Incident Response
Managing Security at Microsoft
Published: April 2004
Solution Overview
Situation
• Security threats to computer networks often come from attackers who take advantage of security flaws, such as well-known configuration errors and published product vulnerabilities. Just like any enterprise, Microsoft is the target of computer attacks.
Solution
• Microsoft IT developed a consistent process for responding to incidents and recovering from disasters that do occur. The primary objectives of this process are to establish a clear command and control center, to rapidly mitigate exposure, to maximize cooperation, and to efficiently coordinate response activities.
Benefits
• Microsoft IT’s detailed, well-rehearsed and flexible incident response plan ensures that any exploit that occurs can be handled in an orderly, effective manner that minimizes the impact to systems.
Microsoft IT Security Methodology
People
• Dedicated staff
• Training
• Security – a mindset and a priority
• Employee education
Process
• Planning for security
• Prevention
• Detection
• Reaction
Technology
• Baseline technology
• Standards, encryption, protection
• Product security features
• Security tools and products
Risk Assessment
[Chart: Risk (Low to High) plotted against Asset Value (Low to High), with the following asset categories]
• Property: Tangible/Replaceable
• Information: Clients/Corporate Network
• People: Employees
Preventing Incidents
● Scanning
● Auditing
● Detecting Intrusions
● Establishing Defense In Depth
● Securing Clients for Remote Users
Incident Response Team Structure
[Organization chart]
Incident Lead
Core Incident Response Team (all incidents):
● Security, Services & Architecture Lead
● Investigations Lead
● Communications Lead
● Other Group Leads (as needed)
Examples of Extended Technical Response Team (engaged as needed):
● Network Operations
● IT Helpdesk
● Virus Alert Command Team (VACT)
Virus Attack Command Team
[Organization chart]
VACT Lead
● Information Security
● Messaging Server Operations
● Network Operations
● Desktop Services
● IT Helpdesk
Incident Response Team Chairs
● Incident Command Chair
  ● Manage central logistics
  ● Coordinate response strategies
  ● Ensure staffing of the Operations Center
  ● Maintain a comprehensive record of events
● Communications Chair
  ● Draft and submit all proposed communication
  ● Coordinate with Corporate Public Relations
  ● Monitor media for press related to the incident
● Investigations Chair
  ● Pursue investigative leads
  ● Perform a forensics examination of computer and information systems
  ● Coordinate with law enforcement officials
Incident Response Plan
[Flowchart]
Trigger Phase:
● Security Scan/Audit
● Information on incident received
● Decision to begin Incident Response Plan
● Evaluate Situation
● Establish First Course of Action
Response Team Assembled:
● Operations
● External Web Site
● Internal Web Site
● User Support
Response Phase (ongoing evaluation and response revisions):
● Isolate and Contain
● Analyze and Respond
● Alert Others as Required
● Begin Remediation
De-escalation:
● Return to Normal Operations
● Post-Incident Review
● Revise/Improve Response Process
Quick guide to determining the significance of incident
• Severity of the event
• Overall business impact
• Criticality of vulnerable/attacked assets
• Public availability of information
• Scope of exposure
• Public relations impacts
• Extent of use of groups outside of security
Trigger Phase And Team Assembly
● Trigger Phase
  ● Evaluate the situation
  ● Establish the first course of action
● Team Assembly
Response Phase
● Isolate and Contain
● Analyze and Respond
● Alert Others As Required
● Begin Remediation
De-escalation And Post-Incident Review
● De-escalation
  ● Return to normal business operations
  ● No reporting of new information by the parties involved
● Post-incident Review
  ● Debrief of the key organizations
  ● Discussion of the successes and shortcomings of the incident response
Defending Against Malware: Trojan Horse And Worm
● The Trojan horse does something more than the user expects
● The backdoor Trojan horse compromises computer security while appearing to do something useful
● Worm viruses copy from one disk drive to another and use a variety of means to replicate themselves
Defending Against Malware: Virus
● Ways to significantly reduce downtime caused by an attack
  ● Educate users about the importance of complying with security policies
  ● Follow general guidelines for protection against viruses
● In the event of a major attack, the incident response plan takes effect, tailored to a virus attack
Defending Against DDoS Attacks
● In the event of a DDoS attack against the Microsoft network or other domain properties, the incident response plan takes effect
● The response is tailored to the DDoS type of attack
● When symptoms such as high CPU usage indicate a DDoS attack, remember that there may be other causes of the symptoms, such as new content on a Web server or newly released products
Defending Against Internet-Facing Server Attacks
● Systems in the perimeter network are usually the first to be attacked
● In the event of an Internet-facing server attack against the Microsoft network or other domain properties, the incident response plan takes effect
● The response is tailored to an attack on an Internet-facing server
Defending Against Unauthorized Network Intrusions
● An attacker may try to attack the infrastructure itself: routers, Exchange-based servers, domain controllers, and the Active Directory directory service
● In the event of a network intrusion at Microsoft, the incident response plan takes effect, tailored to a network intrusion attack
● Attackers sometimes use a “smoke screen”: an attack to divert attention from a more stealthy network intrusion
Closing Vulnerabilities In Products
● Product vulnerabilities become apparent only when the software is run on a particular computer, under a particular operating system, or in a specific configuration
● If a major vulnerability is discovered in a Microsoft product, the response is tailored to the situation; therefore, the specific steps involved are somewhat different from the steps required to handle an attack
Lessons Learned
● Poor password management
● Weak account management processes
● Unsecured and unmanaged remote computers
● Poorly configured and unpatched systems
● Weak auditing and monitoring processes
● Inadequately restricted access to critical information
First Layer Of Defense: Secure The Network Perimeter
● Use secure wireless access
● Use a perimeter messaging firewall on the network
● Use an effective network intrusion detection system
● Secure remote user connections
● Deny viruses at the perimeter
Second Layer of Defense: Secure The Network Interior
● Control programs available to users
● Eliminate weak passwords
● Eliminate shared domain service accounts
● Use secure domain controllers
● Enforce application of antivirus software and software patches
● Use secure, robust operating systems for clients and servers
Conclusion
● Prevention is less costly than reacting to incidents
● Enterprises should develop a system of security audits, system scans, and remediation steps and educate users about protecting their systems
● Impact to systems is reduced by having a detailed, well-rehearsed, and flexible incident response plan
For More Information
● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
● Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
● E-mail IT Showcase: [email protected]
This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.