Incident Response From the Ground Up

Ellen Young and Adam Goldstein

Dartmouth College

NERCOMP

March 11, 2008


Information Security Incidents

Where does Incident Response fit into overall information security strategy?

• Prevention

• Detection

• Response*

Incident Response – Other Drivers

Additional drivers for creating incident response policies and procedures:

• PCI DSS (Payment Card Industry Data Security Standard), requirement 12.5.3: establish, document, and distribute security incident response and escalation procedures

• Breach notification laws

Policy vs. Procedure

The Dartmouth cyber-security steering committee initiated the current effort.

Started with a high-level IR policy; determined that more detailed procedures were required to make it actionable.

Incident Response – Practical Approach

First step:

• Incident Handling Workshop:

– May 30th and 31st, 2007

– About 30 participants from Tech Services, Consulting Services, and the CSI Team

– Table-top incident response exercises conducted by an experienced consulting firm, IntelGuardians (http://www.intelguardians.com/)

Incident Handling – Workshop 1

• Involved everyone who might be a first responder from Computing Services

• Divided into 4 teams – mixed Help Desk, Network Admins, and System Admins

• Presented with a scenario, logs, and received additional clues if the right questions were asked

• Teams used the high level policy and existing procedures as a starting point

Initial Workshop Lessons Learned and Takeaways

• Form an Incident Response Team (IRT)

• Develop practical procedures:

– First Responders

– Technical Response

– Communication

• Outreach and awareness – the source of an incident could be someone internal, and VoIP systems can be compromised just like any other server

• Ongoing training for IRT

Incident Response Team

• Different groups and areas of expertise represented

• 2 members for each area provides backup

• Team consists of:

– The Directors and 2 members each from Systems Administration, Network Services, and Consulting Services

Develop procedures from the “Ground Up”

• Workshop revealed importance of a “ground-up” approach to developing procedures:

– First Responders Decision-tree

– Incident Assessment and Classification

– Technical Action Plans for different incident types

– Communication Procedures

– Equipment and tools for performing investigations

First Responders Decision-tree

• Developed decision tree for first responders

• Easy for responders to use and determine next steps

• http://www.dartmouth.edu/comp/docs/FirstResponseCriteria.doc

• Automatic ticket creation for IRT based upon information entered

Incident Assessment and Classification

Incidents reported to IRT are then assessed and classified

The general criteria for assessing an incident include:

– Sensitivity of potentially compromised data

– Legal issues

– Magnitude of service disruption

– Threat potential

– Expanse - how widespread the incident is

Incident Assessment and Classification: Step 1 – Determine Severity

Questions to determine severity:

1. Is sensitive, confidential or privileged data at risk?

2. Is business continuity at risk?

3. Did someone identify a security problem regarding Dartmouth systems in a public forum (website, listserve, message board, print media, broadcast media)?

4. Has law enforcement, government agency, or other third-party contacted Dartmouth regarding a possible incident?

Incident Assessment and Classification: Step 2 – Assign severity level

Assign severity level:

• Low - Risk or exposure to few

• Medium - Localized risk or exposure (e.g. subnet, department, non-critical service)

• Serious - Institutional risk/exposure

Severity level will determine appropriate response plan

Incident Assessment and Classification: Step 3 – Determine incident type

Incident Types:

1. Compromised System

2. Compromised User Credentials

3. Network Attack (DoS, Scanning, Sniffing)

4. Malware (Viruses, Worms, Trojans)

5. Lost Equipment/Theft

6. Physical Break-in

7. Social Engineering (phishing, fraud)

8. Law Enforcement Request

9. Policy Violation

IRT – Response Action Plans

The IRT follows action plans based on:

• Incident Type

• Severity level

Information on internal wiki for ease of use

http://www.dartmouth.edu/comp/docs/Nercomp-IRTActionPlans.doc

http://www.dartmouth.edu/comp/docs/Nercomp-IncidentClassification.doc
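The three classification steps above, followed by ticket creation and action-plan selection, as one small triage routine. This is an added example, not Dartmouth's code or the contents of the linked documents; the slides name the questions, the levels and the incident types, but not how the answers combine, so the escalation rules, the form field names, the action-plan key format and the "notify the Directors" routing are assumptions.

```python
"""Triage helper that walks the three classification steps from the slides:
answer the Step 1 questions, assign a severity level, pick an incident type,
then emit the ticket and the (type, severity) key that selects an action plan.

Added example, not Dartmouth's code. The escalation rules below are
assumptions; the slides name the questions and levels but not how the
answers combine.
"""
from dataclasses import dataclass

SEVERITY = ("Low", "Medium", "Serious")  # ordered, as on the Step 2 slide

# Step 3 incident types, as listed on the slide
INCIDENT_TYPES = {
    "compromised_system", "compromised_credentials", "network_attack",
    "malware", "lost_or_stolen_equipment", "physical_break_in",
    "social_engineering", "law_enforcement_request", "policy_violation",
}

# Step 2 mapping of exposure to level: few / localized / institutional
SCOPE_TO_SEVERITY = {"few": "Low", "localized": "Medium", "institutional": "Serious"}


@dataclass
class Report:
    """What the first-responder form collects (field names are assumed)."""
    reporter: str
    incident_type: str
    scope: str                    # "few" | "localized" | "institutional"
    sensitive_data_at_risk: bool  # Step 1, question 1
    continuity_at_risk: bool      # question 2
    public_disclosure: bool       # question 3
    third_party_contact: bool     # question 4 (law enforcement, agency, other)
    summary: str = ""


def higher(a: str, b: str) -> str:
    """Return the more severe of two levels."""
    return SEVERITY[max(SEVERITY.index(a), SEVERITY.index(b))]


def assess_severity(r: Report) -> str:
    """Steps 1 and 2: start from exposure, then let any 'yes' raise the level.

    Assumed escalation rules: sensitive data or outside contact makes the
    incident an institutional matter (Serious); a continuity or public
    disclosure problem is at least Medium. The level never goes down.
    """
    level = SCOPE_TO_SEVERITY[r.scope]
    if r.sensitive_data_at_risk or r.third_party_contact:
        level = higher(level, "Serious")
    if r.continuity_at_risk or r.public_disclosure:
        level = higher(level, "Medium")
    return level


def create_ticket(r: Report) -> dict:
    """Validate the form, classify, and build the IRT ticket."""
    if r.incident_type not in INCIDENT_TYPES:
        raise ValueError(f"unknown incident type: {r.incident_type!r}")
    if r.scope not in SCOPE_TO_SEVERITY:
        raise ValueError(f"scope must be one of {sorted(SCOPE_TO_SEVERITY)}")
    severity = assess_severity(r)
    return {
        "severity": severity,
        "incident_type": r.incident_type,
        # Key under which the wiki action plan would be filed (naming assumed)
        "action_plan": f"{r.incident_type}/{severity.lower()}",
        # Serious incidents also go to the Directors on the IRT (assumed routing)
        "notify": ["irt"] + (["directors"] if severity == "Serious" else []),
        "reporter": r.reporter,
        "summary": r.summary,
    }


# Constructed sample reports, not real Dartmouth incidents.
SCANNING_HOST = Report(
    reporter="helpdesk", incident_type="network_attack", scope="localized",
    sensitive_data_at_risk=False, continuity_at_risk=False,
    public_disclosure=False, third_party_contact=False,
    summary="Lab workstation port-scanning its own subnet",
)
STOLEN_LAPTOP = Report(
    reporter="dept-admin", incident_type="lost_or_stolen_equipment", scope="few",
    sensitive_data_at_risk=True, continuity_at_risk=False,
    public_disclosure=False, third_party_contact=False,
    summary="Unencrypted laptop with payroll spreadsheet stolen from office",
)

if __name__ == "__main__":
    for report in (SCANNING_HOST, STOLEN_LAPTOP):
        print(create_ticket(report))
```

The second sample is the case the slides' ordering is meant to catch: by exposure alone a single stolen laptop is Low, but a "yes" to the sensitive-data question overrides that and puts it on the Serious plan, which is why Step 1 runs before the level is assigned.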

IRT- Communication Procedures

Specific procedures for communication throughout the different phases of response

Includes both “horizontal” and “vertical” communication

Information on internal wiki for ease of use

http://www.dartmouth.edu/comp/docs/Communications.doc

IRT-Response Equipment

• Dedicated Laptop

• NAS and portable storage for images

• IR software CDs and flash drives

– Helix - Incident Response & Computer Forensics Live CD (http://www.e-fense.com/helix/)

– The SleuthKit and Autopsy: Digital Investigation Tools for Linux (http://www.sleuthkit.org/)

– Windows Forensic Toolchest (WFT) (http://www.foolmoon.net/security/wft/)

• Secure document storage

Workshop 2- IRT Hands-on “Live Incident”

Security consulting firm returned for a 2 day workshop (12/4 and 12/5) with the IRT:

• Reviewed attack trends and highlighted response techniques

• Compromised 4 systems on a test network

• IRT practiced response procedures and use of investigative tools

Workshop 2 – Lessons Learned

• Communication among IRT members working on different parts of the investigation is critical

• Assessing unknown systems

• Concerns over service disruption during initial investigation

• Differences in Windows vs. Linux analysis

• Can be difficult for first responders – the desire to just fix it overwhelms the desire to preserve data
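The last lesson above is the one the response equipment (dedicated laptop, NAS and portable storage for images) exists to address: image first, fix later, and be able to prove the image is what you took. The following is an added example, not Dartmouth's code and not part of Helix or The Sleuth Kit. It does in Python what a responder would otherwise do with dd and sha256sum: copy the source block by block, pad an unreadable block with zeros and note its offset (the conv=noerror,sync behaviour of dd), hash what was read, re-read the written image to confirm it, and append a chain-of-custody record. The file names, case id and examiner name are constructed for the example, and the "device" is a temporary file of random bytes rather than a real disk.

```python
"""Evidence acquisition with hash verification and a chain-of-custody record.

Added example, not Dartmouth's code or part of Helix/Sleuth Kit. It does what
a responder would otherwise do with dd and sha256sum: copy the source block
by block, pad any unreadable block with zeros and note its offset
(dd's conv=noerror,sync), hash what was read, re-read the written image to
confirm the hash, and append a custody record. Paths, case id and
examiner name below are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
import time

BLOCK = 1 << 20  # 1 MiB read size


def sha256_file(path: str) -> str:
    """Hash a file in BLOCK-sized chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str, custody_log: str, examiner: str, case_id: str) -> dict:
    """Copy `source` (a device node or file) to `image` and record hashes."""
    read_hash = hashlib.sha256()
    bad_blocks = []
    offset = 0
    with open(source, "rb", buffering=0) as src, open(image, "wb") as dst:
        while True:
            try:
                chunk = src.read(BLOCK)
            except OSError:
                # Unreadable block: record the offset, write zeros, skip past it
                bad_blocks.append(offset)
                chunk = b"\0" * BLOCK
                src.seek(offset + BLOCK)
            if not chunk:
                break
            read_hash.update(chunk)
            dst.write(chunk)
            offset += len(chunk)
    image_hash = sha256_file(image)  # independent re-read of what was written
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": source,
        "image": image,
        "bytes": offset,
        "bad_blocks": bad_blocks,
        "sha256_read": read_hash.hexdigest(),
        "sha256_image": image_hash,
        "verified": read_hash.hexdigest() == image_hash,
    }
    with open(custody_log, "a") as log:
        log.write(json.dumps(record) + "\n")  # one JSON record per line
    return record


def verify(image: str, custody_log: str) -> bool:
    """Later check: the image still matches the hash recorded at acquisition."""
    with open(custody_log) as log:
        records = [json.loads(line) for line in log if line.strip()]
    expected = next(r["sha256_image"] for r in reversed(records) if r["image"] == image)
    return sha256_file(image) == expected


def demo() -> dict:
    """Run an acquisition against a constructed 3 MiB 'device' in a temp dir."""
    workdir = tempfile.mkdtemp(prefix="irt-")
    device = os.path.join(workdir, "fake-sdb")
    with open(device, "wb") as f:
        f.write(os.urandom(3 * BLOCK + 123))  # constructed, not a real disk
    image = os.path.join(workdir, "case-0001-sdb.dd")
    log = os.path.join(workdir, "custody.jsonl")
    record = acquire(device, image, log, examiner="responder", case_id="case-0001")
    record["verify_later"] = verify(image, log)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical notes. The custody record is appended, never rewritten, so a second acquisition or a later re-verification leaves the earlier entry in place; and the analysis tools on the response CDs work on the image, not the original: mmls lists the partitions in the .dd file and fls -o <sector offset> walks a filesystem inside it, so the source drive can stay write-blocked in the evidence locker.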

Next Steps and Ongoing Efforts

• Integrate IRT forms into Remedy Help Desk System

• Outreach to first responders not in PKCS and College community

• Ongoing monthly meetings for IRT

– Further training in response and forensic tools

– Sample scenarios and procedure updates

– Review emerging attack trends

• Additional training exercises for IRT and PKCS

Questions?

[email protected]@dartmouth.edu

Copyright 2008 Trustees of Dartmouth College

This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.