CYBR 4330 - Chapter 4
After the BIA, the CPMT passes the information it gleaned to its subcommittees. The IR, DR, and BC committees receive overlapping information on the attacks the organization could face, their prioritization, and the attack scenario end cases; each subcommittee receives as much information as the CPMT as a whole.
What happens after the CPMT has completed the BIA?
Contingency planning
addresses everything an organization does to prepare for an unexpected incident
disaster
an adverse event that causes damage beyond the threshold the IR plan is designed to handle
chalk talk
all involved individuals sit around a conference table and discuss their responsibilities as the incident would unfold
incident
an adverse event that threatens the security of the organization's information; it occurs when an adverse event affects information resources and/or assets, causing actual damage or other disruptions
incident response plan (IR plan)
A detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets. It is activated when an incident causes minimal damage with little or no disruption to business operations. The responsibility for creating THIS often falls to the IRPT leader, who is typically a senior manager from the information security or information technology unit, possibly even the chief information security officer (CISO). It should include an alert roster.
After an indicator has been reported, the IR team leader or the IR duty officer determines whether the IR plan must be activated.
After an indicator has been reported
Structured walk-through
All involved individuals walk through the steps they would take during an actual event. This consists of an on-site walk-through in which everyone discusses their actions at each particular location and juncture; individuals work on their own tasks and are responsible for identifying the faults in their own procedures.
after-action review (AAR)
Before returning to routine duties, the CSIRT must conduct this review of what happened during the event: a detailed examination of the events that occurred, from first detection to final recovery. All key players review their notes and verify that the IR documentation is accurate and precise; all team members review their actions and identify what worked, what did not work, and what should be improved. The AAR allows the team to update the IR plan, serves as a training case for future staff, and brings the actions of the IR team to a close.
Factors of Training Techniques
Budget, time frame, and the needs of the organization
reaction force
the CSIRT members who respond to each type of end case; the plan should specify a team leader and a scribe for each
Simulation
Each potential participant individually simulates the performance of each task; the simulation stops short of the actual physical tasks required.
the communities of interest and the CPMT
From WHERE should the executive leadership of the organization begin building the team responsible for all subsequent IR planning, development, and administrative activities?
SANS InfoSec Reading Room, Computer Security Officer, SC Magazine, InfoSec Magazine
High-quality infosec journals and magazines that have articles and columns on IR topics
IR policy
The IR policy, similar in structure to other policies used by the organization, defines IR roles and responsibilities for the organization in general and for the CSIRT in particular, as well as for others who will be mobilized to activate the plan. It must gain the full support of top management, be clearly understood by all affected parties, and gain the support of the communities of interest in order to protect the CSIRT's actions.
Parallel testing
Individuals act as if an actual incident has occurred, performing the required tasks and executing the necessary procedures without interfering with normal operations.
Full interruption
Individuals follow each and every procedure, including interruption of service, restoration of data from backups, and notification of the appropriate individuals. It may be done after normal hours. This is the most rigorous strategy, and too risky for most businesses.
•Defend the flag
A combination of King of the Hill and computer simulation: several systems are set to attack a target system, and the team must react to escalating levels of attack and defend the system.
IR Plan Testing
A key part of training the CSIRT. Testing identifies vulnerabilities, faults, and inefficient processes; after the problems are identified, improvements are made, and the resulting plan can be relied on.
Training for Technical Users
More detailed; may require outside consultants and training organizations.
Training for Managerial Users
A more personal form of training, with smaller groups and more interaction and discussion. Managers tend to resist organized training of any kind; a champion can exert influence and convince them to attend training events.
After the incident
Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed after the incident, separated by functional area. This phase begins once the incident has been contained: lost or damaged data is restored, systems are scrubbed, and everything is restored to normal. The IR plan must describe the stages necessary to recover from the most likely events of the incident and detail the other events that require action. Follow-on incidents are highly probable when infected machines are brought back online or when other infected computers are brought back up; they are also likely after a hacker attack.
IR team
Organizing the IR planning process begins with this team, which is responsible for the development and administration of the IR plan as well as the development and training of the CSIRT. It needs to be organized as a separate entity and begins its work by identifying and engaging a collection of stakeholders.
•It is useful to look at published policies from other agencies and organizations when developing the policy.
•Organization charts
•Topologies for organizational or constituency systems and networks
•Critical system and asset inventories
•Existing DR or BC plans
•Existing guidelines for physical security breach notifications
•Any existing IR plans
•Any parental or institutional regulations
•Any existing security policies and procedures
Other sources of information for the IR policy include
Training for General Users
Provide training on the plan itself: users ask questions and the organization emphasizes key points. Include training on the technical details of how to do their jobs securely. A convenient time is employee orientation, when new employees are receptive.
Desk check
The simplest kind of validation. It involves distributing copies of the IR plan to each individual who will be assigned a role during an actual incident; each reviews the plan and creates a list of correct and incorrect components. It is not a true test, but it is a good way to review the perceived feasibility and effectiveness of the plan.
•Desk check •Structured walk-through •Simulation •Full interruption
Strategies to test contingency plans
FALSE They are REACTIVE
T/F: IR procedures are a preventive control
FALSE. Testing should be performed at least semi-annually, and each scenario of the IR plan should be tested.
T/F: Testing process stops once final plan is created
FALSE. None exist, but useful sources include FIRST, US-CERT, CERT/CC, NIST, and Honeypots.net.
T/F: There are dedicated IR journals and magazines
•Capture the Flag •King of the Hill •Computer simulations •Defend the flag •Online programming-level war games
The IRPT can use several methods in training the CSIRT as well as testing the IR plan
Developed, tested, and placed in an easy-to-access location
The most important thing is that the IR plan is what three things?
•preparation; •detection and analysis; •containment, eradication, and recovery; and •post-incident activity
The overall IR process is made up of four phases
During the incident
The planners develop and document the procedures that must be performed during the incident; the procedures are grouped and assigned to individuals. Sysadmins' tasks differ from management's, so function-specific procedures are drafted. The most important phase of the IR plan is the reaction to the incident. Each viable attack scenario end case is examined in turn by the IR team: the IRPT and the CSIRT discuss the end cases and begin to understand the actions that must be taken to react to the incident. For each end case, the IRP team determines which individuals are needed to respond to it; the IR plan should specify the team leader and the scribe.
See the textbook, p. 148.
Tools for the CSIRT
==COMMUNITIES of INTEREST==
•General management - understands what the CSIRT is and does - preauthorizes interaction between the CSIRT and key business functions
•IT management - understands the CSIRT's demands and the resources and access it will require - approves CSIRT actions
•InfoSec management - understands the on-hand requirements of the CSIRT
==ORGANIZATIONAL DEPARTMENTS==
•The legal department - reviews the procedures of the CSIRT - understands the steps they perform to ensure they stay within legal guidelines - gives guidance on contracts and S:Ss
•The human resources department (HR) - acquires personnel not on hand to complete the team
•The public relations (PR) department - briefed on what information can and should be disclosed to the public if an incident occurs - prepares boilerplate notices
•Departments that have overlapping InfoSec interests - physical security - auditing and risk management - insurance
==OTHER INTEREST GROUPS==
•General users of information systems
•Other stakeholders
Typical stakeholders often include (textbook pp. 134-5)
trigger
the circumstances that cause an IR team to be activated and the IR plan to be initiated. There are many indicators that an intrusion may be occurring: a phone call from a user, a notification from a sysadmin, a notification from an IDS, a review of logs, loss of system connectivity, or device malfunctions.
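Several of the indicators above (failed-login review, IDS alerts, connectivity loss, user reports) arrive as unrelated lines from different sources, and someone has to decide whether they add up to a trigger. The script below is an added example, not material from the course or the textbook: it reads a constructed indicator feed, scores each recognized indicator, and returns whether the IR plan should be activated, whether the IR duty officer should review, or whether the event should only be logged. The log line formats, the brute-force threshold, the weights, and the score cut-offs are all assumptions chosen for illustration.

```python
"""Indicator triage: deciding whether reported indicators warrant IR plan activation.

Added example, not from the course text. The log formats, thresholds and
scoring weights are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Assumed line formats for the constructed feed.
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+)")
IDS_RE = re.compile(r"ids: ALERT priority=(\d) sig='([^']*)'")
HEARTBEAT_RE = re.compile(r"heartbeat: host (\S+) unreachable")
TICKET_RE = re.compile(r"helpdesk .*reports: '([^']*)'")

RANSOM_WORDS = ("locked", "encrypted", "ransom")
BRUTE_FORCE_THRESHOLD = 5   # assumed: failed logins from one source before it counts
ACTIVATE_SCORE = 4          # assumed: total score at which the IR plan is activated
REVIEW_SCORE = 2            # assumed: total score at which the duty officer reviews

# Constructed sample feed: auth-server syslog, an IDS alert, a monitoring
# heartbeat failure and a help-desk ticket, in the order they arrived.
SAMPLE_FEED = [
    "2024-03-04T09:12:01 authsrv sshd: Failed password for root from 203.0.113.7",
    "2024-03-04T09:12:03 authsrv sshd: Failed password for admin from 203.0.113.7",
    "2024-03-04T09:12:05 authsrv sshd: Failed password for root from 203.0.113.7",
    "2024-03-04T09:12:06 authsrv sshd: Failed password for oracle from 203.0.113.7",
    "2024-03-04T09:12:08 authsrv sshd: Failed password for root from 203.0.113.7",
    "2024-03-04T09:12:11 authsrv sshd: Accepted password for root from 203.0.113.7",
    "2024-03-04T09:13:40 ids: ALERT priority=1 sig='outbound connection to known C2' src=10.0.0.12",
    "2024-03-04T09:15:02 monitor heartbeat: host fileserver01 unreachable for 300s",
    "2024-03-04T09:16:00 helpdesk ticket#4411 user reports: 'all my files are renamed .locked'",
]


@dataclass(frozen=True)
class Indicator:
    name: str
    weight: int
    detail: str


@dataclass
class TriageResult:
    score: int
    decision: str
    indicators: List[Indicator]


def extract_indicators(lines):
    """Turn raw indicator lines into weighted Indicator objects."""
    indicators = []
    failures = defaultdict(int)      # source IP -> failed login count
    success_after_failures = set()   # sources that logged in after many failures
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            # A success *after* a burst of failures is the strongest sign the guess worked.
            if failures[m.group(2)] >= BRUTE_FORCE_THRESHOLD:
                success_after_failures.add(m.group(2))
            continue
        m = IDS_RE.search(line)
        if m:
            weight = {"1": 3, "2": 1}.get(m.group(1), 0)  # lower-priority alerts are ignored
            if weight:
                indicators.append(Indicator("ids_alert", weight, m.group(2)))
            continue
        m = HEARTBEAT_RE.search(line)
        if m:
            indicators.append(Indicator("connectivity_loss", 1, m.group(1)))
            continue
        m = TICKET_RE.search(line)
        if m:
            text = m.group(1).lower()
            if any(word in text for word in RANSOM_WORDS):
                indicators.append(Indicator("user_report", 3, m.group(1)))
    for src, count in failures.items():
        if count < BRUTE_FORCE_THRESHOLD:
            continue
        if src in success_after_failures:
            indicators.append(Indicator("brute_force_success", 4, f"{src}: {count} failures then success"))
        else:
            indicators.append(Indicator("brute_force_attempt", 2, f"{src}: {count} failures"))
    return indicators


def triage(lines):
    """Score the feed and map the score to a trigger decision."""
    indicators = extract_indicators(lines)
    score = sum(i.weight for i in indicators)
    if score >= ACTIVATE_SCORE:
        decision = "activate IR plan"
    elif score >= REVIEW_SCORE:
        decision = "IR duty officer review"
    else:
        decision = "log only"
    return TriageResult(score, decision, indicators)


if __name__ == "__main__":
    result = triage(SAMPLE_FEED)
    for ind in result.indicators:
        print(f"{ind.name:22} +{ind.weight}  {ind.detail}")
    print(f"score={result.score} -> {result.decision}")
```

On the constructed feed every rule fires and the result is "activate IR plan"; a feed containing only a priority-2 IDS alert and one lost heartbeat lands in the duty-officer-review band, which is the point of the middle tier: weak indicators are not dismissed, but they do not activate the plan on their own.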
•Capture the Flag
The flag is a token file placed on each team's system. Teams are timed as they both defend their own flag and attempt to capture the opposing teams' flags; it can be played one-on-one or with larger groups.
incident response (IR)
One of the core elements of the CP process, focused on detecting and evaluating the severity of emerging unexpected events. IR should attempt to contain and resolve incidents according to the incident response plan (IR plan); when incidents arise that cannot be contained or resolved, other elements of the CP process are activated using the documented escalation processes noted throughout the plan. In short, IR is a set of procedures that commence when an incident is detected, and it must be carefully planned and coordinated.
•Computer simulations
Individuals or teams defend systems from computer-simulated attacks; not many of these are available.
IR duty officer
is a CSIRT member who is responsible for reviewing any adverse events and determining whether they are actual incidents After this individual determines an actual incident has occurred or is ongoing, he or she notifies the CSIRT and moves forward with the IR plan
Computer Security Incident Response Team (CSIRT)
May be a loose or informal association of IT and InfoSec staffers who are called up if an attack is detected. It is the team of people and their supporting policies, procedures, technology, and data necessary to prevent, detect, react to, and recover from an incident that could damage the organization's information. At some level, all members of the organization are members of THIS, drawn from all communities of interest. The IRPT and THIS work together to develop a series of predefined response procedures that guide the CSIRT and information security staff through the IR steps.
Training the CSIRT
One of the primary responsibilities of the IRPT; it requires ongoing training and rehearsal activities, which can be conducted in various ways. National training programs such as SANSFIRE are one option. An organization can also set up its own training program in which senior, more experienced staff members share their knowledge with newer, less experienced employees; this should include mentoring-type training. Other training methods include a professional reading program, which is a list of trustworthy information sources to read on a regular basis.
•King of the Hill
One team is King of the Hill and a flag is placed on its system; one or more other teams work to breach it. This may be better suited for CSIRT training and testing.
•Online programming-level war games
Online InfoSec education and training war games in which users go on different missions designed to improve their skill sets. Even the military uses them, but so do hackers.
Training delivery methods
See the chart in the textbook, p. 151.
Before the incident
The planners draft a third set of procedures: the tasks needed to prepare for the incident. These include details of data backup schedules, DR preparation, training schedules, testing plans, copies of service agreements, and BC plans (the BC plan may add material on a service bureau that stores data off site via electronic vaulting). They also include preventive measures to manage the risks associated with an attack, as well as preparation of the IR team: training the CSIRT, testing the IR plan, selecting and maintaining CSIRT tools, and training users.
Training the end user
Primarily the responsibility of the individuals who provide security education, training, and awareness (SETA). They should instruct end users on: •What is expected of them •How to recognize an attack •How to report a suspected incident and whom to report it to •How to mitigate the damage of attacks on the desktop •Good information security practices
stakeholders
a representative collection of individuals with a stake in the successful and uninterrupted operation of the organization's information infrastructure; used to collect vital information on the roles and responsibilities of the CSIRT
war gaming
a simulation of attack and defense activities using realistic networks and information systems, with the exercise of IR plans as an important element; so popular that national competitions are held
Once all individual components of IR plan have been drafted and tested
the final IR plan document can be created.
1. Select a uniquely colored binder.
2. On the spine of the binder, place reflective tape.
3. Under the front slipcover, place a classified document cover sheet.
4. Place an index on the first inside page.
5. For each category of attack, place the corresponding IR plan documents under a common tab and label the index.
6. Organize the contents so that the first page contains the "during attack" actions, followed by the "after attack" actions and finally the "before attack" actions.
7. Attach copies of any relevant documents in the back of the plan under a separate tab.
8. Add more documents as needed.
9. Store the plan in a secure but easily reachable location.
Assembling the final IR plan document. A hard copy is essential because plans that are accessible only via digital media may not be available in some incident scenarios.
Forensic analysis
the process of systematically examining information assets for evidentiary material that can provide insight into how the incident transpired. Information on which machine was infected first or how a particular attacker gained access to the network provides insight about unknown vulnerabilities or exploits.
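The definition above mentions working out which machine was infected first and how the attacker got in. The script below is an added example, not from the course or textbook, of the reconstruction step in code: it takes constructed host telemetry (already normalized to one event per line), orders it into a timeline, finds the first host where the malicious file hash appeared (the patient zero), attributes each later infection to the most recent connection from an already-infected host, and pulls out the earliest process event on patient zero as the likely initial access. The event format, the hostnames, the hash value, and the rule that a lateral movement must come from a host infected before the victim are all assumptions for illustration.

```python
"""Forensic timeline reconstruction: patient zero and propagation path.

Added example, not from the course text. The event format, hostnames and
IOC hash are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IOC_SHA256 = "aa11ffee"  # assumed hash of the dropped binary

# Constructed telemetry normalised to "timestamp|host|kind|detail". ISO-8601
# timestamps in a single time zone sort correctly as plain strings, which is
# what the timeline relies on. Lines are deliberately out of order.
SAMPLE_EVENTS = [
    "2024-03-04T09:02:45|ws-22|file|created C:\\Windows\\Temp\\upd.exe sha256=aa11ffee",
    "2024-03-04T08:55:10|ws-17|process|outlook.exe spawned powershell.exe",
    "2024-03-04T08:55:12|ws-17|file|created C:\\Users\\dan\\AppData\\Local\\Temp\\upd.exe sha256=aa11ffee",
    "2024-03-04T09:02:30|ws-17|net|smb ws-17 -> ws-22 ADMIN$ write upd.exe",
    "2024-03-04T09:05:00|ws-30|net|smb ws-30 -> fileserver01 share read",  # decoy: ws-30 is never infected
    "2024-03-04T09:10:00|ws-22|net|rdp ws-22 -> fileserver01",
    "2024-03-04T09:11:30|fileserver01|file|created C:\\Windows\\Temp\\upd.exe sha256=aa11ffee",
]


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    kind: str
    detail: str


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the normalised lines and return them in timestamp order."""
    events = []
    for line in lines:
        ts, host, kind, detail = line.split("|", 3)
        events.append(Event(ts, host, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def first_seen(events: List[Event], ioc: str) -> Dict[str, str]:
    """Earliest timestamp at which each host wrote the IOC file."""
    seen: Dict[str, str] = {}
    for e in events:  # sorted, so the first hit per host is the earliest
        if e.kind == "file" and f"sha256={ioc}" in e.detail and e.host not in seen:
            seen[e.host] = e.ts
    return seen


def infection_vectors(events: List[Event], seen: Dict[str, str]) -> Dict[str, Tuple[str, str, str]]:
    """For each infected host, the latest connection from an already-infected host before infection."""
    vectors: Dict[str, Tuple[str, str, str]] = {}
    for e in events:
        if e.kind != "net":
            continue
        proto, src, _, dst = e.detail.split()[:4]   # "<proto> <src> -> <dst> ..."
        if src not in seen or dst not in seen:
            continue                                 # source never infected, or target never infected
        if seen[src] <= e.ts < seen[dst]:
            vectors[dst] = (src, proto, e.ts)        # later qualifying connection overwrites earlier
    return vectors


def initial_access(events: List[Event], patient_zero: str, seen: Dict[str, str]) -> Optional[Event]:
    """Earliest process event on patient zero before the IOC landed there."""
    for e in events:
        if e.host == patient_zero and e.kind == "process" and e.ts < seen[patient_zero]:
            return e
    return None


def reconstruct(lines: List[str], ioc: str = IOC_SHA256) -> dict:
    events = parse_events(lines)
    seen = first_seen(events, ioc)
    order = sorted(seen, key=lambda h: seen[h])
    patient_zero = order[0] if order else None
    return {
        "patient_zero": patient_zero,
        "order": order,
        "vectors": infection_vectors(events, seen),
        "initial_access": initial_access(events, patient_zero, seen) if patient_zero else None,
    }


if __name__ == "__main__":
    report = reconstruct(SAMPLE_EVENTS)
    print("patient zero:", report["patient_zero"])
    print("infection order:", " -> ".join(report["order"]))
    for victim, (src, proto, ts) in report["vectors"].items():
        print(f"  {victim} infected via {proto} from {src} at {ts}")
    if report["initial_access"]:
        print("initial access:", report["initial_access"].detail)
```

The decoy line from ws-30 is the edge case worth noticing: a connection to a victim before its infection is only evidence if the source was itself infected at that time, otherwise the timeline would blame a host that merely read a share. The same filter is why the output feeds the AAR and the "unknown vulnerabilities or exploits" question in the definition: the initial-access event on patient zero is what has to be explained, not the lateral hops.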
adverse events
an unexpected event that might compromise information resources and assets
IRP Team
Works to build the IR policy, plan, and procedures that the CSIRT follows during IR actions. It is drawn from the communities of interest and the CPMT, with individuals from all relevant constituent groups, but is composed most heavily of IT and InfoSec staff, plus representatives from the CPMT and organizational management. The team lead acts as liaison between the team and the CPMT. As with any organizational team, the group requires a champion, typically the chief information officer (CIO), chief information security officer (CISO), or vice president of IT, as well as a selected or elected group leader to manage the team. The team meets regularly to build the IR policy, complete the development of the IR plan, and handle the structuring, development, and training of the CSIRT.
•During the incident •After the incident •Before the incident
•For every potential attack scenario, the IR team creates an incident plan, which is made up of three sets of incident-handling procedures:
1. Form the incident response planning team (IRPT).
2. Develop the IR policy.
3. Integrate the BIA in the incident response mission.
4. Identify preventive controls.
5. Organize the computer security incident response team (CSIRT).
6. Create IR strategies and procedures.
7. Develop the IR plan.
8. Ensure plan testing, training, and exercises.
9. Ensure plan maintenance.
•In the case of IR planning, the CPMT follows these general stages:
Actions Taken During the Incident
•The next planning component is the determination of what must be done to react to the incident.
•After it is determined that there is an attack, the next step is performed: determining the extent of exposure.
•After the extent is determined, the team begins to attempt to contain the incident.
•After the incident is contained, the team continues to monitor for reoccurrences.
•When the incident has been contained and all system control regained, the "during" phase is complete.
•It is directed against information assets owned or operated by the organization.
•It has a realistic chance of success.
•It threatens the confidentiality, integrity, or availability of information resources and assets.
•When one of the threats identified in Module 1 turns into a valid attack, it is classified as an information security incident, but only if it has all of the following characteristics:
Draft plans
•Draft plans can be used for the preliminary training of staff and for evaluating the effectiveness of the plan. Any errors or difficulties are remedied as the drafts mature; once the desired level of plan maturity is achieved and the drafts have been reviewed, the final plan is assembled.