Security Incident Handling: How can we work together to provide confidence for Internet users?

Suguru Yamaguchi, Ph.D., JPCERT/CC (WIDE Project/NAIST)

APNIC OPM - August 2001

Page 2: Overview

"Security Incidents" in the Internet

– Security incidents are now widespread in the Internet, and the number observed keeps increasing. Because the Internet is being applied to ever more areas of activity, security incidents can have serious impacts on our society.

Fighting against these security incidents
– Technical approaches
  • Network operations, software development (OS, applications)
– Non-technical approaches
  • Law enforcement
  • Regulations and law
  • Insurance

Page 3: Current Situation

Page 4: Def. Security Incidents

Any kind of activity that directly interferes with our communication infrastructure
– Intentional / malicious
  • Intrusion from outside, information leakage, password theft, malicious code implanted from outside, denial of service attacks, ....
– Non-intentional
  • Misuse by customers, system down, power failure, ....

Network operators have to handle both kinds of activity and protect their systems from either.

Page 5: Security Incidents observed recently

Port scanning & probes
– These happen every day in any environment.
– Recognized as a prologue to more significant incidents.

Intrusion, break-in
– Using weak and/or cracked passwords to log in directly to the system.
  • But this is quite rare these days because of the widespread use of one-time password systems (challenge-response type).
– Using a "buffer overflow" security hole to implant and execute "shell-code" on the targeted system.
  • Almost all of the attack tools use this method.

Amplifiers and open relays
– SPAM, packet smurfing, ...

Denial of Service (DoS)
– Generate excessive load on the targeted system
– Distributed DoS
– Targeting major WWW servers, IRC servers, and other services

Page 6: Statistics@JPCERT/CC (1)

[Chart: number of reports received by JPCERT/CC per quarter, 96Q4 through 01Q2; y-axis "Number of Reports", 0 to 1200]

Page 7: Statistics@JPCERT/CC (2)

[Chart: number of reports received by JPCERT/CC per year, 1996Q4 through 2001 (2001 estimated); y-axis "Number of Reports", 0 to 4,000]

Page 8: Statistics@CERT/CC

[Chart: number of reports received by CERT/CC per year, 1988 through 2001 (2001 estimated from 2Q); y-axis "Number of Reports", 0 to 35,000]

Page 9: Common Scenario

① Scanning ports to learn which ports are open for remote access.
② Finding application servers that have buffer overflow security holes (sendmail, INN, phf, imap, pop, statd, named, ...).
③ Trying to implant "shell-code" and invoke a shell or another program on the target. If this succeeds, the intruder(s) obtain a way to break into the system, often without anything being logged, since the attack bypasses the normal login path.
④ Once broken in, the intruder(s) can take /etc/passwd for password cracking, and other configuration files, to learn more details of the system's setup.
⑤ Sometimes they try to obtain more access privilege, especially "root" access, by means of "Trojan horses" and other exploit code.
⑥ Modify system log files to erase their "footprints", and replace some programs on the system (e.g. ps, ls, who, ...) to hide their malicious activities.
⑦ Quite likely, install a packet monitoring program to wire-tap the local network for passwords exchanged in plain text.
⑧ Try to spread their activities to other systems.
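Step ⑥ is the one an incident handler can check for mechanically. The following is an added example, not code from the deck or from JPCERT/CC: a minimal file-integrity baseline of the kind that Tripwire automates. The "binaries", the temporary directory and the intruder's modifications are all constructed for the demonstration, and the helper names (take_baseline, verify, demo) are assumptions of this example.

```python
"""Added example, not part of the deck: a minimal file-integrity baseline in
the spirit of Tripwire, aimed at step 6 of the scenario above (intruders
replacing ps, ls, who, ... with trojaned copies). The "binaries" here are
small files written to a temporary directory, constructed for the demo; the
functions work unchanged on real paths such as /bin/ps.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so that large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record (sha256, permission bits) for each path.
    Take this on a known-clean system and keep it off the host (read-only
    media): an intruder with root can otherwise rewrite the baseline too."""
    return {p: (sha256_of(p), os.stat(p).st_mode & 0o7777) for p in paths}


def verify(baseline):
    """Compare live files against the baseline; return {path: reason} for
    every file that no longer matches. Content is checked before permissions
    so a replaced binary is reported as such even if its mode also changed."""
    findings = {}
    for path, (digest, mode) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_of(path) != digest:
            findings[path] = "content changed"
        elif (os.stat(path).st_mode & 0o7777) != mode:
            findings[path] = "permissions changed"
    return findings


def demo():
    """Constructed scenario: baseline three 'binaries', then simulate an
    intruder replacing ps with a copy that hides a sniffer process and
    setting the setuid bit on who. Returns {basename: reason}."""
    tmp = tempfile.mkdtemp()
    paths = {}
    for name in ("ps", "ls", "who"):
        path = os.path.join(tmp, name)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")
        os.chmod(path, 0o755)
        paths[name] = path

    baseline = take_baseline(paths.values())

    # intruder action 1: trojaned ps that filters out the sniffer (steps 6 and 7)
    with open(paths["ps"], "wb") as f:
        f.write(b"#!/bin/sh\n/bin/ps \"$@\" | grep -v sniff\n")
    # intruder action 2: setuid bit on who, content untouched
    os.chmod(paths["who"], 0o4755)

    return {os.path.basename(p): why for p, why in verify(baseline).items()}


if __name__ == "__main__":
    for name, why in demo().items():
        print(f"{name}: {why}")
```

The baseline has to be taken before the break-in and kept where the intruder cannot reach it. As the slide notes, a root-level intruder replaces the very tools (ps, ls, who) you would use to inspect the host, so the comparison must be run with binaries and a baseline taken from trusted media, not with the tools found on the suspect system.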

Page 10: Sophisticated Port Scan

More sophisticated "port scanning" techniques
– IDS (Intrusion Detection Systems) are now widely installed.

Random access to the system
– Attackers have to access a specific port multiple times to learn whether that port can be used for their break-in. The fundamental idea of an IDS is to catch this pattern.
– Random access is a great help for attackers
  • Because an IDS does not have enough memory to record all the events it senses.
  • So it is hard for the IDS to detect the port scan.
– "Slow scan" can masquerade malicious accesses to the system as a series of "mistakes"
  • It is also hard for an IDS to determine whether a scan is intentional or not.
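To make the memory argument concrete, here is an added example (not code from the deck or from any IDS product) that runs a short-memory detector and a long-memory detector over constructed firewall log lines. The log format, the addresses, the 60-second window, the 24-hour retention and the threshold of five distinct ports are all assumptions of the demo.

```python
"""Added example, not from the deck: why a memory-bounded IDS misses a slow
port scan. The firewall log lines are CONSTRUCTED for the demo (iptables-like
"DENY SRC=... DST=... DPT=..." records with an ISO timestamp), not real logs.

Two detectors read the same lines with the same threshold of 5 distinct
destination ports per source:
  * WindowDetector forgets anything older than `window` seconds, the way an
    IDS with limited state does.
  * CumulativeDetector keeps the last-seen time of every (source, port) pair
    for `retention` seconds, trading memory for the ability to see a scan
    spread out over hours.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) DENY SRC=(\S+) DST=\S+ DPT=(\d+)$")


def parse(line):
    """Return (timestamp_seconds, src, dport), or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)).timestamp(), m.group(2), int(m.group(3))


class WindowDetector:
    """Alert when a source hits `threshold` distinct ports within `window` seconds."""

    def __init__(self, window=60, threshold=5):
        self.window, self.threshold = window, threshold
        self.events = defaultdict(deque)  # src -> deque of (ts, dport)

    def feed(self, ts, src, dport):
        q = self.events[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:  # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        return src if len(distinct) >= self.threshold else None


class CumulativeDetector:
    """Alert when a source has touched `threshold` distinct ports within `retention` seconds."""

    def __init__(self, retention=24 * 3600, threshold=5):
        self.retention, self.threshold = retention, threshold
        self.last_seen = defaultdict(dict)  # src -> {dport: last timestamp}

    def feed(self, ts, src, dport):
        ports = self.last_seen[src]
        ports[dport] = ts
        stale = [p for p, t in ports.items() if ts - t > self.retention]
        for p in stale:
            del ports[p]
        return src if len(ports) >= self.threshold else None


def run(lines, detector):
    """Feed every parseable line to the detector; return the set of sources it alerted on."""
    alerts = set()
    for line in lines:
        rec = parse(line)
        if rec is not None:
            hit = detector.feed(*rec)
            if hit:
                alerts.add(hit)
    return alerts


def sample_lines():
    """Constructed log: a fast scanner, a slow scanner (one probe per hour),
    and a legitimate client retrying port 80. Lines are returned in time order."""
    base = datetime(2001, 8, 20, 0, 0, 0)
    probes = [21, 22, 23, 25, 110, 143]
    events = []
    for i, port in enumerate(probes):               # fast scan: 6 ports in 6 seconds
        events.append((base + timedelta(seconds=i), "10.0.0.5", port))
    for i, port in enumerate(probes):               # slow scan: 6 ports in 6 hours
        events.append((base + timedelta(hours=i, seconds=30), "10.0.0.9", port))
    for i in range(20):                             # normal client: same port, many times
        events.append((base + timedelta(seconds=3 * i), "192.0.2.10", 80))
    events.sort()
    return [f"{t.isoformat()} DENY SRC={s} DST=192.0.2.1 DPT={p}" for t, s, p in events]


if __name__ == "__main__":
    lines = sample_lines()
    print("window    :", run(lines, WindowDetector()))
    print("cumulative:", run(lines, CumulativeDetector()))
```

Run as written, WindowDetector flags only the fast scanner, while CumulativeDetector also flags the host probing one port per hour. The price is state: the second detector keeps every (source, port) pair for a day, which is exactly the memory a real IDS on a busy link does not have, so in practice retention and the number of tracked sources must be capped, and a patient scanner can still stay under the cap.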

Page 11: Last 3 months

Using buffer overflows is the main way to break in.

Microsoft IIS is causing major trouble.
– HUC attacks in 2001Q1 and Q2
– CodeRed and CodeRed II
– Since Windows NT / 2000 Professional / 2000 Advanced Server are installed on a huge number of systems, it is fairly easy for attacks to become "pandemic".

Dedicated Internet circuits cause more trouble
– xDSL and FTTH services are getting more popular in many countries.
– At home or in small offices there are many "non-protected" systems.
– Attackers are now using them as DoS handlers.
– Scanning ports 137, 139
– Promoting the usage of "personal firewalls" is required, but ....

Worms on UNIX
– A very classic break-in method, e.g., the RTM worm in 1988
– Ramen, Lion (and, on the Windows/IIS side, CodeRed)
– The break-in method uses "buffer overflow"

Page 12: Sadmind: traversing various operating systems

[Diagram: Solaris and Windows hosts]

① Using the "buffer overflow" security hole in sadmind on Solaris, the worm implants itself on the system.
② It scans for IIS on the local networks, then sends crafted requests to IIS in order to replace WWW pages and crash the servers.
③ It copies itself to other systems on which sadmind on Solaris is running. This is its activity as a worm.

Page 13: DDoS (1)

Distributed DoS attack
– Prepare multiple DoS handlers (agents) in the Internet, then generate traffic from all of them simultaneously.
– Even though each DoS handler can generate only a small amount of traffic, the aggregated traffic can be 100 Mbps or more in many cases.
– Automated DDoS tools are now widely available on the Internet
  • Trinoo, TFN, TFN2K

Making a serious impact on commercial Web sites
– Yahoo!, CNN, eBay, Amazon, etc. were attacked by this method in Feb. 2000.
– Many governments recognize DDoS as a "top priority" threat we have to consider.

There is no major solution for this attack....

Page 14: DDoS (2)

[Diagram: Attacker -> Agents -> Target ("Stop services")]
1. Implant DoS code from outside
2. Get a trigger to start generating the traffic
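Neither slide says how an operator tells a distributed flood from a smurf amplification flood, although the distinction decides whom the IRT has to contact. The following is an added example, not code from the deck: a small classifier over NetFlow-style records. The records, the addresses and the thresholds are constructed for the demo and are not real traffic.

```python
"""Added example, not from the deck: classifying a flood in flow records and
identifying whom to contact. The records are CONSTRUCTED NetFlow-style
tuples (src, dst, proto, icmp_type, packets), not real traffic; the
thresholds are illustrative.

In a smurf attack the victim's address is spoofed in echo requests sent to
a directed-broadcast address, so the victim is hit by ICMP echo replies from
every host on the amplifier's subnet. The sources therefore cluster in one
/24, and that network is the one whose operator an IRT must contact. A DDoS
from agents on many networks shows no such clustering.
"""
import ipaddress
from collections import Counter, defaultdict


def aggregate(records):
    """Per destination: packet total, distinct sources, echo-reply packets,
    and packets per source /24."""
    per_dst = defaultdict(lambda: {
        "packets": 0, "sources": set(), "echo_reply_packets": 0, "source_nets": Counter(),
    })
    for src, dst, proto, icmp_type, packets in records:
        d = per_dst[dst]
        d["packets"] += packets
        d["sources"].add(src)
        d["source_nets"][str(ipaddress.ip_network(f"{src}/24", strict=False))] += packets
        if proto == "icmp" and icmp_type == 0:   # ICMP echo reply
            d["echo_reply_packets"] += packets
    return per_dst


def classify(per_dst, min_sources=50, min_packets=10000):
    """Flag destinations hit by many sources with lots of packets. If nearly
    all of it is ICMP echo replies from a single /24, call it smurf and name
    that amplifier network; otherwise report a generic DDoS."""
    findings = {}
    for dst, d in per_dst.items():
        if len(d["sources"]) < min_sources or d["packets"] < min_packets:
            continue
        top_net, top_pkts = d["source_nets"].most_common(1)[0]
        echo_share = d["echo_reply_packets"] / d["packets"]
        smurf = echo_share > 0.9 and top_pkts / d["packets"] > 0.5
        findings[dst] = {
            "kind": "smurf" if smurf else "ddos",
            "sources": len(d["sources"]),
            "packets": d["packets"],
            "amplifier_net": top_net if smurf else None,
        }
    return findings


def sample_records():
    """Constructed flows: a smurf against 192.0.2.1, a distributed SYN-style
    flood against 192.0.2.2, and ordinary mail traffic to 192.0.2.3."""
    recs = []
    for i in range(1, 201):                      # 200 amplifier hosts, 100 replies each
        recs.append((f"198.51.100.{i}", "192.0.2.1", "icmp", 0, 100))
    for i in range(120):                         # 120 agents on 120 different /24s
        recs.append((f"172.{16 + i % 16}.{i}.{(7 * i) % 256}", "192.0.2.2", "tcp", None, 200))
    for i in range(30):                          # 30 normal clients
        recs.append((f"192.0.2.{100 + i}", "192.0.2.3", "tcp", None, 20))
    return recs


if __name__ == "__main__":
    for dst, finding in classify(aggregate(sample_records())).items():
        print(dst, finding)
```

For the smurf case the output names 198.51.100.0/24 as the amplifier, which is the network whose operator needs to disable directed broadcast; the individual source addresses are real hosts there, not the attacker. For the distributed case no single network dominates, and the slide's point stands: there is no single party to call, which is why the deck later stresses reliable registry data and CSIRT-to-CSIRT coordination.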

Page 15: Protect Your System

Set up your "security policy" and operational rules for all the people involved in network / system operations
– Continuously apply the security patches released by software vendors
– Audit and update systems in a proper manner
– It is quite rare to face an attack by an unknown method.

Make it "business as usual"
– Clearly defined procedures for all of us.

Use technology
– IDS, firewalls, audit tools, ....

Page 16: CSIRT: Computer Security Incident Response Team

Page 17: Background

Problem solving requires working together with
– various organizations (universities, industries, government, law enforcement [detectives], ....)
– technical analysis, which is always required
– organizations / persons in other countries, because security incidents may be caused by someone in another country.

An information switchboard is a good idea
– For smooth communication and collaboration
– For wide-range analysis of information
– As an information repository

Page 18: CSIRT

Computer Security Incident Response Team
– An organization focused on computer security incidents
– Technical professionals for analysis, assistance with problem solving, and accelerating information exchange among the organizations involved in a specific security incident
– CERT/CC in the US, 1988
  • Funded by DoD, but not fully involved with law enforcement
– Currently, many countries have their own IRT as a national contact point
  • Sometimes a government subsidiary, an independent group, a university, ....
  • "There is one" is much better than "there isn't"
  • A stable contact point is the key idea

Page 19: Ex. Activities in JPCERT/CC

Incident Response
– Gathering reports from users on the Internet
– Analyzing attack methods observed in our constituency
– Exchanging information with other IRTs in the world
– Prompting vendors to develop countermeasures for attacks

Promoting development and deployment of security technologies
– Gathering information on Internet technologies
– Publishing warnings and security alerts
– Organizing symposiums, workshops, and conferences on security technologies and engineering
– Providing information on the Internet through WWW and e-mail lists

Page 20: Coordination (1)

[Diagram: JPCERT/CC analysis of attacks, in technical cooperation with involved sites, advisors and vendors]

Providing help with problem solving
– Information
– Coordination
– Confidentiality

Page 21: Coordination (2)

[Diagram: analysis to know the current situation; information flows out to the constituency]

Providing information
– Technical information
– Warnings
– Periodical circulation

Page 22: Function of National IRT

[Diagram: JPCERT/CC as an information repository for everybody, between industries and users. In: reports and requests for help. Out: technology transfer, human resource development, gathering of information, mutual benefits]

– Neutral
– Compact
– Focused on analysis

Page 23: FIRST

Forum of Incident Response and Security Teams
– International forum of CSIRTs
– Membership based
  • Mutual trust infrastructure for exchanging information among CSIRTs in the world
  • Membership requires an annual fee, but it is not too much
– Annual conference
  • In Hawaii in 2002
– Technical Colloquia
– http://www.first.org/

Page 24: Teams in AP region

Australia    AusCERT     www.auscert.org.au
China        CERCERT     www.edu.cn
Indonesia    ID-CERT     www.paume.itb.ac.id/rahard/id-cert
Japan        JPCERT/CC   www.jpcert.or.jp
Korea        CERTCC-KR   www.certcc.or.kr
Malaysia     MyCERT      www.mycert.mimos.my
Philippines  PH-CERT     www.phcert.org.ph
Singapore    SingCERT    www.singcert.org.sg
Taiwan       TWCERT      www.cert.org.tw

These teams are considered the national IRT contact points. You may have other contacts for incident response, such as the security team in your own organization or law enforcement, depending on your situation.

If you know of other IRTs not listed here, please give me information on them. Thanks!

Page 25: APSIRC

Asia-Pacific Security Incident Response Centers
Virtual forum for exchanging information / ideas
– Mailing list managed by the APNG group
  • The major persons working in this area are registered.
  • Mail to [email protected] if you want to subscribe
  • There is little traffic on the list
– Promoting the establishment of IRTs in countries where there is no national contact.
  • An organization or person acting as a stable contact point is highly required.
  • The IRT does not have to be funded by the government.

Page 26: IRT requires various information

Information we need...
– Address allocation and domain allocation
– Contact points for vendors, ISPs, victims, suspects, ....
  • To ask about the situation
  • To ask for collaboration and cooperation in solving the specific incident
  • Smurf attacks with spoofed source addresses are our headache
– A reliable WHOIS database
  • Special access permission to the WHOIS database
  • At national and international level
– Contact point for law enforcement
  • Causing security incidents is a crime in many countries.
  • Sometimes contacting law enforcement is mandatory

APNIC has a quite important role in maintaining the databases that help IRTs in the AP region.
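The first thing an IRT does with that registry data is turn an address from an incident report into a person to call. The following is an added example, not code from the deck, from JPCERT/CC or from APNIC: a parser for a WHOIS response in the "attribute: value" object format the regional registries use, which finds the most specific allocation covering an address and its technical or administrative contact. The response text, the network, the handles and the e-mail addresses are all constructed for the demo.

```python
"""Added example, not part of the deck: pulling the responsible contact out
of a WHOIS (RPSL-style) response, the kind of lookup an IRT does before it
can ask the network on the other end for cooperation.

The response below is CONSTRUCTED to look like a registry answer; the
network, handles and addresses are invented. A real query would be, for
instance, `whois -h whois.apnic.net 198.51.100.17`, whose output this parser reads.
"""
import ipaddress
import re

SAMPLE_RESPONSE = """\
% [whois.apnic.net] constructed sample, not real data
% Information related to '198.51.100.0 - 198.51.100.255'

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET-JP
descr:          Example ISP
                Tokyo, Japan
country:        JP
admin-c:        EA1-AP
tech-c:         EN1-AP
mnt-by:         MAINT-EXAMPLE-JP
changed:        hostmaster@example.net 20010801
source:         APNIC

inetnum:        198.51.0.0 - 198.51.255.255
netname:        EXAMPLE-UPSTREAM
descr:          Upstream carrier block
country:        JP
admin-c:        EA1-AP
tech-c:         EA1-AP
source:         APNIC

person:         Example Admin
nic-hdl:        EA1-AP
e-mail:         admin@example.net
source:         APNIC

role:           Example NOC
nic-hdl:        EN1-AP
e-mail:         noc@example.net
phone:          +81-3-0000-0000
source:         APNIC
"""

RANGE = re.compile(r"^\s*(\S+)\s*-\s*(\S+)\s*$")


def parse_rpsl(text):
    """Split a WHOIS response into objects: one dict per blank-line-separated
    block, attribute -> list of values. '%' lines are server comments and
    lines starting with whitespace continue the previous attribute."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0].isspace() and last_key:          # continuation line
            current[last_key][-1] += " " + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def covering_inetnum(objects, ip):
    """Most specific inetnum whose 'start - end' range contains ip."""
    addr = ipaddress.ip_address(ip)
    best, best_size = None, None
    for obj in objects:
        if "inetnum" not in obj:
            continue
        m = RANGE.match(obj["inetnum"][0])
        if not m:
            continue
        lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if lo <= addr <= hi:
            size = int(hi) - int(lo)
            if best is None or size < best_size:
                best, best_size = obj, size
    return best


def contact_for(objects, ip, role="tech-c"):
    """Return (netname, nic-hdl, e-mail) for the tech-c (or admin-c) of the
    most specific inetnum covering ip, or None if no allocation matches."""
    net = covering_inetnum(objects, ip)
    if net is None or role not in net:
        return None
    handle = net[role][0]
    for obj in objects:
        if obj.get("nic-hdl", [None])[0] == handle:
            return net["netname"][0], handle, obj.get("e-mail", [None])[0]
    return net["netname"][0], handle, None


if __name__ == "__main__":
    objs = parse_rpsl(SAMPLE_RESPONSE)
    print(contact_for(objs, "198.51.100.17"))
    print(contact_for(objs, "198.51.7.9", role="admin-c"))
```

The "most specific range" rule matters: a registry answer often carries both the upstream carrier block and the customer assignment inside it, and the customer's tech-c is the contact who can actually act. It also shows the dependency the slide is making: if the registry entry is stale or the handle has no working e-mail, the parser returns a netname with no contact and the IRT is stuck.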

Page 27: Government Activities (1)

Inter-governmental network of law enforcement teams
– 24/7
– ICPO, G8 Lyon Group

Interaction between industries and governments is still under discussion
– G8 subgroup on high-tech crime / professional workshops
  • Held in Oct. 2000 in Berlin and May 2001 in Tokyo

Page 28: Government Activities (2)

European treaty for the fight against high-tech crime (the Council of Europe Convention on Cybercrime)
– Discussed since 2000, public comment requested in March 2001, finalized in July 2001.
– Will become effective through the ratification process in each country
– This treaty requires a country to maintain / create / modify laws to prepare consistent action against high-tech crimes
  • E.g. all ratifying countries should have laws banning computer virus development as well as circulation.

Page 29: Government Activities (3)

CSIRTs have to work with the government in some cases
– Dialogue with government is very important, because we should not be isolated from government.
– Law enforcement is now the major group working on computer / network security issues in many countries
– Collaborations ....

Page 30: Summary

Security incidents: growing rapidly
CSIRTs: always busy
APNIC and country registries: please work with the CSIRT in each member state to provide reliable information on who is using an address or domain.
Countries that do not have a CSIRT: make one!