Incidence Response Teams.ppt - I

					Incident Response
     Robert Nellis, CISSP
       P-CIRT Manager
          Paychex, Inc.
        (585) 216-0448
    What is an Incident Response Team?
A Computer Incident Response Team (CIRT) is a vital part of every
organization. The team is responsible for ensuring that identified computer-
related events and incidents are handled in a methodical manner, so that each
event or incident is accurately investigated, mitigated and reported to the
appropriate management or outside agency.

Formal teams should be established for larger organizations. These teams
consist of the roles listed in the following slides.

Informal teams should be established for smaller organizations, and each must
have an identified Incident Response Manager.
           Event or Incident?
• Event - An event is defined as any observed
  activity that may be in violation of established
  Security Policies, Standards or Procedures
  governing systems, data and personnel.
• Incident - An incident is defined as any
  observed activity reported to the CIRT that
  has been investigated and confirmed to be in
  violation of established Security Policies,
  Standards or Procedures governing the security
  of owned systems, data and personnel.
                               The Team
•   CIRT Manager - Responsible for activating P-CIRT team members as required by
    the reported incident or event. Reviews all documentation of activity, findings and
    recommended mitigation plans, and provides briefings to Sr. Management, Legal, HR
    and Public Relations throughout the investigation.

•   CIRT Duty Officer – Responsible for gathering initial information regarding the event
    and alerting the team members needed to investigate it. Also
    responsible for compiling the documentation completed during the investigation.

•   CIRT Analysts - When assigned the role of Duty Officer, an analyst is responsible for
    initial information gathering on the reported incident or event, classification of the
    reported event or incident, and notification of additional team members.

•   Legal - Responsible for providing legal support and direction for all confirmed security
    breaches. These breaches include, but are not limited to client information, illegal
    activity or regulatory requirements. The Legal Representative will also act as the
    liaison to law enforcement agencies as needed.
                       The Team (cont)
•   Human Resources - Responsible for providing support and direction for all events or
    incidents that involve employees. All activity performed by the CIRT team during the
    investigation of a security breach involving an employee should be approved by the
    HR Representative prior to commencing.

•   Public Relations - Responsible for all media communications of identified incidents
    that require disclosure. No external communications are to be made public by anyone
    other than the Public Relations Representative.

•   Law Enforcement - Responsible for providing support in all events identified as a
    violation of civil or criminal laws. Law enforcement will be contacted only under the
    direction of Corporate Counsel.

•   Associate Analysts - Responsible for providing support as needed for events or
    incidents that directly or indirectly impact their circle of influence. The Associate
    Analyst’s manager will be notified prior to engaging the individual in the event or
    incident.

•   Additional members – The CIRT may also include members from Physical Security,
    Internal Audit, Compliance and Risk Management.
                      The Process
• Preparation – This step is the most vital and time-consuming step in
  developing a CIRT. It is never truly completed: as technology and
  attacks change, so will the documentation and tools needed to
  prepare for an investigation, so this step is reviewed continually
  and revised as needed. Documentation is the key to this step, because
  it directs the actions taken in every remaining step of the process.

• Identification – The identification of an event or incident will come
  from various sources. The company's intrusion detection and
  monitoring systems, firewall logs, vendor alerts and employees are all
  sources of identification.

• Containment – The containment step must include all actions
  necessary to reduce the chance that the event or incident will
  spread throughout the company. This step is also vital to maintaining
  the appropriate level of confidentiality for the investigation.
            The Process (Cont)
• Eradication – The eradication step allows the safe
  removal of the event or incident from the environment
  without compromising the evidence of the event or
  incident.

• Recovery – The recovery phase allows the environment
  to be restored to its state prior to the event or
  incident. This step should also be used to put measures
  in place that prevent the event from recurring.

• Lessons Learned – The last step is to review the
  investigation and identify improvements and process
  changes for the next one.
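The Eradication and Recovery steps above depend on evidence collected during Identification and Containment surviving intact, and Preparation says documentation directs every later step. The following is an added example, not code from the original slides, of one way a Duty Officer can record evidence as it is collected and prove later that it has not changed: a streaming hash of each item, written with who collected it and when into an append-only JSON Lines custody log, plus a verification routine whose result is itself logged. The log format, field names and the sample "access log" file are constructed for this illustration and are not from the presentation.

```python
"""Evidence intake and chain-of-custody log for a CIRT investigation.

Added example (not from the original slides). The log format (one JSON
object per line), the field names and the sample evidence file are all
constructed for this illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("sha256", "md5")):
    """Hash a file with each named algorithm, streaming so large images work."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_evidence(log_path, evidence_path, collected_by, note=""):
    """Append a custody entry: who took what, when, and the hashes it had then.

    The log is append-only JSON Lines, so each later verification or hand-off
    becomes a new entry instead of an edit to an old one.
    """
    entry = {
        "action": "collected",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "item": os.path.basename(evidence_path),
        "size": os.path.getsize(evidence_path),
        "hashes": hash_file(evidence_path),
        "collected_by": collected_by,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_evidence(log_path, evidence_path, verified_by):
    """Recompute hashes and compare them with the original 'collected' entry.

    Returns True when every recorded hash still matches. The check is itself
    logged, so the custody record shows each time the item was examined.
    """
    item = os.path.basename(evidence_path)
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    original = next(e for e in entries
                    if e["item"] == item and e["action"] == "collected")
    current = hash_file(evidence_path)
    intact = current == original["hashes"]
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps({
            "action": "verified",
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "item": item,
            "hashes": current,
            "intact": intact,
            "verified_by": verified_by,
        }, sort_keys=True) + "\n")
    return intact


def demo():
    """Collect a constructed evidence file, verify it, tamper with it, verify again."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "webserver_access.log")
    log_path = os.path.join(workdir, "custody.jsonl")
    # Constructed sample data standing in for an acquired log file.
    with open(evidence, "wb") as fh:
        fh.write(b'10.0.0.5 - - [01/Jan/2006:10:00:00] "GET /admin HTTP/1.1" 401\n')
    record_evidence(log_path, evidence, "duty.officer", "copied from web01")
    first_check = verify_evidence(log_path, evidence, "analyst.a")
    # Simulate the evidence being altered after collection.
    with open(evidence, "ab") as fh:
        fh.write(b"tampered\n")
    second_check = verify_evidence(log_path, evidence, "analyst.b")
    with open(log_path, encoding="utf-8") as log:
        n_entries = sum(1 for line in log if line.strip())
    return first_check, second_check, n_entries


if __name__ == "__main__":
    print(demo())
```

Two hashes are recorded because a court or outside agency may ask for either; the size and UTC timestamp let a reviewer spot a substituted or re-imaged item even before the hashes are compared. In practice the custody log itself would live on write-once or separately controlled storage, not beside the evidence.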
                        Tools
• Forensic Hardware/Software – EnCase, The
  Coroner's Toolkit, The Sleuth Kit
• Open Source Tools – Nmap, KNOPPIX, John
  the Ripper, tcpdump
• Disk Tools – Ghost, TestDisk, File Scavenger
• Analysis Tools – grep, Excel, Access DB, hex
  converter, Adobe Photoshop
• Laptop, External Hard Drive, CD/DVD Writer
• Floppy Disks, CD/DVDs, Flash Drive
• Bound Notebook
                         Resources
List of important CERT websites (US-based):

• US-CERT United States Computer Emergency
  Readiness Team
• CERT Coordination Center
• National Vulnerability Database
• Common Vulnerabilities and Exposures
• Department of Homeland Security – Daily Open Source
  Infrastructure Report
• SANS Internet Storm Center
             Resources (Cont)
• InfraGard – Guarding the Nation’s Infrastructure
• FIRST – Forum of Incident Response and Security Teams
• Internet Crime Complaint Center

NOTE: the following sites contain resources to build a CIRT
  from the ground up.

• FIRST – Forum of Incident Response and Security Teams
• CERT Coordination Center
               Tool Resources
•   The Sleuth Kit
•   EnCase
•   KNOPPIX
•   Ghost
•   TestDisk
•   Misc. tools
                       Privacy Laws
• 23 states have privacy laws in place and 12
  states have pending legislation.
• What does this mean to the CIRT?
• Where do we find information regarding current legislation?
• How do we interpret the statutes?
• Reaction time for reported events must be streamlined – states
  requiring disclosure of a breach say it must happen within a
  "reasonable timeframe". What does that mean?
• How do we document and protect evidence?
            Privacy Laws (Cont)
•   Who needs to be notified and when?
•   How do we notify?
•   Do outside agencies need to be notified?
•   What are the penalties for non-compliance?
   The Most Important Things To Remember
• The most important thing to remember
  throughout the entire incident response
  process is to DOCUMENT!
• Protect all evidence as if it were a criminal
• Review incident documentation for
  process improvements
• Continually train your staff