Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

First Response - Session 11 - Incident Response [2004]

188 views

Published on

The eleventh session from a two day course I ran for potential first responders in a large financial services client.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

First Response - Session 11 - Incident Response [2004]

  1. 1. Phil HugginsFebruary 2004
  2. 2.  Description Isolation & Mitigation Letter of Preservation Additional Monitoring External Notifications Restoring the Systems Securing the Systems Summary Meeting
  3. 3.  The goal of this phase is to respond to thedata and conclusions drawn in theassessment phase This includes: Isolating compromised systems Acquisition of systems Increased logging and monitoring Restoring systems Increasing security
  4. 4.  This phase restores the system/s to a knownand trusted state The secondary goal of this phase is securingsimilar hosts to prevent additional attacks orat least increase monitoring to identify futureattacks The lessons learned will be shared so thatfuture incidents are more successful
  5. 5.  The goal of acquisition is to save the state ofthe system Document everything (even mistakes) Trust nothing on the suspect system Suspect systems should be modified as littleas possible Chain of Custody must be kept for allpotential court evidence
  6. 6.  Systems that have been identified as compromisedmust be isolated to prevent damage to othersystems and further damage to it When possible, unplug from the network and pluginto an empty hub or switch (to prevent networkunreachable errors) If it must be kept online, restrict access to and fromit using ACLs on routers and switches Apply network monitoring to those systems that arenot removed from the network
  7. 7.  When external systems are identified, a Letter ofPreservation should be issued Carries legal weight in the US It requests that logs and other data be preserved and notdeleted Additional legal procedures are typically required before thedata is actually transferred The letter must specify a given host or person to save dataabout An example can be found in the EnCase Legal Journal
  8. 8.  Additional network monitoring devices may need tobe deployed to: Detect and observe future attacks Collect additional evidence of an ongoing attack Provide data to help identify the incident scope These devices can be built during the ReadinessPhase Logging levels on firewalls, IDS, and servers mayneed to be increased Some monitoring may not be allowed depending onUser Privacy Policies
  9. 9.  Snort (http://www.snort.org) Ethereal (http://www.ethereal.com) tcpdump (http://tcpdump.org) snoop (Included in Solaris) NetWitness(http://www.forensicexplorers.com)
  10. 10.  Windump (http://windump.polito.it) Snort (http://www.snort.org) Etherpeek (http://www.wildpackets.com) Ethereal (http://www.ethereal) Net X-Ray (http://www.netxray.co.uk) SnifferTechnologies(http://www.networkassociates.com/us/products/sniffer/home.asp) eEye Iris(http://www.eeye.com/html/Products/Iris/index.html)
  11. 11.  Niksun(http://www.axial.co.uk/niksun/niksun_products.asp)DigitalGuardian (http://www.verdasys.com)
  12. 12.  FBI Local Police Force FIRST (www.first.org) incidents.org (SANS) incidents@securityfocus.com Any public postings must be from a genericemail account (watch out for X-headers withfree HTML-email)
  13. 13.  It is important to not restore data that hastrojans or backdoors If a backup is known to not be compromised,it can be used Otherwise, start with a new install Ensure that the system has all patchesinstalled
  14. 14.  If the method of attack is known, secure thecompromised host from it first After, secure hosts with the same vulnerability If the exact method is not known yet, ensure thatmonitoring is in place to detect future attacks After a forensic analysis is performed, secure anyvulnerabilities that were found Additional filters may be applied to the recoveredhost to detect future attempts
  15. 15.  Each person involved with the incident shouldattend a summary meeting This will cover what worked and what did notwork Policies and procedures should be modifiedappropriately Any ‘tricks’ that were discovered should bedocumented to help future responders
  16. 16.  This phase performs actions based on datafound in the Assessment Phase Additional monitoring and logging can beused to collect more data and ensure thatnew attacks are detected External organizations may provide supportor assistance Ensure security holes are plugged and risksmitigated

×