sans 405.1

chapter 1: incident handling definition

Incident handling is an action plan for dealing with the misuse of computer systems and networks, such as:

  • Intrusions
  • Malicious code infection
  • Cyber-theft
  • Denial of service
  • Other security-related events

Keep written procedures and policy in place so you know what to do when an incident occurs.

incident handling:

a plan for dealing with computer security-related events. The plan includes hooks into your general Disaster Recovery and Business Continuity plans, which deal with fire, floods, and other disastrous events.

incident:

an event that implies harm or the attempt to harm.

Ex: unauthorized use of another user’s account, unauthorized use of system privileges, …

event:

any observable occurrence in a system; observable, measurable occurrences in computer systems.

Ex: the system boot sequence; a system crash (could be normal behavior for that system).

Events provide the bulk of your organization’s case if the perpetrator of an incident is caught. They must be recorded in notebooks and logs; recording them in multiple places improves the evidence, because that is corroborating evidence.

incident or event???

An IPS captures an event that triggered a rule for a Windows server attack script, but the server it was aimed at is a Linux box running Apache, as the logs show. Is it an incident because of the malicious intent, or an event because it caused no harm? Here we have two systems with the same logs, which strengthens this piece of evidence.
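The situation above (an IPS rule for a Windows attack firing against a Linux/Apache host) is exactly the kind of triage you can script. The block below is an added example, not code from the course or the blog: it parses a constructed IPS alert line (its format is an assumption) and constructed Apache combined-format log lines, checks the target against a constructed host inventory, and reports whether the two sources corroborate each other, whether the rule's platform matches the real target, and whether any harm was observed. The `count_attempts` switch is the policy call the text leaves open: by the chapter's definition an attempt to harm is already an incident.

```python
# Added example, not from the course or the blog post: triage an IPS alert against
# the targeted server's own log. The alert line, the Apache log lines and the host
# inventory are all constructed sample data; the alert format is an assumption.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed host inventory: what each server really runs.
INVENTORY = {"198.51.100.12": {"os": "linux", "service": "apache"}}

# Constructed IPS alert (assumed format:
# "<utc time> <src> -> <dst>:<port> sig=<rule> os=<platform the rule is written for>")
IPS_ALERT = ("2024-05-03T10:15:07Z 203.0.113.7 -> 198.51.100.12:80 "
             "sig=Windows-IIS-traversal os=windows")

# Constructed Apache combined-format lines from the server that was aimed at.
APACHE_LOG = """\
203.0.113.7 - - [03/May/2024:10:15:07 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 196 "-" "Mozilla/4.0"
198.51.100.40 - - [03/May/2024:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/8.0"
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
                      r"sig=(?P<sig>\S+) os=(?P<os>\S+)$")
APACHE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                       r'(?P<status>\d{3}) \S+')


@dataclass
class Triage:
    classification: str      # "incident" or "event"
    corroborated: bool       # the same request appears in the IPS alert and in the target's own log
    target_mismatch: bool    # the rule is for a platform the target does not run
    harm_observed: bool      # the hostile request got a success response
    reasons: list = field(default_factory=list)


def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line")
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return d


def parse_apache(text):
    entries = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue                     # skip anything that is not a combined-format request line
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def triage(alert_line, apache_text, inventory, window=timedelta(seconds=5), count_attempts=True):
    """Correlate the alert with the target's log and classify it.
    count_attempts=True follows the chapter's definition (an attempt to harm is an
    incident); False treats a failed attempt as a mere event, which is a policy call."""
    alert = parse_alert(alert_line)
    target = inventory.get(alert["dst"], {})
    mismatch = target.get("os") not in (None, alert["os"])
    # Same source, within the time window: the web log saw the very request the IPS saw
    matches = [e for e in parse_apache(apache_text)
               if e["src"] == alert["src"] and abs(e["ts"] - alert["ts"]) <= window]
    harm = any(e["status"] < 400 for e in matches)

    reasons = []
    if mismatch:
        reasons.append(f"rule targets {alert['os']} but {alert['dst']} runs "
                       f"{target['os']}/{target['service']}")
    if matches:
        reasons.append(f"{len(matches)} request(s) from {alert['src']} in the web log "
                       "corroborate the IPS event (two sources, same evidence)")
    if harm:
        reasons.append("hostile request got a success status: harm possible")
    elif matches:
        reasons.append("request failed on the target (4xx/5xx): malicious intent, no harm seen")

    incident = harm or (count_attempts and bool(matches))
    return Triage("incident" if incident else "event", bool(matches), mismatch, harm, reasons)
```

Whatever the policy decides, keep both records: the IPS alert and the Apache line are the two independent logs the text mentions, and the `reasons` list is what goes into the notebook.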

Take care when you are root or admin: watch what you’re doing, because there is no undo button, and even if there is one, can you outpace the machine?

sharing !!

Hackers share data, exploits and tricks. Can you solo a whole community? I don’t think so, so what should you do? Share. It’s no secret that you get attacked; everyone eventually will be, so learn and share so other defenders don’t face the same problem you faced.


incident handling steps:

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

The day-to-day state you’ll be in is the first two steps: spending your time getting ready, and finding the threat as soon as possible. DON’T SKIP: you should never go to a step without finishing all the prior ones, even if you’re being pushed to. Just don’t, because it will cause more harm than you think. Sometimes you may have to jump back because of the circumstances; you need to be flexible enough to jump back and do it all again.

preparation:

Chance favors the prepared mind, especially in incident handling. The middle of an incident is not a good time to get ready, whether it’s commands, tools or even hardware that is needed, so be prepared.

The goal here is to get the team ready. The elements include People, Policy, Data, Software/Hardware, Communications, Supplies, Transportation, Space, Power and Environmental Controls, and Documentation.

People:

The weakest factor is still us, humans; most attacks start with phishing, so to prepare the people we need to train and assess them.

Policy:

Warning banners are a must; they help you collect the logs and evidence you need, and the better the policy, the faster the collection of these logs. Things like “The use of the system may be monitored and recorded” are needed and should be reviewed by legal.

During an incident, should you clean up the incident, or watch the attacker to gather more evidence? Either way, this is not the time to decide; it should already be decided and written in your policy.

Law Enforcement:

Why would you even want to call them? If the incident includes a threat to public health or safety, will impact third parties, or there is a legal requirement, and so that the attackers pay for their crimes.

Why should we not call them? You may face control issues or publicity issues; they may compel you to keep your system open to understand the attacker more and more, or seize materials and affect your workflow; sometimes they will need court orders to do specific things.

After all, they are not an enemy, and you may ask for their help; it’s no shame. This is info you need to keep in mind.

know your local guy:

Know your FBI / state / police officer by name. Try to know him better, because after all he’s your guy.

Peer Notification:

If an employee was attacked outside of the company, should he notify the company? For VPN employees, include a banner stating that they are subject to remote search.

Remain Calm:

Anyone and everyone falls under stress, but you need to have your own language with explicit meaning, so even if you’re stressed the message is still delivered. A sign that you’re in a hurry is when you can’t take notes.

if you are going too fast to take good notes, you are just going too fast!

Notes:

You must take good notes: the 5 W’s; record your actions and commands with date and time; and maybe take some photos, which are better than videos.
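The note-taking rule above, and the earlier point that events must be recorded in more than one place as corroborating evidence, can be backed by a tamper-evident notebook. The block below is an added example, not code from the course or the blog: every entry carries the 5 W's, the command run, a UTC timestamp and the SHA-256 of the previous entry, so a later edit breaks the chain, and the last hash is short enough to copy into the paper notebook as the second record. The case id, handler name and commands in `demo()` are constructed.

```python
# Added example, not from the course or the blog post: a tamper-evident incident
# notebook. Each entry holds the 5 W's plus the command run, a UTC timestamp and the
# SHA-256 of the previous entry, so an edit made after the fact is detectable and the
# last hash can be copied into the paper notebook as a second, corroborating record.
import hashlib
import json
from datetime import datetime, timezone


class IncidentNotebook:
    GENESIS = "0" * 64   # "previous hash" of the first entry

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so the hash does not depend on key order
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, who, what, where, why, command=None, when=None):
        """Append one note; 'when' defaults to now in UTC. Returns the entry hash."""
        when = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        entry = {
            "case": self.case_id,
            "seq": len(self.entries),
            "when": when, "who": who, "what": what, "where": where, "why": why,
            "command": command,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def tail(self):
        """Hash to copy into the paper notebook or any second location."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or self._digest(body) != e.get("hash"):
                return i
            prev = e["hash"]
        return None


def demo():
    """Two good entries, then a back-dated edit to the first one: verify() catches it."""
    nb = IncidentNotebook("CASE-0001")   # constructed case id
    nb.record("handler A", "pulled Apache access log", "web01", "IPS alert at 10:15Z",
              command="cp /var/log/apache2/access.log /evidence/web01-access.log")
    nb.record("handler A", "hashed evidence copy", "web01", "chain of custody",
              command="sha256sum /evidence/web01-access.log")
    intact = nb.verify()                 # None: chain is good
    nb.entries[0]["what"] = "nothing happened"
    tampered = nb.verify()               # 0: first entry no longer matches its hash
    return intact, tampered
```

Writing `tail()` into the paper notebook after each session is the cheap part; the value is that the two records can later be shown to agree.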

Management support:

Show management how they can get hurt by a hacker: write a quarterly report showing what you have done or the proactive actions you have taken, and illustrate an incident so they get it.

Team:

It must be hand selected, and follow this approach: make a core team of only fundamental members, then a larger team for anyone willing to make an effort. Make a team with a mix of backgrounds: sysadmins, network management, …

Checklist:

The team doesn’t have to know each OS and how to deal with it, so the system checklist should be a 5-20 page document explaining how to deal with that system. Don’t let the IR team get burned out.

Command post:

It helps the incident handling team and must communicate with them efficiently, with a local techie handler structuring the team.

The post needs to provide what the IR team needs: food, hardware, rooms to sleep in after a long day. Use encrypted ways of communication: encrypted cellphones, PGP, …

Emergency Comm:

All methods must be available; maybe use things like a shared voice mail: when the handler team finds something they send it, and the people who are interested get updated without interfering with the IR procedure.

accessing the system:

In emergencies the IR team may need a higher-privilege password, so the system admin has to give it, but with a set of rules: notify before logging in as admin, and only capable handlers are given admin access.

Reporting Facilities:

Employees must be rewarded when reporting a suspicious incident. Make it easy: phone calls, emails, through a site; make it all available.

War Room:

A lockable door and a lockable file cabinet; have AC.

Training:

The team must practice; when it comes to being on site you must be prepared. Knowing more than one method to do a certain task is a must, and the team must be ready at any time. An internal honeypot will be of value; maybe conduct some unannounced pen-testing to see how the team detects and responds. This war game should only be conducted with experienced teams.

the whole gang:

Help desk, system admins, network managers and you are all part of the big team. Take their opinions, because they are valuable, and if they report something, look into it.

GRR rapid response:

It pulls and stores forensic artifacts for you.

jump bag:

It must be ready to go. Never BoRrOw anything from this bag, as the thing that’s missing is the thing you’ll need the most.

storage media:

USBs, CDs and large HDDs, all you can get.

software:

Binary image-creation software, forensics software, the SANS SIFT kit; solid software is needed. An operating system image is a must; SIFT is good.

Hardware:

Hard drives, an Ethernet TAP, patch cables, a laptop with multiple operating systems and good specs (VMs of course), some SSDs.

others:

Call list, cellphone with an extra battery, anti-static bags, desiccants, notebooks and forms, pens, jumpers, screwdrivers, RJ-45 extender, tweezers, flashlight and some business cards to keep others in touch with you.

Items to support your biological systems, such as a change of clothes, deodorant, aspirin, antacid, and other items.

Identification:

How to detect an incident: either from sensors (firewall, IDS logs) or someone notices it.

Alerting:

There is no problem with reporting something that turns out to be wrong; speed is a huge factor, and if it was wrong, take it as training. Reporting wrongly is better than not reporting at all.

how many:

Unless very short on staff, you should never send only one handler; one core handler with a backup for him is the least you can send out.

information:

Make sure to have notes; they’ll be useful even after a long time. First clues and thoughts are not always right, or even close, so no need to leak them. What if there is an insider? Data should never be shared about any incident that is not closed; the team must be trusted.

communication:

If you’re using email during an incident, the attacker can easily sniff the network packets and know exactly what you’re planning; the same goes if you’re using VoIP. The best thing to do is use PGP or GnuPG to make sure your data is encrypted and no one accesses it except you. Maybe faxes can be used, or cellphones.

where can Identification happen:

It can be in any of these 4 tiers:

Network:

Monitored by firewalls, IDS and IPS; logs are generated from routers. This gives us the earliest warning.

host:

Monitor what’s going in or out of a host, using personal firewalls and port sentry systems.

host-based:

Monitor the host system itself: antivirus, file integrity checkers and endpoint security happen here.
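The file integrity checker named above is simple enough to show in full. The block below is an added example, not code from the course or the blog: it records a SHA-256 baseline of a directory tree while the host is in its known-good state, and later reports what was added, removed or modified. The files, paths and changes in `demo()` are constructed in a temporary directory; the only assumption worth stating is that the baseline file is stored somewhere the attacker cannot rewrite it.

```python
# Added example, not from the course or the blog post: a minimal host-based file
# integrity checker. It records a SHA-256 baseline of a directory tree while the
# system is in its known-good state and later reports added, removed and modified
# files. The files in demo() are constructed in a temporary directory.
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):   # stream, so large files are fine
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map of relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snapshot, path):
    # Keep this file off the monitored host (or sign it): a baseline the attacker
    # can rewrite is worthless.
    Path(path).write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(old, new):
    """Diff two snapshots; the three lists are what goes into the incident notes."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"                       # constructed stand-in for a config tree
        (root / "cron.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")

        snap = baseline(root)
        store = Path(tmp) / "baseline.json"            # would live off-host in practice
        save_baseline(snap, store)

        # Constructed changes made after the baseline was taken
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n"
                                     "svc:x:1001:1001::/home/svc:/bin/sh\n")
        (root / "cron.d" / "update").write_text("*/5 * * * * root /usr/local/bin/update\n")
        (root / "hosts").unlink()

        return compare(load_baseline(store), baseline(root))
```

Run `baseline()` on the paths that matter (system binaries, config, scheduled tasks) right after a clean build, and again during identification; the diff is one of the "is this normal for this system" answers the chapter keeps asking for.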

application:

Logs generated from the apps, like web apps and server-side apps. The incident responder must have access to these logs, and make sure they contain the data you need: users (root), inputs, …

Make sure you have access to attack identification info across all 4 levels.

ports:

See what ports are open and in use. Attackers can also use legitimate ports, so keep your eyes open: does the IP run the service that should be running on that port?

Cheat Sheets:

SANS has some cheat sheets to help you do your job, but if the attacker is extra careful they won’t help you that much. You also need to know the normal state of your system, so you know if there is a change to that state.
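The two points above (a legitimate port can be owned by the wrong process, and you have to know the normal state to notice a change) combine into one check. The block below is an added example, not code from the course or the blog: it parses constructed `ss -tlnp` output against a constructed baseline of which process should own each listening port, and reports ports that are not in the baseline, baseline ports owned by a different process, and baseline services that have stopped listening. The port numbers, process names and pids are all sample data.

```python
# Added example, not from the course or the blog post: compare the listening sockets
# on a host with a baseline of what should be listening and which process should own
# each port. The `ss -tlnp` output below is constructed sample data.
import re

# Constructed baseline of the normal state: port -> process name that should own it.
BASELINE = {22: "sshd", 80: "apache2", 443: "apache2"}

# Constructed `ss -tlnp` output from the same host during identification.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("apache2",pid=1201,fd=4))
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("nc",pid=4402,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
LISTEN 0      50     *:4444              *:*               users:(("python3",pid=5120,fd=3))
"""

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_text):
    """One dict per LISTEN line; the header and anything unparsable is skipped."""
    listeners = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append({"addr": m["addr"], "port": int(m["port"]),
                              "proc": m["proc"], "pid": int(m["pid"])})
    return listeners


def audit(ss_text, baseline):
    """Findings: ports outside the baseline, baseline ports owned by the wrong
    process, and baseline services that are no longer listening."""
    findings = []
    seen = set()
    for l in parse_listeners(ss_text):
        seen.add(l["port"])
        expected = baseline.get(l["port"])
        if expected is None:
            findings.append({"port": l["port"], "proc": l["proc"], "pid": l["pid"],
                             "kind": "unexpected_port",
                             "note": "local only" if l["addr"].startswith("127.") else "exposed"})
        elif expected != l["proc"]:
            # Legitimate port, wrong process: the case the text warns about
            findings.append({"port": l["port"], "proc": l["proc"], "pid": l["pid"],
                             "kind": "unexpected_process", "note": f"expected {expected}"})
    for port, proc in baseline.items():
        if port not in seen:
            findings.append({"port": port, "proc": proc, "pid": None,
                             "kind": "missing_service", "note": "baseline service not listening"})
    return sorted(findings, key=lambda f: f["port"])
```

On the sample data the check flags 443 (right port, wrong process), 631 (not in the baseline, but bound to localhost only) and 4444 (not in the baseline and exposed); 22 and 80 match the baseline and produce nothing. The baseline is the "normal state" the text talks about, so it has to be captured before the incident, from the system checklist, not reconstructed from memory during one.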