Incident Response and Digital Forensics – Denver Chapter of ISACA.
Incidence Response & Computer Forensics, Second Edition
Transcript of Incidence Response & Computer Forensics, Second Edition
Ryan J.w.Chen@INSA 1
Incidence Response & Computer Forensics, Second Edition
Chris Prosise, Kevin Mandia
Outline
Introduction to the Incident Response Process
What is a computer security incident?
What are the goals of incident response?
Who is involved in the incident response process?
Incident response methodology
What is a computer security incident?
Computer security incident: any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Examples:
Theft of trade secrets.
Email spam or harassment.
Unauthorized or unlawful intrusion into computing systems.
Denial-of-service (DoS) attacks.
What are the goals of incident response?
The incident response methodology emphasizes the goals of corporate security professionals with legitimate business concerns, but it also takes into account the concerns of law enforcement officials. Incident response:
Confirms or dispels whether an incident occurred.
Establishes controls for proper retrieval and handling of evidence.
Minimizes disruption to business and network operations.
Provides accurate reports and useful recommendations.
Provides rapid detection and containment.
Educates senior management.
Who is involved in the incident response process?
Incident response is a multifaceted discipline. It demands a myriad of capabilities that usually require resources from several different operational units of an organization. A Computer Security Incident Response Team (CSIRT) is formed to respond to any computer security incident.
Incident response methodology
There are seven major components of incident response:
Pre-incident preparation
Detection of incidents
Initial response
Formulate response strategy
Investigate the incident
Reporting
Resolution
Seven components of incident response
(Figure: the seven components as a flow. Pre-Incident Preparation; Incident Occurs: Point-In-Time or Ongoing; Detection of Incidents; Initial Response; Formulate Response Strategy; Investigate the Incident, with Data Collection and Data Analysis; Reporting; Resolution, with Recovery and Implement Security Measures.)
Pre-incident Preparation (1/2)
Preparing the Organization:
Implement host-based security measures.
Implement network-based security measures.
Train end users.
Employ an intrusion detection system (IDS).
Create strong access controls.
Perform timely vulnerability assessments.
Ensure backups are performed on a regular basis.
Pre-incident Preparation (2/2)
Preparing the CSIRT:
The hardware needed to investigate computer security incidents.
The software needed to investigate computer security incidents.
The documentation needed to investigate computer security incidents.
The appropriate policies and operating procedures to implement your response strategies.
The training your staff or employees require to perform incident response in a manner that promotes successful forensics, investigations, and remediation.
Detection of Incidents (1/2)
(Figure: sources that report incidents at Company X: IDS, End User, Help Desk, System Administrator, Security, Human Resources, and other Functional Areas.)
Indicators:
IDS detection of remote attack
Numerous failed logon attempts
Logins into dormant or default accounts
Activity during nonworking hours
Unfamiliar files or executable programs
Altered pages on web server
Gaps in log files or erasure of log files
Slower system performance
System crash
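Three of the indicators above (numerous failed logon attempts, logins into dormant or default accounts, activity during nonworking hours) expressed as detection logic over log lines. This is an added example, not from the slides or the book; the log format, the watchlist of accounts, the failure threshold and the working-hours window are all assumptions.

```python
from collections import Counter
from datetime import datetime
# Constructed sample logon log (not from the slides): "<date> <time> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2004-03-02 09:05:11 LOGIN_OK user=alice src=10.1.1.20
2004-03-02 09:06:02 LOGIN_FAILED user=bob src=10.1.1.21
2004-03-02 22:41:10 LOGIN_FAILED user=admin src=203.0.113.9
2004-03-02 22:41:12 LOGIN_FAILED user=admin src=203.0.113.9
2004-03-02 22:41:15 LOGIN_FAILED user=admin src=203.0.113.9
2004-03-02 22:41:19 LOGIN_FAILED user=admin src=203.0.113.9
2004-03-02 22:41:25 LOGIN_FAILED user=admin src=203.0.113.9
2004-03-02 22:42:03 LOGIN_OK user=guest src=203.0.113.9
2004-03-03 03:15:40 LOGIN_OK user=guest src=203.0.113.9
"""
# Tunables a CSIRT would set for its own environment (assumed values).
WATCHLIST_ACCOUNTS = {"guest", "test", "svc_backup"}  # dormant or default accounts
FAILED_THRESHOLD = 5        # failures per (user, source) that count as "numerous"
WORK_HOURS = range(8, 19)   # 08:00-18:59 is normal working time

def parse_line(line):
    date, time, event, user, src = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "event": event,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }

def find_indicators(log_text):
    """Return (indicator, detail) pairs for three of the slide's indicators."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    # Numerous failed logon attempts, counted per user and source address.
    failures = Counter((e["user"], e["src"]) for e in events if e["event"] == "LOGIN_FAILED")
    for (user, src), n in failures.items():
        if n >= FAILED_THRESHOLD:
            hits.append(("numerous_failed_logons", f"{n} failures for {user} from {src}"))
    for e in [x for x in events if x["event"] == "LOGIN_OK"]:
        where = f"{e['user']} from {e['src']} at {e['ts']:%Y-%m-%d %H:%M}"
        # Logins into dormant or default accounts.
        if e["user"] in WATCHLIST_ACCOUNTS:
            hits.append(("dormant_or_default_account_login", where))
        # Activity during nonworking hours (successful logins only, to keep the noise down).
        if e["ts"].hour not in WORK_HOURS:
            hits.append(("activity_outside_working_hours", where))
    return hits

def indicator_counts(log_text=SAMPLE_LOG):
    return Counter(kind for kind, _ in find_indicators(log_text))
```

Each hit is a lead for the CSIRT to record with the details the next slide lists (time, who reported it, nature of the incident), not a confirmed incident on its own.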
Detection of Incidents (2/2)
Some of the critical details include the following:
Current time and date
Who/what reported the incident
Nature of the incident
When the incident occurred
Hardware/software involved
Points of contact for involved personnel
Initial Response
One of the first steps of any investigation is to obtain enough information to determine an appropriate response. This involves:
Assembling the CSIRT
Collecting network-based and other data
Determining the type of incident that has occurred
Assessing the impact of the incident
Initial Response will not involve touching the affected system(s).
Formulate response strategy (1/3)
Considering the Totality of Circumstances:
How many resources are needed to investigate an incident?
How critical are the affected systems?
How sensitive is the compromised or stolen information?
Who are the potential perpetrators?
What is the apparent skill of the attacker?
How much system and user downtime is involved?
What is the overall dollar loss?
Formulate response strategy (2/3)
Considering Appropriate Responses (example row from the slide's table):
Incident: DoS attack
Example: TFN DDoS attack
Response Strategy: Reconfigure router to minimize effect of the flooding.
Likely Outcome: Effect of attack mitigated by router countermeasures. Establishment of perpetrator's identity may require too many resources to be a worthwhile investment.
Formulate response strategy (3/3)
Response strategy options should be quantified with pros and cons related to the following:
Estimated dollar loss.
Network downtime and its impact to operations.
User downtime and its impact to operations.
Whether or not your organization is legally compelled to take certain action.
Public disclosure of the incident and its impact to the organization's reputation/business.
Taking Action:
Legal Action
Administrative Action
Investigate the Incident
The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident.
A computer security investigation can be divided into two phases:
Data Collection
Forensic Analysis
Possible investigation phase steps
Data Collection:
Network-Based Evidence: Obtain IDS logs. Obtain existing router logs. Obtain relevant firewall logs. Obtain remote logs from a centralized host (SYSLOG). Perform network monitoring. Obtain backups.
Host-Based Evidence: Obtain the volatile data during a live response. Obtain the system time. Obtain the time/date stamps for every file on the victim system. Obtain all relevant files that confirm or dispel the allegation. Obtain backups.
Other Evidence: Obtain oral testimony from witnesses.
Analysis:
1. Review the volatile data: review the network connections; identify any rogue processes (backdoors, sniffers).
2. Analyze the relevant time/date stamps: identify files uploaded to the system by an attacker; identify files downloaded or taken from the system.
3. Review the log files.
4. Identify unauthorized user accounts.
5. Look for unusual or hidden files.
6. Examine jobs run by the Scheduler service.
7. Review the Registry.
8. Perform keyword searches.
Performing Forensic Analysis
(Figure: forensic analysis steps, grouped on the slide into Preparation of Data and Analysis of Data. Steps shown: Perform Forensic Duplication; Create a Working Copy of all Evidence Media; Create File Lists; Perform Statistical Data (Partition Table, File System); Extract Email and Attachments; Recover Deleted Data; Perform File Signature Analysis; Recover Unallocated Space; Identify Known System Files; Review Browser History Files; Review Data Collected During Live Response; Search for Relevant Strings; Perform Software Analysis; Review all the Network-Based Evidence; Identify and Decrypt Encrypted Files; Perform File-by-File Review; Review Installed Applications; Perform Specialized Analysis.)
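Two of the figure's steps, "Identify Known System Files" and "Perform File Signature Analysis", shown as working code on a working copy of the evidence. This is an added example, not from the slides or the book; the file contents, the known-good hash set and the verdict labels are constructed for illustration.

```python
import hashlib
# Well-known magic bytes and the extension a file starting with them should carry.
SIGNATURES = {
    b"MZ": "exe",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
EXT_ALIASES = {"jpeg": "jpg", "dll": "exe"}  # extensions that share a signature

def detect_type(data):
    """Return the type implied by the leading bytes, or None if no signature matches."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def triage(files, known_good):
    """files: {name: bytes}; known_good: SHA-256 digests of known system files. Verdicts:
    'known-system-file' (set aside), 'extension-mismatch:<type>' (content contradicts name), 'review'."""
    verdicts = {}
    for name, data in files.items():
        if sha256_hex(data) in known_good:   # identify known system files first
            verdicts[name] = "known-system-file"
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ext = EXT_ALIASES.get(ext, ext)
        actual = detect_type(data)            # file signature analysis
        if actual is not None and actual != ext:
            verdicts[name] = f"extension-mismatch:{actual}"
        else:
            verdicts[name] = "review"
    return verdicts

# Constructed evidence (not real files): a "known" system binary, an executable renamed
# to look like a photo, a genuine PNG header, and a text file with no signature to compare.
SYSTEM_BINARY = b"MZ\x90\x00" + b"\x00" * 28 + b"known system binary body"
SAMPLE_FILES = {
    "notepad.exe": SYSTEM_BINARY,
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 28 + b"renamed executable body",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "readme.txt": b"plain text, no signature to compare",
}
KNOWN_GOOD = {sha256_hex(SYSTEM_BINARY)}  # stands in for a known-file hash set such as NSRL

def run_triage():
    return triage(SAMPLE_FILES, KNOWN_GOOD)
```

The mismatch verdict only says that the name and the content disagree; the file still goes into the File-by-File Review step before anything is concluded about it.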
Reporting
Some guidelines to ensure that the reporting phase does not become your CSIRT's nemesis:
Document immediately
Write concisely and clearly
Use a standard format
Use editors
Resolution
In this phase, you contain the problem, solve the problem, and take steps to prevent the problem from occurring again.
The following steps are often taken to resolve a computer security incident:
Identify your organization's top priority.
Determine the nature of the incident.
Determine if there are underlying or systemic causes for the incident.
Restore any affected or compromised system.
Apply corrections required to address any host-based vulnerabilities.
Apply network-based countermeasures such as access control lists, firewalls, or IDS.
Assign responsibility for correcting any systemic issue.
Track progress on all corrections.
Validate that all remedial steps or countermeasures are effective.
Update your security policy and procedures as needed to improve your response process.
Conclusion
(Figure, repeated from the methodology slide: Pre-Incident Preparation; Incident Occurs: Point-In-Time or Ongoing; Detection of Incidents; Initial Response; Formulate Response Strategy; Investigate the Incident, with Data Collection and Data Analysis; Reporting; Resolution, with Recovery and Implement Security Measures.)