Incident Response Process

The document discusses the incident response process and preparation for incident response. It defines an incident and explains that incidents are usually handled by a computer security incident response team (CSIRT) comprised of personnel with different qualifications. It emphasizes the importance of pre-incident preparation, which includes identifying corporate risks, preparing hosts and networks, establishing policies and procedures, creating an incident response toolkit, and forming a CSIRT.

Uploaded by vanessa


INCIDENT RESPONSE
Incident: ‘The attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or
interference with system operations in an information system.’

Incident Response is an organization's reaction to unlawful or unacceptable actions involving a computer or network component. Instead of being caught unprepared and starting a chaotic and possibly devastating response, a systematic and well-organized approach should be used to react. Therefore, incidents are usually handled by a so-called Computer Security Incident Response Team, or CSIRT, which is comprised of personnel with the different qualifications needed during the response process, in particular people with legal and technical expertise.
PRE-INCIDENT PREPARATION

You come into work and discover that your servers have been compromised, and valuable personal data has been stolen.
No problem, you call your computer security incident response team (CSIRT), and everything will be great, right?

Not necessarily. One of the most important, and most overlooked, steps of intrusion detection is the PRE-INCIDENT PREPARATION.

- Identify your corporate risk
- Prepare your hosts for incident response
- Prepare your network by implementing network security measures
- Establish policies and procedures that allow you to meet your response objectives
- Create a response toolkit for use by the CSIRT
- Create a CSIRT that can assemble to handle incidents


IDENTIFY YOUR CORPORATE RISK

● Unpatched web servers
● Internet-facing systems
● Untrained employees

This is fairly self-explanatory. Basically it just means asking a few questions. What are our assets? How are those assets threatened? How can someone get to those assets?

For my example, we will pretend to be in charge of security for a commercial property management company. In this case,
field offices are spread throughout the country. At each office a database containing sensitive client information is
maintained, and it is required that the database is sent to the "Home Office" once a week.

Our assets would then be the database, and the information contained could be addresses, social security numbers, tax IDs, etc. The threat could come from competitors vying for our clients or identity thieves. The vulnerabilities lie in several areas: untrained users, sniffers, keyloggers, database 'miners', and unpatched servers.
PREPARING HOSTS FOR INCIDENT RESPONSE

- Record checksums of critical files: A checksum, also known as a fingerprint, is a hash value unique to that file. These are used to compare a system in a known "good state" against a system that may have been compromised. One of the most commonly used methods to create checksums is the MD5 algorithm.
- Increase and enable secure audit logging: By transferring your log files to a remote secure server, you minimize the danger of log files being removed or altered.
- Build up defenses: patches, firewall, IDS, etc.
- Back up data and store media securely
- Educate users about security


Implementing host-based security

1. Install and configure a host-based firewall
2. Choose good passwords for any accounts on the system, and change any default or well-known accounts on the machine
3. Install and keep up with operating system patches and also hardware firmware patches
4. Configure and continue to monitor logs on the device
5. Disable services and accounts which are not being used, or are no longer necessary
6. Replace insecure services (such as telnet, rsh, or rlogin) with more secure alternatives such as ssh
7. Restrict access to services which cannot be disabled where possible
8. Make and test backups of the system in a consistent manner
PREPARING A NETWORK

- Install firewalls and IDS
- Use access control on routers
- Create a network topology conducive to monitoring
- Encrypt network traffic
- Require authentication

Implementing network-based security

In network penetration testing, the network is scanned and mapped and its ports are checked. If a port is found open or unfiltered, the service behind it is checked for vulnerabilities, and a vulnerable service can then be exploited so that the whole server can be compromised over the network.

Firewalls protect computers and networks from external attacks by regulating Internet traffic. That is, they control the data coming into and going out of a computer or network. The firewall itself can exist on individual computers or as part of the entire network, installed on a server or router. There are two types: host-based firewalls and network-based firewalls.

A NIDS tries to detect malicious activity such as denial-of-service attacks, port scans and attacks by monitoring the network traffic.

Employ an Intrusion Detection System (IDS)

Host-based intrusion detection systems (HIDS) are systems that sit at service endpoints rather than at network transit points like a NIDS. The first type of IDS that was widely implemented, host IDS, is installed on servers and is more focused on analyzing the specific operating system and application functionality residing on the HIDS host. HIDS are often critical in detecting internal attacks directed towards an organization's servers such as DNS, mail, and web servers. HIDS can detect a variety of potential attack situations such as file permission changes and improperly formed client–server requests.

File Integrity and Log File Checkers


File integrity and log file checking agents are a form of HIDS that focus on the operating system's binary files and the log files normally produced by OS-based security mechanisms such as login logs. File integrity software systems are best installed immediately after operating system installation. The software creates a local database of MD5 hashes of operating system binaries and configuration files. Should system binaries or other files change in any way, nightly processes that compare current hashes against the original file hashes will detect the change and alert administrators.
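As an added example (not from the original slides), the Python below implements the baseline-and-compare check that both the "record checksums of critical files" step and the file integrity checker paragraph describe: hash every file under a directory tree, keep the result, and later re-hash the tree and report what changed, went missing, or appeared. It defaults to SHA-256 rather than the MD5 the slides mention, because MD5 collisions are practical today (pass `algorithm="md5"` if you need to match an older tool). The directory layout, file contents and the tampering in `demo()` are constructed for illustration.

```python
"""Baseline-and-compare file integrity check (added example, not from the slides)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string; "md5" also works but is collision-weak."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256"):
    """Stream a file through the hash so large binaries do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(root, baseline, algorithm="sha256"):
    """Re-hash the tree and report differences against the stored baseline."""
    current = build_baseline(root, algorithm)
    return {
        "changed": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fresh tree, tamper with it, then compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        # In practice the baseline is stored (and ideally signed) off-host, so an
        # intruder who gains root cannot rewrite it along with the binaries.
        stored = json.dumps(build_baseline(root))

        # Simulate what the nightly job should catch: a replaced binary,
        # a deleted configuration file, and a new file dropped on the host.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary (constructed)")
        (root / "etc" / "passwd").unlink()
        (root / "bin" / "nc").write_bytes(b"dropped tool (constructed)")

        return compare_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison deliberately reports three classes separately: a changed hash is the classic trojaned-binary signal, a missing file can indicate log or config deletion, and an added file in a system directory is often the first sign of dropped tooling.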

Log file checkers run regularly as well and parse system and application logs to search for signature-based alerts. For instance, multiple failed logins on a server would typically be detected and reported by log-checking software.
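The "multiple failed logins" signature above, as an added example in Python that is not part of the original slides: it parses OpenSSH-style authentication lines and raises an alert when a single source address accumulates a threshold of failures inside a sliding time window, so that a burst of guesses is reported while two unrelated typos an hour apart are not. The log lines, hostnames, addresses and the threshold and window values are constructed for illustration.

```python
"""Sliding-window failed-login detector over auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of OpenSSH auth logs, with an ISO timestamp prefix.
SAMPLE_LOG = """\
2024-01-10T08:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-01-10T08:00:04 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-01-10T08:00:09 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51251 ssh2
2024-01-10T08:00:15 host1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
2024-01-10T08:00:20 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51270 ssh2
2024-01-10T08:01:00 host1 sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
2024-01-10T08:30:00 host1 sshd[1300]: Failed password for bob from 192.0.2.10 port 40010 ssh2
2024-01-10T09:15:00 host1 sshd[1400]: Failed password for bob from 192.0.2.10 port 40020 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failed_logins(text):
    """Return (timestamp, source_ip, username) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert per source IP when >= threshold failures fall within any `window`."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))

    alerts = []
    for src, items in by_src.items():
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "count": end - start + 1,
                    "first": items[start][0],
                    "last": items[end][0],
                    "users": sorted({u for _, u in items[start:end + 1]}),
                })
                break  # one alert per source is enough here
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)):
        print(f"{alert['src']}: {alert['count']} failures between "
              f"{alert['first']} and {alert['last']} against {alert['users']}")
```

Reporting the set of usernames tried is what separates password spraying across accounts from a single user mistyping a password, and it is the detail an analyst wants in the alert rather than in a follow-up search.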
Intrusion Prevention Systems
Network-based intrusion prevention systems (IPS) perform packet sniffing and analyze network traffic to identify and stop
suspicious activity. Network-based IPS acts like a network firewall.

It receives packets, analyzes them, and allows acceptable packets to pass through. The network-based IPS architecture
allows some attacks to be detected on networks before they reach their intended targets.

Most network-based IPS products use a combination of attack signatures and analysis of network and application protocols,
which means that they compare network activity for frequently attacked applications (e.g., email servers, web servers) to
expected behavior to identify potentially malicious activity.

Network-based IPS products are used to detect many types of malicious activity besides malware, and typically can detect only a few instances of malware by default, such as recent major worms. However, some IPS products are highly customizable and can deploy attack signatures for many major new malware threats in a matter of minutes.

Network-based IPS products can be effective at stopping specific known threats, such as network service worms, and email-borne malware with easily recognizable characteristics (e.g., subject, attachment filename). Another form of IPS, known as a network behavior analysis (NBA) system, attempts to stop attacks by identifying unusual network traffic flows.
Antivirus
● Scanning critical host components such as startup files and boot records.
● Antivirus software should be configured to perform real-time scans of each file as it is downloaded, opened, or executed, which is known as on-access scanning.
● Monitoring the behavior of common applications, such as email clients, web browsers, and instant messaging software. Antivirus software should monitor activity involving the applications most likely to spread malware to other hosts.
● Scanning files for known malware. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and, optionally, depending on organization security needs, to scan removable media inserted into the host before allowing its use. Users should also be able to launch a scan manually as needed, which is known as on-demand scanning.
● Identifying common types of malware as well as attacker tools.
● Disinfecting files, which refers to removing malware from within a file, and quarantining files, which means that files containing malware are stored in isolation. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored.
Access Control

Traffic between zones is carefully controlled:

- Personnel in the Finance group can get email, Active Directory, and web traffic to proxies
- Connections to servers over HTTPS
- Servers are not allowed to send outbound traffic to the Internet
- For system management, administrators use two-factor authentication to the specified administrative workstation (jump-box)
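The zone policy on this slide, expressed as a small default-deny rule evaluator in Python (an added example, not from the original slides). Rules are matched first-hit, and anything no rule allows is denied, which is what makes "servers never talk outbound" and "admin access only via the jump-box" hold without listing every forbidden combination. The zone names, address ranges (documentation prefixes) and port numbers are constructed for illustration; the two-factor step on the jump-box is an authentication control and is not modelled here.

```python
"""Default-deny zone policy evaluator (added example, not from the slides)."""
from ipaddress import ip_address, ip_network

# Constructed zones. 0.0.0.0/0 is the catch-all "internet" zone; longest prefix wins.
ZONES = {
    "finance": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.20.0.0/24"),
    "proxies": ip_network("10.30.0.0/24"),
    "jumpbox": ip_network("10.40.0.0/28"),
    "internet": ip_network("0.0.0.0/0"),
}

# Ordered rules: (src_zone, dst_zone, dst_port or None for any, action). First match wins.
RULES = [
    ("finance", "servers", 25, "allow"),    # email
    ("finance", "servers", 389, "allow"),   # Active Directory (LDAP)
    ("finance", "servers", 443, "allow"),   # HTTPS to servers
    ("finance", "proxies", 8080, "allow"),  # web browsing only through the proxy
    ("jumpbox", "servers", 22, "allow"),    # administration only from the jump-box
    ("servers", "internet", None, "deny"),  # servers may never initiate to the Internet
    ("proxies", "internet", 443, "allow"),
    ("proxies", "internet", 80, "allow"),
]


def zone_of(addr):
    """Most specific zone containing addr, so the /0 only catches what nothing else does."""
    ip = ip_address(addr)
    best = None
    for name, net in ZONES.items():
        if ip in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def evaluate(src_ip, dst_ip, dst_port):
    """Return "allow" or "deny" for a flow; no matching rule means deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src == src and rule_dst == dst and (rule_port is None or rule_port == dst_port):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed flows a reviewer would check before signing off on the rule set.
    for flow in [("10.10.0.5", "10.20.0.10", 443), ("10.10.0.5", "10.20.0.10", 22),
                 ("10.40.0.2", "10.20.0.10", 22), ("10.20.0.10", "198.51.100.9", 443)]:
        print(flow, "->", evaluate(*flow))
```

Checking a handful of representative flows like this against the policy is a cheap regression test to run whenever the rule set changes; the cases that matter most are the ones expected to be denied, such as Finance reaching a server over SSH directly or a server opening a connection to the Internet.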
Centralized Logging Systems

Log event, error, process creation and termination, and access logs.

• Free: Splunk, ELSA, Snare
• Commercial: ArcSight, RSA's EnVision

Retention: retain the logged data for at least a year.


Investigative Tools
● Can search your environment for artifacts like malware or attacker tools
● AccessData Enterprise
● Guidance Software EnCase Enterprise
