Incidence Response - PowerPoint PPT Presentation
Slides: 23
Provided by: Ryan85
Transcript and Presenter's Notes
1
Incidence Response
(Incident Response & Computer Forensics, Second Edition, Chris Prosise and Kevin Mandia)
2
Outline
  • Introduction to the Incident Response Process
  • What is a computer security incident?
  • What are the goals of incident response?
  • Who is involved in the incident response process?
  • Incident response methodology.

3
What is a computer security incident?
  • A computer security incident is any unlawful, unauthorized, or unacceptable
    action that involves a computer system or a computer network. Examples:
  • Theft of trade secrets.
  • Email spam or harassment.
  • Unauthorized or unlawful intrusion into computing systems.
  • Denial-of-service (DoS) attacks.

4
What are the goals of incident response?
  • The incident response methodology emphasizes the goals of corporate
    security professionals with legitimate business concerns, but it also
    takes into account the concerns of law enforcement officials. It:
  • Confirms or dispels whether an incident occurred.
  • Establishes controls for proper retrieval and handling of evidence.
  • Minimizes disruption to business and network operations.
  • Provides accurate reports and useful recommendations.
  • Provides rapid detection and containment.
  • Educates senior management.

5
Who is involved in the incident response process?
  • Incident response is a multifaceted discipline. It demands a myriad of
    capabilities that usually require resources from several different
    operational units of an organization.
  • A Computer Security Incident Response Team (CSIRT) is formed to respond
    to any computer security incident.

6
Incident response methodology
  • There are seven major components of incident response:
  • Pre-incident preparation
  • Detection of incidents
  • Initial response
  • Formulate response strategy
  • Investigate the incident
  • Reporting
  • Resolution

7
Seven components of incident response
Diagram of the seven components: Pre-Incident Preparation; Incident Occurs (Point-In-Time or Ongoing); Detection of Incidents; Initial Response; Formulate Response Strategy; Reporting; Resolution (Recovery, Implement Security Measures).
8
Pre-incident Preparation (1/2)
  • Preparing the Organization
  • Implement host-based security measures.
  • Implement network-based security measures.
  • Training end users.
  • Employing an intrusion detection system (IDS)
  • Creating strong access control.
  • Performing timely vulnerability assessments.
  • Ensuring backups are performed on a regular basis.

9
Pre-incident Preparation (2/2)
  • Preparing the CSIRT
  • The hardware needed to investigate computer
    security incidents.
  • The software needed to investigate computer
    security incidents.
  • The documentation needed to investigate computer
    security incidents.
  • The appropriate policies and operating procedures
    to implement your response strategies.
  • The training your staff or employees require to perform incident
    response in a manner that promotes successful forensics,
    investigations, and remediation.

10
Detection of Incidents (1/2)
Table: indicators of an incident at Company X and the functional areas that report them.
Indicators
  • IDS detection of remote attack
  • Numerous failed logon attempts
  • Logins into dormant or default accounts
  • Activity during nonworking hours
  • Unfamiliar files or executable programs
  • Altered pages on web server
  • Gaps in log files or erasure of log files
  • Slower system performance
  • System crash
Functional areas
  • IDS
  • End user
  • Help desk
  • System administrator
  • Security
  • Human resources
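Three of the indicators in the table (numerous failed logon attempts, logins into dormant or default accounts, activity during nonworking hours) can be checked mechanically. The following is an added example, not from the presentation or the book; the log lines, the threshold, the dormant-account list and the working-hours range are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth log (sshd-style lines); not taken from a real system.
SAMPLE_LOG = """\
2024-03-02 02:13:05 sshd: Failed password for root from 203.0.113.7
2024-03-02 02:13:07 sshd: Failed password for root from 203.0.113.7
2024-03-02 02:13:09 sshd: Failed password for admin from 203.0.113.7
2024-03-02 02:13:11 sshd: Failed password for admin from 203.0.113.7
2024-03-02 02:13:14 sshd: Failed password for oracle from 203.0.113.7
2024-03-02 02:14:01 sshd: Accepted password for guest from 203.0.113.7
2024-03-02 09:30:44 sshd: Accepted publickey for alice from 192.0.2.10
2024-03-02 10:02:19 sshd: Failed password for bob from 192.0.2.11
"""

LINE_RE = re.compile(r"^(\S+ \S+) sshd: (Failed|Accepted) \w+ for (\S+) from (\S+)$")

# Assumed tuning values; adjust to the environment being monitored.
FAILED_LOGON_THRESHOLD = 5                        # "numerous failed logon attempts"
DORMANT_OR_DEFAULT = {"guest", "oracle", "test"}  # "dormant or default accounts"
WORK_HOURS = range(8, 18)                         # outside this = "nonworking hours"

def parse(log_text):
    """Parse matching lines into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_indicators(log_text):
    """Return (indicator, detail) pairs for the three table indicators checked here."""
    events = parse(log_text)
    findings = []
    failures = Counter(src for _, outcome, _, src in events if outcome == "Failed")
    for src, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("failed_logons", f"{n} failures from {src}"))
    for ts, outcome, user, src in events:
        if outcome == "Accepted" and user in DORMANT_OR_DEFAULT:
            findings.append(("dormant_account_login", f"{user} from {src} at {ts}"))
        if outcome == "Accepted" and ts.hour not in WORK_HOURS:
            findings.append(("nonworking_hours", f"{user} from {src} at {ts}"))
    return findings

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Each finding is a candidate for the critical details recorded on the next slide (time, reporter, nature of the incident, systems involved), not a confirmed incident by itself.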
11
Detection of Incidents (2/2)
  • Some of the critical details include the following:
  • Current time and date
  • Who/What reported the incident
  • Nature of the incident
  • When the incident occurred
  • Hardware/software involved
  • Points of contact for involved personnel

12
Initial Response
  • One of the first steps of any investigation is to obtain enough
    information to determine an appropriate response. This involves:
  • Assembling the CSIRT
  • Collecting network-based and other data
  • Determining the type of incident that has occurred
  • Assessing the impact of the incident.
  • The initial response does not involve touching the affected system(s).

13
Formulate response strategy (1/3)
  • Considering the Totality of Circumstances
  • How many resources are needed to investigate an incident?
  • How critical are the affected systems?
  • How sensitive is the compromised or stolen information?
  • Who are the potential perpetrators?
  • What is the apparent skill of the attacker?
  • How much system and user downtime is involved?
  • What is the overall dollar loss?

14
Formulate response strategy (2/3)
  • Considering Appropriate Responses

Table: example of matching an incident to a response strategy and its likely outcome.
  Incident: DoS attack
  Example: TFN DDoS attack
  Response strategy: Reconfigure router to minimize the effect of the flooding.
  Likely outcome: Effect of attack mitigated by router countermeasures.
    Establishing the perpetrator's identity may require too many resources
    to be a worthwhile investment.
15
Formulate response strategy (3/3)
  • Response strategy options should be quantified with pros and cons
    related to the following:
  • Estimated dollar loss.
  • Network downtime and its impact on operations.
  • User downtime and its impact on operations.
  • Whether or not your organization is legally compelled to take certain
    action.
  • Public disclosure of the incident and its impact on the organization's
    reputation/business.
  • Taking Action
  • Legal Action
  • Administrative Action

16
Investigate the Incident
  • The investigation phase involves determining the
    who, what, when, where, how, and why surrounding
    an incident.
  • A computer security investigation can be divided into two phases:
  • Data Collection
  • Forensic Analysis

17
Possible investigation phase steps
Data Collection
  • Network-Based Evidence
    • Obtain IDS Logs
    • Obtain Existing Router Logs
    • Obtain Relevant Firewall Logs
    • Obtain Remote Logs from a Centralized Host (SYSLOG)
    • Perform Network Monitoring
    • Obtain Backups
  • Host-Based Evidence
    • Obtain the Volatile Data during a Live Response
    • Obtain the System Time
    • Obtain the Time/Date Stamps for Every File on the Victim System
    • Obtain all Relevant Files that Confirm or Dispel the Allegation
    • Obtain Backups
  • Other Evidence
    • Obtain Oral Testimony from Witnesses
Analysis
  1. Review the Volatile Data.
    • Review the Network Connections.
    • Identify Any Rogue Processes (Backdoors, Sniffers).
  2. Analyze the Relevant Time/Date Stamps.
    • Identify Files Uploaded to the System by an Attacker.
    • Identify Files Downloaded or Taken from the System.
  3. Review the Log Files.
  4. Identify Unauthorized User Accounts.
  5. Look for Unusual or Hidden Files.
  6. Examine Jobs Run by the Scheduler Service.
  7. Review the Registry.
  8. Perform Keyword Searches.

18
Performing Forensic Analysis
Diagram: forensic analysis workflow, divided into Preparation of Data and Analysis of Data. Steps shown:
  • Create a Working Copy of all Evidence Media
  • Perform Forensic Duplication
  • Recover Deleted Data
  • Recover Unallocated Space
  • Create File Lists
  • Perform Statistical Data (Partition Table, File System)
  • Identify Known System Files
  • Perform File Signature Analysis
  • Review Data Collected During Live Response
  • Review all the Network-Based Evidence
  • Search for Relevant Strings
  • Extract Email and Attachments
  • Review Browser History Files
  • Review Installed Applications
  • Perform Software Analysis
  • Identify and Decrypt Encrypted Files
  • Perform File-by-File Review
  • Perform Specialized Analysis
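Three of the steps above and on the previous slide (analyze time/date stamps to identify files uploaded by an attacker, look for unusual or hidden files, perform file signature analysis) can be illustrated on a file list. This is an added example, not code from the presentation or the book; it works on a constructed in-memory list of (path, modification time, first bytes) in place of a real file list taken from a forensic duplicate, and the incident window is an assumed value.

```python
from datetime import datetime

# Well-known leading bytes for a few file types, keyed to the extension they imply.
SIGNATURES = {
    b"\x7fELF": "elf",
    b"MZ": "exe",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

# Constructed file list (path, last-modified time, first bytes); not from a real system.
SAMPLE_FILES = [
    ("/var/www/html/index.html", "2024-02-10 11:00:00", b"<!DOCTYPE html>"),
    ("/var/www/uploads/photo.jpg", "2024-03-02 02:15:30", b"\x7fELF\x02\x01\x01"),
    ("/var/www/uploads/cat.jpg", "2024-02-20 14:02:11", b"\xff\xd8\xff\xe0\x00\x10"),
    ("/tmp/.x/sniff", "2024-03-02 02:16:02", b"\x7fELF\x02\x01\x01"),
    ("/home/bob/report.pdf", "2024-03-01 16:40:00", b"%PDF-1.7"),
]
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def detect_type(header):
    """Map leading bytes to a type name, or None when no known signature matches."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None

def signature_mismatches(files):
    """File signature analysis: extension claims one known type, header says another."""
    out = []
    for path, _, header in files:
        base = path.rsplit("/", 1)[-1]
        ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
        actual = detect_type(header)
        if actual and ext in SIGNATURES.values() and ext != actual:
            out.append((path, ext, actual))
    return out

def modified_in_window(files, start, end):
    """Time/date stamp analysis: files changed inside the suspected incident window."""
    s, e = datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT)
    return [p for p, mtime, _ in files if s <= datetime.strptime(mtime, TIME_FMT) <= e]

def hidden_paths(files):
    """Unusual or hidden files: any dot-prefixed path component."""
    return [p for p, _, _ in files if any(c.startswith(".") for c in p.split("/") if c)]
```

Results from the three checks are leads to be confirmed against the volatile data and log review, not conclusions on their own.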
19
Reporting
  • Some guidelines to ensure that the reporting phase does not become
    your CSIRT's nemesis:
  • Document immediately.
  • Write concisely and clearly.
  • Use a standard format.
  • Use an editor.

20
Resolution
  • In this phase, you contain the problem, solve the problem, and take
    steps to prevent the problem from occurring again.
  • The following steps are often taken to resolve a computer security
    incident:
  • Identify your organization's top priority.
  • Determine the nature of the incident.
  • Determine if there are underlying or systemic causes for the incident.
  • Restore any affected or compromised system.

21
  • Apply corrections required to address any
    host-based vulnerabilities.
  • Apply network-based countermeasures such as
    access control lists, firewalls, or IDS.
  • Assign responsibility for correcting any systemic
    issue.
  • Track progress on all corrections.
  • Validate that all remedial steps or
    countermeasures are effective.
  • Update your security policy and procedures as
    needed to improve your response process.

22
Conclusion
Diagram (repeated from slide 7) of the seven components: Pre-Incident Preparation; Incident Occurs (Point-In-Time or Ongoing); Detection of Incidents; Initial Response; Formulate Response Strategy; Reporting; Resolution (Recovery, Implement Security Measures).