Incident Response From the Ground Up
Ellen Young and Adam Goldstein
Dartmouth College
NERCOMP
March 11, 2008
Information Security Incidents
Where does Incident Response fit into overall information security strategy?
• Prevention
• Detection
• Response*
Incident Response – Other Drivers
Additional drivers for creating incident response policies and procedures:
• PCI (Payment Card Industry) security standards, Sec. 12.5.3
• Breach notification laws
Policy vs. Procedure
Dartmouth Cyber-security steering committee initiated the current effort
• Started with a high-level IR policy
• Determined more detailed procedures were required
Incident Response – Practical Approach
First step:
• Incident Handling Workshop:
– May 30th and 31st, 2007
– About 30 participants from Tech Services, Consulting Services, and CSI Team
– Table-top incident response exercises conducted by an experienced consulting firm, IntelGuardians (http://www.intelguardians.com/)
Incident Handling – Workshop 1
• Involved everyone who might be a first responder from Computing Services
• Divided into 4 teams – mixed Help Desk, Network Admins, and System Admins
• Presented with a scenario, logs, and received additional clues if the right questions were asked
• Teams used the high level policy and existing procedures as a starting point
Initial Workshop Lessons Learned and Takeaways
• Form an Incident Response Team (IRT)
• Develop practical procedures:
– First Responders
– Technical Response
– Communication
• Outreach and awareness – it could be someone internal; VoIP could also be compromised
• Ongoing training for IRT
Incident Response Team
• Different groups and areas of expertise represented
• 2 members for each area provide backup
• Team consists of:
– The Directors and 2 Members each from Systems Administration, Network Services, and Consulting Services
Develop procedures from the “Ground Up”
• Workshop revealed importance of “Ground-up” approach to developing procedures:
– First Responders Decision-tree
– Incident Assessment and Classification
– Technical Action Plans for different incident types
– Communication Procedures
– Equipment and tools for performing investigations
First Responders Decision-tree
• Developed decision tree for first responders
• Easy for responders to use and determine next steps
• http://www.dartmouth.edu/comp/docs/FirstResponseCriteria.doc
• Automatic ticket creation for IRT based upon information entered
Incident Assessment and Classification
Incidents reported to IRT are then assessed and classified
The general criteria for assessing an incident include:
– Sensitivity of potentially compromised data
– Legal issues
– Magnitude of service disruption
– Threat potential
– Expanse - how widespread the incident is
Incident Assessment and Classification: Step 1 – Determine Severity
Questions to determine severity:
1. Is sensitive, confidential or privileged data at risk?
2. Is business continuity at risk?
3. Did someone identify a security problem regarding Dartmouth systems in a public forum (website, listserv, message board, print media, broadcast media)?
4. Has law enforcement, government agency, or other third-party contacted Dartmouth regarding a possible incident?
Incident Assessment and Classification: Step 2 – Assign severity level
Assign severity level:
• Low - Risk or exposure to few
• Medium - Localized risk or exposure (e.g. subnet, department, non-critical service)
• Serious - Institutional risk/exposure
Severity level will determine appropriate response plan
Incident Assessment and Classification: Step 3 – Determine incident type
Incident Types:
1. Compromised System
2. Compromised User Credentials
3. Network Attack (DoS, Scanning, Sniffing)
4. Malware (Viruses, Worms, Trojans)
5. Lost Equipment/Theft
6. Physical Break-in
7. Social Engineering (phishing, fraud)
8. Law Enforcement Request
9. Policy Violation
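As an added example (not part of the deck or Dartmouth's own tooling), the three classification steps above can be encoded as a small triage helper that a ticketing hook could call; the rule that turns the four severity questions plus the expanse criterion into a Low/Medium/Serious level is an assumption, since the deck lists the criteria but not the exact mapping.

```python
from dataclasses import dataclass
from enum import Enum

class Severity(Enum):
    LOW = 1       # risk or exposure to few
    MEDIUM = 2    # localized: subnet, department, non-critical service
    SERIOUS = 3   # institutional risk/exposure

# Incident types as enumerated in Step 3 of the deck.
INCIDENT_TYPES = {
    1: "Compromised System", 2: "Compromised User Credentials",
    3: "Network Attack", 4: "Malware", 5: "Lost Equipment/Theft",
    6: "Physical Break-in", 7: "Social Engineering",
    8: "Law Enforcement Request", 9: "Policy Violation",
}

@dataclass
class Report:
    """What a first responder enters; the four booleans are the Step 1 questions."""
    incident_type: int
    expanse: Severity                  # how widespread: few / localized / institutional
    sensitive_data_at_risk: bool       # Q1
    business_continuity_at_risk: bool  # Q2
    public_disclosure: bool            # Q3
    third_party_contact: bool          # Q4: law enforcement, agency, other third party

def assess_severity(r: Report) -> Severity:
    """Assumed mapping (the deck lists the criteria, not this rule):
    expanse sets the baseline; 'yes' to Q1 or Q2 raises it one level;
    public disclosure or third-party contact is treated as institutional
    exposure and forces Serious."""
    if r.public_disclosure or r.third_party_contact:
        return Severity.SERIOUS
    level = r.expanse.value
    if r.sensitive_data_at_risk or r.business_continuity_at_risk:
        level = min(level + 1, Severity.SERIOUS.value)
    return Severity(level)

def classify(r: Report) -> dict:
    """Produce the IRT ticket fields; the action plan is keyed on type and severity."""
    if r.incident_type not in INCIDENT_TYPES:
        raise ValueError(f"unknown incident type {r.incident_type}")
    sev = assess_severity(r)
    name = INCIDENT_TYPES[r.incident_type]
    return {"type": name, "severity": sev.name.title(),
            "action_plan": f"{name} / {sev.name.title()}"}
```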
IRT – Response Action Plans
The IRT follows action plans based on:
• Incident Type
• Severity level
Information on internal wiki for ease of use
http://www.dartmouth.edu/comp/docs/Nercomp-IRTActionPlans.doc
http://www.dartmouth.edu/comp/docs/Nercomp-IncidentClassification.doc
IRT – Communication Procedures
Specific procedures for communication throughout the different phases of response
Includes both “horizontal” and “vertical” communication
Information on internal wiki for ease of use
http://www.dartmouth.edu/comp/docs/Communications.doc
IRT – Response Equipment
• Dedicated Laptop
• NAS and portable storage for images
• IR software CDs and flash drives
– Helix - Incident Response & Computer Forensics Live CD (http://www.e-fense.com/helix/)
– The SleuthKit and Autopsy: Digital Investigation Tools for Linux (http://www.sleuthkit.org/)
– Windows Forensic Toolchest (WFT) (http://www.foolmoon.net/security/wft/)
• Secure document storage
Workshop 2 – IRT Hands-on “Live Incident”
Security consulting firm returned for a 2 day workshop (12/4 and 12/5) with the IRT:
• Reviewed attack trends and highlighted response techniques
• Compromised 4 systems on a test network
• IRT practiced response procedures and use of investigative tools
Workshop 2 – Lessons Learned
• Communication among IRT members working on different parts of the investigation is critical
• Assessing unknown systems
• Concerns over service disruption during initial investigation
• Differences in Windows vs. Linux analysis
• Can be difficult for first responders – desire to just fix it overwhelms desire to preserve data
Next Steps and Ongoing Efforts
• Integrate IRT forms into Remedy Help Desk System
• Outreach to first responders not in PKCS and College community
• Ongoing monthly meetings for IRT
– Further training in response and forensic tools
– Sample scenarios and procedure updates
– Review emerging attack trends
• Additional training exercises for IRT and PKCS
Questions?
Copyright 2008 Trustees of Dartmouth College
This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.