<?xml version="1.0"?>
<Module projectID="1303" moduleID="1574">
	<ModuleName>M01_L05</ModuleName>
	<AU>M01_L05</AU>
	<Title>Incident Analysis Scenario</Title>
	<Subtitle>Incident Analysis Scenario</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../M01_L05/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map. Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit. Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause. Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>disaiar05_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to Bringing It All Together: Incident Analysis Scenario. When you have completed this lesson, you will be able to apply incident analysis procedures to a given incident. There are five topics in this lesson. You will first be introduced to an incident that will serve as your scenario throughout this lesson. You will then gather information related to the incident and analyze the information you have collected. Finally, you will review concepts related to incident prevention. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Rich Media Text Description. Course: D O D Intrusion Detection System (I D S) Analysis, Part 4: C N D Analysis: Incident Response and Analysis, Lesson 5: Bringing It All Together: Incident Analysis Scenario. For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 13. Lesson title: Bringing It All Together: Incident Analysis Scenario. Topic title: Introduction. Screen title: Objectives and Topics. One learning objective displays in support of audio. Five topics display. The first topic is titled Introduction. The second topic is titled Gather Information. The third topic is titled Analyze Information. The fourth topic is titled Prevention. The fifth and final topic is the Conclusion. Text displays as follows: References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service, or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Setting the Scene</Title>
					<Subtitle/>
					<Filename>disaiar05_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">You have just received an alert notifying you that several users on the network received a suspicious e-mail message. The reported message includes a link to a news story on a reputable news organization's website. You need to determine whether any users have clicked on the link and, if so, whether there have been any negative impacts to your organization's network and resources. To investigate this incident, we will use the incident analysis portion of the incident handling methodology that we have learned about in the previous lessons. We will gather information, validate the incident, identify the attack vectors, identify any information system weaknesses, identify possible root causes, and determine the impact of the incident. As we conduct our analysis, keep in mind that this approach is not the only one. There is more than one correct way to approach incident analysis. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 13. Screen title: Setting the Scene. Images display of e-mail message and person at a desk. E-mail message reads as follows. From: siss admin at S A I C dash S A S T dot local. Date: Thursday, May 24, 20 12, 4 29 P M. To: undisclosed dash recipients. Subject: Journalists Charged in Hacking Scandal. Message Have you seen this story on ZNN? The phrase “story on ZNN” is underlined as a hyperlink in the e-mail message. I P address is displayed at bottom of e-mail message window. Image displays of Incident Analysis Methodology diagram, showing steps one through six. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Gather Information</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Detection and Data Gathering</Title>
					<Subtitle/>
					<Filename>disaiar05_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The first steps in our incident analysis process are to determine whether an incident has actually occurred, identify any potential events related to the e-mail, and gather any and all relevant information. First, after we have moved a copy of the e-mail to an isolated environment for analysis, we must examine the e-mail for potential signs of malice and any other evidence that may help us during our investigation. By hovering over the link in the e-mail, we find our first piece of evidence: an external IP address for the remote site at 10.167.197.38 linked as the story on the reputable news site. To learn more, we must perform a WHOIS lookup. Select WHOIS Lookup. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Detection and Data Gathering</Title>
							<Subtitle/>
							<Filename>disaiar05_03_01</Filename>
							<PageNbr>3</PageNbr>
							<ShowText>
								<Txt frameNbr="1">By performing a WHOIS lookup on that IP address, we see that it belongs to a foreign netblock. While that alone is not inherently malicious, we consider it suspicious, as it is unlikely that a well-known and reputable news service is linking stories through foreign IP addresses. We also know there will be at least one SMTP connection on TCP port 25 from the e-mail being sent, as well as possibly one or more HTTP connections on TCP port 80 if any users clicked the link. We will use our primary detection tool, our IDS, to investigate the known external IP address of 10.167.197.38. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Who is Lookup</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: Who is Lookup. Image displays of Who is lookup screen containing text as follows: Pound sign who is 10 dot 1 6 7 dot 1 9 7 dot 3 8. Role KATOELNET dash NT Bold eye. Address Number 352 Selenium Way, Bold eye, New Tosbec, 3 1 0 0 0 3. Country K A T. Phone 5 5 dash 4 6 0 dash 7 4 0 4 6 8 1 8. Fax number 5 5 dash 4 6 0 dash 7 4 0 4 6 8 1 8. E mail anti underscore spam at mail dot b d dot n t dot k a. admin c K A T 5 4 dash A P. tech c K A T 5 4 dash A P. nic h d l K A T 1 2 2 A P. m n t by MAINT dash KATOELNET dash N T. changed master at d c b dot b d dot n t dot k a 2 0 0 3 1 2 0 4. Source ap nick. Person Lechel Jane. Nick h d l H H 3 5 3 dash A P. E mail z s m u at x s dot n t dot k a. Address number 13 Selenium Way, Reglash Town, mina nosine, Bold eye, New Tosbec Province, 3 1 1 2 0 0. Phone plus 5 5 dash 4 6 0 dash 7 1 7 8 7 9 3 9. Country K A T. Changed auto dash d b m at d c b dot b d  dot n t dot k a 0 0 4 0 6 1 1. M n t by MAINT dash K A dash KATOELNET dash N T dash B D. Source ap nick. Callout displays pointing to address line of who is lookup text. Callout reads The I P address originates from a foreign netblock. Text displays in support of audio. The term S M T P becomes a rollover that reads simple mail transfer protocol. The term T C P becomes a rollover that reads transmission control protocol. The term H T T P becomes a rollover that reads hypertext transfer protocol.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 13. Topic title: Gather Information. Screen title: Detection and Data Gathering. Reprised image displays of C N D analyst and e-mail message from previous screen. Callout displays pointing to hyperlink text. Callout reads Hovering mouse over link shows site at 10 dot 1 6 7 dot 1 9 7 dot 3 8. Callout displays pointing to I P address at bottom of e-mail message window. Callout reads The remote site. Text displays in support of audio. The words who is lookup become selectable as a popup.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Events Revealed by the IDS</Title>
					<Subtitle/>
					<Filename>disaiar05_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The IDS shows three events related to our external IP address: a &quot;POLICY VNC server response,&quot; a &quot;WEB-IIS view source via translate header,&quot; and a &quot;POLICY Inbound potentially malicious file download attempt.&quot; Looking at the packet data for each of these alerts, we see that the &quot;POLICY Inbound potentially malicious file download attempt&quot; alert shows an internal system, 192.168.2.33, connecting to the suspicious external IP via an HTTP GET request for an LNK file. LNK files are subject to many security vulnerabilities, so we can classify this event as potentially malicious. Moving on to the POLICY VNC alert, we see the same internal system conducting a client-server connection with the same suspicious external IP address immediately after the GET request. VNC, or Virtual Network Computing, is a way to access a desktop remotely. The external IP now has remote GUI access to our internal system. This may not be malicious, but at the very least, it is a violation of policy. Looking at the source and destination ports, we see a source port of 4444, which is the default port for Metasploit. Metasploit is an open-source exploitation framework often used by threat actors. A source port of 4444 could be a randomly selected ephemeral port, but because it is known to be the default port for Metasploit, this is another possible indicator of malicious intent. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 13. Screen title: Events Revealed by the I D S. Images display in support of audio. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What Have We Learned?</Title>
					<Subtitle/>
					<Filename>disaiar05_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">So what do we know thus far? We know that an e-mail was sent from a probable malicious actor at 10.167.197.38. The IDS alert showing a download of the LNK file tells us that at least one user has clicked on the link in the e-mail. We also know that a VNC, or remote desktop, session has occurred between our internal system and 10.167.197.38. Finally, we have identified a source port of 4444, which is the default port for Metasploit. Based on the evidence gathered from the IDS, we can be fairly certain that a significant incident has occurred. From here, we should move on to other data sources for correlation purposes. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 13. Screen title: What Have We Learned? Images and text display in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Firewall Analysis</Title>
					<Subtitle/>
					<Filename>disaiar05_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Our next step is to check our firewall logs. Depending on what type of connection the firewall is logging, we should be able to validate what we already know and identify any other users who may have clicked on the link. Searching the firewall logs for our external IP, we see that the firewall is logging accepted connections. First, we see that the attacker sent the e-mail to our mail server at 192.168.2.38. Later, we see that our internal host at 192.168.2.33 connected to the external system over port 80. Further investigation reveals the VNC session. The IP addresses and ports correlate with what we found in the IDS, so we infer that this is the correct firewall log entry. Notice the new source and destination ports, which indicate a new connection. We don't see any other internal systems connecting out to 10.167.197.38. However, that does not mean that no other users clicked the link. Due diligence requires that we check all other potential data sources, such as host-based IDS alerts, NetFlow or session data, packet capture data, web content filters, and other available log data. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 13. Screen title: Firewall Analysis. Image displays of firewall log. Text displays in support of audio. Various segments of firewall log are highlighted in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Analyze Information</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Validate the Incident</Title>
					<Subtitle/>
					<Filename>disaiar05_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In the course of investigating the incident, correlating data, and gathering evidence, we have been performing Step 2 of the incident analysis procedure: validating the incident. Throughout the investigation, we also should have been reviewing and updating our reports and developing our narrative. Furthermore, as part of validating the incident, we also need to properly categorize the event. To do this, we can use the Incident and Reportable Event Categories table in the CJCSM 6510.01A as guidance. Because a user triggered the VNC session and there is no evidence of privilege escalation, we can initially classify this event as a Category 2 - User Level Intrusion. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 13. Topic title: Analyze Information. Screen title: Validate the Incident. Reprised image displays of Incident and Reportable Event Category table from Lesson 3. Image displays of C J C S M sixty-five ten dot oh one A. The term C J C S M sixty-five ten dot oh one A becomes a rollover that reads as follows: Chairman of the Joint Chiefs of Staff Manual 6510.01A, Information Assurance (I A) and Computer Network Defense (C N D) Volume I (Incident Handling Program).</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Identify Attack Vectors</Title>
					<Subtitle/>
					<Filename>disaiar05_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">So what method or methods did our threat actor employ to compromise our system? We know that an e-mail sent to users on our network contained a link to the malicious external system, disguised as a news story. We also know that the threat actor exploited a vulnerability in how Windows handles LNK files, which allowed VNC to be placed on the system. Because VNC is not included in our standard system build, its presence on the system indicates that at least one user clicked on the link. Based on the Attack Vector Categories table in Appendix B of CJCSM 6510.01A, this incident should be categorized as 3B, 4A, 4B, and 5B. In this incident, social engineering was used to deceive the user into accessing a malicious website, which subsequently caused the compromise of an improperly or inadequately configured system. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 13. Screen title: Identify Attack Vectors. Reprised image displays of Attack Vector Categories table from Lesson 3. Image displays of C J C S M sixty-five ten dot oh one A. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Identify Information System Weaknesses</Title>
					<Subtitle/>
					<Filename>disaiar05_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Our system fell victim to an easily preventable and glaring weakness: a lack of patching. The threat actor took advantage of a vulnerability in the way that Microsoft Windows handles LNK files, even though a patch has been readily available for some time. A failure in the configuration and patch management process is ultimately what led to the system being compromised. The system owner should also determine whether any other systems are potentially vulnerable to this exploitation technique. Select Are other systems vulnerable? to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Identify Information System Weaknesses</Title>
							<Subtitle/>
							<Filename>disaiar05_09_01</Filename>
							<PageNbr>9</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Are other systems vulnerable? </Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: Are other systems vulnerable? Text displays as follows: To determine whether other systems are vulnerable. Consult I A V Ays, I A V Bees, and I A T Ays identified and distributed by D O D sert. Review protection T T Peas distributed by assigned C N D S P. Review latest V A A results. Are there other systems that aren't patched? Was compromised system scanned? Was vulnerability identified during last scan of compromised system? Review latest red team assessments of potentially affected systems. Investigate baseline images for appropriate patches and fixes. Consult the following H B S S components. Asset Configuration Compliance Module (A C C M). Asset Baseline Module (A B M). Policy Auditor (P A). The acronym I A V A becomes a rollover that reads Information Assurance Vulnerability Alert. The acronym I A V B becomes a rollover that reads Information Assurance Vulnerability Bulletin. The acronym I A T A becomes a rollover that reads Information Assurance Technical Alert. The acronym D O D dash sert becomes a rollover that reads Department of Defense - Computer Emergency Response Team. The acronym T T P becomes a rollover that reads tactic, technique, or procedure. The acronym C N D S P becomes a rollover that reads Computer Network Defense Service Provider. The acronym V A A becomes a rollover that reads Vulnerability Analysis and Assessment. The acronym H B S S becomes a rollover that reads Host-Based Security System.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 13. Screen title: Identify Information System Weaknesses. Reprised images display of network and adversary. Text displays in support of audio. Text Are other systems vulnerable becomes selectable as popup.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Identify Root Causes</Title>
					<Subtitle/>
					<Filename>disaiar05_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In our analysis of system weaknesses, we discovered that a missing patch most likely led to the compromise. We could also point to inadequate user awareness training as an additional root cause. Users should know not to click on links contained in unsolicited e-mail messages, because such links may contain malware or have an otherwise negative effect on DoD systems and resources. An indirect root cause of this incident is a suboptimal firewall rule set. Egress filtering, or a simple drop rule, for all sessions with a source port of 4444, the default Metasploit port, could have prevented the VNC connection. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 13. Screen title: Identify Root Causes. Reprised images display of basic network, adversary, and global network. Text displays in support of audio. The term Technical Impact becomes selectable as a popup.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Impact Analysis</Title>
					<Subtitle/>
					<Filename>disaiar05_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">To determine the full impact of the incident, we need to consider the affected system. The affected system is a standard user workstation. It is a Mission Assurance Category, or MAC, III system. Select technical impact and operational impact to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Impact Analysis</Title>
							<Subtitle/>
							<Filename>disaiar05_11_01</Filename>
							<PageNbr>11</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Let's determine the technical impact of the incident. With no evidence of unauthorized disclosure of information, the impact on confidentiality is LOW. Our investigation shows only one affected system, and even though the threat actor has GUI access to the system, we don't see any indication that information was modified or destroyed. Therefore, the impact on integrity is also LOW. The technical impact on availability is also LOW, because there is nothing to make us believe that the user's system has become inaccessible. Finally, the overall potential impact of the incident should be categorized as MODERATE due to the nature of the exploitation. The threat actor employed a frequently used exploitation method against an unpatched system. Until the threat is mitigated, the threat actor will have remote access to the system and possibly to other connected DoD systems. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Technical Impact</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Technical Impact. Reprised image displays of Impact Assessment Matrix showing descriptions for Confidentiality, Integrity, and Availability. X displays in Low column for Confidentiality, Integrity, and Availability. Text displays in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Impact Analysis</Title>
							<Subtitle/>
							<Filename>disaiar05_11_02</Filename>
							<PageNbr>11</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Now let's determine the operational impact of the incident. Again, with no evidence of unauthorized information disclosure, the impact on confidentiality is LOW. Without knowing what types of data are stored on the compromised system, it is difficult to determine the specific impact on integrity or availability. However, because this is a MAC III system, we will categorize both of these as LOW. Finally, we have no notification of any significant impact on the mission due to the compromise of this system, so we will classify the overall impact as LOW. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Operational Impact</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: Operational Impact. Reprised image displays of Impact Assessment Matrix showing descriptions for Confidentiality, Integrity, and Availability. X displays in Low column for Confidentiality, Integrity, and Availability. Text displays in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 13. Screen title: Impact Analysis. Reprised image displays of basic network and Impact Assessment Matrix from Lesson 3. Top row reads Potential Impact and has three impact ratings beneath it: Low, Moderate, and High. The left-hand column is titled Security Objective and has three rows beneath it: Confidentiality, Integrity, and Availability. The terms Technical Impact and Operational Impact become selectable as popups. The term mack three system becomes a rollover that reads as follows: Mack three systems handle information that is necessary for day-to-day operations, but not directly related to the effectiveness of a mission. MAC III systems are required to maintain basic levels of integrity and availability and must be protected by measures that are considered industry best practices.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Prevention</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>How to Prevent Future Threat Events?</Title>
					<Subtitle/>
					<Filename>disaiar05_12</Filename>
					<PageNbr>12</PageNbr>
					<ShowText>
						<Txt frameNbr="1">There are several lessons to be learned from this incident. How can future events of this nature be better detected and prevented? As discussed throughout this course, it is essential that information from incidents be correlated with other agencies and organizations to ensure a proactive and coordinated approach to detecting and responding to threats, events, and incidents. Our tools did a good job of detecting the events and providing us with actionable data. But it is clear that there are two areas of our security posture that could use work to help prevent similar threat events in the future. First, we are fairly certain that only one user clicked on the link, but we still need to look at our user security awareness training to ensure that it is being effectively disseminated and reinforced. Second, a vulnerability with a readily available patch was exploited in this incident. This could have been due to a rogue system or to a more fundamental flaw in configuration and patch management at either the technical or policy level. In either case, ensuring that patches are applied for both the operating system and any installed client software is an effective way to prevent many system compromises. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 13. Topic title: Prevention. Screen title: How to Prevent Future Threat Events? Reprised images display of C N D analyst and basic network. Images and text display in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>disaiar05_13</Filename>
					<PageNbr>13</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the incident analysis scenario. You should now be able to apply incident analysis procedures to a given incident. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 13. Topic title: Conclusion. Screen title: Summary and Conclusion. Congratulations text displays. Text displays in support of audio. Objectives bullet changes to checkmark in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
