Module 12: Responding to Security Incidents
Overview
Introduction to Auditing and Incident Response
Designing an Audit Policy
Designing an Incident Response Procedure
Lesson 1: Introduction to Auditing and Incident Response
The Auditing Process
Why Auditing Is Important
What Is an Incident Response Procedure?
The Auditing Process
You can determine a user's actions by examining the following:
1. ISA Server: the ISA Server packet filter log file
2. IIS Server: the security event log file and the IIS log file
3. Domain Controller: the security event log file from the domain controller
Why Auditing Is Important
By enabling auditing, you can:
Monitor events in your network
Take action if there is any suspicious activity
You must dedicate time to review the logs.
Figure: external attacker and internal attacker
What Is an Incident Response Procedure?
An incident response procedure includes steps such as:
People to contact
Actions for limiting damage
Provisions for investigation
Lesson 2: Designing an Audit Policy
Process for Planning an Audit Policy
Guidelines for Creating a Framework for Auditing
Common Auditing Tools and Sources
Guidelines for Designing an Audit Review Process
Activity: Risk and Response
Process for Planning an Audit Policy
When planning an audit policy, you must:
1. Determine what types of events to audit
2. Identify auditing tools to use
3. Create a process for reviewing event logs
4. Establish a retention policy for audit logs
Guidelines for Creating a Framework for Auditing
The following guidelines help to create a framework for auditing:
Audit events and resources that you want to track
Create audit statements that include:
The type of event
The event details
Audit point
Common Auditing Tools and Sources

Resource             Tools and sources
Operating systems    Event Viewer, EventComb, SCOM, custom scripts
Web sites            IIS logs, URLScan
Network perimeters   Router logs, firewall logs, packet filtering logs, proxy logs
Applications         Application-specific logs, intrusion-detection software, antivirus software, SCOM
Guidelines for Designing an Audit Review Process
When designing an audit review process, define:
Who is responsible for managing and analyzing events
How often to analyze events
How to report possible incidents to management
How to preserve the chain of evidence
Where to archive event logs
Activity: Risk and Response
For each scenario:
Read the scenario
Choose the best risk management strategy
Determine an appropriate security response
Discuss your answers as a class
Lesson 3: Designing an Incident Response Procedure
Process for Planning an Incident Response Procedure
Guidelines for Creating an Incident Response Team
What to Include in a Communication Plan
Common Indicators of Security Incidents
Guidelines for Analyzing a Security Incident
Methods for Limiting Damage from an Attack
Guidelines for Documenting Security Incidents
Activity: Risk and Response
Process for Planning an Incident Response Procedure
When planning an incident response procedure, you must:
1. Create and train an incident response team
2. Develop a communication plan
3. Create a plan for identifying an attack
4. Create policies to contain an attack
5. Develop a process for reviewing incidents
Guidelines for Creating an Incident Response Team
Use these guidelines to ensure that the appropriate job roles are:
In the team
Available 24 hours a day
Trained in responding to security incidents
Competent in their areas of responsibility
Able to analyze situations objectively under pressure
Strong communicators
What to Include in a Communication Plan
Include in your communication plan:
Triggers that define when to contact each member of the incident response team
Contact information for all team members
Substitute team members and contact information
Procedures for communicating securely among team members
Incident details that each team member receives
How team members communicate details of the incident to non-team members
Common Indicators of Security Incidents

Area                        Examples
Network irregularities      Network performance decreases
                            Accounts are used at irregular times
System irregularities       Audited events increase significantly
                            System performance decreases
                            Computers crash or reboot mysteriously
Direct reporting of events  Users report security incidents
                            A new virus is published
                            Intrusion detection software detects an incident
Physical indicators         Hardware is missing
                            Visible signs exist of physical compromise
Business indicators         Confidential information is published on the Internet or in print
                            Competitor appears to possess trade secrets
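As an added example that is not part of the course material, the following script turns two of the indicators above, accounts used at irregular times and a significant increase in audited events, into a review check over a constructed sample of security event log records; the business-hours window, the service-account allow-list and the daily baseline are assumed policy values.

```python
"""Added example (not from the course deck): two indicator checks from the
"Common Indicators of Security Incidents" table, run over a constructed sample
of Windows security event log records."""
from collections import Counter
from datetime import datetime

# Constructed sample records in the form "timestamp,event_id,account".
# Event ID 4624 is a successful logon and 4625 a failed logon in the Windows
# security log; the accounts and times themselves are invented.
SAMPLE_LOG = """\
2024-03-04 09:12:00,4624,alice
2024-03-04 10:40:00,4624,bob
2024-03-04 14:05:00,4624,alice
2024-03-05 03:17:00,4624,svc-backup
2024-03-05 03:21:00,4624,alice
2024-03-05 09:00:00,4624,bob
2024-03-05 09:01:00,4625,bob
2024-03-05 09:02:00,4625,bob
2024-03-05 09:03:00,4625,bob
2024-03-05 09:04:00,4625,bob
"""

BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59; an assumed policy value


def parse_events(text):
    """Turn the CSV-like records into (datetime, event_id, account) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, account = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account))
    return events


def off_hours_logons(events, allowed=("svc-backup",)):
    """Indicator: accounts used at irregular times. Accounts on the assumed
    allow-list (scheduled service accounts) are excluded so the reviewer sees
    only interactive users logging on outside business hours."""
    return sorted({acct for ts, eid, acct in events
                   if eid == 4624 and ts.hour not in BUSINESS_HOURS
                   and acct not in allowed})


def event_volume_spike(events, baseline_per_day, factor=3):
    """Indicator: audited events increase significantly. Returns the days whose
    total event count exceeds `factor` times the agreed daily baseline."""
    per_day = Counter(ts.date().isoformat() for ts, _, _ in events)
    return sorted(day for day, n in per_day.items()
                  if n > factor * baseline_per_day)
```

Both checks return the items a reviewer should look at rather than printing them, so they can feed the review process and reporting steps defined earlier in the lesson.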
Guidelines for Analyzing a Security Incident

To identify   Determine
Symptoms      How is the event occurring?
              What are the symptoms of the attack?
Origin        Where is the attack originating?
              Is the point of origin connected to the attacker?
Entry point   How is the attack entering the network?
              Is the attacker exploiting a known vulnerability?
Intent        What does the attacker appear to be trying to accomplish?
              Is there a pattern to the attack?
Severity      What is at risk?
              How serious is the risk?
Exposure      What systems have been compromised?
              In what way are the systems compromised?
Methods for Limiting Damage from an Attack

Resource           Examples
Networks           Disconnect affected networks from the corporate network
                   Disconnect the corporate network from the Internet
                   Block TCP/IP ports
Computers          Remove infected computers from the network
                   Remove computers that have sensitive information from the network
                   Deploy security hotfixes and service packs
Applications       Change passwords on compromised and sensitive accounts
                   Update antivirus scanning engines and signature files
                   Update intrusion detection systems and inspect log files
Physical security  Replace locks and key codes
                   Increase physical security
Guidelines for Documenting Security Incidents
Use these guidelines to gather any feedback and discover:
The origin of the incident
How the incident was detected and reported
How the incident was responded to and resolved
Recommended changes to policies and procedures
Improvements to your incident response procedure
Updates to your risk management plan
The financial impact of the security incident
Activity: Risk and Response
For each scenario:
Read the scenario
Choose the best risk management strategy
Determine an appropriate security response
Discuss your answers as a class
Lab: Responding to Security Incidents
Exercise 1: Identifying Potential Vulnerabilities
Exercise 2: Implementing an Incident Response Team
Exercise 3: Implementing an Incident Response Plan
Course Evaluation