Friday, March 28, 2008

Assignment 2 - NIST SP 800-86

Assignment Two - NIST SP 800-86

Guide to Integrating Forensic Techniques into Incident Response

  1. Name and briefly describe the four process phases for performing digital forensics.

- Collection: In this phase, related data is identified, labeled, recorded, and collected, and its integrity is preserved.

- Examination: In this phase, forensic tools and techniques, used individually or in combination, identify and extract the relevant information from the collected data while preserving its integrity.

- Analysis: In this phase, useful information is derived by analyzing the results of the examination.

- Reporting: In this phase, the results of the analysis form the report, which includes a description of the actions performed, the actions that still need to be performed, and recommendations for improving policies, guidelines, procedures, tools, and other aspects of the forensic process.

  2. Name the three organizational groups that are the primary forensic tool users.

- Investigators

- IT Professionals

- Incident Handlers

  3. What is incident (handling) response?

Incident handling/response is a computer security strategy to respond to an event by investigating suspect systems, gathering and preserving evidence, reconstructing events, and assessing the current state of an event.

  4. What is an incident response team?

An incident response team is a group that responds to a variety of computer security incidents, such as unauthorized data access, inappropriate system usage, malicious code infections, and denial of service attacks, by using different kinds of forensic techniques and tools.

  5. When reporting an incident, what information should be provided?

Alternative explanations, audience consideration, and actionable information should be provided when reporting an incident.

  6. Name and describe four categories of tools that should be available to respond to an incident.

- Data file system analysis tools: Software used to examine a file system or disk image and show file contents and other metadata.

- Operating system analysis tools: Software used to collect, examine, and analyze data from common workstation or server OSs.

- Network traffic analysis tools: Software used to analyze network packets and traffic.

- Application analysis tools: Software used to analyze application data, such as data from e-mail clients, Web browsers, and word processors.

  7. What is a Denial of Service (DoS) attack?

A Denial of Service attack is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.

  8. Name and describe five DoS attack containment strategies.

- Correct the vulnerability or weakness that is being exploited: Patch the vulnerability.

- Implement filtering based on the characteristics of the attack: The filtering can be done on a border router or firewall that blocks the suspected attack traffic.

- Have the ISP implement filtering: Rely on the ISP to implement filtering that blocks the DoS attack.

- Relocate the target: The targeted service could be transferred to a different host.

- Attack the attackers: Administrators may modify network or server configurations to bounce attack traffic back to its source.

  9. Briefly define malicious code.

Malicious code is a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the security or integrity of the host’s data.

  10. Briefly define an unauthorized access incident. Give several examples.

An unauthorized access incident is any event in which a user gains access to a computer or network without the consent of its administrator.

Examples:

- Cracking passwords

- Copying secret data without permission

- Reading files without read rights

- Changing data without the right to do so

- Running backdoor software for remote control

  11. Briefly describe a multiple component incident.

A multiple component incident is a single incident that encompasses two or more incidents.

Thursday, March 27, 2008

Lab Narrative for Introduction of Knoppix-Network Security Monitoring

Title: Introduction to network security monitoring with Knoppix – NSM

Time: March 16, 2008
Objective: Learn how Network Security Monitoring works in Knoppix-NSM to capture the packet stream, and understand the differences between Knoppix and Knoppix-NSM.

Procedures & Results:
A team of two worked together on this lab session; my partner was Lee James.
I used Knoppix and Lee used Knoppix-NSM.
Knoppix boot process:
To boot Knoppix into RAM, a live CD is loaded into the CD drive. The initial Knoppix screen came up. I then opened the Console terminal program icon, which opened the Console window. In that Console window I typed ifconfig.

My IP address is 129.7.236.112, and Lee's computer IP address is 129.7.236.230.

Knoppix-NSM boot process:
Step-1:
Lee: The Knoppix-NSM CD is loaded into the CD drive and the system is turned on.
He opened the Root console and cleared all the iptables rules by executing the following command:
/etc/init.d/iptables clear
This clears the firewall. Next, the DHCP server is enabled to assign the TCP configuration information by using the pump command:
pump -i eth0
Step-2: Once the system has successfully booted, the mysql, apache2 and sguild servers are started by the following commands:
/etc/init.d/mysql start
/etc/init.d/apache2 start
/etc/init.d/sguild start
Next, the sguil sensor is started by typing 'sensor default start'.
ntop is started by typing:
/etc/init.d/ntop.default start


Step-3: Start Sguil client
Open the NSM sguil client, which shows the following screen.
The username and password are sguil and password, respectively.

Step 4 - Start BASE client
The BASE client is started by opening Firefox and then typing the following:
https://localhost/base/
The following screen appears; then enter the username admin and the password password.

Step 5 - View Statistical data with Ntop
Statistical data is observed by clicking on the ntop button in a new browser window.


Step 6 - Test it
This was my part of the hands-on lab. I opened a console and ran several Nmap scans against Lee's computer.

Null Scan
Command: nmap -sN 129.7.236.230
Screenshot:


X-mas Scan
Command I input: nmap -sX 129.7.236.230
Screenshot:


Then I used hping2 to do a DP-based ping of Lee's computer:
command: hping2 129.7.236.230
Ctrl+C to stop the hping2 command
Screenshot:


Lee monitored what I did to his computer:


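The probes above are the kind of traffic a Knoppix-NSM sensor flags with its Snort signatures: a Null scan (nmap -sN) sends TCP segments with no flags set, an Xmas scan (nmap -sX) sets FIN, PSH and URG together, and hping2 in its default mode also emits flagless TCP segments (to port 0). The following is an added example, not part of the original lab or of Knoppix-NSM; it runs the same flag-combination checks over constructed sample records, with the record format, thresholds and IP addresses assumed here for illustration.

```python
"""Flag the TCP probe types seen in the lab the way an NSM sensor's
signatures would: no flags = Null scan (or hping2's default probe),
FIN+PSH+URG = Xmas scan; other non-standard combinations are reported
as 'odd'. Example code written for this write-up, not a real sensor."""
from collections import defaultdict

# Constructed sample records, not real captures: "src dst dport flags".
# Flags use tcpdump letters (S=SYN A=ACK F=FIN P=PSH U=URG R=RST), "." = none.
SAMPLE_RECORDS = """\
129.7.236.112 129.7.236.230 22 .
129.7.236.112 129.7.236.230 80 .
129.7.236.112 129.7.236.230 443 .
129.7.236.112 129.7.236.230 22 FPU
129.7.236.112 129.7.236.230 80 FPU
129.7.236.112 129.7.236.230 0 .
129.7.236.50 129.7.236.230 80 S
129.7.236.50 129.7.236.230 80 A
"""

# Flag sets an ordinary TCP conversation produces (handshake, data, teardown).
NORMAL = {frozenset(s) for s in ("S", "SA", "A", "PA", "FA", "R", "RA", "FPA")}

def classify(flags):
    """Map a flag string to a probe label, or None for ordinary traffic."""
    fset = frozenset(flags.replace(".", ""))
    if not fset:
        return "null"              # nmap -sN, or hping2's default probe
    if fset == frozenset("FPU"):
        return "xmas"              # nmap -sX
    return None if fset in NORMAL else "odd"

def parse_records(text):
    """Yield (src, dst, dport, flags) tuples from the whitespace format."""
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, flags = line.split()
            yield src, dst, int(dport), flags

def summarize(text, min_ports=2):
    """Group anomalous segments by (src, probe type) and return the sorted
    distinct destination ports for sources that touched >= min_ports of them
    (the threshold separates a scan from a single stray packet)."""
    hits = defaultdict(set)
    for src, _dst, dport, flags in parse_records(text):
        kind = classify(flags)
        if kind:
            hits[(src, kind)].add(dport)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_ports}

if __name__ == "__main__":
    for (src, kind), ports in summarize(SAMPLE_RECORDS).items():
        print(f"{src}: {kind} probe against ports {ports}")
```

In the sample data the scanning host shows up twice (a null-flag sweep that also includes the hping2 port-0 probe, and an Xmas sweep), while the host doing a normal SYN/ACK exchange is not reported.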
Reflections:
1. What is Network Security Monitoring?
NSM can be defined as the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a detective rather than a preventative process.
2. Briefly, compare and contrast Knoppix-NSM and Knoppix?
Knoppix is a desktop Linux system with a graphical windowing environment for users to interact with, so it is friendlier and easier to use. Knoppix-NSM, by contrast, focuses on Network Security Monitoring and gives professional users an almost instant NSM setup. Knoppix has some tools for tracking network traffic, such as Wireshark. Knoppix-NSM provides a complete package for detective tracking, including Sguil and Snort, ntop, SANCP, Wireshark, and even BASE (a web-based console).
3. How would you use Knoppix-NSM to establish a network baseline? Be specific in your answers and be sure to capture and display relevant screens.
By starting the BASE client and viewing statistical data with ntop. The process and screenshots are shown in Steps 4-5.


4. Sguil has several major elements. Present and define these elements.
Sguil is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
5. Identify interesting traffic that you received during the lab from other people in your class.
Refer to Step 6 screenshots.
6. Identify interesting traffic that your system received from systems other than those involved in the lab.
Refer to Step 6 screenshots.

Tuesday, March 25, 2008

Online Journal-Incident Response2

Incident response success in five quick steps

This article, written by Mike Rothman, talks about five quick steps for incident response.

Here, his special point is "Grace under Pressure".

The five quick steps are:
1. Write down the plan
An overview plan is good guidance for what we should do after an incident. We can prepare more before anything bad happens. We can learn from history, compare it with the facts, and draw up a plan that fits the current situation.
2. Get buy-in
Once the plan is written down, it needs to be circulated amongst the organization's internal IT power brokers to make sure that everyone understands the document the same way and knows their responsibilities.
3. Understand escalation
Having someone accessible at all times to make those kinds of calls is absolutely critical.
4. Practice, practice and then practice some more
Practice makes perfect. Even in incident response, we may not be natural professionals at responding calmly and effectively to a security incident, but we can become more professional through practice. If we have a plan but never practice it, the plan will always remain a plan and not a practical method.
5. Learn from mistakes
Learning from mistakes is an important method in learning psychology, distilled from people's experience. No one can take care of everything perfectly, but we cannot leave mistakes alone. A mistake this time should be a lesson for next time; by avoiding it in the future, we have less chance of making the same mistake again.


Original article link: http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1303541,00.html