Incident Response

Lesson 7
Preparing for Incident Response and the Investigative Process
Overview
• Preparing for Incident Response
• Investigative Guidelines
UTSA IS 6353 Incident Response
Ranum on Forensics
• “The real value of intrusion detection is
diagnosing what is going on…never collect
more data than you could conceivably want
to look at. If you don’t know what to do
with the data, it doesn’t matter how much
you’ve got.”
Marcus Ranum
Network Flight Recorder
Preparing for Incident Response
Identify Vital Assets
• What can damage your organization the most?
• What concerns you?
• Who could be a threat?
• Do hackers concern you?
This step saves you time & $ later
Applicable Security Maxims
• Ignorance is Bliss Maxim: The confidence that people have in
security is inversely proportional to how much they know about it.
• Ass Sets Maxim: Most security programs focus on protecting the
wrong assets.
• Takes One to Know One Maxim: The fourth most common excuse
for not fixing security vulnerabilities is that “our adversaries are too
stupid and/or unresourceful to figure that out.”
Preparing Systems
• Record cryptographic checksums of critical
files (the lecture uses MD5; MD5 collisions are practical today,
so use SHA-256 for any new baseline)
– Tripwire is a widely used integrity checker (commercial,
with an open-source edition)
• Increase or enable secure audit logging
• Build up your host’s defenses
• Backup critical data and store media securely
• Educate users about security
Critical File Preparation
• Cryptographic checksums or Message Digest
(MD)
– A fixed-length fingerprint of a file: any change to the
file changes the digest
– Not a digital signature: no key is involved, so an intruder
who can rewrite the file can also recompute its digest. The
stored checksums must therefore be kept on separate,
write-protected or offline media
• MD5 creates a 128-bit checksum from a file of any size
(MD5 is collision-broken today; SHA-256 is the current choice)
• System Administrator creates checksums of critical
files, stores them on separate media, then compares
against subsequent runs
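The baseline-then-compare procedure above, as an added example (not code from the lecture): a POSIX sh script that records one digest per critical file, then later reports any file that has changed or gone missing. It assumes GNU coreutils `sha256sum` (falling back to `shasum -a 256`); the file names and contents in the demo are constructed for illustration, and `make_baseline`, `check_baseline` and `sha256_of` are names chosen here. SHA-256 replaces the lecture’s MD5 for the reason given above.

```shell
#!/bin/sh
# Added example (not from the lecture): build a checksum baseline of
# critical files and later verify it.
# Assumptions: POSIX sh plus GNU coreutils sha256sum (or perl shasum);
# the file list is whatever the caller supplies. In real use the baseline
# file goes to read-only or offline media, since an intruder who can
# rewrite a file can also rewrite an on-box checksum list.

# SHA-256 instead of the lecture's MD5: MD5 collisions are practical today.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# make_baseline BASELINE FILE...  writes one "digest  path" line per file.
make_baseline() {
    mb_out=$1; shift
    : > "$mb_out"
    for mb_f in "$@"; do
        sha256_of "$mb_f" >> "$mb_out"
    done
}

# check_baseline BASELINE  prints a CHANGED/MISSING line per problem file
# and returns the number of files that differ from the baseline (0 = clean).
check_baseline() {
    cb_bad=0
    while read -r cb_hash cb_path; do
        if [ ! -f "$cb_path" ]; then
            echo "MISSING  $cb_path"
            cb_bad=$((cb_bad + 1))
        elif [ "$(sha256_of "$cb_path" | cut -d' ' -f1)" != "$cb_hash" ]; then
            echo "CHANGED  $cb_path"
            cb_bad=$((cb_bad + 1))
        fi
    done < "$1"
    return "$cb_bad"
}

# Stand-alone demo on constructed files: baseline two "config" files,
# tamper with one, delete the other, and report.
demo() {
    d=$(mktemp -d)
    printf 'PermitRootLogin no\n' > "$d/sshd_config"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd"
    make_baseline "$d/baseline.sha256" "$d/sshd_config" "$d/passwd"
    echo "clean check:"
    check_baseline "$d/baseline.sha256" && echo "  no changes"
    printf 'PermitRootLogin yes\n' > "$d/sshd_config"   # simulated tampering
    rm "$d/passwd"                                      # simulated deletion
    echo "after tampering:"
    check_baseline "$d/baseline.sha256" || echo "  $? file(s) differ"
    rm -rf "$d"
}
demo
```

In practice the baseline is created from known-good installation media, copied to write-protected storage, and the check is run from a trusted boot (or at least a trusted copy of the hashing binary), because a rootkit that replaces `sha256sum` or the kernel’s file-read path can make a modified file hash correctly.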
Unix Auditing
• Turn on system logging
– /var/log/syslog (destinations are set in /etc/syslog.conf)
– Create a central syslog server, so an intruder on one host
cannot erase the only copy of that host’s logs
• run syslogd -r (classic sysklogd: accepts messages on UDP
port 514 from any sender, with no authentication, so restrict
the port to your own hosts with a firewall)
– Enable Process Accounting
• Tracks the command each user executes (recorded by the
kernel, so it survives a wiped shell history; it stores the
command name, not its arguments)
– accton command (Linux/BSD)
– /usr/lib/acct/startup (Solaris)
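The central syslog server the slide calls for, as an added configuration example (not from the lecture): rsyslog in its legacy directive syntax, with the weak setting beside the corrected one. `loghost` and `10.0.0.0/8` are placeholders for your log collector and address space.

```conf
# Added example, not from the lecture. rsyslog legacy-directive syntax;
# "loghost" and 10.0.0.0/8 are placeholders.

### Client (every server): forward a copy of everything to the loghost.
# Weak: plain UDP; messages are silently lost if the loghost is down or
# the network drops packets. Kept here commented out for comparison.
#*.*   @loghost:514

# Better: TCP (@@) with an on-disk queue, so messages collected while the
# loghost is unreachable are delivered when it comes back.
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionResumeRetryCount -1
*.*   @@loghost:514

### Server (loghost): the equivalent of sysklogd's "syslogd -r", but on
# TCP and limited to your own address space. Nothing here authenticates
# senders, so also firewall port 514 and keep the loghost hardened.
$ModLoad imtcp
$AllowedSender TCP, 10.0.0.0/8
$InputTCPServerRun 514
```

The point of the queue directives is that they make the forwarding action store-and-forward rather than fire-and-forget; the point of the separate loghost is that local logs are the first thing an intruder edits, and a copy that left the box before the intrusion is the one you will trust during the investigation.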
Windows Auditing
• By default security auditing is not enabled
• NT: Start|Programs|Administrative Tools| User
Manager
– User Manager select Policies|Audit
– Logs => C:\WINNT\System32\Config\*.evt
• WIN2K: Administrative Tools| Local Security
Policy
– Logs => C:\WINNT\System32\Config\*.evt
Other Steps
• Application Logging
• Backup Critical Data
– Unix: dump, restore, cpio, tar & dd
– WIN2K: Start|Programs|Accessories| System
Utilities| Backup
– NT: NT Backup (NT Resources Kit)
– WIN98: Start|Accessories| System Utilities| Backup
Network Preparations
• Know your network: document,
document, document
– hardware, software, users
• Smart topology/architecture
• Use access control list (ACL) on
router
Network Preparations-contd
• Require authentication (host, network,
kerberos, IPsec)
• Audit regularly (manpower intensive)
• Use network time protocol (NTP) to synchronize
clocks, so events logged on different hosts can be
correlated in a single timeline
Organizational Preparations
• Institute comprehensive policies
• Institute comprehensive procedures
• Develop response procedures
– Fire drills?
• Create a response toolkit
• Establish an Incident Response Team
• Obtain top-level management support
– Agree to ground rules/ rules of engagement
Response Toolkits (often overlooked)
• High-end processor w/lots of memory
• Large IDE and SCSI drives
• Backup storage: CD-RW and Tape Drives
• Spare cables
• Router/Hub and network interface card
• Digital camera
• Trusted software
ref: www.computer-forensics.com
Establish Incident Response Team
• Technical experts
• Management POC
• Team leader/principal investigator
• Decide on mission/goal
“Critical thinking team players who
enjoy hard work and long hours”
IR Professional Organizations
Training
• WWW.SANS.ORG
• WWW.FOUNDSTONE.COM
• WWW.CERT.ORG
Organizations
• Information Sharing and Analysis Centers (ISACs)
• InfraGard
• High Tech Investigation Association
• Information Systems Security Association (ISSA)
• Forum of Incident Response and Security Teams (FIRST)
Investigative Guidelines
• Initial assessment
• Incident notification checklist
• Investigating
• Formulating Response Strategy
Initial assessment not always accurate
Initial Assessment
• What probably happened?
– Uncertainty reigns
– Each situation unique
– Need to learn enough to determine course of action
• What is the best response strategy?
– Does it meet pre-established goals/ROEs?
– Does it have management support?
– Will your team need outside help?
Incident Notification Checklist
• WWW.CERT.ORG
• Collect network maps and know
architecture
• Verify corporate policies
– Many actions can only be taken if appropriate
policies exist
Investigating the Incident
• Prime directive: DO NO HARM
• Personnel interviews
• Hands-on activities
• Many suspected incidents turn into nonevents
• Will the investigation do more damage than
the incident itself?
Investigating the Incident-contd
• Personnel interviews
– System administrators: logs
– Managers: know workforce, critical data
– End-users
• Taking hands-on actions
– Step carefully
– May contaminate the “crime scene”: every command run on
the victim alters file timestamps, memory and logs
Formulate Response Strategy
• Declare Incident
• Restore Normal Operations?
– Off-line recovery
– On-line recovery
• Determine public relations play
– “To spin or not to spin?”
Formulate Response Strategy-contd
• Determine probable attacker
– Internal: handle internally
– External: prosecute?
• Determine Type of Attack
– DoS, Theft, Vandalism, Policy violation,
ongoing intrusion
• Classify victim system
– Critical server/application?
– # of users?
Closing Thought
• “The biggest problem for 2001 was keeping
servers running MS-Windows products properly
patched. We have numerous servers, and it’s
a constant fight to keep up with the patch level and
test to confirm that the new patch doesn’t break
something. This is the same problem for 2002.”
• J.G.
• Peace of mind depends on the action plan
for response.
Summary
• Prepare for Incidents
• Build a good team
• Rehearse/Practice procedures
• Perform initial assessment
• Formulate response
• Do No Harm