Incident Response - Campus Party 2010


  • 8/8/2019 Incident Response - Campus Party 2010

    1/25

Agenda

Security Incidents
Cyber Threats
Incident Response
Digital Evidence
How to Prevent an Incident

Incident

A computer security incident is defined as any real or suspected adverse event in relation to the security of computer systems or computer networks.

Incidents include:

Violation of an explicit or implied security policy
Attempts to gain unauthorized access
Unwanted denial of resources
Unauthorized use of electronic resources

Incident Categories

High Impact Incidents

Cyber Threats in 2010

Cybercrime-as-a-Service (CaaS) market model.

The September 2009 report "Measuring the in-the-wild effectiveness of Antivirus against Zeus" by Trusteer indicated that the effectiveness of an up-to-date antivirus against Zeus is thus not 100%, not 90%, not even 50% - it's just 23%, meaning that cybercriminals have clearly started excelling in the practice of bypassing signature-based malware scanners.

Incident Response

A well-defined set of procedures that address the post-incident scenario.

An Incident Response Plan includes:

Immediate action
Investigation
Restoration of resources
Reporting the incident to the proper channels

Incident Handling

Incident handling helps to find trends and patterns in intruder activity by analyzing it.

It involves three basic functions:

Incident reporting
Incident analysis
Incident response

Security Incident Response Form

Digital Evidence

Digital evidence is defined as any information of probative value that is either stored or transmitted in a digital form.

Digital evidence is found in files such as:

Graphic files
Audio and video recordings and files
Web browser history
Server logs
Word processing and spreadsheet files
E-mails
Log files

Challenging Aspects of Digital Evidence

Digital evidence is fragile in nature.

During the investigation of the crime scene, if the computer is turned off, data which has not been saved can be lost permanently.

During the investigation, digital evidence can be altered maliciously or unintentionally without leaving any clear signs of alteration.

Digital evidence is circumstantial, which makes it difficult for the forensic investigator to differentiate the system's activity.

After the incident, if a user writes some data to the

Forensic Policy

A forensic policy is a set of procedures describing the actions to be taken when an incident is observed.

It defines the roles and responsibilities of all people performing or assisting the forensic activities.

It should include all internal and external parties that may be involved.

It explains what actions should and should not be performed under normal and special conditions.

Forensic Analysis Guidelines

Organizations should:

Have a capability to perform computer and network forensics
Determine which parties should handle each aspect of forensics
Create and maintain guidelines and procedures for performing forensic tasks
Perform forensics using a consistent process
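The fragility point from the Digital Evidence slides (evidence can be altered without leaving clear signs) and the "consistent process" guideline above both come down to one habit: hash everything at acquisition and re-verify before analysis. The script below is an added example, not code from the talk or from any of the tools it lists. It assumes a simple tab-separated manifest format (path, SHA-256) and works on constructed sample files in a temporary directory.

```python
"""Evidence integrity manifest: hash at acquisition, verify before analysis.

Added example, not from the original slides. The manifest layout
(relative path <TAB> sha256 per line) is an assumption of this example.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large disk images are not loaded into memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(evidence_dir, manifest_path):
    """Acquisition step: record a digest for every file under evidence_dir."""
    entries = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            path = os.path.join(root, name)
            entries[os.path.relpath(path, evidence_dir)] = sha256_file(path)
    with open(manifest_path, "w", encoding="utf-8") as m:
        for rel, digest in sorted(entries.items()):
            m.write(f"{rel}\t{digest}\n")
    return entries


def verify_manifest(evidence_dir, manifest_path):
    """Re-hash and compare. Returns {relpath: 'ok' | 'modified' | 'missing' | 'unlisted'}."""
    results = {}
    listed = set()
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            rel, expected = line.rstrip("\n").split("\t")
            listed.add(rel)
            path = os.path.join(evidence_dir, rel)
            if not os.path.exists(path):
                results[rel] = "missing"
            elif sha256_file(path) != expected:
                results[rel] = "modified"
            else:
                results[rel] = "ok"
    # Files that appeared after acquisition are a sign the set was touched too.
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel not in listed:
                results[rel] = "unlisted"
    return results


def demo():
    """Constructed scenario: acquire two files, then alter one and drop in another."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = os.path.join(tmp, "evidence")
        os.makedirs(ev)
        with open(os.path.join(ev, "auth.log"), "wb") as f:   # constructed log line
            f.write(b"Jan 10 10:00:01 host sshd[1]: Failed password for root from 203.0.113.5\n")
        with open(os.path.join(ev, "notes.txt"), "wb") as f:
            f.write(b"case 2010-001\n")
        manifest = os.path.join(tmp, "manifest.sha256")
        write_manifest(ev, manifest)
        # Simulate an unintentional alteration and an unexpected new file after acquisition.
        with open(os.path.join(ev, "auth.log"), "ab") as f:
            f.write(b"extra line\n")
        with open(os.path.join(ev, "extra.bin"), "wb") as f:
            f.write(b"\x00")
        return verify_manifest(ev, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself is signed or stored on separate write-once media, otherwise whoever can alter the evidence can also rewrite the digests; the example stops at the hashing step.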

How to prevent an incident

A key to preventing security incidents is to eliminate as many vulnerabilities as possible:

Scanning the network
Auditing the network
Deploying Intrusion Detection / Prevention systems
Establishing Defense in Depth

Normalization

The security monitoring environment is multi-vendor: events from different devices and vendors have different formats.

We need to compare similar, normalized events from multiple vendors - apples to apples.

Event Correlation

(Diagram: Firewall Logs and IDS Logs feeding a correlated Log / Alert)

Log Consolidation

A defense in depth strategy utilizes multiple devices: Firewalls, NIPS, HIPS, AV, AAA, VPN, Application Events, OS Logs.

We need to consolidate and normalize similar events from multiple vendors.

Universal SYSLOG support.

Post Incident Analysis (IV)

Post-incident analysis adjusts incident severity based on context:

Did the attack reach its destination?
Is the victim vulnerable?
How important is the victim system?
Did further events indicate a possible compromise?

Analysis can be static or dynamic.
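The Normalization, Event Correlation, Log Consolidation and Post Incident Analysis slides describe one pipeline: parse each vendor's format into a common schema, join the sources on the flow they describe, then re-score the alert with context. The script below is an added example that walks through all four steps; it is not code from the talk or from OSSIM. The firewall lines are constructed in an iptables-like key=value style and the IDS lines in a Snort-like one-line style, the rule ids, asset inventory, vulnerability table, five-second window and scoring weights are all assumptions of the example.

```python
"""Normalize, correlate and re-score events from two sensors (added example)."""
import re
from datetime import datetime, timedelta

YEAR = 2010  # the constructed log lines carry no year; pin one so timestamps compare

# Constructed firewall lines, loosely in iptables key=value style (not real captures).
FW_LOG = """\
Mar 12 10:01:04 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.9 PROTO=TCP DPT=445
Mar 12 10:01:05 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445
Mar 12 10:02:30 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP DPT=80
"""
# Constructed IDS alerts, loosely in Snort one-line style; the rule ids are made up.
IDS_LOG = """\
03/12-10:01:06.250 [**] [1:1000001:1] SMB exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:51515 -> 10.0.0.5:445
03/12-10:01:06.900 [**] [1:1000001:1] SMB exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:51516 -> 10.0.0.9:445
03/12-10:02:31.100 [**] [1:1000002:1] Web scanner user-agent [**] [Priority: 3] {TCP} 198.51.100.4:40000 -> 10.0.0.5:80
"""
# Constructed context for the slide's questions: how important is the victim, is it vulnerable?
ASSETS = {"10.0.0.5": {"name": "file-srv", "importance": 3},   # 1 = low .. 3 = high
          "10.0.0.9": {"name": "test-box", "importance": 1}}
VULNERABLE = {("10.0.0.5", 445)}  # (host, port) pairs with an open, unpatched finding

FW_RE = re.compile(r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<time>[\d:]+) \S+ kernel: "
                   r"(?P<action>ACCEPT|DROP) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                   r"PROTO=\w+ DPT=(?P<dport>\d+)")
IDS_RE = re.compile(r"^(?P<mm>\d\d)/(?P<dd>\d\d)-(?P<time>[\d:.]+) \[\*\*\] \[[\d:]+\] "
                    r"(?P<msg>.*?) \[\*\*\] \[Priority: (?P<prio>\d)\] \{\w+\} "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def normalize_firewall(line):
    """Map one firewall line onto the common event schema; None if it does not parse."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "sensor": "firewall", "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"].lower(), "msg": "", "priority": None}


def normalize_ids(line):
    """Map one IDS alert onto the same schema so both sensors compare apples to apples."""
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['mm']}/{m['dd']} {m['time']}", "%Y/%m/%d %H:%M:%S.%f")
    return {"ts": ts, "sensor": "ids", "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": "alert", "msg": m["msg"], "priority": int(m["prio"])}


def normalize_all(fw_text, ids_text):
    """Consolidate both sources into one time-ordered list, dropping unparseable lines."""
    events = [normalize_firewall(l) for l in fw_text.splitlines()]
    events += [normalize_ids(l) for l in ids_text.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate(events, window=timedelta(seconds=5)):
    """Pair each IDS alert with firewall decisions on the same src/dst/port inside the window."""
    fw = [e for e in events if e["sensor"] == "firewall"]
    incidents = []
    for alert in (e for e in events if e["sensor"] == "ids"):
        same_flow = [f for f in fw
                     if (f["src"], f["dst"], f["dport"]) == (alert["src"], alert["dst"], alert["dport"])
                     and abs(f["ts"] - alert["ts"]) <= window]
        # "Did the attack reach its destination?": only if the firewall let the flow through.
        incidents.append({**alert, "reached": any(f["action"] == "accept" for f in same_flow)})
    return incidents


def score(incident):
    """Adjust the sensor's own priority with the context questions from the slide."""
    if not incident["reached"]:
        return "low"  # blocked at the perimeter: record it, do not escalate
    base = {1: 3, 2: 2}.get(incident["priority"], 1)   # IDS priority 1 is the most severe
    importance = ASSETS.get(incident["dst"], {"importance": 2})["importance"]
    vulnerable = (incident["dst"], incident["dport"]) in VULNERABLE
    total = base + importance + (2 if vulnerable else 0)
    return "critical" if total >= 7 else "high" if total >= 5 else "medium"


def triage(fw_text=FW_LOG, ids_text=IDS_LOG):
    """Return (alert message, victim, reached destination?, adjusted severity) per alert."""
    return [(i["msg"], i["dst"], i["reached"], score(i))
            for i in correlate(normalize_all(fw_text, ids_text))]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

On the constructed input the same IDS signature yields a critical incident against the file server (allowed through, important, unpatched) and a low one against the test box (dropped at the firewall), which is exactly the adjustment the slide asks for. A real deployment would pull the asset and vulnerability context from a CMDB and scanner output rather than inline dictionaries, and would also consume the remaining sources the Log Consolidation slide lists (AV, AAA, VPN, OS logs) through additional normalizers that emit the same schema.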

Demo

Resources

Certifications

EC-Council Certified Incident Handler
http://www.eccouncil.org/certification/ec-council_certified_incident_handler.aspx

Computer Hacking Forensic Investigator
http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx

Concepti
http://www.concepti.com

Tools

XPLICO - Internet Traffic Decoder, Network Forensic Analysis Tool (NFAT)
http://www.xplico.org/

Netwitness - Threat management solutions, monitoring and real-time network forensics
http://www.netwitness.com/

OSSIM - Open Source Security Information Management
http://www.alienvault.com/community.php?section=Home

Web Sites

FIRST is the global Forum for Incident Response and Security Teams
http://www.first.org/
Questions?

Thank you!

Roberto Martínez, ITlligent Security
Email: roberto.martinez@itlligent.com.mx
MSN: frml@live.com.mx
Skype: skp_roberto.martinez
@r0bertmart1nez