Lesson 3: Incident Response

In Chapter 10 you learned that an incident response policy should be part of your organization's security policy. This incident response policy should cover how personnel are expected to deal with computer security incidents: events that result from any type of attack, including intruders and malicious code. In previous lessons you learned about different types of attacks and ways they might be detected. In this lesson you learn how computer security incidents resulting from an attack or intrusion should be handled.


After this lesson, you will be able to

  • Organize and coordinate a response team

  • Select appropriate forensic activities in response to an intrusion

  • Maintain a chain of custody and preserve evidence

Estimated lesson time: 30 minutes


CSIRT

When a computer security incident occurs, some person or group should take the lead in receiving, reviewing, and responding to incident reports and activity. In an organization, this is typically the person designated as the security officer. Some organizations appoint teams to handle security incidents. Such a team is often called a computer security incident response team (CSIRT). A CSIRT could be an ad hoc team, assembled only when an incident is reported, or a formal team supported by a corporation, governmental body, educational institution, or some other type of organization.

If an organization doesn't have its own CSIRT, there are usually external teams that can help. There are CSIRTs throughout the world ready to assist network administrators with computer security incidents. The Forum of Incident Response and Security Teams (FIRST), at http://www.first.org, maintains a list of contact information of incident response teams. If you cannot find a team that covers your organization, you can contact CERT (http://www.cert.org) to report new viruses and major security incidents. If you establish a CSIRT, you should contact FIRST to identify your team to other teams and establish a reporting chain.

For more information, see RFC 2350, "Expectations for Computer Security Incident Response"; CERT's CSIRT FAQ at http://www.cert.org/csirts/csirt_faq.html; NIST Special Publication 800-3, "Establishing a Computer Security Incident Response Capability (CSIRC)"; and "Electronic Crime Scene Investigation: A Guide for First Responders," available at www.ncjrs.org/pdffiles1/nij/187736.pdf.

Incident Response Basics

Every organization should have an incident response policy. All users should know who to contact if they think an incident is occurring. In many cases, the information you see in this lesson should be part of your incident response policy. If you are responsible for creating or maintaining this policy, you should review this lesson and all of the referenced documents when creating, modifying, or improving that policy. Thorough documentation helps ensure that you and the members of your organization are able to respond appropriately during a security incident.

One of the first things that you should do is prioritize your response. This means protecting the most important resources first. Here is an example of a priority list for responding to an incident:

  1. Protect people's lives and safety.

  2. Protect classified and sensitive data first.

  3. Protect other data.

  4. Protect hardware and software.

  5. Minimize disruption of business services and operations.

The actual steps that you must take to accomplish those tasks depend on the situation. One common first step is to remove a compromised system from the network. Although doing so technically changes the system's state, it also limits the harm that an attacker or malicious code can cause. If you don't remove a compromised system from the network, and that system is used to infect or attack other systems, you could be held responsible for damages.

Forensics

Computer forensics describes the investigation and analysis of computer security incidents with the aim of gathering and preserving potential legal evidence. This section describes the components and important aspects of computer forensic investigation. In this section you learn the basics about collecting evidence, maintaining a chain of custody, and preserving evidence.

Collection of Evidence

When an incident occurs, you should immediately begin to collect evidence. This evidence can help you learn from the intrusion and improve your systems, their operation, and your staff's capabilities. Evidence might be required for the following reasons:

  • To locate, educate, reprimand, or terminate negligent or responsible employees.

  • To prosecute attackers for computer crimes or misuses.

  • To describe your situation and obtain help from other CSIRTs.

If you live in the United States, you can contact your state attorney general's office or local law enforcement office to learn about requirements for handling computer evidence.

Point of Contact

Appoint someone as the point of contact to be responsible for maintaining contact with law enforcement and other CSIRTs. This person should coordinate all activities and disseminate information appropriately to internal and external personnel. The point of contact should also be responsible for coordinating the collection of evidence to ensure that it is done in accordance with all laws and legal regulations.

Work Carefully

Before you begin work on a compromised system, consider what your actions might mean to the present state of the system. When gathering evidence, concentrate on not altering anything and meticulously document all of your actions for later reference. This is often difficult because you might need to disconnect the system from the network to stop the malicious activity. If you do not, you might be held liable for damage done to other systems or organizations.

When possible, analyze a replica of the system instead of the original. For example, make an image of the system's hard disk, or make and restore a backup to another system. Do your best to ensure that your image copying or backup doesn't change the current state of the compromised system. Some courts might require the original compromised system as evidence.

You shouldn't conduct your investigation from a compromised computer. Once a system is compromised, none of the components can be trusted. Some forensic software manufacturers produce software that allows you to analyze a system from another computer. This allows you to inspect files, logs, and data without actually modifying the compromised system. Forensic tools are discussed next.

Forensic Tools

Many of the tools you need to conduct a forensic investigation are part of the operating system you are using. However, the built-in operating system tools might not be as effective or easy to use as tools specifically made for forensic investigation. There are many different software providers producing and maintaining forensic tools, some of which are listed below. You can find out more about these products by doing an Internet search on the company or software name.

  • Foundstone, which provides a list of free forensic software for Windows operating systems.

  • Computer Cop, which provides forensic tools for Windows operating systems.

  • ASR Data, which provides forensic tools for Macintosh, Linux, and BeOS.

  • EnCase, from Guidance Software.

  • The Cybersnitch Web site, which maintains a set of links to forensic software organized by operating system called The Ultimate Collection of Forensic Software (TUCOFS).

Collect All Available Information

All information concerning the incident must be recorded and securely stored. You should establish, examine, and preserve an audit trail. An audit trail is a record of who accessed a computer and what operations he or she performed. Some software products create audit trails automatically. Sometimes you might have to pull an audit trail together from a variety of sources such as system logs, network logs, file access times, IDS logs, and system administrator logs and notes.

For more information on audit trails, read Chapter 18, "Audit Trails," of NIST Special Publication 800-12, "An Introduction to Computer Security: The NIST Handbook."
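Pulling an audit trail together from several sources means normalizing every record to one clock before ordering it. The following script is an added example, not part of the Training Kit: it merges constructed sample records from a host syslog, an IDS log and file modification times into a single UTC timeline. The host name srv01, the addresses and the year 2002 are assumptions; syslog is assumed to be written in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (hypothetical, not from a real incident) from three
# of the sources the lesson names: a host syslog, an IDS log and file access times.
SYSLOG = [
    "Mar 14 02:17:05 srv01 sshd[4412]: Accepted password for admin from 10.0.0.25 port 51234",
    "Mar 14 02:19:40 srv01 sudo: admin : COMMAND=/bin/cat /etc/shadow",
]
IDS_LOG = [
    "2002-03-14T02:16:58Z alert src=10.0.0.25 dst=10.0.0.7 sig=SSH brute-force attempt",
]
FILE_TIMES = [("/etc/shadow", 1016072380)]  # (path, mtime as Unix epoch seconds)

# Assumptions: syslog omits the year and is written in the host's local time;
# here srv01 is taken to log in UTC. Use the real year and offset of each host.
def parse_syslog(line, year=2002, tz=timezone.utc):
    m = re.match(r"(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)", line)
    ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return (ts.astimezone(timezone.utc), "syslog:" + m.group(4), m.group(5))

def parse_ids(line):
    stamp, _, msg = line.partition(" ")
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (ts, "ids", msg)

def parse_mtime(path, epoch):
    return (datetime.fromtimestamp(epoch, tz=timezone.utc), "fs-mtime", f"{path} modified")

def build_timeline():
    """Normalize every record to UTC and order them into one audit trail."""
    events = [parse_syslog(l) for l in SYSLOG]
    events += [parse_ids(l) for l in IDS_LOG]
    events += [parse_mtime(p, t) for p, t in FILE_TIMES]
    events.sort(key=lambda e: e[0])  # stable sort keeps source order on equal times
    return events

if __name__ == "__main__":
    for when, source, detail in build_timeline():
        print(when.isoformat(), source.ljust(12), detail)
```

In the sample the IDS alert, the accepted login, the privileged command and the file modification fall into one sequence, which is the "who accessed a computer and what operations he or she performed" record the lesson describes.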

In addition to acquiring and protecting the audit trail, you should collect other potential evidence. This includes any information that addresses the who, what, where, when, why, and how of a situation, such as the following:

  • Obtain and protect the latest partial and full system backups.

  • Take pictures or screen shots of all evidence, such as messages displayed on the computer, signs of visible damage, and anything else that is out of place or suspicious.

  • Obtain and protect any security video or audio recordings, or reports, from periods of time surrounding and including the incident.

  • Recover as many deleted, encrypted, or damaged files related to the intrusion as possible.

You should create and maintain a written log for each and every incident response activity. Examples of what you should document include the following:

  • Name of the system or systems compromised

  • Time, date, and location of each activity

  • Specific actions taken

  • Identities of the people performing each action

  • What each person said

  • Who was notified and what information was disseminated

  • What actions each notified person, group, or organization took

  • Who had access to the system, physical location, and evidence

  • What data was collected and who analyzed it

Realize that all evidence is subject to subpoena at any legal proceeding. Ensure that you document each incident separately and that your documentation is thorough and professional.

Chain of Custody

A chain of custody must be maintained for all evidence. A documented chain of custody shows who collected and had access to each piece of evidence. Failure to maintain this chain of custody might invalidate your evidence. The documentation must be meticulous and verifiable, including dates, times, locations, and the verified identities of every person handling evidence. This includes any time evidence is accessed or moved while in storage. Further, anyone accessing stored evidence should provide a legitimate, verifiable, and documented purpose for doing so.
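The following ledger is an added example, not from the Training Kit, showing how the custody requirements above can be enforced rather than merely written down: each item is hashed at collection, every hand-off records date, time, location, handler and purpose, only the documented current holder may release the item, and a verification step reports altered evidence, out-of-order entries and accesses without a stated purpose. The item id, names and the byte string standing in for a disk image are constructed.

```python
import hashlib
from datetime import datetime, timezone

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLedger:
    """Append-only custody record for one evidence item: who held it, when, where and why."""
    def __init__(self, item_id, description, data, collector, location, when):
        self.item_id, self.description = item_id, description
        self.original_hash = sha256_of(data)  # fixed at collection, before any analysis
        self.entries = [dict(when=when, handler=collector, action="collected",
                             location=location, purpose="initial acquisition")]

    def current_holder(self):
        return self.entries[-1]["handler"]

    def transfer(self, when, from_handler, to_handler, location, purpose):
        # Only the documented current holder may release the item, so a gap
        # in custody cannot be recorded silently.
        if from_handler != self.current_holder():
            raise ValueError(f"{from_handler} is not the current holder ({self.current_holder()})")
        self.entries.append(dict(when=when, handler=to_handler, action="received",
                                 location=location, purpose=purpose, released_by=from_handler))

    def verify(self, data):
        """Return problems found: altered evidence, out-of-order times, undocumented purpose."""
        problems = []
        if sha256_of(data) != self.original_hash:
            problems.append("hash mismatch: evidence differs from what was collected")
        for prev, cur in zip(self.entries, self.entries[1:]):
            if cur["when"] < prev["when"]:
                problems.append(f"timestamp out of order at entry by {cur['handler']}")
            if not cur["purpose"]:
                problems.append(f"no documented purpose for access by {cur['handler']}")
        return problems

def example_ledger():
    # Constructed sample: a short byte string stands in for a disk image; names are fictitious.
    image = b"constructed stand-in for a disk image"
    t0 = datetime(2002, 3, 14, 3, 0, tzinfo=timezone.utc)
    ledger = CustodyLedger("EV-001", "srv01 disk image", image, "A. Analyst", "server room B", t0)
    ledger.transfer(t0.replace(hour=9), "A. Analyst", "B. Custodian", "evidence safe 2", "secure storage")
    ledger.transfer(t0.replace(hour=14), "B. Custodian", "C. Examiner", "forensic lab", "image analysis")
    return ledger, image

if __name__ == "__main__":
    ledger, image = example_ledger()
    print("holder:", ledger.current_holder(), "problems:", ledger.verify(image) or "none")
```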

Preservation of Evidence

Protecting the evidence you gather is critical. As mentioned previously, work carefully and change as little as possible. Try to conduct your investigation on a separate system that is a restored backup or imaged version of the compromised system. Everything you do must be thoroughly documented. Follow these rules to preserve evidence:

  • Archive and retain all information concerning an intrusion until the investigation and any legal proceedings are complete.

  • Preserve all critical information onsite and offsite. Make copies of all logs, system hard disks, policies, procedures, system and network configurations, photographs, cryptographic checksums, databases, and system backups. Offsite storage preserves evidence in the event of a natural disaster or subsequent intrusion.

  • Define, document, and follow a strict procedure for securing and accessing evidence both onsite and offsite.

Legal Action

Coordinate all of your activities with your organization's upper management and legal counsel (if available). Legal counsel can advise you of your options, both civil and criminal, in pursuing legal action. If you plan to pursue legal action, you must contact the appropriate law enforcement agencies immediately. Their reports and verifications are often required to prove that an incident actually occurred. Further, they might be able to support you in collecting information and preserving evidence. You should also collaborate with other CSIRTs, which might be able to provide additional experience and guidance.

Exercise: Incident Response Priority

Organize the following incident response actions into an appropriate priority:

a. Minimize the effect of the attack on the organization's business activities

b. Protect all other data

c. Protect classified and sensitive data

d. Protect hardware and software

e. Protect human life and prevent people from being injured

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. What should you do when organizing a CSIRT?

  2. What are the main points you should keep in mind when performing computer forensics?

  3. Why is unplugging a compromised system from the network usually a prudent action?

Lesson Summary

  • CSIRTs can be either formalized or ad hoc teams. CSIRTs help an organization deal with computer security incidents and possibly protect other organizations from compromise. There are CSIRTs all over the world that are willing to work with network administrators and other CSIRTs to help reduce the damage caused by attackers and malicious code.

  • Computer forensics is the investigation and analysis of computer security incidents with the objective of collecting evidence. Evidence must be gathered carefully so that other evidence is not disturbed. When possible, systems should be analyzed by making images or backups to avoid disturbing a system that might be used as evidence in a legal proceeding.

  • A chain of custody is required to prove that evidence is preserved and unaltered. Without a chain of custody, evidence might be considered invalid. Evidence must be carefully preserved with plenty of documentation, including logs, reports, pictures, backups, and system images. Two copies of all evidence that can be duplicated should be maintained. One copy should be maintained onsite and one copy should be held offsite to protect evidence in case of a natural disaster or subsequent attack.



Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002
Pages: 55