Title: What Would Sun Tzu Do: The Lessons We Can Apply in Cyberspace
What Would Sun Tzu Do: The Lessons We Can Apply in Cyberspace
IS-3523 Review
10 Propositions on Network Defense
- Networks are critical business support systems...if not the sole reason for the business
- Networks exist to operate
- Security should ensure you operate
- All good systems have fail safes
- Vulnerability alerts are not only a Sys Admin issue
- The threat to our network is real
- There is no distant end on a network
- There is no distant end in network defense
- You are only as good as your weakest link
- You do not want to be the weakest link
- Incident Response exposes your weak links
Dangers in Cyberspace
- Early Virus/Worms
  - Melissa (Mar/Apr 99)
  - Loveletter (May 00)
  - Kournikova (12-13 Feb 01)
- Present Day Virus/Worms
  - Code Red Worm (Jul 2001...)
  - Sircam Worm (July 2001)
  - Nimda Worm (Sept 2001...)
  - Goner Worm (Dec 01)
  - Bugbear (Sep 02)
  - Sobig (Jan 03)
  - Slammer Worm (Jan 03)
Economic Impacts
- Melissa: $1.2B
- Love Letter: $8.7B, most of the Fortune 500 companies affected
- Kournikova
- Sircam: $1B
- Code Red: $2.6B estimated for Jul/Aug 01 alone
- Nimda: network saturation in 6 hours
The Worst Can Happen
"Don't look at the past and assume that's the future. Look at the enemy's strengths and your vulnerability. You've got to realize that the worst case does sometimes happen."
- Richard Clarke, Special Advisor for Cybersecurity
The Cost Is High
$15 billion: cost of eSecurity breaches to U.S. businesses in one year (Source: Datamonitor)
Scope of the Problem
- 85% of respondents detected computer security breaches in the last 12 months
- 64% acknowledged financial losses
- Hackers systematically stole customer data for more than a year, including a million credit card numbers
- Sources: 2001 Computer Security Institute survey of 538 organizations; SANS Institute
Scope of the Problem, cont.
- Average bank holdup: $14,000
- Average computer theft: $2 million (Association of Certified Fraud Examiners)
- NIMDA virus compromised over 86,000 internet hosts (Source: SANS Institute)
- Code Red: 359,000 servers in less than 14 hours (Source: CAIDA)
Incident Response Overview
- Goals
- Methodology
- Preparation
- Detection
- Initial Response
- Strategy Formulation
- Investigation
- Monitoring
- Recovery
- Reporting
What is an Incident?
- Incident: an event in an information system/network
- Time based security
  - Protection time > Detection time + Reaction time
- Some say it's all about vulnerability management
Goals of Incident Response
- Confirm or dispel incident
- Promote accurate info accumulation
- Establish controls for evidence
- Protect privacy rights
- Minimize disruption to operations
- Allow for legal/civil recriminations
- Provide accurate reports/recommendations
Incident Response Methodology
- Pre-incident preparation
- Detection
- Initial Response
- Strategy formulation
- Duplication
- Investigation
- Security measure implementation
- Network monitoring
- Recovery
- Reporting
- Follow-up
7 Components of Incident Response
- Pre-Incident Preparation
- Detection of Incidents
- Initial Response
- Formulate Response Strategy
- Investigate the Incident (Data Collection, Data Analysis)
- Reporting
- Resolution (Recovery, Implement Security Measures)
(Page 15, Fig 2-1, Mandia 2nd Edition)
Incident Response Process Flow (Ref: Incident Response by Mandia and Prosise, Page 18, Fig 2-1)
- Pre-Incident Preparation
- Detection of Incidents: Incident Response Team formed, Notification Checklist completed
- Initial Response: is it really an incident? If no, stop; if yes, continue
- Formulate Response Strategy: pursue and accumulate evidence and/or secure the system (both paths can be pursued simultaneously)
  - Accumulate Evidence: forensic duplication? If yes, perform Forensic Duplication; then Investigation
  - Secure System: Implement Security Measures, Perform Network Monitoring, Isolate and Contain
- Reporting
- Follow-Up
Detection
- Inputs: Firewall logs, IDS logs, suspicious user, Sys Admin
- Outputs: Response Team activated, Notification Checklist completed
Initial Critical Details
- Current time and date
- Who/what is reporting the incident
- Nature of the incident
- When the incident occurred
- Hardware/software involved
- Point of contact for involved personnel
Initial Response
- Input: details from the notification checklist
- Outputs: verified information about the incident, prepared response team
- How much info is enough? The answer separates success from failure
Response Strategy Formulation
- Inputs: verified information about the incident, response posture
- Formulate Response Strategy
- Output: management-approved action plan
- Goal: determine the most appropriate response strategy
Factors for Strategy
- How critical are the impacted systems?
- Data sensitivity
- Who are the perpetrators?
- Does the incident have publicity?
- Level of access of the hacker
- Apparent skill of the attacker
- How much downtime can be tolerated?
- Overall dollar loss involved
Common Incidents
- Denial of Service Attack
- Unauthorized Use
- Vandalism
- Information Theft
- Computer Intrusion
Management Support factors: network downtime, user downtime, legal liability, publicity, theft of intellectual property
Investigation Stage
- Inputs: live system, network logs, forensic duplicate
- Investigation
- Output: investigative report
Security Measure Implementation Stage
- Inputs: verified info, response posture, network logs
- Implementing security remedies: monitor, isolate and contain
- Prevent the same exposure!
- Fishbowling the attacker
Recovery/Reporting Process
- Recovery: backups, hardening, user education, COOP
- Conclusions
- Report: support criminal actions, lessons learned, prevent repeats
- Successful containment
What Will You Do?
- We need an Initial Response that
  - Supports the goals of computer security
  - Supports the business practices
  - Supports administrative and legal policy
  - Is forensically sound
  - Is simple and efficient (KISS)
  - Provides an accurate snapshot for decision makers
  - Supports civil, administrative, or criminal action
Common Mistakes
- Failure to document findings appropriately
- Failure to notify or provide accurate information to decision makers
- Failure to record and control access to digital evidence
- Waiting too long before reporting
- Underestimating the scope of evidence that may be found
Common Mistakes, cont.
- Technical Blunders
- Altering Time/Date Stamps on Evidence Systems
- Killing Rogue Processes
- Patching the System
- Not Recording the Steps Taken on the System
- Not Acting Passively
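The evidence controls the last three slides call for (forensic duplication, recording and controlling access to digital evidence, recording every step taken) can be reduced to a small routine: hash the source, copy it, hash the copy, and append a custody record. This is an added example, not code from the presentation or from Mandia and Prosise; the case id, handler name and evidence file are constructed placeholders.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:               # chunked so large images need not fit in memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def duplicate_and_log(evidence: Path, dest_dir: Path, handler: str, case_id: str) -> dict:
    """Copy evidence into dest_dir, hash source and copy, and append a custody record."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    copy = dest_dir / evidence.name
    shutil.copy2(evidence, copy)             # copy2 preserves the original's timestamps
    record = {
        "case_id": case_id,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": "forensic_duplicate",
        "source": str(evidence),
        "duplicate": str(copy),
        "sha256_source": sha256_of(evidence),
        "sha256_duplicate": sha256_of(copy),
    }
    record["verified"] = record["sha256_source"] == record["sha256_duplicate"]
    with (dest_dir / "custody_log.jsonl").open("a") as log:
        log.write(json.dumps(record) + "\n")  # append-only: earlier entries are never rewritten
    return record

def verify_duplicate(record: dict) -> bool:
    """Re-hash the duplicate and compare with the hash recorded at acquisition."""
    return sha256_of(Path(record["duplicate"])) == record["sha256_duplicate"]

def demo() -> dict:
    """Run the workflow on a constructed evidence file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "suspect_disk.img"      # constructed sample, not a real image
        evidence.write_bytes(b"MBR\x00" * 4096 + b"constructed evidence payload")
        rec = duplicate_and_log(evidence, Path(tmp) / "case", "analyst-1", "CASE-0001")
        before = verify_duplicate(rec)
        Path(rec["duplicate"]).write_bytes(b"tampered")  # simulate a later alteration
        after = verify_duplicate(rec)
        entries = (Path(tmp) / "case" / "custody_log.jsonl").read_text().count("\n")
        return {"verified_at_copy": rec["verified"], "verified_later": before,
                "verified_after_tamper": after, "log_entries": entries}
```

Any later change to the duplicate (the "altering time/date stamps" and "patching the system" blunders above) shows up as a hash mismatch against the record written at acquisition.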
Brave New Battles
Each new technology will bring with it new forms
of crime, demanding innovative security. That is
the dynamic which drives our modern progress not
dreams, not ideas, but the simple desire on the
part of criminals to take what is not theirs by
law, and the determination of others to keep them
from doing so.
This Alien Shore, C. S. Friedman, © 1998
Summary
- You have to plan for the worst case
- You must pick a diverse team
- You must practice your plan
- You must expect to fail early