Guide to Network Defense and Countermeasures Second Edition Chapter 8 Intrusion Detection: Incident Response
Objectives • Configure an IDS and develop filter rules • Develop a security incident response team for your organization • Explain the six-step incident response process • Describe how to respond to false alarms to reduce reoccurrences • Explain options for dealing with legitimate security alerts Guide to Network Defense and Countermeasures, Second Edition
Developing IDS Filter Rules • IDS effectiveness depends on its signature database • The database should be complete and kept up to date • An IDS can also have its own set of rules • You can edit them in response to the scans and attacks you observe • An IDS can be used proactively • Block attacks instead of only reporting them • This moves the device from intrusion detection to intrusion prevention
Rule Actions • By nature an IDS is passive and reactive: it watches traffic and reports what it sees • Configure the IDS to take actions other than simply triggering alarms • This provides another layer of network defense • IDSs include documentation for writing rules • Customized rules can increase false positives during the learning process • Test your rules on a test system before deploying them in production
Rule Actions (continued) • Snort actions for rules • Alert: generate an alert and log the packet • Log: log the packet only • Pass: ignore the packet • Activate: alert, then turn on a dynamic rule • Dynamic: stay idle until activated by an activate rule, then act as a log rule
Rule Data • The rule header specifies the action you want Snort to perform • The rest of the header specifies the traffic the rule applies to • Protocol (tcp, udp, icmp, or ip) • Source and destination IP addresses (single host, CIDR block, or any) • Source and destination port numbers (single port, range, or any) • Direction operator (-> one way, <> either way)
Rule Options • Make a Snort rule more precise than the header alone • Options are enclosed in parentheses, written as keyword:value and separated by semicolons • Common Snort options • msg (text to report with the alert) • ttl (IP time-to-live value) • id (IP identification field) • flags (TCP flags) • ack (TCP acknowledgment number) • content (byte pattern in the payload) • logto (write matching packets to a named file)
Rule Options (continued) • TCP flags are designated by a single character each (F, S, R, P, A, U for FIN, SYN, RST, PSH, ACK, URG) • The rule base for an IDS is different from a packet-filtering rule base • IDS rules assume packets have already been filtered • The IDS logs any traffic that gets through the packet filter and matches a signature
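As an added illustration of the rule header and option syntax described on the slides above (this is neither Snort's code nor the textbook's), the following Python parses a few Snort-style rules and evaluates them against constructed packet records. It supports only the header fields plus the msg, ttl, flags and content options, requires flags to match exactly (Snort's +, * and ! flag modifiers are not implemented), and tries pass rules before alert and log rules, the order Snort uses with `config order: pass alert log`. The rules, addresses and packets are all constructed.

```python
"""Toy Snort-style rule matcher.  Added illustration only, not Snort code.
Supports the header (action proto src sport dir dst dport) and the msg,
ttl, flags and content options; flags must match exactly."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed rules: the pass rule exempts an authorised scanner from the
# HTTP alert; the log rule uses a negated port; the ICMP rule uses ttl.
RULES_TEXT = [
    'pass tcp 10.0.0.5 any -> any 80 (msg:"authorised scanner";)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"shell path in HTTP request"; flags:PA; content:"/bin/sh";)',
    'log tcp any any -> 192.168.1.0/24 !80 (msg:"non-HTTP traffic to web segment";)',
    'alert icmp any any -> 192.168.1.1 any (msg:"ICMP with TTL 1"; ttl:1;)',
]

def parse_rule(text):
    """Split a rule into its header fields and an option dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if item.strip():
            key, _, value = item.strip().partition(":")
            opts[key.strip()] = value.strip().strip('"')
    rule["opts"] = opts
    return rule

def _ip_match(spec, ip):
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)   # host or CIDR, optional !
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def _port_match(spec, port):
    if spec == "any":
        return True
    body = spec.lstrip("!")
    if ":" in body:                       # range such as 1024:, :1023 or 6000:6010
        lo, _, hi = body.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(body) == port
    return hit != spec.startswith("!")

def _header_match(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def one_way(s, sp, d, dp):
        return (_ip_match(rule["src"], s) and _port_match(rule["sport"], sp)
                and _ip_match(rule["dst"], d) and _port_match(rule["dport"], dp))
    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

def _options_match(opts, pkt):
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False
    if "ttl" in opts and int(opts["ttl"]) != pkt.get("ttl"):
        return False
    if "content" in opts and opts["content"].encode() not in pkt.get("payload", b""):
        return False
    return True

def evaluate(rules, pkt):
    """Return (action, msg) of the first matching rule, or (None, "").
    Pass rules are tried first, then alert, then log, so a pass rule can
    exempt traffic that an alert rule would otherwise report."""
    order = {"pass": 0, "alert": 1, "log": 2}
    for rule in sorted(rules, key=lambda r: order[r["action"]]):
        if _header_match(rule, pkt) and _options_match(rule["opts"], pkt):
            return rule["action"], rule["opts"].get("msg", "")
    return None, ""

RULES = [parse_rule(r) for r in RULES_TEXT]

# Constructed packet records (sport/dport are 0 for ICMP).
PACKETS = {
    "injection": {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "192.168.1.20",
                  "dport": 80, "flags": "PA", "payload": b"GET /cgi-bin/x?c=/bin/sh HTTP/1.0"},
    "scanner":   {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.168.1.20",
                  "dport": 80, "flags": "PA", "payload": b"GET /cgi-bin/x?c=/bin/sh HTTP/1.0"},
    "ssh":       {"proto": "tcp", "src": "203.0.113.9", "sport": 51001, "dst": "192.168.1.20",
                  "dport": 22, "flags": "S", "payload": b""},
    "ttl1":      {"proto": "icmp", "src": "203.0.113.9", "sport": 0, "dst": "192.168.1.1",
                  "dport": 0, "ttl": 1, "payload": b""},
}

def run_all():
    return {name: evaluate(RULES, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:10s} -> {result}")
```

The "scanner" packet carries the same payload as the "injection" packet and would match the alert rule, but the pass rule for 10.0.0.5 is evaluated first and wins; that is exactly why pass rules need care, since one written too broadly silently hides real attacks.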
Developing a Security Incident Response Team (SIRT) • Response options • Taking countermeasures to block the intrusion • Making corrections to packet-filtering rules and proxy servers • Modifying security policies to cover new vulnerabilities • A Security Incident Response Team (SIRT) gives your organization the flexibility to carry out these response options
Goals of a Security Incident Response Team (SIRT) • A Security Incident Response Team (SIRT), also known as a computer incident response team (CIRT), is a group of people assigned to respond effectively to security breaches • Primary functions • Preparation • Notification • Response • Countermeasures • Recovery • Follow-up
Responsibilities of Team Members • Look within the organization for SIRT members • SIRT members should stop whatever work they are doing to respond to a security incident • They should have enough authority to make decisions • Decide in advance what roles team members will assume • The SIRT should contain employees representing a cross-section of the organization • This ensures all parts of the organization are represented
Responsibilities of Team Members (continued) • Typically, SIRT members come from • Management • Legal • Information Technology (IT) • Physical security • Information Security Services (ISS) • Human Resources (HR) • Public Relations (PR) • Finance/Accounting
Responsibilities of Team Members (continued) • Staffing and training • Virtual team • Consists of employees who have other jobs • The team exists only during meetings or when an incident becomes serious enough • Tends to get out of touch and need retraining • If the budget allows, assemble a team whose sole responsibility is security incident response • This might be economically feasible only for large organizations
Responsibilities of Team Members (continued) • Staging fire drills • Conduct a security drill • You might need to convince upper management • Drills pay off in the long run by making response more effective and coordinated • Pick a time for the drill and follow a scenario • Drills can be scheduled or spontaneous • They are intended to identify holes in security procedures and to make sure SIRT members know their duties and responsibilities
Public Resource Teams • Teams around the world publish notices and articles about serious security incidents • You can notify these teams if you encounter a significant security event • These groups also provide training for response team members • CERT Coordination Center • DFN-CERT
Outsourcing Incident Response • Hire a company that monitors your network and IDS sensors and tells you whether an intrusion has occurred • Advantages • Can result in lower overall costs • Disadvantages • Timely, effective incident response is harder to achieve when the responders are outside your organization • Get references from current and former customers before hiring an incident response service
How to Respond: The Incident Response Process • Steps • Preparation • Notification • Response • Countermeasures • Recovery • Follow-Up
Step 1: Preparation • Using risk analysis to prepare your responses • Risk analysis identifies what needs to be protected • It is used to prepare a security policy • Use the security policy as a guideline when responding to incidents • Many security policies include a section on incident response • Everyone involved in incident response should know where these guidelines are
Step 1: Preparation (continued) • Active network monitoring • An essential activity • SIRT members might be dedicated to this task • Considered a proactive task • Can prevent incidents from occurring • Can reduce false positives • Involves actively testing your network with a network vulnerability analyzer • Security Administrator's Integrated Network Tool (SAINT) • WebSAINT • Nessus • Scan only systems you are authorized to test, and expect the scanner's own traffic to trigger IDS alerts unless the scanner is excluded from those signatures
Step 2: Notification • The process by which SIRT members receive news about security incidents • Notifications come from • Firewalls or IDSs • SIRT members • Network administrators • Employees • After notification, SIRT members should assess the level of damage • Not all incidents should be reported to all SIRT members
Step 3: Response • SIRT members should keep in mind • Do not panic • Follow established procedures • Take time to analyze all reported events • Do not simply react • Clear escalation procedures are the key to efficient response • Create a flowchart for the escalation procedures
Step 3: Response (continued) • Determining the need for escalation • Determine what needs to be reported, who needs to know it, and how quickly you need to report it • Report the basic facts surrounding the incident • Figure out how people will be notified • Use out-of-band notification over communication channels the attacker cannot observe • Consider reporting serious security incidents to the security community (see Public Resource Teams)
Step 3: Response (continued) • Following standard response procedures • Avoid contacting everyone by e-mail • An attacker who controls your mail servers can read, alter, or block those messages • Set up a hotline • Set up a list of people to contact • Try not to overreact to intrusions • Follow the procedures in place that tell you exactly what to do for each situation
Step 4: Countermeasures • Containment of damage • Containment means preventing the intrusion from spreading to other resources • Consider doing the following • Shut down or isolate the affected system (powering it off destroys volatile evidence such as memory contents and active connections, so disconnect it from the network instead when that evidence matters) • Disable user and group accounts • Disable services that were exploited • Image affected systems before changing them so the originals are preserved as evidence • Define a set of containment procedures in advance
Step 4: Countermeasures (continued) • Eradication of data introduced by an intrusion • Eradication means removing any files or programs that resulted from the intrusion • Can be tedious and time consuming • SIRT members should do the following • Check user accounts to make sure no additional users have been added • Check services • Check .dll files and the Windows Registry • Identify files created or modified during the attack and remove those that are not legitimate • Inspecting a live system with its own tools is unreliable if a rootkit is present; compare against the forensic image or known-good media
Step 5: Recovery • Putting compromised items back in service • Monitor restored devices for at least 24 hours • Make sure the network is operating properly • SIRT members can require users to sign a document agreeing that the computer has been serviced and returned in working order • Adjust packet-filtering rules to block communications to or from hosts and Web sites involved in the attack
Step 6: Follow-Up • Follow-up is the process of documenting what took place after an intrusion was detected and a response occurred • Helps prevent similar intrusions from recurring • Recordkeeping • Record all events associated with the security incident • Helps fellow SIRT members deal with similar situations
Step 6: Follow-Up (continued) • Recordkeeping (continued) • Do not keep your notes only on your computer, which may itself be compromised; keep a written or offline copy • Documentation is essential for prosecuting offenders • Reevaluating policies • You can recommend changes to the security policy based on previous attacks • Information should be included in a follow-up database • Details of security incidents are for internal use only • The security policy should state this • Prevents bad public relations
Dealing with False Alarms • Minimizing false positives and false negatives is an essential part of managing an IDS • Adding rules to tune the system can degrade its performance • Better to adjust existing rules if needed • Create new rules only if absolutely necessary
Filtering Alerts • To reduce false alarms, adjust the rules used by • Firewalls • Packet filters • IDSs • Exclude a specific signature for a selected source or destination IP address • Both internal and external addresses • You can even exclude an entire subnet or network
Disabling Signatures • You might want to disable entire signatures so they do not trigger alarms • Temporarily disable signatures that your own vulnerability scans would trigger while testing your network, and re-enable them afterwards • False alarms should be recorded on a tracking chart • Remove duplicate signatures from the IDS to improve efficiency
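An added illustration (not Snort code) of the two alert-side adjustments described in Filtering Alerts and Disabling Signatures: suppressing a signature for a particular source host or subnet, and rate-limiting a noisy one, while counting what was dropped so it can go on the tracking chart. The alert stream, signature IDs (gid 1, sids 1000001 to 1000003) and addresses are constructed; the commented threshold.conf lines show the equivalent Snort 2 suppress and event_filter syntax. The rate limit here is a sliding window, whereas Snort's limit type counts per fixed interval.

```python
"""Alert-side filtering: suppress a signature for chosen hosts and
rate-limit a noisy one, modelled on Snort's suppress / event_filter
directives.  Added illustration only, with constructed alerts."""
import ipaddress
from collections import Counter, defaultdict

# Constructed alert stream: (timestamp_seconds, gid, sid, src_ip, dst_ip, msg)
ALERTS = [
    (100, 1, 1000001, "10.1.1.54", "192.168.1.20", "SNMP public community"),   # known monitoring host
    (101, 1, 1000001, "203.0.113.9", "192.168.1.20", "SNMP public community"),
    (102, 1, 1000002, "10.2.0.7", "192.168.1.30", "ICMP PING NMAP"),           # vulnerability-scanner subnet
    (103, 1, 1000003, "203.0.113.9", "192.168.1.20", "WEB-MISC /etc/passwd"),
    (104, 1, 1000003, "203.0.113.9", "192.168.1.20", "WEB-MISC /etc/passwd"),
    (105, 1, 1000003, "203.0.113.9", "192.168.1.20", "WEB-MISC /etc/passwd"),
    (170, 1, 1000003, "203.0.113.9", "192.168.1.21", "WEB-MISC /etc/passwd"),
]

# Equivalent Snort 2 threshold.conf lines:
#   suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.54
#   suppress gen_id 1, sig_id 1000002, track by_src, ip 10.2.0.0/16
#   event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
SUPPRESS = [
    {"gid": 1, "sid": 1000001, "track": "by_src", "ips": ["10.1.1.54"]},
    {"gid": 1, "sid": 1000002, "track": "by_src", "ips": ["10.2.0.0/16"]},
]
LIMITS = [
    {"gid": 1, "sid": 1000003, "track": "by_src", "count": 1, "seconds": 60},
]

def _suppressed(alert, rules):
    """True if a suppress entry for this signature covers the tracked address."""
    ts, gid, sid, src, dst, msg = alert
    for r in rules:
        if (r["gid"], r["sid"]) != (gid, sid):
            continue
        addr = ipaddress.ip_address(src if r["track"] == "by_src" else dst)
        if any(addr in ipaddress.ip_network(n, strict=False) for n in r["ips"]):
            return True
    return False

def filter_alerts(alerts, suppress=SUPPRESS, limits=LIMITS):
    """Return (kept_alerts, tracking_chart).  The chart counts alerts dropped
    per (sid, reason); reviewing it is how you decide whether the rule
    itself, rather than the filter, needs tuning."""
    kept, chart = [], Counter()
    windows = defaultdict(list)   # (gid, sid, tracked_ip) -> times of alerts already emitted
    for alert in sorted(alerts):
        ts, gid, sid, src, dst, msg = alert
        if _suppressed(alert, suppress):
            chart[(sid, "suppressed")] += 1
            continue
        limited = False
        for lim in limits:
            if (lim["gid"], lim["sid"]) != (gid, sid):
                continue
            key = (gid, sid, src if lim["track"] == "by_src" else dst)
            recent = [t for t in windows[key] if ts - t < lim["seconds"]]  # sliding window
            if len(recent) >= lim["count"]:
                limited = True
            else:
                recent.append(ts)
            windows[key] = recent
        if limited:
            chart[(sid, "rate-limited")] += 1
            continue
        kept.append(alert)
    return kept, chart

if __name__ == "__main__":
    kept, chart = filter_alerts(ALERTS)
    for a in kept:
        print("KEPT", a)
    for (sid, reason), n in sorted(chart.items()):
        print(f"sid {sid}: {n} dropped ({reason})")
```

Note what survives: the SNMP alert from the external host 203.0.113.9 is still reported even though the same signature is suppressed for the internal monitoring host, which is the point of excluding an address rather than disabling the signature outright.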
Dealing with Legitimate Security Alerts • Determine whether the alert is genuine or a false alarm • Look for indications such as • System crashes • New user accounts suddenly appearing on the network • Rarely used accounts suddenly showing heavy activity • New files appearing, often with strange file names • A series of unsuccessful logon attempts • Respond calmly and follow established procedures • Call law enforcement personnel to handle the intrusion if necessary
Assessing the Impact • Was any host on your network compromised? • Determine the extent of the damage • Determine the scope and impact of the problem • Determine whether the firewall was compromised • If it was, any computer behind it could have been accessed • Rebuild the firewall from scratch rather than attempting to clean it
Developing an Action Plan • An action plan might involve the following steps: • Assess the seriousness of the attack • Notify the team leader immediately • Begin documenting all actions • Contain the threat • Determine the extent of the damage • Make a complete bit-stream (bit-for-bit) image of the affected media if you plan to prosecute • Eradicate the problem • Restore the system • Record a summary of the incident
Handling Internal Versus External Incidents • Intrusions and security breaches often originate from inside an organization • When the source is internal, your response needs to be more measured • Avoid notifying the entire staff • The Human Resources and Legal departments should be made aware of the problem • Notify the entire staff only when they need to know that something serious happened
Taking Corrective Measures to Prevent Reoccurrences • Take steps to prevent intrusions from recurring • Set up intrusion rules that send alarms when the same intrusion is detected again • Notify others on the Internet, such as the public response teams, about the attack
Working Under Pressure • Incident response activities need to be carried out with discretion • Sometimes it is best to allow the incident to continue for a while, provided the continuing damage is acceptable • This gives you time to monitor the attack • Gather evidence according to the goal of your actions • Prosecution • Corrective measures • Do not rush to respond to incidents; act deliberately
Gathering Data for Prosecution • Rules for handling evidence • Make sure two people handle the data at all times • Write everything down • Lock it up! • Chain of custody • A record of who handled an object that is to be used as evidence in court • Decide in advance which SIRT members will handle evidence • Before an incident occurs, decide whether you will prosecute or not • Include this in your security policy
Gathering Data for Prosecution (continued) • Steps for handling and examining hard disks and other computer data • Secure the area • Prepare the system • Examine the system • Shut down the system • Secure the system • Prepare the system for acquisition • Examine the system • Connect target media • Secure the evidence
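An added illustration, not from the textbook, of the chain-of-custody rules above applied to a bit-stream image: every hand-off is recorded with handler, witness, time and SHA-256 hash, the two-person rule is enforced, and an image whose hash no longer matches the acquisition hash is recorded as an integrity failure and refused. The item identifier, the analyst names and the image bytes are constructed stand-ins; in practice the hash of the original media (read through a write blocker) and of the image are both recorded at acquisition and must agree.

```python
"""Chain-of-custody log with integrity checks for an evidence image.
Added illustration; item id, names and image bytes are constructed."""
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only record of who held an evidence item and when.  Every
    transfer re-hashes the item; a mismatch is logged and refused, because
    an image whose hash changed can no longer be shown to be the one acquired."""

    def __init__(self, item_id, image: bytes, acquired_by, witness):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(image)
        self.entries = []
        self._record("acquired", acquired_by, witness, self.acquisition_hash)

    def _record(self, action, handler, witness, digest, note=""):
        if handler == witness:                      # two-person rule
            raise ValueError("two different people must handle the evidence")
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "item": self.item_id, "action": action,
            "handler": handler, "witness": witness,
            "sha256": digest, "note": note,
        })

    def transfer(self, to, witness, image: bytes, note=""):
        """Hand the item to a new holder, verifying it first."""
        digest = sha256_hex(image)
        ok = digest == self.acquisition_hash
        self._record("transfer" if ok else "INTEGRITY FAILURE", to, witness, digest, note)
        if not ok:
            raise RuntimeError(f"{self.item_id}: hash mismatch on transfer to {to}")
        return digest

    def verify(self, image: bytes) -> bool:
        return sha256_hex(image) == self.acquisition_hash

    def holders(self):
        return [e["handler"] for e in self.entries]

# Constructed stand-in for a dd image of the compromised host's disk.
IMAGE = b"\x00" * 4096 + b"compromised-host-disk-image"

def demo():
    log = CustodyLog("EV-0001-disk0", IMAGE, acquired_by="analyst_a", witness="analyst_b")
    log.transfer("evidence_locker", witness="analyst_a", image=IMAGE, note="sealed bag 17")
    tampered = IMAGE[:-1] + b"!"                    # one byte changed somewhere in the image
    try:
        log.transfer("analyst_c", witness="analyst_a", image=tampered)
    except RuntimeError as exc:
        print("refused:", exc)
    return log

if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```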
Summary • IDS devices can have their own set of filter rules • SIRT members should come from all major departments • Incident response steps • Preparation • Notification • Response • Countermeasures • Recovery • Follow-up
Summary (continued) • Response procedures should be stated in a document • SIRT members should assess the level of the incident • Types of countermeasures • Containment • Eradication • After eradication is complete, affected systems need to be recovered and monitored for a couple of days
Summary (continued) • False alarms are almost inevitable with any IDS • Reduce them by adjusting the rules in your security devices • Legitimate attacks require a calm, systematic, and thorough response • External attacks by attackers you can identify might call for prosecution in court