13 Computer Intrusions
Dr. John P. Abraham, Professor
UTPA
Why computer intrusions?
• Businesses and individuals are heavily dependent on computers today
• They store financial data on them
• Private data is also kept on computers
• Criminals profit financially
• Extortion
Illegal activities
• Steal valuable information
• Eavesdrop on communication
• Harass those who have control over the systems
• Launch attacks against other systems
• Store toolkits and stolen or illegal data
• Deface websites
Computer intrusions can be deadly
• Gaining access to the electric grid
• Pharmacy database: changing the drugs or dosages on record
• Tampering with emergency civil service systems
Who are the criminals
• They do not fit the stereotype of teenagers with behavior problems
• Intrusions are more often committed by organized criminal groups
• State-sponsored groups
Exploits
• All operating systems and application programs have weaknesses (vulnerabilities).
• Manufacturers continually modify code (patches) to protect systems.
• Code or techniques that take advantage of these vulnerabilities are called exploits.
• Vulnerabilities are published on the internet; ready-made programs to launch the attack are often available as well.
How computer intruders operate
• Reconnaissance: the process of gathering information about the target computer. Probe the computer for vulnerabilities that could be exploited.
• Attack: gain unauthorized access or start a denial-of-service attack. Escalate from an unprivileged account to a privileged one.
• Entrenchment: ensuring continued access. Hide tracks and set up a persistent means of re-entry. May also let others into the system.
• Abuse: conducting illegal activities such as stealing information.
Intrusion techniques
• Reconnaissance: nslookup of a domain name to determine the IP address. Scan the target computer for open ports (using a port scanner) and identify services or applications with vulnerabilities.
• Attack: launch an exploit against a specific application.
• Entrenchment: a backdoor is uploaded through the remote shell. Registry entries are altered to start the backdoor at boot. A rootkit is uploaded to hide all malicious processes, network connections and files. Log entries related to the attack are cleaned up and deleted.
• Abuse: sensitive documents are placed into password-protected archives and moved off the compromised system to the attacker's computer.
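The reconnaissance step above (resolve the name, find open ports, identify the service) as an added worked example; this is not code from the slides. It runs entirely on loopback against a constructed listener that imitates an SSH banner, so the "target", its port and the banner text are assumptions made for the demo. The defensive point it makes concrete: a connect scan completes a full TCP handshake on every port it touches, so each probe is visible to the target's logs and to any IDS watching for one source hitting many ports.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def resolve(hostname):
    """nslookup step: the IPv4 addresses a name resolves to (works offline for literals)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe(ip, port, timeout=0.5):
    """Complete a TCP handshake with one port; True means a service accepted it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((ip, port)) == 0


def scan(ip, ports, timeout=0.5, workers=32):
    """TCP connect scan over the given ports in parallel; returns the open ones, sorted.
    Every probe is a full connect, so each one can land in the target's logs."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(ip, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def grab_banner(ip, port, timeout=1.0, size=128):
    """Service identification: read whatever the service says first (b'' if silent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        try:
            return s.recv(size)
        except socket.timeout:
            return b""


def start_fake_service(banner=b"SSH-2.0-OpenSSH_7.4\r\n"):
    """Constructed target for the demo: a loopback listener that sends one banner
    per connection. Returns (port, server_socket); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # server socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:         # scanner already hung up; that is fine
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def demo():
    """Run the recon steps against the constructed service on loopback."""
    target = resolve("127.0.0.1")[0]
    port, srv = start_fake_service()
    try:
        open_ports = scan(target, range(port - 5, port + 6))
        banner = grab_banner(target, port) if port in open_ports else b""
    finally:
        srv.close()
    return port, open_ports, banner


if __name__ == "__main__":
    port, open_ports, banner = demo()
    print(f"listener on {port}; open ports found: {open_ports}; banner: {banner!r}")
```

Only scan hosts you are authorized to test. Real scanners add SYN-only (half-open) probes and timing controls to reduce the footprint, but the information gathered is the same: which ports answer and what service sits behind them.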
Social Engineering
• When intruders cannot get in through known security holes, they use social engineering. They may even dig through garbage cans (dumpster diving).
• Social engineering refers to any attempt to contact legitimate users of the target system and trick them into giving up passwords (for example, "I am a new employee" or "I am the technician").
• Reverse social engineering: tricking the user into contacting the intruder, for example by sending an email that appears to come from the support desk.
Current intrusion tactics
• Direct attacks are becoming difficult due to security measures.
• Attack through email, or through web browsers that visit a compromised web server.
• Phishing: sending mass emails that appear to come from a friend or family member. Replying to these emails and giving the requested information can lead to fraud. Some emails promise large sums of money.
• Spear phishing: more targeted phishing; the email is personalized to the recipient.
• Downloads and cross-site scripting (XSS): what appear to be useful free downloads actually carry malicious code, and XSS injects attacker-controlled script into a web page so that it runs in the victim's browser.
• SQL injection: placing SQL control characters (quotes, comment markers) in user input so that the application's query is altered.
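SQL injection as an added worked example (not code from the slides): a login check and a user search written with string concatenation, beside the parameterized versions, run against a constructed in-memory SQLite table. The account, payloads and table layout are assumptions for the demo. The first payload uses a quote and a comment marker to bypass the password check; the second uses UNION to pull the password hashes out through a search box, which is the information-theft abuse the deck describes.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed sample: an in-memory user table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation: a quote in `username`
    closes the literal and the rest of the input becomes SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{pw_hash}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the values travel separately from the SQL text,
    so a quote in `username` is just a character in a string."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """A user-search feature with the same flaw; here the goal is data theft
    (appending a second SELECT that returns the hash column)."""
    rows = conn.execute(
        f"SELECT username FROM users WHERE username LIKE '%{term}%'").fetchall()
    return [r[0] for r in rows]


def search_safe(conn, term):
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ?", (f"%{term}%",)).fetchall()
    return [r[0] for r in rows]


# Payloads: the quote closes the string literal, `--` comments out the rest of the query.
BYPASS_USERNAME = "alice' --"
UNION_TERM = "' UNION SELECT pw_hash FROM users --"


def demo():
    conn = make_db()
    return {
        "alice_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "vuln_bypass": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "safe_bypass": login_safe(conn, BYPASS_USERNAME, "wrong"),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "vuln_union": search_vulnerable(conn, UNION_TERM),
        "safe_union": search_safe(conn, UNION_TERM),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result!r}")
```

The fix is the parameter placeholder, not filtering quote characters from input: the database driver never lets the values be parsed as SQL, whatever they contain.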
Investigating intrusions
• The act of uncovering the facts regarding a potential intrusion. Was there an actual intrusion?
• Containment, eradication and remediation steps
• Determine what harm was done (what was stolen or destroyed)
• Apprehend the intruders
• Where there is one, there are often more.
Investigative Methodologies
• Analysis of memory can reveal ports and IP addresses associated with malicious activity.
• System logs may contain information about user accounts and IP addresses.
• Investigate network log files.
• System forensics, memory forensics, network forensics and malware forensics.
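The "system logs contain user accounts and IP addresses" point as an added worked example (not from the slides): a parser for sshd authentication lines that tallies failures and successes per source address and flags the pattern an investigator looks for first, a run of failed logins followed by a success from the same IP. The log lines are constructed for the demo and the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in syslog format (not from any real system).
SAMPLE_LOG = """\
Mar  3 10:01:02 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:04 web01 sshd[1201]: Failed password for invalid user test from 203.0.113.45 port 51023 ssh2
Mar  3 10:01:06 web01 sshd[1201]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  3 10:01:08 web01 sshd[1201]: Failed password for alice from 203.0.113.45 port 51025 ssh2
Mar  3 10:01:10 web01 sshd[1201]: Failed password for alice from 203.0.113.45 port 51026 ssh2
Mar  3 10:01:12 web01 sshd[1209]: Accepted password for alice from 203.0.113.45 port 51027 ssh2
Mar  3 10:05:00 web01 sshd[1300]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:06:00 web01 sshd[1310]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar  3 10:07:00 web01 sshd[1320]: Accepted password for bob from 198.51.100.7 port 40003 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(lines):
    """Yield one dict per sshd authentication event; non-matching lines are skipped."""
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(lines, threshold=3):
    """Per source IP: failure count, usernames tried, accepted logins. Also returns
    the IPs where an accepted login followed at least `threshold` failures
    (brute force, then success): the accounts listed there need checking."""
    per_ip = defaultdict(lambda: {"failed": 0, "users_tried": set(), "accepted": []})
    flagged = []
    for ev in parse(lines):
        rec = per_ip[ev["ip"]]
        if ev["result"] == "Failed":
            rec["failed"] += 1
            rec["users_tried"].add(ev["user"])
        else:
            rec["accepted"].append((ev["ts"], ev["user"], ev["method"]))
            if rec["failed"] >= threshold:
                flagged.append({"ip": ev["ip"], "user": ev["user"], "at": ev["ts"],
                                "failures_before_success": rec["failed"],
                                "users_tried": sorted(rec["users_tried"])})
    summary = {ip: {"failed": r["failed"], "users_tried": sorted(r["users_tried"]),
                    "accepted": r["accepted"]} for ip, r in per_ip.items()}
    return summary, flagged


def demo():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    summary, flagged = demo()
    for ip, rec in summary.items():
        print(ip, rec)
    print("flagged:", flagged)
```

The same per-IP summary is the pivot into the other sources the slide lists: the flagged address is what you then look for in memory (open connections) and in network logs.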
Leaving compromised systems vulnerable
• It is a challenge: if you secure the system immediately, you may not catch the culprit.
• Should the system be shut down immediately?
• It may be important to observe the intruder's progress. Observing has its own risk: while you watch, the intruder may still be moving data out or using the system to attack others.
Volatile data
• Information in the CPU cache, CPU registers, video RAM, other RAM or buffers. It disappears as state changes or when the system shuts down.
• Network packets
• Check for unusual running processes
• Acquire full memory dumps
Volatile data preservation
• Initially check for any windows that are open.
• Use a clean forensic toolkit (DVD), launch the shell executable from the CD (not the computer's own), and change the default directory to the CD.
• Insert a clean (new) thumb drive to save the volatile data.
• Record the date and time to the thumb drive and execute a script that collects a memory dump, the list of running processes, the list of loaded drivers, modules and libraries, the list of open sockets and active network connections, the currently logged-in users and the authorized users, and finally creates hash values for the collected files.
• Remote acquisition of volatile data: for this you need EnCase, AccessData or similar programs.
• Collect network traffic using a sniffer.
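The collection script from the procedure above, as an added example rather than code from the slides. It records the collection time, runs each live-response command, writes its output to the destination (the thumb drive), and hashes every output into a manifest so the evidence can be verified later; a `tool_dir` argument resolves the binaries from the trusted toolkit directory instead of the suspect host's PATH. The command names are Linux ones and are an assumption; adjust them per operating system. The memory dump itself needs a dedicated acquisition tool and is not part of this script. The demo run uses two constructed "tools" (the Python interpreter and a name that does not exist) so it runs anywhere and shows how a missing tool is documented rather than silently skipped.

```python
import datetime
import hashlib
import json
import os
import shutil
import socket
import subprocess
import sys
import tempfile

# Live-response list from the procedure (Linux command names; assumption, adjust per OS).
DEFAULT_COMMANDS = {
    "processes": ["ps", "-eo", "pid,ppid,user,lstart,args"],
    "kernel_modules": ["lsmod"],
    "sockets": ["ss", "-tunap"],          # open sockets and active connections
    "logged_in": ["who", "-a"],
    "accounts": ["getent", "passwd"],     # authorized users on the system
    "arp_cache": ["ip", "neigh"],
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_capture(dest, name, argv, tool_dir=None, timeout=60):
    """Run one tool and save its stdout as dest/<name>.txt. With `tool_dir` set, the
    binary comes only from that (trusted) directory; without it, the host's PATH is
    used, which a rootkit may have subverted. Returns the manifest entry, including
    the reason when nothing was captured."""
    entry = {"argv": argv,
             "started_utc": datetime.datetime.now(datetime.timezone.utc).isoformat()}
    exe = shutil.which(argv[0], path=tool_dir) if tool_dir else shutil.which(argv[0])
    if exe is None:
        entry["status"] = "tool-not-found"
        return entry
    out_path = os.path.join(dest, f"{name}.txt")
    try:
        proc = subprocess.run([exe] + argv[1:], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        entry["status"] = "timeout"
        return entry
    with open(out_path, "wb") as f:
        f.write(proc.stdout)
    entry.update({"status": "ok" if proc.returncode == 0 else f"exit-{proc.returncode}",
                  "file": os.path.basename(out_path), "sha256": sha256_file(out_path),
                  "stderr": proc.stderr.decode(errors="replace")[:500]})
    return entry


def collect(dest, commands=DEFAULT_COMMANDS, tool_dir=None):
    """Run every command, then write manifest.json with the hash of each output file."""
    os.makedirs(dest, exist_ok=True)
    manifest = {"host": socket.gethostname(),
                "collected_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                "artifacts": {name: run_capture(dest, name, argv, tool_dir)
                              for name, argv in commands.items()}}
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(dest):
    """Re-hash the artifacts against manifest.json; returns the names that differ."""
    with open(os.path.join(dest, "manifest.json")) as f:
        manifest = json.load(f)
    return [name for name, e in manifest["artifacts"].items()
            if "sha256" in e and sha256_file(os.path.join(dest, e["file"])) != e["sha256"]]


def demo():
    """Self-contained run into a temporary directory with two constructed 'tools'."""
    dest = tempfile.mkdtemp(prefix="volatile-")
    commands = {"python_version": [sys.executable, "-c", "import sys; print(sys.version)"],
                "missing_tool": ["no-such-forensic-tool-xyz"]}
    manifest = collect(dest, commands)
    return dest, manifest, verify(dest)


if __name__ == "__main__":
    dest, manifest, mismatches = demo()
    print(json.dumps(manifest, indent=2))
    print("written to", dest, "mismatches:", mismatches)
```

Run the real list with `collect("/media/evidence/host01", tool_dir="/media/toolkit/bin")`; copy `manifest.json` off the drive separately, since the hashes are only useful if the manifest cannot be edited along with the artifacts.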
Post-mortem investigation
• File system analysis
• Collect file date-time metadata, sorted and/or filtered
• Collect file names, sorted and/or filtered
• Collect configuration files and startup locations from the registry
• Collect system, security and application logs
• Do keyword searching for malicious executables and IP addresses
Malicious code examination
• What is the purpose of the code?
• Does it create, delete or alter any specific files?
• Does it create new processes, or inject itself into running processes?
• Does it accept remote network connections, or initiate new connections? How are the hosts it talks to identified?
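An added worked example (not code from the slides) serving two passages: the post-mortem file-system steps (date-time metadata sorted and filtered, keyword search for malicious executables and IP addresses) and the last question of the malicious code examination (how the code identifies the hosts it contacts). It builds a modification-time timeline of an evidence tree, filters it to an incident window, and runs a byte-level indicator search over every file. The evidence tree is constructed for the demo: a renamed Windows executable that embeds a command-and-control URL and a Run-key string, beside two benign documents. The indicator patterns and the window are assumptions.

```python
import datetime
import os
import re
import tempfile

# Keyword-search patterns (bytes, so they work on binaries as well as text).
IOC_PATTERNS = {
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(rb"https?://[A-Za-z0-9.\-/_%?=&:]+"),
    "persistence": re.compile(
        rb"CurrentVersion\\Run|/etc/rc\.local|crontab|systemd/system", re.I),
    "pe_header": re.compile(rb"\AMZ"),  # starts with 'MZ': a Windows executable, whatever its name
}


def build_timeline(root):
    """One entry per file under `root`, sorted by last-modified time, so files
    touched during the incident cluster together. ctime is recorded too: it is
    set by the kernel and cannot be backdated with utime, so an mtime far older
    than ctime is a hint of timestomping."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            entries.append({
                "path": os.path.relpath(path, root),
                "mtime": datetime.datetime.fromtimestamp(st.st_mtime, datetime.timezone.utc),
                "ctime": datetime.datetime.fromtimestamp(st.st_ctime, datetime.timezone.utc),
                "size": st.st_size,
            })
    return sorted(entries, key=lambda e: e["mtime"])


def in_window(timeline, start, end):
    """Filter step: only files modified inside the suspected incident window."""
    return [e for e in timeline if start <= e["mtime"] <= end]


def search_indicators(root, patterns=IOC_PATTERNS, max_bytes=50 * 1024 * 1024):
    """Keyword search over every file: {relative path: {pattern name: unique hits}}."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue
            with open(path, "rb") as f:
                data = f.read()
            found = {pname: sorted(set(p.findall(data))) for pname, p in patterns.items()}
            found = {k: v for k, v in found.items() if v}
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo():
    """Constructed evidence tree: two old benign documents and a renamed executable
    dropped two days before 'now' that carries a C2 address and a Run-key string."""
    root = tempfile.mkdtemp(prefix="postmortem-")
    day, now = 86400, 1_700_000_000
    files = {
        "docs/notes.txt": (b"quarterly figures, nothing unusual here\n", now - 30 * day),
        "docs/readme.txt": (b"see http://example.com/manual\n", now - 20 * day),
        "Windows/Temp/svchost32.dat": (
            b"MZ\x90\x00" + b"\x00" * 16
            + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            + b"http://203.0.113.9/gate.php\x00203.0.113.9\x00", now - 2 * day),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))      # backdate atime/mtime to the scenario
    timeline = build_timeline(root)
    window = in_window(timeline,
                       datetime.datetime.fromtimestamp(now - 3 * day, datetime.timezone.utc),
                       datetime.datetime.fromtimestamp(now, datetime.timezone.utc))
    return timeline, window, search_indicators(root)


if __name__ == "__main__":
    timeline, window, hits = demo()
    for e in timeline:
        print(e["mtime"].isoformat(), e["size"], e["path"])
    print("in window:", [e["path"] for e in window])
    print("indicators:", hits)
```

The extracted URL and address answer the "how are the hosts identified" question for a sample that hard-codes its command-and-control server; a sample that resolves a domain or computes addresses at runtime shows nothing here and needs the dynamic analysis the other questions describe.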