20160128 VT IRP redacted - Security | Virginia Tech
Virginia Tech Guide for Cyber Security Incident Response

IMPORTANT NOTE: If an incident is deemed to be illegal or life threatening, contact the VA Tech Police: 540-231-6411, or Emergency: 911.

ABSTRACT
This document assists university personnel in establishing cyber incident response capabilities and handling incidents efficiently and effectively. It provides a guide for cyber incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.

The IT Security Office can be reached by emailing itso-g@vt.edu or calling 540-231-1688
Table of Contents
Virginia Tech Guide for Cyber Security Incident Response
Record of Changes
Review Cycle
Section 1: Introduction
  Authority
  Purpose and Scope
  Audience
  Document Structure
Section 2: Cyber Incident Response Capabilities
  Mission
  Strategy and Goals for Cyber Incident Response
  University Authority for Cyber Incident Response
  Cyber Incident Response Teams
  VT’s Approach to Cyber Incident Response
Section 3: The Incident Response Processes
  Preparation
  Identification, Detection, and Analysis
  Containment, Eradication and Recovery
  Incident Closure
Appendix A: CIRT Org Chart
Appendix B: Sensitive Data Response Procedure
Appendix C: CIRT Team Member List and Contact Information
Appendix D: Checklist of major steps for Incident Response and Handling
Appendix E: Compromise Questionnaire and Information Gathering
Appendix F: Communications Tracking Worksheet
Appendix G: Internal Audit Guidelines for reporting unacceptable computer use
Appendix H: University Policies and Standards
Appendix I: Guidance on Reporting a Cyber Incident
Appendix J: Contact information for local police
Appendix K: Generalized Cyber Incident Escalation and Workflow Diagram
Appendix L: Acronyms
Appendix M: Step by Step Cyber Incident Response
Record of Changes

Version # | Implemented By | Revision Date | Approved By | Approval Date | Reason
4.0 | Randy Marchany | 03/14/2014 | Randy Marchany | | Reformat plan, improve process documentation, update team members, update version number
4.1 | Randy Marchany | 07/27/2014 | Randy Marchany | | Update documentation, expand remaining sections.
4.2 | Randy Marchany | 8/1/2014 | Randy Marchany | | Updating diagrams
4.3 | Brad Tilley | 11/3/2014 | | | Minor corrections and clarifications
4.4 | Brenda van Gelder | 4/1/2015 | | | Incorporate line managers feedback provided to date
4.5a | Randy Marchany | 6/1/2015 | | | Incorporate changes, update diagrams
4.6 | Angela Correa | 6/16/2015 | | | Grammar and continuity edit
4.7 | Jean Plymale | 06/30/2015 | | | Add Internal Audit guidelines, acronyms, contact info for local police and update document structure to reflect these changes and additions.
4.8 | Angela Correa | 7/9/2015 | | | Integration of 2015 edits.
4.9 | David Raymond | 11/18/2015 | Randy Marchany | 11/18/2015 | Final edits.
5.0 | David Raymond | 1/28/2016 | Randy Marchany | 1/28/2016 | - Updated Org Chart (App. A) - Finalized Version

Review Cycle
This cyber incident response plan should be reviewed on an annual basis. The review should include an examination of procedures and resource information to make sure information reflects Virginia Tech’s needs. The Cyber Incident Governance Team and the IT Security Officer should review all changes.
Section 1: Introduction

Authority
Oversight of the security of university information technology resources and information is entrusted to the Vice President for Information Technology by the Virginia Tech Board of Visitors.

In 2007, the Board of Visitors passed a resolution (http://www.bov.vt.edu/minutes/07-06-04minutes/attach_v_070604.pdf) requiring the Vice President for Information Technology to ensure compliance with established security standards throughout the University. The Vice President for Information Technology and CIO has given the IT Security Office (ITSO) full authority to act in a manner to protect the integrity, confidentiality, and availability of Virginia Tech’s information technology infrastructure.

Virginia Tech Policy 7010 - “Policy for Securing Technology Resources and Services,” gives the ITSO the authority to respond to threats to University networks, systems, and services.

The University Information Technology Security Program Standard of 2012 states that evaluating and reporting cyber security incidents is important to ensure information security events and weaknesses associated with information systems are communicated in a manner that will allow timely corrective action to be taken. Information Technology is responsible for:
• Maintaining an incident response procedure document
• Maintaining the Computer Incident Response Team (CIRT) to carry out these procedures
• Arranging for intake of reports of suspected IT security exposures of university data and other suspected cyber incidents.

The ITSO manages and coordinates detection, identification, containment, eradication, and recovery efforts of reported cyber security incidents with Virginia Tech departments’ IT personnel. The IT Security Officer also has the authority to classify threats as a risk to the enterprise and can activate the VT-CIRT team at his discretion. The CIRT Team will only be activated if a cyber security incident has been identified as affecting University IT systems/services at an enterprise or a multi-departmental level.

Purpose and Scope
This publication seeks to assist university personnel in mitigating the risks from cyber security incidents by providing a practical guide for responding to incidents effectively and efficiently. This document includes guidelines on establishing an effective cyber security incident response program, but the primary focus of the document is to provide assistance with detecting, analyzing, prioritizing, and handling incidents.

This document is not intended to replace Continuity or Disaster Recovery Planning. It is not intended to be used as a detailed list to accomplish every task associated with cyber security incident handling and response. Rather, the document is intended to provide a framework and processes by which consistent approaches can be developed and resource allocations can be made for a given scenario to facilitate the detection, identification, containment, eradication, and recovery from specific cyber security incidents.
This document addresses only incidents that are computer security-related, not those caused by natural disasters, power failures, etc.

This document applies to university-owned computers and technology devices connected to the Virginia Tech network. All University locations are covered by this document.

This document is intended to provide guidance to address cyber security incidents that have impacts that affect the University’s operational, financial, or reputational standing and/or the ability to comply with regulatory or legal requirements.

Audience
This document has been created for the VT cyber incident response team (CIRT), system and network administrators, security staff, technical support staff, chief information security officer (CISO), chief information officer (CIO), computer security program managers, and others responsible for preparing for or responding to cyber security incidents at Virginia Tech.

Document Structure
The rest of this document is arranged as follows:

Section 2 discusses the need for cyber incident response capabilities, and outlines possible cyber incident response team structures as well as other groups within the organization that may participate in cyber incident response handling.

Section 3 provides guidelines for effective, efficient, and consistent incident response capabilities and reviews the cyber security incident response elements.

Appendix A – VT Cyber Incident Response Teams Organizational Chart
Appendix B – Communication Workflow for Sensitive Data Exposure
Appendix C – CIRT Team, IT Council, Compliance Officers Directories
Appendix D – Incident Handling Checklist; Unix, Linux and Windows Forensics checklists
Appendix E – Detection and Analysis Information Gathering Outline
Appendix F – Communication Plan Worksheet
Appendix G – Internal Audit Guidelines for unacceptable computer use
Appendix H – University Policies and Standards
Appendix I – Workflow Diagram for Incident Escalation
Appendix J – Contact information for local police and FBI
Appendix K – Generalized Cyber Incident Escalation and Workflow Diagram
Appendix L – Acronyms
Appendix M – Step by Step Cyber Incident Response
Section 2: Cyber Incident Response Capabilities
A cyber security incident is defined by the Department of Homeland Security as an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.[1] An incident could be either intentional or accidental in nature.

Examples of cyber security incidents (hereafter may be referred to as “cyber incident” or “incident”) may include, but are not limited to:
• An incident in which an attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
• An incident in which users are tricked into opening a “quarterly report” sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.
• An incident where an attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
• An incident where a user provides or exposes sensitive information to others through peer-to-peer file sharing services.

Successful incidents similar to those noted above have occurred at Virginia Tech. These incidents have caused financial and reputational harm, disrupted daily operations, and created compliance issues with state and federal laws. Establishing cyber incident response capabilities at Virginia Tech ensures systematic (i.e., following a consistent cyber incident handling methodology) and coordinated actions are taken. Incident response helps personnel to minimize loss or theft of information and disruption of services caused by cyber incidents.

Incident response capabilities also build institutional resilience. Information gained and lessons learned during incident handling can help better prepare for dealing with future incidents.

Mission
One of the elements of Virginia Tech’s Information Technology mission is to provide, secure, and maintain information systems, allowing the University to accomplish its mission.

To support the University’s mission, Information Technology has developed a guide for implementing cyber security incident response plans. To aid in the coordination of response activities, Information Technology has formed a Cyber Incident Response Team (CIRT). The CIRT mission is to:
1. Limit the impact of cyber incidents in a way that safeguards the well-being of the University community.
2. Protect the information technology infrastructure of the University.
3. Protect sensitive University data from disclosure, modification, and exfiltration.
4. Collect the information necessary to pursue investigation(s) at the request of the proper University authority.

[1] From https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/coordination-of-federal-information-security-policy.pdf - 44 U.S. Code § 3552
Strategy and Goals for Cyber Incident Response
Timely and thorough action to manage the impact of cyber incidents is a critical component of the response process. The response should limit the potential for damage by ensuring that actions are well known and coordinated. Cyber incident response goals are:
• To protect the well-being of the University community.
• To protect the confidentiality, integrity, and availability of University systems, networks and data.
• To help University personnel recover their business processes after computer or network security incidents.
• To provide a consistent response strategy to system and network threats that put Virginia Tech data and systems at risk.
• To develop and activate a communications plan including initial reporting of the incident as well as ongoing communications as necessary.
• To address cyber related legal issues.
• To coordinate efforts with external Computer Incident Response Teams.
• To minimize the University’s reputational risk by notifying appropriate University officials of cyber incidents that may become high profile events and implementing timely and appropriate corrective actions.

To achieve these goals, Information Technology has adopted security best practices derived from standardized incident response processes such as those published by the National Institute of Standards and Technology (NIST) Special Publication 800-61 and other authorities.

The specific incident response process elements that comprise the VT Cyber Incident Response Plan include:
• Preparation: Maintaining and improving incident response capabilities and preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.
• Identification: Confirming, characterizing, classifying, categorizing, scoping, and prioritizing suspected incidents;
• Containment: Minimizing loss, theft of information, or service disruption;
• Eradication: Eliminating the threat;
• Recovery: Restoring computing services quickly and securely; and
• Post-incident activities: Assessing response to better handle future incidents through utilization of reports, “Lessons Learned,” and after-action activities, or mitigation of exploited weaknesses to prevent similar incidents from occurring in the future.

These six elements of Cyber Incident Response will be defined in detail in section 3.

Cross-cutting elements present throughout incident response handling include:
• Communication: Notifying appropriate internal and external parties and maintaining situational awareness;
• Analysis: Examining available data to support decision-making throughout the incident management lifecycle; and
• Documentation: Recording and time-stamping all evidence discovered, information collected, and actions taken from Identification through Post-incident activities.
University Authority for Cyber Incident Response
The following University organizations act as University Authorities; those who are authorized to make requests and decisions regarding cyber security incident response at Virginia Tech.
• Vice President for Information Technology and Chief Information Officer (CIO) – empowered to respond to IT security incidents by BOV Resolution “Information Technology Security and Authority”. http://www.bov.vt.edu/minutes/07-06-04minutes/attach_v_070604.pdf
• Information Technology Security Officer (ITSO) – delegated authority by CIO to decide whether to activate CIRT, notifies Incident Governance Team of decision
• VT CIRT Governance Team – a broad range of University stakeholders (see Appendix A).
• University Legal Counsel – any law enforcement/legal actions, questions about information disclosure, legal aspects of the investigation
• University President – personnel actions for staff
• Executive Vice President and Provost – personnel actions for faculty
• University Internal Audit – data integrity of critical University data, compliance with University procedures and fraud investigations
• Division of Student Affairs/Student Conduct – offenses by Virginia Tech students
• Virginia Tech Police Department – criminal matters
• Data Trustees/Stewards – sensitive or non-public data access and governance (data trustees and stewards are listed in the “Standard for Administrative Data Management” http://www.it.vt.edu/publications/pdf/interim_updates/AdministrativeDataManagementStandard2013Nov4signed.pdf)

NOTE: Requests from local, state, or federal law enforcement officials do not necessarily constitute proper authority. All requests from these agencies must first be made to University Counsel before contacting any university departmental personnel.

Any of the following requests from local, state or federal law enforcement agencies must be authorized by University Legal Counsel prior to issuance:
• Warrant - If you are presented with a warrant that has been authorized by University Legal Counsel, you should comply immediately with the request. Notify your supervisor and the Campus Police unless advised otherwise by law enforcement or University Legal Counsel.
• Subpoena - If you are presented with a subpoena that has been authorized by University Legal Counsel, comply with the request. Notify your supervisor unless you are advised otherwise by Legal Counsel.
• Freedom of Information Act – University Legal Counsel will advise how requests should be honored.
Cyber Incident Response Teams
The VT Cyber Incident Response Team is composed of current members of the IT Security Office staff and Division of Information Technology contacts from Secure Enterprise Technology Initiatives (SETI), Network Infrastructure & Services (NI&S), 4HELP, Enterprise Systems, and Converged Technologies for Security Safety and Resilience (CTSSR); as well as University college and departmental representatives that make up the IT Council, and University Compliance Officers. See Appendix C for contact information for VT-CIRT members.

Introducing the Cyber Incident Response Governance Team
The cyber incident response governance team is a new group that has been formed to provide oversight for cyber incident response. The Cyber Incident Response Governance Team is composed of the following University stakeholders:
• Vice President for Information Technology and CIO
• Information Technology Security Officer
• University Legal Counsel
• University Internal Audit
• VT Police Department
• Data Trustees/Stewards – sensitive or non-public data access and governance. Data trustees and stewards are listed in the “Standard for Administrative Data Management” http://www.it.vt.edu/publications/pdf/interim_updates/AdministrativeDataManagementStandard2013Nov4signed.pdf
• University Relations
VT’s Approach to Cyber Incident Response
This section provides guidelines for establishing incident response capabilities, and advice on maintaining and enhancing existing capabilities in the event of a cyber incident.

Reporting a Cyber Incident
A cyber incident is an event that poses a threat to the integrity, availability, or confidentiality of an IT system. Cyber incidents should be reported immediately to the IT Security Office or as soon as possible after discovery. The ITSO or designee will act as the Incident Response Manager (IRM) for all reported cyber incidents. The ITSO, with the assistance of the reporting entity, will work together to coordinate all aspects of the incident response process. The reporting entities must coordinate with the ITSO (or designee) prior to initiating any actions during the investigation or in response to information security incidents. All communications regarding cyber incidents must be conducted through channels that are known to be unaffected by the cyber incident under investigation.

Cyber incidents can be reported in several ways including by email, phone, in-person, or by initiating a 4Help trouble ticket.

IT Security Office Contact information: itso-g@vt.edu or 540-231-1688 - for a list of IT Security Office staff contact information, see Appendix C.

Examples of incidents that should be reported immediately include, but are not limited to:
• A virus/worm affecting multiple systems;
• Intrusion or damage to:
  o Website or page,
  o Computer system or network,
  o Wireless access,
  o Cell phones, smart phones,
  o Laptops, tablet computers,
  o Fax machines,
  o Voicemail, and
  o Voice over IP (VOIP) systems.

See Appendix I for further guidance on reporting cyber incidents.

Early notification allows the ITSO and affected departments time to gather as much information as possible when evaluating potential cyber incidents. Information that should be gathered and shared when reporting cyber incidents includes:
• Contact information of affected individuals
• IP address, hostname, or location of system(s)
• In the case of a website intrusion, the specific URL(s)
• Disclosure of data that may be included on the system. This is particularly important if this data may include social security numbers, credit card numbers, bank account numbers, debit card numbers, driver’s license numbers, passport numbers, medical information, or FERPA data.
• Disclosure of the system’s criticality, as noted on its most recent IT risk assessment.
• A description of the incident that includes a timeline and identification/detection details.

Prompt reporting may also help reduce common risks associated with cyber incidents, including:
• Physical safety risk: As the “Internet of Things” becomes more prevalent in monitoring physical facilities, a cyber attack against networked devices could cause physical harm to individuals.
• Regulatory risk: Compliance with federal and state legislation regarding the protection of information. This includes data and systems that fall under GLB (Gramm-Leach-Bliley Act), HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), ITAR (International Traffic in Arms Regulations), PCI-DSS (Payment Card Industry Data Security Standard), federal/state data breach notification laws, and the Patriot Act.
• Operational risk: Failure to protect systems and data can cause disruptions to critical daily operations.
• Financial risk: There may be costs associated with lost data, restoring systems, and data breach notifications.
• Reputational risk: There may be a negative impact on confidence in a system or a negative impact on the university’s reputation.
Cyber Incident Response Procedures
Once an incident report has been received, the ITSO will confirm details surrounding the incident through the identification, detection, and analysis phases of incident handling. Different types of incidents merit different types of response strategies, but generally:
• If an incident is confirmed, the ITSO will coordinate actions through the CIRT Governance Team and the CIRT Team.
• If an incident cannot be confirmed, the ITSO will make mitigation recommendations to the reporting entity.

The ITSO, CIRT teams, and/or the IRM shall categorize the incident according to type and potential impact(s). The incident shall then be classified and responded to in order of priority.
• If immediate action is required, the ITSO will begin coordinated incident response activities. NOTE: The CIRT will only be activated if a cyber incident is affecting University IT systems/services at an enterprise or a multi-departmental level.
• If immediate action is not required, the ITSO will work with the reporting entity to determine appropriate response actions.

In the case of multiple cyber incidents occurring simultaneously, the ITSO, CIRT Teams, and/or the IRM will classify the incidents according to their immediate and potential adverse effects and prioritize recovery and investigation activities according to the severity of these effects.

Communications and Information Sharing about a Cyber Incident
Communication is an essential part of cyber incident response. Because communications regarding a cyber incident often need to occur quickly, it is vital to build relationships and establish suitable means of communication between the ITSO and other groups, both internal (e.g., human resources, legal) and external (e.g., other incident response teams, law enforcement). University departments should proactively develop internal cyber security incident communication guidelines. Once an incident is confirmed, the ITSO and the CIRT Governance Team will coordinate information sharing so that only the appropriate information is shared with the appropriate parties.

A communication plan is mandatory whenever a breach of Personally Identifiable Information (PII) has been confirmed. Appendix B provides a workflow diagram for communications required when there is an exposure of sensitive data. A communication plan should identify internal and external communication needs, and how these needs will be addressed. Smaller events may only require internal communications, while larger events may require interaction with external stakeholders. The approach to communications should be tailored depending on the stakeholders.

The communication plan should be activated as soon as possible after a cyber incident has been confirmed. Appendix F provides a worksheet to assist in formulating a communication strategy for sharing information in the event of a cyber security incident. Section 3 provides more detail about developing a cyber incident communications plan.
Section 3: The Incident Response Processes

This section describes the major phases of the incident response process: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.

Appendix D provides a checklist of major steps to be performed during response and handling of an incident. The checklist does not dictate the exact sequence of steps that should always be followed and should be used as a guide for those involved. Appendix D also provides Unix/Linux and Windows Operating Systems Checklists for responding to system compromises.

Preparation
Preparation is fundamental to the success of incident response programs.

Incident response methodologies typically emphasize the proactive and ongoing use of tools, training, and processes necessary for preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.

Many of the necessary tools and training are available on the IT Security Office website http://security.vt.edu. One of the recommended preparation practices is for University colleges and departments to conduct an annual IT Risk assessment. The benefits of conducting an IT Risk Assessment include identifying applicable threats, including organization-specific threats. Each risk is categorized and prioritized to determine if risk can be mitigated, transferred, or accepted until a reasonable overall level of risk is reached. Another benefit of conducting risk assessments regularly is that critical resources are identified, allowing staff to emphasize monitoring and response activities for those resources. Templates and training are available for IT Risk Assessments through the office of Converged Technologies for Security, Safety and Resilience, at this website: http://www.it.vt.edu/ctssr/risk_assessment/

Conducting an IT Risk Assessment enables departments to correlate IT resources with mission critical business processes and services. Using that information, it then becomes possible to characterize interdependencies and the consequences of potential disruptions, as well as to generate plans to eliminate or ameliorate risks.

[Figure: incident response phases: Preparation; Identification, Detection and Analysis; Containment; Eradication; Recovery; Incident Closure]
Identification, Detection, and Analysis

Early steps taken to detect, verify, investigate, and analyze an incident are important to developing an effective containment and eradication strategy. Once an incident has been confirmed, resources can be assigned to investigate the scope, impact, and response needed. The detection and analysis phases determine the source of the incident and preserve evidence.

The general steps required for incident identification, detection, and analysis are to:
1. Review Internal Audit guidelines for department personnel actions with regard to unacceptable computer use and other cyber security incidents - See Appendix G.
2. Determine whether an incident has occurred.

Coordination between the IT Security Office and the affected department is important to make sure that steps taken to verify the incident do not alter data that will be needed for further investigation.

Detection and Analysis
The IT Security Office will work with the affected department to quickly analyze and validate each incident, and perform an initial assessment to determine the incident’s scope, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident.

A coordinated investigation may be required once an incident has been confirmed. The IT Security Office will identify and assign an individual to be the Incident Response Manager (IRM). The IRM will lead the incident response, is the point of contact for all matters relating to the incident, and is responsible for coordinating the data required for documenting the investigation and gathering evidence. In some cases, Federal, State, or local law enforcement may be involved in an incident investigation. See Appendix I for contact information for the Federal Bureau of Investigations (FBI), Department of Homeland Security (DHS), state, campus, and local police.

Inter-departmental Cooperation Guidelines
University personnel may be alerted to a threat from an internal or external source. It is important to notify the IT Security Office once a threat has been detected.
• The local systems administrator is responsible for fixing the problem on the machine(s). The IT Security Office may also detect a threat and alert the system custodian of record for the hardware or Ethernet port connection.
• All incidents should be handled by departmental IT staff with the support of the IT Security Office and, if necessary, the CIRT.

See Appendix E: Compromise Questionnaire and Information Gathering - Information Needed from the User, and Appendix I: Guidelines for Reporting a Cyber Incident.
Incident Categorization, Classification, and CIRT Activation
The incident type and impact will determine the level of response needed by the University. The IT Security Office will work with departments to determine the appropriate response for each confirmed incident. The general steps required for incident categorization and classification are:
1. Categorize the incident based on type of incident, security objective, and impact.
2. Classify the incident as a local or enterprise incident.
3. Prioritize handling of the incident based on the VT CIRT Incident Response Classification Matrix.
4. Activate CIRT if necessary.
5. Report the incident to the appropriate internal personnel and external organizations.

COMMON CATEGORIES OF CYBER INCIDENTS

Incident Type | Description
Unauthorized Access | When an individual or entity gains logical or physical access without permission to a university network, system, application, data, or other resource.
Denial of Service (DoS) | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim or participating in the DoS.
Malicious Code | Successful installation of malicious software (e.g., a virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
Improper or Inappropriate Usage | When a person violates acceptable computing policies.
Suspected PII Breach | If an incident involves personally identifiable information (PII), a breach is reportable by being merely Suspected. (Suspected PII incidents can be resolved by confirmation of a non-PII determination.)
Suspected loss of Sensitive Information | An incident that involves a suspected loss of sensitive information (not PII) that occurred as a result of Unauthorized Access, Malicious Code, or Improper (or Inappropriate) Use, where the cause or extent is not known.

Source: Incident Response and Management: NASA Information Security Incident Management
IMPACT DEFINITIONS

Potential impact for each security objective, rated Low, Medium or High:

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  Low: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Medium: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  Low: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Medium: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability: Ensuring timely and reliable access to and use of information.
  Low: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Medium: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Source: FIPS Publication 199
Once an incident is classified, it is important to categorize the incident as a local or enterprise event.

Local events represent a risk to Virginia Tech systems, networks, and data but are confined to a single or small number of departmental systems. An example of a local issue would be malware discovered on a departmental desktop or server. Local issues may even lead to data breaches if unencrypted sensitive data is stored on the compromised systems. Most cyber threats are identified, contained, and eradicated through coordinated efforts between the ITSO and affected departments. Local events are the most common type of attack observed at Virginia Tech.

Enterprise events are rare but have a large impact. A Distributed Denial of Service attack (DDoS) that degrades network performance in a manner that disrupts University operations is an example. This would be an enterprise-wide issue that would affect the entire University. Enterprise issues may require the activation of the Cyber Incident Response Team (CIRT). CIRT team members may be drawn from many departments across the university and have knowledge of critical systems that can be leveraged to protect Virginia Tech IT assets during an enterprise incident.

When multiple incidents occur simultaneously, the most serious or highest potential impact incidents should be handled first. The incident classification is performed by the Incident Response Manager (IRM) using the VT CIRT Incident Response Classification Matrix.
VT CIRT Incident Response Classification Matrix

Classification Level (3 = Most Severe). For each level the matrix gives: Typical Characteristics, Impact, Response, Activate CIRT?

Level 3
  Typical characteristics: DDoS attack against University servers. Attacks against network infrastructure. Network disruption for a large segment of the VT population.
  Impact: An enterprise-wide attack involving multiple departments requiring local and enterprise administrator support from the affected departments.
  Response: CIRT directs, response coordinated by ITSO. VT senior management, local sysadmin involved. Possible Legal Counsel, Law Enforcement involvement.
  Activate CIRT? Yes

Level 2
  Typical characteristics: Affects data or services for a group of individuals and threatens sensitive data, or involves accounts with elevated privileges with potential threat to sensitive data.
  Impact: Compromised Banner, Exchange, Active Directory, domain controller system administrator account, or Learning Management System (LMS) administrator account compromise.
  Response: Response coordinated by ITSO. Local Sysadmin. CIRT advised, Legal Counsel notified if PII breach.
  Activate CIRT? Advised

  Typical characteristics: Affects data or services of a single individual, but involves significant amounts of sensitive data.
  Impact: Faculty desktop with University defined sensitive data compromised, physical theft of computer/computer equipment.
  Activate CIRT? No

Level 1
  Typical characteristics: Affects data or services of a group of individuals with no sensitive data involved.
  Impact: Compromise of an account with shared folder access.
  Response: Local sysadmin, ITSO notified, event logged, progress monitoring. Standard forensics performed if local admin is unable.
  Activate CIRT? No

  Typical characteristics: Affects data or services of a single individual with no sensitive data beyond their own involved; focus is on correction and/or recovery and education/future prevention.
  Impact: Compromised faculty machine w/ no University defined sensitive data, etc.
  Activate CIRT? No

Level 0
  Typical characteristics: Occurrences of very minor or undetermined focus, origin and/or effect for which there is no practical follow-up.
  Impact: Network scans, personal firewall log reports, Snort reports, Tripwire, IDS/IPS reports.
  Response: ITSO monitors periodically, periodic summaries, vulnerability database maintenance, sends reports to central logging facility for trending weekly/monthly reports.
  Activate CIRT? No
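The matrix above and the rule that the most serious or highest potential impact incident is handled first can be encoded as a small triage routine. The following is an added example, not code from the Virginia Tech guide: the incident fields (scope, sensitive_data, privileged_account, noise_only) and the "worst of confidentiality, integrity, availability" rule used as the tie-breaker are assumptions made here to turn the matrix rows into a decision function.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so that max() picks the worst."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Incident:
    ident: str
    scope: str                 # assumed values: "enterprise", "group" or "individual"
    sensitive_data: bool       # University-defined sensitive data or PII involved?
    privileged_account: bool   # account with elevated privileges (e.g., domain admin) involved?
    confidentiality: Impact = Impact.LOW
    integrity: Impact = Impact.LOW
    availability: Impact = Impact.LOW
    noise_only: bool = False   # scans, IDS/IPS reports etc. with no practical follow-up


def potential_impact(inc):
    """Assumption: overall potential impact is the worst of the three FIPS 199 objectives."""
    return max(inc.confidentiality, inc.integrity, inc.availability)


def classify(inc):
    """Map an incident onto a matrix row; returns (classification level, Activate CIRT?)."""
    if inc.noise_only:
        return 0, "No"                      # level 0: no practical follow-up
    if inc.scope == "enterprise":
        return 3, "Yes"                     # level 3: enterprise-wide, CIRT directs
    if inc.scope == "group":
        if inc.sensitive_data or inc.privileged_account:
            return 2, "Advised"             # level 2: group + sensitive data / elevated privileges
        return 1, "No"                      # level 1: group, no sensitive data
    # single individual
    if inc.sensitive_data:
        return 2, "No"                      # level 2: one person, significant sensitive data
    return 1, "No"                          # level 1: one person, only their own data


def prioritize(incidents):
    """Order a queue of simultaneous incidents: highest level first, then worst
    potential impact, then by identifier so the order is deterministic."""
    return sorted(
        incidents,
        key=lambda i: (-classify(i)[0], -int(potential_impact(i)), i.ident),
    )


if __name__ == "__main__":
    queue = [
        Incident("desk-17", "individual", False, False),
        Incident("ad-admin", "group", True, True, confidentiality=Impact.HIGH),
        Incident("ddos-core", "enterprise", False, False, availability=Impact.HIGH),
    ]
    for inc in prioritize(queue):
        print(inc.ident, classify(inc))
```

The level returned is only the IRM's starting point; the matrix notes that local events may later be escalated to enterprise events if evidence warrants, so the classification should be re-run as facts change rather than fixed at first report.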
CIRT Activation

The CIRT will only be activated if a cyber incident has been confirmed to be affecting University IT systems/services at an enterprise or a multi-departmental level. Attacks against departmental servers do not necessarily require CIRT activation. Local events may be escalated to enterprise events if evidence warrants. The ITSO has the authority to classify incidents as an enterprise threat. The ITSO and the CIRT Governance Team have authority to activate the CIRT.

Communications Plan

Communications processes occur throughout the incident response phases and involve the initial reporting of the incident to relevant authorities, as well as ongoing communications with those impacted.

A communications plan is essential when dealing with a confirmed cyber incident. A good communication plan can help limit confusion and increase responsiveness by sharing action plans, updating University stakeholders, and providing transparency throughout the process. The plan should identify the stakeholders, those authorized to speak about the incident, the communication channels, the schedule of communication, as well as procedures for notifying external organizations that are directly involved in the incident. A communications plan can reduce conflicting messages and focus efforts.

University Relations, Information Technology, and the appropriate stakeholders must develop a communications plan whenever a breach of Personally Identifiable Information (PII) has been confirmed. A communication workflow diagram for PII exposure is available in Appendix B.

Potential Stakeholders
• VP for Information Technology and CIO
• IT Security Office Staff
• Data Trustees/Stewards
• CIRT Members
• Departmental Management
• Departmental IT Staff
• University Legal Counsel
• University Relations
• Vendors
• Office of Emergency Management
• Faculty and Staff
• Students
• Law Enforcement Agencies
• Members of Virginia Tech’s technical support community
• Outside agencies
• Internal Audit
• Media

Plans should include the following elements:
• An identification of those authorized to speak about the incident to university stakeholders and the media
• Clear protocols for message approval, to ensure accuracy
• An identification of communication channels for both internal and external stakeholders (Email, Listservs, phone conferences, Learning Management System, Blogs, Wikis, social media if applicable, etc.)
• Planned frequency of communications between internal stakeholders
• Planned frequency of communications with external stakeholders
• Notification procedures for external organizations directly involved in the incident
Appendix F contains a sample communication plan worksheet.

Containment, Eradication and Recovery

Containment

Containment procedures attempt to actively limit the scope and magnitude of the attack. A vulnerability in a particular computer architecture can be exploited quickly. Containment involves acquiring, preserving, securing, and documenting all evidence.

Containment has two goals:
• Prevent data from leaving the network via the affected machines.
• Prevent the attacker from causing further damage to Virginia Tech information technology assets.

The ITSO assigns a high priority to determining who the attackers are and what vector (port, software vulnerability, etc.) they are using to attack Virginia Tech hosts. Once this information is obtained, the ITSO will request a router block or physical disconnection to temporarily prevent an IP address, port or both from connecting to the VT network. This may disrupt other normal traffic, but this disruption will be kept to a minimum. Containing a cyber incident has a higher priority than maintaining normal business traffic.

The following actions are taken during the containment phase:

Coordinate all activities with the local system administrator. Possible actions include:
• Upon direction by the IRM, the local system administrator can proceed to repair the system as needed to return to normal business operations.
• Consulting provided by the ITSO to the local system administrator. The ITSO will remain available to provide consulting support during the repair process.
• The deployment of a small team from the ITSO with the appropriate expertise to the site.
• Securing the physical area on site if necessary.
• Using Appendix E: Compromise Questionnaire and Information Gathering to guide documentation.
• A review of the information provided by the system administrators.
• Not allowing the system to be altered in any way. Maintaining a low profile in order to avoid tipping off the attacker.
• Using a trusted system binary kit (Unix/Linux, Windows) to verify the system binaries have not been compromised.
• Making a forensic copy of the system for further analysis. Ensuring that any backup tapes are in a secure location.

Determine risk of continued operation. Possible actions include:
• Disabling network access but leaving the system up. Disabling the port if the attack is ongoing or if the compromised system is attacking another site. The Network Team should utilize available tools to identify and disable the port.
• Making a recommendation to the local management (faculty member, department head, dean, supervisor, etc.) regarding whether the affected system(s) should remain online. Attempting to restore operations as quickly as possible. However, if the compromised system threatens the integrity of the network or systems connected to the network, it should be disconnected from the net as soon as possible.
• Changing all user and system credentials on the affected machine(s). Back up the system.
• In some cases, a forensic image disk will be requested by law enforcement or by the office of Legal Counsel. Contact the ITSO to initiate the forensics process.
• Use network backup systems to determine what files were changed during the event. Contact Wanda Baber (540-231-9507, [email protected]) or Eliza Lau (540-231-9399, [email protected]).
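The containment list asks for a trusted binary kit to check that system binaries have not been replaced, and later for backups to be used to find what changed; the UNIX/Linux and Windows checklists in Appendix D make the same point with Tripwire. The mechanism behind both is a hash baseline compared against the live tree. Below is an added example (not part of this guide or of any Tripwire product): a minimal baseline-and-verify routine whose directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # record the target, not the link
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the tree under root against a previously saved baseline.

    Returns a report with three sorted lists: files whose digest changed,
    files present in the baseline but now gone, and files not in the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed end-to-end run in a throwaway directory; returns verify()'s report."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for a few system files (not real binaries).
        for rel, content in (("bin/ls", b"ls-binary-v1"),
                             ("bin/ps", b"ps-binary-v1"),
                             ("etc/passwd", b"root:x:0:0")):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        # The baseline is what you would keep off the host (here: a JSON string).
        baseline_json = json.dumps(build_baseline(root))

        # Three kinds of change an examiner is looking for: a replaced binary,
        # a deleted file, and a new file that was never in the baseline.
        with open(os.path.join(root, "bin/ps"), "wb") as fh:
            fh.write(b"ps-binary-tampered")
        os.remove(os.path.join(root, "bin/ls"))
        with open(os.path.join(root, "bin/.hidden"), "wb") as fh:
            fh.write(b"unexpected file")

        return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats follow from the guide's own wording. The comparison is only as good as the baseline, which must have been taken before the compromise and stored where the affected host cannot alter it. And because the checklist says not to alter the system and to use a trusted kit, the hashing should be run from known-good tools (or against the forensic copy made in the step above) rather than with the interpreter and libraries on the suspect host, which may themselves be among the replaced binaries.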
Eradication

Eradication is the removal of malicious code, accounts, or inappropriate access. Eradication also includes repairing vulnerabilities that may have been the root cause of the compromise. We strongly recommend a complete re-installation of the OS and applications.

The general steps involved in the eradication phase of incident response are to:
• Define eradication benchmarks
  o Consult various checklists for compromises. See Appendices D, E for general information
• Identify and mitigate all vulnerabilities that were exploited
• Remove malware, inappropriate materials, and other components
• If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps to identify all other affected hosts, then contain and eradicate the incident for them
• Reinstall OS, apply patches, reinstall applications, and apply known patches

Recovery

Once the incident has been contained and eradicated, recovery can start. This phase allows business processes affected by the incident to recover and resume operations.
The general recovery steps are:
1. If there was sensitive data on the affected machine, go to step 2. If there was not, go to step 4.
2. Follow the flowchart steps in Appendix B.
3. Reinstall and patch the OS and applications. Change all user and system credentials.
4. Restore data to the system.
5. Return affected systems to an operationally ready state.
6. Confirm that the affected systems are functioning normally.
7. If necessary, implement additional monitoring to look for future related activity.

Post-Incident Activity
Incident Closure

Documentation of a cyber incident and the steps taken to mitigate issues encountered are important. The documentation offers an opportunity to improve Incident Response processes and identify recurring issues. Most local issues can be properly documented using the University’s 4Help trouble ticket system.

Certain cyber incidents should be documented more thoroughly when their impact warrants. The ITSO will identify those local incidents that should be more thoroughly documented. A follow-up report and documentation is required for all enterprise level incidents.

Follow-up reports document the incident and include the lessons learned in order to preserve and expand knowledge. Reports are produced by the IT Security Office and/or the CIRT teams depending on the incident. The report should include:
• Information about the incident type
• A description of how the incident was discovered
• Information about the systems that were affected
• Information about who was responsible for the system and its data
• A description of what caused the incident
• A description of the response to the incident and whether it was effective
• Recommendations to prevent future incidents
• A discussion of lessons learned that will improve future responses
• A timeline of events, from detection to incident closure
The follow-up report should be shared with the VP for Information Technology and CIO as well as other stakeholders deemed appropriate. A “Lessons Learned” meeting with all those involved in the handling and response of the incident should be held and is mandatory for enterprise level incidents.
Appendix A: VT Cyber Incident Response Team Organizational Chart

CIRT Organization Chart (chart boxes, listed in the order extracted):
VP IT & CIO: Scott Midkiff
Deputy CIO / IT Chief of Staff: Scot Ransbottom
ITSO & IRM: Randy Marchany
Core CIRT
CIRT Governance
Systems CIRT
Network CIRT
ITSO Staff
Departmental CIRT
VTPD
Data Trustees/Stewards
University General Counsel
University Relations
Internal Audit
ITSO: Randy Marchany
Deputy CIO / IT Chief of Staff: Scot Ransbottom
Emergency Management
Appendix C: CIRT Team Member List and Contact Information

This appendix is redacted for public distribution. For a full list of CIRT members with contact information, [email protected] or (540) 231-1688.
Appendix D: Checklist of major steps for Incident Response and Handling

Action (check each off when Completed)

Detection and Analysis Phase
1. Determine whether an incident has occurred
  1.1 Analyze the precursors and indicators
  1.2 Look for correlating information
  1.3 Perform research (e.g., search engines, knowledge base)
  1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence
2. Prioritize handling of the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
3. Report the incident to the appropriate internal personnel and external organizations.

Containment, Eradication and Recovery
4. Acquire, preserve, secure, and document evidence
5. Contain the incident
6. Eradicate the incident
  6.1 Identify and mitigate all vulnerabilities that were exploited
  6.2 Remove malware, inappropriate materials, and other components
  6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them
7. Recover from the incident
  7.1 Return affected systems to an operationally ready state
  7.2 Confirm that the affected systems are functioning normally
  7.3 If necessary, implement additional monitoring to look for future related activity

Post-Incident Activity
8. Create a follow-up report
9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)

Source: NIST Special Publication 800-61 revision 2
UNIX/LINUX Checklist

This section is intended to provide guidance during the examination of a compromised system. Additional steps may be needed to examine a system. Please consult the IT Security Office before performing steps.

[ ] Regain control of the system. Some options include disconnecting the system from the network and making an image copy of the system disk(s).
[ ] Analyze the intrusion.
    [ ] Look for modifications made to system software and configuration files.
    [ ] Look for modifications to data.
    [ ] Look for tools and data left behind by the intruder.
    [ ] Review log files.
    [ ] Look for signs of a network sniffer.
    [ ] Check other systems on the local network.
    [ ] Check for systems affected on other local subnets or remote sites.
[ ] Recover from the intrusion.
    [ ] Install a clean version of the OS on the affected system.
    [ ] Disable unnecessary services.
    [ ] Install all vendor security patches.
    [ ] Change all passwords.
[ ] Improve the security of your system and network.
    [ ] Review the Center for Internet Security benchmark documents and the CERT.ORG Unix configuration guidelines checklist.
    [ ] Install security tools.
    [ ] Enable maximal logging.
    [ ] Install software firewall tools.
[ ] Reconnect to the network.
Windows Checklist

This section is intended to provide guidance during the examination of a compromised system. Additional steps may be needed to examine a system. Please consult the IT Security Office before performing steps.

[ ] Examine log and event files.
[ ] Check for odd user accounts and groups.
[ ] Look for incorrect group memberships.
[ ] Look for incorrect user rights.
[ ] Check for unauthorized applications starting at boot.
[ ] Check system binaries with something like Tripwire.
[ ] Check network configuration and activity.
[ ] Check for unauthorized shares.
[ ] Examine jobs run by the scheduler service.
[ ] Check for unauthorized processes.
[ ] Look for unusual or hidden files.
[ ] Check for altered permissions on files or registry keys.
[ ] Check for changes in user or computer policies.
[ ] Make sure the system has not been moved to a different Workgroup or Domain.
[ ] Examine all other related systems.
Appendix E: Compromise Questionnaire and Information Gathering

It is important to gather and record information during an incident. This helps with planning and assigning resources. Analysis of gathered information is also important to the incident closure process. The following questions are intended as an example to help with information gathering. Depending on the nature of the incident, it may be appropriate for additional questions to be considered. Consult Appendix G before proceeding.

Information Needed about Detection
1. What is the infection/intrusion type?
2. What time was the incident detected?
3. How was the infection detected?
4. Who detected the infection?
5. What is the incident machine IP address and DNS name?
6. Who is the IT Support for the incident machine?
7. Was a 4Help Ticket created?
   a. What is the ticket number?
8. What time was the initial notification sent?
9. Was network access disabled?
10. Were people contacted? If so, who?

Information Needed from the User
1. Gather user’s contact information. User (name, email, phone #)
2. What is the user’s job function?
3. What is the primary function of this department?
   a. Who is the user’s manager/direct-report?
4. Does the user work with sensitive or covered PII data?
   a. If yes, what types of sensitive or covered PII data?
5. How much sensitive data? (# of files, GBs?, file types, location)
6. What files did the user access during the time of the incident?
7. Did the user work with research data?
   a. If so, what types of research data?
8. How much research data? (# of files, size?, file types, location)
9. Does the user use university or departmental enterprise systems?
   a. If so, what level of access does the user have?
10. Does the user have access to shared network storage?
11. Are the shared drives automatically mounted?
12. Who else shares the data in those folders?
13. Did the user use encryption on files? If so, what kind(s) of encryption and where are the keys? ITSO may require access to encryption keys.

Questions about the Infection
1. What was the user doing during the incident?
2. Did the user notice any strange things about the computer around that time?
3. Did the user receive any strange emails, or open any unknown attachments?
4. Did the user enter credentials (username, password) on any sites?
5. Did the user install any software?
6. Did the user receive any software updates?
7. Did the user’s antivirus software complain or alert?
8. Did the user notice a change in computer performance?
9. Did the user receive any strange Instant Messages?
10. Does the user use their computer for non-work related functions?
11. If so, what function(s)?
12. Facebook/social media? Internet Radio? Email? Online Banking?

Information Needed from Departmental IT Support
1. IT Support contact information (name, email, phone #)
2. Do they have shared drives?
3. Who has access to these drives?
4. What type of data is accessed or used by the system? FERPA, GLBA, University PII, etc.
5. Are they automatically mounted?
6. What types of security precautions have you placed on the system? (AV, MalwareBytes)
7. Is administrative access granted to the user?
8. What types of encryption are used?

Infection Details and Analysis
1. IT person (name, email, phone #)
2. Do they have shared drives?
3. Who has access to these drives?
4. Types of data (see above)
5. Are they automatically mounted?
6. What types of security precautions have been placed on the system?
7. What type of anti-virus is used?
8. Does the user have administrative access?
9. Is there file-based encryption? (think: TrueCrypt)
   a. What type of encryption?

Incident Analysis
1. When was the first sign of an infection?
2. Was this sign indicative of the initial infection?
3. What is the confidence level of the initial infection notice?
4. Is a copy of the malware package available?
5. How long was the machine online after the first sign of an infection?
6. How long before the IT staff was notified?
7. How many Command & Control (C&C) servers are involved?
8. Where are they located?
9. How much data went to each C&C server?
10. Are other devices on the network communicating with these C&C servers?
11. How much data was transferred between the time of the believed initial infection and when the device was pulled off the network?
12. Who were the top talkers?
13. Are they legitimate top talkers?
14. What other network security alerts were triggered by the device?
15. How much traffic remains for the incident period after the top talkers are removed?
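Questions 9 through 15 are all answered from the same data: flow records for the device, restricted to the window between the believed initial infection and the moment it was pulled off the network. The script below is an added example, not part of the guide; the flow records, the incident host address, the infection and disconnection times and the CSV layout (timestamp, source, destination, destination port, bytes) are all constructed for the demonstration, and a real run would read exported NetFlow/sFlow or firewall logs instead.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real traffic). One row per flow:
# start timestamp, source address, destination address, destination port, bytes sent.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2015-03-02T08:55:00,10.0.5.21,10.0.0.5,53,400
2015-03-02T09:02:10,10.0.5.21,198.51.100.7,443,120000
2015-03-02T09:05:30,10.0.5.21,203.0.113.9,8080,950000
2015-03-02T09:06:00,10.0.5.21,192.0.2.44,443,15000
2015-03-02T09:10:00,10.0.5.21,203.0.113.9,8080,2500000
2015-03-02T09:12:00,10.0.5.21,10.0.0.5,53,600
2015-03-02T09:15:00,10.0.5.40,203.0.113.9,8080,40000
2015-03-02T09:31:00,10.0.5.21,203.0.113.9,8080,700000
"""

INCIDENT_HOST = "10.0.5.21"                      # assumed address of the device under analysis
INFECTION_TIME = datetime(2015, 3, 2, 9, 0)      # assumed believed initial infection (question 11)
DISCONNECT_TIME = datetime(2015, 3, 2, 9, 30)    # assumed time the device was pulled off the network


def parse_flows(text):
    """Turn the CSV export into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def flows_in_window(flows, host, start, end):
    """Flows sent by host from the believed infection up to (excluding) disconnection."""
    return [f for f in flows if f["src"] == host and start <= f["ts"] < end]


def bytes_by_peer(flows):
    """Total bytes sent to each destination (question 9, per suspected C&C server)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["dst"]] += f["bytes"]
    return dict(totals)


def top_talkers(totals, n):
    """The n destinations that received the most data (question 12), ties broken by address."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def residual_bytes(totals, talkers):
    """Traffic left in the window once the top talkers are removed (question 15)."""
    removed = {peer for peer, _ in talkers}
    return sum(b for peer, b in totals.items() if peer not in removed)


def other_hosts_talking_to(flows, peers, exclude):
    """Other internal sources seen sending to the same peers, at any time (question 10)."""
    return sorted({f["src"] for f in flows if f["dst"] in peers and f["src"] != exclude})


def analyze(text=SAMPLE_FLOWS, host=INCIDENT_HOST,
            start=INFECTION_TIME, end=DISCONNECT_TIME, n=2):
    flows = parse_flows(text)
    window = flows_in_window(flows, host, start, end)
    totals = bytes_by_peer(window)
    talkers = top_talkers(totals, n)
    return {
        "bytes_in_window": sum(f["bytes"] for f in window),
        "top_talkers": talkers,
        "residual_bytes": residual_bytes(totals, talkers),
        "other_hosts": other_hosts_talking_to(flows, {p for p, _ in talkers}, host),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

The top talkers are a lead, not a finding: question 13 asks whether they are legitimate, so each high-volume destination still has to be checked against known services (backup targets, cloud sync, update mirrors) before it is written up as a C&C server, and the 09:31 row in the sample shows why the disconnection time bounds the window: traffic logged after the device was pulled cannot have come from it and points at a logging or timing error to investigate.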
Appendix F: Communications Tracking Worksheet

This worksheet is intended to help formulate a communication strategy to share information while containing, eradicating, and recovering from a cyber-incident. All communications regarding cyber incidents must be conducted through channels that are known to be unaffected by the cyber incident under investigation.

Note: Consult University Legal Counsel and University Relations before communicating with external stakeholders.

1. List of possible stakeholders
[ ] VP and CIO for Information Technology
[ ] IT Security Office Staff
[ ] CIRT Team Members
[ ] Departmental Management
[ ] Departmental IT Staff
[ ] University Legal Counsel
[ ] Faculty and Staff
[ ] Students
[ ] Law Enforcement Agencies
[ ] Virginia Tech’s technical support community
[ ] Outside agencies
[ ] Vendors
Others:

2. List those authorized to communicate (limits of authorization)

3. List internal communications channels
[ ] Email
[ ] Listserv (can be event specific)
[ ] Phone/video conferences
[ ] Meetings
[ ] Office phones
[ ] Cell phones
Others:

4. List external communications channels
[ ] Email
[ ] Web, Blogs
[ ] Listserv (can be event specific)
[ ] Phone/video conferences
[ ] Meetings
[ ] Office phones
[ ] Cell phones
Others:

5. Schedule of communications (Discuss appropriate frequency of communications)
IT Security Office Procedure for Notification of Outside Organizations Involved in a Cyber Incident

It may be necessary to contact an outside organization to let them know that a machine under their control may be having a negative impact on Virginia Tech’s IT systems and networks. The steps provided below are intended to guide communication.

1. Determine technical and administrative contacts of the source machine.
2. Determine WHOIS contact for upstream provider, if one exists.
3. Determine if a US-CERT or “abuse” email address exists if the source machine is from a foreign country.
4. [email protected]/scanned by the source machine.
5. Send a concise email to the WHOIS contact of the source machines. Include:
   • The source site’s US-CERT
   • Copy for IT Security Office
   • Copy affected department(s) and personnel.
   • Log excerpts in text of e-mail. Do NOT send attachments or HTML.
Appendix G: Internal Audit Guidelines for reporting unacceptable computer use. Source: http://www.ia.vt.edu/Unacceptable%20Computer%20Use%20Guidance.pdf
Appendix H: University Policies and Standards

• Available at http://www.policies.vt.edu
• Virginia Tech Statement of Business Conduct Standards – http://www.cafm.vt.edu/busprac/business_conduct_standards.php
• 1060 – Policy on Social Security Numbers
• 2000 – Management of University Records
• 2001 – Retention and Storage of Presidential Records
• 2010 – Release of Names and Addresses of Students
• 4082 – Appropriate Use of Electronic Personnel and Payroll Records
• 7000 – Acceptable Use of Computer and Communication Systems
• 7010 – Policy for Securing Technology Resources and Services
• 7025 – Safeguarding Nonpublic Customer Information
• 7030 – Policy on Privacy Statements on Virginia Tech Web Sites
• 7035 – Privacy Policy for Employees’ Electronic Communications
• 7040 – Personal Credentials for Enterprise Electronic Services
• 7100 – Administrative Data Management and Access Policy
• Standard for Administrative Data Management – http://www.it.vt.edu/publications/pdf/interim_updates/AdministrativeDataManagementStandard2013Nov4signed.pdf
• 7200 – University IT Security Program
• 7205 – IT Infrastructure, Architecture, and Ongoing Operations
• 7210 – IT Project Management
• 7215 – IT Accessibility

Virginia Legislation
• Commonwealth of VA Policy 1.75 – Use of Internet and Electronic Communication Systems
• Code of Virginia 2.2-603.G Incident Reporting Requirement, www.vita.virginia.gov/security/incident/guidance.cfm
• Code of Virginia 18.2-186.6 Data Breach Notification Requirement
• Code of Virginia 2.2-3801 Definitions
• Code of Virginia 2.2-3806 Rights of Data Subjects

References
1. Board of Visitors Information Technology Security and Authority Resolution, June 2007, http://www.bov.vt.edu/minutes/07-06-04minutes/attach_v_070604.pdf
Appendix I: Guidance on Reporting a Cyber Incident

What to Report

A cyber incident should be reported if it resulted in either:
• Exposure of legally protected data in University databases, such as financial information protected by GLBA,
• Health information protected by HIPAA.
AND/OR
• Major disruption to normal agency activities carried out via the University’s data communications, such as network unavailability for all or significant portions of an agency due to a denial of service (DoS) attack.

You should report events that have a real impact on your organization. An IT security incident includes, but is not limited to, the following events regardless of platform or computer environment, when:
a. Damage is done
b. Loss occurs
c. Malicious code is implanted
d. There is evidence of tampering with data
e. Unauthorized access has been gained or repeated attempts at unauthorized access have been made (from either internal or external sources)
f. There has been a threat or harassment via an electronic medium (internal or external)
g. Access is achieved by the intruder
h. Web pages are defaced
i. A user detects something noteworthy or unusual (a new traffic pattern, new type of malicious code, a specific IP as the source of persistent attacks)
j. There is a denial of service attack on the agency
k. Virus attacks adversely affect servers or multiple workstations
l. Other information technology security incidents occur that could undermine confidence and trust in the Commonwealth's Information Technology systems
Appendix J: Contact information for local police

Virginia Tech Police (540-231-6411)
Blacksburg Police (540-961-1150)
Christiansburg Police (540-382-3131)
Radford Police (540-731-3624)
Appendix L: Acronyms

CIO: Chief Information Officer
CIRT: Computer Incident Response Team
CISO: Chief Information Security Officer
COV: Commonwealth of Virginia
CSRM: Commonwealth Security and Risk Management
DDoS: Distributed Denial of Service
ES: Enterprise Systems
FERPA: Family Educational Rights and Privacy Act
GLB: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
IDS: Intrusion Detection System
IMS: Identity Management Services
IPS: Intrusion Prevention System
IRM: Incident Response Manager
ISO: Information Security Officer
IT: Information Technology
ITSO: IT Security Office or IT Security Officer depending on the context
ITAR: International Traffic in Arms Regulations
ITRM: Information Technology Resource Management
ITSO: Information Technology Security Officer
NI&S: Network Infrastructure and Services
NIST: National Institute of Standards and Technology
PCI-DSS: Payment Card Industry Data Security Standard
PII: Personally Identifiable Information
PIRN: Personal information requiring notification
SEC501: Information Security Standard 501
SETI: Secure Enterprise Technology Initiatives
VCCC: VITA Customer Care Center
URL: Universal Resource Locator
US-CERT: United States Computer Emergency Readiness Team
VITA: Virginia Information Technologies Agency
VT: Virginia Tech