7/31/2019 2007 09 14 Rich Nolan ISA CMU CyLab Breach Notification Presentation
1/19
2006 Carnegie Mellon University
Security Breach Notification Program
September 14, 2007
Rich Nolan
Role of a First Responder
Essentially the first person notified of, and reacting to, the security incident
Responsibilities:
  Determine the severity of the incident
  Collect as much information about the incident as possible
  Document all findings
  Share the collected information to determine the root cause
First Responder Toolkit
Understand program dependencies
Select tools
Test and verify tools
Understand the benefits to using this methodology
Methodology for Creating a First Responder Toolkit
Create the forensic tool testbed
Document the testbed
Document and set up forensic tools
Test the tools
NIST Methodology
NIST: National Institute of Standards and Technology, Information Technology Laboratory, Computer Forensic Tool Testing Program
The Computer Forensics Tools Verification project provides a measure of assurance that the tools used in the investigations of computer-related crimes produce valid results. It also supports other projects in the National Institute of Justice's overall computer forensics research program, such as the National Software Reference Library (NSRL).
http://www.cftt.nist.gov/
What is Volatile Data?
Definition: Any data stored in system memory that will be lost when the machine loses power or is shut down
Location: Registers, cache, and RAM (this module focuses on RAM)
Order of Volatility
(most volatile first)
Registers and cache
Routing table, ARP cache, process table, kernel statistics, connections
Temporary filesystems
Hard disk or other nonvolatile storage devices
Remote or off-site logging and monitoring data
Physical configuration and network topology
Archival media such as backup tapes, disk, and so on
Why is Volatile Data Important?
Gain initial insight
  Current state of the system
  What activities are currently being executed, or were being executed
  Validity of the alert that flagged the suspicious computer
Root of the problem
  Determine a logical timeline of the incident
  Identify the time, date, and user responsible for the security incident
Determine next step
  Decide whether a full collection of the persistent data on the suspicious computer is necessary
One chance to collect
  After the system is rebooted or shut down, it's too late!
Common First Responder Mistakes
Not having access to baseline documentation about the suspicious computer
Assuming that some parts of the suspicious machine may be reliable and usable
Shutting down or rebooting the suspicious computer
Types of Volatile Information
Volatile System Information: A collection of information about the current configuration and running state of the suspicious computer
Volatile Network Information: A collection of information about the network state of the suspicious computer
Volatile System Information
System profile
Current system date and time
Command history
Current system uptime
Running processes
Open files, start-up files, clipboard data
Logged-on users
DLLs or shared libraries
Volatile Data Collection Methodology
Step 1: Incident Response Preparation
Forensic Tool Test Bed
First responder toolkit
Creation of collection policies
Step 2: Incident Documentation
Incident profile
Forensic collection logbook
First responder toolkit documentation
Step 3: Policy Verification
Determine your authority to collect
Determine your manner of collection
Step 4: Volatile Data Collection Strategy
Types of volatile information to collect
Tools and techniques that facilitate this collection
Location for saved forensic tool output
Administrative vs. user access
Type of media access (floppy, CD-ROM, USB)
Whether the machine is connected to the network
Step 5: Volatile Data Collection Setup
Establish a trusted command shell
Establish the transmission and storage method
Ensure the integrity of forensic tool output
Step 6: Volatile Data Collection Process
Collect uptime, date, time, and command history for the security incident.
As you execute each forensic tool or command, generate the date and time to establish an audit trail.
Begin a command history that will document all forensic collection activities.
Collect all types of volatile system and network information.
End the forensic collection with date, time, and command history.
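The collection setup of Step 5 and the process of Step 6, with tools run in the order of volatility from the earlier slide, as an added shell example that is not part of the presentation. It assumes POSIX sh, GNU coreutils sha256sum, and that it is launched from a trusted shell whose PATH points at the responder's own verified toolkit rather than the suspect host's binaries; the output directory is assumed to be removable media or a network share.

```sh
#!/bin/sh
# Added example (not from the CMU CyLab deck): minimal volatile-data collection
# following Step 5 and Step 6. Assumes POSIX sh, GNU sha256sum, and a trusted
# shell whose PATH holds the responder's toolkit (the suspect PATH is not trusted).

# Run one tool, recording start/end time, the exact command line and its exit
# status in the collection log: this log is the audit trail and command history.
run_step() {
    out="$1"; shift
    printf '%s START %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
    rc=0
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUT/$out" 2>&1 || rc=$?
    else
        printf 'tool %s not in toolkit\n' "$1" > "$OUT/$out"; rc=127
    fi
    printf '%s END   %s (exit %s)\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" "$rc" >> "$LOG"
}

# Collect in order of volatility: time and uptime, process table, logged-on
# users, network state, open files, mounted (temporary) filesystems, profile.
collect_volatile() {
    OUT="$1"                      # removable media or network share (Step 5)
    LOG="$OUT/collection.log"
    mkdir -p "$OUT"
    printf 'Collection started %s by %s on %s\n' "$(date -u)" "$(id -un)" "$(uname -n)" > "$LOG"
    run_step date_start.txt   date -u
    run_step uptime.txt       uptime
    run_step processes.txt    ps -ef
    run_step users.txt        who
    run_step connections.txt  netstat -an
    run_step arp_cache.txt    arp -an
    run_step open_files.txt   lsof -n
    run_step mounts.txt       mount
    run_step profile.txt      uname -a
    run_step date_end.txt     date -u
    printf 'Collection ended %s\n' "$(date -u)" >> "$LOG"
    # Step 5: fix the integrity of every output file (log included) with a hash
    # manifest written immediately after collection; nothing is appended later.
    (cd "$OUT" && for f in *; do
        [ "$f" = hashes.sha256 ] || sha256sum "$f"
    done) > "$OUT/hashes.sha256"
}

# Re-check the manifest later (e.g. before analysis); returns non-zero if any
# collected file no longer matches its recorded hash.
verify_collection() {
    (cd "$1" && sha256sum -c hashes.sha256) >/dev/null 2>&1
}
```

A tool missing from the toolkit is recorded in the log with exit 127 rather than silently skipped, so the logbook still shows what was attempted and when.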
Summary
Collected volatile data can lead the first responder to the root cause of the security incident.
Volatile data can be easily changed and lost.
Document all findings and actions performed during the volatile data collection process.
Use a first responder toolkit to collect volatile data.