Tag Archives: Incident Handling

Security Hands-On-Training – Part 2

This article follows the first part of the security hands-on-training series. The focus will be on adding system components to the environment that was built on part one.

After you have setup the host environment with your virtualization software, additional components need to be installed. It is important to install and test one component at a time to minimize complexity and to keep good notes. Document each step and relevant configurations like passwords and IP addresses.

The environment needs Microsoft Windows systems. When building a Windows environment start with a Domain Controller and a Member server (TechNet, 2009). A more complex configuration is described in the Windows Server System Reference Architecture (WSSRA) documentation (Microsoft, 2005). It uses a modular approach that allows users to focus on the scenarios or services that are more relevant for their needs. With overview documents, reference blueprints, architecture blueprints, service blueprints and exhaustive implementation guides that will help the users design and implement IT services based on the use of Windows Server Systems products within the context of a real-world enterprise scenario using a fictitious organization, named Contoso (Microsoft, 2005). This documentation was written in 2005 and considers Windows Server 2003 to build foundational infrastructure services. Even though, the WSSRA is a complex set of guidance spanning more than 3,500 pages and contains more information than what is needed, it is a great guide and helps to build a Windows environment. Over time, the services covered by WSSRA are being updated and replaced with the Infrastructure Planning and Design (IPD) Series which will cover Windows Server 2008 (Microsoft, 2012). Below is the logical diagram that illustrates the infrastructure that is build throughout those guides.


In the small environment that we are building in order to perform hands-on security, two Windows machines were used. After having the first Windows machine deployed with a baseline configuration and device drivers installed from VMware Tools, the reader should sysprep it. Next, shutdown the system, compress it, and save it to a separate folder. This folder will be the repository of ready to deploy gold images. Please consider that the sysprep method is to avoid SID duplications when cloning windows machines. Mark Russinovich explains it perfectly: “The Microsoft-supported way to create a Windows installation that’s ready for deployment to a group of computers is to install Windows on a reference computer and prepare the system for cloning by running the Sysprep tool. This is called generalizing the image, because when you boot an image created using this process, Sysprep specializes the installation by generating a new machine SID, triggering plug-and-play hardware detection, resetting the product activation clock, and setting other configuration data like the new computer name” (Russinovich, 2009). In addition, after finishing the operating system and driver installation, create a snapshot to save the state of the virtual machine which will allow you to return to any point previously saved. This allows the reset of the virtual machines to a known-good previous state without the need to rebuild the systems from scratch.

The scenario that is described trough these article series uses two Windows 2008 Standard edition servers. One will have the role of Domain controller and Primary DNS server. The other will run a web server, a database server and a development framework. To get the Windows 2008 operating system media the reader can download an evaluation copy from Microsoft’s download center portal or from MSDN if it has a MSDN subscription.

The high level steps needed to create the first Windows Server 2008 are described below:

  • Install and configure Windows Server 2008.
  • Install VMware Tools.
  • Execute Sysprep.
  • Shutdown and compress to a golden image.
  • Start the new system and activate it (or use a trial).
  • Assign the VM network adapter to a custom specific network e.g. VMnet3
  • Assign a static IP address, DNS and default gateway in the desired range.
  • Ping the default gateway.
  • Run dcpromo to install Active Directory Domain Services.
  • Choose to install DNS Server and Create a new Domain in a new Forest e.g. ville.com.
  • Create a VM snapshot.

Web Stack

The next step is to build the second windows machine. This machine will be the web stack with a web server, database and a development framework. Using Windows, IIS, SQL Server and ASP.NET is one option. Another popular choice is Linux, Apache, MySQL and PHP. The first option was chosen. After some research the book “Build Your Own ASP.NET 4 Web Site Using C# & VB” was used because it gives a step-by-step approach to build a web stack using ASP.NET framework (Posey, Barnett & Darie, 2011).

The first steps are to install the required software i.e., Visual Web Developer 2010 Express Edition, .NET Framework 4 and the .NET Framework Software Development Kit (SDK), Microsoft SQL Server 2008 R2 Express Edition and SQL Server Management Studio Express  (Posey, Barnett & Darie, 2011).

Then with the web stack ready, the reader can start by creating the first Hello ASP.NET page and getting an understanding how it works in the background. While following the book and advancing trough the chapters to build the web application you will start to get familiar with topics like view state, global configuration, server and client side data validation, visual design and code-behind files, debugging and error handling and interacting with a relational database via ADO.NET (Posey, Barnett & Darie, 2011).

Below are the high level steps needed to do install the Windows Server 2008 and Web Stack:

  • Deploy Windows Server 2008 from previous golden image.
  • Start the new system, define the hostname, admin password and activate it (or use a trial).
  • Assign the VM network adapter to a custom specific network e.g. Vmnet3.
  • Assign a static IP address, DNS and default gateway in the desired range.
  • Ping the default gateway.
  • Join the system to the Domain.
  • Create a VM snapshot.

Next the high level steps to create the web stack by following the Build Your Own ASP.NET 4 Web Site Using C# & VB book  (Posey, Barnett & Darie, 2011).

  • Install IIS 7.x with ASP.NET application development support.
  • Install Visual Studio 2010 Web Express Edition.
  • Install .NET 3.5 SP1.
  • Install KB942288.
  • Install SQL Server 2008 Express R2.
  • Build the ASP.NET application.

Artillery – Tools of the Trade

After having the initial infrastructure in place the reader will need to build an arsenal of tools that will get him well equipped to practice, learn and perform offensive techniques. One of the best suites available is the Kali Linux. This distribution brings the instruments needed in order to execute the steps an intruder will eventually perform during an attack. Depending on the reader’s choice, Kali Linux is available in ISO or VMware image format.  Similarly arsenals are available like the Samurai Web Testing Framework created by Kevin Johnson of Secure Ideas and Justin Searle of UtilSec which focus on web application penetration testing (Johnson). Other alternatives exist such as Pentoo, Matrix, NodeZero, or Katana which consists of a multi-boot DVD that gathers a number of different tools and distributions in a single location (Engebretson, 2013). Moreover, the reader can choose a preferred operating system and start collecting and installing the tools needed depending on the task or technique. In our environment ,Backtrack R5, which is a precursor of Kali, will be used (Security).

Even though the BackTrack distribution is well known in the security community, many of the tools have malicious capabilities, can cause damage and take systems offline. Make sure to keep those tools in a controlled environment and behind a firewall to minimize the possibility of misuse. You never know if the tools have a hidden feature that targets the user system. In some cases, after trying the tools and techniques, the target operating system needs to be rebuilt. This is another area where VMware shines. Rather than physically reinstalling the operating system or application, its original configuration can be easily restored using snapshots.

In this case the BackTrack was installed from the ISO image and positioned into the bridge network as illustrated in part one. The default gateway on the system points to the virtual firewall’s IP address. The installation of BackTrack or Kali is easy and simple and allows the reader to have a ready system with all the tools needed.

Part 3 will describing how the ASP.NET web site code was modified in order to make the application less secure. This will allow us to understand the security techniques employed by the application in order to make it defenseless and practice our security tools and techniques!


TechNet, M. (2009, 06). Step 1: Setting up the infrastructure. Retrieved from http://technet.microsoft.com/en-us/library/dd883274(v=ws.10).aspx
Microsoft. (2005, 12 04). Windows server system reference architecture (wssra). Retrieved from http://www.microsoft.com/en-gb/download/confirmation.aspx?id=15777
Microsoft. (2012, 03 1). Infrastructure planning and design guide series. Retrieved from http://technet.microsoft.com/en-gb/solutionaccelerators/ee382254.aspx
Microsoft. (2013, 11 16). Memory limits for windows releases. Retrieved from http://msdn.microsoft.com/en-us/library/windows/desktop/aa366778(v=vs.85).aspx
Russinovich, M. (2009, 11 3). [Web log message]. Retrieved from http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx
Posey, T., Barnett, W., & Darie, C. (2011). Build your own asp.net 4 web site using c# & VB, 4th edition. SitePoint
Security, O. (n.d.). Kali Linux. . Retrieved , from http://www.offensive-security.com/community-projects/kali-linux/
Engebretson, P. (2013). the basics of hacking and penetration testing, 2nd edition. Syngress.

Tagged , , , , , ,

Computer Security Incident Handling – 6 Steps

incidentresponseActionable information to deal with computer security Incidents. Repeatable and effective steps. Steps that are unanimous among security practitioners.
It’s a good way to describe the SANS methodology for incident handling, compelled by Stephen Northcutt and others. With its origins on the Computer Incident Response Guidebook (pub. #: 5239-19) from US Navy Staff Office back in 1996. It is a 6 steps methodology. It will help you quickly and efficiently recover from a security incident.

The purpose of these 6 steps is to respond systematically to incidents. It includes the ability to minimize loss or theft of information or disruption of services when an incident occurs.

Types of incidents might include malicious code attacks, denial of service, espionage, sabotage, hoaxes, unauthorized access, insider threats, policy violations and many others.The six steps are preparation, identifications, containment, eradication, recovery and lessons learned.

A very similar process has also been brought to life by NIST on the Computer Security Incident Handling Guide (pub. #: 800-61) published in 2004. This special publication is very consistent with SANS methodology. In fact it is also a 6 step methodology with the difference that step two is named detection instead of identification.

Below a short and high level introduction of the 6 Computer Security Incident Handling steps:

Preparation : It’s at this stage that you develop the formal incident response capability. It’s at this stage where you create an incident response process defining the organizational structure with roles and responsibilities. It’s on this stage that you create your procedures with detailed guidance in order to respond to an incident. Its where you select the right people with the appropriate skill set. Its where you define the criteria do declare an incident. Its where you define the right tools to handle an incident. It’s where you define what you are going to report. To whom are you going to communicate.
This step is crucial to ensure response actions are known and coordinated. Good preparations will help you limits the potential damage by ensuring quick and effective response actions.

Identification: This is the step where you determine if an incident has occurred. Based on events observation, indicators, you look for deviations from normal operations. You look for malicious acts or attempts to do harm. The security mechanism in place will help you doing the identification. Your incident handler team will use their experience to look at the signs and indicators. The observation could occur at network level, host level or system level. It’s where you leverage the alerts and logs from your routers, firewalls, IDS, SIEM, AV gateways, operating system, network flows, etc.  After identifying an incident you need to assess the impact. Notify the appropriate individuals or external parties. If there are reasons to believe that you will engage law enforcement it’s where you ensure chain of custody. It’s also at this stage that you define next steps such as containment.

Containment: The third stage of responding to incidents. It consists of limiting the damage. Stop the bleeding. Stop the attacker. It’s where you make decision on which strategy you will use to contain the incident bases on your processes and procedures. It’s where you engage the business owners and decide to shut down the system or disconnect the network or continue operations and monitor the activity. All depends on the scope, magnitude and impact of the incident.

Eradication:  After successfully contained the incident. The next step entails removing the cause of the incident. In the case of a virus incident it may simply require removing the virus. On other complex incident cases you might need to identify and mitigate exploited vulnerabilities. It’s on this step that you should determine how it was initially executed and apply the necessary measures to ensure don’t happen again.

Recovery: It means back in production. Eventually, restoring a backup or re-image a system. It’s where you return to normal operational status.  After successfully restoration is important to monitor it for a certain time period. Why? Because you want to potentially identify signs that evaded detection.

Lessons Learned: Follow up activity is crucial. It’s where you can reflect and document what happen. Where you can learn what failed and what worked. It’s where you identify improvements for your incident handling processes and procedures. It’s where you write your final report.

References and further reading:

Computer Incident Response Guidebook (pub. #: 5239-19), 1996, US Navy Staff Office
Computer Security Incident Handling Guide (pub. #: 800-61), 2004, US NIST
Incident Handling Step by Step ver. 2.2, 2001, SANS Institute
RFC 2350: Expectations for Computer Incident Response, 1998, IETF
Handbook for Computer Security Incident Response Teams (CSIRTs), 2003, CERT / Carnegie Mellon Software Engineering Institute
Essential Incident Response Activities during the First 24 Hours, 2006, Gartner, Inc.
Good Practice Guide for Incident Management,2o1o, ENISA

Tagged , , , ,