Incident Handling - PowerPoint PPT Presentation

About This Presentation
Title:

Incident Handling

Description:

Connections from/to unfamiliar sites? New hidden directories? Integrity checkers ... Gulf war marines. Corporate: affect environment of decision. Zapatista peso ... – PowerPoint PPT presentation

Slides: 25
Provided by: timshi

Transcript and Presenter's Notes

Title: Incident Handling


1
Recognizing Attacks
2
Recognition Stances
3
Leading Questions
  • Is it a real break-in?
  • Was any damage really done?
  • Is protecting evidence important?
  • Is restoring normal operation quickly important?
  • Willing to chance modification of files?
  • Is no publicity important?
  • Can it happen again?

4
Document Actions
  • Start notebook
  • Collect printouts and backup media
  • Use scripts
  • Get legal assistance for evidence-gathering
  • PLAN AHEAD

5
Finding the Intruder
  • Finding changes
  • Receiving message from other system administrator
    / net defender
  • Strange activities
  • User reports

6
Steps in Handling
  1. Identify/understand the problem
  2. Contain/stop the damage
  3. Confirm diagnosis and determine damage
  4. Restore system
  5. Deal with the cause
  6. Perform related recovery

7
Dealing with Intruder
  • Ignore Intruder
    • Dangerous
    • Contrary to policy/law?
  • Communicate with intruder
    • Dangerous
    • Low return
  • Trace/identify intruder
    • Watch for traps / assumptions
    • Network and host options
    • Phone logs
  • Break intruder's connection
    • Physically
    • Logically (logout, kill processes, lock account)

8
Asking for Help
  • CERT, FIRST, Law enforcement, etc.
  • Don't use infected system
  • Avoid using email from connected systems

9
Finding Damage
  • What have affected accounts done lately?
  • Missing log files?
  • What has root done?
  • What reboots have occurred?
  • Unexplained error messages?
  • Connections from/to unfamiliar sites?
  • New hidden directories?
  • Integrity checkers
    • Changed binaries?
    • Changed configuration files?
    • Changed library files?
    • Changed boot files?
    • Changed user files?
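
The "integrity checkers" item above, as an added example that is not part of the original slides: a minimal baseline-and-compare checker. It records a SHA-256 hash plus mode bits (which carry setuid/setgid), owner and size for every regular file under a directory, and reports what changed, appeared or disappeared. The directory tree in demo() is constructed for illustration; the file names in it are hypothetical.

```python
"""Added example (not from the slides): minimal integrity checker per slide 9.
Baselines a tree (SHA-256, mode, owner, size); reports changed/added/removed."""
import hashlib
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Hash content and record the metadata an intruder typically alters."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    # st_mode carries the setuid/setgid bits, so a newly setuid binary shows up too
    return {"sha256": h.hexdigest(), "mode": oct(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}

def snapshot(root: Path) -> dict:
    """Baseline every regular file below root, keyed by relative path."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'changed' maps a path to the attributes that differ."""
    report = {"changed": {}, "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        else:
            diff = [k for k in old if old[k] != new[k]]
            if diff:
                report["changed"][rel] = diff
    report["added"] = sorted(set(current) - set(baseline))
    return report

def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "sshd.conf").write_text("PermitRootLogin no\n")
        baseline = snapshot(root)  # in real use store this off the host
        (root / "bin" / "login").write_bytes(b"trojaned login binary")  # changed
        (root / "sshd.conf").unlink()                                   # removed
        (root / ".hidden").mkdir()
        (root / ".hidden" / "tool").write_bytes(b"dropped file")        # added
        return compare(baseline, snapshot(root))
```

The baseline only helps if an intruder who can replace binaries cannot also rewrite it, so keep the snapshot (or at least its hash) on read-only media or another host.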

10
Dealing with Damage
  • Delete unauthorized account(s)
  • Restore authorized access to affected account(s)
  • Restore file / device protections
  • Remove setuid/setgid programs
  • Remove unauthorized mail aliases
  • Remove added files / directories
  • Force new passwords

11
Resume Service
  • Patch and repair damage, enable further
    monitoring, resume
  • Quick scan and cleanup, resume
  • Call in law enforcement -- delay resumption
  • Do nothing -- use corrupted system

12
Dealing with Consequences
  • Was sensitive information disclosed?
  • Who do you need to notify formally?
  • Who do you need to notify informally?
  • What disciplinary action is needed?

13
Moving Forward
  • What vendor contacts do we need to make?
  • What other system administrators should be
    notified?
  • What updated employee training is needed?

14
Netwar
  • Individual: affect key decision-maker
    • Ems telegram
    • Gulf war marines
  • Corporate: affect environment of decision
    • Zapatista peso collapse
    • Vietnam protests
    • Intifada / Cyber-Intifada?
  • Strategic: combination of all previous

15
Example Zapatista Cyberstrike
  • Mid-1990s rebellion in Mexico
  • Military situation strongly favored Mexican Army
  • Agents of influence circulated rumors of Peso
    instability
  • Peso crash forced government to negotiating table
  • Compounded by intrusions into Mexican logistics

16
Building Understanding
Intrusions/Responses  Threats/Counters  Vulnerabilities/Fixes
17
Analysis Process
Incident Information Flow
Identify Profiles and Categories
Isolate Variables
Identify Data Sources
Establish Relevancy
Identify Gaps
18
One Effort Looking Inside the Noise
Network Activity Example
Overall Activity Several Gbytes/day
Noise - Below the Radar
19
Low-Packet Filtering
  • It's hard to use TCP without generating a lot of
    packets
  • Negotiation, transmission, configuration, error
    checking
  • Few legitimate low-packet sessions possible
  • Mostly web access

20
Low-Packet Traffic
21
Flow Based Detection
  • Scans and Probes
  • Distributed Tools
  • Worm/Virus Propagation
  • ???
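
The low-packet filter of slide 19 and the flow-based detection of slide 21, as an added example that is not part of the original slides. It runs over constructed flow records (source, destination, port, packet count): first it keeps only sessions too short to have done real work, then it flags a source that opened many such sessions to many hosts on one port, which is the scan/probe pattern. The addresses and thresholds are sample values chosen for the illustration.

```python
"""Added example, not from the slides: the low-packet filter of slide 19 and the
flow-based scan detection of slide 21, run over constructed flow records. A TCP
session that carried only a handful of packets rarely did legitimate work, and
one source opening many such sessions to many hosts on one port looks like a
scan or probe."""
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port, packet_count)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80, 42),    # normal web session
    ("10.0.0.5", "203.0.113.11", 443, 31),
    ("10.0.0.7", "203.0.113.10", 80, 3),     # tiny but legitimate web fetch
    ("192.0.2.9", "10.0.0.1", 22, 1),        # one SYN per host: a scan
    ("192.0.2.9", "10.0.0.2", 22, 1),
    ("192.0.2.9", "10.0.0.3", 22, 1),
    ("192.0.2.9", "10.0.0.4", 22, 2),
    ("192.0.2.9", "10.0.0.5", 22, 1),
    ("198.51.100.4", "10.0.0.5", 25, 120),   # long mail session
]

LOW_PACKET_MAX = 3  # sessions with this many packets or fewer are "low-packet"

def low_packet_flows(flows, limit=LOW_PACKET_MAX):
    """Slide 19 filter: drop the bulk of traffic, keep sessions too short to work."""
    return [f for f in flows if f[3] <= limit]

def find_scanners(flows, min_targets=4):
    """Slide 21 pattern: one source, one port, many distinct low-packet targets."""
    targets = defaultdict(set)
    for src, dst, dport, _pkts in low_packet_flows(flows):
        targets[(src, dport)].add(dst)
    return {key: sorted(dsts) for key, dsts in targets.items()
            if len(dsts) >= min_targets}

if __name__ == "__main__":
    print(f"{len(low_packet_flows(FLOWS))} of {len(FLOWS)} flows are low-packet")
    for (src, port), hosts in find_scanners(FLOWS).items():
        print(f"{src} probed port {port} on {len(hosts)} hosts: {hosts}")
```

The web fetch from 10.0.0.7 survives the filter but is not reported, which is the point of slide 19: the filter shrinks the data, and the many-targets rule does the detection.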

22
Challenges to Analysis
  • Gathering sufficient datasets to make
    statistically valid judgments
  • Developing automated technical analysis tools
  • Developing a reliable methodology for
    cyber-analysis
  • Overcoming organizational bias against sharing
    information

23
Limits of Analysis
  • Inherently partial data
  • Baseline in dynamic environment
  • Correlation vs. Causation
  • Implications
    • Need to be cautious in kinds of conclusions
    • Consider strategies for dealing with trends gone
      wrong

24
Summary
  • Incidents are not proof of bad administration
  • Lots of effort involved in handling Incidents
  • Need proactive, strategic planning to reduce
    costs, improve handling