incident management and response kindle r2 20160825...incident response is a subset of an overall...

IncidentManagementandResponseGuide:Tools,Techniques,Planning,andTemplates

ByTomOlzak,MBA,CISSP

Ó2017byThomasW.OlzakThisworkislicensedundertheCreativeCommonsAttribution-NonCommercial-NoDerivatives4.0InternationalLicense.Toviewacopyofthislicense,visit

http://creativecommons.org/licenses/by-nc-nd/4.0/.

PublishedbyErudioSecurity,LLC

Phone:419-377-6844Email:[email protected]

Web:v-cso.com

Section1. PrepareSection1.01 Policy,Procedures,andTeamSection1.02 StrategicThreatIntelligenceSection1.03 VulnerabilityManagement(a) UnsecureConfigurationandCoding(b) TrainingandAwareness(c) AccessControl(d) VulnerabilityIdentification

Section1.04 SectionSummary

Section2. RiskManagementSection2.01 RiskAssessments(a) SystemDefinition(b) IdentifyExistingControls(c) BusinessImpactAnalysis(BIA)andCalculatingRisk(d) RiskManagementRecommendations(e) ResultsDocumentationandPresentation

Section2.02 SectionSummarySection3. TeamCreationandPlanningSection3.01 TheTeam(a) ComputerSecurityIncidentResponseTeam(CSIRT)Membership(b) CSIRTResponsibilities(c) CSIRTResponseToolsandResources

Section3.02 ThePlan(a) Step1:Begindocumentationandpotentialevidencepreservation(b) Step2:Determineifincidenthasoccurred(c) Step3:Prioritizetheincident(d) Step4:Reportincidentasspecifiedintheincidentresponsecommunicationsplan(e) Step5:Obtainmanagementdecisionaboutforensicspreservationandcollection(f) Step6:Acquire,preserve,anddocumentevidenceasdirectedinStep5(g) Step7:Containtheincident(h) Steps8&9:EradicatetheIncidentandRecover(i) Step10:RootCauseAnalysisandActionPlan


Section4. ResponseSection4.01 Step1:BegindocumentationandpotentialevidencepreservationSection4.02 Step2:DetermineifincidenthasoccurredSection4.03 Step3:PrioritizetheincidentandestablishsituationalawarenessSection4.04 Step4:ReportincidentasspecifiedincommunicationsplanSection4.05 Step5:ObtainmanagementforensicsevidencecollectiondecisionSection4.06 Step6:Acquire,preserve,andprotectevidenceSection4.07 Step7:ContaintheincidentSection4.08 Step8:EradicatetheincidentSection4.09 Step9:RecoverSection4.10 Step10:Rootcauseanalysisandreporting

Section4.11 SectionSummarySection5. InitialResponseForensicsSection5.01 ForensicsOverviewSection5.02 ProtectingDigitalEvidenceSection5.03 SecuringaPotentialCrimeSceneSection5.04 SectionSummary

Section6. WorksCitedFigure1:RiskModelFigure2:AttackSurfaceFigure3:AccessRightsFigure4:AttackTreeFigure5:ControlsMatrixFigure6:QualitativeRiskCalculatorFigure7:IncidentHandlingChecklistFigure8:ExternalCommunicationFigure9:VLANSegmentation(Olzak,2012(April))Figure10:MaximumPeriodofTolerableDowntimeFigure11:DependentProcessesFigure12:RootCauseChainofEventsFigure13:FiveWhysFigure14:IncidentResponseChecklistFigure15:DigitalForensicsFigure16:InitialResponseTeamChecklist

Section1. Prepare

Incidentshappentouseveryday.Weforgetourpassword.Oneofourkidsforgetstheirlunch.Ourcomputerdecidesnottoprint.Theseareallsmalleventsthathinderourabilitytomoveforwardinourday.Securityincidentsarethesamebutusuallyhaveagreaterimpact.

Asecurityincidentisdefineddifferentlybyvariousorganizations.NIST

definesanincidentas“Aviolationorimminentthreatofviolationofcomputersecuritypolicies,acceptableusepolicies,orstandardsecuritypractices”(Cichonski,Millar,Grance,&Scarfone,2012,p.6).Ifindthistoonarrow.

Inmyexperience,asecurityincidentisanevent,intentionalorunintentional,

thatoccursoutsidewhatisexpectedindailyoperationsthatcannegativelyaffectbusinessoperation(processes),customers,investors,andemployees.ThisexpandstheNISTdefinitionbyincludinganythingthatviolatespolicy,regulations,laws,orethics.

Inotherwords,anincidentisanythingthatcancompromisethe

confidentiality,integrity,oravailability(CIA)ofdataorthesystemsthatsupportbusinessprocesses.Confidentialityallowsonlyauthorizedindividualsorapplicationsaccesstosensitiveinformation.Integrityisthemeasureofthedata’saccuracyandauthenticity.Availabilityensuresinformationisavailabletoauthorizedentitieswhenandwhereneededforbusinessoperation.

Incidentresponseisasubsetofanoverallincidentmanagementprogram.

Thepurposeofincidentmanagementistoprepareforvarioustypesofincidentsandthenrespondwhentheyoccur.Incidentmanagementhasfourgoals:

1. Developmentandmanagementofanincidentmanagementpolicyandsupportingprocedures(detailsinSection3)

2. Creation,training,andmanagementofanincidentresponseteam(detailsinSection4)

3. Preparationa. StrategicThreatintelligenceb. Vulnerabilitymanagementc. Riskmanagement(detailsinSection2)

4. Incidentresponsetoreduceorpreventbusinessimpact(detailsinSection5)

Section1.01 Policy,Procedures,andTeam

Theincidentmanagementpolicyformsthefoundationforyourorganization’sabilitytoprepareforandrespondtotheunwantedandunexpected.

Anincidentmanagementpolicytemplateisavailablefordownloadathttp://bit.ly/2tTSKsg.Thepolicyshouldcreateanincidentmanagementprogramandassignresponsibilitiesforincidentmanagementandresponse.

InSection3,Iaddresscreatingtheincidentresponseteam,plan,and

procedures.Fornow,itisenoughtounderstandtheneedfordocumentedandup-to-dateincidentresponseprocedures.Youneverwanttofaceanincidentwithoutaclearapproachtomitigatingorpreventingnegativebusinessimpact.

Section1.02 StrategicThreatIntelligence

Strategicthreatintelligence(STI)providesyourorganizationwithinformationaboutprobablethreatsandassociatedtoolsandtechniquesusedbythethreatagents.Athreatagentisaspecificincidentofathreat.Forexample,athreatispotentialforthetheftofcustomerpaymentinformationbyexploitingvulnerabilities.Athreatagentwouldbeaspecificcybercriminalusingcertaintoolsandtechniquestoexploitweaknessesinyournetworktostealtheinformation.

Withoutunderstandinghowyoumightbeattacked,itisimpossibleto

performcomprehensiveriskassessments.Informationaboutpotentialthreatsandthreatagentsisavailablefrom

• Governmentandpublicsources

o US-CERTAlerts(http://bit.ly/2pUj5oY)o TheCyberWire(https://thecyberwire.com/)o Threatbrief(http://threatbrief.com/)o Twitterfeedsoftopsecurityprofessionals

(http://bit.ly/2pWCG7u)• Yourvendors

o IPSvendoro SIEMvendoro Threatanalyticsvendoro Microsofto Apple

Section1.03 VulnerabilityManagement

Managingvulnerabilitiesisongoing.Itallowsustoidentifyandassessriskwhenassociatedwithrelevantthreatagents.Forexample,wediscovermissingapatchduringavulnerabilityscanforMicrosoftWindowsthatiscurrentlyexploitedbyoneormorethreatagents.AnotherexamplemightbefailingtoblockallnonessentialSQLServerÒtrafficpassingthroughafirewallorbyunsecureconfigurationofVLANaccesscontrollists.Vulnerabilitiesareusuallycausedby

• Unsecureconfigurationofoperatingsystems,networkdevices,and

applications• Unsecurecodingpracticesordevelopermistakes

• Lackofusertrainingandawareness• Insufficientattentiontoauthentication,authorization,and

accountabilityinaccesscontrols

(a) UnsecureConfigurationandCodingOperatingsystems,suchasWindowsÒandWindowsServerÒ,havesecurity

baselinesprovidedbyMicrosoft(http://bit.ly/2vcW6ML).Followingthesebaselinesisagoodstart.Networkdevicevendorsalsoprovideguidanceonhowtosecurelyconfiguretheirproducts.Thisguidanceisalsosupportedbysecuritybestpractices,suchasblockingeverythingonafirewallandopeningonlywhatisnecessaryforbusinessoperation.CiscoprovidesdetailedinformationabouthardeningIOSdevicesathttps://www.cisco.com/c/en/us/support/index.html.

Securelyconfiguringapplicationsandreviewingcodingpracticesshouldnot

causemajorconcerns,iftheSystem/SoftwareDevelopmentLifeCycle(SDLC)minimallyincludesriskassessmentsandsecurityrequirementstesting.FordetailedinformationaboutintegratingsecurityintotheSDLC,seeNISTSP800-64R2SecurityConsiderationsintheSystemDevelopmentLifeCycle(http://bit.ly/2kxni2y).

(b) TrainingandAwareness

Humansarethebiggestvulnerabilityyouface.Relyingonuserbehaviortomaintainconfidentiality,integrity,andavailabilityisacontroloflastresort:acontrolonwhichyoushouldrelyonlywhenreasonableandappropriatetechnologycontrolsleavegaps.Trainingandawarenessactivities,startingwithastrongandcommunicatedAcceptableUsePolicy(downloadpolicytemplatefromhttp://bit.ly/2pUtdOx),helptomanagehumanvulnerabilities.Fordetailedinformationaboutdevelopingandmanagingsecuritytrainingandawarenessinyourorganization,seeNISTSP800-50Building an Information Technology Security Awareness and Training Program (http://bit.ly/2qNzgII).

(c) AccessControl

Controllingaccesstoinformationresourcesisnoteasy.Itrequiresreasonableandappropriateverificationofanypersonorapplicationattemptingtoaccessaresource(authentication).(Theentityattemptingtoaccessaresourceiscalledthesubject,andtheresourcebeingaccessediscalledtheobject.)Thisisfollowedbyauthorizationbasedonanalysisofuserrolestoproperlyapplysegregationofduties,need-to-know,andleastprivilege.

Segregationofdutiespreventsanysinglepersonfromperformingalltasks

associatedwithabusinessprocess.Need-to-knowensuresapersonassignedabusinessroleonlycanseetheinformationnecessarytoperformrelatedtasks.Leastprivilegelimitswhatusersinarolecandowithdatatheyaccess.Hereisanexample…

1. Auserlogsintothenetworkandhis/heridentityisestablished(authentication)

2. Theuserisgrantedaccesstothepayrollsystembecauseofhis/herrole(courseauthorization)

3. Theuserisgrantedaccesstospecifictasksordatawithintheapplication,basedonhis/herroleintheorganization(fineauthorizationbasedonsegregationofduties)

4. Oncetheuserselectsaspecifictask,heorsheisonlyallowedtoperformspecificactionsonthedata(leastprivilege)

5. Databaselimitswhattheuserseestoonlywhatisnecessarytoperformanassignedtask(need-to-know)

Thefinalcomponentofaccesscontrolisaccountability.Accountability

ensuresyouunderstandwhatsubjectaccessedanobject,whatwasdonetotheobject,andwhentheactionhappened.Collectionoflogsandlogauditingisthefoundationofaccountability.

Thestrengthofaccesscontroldependsonthesensitivityoftheresource

protected:theresource’sclassification.WeclassifydatabasedonitsvaluetotheorganizationandthenegativeimpactontheorganizationiftheCIAofthatdataiscompromised.Forexample,wemightclassifydataas

• Public:anyonecanaccessandseetheinformationwithnonegative

impactonthebusiness• Confidential:moderatedamagetotheorganizationwilloccurifthe

data’sconfidentiality,integrity,oravailabilityiscompromised• Restricted:severedamagetotheorganizationwilloccurifthedata’s

confidentiality,integrity,oravailabilityiscompromised

Anydevicethroughwhichdatapasses,isstored,orisprocessedisgiventheclassificationassociatedwiththemostsensitiveclassificationofdatainvolved.If,forexample,aservercontainsrestrictedandpublicdata(whichisneveragoodidea),theserverisclassifiedasrestricted.Youshouldconsiderstrongaccesscontrol(multifactorauthenticationandencryption)forcriticalresources.

Foradetaileddiscussionofaccesscontrol,seeIdentityManagementand

AccessControl(http://bit.ly/2q0unas).DownloadtheUniversitySystemofGeorgiasegregationofdutiesmatrixtemplatefromhttp://bit.ly/2pXCeGFassampletoolforplanningroles.

(d) VulnerabilityIdentification

Youmustknowifyouareopentoattack.Oneofthebestwaystodothisiswithregularvulnerabilityscanning.Nessus,forexample,isanup-to-datetoolwidelyusedtoscannetworksforknownvulnerabilities.Avulnerabilitymanagementprogramalsoincludespenetrationtestingandthird-partysecurity

programreviews.Allofthisbeginswithavulnerabilitymanagementpolicyandassociatedprocedures(downloadpolicytemplatefromhttp://bit.ly/2rjaikx).

Avaluabletoolforknowingwhatvulnerabilitiesyoupotentiallyhavein

houseistheNationalVulnerabilityDatabase(https://nvd.nist.gov/).

Section1.04 SectionSummaryThepurposeofincidentmanagementistoprepareforvarioustypesof

incidentsandthentorespondwhentheyoccur.Incidentmanagementhasfourgoals:

1. Developmentandmanagementofanincidentmanagementpolicyandsupportingprocedures

2. Creation,training,andmanagementofanincidentresponseteam3. Preparation4. Incidentresponsetoreduceorpreventbusinessimpact

Asecurityincidentisanevent,intentionalorunintentional,thatoccurs

outsidewhatisexpectedindailyoperationsthatcannegativelyaffectbusinessprocesses,customers,investors,andemployees.Itisanythingthatcancompromisetheconfidentiality,integrity,oravailabilityofdataorsystemsthatsupportbusinessprocesses

2-1

Section2. RiskManagementManagingriskisthefirststepininformationassurance,anditisacritical

pieceofincidentmanagement.Inbothcases,riskassessmentsandsubsequentriskacceptance,avoidance,transference,ormitigationarethefoundationofpreventingandrespondingtothreatsagents.Iftheincidentresponseteamdoesnotruntheorganization’sinformationriskmanagementprogram,itsmembersshouldatleastbeinvolvedineveryriskassessment.TheformulaicriskmodelIuseforourdiscussionofincidentmanagementrelatedtohumanattacksisshowninFigure1.

Figure1:RiskModel

Section1explainsthreatsandvulnerabilities.InFigure1,thesetofvulnerabilitiesavailabletoenableanattackarecategorizedasopportunity.Theprobabilitythatathreatagentcanorwillsuccessfullytakeadvantageofanopportunitytoreachitsobjectiveisakeycomponentofrisk.Meansaretheskillsnecessarytosuccessfullyreachtheintendedtarget.Ahumanthreatagentisusuallymotivatedbythefinancial,political,orothervalueoftheattacktarget.Naturaldisastersneednomotivation.

Asthestrengthandtestedeffectivenessofcontrolsincrease,meansand

motivationmustalsoincrease.Thisservestoshrinkthenumberofpossiblethreatagents;probabilityofoccurrenceforhumanattackstendstodecrease.Thisdecreaseiscausedbytheincreasedeffort(cost)toreachthetargetandthedecreaseinreturnoninvestmentforthethreatagent.Decreaseinprobabilityisalsorelatedtothedifficultysomethinglikeawormwouldhavespreadingacrossyourorganizationandaffectingavailability,forexample.Ifathreatagent’smotivationishigh,andsheishighlyskilled,alowerbutstillpresentprobabilityofsuccessfulvulnerabilityexploitsexists.

Onceathreatagentgainsentrytoyournetworkoroneofyoursystems,potentialfornegativebusinessimpactarises.AccordingtoGartner(2017),businessimpactincludes“…thepotentialeffects(financial,life/safety,regulatory,legal/contractual,reputationandsoforth)ofnaturalandman-madeeventsonbusinessoperations”(para.1)

Howquicklywedetect,contain,andmanageanattackaffectstheextentof

theimpact.Thisisthepurposeofincidentresponse.Ifyourorganizationhasadocumentedincidentresponseplanandatrainedincidentresponseteam,youcanpreventseriousharmwhentheinevitableintrusionoccurs.

Aswithallsecurityactivities,riskmanagementbeginswithamanagementapprovedandsupportedpolicy.ShonHarrisprovidesagreatarticleaboutwhatgoesintoariskmanagementpolicyathttp://bit.ly/2q9BgHB.

Section2.01 RiskAssessments

Riskmanagementhelpspreventandprepareforincidents.Themostvaluabletoolinthisprocessistheriskassessment.Ariskassessmentlookscloselyateachsystem,theyournetwork,andotherorganizationswhereyourdataisstoredorprocessed.Performriskassessments

• Duringtheinitiationanddevelopment/acquisitionphasesoftheSDLC

(http://bit.ly/2kxni2y)• WhendeemednecessarybyaChangeAdvisoryBoard

(http://bit.ly/2f20um5)• Whennewvulnerabilitiesarediscoveredinyoursystemsornetwork,

orwhenannouncedbyathird-party• Whenthreatintelligencerevealsanewthreat,threatagent,ortools

andtechniques• Atleastonceperyearforsystemstouchinghighlysensitivedataor

supportingcriticalbusinessprocessesAnassessmentconsistsof10stepsdividedintotwophases:PhaseI:Assess

1. Systemdefinition2. Threatidentification3. Vulnerabilityidentification4. Attackpathcontrolsassessment5. Businessimpactanalysis6. Riskdetermination7. ControlsRecommendations

PhaseII:Manage8. Actionplanandproposalcreationandpresentation9. Implementapprovedcontrolsortransferrisk10. Measuretoensurestepstakenworkasexpectedandadjustwhere

necessary

(a) SystemDefinitionSystemdefinitionbeginswithsystemdecomposition.Systemdecomposition

breaksdownasystemintothevariouscomponentsofitsattacksurface(Olzak,2011).Asystemisthecollectionofdevicesandmediausedtoaccess,process,store,andmoveinformationforarelatedsetofbusinessprocesses.Forexample,theinfrastructuresupportingpayrollprocessesisthepayrollsystem.Insomecases,youmightwanttoassessonlypartsofthesystem.However,youshouldassesscompletesystemsatleastannually.

Asystem’sattacksurfaceisnotasinglepiece.Instead,itisanaggregateof

multipleattacksurfaces.Figure2showsaverysimplemodel.Inthismodel,thenetworkattacksurfacecanbefurtherbrokendownintoeachnetworkdevice(switches,routers,firewalls,etc.)andcabling.Thedeviceattacksurfaceincludestheoperatingsystemandapplicationsithosts.Iplacedthedeviceattacksurfaceoverthenetworkattacksurfacebecausetoday’smostpopularanddestructiveattackstargetusersandtheirdevices.

Figure2:AttackSurface

Whenassessingattacksurfaces,considerthefollowing(Olzak,2017)

• Entrypointswherethesystemreceivesinformation.• Exitpointswherethesystemprovidesinformationtoothersystems:

o Directexitpointsexchangeinformationwithexternalsystems.o Indirectexitpointsprovideinformationtodirectexitpoints.

• Datachannels,protocol-enabledpathwaysoverwhichinformationtravels.

• Untrusteddataitems,persistententitiesattackersusetocontrolsystemsorextractdata.Examplesincludecookies,files,maliciousdatabaserecords,andregistryentries.Attackerscauseexitpointstoreadfromuntrusteddataitemsoruseentrypointstowriteintountrusteddataitems(Manadhata,Karabulat,&Wing,n.d.).Theyareusedbythreatagentstoownadeviceorsystem.

Protectinginformationtransitpointsandchannels;anddefendingagainst

untrusteddataitemsrequiresstrongaccessrightsbetweensubjectsandobjects.SeeFigure3.

Figure3:AccessRights

Anyaccessbetweenanobjectandasubjectshouldbecontrolledwithconsistentrightsmanagement.“Accessrightsidentifysubjects,theobjectstheycanaccess,andwhattheycandoafteraccessisgranted”(Olzak,2017).Thisdoesnotjustapplytousersandtheresourcestheyaccess;italsoappliestoapplications,services,protocols,andanythingelsethatattemptstoaccessanobjectforanyreason.

Informationaboutthesystemornetworkassessedcancomefromseveral

sources:

• Existingdocumentation• Interviews• Questionnaires• Networkscans

(b) IdentifyExistingControls

Identifyexistingcontrolsandpotentialvulnerabilitiesbywalkingthroughprobableattackpathsusingnetworkanddataflowdiagramstocreateattacktrees.Anattacktreehelpsvisualizehowathreatagentmightgainaccesstoanintendedtarget.Figure4showsanattacktreewithadatabaseserverasthetarget.Thisexampledoesnotshowallpossibleattackpaths.Foradetaileddescriptionofhowtouseanattacktree,includingaddressingprobabilityofsuccessfulattacks,seeRiskManagement(http://bit.ly/2rCPNM7).

Figure4:AttackTree

Inadditiontoattacktrees,Irecommendcreatingacontrolsmatrix.A

controlsmatrixlistsallcontrolsimplemented,howtheyareconfigured,andwhattheyprotect.Figure5isascreenshotofacontrolsmatrixtemplateyoucandownloadfromhttp://bit.ly/2pVWAV3.SeeUseasecuritycontrolsmatrixtojustifycontrolsandreducecosts(http://tek.io/2pWwnFA)foradetailedexplanationonhowtousethematrix.

Figure5:ControlsMatrix

(c) BusinessImpactAnalysis(BIA)andCalculatingRiskUseaBIAtodeterminetheseverityofthenegativeimpactonabusinessifan

incidentoccurs.Manyvariablesaffectbusinessimpact,including(Olzak,2012)

• Maximumtolerabledowntime(http://tek.io/2rDmgC5)• Impactonemployees• Impactoninvestors• Impactoncustomers• Impactoncurrentandfutureearningspotential• Sanctionsduetonon-compliancewithregulatoryrequirements

ABIAcanbequalitativeorquantitative.HowyouapproachtheBIAaffects

howyouapproachanoverallriskassessment.Aquantitativeassessmentusesactualdollaramountstoestimatebusinessimpact.Aqualitativeassessmentusessometypeofscaletoestimatedamage.Hybridanalysisisacombinationofthequantitativeandqualitativeapproaches.Aqualitativeriskcalculator,downloadablefromhttp://bit.ly/2pYNh6r,isshowninFigure6.Thiscalculatorisjustoneapproachtoqualitativeassessments,whichareeducatedguessesbasedonexperienceandcollaboration.Foradetaileddiscussionofriskassessments,seeRiskManagement(http://bit.ly/2rCPNM7).

Ifyouchoosetodownloadthecalculator,theSystemSensitivitycellsare

linkedtoaworksheetthatcalculatesthisvalue.Theyellowcolumnalsocontainsaformula.Otherworksheetsprovideguidelinesforscoringtheothercolumns.Changethesetoconformtoyourbusinessoperations,securityframework,andmanagement’sappetiteforrisk.Andremember,athreatagentusuallymustbypasstwoormorevulnerabilitiestoreachthetarget.

Figure6:QualitativeRiskCalculator

ApproachestoperformingaBIAdifferbetweenorganizations.However,we

mustalwaysfocusonthesamethingsregardlessofhowourprocedureslook.AccordingtoRoss(2010),avoidthefollowing10BIAmistakes:

1. Consideringtheimpactofinterruptedapplications,notbusiness

processes.Remember,theimpactistobusinessoperationsifasystemisnotavailableduetocompromiseorfailure.Unavailabilityimpactsbusinessprocessesthatfeedandusethefailedsystem.Ifyoutakeyourorderentrysystemofflinebecauseofanattack,forexample,noproductships.Customersarenothappy,andrevenueislost.

2. Consideringapplicationsinisolation.Again,fewapplicationsoperateinisolation.Mostshareinformationwithotherapplicationsthatenablemultiplebusinessprocesses.WhenperformingaBIAforasystemoranetworkdevice,lookatallaffectedsystemsandrelatedprocesses.

3. Payingtoolittleattentiontofinancialimpact.Financialimpactisameasureofhowanincidentaffectsyourorganization’sbottomlineonaprofitandlossstatement.Thisincludesallcosts,including

a. Lossofshorttermrevenueb. Regulatoryfinesc. Civilactionbycustomers,shareholders,etc.d. Identitytheftmanagemente. Costofrecoveryf. etc.

Costsassociatedwithanincidentmustbecalculatedwiththehelpofallaffectedareasofthebusiness.Thisisnecessaryevenifyouuseaqualitativeorhybridapproachtoyouranalysis.

4. Payingtoomuchattentiontofinancialimpact.Inadditiontoharddollarcosts,othercostsaffectthelong-termhealthofabusinessfollowinganincident,includinglossofreputationandcustomerconfidence;andlossofcompetitiveadvantage,especiallywhenintellectualpropertyisinvolved.

5. Failingtodistinguishenterpriseapplications.Applicationsthatservetheentireorganizationfallintothiscategory.Examplesincludelegalanddocumentmanagementsystems.

6. Failingtorecognizedatacenterapplications.Systems/solutionsonlyusedbyITareoftenignoredduringriskassessments.Besureyouincludetheseinyourassessments.

7. ConfusingariskassessmentwithaBIA.ABIAisasubsetofariskassessment,butitcanstandonitsown.Evenifyouhavenoideawhatmightcausetheunavailabilityofasystemorbusinessprocess,aBIAissomethingtoconsider:atleasttoestablishvaluetotheorganization.

8. Confusingriskacceptancewithabusinessimpactanalysis.DonotallowbusinessmanagerstosimplyacceptriskbecausetheydonotwanttospendthetimeworkingwithyoutocreateaBIA.ThisisonemoreinstancewheresupportofC-levelmanagementforincidentmanagementisirreplaceable.

9. Pre-determiningBIAresults.RosswritesthatabusinessmanagercancorrectlyestimatelosswithoutaformalBIAabout80percentofthetime.Thisisthesameassayingthatoneinfivebusinessprocessesorapplicationsisinaccuratelyanalyzed.Evenwhenpursuingaqualitativeanalysis,itisimportanttotaketimetowalkthroughestimatedcosts.

10. BackingintoaBIAresult.Sometimes,managerschoosetounderstatethefinancial,reputational,andoperationalimpactofanincidentbecausetheperceivedimpactistoohigh.Thisunderminestheabilitytoeffectivelyprepareforandmanageincidents.

(d) RiskManagementRecommendations

Howyoumanageriskislargelydeterminedbymanagement’sriskappetite:thelevelofriskmanagersarewillingtoassumetoachievebusinessobjectives.Partofcreatinganincidentmanagementprogramismeetingwiththeorganization’sbusinessriskmanagementteamorseniormanagementtounderstandacceptablelevelsofrisk.Thishelpsprovideworkablerecommendationsatthispointintheriskassessment.

Onceweknowtherisk,recommendoneofthefollowing:

• Accepttherisk.Ifthecostoftheriskislowerthananymitigationortransfersolutionsavailable,weusuallyrecommendriskacceptance.

• Mitigatetherisk.Ifthecostofriskishigherthanthecostofmitigationsolutions,weusuallyrecommendmitigation.Recommendingmitigationrequiresadetailedanalysisofourexistingcontrolstodetermineiftheycanbereconfiguredtoreducerisk.Italsorequiresanalysisregardinghowwemightusefewernewcontrolsbyintegratingthemintotheexistingframework.Inotherwords,neversimplythrownewcontrolsatriskwithoutathoroughanalysisofwhatyouhaveandwhatyouneed.Finally,anycontrolswerecommendshouldbereasonableandappropriateforbusinessoperation.

• Transfertherisk.Transferringrisktypicallymeanspurchasingincidentlossinsurance.Manyinsurancecarriersnowofferthis.Purchasinginsurancemightbesomethingdoneinadditiontomitigation.Forexample,youmightpurchaseinsurancetocovercostsassociatedwithcustomeridentitytheftprotectioninadditiontoimplementingadditionaltechnicalcontrols.Together,transferenceandmitigationworktoreducerisktoacceptablelevels.

• Avoidtherisk.Sometimes,riskisavoidedbysimplynotdoingsomethingbyremovingexistingprocedures/technologyorbynotimplementinganewsolution.Inmyyearsasadirectorofsecurity,managementchosetoavoidriskonlyonce.Nevercountonavoidance.Ourjobassecurityprofessionalsistofindwaystosafelyenablesolutionsthatmanagementdeemsnecessarytoreachtheorganization’sobjectives.

(e) ResultsDocumentationandPresentation

Providedetaileddocumentationforhowyouconductedtheassessmentandyourresults.Thedetailshelptheriskmitigationteambemoreeffective.TheNISTRiskManagementGuideforInformationTechnologySystems,SP800-30(http://bit.ly/2rLdVfJ)providesanexcellenttemplate.However,detailsaresomethingmanagementusuallydoesnotcareabout.Theyonlywanttoseetherisksandwhatyoubelieveneedstobedonetomanagetherisks.

Inadditiontoadetailedassessmentdocumentandatechnicalpresentation,

createapresentationformanagement.Thispresentationprovidesahigh-levelexplanationofwhatyoudidandtherisksdiscovered.Attheopeningofthepresentation,lettheattendeesknowyouwantthemtodecideonyourrecommendations.Beclearabouthowyourrecommendationsarefinanciallyandoperationallyreasonableandappropriate.

Thefinaldocumentresultingfromanassessmentistheactionplan.The

actionplanistheresultofmanagement’sapprovalofyourrecommendations.It

includeswhatistobedone,whoisresponsible,andstatus.Youcandownloadfromhttp://bit.ly/2rtKAtTthetemplateIuse.


Incidentmanagementisinseparablefromriskmanagement.Inadditiontocreatingandpracticingaresponseplan,theincidentmanagementteamshouldbeinvolvedineveryriskassessment.Inmyopinion,theteamshouldmanagetheassessmentsaspartoftheirday-to-dayoperations.

Riskisassessedbyfirstunderstandingthesystemornetworkanalyzedand

thenwalkingthroughallpotentialthreatpaths.Thisshouldoccurwhenanewthreatemergesorwhennewvulnerabilitiesarediscovered.Inanycase,riskassessmentsforcriticalsystemsandsensitivedatashouldhappenatleastannually.

Yourriskmanagementrecommendationsmustbereasonableand

appropriatefortheorganization’sbudgetandoperations.Managementmustseetheshort-andlong-termfinancialandnon-financialimpactofsimplyacceptingrisk:orworse,doingnothing.

3-1

Section3. TeamCreationandPlanning

Inthissection,Iwalkthroughdetailsofcreatingandmanaginganincidentresponseteamandplan.Thepurposeoftheplanisto

• Rapidlydetectanomalousnetwork,system,ordevicebehavior

(situationalawareness)• Minimizelossanddestruction• Mitigateexploitedweaknesses• Restoreservices• Gatherforensicevidencewhenreasonableandappropriate

CarnegieMellon’sincidentresponseplanisagoodstartforanyorganization.

Itisavailablefordownloadathttp://bit.ly/2s7fCEn.

Section3.01 TheTeamBeforeplanningstarts,youneedanincidentresponseteam.AsIwrotein

Section2,thisteamisresponsibleformorethansimplyrespondingtoincidents.Ithasaroleinallriskmanagement,incidentprevention,andincidentpreparationactivities.Consequently,theteammakeupmustincluderepresentativesfromalltechnicalteams,organizationoperationsteams,andotherrelevantstakeholders.

(a) ComputerSecurityIncidentResponseTeam(CSIRT)Membership

Thefollowinglistofteammembersisgeneralandonlyastart.Eachorganizationisunique,andthemakeupoftheteamdependsonwhommustbeinvolvedtoensureeffectiveincidentmanagement.

• Incidentmanager• Securityanalyst• Computerforensicsinvestigator• Serverengineer• Networkengineer• Serveradministrator• Networkadministrator• Businessanalystforeachdepartment/lineofbusiness• Softwaredeveloper• Datacenteroperator• Insidelegalcounsel• Humanresources• Publicrelations

Dependingontheorganization,someofthesemembersmightbeoutsidesupportvendors.AllCSIRTmembersshouldparticipateinpreparationandplanning.

Theseteammembersserveasteamleadsintheirrespectiveareas.Whenan

incidentoccurs,youwilllikelyneedmorethanonenetworkengineer,forexample.Also,considertrainingtwoindividualsforeachteamrole:aprimaryandasecondary.Theprimarymightnotalwaysbeavailableduringanincident.

Identifyasubsetoftheteamasyourinitialresponders.Theinitialresponse

team,includinganon-callresponder,performthefirstresponsestepsasdescribedlaterinthissectionandinSection5.

Onesetofmembers,thebusinessanalysts,actasbridgesbetweentheCSIRTandthebusinessdepartmentsandlinesofbusiness.Inlargerorganizations,thesepositionsalreadyexist,providingday-to-dayprojectandITsupportfunctionstoensuretechnologyeffectivelysupportseachdepartment,linesofbusiness,andoveralltacticalandstrategicobjectives.Businessanalysisareoftenmissinginsmallerorganizations.Insuchcases,arepresentativefromeachdepartmentandeachlineofbusinessisanecessaryalternative.ThebusinessanalystorbusinessrepresentativeisthepointofcommunicationbetweentheCSIRTandthebusiness.Thisisanirreplaceableandcriticalpartofplanning,preparation,andresponse.

OnceanincidentresponsepolicycreatestheCSIRT,theteambeginscreating

plansandprocedurestomeetitsresponsibilities.

(b) CSIRTResponsibilitiesManypeoplebelievetheCSIRTsitsaroundwaitingforthenextincident.Not

true.Theincidentresponseteamisresponsiblefor

• Riskmanagement.AsshowninSection2,theCSIRTiseitherdirectlyresponsibleformanaginginformationresourceriskorprovidessupportforthosewhoare.

• Incidentpreventionandpreparation.Conductingorparticipatinginpenetrationtestsandvulnerabilitymanagementisagoodstart.TheCSIRTshouldalsobeinvolvedinthechangemanagementprocess.ThisensurestheriskmanagementcontrolsandproceduresidentifiedintheSDLCandriskassessmentsaremaintainedinawaythatsupportsincidentmanagement.

• Newthreatandvulnerabilityadvisorydistribution.Threatintelligenceandvulnerabilityresearchdailyrevealnewwaysattackerstrytoattackyourorganization.TheCSIRTisresponsibleforidentifyingnewthreatsandvulnerabilities,performinganalysistodetermineassociatedrisktotheorganization,anddistributingthisinformationtoappropriateITandbusinessteams.

• Incidentdetectionandresponse.TheCSIRTisresponsibleformonitoringforandassessinganomalousbehaviorofsystems,devices,networks,andusers.TheCSIRTdeclaresincidentswhenappropriateandexecutestheincidentresponseplan.

• Educationandawareness.Educatingemployeesabouttheimportanceofsafeuseofinformationresources,policycompliance,andregulatorycomplianceshouldalreadybehappeningwithinyourorganization.However,manyorganizationsdonotaddressintrainingsessionswhatbusinessemployees,ITstaff,andmanagersshoulddoiftheysuspectanincidentorifnotifiedofone.Thisisabigmiss.TheCSIRTshouldmanagesecuritytrainingandawarenessorbedirectlyinvolvedincontentanddelivery,includinghowtoreportanomalousbehavior.

• Informationsharing.Whetheranattackissuccessfulornot,considersharingallinformationgatheredduringinitialandincidentresponseanalysiswithbothinternalandexternalentities,including

o Stakeholderso Regionalandstatelawenforcementagencieso Federalagencieso Interestandindustrygroups

Inadditiontoincidentinformation,shareincidentmanagementfindingsaboutthreats,risks,andotherincidentrelated.Thisallowsabroaddefenseagainstthreatagents.

(c) CSIRTResponseToolsandResourcesPartofplanningandpreparingisputtingtogetherasetoftoolsand

supportingresourcesthatenabletheCSIRTwhenanincidentoccurs,includingacommandcenter;jumpkit;forensicslab(commonlyoutsourced);incidentresponseformswithdocumentedproceduresandchecklists;andexternalresourcecontacts.

(i) CommandcenterWhenanincidentoccursrequiringmorethanquickeradicationand

recovery,theCSIRTwillgatherinacentrallocationforanalysis,informationsharing,andleadership.Thiscommandcenterisusuallyapreviouslydesignatedconferenceroomortrainingfacilitywithminimally

• Whiteboardsandmarkers• Speakerphones• Multipletablesforteamandsub-teamcoordinationandinformationsharing• Hardwiredconnectiontotheinternalnetwork• IsolatedaccesspathtotheInternetforresearch,support,andreporting

Thecommandcenteristhecentralpointofresponsecommunicationandoperations.Itiswheretheteamandotherswillfindtheincidentmanager.Itisalsowhereallincidentactivitycoordinationandloggingtakeplace.

(ii) JumpkitAjumpkitisaforensicsbagoftoolsarespondercanquicklygrabandhead

outthedoor.Itshouldcontaineverythingnecessaryforatleastinitialresponseevidencepreservation,asdescribedinSection5,including

1. Journalfortakingnotes(who,what,when,where,how,andwhy)abouteveryfacetoftheincident,includingphysicalaccess

2. ContactlistforallCSIRTmembersandexternalsupport3. Up-to-dateantimalwareonUSBdriveorCD4. Crimescenetape(http://amzn.to/2qgV1Nu)5. Ducttapeorotheradhesive6. Evidencebags(http://amzn.to/2rUBqTE)7. Faradaybagsforimmediatecollectionofcellphones,tablets,andother

wirelessmobiledevices(http://amzn.to/2qkFuuZ)8. Evidencetags(http://amzn.to/2rAhwAK)9. Chainofcustodyforms(http://bit.ly/2qkzr9K)10. Digitalcamerawithextrabatteries11. Sketchbookwithpencilsandpencilsharpener12. Alaptopwithanindustryandjudiciallyacceptable(standsupincourt)

forensicssolution,suchasEnCase(http://bit.ly/1SRrdxM)13. Harddriveduplicatorwithwrite-blockcapabilities

(http://amzn.to/2rAAJSX)14. Miscellaneouscables,connectors,adaptors,etc.

Thecontentsofyourjumpkitwillvaryfromthislistdependingonwhether

yourin-houseteamperformsdetailedforensicsactivitiesorwhetheryououtsourcethem.Attheveryleast,yourkitshouldcontainitems1through11inthelistabove.

(iii) ForensicslabNoteveryorganizationneedsaforensicslab.Iworkedforalarge

organization,andwedidnothaveone.Instead,weoutsourcedforensicsanalysiswhenneeded.However,Iprovideadescriptionofwhatalabshouldincludeforthoseorganizationsdecidingtoretainthisfunctioninhouse.Youcanalsousethislistwhenassessingthecredibilityandeffectivenessofapotentialforensicsvendor.

• Strongaccesscontroltothelabthatminimallyincludesloggingauthorizedpersonnelwhoenterandwhen

• Aserverfororganizingandretaininginvestigationresults(notconnectedtotheInternet)

• Alabnetworkisolated(preferablyairgapped)fromtheorganization’snetworkwithanInternetconnectionseparatefromtherestofthe

organizationandthelabadministrativenetwork(Internetconnectionshouldbeonlyforadministrativesystems,neverforsystemsusedforevidenceanalysisorthatareevidencethemselves)

• AdministrativesystemsforInternetaccessandlabmanagementfunctions,connectedtoanetworkisolatedfromanalysissystems

• Systemsforanalysis(virtualisagoodidea)runningvariousoperatingsystems:

o Windowsdesktopo WindowsServero MacOSo Linux

• Driveduplicatorswithwriteblockers• Readersforvarioustypesofmedia(e.g.,SIMsandflashmemory)• Mediawipingequipment• Assortmentofdrivecables• Miscellaneouscablesandadapters• Varietyofdrivesofdifferenttypes• Acceptedforensicssoftware,suchasEnCaseandForensicsToolKit

(http://bit.ly/2qnSYX6)runningonnon-adminlabsystems• Securablephysicalstorageforseparatingandmaintainingevidencechainof

custody• Videooraudioequipmentforrecordingfindings,evidence,etc.• JumpKit(seeJumpkitabove)• Certifiedcomputerforensicsinvestigators

(iv) ProceduresandchecklistsSpecificprocedurecontentisuniquetoyourorganization,soIdonotgointo

muchdetail.However,Iprovideanincidentchecklist(Figure7)withrecommendationsforhowtoprepareforeachlineitem.Youcandownloadthechecklistfromhttp://bit.ly/2qfUZtk.Thischecklistformsthebasisforyourresponseplan.

Figure7:IncidentHandlingChecklist

Section3.02 ThePlan

Planningbeginsbyworkingwithallstakeholderstodevelopanoverallapproachtopreparingforandrespondingtoanincident.Thediscussionthatfollowsisageneraloverview.Yourplansshouldincludevariousattackscenariosthataffecthowyouapproachplanningandpreparedness.AppendixAoftheNISTComputerSecurityIncidentHandlingGuideSP800-61r2(http://bit.ly/1MYR74v)providesagoodsetofscenarios.

Iapproachplanningbypreparingtoexecuteeachofthe10stepsinthe

matrixinFigure7.Thisensureseverystepisthoughtthrough,documented,andpracticed.

(a) Step1:Begindocumentationandpotentialevidencepreservation

Providetheon-callresponderwiththemeanstoimmediatelybegincreatinganincidentlog.Thismightbeadocument,spreadsheet,orothertemplatealreadypreparedandreadyforuse.Further,proceduresandanassociatedcontactlistisnecessarytobeginpreservingevidenceinthedatacenter,intheoffice,oratremotelocations.InitialresponseevidencepreservationrequirestrainingforbusinessmanagersandITpersonnel.Youdonotwanttheon-callrespondertotaketimedetailingpreservationsteps.

(b) Step2:DetermineifincidenthasoccurredToolsshouldbeinplacetoenableimmediatereviewofprecursorsand

indicators.Precursorsarelogorothereventsthatoccurbeforeanincident.They

provideinsightintothepotentialforanattack.Thesemightincludesocialengineeringattempts,phishingemails,unusualnetworkorsystemactivity,etc.

Indicatorsareevidencethatanattackisinprogress.Correlatedlogentries

areagoodwaytoidentifyindicatorpatternsofcertaintypesofattacks,includingunexpectedmovementofdata,unexpecteduseraccesstoresources,unauthorizedlogmodifications,unusual/specificactivityatthefirewallorIPS,etc.

Crestprovidesagreatdocumentforhowtoconfigureandmanageincident

managementloggingathttp://bit.ly/2qjOP7p.CrowdStrikeprovidesadetailedlookatindicatorsathttp://bit.ly/2rUDYC8.

Oncetherespondergatherstheprecursorsandindicators,heshould

researchhisfindingsusingaknowledgebaseortheInternet.Researchsitesshouldalreadybeidentifiedforquickaccess.Thisresearchprovidesinsightintowhatishappeningandnextsteps.Resourcesinclude

• Yourantimalware,IPS,andSIEMvendors• US-CERT(https://www.us-cert.gov/ncas)• SANSInternetStormCenter(https://isc.sans.edu/dashboard.html)• Fee-basedcyberattackintelligenceservices

Thisstepshouldbecompletedinminutes.Thelongerittakestodeclarean

incident,thelargertheimpact.

(c) Step3:PrioritizetheincidentNotallincidentsarethesame.Somemightberemediatedinminutes.Others

mighttakedays,andthepotentialimpactacrossincidentsdiffers.Howtorespondtoeachincident,ortomultipleincidentsatthesametime,requiresprioritization.Prioritizationaffectswhoiscontactedandhowresponseisinitiated.

Yourplanmustincludeaquickguideforhowtoprioritizeincidents.Theon-

callresponderandinitialresponseteammustquicklyassesstheseriousnessoftheincidentand,again,decidewithinminuteshowtoproceed.

Usingaprioritizationmatrixisoneapproach.Useofamatrixbeginswith

prioritizingtheurgencyandimpactoftheincident.Table1belowisatemplateshowingwhatthismightlooklike(Wikipedia,2017).Thisapproachprioritizesanincidentbasedonoverallimpactontheorganizationandhowfastthatimpactmightoccur.YoucandownloadthistemplateandthetemplatesforTables2and3fromhttp://bit.ly/2qWEqkU.

Table1:PrioritizationCategories

Table2istheactualmatrixusedtodeterminethepriorityoftheincident.

Table3providesguidanceonhowquicklytorespondandtheexpectedrecoveryperiod.Noneofthisinformationislikelytobeaperfectfitforyourorganization.Adjustingthedownloadabletablesisthefirststepinintegratingthisintoyourresponseplan.TheadjustmentprocessrequiresclosecollaborationwithbusinessrepresentativesandITtoensurereasonableandappropriateresponseexpectations.

Table2:IncidentPrioritizationMatrix

Table3:IncidentPriorities

Finally,thematrixisagoodgeneralapproach,butyouwillnotalwaysneedit

ifcertaintypesofincidentsoccur.Workingcloselywiththebusinessduringresponseplanning,youshouldquicklyknowwhenaresponseiscriticalbecauseofthebusinessservicesorprocessesaffected.Oneorbothofthefollowingconditionswillusuallyresultinahighpriorityresponse(Wikipedia,2017):

• Certain(groupsof)business-criticalservices,applicationsorinfrastructure

componentsareunavailableandtheestimatedtimeforrecoveryisunknownorexceedinglylong(specifyservices,applicationsorinfrastructurecomponents,e.g.,thecustomerfacingorderentrywebsiteisdown)

• Certain(groupsof)VitalBusinessFunctions(business-criticalprocesses)areaffectedandtheestimatedtimeforrestoringtheseprocessestofulloperatingstatusisunknownorexceedinglylong(specifybusiness-criticalprocesses,e.g.payrollduringapayrollcycle)

Aspartofthisstep,beginaggressivesituationalawarenessactivities.

Situationalawareness(SA)istheabilitytounderstandthecurrentstateofasystemandwhathaschanged.SAisacontinuousprocesssupportedbysolutionslikesecurityinformationandeventmanagement(http://bit.ly/2qHKiyh);andidentitygovernanceandadministration(http://bit.ly/2qa1cCR).WithoutSA,youcanneverquicklydetectunwantedbehaviorandrespondbeforeyourorganizationsuffersseriousdamage,norcanyoueffectivelymanageanincidentinprogress.

(d) Step4:ReportincidentasspecifiedintheincidentresponsecommunicationsplanOnceyoudetermineanincidentisinprogressorhasoccurred,

communicatingwhatyouknowandwhatyouaredoingaboutittotherightpeopleisimportant.CommunicationincludestherestoftheCSIRT,previouslyidentifiedmanagers,andexternalsupportorganizations.Figure8(Cichonski,Millar,Grance,&Scarfone,2012)depictsexternalentitiesnormallyincludedinacommunicationplan.

Figure8:ExternalCommunication

Howandwheneachoftheseentitiesisinformedisuptoyourteam’spublicrelations(PR)representativeandC-levelmanagement.Asaresponder,yourresponsibilityshouldbetoinformyourPRteammemberandmembersofthemanagementteamlistedinyourcommunicationplan.Inaddition,bringinginthenecessarysoftwareandsupportvendorsisincidentmanager’sresponsibility.WhenapprovedbyPRormanagement,theCSIRTwillcommunicatedirectlywithexternalteamswithinguidelinesdocumentedinthecommunicationsplan.

Communicationdoesnotstartwithanincident.Rather,theCSIRTshould

haveanongoingworkingrelationshipwithalloutsideentitiesaspartofincidentpreparation.Whencontacted,externalteamsshouldalreadyhavefamiliaritywithyourorganizationandyourteam.Theyshouldhavebeeninvolvedinincidentresponseexercises.Nooneshouldhavetoaskquestionsthatarenotspecifictotheincidentanditscharacteristics.Again,timeiscritical.

Structuredguidelinesforcreatinganincidentresponsecommunicationplan

areavailablefordownloadfromhttp://bit.ly/2qu6jwZ.

(e) Step5:ObtainmanagementdecisionaboutforensicspreservationandcollectionMostincidentresponseguidancerequirespreservationofevidence.Inmy

experience,thisisasecondaryconsiderationformanagement.Whatmanagementwantsisaquickreturntonormaloperationwhilemitigatingbusinessimpact.Thisdoesnotmeanyoushouldnotbepreparedforevidencegathering,buttherecomesapointintheresponsewhenmanagementshoulddecidewhethercollectingevidenceismoreimportantthanrecovery.

Asyoureadearlier,weimmediatelyassumewhenanincidentoccursthatwe

mustpreserveallevidence.Thismindsetmustcontinueuntilmanagementdecidesotherwise.Includeinincidentplanningwhatisneededtounderstandwhathappenedandhowwithoutmajorrecoverydelays.

Continuous,comprehensivelogging;eventcorrelation;andretentionand

protectionoftheresultsusuallyprovidewhatweneedatthepostincidentrootcauseandactionplancreationmeetings.Theinformationalsoprovidesfirststepsforlawenforcementifapathtoprosecutionistaken.

Inadditiontologs,wecanalsoseizerelevantuserdeviceswithouta

significantdelayinrecovery.Ifwevirtualizeourservers,previousresponseplanningcanallowisolationandpreservationoftheincident-relatedserverswhilebringingupreplacementvirtualserverstorestorebusinessoperations.

Ifwethinkthroughallprobablescenariosduringplanning,evidence

collectionisoftenpossiblewithwhatmanagementmightconsiderreasonableimpactonthebottomline.Besuretoincludeforensicsconsiderationsinyourpreparationactivities.

(f) Step6:Acquire,preserve,anddocumentevidenceasdirectedinStep5

IfyourCSIRThasitsjumpkitandinternal/externalforensicslab,itisreadytotakeonthisstep.Also,partofplanningisensuringyourforensicsinvestigatorsarecertifiedandabletocollect,analyze,andprotectevidencesotheresultsstandupinacourtoflaw.SeeSection5.

(g) Step7:Containtheincident

Containmentisthemostimportantpartoflossminimizationandevidencepreservation.Forphysicalattacks,thistranslatesintodelayinganattackerlongenoughforlawenforcementorotherhumanintervention.Containmentforlogicalattacksrequiresisolationoftheaffectedsystemsandnetworksegments.Isolationprotectsuninfectedsystemsduringmalwareattacksandhelpspreventacybercriminalfromextractingdataduringabreach.Italsohelpspreventunwantedalterationofdigitalevidence.

Althoughcontainmentinvolvesprocessesuniquetoeachincident,theoverall

approachtocontainmentisstrategic.Itis“…afunctionthatassiststolimitandpreventfurtherdamagefromhappeningalongwithensuringthatthereisnodestructionofforensicevidencethatmay[sic]beneededforlegalactionsagainsttheattackers”(InfoSecNirvana,2015).Usingscenarioplanning,assesstheneedforcontainment,howcontainmentisachieved,andwhatyoumustdopriortoanincidenttoprepare.

(i) PhysicalincidentsIdonotspendmuchtimeonphysicalincidentsinthisguide.However,a

brieflookatphysicalincidentsisimportant.Sometimes,aphysicalintrusionprecedesalogicalattack.Also,adeviceonyournetworkmightbeusedtolaunchorfurtheranattackagainstyourorganizationoroneremoteontheInternet.

Thepurposeofphysicalsecurityisfirsttodeterintruderswithfences,

guards,signs,etc.Second,wedelayintrudersbyplacinglayersofbarriersbetweenthemandthetargets.Examplesofbarriersincludegates,fences,walls,andlocks.Thelengthofrequireddelaydependsontheresponsetimeforarrestingorotherwiseinterveningtostoptheintrusion.

Barriersalonearenotenough.SAalsoappliestophysicalattacks.Alarms,

cameras,andothertypesofsensorshelptrackandapprehendanintruder.Also,containingacrimesceneandrelatedevidenceisnecessaryifmanagementdecidestoprosecute.Ifadeviceorsystemisusedforanattackoristhetargetofanattack,ensurebarriers(crimescenetapeandhumanoversight)preventaccessbyanyonenotdirectlyinvolvedintheresponseprocess.

Foradetailedlookatphysicalsecurityforprotectingyourinformation

resources,seePhysicalSecurity:Managingtheintruder(http://bit.ly/2q9I7AV).

(ii) LogicalincidentsContaininglogicalincidentsrequiresaddressingisolationalternativesduring

theSDLCandallriskassessments.Ifwehavenotplannedforisolation,weenduprunningthroughthedatacenterunpluggingcables(hopefullylabeledcables),hopingforthebest.Ifyouhaveeverdonethis,youknowisolationisiffyandrecoverycantakelonger.

OneofthemosteffectivemethodsofisolationisuseofVLANs.Inadditionto

controllingday-to-dayaccess,VLANsprovidethesegmentationanddeviceisolationneededtoprevent,deter,andcontainanattack.SeeVLANNetworkSegmentationandSecurity(http://bit.ly/2ggAuVA).

Figure9showsanetworksegmentedwithVLANs.Alldatabaseserversare

onasingleVLAN,withusersandapplicationserversonanother.AllexternaltrafficarrivesandexitsonotherVLANs.VLANsareconfiguredtopreventdevicesonthesameVLANfromcommunicatingwitheachotherunlessexplicitlyallowed,sosomeisolationisalreadybuiltin.Thisisasimpleexample.Intherealworld,Iwouldlikelyseparatesensitivedata,publicdata,controldata,anddifferentbusinessprocessesontodifferentVLANs.

Figure9showshoweasyitwouldbetoisolatevarioussegmentsofthe

networkbyreconfiguringoneortwoswitches.Segmentationisalsopossibleusingroutersinadditiontoswitches.Segmentationstronglysupportscontainmentwhetheryouoperateinatraditional,virtual,orhybridenvironment.

Figure9:VLANSegmentation(Olzak,2012(April))

Quickcontainmentusingnetworkdevicesrequirespreconfiguredreconfigurationsstoredandeasilyaccessedbytheresponseteam.Thisallowsforrapidisolationoncethethreatagent’sactionsareanalyzed.Onewaytoensurefastreconfigurationacrossallrelevantdevicesiswithasoftwaredefinednetworksolution(http://bit.ly/2q7lwsq).

Forend-userdevices,themosteffectiveisolationapproachisunplugging

themfromthenetwork.Placecellphones,tablets,andothermobilecellularaccessdevicesinFaradaybags.Donotpowerthemoff.HaveaplaninplacetoblockaffecteduserdevicesfromconnectiontowirelessaccesspointsiftoolargetoplaceinFaradayprotection.

YourcontainmentapproachshouldenabletheCSIRTtostopdataextrusion

orthespreadoftheattackquicklyandasnarrowlyasisreasonableandappropriateforbusinessoperationsandrisk.Howyoudothisisuniquetothecombinationofyourtechnology,yourbudget,legalramifications,andmanagement’sappetiteforrisk.

(h) Steps8&9:EradicatetheIncidentandRecover

Stepstakentoeradicateanincidentdependonthetypeofincidentandthetoolsandtechniquesusedbytheattacker.Scenarioplanningandcomprehensivethreatintelligenceensureyouidentifyallmalware,untrusteddataitems,inappropriatematerials,unwantedregistryentries,etc.

(i) EliminateexploitedvulnerabilitiesThefirststepineradicationismakingsuretheincidentdoesnothappen

againinthesameway.Achievingthisrequireseliminationofthevulnerabilitiesexploitedbythethreatagent.Identificationofthesevulnerabilitiesshouldbeapparentthroughestablishedthreatintelligenceresearchandresultsfromyourlogmanagementsolution.

Anexpeditiousprocessforfixingvulnerabilitiesisalreadypartofawell-

designedchangemanagementprocess.Patchesandreconfigurationofcontrolsorsystemsarequicklyassessed,documented,andappliedwithoutgoingthroughcompletechangemanagementsignoff.

Ifyoumakeachangethatdoesnotworkasexpected,reverseitbeforetrying

somethingelse.Donotthrowmultiplechangesattheincidentwithoutanalysisofwhatworks,whatdoesnotwork,andremovalofanythingnolongerneeded.Otherwise,youwillnotknowwhatactuallysavedyourorganization.Further,post-incidentcleanupwilltakemuchlongerthannecessary.

(ii) RemovetheunwantedThemosteffective,andoftenquickest,approachtoeradicationonuser

devicesisacompletewipeandreinstall.Inmanyincidents,thisistheonlywaytobecertainallunwantedentitiesareremovedfromaffecteddevices.Planningforthisrequirescreationofuserdeviceimages,includingdifferentconfigurationsbasedonlineofbusiness,department,businessrole,etc.Imagecreationispartofincidentplanningandpreparation.Initially,thiscanbeverytimeconsuming.Oncedone,however,includingimagemanagementinthechangemanagementproceduresmakeskeepingimagesuptodaterelativelyeasy.

Usingserverimagesisalsoeffective,butusingvirtualizedserversor

containersforyourcriticalserversisoftenabetteroption.Bringingupavirtualmachinetoreplaceaserverisolatedinanincidentquicklyachievesbotheradicationandrecoveryforthatserverandsupportedbusinessprocesses.Beforeplacingnewserversinproduction,besuretoeliminateanyidentifiedvulnerabilitiesfoundinthecompromisedservers.

Finally,weneedtoensuredataintegrityandtheabsenceofuntrusteddata

objectsinourdatabasesandonourfileservers.Thefirstpreparationstepispreventionofintegritycompromisewithstrongauthenticationandauthorizationcontrols.Next,backupandbackupoften.Yourbackuptimelineshouldrepresentthelongestyouwanttobedownfollowinganykindofbusinesscontinuityevent(http://bit.ly/2rakdXj).Protectbackupsfromanytypeofincidentthatmightoccuratanyfacility.Thisusuallymeansretainingthemoffsiteorinthecloud.

Clouddatabasebackupservices,likethoseprovidedbyMicrosoft

(http://bit.ly/2rcjXJ4),Oracle(http://bit.ly/1N3eQ3j),andothercloudservice

providersenablebothdatabaseandflatfilebackupsthatprovidedataintegrityandreasonablerecoverytimes.SolutionslikeCarbonite(http://bit.ly/2bj85fH)canprotecteventhesmallestbusinesswithoffsite,protecteddata.However,fasterrecoverytimesforyourmosttimesensitivebusinessprocessesmightrequiremaintainingsynchronizeddatabaseserversatacolocation(co-lo)orinthecloud.

Aco-loisadatacenterplacedatleast25milesfromyourprimarydata

centerthatcontainsinfrastructuresupportingyourcriticalbusinessprocesses.Fordisasterrecoverypurposes,yourco-loanddatacentershouldbeindifferentpowergrids,floodplains,weathercorridors,etc.Forattackpurposes,theconnectionbetweentheco-loanddatacentermustbetightlycontrolled.Considerallowingnoremoteuseraccessunlessthedatacenteroroneofthecriticalsystemsbecomesunavailable.

Synchronizedatabetweentheco-loanddatacentersothatasimplechange

toDNS,VPN,orotherremoteaccessmethodsallowcustomersandremotesitesaccesswithlittleinterruptioninservicedelivery.Further,officestaffatthedatacenterlocationmusthaveawaytoeasilyaccesstheco-loservers.

Alwaysassumeyourdatacentercompromisecaneasilypasstoyourco-lo.SA

foryourco-loisalsonecessary.Whenwipe-and-replaceorredundantsystemsarenotavailableorpossible,

removalofunwanteditemsrequiresresearchintowhathappened,toolsusedbytheattacker,actionstakenbytheattacker,filesandexecutablesinstalled,andanyotherchangesmadetoregistries,configurationfiles,etc.Onceyoucompletethistime-consumingprocess,theCIRTmustcreateaprocedureandassociatedtoolstoreverseallattackeractions.TeammembersandotherrecruitedITpersonnelmustthenfollowthedocumentedproceduretoeradicatethethreat.Unlesstheattackscopewasverysmall,thisapproachmightextendrecoverytimebeyondoneormorebusinessprocessmaximumtolerabledowntimes(http://tek.io/2rDmgC5).

(iii) RecoveryRecoveryisfocusedonreturningbusinessprocesseswithinMTDsdefinedin

BIAs.Recoverytimeincludesthetimenecessarytorestoretheinfrastructureandthetimeneededtorebuilddatasets.Thisisalsoknownasthemaximumperiodoftolerabledowntime(Olzak,2013),asshowninFigure10.TheRTO(recoverytimeobjective)ishowlongittakestorestoresupportingtechnology.

Figure10:MaximumPeriodofTolerableDowntime

Wepreviouslylookedateradicationmethodsthatalsobegintherecovery

process.Solutionslikeaco-looracloud-basedredundancysolutioncanquicklyreturnbusinessprocessestonormal.Otherapproachestakemoretime.Regardlessofhowyouapproacheradicationandrecovery,besuretoworkwithmanagementtounderstandyourrecoverytimeoptions.ThisincludesconsideringtheMTDsofprocessesaffectedbyadownedsystem:bothupstreamanddownstream.SeeFigure11(Olzak,2013).

Figure11:DependentProcesses

Failureofanyoneoftheseprocessesbreaksachainrequiredtoprovideproducttocustomers.TheMTDforanyprocessinthischainistheshortestMTDacrossallprocesses:thechain’sMTD.

Onceyourecoversystems,workwiththebusinesstoconfirmcorrectoperation.Checknotonlywhetherthetechnologyworksasexpected,butalsoensuredataintegrity.Havingpredefinedreportstovalidatedataaccuracyisonewaytoquicklydothis.

(i) Step10:RootCauseAnalysisandActionPlanThelaststepinincidentresponseisensuringthesameincidentdoesnot

happenagaininthesameway.Also,youwanttoassesshowwellyourteamrespondedandwhetheryoucanimprove;therearealwaysopportunitiesforimprovement.

Althoughyoushouldhavealreadyblockedoneormoreofthevulnerabilities

exploitedinthecurrentincident,youneedtounderstandwhythosevulnerabilitiesexistedandthefailureofcontrolstodetectandstoptheattack.Rootcauseanalysisistheprimarytoolforthis.

Rootcauseanalysisfindsthefundamental,theroot,causesofanyevent.It

preventstreatingsymptoms.Treatingonlysymptomswillnoteffectivelypreventfuture,similarincidents.

Causeanalysisbeginswithbringingtogethereveryoneinvolvedintheincidentandwiththesystemsaffected.Theresultingmeetingmustprohibitfingerpointingandassigningblame.Thatisnotthepurposeofthemeeting.Tryingtoplaceblamecausesattendeestogetdefensiveandloseobjectivity.

Rootcauseisfoundbyfollowingthechainsofcauseandeffectleadingtotheincident,asshowninFigure12(Olzak,2008).Inmanyinstances,morethanonerootcauseexists.Analysisbeginswiththeproximatecauseandworksbacktotherootcauses.Aproximatecauseistheeventandsurroundingconditionsthatenabledtheincident.Theprocessusedforthisstep-backprocessvariesbetweenorganizations.Iusedtwodifferentmethods,butIfoundthefive-whysapproachworkedbest.

Figure12:RootCauseChainofEvents

Anexampleofafive-whysanalysisisshowninFigure13.Inthisexample,ransomwarecrippledtheorganizationbecauseauserfellforaphishingattack.Withfive-whys,youbeginbyaskingwhyyourdatawasunavailable.Theanswershouldincludeanyactionstaken,processesexecuted,andtheconditionsunderwhichtheactionsandexecutionshappened.Whenyouarriveatthefifthwhy,therootcauseisusuallyidentified.Ifnot,considerstartingagain.Youeithermissedsomethingortheanswersareincorrect.Thegoalistobreakthechainasfaraspossiblefromtheproximatecausewithnewcontrolsorprocedures;ormodificationstoexistingcontrolsorprocedures.However,alayeredapproachshouldmultipleeventsalongthechain.

Figure13:FiveWhys

Morethanonerootcausemightexist.Oneofyour‘why’answersmightincludetwodifferentcauses.Youranalysismustthenbranchofftoaddressboth.Considereachbranchaseparatesetoffive-whys.Youmightseparateyourteam,sosub-teamsaddressbranches.Whenallbranchesarecompleteandallrootcausesidentified,theentireteamcomesbacktogethertocompletethefullanalysisdiagram.

Youwillnotalwaysknowalltheanswerswhenfirstmeeting.Consequently,

itmighttaketwoorthreemeetingsbeforeyouarriveatallrootcausesandcreateanactionplan.

Theactionplanispartofthefinalreporttomanagement.Itincludes

recommendationsforeliminatingrootcausesandimprovingresponse.Asampleactionplanisavailablefordownloadfromhttp://bit.ly/2rtKAtT.Itshouldminimallyinclude

• Actiontotake• Priorityoftheaction• Plantocompletetheaction• Actionstatus• Personorteamassigned• Dateforexpectedcompletion

Finally,completeafullreportontheincident.Convertyourincidentloginto

twostories:oneformanagementandoneforyourtechnicalteams.Thereportincludesdocumentsandpresentations.Thepresentationtomanagementincludesarequestforapprovalfortheactionplanandanassessmentofriskifoneormoreactionsarenotapproved.Atemplateforacomprehensivebuteasytoreferenceincidentreportisavailablefordownloadfromhttp://bit.ly/2sm5k3h.

Areportisalsonecessarywhenanalysisofanomalousbehaviorisdeemed

notmalicious.Referringtothesereportsduringriskassessmentsorduringrootcauseanalysismightrevealpreviouslyunrecognizedpatterns.Ashorterreportisusuallysufficientforthis,andatemplateisavailablefromhttp://bit.ly/2rk5Nui.


Planningandcreatingthetoolsandproceduresformanaginganincidentmusthappenbeforeanincidentoccurs.Thisenablesreasonableandappropriateprevention,detection,andresponse.

Trainingteammembersontheplanisnotoptional.EveryoneontheCSIRT

mustunderstandhisorherroleandhowtoexecuterelevantprocedures.Toolsforincidentresponseareuniquelydesignedforeachorganization.

Startingwithtemplateshelpsensureyoucoverallareas.Inadditiontothetools

providedinthissection,theSANSInstituteprovidesanalternativetoolsetathttp://bit.ly/2qASIF1.

Section4. Response

Inthissection,wewalkthroughactivitiesthatmightoccurduringaresponse.Thewalk-throughassumesyouplannedandpreparedasdescribedinSection3.Ionceagainusetheresponsechecklist,showninFigure14,asourguide.Thisisaveryhigh-levelviewofwhataresponsemightlooklike.Eachresponseisuniquetowhatisoccurring,soscenarioplanningasdescribedinSection3affectshowaresponsehappensanditseffectiveness.

Figure14:IncidentResponseChecklist

Section4.01 Step1:Begindocumentationandpotentialevidencepreservation

Uponnotificationofanomalousnetworkordevicebehavior,initiateanincidentlog.Note

• Dateandtimeofnotification• Personmakingthenotification• Whatthepersonreported• Systemsornetworksinitiallyaffected

Notifyrelevantpersonneltominimally

• Physicallyisolateaffecteduserspacesifacrimeiscommittedusingauserdevice

• Avoidfurtherlogicalorphysicalcontactwithaffectedsystemsornetworksthatwouldunnecessarilymodifylogsorwipecontent:especiallyavoidpoweringdownorresettingaffectedsystems

Section4.02 Step2:Determineifincidenthasoccurred

Usingtoolsimplementedduringplanningandpreparation,lookforincidentprecursorsandindicators.Hopefully,youwillimmediatelyknowwhatishappeningorspecificallywhattoexaminethankstoautomaticthreatintelligenceassociatedwithyoursecuritytools.Ifnot,thefollowinglistofthingstocheckisfromaposterprovidedbytheSANSInstituteathttp://bit.ly/2rkg577.ThisresourceincludestoolsforlookingfortheseconditionsinaWindowsenvironment.ALinuxversionisalsoavailable.

• Unusuallogentries.

o Didalogactivityunexpectedlystop?o Aretheremanyfailedloginattemptsorlockedoutaccounts?o Arelogsunexpectedlyaccessedormodified?

• Unusualnetworkusage.o Haveanynewandunusualfilesharesappeared?o Areunusualsessionsopenonserversoruserdevices?o Isalargequantityofdatamovinginunexpectedways?o Areunexpectedsessionsopenbetweeninternalsystemsorbetween

internalandexternalsystems?• Unusualfilesandregistrykeys.

o Hastherebeenamajorincreaseordecreaseindiskfreespace?o Arethereunusuallylargefiles?o Aretherestrangeprogramsassociatedwithsystemstartup?o Isbulkfileencryptionoccurring?

• Unusualscheduledtasks.o Arethereunusualtasksrunningasadmin,SYSTEM,orablankuser

name?• Unusualaccounts.

o Aretherenew,unexpectedaccountsintheadministratorgroups:localordomain?

• Other.o Areserversoruserdevicesperformingsluggishly?o Arethereunusualsystemcrashes?o Isthereanythingelsehappeningthatisunexpectedgivenup-to-date

networkandsystembaselinesyoupreviouslydocumented?

Ifyouhavetherighttoolsinplace(SIEM,IPS,firewalls,etc.),youwilllikelyseemuchofwhatyouneedtoknowinasecuritymanagementportal:atleastyoushould.Inanycase,youwillwanttorefertothelistabovewhendeterminingwhat

youknowandwhatyoudonot.Whiteboardswithdiscoveredinformationareagoodtoolforhelpingyourentireteamquicklygaininsightsintheincident.

Onceyoucollectsufficientinformation,useyourpreviouslyidentified

resourcestoresearchwhatmightbethecauseofyourfindings.Ifyoufindnothingmaliciousoccurring,completeashort-formreportandstoptheincidentprocess.

Section4.03 Step3:Prioritizetheincidentandestablishsituationalawareness

UseatoollikethematrixinSection3toprioritizetheincidentbasedonurgencyandimpact.AssignapreviouslydesignatedandtrainedinitialCSIRTmembertocontinuouslymonitorforconditionsinStep2throughouttheresponseprocess.Thisincludestargetsthoughttobecompromisedandallcriticaldevicesandnetworks.Isolationdoesnotalwaysworkasexpected.

Section4.04 Step4:Reportincidentasspecifiedincommunicationsplan

Usingthepreviouslydefinedcommunicationplan,notifytheCSIRTmembersandappropriatemanagementofaprobableincident.BesuretohaveavailablefordistributiontheinitialresponseactivitiesrecordedinthelogstartedinStep1.TheCSIRTestablishestheincidentcommandcenterandbeginsdetailedanalysis.Analysisneverstopsasadditionalinformationisgathered.

Section4.05 Step5:Obtainmanagementforensicsevidencecollectiondecision

Theinitialresponseshouldhavealreadytakenstepstoprotectevidence.Atthispoint,managementmustdecidewhethertocontinueforensicsprocessesorfocusonbusinessprocessrecovery.Informationneededforthisdecisionincludesevidencecollectionimpactonhowlongaffectedbusinessprocessesmightbedownandwhatevidenceisalreadyavailablewithoutdelays(seeSection3).Alsorelevantistheprobabilitythatdetailedevidencecollectionhasvaluegiventhetypeofattackandthethreatagentinvolved.

Section4.06 Step6:Acquire,preserve,andprotectevidence

IaddressthisprocessinSection5.

Section4.07 Step7:ContaintheincidentAlthoughthisstepappearslateintheprocess,itshouldbesomethingthat

happensquicklyonceanincidentisidentified.Forexample,theon-callrespondershouldhavetheskillsandtoolsettoquicklyisolatekeynetworksegmentsafterperformingStep2.InStep7,detailedanalysisbytheCSIRTandsituationalawarenessinformationprovidetheneedforadditionalcontainmentactivities.

Alsointhisstep,virtualserversandnewlyimagedspareuserdevicescanbe

activatedtoreducebusinessprocessdowntime.Dependingonhowtheincidentiscontainedandtheprocessesaffected,recoverydoesnotnecessarilyhavetowaituntilaftereradication.However,besurethesesystemswillnotbecompromised

againusingthesamevulnerabilities.Thisoftenrequirespatchingoraquickreconfigurationofanetworkdeviceorcontrol.

Section4.08 Step8:Eradicatetheincident

Atthispoint,SAandadditionalanalysisshouldprovideenoughinformationaboutthethreatagentandrelatedtoolsandtechniquesforeradication.TheCSIRTdocumentsaplanforeradication,includingscriptsandothertoolsformalwareandotherunwanteddigitalentities,andquicklytrainsresponsepersonnelonhowtoexecuteit.

Theeradicationplanincludespredefinedexpeditiouschangedocumentation

forexploitedvulnerabilitymanagement.Changesincludequickmodificationstoexistingnetworkdevices,operatingsystems,businessapplications,andsecuritycontrolsconfigurations.

Section4.09 Step9:Recover

Withproperplanning,recoverybeganinStep7andcontinuedthroughStep8.Whathasnotoccurredyetisverificationofdataintegrity.Usetoolsandproceduresselectedanddocumentedduringpreparationtoverifyorrecoverflatfileanddatabasedataaccuracyandauthenticity.Removeallcontainmentrestrictionsandworkwithbusinessuserstoensureaffectedbusinessprocessesworkasexpected:producingvalidresults.

Section4.10 Step10:Rootcauseanalysisandreporting

Gatherallpersonnelinvolvedinincidentimpactandresponsetoperformanafter-actionrootcauseanalysis.Completeadetailedresponsereportandpresentationsforbothmanagementandtechnicalteams.Thereportshouldincludeanactionplanformanagementapprovalanddetailedimprovementofbothsecuritycontrols/proceduresandresponseactivities.


Thissectionprovidesastrongfoundationforadocumentedresponseplan.Basedonachecklist,itgivesyougeneralactionstotakeasyoustepthroughanytypeofincident.Again,thetypeofincidentdeterminesspecificactions.Therefore,trainingwithvariousattackscenariosisanecessarypartofplanningandpreparation.

Section5. InitialResponseForensics

Adetaileddiscussionofdigitalforensicsinvestigationisoutsidethescopeofthisguide.Whatisimportantinanyresponseguideishowtoinitiallypreserveevidenceforforensicsinvestigations.ThatiswhatIcoverinthissection.Foradeeperlookatdigitalforensicsinvestigations,see

• NISTSP800-86GuidetoIntegratingForensicTechniquesintoIncident

Response(http://bit.ly/2qKq9nP)• NISTSP800-101GuidelinesonMobileDeviceForensics

(http://bit.ly/1odIMvB)• DigitalForensics/IncidentResponseForms,Policies,andProcedures

(http://bit.ly/2sxbSML)• MarshallUniversityForensicScienceCenter(http://bit.ly/2qKyqIu)• NISTCrimeSceneInvestigation:AGuideforLawEnforcement

(http://bit.ly/2rN9swT)Section5.01 ForensicsOverview

Generally,forensicsisthecollection,examination,analysis,andreportingofevidenceusedinidentifyingandprosecutingperpetratorsofacrime.Digitalforensicsis“theapplicationofsciencetotheidentification,collection,examination,andanalysisofdatawhilepreservingtheinformationandmaintainingastrictchainofcustody”(Kent,Chevalier,Grance,&Dang,2006,pp.ES-1).

Theprocessofdigitalforensics,asshowninFigure15,isthecollectionof

digitalmedia,thecarefulextractionofdatafromthatmedia,correlationofthedatatocreatemeaningfulinformationaboutthecrime,andprovidingcrediblereportsshowingrelevantevidencefororagainstoneormoresuspects.Throughoutthisprocess,initialrespondersandforensicsinvestigatorsmustensureevidenceintegrity.Evidenceintegrityisensuredby

• Establishingastrictchainofcustodyassoonaspotentialevidenceis

collected• Usingonlyforensicallyacceptablemethodsofextractingdatafrommedia• Neverusingoriginalmediaforanalysis• Creatingforensiccopiesofmediaforanalysiswithhashvaluescalculated

immediatelyafterthecopyiscompleteandbeforethestartofanalysis• Allowingonlyauthorized,trackedpersonnelaccesstothecrimescene,

forensicslab,andotherareaswhereevidenceiscollectedoranalyzed• Isolatingallanalysissystemsfromnetworksexternaltothelab,especially

theInternet• Usingonlyforensicstoolsknowntobeacceptabletotheforensics

communityandgenerallyacceptableinlegalproceedings

• Beingabletodemonstratetheprofessional,skilledstatusoftheforensicsinvestigatorsinlegalproceedings

Figure15:DigitalForensics

Evidencepreservationandchainsofcustodybeginwiththeinitial

responders.Therestofthissectiondescribeshowtheymustworktopreservetheintegrityofevidencebeforearrivalofforensicsinvestigators.Section5.02 ProtectingDigitalEvidence

Wehavealreadydiscussedinprevioussectionstheimportanceofsecurelymaintaininglogsandotherinformationgatheredduringdailymonitoring.Theseformthefoundationforforensicswork.However,wealsoneedcontentsofswapfilesandmemory,insomecases,tosupplementourloginformation.Consequently,wemustneverallowanyonetoresetorpoweroffanypotentiallyaffecteddevicesuntilmanagementdecideshowfartoproceedwithevidencecollection.

Ensuringproperhandlingofuserdevicesduringanincidentrequirestrainingatleastourbusinessmanagersonwhattodoandnottodowhenanincidentissuspected.Inmyexperience,resettingorpoweringoffadeviceisacommonfirststepbymanagement.Anothermanagementactionisoftensittinginfrontofapossiblycompromisedsystem,oronethatwasusedinthecommissionofacrime,to“explore.”Alltheseactionsmustbestoppedbypolicyandtraining.

ITpersonnelmustalsoprotectevidenceindatacenters.Onceanincidentis

suspected,ahands-offpolicymustbeenforced.Theonlyexceptionsarecontainmentactivitiesdefinedanddirectedbytheresponseteam.Reachingthisoutcomerequirestrainingandpractice.

Thehands-offconditionsmustcontinueuntilthedigitalforensicsinvestigatorstakeoveroruntilmanagementdecidestoforegodetailedevidencecollection.

Section5.03 SecuringaPotentialCrimeScene

Ifanoffice,cubicle,conferenceroom,orotherphysicalspaceissuspectedofuseduringanincident,youmustsecureitimmediately.Firststepsincludeplacingsomeoneattheentrancetotheareatoblockallaccess.Ideally,thiswouldbeasecurityguard.Theinitialsecuringofthesceneistheresponsibilityofrelevantmanagersandshouldtakeplacebeforearrivalofinitialresponders.

Asquicklyaspossible,theCSIRTshoulddispatchinitialresponderstothe

site.ThefollowingstepstakenuponarrivalaremodifiedrecommendationsfromtheNIST’sCrimeSceneInvestigation:AGuideforLawEnforcement(http://bit.ly/2rN9swT).Whenperformingthesesteps,theguidingprincipleistoavoidanythingbutminimalcontaminationanddisturbanceofevidence.

1. Beginlogwithnotificationofincident(date/time,address/location,typeof

incident,andpartiesinvolved)andthenlogeveryactiontakenandobservationmadeatthescene

2. Beawareofanypersonsleavingthescene3. Approachthescenecautiously,scantheentireareatothoroughlyassessthe

scene,andnoteanypossiblesecondaryscenes4. Ensurenooneisstillusinganydeviceoraccessinganyphysicalmaterialsat

thescene5. Beawareofanypersonsinthevicinitythatmayberelatedtothecrime

a. Secureandseparatesuspectsb. Secureandseparatewitnessesc. Determineifbystandersarewitnessesandsecureandseparateas

appropriated. Excludeunauthorizedandnonessentialpersonnelfromthescene,

includingmanagersdemandingaccess6. Makeinitialobservationstoassessthesceneandensurehumansafetybefore

proceeding7. Ensurehumaninjuriesaretreated8. Remainalertandattentive,andassumethecrimeisongoinguntilotherwise

determined9. Treatthelocationasacrimesceneuntilassessedanddeterminedtobe

otherwisea. Usecrimescenetapetoidentifyandcontainallrelatedlocationsb. Logallpersonsenteringandexitingthescene

i. Timeii. Nameiii. Contactinformationiv. Reason

10. Photographthescene(andcreatesketcheswhenphotographsdonotcaptureenoughdetailsofwhatyousee)

a. Wallsb. Floorc. Desktopsd. Computerandhandhelddevicescreens

11. Carefullyplacemobiledevices(phonesandtablets)intoFaradaybagswithoutpoweringthemoffandcreateachainofcustodyformforeachcollecteddevice

12. Afterphotographingallconnectorsandoriginallocationsofthedevices,unplugallnetworkcablesandensuretheCSIRThasblockedallwirelessaccessforthesedevices

13. Waitforarrivalofforensicsinvestigators,andupontheirarrivala. Providedetailedbriefingofyouractionsandcurrentstateofthe

scene,witnesses,suspects,evidence,etc.b. Turnoverallmaterialsandevidencewithproperchainofcustodyc. Assistasrequested

Justasforensicsinvestigatorsmustbetrainedprofessionals,initial

respondersmusthaveathoroughunderstandingofwhatstepstotakeinanysituation.This,again,requiresfrequentscenario-basedtraining.ThechecklistshowninFigure16,anddownloadablefromhttp://bit.ly/2sn0ROz,isagoodstartforareferenceandresponsemanagementtoolforinitialresponders.

Figure16:InitialResponseTeamChecklist

Thechecklisttasksarenotnecessarilylistedintheorderinwhichtheyareto

becompleted.Afirstresponseteamleadshouldassigntaskstoherselfandotherteammembers,andsometasksshouldbedonesimultaneously,ifpossible.Theseincludeidentificationandseparationofwitnesses,securingandseparatingsuspects,

ensuringnounauthorizedindividualsareinorwillenterthecrimescene,andisolationofmobileandotherdevicesfromnetworkaccess.


Firststepstakenbybusinessusersandmanagementareanimportantpartofinitialresponse.Partofsecuritytraining,atleastformanagers,shouldbewhattodoandwhatnottodowhentheysuspectanincident.

TheCSIRTinitialresponseteammustworkcloselywithmanagementonce

theyarriveonthescene.Managingemployees,collectingevidence,andotheractivitiesneedmanagementcooperation.Youarenotlawenforcement.Someoneinauthoritymustassisttoavoidunnecessaryconfrontationsanddelays.

Beforearrivaloftheforensicsinvestigator,onlyperformthosesteps

necessarytoensurehumansafety,preserveevidence,andgatherwitnesses/suspects.Logeverythingyoudoorsee.Takephotographsbeforetouchinganything.Createsketchesincasesinwhichaphotographisnotquiteenough.

Section6. WorksCitedCichonski,P.,Millar,T.,Grance,T.,&Scarfone,K.(2012,August).ComputerSecurity

IncidentHandlingGuide(NISTSP800-61r2).RetrievedMay18,2017,fromNIST(CSRC):http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Gartner.(2017).BusinessImpactAnalysis.RetrievedMay19,2017,fromGartnerIT

Glossary:http://www.gartner.com/it-glossary/bia-business-impact-analysisInfoSecNirvana.(2015,March).Part4-IncidentManagement.RetrievedMay28,

2017,fromInfoSecNirvana:http://infosecnirvana.com/part-4-incident-containment/

Kent,K.,Chevalier,S.,Grance,T.,&Dang,H.(2006,August).GuidetoIntegrating

ForensicTechniquesintoIncidentResponse.RetrievedJune2,2017,fromNIST:http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Manadhata,P.K.,Karabulat,Y.,&Wing,J.M.(n.d.).Report:Measuringtheattack

surfacesofenterprisesoftware.RetrievedMay19,2017,fromCarnegieMellon:SchoolofComputerScience:http://www.cs.cmu.edu/~wing/publications/ManadhataKarabulutWing08.pdf

Olzak,T.(2008,September).Preventrecurringproblemswithrootcauseanalysis.

RetrievedMay30,2017,fromTechRepublic:http://www.techrepublic.com/blog/it-security/prevent-recurring-problems-with-root-cause-analysis/

Olzak,T.(2011,June).ManagetheEnterpriseAttackSurface.RetrievedMay19,

2017,fromCBSInteractive:http://www.techrepublic.com/downloads/manage-the-enterprise-attack-surface/2949257

Olzak,T.(2012,January).RiskManagement.RetrievedMay20,2017,fromInfoSec

Institute:http://resources.infosecinstitute.com/risk-management-chapter-2/

Olzak,T.(2012,April).VLANNetworkSegmentationandSecurity.RetrievedMay23,

2017,fromInfoSecInstitute:http://resources.infosecinstitute.com/vlan-network-chapter-5/

Olzak,T.(2013,March).Theelementsofbusinesscontinuityplanning.RetrievedMay29,2017,fromTechRepublic:http://www.techrepublic.com/blog/data-center/the-elements-of-business-continuity-planning/

Olzak,T.(2016,May).Ensurebusinesscontinuitywithchangemanagement.

RetrievedMay23,2017,fromCSO:http://www.csoonline.com/article/3067112/business-continuity/ensure-business-continuity-with-change-management.html

Olzak,T.(2017).AttackSurfaceReduction.RetrievedMay19,2017,fromInfoSec

Institute:http://resources.infosecinstitute.com/attack-surface-reduction/Ross,S.(2010,October).Abusinessimpactanalysischecklist:10commonBIA

mistakes.RetrievedMay21,2017,fromSearchDisasterRecovery:http://searchdisasterrecovery.techtarget.com/feature/A-business-impact-analysis-checklist-10-common-BIA-mistakes

Wikipedia.(2017,January).ChecklistIncidentPriority.RetrievedMay26,2017,from

Wikipedia:https://wiki.en.it-processmaps.com/index.php/Checklist_Incident_Priority

incident management and response kindle r2 20160825...incident response is a subset of an overall...

Documents