manage security incident
play

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 - PowerPoint PPT Presentation

Sep 02, 2023 •139 likes •466 views

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March 2010 Overview Actively manage incident handling Be ready BEFORE an incident Based on NIST SP800-61rev1 recommendation

  1. Manage Security Incident Mingchao Ma STFC – RAL, UK ISGC 2010 Security Workshop 7 th March 2010

  2. Overview • Actively manage incident handling –Be ready BEFORE an incident • Based on NIST SP800-61rev1 recommendation –http://csrc.nist.gov/publications/nistpubs/800- 61-rev1/SP800-61rev1.pdf And • EGEE security incident policy and security incident response procedure • Aim at first responder –What to do? • Focus on preparation and identification • A little bit evidence collection techniques

  3. It is a question of “when incident will happen”, not “if”

  5. Know your enemies and know yourself, You can win a hundred battles without a single loss. The Art of War by Sun Tzu Are you ready?

  6. Incident Handling Lifecycle Preparation Identificatio n Containment Eradication Forensic Analysis - Evidence acquisition - Log and Timeline analysis Recovery - Media (e.g. file system) analysis - String search - Data recovery Lesson-learned - Artifact (malware) analysis - Reporting

  7. Be warned! • No two incidents are identical • NO one-for-all solution, tailor it for your OWN need! • Many types of incidents –DoS, Virus/Worm, Inappropriate usage, unauthorized access etc. • Focus on “hacking scenario” • But the principle remains the same!

  8. Step 1 - Preparation • Know existing policies, regulations and laws –Authority of investigation –What information can be collected? –Privacy and wiretapping issue • Do not violate any existing security policies • And do not break laws!

  9. Preparation • Security policy and incident handling procedure –Policies & procedures, write them down on PAPER –A simple and easy-to-follow procedure is very helpful • Building a team –Information about the team - "Organizational Models for Computer Security Incident Response Teams (CSIRTs) (http://www.cert.org/archive/pdf/03hb001.pdf) • Contacts information and communication channels –Name, telephone, email, PGP keys etc. • Incidents Prevention –Risk assessment –Patching, hardening, best practice, education etc. –Be aware of your organization's security policy • Known your systems before an incident –Profile systems and network – Know normal behaviours

  10. Preparation - toolkit • Incident response toolkit –Linux forensic live CDs • Helix (no longer free � ) - http://e-fense.com/ –Live response, live/dead acquisition and analysis • FCCU GNU/Linux Forensic Boot CD –Belgian Federal Computer Crime Unit –http://www.lnx4n6.be/ • BackTrack 4 has an option to boot into forensic mode –http://remote-exploit.org/backtrack.html • Many others –Will not modify the target system harddisk • Will not auto-mount devices on target system • Will not use target system swap partition • Build-in some well-known open source forensic tools

  11. Preparation - toolkit • Trusted binaries - statically compiled binaries run from CD or USB –ls, lsof, ps, netstat, w, grep, uname, date, find, file, ifconfig, arp … … • Test before use –different Linux distributions and kernels – both 32 bit and 64 bit platform • Will not modify A-time of system binaries; • Be aware of limitation – can be cheated as well –Kernel mode rootkit

  12. Incident Handling Lifecycle Preparation Identification Containment Eradication Recovery Lesson-learned

  13. Step 2 - Identification • Detect deviation from normal status –Alerted by someone else; –Host & network IDS alerts; –antivirus/antispyware alerts; –Rootkit detection tools; –file integrity check; –System logs; –firewall logs; –A trusted central logging facility is essential; –Correlate all information available to minimise false alarm

  14. Identification • Declare an incident once confirmed –Make sure that senior management is informed –Notification – who should be notified? –EGEE CSIRTs: PROJECT-EGEE-SECURITY- CSIRTS@in2p3.fr • Following incident handling procedures –EGEE incident response procedure – https://edms.cern.ch/document/867454

  15. Declare an incident Head up template ---------------------------------------------------------8<---------------------------------------------------- • “Inform immediately your local FROM: <your_email_address@your_organisation> security team and your ROC Security TO: < project-egee-security-csirts@in2p3.fr > SUBJECT: Security incident suspected at <your site> Contact (either via direct contact ** PLEASE DO NOT REDISTRIBUTE ** EGEE- <DATE> (ex: EGEE-20090531) ** This message is sent to the EGEE CSIRTs and must NOT be publicly archived ** or via project-egee-security- Dear CSIRTs, It seems a security incident has been detected at <your site>. support@cern.ch). This step MUST be Summary of the information available so far: completed within 4 hours after the <Ex: A malicious SSH connection was detected from 012.012.012.012. The extent of the incident is unclear for now, and more information will be published in the coming suspected incident has been hours as forensics are progressing at our site. However, all sites should check for successful SSH connection from 012.012.012.012 as a precautionary measure.> discovered. ---------------------------------------------------------8<----------------------------------------------------

  16. Incident Handling Lifecycle Preparation Identification Containment Eradication Recovery Lesson-learned

  17. Step 3 – Containment & Forensic Analysis • Prevent attackers from further damaging systems –Online or Offline? • Pull the network cable? –Live or Dead system? • Pull the plug?

  18. Containment & Forensic Analysis • Start up forensic analysis process once incident has been identified –Aim to obtain forensic sound evidences –Live system information • Will lose once powered off – Bit by bit disk image –Logs analysis • Collect volatile data FIRST, if possible!

  19. How to collect evidences • Volatile data collection • Hard disk image • Where to store evidences? –Attach a USB device –Transfer data over network with netcat Evidence workstation (192.168.0.100): # ./nc –l –p 2222 > evidence.txt Compromised host: #./ lsof–n |nc 192.168.0.100 2222

  20. Volatile Data Collection • Aim: –Collect as much volatile data as possible –But minimise footprint on the target system • In order of most volatile to least –Memory –Network status and connections –Running processes –Other system information • Be warned: system status will be modified • Document everything you have done • Be aware of the concept of “chain of custody” –Maintain a good record (a paper trail) of what you have done with evidence

  21. How to collect volatile data • System RAM –Raw memory image with memdump Available at http://www.porcupine.org/forensics/tct.html • Network Information –open ports and connections with lsof and netstats • Process information –Running processes with PS –Process dumping with pcat • Available at http://www.porcupine.org/forensics/tct.html

  22. How to collect volatile data • System Information –System uptime: uptime –OS type and build: uname –a –Current date/time: date –Partition map: fdisk -l –Mount points: mount –… …?

  23. Collect Evidence – Disk Image • Bit by bit disk image –both allocated and unallocated space • Live system image vs Dead system image –Helix Live CD or FCCU Live CD • Full disk or partition • Linux dd command – dd if=/dev/sda of=/mnt/usb/sda.img bs=512 • Modified dd – e.g. dc3dd – http://dc3dd.sourceforge.net/

  24. Evidence Collection • Memory dump; • Network status; • Process dump; • Other system information; • Disk images; • Forensic analysis done on the images NOT on the original disk;

  25. After Evidence Collection • Mount disk/partition images on a trusted system • Timeline analysis –What had happened? • Media (e.g. file system) analysis –What was modified/changed and or left? • String search on both allocated and unallocated areas • Data recovery –What was deleted? • Artifact (malware) analysis –To understand the function of the malware • Sharing findings with relevant parties

  26. Incident Handling Lifecycle Preparation Identification Containment Eradication Recovery Lesson-learned

  27. Step 4 Eradiation • Remove compromised accounts • Revoke compromised credentials • Remove malware/ artifact left over by the attackers • Restore from most recent clean backup • If root-compromised, rebuild system from scratch • Harden, patch system to prevent it from re-occurrence

  28. Incident Handling Lifecycle Preparation Identification Containment Eradication Recovery Lesson-learned

  29. Recovery • Put system back to production in a control manner • Decided by management • Closely monitoring the system

  30. Incident Handling Lifecycle Preparation Identification Containment Eradication Recovery Lesson-learned

  31. Step 6 – Lesson learned • Know what went right and what went wrong: learning & improving –A post-mortem meeting/discussion • A final report –EGEE incident response procedure: complete a final incident report including lesson-learned with ONE month after incident is closed!

Recommend

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Chapter 7 Standard Incident Handling Procedures Learn

358 views • 7 slides
Incident Management Incident Management Making sure things go right when they inevitably go

Incident Management Incident Management Making sure things go right when they inevitably go

Incident Management Incident Management Making sure things go right when they inevitably go wrong. Gareth Eason, HEAnet for TF-NOC, Zrich, 2011-06-29 Agenda HEAnet background: What do we do? Why manage incidents? How does

587 views • 33 slides
Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security Engineer/Incident Responder Open source contributor (github.com/javuto) Former IBM, Facebook, Uber and Airbnb Current BitMEX Agenda Part 1:

981 views • 59 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent &amp; capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Implementing Security and Incident Response with the ELB Miguel Zenon Nicanor L. Saavedra

Implementing Security and Incident Response with the ELB Miguel Zenon Nicanor L. Saavedra

Implementing Security and Incident Response with the ELB Miguel Zenon Nicanor L. Saavedra SECURITY ENGINEER github.com/zzenonn linkedin.com/in/zzenonn t h s Module Define Elastic Load Balancing Overview Understand different ELB security

666 views • 33 slides
ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Introduction CSIRT 2017 March

704 views • 39 slides
Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit

558 views • 28 slides
Using Data to Impr ove T r affic Inc ide nt Manage me nt (T IM) E ve r y Day Counts 4 (E

Using Data to Impr ove T r affic Inc ide nt Manage me nt (T IM) E ve r y Day Counts 4 (E

Using Data to Impr ove T r affic Inc ide nt Manage me nt (T IM) E ve r y Day Counts 4 (E DC- 4) Innovation 9/26/18 T odays Age nda Paul Jodoin, Traffic Incident Management (TIM) Program Manager FHWA Office of Transportation

401 views • 20 slides
Food Defense or WV Incident? Judy Fadden Fadden Analytical Security Did you Know that??? 2MM

Food Defense or WV Incident? Judy Fadden Fadden Analytical Security Did you Know that??? 2MM

Does Your Employee Tree Have Bad Fruit That Could Ripen into a Food Defense or WV Incident? Judy Fadden Fadden Analytical Security Did you Know that??? 2MM US workers report being victims of workplace violence each year.* WV costs to

393 views • 10 slides
Cyber security technology consulting, incident response and applied research company with a

Cyber security technology consulting, incident response and applied research company with a

Cyber security technology consulting, incident response and applied research company with a focus on services for specialized public service providers, finance industry and corporations with high data sensitivity. NRDCS.L T TIMETABLE FOR

612 views • 12 slides
TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing Platforms Introduction Christopher Day, Chief Security Architect, Terremark Responsible for Terremarks global information security services

332 views • 30 slides
International Atomic Energy Agency Department of Nuclear Safety and Security Incident and

International Atomic Energy Agency Department of Nuclear Safety and Security Incident and

International Atomic Energy Agency Department of Nuclear Safety and Security Incident and Emergency Centre IAEA Assessment and Prognosis Side Event Presentation Introduction Lesson from Fukushima Daiichi accident - Agency has new response

574 views • 38 slides
Nuclear Safety and Security in Brief Elena Buglova Centre Head Incident and Emergency Centre

Nuclear Safety and Security in Brief Elena Buglova Centre Head Incident and Emergency Centre

Nuclear Safety and Security in Brief Elena Buglova Centre Head Incident and Emergency Centre (IEC) International Atomic Energy Agency Department of Nuclear Safety and Security: http://www-ns.iaea.org/default.asp Inside Nuclear Safety and

376 views • 19 slides
Effective Incident Response Security Orchestration and Automation (SOAR) Miguel Carrero Tammy

Effective Incident Response Security Orchestration and Automation (SOAR) Miguel Carrero Tammy

Effective Incident Response Security Orchestration and Automation (SOAR) Miguel Carrero Tammy Tolbert MicroFocus ArcSight and Siemplify Addressing the needs of SOCs, including: Relieving resource constraints by automating

476 views • 19 slides
Incident Action Planning in the EOC GGC NHC 2018 GGC NHC 2018 Incident Action Planning EOC

Incident Action Planning in the EOC GGC NHC 2018 GGC NHC 2018 Incident Action Planning EOC

Incident Action Planning in the EOC GGC NHC 2018 GGC NHC 2018 Incident Action Planning EOC plans are typically more strategic than field IAPs A planning process helps synchronize operations and ensure they support incident objectives

510 views • 34 slides
Grating Incident resulting in LTI Agenda Background and Medical Condition Incident

Grating Incident resulting in LTI Agenda Background and Medical Condition Incident

Grating Incident resulting in LTI Agenda Background and Medical Condition Incident Description Immediate Causes and Latent Failures Swiss Cheese Model Key HSSE Themes from the Grating Incident Weak Signals from

564 views • 14 slides
and Analysis Center DHS Hunt and Incident Response Team September 12, 2018 SUPERCHARGE YOUR

and Analysis Center DHS Hunt and Incident Response Team September 12, 2018 SUPERCHARGE YOUR

SUPERCHARGE YOUR SECURITY Water Information Sharing and Analysis Center DHS Hunt and Incident Response Team September 12, 2018 SUPERCHARGE YOUR SECURITY Presenter Brian Draper, DHS NCCIC HIRT Slides and recording will be posted by

429 views • 18 slides
Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp;

Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp;

Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp; Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
RSD6 Safety and Security July 16, 2018 District Wide Issuance of identifiable Incident

RSD6 Safety and Security July 16, 2018 District Wide Issuance of identifiable Incident

RSD6 Safety and Security July 16, 2018 District Wide Issuance of identifiable Incident Command Structure (ICS) traffic vests for administrators (2016/1017) Procurement of Heat Blankets (2016) Repairs to interior/exterior

244 views • 9 slides
Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization

Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization

V olunteer C ommunications N etwork (V-C-N) Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization Radio Nets for ZR Incidents - A V-C-N.org Academy Course - 2012-04.08-0237 264: Incident Mobilization

753 views • 20 slides
Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization

Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization

V olunteer C ommunications N etwork (V-C-N) Incident Mobilization Incident Mobilization (R- -T T- -S) Nets S) Nets (R Mobilization Radio Nets for ZR Incidents - A V-C-N.org Academy Course - 2012-04.08-0237 264: Incident Mobilization

773 views • 50 slides
FORCES TO COUNTER AN INCIDENT OF NUCLEAR SECURITY Cesar Romao System for the Protection of the

FORCES TO COUNTER AN INCIDENT OF NUCLEAR SECURITY Cesar Romao System for the Protection of the

PREPAREDNESS, READINESS AND INTEROPERABILITY OF CONTINGENCY FORCES TO COUNTER AN INCIDENT OF NUCLEAR SECURITY Cesar Romao System for the Protection of the Brazilian Nuclear Program Physical Protection System Process Amendment to the CPPNM

841 views • 14 slides
Preparing For and Responding to a Computer Security Incident: MAKING THE FIRST 72 HOURS COUNT

Preparing For and Responding to a Computer Security Incident: MAKING THE FIRST 72 HOURS COUNT

Preparing For and Responding to a Computer Security Incident: MAKING THE FIRST 72 HOURS COUNT MAKING THE FIRST 72 HOURS COUNT Stephen Lilley Marcus A. Christian Associate Partner slilley@mayerbrown.com mchristian@mayerbrown.com Jeffrey P. Taft

536 views • 29 slides
in the Health Care Industry To More Effectively Manage Cyber Security Risk August 4, 2017 Secure

in the Health Care Industry To More Effectively Manage Cyber Security Risk August 4, 2017 Secure

Adopting Continuous Diagnostics and Mitigation (CDM) in the Health Care Industry To More Effectively Manage Cyber Security Risk August 4, 2017 Secure Ops vs Security Ops 1 Healthcare has HIPAA HITECH HITRUST So Why Should We

337 views • 13 slides

More recommend