Page 1 of 2, results 1 to 10 of 16

Thread: Incident response to local attacks

  1. #1
    Junior Member (joined Jan 2010, 46 posts)

    Incident response to local attacks

    I'm curious as to how network admins would respond to an internal attack. Specifically how one would go about tracking down the attacker if the attack came from within the local network. Is this possible? I saw a lot of documentation and guidelines online about finding the weaknesses that could have been exploited, which machines could have been compromised, changing passwords, making sure no rootkits/virii were left behind, and so on but nothing on actually finding the individual who committed the breach and involving the police.

    And before I get scolded for this post, no I'm not up to anything illegal or unethical. I'm just curious.

  2. #2
    Mr-Protocol, Member (joined Jan 2010, Ohio, 142 posts)

    Re: Incident response to local attacks

    This really doesn't relate to BackTrack. But what you are looking for is network security with digital forensics. I currently am enrolled in a computer/digital forensics degree program. The first steps are all planning mostly. Having an IDS in place and proper security measures in place BEFORE an attack happens to be able to track down malicious activity. And if it is internal, say an employee at a business, there is typically a policy that says the company owns all your traffic and can take your computer and dig into it at any time. Handling corporate cases is a lot easier than criminal cases because with corporate you pretty much have full access to do analysis on machines. Read up on computer forensics and network security to better fit your curiosity. A computer forensic law course wouldn't hurt either :P.

  3. #3
    Thorn, Senior Member (joined Jan 2010, The Green Dome, 1,509 posts)

    Re: Incident response to local attacks

    Originally Posted by clutch:
        ... but nothing on actually finding the individual who committed the breach and involving the police.
    The procedure is generally:

    1) Run Wireshark or similar tools to track malicious traffic to the internal machine.

    2) Collect packet captures. Document as needed.

    3) Polish baseball bat, and prepare a shovel and a roll of old carpet in anticipation of "separation meeting" with user of said machine.
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #4
    streaker69, Senior Member (joined Jan 2010, Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, 3,535 posts)

    Re: Incident response to local attacks

    Originally Posted by clutch:
        I'm curious as to how network admins would respond to an internal attack. Specifically how one would go about tracking down the attacker if the attack came from within the local network. Is this possible? I saw a lot of documentation and guidelines online about finding the weaknesses that could have been exploited, which machines could have been compromised, changing passwords, making sure no rootkits/virii were left behind, and so on but nothing on actually finding the individual who committed the breach and involving the police.

        And before I get scolded for this post, no I'm not up to anything illegal or unethical. I'm just curious.
    If it is an internal threat, meaning an employee, all disciplinary measures up to and including arrest would be implemented at my location. If it is not an employee, but a third party, then logs would need to be collected and analyzed immediately. Of course passwords would need to be changed, and quite possibly internet access turned off until said time that the network can be deemed safe.

    Of course, a wise net admin doesn't allow such things to happen in the first place.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5
    Junior Member (joined Jan 2010, 46 posts)

    Re: Incident response to local attacks

    Thanks for your answers. I have a particular interest in wireless (in)security (planning on taking the Wifu course as soon as I can scrounge up the cash for it), and it seems to me that a local attack originating from a non-company-owned machine that had gained unauthorized wireless access would be impossible to trace back to the individual at the keyboard. So I suppose I wasn't quite specific enough with my original post.

    Also, you're right - this isn't necessarily BackTrack related, so I will take my further questions on the subject elsewhere.

    Thanks,

    clutch

  6. #6
    Thorn, Senior Member (joined Jan 2010, The Green Dome, 1,509 posts)

    Re: Incident response to local attacks

    Originally Posted by clutch:
        ... it seems to me that a local attack originating from a non-company-owned machine that had gained unauthorized wireless access would be impossible to trace back to the individual at the keyboard.
    That's an incorrect assumption. You do have to know and understand how RF works, but it isn't that difficult.
    Thorn
    Stop the TSA now! Boycott the airlines.

  7. #7
    Barry, "My life is this forum" (joined Jan 2010, 3,817 posts)

    Re: Incident response to local attacks

    Originally Posted by clutch:
        and it seems to me that a local attack originating from a non-company-owned machine that had gained unauthorized wireless access would be impossible to trace back to the individual at the keyboard.
        clutch
    I've done it with a PDA. Like Thorn said, once you know what you're looking for, it's not that difficult.

  8. #8
    R3104d, "Just burned his ISO" (joined Jan 2010, Texas, 8 posts)

    Re: Incident response to local attacks

    Originally Posted by Thorn:
        The procedure is generally:

        1) Run Wireshark or similar tools to track malicious traffic to the internal machine.

        2) Collect packet captures. Document as needed.

        3) Polish baseball bat, and prepare a shovel and a roll of old carpet in anticipation of "separation meeting" with user of said machine.
    Unfortunately, as with most cases involving breaches (inner or outer in origin) in security, Wireshark and the like don't really fit the bill. You would have to have it running 24-7 and, in doing so, would create a TON of data. I guess if your company can/will afford that then it's a beautiful thing (until you have to dig through the output :}).

  9. #9
    Thorn, Senior Member (joined Jan 2010, The Green Dome, 1,509 posts)

    Re: Incident response to local attacks

    Originally Posted by R3104d:
        Unfortunately, as with most cases involving breaches (inner or outer in origin) in security, Wireshark and the like don't really fit the bill. You would have to have it running 24-7 and, in doing so, would create a TON of data. I guess if your company can/will afford that then it's a beautiful thing (until you have to dig through the output :}).
    I'm sorry to resurrect an old thread, but I hadn't seen the above reply before today.

    R3104d, I'd respectfully disagree. Wireshark is a great tool for this kind of application, and I've used it any number of times in security situations. While a raw capture can result in a huge amount of data, dealing with that is usually a matter of filtering and knowing what kind of data you're seeking. Wireshark has a number of built-in filters, and custom filters are very easy to write.
    Thorn
    Stop the TSA now! Boycott the airlines.

  10. #10
    lupin, Super Moderator (joined Jan 2010, 2,943 posts)

    Re: Incident response to local attacks

    Originally Posted by Thorn:
        3) Polish baseball bat, and prepare a shovel and a roll of old carpet in anticipation of "separation meeting" with user of said machine.
    I prefer a bag of quicklime or a bathtub and a large amount of acid to the roll of old carpet, but you go with what works for you I guess

    Originally Posted by streaker69:
        Of course, a wise net admin doesn't allow such things to happen in the first place.
    It's easy to prevent the majority of these types of attacks, I agree, but unfortunately not all admins are wise enough to do so, and some of those who are wise enough are overruled by those in a higher position of authority who.... lack the same level of wisdom.

    Originally Posted by Thorn:
        I'm sorry to resurrect an old thread, but I hadn't seen the above reply before today.

        R3104d, I'd respectfully disagree. Wireshark is a great tool for this kind of application, and I've used it any number of times in security situations. While a raw capture can result in a huge amount of data, dealing with that is usually a matter of filtering and knowing what kind of data you're seeking. Wireshark has a number of built-in filters, and custom filters are very easy to write.
    A number of places actually do perform full content packet captures, at least in some areas of their networks, so use of Wireshark in the way explained above by Thorn is possible and useful in IR situations. Of course, if you happen to find out about an intrusion while it's in progress then Wireshark can also be useful then too. Of course it may be necessary or desirable to filter the packet capture before feeding it to Wireshark - tcpdump is excellent for this. In the later releases Wireshark has gotten better and better at dealing with large packet captures though, so this is not as necessary as it used to be.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
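    As an added illustration of the pre-filtering step lupin describes (example code written for this thread, not from tcpdump, Wireshark or any poster), the block below builds a small constructed pcap capture and trims it to the packets involving one internal host, which is what `tcpdump -r big.pcap -w host.pcap host 10.0.0.5` does before the reduced file goes to Wireshark. All addresses and timestamps are constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1

def build_packet(src, dst):
    """Constructed minimal Ethernet + IPv4 frame (no payload) for the sample capture."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip

def build_pcap(packets):
    """Serialise (timestamp_sec, frame) pairs into a little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def iter_packets(data):
    """Yield (timestamp_sec, frame) from a pcap blob, honouring the file's byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24                                               # skip the global header
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts, data[off:off + caplen]
        off += caplen

def ip_endpoints(frame):
    """Return (src, dst) for an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))

def filter_host(data, host):
    """Keep only packets to or from `host`: the same cut as tcpdump's 'host X' filter."""
    kept = [(ts, f) for ts, f in iter_packets(data) if host in (ip_endpoints(f) or ())]
    return build_pcap(kept)

def count_packets(data):
    return sum(1 for _ in iter_packets(data))

# Constructed sample capture: 10.0.0.5 plays the suspect internal machine.
SAMPLE = build_pcap([
    (1, build_packet("10.0.0.5", "10.0.0.9")),
    (2, build_packet("10.0.0.7", "10.0.0.9")),
    (3, build_packet("10.0.0.9", "10.0.0.5")),
    (4, build_packet("10.0.0.7", "10.0.0.5")),
])
```

    The filtered output is still a valid pcap, so it opens directly in Wireshark for the display-filter work Thorn mentions.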
