KULIAH 12 INCIDENT RESPONSE (dirangkum dari buku Incident Response: A strategic Guide to Handling System and Network Security) Aswin Suharsono KOM 15008 Keamanan Jaringan 2012/2013 Definisi • Incident: event (kejadian) yang mengancam keamanan sistem komputer dan jaringan. • Event adalah semua hal yang bisa diobservasi (diukur) • Contoh event: connect ke sistem lain dalam jaringan, mengakses file, mengirim paket, sistem shutdown, dsb. • Event yang mengancam antara lain, system crashes, packet flood, penggunaan akun oleh orang yang tidak berhak, web deface, bencana alam, dan hal-hal lain yang membahayakan kinerja sistem Incident Types • CIA related incidents: – Confidentiality: Upaya masuk ke dalam sistem rahasia militer – Integrity – Availability • Other Types – Reconnaissance Attacks – Repudiation • Someone takes action and denies it later on. Kenapa perlu incident response? • Bagi Organisasi Respon yang sistematis terhadap insiden Recover quickly Mencegah insiden serupa di masa depan Menyiapkan langkah-langkah yang berkaitan dengan hukum Incident Response Scope • Technical: – Incident detection and investigation tools and procedures • Management-related – Policy – Formation of incident response capability • In-house vs. out-sourced Incident Handling Preparation Post-incident activity Detection and Analysis Containment, Eradication and Recovery PDCERF incident response method Preparation Incident Handling: Preparation • Incident Handler Communications and Facilities – Contact information On-call information for other teams within the organization, including escalation information Incident reporting mechanisms – Pagers or cell phones to be carried by team members for off-hour support, onsite communications – Encryption software – War room for central communication and coordination – Secure storage facility for securing evidence and other sensitive materials Incident Handling: Preparation • Incident Analysis Hardware and Software – Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data – Blank portable media – Easily portable printer – Packet sniffers and protocol analyzers – Computer forensic software – Floppies and CDs with trusted versions of programs to be used to gather evidence from systems – Evidence gathering accessories • hard-bound notebooks • digital cameras • audio recorders • chain of custody forms • evidence storage bags and tags • evidence tape Incident Handling: Preparation • Incident Analysis Resources – Port lists, including commonly used ports and Trojan horse ports – Documentation for OSs, applications, protocols, and intrusion detection and antivirus signatures – Network diagrams and lists of critical assets, such as Web, e-mail, and File Transfer Protocol (FTP) servers – Baselines of expected network, system and application activity – Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents Incident Handling: Preparation • Incident Mitigation Software – Media, including OS boot disks and CD-ROMs, OS media, and application media – Security patches from OS and application vendors – Backup images of OS, applications, and data stored on secondary media Incident Handling: Detection and Analysis • Incident Categories – – – – – Denial of Service Malicious code Unauthorized access Inappropriate usage Multiple component incidents Incident Handling: Detection and Analysis • Signs of an incident – – – – – Intrusion detection systems Antivirus software Log analyzers File integrity checking Third-party monitoring of critical services • Incident indications vs. precursors – Precursor is a sign that an incident may occur in the future • E.g. scanning – Indication is a sign that an incident is occurring or has occurred Incident Handling: Detection and Analysis • Incident documentation – If incident is suspected, start recording facts • Incident Prioritization based on – Current and potential technical effects – Criticality of affected resources • Incident notification – – – – – CIO Head of information system Local information security officer Other incident teams Other agency departments such as HR, public affairs, legal department Incident Handling: Containment, Eradication, Recovery • Containment strategies – Vary based on type of incident – Criteria for choosing strategy include • Potential damage / theft of resources • Need for evidence information • Service availability • Resource consumption of strategy • Effectiveness of strategy • Duration of solution Incident Handling: Containment, Eradication, Recovery • Evidence gathering – For incident analysis – For legal proceedings • Chain of custody • Authentication of evidence Incident Handling: Containment, Eradication, Recovery • Attacker identification – – – – – Validation of attacker IP address Scanning attacker’s system Research attacker through search engines Using Incident Databases Monitoring possible attacker communication channels Incident Handling: Containment, Eradication, Recovery • Eradication – Deleting malicious code – Disabling breached user accounts • Recovery – Restoration of system(s) to normal operations • • • • • • • Restoring from clean backups Rebuilding systems from scratch Replacing compromised files Installing patches Changing passwords Tighten perimeter security Strengthen logging Incident Handling: Post-Incident Activity • Evidence Retention – Prosecution of attacker – Data retention policies – Cost That’s All