Incident Response

1. INCIDENT RESPONSE

3. THREAT LANDSCAPE
• The Advanced Persistent Threat (APT) concern
• –The “UFO” of hacking/cracking activities
• •Malice—Malicious insiders (employees, contractors, vendors) may be higher risk
than outsiders
• •Poor Practices—Newer systems allow for more connectivity and higher risk—
users may not see risk of business as usual
• •Emerging threats and reports
• –New vulnerabilities and exploits are released daily
• •Enhanced media focus leads to ineffective quick-fixes and attracts all manner of
new attackers and threats.
• –The cyber “copycat” is increasingly common

8. FIRST RESPONDER
• Individuals, who in the early stages of an incident, are responsible for the
protection and preservation of life, property, evidence, and the environment,
including emergency response providers as defined in section 2 of the
Homeland Security Act of 2002 (6 U.S.C. 101), as well as emergency
management, public health, clinical care, public works, and other skilled
support personnel (such as equipment operators) that provide immediate
support services during prevention, response, and recovery operations.

9. THE FIRST RESPONDER ROLE
• As a First Responder, you are the first person notified and reacting to an
information security related incident launched against potential critical
infrastructure or key resources (CI/KR).
• •Responsibilities include:
• –Assessing the severity of the threat, the scope of the breach and targets, and the
associated appropriate response
• –Containing the threat or breach
• –Eradicating the threat or breach
• –Restoring critical cyber services
• –Conveying support to secondary response personnel
• –Assisting with the reestablishment of security controls

10. FIRST RESPONDERS ROLES
• Internal:
• –System/network staff performing regular duties
• –IT Security staff responding to any incident
• –Helpdesk support, collecting and providing solutions to user issues and concerns
• •External:
• –A DHS-designated, trained CFR
• –Locally recognized response expert
• –Law enforcement emergency cyber response personnel
• –Government trained and delegated cyber response personnel (local, state, or
federal)

11. RESPONSE EVOLUTION
• Technology has evolved.
• Security threats have evolved.
• Incident Response has not.
• Security and Incident Response professionals must find ways to more
proactively, efficiently, and effectively respond to the escalating cyber threat
landscape.
• The Internet is the Wild West of old. We either train to be the Sheriff, or we
wait to become the victim.

12. THE FIRST RESPONDER METHODOLOGY
• Step 1: Emergency Assessment
• The ability to quickly assess the potential breach to determine attack type, potential targets, and severity.
• The intent is to focus on most critical systems, and most severe breach to quickly combat an attack.
• Step 2: Emergency Containment
• Once the emergency assessment is completed, immediate containment efforts must be initiated.
• A cyber triage system must be established to contain the critical systems and the most severe breaches.
• Step 3: Emergency Eradication
• Building on the prior steps, the eradication process focuses on eliminating the most severe threats against the most critical targets.
• This eradication step is intended to provide a temporary remediation for the breach, leading to restored services.
• Step 4: Emergency Restoration
• This final emergency step provides for the immediate restoration of critical systems and associated services.
• This is a short-term restoration that re-establishes critical services, while a more thorough response is initiated.
• Step 5: Post-Emergency Response
• More thorough response activities are conducted to ensure that ongoing security of restored services is maintained.
• This includes assessment, containment, eradication, and restoration processes.
• Step 6: The Hand-Off
• The final active CFR step is the transfer of responsibility to investigative and forensics personnel.
• Documentation and oral updates are provided to follow-up incident response personnel for ongoing forensic and law enforcement activities.

13. FIRST RESPONDER PREPARATION
• The CFR Incident Response Team
• Core Response Team
• Smaller, more nimble and broadly experienced first response group
• Support Team
• Diverse, specific skillset, on call as needed
• Management Liaison Team
• Focused on executive-level updates, external updates, communication and
coordination

14. THE FIRST RESPONDER TOOLKIT
• The CFR should maintain a kit of response tools that are readily available, easily
useable, and guaranteed secure/authentic.
• Create hashes of stored tools
• The CFR should be very familiar with the tools and the proper use of each
application.
• •Sample Toolkit Options
• System Tools
• Fport,, Process Explorer , Netstat , PsList , PsService
• Network Tools
• Wireshark, Arp , Kismet , TCPDump , Cain and Abel
• Post-Restoration Tools
• Nessus , NMap , Snort , NetStumbler , Nikto

15. THE CYBER ATTACK METHOD
• Cyber attacks typically follow logical patterns:
• –Target Research
• Review of available information regarding potential target(s)
• Public data, Google hacking, corporate records, etc.
• –Information Gathering and Reconnaissance
• Slow, precise discovery of target’s footprint
• Creating an electronic blueprint
• –Vulnerability Assessments
• Methodical discovery of potential weaknesses
• Time consuming and deliberate step in the process
• –Exploitation of Vulnerabilities
• Subtle exploitation to avoid discovery
• Establishing the initial entry point

16. THE CYBER ATTACK METHOD
• Cyber attacks typically follow logical patterns:
• –Privilege Escalation
• Turning initial entry point into elevated access
• Reinforcing access and providing improved expansion opportunities
• –Conducting Breach Goals
• Data or monetary theft, service disruption or elimination, etc.
• –Maintaining Access
• Anticipating the discovery and removal of the initial ingress point, the attacker will create a
point of return
• Backdoors with possible outbound connections
• –Anti-Forensics
• Working to eliminate responders’ research tools such as event logs, alert messages, etc.
• Eliminating evidence

17. ATTACK INDICATORS
• Attack steps have notable traits, and learning these traits can help you more
quickly identify a potential problem.
• Know your enemies and know yourself!
• Learning how an attack is conducted and knowing how tools appear when used
against your environment will help you more quickly respond.
• For example, consider what is done for information gathering and reconnaissance:
• –Fast-paced port scanning versus slow, methodical probing
• Precursors and Indicators: Certain events or anomalies can indicate the existence of
a potential cyber threat.
• There are few specific, definitive notices of a breach, but a collection of indicative
activities can be correlated to determine that a security event has occurred (or is
currently occurring). Initially, the incident may be reported by an end user,
detected by a system administrator, identified by IDS alerts, or discovered by many
other means.

18. IDENTIFICATION
• Look for system anomalies, deviations
• Unusual network traffic patterns
• Notable IDS/IPS alerts
• Logon attempts/activities (failed or successful)
• Newly active services or open ports
• Newly created user accounts
• Newly installed programs
• Related system alerts, warnings (SIEM)
• Spiked CPU, memory, or hard drive utilization

19. CONTAINMENT
• The primary goal of containment is to
quickly track down, identify, and isolate a
breach or threat.
• –Once the impacted systems have been
identified, the scope of the review can
be more targeted.
• –Identification of the breach will lead
to the proper containment and
eradication steps.
• –Isolation of the breach will prevent a
potential spread or relocation of the
infection/breach.
• –Isolation of the breach will also ensure
that additional data loss or progressive
system loss is minimized.
• Tracking down impacted systems
• –Information gathered during the
emergency assessment process will
help to determine breached systems.
• –IP addresses, system names,
logical/physical network locations, and
impacted databases or applications can
be used to locate breached systems.
• –Assumptions must be made that
similarly configured systems with
similar connections and similar
protective mechanisms may also have
been targeted.
• –Systems on the same network
segments or systems that are logically
connected to impacted systems must
also be assumed to have been
breached.

20. ERADICATION
• The most critical and difficult step of the FR response methodology is the
removal of the breach from the impacted network/systems, regardless of
type.
• Eradication is not limited to only initial removal of a threat, but can also
include the ongoing review of the impacted network/systems to prevent a
recurring breach.
• Eradication processes can consist of two primary removal methods:
• –“The scalpel versus the machete”
VS.

21. ERADICATION
• Network-based eradication
• –If multiple systems within the same network segments have been breached, a full network compromise must be suspected.
• –A network eradication process can entail a variety of actions to eliminate continued unwanted access.
• Changing SNMP strings
• Changing device passwords (standard, enable, etc.)
• Changing IP address schemes, assignments
• Changing centralized network management tool accounts
• Modifying firewall rules, IPS scanning filters
• Server/Desktop-based eradication
• –If a system is known to have been compromised, eradication steps must include a review of connected systems to ensure a spread is contained.
• –Removing a breach against a server or desktop can entail multiple steps, with variations based on OS.
• Deleting any non-mandatory accounts
• Changing system passwords (local and domain) for ALL accounts on the impacted systems
• Running full anti-virus scans for possible malware
• Thoroughly reviewing all running processes and listening ports, while looking for correlated file activity

22. RESTORATION
• Restoration from Backup
• If adequate backups are available, system restoration from tape (or other storage
media) will likely be the second most desirable option.
• Tape/media restoration from backup should be quickly reviewed in an offline test
environment to ensure that a breach and/or infection was not backed up.
• This restoration may be for an entire system, specific operating systems files, or
specific database or application files.
• –Correlated to the Emergency Eradication technique selected; Scalpel versus Machete
• –Reinstallation of system files
• Another emergency restoration technique is the reinstallation of verified, valid
operating systems, applications, etc.
• Attention to software versions, patch levels, protective applications.

23. POST-EMERGENCY RESPONSE
• After emergency steps 1-4 are completed, follow-up activities are necessary to ensure that the
existing threat is completely eliminated.
• –Conduct ongoing system monitoring for pending new or returned threats.
• –Conduct fast-paced vulnerability assessments to make sure systems are appropriately patched, secure after
conclusion of emergency response activities.
• –Gather additional logs, records for more in-depth review
• –Findings and associated activities conducted during the emergency response activities should be analyzed to
begin standard, complex incident response.
• Lessons Learned
• –Convey knowledge and responsibility for ongoing activities to secondary response personnel
• –Respond to questions, concerns, needs of investigative personnel for possible prosecution, legal recourse
• –Educate on-site security operations personnel about the breaches found, characteristics and similarities of
the targeted systems, and the successful countering methods conducted during the CFR process.
• In short, impart knowledge to those responsible for ensuring that a similar breach does not happen again