Security Incident Handling & Response

Transcription

1 Security ncident Handling & esponse By ng. Wahab l-hajooj, GCH, L (F) Slide 1

2 genda What is ncident Handling? Why is ncident Handling mportant? ncident Definition ncident Handling Phases ypes of ncidents Questions and Discussion Slide 2

3 What is ncident Handling? ncident Handling is an action plan for dealing with the misuse of computer systems and networks ntrusions Malicious code infection Cyber-theft DoS ther security-related events Have written Procedure and policy in place to know what to do when an incident occurs Slide 3

4 What is ncident Handling? ncident Handling plan should hooks to Disaster ecovery & Business Continuity plans he scope of ncident Handling is greater that just intrusions t covers nsider crime (Unauthorized use, nsider threats) spionage ntellectual property attacks Slide 4

5 Why is ncident Handling mportant? Sooner or later an ncident is going to occur Do you know what to do? t is not a matter of if but when Planning is everything Similar to backup Slide 5

6 ncident Definition he term incident refers to an adverse event in an information system and or network. r the threat of the occurrence of such an event Focus is on detecting deviations from the normal state of the network and systems ncident implies harm or the attempt to harm xample of incidents include: Unauthorized use of another user s account Unauthorized use of system privileges xecution of malicious code that destroys data Slide 6

7 vent Definition n event is an observable occurrence in a system and/or network xample of events include: he system boot sequence system crash Packet flooding within a network Something that you saw flash on the screen Something that you know occurred because it was collected in a log or audit file Slide 7

8 ncident Handling Phases he steps serve the handler as a roadmap Do not skip step Complete an entire given step before moving to the next phase for a single incident Sometime you have to jump back up given changing circumstance Slide 8

9 ncident Handling Phases Slide 9

10 P Policy Documentation Procedures P Power and environmental Controls get our team ready to handle incidents People ransportation Data Supplies Communication Software Hardware Slide 10

11 P P Policy Warning Banners stablish policy and warning banners Warning banner must advise the user that: ccess to the system is limited to company authorized activity ny attempted or unauthorized access, use, or modification is prohibited Unauthorized users may face penalties he use of the system may be monitored and recorded f the monitoring reveals possible evidence of criminal activity, the company can provide the records to law enforcement Have legal team review this banner, approving it in writing Slide 11

12 P P otifying Law nforcement easons you must notify law enforcement: hreat to public health or safety Substantial impact to third party Legal requirement based on industry easons not to notify law enforcement: Control Publicity isk of continued hacking isk of equipment seizure and /or interruption to business Slide 12

13 P P emain Calm ake otes Maintain xcellent otes Management Support Building a eam Key points Your calm can ncidents Communication tends to help others avoid and raise coordination everybody making critical become hey stress help act difficult level as you a governor organize errors on your nswer the own thought speed Use Date a bound and Whom What, imestamp notebook with each When, Where, numbered entry page Why, HW Slide 13

14 P P Key points - Building a eam dentify qualified people to join the team Lega l H Securit y etwork managemen t peratio ns Public relation s bviously, you won t get a full headcount for most of these, but at least make sure there is someone assigned to you Slide 14

15 P P stablish a response time baseline Some firm time between 15 and 90 minutes depending the sensitivity of your computing infrastructure Be able to have person on-site within minutes May not report to H, but May be part of the business unit Slide 15

16 P P Key points Checklists and Comm Plan Prepare system build checklists stablish visibility and compensation plan for the team Develop an mergency Communication plan Print Credit-card sized list of incident response team contact info est your call list to make sure it works Slide 16

17 P P Key points Getting ccess to Systems & Data he ncident handling team needs to be able to access systems Passwords for critical systems and crypto keys Strike a bargain with the operations team Slide 17

18 P P Key points Point of Contact and esources stablish a primary point of contact and an incident command communications center Set up resource acquisition plans for the teams Slide 18

19 P P Key points eporting Facilities stablish a war oom rain the team Cultivate elationships ncourage ntranet Phone Web people site to & devoted -mail report, fax to reporting incident eward Copies secure handling reporting of ools raining nvestigation room evidence techniques Plan for: the training etwork team System administrator Help Desk Slide 19 dministrator s

20 P P Jump Bag Laptop with multiple s Fresh Backup media (CDs, DVDs, HD) Binary backup SW Forensic SW ncryption software Packet sniffers and protocol analyzers vidence gathering accessories HUB Patch cables Call list Cell phone otebooks dditional copies of all incidents forms Slide 20

21 ncident Handling Phases Slide 21

22 D F C he goal of the identification phase is to gather events, analyze them, and determine whether we have an incident Look for harm ttempt to harm Deviations from the norm Slide 22

23 D F C Key points ssign a person to be the primary incident handler deally, assign a helper Control the flow of information nforce a need to know policy ell the details of the incident to the minimum number of people possible Slide 23

24 D F C where does dentification ccur? etwork perimeter Firewalls, routers, DS, DMZ systems Host perimeter dentification occurs when data enters or leaves a host System-level dentification occurs based on activity on the host itself nti-virus tools, file integrity tools Look for unusual (process, services, files, network usage, schedule tasks, accounts, log entries) Slide 24

25 D F C nitial ssessment Determine whether or not an event is actually an incident How much damage could be caused How widely deployed the affected platform? What is the value of the impacted systems so far? Can the vulnerability be exploited remotely? Slide 25

26 D F C stablish chain of custody Maintain a provable chain of custody ach piece of evidence must be under the control identified person When turning over evidence to law enforcement have them sign for it Slide 26

27 ncident Handling Phases Slide 27

28 C M he goal of the containment phase is to stop the bleeding Prevent the attacker from getting any deeper into the impacted system, or spreading to other systems Consist of : 1. Short-term containment 2. System backup-up 3. Long-term Containment Slide 28

29 C M Key points Deploy a small on-site team to survey the situation otify your manager and security officer otify your local or organizational incident handling team pen a ticket help to track issues Slide 29

30 C M Short-term actions Prevent the attacker from causing more damage Some possible short-term actions: Disconnect network cable solate the switch port so the system can not receive or send data pply filter to routers and / or firewalls Change name in DS to point to different P address Pull the power cable Slide 30

31 C M Backup Make a backup of the affected system as soon as practical Use blank media (destination drive should be bigger than source drive) Make a bit-by-bit backup to get all data Keep the system pristine Safely store any backup disks/tapes so that they will not be lost an d/or stolen wo identical copies: riginal (evidence, not to be touched) Backup 1 ( may be put back into production) Backup 2 ( used to create forensic copies for analysis) Slide 31

32 C M Long-term ctions: Patch the system Patch neighboring systems ull routing Change password lter trust relationships pply firewall and router filter rules emove accounts used by attacker Shutdown backdoor processes used by attacker he idea for long-term containment is to apply a temporary band-aid to stay in production while you are building a clean system during eradication phase Slide 32

33 ncident Handling Phases Slide 33

34 D C he goal of the eradication phase is to get rid of the attacker s artifacts on the machine Determine cause and symptoms of the incidents Slide 34

35 D C Key points estoring from Backups Locate the most recent clean backup emoving Malicious software Virus infections Backdoors ootkits and kernel-level ootkits ebuild from scratch Slide 35

36 D C mproving defenses mplement appropriate protection techniques pply firewall /router filters Move the system to new P Changing DS names pply patches Harden the system Slide 36

37 D C Perform vulnerability analysis System vulnerability analysis etwork vulnerability analysis Slide 37

38 ncident Handling Phases Slide 38

39 C V Y he goal of the recovery phase is to put the impacted systems back into production in a safe manner Slide 39

40 C V Y Key points Validate the system Decide when to restore operations Usually off-hours Monitor the system DS and PS S logs and application logs Slide 40

41 ncident Handling Phases Slide 41

42 L S S S L D he goal of the Lessons Learned phase is to document what happened and improve our capabilities Slide 42

43 L S S S L D Key points Lessons learned report Develop a follow-up report Lessons learned meeting Lessons learned pply Fixes Get appropriate a pproval and funding to fix: Processes echnology mprove incident handling capabilities Slide 43

44 ncident Handling Phases Slide 44

45 ypes of ncidents spionage Unauthorized use nsider threats ntellectual property attack Slide 45

46 spionage Stealing information to subvert the interests of an organization or government Many cases of unauthorized access to corporate systems are for espionage purposes Slide 46

47 Unauthorized use he user is allowed normal access, but is abusing it -mail problem hreats/hate speech Spam Malware propagating via attachments Phishing schemes nappropriate Web surfing Slide 47

48 nsider threats threat from an entity with access to your data n employee business partner Slide 48

49 xamples of nsider Casual ntentional Destructive Disables antivirus Downloads untrusted programs Logic bomb Delete data Web defacement threats on-destructive Forwards s Leaves doors open Sells secrets to competition Slide 49

50 hank you Slide 50

51 Questions and Discussion Slide 51