More information
- CSIRT Handbook: http://www.cert.org/archive/pdf/csirt-handbook.pdf
- Forming an Incident Response Team: http://www.auscert.org.au/render.html?it=2252
- Incident Response White Paper – BH Consulting: http://www.bhconsulting.ie/Incident%20Response%20White%20Paper.pdf
- RFC 2350: Expectations for Computer Security Incident Response: http://www.rfc-archive.org/getrfc.php?rfc=2350
- Organisational Models for Computer Security Incident Response Teams: http://www.cert.org/archive/pdf/03hb001.pdf
- The SANS Institute's Reading Room: http://www.sans.org/reading_room
More Resources
- Guidelines for Evidence Collection and Archiving (RFC 3227): http://www.ietf.org/rfc/rfc3227.txt
- Resources for Computer Security Incident Response Teams (CSIRTs): http://www.cert.org/csirts/resources.html
- RFC 2196: Site Security Handbook: http://www.faqs.org/rfcs/rfc2196.html
- ENISA Step by Step Guide for setting up CERTs: http://enisa.europa.eu/doc/pdf/deliverables/enisa_csirt_setting_up_guide.pdf
- CSIRT Case Classification (example for an enterprise CSIRT): http://www.first.org/resources/guides/csirt_case_classification.html
The three certainties with regards to information security:
- Death and Taxes
- You will have an incident.
How you respond to an incident will have a direct influence on the impact that incident may have on your costs, reputation and ability to conduct business.
Traditional focus on Prevention:
- Policies
- Firewalls
- Anti-Virus Software
- Intrusion Detection Systems (if turned on!!)
Little attention paid to responding. Response focus primarily on:
- Viruses
- Minor Policy Breaches
More solutions do not necessarily guarantee you are secure. Neither do more standards such as ISO 27001 or PCI DSS. Yes, they will make your security more efficient and better, but you will still at some stage suffer a breach.
Traditional Response:
- Ad hoc
- Unplanned
- Deal with it as it happens
Results in:
- Prolonged incidents (if you know you have been attacked)
- Lack of metrics and measurements
- Bad Guys & Gals getting away
Inappropriate Response Can Result in:
- Disclosure of confidential information.
- Prolonged recovery times.
- Lack of evidence for a criminal or civil case.
- Negative impact to the organisation's image.
- Potential legal and/or compliance issues.
- Potential legal cases from third party organisations.
- Exposure to legal/libel cases from employees/individuals.
- IT Manager Updating Their CV
IT Manager Updating Their CV: invariably IT gets blamed either for letting the incident happen in the first place or for not responding appropriately.
Structured and Formalised Response provides:
- Positive Security Posture
- Incidents Dealt with Quickly, Efficiently and Effectively
- Rapid and Accurate Assessment of Incidents
- Choosing Most Appropriate Response
- Shortened Recovery Times
- Minimised Business Disruption
- Confidence to Proceed with a Court Case
- Regulatory and Legal Compliance
- Potential Reduction in Incidents
- Accurate Reporting and Metrics
Do you want this man sitting across from you as a result of an incident?
Talk about the publicly known breaches
- Websites compromised to host phishing sites and malware
- Compromised SSH accounts
- DDoS attacks
- Privacy breach on website's database
- Conficker
Composed of:
- Information Security
- Operations
- Human Resources
- Legal
- Public Relations
- Facilities Management
Under control of Information Security.
- Log files
- Network Devices
- People (not just via the support desk)
- Baselining: what is the norm for your network?
- External: vulnerability lists, partners, third parties
- Forensics Software (Commercial vs. Open Source)
- Incident Tracking & Recording
- Digital Signatures
- Spare Media
- Backups
- Evidence bags
- Evidence forms
- Physical Evidence (CCTV, Swipe Card access)
- Network Sniffers
- Centralised Time Source
- Training Courses
- Notebooks
- Digital Camera
- Out of Band Communications (email may be compromised; support system may be compromised)
- War Room
- Secure Storage
- Coffee!!
- How are Incidents Reported?
- Incident Classification
- Procedures in Place for Expected Incidents
- Procedures in Place for Unexpected Incidents
- Who declares an Incident?
- Who to involve and when?
- Team available 24x7?
- Escalation Tree
Typical Procedures:
- Malware/Computer Virus infection
- External Unauthorised Access to Systems
- Internal Unauthorised Access to Systems
- Theft of Computer Equipment and Related Data
- Discovery of Illegal Content on Company's Resources
- Serious Breach of the AUP
- Minor Breach of the AUP
- Website Defacement
- Denial of Service Attack
- Email Flood Attack
- Third Party Compromise
- Disclosure of Confidential Information
- Incidents Can Occur 24x7
- What takes Priority? Mitigate the impact of the incident, gather as much evidence as possible, or restore systems?
- What Authority has the IRT team? E.g. take systems offline
- Integrate with Business Continuity: can the IRT invoke the Business Continuity Plan?
- Integrate With Other Processes: change control etc.
- Security vs Service!!
Some Skills not available In-house:
- Legal
- Forensics
- Public Relations
Agree Terms & Conditions before an Incident:
- Suppliers: ISPs, Telecomms, Hosting
- Partners
- Customers
An Garda Siochana:
- Garda Computer Crime Unit, part of Garda Bureau of Fraud Investigation
- How do you Report a Computer Crime? Contact local Garda station; refer to Garda Computer Crime Unit
- When Should You Contact Garda Computer Crime Unit? Today!!
Do the above before you have an incident, as it is not something you want to negotiate in the middle of responding to an incident or breach.
- Run Practise Drills.
- Identify Weaknesses in IR.
- Review Effectiveness of Incident Response.
- Ensure Everyone Aware of Roles & Responsibilities.
- Regularly Test Network for Vulnerabilities.
- Regularly Normalise Network & Systems.
- Test Staff Awareness.
- Test Management Awareness.
- Can you contact everyone when you need to? For example, will the network engineer in their twenties who is single be available to respond at 10 p.m. on a Friday night? How about the manager who has to do the school run in the morning?
Establish a formal Incident Response Process. Take into account:
- Your business environment
- Regulatory and legal obligations
- Policy on incident response
The most important thing to do is not to panic. Panic causes stress, and stress in turn can lead to bad decisions. Incorrect decisions or inappropriate responses can have a severe impact on the outcome of your response.
Contrary to what your reactions might be telling you, you should Stop and Assess the situation. A fire chief arriving at the scene of an incident always asks "What is going on?" An unmanaged response can result in corrupted logs, lack of forensic evidence or alerting the unauthorised user.
- Ask what is happening?
- How was the incident reported?
- What systems are impacted?
- What approach does management want to take – investigate & prosecute, or get systems up and running?
- What regulatory or legal obligations do you have?
- Have you got the appropriate skills on board? Do you need external expertise?
Containment involves limiting the scope and impact of the information security incident:
- Stopping the spread of a virus
- Preventing compromise of other machines
Use tools such as:
- Segregating the network
- Using ACLs on routers to block or filter traffic
- Unplugging network cables
- Shutting down systems
Remember your servers contain your crown jewels; sometimes we need to sacrifice the village to defend the castle.
Eradicating an incident entails identifying and removing the root cause. Simply restoring a system to operational status without identifying the root cause may result in the incident re-occurring at a later stage. To ensure the root cause has been identified and eradicated, and to also support any future criminal or civil court cases, the following shall be followed:
- All relevant evidence be gathered in a forensically sound manner by trained personnel using approved software and equipment.
- All steps and actions should be clearly documented.
- All copies of original media and log files being investigated should be digitally signed and stored securely to prevent tampering.
- All investigations should be conducted on verified copies of the original media and log files.
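As an added illustration of the last two points (signing copies of evidence and investigating only verified copies), the following script is not part of the presentation. It hashes each evidence file, signs the listing with an HMAC key (a stand-in for the digital signature the slide calls for; a real deployment would use a proper signature), and refuses a working copy that does not match. The key, file names and log lines are constructed.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

KEY = b"investigator-signing-key"  # constructed; in practice held offline by the IRT

def file_digest(path):
    """SHA-256 of a file, read in chunks so large disk images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir, key=KEY):
    """Hash every file in evidence_dir and sign the listing with HMAC-SHA256."""
    files = {p.name: file_digest(p) for p in sorted(Path(evidence_dir).iterdir()) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "signature": hmac.new(key, body, "sha256").hexdigest()}

def verify_copy(copy_dir, manifest, key=KEY):
    """Check the manifest signature, then every copied file against its recorded hash."""
    problems = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["signature"]):
        problems.append("manifest signature invalid")
    for name, digest in manifest["files"].items():
        path = Path(copy_dir) / name
        if not path.is_file():
            problems.append("missing: " + name)
        elif file_digest(path) != digest:
            problems.append("modified: " + name)
    return problems  # empty list: the copy matches the signed originals

def demo():
    """Constructed walk-through: sign originals, verify a copy, then detect a tampered copy."""
    root = Path(tempfile.mkdtemp())
    original, working = root / "original", root / "working"
    original.mkdir()
    (original / "auth.log").write_text("Jan 10 02:13:44 web01 sshd[812]: Accepted password for root from 10.0.0.9\n")
    (original / "access.log").write_text('10.0.0.9 - - [10/Jan:02:15:01] "GET /admin HTTP/1.1" 200\n')
    manifest = build_manifest(original)
    shutil.copytree(original, working)
    clean = verify_copy(working, manifest)
    with open(working / "auth.log", "a") as fh:  # simulate someone editing the working copy
        fh.write("Jan 10 02:20:00 web01 sshd[812]: session closed\n")
    return clean, verify_copy(working, manifest)
```

The manifest itself should be stored alongside the original media in secure storage, so that the investigation notes can cite which hashes each analysed copy was checked against.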
Recovery means restoring a system (or systems) back to normal operational status. This may require:
- Restoring system(s) from backups
- Reinstalling from known and certified original media
- Repairing infected files using AV software
- Applying patches to the system
Part of the recovery process shall ensure that the integrity of the backup being used for the restore operation has been thoroughly verified and that the restore operation was successful.
Once recovered, systems should be monitored to ensure they are not compromised again. It is possible that your investigation did not discover an alternative route into your system that the criminals could use again. It is also possible that the root cause has been identified incorrectly and that the attack happened through a different means not addressed in the recovery process. You could also have missed a compromised system in your investigation, and this could be used to compromise you again. Monitor the system(s) carefully for any unusual behaviour and investigate further.
Throughout the information security incident it is essential that appropriate communications are maintained. It is also essential that confidentiality is maintained throughout the incident's lifecycle, as the issue could result in a court case or disciplinary measures against a staff member. Communication media could be compromised (e.g. email), so alternatives will need to be used. Other things to consider:
- Press enquiries
- An Garda Siochana
- Data Protection Commissioner
- Regulatory bodies
- Third parties such as clients or business partners
- Public
- Staff
- Management
- Legal
To disclose or not to disclose? You may have no option:
- The issue may be known publicly – website defacement etc.
- You may be obliged to report, morally, regulatorily or contractually
- Is it better that you manage the details of the issue, or a third party like the press?