Upload
sven
View
59
Download
3
Embed Size (px)
DESCRIPTION
INCIDENT RESPONSE PLANNING and FORENSIC READINESS. Denver ISACA Presentation. February 21, 2002. Incident Response Planning and Forensic Readiness. Kevin Rich Managing Security Architect @stake - PowerPoint PPT Presentation
Citation preview
INCIDENT RESPONSE PLANNINGand FORENSIC READINESS
February 21, 2002
Denver ISACA Presentation
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Incident Response Planning and Forensic Readiness
Kevin Rich
Managing Security Architect
@stake
@stake is a consulting firm specializing in secure design, architecture, and assessments of digital technology
@stake, the best minds in digital security
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Objectives
This is not a comprehensive discussion
Get you thinking about Incident Response and Forensic Readiness
Ideas and guidelines for your own implementation
Agenda
– Definitions
– Scoping
– Planning
– Readiness
– ROI
– Questions
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Definitions
Incident Response
– Any action by your organization to a defined event
There are many types of incidents
Our focus will be on technology incidents
Incident Response Planning
– Efforts by your organization to handle any incident
Forensic Readiness
– Preparedness to gather, store, and handle your incident response data
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
If a tree falls in the woods …
Incident and incident types need to be defined in advance so that a proper response mechanism can be defined.
Incident response is not a standalone item, but must rest on a foundation of policies and an ability to properly determine what an “incident” is and when one has occurred.
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Lifecycle
NETWORK VULNERABILITY ASSESSMENT APPLICATION ASSESSMENT
HOST HARDENING FORENSIC
READINESS POLICY
WRITING
INTRUSION DETECTION INCIDENT
RESPONSE PLANNING
INCIDENT
FORENSIC ACQUISITION
INCIDENT RESPONSE
FORENSIC IDENTIFICATION
PROSECUTION INTRUDER TRACKING
_____________________________________________________
• An incident is some event at a particular time and place
• Planning and preparedness are both strategic processes
• Planning and preparedness must come before the event.
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
What does your threat model look like?
Internal
– Surveys indicate ~70% percent of security threats come from the inside
External
– Do you have a highly visible Internet presence.
– Are you a target of choice or a target of chance
Financial institutions verses Frankstacos.com
Failures
– Does your organization require “highly available” systems
How much down time is acceptable
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Threat Model: Internal
Willful Destruction
Theft
Abuse or privilege or resources
Accidental
– These all have many categories but can be lumped into a few containers such as:
Property
Data
Resources
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Willful Destruction
Definition
– The act of destroying; a tearing down; a bringing to naught; subversion; demolition; ruin; slaying; devastation.
Example
– A disgruntled employee physically destroys their laptop or formats the hard drive destroying data critical to project success
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Theft
Definition
– The act of stealing; specifically, the felonious taking and removing of personal property, with an intent to deprive the rightful owner of the same; larceny.
Note: To constitute theft there must be a taking without the owner's consent, and it must be unlawful or felonious; every part of the property stolen must be removed, however slightly, from its former position; and it must be, at least momentarily, in the complete possession of the thief.
Example
– An employee removes internal client information for sale to a competitor
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Abuse of Privilege
Definition
To use one’s legitimate access rights to perpetrate a malicious activity.
Example:
IT VAR monitors financial firm’s buy and sell activity by pulling Sybase traffic from a protocol analyzer deployed to capture said data for performance analysis.
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Accidental
Definition
Occurring unexpectedly, unintentionally, or by chance.
Examples
– An employee selects files for deletion on the corporate file server. But unwittingly deletes files not owned by them.
– The cleaning crew unplugs a server so that they can plug in their vacuum cleaner.
– The hot water heater explodes and floods the server room.
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Threat Model: External
Social Engineering
Worms and Virii
DDoS
“Hackers”
Mis-configured and unconfigured devices
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Social Engineering
Definition
Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem.
Example
“Hello, this is Jim from Systems, we need your password”
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Virii and Worms Definition
– Worm - A program that propagates itself over a network, reproducing itself as it goes.
– Virii - Unlike a worm, a virus cannot infect other computers without assistance. It is propagated by vectors such as humans trading programs with their friends. The virus may do nothing but propagate itself and then allow the program to run normally. Usually, however, after propagating silently for a while, it starts doing things like writing cute messages on the terminal or playing strange tricks with the display (some viruses include nice display hacks). Many nasty viruses, written by particularly perversely minded crackers, do irreversible damage, like nuking all the user's files.
Examples
CodeRed
Stoned
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
DDoS
Definition
Distributed Denial Of Service – A resource attack to a single target originating from multiple sources
Example
– Yahoo, Buy.com, eBay, CNN, E*Trade, and Amazon attacks
Tools
– Trinoo
– Stacheldraht
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
“Hackers”
Definition
There are many definitions, but for this discussion we’ll label hackers as “Bad Guys” attacking your systems or resources with malicious intent
Example
A malicious intruder exploits a vulnerability in your organizations web application(s) and retrieves sensitive customer data
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Mis-configured or unconfigured devices Definition
Any device placed into services before having undergone proper configuration.
Examples
– Default OE installations
– Default web server installation
– Development systems
– “Temporary” changes for testing or other purposes
– Devices deployed by uninformed administrators
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Threat Model: Failures
Hardware Failures
– HA component failures not noticed
– Gradual component failures not noticed
Mis-configuration
– Wireless AP breach of security perimeter
– Unconfigured, Unused and Unknown services
– Cascading ACLs mis-applied or mis-understood
– Overly permissive ACLs by policy
Software Failures
Overview
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Planning for an Incident
Policy and Procedures
Identify
Respond
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Planning – Policy and Procedure
This must be the basis for any Incident Response Strategy
Publish it
Disseminate it
Keep it current
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Planning – Identify
A vital part of incident response is knowing that an incident occurred. Identification may come thru human intelligence or system intelligence. Incident identification must be based on defined policy.
– Awareness training for employees
– Simple means of reporting incidents to the correct department(s)
– Intrusion Detection Systems (HIDS and NIDS)
– Properly formatted logs in a central location
Common Format
Segregated
NTP is a must
– Monitoring
Monitoring can be performed internally or thru managed service providers
Automated
Manual
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Planning – Respond Knowing how you will respond before it’s time to respond is critical.
– Based on Policy
– Training and Drills
– Legal Issues
What types of events will involve your legal department
If you do not plan to prosecute, the incident can be handled differently
– Who will be contacted
Escalation procedures (when do we tell the VP?)
– How will personnel be contacted?
Pager, phone, e-mail, running thru the halls screaming “FIRE”
How and When do escalation occur
Does time affect who will be contacted
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Planning – Respond– Keeping Accurate Records
Record everything and timestamp it
Keep the record book with you at all times
Who touched, when did they touch it, and why did they touch it
– Knowing where things are
Does anybody know where the backups are
Hot swaps for failures
Contact information for vendors, support contract, internal employees
– Checkpoints
Somebody needs to “own” the process
– This should be someone who is not involved in the tactical effort
Is everyone on track
Are efforts being duplicated
Have the correct departments been notified of restoration or delays
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Forensic Readiness
Readiness is the key – Without being ready, your results will most likely fall short of a full understanding of what really happened. If you intend to make a legal case, the investigation must be complete.
Forensic efforts must be conducted by trained experts.
– Tools are complex
– If used improperly, the tool will destroy the very evidence that you are trying to preserve
– The forensic effort is VERY manual in nature
– After the data is properly collected, analysis is often not intuitive
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Forensic Readiness - Baseline
Collect the Evidence – Like a police investigation, the crime scene must be preserved by blocking access and taking “pictures”. Digital information is stored on the disks of compromised systems and requires a cryptographically signed image. The system should be taken offline and the physical disk(s) stored properly. Time is of the essence for collection procedures.
Evidence Retention – Establish a chain of custody to document who has had custody from time of discovery to presentation in court. Additional evidence such as logs from firewalls, IDS, and sniffers are useful. All systems should use NTP or other form of authoritative time stamps.
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Forensic Readiness – Baseline (cont)
Reconstruction – Step 1 is to reinstall as much as possible and restore as little as possible. Reinstalling from trusted media reduces the threat of reintroduction. OS, applications and database stored procedures should all be reinstalled.
Host Hardening – Even fully patched systems are vulnerable. Production systems should have all unnecessary functionality removed and the remaining functionality should be hardened and configured to run with least privilege.
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Forensic Readiness – Baseline (cont)
Logging – Accountability is the foundation for incident response and forensics. To use your logs effectively, answer these questions:
– What information do the logs contain?
– Where are the logs located?
– How are the logs protected?
– How are logs from multiple sources correlated ?
– How is time synchronized?
Protecting Logs – The primary way of protecting logs is via file-system permissions. The process writing the log should only be able to write. Administrators should only be able to read logs. Other approaches include WORM media such as CD-ROM and printers.
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Forensic Readiness – Baseline (cont)
Time Synchronization – Synchronizing system clocks in advance saves substantial time during incident response and evidence is strengthened when your IDS, firewall, and hosts all report the same event at the same time.
– Network Time Protocol (NTP) is not a secure protocol, but is generally accepted.
– STIME – http://www.ietf.org/html.charters/stime-charter.html - is headed for RFC and holds the most promise for becoming the industry standard.
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Return On Investment (ROI)
Forensic readiness allows businesses to:
Quickly determine attack vector
Understand and isolate relevant information, minimizing required resources
Promptly remove threat of repeat entry
Recover from damage more completely and with less downtime
Detect trends over time
Receive insurance premium discounts
Benefits of forensic readiness
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Return On Investment (ROI)
Lack of forensic readiness can result in:
Loss of business – damage to reputation
Loss of revenue – loss of clients
Legal action – inability to meet SLA, inappropriate actions, etc…
Data theft, modification or destruction
Inability to effectively regain administrative access/control
System downtime
Benefits of forensic readiness
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Return On Investment (ROI)
System running default installation was compromised
System infiltration lasted 30 minutes
Image was taken and made public for open source forensic examination
13 teams participated
Teams required 48 person-hours for analysis on average
– Just forensic analysis:
No IDS analysis or decision making
No forensic acquisition
No reconstitution
No stakeholder communications (beyond the reports generated)
Honeynet (http://www.honeynet.org) project statistics
P R O P R I E T A R Y A N D C O N F I D E N T I A L © 2 0 0 1 @ S T A K E , I N C .
Is my organization “Prepared” & “Ready”?
If you’re not sure, then you’re not!
– @stake offers forensics readiness consulting
– @stake Academy offers training courses to help get your organization prepared
Contact Information
– Kevin Rich Managing Security Architect [email protected]
– Sue Teague Account Executive [email protected]
– Denver Office: 303 979-0035