Incident Response From the Ground Up Ellen Young and Adam Goldstein Dartmouth College NERCOMP March 11, 2008
Information Security Incidents. Where does Incident Response fit into the overall information security strategy? Prevention; Detection; Response (the subject of this presentation).
Incident Response – Other Drivers. Additional drivers for creating incident response policies and procedures: PCI (Payment Card Industry) security standards, Sec. 12.5.3 (incident response and escalation procedures); breach notification laws.
Policy vs. Procedure. The Dartmouth cyber-security steering committee initiated the current effort. It started with a high-level IR policy, then determined that more detailed procedures were required.
Incident Response – Practical Approach. First step: an Incident Handling Workshop: –May 30th and 31st, 2007 –About 30 participants from Tech Services, Consulting Services, and the CSI Team –Table-top incident response exercises conducted by an experienced consulting firm, IntelGuardians (http://www.intelguardians.com/)
Incident Handling – Workshop 1. Involved everyone who might be a first responder from Computing Services. Divided into 4 mixed teams of Help Desk, Network Admins, and System Admins. Each team was presented with a scenario and logs, and received additional clues if the right questions were asked. Teams used the high-level policy and existing procedures as a starting point.
Initial Workshop Lessons Learned and Takeaways. Form an Incident Response Team (IRT). Develop practical procedures: –First Responders –Technical Response –Communication. Outreach and awareness: the attacker could be someone internal; VoIP could also be compromised. Ongoing training for the IRT.
Incident Response Team. Different groups and areas of expertise are represented; 2 members for each area provides backup. The team consists of: –The Directors and 2 members each from Systems Administration, Network Services, and Consulting Services
Develop procedures from the “Ground Up”. The workshop revealed the importance of a “ground-up” approach to developing procedures: –First Responders Decision-tree –Incident Assessment and Classification –Technical Action Plans for different incident types –Communication Procedures –Equipment and tools for performing investigations
First Responders Decision-tree. Developed a decision tree for first responders that is easy for responders to use and determine next steps (http://www.dartmouth.edu/comp/docs/FirstResponseCriteria.doc). A ticket for the IRT is created automatically based upon the information entered.
Incident Assessment and Classification. Incidents reported to the IRT are then assessed and classified. The general criteria for assessing an incident include: –Sensitivity of potentially compromised data –Legal issues –Magnitude of service disruption –Threat potential –Expanse: how widespread the incident is
Incident Assessment and Classification: Step 1 – Determine Severity. Questions to determine severity: 1. Is sensitive, confidential or privileged data at risk? 2. Is business continuity at risk? 3. Did someone identify a security problem regarding Dartmouth systems in a public forum (website, listserv, message board, print media, broadcast media)? 4. Has law enforcement, a government agency, or another third party contacted Dartmouth regarding a possible incident?
Incident Assessment and Classification: Step 2 – Assign severity level. Low: risk or exposure to few. Medium: localized risk or exposure (e.g. a subnet, department, or non-critical service). Serious: institutional risk/exposure. The severity level determines the appropriate response plan.
Incident Assessment and Classification: Step 3 – Determine incident type. Incident Types: 1. Compromised System 2. Compromised User Credentials 3. Network Attack (DoS, Scanning, Sniffing) 4. Malware (Viruses, Worms, Trojans) 5. Lost Equipment/Theft 6. Physical Break-in 7. Social Engineering (phishing, fraud) 8. Law Enforcement Request 9. Policy Violation
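The three classification steps above, together with the decision tree's automatic ticket creation, lend themselves to a small triage tool. The following is an added example and is not Dartmouth's own FirstResponseCriteria.doc logic: it records the first responder's answers to the four Step 1 questions and the Step 2 exposure scale, derives a severity level, validates the Step 3 incident type, and emits the IRT ticket that selects the action plan. The specific rule for combining the Step 1 answers with the exposure scale (sensitive data or a third-party contact always yields Serious; a continuity or public-disclosure hit is at least Medium) is an assumption for illustration, as are the field names.

```python
"""Triage helper for first responders (added example, not Dartmouth's own
FirstResponseCriteria.doc logic).  It walks the three classification steps
from the slides and builds the IRT ticket that the decision tree is meant
to open automatically.  The escalation rules that combine the Step 1
questions with the Step 2 exposure scale are assumptions for illustration."""
from dataclasses import dataclass
from enum import IntEnum
import json


class IncidentType(IntEnum):
    """Step 3 incident types, numbered as on the slide."""
    COMPROMISED_SYSTEM = 1
    COMPROMISED_USER_CREDENTIALS = 2
    NETWORK_ATTACK = 3
    MALWARE = 4
    LOST_EQUIPMENT_THEFT = 5
    PHYSICAL_BREAK_IN = 6
    SOCIAL_ENGINEERING = 7
    LAW_ENFORCEMENT_REQUEST = 8
    POLICY_VIOLATION = 9


TYPE_LABELS = {
    IncidentType.COMPROMISED_SYSTEM: "Compromised System",
    IncidentType.COMPROMISED_USER_CREDENTIALS: "Compromised User Credentials",
    IncidentType.NETWORK_ATTACK: "Network Attack (DoS, Scanning, Sniffing)",
    IncidentType.MALWARE: "Malware (Viruses, Worms, Trojans)",
    IncidentType.LOST_EQUIPMENT_THEFT: "Lost Equipment/Theft",
    IncidentType.PHYSICAL_BREAK_IN: "Physical Break-in",
    IncidentType.SOCIAL_ENGINEERING: "Social Engineering (phishing, fraud)",
    IncidentType.LAW_ENFORCEMENT_REQUEST: "Law Enforcement Request",
    IncidentType.POLICY_VIOLATION: "Policy Violation",
}

# Step 2: exposure scale from the slide (few / localized / institutional).
SCOPE_TO_LEVEL = {"few": "Low", "localized": "Medium", "institutional": "Serious"}
LEVEL_RANK = {"Low": 0, "Medium": 1, "Serious": 2}


@dataclass
class FirstResponderReport:
    """What the first responder fills in while walking the decision tree."""
    reporter: str
    summary: str
    incident_type: int
    scope: str                                  # "few" | "localized" | "institutional"
    sensitive_data_at_risk: bool = False        # Step 1, question 1
    business_continuity_at_risk: bool = False   # Step 1, question 2
    public_disclosure: bool = False             # Step 1, question 3
    third_party_contact: bool = False           # Step 1, question 4


def escalation_triggers(r: FirstResponderReport) -> list:
    """Step 1: which of the four severity questions were answered 'yes'."""
    asked = [
        ("sensitive data at risk", r.sensitive_data_at_risk),
        ("business continuity at risk", r.business_continuity_at_risk),
        ("reported in a public forum", r.public_disclosure),
        ("law enforcement / third-party contact", r.third_party_contact),
    ]
    return [name for name, yes in asked if yes]


def assign_severity(r: FirstResponderReport) -> str:
    """Step 2: start from the exposure level, then apply floors from Step 1.
    Assumed rule: exposed sensitive data or a third-party contact is always
    Serious; a continuity or public-disclosure hit is at least Medium."""
    if r.scope not in SCOPE_TO_LEVEL:
        raise ValueError(f"unknown scope {r.scope!r}; expected one of {sorted(SCOPE_TO_LEVEL)}")
    level = SCOPE_TO_LEVEL[r.scope]
    if r.sensitive_data_at_risk or r.third_party_contact:
        floor = "Serious"
    elif r.business_continuity_at_risk or r.public_disclosure:
        floor = "Medium"
    else:
        floor = "Low"
    return level if LEVEL_RANK[level] >= LEVEL_RANK[floor] else floor


def create_ticket(r: FirstResponderReport) -> dict:
    """Build the IRT ticket; incident type and severity select the action plan."""
    itype = IncidentType(r.incident_type)   # raises ValueError on an unknown type number
    severity = assign_severity(r)
    return {
        "queue": "IRT",
        "severity": severity,
        "incident_type": TYPE_LABELS[itype],
        "action_plan": f"{itype.name}/{severity}",
        "escalation_triggers": escalation_triggers(r),
        "reporter": r.reporter,
        "summary": r.summary,
    }


if __name__ == "__main__":
    # Constructed report: a help-desk call about a single lab machine beaconing out.
    report = FirstResponderReport(
        reporter="helpdesk",
        summary="Lab workstation connecting to a known botnet controller",
        incident_type=IncidentType.COMPROMISED_SYSTEM,
        scope="few",
    )
    print(json.dumps(create_ticket(report), indent=2))
```

The point of keeping the Step 1 answers in the ticket as `escalation_triggers` is that the IRT sees why the severity landed where it did, rather than just the level; a report that is Serious only because of a third-party contact needs a different first move (communication) than one that is Serious because of institution-wide exposure.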
IRT – Response Action Plans. The IRT follows action plans based on incident type and severity level. Information is kept on an internal wiki for ease of use. http://www.dartmouth.edu/comp/docs/Nercomp-IRTActionPlans.doc http://www.dartmouth.edu/comp/docs/Nercomp-IncidentClassification.doc
IRT – Communication Procedures. Specific procedures for communication throughout the different phases of response, including both “horizontal” and “vertical” communication. Information is kept on an internal wiki for ease of use. http://www.dartmouth.edu/comp/docs/Communications.doc
IRT – Response Equipment. Dedicated laptop. NAS and portable storage for images. IR software on CDs and flash drives: –Helix: Incident Response & Computer Forensics Live CD (http://www.e-fense.com/helix/) –The Sleuth Kit and Autopsy: digital investigation tools for Linux (http://www.sleuthkit.org/) –Windows Forensic Toolchest (WFT) (http://www.foolmoon.net/security/wft/). Secure document storage.
Workshop 2 – IRT Hands-on “Live Incident”. The security consulting firm returned for a 2-day workshop (December 4 and 5) with the IRT: reviewed attack trends and highlighted response techniques; compromised 4 systems on a test network; the IRT practiced response procedures and use of the investigative tools.
Workshop 2 – Lessons Learned. Communication among IRT members working on different parts of the investigation is critical. Assessing unknown systems. Concerns over service disruption during the initial investigation. Differences in Windows vs. Linux analysis. Can be difficult for first responders: the desire to just fix it overwhelms the desire to preserve data.
Next Steps and Ongoing Efforts. Integrate IRT forms into the Remedy Help Desk system. Outreach to first responders not in PKCS and the College community. Ongoing monthly meetings for the IRT: –Further training in response and forensic tools –Sample scenarios and procedure updates –Review of emerging attack trends. Additional training exercises for the IRT and PKCS.
Questions? ellen.l.young@dartmouth.edu adam.goldstein@dartmouth.edu Copyright 2008 Trustees of Dartmouth College. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.