Operations Security
Week 5: Incident Management, Investigations, and Physical Security

Incident Response
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).

The Steps of Incident Handling
- Triage: Is it an actual incident or a false alarm? How serious is it?
- Investigation: Gathering evidence
- Containment: Limit the damage by isolation and mitigation
- Analysis: Reconstruct the incident. Who is responsible? How did they do it? When did it occur? Why did they do it?
- Tracking: Document the incident and determine the source
- Recovery: Mitigate the incident and apply lessons learned to reduce the risk of recurrence

Triage
The term triage comes from the medical community. Triage is the art of rapidly assessing the severity of the incident and following the right protocols, in the right order, to reduce the consequences of the incident, and doing all of this in the midst of a crisis, when every second counts.
Different incidents require different responses: a Denial of Service (DoS) attack has to be addressed differently than a malware infection.
Establishing baselines can help identify unusual activity. The number of indicators of potential incidents is very high, so false positives are common.
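The baseline idea in the triage step can be shown concretely. The following is an added example, not part of the lecture notes: it parses a handful of constructed sshd-style log lines for one hour, compares each host's failed-login count with a constructed per-host hourly baseline using a z-score, and assigns a triage severity. The hostnames, addresses, baseline values and the z-score thresholds (3.0 for medium, 6.0 for high) are all assumptions chosen for illustration; a host with no baseline is marked for review rather than silently scored as normal.

```python
"""Baseline-driven triage over constructed sshd log lines (added example, not from the lecture)."""
import re
import statistics
from collections import Counter

# Constructed baseline: failed-login counts per host for each of the previous eight hours.
BASELINE = {
    "web01": [1, 0, 2, 1, 0, 1, 1, 2],
    "db01": [0, 0, 1, 0, 0, 0, 1, 0],
    "vpn01": [5, 4, 6, 5, 4, 5, 6, 5],
}

# Constructed syslog-style lines for the hour being triaged (hostnames and addresses are made up).
CURRENT_HOUR_LOG = """\
Mar 10 09:00:03 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51822 ssh2
Mar 10 09:00:05 web01 sshd[2312]: Failed password for root from 203.0.113.7 port 51830 ssh2
Mar 10 09:00:07 web01 sshd[2313]: Failed password for admin from 203.0.113.7 port 51841 ssh2
Mar 10 09:00:09 web01 sshd[2314]: Failed password for admin from 203.0.113.7 port 51850 ssh2
Mar 10 09:00:11 web01 sshd[2315]: Failed password for oracle from 203.0.113.7 port 51862 ssh2
Mar 10 09:00:13 web01 sshd[2316]: Failed password for test from 203.0.113.7 port 51870 ssh2
Mar 10 09:00:15 web01 sshd[2317]: Failed password for guest from 203.0.113.7 port 51881 ssh2
Mar 10 09:12:40 web01 sshd[2320]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2
Mar 10 09:20:01 db01 sshd[911]: Failed password for postgres from 198.51.100.33 port 33001 ssh2
Mar 10 09:21:44 db01 sshd[912]: Failed password for postgres from 198.51.100.33 port 33009 ssh2
Mar 10 09:30:12 vpn01 sshd[77]: Failed password for alice from 192.0.2.9 port 6001 ssh2
Mar 10 09:31:50 vpn01 sshd[78]: Failed password for bob from 192.0.2.10 port 6002 ssh2
Mar 10 09:40:00 legacy01 sshd[5]: Failed password for root from 203.0.113.7 port 7000 ssh2
"""

FAILED_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_failures(log_text):
    """Count failed logins per host and record the source addresses behind them."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not indicators here
        counts[m["host"]] += 1
        sources.setdefault(m["host"], set()).add(m["src"])
    return counts, sources


def severity(z, medium_z=3.0, high_z=6.0):
    """Map a z-score above baseline to a triage level; activity below baseline is not an alert."""
    if z >= high_z:
        return "high"
    if z >= medium_z:
        return "medium"
    return "normal"


def triage(counts, sources, baseline, medium_z=3.0, high_z=6.0):
    """Compare this hour's counts with each host's baseline and assign a severity.

    Hosts without a baseline cannot be scored, so they are marked for manual review rather
    than silently treated as normal.
    """
    report = {}
    for host in sorted(set(counts) | set(baseline)):
        count = counts.get(host, 0)
        hist = baseline.get(host)
        if not hist:
            report[host] = {"count": count, "z": None, "severity": "review",
                            "sources": sorted(sources.get(host, ()))}
            continue
        mean = statistics.fmean(hist)
        # Assumed guard: a perfectly flat baseline gives a zero standard deviation,
        # so fall back to 1.0 instead of dividing by zero.
        sd = statistics.stdev(hist) if len(hist) > 1 else 0.0
        sd = sd if sd > 0 else 1.0
        z = (count - mean) / sd
        report[host] = {"count": count, "z": round(z, 2),
                        "severity": severity(z, medium_z, high_z),
                        "sources": sorted(sources.get(host, ()))}
    return report


def run():
    """Parse the constructed hour of logs and triage it against the constructed baseline."""
    counts, sources = parse_failures(CURRENT_HOUR_LOG)
    return triage(counts, sources, BASELINE)


if __name__ == "__main__":
    for host, r in run().items():
        print(f"{host:8} count={r['count']:2} z={r['z']} severity={r['severity']} sources={r['sources']}")
```

With these inputs web01 (seven failures against a baseline averaging one per hour, all from a single address) comes out high, db01 medium, vpn01 normal because two failures is below its usual rate, and legacy01 is flagged for review because nothing is known about its normal behaviour. The point for triage is the last two rows: without a baseline, both the false positive on vpn01 and the blind spot on legacy01 would be invisible.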
Investigation
The Incident Scene: the environment where potential evidence may exist. Principles of criminalistics apply:
- Identify the scene
- Protect the environment
- Identify evidence and potential sources of evidence
- Collect evidence
- Minimize the degree of contamination

General Guidelines
- All general forensic and procedural principles must be applied
- Seizing digital evidence must not alter the evidence
- Any person accessing original digital evidence must be trained
- All activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
- While an individual is in possession of digital evidence, he or she is responsible for all actions taken with it
- Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles

Roles and Responsibilities
- A solid foundation of knowledge and policy
- A properly trained response team
- Core areas must be represented

Chain of Custody
Tracks evidence handling. A formal, well-documented procedure MUST be followed: NO EXCEPTIONS.

Locard's Exchange Principle
When a crime is committed, the perpetrators leave something behind and take something with them.

Digital Forensics
Evidence must:
- Be authentic
- Be accurate
- Be complete
- Be convincing
- Be admissible

Live Evidence
Data that is dynamic and exists in processes that disappear in a relatively short time frame once the system is powered down.

Short-Term Containment
The short-term goal is to prevent more damage from occurring and provide time for additional analysis and mitigation. Isolate the system from the production network and create a backup copy.
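The guidelines and the chain-of-custody requirement above can be turned into a small, checkable record. The following is an added example, not part of the lecture notes or any real evidence-management tool: it hashes an item at the moment of seizure, appends (never edits) one log entry per access, storage or transfer event, re-verifies the hash against a working copy, and reports any entry made by someone who was not the custodian at the time. The evidence bytes, names, item id and timestamps are all constructed for illustration.

```python
"""Chain-of-custody record with hash verification (added example, not from the lecture)."""
import hashlib
import json

# Constructed evidence: bytes standing in for a disk-image fragment seized from a hypothetical host.
EVIDENCE_IMAGE = b"\x00" * 16 + b"NTFS    " + b"example-sector-data" + b"\x00" * 8

# Constructed working copy that was altered later (one bit flipped), to show verification failing.
_tampered = bytearray(EVIDENCE_IMAGE)
_tampered[20] ^= 0x01
TAMPERED_COPY = bytes(_tampered)

HANDLING_ACTIONS = {"imaged", "accessed", "stored", "transferred", "returned"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def seize(item_id, data, collector, location, when):
    """Open the custody record at seizure: the hash is taken before anything else happens."""
    return {
        "item_id": item_id,
        "sha256": sha256_hex(data),
        "size": len(data),
        "log": [{"when": when, "actor": collector, "action": "seized",
                 "to": None, "note": location}],
    }


def log_handling(record, actor, action, when, to=None, note=""):
    """Append one access/storage/transfer event. Entries are only ever appended, never edited."""
    if action not in HANDLING_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "transferred" and not to:
        raise ValueError("a transfer must name the receiving custodian")
    record["log"].append({"when": when, "actor": actor, "action": action, "to": to, "note": note})
    return record


def verify(record, data):
    """Re-hash the artefact and compare with the value recorded at seizure."""
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]


def custody_gaps(record):
    """Report log entries that break the chain: out-of-order times, or actions by a non-custodian."""
    log = record["log"]
    custodian, last_when = log[0]["actor"], log[0]["when"]
    gaps = []
    for entry in log[1:]:
        if entry["when"] < last_when:  # ISO-8601 strings in one timezone compare lexically
            gaps.append(f"out-of-order timestamp {entry['when']}")
        last_when = entry["when"]
        if entry["actor"] != custodian:
            gaps.append(f"{entry['actor']} acted on {record['item_id']} while {custodian} was custodian")
        if entry["action"] == "transferred":
            custodian = entry["to"]
    return gaps


def demo():
    """Walk one constructed item through seizure, imaging, transfer, and an access by the wrong person."""
    rec = seize("ITEM-001", EVIDENCE_IMAGE, collector="analyst.a",
                location="server room, rack 4", when="2024-03-10T09:15:00+00:00")
    log_handling(rec, "analyst.a", "imaged", "2024-03-10T10:02:00+00:00",
                 note="write-blocked image taken; copy stored on evidence server")
    log_handling(rec, "analyst.a", "transferred", "2024-03-10T11:30:00+00:00",
                 to="custodian.b", note="sealed evidence bag #17")
    log_handling(rec, "analyst.c", "accessed", "2024-03-11T08:00:00+00:00",
                 note="opened for timeline review")  # not the custodian: will be flagged
    return rec


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    print("original verifies:", verify(rec, EVIDENCE_IMAGE))
    print("tampered copy verifies:", verify(rec, TAMPERED_COPY))
    print("custody gaps:", custody_gaps(rec))
```

Two design choices carry the guidelines: the hash is computed inside `seize` so no handling step can precede it, and `custody_gaps` treats every non-transfer action as the responsibility of whoever currently holds the item, which is exactly the "in possession, responsible for all actions" rule. In practice the record itself would also be signed or stored append-only; that is outside this example.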