First Response - Session 11 - Incident Response [2004]

Date posted: 16-Jan-2015
Uploaded by: phil-huggins

Description:
The eleventh session from a two day course I ran for potential first responders in a large financial services client.
Transcript
Page 1: First Response - Session 11 - Incident Response [2004]

First Responders Course
11 Incident Response

Phil Huggins
February 2004

Page 2

Agenda

Description
Isolation & Mitigation
Letter of Preservation
Additional Monitoring
External Notifications
Restoring the Systems
Securing the Systems
Summary Meeting

Page 3

Description

The goal of this phase is to respond to the data and conclusions drawn in the assessment phase

This includes:
Isolating compromised systems
Acquisition of systems
Increased logging and monitoring
Restoring systems
Increasing security

Page 4

Description

This phase restores the system(s) to a known and trusted state

The secondary goal of this phase is securing similar hosts to prevent additional attacks or at least increase monitoring to identify future attacks

The lessons learned will be shared so that future incident responses are more successful

Page 5

Key Ideas Review

The goal of acquisition is to save the state of the system

Document everything (even mistakes)

Trust nothing on the suspect system

Suspect systems should be modified as little as possible

Chain of Custody must be kept for all potential court evidence
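The chain-of-custody point above, as an added example that is not part of the course material: a small Python evidence record that hashes the acquired image once at acquisition and keeps a hash-chained log of every handling step, so that both a changed image and a silently edited log entry are detectable at verification time. The class, its field names, the handler roles and the constructed image bytes are assumptions made for this illustration.

```python
"""Evidence hash plus hash-chained chain-of-custody log (added example)."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string (the evidence fingerprint)."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Every entry stores the hash of the previous entry, so removing or editing
    an entry after the fact breaks verification. Hypothetical design for this
    example; map the fields onto your own evidence forms.
    """

    def __init__(self, evidence_id: str, image: bytes, handler: str):
        self.evidence_id = evidence_id
        self.image_hash = sha256_hex(image)   # recorded once, at acquisition
        self.entries: list[dict] = []
        self.add(handler, "acquired", f"image sha256={self.image_hash}")

    def add(self, handler: str, action: str, note: str = "") -> dict:
        """Record who did what to the evidence; mistakes are logged here too."""
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,      # acquired / transferred / analysed / returned ...
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(
            json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, image: bytes) -> tuple[bool, bool]:
        """Return (image unchanged?, custody chain intact?)."""
        image_ok = sha256_hex(image) == self.image_hash
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if e["prev_hash"] != prev or expected != e["entry_hash"]:
                return image_ok, False
            prev = e["entry_hash"]
        return image_ok, True


if __name__ == "__main__":
    image = b"constructed stand-in for an acquired disk image"   # constructed sample
    log = CustodyLog("EV-0001", image, "first responder")
    log.add("first responder", "transferred", "sealed bag handed to forensic analyst")
    log.add("forensic analyst", "analysed", "worked from a copy; original untouched")
    print("clean:", log.verify(image))                 # (True, True)
    print("image altered:", log.verify(image + b"x"))  # (False, True)
    log.entries[1]["note"] = "edited later"            # silent edit of the record
    print("log altered:", log.verify(image))           # (True, False)
```

The verification deliberately reports the two failures separately: a mismatched image hash is a problem with the evidence itself, whereas a broken chain is a problem with the documentation of its handling, and each needs a different explanation if the evidence is ever challenged.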

Page 6

Isolation & Mitigation

Systems that have been identified as compromised must be isolated to prevent damage to other systems and further damage to the compromised system itself

When possible, unplug from the network and plug into an empty hub or switch (to prevent network unreachable errors)

If it must be kept online, restrict access to and from it using ACLs on routers and switches

Apply network monitoring to those systems that are not removed from the network
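An added example (not from the course) of the monitoring step for a host that has to stay online behind ACLs: it reads firewall log lines in an iptables/syslog-like format, constructed inline here, and reports every connection between the isolated host and any peer other than the forensic workstation or the monitoring sensor, which is exactly the traffic the ACLs should have stopped. The addresses, the log format and the field names are assumptions for this example.

```python
"""Check firewall logs for traffic that breaches a host's isolation (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical addresses for this example.
ISOLATED_HOST = "10.1.1.50"                    # compromised host kept online
ALLOWED_PEERS = {"10.1.200.5", "10.1.200.6"}   # forensic workstation, monitoring sensor

# Constructed log lines in an iptables/syslog-like format (not real data).
SAMPLE_LOG = [
    "Feb 10 09:00:01 fw1 kernel: ACL IN=eth0 OUT=eth1 SRC=10.1.1.50 DST=10.1.200.5 PROTO=TCP SPT=1034 DPT=22",
    "Feb 10 09:00:07 fw1 kernel: ACL IN=eth0 OUT=eth1 SRC=10.1.1.50 DST=10.1.1.51 PROTO=TCP SPT=1035 DPT=445",
    "Feb 10 09:00:09 fw1 kernel: ACL IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=10.1.1.50 PROTO=TCP SPT=4444 DPT=80",
    "Feb 10 09:00:12 fw1 kernel: ACL IN=eth0 OUT=eth1 SRC=10.1.1.60 DST=10.1.1.61 PROTO=UDP SPT=137 DPT=137",
    "Feb 10 09:00:15 fw1 kernel: link state change on eth0",
    "Feb 10 09:00:20 fw1 kernel: ACL IN=eth1 OUT=eth0 SRC=10.1.200.6 DST=10.1.1.50 PROTO=ICMP",
]

# key=value pairs we care about; \b keeps SPT= from matching as DPT=
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


@dataclass
class Violation:
    line_no: int
    direction: str   # "outbound": isolated host initiated; "inbound": a peer reached it
    src: str
    dst: str
    proto: str
    dport: str


def parse_fields(line: str) -> dict:
    """Extract SRC/DST/PROTO/DPT from one log line; empty dict if none present."""
    return dict(_FIELD.findall(line))


def check_isolation(lines, isolated=ISOLATED_HOST, allowed=ALLOWED_PEERS):
    """Return every logged packet between the isolated host and a non-allowed peer."""
    violations = []
    for n, line in enumerate(lines, start=1):
        f = parse_fields(line)
        if "SRC" not in f or "DST" not in f:
            continue                      # not a packet log line
        src, dst = f["SRC"], f["DST"]
        proto, dport = f.get("PROTO", "?"), f.get("DPT", "-")
        if src == isolated and dst not in allowed:
            violations.append(Violation(n, "outbound", src, dst, proto, dport))
        elif dst == isolated and src not in allowed:
            violations.append(Violation(n, "inbound", src, dst, proto, dport))
    return violations


def summarise(violations) -> dict:
    """Count violations by direction; outbound hits are the more urgent ones."""
    return dict(Counter(v.direction for v in violations))


if __name__ == "__main__":
    for v in check_isolation(SAMPLE_LOG):
        print(f"line {v.line_no}: {v.direction} {v.src} -> {v.dst} {v.proto}/{v.dport}")
    print(summarise(check_isolation(SAMPLE_LOG)))
```

Outbound hits mean the isolated host is still able to reach other systems, so the ACL itself needs fixing; inbound hits from outside the allowed set show that the ACL is not blocking the attacker's path back in. Either way the log line is evidence to keep, not just an alert.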

Page 7

Letter of Preservation

When external systems are identified, a Letter of Preservation should be issued

Carries legal weight in the US

It requests that logs and other data be preserved and not deleted

Additional legal procedures are typically required before the data is actually transferred

The letter must specify a given host or person to save data about

An example can be found in the EnCase Legal Journal

Page 8

Additional Monitoring

Additional network monitoring devices may need to be deployed to:
Detect and observe future attacks
Collect additional evidence of an ongoing attack
Provide data to help identify the incident scope

These devices can be built during the Readiness Phase

Logging levels on firewalls, IDS, and servers may need to be increased

Some monitoring may not be allowed depending on User Privacy Policies

Page 9

Network Monitoring - UNIX

Snort (http://www.snort.org)
Ethereal (http://www.ethereal.com)
tcpdump (http://tcpdump.org)
snoop (included in Solaris)
Net Witness (http://www.forensicexplorers.com)

Page 10

Network Monitoring - Windows

Windump (http://windump.polito.it)
Snort (http://www.snort.org)
Etherpeek (http://www.wildpackets.com)
Ethereal (http://www.ethereal)
Net X-Ray (http://www.netxray.co.uk)
Sniffer Technologies (http://www.networkassociates.com/us/products/sniffer/home.asp)
eEye Iris (http://www.eeye.com/html/Products/Iris/index.html)

Page 11

Network Monitoring - Advanced

Niksun (http://www.axial.co.uk/niksun/niksun_products.asp)
Digital Guardian (http://www.verdasys.com)

Page 12

External Notification

FBI
Local Police Force
FIRST (www.first.org)
incidents.org (SANS)
[email protected]
Any public postings must be from a generic email account (watch out for X-headers with free HTML-email)

Page 13

Restoring the Systems

It is important to not restore data that has trojans or backdoors

If a backup is known to not be compromised, it can be used

Otherwise, start with a new install

Ensure that the system has all patches installed
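An added example, not part of the course material, of how the "known to not be compromised" test can be made concrete: the candidate backup is compared against a hash manifest of a trusted install. That such a manifest exists is an assumption (it is the kind of thing the Readiness Phase would produce); the file names and contents are constructed, and the function names are hypothetical.

```python
"""Decide whether a backup is clean enough to restore by comparing it
against a hash manifest of a trusted install (added example)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """path -> SHA-256, taken from a trusted install before the incident."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_backup(trusted_manifest: dict, backup_files: dict) -> dict:
    """Classify every path in the backup as unchanged, modified, added or missing."""
    backup_manifest = build_manifest(backup_files)
    report = {"unchanged": [], "modified": [], "added": [], "missing": []}
    for path, digest in trusted_manifest.items():
        if path not in backup_manifest:
            report["missing"].append(path)
        elif backup_manifest[path] != digest:
            report["modified"].append(path)      # candidate trojaned file
        else:
            report["unchanged"].append(path)
    # files present in the backup that the trusted install never had
    report["added"] = sorted(set(backup_manifest) - set(trusted_manifest))
    return report


def safe_to_restore(report: dict) -> bool:
    """Only a backup with no altered and no unexpected files is a restore candidate;
    missing files are a completeness problem, not a compromise indicator."""
    return not report["modified"] and not report["added"]


# Constructed sample data standing in for real file contents.
TRUSTED_FILES = {
    "/bin/ls": b"clean ls binary v1",
    "/bin/ps": b"clean ps binary v1",
    "/etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/in.ftpd\n",
}
BACKUP_FILES = {
    "/bin/ls": b"clean ls binary v1",
    "/bin/ps": b"ps binary with different contents",          # modified since trusted
    "/etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/in.ftpd\n",
    "/etc/rc.d/rc.local.bak": b"unexpected startup script\n",  # not in trusted install
}


if __name__ == "__main__":
    report = compare_backup(build_manifest(TRUSTED_FILES), BACKUP_FILES)
    for kind in ("modified", "added", "missing"):
        print(f"{kind}: {report[kind]}")
    print("safe to restore:", safe_to_restore(report))   # False
```

A backup that fails this check is still useful as evidence (it shows what changed and when), but it is restored only after the flagged files are replaced from a clean install, which is the "otherwise, start with a new install" path the slide describes.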

Page 14

Securing the Systems

If the method of attack is known, secure the compromised host from it first

Afterwards, secure other hosts with the same vulnerability

If the exact method is not known yet, ensure that monitoring is in place to detect future attacks

After a forensic analysis is performed, secure any vulnerabilities that were found

Additional filters may be applied to the recovered host to detect future attempts

Page 15

Summary Meeting

Each person involved with the incident should attend a summary meeting

This will cover what worked and what did not work

Policies and procedures should be modified appropriately

Any ‘tricks’ that were discovered should be documented to help future responders

Page 16

Incident Response Summary

This phase performs actions based on data found in the Assessment Phase

Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected

External organizations may provide support or assistance

Ensure security holes are plugged and risks mitigated
