Incident Response Incident Response Process Forensics

Posted on 29-Mar-2015

Page 1: Incident Response Incident Response Process Forensics

Incident Response

Incident Response Process
Forensics

Page 2

Acknowledgments

Material is sourced from: CISA® Review Manual 2011, ©2010, ISACA. All rights reserved. Used by permission. CISM® Review Manual 2012, ©2011, ISACA. All rights reserved. Used by permission.

Author: Susan J. Lincke, PhD, Univ. of Wisconsin-Parkside

Reviewers/Contributors: Todd Burri, Kahili Cheng

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Page 3

Objectives

Students should be able to:
- Define and describe an incident response plan and business continuity plan
- Define recovery terms: interruption window, service delivery objective, maximum tolerable outage, alternate mode, acceptable interruption window
- Describe incident management team, incident response team, proactive detection, triage
- Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, imaging, extraction, ingestion or normalization, case log, investigation report
- Develop a high-level incident response plan

Page 4

How to React to…?

Viruses

Denial of Service

Hacker Intrusion

Accidents

System Failure

Theft of Proprietary Information

Social Engineering

Lost Backup Tape

Stolen Laptop

Fire!

Page 5

Incident Response vs. Business Continuity

Incident Response Planning (IRP): security-related threats to systems, networks & data; data confidentiality; non-repudiable transactions

Business Continuity Planning (BCP): Disaster Recovery Plan; Continuity of Business Operations

IRP is part of BCP and can be *the first step*

Page 6

Recovery Terms

- Interruption Window: Time duration organization can wait between point of failure and service resumption
- Service Delivery Objective (SDO): Level of service in Alternate Mode
- Maximum Tolerable Outage: Max time in Alternate Mode

[Diagram: timeline running Regular Service -> Interruption -> Alternate Mode -> Regular Service. The (Acceptable) Interruption Window runs from the interruption until the Disaster Recovery Plan is implemented; the Maximum Tolerable Outage covers the Alternate Mode period, delivered at the SDO level, until the Restoration Plan is implemented.]

Page 7

Vocabulary

IMT: Incident Management Team
- IS Mgr leads; includes steering committee, IRT members
- Develop strategies & design plan for Incident Response, integrating business, IT, BCP, and risk management
- Obtain funding; review postmortems
- Meet performance & reporting requirements

IRT: Incident Response Team
- Handles the specific incident. Has specific knowledge relating to: security, network protocols, operating systems, physical security issues, malicious code, etc.
- Permanent (Full Time) Members: IT security specialists, incident handlers, investigator
- Virtual (Part Time) Members: Business (middle mgmt), legal, public relations, human resources, physical security, risk, IT

Page 8

Incident Response Plan (IRP)

- Preparation: Plan PRIOR to Incident
- Identification: Determine what is/has happened
- Containment & Escalation: Limit incident
- Analysis & Eradication: Determine and remove root cause
- Recovery: Return operations to normal
- Lessons Learned: Process improvement: Plan for the future

[If data breach]
- Notification: Notify any data breach victims
- Ex-Post Response: Establish call center, reparation activities

Page 9

Stage 1: Preparation

- What shall we do if different types of incidents occur? (BIA helps)
- When is the incident management team called?
- How can governmental agencies or law enforcement help? When do we involve law enforcement?
- What equipment do we need to handle an incident?
- What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies)
- Where on-site & off-site shall we keep the IRP?

Page 10

(1) Detection Technologies

Organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner

Proactive Detection includes:
- Network Intrusion Detection/Prevention System (NIDS/NIPS)
- Host Intrusion Detection/Prevention System (HIDS/HIPS): includes personal firewalls
- Security Information and Event Management (Logs)
- Vulnerability/audit testing
- Centralized Incident Management System: input is server and system logs; coordinates & correlates logs from many systems; tracks status of incidents to closure

Reactive Detection: Reports of unusual or suspicious activity
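The "coordinates & correlates logs from many systems" and "tracks status of incidents to closure" functions of a centralized incident management system, shown as an added example that is not from the slides or the ISACA manuals. Constructed firewall, NIDS and server log lines (made-up hosts and timestamps; 203.0.113.7 is from the RFC 5737 documentation range) are normalized into one record shape, grouped by source address, and an address seen by more than one system inside a time window becomes a single incident record carrying a status.

```python
"""Minimal centralized incident correlation (added example, not from the deck).
All log lines below are constructed samples, not real captures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from three detection sources.
FIREWALL_LOG = [
    "2015-03-29T10:41:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2015-03-29T10:41:03 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2015-03-29T10:41:05 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
]
NIDS_LOG = [
    "2015-03-29T10:41:04 nids01 ALERT sig=PORTSCAN src=203.0.113.7 dst=10.0.0.5",
]
SERVER_LOG = [
    "2015-03-29T10:52:30 srv05 sshd: Failed password for root from 203.0.113.7",
    "2015-03-29T10:53:10 srv05 sshd: Accepted password for root from 203.0.113.7",
    "2015-03-29T10:55:00 srv05 sshd: Accepted publickey for alice from 10.0.0.42",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
SRC_RE = re.compile(r"(?:src=|from )(?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse(line, source):
    """Normalize one raw line into a dict: timestamp, host, source system, src IP, message."""
    m = LINE_RE.match(line)
    ip = SRC_RE.search(m.group("rest"))
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "source": source,
        "src_ip": ip.group("ip") if ip else None,
        "msg": m.group("rest"),
    }

def correlate(events, window=timedelta(minutes=30), min_sources=2):
    """Group events by source IP. An IP seen by at least min_sources distinct
    systems within the window becomes one incident record, opened for tracking."""
    by_ip = defaultdict(list)
    for e in events:
        if e["src_ip"]:
            by_ip[e["src_ip"]].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        if evs[-1]["ts"] - evs[0]["ts"] > window:
            continue                      # activity too spread out to correlate
        sources = {e["source"] for e in evs}
        if len(sources) < min_sources:
            continue                      # a single source alone does not open an incident
        incidents.append({
            "id": f"INC-{len(incidents) + 1:04d}",
            "src_ip": ip,
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "sources": sorted(sources),
            "events": evs,
            "status": "open",             # tracked until explicitly closed
        })
    return incidents

def close_incident(incident, resolution):
    """Record the resolution and move the incident to closed status."""
    incident["status"] = "closed"
    incident["resolution"] = resolution
    return incident

def build_incidents():
    """Run the three constructed logs through normalization and correlation."""
    events = ([parse(l, "firewall") for l in FIREWALL_LOG]
              + [parse(l, "nids") for l in NIDS_LOG]
              + [parse(l, "server") for l in SERVER_LOG])
    return correlate(events)
```

With these inputs the scan from the firewall, the NIDS alert and the root logins on srv05 collapse into one open incident for 203.0.113.7, while the single legitimate login from 10.0.0.42 does not open anything; the window and source-count thresholds are the knobs a SIEM rule would expose.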

Page 11

(1) Management Participation

Management makes final decision. As always, senior management has to be convinced that this is worth the money.

Actual Costs: Ponemon Data Breach Study, 2013, Sponsored by Symantec

Expenses Following a Breach | Average Cost
Detection and Escalation: forensic investigation, audit, crisis mgmt., board of directors involvement | $400,000
Notification: legal expertise, contact database development, customer communications | $570,000
Post Breach Response: help desk and incoming communications, identity protection services, legal and regulatory expenses, special investigations | $1,410,000
Lost Business: abnormal customer churn, customer procurement, goodwill | $3,030,000

Page 12

Workbook: Incident Types

Columns: Incident Type | Incident Description | Methods of Detection | Procedural Response

Intruder accesses internal network | Firewall, database, IDS, or server log indicates a probable intrusion. | Daily log evaluations, high priority email alerts | IT/Security addresses incident within 1 hour. Follow: Network Incident Procedure Section.

Break-in or theft | Computers, laptops or memory is stolen. | Security alarm set for off-hours; or employee reports missing device. | Email/call Management & IT immediately. Management calls police. Security initiates tracing of laptops via location software, writes Incident Report, evaluates if breach occurred.

Social Engineering | Suspicious social engineering attempt OR information was divulged later recognized as inappropriate. | Training of staff leads to report from staff | Report to Management & Security. Warn employees of attempt as added training. Security evaluates if breach occurred, writes incident report.

Page 13

Stage 2: Identification

Triage: Categorize, prioritize and assign events and incidents
- What type of incident just occurred?
- What is the severity of the incident? Severity may increase if recovery is delayed
- Who should be called?
- Establish chain of custody for evidence

Page 14

(2) Triage

Snapshot of the known status of all reported incident activity: Sort, Categorize, Correlate, Prioritize & Assign
- Categorize: DoS, Malicious code, Unauthorized access, Inappropriate usage, Multiple components
- Prioritize: Limited resources require prioritizing response to minimize impact
- Assign: Who is free/on duty, competent in this area?
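The three triage steps on this slide (categorize, prioritize, assign) as an added example, not code from the deck or the ISACA manuals. The categories are the slide's; the keyword rules, impact scores, reports and the on-duty roster (initials PKB, RFT, JK) are constructed assumptions. Urgent work is assigned first, so a scarce competent handler goes to the highest-priority incident.

```python
"""Triage of reported incidents: categorize, prioritize, assign (added example)."""
from dataclasses import dataclass

# Categories named on the slide; the base impact scores are an assumed scale.
CATEGORY_BASE = {
    "dos": 3, "malicious_code": 3, "unauthorized_access": 4,
    "inappropriate_usage": 1, "multiple_components": 5,
}
# Constructed keyword rules mapping a report description to a category.
RULES = [
    ("ransom", "malicious_code"), ("malware", "malicious_code"),
    ("virus", "malicious_code"), ("flood", "dos"), ("outage", "dos"),
    ("login", "unauthorized_access"), ("intruder", "unauthorized_access"),
    ("policy", "inappropriate_usage"),
]

@dataclass
class Report:
    id: str
    description: str
    affected_systems: int        # how many components are involved
    confidential_data: bool      # confidential data on the affected systems?

@dataclass
class Handler:
    name: str
    skills: set                  # categories this person is competent in
    on_duty: bool
    load: int = 0                # incidents currently assigned

def categorize(r):
    """Multiple affected components outrank keyword matches."""
    if r.affected_systems > 1:
        return "multiple_components"
    text = r.description.lower()
    for kw, cat in RULES:
        if kw in text:
            return cat
    return "inappropriate_usage"   # assumed default for low-signal reports

def priority(r, cat):
    """Higher is more urgent; severity rises with data exposure and scope."""
    score = CATEGORY_BASE[cat]
    if r.confidential_data:
        score += 2
    score += min(r.affected_systems - 1, 3)
    return score

def assign(cat, handlers):
    """Pick the on-duty, competent handler with the lightest load; None if nobody fits."""
    candidates = [h for h in handlers if h.on_duty and cat in h.skills]
    if not candidates:
        return None
    h = min(candidates, key=lambda c: c.load)
    h.load += 1
    return h.name

def triage(reports, handlers):
    """Return a worklist sorted most-urgent-first, each row with its assignee."""
    rows = []
    for r in reports:
        cat = categorize(r)
        rows.append({"id": r.id, "category": cat,
                     "priority": priority(r, cat), "assignee": None})
    rows.sort(key=lambda x: -x["priority"])   # stable: ties keep report order
    for row in rows:                           # assign in priority order
        row["assignee"] = assign(row["category"], handlers)
    return rows

def demo():
    """Constructed reports and roster; returns the triaged worklist."""
    reports = [
        Report("R1", "User browsed a prohibited site against policy", 1, False),
        Report("R2", "Intruder login on the payroll database server", 1, True),
        Report("R3", "Malware alert on two lab workstations", 2, False),
    ]
    handlers = [
        Handler("PKB", {"malicious_code", "multiple_components"}, True),
        Handler("RFT", {"unauthorized_access", "dos"}, True),
        Handler("JK", {"inappropriate_usage"}, False),   # off duty today
    ]
    return triage(reports, handlers)
```

The unassigned row (nobody on duty is competent for it) is the case the slide's "who is free/on duty, competent in this area?" question is meant to surface: it should escalate to the IMT rather than silently wait.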

Page 15

(2) Chain of Custody

Evidence must follow Chain of Custody law to be admissible/acceptable in court. Include: specially trained staff, 3rd party specialist, law enforcement, security response team

System administrator can:
- Retrieve info to confirm an incident
- Identify scope and size of affected environment (system/network)
- Determine degree of loss/alteration/damage
- Identify possible path of attack

Page 16

Stage 3: Containment

- Activate Incident Response Team to contain threat: IT/security, public relations, mgmt, business
- Isolate the problem: take infected server off network; change firewall configurations to stop attacker
- Obtain & preserve evidence

Page 17

(3) Containment - Response

- Technical: Collect data; analyze log files; obtain further technical assistance; deploy patches & workarounds
- Managerial: Business impacts result in mgmt intervention, notification, escalation, approval
- Legal: Issues related to investigation, prosecution, liability, privacy, laws & regulation, nondisclosure

Page 18

Stage 4: Analysis & Eradication

- Determine how the attack occurred: who, when, how, and why? What is impact & threat? What damage occurred?
- Remove root cause: rebuild system; talk to ISP to get more information; perform vulnerability analysis; improve defenses with enhanced protection techniques
- Discuss recovery with management, who must make decisions on handling that affects other areas of business

Page 19

(4) Analysis

What happened? Who was involved? What was the reason for the attack? Where did attack originate from? When did the initial attack occur? How did it happen? What vulnerability enabled the attack?

Page 20

(4) Remove root cause

If Admin or Root compromised, rebuild system

Implement recent patches & recent antivirus

All passwords should be changed

Page 21

Stage 5: Recovery

- Restore operations to normal
- Ensure that restore is fully tested and operational

Page 22

Workbook: Incident Handling Response

Incident Type: Malware detected by Antivirus software
Contact Name & Information: Computer Technology Services Desk: www.univ.edu/CTS/help 262-252-3344 (O)
Emergency Triage Procedure: Disconnect computer from Internet/WLAN. Do not reconnect. Allow anti-virus to fix problem, if possible. Report to IT first thing during next business day.
Escalation Conditions and Steps: If laptop contained confidential information, investigate malware to determine if intruder obtained entry. Determine if Breach Law applies.
Containment, Analysis & Eradication Procedure: If confidential information was on the computer (even though encrypted), malware may have sent sensitive data across the internet; a forensic investigation is required. Next, determine if virus=dangerous and user=admin:
- Type A: return computer. (A = virus not dangerous and user not admin.)
- Type B: rebuild computer. (B = either virus was dangerous and/or user was admin.)
Password is changed for all users on the computer.
Other Notes (Prevention techniques): Antivirus should record type of malware to log system.

Page 23

Stage 6: Lessons Learned

Follow-up includes:
- Writing an Incident Report
- What went right or wrong in the incident response?
- How can process improvement occur?
- How much did the incident cost (in loss & handling & time)?
- Present report to relevant stakeholders

Page 24

Planning Processes

- Risk & Business Impact Assessment
- Response & Recovery Strategy Definition
- Document IRP and DRP
- Train for response & recovery
- Update IRP & DRP
- Test response & recovery
- Audit IRP & DRP

Page 25

Training

Introductory Training: First day as IMT

Mentoring: Buddy system with longer-term member

Formal Training

On-the-job-training

Training due to changes in IRP/DRP

Page 26

CISA Review Manual 2009

Types of Penetration Tests

- External Testing: Tests from outside network perimeter
- Internal Testing: Tests from within network
- Blind Testing: Penetration tester knows nothing in advance and must do web research on company
- Double Blind Testing: System and security administrators also are not aware of test
- Targeted Testing: Have internal information about a target. May have access to an account.

Written permission must always be obtained first

Page 27

Incident Management Metrics

- # of Reported Incidents
- # of Detected Incidents
- Average time to respond to incident
- Average time to resolve an incident
- Total number of incidents successfully resolved
- Proactive & Preventative measures taken
- Total damage from reported or detected incidents
- Total damage if incidents had not been contained in a timely manner
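The numeric metrics on this slide computed from incident records, as an added example that is not from the deck. The records are constructed: "reported" is the time a person raised it, "detected" the time monitoring technology flagged it (either may be absent), and the damage figures are made up. The clock for response and resolution starts at whichever of the two came first, which is the choice that needs stating in a metrics definition because it changes the averages.

```python
"""Incident management metrics over constructed incident records (added example)."""
from datetime import datetime

def ts(s):
    return datetime.fromisoformat(s)

# Constructed incident records, not real data.
INCIDENTS = [
    {"id": "INC-1", "reported": ts("2015-03-02T09:00"), "detected": None,
     "responded": ts("2015-03-02T09:30"), "resolved": ts("2015-03-02T13:30"),
     "damage": 2000, "damage_if_uncontained": 50000},
    {"id": "INC-2", "reported": None, "detected": ts("2015-03-10T22:15"),
     "responded": ts("2015-03-10T22:45"), "resolved": ts("2015-03-11T04:45"),
     "damage": 12000, "damage_if_uncontained": 200000},
    {"id": "INC-3", "reported": ts("2015-03-20T14:00"), "detected": ts("2015-03-20T13:50"),
     "responded": ts("2015-03-20T15:00"), "resolved": None,      # still open
     "damage": 500, "damage_if_uncontained": 8000},
]

def first_seen(inc):
    """Start of the clock: the earlier of report time and detection time."""
    return min(t for t in (inc["reported"], inc["detected"]) if t)

def _avg_hours(deltas):
    if not deltas:
        return 0.0
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 3600

def metrics(incidents):
    """Counts, averages and damage totals matching the slide's metric list."""
    respond = [i["responded"] - first_seen(i) for i in incidents if i["responded"]]
    resolve = [i["resolved"] - first_seen(i) for i in incidents if i["resolved"]]
    return {
        "reported": sum(1 for i in incidents if i["reported"]),
        "detected": sum(1 for i in incidents if i["detected"]),
        "avg_hours_to_respond": round(_avg_hours(respond), 2),
        "avg_hours_to_resolve": round(_avg_hours(resolve), 2),   # closed incidents only
        "resolved": sum(1 for i in incidents if i["resolved"]),
        "total_damage": sum(i["damage"] for i in incidents),
        "damage_if_uncontained": sum(i["damage_if_uncontained"] for i in incidents),
    }
```

Note that INC-3 counts as both reported and detected, so the two counts can sum to more than the number of incidents; the open incident contributes to response time but not to resolution time.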

Page 28

Challenges

- Management buy-in: Management does not allocate time/staff to develop IRP (top reason for failure)
- Organization goals/structure mismatch: e.g., national scope for international organization
- IMT Member Turnover
- Communication problems: too much or too little
- Plan is too complex and wide

Page 29

Question

The MAIN challenge in putting together an IRP is likely to be:

1. Getting management and department support

2. Understanding the requirements for chain of custody

3. Keeping the IRP up-to-date

4. Ensuring the IRP is correct

Page 30

Question

The PRIMARY reason for Triage is:

1. To coordinate limited resources

2. To disinfect a compromised system

3. To determine the reasons for the incident

4. To detect an incident

Page 31

Question

When a system has been compromised at the administrator level, the MOST IMPORTANT action is:

1. Ensure patches and anti-virus are up-to-date

2. Change admin password

3. Request law enforcement assistance to investigate incident

4. Rebuild system

Page 32

Question

The BEST method of detecting an incident is:

1. Investigating reports of discrepancies

2. NIDS/HIDS technology

3. Regular vulnerability scans

4. Job rotation

Page 33

Question

The person or group who develops strategies for incident response includes:

1. CISO

2. CRO

3. IRT

4. IMT

Page 34

Question

The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:

1. Disconnect the computer facilities from the computer network to hopefully disconnect the attacker

2. Power down the server to prevent further loss of confidentiality and data integrity

3. Call the police

4. Follow the directions of the Incident Response Plan

Page 35

Computer Investigation and Forensics

Computer Crime Investigation
Chain of Command
Computer Forensics

Page 36

Computer Crime Investigation

[Flowchart: Call Police or Incident Response -> Copy memory, processes, files, connections (in progress) -> Power down -> Copy disk -> Analyze copied images. Preserve original system in locked storage with minimal access; take photos of surrounding area.]

Evidence must be unaltered; chain of custody professionally maintained

Four considerations:
- Identify evidence
- Preserve evidence
- Analyze copy of evidence
- Present evidence

Page 37

Computer Forensics

Did a crime occur? If so, what occurred?

Evidence must pass tests for:
- Authenticity: Evidence is a true and faithful original of the crime scene. Computer Forensics does not destroy or alter the evidence
- Continuity: “Chain of custody” assures that the evidence is intact.

Page 38

Chain of Custody

Timeline: Who did what to evidence when? (Witness is required)

10:53 AM | Attack observed | Jan K
11:04 | Incident Response team arrives |
11:05-11:44 | System copied | PKB & RFT
11:15 | System brought offline | RFT
11:45 | System powered down | PKB & RFT
11:47-1:05 | Disk copied | RFT & PKB
1:15 | System locked in static-free bag in storage room | RFT & PKB
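A chain-of-custody log that enforces the slide's two rules (every action has a named custodian and an independent witness, and the record shows who did what when) as an added example, not from the deck or the ISACA manuals. The entries follow the slide's timeline; the case number, evidence identifier and the witness assigned to each action are constructed. Entries are hash-chained so that an after-the-fact edit to one entry breaks the link from the next, which is what a reviewer checks when continuity is challenged.

```python
"""Append-only chain-of-custody log with a continuity check (added example)."""
import hashlib
import json
from datetime import datetime

def _digest(entry):
    """SHA-256 of an entry's content, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ChainOfCustody:
    def __init__(self, case_id, evidence_id):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, start, action, custodian, witness, end=None):
        """Append one action. Refuses an entry without an independent witness."""
        if not witness or witness == custodian:
            raise ValueError("an independent witness is required for every action")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries) + 1, "start": start, "end": end or start,
                 "action": action, "custodian": custodian, "witness": witness,
                 "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems (altered content, broken links, time order);
        an empty list means the chain is intact."""
        problems = []
        prev_hash, prev_start = "0" * 64, None
        for e in self.entries:
            if _digest(e) != e["hash"]:
                problems.append(f"entry {e['seq']}: content altered")
            if e["prev"] != prev_hash:
                problems.append(f"entry {e['seq']}: link to previous entry broken")
            start = datetime.fromisoformat(e["start"])
            if prev_start and start < prev_start:
                problems.append(f"entry {e['seq']}: out of time order")
            prev_hash, prev_start = e["hash"], start
        return problems

def slide_timeline():
    """The slide's timeline as log entries; case id, host name and witnesses are constructed."""
    c = ChainOfCustody("CASE-0001", "srv05 (constructed host name)")
    c.record("2015-03-29T10:53", "Attack observed", "Jan K", "PKB")
    c.record("2015-03-29T11:04", "Incident Response team arrives", "PKB", "RFT")
    c.record("2015-03-29T11:05", "System copied (memory, processes, connections)",
             "PKB", "RFT", end="2015-03-29T11:44")
    c.record("2015-03-29T11:15", "System brought offline", "RFT", "PKB")
    c.record("2015-03-29T11:45", "System powered down", "PKB", "RFT")
    c.record("2015-03-29T11:47", "Disk copied", "RFT", "PKB", end="2015-03-29T13:05")
    c.record("2015-03-29T13:15", "System locked in static-free bag in storage room",
             "RFT", "PKB")
    return c

def tampered():
    """Edit entry 4 after the fact, recomputing its own hash: the chain still
    reveals it because entry 5 links to the original hash."""
    c = slide_timeline()
    e = c.entries[3]
    e["action"] = "System left online"
    e["hash"] = _digest(e)
    return c.verify()
```

The live copy (11:05-11:44) overlapping the offline step (11:15) is deliberate and matches the slide: entries are ordered by start time, so volatile collection can run while the network is cut.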

Page 39

Preparing Evidence

Work with police to AVOID:
- Contaminating the evidence: evidence is not impure or tainted
- Voiding the chain of custody: written documentation lists chain of custody: locations, persons in contact, time & place
- Infringing on the rights of the suspect: warrant required unless company permission given; in plain sight; communicated to third party; evidence in danger of being destroyed; or normal part of arrest; ...

Page 40

Computer Forensics

The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding

Page 41

Creating a Forensic Copy

[Diagram: Original -> Mirror Image]

1) Calculate Message Digest: before copy
2) Accuracy Feature: Tool is accepted as accurate by the scientific community
3) Forensically Sterile: Wipes existing data; records sterility
4) One-way Copy: Cannot modify original
5) Bit-by-Bit Copy: Mirror image
6) Calculate Message Digest: after copy
7) Calculate Message Digest: Validate correctness of copy

Page 42

Computer Forensics

- Data Protection: Notify people that evidence cannot be modified
- Data Acquisition: Transfer data to controlled location; copy volatile data; interview witnesses; write-protect devices
- Imaging: Bit-for-bit copy of data
- Extraction: Select data from image (logs, processes, deleted files)
- Interrogation: Obtain info of parties from data (phone/IP address)
- Ingestion/Normalization: Convert data to an understood format (ASCII, graphs, …)
- Reporting: Complete report to withstand legal process
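The forensic-copy steps on the "Creating a Forensic Copy" slide (digest before, bit-by-bit copy, digest after, validate) followed by the Imaging, Extraction and Ingestion/Normalization stages on this slide, as one added example that is not from the deck or the ISACA manuals. The "disk" is a constructed in-memory byte string containing two log records and a deleted record that is no longer referenced but still present in the bytes; all digests are computed at run time, not quoted. Sterile media and the one-way copy are properties of the hardware and tooling, represented here only by reading the original through a read-only buffer.

```python
"""Forensic copy with before/after digests, then extraction from the copy (added example)."""
import hashlib
import io
import re

# Constructed image content; the IP addresses are from the RFC 5737 documentation ranges.
ORIGINAL_DISK = (
    b"LOG: 2015-03-29T10:52:30 sshd Failed password for root from 203.0.113.7\n"
    b"LOG: 2015-03-29T10:53:10 sshd Accepted password for root from 203.0.113.7\n"
    + b"\x00" * 64                       # unallocated space, must also be copied
    + b"DELETED: 2015-03-29T10:54:00 outbound connection to 198.51.100.9:443\n"
)

def message_digest(data):
    return hashlib.sha256(data).hexdigest()

def bit_for_bit_copy(source, dest, block_size=4096):
    """Copy every block from the read-only source, including zeroed regions.
    Returns the number of bytes copied."""
    total = 0
    while True:
        block = source.read(block_size)
        if not block:
            return total
        dest.write(block)
        total += len(block)

def acquire(original):
    """Digest before, copy, digest after, validate (slide steps 1, 5, 6, 7)."""
    before = message_digest(original)
    src = io.BytesIO(original)            # read-only view of the original
    img = io.BytesIO()                    # fresh destination buffer
    bit_for_bit_copy(src, img)
    image = img.getvalue()
    after = message_digest(original)      # original must be unchanged by the copy
    copy_digest = message_digest(image)   # copy must match the original exactly
    return {"image": image, "before": before, "after": after,
            "copy": copy_digest, "valid": before == after == copy_digest}

RECORD_RE = re.compile(rb"(?P<kind>LOG|DELETED): (?P<ts>\S+) (?P<msg>[^\n]*)")

def extract(image):
    """Extraction: select log records, including deleted ones, from the image."""
    return [m.groupdict() for m in RECORD_RE.finditer(image)]

def normalize(records):
    """Ingestion/normalization: raw bytes -> ASCII fields in one understood format."""
    return [{"kind": r["kind"].decode("ascii"),
             "ts": r["ts"].decode("ascii"),
             "msg": r["msg"].decode("ascii", errors="replace"),
             "deleted": r["kind"] == b"DELETED"} for r in records]

def investigate(original=ORIGINAL_DISK):
    """Full sequence; analysis runs on the validated copy, never on the original."""
    acq = acquire(original)
    if not acq["valid"]:
        raise RuntimeError("forensic copy failed validation; do not proceed")
    return normalize(extract(acq["image"]))
```

The last assertion in the test shows why the copy must be bit-for-bit: an image missing even the trailing byte of unallocated space has a different digest and would fail step 7, and the deleted record that extraction recovers lives precisely in the region a file-level copy would skip.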

Page 43

Legal Report

- Describe incident details accurately
- Be understandable and unambiguous
- Offer valid conclusions, opinions, or recommendations
- Fully describe how conclusion is reached
- Withstand legal scrutiny
- Be created in timely manner
- Be easily referenced

Page 44

Forensics: Chain of Custody Forms

Chain of Custody Form: Tracks where & how evidence was handled. Includes:
- Name & contact info of custodians
- Detailed identification of evidence (e.g., model, serial #)
- When, why, and by whom evidence was acquired or moved
- Where stored
- When/if returned

Also: Detailed Activity Logs; Checklists for acquiring technicians; Signed non-disclosure forms

Page 45

Forensics: Case Log

Case log includes:
- Case number
- Case basic notes, requirements, procedures
- Dates when requests were received
- Dates investigations were assigned to investigators
- Date completed
- Name and contact information for investigator and requestor

Page 46

Forensics: Investigation Report

- Name and contact info for investigators
- Case number
- Dates of investigation
- Details of interviews or communications
- Details of devices or data acquired (model, serial #)
- Details of software/hardware tools used (must be reputable in law)
- Details of findings, including actual data
- Signature of investigator

Page 47

Question

Authenticity requires:

1. Chain of custody forms are completed

2. The original equipment is not touched during the investigation

3. Law enforcement assists in investigating evidence

4. The data is a true and faithful copy of the crime scene

Page 48

Question

You are developing an Incident Response Plan. An executive order is that the network shall remain up, and intruders are to be pursued. Your first step is to…

1. Use commands off the local disk to record what is in memory

2. Use commands off of a memory stick to record what is in memory

3. Find a witness and log times of events

4. Call your manager and a lawyer in that order

Page 49

Question

What is NOT TRUE about forensic disk copies?

1. The first step in a copy is to calculate the message digest

2. Extraction and analysis for presentation in court should always occur on the original disk

3. Normalization is a forensics stage which converts raw data to an understood format (e.g., ASCII, graphs, …)

4. Forensic copies requires a bit-by-bit copy

Page 50

References

Slide # | Slide Title | Source of Information

6 Recovery Terms CISM: page 230

8 Incident Response Plan (IRP) CISM: page 221, 222

9 Stage 1: Preparation CISM: page 221, 223

10 (1) Detection Technologies CISM: page 222

14 Stage 2: Identification CISM: page 222, 223

15 (2) Triage CISM: page 222

17 Stage 3: Containment CISM: page 223

18 (3) Containment – Response CISM: page 222

19 Stage 4: Analysis & Eradication CISM: page 223, 224

22 Stage 5: Recovery CISM: page 224

24 Stage 6: Lessons Learned CISM: page 224

25 Planning Processes CISM: page 228

26 Training CISM: page 227

27 Type of Penetration Tests CISA: page 378

28 Incident Management Metrics CISM: page 220

29 Challenges CISM: page 227

37 Computer Crime Investigation CISA: page 380

39 Chain of Custody CISA: page 380

43 Computer Forensics CISA: page 380, 381

44 Legal Report CISA: page 381

45 Forensics: Chain of Custody Forms CISA: page 375 and CISM: page 239

46 Forensics: Case Log CISM: page 239

47 Forensics: Investigation Report CISM: page 239