
Incidence Response & Computer Forensics, Second Edition

Incidence Response & Computer Forensics, Second Edition. Chris Prosise Kevin Mandia. Outline. Introduction to the Incident Response Process What is a computer security incident ? What are the goals of incident response ? Who is involved in the Incident response process ?


Presentation Transcript


  1. Incidence Response & Computer Forensics, Second Edition Chris Prosise Kevin Mandia Ryan J.w.Chen@INSA

  2. Outline • Introduction to the Incident Response Process • What is a computer security incident? • What are the goals of incident response? • Who is involved in the incident response process? • Incident response methodology

  3. What is a computer security incident? • Computer security incident: any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Examples: • Theft of trade secrets. • Email spam or harassment. • Unauthorized or unlawful intrusion into computing systems. • Denial-of-service (DoS) attacks.

  4. What are the goals of incident response? • The incident response methodology emphasizes the goals of corporate security professionals with legitimate business concerns, but it also takes into account the concerns of law enforcement officials. It: • Confirms or dispels whether an incident occurred. • Establishes controls for proper retrieval and handling of evidence. • Minimizes disruption to business and network operations. • Provides accurate reports and useful recommendations. • Provides rapid detection and containment. • Educates senior management.

  5. Who is involved in the incident response process? • Incident response is a multifaceted discipline. It demands a myriad of capabilities that usually require resources from several different operational units of an organization. • A Computer Security Incident Response Team (CSIRT) is formed to respond to any computer security incident.

  6. Incident response methodology • There are seven major components of incident response: • Pre-incident preparation • Detection of incidents • Initial response • Formulate response strategy • Investigate the incident • Reporting • Resolution

  7. [Figure: the seven components of incident response] Incident occurs (point-in-time or ongoing) → Pre-incident preparation → Detection of incidents → Initial response → Formulate response strategy → Investigate the incident (data collection, data analysis) → Reporting → Resolution (recovery, implement security measures)

  8. Pre-incident Preparation (1/2) • Preparing the Organization: • Implement host-based security measures. • Implement network-based security measures. • Train end users. • Employ an intrusion detection system (IDS). • Create strong access controls. • Perform timely vulnerability assessments. • Ensure backups are performed on a regular basis.

  9. Pre-incident Preparation (2/2) • Preparing the CSIRT: • The hardware needed to investigate computer security incidents. • The software needed to investigate computer security incidents. • The documentation needed to investigate computer security incidents. • The appropriate policies and operating procedures to implement your response strategies. • The training your staff require to perform incident response in a manner that promotes successful forensics, investigations, and remediation.

  10. Detection of Incidents (1/2)
  Indicators at "Company X":
  • IDS detection of remote attack
  • Numerous failed logon attempts
  • Logins into dormant or default accounts
  • Activity during nonworking hours
  • Unfamiliar files or executable programs
  • Altered pages on web server
  • Gaps in log files or erasure of log files
  • Slower system performance
  • System crash
  Functional areas involved in detection:
  • IDS
  • End user
  • Help desk
  • System administrator
  • Security
  • Human resources

  11. Detection of Incidents (2/2) • Some of the critical details include the following: • Current time and date • Who/what reported the incident • Nature of the incident • When the incident occurred • Hardware/software involved • Points of contact for involved personnel
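The indicators on slide 10 (numerous failed logons, logins into dormant or default accounts, activity during nonworking hours) and the critical details on slide 11 are the kind of thing a detection script can recognise and record. The following is an added example, not code from the slides or from the book: it runs three of those indicator checks over a constructed authentication log and turns each hit into the initial incident record of slide 11. The log format, the threshold of five failures, the working-hours window, the dormant-account list and the points-of-contact table are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample authentication log (not from the slides or the book).
SAMPLE_LOG = """\
2024-03-04 02:13:05 host=web01 user=admin src=203.0.113.9 result=FAIL
2024-03-04 02:13:07 host=web01 user=admin src=203.0.113.9 result=FAIL
2024-03-04 02:13:09 host=web01 user=admin src=203.0.113.9 result=FAIL
2024-03-04 02:13:11 host=web01 user=admin src=203.0.113.9 result=FAIL
2024-03-04 02:13:13 host=web01 user=admin src=203.0.113.9 result=FAIL
2024-03-04 02:14:02 host=web01 user=guest src=203.0.113.9 result=OK
2024-03-04 10:05:44 host=fs01 user=alice src=10.0.0.25 result=OK
2024-03-04 23:41:10 host=fs01 user=bob src=10.0.0.31 result=OK
"""

# Assumed site policy values; a real CSIRT would tune these during pre-incident preparation.
DORMANT_OR_DEFAULT_ACCOUNTS = {"guest", "test", "oldvendor"}
FAILED_LOGON_THRESHOLD = 5
WORKING_HOURS = range(8, 19)          # 08:00-18:59
# Assumed points of contact per host (slide 11: "points of contact for involved personnel").
POINTS_OF_CONTACT = {"web01": "web team on-call", "fs01": "storage admin"}


def parse_line(line):
    """Parse one 'YYYY-MM-DD HH:MM:SS key=value ...' line into a dict."""
    stamp, rest = line[:19], line[20:]
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["time"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return event


def find_indicators(log_text):
    """Return one dict per detected indicator (nature, host, when, detail)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    indicators = []

    # Indicator: numerous failed logon attempts from one source against one host.
    failures = {}                      # (host, src) -> (count, time of first failure)
    for e in events:
        if e["result"] == "FAIL":
            key = (e["host"], e["src"])
            count, first = failures.get(key, (0, e["time"]))
            failures[key] = (count + 1, first)
    for (host, src), (count, first) in failures.items():
        if count >= FAILED_LOGON_THRESHOLD:
            indicators.append({"nature": "Numerous failed logon attempts",
                               "host": host, "when": first,
                               "detail": f"{count} failures from {src}"})

    for e in events:
        if e["result"] != "OK":
            continue
        # Indicator: login into a dormant or default account.
        if e["user"] in DORMANT_OR_DEFAULT_ACCOUNTS:
            indicators.append({"nature": "Login into dormant or default account",
                               "host": e["host"], "when": e["time"],
                               "detail": f"user {e['user']} from {e['src']}"})
        # Indicator: activity during nonworking hours.
        if e["time"].hour not in WORKING_HOURS:
            indicators.append({"nature": "Activity during nonworking hours",
                               "host": e["host"], "when": e["time"],
                               "detail": f"user {e['user']} logged in at {e['time']:%H:%M}"})
    return indicators


def incident_record(indicator, reported_by, now=None):
    """Build the initial record of the critical details listed on slide 11."""
    now = now or datetime.now()
    return {
        "current_time": now.isoformat(timespec="seconds"),
        "reported_by": reported_by,
        "nature": indicator["nature"],
        "when_occurred": indicator["when"].isoformat(timespec="seconds"),
        "hardware_software": indicator["host"],
        "point_of_contact": POINTS_OF_CONTACT.get(indicator["host"],
                                                  "unknown - escalate to help desk"),
        "detail": indicator["detail"],
    }


if __name__ == "__main__":
    for ind in find_indicators(SAMPLE_LOG):
        print(incident_record(ind, "auth-log monitor"))
```

On the constructed log this yields four indicators: the burst of failed logons against web01, the guest login that is both a dormant-account login and nonworking-hours activity, and bob's late-night login on fs01. The record is deliberately built from the detector's own fields so that the time the incident occurred is kept separate from the time it was recorded.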

  12. Initial Response • One of the first steps of any investigation is to obtain enough information to determine an appropriate response. • Assembling the CSIRT • Collecting network-based and other data • Determining the type of incident that has occurred • Assessing the impact of the incident • The initial response will not involve touching the affected system(s).

  13. Formulate response strategy (1/3) • Considering the Totality of Circumstances: • How many resources are needed to investigate an incident? • How critical are the affected systems? • How sensitive is the compromised or stolen information? • Who are the potential perpetrators? • What is the apparent skill of the attacker? • How much system and user downtime is involved? • What is the overall dollar loss?

  14. Formulate response strategy (2/3) • Considering Appropriate Responses (example):
  Incident example: DoS attack (TFN DDoS attack)
  Response strategy: Reconfigure router to minimize effect of the flooding.
  Likely outcome: Effect of attack mitigated by router countermeasures. Establishment of perpetrator's identity may require too many resources to be a worthwhile investment.

  15. Formulate response strategy (3/3) • Each response strategy option should be quantified with pros and cons related to the following: • Estimated dollar loss. • Network downtime and its impact on operations. • User downtime and its impact on operations. • Whether or not your organization is legally compelled to take certain actions. • Public disclosure of the incident and its impact on the organization's reputation/business. • Taking Action: • Legal Action • Administrative Action

  16. Investigate the Incident • The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident. • A computer security investigation can be divided into two phases: • Data Collection • Forensic Analysis

  17. Possible investigation phase steps
  Data Collection:
  • Network-based evidence:
    • Obtain IDS logs
    • Obtain existing router logs
    • Obtain relevant firewall logs
    • Obtain remote logs from a centralized host (SYSLOG)
    • Perform network monitoring
    • Obtain backups
  • Host-based evidence:
    • Obtain the volatile data during a live response
    • Obtain the system time
    • Obtain the time/date stamps for every file on the victim system
    • Obtain all relevant files that confirm or dispel the allegation
    • Obtain backups
  • Other evidence:
    • Obtain oral testimony from witnesses
  Analysis:
  • 1. Review the volatile data: review the network connections; identify any rogue processes (backdoors, sniffers).
  • 2. Analyze the relevant time/date stamps: identify files uploaded to the system by an attacker; identify files downloaded or taken from the system.
  • 3. Review the log files.
  • 4. Identify unauthorized user accounts.
  • 5. Look for unusual or hidden files.
  • 6. Examine jobs run by the scheduler service.
  • 7. Review the registry.
  • 8. Perform keyword searches.
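Analysis steps 2 and 5 on slide 17 (analyze the time/date stamps to find files an attacker placed on the system; look for unusual or hidden files) are concrete enough to show in code. The following is an added example, not code from the slides or from the book. It takes a constructed export of per-file mtime/ctime values of the kind a live-response script would collect, builds a timeline restricted to the incident window, flags hidden or oddly named files and files in common staging directories, and applies one heuristic for a replaced system binary (ctime inside the window while mtime predates it, which is what you see when a file is overwritten and its modification time set back). The file list, the window and the staging-directory list are assumptions made for the example.

```python
from datetime import datetime

# Constructed file metadata (path, mtime, ctime) as a live-response script
# might export it; not data from the slides or the book.
FILE_RECORDS = [
    ("/usr/bin/ls",              "2023-11-02 09:12:00", "2023-11-02 09:12:00"),
    ("/var/www/html/index.html", "2024-02-20 14:30:00", "2024-02-20 14:30:00"),
    ("/tmp/.x/kit.tgz",          "2024-03-04 02:16:40", "2024-03-04 02:16:40"),
    ("/usr/bin/ps",              "2023-11-02 09:12:00", "2024-03-04 02:18:05"),
    ("/var/log/auth.log",        "2024-03-04 02:19:30", "2024-03-04 02:19:30"),
    ("/home/alice/report.docx",  "2024-03-04 10:07:12", "2024-03-04 10:07:12"),
    ("/dev/shm/...",             "2024-03-04 02:20:01", "2024-03-04 02:20:01"),
]

# Assumed list of world-writable locations commonly used to stage files.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_timeline(records, start, end):
    """Return (time, kind, path) entries whose timestamps fall inside [start, end], in time order.

    When mtime and ctime are identical they are merged into one entry, so a file
    that was simply written once appears once on the timeline.
    """
    entries = []
    for path, mtime, ctime in records:
        m, c = parse_ts(mtime), parse_ts(ctime)
        stamps = [(m, "mtime+ctime")] if m == c else [(m, "mtime"), (c, "ctime")]
        for t, kind in stamps:
            if start <= t <= end:
                entries.append((t, kind, path))
    return sorted(entries)


def hidden_or_unusual(records):
    """Flag dot-prefixed path components, names made only of dots/spaces, and staging directories."""
    flagged = []
    for path, _, _ in records:
        parts = path.split("/")
        name = parts[-1]
        dot_component = any(p.startswith(".") and p not in (".", "..") for p in parts)
        odd_name = name.strip(". ") == ""          # e.g. "...", "  "
        in_staging = path.startswith(STAGING_DIRS)
        if dot_component or odd_name or in_staging:
            flagged.append(path)
    return flagged


def replaced_binary_suspects(records, start, end):
    """Heuristic: ctime inside the window but mtime before it.

    ctime cannot be set with ordinary tools, so a file whose contents were replaced
    during the incident and whose mtime was then set back still shows a fresh ctime.
    """
    return [path for path, mtime, ctime in records
            if start <= parse_ts(ctime) <= end and parse_ts(mtime) < start]


if __name__ == "__main__":
    # Window chosen from the first suspicious logon in the assumed auth log.
    window = (parse_ts("2024-03-04 02:13:00"), parse_ts("2024-03-04 02:30:00"))
    for t, kind, path in build_timeline(FILE_RECORDS, *window):
        print(f"{t:%Y-%m-%d %H:%M:%S}  {kind:<12} {path}")
    print("hidden/unusual:", hidden_or_unusual(FILE_RECORDS))
    print("replaced binary suspects:", replaced_binary_suspects(FILE_RECORDS, *window))
```

The timeline for the constructed data shows four events inside the window, with /usr/bin/ps appearing only through its ctime; the replaced-binary heuristic singles it out, while alice's document written at 10:07 stays outside the window and off the list. These are leads for the file-by-file review, not conclusions: a ctime change also follows a legitimate package update or permission change, so each hit still has to be confirmed against package databases or known-good hashes.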

  18. Performing Forensic Analysis
  Preparation of data:
  • Create a working copy of all evidence media / perform forensic duplication
  • Partition table
  • File system
  • Recover deleted data
  • Recover unallocated space
  • Perform file signature analysis
  • Identify known system files
  • Identify and decrypt encrypted files
  • Create file lists
  • Perform statistical data
  Analysis of data:
  • Review data collected during live response
  • Review all the network-based evidence
  • Search for relevant strings
  • Extract email and attachments
  • Review browser history files
  • Review installed applications
  • Perform software analysis
  • Perform file-by-file review
  • Perform specialized analysis
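Three of the preparation and analysis steps on slide 18 (perform file signature analysis, identify known system files, search for relevant strings) reduce to small, checkable routines, and they are what lets the file-by-file review skip known-good files and concentrate on the rest. The following is an added example, not code from the slides or from the book: it compares each file's leading bytes against a small magic-number table and reports files whose content type disagrees with their extension, identifies known system files by SHA-256 against a reference hash set, and records keyword hits for the string search. The magic values are the real leading bytes of those formats; the file contents, the "known system file" reference set (built inline from constructed bytes, where a real case would use a vendor or NSRL-style hash list) and the keyword list are assumptions made for the example.

```python
import hashlib

# Leading bytes of a few common formats (real values; the table is deliberately small).
MAGIC = {
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
}
EXPECTED_BY_EXT = {".exe": "pe", ".dll": "pe", ".pdf": "pdf", ".png": "png",
                   ".jpg": "jpeg", ".jpeg": "jpeg", ".zip": "zip", ".txt": "text"}


def detect_type(data):
    """Classify content by magic bytes; plain printable ASCII counts as text."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text"
    return "unknown"


def signature_mismatch(name, data):
    """True when the extension promises one type and the content is recognisably another."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = EXPECTED_BY_EXT.get(ext)
    detected = detect_type(data)
    return expected is not None and detected != "unknown" and detected != expected


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "known system file" contents; the hash set is built from them here,
# whereas a real investigation would load a reference list of published hashes.
KNOWN_SYSTEM_CONTENT = {
    "ls": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"original ls",
    "ps": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"original ps",
}
KNOWN_HASHES = {sha256(v) for v in KNOWN_SYSTEM_CONTENT.values()}


def is_known_system_file(data):
    return sha256(data) in KNOWN_HASHES


def string_hits(data, keywords):
    """Case-insensitive keyword search over raw bytes; returns the matching keywords."""
    lowered = data.lower()
    return sorted(k for k in keywords if k.lower().encode() in lowered)


def triage(files, keywords):
    """files: list of (name, bytes). Returns one findings dict per file for the file-by-file review."""
    report = []
    for name, data in files:
        report.append({
            "name": name,
            "type": detect_type(data),
            "sha256": sha256(data),
            "known_system_file": is_known_system_file(data),
            "signature_mismatch": signature_mismatch(name, data),
            "string_hits": string_hits(data, keywords),
        })
    return report


# Constructed evidence files: an untouched ls, a modified ps, a PE disguised as a
# PDF, a genuine PNG header and a harmless text file.
SAMPLE_FILES = [
    ("ls", KNOWN_SYSTEM_CONTENT["ls"]),
    ("ps", b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"hide proc attacker"),
    ("report.pdf", b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"),
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("notes.txt", b"meeting at 3pm, bring the budget sheet\n"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, ["attacker", "hide", "budget"]):
        print(finding)
```

On the constructed set, ls hashes to a known system file and can be set aside, ps is an ELF binary whose hash is not in the reference set and which carries two keyword hits, and report.pdf is flagged because its content is a PE executable. Matching a known-hash list only clears files that are byte-identical to the reference, so a patched or recompiled binary is still reported as unknown and goes on to the file-by-file review.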

  19. Reporting • Some guidelines to ensure that the reporting phase does not become your CSIRT's nemesis: • Document immediately • Write concisely and clearly • Use a standard format • Use an editor

  20. Resolution • In this phase, you contain the problem, solve the problem, and take steps to prevent the problem from occurring again. • The following steps are often taken to resolve a computer security incident: • Identify your organization's top priority. • Determine the nature of the incident. • Determine if there are underlying or systemic causes for the incident. • Restore any affected or compromised systems.

  21. Resolution (continued) • Apply corrections required to address any host-based vulnerabilities. • Apply network-based countermeasures such as access control lists, firewalls, or IDS. • Assign responsibility for correcting any systemic issues. • Track progress on all corrections. • Validate that all remedial steps or countermeasures are effective. • Update your security policy and procedures as needed to improve your response process.

  22. Conclusion [Figure: the seven components of incident response, repeated from slide 7] Incident occurs (point-in-time or ongoing) → Pre-incident preparation → Detection of incidents → Initial response → Formulate response strategy → Investigate the incident (data collection, data analysis) → Reporting → Resolution (recovery, implement security measures)
