Incident Response. James Moore, CIFI/CISSP, Chief Executive Officer, T3i, Inc.; Chairman, Information Systems Forensics Association
What is an Incident? An event in which an information asset is compromised in terms of theft, defacement, alteration, destruction, or disclosure either maliciously or unintentionally.
Examples of Incidents • Web site defacement • Customer credit card numbers stolen • Laptop stolen • Computer room flooded • Power outage • Employee terminated • Company secrets sent to competitors • Complaints of MA originating from the organization against other Internet citizens
The IRT defined Incident Response Team – a group typically comprised of virtual team members from key areas who respond to incidents affecting information assets. This team methodically executes Intrusion Response, Disaster Recovery and Business Continuity plans (as appropriate).
IRT: The Perfect World • Information Security technical staff augments traditional I.T. staff. • Director of Information Security or CISO has the IRT as a dedicated team and full authority to act • A trained and empowered Public Relations team for dissemination
Team Organization: Where You and I Live... • Management may not understand the implications of not supporting an IRT until AFTER an incident • Budgets are limited • Skill sets for the team leadership are rare and expensive • Often there will be “jurisdiction” issues with the I.T. or other groups
Team Organization • In most instances, the size/budget of a company will dictate the team organization. • Rarely will a dedicated IRT exist, except in the largest of companies • The most commonly used approach is the “virtual team” method
Team Organization: The Virtual Team • Leader is highly trained and a dedicated role • Virtual team consists of elements from various internal organizations • Stronger empowerment is required • During an incident, members are dedicated and responsible to the IRT Leader
Training the IRT Clear understanding of the Policies and Mission Goals of the organization and the IRT
Training the IRT • Policy understanding • Involved in the creation of the policy • Involved in the policy reviews • Regular process reviews • Walkthroughs • Members tasked with audits • “Live Fire” exercises • Expertise training. An incident is NOT the time to discover your parachute isn’t packed correctly.
Team authority • One of the most critical factors in development of the IRT • Often overlooked by senior management • Lack of authority causes process to break down • Can often increase the recovery time significantly. • IRT Leader should have the authority of an executive during an incident.
Team authority Issues to consider when granting team authority: • Signing authority for purchasing new equipment • Working with public organizations (FBI, Local law enforcement, etc.) • HR Issues • Denying access to building / restricted areas to suspect employees • Sequestering of evidence • Decision to prosecute or recover • Release of information
Gaining management support • Probably the most difficult task in the IRT process • Best approach: • Business Impact Analysis!!! • Cost-justifies expenditures • Identifies the risks and the costs of mitigation
BIA • Quantifies the cost to the organization of events of all types • The IRT can reduce impact by: • Lowering time to recovery • Stopping an intrusion in progress
BIA • Identifies potential impact on customer confidence and market perception
BIA • BIA allows executive teams to see the real dangers that face their information assets
BIA • Identifies time- and cost-sensitive business operations and systems • Determines financial exposure • Recommends disaster readiness strategies
Business Impact Analysis: Cost of Data Loss (per hour)
Retail Brokerage ................... $6.5 Million
Credit Card Sales Authorization .... $2.6 Million
Home Shopping Channels ............. $110,000
Airline Reservation Centers ........ $90,000
Package Shipping Service ........... $28,250
Manufacturing Industry ............. $26,761
Banking Industry ................... $17,093
Transportation Industry ............ $9,435
Source: Contingency Planning Research & Strategic Research Corporation
Impact of an Event A serious event can irrevocably impair or destroy the largest company • Over 40% of companies hit by a serious disaster never resume operations • Of those that do resume operations, another 30% still fail within two years Source: Contingency Planning Research & Strategic Research Corporation
What is Business Continuity Planning? Planning for maintaining/resuming normal operations during events caused by nature, technical problems or human error. • Large time commitment and expense associated with creating a BCP • Selling BCP to executive management
What does BCP consist of? • Disaster Recovery • Emergency Response (ERT, IRT) • Crisis Management • Includes steps to take • Before an event • During an event • After an event
Disaster Recovery Procedures written on how to respond, coordinate, and document the event • Risk Impact Analysis • Determine cost of impact • Determine probability
Threats • Natural • Flood • Fire • Storm • Man Made • Vandalism • Terrorism • Hardware failure • Intrusions • Virus, Trojan Horse, Worms • Denial of Service Attacks • Data Diddling • Social Engineering
Insiders • Often motivated by a perception of unfair treatment by management, or if suborned by an outsider • Use authorized access for unauthorized disruptive purposes. 78% of all Intrusions !!
Levels of Alert • Level Green • Nominal vigilance • Level Blue • Heightened awareness. • May suggest an out-of-schedule Vulnerability Analysis be performed. • Level Yellow • Alert with active monitoring and all teams on standby • Level Red • High alert with 24x7 monitoring and IRT on hot standby
Alert and Response • Effective monitoring systems • IDS and HIDS • Signature based • Heuristic • Anomaly based • Flow based • Trip Wires • SNMP Monitoring • Surveillance Systems • Remember: Information Assets are not just computers!
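To make the monitoring categories on this slide concrete, here is an added example (not code from the original deck or from T3i) that runs three of them over constructed input: a signature-based check (regex for a known-bad request string), an anomaly-based check (a source exceeding a baseline of failed logins), and a tripwire-style file integrity check (SHA-256 baseline compared against current file contents). The log lines, the signature list, the threshold of 5 failures and the file names are all constructed assumptions for the demonstration.

```python
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample log lines (not from the original deck): six failed root
# logins from one source, normal traffic, and one web request carrying a
# known-bad string.
SAMPLE_LOG = """\
Mar 10 08:01:02 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:03 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 08:01:04 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:01:05 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:01:06 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:01:07 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 51027 ssh2
Mar 10 08:02:00 web01 sshd[1002]: Accepted password for alice from 198.51.100.4 port 40010 ssh2
Mar 10 08:02:30 web01 sshd[1003]: Failed password for bob from 198.51.100.9 port 40020 ssh2
Mar 10 08:03:00 web01 httpd[2001]: GET /index.html?id=1 200
Mar 10 08:03:05 web01 httpd[2001]: GET /cmd.exe?/c+dir 404
"""

# Signature-based detection: a small, constructed rule set of known-bad patterns.
SIGNATURES = {
    "iis_cmd_exe_probe": re.compile(r"cmd\.exe", re.IGNORECASE),
    "path_traversal_passwd": re.compile(r"\.\./.*etc/passwd"),
}


def signature_hits(log_text):
    """Return (rule_name, line) pairs for every line matching a known-bad signature."""
    hits = []
    for line in log_text.splitlines():
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


FAILED = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def anomaly_sources(log_text, threshold=5):
    """Anomaly-based detection: sources whose failed-login count exceeds the baseline threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return {src: n for src, n in counts.items() if n > threshold}


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def tripwire_baseline(paths):
    """Record a SHA-256 digest for each watched file."""
    return {str(p): sha256_of(p) for p in paths}


def tripwire_check(baseline):
    """Return the watched files whose digest differs from the baseline or which are missing."""
    changed = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists() or sha256_of(p) != digest:
            changed.append(path)
    return changed


def tripwire_demo():
    """Baseline two constructed files, tamper with one, and return the names the tripwire flags."""
    with tempfile.TemporaryDirectory() as d:
        config = Path(d) / "sshd_config"
        binary = Path(d) / "ls"
        config.write_text("PermitRootLogin no\n")
        binary.write_bytes(b"\x7fELF original")
        baseline = tripwire_baseline([config, binary])
        binary.write_bytes(b"\x7fELF replaced")  # simulated tampering with the binary
        return [Path(p).name for p in tripwire_check(baseline)]


if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_LOG))
    print("anomalous sources:", anomaly_sources(SAMPLE_LOG))
    print("tripwire changes:", tripwire_demo())
```

The signature check finds only what it already knows about (the cmd.exe probe), while the anomaly check flags the brute-force source without any rule naming it; a real deployment would derive the threshold from observed baseline rates rather than a constant, and would protect the tripwire baseline itself from modification.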
Alert and Response • Operational framework for alert and response • SNMP Alert Systems • Pager Alert Systems • 24x7 Staff • Outsourced monitoring
Alert and Response • Effective Triage team • Technical in nature • Determines extent and status of the incident • Should be able to determine whether the incident is malicious or unintentional • Should be able to perform triage without spoiling evidence
Alert and Response • Understanding of the “Investigate or Recover” policy • Critical to the success of the process • Can save an organization significant dollars • If recovery is initiated, investigation may be impossible
Investigate or Recover? • Recovery most likely will “spoil” evidence • Rebooting many systems “pops” (clears) log files • Some Trojans remove themselves during the boot process • Investigation will most likely prolong the service interruption • A detailed forensic investigation may take days
Investigate or Recover? • Planning is key! • Have warm standby systems • Effective DR or BCP plan can allow for an investigation to proceed while recovery is effected • Logging • Centralized logging (according to DOJ guidelines)
INVESTIGATIVE AXIOM: Treat every incident as if it will end up in a criminal prosecution.
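The two “Investigate or Recover?” slides and the axiom above come down to one practical step: before anyone reboots or rebuilds, copy the volatile evidence somewhere recovery cannot touch it and hash it so it can later be shown unaltered. The following is an added example, not code from the original deck or from T3i, of that preservation step: it copies log files into an evidence vault, writes a manifest with SHA-256 digests, the collector’s name and a UTC timestamp, and re-verifies the vault afterwards. The log contents, the directory names and the collector name are constructed for the demonstration; a real collection would also capture memory and would store the vault on write-once or off-host media.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def preserve_evidence(sources, vault, collector):
    """Copy each source file into the vault and record a hashed manifest before recovery starts."""
    vault = Path(vault)
    vault.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sources:
        src = Path(src)
        dst = vault / src.name
        shutil.copy2(src, dst)  # copy2 preserves modification timestamps
        digest = sha256_of(dst)
        if digest != sha256_of(src):
            raise RuntimeError(f"copy of {src} does not match the original")
        entries.append({"original": str(src), "copy": dst.name,
                        "sha256": digest, "size": dst.stat().st_size})
    manifest = {
        "collector": collector,  # who took the copy (constructed value in the demo)
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    (vault / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(vault):
    """Re-hash every preserved copy; return the names whose digest no longer matches the manifest."""
    vault = Path(vault)
    manifest = json.loads((vault / "manifest.json").read_text())
    bad = []
    for entry in manifest["files"]:
        copy = vault / entry["copy"]
        if not copy.exists() or sha256_of(copy) != entry["sha256"]:
            bad.append(entry["copy"])
    return bad


def demo():
    """Preserve constructed logs, let recovery clear the live logs, verify, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        live = Path(d) / "var_log"
        live.mkdir()
        # Constructed log contents, not taken from any real system.
        (live / "auth.log").write_text(
            "Mar 10 08:01:02 web01 sshd[1001]: Failed password for root from 203.0.113.7\n")
        (live / "messages").write_text(
            "Mar 10 08:03:05 web01 kernel: unexpected module load\n")
        vault = Path(d) / "evidence"
        manifest = preserve_evidence([live / "auth.log", live / "messages"],
                                     vault, "J. Doe (IRT lead)")  # constructed collector
        # Recovery proceeds on the live host and the reboot clears the live log...
        (live / "auth.log").write_text("")
        before = verify_evidence(vault)  # ...but the preserved copies still verify
        (vault / "messages").write_text("edited\n")  # simulated tampering with the vault
        after = verify_evidence(vault)
        return len(manifest["files"]), before, after


if __name__ == "__main__":
    print(demo())
```

Because the manifest records digests, collector and time, a later reviewer can show that what is in the vault is what was collected; the centralized logging the previous slide recommends serves the same purpose continuously, since logs shipped off-host before the incident are not affected by a reboot of the compromised machine.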
Testing the IRT • The IRT should periodically and regularly test the plan and report the results • Methods of testing include: • Mock intrusion • Walkthrough • Document Lessons Learned • Adjustments to policy if necessary
Review • Incidents are made of a variety of events • The IRT is a highly trained group with far reaching authority • Management support is critical to IRT success • Justification for IRT expenditure is done through BIA • Risk Management – Foundation for IRT • BCP and DR • Threats to Information Assets • Alert and Response • Investigate or Recover • Testing the plan
Questions? James Moore, Chief Executive Officer, T3i, Inc.; Chairman, Information Systems Forensics Association. mahakala@cyberwarrior.org www.gaissa.org www.infoforensics.org