Incident Handling - PowerPoint PPT Presentation

Slides: 32
Provided by: timshi
Transcript and Presenter's Notes


1
Recognizing Attacks
2
Recognition Stances
3
Leading Questions
  • Is it a real break-in?
  • Was any damage really done?
  • Is protecting evidence important?
  • Is restoring normal operation quickly important?
  • Willing to chance modification of files?
  • Is no publicity important?
  • Can it happen again?

4
Document Actions
  • Start notebook
  • Collect printouts and backup media
  • Use scripts
  • Get legal assistance for evidence-gathering
  • PLAN AHEAD

5
Finding the Intruder
  • Finding changes
  • Receiving message from other system administrator
    / net defender
  • Strange activities
  • User reports

6
Steps in Handling
  • 1. Identify/understand the problem
  • 2. Contain/stop the damage
  • 3. Confirm diagnosis and determine damage
  • 4. Restore system
  • 5. Deal with the cause
  • 6. Perform related recovery

7
Dealing with Intruder
  • Ignore intruder
    • Dangerous
    • Contrary to policy/law?
  • Communicate with intruder
    • Dangerous
    • Low return
  • Trace/identify intruder
    • Watch for traps / assumptions
    • Network and host options
    • Phone logs
  • Break intruder's connection
    • Physically
    • Logically (logout, kill processes, lock account)

8
Asking for Help
  • CERT, FIRST, Law enforcement, etc.
  • Don't use infected system
  • Avoid using email from connected systems

9
Finding Damage
  • What have affected accounts done lately?
  • Missing log files?
  • What has root done?
  • What reboots have occurred?
  • Unexplained error messages?
  • Connections from/to unfamiliar sites?
  • New hidden directories?
  • Integrity checkers
  • Changed binaries?
  • Changed configuration files?
  • Changed library files?
  • Changed boot files?
  • Changed user files?

10
Dealing with Damage
  • Delete unauthorized account(s)
  • Restore authorized access to affected account(s)
  • Restore file / device protections
  • Remove setuid/setgid programs
  • Remove unauthorized mail aliases
  • Remove added files / directories
  • Force new passwords
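The "integrity checkers" items on slide 9 (changed binaries, configuration, library and boot files; new hidden directories) and the setuid/setgid item on slide 10 can be covered by one small baseline-and-compare checker. The following is an added example written for this page, not code from the presentation; `snapshot`, `compare` and `demo` are hypothetical names, and the directory tree it scans is constructed in a temporary directory rather than taken from a real system.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

SUID_BITS = stat.S_ISUID | stat.S_ISGID

def snapshot(root):
    """Record (sha256, mode) for every regular file and the set of directories under root."""
    files, dirs = {}, set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            dirs.add(os.path.relpath(os.path.join(dirpath, name), root))
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope for this small example
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            files[os.path.relpath(full, root)] = (digest, st.st_mode)
    return {"files": files, "dirs": dirs}

def compare(baseline, current):
    """Changed/added/removed files, new hidden directories, newly setuid/setgid files."""
    b, c = baseline["files"], current["files"]
    return {
        "changed": sorted(p for p in b.keys() & c.keys() if b[p] != c[p]),
        "added": sorted(c.keys() - b.keys()),
        "removed": sorted(b.keys() - c.keys()),
        "new_hidden_dirs": sorted(d for d in current["dirs"] - baseline["dirs"]
                                  if os.path.basename(d).startswith(".")),
        "new_setuid": sorted(p for p, (_, mode) in c.items()
                             if mode & SUID_BITS and not (p in b and b[p][1] & SUID_BITS)),
    }

def demo():
    """Constructed tree (not a real system): take a baseline, simulate damage, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        Path(root, "bin", "ls").write_bytes(b"original ls binary")
        baseline = snapshot(root)
        # Simulated damage: replaced binary, new hidden directory, dropped setuid program
        Path(root, "bin", "ls").write_bytes(b"replaced ls binary")
        Path(root, "tmp", ".hidden").mkdir(parents=True)
        dropped = Path(root, "tmp", ".hidden", "sh")
        dropped.write_bytes(b"dropped program")
        os.chmod(dropped, 0o755 | stat.S_ISUID)
        return compare(baseline, snapshot(root))
```

The baseline must be taken from a known-good state and stored off the host (slide 4's printouts and backup media), since an intruder who can alter binaries can alter a baseline kept beside them.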

11
Resume Service
  • Patch and repair damage, enable further
    monitoring, resume
  • Quick scan and cleanup, resume
  • Call in law enforcement -- delay resumption
  • Do nothing -- use corrupted system

12
Dealing with Consequences
  • Was sensitive information disclosed?
  • Who do you need to notify formally?
  • Who do you need to notify informally?
  • What disciplinary action is needed?

13
Moving Forward
  • What vendor contacts do we need to make?
  • What other system administrators should be
    notified?
  • What updated employee training is needed?

14
Netwar
  • Individual: affect key decision-maker
    • Ems telegram
    • Gulf war marines
  • Corporate: affect environment of decision
    • Zapatista peso collapse
    • Vietnam protests
    • Intifada / Cyber-Intifada?
  • Strategic: combination of all previous

15
Example Zapatista Cyberstrike
  • Mid-1990s rebellion in Mexico
  • Military situation strongly favored Mexican Army
  • Agents of influence circulated rumors of Peso
    instability
  • Peso crash forced government to negotiating table
  • Compounded by intrusions into Mexican logistics

16
Building Understanding
  • Intrusions/Responses
  • Threats/Counters
  • Vulnerabilities/Fixes
17
Analysis Process
  • Incident information flow
  • Identify profiles and categories
  • Isolate variables
  • Identify data sources
  • Establish relevancy
  • Identify gaps
18
Limits of Analysis
  • Inherently partial data
  • Baseline in dynamic environment
  • Correlation vs. Causation
  • Implications
  • Need to be cautious in kinds of conclusions
  • Consider strategies for dealing with trends gone
    wrong

19
Physical and Cyber Attacks
  • Country in which there are precipitous cliffs
    with torrents running between, deep natural
    hollows, confined places, tangled thickets,
    quagmires and crevasses, should be left with all
    possible speed and not approached.
  • Sun Tzu

20
Underlying Principles
  • Separation of physical and cyber security no
    longer possible
  • Physical events can have cyber consequences
  • Cyber events can have physical consequences
  • Understanding the cyber environment is now an
    essential element of developing and maintaining
    situational control
  • The nature of cyberspace means that the old
    fortress mentality is no longer viable

21
Security Policies
  • Does the organization have physical and cyber
    security policies?
  • Have they been reviewed with respect to each
    other?
  • Are the parties responsible for these policies in
    contact?
  • What are the enforcement methods?

22
Specific Policy Areas of Concern
  • Hiring and firing
  • Outsourcing contracts
  • Visitors
  • Customers/sponsors
  • Special events

23
Facility Controls
  • Are the physical security plans for the facility
    documented and tested?
  • To what degree is the physical security dependent
    on computers and information networks?
  • Policies and procedures for visitors?
  • Do new or renovated facilities have computer
    controlled elevators, escalators, security
    systems, or fire doors?
  • Are these systems isolated or are they connected
    via the Internet to an external security provider?

24
Physical Protection of Information Resources
  • How is physical access to remote nodes
    controlled?
  • What precautions are taken to minimize access to
    servers, cabling, routers, etc.?
  • What access controls are in place?
  • How are the access controls updated and managed?
  • How are system components physically safeguarded?
  • Are audit and monitoring records routinely
    examined for anomalies and necessary corrective
    actions? By whom?

25
Network Security
  • What does the network look like?
  • What is the connectivity between networks?
  • Can the network be accessed from the outside?
  • What encryption protocols (if any) are in use on
    the network?

26
Network Concerns
  • Is redundancy built into the network?
  • Are all necessary security patches in place?
  • How often are security patch requirements
    reviewed?
  • Are there external nodes on the network, and if
    so, are any of them wireless?
  • Is the network administered on-site or at a
    remote facility?

27
Information Protection of Physical Resources
  • What information regarding the facility is
    available on the network?
  • Is there information about guests, employees,
    critical functions available? (scheduling,
    credentialing, etc.)
  • What access controls are in place for this
    information? (technology, procedure)
  • Is sensitive or critical information protected by
    secure, offsite storage and backups?
  • Is the integrity of installed software and data
    verified regularly? How?
  • Are all changes to IT hardware and software
    planned, controlled, and documented?
  • Is unique user identification required for all
    information system users, including third-party
    users?

28
Example Impacts
  • Interruption of emergency services
    • 911 service off line
    • Disruption of hospital networks
    • Potential loss of life
  • Interruption of power grid
    • Disruption of services dependent on power
      • Hospitals
      • Hazardous material facilities
      • Secure facilities
    • Traffic control in chaos
    • Potential financial loss enormous

29
Cascade Impacts
  • Interruption of telecommunications
    • Impact on all levels of communications
    • Severe impact on financial services
    • Loss of communications with public impacts
      confidence in government
    • Potentially serious impact on military logistics
      (over 90 percent of all logistics over private
      infrastructure)
  • Interruption of transportation
    • Disruption of commerce
    • Foodstuffs and fuel deliveries interrupted
    • Potential hazardous material compromises
    • Direct impact on population

30
Summary
  • Incidents are not proof of bad administration
  • Lots of effort involved in handling incidents
  • Need proactive, strategic planning to reduce
    costs, improve handling

31
Closing Quote
  • If you know the enemy and know yourself, you need
    not fear the result of a hundred battles. If you
    know yourself but not the enemy, for every
    victory gained you will also suffer a defeat. If
    you know neither the enemy nor yourself, you will
    succumb in every battle.
  • Sun Tzu