Rethinking incident response

EnCase Enterprise 5 brings powerful investigative tools to bear on potential threats

As businesses face increasing regulatory-compliance pressure from Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley, many companies are finding themselves deploying intrusion detection systems, log analyzers, and other security tools to help determine when an incident has occurred. But once an alarm has been triggered, every security analyst faces the problem of what to do next.

Should your IT security group or forensics team seize the affected machine for analysis, even if it means that an employee may be sitting idle for some time? Assuming you even have a dedicated security or forensics team (wouldn’t that be nice?), launching a full search and seizure typically isn’t the best use of company resources, considering that the vast majority of alarms turn out to be false ones.

Instead of the conventional forensics process, Guidance Software suggests an alternative that it calls automated incident response. Incorporating the same investigative tools as Guidance’s well-known Forensic software for law enforcement, and the ability to reach out to virtually any operating system and file system over the network, EnCase Enterprise makes a compelling argument as an incident-response solution.

EnCase opens the door

EnCase Enterprise is built around three components: Examiner, the SAFE (Secure Authentication For EnCase) authentication server, and EnCase Enterprise Servlets. In addition to installing and configuring these pieces, you must also configure EnCase to receive alerts from your IDS.

SAFE ensures that Examiner and Servlets not only communicate securely but also handle the evidence in a way that will subsequently stand up in court. SAFE also manages the granting of discretionary access to examiners. Examiner rights can be limited to viewing snapshots, acquiring data from hard drives, killing running processes, and so on. In addition to granting the privileges, SAFE logs the events to track all reads or writes to evidence.

The Servlet component, which is installed on network hosts, facilitates communication between the Examiner and the host being analyzed. SAFE and Servlet communication is secured with certificate-based 128-bit AES encryption. New Servlet features in Enterprise 5.0 include the ability to change the default listening port and rename the process or hide the process from the user. The Servlet can run on Windows, Linux 2.4 and later, and Solaris 8 and 9, but not on BSD Unix platforms.

As soon as EnCase Enterprise receives an alarm from your IDS, it takes a snapshot of the target computer’s processes, loaded drivers, registry, network connections, and other information to be stored in a secured database. You can then analyze the captured data using EnScripts -- EnCase’s scripting language -- or SQL database queries.

For example, during our testing, our IDS detected that a command prompt was returned to a remote host from an internal host over 8080/tcp. EnCase received the alarm and took a snapshot of the host, allowing us to quickly determine the process that was sending the 8080/tcp traffic.

Furthermore, we could compare the current snapshot with a historical one to see whether any new network services or processes were running. Then we built a query to search snapshots of other hosts on the network for the hash sum of the malicious process, to see how far the infection may have spread. Finally, we conducted forensics on the affected machines to determine how much data was compromised and potentially to prepare for legal proceedings. All of this can be done without disturbing the work of employees using the compromised computers.

Needles and haystacks

Examiner is where the investigator loads the EnCase GUI to analyze snapshots or to connect directly to the Servlet running on a network host. Undeleting files from host hard disks, searching slack space for hidden data, and discovering running processes make up only a short list of Examiner’s useful capabilities.

An especially nice enhancement to Enterprise 5 is its capability of detecting hidden processes running on hosts -- a telltale sign of a kernel rootkit infestation. EnCase also allows you to search your network for rootkits using quick, compact snapshot criteria. The ability to schedule snapshots, to acquire selected files, and to quickly view file properties without parsing the entire disk proved to be among the more useful improvements to this version of EnCase.

The EnCase Examiner interface is both powerful and intimidating. Guidance was on-site with us for about six hours helping us set up the system and learn how to get the "magic" out of it. By the time the Guidance team had left us, we were comfortable remotely installing Servlets, searching for rootkits, navigating file structures, and viewing Internet file caches, among other functions. Every installation of Enterprise includes one week of on-site training and support, and you’ll want to take advantage of it.

Armed with our new Examiner skills, we used prepackaged EnScripts to detect some Windows kernel rootkits on several hosts. EnCase easily and unerringly detected both types of rootkits we had hidden (Hacker Defender and FU), but it might have done so with a little more fanfare. The query we used was simply to find hidden processes, and the snapshot returned a list of running processes in a column titled Hidden. A dot in the column was the only indicator that something bad was going on. Luckily for us, this part of the training came after we had finished our morning coffee or we could have missed it.
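The article does not say how EnCase decides that a process is hidden, so the following is an added illustration rather than Guidance's method: cross-view differencing, the standard defensive technique behind most hidden-process checks. A rootkit that hooks the process-enumeration API can make a process vanish from the "normal" listing while it still appears in a lower-level view (the kernel's own process list, handle tables, or scheduler threads). Comparing the two views and flagging what appears only in the lower one fills in exactly the kind of Hidden column the review describes. Both views, the process names and the PIDs are constructed sample data.

```python
"""Cross-view detection of hidden processes (added example, not EnCase code).

Two enumerations of the same host are compared: the view a hooked user-mode
API reports, and a lower-level view the rootkit did not tamper with. Anything
present only in the lower-level view is flagged as hidden. Both lists here are
constructed sample data with made-up process names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


# View 1: what the (possibly hooked) user-mode enumeration API returns. Constructed.
API_VIEW = [Proc(4, "System"), Proc(512, "svchost.exe"), Proc(1024, "explorer.exe")]

# View 2: what a lower-level enumeration returns. Constructed; the two extra
# entries stand in for a rootkit's hidden processes.
LOW_LEVEL_VIEW = API_VIEW + [Proc(1337, "rk_backdoor.exe"), Proc(2048, "rk_helper.exe")]


def cross_view_diff(api_view, low_level_view):
    """Processes visible at the low level but absent from the API view.

    Only this direction is flagged: a process in the API view but not the
    low-level one is normally a race (it exited between the two enumerations),
    not a hiding attempt.
    """
    api_pids = {p.pid for p in api_view}
    return [p for p in low_level_view if p.pid not in api_pids]


def snapshot_rows(api_view, low_level_view):
    """Snapshot table with a Hidden column: (pid, name, hidden) per process."""
    hidden = {p.pid for p in cross_view_diff(api_view, low_level_view)}
    ordered = sorted(low_level_view, key=lambda p: p.pid)
    return [(p.pid, p.name, p.pid in hidden) for p in ordered]


def report(rows):
    """Render the table with an explicit summary line instead of a lone dot."""
    lines = [f"{pid:>6}  {name:<20}  {'HIDDEN' if hidden else ''}".rstrip()
             for pid, name, hidden in rows]
    count = sum(1 for r in rows if r[2])
    lines.append(f"{count} hidden process(es) -- possible kernel rootkit"
                 if count else "no hidden processes")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(snapshot_rows(API_VIEW, LOW_LEVEL_VIEW)))
```

The summary line at the bottom is the fix for the review's complaint about fanfare: a count of hidden processes is harder to miss before morning coffee than a dot in a column.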

We also found that navigating whole hard drives remotely -- via the installed Servlet -- was remarkably quick. It took less than 5 seconds to grab an initial inventory of a remote 40GB drive, and we could swiftly navigate through the file structure looking at time stamps. For more granular detail, we could easily hash the files -- to take a fingerprint or nonwriteable image -- and open and view them. And we were able to reconstruct Web-based e-mail and view Firefox and Internet Explorer caches on the target drive.

Feeling adventurous, we wrote our own EnScripts looking for a handful of spyware processes, open peer-to-peer ports, and certain registry keys associated with the installation of popular multiplayer Internet games. Even with our limited experience using automation languages, we found it easy to build effective EnScripts. In addition to the scripts, EnCase provides a filter-building interface that we found very intuitive. However, we sometimes found ourselves trying to perform operations that the interface didn’t like, and we became frustrated when the presented results differed from what we anticipated. Our frustrations were always the result of user error, but we often wished the GUI were more forgiving.

EnCase Enterprise 5 allows for the optional incorporation of an ODBC-compatible database server to store snapshot information. We found this capability to be particularly useful. Simple SQL queries allowed us to determine which computers had remote desktop protocols open or were running outdated anti-virus software.
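The snapshot work described in this review comes down to three queries: diff a host's current snapshot against a historical one, pivot on the hash of a suspicious process across every host's latest snapshot, and ask the database which machines have a remote-desktop port open or are running something other than the current anti-virus version. The following is an added example, not EnCase code, and the article does not describe EnCase's actual snapshot schema, so the tables, the view, the host names, the hash values and every row are my own constructed sample data; it uses SQLite in memory so it runs offline.

```python
"""Snapshot triage against an SQL store (added example, not EnCase code).

Models the kind of snapshot database the review describes: one row per
snapshot, with child tables for processes, listening ports and installed
software. The schema is my own and all rows are constructed sample data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE snapshot(id INTEGER PRIMARY KEY, host TEXT, taken_at TEXT);
CREATE TABLE process(snapshot_id INTEGER, pid INTEGER, name TEXT, sha1 TEXT);
CREATE TABLE listener(snapshot_id INTEGER, proto TEXT, port INTEGER, pid INTEGER);
CREATE TABLE software(snapshot_id INTEGER, name TEXT, version TEXT);
-- Each host's most recent snapshot; every network-wide query starts here.
CREATE VIEW latest AS
  SELECT id, host FROM snapshot s
  WHERE taken_at = (SELECT MAX(taken_at) FROM snapshot WHERE host = s.host);
"""

# Constructed data: hostA has a historical and a current snapshot, hostB/hostC one each.
SNAPSHOTS = [(1, "hostA", "2005-06-01T09:00"), (2, "hostA", "2005-06-02T09:00"),
             (3, "hostB", "2005-06-02T09:05"), (4, "hostC", "2005-06-02T09:10")]
BAD_HASH = "deadbeef" * 5                 # placeholder for the malicious process's hash
SYS_HASH, SVC_HASH = "11" * 20, "22" * 20  # placeholder hashes for benign processes
PROCESSES = [(1, 4, "System", SYS_HASH), (1, 512, "svchost.exe", SVC_HASH),
             (2, 4, "System", SYS_HASH), (2, 512, "svchost.exe", SVC_HASH),
             (2, 1337, "updsvc.exe", BAD_HASH),                      # new on hostA today
             (3, 4, "System", SYS_HASH), (3, 900, "updsvc.exe", BAD_HASH),  # also on hostB
             (4, 4, "System", SYS_HASH)]
LISTENERS = [(2, "tcp", 8080, 1337),                  # the 8080/tcp shell from the scenario
             (3, "tcp", 3389, 4), (4, "tcp", 3389, 4)]  # remote desktop open on hostB, hostC
SOFTWARE = [(2, "AV", "5.2"), (3, "AV", "5.2"), (4, "AV", "4.9")]


def load():
    """Build the in-memory snapshot database from the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO snapshot VALUES (?,?,?)", SNAPSHOTS)
    db.executemany("INSERT INTO process VALUES (?,?,?,?)", PROCESSES)
    db.executemany("INSERT INTO listener VALUES (?,?,?,?)", LISTENERS)
    db.executemany("INSERT INTO software VALUES (?,?,?)", SOFTWARE)
    return db


def new_since_previous(db, host):
    """Processes and listeners in the host's latest snapshot absent from the one before."""
    ids = [r[0] for r in db.execute(
        "SELECT id FROM snapshot WHERE host = ? ORDER BY taken_at DESC LIMIT 2", (host,))]
    if len(ids) < 2:          # no historical snapshot: everything in the current one is new
        ids.append(-1)
    cur, prev = ids
    procs = db.execute("""SELECT name, sha1 FROM process WHERE snapshot_id = ?
                          EXCEPT SELECT name, sha1 FROM process WHERE snapshot_id = ?""",
                       (cur, prev)).fetchall()
    ports = db.execute("""SELECT proto, port FROM listener WHERE snapshot_id = ?
                          EXCEPT SELECT proto, port FROM listener WHERE snapshot_id = ?""",
                       (cur, prev)).fetchall()
    return procs, ports


def hosts_with_hash(db, sha1):
    """Pivot: hosts whose latest snapshot contains a process with this hash."""
    return [r[0] for r in db.execute("""SELECT DISTINCT l.host FROM latest l
        JOIN process p ON p.snapshot_id = l.id WHERE p.sha1 = ? ORDER BY l.host""", (sha1,))]


def hosts_listening_on(db, port, proto="tcp"):
    """Hosts whose latest snapshot shows a listener on the port (3389 = remote desktop)."""
    return [r[0] for r in db.execute("""SELECT DISTINCT l.host FROM latest l
        JOIN listener n ON n.snapshot_id = l.id WHERE n.port = ? AND n.proto = ?
        ORDER BY l.host""", (port, proto))]


def hosts_not_running(db, product, current_version):
    """Hosts whose latest snapshot shows `product` at any version other than the current one."""
    return [r[0] for r in db.execute("""SELECT DISTINCT l.host FROM latest l
        JOIN software w ON w.snapshot_id = l.id WHERE w.name = ? AND w.version <> ?
        ORDER BY l.host""", (product, current_version))]


if __name__ == "__main__":
    db = load()
    procs, ports = new_since_previous(db, "hostA")
    print("new on hostA since last snapshot:", procs, ports)
    print("hosts carrying the suspicious hash:", hosts_with_hash(db, BAD_HASH))
    print("remote desktop listening:", hosts_listening_on(db, 3389))
    print("anti-virus not at current version:", hosts_not_running(db, "AV", "5.2"))
```

The `latest` view is the piece worth copying: pivots and compliance queries should only ever look at each host's most recent snapshot, otherwise a hash that was cleaned up last week still shows the host as infected. The diff is done with `EXCEPT` so a renamed binary with the same hash and a same-named binary with a new hash both show up as new.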

Also noteworthy is the ability to kill processes when they have been deemed malicious, making EnCase useful for containing worm outbreaks.

EnCase Enterprise is a powerful tool that allows security personnel to dive deeply into a system that warrants investigation, and it gathers information in a way designed to stand up in a court of law. Nevertheless, this software still requires an investigator who is skilled enough to ask the right questions. Coupled with the right training, EnCase Enterprise has the potential to bring accurate closure to every intrusion alarm. As regulatory pressure increases to protect consumer data, due diligence can come in the form of EnCase Enterprise.

InfoWorld Scorecard: EnCase Enterprise 5

Performance (20.0%): 9.0
Features (25.0%): 8.0
Ease of use (10.0%): 7.0
Value (10.0%): 7.0
Integration (15.0%): 8.0
Management (20.0%): 8.0
Overall Score (100%): 8.0

Copyright © 2005 IDG Communications, Inc.