Public Safety and Emergency Preparedness Canada

Incident Response

Overview

• Preparing for an incident
• Responding to an incident
• Site level
• Enterprise level
• Government wide
• CCIRC

Definition

• Incident response is the set of technical reactions to computer and network information security incidents
• Incidents can be a threat to information, the compromise of a system, or a violation of security policy
• The incident response mandate is to resolve information security incidents as quickly and as effectively as possible

Preparing

• Management involvement
• Training
• Identify critical assets and choke points
• Harden systems
• Intrusion detection
• Have a team
• Have a plan, procedures and checklists

Preparing

• Preparing for an incident just makes sense: it is not a question of if, but when
• An ounce of prevention is worth much more than a pound of cure
• Preparation encompasses all of the activities required to prepare the organization for the inevitable information security incidents

Documentation

• One of the key activities in incident response is documentation
• All actions and observations must be recorded
• Keep accurate notes
• Note taking, photos, video cameras, and audio dictation may be appropriate

Responding

• Prepare for the incident
• Identify the incident
• Contain the damage
• Eradicate the problem
• Recover from the incident
• Lessons learned
• These are the six steps of incident response from the SANS Institute

Identification

• Is the event an incident?
• Gather data
• Categorize the incident
• Prioritize the response - triage
• Assemble the IR team
• Notify CCIRC (PSEPC)
• Enter incident mode

Identification

• Initial assessment
• Scope of the incident
• Critical services or assets?
• One site
• Multiple sites
• Department wide
• Government wide
• Internet wide

IDS

• You really cannot have proper incident response without intrusion detection
• You will need to be able to correlate events between various log formats and network traces/IDS alerts
• If you have an IDS you really do need to have an incident response capability

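The cross-format correlation the slide calls for, as an added example that is not part of the original deck: three constructed log formats (a Snort-style fast alert, an iptables-style syslog line and an Apache access-log line; every sample line and address is made up) are normalised to one event tuple, and an IDS alert is kept for triage only when a different source saw the same address within a short window. It assumes a fixed year for the syslog and Snort stamps, which carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2011  # constructed: syslog and Snort "fast" alert lines carry no year

# Constructed sample lines, not real logs: Snort-style fast alerts, iptables-style syslog, Apache access log
IDS_ALERTS = [
    "03/14-10:02:15.123456  [**] [1:2000001:1] Suspicious scan [**] [Priority: 2] {TCP} 203.0.113.7:44321 -> 192.0.2.10:22",
    "03/14-10:30:00.000001  [**] [1:2000002:1] Web exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:51000 -> 192.0.2.20:80",
]
FW_LOGS = [
    "Mar 14 10:02:14 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22",
    "Mar 14 11:45:02 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443",
]
WEB_LOGS = [
    '203.0.113.7 - - [14/Mar/2011:10:30:01 +0000] "GET /cgi-bin/test HTTP/1.1" 500 0',
    '198.51.100.9 - - [14/Mar/2011:11:45:03 +0000] "GET / HTTP/1.1" 200 512',
]

# Every parser normalises its format to one event tuple: (timestamp, source_ip, log_source, detail)
def parse_ids(line):
    m = re.match(r"(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[[\d:]+\] (.+?) \[\*\*\].*?(\d+\.\d+\.\d+\.\d+):\d+ ->", line)
    ts = datetime.strptime(f"{YEAR}/{m[1]}/{m[2]} {m[3]}", "%Y/%m/%d %H:%M:%S")
    return (ts, m[5], "ids", m[4])
def parse_fw(line):
    m = re.match(r"(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ kernel: .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)", line)
    ts = datetime.strptime(f"{YEAR} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
    return (ts, m[4], "firewall", f"to {m[5]}:{m[6]}")
def parse_web(line):
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})', line)
    ts = datetime.strptime(m[2].split()[0], "%d/%b/%Y:%H:%M:%S")  # drop the tz offset so all stamps are naive
    return (ts, m[1], "web", f"{m[3]} -> {m[4]}")

def load_all():
    return [parse_ids(l) for l in IDS_ALERTS] + [parse_fw(l) for l in FW_LOGS] + [parse_web(l) for l in WEB_LOGS]

def correlate(events, window=timedelta(seconds=5)):
    """Map source IP -> [(ids_alert, [corroborating events])] for each IDS alert that a
    different log source confirms within `window`; alerts nothing else saw are dropped."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        for alert in (e for e in sorted(evs) if e[2] == "ids"):
            near = [e for e in evs if e[2] != "ids" and abs(e[0] - alert[0]) <= window]
            if near:
                hits.setdefault(ip, []).append((alert, sorted(near)))
    return hits
```

On the sample data, both alerts for 203.0.113.7 are confirmed (one by the firewall, one by the web server) while 198.51.100.9, which only appears in firewall and web logs, never reaches the triage list.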
Intrusion detection

• In order to be able to respond to a security incident, you must first be able to detect it
• A system that looks for suspicious activity and alerts administrators
• A security management system for computers and networks

Containment

• Forensics?
• Prevent further damage
• Minimize the spread
• Possibly pull the plug
• Choke points
• Being able to put new filters on firewalls and routers is critical

Eradication

• Remove the malicious code
• Perform forensic analysis
• Ensure the cause of the incident is known and can be dealt with
• When in doubt rebuild the system(s) securely

Eradication

• Investigate the symptoms of the incident
• Determine the full extent of the incident
• Identify and remove the root cause
• Improve the defenses
• Eradication obviously changes the system state, so forensic images must be made before eradication can begin

Recovery

• Returning to normal state
• Ensuring you have in fact resolved the incident, that eradication was successful
• Removing containment measures
• Monitoring for new outbreaks or signs of further intrusions

Lessons learned

• The post mortem
• Have a meeting
• Look for solutions, not blame
• Prepare two reports
• One technical
• One for management
• Prepare for the next one

Site level

• Everything I have described, and most training and documentation, deals very well with a single site incident
• Response activities are easier to coordinate and perform in a small organization or a single site
• I probably haven’t told you anything you haven’t already heard so far

Multi site

• Incident response gets more complicated when multiple sites are involved in an incident
• Coordination becomes more awkward
• Requires clear responsibilities and communications
• SLA or MOU?

Enterprise

• In larger organizations incident response has a much higher requirement for coordinated activities
• Communications between teams becomes crucial
• This is where enterprise level planning and tools are required; they are the new trend in IR

Government

• At the next level the requirement for coordination is between different levels of government, different government departments, critical infrastructure components and the private sector
• Complex relationships
• This is where CCIRC plays the most significant role

The Internet

• There have been incidents where the Internet as a whole has become impacted
• CCIRC also plays an international role with CERT/CC and other bodies
• The Internet Storm Center, for example (isc.sans.org)

Challenges

• Incident response is always changing
• The attacks are getting more complex
• Responders have to keep up
• Preparing for new incidents is more crucial than ever
• Increasing your IR capabilities and proactive defenses actually gives you the most bang for your security buck

Problems

• Failure to document
• Failure to report
• Inexperienced people
• Insufficient procedures/policies
• Failure to implement lessons learned
• No practice drills

Solutions

• Have upper management on side
• Critical asset and service classification
• Have policy and plans in place
• Assess your current IR capabilities
• Get experts involved ASAP
• Enterprise IR and forensics tools
• Share incident reports

Why share

• Rapid and accurate diagnosis of a widespread problem
• Rapidly disseminate warnings throughout the community
• Alert the community to suspicious activity and support collaborations that investigate and diagnose issues

Why share

• Reduce duplication of efforts across teams
• Share information on mitigation and remediation strategies
• Allows for a national view
• Allows for coordination of mandates and collaboration
• The whole is greater than the sum of its parts

Collaboration

• Collaboration helps to leverage the technical knowledge that exists across the teams, to limit damage, and to ensure continued operation of critical services
• CCIRC will work to promote trust in communication and cooperation about sensitive security issues

Conclusion

Posted: 9/22/2011. Language: English. Pages: 30.