MANAGEMENT of INFORMATION SECURITY Fifth Edition INCIDENT RESPONSE

MANAGEMENT of INFORMATION SECURITY, Fifth Edition

INCIDENT RESPONSE
Management of Information Security, 5th Edition, © Cengage Learning

Incident Response Plan
• Incident response (IR) is an organization’s set of planning and preparation efforts for detecting, reacting to, and recovering from an incident
• Incident response planning (IRP) consists of the actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team
• The IR plan is the documented product of incident response planning; a plan that shows the organization’s intended efforts in the event of an incident

Incident Response
• Adverse event: An event with negative consequences that could threaten the organization’s information assets or operations. Sometimes referred to as an incident candidate
• Incident: An adverse event that could result in a loss of information assets, but does not threaten the viability of the entire organization

Getting Started
• An early task for the CPMT is to form a computer security incident response team (CSIRT): an IR team composed of technical IT, managerial IT, and InfoSec professionals who are prepared to detect, react to, and recover from an incident
• Key members of the CSIRT become the IR planning committee and begin work by developing policy to define the operations of the team, to articulate the organizational response to various types of incidents, and to advise end users on how to contribute to the effective response of the organization

NIST Incident Response Life Cycle (figure slide)

Incident Response Policy
• NIST SP 800-61, Rev. 2: The Computer Security Incident Handling Guide identifies the following key components of a typical IR policy:
– Statement of management commitment
– Purpose and objectives of the policy
– Scope of the policy (to whom and what it applies and under what circumstances)
– Definition of InfoSec incidents and related terms
– Organizational structure and definition of roles, responsibilities, and levels of authority
– Prioritization or severity ratings of incidents
– Performance measures
– Reporting and contact forms

Incident Response Planning
• When a threat becomes a valid adverse event, it is classified as an information security incident if:
– It is directed against information assets
– It has a realistic chance of success
– It threatens the confidentiality, integrity, or availability of information assets
• It is important to understand that IR is a reactive measure, not a preventative one

IR Planning
• The responsibility for creating an organization’s IR plan usually falls to the CISO, or an IT manager with security responsibilities
• Using the multistep CP process discussed in the previous section as a model, the CP team can create the IR plan
• For every incident scenario, the CP team creates three sets of incident-handling procedures:
– During the incident
– After the incident
– Before the incident

During the Incident
• Planners develop and document the procedures that must be performed during the incident
• These procedures are grouped and assigned to various roles
• The planning committee drafts a set of function-specific procedures

After the Incident
• Once the procedures for handling an incident are drafted, planners develop and document the procedures that must be performed immediately after the incident has ceased
• Separate functional areas may develop different procedures

Before the Incident
• Planners draft a third set of procedures, those tasks that must be performed in advance of the incident
• These procedures include:
– details of data backup schedules
– disaster recovery preparation
– training schedules
– testing plans
– copies of service agreements
– business continuity plans

Incident Response Planning (figure slide)

IR Planning
• Planning requires a detailed understanding of the information systems and the threats they face
• The IR planning team seeks to develop predefined responses that guide users through the steps needed to respond to an incident
• Pre-defining incident responses enables rapid reaction without confusion or wasted time and effort

IR Planning
• The execution of the IR plan typically falls to the CSIRT
• The CSIRT is a subset of the IR team and is composed of technical and managerial IT and InfoSec professionals prepared to diagnose and respond to an incident
• In some organizations, the CSIRT may simply be a loose or informal association of IT and InfoSec staffers who would be called up if an attack was detected on the organization’s information assets
• In other, more formal implementations, the CSIRT is a set of policies, procedures, technologies, people, and data put in place to prevent, detect, react to, and recover from an incident that could potentially damage the organization’s information

IR Actions
• Incident response actions can be organized into three basic phases:
1. Detection—Recognition that an incident is under way
2. Reaction—Responding to the incident in a predetermined fashion to contain and mitigate its potential damage
3. Recovery—Returning all systems and data to their state before the incident

IR Checklist (figure slide)

Data Protection in Preparation for Incidents
• Traditional data backups—The organization can use a combination of on-site and off-site tape-drive or hard-drive backup methods, in a variety of rotation schemes; because the backup point is some time in the past, recent data is potentially lost
• Electronic vaulting—The organization can employ bulk batch transfer of data to an off-site facility; transfer is usually conducted via leased lines or secure Internet connections
• Remote journaling—The organization can transfer live transactions to an off-site facility; with remote journaling:
– Only transactions are transferred, not archived data; and
– The transfer takes place online and much closer to real time
• Database shadowing—Storing duplicate online transaction data, along with duplicate databases, at the remote site on a redundant server; writes multiple copies of the database simultaneously in two separate locations
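The difference between these four options is the recovery point: how many committed transactions are unrecoverable when the primary site fails. The following is an added example, not code from the textbook or its publisher. It models a toy account ledger protected by a periodic full backup, by electronic vaulting of change batches, by a remote journal that ships each transaction as it commits, and by database shadowing, then counts what each option loses after a simulated failure and rebuilds the live state from the last backup plus the journal. The transactions, the backup and vault schedules, and the failure time are all constructed.

```python
"""Recovery-point comparison for the four data-protection options on this slide.

Added example, not from the textbook or its publisher. A toy account ledger
is protected by (a) a periodic full backup, (b) electronic vaulting of
changes in batches, (c) a remote journal that ships each transaction as it
commits, and (d) database shadowing that writes the remote copy at the same
time. After a simulated failure we count how many committed transactions each
option loses, and rebuild the live state from the last backup plus the
journal. Transactions, schedules and the failure time are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    seq: int          # commit order
    commit_time: int  # minutes after midnight (constructed clock)
    account: str
    delta: int        # change applied to the account balance


# Constructed sample ledger activity. Seq 8 never commits: it arrives after the failure.
SAMPLE_TX = [
    Transaction(1, 5, "acct-A", 100),
    Transaction(2, 20, "acct-B", 50),
    Transaction(3, 40, "acct-A", -30),
    Transaction(4, 55, "acct-C", 75),
    Transaction(5, 70, "acct-B", -20),
    Transaction(6, 85, "acct-A", 10),
    Transaction(7, 95, "acct-C", -25),
    Transaction(8, 110, "acct-B", 5),
]
FAILURE_TIME = 100  # the primary site dies at the start of this minute


def apply(state, txs):
    """Apply transactions to a balance dict and return the new dict."""
    state = dict(state)
    for t in txs:
        state[t.account] = state.get(t.account, 0) + t.delta
    return state


def committed_before(txs, failure_time):
    return [t for t in txs if t.commit_time < failure_time]


def last_copy_seq(committed, failure_time, interval):
    """Highest seq captured by a copy that runs every `interval` minutes
    (at minute 0, interval, 2*interval, ...) and last ran before the failure."""
    last_run = ((failure_time - 1) // interval) * interval
    return max((t.seq for t in committed if t.commit_time <= last_run), default=0)


def transactions_lost(txs, failure_time, backup_interval=60, vault_interval=15):
    """Committed transactions that each option cannot restore after the failure."""
    committed = committed_before(txs, failure_time)
    backup_seq = last_copy_seq(committed, failure_time, backup_interval)
    vault_seq = last_copy_seq(committed, failure_time, vault_interval)
    return {
        # restore point is the last full backup, possibly an hour old
        "traditional backup": sum(1 for t in committed if t.seq > backup_seq),
        # restore point is the last batch shipped off-site
        "electronic vaulting": sum(1 for t in committed if t.seq > vault_seq),
        # every transaction left the site as it committed
        "remote journaling": 0,
        # the remote database was written at the same time as the primary
        "database shadowing": 0,
    }


def recover_with_journal(txs, failure_time, backup_interval=60):
    """Rebuild live state: last full backup, then replay the remote journal.
    Only transactions travel to the journal, not the archived data itself."""
    committed = committed_before(txs, failure_time)
    backup_seq = last_copy_seq(committed, failure_time, backup_interval)
    backup_state = apply({}, [t for t in committed if t.seq <= backup_seq])
    journal = [t for t in committed if t.seq > backup_seq]
    return apply(backup_state, journal)


if __name__ == "__main__":
    for method, lost in transactions_lost(SAMPLE_TX, FAILURE_TIME).items():
        print(f"{method:20s} loses {lost} committed transaction(s)")
    print("recovered via journal:", recover_with_journal(SAMPLE_TX, FAILURE_TIME))
```

With an hourly backup and a 15-minute vault batch, the failure at minute 100 loses three committed transactions under traditional backup and one under electronic vaulting, while the journal replay reproduces the live balances exactly; shortening the copy interval is what moves the recovery point closer to the failure.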

Detecting Incidents
• The challenge is determining whether an event is routine system use or an actual incident
• Incident classification is the process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident
• Initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators are all ways to track and detect incident candidates
• Careful training allows everyone to relay vital information to the IR team

Incident Indicators: Possible Indicators
• Presence of unfamiliar files
• Presence or execution of unknown programs or processes
• Unusual consumption of computing resources
• Unusual system crashes

Incident Indicators: Probable Indicators
• Activities at unexpected times
• Presence of new accounts
• Reported attacks
• Notification from IDS

Incident Indicators: Definite Indicators
• Use of dormant accounts
• Changes to logs
• Presence of hacker tools
• Notifications by partner or peer
• Notification by hacker

Occurrences of Actual Incidents
• Loss of availability
• Loss of integrity
• Loss of confidentiality
• Violation of policy
• Violation of law
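Incident classification, as the detection slides describe it, is a triage of an incident candidate against the possible, probable and definite indicator classes. The following is an added example, not code from the textbook or its publisher: it parses a few constructed host log lines, raises the indicators they match (execution of an unknown program, activity at an unexpected time, a new account, use of a dormant account, changes to logs), and lets the highest class reached decide whether the candidate is routine use, needs investigation, or is declared an incident. The log format, the last-login baseline, the business-hours window and the 90-day dormancy threshold are assumptions.

```python
"""Triage of an incident candidate using the indicator classes on these slides.

Added example, not from the textbook or its publisher. A few constructed
host log lines are parsed and checked against the possible / probable /
definite indicator classes (unknown program executed, activity at an
unexpected time, new account, use of a dormant account, changes to logs).
The highest class reached decides whether the candidate is routine use, needs
investigation, or is declared an incident. Log format, baseline data, business
hours and the 90-day dormancy threshold are all assumptions.
"""
import re
from datetime import datetime, timedelta

LEVELS = {"possible": 1, "probable": 2, "definite": 3}

# Constructed baseline: last known successful login per account.
LAST_LOGIN = {
    "alice": datetime(2024, 2, 28, 8, 30),
    "svc_legacy": datetime(2023, 10, 1, 9, 0),   # nothing for months: dormant
}
KNOWN_PROGRAMS = {"/usr/bin/sshd", "/usr/sbin/cron", "/usr/bin/python3"}
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59, an assumption
DORMANT_AFTER = timedelta(days=90)     # an assumption

# Constructed key=value log lines; timestamps are host-local ISO 8601.
SAMPLE_LOG = """\
2024-03-02T09:05:00 host=web01 event=login user=alice result=success
2024-03-02T03:14:00 host=web01 event=login user=svc_legacy result=success
2024-03-02T03:15:10 host=web01 event=useradd user=support2 by=svc_legacy
2024-03-02T03:16:40 host=web01 event=exec user=svc_legacy path=/tmp/unknown-bin
2024-03-02T03:20:00 host=web01 event=log_cleared log=/var/log/auth.log by=svc_legacy
2024-03-02T10:00:00 host=db01 event=exec user=alice path=/usr/bin/python3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def indicators_for(event):
    """Return (level, indicator) pairs raised by one parsed event."""
    found = []
    kind, ts = event.get("event"), event["ts"]
    if kind == "login" and event.get("result") == "success":
        if ts.hour not in BUSINESS_HOURS:
            found.append(("probable", "activity at unexpected time"))
        last = LAST_LOGIN.get(event.get("user"))
        if last is not None and ts - last > DORMANT_AFTER:
            found.append(("definite", "use of dormant account"))
    elif kind == "useradd":
        found.append(("probable", "presence of new account"))
    elif kind == "exec" and event.get("path") not in KNOWN_PROGRAMS:
        found.append(("possible", "execution of unknown program"))
    elif kind == "log_cleared":
        found.append(("definite", "changes to logs"))
    return found


def classify(log_text):
    """Return (verdict, findings) for a batch of log lines."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for level, name in indicators_for(event):
            findings.append({"level": level, "indicator": name,
                             "host": event.get("host"), "ts": event["ts"].isoformat()})
    top = max((f["level"] for f in findings), key=LEVELS.get, default=None)
    verdict = {
        None: "routine use: no indicator",
        "possible": "incident candidate: investigate",
        "probable": "incident candidate: escalate to CSIRT",
        "definite": "incident: declare and begin reaction",
    }[top]
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = classify(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['host']:6s} {f['level']:8s} {f['indicator']}")
    print("verdict:", verdict)
```

The sample batch reaches the definite class twice (a dormant account logging in, then the audit log being cleared), which is what turns an incident candidate into a declared incident; a single unknown-program execution on its own only warrants investigation.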

Reacting to Incidents
• Once an actual incident has been confirmed and properly classified, the IR plan moves from the detection phase to the reaction phase
• In the incident response phase, a number of action steps taken by the CSIRT and others must occur quickly and may occur concurrently
• These steps include notification of key personnel, the assignment of tasks, and documentation of the incident

Notification of Key Personnel
• As soon as an incident is declared, the right people must be immediately notified in the right order
• An alert roster is a document containing contact information on the individuals to be notified in the event of an actual incident, either sequentially or hierarchically
• The alert message is a scripted description of the incident
• Other key personnel must also be notified of the incident only after the incident has been confirmed, but before media or other external sources learn of it
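The sequential and hierarchical activation schemes differ in who makes the calls and therefore in how long it takes to reach everyone. The following is an added example, not code from the textbook or its publisher. It models a constructed roster as a tree in which the incident manager is the root and each contact lists the people they are responsible for calling; a sequential activation has the root call everyone, while a hierarchical activation lets the calls fan out in rounds. Contacts marked as other key personnel (legal, public relations) are only called once the incident is confirmed, as the slide requires. The names, roles, phone numbers and the alert message template are assumptions.

```python
"""Alert roster activation: sequential versus hierarchical notification.

Added example, not from the textbook or its publisher. A constructed roster
is modelled as a tree: the incident manager sits at the root and each contact
lists the people they are responsible for calling. A sequential activation
has the root call everyone; a hierarchical activation has each contact call
the people under them, so the calls fan out in rounds. Contacts marked as
"other key personnel" are only called once the incident is confirmed.
Names, roles, numbers and the message template are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Contact:
    name: str
    role: str
    phone: str                      # constructed placeholder numbers
    core: bool = True               # CSIRT member (True) or other key personnel (False)
    notifies: list = field(default_factory=list)   # people this contact calls next


# Constructed roster. The depth of the tree bounds hierarchical activation time.
ROSTER = Contact("Dana", "Incident manager", "555-0100", notifies=[
    Contact("Li", "Network lead", "555-0101", notifies=[
        Contact("Omar", "Firewall admin", "555-0102"),
        Contact("Priya", "Systems admin", "555-0103"),
    ]),
    Contact("Sam", "Legal counsel", "555-0104", core=False, notifies=[
        Contact("Jo", "Public relations", "555-0105", core=False),
    ]),
])


def alert_message(incident):
    """The scripted alert text read to each contact, filled from the incident record."""
    return ("ALERT ROSTER ACTIVATION. {category} incident declared at {declared_at}. "
            "Affected: {affected}. Current status: {status}. Your action: {action}.").format(**incident)


def _preorder(contact):
    yield contact
    for child in contact.notifies:
        yield from _preorder(child)


def sequential_plan(root, confirmed):
    """Root calls every eligible contact in roster order: (caller, callee) list and number of rounds."""
    calls = [(root.name, c.name) for c in list(_preorder(root))[1:] if c.core or confirmed]
    return calls, len(calls)


def hierarchical_plan(root, confirmed):
    """Each contact calls the people listed under them; one round per level of the tree.
    An unconfirmed incident skips non-core contacts and everyone beneath them."""
    calls, rounds, frontier = [], 0, [root]
    while frontier:
        next_frontier = []
        for caller in frontier:
            for callee in caller.notifies:
                if callee.core or confirmed:
                    calls.append((caller.name, callee.name))
                    next_frontier.append(callee)
        if next_frontier:
            rounds += 1
        frontier = next_frontier
    return calls, rounds


def max_calls_by_one_person(calls):
    """How many calls the busiest person has to make; the bottleneck of a sequential roster."""
    return max(Counter(caller for caller, _ in calls).values(), default=0)


if __name__ == "__main__":
    incident = {"category": "Unauthorized access", "declared_at": "2024-03-02 03:30",
                "affected": "web01", "status": "contained, under investigation",
                "action": "join the bridge and stand by for tasking"}   # constructed
    print(alert_message(incident))
    for label, plan in (("sequential", sequential_plan), ("hierarchical", hierarchical_plan)):
        calls, rounds = plan(ROSTER, confirmed=True)
        print(f"{label}: {len(calls)} calls in {rounds} rounds; "
              f"busiest caller makes {max_calls_by_one_person(calls)}")
```

Both schemes place the same five calls for a confirmed incident, but the sequential roster takes five rounds with one person on the phone throughout, while the hierarchical roster finishes in two rounds with nobody making more than two calls; before confirmation only the three core CSIRT members are reached.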

Documenting an Incident
• As soon as an incident has been confirmed and the notification process is underway, the team should begin documentation
• It should record the who, what, when, where, why, and how of each action taken while the incident is occurring
• It serves as a case study after the fact to determine if the right actions were taken, and if they were effective
• It can also prove the organization did everything possible to deter the spread of the incident
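A record that is meant to serve as evidence of what the team did is only worth that much if it cannot be quietly edited afterwards. The following is an added example, not code from the textbook or its publisher: an incident log whose entries must answer who, what, when, where, why and how, chained with SHA-256 so that altering or removing an entry breaks verification. The two sample entries are constructed, and the hash-chaining scheme is this example's own design rather than anything the textbook prescribes.

```python
"""Tamper-evident incident documentation.

Added example, not from the textbook or its publisher. Every action taken
during the incident is recorded as an entry that must answer who, what, when,
where, why and how. Entries are chained with SHA-256 so that an entry changed
or removed after the fact breaks verification, which is what makes the record
usable as a case study and as proof of what the team did. The entries below
are constructed; the chaining scheme is this example's own design.
"""
import hashlib
import json
from datetime import datetime

FIELDS = ("who", "what", "when", "where", "why", "how")
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class IncidentLog:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, **fields):
        """Append one entry; rejects entries that leave any of the six questions unanswered."""
        missing = [f for f in FIELDS if not fields.get(f)]
        if missing:
            raise ValueError(f"entry must answer: {', '.join(missing)}")
        datetime.fromisoformat(fields["when"])   # 'when' must be an unambiguous ISO 8601 timestamp
        body = {f: fields[f] for f in FIELDS}
        body["seq"] = len(self.entries) + 1
        body["prev"] = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = dict(body, digest=_digest(body))
        self.entries.append(entry)
        return entry["digest"]

    def verify(self):
        """True if every entry hashes correctly and links to the one before it."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body.get("seq") != expected_seq or body.get("prev") != prev:
                return False
            if _digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def timeline(self):
        """Entries ordered by when the action happened; record order may differ."""
        return sorted(self.entries, key=lambda e: datetime.fromisoformat(e["when"]))


def sample_log():
    """A constructed two-entry log for a hypothetical incident."""
    log = IncidentLog("IR-EXAMPLE-001")
    log.record(who="Priya (systems admin)", what="locked account svc_legacy",
               when="2024-03-02T03:40:00+00:00", where="web01",
               why="account used from an unexpected source at 03:14",
               how="account lock via the host's user management tool")
    log.record(who="Omar (firewall admin)", what="blocked inbound traffic from 198.51.100.7",
               when="2024-03-02T03:36:00+00:00", where="edge firewall",
               why="source of the login to svc_legacy",
               how="deny rule added to the inbound policy")
    return log


if __name__ == "__main__":
    log = sample_log()
    for e in log.timeline():
        print(e["seq"], e["when"], e["who"], e["what"])
    print("chain intact:", log.verify())
```

The timestamps carry an explicit UTC offset so that entries recorded by different people on different hosts can be ordered into one timeline; the address 198.51.100.7 is from a documentation range and stands in for whatever the real source was.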

Incident Containment Strategies
• The essential task of IR is to stop the incident or contain its impact
• Incident containment strategies focus on two tasks:
– stopping the incident
– recovering control of the systems

Incident Containment Strategies
• Disabling compromised user accounts
• Reconfiguring a firewall to block the problem traffic
• Temporarily disabling the compromised process or service
• Taking down the conduit application or server—for example, the e-mail server
• Stopping all computers and network devices

Incident Escalation
• An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident
• Each organization will have to determine, during the business impact analysis, the point at which the incident becomes a disaster
• The organization must also document when to involve outside response

Recovering from Incidents
• Once the incident has been contained, and system control regained, incident recovery can begin
• The CSIRT must assess the full extent of the damage in order to determine what must be done to restore the systems
• The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets is called incident damage assessment
• Those who document the damage must be trained to collect and preserve evidence, in case the incident is part of a crime or results in a civil action

Recovering from Incidents
• The incident recovery process includes:
– Identify the vulnerabilities that allowed the incident to occur and spread, and resolve them
– Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place, and install, replace, or upgrade them
– Evaluate monitoring capabilities (if present) to improve detection and reporting methods, or install new monitoring capabilities

Recovering from Incidents (cont.)
– Restore the data from backups as needed
– Restore the services and processes in use, where compromised (and interrupted) services and processes must be examined, cleaned, and then restored
– Continuously monitor the system
– Restore the confidence of the members of the organization’s communities of interest

Common Mistakes CSIRTs Make
• According to McAfee, there are 10 common mistakes that an organization’s CSIRTs make in IR. These include “Failure to…
1. …appoint a clear chain of command with a specified individual in charge
2. …establish a central operations center
3. …“know your enemy,” as described in Chapters 1 and 6
4. …develop a comprehensive IR plan with containment strategies
5. …record IR activities at all phases, especially help desk tickets to detect incidents
6. …document the events as they occur in a timeline
7. …distinguish incident containment from incident remediation (as part of reaction)
8. …secure and monitor networks and network devices
9. …establish and manage system and network logging
10. …establish and support effective antivirus and antimalware solutions”

NIST Recommendations for Incident Handling
• Acquire Tools and Resources That May Be of Value During Incident Handling
• Prevent Incidents from Occurring by Ensuring That Networks, Systems, and Applications Are Sufficiently Secure
• Identify Precursors and Indicators Through Alerts Generated by Several Types of Security Software
• Establish Mechanisms for Outside Parties to Report Incidents
• Require a Baseline Level of Logging and Auditing on All Systems, and a Higher Baseline Level on All Critical Systems
• Profile Networks and Systems
• Understand the Normal Behaviors of Networks, Systems, and Applications
• Create a Log Retention Policy
• Perform Event Correlation

NIST Recommendations for Incident Handling (cont.)
• Keep All Host Clocks Synchronized
• Maintain and Use a Knowledge Base of Information
• Start Recording All Information as Soon as the Team Suspects That an Incident Has Occurred
• Safeguard Incident Data
• Prioritize Handling of the Incidents Based on the Relevant Factors
• Include Provisions for Incident Reporting in the Organization’s Incident Response Policy
• Establish Strategies and Procedures for Containing Incidents
• Follow Established Procedures for Evidence Gathering and Handling
• Capture Volatile Data from Systems as Evidence
• Obtain System Snapshots Through Full Forensic Disk Images, not File System Backups
• Hold Lessons-Learned Meetings After Major Incidents
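Two of the recommendations across these two slides, performing event correlation and keeping all host clocks synchronized, are tightly linked: correlation joins records from different sources on time, so a host whose clock is wrong drops out of the join. The following is an added example, not code from the textbook, its publisher or NIST. It correlates constructed IDS alerts with constructed host log events, where a match is a host event on the alert's destination, from the alert's source, within a short window after the alert. One host's clock is seven minutes fast; correcting each record by its host's measured offset before comparing recovers a match that the raw timestamps miss. The sensor and host names, addresses (from documentation ranges), offsets and the window are all assumptions.

```python
"""Event correlation across sources, and why synchronized clocks matter.

Added example, not from the textbook, its publisher or NIST. IDS alerts are
correlated with host log events: a match is a host event on the alert's
destination, from the alert's source, within a short window after the alert.
One host's clock is seven minutes fast; correcting each record by the host's
measured clock offset before comparing recovers a match that the raw
timestamps miss. Names, addresses, offsets and the window are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed clock offsets measured against the reference time source, in seconds.
# Positive means the host's clock runs ahead of true time.
CLOCK_OFFSET = {"ids01": 0, "web01": 0, "db01": 420}

IDS_ALERTS = [  # constructed sensor output; 'ts' is the sensor's own clock
    {"host": "ids01", "ts": "2024-03-02T03:14:05", "sig": "SSH password guessing",
     "src": "198.51.100.7", "dst": "web01"},
    {"host": "ids01", "ts": "2024-03-02T03:31:40",
     "sig": "DB client connection from web tier outside maintenance window",
     "src": "web01", "dst": "db01"},
]
HOST_EVENTS = [  # constructed host logs; 'ts' is each host's own clock
    {"host": "web01", "ts": "2024-03-02T03:14:22", "event": "login",
     "user": "svc_legacy", "src": "198.51.100.7"},
    {"host": "db01", "ts": "2024-03-02T03:39:02", "event": "db_login",
     "user": "app_ro", "src": "web01"},          # clock 7 minutes fast: truly 03:32:02
    {"host": "web01", "ts": "2024-03-02T09:05:00", "event": "login",
     "user": "alice", "src": "203.0.113.9"},
]


def event_time(record, correct_clocks=True):
    """Timestamp as a UTC datetime, optionally corrected for the host's clock offset."""
    t = datetime.fromisoformat(record["ts"]).replace(tzinfo=timezone.utc)
    if correct_clocks:
        t -= timedelta(seconds=CLOCK_OFFSET.get(record["host"], 0))
    return t


def correlate(alerts, host_events, window_s=120, correct_clocks=True):
    """Pair each alert with host events from the same source on the alert's target
    that occur within `window_s` seconds after the alert."""
    matches = []
    for alert in alerts:
        t_alert = event_time(alert, correct_clocks)
        for ev in host_events:
            if ev["host"] != alert["dst"] or ev.get("src") != alert["src"]:
                continue
            lag = (event_time(ev, correct_clocks) - t_alert).total_seconds()
            if 0 <= lag <= window_s:
                matches.append({"sig": alert["sig"], "host": ev["host"],
                                "user": ev["user"], "lag_s": lag})
    return matches


if __name__ == "__main__":
    for corrected in (False, True):
        found = correlate(IDS_ALERTS, HOST_EVENTS, correct_clocks=corrected)
        print(f"clock correction {'on ' if corrected else 'off'}: {len(found)} match(es)")
        for m in found:
            print(f"  {m['sig']} -> {m['host']} user={m['user']} lag={m['lag_s']:.0f}s")
```

With the raw timestamps the database login appears 442 seconds after the alert and falls outside the two-minute window, so only the web-tier login correlates; after the 420-second correction it sits 22 seconds after the alert and both stages of the activity line up. Measuring and correcting offsets after the fact is a fallback; the recommendation is to keep the clocks synchronized so the logs agree to begin with.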

Organizational Philosophy on Incident and Disaster Handling
• Protect and forget, also known as “patch and proceed,” focuses on the defense of data and the systems that house and transmit it
– An investigation that takes this approach focuses on the detection and analysis of events to determine how they happened and to prevent recurrence
• Apprehend and prosecute, also known as “pursue and prosecute,” focuses on the identification and apprehension of responsible individuals, with additional attention paid to the collection and preservation of potential evidentiary material that might support administrative or criminal prosecution