Lecture Security+ Certification: Chapter 11 - Trung tâm Athena


Document information

Chapter 11 - Incident response. The main contents of this chapter include all of the following: Incident response overview, computer forensics defined, contemporary issues in computer forensics, forensic process, forensic tools, forensic problems, the future of computer forensics.

Chapter 11 Incident Response
ATHENA

 Incident Response Overview
 Computer Forensics Defined
 Contemporary Issues in Computer Forensics
 Forensic Process
 Forensic Tools
 Forensic Problems
 The Future of Computer Forensics

Incident Response – Why is it Critical?
 Resolve the problem
 • Find out what happened
 • How it happened
 • Who did it
 Create a record of the incident for later use
 Create a record to observe trends
 Create a record to improve processes
 Avoid confusion

Elements of Incident Response
 Preparation
 Identification
 Containment
 Eradication
 Recovery
 Follow-up

Preparation
Without adequate preparation, it is extremely likely that response efforts to an incident will be disorganized and that there will be considerable confusion among personnel.
Preparation limits the potential for damage by ensuring response actions are known and coordinated.

Identification
The process of determining whether or not an incident has occurred and the nature of the incident.
Identification may occur through the use of automated network intrusion equipment or by a user or SA.
Identification is a difficult process: noticing the symptoms of an incident is often difficult, and there are many false positives. However, noticing an anomaly should drive the observer to investigate further.

Who can identify an Incident?
 Users – My system is slow, my mail is missing, my files have changed
 System support personnel – servers locked up, files missing, accounts added/deleted, weird stuff happening, anomalies in the logs
 Intrusion Detection Systems and Firewalls – Automatically identify violations of policies

Possible Incident Classifications
 Unauthorized Privileged (root) Access – Access gained to a system and the use of root privileges without authorization
 Unauthorized Limited (user) Access – Access gained to a system and the use of user privileges without authorization
 Unauthorized Unsuccessful Attempted Access – Repeated attempts to gain access as root or user on the same host, service, or system, with a certain number of connections from the same source

Possible Incident Classifications (cont.)
 Unauthorized Probe – Any attempt to gather information about a system or user on-line by scanning a site and accessing ports through operating system vulnerabilities
 Poor Security Practices – Bad passwords, direct privileged logins, etc., which are collected from network monitoring systems
 Denial of Service (DoS) Attacks – Any action that preempts or degrades performance of a system or network, affecting the mission, business, or function of an organization

Possible Incident Classifications (cont.)
 Malicious Logic – Self-replicating software that is viral in nature; is disseminated by attaching to or mimicking authorized computer system files; or acts as a trojan horse, worm, malicious scripting, or a logic bomb
 • Usually hidden, and some may replicate
 • Effects can range from simple monitoring of traffic to a complicated automated backdoor with full system rights

Conclusions
 Computer forensics is an integral function within incident response
 Processes are the most important aspects of computer forensics
 The future of cyber crime will lead to an increased need for computer forensic capabilities

Questions?

Objective in this chapter
 Physical Security
 Forensics
 Risk Identification
What do you do after a system has been penetrated?
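The three access-related classifications above can be turned into detection logic. The following added example (written for this page, not part of the Athena slides) parses a few constructed sshd-style log lines and labels the findings with the slide's own class names. The failure threshold, the privileged-account list and the set of authorized source addresses are assumed policy values, because the slides only say "a certain number of connections" and "without authorization"; in practice these come from the organization's own policy.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd-style log lines for illustration; not taken from the slides.
SAMPLE_LOG = """\
Jan 12 03:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 12 03:14:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 12 03:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 12 03:20:44 web01 sshd[2300]: Accepted publickey for root from 198.51.100.9 port 40110 ssh2
Jan 12 03:22:10 web01 sshd[2315]: Accepted password for alice from 203.0.113.7 port 51030 ssh2
Jan 12 08:00:00 web01 sshd[2400]: Accepted publickey for alice from 192.0.2.10 port 33000 ssh2
Jan 12 08:01:00 web01 sshd[2401]: Failed password for bob from 192.0.2.44 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Assumed policy values (hypothetical): how many failures from one source count
# as "repeated", which accounts are privileged, and which sources may log in.
FAILURE_THRESHOLD = 5
PRIVILEGED_USERS = {"root"}
AUTHORIZED_SOURCES = {"192.0.2.10"}  # assumed management host


def parse_auth_log(log_text):
    """Extract result, user and source address from each matching line; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_incidents(events, threshold=FAILURE_THRESHOLD,
                       authorized=AUTHORIZED_SOURCES):
    """Map the slide's incident classes to findings derived from the events."""
    findings = defaultdict(list)

    # Repeated failed attempts from the same source, whichever accounts were tried.
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    users_tried = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            users_tried[e["src"]].add(e["user"])
    for src, n in sorted(failures.items()):
        if n >= threshold:
            findings["Unauthorized Unsuccessful Attempted Access"].append(
                f"{n} failed logins as {','.join(sorted(users_tried[src]))} from {src}")

    # Successful logins from sources outside the assumed authorized set.
    for e in events:
        if e["result"] != "Accepted" or e["src"] in authorized:
            continue
        if e["user"] in PRIVILEGED_USERS:
            key = "Unauthorized Privileged (root) Access"
        else:
            key = "Unauthorized Limited (user) Access"
        findings[key].append(f"{e['user']} login accepted from {e['src']}")

    return dict(findings)


if __name__ == "__main__":
    for incident_class, items in classify_incidents(parse_auth_log(SAMPLE_LOG)).items():
        print(incident_class)
        for item in items:
            print("  -", item)
```

On the constructed sample, the five failures from 203.0.113.7 are reported as attempted access, the root login from 198.51.100.9 as privileged access and the alice login from 203.0.113.7 as limited access, while the single failure for bob stays below the threshold and the alice login from the assumed management host is accepted as authorized.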
Physical Security
 Access Control: physical barriers, Biometrics
 Social Engineering
 Environment: Temperature, Humidity, Airflow, Electrical interference, Electrostatic discharge (ESD)
 Wireless Cells, Location, Shielding (EMI, RFI), Fire Suppression

Physical Security
 Shielding
 • radio frequency interference (RFI)
 • electromagnetic interference (EMI)
 Fire Suppression
 • Inergen (IG-541): nitrogen + argon + carbon dioxide
 • Heptafluoropropane (HFC-227ea) (~FM-200)
 • Trifluoromethane (FE-13)
 • Carbon Dioxide Systems

Forensics
 Computer forensics is the application of computer skills and investigation techniques for the purpose of acquiring evidence
 Forensics has four basic components: evidence is Collected, Examined, Preserved and Presented

Forensics
 Awareness
 What Your Role Is: First responder, Investigator, Crime scene technician

Forensics
 Chain of Custody
 Preservation of Evidence
 Collection of Evidence: SafeBack, EnCase, ProDiscover

Risk Identification
 Hard Reality – Systems fail and can be breached
 How much does it cost to build a wall of security?
 Which failed services will cost the most in downtime?
 How can you mitigate the loss of those services?
 How can you quickly recover those failed services?
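The Forensics slides above list Chain of Custody and Preservation of Evidence without saying how the record demonstrates that evidence was not altered between collection and presentation. The added example below (not from the slides) hashes a constructed stand-in for a disk image at acquisition, re-hashes the copy at every handoff, and refuses to call the chain intact once any logged copy's digest differs from the baseline. The item id, handler roles and timestamps are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an evidence image; any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str       # ISO-8601 timestamp (constructed values below)
    handler: str    # who had the evidence
    action: str     # acquired / transferred / examined ...
    sha256: str     # digest of the copy in that person's hands


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    log: list = field(default_factory=list)


def acquire(item_id, description, image: bytes, handler, when) -> EvidenceItem:
    """First responder takes the image and records the baseline hash."""
    digest = sha256_hex(image)
    item = EvidenceItem(item_id, description, digest)
    item.log.append(CustodyEntry(when, handler, "acquired", digest))
    return item


def record_handoff(item, image_copy: bytes, handler, action, when) -> bool:
    """Log a custody event and re-hash the copy being handed over.
    Returns True when the copy still matches the acquisition hash."""
    digest = sha256_hex(image_copy)
    item.log.append(CustodyEntry(when, handler, action, digest))
    return digest == item.acquisition_hash


def custody_intact(item) -> bool:
    """Evidence is presentable only if every logged copy matched the baseline."""
    return all(entry.sha256 == item.acquisition_hash for entry in item.log)


def run_demo():
    # Constructed stand-in for a disk image; real evidence would be an image file.
    image = b"BOOT" + b"\x00" * 508 + b"constructed evidence payload"
    item = acquire("EV-001", "constructed disk image of host web01", image,
                   "first responder (hypothetical)", "2020-01-30T05:19:00Z")
    # Transfer to the lab with the image unchanged: the hash matches.
    ok_transfer = record_handoff(item, image, "investigator (hypothetical)",
                                 "transferred to lab", "2020-01-30T08:00:00Z")
    # A working copy that was altered (e.g. mounted read-write): the hash no longer matches.
    altered = image + b"\x00"
    ok_exam = record_handoff(item, altered, "examiner (hypothetical)",
                             "examined working copy", "2020-01-31T09:30:00Z")
    return ok_transfer, ok_exam, custody_intact(item), len(item.log)


if __name__ == "__main__":
    ok_transfer, ok_exam, intact, entries = run_demo()
    print(f"transfer matched: {ok_transfer}, exam copy matched: {ok_exam}, "
          f"chain intact: {intact}, log entries: {entries}")
```

The design choice worth noting is that the hash is recorded at each step rather than only at acquisition: the log then shows not just that the evidence changed, but in whose hands the mismatch first appeared, which is exactly what the chain of custody must answer in court.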
Risk Identification
 Asset Identification
 Risk assessment
 Threat Identification
 Vulnerabilities

Asset Identification
 Identify physical and logical company resources
 Assign hard dollar amounts to loss of those resources

Risk assessment
 Determine cost: ARO * SLE = ALE
 • ARO: Annualized Rate of Occurrence
 • SLE: Single Loss Expectancy
 • ALE: Annual Loss Expectancy
 Determine cost of replacement and cost of outage
 Identify likelihood of failure occurring
 Identify how to avoid risk of loss
 Identify how to respond to failure

Threat Identification
 Create a threat model that outlines possible security threats
 A common security model is called STRIDE
 – Spoofing
 – Tampering
 – Repudiation
 – Information Disclosure
 – Denial of Service
 – Elevation of privilege

Vulnerabilities
 Use the threat model to review the network for possible threats
 Determine how best to thwart those types of attacks
 Create a security guide

... Forensics?
 The Victim!
 Law Enforcement
 Insurance Carriers
 Ultimately the Legal System

Who are the Victims?
 • Private Business
 • Government
 • Private Individuals

... transaction logs
 • Real-time analysis via network monitoring
 – Sniffers
 – Real-time tracing

E-mail Forensics
 E-mail forensics is the study of the source and content of electronic mail as evidence
... estimated between $2.5B-$10B US
 • Kournikova worm effects still being analyzed

Eradication
 The process of removing the cause of the incident
 • For a virus – anti-virus software is best
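The Risk assessment slide gives the formula ARO * SLE = ALE. The added example below (not from the slides) applies it to a constructed asset register, ranks the assets by ALE to answer the Risk Identification question of which failed services cost the most, and extends the formula to the usual cost/benefit test for a safeguard (ALE before the control, minus ALE after it, minus the control's annual cost), which the slides do not state explicitly. All dollar figures, ARO values and safeguard descriptions are hypothetical.

```python
def annual_loss_expectancy(sle, aro):
    """Slide formula: ARO * SLE = ALE."""
    return sle * aro


def rank_by_ale(assets):
    """Order assets by expected yearly loss, largest first.
    Each asset is a dict with 'name', 'sle' (replacement + outage cost) and 'aro'."""
    ranked = [(a["name"], annual_loss_expectancy(a["sle"], a["aro"])) for a in assets]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def safeguard_value(ale_before, ale_after, annual_safeguard_cost):
    """Yearly value of a control: the ALE it removes minus what it costs to run.
    Positive means the 'wall of security' costs less than the loss it prevents."""
    return (ale_before - ale_after) - annual_safeguard_cost


# Constructed asset register (hypothetical figures, not from the slides).
ASSETS = [
    {"name": "customer database server", "sle": 250_000, "aro": 0.1},  # once per 10 years
    {"name": "web storefront", "sle": 40_000, "aro": 2.0},             # two outages a year
    {"name": "branch file server", "sle": 15_000, "aro": 0.5},         # once every 2 years
]

# Constructed safeguards: (asset name, annual cost, ARO once the control is in place).
SAFEGUARDS = [
    ("web storefront", 30_000, 0.25),      # e.g. a DoS mitigation service
    ("branch file server", 12_000, 0.05),  # e.g. a fully redundant server
]


def evaluate_safeguards(assets=ASSETS, safeguards=SAFEGUARDS):
    """Return {asset name: yearly safeguard value} so each control is justified or rejected."""
    by_name = {a["name"]: a for a in assets}
    results = {}
    for name, cost, aro_after in safeguards:
        asset = by_name[name]
        before = annual_loss_expectancy(asset["sle"], asset["aro"])
        after = annual_loss_expectancy(asset["sle"], aro_after)
        results[name] = safeguard_value(before, after, cost)
    return results


if __name__ == "__main__":
    for name, ale in rank_by_ale(ASSETS):
        print(f"{name:<28} ALE = {ale:>10,.0f}")
    for name, value in evaluate_safeguards().items():
        verdict = "justified" if value > 0 else "not justified"
        print(f"safeguard for {name}: net {value:,.0f} per year ({verdict})")
```

With these constructed numbers the storefront, not the expensive database server, carries the largest annual loss because of its high rate of occurrence, and the redundancy for the branch server is rejected: it costs more each year than the loss it would prevent.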

Posted: 30/01/2020, 12:19
