Why?

Transcription

1 SEC 211 Incident Response Oh no, we ve been hacked! Now what do we do?

2 Why?

3 Typical incident response process 1. Oh no, we got hacked! 2. Look for the easy solution 3. Failing that, observe the damage for a time 4. Update resume and await execution

4 There s a better way Why wait until your first attack? Affects decision-making Costs more Make it part of your security policy and risk mitigation strategy Real benefits No panic attacks process guides response Financial discounts from insurance company Service provider help win business

5 Taxonomy of security work Prevention Detection Reaction IT budget

6 The process Minimize the number and severity of incidents Assemble the core computer security incident response team Define an incident response plan

7 Minimize Incidents

8 Know your stuff! Where are your backups? Are they good? What assets are you trying to protect? What are the threats against them? What vulnerabilities might the assets have? How likely are those threats to materialize? What is normal traffic on your network? How fast should the network typically respond? Who sends us ? Who should be? Are your computers protected from theft?

9 Where does this fit? Prevention Detection Reaction IT budget

10 Risk assessment High Yes! We worry! Ris k What? Me worry? Low Asset Value High

11 It s got to cover all layers Data Application Host Internal network Perimeter Physical security People, policies, and process

12 Sample classification schemes Physical Where is the asset? How is access obtained? Public area Employee-onlyonly Controlled Available during business hours Card-key readers Card-key, PIN, and palm print Network Access from where? Wired corpnet Wireless corpnet VPN Kiosks Internet How to authenticate? Domain logon (human and PC) Domain logon plus certificates (human and computer) Domain logon, smartcard, quarantine Disallowed Disallowed except from corp PC

13 Startwiththe soft the stuff Establish, enforce, and measure policies If you can t measure it, drop it A lot of incidents happen by accident Get management support Begin regular security training ILOVEYOU! Most worms target carbon, not silicon Think about security banners That they stop prosecution is an urban legend But they remind people of their responsibilites

14 Don t neglect periodic maintenance Conduct regular vulnerability assessments Do it yourself or hire a consultant, your choice Run away from checklist slaves Are they bondable? Do you trust them? (the daughter test ) Don t forget to test social engineering Get permission! i

15 Don t neglect periodic maintenance Keep your systems patched and up-to-date Clients: come on, start using a patch management tool Servers: your choice, be mindful of reboots

16 Important technical controls Strong password policies Passphrases are better though Monitor and analyze network traffic and system performance Learn what normal means for you

17 Important technical controls Routinely check all logs But they re useful only after you ve already learned normal Verify backups Do restores actually work? Is the media still functioning? i Who can perform?

18 Assemble the Core CSIRT

19 The core CSIRT These are the people who respond to all incidents Require responsibility and authority Clearly-defined duties: eliminates not my job! Who pulls the LAN cable? Under what conditions? Build this before you get attacked Make it part of their regular job description Include in job performance goals Give them periodic drills for practice

20 Successful teams Monitor for security breaches Act as communications central Receive reports of incidents Disseminate information about incidents Document incidents Promote security awareness inside the company Support system and network auditing Vulnerability assessments, penetration testing Remain abreast of new vulnerabilities and attacks Research software patches Analyze and implement new processes and technologies for reducing vulnerabilities and risk

21 Team preparation Train to use good tools Where are they? How to use them? Rapidly available specialized laptops used only for this Be sure to protect them when not in use!

22 Team preparation Train to use good tools Assemble all relevant communication info Contact names and numbers CSIRT team Admins and owners Legal Public/media relations ISP Law enforcement Involve legal in any dealings with law enforcement and when gathering evidence

23 Team preparation Train to use good tools Assemble all relevant communication info Keep emergency info in central offline storage Passwords IP addresses Router configurations Firewall rulesets Certification authority keys Contact names and numbers Escalation procedures If electronic, encrypt it then lock it up!

24 Team roles Team Lead In charge of the team s activities Coordinates reviews of team s actions Authorized to change policies and procedures

25 Team roles Team Lead Incident Handler Incident Handler Incident Handler Incident Handler Incident Handler Do the actual work

26 Team roles Team Lead Incident Handler Incident Handler Lead Incident Handler Incident Handler Incident Handler Owns a particular incident Coordinates all communication about the incident Represents entire CSIRT to those outside Might vary, depending on incident particulars

27 Team roles Team Lead Incident Handler Incident Handler Incident Handler Incident Handler Incident Handler Associate Member Associate Member Associate Member Associate Member From various departments throughout your company Specialize in areas affected by security incidents Participate in incidents or delegate to another in their area

28 Associate members IT contact Legal representative PR officer Management Coordinates communications between incident lead and rest of IT department Lawyer familiar with incident response policies; determines how to proceed. Involved before incidents, evaluates response policies to ensure you aren t at legal risk during containment If we shut down, do we violate service agreements? If we don t shut down, are we liable if someone else gets attacked from the compromised system? Crafts message for the public and handles all media inquiries Either departmental or company-wide; determines total impact (financial and otherwise) to the company; directs communications officer and interaction with law enforcement agencies

29 Response roles Inc. lead IT contact Legal repr. PR officer Mgmt. Initial assessment Owns Advises Initial response Owns Implements Updates Updates Updates Collects forensic Implements Advises Owns evidence Implements temporary fix Owns Implements Updates Updates Advises Sends communication Advises Advises Advises Implements Owns Checks with law Updates Updates Implements Updates Owns enforcement Implements Owns Implements Updates Updates Updates permanent fix Determines business impact Updates Updates Advises Updates Owns

30 Define an Incident Response Plan

31 Where does this fit? Prevention Detection Reaction IT budget

32 Incident response is not Panic Paranoia Frustration Giving up

33 Plan components Make an initial assessment Communicate the incident Contain the damage and minimize the risk Identify the type and severity of the compromise Protect evidence Notify external agencies (if appropriate) Recover systems Compile and organize incident documentation Assess incident damage and cost Review the response and update policies Test this process regularly! It s the only way you can be sure that it will work when the time comes

34 Not purely sequential Throughout incident In conjunction Some sequence Documentation Communication Initial assessment + damage containment 1.Identify type and severity 2.Contain damage and minimize risk

35 Make an initial assessment Is it really a bad guy? An admin doing his/her job might appear malicious Is it a configuration problem? Causing the IDS to report too many false positives Start trying to determine type and severity Get enough info for further study and communication How will you contain it? Record everything you do Not acting on a real incident is worse than acting on a false positive, but don t take too much time to figure it out

36 Communicate the incident If it s real then communicate to entire CSIRT Identify an incident lead and appoint handling team members Determine who outside CSIRT to contact Maintains coordination Minimizes damage Headline in newspaper could be more damaging Don t want to tip off the attacker

37 Contain the damage Acting quickly and decisively can make the difference between a minor attack and a major one Helpful priorities 1.Protect human life and peoples safety 2.Protect classified and sensitive data 3.Protect other data (proprietary, scientific, managerial) 4.Protect hardware and software 5.Minimize i i disruption of computing resources The goal: get back online as soon as possible while protecting people and preserving that which keeps us in business

38 Contain the damage Don t let the bad guy know you re on to him A wholesale password change, while necessary, will also be a give-away Do you unplug or not? Compare cost of yes or no Will you violate an SLA? Which h is more expensive? Next time: incorporate such decision into the SLA itself Disable bad guy s ingress point Modem firewall rule physical entry Rebuild new system with new hard drives Lock up existing ones to preserve forensic evidence Change passwords, especially administrative i ti

39 Determine nature of the attack Might be different from initial assessment What s the origin? What s the intent Are we a specific target? Just a random victim? Why us? (information, bandwidth, ) Which systems are compromised? Which files have been accessed? How sensitive are they? Helps direct how you will recover Incident response plan should guide your responses as you learn more about the attack

40 Determine severity of the attack Work with other CSIRT members Do they agree with your assessment? Any unauthorized physical access? Any unauthorized hardware suddenly appearing? Any new, unexpected members in admin groups? Any new startup programs? Any gaps in logs? Or completely missing? Anything else weird in them? Unexpected or unusual access failures or successes Strange times (nonworking hours) Permissions changes or elevations What s different now compared to previous integrity check? Any non-business data? (porn, music, warez) Any employee data now in a bad place? You might have to deal with privacy issues now Any change in performance?

41 Comparing against a baseline Best way to know what s changed Works only if you know your previously-recorded recorded baseline hasn t already been compromised My favorite tool: TripWire Others EventCombMT DumpEL Microsoft Operations Manager

42 Collect and protect evidence Prosecution should be the least of your worries but make backups anyway Make two bit-for for-bit backups First: on write-once media (DVD±R) Use in case you decide to prosecute; keep physically secure Second: on brand-new new hard drive Use for data recovery Document everything you do with them Physically secure original compromised disks Will become evidence if you prosecute Rebuild system with new drives

43 Collect and protect evidence There s always that trade-off Does the cost of preserving data outweigh the cost of delaying response and recovery? Is rapid recovery the most important t thing for you? Comprehensive backups might be impossible for very large systems Limit to system state, logs, breached portions of systems If you can figure it out!

44 Document document document! If you do prosecute, questions about your evidence will arise Every jurisdiction has its own requirements for acceptable evidence Maintain detailed and complete documentation Who did what when and how Sign and date every page

45 Notify external agencies Potential agencies Local and national law enforcement (especially if loss is financial) External security agencies (their experience is helpful) l) Malware experts Coordinate with your legal representative e What kind of public notification? Depends on your industry Depends on whether customers were affected

46 Media attention If you re a high-profile company, expect attention! Rarely desirable, often unavoidable Incident response plan describes Who s allowed to interact What they re allowed to say Whether you notify media or wait for their call Speaking of notification Consider how to spin it to your advantage Being honest, showing how you re improving could actually win customers Don t lie about it, of course reputation reputation damage

47 Compile and organize documentation What was the attack? How did we respond? Who When Why Organize, sign, then review with management and legal representative Consider dual sign-offs increases likelihood of evidence acceptance All this absolutely critical if you suspect an insider

48 Assess damage and cost Direct and indirect costs Loss of competitive edge (because of release of confidential information) Legal costs Labor costs incident analysis and recovery Downtime costs Lost productivity Lost sales Replaced hardware, software, other property p Costs of updating physical security Consequential damages reputation, trust

49 Review and update After you ve cleaned it all up, review your response What went well? What needs improvement? How will we get better next time? Update policies Can we make them better? Opportunities to streamline? Anything we need to strengthen? th Consider new technologies Can we improve our prevention mechanisms?

50 More Information

51 Learn more Handbook for Computer Security Incident Response Teams by Moira J. West Brown, et al /03.reports/03hb002.html Forum of Incident Response and Security Teams

52 Steve Riley technet com/steriley 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.