
Section 4 and Appendix: Incident Response Team Procedures

4. IRT Action Plans

4.1 – Compromised System

      4.1.1 – Serious – Severity Level


         Phase 1 - Initial Response
         1. Open ticket in Help desk system
         2. Initiate Communication Procedure for Serious Severity Incidents (Sec 3.2.1)
         3. Gather Information: Complete as much of the table under Documenting the
            Incident (Sec. 3.1.1) as possible.
         4. Initial assessment: Depending on the OS, symptoms, and role of computer,
            perform the following
                 o Write down each command performed on live system
                 o Minimize any actions that write to disk
                 o Contact Network IRT members to check Tipping Point, StealthWatch
                     and other logs.
                 o Check for rootkit (see Appendix C – Rootkit Detection)
                 o Record network connections
                         On Linux/UNIX: Use known good netstat (-nap) command
                         On Windows: Foundstone fport command
                            http://www.foundstone.com/us/resources/proddesc/fport.htm.
                            Maps open ports to applications.
                 o Record process information
                         On Linux/UNIX: Use known good ps command
                         on Windows: Sysinternals pslist command
                 o Scan for malware (on Windows, see Appendix D – Malware Detection and
                     Removal)
         5. Mitigate damage
                 o If system is attacking others: disconnect system from network. If no
                     physical access, contact Network IRT members to block/disable port.
                 o Suspicion of backdoor or other unauthorized listening port: disconnect
                     from network. If no physical access, contact Network IRT members to
                     block/disable port.
                 o Disable any process that is actively corrupting or deleting data
                 o Disable any malware processes. See Appendix D – Malware Detection and
                     Removal for more information.

Sections 4 & 5 - Incident Response Procedures                                  Page 1 of 14

             o Change any passwords that may have been compromised. Notify
                owners of accounts that may have been compromised to change their
                passwords on all systems.
       6. Image system (if necessary)
             o When to image a system:
                    If compromise may lead to criminal investigation
                    If system needs to get back online quickly by re-installing.
                      Image so that investigation can continue
                    If cause of compromise is not readily known and more detailed
                      investigation is needed
              o Bit Imaging Steps (see Appendix E – Bit Imaging)
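
The Linux/UNIX part of the initial assessment above (step 4: write down each command, use known-good netstat and ps, minimize writes to disk; the same steps recur in 4.1.2 and 4.1.3) as an added shell example. This is not code from the original procedure. It assumes a hypothetical TOOLS directory holding known-good static binaries (for instance a mounted Helix CD) and a hypothetical EVIDENCE directory on removable media or a remote mount, so that nothing is written to the suspect disk.

```sh
#!/bin/sh
# Added example (not part of the original procedure): live-response collector for
# the Linux/UNIX initial-assessment steps. Assumptions (hypothetical paths):
#   TOOLS    - known-good static binaries, e.g. a mounted Helix CD's Static-Binaries dir
#   EVIDENCE - directory on removable media or a remote mount, so nothing is
#              written to the suspect disk
TOOLS="${TOOLS:-/media/cdrom/Static-Binaries}"
EVIDENCE="${EVIDENCE:-/media/usb/evidence}"

# Path of the known-good copy of a tool. Falls back to the system copy (which a
# rootkit may have replaced) and warns on stderr; the command log below records
# the full path actually run, so the fallback is visible in the record too.
tool() {
    if [ -x "$TOOLS/$1" ]; then
        printf '%s\n' "$TOOLS/$1"
    else
        printf 'WARNING: no known-good %s under %s, using the system copy\n' "$1" "$TOOLS" >&2
        printf '%s\n' "$1"
    fi
}

# Run one command exactly as typed, record it with a UTC timestamp (step 4:
# "write down each command performed on live system"), keep its output in its
# own file and log the output's SHA-256 so later tampering is detectable.
run_logged() {
    name="$1"; shift
    log="$EVIDENCE/commands.log"
    out="$EVIDENCE/$name.txt"
    mkdir -p "$EVIDENCE"
    printf '%s\tCMD\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$log"
    rc=0
    "$@" > "$out" 2>&1 || rc=$?
    printf '%s\tOUT\t%s\trc=%s\tsha256=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$out" "$rc" "$(sha256sum "$out" | cut -d' ' -f1)" >> "$log"
    return "$rc"
}

# Volatile data first, most volatile first. Nothing here walks the file system;
# that waits until the imaging decision in step 6 has been made.
collect_volatile() {
    run_logged date     "$(tool date)" -u
    run_logged uptime   "$(tool uptime)"
    run_logged who      "$(tool who)" -a
    run_logged netstat  "$(tool netstat)" -nap
    run_logged ps       "$(tool ps)" auxww
    run_logged lsof     "$(tool lsof)" -nP
    run_logged ifconfig "$(tool ifconfig)" -a
    run_logged mounts   "$(tool cat)" /proc/mounts
    run_logged modules  "$(tool cat)" /proc/modules
}

# Usage: TOOLS=/media/cdrom/Static-Binaries EVIDENCE=/media/usb/case-0001 sh live.sh run
if [ "${1:-}" = "run" ]; then
    collect_volatile
fi
```

commands.log is the written record that step 4 asks for; each entry pairs the command line that was typed with the hash of what it produced, and a non-zero rc (127 when a tool is missing) is recorded rather than hidden. Keep the order as shown: network connections and process lists before anything else, and nothing that touches the disk until imaging has been decided.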

       Phase 2 - Investigation
        1. Perform Log Analysis (see Appendix F – Log Analysis)
        2. Perform Forensic Analysis (see Appendix G – Forensic Analysis)
       3. Evidence documentation
       4. Continue Communication Procedure for Serious Severity Incidents (Sec.
          3.2.1)

       Phase 3 - Closure
       1. Draft Incident Summary and send to IRT
       2. Lessons Learned - Assess cause of compromise and whether other systems
          may be vulnerable. Follow necessary steps (communication, patching,
          account updates etc.) to prevent additional compromises.
       3. Complete Communication Procedure for Serious Severity Incidents (Sec
          3.2.1)


    4.1.2 – Medium – Severity Level

       Phase 1 - Initial Response
       1. Open ticket in Help desk system
       2. Initiate Communication Procedure for Medium Severity Incidents (Sec 3.2.2)
       3. Gather Information: Complete as much of the table under Documenting the
          Incident (Sec 3.1.1) as possible.
       4. Initial assessment: Depending on the OS, symptoms, and role of computer,
          perform the following
               o Contact Network IRT members to check Tipping Point, StealthWatch
                   and other logs.
                o Check for rootkit (see Appendix C – Rootkit Detection)
               o Record network connections

                        On Linux/UNIX: Use known good netstat (-nap) command
                        On Windows: Foundstone fport command
                         http://www.foundstone.com/us/resources/proddesc/fport.htm.
                         Maps open ports to applications.
              o Record process information
                      On Linux/UNIX: Use known good ps command
                      on Windows: Sysinternals pslist command
               o Scan for malware (on Windows, see Appendix D – Malware Detection and
                   Removal)
       5. Mitigate damage
              o If system is attacking others: disconnect system from network. If no
                 physical access, contact Network IRT members to block/disable port.
              o Suspicion of backdoor or other unauthorized listening port: disconnect
                 from network. If no physical access, contact Network IRT members to
                 block/disable port.
              o Disable any process that is actively corrupting or deleting data
              o Disable any malware processes. See Malware Detection and Removal
                 for more information.
              o Change any passwords that may have been compromised. Notify
                 owners of accounts that may have been compromised to change their
                 passwords on all systems.
       6. In most cases, imaging a system for a Medium Severity Incident is not
          necessary. However, if there is a need or interest in performing a complete
          investigation, then perform the following:
               o Bit Imaging Steps (see Appendix E – Bit Imaging)

       Phase 2 - Investigation
        1. Perform Log Analysis (see Appendix F – Log Analysis)
       2. Evidence documentation
       3. Continue Communication Procedure for Medium Severity Incidents (Sec
          3.2.2)

       Phase 3 - Closure
       1. Incident Summary
       2. Lessons Learned - Assess cause of compromise and whether other systems
          may be vulnerable. Follow necessary steps (communication, patching,
          account updates etc.) to prevent additional compromises.
       3. Complete Communication Procedure for Medium Severity Incidents (Sec
          3.2.2)




      4.1.3 – Low – Severity Level


          Phase 1 - Initial Response
          1. Open ticket in Help desk system
          2. Gather Information: Complete as much of the table under Documenting the
             Incident (Sec 3.1.1.) as possible.
          3. Initial assessment: Depending on the OS, symptoms, and role of computer,
             perform the following
                   o Check for rootkit (see Appendix C – Rootkit Detection)
                  o Record network connections
                           On Linux/UNIX: Use known good netstat (-nap) command
                           On Windows: Foundstone fport command
                             http://www.foundstone.com/us/resources/proddesc/fport.htm.
                             Maps open ports to applications.
                  o Record process information
                           On Linux/UNIX: Use known good ps command
                           on Windows: Sysinternals pslist command
                   o Scan for malware (on Windows, see Appendix D – Malware Detection and
                       Removal)
          4. Mitigate damage
                  o If system is attacking others: disconnect system from network. If no
                      physical access, contact Network IRT members to block/disable port.
                  o Suspicion of backdoor or other unauthorized listening port: disconnect
                      from network. If no physical access, contact Network IRT members to
                      block/disable port.
                  o Disable any process that is actively corrupting or deleting data
                  o Disable any malware processes. See Malware Detection and Removal
                      for more information.
                  o Change any passwords that may have been compromised. Notify
                      owners of accounts that may have been compromised to change their
                      passwords on all systems.

          Phase 2 - Investigation
          1. Log and other evidence analysis

          Phase 3 - Closure
          1. Send Incident Summary to IRT
          2. Notify all impacted parties of findings and resolution

4.2 – Compromised Credentials
      4.2.1 – Serious - Severity Level


          1. Open Help desk system Ticket

        2. Follow Communication Procedure for Serious Severity Incidents (Sec 3.2.1)
       3. Determine source of compromise: Possibilities include -
           User shared password or other credentials
           Someone had physical access to user's computer
           User was victim of phishing or other password harvesting attack
           Unencrypted credentials transmitted over an unsecured wireless network
            Victim of Man-in-the-middle attack (did the user click through any certificate
               warnings or experience unusual behavior on the network?)
       4. Close exposure: If possible, correct any security holes that led to the account
          compromise.
       5. Change passwords/revoke certificate
       6. Assess whether critical systems were accessed
       7. Implement System Compromise Action Plan (Sec 4.1) to verify system
          integrity
       8. Document Incident: Record document details in Help desk system. IRT
          Coordinator will include incident in Monthly Report
       9. Lessons learned: Review incident at Monthly IRT meeting and document
          lessons learned in Monthly Report. In addition, share findings with any
          departments that may benefit.


   4.2.2 – Medium – Severity Level


       1. Open Help desk system Ticket
       2. Follow Communication Procedure for Medium Severity Incident (Sec 3.2.2)
       3. Determine source of compromise: Possibilities include -
           User shared password or other credentials
           Someone had physical access to user's computer
           User was victim of phishing or other password harvesting attack
           Unencrypted credentials transmitted over an unsecured wireless network
            Victim of Man-in-the-middle attack (did the user click through any certificate
               warnings or experience unusual behavior on the network?)
       4. Close exposure: If possible, correct any security holes that led to the account
          compromise.
       5. Change passwords/revoke certificate
       6. Document Incident: Record document details in Help desk system. IRT
          Coordinator will include incident in Monthly Report
   4.2.3 – Low – Severity Level


       1. Open Help desk system Ticket
       2. Notify IRT mailing-list
       3. Determine source of compromise: Possibilities include -
           User shared password or other credentials
           Someone had physical access to user's computer
           User was victim of phishing or other password harvesting attack
           Unencrypted credentials transmitted over an unsecured wireless network


               Victim of Man-in-the-middle attack (did the user click through any certificate
                warnings or experience unusual behavior on the network?)
          4. Close exposure: If possible, correct any security holes that led to the account
             compromise.
          5. Change passwords/revoke certificate
          6. Document Incident: Record document details in Help desk system. IRT
             Coordinator will include incident in Monthly Report

4.3 – Network Attack

      Serious - Severity Level
         1. Open Ticket in Help desk system
         2. Follow Communication Procedures for Serious Severity Incidents
         3. Network staff on IRT will lead investigation
         4. If any compromised systems are uncovered, implement System Compromise
            Action Plan
         5. Document incident: Record details in Help desk system. Archive pertinent log
            files. Draft incident summary.
      Medium - Severity Level
         1. Open Ticket in Help desk system
         2. Follow Communication Procedures for Medium Severity Incidents
         3. Network staff on IRT will lead investigation
         4. Document incident: Record details in Help desk system. Archive pertinent log
            files.
      Low - Severity Level
          Inform network staff. They will follow normal troubleshooting procedures.



4.4 – Malware

      Serious - Severity Level
         1. Open Help desk system Ticket
         2. Follow Communication Procedures for Serious Severity Incidents (Sec 3.2.1)
         3. Detect and mitigate malware:
                 o On Windows, see Appendix D – Malware Detection and Removal
         4. Change user's password
          5. Assess whether sensitive data (see Appendix A – Sensitive Data) may have been
             exposed
         6. Consider potential data exposure, account compromise, or access to other
            systems and implement System Compromise Action Plan (Sec 4.1) if
            necessary.
          7. Document incident: Record findings in Help desk system. IRT Coordinator will
             include details in Monthly Report.
      Medium - Severity Level

       1. Open Help desk system Ticket
       2. Follow Communication Procedures for Medium Severity Incident (Sec 3.2.2)
       3. Detect and mitigate malware:
                o On Windows, see Appendix D – Malware Detection and Removal
       4. Change user's password
        5. Document incident: Record findings in Help desk system. IRT Coordinator will
            include details in Monthly Report.
      Low - Severity Level
       1. Open Help desk system Ticket
       2. Detect and mitigate malware:
                o On Windows, see Appendix D – Malware Detection and Removal
       3. Change user's password
       4. Document incident: Record findings in Help desk system.


4.5 – Equipment Loss or Theft

      Serious - Severity Level
        1. Safety and Security must be notified first. If someone reports a loss/theft to
           COMPUTING SERVICES, refer them to Safety and Security
        2. Open Help desk system Ticket
        3. Check network logs for system
         4. Assess whether sensitive data (see Appendix A – Sensitive Data) was on system:
            Interview owner, review their
           job role and what systems they have access to.
        5. Follow Communication procedure for Serious Incidents (Sec 3.2.1)
        6. Document Incident: Record findings in Help desk system. IRT Coordinator will
           include details in Monthly Report.
      Medium and Low - Severity Level
        1. Safety and Security must be notified first. If someone reports a loss/theft to
           COMPUTING SERVICES, refer them to Safety and Security
        2. Open Help desk system Ticket
        3. Check network logs for system
         4. Assess whether sensitive data (see Appendix A – Sensitive Data) was on system
        5. Follow Communication procedure for Medium Severity Incidents (Sec 3.2.2)
        6. Document Incident: Record findings in Help desk system. IRT Coordinator will
           include details in Monthly Report.


4.6 – Physical Break-in
     Serious - Severity Level
        1. Notify Safety and Security if they are not already informed
        2. Open Help desk system Ticket

        3. Follow Communication Procedure for Serious Severity Incidents (Sec 3.2.1)
        4. Review logs of accessible systems to determine if they were used
        5. Scan for malware
        6. Reset passwords
        7. If necessary, implement System Compromise Action Plan (Sec 4.1)
        8. Document incident: Record findings in Help desk system. IRT Coordinator will
           include details in monthly report.
   Medium - Severity Level
     1. Notify Safety and Security if they are not already informed
     2. Open Help desk system Ticket
     3. Follow Communication Procedure for Medium Severity Incidents (sec 3.2.2)
     4. Review logs of accessible systems to determine if they were used
     5. Scan for malware
     6. Reset passwords
     7. Document incident: Record findings in Help desk system. IRT Coordinator will
         include details in monthly report.
   Low - Severity Level
     1. Notify Safety and Security if they are not already informed
     2. Open Help desk system Ticket
     3. Notify IRT mailing-list
     4. Review logs of accessible systems to determine if they were used
     5. Scan for malware
     6. Reset passwords
     7. Document incident: Record findings in Help desk system


4.7 – Social Engineering

    Serious - Severity Level
      1. Open Help desk system Ticket
      2. Follow Communication Procedure for Serious Incident (Sec 3.2.1)
      3. Change passwords
      4. Assess whether critical systems were accessed
      5. If necessary, implement System Compromise Action Plan (Sec 4.1)
      6. Document Incident: Record findings in Help desk system. IRT Coordinator will
         include details in monthly report.
      7. Lessons Learned: Review in IRT monthly meeting. Share information with
         College community when appropriate
    Medium - Severity Level
      1. Open Help desk system Ticket
      2. Follow Communication Procedure for Medium Severity Incident (Sec 3.2.2)
      3. Change passwords
      4. Document Incident: Record findings in Help desk system. IRT Coordinator will
         include details in monthly report.
      5. Lessons Learned: Review in IRT monthly meeting. Share information with
         College community when appropriate
    Low - Severity Level
       1. Change passwords
       2. Document Incident: Record details in Help desk system

4.8 – Law Enforcement Request
      Notify General Counsel and Safety and Security regarding any contact from law
       enforcement
      Notify IRT Coordinator
      If an investigation is required, follow appropriate Action Plan and maintain chain
       of evidence.


4.9 – Policy Violation

TBD – Topics include:
         Harassment Complaint
         Offensive Content on College System
         Copyright Complaints
         Rogue Device Detection
         System Spoofing
         Account Spoofing




5. Appendix


Appendix A. – Sensitive Data

   Confidential and Sensitive Data Types
      Personally Identifiable Information (PII): Name, SSN, Date of Birth,
         Address
      Financial Information: Credit Card, College financial, bank account data,
         financial aid
      Medical Records: Physical and mental health, counseling
      Personnel Records
      Student Records: grades, housing, discipline
      Private Course Information: grades, exams
      Research data and other intellectual property

Appendix B. – N/A




Appendix C. – Rootkit Detection
Linux/UNIX
      Evidence of a rootkit:
           Login problems such as no one can login or only root can login. Any
             unusual behavior with login, as well as adding or changing passwords, is
             suspicious.
          System utilities are slower, or awkward, or show strange and unexpected
            results.
          Files or directories named "..." or ".. " (dot dot space).
           Files with "haxor"-looking names like "r00t-something"
          Logs that are missing completely, or missing large sections, or a sudden
            change in logging behavior.
          Files that cannot be deleted or moved.
          Indications of a "sniffer", such as log messages of an interface entering
            "promiscuous" mode.
      rkhunter is the preferred tool. To use:
          1. wget http://superb-west.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz
             (latest version as of 11/19/2007)
         2. check md5 with md5sum
         3. tar xvzf rkhunter-1.3.0.tar.gz
         4. cd to rkhunter dir. run ./installer.sh
         5. update sigs with /usr/local/bin/rkhunter --update
         6. run using /usr/local/bin/rkhunter -c
      chkrootkit may also be used but does not run quite as many checks.
         1. wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
         2. tar xvfz chkrootkit.tar.gz
         3. cd chkrootkit-<version>/
         4. make sense
Windows
       Sysinternals RootkitRevealer is the preferred tool.
       To use:
          1. Download and unzip the file.
          2. Launch RootkitRevealer.exe and choose File > Scan
          3. See http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx
             for more information

Appendix D. – Malware Detection and Removal
       On Windows
        The first step in the process is to figure out the thing(s) you're battling, even if you
        only get a whiff of information. This can come from:
            Symantec
            TrendMicro
            Spybot
            A nagging popup box that insists on installing some "tool" such as "Virus
               Avenger".


       Then you go to Google...
       For mitigating malware (all free) --
           Sysinternals Process Explorer -- gives you more detail than Windows
              Task Manager. You can watch for processes that are active, and drill
              down to the .dll or .exe that's at the root of the process. This is helpful if
              you delete a file and it comes right back -- after you delete a file, go right
              back to Process Explorer and watch for any processes that flair up, if only
              briefly.
           Pocket Killbox -- deletes files that are being used by Windows upon
              reboot.
           Hijack This! -- Identifies browser hijacks and other malware set to run at
              startup
           Go through msconfig/startup tab and uncheck any unknown items that are
              set to run at startup.
           Go through registry and delete any references to any .exes or .dlls that
              you found via any of the above.
           Helix or Ultimate Boot -- linux based OS's that load into memory and
              allows you to access the infected machine's hard drive. Good for deleting
              things that can't be deleted because Windows is running. Also includes
              AV, spyware, registry editing and hard drive cloning tools.



Appendix E. – Bit Imaging of Drives

Linux/Unix
      1. Record the partition listing and all info (e.g fdisk -l > part.info)
      2. Create a bit image of the physical drive and md5sum
              o Can use netcat to pipe the image (on the analysis system: nc -l -p 33333 >
                 diskname.img)
              o Can use dd or Helix's dcfldd:
                       dd if=/dev/xxx of=xxx.dd
                         (or: dd if=/dev/xxx | nc analysis-ip port-num)
                       dcfldd hashwindow=0 hashlog=drive.md5.txt if=/dev/xxx of=xxx.dd
                         (or pipe to nc analysis-ip port-num in the same way)
                       md5sum will create/check the hash
      3. Split out logical images from physical image
              o The Sleuth Kit's mmls will extract the partition table from a dd image
             o use dd or dcfldd: bs=block/sector size, skip=sector number to start
                extract, count=length of partition in sectors. Use .img as extension
      4. Mount partitions read-only if needed
             o mount -o ro,noexec,loop x.img /mnt/xxx/yyy
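
Steps 2 through 4 above as an added shell example (not code from the original appendix): imaging with dd while hashing the stream, turning a saved mmls listing into the skip/count values for dd, carving each partition into its own .img, and mounting it read-only. It uses GNU dd and sha256sum rather than the appendix's md5sum; the mmls listing it parses is the standard Sleuth Kit layout, and the file names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original appendix): dd-based imaging with inline
# hashing, partition carving from the physical image, and read-only mounting.
# Assumes GNU coreutils (dd status=none, sha256sum). Paths are hypothetical.

# Image a device or file, hashing the stream as it is written so the image hash
# is recorded in one pass. bs=512 with conv=noerror,sync keeps sector offsets
# stable across unreadable sectors (a bad sector is zero-filled, not dropped);
# because of that padding, verify later against the hash of the image file, not
# a hash of the original device.
image_drive() {
    src="$1"; out="$2"
    dd if="$src" bs=512 conv=noerror,sync status=none | tee "$out" | sha256sum | cut -d' ' -f1
}

# Parse a saved Sleuth Kit mmls listing ("mmls case.dd > case.mmls") into
# "start length" sector pairs, keeping only real partition slots such as
# "002:  000:000 ..." and skipping the Meta entry and "-------" unallocated ranges.
mmls_partitions() {
    awk '$1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ { print $3 + 0, $5 + 0 }' "$1"
}

# Carve sectors [start, start+len) of the physical image into a logical image
# (the dd skip=/count= step of the appendix) and print its hash.
extract_partition() {
    img="$1"; start="$2"; len="$3"; out="$4"
    dd if="$img" of="$out" bs=512 skip="$start" count="$len" status=none
    sha256sum "$out" | cut -d' ' -f1
}

# Carve every partition in the listing to <image>.p<N>.img and print the names.
extract_all() {
    img="$1"; listing="$2"; n=0
    mmls_partitions "$listing" | while read -r start len; do
        n=$((n + 1))
        extract_partition "$img" "$start" "$len" "$img.p$n.img" > /dev/null
        printf '%s.p%s.img\n' "$img" "$n"
    done
}

# Mount a logical image read-only on a loop device (root required). noexec and
# nodev stop anything inside the evidence from being run or used as a device.
mount_ro() {
    mkdir -p "$2"
    mount -o ro,noexec,nodev,loop "$1" "$2"
}

# Usage: h=$(image_drive /dev/sdb case.dd); mmls case.dd > case.mmls
#        extract_all case.dd case.mmls; mount_ro case.dd.p1.img /mnt/case/p1
```

Record the hash that image_drive prints in the case notes before anything else touches the image; the per-partition hashes from extract_partition are what Autopsy's "hash file" prompt in Appendix G expects. Imaging over netcat works the same way by replacing tee's file with nc on the sending side and running the sha256sum on the receiving side.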
   Notes on LVM Partitions
      Can create an image file(s) directly from host using /dev/VolGroup...
      But to import LVM after first dd:
          losetup -a
          losetup -d (if needed to unmount other loop devices)
          losetup /dev/loop0 /path/to/lvm.img


            pvscan
            vgimport <volumegroupname>
            vgchange -ay <volumegroupname> (probably unnecessary)
            mount /dev/<volumegroupname> (probably unnecessary)
             dd if=/dev/<volumegroupname>/lv00
              of=/path/to/images/<host><volumegroup>lv00.img
         Note: If Volume was striped and the dd image is of a physical drive it won't
             work (Couldn't find uuid "xxxx" when run pvscan).
     After the vgimport you will find your volume group in /dev/<volumegroupname>
     You can dd from there or just point whatever tool at the loop device if you wish.
Windows
      1. Use dd from gmgarner on Helix \IR\FAU\dd.exe (can also use Helix's live
         acquisition tool)
      2. Physical Drive (\\.\PhysicalDrive(0,1,2...)) or Logical Drive (\\.\C:)
      3. e.g. dd.exe if=\\.\C: of=D:\Cdrive.img --md5sum --verifymd5 --md5out=D:\CDrive.md5




Appendix F. – Log Analysis

   Windows OS
       If suspicion of rootkit, insert Helix CD and launch the Helix version of CMD
         (Quick Launch Menu - Command Prompt, or CD:/IR/Shells/cmd.exe)
     1. Review Event Viewer logs. Keep in mind that an attacker or a malicious app
        might manipulate the logs.
     2. http://www.eventid.net/search.asp is a database of event id's for more info on
        suspicious entries
     3. Review Registry for the following: (use regedt32.exe to access registry)
            o Search History: HKEY_CURRENT_USER\Software\Microsoft\Internet
                Explorer\Explorer Bars\{.....}\FilesNamedMRU
            o Typed URLs: HKEY_CURRENT_USER\Software\Microsoft\Internet
                Explorer\TypedURLs
            o Last Commands Executed:
                HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
                \Explorer\RunMRU
            o Last Files Saved:
                HKEY_USERS\...sid...\Software\Microsoft\Windows\CurrentVersion\Ex
                plorer\ComDlg32\OpenSaveMRU\*

   Linux OS
        On a live system, if suspicion of rootkit, run commands from the /Static-binaries
          directory on the Helix CD




       1. Review the following (again, a good rootkit will manipulate entries in many of
          these files):
              o /var/log/lastlog ; database of login/logout timestamps
              o /var/log/wtmp ; valid user login/logout
              o /var/log/secure ; access denied log
       2. Review other system and service logs in /var/log
       3. Review logs on any external syslog servers that the system may be reporting
          to.
       4. Review any shell history files that are available
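
An added example of the log review in step 1, as a pair of shell functions over syslog-style sshd lines (the text format found in /var/log/secure; the binary lastlog and wtmp files are read with lastlog and last -f /var/log/wtmp and can be fed to the same kind of pattern). This is not part of the original appendix. The sample lines are constructed for the example, and the host name, users and addresses in them are made up.

```sh
#!/bin/sh
# Added example (not part of the original appendix): quick triage of
# /var/log/secure-style sshd lines. SAMPLE_LOG is constructed for this example;
# real input is the file itself, or better the copy held on the central syslog
# server (step 3), which an intruder on the host cannot edit.

SAMPLE_LOG='Nov 19 02:11:03 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Nov 19 02:11:05 web1 sshd[4023]: Failed password for invalid user oracle from 203.0.113.9 port 51031 ssh2
Nov 19 02:11:08 web1 sshd[4025]: Failed password for root from 203.0.113.9 port 51040 ssh2
Nov 19 02:11:12 web1 sshd[4027]: Accepted password for root from 203.0.113.9 port 51052 ssh2
Nov 19 08:30:41 web1 sshd[5102]: Accepted publickey for alice from 192.0.2.20 port 40112 ssh2
Nov 19 09:02:17 web1 sshd[5310]: Failed password for alice from 192.0.2.20 port 40200 ssh2'

# Failed logins per source address, busiest first. Output lines are "count ip".
failed_by_source() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Sources that failed at least $2 times and were then accepted: the guess-then-
# succeed pattern to chase first. Output lines are "user ip". The "invalid user"
# form puts the name two fields later, which the awk below allows for.
success_after_failures() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if ($0 ~ /Failed/) fails[ip]++
            else if (fails[ip] >= min) print user, ip
        }'
}

# Usage against a real file: failed_by_source "$(cat /var/log/secure)"
#                             success_after_failures "$(cat /var/log/secure)" 5
```

With the sample above, failed_by_source reports three failures from 203.0.113.9 and one from 192.0.2.20, and success_after_failures with a threshold of 2 flags root from 203.0.113.9; alice's single failure after a key-based login is ordinary and is not reported. Treat a hit from the host's own log as a lead, not proof: a rootkit can remove lines, which is why the syslog-server copy is compared against it.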



Appendix G. – Forensic Analysis

Linux/Unix
   Using Command-line tools and the Sleuth Kit
      1. Create Timeline
              o mac-robber: mac-robber <start-path> walks the tree and prints the MAC times
                 of every file in body format; redirect the output to a file (.mac) or pipe
                 it to netcat.
              o mactime: sorts the mac-robber output by time. mactime -b path-to-.mac
                 (-y: year first) (-z: time zone) (date range). Redirect to a timeline file
                 (.txt).
       2. Strings search: Search image files for ASCII strings (4 characters by default)
              o -a grab all strings (scan the whole file, not just data sections)
              o --radix=d output offset in bytes (decimal)
              o -f prints filename next to string
              o -n x grab strings of at least x characters
              o Can create a "Dirty Word List" and use cat *.img | strings | grep -f
                 dirty.txt (offsets printed by --radix=d are then relative to the
                 concatenated stream; run strings on each image separately if the offsets
                 are needed for the recovery steps below)
      3. Extract unallocated data
             o Use SleuthKit tool dls
             o dls some.img > some.dls
      4. Recovering files
             o Undeleted file
                     Divide byte offset by block size to get block number
                     ifind some.img -d block_num to get inode number
                     ffind some.img inode_num will give file
             o Deleted Files
                     Divide byte offset in .dls file by block size to get dls block
                        number
                     dcalc some.img -u dls_block will give bluck number in original
                        image
                     ifind some.img -d block_num to get inode number
                     ffind some.img inode_num will give file
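
An added example covering the dirty-word search of step 2 and the offset-to-block arithmetic of step 4, not code from the original appendix. It uses grep -a -b -o, which prints the byte offset of each match directly, in place of the strings | grep pipeline; only the last function needs The Sleuth Kit installed. The image, word list and output names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original appendix): dirty-word search on an image
# with byte offsets, conversion to file-system block numbers, and the
# ifind/ffind/icat chain that maps a block back to a file. Only recover_block
# needs The Sleuth Kit; image and word-list names are hypothetical.

# Search image $1 for each term in $2 (one per line, case-insensitive) and print
# "byte_offset:match". -a treats the image as text, -b prints the byte offset of
# each -o match, so no separate strings --radix=d pass is needed.
dirty_word_hits() {
    grep -a -b -o -i -f "$2" "$1"
}

# Convert the hits file $1 into "block match" lines for a file system with
# $2-byte blocks (step 4: divide byte offset by block size). Run on hits from a
# .dls file the same arithmetic yields the dls (unallocated) block number.
hits_to_blocks() {
    awk -F: -v bs="$2" '{ printf "%d %s\n", int($1 / bs), substr($0, index($0, ":") + 1) }' "$1"
}

# Map a block number back to a file and copy it out (needs The Sleuth Kit):
# ifind -d gives the inode owning the block, ffind its name, icat its content.
# ifind prints "Inode not found" rather than failing, hence the digit check.
recover_block() {
    img="$1"; blk="$2"; outdir="$3"
    inode=$(ifind -d "$blk" "$img") || return 1
    case "$inode" in *[!0-9]*|'') return 1 ;; esac
    name=$(ffind "$img" "$inode")
    mkdir -p "$outdir"
    icat "$img" "$inode" > "$outdir/inode-$inode.bin"
    printf '%s\t%s\t%s\n' "$blk" "$inode" "$name"
}

# Usage: dirty_word_hits some.img dirty.txt > hits.txt
#        hits_to_blocks hits.txt 4096 | while read -r blk _; do recover_block some.img "$blk" out; done
```

Get the block size from the file system itself (fsstat some.img) rather than assuming 4096; a wrong divisor gives a block that ifind resolves to the wrong inode without any error.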
   Using Autopsy
      1. Create case and add host




     2. Add image - enter path of partition image files, select partition, select symlink,
        then click Next
     3. Enter hash file to check if there is one. Enter mount point of partition (/root,
        /opt etc)- Click Add
     4. Repeat steps two and 3 for all partition files
     5. Can create timelines, file analysis, keyword search etc.
   Windows Forensics
     1. Helix Live - Allows
     2. Windows Forensics Toolchest
           o Different config files per OS
           o On Helix CD \IR\wft
           o syntax: wft.exe -cfg wftxp.cfg -shell cmdxp.exe -dst file or UNC
           o Creates html files which can be reviewed
     3. Autopsy – As above



