Session 334 Incident Management. Jeff Roth, CISA, CGEIT, CISSP

Similar documents
CSIRT Introduction to Security Incident Handling

Computer Security Incident Handling Detec6on and Analysis

Data Security Incident Response Plan. [Insert Organization Name]

How To Audit The Mint'S Information Technology

Information Security Incident Management Guidelines

INCIDENT RESPONSE CHECKLIST

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

KEY STEPS FOLLOWING A DATA BREACH

LogRhythm and NERC CIP Compliance

Data Management Policies. Sage ERP Online

Attachment A. Identification of Risks/Cybersecurity Governance

IMS-ISA Incident Response Guideline

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Data Breach Strikes - Nerds & Geeks Unite: Effective Cooperation Between Privacy and Technical Experts Presented by: Paul H. Luehr, Managing Dir.

How To Manage Security On A Networked Computer System

Incident Reporting Guidelines for Constituents (Public)

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Supplier Information Security Addendum for GE Restricted Data

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

Defending Against Data Beaches: Internal Controls for Cybersecurity

LogRhythm and PCI Compliance

Business & Finance Information Security Incident Response Policy

SANS Top 20 Critical Controls for Effective Cyber Defense

Cyber Security Metrics Dashboards & Analytics

Into the cybersecurity breach

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

SECURITY. Risk & Compliance Services

Guideline on Auditing and Log Management

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

OCIE CYBERSECURITY INITIATIVE

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

FISMA / NIST REVISION 3 COMPLIANCE

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

GEARS Cyber-Security Services

Network Security Policy: Best Practices White Paper

Incident Response. Proactive Incident Management. Sean Curran Director

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard

Enterprise Security Tactical Plan

GFI White Paper PCI-DSS compliance and GFI Software products

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Incident Response 101: You ve been hacked, now what?

Critical Security Controls

California State University, Chico. Information Security Incident Management Plan

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

September 20, 2013 Senior IT Examiner Gene Lilienthal

The University of Tennessee Chattanooga Incident Response Plan

Cybersecurity: What CFO s Need to Know

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

Ecom Infotech. Page 1 of 6

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs

Standard: Information Security Incident Management

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

IT Security Incident Management Policies and Practices

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Cyber Incident Response

Office of Inspector General

Security Policy for External Customers

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

Audit Report. Management of Naval Reactors' Cyber Security Program

Security Controls Implementation Plan

RISK ASSESSMENT GUIDELINES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Stay ahead of insiderthreats with predictive,intelligent security

Payment Card Industry Data Security Standard

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Overcoming PCI Compliance Challenges

Security Overview. BlackBerry Corporate Infrastructure

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Protecting against cyber threats and security breaches

DUUS Information Technology (IT) Incident Management Standard

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Guideline on Incident Handling

DATA BREACH COVERAGE

Incident Response Plan for PCI-DSS Compliance

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Concierge SIEM Reporting Overview

TRIPWIRE NERC SOLUTION SUITE

How to effectively respond to an information security incident

Cisco Advanced Services for Network Security

The webinar will begin shortly

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

THE BEST WAY TO CATCH A THIEF. Patrick Bedwell, Vice President, Product Marketing

Cisco IPS Tuning Overview

Transcription:

Session 334 Incident Management Jeff Roth, CISA, CGEIT, CISSP

SPEAKER BIOGRAPHY Jeff Roth, CISA, CGEIT Jeff Roth has over 25 years experience in IT audit, security, risk management and IT Governance experience in public and private sectors. Over this time, Jeff has developed specific focus on certification and accreditation assessment and Information system security engineering for critical infrastructure reviews for high impact federal, state and local governments. This includes specialized security, ethics and fraud investigation support to inside/outside legal counsel, ethics officers, corporate security and the NASA Office of the Inspector General at Johnson, Kennedy, Marshall and Stennis Space Centers. Most recently Jeff has been a contributor to ISACA s COBIT Task Force - COBIT 5 for Security upcoming publication.

Session Agenda Incident detection, identification and recording Goals Methods and Techniques Recognized investigative techniques and diagnosis Determine the correct resolution and recovery processes for your environment Establish and evaluate your organizations incident management framework Good References for Incident Management Practices

Session Goals How to develop and establish incident detection, identification and recording capabilities Recognized investigative techniques and diagnosis to be used within the incident id management processes Determine resolution and recovery techniques that should be in your incident management toolkit Establishing and evaluating incident management frameworks best for your organization Where to go for further guidance related to incident management

Setting the Stage Organizing Oga gan effective ect ecomputer security incident response capability (CSIRC) involves several major decisions and actions. Establishing an organization specific definition of the term incident so that the scope of the term is clear. What services the incident response team should provide Consider which team structures and models can provide those services, and select and implement one or more incident response teams. Incident response plan, policy, and procedure creation

Setting the Stage Incident response is needed because attacks frequently compromise personal and business dt data. Citi Critically success factors are: Rapid, effective and efficient response when security breaches occur Systematic response to incidents that provides a consistent incident handling processes repeatable and reliable see you in court Ensuring the appropriate actions are taken as required by organizational, industry and regulatory entities. Benefits include: Minimize loss or theft of information and disruption of services caused by incidents. Use information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and

Incident Detection, Identification and Recording

Incident Detection, Identification and Recording Definitions 1 An event is any observable occurrence in a system or network. Examples of typical events include: A user connecting to a file share, a server receiving a request for a web page, A user sending email, A firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. 1 NIST Special Publication 800 61, Computer Security Incident Handling Guide

Incident Detection, Identification Definitions 1 and Recording A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable tbl use policies, i or standard dsecurity practices. Examples of incidents are: Targeting DDOS A botnet sends high volumes of connection requests to a web server, causing it to crash. PHISHING Users are tricked into opening a quarterly report sent via email that is actually malware; running the tool has infected their computers and established connections with an external host. Data Breach An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money. 1 NIST Special Publication 800 61, Computer Security Incident Handling Guide

Incident Detection, Identification and Recording Definitions 1 A computer security incident id is a violation i or imminent threat of violation of computer security policies, acceptable usepolicies, or standard security practices. Examples of incidents are: Piracy A user provides illegal copies of software to others through peer to peer file sharing services. Unauthorized access or incorrectly set access privileges to file shares High risk network probing activity detected by IDS/IPS systems Your industry definitions??? 1 NIST Special Publication 800 61, Computer Security Incident Handling Guide

Incident Detection, Identification and Recording First the CSIR team must have mechanisms and processes in place to detect signs or indicators of an incident. Automated detection capabilities include network based and hostbased IDPSs, antivirus software, and log analyzers. Incidents may also be detected through manual means, such as problems reported by users. End of Day security checks of printers and processing locations Deep, specialized technical knowledge and extensive experience are necessary for proper and efficient analysis of incident related data.

Incident Detection, Identification and Recording Signs of an incident fall into one of two categories: A precursor is a sign that an incident may occur in the future. If precursors are detected, your organization may have an opportunity to prevent the incident by enhancing its security posture to prevent an attack. Web server log entries that show the usage of a vulnerability scanner An announcement of a new exploit that targets a vulnerability of the organization s mail server A threat from a group stating that the group will attack the organization. An indicator is a sign that an incident may have occurred or may be occurring now.

Incident Detection, Identification and Recording Signs of an incident fall into one of two categories: An indicator is a sign that an incident may have occurred or may be occurring now. There are many examples: Network or Host based intrusion detection sensor alerts Antivirus software alerts Repeated user account unauthorized access attempt log entries Integrity checking detects static or sensitive system or files changes An email administrator sees a large number of bounced emails with suspicious content. A network administrator notices an unusual deviation from typical network traffic flows.

Incident Detection, Identification and Recording In order to make incident identification more effective there are the following methods that can be employed: Profile Networks and Systems Understand Normal Behaviors Create a Log Retention Policy Perform Event Correlation Keep All Host Clocks Synchronized Maintain and Use a Knowledge Base of Information Use Internet Search Engines for Research Run Packet Sniffers to Collect Additional Data Filter the Data.

Incident Detection, Identification and Recording Due to time constraints and need to act, you will not be able to review and analyze all the indicators; at minimum the most suspicious activity should be investigated. Filter out categories of indicators that tend to be insignificant. Filtering strategy is to show only the categories of indicators that are of the highest significance. NOTE Filtering does run the risk, because new malicious activity may notfall into one of the chosen indicatorfilters

Incident Detection, Identification and Recording The CSIR team must maintain records about the incident: The current status of the incident (new, in progress, forwarded for investigation, resolved, etc.) A summary of the incident Precursors and/or Indicators related to the incident Other incidents related to this incident Actions taken by all incident id handlers on this incident id Impact assessment(s) related to the incident Contact information for other involved parties (e.g., system owners, system administrators, management and legal) Evidence gathered during the incident investigation and inventory of this evidence Comments from incident handlers

Recognized Investigative Techniques and Diagnosis The process for performing digital forensics comprises the following basic phases 2 : Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data. Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data. Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination. 2 NIST Special Publication 800 68, GUIDE TO INTEGRATING FORENSIC TECHNIQUES INTO INCIDENT RESPONSE

Recognized Investigative Techniques and Diagnosis The process for performing digital forensics comprises the following basic phases 2 : Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process. 2 NIST Special Publication 800 68, GUIDE TO INTEGRATING FORENSIC TECHNIQUES INTO INCIDENT RESPONSE

Recognized Investigative Techniques and Diagnosis Before we go any further Does your organization have the requisite skills and assets to accomplish CSIR investigations and analysis/diagnosis? Organizations should ensure that their policies contain clear statements addressing all major forensic considerations, such as legal lreview of investigative tools, techniques and processes, contacting law enforcement, performing monitoring, and conducting regular reviews of forensic policies and procedures. 2 NIST Special Publication 800 68, GUIDE TO INTEGRATING FORENSIC TECHNIQUES INTO INCIDENT RESPONSE

Recognized Investigative Techniques and Diagnosis Critical to success factors when examiningdata from data files are as follows. Examine copies of files, not the original files. Preserve and verify file integrity. Rely on file headers, not file extensions, to identify file content types. Have a forensic toolkit for data examination and analysis Integrity controls over: the platforms where the tools are stored Platform image Tool(s) images Verifiable patching

Recognized Investigative Techniques and Diagnosis Fundamentalsfor Operating Systems OS data exists in both non volatile and volatile states. Non volatile data refers to data that persists even after a computer is powered down, such as a file system stored on a hard drive. Volatile data refers to data on a live system that is lost after a computer is powered down, such as the current network connections to and from the system and data stored in RAM 2 NIST Special Publication 800 68, GUIDE TO INTEGRATING FORENSIC TECHNIQUES INTO INCIDENT RESPONSE

Recognized Investigative Techniques and Diagnosis Fundamentalsfor Operating Systems Proper tools must be employed to examine both volatile and non volatile data. As an example Filtering tools automate the process of examining swap and RAM dump files by identifying text patterns and numerical values that might represent phone numbers, names of people, e mail addresses, Web addresses, and dother types of critical tca information ato 2 NIST Special Publication 800 68, GUIDE TO INTEGRATING FORENSIC TECHNIQUES INTO INCIDENT RESPONSE

Recognized Investigative Techniques and Diagnosis Fundamentalsfor network forensics: Reconstructing events by replaying network traffic Visualizing the traffic flows and the relationships among hosts Building profiles of typical activity and identifying significant deviations Searching application content for keywords 2 NIST Special Publication 800 68, GUIDE TO INTEGRATING FORENSIC TECHNIQUES INTO INCIDENT RESPONSE

Recognized Investigative Techniques and Diagnosis The sheer volume and scope of tools and techniques needed to properly capture, analyze and diagnosethe incident go far beyond the time allowed for this session. More information can be found at: http://csrc.nist.gov/publications http://www.cert.org 2 NIST Special Publication 800 68, GUIDE TO INTEGRATING FORENSIC TECHNIQUES INTO INCIDENT RESPONSE

Resolution and Recovery Processes for Your Environment Once your Incident Response Team has contained the incident, typical recovery actions may include: Eradication of quarantined threat to eliminate components of the incident, such as deleting malware and disabling breached user accounts. At times eradication is either not necessary or is performed during recovery. In recovery, administrators restore systems to normal operation and (if applicable) remediate vulnerabilities to prevent similar incidents. Restoring systems from clean backups or even rebuildingsystems from scratch Replacing compromised files with clean versions Installing patches

Resolution and Recovery Processes for Your Environment Once your Incident Response Team has contained the incident, typical recovery actions may include: (continued) Changing passwords Tighteningnetwork network perimeter security Higher levels of system logging or network monitoring Once a target has been successfully compromised, the word spreads among hostile threats and the same or like resource in another location in your organization will often be attacked again. Reporting requirements must be coordinated in accordance with your organization s policies and procedures there should be no delays

Resolution and Recovery Processes for Your Environment Lessons Learned Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. This meeting held within several days of the end of the incident. Exactly what happened, and at what times? How well did staff and management perform in dealing with the incident? id Were the documented dprocedures followed? Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? What would the staff and management do differently the next time a similar incident occurs?

Resolution and Recovery Processes for Your Environment Lessons Learned (continued) How could information sharing with other organizations have been improved? What corrective actions can prevent similar incidents in the future? What additional tools or resources are needed to detect, analyze, and mitigate future incidents?

Establishing and Evaluating Incident Management Framework Policy Elements High level organization wide directive governing incident response, and should include the following key elements: Statement of management commitment (Tone at the Top) Purpose and objectives of the policy Scope ofthe policy (to whomand what it applies and under what circumstances) Definition of computer security incidents Organizational structure Roles and responsibilities

Establishing and Evaluating Incident Management Framework Policy Elements continued: Levels of authority to include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity The requirements for: Reporting certain types of incidents External communications i and information i sharing (e.g., what can be shared with whom, when, and over what channels) Prioritization or severity ratings of incidents Performance measures Reporting and contact forms.

Establishing and Evaluating Incident Management Framework Plan Elements Formal, focused, tailored and coordinated roadmap for implementing the incident response capability. The incident response plan should include the following elements: Mission Strategies and goals Senior management approval Organizational approach to incident response How the incident response team will communicate with the rest of the organization and with other organizations Metrics for measuring the incident response capability bl Roadmap for maturing the incident response capability How the program fits into the overall organization

Establishing and Evaluating Incident Management Framework Procedure Elements Based on the incident response policy and plan. Standard operating procedures (SOPs) consist of: Specific technical processes Tools and Techniques Checklists Threat and risk assessment Escalation checklist System specific procedures Forms used by the incident response team...document in a timely, accurate and correct manner

Establishing and Evaluating Incident Management Framework SOPs need to be adequate to provide reasonable assurance that the following are meet: Organizational priorities are addressed. Minimize errors, particularly those that mightbe caused by incident handling tempo and stress. SOPs should be: Tested to validate their accuracy and usefulness Under controlled distribution to all team members. Training needs to be provided for all prospective SOP users

Establishing and Evaluating Incident Management Framework Evaluating your organization s CSIRC can include the following areas of focus: Number of Incidents Recorded Caution when looking at numbers take care to investigate why number counts decrease or increase The number of incidents handled may decrease because of better network and host security controls, not because of negligence by the incident response team. May increase due to increased employee and customer y p y awareness

Establishing and Evaluating Incident Management Framework Evaluating your organization s CSIRC can include the following areas of focus: Number of Incidents Recorded continued Optimal use as a measure of the relative amount of work that the incident response team had to perform, not as a measure of the quality of the team.

Establishing and Evaluating Incident Management Framework Evaluating your organization s CSIRC can include the following areas of focus: Number of Incidents Recorded continued Produce separate incident counts for each incident category. Subcategories also can be used to provide more information. i Growing number of incidents performed by insiders need for background investigations for personnel Misuse of computing resources and stronger security controls on internal networks

Establishing and Evaluating Incident Management Framework Evaluating your organization s CSIRC can include the following areas of focus: Time Per Incident: Total amount of labor spent working on the incident Cycle time from the beginning of the incident to incident discovery, to the initial impact assessment, and to each stage of the incident handling process (e.g., containment, recovery)

Establishing and Evaluating Incident Management Framework Evaluating your organization s CSIRC can include the following areas of focus: Time Per Incident: Length of time for the incident response team to respond to the initial report of the incident Length of time to report the incident to management and, if necessary, appropriate external entities (e.g., Outside Legal Counsel, Law Enforcement, US CERT).

Establishing and Evaluating Incident Management Framework Evaluating your organization s CSIRC can include the following areas of focus: Objective Assessment of Each Incident Examine logs, forms, reports, and other incident documentation for compliance with incident response policies i and procedures Were precursors and indicators of the incident documented?

Establishing and Evaluating Incident Management Framework Evaluating your organization s CSIRC can include the following areas of focus: Objective Assessment of Each Incident Did the incident caused damage before it was detected? Was adequate root cause analysis performed to include the vector of attack, the vulnerabilities exploited, and the characteristics of the targeted or victimized systems, networks, and applications?

Establishing and Evaluating Incident Management Framework Evaluating your organization s CSIRC can include the following areas of focus: Objective Assessment of Each Incident Is the incident is a recurrence of a previous incident? If so why did it happen again? How were estimated monetary damage calculated from the incident (e.g., information and critical processes negativelyaffected affected by the incident)?

Summary Identify incident detection and recording CSIR team must have mechanisms and processes in place to detect signs or indicators of an incident Deep, specialized technical knowledge and extensive experience are necessary for proper and efficient analysis of incident related data. Recognize investigative techniques and diagnosis Your organization must have the requisite skills and assets to accomplish CSIR investigations and analysis/diagnosis Your organizations should ensure that their policies contain clear statements addressing all major forensic considerations, such as legal review of investigative tools, techniques and processes, contacting law enforcement, performing monitoring, and conducting regular reviews of forensic policies and procedures.

Summary Determine resolution and recovery Once a target has been successfully compromised tag your it, and your adversary know it. Reporting requirements must be coordinated in accordance with your organization s policies and procedures there should be no delays

Summary Establish and evaluate incident management framework Defined and documented CSIR Policy, Plan and SOPs Processes must be measureable Performance measures need to based on your environment s critical features and processes

Good References for Incident Management Practices National Institute of Standards and Technology (NIST) Special Publications Special Publication 800 61, Computer Security Incident Handling Guide Special Publication 800 83, Guide to Malware Incident Prevention and Handling Special Publication 800 86, 86, Guide to Integrating Forensic Techniques into Incident Response

Good References for Incident Management Practices OMB Memorandum M 07 16 16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 2007

Questions?

Collaborate Contribute Connect www.isaca.org/knowledge-center The Knowledge Center is a collection of resources and online communities that connect ISACA members globally, across industries and by professional focus - under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information