SlideShare a Scribd company logo

Drop, Stop and Roll: An Introduction to Computer Security Incident Response

John Hoffoss
John Hoffoss

An introduction to computer security incident response and the incident response guideline in Minnesota State Colleges & Universities

Technology
1 of 35
Drop, Stop and Roll John Hoffoss and Scott St. Aubin Access more information security training for campus technical staff and earn CEUs: its.mnscu.edu/security/training/
An introduction to the Computer Security Incident Response System Guideline
Outline • Step Zero: Plan Your Escape Route • Smell Smoke? Detecting an Incident • Drop! • Stop! • Roll!
What is an incident? • A situation that presents a significant or imminent threat to the security of IT resources or data. • Unauthorized access or compromise of data or systems with perceived malicious intent • A significant threat or actual loss of nonpublic data via IT resources • A reasonable basis to believe that IT resources are being used for criminal activity
flickr//d-workx Before the Fire: Plan Your Escape Route
What is incident response? • Your set of [hopefully calm] actions taken as response to an incident. • heart-valve-surgery.com icanhascheezburger
About the Route Incident response is easier and goes better if you have a plan in place before you need it. • Management Support • Your incident response plan, tested! • Tools: hard drives, write blockers, analysis environment • Knowledge to perform this analysis
What goes in a plan? Good question...we made a guideline to answer that! (You can thank us later...)
The Guideline The Computer Security Incident Response System Guideline: • requires that you have a plan; • outlines the response process; • outlines the composition of your CSIRT; • requires that you test your plan.
mmm...phases 1. Detection and Reporting 2. Initial Classification and Notification 3. Containment 4. Eradication 5. Recovery 6. Closure
The Team
Anything else? • Your plan should tie in with other relevant processes • Continuity of Operations • Disaster Recovery • Breach Notification • Your plan must be tested! • Data gathered as part of incident response is nonpublic -- label it as such!
So I have write all that stuff? Are you joking? • You can if you want... • Some of you may have a plan already--it may only require tweaking to satisfy these. • But we have a template you can use! • www.its.mnscu.edu/security
Oooh, template! • Scott wrote all of it with my input. • Mostly-ready, but you’ll want to tweak a few areas: • Team Info - Table 1 • Constituencies - Table 3 • Reporting Process - Figure 2
Smell Smoke? Detecting an Incident flickr//lilcrabbygal
• errant mouse movement • missing system settings // system not in state an Detection employee left it // missing icons/folders/ programs • extreme performance issues
Now get out your log book Take notes! eaas.co.uk
Reporting • Houston, we have a problem. • Your users should know who to contact • Calling is always better than email
Classification & Notification • Yep, that computer is on fire. • Contact your response team
Drop! flickr//arbyreed
Containment • Actually unplug or cut the network cable • Mark the system as "borked - do not use" • Do not use or interact with the system yet • Log your actions in your logbook.
• Interview the user about what he/she saw. What data is stored or accessed from the suspect system? Is there nonpublic data stored? Online banking activity? • Confirm any new information pertaining to the incident with IDS, Firewall, AD logs, etc. • Log your actions in your logbook. • Sanity check: Do you think there's a fire? Or is it just smoke?
If you're certain there is no sensitive activity or data that could've been compromised, then move on to the eradication step. Log your actions in your logbook.
If you're not certain, or if you know there is sensitive activity or data, use your incident response tools to create an image of the system's memory in a forensically sound manner. Now pull the power plug (do not use the power button or hit Start->Shut Down).
• Depending on your classification, create two forensic copies of the suspect hard drive: • One to place back into the workstation (if necessary) for investigation or emergency return to operations • One to retain as an investigative copy of the original • Retain the original with that copy. • Chain of Custody
flickr//jeshuanace Stop!
Eradication Log your actions in your logbook. Keep the system air-gapped and off any network. Now you can interact with the system to see if there is persistent malware present (e.g. Mebroot, a boot-sector trojan) Log your actions in your logbook.
Analysis Tools • Sysinternals - netmon, • VirusTotal procmon, sysmon • Autopsy • Dumpevt • FTK • SilentRunners • EnCase • Malware Bytes Antimalware • Paraben Forensics • Antivirus software • Your Actions, Log Them.
Forensics! gizmodo
More Eradication Once you have some idea of how you got your nasty, figure out how to prevent it from returning. • User privileges • Network • Patches segmentation • Firewall and • IDS router ACLs
Roll! flickr//telstar
Recovery • Reimage • Log your actions • Restore data from known-good backups • Return to operation
Recovery Follow-up • Monitoring • Breach Notification
Closure • Schedule the Incident Recap meeting • Log your actions in your logbook. • Give the all-clear signal
Incident Follow-up • Incident Recap • Report or Brief

Recommended

Incident Response
Incident ResponseIncident Response
Incident Responseprimeteacher32
 
Malware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionMalware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionLastline, Inc.
 
Incident response
Incident responseIncident response
Incident responseJarno Niemela
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
IT Security Basics For Managers
IT Security Basics For ManagersIT Security Basics For Managers
IT Security Basics For ManagersDaniel Owens
 
Introduction to Malware - Part 1
Introduction to Malware - Part 1 Introduction to Malware - Part 1
Introduction to Malware - Part 1 Lastline, Inc.
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisPriyanka Aash
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016Ashley Deuble
 

Recommended

Incident Response
Incident ResponseIncident Response
Incident Responseprimeteacher32
 
Malware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionMalware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionLastline, Inc.
 
Incident response
Incident responseIncident response
Incident responseJarno Niemela
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
IT Security Basics For Managers
IT Security Basics For ManagersIT Security Basics For Managers
IT Security Basics For ManagersDaniel Owens
 
Introduction to Malware - Part 1
Introduction to Malware - Part 1 Introduction to Malware - Part 1
Introduction to Malware - Part 1 Lastline, Inc.
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisPriyanka Aash
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016Ashley Deuble
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 
Importance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessImportance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessAnton Chuvakin
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.
 
Malewareanalysis
Malewareanalysis Malewareanalysis
Malewareanalysis ahmad abdelhafeez
 
encase enterprise
encase enterprise encase enterprise
encase enterprise Damir Delija
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramResilient Systems
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)Sam Bowne
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Rod Soto
 
Incident response
Incident responseIncident response
Incident responseAnshul Gupta
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection Damir Delija
 
SplunkLive! Customer Presentation – Virtustream
SplunkLive! Customer Presentation – VirtustreamSplunkLive! Customer Presentation – Virtustream
SplunkLive! Customer Presentation – VirtustreamSplunk
 
501 ch 8 risk management tools
501 ch 8 risk management tools501 ch 8 risk management tools
501 ch 8 risk management toolsgocybersec
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
CNIT 121: 16 Report Writing
CNIT 121: 16 Report WritingCNIT 121: 16 Report Writing
CNIT 121: 16 Report WritingSam Bowne
 
Search & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus TechnologiesSearch & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus Technologiesurjarathi
 
La ultima
La ultimaLa ultima
La ultimaMalikoatl
 
Creativity
CreativityCreativity
CreativityGrintex India Ltd
 

More Related Content

What's hot

Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 
Importance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessImportance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessAnton Chuvakin
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramResilient Systems
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)Sam Bowne
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Rod Soto
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection Damir Delija
 
SplunkLive! Customer Presentation – Virtustream
SplunkLive! Customer Presentation – VirtustreamSplunkLive! Customer Presentation – Virtustream
SplunkLive! Customer Presentation – VirtustreamSplunk
 
501 ch 8 risk management tools
501 ch 8 risk management tools501 ch 8 risk management tools
501 ch 8 risk management toolsgocybersec
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
CNIT 121: 16 Report Writing
CNIT 121: 16 Report WritingCNIT 121: 16 Report Writing
CNIT 121: 16 Report WritingSam Bowne
 
Search & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus TechnologiesSearch & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus Technologiesurjarathi
 

What's hot (20)

Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability Management
 
Importance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessImportance Of Structured Incident Response Process
Importance Of Structured Incident Response Process
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
 
Malewareanalysis
Malewareanalysis Malewareanalysis
Malewareanalysis
 
encase enterprise
encase enterprise encase enterprise
encase enterprise
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response Program
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
 
Incident response
Incident responseIncident response
Incident response
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection
 
SplunkLive! Customer Presentation – Virtustream
SplunkLive! Customer Presentation – VirtustreamSplunkLive! Customer Presentation – Virtustream
SplunkLive! Customer Presentation – Virtustream
 
501 ch 8 risk management tools
501 ch 8 risk management tools501 ch 8 risk management tools
501 ch 8 risk management tools
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration Testing
 
CNIT 121: 16 Report Writing
CNIT 121: 16 Report WritingCNIT 121: 16 Report Writing
CNIT 121: 16 Report Writing
 
Search & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus TechnologiesSearch & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus Technologies
 

Viewers also liked

Smart Phones
Smart PhonesSmart Phones
Smart PhonesEKMom
 
A rnau cairo
A rnau cairoA rnau cairo
A rnau cairoarnau19
 
How Lean, UCD and Agile can propel designers into the future
How Lean, UCD and Agile can propel designers into the futureHow Lean, UCD and Agile can propel designers into the future
How Lean, UCD and Agile can propel designers into the futureCyber-Duck
 
Cauchuyendang xem
Cauchuyendang xem Cauchuyendang xem
Cauchuyendang xemDamPhan
 
sistema eragilea
sistema eragileasistema eragilea
sistema eragilealeire
 
Midterm presentation 2.27.2010 small
Midterm presentation 2.27.2010 smallMidterm presentation 2.27.2010 small
Midterm presentation 2.27.2010 smallguestc8839dc3
 
Chanlycuocdoi
ChanlycuocdoiChanlycuocdoi
ChanlycuocdoiDamPhan
 
SVEA Presentazione progetto
SVEA Presentazione progettoSVEA Presentazione progetto
SVEA Presentazione progettoCSP Scarl
 
W SAN FRANCISCO
W SAN FRANCISCOW SAN FRANCISCO
W SAN FRANCISCOlisaleonor
 

Viewers also liked (20)

La ultima
La ultimaLa ultima
La ultima
 
Creativity
CreativityCreativity
Creativity
 
Kotler01 mkt.crm
Kotler01 mkt.crmKotler01 mkt.crm
Kotler01 mkt.crm
 
Brain storming-rules
Brain storming-rulesBrain storming-rules
Brain storming-rules
 
Scientific method
Scientific methodScientific method
Scientific method
 
Report on torture
Report on tortureReport on torture
Report on torture
 
Smart Phones
Smart PhonesSmart Phones
Smart Phones
 
Daily routines
Daily routinesDaily routines
Daily routines
 
Thewiseoldman
ThewiseoldmanThewiseoldman
Thewiseoldman
 
A rnau cairo
A rnau cairoA rnau cairo
A rnau cairo
 
How Lean, UCD and Agile can propel designers into the future
How Lean, UCD and Agile can propel designers into the futureHow Lean, UCD and Agile can propel designers into the future
How Lean, UCD and Agile can propel designers into the future
 
Cauchuyendang xem
Cauchuyendang xem Cauchuyendang xem
Cauchuyendang xem
 
Bf c mp.january 08.pps
Bf c mp.january 08.ppsBf c mp.january 08.pps
Bf c mp.january 08.pps
 
sistema eragilea
sistema eragileasistema eragilea
sistema eragilea
 
Midterm presentation 2.27.2010 small
Midterm presentation 2.27.2010 smallMidterm presentation 2.27.2010 small
Midterm presentation 2.27.2010 small
 
Chanlycuocdoi
ChanlycuocdoiChanlycuocdoi
Chanlycuocdoi
 
Why VietnamWorks
Why VietnamWorksWhy VietnamWorks
Why VietnamWorks
 
Larynx modified
Larynx modifiedLarynx modified
Larynx modified
 
SVEA Presentazione progetto
SVEA Presentazione progettoSVEA Presentazione progetto
SVEA Presentazione progetto
 
W SAN FRANCISCO
W SAN FRANCISCOW SAN FRANCISCO
W SAN FRANCISCO
 

Similar to Drop, Stop and Roll: An Introduction to Computer Security Incident Response

Incident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresIncident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresJose L. Quiñones-Borrero
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handlingnewbie2019
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
CNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsCNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsSam Bowne
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security OperationsSam Bowne
 
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantraWorkshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantraIGN MANTRA
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas IndonesiaIGN MANTRA
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNorth Texas Chapter of the ISSA
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response FailsMichael Gough
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookSam Bowne
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopPriyanka Aash
 

Similar to Drop, Stop and Roll: An Introduction to Computer Security Incident Response (20)

Incident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresIncident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and Countermeasures
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
 
Incident handling.final
Incident handling.finalIncident handling.final
Incident handling.final
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 
CNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsCNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security Operations
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
 
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantraWorkshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shop
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Recently uploaded (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Drop, Stop and Roll: An Introduction to Computer Security Incident Response

  • 1. Drop, Stop and Roll John Hoffoss and Scott St. Aubin Access more information security training for campus technical staff and earn CEUs: its.mnscu.edu/security/training/
  • 2. An introduction to the Computer Security Incident Response System Guideline
  • 3. Outline • Step Zero: Plan Your Escape Route • Smell Smoke? Detecting an Incident • Drop! • Stop! • Roll!
  • 4. What is an incident? • A situation that presents a significant or imminent threat to the security of IT resources or data. • Unauthorized access or compromise of data or systems with perceived malicious intent • A significant threat or actual loss of nonpublic data via IT resources • A reasonable basis to believe that IT resources are being used for criminal activity
  • 5. flickr//d-workx Before the Fire: Plan Your Escape Route
  • 6. What is incident response? • Your set of [hopefully calm] actions taken as response to an incident. • heart-valve-surgery.com icanhascheezburger
  • 7. About the Route Incident response is easier and goes better if you have a plan in place before you need it. • Management Support • Your incident response plan, tested! • Tools: hard drives, write blockers, analysis environment • Knowledge to perform this analysis
  • 8. What goes in a plan? Good question...we made a guideline to answer that! (You can thank us later...)
  • 9. The Guideline The Computer Security Incident Response System Guideline: • requires that you have a plan; • outlines the response process; • outlines the composition of your CSIRT; • requires that you test your plan.
  • 10. mmm...phases 1. Detection and Reporting 2. Initial Classification and Notification 3. Containment 4. Eradication 5. Recovery 6. Closure
  • 12. Anything else? • Your plan should tie in with other relevant processes • Continuity of Operations • Disaster Recovery • Breach Notification • Your plan must be tested! • Data gathered as part of incident response is nonpublic -- label it as such!
  • 13. So I have write all that stuff? Are you joking? • You can if you want... • Some of you may have a plan already--it may only require tweaking to satisfy these. • But we have a template you can use! • www.its.mnscu.edu/security
  • 14. Oooh, template! • Scott wrote all of it with my input. • Mostly-ready, but you’ll want to tweak a few areas: • Team Info - Table 1 • Constituencies - Table 3 • Reporting Process - Figure 2
  • 15. Smell Smoke? Detecting an Incident flickr//lilcrabbygal
  • 16. errant mouse movement • missing system settings // system not in state an Detection employee left it // missing icons/folders/ programs • extreme performance issues
  • 17. Now get out your log book Take notes! eaas.co.uk
  • 18. Reporting • Houston, we have a problem. • Your users should know who to contact • Calling is always better than email
  • 19. Classification & Notification • Yep, that computer is on fire. • Contact your response team
  • 21. Containment • Actually unplug or cut the network cable • Mark the system as "borked - do not use" • Do not use or interact with the system yet • Log your actions in your logbook.
  • 22. • Interview the user about what he/she saw. What data is stored or accessed from the suspect system? Is there nonpublic data stored? Online banking activity? • Confirm any new information pertaining to the incident with IDS, Firewall, AD logs, etc. • Log your actions in your logbook. • Sanity check: Do you think there's a fire? Or is it just smoke?
  • 23. If you're certain there is no sensitive activity or data that could've been compromised, then move on to the eradication step. Log your actions in your logbook.
  • 24. If you're not certain, or if you know there is sensitive activity or data, use your incident response tools to create an image of the system's memory in a forensically sound manner. Now pull the power plug (do not use the power button or hit Start->Shut Down).
  • 25. • Depending on your classification, create two forensic copies of the suspect hard drive: • One to place back into the workstation (if necessary) for investigation or emergency return to operations • One to retain as an investigative copy of the original • Retain the original with that copy. • Chain of Custody
  • 27. Eradication Log your actions in your logbook. Keep the system air-gapped and off any network. Now you can interact with the system to see if there is persistent malware present (e.g. Mebroot, a boot-sector trojan) Log your actions in your logbook.
  • 28. Analysis Tools • Sysinternals - netmon, • VirusTotal procmon, sysmon • Autopsy • Dumpevt • FTK • SilentRunners • EnCase • Malware Bytes Antimalware • Paraben Forensics • Antivirus software • Your Actions, Log Them.
  • 29. Forensics! gizmodo
  • 30. More Eradication Once you have some idea of how you got your nasty, figure out how to prevent it from returning. • User privileges • Network • Patches segmentation • Firewall and • IDS router ACLs
  • 31. Roll! flickr//telstar
  • 32. Recovery • Reimage • Log your actions • Restore data from known-good backups • Return to operation
  • 34. Closure • Schedule the Incident Recap meeting • Log your actions in your logbook. • Give the all-clear signal
  • 35. Incident Follow-up • Incident Recap • Report or Brief

Editor's Notes

  1. John Hoffoss works in the Information Security Office, part of the Information Technology Services division of the Office of the Chancellor. He’s been with MnSCU for 3 years, likes carpentry and curls well. Scott St. Aubin is a consultant with NetSPI who has been working with MnSCU for about two years. He’s an active photographer, shoots an Olympus, and doesn’t own enough lenses.
  2. This talk will introduce the incident response guideline, the plan, the process, and share a war story or two.
  4. What is an incident? a situation that presents a significant or imminent threat to the security of system information technology resources or information resources; it includes, but is not limited to the following: •Unauthorized access or compromise of information resources or information technology resources with perceived malicious intent; •A significant threat or actual loss of not-public data via information technology resources; •A reasonable basis to believe that system information technology resources are being used for criminal activity.
  5. You need to be prepared. Have a process, toolbox, whatever. Running to buy a fire extinguisher while your house burns down won’t help.
  6. Incident response is your set of actions taken as response to an incident. You don’t want to be pulling your hair out or panicking when you discover a potential incident. Calm, cool and collected is always more effective. •Could mean you run like hell, or activate your incident response team, or pull out your response kit and start investigating on your own with the ultimate goal of returning to service-as-normal. •More often than not, it'll be a combination of the last two.
  7. The route: your management's support and your response team •They'll keep the heat off you while you work! Your plan, of course, distributed and tested so that your team members know what “we may have an incident” means. Your toolbox •Spare hard drive(s) larger than your most media-heavy user's drives •If you're getting too much "practice" at this, a write-blocker - Firefly, Ultrablock, or Tableau -- around $300 (for one) or $1500 (for complete Firewire/USB/SATA/PATA set) •Copy of BackTrack, Helix, or similar Knowledge and understanding of how to use these tools! - You wouldn't want to have to learn how to put on firefighter gear, learn how to drive a hook and ladder, and learn how the ladder works in the middle of a fire...
  9. The guideline is fairly straightforward. It lays out definitions and minimum requirements: •You must have a plan -- reasonable and appropriate methods to control and remediate information security incidents •Your response process should cover the process that we’ll go over •Your computer security incident response team should be multi-disciplinary That response process covers several phases...
  10. Six phases, to be exact: 1. Detection and Reporting. The method(s) of detecting and reporting an incident should be identified, as well as the path of information flows. Do your users know to call the help desk? Does your help desk know the signs of a potential incident? 2. Initial Classification and Notification. Each incident should be evaluated to ensure it is handled with the appropriate urgency, and the correct individuals are notified for the type of incident being investigated. External processes, like COOP, Breach Notification, Law Enforcement contact, etc. may be initiated when necessary. Breach notification and forensics will usually come later, though. 3. Containment. Initial steps to immediately stop the spread of the incident. This involves things like removing network connectivity from the system, creating forensically-sound copies of hard drives, performing a cursory examination of neighboring systems to identify additionally compromised systems, etc. 4. Eradication. Steps taken to remove the cause of the incident. This is where forensic analysis might be initiated, otherwise generally this is your workstation imaging process. 5. Recovery. Steps taken to return the computer systems to a full production mode. Restoring data, reconfiguring the workstation, and closing the hole that allowed the compromise in the first place. Then placing the system back in use with a period of elevated logging and monitoring to confirm the intruder is not still present. 6. Incident Closure. Complete all documentation and review the incident to determine how the systems, processes, or incident response plan could be improved to prevent recurrence in the future, or decrease recovery time. This is a lot to take on alone, which is why you have an incident response team...
  11. There are a lot of potential players in a CSIRT--you will hopefully never have to activate all of these groups, except for testing your plan, of course. Mostly, the team is you, your peers and your CIO. These lines don’t so much delineate control as they do communication paths. You as incident handler recommend action as it pertains to responding, but your CIO and campus leadership are the final authority--they decide if a system gets pulled, or if a system gets returned to operation, whether you think it premature or not. The ISO and OGC can help you coordinate Forensics and Law Enforcement activity.
  12. •Link your plan to existing processes--DR, COOP, Breach Notification--and vice versa •Your plan must be tested at least annually -- as in full-team training & exercise kind of test. 4 hours should be sufficient, and it doesn’t have to be fancy. This is as much a discussion and communication opportunity than anything else. •Data collected through this process is assumed nonpublic, classified as security data in MGDPA That, in a nutshell, is what the Guideline requires.
  13. This slide is fairly self-explanatory.
  14. •you'll need to customize your team information and introduce the plan and process to your local institution resources (Table 1) •Constituencies - Define the role and authority your institution's CSIRT will have over faculty, staff and student constituencies. (Table 3) •You'll also need to fill in details about your local process for reporting and responding to incidents, which you can model after the OOC information included in the template. (Figure 2) Enough about the guideline and template for now, let’s talk incident response in a little more depth.
  16. Detecting and Reporting isn’t a huge or difficult process, but it’s absolutely critical to effective incident response. •Your users are probably your first line of detection -- erratic behavior, sudden decline in performance, changed or missing icons/programs/etc, sudden decline in bank account balances, etc. Make sure your helpdesk is mindful of this. •Your IDS, firewalls, antivirus system, and other logs are additional sources for incident detection and confirmation, along with the network team, OET, REN-ISAC, law enforcement, and other randoms.
  17. When a suspicious event is detected or reported, get out your incident log book - paper, preferably hard-bound with numbered pages, written in ink. If it’s not numbered, number the pages by hand before you start using it. Keep this with you to document your steps through the entire response process. Never skip more than a page, and write "SKIPPED" on the skipped page. Never tear out a page of that book. Date and timestamp each page, if not each section of a page.
  18. So someone has detected an incident, and they want to report it. You need to make sure they know who to contact to do that! A phone call is better than an email--an intruder will have an easier time reading that user’s email than they will getting into your phone system to snoop the call. If you have an intruder and they get tipped off that they’ve been found, they’ll make a quick exit, potentially trashing your workstation. Your helpdesk should also know how to respond, asking that user to step away, come to IT to discuss what they’ve seen, something, anything, to get them away from the keyboard and preserve any evidence still left until someone can get to their workstation.
  19. Once you’ve received notification of a suspicious event, conduct some cursory analysis--preferably anywhere else BUT on the suspect system--to look for clues that your event should be escalated to an incident or not. This is where your plan gets activated. Your response will be different if this is inappropriate use, a virus, an insider, a drive-by browser malware issue, or an elite Russian hax0r pwning your datas. Your analysis should include examining Novell and ActiveDirectory logs, AV, firewalls & routers, and perhaps most importantly, an interview with the user reporting the event. Take notes in your log book throughout this process! You may need to recall why you decided to activate this plan two years later--I guarantee you will not remember if you don’t have it written down.
  20. Drop -- Initial Classification and Notification So after reporting and confirmation, you either found enough evidence that you think you have an incident, or you’re not comfortable saying you don’t have an incident. Congratulations! The first thing we need to do is drop network connectivity from a system under attack or suspected to be breached. This is like applying a tourniquet when you see blood. It may be overkill, but what if it’s necessary and you skip it?
  21. If this is your-institution-dot-e-d-u or some other high-impact system, you’ll need to communicate with some of your IR team members to get approval. This isn’t usually needed with workstations. So with permission attained, disconnect the network on the suspect device. And I mean really disconnect. Don’t just close a switch port--unplug or cut the cable. (The intruder may have access to your switches, too! Thankfully, most of you have fully isolated management VLANs, so this risk is much lower in MnSCU than elsewhere. Like banks or credit unions. *shudder*) Mark the system “dead” or “broken” or however you’d mark a system as not functioning so your users don’t touch. If it’s a sensitive system, do what you have to in order to guarantee the system doesn’t get modified. Log your actions!
  22. If you didn’t do so already, talk with your user to learn what they did or didn’t do, what they’ve installed, where they were clicking, etc. It’s worth confirming information the user gives you with log data. If they say they weren’t on Facebook but you see in logs they were, talk to the user about it. You’re not investigating them. (Yet.) Their cooperation and full honesty will help get their system back and running faster. Log your actions. (Is this getting repetitive yet? That’s because none of you will want to do this in the midst of responding...) Sanity check -- you can always close out an incident early if you realize it’s not actually an incident. <story of bank hacked by wireless mouse>
  23. If you’re in doubt, continue in the containment phase to create forensically sound images of the system state and hard drive.
  24. Image the memory while the system is still in its current state This is not for the faint of heart, and you really, really, really need to have documented procedures and a thorough understanding of what you’re doing.
  25. Create two forensic copies of the system hard disk and retain the original with one copy. Or at the very least pull the original altogether. Complete a chain of custody form for the hard disk, including information about the PC the disk came out of. If you don’t already have procedures for this that you’ve tested, call the ISO.
  26. Stop -- Eradication
  27. Remember, you’re only doing this after determining there is no further need to preserve evidence due to data compromise, or you’re working off of a copy of the original, still preserved. If you have no alternative, you can now interact with the system to continue investigating the incident. The ideal, though, is to use one of the copies you took to examine the system in a write-protected environment to investigate.
  28. There are many tools available to conduct this analysis. Some of these tools are expensive. You need to know what you’re doing (perhaps some of you attended Dan Nash’s malware investigation talk yesterday...) If you've determined what bits of malware you're dealing with, and they spread on their own, you'll want to look at other systems -- call the ISO, this is too incident-specific to give you a pithy slide (and potentially even a non-pithy slide) describing how to do this.
  29. Depending on what you've found, it may be time to ship your copy and your original off to a forensic specialist to continue the investigation. Some options are the state’s enterprise security office or a third-party like NetSPI or Kroll OnTrack. Leave the forensics to the pros.
  30. Ideally, before moving on, you know exactly how the compromise occurred and you have taken steps to both prevent reinfection and detect a reinfection--eradicating that threat.
  31. Roll -- Recovery; Incident Closure; Breach notifications and other administrative follow-up
  32. Once you believe the incident has been contained and eradicated, and your investigation is complete, you may commence eradication with prejudice. Or just use Ghost or whatever your standard desktop imaging/deployment toolset involves. Don't ever think you can completely clean a Windows workstation. (You can, but it's prohibitively expensive.) Servers are another story, but talk to us in the ISO before you start down this path--we may still advise you to start fresh and restore data either from your copies or from data backups. You should now be ready to return the freshly reimaged suspect system back to production.
  33. Don't floor it -- monitoring is key at this point to ensure you eradicated the nasties. After an appropriate length of time, step down your monitoring. This completely depends on the nature of the event. Depending on the outcome of your investigation, this is where you would notify individuals of the breach of their nonpublic data, if appropriate and advised to do so by general counsel.
  34. At this time, once all steps and phases are complete, the incident is closed. Schedule a meeting with your incident response team and all other individuals involved--helpdesk, users, ISO, OGC, etc. to conduct a lessons-learned session.
  35. The incident recap exists to help you determine if there are changes that should be made to your IR process or procedures for future incidents. Should someone have been involved earlier? Should actions have been taken in a different order? etc.