Module 12: Responding to Security Incidents
- Slides: 23
Overview
- Introduction to Auditing and Incident Response
- Designing an Audit Policy
- Designing an Incident Response Procedure

Lesson 1: Introduction to Auditing and Incident Response
- The Auditing Process
- Why Auditing Is Important
- What Is an Incident Response Procedure?
The Auditing Process
You can determine a user's actions by examining the following:
  1. ISA Server packet filter log file
  2. Security event log file and the IIS log file
  3. Security event log file from the domain controller
[Diagram: IIS Server, ISA Server, Domain Controller]
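As an added illustration (not part of the course material), the following Python script correlates constructed, simplified excerpts of the three log sources on this slide: the domain controller security log ties an account to its client address, and that address then selects the matching ISA packet filter and IIS entries. The log layouts, field names and every record are constructed assumptions, not real captured logs.

```python
from datetime import datetime

# Constructed, simplified log excerpts (not real captured logs); one record per line.
# Domain controller security event log: date time event account source-ip
DC_SECURITY_LOG = """\
2024-03-01 08:58:10 LOGON_SUCCESS CONTOSO\\jdoe 10.1.5.23
2024-03-01 09:02:44 LOGON_FAILURE CONTOSO\\admin 10.1.5.23
2024-03-01 09:30:00 LOGON_SUCCESS CONTOSO\\asmith 10.1.7.9
"""
# ISA Server packet filter log: date time client-ip dest-ip dest-port action
ISA_PACKET_LOG = """\
2024-03-01 09:00:01 10.1.5.23 10.1.2.50 80 ALLOW
2024-03-01 09:00:05 10.1.5.23 10.1.2.50 445 BLOCK
2024-03-01 09:31:12 10.1.7.9 10.1.2.50 80 ALLOW
"""
# IIS log: date time client-ip username method uri status
IIS_LOG = """\
2024-03-01 09:00:02 10.1.5.23 - GET /default.htm 200
2024-03-01 09:00:03 10.1.5.23 - GET /admin/config.asp 401
2024-03-01 09:31:13 10.1.7.9 asmith GET /reports/q1.htm 200
"""

def parse(log, fields):
    """Split a whitespace-delimited excerpt into dicts keyed by `fields`, plus a datetime 'time'."""
    records = []
    for line in log.strip().splitlines():
        parts = line.split()
        rec = dict(zip(fields, parts[2:]))
        rec["time"] = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records

def trace_user(account, dc_log=DC_SECURITY_LOG, isa_log=ISA_PACKET_LOG, iis_log=IIS_LOG):
    """Return a time-ordered list of (time, source, description) for one account:
    the DC log ties the account to client addresses, then those addresses select
    the ISA packet filter entries (blocked traffic included) and the IIS requests."""
    dc = parse(dc_log, ("event", "account", "ip"))
    isa = parse(isa_log, ("client", "dest", "port", "action"))
    iis = parse(iis_log, ("client", "user", "method", "uri", "status"))
    mine = [r for r in dc if r["account"] == account]
    addrs = {r["ip"] for r in mine}
    timeline = [(r["time"], "DC", f"{r['event']} from {r['ip']}") for r in mine]
    timeline += [(r["time"], "ISA", f"{r['action']} {r['client']} -> {r['dest']}:{r['port']}")
                 for r in isa if r["client"] in addrs]
    timeline += [(r["time"], "IIS", f"{r['method']} {r['uri']} {r['status']}")
                 for r in iis if r["client"] in addrs]
    return sorted(timeline)

if __name__ == "__main__":
    for when, source, what in trace_user("CONTOSO\\jdoe"):
        print(when, source, what)
```

Note that the blocked port 445 attempt and the 401 on the admin page appear in the account's timeline only because the three sources were joined on the client address; none of the logs shows that picture alone.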
Why Auditing Is Important
You must dedicate time to review the logs. By enabling auditing, you can:
- Monitor events in your network
- Take action if there is any suspicious activity
[Diagram: External Attacker, Internal Attacker]

What Is an Incident Response Procedure?
An incident response procedure includes steps such as:
- People to contact
- Actions for limiting damage
- Provisions for investigation
Lesson 2: Designing an Audit Policy
- Process for Planning an Audit Policy
- Guidelines for Creating a Framework for Auditing
- Common Auditing Tools and Sources
- Guidelines for Designing an Audit Review Process
- Activity: Risk and Response

Process for Planning an Audit Policy
When planning an audit policy, you must:
  1. Determine what types of events to audit
  2. Identify auditing tools to use
  3. Create a process for reviewing event logs
  4. Establish a retention policy for audit logs

Guidelines for Creating a Framework for Auditing
The following guidelines help to create a framework for auditing:
- Audit events and resources that you want to track
- Create audit statements that include:
  - The type of event
  - The event details
  - Audit point

Common Auditing Tools and Sources
Resource                  | Tools and sources
--------------------------+----------------------------------------------
Operating systems         | Event Viewer
                          | EventComb
                          | SCOM
                          | Custom scripts
Web sites                 | IIS logs
                          | URLScan
Network perimeters        | Router logs
                          | Firewall logs
                          | Packet filtering logs
                          | Proxy logs
Application-specific logs | Intrusion-detection software
                          | Antivirus software
                          | SCOM

Guidelines for Designing an Audit Review Process
When designing an audit review process, define:
- Who is responsible for managing and analyzing events
- How often to analyze events
- How to report possible incidents to management
- How to preserve the chain of evidence
- Where to archive event logs

Activity: Risk and Response
For each scenario:
- Read the scenario
- Choose the best risk management strategy
- Determine an appropriate security response
- Discuss your answers as a class
Lesson 3: Designing an Incident Response Procedure
- Process for Planning an Incident Response Procedure
- Guidelines for Creating an Incident Response Team
- What to Include in a Communication Plan
- Common Indicators of Security Incidents
- Guidelines for Analyzing a Security Incident
- Methods for Limiting Damage from an Attack
- Guidelines for Documenting Security Incidents
- Activity: Risk and Response
Process for Planning an Incident Response Procedure
When planning an incident response procedure, you must:
  1. Create and train an incident response team
  2. Develop a communication plan
  3. Create a plan for identifying an attack
  4. Create policies to contain an attack
  5. Develop a process for reviewing incidents
Guidelines for Creating an Incident Response Team
Use these guidelines to ensure that the appropriate job roles are:
- In the team
- Available 24 hours a day
- Trained in responding to security incidents
- Competent in their areas of responsibility
- Able to analyze situations objectively under pressure
- Strong communicators

What to Include in a Communication Plan
Include in your communication plan:
- Triggers that define when to contact each member of the incident response team
- Contact information for all team members
- Substitute team members and their contact information
- Procedures for communicating securely among team members
- Incident details that each team member receives
- How team members communicate details of the incident to non-team members
Common Indicators of Security Incidents
Area                       | Examples
---------------------------+------------------------------------------------------------
Network irregularities     | Network performance decreases
                           | Accounts are used at irregular times
System irregularities      | Audited events increase significantly
                           | System performance decreases
                           | Computers crash or reboot mysteriously
Direct reporting of events | Users report security incidents
                           | A new virus is published
                           | Intrusion detection software detects an incident
Physical indicators        | Hardware is missing
                           | Visible signs exist of physical compromise
Business indicators        | Confidential information is published on the Internet or in print
                           | Competitor appears to possess trade secrets
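Added example, not from the course: two indicators in the table (accounts used at irregular times, audited events increase significantly) turned into checks over a constructed excerpt of domain controller logon audit events. The working-hours window, the per-hour baseline and the spike factor are assumed thresholds that a real review process would set from its own history.

```python
from collections import Counter
from datetime import datetime

BUSINESS_HOURS = range(7, 19)   # assumed normal working window: 07:00 to 18:59
BASELINE_PER_HOUR = 2           # assumed normal volume of audited logon events per hour
SPIKE_FACTOR = 3                # "significant increase": at least 3x the baseline

# Constructed excerpt of audited logon events on a domain controller (not real data):
# date time account result
AUDIT_EVENTS = """\
2024-03-04 02:13:05 CONTOSO\\jdoe SUCCESS
2024-03-04 09:00:12 CONTOSO\\asmith SUCCESS
2024-03-04 09:05:31 CONTOSO\\jdoe SUCCESS
2024-03-04 14:20:44 CONTOSO\\asmith SUCCESS
2024-03-04 22:47:09 CONTOSO\\administrator FAILURE
2024-03-04 22:47:11 CONTOSO\\administrator FAILURE
2024-03-04 22:47:13 CONTOSO\\administrator FAILURE
2024-03-04 22:47:15 CONTOSO\\administrator FAILURE
2024-03-04 22:47:18 CONTOSO\\administrator FAILURE
2024-03-04 22:47:20 CONTOSO\\administrator SUCCESS
"""

def parse_events(text):
    """Return a list of (datetime, account, result) tuples from the excerpt."""
    events = []
    for line in text.strip().splitlines():
        date, clock, account, result = line.split()
        events.append((datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), account, result))
    return events

def off_hours_logons(events, hours=BUSINESS_HOURS):
    """Indicator: accounts used at irregular times, i.e. any logon event outside the window."""
    return sorted({account for when, account, _ in events if when.hour not in hours})

def audit_spikes(events, baseline=BASELINE_PER_HOUR, factor=SPIKE_FACTOR):
    """Indicator: audited events increase significantly. Returns {hour_start: count}
    for every clock hour whose event count reaches factor * baseline."""
    per_hour = Counter(when.replace(minute=0, second=0) for when, _, _ in events)
    return {hour: n for hour, n in sorted(per_hour.items()) if n >= factor * baseline}

if __name__ == "__main__":
    evs = parse_events(AUDIT_EVENTS)
    print("accounts used off-hours:", off_hours_logons(evs))
    print("hours with an audit volume spike:", audit_spikes(evs))
```

Each hit is only an indicator for the review process to follow up, as the slide says; the 22:00 burst of failed administrator logons followed by a success is exactly the kind of event the audit review process should route to the incident response team.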
Guidelines for Analyzing a Security Incident
To identify | Determine
------------+-----------------------------------------------------------
Symptoms    | What are the symptoms of the attack?
            | How is the event occurring?
Origin      | Where is the attack originating?
            | Is the point of origin connected to the attacker?
            | Is there a pattern to the attack?
Entry point | How is the attack entering the network?
Intent      | Is the attacker exploiting a known vulnerability?
            | What does the attacker appear to be trying to accomplish?
Severity    | What is at risk?
            | How serious is the risk?
Exposure    | What systems have been compromised?
            | In what way are the systems compromised?

Methods for Limiting Damage from an Attack
Resource     | Examples
-------------+--------------------------------------------------------------------
Networks     | Disconnect affected networks from the corporate network
             | Disconnect the corporate network from the Internet
             | Block TCP/IP ports
Computers    | Remove infected computers from the network
             | Remove computers that have sensitive information from the network
             | Deploy security hotfixes and service packs
             | Change passwords on compromised and sensitive accounts
Applications | Update antivirus scanning engines and signature files
             | Update intrusion detection systems and inspect log files
Physical     | Replace locks and key codes
Guidelines for Documenting Security Incidents
Use these guidelines to gather any feedback and discover:
- The origin of the incident
- How the incident was detected and reported
- How the incident was responded to and resolved
- Recommended changes to policies and procedures
- Improvements to your incident response procedure
- Updates to your risk management plan
- The financial impact of the security incident

Activity: Risk and Response
For each scenario:
- Read the scenario
- Choose the best risk management strategy
- Determine an appropriate security response
- Discuss your answers as a class

Lab: Responding to Security Incidents
- Exercise 1: Identifying Potential Vulnerabilities
- Exercise 2: Implementing an Incident Response Team
- Exercise 3: Implementing an Incident Response Plan
Course Evaluation