Incident handling.final


Page 1: Incident handling.final

Incident Handling

Eng./ Ahmed Samy Kamel
Eng./ Robber Edward Attalla
Eng./ Mohammed Safwat Mohammed

Supervised by Dr./ Ashraf Tamam

Page 2: Incident handling.final

Agenda

• Introduction.
• What is an incident?
• Incident types and categories.
• What is incident handling?
• Incident handling life-cycle.
• Conclusion.

Page 3: Incident handling.final

Introduction

In today's world, it is imperative for an organization to have a strong incident handling plan in place.

One devastating incident could cost a company millions of dollars, not only in hardware and software but also in the loss of proprietary information, company time, and productivity.

Many corporate executives overlook the need for a strong incident handling procedure because of a lack of knowledge about computer security.

To prevent a system from being completely compromised, a company is advised to follow the phases of incident handling: preparation, identification, detection, analysis, containment, eradication, recovery, and follow-up.

Page 4: Incident handling.final

What is an incident?

According to NIST (the National Institute of Standards and Technology), a computer security incident is "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices."

Essentially, an incident is anything outside of common-practice or policy-compliant use.

Page 5: Incident handling.final

Incident Types

• Hardware/software failures.
• Cyber-theft, intellectual property theft.
• Viruses, worms or other malicious software.
• Unauthorized use.
• Intrusions, internal or external attack.
• Denial of service.
• Strikes, employees unavailable.
• Power outages, storms.
• Hazardous material spills.
• Bombings, explosions.
• Earthquakes, fires, floods.

Page 6: Incident handling.final

Incident Categories

• Denial of Service: prevents or impairs authorized use by exhausting resources.
• Malicious Code: virus, worm, Trojan horse, etc.
• Unauthorized Access: logical or physical access without permission.
• Inappropriate Usage: violates acceptable use policies.
• Multiple Component: one incident encompassing one or more incidents.

Multiple-category incidents should be categorized by transmission mechanism.

Example: a virus creates a backdoor. Handle it as malicious code, since the virus was the transmission mechanism.

Page 7: Incident handling.final

What is Incident Handling?

Incident handling is an action plan for dealing with intrusions, cyber-theft, denial of service (DoS), malicious code, fire, floods, and other security-related events.

It means having procedures and policies in place so you know what to do when an incident occurs.

Page 8: Incident handling.final

Incident handlers are responsible for analysing ambiguous, contradictory, and incomplete symptoms...

• ...over many different systems,
• ...in many different locations,
• ...to determine if anything has happened,
• ...how it happened,
• ...how to fix it,
• ...and how to ensure it doesn't happen again.

Page 9: Incident handling.final

Incident Handling (IH) Life-Cycle

1. Preparation
2. Identification
3. Detection
4. Analysis
5. Containment
6. Eradication
7. Recovery
8. Follow-up

Page 10: Incident handling.final

(1) Preparation

Preparation is one of the most important steps in the Incident Handling (IH) life-cycle: if a system is not initially prepared for an attack, it is extremely vulnerable, and if attacked, the potential destruction will be greater.

In order to help prevent an intrusion, a company must plan and prepare for any possible intrusion. This includes:

• creating a security plan and policy;
• developing an emergency communication plan;
• selecting and training incident handling team members;
• providing easy reporting facilities;
• routinely practicing and improving upon the incident response plan.

Security controls should only be used for what the business requires. In other words, build a system that allows the company to meet its business needs and then eliminate anything else.

Page 11: Incident handling.final

The goal of preparation is to get your team ready to handle incidents:

• Policy.
• People.
• Data.
• Software/hardware.
• Communication.
• Supplies.
• Transportation.
• Space.
• Power and environment control.
• Documentation.

Page 12: Incident handling.final

Preparation Key Points

Take notes, logs, etc.
• Hand-written notes are a great help.
• Use time stamps in the notes.

Management support
• Regular reports (preferably monthly).
• Graphically illustrated reports.

Build an incident handling team
• Identify qualified people.
• A multi-disciplinary team is best: Network, Security, Operations, Systems, HR.

Page 13: Incident handling.final

Prepare a system build checklist
• Procedures for backing up and rebuilding systems.

Getting access to systems and data
• The incident handling team needs to have access to the system (even without notifying system admins).
• Strike a bargain with the operations team.

Establish a war room.

Train the team
• Conduct training scenarios.
• Deploy an internal honeypot.

Page 14: Incident handling.final

Conduct war games
• Pen tests.
• Do this with more experienced teams.

Cultivate good relationships
• Helpdesk.
• Sys admins, network admins.

Jump bag

Software:
• Binary image creation software.
• Forensics tools: Sleuth Kit, Autopsy (free), EnCase, X-Ways.
• Diagnostic software.

Hardware:
• USB drives.
• External hard disks.
• Hub or TAP (no switch).
• Patch cables.
• Laptop with multiple OSs.
• A lot of RAM.
• Jumpers, flashlight, tweezers, dental mirror, business cards.

Page 15: Incident handling.final

(2) Identification

Usually the first step in identification is noticing something unusual on a system.

Identification involves perpetual monitoring, which helps determine whether an event has really occurred and the nature of this event.

Examining the system logs regularly will help a system administrator be more aware of an intrusion or unusual activity. The system logs can show denied-access messages, messages referring to old vulnerabilities, and blocked accesses to specific services.

A "need to know" policy should go into effect to ensure that the intruder does not realize he is being monitored because of a significant change in the system's processes.

Page 16: Incident handling.final

An intrusion detection system (IDS) is a tool that can help in the identification and detection of attack activity. The IDS's purpose is to detect an attack by a hacker by monitoring incoming traffic while the attack is actually occurring.

If there is an obvious violation, the IDS will sound an alarm and alert the system administrator.

By using a host-based intrusion detection tool, you can prevent a worm from infecting your system by blocking it from entering the system.

Finally, keep in mind that only secure communication channels should be used, to prevent the intruder from overhearing the communication.

Page 17: Incident handling.final

(3) Detection

The goal is to gather events, analyze them, and determine if it is an incident.

Signs of an incident:
• IDS tool has an alert.
• Unexplained entries in a log file.
• Failed events, such as logon.
• Unexplained events (new accounts).
• System reboots.
• Poor performance.

Page 18: Incident handling.final

Sources of signs:
• Publicly available information.
• Software alerts.
• Logs.
• People.
• Network- and host-based IDS.
• Antivirus software.
• File integrity checking software.
• Third-party monitoring service.
• Operating system.
• Network devices.
• Information on new vulnerabilities/exploits.

Page 19: Incident handling.final

Detect Signs

• The most difficult part of the process.
• This is due to 3 factors:
  • Detection through different means, levels of detail, and fidelity.
  • High volume of potential signs.
  • Deep, specialized technical knowledge and extensive experience are necessary.

• Signs fall into 2 categories:
  • Indications.
  • Precursors.

Page 20: Incident handling.final

Indication

• A sign that an incident may have occurred or may be occurring.
• Too many types to list extensively.

Examples:
• IDS alerts about a buffer overflow.
• Web server crashes.
• Filenames with suspicious characters.
• Anti-virus software alerts on an infected host.
• Unusual deviation from typical network traffic flows.

Page 21: Incident handling.final

Precursors

• A sign that an incident may occur in the future.
• The IH version of "early warning signs".

Examples:
• Log entries showing signs of vulnerability scanners.
• A new applicable exploit.
• A hacktivist threat.
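As an added illustration (not part of the original slides) of how the indications on page 20 and the precursors on page 21 can be picked out of log data, the following Python runs a few detection rules over constructed sample log lines and labels each finding with its sign category. The failed-logon threshold and the "VulnScan" user-agent string are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample lines (not from the slides): syslog-style logon events,
# an account creation, a reboot marker, and one web-server access line.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 5001",
    "2024-03-01T09:00:02 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 5002",
    "2024-03-01T09:00:03 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 5003",
    "2024-03-01T09:00:04 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 5004",
    "2024-03-01T09:00:05 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 5005",
    "2024-03-01T09:00:06 host1 sshd[2001]: Accepted password for root from 203.0.113.7 port 5006",
    "2024-03-01T09:01:10 host1 useradd[2100]: new user: name=svc_tmp, UID=1007",
    "2024-03-01T09:02:00 host1 systemd[1]: Startup finished in 4.2s (kernel) + 9.8s (userspace)",
    '2024-03-01T09:05:00 host1 httpd: 198.51.100.9 "GET /cgi-bin/test.cgi HTTP/1.1" 404 "VulnScan/3.1"',
]

FAILED_LOGON = re.compile(r"Failed password for \S+ from (\S+)")
ACCEPTED_LOGON = re.compile(r"Accepted \w+ for \S+ from (\S+)")
NEW_ACCOUNT = re.compile(r"new user: name=(\w+)")
REBOOT = re.compile(r"systemd\[1\]: Startup finished")
SCANNER_UA = re.compile(r'"[^"]*vulnscan[^"]*"$', re.IGNORECASE)  # assumed scanner UA

FAIL_THRESHOLD = 5  # assumed policy value; tune per environment


def detect_signs(lines, fail_threshold=FAIL_THRESHOLD):
    """Return (category, detail) tuples; category is 'indication' (an incident
    may be occurring) or 'precursor' (one may occur later)."""
    findings = []
    failures = Counter()  # failed logons per source address
    for line in lines:
        if m := FAILED_LOGON.search(line):
            src = m.group(1)
            failures[src] += 1
            if failures[src] == fail_threshold:  # report the burst once
                findings.append(("indication", f"{fail_threshold} failed logons from {src}"))
        elif m := ACCEPTED_LOGON.search(line):
            # A success right after a failure burst is a stronger indication
            if failures[m.group(1)] >= fail_threshold:
                findings.append(("indication", f"logon from {m.group(1)} after failure burst"))
        elif m := NEW_ACCOUNT.search(line):
            findings.append(("indication", f"unexplained new account {m.group(1)}"))
        elif REBOOT.search(line):
            findings.append(("indication", "system reboot"))
        elif SCANNER_UA.search(line):
            findings.append(("precursor", "request with vulnerability-scanner user-agent"))
    return findings
```

Calling `detect_signs(SAMPLE_LOGS)` yields four indications (the failed-logon burst, the success that follows it, the new account, the reboot) and one precursor (the scanner request); the first three failed logons alone produce nothing, which is the "high volume of potential signs" problem the slides describe.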

Page 22: Incident handling.final

Detection: points to keep in mind

• Be willing to alert early.
• Maintain situational awareness.
• Provide current intelligence.
• Correlate information.
• Assign a primary handler.
• Control the flow of information (need to know).
• Communication channels.

Page 23: Incident handling.final

(4) Analysis

• Analysis would be easy if all precursors were indications, but they are not. User-provided indications are often incorrect, and even if an indication is accurate, it doesn't necessarily mean anything is going on.
• An indicator may be an issue, just not a security issue.
• Example: a web server that is down due to a non-malicious cause.
• Remember, skilled attackers cover their tracks. It is likely that there may be no precursors or indications until after the incident has occurred. With the tools being released, unskilled attackers are now able to be as quiet as skilled attackers.

Page 24: Incident handling.final

Containment, Eradication, and Recovery encompass the third phase of the Incident Response Life Cycle.

• Containment: what to do when discovering an incident?
• Eradication: how do we stop the incident?
• Recovery: how do we recover from the incident?

Page 25: Incident handling.final

(5) Containment

The goal is to stop the bleeding and stop the attacker from getting any deeper. In order to contain the incident, there are a few steps that should be followed to make sure the problem does not expand:

• First, an on-site team should survey the incident and secure the area, if possible, while making sure to keep the system in the exact state in which it was found.
• Second, securing the area includes isolating the compromised system and keeping all non-essential persons away from the system.
• Another important step is to back up the system using new media and store the backup in a safe place to prevent tampering.
• It is also important to keep all the log files containing information regarding the intrusion, to use as a reference in an investigation.
• The final step in containment is determining whether the organization should continue operating in the compromised situation.

We will cover the following:
• Methods of short-term containment.
• Methods of long-term containment.
• The sub-phases of containment.
• Backup.

Page 26: Incident handling.final

Short-term Containment
• Disconnect the network cable.
• Pull the power cable.
• Isolate the attacked server on a separate switch.
• Apply filters (FW).
• Change the DNS names to point to a different IP address.

Long-term Containment

As long as you have your evidence and image backup, you can make changes to the system.
• Ideal: keep the system offline.
• Less than ideal: if the system must be kept in production, perform long-term containment.

Numerous potential actions:
• Patching the system and neighboring systems.
• Changing passwords.
• Null routing.
• FW rules.
• Removing accounts used by attackers.

The ideal long-term containment is to apply a temporary solution until you build a clean system.

Page 27: Incident handling.final

(6) Eradication

Eradication is the removal of any changes or unwanted data put on the system, such as deleting malicious code or disabling breached user accounts.

Once an incident has occurred, it is important to make sure it is not repeated. In order to do this, the problem needs to be eradicated.

To eradicate the problem, the cause needs to be identified in order to improve the system's defenses.

Vulnerability analysis should take place to search for any additional vulnerability on the system and prevent any future incidents of the same nature.

The final step in eradication is to locate the most recent backup from before the intrusion so that the system can be restored to its original state.

Eradication is not performed if it is unnecessary (e.g. an outside DoS attack) or if it is performed as part of recovery (rebuild of the system).

Page 28: Incident handling.final

(7) Recovery

The goal of recovery is to put the impacted system back into production in a safe manner.

The first reaction, once the recovery stage has been reached, will be to restore the system.

The system will require analysis to determine how it can be improved so that the same kind of attack does not recur.

The system may need to have its antivirus software updated, or the IDS updated with new policies.

Documents should be copied before the system is overwritten and reformatted. Once the system is operating, the root password and all other passwords should be changed.

Page 29: Incident handling.final

Other actions that are suggested in recovery:
• Employ higher levels of system logging.
• Employ higher levels of network monitoring.
• Research and employ guidance regarding the specific incident.
  • Such guidance can commonly be found on Internet resources for the software/hardware involved.

Page 30: Incident handling.final

(8) Follow-up

When the incident is under control, it is important to look back and reflect on how the incident occurred and how effective the ensuing handling of the situation was.

During the follow-up stage:
• strategy meetings should be held;
• analytical reports should be written;
• IT security-related policies should be updated.

Important points to consider are:
• whether to change the placement of firewalls;
• whether to move the compromised system to a more secure location;
• whether to change the IP address of the compromised system, or update the routers and firewalls.

Page 31: Incident handling.final

To document the incident, a report should be written in step with the investigation to ensure that all details are recorded.

This document should include what worked well and what did not, which policies need to be updated, and which incident handling processes need to be improved. It should also include any forms that were used during the incident handling process.

After the meeting has occurred and the follow-up report has been prepared, the security policies, plan, and procedures will most likely require updates. These documents should be updated with all the suggestions that were mentioned during the report and meeting.

The management groups should then be brought up to speed on all the changes.

Page 32: Incident handling.final

Conclusion

Incident handling was a security procedure many company executives overlooked, but not anymore. Companies are beginning to realize what is at stake, not just financially but also in proprietary information, if an attack were to occur on their systems.

Security policies are beginning to be kept up-to-date, system inventories are being made, and incident response teams are being formed.

Companies are beginning to protect their systems from the ground up and are keeping their systems up-to-date under the principles of incident handling.

Cyber terrorism is real, and the only way to prevent the attacks from being catastrophic is to have an effective and well-rehearsed incident handling procedure in place.

Previous cyber attacks have provided information on how to protect against future attacks, and in each instance incident handling has proven useful.

Taking what a company learns from handling an incident will continue to make systems stronger and, in turn, help fight cyber terrorism.

Page 33: Incident handling.final

Any Questions??

Thank you