Incident Handling PPT

advertisement






What is incident handling?
Why is it important?
What is an incident?
Fundamentals
The Six Step process
Legal issues


Incident Handling is an action plan for
dealing with intrusions, cyber-theft, denial of
service, malicious code, fire, floods, and
other security-related events.
Having procedures and policy in place so you
know what to do when an incident occurs




Sooner or later an incident is going to occur.
Do you know what to do?
It is not a matter of .if. but .when.
Planning is everything
Similar to backups
- You might not use it every day, but if a
major problem occurs you are going to be
glad that you did


Plans, policies and procedures developed for
incident handling must comply with
applicable laws.
This is not a legal course, have them reviewed
by legal counsel.
An .incident. is an adverse event in an
information system, and/or network, or the
threat of the occurrence of such an event.


Incident implies harm, or the attempt to do
harm.
The fact that an incident has occurred may
mean a law has been broken












Bombings, Explosions
Earthquakes, Fires, Floods
Power outages, Storms
Hardware/software failures
Strikes, Employees unavailable
Hazard material spills
Cyber-theft, Intellectual property theft
Viruses, worms or other malicious software
Unauthorized use
Intrusions, Internal or external attack
Denial of Service.
An .event. is any observable occurrence in a
system and/or network.
Examples of events include:

the system boot sequence
a system crash
packet flooding within a network


These observable events compose an incident
All incidents are composed of events, but not
all events are incidents
Which of the following is an incident ?
1. An attacker running NetBIOS scans against a
UNIX system.
2. An attacker exploiting Sendmail on a UNIX
system.
3. A backup tape containing sensitive
information is missing.


Incident Handling is similar to first aid. The
caregiver tends to be under pressure and
mistakes can be very costly. A simple, wellunderstood approach is best.
 Preparation
 Identification
 Containment
 Eradication
 Recovery
 Lessons
Learned
Getting your environment and team ready to
handle incidents
The Goal of Preparation is to Get Your
Team ready to handle incidents
◦
◦
◦
◦
◦
◦
Policy
People
Data
Software/Hardware
Communication
Supplies
◦ Transportation
◦ Space
◦ Power and
Environment control
◦ Documentation


Be Calm
Take Notes,Logs,etc..
◦ Hand Written Notes are a great Help
◦ Use Time Stamps in the Notes.

Management Support
◦ Regular Reports (Preferred Monthly)
◦ Graphically illustrated Reports

Build An Incident Handling Team
◦ Identify qualified People
◦ Multi- disciplinary Team is the best





Network
Security
Operations
Systems
HR

Prepare System Built Checklist
◦ Procedures of Backing Up and Rebuilding systems

Getting Access to systems and Data
◦ Incident Handling Team Need to have access the
System(Even without notifying system admins)
◦ Strike a Bargain with the Operation Team

Establish a War Room

Train The Team
◦ Conduct training scenarios
◦ Deploy an internal Honey Pot

Conduct War Games
◦ Pen Tests
◦ Do This with more experienced teams

Cultivate Good Relationships
◦ Helpdesk
◦ Sys admins , network admins

Get a bag and load it with items that you
might use in an incident.

Never steal from this bag

Use check list while loading the bag

Binary image creation software
◦ dd,windd,cryptcat,netcat



Forensics tools
Sleuth Kit , Autospy (Free) , Encase, Xways
Diagnostic Softwares :
◦ No XPE
◦ Helix (Great Tool)
◦ Backtrack







USB Drives
External Hard Disks
HUB OR TAB (No switch)
Patch cables
Laptop with Multi-OS
A Lot of RAM
Jumpers ,Flashlight, Tweezers ,Dental Mirror,
Business Cards
Detecting Deviation from the norm and
attempts to do harm

The Goal is to gather events ,analyze them,
and determine if it is an incident.

Be Willing to alerts early.
◦ Do not be afraid to declare an incident




Maintain situation awareness
Provide current intelligence
Correlate information
Assign Primary Handler
◦ Try to assign a helper (WHY?)

Control the flow of information (Need to
Know)

Communication Channels
◦ You can not trust the network if you suspect you
have an attack
◦ Use out-of-band Communication
◦ Be careful with (VoIP)
 Wireshark
 VOMIT

Network Detection

Host Detection

System detection






IDS tool has an alert
Unexplained entries in a log file
Failed events, such as logon
Unexplained events (new accounts)
System reboots
Poor performance

SANS -Windows cheat sheet

SANS-Linux cheat sheet
Stopping the Damage and making Forensics
images

The Goal is to stop the bleeding.
◦ Stop the attacker to get any deeper.

We will cover the following:
◦
◦
◦
◦
The Sub-phases of containment.
Methods of short-term containment
Backup
Method of long term containment.





Disconnect network cable
Pull power cable
Isolate the attacked server on a separate
switch
Apply filters(FW)
Change the DNS names to point to a different
IP address

Coordinate with your ISP ,regarding external
attacks.
◦ Large packet floods , warms, bot-nets.


Keep low profile
Analyze the copy of the forensic image:
◦
◦
◦
◦
◦
Make an image ASAP
Use Blank Media
If possible take bit-by-bit image
Never analyze the original.
Keep original Pristine for evidence.

First thing you isolate , then image.
◦ Use CD do not use USB.
◦ Do not grace shutdown the system.
◦ Store the image in safe place.





Original (Evidence)
Image1 (May be put back into production)
Image2 (Analysis)
Use drive duplicators if possible
Train on the image creation.




Acquire the logs and other sources of
information.
Review logs from neighboring systems.
How far did the attacker get.
Make recommendation for log term
containment.
◦ It is a business decision



As long as you got your evidence and image
backup , you can make changes to the
system.
Ideal: keep system off line.
Less than ideal :if system must be kept in
production , perform long term Containment.

Numerous potential actions:
◦
◦
◦
◦
◦


Patching the system and nighbourng systems.
Change password
Null routing ???
FW
Remove accounts used by attackers.
Do not forget (you still need to eradicate)
The ideal long-term containment is to apply
temporary solution tell you build a clean
system.
Cleaning up and removing the artifacts done
by the attacker


By stopping the bleeding I need to eradicate,
or to get rid of any attacker’s artifacts.
In this phase we determent the cause and the
effect of the Incident:
◦ By analyzing all data .
◦ Isolating the system and studying the attack
patterns.



Locate the most recent CLEAN backup
In the case of suspecting root kit attack
,please rebuild the system from scratch
Remove malicious soft wares:
◦ Virus
◦ Backdoor
◦ Rootkits or Kernal level rootkits

Now the Attackers got you :
◦ Implement the appropriate protection:





Firewalls.
New name /IP for the system
Null routing
Hardening
Patching

Perform Vulnerability analysis
◦ Network assessment
◦ System assessment
◦ Scan the entire network for interesting ports.
 Nessus, is a big help.
 Remember the attacker often uses the same exploit
and backdoor on multiple machines , so look for them
in multiple environments.
Getting Back to business …
Carefully.


The goal of recovery is to put the impacted
system back to production in safe manner.
Validate the system
◦ Verify the operation of the system.
◦ Let the business unit test with you

Usually at off hours timeslots
◦ It is easier to monitor at these times.


The final decision is in the hands if the
business team.
Provide your advice but remember it is their
call.


Once the system is back online, continues
and deep monitor is required.
Utilize all possible means of monitoring.
◦ You can create a custom signature of the original
attack vector

Check operating system and application logs
extra carefully.
Documentation and improving operations to
prevent the incident to happen again


The hole point of the lesson learned phase is
to Document what happened in the incident
,learn from our mistakes and to improve our
capabilities.
It is the most Important pahse.

Develop a report
◦ Try to get consensus



Conduct lessons learned meeting
Send recommendations to management
Follow-up meeting
1.
2.
3.
4.
5.
6.
7.
Failure to report and ask for help.
Incomplete/non-existent notes
Mishandling/Destroying evidence
Failure to create a working image
Failure to contain or eradicate.
Failure to Prevent re-infection
Failure to apply the lesson learned




Steps must be customized for your
environment
Every incident is different
Planning is everything
Make things simple with checklists and tested
procedures



Regulatory
Criminal Law
Civil Law
◦ Compensation for damage or loss
◦ Damages
 Compensatory
 Punitive
 Statutory



AKA Computer Fraud and Abuse Act
Provides for civil and criminal remedies for
network misconduct
Criminalizes attacks on computer networks
and damage to protected computers

Computer Security Act of 1987

US Privacy Act of 1974


The Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
. The Electronic Communications Privacy Act
of 1986 (ECPA)


Economic Espionage Act of 1996
National Information Infrastructure Protection
of 1996

Patriot Act of 2001

Homeland Security Act of 2002


Warrant should specify computer system
(computer and related equipment, mouse
keyboard)
Warrant should specify computer’s role in
offense (attack tool, storage device)


Arrest is a legal process to deprive an
individual 6of his/her freedom. For an
incident handler, this
would occur only in the unlikely case that you
actually see a crime occurring.
If you don't see it yourself and it isn't urgent,
do
not deprive a person of their freedom.
If a tractor trailer crossing a bridge was hit by a
helicopter, you wouldn't normally expect the
real
evidence to be brought to the courtroom.
Instead,
photos, models and drawings are used. Cyber
cases happen at the speed of light and there
are times when screen shots, network traces,
and so forth must be used. Be ready to prove
these are the best evidence available.


Preparation is very important
. Know what your job is
◦ You are not law enforcement
◦ You are not a lawyer
◦ Do not take on more than you can handle


Learn from the past and keep improving
your incident handling procedures
Download
Study collections