Presentation is loading. Please wait.

Presentation is loading. Please wait.

Incident Handling COEN 250. Definitions Event – An observable occurrence Adverse Events – Events with negative consequences Computer Security Incident:

Similar presentations


Presentation on theme: "Incident Handling COEN 250. Definitions Event – An observable occurrence Adverse Events – Events with negative consequences Computer Security Incident:"— Presentation transcript:

1 Incident Handling COEN 250

2 Definitions Event – An observable occurrence Adverse Events – Events with negative consequences Computer Security Incident:  traditional security-related adverse event in which there was a loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability  newer a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices

3 Incident Types CIA related incidents:  Confidentiality  Integrity  Availability Other Types  Reconnaissance Attacks  Repudiation Someone takes action and denies it later on.

4 Need for Incident Response All organizations  Systematic response to incidents  Help in recovering quickly and efficiently  Prepare for handling and avoidance of future incidents  Deal properly with legal issues Federal Agencies  Federal Information Security Management Act (FISMA) of 2002 Provide “procedures for detecting, reporting, and responding to security incidents” Establishes centralized Federal information security incident center. Civilian agency  Establish point of contact (POC) with FedCIRC (Federal Computer Incident Reporting Center ) OMB’s Circular No. A-130, Appendix III  Capability to provide help to users when an incident occurs

5 Incident Response Scope Technical:  Incident detection and investigation tools and procedures Management-related  Policy  Formation of incident response capability In-house vs. out-sourced

6 Stake Holders Organization’s ability to fulfill mission  Users  Administrators (Organization’s ISP) Providers  Software vendors  Telecommunications providers Third Party  Clients  Affected external party  Other incident response teams  Owner of attacking address Reporting Agencies  Media  Law Enforcement Agencies  Incident Reporting Agencies

7 Incident Response Policy Typical elements  Statement of management commitment  Purpose and objectives of the policy  Scope of the policy (to whom and what it applies and under what circumstances)  Definition of computer security incidents and their consequences  Organizational structure and delineation of roles, responsibilities, and levels of authority Includes confiscation / disconnection of equipment Monitoring of activity Requirements for reporting  Prioritization or severity ratings of incidents  Performance measures  Reporting and contact forms.

8 Sharing Information with Outside Parties Media  Establish media communications procedures  Designate single Point of Contact (PoC)  Prepare for media interaction Do not reveal sensitive, technical information Appreciate the importance to communicate the public fully and effectively Brief media contacts on issues and sensitivities before discussion with media

9 Sharing Information with Outside Parties Law Enforcement  Which agency? Federal investigatory agencies  FBI  US Secret Service State law enforcement Local law enforcement Office of the Inspector General (OIG) for federal agencies

10 Sharing Information with Outside Parties Law Enforcement  What incidents? Discuss beforehand.  How to report Discuss beforehand.  Collection of evidence What? How?

11 Sharing Information with Outside Parties Incident Reporting Organizations  Federal agencies only to FedCIRC  Information Analysis Infrastructure Protection (IAIP)  CERT® Coordination Center (CERT®/CC).  Information Sharing and Analysis Centers (ISAC)

12 Incident Response Team Structure Team Models  Central Incident Response Team  Distributed Incident Response Teams  Coordinating Team Provides guidance and advice Does not have authority Staffing Models  Employees  Partially outsourced  Fully outsourced

13 Incident Response Team Structure Criteria  In house: Need for 24/7 availability Full time vs. part time team members  Volunteer fire department model Employee morale  Incident response demands on-call responsibilities for most team members Cost Staff Expertise Organizational structure of the organizations

14 Incident Response Team Structure Criteria  Outsourcer Current and Future Quality of Work Division of Responsibilities Sensitive Information Revealed to the Contractor Lack of Organization-Specific Knowledge Lack of Correlation  Outsourcer requires administrative access to systems and to logs Location  Incident response often requires physical presence

15 Incident Response Team Structure Team Development  Budget for training, publications, references  Mentoring program  Rotation between incident response and other duties  Training exercises

16 Incident Response Team Structure Interactions with other groups  Management Support, buy-in  Information security staff  Telecommunications staff Some incidents involve unauthorized access to telephone lines  IT support staff  Legal department  Public affairs / media relations  Human resources  Business continuity planning  Physical security and facilities management

17 Incident Response Team Structure Incident response team services Determine the scope of the incident response team  Incident response  Advisory distribution  Vulnerability assessment  Intrusion detection  Education and awareness  Technology watch  Patch management Usually not recommended

18 Incident Handling Containment, Eradication and Recovery Post-incident activity Detection and Analysis Preparation

19 Incident Handling: Preparation Incident Handler Communications and Facilities  Contact information On-call information for other teams within the organization, including escalation information Incident reporting mechanisms  Pagers or cell phones to be carried by team members for off-hour support, onsite communications  Encryption software  War room for central communication and coordination  Secure storage facility for securing evidence and other sensitive materials

20 Incident Handling: Preparation Incident Analysis Hardware and Software  Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data  Blank portable media  Easily portable printer  Packet sniffers and protocol analyzers  Computer forensic software  Floppies and CDs with trusted versions of programs to be used to gather evidence from systems  Evidence gathering accessories hard-bound notebooks digital cameras audio recorders chain of custody forms evidence storage bags and tags evidence tape

21 Incident Handling: Preparation Incident Analysis Resources  Port lists, including commonly used ports and Trojan horse ports  Documentation for OSs, applications, protocols, and intrusion detection and antivirus signatures  Network diagrams and lists of critical assets, such as Web, , and File Transfer Protocol (FTP) servers  Baselines of expected network, system and application activity  Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents

22 Incident Handling: Preparation Incident Mitigation Software  Media, including OS boot disks and CD- ROMs, OS media, and application media  Security patches from OS and application vendors  Backup images of OS, applications, and data stored on secondary media

23 Incident Handling: Detection and Analysis Incident Categories  Denial of Service  Malicious code  Unauthorized access  Inappropriate usage  Multiple component incidents

24 Incident Handling: Detection and Analysis Signs of an incident  Intrusion detection systems  Antivirus software  Log analyzers  File integrity checking  Third-party monitoring of critical services Incident indications vs. precursors  Precursor is a sign that an incident may occur in the future E.g. scanning  Indication is a sign that an incident is occurring or has occurred

25 Incident Handling: Detection and Analysis Indication of incident is no proof that incident has occurred Number of indications exceedingly high Recommendations  Profile networks and systems  Understand normal behavior  Use centralized logging and create a log retention policy  Perform event correlation Keep hosts synchronized (Network time protocol)  Run packet sniffers

26 Incident Handling: Detection and Analysis Incident documentation  If incident is suspected, start recording facts Incident Prioritization based on  Current and potential technical effects  Criticality of affected resources Incident notification  CIO  Head of information system  Local information security officer  Other incident teams  Other agency departments such as HR, public affairs, legal department

27 Incident Handling: Containment, Eradication, Recovery Containment strategies  Vary based on type of incident  Criteria for choosing strategy include Potential damage / theft of resources Need for evidence information Service availability Resource consumption of strategy Effectiveness of strategy Duration of solution

28 Incident Handling: Containment, Eradication, Recovery Evidence gathering  For incident analysis  For legal proceedings Chain of custody Authentication of evidence

29 Incident Handling: Containment, Eradication, Recovery Attacker identification  Validation of attacker IP address  Scanning attacker’s system  Research attacker through search engines  Using Incident Databases  Monitoring possible attacker communication channels

30 Incident Handling: Containment, Eradication, Recovery Eradication  Deleting malicious code  Disabling breached user accounts Recovery  Restoration of system(s) to normal operations Restoring from clean backups Rebuilding systems from scratch Replacing compromised files Installing patches Changing passwords Tighten perimeter security Strengthen logging

31 Incident Handling: Post-Incident Activity Evidence Retention  Prosecution of attacker  Data retention policies  Cost

32 Denial of Service Incidents DoS prevents authorized used of IT resources  Crashing OS through malformed TCP/IP packets  Crashing an application through malformed requests  Consume available resources Network Memory Disk space

33 Denial of Service Incidents DoS prevents authorized used of IT resources  Crashing OS through malformed TCP/IP packets  Crashing an application through malformed requests  Consume available resources Network Memory Disk space

34 Denial of Service Attacks Reflector attack  Spoof source address  Responder floods system with that source address Double reflector attacks

35 Port 7 is echo – reflection service If DNS server responds echoed packet, a loop is possible

36 Denial of Service Attacks Amplifier attacks

37 Denial of Service Attacks Distributed Denial of Service

38 Denial of Service Attacks Syn Floods

39 Denial of Service Attacks Preparation  Talk with organization’s ISP Filtering / limiting traffic  Coordinated response through CERT / FedCIRC  Intrusion detection software to detect DoS and DDoS  Resource monitoring  Internet health monitoring Monitoring of WWW response times

40 Denial of Service Attacks Incident prevention  Perimeter configuration Block use of services that no longer serve a legitimate purpose Perform ingress and egress filtering  Implement rate limiting  Use host hardening (disable services)  Implement DoS prevention software  Implement redundancy for services

41 Denial of Service Attacks Detection and Analysis  Precursors Reconnaissance activity Newly released DoS tool  Indications

42 Denial of Service Attacks Network-based DoS against a particular host  User reports of system unavailability  Unexplained connection losses  Network intrusion detection alerts  Host intrusion detection alerts (until the host is overwhelmed)  Increased network bandwidth utilization  Large number of connections to a single host  Asymmetric network traffic pattern (large amount of traffic going to the host, little traffic coming from the host)  Firewall and router log entries  Packets with unusual source addresses

43 Denial of Service Attacks Network-based DoS against a network  User reports of system and network unavailability  Unexplained connection losses  Network intrusion detection alerts  Increased network bandwidth utilization  Asymmetric network traffic pattern (large amount of traffic entering the network, little traffic leaving the network)  Firewall and router log entries  Packets with unusual source addresses  Packets with nonexistent destination addresses

44 Denial of Service Attacks DoS against the operating system of a particular host  User reports of system and application unavailability  Network and host intrusion detection alerts  Operating system log entries  Packets with unusual source addresses DoS against an application on a particular host  User reports of application unavailability  Network and host intrusion detection alerts  Application log entries  Packets with unusual source addresses

45 Denial of Service Attacks Containment, Eradication, and Recovery  Correct vulnerability that is being exploited  Implement filtering  Relocate target  Do not Hack Back

46 Denial of Service Attacks Evidence Gathering  Identifying the Source of Attacks From Observed Traffic  Tracing Attacks Back Through ISPs  Learning How the Attacking DDoS Hosts Were Compromised  Reviewing a Large Number of Log Entries

47 Malicious Code Malicious Code Types  Viruses File infectors Boot sector viruses Macro viruses Virus hoaxes  Trojan horses  Worms  Mobile code  Blended Windows shares Web server attacks (Nimda) Web clients (Nimda)

48 Malicious Code Incident Preparation User awareness Subscribe to antivirus vendor bulletins Deploy host-based intrusion detection systems to critical hosts  IDS detects Configuration changes (Registry, …) System executable modifications Black list Trojan horse ports  Ineffective, because There are too many ports Newer trojan horses can be configured for any port

49 Malicious Code Incident Prevention Use of antivirus software Block suspicious attached files Configure clients to act more securely  No preview, no automatic opening, no execution, … Limit the use of non-essential programs with file transfer capabilities  P2P file & music sharing  Instant messaging  IRC clients / servers Educate users on safe handling of attachments Eliminate open windows shares  Infection can quickly spread from one system to many others.  Prevent incoming / outgoing traffic on NetBIOS ports Use web browser setting to limit mobile code

50 Malicious Code Detection Precursors  Alerts for software that the organization uses  Antivirus software quarantines files Indications  Many different categories

51 Malicious Code Containment, Eradication, Recovery Containment  Malicious code is written to spread rapidly  Disconnect non-critical machines from network  Need to identify other hosts: One confirmed incident indicates other infections Perform port scans Use antivirus scanning and cleanup Review , firewall, …, hosts logs Reconfigure network and host IDS Audit processes currently running

52 Malicious Code Containment, Eradication, Recovery Containment  Send unknown malicious code to antivirus vendors  Configure servers and clients to block or shut them down  Block particular hosts or isolate networks from internet

53 Malicious Code Containment, Eradication, Recovery Evidence gathering  Typically pointless since the attack is not targeted Eradication and recovery  Depends on nature of infection: Either use antivirus software to remove malicious code infections Rebuild systems  From scratch  From known good copy  Prevent re-infection

54 Unauthorized Access Examples:  Performing a remote root compromise of an server  Defacing a Web server  Guessing and cracking passwords  Copying a database containing credit card numbers  Viewing sensitive data, including payroll records and medical information, without authorization  Running a packet sniffer on a workstation to capture usernames and passwords  Using a permission error on an anonymous FTP server to distribute pirated software and music files  Dialing into an unsecured modem and gaining internal network access  Posing as an executive, calling the help desk, resetting the executive’s password, and learning the new password  Using an unattended, logged-in workstation without permission.

55 Unauthorized Access Preparation Configure IDS to identify and alert attempts to gain access Use centralized secured logs Establish password policies

56 Unauthorized Access Prevention Use defense in depth  Network security Firewall settings Identify and secure all remote access methods Use a DMZ Use private IP addresses in internal networks  Host Security Perform regularly vulnerability assessments Disable unneeded services on hosts. Use virtualization / run services on different hosts Use principle of least privilege Use host-based firewalls Limit unauthorized physical access:  Mandatory screen locking  Log-off policy before leaving a workstation Audit permission settings for critical resources  Password files  Sensitive databases

57 Unauthorized Access Prevention Use defense in depth  Authentication and Authorization Create and audit a password policy Require stronger authentication for critical resources  Develop and use standards (FIPS 140-2) Establish procedures for provisioning and deprovisioning user accounts  Physical Security Implement physical security

58 Unauthorized Access Detection and Analysis Precursors  Reconnaissance  Security bulletin warnings, proof of concept exploits, …  Reports of social engineering attempts  Reports of failed physical access attempts

59 Unauthorized Access Detection and Analysis Root compromise of a host  Hacker tools on system  Unusual traffic to / from host  System configuration changes  Modification of critical files  Unexplained account usage  Strange OS / application log messages

60 Unauthorized Access Detection and Analysis Indications  Web defacement, FTP warez server, … NIDS alerts Resource utilization: bandwidth, storage, … User reports Modifications to critical files  Unauthorized use of standard user account Access to critical files Unexplained account usage:  Idle account used  Account in use from multiple locations  Large number of locked-out accounts  Web proxy logs showing download of hacker tools

61 Unauthorized Access Detection and Analysis Indications  Physical Intruder Reports of physical signs of intrusion User reports of network or system availability System restarts, shutdowns Missing hardware Unauthorized hardware  Unauthorized data access IDS alerts Logs of accesses to critical files

62 Unauthorized Access Containment, Eradication, Recovery Response time critical  Extensive forensics analysis is typically required Initial analysis in order to determine priority and initial containment measures Further analysis to reconstruct incident, develop countermeasures, and perform ultimate containment, eradication, recovery  Need to weight costs of caution and inaction

63 Unauthorized Access Containment, Eradication, Recovery Initial containment elements  Isolation of affected system  Disabling affected service  Eliminate attacker’s route  Disable user accounts used in attack  Enhance physical security

64 Unauthorized Access Containment, Eradication, Recovery Evidence gathering  Need for a forensic copy of affected system Other imaging can destroy evidence  Safeguard log files before they are destroyed  Use chain of evidence rules to protect physical and image evidence

65 Unauthorized Access Containment, Eradication, Recovery Eradication  Attackers usually install rootkits  Safer: Reconfigure system from known good copy  Safest: Reconfigure system from scratch  Problem: Can data be trusted?

66 Inappropriate Usage Incidents Examples  Porn  Password cracking tool downloads  Send spam / to promote personal business  Harassing s  Use of P2P file / music sharing  Improper handling of sensitive materials  Usage of organization’s IT resources to attack other computers

67 Inappropriate Usage Incidents Preparation  Establish input from HR, legal department, physical security Need for confidentiality  Someone else’s account is used to download porn Need for physical safety of incident handling team  Perpetrator might be mentally unstable or try to avoid apprehension Liability issues  Set up expectations of privacy and monitoring / logging policies  Configure IDS and logs accordingly

68 Inappropriate Usage Incidents Prevention  Few general guidelines  Have organization’s policies be reflected in firewall settings  Configure servers To not relay to prevent SPAM To use a spam blocker to also prevent outgoing SPAM  Prevent inappropriate data transfer by limiting protocols

69 Inappropriate Usage Incidents Detection and Analysis COEN 252


Download ppt "Incident Handling COEN 250. Definitions Event – An observable occurrence Adverse Events – Events with negative consequences Computer Security Incident:"

Similar presentations


Ads by Google