This document outlines the steps of an incident response process including identification, recording, initial response, communication, containment, response strategy formulation, classification, investigation, and recovery. It discusses strategies for each step such as gathering information, validating incidents, determining appropriate response personnel, containment techniques, and formulating strategies based on business impact and recovery efforts. Common security incidents and appropriate reporting procedures are also addressed.
Operations Security
Week 5
Incident Management, Investigations, and Physical Security
Incidence Response
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).
The Steps of Incidence Handling
Triage – Is it an actual incident or a false alarm? How serious is it?
Investigation – Gathering evidence
Containment – Limit the damage by isolation and mitigation
Analysis – Reconstruct the incident. Who is responsible? How did they do it? When did it occur? Why did they do it?
Tracking – Document the incident and determine the source
Recovery – Mitigate the incident and apply lessons learned to reduce risk of recurrence
Triage
The term Triage is used within the medical community. Triage is the art of rapidly assessing the severity of the incident and following the right protocols, in the right order, to reduce the consequences of the incident and doing it all in the midst of crisis, when every second counts.
Different incidents require different responses – A Denial of Service attack (DOS) has to be addressed differently than a malware infection.
Establishing baselines can help identify unusual activity. The number of indicators to potential incidents are very high, so false positives are common.
Investigation
The Incident Scene – The Environment where potential evidence may exist
Principles of criminalistics apply
Identify the scene
Protect the Environment
Identify evidence and potential sources of evidence
Collect Evidence
Minimize the degree of contamination
General Guidelines
All general forensic and procedural procedures must be applied
Seizing digital evidence must not alter the evidence
Any person accessing original digital evidence must be trained
All activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
While an individual is in possession of digital evidence, he or she is responsible for all actions
Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
Roles and Responsibilities
A solid foundation of knowledge and policy
A properly trained response team
Core areas must be represented
Chain of Custody
Tracks Evidence Handling
A formal, well-documented procedure MUST be followed – NO EXCEPTIONS
Locard’s Exchange Principle
When a crime is committed, the perpetrators leave something behind and take something with them.
Digital Forensics
Be Authentic
Be Accurate
Be Complete
Be Convincing
Be Admissible
Live Evidence
Data that is dynamic and exists in processes that disappear in a relatively short time frame once the system is powered down
Short Term Containment
The short term goal is to prevent more damage from occurring and provide time for additional analysis and mitigation. Isolate the system from the production network and create a backup cop.
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
This white paper covers why incident readiness and response often falls short in ten areas that span people, processes and technology. By tackling these shortcomings, organizations can reduce risk by with early warnings of potential problems.
Microsoft Navigating Incident Response [EN].pdfSnarky Security
The document titled "Navigating the Maze of Incident Response" by Microsoft Security provides a guide on how to structure an incident response (IR) effectively. It emphasizes the importance of people and processes in responding to a cybersecurity incident.
This guide, developed by the Microsoft Incident Response team, is designed to help you avoid common pitfalls during the outset of a response. It's not meant to replace comprehensive incident response planning, but rather to serve as a tactical guide to help both security teams and senior stakeholders navigate an incident response investigation.
The guide also outlines the incident response lifecycle, which includes preparation, detection, containment, eradication, recovery, and post-incident activity or lessons learned. It's like a recipe for disaster management, with each step as crucial as the next.
The guide also emphasizes the importance of governance and the roles of different stakeholders in the incident response process. It's like a well-oiled machine, with each part playing a crucial role in the overall function.
So, there you have it. A snarky Microsoft's guide to navigating the maze of incident response. It's a wild, complex, and often frustrating world, but with the right plan and people, you can navigate it like a pro.
Operations Security
Week 5
Incident Management, Investigations, and Physical Security
Incidence Response
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).
The Steps of Incidence Handling
Triage – Is it an actual incident or a false alarm? How serious is it?
Investigation – Gathering evidence
Containment – Limit the damage by isolation and mitigation
Analysis – Reconstruct the incident. Who is responsible? How did they do it? When did it occur? Why did they do it?
Tracking – Document the incident and determine the source
Recovery – Mitigate the incident and apply lessons learned to reduce risk of recurrence
Triage
The term Triage is used within the medical community. Triage is the art of rapidly assessing the severity of the incident and following the right protocols, in the right order, to reduce the consequences of the incident and doing it all in the midst of crisis, when every second counts.
Different incidents require different responses – A Denial of Service attack (DOS) has to be addressed differently than a malware infection.
Establishing baselines can help identify unusual activity. The number of indicators to potential incidents are very high, so false positives are common.
Investigation
The Incident Scene – The Environment where potential evidence may exist
Principles of criminalistics apply
Identify the scene
Protect the Environment
Identify evidence and potential sources of evidence
Collect Evidence
Minimize the degree of contamination
General Guidelines
All general forensic and procedural procedures must be applied
Seizing digital evidence must not alter the evidence
Any person accessing original digital evidence must be trained
All activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
While an individual is in possession of digital evidence, he or she is responsible for all actions
Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
Roles and Responsibilities
A solid foundation of knowledge and policy
A properly trained response team
Core areas must be represented
Chain of Custody
Tracks Evidence Handling
A formal, well-documented procedure MUST be followed – NO EXCEPTIONS
Locard’s Exchange Principle
When a crime is committed, the perpetrators leave something behind and take something with them.
Digital Forensics
Be Authentic
Be Accurate
Be Complete
Be Convincing
Be Admissible
Live Evidence
Data that is dynamic and exists in processes that disappear in a relatively short time frame once the system is powered down
Short Term Containment
The short term goal is to prevent more damage from occurring and provide time for additional analysis and mitigation. Isolate the system from the production network and create a backup cop.
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
This white paper covers why incident readiness and response often falls short in ten areas that span people, processes and technology. By tackling these shortcomings, organizations can reduce risk by with early warnings of potential problems.
Microsoft Navigating Incident Response [EN].pdfSnarky Security
The document titled "Navigating the Maze of Incident Response" by Microsoft Security provides a guide on how to structure an incident response (IR) effectively. It emphasizes the importance of people and processes in responding to a cybersecurity incident.
This guide, developed by the Microsoft Incident Response team, is designed to help you avoid common pitfalls during the outset of a response. It's not meant to replace comprehensive incident response planning, but rather to serve as a tactical guide to help both security teams and senior stakeholders navigate an incident response investigation.
The guide also outlines the incident response lifecycle, which includes preparation, detection, containment, eradication, recovery, and post-incident activity or lessons learned. It's like a recipe for disaster management, with each step as crucial as the next.
The guide also emphasizes the importance of governance and the roles of different stakeholders in the incident response process. It's like a well-oiled machine, with each part playing a crucial role in the overall function.
So, there you have it. A snarky Microsoft's guide to navigating the maze of incident response. It's a wild, complex, and often frustrating world, but with the right plan and people, you can navigate it like a pro.
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Infocyte
According to recent reports, nearly 1/3rd of all US Businesses experienced a cybersecurity related breach last year.
With hackers increasingly targeting US businesses and insiders mishandling or misusing their privileges and access, its' imperative that all organizations have incident response (IR) capabilities at the ready. We're talking about real capabilities that include: threat visibility, centralized logging, root cause analysis, and assessment.
While we can agree IR capabilities are important, most businesses do not and may never have on-staff responders or organized security operations - if you are one of these, this talk is for you.
In this talk, Chris explores the processes, procedures, and best practices surrounding Incident Response (IR) as it relates to cybersecurity: Finding, containing, investigating, and eliminating attackers from within your network.
Learn more about cyber threat hunting, incident response, and how a strong incident response process will help your organization stay better protected from cyber attackers.
This presentation, reviewing Cybersecurity Incident Response (IR) Readiness, was originally shared during the 2019 DataConnectors Houston Cybersecurity Conference.
In this brief presentation, Chris Gerritz (co-founder and CPO of Infocyte) shares insights on finding and responding to hidden attackers within your network.
Learn about cybersecurity incident response, forensic triage, and the differences between telemetry and protection.
This presentation originally took place at Check Point Software's 2019 CPX 360 conference in Las Vegas.
Practical Guide to Managing Incidents Using LLM's and NLP.pdfChris Galvan
This is a project that was created to enable Cybersecurity Defenders in positions such as Forensics, Incident Response, SOC, and Threat Hunting to have a starting place to investigate logs across AWS, GCP, and and Windows Systems.
The last section includes 3 case studies and research done by Christian Galvan and Lawren Epstein on real world attacks to large companies.
An incident response plan (IRP) is a set of written instructions for.pdfaradhana9856
An incident response plan (IRP) is a set of written instructions for detecting, responding to and
limiting the effects of an information security event.Incident response plans provide instructions
for responding to a number of potential scenarios, including data breaches, denial of
service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks or
insider threats. Without an incident response plan in place, organizations may either not detect
the attack in the first place, or not follow proper protocol to contain the threat and recover from it
when a breach is detected.
According to the SANS Institute, there are six key phases of an incident response plan:
1. Preparation: Preparing users and IT staff to handle potential incidents should they should arise
2. Identification: Determining whether an event is indeed a security incident
3. Containment: Limiting the damage of the incident and isolating affected systems to prevent
further damage
4. Eradication: Finding the root cause of the incident, removing affected systems from the
production environment
5. Recovery: Permitting affected systems back into the production environment, ensuring no
threat remains
6. Lessons learned: Completing incident documentation, performing analysis to ultimately learn
from incident and potentially improve future response efforts
It is important that an incident response plan is formulated, supported throughout the
organization, and is regularly tested. A good incident response plan can minimize not only the
affects of the actual security breach, but it may also reduce the negative publicity.
From a security team perspective, it does not matter whether a breach occurs (as such
occurrences are an eventual part of doing business using an untrusted carrier network, such as the
Internet), but rather, when a breach occurs. Do not think of a system as weak and vulnerable; it is
important to realize that given enough time and resources, someone can break into even the most
security-hardened system or network. You do not need to look any further than the Security
Focus website at http://www.securityfocus.com/ for updated and detailed information concerning
recent security breaches and vulnerabilities, from the frequent defacement of corporate
webpages, to the 2002 attacks on the root DNS nameservers[1].
The positive aspect of realizing the inevitability of a system breach is that it allows the security
team to develop a course of action that minimizes any potential damage. Combining a course of
action with expertise allows the team to respond to adverse conditions in a formal and responsive
manner.
The incident response plan itself can be separated into four phases:
Immediate action to stop or minimize the incident
Investigation of the incident
Restoration of affected resources
Reporting the incident to the proper channels
Solution
An incident response plan (IRP) is a set of written instructions for detecting, responding to and
limiting the eff.
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Infocyte
According to recent reports, nearly 1/3rd of all US Businesses experienced a cybersecurity related breach last year.
With hackers increasingly targeting US businesses and insiders mishandling or misusing their privileges and access, its' imperative that all organizations have incident response (IR) capabilities at the ready. We're talking about real capabilities that include: threat visibility, centralized logging, root cause analysis, and assessment.
While we can agree IR capabilities are important, most businesses do not and may never have on-staff responders or organized security operations - if you are one of these, this talk is for you.
In this talk, Chris explores the processes, procedures, and best practices surrounding Incident Response (IR) as it relates to cybersecurity: Finding, containing, investigating, and eliminating attackers from within your network.
Learn more about cyber threat hunting, incident response, and how a strong incident response process will help your organization stay better protected from cyber attackers.
This presentation, reviewing Cybersecurity Incident Response (IR) Readiness, was originally shared during the 2019 DataConnectors Houston Cybersecurity Conference.
In this brief presentation, Chris Gerritz (co-founder and CPO of Infocyte) shares insights on finding and responding to hidden attackers within your network.
Learn about cybersecurity incident response, forensic triage, and the differences between telemetry and protection.
This presentation originally took place at Check Point Software's 2019 CPX 360 conference in Las Vegas.
Practical Guide to Managing Incidents Using LLM's and NLP.pdfChris Galvan
This is a project that was created to enable Cybersecurity Defenders in positions such as Forensics, Incident Response, SOC, and Threat Hunting to have a starting place to investigate logs across AWS, GCP, and and Windows Systems.
The last section includes 3 case studies and research done by Christian Galvan and Lawren Epstein on real world attacks to large companies.
An incident response plan (IRP) is a set of written instructions for.pdfaradhana9856
An incident response plan (IRP) is a set of written instructions for detecting, responding to and
limiting the effects of an information security event.Incident response plans provide instructions
for responding to a number of potential scenarios, including data breaches, denial of
service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks or
insider threats. Without an incident response plan in place, organizations may either not detect
the attack in the first place, or not follow proper protocol to contain the threat and recover from it
when a breach is detected.
According to the SANS Institute, there are six key phases of an incident response plan:
1. Preparation: Preparing users and IT staff to handle potential incidents should they should arise
2. Identification: Determining whether an event is indeed a security incident
3. Containment: Limiting the damage of the incident and isolating affected systems to prevent
further damage
4. Eradication: Finding the root cause of the incident, removing affected systems from the
production environment
5. Recovery: Permitting affected systems back into the production environment, ensuring no
threat remains
6. Lessons learned: Completing incident documentation, performing analysis to ultimately learn
from incident and potentially improve future response efforts
It is important that an incident response plan is formulated, supported throughout the
organization, and is regularly tested. A good incident response plan can minimize not only the
affects of the actual security breach, but it may also reduce the negative publicity.
From a security team perspective, it does not matter whether a breach occurs (as such
occurrences are an eventual part of doing business using an untrusted carrier network, such as the
Internet), but rather, when a breach occurs. Do not think of a system as weak and vulnerable; it is
important to realize that given enough time and resources, someone can break into even the most
security-hardened system or network. You do not need to look any further than the Security
Focus website at http://www.securityfocus.com/ for updated and detailed information concerning
recent security breaches and vulnerabilities, from the frequent defacement of corporate
webpages, to the 2002 attacks on the root DNS nameservers[1].
The positive aspect of realizing the inevitability of a system breach is that it allows the security
team to develop a course of action that minimizes any potential damage. Combining a course of
action with expertise allows the team to respond to adverse conditions in a formal and responsive
manner.
The incident response plan itself can be separated into four phases:
Immediate action to stop or minimize the incident
Investigation of the incident
Restoration of affected resources
Reporting the incident to the proper channels
Solution
An incident response plan (IRP) is a set of written instructions for detecting, responding to and
limiting the eff.
Similar to 11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt (20)
Immunizing Image Classifiers Against Localized Adversary Attacksgerogepatton
This paper addresses the vulnerability of deep learning models, particularly convolutional neural networks
(CNN)s, to adversarial attacks and presents a proactive training technique designed to counter them. We
introduce a novel volumization algorithm, which transforms 2D images into 3D volumetric representations.
When combined with 3D convolution and deep curriculum learning optimization (CLO), itsignificantly improves
the immunity of models against localized universal attacks by up to 40%. We evaluate our proposed approach
using contemporary CNN architectures and the modified Canadian Institute for Advanced Research (CIFAR-10
and CIFAR-100) and ImageNet Large Scale Visual Recognition Challenge (ILSVRC12) datasets, showcasing
accuracy improvements over previous techniques. The results indicate that the combination of the volumetric
input and curriculum learning holds significant promise for mitigating adversarial attacks without necessitating
adversary training.
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdffxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
6th International Conference on Machine Learning & Applications (CMLA 2024)ClaraZara1
6th International Conference on Machine Learning & Applications (CMLA 2024) will provide an excellent international forum for sharing knowledge and results in theory, methodology and applications of on Machine Learning & Applications.
Student information management system project report ii.pdfKamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
We have compiled the most important slides from each speaker's presentation. This year’s compilation, available for free, captures the key insights and contributions shared during the DfMAy 2024 conference.
Welcome to WIPAC Monthly the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news to celebrate the 13 years since the group was created we have articles including
A case study of the used of Advanced Process Control at the Wastewater Treatment works at Lleida in Spain
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
Hierarchical Digital Twin of a Naval Power SystemKerry Sado
A hierarchical digital twin of a Naval DC power system has been developed and experimentally verified. Similar to other state-of-the-art digital twins, this technology creates a digital replica of the physical system executed in real-time or faster, which can modify hardware controls. However, its advantage stems from distributing computational efforts by utilizing a hierarchical structure composed of lower-level digital twin blocks and a higher-level system digital twin. Each digital twin block is associated with a physical subsystem of the hardware and communicates with a singular system digital twin, which creates a system-level response. By extracting information from each level of the hierarchy, power system controls of the hardware were reconfigured autonomously. This hierarchical digital twin development offers several advantages over other digital twins, particularly in the field of naval power systems. The hierarchical structure allows for greater computational efficiency and scalability while the ability to autonomously reconfigure hardware controls offers increased flexibility and responsiveness. The hierarchical decomposition and models utilized were well aligned with the physical twin, as indicated by the maximum deviations between the developed digital twin hierarchy and the hardware.
Overview of the fundamental roles in Hydropower generation and the components involved in wider Electrical Engineering.
This paper presents the design and construction of hydroelectric dams from the hydrologist’s survey of the valley before construction, all aspects and involved disciplines, fluid dynamics, structural engineering, generation and mains frequency regulation to the very transmission of power through the network in the United Kingdom.
Author: Robbie Edward Sayers
Collaborators and co editors: Charlie Sims and Connor Healey.
(C) 2024 Robbie E. Sayers
4. OBTAINING AND VALIDATING INFORMATION RELATED
TO INFORMATION SECURITY ISSUES
information gathering.
Preparing a list most common attack vectors such as external/removable media, web, email,
impersonation, improper use by authorized users etc. can narrow down to the most competent
incident handling procedure.
validate each incident using defined standard procedures and document each step taken accurately.
5. COMMON ISSUES AND INCIDENTS OF INFORMATION
SECURITY THAT MAY REQUIRE ACTION AND WHOM TO
REPORT
An indicator may not always translate into a security incident given the possibility of technical
faults due to human error in cases such as server crash or modification of critical files.
Determining whether a particular event is actually an incident is sometimes a matter of judgment.
It may be necessary to collaborate with other technical and information security personnel to make
a decision.
Therefore, incident handlers need to report the matter to highly experienced and proficient staff
members who can analyse the precursors and indicators effectively and take appropriate actions.
6. Mentioned below are some of the means to conduct initial analysis for validation
Profiling networks and systems in order to measure the characteristics of expected activity so
that changes to it can be more easily identified and used one of the several detection and analysis
techniques.
Studying networks, systems and applications to understand what their normal behavior is so
that abnormal behavior can be recognized more easily.
Creating and implementing a log retention policy that specifies how long log data should be
maintained may be extremely helpful in analysis because older log entries may show
reconnaissance activity or previous instances of similar attacks.
7. Correlating events using evidence of an incident captured in several logs such wherein each may
contain different types of data — a firewall log may have the source IP address that was used,
whereas an application log may contain a username.
Synchronizing hosts clock using protocols such as the network time protocol (NTP) to record
time of attack.
Maintain and use a knowledge base of information that handlers need for referencing quickly
during incident analysis.
Use internet search engines for research to help analysts find information on unusual activity.
Run packet sniffers to collect additional data to record traffic that matches specified criteria
should keep the volume of data manageable and minimize the inadvertent capture of other
Information.
Filter the data to segregate categories of indicators that tend to be insignificant.
8. STEP 2: INCIDENT RECORDING
Any occurrences of incident must be recorded and the incident response team should update the
status of incidents along with other pertinent information.
Observations and facts of the incident may be stored in any of the following sources such as
logbook, laptops, audio recorders and digital cameras etc.
Incident record samples and template
Documenting system events, conversations and observed changes in files can lead to a more
efficient, more systematic and error-free handling of the problem.
Using an application or a database, such as an issue tracking system helps ensure that incidents are
handled and resolved in a timely manner.
9. The following useful information are to be included in an incident record template:
Current status of the incident as new, in progress, forwarded for investigation, resolved etc.
Summary of the incident
Indicators related to the incident
Other incidents related to this incident
Actions taken by all incident handlers on this incident
Chain of custody, if applicable
Impact assessments related to the incident
Contact information for other involved parties (system owners, system administrators etc.)
List of evidence gathered during the incident investigation
Comments from incident handlers
Next steps to be taken (rebuild the host, upgrade an application etc.)
10. STEP 3: INITIAL RESPONSE
Commence initial response to an incident based on the type of incident, the criticality of the
resources and data that are affected, the severity of the incident, existing service level agreements
(SLA) for affected resources, the time and day of the week, and other incidents that the team is
handling.
Generally, the highest priority is handling incidents that are likely to cause the most damage to the
organization or to other organizations.
11. STEP 4: COMMUNICATING THE INCIDENT
The incident should be communicated in appropriate procedures through the organization’s points
of contact (POC) for reporting incidents internally.
Therefore, it is important for an organization to structure their incident response capability so that
all incidents are reported directly to the incident response team, whereas others will use existing
support.
12. Assigning and escalating information on information security incidents
Organizations should also establish an escalation process for those instances when the team does
not respond to an incident within the designated time.
This can happen for many reasons. For example, cell phones may fail or people may have personal
emergencies.
The escalation process should state how long a person should wait for a response and what to do if
no response occurs.
On failure to respond within a stipulated time, then the incident should be escalated again to a
higher level of management. This process should be repeated until the incident is successfully
handled.
13. STEP 5: CONTAINMENT
Containment and quarantine
Containment is important before an incident overwhelms resources or increases damage.
Most incidents require containment so that is an important consideration early in the course of
handling each incident.
Containment provides time for developing a tailored remediation strategy.
An essential part of containment is decision-making where the situation may demand immediate
action such as shut down a system, disconnect it from a network and disable certain functions.
14. Various containment strategies may be considered in the following ways:
Potential damage to and theft of resources
Need for evidence preservation
Service availability (network connectivity, services provided to external parties etc.)
Time and resources needed to implement the strategy
Effectiveness of the strategy (partial containment, full containment etc.)
Duration of the solution (emergency workaround to be removed in four hours, temporary
workaround to be removed in two weeks, permanent solution etc.)
15. QUARANTINE
Handling an incident may necessitate the use of strategies to contain the existing predicament and
one such method being redirecting the attacker to a sandbox (a form of containment) so that they
can monitor the attacker’s activity, usually to gather additional evidence.
Hence, once a system has been compromised and if allowed with the compromise to continue, it
may help the attacker to use the compromised system to attack other systems.
16. UNDERSTAND NETWORK DAMAGE
• On the other hand, containment may give rise to another potential issue and that is some attacks may
cause additional damage when they are contained.
• Hence the incident handler attempts to contain the incident by disconnecting the compromised host
from the network, the subsequent pings will fail.
• As a result of the failure, the malicious process may overwrite or encrypt all the data on the host’s
hard drive.
17. IDENTIFYAND ISOLATE THE TRUST
MODEL
Network information systems are vulnerable to threats and benign nodes often compromised
because of unknown, incomplete or distorted information while interacting with external sources.
In this case, malicious nodes need to be identified and isolated from the environment. The solution
to insecure can be found in the establishment of trust.
Trust model can be formed based on the characteristics, information sources to compute, most
relevant and reliable information source, experience of other members of community etc.
18. STEP 6: FORMULATING A RESPONSE STRATEGY
An analysis of the recoverability from an incident determines the possible responses that the team
may take when handling the incident.
An incident with a high functional impact and low effort to recover from is an ideal candidate for
immediate action from the team.
In situations involving high end data infiltration and exposure of sensitive information the incident
response team may formulate response by transferring the case to strategic level team. Each
response strategy should be formulated
19. Based on business impact caused by the incident and the estimated efforts required to recover from
the incident.
Incident response policies should include provisions concerning incident reporting at a minimum,
what must be reported to whom and at what times.
Important information to be included are cio, head of information security, local information
security officer, other incident response teams within the organization, external incident response
teams (if appropriate), system owner, human resources (for cases involving employees, such as
harassment through email), public affairs etc.
20. STEP 7: INCIDENT CLASSIFICATION
Classifying and prioritizing information security incidents
An incident may be broadly classified based on common attack vectors such as
External/ removable media;
Attrition;
Web;
Email;
Improper usage;
Loss or theft of equipment;
Miscellaneous.
21. INCIDENT PRIORITIZATION
Functional impact of the incident on the existing functionality of the affected systems and future
functional impact of the incident if it is not immediately contained.
Information impact of the incident that may amount to information exfiltration and impact on
organization’s overall mission and impact of exfiltration of sensitive information on other
organizations if any of the data pertain to a partner organization.
Recoverability from the incident and how to determine the amount of time and resources that
must be spent on recovering from that incident. Necessity to actually recover from an incident and
carefully weigh that against the value the recovery effort will create and any requirements related
to incident handling.
22. INCIDENT CLASSIFICATION GUIDELINES AND
TEMPLATES
Organizations should document their guidelines and templates to handle any incident but should
focus on being prepared to handle incidents that use common attack vectors.
Capturing the attack pattern formally with required information may help understand specific parts
of an attack, how it is designed and executed, providing the adversary's perspective on the problem
and the solution, and gives guidance on ways to mitigate the attack's effectiveness.
23. Requirements – identification of relevant security requirements, misuse and abuse cases.
Architecture and design – provide context for architectural risk analysis and guidance for
security architecture.
Implementation and development – prioritize and guide review activities.
Testing and quality assurance – provide context for appropriate risk-based and penetration
testing.
System operation – leverage lessons learned from security incidents into preventative guidance.
Policy and standard generation – guide the identification of appropriate prescriptive
organizational policies and standards
24. INCIDENT PRIORITIZATION GUIDELINES AND
TEMPLATES
Creating written guidelines for prioritizing incidents serve as a good practice and help achieve
effective information sharing within an organization.
The step may also help in identifying situations that are of greater severity and demand immediate
attention.
An ideal template for incident prioritization should be formulated based on relevant factors such as
the functional impact of the incident (e.G. Current and likely future negative impact to business
functions), the information impact of the incident (e.G. Effect on the confidentiality, integrity and
availability of the organization’s information) and the recoverability from the incident (e.G. The
time and types of resources that must be spent on recovering from the incident).
25. STEP 8: INCIDENT INVESTIGATION
One of the key tasks of an incident response team is to receive information on possible incidents,
investigate them, and take action to ensure that the damage caused by the incidents is minimized.
Following up an incident investigation
In the course of the work, the team must adhere to the following procedures deemed
Receive initial investigation and data gathering from IT help desk members and escalate to high
strategic level specialist if situation demands.
Use appropriate materials that may be needed during an investigation.
26. Should become acquainted with various law enforcement representatives before an incident occurs to
discuss conditions under which incidents should be reported to them.
Maintain record of chain of custody forms should detail the transfer and include each party’s signature
while transferring evidence from person to person.
Should be careful to give out only appropriate information — the affected parties may request details
about internal investigations that should not be revealed publicly.
Ensure law enforcement are available to investigate incidents wherever necessary.
Collect required list of evidence gathered during the incident investigation.
Should collect evidence in accordance with procedures that meet all applicable laws and regulations
that have been developed from previous discussions with legal staff and appropriate law enforcement
agencies so that any evidence can be admissible in court.
27. Lessons learnt from security incident
Handling and rectifying security incident work best in a “learning and improving” model. Therefore,
incident handling teams must evolve to reflect on new threats, improved technology and lessons
learned. Each lesson’s learned brief must include the following agenda:
What exactly happened and during times?
How well did staff and management perform in dealing with the incident? Were the documented
procedures followed? Were they adequate?
What information was needed sooner?
28. Were any steps or actions taken that might have inhibited the recovery?
What would the staff and management do differently the next time a similar incident occurs?
How could information sharing with other organizations have been improved?
What corrective actions can prevent similar incidents in the future?
What precursors or indicators should be watched for in the future to detect similar incidents?
What additional tools or resources are needed to detect, analyze and mitigate future incidents?
29. PROCESS CHANGE FOR THE FUTURE
The changing nature of information technology and changes in personnel requires the incident
response team to review all related documentation and procedures for handling incidents at
designated intervals. A study of incident characteristics (data collected of previous incidents) may
indicate systemic security weaknesses and threats as well as changes in incident trends.
Incident data can also be collected to determine if a change to incident response capabilities causes
a corresponding change in the team’s performance (improvements in efficiency, reductions in
costs etc).
30. INCIDENT RECORD KEEPING
Incident record keeping or collecting data that are actionable, rather than collecting data simply
because they are available will be useful in several capacities to the organization.
It may help in deriving at the following information:
Systemic security weaknesses and threats, as well as changes in incident trends.
Selection and implementation of additional controls.
Measure the success of the incident response team.
Expected return on investment from the data.
31. STEP 9: DATA COLLECTION
Chain of custody
Evidences collected should be accounted for at all times whenever evidence is transferred from
person to person, chain of custody forms should detail the transfer and include each party’s signature.
A detailed log should be kept for all evidence, including the following:
Identifying information (e.G. The location, serial number, model number, hostname, media access
control (MAC) addresses and IP addresses of a computer).
Name, title, and phone number of each individual who collected or handled the evidence during the
investigation.
Time and date (including time zone) of each occurrence of evidence handling.
Locations where the evidence was stored.
32. STEP 10: FORENSIC ANALYSIS
Incident handling requires some team members to be specialized in particular technical areas, such
as network intrusion detection, malware analysis or forensics. Many incidents cause a dynamic
chain of events to occur, an initial system snapshot may do more good in identifying the problem
and its source than most other actions that can be taken at this stage.
Therefore, it is appropriate to obtain snapshots through full forensic disk images, not file system
backups. Disk images should be made to sanitized write-protectable or write-once media.
This process is superior to a file system backup for investigatory and evidentiary purposes. Imaging
is also valuable in that it is much safer to analyse an image than it is to perform analysis on the
original system because the analysis may inadvertently alter the original.
Some of the useful resources in forensic aspects of incident analysis may include digital forensic
workstations and/ or backup devices to create disk images, preserve log files, and save other
relevant incident data
33. STEP 11: EVIDENCE PROTECTION
Importance of keeping evidence relating to information security incidents
Collecting evidence from computing resources presents some challenges.
It is generally desirable to acquire evidence from a system of interest as soon as one suspects that an
incident may have occurred.
Users and system administrators should be made aware of the steps that they should take to
preserve evidence.
In addition, evidence should be accounted for at all times whenever evidence is transferred from
person to person, chain of custody forms should detail the transfer and include each party’s signature
and a registry or log be maintained location of the stored evidence.
34. STEP 12: NOTIFY EXTERNALAGENCIES
An organization’s incident response team should plan its incident coordination with those parties
before incidents occur to ensure that all parties know their roles and that effective line of
communication are established.
Some of the organizations’ external agencies may include other or external incident response teams,
law enforcement agencies, internet service providers and constituents, law enforcements/ legal
departments and customers or system owner etc.
35. STEP 13: ERADICATION
Eliminating components of the incident such as deleting malware and disabling breached user
accounts as well as identifying and mitigating all vulnerabilities that were exploited follow next to
successful containment and quarantine.
During the process, it is important to identify all affected hosts within the organization so that they
can be remediated.
In some cases, eradication is either not necessary or is performed during recovery.
36. Identify data backup holes
Verify data back-up and restore procedures. Incident response should be aware of the location of
back-up date storage, maintenance, user access and security procedures for data restoration and
system recovery.
Following are the suggested data back-up sources:
Spare workstations, servers, networking equipment or virtualized equivalents, which may be used
for many purposes, such as restoring back-ups and trying out malware.
Other important materials include back-up devices, blank media, basic networking equipment and
cables.
37. Operating system updates and patch management
All hosts patched appropriately using standard configurations be configured to follow the principle
of least privilege — granting users only the privileges necessary for performing their authorized tasks.
Hosts should have auditing enabled and should log significant security-related events, security of
hosts and their configurations should be continuously monitored.
In some organizations, the use of security content automation protocol (SCAP) expressed operating
system and application configuration checklists to assist in securing hosts consistently and effectively.
38. Infrastructure and security policy improvement
Security cannot be achieved by merely implementing various security systems, tools or products.
However, security failures are less likely through the implementation of security policy, process,
procedure and product(s).
Multiple layers of defence need to be applied to design a fail-safe security system.
The organization should also report all changes and updates made to its IT infrastructure, network
configuration and systems.
Organization should also focus on longer-term changes (e.G. Infrastructure changes) and ongoing
work to keep the enterprise as secure as possible.
39. STEP 14: SYSTEMS RECOVERY
In recovery, administrators restore systems to normal operation, confirm that the systems are
functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.
Recovery may involve such actions as restoring systems from clean back-ups, rebuilding systems
from scratch, replacing compromised files with clean versions, installing patches, changing
passwords and tightening network perimeter security (e.G. Firewall rulesets, boundary router
access control lists etc.).
Higher levels of system logging or network monitoring are often part of the recovery process.
Once a resource is successfully attacked, it is often attacked again or other resources within the
organization are attacked in a similar manner.
40. STEP 15: INCIDENT DOCUMENTATION
A logbook is an effective and simple medium for recording all facts regarding incidents.
Documenting system events, conversations and observed changes in files can lead to a more
efficient, more systematic and less error prone handling of the problem.
Every step taken from the time the incident was detected to its final resolution should be
documented and time-stamped.
Every document regarding the incident should be dated and signed by the incident handler as such
information can also be used as evidence in a court of law if legal prosecution is pursued.
41. Importance of keeping records and evidence relating to information
security incidents
The incident response team should maintain records about the status of incidents along with other
pertinent information.
Using an application or a database, such as an issue tracking system, helps ensure that incidents
are handled and resolved in a timely manner.
42. Audio and video documentation strategies
Recording details of evidence gathering accessories including hard-bound notebooks, digital
cameras, audio recorders, chain of custody forms etc. is one of the common strategies used to
track incidents and security.
In addition, laptops, audio recorders, and digital cameras can also serve the purpose beside system
events, conversations, and observed changes in files can lead to a more efficient, more systematic
and less error prone handling of the problem.
43. Update the status of information security incidents
Incident handling team may need to provide status updates to certain parties even in some cases the
entire organization.
The team should plan and prepare several communication methods, including out-of-band
methods (in person or on paper), and select the methods that are appropriate for a particular
incident.
44. Possible communication methods include:
Email
Website (internal, external or portal)
Telephone calls
In person (daily briefings)
Voice mailbox greeting (set up a separate voice mailbox for incident updates and update the
greeting message to reflect the current incident status and use the help desk’s voice mail greeting)
Paper (post notices on bulletin boards and doors, hand out notices at all entrance points etc.)
45. INCIDENT STATUS TEMPLATE
An incident status should carry statement of the current status of the incident so that
communications with the media are consistent and up-to-date.
Template may include the following details:
Current status of the incident Summary
of the incident
Indicators related to the incident
Other incidents related to this incident
Actions taken by all incident handlers on this incident
Chain of custody, if applicable
Impact assessments related to the incident
Contact information for other involved parties
(e.G. System owners, system administrators)
List of evidence gathered during the incident
investigation
Comments from incident handlers
Next steps to be taken (e.G. Rebuild the host,
upgrade an application)
46. PREPARING REPORTS ON INFORMATION
SECURITY INCIDENTS
This estimate may become the basis for subsequent prosecution activity by law enforcement
entities.
Follow-up reports should be kept for a period of time as specified in record retention policies
Another important post-incident activity is creating a follow-up report for each incident, which can
be quite valuable for future use.
The report provides a reference that can be used to assist in handling similar incidents.
47. INCIDENT REPORT TEMPLATES
Creating a formal chronology of events in the incident report template for criteria including time-
stamped information such as log data from systems (important for legal reasons) and monetary
estimate of the amount of damage the incident caused.
48. Additionally, the following information may also be a part of the report:
Number of incidents handled
Time per incident
Objective assessment of each incident
Subjective assessment of each incident
Organizations should specify which incidents must be reported, when they must be reported and to
whom.
The parties most commonly notified are the CIO, head of information security, local information
security officer, other incident response teams within the organization and system owners.
49. SUBMITTING INFORMATION SECURITY REPORTS
Security follow-up reports are usually kept for a period of time as specified in record retention
policies.
Most organizations have data retention policies that state how long certain types of data may be
kept.
For example, an organization may state that email messages should be retained for only 180 days.
If a disk image contains thousands of emails, the organization may not want the image to be kept
for more than 180 days unless it is absolutely necessary.
50. STEP 16: INCIDENT DAMAGE AND COST
ASSESSMENT
After the incident is adequately handled, the organization issues a report that details the cause and
cost of the incident and the steps the organization should take to prevent future incidents.
The incident data, particularly the total hours of involvement and the cost, may be used to justify
additional funding of the incident response team.
Cost of storing evidence and the cost of retaining functional computers that can use the stored
hardware and media can be substantial.
Cost is a major factor, especially if employees are required to be onsite 24/7.
Organizations may fail to include incident response-specific costs in budgets, such as sufficient
funding for training and maintaining skills.
51. STEP 17: REVIEW AND UPDATE THE RESPONSE
POLICIES
The organization must review and update response policies, related activities, gather information
from the handlers, provide incident updates to other groups, and ensure that the team’s needs are
met.
The gambit of the work may also include periodically reviewing and updating threat update
information through briefings, web postings, and mailing lists published by authorized agencies or
public bodies
52. STEP 18: TRAINING AND AWARENESS
Organizations must create, provision, and operate a formal incident response capability.
Security awareness and training checklist
Establishing an incident response training and awareness should include the following actions:
Creating an incident response training and awareness policy and plan.
Developing procedures for performing incident handling and reporting.
Setting guidelines for communicating with outside parties regarding incidents.
Training it staff on complying with the organization’s security standards and making users aware of
policies and procedures regarding appropriate use of networks, systems and applications.
53. Training should be provided for sop (delineation of the specific technical processes, techniques,
checklists and forms) users.
Staffing and training the incident response team.
Providing a solid training program for new employees.
Training to maintain networks, systems and applications in accordance with the organization’s
Security standards.
Creating awareness of policies and procedures regarding appropriate use of networks, systems, and
applications.
54. Incident response knowledge base
The knowledge base is the consolidated incident data collected onto common incident database.
Organizations can create their own knowledge base or refer to those established by several groups
and organizations.
Although it is possible to build a knowledge base with a complex structure, a simple approach can
be effective.
Text documents, spreadsheets and relatively simple databases provide effective, flexible and
searchable mechanisms for sharing data among team members.
The knowledge base should also contain a variety of information, including explanations of the
significance and validity of precursors and indicators, such as IDPS alerts, operating system log
entries and application error codes.
55. Accessing and updating knowledge base
An incident handler may access knowledge databases information quickly during incident analysis,
a centralized knowledge base provides a consistent and maintainable source of information.
The knowledge base should include general information such as data on precursors and indicators
of previous incidents.
Importance of tracking progress
Several groups collect and consolidate incident data from various organizations into incident
databases.
This information sharing may take place in many forms such as trackers and real-time blacklists.
The organization can also check its own knowledge base or issue tracking system for related
activity.
56. Corrective and preventative actions for information security incidents
In the absence of security controls higher volumes of incidents may occur overwhelming the
incident response team.
An incident response team may be able to identify problems that the organization is otherwise not
aware of.
The team can play a key role in risk assessment and training by identifying gaps.
57. The following text, however, provides a brief overview of some of the main recommended practices
for securing networks, systems and applications:
Periodic risk assessments of systems and applications to determine what risks posed by
combinations of threats and vulnerabilities.
Hardened hosts appropriately using standard configurations while keeping each host properly
patched, hosts should be configured to follow the principle of least privilege — granting users only
the privileges necessary for performing their authorized tasks.
The network perimeter should be configured to deny all activity that is not expressly permitted.
Software to detect and stop malware should be deployed throughout the organization.
Users should be made aware of policies and procedures regarding appropriate use of networks,
systems and applications
59. INCIDENT HANDLING PREPARATION
Preparation is the first step to handling an incident response and it accounts for establishing an
incident response capability so that the organization is ready to respond to incidents, but also
preventing incidents by ensuring that systems, networks and applications are sufficiently secure.
Incident handling procedures include the following requirements:
Contact information for team members and others within and outside the organization (primary and
back-up contacts) such as law enforcement and other incident response teams etc.
On-call information for other teams within the organization including escalation information.
60. Incident reporting mechanisms, such as phone numbers; email addresses; online forms; and secure
instant messaging systems that users can use to report suspected incidents.
Issue tracking system for tracking incident information, status etc.
Encryption software to be used for communication among team members, within the organization
and with external parties and federal agencies, software must use a fips-validated encryption
algorithm.
Digital forensic workstations and/ or backup devices to create disk images, preserve log files, and
save other relevant incident data.
Laptops for activities such as analyzing data, sniffing packets and writing reports.
61. Portable printer to print copies of log files and other evidence from non-networked systems.
Packet sniffers and protocol analyzers to capture and analyze network traffic.
Port lists, including commonly used ports and trojan horse ports.
Documentation for oss, applications, protocols, and intrusion detection and antivirus products.
Network diagrams and lists of critical assets, such as database servers.
Current baselines of expected network, system and application activity.
Cryptographic hashes of critical files to speed incident analysis, verification and eradication.
Access to images of clean os and application installations for restoration and recovery purposes.
62. For malicious code incidents, the following preparation steps can be taken:
Step 1. Make users aware of malicious code issues – this information should include a basic
review of the methods that malicious code uses to propagate and the symptoms of infections. Holding
regular user education sessions helps to ensure that users are aware of the risks that malicious code
poses.
Step 2. Read antivirus vendor bulletins – sign up for mailing lists from antivirus vendors that
provide timely information on new malicious code threats.
Step 3. Deploy host-based intrusion detection systems to critical hosts – host-based IDS
software can detect signs of malicious code incidents such as configuration changes and system
executable modifications. File integrity checkers are useful in identifying the affected components of
a system.
63. Some organizations configure their network perimeters to block connections to specific common
trojan horse ports, with the goal of preventing trojan horse client and server component
communications.
However, this approach is generally ineffective. Known trojan horses use hundreds of different port
numbers, and many trojan horses can be configured to use any port number.
Also, some trojan horses use the same port numbers that legitimate services use so their
communication cannot be blocked by port number. Some organizations also implement port
blocking incorrectly so legitimate connections are sometimes blocked.
Implementing filtering rules for each trojan horse port will also increase the demands placed on the
filtering device. Generally, a trojan horse port should be blocked only if the organization has a
serious trojan horse infestation.
64.
65. INCIDENT PREVENTION
Incident prevention objectively works on minimizing larger negative business (e.G. More extensive
damage, longer periods of service and data unavailability etc.) Impact and reduced number of
incidents.
Although incident response teams are generally not responsible for securing resources, they can be
advocates of sound security practices.
They can play a key role of identify problems that the organization is otherwise not aware of, the
team can play a key role in risk assessment and training by identifying gaps.
66. Some of the recommended practices for securing networks, systems and applications include:
Periodic risk assessments of systems and applications.
Hardening of hosts appropriately using standard configurations.
Configuring network perimeters such as securing all connection points, such as virtual private
networks (vpns) and dedicated connections to other organizations.
Deploying malware protection at the host level (server and workstation operating systems), the
Application server level (email server, web proxies etc.) And the application client level (email
clients, instant messaging clients etc.)
Applying the learning from previous incidents, and sharing with users so they can see how their
actions could affect the organization.
67. • For preventing malicious code incidents, the following steps can be taken:
Step 1. Use antivirus software: antivirus software is a necessity to combat the threat of malicious
code and limit damage. The software should be running on all hosts throughout the organization,
and all copies should be kept current with the latest virus signatures so that the newest threats can
be thwarted. Antivirus software should also be used for applications used to transfer malicious
code, such as e-mail, file transfer and instant messaging software. The software should be
configured to perform periodic scans of the system as well as real-time scans of each file as it is
downloaded, opened or executed. The antivirus software should also be configured to disinfect and
quarantine infected files. Some antivirus products not only look for viruses, worms and trojan
horses, but they also examine HTML, activex, javascript and other types of mobile code for
malicious content.
68. Step 2. Block suspicious files: configure email servers and clients to block attachments with file
extensions that are associated with malicious code (e.G. .Pif, .Vbs) and suspicious file extension
combinations (e.G. .Txt.Vbs, .Htm.Exe).
Step 3. Limit the use of nonessential programs with file transfer capabilities: examples include
peer- to-peer file and music sharing programs, instant messaging software and IRC clients and
servers. These programs are frequently used to spread malicious code among users.
69. Step 4. Educate users on the safe handling of email attachments: antivirus software should be
configured to scan each attachment before opening it. Users should not open suspicious attachments
or attachments from unknown sources. Users should also not assume that if the sender is known, the
attachment is not infected. Senders may not know that their systems are infected with malicious code
that can extract email addresses from files and send copies of the malicious code to those addresses.
This activity creates the impression that the emails are coming from a trusted person even though the
person is not aware that they have been sent. Users can also be educated on file types that they should
never open (e.G. .Bat, .Com, .Exe, .Pif, .Vbs). Although user awareness of good practices should
lessen the number and severity of malicious code incidents, organizations should assume that users
will make mistakes and infect systems
70. Step 5. Eliminate open windows shares: many worms spread through unsecured shares on hosts
running windows. If one host in the organization is infected with a worm, it could rapidly spread to
hundreds or thousands of other hosts within the organization through their unsecured shares.
Organizations should routinely check all hosts for open shares and direct the system owners to
secure the shares properly. Also, the network perimeter should be configured to prevent traffic that
uses netbios ports from entering or leaving the organization’s networks. This should not only
prevent external hosts from directly infecting internal hosts through open shares but should also
prevent internal worm infections from spreading to other organizations through open shares.
71. Step 6. Use web browser security to limit mobile code: all web browsers should have their security
settings configured so as to prevent unsigned activex and other mobile code vehicles from
unknowingly being downloaded to and executed on local systems. Organizations should consider
establishing an internet security policy that specifies which types of mobile code may be used from
various sources (e.G. Internal servers, external servers).
Step 7. Configure email clients to act more securely: email clients throughout the organization
should be configured to avoid actions that may inadvertently permit infections to occur. For example,
email clients should not automatically execute attachments.
72. DETECTION OF MALICIOUS CODE
Detection of malicious code involves the preparation to handle incidents that use common attack
vectors. Some of the key aspects useful in determining malicious code detection:
Screening attack vectors such as removable media or other peripheral device.
Keeping a tab on network flow information through routers and other networking devices that can
be used to find anomalous network activity caused by malware, data exfiltration and other
malicious acts.
73. Monitoring alerts sent by most idps products that uses attack signatures to identify malicious
activity. The signatures must be kept up to date so that the newest attacks can be detected.
Observing antivirus software alerts for detecting various forms of malware, generates alerts and
prevents the malware from infecting hosts.
Maintaining and using a rich knowledge base replete with explanations of the significance and
validity of precursors and indicators, such as idps alerts, operating system log entries and
application error codes.
74. Following appropriate containment procedures which require disconnection of host from the
network, and cause further damage. Because malicious code incidents can take many forms, they
may be detected via a number of precursors and indications. Some precursors and possible
responses are listed below:
Precursor: an alert warns of new malicious code that targets software that the organization uses.
Response: research the new virus to determine whether it is real or a hoax. This can be done
through antivirus vendor websites and virus hoax sites. If the malicious code is confirmed as
authentic, ensure that antivirus software is updated with virus signatures for the new malicious
code. If a virus signature is not yet available, and the threat is serious and imminent, the activity
might be blocked through other means, such as configuring email servers or clients to block emails
matching characteristics of the new malicious code. The team might also want to notify antivirus
vendors of the new virus.
75. Precursor: antivirus software detects and successfully disinfects or quarantines a newly received
infected file.
Response: determine how the malicious code entered the system and what vulnerability or weakness
it was attempting to exploit. If the malicious code might pose a significant risk to other users and
hosts, mitigate the weaknesses that the malicious code used to reach the system and would have used
to infect the target host.
For example:
Similarly, there are certain indications that can highlight the onset of a malicious action.
76. For example:
Malicious action: a virus that spreads through email infects a host.
Indicators:
Antivirus software alerts of infected files
Sudden increase in the number of emails being sent and received
Changes to templates for word processing documents, spreadsheets etc.
Deleted, corrupted or inaccessible files
Unusual items on the screen such as odd messages and graphics
Programs start slowly, run slowly or do not run at all
System instability and crashes
77. Malicious action: a worm that spreads through a vulnerable service infects a host.
Indicators:
Antivirus software alerts of infected files
Port scans and failed connection attempts targeted at the vulnerable service (e.G.
Open windows shares, HTTP)
Increased network usage
Programs start slowly, run slowly or do not run at all
System instability and crashes
78. Malicious action: malicious mobile code on a web site is used to infect a host with a virus, worm or
Trojan horse.
Indications listed above for the pertinent type of malicious code
Unexpected dialog boxes, requesting permission to do something
Unusual graphics such as overlapping or overlaid message boxes
79. Malicious action: a trojan horse is installed and running on a host.
Indicators:
Antivirus software alerts of trojan horse versions of files
Network intrusion detection alerts of trojan horse client-server communication
Firewall and router log entries for trojan horse client-server communication
Network connections between the host and unknown remote systems
Unusual and unexpected ports open
Unknown processes running
High amounts of network traffic generated by the host, particularly if directed at external host(s)
Programs start slowly, run slowly or do not run at all
System instability and crashes
80. CONTAINMENT STRATEGY
Containment strategies vary based on the type of incident. For example, the strategy for containing an
email-borne malware infection is quite different from that of a network-based ddos attack.
Organizations should create separate containment strategies for each major incident type, with criteria
documented clearly to facilitate decision making.
Criteria for determining the appropriate strategy include:
Potential damage to and theft of resources
Need for evidence preservation
Service availability (e.G. Network connectivity or services provided to external parties)
Time and resources needed to implement the strategy
Effectiveness of the strategy (e.G. Partial containment or full containment)
Duration of the solution (e.G. Emergency workaround to be removed in four hours, temporary
workaround to be removed in two weeks or permanent solution)
Containment strategy for malicious code incidents may include:
81. Identifying and isolating other infected hosts: antivirus alert messages are a good source of information,
but not every infection will be detected by antivirus software.
Incident handlers may need to search for indications of infection through other means such as:
Performing port scans to detect hosts listening on a known trojan horse or backdoor port.
Using antivirus scanning and clean-up tools released to combat a specific instance of malicious
Code.
Reviewing logs from email servers, firewalls and other systems that the malicious code may have
passed through as well as individual host logs.
Configuring network and host intrusion detection software to identify activity associated with
Infections.
Auditing the processes running on systems to confirm that they are all legitimate.
82. SENDING UNKNOWN MALICIOUS CODE TO
ANTIVIRUS VENDORS:
malicious code that cannot be definitively identified by antivirus software may occasionally enter
the environment.
Eradicating the malicious code from systems and preventing additional infections may be difficult
or impossible without having updated antivirus signatures from the vendor.
Incident handlers should be familiar with the procedures for submitting copies of unknown
malicious code to the organization’s antivirus vendors.
83. Configuring email servers and clients to block emails:
many email programs can be configured manually to block emails by particular subjects,
attachment names or other criteria that correspond to the malicious code.
This is neither a foolproof nor an efficient solution, but it may be the best option available if an
imminent threat exists and antivirus signatures are not yet available.
Blocking outbound access:
if the malicious code attempts to generate outbound emails or connections, handlers should consider
blocking access to ip addresses or services to which the infected system may be attempting to
connect.
84. Shutting down email servers:
during the most severe malicious code incidents with hundreds or thousands of internal hosts
infected, email servers may become completely overwhelmed by viruses trying to spread via email.
It may be necessary to shut down an email server to halt the spread of email-borne viruses.
85. Isolating networks from the internet:
networks may become overwhelmed with worm traffic when a severe worm infestation occurs.
Occasionally a worm will generate so much traffic throughout the internet that network perimeters
are completely overwhelmed.
It may be better to disconnect the organization from the internet, particularly if the organization’s
internet access is essentially useless as a result of the volume of worm traffic.
This protects the organization’s systems from being attacked by external worms should the
organization’s systems already be infected. This prevents them from attacking other systems and
adding to the traffic congestion.
86. EVIDENCE GATHERING AND HANDLING
The primary reason for gathering evidence during an incident is to resolve the incident however it
may also be needed for legal proceedings. In the case of incident analysis, the procedure is
implemented through the application of hardware and software and related accessories such as
hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage
bags and tags and evidence tape and to preserve evidence for possible legal actions.
With respect to legal proceedings, it is important to clearly document how all evidence, including
compromised systems, has been preserved. Evidence should be collected according to procedures
that meet all applicable laws and regulations that have been developed from previous discussions
with legal staff and appropriate law enforcement agencies so that any evidence can be admissible in
court. Thus, users and system administrators should be made aware of the steps that they should
take to preserve evidence.
87. ERADICATION AND RECOVERY
After an incident has occurred, it is important to identify all affected hosts within the organization
so that they can be remediated.
For some incidents, eradication is either not necessary or is performed during recovery.
In recovery, administrators restore systems to normal operation, confirm that the systems are
functioning normally and (if applicable) remediate vulnerabilities to prevent similar incidents.
88. Eradication procedures may be performed in the following ways:
Identify and mitigate all vulnerabilities that were exploited.
Remove malware, inappropriate materials and other components.
Repeat the detection and analysis steps to identify all other affected hosts, if more affected
hosts are discovered (e.G. New malware infections.
Contain and eradicate the incident in accordance with appropriate procedures.
89. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems
from scratch, replacing compromised files with clean versions, installing patches, changing
passwords and tightening network perimeter security (e.G. Firewall rulesets, boundary router
access control lists).
Some of the recommended practices in recovery procedures are:
Return affected systems to an operationally ready state
Confirm that the affected systems are functioning normally
Implement additional monitoring to look for future related activity, if necessary
Eradication and recovery should be done in a phased approach so that remediation steps are
prioritized.
90. ANTIVIRUS SYSTEMS
Antivirus software effectively identifies and removes malicious code infections however, some
infected files cannot be disinfected. (Files can be deleted and replaced with clean backup copies.
In case of an application, the affected application can be reinstalled.) If the malicious code
provided attackers with root-level access, it may not be possible to determine what other actions
the attackers may have performed.
In such cases, the system should either be restored from a previous, uninfected backup or be
rebuilt from scratch. Of course, the system should then be secured so that it will not be susceptible
to another infection from the same malicious code.
91. Antivirus software sends alerts when it detects that a host is infected with malware.
It detects various forms of malware, generates alerts and prevents the malware from infecting hosts.
Current antivirus products are effective at stopping many instances of malware if their signatures are
kept up to date.
Anti-spam software is used to detect spam and prevent it from reaching users’ mailboxes.
Spam may contain malware, phishing attacks and other malicious content, so alerts from anti-spam
software may indicate attack attempts.
93. THE CHALLENGE
A large, multinational organization was alerted by US-CERT/FBI that it had been the source of a
number of credit cards and details being leaked/sold on underground (carding) forums.
After an initial investigation, the organization's security team discovered a compromised credit-
card processing server but, having insufficient resources and skills in dealing with the incident,
called in OSEC.
94. THE SOLUTION
OSEC sent a team of analysts, including incident response, crisis management, and digital
forensics personnel to the organization's head office and data centres to deal with the incident.
Once there, the team initiated full incident response based on the information supplied by the
organization itself as well as law enforcement/authorities.
95. PLANNING - AFTER THE FACT
The first task was understanding what measures were in place to deal with the incident.
Unfortunately, while the organization had an incident response plan, it had not undertaken the first
step of incident response - preparation.
Osec's incident response manager, along with the team, got to work coming up with a strategy:
analysing the available information, using it to understand the extent of the compromise, and the
incident, and working out how to contain and eradicate it.
All the while, information to the rest of the organization and the world at large had to be
controlled, due to the possible legal and regulatory implications.
Now that you know the security challenge that had been faced by us-cert/fbi, you may now read
the detection and eradication process that was adopted to handle the incident in a controlled
manner:
96. DETECTION AND ANALYSIS
Containment required understanding what data had been exfiltrated, and working back from there to the
compromised resources, as well as examining the rest of the environment for other footholds that the
attackers had.
Quickly gaining an understanding of the network and segmentation, as well as rapidly implementing
network behavioural analysis and performing content inspection between the payment processing
infrastructure and external networks, OSEC detected connections back to command and control servers
that were known to be operated by organized criminal elements ('carders').
From there, we started performing analysis of the compromised systems using forensics techniques to
determine how and what vulnerabilities had been exploited to gain access, correlating that with
available logging information, all the while monitoring network flows to both ensure that no additional
card information was being exfiltrated for the purposes of understanding what machines were under
their control, all without alerting the bad guys.
97. Within a short amount of time, OSEC determined that a third-party web application/site that was
vulnerable to SQL injection had been initially compromised, and then used as a "base of operations"
to penetrate further into the network, ultimately gaining access to the payment processing
segments.
By targeting administrators using social engineering attacks in combination with an internet
explorer vulnerability, they had then stolen credentials that could be used to authenticate to
payment processing servers, and utilized privilege escalation vulnerabilities on the servers
themselves to harvest credit card numbers as they were being processed.
In addition, they had installed customized malware that communicated with the command and
control servers and exfiltrated data through encrypted tunnels, in bursts, to evade detection.
98. CONTAINMENT AND ERADICATION
OSEC then went about stopping the spread of the malware and compromise, and expelling the
attackers from the network. Once we had determined that the malware installed would not respond
negatively to loss of connectivity to command and control servers, we quickly: ensured the initial
point of compromise (SQL injection) was corrected scanned for similar common vulnerabilities in
externally- visible systems, and ensured any identified issues were corrected reset all relevant
authentication credentials blocked the attackers at the network perimeter.
We then set about isolating and cleaning each of the compromised hosts as quickly as we could, in
coordination with IT personnel, to ensure that the processing systems were impacted as little as
possible.
99. In most cases, we were able to wipe hosts and perform recovery to ensure all traces of malware
were eradicated, but a number of systems required manual cleaning, which we undertook with the
relevant organizational resources, and initiated extensive monitoring to ensure no undetected
issues remained.
Finally, once the full extent of the breach was understood - particularly what and how much data
had been stolen, osec coordinated with pr and legal personnel to manage client and other
regulatory- body notifications.
100. POST-INCIDENT ACTIVITY
Once the immediate incident had been dealt with, OSEC performed a post-mortem analysis of the
incident, the organization's response, and compared it to osec's internally-developed IR processes,
procedures, and frameworks to identify what needed to be done to ensure IR, vulnerability
management, as well as overall information security management process and procedures were
improved such that future incidents would be minimized we then sat down with the various
stakeholders in the organization that had been involved and discussed the incident and response,
explaining the relevant issues, identifying organizational problems that also needed to be corrected,
as well as future strategies for avoiding incidents and dealing with them when they occurred,
communicating our recommended incident response strategy and implementation to the
organization's senior levels.
101. Having reviewed osec's recommendations, the organization then asked us back to assist with
implementing them.
Over a 3 months’ period, OSEC led a number of efforts, including implementing protection
mechanisms at the host, application, and network layers; establishing a functioning vulnerability
management within the overall information security management program, verifying processes,
helping with staffing and training, and performing incident response drills to test the final product.
102. THE RESULT
Twelve months after implementing the recommendations, and achieving a practical incident
response program, the organization has not suffered any subsequent breaches.
In addition, it has gained the assurance, through incident response drills, that should a breach
occur, response will be swift and effective.