
Page 1: Security Planning Susan Lincke Planning for Incident Response

Security Planning

Susan Lincke

Planning for Incident Response

Page 2

Title of the Presentation | 04/19/23 | 2

Objectives

Students should be able to:

Define and describe an incident response plan and business continuity plan

Describe incident management team, incident response team, proactive detection, triage

Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, root cause.

Define external test, internal test, blind test, double blind test, targeted test.

Develop a high-level incident response plan.

Describe steps to obtain computer forensic information during an investigation.

Describe general capabilities of a forensic tool.

Describe steps to copy a disk.

Define discovery, e-discovery, deposition, declaration, affidavit, fact witness, expert consultant, expert witness.

Page 3

How to React to…?

Viruses

Denial of Service

Hacker Intrusion

Accidents

System Failure

Theft of Proprietary Information

Social Engineering

Lost Backup Tape

Stolen Laptop

Fire!

Page 4

Incident Response vs. Business Continuity

Incident Response Planning (IRP): security-related threats to systems, networks & data; data confidentiality; non-repudiable transactions

Business Continuity Planning (BCP): Disaster Recovery Plan; Continuity of Business Operations. IRP is part of BCP and can be *the first step*

NIST SP 800-61 defines an incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

Page 5

Review: Business Continuity Recovery Terms

Interruption Window: time duration the organization can wait between the point of failure and service resumption
Service Delivery Objective (SDO): level of service in Alternate Mode
Maximum Tolerable Outage (MTO): maximum time in Alternate Mode

[Timeline figure: Regular Service -> Interruption -> (Acceptable) Interruption Window -> Disaster Recovery Plan Implemented -> Alternate Mode at the SDO, lasting no longer than the Maximum Tolerable Outage -> Restoration Plan Implemented -> Regular Service]

Page 6

Vocabulary

Attack vectors = source methods: can include removable media, flash drive, email, web, improper use, loss or theft, physical abuse, social engineering, …

Page 7

Vocabulary

IMT: Incident Management Team
• IS Manager leads; includes steering committee and IRT members
• Develops strategies & designs the plan for Incident Response, integrating business, IT, BCP, and risk management
• Obtains funding, reviews postmortems
• Meets performance & reporting requirements

IRT: Incident Response Team
• Handles the specific incident
• Has specific knowledge relating to: security, network protocols, operating systems, physical security issues, malicious code, etc.
• Permanent (full-time) members: IT security specialists, incident handlers, investigator
• Virtual (part-time) members: business (middle mgmt), legal, public relations, human resources, physical security, risk, IT

Page 8

Stages in Incident Response

1. Preparation: plan PRIOR to incident
2. Identification: determine what is/has happened
3. Containment & Escalation: limit incident
4. Analysis & Eradication: determine and remove root cause
5. Recovery: return operations to normal
6. Lessons Learned: process improvement; plan for the future

[If data breach]
Notification: notify any data breach victims
Ex-Post Response: establish call center, reparation activities

Page 9

Why is incident response important?

$201: average cost per breached record

66% of incidents took more than a month (some took years) to discover

82% of incidents detected by outsiders

78% of initial intrusions rated as low difficulty

Page 10

Stage 1: Preparation

• What shall we do if different types of incidents occur? (BIA helps)
• When is the incident management team called?
• How can governmental agencies or law enforcement help?
• When do we involve law enforcement?
• What equipment do we need to handle an incident?
• What shall we do to prevent or discourage incidents from occurring? (e.g., banners, policies)
• Where on-site & off-site shall we keep the IRP?

Page 11

(1) Detection Technologies

The organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner.

Proactive Detection includes:
• Network Intrusion Detection/Prevention System (NIDS/NIPS)
• Host Intrusion Detection/Prevention System (HIDS/HIPS)
• Antivirus, Endpoint Security Suite
• Security Information and Event Management (SIEM; logs)
• Vulnerability/audit testing
• System baselines, sniffer
• Centralized Incident Management System: input is server and system logs; coordinates & correlates logs from many systems; tracks status of incidents to closure

Reactive Detection: reports of unusual or suspicious activity

Page 12

Logs to Collect & Monitor

Page 13

Incidents may include…

IT detects:
• a device (firewall, router or server) issues serious alarm(s)
• a change in configuration
• an IDS/IPS recognizes an irregular pattern: unusually high traffic, inappropriate file transfer, changes in protocol use
• unexplained system crashes or unexplained connection terminations

Employees report:
• Malware
• Violations of policy
• Data breach: stolen laptop or memory; employee mistake
• Social engineering/fraud: caller, e-mail, visitors
• Unusual event: inappropriate login, unusual system aborts, server slow, deleted files, defaced website

Page 14

(1) Management Participation

Management makes the final decision. As always, senior management has to be convinced that this is worth the money.

Actual costs: Ponemon Data Breach Study, 2014, Sponsored by Symantec

Expenses Following a Breach | Average Cost
Detection and Escalation: forensic investigation, audit, crisis mgmt., board of directors involvement | $420,000
Notification: legal expertise, contact database development, customer communications | $510,000
Post Breach Response: help desk and incoming communications, identity protection services, legal and regulatory expenses, special investigations | $1,600,000
Lost Business: abnormal customer churn, customer procurement, goodwill | $3,320,000

Page 15

Workbook: Incident Types

Incident | Description | Methods of Detection | Procedural Response

Intruder accesses internal network | Firewall, database, IDS, or server log indicates a probable intrusion. | Daily log evaluations, high priority email alerts | IT/Security addresses incident within 1 hour. Follow: Network Incident Procedure Section.

Break-in or theft | Computers, laptops or memory is stolen or lost. | Security alarm set for off-hours; or employee reports missing device. | Email/call Management & IT immediately. Management calls police, if theft. Security initiates tracing of laptops via location software, writes Incident Report, evaluates if breach occurred.

Social Engineering | Suspicious social engineering attempt was recognized OR information was divulged that was recognized after the fact as being inappropriate. | Training of staff leads to report from staff | Report to Management & Security. Warn employees of attempt as added training. Security evaluates if breach occurred, writes incident report.

Trojan (rogue) Wireless LAN | A new WLAN masquerades as ours. | Key confidential areas are inspected daily for WLAN availability | Security or network administrator is notified immediately. Incident is acted upon within 2 hours.

Page 16

Stage 2: Identification

Triage: categorize, prioritize and assign events and incidents
• What type of incident just occurred?
• What is the severity of the incident? Severity may increase if recovery is delayed
• Who should be called?
• Establish chain of custody for evidence

Page 17

(2) Triage

Snapshot of the known status of all reported incident activity: sort, categorize, correlate, prioritize & assign
• Categorize: DoS, malicious code, unauthorized access, inappropriate usage, multiple components
• Prioritize: limited resources require prioritizing response to minimize impact
• Assign: who is free/on duty and competent in this area?
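Added example, not from the slides: a small Python routine of the kind the centralized incident management system on the detection slide performs (ingest logs from several systems, correlate them per host, track status to closure), applied to the triage steps on this slide (categorize using the categories listed, prioritize, assign). The log lines, the asset table and the on-duty roster are all constructed for the example; the correlation rules are illustrative, not a standard.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (not real data) from three sources: firewall, host sshd, NIDS.
SAMPLE_LOGS = """\
2024-03-01T10:41:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:41:05 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:41:09 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:41:10 srv05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:41:12 srv05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:41:15 srv05 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:42:00 ids01 ALERT sig=TROJAN_CnC_Beacon src=10.0.0.5 dst=198.51.100.9
2024-03-01T10:50:00 fw01 ALLOW src=192.0.2.44 dst=10.0.0.8 dport=443
2024-03-01T10:50:03 srv08 sshd: Accepted password for jdoe from 192.0.2.44
"""

# Assumed asset inventory (hypothetical): firewall and IDS events name an IP, the host's own
# log names the host, so a mapping is needed to correlate them.
ASSETS = {"10.0.0.5": "srv05", "10.0.0.8": "srv08"}

# Assumed on-duty roster (hypothetical), keyed by the categories on the slide.
ROSTER = {
    "Malicious code": "malware handler on duty",
    "Unauthorized access": "intrusion handler on duty",
    "Multiple components": "senior incident handler on duty",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<msg>.*)$")
FW_RE = re.compile(r"\b(?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")
SSH_RE = re.compile(r"sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
IDS_RE = re.compile(r"ALERT sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


@dataclass
class Event:
    ts: datetime
    host: str          # internal host the event is about
    kind: str          # fw_deny | fw_allow | auth_fail | auth_ok | ids_alert
    detail: str
    actor: str = ""    # remote IP for login events


@dataclass
class Incident:
    host: str
    category: str
    priority: int      # 1 = most urgent
    assigned_to: str
    evidence: list
    detected: datetime
    status: str = "open"
    responded: datetime = None
    closed: datetime = None


def parse_line(line):
    """Normalize one raw line from any source into an Event; None if the line is not understood."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, msg = datetime.fromisoformat(m["ts"]), m["src"], m["msg"]
    if fw := FW_RE.search(msg):
        return Event(ts, ASSETS.get(fw["dst"], fw["dst"]), "fw_" + fw["action"].lower(),
                     f"{fw['action']} {fw['src']} -> {fw['dst']}:{fw['port']}")
    if ssh := SSH_RE.search(msg):
        kind = "auth_fail" if ssh["result"] == "Failed" else "auth_ok"
        return Event(ts, src, kind, f"{ssh['result']} login {ssh['user']} from {ssh['ip']}", ssh["ip"])
    if ids := IDS_RE.search(msg):
        return Event(ts, ASSETS.get(ids["src"], ids["src"]), "ids_alert", ids["sig"])
    return None


def correlate(events):
    """Group events per host, then do the slide's triage: categorize, prioritize, assign."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    incidents = []
    for host, evs in by_host.items():
        fails = [e for e in evs if e.kind == "auth_fail"]
        # Rule 1: success after repeated failures from the same IP = probable brute force.
        brute = any(e.kind == "auth_ok" and len(fails) >= 2 and e.ts > fails[-1].ts
                    and e.actor == fails[-1].actor for e in evs)
        # Rule 2: the NIDS saw this host beacon to a command-and-control address.
        beacon = any(e.kind == "ids_alert" for e in evs)
        if brute and beacon:
            category, priority = "Multiple components", 1
        elif beacon:
            category, priority = "Malicious code", 2
        elif brute:
            category, priority = "Unauthorized access", 2
        else:
            continue   # a lone successful login is normal activity, not an incident
        incidents.append(Incident(host, category, priority, ROSTER[category],
                                  [e.detail for e in evs], evs[-1].ts))
    return sorted(incidents, key=lambda i: i.priority)


def respond(inc, when_iso):
    """Handler picks the incident up: status moves from open to in progress."""
    inc.status, inc.responded = "in progress", datetime.fromisoformat(when_iso)
    return inc


def close_incident(inc, when_iso):
    inc.status, inc.closed = "closed", datetime.fromisoformat(when_iso)
    return inc


def minutes_to_respond(inc):
    """One of the metrics listed later in the deck, computable because timestamps are tracked."""
    return (inc.responded - inc.detected).total_seconds() / 60


def triage(log_text):
    return correlate([ev for ev in map(parse_line, log_text.splitlines()) if ev])


if __name__ == "__main__":
    for inc in triage(SAMPLE_LOGS):
        print(f"P{inc.priority} {inc.category:20} {inc.host} -> {inc.assigned_to}")
```

On the sample data only srv05 becomes an incident: the brute-force login and the C2 beacon together are categorized as "Multiple components" at priority 1; the single accepted login on srv08 is left alone. Real deployments would add time windows and many more rules, but the shape (normalize, correlate per asset, categorize, prioritize, assign, track) is the same.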

Page 18

(2) Chain of Custody

Evidence must follow chain-of-custody requirements to be admissible/acceptable in court. Those who handle it include: specially trained staff, 3rd-party specialist, law enforcement, security response team

A system administrator can:
• Retrieve info to confirm an incident
• Identify scope and size of affected environment (system/network)
• Determine degree of loss/alteration/damage
• Identify possible path of attack

Page 19

Stage 3: Containment

Activate Incident Response Team to contain threat: IT/security, public relations, mgmt, business
Isolate the problem:
• Disable server or network zone communication
• Disable user access
• Change firewall configurations to halt connection
Obtain & preserve evidence

Page 20

(3) Containment - Response

Technical: collect data, analyze log files, obtain further technical assistance, deploy patches & workarounds
Managerial: business impacts result in management intervention, notification, escalation, approval
Legal: issues related to investigation, prosecution, liability, privacy, laws & regulation, nondisclosure

Page 21

Stage 4: Analysis & Eradication

Determine how the attack occurred: who, when, how, and why? What is the impact & threat? What damage occurred?

Remove root cause: initial vulnerability(s)
• Rebuild system
• Talk to ISP to get more information
• Perform vulnerability analysis
• Improve defenses with enhanced protection techniques

Discuss recovery with management, who must make decisions on handling that affects other areas of the business

Page 22

(4) Analysis

• What happened?
• Who was involved?
• What was the reason for the attack?
• Where did the attack originate from?
• When did the initial attack occur?
• How did it happen?
• What vulnerability enabled the attack?

Page 23

(4) Remove root cause

If Admin or Root compromised, rebuild system

Implement recent patches & recent antivirus

Fortify defenses with enhanced security controls

Change all passwords

Retest with vulnerability analysis tools

Page 24

Stage 5: Recovery

Restore operations to normal

Ensure that restore is fully tested and operational

Page 25

Workbook: Incident Handling Response

Incident Type: Malware detected by antivirus software
Contact Name & Information: Computer Technology Services Desk: www.univ.edu/CTS/help 262-252-3344 (O)
Emergency Triage Procedure: Disconnect computer from Internet/WLAN. Do not reconnect. Allow antivirus to fix problem, if possible. Report to IT first thing during next business day.
Containment & Escalation Conditions and Steps: If laptop contained confidential information, investigate malware to determine if intruder obtained entry. Determine if Breach Law applies.
Analysis & Eradication Procedure: If confidential information was on the computer (even though encrypted), malware may have sent sensitive data across the Internet; a forensic investigation is required. Next, determine if virus = dangerous and user = admin:
• Type A: return computer. (A = virus not dangerous and user not admin.)
• Type B: rebuild computer. (B = either virus was dangerous and/or user was admin.)
Password is changed for all users on the computer.
Other Notes (Prevention techniques): Antivirus should record type of malware to log system.

Page 26

Stage 6: Lessons Learned

Follow-up includes:
• Writing an Incident Report: What went right or wrong in the incident response? How can process improvement occur? How much did the incident cost (in loss, handling & time)?
• Presenting the report to relevant stakeholders

Page 27

Planning Processes

• Risk & Business Impact Assessment
• Response & Recovery Strategy Definition
• Document IRP and DRP
• Train for response & recovery
• Update IRP & DRP
• Test response & recovery
• Audit IRP & DRP

Page 28

Training

• Introductory Training: first day as IMT member
• Mentoring: buddy system with a longer-term member
• Formal Training
• On-the-job training
• Training due to changes in IRP/DRP

Page 29

Types of Penetration Tests

• External Testing: tests from outside the network perimeter
• Internal Testing: tests from within the network
• Blind Testing: penetration tester knows nothing in advance and must do web research on the company
• Double Blind Testing: system and security administrators also are not aware of the test
• Targeted Testing: tester has internal information about a target; may have access to an account
Written permission must always be obtained first

Page 30

Incident Management Metrics

• # of reported incidents
• # of detected incidents
• Average time to respond to an incident
• Average time to resolve an incident
• Total number of incidents successfully resolved
• Proactive & preventative measures taken
• Total damage from reported or detected incidents
• Total damage if incidents had not been contained in a timely manner

Page 31

Challenges

• Management buy-in: management does not allocate time/staff to develop IRP (top reason for failure)
• Organization goals/structure mismatch: e.g., national scope for an international organization
• IMT member turnover
• Communication problems: too much or too little
• Plan is too complex and wide

Page 32

Question

The MAIN challenge in putting together an IRP is likely to be:

1. Getting management and department support

2. Understanding the requirements for chain of custody

3. Keeping the IRP up-to-date

4. Ensuring the IRP is correct

Page 33

Question

The PRIMARY reason for Triage is:

1. To coordinate limited resources

2. To disinfect a compromised system

3. To determine the reasons for the incident

4. To detect an incident

Page 34

Question

When a system has been compromised at the administrator level, the MOST IMPORTANT action is:

1. Ensure patches and anti-virus are up-to-date

2. Change admin password

3. Request law enforcement assistance to investigate incident

4. Rebuild system

Page 35

Question

The BEST method of detecting an incident is:

1. Investigating reports of discrepancies

2. NIDS/HIDS technology

3. Regular vulnerability scans

4. Job rotation

Page 36

Question

The person or group who develops strategies for incident response includes:

1. CISO

2. CRO

3. IRT

4. IMT

Page 37

Question

The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:

1. Disconnect the computer facilities from the computer network to hopefully disconnect the attacker

2. Power down the server to prevent further loss of confidentiality and data integrity

3. Call the police

4. Follow the directions of the Incident Response Plan

Page 38

Computer Forensics

The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding

Page 39

The Investigation

Avoid infringing on the rights of the suspect.
A warrant is required unless: the organization/home gives permission; the crime is communicated to a third party; the evidence is in plain sight or is in danger of being destroyed; evidence is found during a normal arrest process; or police are in hot pursuit.

Computer searches generally require a warrant except:
• When a signed acceptable use policy authorizes permission
• If a computer repair person notices illegal activities (e.g., child pornography), they can report the computer to law enforcement

Page 40

Computer Crime Investigation

[Flow diagram: Call police or incident response -> Copy memory, processes, files, connections in progress -> Power down -> Copy disk -> Analyze copied images; Preserve original system in locked storage with minimum access; Take photos of surrounding area]

Evidence must be unaltered; chain of custody professionally maintained

Four considerations:
• Identify evidence
• Preserve evidence
• Analyze copy of evidence
• Present evidence

Page 41

Initial Incident Investigation

A forensic jumpkit includes:
• a laptop preconfigured with protocol sniffers and forensic software
• network taps and cables
• Since the attacked computer may be contaminated (its own binaries and libraries cannot be trusted), the jumpkit's tools must be known-good and are the ones relied on

The investigator is likely to:
• Get a full memory image snapshot, to obtain network connections, open files, in-progress processes
• Photograph the computer: active screen, inside, outside computer for full configuration
• Take a disk image snapshot to analyze disk contents

The investigator must not taint the evidence. E.g., a cell phone left on to retain evidence must be kept in a Faraday bag to shield the phone from connecting to networks

Page 42

Computer Forensics

Did a crime occur? If so, what occurred?

Evidence must pass tests for:
• Authenticity: evidence is a true, unmodified original from the crime scene; computer forensics does not destroy or alter the evidence
• Continuity: “chain of custody” assures that the evidence is intact and its history is known

Page 43

Chain of Custody

Timeline: who did what to evidence when? (A witness is required)
• 10:53 AM: attack observed (Jan K)
• 11:04: incident response team arrives
• 11:05-11:44: system copied (PKB & RFT)
• 11:15: system brought offline (RFT)
• 11:45: system powered down (PKB & RFT)
• 11:47-1:05: disk copied (RFT & PKB)
• 1:15: system locked in static-free bag in storage room (RFT & PKB)

Page 44

Chain of Custody

A chain of custody document tracks:
• Case number
• Device’s model and serial number (if available)
• When and where the evidence was held/stored
• For each person who held or had access to the evidence (at every time): name, title, contact information and signature; why they had access

It is useful to have a witness at each point. Evidence is stored in evidence bags, sealed with evidence tape.
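Added example, not from the slides: a chain-of-custody record in Python that carries the fields listed above (case number, device, when/where, who, why, witness, signature) and hashes each entry over the previous one, so that a later edit or a missing entry is detectable when the form is checked. The case number, device, people and times are made up for the example (the initials follow the timeline on the previous slide); the signature field holds initials where a real form would carry a wet or digital signature.

```python
import hashlib
import json
from dataclasses import dataclass, asdict


def _digest(payload):
    """Canonical JSON then SHA-256, so the same facts always produce the same hash."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


@dataclass
class CustodyEntry:
    when: str          # timestamp of the handling step
    action: str        # what was done to the evidence
    handler: str       # name and title of the person who had it
    contact: str
    witness: str       # second person present, as the slide recommends
    reason: str        # why this person had access
    location: str      # where the evidence was held/stored
    signature: str     # initials here; a wet or digital signature in practice
    prev_hash: str     # digest of the previous entry (of the header for the first one)
    entry_hash: str = ""


class CustodyLog:
    """Chain-of-custody form for one exhibit; each entry is chained to the one before it."""

    def __init__(self, case_number, model, serial, evidence_sha256):
        self.header = {"case_number": case_number, "model": model,
                       "serial": serial, "evidence_sha256": evidence_sha256}
        self.entries = []

    def add(self, **fields):
        prev = self.entries[-1].entry_hash if self.entries else _digest(self.header)
        entry = CustodyEntry(prev_hash=prev, **fields)
        entry.entry_hash = _digest({k: v for k, v in asdict(entry).items() if k != "entry_hash"})
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the whole chain. Returns (True, None) or (False, index of first bad entry)."""
        prev = _digest(self.header)
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
            if e.prev_hash != prev or _digest(body) != e.entry_hash:
                return False, i
            prev = e.entry_hash
        return True, None


def example_log():
    """Hypothetical case that follows the slide's timeline; every value is constructed."""
    log = CustodyLog("IR-2024-0042", "rack server", "SN-EXAMPLE-001",
                     evidence_sha256="0" * 64)   # placeholder for the disk image's digest
    common = dict(contact="irt@example.org", location="server room B")
    log.add(when="2024-03-01T11:04", action="IR team arrives; scene photographed",
            handler="P.K.B., incident handler", witness="R.F.T.", reason="initial response",
            signature="PKB", **common)
    log.add(when="2024-03-01T11:44", action="memory and live state copied; system taken offline",
            handler="R.F.T., investigator", witness="P.K.B.", reason="volatile evidence capture",
            signature="RFT", **common)
    log.add(when="2024-03-01T13:05", action="disk imaged, powered down",
            handler="R.F.T., investigator", witness="P.K.B.", reason="disk evidence capture",
            signature="RFT", **common)
    log.add(when="2024-03-01T13:15", action="sealed in evidence bag, placed in storage",
            handler="P.K.B., incident handler", witness="R.F.T.", reason="secure storage",
            signature="PKB", location="evidence storage room", contact="irt@example.org")
    return log


if __name__ == "__main__":
    log = example_log()
    print("chain intact:", log.verify())
    log.entries[1].location = "unknown"     # simulate a later, unrecorded edit
    print("after tampering:", log.verify())
```

The hash chain does not replace signatures and witnesses (anyone with the file could rebuild the whole chain), but it does make an honest mistake or a partial edit show up as a specific broken entry, which is what an examiner wants to find before the form is produced in discovery.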

Page 45

Creating a Forensic Copy

Original -> Mirror Image
1) Calculate message digest of the original before the copy
2) Accuracy feature: the tool is accepted as accurate by the scientific community
3) Forensically sterile destination: wipes existing data; records sterility
4) One-way copy: cannot modify original (write blocker)
5) Bit-by-bit copy: mirror image
6) Calculate message digest of the original after the copy
7) Calculate message digest of the copy: validate correctness of copy

Page 46

Forensic Tools

Normalizing data = converting disk data to easily readable form
Forensic tools analyze the disk or media copy for:
• logs
• file timestamps
• file contents
• recycle bin contents
• unallocated space and file slack contents
• specific keywords anywhere on disk
• application behavior: the investigator launches the application on a virtual machine that runs identical versions of the OS and software packages
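Added example, not from the slides, serving both the forensic-copy procedure on the previous slide and the keyword search over unallocated space on this one: a Python script that performs the seven steps (digest before, sterile and recorded destination, source opened read-only, bit-for-bit copy, digest after, digest of the copy compared) and then sweeps the copy, not the original, for keywords. It runs on small file-backed "disks" created in a temporary directory; the "deleted" file remnant is constructed, and a read-only file handle stands in for the hardware write blocker that step 4 requires in practice. Step 2 (an accepted tool) is a choice of tool, not code, so it appears only as a comment.

```python
import hashlib
import os
import tempfile

BLOCK = 4096


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def sterilize(path, size):
    """Step 3: overwrite the destination with zeros and return its digest as the sterility record."""
    with open(path, "wb") as f:
        remaining = size
        while remaining:
            n = min(BLOCK, remaining)
            f.write(b"\0" * n)
            remaining -= n
    return sha256_file(path)


def is_sterile(path):
    with open(path, "rb") as f:
        return all(chunk == b"\0" * len(chunk) for chunk in iter(lambda: f.read(BLOCK), b""))


def forensic_copy(original, image):
    """Steps 1 and 3-7; returns the record an examiner would attach to the chain-of-custody form.
    Step 2 (use a tool accepted as accurate) is satisfied by tool choice, not by this code."""
    record = {"hash_before": sha256_file(original)}          # 1) digest of original before copy
    record["sterile_digest"] = sterilize(image, os.path.getsize(original))   # 3) sterile target
    assert is_sterile(image)
    with open(original, "rb") as src, open(image, "r+b") as dst:   # 4) source is read-only
        for chunk in iter(lambda: src.read(BLOCK), b""):           # 5) bit-for-bit, block by block
            dst.write(chunk)
    record["hash_after"] = sha256_file(original)             # 6) original unchanged by the copy?
    record["hash_copy"] = sha256_file(image)                 # 7) does the copy match?
    record["valid"] = record["hash_before"] == record["hash_after"] == record["hash_copy"]
    return record


def keyword_hits(image, keywords):
    """Sweep the whole image, allocated or not, for each keyword; returns {keyword: [offsets]}.
    Reads the file in one go; a real disk would be streamed with an overlap between blocks."""
    with open(image, "rb") as f:
        data = f.read()
    hits = {}
    for kw in keywords:
        needle, offsets, start = kw.encode(), [], 0
        while (i := data.find(needle, start)) != -1:
            offsets.append(i)
            start = i + 1
        hits[kw] = offsets
    return hits


def make_sample_disk(path):
    """Constructed 'disk': a live file at the start and the remnant of a deleted file further on.
    Nothing points at the remnant, so only a raw sweep of the image finds it."""
    img = bytearray(8 * BLOCK)
    img[0:16] = b"quarterly report"
    img[5 * BLOCK:5 * BLOCK + 16] = b"password=hunter2"
    with open(path, "wb") as f:
        f.write(img)


def demo():
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "suspect.dd")
        image = os.path.join(d, "suspect-copy.dd")
        make_sample_disk(original)
        record = forensic_copy(original, image)
        hits = keyword_hits(image, ["password", "report"])   # analysis happens on the copy
        return record, hits


if __name__ == "__main__":
    record, hits = demo()
    print("copy valid:", record["valid"])
    print("hits:", hits)
```

The `hash_after` check is what answers the authenticity test later in the deck: if the original's digest differs from `hash_before`, the examination itself altered the evidence and the image cannot be presented as a faithful copy. The keyword sweep finds `password` at byte offset 20480, inside space no file system entry points to, which is why examiners search the image rather than the file listing.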

Page 47

Forensic Software Tools

EnCase: Interprets hard drives of various OS, tablets, smartphones and removable media for use in court. (www.guidancesoftware.com)

Forensic Tool Kit (FTK): Supports Windows, Apple, UNIX/Linux OS including analysis of volatile (RAM and O.S. structures) and nonvolatile data for use in a court. (www.accessdata.com)

Cellebrite: Handles commercial mobile devices for use in a court. Mobile devices are connected via appropriate cables to a workstation with the forensic tool installed, or via a travel kit. (www.cellebrite.com)

ProDiscover: Analyzes hard disks for Windows, Linux and Solaris OS. An Incident Response tool can remotely evaluate a live system. (www.techpathways.com)

X-Ways: Specializes in Windows OS. X-Ways can evaluate a system via a USB stick without installation, and requires less memory. (www.x-ways.net)

Sleuthkit: An open-source tool that evaluates Windows, Unix, Linux and OS X. It is programmer-extendable. The Sleuth Kit (TSK) = command-line tool; Autopsy = graphical interface. (www.sleuthkit.org)

Page 48

Preparing for Court

When the case is brought to court, the tools & techniques used will be qualified for court:

• Disk copy tool and forensic analysis tools must be standard
• Investigator’s qualifications include education level, forensic training & certification: from forensic software vendors (e.g., EnCase, FTK) OR independent organizations (e.g., Certified Computer Forensics Examiner or Certified Forensic Computer Examiner)
• Some states require a private detective license

Page 49

The Investigation Report

The Investigation Report describes the incident accurately. It:
• Provides full details of all evidence, easily referenced
• Describes forensic tools used in the investigation
• Includes interview and communication info
• Provides actual results data of forensic analysis
• Describes how all conclusions are reached in an unambiguous and understandable way
• Includes the investigator’s contact information and dates of the investigation
• Is signed by the investigator

Page 50

A Judicial Procedure

Civil Case:
• Plaintiff files Complaint (or lawsuit)
• Defendant sends Answer within 20 days

Criminal Case:
• Law enforcement arrests defendant, reads Miranda rights
• Prosecutor files an Information with charges, or Grand Jury issues an indictment

Discovery Phase (both):
• Plaintiff & Defendant provide list of evidence and witnesses to the other side
• Plaintiff & Defendant request testimony, files, documents (responsive documents)

The Trial

Page 51

E-Discovery

Electronic Responsive Documents = Electronically Stored Information (ESI) or E-Discovery

The U.S. Federal Rules of Civil Procedure define how ESI should be requested and formatted

E-requests can be general or specific:
• a specific document
• a set of emails referencing a particular topic

Discovery usually ends 1-2 months before trial, or when both sides agree

All court reports become public documents unless specifically sealed.

Page 52

Discovery Stage

Depositions: interviews of the key parties, e.g., witnesses or consultants
• question-and-answer session
• all statements recorded by a court reporter; possibly video
• the deponent (person being questioned) may correct the transcript before it is entered into the court record

Declarations: written documents
• the declarer states publicly their findings and conclusions
• full references to public documents help believability
• includes name, title, employer, qualifications, often billing rate, role, signature

Affidavit: a declaration sworn and signed before a notary
• both declarations and affidavits are limited to supporting motions

Page 53

Witnesses

Witnesses must present their qualifications

Are notes accessible during discovery?
• NO: email correspondence with lawyers is given attorney-client privilege
• YES: notes, reports, and chain of custody documents are discoverable

Witnesses may include (least to most qualified):
• Fact witnesses report on their participation in the case, generally in obtaining and analyzing evidence
• Expert consultants help lawyers understand technical details, but do not testify or give depositions
• Expert witnesses provide expert opinions within reports and/or testimony. E.g., computer forensic examiners. They do not need first-hand knowledge of the case and can interpret evidence. Expert witness mistakes can ruin a reputation

Page 54

The Trial

Stages of the trial in the U.S. and U.K.:
• Opening arguments
• Plaintiff’s case
• Defendant’s case
• Closing arguments

Case law is determined by:
• regulation AND/OR
• precedent: previous decisions hold weight when regulation is not explicit and must be interpreted

Burden of proof:
• In a U.S. & U.K. criminal case: “beyond a reasonable doubt” that the defendant committed the crime
• In a U.K. civil case: “the balance of probabilities” or “more sure than not” (the U.S. civil equivalent is “preponderance of the evidence”)

Page 55

Question

Authenticity requires:

1. Chain of custody forms are completed

2. The original equipment is not touched during the investigation

3. Law enforcement assists in investigating evidence

4. The data is a true and faithful copy of the crime scene

Page 56

Question

You are developing an Incident Response Plan. An executive order is that the network shall remain up, and intruders are to be pursued. Your first step is to…

1. Use commands off the local disk to record what is in memory

2. Use commands off of a memory stick to record what is in memory

3. Find a witness and log times of events

4. Call your manager and a lawyer in that order

Page 57

Question

What is NOT TRUE about forensic disk copies?

1. The first step in a copy is to calculate the message digest

2. Forensic analysis for presentation in court should always occur on the original disk

3. Normalization is a forensics stage which converts raw data to an understood format (e.g., ASCII, graphs, …)

4. Forensic copies require a bit-by-bit copy

Page 58

Summary

Planning is necessary:
• Without preparation, no incident will be detected
• Incident handlers should not have to decide on the spot what needs to be done; the plan decides

Stages:
• Identification: determine what has happened
• Containment & Escalation: limit incident
• Analysis & Eradication: analyze root cause, repair
• Restore: test and return to normal
• Process Improvement
• (Possibly) Breach Notification

If the case is to be prosecuted:
• Evidence must be carefully handled: authenticity & continuity
• Expert testimony must be qualified, accurate, bullet-proof