First Response - Session 11 - Incident Response [2004]
The eleventh session from a two day course I ran for potential first responders in a large financial services client.


  1. Phil Huggins, February 2004
  2. Agenda: Description; Isolation & Mitigation; Letter of Preservation; Additional Monitoring; External Notifications; Restoring the Systems; Securing the Systems; Summary Meeting
  3. The goal of this phase is to respond to the data and conclusions drawn in the assessment phase. This includes:
     • Isolating compromised systems
     • Acquisition of systems
     • Increased logging and monitoring
     • Restoring systems
     • Increasing security
  4. This phase restores the system(s) to a known and trusted state.
     • The secondary goal of this phase is securing similar hosts to prevent additional attacks, or at least increasing monitoring so that future attacks are identified
     • The lessons learned will be shared so that the response to future incidents is more successful
  5. The goal of acquisition is to save the state of the system.
     • Document everything (even mistakes)
     • Trust nothing on the suspect system
     • Suspect systems should be modified as little as possible
     • Chain of custody must be kept for all potential court evidence
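The acquisition points above (save the state, document everything, keep a chain of custody) come down to one practical habit: hash the image at the moment it is taken, write down who took it and from where, and re-hash before anyone relies on it. The following is an added example, not from the original slides; the file names, custodian name and the tiny fake "disk image" are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image never has to fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for an evidence file, read in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(path, custodian, source, notes=""):
    """Build one chain-of-custody record: what was imaged, from where, by whom, when, and its hashes."""
    return {
        "evidence": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "source": source,
        "custodian": custodian,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(path),
        "notes": notes,
    }


def append_custody_log(log_path, record):
    """Append-only log: one JSON line per custody event, never rewritten."""
    with open(log_path, "a") as f:
        f.write(json.dumps(record) + "\n")


def verify_evidence(path, record):
    """Re-hash the file and compare with the hashes recorded at acquisition.
    Returns (ok, [algorithms that no longer match])."""
    current = hash_file(path, tuple(record["hashes"]))
    mismatches = [a for a, digest in record["hashes"].items() if current[a] != digest]
    return (not mismatches, mismatches)


def demo():
    # Constructed sample: a few KiB of bytes stand in for a real dd image (hypothetical host/device names).
    tmpdir = tempfile.mkdtemp()
    image = os.path.join(tmpdir, "webserver01-sda.dd")
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"fake partition data" + b"\xff" * 4096)

    rec = record_acquisition(image, custodian="P. Huggins", source="webserver01 /dev/sda")
    append_custody_log(os.path.join(tmpdir, "custody.log"), rec)
    ok_before, _ = verify_evidence(image, rec)

    # Simulate the mistake the slide warns about: someone writes to the image after acquisition.
    with open(image, "r+b") as f:
        f.seek(4100)
        f.write(b"X")
    ok_after, bad = verify_evidence(image, rec)
    return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())
```

Two algorithms are recorded because in 2004 MD5 was what most tools (and courts) expected, while a second, stronger hash protects the record if the first is ever called into question; the custody log is append-only so that a later correction is itself an event rather than an overwrite.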
  6. Systems that have been identified as compromised must be isolated to prevent damage to other systems and further damage to themselves.
     • When possible, unplug from the network and plug into an empty hub or switch (to prevent network-unreachable errors)
     • If it must be kept online, restrict access to and from it using ACLs on routers and switches
     • Apply network monitoring to those systems that are not removed from the network
  7. When external systems are identified, a Letter of Preservation should be issued.
     • Carries legal weight in the US
     • It requests that logs and other data be preserved and not deleted
     • Additional legal procedures are typically required before the data is actually transferred
     • The letter must specify a given host or person to save data about
     • An example can be found in the EnCase Legal Journal
  8. Additional network monitoring devices may need to be deployed to:
     • Detect and observe future attacks
     • Collect additional evidence of an ongoing attack
     • Provide data to help identify the incident scope
     These devices can be built during the Readiness Phase. Logging levels on firewalls, IDS, and servers may need to be increased. Some monitoring may not be allowed depending on user privacy policies.
  9. Monitoring tools (Unix): Snort; Ethereal; tcpdump; snoop (included in Solaris); NetWitness
  10. Monitoring tools (Windows): Windump; Snort; Etherpeek; Ethereal (http://www.ethereal); Net X-Ray; Sniffer Technologies; eEye Iris
  11. Monitoring appliances: Niksun
  12. External notifications: FBI; local police force; FIRST; (SANS)
     • Any public postings must be from a generic email account (watch out for X-headers with free HTML email)
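The warning on slide 12 is that a "generic" mail account leaks its origin through headers the sender never sees: X-Originating-IP and X-Mailer inserted by free webmail providers, Received lines naming an internal workstation, or a Message-ID built from an internal hostname. The check below is an added example, not part of the original slides: it parses an outbound message and lists every header that would tie the posting back to the organisation. The sample message, the hostnames and the list of internal domains are all constructed.

```python
import email
import ipaddress
import re

# Header names that identify the sending workstation, client or mailbox.
IDENTIFYING_HEADERS = {
    "x-originating-ip", "x-originating-email", "x-originating-host",
    "x-mailer", "x-mimeole", "x-sender", "x-envelope-from",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internal_address(text):
    """Return the first RFC 1918 address found in a header value, or None."""
    for candidate in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if any(addr in net for net in RFC1918):
            return candidate
    return None


def find_identifying_headers(raw_message, internal_domains=()):
    """Return (header, value, reason) for each header that could expose the real sender.

    internal_domains: names that must never appear in a public posting (constructed list).
    """
    msg = email.message_from_string(raw_message)  # compat32 policy: header values are plain str
    findings = []
    for name, value in msg.items():
        lname = name.lower()
        if lname in IDENTIFYING_HEADERS:
            findings.append((name, value, "identifying X-header"))
            continue
        addr = internal_address(value)
        if addr:
            findings.append((name, value, f"internal address {addr}"))
            continue
        for dom in internal_domains:
            if dom.lower() in value.lower():
                findings.append((name, value, f"internal domain {dom}"))
                break
    return findings


# Constructed sample: what a webmail provider might hand to a mailing list on the sender's behalf.
SAMPLE_MESSAGE = """\
Received: from wks-4411.corp.examplebank.local (10.20.30.44) by mail.freewebmail.example
Received: from mail.freewebmail.example by mx.lists.example
X-Originating-IP: [93.184.216.34]
X-Mailer: Outlook Express 6.00
From: ir-contact@freewebmail.example
To: incidents@lists.example
Subject: Has anyone else seen this scanning pattern?
Message-ID: <20040212.abc@wks-4411.corp.examplebank.local>

Body of the public posting.
"""

if __name__ == "__main__":
    for header, value, reason in find_identifying_headers(SAMPLE_MESSAGE, ("examplebank.local",)):
        print(f"{header}: {value.strip()}  <- {reason}")
```

Run it against a message the generic account has already sent to yourself (or saved as a draft) before anything goes to a public list; the first Received line is the one most people forget, since it is added by the provider rather than the client.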
  13. It is important not to restore data that contains trojans or backdoors.
     • If a backup is known not to be compromised, it can be used
     • Otherwise, start with a new install
     • Ensure that the system has all patches installed
  14. If the method of attack is known, secure the compromised host from it first.
     • Afterwards, secure hosts with the same vulnerability
     • If the exact method is not known yet, ensure that monitoring is in place to detect future attacks
     • After a forensic analysis is performed, secure any vulnerabilities that were found
     • Additional filters may be applied to the recovered host to detect future attempts
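One concrete form of the "additional filters" on slide 14 is a watch over the recovered host's firewall log for the indicators the forensic analysis produced: the attacker's source addresses and the port the backdoor listened on. The code below is an added example rather than something from the slides; the indicator values, the netfilter-style log format and the sample lines are all constructed.

```python
import re

# Constructed indicators standing in for the forensic findings on the compromised host.
ATTACKER_IPS = {"192.0.2.77", "198.51.100.12"}
BACKDOOR_PORTS = {31337, 4444}

# Key=value fields as written by the Linux netfilter LOG target into syslog.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_netfilter_line(line):
    """Extract source, destination, protocol and destination port; None for non-firewall lines."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]),
    }


def match_indicators(lines, attacker_ips=ATTACKER_IPS, backdoor_ports=BACKDOOR_PORTS):
    """Return (src, dst_port, reasons) for every log line touching a known attacker or backdoor port."""
    alerts = []
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["src"] in attacker_ips:
            reasons.append("known attacker source")
        if rec["dpt"] in backdoor_ports:
            reasons.append(f"backdoor port {rec['dpt']}")
        if reasons:
            alerts.append((rec["src"], rec["dpt"], reasons))
    return alerts


# Constructed sample log (hypothetical hostname and addresses), including one non-firewall line.
SAMPLE_LOG = """\
Feb 12 03:14:07 webserver01 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.1.1.5 PROTO=TCP SPT=51234 DPT=22
Feb 12 03:14:09 webserver01 kernel: IN=eth0 OUT= SRC=10.1.1.200 DST=10.1.1.5 PROTO=TCP SPT=40112 DPT=80
Feb 12 03:15:30 webserver01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.1.1.5 PROTO=TCP SPT=3321 DPT=31337
Feb 12 03:16:02 webserver01 kernel: IN=eth0 OUT= SRC=198.51.100.12 DST=10.1.1.5 PROTO=TCP SPT=1025 DPT=4444
Feb 12 03:16:10 webserver01 sshd[812]: Accepted publickey for admin from 10.1.1.20
"""


def demo():
    return match_indicators(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, port, reasons in demo():
        print(f"{src} -> port {port}: {', '.join(reasons)}")
```

The two indicator sets are deliberately independent: a new source probing the old backdoor port is as interesting as the old attacker returning on a fresh port, and the alert records which of the two (or both) fired.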
  15. Each person involved with the incident should attend a summary meeting.
     • This will cover what worked and what did not work
     • Policies and procedures should be modified appropriately
     • Any 'tricks' that were discovered should be documented to help future responders
  16. Summary:
     • This phase performs actions based on data found in the Assessment Phase
     • Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected
     • External organizations may provide support or assistance
     • Ensure security holes are plugged and risks mitigated