1 Incident Handling COEN 250

2 Definitions
- Event: an observable occurrence
- Adverse event: an event with negative consequences
- Computer security incident:
  - Traditional definition: a security-related adverse event in which there was a loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability
  - Newer definition: a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices

3 Incident Types
- CIA-related incidents: confidentiality, integrity, availability
- Other types
  - Reconnaissance attacks
  - Repudiation: someone takes an action and denies it later on

4 Need for Incident Response
- All organizations
  - Systematic response to incidents
  - Help in recovering quickly and efficiently
  - Prepare for handling and avoidance of future incidents
  - Deal properly with legal issues
- Federal agencies
  - Federal Information Security Management Act (FISMA) of 2002
    - Provide "procedures for detecting, reporting, and responding to security incidents"
    - Establishes a centralized Federal information security incident center
  - Civilian agencies: establish a point of contact (POC) with FedCIRC (Federal Computer Incident Reporting Center)
  - OMB Circular No. A-130, Appendix III: capability to provide help to users when an incident occurs

5 Incident Response Scope
- Technical: incident detection and investigation tools and procedures
- Management-related
  - Policy
  - Formation of an incident response capability
  - In-house vs. outsourced

6 Stakeholders
- Organization's ability to fulfill its mission
  - Users
  - Administrators
- Providers
  - Organization's ISP
  - Software vendors
  - Telecommunications providers
- Third parties
  - Clients
  - Affected external parties
  - Other incident response teams
  - Owner of the attacking address
- Reporting agencies
  - Media
  - Law enforcement agencies
  - Incident reporting agencies

7 Incident Response Policy
Typical elements
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy (to whom and what it applies, and under what circumstances)
- Definition of computer security incidents and their consequences
- Organizational structure and delineation of roles, responsibilities, and levels of authority
  - Includes confiscation / disconnection of equipment
  - Monitoring of activity
- Requirements for reporting
- Prioritization or severity ratings of incidents
- Performance measures
- Reporting and contact forms

8 Sharing Information with Outside Parties
Media
- Establish media communications procedures
- Designate a single point of contact (PoC)
- Prepare for media interaction
- Do not reveal sensitive technical information
- Appreciate the importance of communicating with the public fully and effectively
- Brief media contacts on issues and sensitivities before discussion with the media

9 Sharing Information with Outside Parties
Law enforcement: which agency?
- Federal investigatory agencies: FBI, US Secret Service
- State law enforcement
- Local law enforcement
- Office of the Inspector General (OIG) for federal agencies

10 Sharing Information with Outside Parties
Law enforcement: what incidents?
- Discuss beforehand
  - How to report
  - Collection of evidence: what? how?

11 Sharing Information with Outside Parties
Incident reporting organizations
- FedCIRC (federal agencies only)
- Information Analysis Infrastructure Protection (IAIP)
- CERT® Coordination Center (CERT®/CC)
- Information Sharing and Analysis Centers (ISAC)

12 Incident Response Team Structure
Team models
- Central incident response team
- Distributed incident response teams
- Coordinating team: provides guidance and advice; does not have authority
Staffing models
- Employees
- Partially outsourced
- Fully outsourced

13 Incident Response Team Structure
Criteria, in house
- Need for 24/7 availability
- Full-time vs. part-time team members
  - Volunteer fire department model
- Employee morale
  - Incident response demands on-call responsibilities for most team members
- Cost
- Staff expertise
- Organizational structure of the organization

14 Incident Response Team Structure
Criteria, outsourcer
- Current and future quality of work
- Division of responsibilities
- Sensitive information revealed to the contractor
- Lack of organization-specific knowledge
- Lack of correlation
- Outsourcer requires administrative access to systems and to logs
- Location: incident response often requires physical presence

15 Incident Response Team Structure
Team development
- Budget for training, publications, references
- Mentoring program
- Rotation between incident response and other duties
- Training exercises

16 Incident Response Team Structure
Interactions with other groups
- Management: support, buy-in
- Information security staff
- Telecommunications staff: some incidents involve unauthorized access to telephone lines
- IT support staff
- Legal department
- Public affairs / media relations
- Human resources
- Business continuity planning
- Physical security and facilities management

17 Incident Response Team Structure
Incident response team services
- Determine the scope of the incident response team
- Incident response
- Advisory distribution
- Vulnerability assessment
- Intrusion detection
- Education and awareness
- Technology watch
- Patch management: usually not recommended

18 Incident Handling
- Preparation
- Detection and analysis
- Containment, eradication and recovery
- Post-incident activity

19 Incident Handling: Preparation
Incident handler communications and facilities
- Contact information
- On-call information for other teams within the organization, including escalation information
- Incident reporting mechanisms
- Pagers or cell phones to be carried by team members for off-hour support and onsite communications
- Encryption software
- War room for central communication and coordination
- Secure storage facility for securing evidence and other sensitive materials

20 Incident Handling: Preparation
Incident analysis hardware and software
- Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data
- Blank portable media
- Easily portable printer
- Packet sniffers and protocol analyzers
- Computer forensic software
- Floppies and CDs with trusted versions of programs to be used to gather evidence from systems
- Evidence gathering accessories: hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, evidence tape

21 Incident Handling: Preparation
Incident analysis resources
- Port lists, including commonly used ports and Trojan horse ports
- Documentation for OSs, applications, protocols, and intrusion detection and antivirus signatures
- Network diagrams and lists of critical assets, such as Web, e-mail, and File Transfer Protocol (FTP) servers
- Baselines of expected network, system and application activity
- Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents

22 Incident Handling: Preparation
Incident mitigation software
- Media, including OS boot disks and CD-ROMs, OS media, and application media
- Security patches from OS and application vendors
- Backup images of OS, applications, and data stored on secondary media

23 Incident Handling: Detection and Analysis
Incident categories
- Denial of service
- Malicious code
- Unauthorized access
- Inappropriate usage
- Multiple component incidents

24 Incident Handling: Detection and Analysis
Signs of an incident
- Intrusion detection systems
- Antivirus software
- Log analyzers
- File integrity checking
- Third-party monitoring of critical services
Incident indications vs. precursors
- A precursor is a sign that an incident may occur in the future, e.g. scanning
- An indication is a sign that an incident is occurring or has occurred

25 Incident Handling: Detection and Analysis
- An indication of an incident is no proof that an incident has occurred
- The number of indications can be exceedingly high
Recommendations
- Profile networks and systems
- Understand normal behavior
- Use centralized logging and create a log retention policy
- Perform event correlation
- Keep hosts synchronized (Network Time Protocol)
- Run packet sniffers

26 Incident Handling: Detection and Analysis
Incident documentation
- If an incident is suspected, start recording facts
Incident prioritization, based on
- Current and potential technical effects
- Criticality of affected resources
Incident notification
- CIO
- Head of information system
- Local information security officer
- Other incident teams
- Other agency departments such as HR, public affairs, legal department

27 Incident Handling: Containment, Eradication, Recovery
Containment strategies
- Vary based on the type of incident
- Criteria for choosing a strategy include
  - Potential damage / theft of resources
  - Need for evidence information
  - Service availability
  - Resource consumption of the strategy
  - Effectiveness of the strategy
  - Duration of the solution

28 Incident Handling: Containment, Eradication, Recovery
Evidence gathering
- For incident analysis
- For legal proceedings
  - Chain of custody
  - Authentication of evidence

29 Incident Handling: Containment, Eradication, Recovery
Attacker identification
- Validation of the attacker's IP address
- Scanning the attacker's system
- Researching the attacker through search engines
- Using incident databases
- Monitoring possible attacker communication channels

30 Incident Handling: Containment, Eradication, Recovery
Eradication
- Deleting malicious code
- Disabling breached user accounts
Recovery
- Restoration of system(s) to normal operations
  - Restoring from clean backups
  - Rebuilding systems from scratch
  - Replacing compromised files
  - Installing patches
  - Changing passwords
- Tighten perimeter security
- Strengthen logging

31 Incident Handling: Post-Incident Activity
Evidence retention
- Prosecution of the attacker
- Data retention policies
- Cost

32 Denial of Service Incidents
- DoS prevents authorized use of IT resources
  - Crashing the OS through malformed TCP/IP packets
  - Crashing an application through malformed requests
  - Consuming available resources: network, memory, disk space

34 Denial of Service Attacks
Reflector attack
- Spoof the source address
- The responder floods the system that has that source address
- Double reflector attacks

35 Port 7 is echo – reflection service
If the DNS server responds to the echoed packet, a loop is possible

36 Denial of Service Attacks
Amplifier attacks

37 Denial of Service Attacks
Distributed Denial of Service

38 Denial of Service Attacks
SYN floods

39 Denial of Service Attacks
Preparation
- Talk with the organization's ISP
  - Filtering / limiting traffic
- Coordinated response through CERT / FedCIRC
- Intrusion detection software to detect DoS and DDoS
- Resource monitoring
- Internet health monitoring
- Monitoring of WWW response times

40 Denial of Service Attacks
Incident prevention
- Perimeter configuration
  - Block use of services that no longer serve a legitimate purpose
  - Perform ingress and egress filtering
  - Implement rate limiting
- Use host hardening (disable services)
- Implement DoS prevention software
- Implement redundancy for services

41 Denial of Service Attacks
Detection and analysis
- Precursors
  - Reconnaissance activity
  - Newly released DoS tool
- Indications

42 Denial of Service Attacks
Network-based DoS against a particular host
- User reports of system unavailability
- Unexplained connection losses
- Network intrusion detection alerts
- Host intrusion detection alerts (until the host is overwhelmed)
- Increased network bandwidth utilization
- Large number of connections to a single host
- Asymmetric network traffic pattern (large amount of traffic going to the host, little traffic coming from the host)
- Firewall and router log entries
- Packets with unusual source addresses

43 Denial of Service Attacks
Network-based DoS against a network
- User reports of system and network unavailability
- Unexplained connection losses
- Network intrusion detection alerts
- Increased network bandwidth utilization
- Asymmetric network traffic pattern (large amount of traffic entering the network, little traffic leaving the network)
- Firewall and router log entries
- Packets with unusual source addresses
- Packets with nonexistent destination addresses

44 Denial of Service Attacks
DoS against the operating system of a particular host
- User reports of system and application unavailability
- Network and host intrusion detection alerts
- Operating system log entries
- Packets with unusual source addresses
DoS against an application on a particular host
- User reports of application unavailability
- Application log entries
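
As an added example (not from the slides), the network-level indications on the preceding slides applied to perimeter flow records: unusual source addresses, nonexistent destination addresses, asymmetric traffic, and many connections to one host. The organization's address block, its host list, the bogon ranges and every flow record are constructed for illustration; the thresholds are assumptions to be tuned against the site's own baseline.

```python
import ipaddress
from collections import defaultdict

# Constructed parameters for a hypothetical organization: its address block, the
# hosts that actually exist in it, and ranges that must never appear as a source
# on ingress (RFC 1918, loopback, "this" network, multicast, our own block).
ORG_NET = ipaddress.ip_network("203.0.113.0/24")
KNOWN_HOSTS = {"203.0.113.10", "203.0.113.20"}
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4")] + [ORG_NET]
ASYMMETRY_RATIO = 20       # inbound:outbound bytes beyond which a host is flagged
MIN_INBOUND_BYTES = 10000  # ignore tiny probes when judging asymmetry
MANY_SOURCES = 50          # distinct sources to one host beyond which it is flagged

# Constructed perimeter flow records as (src, dst, bytes); not real traffic.
FLOWS = (
    [("198.51.100.%d" % i, "203.0.113.10", 1500) for i in range(1, 80)]  # flood
    + [("203.0.113.10", "198.51.100.1", 60)]         # host barely answers
    + [("10.0.0.5", "203.0.113.10", 1500)]           # private source from outside
    + [("192.0.2.9", "203.0.113.77", 64)]            # no such host
    + [("192.0.2.9", "203.0.113.20", 500), ("203.0.113.20", "192.0.2.9", 450)]  # normal
)


def unusual_source(src):
    """True if src lies in a range that should never arrive from the Internet."""
    a = ipaddress.ip_address(src)
    return any(a in net for net in BOGON_SOURCES)


def analyze(flows):
    """Apply the slides' network-level DoS indications to perimeter flow records."""
    inbound, outbound, sources = defaultdict(int), defaultdict(int), defaultdict(set)
    findings = {"unusual_source": set(), "nonexistent_dest": set(),
                "asymmetric": set(), "many_sources": set()}
    for src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in ORG_NET and d in ORG_NET:
            continue                                   # internal traffic, not perimeter
        if d in ORG_NET:                               # ingress
            if unusual_source(src):
                findings["unusual_source"].add(src)
            if dst not in KNOWN_HOSTS:
                findings["nonexistent_dest"].add(dst)
            inbound[dst] += nbytes
            sources[dst].add(src)
        elif s in ORG_NET:                             # egress
            outbound[src] += nbytes
    for host, nbytes in inbound.items():
        if nbytes >= MIN_INBOUND_BYTES and nbytes > ASYMMETRY_RATIO * max(outbound[host], 1):
            findings["asymmetric"].add(host)
        if len(sources[host]) > MANY_SOURCES:
            findings["many_sources"].add(host)
    return findings


if __name__ == "__main__":
    print(analyze(FLOWS))
```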

45 Denial of Service Attacks
Containment, eradication, and recovery
- Correct the vulnerability that is being exploited
- Implement filtering
- Relocate the target
- Do not hack back

46 Denial of Service Attacks
Evidence gathering
- Identifying the source of attacks from observed traffic
- Tracing attacks back through ISPs
- Learning how the attacking DDoS hosts were compromised
- Reviewing a large number of log entries

47 Malicious Code
Malicious code types
- Viruses
  - File infectors
  - Boot sector viruses
  - Macro viruses
  - Virus hoaxes
- Trojan horses
- Worms
- Mobile code
- Blended
  - Windows shares
  - Web server attacks (Nimda)
  - Web clients (Nimda)

48 Malicious Code Incident Preparation
- User awareness
- Subscribe to antivirus vendor bulletins
- Deploy host-based intrusion detection systems to critical hosts
  - IDS detects configuration changes (Registry, …) and system executable modifications
- Blacklist Trojan horse ports
  - Ineffective, because there are too many ports and newer Trojan horses can be configured for any port

49 Malicious Code Incident Prevention
- Use antivirus software
- Block suspicious attached files
- Configure clients to act more securely: no preview, no automatic opening, no execution, …
- Limit the use of non-essential programs with file transfer capabilities
  - P2P file & music sharing
  - Instant messaging
  - IRC clients / servers
- Educate users on safe handling of attachments
- Eliminate open Windows shares
  - Infection can quickly spread from one system to many others
  - Prevent incoming / outgoing traffic on NetBIOS ports
- Use web browser settings to limit mobile code

50 Malicious Code Detection
Precursors
- Alerts for software that the organization uses
- Antivirus software quarantines files
Indications
- Many different categories

51 Malicious Code Containment, Eradication, Recovery
- Malicious code is written to spread rapidly
- Disconnect non-critical machines from the network
- Need to identify other hosts: one confirmed incident indicates other infections
  - Perform port scans
  - Use antivirus scanning and cleanup
  - Review e-mail, firewall, …, host logs
  - Reconfigure network and host IDS
  - Audit processes currently running

52 Malicious Code Containment, Eradication, Recovery
- Send unknown malicious code to antivirus vendors
- Configure e-mail servers and clients to block it, or shut them down
- Block particular hosts or isolate networks from the Internet

53 Malicious Code Containment, Eradication, Recovery
Evidence gathering
- Typically pointless since the attack is not targeted
Eradication and recovery
- Depends on the nature of the infection: either
  - Use antivirus software to remove malicious code infections, or
  - Rebuild systems, from scratch or from a known good copy
- Prevent re-infection

54 Unauthorized Access
Examples:
- Performing a remote root compromise of an e-mail server
- Defacing a Web server
- Guessing and cracking passwords
- Copying a database containing credit card numbers
- Viewing sensitive data, including payroll records and medical information, without authorization
- Running a packet sniffer on a workstation to capture usernames and passwords
- Using a permission error on an anonymous FTP server to distribute pirated software and music files
- Dialing into an unsecured modem and gaining internal network access
- Posing as an executive, calling the help desk, resetting the executive's password, and learning the new password
- Using an unattended, logged-in workstation without permission

55 Unauthorized Access Preparation
- Configure IDS to identify and alert on attempts to gain access
- Use centralized, secured logs
- Establish password policies

56 Unauthorized Access Prevention
Use defense in depth
- Network security
  - Firewall settings
  - Identify and secure all remote access methods
  - Use a DMZ
  - Use private IP addresses in internal networks
- Host security
  - Perform vulnerability assessments regularly
  - Disable unneeded services on hosts
  - Use virtualization / run services on different hosts
  - Use the principle of least privilege
  - Use host-based firewalls
  - Limit unauthorized physical access: mandatory screen locking, log-off policy before leaving a workstation
  - Audit permission settings for critical resources: password files, sensitive databases

57 Unauthorized Access Prevention
Use defense in depth
- Authentication and authorization
  - Create and audit a password policy
  - Require stronger authentication for critical resources
  - Develop and use standards (FIPS 140-2)
  - Establish procedures for provisioning and deprovisioning user accounts
- Physical security
  - Implement physical security

58 Unauthorized Access Detection and Analysis
Precursors
- Reconnaissance
- Security bulletin warnings, proof of concept exploits, …
- Reports of social engineering attempts
- Reports of failed physical access attempts

59 Unauthorized Access Detection and Analysis
Root compromise of a host
- Hacker tools on the system
- Unusual traffic to / from the host
- System configuration changes
- Modification of critical files
- Unexplained account usage
- Strange OS / application log messages

60 Unauthorized Access Detection and Analysis
Indications
- Web defacement, FTP warez server, …
- NIDS alerts
- Resource utilization: bandwidth, storage, …
- User reports
- Modifications to critical files
- Unauthorized use of a standard user account
  - Access to critical files
  - Unexplained account usage: idle account used, account in use from multiple locations
  - Large number of locked-out accounts
  - Web proxy logs showing download of hacker tools
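
As an added example (not from the slides), the account-related indications above checked against authentication log lines: an idle account suddenly used, one account active from multiple locations, and a large number of locked-out accounts. The syslog-style lines, the idle-account list and the lockout threshold are all constructed for illustration; a real deployment would draw the idle list from the organization's own account baseline.

```python
import re
from collections import defaultdict

# Constructed syslog-style authentication records; not from a real system.
AUTH_LOG = """\
Mar 03 08:01:10 srv1 sshd[101]: Accepted password for alice from 203.0.113.5 port 5001
Mar 03 08:02:44 srv1 sshd[102]: Accepted password for alice from 198.51.100.77 port 5002
Mar 03 08:03:01 srv1 sshd[103]: Accepted password for svc_backup from 198.51.100.77 port 5003
Mar 03 08:04:00 srv1 sshd[104]: Failed password for bob from 198.51.100.77 port 5004
Mar 03 08:04:05 srv1 auth[105]: account bob locked after repeated failures
Mar 03 08:04:09 srv1 auth[106]: account carol locked after repeated failures
Mar 03 08:04:12 srv1 auth[107]: account dave locked after repeated failures
Mar 03 08:04:15 srv1 auth[108]: account erin locked after repeated failures
Mar 03 08:10:00 srv1 sshd[109]: Accepted password for bob from 203.0.113.5 port 5005
"""
# Hypothetical baseline from the organization: accounts with no login in months.
IDLE_ACCOUNTS = {"svc_backup"}
LOCKOUT_THRESHOLD = 3   # distinct accounts locked in the window before we flag

ACCEPT_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
LOCK_RE = re.compile(r"account (\S+) locked")


def analyze_auth_log(text, idle_accounts=IDLE_ACCOUNTS, lockout_threshold=LOCKOUT_THRESHOLD):
    """Map the slide's account-related indications onto parsed log lines."""
    logins = defaultdict(set)       # account -> source addresses that logged in
    locked = set()
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            logins[m.group(1)].add(m.group(2))
            continue
        m = LOCK_RE.search(line)
        if m:
            locked.add(m.group(1))
    return {
        # an account that has been idle for months suddenly logging in
        "idle_account_used": sorted(a for a in logins if a in idle_accounts),
        # one account active from more than one source address in the window
        "multiple_locations": sorted(a for a, ips in logins.items() if len(ips) > 1),
        # many accounts locked out close together, as password guessing produces
        "mass_lockout": len(locked) >= lockout_threshold,
        "locked_accounts": sorted(locked),
    }


if __name__ == "__main__":
    print(analyze_auth_log(AUTH_LOG))
```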

61 Unauthorized Access Detection and Analysis
Indications
- Physical intruder
  - Reports of physical signs of intrusion
  - User reports of network or system unavailability
  - System restarts, shutdowns
  - Missing hardware
  - Unauthorized hardware
- Unauthorized data access
  - IDS alerts
  - Logs of accesses to critical files

62 Unauthorized Access Containment, Eradication, Recovery
- Response time is critical
- Extensive forensic analysis is typically required
  - Initial analysis in order to determine priority and initial containment measures
  - Further analysis to reconstruct the incident, develop countermeasures, and perform ultimate containment, eradication, recovery
- Need to weigh the costs of caution and inaction

63 Unauthorized Access Containment, Eradication, Recovery
Initial containment elements
- Isolation of the affected system
- Disabling the affected service
- Eliminate the attacker's route
- Disable user accounts used in the attack
- Enhance physical security

64 Unauthorized Access Containment, Eradication, Recovery
Evidence gathering
- Need for a forensic copy of the affected system
  - Other imaging can destroy evidence
- Safeguard log files before they are destroyed
- Use chain of evidence rules to protect physical and image evidence

65 Unauthorized Access Containment, Eradication, Recovery
- Attackers usually install rootkits
  - Safer: reconfigure the system from a known good copy
  - Safest: reconfigure the system from scratch
- Problem: can the data be trusted?

66 Inappropriate Usage Incidents
Examples
- Porn
- Password cracking tool downloads
- Sending spam / e-mail to promote a personal business
- Harassing e-mails
- Use of P2P file / music sharing
- Improper handling of sensitive materials
- Usage of the organization's IT resources to attack other computers

67 Inappropriate Usage Incidents
Preparation
- Establish input from HR, legal department, physical security
- Need for confidentiality
  - Someone else's account is used to download porn
- Need for physical safety of the incident handling team
  - Perpetrator might be mentally unstable or try to avoid apprehension
- Liability issues
- Set up expectations of privacy and monitoring / logging policies
- Configure IDS and logs accordingly

68 Inappropriate Usage Incidents
Prevention
- Few general guidelines
- Have the organization's policies reflected in firewall settings
- Configure e-mail servers
  - To not relay, to prevent spam
  - To use a spam blocker, to also prevent outgoing spam
- Prevent inappropriate data transfer by limiting protocols

69 Inappropriate Usage Incidents
Detection and analysis: see COEN 252
