Components of Incident Response ISGC 2015 Security Workshop

Components of Incident Response
ISGC 2015 Security Workshop
David Kelsey, STFC-RAL
15/03/2015 Incident Response 1 www.egi.eu

Security incidents - background
• Much better to avoid security incidents
  • System configuration
  • Up to date patching
  • Training
  • Security drills
  • Monitoring
  • Firewalls?
• Security incidents still happen!
  • Compromised credentials, zero-day vulnerabilities, unpatched systems, bad luck, …

What is a Security Incident?
• “The act of violating an explicit or implied security policy”
  • One reason why we need policies!
• Can be a suspected violation
  • Do not need definite proof to start handling an act as an incident

Handling of incidents – why?
• Protect assets
  • Keep data and services available
• Understand what happened and how
• Recover the compromised service
• Learn lessons for the future
• Keep all stakeholders informed
• Much better to work together
  • A reason for a CSIRT

Components of Security Incident Response
• Preparation
• Discovery and reporting
• Initial analysis and classification
• Containment
• Communication
• Analysis, resolution and recovery
• Post-incident analysis

Preparation
• Security incident response policy
  • Require participants to report and co-operate
• Policy on traceability and logging
  • Require participants to keep logs (180 days)
• Maintain all contact information
  • Service managers & security contacts
  • Computer Security Incident Response Teams
• An incident response plan/procedure
  • Print this on paper
  • Know what to do, who to contact and when
• Training of all sys admins
  • Perform security drills to exercise

Discovery and reporting
• Incidents are discovered in many ways
  • Strange system behaviour
  • Reports from others
  • Intrusion detection systems
• You must report to local security team(s)
• You must tell the (EGI) CSIRT
  • Within 4 hours
  • abuse@egi.eu
  • See template for report

Report template
• EGI report template
  • Appendix B of Incident Response Procedure
• Normally TLP - AMBER
  • Limited distribution – share with other CSIRTs on a need-to-know basis
• Initial report – just a heads-up
  • More details will follow
• More details – follow up
  • Description
  • List of compromised hosts
  • Host used as entry point
  • Remote IP address
  • Etc etc

Initial analysis and classification
• What happened
• How serious is it?
  • Often a decision for the CSIRT
• Part of some wider incident?
• Classification – one example
  • High – instability of whole Grid
  • Medium – attack of many instances of one service
  • Low – a local attack on one machine
• CSIRT will decide how to treat it

Containment
• Need to stop an incident spreading
  • Without destroying any forensic evidence
• Do NOT shutdown or power down system
• If allowed, disconnect network and storage connections to system
  • Or disconnect network segment
• Aim: preserve forensic evidence for analysis
  • May be needed for law enforcement
• Write down everything you do and when

Communication
• Very important part of incident response
• MUST report to local security team
• And to EGI CSIRT
  • abuse@egi.eu
  • Within 4 hours of discovery
  • Quicker is better!
• Then during analysis will need to communicate with CSIRT frequently
• Report to VO and credential issuing authorities (CA)
  • Or leave this to the CSIRT
• Do not talk directly to the Press
  • Use your local PR office – give limited but correct details
  • Or rely on CSIRT
• Keep management informed

Analysis, resolution and recovery
• See “Quick and Dirty Forensics” talk
• Forensic analysis of file system, memory, VMs, logs
  • But do not write to file system (use external drives)
• If you are capable
  • If not - ask for help
• See “EGI Forensics Howto”
• Check for root kits
• Do not shutdown – just remove power
• Remove hard-disks and make forensic analysis copies
• Depending on severity
  • Patch, fix, in general re-install from known good source
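The Containment slide asks you to write down everything you do and when, and this slide asks for forensic copies written to external drives rather than to the compromised file system. The following script is an added example, not from the slides or the EGI forensics how-to: it images a source device or file, records SHA-256 hashes of source and image, and keeps a timestamped action log beside the image. It assumes a POSIX sh with dd, sha256sum, df and awk, and that OUTDIR is on an externally mounted drive.

```shell
#!/bin/sh
# Added example (not the slides' or EGI's own code): forensic image plus
# hash record plus timestamped action log, so that "everything you do and
# when" is written down as a side effect of doing it.
# Assumes POSIX sh, dd, sha256sum, df and awk; run as a user that can read SRC.

# log_action OUTDIR MESSAGE: append one UTC-timestamped line to actions.log.
log_action() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1/actions.log"
}

# forensic_copy SRC OUTDIR: image SRC to OUTDIR/image.raw.
# Returns 0 only when the image hash equals the source hash.
forensic_copy() {
    src="$1"; out="$2"
    mkdir -p "$out" || return 1
    log_action "$out" "imaging $src started by $(id -un) on $(uname -n)"
    # Rough check that OUTDIR is not on the same filesystem as SRC (the slides
    # say: use external drives). Only meaningful when SRC is a file or mounted
    # path; for a raw device, confirm the mount point of OUTDIR by hand.
    if [ "$(df -P "$src" | awk 'NR==2{print $1}')" = \
         "$(df -P "$out" | awk 'NR==2{print $1}')" ]; then
        log_action "$out" "WARNING: $out is on the same filesystem as $src"
    fi
    # Plain dd gives a bit-for-bit copy whose hash must equal the source hash.
    # For media with read errors prefer ddrescue; conv=noerror,sync would pad
    # unreadable blocks and so change the image hash.
    if ! dd if="$src" of="$out/image.raw" bs=1M 2>>"$out/dd.log"; then
        log_action "$out" "dd FAILED for $src (see dd.log)"
        return 2
    fi
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$out/image.raw" | cut -d' ' -f1)
    printf '%s  %s\n%s  image.raw\n' "$src_hash" "$src" "$img_hash" \
        > "$out/SHA256SUMS"
    log_action "$out" "imaging finished: source=$src_hash image=$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Usage (as root, with /mnt/evidence mounted from an external drive):
#   forensic_copy /dev/sda /mnt/evidence/host01-sda
```

Keep actions.log and SHA256SUMS with the image; they are the record the CSIRT and, if needed, law enforcement will ask for.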

Post-incident analysis
• Important to write a full report
  • Within 1 month of incident
  • What happened
  • What you found out
  • How did you fix it
  • What went well
  • What could have been improved
  • Lessons for the future
• Sent to CSIRT and all site security contacts

Reminder
• Now to a reminder of Service Manager responsibilities

EGI Service operator responsibilities
• Immediately (within 4 hours) inform local security team, NGI security officer and EGI CSIRT
  • abuse@egi.eu
  • See Appendix B of EGI procedure
• Do NOT reboot or power off host
• Contain incident within one working day
  • e.g. disconnect network and storage
• Note down everything you do and when
• Announce down-time
  • “Security operations in progress”

Responsibilities (2)
• Perform analysis, corrective actions and cooperate with CSIRT (always responding within 4 hours) – you may need help – ask!
  • IP addresses, timestamps, identities
  • Freeze/pause VMs and create dumps
  • Forensic copies of filesystems and memory
  • See Appendix A of EGI procedure
• Send incident closure report within 1 month
  • Include lessons learned and resolution
• Restore service and update any documentation or procedures
• Always be careful with sharing information – use TLP
  • Send nothing to public lists
• If in any doubt please ask for help!

More information
• EGI policy: https://documents.egi.eu/document/82
• EGI procedure: https://wiki.egi.eu/wiki/EGI_CSIRT:Incident_reporting and https://documents.egi.eu/document/710
• EGI forensics how-to: https://wiki.egi.eu/wiki/Forensic_Howto
• Traffic Light Protocol: https://wiki.egi.eu/wiki/EGI_CSIRT:TLP

More information (2)
• ENISA Tools: http://www.enisa.europa.eu/activities/cert/support/chiht
• IETF RFC 2350: https://www.ietf.org/rfc/rfc2350.txt
• SANS Incident Handler's Handbook: http://www.sans.org/readingroom/whitepapers/incident-handlers-handbook-33901
• NIST SP 800-61 r2: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Questions?