1 Developing and Implementing a CIRT Team Nanette S. Poulios, CISSP, CISM Senior Training Consultant Easy i.

2 Today’s Agenda
Why does anyone need a CIRT?
How do you create a CIRT?
What do you need to manage and train a CIRT?
Impediments to a successful CIRT
Case Studies

3 Why Does Anyone Need a CIRT?

4 Incidents on the Rise
Number of incidents reported to CERT/CC increased: 21,756 in ,658 in , ,529 in 2003

5 Legal and Regulatory CIRT Requirements
HIPAA 45 C.F.R. Part (a)(6)
FTC Safeguards Rule C.F.R (b)(3): “Detecting, preventing and responding to attacks, intrusions, or other systems failures”
OCC Safety and Soundness Standards C.F.R. Part 30 Appendix B III (c)(g): “Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies”

6 Legal and Regulatory CIRT Requirements (2)
GLB Act
Sarbanes-Oxley
Basel Principle 14: “To ensure effective response to unforeseen incidents, banks should develop: Incident response plans to address recovery of e-banking systems and services under various scenarios, businesses and geographic locations. Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the bank. E-banking systems that are outsourced to third-party service providers should be an integral part of these plans”

7 Best Practices CIRT Requirements
ISO Reporting security incidents: “Security incidents should be reported through appropriate management channels as quickly as possible. A formal reporting procedure should be established, together with an incident response procedure, setting out the action to be taken on receipt of an incident report.”

8 Best Practices CIRT Requirements (2)
Incident management procedures: “Incident management responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents (see also 6.3.1). The following controls should be considered.
a) Procedures should be established to cover all potential types of security incident, including:
  1) information system failures and loss of service;
  2) denial of service;
  3) errors resulting from incomplete or inaccurate business data;
  4) breaches of confidentiality.”

9 Best Practices CIRT Requirements (3)
“The Federal Information Security Management Act (FISMA) of 2002 requires Federal agencies to establish incident response capabilities.” *
Requires the agency to:
  Select a team
  Staff the team
  Train the team
* NIST Computer Security Incident Handling Guide, SP800-61

10 Best Practices CIRT Requirements (4)
OMB Circular No. A-130, Appendix III: “ensure that there is a capability to provide help to users when a security incident occurs in the system”

11 Business Practices Requiring a CIRT
Fiduciary Responsibility
Liability Avoidance
Survivability

12 Security Event Definition
Not just attacks
May include any negative or unexpected behavior:
  System crashes
  Policy violations
Examples:
  Denial of Service
  Malicious Code
  Unauthorized access
  Inappropriate usage

13 How Do You Create a CIRT?

14 Authority
Corporate/Agency policy must provide for CIRT creation
Board of Directors approval is recommended
Top-level management supports the CIRT and releases a formal statement
CIRT reports to upper-level management, not IT

15 Mission of the CIRT
Provides clear understanding of goals and objectives
Communicates these goals and objectives to others
Prevents misunderstandings in a crisis situation
Optional purpose statement to gain support

16 Sample Mission Statement
“The objective of the CIRT is to investigate apparent intrusion attempts and report their findings in a timely manner to executive management. The CIRT provides a centralized approach to managing computer security incidents so that current incidents can be controlled as quickly as possible to avoid serious damage to XXX systems and future incidents can be prevented. Additionally, the CIRT will provide increased security awareness so that XXX’s computer systems will be better prepared and protected in the future.”

17 Responsibilities of CIRT
Vary by organizational needs
Proactive examples:
  Awareness programs
  Technical publications
  Advisories
  Vulnerability and Penetration testing
Reactive:
  Incident Response
  Malicious Code analysis
  Liaison with law enforcement
  Incident Post-mortem and Reporting

18 Operating Policies and Procedures
CIRT should be governed by organizational and regulatory policies
  Approved by management
CIRT should follow a standard operating procedure
  Provide complete and concise documentation
  Review periodically for updates
  Revise after post-mortem review

19 Team Composition
Core Members
  Determine if the incident warrants further investigation
  Categorize the security incident
  Add support members to the investigation if necessary
Support Members
  Provide needed technical expertise as required
  Member of the team for the duration of the incident

20 Core Members
IT Audit
IT Security
Corporate Security
Legal

21 IT Audit Member Role
Ensure that best practices are followed
Ensure the auditability of the investigation process
Ensure that chain of custody procedures are followed correctly
Maintain accountability for all evidence collected during the investigation
Document the investigation

22 IT Security Member Role
Inform all other users that are affected by the security incident of the necessary actions to control the incident
Perform appropriate backtracing, forensic analysis and other technical tasks required by the investigation
Provide an analysis of the incident, including root causes
Compile the final report and recommendations of the CIRT
Be available as an expert witness

23 Corporate Security Member Role
Provide a liaison with law enforcement
Ensure that investigative best practices are followed
Contain the incident locale as appropriate
Manage the interview process for witnesses and suspects

24 Legal Member Role
Brief other core and support members on privacy, 4th Amendment, search and seizure and wiretap issues
Ensure that suspects’ rights are protected appropriately
Act as spokesperson with the media
Review any press releases before they are released to the media
Review any management reports
Act as liaison with outside legal counsel

25 Support Members
Platform Specialist
Financial Auditor
Fraud Examiner
Personnel
Public Information Officer/Public Relations

26 Platform Specialist Support Role
Review audit logs and report any unusual or suspect activities
Report any unusual behaviors of the critical systems
Be prepared to brief the CIRT on operations procedure
Protect evidence of the incident according to organizational guidelines and instructions of the core team

27 Platform Specialist Support Role (2)
Assess and report damage to system and/or data to the CIRT
Aid in determining the scope of the intrusion
Aid in identifying the point of access or the source of the intrusion
Make recommendations to close the source or point of access of the intrusion

28 Financial Auditor Support Role
Be prepared to brief the team on financial procedures
Be prepared to conduct a financial audit if the core team deems it necessary for investigative reasons
Report findings to the CIRT
Follow investigative procedures as determined by the CIRT

29 Fraud Examiner Support Role
Aid the core members of the CIRT in discovery and recognition of fraud
Follow guidelines for lawful search
Follow organizational and legal privacy policies/requirements
Aid in identifying objects and materials used to commit suspected fraud

30 Fraud Examiner Support Role (2)
Preserve, using CIRT guidelines, any evidence collected until transported to the CIRT
Transport evidence to the CIRT for safekeeping until resolution of the investigation
Report findings to the CIRT

31 Personnel Support Role
Advise the core members on personnel policies and procedures
Make recommendations for handling sensitive employee information

32 Public Information Officer Support Member
Act as a single point of contact for the media
Obtain legal advice before any interview or press release is given to the media
Obtain approval from the CIRT that any interview or press release will not interfere with the investigation
Inform all other affected users to refer any media inquiries to the Public Information Officer

33 What do you need to manage a CIRT?

34 Team Leadership
Management will appoint a team leader from the Core membership of the team
Duties will include:
  Convene the CIRT
  Contact the Chief Information Officer (or other designated Officer)
  Conduct meetings of the CIRT
  Periodically report status of investigations to the CIO
  Manage investigations

35 Team Leadership (2)
Duties continued:
  Take responsibility for verifying chain of custody of evidence
  Coordinate team activities
  Appoint support members as required for particular investigations
  Present findings to management
  Monitor the investigation
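Slides 21 and 35 make IT Audit responsible for following chain-of-custody procedures and the team leader responsible for verifying them. As an added example that is not part of the presentation, this hypothetical Python ledger shows one way to make that verifiable: fingerprint each evidence item at acquisition and re-hash it at every hand-off, so an altered copy is attributable to a specific handler. The class and function names and the sample log excerpt are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence as it exists at this point in the chain."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyRecord:
    handler: str    # who took custody, e.g. "IT Audit" or "Fraud Examiner"
    action: str     # "acquired" or "transferred"
    sha256: str     # fingerprint observed at this hand-off
    timestamp: str  # ISO 8601 string supplied by the caller

@dataclass
class EvidenceItem:
    item_id: str
    original_sha256: str                       # hash taken at acquisition
    chain: list = field(default_factory=list)  # ordered CustodyRecords

class EvidenceLedger:
    """Hypothetical ledger: one EvidenceItem per collected artifact."""

    def __init__(self) -> None:
        self.items: dict = {}

    def acquire(self, item_id, data, handler, timestamp) -> str:
        digest = fingerprint(data)
        item = EvidenceItem(item_id, digest)
        item.chain.append(CustodyRecord(handler, "acquired", digest, timestamp))
        self.items[item_id] = item
        return digest

    def transfer(self, item_id, data, to_handler, timestamp) -> bool:
        """Record a hand-off; the receiver re-hashes the copy they were given."""
        item = self.items[item_id]
        digest = fingerprint(data)
        item.chain.append(CustodyRecord(to_handler, "transferred", digest, timestamp))
        return digest == item.original_sha256   # False: content changed in transit

    def verify(self, item_id) -> tuple:
        """Team-leader check: returns (intact, handlers whose copy did not match)."""
        item = self.items[item_id]
        bad = [r.handler for r in item.chain if r.sha256 != item.original_sha256]
        return (not bad, bad)

def demo() -> tuple:
    """Constructed scenario: Platform Specialist -> IT Audit -> Fraud Examiner,
    with the last copy altered in transit."""
    log = b"constructed log excerpt: unexpected service restart at 03:14\n"
    ledger = EvidenceLedger()
    ledger.acquire("EV-001", log, "Platform Specialist", "2004-01-25T04:00:00Z")
    ok_audit = ledger.transfer("EV-001", log, "IT Audit", "2004-01-25T05:00:00Z")
    ok_fraud = ledger.transfer("EV-001", log + b"x", "Fraud Examiner", "2004-01-25T06:00:00Z")
    return ok_audit, ok_fraud, ledger.verify("EV-001")
```

In the scenario, the IT Audit hand-off verifies cleanly while the altered copy received by the Fraud Examiner fails, and verify() names that handler.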

36 CIRT Team Responsibilities
The CIRT is an investigative body only. It does not make policy or take action following an investigation.
The CIRT is a completely independent body. It receives its direction from the Chief Information Officer, but is accountable directly to the General Manager or the General Manager’s appointee.

37 CIRT Team Responsibilities (2)
Determining if an event constitutes an investigative security incident
Conducting an appropriate investigation to determine the root cause, source, nature, extent of damage and recommended response to a computer security incident
Preserving evidence of the incident
Interviewing witnesses and suspects

38 CIRT Team Responsibilities (3)
Providing appropriate liaison with law enforcement and outside legal counsel
Managing the release of information to the media
Managing interaction between Human Resources and witnesses, suspects, organized labor and other appropriate interested parties
Preparing a report of findings, root causes, lessons learned and recommended actions for management review

39 CIRT Team Responsibilities (4)
Carrying out the directions of management communicated through the Chief Information Officer
Containing the incident scene to prevent contamination of evidence

40 Core Team Training Requirements
Legal: 4th Amendment, privacy, and lawful search issues
Organizational policies and procedures
Investigative process
Storing and transporting evidence according to legal guidelines
Vendor training on all current detection and investigative tools

41 Core Team Training Requirements (2)
Collecting, preserving and analyzing evidence of a computer security incident
Procedures for coordinating with outside organizations such as CERT, FIRST and law enforcement

42 Support Team Training Requirements
Legal: 4th Amendment, privacy, and lawful search issues
Review organizational policies and procedures
Investigative process
Storing and transporting evidence according to legal guidelines
Technical training on all platforms, operating systems and applications that the member is responsible for, including new technologies

43 Continuous Training Requirements
Updates in tools used in their investigations
Updates in investigative and forensic techniques
Updates in appropriate technologies
Updates and changes in laws, regulations and internal policies that affect investigations
Periodic simulation drills

44 Impediments to a Successful CIRT

45 Impediments to a Successful CIRT
Lack of management support
Lack of procedures and policy
Lack of access to evidence due to outsourcing
Lack of event readiness within the organization
Lack of qualified personnel
Lack of training

46 Case Studies

47 Case Studies
Superbowl Slammer Incident
Watchful Team Incident
Blackout Incident

49 Resources
nts/98.reports/pdf/98hb001.pdf
_reporting.html
1.pdf
ubs/800-61/sp pdf
Investigating Computer-Related Crime, CRC Press, by Peter Stephenson

50 Contact Information
Nanette S. Poulios, CISSP, CISM
Senior Training Consultant, Easy I