Incident Response

1
Incident Response

• Proper Handling of
• Security Incidents

2
Goals of Incident Response

• Determine if legally protected data is present
• If such data is present, preserve the state of
  the computer at that moment as best as possible
  without risk to the user
• Maintain or restore normal operations status for
  the user
• Prevent the incident from recurring

3
Definitions

• Compromise incident resulted in unauthorized
  person(s) having the ability to access files on
  the hard disk.
• Sensitive data legally protected data
• Social security numbers
• Drivers license numbers
• Credit card numbers
• Bank account numbers
• HIPAA (health care)

4
Determine if the Computer has Sensitive Data

• Always assume sensitive data is present
• Many people are not aware that they have
  sensitive data on their computer
• Do not run Windows Spider or any other local
  scanning tool including antivirus natively!
• Port scanning or remote vulnerability scanning is
  okay

5
Determine if the Computer has Sensitive Data

• Unplug the system from the network and shut down
• One of two options
• Forensic write blocker dock
• Remove drive
• Install in Forensic Write Blocker dock and
  install in another system
• Run Windows Spider
• Helix
• Boot affected system on Helix
• Follow procedure for using Spider from Helix

6
Handling Incidents With Sensitive Data

• Document all actions by all parties
• The IT Manager and College IT Security Officer
  will manage the incident together at this stage
• Incident moves to highest priority
• Determine the extent of the incident
• Other related IT resources that may have been
  compromised
• Other places where other sensitive data may be
  stored
• The IT Security Officer will open a file on the
  incident
• The Incident Response Form is filled out
• Incident is report to ITSO. They will help
  determine how to proceed

7
Drive Imaging

• Drives are imaged in order to
• Simultaneously carry out forensics and recovery
• Make a copy of the exact state of the system for
  ITSO
• Drives can be imaged by
• The IT Security Officer
• ITSO (much slower turnaround time)
• Imaging procedure must be strictly adhered to
• Imaging of a 60gb drive can take at least half a
  day

8
What Happens Next?

• ITSO will analyze the incident.
• Hard drive forensics
• Access times
• Network logs
• Overall situation
• Determination will be made as to whether the Data
  Incident Response Team needs to meet regarding
  disclosure.

9
Data Incident Response Team (DIRT)

• Determines whether a public notification needs to
  be made in the event of potential loss of
  sensitive data
• Members
• Polly McClure
• Steve Schuster
• Representatives from
• Audit, Counsel, Police, Public Relations, Risk
  Management, data steward(s)
• Dean of affected unit
• Security Liaison/Officer from affected unit
• IT Manager from affected unit

10
If Sensitive Data is not Present

• Contact CIT (response to an alert or report the
  incident.)
• If time permits, determine the nature of the
  compromise. This may prevent it from happening
  again and will illuminate the situation for the
  user.
• Run forensics tools from CD or USB stick, not
  from the systems hard drive.

11
Remediation Information Gathering

• Reinstall/reimage should be the first choice
• Involve the College IT Security Officer if system
  cannot be redone
• View log files
• Event logs
• Service logs, such as IIS, Database
• Application-specific logs
• Local firewall logs
• Network firewall logs
• ITSOs NQ and netflow logs
• Fully inspect system with forensics tools, gather
  as much information as possible

12
Remediation Tools
It is best to rebuild/reimage a system. If a
redo is not an option, use forensics tools to
uncover the nature of the compromise and
hopefully clean it.

• CALS Forensics CD has a number of useful tools
• SIW one-stop shopping for many common forensic
  needs
• Port scanner such as Nmap look for open ports
  remotely
• TCPview ports with associated applications and
  connections, look for unusual services or many
  connections establishing and dropping
• Process Explorer identify suspect services and
  processes
• Autoruns identify suspect startup items
• RKDetector look for hidden resources and other
  rootkit indicators
• Telnet telnet to unknown listening ports to try
  to get information about the service on the port
• Search for recent file modification dates
• Request a Nessus vulnerability scan from the
  Security Officer

13
Helix

• Helix Live not necessary to boot on CD.
  Provides additional forensics tools including
• Windows Forensics Toolkit
• Security Reports
• Helix Linux-based forensics tools, booted from
  a known-good platform

14
Remediation Cleanup

• Install compromised drive into a clean system
• SAV
• Bit Defender and/or Trend Micro Online
• Helix Bit Defender (may find rootkit-related
  files not found by forensics tools. May not be
  able to clean.)
• Windows Defender
• Uninstall/reinstall SAV (clean registry keys)
• Uninstall/reinstall Windows Defender
• Reinstall anything flagged by RKDetector

15
Final Steps

• Have user change all passwords
• Calsnet/other local LAN
• Netid
• Local workstation
• Any other passwords used recently
• Contact CIT
• Give brief synopsis of remediation steps
• Indicate issue should be closed
• Request removal from quarantine if applicable

16
Questions?