Chapter 15
Incident Response and Handling
INFORMATION SYSTEM SECURITY
Jupriyadi, S.Kom. M.T.
jupriyadi@teknokrat.ac.id
Bandarlampung, August 2021
Outline
• The Incident Response Process
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
• The Attacker Process
• Reconnaissance
• Scanning
• Exploitation
• Keeping Access
• Covering Tracks
• Conclusion
Incident Response and Digital Forensics
 One of the least practiced, most stressful, highly
scrutinized areas of Information Security.
 Every incident is unique and can incorporate
many different areas of the affected organization.
 Incident analysts must be able to think quickly,
remain calm and consider all possibilities.
Common Incident Types
• Economic Espionage
• Intellectual Property Theft
• Unauthorized Access
• Stolen Passwords and Data
• Unauthorized Use
• Inappropriate E-Mail and Web Habits
• Malicious Code
• Worms with Backdoors (Sasser)
• Insider Threats
6 Steps of the Incident Handler Methodology
 Preparation
 Identification
 Containment
 Eradication
 Recovery
 Lessons Learned
Incident Handling Steps
https://www.experts-exchange.com/articles/28821/What's-in-an-Incident-Response-Plan.html
Preparation:
• The key to a successful response is preparation.
• Form a strategy.
• Design a procedure.
• Gather Resources.
• Practice, practice, practice.
Preparation:
• Identify the “Core Team”
• Technical (IT, InfoSec and System Owners)
• Management
• Legal Department
• Forensics
• Public Relations
• Human Resources
• Physical Security and Maintenance
• Telecommunications
Preparation:
• Develop a Procedure
• Incident response can be a high-stress time. A well-documented
procedure that is easy to follow can greatly reduce the anxiety.
• Develop a call tree and notification procedures
• Brainstorm likely scenarios.
• Identify general information needed in most scenarios ahead
of time.
• Make checklists and forms for as much as possible.
Preparation:
• Communication
• Communication is incredibly important during an incident: not only
the people involved, but also the method by which it is done.
• Updates should be frequent.
• Out-of-Band Communications are very important.
• Faxes
• Cell Phones
• Be careful with the BlackBerrys
Preparation:
• Access Rights
• The incident response team must have access to systems
without the administrator's authorization.
• Controversial Issue
• User Accounts, Passwords and Encryption keys
• Third-party storage methods are available
Preparation:
• Policies
• Protect the organization from legal liability and allow
investigators to do their job.
• Warning Banners are readily displayed.
• Search policy is detailed in employee manual.
• Human Resources and Legal have signed off.
• Employees have acknowledged knowing their expectations on
privacy.
• Beware of international laws (European Privacy Directive)
Preparation:
• Gathering Resources
• Incident analysts should have all information ready and be able
to respond to the incident.
• Procedures, Checklists and Forms are ready.
• Access credentials are available or individuals with them are
known.
• System information, network diagrams, software and
intellectual property are documented thoroughly.
Identification:
“Incidents can’t always be prevented, but must always be
detected.”
Incident: Intentional or Unintentional
 Multiple failed logins to the domain administrator account.
 Administrator credentials were cached on a
user's workstation and it is attempting to
log in.
 Someone is actively attempting to brute-force
the account.
Identification:
• Goals
• Determine Scope
• Identify what systems, people and informational assets are
involved in the event.
• Preserve Evidence
• Protect the facts of the incident while determining the
scenario.
Identification: Suspicious Events
• Unexplained Occurrences
• New Accounts or Files
• File Modifications
• IDS Triggers
• Firewall Entries
• Accounting Discrepancies
• Poor Performance/Unresponsive services
• System Instability
Identification: Passive Identification
• Sniffers and Traffic Analysis
• Cyclical Buffers allow full recording of events at the packet level
to a point, depending on size and utilization.
• Target machine evidence is still preserved.
• Assist in determining new attacks for which signatures have not
yet been written.
Identification: Passive Identification
• Intrusion Detection Systems
• Least invasive method
• Target machine evidence is preserved
• Logs must still be protected
• Write-Once, Read-Many Media
Identification: Passive Identification
• Tripwire-style File Modification
• A hash of the file is taken and stored in a secure database. Any
modification to that file results in a change of the hash.
• Very indicative of a successful compromise.
• Can be noisy during patching and must be tuned after every
software upgrade.
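Worked example for the Tripwire-style slide above (added for this lecture; it is not code from the slides or from Tripwire). It hashes a baseline, reports files that were modified, added or removed, and shows the tuning the slide calls for after a software upgrade: paths a scheduled patch is known to replace are reported separately instead of as alerts, and only those hashes are refreshed afterwards. The file names, contents and patch manifest are constructed for the demo.

```python
"""Tripwire-style file integrity check, with a tuning step for patch days.

Added example, not code from the slides. compare() works on an in-memory
snapshot {path: bytes} so it runs offline; snapshot_dir() builds the same
structure from a real directory. File names and contents are constructed.
"""
import hashlib
import os


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(snapshot):
    """Hash every file. This mapping is what you keep in the protected database
    (ideally on write-once media or a host the monitored system cannot reach)."""
    return {path: sha256(content) for path, content in snapshot.items()}


def snapshot_dir(root):
    """Read a real directory tree into {relative_path: bytes}."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = fh.read()
    return snap


def compare(stored, current, expected_changes=frozenset()):
    """Diff the stored hashes against the current snapshot.

    Paths in expected_changes (files a scheduled patch is known to replace) are
    reported under 'expected' rather than 'modified'; that is the tuning the
    slide asks for after every software upgrade. Everything else that changed,
    appeared or vanished is a finding."""
    result = {"modified": [], "added": [], "removed": [], "expected": []}
    for path, digest in stored.items():
        if path not in current:
            result["removed"].append(path)
        elif digest != sha256(current[path]):
            bucket = "expected" if path in expected_changes else "modified"
            result[bucket].append(path)
    for path in current:
        if path not in stored:
            result["added"].append(path)
    for bucket in result.values():
        bucket.sort()
    return result


def rebaseline(stored, current, paths):
    """After the expected changes are confirmed, refresh only those hashes."""
    updated = dict(stored)
    for path in paths:
        updated[path] = sha256(current[path])
    return updated


# Constructed demo: a golden image, then the same host after a patch that
# legitimately replaced bin/ls, while bin/ps was altered and a file was dropped.
GOLDEN = {"bin/ls": b"ls version 1", "bin/ps": b"ps version 1", "etc/passwd": b"root:x:0:0"}
AFTER = {"bin/ls": b"ls version 2", "bin/ps": b"ps version 1 + hidden extra",
         "etc/passwd": b"root:x:0:0", "tmp/.cache": b"unexpected new file"}
PATCH_MANIFEST = {"bin/ls"}   # what the vendor patch said it would touch


if __name__ == "__main__":
    stored = build_baseline(GOLDEN)
    print(compare(stored, AFTER, PATCH_MANIFEST))
    stored = rebaseline(stored, AFTER, PATCH_MANIFEST)
    print(compare(stored, AFTER, PATCH_MANIFEST))
```

The first compare() reports bin/ps as modified and tmp/.cache as added while bin/ls lands under "expected"; after rebaseline() only the two real findings remain. Keep the stored hashes where the monitored host cannot write to them, or a successful intruder simply updates the baseline.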
Identification: HoneyPots and HoneyTokens
• Specific systems or accounts with additional logging and
notification to alert on suspicious activity.
• Operators must be careful of entrapment.
• Systems have to be secured and heavily monitored.
• Systems cannot invite intruders –
• No “hackme” accounts
• No “Salary Database” systems
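Worked example for two of the identification slides above: the "multiple failed logins to the domain administrator account" scenario and the honeytoken slide (added for this lecture; it is not code from the slides). It reads a constructed key=value authentication log, separates a workstation retrying a stale cached credential from an active brute-force against the same account, escalates when failures are followed by a success from the same source, and alerts on any logon event against a decoy account. The log format, account names, addresses and thresholds are all assumptions made for the demo.

```python
"""Triage failed logons to a privileged account and watch a honeytoken account.

Added example for this lecture, not code from the slides. The log format
(ISO timestamp followed by key=value fields), account names, addresses and
thresholds are constructed for the demo; adapt parse() to your own export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Decoy account with no legitimate use: any logon event against it is an alert.
HONEYTOKEN_ACCOUNTS = {"svc_legacy_backup"}      # constructed name
BRUTE_FORCE_MIN_ATTEMPTS = 6                      # tune to your environment
BRUTE_FORCE_MAX_MEDIAN_GAP = 5.0                  # seconds between attempts

# Constructed sample log: a workstation retrying a stale cached credential once a
# minute, an external host hammering the same account and finally getting in,
# and one logon attempt against the honeytoken account.
SAMPLE_LOG = "\n".join(
    [f"2021-08-02T09:0{m}:00 host=dc01 event=logon_failed user=administrator src=10.1.1.5"
     for m in range(4)]
    + [f"2021-08-02T09:03:{10 + s:02d} host=dc01 event=logon_failed user=administrator src=203.0.113.7"
       for s in range(8)]
    + ["2021-08-02T09:03:19 host=dc01 event=logon_ok user=administrator src=203.0.113.7",
       "2021-08-02T09:05:00 host=dc01 event=logon_failed user=svc_legacy_backup src=203.0.113.7"]
)


def parse(line):
    """Turn one 'TIMESTAMP k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def analyze_auth_log(text):
    """Return {'user@src': {'attempts': n, 'verdict': ...}} for every (account, source)
    pair that produced failures or touched a honeytoken account."""
    failures = defaultdict(list)
    successes = set()
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        key = f"{r['user']}@{r['src']}"
        if r["user"] in HONEYTOKEN_ACCOUNTS:
            # The event itself is the indicator, whether the logon succeeded or not.
            f = findings.setdefault(key, {"attempts": 0, "verdict": "honeytoken_touched"})
            f["attempts"] += 1
        elif r["event"] == "logon_failed":
            failures[key].append(r["ts"])
        elif r["event"] == "logon_ok":
            successes.add(key)

    for key, times in failures.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= BRUTE_FORCE_MIN_ATTEMPTS and median(gaps) <= BRUTE_FORCE_MAX_MEDIAN_GAP:
            verdict = "brute_force"        # many attempts in rapid succession
        elif gaps and pstdev(gaps) <= 0.1 * median(gaps):
            verdict = "cached_credential"  # few attempts at a machine-regular interval
        else:
            verdict = "review"             # not enough signal; look at it by hand
        if key in successes:
            verdict += "+success"          # failures followed by a success: escalate
        findings[key] = {"attempts": len(times), "verdict": verdict}
    return findings


if __name__ == "__main__":
    for key, finding in sorted(analyze_auth_log(SAMPLE_LOG).items()):
        print(f"{key:32} attempts={finding['attempts']:<3} {finding['verdict']}")
```

Run with python and it prints one line per account/source pair. The cached_credential verdict matches the slide's benign interpretation (a cleanup task for the desktop team); brute_force+success is the case to declare an incident on and move into containment; honeytoken_touched needs no threshold at all because the account has no legitimate user.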
Containment -
Now that the events have been identified as an incident and
a chain-of-custody for evidence has been established, we
will take the first step into system modification by beginning
our containment.
Containment:
• Vendor Coordination
• Work closely with your vendors and know how to open
security-related tickets with high priority.
• ISPs can prevent some Denial of Service situations.
• They are more familiar with attacks because they have seen them
with other clients and are up-to-date on advisories.
• Additional people working towards identification, containment and
recovery.
• We are used to the pressure!
Containment:
• Identifying the Trust Model
• The trust model identifies not only the technology, but also the
people that are involved in the incident.
• What connectivity does the network or system have to
other areas in the organization?
• What information is contained within it?
• Who needs to be involved and to what extent?
Containment:
• Documentation Strategies
• Documentation should be collected from most volatile to least volatile and
least invasive to most invasive.
• Volatile evidence includes RAM, running processes and active
connections.
• Be careful of running system commands from anything but
recovery media.
Containment:
• Should we Quarantine?
• Changes to a system may be easily observed by an active
attacker.
• Rootkits may identify a pulled network connection or
extensive system modification and protect the attacker.
• Some exploits are entirely memory resident and will
disappear when the power is pulled.
Containment:
• Initial Analysis
• Keep a low profile
• Never analyze the original
• Make frequent updates to CSIRT
• Acquire log files
• Stick to the facts and avoid blame
• Consider all possibilities but keep it simple
Containment:
• Backups
• Numerous backups allow both investigation and
preservation of evidence.
• Different strategies exist and depend on the situation.
• Original is kept as evidence
• Backup 1 – Placed back in production
• Backup 2 – Forensic Analysis
• Backup 3, 4, etc… separate copies for analysis
Containment:
• Digital Forensics
• Numerous separate analyses all yield the same results.
• Requires specialty hardware, software and training.
• Bit by Bit copying and analysis of data.
• Recovery of deleted data.
• Identification of altered system files (trojans) and
binaries in a safe environment.
Containment:
• Digital Forensics: Hardware Write Blockers
• No modification to the data itself; we want to observe
and duplicate only.
• Hardware device or driver between acquisition
machine and target system.
• May use NIC, USB, FireWire or IDE/SCSI channels.
• Intercepts write commands and gives logical return
results.
• Allows browsing of the filesystem during acquisition.
Containment:
• Digital Forensics: Forensic Software
• Allows quick and efficient analysis of the information
contained on the device.
• Guidance Software’s EnCase used by law enforcement.
• Linux Forensics CDs are coming along in maturity.
(still must use write blockers!!!)
• Scripts allow quick searching of keywords in files and
deleted data.
• Hash comparisons verify original files, known
dangerous applications and aid the examiner in
avoiding the bad stuff.
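Worked example for the Backups slide (original kept as evidence, separate copies for production and analysis) and for the hash-comparison point above (added for this lecture; it is not code from the slides or from any forensic product). It hashes an evidence image in chunks, checks that each copy matches the original before anyone works from it, and splits a file list into known-bad, known-good and unknown by hash so the examiner's time goes to what is left. The image bytes, file contents and reference hash sets are constructed for the demo.

```python
"""Verify forensic copies against the original image and triage files by hash.

Added example, not code from the slides. The 'image' and file contents are
constructed bytes; in practice the streams are the evidence drive (behind a
write blocker) and its copies, and the known-good / known-bad sets come from
a reference hash set, which this demo fakes with hashes of constructed data.
"""
import hashlib
import io


def hash_stream(stream, chunk_size=1 << 20):
    """SHA-256 of a file-like object, read in chunks so disk images fit in memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def verify_copies(original, copies):
    """original: file-like of the evidence image; copies: {label: file-like}.
    Returns {label: bool}; a False copy must not be used for analysis or production."""
    reference = hash_stream(original)
    return {label: hash_stream(copy) == reference for label, copy in copies.items()}


def triage_by_hash(files, known_good, known_bad):
    """files: {path: sha256 hex}. known_bad is flagged first, known_good is set aside
    so the examiner spends time on what is left."""
    out = {"known_bad": [], "known_good": [], "unknown": []}
    for path, digest in sorted(files.items()):
        if digest in known_bad:
            out["known_bad"].append(path)
        elif digest in known_good:
            out["known_good"].append(path)
        else:
            out["unknown"].append(path)
    return out


def run_demo():
    """Constructed inputs: one faithful copy, one copy truncated by a bad transfer,
    and three files of which one matches a known tool and one matches the OS install."""
    image = b"\x00evidence-image\x00" * 4096
    copies = {"backup1_production": io.BytesIO(image),
              "backup2_forensic": io.BytesIO(image[:-1])}   # last byte lost in transfer
    copy_results = verify_copies(io.BytesIO(image), copies)

    sha = lambda b: hashlib.sha256(b).hexdigest()
    known_good = {sha(b"vendor ls binary")}            # stands in for an OS reference set
    known_bad = {sha(b"constructed backdoor sample")}  # stands in for a known-tool set
    files = {"bin/ls": sha(b"vendor ls binary"),
             "tmp/.s": sha(b"constructed backdoor sample"),
             "home/u/notes.txt": sha(b"meeting notes")}
    return copy_results, triage_by_hash(files, known_good, known_bad)


if __name__ == "__main__":
    copies, triage = run_demo()
    print("copy verification:", copies)
    print("triage:", triage)
```

Record the original's hash in the chain-of-custody notes at acquisition time; every later copy is verified against that recorded value, not against whichever copy happens to be at hand.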
Containment:
• Digital Forensics: What are we looking for?
• Many areas of interesting data are forgotten about.
• Cached web content
• Email Files (PSTs)
• Recoverable Deleted Files
• Specific Incidents: CAD drawings, Engineering diagrams,
Pornography
• Known file signatures of hacking tools, backdoors, etc…
Containment:
• Digital Forensics: Other devices?
• May not be able to submit as evidence in court, but can
assist the Incident Handler in their investigation.
• Personal Organizers (PIMs): BlackBerry, Palm Pilots,
iPAQs.
• SIM Cards/Cell phones
• USB Tokens/Flash Drives
Containment:
• Digital Forensics: Not Perfect!
• Some tools have been written specifically to defeat
forensics software.
• DoD: 7-Pass, random-write method for secure deletion
of magnetic media. (Rainbow Method)
• Windows: Eraser
• Unix: Wipe
Containment:
• Slowing the Attack
• Change passwords and access rights.
• Change hostnames and IPs.
• Null Route suspicious traffic.
• Block IPs or Networks.
• Apply Patches to similar systems.
• Shutdown services.
Eradication -
Once an incident has been contained we attempt the total
removal of malicious applications from a system or
network.
Eradication:
• Remove or Restore
• The decision of whether to remove malicious files or
restore from backups is a difficult task.
• Rootkits almost always demand a rebuild.
• Verification of backups is a must.
• Patches may not be available and a total
change of architectures may be necessary.
Eradication:
• Improve Defenses
• Implement additional detection and protection
methods and strengthen existing technologies and
processes.
• Apply firewall and router filters.
• Perform “mini-assessments” using the same tools
and techniques as your attackers.
• Look for the same exploits and backdoors on
multiple machines.
Recovery -
Once the threat has been removed the organization must
begin the process of returning the business to normal
operation.
Recovery:
• Returning to Operation
• System owners make the final call on returning to
production.
• Owners depend on the systems and know their true value.
• If a disagreement occurs on whether or not to return to
production, it should be documented by the analysts and
the owner should acknowledge responsibility.
Recovery:
• Monitoring
• At this point in the process you should have enough
information to identify the attack if it occurs again.
• Create custom IDS signatures if possible.
• Verify proper operation to baseline configurations.
• Implement additional logging on network, hosts and
applications.
Lessons Learned -
The lessons learned meeting provides a method for the
organization to coordinate knowledge of an incident,
suggest changes in procedures and policies for the future
and justify the implementation of new safeguards.
Lessons Learned:
• Recap Meeting
• Should occur promptly after eradication of an incident
while details are fresh in the team members' heads.
• Create a timeline of events.
• Provide a consensus of notes and documentation.
• Finalize facts for a final report.
7 Deadly Sins
• Failure to report/ask for help
• Incomplete/Non-Existent Notes
• Mishandling/Damaging Evidence
• Failure to create backups
• Failure to eradicate or contain
• Failure to prevent re-infection
• Failure to apply lessons learned
Attacker Methodology
 Reconnaissance
 Profiling the Target
 Scanning
 Identifying Weaknesses
 Exploitation
 Breaking the Law
 Keeping Access
 Backdoors
 Covering Tracks
 Staying out of Jail
Reconnaissance:
• The target is profiled –
• Employee Information (name, numbers, titles)
• Systems Information (usenet postings, job listings)
• Process Information (vendors and transactions)
• Location Information (external networks, physical
locations)
Scanning:
• Port and Vulnerability scanners are run to identify
vulnerable systems.
• Open Ports and Services
• Vulnerable Applications
• Default Usernames and Passwords
• Weak Encryption Implementations
Exploitation:
• Execution of attack – usually the first point at which the law
is broken.
• Goals
• Gaining Access
• Elevating Access
• Extracting Information
• Denying Service (DoS)
Keeping Access:
• Addition of Admin-level User Accounts
• Enabling of default, insecure services
• Installation of “Backdoor” or “root kit” applications
allowing the attacker to retain access despite system
modifications.
• Application Level
• Traditional Rootkit
• Kernel Level Rootkit
Covering Tracks:
• Modification of system logs, applications and processes to
prevent identification by administrators.
• Hiding files and Directories (… and alt-255 dirs)
• Changes in /var/log
• Changes in shell history
• Removal of events (windows)
Our Example Scenario
• An attacker uses a “0-day” exploit to infiltrate the target
organization, install a backdoor and retrieve critical
intellectual property for a competitor.
• Normal security procedures alert the administrators to
suspicious activity and the incident response plan is
activated.
Attacker Perspective:
Reconnaissance
• Google and the corporate web site are used to identify the
organizational structure of key personnel including HR
managers and executive management.
• Low-Profile, no data sent directly to organization.
• Impossible to detect.
Attacker Perspective:
Exploitation
• Attacker sends malicious application to email addresses
obtained during scanning.
• Users open emails (possibly through social engineering)
and are immediately infected.
• Attacker can be listening for connections from infected
machines and have immediate control over systems.
Attacker Perspective: Keeping Access
Incident Timeline
Incident Timeline: Preparation
• IR Team established and roles defined.
• Daily procedures established for log analysis and
identification.
• Containment procedures are outlined in policy. (Restoration
takes priority)
• Roles and Responsibilities are defined
Incident Timeline: Identification
• Bandwidth graphing shows abnormal usage
• Passive sniffing identifies responsible host
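Worked example for the two identification steps of the timeline, and for the earlier passive-identification slide on sniffers and traffic analysis (added for this lecture; it is not code from the slides). It rebuilds the bandwidth graph from flow records as bytes per interval, flags the interval that stands out against the median, then ranks sources inside that interval so the responsible host is named. The flow records, bucket size, addresses and anomaly factor are constructed assumptions.

```python
"""Find the abnormal-bandwidth interval on the graph and name the host behind it.

Added example, not code from the slides. SAMPLE_FLOWS are constructed records
(epoch seconds, src, dst, bytes) of the kind a span-port sniffer or flow
export produces; bucket size, addresses and the anomaly factor are assumptions.
"""
from collections import Counter, defaultdict
from statistics import median

BUCKET = 300          # seconds per point on the bandwidth graph
ANOMALY_FACTOR = 4.0  # a bucket this many times the median is "abnormal"

# Constructed: five hosts each move 1 MB per interval to a file server for
# eight intervals; in the sixth interval one extra host pushes 40 MB outbound.
SAMPLE_FLOWS = []
for b in range(8):
    for h in range(1, 6):
        SAMPLE_FLOWS.append((b * BUCKET + 10 * h, f"10.0.0.{h}", "10.0.0.250", 1_000_000))
SAMPLE_FLOWS.append((5 * BUCKET + 7, "10.0.0.42", "203.0.113.9", 40_000_000))


def bucket_start(ts):
    return ts - ts % BUCKET


def bucket_totals(flows):
    """Bytes per interval: the series the bandwidth graph is drawn from."""
    totals = defaultdict(int)
    for ts, _src, _dst, nbytes in flows:
        totals[bucket_start(ts)] += nbytes
    return dict(totals)


def abnormal_buckets(totals, factor=ANOMALY_FACTOR):
    """Intervals well above the median of the series. Median rather than mean so
    the spike itself does not drag the baseline up."""
    base = median(totals.values())
    return sorted(b for b, total in totals.items() if total > factor * base)


def top_talkers(flows, bucket, n=3):
    """Bytes per source inside one interval; the first entry is the responsible host."""
    per_src = Counter()
    for ts, src, _dst, nbytes in flows:
        if bucket_start(ts) == bucket:
            per_src[src] += nbytes
    return per_src.most_common(n)


def responsible_hosts(flows):
    """{interval_start: (src, bytes)} for every abnormal interval."""
    totals = bucket_totals(flows)
    return {b: top_talkers(flows, b, 1)[0] for b in abnormal_buckets(totals)}


if __name__ == "__main__":
    for start, (src, nbytes) in responsible_hosts(SAMPLE_FLOWS).items():
        print(f"interval starting t={start}s: {src} sent {nbytes:,} bytes")
```

On the constructed data the interval starting at 1500 s is flagged and 10.0.0.42 is named, with the destination available from the same records for the containment step. On a real sensor the median should be taken over a longer window than eight points, and a capture with a cyclical buffer of sufficient depth lets you pull the packets of that interval afterwards.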
Incident Timeline: Containment
• No “watch and learn” policy, power is pulled from the host.
• System is imaged using forensic tools and Hardware Write-
Blockers which prevent alteration of data during backup.
• Employee is interviewed to determine method of infection.
Incident Timeline: Eradication and Recovery
• System is restored from the organization's hardened base
image and patches are applied. (Analysis can continue
through restore)
Incident Timeline: Lessons Learned
• Social Engineering Awareness
• File attachment blocking
• Firewall Rule Revisions
• IDS Signature changes
• Patch Management
• Advisory Alert Services
 
How to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERPHow to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERPCeline George
 
The Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resourcesaileywriter
 
Solid waste management & Types of Basic civil Engineering notes by DJ Sir.pptx
Solid waste management & Types of Basic civil Engineering notes by DJ Sir.pptxSolid waste management & Types of Basic civil Engineering notes by DJ Sir.pptx
Solid waste management & Types of Basic civil Engineering notes by DJ Sir.pptxDenish Jangid
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfQucHHunhnh
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxbennyroshan06
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePedroFerreira53928
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonSteve Thomason
 
[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online Presentation[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online PresentationGDSCYCCE
 
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptxJose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptxricssacare
 
NLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptxNLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptxssuserbdd3e8
 
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...Nguyen Thanh Tu Collection
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345beazzy04
 
Industrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training ReportIndustrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training ReportAvinash Rai
 
Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersPedroFerreira53928
 
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxslides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxCapitolTechU
 

Recently uploaded (20)

Ethnobotany and Ethnopharmacology ......
Ethnobotany and Ethnopharmacology ......Ethnobotany and Ethnopharmacology ......
Ethnobotany and Ethnopharmacology ......
 
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdfINU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
 
Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdf
 
How to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERPHow to Create Map Views in the Odoo 17 ERP
How to Create Map Views in the Odoo 17 ERP
 
The Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resources
 
Solid waste management & Types of Basic civil Engineering notes by DJ Sir.pptx
Solid waste management & Types of Basic civil Engineering notes by DJ Sir.pptxSolid waste management & Types of Basic civil Engineering notes by DJ Sir.pptx
Solid waste management & Types of Basic civil Engineering notes by DJ Sir.pptx
 
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
Operations Management - Book1.p  - Dr. Abdulfatah A. SalemOperations Management - Book1.p  - Dr. Abdulfatah A. Salem
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve Thomason
 
[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online Presentation[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online Presentation
 
Introduction to Quality Improvement Essentials
Introduction to Quality Improvement EssentialsIntroduction to Quality Improvement Essentials
Introduction to Quality Improvement Essentials
 
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptxJose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
Jose-Rizal-and-Philippine-Nationalism-National-Symbol-2.pptx
 
NLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptxNLC-2024-Orientation-for-RO-SDO (1).pptx
NLC-2024-Orientation-for-RO-SDO (1).pptx
 
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
Industrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training ReportIndustrial Training Report- AKTU Industrial Training Report
Industrial Training Report- AKTU Industrial Training Report
 
Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumers
 
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxslides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
 

Chapter 15 incident handling

1. Chapter 15 Incident Response and Handling
INFORMATION SYSTEM SECURITY
Jupriyadi, S.Kom. M.T.
jupriyadi@teknokrat.ac.id
Bandarlampung, Agustus 2021

2. Outline
• The Incident Response Process
  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned
• The Attacker Process
  • Reconnaissance
  • Scanning
  • Exploitation
  • Keeping Access
  • Covering Tracks
• Conclusion

3. Incident Response and Digital Forensics
• One of the least practiced, most stressful, highly scrutinized areas of Information Security.
• Every incident is unique and can incorporate many different areas of the affected organization.
• Incident analysts must be able to think quickly, remain calm and consider all possibilities.

4. Common Incident Types
• Economic Espionage
  • Intellectual Property Theft
• Unauthorized Access
  • Stolen Passwords and Data
• Unauthorized Use
  • Inappropriate E-Mail and Web Habits
• Malicious Code
  • Worms with Backdoors (Sasser)
• Insider Threats

5. 6 Steps of the Incident Handler Methodology
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

7. Preparation:
• The key to a successful response is preparation.
• Form a strategy.
• Design a procedure.
• Gather resources.
• Practice, practice, practice.

8. Preparation:
• Identify the “Core Team”
  • Technical (IT, InfoSec and System Owners)
  • Management
  • Legal Department
  • Forensics
  • Public Relations
  • Human Resources
  • Physical Security and Maintenance
  • Telecommunications

9. Preparation:
• Develop a Procedure
  • Incident response can be a high-stress time. A well-documented procedure that is easy to follow can greatly reduce the anxiety.
  • Develop a call tree and notification procedures.
  • Brainstorm likely scenarios.
  • Identify general information needed in most scenarios ahead of time.
  • Make checklists and forms for as much as possible.

10. Preparation:
• Communication
  • Communication is incredibly important during an incident: not only the people involved, but also the method by which it is done.
  • Updates should be frequent.
  • Out-of-band communications are very important.
    • Faxes
    • Cell phones
    • Be careful with the BlackBerrys.

11. Preparation:
• Access Rights
  • The incident response team must have access to systems without the administrators’ authorization.
  • Controversial issue.
  • User accounts, passwords and encryption keys.
  • Third-party storage methods are available.

12. Preparation:
• Policies
  • Protect the organization from legal liability and allow investigators to do their job.
  • Warning banners are readily displayed.
  • Search policy is detailed in the employee manual.
  • Human Resources and Legal have signed off.
  • Employees have acknowledged knowing their expectations of privacy.
  • Beware of international laws (European Privacy Directive).

13. Preparation:
• Gathering Resources
  • Incident analysts should have all information ready and be able to respond to the incident.
  • Procedures, checklists and forms are ready.
  • Access credentials are available, or the individuals who hold them are known.
  • System information, network diagrams, software and intellectual property are documented thoroughly.

14. Identification:
“Incidents can’t always be prevented, but must always be detected.”

15. Incident: Intentional or Unintentional?
• Multiple failed logins to the domain administrator account.
  • Administrator credentials were cached on a user’s workstation and it is attempting to log in.
  • Someone is actively attempting to brute-force the account.
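The two readings of slide 15 can be separated from the logs themselves: one workstation retrying at a slow, steady cadence looks like a stale cached credential, while many sources or rapid-fire attempts look like a brute-force attack. The triage aid below is an added example, not part of the original slides; the log lines, their layout (ISO timestamp, account, source, result) and the thresholds are constructed assumptions.

```python
"""Triage aid for repeated failed logins to a privileged account.

Added example, not part of the original slides. The log lines and their
layout (ISO timestamp, account, source host, result) are constructed."""
from datetime import datetime

# Constructed sample events: <ISO timestamp> <account> <source> <result>
SAMPLE_LOG = """\
2021-08-02T08:00:00 DOMAIN\\Administrator WS-FIN-17 FAIL
2021-08-02T08:05:00 DOMAIN\\Administrator WS-FIN-17 FAIL
2021-08-02T08:10:00 DOMAIN\\Administrator WS-FIN-17 FAIL
2021-08-02T08:15:00 DOMAIN\\Administrator WS-FIN-17 FAIL
2021-08-02T09:00:00 DOMAIN\\jdoe WS-FIN-17 OK
2021-08-02T09:30:00 DOMAIN\\Administrator 10.9.8.7 FAIL
2021-08-02T09:30:01 DOMAIN\\Administrator 10.9.8.7 FAIL
2021-08-02T09:30:01 DOMAIN\\Administrator 10.9.8.8 FAIL
2021-08-02T09:30:02 DOMAIN\\Administrator 10.9.8.9 FAIL
2021-08-02T09:30:02 DOMAIN\\Administrator 10.9.8.7 FAIL
2021-08-02T09:30:03 DOMAIN\\Administrator 10.9.8.8 FAIL
"""


def parse(log_text):
    """Turn the constructed log format into (timestamp, account, source, result)."""
    events = []
    for line in log_text.splitlines():
        ts, account, source, result = line.split()
        events.append((datetime.fromisoformat(ts), account, source, result))
    return events


def cluster_failures(events, account, gap_seconds=300):
    """Group FAIL events for `account` into runs; a silence longer than
    gap_seconds starts a new run."""
    fails = sorted((e for e in events if e[1] == account and e[3] == "FAIL"),
                   key=lambda e: e[0])
    runs, current = [], []
    for ev in fails:
        if current and (ev[0] - current[-1][0]).total_seconds() > gap_seconds:
            runs.append(current)
            current = []
        current.append(ev)
    if current:
        runs.append(current)
    return runs


def assess(run, fast_interval=10.0):
    """One source retrying at a slow, steady cadence looks like a cached
    credential; several sources or rapid-fire attempts look like brute force.
    The thresholds are assumptions and must be tuned per environment."""
    count = len(run)
    sources = sorted({e[2] for e in run})
    span = (run[-1][0] - run[0][0]).total_seconds()
    mean_interval = span / (count - 1) if count > 1 else float("inf")
    if len(sources) > 1 or mean_interval < fast_interval:
        verdict = "likely brute force: declare an incident and contain"
    else:
        verdict = "likely stale cached credential: verify with the workstation owner"
    return {"start": run[0][0].isoformat(), "count": count, "sources": sources,
            "mean_interval_s": mean_interval, "verdict": verdict}


def triage(log_text, account):
    """Parse, cluster and assess every run of failures for `account`."""
    return [assess(run) for run in cluster_failures(parse(log_text), account)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "DOMAIN\\Administrator"):
        print(finding)
```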
16. Identification:
• Goals
  • Determine Scope
    • Identify what systems, people and informational assets are involved in the event.
  • Preserve Evidence
    • Protect the facts of the incident while determining the scenario.

17. Identification: Suspicious Events
• Unexplained occurrences
• New accounts or files
• File modifications
• IDS triggers
• Firewall entries
• Accounting discrepancies
• Poor performance/unresponsive services
• System instability

18. Identification: Passive Identification
• Sniffers and Traffic Analysis
  • Cyclical buffers allow full recording of events at the packet level up to a point, depending on buffer size and utilization.
  • Target machine evidence is still preserved.
  • Assist in determining new attacks for which signatures have not yet been written.

19. Identification: Passive Identification
• Intrusion Detection Systems
  • Least invasive method.
  • Target machine evidence is preserved.
  • Logs must still be protected.
    • Write-Once, Read-Many media.

20. Identification: Passive Identification
• Tripwire-style File Modification
  • A hash of the file is taken and stored in a secure database. Any modification to that file results in a change of the hash.
  • Very indicative of a successful compromise.
  • Can be noisy during patching and must be tuned after every software upgrade.
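The Tripwire-style check on slide 20, including the tuning it calls for after patching, as an added example that is neither the slides' own code nor Tripwire's. The monitored file tree is constructed in a temporary directory; an approved patch touches one file while an intruder changes another and drops a new one, and only the latter two are meant to raise an alert.

```python
"""Tripwire-style file integrity baseline with post-patch tuning.

Added example, not code from the original slides or from Tripwire. The
monitored tree is constructed in a temporary directory; in practice the
baseline lives in a protected store away from the monitored host."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline, current, expected_changes=frozenset()):
    """Classify differences between two baselines. Paths listed in
    expected_changes (what an approved patch run touched) are reported in
    their own bucket, so the integrity check stays quiet after upgrades
    instead of burying a real compromise under patch noise."""
    report = {"modified": [], "added": [], "removed": [], "expected": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        if path in expected_changes:
            bucket = "expected"
        elif old is None:
            bucket = "added"
        elif new is None:
            bucket = "removed"
        else:
            bucket = "modified"
        report[bucket].append(path)
    return report


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario: an approved patch replaces bin/sshd, while an
    intruder trojans bin/ls and drops bin/.hidden. Only the last two should
    raise an alert."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/sshd", b"sshd v1")
        _write(root, "bin/ls", b"ls v1")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        _write(root, "bin/sshd", b"sshd v2")         # approved patch
        _write(root, "bin/ls", b"ls v1 + backdoor")  # unexpected change
        _write(root, "bin/.hidden", b"dropper")      # unexpected new file
        current = build_baseline(root)

        return compare(baseline, current, expected_changes={"bin/sshd"})


if __name__ == "__main__":
    print(demo())
```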
21. Identification: HoneyPots and HoneyTokens
• Specific systems or accounts with additional logging and notification to alert on suspicious activity.
• Operators must be careful of entrapment.
• Systems have to be secured and heavily monitored.
• Systems cannot invite intruders:
  • No “hackme” accounts
  • No “Salary Database” systems

22. Containment
Now that the events have been identified as an incident and a chain-of-custody for evidence has been established, we take the first step into system modification by beginning our containment.

23. Containment:
• Vendor Coordination
  • Work closely with your vendors and know how to open security-related tickets with high priority.
  • ISPs can prevent some Denial of Service situations.
  • They are more familiar with attacks because they have seen them with other clients and are up to date on advisories.
  • Additional people working towards identification, containment and recovery.
  • We are used to the pressure!

24. Containment:
• Identifying the Trust Model
  • The trust model identifies not only the technology, but also the people that are involved in the incident.
  • What connectivity does the network or system have to other areas in the organization?
  • What information is contained within it?
  • Who needs to be involved and to what extent?

25. Containment:
• Documentation Strategies
  • Documentation should be collected from most volatile to least volatile and from least invasive to most invasive.
  • Volatile evidence includes RAM, running processes and active connections.
  • Be careful of running system commands from anything but recovery media.

26. Containment:
• Should we Quarantine?
  • Changes to a system may be easily observed by an active attacker.
  • Rootkits may identify a pulled network connection or extensive system modification and protect the attacker.
  • Some exploits are entirely memory resident and will disappear when the power is pulled.

27. Containment:
• Initial Analysis
  • Keep a low profile.
  • Never analyze the original.
  • Make frequent updates to the CSIRT.
  • Acquire log files.
  • Stick to the facts and avoid blame.
  • Consider all possibilities but keep it simple.

28. Containment:
• Backups
  • Numerous backups allow both investigation and preservation of evidence.
  • Different strategies exist and depend on the situation.
    • Original is kept as evidence.
    • Backup 1: placed back in production.
    • Backup 2: forensic analysis.
    • Backup 3, 4, etc.: separate copies for analysis.

29. Containment:
• Digital Forensics
  • Numerous separate analyses all yield the same results.
  • Requires specialty hardware, software and training.
  • Bit-by-bit copying and analysis of data.
  • Recovery of deleted data.
  • Identification of altered system files (trojans) and binaries in a safe environment.

30. Containment:
• Digital Forensics: Hardware Write Blockers
  • No modification to the data itself; we want to observe and duplicate only.
  • Hardware device or driver between the acquisition machine and the target system.
  • May use NIC, USB, FireWire or IDE/SCSI channels.
  • Intercepts write commands and returns logical results.
  • Allows browsing of the filesystem during acquisition.

31. Containment:
• Digital Forensics: Forensic Software
  • Allows quick and efficient analysis of the information contained on the device.
  • Guidance Software’s EnCase is used by law enforcement.
  • Linux forensics CDs are coming along in maturity (write blockers must still be used!).
  • Scripts allow quick searching of keywords in files and deleted data.
  • Hash comparisons verify original files, flag known dangerous applications and help the examiner avoid the bad stuff.

32. Containment:
• Digital Forensics: What are we looking for?
  • Many areas of interesting data are forgotten about.
    • Cached web content
    • Email files (PSTs)
    • Recoverable deleted files
    • Specific incidents: CAD drawings, engineering diagrams, pornography
    • Known file signatures of hacking tools, backdoors, etc.

33. Containment:
• Digital Forensics: Other devices?
  • May not be admissible as evidence in court, but can assist the Incident Handler in the investigation.
    • Personal organizers (PIMs): BlackBerry, Palm Pilots, iPAQs
    • SIM cards/cell phones
    • USB tokens/flash drives

34. Containment:
• Digital Forensics: Not Perfect!
  • Some tools have been written specifically to defeat forensics software.
    • DoD: 7-pass, random-write method for secure deletion of magnetic media (Rainbow Method).
    • Windows: Eraser
    • Unix: Wipe

35. Containment:
• Slowing the Attack
  • Change passwords and access rights.
  • Change hostnames and IPs.
  • Null-route suspicious traffic.
  • Block IPs or networks.
  • Apply patches to similar systems.
  • Shut down services.

36. Eradication
Once an incident has been contained, we attempt the total removal of malicious applications from a system or network.

37. Eradication:
• Remove or Restore
  • Deciding whether to remove malicious files or restore from backups is a difficult task.
  • Rootkits almost always demand a rebuild.
  • Verification of backups is a must.
  • Patches may not be available, and a total change of architecture may be necessary.

38. Eradication:
• Improve Defenses
  • Implement additional detection and protection methods and strengthen existing technologies and processes.
  • Apply firewall and router filters.
  • Perform “mini-assessments” using the same tools and techniques as your attackers.
  • Look for the same exploits and backdoors on multiple machines.

39. Recovery
Once the threat has been removed, the organization must begin the process of returning the business to normal operation.

40. Recovery:
• Returning to Operation
  • System owners make the final call on returning to production.
  • Owners depend on the systems and know their true value.
  • If a disagreement occurs on whether or not to return to production, it should be documented by the analysts and the owner should acknowledge responsibility.

41. Recovery:
• Monitoring
  • At this point in the process you should have enough information to identify the attack if it occurs again.
  • Create custom IDS signatures if possible.
  • Verify proper operation against baseline configurations.
  • Implement additional logging on network, hosts and applications.

42. Lessons Learned
The lessons-learned meeting provides a method for the organization to coordinate knowledge of an incident, suggest changes in procedures and policies for the future and justify the implementation of new safeguards.

43. Lessons Learned:
• Recap Meeting
  • Should occur promptly after eradication of an incident, while details are fresh in the team members’ heads.
  • Create a timeline of events.
  • Provide a consensus of notes and documentation.
  • Finalize facts for a final report.

44. 7 Deadly Sins
• Failure to report/ask for help
• Incomplete/non-existent notes
• Mishandling/damaging evidence
• Failure to create backups
• Failure to eradicate or contain
• Failure to prevent re-infection
• Failure to apply lessons learned

45. Attacker Methodology
• Reconnaissance
  • Profiling the target
• Scanning
  • Identifying weaknesses
• Exploitation
  • Breaking the law
• Keeping Access
  • Backdoors
• Covering Tracks
  • Staying out of jail

46. Reconnaissance:
• The target is profiled:
  • Employee information (names, numbers, titles)
  • Systems information (Usenet postings, job listings)
  • Process information (vendors and transactions)
  • Location information (external networks, physical locations)

47. Scanning:
• Port and vulnerability scanners are run to identify vulnerable systems.
  • Open ports and services
  • Vulnerable applications
  • Default usernames and passwords
  • Weak encryption implementations

48. Exploitation:
• Execution of the attack; usually the first point at which the law is broken.
• Goals
  • Gaining access
  • Elevating access
  • Extracting information
  • Denying service (DoS)

49. Keeping Access:
• Addition of admin-level user accounts.
• Enabling of default, insecure services.
• Installation of “backdoor” or “rootkit” applications allowing the attacker to retain access despite system modifications.
  • Application level
  • Traditional rootkit
  • Kernel-level rootkit

50. Covering Tracks:
• Modification of system logs, applications and processes to prevent identification by administrators.
  • Hiding files and directories (… and alt-255 dirs)
  • Changes in /var/log
  • Changes in shell history
  • Removal of events (Windows)

51. Our Example Scenario
• An attacker uses a “0-day” exploit to infiltrate the target organization, install a backdoor and retrieve critical intellectual property for a competitor.
• Normal security procedures alert the administrators to suspicious activity and the incident response plan is activated.

52. Attacker Perspective: Reconnaissance
• Google and the corporate web site are used to identify the organizational structure of key personnel, including HR managers and executive management.
• Low profile; no data is sent directly to the organization.
• Impossible to detect.

53. Attacker Perspective: Exploitation
• Attacker sends a malicious application to email addresses obtained during scanning.
• Users open the emails (possibly through social engineering) and are immediately infected.
• The attacker can be listening for connections from infected machines and have immediate control over the systems.

56. Incident Timeline: Preparation
• IR team established and roles defined.
• Daily procedures established for log analysis and identification.
• Containment procedures are outlined in policy (restoration takes priority).
• Roles and responsibilities are defined.

57. Incident Timeline: Identification
• Bandwidth graphing shows abnormal usage.
• Passive sniffing identifies the responsible host.

58. Incident Timeline: Containment
• No “watch and learn” policy; power is pulled from the host.
• System is imaged using forensic tools and hardware write-blockers, which prevent alteration of data during backup.
• Employee is interviewed to determine the method of infection.

59. Incident Timeline: Eradication and Recovery
• System is restored from the organization’s hardened base image and patches are applied (analysis can continue through the restore).

60. Incident Timeline: Lessons Learned
• Social engineering awareness
• File attachment blocking
• Firewall rule revisions
• IDS signature changes
• Patch management
• Advisory alert services
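The identification step of the timeline above (a bandwidth spike, then passive sniffing to name the responsible host) carried through on sample data, as an added example that is not part of the original slides. The per-interval totals and flow records are constructed, the destination addresses come from documentation ranges, and the median-plus-MAD threshold is a choice made here rather than something the slides specify.

```python
"""Bandwidth anomaly spotting and top-talker attribution.

Added example, not part of the original slides. Interval totals and flow
records are constructed; the median/MAD threshold is a choice made here."""
import statistics
from collections import defaultdict

# Constructed: outbound megabytes per 5-minute interval on a normal day
BASELINE_MB = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15]
# Constructed: the same intervals on the day of the incident
TODAY_MB = [13, 14, 12, 15, 13, 14, 12, 15, 14, 95, 120, 110]

# Constructed flow records from a passive sniffer during the spike:
# (source host, destination IP, destination port, bytes). Destination
# addresses are from documentation ranges, not real systems.
FLOWS = [
    ("WS-FIN-17", "203.0.113.10", 443, 310_000_000),
    ("WS-HR-02", "198.51.100.5", 443, 4_200_000),
    ("WS-FIN-17", "203.0.113.10", 443, 295_000_000),
    ("WS-ENG-09", "198.51.100.7", 80, 2_900_000),
    ("WS-FIN-17", "198.51.100.5", 443, 1_100_000),
    ("MAIL-01", "198.51.100.20", 25, 6_500_000),
]


def anomalous_intervals(baseline, today, k=6.0):
    """Indices of intervals whose volume exceeds median + k * MAD of the
    baseline. MAD is robust to the odd busy interval in the baseline itself."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(v - med) for v in baseline)
    threshold = med + k * max(mad, 1.0)  # floor so a flat baseline still works
    return [i for i, v in enumerate(today) if v > threshold]


def top_talkers(flows, n=3):
    """Hosts ranked by bytes sent, with the destinations each one talked to."""
    sent = defaultdict(int)
    dests = defaultdict(set)
    for src, dst, port, nbytes in flows:
        sent[src] += nbytes
        dests[src].add(f"{dst}:{port}")
    ranked = sorted(sent, key=sent.get, reverse=True)[:n]
    return [(host, sent[host], sorted(dests[host])) for host in ranked]


def identify(baseline, today, flows):
    """Combine both checks: the spike intervals and the leading host, which
    then becomes the candidate for containment and imaging."""
    spikes = anomalous_intervals(baseline, today)
    if not spikes:
        return {"spikes": [], "suspect": None}
    host, total, where = top_talkers(flows, n=1)[0]
    return {"spikes": spikes, "suspect": host, "bytes": total,
            "destinations": where}


if __name__ == "__main__":
    print(identify(BASELINE_MB, TODAY_MB, FLOWS))
```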