
Incident Handling



Presentation Transcript


  1. Incident Handling COEN 250

  2. Definitions • Event – An observable occurrence • Adverse Events – Events with negative consequences • Computer Security Incident: • traditional • security-related adverse event in which there was a loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability • newer • a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices

  3. Incident Types • CIA related incidents: • Confidentiality • Integrity • Availability • Other Types • Reconnaissance Attacks • Repudiation • Someone takes action and denies it later on.

  4. Need for Incident Response • All organizations • Systematic response to incidents • Help in recovering quickly and efficiently • Prepare for handling and avoidance of future incidents • Deal properly with legal issues • Federal Agencies • Federal Information Security Management Act (FISMA) of 2002 • Provide “procedures for detecting, reporting, and responding to security incidents” • Establishes centralized Federal information security incident center. • Civilian agency • Establish point of contact (POC) with FedCIRC (Federal Computer Incident Response Center) • OMB’s Circular No. A-130, Appendix III • Capability to provide help to users when an incident occurs

  5. Incident Response Scope • Technical: • Incident detection and investigation tools and procedures • Management-related • Policy • Formation of incident response capability • In-house vs. out-sourced

  6. Stakeholders • Organization’s ability to fulfill mission • Users • Administrators (Organization’s ISP) • Providers • Software vendors • Telecommunications providers • Third Party • Clients • Affected external party • Other incident response teams • Owner of attacking address • Reporting Agencies • Media • Law Enforcement Agencies • Incident Reporting Agencies

  7. Incident Response Policy • Typical elements • Statement of management commitment • Purpose and objectives of the policy • Scope of the policy (to whom and what it applies and under what circumstances) • Definition of computer security incidents and their consequences • Organizational structure and delineation of roles, responsibilities, and levels of authority • Includes confiscation / disconnection of equipment • Monitoring of activity • Requirements for reporting • Prioritization or severity ratings of incidents • Performance measures • Reporting and contact forms.

  8. Sharing Information with Outside Parties • Media • Establish media communications procedures • Designate single Point of Contact (PoC) • Prepare for media interaction • Do not reveal sensitive, technical information • Appreciate the importance of communicating with the public fully and effectively • Brief media contacts on issues and sensitivities before discussion with media

  9. Sharing Information with Outside Parties • Law Enforcement • Which agency? • Federal investigatory agencies • FBI • US Secret Service • State law enforcement • Local law enforcement • Office of the Inspector General (OIG) for federal agencies

  10. Sharing Information with Outside Parties • Law Enforcement • What incidents? • Discuss beforehand. • How to report • Discuss beforehand. • Collection of evidence • What? • How?

  11. Sharing Information with Outside Parties • Incident Reporting Organizations • FedCIRC (federal agencies only) • Information Analysis Infrastructure Protection (IAIP) • CERT® Coordination Center (CERT®/CC) • Information Sharing and Analysis Centers (ISAC)

  12. Incident Response Team Structure • Team Models • Central Incident Response Team • Distributed Incident Response Teams • Coordinating Team • Provides guidance and advice • Does not have authority • Staffing Models • Employees • Partially outsourced • Fully outsourced

  13. Incident Response Team Structure • Criteria • In house: • Need for 24/7 availability • Full time vs. part time team members • Volunteer fire department model • Employee morale • Incident response demands on-call responsibilities for most team members • Cost • Staff Expertise • Organizational structure of the organization

  14. Incident Response Team Structure • Criteria • Outsourcer • Current and Future Quality of Work • Division of Responsibilities • Sensitive Information Revealed to the Contractor • Lack of Organization-Specific Knowledge • Lack of Correlation • Outsourcer requires administrative access to systems and to logs • Location • Incident response often requires physical presence

  15. Incident Response Team Structure • Team Development • Budget for training, publications, references • Mentoring program • Rotation between incident response and other duties • Training exercises

  16. Incident Response Team Structure • Interactions with other groups • Management • Support, buy-in • Information security staff • Telecommunications staff • Some incidents involve unauthorized access to telephone lines • IT support staff • Legal department • Public affairs / media relations • Human resources • Business continuity planning • Physical security and facilities management

  17. Incident Response Team Structure • Incident response team services • Determine the scope of the incident response team • Incident response • Advisory distribution • Vulnerability assessment • Intrusion detection • Education and awareness • Technology watch • Patch management • Usually not recommended

  18. Incident Handling • Preparation • Detection and Analysis • Containment, Eradication and Recovery • Post-incident activity

  19. Incident Handling: Preparation • Incident Handler Communications and Facilities • Contact information • On-call information for other teams within the organization, including escalation information • Incident reporting mechanisms • Pagers or cell phones to be carried by team members for off-hour support, onsite communications • Encryption software • War room for central communication and coordination • Secure storage facility for securing evidence and other sensitive materials

  20. Incident Handling: Preparation • Incident Analysis Hardware and Software • Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data • Blank portable media • Easily portable printer • Packet sniffers and protocol analyzers • Computer forensic software • Floppies and CDs with trusted versions of programs to be used to gather evidence from systems • Evidence gathering accessories • hard-bound notebooks • digital cameras • audio recorders • chain of custody forms • evidence storage bags and tags • evidence tape

  21. Incident Handling: Preparation • Incident Analysis Resources • Port lists, including commonly used ports and Trojan horse ports • Documentation for OSs, applications, protocols, and intrusion detection and antivirus signatures • Network diagrams and lists of critical assets, such as Web, e-mail, and File Transfer Protocol (FTP) servers • Baselines of expected network, system and application activity • Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents

  22. Incident Handling: Preparation • Incident Mitigation Software • Media, including OS boot disks and CD-ROMs, OS media, and application media • Security patches from OS and application vendors • Backup images of OS, applications, and data stored on secondary media

  23. Incident Handling: Detection and Analysis • Incident Categories • Denial of Service • Malicious code • Unauthorized access • Inappropriate usage • Multiple component incidents

  24. Incident Handling: Detection and Analysis • Signs of an incident • Intrusion detection systems • Antivirus software • Log analyzers • File integrity checking • Third-party monitoring of critical services • Incident indications vs. precursors • Precursor is a sign that an incident may occur in the future • E.g. scanning • Indication is a sign that an incident is occurring or has occurred

  25. Incident Handling: Detection and Analysis • Indication of incident is no proof that incident has occurred • Number of indications exceedingly high • Recommendations • Profile networks and systems • Understand normal behavior • Use centralized logging and create a log retention policy • Perform event correlation • Keep hosts synchronized (Network time protocol) • Run packet sniffers
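The recommendations on the slide above (centralized logging, time synchronization, event correlation) are what turn a pile of individual indications into something a handler can act on. The following is an added example, not part of the COEN 250 slides: it correlates constructed firewall, IDS and auth-log lines by source address and time. The host names, log formats and time offsets are assumptions; the firewall deliberately logs in local time (UTC-08:00) while the other sources log UTC, so normalizing to UTC first is what makes the time window meaningful, which is why the slide insists on NTP.

```python
"""Correlate events from several log sources by source address and time.

Added example for the detection recommendations above; it is not part of
the COEN 250 slides. The log lines are constructed samples and the host
names, formats and time offsets are assumptions. The firewall writes local
time (UTC-08:00) while the IDS and the auth log write UTC; normalising every
timestamp to UTC before comparing is the step that NTP-synchronised clocks
make trustworthy.
"""
import re
from datetime import datetime, timedelta, timezone

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample log lines (not real logs), one format per source.
FIREWALL_LOG = [
    "2004-03-02T02:14:05-08:00 fw1 DENY TCP 203.0.113.7:4411 -> 192.0.2.10:21",
    "2004-03-02T02:14:06-08:00 fw1 DENY TCP 203.0.113.7:4412 -> 192.0.2.10:23",
    "2004-03-02T02:14:07-08:00 fw1 ACCEPT TCP 203.0.113.7:4413 -> 192.0.2.10:22",
    "2004-03-02T03:30:00-08:00 fw1 ACCEPT TCP 198.51.100.4:3300 -> 192.0.2.10:80",
]
IDS_LOG = [
    "2004-03-02T10:14:06Z ids1 ALERT portscan src=203.0.113.7 dst=192.0.2.10",
]
AUTH_LOG = [
    "2004-03-02T10:14:30Z 192.0.2.10 sshd: Accepted password for admin from 203.0.113.7",
    "2004-03-02T11:45:00Z 192.0.2.10 sshd: Accepted password for bob from 198.51.100.4",
]

# source name -> (lines, pattern yielding the timestamp and the source address)
SOURCES = {
    "firewall": (FIREWALL_LOG, re.compile(rf"^(?P<ts>\S+) \S+ \w+ \w+ (?P<src>{IPV4}):\d+ ->")),
    "ids": (IDS_LOG, re.compile(rf"^(?P<ts>\S+) .*\bsrc=(?P<src>{IPV4})")),
    "auth": (AUTH_LOG, re.compile(rf"^(?P<ts>\S+) .* from (?P<src>{IPV4})$")),
}


def parse_ts(text):
    """ISO-8601 with 'Z' or a numeric offset -> aware datetime in UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize(sources=SOURCES):
    """Parse every line into {ts, source, src, line}, sorted by UTC time."""
    events = []
    for name, (lines, pattern) in sources.items():
        for line in lines:
            m = pattern.search(line)
            if m:  # lines that do not match are left for another parser
                events.append({"ts": parse_ts(m["ts"]), "source": name,
                               "src": m["src"], "line": line})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Return {src_ip: (source_names, events)} for every source address seen in
    at least `min_sources` different logs within `window`. One log entry is an
    indication, not proof; the same address across independent logs is what
    earns it a place on the handler's list."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["src"], []).append(e)
    hits = {}
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            cluster = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            names = sorted({x["source"] for x in cluster})
            if len(names) >= min_sources:
                hits[ip] = (names, cluster)
                break
    return hits


if __name__ == "__main__":
    for ip, (names, evs) in correlate(normalize()).items():
        print(f"{ip}: seen in {', '.join(names)}")
        for e in evs:
            print("   ", e["ts"].isoformat(), e["source"], e["line"])
```

Run as is, the script reports 203.0.113.7 (scan, then a successful login, all within a few minutes across three logs) and stays silent about 198.51.100.4, whose firewall and auth entries are fifteen minutes apart. Had the firewall's local timestamps been compared raw, the 203.0.113.7 events would have appeared eight hours apart and the correlation would have been missed.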

  26. Incident Handling: Detection and Analysis • Incident documentation • If incident is suspected, start recording facts • Incident Prioritization based on • Current and potential technical effects • Criticality of affected resources • Incident notification • CIO • Head of information system • Local information security officer • Other incident teams • Other agency departments such as HR, public affairs, legal department

  27. Incident Handling: Containment, Eradication, Recovery • Containment strategies • Vary based on type of incident • Criteria for choosing strategy include • Potential damage / theft of resources • Need for evidence information • Service availability • Resource consumption of strategy • Effectiveness of strategy • Duration of solution

  28. Incident Handling: Containment, Eradication, Recovery • Evidence gathering • For incident analysis • For legal proceedings • Chain of custody • Authentication of evidence
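Authentication of evidence and chain of custody, as the slide above lists them, come down to two records: a cryptographic hash of the evidence taken at acquisition, and a custody log whose own integrity can be checked. The following is an added example, not part of the COEN 250 slides; the handler names, log layout and the evidence file (a constructed byte string in a temporary directory) are assumptions. It models the paper chain-of-custody form as a hash-chained log so that an edit to the log, or to the evidence, is detectable.

```python
"""Authenticate evidence with a cryptographic hash and keep a tamper-evident
chain-of-custody log.

Added example, not part of the COEN 250 slides. The handler names, the log
layout and the evidence file (a constructed byte string written to a temporary
directory) are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the first entry


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def entry_digest(entry):
    """Hash of an entry's fields, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, evidence_path):
        self.evidence_path = evidence_path
        self.entries = []

    def record(self, action, handler, note=""):
        """Append an entry carrying the previous entry's hash and the current
        hash of the evidence file."""
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "note": note,
            "evidence_sha256": sha256_file(self.evidence_path),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, problems). Checks each entry's hash, the chain between
        entries, that the evidence hash never changed between custody events,
        and that the file on disk still matches the acquisition hash."""
        problems, prev = [], GENESIS
        for e in self.entries:
            if entry_digest(e) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: contents edited after signing")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {e['seq']}: chain broken (entry removed or reordered)")
            prev = e["entry_hash"]
        if len({e["evidence_sha256"] for e in self.entries}) > 1:
            problems.append("evidence hash changed between custody entries")
        if self.entries and sha256_file(self.evidence_path) != self.entries[0]["evidence_sha256"]:
            problems.append("evidence on disk no longer matches acquisition hash")
        return (not problems, problems)


def demo():
    """Acquire, transfer, then simulate tampering with the evidence and the log."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk.img")
        with open(path, "wb") as f:  # constructed evidence, not a real image
            f.write(b"constructed evidence image, not a real disk\n" * 1000)
        log = CustodyLog(path)
        log.record("acquired", "handler-A", note="dd image, write blocker used")
        log.record("transferred", "handler-B", note="sealed in evidence bag #1")
        results["intact"] = log.verify()[0]
        with open(path, "ab") as f:  # evidence altered after seizure
            f.write(b"x")
        results["evidence_tampered"] = log.verify()[1]
        log.entries[1]["handler"] = "handler-C"  # custody record rewritten
        results["log_edited"] = log.verify()[1]
    return results
```

The hash of the original image is the value that gets written on the evidence tag and quoted in court; the custody entries are worthless unless they are stored somewhere the handlers cannot silently rewrite, which is what the hash chain enforces.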

  29. Incident Handling: Containment, Eradication, Recovery • Attacker identification • Validation of attacker IP address • Scanning attacker’s system • Research attacker through search engines • Using Incident Databases • Monitoring possible attacker communication channels

  30. Incident Handling: Containment, Eradication, Recovery • Eradication • Deleting malicious code • Disabling breached user accounts • Recovery • Restoration of system(s) to normal operations • Restoring from clean backups • Rebuilding systems from scratch • Replacing compromised files • Installing patches • Changing passwords • Tighten perimeter security • Strengthen logging

  31. Incident Handling: Post-Incident Activity • Evidence Retention • Prosecution of attacker • Data retention policies • Cost

  32. Denial of Service Incidents • DoS prevents authorized use of IT resources • Crashing OS through malformed TCP/IP packets • Crashing an application through malformed requests • Consume available resources • Network • Memory • Disk space


  34. Denial of Service Attacks • Reflector attack • Spoof source address • Responder floods system with that source address • Double reflector attacks

  35. Port 7 is echo, a reflection service: whatever it receives it sends back to the (possibly spoofed) source. If a DNS server responds to the echoed packet, a loop between the two services is possible, each reply being reflected back to the other.

  36. Denial of Service Attacks • Amplifier attacks

  37. Denial of Service Attacks • Distributed Denial of Service

  38. Denial of Service Attacks • SYN floods

  39. Denial of Service Attacks • Preparation • Talk with organization’s ISP • Filtering / limiting traffic • Coordinated response through CERT / FedCIRC • Intrusion detection software to detect DoS and DDoS • Resource monitoring • Internet health monitoring • Monitoring of WWW response times

  40. Denial of Service Attacks • Incident prevention • Perimeter configuration • Block use of services that no longer serve a legitimate purpose • Perform ingress and egress filtering • Implement rate limiting • Use host hardening (disable services) • Implement DoS prevention software • Implement redundancy for services
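Two of the prevention measures above, ingress/egress filtering and rate limiting, are mechanical enough to show in code. The following is an added example, not from the COEN 250 slides: the organization prefix 192.0.2.0/24, the bogon list, the rate and the sample packets are constructed assumptions, and nothing here touches a real interface. The filter models the RFC 2827 rules the slide summarizes: a packet entering from the Internet must not claim an internal or unroutable source, and a packet leaving must carry one of our own addresses, which is what keeps our hosts from participating in spoofed-source reflector or DDoS attacks.

```python
"""Ingress/egress source-address filtering and SYN rate limiting.

Added example for the DoS prevention slide; it is not from the COEN 250
slides. ORG_NET, BOGONS, the rate/burst values and SAMPLE_PACKETS are
constructed assumptions. Nothing here touches a real interface.
"""
import ipaddress
from collections import defaultdict

ORG_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal prefix

# Address space that must never appear as a source on the Internet side
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def filter_packet(direction, src):
    """Return (verdict, reason) for a packet with source address `src`.
    direction: 'in' (Internet -> org) or 'out' (org -> Internet)."""
    a = ipaddress.ip_address(src)
    if direction == "in":
        if a in ORG_NET:
            return "drop", "ingress: source spoofs our own prefix"
        if any(a in net for net in BOGONS):
            return "drop", "ingress: bogon source"
        return "accept", ""
    if direction == "out":
        if a not in ORG_NET:
            return "drop", "egress: source is not ours (spoofed)"
        return "accept", ""
    raise ValueError(f"unknown direction {direction!r}")


class TokenBucket:
    """Per-key rate limit: `rate` tokens/second, refilled up to `burst`.
    Keyed by destination so one flooded server does not starve the others."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, key, now):
        elapsed = now - self.last.get(key, now)
        self.tokens[key] = min(self.burst, self.tokens[key] + elapsed * self.rate)
        self.last[key] = now
        if self.tokens[key] >= 1.0:
            self.tokens[key] -= 1.0
            return True
        return False


def run_syn_flood(n_syn, rate=10.0, burst=20.0):
    """Send n_syn SYNs to one service at t=0 and again at t=1s; return how
    many the limiter lets through each time."""
    limiter = TokenBucket(rate, burst)
    first = sum(limiter.allow("192.0.2.10:80", now=0.0) for _ in range(n_syn))
    second = sum(limiter.allow("192.0.2.10:80", now=1.0) for _ in range(n_syn))
    return first, second


# Constructed packets as seen at the border router: (direction, source address)
SAMPLE_PACKETS = [
    ("in", "203.0.113.9"),    # ordinary Internet client
    ("in", "192.0.2.5"),      # claims to be inside: spoofed
    ("in", "10.1.1.1"),       # RFC 1918 space cannot reach us legitimately
    ("out", "192.0.2.5"),     # our host talking out
    ("out", "198.51.100.1"),  # our network emitting someone else's address
]


def filter_all(packets=SAMPLE_PACKETS):
    return [filter_packet(d, s)[0] for d, s in packets]
```

Ingress filtering protects us; egress filtering protects everyone else, and is the control that would have stopped the spoofed-source reflector attacks on the previous slides at their origin. The token bucket lets a burst of 20 SYNs through and then 10 per second, so a flood is capped at the rate the server can actually absorb instead of exhausting its half-open connection table.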

  41. Denial of Service Attacks • Detection and Analysis • Precursors • Reconnaissance activity • Newly released DoS tool • Indications

  42. Denial of Service Attacks • Network-based DoS against a particular host • User reports of system unavailability • Unexplained connection losses • Network intrusion detection alerts • Host intrusion detection alerts (until the host is overwhelmed) • Increased network bandwidth utilization • Large number of connections to a single host • Asymmetric network traffic pattern (large amount of traffic going to the host, little traffic coming from the host) • Firewall and router log entries • Packets with unusual source addresses

  43. Denial of Service Attacks • Network-based DoS against a network • User reports of system and network unavailability • Unexplained connection losses • Network intrusion detection alerts • Increased network bandwidth utilization • Asymmetric network traffic pattern (large amount of traffic entering the network, little traffic leaving the network) • Firewall and router log entries • Packets with unusual source addresses • Packets with nonexistent destination addresses

  44. Denial of Service Attacks • DoS against the operating system of a particular host • User reports of system and application unavailability • Network and host intrusion detection alerts • Operating system log entries • Packets with unusual source addresses • DoS against an application on a particular host • User reports of application unavailability • Network and host intrusion detection alerts • Application log entries • Packets with unusual source addresses
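Most of the indications listed on the preceding slides can be checked from flow records without a packet capture. The following is an added example, not from the COEN 250 slides: the flow records, the organization prefix 192.0.2.0/24 and the set of hosts that actually exist are constructed assumptions, and a real deployment would read NetFlow or firewall logs instead. It tests four indications at once: a large number of connections to one host, an asymmetric in/out byte pattern, connections that never complete the TCP handshake (a SYN flood), and packets with unusual source or nonexistent destination addresses.

```python
"""Scan flow records for the DoS indications on the detection slides.

Added example, not from the COEN 250 slides. constructed_flows(), ORG_NET
and KNOWN_HOSTS are constructed assumptions standing in for real flow data
and a real asset list.
"""
import ipaddress
from collections import defaultdict

ORG_NET = ipaddress.ip_network("192.0.2.0/24")
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.25"}  # web, mail, FTP (assumed)


def constructed_flows():
    """Inbound flow records: src, dst, dport, bytes in each direction and the
    TCP flags seen ('S' = SYN only, never completed; 'SA' = handshake done)."""
    flows = []
    for i in range(5):          # normal clients: small request, large reply
        flows.append(dict(src=f"198.51.100.{i + 1}", dst="192.0.2.10", dport=80,
                          bytes_in=2_000, bytes_out=40_000, flags="SA"))
    for i in range(80):         # SYN flood: 80 sources, first five spoof our prefix
        src = f"192.0.2.{100 + i}" if i < 5 else f"203.0.113.{i}"
        flows.append(dict(src=src, dst="192.0.2.10", dport=80,
                          bytes_in=300_000, bytes_out=0, flags="S"))
    for i in (200, 201, 202):   # probes at addresses no host uses
        flows.append(dict(src="203.0.113.250", dst=f"192.0.2.{i}", dport=80,
                          bytes_in=60, bytes_out=0, flags="S"))
    return flows


def analyze(flows, known_hosts=KNOWN_HOSTS, min_flows=50,
            asym_ratio=10.0, halfopen_ratio=0.8):
    """Return a list of human-readable findings, one per indication found."""
    per_dst = defaultdict(lambda: {"flows": 0, "in": 0, "out": 0, "halfopen": 0})
    spoofed, ghosts = set(), set()
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in ORG_NET or any(src in n for n in PRIVATE):
            spoofed.add(f["src"])       # unusual source on an inbound flow
        if dst in ORG_NET and f["dst"] not in known_hosts:
            ghosts.add(f["dst"])        # nonexistent destination
        s = per_dst[f["dst"]]
        s["flows"] += 1
        s["in"] += f["bytes_in"]
        s["out"] += f["bytes_out"]
        s["halfopen"] += f["flags"] == "S"
    findings = []
    for dst, s in per_dst.items():
        if s["flows"] < min_flows:      # too few connections to call it a flood
            continue
        ratio = s["in"] / s["out"] if s["out"] else float("inf")
        if ratio >= asym_ratio:
            findings.append(f"{dst}: {s['flows']} connections, in/out byte ratio "
                            f"{ratio:.0f} (asymmetric flood)")
        if s["halfopen"] / s["flows"] >= halfopen_ratio:
            findings.append(f"{dst}: {s['halfopen']}/{s['flows']} connections never "
                            f"completed the handshake (SYN flood)")
    if spoofed:
        findings.append(f"packets with unusual source addresses: {sorted(spoofed)}")
    if ghosts:
        findings.append(f"packets to nonexistent destinations: {sorted(ghosts)}")
    return findings
```

The thresholds are deliberately parameters: the slide on profiling networks and systems is exactly the work of choosing them from the baseline, and the normal-traffic-only case must produce no findings or the handler will drown in false indications.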

  45. Denial of Service Attacks • Containment, Eradication, and Recovery • Correct vulnerability that is being exploited • Implement filtering • Relocate target • Do not Hack Back

  46. Denial of Service Attacks • Evidence Gathering • Identifying the Source of Attacks From Observed Traffic • Tracing Attacks Back Through ISPs • Learning How the Attacking DDoS Hosts Were Compromised • Reviewing a Large Number of Log Entries

  47. Malicious Code • Malicious Code Types • Viruses • File infectors • Boot sector viruses • Macro viruses • Virus hoaxes • Trojan horses • Worms • Mobile code • Blended • Email • Windows shares • Web server attacks (Nimda) • Web clients (Nimda)

  48. Malicious Code Incident Preparation • User awareness • Subscribe to antivirus vendor bulletins • Deploy host-based intrusion detection systems to critical hosts • IDS detects • Configuration changes (Registry, …) • System executable modifications • Blacklisting Trojan horse ports • Ineffective, because • There are too many ports • Newer Trojan horses can be configured for any port
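The "system executable modifications" a host-based IDS detects on the slide above and the "cryptographic hashes of critical files" listed among the preparation resources (slide 21) are the same mechanism: hash the critical files while the system is known good, store the hashes off the host, and compare later. The following is an added example, not from the COEN 250 slides, that does both; the directory tree and file contents are constructed in a temporary directory and the paths are assumptions.

```python
"""Hash baseline of critical files, checked later to find tampered binaries.

Added example, not from the COEN 250 slides. The tree built by demo() is a
constructed stand-in for /bin and /etc; real use points build_baseline at
the production paths and stores the result on read-only media.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map path (relative to root) -> sha256, size and permission bits."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full), "size": st.st_size, "mode": st.st_mode & 0o7777}
    return baseline


def check_baseline(root, baseline):
    """Compare the tree under root with a baseline taken earlier. Keep the
    baseline on read-only media: on a compromised host a baseline stored
    locally can be rewritten together with the trojaned binaries."""
    current = build_baseline(root)
    both = [p for p in baseline if p in current]
    return {
        "modified": sorted(p for p in both if current[p]["sha256"] != baseline[p]["sha256"]),
        "mode_changed": sorted(p for p in both if current[p]["mode"] != baseline[p]["mode"]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def write(root, rel, data, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)
    return path


def demo():
    """Take a baseline of a constructed tree, then alter it the way a rootkit
    would and return what the check finds."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"#!/bin/sh\necho original ls\n", 0o755)
        write(root, "bin/ps", b"#!/bin/sh\necho original ps\n", 0o755)
        write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        snapshot = json.dumps(build_baseline(root))  # would go to read-only media
        write(root, "bin/ps", b"#!/bin/sh\necho 'hides attacker processes'\n", 0o755)  # trojaned
        write(root, "bin/backdoor", b"\x7fELF constructed payload", 0o755)              # new file
        os.remove(os.path.join(root, "etc/passwd"))                                   # deleted
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)                                # setuid added
        return check_baseline(root, json.loads(snapshot))
```

Recording mode bits alongside the hash catches the case where a binary is untouched but has acquired a setuid bit; during eradication the "modified" and "added" lists are the files to replace from known-good media, and "missing" is what to restore from backup.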

  49. Malicious Code Incident Prevention • Use of antivirus software • Block suspicious attached files • Configure email clients to act more securely • No preview, no automatic opening, no execution, … • Limit the use of non-essential programs with file transfer capabilities • P2P file & music sharing • Instant messaging • IRC clients / servers • Educate users on safe handling of email attachments • Eliminate open Windows shares • Infection can quickly spread from one system to many others. • Prevent incoming / outgoing traffic on NetBIOS ports • Use web browser settings to limit mobile code

  50. Malicious Code Detection • Precursors • Alerts for software that the organization uses • Antivirus software quarantines files • Indications • Many different categories
