“Security Breach Response”  Please respond to the following:

Information Technology Risk Management

  • Reading(s), from Gibson

    • Chapter 15: Mitigating Risk with a Computer Incident Response Team

  • Review Lecture

Book:

  • Information Systems Security & Assurance Series
  • Jones & Bartlett Learning
  • Managing Risk in Information Systems, Darril Gibson, second edition

“Security Breach Response”  Please respond to the following:

  • Read The Wall Street Journal’s article titled “Target Warned of Vulnerabilities Before Data Breach” located at http://online.wsj.com/articles/SB10001424052702304703804579381520736715690. Then, read Target’s response at https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ. Critique Target’s response to the security breach in the context of ethics, regulations, and best practices.

Please:

  • List all references.
  • Cover page is not needed.
  • Number of pages needed: 5, plus a 1-page summary (6 pages total)
  • Please use additional info (slides script) on this attachment when elaborating on this subject.

CIS527 Week #10 IT Risk Management Mitigating Risk with a Computer Incident Response Team

Slide # | Slide Title | Slide Narration

Slide 1

Introduction

Welcome to IT Risk Management.

In this lesson we will discuss Mitigating Risk with a Computer Incident Response Team

Next slide

Slide 2

Topics

The following topics will be covered in this lesson:

What a computer incident response team (CIRT) plan is;

What the purpose of a CIRT is;

What the elements of a CIRT plan are;

How a CIRT plan can mitigate an organization’s risk; and

What best practices for implementing a CIRT plan are.

Next slide

Slide 3

What Is a Computer Incident Response Team (CIRT) Plan?

A computer incident is a violation, or imminent threat of a violation, of a security policy or security practice, and includes any adverse event or activity that affects the security of computer systems or networks. The event may result in loss of confidentiality, integrity, or availability.

The terms “computer incident” and “computer security incident” mean the same thing and are used interchangeably.

An imminent threat of violation is an incident that is about to occur. This commonly refers to emerging threats, such as viruses or worms that are rapidly spreading.

Multiple types of computer incidents can affect an organization, including:

Denial of service (DoS) attack;

Malicious code;

Unauthorized access;

Inappropriate usage; and

Multiple component

A computer incident response team (CIRT) is a group of people that will respond to incidents. The CIRT plan is a formal document that outlines an organization’s response to computer incidents.

Next slide

Slide 4

Purpose of a CIRT Plan

The purpose of the CIRT plan is to help an organization prepare for computer incidents. This preparation helps the organization identify potential incidents. With the CIRT Plan, security personnel can then identify the best responses to reduce the potential damage.

A CIRT plan outlines the purpose of the response effort. In general, the purpose is to identify the incident as fully as possible. The answers to the five Ws are a good starting point. The five Ws are what, where, who, when, and why. For good measure, add in how it occurred.

The what identifies what type of attack occurred. The attack could be a DoS attack, a malware attack, unauthorized access, or inappropriate usage. Next, where the attack occurred needs to be identified, then who launched the attack. Logs are very useful for this. Audit logs can be checked for the system, as well as firewall and router logs. If the user authenticated, the logs will identify the user account used for the attack.

Identifying when an attack occurred is much more than just identifying when the symptoms were discovered. Attackers perform reconnaissance before an attack. Log entries may show that the reconnaissance attacks occurred several times over the past week from the same source, for instance.

Answering why attackers attack helps to understand their motive.

Last, identify how the attack occurred. This helps to identify the vulnerabilities that exist in this system. Once it is discovered how the attack succeeded, identification as to how to prevent it in the future can be made. In other words, identifying how the attack succeeded helps identify controls or countermeasures to prevent future attacks.

Next slide

Slide 5

Elements of a CIRT Plan

CIRT plans can have several different elements, but there are no specific requirements stating that certain elements must be included. A CIRT plan commonly includes information on the membership of the CIRT and policy information, and may also include details on communication methods and incident response procedures.

Although a CIRT plan identifies CIRT members, these members will be involved before the creation of the CIRT plan. Specifically, they will help create the plan. CIRT members include IT and security professionals who understand the risks that threaten networks and systems. There are different models that can be used for a CIRT. The National Institute of Standards and Technology (NIST) regularly releases special publications (SPs). NIST SP 800-61 identifies the following three models:

Central incident response team;

Distributed incident response team; and

Coordinating team

Roles also need to be identified clearly. CIRT members often hold one or more specific roles in the team. The goal is to ensure that the team includes members from several different areas. Roles held by the team members include team leader, information security members, network administrators, physical security, legal, human resources, and communications.

Next slide

Slide 6

Elements of a CIRT Plan (continued)

The incident response team has several responsibilities that involve helping to develop the plan, respond to incidents, and document the incidents. Each member of the team has special skills and responsibilities to the team.

Some of the primary responsibilities of the CIRT include:

Develop incident response procedures;

Investigate incidents;

Determine cause of incidents;

Recommend controls to prevent future incidents;

Protect collected evidence; and

Use a chain of custody.

The CIRT plan at any organization may spell out the previous responsibilities, and if the organization has other responsibilities expected of the CIRT, they can be included in the CIRT plan.

The CIRT is also accountable to the organization to provide a proactive response to any incident. Although incidents can’t be avoided, the team is expected to minimize the impact of the incident.

Next slide

Slide 7

Elements of a CIRT Plan (continued)

A CIRT plan includes CIRT policies which may be simple policy statements, or appendixes at the end of the plan. These policies provide the team with guidance in the midst of any incident.

One of the primary policies to consider is whether CIRT members can attack back or not. During the investigation of an incident, a team member may have the opportunity to launch an attack on the attacker. The question is, “Should this be done?” The answer is almost always a resounding “No!” because if the CIRT member is caught, he or she can be prosecuted. A defense of “but he did it first” won’t impress a judge. Similarly, even if the attacker broke laws attacking the organization’s network, that does not justify breaking laws to attack back.

This is not to say that an organization should never attack back. Police, government, and military agencies may have specific units that are trained to attack. These attacks may gather evidence on criminal activities and may be purposeful cyberwarfare against a government’s enemies. However, if this isn’t the specific mission of the unit, an attack back should not be initiated.

Next slide

Slide 8

Elements of a CIRT Plan (continued)

A CIRT plan identifies the incident handling process. This process can be a large part of the plan depending on how detailed the plan is. NIST SP 800-61 is the “Computer Security Incident Handling Guide.” The guide outlines distinct phases of the incident handling process, as follows:

Preparation;

Detection and analysis;

Containment, eradication and recovery;

Post incident recovery; and

Handling DoS attack incidents

A suspected attack can be confirmed by reviewing available logs. System logs include information on system activity. Firewall logs can show network traffic to the system. Additionally, logs gathered by the Intrusion Detection System (IDS) can identify many specific types of attacks. The response depends on the type of attack. For example, if the attack is due to a vulnerability, such as an unpatched system, the primary response should be to fix the vulnerability. If an IDS system doesn’t automatically respond to the attack, changes can be made manually. The goal is to identify the source of the attack and modify the firewall rules to block the traffic.

Next slide

Slide 9

Elements of a CIRT Plan (continued)

Malware incidents are the result of any malicious software, such as viruses and worms. There are many types of malware, and new ones appear daily. Some of the varieties include:

Viruses;

Worms;

Mobile code; and

Trojan horses.

The primary protection against malware is antivirus (AV) software. Many organizations use a three-pronged approach. First, AV software is installed on all systems in the organization. Second, because the majority of viruses are delivered via e-mail, AV software is installed on the e-mail server. Last, AV software is often installed at the boundary of the network where the intranet meets the Internet, where it can filter all traffic for potential malware.

A secondary protection is training and education. Many users are unaware of how malware is delivered. Users also do not recognize the extent of damage possible from malware. Routine training educates users about the types of malware threats. Last, many organizations configure Web browsers and e-mail readers to prevent the execution of malicious mobile code.

Next slide

Slide 10

Check Your Understanding

Slide 11

Elements of a CIRT Plan (continued)

An unauthorized access incident occurs when a person gains access to resources that the person is not authorized to access. Although this can be accidental, the focus is on attackers gaining access to data or systems. Social engineering and technical attacks are two more ways attackers can gain access to a system.

Some examples of unauthorized access incidents include:

Attacking and defacing a Web server;

Uploading or downloading data from a File Transfer Protocol (FTP) server;

Using an unattended workstation without permission;

Viewing or copying sensitive data without authorization;

Using social engineering techniques to collect organization data;

Guessing or cracking passwords and logging on with these credentials; and finally,

Running a packet sniffer like Wireshark to capture data transmitted on the network.

The majority of these types of attacks originate from attackers outside the organization. Attackers often access servers or other internal resources through the Internet. Internet-facing servers are most vulnerable to Internet-based attacks.

Next slide

Slide 12

Elements of a CIRT Plan (continued)

One of the basic protection steps you can take is to ensure that all servers are hardened. Steps to harden a server include:

Reduce the attack surface;

Keep systems up to date;

Enable firewalls; and

Enable Intrusion Detection Systems.

Unauthorized access incidents can be detected through several methods. IDSs often provide warnings about reconnaissance activity before an attack. Educated users can report social engineering attempts. A social engineer uses conning and trickery to get a user to give up secrets. Informed users can recognize these attempts and report them to administrators.

Some attacks are not detected. An attacker may reach in, access data in a database, and then disappear. Even if it is logged, the actual event may go undetected until later when there is a realization that a problem has occurred. The stolen data may be research and development data that is now being used by a competitor, or the data may be customer credit information. Until customers complain about it, the problem may not actually be detected.

The response depends on the attack. If the attack is detected in progress, the goal is to isolate the affected system. If the problem is due to a compromised account, the account can be disabled. If the account is a privileged one, such as an account with elevated permissions, there must be a check to see whether other accounts were created with it.
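Slide 4 says logs answer the who, where and when (including earlier reconnaissance from the same source), and this slide adds that a compromised privileged account must be checked for accounts it created. The following script, added here as an example and not part of the lecture or Gibson's text, works both questions over a constructed simplified log; the log format, host names and event names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the lecture).  Simplified format:
# "<ISO timestamp> <host> <event> key=value ...".
SAMPLE_LOG = """\
2024-03-01T02:14:07 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T02:14:09 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2024-03-03T23:40:51 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-03-06T01:02:11 web01 AUTH_FAIL user=svc_backup src=203.0.113.7
2024-03-06T01:02:15 web01 AUTH_FAIL user=svc_backup src=203.0.113.7
2024-03-06T01:02:20 web01 AUTH_OK user=svc_backup src=203.0.113.7
2024-03-06T01:05:44 web01 USER_ADD actor=svc_backup new_user=maint2
2024-03-06T01:06:02 web01 GROUP_ADD actor=svc_backup user=maint2 group=admin
2024-03-06T01:30:00 web01 AUTH_OK user=alice src=10.0.1.20
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_line(line):
    """Parse one line into a dict of ts, host, event and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=datetime.fromisoformat(ts), host=host, event=event)
    return fields


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def who_where_when(events):
    """Find the first successful logon that followed failed attempts from
    the same source (a password-guessing pattern), then look back for
    earlier firewall denies from that source: the real 'when' of the
    attack is the first reconnaissance, not the logon."""
    failed = defaultdict(int)
    for e in events:
        if e["event"] == "AUTH_FAIL":
            failed[(e["src"], e["user"])] += 1
        elif e["event"] == "AUTH_OK" and failed[(e["src"], e["user"])]:
            recon = [x for x in events if x["ts"] < e["ts"]
                     and x.get("src") == e["src"] and x["event"] == "DENY"]
            return {"who": e["user"], "where": e["host"], "source": e["src"],
                    "when": e["ts"], "recon_events": len(recon),
                    "first_seen": min(x["ts"] for x in recon) if recon else e["ts"]}
    return None


def accounts_created_by(events, actor):
    """Accounts the compromised account created or elevated; these must
    be disabled along with it, or the attacker keeps a way back in."""
    created = set()
    for e in events:
        if e.get("actor") != actor:
            continue
        if e["event"] == "USER_ADD":
            created.add(e["new_user"])
        elif e["event"] == "GROUP_ADD":
            created.add(e["user"])
    return sorted(created)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hit = who_where_when(evs)
    print(hit)
    print("also disable:", accounts_created_by(evs, hit["who"]))
```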

Next slide

Slide 13

Elements of a CIRT Plan (continued)

Inappropriate usage incidents occur when users violate internal policies. These incidents aren’t usually as serious as external incidents, but depending on the activity, the incidents can be serious and result in loss of money for the organization.

Examples of inappropriate usage include users who:

Spam coworkers;

Access Web sites that are prohibited;

Purposely circumvent security policies;

Use file-sharing or P2P programs;

Send files with sensitive data outside the organization; or

Launch attacks from within the organization against other computers.

The first thing to do to help prevent these incidents is to have a security policy. The security policy should include an Acceptable Use Policy (AUP), or the AUP should be separate. The AUP identifies what is acceptable usage and what is not acceptable usage.

The use of P2P programs to download or share pirated music, videos, or programs is also included in many AUPs. One of the main problems with P2P programs is data leakage, which occurs when the P2P network shares user data without the user being aware of it.

Firewalls and proxy servers log all traffic going through them. The logs can be scanned to determine if users are violating the policies. A second way to detect inappropriate usage is through other users who may receive spam from an employee advertising his or her business or promoting a religion.

The primary response is based on the existing policies, which include the security policy and the AUP. If policies don’t exist, they need to be created. If an employee violates the policy, the employee is at fault, but if a policy doesn’t exist, the organization may be at fault.

Next slide

Slide 14

Elements of a CIRT Plan (continued)

A multiple component incident is a single incident that includes two or more other incidents. These incidents are related to each other, but that may not be apparent right away.

To consider how this works, imagine a user receives an e-mail with a malware attachment. When the user opens the attachment, it infects the user’s system. This is the first incident. The malware has three objectives. First, it releases a worm component that seeks out computers on the network and infects them. This is the second incident. Next, it contacts a server on the Internet that is managing a botnet. In this role, the infected system acts as a zombie. It waits for a command from the botnet control server and then does whatever it’s commanded to do. Because the infected system has infected other systems on the network, multiple systems can be infected. Each of these systems is looking for other systems to infect, and acting as a zombie ready to perform the bidding of the botnet. Next, consider that the botnet control server issues a command to all the infected systems. This directs them to launch an attack on a server on the Internet. All the zombies in the network attack. This is the third incident.

In this case, the primary protection is AV software and ensuring the AV software is up to date. Anomaly-based intrusion detection systems may notice the increased activity on the network. An anomaly-based IDS starts with a baseline of normal activity. When activity increases outside the established threshold, the IDS alerts on the anomaly.
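The anomaly-based IDS described above starts from a baseline and alerts when activity crosses a threshold. The following script, added here as an example and not taken from the lecture or Gibson's text, builds that baseline from constructed per-host connection counts and also flags the worm pattern of this slide, where the set of anomalous hosts grows from one window to the next; the host names, counts and the mean-plus-three-standard-deviations threshold are assumptions.

```python
import statistics

# Constructed sample data (not from the lecture): outbound connection
# attempts per workstation, counted in five-minute windows.  BASELINE is
# a quiet period; WINDOWS are three consecutive windows being checked.
BASELINE = {
    "ws-01": [4, 6, 5, 3, 7, 5, 4, 6, 5, 5],
    "ws-02": [2, 3, 2, 4, 3, 2, 3, 2, 3, 3],
    "ws-03": [8, 9, 7, 10, 8, 9, 8, 7, 9, 8],
}
WINDOWS = [
    {"ws-01": 6, "ws-02": 41, "ws-03": 9},    # one host starts scanning
    {"ws-01": 37, "ws-02": 44, "ws-03": 8},   # a second host joins in
    {"ws-01": 40, "ws-02": 39, "ws-03": 52},  # all three now scanning
]


def build_thresholds(baseline, k=3.0):
    """Per-host threshold = mean + k * population std dev of the quiet
    period.  k=3 keeps false positives rare for roughly normal traffic."""
    return {h: statistics.mean(v) + k * statistics.pstdev(v)
            for h, v in baseline.items()}


def anomalous_hosts(thresholds, window):
    """Hosts whose count exceeds their threshold.  A host with no
    baseline cannot be judged against one, so it is reported as well:
    a new, unexpected talker is itself worth a look."""
    return sorted(h for h, n in window.items()
                  if h not in thresholds or n > thresholds[h])


def assess_windows(thresholds, windows):
    """Evaluate consecutive windows and flag the worm-like pattern where
    the set of anomalous hosts keeps growing window over window."""
    per_window = [anomalous_hosts(thresholds, w) for w in windows]
    growing = all(len(b) > len(a) for a, b in zip(per_window, per_window[1:]))
    return {"alerts": per_window, "spreading": growing and len(per_window) > 1}


if __name__ == "__main__":
    th = build_thresholds(BASELINE)
    for host, limit in th.items():
        print(f"{host}: alert above {limit:.1f} connections per window")
    print(assess_windows(th, WINDOWS))
```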

Next slide

Slide 15

Elements of a CIRT Plan (continued)

Escalation occurs when an event is determined to be an incident, and is declared an incident. One of the first steps to take when an incident is declared is to recall the CIRT members, either by phone tree or any other type of traditional recall. Communication is very important during the incident and may be hampered during the incident as well. For example, e-mail or instant messenger systems can fail during an incident. If these are the primary methods of communication with no backup plan, communication will be challenging.

Solutions used for Disaster Recovery Plans can also be used for computer incidents, such as CIRT members being issued push-to-talk phones or walkie-talkies. A war room can also be set up for face-to-face communications. The war room can be staffed constantly, and team members can report findings to personnel there.

Incident handling procedures must be followed when an incident is suspected. Checklists can be included in the CIRT plan as procedures to use in response to incidents. IT professionals who are first notified of a potential incident can use these checklists, as well as CIRT members. Although checklists cannot be created to respond to every possible incident, they can be tailored to different types of incidents.

Calculating the impact and priority of the incident is one of the important steps when handling it. The CIRT plan can include tools to help personnel determine the impact and priority. Members can then refer to these tools for clarification during the incident.

Once the impact and priority have been determined, checklists can be used. The following is a sample generic checklist:

Verify an incident has occurred;

Determine type of incident;

Determine impact or potential impact of incident;

Report incident;

Acquire available evidence on incident;

Contain incident;

Escalate incident;

Recover from incident; and

Document incident.

Next slide

Slide 16

Elements of a CIRT Plan (continued)

Handling DoS attack incidents, malware incidents, unauthorized access incidents, and inappropriate usage incidents can be accomplished by evaluating the attack and then designing a checklist that addresses the type of attack specifically. The following items should be considered when creating a checklist for any type of attack identified above:

Containment;

Eradication; and

Recovery

The following list is specific to DoS attack incidents:

Containment: Halt the DoS attack as soon as possible. There may be the ability to add filters at routers or firewalls to block the traffic based on the IP address, port, or protocol used in the attack

Eradication: Identify vulnerabilities that allowed the DoS attack. It could be because the server wasn’t adequately hardened.

Recovery: Determine if there is any long-term damage on the server and repair if applicable.

The following list is specific to malware incidents:

Containment: Identify all the infected systems and disconnect them from the network. Identify why the AV software didn’t detect the malware.

Eradication: Run full scans on the systems. AV vendors such as Symantec and McAfee often host pages that show detailed steps to remove multipartite viruses and other advanced malware.

Recovery: Replace any files that were deleted or quarantined and are needed for system operation. Verify that the system is no longer infected.

Next slide

Slide 17

Elements of a CIRT Plan (continued)

The following list is specific to unauthorized access incidents:

Containment: If the attack is discovered in process, identify the attacked system and isolate it from the network.

Eradication: Identify the weaknesses that allowed the attack to succeed. Ensure that all the steps to harden the server have been completed and haven’t been modified. Ensure that strong passwords are being used. Consider changing the passwords on the system.

Recovery: After the vulnerabilities have been resolved, reconnect the systems and verify they are operational. Test the systems to ensure they are operating as expected.

The following list is specific to inappropriate usage incidents:

Containment: Consider disabling the user’s account until management takes action.

Eradication: Some organizations require users to complete specific training before their access is returned. Other organizations require supervisors to document the activity in the employee’s record.

Recovery: If the account was disabled, you would enable it after the appropriate action has been completed.

Next slide

Slide 18

How Does a CIRT Plan Mitigate an Organization’s Risk?

The CIRT plan helps an organization prepare for incidents. When prepared, the organization is able to respond to the incidents much quicker and with focused action.

One of the primary benefits of the CIRT plan is the identification of CIRT members. The plan identifies these individuals so that the organization knows who they are.

Once the plan and the members are identified, the organization has a better understanding of the skills needed. The members can be trained to ensure they have the skills needed to support the requirements.

Without the plan, IT and security professionals don’t have the benefit of time to analyze their response.

Next slide

Slide 19

Best Practices for Implementing a CIRT Plan for Your Organization

When implementing a CIRT plan for your organization, you can use several best practices. The following list shows some of these best practices:

Define a computer security incident;

Include policies in the CIRT plan to guide CIRT members;

Provide training;

Include checklists; and

Subscribe to security notifications

Next slide

Slide 20

Check Your Understanding

Slide 21

Summary

We have reached the end of this lesson. Let’s take a look at what we’ve covered.

First we defined what a computer incident response team (CIRT) plan is. We defined the team as a group of people assigned to respond to computer incidents within an organization, and the plan as a formal document which outlines an organization’s response to computer incidents.

Next we discussed the purpose of the CIRT plan, which is to help prepare for computer incidents, outline the purpose of response efforts, and answer the five Ws – what, where, who, when, why, and lastly how.

We then looked at the elements of a CIRT plan. We learned that CIRT plans commonly include information on membership, organizational policy, communication methods, and incident response procedures. We also looked at common CIRT models and roles in this section.

Next we learned how a CIRT plan can mitigate an organization’s risk. Here, we learned that it helps the organization to plan for incidents, identifies the CIRT members, and provides a better understanding of the skills needed to handle a computer incident.

Lastly, we considered the best practices for implementing a CIRT plan. These included defining a computer security incident, including policies in the CIRT plan to guide CIRT members, providing training, including checklists, and subscribing to security notifications.

This completes this lesson.