Incident Response & Computer Forensics, Second Edition


Incident Response & Computer Forensics, Second Edition
Chris Prosise, Kevin Mandia
Ryan J.w.Chen@INSA

Outline
- Introduction to the incident response process
- What is a computer security incident?
- What are the goals of incident response?
- Who is involved in the incident response process?
- Incident response methodology

What is a computer security incident?
Any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Examples:
- Theft of trade secrets
- Email spam or harassment
- Unauthorized or unlawful intrusion into computing systems
- Denial-of-service (DoS) attacks

What are the goals of incident response?
The incident response methodology emphasizes the goals of corporate security professionals with legitimate business concerns, but it also takes into account the concerns of law enforcement officials. Incident response:
- Confirms or dispels whether an incident occurred.
- Establishes controls for proper retrieval and handling of evidence.
- Minimizes disruption to business and network operations.
- Provides accurate reports and useful recommendations.
- Provides rapid detection and containment.
- Educates senior management.

Who is involved in the incident response process?
Incident response is a multifaceted discipline. It demands a myriad of capabilities that usually require resources from several different operational units of an organization. A Computer Security Incident Response Team (CSIRT) is formed to respond to any computer security incident.
Speaker notes: Incident response draws on many disciplines and on resources from several other departments of the company. A CSIRT is not needed all the time, so the company need not hire dedicated CSIRT staff; the team can be made up of specialists from the various departments, who carry out their normal duties day to day and are brought together to resolve the problem when needed.

Incident response methodology
There are seven major components of incident response:
- Pre-incident preparation: prepare the organization's environment and infrastructure, and the CSIRT.
- Detection of incidents: detect possible security incidents.
- Initial response: complete a preliminary analysis, assemble the CSIRT to discuss a solution, and notify the departments concerned by the current event.
- Formulate response strategy: understand all possible causes, plan the best response strategy, and obtain management approval.
- Investigate the incident: analyze the collected data to determine what, when, who, and how.
- Reporting: provide reports that help decision makers settle on a solution.
- Resolution: use security measures and procedural changes to provide a reference for handling future incidents.

Seven components of incident response (flow diagram): Pre-Incident Preparation → Incident Occurs (Point-In-Time or Ongoing) → Detection of Incidents → Initial Response → Formulate Response Strategy → Investigate the Incident (Data Collection → Analysis) → Reporting → Resolution (Recovery, Implement Security Measures).

Pre-incident Preparation (1/2)
Preparing the Organization:
- Implement host-based security measures.
- Implement network-based security measures.
- Train end users.
- Employ an intrusion detection system (IDS).
- Create strong access control.
- Perform timely vulnerability assessments.
- Ensure backups are performed on a regular basis.

Pre-incident Preparation (2/2)
Preparing the CSIRT:
- The hardware needed to investigate computer security incidents.
- The software needed to investigate computer security incidents.
- The documentation needed to investigate computer security incidents.
- The appropriate policies and operating procedures to implement your response strategies.
- The training your staff or employees require to perform incident response in a manner that promotes successful forensics, investigations, and remediation.

Detection of Incidents (1/2)
Example for Company X: a table mapping each indicator to the functional areas that typically observe it (IDS, End User, Help Desk, System Administrator, Security, Human Resources); only the row and column labels survive. Indicators:
- IDS detection of remote attack
- Numerous failed logon attempts
- Logins into dormant or default accounts
- Activity during nonworking hours
- Unfamiliar files or executable programs
- Altered pages on web server
- Gaps in log files or erasure of log files
- Slower system performance
- System crash
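As an added example (not code from the book or from the presentation), three of the slide's indicators are checked over constructed sshd log lines; the failure threshold, the dormant/default account list, the working hours, the year and the log lines are all assumptions:

```python
# Added example (not from the book): check constructed sshd auth-log lines for
# three indicators from the slide. Thresholds, account list and log lines are assumed.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log; the year is assumed to be 2015 (syslog omits it).
SAMPLE_LOG = """\
Mar 20 02:13:01 host1 sshd[911]: Failed password for root from 203.0.113.5 port 4410 ssh2
Mar 20 02:13:03 host1 sshd[911]: Failed password for root from 203.0.113.5 port 4411 ssh2
Mar 20 02:13:05 host1 sshd[911]: Failed password for root from 203.0.113.5 port 4412 ssh2
Mar 20 02:13:07 host1 sshd[911]: Failed password for root from 203.0.113.5 port 4413 ssh2
Mar 20 02:13:12 host1 sshd[912]: Accepted password for guest from 203.0.113.5 port 4415 ssh2
Mar 20 09:30:44 host1 sshd[950]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)")

DORMANT_OR_DEFAULT = {"guest", "test", "admin"}   # assumed account list
WORK_HOURS = range(8, 19)                         # 08:00-18:59, assumed
FAILED_THRESHOLD = 4                              # assumed threshold

def parse(line, year=2015):
    # Parse one sshd line into a dict, or None if it is not a logon event.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def find_indicators(log_text):
    """Return {indicator name: [evidence, ...]} for the indicators checked."""
    hits, failed = defaultdict(list), Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failed[(ev["ip"], ev["user"])] += 1   # count per source and account
            continue
        if ev["user"] in DORMANT_OR_DEFAULT:
            hits["login to dormant or default account"].append(line)
        if ev["ts"].hour not in WORK_HOURS:
            hits["activity during nonworking hours"].append(line)
    for (ip, user), n in failed.items():
        if n >= FAILED_THRESHOLD:
            hits["numerous failed logon attempts"].append(f"{n} failures for {user} from {ip}")
    return dict(hits)
```

Each hit is returned with the raw line (or a failure count) so the evidence can go straight into the incident record described on the next slide.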

Detection of Incidents (2/2)
Some of the critical details include the following:
- Current time and date
- Who/what reported the incident
- Nature of the incident
- When the incident occurred
- Hardware/software involved
- Points of contact for involved personnel

Initial Response
One of the first steps of any investigation is to obtain enough information to determine an appropriate response:
- Assembling the CSIRT
- Collecting network-based and other data
- Determining the type of incident that has occurred
- Assessing the impact of the incident
The initial response does not involve touching the affected system(s).

Formulate response strategy (1/3)
Considering the Totality of Circumstances:
- How many resources are needed to investigate an incident?
- How critical are the affected systems?
- How sensitive is the compromised or stolen information?
- Who are the potential perpetrators?
- What is the apparent skill of the attacker?
- How much system and user downtime is involved?
- What is the overall dollar loss?

Formulate response strategy (2/3)
Considering Appropriate Responses (one row of the slide's table):
- Incident: DoS attack
- Example: TFN DDoS attack
- Response strategy: Reconfigure the router to minimize the effect of the flooding.
- Likely outcome: Effect of the attack mitigated by router countermeasures. Establishing the perpetrator's identity may require too many resources to be a worthwhile investment.

Formulate response strategy (3/3)
Response strategy options should be quantified with pros and cons related to the following:
- Estimated dollar loss
- Network downtime and its impact on operations
- User downtime and its impact on operations
- Whether or not your organization is legally compelled to take certain action
- Public disclosure of the incident and its impact on the organization's reputation/business
Taking action: legal action, administrative action.

Investigate the Incident
The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident. A computer security investigation can be divided into two phases:
- Data collection: gather all the information your incident response process needs in order to resolve the incident.
- Forensic analysis: examine all collected information to establish the who, what, when, where, and how, and relate them to the incident.
Live response: handling a computer system that is still powered on and in use. There are three kinds of live response:
- Initial live response: collect only volatile data.
- In-depth response: collect further data to determine the type of incident.
- Full live response: a complete analysis of the target system.

Possible investigation phase steps
Data Collection:
- Network-based evidence: obtain IDS logs; obtain existing router logs; obtain relevant firewall logs; obtain remote logs from a centralized host (syslog); perform network monitoring; obtain backups.
- Host-based evidence: obtain the volatile data during a live response; obtain the system time; obtain the time/date stamps for every file on the victim system; obtain all relevant files that confirm or dispel the allegation.
- Other evidence: obtain oral testimony from witnesses.
Analysis:
1. Review the volatile data: review the network connections; identify any rogue processes (backdoors, sniffers).
2. Analyze the relevant time/date stamps: identify files uploaded to the system by an attacker; identify files downloaded or taken from the system.
3. Review the log files.
4. Identify unauthorized user accounts.
5. Look for unusual or hidden files.
6. Examine jobs run by the scheduler service.
7. Review the registry.
8. Perform keyword searches.

Performing Forensic Analysis
Flow diagram with two phases, Preparation of Data and Analysis of Data. Steps shown: create a working copy of all evidence media; perform forensic duplication; recover deleted data; recover unallocated space; partition table; file system; perform file signature analysis; identify known system files; create file lists; perform statistical data; review data collected during live response; review all the network-based evidence; search for relevant strings; extract email and attachments; review browser history files; review installed applications; perform software analysis; identify and decrypt encrypted files; perform file-by-file review; perform specialized analysis.

Reporting
The reporting phase provides reports that help decision makers settle on a solution. Some guidelines to ensure that the reporting phase does not become your CSIRT's nemesis:
- Document immediately: record the results of discussions at once, so that new team members can get up to speed early.
- Write concisely and clearly: keep the report as concise and clear as possible and avoid unnecessary speculation.
- Use a standard format: a standard format increases the credibility of the documents and makes them easier to manage.
- Use editors: employ a professional editor so that non-technical readers can understand the report, bearing in mind that the editor may alter the original meaning and cause misunderstanding.

Resolution
In this phase, you contain the problem, solve the problem, and take steps to prevent the problem from occurring again. The security measures and procedural changes made here also provide a reference for handling future incidents. The following steps are often taken to resolve a computer security incident:
- Identify your organization's top priority.
- Determine the nature of the incident.
- Determine if there are underlying or systemic causes for the incident.
- Restore any affected or compromised systems.
- Apply corrections required to address any host-based vulnerabilities.
- Apply network-based countermeasures such as access control lists, firewalls, or IDS.
- Assign responsibility for correcting any systemic issues.
- Track progress on all corrections.
- Validate that all remedial steps or countermeasures are effective.
- Update your security policy and procedures as needed to improve your response process.

Conclusion
The seven components as a flow diagram: Pre-Incident Preparation → Incident Occurs (Point-In-Time or Ongoing) → Detection of Incidents → Initial Response → Formulate Response Strategy → Investigate the Incident (Data Collection → Analysis) → Reporting → Resolution (Recovery, Implement Security Measures).