
Incident Response From the Ground Up Ellen Young and Adam Goldstein Dartmouth College NERCOMP March 11, 2008.




1 Incident Response From the Ground Up Ellen Young and Adam Goldstein Dartmouth College NERCOMP March 11, 2008

2 Information Security Incidents
Where does Incident Response fit into overall information security strategy?
– Prevention
– Detection
– Response*

3 Incident Response – Other Drivers
Additional drivers for creating incident response policies and procedures:
– PCI (Payment Card Industry) security standards, Sec 12.5.3
– Breach notification laws

4 Policy vs. Procedure
– Dartmouth Cyber-security steering committee initiated current effort
– Started with high level IR policy
– Determined more detailed procedures were required

5 Incident Response – Practical Approach
First step: Incident Handling Workshop:
– May 30th and 31st, 2007
– About 30 participants from Tech Services, Consulting Services, and CSI Team
– Table-top incident response exercises conducted by an experienced consulting firm, IntelGuardians (http://www.intelguardians.com/)

6 Incident Handling – Workshop 1
– Involved everyone who might be a first responder from Computing Services
– Divided into 4 teams, each mixing Help Desk, Network Admins, and System Admins
– Presented with a scenario and logs; received additional clues if the right questions were asked
– Teams used the high level policy and existing procedures as a starting point

7 Initial Workshop Lessons Learned and Takeaways
– Form an Incident Response Team (IRT)
– Develop practical procedures:
  – First Responders
  – Technical Response
  – Communication
– Outreach and awareness: it could be someone internal; VoIP could also be compromised
– Ongoing training for IRT

8 Incident Response Team
– Different groups and areas of expertise represented
– 2 members for each area provides backup
– Team consists of: the Directors and 2 members each from Systems Administration, Network Services, and Consulting Services

9 Develop procedures from the “Ground Up”
Workshop revealed importance of “Ground-up” approach to developing procedures:
– First Responders Decision-tree
– Incident Assessment and Classification
– Technical Action Plans for different incident types
– Communication Procedures
– Equipment and tools for performing investigations

10 First Responders Decision-tree
– Developed decision tree for first responders
– Easy for responders to use and determine next steps
– http://www.dartmouth.edu/comp/docs/FirstResponseCriteria.doc
– Automatic ticket creation for IRT based upon information entered

11 Incident Assessment and Classification
Incidents reported to IRT are then assessed and classified. The general criteria for assessing an incident include:
– Sensitivity of potentially compromised data
– Legal issues
– Magnitude of service disruption
– Threat potential
– Expanse: how widespread the incident is

12 Incident Assessment and Classification: Step 1 – Determine Severity
Questions to determine severity:
1. Is sensitive, confidential or privileged data at risk?
2. Is business continuity at risk?
3. Did someone identify a security problem regarding Dartmouth systems in a public forum (website, listserv, message board, print media, broadcast media)?
4. Has law enforcement, a government agency, or another third party contacted Dartmouth regarding a possible incident?

13 Incident Assessment and Classification: Step 2 – Assign Severity Level
Assign severity level:
– Low: risk or exposure to few
– Medium: localized risk or exposure (e.g. subnet, department, non-critical service)
– Serious: institutional risk/exposure
Severity level will determine the appropriate response plan.

14 Incident Assessment and Classification: Step 3 – Determine Incident Type
Incident Types:
1. Compromised System
2. Compromised User Credentials
3. Network Attack (DoS, Scanning, Sniffing)
4. Malware (Viruses, Worms, Trojans)
5. Lost Equipment/Theft
6. Physical Break-in
7. Social Engineering (phishing, fraud)
8. Law Enforcement Request
9. Policy Violation

15 IRT – Response Action Plans
The IRT follows action plans based on:
– Incident Type
– Severity level
Information on internal wiki for ease of use:
– http://www.dartmouth.edu/comp/docs/Nercomp-IRTActionPlans.doc
– http://www.dartmouth.edu/comp/docs/Nercomp-IncidentClassification.doc
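The three assessment steps (slides 12 to 14) and the action-plan lookup keyed on type and severity (slide 15) fit together as one small triage routine. The following Python is an added example, not code from the original deck or from Dartmouth's ticketing: the four severity questions, the Low/Medium/Serious definitions, the "expanse" criterion and the nine incident types are the slides' own, while the escalation rules (which answers push an incident up a level), the use of expanse as the baseline, and the ticket layout are assumptions made for illustration.

```python
"""Incident triage helper modelled on the slides' three assessment steps.

Added example; it is not Dartmouth's tooling. The severity definitions,
the four severity questions and the nine incident types come from the
slides. The escalation rules and the ticket layout are assumptions.
"""
from dataclasses import dataclass

# Slide 14: incident types, numbered as on the slide.
INCIDENT_TYPES = {
    1: "Compromised System",
    2: "Compromised User Credentials",
    3: "Network Attack (DoS, Scanning, Sniffing)",
    4: "Malware (Viruses, Worms, Trojans)",
    5: "Lost Equipment/Theft",
    6: "Physical Break-in",
    7: "Social Engineering (phishing, fraud)",
    8: "Law Enforcement Request",
    9: "Policy Violation",
}

# Slide 13: severity levels, ordered so that max() picks the worse one.
SEVERITY_ORDER = ["Low", "Medium", "Serious"]

# Slide 11 "expanse" (how widespread) mapped onto slide 13's definitions:
# few -> Low, localized (subnet, department, non-critical service) -> Medium,
# institutional -> Serious. Using expanse as the baseline is an assumption.
EXPANSE_TO_SEVERITY = {"few": "Low", "localized": "Medium", "institutional": "Serious"}


@dataclass
class Assessment:
    """Answers a first responder enters (slide 10) for the IRT to assess."""
    incident_type: int                          # key into INCIDENT_TYPES
    expanse: str                                # "few" | "localized" | "institutional"
    sensitive_data_at_risk: bool = False        # slide 12, question 1
    business_continuity_at_risk: bool = False   # question 2
    public_disclosure: bool = False             # question 3
    third_party_contact: bool = False           # question 4


def _worse(a: str, b: str) -> str:
    """Return the higher of two severity levels."""
    return max(a, b, key=SEVERITY_ORDER.index)


def assign_severity(a: Assessment) -> str:
    """Steps 1 and 2: derive Low / Medium / Serious from the answers.

    Escalation rules (assumed for this example, not stated on the slides):
      - sensitive data at risk, public disclosure, or outside contact
        never yields less than Serious, whatever the expanse;
      - business continuity at risk never yields less than Medium.
    """
    if a.expanse not in EXPANSE_TO_SEVERITY:
        raise ValueError(f"unknown expanse: {a.expanse!r}")
    level = EXPANSE_TO_SEVERITY[a.expanse]
    if a.sensitive_data_at_risk or a.public_disclosure or a.third_party_contact:
        level = _worse(level, "Serious")
    if a.business_continuity_at_risk:
        level = _worse(level, "Medium")
    return level


def classify(a: Assessment) -> dict:
    """Step 3 plus the (type, severity) action-plan key the IRT looks up (slide 15)."""
    if a.incident_type not in INCIDENT_TYPES:
        raise ValueError(f"unknown incident type: {a.incident_type}")
    severity = assign_severity(a)
    kind = INCIDENT_TYPES[a.incident_type]
    return {
        "incident_type": kind,
        "severity": severity,
        "action_plan": f"{kind} / {severity}",
    }


def create_irt_ticket(reporter: str, summary: str, a: Assessment) -> dict:
    """Slide 10's automatic ticket creation; the ticket fields are constructed."""
    ticket = {"reporter": reporter, "summary": summary, "status": "new"}
    ticket.update(classify(a))
    return ticket


if __name__ == "__main__":
    # Constructed sample report: a single user fell for a phishing message.
    sample = Assessment(incident_type=7, expanse="few")
    print(create_irt_ticket("helpdesk", "user reports phishing email", sample))
```

Because the severity questions only ever escalate, a reviewer on the IRT can read the final level straight off the answers; lowering a level after the fact would need a deliberate override rather than a different answer, which keeps the assessment auditable.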

16 IRT – Communication Procedures
– Specific procedures for communication throughout the different phases of response
– Includes both “horizontal” and “vertical” communication
– Information on internal wiki for ease of use: http://www.dartmouth.edu/comp/docs/Communications.doc

17 IRT – Response Equipment
– Dedicated Laptop
– NAS and portable storage for images
– IR software CDs and flash drives:
  – Helix: Incident Response & Computer Forensics Live CD (http://www.e-fense.com/helix/)
  – The Sleuth Kit and Autopsy: Digital Investigation Tools for Linux (http://www.sleuthkit.org/)
  – Windows Forensic Toolchest (WFT) (http://www.foolmoon.net/security/wft/)
– Secure document storage

18 Workshop 2 – IRT Hands-on “Live Incident”
Security consulting firm returned for a 2-day workshop (12/4 and 12/5) with the IRT:
– Reviewed attack trends and highlighted response techniques
– Compromised 4 systems on a test network
– IRT practiced response procedures and use of investigative tools

19 Workshop 2 – Lessons Learned
– Communication among IRT members working on different parts of the investigation is critical
– Assessing unknown systems
– Concerns over service disruption during initial investigation
– Differences in Windows vs. Linux analysis
– Can be difficult for first responders: the desire to just fix it overwhelms the desire to preserve data

20 Next Steps and Ongoing Efforts
– Integrate IRT forms into Remedy Help Desk System
– Outreach to first responders not in PKCS and the College community
– Ongoing monthly meetings for IRT:
  – Further training in response and forensic tools
  – Sample scenarios and procedure updates
  – Review emerging attack trends
– Additional training exercises for IRT and PKCS

21 Questions?
ellen.l.young@dartmouth.edu
adam.goldstein@dartmouth.edu
Copyright 2008 Trustees of Dartmouth College. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

