Incident Response

Roberto Martínez, Owner – Consultant, ITlligent Security. Certified EC-Council Instructor Latam. CEH, ECSA, ENSA, CHFI, EDRP, ECVP, PMIT, ECSP, MCT, MCSE, MCAD, MCTS, MCSA, Security+

Upload: kaspersky-lab

Post on 14-Apr-2017


TRANSCRIPT

Page 1: Incident Response


Page 2: Incident Response

Agenda

• Security Incidents

• Cyber Threats

• Incident response

• Digital Evidence

• How to prevent an Incident

Page 3: Incident Response

Incident

Computer security incident is defined as

“Any real or suspected adverse event in relation to the security of computer systems or computer networks.”

Page 4: Incident Response

Incidents include:

• Violation of an explicit or implied security policy

• Attempts to gain unauthorized access

• Unwanted denial of resources

• Unauthorized use of electronic resources

Page 5: Incident Response

Incident Categories

Page 6: Incident Response

High Impact Incidents

Page 7: Incident Response

The intrusion process

Page 8: Incident Response

Cyber Threats in 2010

Malware

Botnets

Threats to VoIP and mobile convergence

Cyber warfare

Data thefts

Page 9: Incident Response

The Cybercrime-as-a-Service (CaaS) market model.

Trusteer's September 2009 report “Measuring the in-the-wild effectiveness of Antivirus against Zeus” found that “the effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% - it’s just 23%,” meaning that cybercriminals have become adept at bypassing signature-based malware scanners.

Page 10: Incident Response

Incident Response

A well-defined set of procedures that address the post-incident scenario.

An Incident Response Plan includes:

• Immediate action

• Investigation

• Restoration of resources

• Reporting the incident to proper channels.

Page 11: Incident Response

Incident Handling

Incident handling identifies trends and patterns in intruder activity by analyzing reported incidents.

• It involves three basic functions:

– Incident reporting

– Incident analysis

– Incident response

Page 12: Incident Response

Security Incident Response Form

Page 13: Incident Response

Digital Evidence

• Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form.”

Digital evidence is found in files such as:

– Graphic files

– Audio and video recordings and files

– Web browser history

– Server logs

– Word processing and spreadsheet files

– E-mails

– Log files

Page 14: Incident Response

Challenging Aspects of Digital Evidence

• Digital evidence is fragile in nature.

• During the investigation of the crime scene, if the computer is turned off, data held only in memory (unsaved work, running processes, open network connections) is lost permanently.

• During the investigation, digital evidence can be altered, maliciously or unintentionally, without leaving any clear signs of alteration.

• Digital evidence is circumstantial, which makes it difficult for the forensic investigator to distinguish user actions from the system's own activity.

• After the incident, if a user writes data to the system, it may overwrite evidence at the crime scene.
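The fragility described above is why evidence is hashed at collection time and re-verified before analysis. The following Python routine is an added example, not code from this deck: it builds a chain-of-custody manifest with SHA-256 digests of each collected item and later reports items that were modified or went missing. The case ID, collector name and file contents are constructed for illustration.

```python
"""Record SHA-256 digests of collected evidence in a manifest and re-verify them
later so that any alteration, malicious or accidental, is detectable.
Added example, not from the original deck; names and contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large disk images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Hash every item once at collection; this is the chain-of-custody baseline."""
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": {
            os.path.basename(p): {"sha256": sha256_file(p), "size": os.path.getsize(p)}
            for p in paths
        },
    }


def verify_manifest(manifest, directory):
    """Return {name: 'missing' | 'modified'} for items that no longer match the manifest."""
    problems = {}
    for name, rec in manifest["items"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            problems[name] = "missing"
        elif os.path.getsize(path) != rec["size"] or sha256_file(path) != rec["sha256"]:
            problems[name] = "modified"
    return problems


def demo():
    """Collect two constructed evidence files, then simulate post-incident writes."""
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")
        history = os.path.join(d, "history.txt")
        with open(auth_log, "wb") as f:   # constructed sample content
            f.write(b"Mar 12 10:01:05 host sshd[811]: Accepted password for admin from 203.0.113.7\n")
        with open(history, "wb") as f:
            f.write(b"cat /etc/shadow\n")
        # Hypothetical case identifier and collector name.
        manifest = build_manifest([auth_log, history], collector="analyst1", case_id="CASE-0001")
        clean = verify_manifest(manifest, d)       # baseline: nothing has changed yet
        with open(history, "ab") as f:             # a user writes to the "crime scene"
            f.write(b"history -c\n")
        os.remove(auth_log)                        # and a log is lost
        tampered = verify_manifest(manifest, d)
        return clean, tampered, json.dumps(manifest, indent=2)


if __name__ == "__main__":
    clean, tampered, manifest_json = demo()
    print(manifest_json)
    print("baseline:", clean)
    print("after writes:", tampered)
```

The manifest must be stored outside the evidence set (and ideally signed), since a hash is only as trustworthy as the record it is compared against. Hashing does not replace a write blocker: it detects changes made after collection, it cannot prevent them.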

Page 15: Incident Response

Forensic Policy

• Forensic policy is a set of procedures describing the actions to be taken when an incident is observed.

• It defines the roles and responsibilities of all people performing or assisting the forensic activities.

• It should include all internal and external parties that may be involved.

• It explains what actions should and should not be performed under normal and special conditions.

Page 16: Incident Response

Forensic Analysis Guidelines

Organizations should:

• Have a capability to perform computer and network forensics

• Determine which parties should handle each aspect of forensics

• Create and maintain guidelines and procedures for performing forensic tasks

• Perform forensics using a consistent process

• Be proactive in collecting useful data

• Adhere to standard operating procedures as specified by local laws and standards bodies such as the IOCE (International Organization on Computer Evidence) and SWGDE (Scientific Working Group on Digital Evidence) while collecting evidence

Page 17: Incident Response

How to prevent an incident

A key to preventing security incidents is to eliminate as many vulnerabilities as possible:

• Scanning the network

• Auditing the network

• Deploying Intrusion Detection / Prevention systems

• Establishing Defense in Depth

Page 18: Incident Response

Normalization

• The security monitoring environment is multi-vendor

• Events from different devices and vendors have different formats

• Similar events from multiple vendors must be normalized so they can be compared “apples-to-apples”

Page 19: Incident Response

Event Correlation

[Diagram: firewall logs and NIDS logs correlated into a single log/alert]

Page 20: Incident Response

Log Consolidation

A defense in depth strategy utilizes multiple devices:

• Firewalls, NIPS, HIPS, AV, AAA, VPN, application events, OS logs

• Similar events from multiple vendors need to be consolidated and normalized

• Universal syslog support

Page 21: Incident Response

Threat Correlation – Post Incident Analysis (IV)

Post-incident analysis adjusts incident severity based on context:

• Did the attack reach its destination?

• Is the victim vulnerable?

• How important is the victim system?

• Did further events indicate a possible compromise?

Analysis can be static or dynamic
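The normalization, event correlation, log consolidation and post-incident analysis slides above describe one pipeline. The following Python script is an added example, not code from the deck or from any of the tools listed later: it parses constructed firewall and NIDS lines (simplified iptables LOG and Snort fast-alert formats, not vendor-exact), maps them onto one common schema, matches each alert to the firewall decision for the same flow, and then answers the four context questions against a hypothetical asset inventory to produce an adjusted severity. The log lines, asset table and scoring weights are all assumptions made for illustration.

```python
"""Normalize firewall and NIDS events into one schema, correlate them by flow,
and adjust severity with asset context (reached? vulnerable? important? follow-up?).
Added example, not from the original deck; all log lines, the asset table and
the scoring weights are constructed, and the log formats are simplified."""
import re
from datetime import datetime, timedelta

# Constructed sample records. Firewall lines mimic an iptables LOG target;
# NIDS lines mimic Snort's "fast" alert format. Neither is vendor-exact.
FIREWALL_LOGS = [
    "Mar 12 10:01:05 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=44122 DPT=445",
    "Mar 12 10:01:07 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.9 PROTO=TCP SPT=44123 DPT=445",
    "Mar 12 10:03:30 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=80",
]
NIDS_LOGS = [
    "03/12-10:01:05.120000 [**] [1:2000001:3] SMB remote code execution attempt [**] [Priority: 1] {TCP} 203.0.113.7:44122 -> 10.0.0.5:445",
    "03/12-10:01:07.300000 [**] [1:2000001:3] SMB remote code execution attempt [**] [Priority: 1] {TCP} 203.0.113.7:44123 -> 10.0.0.9:445",
    "03/12-10:03:30.400000 [**] [1:2010000:2] WEB PHP code injection attempt [**] [Priority: 2] {TCP} 198.51.100.4:51000 -> 10.0.0.20:80",
    "03/12-10:03:31.000000 [**] [1:2100498:7] ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 10.0.0.20:80 -> 198.51.100.4:51000",
]
# Hypothetical asset inventory: signature IDs each host is known to be
# vulnerable to, and how important the host is (1 = low, 3 = high).
ASSETS = {
    "10.0.0.5": {"criticality": 3, "vulnerable_to": {"2000001"}},   # unpatched file server
    "10.0.0.9": {"criticality": 1, "vulnerable_to": set()},
    "10.0.0.20": {"criticality": 2, "vulnerable_to": set()},
}
LOG_YEAR = 2010                   # syslog and Snort fast alerts omit the year
WINDOW = timedelta(seconds=5)     # correlation window between sensors

FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>ACCEPT|DROP) "
                   r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
                   r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")
NIDS_RE = re.compile(r"^(?P<ts>\d\d/\d\d-[\d:.]+) \[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) "
                     r"\[\*\*\] \[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} "
                     r"(?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)")


def normalize(line):
    """Map a raw vendor line onto one common event schema; None if it does not parse."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        return {"ts": ts, "sensor": "firewall", "src": m["src"], "dst": m["dst"],
                "dpt": int(m["dpt"]), "proto": m["proto"], "action": m["action"],
                "sid": None, "msg": None, "prio": None}
    m = NIDS_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=LOG_YEAR)
        return {"ts": ts, "sensor": "nids", "src": m["src"], "dst": m["dst"],
                "dpt": int(m["dpt"]), "proto": m["proto"], "action": None,
                "sid": m["sid"], "msg": m["msg"], "prio": int(m["prio"])}
    return None


def flow_key(ev):
    return (ev["src"], ev["dst"], ev["proto"], ev["dpt"])


def correlate(events):
    """Score every NIDS alert aimed at an inventoried asset using firewall and asset context."""
    fw = [e for e in events if e["sensor"] == "firewall"]
    ids = [e for e in events if e["sensor"] == "nids"]
    findings = []
    for alert in ids:
        asset = ASSETS.get(alert["dst"])
        if asset is None:
            continue  # outbound or unknown target: only used as follow-up evidence below
        # Did the attack reach its destination? Find the firewall decision for the same flow.
        match = next((f for f in fw if flow_key(f) == flow_key(alert)
                      and abs(f["ts"] - alert["ts"]) <= WINDOW), None)
        reached = match is not None and match["action"] == "ACCEPT"
        vulnerable = alert["sid"] in asset["vulnerable_to"]
        # Further events: the victim itself later triggers an alert back toward the attacker.
        followup = any(e["src"] == alert["dst"] and e["dst"] == alert["src"]
                       and alert["ts"] < e["ts"] <= alert["ts"] + WINDOW for e in ids)
        base = {1: 5, 2: 3, 3: 1}.get(alert["prio"], 1)   # assumed weights
        if not reached:
            severity, verdict = 1, "blocked"
        else:
            severity = base + (3 if vulnerable else 0) + asset["criticality"] + (4 if followup else 0)
            verdict = ("likely compromise" if followup
                       else "vulnerable target" if vulnerable else "reached target")
        findings.append({"dst": alert["dst"], "sid": alert["sid"], "reached": reached,
                         "vulnerable": vulnerable, "followup": followup,
                         "severity": severity, "verdict": verdict})
    return findings


def run(fw_lines=FIREWALL_LOGS, nids_lines=NIDS_LOGS):
    events = [e for e in map(normalize, fw_lines + nids_lines) if e]
    return correlate(sorted(events, key=lambda e: e["ts"]))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run as a script it prints three findings: the SMB exploit that the firewall allowed through to an unpatched, high-value host scores highest; the identical attempt against the host the firewall dropped is downgraded to "blocked" even though the NIDS priority is the same; and the lower-priority web attack is escalated to "likely compromise" because the victim answered with an attack-response signature. The same skeleton generalizes to any sensor that can be reduced to the common schema; only the two regular expressions are vendor-specific.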

Page 22: Incident Response

Demo

Page 23: Incident Response

Resources

Certifications

EC Council Certified Incident Handler

• http://www.eccouncil.org/certification/ec-council_certified_incident_handler.aspx

Computer Hacking Forensic Investigator

• http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx

Concepti

• http://www.concepti.com

Tools

XPLICO - Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT)

• http://www.xplico.org/

Netwitness - Threat management solutions, monitoring and real-time network forensics.

• http://www.netwitness.com/

OSSIM - Open Source Security Information Management

• http://www.alienvault.com/community.php?section=Home

Web Sites

FIRST is the global Forum for Incident Response and Security Teams

• http://www.first.org/

Page 24: Incident Response

Questions

?

Page 25: Incident Response

Thank you!

Roberto Martínez, ITlligent Security

Email: [email protected]

MSN: [email protected]

Skype: skp_roberto.martinez

@r0bertmart1nez