Identifying and Responding to Security Incidents in the Law Firm
Presented by: Carlos Batista, Information Security Manager, Alston & Bird LLP



Learning Objectives

- Understand how one law firm developed and enacted a formal Computer Incident Response Team (CIRT)
- Identify key stakeholders in Incident Response
- Identify the most likely scenarios for a computer security breach
- Define a methodology and establish measures for how to respond to such breaches


About Alston & Bird:

- National, Full-Service Law Firm
- 725 Attorneys, 5 U.S. Offices
- 240 Servers & 2,100 Desktops
- Almost all IT & Security Services Hosted In-House
- 25% of Servers Virtualized


The Benefits of a Computer Incident Response Team (CIRT)

- Proactive approach to responding to a security breach
- Better prepared to collect & analyze forensic-quality evidence
- Less downtime for impacted / breached and un-impacted systems
- Firm’s reputation is better preserved by following proper containment strategies


#1 Key to CIRT Planning & Success:

Senior Management Support!


How to Form a CIRT – Key Players

Core Team
- Information Security Manager (CIRT Team Leader)
- IT Infrastructure Manager
- Director of I.T.
- Information Security Analyst
- Facilities Manager

Support Team
- Finance Manager
- BC / DR Representative
- H.R. Representative
- Business Development / Public Relations
- Attorney / Loss Prevention
- C.I.O.


Identify Likely Breach Scenarios

There are many possible security breach scenarios; you need to narrow them down to a few and define how to respond to each of those. We chose to develop responses to four scenarios:

- Significant Computer or Network Equipment Theft
- Compromise of Firm’s Website
- Virus or Worm Outbreak on the Network
- Unauthorized Disclosure by Electronic Means


Identify a Methodology for Responding

Response scenarios are typically easier to devise when an overall strategy or methodology is followed.

We chose the PDCERF model (Schultz & Shumway) for incident response.


PDCERF Methodology Defined

- Preparation – Being ready to respond before an incident actually occurs.
- Detection – Determining that something malicious has actually occurred.
- Containment – Limiting the extent of an incident, preventing further damage from occurring.
- Eradication – Finding and eliminating the root cause or causes that made the incident possible.
- Recovery – Restoring the environment to its pre-incident state, but protected so the incident cannot reoccur.
- Follow-Up – Reviewing and integrating “lessons learned” into your incident response plans and security operations.


Scenario #2 – Compromise of Firm’s Website


Preparation

- Determined Incident Response Posture & Obtained Approval
- Configured FW, IDS/IPS Optimally for Attack Detection
- Configured Web Server & Database Logging
- Created Known-Good System Backups with MD5 Hashes
- Synchronized Network Time across All Devices
- Established Relationship with InfraGard (FBI)
- Created CIRT Calling Tree
- Created “Maintenance” Website
- Built Documentation on CIRT Framework and Cutover Procedures
- Prepared to Record Everything During an Incident (Timeline)


Detection

- Interfaced with Support Groups / Help Center to define a Notification Plan
- Defined SLAs for Initial Response, First Meeting, and Incident Updates to Management
- Defined Procedures for Initial Evidence Gathering
- Created Secure Repository for All Digital Evidence


Containment

- VMware Guest Machines for Website Paused
- VMware Files Copied to a Forensic Server
- Impacted Hosts Segmented from Rest of Network
- Full Disclosure Kept Strictly Confidential
- Help Center Instructed to Inform Others the Website is Experiencing “Technical Difficulties”
- External Parties Not Contacted (Not Currently)


Eradication

- Depends Largely on the Determined Root Cause
- May Involve Software Updates, Software Removal, Configuration Changes, Better Change Control, Operational Security, Physical Security, etc.
- Changes Tested in QA / Development Environment as Much as Possible


Recovery

- All Impacted Systems Are Flattened and Rebuilt
- Rebuilds Performed from Certified Known-Good Backup (MD5)
- Procedures Developed for Rebuild to Minimize Possibility of Breach Reoccurring
- Mitigations to Address Root Cause of Breach Implemented
- Validation Testing Performed
- Access to Fully Operational Website Re-enabled
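The "known-good backup with hashes" record from the Preparation slide and the "rebuild from certified known-good backup" check from the Recovery slide, as an added example that is not the presenter's own tooling: a manifest is built from the trusted copy and a restore candidate is verified against it before it goes live. MD5 is recorded because the slides use it, and SHA-256 alongside it because MD5 collisions are practical today; the directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of one file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(root):
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digests(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare a restore candidate against the known-good manifest."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)      # not in the baseline
    missing = sorted(p for p in manifest if p not in current)    # baseline file gone
    return {"modified": modified, "added": added, "missing": missing,
            "ok": not (modified or added or missing)}


def run_demo():
    """Constructed sample: baseline a tiny web root, then check a pristine and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good"
        (good / "css").mkdir(parents=True)
        (good / "index.html").write_text("<html><body>Firm site</body></html>\n")
        (good / "css" / "site.css").write_text("body { color: #222; }\n")
        (good / "config.ini").write_text("[db]\nhost=dbserver.example\n")  # constructed value
        manifest = build_manifest(good)  # the "certified known-good" record kept offline
        pristine = shutil.copytree(good, Path(tmp) / "restore_ok")
        tampered = shutil.copytree(good, Path(tmp) / "restore_bad")
        (tampered / "index.html").write_text("<html><body>Firm site</body></html>\n<!-- changed -->\n")
        (tampered / "uploads").mkdir()
        (tampered / "uploads" / "unknown.bin").write_bytes(b"\x00\x01")
        (tampered / "config.ini").unlink()
        return verify_manifest(pristine, manifest), verify_manifest(tampered, manifest)
```

A rebuild proceeds only when the pristine-style result reports `ok`; the tampered result shows the three findings a reviewer needs to see separately (changed content, unexpected files, and files that disappeared).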


Follow-Up

Post-Mortem Meetings to Review the Following:
- Timeline
- Response Time
- Recovery Procedures
- Evidence Gathered
- Investigatory Next Steps (If Applicable)
- Parties Involved – Should Others Be Brought In?
- Disposition of Evidence
- What Can Be Done Better?
- Update Scenario Response Plan


CIRT – Next Steps

- Continue Working on Scenarios – Incident Response is a Process, not a Project
- Implement Syslog Server
- Investigate Using Tripwire for Integrity Checking
- Integrate AlertFind into CIRT Procedures
- Actively Test Scenarios – Challenging Because Downtime is Required


References

Schultz & Shumway: Incident Response – A Strategic Guide to Handling System and Network Security Breaches.

Mandia, Prosise & Pepe: Incident Response & Computer Forensics (2nd Edition).

SANS Institute (sans.org)


Questions / Comments?

“In God we trust…all others we virus scan.” - Anonymous