incident response evidence incident response evidence
play

Incident Response & Evidence Incident Response & Evidence - PowerPoint PPT Presentation

Aug 26, 2023 •349 likes •629 views

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

  1. Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD, CISSP

  2. Agenda Agenda Agenda Agenda � Current State of the IT World � What is Incident Response � What is Evidence Management & Handling � Tie into DRP/BCP � Summary

  4. Hong Kong Reuters Office Hacked: Traders at 5 banks lose price data PA Teenager Charged With 5 Counts of Hacking: for 36 hours Southwestern Bell, BellCore, Sprint, and SRI hit Costs to Southwestern Bell alone exceed $500,000 Citibank Hit in $10 Million Hack: Russian hacker had inside help. Several $100K not yet recovered. Computer Attack Knocks Out 3,000 Web Sites 40 hour shutdown during busiest shopping season Compaq Ships Infected PCs: Virus Taints Big Japanese Debut

  6. Consumer e Consumer e- -Commerce Commerce Commerce Consumer e Consumer e Commerce Concerns Concerns Concerns Concerns 60% 50% 40% 30% 20% 10% 0% Security Navigation Selection Trust High Price No Touch Privacy/Security issues could potentially put an $18 billion dent in the projected $40 billion 2002 e-Commerce revenue (Jupiter Communications, 2000).

  7. Attackers Attackers Attackers Attackers Attacks are becoming more sophisticated Attacks are becoming more sophisticated � � Progressed from simple user Progressed from simple user command, script and command, script and password cracking ( password cracking (sniffers sniffers, , crackers) in 1993 crackers) in 1993- -94, to 94, to intricate techniques intricate techniques that fooled the basic that fooled the basic operations of IP (spoofing operations of IP (spoofing etc.) etc.) But Attackers less skilled But Attackers less skilled � �

  8. CSI/FBI 2002 Survey CSI/FBI 2002 Survey CSI/FBI 2002 Survey CSI/FBI 2002 Survey 90% of respondents (primarily large corporations and government � agencies) detected computer security breaches within the last twelve months. 80% acknowledged financial losses due to computer breaches. � 223 respondents reported $455,848,000 in financial losses. � 74% cited their Internet connection as a frequent point of attack than � cited their internal systems as a frequent point of attack (33%). 34% percent reported the intrusions to law enforcement. (In 1996, � only 16% acknowledged reporting intrusions to law enforcement.)

  9. Incident Response Goals Incident Response Goals Incident Response Goals Incident Response Goals Provide an effective and efficient means of dealing with the situation � in a manner that reduces the potential impact to the organization. Provide management with sufficient information in order to decide on � an appropriate course of action. Maintain or restore business continuity. � Defend against future attacks. � Deter attacks through investigation and prosecution. �

  10. Relationship to InfoSec Relationship to InfoSec Relationship to InfoSec Relationship to InfoSec The IAC triad can be expanded to include: � � Non-repudiation � Accountability Incident Response is directly linked to InfoSec goals � It can help restore the IAC �

  11. Information Security Lifecycle Information Security Lifecycle Information Security Lifecycle Information Security Lifecycle Countermeasures � � Defenses that counter threats � No defenses are fool proof Detection � � Indicates that security has been breached Incident Response � � After the incident has been noticed responding to it is critical

  12. Information Security Lifecycle Information Security Lifecycle Information Security Lifecycle Information Security Lifecycle Detection Countermeasures Incident Response

  13. Seven Seven- -Stage Methodology Stage Methodology Stage Methodology Seven Seven Stage Methodology Methodology has been around since about 1989 � DOE under Dr. Schultz matured the model � Definitely not the only method � Has become part of the Common Body of Knowledge � Very pragmatic & logical approach � Although presented as a linear model some stages may happen in � parallel or like the “waterfall” method feedback into the previous stages

  14. Response Methodology Response Methodology Response Methodology Response Methodology (PDCAERF) (PDCAERF) (PDCAERF) (PDCAERF) Preparation Detection Containment Analysis Eradication Recovery Follow-up Feed Back

  15. Response Methodology Response Methodology Response Methodology Response Methodology Why use a methodology? � Structure/Organization � Dealing with incidents can be chaotic � Simultaneous incidents occur � Having a predefined methodology lends structure to the chaos � Efficiency � Time is often of the essence when dealing with incidents � Incidents can be costly both financially and organizationally �

  16. Response Methodology Response Methodology Response Methodology Response Methodology Process oriented approach � � Breaks incidents into small manageable chunks � Logical order of dealing with issues � Includes methods for improving the overall process Dealing with the unexpected � � Provides a mental framework for dealing with incidents in general � Promotes flexible thinking to deal with novel situations

  17. Response Methodology Response Methodology Response Methodology Response Methodology Legal Considerations � � Can demonstrate due care or due diligence � May limit liability � May reduce insurance premiums

  18. Evidence Management Evidence Management Evidence Management Evidence Management During an incident, evidence may be collected during � any of the 7 phases. In early stages we may not know what the final � outcome might be (e.g., Job Termination, Civil or Criminal Litigation). Network/Computer Forensics may become an issue � Must collect data in a “Forensically Friendly” manner � Must maintain the chain of custody � Important to understand the evidence lifecycle �

  19. Forensics Forensics Forensics Forensics Computer Forensics: The study of computer � technology as it relates to the law. Forensic Analysis: Examination of material and/or data � to determine its essential features and their relationship in an effort to discover evidence in a manner that is admissible in a court of law; post- mortem examination.

  20. Forensics Forensics Forensics Forensics Electronic Evidence: � Evidence relating to the issue that consists of computer files, or data, in their electronic state. Electronic Media Discovery: � The discoverability of electronic data or files.

  21. Forensics Forensics Forensics Forensics Chain of Custody: A means � of accountability, that shows who obtained the evidence, where and when the evidence was obtained, who secured the evidence, who had control or possession of the evidence. Rules of Evidence: Evidence � must be competent, relevant, and material to the issue.

  22. Evidence Life Cycle Evidence Life Cycle Evidence Life Cycle Evidence Life Cycle Collection & identification � Storage, preservation, and � transportation Presentation in court � Return to victim or court �

  23. IR & DRP/BCP IR & DRP/BCP IR & DRP/BCP IR & DRP/BCP Both IR & DRP/BCP use planning and preparation to � mitigate the damage of an negative event after it occurs. Both require fore thought, formal written policies, � procedures, and budgets. Both rely on periodic testing and maintenance of the � plan. IR can be a subset of DRP/BCP process. �

  24. Summary Summary Summary Summary The rate of network/computer intrusions is increasing � Most companies/organizations have safeguards such as � firewalls, Anti-virus, IDS We need to know what to do when the alarms go off � Like DRP/BCP we must have a IR plan in place before � hand Proper evidence management & handling procedures � are important during the response escalation process IR is the next evolution of the IT Security Industry �

  25. Contact Information Contact Information Contact Information Contact Information Dr. Marc Rogers PhD., CISSP Ph: 989-8750 E-mail: mkr@manageworx.com Web: www.manageworx.com

  26. Book References Book References Book References Book References Kruse, W. & Heiser, J. (2002). Computer forensics: Incident � response essentials. Boston: Addison Wesley. Mandia, K. & Prosise, K. (2002). Incident response: � Investigating computer crime. New York: Osborne/McGraw Hill. Northcutt, S., & Novak, J. (2002). Network intrusion � detection: An analyst’s handbook 2nd edition. Boston: New Riders SANS. (2001). Computer security incident handling: Step-by- � step. The SANS Institute. Schultz, E., & Shumway, R. (2002). Incident response: A � strategic guide to handling system and network security breaches. Boston: New Riders.

  27. Web References Web References Web References Web References CERT/CC www.cert.org � CERT/AU www.auscert.org.au � OCIPEP www.ocipep-bpiepc.gc.ca � CERIAS www.cerias.purdue.edu � FIRST www.first.org � SANS www.sans.org � INCIDENTS www.incidents.org � CCIPS www.cybercrime.gov � IIC www.iic.umanitoba.ca � RCMP www.rcmp-grc.gc.ca � FORENSICS www.incident-response.org �

Recommend

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT MIRG OOERATIONAL GUIDELINES The project developed the following operational guidelines: 1. Assessing the Safety Status of a Vessel

598 views • 16 slides
Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored By: Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Visit www.advisenltd.com at the end of this webinar to

498 views • 18 slides
Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security Engineer/Incident Responder Open source contributor (github.com/javuto) Former IBM, Facebook, Uber and Airbnb Current BitMEX Agenda Part 1:

981 views • 59 slides
PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub egan {husakm|cegan}@ics.muni.cz ECTCM 2014 Fribourg, Switzerland Outline Introduction, Phishing incident response, PhiGARo (phishing

270 views • 23 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance Operators 3 FillIn Motorist Assistance Operators from Maintenance 1 Work Zone Coordinator 2 MoDOT TMC Operators 1 City of Springfield

404 views • 24 slides
The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren After my graduation After my graduation Where I work Skill set What I do What I do Case study: incident response Incident Response for fictional

709 views • 39 slides
EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry

EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry

EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry PERSONAL BACKGROUND Lead Engineer at Heroku since 2011 Worked on nearly all parts of the platform In 2012, I led a project to overhaul Herokus Incident

1.03k views • 72 slides
A perspective to incident response or another set of recommendations for malware authors

A perspective to incident response or another set of recommendations for malware authors

A perspective to incident response or another set of recommendations for malware authors Alexandre Dulaunoy - TLP:WHITE alexandre.dulaunoy@circl.lu June 7, 2013 CIRCL, national CERT of Luxembourg CIRCL 1 is composed of 6 full-time incident

572 views • 21 slides
2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action April 11, 2018 Contact Information Theodore J. Kobus, III Casie D. Collignon Leader, Privacy and Data Protection Practice

448 views • 23 slides
National Incident Management System National Incident Management System and and National

National Incident Management System National Incident Management System and and National

National Incident Management System National Incident Management System and and National Response Plan National Response Plan Overview March 2006 HSPD-5: Management of Domestic Incidents HSPD-5 Objectives: Single comprehensive

463 views • 21 slides
National Incident Management System National Incident Management System and and National

National Incident Management System National Incident Management System and and National

National Incident Management System National Incident Management System and and National Response Plan National Response Plan Overview March 2006 HSPD-5: Management of Domestic Incidents HSPD-5 Objectives: Single comprehensive

196 views • 17 slides
Environment Management Series ENVIRONMENT INCIDENT IDENTIFICATION & RESPONSE TOOLBOX

Environment Management Series ENVIRONMENT INCIDENT IDENTIFICATION & RESPONSE TOOLBOX

Environment Management Series ENVIRONMENT INCIDENT IDENTIFICATION & RESPONSE TOOLBOX PRESENTATION Environment Management Series: EMS004 Key Information: Env Incident Identification & Response (V2) (SIMEC Mining) 2018 WHAT IS AN

445 views • 8 slides
Public Safety Response to a School Incident What You Can Do!!!

Public Safety Response to a School Incident What You Can Do!!!

Active Shooter Awareness Public Safety Response to a School Incident What You Can Do!!! http://www.drc-group.com/project/jitt-schoolactiveshootersafety.html Presentation Overview This presentation provides guidance to individuals, including

603 views • 34 slides
Environment Management Series ENVIRONMENT INCIDENT IDENTIFICATION & RESPONSE TOOLBOX

Environment Management Series ENVIRONMENT INCIDENT IDENTIFICATION & RESPONSE TOOLBOX

Environment Management Series ENVIRONMENT INCIDENT IDENTIFICATION & RESPONSE TOOLBOX PRESENTATION WHYALLA SHARED FACILITY Environment Management Series: EMS004 Key Information: Environment Incident Identification & Response (V2)

264 views • 9 slides
Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential

Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA Director of Security Research LogLogic anton@loglogic.com Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential Tuesday, June 27, 2006 Outline - I Incident

939 views • 78 slides
CIRT C ritical I ncident R esponse T eam What is CIRT? CIRT is the Critical Incident Response Team

CIRT C ritical I ncident R esponse T eam What is CIRT? CIRT is the Critical Incident Response Team

CIRT C ritical I ncident R esponse T eam What is CIRT? CIRT is the Critical Incident Response Team and is comprised of a multidisciplinary group of employees who have volunteered to respond when critical incident stress management (CISM)

466 views • 22 slides

More recommend