
Incident Response: The First 10 Minutes Matt Bing Incident Response Coordinator The University of Michigan


1 Incident Response: The First 10 Minutes
Matt Bing, Incident Response Coordinator, The University of Michigan
mattbing@umich.edu

2 Who am I?
Information Technology Security Services
- 10+ years experience in IT security
- 2 years at U-M
  - ITSS (IT Security Services)
  - Incident Response Coordinator
    - Ensure consistent handling of serious incidents University-wide
    - Expert advice: computer forensics, network and malware analysis
- Please understand that due to confidentiality, I will not be discussing real incidents

3 Agenda
- What is an incident?
- Incident lifecycle
- First steps in incident handling
- Tools
- What you can do

4 What is an incident?
IT security incidents have three faces:
- Data: attempted or successful unauthorized access, use, disclosure, modification, or destruction of information
- Resources: interference with IT operation
- People: violation of explicit or implied policy
Impact
- Not all incidents are equal

5 Goals of incident response
- Minimize consequences of incidents
- Enable informed decisions to be made by appropriate stakeholders
  - Not just an IT problem
- Understand the cause and effect of an incident
- Incorporate lessons learned
  - Processes and procedures
  - Countermeasures

6 Incident lifecycle
Phase 1: "The first 10 minutes"
- Notification
- Initial assessment
- Escalation
- Containment
Phase 2
- Analysis
- Further action
- Lessons learned

7 First steps
Notification
- First signs of an incident
- IDS alert / abuse report / user notification
- Amount of information is typically low
Initial assessment
- What is the possible impact?
- How confident are you that this is an incident?
- Almost always requires further investigation

8 Risk of actions
Availability of data goes down as your understanding of an incident goes up:
- File system MAC times are overwritten
- Logs are rotated
- Attackers cover their traces
- Examining a system changes it, possibly destroying valuable volatile data
- Can that crucial deleted log entry in slack space be overwritten?
Every action taken when examining an incident is a risk/benefit decision
- Increasing level of intrusiveness

9 Risk of actions
Does pulling the network cable have no risk? Not if the attacker has left something like this running on the host:
    while true; do ping -c 1 www.yahoo.com || rm -rf /; sleep 30; done
What about pulling the power cable?
- Lose ALL volatile information on the system
- Active processes, network connections

10 Initial assessment
Scenario
- We receive an abuse e-mail from Merit that a Windows XP machine on our network (192.168.109.132) is generating a large amount of traffic. We don't know what could be causing this, but this machine might contain student SSNs.
- How do we determine with a high degree of confidence whether this machine is compromised?

11-13 Portscan (screenshots of the scan output; not reproduced in the transcript)
14 Portscan
Nmap: http://insecure.org/nmap/
Netcat: http://www.vulnwatch.org/netcat/
Risks: depend entirely on the services probed; possibly modified MAC times on daemons, or generated log entries
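As an added example (not from the slides), a small Python script for the slide-10 scenario: it parses the grepable output of an Nmap scan run from a separate machine against the suspect host and compares the open ports with an assumed baseline for an XP workstation, so the first assessment step stays at the network-side level of intrusiveness the slides start with. The Nmap output, the baseline set and the 6667/31337 listeners are all constructed for illustration.

```python
import re

# Constructed Nmap "grepable" (-oG) output for the suspect host in the
# slide-10 scenario, as seen from a separate scanning machine.
NMAP_GREPABLE = """\
# Nmap 4.20 scan initiated as: nmap -sS -oG - 192.168.109.132
Host: 192.168.109.132 ()  Status: Up
Host: 192.168.109.132 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 6667/open/tcp//irc///, 31337/open/tcp//Elite///  Ignored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Assumed baseline: TCP ports a stock XP workstation on this network is
# expected to expose (RPC, file and printer sharing). Adjust to your site.
XP_WORKSTATION_BASELINE = {135, 139, 445}

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

def parse_open_ports(grepable, host):
    """Return {port: service} for every open TCP port Nmap reports on host."""
    open_ports = {}
    for line in grepable.splitlines():
        if not line.startswith("Host: %s " % host) or "Ports:" not in line:
            continue
        # Drop the trailing "Ignored State: closed (65530)" summary.
        ports_field = line.split("Ports:", 1)[1].split("Ignored State:", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":
                open_ports[int(port)] = service
    return open_ports

def unexpected_ports(open_ports, baseline):
    """Open ports outside the baseline: each one needs an explanation."""
    return {p: s for p, s in open_ports.items() if p not in baseline}

def triage(grepable, host, baseline):
    """Summarise the scan and say whether the host warrants a closer look."""
    seen = parse_open_ports(grepable, host)
    odd = unexpected_ports(seen, baseline)
    verdict = "investigate further" if odd else "consistent with baseline"
    return {"open": seen, "unexpected": odd, "verdict": verdict}

if __name__ == "__main__":
    result = triage(NMAP_GREPABLE, "192.168.109.132", XP_WORKSTATION_BASELINE)
    for port, service in sorted(result["unexpected"].items()):
        print("unexpected listener: %d/tcp (%s)" % (port, service))
    print("verdict:", result["verdict"])
```

An unexpected listener is a reason to escalate, not proof of compromise; a host that matches the baseline is not cleared either, since the scan only sees what the services on the box choose to answer.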

15-16 TCPView (screenshots of the tool's output; not reproduced in the transcript)
17 TCPView
http://www.sysinternals.com/Utilities/TcpView.html
Risks: copied a binary to the system and executed it
- Can we trust the output if there is a rootkit installed?
- Requires Administrator access: was a keyboard sniffer installed when we logged on?
- Modified registry if run from USB or CDROM
- Utility installs a new system device driver
- New entry in Prefetch cache

18 Event Viewer (screenshot; not reproduced in the transcript)

19 Event Viewer
Risks: modifies the access time on MMC.EXE and on the files containing the event logs, %windir%\SYSTEM32\config\*.evt

20 Virus Scan
Identifies any potential malicious code on the system, but…
Risks: overwrites the access time on all files scanned
- High level of intrusiveness

21 What next?
Escalation
- Notify the appropriate business owners
- Devise a containment plan together
- Explain the risks
Containment
- Pull the network plug?
- Add a firewall rule or router filter?

22 After the first 10 minutes
Analysis
- What other information about the system do you have?
  - Netflow, firewall, antivirus logs
- Analyze to determine root cause and effect
- Escalate to other stakeholders, as necessary
Further action
- Notification to affected individuals?
- Involve law enforcement?
Lessons learned

23 Other tools
EnCase: http://www.guidancesoftware.com/
Helix: http://www.e-fense.com/helix/
VMware: http://www.vmware.com/
IDA Pro: http://www.datarescue.com/idabase/index.htm

24 What you can do
- Develop a toolset
- Stay current in the security community
- Identify critical systems and locations of sensitive data
- Know your business owners
- Introduce yourself to law enforcement

25 Questions / Comments
Thank You

