Incident Response
Christian Seifert, IMT551, 31st October 2007


Page 1: Incident Response

Incident Response
Christian Seifert

IMT551
31st October 2007

Page 2: Incident Response

Definition

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs. (http://it.jhu.edu/glossary/ghi.html)


Page 3: Incident Response

Examples

• Lost notebook
• Positive anti-virus classification on a workstation
• Denial of Service on the web server
• Database server sends SPAM
• Unauthorized access on the premises
• Deleted budget files on the file server


Page 4: Incident Response

Traditional Attack Pattern

• Locate
• Gain user access
• Escalate privileges
• Cover tracks
• Ensure future access (backdoor)
• Launch further attacks (stepping stone)


Page 5: Incident Response

Incident Response Phases

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow-Up

Phases per incident: Identification through Follow-Up (Preparation happens before any incident).


Page 6: Incident Response

Preparation

• Create your Incident Response Plan
• Form an Incident Response Team
• Educate users and inform management
• Forensic Readiness
  – The ability of an organization to maximize its potential to use digital evidence whilst minimizing the cost of an investigation


Page 7: Incident Response

Incident Response Plan

• Background
• Definitions
• Incident classification
• Reporting
• Business Continuity
• Process Flow
• Example Incidents


Page 8: Incident Response

Incident Classification & Handling

• What constitutes an incident?
• What happens when an incident is detected?
• Things to consider:
  – Business needs
  – Costs/resources
  – Legal aspects
  – Chain of custody


Page 9: Incident Response

Proactive/Reactive Incident Response

• The term “Response” suggests a reactive setup
• However, proactive incident “response” is also possible and recommended:
  – Staying informed about vulnerabilities
  – Education
  – Auditing/penetration testing


Page 10: Incident Response

Identification

• Recognize and report an incident
  – Users via help desk
  – IDS/honeypots
  – Could be an outside source
• Determine whether it is an incident
• Assess and prioritize (triage process)
• Communication
• KEEP A LOG BOOK!


Page 11: Incident Response

Containment

• Limit the scope and magnitude of the incident
• Steps to take:
  – Stay low: do not alert the attacker
  – Create backups for analysis
  – Turn your attention to systems at risk (i.e. systems the compromised system has access to or interacts with regularly)


Page 12: Incident Response

Eradication

• The problem is eliminated
• Steps to take:
  – Determine the problem
  – Determine mitigation (for example, patching the system)


Page 13: Incident Response

Recovery

• The system is returned to functional status
• Steps to take:
  – Restore the system
  – Apply the mitigation strategy
  – Closely monitor the system


Page 14: Incident Response

Follow Up

• Identify lessons learned that will prevent future incidents
• Determine costs
• Steps to take:
  – Create an incident report with recommended changes
  – Send recommendations to management
  – Implement changes
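As an added example (not part of the slides), a small Python log book that enforces the phase order from slide 5 and hash-chains each timestamped entry so that the log book the Identification slide insists on can later support the chain of custody the classification slide lists; the class, function names and the incident id are assumptions made here.

```python
import hashlib, json
from datetime import datetime, timezone

# Phase order from the slides; an incident must not skip ahead in this sequence.
PHASES = ["Identification", "Containment", "Eradication", "Recovery", "Follow-Up"]

def phase_allowed(current, target):
    # Going back (e.g. re-containment) is fine; jumping past the next phase is not.
    nxt = PHASES.index(current) + 1 if current else 0
    return PHASES.index(target) <= nxt

def _digest(entry):
    # SHA-256 over every field except the stored hash itself.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IncidentLog:  # append-only, hash-chained log book for one incident
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, phase, note):
        current = self.entries[-1]["phase"] if self.entries else None
        if not phase_allowed(current, phase):
            raise ValueError(f"cannot enter {phase} from {current}")
        entry = {"incident": self.incident_id, "phase": phase, "note": note,
                 "time": datetime.now(timezone.utc).isoformat(),
                 "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        entry["hash"] = _digest(entry)  # chains this entry to the previous one
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        # Recompute the chain; an edited, removed or reordered entry breaks it.
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def run_example():
    # Constructed walkthrough; returns (chain intact, tampering detected).
    log = IncidentLog("INC-EXAMPLE-1")  # placeholder incident id
    log.record("Identification", "help desk: AV alert on workstation")
    log.record("Containment", "host isolated; disk imaged for analysis")
    intact = log.verify()
    log.entries[0]["note"] = "no alert was ever raised"  # after-the-fact edit
    return intact, not log.verify()
```

Writing each entry to append-only storage (or a remote syslog) as it is recorded is what makes the chain useful as evidence; the in-memory list here only shows the check.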


Page 15: Incident Response

Challenges

• Incident response is difficult to do right
• A high level of experience is required to investigate and assess technical incidents
• Tendency to restore systems without following incident response procedures


Page 16: Incident Response

Resources

• http://www.ussecurityawareness.org/highres/incident-response.html

• DOD CSIRTM Training CD-ROMs: http://www2.norwich.edu/mkabay/infosecmgmt/disa_cirtm_cdrom.zip

• http://staff.washington.edu/dittrich/
