Michael McDonnell, GIAC Certified Intrusion Analyst, [email protected]. Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike.

Incident Response

DESCRIPTION

A presentation on developing an Incident Response Program (Information Security related). Heavily based on NIST guidelines.

Page 1: Incident Response

Michael McDonnell, GIAC Certified Intrusion Analyst

[email protected]

Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike.

Incident Response

Page 2: Incident Response

Incident Response Overview

1. Events and Incidents
2. Response vs Handling
3. Process and Capability
4. Questions

Page 3: Incident Response

Incidents are Events

Any real or suspected adverse event related to information systems

A violation of existing information security policy

Page 4: Incident Response

Security Incidents are Common

Any real or suspected adverse event related to information systems

A violation of existing information security policy

Page 5: Incident Response

Incidents are… Viruses

Page 6: Incident Response

Incidents are… Hackers

Page 7: Incident Response

Incidents are… Hackers

Page 8: Incident Response

Incidents are… Vandalism

Page 9: Incident Response

Incidents are… Theft

Page 10: Incident Response

Incidents are… Data Loss

Page 11: Incident Response

Incidents are… “Outages”

Page 12: Incident Response

Incidents are… Espionage

Page 13: Incident Response

Incidents are not… Disasters (maybe)

Page 14: Incident Response

Incidents are… Continuous

Page 15: Incident Response

Incident Response is a Capability

1. Events: Monitor and Detect
2. Incidents: Identify and Analyze
3. Actions: Contain and Correct
4. Lessons: Learn and Improve

Page 16: Incident Response

Incident Response is…

A Process that manages risk associated with information systems

A Capability of an organization to respond to continuous security threats

Page 17: Incident Response

Incident Response vs Handling

Strategic vs Operational
Continual vs Discrete

Process vs Action
Improvement vs Remediation

Page 18: Incident Response

Incident Response is…

Systematic
Consistent

Fast & Efficient
Driver for Improvement

Authoritative/Empowered
Sensitive/Confidential

Documented

Page 19: Incident Response

Incident Response Teams

Supported by Management
Cross-functional

Well Trained
Good Communicators

Technical Experts
Well Equipped

Have Broad Access

Page 20: Incident Response

Incident Response is a Process

1. Preparation
2. Detection and Analysis
3. Containment/Mitigation
4. Recovery
5. Post-Incident Analysis

1. Be Prepared
2. Be Systematic & Organized
3. Act Quickly
4. Fix the Problem
5. Make Improvements

Page 21: Incident Response

Preparation: Training

Page 22: Incident Response

Preparation: Communications

Page 23: Incident Response

Preparation: Hardware & Software

Page 24: Incident Response

Preparation: Continuous Monitoring

Page 25: Incident Response

Preparation: Analysis & Mitigation

Page 26: Incident Response

Detection & Analysis

Different threats require different responses

Incident Categories:
1. Denial of Service
2. Malicious Software
3. Unauthorized Access
4. Inappropriate Usage
5. Hybrid

Detection:
- How was it detected?
- Is it really an incident, or an unusual event?
- Can it be confirmed?

Analysis:
- What is at risk? (the "System Profile")
- What is normal for that system?
- Correlate events for more information
- Carefully record and document data

Page 27: Incident Response

Detection & Analysis

Page 28: Incident Response

Detection & Analysis

Page 29: Incident Response

Diagnosis Matrix

Extremely helpful for inexperienced or ad-hoc incident handlers.

Part of diagnosis means seeking help from others
• Sysadmins for knowledge of normal system operations
• Managers for knowledge of impact
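The slides name the diagnosis matrix but do not reproduce it. The following is an added example, not from the deck or from NIST, of what such a matrix looks like in code: observed symptoms are weighted against the four incident categories from the previous slide, the strongest category wins, a close second is flagged as "Hybrid", and symptoms the matrix does not recognise are returned so the handler knows to ask the sysadmins about them. The symptom names and weights are constructed for illustration; a real matrix is built from the organisation's own past incidents.

```python
from typing import Dict, Iterable, List, Tuple

# Incident categories as listed on the Detection & Analysis slide.
CATEGORIES = (
    "Denial of Service",
    "Malicious Software",
    "Unauthorized Access",
    "Inappropriate Usage",
)

# Constructed diagnosis matrix (illustrative only): symptom -> category weights.
# 3 = strong indicator, 2 = moderate, 1 = weak; a missing category is not indicative.
DIAGNOSIS_MATRIX: Dict[str, Dict[str, int]] = {
    "service unresponsive":            {"Denial of Service": 3, "Malicious Software": 1},
    "traffic flood from many sources": {"Denial of Service": 3},
    "antivirus alert":                 {"Malicious Software": 3},
    "unexpected outbound connections": {"Malicious Software": 3, "Unauthorized Access": 2},
    "unknown new user account":        {"Unauthorized Access": 3},
    "spike in failed logins":          {"Unauthorized Access": 3, "Denial of Service": 1},
    "modified system binaries":        {"Unauthorized Access": 3, "Malicious Software": 2},
    "policy-violating web browsing":   {"Inappropriate Usage": 3},
    "large personal file transfers":   {"Inappropriate Usage": 2, "Unauthorized Access": 1},
}


def score_symptoms(symptoms: Iterable[str]) -> Tuple[Dict[str, int], List[str]]:
    """Sum the matrix weights per category; collect symptoms the matrix lacks."""
    scores = {category: 0 for category in CATEGORIES}
    unknown: List[str] = []
    for symptom in symptoms:
        row = DIAGNOSIS_MATRIX.get(symptom.strip().lower())
        if row is None:
            unknown.append(symptom)      # ask a sysadmin: is this normal for the system?
            continue
        for category, weight in row.items():
            scores[category] += weight
    return scores, unknown


def diagnose(symptoms: Iterable[str], hybrid_ratio: float = 0.75) -> dict:
    """Rank categories; call it 'Hybrid' when the runner-up is close to the leader."""
    scores, unknown = score_symptoms(symptoms)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    top_category, top_score = ranked[0]
    if top_score == 0:
        category = "Unknown"             # nothing matched: confirm before declaring an incident
    elif ranked[1][1] > 0 and ranked[1][1] >= hybrid_ratio * top_score:
        category = "Hybrid"              # fifth category on the slide
    else:
        category = top_category
    return {"category": category, "ranked": ranked, "unknown_symptoms": unknown}


if __name__ == "__main__":
    # Constructed sample observations from a first-line handler.
    observed = ["antivirus alert", "unexpected outbound connections", "service unresponsive"]
    print(diagnose(observed))
```

The ratio threshold is deliberately conservative: an inexperienced handler is better served by a "Hybrid" label that prompts escalation than by a confident single category that turns out to be half the story.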

Page 30: Incident Response

Incident Documentation

Begin as soon as an incident is suspected

Include:
- System events
- Telephone conversations
- Observed or initiated changes
- Note the current status frequently, with timestamps

At any given moment:
- Current status and priority
- Summary of incident
- Actions taken by handlers
- Contact information for other parties
- List of evidence gathered
- Comments for other handlers
- Next steps to be taken

Page 31: Incident Response

Incident Priority: Effect & Criticality

Page 32: Incident Response

Incident Containment & Mitigation

Identify and block the attacker
Patch the system
Take the system offline
Upgrade software
Restore from backup
Reboot

It is key to consult external databases for advice, and data about the type of attack, the attacker, the problem, and its solution.

Page 33: Incident Response

Incident Containment & Mitigation

Page 34: Incident Response

Incident Post-Mortem

Incident Response is a driver for improvements in information security, so it is critical to conduct a post-incident analysis and report.

- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident?
- Were the documented procedures followed? Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- What would the staff and management do differently the next time a similar incident occurs?
- What corrective actions can prevent similar incidents in the future?
- What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
- What Personally Identifiable Information was involved? Is disclosure advised?

Page 35: Incident Response

Incident Post-Mortem

Page 36: Incident Response

Incident Checklist

Page 37: Incident Response

Incident Reporting

What should you report?

What happened?
Why did it happen?
What was done to correct it?
What impact did it have?
What did it cost?
What could have been done differently?
How could it have been avoided?
Is it resolved? What else is needed?
How likely is it to happen again? How often?
What is the long term impact?

Page 38: Incident Response

Information Security is an Outcome

"Our systems are secure from hackers"

"We have blocked 17,342 viruses to date"

"Our systems are all online"

"Insiders cannot steal our information"

"We have backups"

"We are Secure"

Page 39: Incident Response

Information Security is a Process

"We want to improve security"

"We need to protect against more threats"

"We want to reduce risk"

"We want to increase customer confidence"

"We want to decrease the number of compromises"

"We want to be more Secure"

Page 40: Incident Response

Defence in Depth lowers Risk

Page 41: Incident Response

Process leads to Outcome

Firewalls do not make you secure
Anti-virus does not make you secure

Policies do not make you secure
VPNs do not make you secure

Guards do not make you secure
Passwords do not make you secure

Incident Response is a Capability that enables them to make you

MORE secure

Page 42: Incident Response

Questions?

Email: [email protected]

Slides: http://winterstorm.ca/download/