Security Planning
Susan Lincke
Planning for Incident Response
Title of the Presentation | 04/19/23 | 2
Objectives
Students should be able to:
Define and describe an incident response plan and business continuity plan
Describe incident management team, incident response team, proactive detection, triage
Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, root cause,
Define external test, internal test, blind test, double blind test, targeted test.
Develop a high-level incident response plan.
Describe steps to obtain computer forensic information during an investigation.
Describe general capabilities of a forensic tool.
Describe steps to copy a disk.
Define discovery, e-discovery, deposition, declaration, affidavit, fact witness, expert consultant, expert witness.
How to React to…?
Viruses
Denial of Service
Hacker Intrusion
Accidents
System Failure
Theft of Proprietary Information
Social Engineering
Lost Backup Tape
Stolen Laptop
Fire!
Incident Response vs. Business Continuity
Incident Response Planning (IRP): security-related threats to systems, networks and data; data confidentiality; non-repudiable transactions
Business Continuity Planning (BCP): Disaster Recovery Plan; continuity of business operations
IRP is part of BCP and can be *the first step*
NIST SP 800-61 defines an incident as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices."
Review: Business Continuity Recovery Terms
Interruption Window: the time duration the organization can wait between the point of failure and service resumption
Service Delivery Objective (SDO): the level of service in Alternate Mode
Maximum Tolerable Outage: the maximum time in Alternate Mode
[Figure: timeline running from Regular Service, through the Interruption and the (acceptable) Interruption Window, into Alternate Mode at the SDO level once the Disaster Recovery Plan is implemented, bounded by the Maximum Tolerable Outage, and back to Regular Service once the Restoration Plan is implemented.]
Vocabulary
Attack vectors = source methods: can include removable media, flash drives, email, web, improper use, loss or theft, physical abuse, social engineering, …
Vocabulary
IMT: Incident Management Team. The IS manager leads; includes the steering committee and IRT members.
• Develops strategies and designs the plan for incident response, integrating business, IT, BCP and risk management
• Obtains funding; reviews postmortems
• Meets performance and reporting requirements
IRT: Incident Response Team. Handles the specific incident. Has specific knowledge relating to security, network protocols, operating systems, physical security issues, malicious code, etc.
• Permanent (full-time) members: IT security specialists, incident handlers, investigator
• Virtual (part-time) members: business (middle management), legal, public relations, human resources, physical security, risk, IT
Stages in Incident Response
Preparation: plan PRIOR to the incident
Identification: determine what is/has happened
Containment & Escalation: limit the incident
Analysis & Eradication: determine and remove the root cause
Recovery: return operations to normal
Lessons Learned: process improvement; plan for the future
[If data breach] Notification: notify any data breach victims
[If data breach] Ex-Post Response: establish a call center, reparation activities
Why is incident response important?
$201: average cost per breached record
66% of incidents took from more than a month up to years to discover
82% of incidents detected by outsiders
78% of initial intrusions rated as low difficulty
Stage 1: Preparation
• What shall we do if different types of incidents occur? (BIA helps)
• When is the incident management team called?
• How can governmental agencies or law enforcement help?
• When do we involve law enforcement?
• What equipment do we need to handle an incident?
• What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies)
• Where on-site and off-site shall we keep the IRP?
(1) Detection Technologies
The organization must have sufficient detection and monitoring capabilities to detect incidents in a timely manner.
Proactive detection includes:
• Network Intrusion Detection/Prevention System (NIDS/NIPS)
• Host Intrusion Detection/Prevention System (HIDS/HIPS)
• Antivirus, endpoint security suite
• Security Information and Event Management (logs)
• Vulnerability/audit testing
• System baselines, sniffer
• Centralized incident management system: takes server and system logs as input; coordinates and correlates logs from many systems; tracks the status of incidents to closure
Reactive detection: reports of unusual or suspicious activity
Logs to Collect & Monitor
Incidents may include…
IT detects:
• a device (firewall, router or server) issues serious alarm(s)
• a change in configuration
• an IDS/IPS recognizes an irregular pattern: unusually high traffic, inappropriate file transfer, changes in protocol use
• unexplained system crashes or unexplained connection terminations
Employees report:
• malware
• violations of policy
• data breach: stolen laptop or memory, employee mistake
• social engineering/fraud: caller, e-mail, visitors
• unusual event: inappropriate login, unusual system aborts, slow server, deleted files, defaced website
(1) Management Participation
Management makes the final decision. As always, senior management has to be convinced that this is worth the money.
Actual costs: Ponemon Data Breach Study, 2014, sponsored by Symantec
Expenses Following a Breach | Average Cost
Detection and escalation: forensic investigation, audit, crisis management, board of directors involvement | $420,000
Notification: legal expertise, contact database development, customer communications | $510,000
Post-breach response: help desk and incoming communications, identity protection services, legal and regulatory expenses, special investigations | $1,600,000
Lost business: abnormal customer churn, customer procurement, goodwill | $3,320,000
Workbook: Incident Types
(Columns: Incident, Description, Methods of Detection, Procedural Response)

Intruder accesses internal network
• Description: Firewall, database, IDS, or server log indicates a probable intrusion.
• Detection: Daily log evaluations, high-priority email alerts
• Response: IT/Security addresses the incident within 1 hour. Follow: Network Incident Procedure section.

Break-in or theft
• Description: Computers, laptops or memory are stolen or lost.
• Detection: Security alarm set for off-hours; or employee reports missing device.
• Response: Email/call Management & IT immediately. Management calls police, if theft. Security initiates tracing of laptops via location software, writes Incident Report, evaluates if a breach occurred.

Social Engineering
• Description: A suspicious social engineering attempt was recognized, OR information was divulged that was recognized after the fact as being inappropriate.
• Detection: Training of staff leads to a report from staff
• Response: Report to Management & Security. Warn employees of the attempt as added training. Security evaluates if a breach occurred, writes incident report.

Trojan Wireless LAN
• Description: A new WLAN masquerades as us.
• Detection: Key confidential areas are inspected daily for WLAN availability
• Response: Security or network administrator is notified immediately. Incident is acted upon within 2 hours.
Stage 2: Identification
Triage: categorize, prioritize and assign events and incidents
• What type of incident just occurred?
• What is the severity of the incident? Severity may increase if recovery is delayed.
• Who should be called?
• Establish chain of custody for evidence
(2) Triage
Snapshot of the known status of all reported incident activity: sort, categorize, correlate, prioritize & assign
• Categorize: DoS, malicious code, unauthorized access, inappropriate usage, multiple components
• Prioritize: limited resources require prioritizing the response to minimize impact
• Assign: who is free/on duty and competent in this area?
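As an added example (not code from these slides), the Python below runs one triage pass over constructed SIEM-style log lines: it correlates events by source address, places each incident in one of the categories listed above (two different categories from the same source become "Multiple components"), raises the priority when a critical asset is touched and when an incident has sat unhandled, and assigns the handler on duty for that skill. The detection rules, severity weights, asset addresses and roster initials are all assumptions made for the example.

```python
"""Added example (not from the slides): triage of constructed SIEM events.
Rules, weights, critical-asset list, roster and the log lines are assumptions."""
import re
from datetime import datetime

# Base severity per category (constructed weights, 1 = low, 5 = critical).
BASE_SEVERITY = {
    "Denial of service": 3,
    "Malicious code": 3,
    "Unauthorized access": 4,
    "Inappropriate usage": 1,
    "Multiple components": 5,
}
# IRT skill that handles each category, and who on the (constructed) roster is on duty.
SKILL_FOR = {
    "Denial of service": "network",
    "Malicious code": "malware",
    "Unauthorized access": "investigator",
    "Inappropriate usage": "investigator",
    "Multiple components": "investigator",
}
ON_DUTY = {"network": "RFT", "malware": "PKB", "investigator": "JK"}

# Constructed detection rules; the first regex that matches decides the category.
RULES = [
    (re.compile(r"\b(synflood|rate=\d{4,})\b", re.I), "Denial of service"),
    (re.compile(r"\b(malware|trojan|virus)\b", re.I), "Malicious code"),
    (re.compile(r"auth=fail|root shell|privilege", re.I), "Unauthorized access"),
    (re.compile(r"\b(torrent|p2p)\b", re.I), "Inappropriate usage"),
]
CRITICAL_ASSETS = {"10.0.0.5", "10.0.0.9"}  # constructed: database and payroll hosts

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<msg>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events in a "timestamp sensor key=value ... free text" form.
SAMPLE_LOG = [
    "2023-04-19T10:53:02 ids src=203.0.113.7 dst=10.0.0.5 auth=fail count=350",
    "2023-04-19T10:55:10 hids src=203.0.113.7 dst=10.0.0.5 trojan dropper written to /tmp",
    "2023-04-19T06:10:00 fw src=198.51.100.4 dst=10.0.0.22 synflood rate=12000",
    "2023-04-19T10:58:00 av host=ws-17 src=10.0.1.17 trojan detected quarantined=no",
    "2023-04-19T11:00:00 proxy src=10.0.1.30 dst=10.0.0.40 policy violation torrent",
    "2023-04-19T11:01:00 fw src=192.0.2.9 dst=10.0.0.40 allowed http",
]
NOW = datetime.fromisoformat("2023-04-19T11:05:00")  # time the triage snapshot is taken


def parse(line):
    """Split one log line into timestamp, sensor, key=value fields and free text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "sensor": m["sensor"],
            "msg": m["msg"], "fields": dict(FIELD_RE.findall(m["msg"]))}


def categorize(msg):
    for rx, category in RULES:
        if rx.search(msg):
            return category
    return None  # nothing security-relevant: not an incident


def triage(lines, now):
    """Correlate events by source address, then categorize, prioritize and assign."""
    incidents = {}
    for line in lines:
        ev = parse(line)
        if ev is None or (cat := categorize(ev["msg"])) is None:
            continue
        key = ev["fields"].get("src", ev["sensor"])
        inc = incidents.setdefault(key, {"src": key, "categories": set(), "targets": set(),
                                         "first_seen": ev["ts"], "events": 0})
        inc["categories"].add(cat)
        inc["targets"].add(ev["fields"].get("dst", ""))
        inc["first_seen"] = min(inc["first_seen"], ev["ts"])
        inc["events"] += 1

    for inc in incidents.values():
        cats = inc["categories"]
        cat = "Multiple components" if len(cats) > 1 else next(iter(cats))
        priority = BASE_SEVERITY[cat]
        if inc["targets"] & CRITICAL_ASSETS:
            priority += 1                                # a critical asset was touched
        hours_waiting = (now - inc["first_seen"]).total_seconds() / 3600
        priority += min(2, int(hours_waiting // 4))      # severity grows while recovery is delayed
        inc.update(category=cat, priority=priority, assigned_to=ON_DUTY[SKILL_FOR[cat]])
    return sorted(incidents.values(), key=lambda i: (-i["priority"], i["first_seen"]))


def demo():
    return triage(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for inc in demo():
        print(f'P{inc["priority"]} {inc["category"]:<20} src={inc["src"]:<14} -> {inc["assigned_to"]}')
```

On the constructed input the 203.0.113.7 source (failed logins plus a dropped trojan on the database host) comes out first as "Multiple components", the SYN flood that has waited since 06:10 is raised one step for the delay, and the plain "allowed http" line never becomes an incident at all.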
(2) Chain of Custody
Evidence must follow chain of custody law to be admissible/acceptable in court.
• Include: specially trained staff, 3rd-party specialist, law enforcement, security response team
System administrator can:
• Retrieve info to confirm an incident
• Identify scope and size of the affected environment (system/network)
• Determine degree of loss/alteration/damage
• Identify possible path of attack
Stage 3: Containment
Activate the Incident Response Team to contain the threat: IT/security, public relations, management, business
Isolate the problem:
• Disable server or network zone communication
• Disable user access
• Change firewall configurations to halt the connection
Obtain and preserve evidence
(3) Containment - Response
Technical: collect data; analyze log files; obtain further technical assistance; deploy patches and workarounds
Managerial: business impacts result in management intervention, notification, escalation, approval
Legal: issues related to investigation, prosecution, liability, privacy, laws and regulation, nondisclosure
Stage 4: Analysis & Eradication
Determine how the attack occurred: who, when, how, and why? What is the impact and threat? What damage occurred?
Remove the root cause, the initial vulnerability or vulnerabilities:
• Rebuild system
• Talk to ISP to get more information
• Perform vulnerability analysis
• Improve defenses with enhanced protection techniques
Discuss recovery with management, who must make decisions on handling that affects other areas of the business
(4) Analysis
• What happened?
• Who was involved?
• What was the reason for the attack?
• Where did the attack originate from?
• When did the initial attack occur?
• How did it happen?
• What vulnerability enabled the attack?
(4) Remove root cause
If Admin or Root compromised, rebuild system
Implement recent patches & recent antivirus
Fortify defenses with enhanced security controls
Change all passwords
Retest with vulnerability analysis tools
Stage 5: Recovery
Restore operations to normal
Ensure that restore is fully tested and operational
Workbook: Incident Handling Response
Incident Type: Malware detected by antivirus software
Contact Name & Information: Computer Technology Services Desk: www.univ.edu/CTS/help, 262-252-3344 (O)
Emergency Triage Procedure: Disconnect the computer from the Internet/WLAN. Do not reconnect. Allow antivirus to fix the problem, if possible. Report to IT first thing during the next business day.
Containment & Escalation Conditions and Steps: If the laptop contained confidential information, investigate the malware to determine if an intruder obtained entry. Determine if Breach Law applies.
Analysis & Eradication Procedure: If confidential information was on the computer (even though encrypted), the malware may have sent sensitive data across the internet; a forensic investigation is required. Next, determine if virus=dangerous and user=admin:
• Type A: return the computer. (A = virus not dangerous and user not admin.)
• Type B: rebuild the computer. (B = either the virus was dangerous and/or the user was admin.)
The password is changed for all users on the computer.
Other Notes (Prevention techniques): Antivirus should record the type of malware to the log system.
Stage 6: Lessons Learned
Follow-up includes writing an Incident Report:
• What went right or wrong in the incident response?
• How can process improvement occur?
• How much did the incident cost (in loss, handling and time)?
Present the report to relevant stakeholders.
Planning Processes
• Risk & Business Impact Assessment
• Response & Recovery Strategy Definition
• Document IRP and DRP
• Train for response & recovery
• Update IRP & DRP
• Test response & recovery
• Audit IRP & DRP
Training
• Introductory training: first day as IMT
• Mentoring: buddy system with a longer-term member
• Formal training
• On-the-job training
• Training due to changes in IRP/DRP
Types of Penetration Tests
• External testing: tests from outside the network perimeter
• Internal testing: tests from within the network
• Blind testing: the penetration tester knows nothing in advance and must do web research on the company
• Double blind testing: system and security administrators also are not aware of the test
• Targeted testing: the tester has internal information about a target and may have access to an account
Written permission must always be obtained first.
Incident Management Metrics
• # of reported incidents
• # of detected incidents
• Average time to respond to an incident
• Average time to resolve an incident
• Total number of incidents successfully resolved
• Proactive & preventative measures taken
• Total damage from reported or detected incidents
• Total damage if incidents had not been contained in a timely manner
Challenges
• Management buy-in: management does not allocate time/staff to develop the IRP (the top reason for failure)
• Organization goals/structure mismatch: e.g., national scope for an international organization
• IMT member turnover
• Communication problems: too much or too little
• Plan is too complex and wide
Question
The MAIN challenge in putting together an IRP is likely to be:
1. Getting management and department support
2. Understanding the requirements for chain of custody
3. Keeping the IRP up-to-date
4. Ensuring the IRP is correct
Question
The PRIMARY reason for Triage is:
1. To coordinate limited resources
2. To disinfect a compromised system
3. To determine the reasons for the incident
4. To detect an incident
Question
When a system has been compromised at the administrator level, the MOST IMPORTANT action is:
1. Ensure patches and anti-virus are up-to-date
2. Change admin password
3. Request law enforcement assistance to investigate incident
4. Rebuild system
Question
The BEST method of detecting an incident is:
1. Investigating reports of discrepancies
2. NIDS/HIDS technology
3. Regular vulnerability scans
4. Job rotation
Question
The person or group who develops strategies for incident response includes:
1. CISO
2. CRO
3. IRT
4. IMT
Question
The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:
1. Disconnect the computer facilities from the computer network to hopefully disconnect the attacker
2. Power down the server to prevent further loss of confidentiality and data integrity
3. Call the police
4. Follow the directions of the Incident Response Plan
Computer Forensics
The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding.
The Investigation
Avoid infringing on the rights of the suspect. A warrant is required unless:
• the organization/home gives permission; the crime is communicated to a third party; the evidence is in plain sight or is in danger of being destroyed; evidence is found during a normal arrest process; or police are in hot pursuit.
Computer searches generally require a warrant except:
• When a signed acceptable use policy authorizes permission
• If a computer repair person notices illegal activities (e.g., child pornography), they can report the computer to law enforcement
Computer Crime Investigation
Four considerations: identify evidence; preserve evidence; analyze a copy of the evidence; present evidence
Evidence must be unaltered; chain of custody professionally maintained.
[Figure: investigation flow]
• Call police, or incident response
• Take photos of the surrounding area
• Copy memory, processes, files, connections in progress
• Power down
• Copy disk
• Preserve the original system in locked storage with minimal access
• Analyze the copied images
Initial Incident Investigation
A forensic jumpkit includes:
• a laptop preconfigured with protocol sniffers and forensic software
• network taps and cables
• Since the attacked computer may be contaminated, only the jumpkit's own tools can be considered reliable
The investigator is likely to:
• Get a full memory image snapshot, to obtain network connections, open files, in-progress processes
• Photograph the computer: active screen, inside and outside of the computer, for the full configuration
• Take a disk image snapshot to analyze disk contents
The investigator must not taint the evidence. E.g., a cell phone left on to retain evidence must be kept in a Faraday bag to shield the phone from connecting to networks.
Computer Forensics
Did a crime occur? If so, what occurred?
Evidence must pass tests for:
• Authenticity: the evidence is a true, unmodified original from the crime scene. Computer forensics does not destroy or alter the evidence.
• Continuity: "chain of custody" assures that the evidence is intact and its history is known.
Chain of Custody
Timeline: who did what to the evidence, and when? (A witness is required.)
10:53 AM: attack observed (Jan K)
11:04: incident response team arrives
11:05-11:44: system copied (PKB & RFT)
11:15: system brought offline (RFT)
11:45: system powered down (PKB & RFT)
11:47-1:05: disk copied (RFT & PKB)
1:15: system locked in static-free bag in storage room (RFT & PKB)
Chain of Custody
A chain of custody document tracks:
• Case number
• Device's model and serial number (if available)
• When and where the evidence was held/stored
• For each person who held or had access to the evidence (at every time): name, title, contact information and signature; why they had access
It is useful to have a witness at each point. Evidence is stored in evidence bags, sealed with evidence tape.
Creating a Forensic Copy
[Figure: Original → Mirror Image]
1) Calculate the message digest of the original before the copy
2) Accuracy feature: the tool is accepted as accurate by the scientific community
3) Forensically sterile destination: wipe existing data; record sterility
4) One-way copy: cannot modify the original
5) Bit-by-bit copy: mirror image
6) Calculate the message digest of the original after the copy
7) Calculate the message digest of the copy to validate correctness of the copy
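As an added example that is neither the slides' own nor any vendor's tool, the Python below walks steps 1 and 3 to 7 above on ordinary files that stand in for the seized drive and the destination medium (step 2, acceptance of the tool, is a qualification rather than code), and writes each step into a chain-of-custody record of the kind described on the Chain of Custody slide, so one block serves both slides. The case number, device description, examiner and witness initials and the drive contents are constructed; the last part of the demo alters one byte of the image to show that the step 7 digest catches a touched copy.

```python
"""Added example (not from the slides): forensic copy with message digests
before and after, a sterilized destination, and a chain-of-custody record.
Files stand in for the seized drive and the image medium; case number,
device description, examiner initials and drive contents are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # stream in 64 KiB blocks so a full disk image never sits in RAM


def digest(path):
    """Message digest of a whole file (used for steps 1, 6 and 7)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sterilize(path, size):
    """Step 3: overwrite the destination with zeros and return the digest
    that documents its sterility."""
    with open(path, "wb") as f:
        for offset in range(0, size, CHUNK):
            f.write(b"\x00" * min(CHUNK, size - offset))
    return digest(path)


def bit_copy(src, dst):
    """Steps 4 and 5: read-only source, every byte copied in order, with no
    interpretation of the file system (the software analogue of a write blocker)."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())


def new_custody_log(case_number, device):
    return {"case": case_number, "device": device, "entries": []}


def record(log, action, handled_by, witness, **detail):
    """One chain-of-custody entry: who did what to the evidence, when, and who saw it."""
    log["entries"].append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action, "by": handled_by, "witness": witness, **detail})


def image_device(original, image, log, examiner, witness):
    """Run the procedure above (step 2 is the tool's qualification, not code)."""
    size = os.path.getsize(original)
    before = digest(original)                                   # step 1
    record(log, "digest original (before)", examiner, witness, sha256=before)
    sterile = sterilize(image, size)                            # step 3
    record(log, "sterilize destination", examiner, witness, sha256=sterile, bytes=size)
    bit_copy(original, image)                                   # steps 4 and 5
    record(log, "bit-by-bit copy", examiner, witness, bytes=size)
    after = digest(original)                                    # step 6
    record(log, "digest original (after)", examiner, witness, sha256=after)
    copied = digest(image)                                      # step 7
    record(log, "digest copy", examiner, witness, sha256=copied)
    return {"original_unaltered": before == after, "copy_matches": copied == before,
            "sha256": before}


def verify_image(image, log):
    """Before any later analysis: the image must still hash to what was recorded
    for the original, and every custody entry must name a witness."""
    recorded = next(e["sha256"] for e in log["entries"]
                    if e["action"] == "digest original (before)")
    return digest(image) == recorded and all(e["witness"] for e in log["entries"])


def demo():
    work = tempfile.mkdtemp()
    original = os.path.join(work, "seized-drive.bin")   # stands in for /dev/sdX
    image = os.path.join(work, "seized-drive.dd")
    with open(original, "wb") as f:                     # constructed drive contents
        f.write(b"\x55\xaa" * 256 + bytes(range(256)) * 400)
    log = new_custody_log("CASE-2023-0419", "2 TB SATA drive, S/N CONSTRUCTED-001")
    result = image_device(original, image, log, examiner="RFT", witness="PKB")
    intact = verify_image(image, log)
    with open(image, "r+b") as f:                       # an analyst touches the image...
        f.write(b"\x00")
    tampered_detected = not verify_image(image, log)    # ...and the recorded digest catches it
    return result, intact, tampered_detected, log


if __name__ == "__main__":
    result, intact, tampered_detected, log = demo()
    print(result, intact, tampered_detected)
    for e in log["entries"]:
        print(e["time"], e["action"], e["by"], "witness:", e["witness"])
```

Analysis then proceeds on the image, never on the original, and the recorded digests are what lets an examiner show in court that the copy analyzed is the same bits that were on the seized drive.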
Forensic Tools
Normalizing data = converting disk data to an easily readable form.
Forensic tools analyze the disk or media copy for:
• logs
• file timestamps
• file contents
• recycle bin contents
• unallocated disk memory contents (or file slack)
• specific keywords anywhere on the disk
• application behavior: the investigator launches the application on a virtual machine running identical versions of the OS and software packages
Forensic Software Tools
EnCase: Interprets hard drives of various OS, tablets, smartphones and removable media for use in court. (www.guidancesoftware.com)
Forensic Tool Kit (FTK): Supports Windows, Apple, UNIX/Linux OS, including analysis of volatile (RAM and O.S. structures) and nonvolatile data for use in a court. (www.accessdata.com)
Cellebrite: Handles commercial mobile devices for use in a court. Mobile devices are connected via appropriate cables to a workstation with the forensic tool installed, or via a travel kit. (www.cellebrite.com)
ProDiscover: Analyzes hard disks for Windows, Linux and Solaris OS. An Incident Response tool can remotely evaluate a live system. (www.techpathways.com)
X-Ways: Specializes in Windows OS. X-Ways can evaluate a system via a USB stick without installation, and requires less memory. (www.x-ways.net)
Sleuth Kit: An open-source tool that evaluates Windows, Unix, Linux and OS X. It is programmer-extendable. The Sleuth Kit (TSK) = command-line tool; Autopsy = graphical interface. (www.sleuthkit.org)
Preparing for Court
When the case is brought to court, the tools & techniques used will be qualified for court:
• Disk copy tool and forensic analysis tools must be standard
• Investigator's qualifications include education level, forensic training & certification from forensic software vendors (e.g., EnCase, FTK) OR independent organizations (e.g., Certified Computer Forensics Examiner or Certified Forensic Computer Examiner)
• Some states require a private detective license.
The Investigation Report
The Investigation Report describes the incident accurately. It:
• Provides full details of all evidence, easily referenced
• Describes the forensic tools used in the investigation
• Includes interview and communication info
• Provides the actual results data of the forensic analysis
• Describes how all conclusions are reached in an unambiguous and understandable way
• Includes the investigator's contact information and the dates of the investigation
• Is signed by the investigator
A Judicial Procedure
Civil Case:
• Plaintiff files Complaint (or lawsuit)
• Defendant sends Answer within 20 days
Criminal Case:
• Law enforcement arrests defendant; reads Miranda rights
• Prosecutor files an Information with charges, or Grand Jury issues an indictment
Discovery Phase (both):
• Plaintiff & Defendant provide a list of evidence and witnesses to the other side
• Plaintiff & Defendant request testimony, files, documents (responsive documents)
The Trial
E-Discovery
Electronic responsive documents = Electronically Stored Information (ESI) or E-Discovery
The U.S. Federal Rules of Civil Procedure define how ESI should be requested and formatted.
E-requests can be general or specific:
• a specific document
• a set of emails referencing a particular topic
Discovery usually ends 1-2 months before trial, or when both sides agree.
All court reports become public documents unless specifically sealed.
Discovery Stage
Depositions: interviews of the key parties, e.g., witnesses or consultants
• question-and-answer session
• all statements recorded by a court reporter; possibly video
• the deponent (person being questioned) may correct the transcript before it is entered into the court record
Declarations: written documents
• the declarer states publicly their findings and conclusions
• full references to public documents help believability
• includes name, title, employer, qualifications, often billing rate, role, signature
Affidavit: a declaration sworn and signed before a notary
• both declarations and affidavits are limited to supporting motions
Witnesses
Witnesses must present their qualifications.
Are notes accessible during discovery?
• NO: email correspondence with lawyers is given attorney-client privilege
• YES: notes, reports, and chain of custody documents are discoverable
Witnesses may include (least to most qualified):
• Fact witnesses report on their participation in the case, generally in obtaining and analyzing evidence.
• Expert consultants help lawyers understand technical details, but do not testify or give depositions.
• Expert witnesses provide expert opinions within reports and/or testimony, e.g., computer forensic examiners. They do not need first-hand knowledge of the case and can interpret evidence. Expert witness mistakes can ruin a reputation.
The Trial
Case law is determined by:
• regulation, AND/OR
• precedent: previous decisions hold weight when regulation is not explicit and must be interpreted
Burden of proof:
• In a U.S. & U.K. criminal case: "beyond a reasonable doubt" that the defendant committed the crime
• In a U.K. civil case: "the balance of probabilities" or "more sure than not"
Stages of the trial in the U.S. and U.K.:
• Opening arguments
• Plaintiff's case
• Defendant's case
• Closing arguments
Question Authenticity requires:
1. Chain of custody forms are completed
2. The original equipment is not touched during the investigation
3. Law enforcement assists in investigating evidence
4. The data is a true and faithful copy of the crime scene
Question You are developing an Incident Response Plan. An executive order is that the network shall remain up, and intruders are to be pursued. Your first step is to…
1. Use commands off the local disk to record what is in memory
2. Use commands off of a memory stick to record what is in memory
3. Find a witness and log times of events
4. Call your manager and a lawyer in that order
Question What is NOT TRUE about forensic disk copies?
1. The first step in a copy is to calculate the message digest
2. Forensic analysis for presentation in court should always occur on the original disk
3. Normalization is a forensics stage which converts raw data to an understood format (e.g., ASCII, graphs, …)
4. Forensic copies require a bit-by-bit copy
Summary
Planning is necessary:
• Without preparation, no incident will be detected
• Incident handlers should not have to decide on the spot what needs to be done; the plan decides it in advance
Stages:
• Identification: determine what has happened
• Containment & Escalation: limit the incident
• Analysis & Eradication: analyze the root cause, repair
• Restore: test and return to normal
• Process improvement
• (Possibly) breach notification
If the case is to be prosecuted:
• Evidence must be carefully handled: authenticity & continuity
• Expert testimony must be qualified, accurate, bullet-proof