John Hoffoss, profile picture
Uploaded byJohn Hoffoss
685 views

Drop, Stop & Roll

The document outlines the Computer Security Incident Response System guideline, emphasizing the importance of having an incident response plan which includes phases like detection, containment, and recovery. It provides practical steps and tools for identifying and addressing IT security incidents while ensuring proper documentation and testing of the plan. Additionally, it offers templates for organizations to customize their response strategies based on their specific needs.

Embed presentation

Drop, Stop and Roll John Hoffoss and Scott St. Aubin Access more information security training for campus technical staff and earn CEUs: its.mnscu.edu/security/training/
An introduction to the Computer Security Incident Response System Guideline
Outline • Step Zero: Plan Your Escape Route • Smell Smoke? Detecting an Incident • Drop! • Stop! • Roll!
What is an incident? • A situation that presents a significant or imminent threat to the security of IT resources or data. • Unauthorized access or compromise of data or systems with perceived malicious intent • A significant threat or actual loss of nonpublic data via IT resources • A reasonable basis to believe that IT resources are being used for criminal activity
flickr//d-workx Before the Fire: Plan Your Escape Route
What is incident response? • Your set of [hopefully calm] actions taken as response to an incident. • heart-valve-surgery.com icanhascheezburger
About the Route Incident response is easier and goes better if you have a plan in place before you need it. • Management Support • Your incident response plan, tested! • Tools: hard drives, write blockers, analysis environment • Knowledge to perform this analysis
What goes in a plan? Good question...we made a guideline to answer that! (You can thank us later...)
The Guideline The Computer Security Incident Response System Guideline: • requires that you have a plan; • outlines the response process; • outlines the composition of your CSIRT; • requires that you test your plan.
mmm...phases 1. Detection and Reporting 2. Initial Classification and Notification 3. Containment 4. Eradication 5. Recovery 6. Closure
The Team
Anything else? • Your plan should tie in with other relevant processes • Continuity of Operations • Disaster Recovery • Breach Notification • Your plan must be tested! • Data gathered as part of incident response is nonpublic -- label it as such!
So I have write all that stuff? Are you joking? • You can if you want... • Some of you may have a plan already--it may only require tweaking to satisfy these. • But we have a template you can use! • www.its.mnscu.edu/security
Oooh, template! • Scott wrote all of it with my input. • Mostly-ready, but you’ll want to tweak a few areas: • Team Info - Table 1 • Constituencies - Table 3 • Reporting Process - Figure 2
Smell Smoke? Detecting an Incident flickr//lilcrabbygal
• errant mouse movement • missing system settings // system not in state an Detection employee left it // missing icons/folders/ programs • extreme performance issues
Now get out your log book Take notes! eaas.co.uk
Reporting • Houston, we have a problem. • Your users should know who to contact • Calling is always better than email
Classification & Notification • Yep, that computer is on fire. • Contact your response team
Drop! flickr//arbyreed
Containment • Actually unplug or cut the network cable • Mark the system as "borked - do not use" • Do not use or interact with the system yet • Log your actions in your logbook.
• Interview the user about what he/she saw. What data is stored or accessed from the suspect system? Is there nonpublic data stored? Online banking activity? • Confirm any new information pertaining to the incident with IDS, Firewall, AD logs, etc. • Log your actions in your logbook. • Sanity check: Do you think there's a fire? Or is it just smoke?
If you're certain there is no sensitive activity or data that could've been compromised, then move on to the eradication step. Log your actions in your logbook.
If you're not certain, or if you know there is sensitive activity or data, use your incident response tools to create an image of the system's memory in a forensically sound manner. Now pull the power plug (do not use the power button or hit Start->Shut Down).
• Depending on your classification, create two forensic copies of the suspect hard drive: • One to place back into the workstation (if necessary) for investigation or emergency return to operations • One to retain as an investigative copy of the original • Retain the original with that copy. • Chain of Custody
flickr//jeshuanace Stop!
Eradication Log your actions in your logbook. Keep the system air-gapped and off any network. Now you can interact with the system to see if there is persistent malware present (e.g. Mebroot, a boot-sector trojan) Log your actions in your logbook.
Analysis Tools • Sysinternals - netmon, • VirusTotal procmon, sysmon • Autopsy • Dumpevt • FTK • SilentRunners • EnCase • Malware Bytes Antimalware • Paraben Forensics • Antivirus software • Your Actions, Log Them.
Forensics! gizmodo
More Eradication Once you have some idea of how you got your nasty, figure out how to prevent it from returning. • User privileges • Network • Patches segmentation • Firewall and • IDS router ACLs
Roll! flickr//telstar
Recovery • Reimage • Log your actions • Restore data from known-good backups • Return to operation
Recovery Follow-up • Monitoring • Breach Notification
Closure • Schedule the Incident Recap meeting • Log your actions in your logbook. • Give the all-clear signal
Incident Follow-up • Incident Recap • Report or Brief

More Related Content

PPTX
Incident Response
byprimeteacher32
 
PPTX
Malware in the Wild: Evolving to Evade Detection
byLastline, Inc.
 
ODP
Incident response
byJarno Niemela
 
PPTX
Incident Response in the wake of Dear CEO
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PPTX
IT Security Basics For Managers
byDaniel Owens
 
PPT
Introduction to Malware - Part 1
byLastline, Inc.
 
PDF
Network Forensics and Practical Packet Analysis
byPriyanka Aash
 
PPTX
The Six Stages of Incident Response - Auscert 2016
byAshley Deuble
 
Incident Response
byprimeteacher32
 
Malware in the Wild: Evolving to Evade Detection
byLastline, Inc.
 
Incident response
byJarno Niemela
 
Incident Response in the wake of Dear CEO
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
IT Security Basics For Managers
byDaniel Owens
 
Introduction to Malware - Part 1
byLastline, Inc.
 
Network Forensics and Practical Packet Analysis
byPriyanka Aash
 
The Six Stages of Incident Response - Auscert 2016
byAshley Deuble
 

What's hot

PPTX
Effective Vulnerability Management
byVicky Ames
 
DOC
Importance Of Structured Incident Response Process
byAnton Chuvakin
 
PPTX
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
byLastline, Inc.
 
PPTX
Malewareanalysis
byahmad abdelhafeez
 
PPTX
encase enterprise
byDamir Delija
 
PDF
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
byLastline, Inc.
 
PPTX
How to Build a Successful Incident Response Program
byResilient Systems
 
PDF
CNIT 121: 17 Remediation Introduction (Part 1)
bySam Bowne
 
PPTX
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
byRod Soto
 
PPTX
Incident response
byAnshul Gupta
 
PDF
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PDF
Physical Penetration Testing - RootedCON 2015
byHykeos
 
PPTX
Advanced persistent threat (apt)
bymmubashirkhan
 
PDF
EnCase Enterprise Basic File Collection
byDamir Delija
 
PPTX
SplunkLive! Customer Presentation – Virtustream
bySplunk
 
PPTX
501 ch 8 risk management tools
bygocybersec
 
PPTX
Purple Teaming - The Collaborative Future of Penetration Testing
byFRSecure
 
PDF
CNIT 121: 16 Report Writing
bySam Bowne
 
PDF
Search & Seizure of Electronic Evidence by Pelorus Technologies
byurjarathi
 
Effective Vulnerability Management
byVicky Ames
 
Importance Of Structured Incident Response Process
byAnton Chuvakin
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
byLastline, Inc.
 
Malewareanalysis
byahmad abdelhafeez
 
encase enterprise
byDamir Delija
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
byLastline, Inc.
 
How to Build a Successful Incident Response Program
byResilient Systems
 
CNIT 121: 17 Remediation Introduction (Part 1)
bySam Bowne
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
byRod Soto
 
Incident response
byAnshul Gupta
 
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
WTF is Penetration Testing v.2
byScott Sutherland
 
Physical Penetration Testing - RootedCON 2015
byHykeos
 
Advanced persistent threat (apt)
bymmubashirkhan
 
EnCase Enterprise Basic File Collection
byDamir Delija
 
SplunkLive! Customer Presentation – Virtustream
bySplunk
 
501 ch 8 risk management tools
bygocybersec
 
Purple Teaming - The Collaborative Future of Penetration Testing
byFRSecure
 
CNIT 121: 16 Report Writing
bySam Bowne
 
Search & Seizure of Electronic Evidence by Pelorus Technologies
byurjarathi
 

Viewers also liked

PPT
La ultima
byMalikoatl
 
PDF
Creativity
byGrintex India Ltd
 
PPT
Kotler01 mkt.crm
bykitturashmikittu
 
PPT
Brain storming-rules
byGrintex India Ltd
 
PPT
Scientific method
bykitturashmikittu
 
PDF
Report on torture
byTawanda Kanhema
 
PPT
Smart Phones
byEKMom
 
PPTX
Daily routines
byLilian Mierez
 
PPS
Thewiseoldman
byRikkasdaddy
 
PPTX
A rnau cairo
byarnau19
 
PDF
How Lean, UCD and Agile can propel designers into the future
byCyber-Duck
 
PPT
Cauchuyendang xem
byDamPhan
 
PPT
Bf c mp.january 08.pps
bykitturashmikittu
 
PPT
sistema eragilea
byleire
 
PDF
Midterm presentation 2.27.2010 small
byguestc8839dc3
 
PPT
Chanlycuocdoi
byDamPhan
 
PPTX
Why VietnamWorks
byChris Shayan
 
PPT
Larynx modified
byKarl Daniel, M.D.
 
PDF
SVEA Presentazione progetto
byCSP Scarl
 
PPT
W SAN FRANCISCO
bylisaleonor
 
La ultima
byMalikoatl
 
Creativity
byGrintex India Ltd
 
Kotler01 mkt.crm
bykitturashmikittu
 
Brain storming-rules
byGrintex India Ltd
 
Scientific method
bykitturashmikittu
 
Report on torture
byTawanda Kanhema
 
Smart Phones
byEKMom
 
Daily routines
byLilian Mierez
 
Thewiseoldman
byRikkasdaddy
 
A rnau cairo
byarnau19
 
How Lean, UCD and Agile can propel designers into the future
byCyber-Duck
 
Cauchuyendang xem
byDamPhan
 
Bf c mp.january 08.pps
bykitturashmikittu
 
sistema eragilea
byleire
 
Midterm presentation 2.27.2010 small
byguestc8839dc3
 
Chanlycuocdoi
byDamPhan
 
Why VietnamWorks
byChris Shayan
 
Larynx modified
byKarl Daniel, M.D.
 
SVEA Presentazione progetto
byCSP Scarl
 
W SAN FRANCISCO
bylisaleonor
 

Similar to Drop, Stop & Roll

PPT
FIRST 2006 Full-day Tutorial on Logs for Incident Response
byAnton Chuvakin
 
PDF
Chapter 15 incident handling
bynewbie2019
 
PDF
Incident response, Hacker Techniques and Countermeasures
byJose L. Quiñones-Borrero
 
PDF
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
PDF
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 
PDF
Incident response before:after breach
bySumedt Jitpukdebodin
 
PPTX
Ch2-Incident Response Process.pptxIncident Response Process
bySuhail Qadir Mir
 
PPTX
chapter on Incident Response Management.
bySuhail Qadir Mir
 
PPT
Incident handling.final
byahmad abdelhafeez
 
PDF
4 Getting Started & 5 Leads
bySam Bowne
 
PDF
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
byNoNameCon
 
PDF
CNIT 121: 2 IR Management Handbook
bySam Bowne
 
PPT
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
byguestc0c304
 
PPT
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
byAnton Chuvakin
 
PDF
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
byIGN MANTRA
 
PDF
Loggin alerting and hunting technology hub 2016
byScot Berner
 
PPTX
Intrusion detection system
bySweta Sharma
 
PPTX
Security Operation Center Presentat.pptx
byImranKhan441149
 
PPT
Secure Financial Intelligence System
byJoseph Yosi Margalit
 
DOC
Audit logs for Security and Compliance
byAnton Chuvakin
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
byAnton Chuvakin
 
Chapter 15 incident handling
bynewbie2019
 
Incident response, Hacker Techniques and Countermeasures
byJose L. Quiñones-Borrero
 
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
Enabling effective hunt teaming and incident response
byjeffmcjunkin
 
Incident response before:after breach
bySumedt Jitpukdebodin
 
Ch2-Incident Response Process.pptxIncident Response Process
bySuhail Qadir Mir
 
chapter on Incident Response Management.
bySuhail Qadir Mir
 
Incident handling.final
byahmad abdelhafeez
 
4 Getting Started & 5 Leads
bySam Bowne
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
byNoNameCon
 
CNIT 121: 2 IR Management Handbook
bySam Bowne
 
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
byguestc0c304
 
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
byAnton Chuvakin
 
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
byIGN MANTRA
 
Loggin alerting and hunting technology hub 2016
byScot Berner
 
Intrusion detection system
bySweta Sharma
 
Security Operation Center Presentat.pptx
byImranKhan441149
 
Secure Financial Intelligence System
byJoseph Yosi Margalit
 
Audit logs for Security and Compliance
byAnton Chuvakin
 

Recently uploaded

PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
PDF
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 

Drop, Stop & Roll

  • 1.
    Drop, Stop andRoll John Hoffoss and Scott St. Aubin Access more information security training for campus technical staff and earn CEUs: its.mnscu.edu/security/training/
  • 2.
    An introduction tothe Computer Security Incident Response System Guideline
  • 3.
    Outline • Step Zero:Plan Your Escape Route • Smell Smoke? Detecting an Incident • Drop! • Stop! • Roll!
  • 4.
    What is anincident? • A situation that presents a significant or imminent threat to the security of IT resources or data. • Unauthorized access or compromise of data or systems with perceived malicious intent • A significant threat or actual loss of nonpublic data via IT resources • A reasonable basis to believe that IT resources are being used for criminal activity
  • 5.
    flickr//d-workx Before the Fire: Plan Your Escape Route
  • 6.
    What is incident response? • Your set of [hopefully calm] actions taken as response to an incident. • heart-valve-surgery.com icanhascheezburger
  • 7.
    About the Route Incidentresponse is easier and goes better if you have a plan in place before you need it. • Management Support • Your incident response plan, tested! • Tools: hard drives, write blockers, analysis environment • Knowledge to perform this analysis
  • 8.
    What goes ina plan? Good question...we made a guideline to answer that! (You can thank us later...)
  • 9.
    The Guideline The ComputerSecurity Incident Response System Guideline: • requires that you have a plan; • outlines the response process; • outlines the composition of your CSIRT; • requires that you test your plan.
  • 10.
    mmm...phases 1. Detection andReporting 2. Initial Classification and Notification 3. Containment 4. Eradication 5. Recovery 6. Closure
  • 11.
  • 12.
    Anything else? • Yourplan should tie in with other relevant processes • Continuity of Operations • Disaster Recovery • Breach Notification • Your plan must be tested! • Data gathered as part of incident response is nonpublic -- label it as such!
  • 13.
    So I havewrite all that stuff? Are you joking? • You can if you want... • Some of you may have a plan already--it may only require tweaking to satisfy these. • But we have a template you can use! • www.its.mnscu.edu/security
  • 14.
    Oooh, template! • Scottwrote all of it with my input. • Mostly-ready, but you’ll want to tweak a few areas: • Team Info - Table 1 • Constituencies - Table 3 • Reporting Process - Figure 2
  • 15.
    Smell Smoke? Detecting an Incident flickr//lilcrabbygal
  • 16.
    errant mouse movement • missing system settings // system not in state an Detection employee left it // missing icons/folders/ programs • extreme performance issues
  • 17.
    Now get out yourlog book Take notes! eaas.co.uk
  • 18.
    Reporting • Houston, wehave a problem. • Your users should know who to contact • Calling is always better than email
  • 19.
    Classification & Notification • Yep, that computer is on fire. • Contact your response team
  • 20.
  • 21.
    Containment • Actually unplugor cut the network cable • Mark the system as "borked - do not use" • Do not use or interact with the system yet • Log your actions in your logbook.
  • 22.
    • Interview theuser about what he/she saw. What data is stored or accessed from the suspect system? Is there nonpublic data stored? Online banking activity? • Confirm any new information pertaining to the incident with IDS, Firewall, AD logs, etc. • Log your actions in your logbook. • Sanity check: Do you think there's a fire? Or is it just smoke?
  • 23.
    If you're certainthere is no sensitive activity or data that could've been compromised, then move on to the eradication step. Log your actions in your logbook.
  • 24.
    If you're notcertain, or if you know there is sensitive activity or data, use your incident response tools to create an image of the system's memory in a forensically sound manner. Now pull the power plug (do not use the power button or hit Start->Shut Down).
  • 25.
    • Depending onyour classification, create two forensic copies of the suspect hard drive: • One to place back into the workstation (if necessary) for investigation or emergency return to operations • One to retain as an investigative copy of the original • Retain the original with that copy. • Chain of Custody
  • 26.
  • 27.
    Eradication Log your actionsin your logbook. Keep the system air-gapped and off any network. Now you can interact with the system to see if there is persistent malware present (e.g. Mebroot, a boot-sector trojan) Log your actions in your logbook.
  • 28.
    Analysis Tools • Sysinternals - netmon, • VirusTotal procmon, sysmon • Autopsy • Dumpevt • FTK • SilentRunners • EnCase • Malware Bytes Antimalware • Paraben Forensics • Antivirus software • Your Actions, Log Them.
  • 29.
    Forensics! gizmodo
  • 30.
    More Eradication Once youhave some idea of how you got your nasty, figure out how to prevent it from returning. • User privileges • Network • Patches segmentation • Firewall and • IDS router ACLs
  • 31.
    Roll! flickr//telstar
  • 32.
    Recovery • Reimage • Logyour actions • Restore data from known-good backups • Return to operation
  • 33.
  • 34.
    Closure • Schedule theIncident Recap meeting • Log your actions in your logbook. • Give the all-clear signal
  • 35.
    Incident Follow-up • IncidentRecap • Report or Brief

Editor's Notes

  • #2 John Hoffoss works in the Information Security Office, part of the Information Technology Services division of the Office of the Chancellor. He’s been with MnSCU for 3 years, likes carpentry and curls well. Scott St. Aubin is a consultant with NetSPI who has been working with MnSCU for about two years. He’s an active photographer, shoots an Olympus, and doesn’t own enough lenses.
  • #3 This talk will introduce the incident response guideline, the plan, the process, and share a war story or two.
  • #5 What is an incident? a situation that presents a significant or imminent threat to the security of system information technology resources or information resources; it includes, but is not limited to the following: •Unauthorized access or compromise of information resources or information technology resources with perceived malicious intent; •A significant threat or actual loss of not-public data via information technology resources; •A reasonable basis to believe that system information technology resources are being used for criminal activity.
  • #6 You need to be prepared. Have a process, toolbox, whatever. Running to buy a fire extinguisher while your house burns down won’t help.
  • #7 Incident response is your set of actions taken as response to an incident. You don’t want to be pulling your hair out or panicking when you discover a potential incident. Calm, cool and collected is always more effective. •Could mean you run like hell, or activate your incident response team, or pull out your response kit and start investigating on your own with the ultimate goal of returning to service-as-normal. •More often than not, it'll be a combination of the last two.
  • #8 The route: your management's support and your response team •They'll keep the heat off you while you work! Your plan, of course, distributed and tested so that your team members know what “we may have an incident” means. Your toolbox •Spare hard drive(s) larger than your most media-heavy user's drives •If you're getting too much "practice" at this, a write-blocker - Firefly, Ultrablock, or Tableau -- around $300 (for one) or $1500 (for complete Firewire/USB/SATA/PATA set) •Copy of BackTrack, Helix, or similar Knowledge and understanding of how to use these tools! - You wouldn't want to have to learn how to put on firefighter gear, learn how to drive a hook and ladder, and learn how the ladder works in the middle of a fire...
  • #10 The guideline is fairly straightforward. It lays out definitions and minimum requirements: •You must have a plan -- reasonable and appropriate methods to control and remediate information security incidents •Your response process should cover the process that we’ll go over •Your computer security incident response team should be multi-disciplinary That response process covers several phases...
  • #11 Six phases, to be exact: 1. Detection and Reporting. The method(s) of detecting and reporting an incident should be identified, as well as the path of information flows. Do your users know to call the help desk? Does your help desk know the signs of a potential incident? 2. Initial Classification and Notification. Each incident should be evaluated to ensure it is handled with the appropriate urgency, and the correct individuals are notified for the type of incident being investigated. External processes, like COOP, Breach Notification, Law Enforcement contact, etc. may be initiated when necessary. Breach notification and forensics will usually come later, though. 3. Containment. Initial steps to immediately stop the spread of the incident. This involves things like removing network connectivity from the system, creating forensically-sound copies of hard drives, performing a cursory examination of neighboring systems to identify additionally compromised systems, etc. 4. Eradication. Steps taken to remove the cause of the incident. This is where forensic analysis might be initiated, otherwise generally this is your workstation imaging process. 5. Recovery. Steps taken to return the computer systems to a full production mode. Restoring data, reconfiguring the workstation, and closing the hole that allowed the compromise in the first place. Then placing the system back in use with a period of elevated logging and monitoring to confirm the intruder is not still present. 6. Incident Closure. Complete all documentation and review the incident to determine how the systems, processes, or incident response plan could be improved to prevent recurrence in the future, or decrease recovery time. This is a lot to take on alone, which is why you have an incident response team...
  • #12 There are a lot of potential players in a CSIRT--you will hopefully never have to activate all of these groups, except for testing your plan, of course. Mostly, the team is you, your peers and your CIO. These lines don’t so much delineate control as they do communication paths. You as incident handler recommend action as it pertains to responding, but your CIO and campus leadership are the final authority--they decide if a system gets pulled, or if a system gets returned to operation, whether you think it premature or not. The ISO and OGC can help you coordinate Forensics and Law Enforcement activity.
  • #13 •Link your plan to existing processes--DR, COOP, Breach Notification--and vice versa •Your plan must be tested at least annually -- as in full-team training & exercise kind of test. 4 hours should be sufficient, and it doesn’t have to be fancy. This is as much a discussion and communication opportunity than anything else. •Data collected through this process is assumed nonpublic, classified as security data in MGDPA That, in a nutshell, is what the Guideline requires.
  • #14 This slide is fairly self-explanatory.
  • #15 •you'll need to customize your team information and introduce the plan and process to your local institution resources (Table 1) •Constituencies - Define the role and authority your institution's CSIRT will have over faculty, staff and student constituencies. (Table 3) •You'll also need to fill in details about your local process for reporting and responding to incidents, which you can model after the OOC information included in the template. (Figure 2) Enough about the guideline and template for now, let’s talk incident response in a little more depth.
  • #17 Detecting and Reporting isn’t a huge or difficult process, but it’s absolutely critical to effective incident response. •Your users are probably your first line of detection -- erratic behavior, sudden decline in performance, changed or missing icons/programs/etc, sudden decline in bank account balances, etc. Make sure your helpdesk is mindful of this. •Your IDS, firewalls, antivirus system, and other logs are additional sources for incident detection and confirmation, along with the network team, OET, REN-ISAC, law enforcement, and other randoms.
  • #18 When a suspicious event is detected or reported, get out your incident log book - paper, preferably hard-bound with numbered pages, written in ink. If it’s not numbered, number the pages by hand before you start using it. Keep this with you to document your steps through the entire response process. Never skip more than a page, and write "SKIPPED" on the skipped page. Never tear out a page of that book. Date and timestamp each page, if not each section of a page.
  • #19 So someone has detected an incident, and they want to report it. You need to make sure they know who to contact to do that! A phone call is better than an email--an intruder will have an easier time reading that user’s email than they will getting into your phone system to snoop the call. If you have an intruder and they get tipped off that they’ve been found, they’ll make a quick exit, potentially trashing your workstation. Your helpdesk should also know how to respond, asking that user to step away, come to IT to discuss what they’ve seen, something, anything, to get them away from the keyboard and preserve any evidence still left until someone can get to their workstation.
  • #20 Once you’ve received notification of a suspicious event, conduct some cursory analysis--preferably anywhere else BUT on the suspect system--to look for clues that your event should be escalated to an incident or not. This is where your plan gets activated. Your response will be different if this is inappropriate use, a virus, an insider, a drive-by browser malware issue, or an elite Russian hax0r pwning your datas. Your analysis should include examining Novell and ActiveDirectory logs, AV, firewalls & routers, and perhaps most importantly, an interview with the user reporting the event. Take notes in your log book throughout this process! You may need to recall why you decided to activate this plan two years later--I guarantee you will not remember if you don’t have it written down.
  • #21 Drop -- Initial Classification and Notification So after reporting and confirmation, you either found enough evidence that you think you have an incident, or you’re not comfortable saying you don’t have an incident. Congratulations! The first thing we need to do is drop network connectivity from a system under attack or suspected to be breached. This is like applying a tourniquet when you see blood. It may be overkill, but what if it’s necessary and you skip it?
  • #22 If this is your-institution-dot-e-d-u or some other high-impact system, you’ll need to communicate with some of your IR team members to get approval. This isn’t usually needed with workstations. So with permission attained, disconnect the network on the suspect device. And I mean really disconnect. Don’t just close a switch port--unplug or cut the cable. (The intruder may have access to your switches, too! Thankfully, most of you have fully isolated management VLANs, so this risk is much lower in MnSCU than elsewhere. Like banks or credit unions. *shudder*) Mark the system “dead” or “broken” or however you’d mark a system as not functioning so your users don’t touch. If it’s a sensitive system, do what you have to in order to guarantee the system doesn’t get modified. Log your actions!
  • #23 If you didn’t do so already, talk with your user to learn what they did or didn’t do, what they’ve installed, where they were clicking, etc. It’s worth confirming information the user gives you with log data. If they say they weren’t on Facebook but you see in logs they were, talk to the user about it. You’re not investigating them. (Yet.) Their cooperation and full honesty will help get their system back and running faster. Log your actions. (Is this getting repetitive yet? That’s because none of you will want to do this in the midst of responding...) Sanity check -- you can always close out an incident early if you realize it’s not actually an incident. <story of bank hacked by wireless mouse>
  • #24 If you’re in doubt, continue in the containment phase to create forensically sound images of the system state and hard drive.
  • #25 Image the memory while the system is still in its current state This is not for the faint of heart, and you really, really, really need to have documented procedures and a thorough understanding of what you’re doing.
  • #26 Create two forensic copies of the system hard disk and retain the original with one copy. Or at the very least pull the original altogether. Complete a chain of custody form for the hard disk, including information about the PC the disk came out of. If you don’t already have procedures for this that you’ve tested, call the ISO.
  • #27 Stop -- Eradication
  • #28 Remember, you’re only doing this after determining there is no further need to preserve evidence due to data compromise, or you’re working off of a copy of the original, still preserved. If you have no alternative, you can now interact with the system to continue investigating the incident. The ideal, though, is to use one of the copies you took to examine the system in a write-protected environment to investigate.
  • #29 There are many tools available to conduct this analysis. Some of these tools are expensive. You need to know what you’re doing (perhaps some of you attended Dan Nash’s malware investigation talk yesterday...) If you've determined what bits of malware you're dealing with, and they spread on their own, you'll want to look at other systems -- call the ISO, this is too incident-specific to give you a pithy slide (and potentially even a non-pithy slide) describing how to do this.
  • #30 Depending on what you've found, it may be time to ship your copy and your original off to a forensic specialist to continue the investigation. Some options are the state’s enterprise security office or a third-party like NetSPI or Kroll OnTrack. Leave the forensics to the pros.
  • #31 Ideally, before moving on, you know exactly how the compromise occurred and you have taken steps to both prevent reinfection and detect a reinfection--eradicating that threat.
  • #32 Roll -- Recovery; Incident Closure; Breach notifications and other administrative follow-up
  • #33 Once you believe the incident has been contained and eradicated, and your investigation is complete, you may commence eradication with prejudice. Or just use Ghost or whatever your standard desktop imaging/deployment toolset involves. Don't ever think you can completely clean a Windows workstation. (You can, but it's prohibitively expensive.) Servers are another story, but talk to us in the ISO before you start down this path--we may still advise you to start fresh and restore data either from your copies or from data backups. You should now be ready to return the freshly reimaged suspect system back to production.
  • #34 Don't floor it -- monitoring is key at this point to ensure you eradicated the nasties. After an appropriate length of time, step down your monitoring. This completely depends on the nature of the event. Depending on the outcome of your investigation, this is where you would notify individuals of the breach of their nonpublic data, if appropriate and advised to do so by general counsel.
  • #35 At this time, once all steps and phases are complete, the incident is closed. Schedule a meeting with your incident response team and all other individuals involved--helpdesk, users, ISO, OGC, etc. to conduct a lessons-learned session.
  • #36 The incident recap exists to help you determine if there are changes that should be made to your IR process or procedures for future incidents. Should someone have been involved earlier? Should actions have been taken in a different order? etc.