Computer Incident Response, BCP, DRP, Backups

Lesson 16
Incident Definitions
From “Incident Response” by Mandia and Prosise
- An incident is any event that disrupts normal operating procedure and precipitates some level of crisis, for example:
  - a computer intrusion;
  - a denial of service attack;
  - theft of information;
  - computer misuse;
  - a power failure.
- Investigator(s) gather facts, analyze the event and resolve the incident.
Incident Response Goals
- Confirm or disprove that an incident occurred.
- Accumulate accurate and timely information.
- Retrieve and handle evidence properly.
- Protect privacy rights as established by law and policy.
- Minimize disruption of business and network operations.
- Support legal or civil action against offenders.
- Produce accurate reports and useful recommendations.
Incident Response Process
From “Incident Response” by Mandia and Prosise
1. Incident Preparation
   - Define roles.
   - Establish policies.
   - Identify tools.
   - Network preparation.
   - Complete the IR checklist: who/what/where/when, incident description, hardware/software, personnel involved, network.
2. Incident Detection
   - Firewall logs.
   - IDS logs.
   - A suspicious user, or the suspicions of a user.
   - The system administrator.
   - Activate the IR team.
3. Initial Response: is it really an incident?
   - Verify the incident.
   - Affected systems.
   - Users involved.
   - Business impact.
4. Response Strategy, weighing:
   - System criticality.
   - Information sensitivity.
   - Perpetrators.
   - Publicity.
   - Skill of the attacker.
   - System downtime.
   - Dollar loss.
5. Management Approval, based on:
   - Dollar loss.
   - Downtime.
   - Legal liability.
   - Publicity.
   - Intellectual property.
6. Accumulate Evidence and Secure the System
   - Forensic duplication.
   - Best evidence rule.
   - Chain of custody.
   - Data volatility.
7. Investigate
   - Who, what, when, where, how.
   - People and things.
8. Implement Security Measures
   - Isolate and contain.
   - Disconnect.
   - Electronically isolate.
   - Network filtering.
9. Network Monitoring
   - Monitor throughout the incident.
   - Track the hacker.
   - Ensure there is no recurrence of the incident.
   - Monitor on the subnet.
   - Monitor at the boundary.
10. Recovery
   - New procedures.
   - Reinstall files.
   - Reinstall from CD-ROM (the original distribution media).
   - Secure the system: turn off unneeded services, apply patches, strong passwords, strong administration.
11. Documentation
   - Document everything as it occurs.
   - Support both criminal and civil prosecution.
   - Produce the final report.
   - Process improvement.
Incident Response Preparation
- Risk management.
- Host preparation.
- Network preparation.
- Network policies and procedures.
- A response toolkit.
- The incident response team.
Incident Response Team
- Team composition depends upon:
  - Number and type of hosts involved.
  - Number and type of networks involved.
  - Number and type of operating systems involved.
  - Attack sophistication.
  - Incident publicity.
  - Internal politics.
  - Corporate liability.
Computer Incident Response Team (CIRT)
Team Manager.
- Single Point of Contact
- Leader/decision maker
- Clear authority to act/decide.
- Assess potential impact/loss
- Upper management support
- Spokesperson
- Documents team actions.
Computer Specialist
- System Administrator
- Systems Operator/Programmer
- Technically Tracks intruder
- Monitors on-going system activity.
- Reconstructs crime.
- Documents technical aspects of
crime.
Network Specialist Advisor
- Advises computer specialist
- Network protocol specialist
- As Required
Computer Crime Investigator
- Investigator w/jurisdiction.
- Collects/documents evidence.
- Advises on investigative aspects.
- This may be a team of investigators.
Company Attorney
- Legal advice
- Case preparation
- Adjunct to Team
Public Affairs
- Advise senior management on PR
- Press Spokesperson
- Adjunct to Team
Security Auditor
- Assists Computer specialist.
- Audit trails/logs
- Assess Economic impact
- Adjunct to Team
Incident Response Team Mission
- Respond to all security incidents with a formal investigative process based upon the Incident Response Plan and corporate policies.
- Conduct a bias-free investigation.
- Determine if a true incident did occur.
- Assess the damage and scope of the incident.
- Control and contain the incident.
- Document the incident and maintain a chain of custody.
- Protect privacy rights as required by law and corporate policy.
- Liaise with law enforcement and legal authorities.
- Provide expert testimony.
- Provide recommendations to senior-level management.
Suggested Incident Goals and Priorities
- Incident response goals, in order of importance:
  1. Assure the integrity of critical systems (life support, etc.).
  2. Maintain and restore the site data.
  3. Maintain and restore site services.
  4. Figure out what happened.
  5. Avoid escalation and further incidents.
  6. Avoid negative publicity.
  7. Find out who did it.
  8. Punish the attackers.
- Incident response priorities, in order of importance:
  - P1 - Protect human life and safety.
  - P2 - Protect classified and sensitive data.
  - P3 - Protect proprietary, scientific and managerial data.
  - P4 - Prevent damage to systems.
  - P5 - Minimize service disruption of computing resources.
Incident Detection – discovering an incident
- Incident discovery: strange activities, such as
  - System crashes.
  - Unusual hard disk activity.
  - Unexplained reboots.
  - Account discrepancies.
  - Sluggish response.
  - Strange login hours.
  - Failed logins with bad passwords.
  - Unusual activity with the su command.
  - A message from a remote system administrator.
Incident Detection (cont)
- System monitoring:
  - Another superuser logs in.
  - A user on vacation who is logged in.
  - Deleted or corrupted log files.
  - A user who is not a programmer but is running compilers.
  - Network connections from unknown machines.
  - Unauthorized changes to system programs.
  - New account entries in the /etc/passwd file.
  - Analysis tools such as Tripwire.
- The system administrator should investigate any strange activity.
- Various commands can be employed to explore who is doing what on the system.
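An added worked example (not part of the lecture): the Python script below runs several of the checks above over constructed sshd and su log lines: logins outside business hours, a login by a user who is on vacation, a connection from a machine outside the trusted network, su to root by someone who is not an administrator, a direct root login, and a burst of failed passwords from one source. The log format follows Linux sshd/PAM messages; the host, user names, addresses and every policy value (business hours, vacation list, administrator list, trusted prefix, failure threshold) are assumptions made for the demonstration.

```python
import re
from collections import Counter

# Constructed sample log lines (sshd and su on a Linux host); not real data.
SAMPLE_LOG = """\
Mar 14 09:02:11 web1 sshd[2111]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 14 09:15:40 web1 sshd[2140]: Accepted password for bob from 10.0.0.7 port 51100 ssh2
Mar 14 12:30:05 web1 sshd[2301]: Failed password for invalid user test from 203.0.113.9 port 40001 ssh2
Mar 14 12:30:06 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Mar 14 12:30:07 web1 sshd[2301]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar 14 12:30:08 web1 sshd[2301]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar 14 12:30:09 web1 sshd[2301]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar 14 14:10:33 web1 sshd[2422]: Accepted password for carol from 10.0.0.9 port 51300 ssh2
Mar 14 23:47:19 web1 sshd[2610]: Accepted publickey for bob from 198.51.100.23 port 60211 ssh2
Mar 14 23:48:02 web1 su[2620]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Mar 15 03:12:44 web1 sshd[2701]: Accepted password for dave from 10.0.0.30 port 51400 ssh2
Mar 15 03:13:10 web1 su[2711]: pam_unix(su:session): session opened for user root by dave(uid=1004)
Mar 15 03:20:00 web1 sshd[2750]: Accepted publickey for root from 10.0.0.30 port 51500 ssh2
"""

# Syslog prefix, then the program-specific message.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"(?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SU_RE = re.compile(r"session opened for user (?P<target>\S+) by (?P<user>\w+)")

# Site policy; every value here is an assumption for the demonstration.
POLICY = {
    "business_hours": (7, 19),          # 07:00 to 18:59 is normal
    "on_vacation": {"dave"},            # from the HR calendar
    "admins": {"alice"},                # the only people who may su to root
    "trusted_prefixes": ("10.0.0.",),   # the office network
    "failed_threshold": 4,              # failures from one source before we care
}


def parse(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, policy=POLICY):
    """Return (indicator, subject, detail) triples for every suspicious event."""
    findings = []
    failures = Counter()
    lo, hi = policy["business_hours"]
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        hour, msg = int(rec["hh"]), rec["msg"]
        m = ACCEPT_RE.match(msg)
        if m:
            user, src = m.group("user"), m.group("src")
            if not (lo <= hour < hi):
                findings.append(("off_hours_login", user, raw))
            if user in policy["on_vacation"]:
                findings.append(("vacation_login", user, raw))
            if not src.startswith(policy["trusted_prefixes"]):
                findings.append(("unknown_host_login", src, raw))
            if user == "root":
                findings.append(("direct_root_login", src, raw))
            continue
        m = FAIL_RE.match(msg)
        if m:
            failures[m.group("src")] += 1
            continue
        m = SU_RE.search(msg)
        if m and m.group("target") == "root" and m.group("user") not in policy["admins"]:
            findings.append(("su_by_non_admin", m.group("user"), raw))
    # Password guessing shows up as many failures from one source, not one line.
    for src, n in failures.items():
        if n >= policy["failed_threshold"]:
            findings.append(("password_guessing", src, f"{n} failed passwords"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyze(SAMPLE_LOG):
        print(f"{kind:20s} {subject:16s} {detail}")
```

On a live system the same function would be fed the output of `last` or the contents of /var/log/auth.log (or the journal); the point of keeping the policy in one dictionary is that "strange" is only definable against what is normal for the site.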
Sample Helpful UNIX Commands
- finger - a protocol (and command) for finding out about an individual user or the users logged onto a system. It reads the /etc/passwd file for the user's details. Most system administrators will disable finger, since it hands out account names to anyone on the network.
- users - reads the utmp file and displays the users currently logged onto the system. UNIX keeps track of who is logged on in utmp (historically /etc/utmp, on most current systems /var/run/utmp).
- The wtmp file (historically /var/adm/wtmp, on most current systems /var/log/wtmp) keeps a record of all logins and logouts; the last command reads it.
- w, who and whodo - similar to users, with more detail per session (whois, despite the name, is unrelated: it queries network registration databases).
- ps - provides a snapshot of all processes running on the system at any given moment.
More Helpful UNIX Commands
- netstat - lists the active and pending TCP/IP connections between your machine and other machines, and the ports on which your machine is listening.
- lastcomm - reads the process accounting file (historically /var/adm/acct) and prints a list of the commands executed by a user; process accounting must have been enabled beforehand or there is nothing to read.
- ttywatch - a utility that allows the system administrator to monitor every tty on the system and record the keystrokes for later playback (similar to a VCR).
- traceroute - a utility that allows the system administrator to trace the route of an IP packet from their host to a particular foreign host.
  - It works by sending UDP packets to a high port on the destination that is assumed to be unused.
  - The TTL field starts at 1 and is advanced by 1 on each round, so each router in turn discards the packet and sends back an ICMP "time to live exceeded" message, until the destination itself answers with an ICMP "port unreachable" message instead, which ends the trace.
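The TTL walk described above, modelled as an added example (not code from the lecture or from any traceroute implementation): a toy path of routers is constructed, and each probe gets either ICMP time exceeded from the router where its TTL ran out, ICMP port unreachable from the destination, or no answer at all. The router addresses, the silent hop, the filtering hop and the hop limit are all assumptions; real traceroute needs raw sockets and a live network, which this deliberately avoids.

```python
from dataclasses import dataclass

TIME_EXCEEDED = "ICMP time exceeded"
PORT_UNREACHABLE = "ICMP port unreachable"
SILENT = None  # no reply within the timeout; traceroute prints "*"


@dataclass
class Hop:
    addr: str
    answers: bool = True          # False: this router drops the probe without replying
    drops_transit: bool = False   # True: a filter here silently eats probes bound past it


# Constructed toy path from our host to the target; hop 3 never answers.
PATH = [Hop("192.0.2.1"), Hop("198.51.100.1"),
        Hop("198.51.100.9", answers=False), Hop("203.0.113.1")]
DESTINATION = "203.0.113.42"

# Same path, but hop 3 is a firewall that forwards nothing beyond itself.
FILTERED_PATH = PATH[:2] + [Hop("198.51.100.9", drops_transit=True)] + PATH[3:]


def send_probe(ttl, path=PATH, dest=DESTINATION):
    """One UDP probe with the given TTL; returns (responder address, reply kind)."""
    for index, hop in enumerate(path, start=1):
        if index == ttl:
            # The TTL reached zero here: this router discards the packet and reports it.
            return (hop.addr, TIME_EXCEEDED) if hop.answers else (None, SILENT)
        if hop.drops_transit:
            return None, SILENT
    # The probe survived every router: the closed UDP port makes the host answer.
    return dest, PORT_UNREACHABLE


def traceroute(path=PATH, dest=DESTINATION, max_hops=30):
    """Raise the TTL from 1 until the destination answers or max_hops is reached.
    Returns (list of responders, True if the destination was reached)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, kind = send_probe(ttl, path, dest)
        hops.append(responder or "*")
        if kind == PORT_UNREACHABLE:
            return hops, True
    return hops, False


if __name__ == "__main__":
    for label, p in (("open path", PATH), ("filtered path", FILTERED_PATH)):
        hops, reached = traceroute(p, max_hops=8)
        print(f"{label}: {' '.join(hops)} {'(reached)' if reached else '(gave up)'}")
```

The filtered run is the case an investigator meets most often when tracing an intruder back through someone else's network: the trace does not fail, it just prints "*" until the hop limit, and the last address that did answer is the edge of what can be seen from here.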
Incident Detection (cont)
- Stopping the intruder: the options and what each one costs.
- Power down?
  - Interrupts users.
  - Deletes evidence (everything volatile: memory contents, network connections, running processes).
  - May damage the file systems.
- Ask him/her to leave?
  - The intruder may damage the system to prevent being caught.
- Kill his/her processes?
  - Use the ps command to list all his/her processes.
  - Change all compromised account passwords.
  - Use the kill command to terminate the processes.
  - Check for backdoors/sniffers/undesired programs.
- Break the connection?
  - Interrupts other users.
- What about kernel-level activity?
  - Changes to the kernel may negate the ability to accomplish some of the checks mentioned above: once the kernel is modified, ps, netstat and the file system itself can be made to report false information.
An Intruder has been detected!
Disconnect?
- If the intruder stays connected, your company and you may be liable for damages.
- If the intruder knows you have detected him, he may damage your system to cover his tracks.
- If you disconnect, the intruder may go on to access other computers.
Do you protect your information or try to catch the intruder?
Stay connected and trace the intruder?
- Consult your log files for system, terminal and line information.
- Work with other system administrators to pool information.
- Set up an undetectable monitor to record his activity (make sure your legal advisor is involved and that you have proper authorization).
- Analyze your data for patterns, trends, key words, motivation, etc.
- Set a honey pot?
- Track him across the network, across the continent, across national borders.
- Document everything.
Incident Reporting
- Incident notification guidelines:
  - Contact the CIRT quickly.
  - Use explicit language that is clear, concise and fully qualified: no smoke screens, no generalities.
  - Use factual language: no false information, no incomplete information.
  - Use a matter-of-fact language and tone: no emotion, no inflammatory language.
Initial Response
- Freeze the incident scene.
- Verbally contain the scene with instructions such as:
  - “Take your hands off the keyboard and step away from the computer.”
  - “Physically disconnect the computer from the network.”
  - “What is your name, office and telephone number?”
  - “What is the hardware and operating system?”
  - “I’m going to fax you a set of instructions. What is your fax number?”
Incident Response Checklist
Version 1.0
Date:
Time:
Name:
Telephone Number:
Nature of Incident:
Time of Incident:
How was the incident detected:
Current Impact of Incident:
Future Impact of incident:
Description of the incident:
Hardware/OS/Software involved:
IP and network addresses of compromised systems:
Network Type:
Modem:
Criticality of Information:
Physical location:
System Administrator Name and Number:
Current status of machine:
Description of Intruder Actions
Ongoing activity:
Source Address:
Malicious program involved:
Denial of Service:
Vandalism:
Indication of insider or outsider:
Incident Response Checklist (cont)
Version 1.0
Client Actions
Network disconnected:
Remote access available:
Local Access available:
Audit logs available and examined:
Any changes to firewall:
Any changes to ACL:
Who has been notified:
Other actions taken:
Available Tools
Third party host auditing:
Network monitoring:
Network Auditing:
Additional Contacts
Users:
System Administrators:
Network Administrators:
Special Information
Who should not know about this incident:
Response Team Member Signature/Date:__________________________________
Incident Response Team Fax
Version 1.0
Date:_____________
Time:____________
Name:_______________________
Thank you for notifying the incident response team and agreeing to help. Please
do not touch the affected computer(s) unless told to do so by a member of the
Incident Response team. Please remain within sight of the computer until a member
of the Incident Response Team arrives, and ensure that no one touches the computer.
Please help us by detailing as much information about the incident as possible.
Please complete the following items. If additional space is required use a separate
sheet of paper.
Witnesses:
1.
2.
3.
What indicators led you to notice and/or report the incident? Be as specific as
possible.
Incident Indicators:
The next section is important so be as accurate as possible. From the time you
noticed the incident to the time you took your hands from the computer, list every
command you typed and any file you accessed.
Commands typed and Files accessed:
Response Team Member Signature:______________________________________
Initial Response (cont)
- Physically contain the scene. Two personnel, if possible, should immediately respond to the scene.
- Incident scene survey (1st member):
  - Use a portable tape recorder to:
    1. Record the scene.
    2. Record who is present. Order everyone to leave the scene who is not directly involved in the incident or the investigation.
    3. Interview the individual who reported the incident.
    4. Assist the 2nd member. Record, when possible, the actions of the second individual.
Initial Response (cont)
- Contain the system (2nd member):
  - Ask the system administrator to assist.
  - Back up the system.
    - Do this with a forensic-type tool that makes a bit-by-bit copy, such as SafeBack.
    - Alternatively, remove the drive and seal it in a plastic bag with your notes and the notes of the individual who reported the incident.
  - Attempt to identify the changed files:
    - Tripwire, http://www.tripwire.org/, or alternatively
    - Expert Witness, at http://www.asrdata.com.
Incident Investigation & Assessment
- Conduct personnel interviews.
  - System administrator. Selected questions include:
    - Unusual activity?
    - Administrative access to the system?
    - Remote access to systems?
    - Logging capabilities?
    - Current security precautions?
  - Managers. Selected questions include:
    - Ongoing security tests?
    - Disgruntled employees?
    - Recently fired employees?
    - History of current employees?
    - Sensitive data or applications on the systems?
  - End users. Selected questions include:
    - Anomalous behavior or suspicious activity?
Incident Investigation & Assessment
- Assess the potential security incident.
  - What are the incident symptoms?
  - Is it a security incident, or a system problem?
    - Power outage.
    - Faulty software.
    - Communication problems.
    - Procedures problem.
    - Training problem.
Incident Investigation & Assessment
- Evaluate the severity and scope of the incident.
  - What specifically happened?
  - What was the entry point?
  - What local computers/networks were affected?
  - What remote computers/networks were affected?
  - What information was affected? What was its value to the organization?
  - What further can possibly occur?
  - Who else knows about the incident?
  - What are the estimated time/resources required to handle the incident?
Incident Investigation & Assessment
- Indications of an incident:
  - A new account.
  - Passwords were changed on existing accounts.
  - The protection changed on selected files/devices.
  - New SUID and SGID programs have been found.
  - System programs have been added/modified.
  - An alias has been installed in the e-mail system to run a program.
  - New features have been added to your news or UUCP system.
  - A password sniffer was found (stolen passwords are fed to a cracker such as Crack).
  - File dates have been modified.
  - Login files have been modified.
  - The system has an unexplained crash.
  - Accounting discrepancies.
  - Denial of service.
  - Unexplained poor system performance.
  - Suspicious probes/browsing.
Incident Investigation & Assessment
- Indications of an incident (cont):
  - Undocumented changes or upgrades to programs.
  - Unexplained user account charges or changes.
  - Security access compromise (passwords, etc.).
  - Unauthorized use of computer facilities.
  - Unexplained network/computer crashes.
  - Unexplained corrupted files or services.
  - Theft/missing computer/storage equipment.
  - Unexplained high utilization of equipment, storage or network resources.
  - Unexplained loss of critical/sensitive data.
  - Unexplained user account lockouts.
  - Unexplained network traps/alarms.
  - Unexplained firewall/IDS alerts/alarms.
Incident Investigation & Assessment
All systems/networks are suspect until the actual extent of the incident is known.
- Verify the integrity of all site computers.
- Verify the integrity of all site networks.
- Verify the integrity of all files/directories (checksums).
- Compare system files with backups or initial distributions.
- Compare software applications with the baseline.
- Analyze the documentation, files and security logs.
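The checksum comparison above, and the Tripwire-based "identify the changed files" step in the Initial Response section, as an added Python example (not the lecture's code and not Tripwire's): a baseline of digest, permission bits and owner is recorded for every regular file, a later snapshot is compared against it, and a separate check reports new accounts and non-root UID 0 entries in passwd. The directory tree and both passwd files are constructed for the demonstration in a temporary directory.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> digest, permission bits and owner, for every regular file under root."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": file_digest(full),
                            "mode": oct(stat.S_IMODE(st.st_mode)),
                            "uid": st.st_uid, "gid": st.st_gid}
    return entries


def compare(baseline, current):
    """Files added, removed, or whose content, mode or owner changed since the baseline."""
    before, after = set(baseline), set(current)
    return {"added": sorted(after - before),
            "removed": sorted(before - after),
            "modified": sorted(p for p in before & after if baseline[p] != current[p])}


def passwd_changes(old_text, new_text):
    """New accounts, and any account besides root that carries UID 0."""
    def parse(text):
        accounts = {}
        for line in text.splitlines():
            fields = line.split(":")
            if line.startswith("#") or len(fields) < 7:
                continue
            accounts[fields[0]] = fields
        return accounts
    old, new = parse(old_text), parse(new_text)
    return {"new_accounts": sorted(set(new) - set(old)),
            "extra_uid0": sorted(n for n, f in new.items() if f[2] == "0" and n != "root")}


# Constructed passwd contents for the demonstration.
OLD_PASSWD = "root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n"
NEW_PASSWD = OLD_PASSWD + "toor:x:0:0::/:/bin/sh\nbackup2:x:1001:1001::/tmp:/bin/sh\n"


def demo():
    """Baseline a constructed tree, tamper with it the way an intruder might, and diff."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name, body in (("login", b"original login binary\n"), ("ls", b"original ls binary\n")):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(body)
        # The baseline must live where the intruder cannot alter it (read-only or
        # offline media); here it is only serialised in memory.
        saved = json.dumps(snapshot(root))
        # Tamper: trojaned login, a hidden SUID helper added, ls deleted.
        with open(os.path.join(bin_dir, "login"), "wb") as f:
            f.write(b"trojaned login binary\n")
        with open(os.path.join(bin_dir, ".helper"), "wb") as f:
            f.write(b"backdoor\n")
        os.chmod(os.path.join(bin_dir, ".helper"), 0o4755)
        os.remove(os.path.join(bin_dir, "ls"))
        return compare(json.loads(saved), snapshot(root))


if __name__ == "__main__":
    print(demo())
    print(passwd_changes(OLD_PASSWD, NEW_PASSWD))
```

Two things the slide's "don't believe anything your system tells you" implies for this check: the comparison only means something if the baseline was taken before the compromise and kept out of the intruder's reach, and the hashing program itself must come from trusted media, since a modified kernel or a trojaned binary can feed the checker clean-looking bytes.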
Computer Forensics
You will eventually have to make a decision on whether to involve law enforcement (LE) and push for prosecution.
Computer Forensics Principles:
- P1: Preserve the evidence in an unchanged state (think forensic image).
- P2: Thoroughly and completely document the investigative process (chain of custody).
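P1 and P2 above, together with the bit-by-bit backup and chain-of-custody points in the Initial Response and Incident Response Process sections, as an added Python example (not the lecture's code and not SafeBack): the source is copied chunk by chunk while being hashed, the written image is hashed independently, both digests must agree before the image is trusted, and the result goes into a custody record that any later examiner can re-verify. The "device" is a constructed file in a temporary directory and the custody-record fields are an assumption; on a real system the source would be a read-only block device behind a write blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # read and write in 64 KiB pieces


def image_device(src_path, img_path):
    """Copy src to img byte for byte, hashing the source as it is read.
    Returns (bytes copied, sha256 of the source as read)."""
    h = hashlib.sha256()
    total = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            h.update(chunk)
            img.write(chunk)
            total += len(chunk)
        img.flush()
        os.fsync(img.fileno())  # make sure the image really reached the media
    return total, h.hexdigest()


def sha256_file(path):
    """Independent re-read of a file; used on the image after it is written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(case_id, evidence_id, collector, src_path, img_path):
    """Image the source, hash both sides, and return the custody record (P2)."""
    size, src_digest = image_device(src_path, img_path)
    img_digest = sha256_file(img_path)
    return {
        "case_id": case_id,
        "evidence_id": evidence_id,
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": src_path,
        "image": img_path,
        "size_bytes": size,
        "sha256": src_digest,
        "verified": src_digest == img_digest,  # P1: the copy is provably identical
    }


def verify_image(record):
    """Later check (another examiner, or the court): does the image still match?"""
    return sha256_file(record["image"]) == record["sha256"]


def demo():
    """Image a constructed 'device', verify it, then show that tampering is detected."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sdb1.raw")          # stands in for /dev/sdb1
        img = os.path.join(d, "case-0001-sdb1.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 800)       # 204,800 bytes of constructed content
        record = acquire("CASE-0001", "E-01", "J. Doe", src, img)
        custody_log = json.dumps(record)           # this line goes into the case file
        ok_before = verify_image(record)
        # Anyone who touches the image afterwards leaves a trace: flip one byte.
        with open(img, "r+b") as f:
            f.seek(1000)
            f.write(b"\x00")
        ok_after = verify_image(record)
        return json.loads(custody_log), ok_before, ok_after


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("verifies before tampering:", before, "| after:", after)
```

Because of the data-volatility point in the process outline, this image is taken only after the volatile data (memory, network connections, running processes) has been captured; and the single flipped byte in the demonstration is why the custody record must carry the hash rather than just the size: the tampered image is still exactly 204,800 bytes.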
System Restoration
- The system administrator should be used in the recovery process.
- Don't trust anything that is on-line.
- Don't believe anything your system tells you.
- Reformat disks.
- Restore the operating system.
- Reload software.
- Assign new passwords.
- Scan /etc/passwd for newly created accounts.
- Check for changes to files that may affect security (trapdoors, logic bombs, etc.).
- The recovery should be planned to have minimal impact on the users.
  - Keep the users informed.
  - Engage in rumor control.
Incident Evaluation
- Conduct an after-action meeting.
- Prepare an after-action report to document the incident, the response to the incident and the recovery from the incident.
- Lessons learned?
- What other reports might you need to generate?
  - Law enforcement report?
  - Regulatory agency report?
  - Insurance claim?
  - Disciplinary action?
  - Dismissal action?
  - Vendor report?
  - Update the disaster recovery plan?
  - Update software to new versions?
  - Update employee training?
  - Public affairs report?
  - CEO report to employees?
Computer Crime Investigation
- Do you notify law enforcement?
  - Brief/coordinate with upper management.
  - In certain situations/environments, you may not have a choice.
  - If you do, remember that the LE agency will assume control.
- Computer crime investigation is complex, time consuming and resource intensive.
  - Allow time/resources for investigation and prosecution.
Backup strategies
- The three most important things to do for security, BCP and DRP: backup, backup, backup.
- Four different types of backups:
  - Full: back up everything every time.
  - Differential: back up only what has changed since the last full backup (typically).
  - Incremental: back up only what has changed since the last full or incremental backup.
  - Delta: back up only the portions of files that have changed since the last delta or full backup.
- Pros/cons of the different types? A full backup restores from a single set but copies the most data each run; a differential restores from two sets (the full plus the latest differential) but grows every day until the next full; an incremental copies the least whole-file data per run, but a restore must replay every incremental since the full; a delta copies even less but needs every delta since the full, and a tool that understands the file's block layout.
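An added worked example (not from the lecture) that puts numbers on the pros and cons: a constructed week of file changes is backed up under each of the four strategies, the bytes stored and the number of sets a restore needs are counted, and each restore is actually replayed and checked against the real final state. The file sizes, the change pattern and the 4 KiB block size are assumptions; the differential and incremental sets here record only added and changed files, not deletions, which a real tool must also track.

```python
BLOCK = 4096  # assumed block size used by the delta strategy


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def changed_files(state, reference):
    """Whole files whose content differs from the reference snapshot (new files included)."""
    return {name: data for name, data in state.items() if reference.get(name) != data}


def changed_blocks(state, reference):
    """Per file, only the blocks that differ from the reference snapshot."""
    out = {}
    for name, data in state.items():
        old, new = split_blocks(reference.get(name, b"")), split_blocks(data)
        diff = {i: blk for i, blk in enumerate(new) if i >= len(old) or old[i] != blk}
        if diff or len(new) != len(old):
            out[name] = {"blocks": diff, "nblocks": len(new)}
    return out


def simulate(states, strategy):
    """Full backup on day 0, then one backup of the given type every day after."""
    sets = [{"type": "full", "data": dict(states[0])}]
    for day in range(1, len(states)):
        cur, prev = states[day], states[day - 1]
        if strategy == "full":
            data = dict(cur)
        elif strategy == "differential":
            data = changed_files(cur, sets[0]["data"])   # since the last full
        elif strategy == "incremental":
            data = changed_files(cur, prev)              # since the previous set
        elif strategy == "delta":
            data = changed_blocks(cur, prev)             # changed blocks only
        else:
            raise ValueError(strategy)
        sets.append({"type": strategy, "data": data})
    return sets


def set_size(s):
    """Bytes a set occupies on the backup media."""
    if s["type"] == "delta":
        return sum(len(b) for f in s["data"].values() for b in f["blocks"].values())
    return sum(len(d) for d in s["data"].values())


def restore_chain(sets):
    """The ordered sets needed to rebuild the latest state."""
    last_full = max(i for i, s in enumerate(sets) if s["type"] == "full")
    if sets[-1]["type"] == "full":
        return [sets[-1]]
    if sets[-1]["type"] == "differential":
        return [sets[last_full], sets[-1]]
    return sets[last_full:]  # incremental and delta need every set since the full


def restore(chain):
    """Replay the chain in order; whole files overwrite, deltas patch blocks."""
    state = {}
    for s in chain:
        if s["type"] != "delta":
            state.update(s["data"])
            continue
        for name, entry in s["data"].items():
            blks = split_blocks(state.get(name, b""))[:entry["nblocks"]]
            blks += [b""] * (entry["nblocks"] - len(blks))
            for i, blk in entry["blocks"].items():
                blks[i] = blk
            state[name] = b"".join(blks)
    return state


def make_week():
    """Constructed seven daily states: a 40 KiB database with one block rewritten on
    days 2 and 5, an 8 KiB static document, a 4 KiB config edited once on day 1,
    and a log that grows by 1 KiB every day."""
    db = bytearray(b"D" * 10 * BLOCK)
    cfg, log, states = b"C" * BLOCK, b"", []
    for day in range(7):
        if day in (2, 5):
            db[day * BLOCK] = ord("X")
        if day == 1:
            cfg = b"c" * BLOCK
        if day >= 1:
            log += bytes([day]) * 1024
        states.append({"db.dat": bytes(db), "doc.txt": b"S" * 2 * BLOCK,
                       "config.ini": cfg, "log.txt": log})
    return states


def summarize(states, strategy):
    sets = simulate(states, strategy)
    chain = restore_chain(sets)
    return {"total_bytes": sum(map(set_size, sets)),
            "sets_to_restore": len(chain),
            "restore_ok": restore(chain) == states[-1]}


if __name__ == "__main__":
    week = make_week()
    for strategy in ("full", "differential", "incremental", "delta"):
        print(f"{strategy:13s}", summarize(week, strategy))
```

The numbers the run prints make the trade-off concrete: the differential strategy stores the whole 40 KiB database every day after it first changes, the incremental stores it only on the two days it actually changed, and the delta stores just the two 4 KiB blocks, at the price of a seven-set restore chain in which the loss of any one set breaks everything after it.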
Backup considerations
- What do you back up? Hardware and software as well as data.
- Environmental protection: magnetic and optical media can be damaged by dust, mold, heat, condensation, ...
- Location of backups and backup facilities: onsite vs. offsite; hot, warm and cold facilities.
- Effect of time on media.
Business Continuity Plans (BCP)
The goal is to protect the operations of the organization, not just the computing systems.
- May be invoked as a result of any type of disaster.
- Three phases to the recovery process:
  - Continuation of activities: enable a very limited set of functions, the essentials for business to continue.
  - Resumption of activities: provide for a full, or almost full, range of business functions.
  - Restoration of activities: bring back a normal operating environment in a permanent facility.
Losses during a disaster
[Figure: Cumulative Loss Summary With and Without a DRP. Cumulative loss in dollars ($0 to $6,000,000) plotted against time after the disaster (ticks 1 to 29), one curve without a DRP and one with a DRP.]
Some final thoughts
- Business Continuity Plan (BCP): similar to a DRP but focuses solely on business continuity. A DRP should also take into account possible personnel safety and loss-of-life issues.
- Business Impact Assessment/Analysis (BIA): used to determine what is important for inclusion in the BCP/DRP. It assesses how the unavailability of each system/process would affect the organization.
Summary
- What is the importance and significance of this material?
- How does this topic fit into the subject of “Voice and Data Security”?