Incidence Response Teams - PowerPoint PPT Presentation

Slides: 16
Provided by: rnel4
Transcript and Presenter's Notes
1
Incidence Response Teams
  • By
  • Robert Nellis, CISSP
  • P-CIRT Manager
  • Paychex, Inc.
  • rnellis_at_paychex.com
  • (585) 216-0448

2
What is an Incident Response Team?
Computer Incident Response Team (CIRT) is a vital
part of every organization. The team is
responsible for ensuring that identified
computer-related events and incidents are handled
in a methodical manner, so that the event or
incident is accurately investigated, mitigated and
reported to the appropriate management or outside
agency.
Formal teams should be established for larger
organizations; these teams consist of the members
listed in the following slides. Smaller
organizations should establish informal teams with
an identified Incident Response Manager.
3
Event or Incident?
  • Event - An event is defined as any observed
    activity that may be in violation of established
    Security Policies, Standards or Procedures
    governing systems, data and personnel.
  • Incident - An incident is defined as any observed
    activity reported to the CIRT that has been
    investigated and confirmed to be in violation of
    established Security Policies, Standards or
    Procedures governing the security of owned
    systems, data and personnel.

4
The Team
  • CIRT Manager - Responsible for activation of
    P-CIRT team members as required by the reported
    incident or event. Reviews all documentation of
    activity, findings and recommended mitigation
    plans and provides briefings to Sr. Management,
    Legal, HR and Public Relations throughout the
    investigation.
  • CIRT Duty Officer - Responsible for gathering
    initial information regarding the event and
    alerting the team members needed to investigate
    it. Also responsible for compiling the
    documentation completed during the
    investigation.
  • CIRT Analysts - When assigned to the role of Duty
    Officer, an analyst is responsible for initial
    information gathering on the reported incident or
    event, classification of the reported event or
    incident, and notification of additional team
    members.
  • Legal - Responsible for providing legal support
    and direction for all confirmed security
    breaches, including but not limited to those
    involving client information, illegal activity
    or regulatory requirements. The Legal
    Representative also acts as the liaison to
    law enforcement agencies as needed.

5
The Team (cont)
  • Human Resources - Responsible for providing
    support and direction for all events or incidents
    that involve employees. All activity performed by
    the CIRT during the investigation of a
    security breach involving an employee should be
    approved by the HR Representative before it
    commences.
  • Public Relations - Responsible for all media
    communications about identified incidents that
    require disclosure. No external communications
    are to be made public by anyone other than the
    Public Relations Representative.
  • Law Enforcement - Responsible for providing
    support in all events identified as a violation
    of civil or criminal law. Law enforcement will
    be contacted only under the direction of
    Corporate Counsel.
  • Associate Analysts - Responsible for providing
    support as needed for events or incidents that
    directly or indirectly impact their circle of
    influence. The Associate Analyst's manager will
    be notified before the individual is engaged in
    the event or incident.
  • Additional members - The CIRT may also include
    members from Physical Security, Internal Audit,
    Compliance and Risk Management.

6
The Process
  • Preparation - This step is the most vital and
    time-consuming step in developing a CIRT. The
    preparation step is never complete: as
    technology and attacks change, so will the
    documentation and tools necessary to prepare for
    an investigation. You will continue to review
    this step of the process and make changes as
    needed. Documentation is the key for this step,
    as it directs the actions taken in the
    remaining steps of the process.
  • Identification - The identification of an event
    or incident will come from various sources. The
    company's intrusion detection and monitoring
    systems, firewalls, vendor alerts and employees
    are all sources of identification.
  • Containment - The containment step must include
    all steps necessary to reduce the chance that
    the event or incident will spread throughout
    the company. This step is also vital to maintain
    the appropriate level of confidentiality of the
    investigation.

7
The Process (Cont)
  • Eradication - The eradication step allows the
    safe removal of the event or incident from the
    environment without compromising the evidence of
    the event or incident.
  • Recovery - The recovery phase allows the
    environment to be restored to the state it was
    in prior to the event or incident. This step
    should also be used to put measures in place to
    prevent the event from recurring.
  • Lessons Learned - The last step in this process
    is to review the investigation and identify
    improvements and process changes.

8
Tools
  • Forensic Hardware/Software - EnCase, The
    Coroner's Toolkit, The Sleuth Kit
  • Open Source Tools - Nmap, KNOPPIX, John the
    Ripper, tcpdump
  • Disk Tools - Ghost, TestDisk, File Scavenger,
    FindNTFS
  • Analysis Tools - grep, Excel, Access DB, Hex
    Converter, Adobe Photoshop
  • Laptop, External Hard Drive, CD/DVD Writer
  • Floppy Disks, CD/DVDs, Flash Drive
  • Bound Notebook

9
Resources
  • List of important CERT websites (US-based)
  • US-CERT - United States Computer Emergency
    Readiness Team: http://www.us-cert.gov/
  • CERT Coordination Center: http://www.cert.org/
  • National Vulnerability Database:
    http://nvd.nist.gov/
  • Common Vulnerabilities and Exposures:
    http://cve.mitre.org/
  • Department of Homeland Security Daily Open
    Source Infrastructure Report: http://www.dhs.gov/
  • SANS Internet Storm Center: http://isc.sans.org/

10
Resources (Cont)
  • InfraGard - Guarding the Nation's Infrastructure:
    http://www.infragard.net/
  • FIRST - Forum of Incident Response and Security
    Teams: http://www.first.org/
  • Internet Crime Complaint Center:
    http://www.ic3.gov/
  • NOTE - the following sites contain resources to
    build a CIRT from the ground up.
  • FIRST - Forum of Incident Response and Security
    Teams: http://www.first.org/resources/guides/
  • CERT Coordination Center:
    http://www.cert.org/csirts/

11
Tool Resources
  • Sleuth Kit - http://www.sleuthkit.org/
  • EnCase - http://www.guidancesoftware.com/
  • Knoppix - http://www.knoppix.org/
  • Ghost - http://www.symantec.com/index.htm
  • TestDisk - http://www.cgsecurity.org/testdisk.html
  • Misc. Tools - http://www.insecure.org/,
    http://labmice.techtarget.com/security/incidentresponse.htm

12
Privacy Laws
  • 23 states have privacy laws in place and 12
    states have pending legislation.
  • What does this mean to the CIRT?
  • Where do we find information regarding current
    legislation?
  • http://www.ncsl.org/programs/lis/cip/priv/breach.htm
  • How do we interpret the statutes?
  • Reaction time for reported events must be
    streamlined - states requiring disclosure of a
    breach indicate that this must happen in a
    "reasonable" timeframe, but what counts as
    reasonable?
  • How do we document and protect evidence?

13
Privacy Laws (Cont)
  • Who needs to be notified and when?
  • How do we notify?
  • Do outside agencies need to be notified?
  • What are the penalties for non-compliance?

14
The Most Important Things To Remember
  • The most important thing to remember through the
    entire incident response process is to
    DOCUMENT!!!!!!!!!
  • Protect all evidence as if it were a criminal
    investigation
  • Review incident documentation for process
    improvements
  • Continually train your staff
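The deck's recurring instruction is to document everything and to protect evidence as if for a criminal investigation (slides 12 and 14). As an added example that is not part of the presentation, this Python script keeps an append-only custody log for collected evidence, recording a SHA-256 hash at collection time, and later re-hashes each item to detect post-collection modification; the file names, handler name and log format are assumptions.

```python
"""Evidence custody log with hash-based integrity checks (added example, not from the slides)."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash in 1 MiB chunks so a disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(log_path: str, item_path: str, handler: str, note: str) -> dict:
    """Append one custody entry: what was collected, by whom, when, and its hash at that moment."""
    entry = {
        "item": os.path.basename(item_path),
        "sha256": sha256_file(item_path),
        "handler": handler,
        "note": note,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a", encoding="utf-8") as log:  # append-only, one JSON object per line
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_evidence(log_path: str, evidence_dir: str) -> dict:
    """Re-hash every logged item; True means it still matches the hash taken at collection."""
    results = {}
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            current = sha256_file(os.path.join(evidence_dir, entry["item"]))
            results[entry["item"]] = current == entry["sha256"]
    return results


def demo() -> dict:
    """Constructed walk-through: collect two items, alter one afterwards, then verify."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "custody.log")
    samples = {"syslog.txt": b"Jan 1 10:00 sshd: Accepted publickey\n", "memdump.bin": b"\x00" * 4096}
    for name, data in samples.items():  # constructed sample evidence, not real captures
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(data)
        record_evidence(log_path, os.path.join(workdir, name), "duty officer", "constructed sample")
    with open(os.path.join(workdir, "syslog.txt"), "ab") as f:
        f.write(b"tampered\n")  # post-collection modification that verification must catch
    return verify_evidence(log_path, workdir)
```

A mismatch on verification is itself an incident finding to be written down; in practice the log would be kept on write-once media or a separate host, matching the deck's advice to protect evidence.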

15
Questions?