Information Security Level Set
• Core Principles of Information Security
  – Confidentiality – Keeping information private
  – Integrity – Keeping information accurate
  – Availability – Keeping information available (even in disasters) to authorized parties
Why Incident Response?
• Legal and compliance obligations require notification when sensitive information is acquired by unauthorized parties
• University policy requires a process for responding to incidents
• Computing environments at large are under constant attack (we are no exception)
• Attack stats
What is an incident?
• Acceptance Criteria
  – How do we determine the difference between an incident and an event?
    • Could sensitive information or a critical system be at risk?
    • Was the event malicious?
  – Maintaining a publicly accessible definition of sensitive data helps bring clarity during events
  – Trust support personnel and the campus community, but maintain the ability to verify when validation is needed
Incident Management Methodologies
• One approach (see SANS.org, Course 504):
  – Planning
    • Your departmental contacts
    • Communication strategies
    • Failover systems and strategies, data archives/backups
  – Identification – Is it an incident?
  – Containment – Are intrusions contained?
  – Eradication – Is the intrusion over?
  – Recovery – Are your business functions back to normal?
  – Lessons Learned – Recommendations
Incident Management
• Incident environment?
  – Higher education institutions compared with business or military
  – Governance/Culture
  – Mission
  – Technology types/Infrastructure
How are incidents discovered?
• Intrusion Detection/Prevention Systems
• Centrally managed anti-virus
• Complaints by attacked parties
• Support personnel – often our first responders
  – Help contain the incident and preserve data
  – Help balance forensics with business continuity
Response, Evidence Acquisition
• Preserve evidence
  – Disconnect from the network?
  – How do we power down?
  – Preserve “last accessed” times (no AV scans)
  – Log access can overwrite valuable information
• What evidence?
  – A forensic image, an exact copy of the disk(s)
  – Preserving timestamps is key
  – Network data, off-site logs, etc.
Business Impact
• Must be mindful of business impact
  – How will incident response/forensics impact…
    • University mission
      – Teaching
      – Research
      – Public Service
    • The Department/Group
      – When will systems be back up and running?
      – Will intruders have a way back into the systems?
    • The User
Investigation and Analysis
Ask the question: “Was there unauthorized acquisition of sensitive information?”
Investigation and Analysis
• Provide context for decision makers
  – From the perspective of sensitive information:
    • Where did sensitive information exist, if at all?
  – From the technical perspective:
    • Create timelines that detail (for example)…
      – File creation and access
      – When was malware introduced?
    • Capabilities of the malware?
    • When was sensitive information last accessed?
Forensic Processes and Tools
• Integrity and confidentiality of evidence
  – Chain of custody forms
  – Cryptographic hash of hard drives and images
  – Storage of hard drives and hard drive images
• Tools
  – Guidance Software EnCase, AccessData FTK
  – Open source tools like log2timeline
  – Anti-malware software (SEP)
  – Registry/Log/Browser/OS artifact data viewers
  – Identity Finder – finds sensitive information
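To make the timeline step from the previous slide concrete, here is an added Python example (not one of the tools listed above and not the presenters' code) that folds per-file MACB timestamps into a mactime-style timeline of the kind log2timeline produces, and uses it to answer "when was malware introduced?" and "was sensitive information accessed afterwards?". The file paths, timestamps and the svc.exe dropper are constructed assumptions; note that an AV scan on the live host would have rewritten the atime values this analysis depends on.

```python
"""Mactime-style filesystem timeline builder (added example; not one of the page's tools)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class FileRecord:
    """MACB timestamps as unix epoch seconds; the records below are constructed, not collected."""
    path: str
    mtime: int  # content modified
    atime: int  # last accessed: an AV scan or careless triage rewrites this and erases the signal
    ctime: int  # metadata changed
    btime: int  # created (birth)

@dataclass(frozen=True)
class TimelineEntry:
    ts: int
    macb: str  # "MACB" flags; "." where that timestamp does not fall on this row
    path: str

def build_timeline(records: Iterable[FileRecord]) -> List[TimelineEntry]:
    """Fold the four timestamps of every file into one sorted row per (time, path)."""
    flags: Dict[Tuple[int, str], Set[str]] = {}
    for r in records:
        for ts, letter in ((r.mtime, "M"), (r.atime, "A"), (r.ctime, "C"), (r.btime, "B")):
            flags.setdefault((ts, r.path), set()).add(letter)
    rows = [TimelineEntry(ts, "".join(c if c in s else "." for c in "MACB"), path)
            for (ts, path), s in flags.items()]
    return sorted(rows, key=lambda e: (e.ts, e.path))

def accessed_after(records: Iterable[FileRecord], ts: int) -> List[str]:
    """Paths whose last-access time is later than ts, e.g. the malware's birth time."""
    return sorted(r.path for r in records if r.atime > ts)

def format_timeline(rows: Iterable[TimelineEntry]) -> str:
    fmt = "%Y-%m-%d %H:%M:%S"
    return "\n".join(
        f"{datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime(fmt)}  {e.macb}  {e.path}"
        for e in rows)

# Constructed sample for a hypothetical host: paths and times are made up for illustration.
SAMPLE = [
    FileRecord("C:/Users/alice/Documents/ssn_list.xlsx",
               mtime=1300003600, atime=1300090000, ctime=1300003600, btime=1300000000),
    FileRecord("C:/Windows/Temp/svc.exe",  # hypothetical dropper; all four stamps identical
               mtime=1300080000, atime=1300080000, ctime=1300080000, btime=1300080000),
]
MALWARE_INTRODUCED = 1300080000  # the dropper's birth time, read off the timeline
```

Running `print(format_timeline(build_timeline(SAMPLE)))` shows the dropper's single "MACB" row followed by an ".A.." row for the spreadsheet, which `accessed_after(SAMPLE, MALWARE_INTRODUCED)` then reports as accessed after the malware appeared.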
Reporting Results
• Cases can be presented to…
  – Information Security management
  – Office of University Counsel
  – Office of Research Compliance
  – Internal Audit
  – Law Enforcement
• Decision makers help determine next steps
  – Is a notification appropriate?
  – How can we prevent recurrence?
Lessons Learned/Recommendations
• Behavior modification
  – User learns best practices to prevent future incidents
  – Sys admin configures systems to resist similar attacks
• Software modifications
  – Harden software if flaws are found during investigation
  – Introduce vulnerability management to be proactive
• Process modifications
  – Business processes may be modified to reduce risk
References
• How to reach us? – firstname.lastname@example.org
• Documents:
  – NIST 800-61 – “Computer Security Incident Handling Guide” (csrc.nist.gov)
• Courses:
  – SANS 504 – “Hacker Techniques, Exploits and Incident Handling” (sans.org)
• Tools:
  – Guidance Software / EnCase – www.guidancesoftware.com
  – AccessData / FTK – www.accessdata.com
  – log2timeline – www.log2timeline.net
  – Identity Finder – www.identityfinder.com
• Online Resources:
  – Forensics Wiki – www.forensicswiki.org
  – Forensic Focus – www.forensicfocus.com
  – Windows Incident Response – windowsir.blogspot.com