This document provides an overview of incident response handling and methodology. It discusses defining incidents, the goals of incident handling, and the incident response lifecycle which consists of preparation, detection, containment, eradication, recovery, and follow-up stages. It emphasizes the importance of having proper policies, procedures, training, and resources in place to effectively handle security incidents.
Operations Security
Week 5
Incident Management, Investigations, and Physical Security
Incidence Response
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).
The Steps of Incidence Handling
Triage – Is it an actual incident or a false alarm? How serious is it?
Investigation – Gathering evidence
Containment – Limit the damage by isolation and mitigation
Analysis – Reconstruct the incident. Who is responsible? How did they do it? When did it occur? Why did they do it?
Tracking – Document the incident and determine the source
Recovery – Mitigate the incident and apply lessons learned to reduce risk of recurrence
Triage
The term Triage is used within the medical community. Triage is the art of rapidly assessing the severity of the incident and following the right protocols, in the right order, to reduce the consequences of the incident and doing it all in the midst of crisis, when every second counts.
Different incidents require different responses – A Denial of Service attack (DOS) has to be addressed differently than a malware infection.
Establishing baselines can help identify unusual activity. The number of indicators to potential incidents are very high, so false positives are common.
Investigation
The Incident Scene – The Environment where potential evidence may exist
Principles of criminalistics apply
Identify the scene
Protect the Environment
Identify evidence and potential sources of evidence
Collect Evidence
Minimize the degree of contamination
General Guidelines
All general forensic and procedural procedures must be applied
Seizing digital evidence must not alter the evidence
Any person accessing original digital evidence must be trained
All activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
While an individual is in possession of digital evidence, he or she is responsible for all actions
Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
Roles and Responsibilities
A solid foundation of knowledge and policy
A properly trained response team
Core areas must be represented
Chain of Custody
Tracks Evidence Handling
A formal, well-documented procedure MUST be followed – NO EXCEPTIONS
Locard’s Exchange Principle
When a crime is committed, the perpetrators leave something behind and take something with them.
Digital Forensics
Be Authentic
Be Accurate
Be Complete
Be Convincing
Be Admissible
Live Evidence
Data that is dynamic and exists in processes that disappear in a relatively short time frame once the system is powered down
Short Term Containment
The short term goal is to prevent more damage from occurring and provide time for additional analysis and mitigation. Isolate the system from the production network and create a backup cop.
The presentation of 'Management Information System' subject of TEIT under 'University of Pune' INDIA.
Author and Teacher: Tushar B Kute http://www.tusharkute.com
tbkute@gmail.com
Operations Security
Week 5
Incident Management, Investigations, and Physical Security
Incidence Response
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).
The Steps of Incidence Handling
Triage – Is it an actual incident or a false alarm? How serious is it?
Investigation – Gathering evidence
Containment – Limit the damage by isolation and mitigation
Analysis – Reconstruct the incident. Who is responsible? How did they do it? When did it occur? Why did they do it?
Tracking – Document the incident and determine the source
Recovery – Mitigate the incident and apply lessons learned to reduce risk of recurrence
Triage
The term Triage is used within the medical community. Triage is the art of rapidly assessing the severity of the incident and following the right protocols, in the right order, to reduce the consequences of the incident and doing it all in the midst of crisis, when every second counts.
Different incidents require different responses – A Denial of Service attack (DOS) has to be addressed differently than a malware infection.
Establishing baselines can help identify unusual activity. The number of indicators to potential incidents are very high, so false positives are common.
Investigation
The Incident Scene – The Environment where potential evidence may exist
Principles of criminalistics apply
Identify the scene
Protect the Environment
Identify evidence and potential sources of evidence
Collect Evidence
Minimize the degree of contamination
General Guidelines
All general forensic and procedural procedures must be applied
Seizing digital evidence must not alter the evidence
Any person accessing original digital evidence must be trained
All activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
While an individual is in possession of digital evidence, he or she is responsible for all actions
Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
Roles and Responsibilities
A solid foundation of knowledge and policy
A properly trained response team
Core areas must be represented
Chain of Custody
Tracks Evidence Handling
A formal, well-documented procedure MUST be followed – NO EXCEPTIONS
Locard’s Exchange Principle
When a crime is committed, the perpetrators leave something behind and take something with them.
Digital Forensics
Be Authentic
Be Accurate
Be Complete
Be Convincing
Be Admissible
Live Evidence
Data that is dynamic and exists in processes that disappear in a relatively short time frame once the system is powered down
Short Term Containment
The short term goal is to prevent more damage from occurring and provide time for additional analysis and mitigation. Isolate the system from the production network and create a backup cop.
The presentation of 'Management Information System' subject of TEIT under 'University of Pune' INDIA.
Author and Teacher: Tushar B Kute http://www.tusharkute.com
tbkute@gmail.com
Risk management is one of the main concepts that have been used by most of the organisations to protect their assets and data. One such example would be INSURANCE. Most of the insurance like Life, Health, and Auto etc have been formulated to help people protect their assets against losses. Risk management has also extended its roots to physical devices, such as locks and doors to protect homes and automobiles, password protected vaults to protect money and jewels, police, fire, security to protect against other physical risks. Dr. C. Umarani | Shriniketh D "Risk Management" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37916.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/37916/risk-management/dr-c-umarani
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating 2007, proprietary solutions and sparse articles is all we have. In 2007 there was no Cloud yet - and that can be both a big help or a major issue in the process. Mergers & Acquisition is a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisition is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework and you will walk away with an actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during a merger and acquisition activities, as well as the positive opportunities they can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material they can start using the day after.
What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...Accellis Technology Group
A cyberattack can easily cripple your law firm so even a basic plan can save your firm in the long run. Learn how to build a plan that will protect your firm from being damaged.
Practical Guide to Managing Incidents Using LLM's and NLP.pdfChris Galvan
This is a project that was created to enable Cybersecurity Defenders in positions such as Forensics, Incident Response, SOC, and Threat Hunting to have a starting place to investigate logs across AWS, GCP, and and Windows Systems.
The last section includes 3 case studies and research done by Christian Galvan and Lawren Epstein on real world attacks to large companies.
Microsoft Navigating Incident Response [EN].pdfSnarky Security
The document titled "Navigating the Maze of Incident Response" by Microsoft Security provides a guide on how to structure an incident response (IR) effectively. It emphasizes the importance of people and processes in responding to a cybersecurity incident.
This guide, developed by the Microsoft Incident Response team, is designed to help you avoid common pitfalls during the outset of a response. It's not meant to replace comprehensive incident response planning, but rather to serve as a tactical guide to help both security teams and senior stakeholders navigate an incident response investigation.
The guide also outlines the incident response lifecycle, which includes preparation, detection, containment, eradication, recovery, and post-incident activity or lessons learned. It's like a recipe for disaster management, with each step as crucial as the next.
The guide also emphasizes the importance of governance and the roles of different stakeholders in the incident response process. It's like a well-oiled machine, with each part playing a crucial role in the overall function.
So, there you have it. A snarky Microsoft's guide to navigating the maze of incident response. It's a wild, complex, and often frustrating world, but with the right plan and people, you can navigate it like a pro.
Task 1.Complete the BIA table below and use it for the remaialehosickg3
Task 1.
Complete the BIA table below and use it for the remainder of the assignment.
You may want to review your Lab #07 assignment where you developed a BIA table.
Information needed to create the Business Functions and Processes below are in the “Project Management Plan” scenario and the “Project Health Network Visual”.
Hint: look at the processes that go from the customers and into the systems/applications in the “Project Health Network Visual”.
Business Function or Process
Business Impact Factor
Recovery Time Objective
IT Systems/Apps Infrastructure Impacts
Task 1: Business Impact Analysis – extracts from the Boiler Plate
1.
Overview
This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system
.
It was prepared for Health Network, Inc (Health Network).
2.
System Description
Indicate the
operating environment (i.e. Data Center, etc)
,
physical location
,
general location of users
, and
partnerships with external organizations/systems
.
Include information regarding any other technical considerations that are important for recovery purposes, such as backup procedures or the
lack of backup procedures
.>
3.1.1
Identify Outage Impacts and Estimated Downtime
Estimated Downtime
The table below identifies the MTD, RTO, and RPO for the organizational business processes that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system.
Mission/Business Process
For HNetExchange
MTD
RTO
RPO
Mission/Business Process
For HNetConnect
MTD
RTO
RPO
Mission/Business Process
For HNetPay
MTD
RTO
RPO
Task 2: Business Continuity Plan – extracts from the Boiler Plate
These tapes are then stored offsite.
The HNetPay data is backed-up daily and retained for 6 months.
The HNetMessage messages are backed-up daily and retained for 3 months.
All other data is backed-up weekly and retained for 60 days.
If the BCP is executed, the most current tapes are copied and mailed to the alternate site.
Modify the statements below to reflect this decision.>
Emergency management standards
Data backup policy
Full and incremental backups preserve corporate information assets and should be performed on a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards.
Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization.
IT follows these standards for its data backup and archiving:
Tape retention policy
Backup media is stored at locations that are secure, isolated from envir ...
Risk management is one of the main concepts that have been used by most of the organisations to protect their assets and data. One such example would be INSURANCE. Most of the insurance like Life, Health, and Auto etc have been formulated to help people protect their assets against losses. Risk management has also extended its roots to physical devices, such as locks and doors to protect homes and automobiles, password protected vaults to protect money and jewels, police, fire, security to protect against other physical risks. Dr. C. Umarani | Shriniketh D "Risk Management" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37916.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/37916/risk-management/dr-c-umarani
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating 2007, proprietary solutions and sparse articles is all we have. In 2007 there was no Cloud yet - and that can be both a big help or a major issue in the process. Mergers & Acquisition is a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisition is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework and you will walk away with an actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during a merger and acquisition activities, as well as the positive opportunities they can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material they can start using the day after.
What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...Accellis Technology Group
A cyberattack can easily cripple your law firm so even a basic plan can save your firm in the long run. Learn how to build a plan that will protect your firm from being damaged.
Practical Guide to Managing Incidents Using LLM's and NLP.pdfChris Galvan
This is a project that was created to enable Cybersecurity Defenders in positions such as Forensics, Incident Response, SOC, and Threat Hunting to have a starting place to investigate logs across AWS, GCP, and and Windows Systems.
The last section includes 3 case studies and research done by Christian Galvan and Lawren Epstein on real world attacks to large companies.
Microsoft Navigating Incident Response [EN].pdfSnarky Security
The document titled "Navigating the Maze of Incident Response" by Microsoft Security provides a guide on how to structure an incident response (IR) effectively. It emphasizes the importance of people and processes in responding to a cybersecurity incident.
This guide, developed by the Microsoft Incident Response team, is designed to help you avoid common pitfalls during the outset of a response. It's not meant to replace comprehensive incident response planning, but rather to serve as a tactical guide to help both security teams and senior stakeholders navigate an incident response investigation.
The guide also outlines the incident response lifecycle, which includes preparation, detection, containment, eradication, recovery, and post-incident activity or lessons learned. It's like a recipe for disaster management, with each step as crucial as the next.
The guide also emphasizes the importance of governance and the roles of different stakeholders in the incident response process. It's like a well-oiled machine, with each part playing a crucial role in the overall function.
So, there you have it. A snarky Microsoft's guide to navigating the maze of incident response. It's a wild, complex, and often frustrating world, but with the right plan and people, you can navigate it like a pro.
Task 1.Complete the BIA table below and use it for the remaialehosickg3
Task 1.
Complete the BIA table below and use it for the remainder of the assignment.
You may want to review your Lab #07 assignment where you developed a BIA table.
Information needed to create the Business Functions and Processes below are in the “Project Management Plan” scenario and the “Project Health Network Visual”.
Hint: look at the processes that go from the customers and into the systems/applications in the “Project Health Network Visual”.
Business Function or Process
Business Impact Factor
Recovery Time Objective
IT Systems/Apps Infrastructure Impacts
Task 1: Business Impact Analysis – extracts from the Boiler Plate
1.
Overview
This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system
.
It was prepared for Health Network, Inc (Health Network).
2.
System Description
Indicate the
operating environment (i.e. Data Center, etc)
,
physical location
,
general location of users
, and
partnerships with external organizations/systems
.
Include information regarding any other technical considerations that are important for recovery purposes, such as backup procedures or the
lack of backup procedures
.>
3.1.1
Identify Outage Impacts and Estimated Downtime
Estimated Downtime
The table below identifies the MTD, RTO, and RPO for the organizational business processes that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system.
Mission/Business Process
For HNetExchange
MTD
RTO
RPO
Mission/Business Process
For HNetConnect
MTD
RTO
RPO
Mission/Business Process
For HNetPay
MTD
RTO
RPO
Task 2: Business Continuity Plan – extracts from the Boiler Plate
These tapes are then stored offsite.
The HNetPay data is backed-up daily and retained for 6 months.
The HNetMessage messages are backed-up daily and retained for 3 months.
All other data is backed-up weekly and retained for 60 days.
If the BCP is executed, the most current tapes are copied and mailed to the alternate site.
Modify the statements below to reflect this decision.>
Emergency management standards
Data backup policy
Full and incremental backups preserve corporate information assets and should be performed on a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards.
Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization.
IT follows these standards for its data backup and archiving:
Tape retention policy
Backup media is stored at locations that are secure, isolated from envir ...
Quality defects in TMT Bars, Possible causes and Potential Solutions.PrashantGoswami42
Maintaining high-quality standards in the production of TMT bars is crucial for ensuring structural integrity in construction. Addressing common defects through careful monitoring, standardized processes, and advanced technology can significantly improve the quality of TMT bars. Continuous training and adherence to quality control measures will also play a pivotal role in minimizing these defects.
Vaccine management system project report documentation..pdfKamal Acharya
The Division of Vaccine and Immunization is facing increasing difficulty monitoring vaccines and other commodities distribution once they have been distributed from the national stores. With the introduction of new vaccines, more challenges have been anticipated with this additions posing serious threat to the already over strained vaccine supply chain system in Kenya.
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
Event Management System Vb Net Project Report.pdfKamal Acharya
In present era, the scopes of information technology growing with a very fast .We do not see any are untouched from this industry. The scope of information technology has become wider includes: Business and industry. Household Business, Communication, Education, Entertainment, Science, Medicine, Engineering, Distance Learning, Weather Forecasting. Carrier Searching and so on.
My project named “Event Management System” is software that store and maintained all events coordinated in college. It also helpful to print related reports. My project will help to record the events coordinated by faculties with their Name, Event subject, date & details in an efficient & effective ways.
In my system we have to make a system by which a user can record all events coordinated by a particular faculty. In our proposed system some more featured are added which differs it from the existing system such as security.
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSEDuvanRamosGarzon1
AIRCRAFT GENERAL
The Single Aisle is the most advanced family aircraft in service today, with fly-by-wire flight controls.
The A318, A319, A320 and A321 are twin-engine subsonic medium range aircraft.
The family offers a choice of engines
Forklift Classes Overview by Intella PartsIntella Parts
Discover the different forklift classes and their specific applications. Learn how to choose the right forklift for your needs to ensure safety, efficiency, and compliance in your operations.
For more technical information, visit our website https://intellaparts.com
Democratizing Fuzzing at Scale by Abhishek Aryaabh.arya
Presented at NUS: Fuzzing and Software Security Summer School 2024
This keynote talks about the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It delves into the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape.
Immunizing Image Classifiers Against Localized Adversary Attacksgerogepatton
This paper addresses the vulnerability of deep learning models, particularly convolutional neural networks
(CNN)s, to adversarial attacks and presents a proactive training technique designed to counter them. We
introduce a novel volumization algorithm, which transforms 2D images into 3D volumetric representations.
When combined with 3D convolution and deep curriculum learning optimization (CLO), itsignificantly improves
the immunity of models against localized universal attacks by up to 40%. We evaluate our proposed approach
using contemporary CNN architectures and the modified Canadian Institute for Advanced Research (CIFAR-10
and CIFAR-100) and ImageNet Large Scale Visual Recognition Challenge (ILSVRC12) datasets, showcasing
accuracy improvements over previous techniques. The results indicate that the combination of the volumetric
input and curriculum learning holds significant promise for mitigating adversarial attacks without necessitating
adversary training.
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxR&R Consult
CFD analysis is incredibly effective at solving mysteries and improving the performance of complex systems!
Here's a great example: At a large natural gas-fired power plant, where they use waste heat to generate steam and energy, they were puzzled that their boiler wasn't producing as much steam as expected.
R&R and Tetra Engineering Group Inc. were asked to solve the issue with reduced steam production.
An inspection had shown that a significant amount of hot flue gas was bypassing the boiler tubes, where the heat was supposed to be transferred.
R&R Consult conducted a CFD analysis, which revealed that 6.3% of the flue gas was bypassing the boiler tubes without transferring heat. The analysis also showed that the flue gas was instead being directed along the sides of the boiler and between the modules that were supposed to capture the heat. This was the cause of the reduced performance.
Based on our results, Tetra Engineering installed covering plates to reduce the bypass flow. This improved the boiler's performance and increased electricity production.
It is always satisfying when we can help solve complex challenges like this. Do your systems also need a check-up or optimization? Give us a call!
Work done in cooperation with James Malloy and David Moelling from Tetra Engineering.
More examples of our work https://www.r-r-consult.dk/en/cases-en/
3. >
Definition of “Incident”
WHAT TO KNOW FIRST:
3
» An incident is an adverse event (or threat of an adverse event) in a
computer system
» Adverse events include the following general categories:
Compromise of Confidentiality
Compromise of Integrity
Denial of Resources
Intrusions
Misuse
Damage
Hoaxes
4. >
What is Incident Handling?
» Incident Handling is actions taken to protect and restore the
normal operating condition of computers and the information
stored in them when an adverse event occurs
INCIDENTS HAPPEN ALL AROUND US:
4
6. >
Reasons For Incident Handling
» Economic
» Protecting Proprietary / Classified / Sensitive Information
» Operational / Business Continuity
» Public Relations
» Legal / Regulatory Compliance
» Safety
INCENTIVES FOR EFFICIENT INCIDENT HANDLING:
6
7. >
Management’s Point of View
» Issues:
It is often difficult to obtain the necessary resources
Incident response is often not done correctly, which can create
obstacles for follow up analysis
» Solutions:
Careful planning and intelligent justification of incident handling
capabilities is imperative
INCIDENT HANDLING FROM A MANAGER’S POINT OF VIEW:
7
8. >
The Bottom Line
» Direct Financial Loss
» Unfavorable Media Exposure
» Outages and Disruption
» Fraud, Waste and Abuse
» Loss of Valuable Information
» Compromise of Proprietary / Sensitive / Classified Data and
Information
» Lawsuits
INFORMATION SECURITY RISKS CAUSE:
8
9. >
Incident Handling Methodology
» Provides structure and organization
» Improves efficiency
» Facilitates understanding the process of responding
» Helps dealing with the unexpected
WHY USE AN INCIDENT HANDLING METHODOLOGY?
9
10. >
Incident Response Lifecycle
THE INCIDENT RESPONSE LIFECYCLE CONSISTS OF SIX STAGES:
10
Preparation
Detection
Containment
Eradication
Follow-up
Recovery
11. >
High Level Preparation
» Develop an incident response policy (see next slide)
» Create procedures for dealing with incidents as efficiently as
possible
» Ensure that a suitable management infrastructure is in place
» Implement a reasonable set of defenses for systems that are to be
used in responding to incidents
YOUR DIRECTION:
11
12. >
Preparation - 1
» Is the anchor of an entire incident response effort
» A suitable incident response policy should address/include
» Purpose and objectives
» Scope (to whom does the policy apply and when?)
» Events that are considered/not considered security-related incidents
» Acceptable risk limits
» Roles, responsibilities and authority of incident response effort
» Evaluation criteria
» Reporting requirements
INCIDENT RESPONSE POLICY:
12
13. >
Preparation - 2
» Ensure that existing policies and procedures are current and
appropriate--update and expand as necessary
» Have an objective evaluation of your incident response team’s
charter, policy, procedures and accomplishments performed!
» Ensure that your team is especially well prepared to deal with
incidents you are most likely to encounter
» Participate in FIRST (Forum of Incident Response and Security
Teams)--FIRST works only if teams contribute
HAVE POLICIES AND PROCEDURES REVIEWED BY LEGAL EXPERTS:
13
14. >
Preparation - 3
» Management's responsibilities include ensuring that:
Policy and procedures for incident handling are written, well-distributed,
and followed
Each person who handles incidents is adequately trained
Appropriate tasks are assigned to each person who performs incident
response duties
Each person involved in handling incidents make suitable progress
Resources are available to ensure that necessary software tools,
hardware and technical personnel are available
Contact lists are created and updated
Provide Support to Enable Evidence Acquisition
MANAGEMENT’S ROLE:
14
15. >
Detection - 1
» Determine what the problem is and to assess its magnitude
» Major sources of information
» Log files
» Personal firewalls (e.g., Windows Firewall, BlackIce Defender)
» Firewall logs
» Intrusion detection systems (IDSs)
» Analyze all anomalies
DETERMINE IF INCIDENT OCCURRED:
15
16. >
Detection - 2
» If feasible, promptly obtain full backup and gather a copy of any
compromised files/bogus code for analysis
In systems in which the likelihood that a security compromise has occurred
» Turn on or increase auditing
» Ensure that the system clock is set correctly
» Start documenting everything that happens
» Initiate notification process
Other members of incident response effort
Information security contact
Public relations office (if warranted by magnitude of incident)
Legal department (this is likely to be more appropriate than you might
think!)
UPON INCIDENT IDENTIFICATION:
16
17. >
Containment - 1
» To keep incident from spreading
» Important decisions need to be made during this stage (shutting
down, disconnecting from a network, monitoring, shunning, setting
traps, disabling features, disabling accounts, etc.)
DECISIONS AND GOALS:
17
Shut Down Or
Disconnect
Keep It
Running
18. >
Containment - 2
» Some users may have to be advised of status of attacked system
(avoid using e-mail during network intrusions!)
» Continue to log all activities
» Consider issuing “cease and desist” message
» Try to get users “out of the loop”
» Continue to keep your public relations and legal offices advised (if
appropriate)--do not talk directly to the media
» Special considerations apply when proprietary, classified and/or
sensitive systems are involved
ACTIVE CONTAINMENT:
18
19. >
Eradication
» To eliminate cause of incident
» Be sure to save any copies of malicious programs before deleting
them
» May require the use of eradication software
» Clean/reformat disks (if appropriate)
» Ensure that backups are clean
» Continue to document all activities
» Continue to keep your public relations and legal offices advised (if
warranted)
KEY STEPS:
19
20. >
Recovery
» To return system / network to mission status
» Follow technical procedures for system recovery
» Users may need to be given an "all clear" message
» Restore data (if appropriate)--may require deletion of all files
and a full restore from a backup tape
» All passwords must be changed if there has been
administrative level compromise
» Continue to log all activities
» If classified/sensitive/proprietary systems are involved, may
require verification of integrity of data stored on systems
BUSINESS RESUMPTION:
20
21. >
Follow-up
» Overall goal: to review and integrate information related to incident
» Although the most frequently neglected stage of the computer
security process, this stage is potentially the most valuable to the
computer security effort
» Perform postmortem analysis of incident
» Reevaluate/modify procedures on basis of "lessons learned“
» Assess time and resources used, and any damage incurred to create
monetary cost estimates
» Prepare report(s)
» Support prosecution activity (if applicable)
MAKE THINGS BETTER:
21
22. >
Hints Moving Forward
» Verify the incident, ruling out alternative explanations of what has
happened
» Follow written procedures during incidents
» Ensure that you have backups very early during the course of an
incident
» Coordinate and consult with other technical experts
» Keep management advised of status of incident and your efforts
» Log all activities
HANDY HINTS FOR HANDLING INCIDENTS:
22
23. >
Legal Considerations - 1
» National laws and directives
» EU directives
» State/province laws
» Civil liabilities
» Legally-advisable practices
INCIDENT RESPONSE HAS LEGAL IMPLICATION :
23
24. >
Legal Considerations - 2
» Start gathering evidence early during an incident’s onset
» Always consider the possibility of a coordinated effort with
appropriate law enforcement agency
» Don’t allow evidence to be contaminated in any way
» Ensure that all evidence is properly accounted for at all times
» Put one person in charge of gathering evidence
» In general, keep the number of people involved to a minimum
» Document virtually everything that you do
DOCUMENTATION AS A LEGAL FOUNDATION:
24
25. >
Legal Considerations - 3
» Nature of analysis to be performed depends on type of incident
than anything else
» Keyword searches are used more than any other type of search
» Some forensics analysis tools support searches using conditional
logic
» Be sure to record the results of each search in a special logbook,
PDA, voice recorder or incident case handling software programs
KEEP GOOD RECORDS:
25
26. >
Incident Response Team - 1
» Information security incidents are becoming increasingly complex--
incident handling experts are needed
» Efficiency
» Proactive element
» Agency or corporate requirements
» Liaison function
» May be given authority to engage in activities that a normal
organization does not get
WHY FORM AN INCIDENT RESPONSE TEAM?
26
27. >
Incident Response Team - 2
» Basic notion: execute incident handling procedures by
simulating a computer security incident and having employees
respond
» Validation of procedures
» “Practice makes perfect”
» Enables you to gauge the magnitude and complexity of the
process
» Exercise benefits are greatly increased if there is an external
objective observer to identify issues
MOCK INCIDENT RESPONSE EXERCISES:
27
28. >
Incident Response Team - 3
» Require development of a variety of incident scenarios
» Record critical data and evaluate
» Should be conducted at regular intervals
» Warning--Carefully plan any mock incident handling exercises to
avoid disruption of operational environments
MOCK INCIDENT HANDLING EXERCISES:
28
29. >
Management’s Responsibility
» Over time incident handling becomes a stressful, difficult activity
Convey a positive, supportive management style
Keep things organized as much as possible
Unless you see trouble, don’t constantly intervene in team members’
efforts
» Develop communication channels accordingly
» Take all feedback seriously
MANAGING AN INCIDENT PROPERLY IS KEY:
29
30. >
Matters That Managers Too Often Overlook - 1
» Conducting regular follow-up activity
» Ensuring that the incident response effort is well-aligned with
business drivers
» Ensuring that team members document their handling of incidents
sufficiently
THINGS CHANGE:
30
31. >
Matters That Managers Too Often Overlook - 2
» Initiating vertical communication
» Interdependencies with other organizations
Information security
IT and business units
Telecommunications
Public affairs
Legal
Human resources
Business continuity
Physical security
Others
KEEP EVERYONE IN THE LOOP THAT NEEDS TO KNOW:
31
32. >
Technical Considerations
» Some incidents occur in large servers with special
complications
They cannot be taken off-line, OR
They have so much storage that it cannot be successfully
imaged (or have RAID, so an image will be technically
infeasible)
» The best option is still to perform some sort of backup, at least
of the suspicious files and logs, then analyze them off-line
» A tape backup will not include all the information such as slack
space data, but it may be the only alternative
REACT ACCORDINGLY:
32
33. >
Session Summary
» Computer forensics requires
The right hardware and software
A great amount of technical proficiency
» To be successful, an incident response effort needs to have a
strong proactive element
KNOW WHAT TO DO:
33