CYBR 4330 - Chapter 4

CPMT transfers info gleaned to other sub committees IR, DR, BC committees get overlapping info on attacks they could face, prioritization, and attack scenario end cases Each gets as much info as CPMT overall

What happens after CPMT completed BIA?

Contingency planning

addresses everything done by an organization to prepare for an unexpected incident

disaster

adverse event causing damage beyond the IR plan threshold

chalk talk

all involved individuals sit around a conference table and discuss their reponsibilities as the incident would unfold

incident

an adverse event that threatens the security of the org's info occurs when an adverse event affects info resources and/or assets, causing actual damage or other disruptions

incident response plan (IR plan)

A detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets. activated when an incident causes minimal damage with little or no disruption to business operations The responsibility for creating THIS often falls to the IRPT leader, who is typically a senior manager from the information security or information technology unit, possibly even the chief information security officer (CISO). should include alert roster

the IR team leader or the IR duty officer makes the determination that the IR plan must be activated.

After an indicator has been reported

Structured walk-through

All involved individuals walk through the steps they would take during an actual event Consist of an on-site walk-through Everyone discusses their actions at each particular location and juncutre indivs work on their own tasks and are responsible for identifying the faults in their own procedure

after-action review (AAR)

Before returning to routine duties, the CSIRT must conduct this review what happened during the event. a detailed examination of the events that occured, from fist detection to final recovery all key players review their notes, verify that IR documentation is accurate and precise all team members review their actions, identify what worked, didn't work, what should be improved allows team to update IRP serve as a training case for future staff brings to a clse the actions of the IR team

Factors of Training Techniques

Budget, time frame, needs of organizaton

reaction force

CSIRT team that responds to each type of end case team leader and scibe

Simulation

Each potential participant individually simulates the performance of each task stops short of the actual physical tasks required

the communities of interest and the CPMT

From WHERE •the executive leadership of the organization should begin building the team responsible for all subsequent IR planning, development, and administrative activities.

SANS InfoSec Reading Room Computer Security Officer SC Magazine InfoSec Magazine

High-quality infosec journals and magazines that have articles and columns on IR topics

IR policy

IR policy, similar in structure to other policies used by the organization defines IR roles and responsibilities for the organization in general and the CSIRT in particular as well as others who will be mobilized to activate the plan must gain ful support of top management, be clearly understood by affected parties gain support of comms of interest to protect CSIRT's actions

Parallel testing

Indivs act as if an actual incident has occurred perform required tasks and execute necessary procedures without interfering with the normal operations

Full interruption

Indivs follow each and every procedure, including interruption of service, restoration of data from backups, notification of appropriate indivs may be done after normal house most rigorous too risky for most businesses

•Defend the flag

KOTH + computer simulation several systems are set to attack system team must react to escalating levels of attack and defend system

IR Plan Testing

Key part of training the CSIRT Identify vulnerabilities, faults, and inefficient processes After problem identification, improvements are made, resulting plan can be relied on

Training for Technical Users

More detailed May require outside consultants and training orgs

Training for Managerial Users

More personal form of training, with smaller groups More interaction and discussion Resist organized training of any kind Champion can exert influence and convince managers to attend training events

After the incident

Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed separate functional areas Once the incident has been contained, this phase begins Lost or damaged data is restored, systems are scrubbed, eberything is restored IRP must describe stages necessary to recover from the most likely events of the incident and detail otherevents needed Follow-on incidents are highly probably when infected machines are brought back online or when other infected computers are brought back up - also likely in hacker attack

IR team

Organizing the IRP process begins with the responsible for development and administration of the IR plan, as well as development and training of the CSIRT needs to be organized as a separate entity begins by identifying and engaging a collection of stakeholders

•It is useful to look at published policies from other agencies and organizations when developing the policy. •Organization charts •Topologies for organizational or constituency systems and networks •Critical system and asset inventories •Existing DR or BC plans •Existing guidelines for physical security breach notifications •Any existing IR plans •Any parental or institutional regulations •Any existing security policies and procedures

Other sources of information for the policies include

Training for General Users

Provide training on the plan Users ask questions Org emphasizes key points Training on technical details of how to do their jobs securely Convenient time - employee orientation - receptive

Desk check

Simplest kind of validation involves distributing copies of the IR plan to each individual that will be assigned a role during an actual incident Review plan and create a list of correct and incorrect components not a true test Good way to review the percieved feasibility and effectiveness of the plan

•Desk check •Structured walk-through •Simulation •Full interruption

Strategies to test contingency plans

FALSE They are REACTIVE

T/F: IR procedures are a preventive control

FALSE at least semi-annual testing should be performed each scenario of the IR plan should be tested

T/F: Testing process stops once final plan is created

FALSE None exist, but: FIRST US-CERT CERT CC NIST Honeypots.net

T/F: There are dedicated IR journals and magazines

•Capture the Flag •King of the Hill •Computer simulations •Defend the flag •Online programming-level war games

The IRPT can use several methods in training the CSIRT as well as testing the IR plan

Developed, tested, and placed in an easy-to-access location

The most important thing is that the IR plan is what three things?

•preparation; •detection and analysis; •containment, eradication, and recovery; and post-incident activity

The overall IR process is made up of four phases

During the incident

The planners develop and document the procedurs that must be performed procedures are grouped and assigned to individuals Sysadmins tasks differ from mgt draft function-specific procedures The most important phase of the IR plan is the reaction to the incident The most important phase of the IR plan is the reaction to the incident Each viable attack scenario end case is examined in turn by the IR team The IRPT and the CSIRT discuss the end cases and begin to understand the actions that must be taken to react to the incident each end case requires IRP team to determine what individuals are needed to respond to each particukar end case IR plan should specify the team leader and scribe

pg 148

Tools for the CSIRT

==COMMS of INTEREST== •General management - understand what CSIRT is and does - preauthrozies interaction between CSIRT and key business functions •IT management - understand CSIRT's demands - " resourcs and access they will require - approve CSIRT actions •InfoSec management - understand on-hand requirements of the CSIRT ==ORGANIZATIONAL DEPTS== •The legal department - review procedures of CSIRT - understand steps they perform to ensure it's in legal guidelines - guidance on contracts and S:Ss •The human resources department (HR) - acquire personnel not on hand to complete team •The public relations (PR) department - briefed on what info can/should be disclosed to public if incident occurs - boilerplate notices •Departments that have overlapping InfoSec interests - physical security - auditing and risk management - insurance ==OTHER INTEREST GROUPS== •General users of information systems •Other stakeholders

Typical stakeholders often include (134-5)

trigger

circumstances that cause an IR team to be activated and the IR plan to be initiated A phone call from a user Notification from a sysadmin Notification from IDS Review of logs Loss of system connectivity Device malfunctions There are many indicators that an intrusion may be occurring

•Capture the Flag

flag = token file - placed on each team's system teams are timed to protect system both defend flag and attempt to capture opposite teams 1-1 or larger

incident response (IR)

focused on detecting and evaluating the severity of emerging unexpected events One of the core elements of CP process should attempt to contain and resolve incidents according to the incident response plan (IR plan). When incidents arise that cannot be contained or resolved, other elements of the CP process are activated using the documented escalation processes noted throughout the plan == a set of procedures that commence when an incident is detected must be carefully planned and coordinated

•Computer simulations

indivs/teams defend systems from computer simulated attacks not many of these available

IR duty officer

is a CSIRT member who is responsible for reviewing any adverse events and determining whether they are actual incidents After this individual determines an actual incident has occurred or is ongoing, he or she notifies the CSIRT and moves forward with the IR plan

Computer Security Incident Response Team (CSIRT)

may be a loose or informal association of IT and InfoSec staffers called up if an attack was detected team of people and their supporting policies, procedures, tech, and data necessary to prevent, detect, react, and recover from an incident that could damage org info at some level, all org members are members of this members of all communities of interest The IRPT and THIS will work to develop a series of predefined response procedures that will guide the CSIRT and information security staff through the IR steps

Training the CSIRT

one of the primary responsibilities of the IRPT requires ongoing training and rehearsal activities can be conducted in various ways - national training programs -- SANSFIRE an organization can set up its own training program in which senior, more experienced staff members share their knowledge with newer, less experienced employees - should include mentoring-type training Other training methods include a professional reading program, which is a list of trustworthy information sources to read on a regular basis

•King of the Hill

one team is KOTH and flag is placed in system 1+ teams work to breach KOTH may be better for CSIRT training and testing

•Online programming-level war games

onlin infosec ed/training war games users can go on different missions that are designed to improve skill sets Even military may use But so do hackers

Training delivery methods

pg. 151 - chart

Before the incident

planners draft a third set of procedures - tasks to prepare for the incident details of data backup schedules, DR preparation, training schedules, testing plans, copies of service agreements, BC plans BC plan = additional material on a service bureau that stores data off site via electronic vaulting include preventive measures to manage risks associate with an attask as well as preparation of the IR team training CSIRT, testing IR plan, selecting and maintaining CSIRT tools, training users

Training the end user

primarily the responsibility of individuals who provide security education training and awareness (SETA) should instruct end users on: •What is expected of them •How to recognize an attack •How to report a suspected incident and whom to report it to •How to mitigate the damage of attacks on the desktop •Good information security practices

stakeholders

representative collection of individuals with a stake int he successful and uninterrupted operation of the org's info infra used to collect vital info on the roles and responsibilities of the CSIRT

war gaming

simulation of attack and defense activities using realistic networks and info systems, with the exervise of IR plans being important element so popular = national competitions

Once all individual components of IR plan have been drafted and tested

the final IR plan document can be created.

1.Select a uniquely colored binder. 2.On the spine of the binder, place reflective tape 3.Under the front slipcover, place a classified document cover sheet. 4.Place an index on the first inside page. 5. For each category of attack, place the corresponding IR plan documents under a common tab and label the index. 6. Organize the contents so that the first page contains the "during attack" actions, followed by the "after attack" actions and finally the "before attack" actions. 7.Attach copies of any relevant documents in the back of the plan under a separate tab 8.Add more documents as needed. 9.Store the plan in a secure but easily reachable location.

the final IR plan document can be created. hard copy is essential because plans that are only accessible via digital media may not be available in some incident scenarios.

Forensic analysis

the process of systematically examining information assets for evidentiary material that can provide insight into how the incident transpired. Information on which machine was infected first or how a particular attacker gained access to the network provides insight about unknown vulnerabilities or exploits.

adverse events

unexpected event that might compromise info resources and assets

IRP Team

will work to build the IR policy, plan, and procedures that the CSIRT follows during IR actions From the communities of interest and the CPMT indivs from all relevant constituent groups composed most heavily from IT and InfoSec Reps from CPMT and org mgt team lead = lisaison between team and CPMT •As with any organizational team, the group will require a champion—typically the chief information officer (CIO), chief information security officer (CISO), or vice president of IT—as well as a selected or elected group leader to manage the team. meet regularly to build IR policy, complete development of IR plan structuring, development, and training of the CSIRT

•During the incident •After the incident •Before the incident

•For every potential attack scenario, the IR team creates an incident plan, which is made up of three sets of incident-handling procedures:

1.Form the incident response planning team (IRPT). 2.Develop the IR policy. 3.Integrate the BIA in the incident response mission. 4.Identify preventive controls. 5.Organize the computer security incident response team (CSIRT). 6.Create IR strategies and procedures. 7.Develop the IR plan. 8.Ensure plan testing, training, and exercises. 9.Ensure plan maintenance.

•In the case of IR planning, the CPMT follows these general stages:

Actions Taken During the Incident

•The next planning component is the determination of what must be done to react to the incident. •After it is determined that there is an attack, the next step is performed: determining the extent of exposure. •After the extent is determined, the team begins to attempt to contain the incident. •After the incident is contained, the team continues to monitor for reoccurrences. •When the incident has been contained and all system control regained, the actions during phase is complete.

•It is directed against information assets owned or operated by the organization. •It has a realistic chance of success. •It threatens the confidentiality, integrity, or availability of information resources and assets.

•When one of the threats identified in Module 1 turns into a valid attack, it is classified as an information security incident, but only if it has all of the following characteristics:

Draft plans

•can be used for the preliminary training of staff and for evaluating the effectiveness of the plan. Any errors or difficulties are remedied as these mature Once desired level of plan maturitu is achieved and these are reviewed, final assembly