Planning for Incident Response
Security Planning
Susan Lincke
3/12/2016

Objectives
Students should be able to:
- Define and describe an incident response plan and a business continuity plan
- Describe the incident management team, the incident response team, proactive detection, and triage
- Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, root cause
- Define external test, internal test, blind test, double-blind test, and targeted test
- Develop a high-level incident response plan
- Describe the steps to obtain computer forensic information during an investigation
- Describe the general capabilities of a forensic tool
- Describe the steps to copy a disk
- Define discovery, e-discovery, deposition, declaration, affidavit, fact witness, expert consultant, and expert witness

How to React to...?
- Stolen laptop
- Theft of proprietary information
- System failure
- Fire!
- Denial of service

Incident Response vs. Business Continuity
Incident Response Planning (IRP) addresses security-related threats to systems, networks and data: data confidentiality, non-repudiable transactions.
Business Continuity Planning (BCP) covers the Disaster Recovery Plan and the continuity of business operations.
IRP is part of BCP and can be *the first step*: an incident that is not contained becomes a disaster.
NIST SP 800-61 defines an incident as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices."

Review: Business Continuity Recovery Terms
- Interruption Window: the time an organization can wait between the point of failure and service resumption
- Service Delivery Objective (SDO): the level of service provided in Alternate Mode
- Maximum Tolerable Outage (MTO): the maximum time the organization can operate in Alternate Mode
[Figure: timeline of regular service, interruption, Disaster Recovery Plan implemented, Alternate Mode at the SDO level, Restoration Plan implemented, return to regular service; the Interruption Window and the Maximum Tolerable Outage are marked on the time axis.]

Vocabulary
Attack vectors (source methods) can include removable media, flash drives, email, web, improper use, loss or theft, physical abuse, social engineering, ...

Vocabulary
IMT: Incident Management Team
- Led by the IS manager; includes the steering committee and IRT members
- Develops strategies and designs the plan for incident response, integrating business, IT, BCP, and risk management
- Obtains funding, reviews postmortems
- Meets performance and reporting requirements
IRT: Incident Response Team
- Handles the specific incident
- Has specific knowledge relating to security, network protocols, operating systems, physical security issues, malicious code, etc.
- Permanent (full-time) members: IT security specialists, incident handlers, investigator
- Virtual (part-time) members: business (middle management), legal, public relations, human resources, physical security, risk, IT

Stages in Incident Response
1. Preparation: plan PRIOR to the incident
2. Identification: determine what is happening or has happened
3. Containment & Escalation: limit the incident; [if data breach] notification
4. Analysis & Eradication: determine and remove the root cause
5. Recovery: return operations to normal
6. Lessons Learned: process improvement, plan for the future
Ex-post response (data breach): notify any data breach victims; establish a call center and reparation activities.

Why is incident response important?
- $201: average cost per breached record
- 66% of incidents took more than a month (up to years) to discover
- 82% of incidents were detected by outsiders
- 78% of initial intrusions were rated as low difficulty

Stage 1: Preparation
- What shall we do if different types of incidents occur? (The BIA helps.)
- When is the incident management team called?
- How can governmental agencies or law enforcement help? When do we involve law enforcement?
- What equipment do we need to handle an incident?
- What shall we do to prevent or discourage incidents from occurring? (e.g., banners, policies)
- Where, on-site and off-site, shall we keep the IRP?
(1) Detection Technologies
The organization must have sufficient detection and monitoring capabilities to detect incidents in a timely manner.
Proactive detection includes:
- Network Intrusion Detection/Prevention System (NIDS/NIPS)
- Host Intrusion Detection/Prevention System (HIDS/HIPS)
- Antivirus, endpoint security suite
- Security Information and Event Management (SIEM): logs
- Vulnerability/audit testing
- System baselines, sniffer
- Centralized incident management system
  • Input: server and system logs
  • Coordinates and correlates logs from many systems
  • Tracks the status of incidents to closure
Reactive detection: reports of unusual or suspicious activity.

Logs to Collect & Monitor
- Security failures/irregularities: changes to security configuration; change in privileges; attacks (SQL injection, invalid input, DDoS)
- Authentication: unauthorized accesses; lockouts and expired-password accounts
- Network: unusual packets; blocked packets; change in traffic patterns
- Configuration: changes to network device configuration; changes to files (system code/data); all actions by administrators
- Software/application: access to sensitive data; transfer of sensitive data; new users
- Log issues: deleted logs; overflowing log files; clearing or changing the log configuration
- Normal events: logins, logoffs; others listed in the previous categories

Incidents may include...
IT detects:
- a device (firewall, router or server) issues serious alarm(s)
- a change in configuration
- an IDS/IPS recognizes an irregular pattern:
  • unusually high traffic
  • inappropriate file transfer
  • changes in protocol use
- unexplained system crashes or unexplained connection terminations
Employees report:
- malware
- violations of policy
- data breach: stolen laptop or memory; employee mistake
- social engineering/fraud: caller, e-mail, visitors
- unusual events: inappropriate login, unusual system aborts, slow server, deleted files, defaced website

(1) Management Participation
Management makes the final decision. As always, senior management has to be convinced that this is worth the money.
Actual costs (Ponemon Data Breach Study, 2014, sponsored by Symantec): average expenses following a breach
- Detection and escalation (forensic investigation, audit, crisis management, board of directors involvement): $420,000
- Notification (legal expertise, contact database development, customer communications): $510,000
- Post-breach response (help desk and incoming communications, identity protection services, legal and regulatory expenses, special investigations): $1,600,000
- Lost business (abnormal customer churn, customer procurement, goodwill): $3,320,000

Workbook: Incident Types
Incident: Intruder accesses internal network
- Description: Firewall, database, IDS, or server log indicates a probable intrusion.
- Methods of detection: Daily log evaluations, high-priority email alerts.
- Procedural response: IT/Security addresses the incident within 1 hour. Follow the Network Incident Procedure section.
Incident: Break-in or theft
- Description: Computers, laptops or memory are stolen or lost.
- Methods of detection: Security alarm set for off-hours; or an employee reports a missing device.
- Procedural response: Email/call Management & IT immediately. Management calls the police if theft. Security initiates tracing of laptops via location software, writes an Incident Report, and evaluates whether a breach occurred.
Incident: Social engineering
- Description: A suspicious social engineering attempt was recognized, OR information was divulged that was recognized after the fact as being inappropriate.
- Methods of detection: Training of staff leads to a report from staff.
- Procedural response: Report to Management & Security. Warn employees of the attempt as added training. Security evaluates whether a breach occurred and writes an incident report.
Incident: Trojan wireless LAN
- Description: A new WLAN masquerades as ours.
- Methods of detection: Key confidential areas are inspected daily for WLAN availability.
- Procedural response: Security or the network administrator is notified immediately. The incident is acted upon within 2 hours.

Stage 2: Identification
Triage: categorize, prioritize and assign events and incidents.
- What type of incident just occurred?
- What is the severity of the incident? Severity may increase if recovery is delayed.
- Who should be called?
- Establish chain of custody for evidence.

(2) Triage
A snapshot of the known status of all reported incident activity: sort, categorize, correlate, prioritize and assign.
- Categorize: DoS, malicious code, unauthorized access, inappropriate usage, multiple components
- Prioritize: limited resources require prioritizing the response to minimize impact
- Assign: who is free/on duty and competent in this area?
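The following is an added example, not from the slides: it runs a few detection rules of the kind listed under "Logs to Collect & Monitor" (failed logins followed by success, privilege change, SQL injection probe, log clearing, antivirus hit) over constructed log lines, then performs the triage steps above (categorize, correlate, prioritize, assign). The log format, the rules and thresholds, the priority levels and the on-duty handler roster are all assumptions made for the example.

```python
"""Added example (not from the slides): detection rules over constructed log
lines, followed by triage: categorize, correlate, prioritize, assign.
Log format, rules, thresholds, priorities and handler roster are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs: a brute-force login that succeeds, then a privilege
# change, a SQL-injection probe and log clearing from the same source, an
# ordinary user who mistypes a password once, and an AV hit on another host.
SAMPLE_LOGS = """\
2016-03-12T10:51:02 sshd auth failure user=root src=203.0.113.7
2016-03-12T10:51:05 sshd auth failure user=root src=203.0.113.7
2016-03-12T10:51:09 sshd auth failure user=root src=203.0.113.7
2016-03-12T10:51:12 sshd auth failure user=root src=203.0.113.7
2016-03-12T10:51:16 sshd auth failure user=root src=203.0.113.7
2016-03-12T10:51:20 sshd auth success user=root src=203.0.113.7
2016-03-12T10:52:01 sudo privilege change user=www-data added_to=sudo src=203.0.113.7
2016-03-12T10:52:30 httpd GET /items?id=1'%20OR%20'1'='1 src=203.0.113.7
2016-03-12T10:53:00 auditd log cleared by=root src=203.0.113.7
2016-03-12T10:53:10 sshd auth failure user=alice src=198.51.100.4
2016-03-12T10:53:40 sshd auth success user=alice src=198.51.100.4
2016-03-12T10:54:00 clamd malware found name=Trojan.Dropper path=/tmp/x src=10.0.0.21
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
SQLI_RE = re.compile(r"'(?:%20|\s)*(?:or|and)\b", re.IGNORECASE)
PRIORITY = {"low": 1, "medium": 2, "high": 3}
# Assumed on-duty roster: handler -> incident categories they are competent in.
HANDLERS = {"PKB": {"Unauthorized access", "DoS"}, "RFT": {"Malicious code"}}


@dataclass
class Alert:
    ts: datetime
    category: str   # category from the Triage slide (NIST SP 800-61 style)
    priority: str
    rule: str
    src: str


@dataclass
class Incident:
    src: str
    category: str
    priority: str
    alerts: list
    handler: str


def parse(line):
    """Split a log line into timestamp, process and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "proc": m["proc"], "msg": m["msg"]}
    ev.update(KV_RE.findall(m["msg"]))
    return ev


def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Apply the detection rules and return Alerts in log order."""
    alerts = []
    failures = defaultdict(list)          # (user, src) -> recent failure times
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        ts, src, msg = ev["ts"], ev.get("src", "?"), ev["msg"]
        key = (ev.get("user"), src)
        if msg.startswith("auth failure"):
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) == threshold:        # fire once per burst
                alerts.append(Alert(ts, "Unauthorized access", "medium",
                                    f"{threshold} failed logins for {key[0]} in {window.seconds}s", src))
        elif msg.startswith("auth success"):
            if len(failures[key]) >= threshold:        # success right after a burst
                alerts.append(Alert(ts, "Unauthorized access", "high",
                                    "login succeeded after brute force", src))
            failures.pop(key, None)
        elif msg.startswith("privilege change"):
            alerts.append(Alert(ts, "Unauthorized access", "high",
                                f"{ev['user']} added to {ev['added_to']}", src))
        elif ev["proc"] == "httpd" and SQLI_RE.search(msg):
            alerts.append(Alert(ts, "Unauthorized access", "medium", "SQL injection probe", src))
        elif msg.startswith("log cleared"):
            alerts.append(Alert(ts, "Unauthorized access", "high",
                                "audit log cleared (anti-forensics)", src))
        elif msg.startswith("malware found"):
            alerts.append(Alert(ts, "Malicious code", "medium",
                                f"AV hit {ev['name']} at {ev['path']}", src))
    return alerts


def triage(alerts, handlers=HANDLERS):
    """Correlate alerts by source, escalate repeat offenders, sort by priority
    and assign each incident to a handler competent in its category."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)
    incidents = []
    for src, group in by_src.items():
        cats = {a.category for a in group}
        prio = max((a.priority for a in group), key=PRIORITY.get)
        if len(group) > 1:                             # correlated activity: escalate
            prio = "high"
        category = "Multiple components" if len(cats) > 1 else next(iter(cats))
        handler = next((h for h, skills in handlers.items() if category in skills),
                       next(iter(handlers)))
        incidents.append(Incident(src, category, prio, group, handler))
    incidents.sort(key=lambda i: (-PRIORITY[i.priority], i.alerts[0].ts))
    return incidents


if __name__ == "__main__":
    for inc in triage(detect(SAMPLE_LOGS)):
        print(f"[{inc.priority}] {inc.category} from {inc.src} -> {inc.handler}: "
              + "; ".join(a.rule for a in inc.alerts))
```

Note that the single mistyped password from 198.51.100.4 produces no alert at all, while the five failures from 203.0.113.7 fire once at the threshold and again, at high priority, when the next login from that source succeeds; correlating the later privilege change, injection probe and log clearing to the same source is what turns several medium alerts into one high-priority incident for a single handler.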
(2) Chain of Custody
Evidence must follow chain-of-custody law to be admissible/acceptable in court.
- Those involved may include specially trained staff, a 3rd-party specialist, law enforcement, and the security response team.
A system administrator can:
- Retrieve information to confirm an incident
- Identify the scope and size of the affected environment (system/network)
- Determine the degree of loss/alteration/damage
- Identify the possible path of attack

Stage 3: Containment
Activate the Incident Response Team to contain the threat: IT/security, public relations, management, business.
Isolate the problem:
- Disable server or network zone communication
- Disable user access
- Change firewall configurations to halt the connection
Obtain and preserve evidence.

(3) Containment - Response
Technical: collect data; analyze log files; obtain further technical assistance; deploy patches and workarounds.
Managerial: business impacts result in management intervention, notification, escalation, approval.
Legal: issues related to investigation, prosecution, liability, privacy, laws and regulation, nondisclosure.

Stage 4: Analysis & Eradication
Determine how the attack occurred: who, when, how, and why?
- What is the impact and threat? What damage occurred?
Remove the root cause: the initial vulnerability(s).
- Rebuild the system
- Talk to the ISP to get more information
- Perform vulnerability analysis
- Improve defenses with enhanced protection techniques
Discuss recovery with management, who must make the decisions on handling that affects other areas of the business.

(4) Analysis
- What happened?
- Who was involved?
- What was the reason for the attack?
- Where did the attack originate from?
- When did the initial attack occur?
- How did it happen? What vulnerability enabled the attack?
(4) Remove Root Cause
- If Admin or Root was compromised, rebuild the system
- Implement recent patches and recent antivirus
- Fortify defenses with enhanced security controls
- Change all passwords
- Retest with vulnerability analysis tools

Stage 5: Recovery
- Restore operations to normal
- Ensure that the restored system is fully tested and operational

Workbook: Incident Handling Response
Incident type: Malware detected by antivirus software
Contact name & information: Computer Technology Services Desk: www.univ.edu/CTS/help 262-252-3344 (O)
Emergency triage procedure: Disconnect the computer from the Internet/WLAN. Do not reconnect. Allow the antivirus to fix the problem, if possible. Report to IT first thing during the next business day.
Containment & escalation conditions and steps: If the laptop contained confidential information, investigate the malware to determine whether an intruder obtained entry. Determine whether the Breach Law applies.
Analysis & eradication procedure: If confidential information was on the computer (even though encrypted), the malware may have sent sensitive data across the Internet; a forensic investigation is required. Next, determine whether the virus was dangerous and whether the user was an admin:
- Type A: return the computer (A = virus not dangerous and user not admin)
- Type B: rebuild the computer (B = either the virus was dangerous and/or the user was admin)
The password is changed for all users on the computer.
Other notes (prevention techniques): The antivirus should record the type of malware to the log system.

Stage 6: Lessons Learned
Follow-up includes writing an Incident Report:
- What went right or wrong in the incident response?
- How can process improvement occur?
- How much did the incident cost (in loss, handling and time)?
Present the report to relevant stakeholders.

Planning Processes
- Risk & business impact assessment
- Response & recovery strategy definition
- Document the IRP and DRP
- Train for response & recovery
- Update the IRP & DRP
- Test response & recovery
- Audit the IRP & DRP

Training
- Introductory training: first day as an IMT member
- Mentoring: buddy system with a longer-term member
- Formal training
- On-the-job training
- Training due to changes in the IRP/DRP

Types of Penetration Tests
- External testing: tests from outside the network perimeter
- Internal testing: tests from within the network
- Blind testing: the penetration tester knows nothing in advance and must do web research on the company
- Double-blind testing: system and security administrators also are not aware of the test
- Targeted testing: the tester has internal information about a target and may have access to an account
Written permission must always be obtained first.

Incident Management Metrics
- Number of reported incidents
- Number of detected incidents
- Average time to respond to an incident
- Average time to resolve an incident
- Total number of incidents successfully resolved
- Proactive and preventative measures taken
- Total damage from reported or detected incidents
- Total damage if incidents had not been contained in a timely manner

Challenges
- Management buy-in: management does not allocate time/staff to develop the IRP (the top reason for failure)
- Organization goals/structure mismatch: e.g., a national scope for an international organization
- IMT member turnover
- Communication problems: too much or too little
- The plan is too complex and wide

Question
The MAIN challenge in putting together an IRP is likely to be:
1. Getting management and department support
2. Understanding the requirements for chain of custody
3. Keeping the IRP up-to-date
4. Ensuring the IRP is correct

Question
The PRIMARY reason for triage is:
1. To coordinate limited resources
2. To disinfect a compromised system
3. To determine the reasons for the incident
4. To detect an incident

Question
When a system has been compromised at the administrator level, the MOST IMPORTANT action is:
1. Ensure patches and antivirus are up-to-date
2. Change the admin password
3. Request law enforcement assistance to investigate the incident
4. Rebuild the system

Question
The BEST method of detecting an incident is:
1. Investigating reports of discrepancies
2. NIDS/HIDS technology
3. Regular vulnerability scans
4. Job rotation

Question
The person or group who develops strategies for incident response is the:
1. CISO
2. CRO
3. IRT
4. IMT

Question
The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:
1. Disconnect the computer facilities from the computer network to hopefully disconnect the attacker
2. Power down the server to prevent further loss of confidentiality and data integrity
3. Call the police
4. Follow the directions of the Incident Response Plan

Computer Forensics
The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding.

The Investigation
Avoid infringing on the rights of the suspect. A warrant is required unless:
- the organization/home gives permission;
- the crime is communicated to a third party;
- the evidence is in plain view or is in danger of being destroyed;
- the evidence is found during a normal arrest process; or
- the police are in hot pursuit.
Computer searches generally require a warrant except:
- When a signed acceptable use policy authorizes permission
- If a computer repair person notices illegal activities (e.g., child pornography), they can report the computer to law enforcement

Computer Crime Investigation
Call the police, or incident response:
- If in progress: copy memory, processes, files, connections
- Power down
- Copy the disk
- Analyze the copied images
- Take photos of the surrounding area
- Preserve the original system in locked storage with minimal access
Evidence must be unaltered; the chain of custody must be professionally maintained.
Four considerations: identify evidence, preserve evidence, analyze a copy of the evidence, present evidence.

Initial Incident Investigation
A forensic jump kit includes:
- a laptop preconfigured with protocol sniffers and forensic software
- network taps and cables
- Since the attacked computer may be contaminated, only the jump kit's own tools can be considered reliable
The investigator is likely to:
- Get a full memory image snapshot, to obtain network connections, open files, and in-progress processes
- Photograph the computer: active screen, inside and outside of the computer, for the full configuration
- Take a disk image snapshot to analyze the disk contents
The investigator must not taint the evidence.
- E.g., a cell phone left on to retain evidence must be kept in a Faraday bag to shield the phone from connecting to networks

Computer Forensics
Did a crime occur? If so, what occurred?
Evidence must pass tests for:
- Authenticity: the evidence is a true, unmodified original from the crime scene. Computer forensics does not destroy or alter the evidence.
- Continuity: the "chain of custody" assures that the evidence is intact and its history is known.

Chain of Custody
Timeline: who did what to the evidence, and when? (A witness is required.)
- 10:53 AM: Attack observed (Jan K)
- 11:04: Incident Response team arrives
- 11:05-11:44: System copied (PKB & RFT)
- 11:15: System brought offline (RFT)
- 11:45: System powered down (PKB & RFT)
- 11:47-1:05: Disk copied (RFT & PKB)
- 1:15: System locked in a static-free bag in the storage room (RFT & PKB)

Chain of Custody
A chain-of-custody document tracks:
- Case number
- The device's model and serial number (if available)
- When and where the evidence was held/stored
- For each person who held or had access to the evidence (at every time): name, title, contact information and signature; why they had access
It is useful to have a witness at each point. Evidence is stored in evidence bags, sealed with evidence tape.

Creating a Forensic Copy
1. Calculate a message digest of the original before the copy
2. Accuracy: the tool is accepted as accurate by the scientific community
3. Forensically sterile target: wipe existing data; record the sterility
4. One-way copy: the original cannot be modified
5. Bit-by-bit copy: mirror image
6. Calculate the message digest of the original again after the copy; it must match step 1
7. Calculate the message digest of the mirror image to validate the correctness of the copy

Forensic Tools
Normalizing data = converting disk data to an easily readable form.
Forensic tools analyze a disk or media copy for:
- logs
- file timestamps
- file contents
- recycle bin contents
- unallocated disk memory contents (or file slack)
- specific keywords anywhere on the disk
- application behavior: the investigator launches the application on a virtual machine that runs identical versions of the OS and software packages

Forensic Software Tools
- EnCase: interprets hard drives of various OSs, tablets, smartphones and removable media for use in court. (www.guidancesoftware.com)
- Forensic Tool Kit (FTK): supports Windows, Apple, UNIX/Linux OSs, including analysis of volatile (RAM and O.S. structures) and nonvolatile data for use in court. (www.accessdata.com)
- Cellebrite: handles commercial mobile devices for use in court. Mobile devices are connected via appropriate cables to a workstation with the forensic tool installed, or via a travel kit. (www.cellebrite.com)
- ProDiscover: analyzes hard disks for Windows, Linux and Solaris OSs. An incident response tool can remotely evaluate a live system. (www.techpathways.com)
- X-Ways: specializes in Windows OS. X-Ways can evaluate a system via a USB stick without installation, and requires less memory. (www.x-ways.net)
- Sleuth Kit: an open-source tool that evaluates Windows, Unix, Linux and OS X. It is programmer-extendable. The Sleuth Kit (TSK) = command-line tool; Autopsy = graphical interface. (www.sleuthkit.org)

Preparing for Court
When the case is brought to court, the tools and techniques used will be qualified for court:
- The disk copy tool and forensic analysis tools must be standard
- The investigator's qualifications include education level, forensic training and certification, from forensic software vendors (e.g., EnCase, FTK) OR independent organizations (e.g., Certified Computer Forensics Examiner or Certified Forensic Computer Examiner). Some states require a private detective license.

The Investigation Report
The Investigation Report describes the incident accurately.
It:
- Provides full details of all evidence, easily referenced
- Describes the forensic tools used in the investigation
- Includes interview and communication information
- Provides the actual results data of the forensic analysis
- Describes how all conclusions were reached in an unambiguous and understandable way
- Includes the investigator's contact information and the dates of the investigation
- Is signed by the investigator

A Judicial Procedure
Civil case:
- The plaintiff files a Complaint (or lawsuit)
- The defendant sends an Answer within 20 days
Criminal case:
- Law enforcement arrests the defendant and reads the Miranda rights
- The prosecutor files an Information with charges, or a Grand Jury issues an indictment
Discovery phase (both):
- Plaintiff and defendant provide a list of evidence and witnesses to the other side
- Plaintiff and defendant request testimony, files, documents; responsive documents are produced
The Trial

E-Discovery
Electronic responsive documents = Electronically Stored Information (ESI) or e-discovery.
The U.S. Federal Rules of Civil Procedure define how ESI should be requested and formatted.
E-requests can be general or specific: a specific document, or a set of emails referencing a particular topic.
Discovery usually ends 1-2 months before trial, or when both sides agree.
All court reports become public documents unless specifically sealed.

Discovery Stage
Depositions: interviews of the key parties, e.g., witnesses or consultants
- A question-and-answer session
- All statements are recorded by a court reporter; possibly video
- The deponent (the person being questioned) may correct the transcript before it is entered into the court record
Declarations: written documents
- The declarer states publicly their findings and conclusions
- Full references to public documents help believability
- Includes name, title, employer, qualifications, often billing rate, role, signature
Affidavit: a declaration signed before a notary
- Both declarations and affidavits are limited to supporting motions

Witnesses
Witnesses must present their qualifications.
Are notes accessible during discovery?
- NO: email correspondence with lawyers is given attorney-client privilege
- YES: notes, reports, and chain-of-custody documents are discoverable
Witnesses may include (least to most qualified):
- Fact witnesses report on their participation in the case, generally in obtaining and analyzing evidence
- Expert consultants help lawyers understand technical details, but do not testify or give depositions
- Expert witnesses provide expert opinions within reports and/or testimony
  • E.g., computer forensic examiners
  • Do not need first-hand knowledge of the case; can interpret evidence
  • Expert witness mistakes can ruin a reputation

The Trial
Stages of the trial: opening arguments, plaintiff's case, defendant's case, closing arguments.
In the U.S. and U.K., case law is determined by regulation AND/OR precedent: previous decisions hold weight when regulation is not explicit and must be interpreted.
Burden of proof:
- In a U.S. or U.K. criminal case: "beyond a reasonable doubt" that the defendant committed the crime
- In a U.K. civil case: "the balance of probabilities", i.e., "more likely than not" (the U.S. civil standard, "preponderance of the evidence", is the same idea)

Question
Authenticity requires:
1. Chain-of-custody forms are completed
2. The original equipment is not touched during the investigation
3. Law enforcement assists in investigating the evidence
4. The data is a true and faithful copy of the crime scene

Question
You are developing an Incident Response Plan. An executive order is that the network shall remain up, and intruders are to be pursued. Your first step is to...
1. Use commands off the local disk to record what is in memory
2. Use commands off of a memory stick to record what is in memory
3. Find a witness and log the times of events
4. Call your manager and a lawyer, in that order

Question
What is NOT TRUE about forensic disk copies?
1. The first step in a copy is to calculate the message digest
2. Forensic analysis for presentation in court should always occur on the original disk
3. Normalization is a forensics stage which converts raw data to an understood format (e.g., ASCII, graphs, ...)
4. Forensic copies require a bit-by-bit copy

Summary
Planning is necessary:
- Without preparation, incidents go undetected or are detected too late
- Incident handlers should not have to improvise what needs to be done; the plan decides
Stages:
- Identification: determine what has happened
- Containment & Escalation: limit the incident
- Analysis & Eradication: analyze the root cause, repair
- Restore: test and return to normal
- Process improvement
- (Possibly) breach notification
If the case is to be prosecuted:
- Evidence must be carefully handled: authenticity and continuity
- Expert testimony must be qualified, accurate, bullet-proof
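The following added example is not from the slides. It carries out the steps of the "Creating a Forensic Copy" slide (digest of the original before the copy, a wiped and recorded target, a read-only block-for-block copy, a second digest of the original, and a digest of the image checked against the first) and appends the fields from the "Chain of Custody" slides as each action is taken. The "disk" is an ordinary file of random bytes, and the case number, device serial number and handler/witness initials are made up; a hardware write blocker is what makes a real copy one-way, and opening the source read-only is only the software stand-in for it here.

```python
"""Added example (not from the slides): forensic copy with before/after
message digests plus a chain-of-custody record.  The evidence 'disk' is an
ordinary file; case number, device serial and initials are made up."""
import hashlib
import os
import tempfile
from datetime import datetime

BLOCK = 4096


def digest(path):
    """SHA-256 of a file read block by block (the slide's 'message digest')."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what to the evidence, when, with a witness:
    the fields listed on the Chain of Custody slide."""

    def __init__(self, case_no, device):
        self.case_no, self.device, self.entries = case_no, device, []

    def record(self, handler, witness, action, reason, digest_value=""):
        self.entries.append({"case": self.case_no, "device": self.device,
                             "time": datetime.now().isoformat(timespec="seconds"),
                             "handler": handler, "witness": witness,
                             "action": action, "why": reason, "sha256": digest_value})


def sterilize(path, size):
    """Step 3: overwrite the target with zeros and return its digest as the
    record that it was sterile before imaging."""
    with open(path, "wb") as f:
        f.write(b"\0" * size)
    return digest(path)


def forensic_copy(src, dst, log, handler, witness):
    """Steps 1 and 4-7.  Returns the verified digest, or raises if the original
    changed during imaging or the image does not match it."""
    before = digest(src)                                      # 1) digest before copy
    log.record(handler, witness, "hash original", "establish baseline", before)
    log.record(handler, witness, "sterilize target", "no stale data in image",
               sterilize(dst, os.path.getsize(src)))
    with open(src, "rb") as s, open(dst, "wb") as d:          # 4) source read-only
        for chunk in iter(lambda: s.read(BLOCK), b""):        # 5) block-for-block
            d.write(chunk)
    if digest(src) != before:                                 # 6) original again
        raise RuntimeError("original changed during imaging; evidence tainted")
    copy = digest(dst)                                        # 7) digest the image
    if copy != before:
        raise RuntimeError("image does not match original")
    log.record(handler, witness, "image verified", "copy for analysis", copy)
    return copy


def demo():
    """Image a constructed 'disk', then show that an analyst's accidental write
    to the image is caught by re-hashing.  Returns (original still matches the
    recorded digest, tampered image detected, number of custody entries)."""
    with tempfile.TemporaryDirectory() as d:
        disk = os.path.join(d, "evidence.raw")
        with open(disk, "wb") as f:
            f.write(os.urandom(3 * BLOCK + 123))              # constructed evidence
        log = CustodyLog("2016-0312-01", "WD1234 serial X9")  # made-up identifiers
        image = os.path.join(d, "evidence-image.raw")
        good = forensic_copy(disk, image, log, handler="RFT", witness="PKB")
        with open(image, "r+b") as f:                         # simulate a stray write
            f.seek(10)
            f.write(b"X")
        return good == digest(disk), digest(image) != good, len(log.entries)


if __name__ == "__main__":
    print(demo())
```

The two digests of the original (steps 1 and 6) prove the source was not altered by the imaging itself, and the digest of the image (step 7) is what a second examiner, or the court, recomputes later to confirm that the copy under analysis is still the one that was taken; the custody log carries that digest alongside each handler and witness so the history and the integrity check are in one record.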