Lesson 12 Preparing for Incident Response and the Investigative Process - PowerPoint PPT Presentation
Number of Views:179
Avg rating:3.0/5.0
Slides: 27
Provided by: Kauf
1
Lesson 12: Preparing for Incident Response and the
Investigative Process
2
Overview
  • Preparing for Incident Response
  • Investigative Guidelines

3
Ranum on Forensics
  • "The real value of intrusion detection is
    diagnosing what is going on. Never collect more
    data than you could conceivably want to look at.
    If you don't know what to do with the data, it
    doesn't matter how much you've got."
    • Marcus Ranum
    • Network Flight Recorder

4
Preparing for Incident Response
5
Identify Vital Assets
  • What can damage your organization the most?
  • What concerns you?
  • Who could be a threat?
  • Do hackers concern you?

This step saves you time later
6
Preparing Systems
  • Record cryptographic checksums of critical files
    (MD5)
    • Tripwire is a widely accepted commercial product
  • Increase or enable secure audit logging
  • Build up your hosts' defenses
  • Back up critical data and store the media securely
  • Educate users about security

7
Critical File Preparation
  • Cryptographic checksums or Message Digest (MD)
  • Basically a digital signature
  • MD5 creates a 128-bit checksum from a large file
  • The system administrator creates a checksum of
    each critical file (stored on separate media), then
    compares it against subsequent MD5 runs

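The workflow of slides 6 and 7 (baseline the checksums of critical files, keep the baseline on separate media, then compare later runs against it) as a runnable example. This is an added example, not code from the original deck and not Tripwire's code. It assumes SHA-256 in place of the MD5 named on the slide, because MD5 is no longer collision resistant (the `algorithm` parameter still accepts `"md5"` if you need to match an old baseline); the file names, contents and temporary directory are constructed for the demonstration.

```python
"""Added example (not from the slides): file-integrity baseline and verification.

Assumptions: SHA-256 instead of the slide's MD5; all paths and file contents below
are constructed sample data, not real system files."""
import hashlib
import json
import tempfile
from pathlib import Path


def digest_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (handy for small inputs and tests)."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm="sha256"):
    """Stream a file through the hash so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm="sha256"):
    """Record digest, size and permission bits for every existing file in `paths`."""
    baseline = {}
    for p in map(Path, paths):
        if p.is_file():
            st = p.stat()
            baseline[str(p)] = {
                "algorithm": algorithm,
                "digest": digest_file(p, algorithm),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline, dest):
    """Write the baseline as JSON; in practice `dest` lives on write-once or removable media."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def verify(baseline):
    """Re-hash every baselined file and classify it as unchanged, modified or missing.

    A permission change counts as a modification even when the content digest matches."""
    report = {"unchanged": [], "modified": [], "missing": []}
    for path, rec in baseline.items():
        p = Path(path)
        if not p.is_file():
            report["missing"].append(path)
            continue
        changed = (
            digest_file(p, rec["algorithm"]) != rec["digest"]
            or oct(p.stat().st_mode & 0o7777) != rec["mode"]
        )
        report["modified" if changed else "unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: baseline three files, alter two of them, then verify.

    Returns the report keyed by status with bare file names for readability."""
    d = Path(tempfile.mkdtemp())
    passwd, hosts, sshd = d / "passwd", d / "hosts", d / "sshd_config"
    passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
    hosts.write_text("127.0.0.1 localhost\n")
    sshd.write_text("PermitRootLogin no\n")
    baseline_file = d / "baseline.json"
    save_baseline(build_baseline([passwd, hosts, sshd]), baseline_file)

    # Simulated changes after the baseline was taken (constructed sample data):
    # an unexpected extra account line appended, and the SSH config deleted.
    passwd.write_text("root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")
    sshd.unlink()
    report = verify(load_baseline(baseline_file))
    return {status: sorted(Path(p).name for p in files) for status, files in report.items()}


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Two points the slide's "use separate media" is getting at: the baseline must be stored somewhere the host itself cannot rewrite, and the comparison run must use a hashing tool you trust (the "trusted software" in the response toolkit on slide 14), since a compromised system's own binaries may report whatever the intruder wants.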
8
Unix Auditing
  • Turn on system logging
    • /var/log/syslog
  • Create a central syslog server
    • run syslogd -r
  • Enable process accounting
    • Tracks the command each user executes
    • accton command
    • /usr/lib/acct/startup

9
Windows Auditing
  • By default, security auditing is not enabled
  • NT: Start > Programs > Administrative Tools > User
    Manager
    • In User Manager, select Policies > Audit
    • Logs: .evt files in C:\WINNT\System32\Config
  • WIN2K: Administrative Tools > Local Security
    Policy
    • Logs: .evt files in C:\WINNT\System32\Config

10
Other Steps
  • Application logging
  • Back up critical data
    • Unix: dump, restore, cpio, tar, dd
    • WIN2K: Start > Programs > Accessories > System
      Utilities > Backup
    • NT: NT Backup (NT Resource Kit)
    • WIN98: Start > Accessories > System Utilities > Backup

11
Network Preparations
  • Know your network: document, document, document
    • hardware, software, users
  • Smart topology/architecture
  • Use access control lists (ACLs) on routers

12
Network Preparations (cont'd)
  • Require authentication (host, network, Kerberos,
    IPsec)
  • Audit regularly (manpower intensive)
  • Use the Network Time Protocol (NTP) to synchronize
    all events

13
Organizational Preparations
  • Institute comprehensive policies
  • Institute comprehensive procedures
  • Develop response procedures
    • Fire drills?
  • Create a response toolkit
  • Establish an incident response team
  • Obtain top-level management support
  • Agree to ground rules / rules of engagement

Often overlooked
14
Response Toolkits
  • High-end processor w/lots of memory
  • Large IDE and SCSI drives
  • Backup storage CD-RW and Tape Drives
  • Spare cables
  • Router/Hub and network interface card
  • Digital camera
  • Trusted software
  • Ref: www.computer-forensics.com

15
Establish Incident Response Team
  • Technical experts
  • Management POC
  • Team leader/principal investigator
  • Decide on mission/goal
  • Critical-thinking team players who enjoy
    hard work and long hours

16
IR Professional Organizations
  • Training
    • WWW.SANS.ORG
    • WWW.FOUNDSTONE.COM
    • WWW.CERT.ORG
  • Organizations
    • Information Sharing and Analysis Centers (ISACs)
    • InfraGard
    • High Tech Investigation Association
    • Information Systems Security Association (ISSA)
    • Forum of Incident Response and Security Teams
      (FIRST)

17
Investigative Guidelines
18
Investigative Guidelines
  • Initial assessment
  • Incident notification checklist
  • Investigating
  • Formulating Response Strategy

The initial assessment is not always accurate
19
Initial Assessment
  • What probably happened?
    • Uncertainty reigns
    • Each situation is unique
    • Need to learn enough to determine a course of
      action
  • What is the best response strategy?
    • Does it meet pre-established goals/ROEs?
    • Does it have management support?
    • Will your team need outside help?

20
Incident Notification Checklist
  • WWW.CERT.ORG
  • Collect network maps and know the architecture
  • Verify corporate policies
    • Many actions can only be taken if appropriate
      policies exist

21
Investigating the Incident
  • Prime directive: DO NO HARM
  • Personnel interviews
  • Hands-on activities
  • Many suspected incidents turn into non-events
    • Will the investigation do more damage than the
      incident itself?

22
Investigating the Incident (cont'd)
  • Personnel interviews
    • System administrators' logs
    • Managers know the workforce and the critical data
    • End-users
  • Taking hands-on actions
    • Step carefully
    • May contaminate the crime scene

23
Formulate Response Strategy
  • Declare incident
  • Restore normal operations?
    • Off-line recovery
    • On-line recovery
  • Determine public relations play
    • To spin or not to spin?

24
Formulate Response Strategy (cont'd)
  • Determine probable attacker
    • Internal: handle internally
    • External: prosecute?
  • Determine type of attack
    • DoS, theft, vandalism, policy violation, ongoing
      intrusion
  • Classify victim system
    • Critical server/application?
    • Number of users?

25
Closing Thought
  • "The biggest problem for 2001 was keeping servers
    running MS-Windows products properly patched. We
    have numerous servers, and it's a constant fight to
    keep up with the patch level and test to confirm
    that the new patch doesn't break something. This
    is the same problem for 2002."
    • J.G.
  • Peace of mind depends on the action plan for
    response.

26
Summary
  • Prepare for Incidents
  • Build a good team
  • Rehearse/Practice procedures
  • Perform initial assessment
  • Formulate response
  • Do No Harm