6.5 Inspect Files and Directories for Unexpected Changes
The file systems in your network environment contain a variety of software and data files. Unexpected changes in directories and files, especially those to which access is normally restricted, may indicate an intrusion. Changes could include modifying, creating, or deleting directories and files. What makes such changes unexpected may depend on who changed them and where, when, and how the changes were made.
Private data files and files containing mission-critical information are common targets of modification or corruption by intruders. Information about your organization that is accessible to the public or to subscribers via public networks and the Internet is also a common target. Numerous documented cases exist of prominent organizations that have had their web sites modified to include offensive content and other erroneous information.
Intruders often create, substitute, modify, and damage files on systems to which they have gained access, as described in Section 6.2 Introduction. Intruders may create new files on your systems. For example, they may install backdoor programs or tools used to gain privileged access on the system. Intruders may make use of the disk space on compromised systems to store their tools and other artifacts.
If you permit access to your systems and networks by third parties (vendors, contractors, suppliers, partners, customers, etc.), it is critical that you actively monitor their access to your systems and networks as well as any processing they do. This precaution helps ensure that all actions are authentic and authorized. Monitoring access includes examining all relevant directories and files.
6.5.1 Verify Integrity
Examine the directories and files on your system and prioritize how frequently you should check them. The more mission- or security-critical the file, the more frequently you should check it.
We recommend checking at least daily, perhaps at the start of the business day, to cover all processing done during the preceding 24 hours.
Compare the attributes and contents of files and directories to the authoritative reference (either complete copies or cryptographic checksums). Identify any files and directories whose contents or other attributes have changed, as described in Section 5.3.
Always access authoritative reference data directly from its secured, read-only media. Never transmit authoritative reference data over unsecured network connections unless you use mechanisms such as digital signatures and cryptographic checksums to verify data integrity.
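The following is an added example, not part of the CERT module, of the comparison Section 6.5.1 describes: it records a SHA-256 digest and the attributes an intruder commonly disturbs (size, mode bits, owner, modification time) for every regular file under a directory, then compares a fresh snapshot against that baseline. All function names, the directory layout and the file contents are constructed for the demonstration; in practice the baseline would be read from secured, read-only media rather than from a string in memory.

```python
"""Added example (not from the CERT module): a minimal file-integrity baseline
and verifier. Names and sample files are constructed for the demonstration."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> attribute record for every regular file under root.
    Symbolic links are skipped so a link planted at a file's path cannot make the
    checker hash some other file's contents."""
    root = Path(root)
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        records[str(p.relative_to(root))] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "mtime": int(st.st_mtime),
        }
    return records


def compare(baseline, current):
    """Return additions, deletions and, per modified file, the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then simulate four kinds of change."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "bin").mkdir()
        (r / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        os.chmod(r / "bin" / "tool", 0o755)
        (r / "etc").mkdir()
        (r / "etc" / "hosts.allow").write_text("ALL: 10.0.0.0/8\n")
        (r / "etc" / "motd").write_text("welcome\n")

        # The authoritative reference; serialized here only to show it round-trips.
        baseline_json = json.dumps(snapshot(r), sort_keys=True)

        # Simulated unexpected changes: a same-length content swap (a size check
        # alone would miss it), loosened permissions, a dropped file, a deletion.
        (r / "bin" / "tool").write_bytes(b"#!/bin/sh\necho no\n")
        os.chmod(r / "etc" / "hosts.allow", 0o666)
        (r / "etc" / ".stash").write_text("tools\n")
        (r / "etc" / "motd").unlink()

        return compare(json.loads(baseline_json), snapshot(r))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names which attribute changed for each file, which is what lets the reviewer distinguish a content replacement (digest changed, size perhaps not) from a permission change (only the mode differs).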
6.5.2 Identify Unexpected Changes and Their Implications
Data from log files and other data collection mechanisms will help you to analyze changes to files and directories. These include the following (refer to Section 5.3, Table 5.2):
- Cryptographic checksums for all files and directories
- Lists of files, directories, attributes
- Accesses (open, create, modify, execute, delete), time, date
- Changes to sizes, contents, protections, types, locations
- Additions and deletions of files and directories
- Results of virus scanners
Also look for the following extraordinary occurrences:
- Unexpected file or directory access, creation, or deletion.
- Unexpected changes to file or directory protections or access control lists. Identifying these can aid, for example, in detecting the creation of files in user home directories that can be later used for backdoor access. Improperly set access control lists on system tools may indicate that an intruder has located and executed security tools that were installed by the authorized system administrator.
- Unexpected changes to file or directory sizes, contents, and other attributes. These may signify that a file or service has been replaced with the intruder's version, including the installation of a Trojan horse or backdoor. An intruder inadvertently enabling debugging can easily quadruple the size of a file.
- Unexpected changes to password files, such as unauthorized creation of new accounts and accounts with no passwords.
- Unexpected changes to system configuration files and other restricted and sensitive information, including firewall-filtering rules.
- Unusual or unexpected open files. These can reveal the presence of sniffer logs or programs.
- Violations of log file consistency (unexpected changes in file size, gaps in time between log records).
- The presence of viruses, backdoors, and Trojan horses detected by scanning tools, as described in Section 2.12.
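Two of the items above, unexpected changes to password files and violations of log file consistency, lend themselves to simple automated checks. The block below is an added example, not code from the CERT module: it runs a password-file audit (new accounts relative to a baseline, empty password fields, changed records for existing accounts) and a log-consistency check (a log that shrank between inspections, timestamps that go backwards, gaps longer than a chosen threshold) over constructed sample data. The function names, the sample passwd lines and the syslog-style extract are all made up for the demonstration.

```python
"""Added example (not from the CERT module): password-file audit and
log-consistency checks over constructed sample data."""
from datetime import datetime, timedelta

# Constructed baseline and current /etc/passwd-style content
# (name:password:uid:gid:gecos:home:shell).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1000:1000:Operations:/home/ops:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1000:1000:Operations:/home/ops:/bin/bash
toor:x:0:0:toor:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
"""

# Constructed syslog-style extract with one multi-hour hole in an hourly job.
SAMPLE_LOG = """\
Mar 12 01:00:05 host sshd[811]: Accepted publickey for ops from 10.0.0.5
Mar 12 01:10:17 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 01:20:02 host sshd[950]: Accepted publickey for ops from 10.0.0.5
Mar 12 05:30:44 host cron[1200]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 05:31:09 host sshd[1210]: Accepted password for root from 203.0.113.9
"""


def parse_passwd(text):
    """Map account name -> record; malformed lines are skipped, not trusted."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        users[fields[0]] = {"password": fields[1], "uid": int(fields[2]),
                            "home": fields[5], "shell": fields[6]}
    return users


def audit_passwd(baseline_text, current_text):
    """Findings: new accounts, empty password fields, changed existing records.
    On shadowed systems the empty-field check applies to /etc/shadow's second field too."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = [f"new account: {n}" for n in sorted(set(cur) - set(base))]
    for name, rec in sorted(cur.items()):
        if rec["password"] == "":
            findings.append(f"empty password field: {name}")
        if name in base and rec != base[name]:
            findings.append(f"record changed for existing account: {name}")
    return findings


def parse_syslog_time(line, year=2024):
    # Classic syslog lines carry no year; the caller supplies it.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def check_log_consistency(text, previous_size, max_gap=timedelta(hours=2)):
    """Findings: size regression since the last inspection, timestamps that run
    backwards, and gaps between consecutive records longer than max_gap."""
    findings = []
    size = len(text.encode())
    if size < previous_size:
        findings.append(f"log shrank from {previous_size} to {size} bytes")
    stamps = [parse_syslog_time(ln) for ln in text.splitlines() if ln.strip()]
    for prev, cur in zip(stamps, stamps[1:]):
        if cur < prev:
            findings.append(f"timestamp went backwards at {cur.time()}")
        elif cur - prev > max_gap:
            findings.append(f"gap of {cur - prev} between {prev.time()} and {cur.time()}")
    return findings


if __name__ == "__main__":
    for f in audit_passwd(BASELINE_PASSWD, CURRENT_PASSWD):
        print("passwd:", f)
    # previous_size is what the last inspection recorded; constructed here.
    for f in check_log_consistency(SAMPLE_LOG, previous_size=len(SAMPLE_LOG) + 500):
        print("log:", f)
```

The threshold for a gap depends on what normally writes to the log: for a log that an hourly job touches, as in the constructed sample, a gap of several hours is worth a look, while a quiet debug log would need a much longer threshold or none at all.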
Intruders can use compromised systems that support a promiscuous network interface to collect host and user authentication information that is visible on the network. Sniffers are able to capture user keystrokes containing host, account, and password information. The presence of some sniffers can be detected by looking for Trojan horse programs, suspect processes, and unexpected modifications to files. See the discussion on network sniffers in Section 6.4.7.
6.5.3 Policy Considerations
Your organization's networked systems security policy should establish the following guidelines:
- Users should be notified that files and directories will be examined, and informed of the objective of such examinations.
- The responsibilities and authority of designated systems administrators and security personnel to examine files and directories on a regular basis for unexpected changes should be specified.
- Users should report any unexpected changes to their software and data files to system administrators or your organization's designated security point of contact.
6.5.4 Additional Information
Some types of important files, such as log files and database tables, are expected to change frequently (perhaps several times per second). In general, the techniques described above will not be useful in distinguishing normal changes to these file types from those that might have been caused by intruders. Techniques based on transaction auditing are more useful in these cases.
As noted in Sections 6.3 and 6.4, whenever possible you should analyze and correlate data collected from multiple sources, as described in the other practices of this chapter. Refer to Section 7.2.