Date posted: 16-Jan-2015 (uploaded by phil-huggins)
First Responders Course 11: Incident Response
Phil Huggins, February 2004
Agenda
Description
Isolation & Mitigation
Letter of Preservation
Additional Monitoring
External Notifications
Restoring the Systems
Securing the Systems
Summary Meeting
Description
The goal of this phase is to respond to the data and conclusions drawn in the assessment phase
This includes:
Isolating compromised systems
Acquisition of systems
Increased logging and monitoring
Restoring systems
Increasing security
Description
This phase restores the system(s) to a known and trusted state
The secondary goal of this phase is securing similar hosts to prevent additional attacks, or at least increasing monitoring so that future attacks are identified
The lessons learned are shared so that future incidents are handled more successfully
Key Ideas Review
The goal of acquisition is to save the state of the system
Document everything (even mistakes)
Trust nothing on the suspect system
Suspect systems should be modified as little as possible
Chain of Custody must be kept for all potential court evidence
Isolation & Mitigation
Systems that have been identified as compromised must be isolated, both to stop them being used against other systems and to prevent further damage to the compromised host itself
When possible, unplug the host from the network and plug it into an empty hub or switch, so that the interface keeps link and processes on the host do not start failing with network unreachable errors
If it must be kept online, restrict access to and from it using ACLs on routers and switches
Apply network monitoring to those systems that are not removed from the network
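As an added example (not part of the course material), here is the ACL-style isolation above applied on a Linux gateway that forwards the compromised host's traffic, so that the rules live on a system the attacker does not control rather than on the suspect host itself (Key Ideas Review: trust nothing on the suspect system). It assumes the compromised host is 10.0.5.23, that the forensic workstation which will perform the acquisition is 10.0.9.10, and that iptables is available on the gateway; with IPT=echo the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original course. Network isolation of a
# compromised host (assumed 10.0.5.23) on a Linux gateway that forwards its
# traffic: only the forensic workstation (assumed 10.0.9.10) may talk to it,
# everything else is logged (rate-limited) and dropped, in both directions.
# Rules are applied with "$IPT"; IPT=echo prints them instead of applying them.
IPT="${IPT:-iptables}"

# isolate_host COMPROMISED FORENSIC_WS
isolate_host() {
    host="$1"; ws="$2"
    # A dedicated chain keeps the isolation rules apart from the normal
    # ruleset and makes release_host a clean undo.
    "$IPT" -N ISOLATED 2>/dev/null || "$IPT" -F ISOLATED
    # Acquisition traffic (e.g. dd piped over netcat) between the two hosts only.
    "$IPT" -A ISOLATED -s "$ws" -d "$host" -j ACCEPT
    "$IPT" -A ISOLATED -s "$host" -d "$ws" -j ACCEPT
    # Everything else is evidence of further attacker activity: log it, but
    # rate-limit so a flood cannot fill the gateway's log, then drop.
    "$IPT" -A ISOLATED -m limit --limit 10/min -j LOG --log-prefix "ISOLATED: "
    "$IPT" -A ISOLATED -j DROP
    # Insert at position 1 so the chain is hit before any existing ACCEPT rule.
    "$IPT" -I FORWARD 1 -s "$host" -j ISOLATED
    "$IPT" -I FORWARD 1 -d "$host" -j ISOLATED
}

# release_host COMPROMISED: remove the jumps and the chain once the host has
# been rebuilt (see "Restoring the Systems").
release_host() {
    host="$1"
    "$IPT" -D FORWARD -s "$host" -j ISOLATED
    "$IPT" -D FORWARD -d "$host" -j ISOLATED
    "$IPT" -F ISOLATED
    "$IPT" -X ISOLATED
}

# With two arguments, apply for real; with none, print the ruleset for the
# sample addresses so it can be reviewed first.
if [ $# -eq 2 ]; then
    isolate_host "$1" "$2"
else
    IPT=echo
    isolate_host 10.0.5.23 10.0.9.10
fi
```

The gateway only sees traffic that crosses it: hosts on the same switch or VLAN can still reach the compromised host directly, which is why the slide prefers unplugging or switch ACLs. Review the printed ruleset before applying it, and apply it from a console or from the forensic workstation, since any other management session through the gateway to the host is cut off.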
Letter of Preservation
When external systems are identified, a Letter of Preservation should be issued
Carries legal weight in the US
It requests that logs and other data be preserved and not deleted
Additional legal procedures are typically required before the data is actually transferred
The letter must specify a given host or person to save data about
An example can be found in the EnCase Legal Journal
Additional Monitoring
Additional network monitoring devices may need to be deployed to:
Detect and observe future attacks
Collect additional evidence of an ongoing attack
Provide data to help identify the incident scope
These devices can be built during the Readiness Phase
Logging levels on firewalls, IDS, and servers may need to be increased
Some monitoring may not be allowed depending on User Privacy Policies
Network Monitoring - UNIX
Snort (http://www.snort.org)
Ethereal (http://www.ethereal.com; the project continued as Wireshark)
tcpdump (http://tcpdump.org)
snoop (included in Solaris)
Net Witness (http://www.forensicexplorers.com)
Network Monitoring - Windows
Windump (http://windump.polito.it)
Snort (http://www.snort.org)
Etherpeek (http://www.wildpackets.com)
Ethereal (http://www.ethereal.com)
Net X-Ray (http://www.netxray.co.uk)
Sniffer Technologies (http://www.networkassociates.com/us/products/sniffer/home.asp)
eEye Iris (http://www.eeye.com/html/Products/Iris/index.html)
Network Monitoring - Advanced
Niksun (http://www.axial.co.uk/niksun/niksun_products.asp)
Digital Guardian (http://www.verdasys.com)
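An added example (not from the course) of the additional monitoring described above, using tcpdump from the UNIX list: start_capture records full packets for one or more compromised hosts into a rotating set of files, and peers_of runs over tcpdump's text output to count which addresses talked to a given host, which is a first cut at the incident's scope. It is meant to run on a separate monitoring box attached to a mirror/SPAN port or hub, never on the suspect host. The interface name, the addresses and the sample capture lines are assumed or constructed.

```shell
#!/bin/sh
# Added example, not from the original course: extra network monitoring of a
# compromised host with tcpdump, plus a summary of its peers from the text
# output. Interface, addresses and the sample lines below are constructed.

# bpf_for_hosts HOST... -> "host A or host B", the capture filter
bpf_for_hosts() {
    f=""
    for h in "$@"; do
        if [ -z "$f" ]; then f="host $h"; else f="$f or host $h"; fi
    done
    printf '%s' "$f"
}

# start_capture IFACE OUTDIR HOST...
# -n: no name resolution, so the capture itself generates no DNS traffic
# -s 0: full packets (the payload is the evidence)
# -C 100 -W 50: new file every 100 MB, 50 files kept as a ring buffer
# -Z nobody: drop root after the device is opened (OUTDIR must be writable by nobody)
start_capture() {
    iface="$1"; outdir="$2"; shift 2
    mkdir -p "$outdir"
    tcpdump -i "$iface" -n -s 0 -C 100 -W 50 -Z nobody \
        -w "$outdir/capture.pcap" "$(bpf_for_hosts "$@")"
}

# peers_of HOST: read "tcpdump -n" text output on stdin and print
# "<packets> <peer address>", busiest peer first.
peers_of() {
    awk -v h="$1" '
        $2 == "IP" {
            src = $3; dst = $5
            sub(/:$/, "", dst)          # "10.0.5.23.22:" -> "10.0.5.23.22"
            sub(/\.[0-9]+$/, "", src)   # strip the port from both endpoints
            sub(/\.[0-9]+$/, "", dst)
            if (src == h) n[dst]++; else if (dst == h) n[src]++
        }
        END { for (p in n) printf "%d %s\n", n[p], p }
    ' | sort -rn
}

# Constructed sample of "tcpdump -n" output for the demonstration (not real traffic):
# an external host probing SSH twice, the compromised host calling out to port
# 6667, and the forensic workstation connecting in.
SAMPLE_TCPDUMP='12:00:01.000001 IP 203.0.113.5.51234 > 10.0.5.23.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 10.0.5.23.22 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP 10.0.5.23.40001 > 198.51.100.9.6667: Flags [S], seq 3, win 65535, length 0
12:00:03.000001 IP 203.0.113.5.51235 > 10.0.5.23.22: Flags [S], seq 4, win 65535, length 0
12:00:04.000001 IP 10.0.9.10.55000 > 10.0.5.23.22: Flags [S], seq 5, win 65535, length 0'

printf '%s\n' "$SAMPLE_TCPDUMP" | peers_of 10.0.5.23
```

In a live capture the text input for peers_of comes from `tcpdump -n -r capture.pcap`; anything the compromised host initiates outbound (here the port 6667 connection) is worth chasing first, since it usually points at the attacker's infrastructure or at the next victim. Remember the slide's caveat that the user privacy policy may restrict how much of this you are allowed to capture.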
External Notification
FBI
Local Police Force
FIRST (www.first.org)
incidents.org (SANS) [email protected]
Any public postings must be from a generic email account (watch out for the X-headers that free HTML-email services add, which can identify the real sender's address or organisation)
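An added example (not from the course) of the check behind the last bullet: before a report goes to a public list, scan the draft's headers for anything that ties the post back to the organisation or to the responder's workstation. The header names checked, the corporate domain (example.com), the list address and both message samples are assumed or constructed for the demonstration; which headers a given webmail service adds varies, so extend the list to match what your own provider emits.

```shell
#!/bin/sh
# Added example, not from the original course: find headers in an outgoing
# message that would identify the real sender. The header names, domain and
# both sample messages are constructed for the demonstration.

# leaky_headers CORP_DOMAIN < message-headers
# Prints each header that would identify the sender; prints nothing if clean.
leaky_headers() {
    awk -v corp="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { l = tolower($0) }
        # Headers some webmail/desktop clients add that name the real client or its address
        l ~ /^(x-originating-ip|x-originating-email|x-sender|x-mailer|user-agent):/ { print; next }
        # Relay trail naming the corporate domain or an RFC 1918 address
        l ~ /^received:/ && (index(l, corp) ||
            l ~ /(^|[^0-9])(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) { print; next }
        # Sender/reply addresses and message IDs minted on the corporate mail system
        l ~ /^(from|reply-to|return-path|message-id):/ && index(l, corp) { print; next }
    '
}

# Constructed: a draft sent from a responder's corporate webmail account
LEAKY_HEADERS='From: Incident Response <ir-team@example.com>
To: list@example.org
Subject: Scans from 203.0.113.0/24 against port 22
Date: Mon, 09 Feb 2004 10:12:00 +0000
X-Originating-IP: [192.0.2.45]
X-Mailer: Acme Webmail 3.1
Received: from ws-huggins.corp.example (10.0.4.17) by mail.example.com
Message-ID: <20040209101200.GA4711@mail.example.com>'

# Constructed: the same report from a generic account on an unrelated provider
CLEAN_HEADERS='From: netsecwatch@example.net
To: list@example.org
Subject: Scans from 203.0.113.0/24 against port 22
Date: Mon, 09 Feb 2004 10:12:00 +0000
Received: from mail.example.net (198.51.100.20) by mx.example.org
Message-ID: <20040209101200.GA123@example.net>'

echo "--- draft from corporate webmail:"
printf '%s\n' "$LEAKY_HEADERS" | leaky_headers example.com
echo "--- draft from generic account:"
printf '%s\n' "$CLEAN_HEADERS" | leaky_headers example.com
```

The draft from the corporate account is flagged on five headers (From, X-Originating-IP, X-Mailer, the internal Received hop and the Message-ID), the generic-account draft on none. Paste the full header block of a test message sent to yourself through the generic account into the check; the body of the report should get the same scrutiny for internal hostnames and addresses.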
Restoring the Systems
It is important to not restore data that has trojans or backdoors
If a backup is known to not be compromised, it can be used
Otherwise, start with a new install
Ensure that the system has all patches installed
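An added example (not from the course) of the check implied by the first bullet: before a backup or a candidate restore goes back into service, compare every file in it against a manifest of hashes taken from a trusted reference (a fresh install, or a backup made before the intrusion). The manifest must never be generated on the suspect host (Key Ideas Review: trust nothing on it). The directory layout and file contents below are constructed for the demonstration; sha256sum (or shasum on BSD/macOS) is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original course: verify a candidate restore
# against a sha256 manifest taken from a trusted reference so that a
# trojaned file or a dropped backdoor is caught before the host goes back
# into service. Directory names and file contents are constructed.

# sha256sum on Linux, shasum on the BSDs/macOS; same "hash  path" line format.
hasher() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# build_manifest DIR: hash every regular file under DIR (run this on the
# trusted reference, never on the suspect host) and print the manifest.
build_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do hasher "$f"; done )
}

# verify_restore DIR MANIFEST
# Prints one line per problem:
#   MISMATCH: <path>: FAILED   changed file ("FAILED open or read" if missing)
#   EXTRA: <path>              present in DIR but not in the manifest
# Returns 0 only if DIR matches the manifest exactly.
verify_restore() {
    dir="$1"; manifest="$2"
    expected=$(mktemp); actual=$(mktemp)
    awk '{ print $2 }' "$manifest" | sort > "$expected"
    ( cd "$dir" && find . -type f | sort ) > "$actual"
    problems=$(
        # -c re-hashes every listed file; --quiet suppresses the OK lines
        ( cd "$dir" && hasher -c --quiet "$manifest" 2>/dev/null ) | grep 'FAILED' | sed 's/^/MISMATCH: /'
        # files only in the restore tree: where a dropped backdoor shows up
        comm -13 "$expected" "$actual" | sed 's/^/EXTRA: /'
    )
    rm -f "$expected" "$actual"
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Demonstration: a clean reference tree, then a "restore" in which sshd was
# replaced and an extra hidden file was dropped.
work=$(mktemp -d)
mkdir -p "$work/reference/bin" "$work/restore/bin"
printf 'clean ls\n'   > "$work/reference/bin/ls"
printf 'clean sshd\n' > "$work/reference/bin/sshd"
build_manifest "$work/reference" > "$work/manifest.sha256"

printf 'clean ls\n'      > "$work/restore/bin/ls"
printf 'trojaned sshd\n' > "$work/restore/bin/sshd"
printf 'backdoor\n'      > "$work/restore/bin/.hidden"

if verify_restore "$work/restore" "$work/manifest.sha256"; then
    echo "restore matches the reference"
else
    echo "restore must NOT be used"
fi
```

For a real system the manifest covers the system binaries and configuration, while user data restored from backup still needs to be inspected separately; hashes only tell you that a file differs from the reference, so a legitimately changed configuration file will also show as MISMATCH and has to be reviewed by hand rather than waved through.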
Securing the Systems
If the method of attack is known, secure the compromised host against it first
Then secure any other hosts that share the same vulnerability
If the exact method is not known yet, ensure that monitoring is in place to detect future attacks
After a forensic analysis is performed, secure any vulnerabilities that were found
Additional filters may be applied to the recovered host to detect future attempts
Summary Meeting
Each person involved with the incident should attend a summary meeting
This will cover what worked and what did not work
Policies and procedures should be modified appropriately
Any ‘tricks’ that were discovered should be documented to help future responders
Incident Response Summary
This phase performs actions based on data found in the Assessment Phase
Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected
External organizations may provide support or assistance
Ensure security holes are plugged and risks mitigated