Incident Response
IMT551, 31st October 2007
Christian Seifert
Definition
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs.
(Source: http://it.jhu.edu/glossary/ghi.html)
Examples
• Lost notebook
• Positive anti-virus classification on a workstation
• Denial of service on a web server
• Database server sends spam
• Unauthorized access on the premises
• Deleted budget files on the file server
Traditional Attack Pattern
• Locate
• Gain user access
• Escalate privileges
• Cover tracks
• Ensure future access (backdoor)
• Launch further attacks (stepping stone)
Incident Response Phases
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow-Up
(Phases per incident)
Preparation
• Create your Incident Response Plan
• Form an Incident Response Team
• Educate users & inform management
• Forensic readiness
  • The ability of an organization to maximize its potential to use digital evidence whilst minimizing the cost of an investigation
Incident Response Plan
• Background
• Definitions
• Incident classification
• Reporting
• Business continuity
• Process flow
• Example incidents
Incident Classification & Handling
• What constitutes an incident?
• What happens when an incident is detected?
• Things to consider:
  • Business needs
  • Costs/resources
  • Legal aspects
  • Chain of custody
Proactive/Reactive Incident Response
• The term “response” indicates a reactive setup
• However, proactive incident “response” is also possible and recommended:
  • Staying informed about vulnerabilities
  • Education
  • Auditing/penetration testing
Identification
• Recognize and report an incident
  • Users via the help desk
  • IDS/honeypots
  • Could be an outside source
• Determine whether it is an incident
• Assess & prioritize (triage process)
• Communication
• KEEP A LOG BOOK!
Containment
• Limit the scope and magnitude of the incident
• Steps to take:
  • Stay low – do not alert the attacker
  • Create backups for analysis
  • Turn your attention to systems at risk (i.e. systems the compromised system has access to or interacts with regularly)
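The Identification slide says to keep a log book, and the Containment slide says to take backups for analysis; the following is an added example (not part of the original slides) of a tamper-evident log book that records each handler action with a timestamp and hash-chains the entries, and that stores the SHA-256 of any backup image attached as evidence so its integrity can be checked later. Incident ids, handler names and the genesis value are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the hash chain


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large backup image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(prev_hash, record):
    """Bind the record's content to the digest of the entry before it."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class IncidentLog:
    """Append-only log book: an edit to any entry, or removal of an entry
    from the middle of the chain, shows up when verify() recomputes it."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []  # each item: {"record": {...}, "hash": hex digest}

    def record(self, handler, note, evidence_path=None, when=None):
        """Append an entry; 'when' is an ISO-8601 string, default now (UTC).
        If evidence_path is given, the file's SHA-256 is stored with it."""
        rec = {"incident": self.incident_id, "handler": handler, "note": note,
               "time": when or datetime.now(timezone.utc).isoformat()}
        if evidence_path is not None:
            rec["evidence"] = {"path": evidence_path,
                               "sha256": sha256_file(evidence_path)}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": rec, "hash": entry_digest(prev, rec)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Return the index of the first entry whose digest no longer matches
        the chain, or -1 if the whole log book is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry_digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1
```

Truncating the tail of the chain is not detectable from the log alone, so the latest digest should be copied somewhere the handler controls (for example the paper log book) at the end of each shift.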
Eradication
• The problem is eliminated
• Steps to take:
  • Determine the problem
  • Determine the mitigation (for example, patching the system)
Recovery
• The system is returned to functional status
• Steps to take:
  • Restore the system
  • Apply the mitigation strategy
  • Closely monitor the system
Follow-Up
• Identify lessons learned that will prevent future incidents
• Determine costs
• Steps to take:
  • Create an incident report with recommended changes
  • Send recommendations to management
  • Implement changes
Challenges
• Incident response is difficult to do right
• A high level of experience is required to investigate and assess technical incidents
• Tendency to restore systems without following incident response procedures
Resources
• http://www.ussecurityawareness.org/highres/incident-response.html
• DOD CSIRTM Training CD-ROMs: http://www2.norwich.edu/mkabay/infosecmgmt/disa_cirtm_cdrom.zip
• http://staff.washington.edu/dittrich/