Title: Incident Response
Slide 1: Incident Response & Computer Forensics, Second Edition
Chris Prosise, Kevin Mandia
Slide 2: Outline
- Introduction to the incident response process
- What is a computer security incident?
- What are the goals of incident response?
- Who is involved in the incident response process?
- Incident response methodology
Slide 3: What is a computer security incident?
- A computer security incident is any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Examples:
  - Theft of trade secrets
  - Email spam or harassment
  - Unauthorized or unlawful intrusion into computing systems
  - Denial-of-service (DoS) attacks
Slide 4: What are the goals of incident response?
- The incident response methodology emphasizes the goals of corporate security professionals with legitimate business concerns, but it also takes into account the concerns of law enforcement officials. The methodology:
  - Confirms or dispels whether an incident occurred.
  - Establishes controls for proper retrieval and handling of evidence.
  - Minimizes disruption to business and network operations.
  - Provides accurate reports and useful recommendations.
  - Provides rapid detection and containment.
  - Educates senior management.
Slide 5: Who is involved in the incident response process?
- Incident response is a multifaceted discipline. It demands a myriad of capabilities that usually require resources from several different operational units of an organization.
- A Computer Security Incident Response Team (CSIRT) is formed to respond to any computer security incident.
Slide 6: Incident response methodology
- There are seven major components of incident response:
  - Pre-incident preparation
  - Detection of incidents
  - Initial response
  - Formulate response strategy
  - Investigate the incident
  - Reporting
  - Resolution
Slide 7: Seven components of incident response
[Figure: flowchart of the incident response process. Boxes: Incident Occurs (Point-In-Time or Ongoing); Pre-Incident Preparation; Detection of Incidents; Initial Response; Formulate Response Strategy; Reporting; Resolution (Recovery, Implement Security Measures).]
Slide 8: Pre-incident preparation (1/2)
- Preparing the organization
  - Implement host-based security measures.
  - Implement network-based security measures.
  - Train end users.
  - Employ an intrusion detection system (IDS).
  - Create strong access control.
  - Perform timely vulnerability assessments.
  - Ensure backups are performed on a regular basis.
Slide 9: Pre-incident preparation (2/2)
- Preparing the CSIRT
  - The hardware needed to investigate computer security incidents.
  - The software needed to investigate computer security incidents.
  - The documentation needed to investigate computer security incidents.
  - The appropriate policies and operating procedures to implement your response strategies.
  - The training your staff or employees require to perform incident response in a manner that promotes successful forensics, investigations, and remediation.
Slide 10: Detection of incidents (1/2)
[Figure: table for "Company X" mapping indicators of an incident to the functional areas that may detect or report them.]
- Indicators:
  - IDS detection of a remote attack
  - Numerous failed logon attempts
  - Logins into dormant or default accounts
  - Activity during nonworking hours
  - Unfamiliar files or executable programs
  - Altered pages on the web server
  - Gaps in log files or erasure of log files
  - Slower system performance
  - System crash
- Functional areas: IDS, end user, help desk, system administrator, security, human resources
Slide 11: Detection of incidents (2/2)
- Some of the critical details to record when an incident is reported include the following:
  - Current time and date
  - Who/what reported the incident
  - Nature of the incident
  - When the incident occurred
  - Hardware/software involved
  - Points of contact for involved personnel
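As an added example (not from the slides or the book), the following Python script applies three of the indicators from the previous slide to a constructed set of SSH authentication log lines: a burst of failed logons from one source, a successful login to a dormant or default account, and activity outside working hours. The failure threshold, the dormant-account list and the working-hours range are assumptions a CSIRT would tune to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of syslog-style SSH authentication events (not real data).
SAMPLE_LOG = """\
Mar 03 02:11:05 web1 sshd[812]: Failed password for admin from 203.0.113.9 port 50122 ssh2
Mar 03 02:11:07 web1 sshd[812]: Failed password for admin from 203.0.113.9 port 50123 ssh2
Mar 03 02:11:09 web1 sshd[812]: Failed password for admin from 203.0.113.9 port 50124 ssh2
Mar 03 02:11:11 web1 sshd[812]: Failed password for admin from 203.0.113.9 port 50125 ssh2
Mar 03 02:11:13 web1 sshd[812]: Failed password for admin from 203.0.113.9 port 50126 ssh2
Mar 03 02:12:40 web1 sshd[815]: Accepted password for guest from 203.0.113.9 port 50130 ssh2
Mar 03 09:30:02 web1 sshd[901]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)")

FAILED_LOGON_THRESHOLD = 5              # failures from one source before alerting (assumed)
DORMANT_OR_DEFAULT = {"guest", "test"}  # accounts that should never log in (assumed list)
WORK_HOURS = range(8, 19)               # 08:00-18:59 counts as working hours (assumed)

def detect_indicators(log_text, year=2024):
    """Return (indicator, detail) tuples for each matching indicator, in log order."""
    findings = []
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # syslog lines are year-less, so the year is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user, src, result = m["user"], m["src"], m["result"]
        if result == "Failed":
            failures[src] += 1
            if failures[src] == FAILED_LOGON_THRESHOLD:  # alert once per source
                findings.append(("numerous failed logon attempts", src))
            continue
        # Successful logon: check the account and the time of day.
        if user in DORMANT_OR_DEFAULT:
            findings.append(("login into dormant or default account", f"{user} from {src}"))
        if ts.hour not in WORK_HOURS:
            findings.append(("activity during nonworking hours", f"{user} at {ts.isoformat()}"))
    return findings

if __name__ == "__main__":
    for indicator, detail in detect_indicators(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```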
Slide 12: Initial response
- One of the first steps of any investigation is to obtain enough information to determine an appropriate response:
  - Assembling the CSIRT
  - Collecting network-based and other data
  - Determining the type of incident that has occurred
  - Assessing the impact of the incident
- The initial response will not involve touching the affected system(s).
Slide 13: Formulate response strategy (1/3)
- Considering the totality of circumstances
  - How many resources are needed to investigate an incident?
  - How critical are the affected systems?
  - How sensitive is the compromised or stolen information?
  - Who are the potential perpetrators?
  - What is the apparent skill of the attacker?
  - How much system and user downtime is involved?
  - What is the overall dollar loss?
Slide 14: Formulate response strategy (2/3)
- Considering appropriate responses (one row of the slide's table: Incident / Example / Response Strategy / Likely Outcome)
  - Incident: DoS attack
  - Example: TFN DDoS attack
  - Response strategy: Reconfigure the router to minimize the effect of the flooding.
  - Likely outcome: Effect of the attack mitigated by router countermeasures. Establishing the perpetrator's identity may require too many resources to be a worthwhile investment.
Slide 15: Formulate response strategy (3/3)
- Response strategy options should be quantified with pros and cons related to the following:
  - Estimated dollar loss
  - Network downtime and its impact on operations
  - User downtime and its impact on operations
  - Whether or not your organization is legally compelled to take certain action
  - Public disclosure of the incident and its impact on the organization's reputation/business
- Taking action
  - Legal action
  - Administrative action
Slide 16: Investigate the incident
- The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident.
- A computer security investigation can be divided into two phases:
  - Data collection
  - Forensic analysis
Slide 17: Possible investigation phase steps
[Figure: two-column slide, data collection on the left and analysis on the right.]
- Data collection
  - Network-based evidence
    - Obtain IDS logs
    - Obtain existing router logs
    - Obtain relevant firewall logs
    - Obtain remote logs from a centralized host (syslog)
    - Perform network monitoring
    - Obtain backups
  - Host-based evidence
    - Obtain the volatile data during a live response
    - Obtain the system time
    - Obtain the time/date stamps for every file on the victim system
    - Obtain all relevant files that confirm or dispel the allegation
    - Obtain backups
  - Other evidence
    - Obtain oral testimony from witnesses
- Analysis
  1. Review the volatile data: review the network connections; identify any rogue processes (backdoors, sniffers).
  2. Analyze the relevant time/date stamps: identify files uploaded to the system by an attacker; identify files downloaded or taken from the system.
  3. Review the log files.
  4. Identify unauthorized user accounts.
  5. Look for unusual or hidden files.
  6. Examine jobs run by the scheduler service.
  7. Review the Registry.
  8. Perform keyword searches.
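Added example, not code from the book: analysis steps 2 (analyzing time/date stamps) and 5 (looking for hidden files) applied to a constructed file listing of the kind the host-based collection step produces. It flattens the modification, access and change times into one timeline, selects files whose content or metadata changed within an hour of the first suspicious logon, and flags dot-prefixed paths among them. The listing, the timestamps, the incident start and the one-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class FileRecord(NamedTuple):
    path: str
    mtime: datetime  # last content modification
    atime: datetime  # last access
    ctime: datetime  # last inode/metadata change

def _t(*parts):
    return datetime(2024, 3, *parts)  # helper: sample times all fall in March 2024 (constructed)

# Constructed file listing with MAC times, as collected during the
# "time/date stamps for every file" step; not real evidence.
LISTING = [
    FileRecord("/bin/ls", datetime(2023, 11, 2, 10, 0), _t(3, 2, 13), datetime(2023, 11, 2, 10, 0)),
    FileRecord("/tmp/.x/sshd", _t(3, 2, 14, 30), _t(3, 2, 15), _t(3, 2, 14, 30)),
    FileRecord("/etc/passwd", _t(3, 2, 16), _t(3, 2, 16), _t(3, 2, 16)),
    FileRecord("/var/log/auth.log", _t(3, 2, 18), _t(3, 2, 18), _t(3, 2, 18)),
    FileRecord("/home/alice/report.doc", _t(4, 9, 5), _t(4, 9, 5), _t(4, 9, 5)),
]
# Earliest suspicious event found while reviewing the log files (step 3); assumed.
INCIDENT_START = _t(3, 2, 12, 40)

def build_timeline(listing):
    """Flatten every MAC time into one chronologically sorted event list."""
    events = [(t, kind, rec.path) for rec in listing
              for kind, t in (("m", rec.mtime), ("a", rec.atime), ("c", rec.ctime))]
    return sorted(events)

def changed_in_window(listing, start, end):
    """Paths whose content or metadata changed within [start, end]: candidates
    for files uploaded by the attacker or altered on the system."""
    return sorted({rec.path for rec in listing
                   if start <= rec.mtime <= end or start <= rec.ctime <= end})

def hidden_paths(paths):
    """Paths with a dot-prefixed component, the classic hidden-file indicator."""
    return [p for p in paths if any(c.startswith(".") for c in p.split("/") if c)]

def investigate(listing, start, hours=1):
    """Run steps 2 and 5 over a listing for the window [start, start + hours]."""
    end = start + timedelta(hours=hours)
    changed = changed_in_window(listing, start, end)
    return {"window": (start, end), "changed": changed, "hidden": hidden_paths(changed)}

if __name__ == "__main__":
    for t, kind, path in build_timeline(LISTING):
        print(f"{t.isoformat()} {kind} {path}")
    print(investigate(LISTING, INCIDENT_START))
```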
Slide 18: Performing forensic analysis
[Figure: flowchart of forensic analysis in two stages, preparation of data followed by analysis of data.]
- Preparation of data
  - Create a working copy of all evidence media
  - Perform forensic duplication
  - Recover deleted data
  - Recover unallocated space
  - Create file lists
  - Gather statistical data (partition table, file system)
- Analysis of data
  - Review data collected during live response
  - Review all the network-based evidence
  - Perform file signature analysis
  - Identify known system files
  - Search for relevant strings
  - Extract email and attachments
  - Review browser history files
  - Review installed applications
  - Perform software analysis
  - Identify and decrypt encrypted files
  - Perform file-by-file review
  - Perform specialized analysis
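Added example (not from the book) for two of the analysis steps above, file signature analysis and identifying known system files: each file's leading magic bytes are compared with the type its extension claims, and its SHA-256 is checked against a known-good hash set so that unmodified system files can be set aside. The signature table, the known-good set and the sample files are constructed stand-ins; a real known-file set (such as NSRL) is built from trusted media, never from the suspect system.

```python
import hashlib

# Magic numbers (file signatures) for a few common types; real tools carry
# hundreds. Keys are the extension each signature implies.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".zip": (b"PK\x03\x04",),
    ".exe": (b"MZ",),
    ".elf": (b"\x7fELF",),
}

# Constructed stand-in for a known-file hash set: sha256 -> path of the trusted file.
TRUSTED_LS_BYTES = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"trusted ls body"
KNOWN_GOOD = {hashlib.sha256(TRUSTED_LS_BYTES).hexdigest(): "/bin/ls"}

def identify_type(data):
    """Return the extension implied by the leading bytes, or None if unknown."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None

def classify(name, data):
    """Triage one file the way the known-file and file-signature steps do."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_GOOD:
        return "known system file: " + KNOWN_GOOD[digest]
    base = name.rsplit("/", 1)[-1]
    claimed = "." + base.rsplit(".", 1)[-1].lower() if "." in base else None
    actual = identify_type(data)
    if claimed and actual and claimed != actual:
        return f"signature mismatch: named {claimed} but content is {actual}"
    return "file-by-file review: " + (actual or "unknown type")

# Constructed sample files (path, bytes); not real evidence.
SAMPLES = [
    ("/bin/ls", TRUSTED_LS_BYTES),
    ("/home/alice/vacation.jpg", b"PK\x03\x04\x14\x00" + b"\x00" * 20),  # archive named as an image
    ("/tmp/.x/sshd", b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"unknown body"),  # unknown binary
    ("/home/alice/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]

def triage(samples):
    """Map each sample path to its verdict."""
    return {name: classify(name, data) for name, data in samples}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```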
Slide 19: Reporting
- Some guidelines to ensure that the reporting phase does not become your CSIRT's nemesis:
  - Document immediately
  - Write concisely and clearly
  - Use a standard format
  - Use an editor
Slide 20: Resolution
- In this phase, you contain the problem, solve the problem, and take steps to prevent the problem from occurring again.
- The following steps are often taken to resolve a computer security incident:
  - Identify your organization's top priority.
  - Determine the nature of the incident.
  - Determine if there are underlying or systemic causes for the incident.
  - Restore any affected or compromised system.
Slide 21: Resolution (continued)
  - Apply corrections required to address any host-based vulnerabilities.
  - Apply network-based countermeasures such as access control lists, firewalls, or IDS.
  - Assign responsibility for correcting any systemic issue.
  - Track progress on all corrections.
  - Validate that all remedial steps or countermeasures are effective.
  - Update your security policy and procedures as needed to improve your response process.
Slide 22: Conclusion
[Figure: the incident response process flowchart from slide 7, repeated: Incident Occurs (Point-In-Time or Ongoing); Pre-Incident Preparation; Detection of Incidents; Initial Response; Formulate Response Strategy; Reporting; Resolution (Recovery, Implement Security Measures).]