Incident Response


Roberto Martínez
Owner – Consultant ITlligent Security
Certified EC Council Instructor Latam

CEH, ECSA, ENSA, CHFI, EDRP, ECVP, PMIT, ECSP
MCT, MCSE, MCAD, MCTS, MCSA, Security+
Agenda


• Security Incidents
• Cyber Threats
• Incident Response
• Digital Evidence
• How to Prevent an Incident
Incident


A computer security incident is defined as
“Any real or suspected adverse event in
relation to the security of computer systems or
computer networks.”
Incidents include:


•   Violation of an explicit or implied security policy
•   Attempts to gain unauthorized access
•   Unwanted denial of resources
•   Unauthorized use of electronic resources
Incident Categories
High Impact Incidents
The intrusion process
Cyber Threats in 2010

• Malware
• Data thefts
• Botnets
• Cyber warfare
• Threats to VoIP and mobile convergence
Cybercrime-as-a-Service (CaaS) market model.

The September 2009 report “Measuring the in-the-wild effectiveness of Antivirus
against Zeus” by Trusteer indicated that “the effectiveness of an up to
date anti virus against Zeus is thus not 100%, not 90%, not even 50% - it’s
just 23%.” The implication is that cybercriminals had become proficient at
bypassing signature-based malware scanners, so signature detection alone
cannot be relied on to keep an incident from happening.
Incident Response

A well-defined set of procedures that addresses
the post-incident scenario.

An Incident Response Plan includes:
• Immediate action
• Investigation
• Restoration of resources
• Reporting the incident through the proper channels
Incident Handling

Incident handling, by analyzing the incidents that are
reported, helps identify trends and patterns in
intruder activity.

• It involves three basic functions:
  Incident reporting
  Incident analysis
  Incident response
Security Incident Response Form
Digital Evidence
• Digital evidence is defined as “any information of
  probative value that is either stored or transmitted in
  a digital form.”

Digital evidence is found in files such as:
   –   Graphic files
   –   Audio and video recordings
   –   Web browser history
   –   Server and application log files
   –   Word processing and spreadsheet files
   –   E-mails
Challenging Aspects of Digital Evidence

      • Digital evidence is fragile by nature.

      • During the investigation of the crime scene, if the computer is
        turned off, volatile data that was never written to disk (such as
        memory contents) is lost permanently.

      • During the investigation, digital evidence can be altered,
        maliciously or unintentionally, without leaving any clear sign of
        alteration.

      • Digital evidence is often circumstantial, which makes it difficult
        for the forensic investigator to distinguish a user's actions from
        the system's own activity.

      • After the incident, any data a user writes to the system may
        overwrite the crime scene.
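The usual control against the two alteration problems above (evidence changed without visible signs, and the crime scene overwritten by later writes) is to hash every item at acquisition time and re-verify those hashes before analysis and again before court. The following is an added example and is not code from the original slides; the file names, file contents, case identifier and collector name are constructed for the demonstration.

```python
"""Added example, not code from the original slides: hash evidence at
acquisition time and re-verify later, so that the silent alteration the
slide warns about becomes detectable. File names, contents and the case
identifier below are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images never load fully into memory

def sha256_file(path):
    """Hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, case_id, collector):
    """Chain-of-custody manifest: who collected what, when, and each item's hash and size at that moment."""
    items = [{"path": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
             for p in sorted(paths)]
    return {"case_id": case_id, "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(), "items": items}

def verify_manifest(manifest, directory):
    """Re-hash every item; map path -> 'ok' | 'modified' | 'missing'."""
    results = {}
    for item in manifest["items"]:
        p = os.path.join(directory, item["path"])
        if not os.path.exists(p):
            results[item["path"]] = "missing"
        elif sha256_file(p) != item["sha256"]:
            results[item["path"]] = "modified"
        else:
            results[item["path"]] = "ok"
    return results

def demo():
    """Constructed scenario: two files are collected, then one is changed after collection."""
    d = tempfile.mkdtemp(prefix="evidence_")
    log = os.path.join(d, "auth.log")
    notes = os.path.join(d, "notes.txt")
    with open(log, "w") as f:  # constructed log line
        f.write("Jan 10 03:14:07 host sshd[812]: Failed password for root from 198.51.100.7 port 51234 ssh2\n")
    with open(notes, "w") as f:
        f.write("quarterly figures\n")

    manifest = build_manifest([log, notes], case_id="IR-0001", collector="analyst")
    with open(os.path.join(d, "manifest.json"), "w") as f:  # stored beside the evidence copy
        json.dump(manifest, f, indent=2, sort_keys=True)
    before = verify_manifest(manifest, d)

    # Someone writes to the system after collection: one byte changes, size and name do not.
    with open(notes, "r+b") as f:
        f.write(b"Q")
    after = verify_manifest(manifest, d)
    return manifest, before, after

if __name__ == "__main__":
    _, before, after = demo()
    print("at collection:", before)
    print("later:        ", after)
```

The tampered file keeps its name, size and, on most filesystems, nothing that a directory listing would flag; only the hash comparison exposes the change. In practice the manifest is signed or stored on write-once media, because a manifest the attacker can rewrite proves nothing.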
Forensic Policy
• Forensic policy is a set of procedures
  describing the actions to be taken when an
  incident is observed.
• It defines the roles and responsibilities of all
  people performing or assisting the forensic
  activities.
• It should include all internal and external
  parties that may be involved.
• It explains what actions should and should not
  be performed under normal and special
  conditions.
Forensic Analysis Guidelines
Organizations should:

• Have a capability to perform computer and network forensics

• Determine which parties should handle each aspect of forensics

• Create and maintain guidelines and procedures for performing forensic
  tasks

• Perform forensics using a consistent process

• Be proactive in collecting useful data

• Adhere to the standard operating procedures specified by local laws and
  standards-making bodies such as IOCE and SWGDE while collecting evidence
How to prevent an incident

A key to preventing security incidents is to eliminate
as many vulnerabilities as possible.

• Scanning the network
• Auditing the network
• Deploying Intrusion Detection / Prevention
  systems
• Establishing Defense in Depth
Normalization

• The security monitoring environment is multi-vendor
• Events from different devices and vendors have different formats
• Similar events from multiple vendors must be normalized so that they can
  be compared “apples-to-apples”
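What normalization means in practice is a parser per vendor format that fills one common schema, after which the same flow seen by two devices can be lined up on one key. The block below is an added example and not code from the original slides. The two log formats are constructed for this example (loosely modelled on iptables kernel log lines and Snort fast-alert output, but not claimed to match either tool exactly), the sample lines and host names are made up, and the year is assumed because BSD-style syslog timestamps do not carry one.

```python
"""Added example, not code from the original slides: normalising two constructed
vendor log formats into one common event schema so events from different
devices can be compared apples-to-apples. Both formats are constructed for
this example and are not claimed to match any real tool exactly."""
import re
from datetime import datetime

# Constructed sample lines: a firewall drop, a NIDS alert for the same flow, and an unrelated app line.
SAMPLE_LINES = [
    "Mar  3 10:15:22 fw01 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.25 PROTO=TCP SPT=44122 DPT=445",
    "03/03-10:15:23.120000  [**] [1:2001:3] Constructed SMB exploit attempt [**] [Priority: 1] {TCP} 203.0.113.9:44122 -> 10.0.0.25:445",
    "Mar  3 10:15:24 app01 myapp: user alice logged in",
]

YEAR = 2010  # assumption: neither constructed timestamp format carries a year

FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>FW-\w+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
NIDS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+):(?P<spt>\d+) -> (?P<dst>\S+):(?P<dpt>\d+)"
)

def _event(ts, source, vendor_type, m, action, priority, msg):
    """Build the common schema; every parser fills the same keys with the same types."""
    return {
        "ts": ts.isoformat(),
        "source": source,
        "vendor_type": vendor_type,
        "src_ip": m["src"], "src_port": int(m["spt"]),
        "dst_ip": m["dst"], "dst_port": int(m["dpt"]),
        "proto": m["proto"].lower(),
        "action": action,
        "priority": priority,
        "msg": msg,
    }

def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    action = m["action"].split("-", 1)[1].lower()  # FW-DROP -> drop, FW-ACCEPT -> accept
    return _event(ts, m["host"], "firewall", m, action, None, m["action"])

def parse_nids(line):
    m = NIDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %m/%d-%H:%M:%S")
    return _event(ts, "nids", "nids", m, "alert", int(m["prio"]), f"[{m['sid']}] {m['msg']}")

PARSERS = (parse_firewall, parse_nids)

def normalize_all(lines):
    """Return (normalised events, lines no parser understood). Unparsed lines are surfaced, never dropped silently."""
    events, unparsed = [], []
    for line in lines:
        for parser in PARSERS:
            ev = parser(line)
            if ev:
                events.append(ev)
                break
        else:
            unparsed.append(line)
    return events, unparsed

def by_flow(events):
    """Group normalised events by (src_ip, dst_ip, dst_port): the apples-to-apples comparison key."""
    flows = {}
    for ev in events:
        flows.setdefault((ev["src_ip"], ev["dst_ip"], ev["dst_port"]), []).append(ev)
    return flows

if __name__ == "__main__":
    evs, rest = normalize_all(SAMPLE_LINES)
    for key, group in by_flow(evs).items():
        print(key, [(e["vendor_type"], e["action"]) for e in group])
    print("unparsed:", rest)
```

Two details matter more than the regexes: ports and priorities are converted to integers and protocols lower-cased so that a later comparison never fails on "445" versus 445 or "TCP" versus "tcp", and lines no parser understands are returned rather than discarded, because an unparsed feed is a blind spot the monitoring team needs to know about.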
Event Correlation

[Figure: firewall logs and NIDS logs feeding a shared log/alert correlation view.]
Log Consolidation

A defense-in-depth strategy utilizes multiple devices:
      Firewalls, NIPS, HIPS, AV, AAA, VPN, Application Events, OS Logs

Similar events from multiple vendors need to be consolidated and normalized.

[Figure: event sources such as AAA feeding a central collector with universal syslog support.]
Threat Correlation – Post Incident Analysis (IV)

Post-incident analysis adjusts incident severity
based on context:

• Did the attack reach its destination?

• Is the victim vulnerable?

• How important is the victim system?

• Did further events indicate a possible compromise?

Analysis can be static or dynamic.
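The correlation sketched in the Event Correlation figure and the four context questions above, worked through in code. This is an added example, not code from the original slides: the events (already in a normalized form), the asset inventory, the five-minute window and the scoring weights are all constructed and assumed for illustration; a real deployment would take them from the SIEM, the CMDB and the vulnerability scanner.

```python
"""Added example, not code from the original slides: post-incident context
correlation that adjusts an alert's severity using the four questions on
the slide. Events, the asset inventory, the time window and the scoring
weights are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed, already-normalised events. Same attacker, same exploit attempt, two victims.
EVENTS = [
    {"ts": "2010-03-03T10:15:22", "vendor_type": "firewall", "action": "drop",
     "src_ip": "203.0.113.9", "dst_ip": "10.0.0.25", "dst_port": 445, "proto": "tcp"},
    {"ts": "2010-03-03T10:15:23", "vendor_type": "nids", "action": "alert", "priority": 1,
     "src_ip": "203.0.113.9", "dst_ip": "10.0.0.25", "dst_port": 445, "proto": "tcp",
     "msg": "SMB exploit attempt", "tags": ["smb"]},
    {"ts": "2010-03-03T10:16:02", "vendor_type": "firewall", "action": "accept",
     "src_ip": "203.0.113.9", "dst_ip": "10.0.0.40", "dst_port": 445, "proto": "tcp"},
    {"ts": "2010-03-03T10:16:03", "vendor_type": "nids", "action": "alert", "priority": 1,
     "src_ip": "203.0.113.9", "dst_ip": "10.0.0.40", "dst_port": 445, "proto": "tcp",
     "msg": "SMB exploit attempt", "tags": ["smb"]},
    # Victim 10.0.0.40 then opens an outbound connection back to the attacker: a possible compromise.
    {"ts": "2010-03-03T10:16:40", "vendor_type": "firewall", "action": "accept",
     "src_ip": "10.0.0.40", "dst_ip": "203.0.113.9", "dst_port": 4444, "proto": "tcp"},
]

# Constructed asset inventory: what each host is known to be vulnerable to, and how important it is.
ASSETS = {
    "10.0.0.25": {"criticality": "low", "vulnerable_services": []},
    "10.0.0.40": {"criticality": "high", "vulnerable_services": ["smb"]},
}

BASE_BY_PRIORITY = {1: 7, 2: 5, 3: 3}          # constructed 0-10 scale, seeded from NIDS priority
CRITICALITY_ADJ = {"low": -1, "medium": 0, "high": 2}
WINDOW = timedelta(minutes=5)                   # assumed correlation window

def _t(e):
    return datetime.fromisoformat(e["ts"])

def reached_destination(alert, events):
    """Q1: did the attack reach the victim? Use the firewall's verdict on the same flow near the alert."""
    for e in events:
        if (e["vendor_type"] == "firewall" and e["src_ip"] == alert["src_ip"]
                and e["dst_ip"] == alert["dst_ip"] and e["dst_port"] == alert["dst_port"]
                and abs(_t(e) - _t(alert)) <= WINDOW):
            return e["action"] == "accept"
    return None  # no firewall evidence either way

def victim_vulnerable(alert, assets):
    """Q2: does the alert's exposure tag match something the inventory says the victim is vulnerable to?"""
    asset = assets.get(alert["dst_ip"])
    if asset is None:
        return None
    return any(tag in asset["vulnerable_services"] for tag in alert.get("tags", []))

def compromise_indicators(alert, events):
    """Q4: later events suggesting compromise, here the victim initiating traffic back to the attacker."""
    return [e for e in events
            if e["vendor_type"] == "firewall" and e["action"] == "accept"
            and e["src_ip"] == alert["dst_ip"] and e["dst_ip"] == alert["src_ip"]
            and timedelta(0) < _t(e) - _t(alert) <= WINDOW]

def assess(alert, events, assets):
    score = BASE_BY_PRIORITY.get(alert.get("priority", 3), 3)
    reached = reached_destination(alert, events)
    vuln = victim_vulnerable(alert, assets)
    crit = assets.get(alert["dst_ip"], {}).get("criticality", "medium")   # Q3
    followups = compromise_indicators(alert, events)

    if reached is False:
        score = min(score, 2)   # blocked at the perimeter: keep for trend analysis, not for paging
    elif reached:
        score += 1
    if vuln is True:
        score += 2
    elif vuln is False:
        score -= 2
    score += CRITICALITY_ADJ[crit]
    if followups:
        score += 3
    score = max(0, min(10, score))
    label = "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {"victim": alert["dst_ip"], "score": score, "label": label, "reached": reached,
            "vulnerable": vuln, "criticality": crit, "followup_events": len(followups)}

def assess_all(events, assets):
    return [assess(e, events, assets) for e in events if e["vendor_type"] == "nids"]

if __name__ == "__main__":
    for a in assess_all(EVENTS, ASSETS):
        print(a)
```

Both NIDS alerts are identical in the sensor's own terms (same signature, same priority), which is exactly why raw alert counts mislead. With the firewall verdict, the inventory and the follow-up outbound connection folded in, the first lands at the bottom of the scale and the second at the top. Where an answer is unknown (no firewall log for the flow, host missing from the inventory) the functions return None and the score is left alone rather than silently treated as "safe".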
Demo
Resources
Certifications
EC Council Certified Incident Handler
•   http://www.eccouncil.org/certification/ec-council_certified_incident_handler.aspx
Computer Hacking Forensic Investigator
•   http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx
Concepti
•   http://www.concepti.com


Tools
XPLICO - Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT)
•   http://www.xplico.org/
Netwitness - Threat management solutions, monitoring and real-time network forensics.
•   http://www.netwitness.com/
OSSIM - Open Source Security Information Management
•   http://www.alienvault.com/community.php?section=Home


Web Sites
FIRST is the global Forum for Incident Response and Security Teams
•   http://www.first.org/
Questions?
Thank you!


  Roberto Martínez
  ITlligent Security

  Email: roberto.martinez@itlligent.com.mx
  MSN: frml@live.com.mx
  Skype: skp_roberto.martinez

             @r0bertmart1nez
