First Response - Session 11 - Incident Response [2004]

The eleventh session from a two day course I ran for potential first responders in a large financial services client.

Published in: Business, Technology

  1. Phil Huggins, February 2004
  2. • Description
     • Isolation & Mitigation
     • Letter of Preservation
     • Additional Monitoring
     • External Notifications
     • Restoring the Systems
     • Securing the Systems
     • Summary Meeting
  3. • The goal of this phase is to respond to the data and conclusions drawn in the assessment phase
     • This includes:
       • Isolating compromised systems
       • Acquisition of systems
       • Increased logging and monitoring
       • Restoring systems
       • Increasing security
  4. • This phase restores the system/s to a known and trusted state
     • The secondary goal of this phase is securing similar hosts to prevent additional attacks, or at least increasing monitoring to identify future attacks
     • The lessons learned will be shared so that future incident responses are more successful
  5. • The goal of acquisition is to save the state of the system
     • Document everything (even mistakes)
     • Trust nothing on the suspect system
     • Suspect systems should be modified as little as possible
     • Chain of Custody must be kept for all potential court evidence
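The acquisition rules above (document everything, modify the suspect system as little as possible, keep chain of custody) can be enforced mechanically rather than relying on a paper form alone. The script below is an added example and is not material from the course: it hashes the acquired image on every handling step and hash-chains the log entries, so that both a modified image and an edited log record are detectable. The case id, custodian names and the stand-in image file are constructed for the demo, and SHA-256 is used in place of the MD5 that was common in 2004.

```python
"""Chain-of-custody record for acquired evidence.

Added example, not part of the course slides: every handling action on an
evidence item is logged with a fresh SHA-256 of the item and a hash of the
previous log entry, so both the item and the log become tamper-evident.
All names (case id, custodians, file names) are constructed for the demo.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so a large disk image need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry: dict) -> str:
    """Canonical hash of one log entry, used to link the next entry to it."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only list of custody entries for one evidence item."""

    def __init__(self, evidence: Path, case_id: str):
        self.evidence = evidence
        self.case_id = case_id
        self.entries: list[dict] = []

    def record(self, action: str, custodian: str, note: str = "") -> dict:
        """Log an action (acquire, transfer, examine) and re-hash the item."""
        entry = {
            "case_id": self.case_id,
            "item": self.evidence.name,
            "action": action,
            "custodian": custodian,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(self.evidence),
            "note": note,
            # Link to the previous entry so the log itself cannot be quietly edited.
            "prev_entry": entry_digest(self.entries[-1]) if self.entries else None,
        }
        self.entries.append(entry)
        return entry

    def item_intact(self) -> bool:
        """Re-hash the item now and compare with the hash taken at acquisition."""
        return sha256_file(self.evidence) == self.entries[0]["sha256"]

    def chain_intact(self) -> bool:
        """Check that each entry still points at an unmodified previous entry."""
        for prev, cur in zip(self.entries, self.entries[1:]):
            if cur["prev_entry"] != entry_digest(prev):
                return False
        return True

    def dump(self) -> str:
        """Serialise the log for the case file, one JSON object per line."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo() -> tuple:
    """Acquire, transfer, then show how an accidental write and a log edit are caught."""
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp) / "webserver01.dd"  # constructed stand-in for a disk image
        img.write_bytes(b"\x00" * 4096 + b"constructed sample evidence bytes")
        log = CustodyLog(img, case_id="IR-2004-0001")  # constructed case id
        log.record("acquire", "first responder", "imaged on isolated hub, original powered off")
        log.record("transfer", "forensic examiner", "sealed evidence bag #17")
        before = log.item_intact()

        # Someone opens the image read-write by mistake: the next re-hash differs.
        with img.open("ab") as f:
            f.write(b"oops")
        after = log.item_intact()

        # Someone edits an old log entry: the hash chain no longer verifies.
        log.entries[0]["custodian"] = "someone else"
        return before, after, log.chain_intact()


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

In practice the image would be acquired with a write blocker or over the isolated hub described in the next slide, and the `dump()` output would be stored with the case file and signed or printed at each hand-over; the script only shows the verification logic, not the acquisition itself.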
  6. • Systems that have been identified as compromised must be isolated to prevent damage to other systems and further damage to it
     • When possible, unplug from the network and plug into an empty hub or switch (to prevent network unreachable errors)
     • If it must be kept online, restrict access to and from it using ACLs on routers and switches
     • Apply network monitoring to those systems that are not removed from the network
  7. • When external systems are identified, a Letter of Preservation should be issued
       • Carries legal weight in the US
       • It requests that logs and other data be preserved and not deleted
       • Additional legal procedures are typically required before the data is actually transferred
       • The letter must specify a given host or person to save data about
     • An example can be found in the EnCase Legal Journal
  8. • Additional network monitoring devices may need to be deployed to:
       • Detect and observe future attacks
       • Collect additional evidence of an ongoing attack
       • Provide data to help identify the incident scope
     • These devices can be built during the Readiness Phase
     • Logging levels on firewalls, IDS, and servers may need to be increased
     • Some monitoring may not be allowed depending on User Privacy Policies
  9. • Snort (http://www.snort.org)
     • Ethereal (http://www.ethereal.com)
     • tcpdump (http://tcpdump.org)
     • snoop (included in Solaris)
     • NetWitness (http://www.forensicexplorers.com)
  10. • Windump (http://windump.polito.it)
      • Snort (http://www.snort.org)
      • Etherpeek (http://www.wildpackets.com)
      • Ethereal (http://www.ethereal)
      • Net X-Ray (http://www.netxray.co.uk)
      • Sniffer Technologies (http://www.networkassociates.com/us/products/sniffer/home.asp)
      • eEye Iris (http://www.eeye.com/html/Products/Iris/index.html)
  11. • Niksun (http://www.axial.co.uk/niksun/niksun_products.asp)
      • Digital Guardian (http://www.verdasys.com)
  12. • FBI
      • Local Police Force
      • FIRST (www.first.org)
      • incidents.org (SANS)
      • incidents@securityfocus.com
      • Any public postings must be from a generic email account (watch out for X-headers with free HTML email)
  13. • It is important to not restore data that has trojans or backdoors
      • If a backup is known to not be compromised, it can be used
      • Otherwise, start with a new install
      • Ensure that the system has all patches installed
  14. • If the method of attack is known, secure the compromised host from it first
      • After, secure hosts with the same vulnerability
      • If the exact method is not known yet, ensure that monitoring is in place to detect future attacks
      • After a forensic analysis is performed, secure any vulnerabilities that were found
      • Additional filters may be applied to the recovered host to detect future attempts
  15. • Each person involved with the incident should attend a summary meeting
      • This will cover what worked and what did not work
      • Policies and procedures should be modified appropriately
      • Any ‘tricks’ that were discovered should be documented to help future responders
  16. • This phase performs actions based on data found in the Assessment Phase
      • Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected
      • External organizations may provide support or assistance
      • Ensure security holes are plugged and risks mitigated
