Slide 3: Objectives
Students should be able to:
- Define and describe an incident response plan and a business continuity plan
- Define recovery terms: interruption window, service delivery objective, maximum tolerable outage, alternate mode, acceptable interruption window
- Describe the incident management team, incident response team, proactive detection, triage
- Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, imaging, extraction, ingestion or normalization, case log, investigation report
- Develop a high-level incident response plan
Slide 4: How to React to…?
Incident types shown around the slide: Fire!, Stolen Laptop, Social Engineering, Denial of Service, Accidents, Viruses, Theft of Proprietary Information, System Failure, Hacker Intrusion, Lost Backup Tape.
Notes: Any business wants to be able to plan for the future, which means it needs a reasonable assurance about what to expect. Incident response is about planning for the unexpected.
Slide 5: Incident Response vs. Business Continuity
Incident Response Planning (IRP):
- Security-related threats to systems, networks & data
- Data confidentiality
- Non-repudiable transactions
Business Continuity Planning (BCP):
- Disaster Recovery Plan
- Continuity of Business Operations
IRP is part of BCP and can be *the first step*.
Notes: Business continuity planning has broader scope than IRP: how will you continue to do business (and earn profits and pay your employees) after an incident that disrupts it? In addition to purely IT systems, "threats to systems..." etc. includes threats to infrastructure and personnel: physical storage, skill inventory and so on. Incident Response focuses on IT attacks and prevention. Business Continuity focuses on the business, of which IT is an important part, but only a part of the story.
Slide 6: Recovery Terms
- Interruption Window: time duration the organization can wait between the point of failure and service resumption
- Service Delivery Objective (SDO): level of service in Alternate Mode
- Maximum Tolerable Outage (MTO): maximum time in Alternate Mode
[Figure: timeline of service level against time. Regular Service runs until the Disaster; the (Acceptable) Interruption Window ends when the Recovery Plan is Implemented and Alternate Mode begins at the SDO level; Alternate Mode lasts until the Restoration Plan is Implemented and Regular Service resumes; the Maximum Tolerable Outage is marked ending at the return to Regular Service.]
Notes: The interruption window is the time between failure and restoration of a minimal level of critical services, the minimum needed to carry on. The MTO is the acceptable time between failure and return to full operations. Recovery time objective (RTO) is the maximum time between an incident and alternate mode becoming available; that is, the length of the acceptable interruption window.
Slide 7: Incident Response Team Vocabulary
IMT: Incident Management Team
- The IS Manager leads; includes the steering committee and IRT members
- Develops strategies & designs the plan for Incident Response, integrating business, IT, BCP, and risk management
- Obtains funding; reviews postmortems
- Meets performance & reporting requirements
IRT: Incident Response Team
- Handles the specific incident. Has specific knowledge relating to: security, network protocols, operating systems, physical security issues, malicious code, etc.
- Permanent (full-time) members: IT security specialists, incident handlers, investigator
- Virtual (part-time) members: business (middle management), legal, public relations, human resources, physical security, risk, IT
Notes: The slide shows higher-ranking positions on top, lower-ranking on the bottom.
Slide 9: Stage 1: Preparation
- What shall we do if different types of incidents occur? (BIA helps)
- When is the incident management team called?
- How can governmental agencies or law enforcement help?
- When do we involve law enforcement?
- What equipment do we need to handle an incident?
- What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies)
- Where on-site & off-site shall we keep the IRP?
Notes: A business impact assessment (BIA) should be conducted by each business process (department, whatever) to determine how an incident will affect it and what steps should be taken to mitigate or respond to it. This is part of risk management as well as incident response. The incident response plan (IRP) is the document that contains the procedures to follow in case of an emergency (see slide 11). It should be usable by someone who wasn't involved in its creation, and it needs to be accessible in unusual circumstances: if the only copy is in your desk drawer when a fire guts your office building, then you're doing it wrong. Bullets 3 and 4: meet with government emergency management (law enforcement, etc.) to learn what they are capable of and how they prefer to operate.
Slide 10: (1) Detection Technologies
The organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner.
Proactive Detection includes:
- Network Intrusion Detection/Prevention System (NIDS/NIPS)
- Host Intrusion Detection/Prevention System (HIDS/HIPS); includes personal firewalls
- Security Information and Event Management (logs)
- Vulnerability/audit testing
- Centralized Incident Management System
  - Input: server and system logs
  - Coordinates & correlates logs from many systems
  - Tracks the status of incidents to closure
Reactive Detection: reports of unusual or suspicious activity
Notes: You can't determine whether an incident has occurred unless there are detection techniques. It makes sense that there is a detection technique and/or metric for each risk of concern. Not all of the above tools need to be implemented; that depends on the outcome of the risk assessment. However, they are useful tools for detecting incidents.
Slide 11: (1) Management Participation
Management makes the final decision.
Notes: As always, senior management has to be convinced that this is worth the money.
Actual costs: Ponemon Data Breach Study, 2013, sponsored by Symantec
Expenses Following a Breach | Average Cost
Detection and Escalation: forensic investigation, audit, crisis management, board of directors involvement | $400,000
Notification: legal expertise, contact database development, customer communications | $570,000
Post Breach Response: help desk and incoming communications, identity protection services, legal and regulatory expenses, special investigations | $1,410,000
Lost Business: abnormal customer churn, customer procurement, goodwill | $3,030,000
Redundancy costs are the costs of alternate equipment/lines to deal with incidents. The cost of the redundancy and detection can be weighed against the Business Impact Analysis costs when incidents occur, and against how the loss of computing facilities might translate into lost income.
Slide 12: Workbook Incident Types
Incident: Intruder accesses internal network
- Description: Firewall, database, IDS, or server log indicates a probable intrusion.
- Method of detection: Daily log evaluations, high-priority alerts
- Procedural response: IT/Security addresses the incident within 1 hour. Follow: Network Incident Procedure section.
Incident: Break-in or theft
- Description: Computers, laptops or memory are stolen.
- Method of detection: Security alarm set for off-hours; or employee reports missing device.
- Procedural response: Call Management & IT immediately. Management calls police. Security initiates tracing of laptops via location software, writes Incident Report, evaluates if a breach occurred.
Incident: Social Engineering
- Description: Suspicious social engineering attempt, OR information was divulged and later recognized as inappropriate.
- Method of detection: Training of staff leads to report from staff
- Procedural response: Report to Management & Security. Warn employees of the attempt as added training. Security evaluates if a breach occurred, writes incident report.
Notes: This is in an abbreviated form to fit on a slide. The Method of Detection is how we will know if an incident occurs. There may be many methods. The procedural response can refer to another document, which has a more extensive description. (Short form shown here.)
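As an added example (not from the slides), the correlation step of the centralized incident management system on slide 10, applied to the workbook row "Intruder accesses internal network": an IDS alert and a later successful login from the same source address across two log sources open one incident with a one-hour response deadline and a status tracked to closure. The log line format, the addresses and the Incident fields are assumptions.

```python
"""Correlate log lines from two systems into a tracked incident record.

Added example, not from the slides: a minimal version of the centralized
incident management system on the Detection Technologies slide, applied to
the Workbook row "Intruder accesses internal network" (respond within 1 hour).
The log line format, the addresses and the Incident fields are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample lines: one firewall/NIDS alert and server login events.
SAMPLE_LOGS = [
    "2024-03-01T02:14:05 fw ALERT src=203.0.113.9 dst=10.0.0.5 sig=portscan",
    "2024-03-01T02:15:40 srv05 FAILED user=admin src=203.0.113.9",
    "2024-03-01T02:15:52 srv05 FAILED user=admin src=203.0.113.9",
    "2024-03-01T02:16:03 srv05 ACCEPT user=admin src=203.0.113.9",
    "2024-03-01T08:00:00 srv07 ACCEPT user=alice src=10.0.0.44",
]
RESPONSE_DEADLINE = timedelta(hours=1)  # workbook: address within 1 hour


@dataclass
class Incident:
    source: str
    category: str
    opened: datetime
    evidence: list = field(default_factory=list)
    status: str = "open"           # open -> assigned -> closed
    handler: str = ""

    def respond_by(self) -> str:
        return (self.opened + RESPONSE_DEADLINE).isoformat()

    def assign(self, handler: str) -> None:
        self.handler, self.status = handler, "assigned"

    def close(self, note: str) -> None:
        self.evidence.append(note)
        self.status = "closed"


def parse(line: str) -> dict:
    """Split a line into timestamp, host, event name and key=value fields."""
    ts, host, event, *rest = line.split()
    kv = dict(item.split("=", 1) for item in rest if "=" in item)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **kv}


def correlate(lines, window=timedelta(minutes=10)) -> list:
    """Open one incident per ALERT that is followed, within `window`, by a
    successful login (ACCEPT) from the same source address: a probable
    intrusion that no single log would show on its own."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    incidents = []
    for alert in (e for e in events if e["event"] == "ALERT"):
        related = [e for e in events
                   if e.get("src") == alert["src"]
                   and alert["ts"] <= e["ts"] <= alert["ts"] + window]
        if any(e["event"] == "ACCEPT" for e in related):
            inc = Incident(alert["src"], "Unauthorized access", alert["ts"])
            inc.evidence = [e["host"] + ":" + e["event"] for e in related]
            incidents.append(inc)
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        inc.assign("on-call handler")
        print(inc.category, inc.source, "respond by", inc.respond_by(), inc.evidence)
```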
Slide 13: Stage 2: Identification
Triage: categorize, prioritize and assign events and incidents
- What type of incident just occurred?
- What is the severity of the incident? Severity may increase if recovery is delayed.
- Who should be called?
- Establish chain of custody for evidence
Notes: You may remember from MASH (TV show and movie) that triage is about stopping bleeding and prioritizing injuries to maximize the probability of survival. Same thing here: determining what is wrong and taking the correct first actions until the bleeding stops and the experts are ready to take over. How to declare a disaster involves more than communication; it also means deciding when to declare a disaster, as opposed to some lesser incident. You want your response to be proportional to the scale of the incident. If you overreact (shutting down the entire network over one unauthorized entry) you'll waste a lot of time and money. If you underreact, the incident may become a lot worse than it already is.
Slide 14: (2) Triage
Snapshot of the known status of all reported incident activity
Sort, Categorize, Correlate, Prioritize & Assign
- Categorize: DoS, Malicious code, Unauthorized access, Inappropriate usage, Multiple components
- Prioritize: Limited resources require prioritizing the response to minimize impact
- Assign: Who is free/on duty, competent in this area?
Notes: Triage happens at a hospital: when you come in you are asked questions to determine how long you can wait to see a doctor. (You get prioritized compared to the other emergency patients.) They may bandage you to stop any bleeding, but think military war zone: a full operation is not done.
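An added example (not from the slides) of the categorize, prioritize and assign steps: the five categories are the slide's; the scoring weights, the handler roster, the sample backlog and the rule that priority grows for each hour an event has waited (the previous slide's "severity may increase if recovery is delayed") are assumptions.

```python
"""Triage: categorize, prioritize and assign reported events.

Added example, not from the slides. The five categories are the ones on the
Triage slide; the scoring weights, the handler roster, the sample backlog and
the rule that priority rises for each hour an event has waited (severity may
increase if recovery is delayed) are assumptions for illustration.
"""
from datetime import datetime, timedelta

CATEGORIES = ("DoS", "Malicious code", "Unauthorized access",
              "Inappropriate usage", "Multiple components")
NOW = datetime(2024, 3, 1, 9, 0)  # fixed clock so the example is repeatable

# Constructed roster: who is on duty and what they are competent in.
HANDLERS = [
    {"name": "hana", "on_duty": True,  "skills": {"Malicious code", "Unauthorized access"}},
    {"name": "raj",  "on_duty": True,  "skills": {"DoS"}},
    {"name": "lee",  "on_duty": False, "skills": {"Unauthorized access", "Multiple components"}},
]

# Constructed backlog of reported events.
EVENTS = [
    {"id": "E1", "tags": {"Malicious code"}, "severity": 2, "systems": 1,
     "reported": NOW},
    {"id": "E2", "tags": {"DoS", "Unauthorized access"}, "severity": 3, "systems": 5,
     "reported": NOW - timedelta(hours=2)},
    {"id": "E3", "tags": {"DoS"}, "severity": 1, "systems": 1,
     "reported": NOW - timedelta(hours=3)},
]


def categorize(event: dict) -> str:
    """Map an event to one slide category; more than one hit is 'Multiple components'."""
    hits = [c for c in CATEGORIES[:4] if c in event["tags"]]
    if len(hits) > 1:
        return "Multiple components"
    return hits[0] if hits else "Inappropriate usage"


def priority(event: dict, now: datetime) -> int:
    """Higher means more urgent: severity weighs most, then the number of
    affected systems, plus one point per full hour the event has waited."""
    waited_hours = (now - event["reported"]) // timedelta(hours=1)
    return event["severity"] * 10 + event["systems"] + waited_hours


def triage(events: list, handlers: list, now: datetime) -> list:
    """Return (event id, category, priority, handler), most urgent first,
    giving each event to the first still-free on-duty handler competent in
    its category; None means nobody is available, which is itself a finding."""
    free = {h["name"]: h["skills"] for h in handlers if h["on_duty"]}
    ranked = sorted(events, key=lambda e: priority(e, now), reverse=True)
    result = []
    for ev in ranked:
        cat = categorize(ev)
        pick = next((name for name, skills in free.items() if cat in skills), None)
        if pick is not None:
            del free[pick]          # one handler, one incident at a time
        result.append((ev["id"], cat, priority(ev, now), pick))
    return result


def run_triage() -> list:
    return triage(EVENTS, HANDLERS, NOW)


if __name__ == "__main__":
    for row in run_triage():
        print(row)
```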
Slide 15: (2) Chain of Custody
Evidence must follow Chain of Custody law to be admissible/acceptable in court.
Include: specially trained staff, 3rd-party specialist, law enforcement, security response team
The system administrator can:
- Retrieve information to confirm an incident
- Identify the scope and size of the affected environment (system/network)
- Determine the degree of loss/alteration/damage
- Identify the possible path of attack
Notes: Chain of Custody will be necessary if anything will go to court. You need to be concerned with this right from the start, if it is a concern. Chain of Custody requires that a witness be present for all actions taken, that a qualified "expert" does the incident response and forensic work (so the work accomplished stands up in court as professional), that the original disk is not modified, and that the whereabouts of the disk are always secure from the point of the incident on: locked, limited key access, witnessed, etc.
Slide 16: Stage 3: Containment
Activate the Incident Response Team to contain the threat: IT/security, public relations, management, business
Isolate the problem:
- Take the infected server off the network
- Change firewall configurations to stop the attacker
Obtain & preserve evidence
Notes: Employees who are not directly involved in incident response still need to know their roles, even if it's just to get out of the way and let the IRT work. The proper actions are defined in the Incident Response Plan, which should always be followed. For example, no one should be talking to the news except public relations or top management.
Slide 17: (3) Containment - Response
Technical:
- Collect data
- Analyze log files
- Obtain further technical assistance
- Deploy patches & workarounds
Managerial:
- Business impacts result in management intervention, notification, escalation, approval
Legal:
- Issues related to: investigation, prosecution, liability, privacy, laws & regulation, nondisclosure
Notes: Issues may affect IT, management, and even legal, depending on the incident.
Slide 18: Stage 4: Analysis & Eradication
- Determine how the attack occurred: who, when, how, and why?
- What is the impact & threat? What damage occurred?
- Remove the root cause:
  - Rebuild the system
  - Talk to the ISP to get more information
  - Perform vulnerability analysis
  - Improve defenses with enhanced protection techniques
- Discuss recovery with management, who must make decisions on handling that affects other areas of the business
Notes: Forensics can be a useful tool here. Rebuilding may be necessary if someone attacked your computer, and entered as admin in particular. While some of the malware may be detected, it is possible that backdoors and rootkit parts may not be detected, including replaced OS software or new logins/passwords added. So you may know part of what the attacker did, but not all. When in doubt, it is best to rebuild the entire system if security is a concern.
Slide 19: (4) Analysis
- What happened? Who was involved? What was the reason for the attack?
- Where did the attack originate from?
- When did the initial attack occur?
- How did it happen?
- What vulnerability enabled the attack?
Notes: Here it is time to determine the root of the problem and its effects.
Slide 20: (4) Remove Root Cause
- If Admin or Root was compromised, rebuild the system
- Implement recent patches & recent antivirus
- All passwords should be changed
Slide 21: Stage 5: Recovery
- Restore operations to normal
- Ensure that the restore is fully tested and operational
Slide 22: Workbook Incident Handling Response
Incident Type: Malware detected by antivirus software
Contact Name & Information: Computer Technology Services Desk: (O)
Emergency Triage Procedure: Disconnect the computer from the Internet/WLAN. Do not reconnect. Allow the antivirus to fix the problem, if possible. Report to IT first thing during the next business day.
Escalation Conditions and Steps: If the laptop contained confidential information, investigate the malware to determine if an intruder obtained entry. Determine if the Breach Law applies.
Containment, Analysis & Eradication Procedure: If confidential information was on the computer (even though encrypted), the malware may have sent sensitive data across the Internet; a forensic investigation is required. Next, determine if virus = dangerous and user = admin:
- Type A: return the computer. (A = virus not dangerous and user not admin.)
- Type B: rebuild the computer. (B = either the virus was dangerous and/or the user was admin.)
The password is changed for all users on the computer.
Other Notes (Prevention techniques): Antivirus should record the type of malware to the log system.
Notes: This is an abbreviated form to fit on one page. Some incidents will be heavy in certain areas compared to others. In this case, emergency triage is not a big concern; the only concern is that the matter not become worse by continuing to allow the computer to be Internet-accessible.
Slide 23: Stage 6: Lessons Learned
Follow-up includes:
- Writing an Incident Report
- What went right or wrong in the incident response?
- How can process improvement occur?
- How much did the incident cost (in loss & handling & time)?
- Present the report to relevant stakeholders
Notes: This slide refers mainly to the incident process itself and how to make it better for the next time. However, it is also a good time to review preventative measures. Were they adequate (given that they failed), and was the cost of the incident high enough to justify spending more resources in order to avoid another?
Slide 24: Planning Processes
- Risk & Business Impact Assessment
- Response & Recovery Strategy Definition
- Document IRP and DRP
- Train for response & recovery
- Update IRP & DRP
- Test response & recovery
- Audit IRP & DRP
IRP = Incident Response Plan (security incident). DRP = Disaster Response Plan (business incident affecting IT).
Slide 25: Training
- Introductory Training: first day as IMT
- Mentoring: buddy system with a longer-term member
- Formal Training
- On-the-job training
- Training due to changes in IRP/DRP
Notes: Everyone needs to know their roles in maintaining security. These are different methods of training.
Slide 26: Types of Penetration Tests
- External Testing: tests from outside the network perimeter
- Internal Testing: tests from within the network
- Blind Testing: the penetration tester knows nothing in advance and must do web research on the company
- Double Blind Testing: system and security administrators are also not aware of the test
- Targeted Testing: tester has internal information about a target; may have access to an account
Written permission must always be obtained first.
Source: CISA Review Manual 2009
Slide 27: Incident Management Metrics
- Number of reported incidents
- Number of detected incidents
- Average time to respond to an incident
- Average time to resolve an incident
- Total number of incidents successfully resolved
- Proactive & preventative measures taken
- Total damage from reported or detected incidents
- Total damage if incidents had not been contained in a timely manner
Notes: Keep in mind, just because you don't detect any incidents doesn't mean there aren't any.
Slide 28: Challenges
- Management buy-in: management does not allocate time/staff to develop the IRP. Top reason for failure.
- Organization goals/structure mismatch: e.g., national scope for an international organization
- IMT member turnover
- Communication problems: too much or too little
- Plan is too complex and wide
Slide 29: Question
The MAIN challenge in putting together an IRP is likely to be:
1. Getting management and department support
2. Understanding the requirements for chain of custody
3. Keeping the IRP up-to-date
4. Ensuring the IRP is correct
Answer: 1
Slide 30: Question
The PRIMARY reason for triage is:
1. To coordinate limited resources
2. To disinfect a compromised system
3. To determine the reasons for the incident
4. To detect an incident
Answer: 1
Slide 31: Question
When a system has been compromised at the administrator level, the MOST IMPORTANT action is:
1. Ensure patches and antivirus are up-to-date
2. Change the admin password
3. Request law enforcement assistance to investigate the incident
4. Rebuild the system
Answer: 4. The system must be rebuilt. Concerning 2, all passwords should be changed. 1 must also be done, after the rebuild.
Slide 32: Question
The BEST method of detecting an incident is:
1. Investigating reports of discrepancies
2. NIDS/HIDS technology
3. Regular vulnerability scans
4. Job rotation
Answer: 2. This is proactive and is likely to detect incidents earlier than the other methods.
Slide 33: Question
The person or group who develops strategies for incident response includes:
1. CISO
2. CRO
3. IRT
4. IMT
Answer: 4, IMT: Incident Management Team. Others participate, including: CISO: Chief Information Security Officer; CRO: Chief Risk Officer; IRT: Incident Response Team.
Slide 34: Question
The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:
1. Disconnect the computer facilities from the computer network to hopefully disconnect the attacker
2. Power down the server to prevent further loss of confidentiality and data integrity
3. Call the police
4. Follow the directions of the Incident Response Plan
Notes: The decision of what should occur is a business decision. Governance or Senior Business Management should decide, and this decision should be documented in the Incident Response Plan. By the way, you are right, this was not covered in the notes. CISA and CISM do the same thing. That is why it is important to use their test questions after you understand the material.
Slide 35: Computer Investigation and Forensics
- Computer Crime Investigation
- Chain of Command
- Computer Forensics
Slide 37: Computer Forensics
Did a crime occur? If so, what occurred?
Evidence must pass tests for:
- Authenticity: evidence is a true and faithful original of the crime scene. Computer forensics does not destroy or alter the evidence.
- Continuity: the "chain of custody" assures that the evidence is intact.
Notes: In court it is likely that there will be a disagreement about the drives and connectors that were available on the computer(s). Therefore, a picture of the computers and site may be required to eliminate all ambiguous discussion in court.
Slide 39: Preparing Evidence
Work with police to AVOID:
- Contaminating the evidence
- Voiding the chain of custody
  - Evidence is not impure or tainted
  - Written documentation lists the chain of custody: locations, persons in contact, time & place
- Infringing on the rights of the suspect
  - Warrant required unless…
  - Company permission given; in plain sight; communicated to a third party; evidence in danger of being destroyed; or normal part of arrest; ...
Slide 41: Creating a Forensic Copy
[Figure: Original disk copied to Mirror Image, with the steps annotated.]
1) & 6) Calculate Message Digest: before and after the copy
2) Accuracy Feature: the tool is accepted as accurate by the scientific community
3) Forensically Sterile: wipes existing data; records sterility
4) One-way Copy: cannot modify the original
5) Bit-by-Bit Copy: mirror image
7) Calculate Message Digest: validate the correctness of the copy
Notes: This shows the steps of taking a forensic copy of a disk. Message digest (MD): a cryptographic hash function used to verify that no changes are made to the data being copied. The data is hashed, then copied. The copy process must not change the original data in any way; small changes in the original may create large changes in the MD. The copy should be precise (bit-by-bit) and must not be corrupted by anything on the copy medium. When the copy is complete it gets hashed too, and the two are compared. A complete and correct copy will produce an identical message digest. MDs can be faked, so chain of custody is still important. The copy is used for forensic analysis; the original is kept safe as evidence for court.
Slide 44: Forensics: Chain of Custody Forms
Chain of Custody Form: tracks where & how evidence was handled. Includes:
- Name & contact info of custodians
- Detailed identification of evidence (e.g., model, serial #)
- When, why, and by whom evidence was acquired or moved
- Where stored
- When/if returned
Other forms:
- Detailed activity logs
- Checklists for acquiring technicians
- Signed non-disclosure forms
Notes: The purpose of the (basic) Chain of Custody form is to track where and how the evidence has been handled. However, the other forms are also types of Chain of Custody forms.
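The seven forensic-copy steps of slide 41 and the custody record of slide 44, as an added example that is not from the slides: an in-memory stand-in for a disk is hashed, a sterilized destination is filled sector by sector, the original is hashed again, and the copy's digest is compared, with each step written as a custody entry (custodian, action, item, when, detail). The disk contents, the custodian name and the imaging tool name are constructed; a real copy reads the device through a write blocker with an imaging tool accepted as accurate.

```python
"""Forensic copy with message digests before and after, plus a custody log.

Added example, not from the slides: it carries out the seven steps on the
"Creating a Forensic Copy" slide over an in-memory stand-in for a disk and
records each step with the Chain of Custody Form fields. The disk contents,
the custodian name and the tool name are constructed for illustration.
"""
import hashlib
from datetime import datetime, timezone

SECTOR = 512
# Constructed "original disk": immutable bytes stand in for a write-blocked device.
ORIGINAL = b"constructed evidence disk image, sector payload " * 64


def digest(data: bytes) -> str:
    """Message digest of the data; any single-bit change changes the result."""
    return hashlib.sha256(data).hexdigest()


def log_entry(log: list, custodian: str, action: str, item: str, detail: str) -> None:
    """One chain-of-custody line: who, what, which item, when, and the detail."""
    log.append({"when": datetime.now(timezone.utc).isoformat(),
                "custodian": custodian, "action": action,
                "item": item, "detail": detail})


def forensic_copy(original: bytes, image: bytearray, custodian: str, log: list) -> dict:
    if len(image) != len(original):
        raise ValueError("image medium must be the same size as the original")
    # 1) Message digest of the original before anything else is done.
    before = digest(original)
    log_entry(log, custodian, "hash original", "disk-0", before)
    # 2) Accuracy: record which (accepted) tool made the copy.
    log_entry(log, custodian, "tool", "disk-0", "example-imager (illustrative name)")
    # 3) Forensically sterile destination: wipe it and record the wiped digest.
    image[:] = bytes(len(image))
    log_entry(log, custodian, "sterilize", "image-0", digest(bytes(image)))
    # 4) One-way copy: `original` is only ever read, never written.
    # 5) Bit-by-bit copy, sector by sector, with no interpretation of contents.
    for off in range(0, len(original), SECTOR):
        image[off:off + SECTOR] = original[off:off + SECTOR]
    # 6) Digest of the original again: shows the copy process did not alter it.
    after = digest(original)
    # 7) Digest of the copy: a complete and correct copy matches the original.
    copy_digest = digest(bytes(image))
    verified = before == after == copy_digest
    log_entry(log, custodian, "verify", "image-0",
              "original=%s image=%s match=%s" % (before[:16], copy_digest[:16], verified))
    return {"before": before, "after": after, "image": copy_digest, "verified": verified}


def still_intact(image: bytes, recorded_digest: str) -> bool:
    """Re-check a copy later against the digest recorded in the custody log."""
    return digest(image) == recorded_digest


if __name__ == "__main__":
    custody = []
    img = bytearray(len(ORIGINAL))
    result = forensic_copy(ORIGINAL, img, "examiner-1 (constructed)", custody)
    print("verified:", result["verified"])
    for e in custody:
        print(e["when"], e["custodian"], e["action"], e["item"], e["detail"])
```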
Slide 45: Forensics: Case Log
The case log includes:
- Case number
- Basic case notes, requirements, procedures
- Dates when requests were received
- Dates investigations were assigned to investigators
- Date completed
- Name and contact information for investigator and requestor
Notes: The purpose of the Case Log is to track all investigative assignments and activities.
Slide 46: Forensics: Investigation Report
- Name and contact info for investigators
- Case number
- Dates of investigation
- Details of interviews or communications
- Details of devices or data acquired (model, serial #)
- Details of software/hardware tools used (must be reputable in law)
- Details of findings, including actual data
- Signature of investigator
Slide 47: Question
Authenticity requires:
1. Chain of custody forms are completed
2. The original equipment is not touched during the investigation
3. Law enforcement assists in investigating evidence
4. The data is a true and faithful copy of the crime scene
Answer: 4
Slide 48: Question
You are developing an Incident Response Plan. An executive order is that the network shall remain up, and intruders are to be pursued. Your first step is to…
1. Use commands off the local disk to record what is in memory
2. Use commands off of a memory stick to record what is in memory
3. Find a witness and log times of events
4. Call your manager and a lawyer, in that order
Answer: Steps 2, 3, 4 are good selections, but 3 is your first responsibility.
Slide 49: Question
What is NOT TRUE about forensic disk copies?
1. The first step in a copy is to calculate the message digest
2. Extraction and analysis for presentation in court should always occur on the original disk
3. Normalization is a forensics stage which converts raw data to an understood format (e.g., ASCII, graphs, …)
4. Forensic copies require a bit-by-bit copy