Presentation is loading. Please wait.

Presentation is loading. Please wait.

Incident Response From the Ground Up Ellen Young and Adam Goldstein Dartmouth College NERCOMP March 11, 2008.

Published byAbraham McGee Modified over 9 years ago

Similar presentations

Presentation on theme: "Incident Response From the Ground Up Ellen Young and Adam Goldstein Dartmouth College NERCOMP March 11, 2008."— Presentation transcript:

1 Incident Response From the Ground Up Ellen Young and Adam Goldstein Dartmouth College NERCOMP March 11, 2008

2 Information Security Incidents Where does Incident Response fit into overall information security strategy? Prevention Detection Response*

3 Incident Response – Other Drivers Additional drivers for creating incident response policies and procedures: PCI (Payment Card Industry) security standards. Sec 12.5.3 Breach notification laws

4 Policy vs. Procedure  Dartmouth Cyber-security steering committee initiated current effort  Started with high level IR policy  Determined more detailed procedures were required

5 Incident Response – Practical Approach First step: Incident Handling Workshop: –May 30 th and 31 st 2007 –About 30 participants from Tech Services, Consulting Services, and CSI Team –Table-top incident response exercises conducted by an experienced consulting firm – IntelGuardians - http://www.intelguardians.com/ http://www.intelguardians.com/

6 Incident Handling – Workshop 1 Involved everyone who might be a first responder from Computing Services Divided into 4 teams – mixed Help Desk, Network Admins, and System Admins Presented with a scenario, logs, and received additional clues if the right questions were asked Teams used the high level policy and existing procedures as a starting point

7 Initial Workshop Lessons Learned and Takeaways Form an Incident Response Team (IRT)‏ Develop practical procedures: –First Responders –Technical Response –Communication Outreach and awareness – it could be someone internal; VoIP could also be compromised Ongoing training for IRT

8 Incident Response Team Different groups and areas of expertise represented 2 members for each area provides backup Team consists of: –The Directors and 2 Members each from Systems Administration, Network Services, and Consulting Services

9 Develop procedures from the “Ground Up” Workshop revealed importance of “Ground-up” approach to developing procedures –First Responders Decision-tree –Incident Assessment and Classification –Technical Action Plans for different incident types –Communication Procedures –Equipment and tools for performing investigations

10 First Responders Decision-tree Developed decision tree for first responders Easy for responders to use and determine next steps http://www.dartmouth.edu/comp/docs/FirstRes ponseCriteria.dochttp://www.dartmouth.edu/comp/docs/FirstRes ponseCriteria.doc Automatic ticket creation for IRT based upon information entered

11 Incident Assessment and Classification Incidents reported to IRT are then assessed and classified The general criteria for assessing an incident include: –Sensitivity of potentially compromised data –Legal issues –Magnitude of service disruption –Threat potential –Expanse - how widespread the incident is

12 Incident Assessment and Classification: Step 1 – Determine Severity Questions to determine severity: 1. Is sensitive, confidential or privileged data at risk?sensitive, confidential or privileged data 2. Is business continuity at risk? 3. Did someone identify a security problem regarding Dartmouth systems in a public forum (website, listserve, message board, print media, broadcast media)? 4. Has law enforcement, government agency, or other third-party contacted Dartmouth regarding a possible incident?

13 Incident Assessment and Classification: Step 2 – Assign severity level Assign severity level: Low - Risk or exposure to few Medium - Localized risk or exposure (e.g. subnet, department, non-critical service) Serious - Institutional risk/exposure Severity level will determine appropriate response plan

14 Incident Assessment and Classification: Step 3 – Determine incident type Incident Types: 1.Compromised System 2.Compromised User Credentials 3.Network Attack (DoS, Scanning, Sniffing) 4.Malware (Viruses, Worms, Trojans) 5.Lost Equipment/Theft 6.Physical Break-in 7.Social Engineering (phishing, fraud) 8.Law Enforcement Request 9.Policy Violation

15 IRT – Response Action Plans The IRT follows action plans based on: Incident Type Severity level Information on internal wiki for ease of use http://www.dartmouth.edu/comp/docs/Nercom p-IRTActionPlans.dochttp://www.dartmouth.edu/comp/docs/Nercom p-IRTActionPlans.doc ‏ http://www.dartmouth.edu/comp/docs/Nercom p-IncidentClassification.doc

16 IRT- Communication Procedures Specific procedures for communication throughout the different phases of response Includes both “horizontal” and “vertical” communication Information on internal wiki for ease of use http://www.dartmouth.edu/comp/docs/Commu nications.doc

17 IRT-Response Equipment Dedicated Laptop NAS and portable storage for images IR software CDs and flash drives –Helix - Incident Response & Computer Forensics Live CD (http://www.e-fense.com/helix/) –The SleuthKit and Autopsy: Digital Investigation Tools for Linux (http://www.sleuthkit.org/) –Windows Forensic Toolchest (WFT) (http://www.foolmoon.net/security/wft/) Secure document storage

18 Workshop 2- IRT Hands-on “Live Incident” Security consulting firm returned for a 2 day workshop (12/4 and 12/5) with the IRT: Reviewed attack trends and highlighted response techniques Compromised 4 systems on a test network IRT practiced response procedures and use of investigative tools

19 Workshop 2 – Lessons Learned Communication among IRT members working on different parts of the investigation is critical Assessing unknown systems Concerns over service disruption during initial investigation Differences in Windows vs. Linux analysis Can be difficult for first responders – desire to just fix it overwhelms desire to preserve data

20 Next Steps and Ongoing Efforts Integrate IRT forms into Remedy Help Desk System Outreach to first responders not in PKCS and College community Ongoing monthly meetings for IRT –Further training in response and forensic tools –Sample scenarios and procedure updates –Review emerging attack trends Additional training exercises for IRT and PKCS

21 Questions? ellen.l.young@dartmouth.edu adam.goldstein@dartmouth.edu Copyright 2008 Trustees of Dartmouth College This work is the intellectual property of the authors. Permission is granted for this material to be shared for non- commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

Download ppt "Incident Response From the Ground Up Ellen Young and Adam Goldstein Dartmouth College NERCOMP March 11, 2008."

Similar presentations

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
SL21 Information Security Board Mission, Goals and Guiding Principles.

SL21 Information Security Board Mission, Goals and Guiding Principles.
Copyright Elaine David & Pam Heath-Johnston University of Connecticut, 2005 This work is the intellectual property of the authors. Permission is granted.

Copyright Elaine David & Pam Heath-Johnston University of Connecticut, 2005 This work is the intellectual property of the authors. Permission is granted.
© 2007-2011 Carnegie Mellon University The CERT Insider Threat Center.

© Carnegie Mellon University The CERT Insider Threat Center.
Copyright Jill M. Forrester 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial,

Copyright Jill M. Forrester This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial,
Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.

Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.
Security Controls – What Works

Security Controls – What Works
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
UWM CIO Office A Collaborative Process for IT Training and Development Copyright UW-Milwaukee, 2007. This work is the intellectual property of the author.

UWM CIO Office A Collaborative Process for IT Training and Development Copyright UW-Milwaukee, This work is the intellectual property of the author.
Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College Copyright Penn State University-2008. This work is the intellectual.

Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College "Copyright Penn State University This work is the intellectual.
Copyright Statement © Jason Rhode and Carol Scheidenhelm. 2006. This work is the intellectual property of the authors. Permission is granted for this material.

Copyright Statement © Jason Rhode and Carol Scheidenhelm This work is the intellectual property of the authors. Permission is granted for this material.
Providing and Managing Technology Training Providing & Managing Technology Training Susan McKibben The University of Akron.

Providing and Managing Technology Training Providing & Managing Technology Training Susan McKibben The University of Akron.
Copyright Shanna Smith & Tom Bohman (2003). This work is the intellectual property of the authors. Permission is granted for this material to be shared.

Copyright Shanna Smith & Tom Bohman (2003). This work is the intellectual property of the authors. Permission is granted for this material to be shared.
Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.

Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.
Security Awareness: Taking the Medicine and Liking It Shirley C. Payne Director for Security Coordination University of Virginia EDUCAUSE Conference October.

Security Awareness: Taking the Medicine and Liking It Shirley C. Payne Director for Security Coordination University of Virginia EDUCAUSE Conference October.
Tales from the Trenches Copyright Long, Mitrano, McGovern, and Orr, 2003. This work is the intellectual property of the authors. Permission is granted.

Tales from the Trenches Copyright Long, Mitrano, McGovern, and Orr, This work is the intellectual property of the authors. Permission is granted.
Information Security Governance in Higher Education Policy2004 The EDUCAUSE Policy Conference Gordon Wishon EDUCAUSE/Internet 2 Security Task Force This.

Information Security Governance in Higher Education Policy2004 The EDUCAUSE Policy Conference Gordon Wishon EDUCAUSE/Internet 2 Security Task Force This.
Network security policy: best practices

Network security policy: best practices

Similar presentations

Ads by Google