Last active
August 29, 2015 14:07
Intrusion presentation (present with `tpp`)
--withborder
--author Jens Rantil, Tink AB
--title Intrusion
--date 2014-10-06
--center If a bad day strikes you.
--newpage goal
--heading Agenda
--beginslideleft
* Definition.
* My experiences with intrusions.
* General observations and thoughts.
* Discussion
--endslideleft
--newpage
--heading But before...
--center I hope you never have to experience this...
--newpage
--heading Definition (scope)
--center An intrusion is when someone/something has access to a server shell/remote execution.
--center ...or access to an internal network.
--newpage
--heading Previous experiences
---
* ~2005 at a student organization in Lund.
---
* We get an e-mail from the security team at Bank of Scotland.
---
* Bank of Scotland tells us we are running a copy of their website. Are we?!
---
--beginshelloutput
$ ssh jrantil@student-server.helsingkrona.se
...
$ ps -ef
...all good...
--endshelloutput
--newpage
--heading Previous experiences
* ~2005 at a student organization in Lund.
---
* Scam.
* Old version of the bug tracking software "Mantis".
* The old machine was reformatted.
* All passwords changed.
--newpage
--heading Previous experiences
* ~2010 at an unnamed company
* ~08:00 - a developer notices someone/something is logged in as root on a machine.
* ~08:10 - I am asked to take a look at this. Good way to start a day!
--newpage
--heading First 20 minutes of intrusion
1. DON'T PANIC (and keep a journal from now on)! I cannot stress this enough...
---
2. (Quickly) Lock-down.
--newpage
--heading Lock-down
- Are there other similar machines?
---
- Notify the team that the server is off-limits.
- Every command on a breached machine can wreak havoc.
- Every file touched can modify `atime`, which can destroy evidence.
---
- Evaluate the scope of the attack. Can be HARD!
- Does the machine have access to sensitive data? Passwords? Change passwords or lock down those resources immediately.
---
- Who has logged into the machine recently? If authentication has been tampered with, the attacker has a working password.
- Patch vulnerable software (or shut it down).
---
- If possible, lock down traffic to/from the instance.
--newpage
--heading First 20 minutes of intrusion
1. DON'T PANIC! I cannot stress this enough...
2. (Quickly) Lock-down.
3. Gather evidence.
--newpage
--heading Gather evidence
* If possible, create an image of the host.
---
* Collect logs.
---
* Write down times and IP addresses. Generally, it's good to make notes throughout the whole intrusion.
--newpage
--heading First 20 minutes of intrusion
1. DON'T PANIC! I cannot stress this enough...
2. (Quickly) Lock-down.
3. Gather evidence.
4. Offline analysis.
--newpage
--heading Offline analysis
* What was tampered with on the machine? Maybe patching was not enough?
* Host templates are awesome. Cross-checksum everything against the template.
* Should customers be notified?
* Root cause analysis. How did this happen?
--newpage
--heading ~2010 at an unnamed company
* Summary:
* The machine was running a really old version of exim. Forgotten about...
* Exim runs as user root/admin.
* Binaries had been replaced and renamed. "bash" was really a perl script...
* sshd had been replaced with one that logged all usernames and cleartext passwords...
* The attack was, AFAIK, not targeted at Unnamed Company.
* An identical intrusion happened to another machine a week later. We had missed that we had two...
--newpage
--heading Some general insights
* Every application fronting the Internet is susceptible to attacks. Minimize the number of those.
---
* Enable automatic security upgrades.
* Subscribe to security advisories to keep track of security vulnerabilities.
---
* Layer infrastructure into bounded contexts and isolate each layer from the others as much as possible.
---
* Use authentication even inside the "secure" internal network.
---
* Intrusion Detection Systems.
---
* Log everything. Logs reaching ~6 months back once saved us in a fraud case...
---
* Use a configuration management system to make sure all of your patches are applied to all machines.
--newpage
--heading Things NOT mentioned in this talk
* Breaches in switches, firewalls, routers. In those cases you should be happy if you are encrypting your traffic!
* Physical security of servers and passwords.
* Log storage and log authenticity are topics in their own right.
--newpage
--heading Discussion
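Worked example, added here and not part of the gist, of the "cross-checksum everything against the host template" step from the offline-analysis slide, applied to the replaced-binaries case from the summary above. It assumes a clean template tree and the suspect host's filesystem (for instance a mounted image) are both readable offline; the sample trees it builds are constructed stand-ins, not real binaries.

```python
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def build_manifest(root):
    """Map every file under root (relative path) to (sha256 hex, first 4 bytes)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()  # whole-file read; chunk it for multi-GB images
            manifest[os.path.relpath(full, root)] = (hashlib.sha256(data).hexdigest(), data[:4])
    return manifest


def compare(template, suspect):
    """Cross-checksum a suspect host against the clean template it was built from."""
    findings = []
    for rel, (digest, magic) in sorted(template.items()):
        if rel not in suspect:
            findings.append(("missing", rel))
        elif suspect[rel][0] != digest:
            # A native binary that now starts with "#!" is the "bash was really a
            # perl script" case from the talk; flag it apart from other edits.
            script = magic == ELF_MAGIC and suspect[rel][1].startswith(b"#!")
            findings.append(("binary-replaced-by-script" if script else "modified", rel))
    for rel in sorted(set(suspect) - set(template)):
        findings.append(("added", rel))
    return findings


def demo():
    """Constructed sample trees (fake 'binaries'): a clean template and a suspect copy."""
    clean = {"bin/bash": ELF_MAGIC + b"\x01" * 32, "bin/sshd": ELF_MAGIC + b"\x02" * 32}
    tampered = dict(clean)
    tampered["bin/bash"] = b"#!/usr/bin/perl\n# wrapper posing as a shell\n"
    tampered["bin/sshd"] = ELF_MAGIC + b"\x03" * 32  # rebuilt sshd, same magic
    tampered["bin/.x"] = b"#!/bin/sh\n"              # file the template never had
    with tempfile.TemporaryDirectory() as tmp:
        for sub, files in (("template", clean), ("suspect", tampered)):
            for rel, data in files.items():
                full = os.path.join(tmp, sub, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "wb") as f:
                    f.write(data)
        return compare(build_manifest(os.path.join(tmp, "template")),
                       build_manifest(os.path.join(tmp, "suspect")))
```

Run the comparison against a read-only mount of the image so the check itself does not touch `atime` on the evidence.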