Incident Response - Campus Party 2010
TRANSCRIPT
-
8/8/2019 Incident Response - Campus Party 2010
1/25
-
Agenda
Security Incidents
Cyber Threats
Incident Response
Digital Evidence
How to prevent an Incident
-
Incident
A computer security incident is defined as any real or suspected adverse event in relation to the security of computer systems or computer networks.
-
Incidents include:
Violation of an explicit or implied security policy
Attempts to gain unauthorized access
Unwanted denial of resources
Unauthorized use of electronic resources
-
Incident Categories
-
High Impact Incidents
-
Cyber Threats in 2010
-
Cybercrime-as-a-Service (CaaS) market model.
September 2009 - "Measuring the in-the-wild effectiveness of Antivirus against Zeus", a report by Trusteer, indicated that the effectiveness of an up-to-date antivirus against Zeus is thus not 100%, not 90%, not even 50% - it's just 23%, meaning that cybercriminals have clearly started excelling in the practice of bypassing signature-based malware scanners.
-
Incident Response
A well-defined set of procedures that address the post-incident scenario.
An Incident Response Plan includes:
Immediate action
Investigation
Restoration of resources
Reporting the incident to the proper channels.
-
Incident Handling
Incident handling helps to find out trends and patterns regarding intruder activity by analyzing it.
It involves three basic functions:
Incident reporting
Incident analysis
Incident response
-
Security Incident Response Form
-
Digital Evidence
Digital evidence is defined as any information of probative value that is either stored or transmitted in a digital form.
Digital evidence is found in files such as:
Graphic files
Audio and video recordings and files
Web browser history
Server logs
Word processing and spreadsheet files
E-mails
Log files
-
Challenging Aspects of Digital Evidence
Digital evidence is fragile in nature.
During the investigation of the crime scene, if the computer is turned off, the data which is not saved can be lost permanently.
During the investigation, digital evidence can be altered maliciously or unintentionally without leaving any clear signs of alteration.
Digital evidence is circumstantial, which makes it difficult for the forensic investigator to differentiate the system's activity.
After the incident, if a user writes some data to the
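The standard countermeasure to "altered without leaving any clear signs" is to hash every evidence file at acquisition time and re-verify the hashes later. The Python script below is an added example, not code from the presentation: it builds a manifest of size, mtime and SHA-256 for a set of files, then simulates an after-the-fact edit that keeps the file size and restores the original mtime, so that only the hash reveals the change. The evidence files, their contents and the tampering scenario are constructed in a temporary directory for the example.

```python
"""Evidence integrity check: hash files at acquisition, re-verify later.

Added example (not from the presentation). The evidence files and the
tampering scenario below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths):
    """Record size, mtime and SHA-256 for each evidence file at acquisition time."""
    manifest = {}
    for path in paths:
        st = os.stat(path)
        manifest[str(path)] = {
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "sha256": sha256_file(path),
        }
    return manifest


def verify(manifest):
    """Re-hash every file in the manifest and classify it.

    The hash is authoritative; size and mtime are compared only to show
    that an alteration can leave both of them untouched.
    """
    report = {}
    for path, rec in manifest.items():
        if not os.path.exists(path):
            report[path] = "missing"
            continue
        st = os.stat(path)
        if sha256_file(path) == rec["sha256"]:
            report[path] = "intact"
        elif st.st_size == rec["size"] and st.st_mtime_ns == rec["mtime_ns"]:
            report[path] = "altered (size and mtime unchanged)"
        else:
            report[path] = "altered"
    return report


def demo():
    """Constructed scenario: acquire two files, then silently edit one of them."""
    with tempfile.TemporaryDirectory() as workdir:
        auth_log = Path(workdir) / "auth.log"
        notes = Path(workdir) / "notes.txt"
        auth_log.write_text(
            "Aug 08 10:03:02 sshd[411]: Accepted password for root from 203.0.113.7\n"
        )
        notes.write_text("quarterly report draft\n")
        manifest = build_manifest([auth_log, notes])

        # Tamper after acquisition: swap the user name for one of the same length,
        # then restore the original mtime so a directory listing shows no change.
        original = os.stat(auth_log)
        auth_log.write_text(
            "Aug 08 10:03:02 sshd[411]: Accepted password for user from 203.0.113.7\n"
        )
        os.utime(auth_log, ns=(original.st_atime_ns, original.st_mtime_ns))

        return manifest, verify(manifest)


if __name__ == "__main__":
    _, report = demo()
    for path, status in report.items():
        print(f"{status:36} {path}")
```

In practice the manifest is written out immediately after acquisition and kept with the chain-of-custody record, so that the reference hashes themselves are not stored on the media being examined.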
-
Forensic Policy
A forensic policy is a set of procedures describing the actions to be taken when an incident is observed.
It defines the roles and responsibilities of all people performing or assisting the forensic activities.
It should include all internal and external parties that may be involved.
It explains what actions should and should not be performed under normal and special conditions.
-
Forensic Analysis Guidelines
Organizations should:
Have a capability to perform computer and network forensics
Determine which parties should handle each aspect of forensics
Create and maintain guidelines and procedures for performing forensic tasks
Perform forensics using a consistent process
-
How to prevent an incident
A key to preventing security incidents is to eliminate as many vulnerabilities as possible.
Scanning the network
Auditing the network
Deploying Intrusion Detection / Prevention systems
Establishing Defense in Depth
-
Normalization
The security monitoring environment is multi-vendor.
Events from different devices and vendors have different formats.
Need to compare similar normalized events from multiple vendors - apples to apples.
-
Event Correlation
(diagram: Firewall Logs and IDS Logs feeding a correlated Log Alert)
-
Log Consolidation
A defense in depth strategy utilizes multiple devices: Firewalls, NIPS, HIPS, AV, AAA, VPN, Application Events, OS Logs.
Need to consolidate and normalize similar events from multiple vendors.
Universal SYSLOG support
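The Normalization, Event Correlation and Log Consolidation slides describe one pipeline: parse each vendor's format into a common schema, then match events that refer to the same flow. The Python script below is an added example, not code from the presentation. It normalizes constructed syslog lines from two sources, an ASA-style firewall and a Snort-style IDS, into one event dictionary, and then attaches the firewall's verdict on the same flow to each IDS alert: an alert whose flow the firewall permitted is rated high, one it denied is rated low. The log lines are constructed approximations of those two formats, and the host names, addresses and signature IDs are made up for the example.

```python
"""Normalize multi-vendor events into one schema, then correlate them.

Added example, not from the presentation. The log lines below are constructed
approximations of an ASA-style firewall syslog and a Snort-style alert; hosts,
addresses and signature IDs are made up.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOGS = [
    "Aug 08 10:02:58 fw1 %ASA-6-302013: Built inbound TCP connection 9001 "
    "for outside:203.0.113.7/51000 (203.0.113.7/51000) to dmz:10.0.0.5/80 (10.0.0.5/80)",
    "Aug 08 10:03:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51002 "
    "dst dmz:10.0.0.6/22 by access-group \"outside_in\"",
    "Aug 08 10:03:02 ids1 snort: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 203.0.113.7:51000",
    "Aug 08 10:03:05 ids1 snort: [1:2001219:20] ET SCAN Potential SSH Scan "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51002 -> 10.0.0.6:22",
]

SYSLOG = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
ASA_BUILT = re.compile(
    r"%ASA-\d-302013: Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for \S+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \(\S+\) to \S+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
ASA_DENY = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \S+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst \S+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
SNORT = re.compile(
    r"snort: \[(?P<sig>[\d:]+)\] (?P<name>.+?) \[Classification: [^\]]*\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)

# (pattern, vendor, normalized action), tried in this order
PARSERS = [(ASA_BUILT, "cisco-asa", "allow"), (ASA_DENY, "cisco-asa", "deny"), (SNORT, "snort", "alert")]


def normalize(line):
    """Map one raw line onto the common schema; None if no parser recognizes it."""
    m = SYSLOG.match(line)
    if not m:
        return None
    # Syslog headers carry no year; strptime fills in 1900, which is fine for time windows.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    for pattern, vendor, action in PARSERS:
        f = pattern.search(m.group("msg"))
        if f:
            d = f.groupdict()
            return {
                "ts": ts, "host": m.group("host"), "vendor": vendor, "action": action,
                "proto": d["proto"].lower(),
                "src_ip": d["src_ip"], "src_port": int(d["src_port"]),
                "dst_ip": d["dst_ip"], "dst_port": int(d["dst_port"]),
                "sig_id": d.get("sig"), "signature": d.get("name"),
                "priority": int(d["prio"]) if d.get("prio") else None,
            }
    return None


def flow_key(ev):
    """Direction-independent flow id: the IDS may see the reply leg of a
    connection that the firewall logged as inbound."""
    return frozenset({(ev["src_ip"], ev["src_port"]), (ev["dst_ip"], ev["dst_port"])})


def correlate(events, window=timedelta(seconds=30)):
    """Attach the firewall verdict for the same flow (within window) to every IDS alert."""
    firewall = [e for e in events if e["action"] in ("allow", "deny")]
    results = []
    for alert in (e for e in events if e["action"] == "alert"):
        verdict = "unknown"
        for fw in firewall:
            if flow_key(fw) == flow_key(alert) and abs(fw["ts"] - alert["ts"]) <= window:
                verdict = fw["action"]
                break
        # Blocked at the firewall means the attack never reached the target.
        severity = {"allow": "high", "deny": "low", "unknown": "medium"}[verdict]
        results.append({"signature": alert["signature"], "sig_id": alert["sig_id"],
                        "src_ip": alert["src_ip"], "dst_ip": alert["dst_ip"],
                        "firewall": verdict, "severity": severity})
    return results


def run(lines=SAMPLE_LOGS):
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The direction-independent flow key matters more than it looks: the first IDS alert fires on the server's reply (10.0.0.5:80 back to the attacker), while the firewall logged the inbound connection, so a naive src/dst comparison would miss the match.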
-
Post Incident Analysis (IV)
Post-incident analysis adjusts incident severity based on context:
Did the attack reach the destination?
Is the victim vulnerable?
How important is the victim system?
Did further events indicate a possible compromise?
Analysis can be static or dynamic.
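As an added example (not the presenter's code), the Python function below re-scores an IDS alert using the four context questions above: the firewall's verdict on the flow, whether the victim is known from vulnerability scan data to be exposed to that signature, the victim's criticality, and whether the victim later initiated a connection back to the attacker. The alerts, the asset inventory and the follow-up event are constructed for the example, and the point weights are illustrative choices rather than any standard.

```python
"""Post-incident severity adjustment driven by context.

Added example, not from the presentation. Alerts, inventory and follow-up
events are constructed; the point weights are illustrative choices.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: criticality 1 (low) to 3 (high) and the IDS
# signature IDs a vulnerability scan found the host exposed to.
INVENTORY = {
    "10.0.0.5": {"role": "public web server", "criticality": 2, "vulnerable_sigs": {"1:2100498:7"}},
    "10.0.0.6": {"role": "bastion host", "criticality": 1, "vulnerable_sigs": set()},
}

T0 = datetime(2010, 8, 8, 10, 3, 2)

# Constructed alerts, already enriched with the firewall's verdict on the flow.
ALERTS = [
    {"ts": T0, "sig_id": "1:2100498:7", "name": "GPL ATTACK_RESPONSE id check returned root",
     "priority": 2, "attacker": "203.0.113.7", "victim": "10.0.0.5", "firewall": "allow"},
    {"ts": T0 + timedelta(seconds=3), "sig_id": "1:2001219:20", "name": "ET SCAN Potential SSH Scan",
     "priority": 2, "attacker": "203.0.113.7", "victim": "10.0.0.6", "firewall": "deny"},
]

# Constructed later firewall events: the web server opens a connection to the attacker.
LATER_EVENTS = [
    {"ts": T0 + timedelta(minutes=3), "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7",
     "dst_port": 4444, "action": "allow"},
]


def assess(alert, later_events, inventory=INVENTORY, window=timedelta(minutes=10)):
    """Return a 0-10 score, a label and the reason behind each adjustment."""
    score = {1: 7, 2: 5, 3: 3}.get(alert["priority"], 3)   # IDS priority 1 is the most severe
    reasons = []

    # Did the attack reach the destination?
    if alert["firewall"] == "deny":
        score -= 4
        reasons.append("firewall denied the flow")
    elif alert["firewall"] == "allow":
        score += 1
        reasons.append("firewall permitted the flow")

    # Is the victim vulnerable?  How important is it?
    asset = inventory.get(alert["victim"])
    if asset is None:
        reasons.append("victim not in inventory")
    else:
        if alert["sig_id"] in asset["vulnerable_sigs"]:
            score += 2
            reasons.append("scan data shows the victim is vulnerable to this signature")
        else:
            score -= 2
            reasons.append("victim not known to be vulnerable")
        score += asset["criticality"]
        reasons.append(f"criticality {asset['criticality']} ({asset['role']})")

    # Further events indicating compromise: the victim connects back to the attacker.
    for ev in later_events:
        delta = ev["ts"] - alert["ts"]
        if (ev["action"] == "allow" and ev["src_ip"] == alert["victim"]
                and ev["dst_ip"] == alert["attacker"] and timedelta(0) < delta <= window):
            score += 3
            reasons.append(f"victim connected to attacker port {ev['dst_port']} "
                           f"{int(delta.total_seconds())}s after the alert")
            break

    score = max(0, min(10, score))
    label = "critical" if score >= 8 else "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {"name": alert["name"], "victim": alert["victim"], "score": score,
            "severity": label, "reasons": reasons}


def run():
    return [assess(a, LATER_EVENTS) for a in ALERTS]


if __name__ == "__main__":
    for result in run():
        print(result["severity"], result["score"], result["name"])
        for reason in result["reasons"]:
            print("   -", reason)
```

Both constructed alerts start at the same IDS priority; context moves one to critical (permitted, vulnerable, important, followed by an outbound connection to the attacker) and the other to low (blocked at the firewall against a host the scan does not show as exposed). Keeping the reasons list alongside the score is what lets an analyst audit the adjustment later.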
-
Demo
-
Resources
Certifications
EC-Council Certified Incident Handler
http://www.eccouncil.org/certification/ec-council_certified_incident_handler.aspx
Computer Hacking Forensic Investigator
http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx
Concepti
http://www.concepti.com
Tools
XPLICO - Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT)
http://www.xplico.org/
Netwitness - Threat management solutions, monitoring and real-time network forensics.
http://www.netwitness.com/
OSSIM - Open Source Security Information Management
http://www.alienvault.com/community.php?section=Home
Web Sites
FIRST is the global Forum for Incident Response and Security Teams
http://www.first.org/
-
Questions?
-
Thank you!
Roberto Martínez
Itlligent Security
Email: roberto.martinez@itlligent.com.mx
MSN: frml@live.com.mx
Skype: skp_roberto.martinez
@r0bertmart1nez