Add to collection(s) Add to saved
  1. Social Science
  2. Law
  3. Forensic Science

Developing an Incident Response Plan

advertisement 
Developing an Incident Response Plan
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
1
Carole Fennelly
• Over 25 years in IT
• Wrote a lot of caustic articles on
Information Security
• Co-founder of Hacker Court
• Presently Security Information Specialist
with Tenable
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
2
Evolution of Incident Response
No longer just a technical issue – it’s a
business concern.
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
3
Past Goals
•
•
•
•
•
Protect Assets
Catch the Wily Hacker
Harden Systems
Resume Operations
Monitor for Repeat Attacks
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
4
Early Guidance
• 1989 – Herbert Zinn (aka) Shadow Hawk
is first person prosecuted under the
Computer Fraud and Abuse Act of 1986
• 1988 – CERT formed in response to Morris
worm
• 1991 - RFC 1244 provides guidance on
Internet Response
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
5
Personnel Involved
• Technical Staff
• Technical Management
• Possibly Law Enforcement
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
6
Current Goals
• Protect Assets
• Demonstrate Compliance
• Save Money
• Catch the Intruder?
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
7
Compliance
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
BASEL II
Control Objectives for Information and related Technology (COBIT)
Federal Information Security Management (FISMA)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
ISO 17799 Security Standards
Information Technology Information Library (ITIL)
Motion Picture Association of America (MPAA) inquiries
National Institute of Standards (NIST)
National Security Agency (NSA)
Payment Card Industry (PCI)
Recording Industry Association of America (RIAA) inquiries
Sarbanes-Oxley (SOX)
Site Data Protection (SDP)
Various State Laws (California’s Database Breach Notification Act SB 1386)
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
8
Dataloss Statistics
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
9
Incident Response Process
•
•
•
•
•
•
•
Preparation
Detection
Containment
Evidence Collection
Investigation
Eradication and Recovery
Post Mortem
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
10
Preparation
•
•
•
•
•
•
Form CSIRT
Develop Policies and Procedures
Assess technology needs
Perform Business Risk Analysis
Develop Security Awareness Program
Test the Plan
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
11
CSIRT Organizational Roles
•
•
•
•
•
•
•
Executive Sponsor
IT Director
CSIRT Coordinator
Technical Subject Matter Experts
Legal representative
HR representative
Business unit representatives
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
12
Role of Law Enforcement
• Who decides to call the cops?
• How much access should law enforcement
have?
• Are you prepared to go to court?
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
13
Policies and Procedures
• Executive Statement - intended for management to establish
overall goals of the security policy and mechanisms in place to
support it.
• Asset Protection and Information Management, - intended for
Project Managers to provide specific standards and guidelines for
information management.
• Acceptable Use Policy – details what users can expect with regard
to privacy and what is expected of them to protect the organization’s
information assets.
• Secure System and Network Administration -intended to
establish requirements for secure system and network
administration.
• Auditing, Monitoring and Compliance - intended for those
responsible for auditing system and network security controls and
ensuring policy compliance.
• Disaster Recovery Plan - covers incidents that may have a
catastrophic effect on business operations.
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
14
Contact Lists
•
•
•
•
Internal Organizations
Vendors
Third Party Connections
Law Enforcement Agencies
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
15
Technology Assessment
Monitoring Tools
Network Segmentation
Investigative Tools
Operating System Hardening
Anti-Virus/Spyware
Patch Management
Vulnerability Management
Backups
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
16
Business Risk Analysis
• Identify Business Information Owners
• Identify Critical applications
• Classify Data
– Patient Health Information
– Credit Card Data
– Client Financial Data
– Material Non-public
– Intellectual Property
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
17
Security Awareness
•
•
•
•
•
•
User training (Early Warning System)
Security mailing lists
Security training
Vulnerability Databases
Patch Databases
Security Conferences
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
18
Detection
It’s Monday. You've got mail! A lot of it… 60
Minutes is holding on line 1, the DA is on
line 2, the CEO is on line 3, and somebody
claiming to be the Omnipotent Stomper is
texting your cell. It’s going to be a bad
day…
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
19
Obvious Indicators
•
•
•
•
•
•
•
Communication from Attacker
Communication from Law Enforcement
Communication from another site
Network Floods
IDS alarm
Damaged or Missing Data
Unusual system behavior
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
20
Sometimes very obvious…
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
21
Subtle Indications
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
22
Evaluating Technical Impact
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
23
Evaluating Business Impact
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
24
Intrusion Response Tasks
•
•
•
•
•
•
Document everything
Notify appropriate contacts
Protect systems and limit data loss
Gather volatile data and logs
Mirror disks
Safeguard evidence
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
25
Containment
•
•
•
•
•
•
•
•
•
•
Disable new login sessions
Un-mount disk drives
Check for dead-man switches
Shut down affected systems if data at risk
Disconnect network interface
Modify firewall and router filtering rules
Monitor system and/or network activity.
Monitor or disable compromised services
Move devices to a containment VLAN
Modify DNS records to point to a different IP
address
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
26
Evidence Gathering
• Collect Volatile Data
– Processes
– Memory
– Network connections
– Open File descriptors
• Mirror Disks
– Use a Write Block to protect source disk
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
27
Evidence Protection
• All evidence delivered to evidence
custodian
• Evidence locked up in a safe place
• Evidence is signed in and out each time it
changes hands
• Chain of custody log stays with evidence
through entire process
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
28
Forensic Analysis
•
•
•
•
•
Use disk mirror for forensic exam
Never use source disk
Follow a set methodology
Write a report
Document any test program created and
used against forensic evidence
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
29
Restoring Operations
•
•
•
•
•
Isolate target system from rest of network
Ensure integrity of installation media
Ensure integrity of backups
Use CIS benchmarks as guides
Change all passwords and keys
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
30
Monitoring for Repeat Attacks
• Attack vector may be same attacker or
copycat
• Consider installing additional monitoring
tools
• Allocate staff hours for extra monitoring
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
31
Post Mortem
• Meeting with CSIRT
• Create post-mortem report
–
–
–
–
Document incident
What went well
What went wrong
Identify scope of data loss
• Update Incident Response Plan
• Reassess technology, policies and procedures
• Possibly prepare for court
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
32
Resources: Historical
RoadNews.com. “History of Hacking”
http://www.roadnews.com/html/Articles/historyofhacking.htm
Bruce Sterling, “Short History of the Internet” [From The Magazine of
Fantasy and Science Fiction, February 1993.]
http://w3.aces.uiuc.edu/AIM/scale/nethistory.html
Adrienne Wilmoth Lerner. “Computer Fraud and Abuse Act of 1986”[
Advameg Inc.]
http://www.espionageinfo.com/Co-Cop/Computer-Fraud-and-Abuse-Actof-1986.html
Internet Engineering Task Force, “RFC 1244 Site Security Handbook,”
[1991]
http://www.rfc-archive.org/getrfc.php?rfc=1244
Internet Engineering Task Force, “RFC 2350: Expectations for
Computer Security Incident Response,” [1998]
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
33
Resources: Data Loss Prevention
Scott Berinato “Data Breach Notification Laws State by State,” [CSO
Magazine, 2/12/2008]
http://www.csoonline.com/read/020108/ammap/ammap.html
Attrition.org, “Dataloss Archive and Database,” [Jericho, Lyger]
http://attrition.org/dataloss/
Etiolated.org, “Shedding Light on Privacy Incidents,” [Dave]
http://etiolated.org/
Ponemon Institute, LLC, “2007 Annual Study: US Cost of a Data
Breach,” [November, 2007]
http://www.vontu.com/uploadedfiles/global/Ponemon-Cost-of-a-DataBreach-2007.pdf
http://www.rfc-archive.org/getrfc.php?rfc=2350
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
34
Resources: Incident Response
National Institute of Standards and Technology,
“Computer Security Incident Handling Guide,”
[U.S. Department of Commerce]
http://csrc.nist.gov/publications/nistpubs/80061/sp800-61.pdf
Center for Internet Security, “CIS Benchmarks”
[2008]
http://www.cisecurity.org/bench.html
Tenable Network Security
http://tenablesecurity.com/solutions/
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
35
Summary
Preparation
Detection
Containment
Evidence Collection
Investigation
Eradication & Recovery
Post Mortem
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
36
Questions?
cfennelly@tenablesecurity.com
carole.fennelly@gmail.com
March 15, 2016
Copyright © 2002-2008 Tenable Network Security, Inc.
37
Related documents
Passive Vulnerability Scanner
Passive Vulnerability Scanner
Taipei-Wego-International-Program-Composition-Class
Taipei-Wego-International-Program-Composition-Class
Click here to add title
Click here to add title
Math 160A - Winter 2016 - Homework #4
Math 160A - Winter 2016 - Homework #4
Seminar Special Topics course Environmental Data Analysis W2016
Seminar Special Topics course Environmental Data Analysis W2016
Abstract Template
Abstract Template
Confirmation Gr. 9 & 10
Confirmation Gr. 9 & 10
Download
advertisement