File000119

Module VI – Incident Handling

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Tech Insight: Finding Common Ground For Security, IT Teams

Source: http://darkreading.com/

Tips for security and IT teams to better cooperate on hot-button issues of password policies, patch management, and network security Dec 19, 2008 | 03:48 PMBy John Sawyer

Disagreements are a common occurrence between IT security and other IT groups, but nothing brings out their differences of opinion and practice like incident response or an emergency patch, such as Microsoft's fix this week for Internet Explorer.

A security team can butt heads with other IT groups for many reasons -- anything from personality conflicts and management styles to fundamental differences in opinion about how IT systems should be managed. A few key problem areas that come up regularly in organizations of all sizes are password policies, patch management, and network security with firewalls and VPNs. Passwords are the weakest link as well as the biggest lightning rod: Users don't want complex, hard-to-remember passwords. Security wants passwords that are uncrackable. And systems admins don't want to be caught in the middle implementing a policy that results in users constantly complaining or needing regular password resets. The process of developing secure password policies almost always ends with none of the involved parties happy with the outcome.

Getting all groups on the same page about passwords usually requires a compromise all around, but several things can ease the pain of implementation. Educating users on the importance of passwords, along with tips and tricks on creating a secure password, is by far the cheapest method. Self-service portals for password resets, too, can help reduce the load on the help desk and sys admins after new password policies are put into effect.



Scenario

Orient Recruitment Inc. is an online human resource recruitment firm. The web server of the firm is critical for its normal business operations.

Neo, the network administrator observed some unusual activity targeted towards the web server. The web server was overloaded with connection requests from huge number of different sources.

Before he could realize the potential of the attack, the website of Orient Recruitment Inc. was already down due to Denial of Service Attack.

The company’s management called up the local Incident Response team to look into the matter and solve the DoS issue.

What steps will the incident response team take to investigate the attack?



Module Objective

• What is an Incident?• Security Incidents• Incident Reporting• Incident Response• Incident handling• What is CSIRT?• Who Works in a CSIRT ?• Types of Incidents and Level of Support • How CSIRT Handles Case: Steps• World CERTs

This module will familiarize you with:



Module Flow

What is an Incident?

Security Incidents

Incident Reporting

Incident Response

Incident Handling

What is CSIRT?

Who Works in a CSIRT ?

Types of Incidents and Level of Support

How CSIRT Handles Case: Steps

World CERTs



What is an Incident

Computer security incident is defined as “Any real or suspected adverse event in relation to the security of computer systems or computer networks”

It also includes external threats such as gaining access to systems, disrupting their services through malicious spamming, and execution of malicious codes that destroy or corrupt systems



Security Incidents

• Evidence of tampering with data • Denial of service attack on the agency • Web site defacement • Unauthorized access or continuous attempts at unauthorized

access (both from either internal or external sources) • Social engineering incidents• Virus attacks that badly affect servers or multiple workstations• Other incidents that could undermine the confidence and trust in

the state’s information technology systems

A security incident includes:



Category of Incidents

Low level

Mid Level

High Level

There are 3 category of incidents:



Category of Incidents: Low Level

• Loss of personal password• Suspected sharing of the organization’s accounts• Unsuccessful scans and probes• Presence of any computer virus or worms

They can be identified when there is:

Low level incidents are the least severe kind of incidents

They should be handled within one working day after the event occurs



Category of Incidents: Mid Level

• Violation of special access to a computer or computing facility• Unfriendly employee termination• Unauthorized storing and processing data• Destruction of property related to a computer incident (less than

$100,000)• Personal theft of data related to a computer incident($100,000)• Computer virus or worms of comparatively larger intensity• Illegal access to buildings

They can be identified by observing:

The incidents at this level are comparatively more serious and thus, should be handled the same day the event occurs



Category of Incidents: High Level

• Denial of Service attacks• Suspected computer break-in• Computer virus or worms of highest intensity; e.g: Trojan, back door• Changes to system hardware, firmware, or software without

authentication• Destruction of property exceeding $100,000• Personal theft exceeding $100,000 and illegal electronic fund

transfer or download/sale• Any kind of pornography, gambling, or violation of any law

These include:

These are the most serious incidents and are considered as “Major” in nature

High level incidents should be handled immediately after the incident occurs



Issues in Present Security Scenario

Increase in the number of companies venturing into e-business coupled with high Internet usage

Decrease in vendor product development cycle and product testing cycle

Increase in complexity of the Internet as a network

Alarming increase in intruder activities and tools, expertise of attackers, and sophistication of hacks

Lack of thoroughly trained professionals as compared to the number and intensity of the security breaches



How to Identify an Incident

A system alarm from an intrusion detection tool indicating security breach

Suspicious entries in network

Accounting gaps of several minutes with no accounting log

Other events such as unsuccessful login attempts, unexplained new user or files, attempts to write system files, and modification or deleting of data

Unusual usage patterns, such as programs being compiled in the account of users who are non-programmers



How to Prevent an Incident

• Scanning the network/system for security loopholes• Auditing the network/system • Deploying intrusion detection/prevention systems on the

network/system• Establishing defense-in-depth• Securing clients for remote users

Intrusions can be prevented by:

A key to preventing security incidents is to eliminate as many vulnerabilities as possible



The diagram below illustrates the relationship between Incident Response, Incident handling, and Incident management

Defining the Relationship between Incident Response, Incident Handling, and Incident Management



Incident Management



Incident Management

Incident management is not just responding to an incident when it happens but includes proactive activities that help to prevent incidents by providing guidance against the potential risks and threats

Includes the development of a plan of action, a set of processes that are consistent, repeatable, of high quality, measurable, and understood within the constituency

Who performs Incident Management?

• Human resource personnel• Legal council• The firewall manager• An outsourced service provider



Incident Management (cont’d)

Figure : Five High-Level Incident Management Processes



Threat Analysis and Assessment

Threat analysis is a systematic detection, identification, and evaluation of vulnerabilities of a facility, operation, or system

The threat analysis is a process of scrutinizing the conditions and processes that are important for business interruption

• Examining the physical security processes• Creating the risk management program• Identifying and examining the threats related to customers• Providing the data, trends, methodologies, and possibility of risk actions• Identifying and defining the security process flows

The critical tasks of threat analysis and assessment include:



Vulnerability Analysis

• Defining and classifying network or system resources • Assigning relative levels of importance to the resources • Identifying potential threats to each resource • Developing a strategy to deal with the most serious potential

problems• Defining and implementing ways to minimize the consequences

if an attack occurs

Steps in vulnerability analysis:

Vulnerability analysis or vulnerability assessment is a process of identifying, defining, and classifying the security breaches in a computer, network, and communications infrastructure



Estimating Cost of an Incident

• Lost productivity hours• Investigation and recovery efforts• Loss of business• Loss or theft of resources

Tangible cost:

• Corporate reputation being ruined• Loss of goodwill• Psychological damage

• Directly impacted may feel victimized• May impact morale or initiate fear

• Legal liability• Effect on the shareholder’s value

Intangible cost:



Change Control

Change control involves all procedures that handles or controls the authorized changes to the organization’s assets such as software and hardware

It involves the mechanism of change request, result recording, documenting, testing the results after the changes, and gaining approval for the requests

It involves analyzing the problem, updating the results, and sending a request of change to the concerned personnel or representative

This is reviewed by the management which authorizes the required changes

Change



Incident Reporting



Incident Reporting

• Intensity of the security breach• Circumstances, which revealed the vulnerability• Shortcomings in the design and impact or level of weakness• Entry logs related to the intruder’s activity• Correct time-zone of the region and synchronization information of

the system with a National time server via NTP (Network Time Protocol)

When a user encounters any breach, report the following:



Computer Incident Reporting



Whom to Report an Incident

Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format

The incident should be reported to the CERT Coordination center, site security manager, or other sites

It can also be reported to the law enforcement agencies such as FBI,USSS Electronic crimes branch, or Department of Defense Contractors

It should be reported to receive technical assistance and raise security awareness to minimize the losses



Report a Privacy or Security Violation

• Date, time, and location of the incident• The nature of the violation• Type of the private data involved• Other persons involved• Any immediate harm known or observed• Immediate corrective actions already taken

Gather the following information at the time of security violation:



Preliminary Information Security Incident Reporting Form

PRELIMINARY INFORMATION SECURITY INCIDENT REPORTING FORM

Background Information

Name of Bureau/Department :

Brief description on the affected system (e.g. function, URLs):

Physical location of the affected system: Within B/D Third-party service provider facility

System administration/operation by: In-house IT team End user Outsourced service provider

Reporting Entity Information

Name: Designation:

Office Contact: 24 hours Contact:

Email Address: Fax Number:

Incident Details

Date/Time (Detected): Date/Time (Reported to OGCIO):

Symptoms of Incidents:

Impacts: Defacement of web site Service interruption (denial of service attack / mail bomb / system failure) Massive malicious code attack Lost/damage/unauthorized alternation of information Compromise/leakage of sensitive information Intrusion/unauthorized access Others, please specify: _______________________________

Please provide details on the impact and service interruption period, if any:

Actions Taken:

Current System Status:

Other Information:



Why Organizations do not Report Computer Crimes?

Misunderstanding of the scope of the problem

• This does not happen to other organizations

Fear of negative publicity

• Proactive reporting and handling of the incident will allow many organizations to put their spin on the media reports

Potential loss of customers

Desire to handle things internally

Lack of awareness of the attack



Incident Response



Responding to a Security Incident

• Identify the affected resources• Analyze the incident• Assign event identity and severity level• Assign incident task force members• Containing threats from further affecting the systems• Evidence collection• Forensic analysis

Guidelines to be followed for a methodical manner of response handling stage and investigation are as follows:

Computer incident response is based on the documented and untampered evidence



Incident Response Procedure

• The IIC, IL work with the system personnel to determine the area and scope that the incident covers

Identify the Affected Resources

• An assessment is made by the IIC combined with the IL and system personnel for determining the security levels

Analyze the incident

• The incidents require a unique identifier that is collision free to allow tracking and archiving of incidents for historical reference

• The identity of the incident is assigned by the IIC, followed by the name assignment and severity level assigned to the incident

Assign Event Identity and Severity Level

The guidelines to be followed in the response handling stage are:



Incident Response Procedure (cont’d)

• IIC in combination with the IL coordinates a task force to resolve the incident

• The task force consists of technical managers of resources, division managers, etc.

Assign Incident Task Force Members

• Threats are to be contained by removing the suspect resources from normal operations

• IIC and IL are responsible for determining risks

Containing Threats

• The information related to the incident is taken as an evidence• Information can be collected from interviews with administrators, log

files, exploit code left by the attacker

Evidence Collection



Incident Response Procedure (cont’d)

• Forensic analysis and discovery of an incident should include:• The perpetrators and victims of the events• Events that took place• When and what time, the events occurred• Where the events occurred and what they infected• How the events occurred

Forensic Analysis



Security Incident Response (Detailed Form)

Contact Information and Incident

Last Name:______________________ First Name: ________________________

Job Title: ____________________________________________________

Phone: __________________________ Alt Phone: _________________________

Mobile: __________________________ Pager: _____________________________

Email: ____________________________ Fax: _______________________________



Security Incident Response (Detailed Form) (cont’d)

Incident Description

Date/Time and Recovery Information

Date/Time of First Attack: Date: ____________ Time: _______________

Date/Time of Attack Detected: Date: ____________ Time: _______________

Has the Attack Ended: Yes No

Duration of Attack (in hours):

Severity of Attack: Low Medium High

Estimated Recovery Time of this Report (Clock) _________________________

Estimated Recovery Time of this Report (Staff Hours) _________________________

Estimated Damage Account as of this Report ($$$ Loss) _________________________

Number of Hosts Affected: _________________________

Number of Users Affected: _________________________




Exposing Confidential/Classified/ Unclassified Data

Theft of Information Technology Resources/ Other Assets

Creating accounts Altering DNS/Website/Data/ Logs

Destroying Data

Anonymous FTP abuse

Attacking Attackers/ Other Sites

Credit Card Fraud Fraud Unauthorized Use/Access

Using Machine Illegally

Impersonation Increasing Notoriety of Attacker

Installing a Back Door/Trojan Horse

Attacking the Internet

ICQ Abuse/IRC Abuse

Life Threatening Activity

Password Cracking Sniffer Don’t Know

Type of Incident Detected:

Other (Specify) _________________________________________________________SB1386 – Is Email Notification Required? Yes No SB1386 - Email Notification Sent Out? Yes No

Comments (Specify Incident Details and additional information): _________________________________________________________________________




General Information

How Did You Initially Become Aware of the Incident?Automated Software NotificationAutomated Review of Log FilesManual Review of Log FilesSystem Anomaly ( i. e., Crashes, Slowness)Third Party NotificationDon’t KnowOther (Specify)

Attack Technique (Vulnerability Exploited / Exploit Used)CVE/CERT VU or BugTraq NumberVirus, Trojan Horse, Worm, or Other Malicious CodeDenial of Service or Distributed Denial of Service AttackUnauthorized Access to Affected Computer Privileged Compromise (Root/Admin Access) User AccountCompromise/Web Compromise (Defacement)Scanning/ProbingOther

Suspected perpetrator(s) or possible motivation(s) of attack:CSU staff/students/ facultyFormer staff/ students/facultyExternal PartyUnknownOther (Specify)




Malicious Code

Virus, WormName or Description of Virus _________________________________________Is Anti-Virus Software Installed on the Affected Computer(s)? Yes (Name) NoDid the Anti-Virus Software Detect the Virus? Yes NoWhen was your Anti-Virus Software Last Updated? _________________________

Network Activity

ProtocolsName or Description of Virus

TCP UDP ICMP IPSec IP Multicast Ipv6 OtherPlease Identify Source Ports Involved in the Attack: _______________________Please Identify Destination Ports Involved in the Attack: _______________________




Impact of Attack

HostsIndividual HostsDoes this Host represent an Attacking or Victim Host? Victim Attacker BothHost Name: IP Address:Operating System Affected: Patch Level (if known):Applications Affected: Database:Others:Primary Purpose of this Host:

User Desktop Machine User Laptop Machine Web ServerMail Server FTP Server Domain ControllerDomain Name Server Time Server NFS/File System ServerDatabase Server Application Server Other Infrastructure Services

Bulk HostsBulk Host Information (Details): ________________________________________Comments (Please detail incident): ______________________________________




Data Compromised:Did the attack result in a loss/compromise of sensitive or personal information? Yes No OtherComments: ________________________________________________________________________Did the attack result in damage to system(s) or date: Yes (Specify) No OtherComments: ________________________________________________________________________

Law Enforcement:Has Law Enforcement Been Notified? Yes NoRemediation:Please detail what corrective actions have been taken (specify):Comments: ________________________________________________________________________

Did Your Detection and Response Process and Procedures Work as Intended?Comments: ________________________________________________________________________Please provide Discovery Methods and Monitoring Procedures that would have Improved Your Ability to Detect an Intrusion.Comments: ________________________________________________________________________

Are there Improvements to Procedures and Tools that would have Aided You in the Response ProcessComments: ________________________________________________________________________

Are there Improvements that would have Enhanced Your Ability to Contain an IntrusionComments: ________________________________________________________________________

Are there Correction Procedures that would have Improved Your Effectiveness in Recovering Your SystemsComments: ________________________________________________________________________



Incident Response Policy

Clearly outline management's support for the policy

Decide an organizational approach

Determine outside notification procedures

Address remote connections and encompass all remote employees or contractors

Define partner agreements

Identify the members of the incident team and describe their roles, responsibilities, and functions

Develop an internal communications plan that identifies who you will notify and how you will contact them

Define a method for reporting and historically archiving the incident



Incident Response Guidelines

Check if potential incident is verified

Contact department/agency security staff

• I.T. Manager -• [designee/others by department procedure] -

Contact CSIRT’s member

• Call GOVnet Beeper• GOVnet will then contact CSIRT members ([email protected])• If there is no response within ten minutes, call the office of the CIO

Isolate system(s) from GOVnet [unless CSIRT’s decision is to leave the system connected to monitor active attacker]



Incident Response Guidelines (cont’d)

Maintain a log book - who/ what / when / where

Find out whether the incident was caused by virus, worm, or attacker

Estimate the extent of the problem and the number of systems affected



Incident Response Guidelines (cont’d)

Contact local police authority with jurisdiction at the location of the incident (This MUST BE coordinated with CSIRT)

Follow server/operating system specific procedures to snapshot the system

Inoculate/restore the system

Close the vulnerability and ensure that all patches have been installed

Return to normal operations

Prepare report and conduct follow-up analysis

Revise prevention and screening procedures

Remember to log all actions



Response Handling Roles

The incident reported to a security team is set for investigation

A full time member of the security team acts as Incident Investigator and Coordinator (IIC)

A member of the incident response team acts as Incident Liaison (IL)

IIC assigns the security level to the incident and performs investigative duties and technical analysis

IIC duties require unrestricted access to resources directly affected by the incident

IL acts as coordinator and liaison to the resources needed by the IIC



Roles and Responsibilities of SSM, ISSM, and ISSO

• Maintains user’s accounts, passwords, keys, etc.• One of the major responsibilities of the senior management is to secure the

organization’s computer systems• The responsibility for the success of the organization lies with the senior managers

Senior System Manager (SSM):

• Checks the level of security to manage the risks • Establishes the risk management process • Ensures information resources for audit requirements and participation by all levels

of employees to implement policies and procedures.• Prepares disaster recovery plan for information resources and maintain it

Information System Security Manager (ISSM):

• Identifies threats and vulnerabilities• Identifies restricted, sensitive, and unrestricted information resources• Develops and maintains risk management processes, disaster recovery/ contingency

planning for information, and updated security procedures

Information System Security Officer (ISSO):



Contingency/Continuity of Operations Planning

Contingency plan provides backup for documents to overcome from the disaster

It is necessary for a company or business to function normally

Guidelines for contingency planning are as follows:

• Focuses on the development and maintenance of the plan

Starting Point

• Problems are analyzed• Checks what sort of problems/disasters can occur• Checks for the likelihood of occurrence of the problem• Checks for the severity of the problem

Impact assessment

• Developing phase is designed to structure or develop the contingency plan• It acts on the threats and regulates the business process by setting an order or

priority of working

Developing the plan



Contingency/Continuity of Operations Planning (cont’d)

• In this phase, the developed plan is tested • Determines whether the plan can actually work in real time

disaster environment• Testing results are documented for future reference

Testing the plan

• Personnel need to undergo training to get familiar with the plan which helps them to perform their tasks and responsibilities effectively

Personnel training

• Maintaining the plan involves updating• As processes are added or deleted by the organization, the plans

should be updated regularly

Maintaining the plan




• Supporting Information (past incident analysis report, vulnerability analysis reports etc.)

• Notification/activation ( supplies notification procedures and offers activation of the plan)

• Recovery (recovers the data with the help of backups)• Reconstitution (restores the original information after the disaster)• Plan Appendices (provides records of further analysis)

Components of the contingency planning:




Continuity of operations provides an alternative site to the organization for a period of one month so as to recover from the disaster and perform normal organizational operations



Budget/Resource Allocation

Budget and resource constraints are major roadblocks of an incident handling and response planning process

Budget and resources are generally allocated according to previous experiences and perceived risk to the organizations' resources

There is no standard rule or practice for budget allocation as return of investment for incident handling in information system cannot be measured

Documentation of the previous incidents and losses to the organization may help decision makers to estimate the potential cost of savings



Incident Handling



Handling Incidents

Incident handling helps to find out trends and pattern related to the intruder’s activity by analyzing it

It involves three basic functions:

• Incident reporting• Incident analysis• Incident response

It recommends network administrators for recovery, containment, and prevention to constituents

It allows incident reports to be gathered in one location so that the exact trends and pattern can be recognized and recommended strategies can be employed

It helps the corresponding staffs to understand the process of responding and to tackle unexpected threats and security breaches



Procedure for Handling Incident

Preparation

Identification

Containment

Eradication

Recovery

Follow-up

The incident handling process is divided into six stages:



1. Preparation

Preparation enables easy coordination among staff

Provides baseline protection

Uses virus detection and eradication tools

Company staff is given training at this stage



2. Identification

Identification involves validating, identifying, and reporting the incident

Determining the symptoms given in ‘how to identify an incident’

Identifying nature of the incident

Identifying events

Protecting evidence

Reporting events



3. Containment

Containment limits the extent and intensity of an incident

It avoids logging as root on the compromised system

It avoids conventional methods to trace back as this may alert the attackers

It prepares complete backups of the infected systems

It changes the passwords of all unaffected systems in the LAN



4. Eradication

Look into additional information along with the information gathered in the 3rd (Containment) phase to find out the reasons for the particular incident

Use standard anti-virus tools to remove virus/worms from the storage media

Improve security measures by enabling firewalls, router filters, or assigning new IP address

Analyze the vulnerability



5. Recovery

Determine the course of actions

Monitor and validate systems

Determine the integrity of the backup itself by making an attempt to read its data

Verify the success of the operation and normal condition of the system

Monitor the system by network loggers, system log files, and potential back doors



6. Follow-up

• Extent to which the incidents disrupted the organization• Data lost and its value• Damaged hardware and its cost

Determine the staff time required and perform the following cost analysis:

Revise policies and procedures from the lessons learned from the past



6. Follow-up (cont’d)

• Was the preparation for the incident sufficient?• Whether the detection occurred promptly or not, and why?• Using additional tools could have helped or not?• Was the incident contained?• What practical difficulties were encountered?• Was it communicated properly?

Document the response to incident by finding answers to the following:



Post-Incident Activity

Every incident response team should advance to reflect new threats, improved technology, and lessons learned

The important aspect of these activities are updating of the incident response policies and procedures for better security

Using collected incident data helps to provide several measures for the success of the incident response team

• Number of incidents handled• Time per incident• Objective assessment of each incident • Subjective assessment of each incident

The metrics for incident related data includes:



Post-Incident Activity (cont’d)

• The policies should be created for the time the evidence from an incident has to be retained

• The factors to be considered for policy creation are:• At the time of prosecuting the attacker, the evidence needs to be retained until the legal

actions are completed• Most organizations have data retention policies that state how long certain types of data

may be kept

Evidence Retention



Education, Training, and Awareness

Education, training, and awareness program educates people on how to handle computer related incidents

Education and training provides skills required to implement the incident handling policies

Practical training removes the developmental errors, improves procedures, and reduces the occurrence of mis-communication

Well-trained members can prevent an incident or limit the resulting damage



Education, Training, and Awareness (cont’d)

• Identification and operation of the utility shut-off devices• Location of the incident handling areas• Emergency responsibilities and re-assignment plans for all positions

Training should be conducted at specified intervals, and it should include:

• Knowledge and participation • Concerning plan's strategies • Contingency arrangements

The awareness campaign should be designed for several purposes such as:



Post-Incident Report

Post-Incident Report Incident Ref. No.: ________

Bureau/Department : ____________________________________________

Reporting Officer Details

Report Date : ___________________________________________________

Reported By Name : ____________________________________________Designation : _____________________________________________Phone No. : _____________________________________________Email Addr. : ______________________________________________

Incident Details

Incident Date : ___________________________________________________

Type of Incident:

System Name and Description:

Summary of Incident:



Post-Incident Report (cont’d)

Event Sequence: Date / Time Event

Action Taken and Result:

Current System Status:

Personnel Involved: Name Designation Phone No. Email Eec. Role

Hacker Details (if any):

Computer Virus Details (if any):

Other Affected Sites/Systems:

Damage (including disruption/suspension of service):

Cost Factor (including loss caused by the incident and the recovery cost/manpower):

Recommended Action to Prevent Recurrence:

Other Comments:

Experience Learnt:



Procedural and Technical Countermeasures

• Information is downgraded or declassified depending on the loss of sensitivity of the information due to the passage of time or on occurrence of a specific event

• Declassification is not automatically an approval for public disclosure

Media is Downgraded or Declassified:

• Destruction of media is an ultimate form of sanitization• Once the media is destroyed, it cannot be recycled as originally intended• Media sanitization is a process of deleting confidential data from storage media, with

reasonable guarantee that the data cannot be retrieved and reconstructed• The sanitization process is especially important when storage media are transferred,

becomes obsolete, no longer usable, or are no longer required by an information system

Destruction/Sanitization of Media:

• The activity must provide the volume, level, and sensitivity of the classified material• Sensitivity of the operational assignment• Potential for aggressive action

Emergency Destruction:



Vulnerability Resources

• It publishes information about a wide variety of vulnerabilities including their technical descriptions impact, solutions and workarounds, and lists of the affected vendors

US-CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls/):

• It is the U.S. government repository of standards based vulnerability management data that includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics

National Vulnerability Database (http://nvd.nist.gov/):

• List or dictionary of publicly known information security vulnerabilities and exposures international in scope and free for public use

Common Vulnerabilities and Exposures List (http://cve.mitre.org/):



CSIRT



What is CSIRT?

• CSIRT provides 24x7 Computer Security Incident Response Services to any user, company, government agency, or organization

• It provides a reliable and trusted single point of contact for reporting computer security incidents worldwide

• It provides the means for reporting incidents and disseminating important incident-related information

Computer Security Incident Response Team (CSIRT): Incident Response Services 24x7



CSIRT: Goals and Strategy

• To manage security problems by taking a proactive approach towards customers’ security vulnerabilities and by responding effectively to potential information security incidents

• To minimize and control the damage• To provide or assist with effective response and recovery• To prevent future events

Goals of CSIRT:

• It provides a single point of contact for reporting local problems

• It identifies and analyzes what has happened including the impact and threat

• It researches on solutions and mitigation strategies• It shares response options, information, and lessons learned

Strategy of CSIRT:



CSIRT Vision

• Identify the organization• Specify the mission, goals, and objectives of an organization• Select the services to be offered by the CSIRT• Determine how the CSIRT should be structured for the organization• Plan the budget required by the organization to implement and

manage the CSIRT• Determine the resources (equipment, staff, infrastructure) to be used

by CSIRT

CSIRT Vision is to:



Motivation behind CSIRTs

An increase in the number of computer security incidents being reported and the increase in number and type of organizations being affected by the computer security incidents

A more focused awareness by organizations on the need for security policies and practices as part of their overall risk-management strategies

New laws and regulations that impact how organizations are required to protect the information assets

The realization that systems and network administrators alone cannot protect organizational systems and assets

The realization that a prepared plan and strategy is required



Why Does an Organization Need an Incident Response Team?

Incident Response Team helps organizations to recover from computer security breaches and threats

It is a formalized team that performs incident response work as its major job function

As an ad-hoc team, it is responsible for ongoing computer security incident



Who Works in a CSIRT?

• Manager or team lead• Assistant managers, supervisors, or

group leaders • Hotline, help desk, or triage staff • Incident handlers • Vulnerability handlers • Artifact analysis staff • Platform specialists • Trainers • Technology watch

CSIRT staff roles may include:

• Support staff • Technical writers • Network or system administrators,

CSIRT infrastructure staff • Programmers or developers (to build

CSIRT tools) • Web developers and maintainers• Media relations • Legal or paralegal staff or liaison • Law enforcement staff or liaison • Auditors or quality assurance staff • Marketing staff

Other roles may include:



Staffing Your Computer Security Incident Response Team: What are the Basic Skills Needed?

Basic Skills:

Personal Skills

• Communication:• Written and oral

• Presentation Skills • Diplomacy • Ability to follow policies and procedures • Team skills • Integrity • Knowing one's Limits • Coping with stress • Problem solving • Time management

Technical Skills

• Programming skills

Incident Handling Skills



Team Models

• Central Incident Response Team• Distributed Incident Response Teams• Coordinating Team

Incident response team structure models fall into one of the three categories:

• Employees• Partially Outsourced• Fully Outsourced

Incident response teams can also use any of the three staffing models:



Delegation of Authority

A properly planned delegation of the authority ensures an effective response to the incidents in accordance with the organization’s response policy

Members of the incident response team should be given authority according to their skills, expertise, and experience

Delegation of authority include:

• Allocation of tasks• Empowerment• Assignment of responsibility• Accountability



CSIRT Services Can be Grouped into Three Categories

• These services are triggered by an event or request, such as a report of a compromised host, wide-spreading malicious code, software vulnerability, or something that was identified by an intrusion detection or logging system

• They are the core component of CSIRT’s work

Reactive services:

• These services provide assistance and information to prepare, protect, and secure constituent systems in anticipation of attacks, problems, or events

• Performance of these services will directly reduce the number of incidents in the future

Proactive services:



CSIRT Services Can be Grouped into Three Categories (cont’d)

• These services augment the existing and well-established services that are independent of incident handling and traditionally performed by other areas of an organization such as the IT, audit, or training departments

• If the CSIRT performs or assists with these services, the CSIRT’s point of view and expertise can provide insight to improve the overall security of the organization and identify risks, threats, and system weaknesses

• These services are generally proactive but contribute indirectly to reduce the number of incidents

Security quality management services:



CSIRT Case Classification

Incident Category Sensitivity* Description

Incident Category S3 DOS or DDOS attack.

Forensics S1 Any forensic work to be done by CSIRT.

Compromised Information

S1Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property.

Compromised Asset S1, S2Compromised host (root account, Trojan, rootkit), network device, application, user account. This includes malware-infected hosts where an attacker is actively controlling the host.

Unlawful activity S1Theft / Fraud / Human Safety / Child Porn. Computer-related incidents of a criminal nature, likely involving law enforcement, Global Investigations, or Loss Prevention.

Internal Hacking S1, S2, S3Reconnaissance or Suspicious activity originating from inside the Company corporate network, excluding malware.

External Hacking S1, S2, S3Reconnaissance or Suspicious Activity originating from outside the Company corporate network (partner network, Internet), excluding malware.

Malware S3A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that are being actively controlled by an attacker via a backdoor or Trojan. (See Compromised Asset)

Email S3 Spoofed email, SPAM, and other email security-related events.

Consulting S1, S2, S3 Security consulting unrelated to any confirmed incident.

Policy Violations S1, S2, S3

•Sharing offensive material, sharing/possession of copyright material. •Deliberate violation of Infosec policy.•Inappropriate use of corporate asset such as computer, network, or application.•Unauthorized escalation of privileges or deliberate attempt to subvert access controls.

Incident Categories: All incidents managed by the CSIRT should be classified into one of the categories listed below:



• Threats to the physical safety of human beings• Root or system-level attacks on any machine either multi-user or dedicated-

purpose• Compromise of the restricted confidential service accounts or software

installations, particularly those with authorized access to the confidential data• Denial of service attacks on any of the service accounts or software installations

The computer security incident response team will assign resources according to the following priorities, listed in a decreasing order:

Types of Incidents and Level of Support



Types of Incidents and Level of Support (cont’d)

• Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks, and destructive virus outbursts

• Compromise of the individual’s user accounts, i.e. unauthorized access to a user or service account

• Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. Netnews and e-mail forgery, unauthorized use of IRC bots

• Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent

The computer security incident response team will assign resources according to the following priorities, listed in a decreasing order:



Service Description Attributes

Attribute Description

Objective Purpose and nature of the service

Definition Description of scope and depth of service

Function Descriptions Descriptions of individual functions within the service

Availability The conditions under which the service is available: to whom, when and how

Quality Assurance Quality assurance parameters applicable for the service. Includes both setting and limiting of constituency expectations

Interactions and InformationDisclosure

The interactions between the CSIRT and parties affected by the service, such as the constituency, other teams, and the mediaIncludes setting information requirements for parties accessing the service, and defining the strategy with regards to the disclosure of information (both restricted and public)

Interfaces withOther Services

Define and specify the information flow exchange points between this service and other CSIRT services it interacts with

PriorityThe relative priorities of functions within the service, and of the service versus other CSIRT services

For each service provided, the CSIRT should provide its constituency with service descriptions (or formal service level agreements) in as much detail as possible

In particular, any service provided by the CSIRT should include an explanation of the attributes and descriptions as outlined inthe table, below:



Incident Specific Procedures-I (Virus and Worm Incidents)

Step 1• Isolate the system

Step 2• Notify the appropriate people

Step 3• Identify the problem

Step 4• Prevent the virus or worm from further infecting

Step 5• Inoculate the system(s)

Step 6• Return to a normal operating mode

Step 7• Follow up analysis



Incident Specific Procedures-II (Hacker Incidents)

• Step 1: Identify the problem• Step 2: Notify the appropriate people• Step 3: Identify the attacker• Step 4: Notify CERT• Step 5: Follow up analysis

(A) Attempted Probes into a State of Vermont System

• Step 1: Notify the appropriate people• Option 1: Removal of attacker from the system

• Step 2: Snap-shot the System• Step 3: Lock out the attacker• Step 4: Restore the system• Step 5: Notify other agencies• Step 6: Follow up analysis

• Option 2: Monitoring of the attacker’s activity

(B) Active Hacker Activity

(C) Evidence of Past Incidents

Log all actions in every phase*



Incident Specific Procedures-III (Social Incidents, Physical Incidents)

• Step 1: Identify potential risk• Log all actions*

Social Incidents:

• Step 2: Notify the appropriate people• Log all actions*

Physical Incidents:



How CSIRT Handles Case: Steps

Inform the appropriate people

Keep a log book

Release the information

Maintain a list of contacts

Report

Follow up analysis



US-CERT Incident Reporting System

US-CERT is a partnership between the department of Homeland security and the public and private sectors. Established to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. This system is used to report cyber-related incidents to US-CERT.



US-CERT Incident Reporting System (Cont’d)



CSIRT Incident Report Form



CERT(R) Coordination Center: Incident Reporting Form



Example of CSIRT

Internal CSIRT provides services to their parent organization such as bank, manufacturing company, university, or any government agencies

National CSIRT provides services to the entire nation, example being Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)

Analysis Centers synthesize data, determine trends, and patterns in an incident activity to predict future activity or provide early warnings

Vendor teams identify vulnerabilities in software and hardware products

Incidents Response Providers offer services to the paid clients



Best Practices for Creating a CSIRT

Step 1• Obtain management support and buy-in

Step 2• Determine the CSIRT strategic plan

Step 3• Gather relevant information

Step 4• Design the CSIRT vision

Step 5• Communicate the CSIRT vision and operational plan

Step 6• Begin CSIRT’s implementation

Step 7• Announce the operational CSIRT



Step 1: Obtain Management Support and Buy-in

Without management approval and support, creating an effective incident response capability can be difficult and problematic

Once the team is established, how is it maintained and expanded with budget, personnel, and equipment resources?

Will the role and authority of the CSIRT continue to be backed by management across the various constituencies or parent organization?



Step 2: Determine the CSIRT Development Strategic Plan

Are there specific timeframes to be met? Are they realistic, and if not, can they be changed?

Is there a project group? Where do the group members come from?

How do you let the organization know about the development of the CSIRT?

If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?



Step 3: Gather Relevant Information

• Business managers • Representatives from IT• Representatives from the legal department• Representatives from human resources • Representatives from public relations • Any existing security groups, including physical security • Audit and risk management specialists

The stakeholders could include:

Meet with key stakeholders to discuss the expectations, strategic direction, definitions, and responsibilities of the CSIRT



Step 4: Design your CSIRT Vision

• Identify your constituency: Who does the CSIRT support and service?• Define your CSIRT mission, goals, and objectives: What does the

CSIRT do for the identified constituency?• Select the CSIRT services to provide to the constituency (or

others): How does the CSIRT support its mission?• Determine the organizational model: How is the CSIRT structured

and organized?• Identify required resources: What staff, equipment, and

infrastructure are needed to operate the CSIRT?• Determine your CSIRT funding: How is the CSIRT funded for its

initial startup and its long-term maintenance and growth?

In creating your vision, you should:



Step 5: Communicate the CSIRT Vision

Communicate the CSIRT’s vision and operational plan to the management, constituency, and others who need to know and understand its operations

As appropriate, make adjustments to the plan based on their feedback



Step 6: Begin CSIRT Implementation

Hire and train the initial CSIRT staff

Buy equipment and build any necessary network infrastructure to support the team

Develop the initial set of CSIRT policies and procedures to support your services

Define the specifications for and build your incident-tracking system

Develop incident-reporting guidelines and forms for your constituency



Step 7: Announce the CSIRT

When the CSIRT is operational, announce it to the constituency or parent organization

It is best if this announcement comes from sponsoring management

Include the contact information and hours of operation for the CSIRT in the announcement

This is an excellent time to make the CSIRT incident-reporting guidelines available



Limits to Effectiveness in CSIRTs

• A CSIRT can work smarter by investing in automation• Policy Experimentation and Future Scenarios

• When a problem is well-understood, it can be solved. This is typically accomplished by altering some of the policies in the system, or by reengineering parts of it

Remedy:

A fundamental problem for a CSIRT is to balance a growing work load with limited human resources



Working Smarter by Investing in Automated Response Capability

Figure: Working smarter by investing in automated response capability



World CERTs



World CERTs

• Australia CERT (AUSCERT)• Hong Kong CERT (HKCERT/CC)• Indonesian CSIRT (ID-CERT)• Japan CERT-CC (JPCERT/CC)• Korea CERT (CERT-KR)• Malaysia CERT (MyCERT)• Pakistan CERT(PakCERT)• Singapore CERT (SingCERT)• Taiwan CERT (TWCERT)• China CERT (CNCERT/CC)

Asia Pacific CERTs

• CERT-CC• US-CERT• Canadian Cert• Cancert• Forum of Incident Response and Security

Teams• FIRST

North American CERTs

• CAIS• CAIS- Brazilian Research Network

CSIRT• NIC BR Security Office Brazilian CERT• NBS

South American CERTs

• EuroCERT• FUNET CERT• CERTA• DFN-CERT• JANET-CERT• CERT-NL• UNINETT-CERT• CERT-NASK• Swiss Academic and Research Network

CERT

European CERTs



Australia CERT (AUSCERT)



Hong Kong CERT (HKCERT/CC)



Indonesian CSIRT (ID-CERT)



Japan CERT-CC (JPCERT/CC)



Singapore CERT (SingCERT)



Taiwan CERT (TWCERT)



China CERT (CNCERT/CC)



CERT-CC



US-CERT



Canadian Cert



Forum of Incident Response and Security Teams



CAIS



NIC BR Security Office Brazilian CERT



EuroCERT



FUNET CERT



DFN-CERT



JANET-CERT



http://www.first.org/about/organization/teams/



http://www.apcert.org/about/structure/members.html



IRTs Around the World

Courtesy of CERT/CC©Carnegie Mellon University 2003



Summary

Increase in the number of products and relative increase in the number of hacking tools has put security in the spotlight

Computer security incident is defined as any real or suspected adverse event in relation to the security of computer systems or computer networks

Handling Incidents involves three basic functions: incident reporting, incident analysis, and incident response

Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format

CSIRT provides rapid response to maintain the security and integrity of the systems

Without management’s approval and support, creating an effective incident response capability can be difficult and problematic



