Incident Response Lifecycle
HANDLING DIFFERENT TYPES OF
INFORMATION SECURITY INCIDENTS
Handling Incidents
• Incident handling phases (as described in NIST SP 800-61):
- Preparation: establishing and training an incident
response team, and acquiring the necessary tools and resources.
- Detection and analysis: detecting security breaches and
alerting the organization when an attack is imminent or under way.
- Containment: limiting the impact of the incident by isolating
affected systems, accounts or network segments before it spreads.
- Eradication and recovery: removing the components of the incident
(malware, compromised accounts, exploited vulnerabilities) and then
restoring systems to normal operation.
- Post-incident activity: preparing a detailed report of the
cause and cost of the incident and future preventive measures
against similar attacks.
Phases (Life cycle)
Preparation
• incident analysis hardware and software used to identify and investigate an
incident.
• appropriate incident handling communication means and
facilities.
• incident analysis resources (reference information) that help identify an incident.
• incident mitigation software used to restore systems after an incident.
• response strategies for the common attack vectors, such as external/
removable media, attrition, web, email, impersonation, improper usage by the
organization’s authorized users, loss or theft of equipment, and others that
fall outside the categories listed above.
Incident analysis hardware and software to
identify an incident
• Digital forensic workstations and/or backup devices
• Laptops
• Spare workstations, servers, and networking
equipment, or the virtualized equivalents
• Portable printer
• Packet sniffers and protocol analyzers
• Digital forensic software
• Removable media
• Evidence gathering accessories
Appropriate incident handling
communication means and facilities
• Contact information
• On-call information
• Incident reporting mechanisms
• Issue tracking system
• Smartphones
• Encryption software
• War room
• Secure storage facility
Incident analysis resources to identify an
incident
• Port lists
• Documentation
• Network diagrams and lists of critical assets
• Current baselines
• Cryptographic hashes
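The following is an added example, not code from the original slides: it shows how the "current baselines" and "cryptographic hashes" prepared in advance are actually used. SHA-256 digests of critical files are recorded while the system is known-good; during Detection and Analysis they are recomputed and diffed to reveal modified, added or removed files. The JSON baseline format, the sample file tree and the tampering scenario are assumptions made for the example.

```python
"""Baseline hashes of critical files and later verification against them.

Added example; not code from the original slides. The JSON baseline
format and the constructed file tree are assumptions of this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB chunks so large files are not read whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks: their targets are hashed under their own path.
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    # Keep this file off the monitored host (or signed): an attacker with root
    # could otherwise rewrite the baseline to match the tampered files.
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return the paths that changed, appeared, or disappeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"            # the monitored file tree
        store = Path(tmp) / "baseline.json"  # baseline kept outside the tree
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("Authorized use only\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF clean binary")

        save_baseline(build_baseline(root), store)  # Preparation phase

        # Constructed compromise: config weakened, binary trojaned, backdoor
        # dropped as a dotfile, and the login banner deleted.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary")
        (root / "bin" / ".hidden").write_bytes(b"backdoor")
        (root / "etc" / "motd").unlink()

        return compare_to_baseline(root, load_baseline(store))  # Detection phase


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashes only tell you that something changed, not whether the change was authorized; pair the diff with the change-management record, and regenerate the baseline after every approved patch so legitimate updates do not drown real findings.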
Incident mitigation software for restoration and
recovery
• Access to clean images of OS and application installations
Detection and Analysis
(Attack Vectors)
• External/removable media such as USB drives or
peripheral devices
• Attrition (brute-force methods to compromise, degrade
or destroy systems, services or networks)
• Website or web-based application
• Email message or attachment
• Impersonation (e.g., spoofing, man-in-the-middle, SQL injection)
• Violation of the organization’s acceptable use
policies by an authorized user
• Loss or theft of equipment
• Other vectors not covered by the categories above
Signs of security incident
• Two main types
- Precursors: signs that an incident may
occur in the future.
- Indicators: signs that an incident may
have occurred or may be occurring now.
Common signs of security incident
• Precursors:
• web server log entries that show the usage of a vulnerability scanner.
• announcement of a new exploit that targets a vulnerability of the organization’s
mail server.
• threat from a group stating that it will attack the organization.
• Indicators:
• network intrusion detection sensor alerts when a buffer overflow attempt
occurs against a database server.
• antivirus software alerts when it detects that a host is infected with malware.
• system administrator sees a file name with unusual characters.
• host records an auditing configuration change in its log.
• application logs multiple failed login attempts from an unfamiliar remote
system.
• email administrator sees a large number of bounced emails with suspicious
content.
• network administrator notices an unusual deviation from typical network traffic
flows.
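The following is an added example, not code from the original slides. It turns four of the signs listed above into detection rules and runs them over a constructed log sample: a vulnerability scanner's user agent in the web server log is reported as a precursor; repeated failed logins from an unfamiliar remote system, an audit configuration change and a file name with unusual characters are reported as indicators. The log formats, the scanner user-agent list, the allowlist of familiar sources and the failure threshold are all assumptions of this example.

```python
"""Classify constructed log lines as precursors or indicators of an incident.

Added example; not code from the original slides. Log formats, the scanner
list, FAMILIAR_SOURCES and FAILED_LOGIN_THRESHOLD are assumptions.
"""
import re
from collections import Counter

SCANNER_UA = ("nikto", "sqlmap", "nmap", "masscan", "zgrab", "nessus", "acunetix")
FAMILIAR_SOURCES = {"10.0.5.4", "10.0.5.5"}  # assumed: the admin jump hosts
FAILED_LOGIN_THRESHOLD = 5

# Apache/nginx "combined" log format (assumed for the web server).
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
AUTH_RE = re.compile(r"auth: failed login user=(?P<user>\S+) src=(?P<src>\S+)")
AUDIT_RE = re.compile(r"auditd: configuration changed[: ]*(?P<detail>.*)$")
FILE_RE = re.compile(r'fim: created "(?P<name>[^"]*)"')
# Control characters, DEL, zero-width and Unicode bidi-override code points:
# these change how a name is displayed without changing the bytes on disk.
UNUSUAL_CHAR_RE = re.compile(r"[\x00-\x1f\x7f\u200b-\u200f\u202a-\u202e\u2066-\u2069]")


def classify(lines):
    """Return findings as dicts with kind ('precursor'/'indicator'), rule, evidence."""
    findings = []
    failed = Counter()
    for line in lines:
        m = WEB_RE.match(line)
        if m:
            if any(s in m["ua"].lower() for s in SCANNER_UA):
                findings.append({"kind": "precursor", "rule": "vulnerability-scanner-user-agent",
                                 "evidence": f'{m["src"]} {m["req"]} {m["ua"]}'})
            continue
        m = AUTH_RE.search(line)
        if m:
            failed[m["src"]] += 1
            continue
        m = AUDIT_RE.search(line)
        if m:
            findings.append({"kind": "indicator", "rule": "audit-config-change",
                             "evidence": m["detail"].strip()})
            continue
        m = FILE_RE.search(line)
        if m and UNUSUAL_CHAR_RE.search(m["name"]):
            findings.append({"kind": "indicator", "rule": "unusual-filename",
                             "evidence": repr(m["name"])})
    # Failed logins are aggregated per source; only unfamiliar sources that
    # reach the threshold become an indicator (familiar hosts are usually typos).
    for src, n in failed.items():
        if src not in FAMILIAR_SOURCES and n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"kind": "indicator", "rule": "repeated-failed-logins",
                             "evidence": f"{n} failures from {src}"})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 198 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    *[f"2023-10-10T14:02:{11 + i:02d}Z app auth: failed login user=admin src=198.51.100.23" for i in range(6)],
    "2023-10-10T14:03:40Z app auth: failed login user=jsmith src=10.0.5.4",
    "2023-10-10T14:03:52Z app auth: failed login user=jsmith src=10.0.5.4",
    "2023-10-10T14:05:00Z host1 auditd: configuration changed: auditctl -e 0 by uid=1001",
    '2023-10-10T14:10:02Z host1 fim: created "/var/tmp/report\u202efdp.exe"',
    '2023-10-10T14:10:05Z host1 fim: created "/var/tmp/report.pdf"',
]

if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f'{f["kind"]:9} {f["rule"]:34} {f["evidence"]}')
```

Two of the rules illustrate why precursors and indicators are handled differently: the scanner hit alone justifies checking exposure and tightening monitoring, while the audit change and the disguised file name warrant opening an incident and preserving the host's evidence before anyone "cleans up".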
Incident Information
• Various sources of precursors and indicators:
- Alerts: IDPS, SIEM, antivirus/antispam, file integrity checking
and third-party monitoring services
- Logs: operating system, service and application logs; network
device logs
- Network flows: records of which hosts communicated, when, and how much
- Publicly available information: new vulnerabilities, exploits and
threat reports
- People: staff inside the organization and contacts in other
organizations
Sources of Precursors and Indicators
Detection and Analysis
(Incident Analysis)
• Profile Networks and Systems
• Understand Normal Behaviours
• Create a Log Retention Policy
• Perform Event Correlation
• Keep All Host Clocks Synchronized
• Maintain and Use a Knowledge Base of Information
• Use Internet Search Engines for Research
• Run Packet Sniffers to Collect Additional Data
• Filter the Data
• Seek Assistance from Others
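The following is an added example, not code from the original slides; it shows why "keep all host clocks synchronized" and "perform event correlation" belong together. An IDS alert timestamped in UTC is correlated with a database host's syslog, but in this constructed scenario the host's clock is 7 minutes fast and its log lines carry no time zone. Without correcting the skew the events that matter fall outside the correlation window and the alert looks like a false positive. The host name, the measured clock offsets, the window size and the log lines are all constructed for the example.

```python
"""Correlate an IDS alert with host log events after correcting clock skew.

Added example; not code from the original slides. Host names, skew values,
the correlation window and all log lines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

SYSLOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Measured offset of each host clock from true UTC, in seconds (positive = host
# clock is ahead), as you would read it from chronyc/ntpq. Constructed values.
HOST_SKEW_SECONDS = {"db01": 420.0}

# Constructed IDS alert: the sensor is NTP-synchronized and reports in UTC.
IDS_ALERT = {
    "time": datetime(2023, 10, 10, 14, 0, 5, tzinfo=timezone.utc),
    "target": "db01",
    "signature": "buffer overflow attempt against database server",
}

# Constructed syslog from db01. The host writes local time without a zone and
# its clock runs 7 minutes fast.
DB01_SYSLOG = [
    "2023-10-10 13:58:30 db01 sshd[1410]: Accepted publickey for dba from 10.0.5.4",
    "2023-10-10 14:07:04 db01 postgres[2231]: LOG: unexpected EOF on client connection",
    "2023-10-10 14:07:06 db01 kernel: postgres[2231]: segfault at 0000000041414141 ip 00005594d2f8a1c0 sp 00007ffd3c2e1a40 error 4",
    "2023-10-10 14:07:09 db01 systemd[1]: postgresql.service: Main process exited, code=killed, status=11/SEGV",
    "2023-10-10 14:07:15 db01 sshd[1533]: Accepted password for postgres from 203.0.113.7",
    "2023-10-10 14:30:00 db01 CRON[1601]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_syslog(line, host_skew):
    """Parse one line and return (corrected UTC time, host, message)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable syslog line: {line!r}")
    # Assumption: the host logs in UTC but its clock is offset by host_skew[host].
    logged = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    corrected = logged - timedelta(seconds=host_skew.get(m["host"], 0.0))
    return corrected, m["host"], m["msg"]


def correlate(alert_time, lines, host_skew, window_seconds=30.0):
    """Return host events whose corrected time lies within the window around the alert."""
    hits = []
    for line in lines:
        t, host, msg = parse_syslog(line, host_skew)
        if abs((t - alert_time).total_seconds()) <= window_seconds:
            hits.append((t.isoformat(), host, msg))
    return hits


def demo():
    """Run the same correlation with and without the skew correction."""
    return {
        "without_skew_correction": correlate(IDS_ALERT["time"], DB01_SYSLOG, host_skew={}),
        "with_skew_correction": correlate(IDS_ALERT["time"], DB01_SYSLOG, host_skew=HOST_SKEW_SECONDS),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {len(hits)} event(s)")
        for t, host, msg in hits:
            print(f"  {t} {host} {msg}")
```

With the correction applied, the crash of the database process and a password login to the postgres account from the scanning address appear seconds after the alert, which changes the prioritization of the incident entirely. The practical lesson is the one in the slide: measure and record clock offsets during Preparation, because you cannot reconstruct them reliably after the fact.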
Detection and Analysis
(Incident Prioritization)
• Functional Impact of the Incident: effect on the organization’s ability
to provide its services (none, low, medium, high)
• Information Impact of the Incident: effect on the confidentiality,
integrity and availability of information (none, privacy breach,
proprietary breach, integrity loss)
• Recoverability from the Incident: time and resources needed to recover
(regular, supplemented, extended, not recoverable)
Containment, Eradication, and Recovery
• Criteria for determining the appropriate containment strategy include:
- Potential damage to and theft of resources
- Need for evidence preservation
- Service availability (e.g., network connectivity, services
provided to external parties)
- Time and resources needed to implement the strategy
- Effectiveness of the strategy (e.g., partial containment,
full containment)
- Duration of the solution (e.g., emergency workaround to
be removed in four hours, temporary workaround to be
removed in two weeks, permanent solution).
Eradication and Recovery
• Eradication: to eliminate components of the
incident, such as deleting malware and disabling
breached user accounts, as well as identifying and
mitigating all vulnerabilities that were exploited.
• Recovery: administrators restore systems to
normal operation, confirm that the systems are
functioning normally, and (if applicable) remediate
vulnerabilities to prevent similar incidents.
Post-Incident Activity
• Learning and improving.
• Questions to be answered:
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident?
Were the documented procedures followed? Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- What would the staff and management do differently the next time a
similar incident occurs?
- How could information sharing with other organizations have been
improved?
- What corrective actions can prevent similar incidents in the future?
- What precursors or indicators should be watched for in the future to detect
similar incidents?
Incident Handling Checklist
Tabletop Exercise for Incident Response (IR) for
XYZ Organization