IncidentResponse

The document outlines the Incident Response Process, detailing the steps involved from preparation to recovery, including the roles of Incident Management and Response Teams. It emphasizes the importance of defining recovery terms, establishing a chain of custody for evidence, and conducting thorough analyses post-incident. Additionally, it discusses the integration of incident response with business continuity planning and highlights the challenges faced in implementing effective incident response strategies.


Incident Response

Incident Response Process
Forensics
Acknowledgments
Material is sourced from:
• CISA® Review Manual 2011, ©2010, ISACA. All rights reserved. Used by permission.
• CISM® Review Manual 2012, ©2011, ISACA. All rights reserved. Used by permission.

Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Objectives
Students should be able to:
• Define and describe an incident response plan and business continuity plan
• Define recovery terms: interruption window, service delivery objective, maximum tolerable outage, alternate mode, acceptable interruption window
• Describe incident management team, incident response team, proactive detection, triage
• Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, imaging, extraction, ingestion or normalization, case log, investigation report
• Develop a high-level incident response plan
How to React to…?
• Denial of Service
• Accidents
• Viruses
• Social Engineering
• Stolen Laptop
• Theft of Proprietary Information
• System Failure
• Hacker Intrusion
• Fire!
• Lost Backup Tape
Incident Response vs. Business Continuity
Incident Response Planning (IRP):
• Security-related threats to systems, networks & data
• Data confidentiality
• Non-repudiable transactions
Business Continuity Planning:
• Disaster Recovery Plan
• Continuity of Business Operations
• IRP is part of BCP and can be *the first step*
Recovery Terms
Interruption Window: Time duration organization can wait between point of failure and service resumption
Service Delivery Objective (SDO): Level of service in Alternate Mode
Maximum Tolerable Outage: Max time in Alternate Mode

[Timeline figure] Regular Service → Interruption → Disaster Recovery Plan Implemented → Alternate Mode (service at SDO level) → Restoration Plan Implemented → Regular Service. The (Acceptable) Interruption Window runs from the interruption until the Disaster Recovery Plan is implemented; the Maximum Tolerable Outage spans the time in Alternate Mode, until the Restoration Plan is implemented.


Vocabulary
IMT: Incident Management Team
• IS Mgr leads, includes steering committee, IRT members
• Develop strategies & design plan for Incident Response, integrating business, IT, BCP, and risk management
• Obtain funding, review postmortems
• Meet performance & reporting requirements

IRT: Incident Response Team
• Handles the specific incident. Has specific knowledge relating to: security, network protocols, operating systems, physical security issues, malicious code, etc.
• Permanent (Full Time) Members: IT security specialists, incident handlers, investigator
• Virtual (Part Time) Members: Business (middle mgmt), legal, public relations, human resources, physical security, risk, IT
Incident Response Plan (IRP)
Preparation: Plan PRIOR to incident
Identification: Determine what is/has happened
Containment: Limit incident
Analysis & Eradication: Determine and remove root cause
Recovery: Return operations to normal
Lessons Learned: Process improvement: plan for the future

Escalation [If data breach]:
Notification: Notify any data breach victims
Ex-Post Response: Establish call center, reparation activities
Stage 1: Preparation
• What shall we do if different types of incidents occur? (BIA helps)
• When is the incident management team called?
• How can governmental agencies or law enforcement help?
• When do we involve law enforcement?
• What equipment do we need to handle an incident?
• What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies)
• Where on-site & off-site shall we keep the IRP?
(1) Detection Technologies
Organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner

Proactive Detection includes:
• Network Intrusion Detection/Prevention System (NIDS/NIPS)
• Host Intrusion Detection/Prevention System (HIDS/HIPS)
  • Includes personal firewalls
• Security Information and Event Management (Logs)
• Vulnerability/audit testing
• Centralized Incident Management System
  • Input: Server, system logs
  • Coordinates & correlates logs from many systems
  • Tracks status of incidents to closure

Reactive Detection: Reports of unusual or suspicious activity
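The centralized incident management system's job of correlating logs from many systems, shown as an added example that is not part of the slides: a small Python correlator over constructed firewall and sshd log lines. The hosts (fw01, srv05, srv08), the addresses (RFC 5737 documentation ranges), the line formats and the two rules it applies are all assumptions. It flags the source address that first probes the perimeter and then obtains a login as "Unauthorized access", one of the triage categories used later in the deck, and leaves the ordinary session alone.

```python
"""Correlate log lines from several systems (firewall + server) the way a
centralized incident management system would. Added example with constructed
log lines; the formats, hosts and rules are assumptions, not any product's."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input. Addresses are from RFC 5737 documentation ranges.
FIREWALL_LOG = """\
2024-03-01T02:14:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2024-03-01T02:14:03 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-03-01T02:14:05 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2024-03-01T02:14:09 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T02:20:00 fw01 ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443
this line is malformed and must be skipped, not crash the parser
"""
SERVER_LOG = """\
2024-03-01T02:14:10 srv05 sshd: Failed password for root from 203.0.113.7
2024-03-01T02:14:12 srv05 sshd: Failed password for root from 203.0.113.7
2024-03-01T02:14:15 srv05 sshd: Accepted password for root from 203.0.113.7
2024-03-01T02:21:00 srv08 sshd: Accepted password for alice from 198.51.100.4
"""

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


@dataclass
class Event:
    when: datetime
    host: str
    kind: str        # "fw-deny", "fw-allow", "ssh-fail" or "ssh-accept"
    src_ip: str
    detail: str      # dst:port for firewall lines, account name for sshd lines


def parse_firewall(text):
    """Parse firewall lines; malformed lines are skipped, never fatal."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, port = m.groups()
            events.append(Event(datetime.fromisoformat(ts), host,
                                "fw-" + action.lower(), src, f"{dst}:{port}"))
    return events


def parse_sshd(text):
    """Parse sshd authentication lines from a server log."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            kind = "ssh-accept" if result == "Accepted" else "ssh-fail"
            events.append(Event(datetime.fromisoformat(ts), host, kind, src, user))
    return events


def correlate(events, window=timedelta(minutes=10)):
    """Group events by source IP and apply two rules (assumptions):
    - probing (3+ firewall denies or 2+ failed logins) -> medium priority
    - probing followed within `window` by an accepted login -> high priority,
      category 'Unauthorized access' (one of the triage categories in the deck).
    Returns one incident dict per flagged IP, high priority first."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.when)
        probes = [e for e in evs if e.kind in ("fw-deny", "ssh-fail")]
        denies = sum(e.kind == "fw-deny" for e in probes)
        fails = sum(e.kind == "ssh-fail" for e in probes)
        if denies < 3 and fails < 2:
            continue                    # a lone allow or single failure is noise
        first_probe = probes[0].when
        logins = [e for e in evs if e.kind == "ssh-accept"
                  and first_probe <= e.when <= first_probe + window]
        if logins:
            category, priority = "Unauthorized access", "high"
        else:
            category, priority = "Probing / brute force", "medium"
        incidents.append({
            "src_ip": ip, "category": category, "priority": priority,
            "hosts": sorted({e.host for e in evs}),
            "accounts": sorted({e.detail for e in logins}),
            "first_seen": first_probe.isoformat(),
            "evidence": len(evs),
        })
    incidents.sort(key=lambda i: i["priority"] != "high")
    return incidents


def run_demo():
    """Correlate both constructed logs; returns the incident list."""
    return correlate(parse_firewall(FIREWALL_LOG) + parse_sshd(SERVER_LOG))


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

The incident record keeps the count of supporting events and the hosts involved, which is what the triage step needs to size the affected environment; the thresholds and window are deliberately small for the sample and would be tuned against real log volume.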


(1) Management Participation
• Management makes final decision
• As always, senior management has to be convinced that this is worth the money.
• Actual Costs: Ponemon Data Breach Study, 2013, Sponsored by Symantec

Expenses Following a Breach (Average Cost):
• Detection and Escalation ($400,000): forensic investigation, audit, crisis mgmt., board of directors involvement
• Notification ($570,000): legal expertise, contact database development, customer communications
• Post Breach Response ($1,410,000): help desk and incoming communications, identity protection services, legal and regulatory expenses, special investigations
• Lost Business ($3,030,000): abnormal customer churn, customer procurement, goodwill
Workbook
Incident Types
Incident | Description | Methods of Detection | Procedural Response
Intruder accesses internal network | Firewall, database, IDS, or server log indicates a probable intrusion. | Daily log evaluations, high priority email alerts | IT/Security addresses incident within 1 hour: Follow: Network Incident Procedure Section.
Break-in or theft | Computers, laptops or memory is stolen. | Security alarm set for off-hours; or employee reports missing device. | Email/call Management & IT immediately. Management calls police. Security initiates tracing of laptops via location software, writes Incident Report, evaluates if breach occurred.
Social Engineering | Suspicious social engineering attempt OR information was divulged later recognized as | Training of staff leads to report from staff | Report to Management & Security. Warn employees of attempt as added training. Security evaluates if breach
Stage 2: Identification
Triage: Categorize, prioritize and assign events and incidents
• What type of incident just occurred?
• What is the severity of the incident?
  • Severity may increase if recovery is delayed
• Who should be called?
• Establish chain of custody for evidence
(2) Triage
Snapshot of the known status of all reported incident activity
• Sort, Categorize, Correlate, Prioritize & Assign
Categorize: DoS, Malicious code, Unauthorized access, Inappropriate usage, Multiple components
Prioritize: Limited resources require prioritizing response to minimize impact
Assign: Who is free/on duty, competent in this area?
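Triage written out as a procedure, as an added Python example that is not from the slides: the responder roster, the keyword categorizer, the 1 to 4 severity scale and the rule that a waiting incident's priority rises one level for every four hours it sits unhandled are assumptions chosen to show the categorize, prioritize and assign steps above, including the case where nobody on duty is competent in the category and the incident has to be escalated rather than silently dropped.

```python
"""Triage: categorize, prioritize and assign reported events.
Added example, not from the slides. The responder roster, the keyword
categorizer, the 1-4 severity scale and the 'one level per 4 hours waiting'
escalation rule are assumptions chosen to illustrate the steps."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Keyword rules mapping a free-text report onto the slide's categories (assumption).
RULES = [
    ("DoS", ("denial of service", "flood", "unreachable")),
    ("Malicious code", ("malware", "virus", "ransomware")),
    ("Unauthorized access", ("intruder", "unauthorized", "login")),
    ("Inappropriate usage", ("policy violation", "inappropriate")),
]


@dataclass
class Responder:
    name: str
    skills: set                  # categories this handler is competent in
    on_duty: bool
    assigned: list = field(default_factory=list)


@dataclass
class Incident:
    ident: str
    category: str
    severity: int                # 1 (low) .. 4 (critical), as reported
    reported: datetime
    assignee: str = None
    priority: int = 0


def categorize(description):
    """Categorize: a report matching more than one rule is 'Multiple components'."""
    text = description.lower()
    hits = [cat for cat, words in RULES if any(w in text for w in words)]
    if len(hits) > 1:
        return "Multiple components"
    return hits[0] if hits else "Uncategorized"


def prioritize(inc, now, escalate_after=timedelta(hours=4)):
    """Prioritize: severity rises one level for every `escalate_after` the
    incident has waited unhandled (delay increases impact), capped at 4."""
    waited = now - inc.reported
    bumps = max(0, waited // escalate_after)
    inc.priority = min(4, inc.severity + bumps)
    return inc.priority


def assign(incidents, roster, now):
    """Sort by priority (highest first, then oldest) and hand each incident to
    the on-duty responder competent in its category with the lightest load.
    Incidents nobody on duty can take stay unassigned for IMT escalation."""
    for inc in incidents:
        prioritize(inc, now)
    queue = sorted(incidents, key=lambda i: (-i.priority, i.reported))
    for inc in queue:
        candidates = [r for r in roster if r.on_duty and inc.category in r.skills]
        if not candidates:
            inc.assignee = None
            continue
        pick = min(candidates, key=lambda r: len(r.assigned))
        pick.assigned.append(inc.ident)
        inc.assignee = pick.name
    return queue


def run_demo():
    """Constructed roster and helpdesk reports; returns the triaged queue."""
    now = datetime(2024, 3, 1, 9, 0)
    roster = [
        Responder("Ana", {"Malicious code", "Unauthorized access"}, on_duty=True),
        Responder("Ben", {"DoS"}, on_duty=True),
        Responder("Cy", {"Unauthorized access", "Multiple components"}, on_duty=False),
    ]
    reports = [  # (id, helpdesk text, reported severity, time reported)
        ("INC-1", "Helpdesk: laptop shows ransomware note", 3, now - timedelta(hours=1)),
        ("INC-2", "Web tier unreachable, SYN flood suspected", 2, now - timedelta(hours=9)),
        ("INC-3", "Intruder login on db server and malware dropped", 3, now - timedelta(minutes=10)),
        ("INC-4", "Employee policy violation: torrent client", 1, now - timedelta(hours=2)),
    ]
    incidents = [Incident(i, categorize(text), sev, t) for i, text, sev, t in reports]
    return assign(incidents, roster, now)


if __name__ == "__main__":
    for inc in run_demo():
        print(inc.ident, inc.category, "priority", inc.priority,
              "->", inc.assignee or "ESCALATE to IMT")
```

In the sample, the nine-hour-old DoS report overtakes two fresher severity-3 reports because of the waiting rule, and the multi-component intrusion comes back unassigned because the only competent responder is off duty, which is the signal to call the IMT.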
(2) Chain of Custody
• Evidence must follow Chain of Custody law to be admissible/acceptable in court
• Include: specially trained staff, 3rd party specialist, law enforcement, security response team

System administrator can:
• Retrieve info to confirm an incident
• Identify scope and size of affected environment (system/network)
• Determine degree of loss/alteration/damage
• Identify possible path of attack
Stage 3: Containment
• Activate Incident Response Team to contain threat
  • IT/security, public relations, mgmt, business
• Isolate the problem
  • Take infected server off network
  • Change firewall configurations to stop attacker
• Obtain & preserve evidence
(3) Containment - Response
Technical:
• Collect data
• Analyze log files
• Obtain further technical assistance
• Deploy patches & workarounds
Managerial:
• Business impacts result in mgmt intervention, notification, escalation, approval
Legal:
• Issues related to: investigation, prosecution, liability, privacy, laws & regulation, nondisclosure
Stage 4: Analysis & Eradication
• Determine how the attack occurred: who, when, how, and why?
• What is impact & threat? What damage occurred?
• Remove root cause:
  • Rebuild System
  • Talk to ISP to get more information
  • Perform vulnerability analysis
  • Improve defenses with enhanced protection techniques
• Discuss recovery with management, who must make the decisions where handling affects other areas of business
(4) Analysis
• What happened?
• Who was involved?
• What was the reason for the attack?
• Where did attack originate from?
• When did the initial attack occur?
• How did it happen?
• What vulnerability enabled the attack?
(4) Remove root cause
• If Admin or Root compromised, rebuild system
• Implement recent patches & recent antivirus
• All passwords should be changed
Stage 5: Recovery
• Restore operations to normal
• Ensure that restore is fully tested and operational
Workbook
Incident Handling Response
Incident Type: Malware detected by Antivirus software
Contact Name & Information: Computer Technology Services Desk:
www.univ.edu/CTS/help 262-252-3344(O)
Emergency Triage Procedure:
Disconnect computer from Internet/WLAN. Do not reconnect. Allow anti-virus
to fix problem, if possible. Report to IT first thing during next business day.
Escalation Conditions and Steps:
If laptop contained confidential information, investigate malware to determine
if intruder obtained entry. Determine if Breach Law applies.
Containment, Analysis & Eradication Procedure:
If confidential information was on the computer (even though encrypted),
malware may have sent sensitive data across the internet; A forensic
investigation is required.
Next, determine if virus=dangerous and user=admin:
Type A: return computer. (A=Virus not dangerous and user not admin.)
Type B: Rebuild computer. (B=Either virus was dangerous and/or user was
admin)
Password is changed for all users on the computer.
Other Notes (Prevention techniques):
Note: Antivirus should record type of malware to log system.
Stage 6: Lessons Learned
• Follow-up includes:
  • Writing an Incident Report
  • What went right or wrong in the incident response?
  • How can process improvement occur?
  • How much did the incident cost (in loss & handling & time)?
• Present report to relevant stakeholders
Planning Processes
• Risk & Business Impact Assessment
• Response & Recovery Strategy Definition
• Document IRP and DRP
• Train for response & recovery
• Update IRP & DRP
• Test response & recovery
• Audit IRP & DRP
Training
• Introductory Training: First day as IMT
• Mentoring: Buddy system with longer-term member
• Formal Training
• On-the-job training
• Training due to changes in IRP/DRP
Types of Penetration Tests
• External Testing: Tests from outside network perimeter
• Internal Testing: Tests from within network
• Blind Testing: Penetration tester knows nothing in advance and must do web research on company
• Double Blind Testing: System and security administrators also are not aware of test
• Targeted Testing: Have internal information about a target. May have access to an account.
Written permission must always be obtained first

CISA Review Manual 2009


Incident Management Metrics
• # of Reported Incidents
• # of Detected Incidents
• Average time to respond to incident
• Average time to resolve an incident
• Total number of incidents successfully resolved
• Proactive & Preventative measures taken
• Total damage from reported or detected incidents
• Total damage if incidents had not been contained in a timely manner
Challenges
• Management buy-in: Management does not allocate time/staff to develop IRP
  • Top reason for failure
• Organization goals/structure mismatch: e.g., National scope for international organization
• IMT Member Turnover
• Communication problems: Too much or too little
• Plan is too complex and wide
Question
The MAIN challenge in putting together an IRP
is likely to be:
1. Getting management and department support
2. Understanding the requirements for chain of
custody
3. Keeping the IRP up-to-date
4. Ensuring the IRP is correct
Question
The PRIMARY reason for Triage is:
1. To coordinate limited resources
2. To disinfect a compromised system
3. To determine the reasons for the incident
4. To detect an incident
Question
When a system has been compromised at the
administrator level, the MOST IMPORTANT
action is:
1. Ensure patches and anti-virus are up-to-date
2. Change admin password
3. Request law enforcement assistance to
investigate incident
4. Rebuild system
Question
The BEST method of detecting an
incident is:
1. Investigating reports of discrepancies
2. NIDS/HIDS technology
3. Regular vulnerability scans
4. Job rotation
Question
The person or group who develops
strategies for incident response includes:
1. CISO
2. CRO
3. IRT
4. IMT
Question
The FIRST thing that should be done when you
discover an intruder has hacked into your
computer system is to:
1. Disconnect the computer facilities from the
computer network to hopefully disconnect the
attacker
2. Power down the server to prevent further loss of
confidentiality and data integrity
3. Call the police
4. Follow the directions of the Incident Response
Plan
Computer Investigation and Forensics
Computer Crime Investigation
Chain of Command
Computer Forensics
Computer Crime Investigation
[Flow figure] Attack in progress → Call Police or Incident Response → Copy memory, processes, files, connections; take photos of surrounding area → Power down → Preserve original system in locked storage w. min. access → Copy disk → Analyze copied images
Evidence must be unaltered; chain of custody professionally maintained
Four considerations:
• Identify evidence
• Preserve evidence
• Analyze copy of evidence
• Present evidence
Computer Forensics
• Did a crime occur?
• If so, what occurred?

Evidence must pass tests for:
• Authenticity: Evidence is a true and faithful original of the crime scene
  • Computer Forensics does not destroy or alter the evidence
• Continuity: “Chain of custody” assures that the evidence is intact.
Chain of Custody
[Timeline figure] Who did what to evidence when? (Witness is required)
10:53 AM: Attack observed (Jan K)
11:04: Inc. Resp. team arrives (RFT)
11:05-11:44: System copied (PKB & RFT)
11:15: System brought offline (PKB & RFT)
11:45: System powered down (RFT & PKB)
11:47-1:05: Disk copied (RFT & PKB)
1:15: System locked in static-free bag in storage room (RFT & PKB)
Preparing Evidence
Work with police to AVOID:
• Contaminating the evidence
• Voiding the chain of custody
  • Evidence is not impure or tainted
  • Written documentation lists chain of custody: locations, persons in contact, time & place
• Infringing on the rights of the suspect
  • Warrant required unless…
  • Company permission given; in plain sight; communicated to third party; evidence in danger of being destroyed; or normal part of arrest; ...
Computer Forensics
The process of identifying, preserving, analyzing and presenting digital evidence for a legal proceeding
Creating a Forensic Copy
[Figure: Original → Mirror Image, with numbered steps]
1) Calculate Message Digest: before copy
2) Accuracy Feature: Tool is accepted as accurate by the scientific community
3) Forensically Sterile: Wipes existing data on the target; records sterility
4) One-way Copy: Cannot modify original
5) Bit-by-Bit Copy: Mirror image
6) Calculate Message Digest: after copy
7) Calculate Message Digest: Validate correctness of copy
Computer Forensics
Data Protection: Notify people that evidence cannot be modified
Data Acquisition: Transfer data to controlled location
• Copy volatile data
• Interview witnesses
• Write-protect devices
Imaging: Bit-for-bit copy of data
Extraction: Select data from image (logs, processes, deleted files)
Interrogation: Obtain info of parties from data (phone/IP address)
Ingestion/Normalization: Convert data to an understood format (ASCII, graphs, …)
Reporting: Complete report to withstand legal process
Legal Report
• Describe incident details accurately
• Be understandable and unambiguous
• Offer valid conclusions, opinions, or recommendations
• Fully describe how conclusion is reached
• Withstand legal scrutiny
• Be created in timely manner
• Be easily referenced
Forensics: Chain of Custody Forms
• Chain of Custody Form: Tracks where & how evidence was handled. Includes:
  • Name & contact info of custodians
  • Detailed identification of evidence (e.g., model, serial #)
  • When, why, and by whom evidence was acquired or moved
  • Where stored
  • When/if returned
• Detailed Activity Logs
• Checklists for acquiring technicians
• Signed non-disclosure forms
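The forensic-copy steps from the "Creating a Forensic Copy" slide (digest before, sterile target, one-way bit-by-bit copy, digest after, validate) together with a chain-of-custody ledger carrying the Chain of Custody Form fields listed above, as one added Python example that is not from the slides or the ISACA manuals. SHA-256 stands in for whichever message digest a given tool uses; the disk contents, file names and the RFT/PKB handover times are constructed. The last part of the demo shows what the ledger is for: once the original is altered after acquisition, the recorded digests no longer agree and the continuity check fails.

```python
"""Forensic copy with message digests plus a chain-of-custody ledger.
Added example; not from the slides or the ISACA manuals. SHA-256 stands in
for whichever message digest a given tool uses, and the disk contents,
file names and custodian initials are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime

BLOCK = 4096   # read/write unit for the block-wise copy


def digest(path):
    """Message digest of a device image, read block by block (steps 1, 6, 7)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def sterilize(path, size):
    """Forensically sterile target (step 3): overwrite every byte with zeros
    so nothing from an earlier case can bleed into this image."""
    with open(path, "wb") as f:
        remaining = size
        while remaining > 0:
            n = min(BLOCK, remaining)
            f.write(b"\x00" * n)
            remaining -= n


def bit_copy(src, dst):
    """One-way, bit-by-bit copy (steps 4 and 5): the source is opened
    read-only, so the copy process cannot modify the original."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        for chunk in iter(lambda: s.read(BLOCK), b""):
            d.write(chunk)


@dataclass
class CustodyEntry:              # the Chain of Custody Form fields on the slide
    when: datetime
    custodian: str
    action: str
    location: str
    witness: str                 # a witness is required for every handling step
    evidence_digest: str


@dataclass
class Evidence:
    item_id: str
    description: str             # e.g. model and serial number
    ledger: list = field(default_factory=list)

    def record(self, when, custodian, action, location, witness, dig):
        self.ledger.append(CustodyEntry(when, custodian, action, location, witness, dig))

    def continuity_ok(self):
        """Continuity test: a witness on every entry, times never run
        backwards, and the digest never changes after the first entry."""
        if not self.ledger:
            return False
        first = self.ledger[0].evidence_digest
        for prev, cur in zip(self.ledger, self.ledger[1:]):
            if cur.when < prev.when:
                return False
        return all(e.witness and e.evidence_digest == first for e in self.ledger)


def acquire(original, image, evidence, custodian, witness, when):
    """Steps 1-7: digest before, sterile target, one-way bit copy, digest
    after, validate that before == after == copy. Returns the three digests."""
    before = digest(original)
    evidence.record(when, custodian, "digest of original before copy", "lab bench", witness, before)
    sterilize(image, os.path.getsize(original))
    bit_copy(original, image)
    after, copy = digest(original), digest(image)
    outcome = "bit-by-bit copy validated" if before == after == copy else "COPY MISMATCH"
    evidence.record(when, custodian, outcome, "lab bench", witness, after)
    return before, after, copy


def run_demo():
    """Acquire a constructed 'disk', log the handover, then show what the
    ledger catches when the original is altered after acquisition."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "suspect-disk.img")
        image = os.path.join(d, "forensic-copy.img")
        with open(original, "wb") as f:          # constructed disk contents
            f.write(os.urandom(3 * BLOCK + 17))  # not a whole number of blocks
        ev = Evidence("E-001", "laptop HDD, model/serial constructed")
        before, after, copy = acquire(original, image, ev, "RFT", "PKB",
                                      datetime(2024, 3, 1, 11, 47))
        ev.record(datetime(2024, 3, 1, 13, 15), "PKB", "sealed in static-free bag",
                  "storage room, locked", "RFT", digest(original))
        clean = ev.continuity_ok()
        with open(original, "ab") as f:          # simulated tampering with the original
            f.write(b"!")
        ev.record(datetime(2024, 3, 1, 14, 0), "PKB", "re-verified after handling",
                  "storage room, locked", "RFT", digest(original))
        return {"copy_valid": before == after == copy, "continuity_clean": clean,
                "continuity_after_tamper": ev.continuity_ok(), "entries": len(ev.ledger)}


if __name__ == "__main__":
    print(run_demo())
```

Analysis would then proceed on the validated image only, with the original write-protected in storage; the digest recorded on each ledger entry is what lets a later reader confirm that the item presented in court is the same bytes that were acquired.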
Forensics: Case Log
Case log includes:
• Case number
• Case basic notes, requirements, procedures
• Dates when requests were received
• Dates investigations were assigned to investigators
• Date completed
• Name and contact information for investigator and requestor
Forensics: Investigation Report
• Name and contact info for investigators
• Case number
• Dates of investigation
• Details of interviews or communications
• Details of devices or data acquired (model, serial #)
• Details of software/hardware tools used (must be reputable in law)
• Details of findings, including actual data
• Signature of investigator
Question
Authenticity requires:
1. Chain of custody forms are completed
2. The original equipment is not touched during
the investigation
3. Law enforcement assists in investigating
evidence
4. The data is a true and faithful copy of the crime
scene
Question
You are developing an Incident Response Plan. An
executive order is that the network shall remain up, and
intruders are to be pursued. Your first step is to…
1. Use commands off the local disk to record what is in
memory
2. Use commands off of a memory stick to record what is in
memory
3. Find a witness and log times of events
4. Call your manager and a lawyer in that order
Question
What is NOT TRUE about forensic disk copies?
1. The first step in a copy is to calculate the message
digest
2. Extraction and analysis for presentation in court
should always occur on the original disk
3. Normalization is a forensics stage which converts
raw data to an understood format (e.g., ASCII,
graphs, …)
4. Forensic copies requires a bit-by-bit copy
Reference
Slide # | Slide Title | Source of Information
6 | Recovery Terms | CISM: page 230
8 | Incident Response Plan (IRP) | CISM: page 221, 222
9 | Stage 1: Preparation | CISM: page 221, 223
10 | (1) Detection Technologies | CISM: page 222
14 | Stage 2: Identification | CISM: page 222, 223
15 | (2) Triage | CISM: page 222
17 | Stage 3: Containment | CISM: page 223
18 | (3) Containment – Response | CISM: page 222
19 | Stage 4: Analysis & Eradication | CISM: page 223, 224
22 | Stage 5: Recovery | CISM: page 224
24 | Stage 6: Lessons Learned | CISM: page 224
25 | Planning Processes | CISM: page 228
26 | Training | CISM: page 227
27 | Type of Penetration Tests | CISA: page 378
28 | Incident Management Metrics | CISM: page 220
29 | Challenges | CISM: page 227
37 | Computer Crime Investigation | CISA: page 380
39 | Chain of Custody | CISA: page 380
43 | Computer Forensics | CISA: page 380, 381
44 | Legal Report | CISA: page 381
45 | Forensics: Chain of Custody Forms | CISA: page 375 and CISM: page 239
46 | Forensics: Case Log | CISM: page 239
47 | Forensics: Investigation Report | CISM: page 239
