Incident Response
Transcript of Incident Response
![Page 1: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/1.jpg)
Michael McDonnell, GIAC Certified Intrusion Analyst
Creative Commons License: You are free to share and remix, but you must provide attribution and you must share alike.
Incident Response
![Page 2: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/2.jpg)
Incident Response Overview
1. Events and Incidents
2. Response vs Handling
3. Process and Capability
4. Questions
![Page 3: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/3.jpg)
Incidents are Events
Any real or suspected adverse event related to information systems
A violation of existing information security policy
![Page 4: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/4.jpg)
Security Incidents are Common
Any real or suspected adverse event related to information systems
A violation of existing information security policy
![Page 5: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/5.jpg)
Incidents are… Viruses
![Page 6: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/6.jpg)
Incidents are… Hackers
![Page 7: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/7.jpg)
Incidents are… Hackers
![Page 8: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/8.jpg)
Incidents are… Vandalism
![Page 9: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/9.jpg)
Incidents are… Theft
![Page 10: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/10.jpg)
Incidents are… Data Loss
![Page 11: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/11.jpg)
Incidents are… “Outages”
![Page 12: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/12.jpg)
Incidents are… Espionage
![Page 13: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/13.jpg)
Incidents are not… Disasters (maybe)
![Page 14: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/14.jpg)
Incidents are… Continuous
![Page 15: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/15.jpg)
Incident Response is a Capability
1. Events: Monitor and Detect
2. Incidents: Identify and Analyze
3. Actions: Contain and Correct
4. Lessons: Learn and Improve
![Page 16: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/16.jpg)
Incident Response is…
A Process that manages risk associated with information systems
A Capability of an organization to respond to continuous security threats
![Page 17: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/17.jpg)
Incident Response vs Handling
Strategic vs Operational
Continual vs Discrete
Process vs Action
Improvement vs Remediation
![Page 18: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/18.jpg)
Incident Response is…
Systematic
Consistent
Fast & Efficient
Driver for Improvement
Authoritative/Empowered
Sensitive/Confidential
Documented
![Page 19: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/19.jpg)
Incident Response Teams
Supported by Management
Cross-functional
Well Trained
Good Communicators
Technical Experts
Well Equipped
Have Broad Access
![Page 20: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/20.jpg)
Incident Response is a Process
1. Preparation
2. Detection and Analysis
3. Containment/Mitigation
4. Recovery
5. Post-Incident Analysis

In other words:
1. Be Prepared
2. Be Systematic & Organized
3. Act Quickly
4. Fix the Problem
5. Make Improvements
![Page 21: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/21.jpg)
Preparation: Training
![Page 22: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/22.jpg)
Preparation: Communications
![Page 23: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/23.jpg)
Preparation: Hardware & Software
![Page 24: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/24.jpg)
Preparation: Continuous Monitoring
![Page 25: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/25.jpg)
Preparation: Analysis & Mitigation
![Page 26: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/26.jpg)
Detection & Analysis
Different threats require different responses.
Incident Categories:
1. Denial of Service
2. Malicious Software
3. Unauthorized Access
4. Inappropriate Usage
5. Hybrid
Detection:
How was it detected?
Is it really an incident, or an unusual event?
Can it be confirmed?
Analysis:
What is at risk? (“System Profile”)
What is normal for that system?
Correlate events for more information.
Carefully record and document data.
![Page 27: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/27.jpg)
Detection & Analysis
![Page 28: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/28.jpg)
Detection & Analysis
![Page 29: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/29.jpg)
Diagnosis Matrix
Extremely helpful for inexperienced or ad-hoc incident handlers.
Part of diagnosis means seeking help from others:
• Sysadmins for knowledge of normal system operations
• Managers for knowledge of impact
![Page 30: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/30.jpg)
Incident Documentation
Begin as soon as an incident is suspected.
Include:
System events
Telephone conversations
Observed or initiated changes
Note the current status frequently, with timestamps.
At any given moment, the record should show:
Current status and priority
Summary of incident
Actions taken by handlers
Contact information for other parties
List of evidence gathered
Comments for other handlers
Next steps to be taken
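The Detection & Analysis slide asks whether a suspected event is really an incident, what is normal for the affected system, and for events to be correlated; the Incident Documentation slide asks for a timestamped running record from the moment an incident is suspected. The following Python is an added example of both ideas together and is not code from the slides: the events, hosts, addresses and per-host "system profile" are constructed sample values, and the single-host SSH brute-force pattern is an assumed correlation rule chosen to illustrate the confirmed-vs-unusual distinction.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample events, not from the slides: (timestamp, host, source, event)
EVENTS = [
    ("2024-01-05T02:10:01Z", "db01", "10.0.5.20", "ssh-fail"),
    ("2024-01-05T02:10:03Z", "db01", "10.0.5.20", "ssh-fail"),
    ("2024-01-05T02:10:05Z", "db01", "10.0.5.20", "ssh-fail"),
    ("2024-01-05T02:10:09Z", "db01", "10.0.5.20", "ssh-ok"),
    ("2024-01-05T09:00:00Z", "db01", "10.0.1.7", "ssh-ok"),        # known admin source
    ("2024-01-05T11:30:00Z", "web01", "198.51.100.9", "ssh-fail"),  # a single failure
]
# "System profile" (the slide's term): what is normal for each host. Assumed values.
PROFILE = {"db01": {"admin_sources": {"10.0.1.7"}, "fail_threshold": 3},
           "web01": {"admin_sources": set(), "fail_threshold": 3}}

def correlate(events, profile):
    """Group events per (host, source) and judge each group against the host's
    profile: confirmed incident, unusual event to confirm, or normal (no finding)."""
    groups = defaultdict(list)
    for ts, host, src, ev in events:
        groups[(host, src)].append((ts, ev))
    findings = []
    for (host, src), evs in groups.items():
        normal = profile.get(host, {})
        if src in normal.get("admin_sources", set()):
            continue                                   # known source: normal activity
        fails = sum(1 for _, e in evs if e == "ssh-fail")
        success = any(e == "ssh-ok" for _, e in evs)
        confirmed = fails >= normal.get("fail_threshold", 3) and success
        findings.append({"host": host, "source": src, "confirmed": confirmed,
                         "category": "Unauthorized Access" if confirmed else "Unusual event",
                         "first_seen": evs[0][0], "last_seen": evs[-1][0]})
    return findings

@dataclass
class IncidentRecord:
    """Documentation the slides ask for: status, priority, summary, evidence, timestamped log."""
    summary: str
    priority: str
    status: str = "suspected"
    evidence: list = field(default_factory=list)
    log: list = field(default_factory=list)   # (utc timestamp, status, note)

    def note(self, text, status=None):
        # Every note is timestamped; passing status moves the incident to a new state
        self.status = status or self.status
        self.log.append((datetime.now(timezone.utc).isoformat(timespec="seconds"), self.status, text))
        return self.status
```

Run `correlate(EVENTS, PROFILE)` to get one confirmed Unauthorized Access finding for db01 and one unconfirmed unusual event for web01; the admin login from 10.0.1.7 produces no finding because the profile says it is normal.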
![Page 31: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/31.jpg)
Incident Priority: Effect & Criticality
![Page 32: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/32.jpg)
Incident Containment & Mitigation
Identify and block the attacker
Patch the system
Take the system offline
Upgrade software
Restore from backup
Reboot
It is key to consult external databases for advice and data about the type of attack, the attacker, the problem, and its solution.
![Page 33: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/33.jpg)
Incident Containment & Mitigation
![Page 34: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/34.jpg)
Incident Post-Mortem
Incident Response is a driver for improvements in information security, so it is critical to conduct a post-incident analysis and report.
Exactly what happened, and at what times?
How well did staff and management perform in dealing with the incident?
Were the documented procedures followed? Were they adequate?
What information was needed sooner?
Were any steps or actions taken that might have inhibited the recovery?
What would the staff and management do differently the next time a similar incident occurs?
What corrective actions can prevent similar incidents in the future?
What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
What Personally Identifiable Information was involved? Is disclosure advised?
![Page 35: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/35.jpg)
Incident Post-Mortem
![Page 36: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/36.jpg)
Incident Checklist
![Page 37: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/37.jpg)
Incident Reporting
What should you report?
What happened?
Why did it happen?
What was done to correct it?
What impact did it have?
What did it cost?
What could have been done differently?
How could it have been avoided?
Is it resolved? What else is needed?
How likely is it to happen again? How often?
What is the long term impact?
![Page 38: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/38.jpg)
Information Security is an Outcome
“Our systems are secure from hackers”
“We have blocked 17,342 viruses to date”
“Our systems are all online”
“Insiders cannot steal our information”
“We have backups”
“We are Secure”
![Page 39: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/39.jpg)
Information Security is a Process
“We want to improve security”
“We need to protect against more threats”
“We want to reduce risk”
“We want to increase customer confidence”
“We want to decrease the number of compromises”
“We want to be more Secure”
![Page 40: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/40.jpg)
Defence in Depth lowers Risk
![Page 41: Incident Response](https://reader036.fdocuments.in/reader036/viewer/2022081519/557464bed8b42a146f8b4cb3/html5/thumbnails/41.jpg)
Process leads to Outcome
Firewalls do not make you secure
Anti-virus does not make you secure
Policies do not make you secure
VPNs do not make you secure
Guards do not make you secure
Passwords do not make you secure
Incident Response is a Capability that enables them to make you MORE secure