Lesson 7 Preparing for Incident Response and the Investigative Process - PowerPoint PPT Presentation

Lesson 7 preparing for incident response and the investigative process
1 / 27

  • Uploaded on
  • Presentation posted in: General

Lesson 7 Preparing for Incident Response and the Investigative Process. Overview. Preparing for Incident Response Investigative Guidelines. Ranum on Forensics.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentationdownload

Lesson 7 Preparing for Incident Response and the Investigative Process

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Lesson 7 preparing for incident response and the investigative process

Lesson 7Preparing for Incident Responseand the Investigative Process



  • Preparing for Incident Response

  • Investigative Guidelines

Ranum on forensics

Ranum on Forensics

  • “The real value of intrusion detection is diagnosing what is going on…never collect more data than you could conceivably want to look at. If you don’t know what to do with the data, it doesn’t matter how much you’ve got.”

    Marcus Ranum

    Network Flight Recorder

Preparing for incident response

Preparing for Incident Response

Identify vital assets

Identify Vital Assets

  • What can damage your organization the most?

  • What concerns you?

  • Who could be a threat?

  • Do hackers concern you?

This step saves you time & $ later

Applicable security maxims

Applicable Security Maxims

  • Ignorance is Bliss Maxim: The confidence that people have in

  • security is inversely proportional to how much they know about it.

  • Ass Sets Maxim: Most security programs focus on protecting the wrong assets.

  • Takes One to Know One Maxim:  The fourth most common excuse for not fixing security vulnerabilities is that “our adversaries are too stupid and/or unresourceful to figure that out.”

Preparing systems

Preparing Systems

  • Record cryptographic checksums of critical files (MD5)

    • Tripwire is widely accepted commercial product

  • Increase or enable secure audit logging

  • Build up your host’s defenses

  • Backup critical data and store media securely

  • Educate users about security

Critical file preparation

Critical File Preparation

  • Cryptographic checksums or Message Digest (MD)

    • Basically a digital signature

  • MD5 creates a 128-bit checksum from a large file

  • System Administrator can create checksum of critical file (use separate media) then compare against subsequent MD5 runs

Unix auditing

Unix Auditing

Turn on system logging

  • /var/log/syslog

  • Create Central Syslog server

    • run syslogd -r

  • Enable Process Accounting

    • Tracks the command each user executes

      • accton command

      • /usr/lib/acct/startup

Windows auditing

Windows Auditing

  • By default security auditing is not enabled

  • NT: Start|Programs|Administrative Tools| User Manager

    • User Manager select Policies|Audit

    • Logs => C:\WINNT\System32\Config\*.evt

  • WIN2K: Administrative Tools| Local Security Policy

    • Logs => C:\WINNT\System32\Config\*.evt

Other steps

Other Steps

  • Application Logging

  • Backup Critical Data

    • Unix: dump, restor, cpio, tar & dd

    • WIN2K: Start|Programs|Accessories| System Utilities| Backup

    • NT: NT Backup (NT Resources Kit)

    • WIN98: Start|Accessories| System Utilities| Backup

Network preparations

Network Preparations

  • Know your network: document, document, document

    • hardware, software, users

  • Smart topology/architecture

  • Use access control list (ACL) on router

Network preparations contd

Network Preparations-contd

  • Require authentication (host, network, kerberos, IPsec)

  • Audit regularly (manpower intensive)

  • Use network time protocol (NTP) to synchronize all events

Organizational preparations

Organizational Preparations

  • Institute comprehensive policies

  • Institute comprehensive procedures

  • Develop response procedures

    • Firedrills?

  • Create a response toolkit

  • Establish an Incident Response Team

  • Obtain top-level management support

    • Agree to ground rules/ rules of engagement

Often overlooked

Response toolkits

Response Toolkits

  • High-end processor w/lots of memory

  • Large IDE and SCSI drives

  • Backup storage: CD-RW and Tape Drives

  • Spare cables

  • Router/Hub and network interface card

  • Digital camera

  • Trusted software

    ref: www.computer-forensics.com

Establish incident response team

Establish Incident Response Team

  • Technical experts

  • Management POC

  • Team leader/principal investigator

  • Decide on mission/goal

    “Critical thinking team players who enjoy hardwork and long hours”

Ir professional organizations

IR Professional Organizations

  • Organizations

  • Information Sharing and Analysis Centers (ISACs)

  • InfraGard

  • High Tech Investigation Association

  • Information Systems Security Association (ISSA)

  • Forum of Incident Response and Security Teams (FIRST)





Investigative guidelines

Investigative Guidelines

Investigative guidelines1

Investigative Guidelines

  • Initial assessment

  • Incident notification checklist

  • Investigating

  • Formulating Response Strategy

Initial assessment not always accurate

Initial assessment

Initial Assessment

  • What probably happened?

    • Uncertainty regins

    • Each situation unique

    • Need to learn enough to determine course of action

  • What is the best response strategy?

    • Does it meet pre-established goals/ROEs?

    • Does it have management support?

    • Will your team need outside help?

Incident notification checklist

Incident Notification Checklist


  • Collect network maps and know architecture

  • Verify corporate policies

    • Many actions can only be taken if appropriate policies exist

Investigating the incident

Investigating the Incident

  • Prime directive: DO NO HARM

  • Personnel interviews

  • Hands-on activities

  • Many suspected incidents turn into non-events

  • Will the investigation do more damage than the incident itself?

Investigating the incident contd

Investigating the Incident-contd

  • Personnel interviews

    • System administrators: logs

    • Managers: know workforce, critical data

    • End-users

  • Taking hands-on actions

    • Step carefully

    • My contaminate “crime scene”

Formulate response strategy

Formulate Response Strategy

  • Declare Incident

  • Restore Normal Operations?

    • Off-line recovery

    • On-line recovery

  • Determine public relations play

    • “To spin or not to spin?”

Formulate response strategy contd

Formulate Response Strategy-contd

  • Determine probable attacker

    • Internal: handle internally

    • External: prosecute?

  • Determine Type of Attack

    • DOS, Theft, Vandalism, Policy violation, ongoing intrusion

  • Classify victim system

    • Critical server/application?

    • # of users?

Closing thought

Closing Thought

  • “The biggest problem for 2001 was keeping servers running MS-Windows products properly patched. We have numerous servers, and it’s constant fight to keep up with the patch level and test to confirm that the new patch doesn’t break something. This is the same problem for 2002.”

  • J.G.

  • Do we still have this issue today? For what OSes? Applications?

    Peace of mind depends on the action plan for response.



  • Prepare for Incidents

  • Build a good team

  • Rehearse/Practice procedures

  • Perform initial assessment

  • Formulate response

  • Do No Harm

  • Login