Title: KULIAH 12 INCIDENT RESPONSE (dirangkum dari buku Incident Response: A strategic Guide to Handling System and Network Security)
1KULIAH 12INCIDENT RESPONSE(dirangkum dari buku
Incident Response A strategic Guide to Handling
System and Network Security)
Aswin Suharsono
KOM 15008 Keamanan Jaringan 2012/2013
2Definisi
- Incident event (kejadian) yang mengancam
keamanan sistem komputer dan jaringan. - Event adalah semua hal yang bisa diobservasi
(diukur) - Contoh event connect ke sistem lain dalam
jaringan, mengakses file, mengirim paket, sistem
shutdown, dsb. - Event yang mengancam antara lain, system crashes,
packet flood, penggunaan akun oleh orang yang
tidak berhak, web deface, bencana alam, dan
hal-hal lain yang membahayakan kinerja sistem
3Incident Types
- CIA related incidents
- Confidentiality Upaya masuk ke dalam sistem
rahasia militer - Integrity
- Availability
- Other Types
- Reconnaissance Attacks
- Repudiation
- Someone takes action and denies it later on.
4Kenapa perlu incident response?
- Bagi Organisasi
- Respon yang sistematis terhadap insiden
- Recover quickly
- Mencegah insiden serupa di masa depan
- Menyiapkan langkah-langkah yang berkaitan dengan
hukum
5Incident Response Scope
- Technical
- Incident detection and investigation tools and
procedures - Management-related
- Policy
- Formation of incident response capability
- In-house vs. out-sourced
6Incident Handling
Preparation
Detection and Analysis
Post-incident activity
Containment, Eradication and Recovery
7PDCERF incident response method
8Preparation
9Incident Handling Preparation
- Incident Handler Communications and Facilities
- Contact information On-call information for other
teams within the organization, including
escalation information Incident reporting
mechanisms - Pagers or cell phones to be carried by team
members for off-hour support, onsite
communications - Encryption software
- War room for central communication and
coordination - Secure storage facility for securing evidence and
other sensitive materials
10Incident Handling Preparation
- Incident Analysis Hardware and Software
- Computer forensic workstations and/or backup
devices to create disk images, preserve log
files, and save other relevant incident data - Blank portable media
- Easily portable printer
- Packet sniffers and protocol analyzers
- Computer forensic software
- Floppies and CDs with trusted versions of
programs to be used to gather evidence from
systems - Evidence gathering accessories
- hard-bound notebooks
- digital cameras
- audio recorders
- chain of custody forms
- evidence storage bags and tags
- evidence tape
11Incident Handling Preparation
- Incident Analysis Resources
- Port lists, including commonly used ports and
Trojan horse ports - Documentation for OSs, applications, protocols,
and intrusion detection and antivirus signatures - Network diagrams and lists of critical assets,
such as Web, e-mail, and File Transfer Protocol
(FTP) servers - Baselines of expected network, system and
application activity - Cryptographic hashes of critical files to speed
the analysis, verification, and eradication of
incidents
12Incident Handling Preparation
- Incident Mitigation Software
- Media, including OS boot disks and CD-ROMs, OS
media, and application media - Security patches from OS and application vendors
- Backup images of OS, applications, and data
stored on secondary media
13Incident Handling Detection and Analysis
- Incident Categories
- Denial of Service
- Malicious code
- Unauthorized access
- Inappropriate usage
- Multiple component incidents
14Incident Handling Detection and Analysis
- Signs of an incident
- Intrusion detection systems
- Antivirus software
- Log analyzers
- File integrity checking
- Third-party monitoring of critical services
- Incident indications vs. precursors
- Precursor is a sign that an incident may occur in
the future - E.g. scanning
- Indication is a sign that an incident is
occurring or has occurred
15Incident Handling Detection and Analysis
- Incident documentation
- If incident is suspected, start recording facts
- Incident Prioritization based on
- Current and potential technical effects
- Criticality of affected resources
- Incident notification
- CIO
- Head of information system
- Local information security officer
- Other incident teams
- Other agency departments such as HR, public
affairs, legal department
16Incident Handling Containment, Eradication,
Recovery
- Containment strategies
- Vary based on type of incident
- Criteria for choosing strategy include
- Potential damage / theft of resources
- Need for evidence information
- Service availability
- Resource consumption of strategy
- Effectiveness of strategy
- Duration of solution
17Incident Handling Containment, Eradication,
Recovery
- Evidence gathering
- For incident analysis
- For legal proceedings
- Chain of custody
- Authentication of evidence
18Incident Handling Containment, Eradication,
Recovery
- Attacker identification
- Validation of attacker IP address
- Scanning attackers system
- Research attacker through search engines
- Using Incident Databases
- Monitoring possible attacker communication
channels
19Incident Handling Containment, Eradication,
Recovery
- Eradication
- Deleting malicious code
- Disabling breached user accounts
- Recovery
- Restoration of system(s) to normal operations
- Restoring from clean backups
- Rebuilding systems from scratch
- Replacing compromised files
- Installing patches
- Changing passwords
- Tighten perimeter security
- Strengthen logging
20Incident Handling Post-Incident Activity
- Evidence Retention
- Prosecution of attacker
- Data retention policies
- Cost
21Thats All