CYBR 4330 - Chapter 7


The most critical question on the minds of an organization's management team is

"What do we do once we've detected an incident?"

Automated IR Systems

Automated IR systems to facilitate IR documentation are available through a number of vendors and include:
•Security information and event management (SIEM) systems
•Integrated configuration management components of a forensic management toolkit
Depending on the tools selected, they might be able to:
•Track actions
•Monitor the configuration of systems
•Integrate antivirus and IDPS feedback
•Scan systems for events and policy violations
•Look for industry-specific regulatory compliance issues

The CSIRT leader's second task is to

begin asserting control over the situation and make positive steps to regain control over the organization's information assets

Inappropriate Use

covers a spectrum of violations made by authorized users of a system who nevertheless use the system in ways specifically prohibited by management; it is predominantly characterized as a violation of policy rather than an effort to abuse existing systems.
•Attempting to access unauthorized information or to escalate one's access privileges would be a UA violation, whereas attempting to download, install, or use software, hardware, or services in violation of organizational policy constitutes inappropriate use.
•Traditionally, IU incidents are identified by IT personnel or CSIRT teams but regulated and controlled by management.
•What the organization and its employees must remember is that for the preceding actions to be considered IU violations, they must be counter to established policy.
•Although ignorance of the law is no excuse, ignorance of policy is.

The first step in responding to a DoS incident

detection of the incident

distributed denial-of-service (DDoS)

is usually much more impactful than a DoS attack; results from the use of multiple systems to simultaneously attack a single target.

Unauthorized Access

refers to hacking efforts or attempts by insiders to escalate their privileges, access information, and access other assets to which they do not explicitly have authorization. The inclination is to use it as a synonym for hacking.
Exceeding authorized access: when an individual, an application, or another program, through access to the OS API, attempts to and/or gains access to an info asset without explicit permission or authorization to do so.

The next step in responding to a DoS incident

selecting the appropriate containment strategy.
•Although it may be possible to simply shut off the network connection that the incident is using as a conduit, sometimes it may not be possible or even feasible.
Block the address of the attack source.
•In addition to blocking (at least temporarily) incoming addresses, the organization may want to consider the following strategies:
•Trying to fix the source problem - patch the hole
•Changing the organization's filtering strategy - only on an emergency, temporary basis
•Trying to filter based on characteristics of the attack - rate limiting
•Engaging upstream partners (ISP)
•Eliminating or relocating the target system
•The organization may have to go through a trial-and-error process until it finds a solution that eliminates the issues associated with the attack without disrupting normal operations.

Incident Recovery

the reestablishment of the pre-incident status of all organizational systems; may take a substantial amount of time
•A full recovery is defined as the time needed for the organization to verify that all traces of an incident are erased from its systems.
•Incident recovery involves implementing the backup and recovery plans that should already be in place before the attack.
•Any data that is suspected of corruption or modification must be recovered.
•Although damaged data may be recovered, disclosed data may never be.
Difficult part = the identification of data that may have been disclosed - may never be recovered

cookie

•A type of malware that has become less of a concern is the cookie, which can collect valuable personal information and then send it along to an attacker.
Session cookie: data file valid for just one session
Persistent cookie = stored on the client computer for a long time, maybe forever - customize or enhance user experience - misused as a form of spyware = tracking cookies

After the IU Incident

•After an incident, the CSIRT typically turns copies of all documentation over to management for administrative handling, then monitors the affected systems for possible recurrences.
•At this point, the CSIRT goes through standard activities to document the end of the incident, including discussion and AARs.

After the UA Incident

•After the UA has been contained, the task of identifying the avenue of attack and closing any still-open repeat mechanisms begins.
•At the same time, the organization must identify the extent of the damage done by the UA and look for any residual effects, such as rootkits or back doors.
Determine exactly how much damage is done so the CSIRT can effectively advise management.
Always presume that if a critical info asset is accessed, the data stored within it is compromised.
•One task that must occur after a UA involving a lost, stolen, or hijacked user account is a reset of all passwords, including those for administrator accounts.

Incident Eradication

•After the immediacy of incident containment has passed, the organization is still faced with the contamination that inevitably results after an unauthorized access to a system.
•The attacker will most likely have left a wide swath of damage and destruction, rootkits and back doors to allow future returns, or, in a "scorched earth" approach, malware left behind to continue the damage.
•Many practitioners feel that a compromised system can never be restored to a trusted state, and that rebuilding the system image from known and trusted media is the only way to recover from these types of intrusions.

After the DoS Incident

•After the organization has responded to the DoS incident, it should consider its overall philosophy of protect and forget or apprehend and prosecute.
•In either case, the organization will want to collect some evidence to see how the incident occurred and to provide insight into how to avoid future recurrences.

Malware

•Deliberate software attacks occur when an individual or group designs and deploys software to attack a system; such software is referred to as malicious code, malicious software, or malware.
•Malware is designed to steal, damage, or deny service to the target systems.
•Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, back doors, and rootkits.

During the Malware Incident

•Early detection of a malware incident relies heavily on the preparations described in the previous section.
•Antivirus programs, antimalware, and IDPSs are the front line in detection.
•End users are the first line in reporting; notifications to the organization's help desk of suspected malware infestation should be the first clue of a serious malware incident. Personnel should be aware of indicators of malicious code.
•Containment strategies for malware begin with the prevention strategies outlined earlier: antimalware and IDPSs.
•These applications will not only detect malware, they will quarantine it and handle it in the manner in which the applications are configured, which ranges from simple annotation of log files to notification of organizational personnel to automatic deletion.

malware hoax

•Essentially a DoS attack, the malware (or virus) hoax is commonly used in phishing attacks aimed at getting users to visit a fake Web site; others are designed to work as human malware devices, tricking users into manually deleting or modifying key files.
•A number of Internet resources enable individuals to research viruses and determine if they are fact or fiction.

Response strategies for malware outbreaks include

•Filtering e-mail based on subject, attachment type using malware signatures, or other criteria
•Blocking known attackers
•Interrupting some services
•Severing networks from the Internet or each other
•Engaging the users
•Disrupting service

According to NIST, examples of UA include

•Gaining unauthorized administrative control of any server or service
•Gaining unauthorized access to any network or computing resource, including connection to inadvertently open service ports or dialing into unsecured modems
•Defacing or unauthorized modification of any public-facing or internal information service, including Web-based content
•Guessing or cracking passwords, or subverting or bypassing multifactor authentication procedures, to gain unapproved access to any server or service
•Viewing or copying any nonpublic information without proper authorization
•Sniffing network traffic without explicit authorization
•Using network and computing resources to distribute pirated content, including music and software
•Using social engineering techniques, such as impersonating another person to gain unauthorized access
•Using unattended or unsecured workstations without permission of the authorized user

Before the Malware Incident

•If at all possible, malware incidents should be detected in advance through antivirus and antimalware applications, as well as through effective security awareness programs designed to educate employees on how to handle suspicious events.
•Other ways to prepare for a malware incident include:
•Awareness programs informing users about current malware issues
•Keeping up on vendor and IR agency postings and bulletins
•Implementing appropriate IDPSs
•Effective inventory and data organization
•Implementing and testing data backup and recovery programs

Incident Containment and Eradication Strategies for Specific Attacks

•In selecting the appropriate reaction strategy, the CSIRT leader must determine the appropriate response based on a number of variables, including the incident:
•Type
•Method of incursion
•Current level of success
•Expected or projected level of success
•Current level of loss
•Expected or projected level of loss
•Target
•Target's level of classification and/or sensitivity
•Any legal or regulatory impacts mandating a specific response
This mandates clear and effective CSIRT reaction procedures. Each major type should have a separate containment strategy and planning process.

Things that can be considered IU incidents include

•Inappropriate or unauthorized software or services
•Organizational resources used for personal reasons
•Organizational resources used to harass coworkers
•Restricted company information and other assets stored in external sites

Some examples of infractions and possible reactions:

•Inappropriate or unauthorized software or services—The offensive software or service is removed from systems by the CSIRT or follow-up IT teams; the matter is then referred to management.
•Personal use of an organizational resource—Evidence is collected; the matter is then referred to management.
•Organizational resources used to harass coworkers—Evidence is collected; the matter is then referred to management.
•Restricted company information and other assets stored in external sites—Company information is removed from external storage with assistance from the offending employee; the matter is then referred to management.

Before the DoS Incident

•Long before a DoS (or DDoS) attack occurs, certain tasks should be performed to maximize the response:
•Coordinating with the ISP - most important partner - guidelines to respond
•Collaborating and coordinating with professional response agencies - US-CERT
•Implementation of prevention technologies - IDPS
•Monitoring resources
•Coordinating the monitoring and analysis capabilities
•Setting up logging and documentation
•Configuring network devices to prevent DoS incidents

Hybrid or Multicomponent Incidents

•Many incidents begin with one type of event, then transition to another.
•These hybrid or multicomponent incidents may create complex response operations that involve multifaceted investigations and responses.
•Dealing with these incidents requires that all the previous recommendations for preparation and prevention, containment, and response and recovery have been considered.
•Timeliness is also a factor in prioritizing the response.

Response Preparation

•Most of the prevention strategies an organization should pursue are simply good security practices.
•These would include the following:
•Using risk assessment to make informed decisions
•Acquiring and maintaining good host security
•Acquiring and maintaining good network security
•Implementing comprehensive malware prevention
•Thorough and ongoing training to raise user awareness
These are specifically designed to get both the CSIRT and the rest of the org ready to detect, respond to, and recover from incidents.
•To manage an incident, NIST recommends using a checklist.

Before the IU Incident

•Organizational policy is the primary strategy in preparing for and preventing IUs.
•For a policy to become legally enforceable and defendable, it must meet the following criteria:
•Dissemination (distribution)
•Review (reading)
•Comprehension (understanding)
•Compliance (agreement)
•Uniform enforcement
•Only when all these conditions are met can an organization penalize employees who violate the policy without fear of legal retribution.
•When the organization has effective policies in place, it should establish a security education, training, and awareness (SETA) program to fully integrate those policies - classes - follow-up messages.
•Other preparation strategies fall under the category of good security practices, such as the proper configuration of IDPSs, log management systems, and filtering rules on network devices.
•In order to detect policy violations, however, the organization should consider periodic scans of internal systems as part of a configuration management program.
Prepare for administrative fallout from policy violations.
Primary prevention tools: policies, configuration management policies

watchful waiting

•A tactic that deliberately permits the attack to continue while the entire event is observed and additional evidence is collected.
•The use of this type of delayed containment may need to be previewed with legal counsel to see if it is feasible. It may result in escalation; only for experienced CSIRTs; requires a lot of discipline and skill.
•Another thing to consider regarding containment is that attackers can devise means to cause further damage when containment steps are initiated.

its mission philosophy—protect and forget or apprehend and prosecute.

How the CSIRT responds to an incident relies in part on

incident response (IR) reaction strategies

IR strategies: these procedures are the heart of the IR plan and the CSIRT's operations

denial-of-service (DoS)

designed to prevent the legitimate users of a system or network from using it

an assessment of the situation.

After the CSIRT has been notified and arrives, whether physically or virtually, the first task that must occur is
•During this task, the CSIRT leader (also known as the incident commander) determines what type of incident, if any, has occurred and what reaction strategies are appropriate.

True

T/F: Each type of incident has its own unique characteristics that will dictate specific preparations

Here are some key recommendations for handling hybrid incidents

•Use software to support incident management
•Prioritize each incident component as it arises
•Contain each incident, then scan for others

During the IU Incident

When investigating a potential IU incident, consider the level of authority an individual manager has when responding; the organization must have clear policies. The key is whether the org has created an expectation of privacy for the employee.
•Containment strategies for IU incidents predominantly focus on detecting the incident through technical means or managerial reports, then removing the offending technology.
•For incidents in which employees are using systems for purely personal concerns that do not otherwise violate appropriate use guidelines, a determination whether to stop the activity or proceed with administrative punishment typically falls to the individual's supervisor.

Before the UA Incident

•Preparation and prevention of UA incidents involves a process that addresses industry-recommended security efforts.
•Preparing to handle these incidents requires much the same effort as preparing for other incidents in installing, configuring, and maintaining effective IDPSs.
•Other strategies that specifically target UA incidents include the centralization and protection of log servers and implementing an effective password policy. Using a common central log server and placing it in a more highly protected area of the network may not prevent UA incidents, but it will certainly assist in the post-event analyses that are needed to prevent reoccurrence.
•Implementing an effective password policy and having a complete and usable management policy as well as technology-enforced password requirements is critical.
•Coupled with policies on changing passwords regularly, storing passwords securely, and other safe practices, the written policy is an effective first step in UA mitigation.
•Enforcing those policies will further improve the organization's readiness for UA incidents.
•The second half of the strategy—implementing the written policies as systems policies—will cement the strategies in place.
In the event of a reported password breach, the org should plan to implement an immediate password change to prevent the widespread use of ill-gotten passwords and password files.

•After an infection has been detected, it is up to the CSIRT to look for other possibly undetected infections by:

•Scanning internal systems to look for active service ports that are not supposed to be present on internal systems
•Prompt and aggressive use of updated scanning tools
•Analysis of the logs from e-mail servers, firewalls, IDPSs, and individual host log files for anomalous items
•Giving network and host intrusion systems access to signature files that can indicate when the behavior characteristics of malware infection have occurred
•Audit of the running processes on systems to validate that all running processes are expected and legitimate

During the UA Incident

•The organization will most likely respond differently to an internal user attempting to escalate privilege than to an external hacker.
•NIST recommends the following containment strategies:
•Isolate
•Disable network port
•Block
•Disable user account
•Lockdown

After the Malware Incident

•The standard actions common to all incidents should be followed when the malware incident is over—specifically, reporting and AARs (after-action reviews).
•The most critical action after a malware incident has been handled is to constantly monitor to prevent reinfection.
Distribution of warnings that a particular malware incident occurred and that it was successfully handled will serve to further educate the org's users as well as remind them of necessary steps.

•Each complete containment strategy should include details about how the organization will handle:

•Theft or damage to assets
•Whether to preserve evidence for potential criminal prosecution
•Service-level commitments and contract requirements to customers
•Allocation of necessary resources to activate the strategy
•Graduated responses that may be necessary
•Duration of containment efforts

Incident Containment

•This is the first phase of this part of the IR—the response function; once achieved, eradication and recovery can occur. The CSIRT begins to contain a confirmed incident.
Process by which the CSIRT acts to limit the scale and scope of an incident as it begins to regain control over the org's info assets.
•There are a number of ways a trained CSIRT can conduct incident containment; however, the methods that the team uses to stop an incident can have an adverse effect on the organization and its operations.
•If an incident is internal, the simplest solution may be to shut down the affected systems.
•If it is external, the simplest solution may be to disconnect the affected systems from the Internet or other external network.
The CSIRT may not wish to tip off attackers. This approach can completely change how the CSIRT responds to the incident, requiring a measure of "acceptable loss" while the CSIRT collects info for later prosecution.
The CSIRT leader may also be required to notify upper management before executing a response beyond a predetermined level.
•Close communication is a must to provide quick and effective authorization in response to the CSIRT's findings.

•With regard to malware prevention, NIST recommends the following:

•Use antivirus/antispyware software.
•Block suspicious files by configuring servers and networking devices to prevent distribution of certain file extensions, especially in e-mail and Web traffic.
•Filter unwanted e-mail traffic and prohibit open relays.
•Minimize file transfer capabilities to those essential to business operations.
•Eliminate or prohibit file sharing and print sharing.
•Educate, inform, and involve users at all stages.

•The CSIRT's operational guidance should include the following applicable containment strategies:

•Verifying that redundant systems and data have not been compromised
•Monitoring system and network activities
•Disabling access to compromised systems that are shared with other computers
•Changing passwords or disabling accounts of compromised systems
•Disabling system services, if possible
•Disconnecting compromised systems or networks from the local network or the Internet
•Temporarily shutting down compromised systems

Identifying the Attacking Hosts

•When the IR plan has been activated and the CSIRT is actively responding to the threat, it must be able to identify the systems and network connection being used by the attacker.
•To identify the attacker, the following activities should be done:
•Verification of the IP address of the attacking system
•Web-based research of the attacking host IP address
•Incident/attack database searches
•Attacker back-channel and side-channel communications

Preventing Concurrent Recurrence

•While working to contain an incident, the CSIRT must ensure that the attacker does not initiate a new incident before the current incident is resolved.
•When a second attack uses the same means and methods as the first attack and is undertaken while the first attack is still under way, this is considered a concurrent recurrence.
•To prevent it, the team must continuously monitor not just the assets associated with the current incident but also the remaining assets that may be susceptible to attack using the same or similar attack methods.
A key problem with a successful intrusion is the high probability that the attacker will immediately inform his or her peers.
