Lesson 12 Preparing for Incident Response and the Investigative Process.
Lesson 12: Preparing for Incident Response and the Investigative Process
UTSA IS 6973 Incident Response
Overview
• Preparing for Incident Response
• Investigative Guidelines
Ranum on Forensics
• “The real value of intrusion detection is diagnosing what is going on…never collect more data than you could conceivably want to look at. If you don’t know what to do with the data, it doesn’t matter how much you’ve got.”
Marcus Ranum
Network Flight Recorder
Preparing for Incident Response
Identify Vital Assets
• What can damage your organization the most?
• What concerns you?
• Who could be a threat?
• Do hackers concern you?
This step saves you time & $ later
Preparing Systems
• Record cryptographic checksums of critical files (MD5)
– Tripwire is a widely accepted commercial product
• Increase or enable secure audit logging
• Build up your host’s defenses
• Backup critical data and store media securely
• Educate users about security
Critical File Preparation
• Cryptographic checksums, also called message digests (MD), are fixed-size fingerprints of a file
– Not a digital signature: a digest involves no key, so anyone who can alter the file can recompute a matching digest. The baseline must therefore be kept where an intruder cannot rewrite it
• MD5 produces a 128-bit digest from a file of any size
– MD5 is no longer collision-resistant; SHA-256 is the current choice, and the workflow is identical
• The system administrator creates checksums of critical files, stores them on separate (ideally read-only) media, then compares them against subsequent runs
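The baseline-and-compare workflow above, as an added example (not course material and not Tripwire's code). It uses SHA-256 rather than the MD5 the slides name; the comparison logic is the same. File names and the JSON manifest layout are this example's own choices.

```python
"""Baseline-and-verify file integrity check in the spirit of the Tripwire
workflow described in the slides. Added example; not Tripwire's code.
SHA-256 is used in place of MD5 (MD5 is no longer collision-resistant)."""
import hashlib
import json
from pathlib import Path

HASH_ALGO = "sha256"


def hash_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and permission bits for each critical file.
    Store the result on separate, read-only media: the digest is unkeyed, so
    an attacker who can rewrite the file can just as easily rewrite a
    baseline left on the same host."""
    baseline = {}
    for p in paths:
        p = Path(p)
        st = p.stat()
        baseline[str(p)] = {
            "digest": hash_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def save_baseline(baseline, out_path):
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def verify(baseline):
    """Compare the live filesystem against the baseline.
    Returns {path: 'missing' | 'modified' | 'mode_changed'}; an empty dict
    means every recorded file still matches."""
    findings = {}
    for path, rec in baseline.items():
        p = Path(path)
        if not p.exists():
            findings[path] = "missing"
        elif hash_file(p) != rec["digest"]:
            findings[path] = "modified"
        elif oct(p.stat().st_mode & 0o7777) != rec["mode"]:
            # Same content but e.g. a setuid bit added: still worth a look
            findings[path] = "mode_changed"
    return findings


if __name__ == "__main__":
    import sys
    # usage: integrity.py baseline STORE FILE...   or   integrity.py verify STORE
    cmd, store, *files = sys.argv[1:]
    if cmd == "baseline":
        save_baseline(build_baseline(files), store)
    else:
        for path, finding in verify(load_baseline(store)).items():
            print(f"{finding}: {path}")
```

Run the `baseline` step from known-good media before the host is exposed, copy the manifest off the host, and run `verify` from a trusted copy of the interpreter when an incident is suspected; a `verify` run that uses the host's own (possibly trojaned) binaries tells you less than it appears to.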
Unix Auditing
• Turn on system logging
– /var/log/syslog
– Create a central syslog server: run syslogd -r on it so it accepts messages from remote hosts
• Enable process accounting
– Tracks the command each user executes
– accton command
– /usr/lib/acct/startup
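The "central syslog server" step above, as an added example (not the course's code and not sysklogd's). It assumes the forwarding hosts send classic BSD syslog (RFC 3164, `<PRI>TIMESTAMP HOST MSG` over UDP/514, which is what a `*.* @loghost` line in syslog.conf produces) and that the collector runs as root to bind port 514. The sample lines are constructed for the example.

```python
"""Minimal central syslog collector for RFC 3164 (BSD) messages.
Added example; the sample lines below are constructed, not captured."""
import re
import socket
from datetime import datetime, timezone

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6",
              "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host message   (PRI = facility * 8 + severity; no year)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")


def parse_syslog(line):
    """Decode one BSD syslog line; returns None for anything malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def format_record(rec, src_ip, received_at_iso):
    """Prefix each stored line with the collector's own receive time (UTC)
    and the UDP source address. The embedded timestamp and hostname are
    attacker-controlled (UDP syslog is unauthenticated and spoofable), so the
    collector's own view of when and from where a message arrived is the
    part of the record to trust, provided the collector's clock is NTP-synced."""
    return (f"{received_at_iso} src={src_ip} {rec['facility']}.{rec['severity']} "
            f"{rec['host']} {rec['timestamp']} {rec['msg']}")


def serve(bind_addr="0.0.0.0", port=514, out_path="/var/log/central.log"):
    """Receive UDP syslog and append every datagram, parsed or not, to out_path."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(out_path, "a", buffering=1) as out:
        while True:
            data, (src_ip, _) = sock.recvfrom(65535)
            now = datetime.now(timezone.utc).isoformat()
            rec = parse_syslog(data.decode("utf-8", "replace").rstrip("\r\n"))
            if rec is None:
                out.write(f"{now} src={src_ip} UNPARSED {data!r}\n")  # keep, don't drop
            else:
                out.write(format_record(rec, src_ip, now) + "\n")


# Constructed sample messages (the first is the RFC 3164 example line)
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct  7 03:04:05 web01 sshd[812]: Accepted password for root from 10.0.0.5 port 4021",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```

Forwarding hosts still keep their local `/var/log/syslog`; the value of the central copy is that an intruder who gains root on one host cannot edit or truncate the collector's record of it. Because the transport is plain UDP, a host on the same network can also inject fabricated lines, which is why the collector records the source address rather than trusting the hostname inside the message.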
Windows Auditing
• By default security auditing is not enabled
• NT: Start | Programs | Administrative Tools | User Manager
– In User Manager select Policies | Audit
– Logs => C:\WINNT\System32\Config\*.evt
• WIN2K: Administrative Tools | Local Security Policy
– Logs => C:\WINNT\System32\Config\*.evt
Other Steps
• Application logging
• Backup critical data
– Unix: dump, restore, cpio, tar & dd
– WIN2K: Start | Programs | Accessories | System Utilities | Backup
– NT: NT Backup (NT Resource Kit)
– WIN98: Start | Accessories | System Utilities | Backup
Network Preparations
• Know your network: document, document, document
– hardware, software, users
• Smart topology/architecture
• Use access control list (ACL) on router
Network Preparations-contd
• Require authentication (host, network, Kerberos, IPsec)
• Audit regularly (manpower intensive)
• Use Network Time Protocol (NTP) to synchronize every clock, so that events logged on different hosts can be placed on one timeline
Organizational Preparations
• Institute comprehensive policies
• Institute comprehensive procedures
• Develop response procedures
– Fire drills?
• Create a response toolkit
• Establish an Incident Response Team
• Obtain top-level management support (often overlooked)
– Agree to ground rules / rules of engagement
Response Toolkits
• High-end processor with lots of memory
• Large IDE and SCSI drives
• Backup storage: CD-RW and tape drives
• Spare cables
• Router/hub and network interface card
• Digital camera
• Trusted software
ref: www.computer-forensics.com
Establish Incident Response Team
• Technical experts
• Management POC
• Team leader/principal investigator
• Decide on mission/goal
“Critical-thinking team players who enjoy hard work and long hours”
IR Professional Organizations
Training
• WWW.SANS.ORG
• WWW.FOUNDSTONE.COM
• WWW.CERT.ORG
Organizations
• Information Sharing and Analysis Centers (ISACs)
• InfraGard
• High Tech Investigation Association
• Information Systems Security Association (ISSA)
• Forum of Incident Response and Security Teams (FIRST)
Investigative Guidelines
Investigative Guidelines
• Initial assessment
• Incident notification checklist
• Investigating
• Formulating Response Strategy
Initial assessment not always accurate
Initial Assessment
• What probably happened?
– Uncertainty reigns
– Each situation is unique
– Need to learn enough to determine a course of action
• What is the best response strategy?
– Does it meet pre-established goals/ROEs?
– Does it have management support?
– Will your team need outside help?
Incident Notification Checklist
• WWW.CERT.ORG
• Collect network maps and know architecture
• Verify corporate policies
– Many actions can only be taken if appropriate policies exist
Investigating the Incident
• Prime directive: DO NO HARM
• Personnel interviews
• Hands-on activities
• Many suspected incidents turn into non-events
• Will the investigation do more damage than the incident itself?
Investigating the Incident-contd
• Personnel interviews
– System administrators: logs
– Managers: know the workforce and the critical data
– End users
• Taking hands-on actions
– Step carefully
– May contaminate the “crime scene”
Formulate Response Strategy
• Declare Incident
• Restore normal operations?
– Off-line recovery
– On-line recovery
• Determine the public relations play
– “To spin or not to spin?”
Formulate Response Strategy-contd
• Determine the probable attacker
– Internal: handle internally
– External: prosecute?
• Determine the type of attack
– DoS, theft, vandalism, policy violation, ongoing intrusion
• Classify the victim system
– Critical server/application?
– Number of users?
Closing Thought
• “The biggest problem for 2001 was keeping servers running MS-Windows products properly patched. We have numerous servers, and it’s a constant fight to keep up with the patch level and test to confirm that the new patch doesn’t break something. This is the same problem for 2002.”
• J.G.
• Peace of mind depends on the action plan for response.
Summary
• Prepare for incidents
• Build a good team
• Rehearse/practice procedures
• Perform initial assessment
• Formulate response
• Do no harm