Slides: 24
Incident Response Planning, Law Enforcement Issues, and THE BIG PICTURE
FBI Phoenix – Computer Crime Squad

Computer crime seen by the squad:
• Denial of Service
• Identity Theft
• Internet Fraud
• Spam
• Child Pornography
• Pornography
• E-mail Threats
• Warez
• 419 Nigerian Scam
• E-mail Viruses, Worms, Malicious Code
• Unauthorized Access

ISO 17799 STANDARDS
• Security Policy
• Security Organization
• Asset classification and control
• Personnel Security
• Physical and environmental security
• Communications and operations management
• Access Control
• Systems Development and maintenance
• Business Continuity Management
• Compliance (HIPAA) (Gramm-Leach-Bliley)

EDUCATION
SOCIAL ENGINEERING

Anatomy of a Cyber Incident
• Incident is discovered/reported
• Activate: Incident Management Team
• Notify: Security, Legal, Law Enforcement

Incident Management Team
• Created prior to incident
• Protocols pre-defined
• One person in charge
• One person responsible for evidence
• Team may cover shifts

Keep a log of events & document loss
• Document what you know, when you know, who knows, what you do, who does it (think testimony)
• Document loss: resources used, lost revenues, cost of consultants, equipment cost (think testimony)

Evidence
• Hard drives
• Backup data
• Security logs
• Event logs
• Initialed, dated, documented
• Employment records
• Think proof of story.

What to do during/after an Incident
• Audit trails & logging: what logs were active at the time of the attack?
• Begin keystroke monitoring
  – Consent to Monitor (banner in place?)
  – Sys. Admin Monitoring Authority: can be used even absent consent or a warning banner
• Identify and recover available evidence: system log files, system images, altered/damaged files, intruders’ files, network logs (routers, SNMP, etc.), traditional evidence
• Secure evidence and maintain simple “chain-of-custody” records
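The three slides above ask for an event log that records who knew what and when, for evidence that is initialed, dated and documented, and for a simple chain-of-custody record. The script below is an added example of the minimum that satisfies all three on a Unix host; it is not material from the FBI Phoenix deck. Each evidence file is hashed with SHA-256 at collection time and the hash, collector, UTC timestamp and host are appended to a custody log, so a later verification can show the file is unchanged since it was taken. The file names, the tab-separated log layout and the sample auth log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the FBI slides): evidence intake with a simple
# chain-of-custody record plus a timeline log. Log layout and file names
# are assumptions made for this example.

# Hash a file with SHA-256, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Append a timeline entry: when, who, what (the "think testimony" log).
# Usage: log_event TIMELINE "collector" "free-text event"
log_event() {
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" >> "$1"
}

# Record one piece of evidence in the custody log and print its hash.
# Columns: timestamp, collector, host, path, size in bytes, sha256.
# Usage: collect_evidence CUSTODYLOG FILE "collector"
collect_evidence() {
    custody="$1"; item="$2"; collector="$3"
    [ -f "$item" ] || { echo "no such file: $item" >&2; return 1; }
    h=$(hash_file "$item")
    size=$(wc -c < "$item" | tr -d ' ')
    host=$(hostname 2>/dev/null || echo unknown-host)
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$collector" "$host" \
        "$item" "$size" "$h" >> "$custody"
    echo "$h"
}

# Recompute a file's hash and compare it with the hash recorded at
# collection. Returns 0 on match, 1 if it differs or was never recorded.
# Usage: verify_evidence CUSTODYLOG FILE
verify_evidence() {
    custody="$1"; item="$2"
    recorded=$(awk -F'\t' -v f="$item" '$4 == f {h=$6} END {print h}' "$custody")
    [ -n "$recorded" ] || { echo "not in custody log: $item" >&2; return 1; }
    current=$(hash_file "$item")
    if [ "$recorded" = "$current" ]; then
        echo "OK   $item"
        return 0
    else
        echo "FAIL $item (recorded $recorded, now $current)" >&2
        return 1
    fi
}

# Self-contained demonstration on a constructed log file in a temp directory.
demo_run() {
    work=$(mktemp -d)
    # Constructed sample: a few auth log lines standing in for a real security log.
    printf '%s\n' \
        'Jan 14 03:12:07 web01 sshd[4121]: Failed password for root from 198.51.100.7' \
        'Jan 14 03:12:09 web01 sshd[4121]: Failed password for root from 198.51.100.7' \
        'Jan 14 03:12:15 web01 sshd[4133]: Accepted password for deploy from 198.51.100.7' \
        > "$work/auth.log"
    log_event "$work/timeline.tsv" "J. Analyst" "Alert received from web01 monitoring"
    collect_evidence "$work/custody.tsv" "$work/auth.log" "J. Analyst" >/dev/null
    log_event "$work/timeline.tsv" "J. Analyst" "auth.log hashed and entered in custody log"
    verify_evidence "$work/custody.tsv" "$work/auth.log"           # prints OK
    echo 'tamper' >> "$work/auth.log"                               # simulate later change
    verify_evidence "$work/custody.tsv" "$work/auth.log" || true    # prints FAIL: hash changed
    cat "$work/custody.tsv" "$work/timeline.tsv"
}

# Run the demonstration only when invoked as: sh custody.sh demo
if [ "${1:-}" = "demo" ]; then demo_run; fi
```

The custody log is itself evidence of process, so keep it on media the compromised host cannot write to, and note in the timeline who handed which item to whom; the script records the technical facts (hash, time, size, host), the people and signatures are still written down by hand.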

Example Banner

This is a ______ computer system. Before processing classified and/or sensitive but unclassified information, check the security accreditation level of this system. Do not process, store, or transmit information classified above the accreditation level of this system. This computer system, including all related equipment, networks, and network devices (including Internet access) are provided only for authorized ______ use. _____ computer systems may be monitored for all lawful purposes, including to ensure their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes, but is not limited to, active attacks by authorized _____ entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this _____ computer system, authorized or unauthorized, constitutes consent to monitoring. Unauthorized use of this _____ computer system may subject you to civil litigation and/or criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for all lawful purposes.
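The previous slide asks whether a consent-to-monitor banner is in place; this added example (not part of the FBI deck) fills the blanks of the banner above with an organisation name, writes it to the file that an SSH daemon or a console login displays before authentication, and checks that the two sentences that establish consent survived the edit. The default path /etc/issue.net and the organisation name "Contoso" used in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the FBI slides): install the consent-to-monitor
# banner from the slide and confirm its key sentences are present.

# Print the banner text with every blank replaced by the organisation name.
# Usage: render_banner "ORG"
render_banner() {
    org="$1"
    cat <<EOF
This is a $org computer system. Before processing classified and/or
sensitive but unclassified information, check the security accreditation
level of this system. Do not process, store, or transmit information
classified above the accreditation level of this system. This computer
system, including all related equipment, networks, and network devices
(including Internet access) are provided only for authorized $org use.
$org computer systems may be monitored for all lawful purposes, including
to ensure their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability, and operational security. Monitoring includes,
but is not limited to, active attacks by authorized $org entities to test
or verify the security of the system. During monitoring, information may
be examined, recorded, copied, and used for authorized purposes. All
information, including personal information, placed on or sent over this
system may be monitored. Use of this $org computer system, authorized or
unauthorized, constitutes consent to monitoring. Unauthorized use of this
$org computer system may subject you to civil litigation and/or criminal
prosecution. Evidence of unauthorized use collected during monitoring may
be used for administrative, criminal or other adverse action. Use of this
system constitutes consent to monitoring for all lawful purposes.
EOF
}

# Check that a banner file carries the sentences that make monitoring
# defensible: the "may be monitored" notice and the consent clause.
# Usage: banner_has_consent FILE
banner_has_consent() {
    grep -q 'may be monitored' "$1" &&
    grep -q 'consent to monitoring' "$1"
}

# Write the banner to PATH (default /etc/issue.net) and verify it.
# Usage: install_banner "ORG" [PATH]
install_banner() {
    org="$1"; path="${2:-/etc/issue.net}"
    render_banner "$org" > "$path"
    banner_has_consent "$path"
}

# Example invocation (constructed organisation name, temp path so the
# script can be tried without root): install_banner "Contoso" /tmp/issue.net
```

To show the file to SSH clients, add `Banner /etc/issue.net` to sshd_config and reload sshd; OpenSSH prints it before the password or key prompt, so it reaches the unauthenticated user the banner is meant for. The same text in /etc/issue is shown by getty on local consoles. Because it is displayed pre-authentication, the banner should name the organisation and the monitoring terms and nothing else about the host.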

What To Do (continued)
• Identify source(s) of the attack.
• Record specific damages and losses
  – Including hours spent on recovery – now recoverable under Patriot Act provisions
  – Important for prosecution
• Prepare for repeat attacks.
• Protecting Mission Critical vs. Proprietary Data
• Theorize - nobody knows your system better than you.
• Determine how the intrusion happened.
• Identify possible subjects and motives.
• Be patient with law enforcement.

What NOT To Do
• Do NOT use the compromised systems before preserving any evidence.
• Do not make assumptions as to Federal jurisdiction or prosecutorial merit.
• Do not assume that by ignoring the incident, or the damage to your files, it will go away.
• Do not correspond via E-mail on a compromised network regarding the incident or the investigation.

What to Expect if you call the FBI
• Agents will keep your information confidential.
• Agents will interview key witnesses
  – IT Managers / Operators
• Agents may offer assistance in recovering logs; securing systems
• Agents may seek to identify the individual responsible
• Possible plea bargaining
• Possible trial
• Sentencing (upon conviction)
  – Restitution
These steps do NOT occur quickly!

Network Security Issues
US strategy

Civil, Regulatory, Criminal Issues:
1. Asset Protection
2. Reporting oversight
3. Due diligence – protection of other people’s private information
4. Due diligence – protection of resources so they won’t be used against someone else

Sarbanes-Oxley Act of 2002 (accounting)
Gramm-Leach-Bliley Act of 1999 (financial)
Health Insurance Portability & Accountability Act of 1996
California SB 1386 (companies with clients in California)

National prescription
1. Security standards promoted
   a. VOLUNTARY adherence (biz)
   b. regulation AND/OR
   c. civil litigation, insurance
2. Information sharing
   a. vulnerabilities, threats
   b. attacks

ISACs – Information Sharing & Analysis Centers
• Aviation
• Gas & Oil
• Chemical
• Government
• Electrical Energy
• Information Technology
• Emergency Services
• Telecommunications
• Financial Services
• Transportation (surface)
• Food
• Water
InfraGard: FBI and private/public sector partnership

Federal Lead Agencies
• Dept of Defense
• CIA
• NSA
• Federal Agencies
• Law enforcement
• ISACs
• InfraGard

FBI Phoenix – Computer Crime Squad
www.nipc.gov

• 56 FBI offices
• 79 chapters
• 9700+ members
• Information sharing

Contact: SA Tom Liffiton
602.279.5511 x 3105
FBI PHOENIX 602.650.3105
tliffiton@fbi.gov