1 / 58

Planning for Incident Response

Planning for Incident Response. Security Planning Susan Lincke. Objectives. Students should be able to: Define and describe an incident response plan and business continuity plan Describe incident management team, incident response team, proactive detection, triage

kremington
Download Presentation

Planning for Incident Response

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Planning for Incident Response Security Planning Susan Lincke

  2. Objectives Students should be able to: Define and describe an incident response plan and business continuity plan Describe incident management team, incident response team, proactive detection, triage Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, root cause, Define external test, internal test, blind test, double blind test, targeted test. Develop a high-level incident response plan. Describe steps to obtain computer forensic information during an investigation. Describe general capabilities of a forensic tool. Describe steps to copy a disk. Define discovery, e-discovery, deposition, declaration, affidavit, fact witness, expert consultant, expert witness.

  3. How to React to…? Denial of Service Accidents Viruses Stolen Laptop Social Engineering Theft of Proprietary Information System Failure Lost Backup Tape Hacker Intrusion Fire!

  4. Incident Response vs. Business Continuity Incident Response Planning (IRP) • Security-related threats to systems, networks & data • Data confidentiality • Non-repudiable transactions Business Continuity Planning • Disaster Recovery Plan • Continuity of Business Operations • IRP is part of BCP and can be *the first step* NIST SP 800-61 defines an incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

  5. Review: Business Continuity Recovery Terms Interruption Window: Time duration organization can wait between point of failure and service resumption Service Delivery Objective (SDO): Level of service in Alternate Mode Maximum Tolerable Outage: Max time in Alternate Mode Disaster Recovery Plan Implemented Regular Service Regular Service Alternate Mode SDO Time… Restoration Plan Implemented (Acceptable) Interruption Window Interruption Maximum Tolerable Outage

  6. Vocabulary Attack vectors = source methods: Can include removable media, flash drive, email, web, improper use, loss or theft, physical abuse, social engineering, …

  7. Vocabulary • IMT: Incident Management Team • IS Mgr leads, includes steering committee, IRT members • Develop strategies & design plan for Incident Response, • integrating business, IT, BCP, and risk management • Obtain funding, Review postmortems • Meet performance & reporting requirements IRT: Incident Response Team Handles the specific incident. Has specific knowledge relating to: Security, network protocols, operating systems, physical security issues, malicious code, etc. Permanent (Full Time) Members: IT security specialists, incident handlers, investigator Virtual (Part Time) Members: Business (middle mgmt), legal, public relations, human resources, physical security, risk, IT

  8. Stages in Incident Response Preparation Plan PRIOR to Incident Identification Determine what is/has happened Containment & Escalation Limit incident [If data breach] Notify any data breach victims Analysis & Eradication Notification Determine and remove root cause Ex-Post Response Return operations to normal Establish call center, reparation activities Recovery Process improvement: Plan for the future Lessons Learned

  9. Why is incident response important? $201: average cost per breached record 66% of incidents took > 1 month to years to discover 82% of incidents detected by outsiders 78% of initial intrusions rated as low difficulty

  10. Stage 1: Preparation What shall we do if different types of incidents occur? (BIA helps) When is the incident management team called? How can governmental agencies or law enforcement help? When do we involve law enforcement? What equipment do we need to handle an incident? What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies) Where on-site & off-site shall we keep the IRP?

  11. (1) Detection Technologies Organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner Proactive Detection includes: • Network Intrusion Detection/Prevention System (NIDS/NIPS) • Host Intrusion Detection/Prevention System (HIDS/HIPS) • Antivirus, Endpoint Security Suite • Security Information and Event Management (Logs) • Vulnerability/audit testing • System Baselines, Sniffer • Centralized Incident Management System • Input: Server, system logs • Coordinates & co-relates logs from many systems • Tracks status of incidents to closure Reactive Detection: Reports of unusual or suspicious activity

  12. Logs to Collect & Monitor

  13. Incidents may include… IT Detects Employees Reports Malware Violations of policy Data breach: stolen laptop, memory employee mistake Social engineering/fraud: caller, e-mail, visitors Unusual event: inappropriate login unusual system aborts server slow deleted files defaced website • a device (firewall, router or server) issues serious alarm(s) • change in configuration • an IDS/IPS recognizes an irregular pattern: • unusually high traffic, • inappropriate file transfer • changes in protocol use • unexplained system crashes or • unexplained connection terminations

  14. (1) Management Participation • Management makes final decision • As always, senior management has to be convinced that this is worth the money. • Actual Costs: Ponemon Data Breach Study, 2014, Sponsored by Symantec

  15. WorkbookIncident Types

  16. Stage 2: Identification Triage: Categorize, prioritize and assign events and incidents • What type of incident just occurred? • What is the severity of the incident? • Severity may increase if recovery is delayed • Who should be called? • Establish chain of custody for evidence

  17. (2) Triage Snapshot of the known status of all reported incident activity • Sort, Categorize, Correlate, Prioritize & Assign Categorize: DoS, Malicious code, Unauthorized access, Inappropriate usage, Multiple components Prioritize: Limited resources requires prioritizing response to minimize impact Assign: Who is free/on duty, competent in this area?

  18. (2) Chain of Custody • Evidence must follow Chain of Custody law to be admissible/acceptable in court • Include: specially trained staff, 3rd party specialist, law enforcement, security response team System administrator can: • Retrieve info to confirm an incident • Identify scope and size of affected environment (system/network) • Determine degree of loss/alteration/damage • Identify possible path of attack

  19. Stage 3: Containment • Activate Incident Response Team to contain threat • IT/security, public relations, mgmt, business • Isolate the problem • Disable server or network zone comm. • Disable user access • Change firewall configurations to halt connection • Obtain & preserve evidence

  20. (3) Containment - Response Technical • Collect data • Analyze log files • Obtain further technical assistance • Deploy patches & workarounds Managerial • Business impacts result in mgmt intervention, notification, escalation, approval Legal • Issues related to: investigation, prosecution, liability, privacy, laws & regulation, nondisclosure

  21. Stage 4: Analysis & Eradication • Determine how the attack occurred: who, when, how, and why? • What is impact & threat? What damage occurred? • Remove root cause: initial vulnerability(s) • Rebuild System • Talk to ISP to get more information • Perform vulnerability analysis • Improve defenses with enhanced protection techniques • Discuss recovery with management, who must make decisions on handling affecting other areas of business

  22. (4) Analysis What happened? Who was involved? What was the reason for the attack? Where did attack originate from? When did the initial attack occur? How did it happen? What vulnerability enabled the attack?

  23. (4) Remove root cause If Admin or Root compromised, rebuild system Implement recent patches & recent antivirus Fortify defenses with enhanced security controls Change all passwords Retest with vulnerability analysis tools

  24. Stage 5: Recovery Restore operations to normal Ensure that restore is fully tested and operational

  25. WorkbookIncident Handling Response

  26. Stage 6: Lessons Learned • Follow-up includes: • Writing an Incident Report • What went right or wrong in the incident response? • How can process improvement occur? • How much did the incident cost (in loss & handling & time) • Present report to relevant stakeholders

  27. Planning Processes Risk & Business Impact Assessment Response & Recovery Strategy Definition Document IRP and DRP Train for response & recovery Update IRP & DRP Test response & recovery Audit IRP & DRP

  28. Training Introductory Training: First day as IMT Mentoring: Buddy system with longer-term member Formal Training On-the-job-training Training due to changes in IRP/DRP

  29. Types of Penetration Tests External Testing: Tests from outside network perimeter Internal Testing: Tests from within network Blind Testing: Penetration tester knows nothing in advance and must do web research on company Double Blind Testing: System and security administrators also are not aware of test Targeted Testing: Have internal information about a target. May have access to an account. Written permission must always be obtained first

  30. Incident Management Metrics # of Reported Incidents # of Detected Incidents Average time to respond to incident Average time to resolve an incident Total number of incidents successfully resolved Proactive & Preventative measures taken Total damage from reported or detected incidents Total damage if incidents had not been contained in a timely manner

  31. Challenges • Management buy-in: Management does not allocate time/staff to develop IRP • Top reason for failure • Organization goals/structure mismatch: e.g., National scope for international organization • IMT Member Turnover • Communication problems: Too much or too little • Plan is to complex and wide

  32. Question The MAIN challenge in putting together an IRP is likely to be: Getting management and department support Understanding the requirements for chain of custody Keeping the IRP up-to-date Ensuring the IRP is correct

  33. Question The PRIMARY reason for Triage is: To coordinate limited resources To disinfect a compromised system To determine the reasons for the incident To detect an incident

  34. Question When a system has been compromised at the administrator level, the MOST IMPORTANT action is: Ensure patches and anti-virus are up-to-date Change admin password Request law enforcement assistance to investigate incident Rebuild system

  35. Question The BEST method of detecting an incident is: Investigating reports of discrepancies NIDS/HIDS technology Regular vulnerability scans Job rotation

  36. Question The person or group who develops strategies for incident response includes: CISO CRO IRT IMT

  37. Question The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to: • Disconnect the computer facilities from the computer network to hopefully disconnect the attacker • Power down the server to prevent further loss of confidentiality and data integrity • Call the police • Follow the directions of the Incident Response Plan

  38. Computer Forensics The process of identifying preserving, analyzing and presenting digital evidence for a legal proceeding

  39. The Investigation • Avoid Infringing on the rights of the suspect • Warrant required unless… • Organization/home gives permission; the crime is communicated to a third party; the evidence is in plain site or is in danger of being destroyed; evidence is found during a normal arrest process; or if police are in hot pursuit. • Computer searches generally require a warrant except: • When a signed acceptable use policy authorizes permission • If computer repair person notices illegal activities (e.g., child pornography) they can report the computer to law enforcement

  40. Computer Crime Investigation Analyze copied images Call Police Or Incident Response Evidence must be unaltered Chain of custody professionally maintained Four considerations: Identify evidence Preserve evidence Analyze copy of evidence Present evidence Take photos of surrounding area Copy memory, processes files, connections In progress Preserve original system In locked storage w. min. access Power down Copy disk

  41. Initial Incident Investigation A forensic jumpkit includes: a laptop preconfigured with protocol sniffers and forensic software network taps and cables Since the attacked computer may be contaminated, the jumpkit must be considered reliable The investigator is likely to: Get a full memory image snapshot, to obtain network connections, open files, in progress processes Photograph computer: active screen, inside, outside computer for full configuration Take disk image snapshot to analyze disk contents. The investigator must not taint the evidence. E.g., a cell phone left on to retain evidence must be kept in a Faraday bagto shield phone from connecting to networks

  42. Computer Forensics • Did a crime occur? • If so, what occurred? Evidence must pass tests for: • Authenticity: Evidence is a true unmodified original from the crime scene • Computer Forensics does not destroy or alter the evidence • Continuity: “Chain of custody” assures that the evidence is intact and history is known

  43. Chain of Custody 11:47-1:05 Disk Copied RFT & PKB 11:05-11:44 System copied PKB & RFT 11:04 Inc. Resp. team arrives Time Line 10:53 AM Attack observed Jan K 11:15 System brought Offline RFT 11:45 System Powered down PKB & RFT 1:15 System locked in static-free bag in storage room RFT & PKB Who did what to evidence when? (Witness is required)

  44. Chain of Custody A chain of custody document tracks: Case number Device’s model and serial number (if available) When and where the evidence was held/stored For each person who held or had access to the evidence (at every time) name, title, contact information and signature why they had access It is useful to have a witness at each point Evidence is stored in evidence bags, sealed with evidence tape

  45. Creating a Forensic Copy 2) Accuracy Feature: Tool is accepted as accurate by the scientific community: Original Mirror Image 4) One-way Copy: Cannot modify original 5) Bit-by-Bit Copy: Mirror image 3) Forensically Sterile: Wipes existing data; Records sterility 1) & 6) Calculate Message Digest: Before and after copy 7) Calculate Message Digest Validate correctness of copy

  46. Forensic Tools Normalizing data = converting disk data to easily readable form Forensic tools analyze disk or media copy for: logs file timestamps file contents recycle bin contents unallocated disk memory contents (or file slack) specific keywords anywhere on disk application behavior. The investigator: • launches the application on a virtual machine runs identical versions of OS and software packages.

  47. Forensic Software Tools EnCase: Interprets hard drives of various OS, tablets, smartphones and removable media for use in court. (www.guidancesoftware.com) Forensic Tool Kit (FTK): Supports Windows, Apple, UNIX/Linux OS including analysis of volatile (RAM and O.S. structures) and nonvolatile data for use in a court. (www.accessdata.com) Cellebrite: Handles commercial mobile devices for use in a court. Mobile devices are connected via appropriate cables to a workstation with the forensic tool installed, or via a travel kit. (www.cellebrite.com) ProDiscover: Analyzes hard disks for Windows, Linux and Solaris OS. An Incident Response tool can remotely evaluate a live system. (www.techpathways.com) X-ways: Specializes in Windows OS. X-ways can evaluate a system via a USB-stick without installation, and requires less memory. (www.x-ways.net) Sleuthkit: An open-source tool evaluates Windows, Unix, Linux and OS-X. It is programmer-extendable. Sleuth Kit (TSK) = command-line tool; Autopsy = graphical interface. (www.sleuthkit.org)

  48. Preparing for Court When the case is brought to court, the tools & techniques used will be qualified for court: Disk copy tool and forensic analysis tools must be standard Investigator’s qualifications include education level, forensic training& certification: forensic software vendors (e.g., EnCase, FTK) OR independent organizations (e.g.: Certified Computer Forensics Examiner or Certified Forensic Computer Examiner). Some states require a private detective license.

  49. The Investigation Report The Investigation Report describes the incident accurately. It: Provides full details of all evidence, easily referenced Describes forensic tools used in the investigation Includes interview and communication info Provides actual results data of forensic analysis Describes how all conclusions are reached in an unambiguous and understandable way Includes the investigator’s contact information and dates of the investigation Is signed by the investigator

  50. A Judicial Procedure Civil Case Criminal Case Plaintiff files Complaint (or lawsuit) Law enforcement arrests defendant Reads Miranda rights Defendant sends Answer within 20 days Prosecutor files an Information with charges or Grand Jury issues an indictment Plaintiff & Defendant provide list of evidence and witnesses to other side Discovery Phase Plaintiff & Defendant request testimony, files, documents Responsive documents The Trial

More Related