Chapter 4 After Incident Detection

Similar documents
Information Security Incident Response Plan

Information Security Incident Response Plan

MANAGEMENT OF INFORMATION SECURITY INCIDENTS

Certified Information Security Manager (CISM) Course Overview

Financial CISM. Certified Information Security Manager (CISM) Download Full Version :

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Michigan Department of Education

Credit Card Data Compromise: Incident Response Plan

Data Privacy Breach Policy and Procedure

Incident Response. Is Your CSIRT Program Ready for the 21 st Century?

Overview of the. Computer Security Incident Response Plan. Process Resource Center

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Payment Card Industry Data Security Standard (PCI DSS) Incident Response Plan

SECURITY & PRIVACY DOCUMENTATION

Breaches and Remediation

Assessing Your Incident Response Capabilities Do You Have What it Takes?

Forensics and Active Protection

Disaster Recovery and Business Continuity Planning (Mile2)

Digital Forensics. Also known as. General definition: Computer forensics or network forensics

CYBERSECURITY MATURITY ASSESSMENT

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Defining Computer Security Incident Response Teams

Blue Team Handbook: Incident Response Edition

Incident Response Training and Workshop Oct 28, Ralph Durkee Durkee Consulting, Inc.

National College for High Speed Rail DATA BREACH NOTIFICATION PROCEDURE

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

After the Attack. Business Continuity. Planning and Testing Steps. Disaster Recovery. Business Impact Analysis (BIA) Succession Planning

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

What is a Breach? 8/28/2017

DUNS CAGE 5T5C3

Breaches and Remediation

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Cyber Security Incident Response Fighting Fire with Fire

Building and Testing an Effective Incident Response Plan

Certified Information Systems Auditor (CISA)

Real-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant

Business Continuity Planning

University of Pittsburgh Security Assessment Questionnaire (v1.7)

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Data Breach Preparation and Response. April 21, 2017

SANS Institute 2003, All Rights Reserved.

Incident Response Table Tops

THE INTERNATIONAL INSTITUTE OF CERTIFIED FORENSIC ACCOUNTANTS, INC. USA. CERTIFIED IN FRAUD & FORENSIC ACCOUNTING (Cr.

Effective Cyber Incident Response in Insurance Companies

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Scientific Working Group on Digital Evidence

Ansible for Incident Response

Certified Digital Forensics Examiner

Heavy Vehicle Cyber Security Bulletin

Standard for Security of Information Technology Resources

Consumer Protection & System Security Update. Bill Jenkins and Cammie Blais

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Incident Response Plans: The Emergency Shutoff Control for Cyber Risk. Tabitha Greiner, Acumera Chris Lietz, Coalfire

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Cyber Resilience - Protecting your Business 1

Forensics for Cybersecurity. Pete Dedes, CCE, GCFA, GCIH

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

50+ Incident Response Preparedness Checklist Items.

Cybersecurity Auditing in an Unsecure World

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Preservation, Retrieval & Production. Electronic Evidence: Tips, Tactics & Technology. Issues

Bridging the gap: SOC and CSIRT

NIST Standards. October 14, 2016 Steve Konecny

I-9 AND E-VERIFY VENDOR DUE DILIGENCE

Publications. ACH Audit Requirements. A new approach to payments advising SM. Sound Practices Checklists

Certified Digital Forensics Examiner

TEL2813/IS2820 Security Management

Be Secure! Computer Security Incident Response Team (CSIRT) Guide. Plan Establish Connect. Maliha Alam Mehreen Shahid

13 Operational and Security Incident management. IT Governance CEN 667

Information Security Policy

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

Tools & Techniques I: New Internal Auditor

COMPUTER FORENSICS THIS IS NOT CSI COLORADO SPRINGS. Frank Gearhart, ISSA Colorado Springs

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

DATA BREACH NUTS AND BOLTS

BraindumpsVCE. Best vce braindumps-exam vce pdf free download

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

SERVICE DESCRIPTION MANAGED BACKUP & RECOVERY

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Information Security Incident

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Introduction to Business continuity Planning

Safeguarding unclassified controlled technical information (UCTI)

Computer forensics Aiman Al-Refaei

Security Governance and Management Scorecard

EXAM PREPARATION GUIDE

Information Technology General Control Review

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

Data Security and Privacy Principles IBM Cloud Services

Incident Response Data Acquisition Guidelines for Investigation Purposes 1

Compliance Program Assessment Overview of Findings. Report to the Audit and Risk Committee of the Teachers Retirement Board June 8, 2016

Request for Proposal Technology Services, Maintenance and Support

Alberta Reliability Standard Cyber Security Incident Reporting and Response Planning CIP-008-AB-5

Internal Audit Report DATA CENTER LOGICAL SECURITY

Transcription:

Chapter 4 After Incident Detection Ed Crowley Spring 10 1

Topics Incident Response Process SANs Six Step IR Process 1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons learned 7. Lessons learned feeds back into preparation Obtaining Preliminary Information Establishing an Incident Notification Procedure Recording Details after Initial Detection Incident Declaration Assembling the CSIRT Determining Escalation Procedures Implementing Notification Procedures Scoping an Incident Perform Traditional Investigative Steps Interviews Formulating a Response Strategy 2

Incident Response Process Focus on the initial response after detection i.e. detection and analysis. (NIST 800-31). 1. Preparation 2. Detection and Analysis 3. Containment, Eradication, and Recovery 4. Post-Incident Activity 3

SANs Compatible Six Step Incident Handling Process Loop Illustration from SANs. 4

Overview of Initial Response Phase IR Process attributes Rapid and effective decision making Rapid accumulation of forensically sound information Appropriate incident escalation Rapid notification of the participants required to assemble CSIRT 5

Obtaining Preliminary Information Goal Obtain enough information to determine appropriate response. May include: Initial incident notification Recording details CSIRT assembly Traditional investigative steps Conducting interviews Determining whether the incident is to be escalated 6

Establishing an Incident Notification Procedure Requires all employees to participate Establish procedure for users to report potential computer security incident(s) Make an initial response checklist for help desk employees who are not security professionals. 7

Initial Response Checklist Incident date Reporter s contact info Incident: Type Location Date incident first noticed Location s physical security description How incident was detected Since incident, who accessed or touched relevant systems? Who has had physical access to system? Who knows about incident? 8

Initial Response Checklist, Second Section System Details Make and model Operating system Primary system users Sys admin IP & MAC addresses System network name Resident critical info Incident contained or ongoing? Network monitoring needed? System still connected? Backup tapes? Employee need to know? Remedial steps? Information storage 9

Case Names and Notes Case notes are any documentation that records steps taken during incident response process 10

Incident Declaration In a few cases, it may be difficult to determine if an incident occurred. That is, difficult based on details recorded in the initial response checklist. Check Scheduled maintenance Unscheduled downtime Recent system upgrades, patches, etc? Testing? Employee suspicions 11

Assembling the CSIRT Many organizations utilize dynamic CSIRTs in response to a particular situation or incident. In contrast to an established, centralized team dedicated to incident response. One of incident response s biggest challenges is knowing who, and when, to contact 12

Determining Escalation Procedures For each incident, a determination must be made as to whether the incident will be handled at the local or at the corporate level. 13

Implementing Notification Procedures Organizations need a central contact point. And a notification checklist Points of contact that need to be maintained: HR General counsel Network operations Corporate investigations Physical security Outside LE Other business units 14

Internal Investigations Often require a different notification process than external security incidents. Notification should only include people that: Need to know and can help Will not be confused, panicked, otherwise hinder the investigation Are not close friends of the suspects Should employ the need to know principle 15

Scoping an Incident IR requires Rapid decisions A capable principal investigator Size of team depends upon number of involved: Hosts O/Ss Systems Investigation Timeframe Potential exposure or case profile Litigation likelihood Subjects awareness of investigation 16

Assigning a Team Leader All computer related investigations require professionals who understand the incident s: Technical aspects Computer security incident investigative process 17

Team Leader s Tasks Manage CSIRT Interview process Provide status Ensure utilization of best practices Provide overall incident analysis Protect evidence Verify evidence s chain of custody If necessary, perform forensic duplication and analysis Compile, manage, and present the investigative report Offer management recommendations Understand Legal issues Corporate policies Provide an unbiased investigation 18

Technical Staff Often part time or temporary Need to have Complete O/S knowledge Ability to review logs, audit trails, other trace evidence Understand evidence handling process Perform proper damage assessments Assist in determining incident scope Determine incident nature Identify specific technical details Maintain perspective Document everything Support team leader When needed, perform interviews 19

Perform Traditional Investigative Steps Host based evidence Network based evidence Other evidence 20

Sample Interview Questions What happened? When did it happen? What systems are relevant /compromised/involved? Who did it? Who uses affected/relevant systems? What actions have already been taken? What is the relevant corporate policy? 21

Interviewees System Administrators Managers End Users 22

Formulating a Response Strategy Likely, response strategy development will be an iterative process. Many options examined before final response strategy is implemented. Policy Verification 23

Questions? 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback