
Incident Response

Incident Response Process Forensics

Acknowledgments
Material is sourced from:
- CISA Review Manual 2011, 2010, ISACA. All rights reserved. Used by permission.
- CISM Review Manual 2012, 2011, ISACA. All rights reserved. Used by permission.
Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Objectives
Students should be able to:
- Define and describe an incident response plan and business continuity plan
- Define recovery terms: interruption window, service delivery objective, maximum tolerable outage, alternate mode, acceptable interruption window
- Describe incident management team, incident response team, proactive detection, triage
- Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, imaging, extraction, ingestion or normalization, case log, investigation report

How to React to?
- Denial of Service
- Stolen Laptop
- Theft of Proprietary Information
- System Failure
- Fire!

Incident Response vs. Business Continuity
Incident Response Planning (IRP):
- Security-related threats to systems, networks & data
- Data confidentiality
- Non-repudiable transactions
Business Continuity Planning (BCP):
- Disaster Recovery Plan
- Continuity of Business Operations
IRP is part of BCP and can be *the first step*

Recovery Terms
- Interruption Window: Time duration organization can wait between point of failure and service resumption
- Service Delivery Objective (SDO): Level of service in Alternate Mode
- Maximum Tolerable Outage: Max time in Alternate Mode
[Figure: timeline showing Regular Service, Interruption, (Acceptable) Interruption Window, Disaster Recovery Plan Implemented, Alternate Mode at SDO level, Maximum Tolerable Outage, Restoration Plan Implemented, return to Regular Service]

Vocabulary
IMT: Incident Management Team
- IS Mgr leads; includes steering committee, IRT members
- Develop strategies & design plan for Incident Response, integrating business, IT, BCP, and risk management
- Obtain funding, review postmortems
- Meet performance & reporting requirements
IRT: Incident Response Team
- Handles the specific incident
- Has specific knowledge relating to: security, network protocols, operating systems, physical security issues, malicious code, etc.
- Permanent (Full Time) Members: IT security specialists, incident handlers, investigator
- Virtual (Part Time) Members: Business (middle mgmt), legal, public relations, human resources, physical security, risk, IT

Incident Response Plan (IRP)
1. Preparation: Plan PRIOR to incident
2. Identification: Determine what is/has happened
3. Containment: Limit incident
4. Analysis & Eradication: Determine and remove root cause
5. Recovery: Return operations to normal
6. Lessons Learned: Process improvement: Plan for the future

Stage 1: Preparation
- What shall we do if different types of incidents occur? (BIA helps)
- When is the incident management team called?
- How can governmental agencies or law enforcement help? When do we involve law enforcement?
- What equipment do we need to handle an incident?
- What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies)
- Where on-site & off-site shall we keep the IRP?

(1) Detection Technologies
Organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner
Proactive Detection includes:
- Network Intrusion Detection System (NIDS)
- Host Intrusion Detection System (HIDS): includes personal firewalls
- Vulnerability/audit testing
- Centralized Incident Management System: Input: server, system logs; coordinates & correlates logs from many systems; tracks status of incidents to closure
Reactive Detection: Reports of unusual or suspicious activity

(1) Management Participation
Propose Alternatives. Include: business criticality, risk of proposal, cost, time to recover, reliability
- Redundancy Costs: Preparation, purchasing of redundant computers or alternative routing, reaction capability
- Detection Costs: NIDS/HIDS tools, setup, monitoring, response
Management makes final decision
As always, senior management has to be convinced that this is worth the money.

(1) IRP Contents
- Preincident readiness
- How to declare a disaster
- Evacuation procedures
- Identifying persons responsible, contact information: IRT, S/W-H/W vendors, insurance, recovery facilities, suppliers, offsite media, human relations, law enforcement (for serious security threat)
- Step-by-step procedures
- Required resources for recovery & continued operations

Workbook: Incident Types

Incident: Web page fails
  Description: Main web page fails or is defaced
  Methods of Detection: Keep-alive message to IDS server
  Procedural Response: IT addresses incident within 1 hour: email SysAdmin; Recovery IR Proc.

Incident: Break-in
  Description: Computers or memory forms are stolen
  Methods of Detection: Security alarm, or employee observes at work
  Procedural Response: Call Management & IT immediately. Management calls police.

Incident: Social Engineering
  Description: Information was divulged that was recognized after the fact as being inappropriate
  Methods of Detection: Training of staff; report from staff
  Procedural Response: Report to Management; Breach notification law

Stage 2: Identification
Triage: Categorize, prioritize and assign events and incidents
- What type of incident just occurred?
- What is the severity of the incident? Severity may increase if recovery is delayed
- Who should be called?
- Establish chain of custody for evidence

(2) Triage
Snapshot of the known status of all reported incident activity
Sort, Categorize, Correlate, Prioritize & Assign:
- Categorize: DoS, Malicious code, Unauthorized access, Inappropriate usage, Multiple components
- Prioritize: Limited resources require prioritizing response to minimize impact
- Assign: Who is free/on duty, competent in this area?

(2) Chain of Custody
Evidence must follow Chain of Custody law to be admissible/acceptable in court
Include: specially trained staff, 3rd party specialist, law enforcement, security response team
System administrator can:
- Retrieve info to confirm an incident
- Identify scope and size of affected environment (system/network)
- Determine degree of loss/alteration/damage
- Identify possible path of attack

Stage 3: Containment
- Activate Incident Response Team to contain threat: IT/security, public relations, mgmt, business
- Isolate the problem: Take infected server off network; Change firewall configurations to stop attacker
- Obtain & preserve evidence

(3) Containment - Response
- Technical: Collect data; Analyze log files; Obtain further technical assistance; Deploy patches & workarounds
- Managerial: Business impacts result in mgmt intervention, notification, escalation, approval
- Legal: Issues related to investigation, prosecution, liability, privacy, laws & regulation, nondisclosure

Stage 4: Analysis & Eradication
- Determine how the attack occurred: who, when, how, and why?
- What is impact & threat? What damage occurred?
- Remove root cause: Rebuild system; Talk to ISP to get more information; Perform vulnerability analysis; Improve defenses with enhanced protection techniques
- Discuss recovery with management, who must make decisions on handling that affects other areas of business

(4) Analysis
- What happened?
- Who was involved?
- What was the reason for the attack?
- Where did the attack originate from?
- When did the initial attack occur?
- How did it happen? What vulnerability enabled the attack?

(4) Remove root cause
- If Admin or Root compromised, rebuild system
- Implement recent patches & recent antivirus
- All passwords should be changed

Stage 5: Recovery
- Restore operations to normal
- Ensure that restore is fully tested and operational

Workbook: Incident Handling Response

Incident Type: Malware detected by Anti-virus software
Contact Name & Information: Joe Ryan, ryan@ameridynitechicorp.com, 262-252-3344 (O)
Emergency Triage Procedure: Disconnect computer from Internet/WLAN. Do not reconnect. Report to IT first thing during next business day.
Escalation Conditions and Steps: If laptop has confidential information, determine if Breach Law applies.
Containment, Analysis & Eradication Procedure: IT investigates problem. Type A: return computer. Type B: Rebuild computer.
Other Notes (Prevention techniques): Encrypt computer: This ensures that if laptop is stolen, breach notification law does not apply.

Stage 6: Lessons Learned
Follow-up includes: Writing an Incident Report
- What went right or wrong in the incident response?
- How can process improvement occur?
- How much did the incident cost (in loss & response)?
Present report to relevant stakeholders

Planning Processes
1. Risk & Business Impact Assessment
2. Response & Recovery Strategy Definition
3. Document IRP and DRP
4. Train for response & recovery
5. Update IRP & DRP
6. Test response & recovery
7. Audit IRP & DRP

Training
- Introductory Training: First day as IMT
- Mentoring: Buddy system with longer-term member
- Formal Training
- On-the-job training
- Training due to changes in IRP/DRP

Types of Penetration Tests
- External Testing: Tests from outside network perimeter
- Internal Testing: Tests from within network
- Blind Testing: Penetration tester knows nothing in advance and must do web research on company
- Double Blind Testing: System and security administrators also are not aware of test
- Targeted Testing: Have internal information about a target. May have access to an account.
Written permission must always be obtained first
CISA Review Manual 2009

Challenges
- Management buy-in: Management does not allocate time/staff to develop IRP. Top reason for failure.
- Organization goals/structure mismatch: e.g., National scope for international organization
- IMT Member Turnover
- Communication problems: Too much or too little
- Plan is too complex and wide

Incident Management Metrics
- # of Reported Incidents
- # of Detected Incidents
- Average time to respond to incident
- Average time to resolve an incident
- Total number of incidents successfully resolved
- Proactive & Preventative measures taken
- Total damage from reported or detected incidents
- Total damage if incidents had not been contained in a timely manner

Question
The MAIN challenge in putting together an IRP is likely to be:
1. Getting management and department support
2. Understanding the requirements for chain of custody
3. Keeping the IRP up-to-date
4. Ensuring the IRP is correct

Question
The PRIMARY reason for Triage is:
1. To coordinate limited resources
2. To disinfect a compromised system
3. To determine the reasons for the incident
4. To detect an incident

Question
When a system has been compromised at the administrator level, the MOST IMPORTANT action is:
1. Ensure patches and anti-virus are up-to-date
2. Change admin password
3. Request law enforcement assistance to investigate incident
4. Rebuild system

Question
The BEST method of detecting an incident is:
1. Investigating reports of discrepancies
2. NIDS/HIDS technology
3. Regular vulnerability scans
4. Job rotation

Question
The person or group who develops strategies for incident response includes:
1. CISO
2. CRO
3. IRT
4. IMT

Question
The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:
1. Disconnect the computer facilities from the computer network to hopefully disconnect the attacker
2. Power down the server to prevent further loss of confidentiality and data integrity
3. Call the police
4. Follow the directions of the Incident Response Plan

Computer Investigation and Forensics
- Computer Crime Investigation
- Chain of Command
- Computer Forensics

Computer Crime Investigation
- Call Police or Incident Response
- If attack in progress: copy memory, processes, files, connections
- Power down
- Copy disk
- Analyze copied images
- Take photos of surrounding area
- Preserve original system in locked storage with minimum access
- Evidence must be unaltered
- Chain of custody professionally maintained
Four considerations: Identify evidence, Preserve evidence, Analyze copy of evidence, Present evidence

Computer Forensics
Did a crime occur? If so, what occurred?
Evidence must pass tests for:
- Authenticity: Evidence is a true and faithful original of the crime scene. Computer forensics does not destroy or alter the evidence.
- Continuity: Chain of custody assures that the evidence is intact.

Chain of Custody
Time Line:
- 10:53 AM: Attack observed (Jan K)
- 11:04: Inc. Resp. team arrives
- 11:05-11:44: System copied (PKB & RFT)
- 11:15: System brought offline (RFT)
- 11:45: System powered down (PKB & RFT)
- 11:47-1:05: Disk copied (RFT & PKB)
- 1:15: System locked in static-free bag in storage room (RFT & PKB)
Who did what to evidence when? (Witness is required)

Preparing Evidence
Work with police to AVOID:
- Contaminating the evidence
- Voiding the chain of custody
- Infringing on the rights of the suspect
Evidence is not impure or tainted
Written documentation lists chain of custody: locations, persons in contact, time & place
Warrant required unless: company permission given; in plain sight; communicated to third party; evidence in danger of being destroyed; or normal part of arrest; ...

Computer Forensics
The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding

Creating a Forensic Copy
Original -> Mirror Image
1) Calculate Message Digest: Before copy
2) Accuracy Feature: Tool is accepted as accurate by the scientific community: e.g., CoreRESTORE, Forensic Replicator, FRED
3) Forensically Sterile: Wipes existing data; records sterility
4) One-way Copy: Cannot modify original
5) Bit-by-Bit Copy: Mirror image
6) Calculate Message Digest: After copy
7) Calculate Message Digest: Validate correctness of copy
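Added example, not from the slides or the CISA/CISM manuals: a Python script that carries out steps 1 and 3 to 7 of the forensic copy on a constructed in-memory device and writes each step to a chain-of-custody log of the kind shown in the time line slide (who did what to the evidence, when). Step 2 (the tool being accepted by the scientific community) is a property of the tool's validation, not something code can assert; the function names, the SHA-256 choice of message digest and the custodian initials are assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large device never sits in memory at once

# Constructed 16 KiB "disk" standing in for the original evidence device.
SAMPLE_DEVICE = bytes(range(256)) * 64


def message_digest(device):
    """SHA-256 over the whole device (steps 1, 6 and 7). Only reads, never writes."""
    h = hashlib.sha256()
    device.seek(0)
    for block in iter(lambda: device.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def log_entry(chain, action, custodian, detail):
    """One chain-of-custody line: when, what was done, by whom, and the digest or size."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    chain.append((stamp, action, custodian, detail))


def forensic_copy(original, target, custodian, chain):
    """Steps 1, 3-7 of the slide. The original is only ever read (one-way copy);
    on real hardware a write-blocker enforces this. Returns (valid, digest_before, digest_image)."""
    size = original.seek(0, io.SEEK_END)
    before = message_digest(original)                      # 1) digest before copy
    log_entry(chain, "digest-before", custodian, before)
    target.seek(0)                                         # 3) forensically sterile target:
    target.truncate(0)                                     #    zero it and record that fact
    target.write(b"\x00" * size)
    log_entry(chain, "target-sterilized", custodian, f"{size} bytes zeroed")
    original.seek(0)                                       # 4)+5) one-way, bit-by-bit copy
    target.seek(0)
    for block in iter(lambda: original.read(CHUNK), b""):
        target.write(block)
    log_entry(chain, "bit-copy", custodian, f"{size} bytes")
    after = message_digest(original)                       # 6) original unchanged by the copy?
    image = message_digest(target)                         # 7) image identical to original?
    valid = before == after == image
    log_entry(chain, "validate", custodian, "match" if valid else "MISMATCH")
    return valid, before, image


def run_demo():
    """Copy the constructed device onto blank media; return the validation result and the log."""
    chain = []
    valid, before, image = forensic_copy(io.BytesIO(SAMPLE_DEVICE), io.BytesIO(), "RFT", chain)
    return valid, before, image, chain
```

Any later analysis (extraction, interrogation, normalization) is then run on the image, and re-hashing the image at presentation time and comparing it with the logged digest is what lets the investigator show in court that the copy is still a true and faithful original.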

Computer Forensics
- Data Protection: Notify people that evidence cannot be modified
- Data Acquisition: Transfer data to controlled location; copy volatile data; interview witnesses; write-protect devices
- Imaging: Bit-for-bit copy of data
- Extraction: Select data from image (logs, processes, deleted files)
- Interrogation: Obtain info of parties from data (phone/IP address)
- Ingestion/Normalization: Convert data to an understood format (ASCII, graphs, ...)
- Reporting: Complete report to withstand legal process

Legal Report
- Describe incident details accurately
- Be understandable and unambiguous
- Offer valid conclusions, opinions, or recommendations
- Fully describe how conclusion is reached
- Withstand legal scrutiny
- Be created in timely manner
- Be easily referenced

Forensics: Chain of Custody Forms
Chain of Custody Form: Tracks where & how evidence was handled. Includes:
- Name & contact info of custodians
- Detailed identification of evidence (e.g., model, serial #)
- When, why, and by whom evidence was acquired or moved
- Where stored
- When/if returned
- Detailed activity logs
- Checklists for acquiring technicians
- Signed non-disclosure forms

Forensics: Case Log
Case log includes:
- Case number
- Case basic notes, requirements, procedures
- Dates when requests were received
- Dates investigations were assigned to investigators
- Date completed
- Name and contact information for investigator and requestor

Forensics: Investigation Report
- Name and contact info for investigators
- Case number
- Dates of investigation
- Details of interviews or communications
- Details of devices or data acquired (model, serial #)
- Details of software/hardware tools used (must be reputable in law)
- Details of findings, including actual data
- Signature of investigator

Stages of Computer Forensics
1. Data Acquisition: Transfer data to controlled location
2. Imaging: Bit-for-bit copy of data
3. Extraction: Select data from image (logs, processes, deleted files)
4. Interrogation: Obtain info of parties from data (phone/IP address)
5. Ingestion/Normalization: Convert data to an understood format (ASCII, graphs, ...)


Question
Authenticity requires:
1. Chain of custody forms are completed
2. The original equipment is not touched during the investigation
3. Law enforcement assists in investigating evidence
4. Data analysis occurs on a copy of the original disk

Question
You are developing an Incident Response Plan. An executive order is that the network shall remain up, and intruders are to be pursued. Your first step is to:
1. Use commands off the local disk to record what is in memory
2. Use commands off of a memory stick to record what is in memory
3. Find a witness and log times of events
4. Call your manager and a lawyer in that order

Question
What is NOT TRUE about forensic disk copies?
1. The first step in a copy is to calculate the message digest
2. Extraction and analysis for presentation in court should always occur on the original disk
3. Normalization is a forensics stage which converts raw data to an understood format (e.g., ASCII, graphs, ...)
4. Forensic copies require a bit-by-bit copy

Reference
Slide # | Slide Title | Source of Information
6 | Recovery Terms | CISM: page 230
8 | Incident Response Plan (IRP) | CISM: page 221, 222
9 | Stage 1: Preparation | CISM: page 221, 223
10 | (1) Detection Technologies | CISM: page 222
14 | Stage 2: Identification | CISM: page 222, 223
15 | (2) Triage | CISM: page 222
17 | Stage 3: Containment | CISM: page 223
18 | (3) Containment Response | CISM: page 222
19 | Stage 4: Analysis & Eradication | CISM: page 223, 224
22 | Stage 5: Recovery | CISM: page 224
24 | Stage 6: Lessons Learned | CISM: page 224
25 | Planning Processes | CISM: page 228
26 | Training | CISM: page 227
27 | Type of Penetration Tests | CISA: page 378
28 | Incident Management Metrics | CISM: page 220
29 | Challenges | CISM: page 227
37 | Computer Crime Investigation | CISA: page 380
39 | Chain of Custody | CISA: page 380
43 | Computer Forensics | CISA: page 380, 381
44 | Legal Report | CISA: page 381
45 | Forensics: Chain of Custody Forms | CISA: page 375 and CISM: page 239
46 | Forensics: Case Log | CISM: page 239
47 | Forensics: Investigation Report | CISM: page 239
