Objectives
Students should be able to:
Define and describe an incident response plan and business continuity plan
Define recovery terms: interruption window, service delivery objective, maximum tolerable outage, alternate mode, acceptable interruption window
Describe incident management team, incident response team, proactive detection, triage
Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, imaging, extraction, ingestion or normalization, case log, investigation report
Develop a high-level incident response plan
[Figure: examples of incidents - Accidents, Viruses, Social Engineering, Stolen Laptop, Hacker Intrusion, Fire!, Denial of Service, Lost Backup Tape]
Business Continuity Planning
[Figure: Business Continuity Planning contains the Disaster Recovery Plan and Continuity of Business Operations; the IRP is part of the BCP and can be *the first step*]
Recovery Terms
[Figure: recovery timeline - Regular Service; Interruption; (Acceptable) Interruption Window ends when Alternate Mode delivers service at the SDO level; Maximum Tolerable Outage bounds the time in Alternate Mode; Restoration Plan Implemented; Regular Service resumes]
(Acceptable) interruption window: the longest time the organization can wait from the point of failure until critical services are restored, at least at the SDO level, by switching to alternate mode
Service delivery objective (SDO): the level of service to be provided in alternate mode until normal operation is restored
Alternate mode: operating on backup facilities or procedures while the regular service is unavailable
Maximum tolerable outage (MTO): the longest time the organization can keep operating in alternate mode before regular service must be restored
Vocabulary
IMT: Incident Management Team
IS Mgr leads; includes steering committee and IRT members
Develop strategies & design plan for Incident Response, integrating business, IT, BCP, and risk management
Obtain funding; review postmortems
Meet performance & reporting requirements
[Figure: incident response stages - Identification; Containment & Escalation; Analysis & Eradication; Recovery; Lessons Learned (Ex-Post Response)]
Stage 1: Preparation
What shall we do if different types of incidents occur? (BIA helps)
When is the incident management team called?
How can governmental agencies or law enforcement help?
When do we involve law enforcement?
What equipment do we need to handle an incident?
What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies)
Where on-site & off-site shall we keep the IRP?
Unusual event: inappropriate login, unusual system aborts, server slow, deleted files, defaced website, unexplained system crashes or unexplained connection terminations
Malware
Violations of policy
Data breach
Social engineering/fraud: caller, e-mail, visitors
[Table fragment: Average Cost column only - $420,000; $510,000; $1,600,000; $3,320,000; the incident-type row labels are not recoverable]
Workbook
Incident Types | Description | Methods of Detection | Procedural Response
Intruder accesses internal network | Firewall, database, IDS, or server log indicates a probable intrusion. | Daily log evaluations, high priority email alerts |
Break-in or theft | Computers, laptops or memory is stolen or lost. | Security alarm set for off-hours; or employee reports missing device. |
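The "daily log evaluations" and "high priority email alerts" detection methods in the workbook, run over the indicators listed above, as an added example that is not part of the deck. The log lines are constructed (OpenSSH-style sshd messages on a host called web1), and the failure threshold and business hours are assumptions a real plan would set per system:

```python
"""Identification: evaluating daily logs for the indicators listed above.

Added example, not the deck's own material. The log lines are constructed
(OpenSSH-style sshd messages on a host named 'web1'); the thresholds and
business hours are assumptions a real plan would set per system.
"""
import re
from collections import defaultdict

# Constructed sample: a brute-force run against 'admin' at 02:13 that finally
# succeeds, followed by a routine daytime login by 'alice'.
SAMPLE_LOG = """\
Jan 12 02:13:01 web1 sshd[4711]: Failed password for admin from 203.0.113.7 port 50112 ssh2
Jan 12 02:13:04 web1 sshd[4711]: Failed password for admin from 203.0.113.7 port 50112 ssh2
Jan 12 02:13:08 web1 sshd[4712]: Failed password for admin from 203.0.113.7 port 50113 ssh2
Jan 12 02:13:12 web1 sshd[4712]: Failed password for admin from 203.0.113.7 port 50113 ssh2
Jan 12 02:14:40 web1 sshd[4713]: Accepted password for admin from 203.0.113.7 port 50114 ssh2
Jan 12 09:30:15 web1 sshd[5120]: Accepted password for alice from 10.0.0.5 port 40231 ssh2
""".splitlines()

SSHD_AUTH = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)


def evaluate_log(lines, failure_threshold=3, business_hours=(8, 18)):
    """Return a list of alerts. Each alert carries a priority so the
    'high priority email alert' path in the workbook can be driven from it."""
    failures = defaultdict(int)  # (ip, user) -> consecutive failed logins
    alerts = []
    for line in lines:
        m = SSHD_AUTH.match(line)
        if not m:
            continue  # not an authentication record; other parsers would handle it
        key = (m["ip"], m["user"])
        hour = int(m["time"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] == failure_threshold:
                alerts.append({"priority": "medium", "indicator": "repeated failed logins",
                               "user": m["user"], "ip": m["ip"], "line": line})
            continue
        # Successful login: was it preceded by a failure run, or is it off-hours?
        if failures[key] >= failure_threshold:
            alerts.append({"priority": "high",
                           "indicator": "login after repeated failures (probable intrusion)",
                           "user": m["user"], "ip": m["ip"], "line": line})
        if not business_hours[0] <= hour < business_hours[1]:
            alerts.append({"priority": "medium", "indicator": "inappropriate login: off-hours",
                           "user": m["user"], "ip": m["ip"], "line": line})
        failures[key] = 0
    return alerts


if __name__ == "__main__":
    for a in evaluate_log(SAMPLE_LOG):
        print(f"[{a['priority']:6}] {a['indicator']}: {a['user']}@{a['ip']}")
```

On the constructed sample this raises a medium alert at the third failure, a high alert when the same source then logs in, and a medium off-hours alert for that login; the daytime login by alice raises nothing. The high alert is the one that should trigger the procedural response and the triage step that follows.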
Stage 2: Identification
(2) Triage
Stage 3: Containment
Activate Incident Response Team to contain threat: IT/security, public relations, mgmt, business
Isolate the problem: disable server or network zone communication; disable user access; change firewall configurations to halt connection
Obtain & preserve evidence
Managerial: business impacts result in mgmt intervention, notification, escalation, approval
Legal: issues related to investigation, prosecution, liability, privacy, laws & regulation, nondisclosure
(4) Analysis
What happened?
Who was involved?
What was the reason for the attack?
Where did the attack originate?
When did the initial attack occur?
How did it happen?
What vulnerability enabled the attack?
Stage 5: Recovery
Restore operations to normal
Ensure that restore is fully tested and operational
Workbook
Planning Processes
Risk & Business Impact Assessment
Response & Recovery Strategy Definition
Document IRP and DRP
Train for response & recovery
Update IRP & DRP
Test response & recovery
Audit IRP & DRP
Training
Introductory Training: first day as IMT
Mentoring: buddy system with a longer-term member
Formal Training
On-the-job training
Training due to changes in IRP/DRP
Challenges
Management buy-in: management does not allocate time/staff to develop the IRP (top reason for failure)
Question
The MAIN challenge in putting together an IRP is likely to be:
1. Getting management and department support
2. Understanding the requirements for chain of custody
3. Keeping the IRP up-to-date
4. Ensuring the IRP is correct
Question
When a system has been compromised at the administrator level, the MOST IMPORTANT action is:
1. Ensure patches and anti-virus are up-to-date
2. Change admin password
3. Request law enforcement assistance to investigate incident
4. Rebuild system
Question
The BEST method of detecting an incident is:
1.
2. NIDS/HIDS technology
3.
4. Job rotation
Question
The person or group who develops strategies for incident response includes:
1. CISO
2. CRO
3. IRT
4. IMT
Question
The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:
1. Disconnect the computer facilities from the computer network to hopefully disconnect the attacker
2. Power down the server to prevent further loss of confidentiality and data integrity
3. Call the police
4. Follow the directions of the Incident Response Plan
Computer Investigation and Forensics
Computer Crime Investigation
Chain of Command
[Figure: forensic handling - Take photos of surrounding area; Preserve original system in locked storage w. min. access; Copy disk; Analyze copied images]
Computer Forensics
Did a crime occur? If so, what occurred?
Evidence must pass tests for:
Authenticity: evidence is a true and faithful original of the crime scene
Continuity: computer forensics does not destroy or alter the evidence
Chain of Custody
[Figure: timeline]
Time | Event | Persons
10:53 AM | Attack observed | Jan K
11:04 | Incident Response team arrives |
11:05-11:44 | System copied | PKB & RFT
11:15 | System brought offline | RFT
11:45 | System powered down | PKB & RFT
11:47-1:05 | Disk copied | RFT & PKB
1:15 | System locked in static-free bag in storage room | RFT & PKB
Preparing Evidence
Work with police to AVOID contaminating the evidence and voiding the chain of custody
Evidence must not be impure or tainted
Written documentation lists the chain of custody: locations, persons in contact, time & place
Computer Forensics
[Figure: making a mirror image of the original disk - 3) Forensically Sterile: wipes existing data on the destination and records its sterility; 4) One-way Copy: cannot modify the original; 5) Bit-by-Bit Copy: mirror image; 7) Calculate Message Digest: validate correctness of the copy]
Computer Forensics
Data Protection: notify people that evidence cannot be modified
Data Acquisition: transfer data to a controlled location; copy volatile data; interview witnesses; write-protect devices
Imaging: bit-for-bit copy of data
Extraction: select data from the image (logs, processes, deleted files)
Interrogation: obtain information on parties from the data (phone/IP address)
Ingestion/Normalization: convert data to an understood format (ASCII, graphs, ...)
Reporting: complete report to withstand legal process
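The forensic copy steps in the figure (sterile destination, one-way copy, bit-by-bit copy, message digest) and the Imaging and Extraction stages above, carried out in code as an added example that is not part of the deck. It works on ordinary files in a temporary directory, with a constructed 150 KiB pseudo-disk standing in for a drive read through a hardware write blocker; the chunk size, file names and the "deleted file" marker are assumptions:

```python
"""Forensic copy: sterile destination, one-way read of the original, bit-for-bit
image, and message digests that prove the image matches the original.

Added example, not the deck's own code. Files in a temp directory stand in for
block devices; a real acquisition reads the source behind a hardware write
blocker. Chunk size, file names and the marker string are assumptions.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def sha256_file(path: str) -> str:
    """Digest computed from what is actually on disk, not from the copy loop."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sterilize(dest_path: str, size: int) -> str:
    """Step 3: overwrite the destination with zeros and return the digest of
    the zeroed media, which is the record of its sterility."""
    with open(dest_path, "wb") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n
    return sha256_file(dest_path)


def image(source_path: str, dest_path: str) -> dict:
    """Steps 4, 5 and 7: open the original read-only (one-way), copy it
    byte for byte, then hash the original and the image independently."""
    fd = os.open(source_path, os.O_RDONLY)  # the original is never opened for writing
    copied = 0
    with os.fdopen(fd, "rb") as src, open(dest_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            copied += len(chunk)
    src_digest, img_digest = sha256_file(source_path), sha256_file(dest_path)
    return {"bytes": copied, "source_sha256": src_digest,
            "image_sha256": img_digest, "verified": src_digest == img_digest}


def find_marker(image_path: str, marker: bytes) -> int:
    """Extraction stage: search the image, never the original, for a string
    such as a deleted file's name; returns its byte offset or -1."""
    with open(image_path, "rb") as f:
        return f.read().find(marker)


def demo() -> dict:
    """Constructed evidence: 150 KiB of patterned bytes with a 'deleted'
    file name left behind at offset 4096."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "original.raw")
    copy = os.path.join(work, "evidence.dd")
    disk = bytearray(bytes(range(256)) * 600)  # 153600 bytes, constructed
    disk[4096:4096 + 12] = b"<DELETED.TXT"
    with open(original, "wb") as f:
        f.write(disk)
    before = sha256_file(original)
    sterile = sterilize(copy, len(disk))
    result = image(original, copy)
    result["sterile_sha256"] = sterile
    result["original_unchanged"] = sha256_file(original) == before
    result["marker_offset"] = find_marker(copy, b"<DELETED.TXT")
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The digest of the original is taken before the copy and again after, so the report can state that the procedure did not alter the evidence (the continuity test), and the digest of the image is what the analyst and the court compare against; extraction then runs against evidence.dd, not original.raw.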
Legal Report
Describe incident details accurately
Be understandable and unambiguous
Offer valid conclusions, opinions, or
recommendations
Fully describe how conclusion is reached
Withstand legal scrutiny
Be created in timely manner
Be easily referenced
Forensics: Chain of Custody Forms
Chain of Custody Form: tracks where & how evidence was handled. Includes:
Name & contact info of custodians
Detailed identification of evidence (e.g., model, serial #)
When, why, and by whom evidence was acquired or moved
Where stored
When/if returned
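The chain of custody form, with the deck's own timeline as its entries, kept as a tamper-evident log. This is an added example, not part of the deck: each entry carries the form's fields plus the digest of the previous entry, so an edited or removed entry fails verification. The case number, the evidence identifier, the storage locations and the 24-hour times are assumptions; the custodian initials and events come from the timeline above:

```python
"""Chain of custody form as a tamper-evident, hash-linked log.

Added example, not the deck's own code. Case number, evidence identifier,
locations and the 24-hour clock times are assumptions; the events and the
custodian initials are the timeline from the slides.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # link value for the first entry


@dataclass
class CustodyEntry:
    time: str
    action: str                      # why / what was done
    custodians: List[str]            # who handled the evidence
    evidence_id: str                 # model, serial number, asset tag
    location: str                    # where stored
    evidence_sha256: Optional[str]   # digest of the image, once one exists
    prev_entry_sha256: str           # link to the previous entry
    entry_sha256: str = ""           # digest over all fields above


def entry_digest(entry: CustodyEntry) -> str:
    body = {k: v for k, v in asdict(entry).items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ChainOfCustody:
    def __init__(self, case_number: str):
        self.case_number = case_number
        self.entries: List[CustodyEntry] = []

    def record(self, time, action, custodians, evidence_id, location,
               evidence_sha256=None) -> CustodyEntry:
        prev = self.entries[-1].entry_sha256 if self.entries else GENESIS
        entry = CustodyEntry(time, action, list(custodians), evidence_id,
                             location, evidence_sha256, prev)
        entry.entry_sha256 = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Recompute every digest and link. Returns (True, entry count) or
        (False, index of the first entry that does not verify)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_sha256 != prev or entry_digest(e) != e.entry_sha256:
                return False, i
            prev = e.entry_sha256
        return True, len(self.entries)


def build_timeline() -> ChainOfCustody:
    """The slide's timeline as form entries (case number, evidence id,
    locations and image digest are constructed)."""
    coc = ChainOfCustody("CASE-2024-0001")
    ev = "Server SRV-01, serial SN-000123 (assumed)"
    image_digest = hashlib.sha256(b"constructed disk image").hexdigest()
    coc.record("10:53", "Attack observed", ["Jan K"], ev, "server room")
    coc.record("11:04", "Incident Response team arrives", [], ev, "server room")
    coc.record("11:05", "System copied (until 11:44)", ["PKB", "RFT"], ev, "server room")
    coc.record("11:15", "System brought offline", ["RFT"], ev, "server room")
    coc.record("11:45", "System powered down", ["PKB", "RFT"], ev, "server room")
    coc.record("11:47", "Disk copied (until 13:05)", ["RFT", "PKB"], ev, "server room",
               evidence_sha256=image_digest)
    coc.record("13:15", "System locked in static-free bag", ["RFT", "PKB"], ev,
               "storage room, locked cabinet")
    return coc


def tamper_demo() -> Tuple[bool, int]:
    """Change a custodian on the 11:15 entry after the fact; the log must
    identify that entry."""
    coc = build_timeline()
    coc.entries[3].custodians = ["PKB"]
    return coc.verify()


def deletion_demo() -> Tuple[bool, int]:
    """Remove the 'System copied' entry; the next entry's link no longer
    matches, so the gap is detected at index 2."""
    coc = build_timeline()
    del coc.entries[2]
    return coc.verify()


if __name__ == "__main__":
    print("intact:", build_timeline().verify())
    print("edited custodian:", tamper_demo())
    print("deleted entry:", deletion_demo())
```

The form itself is still signed and dated on paper by each custodian; the hash links only make after-the-fact edits to the electronic copy detectable, which is what a defense expert will probe.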
Forensics: Investigation Report
Name and contact info for investigators
Case number
Dates of investigation
Details of interviews or communications
Details of devices or data acquired (model, serial #)
Details of software/hardware tools used (must be reputable in law)
Details of findings, including actual data
Signature of investigator
Question
Authenticity requires:
1.
2.
3.
4.
Question
You are developing an Incident Response Plan. An executive order is that the network shall remain up, and intruders are to be pursued. Your first step is to:
1. Use commands off the local disk to record what is in memory
2. Use commands off of a memory stick to record what is in memory
3. Find a witness and log times of events
4. Call your manager and a lawyer in that order
Question
What is NOT TRUE about forensic disk copies?
1. The first step in a copy is to calculate the message digest
2. Extraction and analysis for presentation in court should always occur on the original disk
3. Normalization is a forensics stage which converts raw data to an understood format (e.g., ASCII, graphs, ...)
4. Forensic copies require a bit-by-bit copy