
Incident Response

Roberto Martínez

Owner – Consultant, ITlligent Security
Certified EC Council Instructor Latam
CEH, ECSA, ENSA, CHFI, EDRP, ECVP, PMIT, ECSP MCT, MCSE, MCAD, MCTS, MCSA, Security+

Agenda
• Security Incidents
• Cyber Threats
• Incident Response
• Digital Evidence
• How to Prevent an Incident

Incident

A computer security incident is defined as “Any real or suspected adverse event in relation to the security of computer systems or computer networks.”

Incidents include:
• Violation of an explicit or implied security policy
• Attempts to gain unauthorized access
• Unwanted denial of resources
• Unauthorized use of electronic resources

Incident Categories

High Impact Incidents

The Intrusion Process

Cyber Threats in 2010

• Cybercrime-as-a-Service (CaaS) market model.
• September 2009’s “Measuring the in-the-wild effectiveness of Antivirus against Zeus” report by Trusteer indicated that “the effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50%. It’s just 23%,” meaning that cybercriminals have clearly started excelling at the practice of bypassing signature-based malware scanners.

Incident Response

A well-defined set of procedures that address the post-incident scenario. An Incident Response Plan includes:
• Immediate action
• Investigation
• Restoration of resources
• Reporting the incident to proper channels

Incident Handling

Incident handling helps to find out trends and patterns regarding intruder activity by analyzing it. It involves three basic functions:
• Incident reporting
• Incident analysis
• Incident response

Security Incident Response Form

Digital Evidence

• Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form.”
• Digital evidence is found in files such as:
  – Graphic files
  – Audio and video recordings and files
  – Web browser history
  – Server logs
  – Word processing and spreadsheet files
  – E-mails
  – Log files

Challenging Aspects of Digital Evidence

• Digital evidence is fragile in nature.
• During the investigation of the crime scene, if the computer is turned off, the data which is not saved can be lost permanently.
• During the investigation, if a user writes some data to the .
• After the incident, digital evidence can be altered maliciously or unintentionally without leaving any clear signs of alteration.
• Digital evidence is circumstantial, which makes it difficult for the forensics investigator to differentiate the system’s activity.

Forensic Policy

• Forensic policy is a set of procedures describing the actions to be taken when an incident is observed.
• It should include all internal and external parties that may be involved.
• It defines the roles and responsibilities of all people performing or assisting the forensic activities.
• It explains what actions should and should not be performed under normal and special conditions.

Forensic Analysis Guidelines

Organizations should:
• Have a capability to perform computer and network forensics
• Determine which parties should handle each aspect of forensics
• Create and maintain guidelines and procedures for performing forensic tasks
• Perform forensics using a consistent process

How to Prevent an Incident

A key to preventing security incidents is to eliminate as many vulnerabilities as possible:
• Scanning the network
• Auditing the network
• Deploying Intrusion Detection / Prevention systems
• Establishing Defense in Depth

Normalization

• The security monitoring environment is multi-vendor
• Events from different devices and vendors have different formats
• Need to compare similar (normalized) events from multiple vendors, “apples-to-apples”

Event Correlation (diagram: Log / Alert, Firewall Logs, NIDS Logs)

Log Consolidation

• A defense in depth strategy utilizes multiple devices: Firewalls, HIPS, VPN, NIPS, AV, AAA, Application Events, OS Logs
• Need to consolidate and normalize similar events from multiple vendors
• Universal SYSLOG support

Threat Correlation – Post Incident Analysis (IV)

Post incident analysis to adjust incident severity based on context:
• Did the attack reach the destination?
• Is the victim vulnerable?
• How important is the victim system?
• Did further events indicate a possible compromise?
• Analysis can be static or dynamic
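Added example, not part of the original slides: two constructed log feeds (a firewall and a NIDS, each in a made-up vendor format) are normalized into one common event schema, and each NIDS alert is then re-rated using the context questions above (did the firewall let the traffic through, how important is the victim). Hosts, formats and the alert name are all invented sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not from the slides): a firewall in one made-up
# vendor format and a NIDS in another, reporting the same two connections.
FW_LOGS = [
    "Jun 12 10:01:02 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445",
    "Jun 12 10:01:09 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=445",
]
NIDS_LOGS = [
    "[**] [1:2000001:1] SMB exploit attempt [**] 203.0.113.7:51000 -> 192.0.2.10:445",
    "[**] [1:2000001:1] SMB exploit attempt [**] 203.0.113.7:51001 -> 192.0.2.11:445",
]

@dataclass
class Event:
    """Common schema every vendor format is normalized into."""
    source: str
    src: str
    dst: str
    dport: int
    action: Optional[str] = None     # "allow"/"deny", firewall events only
    signature: Optional[str] = None  # alert name, NIDS events only

FW_RE = re.compile(r"(ACCEPT|DROP).*SRC=(\S+) DST=(\S+) .*DPT=(\d+)")
NIDS_RE = re.compile(r"\[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] (\S+):\d+ -> (\S+):(\d+)")

def normalize_fw(line: str) -> Event:
    act, src, dst, dpt = FW_RE.search(line).groups()
    return Event("firewall", src, dst, int(dpt), action="allow" if act == "ACCEPT" else "deny")

def normalize_nids(line: str) -> Event:
    sig, src, dst, dpt = NIDS_RE.search(line).groups()
    return Event("nids", src, dst, int(dpt), signature=sig)

def correlate(alert: Event, fw_events: list, critical_hosts: set) -> str:
    """Post-incident context: did the attack reach the destination, and how
    important is the victim? The alert's severity is adjusted accordingly."""
    reached = any(e.src == alert.src and e.dst == alert.dst and e.dport == alert.dport
                  and e.action == "allow" for e in fw_events)
    if not reached:
        return "low"  # the firewall denied it: the attack never reached the target
    return "critical" if alert.dst in critical_hosts else "high"

def triage(fw_lines, nids_lines, critical_hosts):
    """Normalize both feeds, then rate each NIDS alert by its destination host."""
    fw_events = [normalize_fw(l) for l in fw_lines]
    return {a.dst: correlate(a, fw_events, critical_hosts)
            for a in (normalize_nids(l) for l in nids_lines)}
```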

Demo

Resources

Certifications
• EC Council Certified Incident Handler – http://www.eccouncil.org/certification/ec-council_certified_incident_handler.aspx
• Computer Hacking Forensic Investigator – http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx

Tools
• XPLICO – Internet Traffic Decoder, Network Forensic Analysis Tool (NFAT) – http://www.xplico.org/
• Netwitness – Threat management solutions, monitoring and real-time network forensics – http://www.netwitness.com/
• OSSIM – Open Source Security Information Management – http://www.alienvault.com/community.php?section=Home
• Concepti – http://www.concepti.com/

Web Sites
• FIRST is the global Forum for Incident Response and Security Teams – http://www.first.org/

Questions?

Thank you!

Roberto Martínez
ITlligent Security
Email: roberto.martinez@itlligent.mx
MSN: frml@live.com.mx
Skype: skp_roberto.martinez
@r0bertmart1nez