Incident Response
Christian Seifert
IMT551, 31st October 2007
Definition
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs. (http://it.jhu.edu/glossary/ghi.html)
Examples
• Lost notebook
• Positive anti-virus classification on workstation
• Denial of Service on web server
• Database server sends SPAM
• Unauthorized access on the premises
• Deleted budget files on the file server
Traditional Attack Pattern
• Locate
• Gain user access
• Escalate privileges
• Cover tracks
• Ensure future access (backdoor)
• Launch further attacks (stepping stone)
Incident Response Phases
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow-Up
Phases per incident: Identification through Follow-Up
Preparation
• Create your Incident Response Plan
• Form an Incident Response Team
• Educate users and inform management
• Forensic Readiness
– Ability of an organization to maximize its potential to use digital evidence whilst minimizing the cost of an investigation
Incident Response Plan
• Background
• Definitions
• Incident classification
• Reporting
• Business Continuity
• Process Flow
• Example Incidents
Incident Classification & Handling
• What constitutes an incident?
• What happens when an incident is detected?
• Things to consider:
– Business needs
– Costs / Resources
– Legal aspects
– Chain of custody
Proactive/Reactive Incident Response
• The term “Response” indicates a reactive setup
• However, proactive incident “response” is also possible and recommended:
– Staying informed about vulnerabilities
– Education
– Auditing / Penetration Testing
Identification
• Recognize and report an incident
– Users via help desk
– IDS / Honeypots
– Could be an outside source
• Determine whether it is an incident
• Assess and prioritize (triage process)
• Communication
• KEEP A LOG BOOK!
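An added example (not from the slides) of the log book and chain-of-custody points: an append-only, hash-chained record of who did what and when, so any later alteration of a past entry is detected and located. Entry fields, names and timestamps below are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the very first entry


def entry_hash(prev_hash, entry):
    # Canonical JSON (sorted keys, no whitespace) so equal content hashes equally.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class LogBook:
    """Append-only log book; each entry's hash covers the previous hash (a chain)."""
    def __init__(self):
        self.entries = []  # list of (entry dict, hash)

    def record(self, actor, action, evidence_id="", ts=""):
        ts = ts or datetime.now(timezone.utc).isoformat()
        entry = {"ts": ts, "actor": actor, "action": action, "evidence_id": evidence_id}
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = entry_hash(prev, entry)
        self.entries.append((entry, h))
        return h

    def verify(self):
        """Return -1 if every hash checks out, else the index of the first bad entry."""
        prev = GENESIS
        for i, (entry, h) in enumerate(self.entries):
            if entry_hash(prev, entry) != h:
                return i
            prev = h
        return -1


def demo():
    # Constructed entries for a hypothetical incident; fixed timestamps for reproducibility.
    book = LogBook()
    book.record("analyst1", "help desk reports AV alert on workstation", ts="2007-10-31T09:05:00+00:00")
    book.record("analyst1", "disk imaged, image hash noted", "EV-001", ts="2007-10-31T10:20:00+00:00")
    book.record("analyst2", "EV-001 handed to evidence locker", "EV-001", ts="2007-10-31T11:00:00+00:00")
    intact = book.verify()                            # -1: chain is sound
    book.entries[1][0]["action"] = "nothing imaged"   # a silent edit to a past entry
    return intact, book.verify()                      # (-1, 1): tampering located at entry 1


if __name__ == "__main__":
    print(demo())
```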
Containment
• Limit the scope and magnitude of the incident
• Steps to take:
– Stay low: do not alert the attacker
– Create backups for analysis
– Turn your attention to systems at risk (i.e. systems the compromised system has access to or interacts with regularly)
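Scoping the "systems at risk" step above over connection logs, as an added example that is not part of the original slides: given the compromised host, it lists the peers that host connected to (access) or exchanged traffic with on several distinct days (regular interaction). The log format and addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample log, hypothetical format: <ISO time> <src> -> <dst>:<port> <proto>
SAMPLE_LOG = """\
2007-10-29T08:02:11Z 10.0.0.12 -> 10.0.0.5:445 tcp
2007-10-29T08:05:40Z 10.0.0.12 -> 10.0.0.7:1433 tcp
2007-10-30T09:11:02Z 10.0.0.12 -> 10.0.0.5:445 tcp
2007-10-30T17:30:00Z 10.0.0.40 -> 10.0.0.12:3389 tcp
2007-10-31T08:01:55Z 10.0.0.12 -> 10.0.0.5:445 tcp
2007-10-31T08:03:12Z 10.0.0.12 -> 10.0.0.7:1433 tcp
2007-10-31T22:14:09Z 10.0.0.12 -> 203.0.113.9:6667 tcp
2007-10-31T10:00:00Z 10.0.0.31 -> 10.0.0.5:445 tcp
"""


def parse(line):
    """Return (day, src, dst, port) for one log line."""
    ts, src, _arrow, dst_port, _proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ts[:10], src, dst, int(port)


def systems_at_risk(log_text, compromised, min_days=2):
    """Peers the compromised host reached (outbound) or talked with on >= min_days distinct days."""
    seen = defaultdict(lambda: {"days": set(), "conns": 0, "outbound": False})
    for line in log_text.splitlines():
        day, src, dst, _port = parse(line)
        if src == compromised:
            peer, outbound = dst, True   # compromised host has access to this peer
        elif dst == compromised:
            peer, outbound = src, False  # peer reached into the compromised host
        else:
            continue                     # traffic not involving the compromised host
        s = seen[peer]
        s["days"].add(day)
        s["conns"] += 1
        s["outbound"] = s["outbound"] or outbound
    at_risk = {
        peer: {"days": len(s["days"]), "conns": s["conns"], "outbound": s["outbound"]}
        for peer, s in seen.items() if s["outbound"] or len(s["days"]) >= min_days
    }
    # Most regular contact (distinct days) first, then most connections
    return dict(sorted(at_risk.items(), key=lambda kv: (-kv[1]["days"], -kv[1]["conns"])))


if __name__ == "__main__":
    for peer, info in systems_at_risk(SAMPLE_LOG, "10.0.0.12").items():
        print(peer, info)
```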
Eradication
• Problem is eliminated
• Steps to take:
– Determine the problem
– Determine mitigation (for example, patching the system)
Recovery
• System is returned to functional status
• Steps to take:
– Restore system
– Apply mitigation strategy
– Closely monitor the system
Follow Up
• Identify lessons learned that will prevent future incidents
• Determine costs
• Steps to take:
– Create incident report with recommended changes
– Send recommendations to management
– Implement changes
Challenges
• Incident response is difficult to do right
• A high level of experience is required to investigate and assess technical incidents
• Tendency to restore systems without following incident response procedures
Resources
• http://www.ussecurityawareness.org/highres/incident-response.html
• DOD CSIRTM Training CD-ROMs: http://www2.norwich.edu/mkabay/infosecmgmt/disa_cirtm_cdrom.zip
• http://staff.washington.edu/dittrich/