Incident Management and Response Guide: Tools, Techniques, Planning, and Templates
By Tom Olzak, MBA, CISSP
© 2017 by Thomas W. Olzak. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/4.0/.
Published by Erudio Security, LLC
Phone: 419-377-6844 Email: [email protected]
Web: v-cso.com
Section 1. Prepare
Section 1.01 Policy, Procedures, and Team
Section 1.02 Strategic Threat Intelligence
Section 1.03 Vulnerability Management
(a) Unsecure Configuration and Coding
(b) Training and Awareness
(c) Access Control
(d) Vulnerability Identification
Section 1.04 Section Summary
Section 2. Risk Management
Section 2.01 Risk Assessments
(a) System Definition
(b) Identify Existing Controls
(c) Business Impact Analysis (BIA) and Calculating Risk
(d) Risk Management Recommendations
(e) Results Documentation and Presentation
Section 2.02 Section Summary
Section 3. Team Creation and Planning
Section 3.01 The Team
(a) Computer Security Incident Response Team (CSIRT) Membership
(b) CSIRT Responsibilities
(c) CSIRT Response Tools and Resources
Section 3.02 The Plan
(a) Step 1: Begin documentation and potential evidence preservation
(b) Step 2: Determine if incident has occurred
(c) Step 3: Prioritize the incident
(d) Step 4: Report incident as specified in the incident response communications plan
(e) Step 5: Obtain management decision about forensics preservation and collection
(f) Step 6: Acquire, preserve, and document evidence as directed in Step 5
(g) Step 7: Contain the incident
(h) Steps 8 & 9: Eradicate the Incident and Recover
(i) Step 10: Root Cause Analysis and Action Plan
Section 3.03 Section Summary
Section 4. Response
Section 4.01 Step 1: Begin documentation and potential evidence preservation
Section 4.02 Step 2: Determine if incident has occurred
Section 4.03 Step 3: Prioritize the incident and establish situational awareness
Section 4.04 Step 4: Report incident as specified in communications plan
Section 4.05 Step 5: Obtain management forensics evidence collection decision
Section 4.06 Step 6: Acquire, preserve, and protect evidence
Section 4.07 Step 7: Contain the incident
Section 4.08 Step 8: Eradicate the incident
Section 4.09 Step 9: Recover
Section 4.10 Step 10: Root cause analysis and reporting
Section 4.11 Section Summary
Section 5. Initial Response Forensics
Section 5.01 Forensics Overview
Section 5.02 Protecting Digital Evidence
Section 5.03 Securing a Potential Crime Scene
Section 5.04 Section Summary
Section 6. Works Cited
Figure 1: Risk Model
Figure 2: Attack Surface
Figure 3: Access Rights
Figure 4: Attack Tree
Figure 5: Controls Matrix
Figure 6: Qualitative Risk Calculator
Figure 7: Incident Handling Checklist
Figure 8: External Communication
Figure 9: VLAN Segmentation (Olzak, 2012 (April))
Figure 10: Maximum Period of Tolerable Downtime
Figure 11: Dependent Processes
Figure 12: Root Cause Chain of Events
Figure 13: Five Whys
Figure 14: Incident Response Checklist
Figure 15: Digital Forensics
Figure 16: Initial Response Team Checklist
Section 1. Prepare
Incidents happen to us every day. We forget our password. One of our kids forgets their lunch. Our computer decides not to print. These are all small events that hinder our ability to move forward in our day. Security incidents are the same but usually have a greater impact.
A security incident is defined differently by various organizations. NIST defines an incident as “A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices” (Cichonski, Millar, Grance, & Scarfone, 2012, p. 6). I find this too narrow.
In my experience, a security incident is an event, intentional or unintentional, that occurs outside what is expected in daily operations that can negatively affect business operation (processes), customers, investors, and employees. This expands the NIST definition by including anything that violates policy, regulations, laws, or ethics.
In other words, an incident is anything that can compromise the confidentiality, integrity, or availability (CIA) of data or the systems that support business processes. Confidentiality allows only authorized individuals or applications access to sensitive information. Integrity is the measure of the data’s accuracy and authenticity. Availability ensures information is available to authorized entities when and where needed for business operation.
Incident response is a subset of an overall incident management program. The purpose of incident management is to prepare for various types of incidents and then respond when they occur. Incident management has four goals:
1. Development and management of an incident management policy and supporting procedures (details in Section 3)
2. Creation, training, and management of an incident response team (details in Section 4)
3. Preparation
   a. Strategic threat intelligence
   b. Vulnerability management
   c. Risk management (details in Section 2)
4. Incident response to reduce or prevent business impact (details in Section 5)
Section 1.01 Policy, Procedures, and Team
The incident management policy forms the foundation for your organization’s ability to prepare for and respond to the unwanted and unexpected.
An incident management policy template is available for download at http://bit.ly/2tTSKsg. The policy should create an incident management program and assign responsibilities for incident management and response.
In Section 3, I address creating the incident response team, plan, and procedures. For now, it is enough to understand the need for documented and up-to-date incident response procedures. You never want to face an incident without a clear approach to mitigating or preventing negative business impact.
Section 1.02 Strategic Threat Intelligence
Strategic threat intelligence (STI) provides your organization with information about probable threats and associated tools and techniques used by the threat agents. A threat agent is a specific instance of a threat. For example, a threat is the potential for the theft of customer payment information by exploiting vulnerabilities. A threat agent would be a specific cybercriminal using certain tools and techniques to exploit weaknesses in your network to steal the information.
Without understanding how you might be attacked, it is impossible to perform comprehensive risk assessments. Information about potential threats and threat agents is available from
• Government and public sources
  o US-CERT Alerts (http://bit.ly/2pUj5oY)
  o The CyberWire (https://thecyberwire.com/)
  o Threatbrief (http://threatbrief.com/)
  o Twitter feeds of top security professionals (http://bit.ly/2pWCG7u)
• Your vendors
  o IPS vendor
  o SIEM vendor
  o Threat analytics vendor
  o Microsoft
  o Apple
Section 1.03 Vulnerability Management
Managing vulnerabilities is ongoing. It allows us to identify and assess risk when associated with relevant threat agents. For example, we discover a missing patch during a vulnerability scan for Microsoft Windows that is currently exploited by one or more threat agents. Another example might be failing to block all nonessential SQL Server® traffic passing through a firewall or by unsecure configuration of VLAN access control lists. Vulnerabilities are usually caused by
• Unsecure configuration of operating systems, network devices, and applications
• Unsecure coding practices or developer mistakes
• Lack of user training and awareness
• Insufficient attention to authentication, authorization, and accountability in access controls
(a) Unsecure Configuration and Coding
Operating systems, such as Windows® and Windows Server®, have security baselines provided by Microsoft (http://bit.ly/2vcW6ML). Following these baselines is a good start. Network device vendors also provide guidance on how to securely configure their products. This guidance is also supported by security best practices, such as blocking everything on a firewall and opening only what is necessary for business operation. Cisco provides detailed information about hardening IOS devices at https://www.cisco.com/c/en/us/support/index.html.
Securely configuring applications and reviewing coding practices should not cause major concerns, if the System/Software Development Life Cycle (SDLC) minimally includes risk assessments and security requirements testing. For detailed information about integrating security into the SDLC, see NIST SP 800-64 R2 Security Considerations in the System Development Life Cycle (http://bit.ly/2kxni2y).
(b) Training and Awareness
Humans are the biggest vulnerability you face. Relying on user behavior to maintain confidentiality, integrity, and availability is a control of last resort: a control on which you should rely only when reasonable and appropriate technology controls leave gaps. Training and awareness activities, starting with a strong and communicated Acceptable Use Policy (download policy template from http://bit.ly/2pUtdOx), help to manage human vulnerabilities. For detailed information about developing and managing security training and awareness in your organization, see NIST SP 800-50 Building an Information Technology Security Awareness and Training Program (http://bit.ly/2qNzgII).
(c) Access Control
Controlling access to information resources is not easy. It requires reasonable and appropriate verification of any person or application attempting to access a resource (authentication). (The entity attempting to access a resource is called the subject, and the resource being accessed is called the object.) This is followed by authorization based on analysis of user roles to properly apply segregation of duties, need-to-know, and least privilege.
Segregation of duties prevents any single person from performing all tasks associated with a business process. Need-to-know ensures a person assigned a business role only can see the information necessary to perform related tasks. Least privilege limits what users in a role can do with data they access. Here is an example:
1. A user logs into the network and his/her identity is established (authentication)
2. The user is granted access to the payroll system because of his/her role (coarse authorization)
3. The user is granted access to specific tasks or data within the application, based on his/her role in the organization (fine authorization based on segregation of duties)
4. Once the user selects a specific task, he or she is only allowed to perform specific actions on the data (least privilege)
5. Database limits what the user sees to only what is necessary to perform an assigned task (need-to-know)
The final component of access control is accountability. Accountability ensures you understand what subject accessed an object, what was done to the object, and when the action happened. Collection of logs and log auditing is the foundation of accountability.
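The five-step payroll walkthrough above, with the accountability log added, as an added Python example that is not from the guide: one check per step, so a clerk who may enter a pay change can never approve it, and each task sees only the columns it needs. The usernames, passwords, roles, task names, column sets and the employee record are all constructed sample data.

```python
"""Layered access control for the payroll walkthrough (constructed example).

Each check corresponds to one step in the list above: authentication,
coarse authorization, fine authorization with segregation of duties,
least privilege, and need-to-know. Every decision is written to an audit
log so the accountability question (who, what, which object, when) can
be answered afterwards. Users, roles, tasks and the employee record are
all constructed sample data.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


def _hash(salt: str, password: str) -> str:
    # Illustrative salted hash only; a real store would use a slow KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed identity store: username -> (salt, password hash, roles).
USERS = {
    "alice": ("s1", _hash("s1", "correct horse"), {"payroll_clerk"}),
    "bob": ("s2", _hash("s2", "battery staple"), {"payroll_approver"}),
    "carol": ("s3", _hash("s3", "trombone"), {"sales"}),
}

# Step 2, coarse authorization: roles allowed into the payroll system at all.
PAYROLL_ROLES = {"payroll_clerk", "payroll_approver"}

# Step 3, fine authorization with segregation of duties: the clerk who
# enters a pay change can never be the one who approves it.
TASKS_BY_ROLE = {
    "payroll_clerk": {"enter_pay_change"},
    "payroll_approver": {"approve_pay_change"},
}

# Step 4, least privilege: the actions each task may perform on the data.
ACTIONS_BY_TASK = {
    "enter_pay_change": {"read", "update"},
    "approve_pay_change": {"read", "approve"},
}

# Step 5, need-to-know: the columns each task may see from the record.
COLUMNS_BY_TASK = {
    "enter_pay_change": {"employee_id", "salary", "effective_date"},
    "approve_pay_change": {"employee_id", "salary", "effective_date", "approver"},
}

# Accountability: one entry per access decision, allowed or denied.
AUDIT_LOG: List[Dict[str, str]] = []


def authenticate(username: str, password: str) -> Optional[Set[str]]:
    """Step 1: establish identity; return the subject's roles or None."""
    entry = USERS.get(username)
    if entry is None:
        return None
    salt, digest, roles = entry
    if not hmac.compare_digest(digest, _hash(salt, password)):
        return None
    return roles


def access_payroll(username: str, password: str, task: str, action: str,
                   record: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Walk steps 1-5; return the need-to-know view of the record, or None."""
    outcome = "denied"
    try:
        roles = authenticate(username, password)
        if roles is None:
            return None                                  # step 1 failed
        if not roles & PAYROLL_ROLES:
            return None                                  # step 2: coarse
        allowed_tasks = set().union(*(TASKS_BY_ROLE.get(r, set()) for r in roles))
        if task not in allowed_tasks:
            return None                                  # step 3: segregation of duties
        if action not in ACTIONS_BY_TASK[task]:
            return None                                  # step 4: least privilege
        outcome = "allowed"                              # step 5: need-to-know view
        return {k: v for k, v in record.items() if k in COLUMNS_BY_TASK[task]}
    finally:
        AUDIT_LOG.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "subject": username,
            "object": "employee:%s" % record.get("employee_id"),
            "task": task,
            "action": action,
            "outcome": outcome,
        })


# Constructed employee record holding more than any single task needs.
SAMPLE_RECORD: Dict[str, object] = {
    "employee_id": 1042, "salary": 78000, "effective_date": "2017-07-01",
    "approver": "bob", "home_address": "withheld", "ssn": "withheld",
}

if __name__ == "__main__":
    print(access_payroll("alice", "correct horse", "enter_pay_change", "update", SAMPLE_RECORD))
    print(access_payroll("alice", "correct horse", "approve_pay_change", "approve", SAMPLE_RECORD))
    print(AUDIT_LOG[-1])
```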
The strength of access control depends on the sensitivity of the resource protected: the resource’s classification. We classify data based on its value to the organization and the negative impact on the organization if the CIA of that data is compromised. For example, we might classify data as
• Public: anyone can access and see the information with no negative impact on the business
• Confidential: moderate damage to the organization will occur if the data’s confidentiality, integrity, or availability is compromised
• Restricted: severe damage to the organization will occur if the data’s confidentiality, integrity, or availability is compromised
Any device through which data passes, is stored, or is processed is given the classification associated with the most sensitive classification of data involved. If, for example, a server contains restricted and public data (which is never a good idea), the server is classified as restricted. You should consider strong access control (multifactor authentication and encryption) for critical resources.
For a detailed discussion of access control, see Identity Management and Access Control (http://bit.ly/2q0unas). Download the University System of Georgia segregation of duties matrix template from http://bit.ly/2pXCeGF as a sample tool for planning roles.
(d) Vulnerability Identification
You must know if you are open to attack. One of the best ways to do this is with regular vulnerability scanning. Nessus, for example, is an up-to-date tool widely used to scan networks for known vulnerabilities. A vulnerability management program also includes penetration testing and third-party security program reviews. All of this begins with a vulnerability management policy and associated procedures (download policy template from http://bit.ly/2rjaikx).
A valuable tool for knowing what vulnerabilities you potentially have in house is the National Vulnerability Database (https://nvd.nist.gov/).
Section 1.04 Section Summary
The purpose of incident management is to prepare for various types of incidents and then to respond when they occur. Incident management has four goals:
1. Development and management of an incident management policy and supporting procedures
2. Creation, training, and management of an incident response team
3. Preparation
4. Incident response to reduce or prevent business impact
A security incident is an event, intentional or unintentional, that occurs outside what is expected in daily operations that can negatively affect business processes, customers, investors, and employees. It is anything that can compromise the confidentiality, integrity, or availability of data or systems that support business processes.
Section 2. Risk Management
Managing risk is the first step in information assurance, and it is a critical piece of incident management. In both cases, risk assessments and subsequent risk acceptance, avoidance, transference, or mitigation are the foundation of preventing and responding to threat agents. If the incident response team does not run the organization’s information risk management program, its members should at least be involved in every risk assessment. The formulaic risk model I use for our discussion of incident management related to human attacks is shown in Figure 1.
Figure 1: Risk Model
Section 1 explains threats and vulnerabilities. In Figure 1, the set of vulnerabilities available to enable an attack are categorized as opportunity. The probability that a threat agent can or will successfully take advantage of an opportunity to reach its objective is a key component of risk. Means are the skills necessary to successfully reach the intended target. A human threat agent is usually motivated by the financial, political, or other value of the attack target. Natural disasters need no motivation.
As the strength and tested effectiveness of controls increase, means and motivation must also increase. This serves to shrink the number of possible threat agents; probability of occurrence for human attacks tends to decrease. This decrease is caused by the increased effort (cost) to reach the target and the decrease in return on investment for the threat agent. Decrease in probability is also related to the difficulty something like a worm would have spreading across your organization and affecting availability, for example. If a threat agent’s motivation is high, and she is highly skilled, a lower but still present probability of successful vulnerability exploits exists.
Once a threat agent gains entry to your network or one of your systems, potential for negative business impact arises. According to Gartner (2017), business impact includes “…the potential effects (financial, life/safety, regulatory, legal/contractual, reputation and so forth) of natural and man-made events on business operations” (para. 1).
How quickly we detect, contain, and manage an attack affects the extent of the impact. This is the purpose of incident response. If your organization has a documented incident response plan and a trained incident response team, you can prevent serious harm when the inevitable intrusion occurs.
As with all security activities, risk management begins with a management approved and supported policy. Shon Harris provides a great article about what goes into a risk management policy at http://bit.ly/2q9BgHB.
Section 2.01 Risk Assessments
Risk management helps prevent and prepare for incidents. The most valuable tool in this process is the risk assessment. A risk assessment looks closely at each system, your network, and other organizations where your data is stored or processed. Perform risk assessments
• During the initiation and development/acquisition phases of the SDLC (http://bit.ly/2kxni2y)
• When deemed necessary by a Change Advisory Board (http://bit.ly/2f20um5)
• When new vulnerabilities are discovered in your systems or network, or when announced by a third party
• When threat intelligence reveals a new threat, threat agent, or tools and techniques
• At least once per year for systems touching highly sensitive data or supporting critical business processes
An assessment consists of 10 steps divided into two phases:
Phase I: Assess
1. System definition
2. Threat identification
3. Vulnerability identification
4. Attack path controls assessment
5. Business impact analysis
6. Risk determination
7. Controls recommendations
Phase II: Manage
8. Action plan and proposal creation and presentation
9. Implement approved controls or transfer risk
10. Measure to ensure steps taken work as expected and adjust where necessary
(a) System Definition
System definition begins with system decomposition. System decomposition breaks down a system into the various components of its attack surface (Olzak, 2011). A system is the collection of devices and media used to access, process, store, and move information for a related set of business processes. For example, the infrastructure supporting payroll processes is the payroll system. In some cases, you might want to assess only parts of the system. However, you should assess complete systems at least annually.
A system’s attack surface is not a single piece. Instead, it is an aggregate of multiple attack surfaces. Figure 2 shows a very simple model. In this model, the network attack surface can be further broken down into each network device (switches, routers, firewalls, etc.) and cabling. The device attack surface includes the operating system and applications it hosts. I placed the device attack surface over the network attack surface because today’s most popular and destructive attacks target users and their devices.
Figure 2: Attack Surface
When assessing attack surfaces, consider the following (Olzak, 2017):
• Entry points where the system receives information.
• Exit points where the system provides information to other systems:
  o Direct exit points exchange information with external systems.
  o Indirect exit points provide information to direct exit points.
• Data channels, protocol-enabled pathways over which information travels.
• Untrusted data items, persistent entities attackers use to control systems or extract data. Examples include cookies, files, malicious database records, and registry entries. Attackers cause exit points to read from untrusted data items or use entry points to write into untrusted data items (Manadhata, Karabulat, & Wing, n.d.). They are used by threat agents to own a device or system.
Protecting information transit points and channels, and defending against untrusted data items, requires strong access rights between subjects and objects. See Figure 3.
Figure 3: Access Rights
Any access between an object and a subject should be controlled with consistent rights management. “Access rights identify subjects, the objects they can access, and what they can do after access is granted” (Olzak, 2017). This does not just apply to users and the resources they access; it also applies to applications, services, protocols, and anything else that attempts to access an object for any reason.
Information about the system or network assessed can come from several sources:
• Existing documentation
• Interviews
• Questionnaires
• Network scans
(b) Identify Existing Controls
Identify existing controls and potential vulnerabilities by walking through probable attack paths using network and data flow diagrams to create attack trees. An attack tree helps visualize how a threat agent might gain access to an intended target. Figure 4 shows an attack tree with a database server as the target. This example does not show all possible attack paths. For a detailed description of how to use an attack tree, including addressing probability of successful attacks, see Risk Management (http://bit.ly/2rCPNM7).
Figure 4: Attack Tree
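An added Python example, not the guide's own tool, of walking an attack tree like Figure 4 with a database server as the target, and of re-evaluating it after a recommended control (the attack path controls assessment in the Phase I steps). The scoring scheme is an assumption: each leaf carries the assessor's estimate of the probability that a threat agent bypasses that vulnerability given current controls, an AND node multiplies its children because the agent must bypass every vulnerability on the path, and an OR node takes its easiest child. The tree's leaves and their probabilities are constructed.

```python
"""Attack tree walk for the controls assessment above (added example).

Scoring scheme is an assumption, not the guide's: each leaf holds the
assessor's estimated probability that a threat agent bypasses that
vulnerability given today's controls; an AND node needs every child
(probabilities multiply, which is why a target behind two or more
vulnerabilities is harder to reach); an OR node is satisfied by its
easiest child (maximum). The tree below is constructed for illustration
with a database server as the target.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "AND" or "OR"
    probability: float = 0.0    # leaves only
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node) -> Tuple[float, List[str]]:
    """Return (probability of reaching node, leaves on the most likely path)."""
    if node.kind == "LEAF":
        return node.probability, [node.name]
    results = [evaluate(child) for child in node.children]
    if node.kind == "AND":
        prob, path = 1.0, []
        for p, leaves in results:
            prob *= p
            path.extend(leaves)
        return prob, path
    if node.kind == "OR":
        return max(results, key=lambda r: r[0])
    raise ValueError("unknown node kind: %s" % node.kind)


def apply_control(node: Node, leaf_name: str, new_probability: float) -> bool:
    """Model a recommended control by lowering one leaf's estimate in place."""
    if node.kind == "LEAF":
        if node.name != leaf_name:
            return False
        node.probability = new_probability
        return True
    return any(apply_control(c, leaf_name, new_probability) for c in node.children)


def build_tree() -> Node:
    """Constructed tree: three alternative paths to customer data on a database server."""
    return Node("Read customer records on the database server", "OR", children=[
        Node("Through a compromised workstation", "AND", children=[
            Node("User opens phishing attachment", probability=0.30),
            Node("Endpoint antimalware misses the payload", probability=0.40),
            Node("Workstation VLAN can reach the database port", probability=0.90),
            Node("Database accepts cached service credentials", probability=0.50),
        ]),
        Node("Through the web application", "AND", children=[
            Node("SQL injection flaw in order entry form", probability=0.20),
            Node("Web application account can read the customer table", probability=0.80),
        ]),
        Node("Through stolen backup media", "AND", children=[
            Node("Backup tapes leave the site unencrypted", probability=0.10),
            Node("Courier chain of custody is broken", probability=0.15),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("before:", evaluate(tree))
    # Recommended control: least privilege on the web application's database account.
    apply_control(tree, "Web application account can read the customer table", 0.20)
    print("after:", evaluate(tree))
```

Re-running the evaluation after each candidate control shows which path becomes the most likely one next, which is the analysis the mitigation recommendation later in this section asks for before adding controls.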
In addition to attack trees, I recommend creating a controls matrix. A controls matrix lists all controls implemented, how they are configured, and what they protect. Figure 5 is a screenshot of a controls matrix template you can download from http://bit.ly/2pVWAV3. See Use a security controls matrix to justify controls and reduce costs (http://tek.io/2pWwnFA) for a detailed explanation on how to use the matrix.
Figure 5: Controls Matrix
(c) Business Impact Analysis (BIA) and Calculating Risk
Use a BIA to determine the severity of the negative impact on a business if an incident occurs. Many variables affect business impact, including (Olzak, 2012)
• Maximum tolerable downtime (http://tek.io/2rDmgC5)
• Impact on employees
• Impact on investors
• Impact on customers
• Impact on current and future earnings potential
• Sanctions due to non-compliance with regulatory requirements
A BIA can be qualitative or quantitative. How you approach the BIA affects how you approach an overall risk assessment. A quantitative assessment uses actual dollar amounts to estimate business impact. A qualitative assessment uses some type of scale to estimate damage. Hybrid analysis is a combination of the quantitative and qualitative approaches. A qualitative risk calculator, downloadable from http://bit.ly/2pYNh6r, is shown in Figure 6. This calculator is just one approach to qualitative assessments, which are educated guesses based on experience and collaboration. For a detailed discussion of risk assessments, see Risk Management (http://bit.ly/2rCPNM7).
If you choose to download the calculator, the System Sensitivity cells are linked to a worksheet that calculates this value. The yellow column also contains a formula. Other worksheets provide guidelines for scoring the other columns. Change these to conform to your business operations, security framework, and management’s appetite for risk. And remember, a threat agent usually must bypass two or more vulnerabilities to reach the target.
Figure 6: Qualitative Risk Calculator
Approaches to performing a BIA differ between organizations. However, we must always focus on the same things regardless of how our procedures look. According to Ross (2010), avoid the following 10 BIA mistakes:
1. Considering the impact of interrupted applications, not business processes. Remember, the impact is to business operations if a system is not available due to compromise or failure. Unavailability impacts business processes that feed and use the failed system. If you take your order entry system offline because of an attack, for example, no product ships. Customers are not happy, and revenue is lost.
2. Considering applications in isolation. Again, few applications operate in isolation. Most share information with other applications that enable multiple business processes. When performing a BIA for a system or a network device, look at all affected systems and related processes.
3. Paying too little attention to financial impact. Financial impact is a measure of how an incident affects your organization’s bottom line on a profit and loss statement. This includes all costs, including
   a. Loss of short-term revenue
   b. Regulatory fines
   c. Civil action by customers, shareholders, etc.
   d. Identity theft management
   e. Cost of recovery
   f. etc.
   Costs associated with an incident must be calculated with the help of all affected areas of the business. This is necessary even if you use a qualitative or hybrid approach to your analysis.
4. Paying too much attention to financial impact. In addition to hard dollar costs, other costs affect the long-term health of a business following an incident, including loss of reputation and customer confidence, and loss of competitive advantage, especially when intellectual property is involved.
5. Failing to distinguish enterprise applications. Applications that serve the entire organization fall into this category. Examples include legal and document management systems.
6. Failing to recognize data center applications. Systems/solutions only used by IT are often ignored during risk assessments. Be sure you include these in your assessments.
7. Confusing a risk assessment with a BIA. A BIA is a subset of a risk assessment, but it can stand on its own. Even if you have no idea what might cause the unavailability of a system or business process, a BIA is something to consider: at least to establish value to the organization.
8. Confusing risk acceptance with a business impact analysis. Do not allow business managers to simply accept risk because they do not want to spend the time working with you to create a BIA. This is one more instance where support of C-level management for incident management is irreplaceable.
9. Pre-determining BIA results. Ross writes that a business manager can correctly estimate loss without a formal BIA about 80 percent of the time. This is the same as saying that one in five business processes or applications is inaccurately analyzed. Even when pursuing a qualitative analysis, it is important to take time to walk through estimated costs.
10. Backing into a BIA result. Sometimes, managers choose to understate the financial, reputational, and operational impact of an incident because the perceived impact is too high. This undermines the ability to effectively prepare for and manage incidents.
(d) Risk Management Recommendations
How you manage risk is largely determined by management’s risk appetite: the level of risk managers are willing to assume to achieve business objectives. Part of creating an incident management program is meeting with the organization’s business risk management team or senior management to understand acceptable levels of risk. This helps provide workable recommendations at this point in the risk assessment.
Once we know the risk, recommend one of the following:
• Accept the risk. If the cost of the risk is lower than any mitigation or transfer solutions available, we usually recommend risk acceptance.
• Mitigate the risk. If the cost of risk is higher than the cost of mitigation solutions, we usually recommend mitigation. Recommending mitigation requires a detailed analysis of our existing controls to determine if they can be reconfigured to reduce risk. It also requires analysis regarding how we might use fewer new controls by integrating them into the existing framework. In other words, never simply throw new controls at risk without a thorough analysis of what you have and what you need. Finally, any controls we recommend should be reasonable and appropriate for business operation.
• Transfer the risk. Transferring risk typically means purchasing incident loss insurance. Many insurance carriers now offer this. Purchasing insurance might be something done in addition to mitigation. For example, you might purchase insurance to cover costs associated with customer identity theft protection in addition to implementing additional technical controls. Together, transference and mitigation work to reduce risk to acceptable levels.
• Avoid the risk. Sometimes, risk is avoided by simply not doing something: by removing existing procedures/technology or by not implementing a new solution. In my years as a director of security, management chose to avoid risk only once. Never count on avoidance. Our job as security professionals is to find ways to safely enable solutions that management deems necessary to reach the organization’s objectives.
(e) Results Documentation and Presentation
Provide detailed documentation for how you conducted the assessment and your results. The details help the risk mitigation team be more effective. The NIST Risk Management Guide for Information Technology Systems, SP 800-30 (http://bit.ly/2rLdVfJ), provides an excellent template. However, details are something management usually does not care about. They only want to see the risks and what you believe needs to be done to manage the risks.
In addition to a detailed assessment document and a technical presentation, create a presentation for management. This presentation provides a high-level explanation of what you did and the risks discovered. At the opening of the presentation, let the attendees know you want them to decide on your recommendations. Be clear about how your recommendations are financially and operationally reasonable and appropriate.
The final document resulting from an assessment is the action plan. The action plan is the result of management’s approval of your recommendations. It includes what is to be done, who is responsible, and status. You can download the template I use from http://bit.ly/2rtKAtT.
Section 2.02 Section Summary
Incident management is inseparable from risk management. In addition to creating and practicing a response plan, the incident management team should be involved in every risk assessment. In my opinion, the team should manage the assessments as part of their day-to-day operations.
Risk is assessed by first understanding the system or network analyzed and then walking through all potential threat paths. This should occur when a new threat emerges or when new vulnerabilities are discovered. In any case, risk assessments for critical systems and sensitive data should happen at least annually.
Your risk management recommendations must be reasonable and appropriate for the organization’s budget and operations. Management must see the short- and long-term financial and non-financial impact of simply accepting risk: or worse, doing nothing.
Section 3. Team Creation and Planning
In this section, I walk through details of creating and managing an incident response team and plan. The purpose of the plan is to
• Rapidly detect anomalous network, system, or device behavior (situational awareness)
• Minimize loss and destruction
• Mitigate exploited weaknesses
• Restore services
• Gather forensic evidence when reasonable and appropriate
Carnegie Mellon’s incident response plan is a good start for any organization. It is available for download at http://bit.ly/2s7fCEn.
Section 3.01 The Team
Before planning starts, you need an incident response team. As I wrote in Section 2, this team is responsible for more than simply responding to incidents. It has a role in all risk management, incident prevention, and incident preparation activities. Consequently, the team makeup must include representatives from all technical teams, organization operations teams, and other relevant stakeholders.
(a) Computer Security Incident Response Team (CSIRT) Membership
The following list of team members is general and only a start. Each organization is unique, and the makeup of the team depends on who must be involved to ensure effective incident management.
• Incident manager
• Security analyst
• Computer forensics investigator
• Server engineer
• Network engineer
• Server administrator
• Network administrator
• Business analyst for each department/line of business
• Software developer
• Data center operator
• Inside legal counsel
• Human resources
• Public relations
Depending on the organization, some of these members might be outside support vendors. All CSIRT members should participate in preparation and planning.
These team members serve as team leads in their respective areas. When an incident occurs, you will likely need more than one network engineer, for example. Also, consider training two individuals for each team role: a primary and a secondary. The primary might not always be available during an incident.
Identify a subset of the team as your initial responders. The initial response team, including an on-call responder, performs the first response steps as described later in this section and in Section 5.
One set of members, the business analysts, act as bridges between the CSIRT and the business departments and lines of business. In larger organizations, these positions already exist, providing day-to-day project and IT support functions to ensure technology effectively supports each department, lines of business, and overall tactical and strategic objectives. Business analysts are often missing in smaller organizations. In such cases, a representative from each department and each line of business is a necessary alternative. The business analyst or business representative is the point of communication between the CSIRT and the business. This is an irreplaceable and critical part of planning, preparation, and response.
Once an incident response policy creates the CSIRT, the team begins creating plans and procedures to meet its responsibilities.
(b) CSIRT Responsibilities
Many people believe the CSIRT sits around waiting for the next incident. Not true. The incident response team is responsible for
• Risk management. As shown in Section 2, the CSIRT is either directly responsible for managing information resource risk or provides support for those who are.
• Incident prevention and preparation. Conducting or participating in penetration tests and vulnerability management is a good start. The CSIRT should also be involved in the change management process. This ensures the risk management controls and procedures identified in the SDLC and risk assessments are maintained in a way that supports incident management.
• New threat and vulnerability advisory distribution. Threat intelligence and vulnerability research daily reveal new ways attackers try to attack your organization. The CSIRT is responsible for identifying new threats and vulnerabilities, performing analysis to determine associated risk to the organization, and distributing this information to appropriate IT and business teams.
• Incident detection and response. The CSIRT is responsible for monitoring for and assessing anomalous behavior of systems, devices, networks, and users. The CSIRT declares incidents when appropriate and executes the incident response plan.
• Education and awareness. Educating employees about the importance of safe use of information resources, policy compliance, and regulatory compliance should already be happening within your organization. However, many organizations do not address in training sessions what business employees, IT staff, and managers should do if they suspect an incident or if notified of one. This is a big miss. The CSIRT should manage security training and awareness or be directly involved in content and delivery, including how to report anomalous behavior.
• Information sharing. Whether an attack is successful or not, consider sharing all information gathered during initial and incident response analysis with both internal and external entities, including
  o Stakeholders
  o Regional and state law enforcement agencies
  o Federal agencies
  o Interest and industry groups
In addition to incident information, share incident management findings about threats, risks, and other incident-related matters. This allows a broad defense against threat agents.
(c) CSIRT Response Tools and Resources
Part of planning and preparing is putting together a set of tools and supporting resources that enable the CSIRT when an incident occurs, including a command center; jump kit; forensics lab (commonly outsourced); incident response forms with documented procedures and checklists; and external resource contacts.
(i) Command center
When an incident occurs requiring more than quick eradication and recovery, the CSIRT will gather in a central location for analysis, information sharing, and leadership. This command center is usually a previously designated conference room or training facility with minimally
• Whiteboards and markers
• Speakerphones
• Multiple tables for team and sub-team coordination and information sharing
• Hardwired connection to the internal network
• Isolated access path to the Internet for research, support, and reporting
The command center is the central point of response communication and operations. It is where the team and others will find the incident manager. It is also where all incident activity coordination and logging take place.
(ii) Jump kit
A jump kit is a forensics bag of tools a responder can quickly grab and head out the door. It should contain everything necessary for at least initial response evidence preservation, as described in Section 5, including
1. Journal for taking notes (who, what, when, where, how, and why) about every facet of the incident, including physical access
2. Contact list for all CSIRT members and external support
3. Up-to-date antimalware on USB drive or CD
4. Crime scene tape (http://amzn.to/2qgV1Nu)
5. Duct tape or other adhesive
6. Evidence bags (http://amzn.to/2rUBqTE)
7. Faraday bags for immediate collection of cell phones, tablets, and other wireless mobile devices (http://amzn.to/2qkFuuZ)
8. Evidence tags (http://amzn.to/2rAhwAK)
9. Chain of custody forms (http://bit.ly/2qkzr9K)
10. Digital camera with extra batteries
11. Sketchbook with pencils and pencil sharpener
12. A laptop with an industry and judicially acceptable (stands up in court) forensics solution, such as EnCase (http://bit.ly/1SRrdxM)
13. Hard drive duplicator with write-block capabilities (http://amzn.to/2rAAJSX)
14. Miscellaneous cables, connectors, adaptors, etc.
The contents of your jump kit will vary from this list depending on whether your in-house team performs detailed forensics activities or whether you outsource them. At the very least, your kit should contain items 1 through 11 in the list above.
(iii) Forensics lab
Not every organization needs a forensics lab. I worked for a large organization, and we did not have one. Instead, we outsourced forensics analysis when needed. However, I provide a description of what a lab should include for those organizations deciding to retain this function in house. You can also use this list when assessing the credibility and effectiveness of a potential forensics vendor.
• Strong access control to the lab that minimally includes logging authorized personnel who enter and when
• A server for organizing and retaining investigation results (not connected to the Internet)
• A lab network isolated (preferably air gapped) from the organization's network with an Internet connection separate from the rest of the organization and the lab administrative network (Internet connection should be only for administrative systems, never for systems used for evidence analysis or that are evidence themselves)
• Administrative systems for Internet access and lab management functions, connected to a network isolated from analysis systems
• Systems for analysis (virtual is a good idea) running various operating systems:
o Windows desktop
o Windows Server
o Mac OS
o Linux
• Drive duplicators with write blockers
• Readers for various types of media (e.g., SIMs and flash memory)
• Media wiping equipment
• Assortment of drive cables
• Miscellaneous cables and adapters
• Variety of drives of different types
• Accepted forensics software, such as EnCase and Forensics ToolKit (http://bit.ly/2qnSYX6) running on non-admin lab systems
• Securable physical storage for separating and maintaining evidence chain of custody
• Video or audio equipment for recording findings, evidence, etc.
• Jump Kit (see Jump kit above)
• Certified computer forensics investigators
(iv) Procedures and checklists
Specific procedure content is unique to your organization, so I do not go into much detail. However, I provide an incident checklist (Figure 7) with recommendations for how to prepare for each line item. You can download the checklist from http://bit.ly/2qfUZtk. This checklist forms the basis for your response plan.
Figure 7: Incident Handling Checklist
Section 3.02 The Plan
Planning begins by working with all stakeholders to develop an overall approach to preparing for and responding to an incident. The discussion that follows is a general overview. Your plans should include various attack scenarios that affect how you approach planning and preparedness. Appendix A of the NIST Computer Security Incident Handling Guide SP 800-61r2 (http://bit.ly/1MYR74v) provides a good set of scenarios.
I approach planning by preparing to execute each of the 10 steps in the matrix in Figure 7. This ensures every step is thought through, documented, and practiced.
(a) Step 1: Begin documentation and potential evidence preservation
Provide the on-call responder with the means to immediately begin creating an incident log. This might be a document, spreadsheet, or other template already prepared and ready for use. Further, procedures and an associated contact list are necessary to begin preserving evidence in the data center, in the office, or at remote locations. Initial response evidence preservation requires training for business managers and IT personnel. You do not want the on-call responder to take time detailing preservation steps.
(b) Step 2: Determine if incident has occurred
Tools should be in place to enable immediate review of precursors and indicators. Precursors are log or other events that occur before an incident. They provide insight into the potential for an attack. These might include social engineering attempts, phishing emails, unusual network or system activity, etc.
Indicators are evidence that an attack is in progress. Correlated log entries are a good way to identify indicator patterns of certain types of attacks, including unexpected movement of data, unexpected user access to resources, unauthorized log modifications, unusual/specific activity at the firewall or IPS, etc.
Crest provides a great document for how to configure and manage incident management logging at http://bit.ly/2qjOP7p. CrowdStrike provides a detailed look at indicators at http://bit.ly/2rUDYC8.
Once the responder gathers the precursors and indicators, he should research his findings using a knowledge base or the Internet. Research sites should already be identified for quick access. This research provides insight into what is happening and next steps. Resources include
• Your antimalware, IPS, and SIEM vendors
• US-CERT (https://www.us-cert.gov/ncas)
• SANS Internet Storm Center (https://isc.sans.edu/dashboard.html)
• Fee-based cyberattack intelligence services
This step should be completed in minutes. The longer it takes to declare an incident, the larger the impact.
(c) Step 3: Prioritize the incident
Not all incidents are the same. Some might be remediated in minutes. Others might take days, and the potential impact across incidents differs. How to respond to each incident, or to multiple incidents at the same time, requires prioritization. Prioritization affects who is contacted and how response is initiated.
Your plan must include a quick guide for how to prioritize incidents. The on-call responder and initial response team must quickly assess the seriousness of the incident and, again, decide within minutes how to proceed.
Using a prioritization matrix is one approach. Use of a matrix begins with prioritizing the urgency and impact of the incident. Table 1 below is a template showing what this might look like (Wikipedia, 2017). This approach prioritizes an incident based on overall impact on the organization and how fast that impact might occur. You can download this template and the templates for Tables 2 and 3 from http://bit.ly/2qWEqkU.
Table 1: Prioritization Categories
Table 2 is the actual matrix used to determine the priority of the incident. Table 3 provides guidance on how quickly to respond and the expected recovery period. None of this information is likely to be a perfect fit for your organization. Adjusting the downloadable tables is the first step in integrating this into your response plan. The adjustment process requires close collaboration with business representatives and IT to ensure reasonable and appropriate response expectations.
Table 2: Incident Prioritization Matrix
Table 3: Incident Priorities
Finally, the matrix is a good general approach, but you will not always need it if certain types of incidents occur. Working closely with the business during response planning, you should quickly know when a response is critical because of the business services or processes affected. One or both of the following conditions will usually result in a high priority response (Wikipedia, 2017):
• Certain (groups of) business-critical services, applications or infrastructure components are unavailable and the estimated time for recovery is unknown or exceedingly long (specify services, applications or infrastructure components, e.g., the customer facing order entry website is down)
• Certain (groups of) Vital Business Functions (business-critical processes) are affected and the estimated time for restoring these processes to full operating status is unknown or exceedingly long (specify business-critical processes, e.g. payroll during a payroll cycle)
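The following is an added example, not part of the guide or its downloadable templates: a small prioritization helper that applies the two override conditions above before consulting an urgency x impact matrix. The matrix cells, priority labels, and response and recovery targets are constructed placeholders standing in for Tables 1 to 3 and must be adjusted with business representatives.

```python
"""Added example (not from the guide): incident prioritization built on the
urgency x impact matrix the text describes. Matrix cells and targets are
constructed placeholders for Tables 1 to 3, not the guide's values."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed stand-in for Table 2: (urgency, impact) -> priority, 1 is highest.
PRIORITY_MATRIX = {
    (Level.HIGH, Level.HIGH): 1,
    (Level.HIGH, Level.MEDIUM): 2,
    (Level.MEDIUM, Level.HIGH): 2,
    (Level.HIGH, Level.LOW): 3,
    (Level.MEDIUM, Level.MEDIUM): 3,
    (Level.LOW, Level.HIGH): 3,
    (Level.MEDIUM, Level.LOW): 4,
    (Level.LOW, Level.MEDIUM): 4,
    (Level.LOW, Level.LOW): 5,
}

# Constructed stand-in for Table 3: priority -> (label, respond within h, recover within h).
PRIORITY_TARGETS = {
    1: ("critical", 0.25, 4),
    2: ("high", 0.5, 8),
    3: ("medium", 2, 24),
    4: ("low", 8, 72),
    5: ("planning", 24, 168),
}


@dataclass
class Incident:
    summary: str
    urgency: Level
    impact: Level
    # Business-critical services down with unknown or exceedingly long recovery.
    critical_services_down: list = field(default_factory=list)
    # Vital Business Functions affected with unknown or exceedingly long restore time.
    vital_functions_affected: list = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    priority: int
    label: str
    respond_within_hours: float
    recover_within_hours: float
    reason: str


def prioritize(incident):
    """Apply the two override conditions first; otherwise use the matrix."""
    if incident.critical_services_down:
        priority = 1
        reason = "critical service unavailable: " + ", ".join(incident.critical_services_down)
    elif incident.vital_functions_affected:
        priority = 1
        reason = "vital business function affected: " + ", ".join(incident.vital_functions_affected)
    else:
        priority = PRIORITY_MATRIX[(incident.urgency, incident.impact)]
        reason = f"matrix: urgency={incident.urgency.name}, impact={incident.impact.name}"
    label, respond, recover = PRIORITY_TARGETS[priority]
    return Decision(priority, label, respond, recover, reason)


def triage(incidents):
    """Order simultaneous incidents: highest priority first, then higher impact,
    so the on-call responder knows which one to work first."""
    return sorted(
        incidents,
        key=lambda i: (prioritize(i).priority, -int(i.impact), i.summary),
    )


if __name__ == "__main__":
    queue = [
        Incident("phishing email reported", Level.LOW, Level.LOW),
        Incident("order entry site down", Level.LOW, Level.LOW,
                 critical_services_down=["customer facing order entry website"]),
        Incident("malware on file server", Level.MEDIUM, Level.HIGH),
    ]
    for inc in triage(queue):
        d = prioritize(inc)
        print(d.priority, d.label, inc.summary, "|", d.reason)
```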
As part of this step, begin aggressive situational awareness activities. Situational awareness (SA) is the ability to understand the current state of a system and what has changed. SA is a continuous process supported by solutions like security information and event management (http://bit.ly/2qHKiyh); and identity governance and administration (http://bit.ly/2qa1cCR). Without SA, you can never quickly detect unwanted behavior and respond before your organization suffers serious damage, nor can you effectively manage an incident in progress.
(d) Step 4: Report incident as specified in the incident response communications plan
Once you determine an incident is in progress or has occurred, communicating what you know and what you are doing about it to the right people is important. Communication includes the rest of the CSIRT, previously identified managers, and external support organizations. Figure 8 (Cichonski, Millar, Grance, & Scarfone, 2012) depicts external entities normally included in a communication plan.
Figure 8: External Communication
How and when each of these entities is informed is up to your team's public relations (PR) representative and C-level management. As a responder, your responsibility should be to inform your PR team member and members of the management team listed in your communication plan. In addition, bringing in the necessary software and support vendors is the incident manager's responsibility. When approved by PR or management, the CSIRT will communicate directly with external teams within guidelines documented in the communications plan.
Communication does not start with an incident. Rather, the CSIRT should have an ongoing working relationship with all outside entities as part of incident preparation. When contacted, external teams should already have familiarity with your organization and your team. They should have been involved in incident response exercises. No one should have to ask questions that are not specific to the incident and its characteristics. Again, time is critical.
Structured guidelines for creating an incident response communication plan are available for download from http://bit.ly/2qu6jwZ.
(e) Step 5: Obtain management decision about forensics preservation and collection
Most incident response guidance requires preservation of evidence. In my experience, this is a secondary consideration for management. What management wants is a quick return to normal operation while mitigating business impact. This does not mean you should not be prepared for evidence gathering, but there comes a point in the response when management should decide whether collecting evidence is more important than recovery.
As you read earlier, we immediately assume when an incident occurs that we must preserve all evidence. This mindset must continue until management decides otherwise. Include in incident planning what is needed to understand what happened and how without major recovery delays.
Continuous, comprehensive logging; event correlation; and retention and protection of the results usually provide what we need at the post-incident root cause and action plan creation meetings. The information also provides first steps for law enforcement if a path to prosecution is taken.
In addition to logs, we can also seize relevant user devices without a significant delay in recovery. If we virtualize our servers, previous response planning can allow isolation and preservation of the incident-related servers while bringing up replacement virtual servers to restore business operations.
If we think through all probable scenarios during planning, evidence collection is often possible with what management might consider reasonable impact on the bottom line. Be sure to include forensics considerations in your preparation activities.
(f) Step 6: Acquire, preserve, and document evidence as directed in Step 5
If your CSIRT has its jump kit and internal/external forensics lab, it is ready to take on this step. Also, part of planning is ensuring your forensics investigators are certified and able to collect, analyze, and protect evidence so the results stand up in a court of law. See Section 5.
(g) Step 7: Contain the incident
Containment is the most important part of loss minimization and evidence preservation. For physical attacks, this translates into delaying an attacker long enough for law enforcement or other human intervention. Containment for logical attacks requires isolation of the affected systems and network segments. Isolation protects uninfected systems during malware attacks and helps prevent a cybercriminal from extracting data during a breach. It also helps prevent unwanted alteration of digital evidence.
Although containment involves processes unique to each incident, the overall approach to containment is strategic. It is "…a function that assists to limit and prevent further damage from happening along with ensuring that there is no destruction of forensic evidence that may [sic] be needed for legal actions against the attackers" (InfoSec Nirvana, 2015). Using scenario planning, assess the need for containment, how containment is achieved, and what you must do prior to an incident to prepare.
(i) Physical incidents
I do not spend much time on physical incidents in this guide. However, a brief look at physical incidents is important. Sometimes, a physical intrusion precedes a logical attack. Also, a device on your network might be used to launch or further an attack against your organization or one remote on the Internet.
The purpose of physical security is first to deter intruders with fences, guards, signs, etc. Second, we delay intruders by placing layers of barriers between them and the targets. Examples of barriers include gates, fences, walls, and locks. The length of required delay depends on the response time for arresting or otherwise intervening to stop the intrusion.
Barriers alone are not enough. SA also applies to physical attacks. Alarms, cameras, and other types of sensors help track and apprehend an intruder. Also, containing a crime scene and related evidence is necessary if management decides to prosecute. If a device or system is used for an attack or is the target of an attack, ensure barriers (crime scene tape and human oversight) prevent access by anyone not directly involved in the response process.
For a detailed look at physical security for protecting your information resources, see Physical Security: Managing the intruder (http://bit.ly/2q9I7AV).
(ii) Logical incidents
Containing logical incidents requires addressing isolation alternatives during the SDLC and all risk assessments. If we have not planned for isolation, we end up running through the data center unplugging cables (hopefully labeled cables), hoping for the best. If you have ever done this, you know isolation is iffy and recovery can take longer.
One of the most effective methods of isolation is use of VLANs. In addition to controlling day-to-day access, VLANs provide the segmentation and device isolation needed to prevent, deter, and contain an attack. See VLAN Network Segmentation and Security (http://bit.ly/2ggAuVA).
Figure 9 shows a network segmented with VLANs. All database servers are on a single VLAN, with users and application servers on another. All external traffic arrives and exits on other VLANs. VLANs are configured to prevent devices on the same VLAN from communicating with each other unless explicitly allowed, so some isolation is already built in. This is a simple example. In the real world, I would likely separate sensitive data, public data, control data, and different business processes onto different VLANs.
Figure 9 shows how easy it would be to isolate various segments of the network by reconfiguring one or two switches. Segmentation is also possible using routers in addition to switches. Segmentation strongly supports containment whether you operate in a traditional, virtual, or hybrid environment.
Figure 9: VLAN Segmentation (Olzak, 2012 (April))
Quick containment using network devices requires preconfigured reconfigurations stored and easily accessed by the response team. This allows for rapid isolation once the threat agent's actions are analyzed. One way to ensure fast reconfiguration across all relevant devices is with a software defined network solution (http://bit.ly/2q7lwsq).
For end-user devices, the most effective isolation approach is unplugging them from the network. Place cell phones, tablets, and other mobile cellular access devices in Faraday bags. Do not power them off. Have a plan in place to block affected user devices from connection to wireless access points if too large to place in Faraday protection.
Your containment approach should enable the CSIRT to stop data extrusion or the spread of the attack quickly and as narrowly as is reasonable and appropriate for business operations and risk. How you do this is unique to the combination of your technology, your budget, legal ramifications, and management's appetite for risk.
(h) Steps 8 & 9: Eradicate the Incident and Recover
Steps taken to eradicate an incident depend on the type of incident and the tools and techniques used by the attacker. Scenario planning and comprehensive threat intelligence ensure you identify all malware, untrusted data items, inappropriate materials, unwanted registry entries, etc.
(i) Eliminate exploited vulnerabilities
The first step in eradication is making sure the incident does not happen again in the same way. Achieving this requires elimination of the vulnerabilities exploited by the threat agent. Identification of these vulnerabilities should be apparent through established threat intelligence research and results from your log management solution.
An expeditious process for fixing vulnerabilities is already part of a well-designed change management process. Patches and reconfiguration of controls or systems are quickly assessed, documented, and applied without going through complete change management signoff.
If you make a change that does not work as expected, reverse it before trying something else. Do not throw multiple changes at the incident without analysis of what works, what does not work, and removal of anything no longer needed. Otherwise, you will not know what actually saved your organization. Further, post-incident cleanup will take much longer than necessary.
(ii) Remove the unwanted
The most effective, and often quickest, approach to eradication on user devices is a complete wipe and reinstall. In many incidents, this is the only way to be certain all unwanted entities are removed from affected devices. Planning for this requires creation of user device images, including different configurations based on line of business, department, business role, etc. Image creation is part of incident planning and preparation. Initially, this can be very time consuming. Once done, however, including image management in the change management procedures makes keeping images up to date relatively easy.
Using server images is also effective, but using virtualized servers or containers for your critical servers is often a better option. Bringing up a virtual machine to replace a server isolated in an incident quickly achieves both eradication and recovery for that server and supported business processes. Before placing new servers in production, be sure to eliminate any identified vulnerabilities found in the compromised servers.
Finally, we need to ensure data integrity and the absence of untrusted data objects in our databases and on our file servers. The first preparation step is prevention of integrity compromise with strong authentication and authorization controls. Next, back up and back up often. Your backup timeline should represent the longest you want to be down following any kind of business continuity event (http://bit.ly/2rakdXj). Protect backups from any type of incident that might occur at any facility. This usually means retaining them offsite or in the cloud.
Cloud database backup services, like those provided by Microsoft (http://bit.ly/2rcjXJ4), Oracle (http://bit.ly/1N3eQ3j), and other cloud service providers enable both database and flat file backups that provide data integrity and reasonable recovery times. Solutions like Carbonite (http://bit.ly/2bj85fH) can protect even the smallest business with offsite, protected data. However, faster recovery times for your most time sensitive business processes might require maintaining synchronized database servers at a colocation (co-lo) or in the cloud.
A co-lo is a data center placed at least 25 miles from your primary data center that contains infrastructure supporting your critical business processes. For disaster recovery purposes, your co-lo and data center should be in different power grids, flood plains, weather corridors, etc. For attack purposes, the connection between the co-lo and data center must be tightly controlled. Consider allowing no remote user access unless the data center or one of the critical systems becomes unavailable.
Synchronize data between the co-lo and data center so that a simple change to DNS, VPN, or other remote access methods allows customers and remote sites access with little interruption in service delivery. Further, office staff at the data center location must have a way to easily access the co-lo servers.
Always assume your data center compromise can easily pass to your co-lo. SA for your co-lo is also necessary.
When wipe-and-replace or redundant systems are not available or possible, removal of unwanted items requires research into what happened, tools used by the attacker, actions taken by the attacker, files and executables installed, and any other changes made to registries, configuration files, etc. Once you complete this time-consuming process, the CSIRT must create a procedure and associated tools to reverse all attacker actions. Team members and other recruited IT personnel must then follow the documented procedure to eradicate the threat. Unless the attack scope was very small, this approach might extend recovery time beyond one or more business process maximum tolerable downtimes (http://tek.io/2rDmgC5).
(iii) Recovery
Recovery is focused on returning business processes within MTDs defined in BIAs. Recovery time includes the time necessary to restore the infrastructure and the time needed to rebuild data sets. This is also known as the maximum period of tolerable downtime (Olzak, 2013), as shown in Figure 10. The RTO (recovery time objective) is how long it takes to restore supporting technology.
Figure 10: Maximum Period of Tolerable Downtime
We previously looked at eradication methods that also begin the recovery process. Solutions like a co-lo or a cloud-based redundancy solution can quickly return business processes to normal. Other approaches take more time. Regardless of how you approach eradication and recovery, be sure to work with management to understand your recovery time options. This includes considering the MTDs of processes affected by a downed system: both upstream and downstream. See Figure 11 (Olzak, 2013).
Figure 11: Dependent Processes
Failure of any one of these processes breaks a chain required to provide product to customers. The MTD for any process in this chain is the shortest MTD across all processes: the chain's MTD.
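As an added example (not from the guide), the following code works the chain MTD of Figure 11 and the recovery-time arithmetic of Figure 10 through: it finds every process upstream or downstream of a downed one, takes the shortest MTD as the chain's MTD, and keeps only the recovery options whose RTO plus data rebuild time fits. The processes, MTDs, dependency links and option timings are constructed sample values.

```python
"""Added example (not from the guide): chain MTD of dependent processes and
a check of recovery options against it. Recovery time = RTO (restore the
technology) + data-set rebuild time. All values below are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    mtd_hours: float  # maximum tolerable downtime from the BIA


@dataclass(frozen=True)
class RecoveryOption:
    name: str
    rto_hours: float           # time to restore supporting technology
    data_rebuild_hours: float  # time to rebuild data sets afterwards

    @property
    def recovery_hours(self):
        return self.rto_hours + self.data_rebuild_hours


def chain_mtd(chain):
    """Failure of any one process breaks the chain, so the chain's MTD is the
    shortest MTD among its members."""
    if not chain:
        raise ValueError("empty chain")
    return min(p.mtd_hours for p in chain)


def affected_chain(downed, feeds):
    """Return the downed process plus every process upstream or downstream of
    it. `feeds` maps a process to the processes that consume its output."""
    producers = {}
    for src, dsts in feeds.items():
        for dst in dsts:
            producers.setdefault(dst, []).append(src)
    seen, queue = {downed}, deque([downed])
    while queue:
        p = queue.popleft()
        for nxt in feeds.get(p, []) + producers.get(p, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def viable_options(chain, options):
    """Options whose total recovery time fits within the chain's MTD, fastest first."""
    limit = chain_mtd(chain)
    fits = [o for o in options if o.recovery_hours <= limit]
    return sorted(fits, key=lambda o: o.recovery_hours)


# Constructed sample: order entry and inventory feed fulfillment, which feeds shipping.
ORDER_ENTRY = Process("order entry", 24)
INVENTORY = Process("inventory", 36)
FULFILLMENT = Process("fulfillment", 48)
SHIPPING = Process("shipping", 72)
PAYROLL = Process("payroll", 120)  # unrelated process; must not be pulled into the chain
FEEDS = {ORDER_ENTRY: [FULFILLMENT], INVENTORY: [FULFILLMENT], FULFILLMENT: [SHIPPING]}

OPTIONS = [
    RecoveryOption("fail over to synchronized co-lo", 1, 0.5),
    RecoveryOption("rebuild from offsite backup", 8, 20),
    RecoveryOption("manual eradication and restore", 36, 24),
]

if __name__ == "__main__":
    chain = affected_chain(FULFILLMENT, FEEDS)
    print(sorted(p.name for p in chain), "chain MTD (h):", chain_mtd(chain))
    for o in viable_options(chain, OPTIONS):
        print("viable:", o.name, o.recovery_hours)
```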
Once you recover systems, work with the business to confirm correct operation. Check not only whether the technology works as expected, but also ensure data integrity. Having predefined reports to validate data accuracy is one way to quickly do this.
(i) Step 10: Root Cause Analysis and Action Plan
The last step in incident response is ensuring the same incident does not happen again in the same way. Also, you want to assess how well your team responded and whether you can improve; there are always opportunities for improvement.
Although you should have already blocked one or more of the vulnerabilities exploited in the current incident, you need to understand why those vulnerabilities existed and the failure of controls to detect and stop the attack. Root cause analysis is the primary tool for this.
Root cause analysis finds the fundamental, the root, causes of any event. It prevents treating symptoms. Treating only symptoms will not effectively prevent future, similar incidents.
Cause analysis begins with bringing together everyone involved in the incident and with the systems affected. The resulting meeting must prohibit finger-pointing and assigning blame. That is not the purpose of the meeting. Trying to place blame causes attendees to get defensive and lose objectivity.
Root cause is found by following the chains of cause and effect leading to the incident, as shown in Figure 12 (Olzak, 2008). In many instances, more than one root cause exists. Analysis begins with the proximate cause and works back to the root causes. A proximate cause is the event and surrounding conditions that enabled the incident. The process used for this step-back process varies between organizations. I used two different methods, but I found the five-whys approach worked best.
Figure 12: Root Cause Chain of Events
An example of a five-whys analysis is shown in Figure 13. In this example, ransomware crippled the organization because a user fell for a phishing attack. With five-whys, you begin by asking why your data was unavailable. The answer should include any actions taken, processes executed, and the conditions under which the actions and executions happened. When you arrive at the fifth why, the root cause is usually identified. If not, consider starting again. You either missed something or the answers are incorrect. The goal is to break the chain as far as possible from the proximate cause with new controls or procedures; or modifications to existing controls or procedures. However, a layered approach should address multiple events along the chain.
Figure 13: Five Whys
More than one root cause might exist. One of your 'why' answers might include two different causes. Your analysis must then branch off to address both. Consider each branch a separate set of five-whys. You might separate your team, so sub-teams address branches. When all branches are complete and all root causes identified, the entire team comes back together to complete the full analysis diagram.
You will not always know all the answers when first meeting. Consequently, it might take two or three meetings before you arrive at all root causes and create an action plan.
The action plan is part of the final report to management. It includes recommendations for eliminating root causes and improving response. A sample action plan is available for download from http://bit.ly/2rtKAtT. It should minimally include
• Action to take
• Priority of the action
• Plan to complete the action
• Action status
• Person or team assigned
• Date for expected completion
Finally, complete a full report on the incident. Convert your incident log into two stories: one for management and one for your technical teams. The report includes documents and presentations. The presentation to management includes a request for approval for the action plan and an assessment of risk if one or more actions are not approved. A template for a comprehensive but easy to reference incident report is available for download from http://bit.ly/2sm5k3h.
A report is also necessary when analysis of anomalous behavior is deemed not malicious. Referring to these reports during risk assessments or during root cause analysis might reveal previously unrecognized patterns. A shorter report is usually sufficient for this, and a template is available from http://bit.ly/2rk5Nui.
Section 3.03 Section Summary
Planning and creating the tools and procedures for managing an incident must happen before an incident occurs. This enables reasonable and appropriate prevention, detection, and response.
Training team members on the plan is not optional. Everyone on the CSIRT must understand his or her role and how to execute relevant procedures. Tools for incident response are uniquely designed for each organization.
Starting with templates helps ensure you cover all areas. In addition to the tools provided in this section, the SANS Institute provides an alternative tool set at http://bit.ly/2qASIF1.
Section 4. Response
In this section, we walk through activities that might occur during a response. The walk-through assumes you planned and prepared as described in Section 3. I once again use the response checklist, shown in Figure 14, as our guide. This is a very high-level view of what a response might look like. Each response is unique to what is occurring, so scenario planning as described in Section 3 affects how a response happens and its effectiveness.
Figure 14: Incident Response Checklist
Section 4.01 Step 1: Begin documentation and potential evidence preservation
Upon notification of anomalous network or device behavior, initiate an incident log. Note
• Date and time of notification
• Person making the notification
• What the person reported
• Systems or networks initially affected
Notify relevant personnel to minimally
• Physically isolate affected user spaces if a crime is committed using a user device
• Avoid further logical or physical contact with affected systems or networks that would unnecessarily modify logs or wipe content: especially avoid powering down or resetting affected systems
Section 4.02 Step 2: Determine if incident has occurred
Using tools implemented during planning and preparation, look for incident precursors and indicators. Hopefully, you will immediately know what is happening or specifically what to examine thanks to automatic threat intelligence associated with your security tools. If not, the following list of things to check is from a poster provided by the SANS Institute at http://bit.ly/2rkg577. This resource includes tools for looking for these conditions in a Windows environment. A Linux version is also available.
• Unusual log entries.
o Did a log activity unexpectedly stop?
o Are there many failed login attempts or locked out accounts?
o Are logs unexpectedly accessed or modified?
• Unusual network usage.
o Have any new and unusual file shares appeared?
o Are unusual sessions open on servers or user devices?
o Is a large quantity of data moving in unexpected ways?
o Are unexpected sessions open between internal systems or between internal and external systems?
• Unusual files and registry keys.
o Has there been a major increase or decrease in disk free space?
o Are there unusually large files?
o Are there strange programs associated with system startup?
o Is bulk file encryption occurring?
• Unusual scheduled tasks.
o Are there unusual tasks running as admin, SYSTEM, or a blank user name?
• Unusual accounts.
o Are there new, unexpected accounts in the administrator groups: local or domain?
• Other.
o Are servers or user devices performing sluggishly?
o Are there unusual system crashes?
o Is there anything else happening that is unexpected given up-to-date network and system baselines you previously documented?
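The following is an added example, not from the guide or the SANS poster: it runs four of the checks in the list above (a burst of failed logins or a lockout, log activity that unexpectedly stops, log clearing, and an unexpected account added to an administrator group) over constructed log lines. The line format, host and user names, expected administrators and thresholds are all assumptions; a real deployment would read SIEM events instead.

```python
"""Added example (not from the guide): Step 2 indicator checks run over
constructed sample log lines. Format, names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2017-06-01T09:00:00 host=dc01 event=login_failed user=jsmith src=10.1.1.20
2017-06-01T09:00:03 host=dc01 event=login_failed user=jsmith src=10.1.1.20
2017-06-01T09:00:05 host=dc01 event=login_failed user=jsmith src=10.1.1.20
2017-06-01T09:00:08 host=dc01 event=login_failed user=jsmith src=10.1.1.20
2017-06-01T09:00:10 host=dc01 event=login_failed user=jsmith src=10.1.1.20
2017-06-01T09:00:12 host=dc01 event=account_locked user=jsmith
2017-06-01T09:01:00 host=dc01 event=login_ok user=svc_backup src=10.1.1.5
2017-06-01T09:02:00 host=dc01 event=group_member_added group=Administrators user=tmp_admin
2017-06-01T09:05:00 host=fs01 event=login_ok user=asmith src=10.1.2.40
2017-06-01T09:05:30 host=fs01 event=audit_log_cleared user=asmith
2017-06-01T09:05:00 host=ws07 event=heartbeat
2017-06-01T11:30:00 host=ws07 event=heartbeat
"""

EXPECTED_ADMINS = {"itadmin", "svc_backup"}  # assumed baseline of admin group members
TAMPER_EVENTS = {"audit_log_cleared", "audit_policy_changed", "log_deleted"}


def parse_log(text):
    """Turn each line into a dict with a datetime under 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        ev = {"ts": datetime.fromisoformat(stamp)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Many failed logins or lockouts: flag (host, user) pairs with at least
    `threshold` failures inside any `window`, plus explicit lockout events."""
    findings = []
    stamps = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            stamps[(e["host"], e["user"])].append(e["ts"])
        elif e["event"] == "account_locked":
            findings.append({"check": "account_locked", "host": e["host"], "user": e["user"]})
    for (host, user), ts in stamps.items():
        j = 0
        for i in range(len(ts)):  # sliding window over the sorted timestamps
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            if j - i >= threshold:
                findings.append({"check": "failed_login_burst", "host": host,
                                 "user": user, "count": j - i})
                break
    return findings


def log_gaps(events, max_gap=timedelta(minutes=60)):
    """Did log activity unexpectedly stop? Flag hosts whose consecutive
    events are further apart than `max_gap`."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    for host, ts in by_host.items():
        for a, b in zip(ts, ts[1:]):
            if b - a > max_gap:
                findings.append({"check": "log_activity_stopped", "host": host,
                                 "gap_minutes": int((b - a).total_seconds() // 60)})
    return findings


def log_tampering(events):
    """Are logs unexpectedly accessed or modified?"""
    return [{"check": "log_tampering", "host": e["host"], "user": e.get("user"),
             "event": e["event"]} for e in events if e["event"] in TAMPER_EVENTS]


def unexpected_admins(events, expected=EXPECTED_ADMINS):
    """New, unexpected accounts in the administrator groups (local or domain)."""
    return [{"check": "unexpected_admin", "host": e["host"], "user": e["user"],
             "group": e["group"]}
            for e in events
            if e["event"] == "group_member_added"
            and e["group"] in {"Administrators", "Domain Admins"}
            and e["user"] not in expected]


def run_checks(text):
    events = parse_log(text)
    return (failed_login_bursts(events) + log_gaps(events)
            + log_tampering(events) + unexpected_admins(events))


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_LOG):
        print(finding)
```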
If you have the right tools in place (SIEM, IPS, firewalls, etc.), you will likely see much of what you need to know in a security management portal: at least you should. In any case, you will want to refer to the list above when determining what you know and what you do not. Whiteboards with discovered information are a good tool for helping your entire team quickly gain insights into the incident.
Once you collect sufficient information, use your previously identified resources to research what might be the cause of your findings. If you find nothing malicious occurring, complete a short-form report and stop the incident process.
Section 4.03 Step 3: Prioritize the incident and establish situational awareness
Use a tool like the matrix in Section 3 to prioritize the incident based on urgency and impact. Assign a previously designated and trained initial CSIRT member to continuously monitor for conditions in Step 2 throughout the response process. This includes targets thought to be compromised and all critical devices and networks. Isolation does not always work as expected.
Section 4.04 Step 4: Report incident as specified in communications plan
Using the previously defined communication plan, notify the CSIRT members and appropriate management of a probable incident. Be sure to have available for distribution the initial response activities recorded in the log started in Step 1. The CSIRT establishes the incident command center and begins detailed analysis. Analysis never stops as additional information is gathered.
Section 4.05 Step 5: Obtain management forensics evidence collection decision
The initial response should have already taken steps to protect evidence. At this point, management must decide whether to continue forensics processes or focus on business process recovery. Information needed for this decision includes evidence collection impact on how long affected business processes might be down and what evidence is already available without delays (see Section 3). Also relevant is the probability that detailed evidence collection has value given the type of attack and the threat agent involved.
Section 4.06 Step 6: Acquire, preserve, and protect evidence
I address this process in Section 5.
Section 4.07 Step 7: Contain the incident
Although this step appears late in the process, it should be something that happens quickly once an incident is identified. For example, the on-call responder should have the skills and tool set to quickly isolate key network segments after performing Step 2. In Step 7, detailed analysis by the CSIRT and situational awareness information provide the need for additional containment activities.
Also in this step, virtual servers and newly imaged spare user devices can be activated to reduce business process downtime. Depending on how the incident is contained and the processes affected, recovery does not necessarily have to wait until after eradication. However, be sure these systems will not be compromised again using the same vulnerabilities. This often requires patching or a quick reconfiguration of a network device or control.
Section 4.08 Step 8: Eradicate the incident
At this point, SA and additional analysis should provide enough information about the threat agent and related tools and techniques for eradication. The CSIRT documents a plan for eradication, including scripts and other tools for malware and other unwanted digital entities, and quickly trains response personnel on how to execute it.
The eradication plan includes predefined expeditious change documentation for exploited vulnerability management. Changes include quick modifications to existing network devices, operating systems, business applications, and security controls configurations.
Section 4.09 Step 9: Recover
With proper planning, recovery began in Step 7 and continued through Step 8. What has not occurred yet is verification of data integrity. Use tools and procedures selected and documented during preparation to verify or recover flat file and database data accuracy and authenticity. Remove all containment restrictions and work with business users to ensure affected business processes work as expected: producing valid results.
Section 4.10 Step 10: Root cause analysis and reporting
Gather all personnel involved in incident impact and response to perform an after-action root cause analysis. Complete a detailed response report and presentations for both management and technical teams. The report should include an action plan for management approval and detailed improvement of both security controls/procedures and response activities.
Section 4.11 Section Summary
This section provides a strong foundation for a documented response plan. Based on a checklist, it gives you general actions to take as you step through any type of incident. Again, the type of incident determines specific actions. Therefore, training with various attack scenarios is a necessary part of planning and preparation.
Section 5. Initial Response Forensics
A detailed discussion of digital forensics investigation is outside the scope of this guide. What is important in any response guide is how to initially preserve evidence for forensics investigations. That is what I cover in this section. For a deeper look at digital forensics investigations, see
• NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response (http://bit.ly/2qKq9nP)
• NIST SP 800-101 Guidelines on Mobile Device Forensics (http://bit.ly/1odIMvB)
• Digital Forensics/Incident Response Forms, Policies, and Procedures (http://bit.ly/2sxbSML)
• Marshall University Forensic Science Center (http://bit.ly/2qKyqIu)
• NIST Crime Scene Investigation: A Guide for Law Enforcement (http://bit.ly/2rN9swT)
Section 5.01 Forensics Overview
Generally, forensics is the collection, examination, analysis, and reporting of evidence used in identifying and prosecuting perpetrators of a crime. Digital forensics is “the application of science to the identification, collection, examination, and analysis of data while preserving the information and maintaining a strict chain of custody” (Kent, Chevalier, Grance, & Dang, 2006, pp. ES-1).
The process of digital forensics, as shown in Figure 15, is the collection of digital media, the careful extraction of data from that media, correlation of the data to create meaningful information about the crime, and providing credible reports showing relevant evidence for or against one or more suspects. Throughout this process, initial responders and forensics investigators must ensure evidence integrity. Evidence integrity is ensured by
• Establishing a strict chain of custody as soon as potential evidence is collected
• Using only forensically acceptable methods of extracting data from media
• Never using original media for analysis
• Creating forensic copies of media for analysis, with hash values calculated immediately after the copy is complete and before the start of analysis
• Allowing only authorized, tracked personnel access to the crime scene, forensics lab, and other areas where evidence is collected or analyzed
• Isolating all analysis systems from networks external to the lab, especially the Internet
• Using only forensics tools known to be acceptable to the forensics community and generally acceptable in legal proceedings
• Being able to demonstrate the professional, skilled status of the forensics investigators in legal proceedings
Figure 15: Digital Forensics
Evidence preservation and chains of custody begin with the initial responders. The rest of this section describes how they must work to preserve the integrity of evidence before arrival of forensics investigators.
Section 5.02 Protecting Digital Evidence
We have already discussed in previous sections the importance of securely maintaining logs and other information gathered during daily monitoring. These form the foundation for forensics work. However, in some cases we also need the contents of swap files and memory to supplement our log information. Consequently, we must never allow anyone to reset or power off any potentially affected devices until management decides how far to proceed with evidence collection.
Ensuring proper handling of user devices during an incident requires training at least our business managers on what to do and not to do when an incident is suspected. In my experience, resetting or powering off a device is a common first step by management. Another management action is often sitting in front of a possibly compromised system, or one that was used in the commission of a crime, to “explore.” All these actions must be stopped by policy and training.
IT personnel must also protect evidence in data centers. Once an incident is suspected, a hands-off policy must be enforced. The only exceptions are containment activities defined and directed by the response team. Reaching this outcome requires training and practice.
The hands-off conditions must continue until the digital forensics investigators take over or until management decides to forgo detailed evidence collection.
Section 5.03 Securing a Potential Crime Scene
If an office, cubicle, conference room, or other physical space is suspected of use during an incident, you must secure it immediately. First steps include placing someone at the entrance to the area to block all access. Ideally, this would be a security guard. The initial securing of the scene is the responsibility of relevant managers and should take place before arrival of initial responders.
As quickly as possible, the CSIRT should dispatch initial responders to the site. The following steps taken upon arrival are modified recommendations from NIST’s Crime Scene Investigation: A Guide for Law Enforcement (http://bit.ly/2rN9swT). When performing these steps, the guiding principle is to avoid anything but minimal contamination and disturbance of evidence.
1. Begin a log with notification of the incident (date/time, address/location, type of incident, and parties involved) and then log every action taken and observation made at the scene
2. Be aware of any persons leaving the scene
3. Approach the scene cautiously, scan the entire area to thoroughly assess the scene, and note any possible secondary scenes
4. Ensure no one is still using any device or accessing any physical materials at the scene
5. Be aware of any persons in the vicinity that may be related to the crime
   a. Secure and separate suspects
   b. Secure and separate witnesses
   c. Determine if bystanders are witnesses and secure and separate as appropriate
   d. Exclude unauthorized and nonessential personnel from the scene, including managers demanding access
6. Make initial observations to assess the scene and ensure human safety before proceeding
7. Ensure human injuries are treated
8. Remain alert and attentive, and assume the crime is ongoing until otherwise determined
9. Treat the location as a crime scene until assessed and determined to be otherwise
   a. Use crime scene tape to identify and contain all related locations
   b. Log all persons entering and exiting the scene
      i. Time
      ii. Name
      iii. Contact information
      iv. Reason
10. Photograph the scene (and create sketches when photographs do not capture enough details of what you see)
   a. Walls
   b. Floor
   c. Desktops
   d. Computer and handheld device screens
11. Carefully place mobile devices (phones and tablets) into Faraday bags without powering them off and create a chain of custody form for each collected device
12. After photographing all connectors and original locations of the devices, unplug all network cables and ensure the CSIRT has blocked all wireless access for these devices
13. Wait for arrival of forensics investigators, and upon their arrival
   a. Provide a detailed briefing of your actions and the current state of the scene, witnesses, suspects, evidence, etc.
   b. Turn over all materials and evidence with proper chain of custody
   c. Assist as requested
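Steps 1, 9b, 11 and 13b above all come down to one record: a log that captures every action, observation and custody transfer, in order, in a form that can later be shown not to have been altered. The following is an added example and not part of this guide or its downloadable checklist. It keeps the scene log as a hash chain: each entry stores the SHA-256 of the previous entry, so editing or deleting any entry after the fact breaks the chain and verify_chain() reports it. Responder names, times and the evidence tag EV-001 are constructed sample data; a real deployment would add the responder's signature or a time-stamping service, which this block does not cover.

```python
"""
Tamper-evident scene log and chain-of-custody record (added example, not from the guide).

Each Entry carries prev_hash (SHA-256 of the previous entry) and entry_hash
(SHA-256 of its own content including prev_hash), so the log can only be
appended to; any later change is detected by verify_chain().
All names, times and item identifiers below are constructed sample data.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import List, Optional

GENESIS = "0" * 64   # back-link of the first entry


def _canonical(payload: dict) -> bytes:
    """Stable byte encoding so an identical entry always hashes identically."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Entry:
    seq: int
    timestamp: str                   # ISO-8601 UTC, supplied by the responder
    responder: str
    kind: str                        # notification | action | observation | custody
    text: str
    item_id: Optional[str] = None    # evidence tag, used for custody entries
    custodian: Optional[str] = None  # who holds the item after this entry
    prev_hash: str = GENESIS
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")       # the hash covers everything but itself
        return hashlib.sha256(_canonical(body)).hexdigest()


@dataclass
class SceneLog:
    entries: List[Entry] = field(default_factory=list)

    def add(self, timestamp, responder, kind, text,
            item_id=None, custodian=None) -> Entry:
        """Append an entry linked to the previous one; entries are never edited."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        e = Entry(len(self.entries), timestamp, responder, kind, text,
                  item_id, custodian, prev_hash=prev)
        e.entry_hash = e.compute_hash()
        self.entries.append(e)
        return e

    def verify_chain(self) -> bool:
        """True only if every sequence number, back-link and hash is intact."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e.seq != i or e.prev_hash != expected_prev
                    or e.entry_hash != e.compute_hash()):
                return False
            expected_prev = e.entry_hash
        return True

    def custody_history(self, item_id: str) -> List[str]:
        """Ordered custodians of one evidence item, for the chain-of-custody form."""
        return [e.custodian for e in self.entries
                if e.kind == "custody" and e.item_id == item_id]


def demo_log() -> SceneLog:
    """Constructed scenario following the scene steps: notification, actions, custody."""
    log = SceneLog()
    log.add("2017-06-02T14:05:00Z", "A. Responder", "notification",
            "Incident reported by M. Manager; office 3B; suspected data theft")
    log.add("2017-06-02T14:21:00Z", "A. Responder", "action",
            "Arrived; guard posted at entrance; nobody using devices")
    log.add("2017-06-02T14:30:00Z", "A. Responder", "observation",
            "Tablet on desk, screen on; workstation unlocked; photographed")
    log.add("2017-06-02T14:35:00Z", "A. Responder", "custody",
            "Tablet placed in Faraday bag without powering off",
            item_id="EV-001", custodian="A. Responder")
    log.add("2017-06-02T16:10:00Z", "A. Responder", "custody",
            "EV-001 handed to forensics investigator with briefing",
            item_id="EV-001", custodian="F. Investigator")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain intact:", log.verify_chain())
    print("custody of EV-001:", log.custody_history("EV-001"))
```

Write the log to append-only storage and read the last entry_hash aloud into the briefing at handover; the investigator can then recompute the chain and confirm that what they received is what the responder recorded.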
Just as forensics investigators must be trained professionals, initial responders must have a thorough understanding of what steps to take in any situation. This, again, requires frequent scenario-based training. The checklist shown in Figure 16, and downloadable from http://bit.ly/2sn0ROz, is a good start for a reference and response management tool for initial responders.
Figure 16: Initial Response Team Checklist
The checklist tasks are not necessarily listed in the order in which they are to be completed. A first response team lead should assign tasks to herself and other team members, and some tasks should be done simultaneously, if possible. These include identification and separation of witnesses, securing and separating suspects, ensuring no unauthorized individuals are in or will enter the crime scene, and isolation of mobile and other devices from network access.
Section 5.04 Section Summary
First steps taken by business users and management are an important part of initial response. Part of security training, at least for managers, should be what to do and what not to do when they suspect an incident.
The CSIRT initial response team must work closely with management once they arrive on the scene. Managing employees, collecting evidence, and other activities need management cooperation. You are not law enforcement. Someone in authority must assist to avoid unnecessary confrontations and delays.
Before arrival of the forensics investigator, only perform those steps necessary to ensure human safety, preserve evidence, and gather witnesses/suspects. Log everything you do or see. Take photographs before touching anything. Create sketches in cases in which a photograph is not quite enough.
Section 6. Works Cited
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). Computer Security Incident Handling Guide (NIST SP 800-61r2). Retrieved May 18, 2017, from NIST (CSRC): http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Gartner. (2017). Business Impact Analysis. Retrieved May 19, 2017, from Gartner IT Glossary: http://www.gartner.com/it-glossary/bia-business-impact-analysis
InfoSec Nirvana. (2015, March). Part 4 - Incident Management. Retrieved May 28, 2017, from InfoSec Nirvana: http://infosecnirvana.com/part-4-incident-containment/
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006, August). Guide to Integrating Forensic Techniques into Incident Response. Retrieved June 2, 2017, from NIST: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
Manadhata, P. K., Karabulut, Y., & Wing, J. M. (n.d.). Report: Measuring the attack surfaces of enterprise software. Retrieved May 19, 2017, from Carnegie Mellon: School of Computer Science: http://www.cs.cmu.edu/~wing/publications/ManadhataKarabulutWing08.pdf
Olzak, T. (2008, September). Prevent recurring problems with root cause analysis. Retrieved May 30, 2017, from TechRepublic: http://www.techrepublic.com/blog/it-security/prevent-recurring-problems-with-root-cause-analysis/
Olzak, T. (2011, June). Manage the Enterprise Attack Surface. Retrieved May 19, 2017, from CBS Interactive: http://www.techrepublic.com/downloads/manage-the-enterprise-attack-surface/2949257
Olzak, T. (2012, January). Risk Management. Retrieved May 20, 2017, from InfoSec Institute: http://resources.infosecinstitute.com/risk-management-chapter-2/
Olzak, T. (2012, April). VLAN Network Segmentation and Security. Retrieved May 23, 2017, from InfoSec Institute: http://resources.infosecinstitute.com/vlan-network-chapter-5/
Olzak, T. (2013, March). The elements of business continuity planning. Retrieved May 29, 2017, from TechRepublic: http://www.techrepublic.com/blog/data-center/the-elements-of-business-continuity-planning/
Olzak, T. (2016, May). Ensure business continuity with change management. Retrieved May 23, 2017, from CSO: http://www.csoonline.com/article/3067112/business-continuity/ensure-business-continuity-with-change-management.html
Olzak, T. (2017). Attack Surface Reduction. Retrieved May 19, 2017, from InfoSec Institute: http://resources.infosecinstitute.com/attack-surface-reduction/
Ross, S. (2010, October). A business impact analysis checklist: 10 common BIA mistakes. Retrieved May 21, 2017, from SearchDisasterRecovery: http://searchdisasterrecovery.techtarget.com/feature/A-business-impact-analysis-checklist-10-common-BIA-mistakes
Wikipedia. (2017, January). Checklist Incident Priority. Retrieved May 26, 2017, from Wikipedia: https://wiki.en.it-processmaps.com/index.php/Checklist_Incident_Priority