KULIAH 12
INCIDENT RESPONSE
(dirangkum dari buku Incident Response:
A strategic Guide to Handling System and Network Security)
Aswin Suharsono
KOM 15008
Keamanan Jaringan
2012/2013
Definisi
• Incident: event (kejadian) yang mengancam
keamanan sistem komputer dan jaringan.
• Event adalah semua hal yang bisa diobservasi
(diukur)
• Contoh event: connect ke sistem lain dalam jaringan,
mengakses file, mengirim paket, sistem shutdown,
dsb.
• Event yang mengancam antara lain, system crashes,
packet flood, penggunaan akun oleh orang yang
tidak berhak, web deface, bencana alam, dan hal-hal
lain yang membahayakan kinerja sistem
Incident Types
• CIA related incidents:
– Confidentiality: Upaya masuk ke dalam sistem rahasia militer
– Integrity
– Availability
• Other Types
– Reconnaissance Attacks
– Repudiation
• Someone takes action and denies it later on.
Kenapa perlu incident response?
• Bagi Organisasi
 Respon yang sistematis terhadap insiden
 Recover quickly
 Mencegah insiden serupa di masa depan
 Menyiapkan langkah-langkah yang berkaitan dengan
hukum
Incident Response Scope
• Technical:
– Incident detection and investigation tools and procedures
• Management-related
– Policy
– Formation of incident response capability
• In-house vs. out-sourced
Incident Handling
Preparation
Post-incident
activity
Detection
and Analysis
Containment, Eradication
and Recovery
PDCERF incident response method
Preparation
Incident Handling: Preparation
• Incident Handler Communications and Facilities
– Contact information On-call information for other teams
within the organization, including escalation information
Incident reporting mechanisms
– Pagers or cell phones to be carried by team members for
off-hour support, onsite communications
– Encryption software
– War room for central communication and coordination
– Secure storage facility for securing evidence and other
sensitive materials
Incident Handling: Preparation
• Incident Analysis Hardware and Software
– Computer forensic workstations and/or backup devices to create disk
images, preserve log files, and save other relevant incident data
– Blank portable media
– Easily portable printer
– Packet sniffers and protocol analyzers
– Computer forensic software
– Floppies and CDs with trusted versions of programs to be used to
gather evidence from systems
– Evidence gathering accessories
• hard-bound notebooks
• digital cameras
• audio recorders
• chain of custody forms
• evidence storage bags and tags
• evidence tape
Incident Handling: Preparation
• Incident Analysis Resources
– Port lists, including commonly used ports and Trojan horse
ports
– Documentation for OSs, applications, protocols, and
intrusion detection and antivirus signatures
– Network diagrams and lists of critical assets, such as Web,
e-mail, and File Transfer Protocol (FTP) servers
– Baselines of expected network, system and application
activity
– Cryptographic hashes of critical files to speed the analysis,
verification, and eradication of incidents
Incident Handling: Preparation
• Incident Mitigation Software
– Media, including OS boot disks and CD-ROMs, OS media, and
application media
– Security patches from OS and application vendors
– Backup images of OS, applications, and data stored on secondary
media
Incident Handling:
Detection and Analysis
• Incident Categories
–
–
–
–
–
Denial of Service
Malicious code
Unauthorized access
Inappropriate usage
Multiple component incidents
Incident Handling:
Detection and Analysis
• Signs of an incident
–
–
–
–
–
Intrusion detection systems
Antivirus software
Log analyzers
File integrity checking
Third-party monitoring of critical services
• Incident indications vs. precursors
– Precursor is a sign that an incident may occur in the future
• E.g. scanning
– Indication is a sign that an incident is occurring or has occurred
Incident Handling:
Detection and Analysis
• Incident documentation
– If incident is suspected, start recording facts
• Incident Prioritization based on
– Current and potential technical effects
– Criticality of affected resources
• Incident notification
–
–
–
–
–
CIO
Head of information system
Local information security officer
Other incident teams
Other agency departments such as HR, public affairs, legal department
Incident Handling:
Containment, Eradication, Recovery
• Containment strategies
– Vary based on type of incident
– Criteria for choosing strategy include
• Potential damage / theft of resources
• Need for evidence information
• Service availability
• Resource consumption of strategy
• Effectiveness of strategy
• Duration of solution
Incident Handling:
Containment, Eradication, Recovery
• Evidence gathering
– For incident analysis
– For legal proceedings
• Chain of custody
• Authentication of evidence
Incident Handling:
Containment, Eradication, Recovery
• Attacker identification
–
–
–
–
–
Validation of attacker IP address
Scanning attacker’s system
Research attacker through search engines
Using Incident Databases
Monitoring possible attacker communication channels
Incident Handling:
Containment, Eradication, Recovery
• Eradication
– Deleting malicious code
– Disabling breached user accounts
• Recovery
– Restoration of system(s) to normal operations
•
•
•
•
•
•
•
Restoring from clean backups
Rebuilding systems from scratch
Replacing compromised files
Installing patches
Changing passwords
Tighten perimeter security
Strengthen logging
Incident Handling:
Post-Incident Activity
• Evidence Retention
– Prosecution of attacker
– Data retention policies
– Cost
That’s All