Building an Incident Response Plan


A Rational Guide to Incident Response and Digital Forensics. Learn the correct ways to handle security incidents and how to develop and Incident Response Plan

Published in: Technology, Business

  • 1. Incident Response & Digital Forensics – Building a Rational Response Plan SECURITY:ServicesSolutionsSupport
  • 2. Biography
    • Andrew Plato, CISSP, CISM, QSA
    • President / CEO – Anitian Enterprise Security
    • 20 years of experience in IT & security
    • Completed thousands of security assessments & projects
    • Discovered SQL injection attack tactic in 1995
    • Helped develop first in-line IPS engine (BlackICE)
    • Championed movement toward practical, pragmatic information security solutions
  • 3. We believe information security can make the world a better place.
    • Security is necessary for innovation and growth
    • Security can be empowering when it is practical and pragmatic
    • Good security comes from rational, scientific methods of analysis
  • 4. Overview
    • Intruder Alert: How NOT to Respond to an Incident
    • How to Build an Incident Response Plan
    • How to Respond to an Incident (Correctly)
    • The Shopping List
  • 5. Intruder Alert: How NOT to Respond to an Incident
  • 6. Stages of Bad IR
    • Denial
    • Assign blame & responsibility
    • Throw a tantrum, froth at the mouth ("Say your prayers, hacker scum!")
    • Start calling everybody: FBI, forensic experts, police, attorney general, tiger teams, State Department, lawyers, cyberpolice ("Call Vladimir Putin!!!")
  • 7. STOP! Or There Will Be… Trouble
    • Why do you think you have an incident?
    • Has a real crime taken place?
    • Is there really a breach?
    • What evidence do you have?
    • Do you have an Incident Response plan?
    • Who is involved with this?
    • Do you know what you’re doing here?
  • 8. I Pity the Fool Who Jumps to Conclusions
    • Do not rush and…
      • Call law enforcement
      • Announce an incident
      • Shut down your business
      • Panic or freak out
      • Shut down affected systems
      • Prematurely hire forensic experts
    • Don’t overreact
    • Don’t deny the problem, if there is evidence
  • 9. Why Incident Response & Digital Forensics Fail
    1. Denial
    2. Lack of plan
    3. Jumping to conclusions (emotional response)
    4. Lack of evidence
    5. Overreaction
  • 10. Investigator vs. Forensics – There is a Difference
    • Forensics expert – finds & analyzes evidence
    • Investigator – analyzes incidents (crimes)
    • (Cartoon captions: investigator – "I want the name of everybody who has seen Inception more than once, Danno"; forensics expert – "My WoW character is a level 60 Night Elf!")
  • 11. What Are Your Intentions?
    • Answer this question carefully…
    • Do not intend to prosecute? (informal response)
      • Simple, inexpensive
      • Just reformat the affected hosts and move along
      • You cannot prosecute later (probably)
    • Intend to prosecute? (formal response)
      • You’ll need a formal investigation
      • You’ll need money, perhaps a lot of money
    • Not sure? Then plan for prosecution.
  • 12. Building the Plan
  • 13. Why You Need an IR Plan
    • Investigating security incidents is a core security function
    • IR is how you address numerous risks – like APT
    • The ability to respond to an incident, large or small, is what can make the difference between a meltdown and a minor annoyance
    • A good IR plan helps you sort out the real problems from the noise
    • IR + DR/BC = ☺
    • An IR plan is required for PCI compliance
  • 14. 1. Effective Security Controls
    • All investigations require data (evidence)
    • Without evidence, you can’t prove anything
    • Security controls are very important to an investigation:
      • Intrusion detection & prevention (IDS/IPS)
      • Log aggregation, management and storage (SIM)
      • Data loss monitoring (DLP)
      • Web filtering / internet proxy
      • Application & database monitoring
    • Ideally, you are alerted before an incident
  • 15. Incidentally… YOU HAVE TO HAVE SOMEBODY LOOKING AT ALL THAT DATA!
  • 16. 2. Inventory Systems, Applications, Data, etc.
    • The middle of a crisis is just about the worst possible time to discover what you have
    • You need to know:
      • What you have
      • What it does
      • How important it is
      • Where it is located
      • Who is responsible for it
      • How to recover, rebuild or restore it
      • Dependencies
  • 17. 3. Define “Incident”
    • How do you identify and define an incident?
    • This varies for every organization
    • Define criteria that outline what an incident is to your organization:
      • Internal vs. external
      • Disruptive vs. non-disruptive
      • Data leak or not
    • Which means you need some kind of reporting system…
  • 18. 4. Reporting & Monitoring
    • You must have a method of tracking, reporting & analyzing events
    • This is why you need event and/or ticketing systems.
    • Events need to be rated or categorized…
  • 19. 5. Establish a Severity System
    • How do you weed out the nothing events from the serious events?
    • Create a severity system:
      • Critical – Disruptive, destructive, widespread risk
      • High – Disruptive, but not to critical systems
      • Medium – Non-disruptive, but noticeable
      • Low – No risk to the organization
    • Now, who do you call? You need an escalation tree…
  • 20. 6. Create a Contact Escalation Tree
    • Determine the investigative effort applicable for each event type.
    • Define roles & responsibilities
    • Define contacts:
      • Security staff
      • Legal contacts
      • Executive contacts
      • Law enforcement
      • Vendor contacts
      • Digital forensics & investigators
      • Business partners (whose data may be at risk)
  • 21. 7. Document the Plan
    • Write it down
    • Create flow charts of how events are handled
    • Make the plan available to all key staff members
    • List all the key event sources and who monitors them
    • Integrate with the inventory
    • Print the plan out!
    • Now you are ready to…
  • 22. Responding to an Incident
  • 23. Step 1 – Answer the Big Questions
    • What evidence do you have of an incident?
    • Are confidential or protected data at risk?
    • Are business operations at risk?
    • Is there a threat to public perception of the organization?
    • What are your intentions?
    • Is Chuck Norris in the lobby? (You have one, right?!)
  • 24. Step 2 – Document the Incident
    • Go slow and do this right!
    • Date/time of event
    • Who detected / reported the event
    • Detailed description of the event
    • Affected hosts, data and networks
    • Evidence of event
    • Don’t jump to conclusions
  • 25. Step 3 – Follow Your Contact Escalation Plan
    • IT Management – critical incident per the plan
    • Legal – for any serious incident; they should drive the process for notification
    • Law enforcement – when there is evidence of a crime that resulted in financial loss or child pornography
    • Human Resources – when there is evidence of an internal employee involved in the incident
    • Forensics investigators – when you need to preserve evidence and conduct a sound investigation
    • Business partners – when contractually obliged
  • 26. Step 4 – Assess Breach Notification Issues
    • Each state is different, but there is a lot in common
    • Only confidential data or PII is covered, such as:
      • Payment card numbers (PAN)
      • Social Security Numbers
      • Health information
      • Financial data (that is identifiable to a person)
    • You only have to notify if there is evidence of a breach… this is why you need an investigator
    • Encrypted data is almost always excluded
    • Lawyer up – they need to run the show here
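Slides 17 through 20 say what the plan must contain (incident criteria, a severity system, a contact escalation tree) and Steps 2 through 4 above apply those pieces during a response (the incident record, the escalation call list, the breach-notification check). The following is an added example, not code from the deck or from Anitian: a small Python triage module that writes those plan elements down as rules, so that every reported event is rated and escalated the same way and the record is opened before anyone draws conclusions. The `Event` fields, the `PROTECTED_DATA` set, the contact names and the sample event are assumptions made for this example; the severity and escalation rules approximate the criteria stated on slides 19, 25 and 26.

```python
"""Incident triage helper (added example; assumptions noted inline)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data classes that state breach-notification laws typically cover (slide 26).
PROTECTED_DATA = {"PAN", "SSN", "PHI", "PERSONAL_FINANCIAL"}


@dataclass
class Event:
    """One reported event, captured before any conclusions are drawn (slide 24)."""
    description: str
    reported_by: str
    affected_hosts: list
    evidence: list                  # what you actually hold: log excerpts, images, tickets
    internal: bool                  # internal vs. external (slide 17)
    disruptive: bool                # disruptive vs. non-disruptive (slide 17)
    critical_system: bool           # touches a system the inventory marks as critical?
    noticeable: bool = False        # non-disruptive but visible to users or partners
    data_types: list = field(default_factory=list)  # e.g. ["PAN"]; empty = no data leak suspected
    data_encrypted: bool = False
    financial_loss: bool = False
    insider_involved: bool = False
    partner_data: bool = False      # a business partner's data is at risk


def severity(ev: Event) -> str:
    """Slide 19 levels: Critical / High / Medium / Low."""
    if ev.disruptive and ev.critical_system:
        return "Critical"
    if ev.disruptive:
        return "High"
    if ev.noticeable or ev.data_types:      # assumption: a suspected data leak is never Low
        return "Medium"
    return "Low"


def escalation(ev: Event, sev: str) -> list:
    """Slide 25 call list, in plan order. Security staff are always first."""
    contacts = ["Security staff"]
    serious = sev in ("Critical", "High") or bool(set(ev.data_types) & PROTECTED_DATA)
    if sev == "Critical":
        contacts.append("IT Management")
    if serious:
        contacts.append("Legal")                    # legal drives any notification process
    if ev.evidence and ev.financial_loss:
        contacts.append("Law enforcement")          # evidence of a crime with financial loss
    if ev.insider_involved:
        contacts.append("Human Resources")
    if serious:
        contacts.append("Forensics investigators")  # preserve evidence, sound investigation
    if ev.partner_data:
        contacts.append("Business partners")        # when contractually obliged
    return contacts


def notification_assessment(ev: Event) -> str:
    """Slide 26: a first-pass flag for counsel, not a legal determination."""
    exposed = sorted(set(ev.data_types) & PROTECTED_DATA)
    if not exposed:
        return "not required: no protected data involved"
    if ev.data_encrypted:
        return "likely excluded: data was encrypted (confirm with counsel)"
    if not ev.evidence:
        return "undetermined: no evidence of a breach yet; investigate before notifying"
    return "refer to counsel: evidence of breach involving " + ", ".join(exposed)


def open_incident(ev: Event, now=None) -> dict:
    """Slide 24 record; 'conclusions' stays empty until the investigation is done."""
    now = now or datetime.now(timezone.utc)
    sev = severity(ev)
    return {
        "opened_at": now.isoformat(),
        "reported_by": ev.reported_by,
        "description": ev.description,
        "affected_hosts": list(ev.affected_hosts),
        "evidence": list(ev.evidence),
        "severity": sev,
        "escalate_to": escalation(ev, sev),
        "breach_notification": notification_assessment(ev),
        "conclusions": None,
    }


# Constructed sample event: a card-processing host showing signs of tampering.
SAMPLE_EVENT = Event(
    description="Unexpected outbound connections from the card-processing host",
    reported_by="SOC analyst (constructed)",
    affected_hosts=["pay-app-01.example.internal"],
    evidence=["proxy log excerpt (constructed)", "IDS alert (constructed)"],
    internal=False, disruptive=True, critical_system=True,
    data_types=["PAN"], data_encrypted=False, financial_loss=False,
    insider_involved=False, partner_data=True,
)

if __name__ == "__main__":
    for key, value in open_incident(SAMPLE_EVENT).items():
        print(f"{key:>20}: {value}")
```

The point of writing the rules down in code is the same as slide 21's "print the plan out": the rating and the call list come from the plan, not from whoever happens to be on shift, and the record carries the evidence and an empty conclusions field so the "don't jump to conclusions" rule is enforced by the form itself.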
  • 27. Step 5 – Conduct Forensics
    • Preserve and gather evidence
    • Forensics without investigation is largely pointless.
    • There is a limit to what digital forensics can do
    • You need a trained investigator to:
      • Establish chain of custody
      • Catalog evidence
      • Interview people
      • Objectively analyze the incident
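Two of the investigator's tasks above, cataloguing evidence and establishing chain of custody, come down to records that must still be defensible months later. The following is an added example, not code from the deck or from Anitian, of the minimum such a record needs: every item is fingerprinted with SHA-256 at collection so a working copy can be checked against what was acquired, and every custody event is appended to a hash chain so that an edited, reordered or dropped entry is detectable. The class names, the catalog layout and the sample log bytes are assumptions made for this example.

```python
"""Evidence catalog with a tamper-evident chain of custody (added example)."""
import hashlib
import json
from datetime import datetime, timezone


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    def __init__(self, item_id, description, content: bytes, collected_by, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        self.item_id = item_id
        self.description = description
        self.content_sha256 = _sha256(content)  # fingerprint of the bytes as acquired
        self.chain = []                         # custody entries, each hashed with its predecessor
        self._append({"when": when, "action": "collected", "holder": collected_by, "from": None})

    def _append(self, entry: dict) -> None:
        # The first link is anchored to the content hash, so the chain belongs to this item.
        prev = self.chain[-1]["entry_hash"] if self.chain else self.content_sha256
        body = json.dumps(entry, sort_keys=True)
        self.chain.append(dict(entry, prev_hash=prev, entry_hash=_sha256((prev + body).encode())))

    def transfer(self, to, reason, when=None):
        """Hand the item to a new holder; the previous holder is recorded automatically."""
        when = when or datetime.now(timezone.utc).isoformat()
        self._append({"when": when, "action": reason, "holder": to, "from": self.holder()})

    def holder(self) -> str:
        return self.chain[-1]["holder"]

    def verify_content(self, content: bytes) -> bool:
        """Does a working copy still match what was collected?"""
        return _sha256(content) == self.content_sha256

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was edited, reordered or dropped."""
        prev = self.content_sha256
        for entry in self.chain:
            fields = {k: v for k, v in entry.items() if k not in ("prev_hash", "entry_hash")}
            body = json.dumps(fields, sort_keys=True)
            if entry["prev_hash"] != prev or entry["entry_hash"] != _sha256((prev + body).encode()):
                return False
            prev = entry["entry_hash"]
        return True


class EvidenceCatalog:
    def __init__(self):
        self.items = {}

    def add(self, item: EvidenceItem) -> None:
        if item.item_id in self.items:
            raise ValueError(f"duplicate evidence id {item.item_id}")
        self.items[item.item_id] = item

    def report(self) -> list:
        """One row per item: what it is, its fingerprint, who holds it, and whether the chain checks out."""
        return [{"id": i.item_id, "description": i.description, "sha256": i.content_sha256,
                 "holder": i.holder(), "custody_events": len(i.chain), "chain_ok": i.verify_chain()}
                for i in self.items.values()]


# Constructed sample: a proxy log excerpt captured from the affected host.
LOG_EXCERPT = b"2013-03-01T02:14:07Z pay-app-01 CONNECT 203.0.113.9:443 (constructed)\n"


def demo() -> EvidenceCatalog:
    cat = EvidenceCatalog()
    item = EvidenceItem("EV-001", "proxy log excerpt, pay-app-01", LOG_EXCERPT,
                        "A. Analyst", "2013-03-01T03:00:00+00:00")
    item.transfer("Outside investigator", "handed over for analysis", "2013-03-02T09:00:00+00:00")
    cat.add(item)
    return cat


if __name__ == "__main__":
    for row in demo().report():
        print(row)
```

Hashing the custody entries does not replace signatures or a write-once store, but it gives the investigator a cheap check to run before relying on a catalog, and `verify_content` is the check to run on any copy an analyst has been working from before its findings go into the plan of action.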
  • 28. Step 6 – Collaborate for a Plan of Action
    • Engage legal, investigators and any other relevant parties to determine the correct course of action
    • Make decisions based on the EVIDENCE
    • Don’t buy any new security technologies until the issue is resolved
    • Do not allow sales people to lead the effort
    • Control information and perception
  • 29. Remember…
    • Determine your intentions
    • Get an outside investigator
    • Follow your plan
    • Document everything
    • Don’t destroy evidence; leave things in place and running
    • Be careful who you call – management and your legal counsel should be the first people involved
    • Take it slow and act rationally
  • 30. The Shopping List
  • 31. The Shopping List
    • An incident response plan
    • A disaster recovery / business continuity plan
    • Inventory of all apps, systems, networks, etc.
    • Event & log management (SIEM)
    • Intrusion detection/prevention (IDS/IPS)
    • Web filtering / proxy
    • Data loss prevention
    • Third party investigators / forensic analysts
  • 32. Thank You – EMAIL: WEB: BLOG: SLIDES: