Incident reponse to local attacks

[clutch]

I'm curious as to how network admins would respond to an internal attack. Specifically how one would go about tracking down the attacker if the attack came from within the local network. Is this possible? I saw a lot of documentation and guidelines online about finding the weaknesses that could have been exploited, which machines could have been compromised, changing passwords, making sure no rootkits/virii were left behind, and so on but nothing on actually finding the individual who committed the breach and involving the police.

And before I get scolded for this post, no I'm not up to anything illegal or unethical. I'm just curious.

[Mr-Protocol]

This really doesn't relate to backtrack. But what you are looking for is Network security with Digital Forensics. I currently am enrolled in a computer/digital forensics degree program. The first steps are all planning mostly. Having an IDS in place and proper security measures in place BEFORE an attack happens to be able to track down malicious activity. And if it is internal, say an employee at a business, there is a policy typically that says the company ownes all your traffic and can take your computer and dig into it at any time. Handling Corporate cases are a lot easier than Criminal cases because with corporate you pretty much have full access to do analysis on machines. Read up on Computer Forensics and network security to better fit your curiosity. A computer forensic law course wouldn't hurt either :P.

[Thorn]

... but nothing on actually finding the individual who committed the breach and involving the police.

The procedure is generally:

1) Run wireshark or similar tools to track malicious traffic to the internal machine.

2) Collect packet captures. Document as needed.

3) Polish baseball bat, and prepare a shovel and a roll of old carpet in anticipation of "separation meeting" with user of said machine.

[streaker69]

I'm curious as to how network admins would respond to an internal attack. Specifically how one would go about tracking down the attacker if the attack came from within the local network. Is this possible? I saw a lot of documentation and guidelines online about finding the weaknesses that could have been exploited, which machines could have been compromised, changing passwords, making sure no rootkits/virii were left behind, and so on but nothing on actually finding the individual who committed the breach and involving the police.

And before I get scolded for this post, no I'm not up to anything illegal or unethical. I'm just curious.

If it is an internal thread, meaning an employee, all disciplinary measures up to and including arrest would be implemented at my location. If it is not an employee, but a third party, then logs would need to be collected an analyzed immediately. Of course passwords would need to be changed, and quite possibly internet access turned off until said time that the network can be deemed safe.

Of course, a wise net admin doesn't allow such things to happen in the first place.

[clutch]

Thanks for your answers. I have a particular interest in wireless (in)security (planning on taking the Wifu course as soon as I can scrounge up the cash for it), and it seems to me that a local attack originating from a non-company-owned machine that had gained unauthorized wireless access would be impossible to trace back to the individual at the keyboard. So I suppose I wasn't quite specific enough with my original post.

Also, you're right - this isn't necessarily BackTrack related, so I will take my further questions on the subject elsewhere.

Thanks,

clutch

[Thorn]

... it seems to me that a local attack originating from a non-company-owned machine that had gained unauthorized wireless access would be impossible to trace back to the individual at the keyboard.

That's an incorrect assumption. You do have to know and understand how RF works, but it isn't that difficult.

[Barry]

and it seems to me that a local attack originating from a non-company-owned machine that had gained unauthorized wireless access would be impossible to trace back to the individual at the keyboard.
clutch

I've done it with a pda. Like Thorn said, once you know what you're looking for, it's not that difficult.

[R3104d]

The procedure is generally:

1) Run wireshark or similar tools to track malicious traffic to the internal machine.

2) Collect packet captures. Document as needed.

3) Polish baseball bat, and prepare a shovel and a roll of old carpet in anticipation of "separation meeting" with user of said machine.

Unfortunately as with most cases involving breeches (inner or outer in origin) in security wireshark and the like don't really fit the bill. You would have to have it running 24-7 and, in doing so, would create a TON of data. I guess if your company can/will afford that then it's a beautiful thing (until you have to dig through the output :}).

[Thorn]

Unfortunately as with most cases involving breeches (inner or outer in origin) in security wireshark and the like don't really fit the bill. You would have to have it running 24-7 and, in doing so, would create a TON of data. I guess if your company can/will afford that then it's a beautiful thing (until you have to dig through the output :}).

I'm sorry to resurrect an old thread, but I hadn't seen the above reply before today.

R310d, I'd respectfully disagree. Wireshark is a great tool for this kind of application, and I've used it any number of times in security situations. While a raw capture can result in a huge amount of data, dealing with that is usually a matter of filtering and knowing what kind of data you're seeking. Wireshark has a number of built in filters, and custom filters are very easy to write.

[lupin]

3) Polish baseball bat, and prepare a shovel and a roll of old carpet in anticipation of "separation meeting" with user of said machine.

I prefer a bag of quicklime or a bathtub and a large amount of acid to the roll of old carpet, but you go with what works for you I guess

Of course, a wise net admin doesn't allow such things to happen in the first place.

Its easy to prevent the majority of these types of attacks I agree, but unfortunately not all admins are wise enough to do so, and some of those who are wise enough are overruled by those in a higher position of authority who.... lack the same level of wisdom.

I'm sorry to resurrect an old thread, but I hadn't seen the above reply before today.

R310d, I'd respectfully disagree. Wireshark is a great tool for this kind of application, and I've used it any number of times in security situations. While a raw capture can result in a huge amount of data, dealing with that is usually a matter of filtering and knowing what kind of data you're seeking. Wireshark has a number of built in filters, and custom filters are very easy to write.

A number of places actually do perform full content packet captures, at least in some areas of their networks, so use of Wireshark in the way explained above by Thorn is possible and useful in IR situations. Of course if you happen to find out about an intrusion while its in progress then Wireshark can also be useful then too. Of course it may be necessary or desirable to filter out the packet capture before feeding it to Wireshark - tcpdump is excellent for this. In the later releases Wireshark has gotten better and better at dealing with large packet captures though, so this is not as necessary as it used to be.