Incidence Response & Computer Forensics, Second Edition

Ryan J.w.Chen@INSA 1

Incidence Response & Computer Forensics, Second Edition

Chris ProsiseKevin Mandia


Outline

Introduction to the Incident Response Process What is a computer security incident ? What are the goals of incident response

? Who is involved in the Incident

response process ? Incident response methodology.


What is a computer security incident ?

Computer security incident: Any unlawful, unauthorized, or unacceptable actio

n that involves a computer system or a computer network. Theft of trade secrets. Email spam or harassment. Unauthorized or unlawful intrusion into comput

ing systems. Denial-of-service (DoS) attacks.


What are the goals of incident response ? In incident response methodology, it emphasized

the goals of corporate security professionals with legitimate business concerns, but it also take into the concerns of law enforcement officials.

Confirms or dispels whether an incident occurred. Establishes controls for proper retrieval and handling of

evidence. Minimizes disruption to business and network

operations. Provides accurate reports and useful recommendation. Provides rapid detection and containment. Education senior management.


Who is involved in the incident response process ? Incident response is a multifaceted

discipline. It demands a myriad of capabilities that usually require resources from several different operational units of an organization.

Computer Security Incident Response Team (CSIRT), to respond to any computer security incident.


Incident response methodology There are seven major components of

incident response: Pre-incident preparation Detection of incidents Initial response Formulate response strategy Investigate the incident Reporting Resolution


Seven components of incident response

Pre-Incident Preparation

Initial Response

FormulateResponse Strategy

Detection of

Incidents

Investigate the Incident

Data Collection

DataAnalysis

Reporting

ResolutionRecovery

Implement Security Measures

Incident Occurs: Point-In-Time or Ongoing


Pre-incident Preparation (1/2)

Preparing the Organization: Implement host-based security measures. Implement network-based security measures. Training end user. Employing an intrusion detection system (IDS) Creating strong access control. Performing timely vulnerability assessments. Ensuring backups are performed on a regular

basis.


Pre-incident Preparation (2/2)

Preparing the CSIRT: The hardware needed to investigate computer

security incidents. The software needed to investigate computer

security incidents. The documentation needed to investigate computer

security incidents. The appropriate policies and operating procedures to

implement your response strategies. The training your staff or employee require to

perform incident response in a manner that promotes successful forensics, investigations, and remediation.


Detection of Incidents (1/2)

IDS

End User

Help Desk

System Administrator

Security

Human Resources

Functional Areas

Company X

IDS Detection of Remote AttackNumerous Failed Logon AttemptsLogins into Dormant or Default AccountsActivity during Nonworking HoursUnfamiliar Files or Executable ProgramsAltered Pages on Web ServerGaps in Log files or Erasure of Log FilesSlower System PerformanceSystem Crash

Indicator


Detection of Incidents (2/2)

Some of the critical details include the following: Current time and date Who/What reported the incident Nature of the incident When the incident occurred Hardware/software involved Points of contact for involved

personnel


Initial Response

One of the first steps of any investigation is to obtain enough information an appropriate response. Assembling the CSIRT Collecting network-based and other data Determining the type of incident that has occurred Assessing the impact of the incident.

Initial Response will not involve touching the affected system(s).


Formulate response strategy (1/3)

Considering the Totality of Circumstances: How many resources are need to investigate

an incident ? How critical are the affected systems ? How sensitive is the compromised or stolen

information ? Who are potential perpetrators ? What is the apparent skill of the attacker ? How much system and user downtime is

involved ? What is the overall dollar loss ?



Considering Appropriate Responses:

Incident Example Response Strategy Likely Outcome

Dos Attack TFN DDoSattack

Reconfigure routerto minimize effect of the flooding.

Effect of attackmitigated by routercountermeasures.Establishment ofperpetrator’s identitymay require toomany resources to beworthwhile investment.



Response strategy option should be quantified with pros and cons related to the following:

Estimated dollar loss Network downtime and its impact to operations. User downtime and its impact to operations. Whether or not your organization is legally compelled to t

ake certain action. Public disclosure of the incident and its impact to the org

anization’s reputation/business. Tacking Action

Legal Action Administrative Action



The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident.

A computer security investigation can be divided into two phases: Data Collection Forensic Analysis


Possible investigation phase steps

Network-Based Evidence•Obtain IDS Logs•Obtain Existing Router Logs•Obtain Relevant Firewall Logs•Obtain Remote Logs from a Centralized Host (SYSLOG)•Perform Network Monitoring•Obtain BackupsHost-Based Evidence•Obtain the Volatile Data during a Live Response•Obtain the System time•Obtain the Time/Data stamps for Every File on the Victim System•Obtain all Relevant Files that Confirm or Dispel Allegation•Obtain BackupsOther Evidence•Obtain Oral testimony from Witnesses

1.Review the Volatile Data.•Review the Network Connections.•Identify Any Rogue Processes (Backdoors, Sniffers).

2.Analyze the Relevant Time/Data Stamps.•Identify Files Uploaded to the system by an Attacker.•Identify File Downloaded or taken from the System.

3.Review the Log Files.4.Identify Unauthorized User Accounts.5.Look for Unusual or Hidden Files.6.Examine Jobs Run by the Scheduler Service.7.Review the Registry.8.Perform Keyword searches.

Data Collection Analysis


Performing Forensic Analysis

PerformForensic

Duplication

Create a Working

Copyof all

EvidenceMedia

CreateFileLists

PerformStatistical DataPartition Table

File System

ExtractEmail and

Attachments

RecoverDeleted

Data

Perform FileSignatureAnalysis

RecoverUnallocated

Space

IdentifyKnown

System File

ReviewBrowser

History Files

Review DataCollected

DuringLive Response

Search forRelevantStrings

PerformSoftwareAnalysis

Review all the Network-Based

Evidence

Identify andDecrypt

EncryptedFiles

PerformFile-by-File

Review

ReviewInstalled

Application

PerformSpecialized

Analysis

Preparation of Data

Analysis of Data


Reporting Some guidelines to ensure that the reportin

g phase does not become your CSIRT’s nemesis: Document immediately Write concisely and clearly Use a standard format Use editor


Resolution

In this phase, you contain the problem, solve the problem, and take steps to prevent the problem from occurring again.

Following steps are often taken to resolve a computer security incident: Identify your organization’s top priority. Determine the nature of the incident. Determine if there are underlying or systemic ca

uses for the incident. Restore any affected or compromised system.


Apply corrections required to address any host-based vulnerabilities.

Apply network-based countermeasures such as access control lists, firewalls, or IDS.

Assign responsibility for correcting any systemic issue.

Track progress on all corrections. Validate that all remedial steps or

countermeasures are effective. Update your security policy and procedures

as needed to improve your response process.


Conclusion

Pre-Incident Preparation

Initial Response

FormulateResponse Strategy

Detection of

Incidents


Data Collection

DataAnalysis

Reporting

ResolutionRecovery

Implement Security Measures

Incident Occurs: Point-In-Time or Ongoing

Documents

Incidence Response & Computer Forensics, Second Edition