tracert uses ICMP echo), and the result is only the forward path from where you ran it, so treat it as an indicator, not proof.
Finger: "finger @<ip-address>" lists who is currently logged on to the system that attacked you. Smart system administrators turn this service off, so if the machine answers a finger query it is probably not a well-secured box and has a higher likelihood of being an attack relay. If the finger service is running, "finger root@<ip-address>" returns the last time root was logged on and, more importantly, from where. You might be surprised to see root logged on from a third system in yet another country. Apply finger recursively at each host until your queries are refused. We have traced hackers back through several countries using this simple, often overlooked technique. Look for unusual login names and for users logged in remotely; these may indicate where the host was compromised from, and are the next clue on where to focus your research. Keep in mind that each finger query reaches the suspect host and can be logged there, and that anything a compromised host tells you could have been altered by whoever compromised it.
Anonymous Surfing: Surf anonymously to the domain from which your attacking IP is hosted; you obtained this domain name from the resolved host name and the WHOIS data. One very useful technique is to use a search engine such as www.altavista.com and enter a query of the form "+host:<offending domain> and hack*". This returns the web pages of possible hackers who operate from the domain you queried. Substitute warez, mp3, etc. to focus on terms specific to warez or mp3 dealers. The number of pages returned, and the details on those pages, give you an indication of what level of threat to assign to a domain. For example, if you were investigating a host registered to demon.co.uk (Demon Internet) you would type +host:demon.co.uk and hack* into the AltaVista query box. You may be surprised to see a return of some 22,000-plus hacking-related pages hosted on this domain. As a threat analyst, I can conclude that Demon Internet seems to harbor many hackers and, as a domain, represents a viable threat to my organization. As a standard practice you might want to block certain domains at your firewall, if you are not already blocking ALL:ALL. Bear in mind that a large ISP returns a large count partly because it is large, and that a block on the whole domain also stops its legitimate users, so weigh the count against the size of the provider before you act on it.
Another way to widen the search is "+link:<domain name>" in AltaVista, which shows all web pages that link to the domain in question. In other words, the ever-popular "here is a list of my hacker friends and their c001 hacker sites" pages will appear in this search. Keep the target of the attack in mind as well. What were the hackers going after? Can you tell? Search for the resources targeted, combined with Boolean operators such as "and espionage". Check newswires or other competitive-intelligence sources to determine, if possible, who might be going after your company's resources.
A good site for conducting your searches anonymously is www.anonymizer.com, or www.the-cloak.com.
USENET: The last step in the process of threat identification is a USENET traffic search on your domain. Sites such as www.deja.com (now at google.com) are excellent for this. Search on the attacking IP address in quotes to see whether other people are reporting activity from this IP in any security newsgroups. Search on the domain name, or on hacker aliases that you collected from your anonymous surfing above or from the returns of your finger queries. You can expand the headers of a posting by clicking on "view original posting". This may show you the actual server that posted the message, even if the hacker attempted to spoof his address in the visible header, and can reveal the true location of your hacker. Clicking on the author profile can also give you valuable information. Look at the newsgroups your hacker posts to, and at the number and sophistication of those postings. Pay attention to off-subject postings: a hacker will often let down his guard when talking about his favorite band or hobby, for example. You can also search sites such as www.icq.com if you have a hacker alias from a defaced web page or from your AltaVista search narrowed by the +host:domain and hack* criteria noted above.
NMAP: Perform a simple nmap or similar scan of the site in question. (NOTE: nmap, used improperly, can be detected and may give the sysadmin at the scanned system the wrong impression. Be careful. Be non-invasive. Don't be a hacker. Be an analyst.) Default settings will work fine and give a perspective of which ports are listening. Finding IRC, RPC, or VNC (Virtual Network Computing) listening suggests that the site may be an attack-relay host; an IRC daemon or VNC on a box that should be a plain server or workstation is the stronger sign, since RPC is normal on many *NIX systems. Remember that even a default scan shows up in the target's logs, that if the host is a relay the real attacker may be watching those logs, and that scanning a system you do not own may violate the law or its provider's acceptable-use policy, so make sure you are authorized before you scan.
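The worksheet steps above all end with the analyst reading command output by eye. The following script is an added example (not part of the column, nor Mr. Lemon's SANS instructions): it parses captured output of dig -x, whois, traceroute and nmap and applies the checks a practitioner wants on top of them: forward-confirmed reverse DNS, the registry and abuse-contact fields, the upstream hop, and the relay-indicator ports the column names. Every sample output is constructed, using RFC 5737 documentation addresses and example.net names, so the script runs offline and nothing is logged on the suspect host; the port list and field names are assumptions drawn from the text.

```python
"""Offline worksheet for the last-hop IP. Added example; all captures below are
constructed, with RFC 5737 addresses, and never touch the network."""
import re
from typing import Dict, List, Optional, Tuple

RELAY_HINT_PORTS = {111: "rpcbind", 5900: "vnc", 6667: "irc"}  # the column's hints
HOP_RE = re.compile(r"^\s*\d+\s+(\S+)\s+\(([\d.]+)\)")          # "4  name (ip)  31 ms"


def in_addr_arpa(ip: str) -> str:
    """The name `dig -x` really queries: octets reversed under in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_from_dig(dig_output: str) -> Optional[str]:
    """PTR target from the ANSWER SECTION of `dig -x`, without the trailing dot."""
    m = re.search(r"^\S+\s+\d+\s+IN\s+PTR\s+(\S+)\s*$", dig_output, re.M)
    return m.group(1).rstrip(".") if m else None


def forward_confirmed(ip: str, forward_ips: List[str]) -> bool:
    """Forward-confirmed reverse DNS: whoever runs the reverse zone can point the
    PTR at any name, so it counts only if the name resolves back to the same IP
    (forward_ips = the answers of `dig +short <ptr-name>`)."""
    return ip in forward_ips


def whois_fields(whois_output: str) -> Dict[str, str]:
    """`key: value` lines -> lower-cased dict (first value wins); covers ARIN style
    (NetName:, OrgAbuseEmail:) and RIPE/APNIC style (netname:, abuse-mailbox:)."""
    fields: Dict[str, str] = {}
    for line in whois_output.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields


def abuse_contact(fields: Dict[str, str]) -> Optional[str]:
    for key in ("orgabuseemail", "abuse-mailbox"):
        if key in fields:
            return fields[key]
    return None


def upstream_hop(traceroute_output: str, target_ip: str) -> Optional[Tuple[str, str]]:
    """Last hop before the target that resolved to a name: usually the upstream
    provider, and a contact point when the target's own whois record is stale.
    Skips "* * *" lines and hops whose name is just the IP again."""
    hops = []
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if m and m.group(1) != m.group(2) and m.group(2) != target_ip:
            hops.append((m.group(1), m.group(2)))
    return hops[-1] if hops else None


def open_ports(nmap_output: str) -> Dict[int, str]:
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", nmap_output, re.M)}


def relay_indicators(ports: Dict[int, str]) -> List[int]:
    return sorted(p for p in ports if p in RELAY_HINT_PORTS)


def build_worksheet(ip, dig_out, forward_ips, whois_out, tr_out, nmap_out):
    ptr, who = ptr_from_dig(dig_out), whois_fields(whois_out)
    return {"ip": ip, "ptr": ptr,
            "ptr_confirmed": ptr is not None and forward_confirmed(ip, forward_ips),
            "netname": who.get("netname"), "country": who.get("country"),
            "abuse": abuse_contact(who), "upstream": upstream_hop(tr_out, ip),
            "relay_ports": relay_indicators(open_ports(nmap_out))}


# --- constructed sample captures (not real output) ---------------------------
IP = "203.0.113.45"
DIG_X = """;; ANSWER SECTION:
45.113.0.203.in-addr.arpa. 3600 IN PTR shell7.example.net.

;; AUTHORITY SECTION:
113.0.203.in-addr.arpa. 3600 IN NS ns1.example.net.
"""
FORWARD = ["203.0.113.45"]  # what `dig +short shell7.example.net` returned
WHOIS = """inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
country:        AU
abuse-mailbox:  abuse@example.net
"""
TRACEROUTE = """ 1  gw.corp.example (192.0.2.1)  0.4 ms
 2  198.51.100.9 (198.51.100.9)  8.1 ms
 3  * * *
 4  bdr1.upstream.example.net (198.51.100.254)  31.2 ms
 5  shell7.example.net (203.0.113.45)  45.0 ms
"""
NMAP = """PORT     STATE SERVICE
22/tcp   open  ssh
79/tcp   open  finger
111/tcp  open  rpcbind
6667/tcp open  irc
"""

if __name__ == "__main__":
    for key, value in build_worksheet(IP, DIG_X, FORWARD, WHOIS, TRACEROUTE, NMAP).items():
        print(f"{key:>14}: {value}")
```

In use you would paste real captures into the constants (or pipe them in); the point of keeping the parsing separate from the collection is that the worksheet can be rebuilt and compared without sending a second round of queries to the suspect host.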
At this point we've covered a lot of ground and very likely have a pretty good perspective of what the hacker did and what his/her intentions were. Next, let's discuss ways of tracking clues that a hacker might leave behind.
One method was discussed above in the USENET subparagraph. This is particularly fun. Let's put our spy caps on for a moment. Try a search under your own pseudonym (come on, everyone has one; mine is henrybasset, after Henry, my basset hound :-). Unfortunately, Deja recently sold to Google, and Google has yet to load all of the Usenet archives. Still, a search under my pseudonym "henrybasset" would yield several newsgroup postings. Many times these results will appear under several different names and e-mail addresses, which can then be cross-referenced to locate other names or addresses used by the attacker. Next, look for an off-subject posting, meaning one not related to hacking. If the hacker wants to appear professional, he/she will almost always use a real name! It's also awkward to sign a posting with your hacker name; when you get into the groove of posting a particularly thought-provoking response to someone, it's very hard to remember to sign with your hacker name. Usually it's signed with a first name (the real first name!).
Another great place to look is attrition.org (www.attrition.org). If your attacker appears in attrition's defacement mirror, there is a pretty good chance he/she is a simple defacer. One good thing about attrition is that for a period of time it listed the operating system of the target; at a minimum this gives you a basic feeling for how many operating systems this hacker can attack. Also, when looking at attrition, be sure to view the HTML source of the defacement. Sometimes there are surprises (clues) in the source that don't show up in the rendered defacement.
If you have no luck with attrition, try eBay. If you have an e-mail address, IP address, or piece of a name found in Usenet, IRC, etc., search eBay for all buyers or sellers using that string in their identity. Hackers love to auction used computer equipment. This is a low-risk, high-payoff search: there is a better chance that you won't find anything, but if you do, the payoff is BIG. You will know the identity of your attacker and how to reach him: eBay maintains records of its financial dealings with its customers, all of which can be subpoenaed should the need arise.
Adding other variables into the equation...
Before jumping into timeline analysis, let's recall the attack continuum. Very simply, the attack continuum shows, in timeline format, the things that lead up to the final attack on your system. It might look something like this:
 Web          Network       Probing      Attempted     Intrusion     Escalation
 surfing      scanning                   intrusion     (user level)  of privileges
 |------------|-------------|------------|-------------|-------------|-------------> time
Web surfing is the phase in which an attacker might gain interest in attacking your network. It is prevalent when the attack is not simply an attack of opportunity (a hacker trolling for operating systems or services he knows). Network scanning is the probing or intelligence gathering of multiple hosts, that is, mapping a network. Probing involves one machine. Attempted intrusion, user-level intrusion, and finally escalation of privileges follow.
With the basics out of the way, second phase analysis adds timeline and traffic analysis in the continuum format. The most effective way of explaining what happened is a timeline. Lay out one simple line horizontally on a page (or PowerPoint slide). Don't try to create tick marks for time; everything is relative. On the right, plot a single red dot above the line showing the point of attack. Working backward, attempt to locate where your system was probed (one machine). Plot that in red as well, showing a length of time for the activity. Now look for the time when your network was scanned, and plot that too. Check your web logs and note any abnormal activity from the same addresses: downloading of specific types of information, harvesting (wget requests), and so on. Plot that in blue below the line. Your plot might look like this:
 ***********************************************+ (root gained)          red, above the line: scanning, probing, attack
 ------------------* (significant event)--------------------------------------------------------> time
 ++++++++++++++++++++++++++++++++++++++++++++++++                         blue, below the line: web activity
 (phases along the line, left to right: web surfing, network scanning, probing, attempted intrusion, intrusion, escalation of privileges)
Now add in significant events. For example, suppose a press release acknowledges a new technology being developed by your company. Annotate the timeline with the point at which the announcement was made (the star). You might be surprised to see that many hack for a reason: something caught their eye and caused them to check out your site or network, and once there they decided, for whatever reason, to hack it. I guarantee that after doing this a few times you will be shocked. You will also have grounds to ask your boss for a bigger budget, to hire a full-time analyst and more security administrators.
The last point I'd like to cover in second phase analysis is the use of traffic analysis techniques. In a nutshell, traffic analysis is the monitoring of traffic volume to and from your network. Volume normally peaks during working hours, and the trends are very predictable, so what to look for is a departure from the usual pattern for that hour and that day of the week. Abnormalities will also follow significant events.
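The timeline procedure above (plot the attack, work back through probing and scanning, add web activity below the line, then mark the significant event) can be built straight from logs. The script below is an added example, not the column's own material: it takes constructed web-server and sensor log lines for one attacking IP, anchors everything to a press-release date, renders the three rows of the figure in the column's notation ('*' scanning/probing and '+' root gained above the line, '*' for the significant event on the axis, '+' for a web visit and 'W' for a harvesting run below it), and reports the lead time from the event to the first harvesting, the first scan and the root compromise. The log formats, the event names and the harvesting user-agents are assumptions made for the example.

```python
"""Relative timeline in the column's format. Added example; the log lines
below are constructed, not real captures."""
import re
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

WEB_DATE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4})")
WEB_AGENT = re.compile(r'"([^"]*)"\s*$')      # last quoted field = User-Agent
HARVESTERS = ("wget", "curl", "httrack")       # assumed bulk-download agents


def parse_web(lines: List[str], src: str) -> Dict[date, str]:
    """Per-day web mark for src: 'W' if a harvesting tool was seen that day, else '+'."""
    days: Dict[date, str] = {}
    for line in lines:
        if not line.startswith(src + " "):
            continue
        day = datetime.strptime(WEB_DATE.search(line).group(1), "%d/%b/%Y").date()
        agent = WEB_AGENT.search(line).group(1).lower()
        days[day] = "W" if agent.startswith(HARVESTERS) or days.get(day) == "W" else "+"
    return days


def parse_ids(lines: List[str], src: str) -> Dict[date, Set[str]]:
    """Per-day set of sensor event types from "date EVENT src dst" lines for src."""
    days: Dict[date, Set[str]] = {}
    for line in lines:
        day, event, s, _dst = line.split()
        if s == src:
            days.setdefault(date.fromisoformat(day), set()).add(event)
    return days


def render(anchor: date, web: Dict[date, str], ids: Dict[date, Set[str]]) -> Tuple[str, str, str]:
    """Three rows, one character per day, from the earliest to the latest activity;
    no tick marks, everything is relative to the anchor (the significant event)."""
    span = set(web) | set(ids) | {anchor}
    lo, hi = (min(span) - anchor).days, (max(span) - anchor).days
    above = axis = below = ""
    for off in range(lo, hi + 1):
        day = anchor + timedelta(days=off)
        ev = ids.get(day, set())
        above += "+" if "ROOT" in ev else ("*" if ev else " ")
        axis += "*" if off == 0 else "-"
        below += web.get(day, " ")
    return above, axis, below


def lead_times(anchor: date, web, ids) -> Dict[str, Optional[int]]:
    """Days from the significant event to the first of each milestone (None if absent)."""
    def first(days):
        ds = sorted(days)
        return (ds[0] - anchor).days if ds else None
    return {"harvest": first(d for d, m in web.items() if m == "W"),
            "scan": first(d for d, ev in ids.items() if "SCAN" in ev),
            "root": first(d for d, ev in ids.items() if "ROOT" in ev)}


# --- constructed sample data (not real logs) --------------------------------
ATTACKER = "203.0.113.45"
PRESS_RELEASE = date(2001, 3, 5)     # the "significant event"
WEB_LOG = [                          # Apache combined format
    '203.0.113.45 - - [04/Mar/2001:10:02:11 -0500] "GET / HTTP/1.0" 200 2314 "-" "Mozilla/4.7"',
    '203.0.113.45 - - [06/Mar/2001:02:15:40 -0500] "GET /research/ HTTP/1.0" 200 8812 "-" "Wget/1.6"',
    '203.0.113.45 - - [06/Mar/2001:02:15:41 -0500] "GET /research/lab.html HTTP/1.0" 200 5120 "-" "Wget/1.6"',
    '198.51.100.7 - - [07/Mar/2001:14:00:00 -0500] "GET /index.html HTTP/1.0" 200 2314 "-" "Mozilla/4.7"',
]
IDS_LOG = [                          # hypothetical sensor: date EVENT src dst
    "2001-03-08 SCAN 203.0.113.45 192.0.2.0/24",
    "2001-03-09 SCAN 203.0.113.45 192.0.2.0/24",
    "2001-03-11 PROBE 203.0.113.45 192.0.2.10",
    "2001-03-12 ATTEMPT 203.0.113.45 192.0.2.10",
    "2001-03-12 ROOT 203.0.113.45 192.0.2.10",
]

if __name__ == "__main__":
    web, ids = parse_web(WEB_LOG, ATTACKER), parse_ids(IDS_LOG, ATTACKER)
    above, axis, below = render(PRESS_RELEASE, web, ids)
    print(above + "   (* scan/probe, + root gained)")
    print(axis + "   (* significant event)")
    print(below + "   (+ web visit, W harvesting run)")
    print(lead_times(PRESS_RELEASE, web, ids))
```

For the constructed data the rows come out as a visit the day before the announcement, a wget run the day after, scanning from day three, and root on day seven; the lead-time dictionary is what you would put on the slide next to the picture.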
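Because the normal pattern is predictable, the practical check is "how far is this hour from what this kind of hour usually looks like", not a single global threshold. The script below is an added example (not from the column, which leaves traffic analysis to Part III): it builds a baseline of mean and standard deviation per (workday-or-weekend, hour-of-day) bucket from two constructed weeks of hourly kilobyte counts, then flags hours in the announcement week that exceed their bucket's mean by k standard deviations. The volumes, the bucket scheme, k and the minimum standard deviation are all assumptions made for the example.

```python
"""Traffic-volume baseline by workday/hour bucket. Added example; the hourly
counts are constructed with a fixed jitter cycle, not measured."""
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Bucket = Tuple[bool, int]                       # (is_workday, hour_of_day)
Sample = Tuple[datetime, float]                 # (hour start, kilobytes that hour)


def bucket(ts: datetime) -> Bucket:
    return (ts.weekday() < 5, ts.hour)


def build_baseline(samples: List[Sample]) -> Dict[Bucket, Tuple[float, float]]:
    groups: Dict[Bucket, List[float]] = {}
    for ts, kb in samples:
        groups.setdefault(bucket(ts), []).append(kb)
    return {b: (mean(v), pstdev(v)) for b, v in groups.items()}


def flag_anomalies(baseline, samples: List[Sample], k: float = 3.0, min_std: float = 20.0):
    """Hours above mean + k*std for their bucket. min_std keeps a very flat
    baseline (std near 0) from flagging every small wobble."""
    flagged = []
    for ts, kb in samples:
        mu, sd = baseline.get(bucket(ts), (None, None))
        if mu is None:
            flagged.append((ts, kb, "no baseline for this bucket"))
        elif kb > mu + k * max(sd, min_std):
            flagged.append((ts, kb, f"{kb - mu:.0f} KB above usual {mu:.0f}"))
    return flagged


def synthetic_hours(start: datetime, days: int, peak=800.0, quiet=80.0,
                    jitter=(0, 15, -10, 5, 20, -15, 10)) -> List[Sample]:
    """Constructed workday-daytime pattern with a deterministic jitter cycle."""
    out = []
    for i in range(days * 24):
        ts = start + timedelta(hours=i)
        busy = ts.weekday() < 5 and 8 <= ts.hour < 18
        out.append((ts, (peak if busy else quiet) + jitter[i % len(jitter)]))
    return out


BASELINE_WEEKS = synthetic_hours(datetime(2001, 2, 19), 14)    # two quiet weeks (Mon start)
ANNOUNCEMENT_WEEK = synthetic_hours(datetime(2001, 3, 5), 7)   # press-release week (Mon start)

# Constructed deviations: an off-hours pull the night after the announcement
# (Tue 02:00) and a Saturday 03:00 burst. Both are small next to daytime volume
# but far outside what their own buckets normally carry.
ANNOUNCEMENT_WEEK[24 + 2] = (ANNOUNCEMENT_WEEK[24 + 2][0], 600.0)
ANNOUNCEMENT_WEEK[5 * 24 + 3] = (ANNOUNCEMENT_WEEK[5 * 24 + 3][0], 400.0)


def announcement_anomalies():
    return flag_anomalies(build_baseline(BASELINE_WEEKS), ANNOUNCEMENT_WEEK)


if __name__ == "__main__":
    for ts, kb, why in announcement_anomalies():
        print(ts.strftime("%a %Y-%m-%d %H:00"), kb, why)
```

A global threshold set high enough to ignore the daytime peak would miss both of these; bucketing by the kind of hour is what makes a 600 KB night stand out against an 800 KB afternoon.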
We will discuss these matters in more detail in Part III of this series: Introduction to predictive analysis.
© 2001 - 2006 Core Competence & Mactivity, Inc.