Incident Response
Christian Seifert
IMT551
31st October 2007
Definition
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs. (http://it.jhu.edu/glossary/ghi.html)
2/16
Examples
• Lost notebook
• Positive anti-virus classification on workstation
• Denial of Service on web server
• Database server sends SPAM
• Unauthorized access on the premises
• Deleted budget files on the file server
3/16
Traditional Attack Pattern
• Locate
• Gain user access
• Escalate privileges
• Cover tracks
• Ensure future access (backdoor)
• Launch further attacks (stepping stone)
4/16
Incident Response Phases
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow-Up
Phases per incident
5/16
Preparation
• Create your Incident Response Plan
• Form an Incident Response Team
• Educate users & inform management
• Forensic Readiness
– The ability of an organization to maximize its potential to use digital evidence whilst minimizing the cost of an investigation
6/16
Incident Response Plan
• Background
• Definitions
• Incident classification
• Reporting
• Business Continuity
• Process Flow
• Example Incidents
7/16
Incident Classification & Handling
• What constitutes an incident?
• What happens when an incident is detected?
• Things to consider:
– Business needs
– Costs/ Resources
– Legal aspects
– Chain of custody
8/16
Proactive/Reactive Incident Response
• The term “Response” indicates a reactive setup
• However, proactive incident “response” is also possible and recommended:
– Staying informed about vulnerabilities
– Education
– Auditing/ Penetration Testing
9/16
Identification
• Recognize and report an incident
– Users via help desk
– IDS/ Honeypots
– Could be an outside source
• Determine whether it is an incident
• Assessment & Prioritize (Triage process)
• Communication
• KEEP A LOG BOOK!
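The log book demanded on this slide, the chain of custody listed under Incident Classification & Handling, and the forensic readiness goal from Preparation all rest on the same thing: a record of who did what, when, and to which evidence, that cannot be quietly rewritten afterwards. The Python below is an added example and not part of the original slides: a tamper-evident incident logbook in which every entry carries the SHA-256 of the entry before it, and evidence files are recorded with their hash and size at the moment of collection. The handler names, hosts and log contents are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large captures or disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class IncidentLog:
    """Append-only log book. Each entry stores the hash of the previous entry, so
    editing or deleting an earlier entry breaks every hash that follows it."""

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(body):
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def record(self, handler, action, detail=None, when=None):
        """Append one entry: who (handler), what (action), free-form detail, UTC time."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "action": action,
            "detail": detail or {},
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)  # hash covers all fields above
        self.entries.append(entry)
        return entry

    def record_evidence(self, handler, path, description, when=None):
        """Chain-of-custody entry: the file's hash and size are fixed at collection time."""
        detail = {
            "path": path,
            "description": description,
            "sha256": sha256_file(path),
            "size": os.path.getsize(path),
        }
        return self.record(handler, "evidence_collected", detail, when)

    def verify(self):
        """Recompute the whole chain. Returns (True, None) or (False, first bad seq)."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False, e["seq"]
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if self._entry_hash(body) != e["entry_hash"]:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None


def build_sample_log():
    """Constructed scenario (not real data): the 'Database server sends SPAM'
    example from the slides, worked through the identification stage."""
    tmpdir = tempfile.mkdtemp()
    evidence = os.path.join(tmpdir, "mail.log")
    with open(evidence, "wb") as f:  # constructed stand-in for a copied mail log
        f.write(b"Oct 31 08:12:03 db01 postfix/smtp[4411]: relay=198.51.100.7[198.51.100.7]:25\n"
                b"Oct 31 08:12:04 db01 postfix/smtp[4411]: status=sent (250 OK)\n")
    log = IncidentLog()
    log.record("alice", "report_received",
               {"source": "help desk", "summary": "db01 relaying outbound mail"})
    log.record("alice", "triage",
               {"classification": "compromised host", "priority": "high"})
    log.record_evidence("bob", evidence, "mail log copied from db01 before containment")
    log.record("bob", "containment", {"step": "outbound SMTP from db01 blocked at firewall"})
    return log, evidence


if __name__ == "__main__":
    log, path = build_sample_log()
    print("chain intact:", log.verify())
    log.entries[1]["detail"]["priority"] = "low"  # simulate a later edit
    print("after tampering:", log.verify())
```

The chain only detects modification; it does not prevent it. In practice the log is kept in a location the handlers cannot silently rewrite, and the latest `entry_hash` is periodically copied somewhere independent (printed, e-mailed to management, or signed) so that truncating the tail of the log is also detectable.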
10/16
Containment
• Limit the scope and magnitude of the incident
• Steps to take:
– Stay low – do not alert the attacker
– Create backups for analysis
– Put your attention on systems at risk (i.e. systems the compromised system has access to or interacts with regularly)
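Deciding which systems are "at risk" in the sense of this slide is easier when it is derived from connection records rather than from memory. The Python below is an added example, not part of the original slides: it parses a small constructed flow log (the format, hosts and timestamps are invented for illustration), builds a graph of who connected to whom, and reports the hosts the compromised system could reach within a chosen number of hops, the hosts that initiated connections into it, and any external addresses contacted along the way.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed flow records (not real traffic); 10.0.5.21 is the compromised host.
SAMPLE_FLOWS = """\
2007-10-31T08:12:03Z src=10.0.5.21 dst=10.0.5.40 dport=1433 proto=tcp
2007-10-31T08:14:55Z src=10.0.5.21 dst=10.0.9.7 dport=445 proto=tcp
2007-10-31T08:20:10Z src=10.0.9.7 dst=10.0.9.8 dport=445 proto=tcp
2007-10-31T09:01:44Z src=10.0.5.40 dst=10.0.5.21 dport=22 proto=tcp
2007-10-31T09:05:00Z src=10.0.7.3 dst=10.0.7.4 dport=80 proto=tcp
2007-10-31T09:30:12Z src=10.0.5.21 dst=203.0.113.9 dport=25 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flows(text):
    """Parse key=value flow lines into dicts; a malformed line is an error, not skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append({"time": m["time"], "src": m["src"], "dst": m["dst"],
                      "dport": int(m["dport"]), "proto": m["proto"]})
    return flows


def systems_at_risk(flows, compromised, max_hops=2, internal_nets=("10.0.0.0/8",)):
    """Scope a containment action around `compromised`.

    downstream:    internal hosts reachable via outbound connections, with hop count
    external:      non-internal addresses contacted by any host on those paths
    inbound_peers: hosts that opened connections to the compromised host
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(host):
        return any(ipaddress.ip_address(host) in n for n in nets)

    outbound = defaultdict(set)
    inbound = defaultdict(set)
    for f in flows:
        outbound[f["src"]].add(f["dst"])
        inbound[f["dst"]].add(f["src"])

    downstream, external = {}, set()
    seen = {compromised}
    queue = deque([(compromised, 0)])
    while queue:  # breadth-first, so the first time a host is seen is its shortest hop
        host, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt in outbound[host]:
            if nxt in seen:
                continue
            seen.add(nxt)
            if is_internal(nxt):
                downstream[nxt] = hops + 1
                queue.append((nxt, hops + 1))
            else:
                external.add(nxt)  # external hosts are recorded but not expanded

    return {
        "downstream": downstream,
        "external": external,
        "inbound_peers": set(inbound[compromised]) - {compromised},
    }


if __name__ == "__main__":
    report = systems_at_risk(parse_flows(SAMPLE_FLOWS), "10.0.5.21")
    for host, hops in sorted(report["downstream"].items(), key=lambda kv: kv[1]):
        print(f"at risk: {host} ({hops} hop{'s' if hops > 1 else ''})")
    print("external contacts:", sorted(report["external"]))
    print("inbound peers:", sorted(report["inbound_peers"]))
```

The hop limit is the practical knob: one hop lists the systems the attacker could reach directly from the compromised host, two hops includes the stepping-stone pattern from the Traditional Attack Pattern slide. Hosts with no path to or from the compromised system (10.0.7.3 and 10.0.7.4 in the sample) stay out of scope, which keeps the containment work focused.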
11/16
Eradication
• Problem is eliminated
• Steps to take:
– Determine the problem
– Determine mitigation (for example, patching the system)
12/16
Recovery
• System is returned to functional status
• Steps to take:
– Restore system
– Apply mitigation strategy
– Closely monitor the system
13/16
Follow Up
• Identify lessons learned that will prevent future incidents
• Determine costs
• Steps to take:
– Create incident report with recommended changes
– Send recommendations to management
– Implement changes
14/16
Challenges
• Incident Response is difficult to do right
• High level of experience required to investigate and assess technical incidents
• Tendency to restore systems without following incident response procedures
15/16
Resources
• http://www.ussecurityawareness.org/highres/incident-response.html
• DOD CSIRTM Training CD-ROMs: http://www2.norwich.edu/mkabay/infosecmgmt/disa_cirtm_cdrom.zip
• http://staff.washington.edu/dittrich/
16/16