![Page 1: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/1.jpg)
Incident Handling Foundations
![Page 2: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/2.jpg)
Agenda
- What is incident handling?
- Why is it important?
- What is an incident?
- Fundamentals
- The six-step process
- Legal issues
![Page 3: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/3.jpg)
Incident Handling
- Incident handling is an action plan for dealing with intrusions, cyber-theft, denial of service, malicious code, fire, floods, and other security-related events.
- Having procedures and policy in place so you know what to do when an incident occurs.
![Page 4: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/4.jpg)
Why is it Important?
- Sooner or later an incident is going to occur. Do you know what to do?
- It is not a matter of "if" but "when".
- Planning is everything.
- Similar to backups: you might not use it every day, but if a major problem occurs you are going to be glad that you did.
![Page 5: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/5.jpg)
Legal Aspects of Incident Handling
- Plans, policies and procedures developed for incident handling must comply with applicable laws.
- This is not a legal course; have them reviewed by legal counsel.
![Page 6: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/6.jpg)
What is an Incident?
- An "incident" is an adverse event in an information system and/or network, or the threat of the occurrence of such an event.
- Incident implies harm, or the attempt to do harm.
- The fact that an incident has occurred may mean a law has been broken.
![Page 7: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/7.jpg)
Types of Incidents
- Bombings, explosions
- Earthquakes, fires, floods
- Power outages, storms
- Hardware/software failures
- Strikes, employees unavailable
- Hazardous material spills
- Cyber-theft, intellectual property theft
- Viruses, worms or other malicious software
- Unauthorized use
- Intrusions, internal or external attack
- Denial of service
![Page 8: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/8.jpg)
What is an Event?
- An "event" is any observable occurrence in a system and/or network.
- Examples of events include: the system boot sequence, a system crash, packet flooding within a network.
- These observable events compose an incident.
- All incidents are composed of events, but not all events are incidents.
![Page 9: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/9.jpg)
Examples of an Incident
Which of the following is an incident?
1. An attacker running NetBIOS scans against a UNIX system.
2. An attacker exploiting Sendmail on a UNIX system.
3. A backup tape containing sensitive information is missing.
![Page 10: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/10.jpg)
Overview of the Incident Handling Process
Incident handling is similar to first aid. The caregiver tends to be under pressure and mistakes can be very costly. A simple, well-understood approach is best.
![Page 11: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/11.jpg)
Incident Handling: 6 Steps
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
![Page 12: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/12.jpg)
Preparation
Getting your environment and team ready to handle incidents.
![Page 13: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/13.jpg)
Preparation
The goal of preparation is to get your team ready to handle incidents.
- Policy
- People
- Data
- Software/hardware
- Communication
- Supplies
- Transportation
- Space
- Power and environment control
- Documentation
![Page 14: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/14.jpg)
Preparation Key Points
- Be calm.
- Take notes, logs, etc.
  ◦ Handwritten notes are a great help.
  ◦ Use timestamps in the notes.
- Management support
  ◦ Regular reports (preferably monthly)
  ◦ Graphically illustrated reports
![Page 15: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/15.jpg)
Preparation Key Points
- Build an incident handling team.
  ◦ Identify qualified people.
  ◦ A multi-disciplinary team is best: network, security, operations, systems, HR.
![Page 16: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/16.jpg)
Preparation Key Points
- Prepare a system build checklist.
  ◦ Procedures for backing up and rebuilding systems.
- Getting access to systems and data.
  ◦ The incident handling team needs to have access to the system (even without notifying system admins).
  ◦ Strike a bargain with the operations team.
- Establish a war room.
![Page 17: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/17.jpg)
Preparation Key Points
- Train the team.
  ◦ Conduct training scenarios.
  ◦ Deploy an internal honeypot.
- Conduct war games.
  ◦ Pen tests.
  ◦ Do this with more experienced teams.
- Cultivate good relationships.
  ◦ Helpdesk
  ◦ Sys admins, network admins
![Page 18: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/18.jpg)
Preparation Key Points: Jump Bag
- Get a bag and load it with items that you might use in an incident.
- Never steal from this bag.
- Use a checklist while loading the bag.
![Page 19: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/19.jpg)
Jump Bag: Software
- Binary image creation software
  ◦ dd, windd, cryptcat, netcat
- Forensics tools
  ◦ Sleuth Kit, Autopsy (free), EnCase, X-Ways
- Diagnostic software
  ◦ No XPE
  ◦ Helix (great tool)
  ◦ Backtrack
![Page 20: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/20.jpg)
Jump Bag: Hardware
- USB drives
- External hard disks
- Hub or tap (no switch)
- Patch cables
- Laptop with multiple OSes and a lot of RAM
- Jumpers, flashlight, tweezers, dental mirror
- Business cards
![Page 21: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/21.jpg)
Identification
Detecting deviation from the norm and attempts to do harm.
![Page 22: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/22.jpg)
Identification Phase
The goal is to gather events, analyze them, and determine if it is an incident.
![Page 23: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/23.jpg)
Identification: Points to Keep in Mind
- Be willing to alert early.
  ◦ Do not be afraid to declare an incident.
- Maintain situation awareness.
- Provide current intelligence.
- Correlate information.
- Assign a primary handler.
  ◦ Try to assign a helper (why?).
- Control the flow of information (need to know).
![Page 24: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/24.jpg)
Identification
- Communication channels
  ◦ You cannot trust the network if you suspect you have an attack.
  ◦ Use out-of-band communication.
  ◦ Be careful with VoIP (Wireshark, VOMIT).
![Page 25: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/25.jpg)
Where does Identification Occur?
- Network detection
- Host detection
- System detection
![Page 26: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/26.jpg)
Signs of an Incident
- An IDS tool has an alert
- Unexplained entries in a log file
- Failed events, such as logon
- Unexplained events (new accounts)
- System reboots
- Poor performance
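As an added example (not from the slide deck), a first-pass triage of an authentication log for three of the signs listed above: failed logons, a successful logon after a burst of failures, and unexplained new accounts. The log lines are constructed for the demo, and the syslog/sshd/useradd field layout and the failure threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the slide deck: a first-pass triage of an auth
# log for three of the signs on the slide (failed logons, a success after a
# burst of failures, and unexplained new accounts). The log lines are
# constructed for the demo; the syslog/sshd/useradd field layout and the
# failure threshold are assumptions, not a standard.
set -eu

WORK=$(mktemp -d)
LOG="$WORK/auth.log"
cat > "$LOG" <<'EOF'
Mar  3 02:11:01 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar  3 02:11:03 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51114 ssh2
Mar  3 02:11:05 web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51120 ssh2
Mar  3 02:11:06 web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51121 ssh2
Mar  3 02:11:08 web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 02:11:09 web01 sshd[4125]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Mar  3 02:13:40 web01 useradd[4201]: new user: name=svc_bkp, UID=1007, GID=1007, home=/home/svc_bkp, shell=/bin/bash
Mar  3 08:02:11 web01 sshd[5010]: Failed password for alice from 192.0.2.20 port 40001 ssh2
Mar  3 08:02:20 web01 sshd[5010]: Accepted password for alice from 192.0.2.20 port 40002 ssh2
EOF

# Sources with at least $2 failed logons: one "<source> <count>" per line.
failed_logon_sources() {
    awk -v t="$2" '
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
        END { for (s in c) if (c[s] >= t) print s, c[s] }' "$1"
}

# A successful logon from a source that already had $2 or more failures is
# the strongest of the three signs: one "<source> <user>" per line.
success_after_failures() {
    awk -v t="$2" '
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") f[$(i+1)]++ }
        /Accepted password/ {
            src = ""; user = ""
            for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") src = $(i+1) }
            if (f[src] >= t) print src, user
        }' "$1"
}

# Accounts created on the host, to be reconciled against change tickets.
new_accounts() {
    awk '/useradd.*new user/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^name=/) { sub(/^name=/, "", $i); sub(/,$/, "", $i); print $i }
    }' "$1"
}

echo "== sources with >=3 failed logons";  failed_logon_sources "$LOG" 3
echo "== success after >=3 failures";      success_after_failures "$LOG" 3
echo "== new accounts";                    new_accounts "$LOG"
```

Each hit is a lead to write down with a timestamp, not yet a declared incident; alice's single failure followed by a success stays below the threshold and is not reported.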
![Page 27: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/27.jpg)
Cheat Sheets
- SANS Windows cheat sheet
- SANS Linux cheat sheet
![Page 28: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/28.jpg)
Containment
Stopping the damage and making forensic images.
![Page 29: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/29.jpg)
Containment
- The goal is to stop the bleeding.
  ◦ Stop the attacker from getting any deeper.
- We will cover the following:
  ◦ The sub-phases of containment
  ◦ Methods of short-term containment
  ◦ Backup
  ◦ Methods of long-term containment
![Page 30: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/30.jpg)
Short-term Containment
- Disconnect the network cable
- Pull the power cable
- Isolate the attacked server on a separate switch
- Apply filters (firewall)
- Change the DNS names to point to a different IP address
![Page 31: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/31.jpg)
ISP Coordination
- Coordinate with your ISP regarding external attacks.
  ◦ Large packet floods, worms, botnets.
![Page 32: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/32.jpg)
Initial Analysis
- Keep a low profile.
- Analyze the copy of the forensic image:
  ◦ Make an image ASAP.
  ◦ Use blank media.
  ◦ If possible, take a bit-by-bit image.
  ◦ Never analyze the original.
  ◦ Keep the original pristine for evidence.
![Page 33: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/33.jpg)
Isolate the System
- First you isolate, then image.
  ◦ Use a CD, do not use USB.
  ◦ Do not gracefully shut down the system.
  ◦ Store the image in a safe place.
- Original (evidence)
- Image 1 (may be put back into production)
- Image 2 (analysis)
- Use drive duplicators if possible.
- Train on the image creation.
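The imaging discipline from the two slides above (bit-by-bit copy, never analyze the original, Original / Image 1 / Image 2), as an added example that is not part of the slide deck. All paths are assumptions: EVIDENCE would be the isolated drive on a real case, behind a hardware write blocker; here a constructed random file stands in for it so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the slide deck: bit-for-bit imaging with dd plus
# hash verification, following the slide's Original / Image 1 / Image 2 split.
# All paths are assumptions. EVIDENCE would be the isolated drive (a block
# device behind a write blocker) on a real case; a constructed random file
# stands in for it here so the script runs offline.
set -eu

# Record the source hash once, before any copy is made; it goes in the notes.
record_source_hash() {
    sha256sum "$1" | awk '{print $1}' > "$1.sha256"
}

# Copy SRC to DST sector by sector. conv=noerror,sync continues past unreadable
# sectors and zero-fills them so offsets stay aligned; bs=512 is deliberate,
# because sync pads the final block to bs and a larger bs would change the hash.
acquire_image() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    sha256sum "$dst" | awk '{print $1}' > "$dst.sha256"
}

# Exit status 0 when the image hash matches the recorded source hash.
verify_image() {
    [ "$(cat "$1.sha256")" = "$(cat "$2.sha256")" ]
}

WORK=$(mktemp -d)
EVIDENCE="$WORK/evidence.dd"
dd if=/dev/urandom of="$EVIDENCE" bs=512 count=64 2>/dev/null   # constructed stand-in, 64 sectors

record_source_hash "$EVIDENCE"
acquire_image "$EVIDENCE" "$WORK/image1.dd"   # Image 1: may go back into production
acquire_image "$EVIDENCE" "$WORK/image2.dd"   # Image 2: the only copy analysts touch
chmod 0444 "$EVIDENCE" "$EVIDENCE.sha256"     # original stays pristine (software hint only)

# With set -e, a mismatch aborts here instead of letting a bad image go forward.
verify_image "$EVIDENCE" "$WORK/image1.dd"
verify_image "$EVIDENCE" "$WORK/image2.dd"
echo "images verified against $(cat "$EVIDENCE.sha256"); analyze image2.dd, never the original"
```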
![Page 34: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/34.jpg)
Continuing Operation
- Acquire the logs and other sources of information.
- Review logs from neighboring systems. How far did the attacker get?
- Make a recommendation for long-term containment.
  ◦ It is a business decision.
![Page 35: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/35.jpg)
Long-Term Containment
- As long as you have your evidence and image backup, you can make changes to the system.
- Ideal: keep the system offline.
- Less than ideal: if the system must be kept in production, perform long-term containment.
![Page 36: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/36.jpg)
Long-Term Containment
- Numerous potential actions:
  ◦ Patching the system and neighbouring systems.
  ◦ Change passwords.
  ◦ Null routing ???
  ◦ Firewall
  ◦ Remove accounts used by attackers.
- Do not forget: you still need to eradicate.
- The ideal long-term containment is to apply a temporary solution until you build a clean system.
![Page 37: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/37.jpg)
Eradication
Cleaning up and removing the artifacts left by the attacker.
![Page 38: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/38.jpg)
Eradication
- After stopping the bleeding, I need to eradicate, or get rid of, any attacker's artifacts.
- In this phase we determine the cause and the effect of the incident:
  ◦ By analyzing all data.
  ◦ By isolating the system and studying the attack patterns.
![Page 39: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/39.jpg)
Eradication
- Locate the most recent CLEAN backup.
- In the case of a suspected rootkit attack, please rebuild the system from scratch.
- Remove malicious software:
  ◦ Viruses
  ◦ Backdoors
  ◦ Rootkits or kernel-level rootkits
![Page 40: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/40.jpg)
Improve your Defenses
- Now the attackers got you:
  ◦ Implement the appropriate protection: firewalls, new name/IP for the system, null routing, hardening, patching.
![Page 41: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/41.jpg)
Vulnerability Assessment
- Perform vulnerability analysis.
  ◦ Network assessment
  ◦ System assessment
  ◦ Scan the entire network for interesting ports. Nessus is a big help.
- Remember the attacker often uses the same exploit and backdoor on multiple machines, so look for them in multiple environments.
![Page 42: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/42.jpg)
Recovery
Getting back to business... carefully.
![Page 43: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/43.jpg)
Validation
- The goal of recovery is to put the impacted system back into production in a safe manner.
- Validate the system.
  ◦ Verify the operation of the system.
  ◦ Let the business unit test with you.
![Page 44: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/44.jpg)
Restoring Operations
- Usually at off-hours timeslots.
  ◦ It is easier to monitor at these times.
- The final decision is in the hands of the business team.
- Provide your advice but remember it is their call.
![Page 45: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/45.jpg)
Monitor
- Once the system is back online, continuous and deep monitoring is required.
- Utilize all possible means of monitoring.
  ◦ You can create a custom signature of the original attack vector.
- Check operating system and application logs extra carefully.
![Page 46: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/46.jpg)
Lessons Learned
Documentation and improving operations to prevent the incident from happening again.
![Page 47: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/47.jpg)
Lessons Learned
- The whole point of the lessons learned phase is to document what happened in the incident, learn from our mistakes and improve our capabilities.
- It is the most important phase.
![Page 48: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/48.jpg)
Follow-up
- Develop a report.
  ◦ Try to get consensus.
- Conduct a lessons learned meeting.
- Send recommendations to management.
- Follow-up meeting.
![Page 49: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/49.jpg)
Seven Deadly Sins: Chronological Order
![Page 50: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/50.jpg)
Seven Deadly Sins: Chronological Order
1. Failure to report and ask for help
2. Incomplete/non-existent notes
3. Mishandling/destroying evidence
4. Failure to create a working image
5. Failure to contain or eradicate
6. Failure to prevent re-infection
7. Failure to apply the lessons learned
![Page 51: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/51.jpg)
Putting the Steps Together
- Steps must be customized for your environment.
- Every incident is different.
- Planning is everything.
- Make things simple with checklists and tested procedures.
![Page 52: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/52.jpg)
Thank You
![Page 53: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/53.jpg)
Incident Handling and the Legal System
- Regulatory
- Criminal law
- Civil law
  ◦ Compensation for damage or loss
  ◦ Damages: compensatory, punitive, statutory
![Page 54: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/54.jpg)
The United States Code, Title 18, Section 1030
- AKA the Computer Fraud and Abuse Act
- Provides for civil and criminal remedies for network misconduct
- Criminalizes attacks on computer networks and damage to protected computers
![Page 55: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/55.jpg)
Laws Relating to Incident Handling
- Computer Security Act of 1987
- US Privacy Act of 1974
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The Electronic Communications Privacy Act of 1986 (ECPA)
![Page 56: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/56.jpg)
Terrorism, Infrastructure Protection and Espionage
- Economic Espionage Act of 1996
- National Information Infrastructure Protection Act of 1996
- Patriot Act of 2001
- Homeland Security Act of 2002
![Page 57: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/57.jpg)
Search/Seizure with Warrant
- The warrant should specify the computer system (computer and related equipment, mouse, keyboard).
- The warrant should specify the computer's role in the offense (attack tool, storage device).
![Page 58: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/58.jpg)
Arrest/False Arrest
- Arrest is a legal process to deprive an individual of his/her freedom. For an incident handler, this would occur only in the unlikely case that you actually see a crime occurring.
- If you don't see it yourself and it isn't urgent, do not deprive a person of their freedom.
![Page 59: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/59.jpg)
Best Evidence
- If a tractor trailer crossing a bridge was hit by a helicopter, you wouldn't normally expect the real evidence to be brought to the courtroom. Instead, photos, models and drawings are used.
- Cyber cases happen at the speed of light and there are times when screen shots, network traces, and so forth must be used. Be ready to prove these are the best evidence available.
![Page 60: Incident Handling Foundations](https://reader036.vdocuments.mx/reader036/viewer/2022070504/56816974550346895de1547b/html5/thumbnails/60.jpg)
Summary
- Preparation is very important.
- Know what your job is.
  ◦ You are not law enforcement.
  ◦ You are not a lawyer.
  ◦ Do not take on more than you can handle.
- Learn from the past and keep improving your incident handling procedures.