Principles of Incident Response and Disaster Recovery

Chapter 7 Incident Response: Response Strategies

Objectives

• Explain what an IR reaction strategy is and list general strategies that apply to all incidents

• Define incident containment and describe how it is applied to an incident

• List some of the more common categories of incidents that may occur

• Discuss the IR reaction strategies unique to each category of incident

Principles of Incident Response and Disaster Recovery, 2nd Edition 2

Introduction

• What do we do once we have detected an incident?

• IR reaction strategies – Procedures for regaining control of systems and

restoring operations to normalcy – Are at the heart of the IR plan and the CSIRT’s

operations • How the CSIRT responds to an incident relies in

part on its mission philosophy: – Protect and forget – Apprehend and prosecute

Principles of Incident Response and Disaster Recovery, 2nd Edition 3

IR Response Strategies

• Once the CSIRT has been notified and arrives “on scene ” – First: assess the situation – Second: begin asserting control and make positive

steps to regain control over the organization’s information assets

Principles of Incident Response and Disaster Recovery, 2nd Edition 4

IR Response Strategies (cont’d.)

Principles of Incident Response and Disaster Recovery, 2nd Edition 5

Response Preparation

• Prevention strategies – Using risk assessment to make informed decisions – Acquiring and maintaining good host security – Acquiring and maintaining good network security – Implementing comprehensive malware prevention – Thorough and ongoing training to raise user

awareness

Principles of Incident Response and Disaster Recovery, 2nd Edition 6

Incident Containment

• Containment strategies – Monitoring system and network activities – Disabling access to compromised systems that are

shared with other computers – Changing passwords or disabling accounts of

compromised systems – Disabling system services, if possible

Principles of Incident Response and Disaster Recovery, 2nd Edition 7

Incident Containment

• Containment strategies (cont’d.) – Disconnecting compromised systems (or networks)

from the local network – Temporarily shutting down compromised systems – Verifying that redundant systems and data have not

been compromised

Principles of Incident Response and Disaster Recovery, 2nd Edition 8

Principles of Incident Response and Disaster Recovery, 2nd Edition 9

Incident Containment (cont’d.)

• Identifying the attacking hosts involves: – Verifying the IP address of the attacking system – Web-based research of the attacking host’s IP

address – Incident/attack database searches – Attacker back-channel and side-channel

communications

Principles of Incident Response and Disaster Recovery, 2nd Edition 10

Incident Eradication

• Many practitioners feel that a system, once compromised, can never be restored to a trusted state

• To prevent concurrent recurrence – Team must continuously monitor the assets

associated with the current incident and the remaining assets that may be susceptible to attack

– The organization’s monitoring teams should be on high alert, carefully examining communications and system activities

Principles of Incident Response and Disaster Recovery, 2nd Edition 11

Incident Recovery

• The reestablishment of the pre-incident status of all organizational systems

• Incident recovery involves: – Implementing the backup and recovery plans that

should already be in place before the attack • Difficult part of recovery

– The identification of data that may have been disclosed

Principles of Incident Response and Disaster Recovery, 2nd Edition 12

Incident Containment and Eradication Strategies for Specific Attacks

• CSIRT leader must determine appropriate response based on certain aspects of the incident – Type – Method of incursion – Current level of success – Current level of loss – Expected or projected level of loss – Target – Target’s level of classification and/or sensitivity – Any legal or regulatory impacts mandating a specific

response Principles of Incident Response and Disaster Recovery, 2nd Edition 13

Incident Containment and Eradication Strategies for Specific Attacks (cont’d.) • Containment strategy should include details about

how the organization will handle: – Theft or damage to assets – Whether to preserve evidence for potential criminal

prosecution – Service-level commitments and contract

requirements to customers – Allocation of necessary resources to activate

strategy – Graduated responses that may be necessary – Duration of containment efforts

Principles of Incident Response and Disaster Recovery, 2nd Edition 14

Handling Denial of Service (DoS) Incidents

• Denial-of-service (DoS) attack – Occurs when an attacker’s action prevents the

legitimate users of a system from using it • Distributed denial-of-service (DDoS) attack

– The use of multiple systems to simultaneously attack a single target

Principles of Incident Response and Disaster Recovery, 2nd Edition 15

Handling Denial of Service (DoS) Incidents (cont’d.)

• Tasks to be performed before the DoS incident – Coordinating with service provider – Collaborating and coordinating with professional

response agencies – Implementation of prevention technologies – Monitoring resources – Coordinating the monitoring and analysis capabilities – Setting up logging and documentation – Configuring network devices to prevent DoS

incidents

Principles of Incident Response and Disaster Recovery, 2nd Edition 16

Handling Denial of Service (DoS) Incidents (cont’d.)

• Containment strategies during the DoS incident – Try to fix the source of the problem – Change the organization’s filtering strategy – Try to filter based on the characteristics of the attack – Engage upstream partners – Eliminate or relocate the target system

Principles of Incident Response and Disaster Recovery, 2nd Edition 17

Handling Denial of Service (DoS) Incidents (cont’d.)

Principles of Incident Response and Disaster Recovery, 2nd Edition 18

Principles of Incident Response and Disaster Recovery, 2nd Edition 19

Handling Denial of Service (DoS) Incidents (cont’d.)

• After the DoS attack, the organization: – Should consider its overall philosophy of protect and

forget or apprehend and prosecute – Will want to collect evidence to see how the incident

occurred and to provide insight into how to avoid future recurrences

Principles of Incident Response and Disaster Recovery, 2nd Edition 20

Principles of Incident Response and Disaster Recovery, 2nd Edition 21

Principles of Incident Response and Disaster Recovery, 2nd Edition 22

Malware

• Designed to damage, destroy, or deny service to the target systems

• Common instances include: – Viruses and worms, Trojan horses, logic bombs,

back doors, and rootkits • Cookie

– Data kept by a Web site as a means of recording that a system has visited the site

• Tracking cookie – Collects valuable personal information, then sends it

along to the attacker Principles of Incident Response and Disaster Recovery, 2nd Edition 23

Malware (cont’d.)

• Before the malware incident : – Schedule awareness programs to inform users

about current malware issues – Keep up on vendor and IR agency postings and

bulletins – Implement appropriate IDPS – Conduct effective inventory and data organization – Implement and test data backup and recovery

programs

Principles of Incident Response and Disaster Recovery, 2nd Edition 24

Malware (cont’d.)

• To search for undetected infections during the malware incident – Scan internal systems to look for active service ports – Use updated scanning and cleanup tools promptly

and aggressively – Analyze logs from e-mail servers, firewalls, IDPSs,

and individual host log files for anomalous items – Give network and host intrusion systems access to

signature files that can indicate when certain behaviors have occurred

– Conduct periodic and ongoing audits Principles of Incident Response and Disaster Recovery, 2nd Edition 25

Principles of Incident Response and Disaster Recovery, 2nd Edition 26

Principles of Incident Response and Disaster Recovery, 2nd Edition 27

Principles of Incident Response and Disaster Recovery, 2nd Edition 28

Malware (cont’d.)

• Response strategies for malware outbreaks include: – Filtering e-mail based on subject, attachment type

using malware signatures, or other criteria – Blocking known attackers – Interrupting some services – Severing networks from the Internet or each other – Engaging the users – Disrupting service

Principles of Incident Response and Disaster Recovery, 2nd Edition 29

Malware (cont’d.)

• After the malware incident – System should be constantly monitored to prevent

re-infection – Distribute warnings that a particular malware

incident has occurred and that it was successfully handled

Principles of Incident Response and Disaster Recovery, 2nd Edition 30

Unauthorized Access

• Attempts by insiders to escalate privileges and access information and other assets for which they do not explicitly have authorization

• Some examples of UA – Gaining unauthorized administrative control of any

server or service – Gaining unauthorized access to any network or

computing resource – Defacing or unauthorized modification of any public-

facing information service

Principles of Incident Response and Disaster Recovery, 2nd Edition 31

Principles of Incident Response and Disaster Recovery, 2nd Edition 32

Unauthorized Access (cont’d.)

• Before the UA incident – Placing a common central log server in a more

highly protected area of the network will certainly assist in post-event analyses

– Implementing an effective password policy and having both a complete and usable management policy as well as technology-enforced password requirements is critical

Principles of Incident Response and Disaster Recovery, 2nd Edition 33

Principles of Incident Response and Disaster Recovery, 2nd Edition 34

Principles of Incident Response and Disaster Recovery, 2nd Edition 35

Unauthorized Access (cont’d.)

• During the UA incident – NIST recommends the following containment

strategies • Isolate • Disable • Block • Disable • Lockdown

Principles of Incident Response and Disaster Recovery, 2nd Edition 36

Principles of Incident Response and Disaster Recovery, 2nd Edition 37

Principles of Incident Response and Disaster Recovery, 2nd Edition 38

Unauthorized Access (cont’d.)

• After the UA incident – The task of identifying the avenue of attack and

closing any still-open repeat mechanisms begins – The organization must identify the extent of the

damage and look for any residual effects – The CSIRT should always presume that if a critical

information asset was accessed, the data stored within it is compromised

Principles of Incident Response and Disaster Recovery, 2nd Edition 39

Principles of Incident Response and Disaster Recovery, 2nd Edition 40

Inappropriate Use

• IU incidents – Predominantly characterized as a violation of policy

rather than an effort to abuse existing systems • The following can be considered IU incidents

– Inappropriate and/or unauthorized software or services

– Organizational resources used for personal reasons – Organizational resources used to harass coworkers – Restricted company information and other assets

stored in external sites

Principles of Incident Response and Disaster Recovery, 2nd Edition 41

Inappropriate Use (cont’d.)

• Before the IU incident – For a policy to become enforceable, it must meet the

following five criteria • Dissemination (distribution) • Review (reading) • Comprehension (understanding) • Compliance (agreement) • Uniform enforcement

Principles of Incident Response and Disaster Recovery, 2nd Edition 42

Inappropriate Use (cont’d.)

• During the IU incident – Level of authority an individual manager has

• Important thing to consider when investigating a potential IU incident

– Clear policies must be in place that discuss the level of direct investigation the CSIRT may undertake

– The organization should clearly define the circumstances under which the CSIRT and/or management may investigate the interior of a piece of organization equipment

Principles of Incident Response and Disaster Recovery, 2nd Edition 43

Principles of Incident Response and Disaster Recovery, 2nd Edition 44

Principles of Incident Response and Disaster Recovery, 2nd Edition 45

Inappropriate Use (cont’d.)

• After the IU incident – The CSIRT will typically turn copies of all

documentation over to management for administrative handling, then monitor the offending systems for possible recurrences

Principles of Incident Response and Disaster Recovery, 2nd Edition 46

Principles of Incident Response and Disaster Recovery, 2nd Edition 47

Hybrid or Multicomponent Incidents

• Many incidents begin with one type of event, then transition to another

• Timeliness is a factor in prioritizing the response • Key recommendations for handling hybrid incidents

– Use software to support incident management – Prioritize each incident component as it arises – Contain each incident, then scan for others

Principles of Incident Response and Disaster Recovery, 2nd Edition 48

Principles of Incident Response and Disaster Recovery, 2nd Edition 49

Automated IR Response Systems

• The CSIRT must document and preserve every action, file, event, and item of potential evidentiary value

• Automated IR systems to facilitate IR documentation are available through a number of vendors

Principles of Incident Response and Disaster Recovery, 2nd Edition 50

Summary

• IR reaction strategies – Plans for regaining control of systems and restoring

operations to normality in the event of an incident • Once the CSIRT is active, the first task that must

occur is an assessment of the situation • Some prevention strategies include:

– Risk assessment – Acquiring and maintaining good host security – Acquiring and maintaining good network security

• It is imperative to contain a confirmed incident Principles of Incident Response and Disaster Recovery, 2nd Edition 51

Summary (cont’d.)

• Incident recovery – The reestablishment of the pre-incident status of all

organizational systems • The selection of the appropriate reaction strategy is

an exercise in risk assessment • Denial of service (DoS)

– Occurs when an attacker’s action prevents the legitimate users of a system or network from using it

Principles of Incident Response and Disaster Recovery, 2nd Edition 52