Developing and Implementing a CIRT Team
Nanette S. Poulios, CISSP, CISM
Senior Training Consultant, Easy i
Today’s Agenda
Why does anyone need a CIRT?
How do you create a CIRT?
What do you need to manage and train a CIRT?
Impediments to a successful CIRT
Case Studies
Why Does Anyone Need a CIRT?
Incidents on the Rise
Number of incidents reported to CERT/CC increased:
21,756 in 2000
52,658 in 2001
82,094 in 2002
137,529 in 2003 **
** http://www.cert.org/stats/cert_stats.html
Legal and Regulatory CIRT Requirements
HIPAA 45 C.F.R. Part 164.308(a)(6)
FTC Safeguards Rule 16 C.F.R. 314.4(b)(3)
“Detecting, preventing and responding to attacks, intrusions, or other systems failures”
OCC Safety and Soundness Standards 12 C.F.R. Part 30 Appendix B III (c)(g)
“Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies”
Legal and Regulatory CIRT Requirements (2)
GLB Act
Sarbanes-Oxley
Basel Principle 14
“To ensure effective response to unforeseen incidents, banks should develop:
Incident response plans to address recovery of e-banking systems and services under various scenarios, businesses and geographic locations. Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the bank. E-banking systems that are outsourced to third-party service providers should be an integral part of these plans”
Best Practices CIRT Requirements
ISO 17799
6.3.1 Reporting security incidents
“Security incidents should be reported through appropriate management channels as quickly as possible. A formal reporting procedure should be established, together with an incident response procedure, setting out the action to be taken on receipt of an incident report.”
Best Practices CIRT Requirements (2)
8.1.3 Incident management procedures
“Incident management responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents (see also 6.3.1). The following controls should be considered.
a) Procedures should be established to cover all potential types of security incident, including:
1) information system failures and loss of service;
2) denial of service;
3) errors resulting from incomplete or inaccurate business data;
4) breaches of confidentiality.”
Best Practices CIRT Requirements (3)
“The Federal Information Security Management Act (FISMA) of 2002 requires Federal agencies to establish incident response capabilities.” *
Requires the agency to select a team
Staff the team
Train the team
* NIST SP 800-61, Computer Security Incident Handling Guide
Best Practices CIRT Requirements (4)
OMB Circular No. A-130, Appendix III,
“ensure that there is a capability to provide help to users when a security incident occurs in the system”
Business Practices Requiring a CIRT
Fiduciary Responsibility
Liability Avoidance
Survivability
Security Event Definition
Not just attacks; may include any negative or unexpected behavior
System crashes
Policy violations
Examples: Denial of Service, Malicious Code, Unauthorized access, Inappropriate usage
How Do You Create a CIRT?
Authority
Corporate/Agency policy must provide for CIRT creation
Board of Directors approval is recommended
Top level management supports the CIRT and releases a formal statement
CIRT reports to upper level management, not IT
Mission of the CIRT
Provides clear understanding of goals and objectives
Communicates these goals and objectives to others
Prevents misunderstandings in a crisis situation
Optional purpose statement to gain support
Sample Mission Statement
“The objective of the CIRT is to investigate apparent intrusion attempts and report their findings in a timely manner to executive management. The CIRT provides a centralized approach to managing computer security incidents so that current incidents can be controlled as quickly as possible to avoid serious damage to XXX systems and future incidents can be prevented. Additionally, the CIRT will provide increased security awareness so that XXX’s computer systems will be better prepared and protected in the future.”
Responsibilities of CIRT
Vary by organizational needs
Proactive examples:
Awareness programs
Technical publications
Advisories
Vulnerability and penetration testing
Reactive examples:
Incident response
Malicious code analysis
Liaison with law enforcement
Incident post-mortem and reporting
Operating Policies and Procedures
CIRT should be governed by organizational and regulatory policies
Approved by management
CIRT should follow a standard operating procedure
Provide complete and concise documentation
Review periodically for updates
Revise after post-mortem review
Team Composition
Core Members
Determine if the incident warrants further investigation
Categorize the security incident
Add support members to the investigation if necessary
Support Members
Provide needed technical expertise as required
Member of the team for the duration of the incident
Core Members
IT Audit
IT Security
Corporate Security
Legal
IT Audit Member Role
Ensure that best practices are followed
Ensure the auditability of the investigation process
Ensure that chain of custody procedures are followed correctly
Maintain accountability for all evidence collected during the investigation
Document investigation
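The chain-of-custody and evidence-accountability duties above are usually kept on paper, but the same record can be made tamper-evident. The following is an added example, not material from the slides: a small custody log in which every handling event stores the SHA-256 of the evidence at that moment and a hash of the previous entry, so that either a later change to the evidence copy or an edit to an earlier log entry is detectable. The evidence identifier, handler names, timestamps and the sample log line are all constructed for the example.

```python
"""Added example (not from the original slides): a tamper-evident
chain-of-custody log for a piece of digital evidence.

Each CustodyEntry records who handled the item, when, what they did,
the SHA-256 of the evidence at that moment and the hash of the previous
entry.  verify() recomputes everything and reports any break.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str
    handler: str
    action: str            # e.g. "collected", "transferred", "analyzed", "released"
    evidence_sha256: str   # hash of the evidence copy as handed over
    prev_entry_hash: str   # hash of the previous entry (links the chain)
    entry_hash: str = ""   # hash of this entry's own fields, filled in by record()

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class ChainOfCustody:
    GENESIS = "0" * 64   # prev_entry_hash of the first entry

    def __init__(self, evidence_id: str, evidence: bytes):
        self.evidence_id = evidence_id
        self.original_sha256 = sha256_hex(evidence)   # taken at seizure
        self.entries: List[CustodyEntry] = []

    def record(self, handler: str, action: str, evidence: bytes,
               when: Optional[str] = None) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(
            seq=len(self.entries),
            timestamp=when or datetime.now(timezone.utc).isoformat(),
            handler=handler,
            action=action,
            evidence_sha256=sha256_hex(evidence),
            prev_entry_hash=prev,
        )
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means log and evidence are intact."""
        problems = []
        prev = self.GENESIS
        for e in self.entries:
            recomputed = e.compute_hash()
            if e.prev_entry_hash != prev:
                problems.append(f"entry {e.seq}: broken link to previous entry")
            if e.entry_hash != recomputed:
                problems.append(f"entry {e.seq}: entry contents altered after it was recorded")
            if e.evidence_sha256 != self.original_sha256:
                problems.append(f"entry {e.seq}: evidence hash changed while held by {e.handler}")
            prev = recomputed
        return problems


def demo():
    """Walk one evidence item through collection, transfer and a bad analysis step."""
    # Constructed sample: one line from a seized authentication log.
    evidence = (b"Jun 15 02:14:07 host sshd[2041]: "
                b"Failed password for root from 10.0.0.5 port 4022 ssh2\n")
    log = ChainOfCustody("EV-2003-0142", evidence)           # hypothetical identifier
    log.record("J. Smith (IT Security)", "collected", evidence, "2003-06-15T06:30:00+00:00")
    log.record("A. Jones (IT Audit)", "transferred", evidence, "2003-06-15T07:05:00+00:00")
    clean = log.verify()                                     # expected: no problems
    # The working copy is modified while in custody; the next hand-off no longer matches.
    tampered = evidence.replace(b"10.0.0.5", b"10.0.0.9")
    log.record("A. Jones (IT Audit)", "analyzed", tampered, "2003-06-16T09:00:00+00:00")
    dirty = log.verify()                                     # expected: one problem on entry 2
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "intact")
    print("after tampering: ", after)
```

A hash chain only shows that the record was altered; it cannot say by whom, and a person holding the whole log could rewrite it end to end. In practice the entries would also be signed by the handler and the entry hashes written to a store the team does not control (a printed log book, a ticket system, a notary timestamp), which is exactly the accountability the IT Audit member is there to enforce.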
IT Security Member Role
Inform all other users that are affected by the security incident of the necessary actions to control the incident.
Perform appropriate backtracing, forensic analysis and other technical tasks required by the investigation
Provide an analysis of the incident including root causes
Compile the final report and recommendations of the CIRT
Be available as an expert witness
Corporate Security Member Role
Provide a liaison with law enforcement
Ensure that investigative best practices are followed
Contain the incident locale as appropriate
Manage the interview process for witnesses and suspects
Legal Member Role
Brief other core and support members on privacy, 4th Amendment, search and seizure and wiretap issues
Ensure that suspects’ rights are protected appropriately
Act as spokesperson with the media
Review any press releases before they are released to the media
Review any management reports
Act as liaison with outside legal counsel
Support Members
Platform Specialist
Financial Auditor
Fraud Examiner
Personnel
Public Information Officer/Public Relations
Platform Specialist Support Role
Review audit logs and report any unusual or suspect activities
Report any unusual behaviors of the critical systems
Be prepared to brief the CIRT on operations procedure
Protect evidence of incident according to organizational guidelines and instructions of the core team
Platform Specialist Support Role (2)
Assess and report damage to system and/or data to CIRT
Aid in determining the scope of the intrusion
Aid in identifying the point of access or the source of the intrusion
Make recommendations to close the source or point of access of the intrusion
Financial Auditor Support Role
Be prepared to brief the team on financial procedures
Be prepared to conduct a financial audit if the core team deems it necessary for investigative reasons
Report findings to the CIRT
Follow investigative procedures as determined by the CIRT
Fraud Examiner Support Role
Aid the core members of the CIRT in discovery and recognition of fraud
Follow guidelines for lawful search
Follow organizational and legal privacy policies/requirements
Aid in identifying objects and materials used to commit suspected fraud
Fraud Examiner Support Role (2)
Preserve, using CIRT guidelines, any evidence collected until transported to CIRT
Transport evidence to CIRT for safekeeping until resolution of investigation
Report findings to the CIRT
Personnel Support Role
Advise the core members on personnel policies and procedures
Make recommendations for handling sensitive employee information
Public Information Officer Support Member
Act as a single point of contact for the media.
Obtain legal advice before any interview or press release is given to the media
Obtain approval from the CIRT that any interview or press release will not interfere with the investigation.
Inform all other affected users to refer any media inquiries to the Public Information Officer.
What do you need to manage a CIRT?
Team Leadership
Management will appoint a team leader from the Core membership of the team
Duties will include:
Convene the CIRT
Contact the Chief Information Officer (or other designated Officer)
Conduct meetings of the CIRT
Periodically report status of investigations to the CIO
Manage investigations
Team Leadership (2)
Duties Continued
Take responsibility for verifying chain of custody of evidence
Coordinate team activities
Appoint support members as required for particular investigations
Present findings to management
Monitor the investigation
CIRT Team Responsibilities
The CIRT is an investigative body only.
It does not make policy or take corrective action following an investigation; it reports findings and recommendations
The CIRT is a completely independent body.
It receives its direction from the Chief Information Officer, but is accountable directly to the General Manager or the General Manager's appointee
CIRT Team Responsibilities (2)
Determining if an event constitutes an investigative security incident
Conducting an appropriate investigation to determine the root cause, source, nature, extent of damage and recommended response to a computer security incident.
Preserving evidence of the incident
Interviewing witnesses and suspects
CIRT Team Responsibilities (3)
Providing appropriate liaison with law enforcement and outside legal counsel
Managing the release of information to the media
Managing interaction between Human Resources and witnesses, suspects, organized labor and other appropriate interested parties
Preparing a report of findings, root causes, lessons learned and recommended actions for management review
CIRT Team Responsibilities (4)
Carrying out the directions of management communicated through the Chief Information Officer
Containing the incident scene to prevent contamination of evidence
Core Team Training Requirements
Legal: 4th Amendment, privacy, and lawful search issues
Organizational policies and procedures
Investigative process
Storing and transporting evidence according to legal guidelines
Vendor training on all current detection and investigative tools
Core Team Training Requirements (2)
Collecting, preserving and analyzing evidence of a computer security incident
Procedures for coordinating with outside organizations such as CERT, FIRST and law enforcement
Support Team Training Requirements
Legal: 4th Amendment, privacy, and lawful search issues
Review organizational policies and procedures
Investigative process
Storing and transporting evidence according to legal guidelines
Technical training on all platforms, operating systems and applications that the member is responsible for, including new technologies
Continuous Training Requirements
Updates in tools used in their investigations
Updates in investigative and forensic techniques
Updates in appropriate technologies
Updates and changes in laws, regulations and internal policies that affect investigations
Periodic simulation drills
Impediments to a Successful CIRT
Impediments to a Successful CIRT
Lack of management support
Lack of procedures and policy
Lack of access to evidence due to outsourcing
Lack of event readiness within organization
Lack of qualified personnel
Lack of training
Case Studies
Case Studies
Superbowl Slammer Incident
Watchful Team Incident
Blackout Incident
Resources
http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf
http://www.cert.org/tech_tips/incident_reporting.html
http://www.sans.org/rr/papers/27/641.pdf
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Peter Stephenson, Investigating Computer-Related Crime, CRC Press
Contact Information
Nanette S. Poulios, CISSP, CISM
Senior Training Consultant, Easy I
248-705-0710 (direct)
248-375-2315 fax