300+ views and only 4 responses... disappointing.

Anyways...
Here are some key steps that should be taken.

- Contact the other CSIRT member, arrange to meet them in the lobby or parking lot of the branch office.

- Contact the Branch office. Let them know you'll be coming and that there is a possible service affecting problem.

- Pack a jump bag containing your incident response toolkit and forensics tools.

- Travel to the site.

- Identify the affected systems. You can't react appropriately unless you know what you are dealing with.


PART II

4:00 rolls around and while travelling to the branch office you get a call from the network engineer who called you at 2:30.

Engineer: "Hey, sorry about that, we got called into an infrastructure meeting and couldn't get out of it."

You: "yeah yeah, so what's happening at this office?"

Engineer: "Well, here's what I know. We got an alert from one of the hosts today that transferred about 6GB of data since midnight. That host usually hovers around 10MB of WAN traffic per day. That host is 102.13.84.199. I have the following IPs running rogue FTP servers on high-numbered ports: 102.13.84.43, .46, .55, .58, .143, .179, .199, .210, .215. The problem is, I've got three different banners showing up and the ports differ. Some are on port 65000, others on 5883. We've blocked the .199 host at the perimeter so it can't get out, but the system is still live. The others don't seem to be overly active at this moment. Want me to put in a block on them at the router?"

You:[1]


You've contacted your partner and arranged to meet in the parking lot at the branch office. Your partner contacted the network administrator at the branch office ahead of time to let him know you were coming.

4:40


When you arrive at his office you gather the following information.

They run a 10BaseT infrastructure at the branch office.
They have two Class C networks. 102.13.84.0/24 and 102.13.26.0/24.
They run a DHCP server that allows anyone to get an IP address, including unknown hosts.
They have two FreeBSD firewalls, one per subnet, that block the reserved port range of 0-1024 but allow traffic on every other port. Logging is NOT enabled.
This branch office deals with customer records for an e-commerce business.

You show him the list of IP addresses you received from the network engineer and this is what he tells you.

.43 is a workstation running Windows XP. The main operator is an intern.
.46 is a workstation running Windows XP. The main operator is an intern.
.55 is a domain controller running Windows 2003.
.58 is a domain controller running Windows 2003.
.143 is a workstation running Windows XP. The main operator is an HR officer.
.179 is a workstation running Windows XP. The main operator is a data analyst.
.199 is a workstation running Windows XP. The main operator is a data analyst.
.210 is a domain controller running Windows 2003.
.215 is a domain controller running Windows 2003.

The 2 domain controllers run Snort, IDSCenter and MySQL. The Snort sensor is placed inside the firewall. They are also connected to a MiSAN (http://www.cybernetics.com/backup_so...san/misan.html).
In addition, you discover that the domain controllers are multihomed and have IP addresses on the other network.
[2]

The network administrator tells you that the infrastructure is old and they've had to install ad-hoc switches to expand the network over time. A wiring upgrade is due to occur next year.
You visit the BDF, which measures 12x20, and see no less than 8 switches mounted to the walls instead of the racks. You see an excess of 50' of CAT 3 cable bundled on the floor rising up to the patch panels. You see no less than 4 patch panels spread throughout the room.[3]


At this point, your partner decides to remind you of something you almost forgot about..

Partner: "You realize that with this many systems we may have to deal with the notification laws."

You: "****... that's right."
http://www.cscic.state.ny.us/security/securitybreach/
[4]

[5]


[1] Well, what do you say?
[2] How do you prioritize which system to visit? What is your process for analyzing the systems? What tools do you run? How do you run them? Do you take any systems offline? What do you do about the multihomed systems? Which logs do you collect and analyze?
[3] Due to the mess of cabling and the network administrator's slowness, it takes an estimated 5 hours to physically locate each affected system.
[4] Does this change your tactics?
[5] If this post continues to receive poor response then I will not write a Part III.
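One way to start answering [2] (which system to visit first), added here as an example and not code from this thread: a small Python triage scorer over the nine hosts the branch admin listed. The IPs, roles, operators, the 6GB vs 10MB/day figures and the multihomed DCs are from the post; which host carries which rogue port, the 50x-baseline threshold and the weights are assumptions constructed for the example.

```python
# Added triage helper (not code from the thread). IPs/roles are from the post;
# the per-host port mapping and the scoring weights are assumptions.
from dataclasses import dataclass, field

BASELINE_WAN_BYTES = 10 * 1024**2   # ~10MB/day, the normal level the engineer quoted

@dataclass
class Host:
    ip: str
    role: str                  # "dc" or "workstation"
    operator: str = ""
    multihomed: bool = False   # DCs also have addresses on 102.13.26.0/24
    rogue_ports: list = field(default_factory=list)  # rogue FTP listeners seen
    wan_bytes: int = 0         # bytes sent to the WAN since midnight
    blocked: bool = False      # already blocked at the perimeter router

def triage_score(h: Host) -> int:
    """Higher score = visit (and contain) sooner. Each factor maps to a fact in the post."""
    score = 0
    if h.wan_bytes > 50 * BASELINE_WAN_BYTES:
        score += 40            # far above baseline: probable exfiltration
    if h.role == "dc":
        score += 30            # credentials, customer records, IDS and MySQL all live here
    if h.multihomed:
        score += 15            # can bridge the compromise into the second /24
    score += 5 * len(h.rogue_ports)
    if h.operator == "intern":
        score += 5             # open DHCP + shared machines: low confidence in who used it
    if not h.blocked:
        score += 10            # still able to reach the WAN right now
    return score

def prioritize(hosts: list) -> list:
    """Return (ip, score) pairs, highest priority first, ties broken by IP string."""
    return sorted(((h.ip, triage_score(h)) for h in hosts), key=lambda t: (-t[1], t[0]))

# Constructed inventory for the affected 102.13.84.0/24 hosts (port mapping assumed).
INVENTORY = [
    Host("102.13.84.199", "workstation", "data analyst", rogue_ports=[65000],
         wan_bytes=6 * 1024**3, blocked=True),
    Host("102.13.84.179", "workstation", "data analyst", rogue_ports=[65000]),
    Host("102.13.84.143", "workstation", "HR officer", rogue_ports=[5883]),
    Host("102.13.84.43", "workstation", "intern", rogue_ports=[5883]),
    Host("102.13.84.46", "workstation", "intern", rogue_ports=[5883]),
    Host("102.13.84.55", "dc", multihomed=True, rogue_ports=[65000]),
    Host("102.13.84.58", "dc", multihomed=True, rogue_ports=[65000]),
    Host("102.13.84.210", "dc", multihomed=True, rogue_ports=[5883]),
    Host("102.13.84.215", "dc", multihomed=True, rogue_ports=[5883]),
]
```

With these weights the live, multihomed domain controllers come out ahead of the already-blocked .199 workstation; change the weights if your judgement of the branch differs, the point is to make the ordering explicit before the 5-hour hunt through the BDF starts.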