1 / 16

Incident Response

Incident Response. IMT551 31 st October 2007. Christian Seifert. Definition.

Download Presentation

Incident Response

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Incident Response IMT551 31st October 2007 Christian Seifert

  2. Definition Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs. (http://it.jhu.edu/glossary/ghi.html)

  3. Examples • Lost notebook • Positive anti-virus classification on workstation • Denial of Service on web server • Database server sends SPAM • Unauthorized access on the premise • Deleted budget files on the file server

  4. Traditional Attack Pattern • Locate • Gain user access • Escalate privileges • Cover tracks • Ensure future access (backdoor) • Launch further attacks (stepping stone)

  5. Incident Response Phases • Preparation • Identification • Containment • Eradication • Recovery • Follow-Up Phases per incident

  6. Preparation • Create your Incident Response Plan. • Form a Incident Response Team • Educate users & inform management • Forensic Readiness • Ability of an organization to maximize its potential to use digital evidence whilst minimizing the cost of an investigation

  7. Incident Response Plan • Background • Definitions • Incident classification • Reporting • Business Continuity • Process Flow • Example Incidents

  8. Incident Classification & Handling • What constitutes an incident? • What happens when an incident is detected? • Things to consider: • Business needs • Costs/ Resources • Legal aspects • Chain of custody

  9. Proactive/Reactive Incident Response • Term “Response” indicates a reactive setup • However, proactive incident “response” is also possible and recommended: • Staying informed about vulnerabilities • Education • Auditing/ Penetration Testing

  10. Identification • Recognize and report an incident • Users via help desk • IDS/ Honeypots • Could be an outside source • Determine whether it is an incident • Assessment & Prioritize (Triage process) • Communication • KEEP A LOG BOOK!

  11. Containment • Limit the scope and magnitude of the incident • Steps to take: • Stay low – do not alert the attacker • Create backups for analysis • Put your attention to systems at risk (i.e. systems the compromised system has access to or interact with regularly)

  12. Eradication • Problem is eliminated • Steps to take: • Determine the problem • Determine mitigation (for example, patching the system)

  13. Recovery • System is returned into functional status • Steps to take: • Restore system • Apply mitigation strategy • Closely monitor the system

  14. Follow Up • Identify lessons learned that will prevent future incidents • Determine costs • Steps to take • Create incident report with recommended changes • Send recommendations to management • Implement changes

  15. Challenges • Incident Response difficult to do right • High level of experience required to investigate and assess technical incidents • Tendency to restore systems without following incident response procedures

  16. Resources • http://www.ussecurityawareness.org/highres/incident-response.html • DOD CSIRTM Training CD-ROMs: http://www2.norwich.edu/mkabay/infosecmgmt/disa_cirtm_cdrom.zip • http://staff.washington.edu/dittrich/

More Related