Incident Response Teams
By Robert Nellis, CISSP
P-CIRT Manager, Paychex, Inc.
firstname.lastname@example.org
(585) 216-0448

What is an Incident Response Team?
A Computer Incident Response Team (CIRT) is a vital part of every organization. The team is responsible for ensuring that identified computer-related events and incidents are handled in a methodical manner, so that the event or incident is accurately investigated, mitigated and reported to the appropriate management or outside agency.
Formal teams should be established for larger organizations; these teams consist of the members listed in the following slides.
Informal teams should be established for smaller organizations, with an Incident Response Manager identified.

Event or Incident?
• Event - An event is any observed activity that may be in violation of established Security Policies, Standards or Procedures governing systems, data and personnel.
• Incident - An incident is any observed activity reported to the CIRT team that has been investigated and confirmed to be in violation of established Security Policies, Standards or Procedures governing the security of owned systems, data and personnel.

The Team
• CIRT Manager - Responsible for activating P-CIRT team members as required by the reported incident or event. Reviews all documentation of activity, findings and recommended mitigation plans, and provides briefings to Sr. Management, Legal, HR and Public Relations throughout the investigation.
• CIRT Duty Officer – Responsible for gathering initial information regarding the event and alerting the team members needed to investigate it. Also responsible for compiling the documentation completed during the investigation.
• CIRT Analysts - When assigned the role of Duty Officer, responsible for initial information gathering on the reported incident or event, classification of the reported event or incident, and notification of additional team members.
• Legal - Responsible for providing legal support and direction for all confirmed security breaches. These breaches include, but are not limited to, client information, illegal activity or regulatory requirements. The Legal Representative also acts as the liaison to law enforcement agencies as needed.

The Team (cont)
• Human Resources - Responsible for providing support and direction for all events or incidents that involve employees. All activity performed by the CIRT team during the investigation of a security breach involving an employee should be approved by the HR Representative before it begins.
• Public Relations - Responsible for all media communications about identified incidents that require disclosure. No external communications are to be made public by anyone other than the Public Relations Representative.
• Law Enforcement - Responsible for providing support in all events identified as a violation of civil or criminal laws. Law enforcement will be contacted only under the direction of Corporate Counsel.
• Associate Analysts - Responsible for providing support as needed for events or incidents that directly or indirectly impact their circle of influence. The Associate Analyst's manager will be notified before the individual is engaged in the event or incident.
• Additional members – CIRT may also include members from Physical Security, Internal Audit, Compliance and Risk Management.

The Process
• Preparation – This step is the most vital and time-consuming step in developing a CIRT team. The preparation step is never completed: as technology and attacks change, so will the documentation and tools necessary to prepare for an investigation. You will continue to review this step of the process and make changes as needed. Documentation is the key to this step, as it directs the actions taken in the remaining steps of the process.
• Identification – The identification of an event or incident will come from various sources. The company's intrusion detection and monitoring systems, firewall, vendor alerts and employees are all sources of identification.
• Containment – The containment step must include all steps necessary to reduce the chance that the event or incident will spread throughout the company. This step is also vital to maintaining the appropriate level of confidentiality for the investigation.

The Process (cont)
• Eradication – The eradication step allows the safe removal of the event or incident from the environment without compromising the evidence of the event or incident.
• Recovery – The recovery phase allows the environment to be restored to the state it was in prior to the event or incident. This step should also be used to put measures in place to mitigate the event from occurring in the future.
• Lessons Learned – The last step in this process is to review the investigation and identify improvements and process changes.

Tools
• Forensic Hardware/Software – EnCase, The Coroner's Toolkit, The Sleuth Kit
• Open Source Tools – Nmap, KNOPPIX, John the Ripper, tcpdump
• Disk Tools – Ghost, TestDisk, File Scavenger, FindNTFS
• Analysis Tools – grep, Excel, Access DB, Hex Converter, Adobe Photoshop
• Laptop, External Hard Drive, CD/DVD Writer
• Floppy Disks, CD/DVDs, Flash Drive
• Bound Notebook

Resources
List of important CERT websites (US-based):
• US-CERT, United States Computer Emergency Readiness Team http://www.us-cert.gov/
• CERT Coordination Center http://www.cert.org/
• National Vulnerability Database http://nvd.nist.gov/
• Common Vulnerabilities and Exposures http://cve.mitre.org/
• Department of Homeland Security – Daily Open Source Infrastructure Report http://www.dhs.gov/
• SANS Internet Storm Center http://isc.sans.org/

Resources (cont)
• InfraGard – Guarding the Nation's Infrastructure http://www.infragard.net/
• FIRST – Forum of Incident Response and Security Teams http://www.first.org/
• Internet Crime Complaint Center http://www.ic3.gov/
NOTE: the following sites contain resources to build a CIRT from the ground up.
• FIRST – Forum of Incident Response and Security Teams http://www.first.org/resources/guides/
• CERT Coordination Center http://www.cert.org/csirts/

Tool Resources
• Sleuth Kit - http://www.sleuthkit.org/
• EnCase – http://www.guidancesoftware.com/
• Knoppix - http://www.knoppix.org/
• Ghost - http://www.symantec.com/index.htm
• TestDisk - http://www.cgsecurity.org/testdisk.html
• Misc. Tools - http://www.insecure.org/, http://labmice.techtarget.com/security/incidentresponse.htm

Privacy Laws
• 23 states have privacy laws in place, and 12 states have pending legislation.
• What does this mean to the CIRT team?
• Where do we find information regarding current legislation? http://www.ncsl.org/programs/lis/cip/priv/breach.htm
• How do we interpret the statutes?
• Reaction time for reported events must be streamlined – states requiring disclosure of a breach indicate that this must happen in a "reasonable timeframe"?
• How do we document and protect evidence?

Privacy Laws (cont)
• Who needs to be notified, and when?
• How do we notify?
• Do outside agencies need to be notified?
• What are the penalties for non-compliance?

The Most Important Things To Remember
• The most important thing to remember through the entire incident response process is to DOCUMENT!
• Protect all evidence as if it were a criminal investigation.
• Review incident documentation for process improvements.
• Continually train your staff.

Questions?
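As an added example (not part of the original slides, and not the author's or Paychex's tooling), the following Python script shows one way to act on the "How do we document and protect evidence?" question from the Privacy Laws slide and the "DOCUMENT" and "protect all evidence" points above: an evidence register that fixes each item's SHA-256 at acquisition, keeps an append-only custody log of every acquire, transfer and verify action, and re-hashes items later so that any alteration or loss is detected and recorded rather than discovered in court. The incident id, custodian names and firewall log lines are constructed sample values.

```python
"""Evidence register with hash-based integrity checks and an append-only custody log.
Added example with constructed sample data; not the slide author's or Paychex's tooling."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class EvidenceRegister:
    """Tracks evidence for one incident: what was collected, by whom, and whether it still matches."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.items = {}          # item_id -> description, path, size, sha256 at acquisition
        self.custody_log = []    # append-only: entries are added, never edited or removed

    def _log(self, action, item_id, who, note):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "incident": self.incident_id,
            "action": action,
            "item": item_id,
            "by": who,
            "note": note,
        }
        self.custody_log.append(entry)
        return entry

    def acquire(self, item_id, path, who, description):
        """Record an item at collection time, fixing its hash as the reference value."""
        digest = sha256_file(path)
        self.items[item_id] = {
            "description": description,
            "path": path,
            "size": os.path.getsize(path),
            "sha256": digest,
        }
        self._log("acquire", item_id, who, f"sha256={digest}")
        return digest

    def transfer(self, item_id, from_who, to_who):
        """Hand-off between custodians; both parties are named in the log entry."""
        return self._log("transfer", item_id, from_who, f"released to {to_who}")

    def verify(self, item_id, who):
        """Re-hash the item; a mismatch or a missing file is logged and reported as False."""
        item = self.items[item_id]
        try:
            actual = sha256_file(item["path"])
        except FileNotFoundError:
            self._log("verify", item_id, who, "MISSING: file no longer present")
            return False
        if actual == item["sha256"]:
            self._log("verify", item_id, who, "match")
            return True
        self._log("verify", item_id, who, f"MISMATCH expected={item['sha256']} actual={actual}")
        return False

    def export(self):
        """Serialize the register for the incident file; sorted keys give stable, diff-able output."""
        return json.dumps(
            {"incident": self.incident_id, "items": self.items, "custody_log": self.custody_log},
            indent=2, sort_keys=True,
        )


def hash_of_constructed_file(content):
    """Write constructed bytes to a temporary file and return their SHA-256 (sanity check for sha256_file)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(content)
        return sha256_file(path)


def demo():
    """Walk one constructed item through acquire, verify, transfer, tamper, re-verify.
    Returns (first_verify, second_verify, log_entry_count, first_mismatch_note)."""
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "firewall-export.log")
        with open(log_path, "w") as fh:  # constructed sample log lines
            fh.write("2024-01-01T00:00:01Z DENY 203.0.113.5 -> 192.0.2.10:445\n")
            fh.write("2024-01-01T00:00:02Z DENY 203.0.113.5 -> 192.0.2.11:445\n")
        reg = EvidenceRegister("INC-EXAMPLE-0001")  # placeholder incident id
        reg.acquire("E1", log_path, "duty officer", "firewall log export (constructed sample)")
        first = reg.verify("E1", "analyst")
        reg.transfer("E1", "duty officer", "analyst")
        with open(log_path, "a") as fh:  # simulate an undocumented change to the item
            fh.write("2024-01-01T00:00:03Z ALLOW 203.0.113.5 -> 192.0.2.12:445\n")
        second = reg.verify("E1", "analyst")
        mismatches = [e["note"] for e in reg.custody_log if e["note"].startswith("MISMATCH")]
        return first, second, len(reg.custody_log), mismatches[0] if mismatches else None


if __name__ == "__main__":
    print(demo())
```

Running the script prints `(True, False, 4, 'MISMATCH expected=... actual=...')`: the first verification matches, the appended line changes the hash, and the mismatch is itself a logged custody event. In practice the exported JSON would be written to the bound notebook or case file at each hand-off, and the original media would be hashed once and then only ever read from a working copy.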