Virginia Tech Guide for Cyber Security Incident Response

IMPORTANT NOTE: If an incident is deemed to be illegal or life threatening, contact the VA Tech Police: 540-231-6411, or Emergency: 911.

ABSTRACT

This document assists university personnel in establishing cyber incident response capabilities and handling incidents efficiently and effectively. It provides a guide for cyber incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.

The IT Security Office can be reached by emailing itso-g@vt.edu or calling 540-231-1688.


Table of Contents

Virginia Tech Guide for Cyber Security Incident Response ..... 0
Record of Changes ..... 2
Review Cycle ..... 2
Section 1: Introduction ..... 3
    Authority ..... 3
    Purpose and Scope ..... 3
    Audience ..... 4
    Document Structure ..... 4
Section 2: Cyber Incident Response Capabilities ..... 5
    Mission ..... 5
    Strategy and Goals for Cyber Incident Response ..... 6
    University Authority for Cyber Incident Response ..... 7
    Cyber Incident Response Teams ..... 8
    VT's Approach to Cyber Incident Response ..... 9
Section 3: The Incident Response Processes ..... 12
    Preparation ..... 12
    Identification, Detection, and Analysis ..... 13
    Containment, Eradication and Recovery ..... 19
    Incident Closure ..... 21
Appendix A: CIRT Org Chart ..... 23
Appendix B: Sensitive Data Response Procedure ..... 24
Appendix C: CIRT Team Member List and Contact Information ..... 25
Appendix D: Checklist of major steps for Incident Response and Handling ..... 26
Appendix E: Compromise Questionnaire and Information Gathering ..... 29
Appendix F: Communications Tracking Worksheet ..... 32
Appendix G: Internal Audit Guidelines for reporting unacceptable computer use ..... 34
Appendix H: University Policies and Standards ..... 35
Appendix I: Guidance on Reporting a Cyber Incident ..... 36
Appendix J: Contact information for local police ..... 37
Appendix K: Generalized Cyber Incident Escalation and Workflow Diagram ..... 38
Appendix L: Acronyms ..... 39
Appendix M: Step by Step Cyber Incident Response ..... 40

Record of Changes

| Version # | Implemented By | Revision Date | Approved By | Approval Date | Reason |
|---|---|---|---|---|---|
| 4.0 | Randy Marchany | 03/14/2014 | Randy Marchany | | Reformat plan, improve process documentation, update team members, update version number |
| 4.1 | Randy Marchany | 07/27/2014 | Randy Marchany | | Update documentation, expand remaining sections. |
| 4.2 | Randy Marchany | 8/1/2014 | Randy Marchany | | Updating diagrams |
| 4.3 | Brad Tilley | 11/3/2014 | | | Minor corrections and clarifications |
| 4.4 | Brenda van Gelder | 4/1/2015 | | | Incorporate line managers' feedback provided to date |
| 4.5a | Randy Marchany | 6/1/2015 | | | Incorporate changes, update diagrams |
| 4.6 | Angela Correa | 6/16/2015 | | | Grammar and continuity edit |
| 4.7 | Jean Plymale | 06/30/2015 | | | Add Internal Audit guidelines, acronyms, contact info for local police and update document structure to reflect these changes and additions. |
| 4.8 | Angela Correa | 7/9/2015 | | | Integration of 2015 edits. |
| 4.9 | David Raymond | 11/18/2015 | Randy Marchany | 11/18/2015 | Final edits. |
| 5.0 | David Raymond | 1/28/2016 | Randy Marchany | 1/28/2016 | Updated Org Chart (App. A); Finalized Version |

Review Cycle

This cyber incident response plan should be reviewed on an annual basis. The review should include an examination of procedures and resource information to make sure information reflects Virginia Tech's needs. The Cyber Incident Governance Team and the IT Security Officer should review all changes.

Section 1: Introduction

Authority

Oversight of the security of university information technology resources and information is entrusted to the Vice President for Information Technology by the Virginia Tech Board of Visitors.

In 2007, the Board of Visitors passed a resolution (http://www.bov.vt.edu/minutes/07-06-04minutes/attach_v_070604.pdf) requiring the Vice President for Information Technology to ensure compliance with established security standards throughout the University. The Vice President for Information Technology and CIO has given the IT Security Office (ITSO) full authority to act in a manner to protect the integrity, confidentiality, and availability of Virginia Tech's information technology infrastructure.

Virginia Tech Policy 7010, "Policy for Securing Technology Resources and Services," gives the ITSO the authority to respond to threats to University networks, systems, and services.

The University Information Technology Security Program Standard of 2012 states that evaluating and reporting cyber security incidents is important to ensure information security events and weaknesses associated with information systems are communicated in a manner that will allow timely corrective action to be taken. Information Technology is responsible for:

• Maintaining an incident response procedure document
• Maintaining the Computer Incident Response Team (CIRT) to carry out these procedures
• Arranging for intake of reports of suspected IT security exposures of university data and other suspected cyber incidents.

The ITSO manages and coordinates detection, identification, containment, eradication, and recovery efforts of reported cyber security incidents with Virginia Tech departments' IT personnel. The IT Security Officer also has the authority to classify threats as a risk to the enterprise and can activate the VT-CIRT team at his discretion. The CIRT Team will only be activated if a cyber security incident has been identified as affecting University IT systems/services at an enterprise or a multi-departmental level.

Purpose and Scope

This publication seeks to assist university personnel in mitigating the risks from cyber security incidents by providing a practical guide for responding to incidents effectively and efficiently. This document includes guidelines on establishing an effective cyber security incident response program, but the primary focus of the document is to provide assistance with detecting, analyzing, prioritizing, and handling incidents.

This document is not intended to replace Continuity or Disaster Recovery Planning. It is not intended to be used as a detailed list to accomplish every task associated with cyber security incident handling and response. Rather, the document is intended to provide a framework and processes by which consistent approaches can be developed and resource allocations can be made for a given scenario to facilitate the detection, identification, containment, eradication, and recovery from specific cyber security incidents.

This document addresses only incidents that are computer security-related, not those caused by natural disasters, power failures, etc.

This document applies to university-owned computers and technology devices connected to the Virginia Tech network. All University locations are covered by this document.

This document is intended to provide guidance to address cyber security incidents that have impacts that affect the University's operational, financial, or reputational standing and/or the ability to comply with regulatory or legal requirements.

Audience

This document has been created for the VT cyber incident response team (CIRT), system and network administrators, security staff, technical support staff, chief information security officer (CISO), chief information officer (CIO), computer security program managers, and others responsible for preparing for or responding to cyber security incidents at Virginia Tech.

Document Structure

The rest of this document is arranged as follows:

Section 2 discusses the need for cyber incident response capabilities, and outlines possible cyber incident response team structures as well as other groups within the organization that may participate in cyber incident response handling.

Section 3 provides guidelines for effective, efficient, and consistent incident response capabilities and reviews the cyber security incident response elements.

Appendix A – VT Cyber Incident Response Teams Organizational Chart
Appendix B – Communication Workflow for Sensitive Data Exposure
Appendix C – CIRT Team, IT Council, Compliance Officers Directories
Appendix D – Incident Handling Checklist; Unix, Linux and Windows Forensics checklists
Appendix E – Detection and Analysis Information Gathering Outline
Appendix F – Communication Plan Worksheet
Appendix G – Internal Audit Guidelines for unacceptable computer use
Appendix H – University Policies and Standards
Appendix I – Workflow Diagram for Incident Escalation
Appendix J – Contact information for local police and FBI
Appendix K – Generalized Cyber Incident Escalation and Workflow Diagram
Appendix L – Acronyms
Appendix M – Step by Step Cyber Incident Response

Section 2: Cyber Incident Response Capabilities

A cyber security incident is defined by the Department of Homeland Security as an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.[1] An incident could be either intentional or accidental in nature.

Examples of cyber security incidents (hereafter may be referred to as "cyber incident" or "incident") may include, but are not limited to:

• An incident in which an attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
• An incident in which users are tricked into opening a "quarterly report" sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.
• An incident where an attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
• An incident where a user provides or exposes sensitive information to others through peer-to-peer file sharing services.

Successful incidents similar to those noted above have occurred at Virginia Tech. These incidents have caused financial and reputational harm, disrupted daily operations, and created compliance issues with state and federal laws. Establishing cyber incident response capabilities at Virginia Tech ensures systematic (i.e., following a consistent cyber incident handling methodology) and coordinated actions are taken. Incident response helps personnel to minimize loss or theft of information and disruption of services caused by cyber incidents.

Incident response capabilities also build institutional resilience. Information gained and lessons learned during incident handling can help better prepare for dealing with future incidents.

Mission

One of the elements of Virginia Tech's Information Technology mission is to provide, secure, and maintain information systems, allowing the University to accomplish its mission.

To support the University's mission, Information Technology has developed a guide for implementing cyber security incident response plans. To aid in the coordination of response activities, Information Technology has formed a Cyber Incident Response Team (CIRT). The CIRT mission is to:

1. Limit the impact of cyber incidents in a way that safeguards the well-being of the University community.
2. Protect the information technology infrastructure of the University.
3. Protect sensitive University data from disclosure, modification, and exfiltration.
4. Collect the information necessary to pursue investigation(s) at the request of the proper University authority.

[1] From https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/coordination-of-federal-information-security-policy.pdf - 44 U.S. Code § 3552

Strategy and Goals for Cyber Incident Response

Timely and thorough action to manage the impact of cyber incidents is a critical component of the response process. The response should limit the potential for damage by ensuring that actions are well known and coordinated. Cyber incident response goals are:

• To protect the well-being of the University community.
• To protect the confidentiality, integrity, and availability of University systems, networks and data.
• To help University personnel recover their business processes after computer or network security incidents.
• To provide a consistent response strategy to system and network threats that put Virginia Tech data and systems at risk.
• To develop and activate a communications plan including initial reporting of the incident as well as ongoing communications as necessary.
• To address cyber related legal issues.
• To coordinate efforts with external Computer Incident Response Teams.
• To minimize the University's reputational risk by notifying appropriate University officials of cyber incidents that may become high profile events and implementing timely and appropriate corrective actions.

To achieve these goals, Information Technology has adopted security best practices derived from standardized incident response processes such as those published by the National Institute of Standards and Technology (NIST) Special Publication 800-61 and other authorities.

The specific incident response process elements that comprise the VT Cyber Incident Response Plan include:

• Preparation: Maintaining and improving incident response capabilities and preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.
• Identification: Confirming, characterizing, classifying, categorizing, scoping, and prioritizing suspected incidents;
• Containment: Minimizing loss, theft of information, or service disruption;
• Eradication: Eliminating the threat;
• Recovery: Restoring computing services quickly and securely; and
• Post-incident activities: Assessing response to better handle future incidents through utilization of reports, "Lessons Learned," and after-action activities, or mitigation of exploited weaknesses to prevent similar incidents from occurring in the future.

These six elements of Cyber Incident Response will be defined in detail in section 3.

Cross-cutting elements present throughout incident response handling include:

• Communication: Notifying appropriate internal and external parties and maintaining situational awareness;
• Analysis: Examining available data to support decision-making throughout the incident management lifecycle; and
• Documentation: Recording and time-stamping all evidence discovered, information collected, and actions taken from Identification through Post-incident activities.

University Authority for Cyber Incident Response

The following University organizations act as University Authorities; those who are authorized to make requests and decisions regarding cyber security incident response at Virginia Tech.

• Vice President for Information Technology and Chief Information Officer (CIO) – empowered to respond to IT security incidents by BOV Resolution "Information Technology Security and Authority". http://www.bov.vt.edu/minutes/07-06-04minutes/attach_v_070604.pdf
• Information Technology Security Officer (ITSO) – delegated authority by CIO to decide whether to activate CIRT, notifies Incident Governance Team of decision
• VT CIRT Governance Team – a broad range of University stakeholders (see Appendix A).
• University Legal Counsel – any law enforcement/legal actions, questions about information disclosure, legal aspects of the investigation
• University President – personnel actions for staff
• Executive Vice President and Provost – personnel actions for faculty
• University Internal Audit – data integrity of critical University data, compliance with University procedures and fraud investigations
• Division of Student Affairs/Student Conduct – offenses by Virginia Tech students
• Virginia Tech Police Department – criminal matters
• Data Trustees/Stewards – sensitive or non-public data access and governance (data trustees and stewards are listed in the "Standard for Administrative Data Management" http://www.it.vt.edu/publications/pdf/interim_updates/AdministrativeDataManagementStandard2013Nov4signed.pdf)

NOTE: Requests from local, state, or federal law enforcement officials do not necessarily constitute proper authority. All requests from these agencies must first be made to University Counsel before contacting any university departmental personnel.

Any of the following requests from local, state or federal law enforcement agencies must be authorized by University Legal Counsel prior to issuance:

• Warrant - If you are presented with a warrant that has been authorized by University Legal Counsel, you should comply immediately with the request. Notify your supervisor and the Campus Police unless advised otherwise by law enforcement or University Legal Counsel.
• Subpoena - If you are presented with a subpoena that has been authorized by University Legal Counsel, comply with the request. Notify your supervisor unless you are advised otherwise by Legal Counsel.
• Freedom of Information Act – University Legal Counsel will advise how requests should be honored.

Cyber Incident Response Teams

The VT Cyber Incident Response Team is composed of current members of the IT Security Office staff and Division of Information Technology contacts from Secure Enterprise Technology Initiatives (SETI), Network Infrastructure & Services (NI&S), 4HELP, Enterprise Systems, and Converged Technologies for Security Safety and Resilience (CTSSR); as well as University college and departmental representatives that make up the IT Council, and University Compliance Officers. See Appendix C for contact information for VT-CIRT members.

Introducing the Cyber Incident Response Governance Team

The cyber incident response governance team is a new group that has been formed to provide oversight for cyber incident response. The Cyber Incident Response Governance Team is composed of the following University stakeholders:

• Vice President for Information Technology and CIO
• Information Technology Security Officer
• University Legal Counsel
• University Internal Audit
• VT Police Department
• Data Trustees/Stewards – sensitive or non-public data access and governance. Data trustees and stewards are listed in the "Standard for Administrative Data Management" http://www.it.vt.edu/publications/pdf/interim_updates/AdministrativeDataManagementStandard2013Nov4signed.pdf
• University Relations

VT's Approach to Cyber Incident Response

This section provides guidelines for establishing incident response capabilities, and advice on maintaining and enhancing existing capabilities in the event of a cyber incident.

Reporting a Cyber Incident

A cyber incident is an event that poses a threat to the integrity, availability, or confidentiality of an IT system. Cyber incidents should be reported immediately to the IT Security Office or as soon as possible after discovery. The ITSO or designee will act as the Incident Response Manager (IRM) for all reported cyber incidents. The ITSO, with the assistance of the reporting entity, will work together to coordinate all aspects of the incident response process. The reporting entities must coordinate with the ITSO (or designee) prior to initiating any actions during the investigation or in response to information security incidents. All communications regarding cyber incidents must be conducted through channels that are known to be unaffected by the cyber incident under investigation.

Cyber incidents can be reported in several ways including by email, phone, in-person, or by initiating a 4Help trouble ticket.

IT Security Office contact information: itso-g@vt.edu or 540-231-1688. For a list of IT Security Office staff contact information, see Appendix C.

Examples of incidents that should be reported immediately include, but are not limited to:

• A virus/worm affecting multiple systems;
• Intrusion or damage to:
    o Website or page,
    o Computer system or network,
    o Wireless access,
    o Cell phones, smart phones,
    o Laptops, tablet computers,
    o Fax machines,
    o Voice mail, and
    o Voice over IP (VOIP) systems.

See Appendix I for further guidance on reporting cyber incidents.

Early notification allows the ITSO and affected departments time to gather as much information as possible when evaluating potential cyber incidents. Information that should be gathered and shared when reporting cyber incidents includes:

• Contact information of affected individuals
• IP address, hostname, or location of system(s)
• In the case of a website intrusion, the specific URL(s)
• Disclosure of data that may be included on the system. This is particularly important if this data may include social security numbers, credit card numbers, bank account numbers, debit card numbers, driver's license numbers, passport numbers, medical information, or FERPA data.
• Disclosure of the system's criticality, as noted on its most recent IT risk assessment.
• A description of the incident that includes a timeline and identification/detection details.

Prompt reporting may also help reduce common risks associated with cyber incidents, including:

• Physical safety risk: As the "Internet of Things" becomes more prevalent in monitoring physical facilities, a cyber attack against networked devices could cause physical harm to individuals.
• Regulatory risk: Compliance with federal and state legislation regarding the protection of information. This includes data and systems that fall under GLB (Gramm-Leach-Bliley Act), HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), ITAR (International Traffic in Arms Regulations), PCI-DSS (Payment Card Industry Data Security Standard), federal/state data breach notification laws, and the Patriot Act.
• Operational risk: Failure to protect systems and data can cause disruptions to critical daily operations.
• Financial risk: There may be costs associated with lost data, restoring systems, and data breach notifications.
• Reputational risk: There may be a negative impact on confidence in a system or a negative impact on the university's reputation.

Cyber Incident Response Procedures

Once an incident report has been received, the ITSO will confirm details surrounding the incident through the identification, detection, and analysis phases of incident handling. Different types of incidents merit different types of response strategies, but generally:

• If an incident is confirmed, the ITSO will coordinate actions through the CIRT Governance Team and the CIRT Team.
• If an incident cannot be confirmed, the ITSO will make mitigation recommendations to the reporting entity.

The ITSO, CIRT teams, and/or the IRM shall categorize the incident according to type and potential impact(s). The incident shall then be classified and responded to in order of priority.

• If immediate action is required, the ITSO will begin coordinated incident response activities. NOTE: The CIRT will only be activated if a cyber incident is affecting University IT systems/services at an enterprise or a multi-departmental level.
• If immediate action is not required, the ITSO will work with the reporting entity to determine appropriate response actions.

In the case of multiple cyber incidents occurring simultaneously, the ITSO, CIRT Teams, and/or the IRM will classify the incidents according to their immediate and potential adverse effects and prioritize recovery and investigation activities according to the severity of these effects.

Communications and Information Sharing about a Cyber Incident

Communication is an essential part of cyber incident response. Because communications regarding a cyber incident often need to occur quickly, it is vital to build relationships and establish suitable means of communication between the ITSO and other groups, both internal (e.g., human resources, legal) and external (e.g., other incident response teams, law enforcement). University departments should proactively develop internal cyber security incident communication guidelines. Once an incident is confirmed, the ITSO and the CIRT Governance Team will coordinate information sharing so that only the appropriate information is shared with the appropriate parties.

A communication plan is mandatory whenever a breach of Personally Identifiable Information (PII) has been confirmed. Appendix B provides a workflow diagram for communications required when there is an exposure of sensitive data. A communication plan should identify internal and external communication needs, and how these needs will be addressed. Smaller events may only require internal communications, while larger events may require interaction with external stakeholders. The approach to communications should be tailored depending on the stakeholders.

The communication plan should be activated as soon as possible after a cyber incident has been confirmed. Appendix F provides a worksheet to assist in formulating a communication strategy for sharing information in the event of a cyber security incident. Section 3 provides more detail about developing a cyber incident communications plan.

Section 3: The Incident Response Processes

This section describes the major phases of the incident response process: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.

Appendix D provides a checklist of major steps to be performed during response and handling of an incident. The checklist does not dictate the exact sequence of steps that should always be followed and should be used as a guide for those involved. Appendix D also provides Unix/Linux and Windows Operating Systems Checklists for responding to system compromises.

Preparation

Preparation is fundamental to the success of incident response programs.

Incident response methodologies typically emphasize the proactive and ongoing use of tools, training, and processes necessary for preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.

Many of the necessary tools and training are available on the IT Security Office website http://security.vt.edu. One of the recommended preparation practices is for University colleges and departments to conduct an annual IT Risk assessment. The benefits of conducting an IT Risk Assessment include identifying applicable threats, including organization-specific threats. Each risk is categorized and prioritized to determine if risk can be mitigated, transferred, or accepted until a reasonable overall level of risk is reached. Another benefit of conducting risk assessments regularly is that critical resources are identified, allowing staff to emphasize monitoring and response activities for those resources. Templates and training are available for IT Risk Assessments through the office of Converged Technologies for Security, Safety and Resilience, at this website: http://www.it.vt.edu/ctssr/risk_assessment/

Conducting an IT Risk Assessment enables departments to correlate IT resources with mission critical business processes and services. Using that information, it then becomes possible to characterize interdependencies and the consequences of potential disruptions, as well as to generate plans to eliminate or ameliorate risks.

[Figure: incident response process cycle. Phases shown: Preparation; Identification, Detection and Analysis; Containment; Eradication; Recovery; Incident Closure.]

Identification, Detection, and Analysis

Early steps taken to detect, verify, investigate, and analyze an incident are important to developing an effective containment and eradication strategy. Once an incident has been confirmed, resources can be assigned to investigate the scope, impact, and response needed. The detection and analysis phases determine the source of the incident and preserve evidence.

The general steps required for incident identification, detection, and analysis are to:

1. Review Internal Audit guidelines for department personnel actions with regard to unacceptable computer use and other cyber security incidents - See Appendix G.
2. Determine whether an incident has occurred.

Coordination between the IT Security Office and the affected department is important to make sure that steps taken to verify the incident do not alter data that will be needed for further investigation.

Detection and Analysis

The IT Security Office will work with the affected department to quickly analyze and validate each incident, and perform an initial assessment to determine the incident's scope, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident.

A coordinated investigation may be required once an incident has been confirmed. The IT Security Office will identify and assign an individual to be the Incident Response Manager (IRM). The IRM will lead the incident response, is the point of contact for all matters relating to the incident, and is responsible for coordinating the data required for documenting the investigation and gathering evidence. In some cases, Federal, State, or local law enforcement may be involved in an incident investigation. See Appendix I for contact information for the Federal Bureau of Investigations (FBI), Department of Homeland Security (DHS), state, campus, and local police.

Inter-departmental Cooperation Guidelines

University personnel may be alerted to a threat from an internal or external source. It is important to notify the IT Security Office once a threat has been detected.

• The local systems administrator is responsible for fixing the problem on the machine(s). The IT Security Office may also detect a threat and alert the system custodian of record for the hardware or Ethernet port connection.
• All incidents should be handled by departmental IT staff with the support of the IT Security Office and, if necessary, the CIRT.

See Appendix E: Compromise Questionnaire and Information Gathering - Information Needed from the User, and Appendix I: Guidelines for Reporting a Cyber Incident.

Incident Categorization, Classification, and CIRT Activation

The incident type and impact will determine the level of response needed by the University. The IT Security Office will work with departments to determine the appropriate response for each confirmed incident. The general steps required for incident categorization and classification are:

1. Categorize the incident based on type of incident, security objective, and impact.
2. Classify the incident as a local or enterprise incident.
3. Prioritize handling of the incident based on the VT CIRT Incident Response Classification Matrix.
4. Activate CIRT if necessary.
5. Report the incident to the appropriate internal personnel and external organizations.

COMMON CATEGORIES OF CYBER INCIDENTS

| Incident Type | Description |
|---|---|
| Unauthorized Access | When an individual or entity gains logical or physical access without permission to a university network, system, application, data, or other resource. |
| Denial of Service (DoS) | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim or participating in the DoS. |
| Malicious Code | Successful installation of malicious software (e.g., a virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. |
| Improper or Inappropriate Usage | When a person violates acceptable computing policies. |
| Suspected PII Breach | If an incident involves personally identifiable information (PII), a breach is reportable by being merely Suspected. (Suspected PII incidents can be resolved by confirmation of a non-PII determination.) |
| Suspected loss of Sensitive Information | An incident that involves a suspected loss of sensitive information (not PII) that occurred as a result of Unauthorized Access, Malicious Code, or Improper (or Inappropriate) Use, where the cause or extent is not known. |

Source: Incident Response and Management: NASA Information Security Incident Management

15

IMPACT DEFINITIONS

Security Objective, with the Potential Impact at each level (Low, Medium, High):

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  Low: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Medium: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  Low: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Medium: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability: Ensuring timely and reliable access to and use of information.
  Low: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Medium: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Source: FIPS Publication 199

Once an incident has been categorized, it is important to classify it as a local or enterprise event.

Local events represent a risk to Virginia Tech systems, networks, and data but are confined to a single or small number of departmental systems. An example of a local issue would be malware discovered on a departmental desktop or server. Local issues may even lead to data breaches if unencrypted sensitive data is stored on the compromised systems. Most cyber threats are identified, contained, and eradicated through coordinated efforts between the ITSO and affected departments. Local events are the most common type of attack observed at Virginia Tech.

Enterprise events are rare but have a large impact. A Distributed Denial of Service attack (DDoS) that degrades network performance in a manner that disrupts University operations is an example. This would be an enterprise-wide issue that would affect the entire University. Enterprise issues may require the activation of the Cyber Incident Response Team (CIRT). CIRT team members may be drawn from many departments across the university and have knowledge of critical systems that can be leveraged to protect Virginia Tech IT assets during an enterprise incident.

When multiple incidents occur simultaneously, the most serious or highest potential impact incidents should be handled first. The incident classification is performed by the Incident Response Manager (IRM) using the VT CIRT Incident Response Classification Matrix.

VT CIRT Incident Response Classification Matrix

Columns: Classification Level (3 = Most Severe), Typical Characteristics, Impact, Response, Activate CIRT?

Level 3
  Typical Characteristics: DDoS attack against University servers. Attacks against network infrastructure. Network disruption for a large segment of the VT population.
  Impact: An enterprise-wide attack involving multiple departments requiring local and enterprise administrator support from the affected departments.
  Response: CIRT directs, response coordinated by ITSO. VT senior management, local sysadmin involved. Possible Legal Counsel, Law Enforcement involvement.
  Activate CIRT? Yes

Level 2
  Typical Characteristics: Affects data or services for a group of individuals and threatens sensitive data, or involves accounts with elevated privileges with potential threat to sensitive data.
  Impact: Compromised Banner, Exchange, Active Directory, domain controller system administrator account, or Learning Management System (LMS) administrator account compromise.
  Response: Response coordinated by ITSO. Local sysadmin. CIRT advised, Legal Counsel notified if PII breach.
  Activate CIRT? Advised

Level 2 (second row)
  Typical Characteristics: Affects data or services of a single individual, but involves significant amounts of sensitive data.
  Impact: Faculty desktop with University-defined sensitive data compromised; physical theft of computer/computer equipment.
  Activate CIRT? No

Level 1
  Typical Characteristics: Affects data or services of a group of individuals with no sensitive data involved.
  Impact: Compromise of an account with shared folder access.
  Response: Local sysadmin, ITSO notified, event logged, progress monitoring. Standard forensics performed if local admin is unable.
  Activate CIRT? No

Level 1 (second row)
  Typical Characteristics: Affects data or services of a single individual with no sensitive data beyond their own involved; focus is on correction and/or recovery and education/future prevention.
  Impact: Compromised faculty machine with no University-defined sensitive data, etc.
  Activate CIRT? No

Level 0
  Typical Characteristics: Occurrences of very minor or undetermined focus, origin and/or effect for which there is no practical follow-up.
  Impact: Network scans, personal firewall log reports, Snort reports, Tripwire, IDS/IPS reports.
  Response: ITSO monitors periodically, periodic summaries, vulnerability database maintenance, sends reports to central logging facility for trending weekly/monthly reports.
  Activate CIRT? No

CIRT Activation

The CIRT will only be activated if a cyber incident has been confirmed to be affecting University IT systems/services at an enterprise or a multi-departmental level. Attacks against departmental servers do not necessarily require CIRT activation. Local events may be escalated to enterprise events if evidence warrants. The ITSO has the authority to classify incidents as an enterprise threat. The ITSO and the CIRT Governance Team have authority to activate the CIRT.
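The categorization, classification and prioritization steps above (the FIPS 199 impact levels, the local/enterprise split and the classification matrix) can be made executable so that several simultaneous incidents are always triaged the same way. The following is an added example, not code from the VT guide or from the IT Security Office: the high-water mark rule is FIPS 199's own, while the Incident fields, the scope values and the order in which classify() tests the matrix rows are assumptions made for this example.

```python
"""Added example (not code from the VT guide): FIPS 199 high-water-mark
categorization plus an executable form of the VT CIRT classification matrix.
The Incident fields, the scope vocabulary and the rule order are assumptions."""
from dataclasses import dataclass

IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}


def high_water_mark(confidentiality, integrity, availability):
    """FIPS 199 overall impact: the highest rating given to any objective."""
    ratings = [r.lower() for r in (confidentiality, integrity, availability)]
    unknown = [r for r in ratings if r not in IMPACT_RANK]
    if unknown:
        raise ValueError(f"unknown impact rating(s): {unknown}")
    return max(ratings, key=IMPACT_RANK.__getitem__)


@dataclass
class Incident:
    name: str
    impact: str                       # overall impact from high_water_mark()
    scope: str                        # "enterprise", "group", "individual" or "undetermined"
    sensitive_data: bool = False      # University-defined sensitive data involved
    privileged_account: bool = False  # e.g. AD / Banner / LMS administrator account


def classify(inc):
    """Return (classification level, CIRT activation) for one incident.
    Levels follow the matrix: 3 is most severe, 0 is monitor-only.
    The scope 'enterprise' is an input: the guide gives the ITSO the authority
    to make that call, so the code does not infer it."""
    scope = inc.scope.lower()
    if scope == "enterprise":                       # multi-department / infrastructure
        return 3, "yes"
    if scope == "group" and (inc.sensitive_data or inc.privileged_account):
        return 2, "advised"                         # CIRT advised, Legal Counsel if PII
    if scope == "individual" and inc.sensitive_data:
        return 2, "no"
    if scope in ("group", "individual"):
        return 1, "no"                              # no sensitive data: local sysadmin + ITSO
    return 0, "no"                                  # scans, IDS reports: periodic monitoring


def prioritize(incidents):
    """Handle the most serious incident first: higher level, then higher impact.
    sorted() is stable, so incidents that tie keep their reporting order."""
    return sorted(
        incidents,
        key=lambda i: (classify(i)[0], IMPACT_RANK[i.impact.lower()]),
        reverse=True,
    )


if __name__ == "__main__":
    # Constructed sample queue, not real VT incidents.
    queue = [
        Incident("IDS report: port scan from off-campus", "low", "undetermined"),
        Incident("Faculty laptop with grade data stolen",
                 high_water_mark("high", "low", "low"), "individual", sensitive_data=True),
        Incident("DDoS degrading campus network",
                 high_water_mark("low", "low", "high"), "enterprise"),
        Incident("Shared-folder account phished", "low", "group"),
    ]
    for inc in prioritize(queue):
        level, cirt = classify(inc)
        print(f"level {level}  CIRT={cirt:8s} {inc.name}")
```

When the matrix changes, only classify() is edited and the assertions are re-run; keeping the rows in one place avoids two handlers reading the same table differently during a busy shift.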

Communications Plan

Communications processes occur throughout the incident response phases and involve the initial reporting of the incident to relevant authorities, as well as ongoing communications with those impacted.

A communications plan is essential when dealing with a confirmed cyber incident. A good communication plan can help limit confusion and increase responsiveness by sharing action plans, updating University stakeholders, and providing transparency throughout the process. The plan should identify the stakeholders, those authorized to speak about the incident, the communication channels, the schedule of communication, as well as procedures for notifying external organizations that are directly involved in the incident. A communications plan can reduce conflicting messages and focus efforts.

University Relations, Information Technology, and the appropriate stakeholders must develop a communications plan whenever a breach of Personally Identifiable Information (PII) has been confirmed. A communication workflow diagram for PII exposure is available in Appendix B.

Potential Stakeholders
• VP for Information Technology and CIO
• IT Security Office Staff
• Data Trustees/Stewards
• CIRT Members
• Departmental Management
• Departmental IT Staff
• University Legal Counsel
• University Relations
• Vendors
• Office of Emergency Management
• Faculty and Staff
• Students
• Law Enforcement Agencies
• Members of Virginia Tech's technical support community
• Outside agencies
• Internal Audit
• Media

Plans should include the following elements:

• An identification of those authorized to speak about the incident to university stakeholders and the media
• Clear protocols for message approval, to ensure accuracy
• An identification of communication channels for both internal and external stakeholders (Email, Listservs, phone conferences, Learning Management System, Blogs, Wikis, social media if applicable, etc.)
• Planned frequency of communications between internal stakeholders
• Planned frequency of communications with external stakeholders
• Notification procedures for external organizations directly involved in the incident

Appendix F contains a sample communication plan worksheet.

Containment, Eradication and Recovery

Containment

Containment procedures attempt to actively limit the scope and magnitude of the attack. A vulnerability in a particular computer architecture can be exploited quickly. Containment involves acquiring, preserving, securing, and documenting all evidence.

Containment has two goals:

• Prevent data from leaving the network via the affected machines.

• Prevent the attacker from causing further damage to Virginia Tech information technology assets.

The ITSO assigns a high priority to determining who the attackers are and what vector (port, software vulnerability, etc.) they are using to attack Virginia Tech hosts. Once this information is obtained, the ITSO will request a router block or physical disconnection to temporarily prevent an IP address, port, or both from connecting to the VT network. This may disrupt other normal traffic, but this disruption will be kept to a minimum. Containing a cyber incident has a higher priority than maintaining normal business traffic.

The following actions are taken during the containment phase. Coordinate all activities with the local system administrator. Possible actions include:

• Upon direction by the IRM, the local system administrator can proceed to repair the system as needed to return to normal business operations.

• Consulting provided by the ITSO to the local system administrator. The ITSO will remain available to provide consulting support during the repair process.

• The deployment of a small team from the ITSO with the appropriate expertise to the site.

• Securing the physical area on site if necessary.

• Using Appendix E: Compromise Questionnaire and Information Gathering to guide documentation.

• A review of the information provided by the system administrators.

• Not allowing the system to be altered in any way. Maintaining a low profile in order to avoid tipping off the attacker.

• Using a trusted system binary kit (Unix/Linux, Windows) to verify the system binaries have not been compromised.

• Making a forensic copy of the system for further analysis. Ensuring that any backup tapes are in a secure location.

Determine the risk of continued operation. Possible actions include:

• Disabling network access but leaving the system up. Disabling the port if the attack is ongoing or if the compromised system is attacking another site. The Network Team should utilize available tools to identify and disable the port.

• Making a recommendation to the local management (faculty member, department head, dean, supervisor, etc.) regarding whether the affected system(s) should remain online. Attempting to restore operations as quickly as possible. However, if the compromised system threatens the integrity of the network or systems connected to the network, it should be disconnected from the net as soon as possible.

• Changing all user and system credentials on the affected machine(s). Back up the system.

• In some cases, a forensic image disk will be requested by law enforcement or by the office of Legal Counsel. Contact the ITSO to initiate the forensics process.

• Use network backup systems to determine what files were changed during the event. Contact Wanda Baber (540-231-9507, [email protected]) or Eliza Lau (540-231-9399, [email protected]).

Eradication

Eradication is the removal of malicious code, accounts, or inappropriate access. Eradication also includes repairing vulnerabilities that may have been the root cause of the compromise. We strongly recommend a complete re-installation of the OS and applications.

The general steps involved in the eradication phase of incident response are to:

• Define eradication benchmarks
  o Consult various checklists for compromises. See Appendices D and E for general information.
• Identify and mitigate all vulnerabilities that were exploited
• Remove malware, inappropriate materials, and other components
• If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps to identify all other affected hosts, then contain and eradicate the incident for them
• Reinstall the OS, reinstall applications, and apply all known patches

Recovery

Once the incident has been contained and eradicated, recovery can start. This phase allows business processes affected by the incident to recover and resume operations.

The general recovery steps are:

1. If there was sensitive data on the affected machine, go to step 2. If there was not, go to step 4.
2. Follow the flowchart steps in Appendix B.
3. Reinstall and patch the OS and applications. Change all user and system credentials.
4. Restore data to the system.
5. Return affected systems to an operationally ready state.
6. Confirm that the affected systems are functioning normally.
7. If necessary, implement additional monitoring to look for future related activity.

Post-Incident Activity

Incident Closure

Documentation of a cyber incident and the steps taken to mitigate issues encountered are important. The documentation offers an opportunity to improve Incident Response processes and identify recurring issues. Most local issues can be properly documented using the University's 4Help trouble ticket system.

Certain cyber incidents should be documented more thoroughly when their impact warrants. The ITSO will identify those local incidents that should be more thoroughly documented. A follow-up report and documentation is required for all enterprise level incidents.

Follow-up reports document the incident and include the lessons learned in order to preserve and expand knowledge. Reports are produced by the IT Security Office and/or the CIRT teams depending on the incident. The report should include:

• Information about the incident type
• A description of how the incident was discovered
• Information about the systems that were affected
• Information about who was responsible for the system and its data
• A description of what caused the incident
• A description of the response to the incident and whether it was effective
• Recommendations to prevent future incidents
• A discussion of lessons learned that will improve future responses
• A timeline of events, from detection to incident closure

The follow-up report should be shared with the VP for Information Technology and CIO as well as other stakeholders deemed appropriate. A "Lessons Learned" meeting with all those involved in the handling and response of the incident should be held and is mandatory for enterprise level incidents.

Appendix A: VT Cyber Incident Response Team Organizational Chart

CIRT Organization Chart (boxes listed in the order they appear in the chart)

VP IT & CIO: Scott Midkiff
Deputy CIO / IT Chief of Staff: Scot Ransbottom
ITSO & IRM: Randy Marchany
Core CIRT
CIRT Governance
Systems CIRT
Network CIRT
ITSO Staff
Departmental CIRT
VTPD
Data Trustees/Stewards
University General Counsel
University Relations
Internal Audit
ITSO: Randy Marchany
Deputy CIO / IT Chief of Staff: Scot Ransbottom
Emergency Management

Appendix B: Sensitive Data Response Procedure

Appendix C: CIRT Team Member List and Contact Information

This appendix is redacted for public distribution. For a full list of CIRT members with contact information, contact [email protected] or call (540) 231-1688.

Appendix D: Checklist of Major Steps for Incident Response and Handling

Action (check off when Completed)

Detection and Analysis Phase
1. Determine whether an incident has occurred
  1.1 Analyze the precursors and indicators
  1.2 Look for correlating information
  1.3 Perform research (e.g., search engines, knowledge base)
  1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence
2. Prioritize handling of the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
3. Report the incident to the appropriate internal personnel and external organizations.

Containment, Eradication and Recovery
4. Acquire, preserve, secure, and document evidence
5. Contain the incident
6. Eradicate the incident
  6.1 Identify and mitigate all vulnerabilities that were exploited
  6.2 Remove malware, inappropriate materials, and other components
  6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them
7. Recover from the incident
  7.1 Return affected systems to an operationally ready state
  7.2 Confirm that the affected systems are functioning normally
  7.3 If necessary, implement additional monitoring to look for future related activity

Post-Incident Activity
8. Create a follow-up report
9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)

Source: NIST Special Publication 800-61 revision 2

UNIX/LINUX Checklist

This section is intended to provide guidance during the examination of a compromised system. Additional steps may be needed to examine a system. Please consult the IT Security Office before performing steps.

[ ] Regain control of the system. Some options include disconnecting the system from the network and making an image copy of the system disk(s).
[ ] Analyze the intrusion.
[ ] Look for modifications made to system software and configuration files.
[ ] Look for modifications to data.
[ ] Look for tools and data left behind by the intruder.
[ ] Review log files.
[ ] Look for signs of a network sniffer.
[ ] Check other systems on the local network.
[ ] Check for systems affected on other local subnets or remote sites.
[ ] Recover from the intrusion.
[ ] Install a clean version of the OS on the affected system.
[ ] Disable unnecessary services.
[ ] Install all vendor security patches.
[ ] Change all passwords.
[ ] Improve the security of your system and network.
[ ] Review the Center for Internet Security benchmark documents and the CERT.ORG Unix configuration guidelines checklist.
[ ] Install security tools.
[ ] Enable maximal logging.
[ ] Install software firewall tools.
[ ] Reconnect to the network.

Windows Checklist

This section is intended to provide guidance during the examination of a compromised system. Additional steps may be needed to examine a system. Please consult the IT Security Office before performing steps.

[ ] Examine log and event files.
[ ] Check for odd user accounts and groups.
[ ] Look for incorrect group memberships.
[ ] Look for incorrect user rights.
[ ] Check for unauthorized applications starting at boot.
[ ] Check system binaries with something like Tripwire.
[ ] Check network configuration and activity.
[ ] Check for unauthorized shares.
[ ] Examine jobs run by the scheduler service.
[ ] Check for unauthorized processes.
[ ] Look for unusual or hidden files.
[ ] Check for altered permissions on files or registry keys.
[ ] Check for changes in user or computer policies.
[ ] Make sure the system has not been moved to a different Workgroup or Domain.
[ ] Examine all other related systems.
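The containment step "Using a trusted system binary kit to verify the system binaries have not been compromised" and the checklist items "Look for modifications made to system software and configuration files" and "Check system binaries with something like Tripwire" all reduce to the same operation: hash the files on the suspect host and compare them with a manifest taken from a known-good copy. The following added example, not code from the VT guide, shows that comparison with a SHA-256 manifest in the sha256sum format; the directory tree, the file contents and the "attacker" changes in demo() are constructed for the demonstration.

```python
"""Added example (not code from the VT guide): a minimal 'trusted binary kit'
check.  A SHA-256 manifest built from a known-good copy of the system (clean
install media or a trusted host) is compared with the suspect system to list
modified, removed and newly added files.  The directory tree, file contents
and the 'attacker' changes below are constructed for the demo."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map root-relative path -> SHA-256 for every regular file under root.
    Symlinks are skipped: hashing them would follow to attacker-chosen targets."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def format_manifest(manifest):
    """Serialize in sha256sum's two-space format so 'sha256sum -c' can also check it."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def parse_manifest(text):
    """Parse the format produced by format_manifest(); blank lines and # comments are ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[path] = digest
    return manifest


def verify(baseline, current):
    """Compare a suspect system's manifest with the trusted baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: clean bin/ tree, then ls is trojaned, netstat deleted, a sniffer dropped."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(b"clean binary: " + name.encode())
        baseline_text = format_manifest(build_manifest(root))  # stored off-host in practice

        with open(os.path.join(bindir, "ls"), "wb") as fh:      # attacker replaces ls
            fh.write(b"rootkit ls")
        os.remove(os.path.join(bindir, "netstat"))               # and removes netstat
        with open(os.path.join(bindir, ".sniff"), "wb") as fh:  # and drops a sniffer
            fh.write(b"pcap")

        return verify(parse_manifest(baseline_text), build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats a handler should keep in mind. The hashing tool itself, and the kernel and libc it runs on, must come from the trusted kit (or the disk should be hashed from a forensic image on another machine), because a rootkit that hides files from the suspect host's own tools will also hide them from this script. And the manifest must be produced before the incident and kept off the host; a manifest built after the compromise only proves that nothing changed since the attacker was already in.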


Appendix E: Compromise Questionnaire and Information Gathering

It is important to gather and record information during an incident. This helps with planning and assigning resources. Analysis of gathered information is also important to the incident closure process. The following questions are intended as an example to help with information gathering. Depending on the nature of the incident, it may be appropriate for additional questions to be considered. Consult Appendix G before proceeding.

Information Needed about Detection

1. What is the infection/intrusion type?
2. What time was the incident detected?
3. How was the infection detected?
4. Who detected the infection?
5. What is the incident machine's IP address and DNS name?
6. Who is the IT Support for the incident machine?
7. Was a 4Help Ticket created?
   a. What is the ticket number?
8. What time was the initial notification sent?
9. Was network access disabled?
10. Were people contacted? If so, who?

Information Needed from the User

1. Gather the user's contact information. User (name, email, phone #)
2. What is the user's job function?
3. What is the primary function of this department?
   a. Who is the user's manager/direct report?
4. Does the user work with sensitive or covered PII data?
   a. If yes, what types of sensitive or covered PII data?
5. How much sensitive data? (# of files, GBs, file types, location)
6. What files did the user access during the time of the incident?
7. Did the user work with research data?
   a. If so, what types of research data?
8. How much research data? (# of files, size, file types, location)
9. Does the user use university or departmental enterprise systems?
   a. If so, what level of access does the user have?
10. Does the user have access to shared network storage?
11. Are the shared drives automatically mounted?
12. Who else shares the data in those folders?
13. Did the user use encryption on files? If so, what kind(s) of encryption and where are the keys? ITSO may require access to encryption keys.

Questions about the Infection

1. What was the user doing during the incident?
2. Did the user notice any strange things about the computer around that time?
3. Did the user receive any strange emails, or open any unknown attachments?
4. Did the user enter credentials (username, password) on any sites?
5. Did the user install any software?
6. Did the user receive any software updates?
7. Did the user's antivirus software complain or alert?
8. Did the user notice a change in computer performance?
9. Did the user receive any strange Instant Messages?
10. Does the user use their computer for non-work related functions?
11. If so, what function(s)?
12. Facebook/social media? Internet Radio? Email? Online Banking?

Information Needed from Departmental IT Support

1. IT Support contact information (name, email, phone #)
2. Do they have shared drives?
3. Who has access to these drives?
4. What type of data is accessed or used by the system? FERPA, GLBA, University PII, etc.
5. Are they automatically mounted?
6. What types of security precautions have you placed on the system? (AV, Malwarebytes)
7. Is administrative access granted to the user?
8. What types of encryption are used?

Infection Details and Analysis

1. IT person (name, email, phone #)
2. Do they have shared drives?
3. Who has access to these drives?
4. Types of data (see above)
5. Are they automatically mounted?
6. What types of security precautions have been placed on the system?
7. What type of anti-virus is used?
8. Does the user have administrative access?
9. Is there file-based encryption? (think: TrueCrypt)
   a. What type of encryption?

Incident Analysis

1. When was the first sign of an infection?
2. Was this sign indicative of the initial infection?
3. What is the confidence level of the initial infection notice?
4. Is a copy of the malware package available?
5. How long was the machine online after the first sign of an infection?
6. How long before the IT staff was notified?
7. How many Command & Control (C&C) servers are involved?
8. Where are they located?
9. How much data went to each C&C server?
10. Are other devices on the network communicating with these C&C servers?
11. How much data was transferred between the time of the believed initial infection and when the device was pulled off the network?
12. Who were the top talkers?
13. Are they legitimate top talkers?
14. What other network security alerts were triggered by the device?
15. How much traffic remains for the incident period after the top talkers are removed?
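Questions 7 and 9 through 15 above are answered from network flow data (NetFlow/IPFIX exports, a Zeek conn.log, or firewall logs). The following added example, not code from the VT guide, does that arithmetic over a small constructed flow table: the CSV layout, the suspect host 10.1.5.23, the infection window and the C&C addresses are assumptions made for the demonstration.

```python
"""Added example (not code from the VT guide): answering the Incident Analysis
questions about C&C servers, data volumes and top talkers from flow records.
The CSV below is constructed for the demo (one row per outbound flow:
timestamp, source, destination, destination port, bytes sent); the suspect
host, the infection window and the C&C addresses are assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample flows; 10.1.5.23 is the suspect host, 10.1.5.40 a second internal host.
FLOWS_CSV = """ts,src,dst,dport,bytes
2016-01-20T08:00:00,10.1.5.23,203.0.113.7,443,15000
2016-01-20T08:05:00,10.1.5.23,198.51.100.9,8080,3500000
2016-01-20T08:06:00,10.1.5.23,10.1.5.1,53,2000
2016-01-20T08:10:00,10.1.5.23,203.0.113.7,443,900000
2016-01-20T08:12:00,10.1.5.40,198.51.100.9,8080,120000
2016-01-20T09:00:00,10.1.5.23,192.0.2.50,443,800000
2016-01-20T09:30:00,10.1.5.23,203.0.113.7,443,50000
"""
SUSPECT = "10.1.5.23"
CNC_SERVERS = {"203.0.113.7", "198.51.100.9"}   # assumed: from the AV alert / threat intel
FIRST_SIGN = datetime(2016, 1, 20, 8, 5)        # question 1: first sign of infection
PULLED_OFF_NET = datetime(2016, 1, 20, 9, 30)   # when the switch port was disabled


def parse_flows(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(r["ts"]), "src": r["src"],
                     "dst": r["dst"], "dport": int(r["dport"]), "bytes": int(r["bytes"])})
    return rows


def host_window(flows, host, start, end):
    """Outbound flows from host between first sign of infection and disconnect (inclusive)."""
    return [f for f in flows if f["src"] == host and start <= f["ts"] <= end]


def bytes_by_peer(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[f["dst"]] += f["bytes"]
    return dict(totals)


def top_talkers(flows, n=2):
    """Peers that received the most data from the host, largest first (question 12)."""
    return sorted(bytes_by_peer(flows).items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def remaining_bytes(flows, n=2):
    """Traffic left in the window once the top n talkers are removed (question 15)."""
    top = {peer for peer, _ in top_talkers(flows, n)}
    return sum(f["bytes"] for f in flows if f["dst"] not in top)


def cnc_report(all_flows, host, cnc_servers, start, end):
    """Questions 7, 9, 10 and 11: bytes to each C&C server in the window, total bytes
    sent in the window, and other internal hosts that talked to the same C&C servers."""
    window = host_window(all_flows, host, start, end)
    to_cnc = {c: sum(f["bytes"] for f in window if f["dst"] == c) for c in sorted(cnc_servers)}
    others = sorted({f["src"] for f in all_flows if f["dst"] in cnc_servers and f["src"] != host})
    return {"bytes_to_cnc": to_cnc,
            "total_bytes_in_window": sum(f["bytes"] for f in window),
            "other_hosts_contacting_cnc": others}


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    window = host_window(flows, SUSPECT, FIRST_SIGN, PULLED_OFF_NET)
    print(cnc_report(flows, SUSPECT, CNC_SERVERS, FIRST_SIGN, PULLED_OFF_NET))
    print("top talkers:", top_talkers(window))
    print("bytes after removing top talkers:", remaining_bytes(window))
```

The code answers the counting questions only; question 13 ("Are they legitimate top talkers?") still needs an analyst. In the sample, 10.1.5.1 on port 53 is the campus resolver and is expected, while 192.0.2.50 received 800 KB without being on the C&C list and needs to be looked at. Real flow exports usually carry both directions of a conversation; use the bytes-from-source field when measuring what left the machine.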


Appendix F: Communications Tracking Worksheet

This worksheet is intended to help formulate a communication strategy to share information while containing, eradicating, and recovering from a cyber incident. All communications regarding cyber incidents must be conducted through channels that are known to be unaffected by the cyber incident under investigation.

Note: Consult University Legal Counsel and University Relations before communicating with external stakeholders.

1. List of possible stakeholders
[ ] VP and CIO for Information Technology
[ ] IT Security Office Staff
[ ] CIRT Team Members
[ ] Departmental Management
[ ] Departmental IT Staff
[ ] University Legal Counsel
[ ] Faculty and Staff
[ ] Students
[ ] Law Enforcement Agencies
[ ] Virginia Tech's technical support community
[ ] Outside agencies
[ ] Vendors
Others:

2. List those authorized to communicate (limits of authorization)

3. List internal communications channels
[ ] Email
[ ] Listserv (can be event specific)
[ ] Phone/video conferences
[ ] Meetings
[ ] Office phones
[ ] Cell phones
Others:

4. List external communications channels
[ ] Email
[ ] Web, Blogs
[ ] Listserv (can be event specific)
[ ] Phone/video conferences
[ ] Meetings
[ ] Office phones
[ ] Cell phones
Others:

5. Schedule of communications (discuss the appropriate frequency of communications)

IT Security Office Procedure for Notification of Outside Organizations Involved in a Cyber Incident

It may be necessary to contact an outside organization to let them know that a machine under their control may be having a negative impact on Virginia Tech's IT systems and networks. The steps provided below are intended to guide communication.

1. Determine the technical and administrative contacts of the source machine.
2. Determine the WHOIS contact for the upstream provider, if one exists.
3. Determine if a US-CERT or "abuse" email address exists if the source machine is from a foreign country.
4. Email [email protected] with the VT machines attacked/scanned by the source machine.
5. Send a concise email to the WHOIS contact of the source machines. Include:
• The source site's US-CERT
• Copy for IT Security Office
• Copy affected department(s) and personnel.
• Log excerpts in the text of the e-mail. Do NOT send attachments or HTML.

Appendix G: Internal Audit Guidelines for Reporting Unacceptable Computer Use. Source: http://www.ia.vt.edu/Unacceptable%20Computer%20Use%20Guidance.pdf

Appendix H: University Policies and Standards

• Available at http://www.policies.vt.edu
• Virginia Tech Statement of Business Conduct Standards – http://www.cafm.vt.edu/busprac/business_conduct_standards.php
• 1060 – Policy on Social Security Numbers
• 2000 – Management of University Records
• 2001 – Retention and Storage of Presidential Records
• 2010 – Release of Names and Addresses of Students
• 4082 – Appropriate Use of Electronic Personnel and Payroll Records
• 7000 – Acceptable Use of Computer and Communication Systems
• 7010 – Policy for Securing Technology Resources and Services
• 7025 – Safeguarding Nonpublic Customer Information
• 7030 – Policy on Privacy Statements on Virginia Tech Web Sites
• 7035 – Privacy Policy for Employees' Electronic Communications
• 7040 – Personal Credentials for Enterprise Electronic Services
• 7100 – Administrative Data Management and Access Policy
• Standard for Administrative Data Management – http://www.it.vt.edu/publications/pdf/interim_updates/AdministrativeDataManagementStandard2013Nov4signed.pdf
• 7200 – University IT Security Program
• 7205 – IT Infrastructure, Architecture, and Ongoing Operations
• 7210 – IT Project Management
• 7215 – IT Accessibility

Virginia Legislation

• Commonwealth of VA Policy 1.75 – Use of Internet and Electronic Communication Systems
• Code of Virginia 2.2-603.G Incident Reporting Requirement, www.vita.virginia.gov/security/incident/guidance.cfm
• Code of Virginia 18.2-186.6 Data Breach Notification Requirement
• Code of Virginia 2.2-3801 Definitions
• Code of Virginia 2.2-3806 Rights of Data Subjects

References

1. Board of Visitors Information Technology Security and Authority Resolution, June 2007, http://www.bov.vt.edu/minutes/07-06-04minutes/attach_v_070604.pdf

Appendix I: Guidance on Reporting a Cyber Incident

What to Report

A cyber incident should be reported if it resulted in either:

• Exposure of legally protected data in University databases, such as financial information protected by GLBA or health information protected by HIPAA,

AND/OR

• Major disruption to normal agency activities carried out via the University's data communications, such as network unavailability for all or significant portions of an agency due to a denial of service (DoS) attack.

You should report events that have a real impact on your organization. An IT security incident includes, but is not limited to, the following events regardless of platform or computer environment, when:

a. Damage is done
b. Loss occurs
c. Malicious code is implanted
d. There is evidence of tampering with data
e. Unauthorized access has been gained or repeated attempts at unauthorized access have been made (from either internal or external sources)
f. There has been a threat or harassment via an electronic medium (internal or external)
g. Access is achieved by the intruder
h. Web pages are defaced
i. A user detects something noteworthy or unusual (a new traffic pattern, new type of malicious code, a specific IP as the source of persistent attacks)
j. There is a denial of service attack on the agency
k. Virus attacks adversely affect servers or multiple workstations
l. Other information technology security incidents occur that could undermine confidence and trust in the Commonwealth's Information Technology systems

Appendix J - Contact Information for Local Police

Virginia Tech Police (540-231-6411)
Blacksburg Police (540-961-1150)
Christiansburg Police (540-382-3131)
Radford Police (540-731-3624)

Appendix K: Generalized Cyber Incident Escalation and Workflow Diagram

Appendix L: Acronyms

CIO: Chief Information Officer
CIRT: Computer Incident Response Team
CISO: Chief Information Security Officer
COV: Commonwealth of Virginia
CSRM: Commonwealth Security and Risk Management
DDoS: Distributed Denial of Service
ES: Enterprise Systems
FERPA: Family Educational Rights and Privacy Act
GLB: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
IDS: Intrusion Detection System
IMS: Identity Management Services
IPS: Intrusion Prevention System
IRM: Incident Response Manager
ISO: Information Security Officer
IT: Information Technology
ITSO: IT Security Office or IT Security Officer, depending on the context
ITAR: International Traffic in Arms Regulations
ITRM: Information Technology Resource Management
NI&S: Network Infrastructure and Services
NIST: National Institute of Standards and Technology
PCI-DSS: Payment Card Industry Data Security Standard
PII: Personally Identifiable Information
PIRN: Personal Information Requiring Notification
SEC501: Information Security Standard 501
SETI: Secure Enterprise Technology Initiatives
VCCC: VITA Customer Care Center
URL: Uniform Resource Locator
US-CERT: United States Computer Emergency Readiness Team
VITA: Virginia Information Technologies Agency
VT: Virginia Tech

Appendix M: Step by Step Cyber Incident Response

1. Incident Detection
2. Notify Department Head, IT Security Office
3. Consult Appendix G
4. Begin Timeline Documentation of the event
5. Follow instructions per IT Security Office for mitigation
6. Conduct mitigation
7. Confirm mitigation
8. Conduct "Lessons Learned" meeting
9. Incident Closure