1. Information Security Incident Management
One EDU’s Approach
Johnny Nipper, EnCE
Kevin Lanning, MSIS GSEC CISSP
Benjamin Bressman, GSEC GCIH GCFA
2. Information Security
Level Set
• Core Principles of Information Security
– Confidentiality – Keeping information private
– Integrity – Keeping information accurate
– Availability – Keeping information available (even
in disasters) to authorized parties
3. Why Incident Response?
• Legal and Compliance obligations require
notification when sensitive information is acquired
by unauthorized parties
• University Policy requires a process for responding to
incidents
• Computing environments at large are under constant
attack. (We are no exception)
• Attack Stats
4. What is an incident?
• Acceptance Criteria
– How do we determine the difference between an
incident and an event?
• Could sensitive information/critical system be at risk?
• Was event malicious?
– Maintaining a publicly accessible definition of
sensitive data helps bring clarity during events
– Trust support personnel and the campus
community, but maintain the ability to verify
when validation is needed
5. Incident Management
Methodologies
• One approach (see SANS.org, Course 504)
– Planning
• Your departmental contacts
• Communication strategies
• Failover systems and strategies, data
archives/backups
– Identification – Is it an incident?
– Containment – Are intrusions contained?
– Eradication – Is intrusion over?
– Recovery – Are your business functions back to normal?
– Lessons Learned – Recommendations
6. Incident Management
• Incident Environment?
– Higher education institutions compared with
business or military
– Governance/Culture
– Mission
– Technology types/Infrastructure
7. How are incidents discovered?
• Intrusion Detection/Prevention Systems
• Centrally Managed Anti-Virus
• Complaints by attacked parties
• Support Personnel - Often our first responders
– Help contain the incident and preserve data
– Help balance forensics with business continuity
8. Response, Evidence Acquisition
• Preserve Evidence
– Disconnect from the network?
– How do we power down?
– Preserve “last accessed” times (No AV scans)
– Log access can overwrite valuable information
• What evidence?
– A forensic image, an exact copy of the disk(s)
– Preserving timestamps is key
– Network data, Off-site logs, etc
9. Business Impact
• Must be mindful of business impact
– How will incident response/forensics impact…
• University mission
– Teaching
– Research
– Public Service
• The Department/Group
– When will systems be back up and running?
– Will intruders have a way back into the systems?
• The User
11. Investigation and Analysis
• Provide context for decision makers
– From the perspective of sensitive information:
• Where did sensitive information exist, if at all?
– From the technical perspective:
• Create timelines that detail (for example)…
– File creation and access
– When was malware introduced?
• Capabilities of the malware?
• When was sensitive information last accessed?
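The timeline work described on this slide (file creation and access, when malware arrived, when sensitive data was last touched) and the "preserve last accessed times" point from the evidence-acquisition slide can be illustrated with a small builder in the spirit of mactime/log2timeline. The following is an added example, not code from the presenters or from any tool named on the slides: it reads MAC times with os.stat (which only reads metadata and does not update access time), parses a constructed log excerpt, merges both into one sorted timeline, and answers the "last accessed" question from it. All paths, file names, epoch values and log lines are constructed.

```python
"""Added example: minimal file-system plus log timeline, mactime/log2timeline style."""
import os
import re
import tempfile
from datetime import datetime, timezone


def fs_events(root):
    """One event per MAC timestamp for every file under root (body-file style list)."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)  # metadata read only; atime is untouched
            events.append((st.st_mtime, "fs", "modified", path))
            events.append((st.st_atime, "fs", "accessed", path))
            events.append((st.st_ctime, "fs", "metadata changed", path))
    return events


LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (\S+) (.+)$")


def log_events(lines, source="syslog"):
    """Parse 'ISO-8601Z program message' lines into events; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, source, m.group(2), m.group(3)))
    return events


def build_timeline(*event_lists):
    """Merge event lists and sort by time, then source and type, so ties are deterministic."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: (e[0], e[1], e[2]))


def last_access(timeline, path_fragment):
    """Answer 'when was this sensitive file last accessed?' from the merged timeline."""
    hits = [e[0] for e in timeline
            if e[1] == "fs" and e[2] == "accessed" and path_fragment in e[3]]
    return max(hits) if hits else None


def render(event):
    """Human-readable line for reports handed to decision makers."""
    when = datetime.fromtimestamp(event[0], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when}  {event[1]:<7} {event[2]:<17} {event[3]}"


# Constructed log excerpt; 2023-11-14T22:30:00Z is epoch 1700001000.
SAMPLE_LOG = [
    "2023-11-14T22:30:00Z sshd Accepted password for labadmin from 203.0.113.7 port 51522",
    "this line has no timestamp and is ignored",
    "2023-11-14T23:05:00Z sudo labadmin : COMMAND=/bin/chmod +x /tmp/up.sh",
]


def demo():
    """Create two files with known atime/mtime, merge with the log, return the timeline."""
    root = tempfile.mkdtemp(prefix="mounted_image_")
    fixtures = {  # relative path: (atime, mtime) in epoch seconds, constructed values
        "grants/ssn_export.csv": (1_700_000_500, 1_700_000_000),
        "tmp/up.sh": (1_700_007_200, 1_700_003_600),
    }
    for rel, (atime, mtime) in fixtures.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed content\n")
        os.utime(path, (atime, mtime))  # ctime cannot be set by user code; it stays 'now'
    return build_timeline(fs_events(root), log_events(SAMPLE_LOG))


if __name__ == "__main__":
    tl = demo()
    for ev in tl:
        print(render(ev))
    when = last_access(tl, "ssn_export.csv")
    print("ssn_export.csv last accessed:", datetime.fromtimestamp(when, timezone.utc))
```

Running it prints the login, the access to the constructed sensitive file, and the later modification of the file in tmp in time order, which is the kind of ordering the slide asks investigators to produce. On a real case the tree walked would be a read-only mounted forensic image rather than a temporary directory, and the log source would be the off-site copies mentioned under evidence.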
12. Forensic Processes and Tools
• Integrity and confidentiality of evidence
– Chain of custody forms
– Cryptographic Hash of hard drives, images
– Storage of hard drives and hard drive images
• Tools
– Guidance Software EnCase, AccessData FTK
– Open source tools like log2timeline
– Anti-malware software (SEP)
– Registry/Log/Browser/OS Artifact data viewers
– Identity Finder – Finds sensitive information
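The integrity and chain-of-custody points on this slide, together with the "forensic image, an exact copy of the disk(s)" requirement from the evidence-acquisition slide, come down to a repeatable routine: hash the image at acquisition, write the digests into a manifest that travels with the media, log every hand-off, and re-hash before analysis. The block below is an added example, not code from the presenters or from EnCase/FTK; it uses a constructed byte string in place of a disk image, and the case id, examiner and file names are placeholders.

```python
"""Added example: chunked hashing of an evidence image plus a chain-of-custody manifest."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat on multi-gigabyte images


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, computed in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """One-shot reference digest, used to cross-check the chunked reader."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def acquisition_record(image_path, case_id, examiner, source):
    """Build the manifest that accompanies the image (the chain-of-custody form)."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hash_file(image_path),
        "custody_log": [],
    }


def log_transfer(record, from_person, to_person, reason):
    """Append one hand-off; every move of the media or image is recorded."""
    record["custody_log"].append({
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "from": from_person,
        "to": to_person,
        "reason": reason,
    })


def verify_image(record, image_path):
    """Re-hash the image and compare with the manifest; False means the copy changed."""
    return hash_file(image_path, tuple(record["hashes"])) == record["hashes"]


# Constructed stand-in for a disk image; a real case would use a raw dd or E01 file.
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 64 + b"payroll_ssn.xlsx\x00" * 8


def demo():
    """Acquire, hand off, verify, then show that any alteration of the copy is detected."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    image = os.path.join(workdir, "host42_sda.dd")
    with open(image, "wb") as fh:
        fh.write(SAMPLE_IMAGE)

    record = acquisition_record(image, "INC-PLACEHOLDER-0042", "J. Examiner (placeholder)",
                                "desktop in lab 3, drive sda (constructed)")
    log_transfer(record, "J. Examiner", "Evidence locker B", "storage pending analysis")
    intact = verify_image(record, image)

    # Simulate a stray write to the working copy (a mounted image touched by an AV scan,
    # for example); the manifest no longer matches and the copy must not be relied on.
    with open(image, "r+b") as fh:
        fh.seek(0)
        fh.write(b"X")
    after_change = verify_image(record, image)

    with open(os.path.join(workdir, "host42_sda.manifest.json"), "w") as fh:
        json.dump(record, fh, indent=2)
    return record, intact, after_change


if __name__ == "__main__":
    rec, ok, ok_after = demo()
    print(json.dumps(rec["hashes"], indent=2))
    print("intact at acquisition:", ok, "| intact after stray write:", ok_after)
```

Two digests are kept because the commercial tools on the slide commonly report MD5 and SHA-1 or SHA-256 side by side; matching on all of them is what a reviewer (counsel, audit, law enforcement) will ask for when the image is produced later.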
13. Reporting Results
• Cases can be presented to…
– Information Security management
– Office of University Counsel
– Office of Research Compliance
– Internal Audit
– Law Enforcement
• Decision makers help determine next steps
– Is a notification appropriate?
– How can we prevent recurrence?
14. Lessons Learned/Recommendations
• Behavior Modification
– User learns best practices to prevent future incidents
– Sys Admin configures systems to resist similar attacks
• Software Modifications
– Harden software if flaws are found during investigation
– Introduce vulnerability management to be proactive
• Process Modifications
– Business processes may be modified to reduce risk
15. References
• How to Reach Us?
– security@unc.edu
• Documents:
– NIST 800-61 – “Computer Security Incident Handling Guide” (csrc.nist.gov)
• Courses:
– SANS 504 – “Hacker Techniques, Exploits and Incident Handling” (sans.org)
• Tools:
– Guidance Software / EnCase – www.guidancesoftware.com
– Access Data / FTK – www.accessdata.com
– log2timeline – www.log2timeline.net
– Identity Finder – www.identityfinder.com
• Online Resources:
– Forensics Wiki – www.forensicswiki.org
– Forensic Focus – www.forensicfocus.com
– Windows Incident Response – windowsir.blogspot.com
Editor's Notes
Millions of probes; tens of thousands of attacks per day; firewalls drop ~3 million attacks per day.