A1927048121 - 21914 - 31 - 2020 - Unit 1 Complete INT 234
03/22/20 2
However, breaking down the procedure into logical steps makes incident
response manageable. In this chapter, we introduce an effective
methodology that will provide your organization with a tested and
successful approach to resolving computer security incidents.
Protects privacy rights established by law and policy
Minimizes disruption to business and network operations
Allows for criminal or civil action against perpetrators
Provides accurate reports and useful recommendations
Provides rapid detection and containment
Minimizes exposure and compromise of proprietary data
Protects your organization’s reputation and assets
Educates senior management
Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, and so on)
There are seven major components of incident response:
Pre-incident preparation: Take actions to prepare the organization and
the data collected to determine what happened, when it happened, who did
it, and how it can be prevented in the future.
Reporting: Accurately report information about the investigation in a
manner useful to decision makers.
Resolution: Employ security measures and procedural changes, record
lessons learned, and develop long-term fixes for any problems identified.
The CSIRT is defined during the pre-incident preparation phase.
Your organization will assemble a team of experts to handle any
incidents that occur. Preparing the CSIRT includes considering at
least the following:
In most organizations, end users may report an incident through one
of three avenues:
Their immediate supervisor,
The corporate helpdesk (or the local Information Technology department
if there is no formal help desk), or
An incident hotline managed by the Information Security entity.
Typically, end users report technical issues to the helpdesk, while
employee-related issues are reported to a supervisor or directly to
the local Human Resources department.
No matter how you detect an incident, it is paramount to record all
of the known details.
We suggest using an initial response checklist to make sure you
record the pertinent facts. The initial response checklist should
account for many details, not all of which will
Just record the known facts. Some of the
critical details include the following:
Current time and date
Who/what reported the incident
Nature of the incident
When the incident occurred
Hardware/software involved
Points of contact for involved personnel
For example, a DoS attack originating from a
university may be handled much differently from
how an equivalent DoS attack originating from a
competitor is handled. Before the response strategy
is chosen, it may become necessary to reinvestigate
the details of the incident.
Your response posture is your capacity to
respond, determined by your technical
resources, political considerations, legal
constraints, and business objectives.
Your response strategy may be significantly
DoS attack
Unauthorized use
Theft of information
Computer intrusion
Do not mistake law enforcement officials for
computer security consultants.
If you notify them solely because you cannot
implement the technical steps to remedy an
incident, it is highly unlikely they will spend
any time and effort to help.
Their job is to investigate an incident, not to
implement or advise on security measures that
would prevent further attacks and damage to
your organization from a recurring incident.
Table 2.2 (page 57) lists possible actions.
Determining the who, what, when, where, how, and
why surrounding an incident.
Reviewing host-based evidence, network-based
evidence, and evidence gathered via traditional,
nontechnical investigative steps.
The key is to determine which things were harmed by
which people.
Establishing the identity of the people behind activity
on a network is increasingly difficult.
Many organizations choose to focus solely on what
was damaged, how it was damaged, and how to fix it.
A computer security investigation can be
divided into two phases:
◦ Data collection: gather all the relevant information
needed to resolve the incident in a manner that
meets your response strategy.
◦ Forensic analysis: examine all the data collected to
determine the who, what, when, where, and how
information relevant to the incident.
Data collection is the accumulation of facts and clues
that should be considered during your forensic
analysis.
Data collection involves several unique forensic
challenges:
You must collect electronic data in a forensically
sound manner.
You are often collecting more data than you can read
in your lifetime (computer storage capacity continues
to grow).
You must handle the data you collect in a manner
that protects its integrity (evidence handling).
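As an added illustration of the evidence-handling point above (example code written for these notes, not from the slides or the textbook), the following Python records a SHA-256 digest when an item is collected and keeps a chain-of-custody log, so that any change to the data between collection and analysis is detected. The incident identifier, handler names and log line are constructed sample values.

```python
"""Evidence handling for the data-collection phase: hash each item when it is
collected and keep a chain-of-custody log so later analysis can prove the
data is unchanged. Added illustration, not code from the slides; the
evidence bytes, incident id and handler names are constructed samples."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass
class CustodyEntry:
    timestamp: str      # UTC, ISO 8601
    handler: str        # who handled the evidence at this step
    action: str         # collected / transferred / verified
    sha256: str         # digest observed at this step


@dataclass
class EvidenceItem:
    incident_id: str    # every item is tied to one incident identifier
    label: str          # e.g. "web01 /var/log/auth.log"
    sha256: str         # digest recorded at collection time
    chain: List[CustodyEntry] = field(default_factory=list)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(incident_id: str, label: str, data: bytes, handler: str) -> EvidenceItem:
    """Record the digest at acquisition and open the custody chain."""
    digest = sha256_hex(data)
    item = EvidenceItem(incident_id, label, digest)
    item.chain.append(CustodyEntry(_now(), handler, "collected", digest))
    return item


def transfer(item: EvidenceItem, data: bytes, from_handler: str, to_handler: str) -> bool:
    """Hand evidence over; the receiving party confirms the digest still matches."""
    digest = sha256_hex(data)
    ok = digest == item.sha256
    action = f"transferred {from_handler}->{to_handler}" + ("" if ok else " (MISMATCH)")
    item.chain.append(CustodyEntry(_now(), to_handler, action, digest))
    return ok


def verify(item: EvidenceItem, data: bytes, handler: str) -> bool:
    """Re-hash before analysis; any change since collection is flagged."""
    digest = sha256_hex(data)
    ok = digest == item.sha256
    item.chain.append(CustodyEntry(_now(), handler, "verified" if ok else "verify FAILED", digest))
    return ok


def custody_report(item: EvidenceItem) -> str:
    lines = [f"Incident {item.incident_id}: {item.label} sha256={item.sha256}"]
    lines += [f"  {e.timestamp} {e.handler:<12} {e.action} {e.sha256[:12]}" for e in item.chain]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: one auth-log line "acquired" from a web server.
    original = b"Mar 22 02:14:07 web01 sshd[812]: Accepted password for svc from 10.0.9.4\n"
    item = collect("IR-2020-0001", "web01 /var/log/auth.log", original, "analyst_a")
    assert transfer(item, original, "analyst_a", "analyst_b")
    assert verify(item, original, "analyst_b")
    # A single altered byte is caught by the pre-analysis check.
    assert not verify(item, original.replace(b"svc", b"bob"), "analyst_b")
    print(custody_report(item))
```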
Reviewing all the data collected.
This includes reviewing log files, system configuration
files, trust relationships, web browser history files, email
messages and their attachments, installed applications,
and graphic files.
software analysis, review time/date stamps, and perform keyword
searches.
Forensic analysis also includes performing more low-level
tasks, such as looking through information that has been
logically deleted from the system to determine if deleted
files, slack space, or free space contain data fragments or
entire files that may be useful to the investigation.
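The timestamp review and keyword search described above, as an added example written for these notes (not code from the slides or the textbook): log lines from two constructed sources, one stamped in UTC-5 and one in UTC, are normalised to UTC, merged into a single timeline, and searched for keywords. The hostnames, addresses and log formats are assumptions.

```python
"""Forensic analysis helper: merge log files from different systems into one
time-ordered timeline and run keyword searches over it. Added illustration,
not code from the slides; every log line below is a constructed sample."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed formats: syslog lines carry no year or zone (the caller supplies
# both); Apache-style access logs carry the zone in the timestamp.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_syslog(line: str, year: int, tz: timezone) -> Optional[Dict]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return {"time": ts.astimezone(timezone.utc), "source": m["host"], "event": m["msg"]}


def parse_access(line: str, host: str) -> Optional[Dict]:
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"time": ts.astimezone(timezone.utc), "source": host,
            "event": f'{m["ip"]} "{m["req"]}" {m["status"]}'}


def build_timeline(events: List[Dict]) -> List[Dict]:
    """Normalising every stamp to UTC and sorting shows cause before effect."""
    return sorted(events, key=lambda e: e["time"])


def keyword_search(timeline: List[Dict], keywords: List[str]) -> List[Dict]:
    """Case-insensitive match of any keyword against the event text."""
    kws = [k.lower() for k in keywords]
    return [e for e in timeline if any(k in e["event"].lower() for k in kws)]


def format_timeline(timeline: List[Dict]) -> List[str]:
    return [f'{e["time"].isoformat()} {e["source"]:<6} {e["event"]}' for e in timeline]


# Constructed samples: a web server logging in UTC-5 and a database host in UTC.
WEB_LINES = [
    '203.0.113.7 - - [22/Mar/2020:02:10:31 -0500] "GET /admin/config.php HTTP/1.1" 200',
    '203.0.113.7 - - [22/Mar/2020:02:11:02 -0500] "POST /upload.php HTTP/1.1" 200',
]
DB_LINES = [
    "Mar 22 07:12:40 db01 mysqld: Access granted for user 'webapp'@'10.0.9.4'",
    "Mar 22 07:13:15 db01 sshd[912]: Accepted publickey for root from 10.0.9.4",
    "garbage line that matches neither format",
]


def sample_timeline() -> List[Dict]:
    """Parse both constructed sources, dropping lines that fail to parse."""
    events = [parse_access(line, "web01") for line in WEB_LINES]
    events += [parse_syslog(line, 2020, timezone.utc) for line in DB_LINES]
    return build_timeline([e for e in events if e is not None])


if __name__ == "__main__":
    for row in format_timeline(sample_timeline()):
        print(row)
    hits = keyword_search(sample_timeline(), ["upload", "root"])
    print(f"{len(hits)} keyword hits")  # 2 on the constructed samples
```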
To create reports that accurately describe the
details of an incident, that are
understandable to decision makers, that can
withstand the barrage of legal scrutiny, and
that are produced in a timely manner.
The incident response process is not ad hoc. Undefined processes or
procedures will leave an organization unable to identify the extent of an
incident or to stop the bleeding quickly enough to limit the damage.
Having an understanding of the incident response process is just the first step
procedures.
The incident response charter
The first step to building this capability is the decision by senior leadership
that the risk to the organization is too significant not to address the
possibility of a security incident. The incident response charter outlines the key
elements that will drive the creation of a Computer Security Incident Response
Team (CSIRT).
The incident response charter should be a written document that addresses the
following:
Obtain senior leadership support: In order to be a viable part of the
organization, the CSIRT requires the support of the senior leadership within the
organization. In a private sector institution, it may be difficult to obtain the
necessary support and funding, as the CSIRT itself does not provide value in the
same way marketing or sales does.
Define the constituency: The constituency clearly defines which organizational
elements and domains the CSIRT has responsibility for. Some organizations
have several divisions or subsidiaries that for whatever reason may not be part
of the CSIRT's responsibility.
Create a mission statement: Mission creep or the gradual expansion of the
CSIRT's responsibilities can occur without clear definition of what the defined
purpose of the CSIRT is. In order to counter this, a clearly defined mission
statement should be included with the written information security plan.
Determine service delivery: Along with a mission statement, a clearly defined
list of services can also counter the risk of mission creep of the CSIRT. Services
are usually divided into two separate categories, proactive and reactive
services:
Proactive services: These include providing training for non-CSIRT staff,
providing summaries on emerging security threats, testing and deployment of
security tools, and assisting security operations with crafting IDS/IPS alerting
rules.
Reactive services: These primarily revolve around responding to incidents as
they occur. For the most part, reactive services address the entire incident
response process. This includes the acquisition and examination of evidence,
assisting in containment, eradication, and recovery efforts, and finally
documenting the incident.
CSIRT core team
The CSIRT core team consists of personnel who have incident response duties
as their full-time job or assume incident response activities when needed. In
many instances, the core team is made up of personnel assigned to the
information security team. The following are some of the roles that can be
incorporated into the core team:
Incident response coordinator: This is a critical component of any CSIRT.
Without clear leadership, the response to a potential incident may be
disorganized, or multiple individuals may vie for control during an incident, a
chaotic situation that can make the incident worse. In many instances, the
incident response coordinator is the chief security officer (CSO), chief
information security officer (CISO), or the information security officer
(ISO), as that individual often has overall responsibility for the security of the
organization's information. Other organizations may name a single individual
who serves as the incident response coordinator.
CSIRT Senior Analyst(s): CSIRT Senior Analysts are personnel with
extensive training and experience in incident response and associated skills such
as digital forensics or network data examination. They often have several years
of experience conducting incident response activities as either a consultant or as
part of an enterprise CSIRT.
CSIRT Analyst(s): The CSIRT Analysts are personnel with CSIRT
responsibilities who have less exposure to or experience in incident response
activities. Oftentimes, they have only one or two years of experience responding
to incidents. As a result, they can perform a variety of activities, some of them
under the direction of senior analysts.
Security operations center analyst: Larger enterprises may have an in-house
or contracted 24/7 Security Operations Centre (SOC) monitoring capability.
Analysts assigned to the SOC will often serve as the point person when it
comes to incident detection and alerting. As a result, having an SOC analyst as
part of the team allows them to be trained on techniques and serve as an
almost immediate response to a potential security incident.
IT Security Engineer / Analyst(s): Depending on the size of the
organization, there may be personnel specifically tasked with the deployment,
maintenance, and monitoring of security-related software such as anti-virus or
hardware such as firewalls or SIEM systems. Having direct access to these
devices is critical when an incident has been identified.
Technical support personnel are those individuals within the organization who
do not have CSIRT activities as part of their day-to-day operations, but rather
have expertise or access to systems and processes that may be affected by an
incident. The following are some of the personnel that can be of assistance to
the CSIRT during an incident:
Network Architect/Administrator: Often, incidents involve the network
infrastructure. This includes attacks on routers, switches, and other network
hardware and software. The Network Architect or Administrator is vital for
insight into the normal and abnormal behaviour of these devices as well as for
identifying anomalous network traffic.
Server Administrator: Threat actors often target systems within the network
where critical or sensitive data is stored. These high-value targets often include
domain controllers, file servers, or database servers. Server Administrators can
aid in acquiring log files from these systems.
Application support: Web applications are a prime target for
threat actors. Flaws in coding that allow for attacks such as SQL
injection or security misconfigurations are responsible for some
security breaches.
Desktop support: Desktop Support personnel are often involved in maintaining
controls such as data loss prevention and anti-virus on desktop systems.
Help Desk: Depending on the organization, help desk personnel are the
proverbial canary in the coal mine when it comes to identifying an incident.
They are often the first individuals contacted when a user experiences the first
signs of a malware infection or other malicious activity.
Legal: Data breaches and other incidents carry a variety of legal issues along
with them. Many countries now have breach notification laws where
organizations are required to notify customers that their information was put at
risk.
Human resources: A good deal of incidents that occur in organizations are
perpetrated by employees or contractors. The investigation of actions such as
fraud all the way to massive data theft may have to be investigated by the C
Marketing/communications: If external clients or customers may be adversely
impacted by an incident such as a Denial of Service attack or data breach, the
marketing or communications department can assist in crafting the appropriate
message to assuage fears and ensure that those external entities are receiving the
best information possible.
Facilities: The CSIRT may need access to areas after hours or for a prolonged
time. The facilities department can assist the CSIRT in obtaining the necessary
access in a timely manner.
Corporate security: The CSIRT may be called in to deal with the theft of
network resources or other technology from the organization. Laptop and digital
media theft is very common. Corporate security will often have access to
surveillance footage from entrances and exits.
External resources
Many industries have professional organizations where practitioners, regardless
of their employer, can come together to share information. CSIRT personnel
may also be tasked with interfacing with law enforcement and government
agencies at times, especially if they are targeted as part of a larger attack
perpetrated against a number of similar organizations.
High Technology Crime Investigation Association (HTCIA): The HTCIA is
an international group of professionals and students with a focus on high-tech
crime.
Infragard: For those CSIRT and information security practitioners in the United
States, the Federal Bureau of Investigation has created a private-public
partnership geared toward networking and information sharing.
Law enforcement: Law enforcement has seen an explosive growth in
cyber-related criminal activity. In response, a great many law enforcement
organizations have increased their capacity to investigate cybercrime. CSIRT
leadership should cultivate a relationship with agencies that have cybercrime
investigative capabilities.
Vendors: External vendors can be leveraged in the event of an incident and
what they can provide is often dependent on the specific line of business the
organization has engaged them in. For example, an organization's IPS/IDS
solution provider could assist with crafting custom alerting and blocking rules to
assist in the detection and containment of malicious activity.
Expanded services catalog: The initial incident response charter had general
service categories with no real detail. The incident response plan should include
specific details of what services the CSIRT will be offering. For example, if
forensic services are listed as part of the service offering, the incident response
plan may state that forensic services include the evidence recovery from hard
drives, memory forensics, and reverse engineering potentially malicious code in
support of an incident.
CSIRT personnel: As was outlined before, there are a great many individuals
who comprise the CSIRT. The incident response plan will clearly define these
roles and responsibilities. Organizations should expand out from just a name and
title and define exactly the roles and responsibilities of each individual.
Contact list: An up-to-date contact list should be part of the Incident Response
Plan. Depending on the organization, the CSIRT may have to respond to an
incident 24 hours a day. In this case, the Incident Response Plan should have
primary and secondary contact information.
Internal communication plan: Incidents can produce a good deal of chaos as
personnel attempt to ascertain what is happening, what resources they need, and
who to engage to address the incident.
Incident classification
Not all incidents are equal in their severity and threat to the organization. For
example, a virus that infects several computers in a support area of the
organization will dictate a different level of response than an active compromise
of a critical server.
High-level incident: A high-level incident is an incident that is expected to
cause significant damage, corruption, or loss of critical and/or strategic company
or customer information. A high-level incident may involve widespread or
extended loss of system or network resources. The event can have potential
damage and liability to the organization and to the corporate public image.
Examples of high-level incidents include, but are not limited to, the following:
Network intrusion
Physical compromise of information systems
Compromise of critical information
Loss of computer system or removable media containing unencrypted confidential information
Widespread and growing malware infection (more than 25% of hosts)
Targeted attacks against the IT infrastructure
Phishing attacks using the organization's domain and branding
Moderate-level incident: A moderate-level incident is an incident that may
cause damage, corruption, or loss of replaceable information without
compromise (there has been no misuse of sensitive customer information). A
moderate-level event may involve significant disruption to a system or network
resource. It also may have an impact to the mission of a business unit within the
corporation:
Anticipated or ongoing Denial of Service attack
Loss of computer system or removable media containing unencrypted confidential information
Misuse or abuse of authorized access
Automated intrusion
Confined malware infection
Unusual system performance or behavior
Installation of malicious software
Suspicious changes or computer activity
Playbooks can be configured in a number of ways. For example, a written document can
be added to the Incident Response Plan for specific types of incidents. Other times,
organizations can use a flow diagram utilizing software such as iStudio or Visio.
Depending on how the organization chooses to document the playbook, they should
create 10-20 that address the range of potential incidents.
Low-level incident: A low-level incident is an incident that causes
inconvenience and/or unintentional damage or loss of recoverable information.
The incident will have little impact to the corporation:
Policy or procedural violations detected through compliance reviews or log
reviews
Lost or stolen laptop or other mobile equipment containing encrypted
confidential information
Installation of unauthorized software
Malware infection of a single PC
Incident tracking: Tracking incidents is a critical responsibility of the
CSIRT. All actions taken by the CSIRT and other personnel during an incident
should be noted. These actions should be recorded under a unique incident
identifier.
Training: The incident response plan should also indicate the frequency of
training for CSIRT personnel. At a minimum, the entire CSIRT should be put
through a tabletop exercise at least annually. In the event that an incident
postmortem analysis indicates a gap in training, that should also be addressed
within a reasonable time after conclusion of the incident.
Maintenance: Organizations of every size continually change. This can
include changes to infrastructure, threats, and personnel. The incident
response plan should address the frequency of reviews and updates to the
incident response plan. For example, if the organization acquires another
organization, the CSIRT may have to adjust service offerings or incorporate
specific individuals and their roles.
A critical component of the incident response plan is the escalation procedures.
Escalation procedures outline who is responsible for moving an event or
series of events from mere anomalies in the information system to an incident.
The escalation procedures ensure that the CSIRT is effectively utilized and that
personnel are only contacted if their particular expertise is required. The
procedures start with the parties who are most likely to observe anomalies or
events in the system that may be indicative of a larger incident. For example,
the help desk may receive a number of calls that indicate a potential malware
infection. The escalation procedures may indicate that if malware is detected
and cannot be removed via malware prevention controls, they are to contact the
CSIRT member on call.
The server administrator identifies two logins, one on a database server and
another on a web server in the DMZ. The CSIRT analyst then directs the
network administrator assigned to the CSIRT to examine network traffic
between the SQL database and the web server.
After examining the network traffic, it is determined that an external threat actor
has compromised both systems and is in the process of exfiltrating the customer
database from the internal network.
The escalation procedures are created to ensure that the appropriate individuals
have the proper authority and training to call upon resources when needed. The
escalation procedures should also address the involvement of other personnel
outside the core CSIRT members based on the severity of the incident.
Regardless of the makeup of the team, another key component of CSIRT
deployment is the inclusion of regular training. For CSIRT core members,
specific training on emerging threats, forensic techniques, and tools should be
ongoing. This can be facilitated through third-party training providers or, if
available, in-house training. The technical support members of the CSIRT
should receive regular training on techniques and tools available.
One final component to the ongoing maintenance of the incident response plan
is a complete annual review. This annual review is conducted to ensure that any
changes in personnel, constituency, or mission that may impact other
components of the plan are addressed. In addition to a review of the plan, a
complete review of the playbooks is conducted as well. As threats change, it
may be necessary to change existing playbooks or add new ones.