Establishing Cyber Security Incident Response Capabilities
Events and incidents
• An event is any observable occurrence in a system or network
• Examples:
§ a user connecting to a file share
§ a server receiving a request for a web page
§ a user sending email
§ a firewall blocking a connection attempt
Events and incidents cont…
• A computer security incident is a violation or imminent threat of
violation of computer security policies, acceptable use policies, or
standard security practices
• Examples:
§ An attacker obtains sensitive data and threatens that the
details will be released publicly if the organization does not
pay a designated sum of money
§ A user provides or exposes sensitive information to others
through peer-to-peer file sharing services
§ An attacker commands a botnet to send high volumes of
connection requests to a web server, causing it to crash
Importance of proper incident handling
• Cyber attacks are happening more often
• And at a larger scale
If an organization doesn’t have a proper incident handling plan:
• The number of affected resources can be large
• Total downtime can increase
• The organization’s reputation can be badly affected
• Etc…
Typical Information Security Threats Faced by Users
• Email Scams
• Phishing
• Malware
• Spyware
• Ransomware
• Dumpster Diving
• Social Engineering
Email Scams
An email scam is an unsolicited email that holds out the prospect of a
bargain or something for nothing.
Phishing
Phishing is a way of attempting to acquire information
such as usernames, passwords, and credit card details
by masquerading as a trustworthy entity in an
electronic communication.
Countermeasures
• Deploy an anti-virus solution
• Block spam
• Block risky file extensions
§ Program executables (.exe)
§ Compressed archive file package for Java classes and
data (.jar)
§ Dynamic Link Library (.dll)
§ Binary executable (.bin)
§ Etc…
• Activate your client firewall
• Manually verify the URL before entering your credentials
(e.g. https:, spelling of the domain, etc…)
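The extension block list above, as an added example that is not part of the original slides: a mail-gateway attachment check that applies the listed extensions, normalizes the file name the way Windows does before opening a file, and also looks inside zip archives, which are a common wrapper for executables. The extension set and the archive handling are assumptions about local policy.

```python
import io
import zipfile

# Extensions from the slide; extend this set to match local policy (assumed).
RISKY_EXTENSIONS = {"exe", "jar", "dll", "bin"}

def final_extension(filename: str) -> str:
    """Last extension, lower-cased, after stripping the trailing dots and
    spaces that Windows ignores when deciding how to open a file."""
    name = filename.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def is_risky_name(filename: str) -> bool:
    # "invoice.pdf.exe" is judged by its final extension, so it is risky.
    return final_extension(filename) in RISKY_EXTENSIONS

def risky_members(zip_bytes: bytes) -> list:
    """Archive members with a risky final extension.  An archive that cannot
    be read is reported as risky itself so it is quarantined, not waved through."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if is_risky_name(n)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]

def should_block(filename: str, content: bytes) -> tuple:
    """Decide whether an attachment is quarantined, and give the reason."""
    if is_risky_name(filename):
        return True, f"risky extension .{final_extension(filename)}"
    # Check by name or by magic bytes, so a renamed .zip is still inspected.
    if final_extension(filename) == "zip" or content.startswith(b"PK\x03\x04"):
        members = risky_members(content)
        if members:
            return True, "archive contains " + ", ".join(members)
    return False, "allowed"

def sample_zip() -> bytes:
    """Constructed sample archive hiding an executable behind a PDF-like name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("invoice.pdf.exe", b"MZ placeholder, not a real binary")
    return buf.getvalue()

if __name__ == "__main__":
    for name, data in [("report.docx", b"x"), ("Setup.EXE.", b"MZ"),
                       ("invoice.zip", sample_zip()), ("data.zip", b"not a zip")]:
        print(name, should_block(name, data))
```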
Malware
Malware, short for malicious software, is software designed to disrupt
computer operation, gather sensitive information, or gain unauthorized
access to computer systems. It is often a complete program, but it can
also take the form of a script or a fragment of code.
Spyware
Spyware is a type of malware (malicious software) installed on computers
that collects information about users without their knowledge. It is
often installed secretly on a user's personal computer, its presence is
typically hidden from the user, and it can be difficult to detect.
Ransomware
A type of malware which restricts access to the computer system that it
infects, and demands a ransom paid to the creator(s) of the malware in
order for the restriction to be removed.
Ransomware infection chain (diagram)
Countermeasures
• Deploy an anti-virus solution
• Install software from trusted sources
• Avoid opening unknown attachments
• Avoid clicking on unknown URLs
• Avoid inserting untrusted external media devices
• Clean up old/unnecessary files
• Take frequent backups and keep a recent backup copy off-site
• Don’t enable macros in document attachments received via e-mail
• Install the latest patches
Dumpster Diving
Searching through discarded material to gain any information:
• Storage devices
• Written data on paper
Social Engineering
The process of deceiving people into giving away
access or confidential information.

• Online
• Phone
• Face to face
• Any other means
Countermeasures
• Improve awareness among employees
• Dispose of sensitive information securely
Incident handling lifecycle
Incident handling process
Preparation

Goal:
The goal of the preparation phase is to get your team ready to handle
incidents:
§ Establishing an incident response team
§ Incident handler communications and facilities
§ Incident analysis software and hardware
Preparation cont…
• Establishing an incident response team
§ Team models
o Central incident response team
A single incident response team handles incidents throughout the
organization
o Distributed incident response team
The organization has multiple incident response teams, each
responsible for a particular logical or physical segment of the
organization
o Coordinating team
An incident response team provides advice to other teams without
having authority over them (e.g. Sri Lanka CERT|CC, FinCSIRT, formerly
Bank CSIRT)
Preparation cont…
§ Team model selection
o The need for 24/7 availability
o Full-time vs part-time team members
o Employee morale
o Cost
o Staff expertise
Preparation cont…
§ Team member selection (a multidisciplinary team is best)
o Senior management
o Information security officers
o Network/systems management
o Legal counsel
o Public affairs/Public relations
o Disaster recovery/Business continuity
Preparation cont…
§ Incident response team services
Set up training to deal with the scenarios that are realistic for your
organization. Example services:
o Intrusion detection
o Advisory distribution
o Education and awareness
o Information sharing
Preparation cont…
• Incident handler communications and facilities
§ Contact information
§ On-call information
§ Incident reporting mechanisms
§ Issue tracking system
§ Smart phones
§ Encryption software
§ War room
§ Secure storage facility
Preparation cont…
• Jump Bag
A ‘Jump Bag’ is the term used to describe the container holding all of
the tools incident responders need to appropriately respond to a
computer security incident. It is important to ensure that the jump bag
is ready to deploy at short notice and that it contains all of the
necessary tools and accessories.
Preparation cont…
• Preparing a jump bag
§ Get something to carry all of your tools
§ Tools to document your response (notebooks, audio recording
devices, digital camera, time-keeping device)
§ Have a laptop
§ Backup media (hard drive, pen drive, CD-ROM media, DVD media)
§ Wireless attack response (wireless network card, wireless auditing
software)
§ Communication resources (cell phone, charger, call list, encryption
software to support information transfer)
§ Network/technical tools (hub, ethernet network cables, hardware
write blocker, etc.)
§ Miscellaneous tools, equipment and resources
Detection and Analysis
Detection and Analysis

Goal:
The goal of this phase is to analyze the event and decide whether or
not it is an incident.
Detection and Analysis cont…

• Signs of an incident
§ Web server log entries that show the usage of a
vulnerability scanner
§ A threat from a group stating that the group will attack the
organization
§ Antivirus software alerts when it detects that a host is
infected with malware
§ A system administrator sees a filename with unusual
characters
Detection and Analysis cont…
• Incident detection and analysis would be easier if every indicator
was guaranteed to be accurate. Unfortunately, this is not the case.
Examples:
§ Anti-virus software may produce false positives
§ An IDS may produce false positives
§ Modification of a critical file could be due to human error rather
than a security incident
• Performing the initial analysis and validation is a challenging task
Detection and Analysis cont…
• Prioritizing incidents
Prioritization is a critical decision point in the incident handling
process. It should consider:
§ Functional impact of the incident
§ Information impact of the incident
§ Recoverability from the incident
Detection and Analysis cont…
• Recommendations for making incident analysis easier
and more effective
§ Profile Networks and Systems
§ Understand normal behavior
§ Create a log retention policy
§ Perform event correlation
§ Keep all hosts’ clocks synchronized
§ Maintain and use a knowledge base of information
§ Run packet sniffers to collect additional data
§ Filter the data
§ Seek assistance from others (e.g. national CERTs, CSIRTs)
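The web server log sign of an incident and the event correlation recommendation above, as an added example that is not from the original slides: a correlation pass over constructed combined-format log lines that groups requests by source address and flags scanner-like behaviour (a scanner User-Agent string, or a burst of mostly-404 requests). The User-Agent list and the thresholds are assumptions to be tuned against your own profiled baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format; the window test relies on synchronized clocks.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = ("nikto", "sqlmap", "nmap", "zgrab")  # assumed list, extend locally

def parse(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def correlate(lines, window_s=60, min_requests=5, max_404_ratio=0.6):
    """Return {ip: reasons} for sources whose behaviour resembles a scanner."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        reasons = []
        if any(s in r["ua"].lower() for r in recs for s in SCANNER_UA):
            reasons.append("scanner user-agent")
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        ratio = sum(r["status"] == 404 for r in recs) / len(recs)
        if len(recs) >= min_requests and span <= window_s and ratio >= max_404_ratio:
            reasons.append(f"{len(recs)} requests, {ratio:.0%} 404s within {span:.0f}s")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample lines: one probing source, one ordinary visitor.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old/ HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /test.php HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /about.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
```

Flags are leads for the validation step, not verdicts: a crawler following stale links produces the same 404 pattern, which is exactly the false-positive problem the slides describe.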
Containment, Eradication and Recovery
Containment

Goal:
The goal of the containment phase is to prevent the
attacker from getting any deeper into the impacted
system or spreading to other systems.
Containment cont…
• Deciding a containment strategy
Containment strategies differ based on the type of incident. For
example, the strategy for containing an email-borne malware infection is
quite different from that for a network-based DDoS attack. Organizations
should create separate containment strategies for each major incident
type.
Containment cont…
• Criteria for determining the appropriate strategy include:
§ Potential damage to and theft of resources
§ Need for evidence preservation
§ Service availability (e.g., network connectivity, services
provided to external parties)
§ Time and resources needed to implement the strategy
§ Effectiveness of the strategy (e.g., partial containment, full
containment)
§ Duration of the solution (e.g., emergency workaround to
be removed in four hours, temporary workaround to be
removed in two weeks, permanent solution)
Eradication

Goal:
The goal of the eradication phase is to get rid of the attacker’s
artifacts on the system.

During eradication, it is important to identify all affected hosts
within the organization so that they can be remediated.
Recovery
Goal:
The goal of the recovery phase is to return the impacted systems to
production in a safe manner.

It may include:
§ Restoring systems from clean backups
§ Rebuilding systems from scratch
§ Replacing infected files with clean versions
§ Installing patches
§ Changing passwords
§ Strengthening network perimeter security
Post-incident activity
Post-incident activity

• Lessons learned
Goal:
The goal of the lessons learned phase is to
document what happened and improve the
incident handling capabilities.
Post-incident activity cont…

• Lessons learned
§ One of the most important yet most often omitted parts of incident
response is learning and improving
§ This includes holding a “lessons learned” meeting with all involved
parties after an incident
§ Such a meeting can be extremely helpful in improving security
measures and the incident handling process
Post-incident activity cont…
• The meeting should be held within several days of the end of the
incident. Questions to be answered in the meeting include:
§ Exactly what happened, and at what times?
§ How well did staff and management perform in dealing
with the incident? Were the documented procedures
followed? Were they adequate?
§ What information was needed sooner?
§ Were any steps or actions taken that might have inhibited
the recovery?
Post-incident activity cont…
§ What would the staff and management do differently the
next time a similar incident occurs?
§ How could information sharing with other organizations
have been improved?
§ What corrective actions can prevent similar incidents in the
future?
§ What precursors or indicators should be watched for in the
future to detect similar incidents?
§ What additional tools or resources are needed to detect,
analyze, and mitigate future incidents?
Recommendations
§ Acquire tools and resources that may be of value during
incident handling
§ Prevent incidents from occurring by ensuring that
networks, systems, and applications are sufficiently secure
§ Identify precursors and indicators through alerts generated
by several types of security software
§ Establish mechanisms for outside parties to report
incidents
§ Require a baseline level of logging and auditing on all
systems, and a higher baseline level on all critical systems
§ Profile networks and systems
§ Understand the normal behaviors of networks, systems,
and applications
Recommendations cont…
§ Create a log retention policy
§ Perform event correlation
§ Keep all host clocks synchronized
§ Maintain and use a knowledge base of information
§ Start recording all information as soon as the team
suspects that an incident has occurred
§ Safeguard incident data
§ Prioritize handling of the incidents based on the relevant
factors
§ Include provisions regarding incident reporting in the
organization’s incident response policy
§ Establish strategies and procedures for containing incidents
§ Follow established procedures for evidence gathering and
handling
Recommendations cont…
§ Capture volatile data from systems as evidence
§ Obtain system snapshots through full forensic disk images,
not file system backups
§ Hold lessons learned meetings after major incidents
Thank You!