Phil Huggins
February 2004
- Description
- Isolation & Mitigation
- Letter of Preservation
- Additional Monitoring
- External Notifications
- Restoring the Systems
- Securing the Systems
- Summary Meeting
Description

- The goal of this phase is to respond to the data and conclusions drawn in the Assessment Phase
- This includes:
  - Isolating compromised systems
  - Acquisition of systems
  - Increased logging and monitoring
  - Restoring systems
  - Increasing security
- This phase restores the system(s) to a known and trusted state
- The secondary goal of this phase is securing similar hosts to prevent additional attacks, or at least increasing monitoring so that future attacks are identified
- The lessons learned will be shared so that future incident responses are more successful
Acquisition

- The goal of acquisition is to save the state of the system
- Document everything (even mistakes)
- Trust nothing on the suspect system (its binaries, libraries and kernel may have been replaced; use tools from known-good media)
- Suspect systems should be modified as little as possible
- Chain of Custody must be kept for all potential court evidence
Isolation & Mitigation

- Systems that have been identified as compromised must be isolated, to prevent damage to other systems and further damage to the system itself
- When possible, unplug from the network and plug into an empty hub or switch (keeping the link up avoids "network unreachable" errors that would alter the system's state)
- If it must be kept online, restrict access to and from it using ACLs on routers and switches
- Apply network monitoring to those systems that are not removed from the network
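Added example (not from the original slides) of the "keep it online but restrict it" case: a small containment policy for the suspect host, the Cisco IOS extended ACL that enforces it, and a check that runs over a tcpdump capture from the monitoring span to confirm that nothing the ACL should block is still getting through. The addresses (10.0.5.23 as the compromised host, 10.0.9.10 and 10.0.9.11 as the forensic workstation and log collector), the ACL number 150 and the capture lines are assumptions made up for this example.

```python
"""Containment policy for a compromised host that has to stay on the network.

Added example, not from the original slides. The addresses (10.0.5.23 as the
suspect host, 10.0.9.10 and 10.0.9.11 as the responders' forensic workstation
and log collector), the ACL number and the capture lines are all constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ContainmentPolicy:
    suspect: str                                     # host being isolated
    allowed_peers: set = field(default_factory=set)  # responder hosts only

    def permits(self, src: str, dst: str) -> bool:
        """A flow that touches the suspect is allowed only with an allowed peer;
        flows that do not involve the suspect are out of scope (allowed)."""
        if src == self.suspect:
            return dst in self.allowed_peers
        if dst == self.suspect:
            return src in self.allowed_peers
        return True


def render_ios_acl(policy: ContainmentPolicy, number: int = 150) -> list:
    """Cisco IOS extended ACL implementing the policy (list number is assumed).
    Permit suspect <-> allowed peers, then log-and-drop everything else that
    touches the suspect, then leave unrelated traffic alone. The 'log' keyword
    gives the extra logging the slides ask for on the isolated host."""
    lines = []
    for peer in sorted(policy.allowed_peers):
        lines.append(f"access-list {number} permit ip host {policy.suspect} host {peer}")
        lines.append(f"access-list {number} permit ip host {peer} host {policy.suspect}")
    lines.append(f"access-list {number} deny ip host {policy.suspect} any log")
    lines.append(f"access-list {number} deny ip any host {policy.suspect} log")
    lines.append(f"access-list {number} permit ip any any")
    return lines


# "tcpdump -n" style lines: "IP src[.port] > dst[.port]: ..." (ICMP has no ports)
TCPDUMP_LINE = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")


def find_violations(policy: ContainmentPolicy, capture_lines) -> list:
    """Return (src, dst, line) for every flow the ACL should have blocked.
    Run this over a capture taken on the monitoring span after the ACL is in
    place: anything returned means the isolation is not holding."""
    hits = []
    for line in capture_lines:
        m = TCPDUMP_LINE.search(line)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        if not policy.permits(src, dst):
            hits.append((src, dst, line.strip()))
    return hits


# Constructed capture: responder SSH session, an outbound IRC attempt, an SMB
# connection to a neighbour, a responder ping, and unrelated third-party traffic.
SAMPLE_CAPTURE = """\
14:03:22.118 IP 10.0.9.10.51022 > 10.0.5.23.22: Flags [S], seq 1, win 64240
14:03:22.120 IP 10.0.5.23.22 > 10.0.9.10.51022: Flags [S.], seq 2, ack 2
14:03:25.404 IP 10.0.5.23.40112 > 203.0.113.7.6667: Flags [S], seq 3, win 5840
14:03:31.007 IP 10.0.5.23.33011 > 10.0.5.40.445: Flags [S], seq 4, win 5840
14:03:40.551 IP 10.0.5.23 > 10.0.9.10: ICMP echo request, id 12, seq 1, length 64
14:03:41.002 IP 10.0.7.8.4000 > 10.0.7.9.80: Flags [S], seq 5, win 5840
""".splitlines()

POLICY = ContainmentPolicy("10.0.5.23", {"10.0.9.10", "10.0.9.11"})

if __name__ == "__main__":
    print("\n".join(render_ios_acl(POLICY)))
    for src, dst, line in find_violations(POLICY, SAMPLE_CAPTURE):
        print("ISOLATION BREACH:", src, "->", dst, "|", line)
```

Apply the ACL on the interface facing the suspect host's segment, checking the direction (an ACL applied inbound only filters what arrives on that interface). The deny lines carry `log`, so blocked attempts become evidence in their own right. Any line reported as an isolation breach means the ACL is on the wrong interface or direction, or the host has a second path (a dial-up modem or a second NIC) that the ACL does not cover.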
Letter of Preservation

- When external systems are identified, a Letter of Preservation should be issued
  - Carries legal weight in the US
  - It requests that logs and other data be preserved and not deleted
  - Additional legal procedures are typically required before the data is actually transferred
  - The letter must specify a given host or person to save data about
- An example can be found in the EnCase Legal Journal
Additional Monitoring

- Additional network monitoring devices may need to be deployed to:
  - Detect and observe future attacks
  - Collect additional evidence of an ongoing attack
  - Provide data to help identify the incident scope
- These devices can be built during the Readiness Phase
- Logging levels on firewalls, IDS, and servers may need to be increased
- Some monitoring may not be allowed depending on User Privacy Policies
Monitoring tools

- Snort (http://www.snort.org)
- Ethereal (http://www.ethereal.com)
- tcpdump (http://tcpdump.org)
- snoop (included in Solaris)
- NetWitness (http://www.forensicexplorers.com)

- Windump (http://windump.polito.it)
- Snort (http://www.snort.org)
- Etherpeek (http://www.wildpackets.com)
- Ethereal (http://www.ethereal.com)
- Net X-Ray (http://www.netxray.co.uk)
- Sniffer Technologies (http://www.networkassociates.com/us/products/sniffer/home.asp)
- eEye Iris (http://www.eeye.com/html/Products/Iris/index.html)
- Niksun (http://www.axial.co.uk/niksun/niksun_products.asp)
- DigitalGuardian (http://www.verdasys.com)
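Added example (not from the original slides) for "provide data to help identify the incident scope": starting from what the assessment established (the attacker's address and the confirmed compromised host), walk the IDS alerts outward to list every internal host either of them reached, and every host those reached in turn. Those hosts are the candidates for "secure hosts with the same vulnerability" later in this phase. The alert lines use Snort's single-line "fast" alert output (Snort is in the tool list above); the addresses, rule IDs, messages and the 10.0.0.0/8 internal range are constructed for the example.

```python
"""Scope an incident from IDS alerts: which other hosts did the attacker, or the
compromised host, reach? Added example, not from the original slides. The
alert lines follow Snort's single-line 'fast' alert format; the addresses
(198.51.100.9 attacker, 10.0.5.23 confirmed compromised host, 10.0.0.0/8 as
the internal range) and the alerts themselves are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque

ALERT = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>\d+(?:\.\d+){3})(?::\d+)? -> (?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)


def parse_alerts(lines):
    """Yield (sid, msg, src, dst) for each parsable alert line; skip the rest."""
    for line in lines:
        m = ALERT.search(line)
        if m:
            yield int(m["sid"]), m["msg"], m["src"], m["dst"]


def incident_scope(alerts, seeds, internal_nets):
    """Follow alert edges outward from the seed addresses (known attacker,
    confirmed compromised host). Any internal host that a host already in
    scope connected to joins the scope, transitively. Returns
    {host: [(sid, msg, reached_from), ...]}; seeds start with an empty list."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(addr):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in nets)

    edges = defaultdict(list)              # src -> [(dst, sid, msg), ...]
    for sid, msg, src, dst in alerts:
        edges[src].append((dst, sid, msg))

    why = {h: [] for h in seeds}
    queue = deque(seeds)
    while queue:
        h = queue.popleft()
        for dst, sid, msg in edges.get(h, []):
            if dst == h or not is_internal(dst):
                continue                   # external targets are not ours to secure
            if dst not in why:             # first sighting: expand this host too
                why[dst] = []
                queue.append(dst)
            why[dst].append((sid, msg, h))
    return why


# Constructed alerts. The last line is deliberately not an alert.
SAMPLE_ALERTS = """\
02/12-13:58:01.001  [**] [1:1000001:1] SSH exploit attempt [**] [Priority: 1] {TCP} 198.51.100.9:44210 -> 10.0.5.23:22
02/12-14:03:25.404  [**] [1:1000002:1] IRC connection to external host [**] [Priority: 2] {TCP} 10.0.5.23:40112 -> 198.51.100.9:6667
02/12-14:03:31.007  [**] [1:1000003:1] SMB admin share access [**] [Priority: 2] {TCP} 10.0.5.23:33011 -> 10.0.5.40:445
02/12-14:05:10.220  [**] [1:1000001:1] SSH exploit attempt [**] [Priority: 1] {TCP} 198.51.100.9:44980 -> 10.0.5.41:22
02/12-14:06:44.900  [**] [1:1000004:1] NetBIOS session request [**] [Priority: 3] {TCP} 10.0.5.40:50000 -> 10.0.6.12:139
02/12-14:07:00.000  [**] [1:1000005:1] Web server probe [**] [Priority: 3] {TCP} 203.0.113.77:3301 -> 10.0.8.8:80
Feb 12 14:07:01 sensor snort[412]: not an alert line
""".splitlines()

SEEDS = ["198.51.100.9", "10.0.5.23"]
INTERNAL = ["10.0.0.0/8"]


def scope_report(lines=SAMPLE_ALERTS, seeds=SEEDS, internal=INTERNAL):
    """Parse then scope; returns the {host: reasons} dict."""
    return incident_scope(parse_alerts(lines), seeds, internal)


if __name__ == "__main__":
    for host, reasons in scope_report().items():
        detail = ", ".join(f"{frm} (sid {sid}: {msg})" for sid, msg, frm in reasons)
        print(host, "<-", detail or "seed")
```

The unrelated web probe against 10.0.8.8 stays out of scope because nothing already in scope touched it; 10.0.6.12 is pulled in only because the neighbour the compromised host reached went on to contact it. Each host in the result carries the alerts that put it there, which is what the summary meeting and the "secure similar hosts" step need.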
External Notifications

- FBI
- Local Police Force
- FIRST (www.first.org)
- incidents.org (SANS)
- incidents@securityfocus.com
- Any public postings must be from a generic email account (watch out for X-headers added by free HTML-email services, which can reveal the originating organisation or IP address)
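Added example (not from the original slides) of the X-header check above: before a report goes to a public list, scan the draft's headers for anything that names the organisation or carries an address in its public range. Webmail services and HTML-mail clients add headers such as X-Originating-IP and Received lines automatically, so a generic From address on its own is not enough. The domain example-corp.com, the range 192.0.2.0/24, the header list and the message are constructed for the example.

```python
"""Check a draft posting's headers for anything that ties it back to the
organisation before it goes to a public list. Added example, not from the
original slides. The organisation domain (example-corp.com), its public range
(192.0.2.0/24) and the message below are constructed.
"""
import ipaddress
import re
from email import message_from_string

# Headers that commonly carry origin details; webmail and HTML-mail clients add
# several of these automatically (assumed list, extend for your environment).
TELLTALE_HEADERS = ("Received", "X-Originating-IP", "X-Mailer", "X-Sender",
                    "Organization", "Message-ID", "From", "Reply-To")

DOTTED_QUAD = re.compile(r"\d+(?:\.\d+){3}")


def find_header_leaks(raw_message: str, org_domains, org_networks) -> list:
    """Return [(header, value, reason)] for header values that name one of the
    organisation's domains or contain an address in its public ranges."""
    nets = [ipaddress.ip_network(n) for n in org_networks]
    msg = message_from_string(raw_message)
    leaks = []
    for name in TELLTALE_HEADERS:
        for value in msg.get_all(name, []):
            text = str(value).lower()
            for domain in org_domains:
                if domain.lower() in text:
                    leaks.append((name, value, f"mentions {domain}"))
            for token in DOTTED_QUAD.findall(text):
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue                  # a version string, not an address
                if any(addr in n for n in nets):
                    leaks.append((name, value, f"{token} is in organisation address space"))
    return leaks


# Constructed draft as a webmail service might hand it to the MTA.
SAMPLE_DRAFT = """\
Received: from ws17.example-corp.com (ws17.example-corp.com [192.0.2.15]) by mx.webmail.example; Thu, 12 Feb 2004 14:10:00 +0000
Received: from [192.0.2.44] by webmail.example with HTTP; Thu, 12 Feb 2004 14:09:58 +0000
X-Originating-IP: [192.0.2.44]
X-Mailer: Webmail HTML composer 2.0
Message-ID: <20040212140958.GA1234@ws17.example-corp.com>
From: incident-reports@webmail.example
To: incidents@securityfocus.com
Subject: Unusual SSH scanning observed

We have observed repeated SSH connection attempts from one source ...
"""

if __name__ == "__main__":
    for header, value, reason in find_header_leaks(SAMPLE_DRAFT, ["example-corp.com"], ["192.0.2.0/24"]):
        print(f"LEAK {header}: {reason} -- {value}")
```

The From line is clean, yet the draft leaks the organisation five times through Received, X-Originating-IP and Message-ID. The check is only as good as the domain and address lists it is given, so include every public range and domain the organisation owns, not just the one the responders use.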
Restoring the Systems

- It is important not to restore data that has trojans or backdoors
- If a backup is known not to be compromised (taken before the intrusion began and verifiable against a trusted baseline), it can be used
- Otherwise, start with a new install
- Ensure that the system has all patches installed before it is reconnected to the network
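Added example (not from the original slides) of how to tell whether a backup is "known to not be compromised": compare it against a hash manifest of the same system recorded before the incident. It assumes such a manifest exists (a file-integrity baseline of the kind prepared in the Readiness Phase); the file paths and contents are constructed and held in memory rather than read from disk.

```python
"""Is this backup safe to restore? Compare it with a baseline manifest recorded
on the known-good system before the incident (the kind of file-integrity
snapshot prepared in the Readiness Phase). Added example, not from the original
slides; the baseline and backup contents are constructed in memory rather than
read from disk.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """{path: content} -> {path: sha256}. Run once on the trusted system."""
    return {path: sha256_hex(content) for path, content in files.items()}


def audit_backup(baseline: dict, backup: dict, volatile_prefixes=("/var/log/",)) -> dict:
    """Classify every file in the backup against the baseline manifest.
    Files under volatile prefixes (logs, spools) are expected to differ and are
    reported separately instead of as 'modified'."""
    report = {"ok": [], "modified": [], "added": [], "missing": [], "volatile": []}
    for path, content in sorted(backup.items()):
        if path.startswith(volatile_prefixes):
            report["volatile"].append(path)
        elif path not in baseline:
            report["added"].append(path)      # file the trusted system never had
        elif baseline[path] != sha256_hex(content):
            report["modified"].append(path)   # replaced binary, edited config, ...
        else:
            report["ok"].append(path)
    report["missing"] = sorted(p for p in baseline if p not in backup)
    return report


def safe_to_restore(report: dict) -> bool:
    """A modified system file or an unexplained new file is exactly the trojan
    or backdoor case the slides warn about; such a backup is not a known-good
    one. Missing files are reported but left to the responder to judge."""
    return not report["modified"] and not report["added"]


# Constructed baseline of a small Unix host (contents stand in for real files).
KNOWN_GOOD = {
    "/bin/ls": b"ELF ls 1.0",
    "/bin/ps": b"ELF ps 1.0",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n",
    "/var/log/messages": b"Feb 10 09:00:00 host boot ok\n",
}
BASELINE = build_manifest(KNOWN_GOOD)

# Constructed backup taken after the intrusion: a replaced ps, an added inetd
# service line, a hidden new file, and logs that have legitimately grown.
BACKUP_AFTER_INTRUSION = dict(KNOWN_GOOD)
BACKUP_AFTER_INTRUSION["/bin/ps"] = b"ELF ps 1.0 (patched to hide processes)"
BACKUP_AFTER_INTRUSION["/etc/inetd.conf"] += b"extra stream tcp nowait root /bin/sh sh -i\n"
BACKUP_AFTER_INTRUSION["/usr/lib/.x/bd"] = b"ELF unknown"
BACKUP_AFTER_INTRUSION["/var/log/messages"] += b"Feb 12 14:03:22 host sshd: session opened\n"

if __name__ == "__main__":
    for label, backup in (("known-good copy", KNOWN_GOOD), ("post-intrusion backup", BACKUP_AFTER_INTRUSION)):
        report = audit_backup(BASELINE, backup)
        print(label, "-> restore" if safe_to_restore(report) else "-> rebuild from install media")
        for key in ("modified", "added", "missing", "volatile"):
            if report[key]:
                print("  ", key, report[key])
```

Without a pre-incident manifest there is nothing to compare against, which is why the slides fall back to a new install in that case: a backup taken after the intruder arrived looks exactly like a clean one. Keep the manifest somewhere the suspect host cannot write to, otherwise the attacker can update it along with the binaries.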
Securing the Systems

- If the method of attack is known, secure the compromised host from it first
- Afterwards, secure hosts with the same vulnerability
- If the exact method is not known yet, ensure that monitoring is in place to detect future attacks
- After a forensic analysis is performed, secure any vulnerabilities that were found
- Additional filters may be applied to the recovered host to detect future attempts
Summary Meeting

- Each person involved with the incident should attend a summary meeting
- This will cover what worked and what did not work
- Policies and procedures should be modified appropriately
- Any 'tricks' that were discovered should be documented to help future responders
Summary

- This phase performs actions based on data found in the Assessment Phase
- Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected
- External organizations may provide support or assistance
- Ensure security holes are plugged and risks mitigated

First Response - Session 11 - Incident Response [2004]

  • 2.
    - Description
    - Isolation & Mitigation
    - Letter of Preservation
    - Additional Monitoring
    - External Notifications
    - Restoring the Systems
    - Securing the Systems
    - Summary Meeting
  • 3.
    - The goal of this phase is to respond to the data and conclusions drawn in the assessment phase
    - This includes:
      - Isolating compromised systems
      - Acquisition of systems
      - Increased logging and monitoring
      - Restoring systems
      - Increasing security
  • 4.
    - This phase restores the system/s to a known and trusted state
    - The secondary goal of this phase is securing similar hosts to prevent additional attacks or at least increase monitoring to identify future attacks
    - The lessons learned will be shared so that future incidents are more successful
  • 5.
    - The goal of acquisition is to save the state of the system
    - Document everything (even mistakes)
    - Trust nothing on the suspect system
    - Suspect systems should be modified as little as possible
    - Chain of Custody must be kept for all potential court evidence
  • 6.
    - Systems that have been identified as compromised must be isolated to prevent damage to other systems and further damage to it
    - When possible, unplug from the network and plug into an empty hub or switch (to prevent network unreachable errors)
    - If it must be kept online, restrict access to and from it using ACLs on routers and switches
    - Apply network monitoring to those systems that are not removed from the network
  • 7.
    - When external systems are identified, a Letter of Preservation should be issued
      - Carries legal weight in the US
      - It requests that logs and other data be preserved and not deleted
      - Additional legal procedures are typically required before the data is actually transferred
      - The letter must specify a given host or person to save data about
    - An example can be found in the EnCase Legal Journal
  • 8.
    - Additional network monitoring devices may need to be deployed to:
      - Detect and observe future attacks
      - Collect additional evidence of an ongoing attack
      - Provide data to help identify the incident scope
    - These devices can be built during the Readiness Phase
    - Logging levels on firewalls, IDS, and servers may need to be increased
    - Some monitoring may not be allowed depending on User Privacy Policies
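Slides 6 and 8 say to isolate a compromised host with ACLs when it cannot be unplugged and to raise logging on firewalls and switches. A practical follow-up is to read those raised logs back and confirm the ACL actually holds. The script below is an added example written for this transcript, not tooling from the deck or its author; the syslog-like ACL log format, the device names and the addresses (an isolated host 10.0.5.23 and a single permitted forensic workstation 10.0.9.100) are all constructed assumptions.

```python
"""Verify from firewall/ACL logs that an isolated host is really isolated.

Added example for this incident-response transcript; not part of the original deck.
The log format, device names and addresses below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Hosts the response team has placed behind restrictive ACLs (assumed values).
ISOLATED_HOSTS = {"10.0.5.23"}
# The only peer still allowed to reach an isolated host, e.g. the forensic workstation (assumed).
ALLOWED_PEERS = {"10.0.9.100"}

# Constructed log line shape: "<ts> <device> ACCEPT|DENY <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ACCEPT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Flow:
    ts: str
    device: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line):
    """Parse one log line into a Flow, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["dev"], m["action"], m["proto"],
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def isolation_violations(lines):
    """Return ACCEPTed flows to or from an isolated host whose peer is not allow-listed.

    Any hit means the ACL is incomplete, applied on the wrong interface, or bypassed.
    """
    violations = []
    for line in lines:
        f = parse_line(line)
        if f is None or f.action != "ACCEPT":
            continue
        if f.src in ISOLATED_HOSTS and f.dst not in ALLOWED_PEERS:
            violations.append(f)
        elif f.dst in ISOLATED_HOSTS and f.src not in ALLOWED_PEERS:
            violations.append(f)
    return violations


def summarize(lines):
    """Count ACCEPT/DENY flows per isolated host.

    DENY volume shows the compromised host is still trying to talk (useful evidence of
    an active backdoor); ACCEPT volume should be explainable by the allow-list alone.
    """
    counts = {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        for host in (f.src, f.dst):
            if host in ISOLATED_HOSTS:
                counts.setdefault(host, {"ACCEPT": 0, "DENY": 0})[f.action] += 1
    return counts


# Constructed sample log: one permitted SSH session, one ACL gap (SMB to another
# internal host), and several blocked outbound/inbound attempts.
SAMPLE_LOG = """\
2004-02-10T09:00:01 core-sw1 DENY tcp 10.0.5.23:4123 -> 192.0.2.77:6667
2004-02-10T09:00:02 core-sw1 ACCEPT tcp 10.0.9.100:50211 -> 10.0.5.23:22
2004-02-10T09:00:05 core-sw1 ACCEPT tcp 10.0.5.23:4124 -> 10.0.7.8:445
2004-02-10T09:00:06 core-sw1 DENY udp 10.0.5.23:1030 -> 10.0.0.53:53
not a log line
2004-02-10T09:00:09 edge-fw1 DENY tcp 198.51.100.9:33000 -> 10.0.5.23:80
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for v in isolation_violations(lines):
        print(f"VIOLATION {v.ts} {v.device}: {v.src}:{v.sport} -> {v.dst}:{v.dport} ({v.proto})")
    print(summarize(lines))
```

Run against the constructed sample, the only violation reported is the accepted SMB flow from the isolated host to 10.0.7.8, which is exactly the kind of gap that lets the compromise spread while the team believes the host is contained. Real deployments would feed this from the syslog collector rather than an inline string, and the regex would be adapted to the device's actual log format.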
  • 9.
    - Snort (http://www.snort.org)
    - Ethereal (http://www.ethereal.com)
    - tcpdump (http://tcpdump.org)
    - snoop (Included in Solaris)
    - NetWitness (http://www.forensicexplorers.com)
  • 10.
    - Windump (http://windump.polito.it)
    - Snort (http://www.snort.org)
    - Etherpeek (http://www.wildpackets.com)
    - Ethereal (http://www.ethereal)
    - Net X-Ray (http://www.netxray.co.uk)
    - SnifferTechnologies (http://www.networkassociates.com/us/products/sniffer/home.asp)
    - eEye Iris (http://www.eeye.com/html/Products/Iris/index.html)
  • 12.
    - FBI
    - Local Police Force
    - FIRST (www.first.org)
    - incidents.org (SANS)
    - incidents@securityfocus.com
    - Any public postings must be from a generic email account (watch out for X-headers with free HTML-email)
  • 13.
    - It is important to not restore data that has trojans or backdoors
    - If a backup is known to not be compromised, it can be used
    - Otherwise, start with a new install
    - Ensure that the system has all patches installed
  • 14.
    - If the method of attack is known, secure the compromised host from it first
    - After, secure hosts with the same vulnerability
    - If the exact method is not known yet, ensure that monitoring is in place to detect future attacks
    - After a forensic analysis is performed, secure any vulnerabilities that were found
    - Additional filters may be applied to the recovered host to detect future attempts
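Slide 5 asks for a chain of custody on everything acquired, and slide 13 says a backup may only be restored if it is known not to carry trojans or backdoors. Both come down to hashing: record the hash of each acquired item alongside who handled it and when, and compare a restore candidate's file hashes against a manifest taken from a known-good state (an install image, or a manifest made before the incident). The code below is an added example for this transcript, not the deck's own tooling; the directory layout, file contents, handler name and the JSON-lines custody log format are constructed assumptions. Following the deck's "trust nothing on the suspect system", the comparison is meant to run on a trusted workstation against a mounted copy, never on the compromised host itself.

```python
"""Evidence hash manifests, a chain-of-custody log, and a known-good comparison
for restore candidates.

Added example for this incident-response transcript; not the deck's own tooling.
Paths, file contents, the handler name and the log layout are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under `root` (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def custody_record(evidence_path, handler, action, note=""):
    """One chain-of-custody entry: who did what to which item, when, and its hash at that moment."""
    return {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "item": evidence_path,
        "sha256": sha256_file(evidence_path),
        "handler": handler,
        "action": action,
        "note": note,  # mistakes get recorded here too, as the deck advises
    }


def append_custody(log_path, record):
    """Append-only JSON-lines custody log (constructed format)."""
    with open(log_path, "a") as f:
        f.write(json.dumps(record) + "\n")


def compare_to_known_good(known_good, candidate):
    """Return (modified, added, missing) relative paths.

    Any non-empty list disqualifies the candidate as a trusted restore source until
    each difference has been explained; a trojaned binary shows up as 'modified',
    a dropped backdoor as 'added'.
    """
    modified = sorted(p for p in known_good if p in candidate and candidate[p] != known_good[p])
    added = sorted(p for p in candidate if p not in known_good)
    missing = sorted(p for p in known_good if p not in candidate)
    return modified, added, missing


def demo():
    """Build a tiny known-good tree and a backup with one altered binary and one extra
    file, compare them, and log the backup manifest as an acquired item."""
    with tempfile.TemporaryDirectory() as tmp:
        good, backup = os.path.join(tmp, "good"), os.path.join(tmp, "backup")
        for root in (good, backup):
            os.makedirs(os.path.join(root, "bin"))
            os.makedirs(os.path.join(root, "etc"))
            with open(os.path.join(root, "bin", "login"), "wb") as f:
                f.write(b"original login binary (constructed)")
            with open(os.path.join(root, "etc", "passwd"), "wb") as f:
                f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        # Simulate what a compromised backup looks like: a replaced binary and a new file.
        with open(os.path.join(backup, "bin", "login"), "wb") as f:
            f.write(b"trojaned login binary (constructed)")
        with open(os.path.join(backup, "etc", "rc.backdoor"), "wb") as f:
            f.write(b"constructed placeholder")

        result = compare_to_known_good(build_manifest(good), build_manifest(backup))

        manifest_path = os.path.join(tmp, "backup.manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(backup), f, sort_keys=True)
        rec = custody_record(manifest_path, "responder-1", "acquired", note="manifest of backup tree")
        append_custody(os.path.join(tmp, "custody.log"), rec)
        return result, rec


if __name__ == "__main__":
    (modified, added, missing), rec = demo()
    print("modified:", modified, "added:", added, "missing:", missing)
    print("custody entry:", rec)
```

The comparison reports `bin/login` as modified and `etc/rc.backdoor` as added, so this backup would be rejected and the host rebuilt from a fresh install, as slide 13 prescribes. The custody log is deliberately append-only; if a mistake is made during handling, the fix is a further entry describing it, not an edit of an earlier one.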
  • 15.
    - Each person involved with the incident should attend a summary meeting
    - This will cover what worked and what did not work
    - Policies and procedures should be modified appropriately
    - Any ‘tricks’ that were discovered should be documented to help future responders
  • 16.
    - This phase performs actions based on data found in the Assessment Phase
    - Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected
    - External organizations may provide support or assistance
    - Ensure security holes are plugged and risks mitigated