March 21, 2022 Copyright © 2002-2008 Tenable Network Security, Inc. 1 Developing an Incident Response Plan

Developing an Incident Response Plan


Carole Fennelly

• Over 25 years in IT

• Wrote a lot of caustic articles on Information Security

• Co-founder of Hacker Court

• Presently Security Information Specialist with Tenable


Evolution of Incident Response

No longer just a technical issue – it’s a business concern.


Past Goals

• Protect Assets

• Catch the Wily Hacker

• Harden Systems

• Resume Operations

• Monitor for Repeat Attacks


Early Guidance

• 1989 – Herbert Zinn (aka Shadow Hawk) is first person prosecuted under the Computer Fraud and Abuse Act of 1986

• 1988 – CERT formed in response to Morris worm

• 1991 – RFC 1244 provides guidance on Internet Response


Personnel Involved

• Technical Staff

• Technical Management

• Possibly Law Enforcement


Current Goals

• Protect Assets

• Demonstrate Compliance

• Save Money

• Catch the Intruder?


Compliance

• BASEL II

• Control Objectives for Information and related Technology (COBIT)

• Federal Information Security Management Act (FISMA)

• Gramm-Leach-Bliley Act (GLBA)

• Health Insurance Portability and Accountability Act (HIPAA)

• ISO 17799 Security Standards

• Information Technology Infrastructure Library (ITIL)

• Motion Picture Association of America (MPAA) inquiries

• National Institute of Standards and Technology (NIST)

• National Security Agency (NSA)

• Payment Card Industry (PCI)

• Recording Industry Association of America (RIAA) inquiries

• Sarbanes-Oxley (SOX)

• Site Data Protection (SDP)

• Various State Laws (California’s Database Breach Notification Act – SB 1386)


Dataloss Statistics


Incident Response Process

• Preparation

• Detection

• Containment

• Evidence Collection

• Investigation

• Eradication and Recovery

• Post Mortem


Preparation

• Form CSIRT

• Develop Policies and Procedures

• Assess technology needs

• Perform Business Risk Analysis

• Develop Security Awareness Program

• Test the Plan


CSIRT Organizational Roles

• Executive Sponsor

• IT Director

• CSIRT Coordinator

• Technical Subject Matter Experts

• Legal representative

• HR representative

• Business unit representatives


Role of Law Enforcement

• Who decides to call the cops?

• How much access should law enforcement have?

• Are you prepared to go to court?


Policies and Procedures

• Executive Statement – intended for management to establish overall goals of the security policy and mechanisms in place to support it.

• Asset Protection and Information Management – intended for Project Managers to provide specific standards and guidelines for information management.

• Acceptable Use Policy – details what users can expect with regard to privacy and what is expected of them to protect the organization’s information assets.

• Secure System and Network Administration – intended to establish requirements for secure system and network administration.

• Auditing, Monitoring and Compliance – intended for those responsible for auditing system and network security controls and ensuring policy compliance.

• Disaster Recovery Plan – covers incidents that may have a catastrophic effect on business operations.


Contact Lists

• Internal Organizations

• Vendors

• Third Party Connections

• Law Enforcement Agencies


Technology Assessment

Monitoring Tools

Network Segmentation

Investigative Tools

Operating System Hardening

Anti-Virus/Spyware

Patch Management

Vulnerability Management

Backups


Business Risk Analysis

• Identify Business Information Owners

• Identify Critical applications

• Classify Data

– Patient Health Information

– Credit Card Data

– Client Financial Data

– Material Non-public

– Intellectual Property


Security Awareness

• User training (Early Warning System)

• Security mailing lists

• Security training

• Vulnerability Databases

• Patch Databases

• Security Conferences


Detection

It’s Monday. You've got mail! A lot of it… 60 Minutes is holding on line 1, the DA is on line 2, the CEO is on line 3, and somebody claiming to be the Omnipotent Stomper is texting your cell. It’s going to be a bad day…


Obvious Indicators

• Communication from Attacker

• Communication from Law Enforcement

• Communication from another site

• Network Floods

• IDS alarm

• Damaged or Missing Data

• Unusual system behavior
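The "Network Floods" indicator above is one that a CSIRT can catch from its own logs before anyone phones. The following is an added example, not code from the presentation or from Tenable: a sliding-window detector that reads connection-log lines (format, thresholds and the sample traffic are all constructed here) and flags any source address that opens more than THRESHOLD connections within WINDOW_SECONDS. The sample log mixes two hosts with normal traffic and one source that floods a web server, so running the block shows the detector firing on exactly that source and staying quiet on the others.

```python
"""Sliding-window flood detection over constructed connection-log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values: alert when one source opens THRESHOLD connections
# inside any WINDOW_SECONDS span. Tune these to the environment being monitored.
THRESHOLD = 20
WINDOW_SECONDS = 10


def build_sample_log():
    """Constructed sample log: "ISO-timestamp src_ip dst_ip dst_port" per line, in time order."""
    base = datetime(2008, 3, 3, 9, 0, 0)
    events = []
    # Background traffic: two hosts, one connection every 2 seconds between them.
    for i in range(30):
        src = "10.0.0.5" if i % 2 == 0 else "10.0.0.7"
        events.append((base + timedelta(seconds=2 * i), src, "192.0.2.10", 443))
    # Flood: 25 connections from one source in five seconds, starting at +20s.
    for i in range(25):
        events.append((base + timedelta(seconds=20, milliseconds=200 * i),
                       "10.0.0.99", "192.0.2.10", 80))
    events.sort()
    return [f"{ts.isoformat()} {src} {dst} {port}" for ts, src, dst, port in events]


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_floods(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {source_ip: timestamp of first alert} for every source whose
    connection count inside a trailing window of `window` seconds reaches
    `threshold`. Lines must be in time order, as a log normally is."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, _dst, _port = parse_line(line)
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts    # record only the first crossing per source
    return alerts


if __name__ == "__main__":
    for src, when in detect_floods(build_sample_log()).items():
        print(f"flood from {src}: threshold crossed at {when.isoformat()}")
```

The detector keys on source address only; a distributed flood spreads its connections across many sources and would need a per-destination count as well, which is a one-line change to the key used for `recent`.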


Sometimes very obvious…


Subtle Indications


Evaluating Technical Impact


Evaluating Business Impact


Intrusion Response Tasks

• Document everything

• Notify appropriate contacts

• Protect systems and limit data loss

• Gather volatile data and logs

• Mirror disks

• Safeguard evidence


Containment

• Disable new login sessions

• Un-mount disk drives

• Check for dead-man switches

• Shut down affected systems if data at risk

• Disconnect network interface

• Modify firewall and router filtering rules

• Monitor system and/or network activity

• Monitor or disable compromised services

• Move devices to a containment VLAN

• Modify DNS records to point to a different IP address


Evidence Gathering

• Collect Volatile Data

– Processes

– Memory

– Network connections

– Open File descriptors

• Mirror Disks

– Use a Write Block to protect source disk


Evidence Protection

• All evidence delivered to evidence custodian

• Evidence locked up in a safe place

• Evidence is signed in and out each time it changes hands

• Chain of custody log stays with evidence through entire process


Forensic Analysis

• Use disk mirror for forensic exam

• Never use source disk

• Follow a set methodology

• Write a report

• Document any test program created and used against forensic evidence
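The Evidence Protection and Forensic Analysis slides describe a procedure with two checkable properties: the chain-of-custody record must show every hand-off without gaps, and the examiner must work on a copy whose content is provably identical to what was acquired. The block below is an added example written for this page, not code from the presentation or from Tenable. It implements a custody ledger in which each entry commits to the hash of the previous entry, so a deleted or edited hand-off breaks verification, and a gate that refuses analysis unless both the ledger and the working copy's SHA-256 check out. The evidence identifier, custodian names, field names and the sample image bytes are all constructed for the example.

```python
"""Evidence integrity and hash-chained chain-of-custody ledger (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # `prev` link of the first ledger entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the acquired image, or a working copy of it)."""
    return hashlib.sha256(data).hexdigest()


def _now_iso():
    return datetime.now(timezone.utc).isoformat()


class CustodyLedger:
    """Append-only custody log for one piece of evidence.

    Every entry carries the hash of the entry before it, so the log can only
    be extended, never quietly edited. The acquisition entry also records the
    SHA-256 of the image taken from the write-blocked source disk."""

    def __init__(self, evidence_id, image_bytes, custodian, when=None):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(image_bytes)
        self.entries = []
        self._append({"event": "acquired", "from": None, "to": custodian,
                      "sha256": self.acquisition_hash, "when": when or _now_iso()})

    @staticmethod
    def _digest(entry):
        # Hash every field except the stored hash itself, in canonical JSON order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def _append(self, fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = dict(fields, evidence_id=self.evidence_id, prev=prev)
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, from_person, to_person, when=None):
        """Sign the evidence out of one custodian's hands and into another's."""
        return self._append({"event": "transfer", "from": from_person,
                             "to": to_person, "when": when or _now_iso()})

    def current_custodian(self):
        return self.entries[-1]["to"]

    def verify_chain(self):
        """True only if every entry is unmodified and linked to its predecessor."""
        expected_prev = GENESIS
        for e in self.entries:
            if e["prev"] != expected_prev or self._digest(e) != e["entry_hash"]:
                return False
            expected_prev = e["entry_hash"]
        return True

    def verify_working_copy(self, copy_bytes):
        """True if the copy the examiner will use matches the acquisition hash."""
        return sha256_hex(copy_bytes) == self.acquisition_hash

    def ready_for_analysis(self, copy_bytes):
        """Gate before any forensic work: intact custody log AND a verified copy."""
        return self.verify_chain() and self.verify_working_copy(copy_bytes)


if __name__ == "__main__":
    image = b"constructed disk image bytes"          # stands in for a dd image
    ledger = CustodyLedger("DISK-001", image, "examiner A")
    ledger.transfer("examiner A", "evidence custodian B")
    print("chain ok:", ledger.verify_chain())
    print("copy ok:", ledger.ready_for_analysis(image))
    ledger.entries[1]["to"] = "someone else"         # simulate an edited hand-off
    print("after tampering:", ledger.verify_chain())
```

In practice the ledger entries would be written to a file outside the examiner's control (or signed), since a hash chain detects edits but does not by itself stop someone from rewriting the whole file; the chain is what lets the custodian show in court that the record was never altered after each hand-off.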


Restoring Operations

• Isolate target system from rest of network

• Ensure integrity of installation media

• Ensure integrity of backups

• Use CIS benchmarks as guides

• Change all passwords and keys


Monitoring for Repeat Attacks

• A repeat attack on the same vector may come from the original attacker or from a copycat

• Consider installing additional monitoring tools

• Allocate staff hours for extra monitoring


Post Mortem

• Meeting with CSIRT

• Create post-mortem report

– Document incident

– What went well

– What went wrong

– Identify scope of data loss

• Update Incident Response Plan

• Reassess technology, policies and procedures

• Possibly prepare for court


Resources: Historical

RoadNews.com, “History of Hacking”
http://www.roadnews.com/html/Articles/historyofhacking.htm

Bruce Sterling, “Short History of the Internet” [From The Magazine of Fantasy and Science Fiction, February 1993.]
http://w3.aces.uiuc.edu/AIM/scale/nethistory.html

Adrienne Wilmoth Lerner, “Computer Fraud and Abuse Act of 1986” [Advameg Inc.]
http://www.espionageinfo.com/Co-Cop/Computer-Fraud-and-Abuse-Act-of-1986.html

Internet Engineering Task Force, “RFC 1244 Site Security Handbook,” [1991]
http://www.rfc-archive.org/getrfc.php?rfc=1244

Internet Engineering Task Force, “RFC 2350: Expectations for Computer Security Incident Response,” [1998]
http://www.rfc-archive.org/getrfc.php?rfc=2350

Resources: Data Loss Prevention

Scott Berinato, “Data Breach Notification Laws State by State,” [CSO Magazine, 2/12/2008]
http://www.csoonline.com/read/020108/ammap/ammap.html

Attrition.org, “Dataloss Archive and Database,” [Jericho, Lyger]
http://attrition.org/dataloss/

Etiolated.org, “Shedding Light on Privacy Incidents,” [Dave]
http://etiolated.org/

Ponemon Institute, LLC, “2007 Annual Study: US Cost of a Data Breach,” [November, 2007]
http://www.vontu.com/uploadedfiles/global/Ponemon-Cost-of-a-Data-Breach-2007.pdf


Resources: Incident Response

National Institute of Standards and Technology, “Computer Security Incident Handling Guide,” [U.S. Department of Commerce]

http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf

Center for Internet Security, “CIS Benchmarks” [2008]

http://www.cisecurity.org/bench.html

Tenable Network Security

http://tenablesecurity.com/solutions/


Summary

Preparation

Detection

Containment

Evidence Collection

Investigation

Eradication & Recovery

Post Mortem


Questions?

[email protected]

[email protected]