Incident Response
Roberto Martínez, Owner – Consultant, ITlligent Security. Certified EC-Council Instructor, Latam. CEH, ECSA, ENSA, CHFI, EDRP, ECVP, PMIT, ECSP, MCT, MCSE, MCAD, MCTS, MCSA, Security+
Agenda
• Security Incidents
• Cyber Threats
• Incident response
• Digital Evidence
• How to prevent an Incident
Incident
A computer security incident is defined as:
“Any real or suspected adverse event in relation to the security of computer systems or computer networks.”
Incidents include:
• Violation of an explicit or implied security policy
• Attempts to gain unauthorized access
• Unwanted denial of resources
• Unauthorized use of electronic resources
Incident Categories
High Impact Incidents
The intrusion process
Cyber Threats in 2010
• Malware
• Botnets
• Threats to VoIP and mobile convergence
• Cyber warfare
• Data theft
• The Cybercrime-as-a-Service (CaaS) market model
The September 2009 Trusteer report “Measuring the in-the-wild effectiveness of Antivirus against Zeus” stated that “the effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% - it’s just 23%.” In other words, cybercriminals have clearly become adept at bypassing signature-based malware scanners.
Incident Response
A well-defined set of procedures that addresses the post-incident scenario.
An Incident Response Plan includes:
• Immediate action
• Investigation
• Restoration of resources
• Reporting the incident to proper channels.
Incident Handling
Incident handling helps identify trends and patterns in intruder activity by analysing the incidents that are reported.
• It involves three basic functions:
– Incident reporting
– Incident analysis
– Incident response
Security Incident Response Form
Digital Evidence
• Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form.”
Digital evidence is found in files such as:
– Graphic files
– Audio and video recordings and files
– Web browser history
– Server logs
– Word processing and spreadsheet files
– E-mails
– Log files
Challenging Aspects of Digital Evidence
• Digital evidence is fragile in nature.
• If the computer is turned off during investigation of the crime scene, data that has not been saved (volatile data) can be lost permanently.
• During the investigation, digital evidence can be altered, maliciously or unintentionally, without leaving any clear sign of alteration.
• Digital evidence is often circumstantial, which makes it difficult for the forensic investigator to attribute activity on the system to a particular person.
• If a user writes data to the system after the incident, it may overwrite the crime scene.
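The usual countermeasure to the third and fifth points above is to hash every acquired item at collection time and re-verify the hashes whenever the evidence is handled. The following is an added example in Python, not material from the original deck: it builds a SHA-256 manifest for an evidence directory and later reports which files were modified, lost or added. The file names, their contents and the collector name are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image need not fit in memory


def sha256_file(path):
    """SHA-256 of a file's contents, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record hash and size of every file under evidence_dir at acquisition time."""
    entries = {}
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            entries[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {
        "collector": collector,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return (relative path, problem) pairs for every file that no longer matches.

    'modified' and 'missing' cover the fragile-evidence cases; 'added' catches the
    "someone wrote to the crime scene" case, which a plain per-file hash check misses.
    """
    problems = []
    for rel, meta in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.exists(path):
            problems.append((rel, "missing"))
        elif sha256_file(path) != meta["sha256"]:
            problems.append((rel, "modified"))
    expected = set(manifest["files"])
    for root, _, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel not in expected:
                problems.append((rel, "added"))
    return sorted(problems)


def demo():
    """Constructed scenario: two items are acquired, then the scene is disturbed."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "browser_history.db"), "wb") as f:
            f.write(b"constructed sqlite placeholder\n")
        with open(os.path.join(d, "auth.log"), "wb") as f:
            f.write(b"Jan 15 10:22:33 host sshd[100]: Accepted password for bob\n")
        manifest = build_manifest(d, "analyst-1")
        clean = verify_manifest(d, manifest)          # freshly acquired: nothing to report
        assert clean == []
        # Later, someone appends to a log, deletes a file and drops a new one in.
        with open(os.path.join(d, "auth.log"), "ab") as f:
            f.write(b"Jan 16 09:00:01 host sshd[101]: Accepted password for bob\n")
        os.remove(os.path.join(d, "browser_history.db"))
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"analyst scratch notes\n")
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem:9} {rel}")
```

The manifest itself must be kept outside the evidence directory (and ideally signed or printed into the chain-of-custody record), otherwise whoever can alter the evidence can alter the hashes to match.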
Forensic Policy
• A forensic policy is a set of procedures describing the actions to be taken when an incident is observed.
• It defines the roles and responsibilities of all people performing or assisting the forensic activities.
• It should include all internal and external parties that may be involved.
• It explains what actions should and should not be performed under normal and special conditions.
Forensic Analysis Guidelines
Organizations should:
• Have a capability to perform computer and network forensics
• Determine which parties should handle each aspect of forensics
• Create and maintain guidelines and procedures for performing forensic tasks
• Perform forensics using a consistent process
• Be proactive in collecting useful data
• Adhere to the standard operating procedures specified by local laws and by standards bodies such as IOCE and SWGDE while collecting evidence
How to prevent an incident
A key to preventing security incidents is to eliminate as many vulnerabilities as possible:
• Scanning the network
• Auditing the network
• Deploying Intrusion Detection / Prevention systems
• Establishing Defense in Depth
Normalization
• The security monitoring environment is multi-vendor.
• Events from different devices and vendors have different formats.
• Similar events from multiple vendors must be normalized into a common form so they can be compared “apples-to-apples”.
Event Correlation
(Diagram: firewall logs and NIDS logs feeding a common log/alert correlation stage.)
Log Consolidation
• A defense-in-depth strategy utilizes multiple devices: firewalls, NIPS, HIPS, AV, AAA, VPN, application events, OS logs.
• Similar events from multiple vendors need to be consolidated and normalized.
• Universal syslog support.
Threat Correlation – Post Incident Analysis (IV)
Post-incident analysis adjusts incident severity based on context:
• Did the attack reach its destination?
• Is the victim vulnerable?
• How important is the victim system?
• Do further events indicate a possible compromise?
Analysis can be static or dynamic
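The Normalization, Log Consolidation and Threat Correlation slides describe one pipeline: parse vendor-specific lines into a common schema, join them, then answer the four context questions to adjust severity. The following Python is an added example written for this page, not code from the deck or from any of the products named later. The firewall lines (iptables-style syslog with an assumed FW-ACCEPT/FW-DROP log prefix), the Snort-style alert lines with a made-up signature ID, the asset inventory and the scoring weights are all constructed for the demonstration.

```python
import re

# Constructed sample logs (not captured from any real network).
FW_LOG = [
    "Jan 15 10:22:33 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=44321 DPT=445",
    "Jan 15 10:22:34 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=44322 DPT=445",
    "Jan 15 10:22:35 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=192.168.1.30 PROTO=TCP SPT=50000 DPT=80",
    # victim connecting back to the attacker shortly after the alert: a "further event"
    "Jan 15 10:22:40 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=10.0.0.5 PROTO=TCP SPT=49152 DPT=4444",
]
NIDS_LOG = [  # Snort "fast" alert layout; the signature ID and message are made up
    "01/15-10:22:33.412100  [**] [1:1000001:1] CONSTRUCTED SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44321 -> 192.168.1.10:445",
    "01/15-10:22:34.517000  [**] [1:1000001:1] CONSTRUCTED SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44322 -> 192.168.1.20:445",
]
# Assumed asset inventory: business criticality and services known to be vulnerable.
ASSETS = {
    "192.168.1.10": {"name": "file-server", "criticality": 3, "vulnerable_ports": {445}},
    "192.168.1.20": {"name": "dev-box", "criticality": 1, "vulnerable_ports": set()},
}

FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: FW-(?P<action>ACCEPT|DROP) "
    r"IN=\S* OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
NIDS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\S+):(?P<spt>\d+) -> (?P<dst>\S+):(?P<dpt>\d+)$"
)


def normalize_firewall(line):
    """Map one firewall syslog line onto the common event schema (None if it does not parse)."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"source": "firewall", "ts": m["ts"], "action": m["action"],
            "src_ip": m["src"], "src_port": int(m["spt"]), "dst_ip": m["dst"], "dst_port": int(m["dpt"]),
            "proto": m["proto"].upper(), "signature": None, "priority": None}


def normalize_nids(line):
    """Map one NIDS alert line onto the same schema as the firewall events."""
    m = NIDS_RE.match(line)
    if not m:
        return None
    return {"source": "nids", "ts": m["ts"], "action": "ALERT",
            "src_ip": m["src"], "src_port": int(m["spt"]), "dst_ip": m["dst"], "dst_port": int(m["dpt"]),
            "proto": m["proto"].upper(), "signature": f"{m['sid']} {m['msg']}", "priority": int(m["prio"])}


def five_tuple(e):
    return (e["src_ip"], e["src_port"], e["dst_ip"], e["dst_port"], e["proto"])


def severity_label(score):
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def correlate(fw_events, nids_events):
    """For each NIDS alert answer the four context questions and derive an adjusted severity."""
    fw_by_tuple = {}
    for e in fw_events:
        fw_by_tuple.setdefault(five_tuple(e), []).append(e)
    findings = []
    for alert in nids_events:
        matching = fw_by_tuple.get(five_tuple(alert), [])
        reached = any(e["action"] == "ACCEPT" for e in matching)        # did the attack reach the destination?
        asset = ASSETS.get(alert["dst_ip"], {"name": "unknown", "criticality": 1, "vulnerable_ports": set()})
        vulnerable = alert["dst_port"] in asset["vulnerable_ports"]      # is the victim vulnerable?
        followup = any(e["action"] == "ACCEPT" and e["src_ip"] == alert["dst_ip"] and e["dst_ip"] == alert["src_ip"]
                       for e in fw_events)                               # further events: victim calls attacker back
        # Assumed weights: start from the sensor's own priority (1 = highest), then adjust by context.
        score = {1: 3, 2: 2}.get(alert["priority"], 1)
        score += 2 if reached else -1          # blocked at the firewall: keep for trending, rate low
        score += 2 if vulnerable else 0
        score += asset["criticality"] - 1      # how important is the victim?
        score += 3 if followup else 0
        findings.append({"signature": alert["signature"], "victim": asset["name"], "dst_ip": alert["dst_ip"],
                         "reached": reached, "vulnerable": vulnerable, "followup": followup,
                         "severity": severity_label(score)})
    return findings


def run_demo():
    fw = [e for e in map(normalize_firewall, FW_LOG) if e]
    nids = [e for e in map(normalize_nids, NIDS_LOG) if e]
    return correlate(fw, nids)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The two alerts come from the same signature at the same priority, yet after correlation the first (accepted by the firewall, against a vulnerable service on a critical host, followed by a connection back to the attacker) is rated high and the second (dropped at the firewall) low. In a real deployment the two timestamp formats would also be normalized so that the "further events" check can require the call-back to occur after the alert; the example skips that for brevity.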
Demo
Resources
Certifications
EC Council Certified Incident Handler
• http://www.eccouncil.org/certification/ec-council_certified_incident_handler.aspx
Computer Hacking Forensic Investigator
• http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx
Concepti
• http://www.concepti.com
Tools
XPLICO - Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT)
• http://www.xplico.org/
Netwitness - Threat management solutions, monitoring and real-time network forensics.
• http://www.netwitness.com/
OSSIM - Open Source Security Information Management
• http://www.alienvault.com/community.php?section=Home
Web Sites
FIRST is the global Forum for Incident Response and Security Teams
• http://www.first.org/
Questions?
Thank you!
Roberto Martínez, ITlligent Security. Email: [email protected] MSN: [email protected] Skype: skp_roberto.martinez @r0bertmart1nez