Module VI – Incident Handling
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Tech Insight: Finding Common
Ground For Security, IT Teams
Source: http://darkreading.com/
Tips for security and IT teams to better cooperate on hot-button issues of password
policies, patch management, and network security
Dec 19, 2008 | 03:48 PM
By John Sawyer
Disagreements are a common occurrence between IT security and other IT groups, but nothing brings
out their differences of opinion and practice like incident response or an emergency patch, such as
Microsoft's fix this week for Internet Explorer.
A security team can butt heads with other IT groups for many reasons -- anything from personality
conflicts and management styles to fundamental differences in opinion about how IT systems should be
managed. A few key problem areas that come up regularly in organizations of all sizes are password
policies, patch management, and network security with firewalls and VPNs.
Passwords are the weakest link as well as the biggest lightning rod: Users don't want complex, hard-to-remember
passwords. Security wants passwords that are uncrackable. And systems admins don't want
to be caught in the middle implementing a policy that results in users constantly complaining or
needing regular password resets. The process of developing secure password policies almost always
ends with none of the involved parties happy with the outcome.
Getting all groups on the same page about passwords usually requires a compromise all around, but
several things can ease the pain of implementation. Educating users on the importance of passwords,
along with tips and tricks on creating a secure password, is by far the cheapest method. Self-service
portals for password resets, too, can help reduce the load on the help desk and sys admins after new
password policies are put into effect.
Scenario
Orient Recruitment Inc. is an online human resource recruitment
firm. The web server of the firm is critical for its normal business
operations.
Neo, the network administrator, observed some unusual activity
targeted towards the web server. The web server was overloaded
with connection requests from a huge number of different sources.
Before he could realize the extent of the attack, the website of
Orient Recruitment Inc. was already down due to a Denial of Service
attack.
The company’s management called up the local Incident Response
team to look into the matter and solve the DoS issue.
What steps will the incident response team take to investigate the
attack?
Module Objective
This module will familiarize you with:
• What is an Incident?
• Security Incidents
• Incident Reporting
• Incident Response
• Incident Handling
• What is CSIRT?
• Who Works in a CSIRT?
• Types of Incidents and Level of Support
• How CSIRT Handles Case: Steps
• World CERTs
Module Flow
What is an Incident?
Security Incidents
Incident Reporting
Incident Response
Incident Handling
What is CSIRT?
Who Works in a CSIRT?
Types of Incidents and Level of Support
How CSIRT Handles Case: Steps
World CERTs
What is an Incident?
A computer security incident is defined as “any real or suspected adverse event in
relation to the security of computer systems or computer networks”
It also includes external threats such as gaining access to systems, disrupting their
services through malicious spamming, and execution of malicious code that
destroys or corrupts systems
Security Incidents
A security incident includes:
• Evidence of tampering with data
• Denial of service attack on the agency
• Web site defacement
• Unauthorized access or continuous attempts at unauthorized
access (from either internal or external sources)
• Social engineering incidents
• Virus attacks that badly affect servers or multiple workstations
• Other incidents that could undermine the confidence and trust in
the state’s information technology systems
Category of Incidents
There are three categories of incidents:
Low level
Mid level
High level
Category of Incidents: Low Level
Low level incidents are the least severe kind of incidents
They can be identified when there is:
• Loss of personal password
• Suspected sharing of the organization’s accounts
• Unsuccessful scans and probes
• Presence of any computer virus or worms
They should be handled within one working day after the event occurs
Category of Incidents: Mid Level
They can be identified by observing:
• Violation of special access to a computer or computing facility
• Unfriendly employee termination
• Unauthorized storing and processing of data
• Destruction of property related to a computer incident (less than
$100,000)
• Personal theft of data related to a computer incident ($100,000)
• Computer virus or worms of comparatively larger intensity
• Illegal access to buildings
The incidents at this level are comparatively more serious and thus should be
handled the same day the event occurs
Category of Incidents: High Level
These are the most serious incidents and are considered as “Major” in nature
These include:
• Denial of Service attacks
• Suspected computer break-in
• Computer virus or worms of highest intensity; e.g., Trojan, back door
• Changes to system hardware, firmware, or software without
authentication
• Destruction of property exceeding $100,000
• Personal theft exceeding $100,000 and illegal electronic fund
transfer or download/sale
• Any kind of pornography, gambling, or violation of any law
High level incidents should be handled immediately after the incident occurs
Issues in Present Security Scenario
Increase in the number of companies venturing into e-business coupled
with high Internet usage
Decrease in vendor product development cycle and product testing cycle
Increase in complexity of the Internet as a network
Alarming increase in intruder activities and tools, expertise of attackers,
and sophistication of hacks
Lack of thoroughly trained professionals as compared to the number and
intensity of the security breaches
How to Identify an Incident
A system alarm from an intrusion detection tool indicating security breach
Suspicious entries in network
Accounting gaps of several minutes with no accounting log
Other events such as unsuccessful login attempts, unexplained new users or files,
attempts to write system files, and modification or deletion of data
Unusual usage patterns, such as programs being compiled in the account of users
who are non-programmers
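The indicators on this slide can be checked mechanically. The scanner below is an added example, not part of the EC-Council module: it runs over a constructed syslog-style sample and flags repeated failed logins, an accounting gap of several minutes, an unexplained new user, a write to a system file, and a compiler run by a non-programmer account. The thresholds and the non-programmer account list are assumptions.

```python
"""Added example (not from the module): a scanner that flags the indicators
the slide lists in constructed syslog-style lines."""
import re
from collections import Counter

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
Mar 03 08:01:12 web01 sshd[411]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 03 08:01:15 web01 sshd[411]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar 03 08:01:19 web01 sshd[411]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 03 08:01:22 web01 sshd[411]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar 03 08:01:26 web01 sshd[411]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar 03 08:05:40 web01 useradd[520]: new user: name=svc_tmp, UID=1007, GID=1007, home=/home/svc_tmp
Mar 03 08:06:02 web01 audit[531]: user=jsmith op=write path=/etc/passwd
Mar 03 08:07:10 web01 audit[540]: user=hr_clerk exec=/usr/bin/gcc args=-o /tmp/a /tmp/a.c
Mar 03 08:09:00 web01 audit[550]: user=devops exec=/usr/bin/gcc args=-o build/app src/app.c
"""

# Tunables (assumed values): how many failures count as "unsuccessful login
# attempts", how long a silence counts as an "accounting gap", and which
# accounts belong to non-programmers.
FAILED_LOGIN_THRESHOLD = 5
GAP_SECONDS = 3 * 60
NON_PROGRAMMER_ACCOUNTS = {"hr_clerk", "reception", "finance"}
SYSTEM_PATHS = ("/etc/", "/bin/", "/sbin/", "/usr/bin/", "/boot/")
COMPILERS = {"gcc", "cc", "g++", "clang", "make"}

TIME_RE = re.compile(r"^\w{3} \d{2} (\d{2}):(\d{2}):(\d{2})")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
NEWUSER_RE = re.compile(r"new user: name=([^,\s]+)")
WRITE_RE = re.compile(r"user=(\S+) op=write path=(\S+)")
EXEC_RE = re.compile(r"user=(\S+) exec=(\S+)")


def scan_log(text):
    """Return (indicator, detail) tuples for every suspicious event found."""
    findings = []
    failed = Counter()
    prev_secs, prev_stamp = None, None
    for line in text.splitlines():
        # Accounting gap: consecutive lines further apart than GAP_SECONDS.
        m = TIME_RE.match(line)
        if m:
            h, mi, s = (int(x) for x in m.groups())
            secs = h * 3600 + mi * 60 + s
            if prev_secs is not None and secs - prev_secs > GAP_SECONDS:
                findings.append(("logging_gap", f"{prev_stamp} -> {line[7:15]}"))
            prev_secs, prev_stamp = secs, line[7:15]
        # Failed logins are counted per (user, source) and judged at the end.
        m = FAILED_RE.search(line)
        if m:
            failed[(m.group(1), m.group(2))] += 1
            continue
        m = NEWUSER_RE.search(line)
        if m:
            findings.append(("unexplained_new_user", m.group(1)))
            continue
        m = WRITE_RE.search(line)
        if m and m.group(2).startswith(SYSTEM_PATHS):
            findings.append(("system_file_write", f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = EXEC_RE.search(line)
        if (m and m.group(2).rsplit("/", 1)[-1] in COMPILERS
                and m.group(1) in NON_PROGRAMMER_ACCOUNTS):
            findings.append(("compile_by_non_programmer", m.group(1)))
    for (user, src), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_logins", f"{user} from {src} x{n}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in scan_log(SAMPLE_LOG):
        print(f"{indicator:28s} {detail}")
```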
How to Prevent an Incident
A key to preventing security incidents is to eliminate as many vulnerabilities as
possible
Intrusions can be prevented by:
• Scanning the network/system for security loopholes
• Auditing the network/system
• Deploying intrusion detection/prevention systems on the
network/system
• Establishing defense-in-depth
• Securing clients for remote users
Defining the Relationship between Incident
Response, Incident Handling, and Incident
Management
The diagram below illustrates the relationship between Incident Response, Incident
Handling, and Incident Management
Incident Management
Incident Management
Incident management is not just responding to an incident when it
happens but includes proactive activities that help to prevent incidents
by providing guidance against the potential risks and threats
Includes the development of a plan of action, a set of processes that are
consistent, repeatable, of high quality, measurable, and understood
within the constituency
Who performs Incident Management?
• Human resource personnel
• Legal counsel
• The firewall manager
• An outsourced service provider
Incident Management (cont’d)
Figure : Five High-Level Incident Management Processes
Threat Analysis and Assessment
Threat analysis is the systematic detection, identification, and evaluation of vulnerabilities of a
facility, operation, or system
Threat analysis is a process of scrutinizing the conditions and processes that bear on
business interruption
The critical tasks of threat analysis and assessment
include:
• Examining the physical security processes
• Creating the risk management program
• Identifying and examining the threats related to customers
• Providing the data, trends, methodologies, and possibility of risk actions
• Identifying and defining the security process flows
Vulnerability Analysis
Vulnerability analysis or vulnerability assessment is a process of identifying,
defining, and classifying the security breaches in a computer, network, and
communications infrastructure
Steps in vulnerability analysis:
• Defining and classifying network or system resources
• Assigning relative levels of importance to the resources
• Identifying potential threats to each resource
• Developing a strategy to deal with the most serious potential
problems
• Defining and implementing ways to minimize the consequences
if an attack occurs
Estimating Cost of an Incident
Tangible cost:
• Lost productivity hours
• Investigation and recovery efforts
• Loss of business
• Loss or theft of resources
Intangible cost:
• Corporate reputation being ruined
• Loss of goodwill
• Psychological damage
• Those directly impacted may feel victimized
• May impact morale or initiate fear
• Legal liability
• Effect on the shareholders’ value
Change Control
Change control involves all procedures that handle or control the
authorized changes to the organization’s assets such as software and
hardware
It involves the mechanism of change request, result recording,
documenting, testing the results after the changes, and gaining
approval for the requests
It involves analyzing the problem, updating the results, and sending a
request of change to the concerned personnel or representative
This is reviewed by the management which authorizes the required
changes
Incident Reporting
Incident Reporting
When a user encounters any breach, report
the following:
• Intensity of the security breach
• Circumstances that revealed the vulnerability
• Shortcomings in the design and impact or level of weakness
• Entry logs related to the intruder’s activity
• Correct time zone of the region and synchronization information of
the system with a national time server via NTP (Network Time
Protocol)
Computer Incident Reporting
Whom to Report an Incident
Incident reporting is the process of reporting the information
regarding the encountered security breach in a proper format
The incident should be reported to the CERT Coordination center,
site security manager, or other sites
It can also be reported to law enforcement agencies such as the
FBI, the USSS Electronic Crimes Branch, or Department of Defense
Contractors
It should be reported to receive technical assistance and raise security
awareness to minimize the losses
Report a Privacy or Security
Violation
Gather the following information at the time of
a security violation:
• Date, time, and location of the incident
• The nature of the violation
• Type of the private data involved
• Other persons involved
• Any immediate harm known or observed
• Immediate corrective actions already taken
Preliminary Information Security
Incident Reporting Form
PRELIMINARY INFORMATION SECURITY INCIDENT REPORTING FORM
Background Information
Name of Bureau/Department :
Brief description on the affected system (e.g. function, URLs):
Physical location of the affected system:
Within B/D / Third-party service provider facility
System administration/operation by:
In-house IT team / End user / Outsourced service provider
Reporting Entity Information
Name: Designation:
Office Contact: 24 hours Contact:
Email Address: Fax Number:
Incident Details
Date/Time (Detected): Date/Time (Reported to OGCIO):
Symptoms of Incidents:
Impacts:
Defacement of web site
Service interruption (denial of service attack / mail bomb / system failure)
Massive malicious code attack
Lost/damage/unauthorized alteration of information
Compromise/leakage of sensitive information
Intrusion/unauthorized access
Others, please specify: _______________________________
Please provide details on the impact and service interruption period, if any:
Actions Taken:
Current System Status:
Other Information:
Why Don’t Organizations
Report Computer Crimes?
Misunderstanding of the scope of the problem
• This does not happen to other organizations
Fear of negative publicity
• Proactive reporting and handling of the incident will allow many organizations
to put their spin on the media reports
Potential loss of customers
Desire to handle things internally
Lack of awareness of the attack
Incident Response
Responding to a Security
Incident
Computer incident response is based on documented and untampered
evidence
Guidelines to be followed for a methodical response handling stage and
investigation are as follows:
• Identify the affected resources
• Analyze the incident
• Assign event identity and severity level
• Assign incident task force members
• Contain threats from further affecting the systems
• Collect evidence
• Perform forensic analysis
Incident Response Procedure
The guidelines to be followed in the response handling stage are:
Identify the Affected Resources
• The IIC and IL work with the system personnel to determine the area and scope that the
incident covers
Analyze the Incident
• An assessment is made by the IIC together with the IL and system personnel to
determine the security level
Assign Event Identity and Severity Level
• Incidents require a unique identifier that is collision free to allow tracking and
archiving of incidents for historical reference
• The identity of the incident is assigned by the IIC, followed by the name assignment
and severity level assigned to the incident
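The identity-and-severity step above, together with the Low / Mid / High categories and their handling deadlines from the earlier slides and the time-zone requirement of the reporting slide, can be carried out by a small tracking routine. The code below is an added example, not the module's or any CSIRT's own tooling: the `INC-` identifier format, the indicator shorthand, and the end-of-day deadline convention are assumptions.

```python
"""Added example (not the module's own code): records an incident with a
collision-free identifier, a severity taken from the module's Low / Mid /
High categories, and the handling deadline that category requires."""
import uuid
from datetime import datetime, timedelta, timezone

# Indicator -> category, following the three "Category of Incidents" slides.
# The indicator names are this example's own shorthand.
CATEGORY_OF = {
    "lost_password": "low",
    "account_sharing": "low",
    "unsuccessful_scan": "low",
    "virus_present": "low",
    "special_access_violation": "mid",
    "unfriendly_termination": "mid",
    "unauthorized_data_storage": "mid",
    "property_damage_under_100k": "mid",
    "virus_larger_intensity": "mid",
    "illegal_building_access": "mid",
    "denial_of_service": "high",
    "suspected_break_in": "high",
    "trojan_or_backdoor": "high",
    "unauthorized_system_change": "high",
    "property_damage_over_100k": "high",
    "theft_over_100k": "high",
    "illegal_content": "high",
}
RANK = {"low": 1, "mid": 2, "high": 3}
END_OF_DAY = dict(hour=23, minute=59, second=59, microsecond=0)


def parse_report_time(text):
    """Parse an ISO-8601 timestamp; the reporting slide asks for the time
    zone, so a timestamp without a UTC offset is rejected."""
    when = datetime.fromisoformat(text)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset, e.g. 2008-12-19T15:48:00-05:00")
    return when


def handling_deadline(category, detected_at):
    """Low: within one working day; mid: the same day; high: immediately."""
    if category == "high":
        return detected_at
    if category == "mid":
        return detected_at.replace(**END_OF_DAY)
    day = detected_at + timedelta(days=1)
    while day.weekday() >= 5:          # skip Saturday (5) and Sunday (6)
        day += timedelta(days=1)
    return day.replace(**END_OF_DAY)


def new_incident_id(detected_at, registry):
    """Date prefix for humans plus a random suffix; checked against the
    registry so a (vanishingly unlikely) duplicate is caught, not reused."""
    for _ in range(5):
        candidate = f"INC-{detected_at:%Y%m%d}-{uuid.uuid4().hex[:12].upper()}"
        if candidate not in registry:
            return candidate
    raise RuntimeError("could not allocate a unique incident id")


def open_incident(indicators, detected_at, registry):
    """Create the tracking record; the most severe indicator sets the level."""
    categories = [CATEGORY_OF[i] for i in indicators]
    severity = max(categories, key=RANK.__getitem__)
    incident_id = new_incident_id(detected_at, registry)
    record = {
        "id": incident_id,
        "severity": severity,
        "indicators": list(indicators),
        "detected_at": detected_at.isoformat(),
        "detected_utc": detected_at.astimezone(timezone.utc).isoformat(),
        "deadline": handling_deadline(severity, detected_at).isoformat(),
    }
    registry[incident_id] = record
    return record


if __name__ == "__main__":
    reg = {}
    t = parse_report_time("2008-12-19T15:48:00-05:00")   # constructed; a Friday
    for ind in (["unsuccessful_scan", "denial_of_service"], ["lost_password"]):
        print(open_incident(ind, t, reg))
```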
Incident Response Procedure
(cont’d)
Assign Incident Task Force Members
• IIC in combination with the IL coordinates a task force to resolve the
incident
• The task force consists of technical managers of resources, division
managers, etc.
Containing Threats
• Threats are to be contained by removing the suspect resources from
normal operations
• IIC and IL are responsible for determining risks
Evidence Collection
• The information related to the incident is taken as evidence
• Information can be collected from interviews with administrators, log
files, and exploit code left by the attacker
Incident Response Procedure
(cont’d)
Forensic Analysis
• Forensic analysis and discovery of an incident should include:
• The perpetrators and victims of the events
• The events that took place
• When the events occurred
• Where the events occurred and what they infected
• How the events occurred
Security Incident Response
(Detailed Form)
Contact Information and Incident
Last Name:______________________ First Name: ________________________
Job Title: ____________________________________________________
Phone: __________________________ Alt Phone: _________________________
Mobile: __________________________ Pager: _____________________________
Email: ____________________________ Fax: _______________________________
Security Incident Response
(Detailed Form) (cont’d)
Incident Description
Date/Time and Recovery Information
Date/Time of First Attack: Date: ____________ Time: _______________
Date/Time of Attack Detected: Date: ____________ Time: _______________
Has the Attack Ended: Yes No
Duration of Attack (in hours):
Severity of Attack: Low Medium High
Estimated Recovery Time of this Report (Clock) _________________________
Estimated Recovery Time of this Report (Staff Hours) _________________________
Estimated Damage Account as of this Report ($$$ Loss) _________________________
Number of Hosts Affected: _________________________
Number of Users Affected: _________________________
Security Incident Response
(Detailed Form) (cont’d)
Type of Incident Detected:
• Exposing Confidential/Classified/Unclassified Data
• Theft of Information Technology Resources/Other Assets
• Creating accounts
• Altering DNS/Website/Data/Logs
• Destroying Data
• Anonymous FTP abuse
• Attacking Attackers/Other Sites
• Credit Card Fraud
• Fraud
• Unauthorized Use/Access
• Using Machine Illegally
• Impersonation
• Increasing Notoriety of Attacker
• Installing a Back Door/Trojan Horse
• Attacking the Internet
• ICQ Abuse/IRC Abuse
• Life Threatening Activity
• Password Cracking
• Sniffer
• Don’t Know
Other (Specify) _________________________________________________________
SB1386 – Is Email Notification Required? Yes No
SB1386 - Email Notification Sent Out? Yes No
Comments (Specify Incident Details and additional information):
_________________________________________________________________________
Security Incident Response
(Detailed Form) (cont’d)
General Information
How Did You Initially Become Aware of the Incident?
Automated Software Notification
Automated Review of Log Files
Manual Review of Log Files
System Anomaly (i.e., Crashes, Slowness)
Third Party Notification
Don’t Know
Other (Specify)
Attack Technique (Vulnerability Exploited / Exploit Used)
CVE/CERT VU or BugTraq Number
Virus, Trojan Horse, Worm, or Other Malicious Code
Denial of Service or Distributed Denial of Service Attack
Unauthorized Access to Affected Computer
Privileged Compromise (Root/Admin Access)
User Account Compromise
Web Compromise (Defacement)
Scanning/Probing
Other
Suspected perpetrator(s) or possible motivation(s) of attack:
CSU staff/students/ faculty
Former staff/ students/faculty
External Party
Unknown
Other (Specify)
Security Incident Response
(Detailed Form) (cont’d)
Malicious Code
Virus, Worm
Name or Description of Virus
_________________________________________
Is Anti-Virus Software Installed on the Affected Computer(s)? Yes (Name) No
Did the Anti-Virus Software Detect the Virus? Yes No
When was your Anti-Virus Software Last Updated? _________________________
Network Activity
Protocols
TCP UDP ICMP IPSec IP Multicast IPv6 Other
Please Identify Source Ports Involved in the Attack: _______________________
Please Identify Destination Ports Involved in the Attack: _______________________
Security Incident Response
(Detailed Form) (cont’d)
Impact of Attack
Hosts
Individual Hosts
Does this Host represent an Attacking or Victim Host? Victim Attacker Both
Host Name: IP Address:
Operating System Affected: Patch Level (if known):
Applications Affected: Database:
Others:
Primary Purpose of this Host:
User Desktop Machine User Laptop Machine Web Server
Mail Server FTP Server Domain Controller
Domain Name Server Time Server NFS/File System Server
Database Server Application Server Other Infrastructure Services
Bulk Hosts
Bulk Host Information (Details): ________________________________________
Comments (Please detail incident): ______________________________________
Security Incident Response
(Detailed Form) (cont’d)
Data Compromised:
Did the attack result in a loss/compromise of sensitive or personal information? Yes No Other
Comments: ________________________________________________________________________
Did the attack result in damage to system(s) or data? Yes (Specify) No Other
Comments: ________________________________________________________________________
Law Enforcement:
Has Law Enforcement Been Notified? Yes No
Remediation:
Please detail what corrective actions have been taken (specify):
Comments: ________________________________________________________________________
Did Your Detection and Response Process and Procedures Work as Intended?
Comments: ________________________________________________________________________
Please provide Discovery Methods and Monitoring Procedures that would have Improved Your Ability to Detect an Intrusion.
Comments: ________________________________________________________________________
Are there Improvements to Procedures and Tools that would have Aided You in the Response Process?
Comments: ________________________________________________________________________
Are there Improvements that would have Enhanced Your Ability to Contain an Intrusion?
Comments: ________________________________________________________________________
Are there Correction Procedures that would have Improved Your Effectiveness in Recovering Your Systems?
Comments: ________________________________________________________________________
Incident Response Policy
Clearly outline management's support for the policy
Decide an organizational approach
Determine outside notification procedures
Address remote connections and encompass all remote employees or contractors
Define partner agreements
Identify the members of the incident team and describe their roles, responsibilities, and functions
Develop an internal communications plan that identifies who you will notify and how you will contact them
Define a method for reporting and historically archiving the incident
Incident Response Guidelines
Check whether the potential incident is verified
Contact department/agency security staff
• I.T. Manager -
• [designee/others by department procedure] -
Contact CSIRT’s member
• Call GOVnet Beeper
• GOVnet will then contact CSIRT members (csirt@.state.vt.us)
• If there is no response within ten minutes, call the office of the CIO
Isolate system(s) from GOVnet [unless CSIRT’s decision is to leave the
system connected to monitor active attacker]
Incident Response Guidelines
(cont’d)
Maintain a log book - who/ what / when / where
Find out whether the incident was caused by virus,
worm, or attacker
Estimate the extent of the problem and the number
of systems affected
Incident Response Guidelines
(cont’d)
Contact local police authority with jurisdiction at the location of the incident (This
MUST BE coordinated with CSIRT)
Follow server/operating system specific procedures to snapshot the system
Inoculate/restore the system
Close the vulnerability and ensure that all patches have been installed
Return to normal operations
Prepare report and conduct follow-up analysis
Revise prevention and screening procedures
Remember to log all actions
Response Handling Roles
The incident reported to a security team is set for investigation
A full time member of the security team acts as Incident Investigator and
Coordinator (IIC)
A member of the incident response team acts as Incident Liaison (IL)
IIC assigns the security level to the incident and performs investigative duties
and technical analysis
IIC duties require unrestricted access to resources directly affected by the
incident
IL acts as coordinator and liaison to the resources needed by the IIC
Roles and Responsibilities of
SSM, ISSM, and ISSO
Senior System Manager (SSM):
• Maintains user accounts, passwords, keys, etc.
• One of the major responsibilities of the senior management is to secure the
organization’s computer systems
• The responsibility for the success of the organization lies with the senior managers
Information System Security Manager (ISSM):
• Checks the level of security to manage the risks
• Establishes the risk management process
• Ensures information resources meet audit requirements and that employees at all
levels participate in implementing policies and procedures
• Prepares the disaster recovery plan for information resources and maintains it
Information System Security Officer (ISSO):
• Identifies threats and vulnerabilities
• Identifies restricted, sensitive, and unrestricted information resources
• Develops and maintains risk management processes, disaster recovery/contingency
planning for information, and updated security procedures
Contingency/Continuity of
Operations Planning
A contingency plan provides backups of documents so that the organization can recover from a disaster
It is necessary for a company or business to function normally
Guidelines for contingency planning are as follows:
Starting Point
• Focuses on the development and maintenance of the plan
Impact assessment
• Problems are analyzed
• Checks what sort of problems/disasters can occur
• Checks the likelihood of occurrence of the problem
• Checks the severity of the problem
Developing the plan
• The developing phase is designed to structure or develop the contingency plan
• It acts on the threats and regulates the business process by setting an order or
priority of working
Contingency/Continuity of
Operations Planning (cont’d)
Testing the plan
• In this phase, the developed plan is tested
• Determines whether the plan can actually work in a real-time
disaster environment
• Testing results are documented for future reference
Personnel training
• Personnel need to undergo training to get familiar with the plan,
which helps them to perform their tasks and responsibilities
effectively
Maintaining the plan
• Maintaining the plan involves updating
• As processes are added or deleted by the organization, the plans
should be updated regularly
Contingency/Continuity of
Operations Planning (cont’d)
Components of the contingency planning:
• Supporting Information (past incident analysis reports, vulnerability analysis
reports, etc.)
• Notification/activation (supplies notification procedures and offers
activation of the plan)
• Recovery (recovers the data with the help of backups)
• Reconstitution (restores the original information after the disaster)
• Plan Appendices (provides records of further analysis)
Contingency/Continuity of
Operations Planning (cont’d)
Continuity of operations provides an alternative site to the organization for a
period of one month so as to recover from the disaster and perform normal
organizational operations
Budget/Resource Allocation
Budget and resource constraints are major
roadblocks in an incident handling and response
planning process
Budget and resources are generally allocated
according to previous experiences and perceived risk
to the organization’s resources
There is no standard rule or practice for budget
allocation, as the return on investment for incident
handling in information systems cannot be measured
Documentation of previous incidents and losses
to the organization may help decision makers to
estimate the potential cost savings
Incident Handling
Handling Incidents
Incident handling helps to find out trends and patterns related to the intruder’s
activity by analyzing it
It involves three basic functions:
• Incident reporting
• Incident analysis
• Incident response
It provides recommendations on recovery, containment, and prevention to
network administrators and constituents
It allows incident reports to be gathered in one location so that the exact trends
and patterns can be recognized and the recommended strategies employed
It helps the staff concerned to understand the process of responding and to
tackle unexpected threats and security breaches
Procedure for Handling Incident
The incident handling process is divided into six stages:
Preparation
Identification
Containment
Eradication
Recovery
Follow-up
1. Preparation
Preparation enables easy coordination among staff
Provides baseline protection
Uses virus detection and eradication tools
Company staff is given training at this stage
2. Identification
Identification involves validating, identifying, and reporting the incident
Determining the symptoms given in 'how to identify an incident'
Identifying the nature of the incident
Identifying events
Protecting evidence
Reporting events
3. Containment
Containment limits the extent and intensity of an incident
Avoid logging in as root on the compromised system, since a trojaned login path
may capture the credentials
Avoid conventional trace-back methods, which may alert the attacker
Take complete backups of the affected systems before changing them
Change the passwords on all unaffected systems in the LAN, since the attacker may
have captured credentials that also work there
4. Eradication
Look into additional information, along with the information gathered in the
third (Containment) phase, to find the cause of the incident
Use standard anti-virus tools to remove viruses and worms from the storage
media
Improve security measures by enabling firewalls and router filters, or by
assigning a new IP address
Analyze the vulnerability that was exploited
5. Recovery
Determine the course of action
Monitor and validate systems
Determine the integrity of the backup itself by attempting to read its data
before restoring from it
Verify the success of the operation and the normal condition of the system
Monitor the system with network loggers and system log files, and watch for
remaining back doors
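The backup integrity check called for under Recovery (and the evidence protection called for under Identification), as an added Python example that is not part of the EC-Council slides: a SHA-256 manifest of the backup tree is taken when the image is made, and the backup is later verified by reading every file back, so a missing, unreadable, altered or planted file is reported before anything is restored from it. The directory layout, file names and contents are constructed for the example; a real run would point build_manifest and verify_backup at the actual backup location.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for large backup images


def sha256_file(path: Path) -> str:
    """Hash a file by reading every byte of it. An unreadable or truncated
    backup fails here, which is the 'attempt to read its data' check from
    the Recovery stage."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict[str, dict]:
    """Record size and SHA-256 of every regular file, keyed by relative path.
    Taken at backup time, before the system is touched again."""
    manifest: dict[str, dict] = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_backup(backup_dir: Path, manifest: dict[str, dict]) -> list[str]:
    """Compare the backup on disk with its manifest. Returns sorted findings;
    an empty list means every file is present, readable and unchanged."""
    findings: list[str] = []
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            findings.append(f"MISSING {rel}")
            continue
        try:
            actual = sha256_file(p)
        except OSError as exc:
            findings.append(f"UNREADABLE {rel}: {exc.strerror}")
            continue
        if actual != expected["sha256"] or p.stat().st_size != expected["size"]:
            findings.append(f"MODIFIED {rel}")
    # Files absent from the manifest were added after it was taken: either
    # the wrong backup set or something an intruder planted.
    for p in backup_dir.rglob("*"):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            if rel not in manifest:
                findings.append(f"UNEXPECTED {rel}")
    return sorted(findings)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a small backup tree is imaged and verified, then
    one file is altered, one removed and one planted before re-verifying."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        (root / "auth.log").write_text("sshd: Accepted password for root\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "shadow").unlink()
        (root / "rootkit.ko").write_bytes(b"\x7fELF")
        tampered = verify_backup(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup:   ", clean or "OK")
    print("tampered backup:", tampered)
```

The manifest should be stored away from the backup it describes (and ideally signed), since an attacker who can alter the backup can otherwise alter the manifest to match.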
6. Follow-up
Determine the staff time required and perform the following cost analysis:
• Extent to which the incidents disrupted the organization
• Data lost and its value
• Damaged hardware and its cost
Revise policies and procedures from the lessons learned from the past
6. Follow-up (cont’d)
Document the response to the incident by finding answers to the following:
• Was the preparation for the incident sufficient?
• Did detection occur promptly? If not, why not?
• Would additional tools have helped?
• Was the incident contained?
• What practical difficulties were encountered?
• Was the incident communicated properly?
Post-Incident Activity
Every incident response team should evolve to reflect new threats, improved technology,
and lessons learned
An important aspect of these activities is updating the incident response policies and
procedures for better security
Collected incident data provides several measures of the success of the incident
response team
The metrics for incident-related data include:
• Number of incidents handled
• Time per incident
• Objective assessment of each incident
• Subjective assessment of each incident
Post-Incident Activity (cont’d)
Evidence Retention
• Policies should state how long the evidence from an incident has to be retained
• Factors to consider when creating the policy are:
• When prosecuting the attacker, the evidence must be retained until the legal
actions are completed
• Most organizations have data retention policies that state how long certain types of data
may be kept
Education, Training, and Awareness
An education, training, and awareness program teaches people how to handle
computer-related incidents
Education and training provide the skills required to implement the incident
handling policies
Practical training exposes errors in the procedures, improves them, and reduces
miscommunication
Well-trained members can prevent an incident or limit the resulting damage
Education, Training, and
Awareness (cont’d)
Training should be conducted at specified intervals, and it should include:
• Identification and operation of the utility shut-off devices
• Location of the incident handling areas
• Emergency responsibilities and re-assignment plans for all positions
The awareness campaign should be designed for several purposes, such as:
• Knowledge and participation
• Understanding the plan's strategies
• Contingency arrangements
Post-Incident Report
Post-Incident Report Incident Ref. No.: ________
Bureau/Department : ____________________________________________
Reporting Officer Details
Report Date : ___________________________________________________
Reported By
Name : ____________________________________________
Designation : _____________________________________________
Phone No. : _____________________________________________
Email Addr. : ______________________________________________
Incident Details
Incident Date : ___________________________________________________
Type of Incident:
System Name and Description:
Summary of Incident:
Post-Incident Report (cont’d)
Event Sequence:
Date / Time Event
Action Taken and Result:
Current System Status:
Personnel Involved:
Name Designation Phone No. Email Eec. Role
Hacker Details (if any):
Computer Virus Details (if any):
Other Affected Sites/Systems:
Damage (including disruption/suspension of service):
Cost Factor (including loss caused by the incident and the recovery cost/manpower):
Recommended Action to Prevent Recurrence:
Other Comments:
Experience Learnt:
Procedural and Technical
Countermeasures
Media is Downgraded or Declassified:
• Information is downgraded or declassified when its sensitivity has lessened through the
passage of time or the occurrence of a specific event
• Declassification is not automatically an approval for public disclosure
Destruction/Sanitization of Media:
• Media sanitization is the process of removing confidential data from storage media with
reasonable assurance that the data cannot be retrieved or reconstructed
• The sanitization process is especially important when storage media are transferred,
become obsolete, are no longer usable, or are no longer required by an information system
• Destruction of media is the ultimate form of sanitization
• Once the media is destroyed, it cannot be recycled as originally intended
Emergency Destruction:
• The activity must account for the volume, level, and sensitivity of the classified material
• Sensitivity of the operational assignment
• Potential for aggressive action
Vulnerability Resources
US-CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls/):
• Publishes information about a wide variety of vulnerabilities, including technical
descriptions, impact, solutions and workarounds, and lists of the affected vendors
National Vulnerability Database (http://nvd.nist.gov/):
• The U.S. government repository of standards-based vulnerability management data,
including databases of security checklists, security-related software flaws,
misconfigurations, product names, and impact metrics
Common Vulnerabilities and Exposures List (http://cve.mitre.org/):
• A list (dictionary) of publicly known information security vulnerabilities and exposures,
international in scope and free for public use
CSIRT
What is CSIRT?
Computer Security Incident Response Team (CSIRT): Incident Response Services 24x7
• A CSIRT provides 24x7 computer security incident response services to any user,
company, government agency, or organization
• It provides a reliable and trusted single point of contact for reporting computer
security incidents worldwide
• It provides the means for reporting incidents and disseminating important
incident-related information
CSIRT: Goals and Strategy
Goals of CSIRT:
• To manage security problems by taking a proactive approach towards customers'
security vulnerabilities and by responding effectively to potential information
security incidents
• To minimize and control the damage
• To provide or assist with effective response and recovery
• To prevent future events
Strategy of CSIRT:
• It provides a single point of contact for reporting local problems
• It identifies and analyzes what has happened, including the impact and threat
• It researches solutions and mitigation strategies
• It shares response options, information, and lessons learned
CSIRT Vision
CSIRT Vision is to:
• Identify the organization
• Specify the mission, goals, and objectives of the organization
• Select the services to be offered by the CSIRT
• Determine how the CSIRT should be structured for the organization
• Plan the budget required by the organization to implement and manage the CSIRT
• Determine the resources (equipment, staff, infrastructure) to be used by the CSIRT
Motivation behind CSIRTs
An increase in the number of computer security incidents being
reported and the increase in number and type of organizations being
affected by the computer security incidents
A more focused awareness by organizations on the need for security
policies and practices as part of their overall risk-management
strategies
New laws and regulations that affect how organizations are required to protect
their information assets
The realization that systems and network administrators alone cannot
protect organizational systems and assets
The realization that a prepared plan and strategy is required
Why Does an Organization Need
an Incident Response Team?
An incident response team helps the organization recover from computer security
breaches and threats
It may be a formalized team that performs incident response as its major job
function
It may also be an ad hoc team assembled to handle an ongoing computer security
incident
Who Works in a CSIRT?
CSIRT staff roles may include:
• Manager or team lead
• Assistant managers, supervisors, or group leaders
• Hotline, help desk, or triage staff
• Incident handlers
• Vulnerability handlers
• Artifact analysis staff
• Platform specialists
• Trainers
• Technology watch
Other roles may include:
• Support staff
• Technical writers
• Network or system administrators, CSIRT infrastructure staff
• Programmers or developers (to build CSIRT tools)
• Web developers and maintainers
• Media relations
• Legal or paralegal staff or liaison
• Law enforcement staff or liaison
• Auditors or quality assurance staff
• Marketing staff
Staffing Your Computer Security Incident
Response Team: What are the Basic Skills
Needed?
Basic Skills:
Personal Skills
• Communication:
• Written and oral
• Presentation Skills
• Diplomacy
• Ability to follow policies and procedures
• Team skills
• Integrity
• Knowing one's Limits
• Coping with stress
• Problem solving
• Time management
Technical Skills
• Programming skills
Incident Handling Skills
Team Models
Incident response team structure models fall into one of three categories:
• Central Incident Response Team
• Distributed Incident Response Teams
• Coordinating Team
Incident response teams can also use any of three staffing models:
• Employees
• Partially Outsourced
• Fully Outsourced
Delegation of Authority
A properly planned delegation of the authority ensures an effective response to the
incidents in accordance with the organization’s response policy
Members of the incident response team should be given authority according to their
skills, expertise, and experience
Delegation of authority includes:
• Allocation of tasks
• Empowerment
• Assignment of responsibility
• Accountability
CSIRT Services Can be Grouped
into Three Categories
Reactive services:
• These services are triggered by an event or request, such as a report of a
compromised host, widespread malicious code, a software vulnerability, or
something identified by an intrusion detection or logging system
• They are the core component of a CSIRT's work
Proactive services:
• These services provide assistance and information to prepare, protect, and
secure constituent systems in anticipation of attacks, problems, or events
• Performing these services directly reduces the number of incidents in the future
CSIRT Services Can be Grouped
into Three Categories (cont’d)
Security quality management services:
• These services augment existing and well-established services that are
independent of incident handling and traditionally performed by other areas
of an organization, such as the IT, audit, or training departments
• If the CSIRT performs or assists with these services, the CSIRT's point of
view and expertise can provide insight to improve the overall security of the
organization and identify risks, threats, and system weaknesses
• These services are generally proactive but contribute indirectly to reducing
the number of incidents
CSIRT Case Classification
Incident Categories: All incidents managed by the CSIRT should be classified into one of the categories listed below (sensitivity levels S1, S2, S3 as marked for each category):

Denial of Service (S3): DoS or DDoS attack.
Forensics (S1): Any forensic work to be done by the CSIRT.
Compromised Information (S1): Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or intellectual property.
Compromised Asset (S1, S2): Compromised host (root account, Trojan, rootkit), network device, application, or user account. This includes malware-infected hosts where an attacker is actively controlling the host.
Unlawful Activity (S1): Theft / fraud / human safety / child pornography. Computer-related incidents of a criminal nature, likely involving law enforcement, Global Investigations, or Loss Prevention.
Internal Hacking (S1, S2, S3): Reconnaissance or suspicious activity originating from inside the company's corporate network, excluding malware.
External Hacking (S1, S2, S3): Reconnaissance or suspicious activity originating from outside the company's corporate network (partner network, Internet), excluding malware.
Malware (S3): A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that are being actively controlled by an attacker via a backdoor or Trojan (see Compromised Asset).
Email (S3): Spoofed email, spam, and other email security-related events.
Consulting (S1, S2, S3): Security consulting unrelated to any confirmed incident.
Policy Violations (S1, S2, S3):
• Sharing offensive material, sharing/possession of copyrighted material
• Deliberate violation of infosec policy
• Inappropriate use of a corporate asset such as a computer, network, or application
• Unauthorized escalation of privileges or deliberate attempt to subvert access controls
Types of Incidents and Level of Support
The computer security incident response team will assign resources according to the
following priorities, listed in decreasing order:
• Threats to the physical safety of human beings
• Root or system-level attacks on any machine, either multi-user or dedicated-purpose
• Compromise of restricted confidential service accounts or software installations,
particularly those with authorized access to confidential data
• Denial of service attacks on any of the service accounts or software installations
Types of Incidents and Level of
Support (cont’d)
The computer security incident response team will assign resources according to the
following priorities, listed in decreasing order (continued):
• Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks,
password cracking attacks, and destructive virus outbreaks
• Compromise of individual user accounts, i.e. unauthorized access to a user or
service account
• Forgery and misrepresentation, and other security-related violations of local rules
and regulations, e.g. Netnews and e-mail forgery, unauthorized use of IRC bots
• Types of incidents other than those mentioned above will be prioritized according to
their apparent severity and extent
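As an added Python example that is not part of the EC-Council slides, the module below puts the CSIRT case-classification table, the resource-priority order just listed, and the post-incident metrics (number of incidents handled, time per incident) and evidence-retention rule from the Post-Incident Activity slides into the kind of incident-tracking code a new CSIRT has to build. The category names and sensitivity levels are taken from the classification table and the priority tiers from the list above; the assignment of a case to a tier, ordering S1 above S3, the 90-day retention default, and the sample incidents IR-001 to IR-005 are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Category -> permitted sensitivity levels, from the CSIRT case-classification table.
CATEGORY_SENSITIVITY: dict[str, set[str]] = {
    "Denial of Service": {"S3"},
    "Forensics": {"S1"},
    "Compromised Information": {"S1"},
    "Compromised Asset": {"S1", "S2"},
    "Unlawful Activity": {"S1"},
    "Internal Hacking": {"S1", "S2", "S3"},
    "External Hacking": {"S1", "S2", "S3"},
    "Malware": {"S3"},
    "Email": {"S3"},
    "Consulting": {"S1", "S2", "S3"},
    "Policy Violations": {"S1", "S2", "S3"},
}

# Resource-allocation tiers from 'Types of Incidents and Level of Support', highest first.
PRIORITY_ORDER = [
    "human safety", "root or system-level attack",
    "restricted service account compromise", "denial of service",
    "large-scale attack", "individual user account compromise",
    "forgery or misrepresentation", "other",
]

@dataclass
class Incident:
    ref: str
    category: str
    sensitivity: str
    priority_class: str
    detected: datetime
    closed: Optional[datetime] = None
    legal_hold: bool = False  # True while the attacker is being prosecuted

    def validate(self) -> None:
        """Reject a classification the case-classification table does not allow."""
        allowed = CATEGORY_SENSITIVITY.get(self.category)
        if allowed is None:
            raise ValueError(f"{self.ref}: unknown category {self.category!r}")
        if self.sensitivity not in allowed:
            raise ValueError(f"{self.ref}: {self.category} must be one of {sorted(allowed)}")
        if self.priority_class not in PRIORITY_ORDER:
            raise ValueError(f"{self.ref}: unknown priority class {self.priority_class!r}")

def triage_order(incidents: list[Incident]) -> list[str]:
    """Open cases in the order to work them: priority tier, then sensitivity
    (S1 before S3 is an assumption of this example), then oldest first."""
    open_cases = [i for i in incidents if i.closed is None]
    open_cases.sort(key=lambda i: (PRIORITY_ORDER.index(i.priority_class),
                                   i.sensitivity, i.detected))
    return [i.ref for i in open_cases]

def metrics(incidents: list[Incident]) -> dict:
    """Post-incident metrics: number handled and hours per incident
    (detection to closure), overall and per category."""
    closed = [i for i in incidents if i.closed is not None]
    hours = {i.ref: (i.closed - i.detected).total_seconds() / 3600 for i in closed}
    by_category: dict[str, list[float]] = {}
    for i in closed:
        by_category.setdefault(i.category, []).append(hours[i.ref])
    return {
        "handled": len(closed),
        "open": len(incidents) - len(closed),
        "mean_hours": mean(hours.values()) if hours else 0.0,
        "mean_hours_by_category": {c: mean(v) for c, v in by_category.items()},
    }

def evidence_retain_until(inc: Incident,
                          retention: timedelta = timedelta(days=90)) -> Optional[datetime]:
    """An open case, or one under legal hold, keeps its evidence until legal action
    completes (None = no date yet); otherwise the retention period runs from closure."""
    if inc.closed is None or inc.legal_hold:
        return None
    return inc.closed + retention

def sample_incidents() -> list[Incident]:
    """Constructed sample data; the references and timings are invented."""
    t0, h = datetime(2008, 12, 1, 9, 0), timedelta(hours=1)
    return [
        Incident("IR-001", "Compromised Asset", "S1", "root or system-level attack",
                 t0, t0 + 30 * h, legal_hold=True),
        Incident("IR-002", "Malware", "S3", "large-scale attack", t0 + 2 * h, t0 + 10 * h),
        Incident("IR-003", "Email", "S3", "forgery or misrepresentation", t0 + 5 * h),
        Incident("IR-004", "External Hacking", "S2", "root or system-level attack", t0 + 6 * h),
        Incident("IR-005", "Denial of Service", "S3", "denial of service", t0 + 1 * h),
    ]

if __name__ == "__main__":
    cases = sample_incidents()
    for c in cases:
        c.validate()  # raises ValueError on a classification the table disallows
    print("work queue:", triage_order(cases))
    print("metrics:", metrics(cases))
```

Validation at intake is the point of keeping the table in code: a malware case opened at S1, or a category nobody defined, is rejected before it skews the queue or the metrics, and the legal-hold flag keeps a retention sweep from deleting evidence that a prosecution still needs.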
Service Description Attributes
For each service provided, the CSIRT should provide its constituency with service descriptions (or formal service level
agreements) in as much detail as possible
In particular, any service provided by the CSIRT should include an explanation of the attributes described below:
Objective: Purpose and nature of the service
Definition: Description of the scope and depth of the service
Function Descriptions: Descriptions of the individual functions within the service
Availability: The conditions under which the service is available: to whom, when, and how
Quality Assurance: Quality assurance parameters applicable to the service; includes both setting and limiting
constituency expectations
Interactions and Information Disclosure: The interactions between the CSIRT and the parties affected by the service,
such as the constituency, other teams, and the media; includes setting information requirements for parties
accessing the service, and defining the strategy for disclosure of information (both restricted and public)
Interfaces with Other Services: The information flow exchange points between this service and the other CSIRT
services it interacts with
Priority: The relative priorities of functions within the service, and of the service versus other CSIRT services
Incident Specific Procedures-I
(Virus and Worm Incidents)
Step 1: Isolate the system
Step 2: Notify the appropriate people
Step 3: Identify the problem
Step 4: Prevent the virus or worm from infecting further systems
Step 5: Inoculate the system(s)
Step 6: Return to a normal operating mode
Step 7: Follow-up analysis
Incident Specific Procedures-II
(Hacker Incidents)
(A) Attempted Probes into a State of Vermont System
• Step 1: Identify the problem
• Step 2: Notify the appropriate people
• Step 3: Identify the attacker
• Step 4: Notify CERT
• Step 5: Follow-up analysis
(B) Active Hacker Activity
• Step 1: Notify the appropriate people
• Option 1: Removal of the attacker from the system
  • Step 2: Snapshot the system
  • Step 3: Lock out the attacker
  • Step 4: Restore the system
  • Step 5: Notify other agencies
  • Step 6: Follow-up analysis
• Option 2: Monitoring of the attacker's activity
(C) Evidence of Past Incidents
Log all actions in every phase*
Incident Specific Procedures-III
(Social Incidents, Physical Incidents)
Social Incidents and Physical Incidents:
• Step 1: Identify potential risk
• Step 2: Notify the appropriate people
• Log all actions*
How a CSIRT Handles a Case: Steps
Inform the appropriate people
Keep a log book
Release the information
Maintain a list of contacts
Report
Follow up analysis
US-CERT Incident Reporting
System
US-CERT is a partnership between the Department of Homeland Security and the public
and private sectors. Established to protect the nation's Internet infrastructure, US-CERT
coordinates defense against and responses to cyber attacks across the nation. This system is
used to report cyber-related incidents to US-CERT.
CSIRT Incident Report Form
CERT(R) Coordination Center:
Incident Reporting Form
Example of CSIRT
An internal CSIRT serves its parent organization, such as a bank, manufacturing
company, university, or government agency
A national CSIRT serves an entire nation; an example is the Japan Computer Emergency
Response Team Coordination Center (JPCERT/CC)
Analysis centers synthesize data and determine trends and patterns in incident
activity to predict future activity or provide early warnings
Vendor teams identify vulnerabilities in software and hardware products
Incident response providers offer services to paying clients
Best Practices for Creating a CSIRT
Step 1: Obtain management support and buy-in
Step 2: Determine the CSIRT strategic plan
Step 3: Gather relevant information
Step 4: Design the CSIRT vision
Step 5: Communicate the CSIRT vision and operational plan
Step 6: Begin the CSIRT's implementation
Step 7: Announce the operational CSIRT
Step 1: Obtain Management
Support and Buy-in
Without management approval and support, creating an effective incident
response capability can be difficult and problematic
Once the team is established, how is it maintained and expanded with
budget, personnel, and equipment resources?
Will the role and authority of the CSIRT continue to be backed by
management across the various constituencies or parent organization?
Step 2: Determine the CSIRT
Development Strategic Plan
Are there specific timeframes to be met? Are they realistic, and if not, can
they be changed?
Is there a project group? Where do the group members come from?
How do you let the organization know about the development of the CSIRT?
If you have a project team, how do you record and communicate the
information you are collecting, especially if the team is geographically
dispersed?
Step 3: Gather Relevant
Information
Meet with key stakeholders to discuss the expectations, strategic direction, definitions, and
responsibilities of the CSIRT
The stakeholders could include:
• Business managers
• Representatives from IT
• Representatives from the legal department
• Representatives from human resources
• Representatives from public relations
• Any existing security groups, including physical security
• Audit and risk management specialists
Step 4: Design your CSIRT Vision
In creating your vision, you should:
• Identify your constituency: Who does the CSIRT support and service?
• Define your CSIRT mission, goals, and objectives: What does the
CSIRT do for the identified constituency?
• Select the CSIRT services to provide to the constituency (or
others): How does the CSIRT support its mission?
• Determine the organizational model: How is the CSIRT structured
and organized?
• Identify required resources: What staff, equipment, and
infrastructure are needed to operate the CSIRT?
• Determine your CSIRT funding: How is the CSIRT funded for its
initial startup and its long-term maintenance and growth?
Step 5: Communicate the
CSIRT Vision
Communicate the CSIRT’s vision and operational plan to the management,
constituency, and others who need to know and understand its operations
As appropriate, make adjustments to the plan based on their feedback
Step 6: Begin CSIRT
Implementation
Hire and train the initial CSIRT staff
Buy equipment and build any necessary network infrastructure to support the
team
Develop the initial set of CSIRT policies and procedures to support your
services
Define the specifications for and build your incident-tracking system
Develop incident-reporting guidelines and forms for your constituency
Step 7: Announce the CSIRT
When the CSIRT is operational, announce it to the
constituency or parent organization
It is best if this announcement comes from sponsoring
management
Include the contact information and hours of operation for
the CSIRT in the announcement
This is an excellent time to make the CSIRT incident-
reporting guidelines available
Limits to Effectiveness in CSIRTs
A fundamental problem for a CSIRT is to balance a growing workload with limited
human resources
Remedy:
• A CSIRT can work smarter by investing in automation
• Policy experimentation and future scenarios
• When a problem is well understood, it can be solved; this is typically
accomplished by altering some of the policies in the system, or by
re-engineering parts of it
Working Smarter by Investing in
Automated Response Capability
Figure: Working smarter by investing in automated response capability
World CERTs
Asia Pacific CERTs
• Australia CERT (AUSCERT)
• Hong Kong CERT (HKCERT/CC)
• Indonesian CSIRT (ID-CERT)
• Japan CERT-CC (JPCERT/CC)
• Korea CERT (CERT-KR)
• Malaysia CERT (MyCERT)
• Pakistan CERT (PakCERT)
• Singapore CERT (SingCERT)
• Taiwan CERT (TWCERT)
• China CERT (CNCERT/CC)
North American CERTs
• CERT-CC
• US-CERT
• Canadian CERT (CanCERT)
• Forum of Incident Response and Security Teams (FIRST)
South American CERTs
• CAIS (Brazilian Research Network CSIRT)
• NIC BR Security Office, Brazilian CERT (NBS)
European CERTs
• EuroCERT
• FUNET CERT
• CERTA
• DFN-CERT
• JANET-CERT
• CERT-NL
• UNINETT-CERT
• CERT-NASK
• Swiss Academic and Research Network CERT
http://www.first.org/about/organization/teams/
http://www.apcert.org/about/structure/members.html
IRTs Around the World
Courtesy of CERT/CC
©Carnegie Mellon University 2003
Summary
The growing number of products, and the corresponding growth in the number of hacking
tools, has put security in the spotlight
A computer security incident is defined as any real or suspected adverse event in relation to
the security of computer systems or computer networks
Incident handling involves three basic functions: incident reporting, incident analysis, and
incident response
Incident reporting is the process of reporting the information regarding an encountered
security breach in a proper format
A CSIRT provides rapid response to maintain the security and integrity of systems
Without management's approval and support, creating an effective incident response
capability can be difficult and problematic
File000119

  • 1. Module VI – Incident Handling
  • 3. Scenario
    Orient Recruitment Inc. is an online human resource recruitment firm. The web server of the firm is critical for its normal business operations. Neo, the network administrator, observed some unusual activity targeted at the web server: it was overloaded with connection requests from a huge number of different sources. Before he could realize the scale of the attack, the website of Orient Recruitment Inc. was already down due to a Denial of Service attack. The company's management called in the local Incident Response team to look into the matter and resolve the DoS issue.
    What steps will the incident response team take to investigate the attack?
  • 4. Module Objective
    This module will familiarize you with:
    • What is an Incident?
    • Security Incidents
    • Incident Reporting
    • Incident Response
    • Incident Handling
    • What is CSIRT?
    • Who Works in a CSIRT?
    • Types of Incidents and Level of Support
    • How CSIRT Handles a Case: Steps
    • World CERTs
  • 5. Module Flow
    What is an Incident? → Security Incidents → Incident Reporting → Incident Response → Incident Handling → What is CSIRT? → Who Works in a CSIRT? → Types of Incidents and Level of Support → How CSIRT Handles a Case: Steps → World CERTs
  • 6. What is an Incident
    A computer security incident is defined as "any real or suspected adverse event in relation to the security of computer systems or computer networks".
    It also includes external threats such as gaining access to systems, disrupting their services through malicious spamming, and executing malicious code that destroys or corrupts systems.
  • 7. Security Incidents
    A security incident includes:
    • Evidence of tampering with data
    • Denial of service attack on the agency
    • Web site defacement
    • Unauthorized access or continuous attempts at unauthorized access (from either internal or external sources)
    • Social engineering incidents
    • Virus attacks that badly affect servers or multiple workstations
    • Other incidents that could undermine confidence and trust in the state's information technology systems
  • 8. Category of Incidents
    There are three categories of incidents:
    • Low level
    • Mid level
    • High level
  • 9. Category of Incidents: Low Level
    Low level incidents are the least severe kind of incident. They should be handled within one working day after the event occurs.
    They can be identified when there is:
    • Loss of a personal password
    • Suspected sharing of the organization's accounts
    • Unsuccessful scans and probes
    • Presence of any computer virus or worm
  • 10. Category of Incidents: Mid Level
    Incidents at this level are comparatively more serious and should therefore be handled the same day the event occurs.
    They can be identified by observing:
    • Violation of special access to a computer or computing facility
    • Unfriendly employee termination
    • Unauthorized storing and processing of data
    • Destruction of property related to a computer incident (less than $100,000)
    • Personal theft of data related to a computer incident (less than $100,000)
    • Computer virus or worms of comparatively larger intensity
    • Illegal access to buildings
  • 11. Category of Incidents: High Level
    These are the most serious incidents and are considered "Major" in nature. High level incidents should be handled immediately after the incident occurs.
    These include:
    • Denial of Service attacks
    • Suspected computer break-in
    • Computer virus or worms of the highest intensity, e.g. Trojans and back doors
    • Changes to system hardware, firmware, or software without authorization
    • Destruction of property exceeding $100,000
    • Personal theft exceeding $100,000, and illegal electronic fund transfer or download/sale
    • Any kind of pornography, gambling, or violation of any law
  • 12. Issues in Present Security Scenario
    • Increase in the number of companies venturing into e-business, coupled with high Internet usage
    • Decrease in vendor product development and product testing cycles
    • Increase in the complexity of the Internet as a network
    • Alarming increase in intruder activities and tools, expertise of attackers, and sophistication of hacks
    • Lack of thoroughly trained professionals compared to the number and intensity of security breaches
  • 13. How to Identify an Incident
    • A system alarm from an intrusion detection tool indicating a security breach
    • Suspicious entries in system or network logs
    • Accounting gaps of several minutes with no accounting log
    • Other events such as unsuccessful login attempts, unexplained new users or files, attempts to write system files, and modification or deletion of data
    • Unusual usage patterns, such as programs being compiled in the accounts of users who are non-programmers
  • 14. How to Prevent an Incident
    A key to preventing security incidents is to eliminate as many vulnerabilities as possible.
    Intrusions can be prevented by:
    • Scanning the network/system for security loopholes
    • Auditing the network/system
    • Deploying intrusion detection/prevention systems on the network/system
    • Establishing defense-in-depth
    • Securing clients for remote users
  • 15. Defining the Relationship between Incident Response, Incident Handling, and Incident Management
    The diagram below illustrates the relationship between Incident Response, Incident Handling, and Incident Management.
  • 16. Incident Management
  • 17. Incident Management
    Incident management is not just responding to an incident when it happens; it includes proactive activities that help to prevent incidents by providing guidance against potential risks and threats.
    It includes the development of a plan of action and a set of processes that are consistent, repeatable, of high quality, measurable, and understood within the constituency.
    Who performs Incident Management?
    • Human resource personnel
    • Legal counsel
    • The firewall manager
    • An outsourced service provider
  • 18. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Incident Management (cont’d) Figure : Five High-Level Incident Management Processes
  • 19. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Threat Analysis and Assessment Threat analysis is a systematic detection, identification, and evaluation of vulnerabilities of a facility, operation, or system The threat analysis is a process of scrutinizing the conditions and processes that are important for business interruption • Examining the physical security processes • Creating the risk management program • Identifying and examining the threats related to customers • Providing the data, trends, methodologies, and possibility of risk actions • Identifying and defining the security process flows The critical tasks of threat analysis and assessment include:
  • 20. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Vulnerability Analysis • Defining and classifying network or system resources • Assigning relative levels of importance to the resources • Identifying potential threats to each resource • Developing a strategy to deal with the most serious potential problems • Defining and implementing ways to minimize the consequences if an attack occurs Steps in vulnerability analysis: Vulnerability analysis or vulnerability assessment is a process of identifying, defining, and classifying the security breaches in a computer, network, and communications infrastructure
  • 21. Estimating Cost of an Incident
    Tangible cost:
    • Lost productivity hours
    • Investigation and recovery efforts
    • Loss of business
    • Loss or theft of resources
    Intangible cost:
    • Corporate reputation being ruined
    • Loss of goodwill
    • Psychological damage: those directly impacted may feel victimized, and morale may suffer or fear may spread
    • Legal liability
    • Effect on shareholder value
  • 22. Change Control
    Change control involves all procedures that handle or control authorized changes to the organization's assets, such as software and hardware.
    It involves the mechanism of change request, result recording, documenting, testing the results after the changes, and gaining approval for the requests.
    It involves analyzing the problem, updating the results, and sending a request for change to the concerned personnel or representative.
    The request is reviewed by management, which authorizes the required changes.
  • 23. Incident Reporting
  • 24. Incident Reporting
    When a user encounters any breach, report the following:
    • Intensity of the security breach
    • Circumstances that revealed the vulnerability
    • Shortcomings in the design and the impact or level of the weakness
    • Entry logs related to the intruder's activity
    • Correct time zone of the region and synchronization information of the system with a national time server via NTP (Network Time Protocol)
  • 25. Computer Incident Reporting
  • 26. Whom to Report an Incident To
    Incident reporting is the process of reporting the information regarding an encountered security breach in a proper format.
    The incident should be reported to the CERT Coordination Center, the site security manager, or other affected sites.
    It can also be reported to law enforcement agencies such as the FBI, the USSS Electronic Crimes Branch, or Department of Defense contractors.
    Reporting is done to receive technical assistance and to raise security awareness in order to minimize losses.
  • 27. Report a Privacy or Security Violation
    Gather the following information at the time of the security violation:
    • Date, time, and location of the incident
    • The nature of the violation
    • Type of private data involved
    • Other persons involved
    • Any immediate harm known or observed
    • Immediate corrective actions already taken
  • 28. Preliminary Information Security Incident Reporting Form
    PRELIMINARY INFORMATION SECURITY INCIDENT REPORTING FORM
    Background Information
      Name of Bureau/Department: ________
      Brief description of the affected system (e.g. function, URLs): ________
      Physical location of the affected system: [ ] Within B/D  [ ] Third-party service provider facility
      System administration/operation by: [ ] In-house IT team  [ ] End user  [ ] Outsourced service provider
    Reporting Entity Information
      Name: ________  Designation: ________
      Office Contact: ________  24 hours Contact: ________
      Email Address: ________  Fax Number: ________
    Incident Details
      Date/Time (Detected): ________
      Date/Time (Reported to OGCIO): ________
      Symptoms of Incident: ________
      Impacts:
      [ ] Defacement of web site
      [ ] Service interruption (denial of service attack / mail bomb / system failure)
      [ ] Massive malicious code attack
      [ ] Loss/damage/unauthorized alteration of information
      [ ] Compromise/leakage of sensitive information
      [ ] Intrusion/unauthorized access
      [ ] Others, please specify: ________
      Please provide details on the impact and service interruption period, if any: ________
      Actions Taken: ________
      Current System Status: ________
      Other Information: ________
  • 29. Why Organizations Do Not Report Computer Crimes
    • Misunderstanding of the scope of the problem
      • Belief that this does not happen to other organizations
    • Fear of negative publicity
      • Proactive reporting and handling of the incident allows many organizations to put their own spin on the media reports
    • Potential loss of customers
    • Desire to handle things internally
    • Lack of awareness of the attack
  • 30. Incident Response
  • 31. Responding to a Security Incident
    Computer incident response is based on documented and untampered evidence.
    Guidelines to be followed for a methodical response-handling stage and investigation are as follows:
    • Identify the affected resources
    • Analyze the incident
    • Assign event identity and severity level
    • Assign incident task force members
    • Contain threats so they do not affect further systems
    • Collect evidence
    • Perform forensic analysis
  • 32. Incident Response Procedure
    The guidelines to be followed in the response handling stage are:
    Identify the Affected Resources
    • The IIC and IL work with the system personnel to determine the area and scope that the incident covers
    Analyze the Incident
    • An assessment is made by the IIC together with the IL and system personnel to determine the security levels
    Assign Event Identity and Severity Level
    • Incidents require a unique, collision-free identifier to allow tracking and archiving of incidents for historical reference
    • The identity of the incident is assigned by the IIC, followed by the assignment of a name and a severity level to the incident
  • 33. Incident Response Procedure (cont'd)
    Assign Incident Task Force Members
    • The IIC, in combination with the IL, coordinates a task force to resolve the incident
    • The task force consists of technical managers of resources, division managers, etc.
    Containing Threats
    • Threats are contained by removing the suspect resources from normal operations
    • The IIC and IL are responsible for determining risks
    Evidence Collection
    • Information related to the incident is taken as evidence
    • Information can be collected from interviews with administrators, log files, and exploit code left by the attacker
  • 34. Incident Response Procedure (cont'd)
    Forensic Analysis
    • Forensic analysis and discovery of an incident should establish:
      • The perpetrators and victims of the events
      • The events that took place
      • When, and at what time, the events occurred
      • Where the events occurred and what they affected
      • How the events occurred
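The following is an added example, not code from the original slides: a minimal incident register that follows the response procedure above. It assigns a collision-free incident identifier together with a name and severity level, records the affected resources and task force members, keeps a who/what/when/where log book, and refuses timestamps that carry no time zone (the reporting slide requires the correct zone and NTP synchronization). All class and function names and the sample values are constructed for illustration.

```python
"""Added example (not EC-Council's code): a minimal incident register.
It assigns collision-free incident IDs with a severity level, records
affected resources and task force members, and keeps a UTC log book."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum
from typing import Callable


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class LogEntry:
    when: datetime          # timezone-aware, normalised to UTC
    who: str
    what: str
    where: str


@dataclass
class Incident:
    incident_id: str
    name: str
    severity: Severity
    detected_at: datetime
    affected_resources: list[str] = field(default_factory=list)
    task_force: list[str] = field(default_factory=list)
    log_book: list[LogEntry] = field(default_factory=list)
    contained: bool = False


def as_utc(when: datetime) -> datetime:
    """A naive timestamp cannot be correlated with logs from other systems,
    so it is refused instead of being silently assumed to be local time.
    (The host clock itself is assumed to be NTP-synchronised.)"""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("timestamp must carry a time zone")
    return when.astimezone(timezone.utc)


class IncidentRegister:
    """Keeps every incident ever opened, so IDs can be checked for collisions
    and incidents can be archived for historical reference."""

    def __init__(self, clock: Callable[[], datetime] | None = None):
        self._incidents: dict[str, Incident] = {}
        # Injectable clock so the behaviour can be tested with fixed times.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _new_id(self, detected_at: datetime) -> str:
        # Date prefix keeps the archive browsable by time; the random suffix
        # makes incidents opened in the same second collision-free, and the
        # loop double-checks against the register itself.
        prefix = "INC-" + detected_at.strftime("%Y%m%d")
        while True:
            candidate = f"{prefix}-{secrets.token_hex(4)}"
            if candidate not in self._incidents:
                return candidate

    def open_incident(self, name: str, severity: Severity, detected_at: datetime,
                      affected_resources: list[str], opened_by: str) -> Incident:
        detected_at = as_utc(detected_at)
        inc = Incident(self._new_id(detected_at), name, severity, detected_at,
                       list(affected_resources))
        self._incidents[inc.incident_id] = inc
        self.log(inc.incident_id, opened_by,
                 f"opened with severity {severity.name}", "security team")
        return inc

    def assign_task_force(self, incident_id: str, members: list[str], by: str) -> None:
        inc = self._incidents[incident_id]
        inc.task_force.extend(m for m in members if m not in inc.task_force)
        self.log(incident_id, by, "task force assigned: " + ", ".join(members),
                 "security team")

    def contain(self, incident_id: str, resource: str, by: str) -> None:
        """Record that a suspect resource was removed from normal operations;
        the incident counts as contained once every affected resource has been."""
        inc = self._incidents[incident_id]
        if resource not in inc.affected_resources:
            raise KeyError(f"{resource} is not an affected resource of {incident_id}")
        self.log(incident_id, by, "removed from normal operations", resource)
        isolated = {e.where for e in inc.log_book
                    if e.what == "removed from normal operations"}
        inc.contained = isolated >= set(inc.affected_resources)

    def log(self, incident_id: str, who: str, what: str, where: str) -> LogEntry:
        entry = LogEntry(as_utc(self._clock()), who, what, where)
        self._incidents[incident_id].log_book.append(entry)
        return entry
```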
  • 35. Security Incident Response (Detailed Form)
    Contact Information and Incident
      Last Name: ________  First Name: ________
      Job Title: ________
      Phone: ________  Alt Phone: ________
      Mobile: ________  Pager: ________
      Email: ________  Fax: ________
  • 36. Security Incident Response (Detailed Form) (cont'd)
    Incident Description: Date/Time and Recovery Information
      Date/Time of First Attack: Date: ________ Time: ________
      Date/Time Attack Detected: Date: ________ Time: ________
      Has the Attack Ended: [ ] Yes  [ ] No
      Duration of Attack (in hours): ________
      Severity of Attack: [ ] Low  [ ] Medium  [ ] High
      Estimated Recovery Time as of this Report (Clock): ________
      Estimated Recovery Time as of this Report (Staff Hours): ________
      Estimated Damage Amount as of this Report ($$$ Loss): ________
      Number of Hosts Affected: ________
      Number of Users Affected: ________
  • 37. Security Incident Response (Detailed Form) (cont'd)
    Type of Incident Detected:
      [ ] Exposing Confidential/Classified/Unclassified Data
      [ ] Theft of Information Technology Resources/Other Assets
      [ ] Creating Accounts
      [ ] Altering DNS/Website/Data/Logs
      [ ] Destroying Data
      [ ] Anonymous FTP Abuse
      [ ] Attacking Attackers/Other Sites
      [ ] Credit Card Fraud
      [ ] Fraud
      [ ] Unauthorized Use/Access
      [ ] Using Machine Illegally
      [ ] Impersonation
      [ ] Increasing Notoriety of Attacker
      [ ] Installing a Back Door/Trojan Horse
      [ ] Attacking the Internet
      [ ] ICQ Abuse/IRC Abuse
      [ ] Life Threatening Activity
      [ ] Password Cracking
      [ ] Sniffer
      [ ] Don't Know
      [ ] Other (Specify): ________
    SB1386 – Is Email Notification Required? [ ] Yes  [ ] No
    SB1386 – Email Notification Sent Out? [ ] Yes  [ ] No
    Comments (Specify Incident Details and additional information): ________
  • 38. Security Incident Response (Detailed Form) (cont'd)
    General Information
    How Did You Initially Become Aware of the Incident?
      [ ] Automated Software Notification
      [ ] Automated Review of Log Files
      [ ] Manual Review of Log Files
      [ ] System Anomaly (i.e., Crashes, Slowness)
      [ ] Third Party Notification
      [ ] Don't Know
      [ ] Other (Specify)
    Attack Technique (Vulnerability Exploited / Exploit Used)
      [ ] CVE/CERT VU or BugTraq Number
      [ ] Virus, Trojan Horse, Worm, or Other Malicious Code
      [ ] Denial of Service or Distributed Denial of Service Attack
      [ ] Unauthorized Access to Affected Computer
      [ ] Privileged Compromise (Root/Admin Access)
      [ ] User Account Compromise/Web Compromise (Defacement)
      [ ] Scanning/Probing
      [ ] Other
    Suspected perpetrator(s) or possible motivation(s) of attack:
      [ ] CSU staff/students/faculty
      [ ] Former staff/students/faculty
      [ ] External Party
      [ ] Unknown
      [ ] Other (Specify)
  • 39. Security Incident Response (Detailed Form) (cont'd)
    Malicious Code: Virus, Worm
      Name or Description of Virus: ________
      Is Anti-Virus Software Installed on the Affected Computer(s)? [ ] Yes (Name)  [ ] No
      Did the Anti-Virus Software Detect the Virus? [ ] Yes  [ ] No
      When was your Anti-Virus Software Last Updated? ________
    Network Activity
      Protocols: [ ] TCP  [ ] UDP  [ ] ICMP  [ ] IPSec  [ ] IP Multicast  [ ] IPv6  [ ] Other
      Please Identify Source Ports Involved in the Attack: ________
      Please Identify Destination Ports Involved in the Attack: ________
  • 40. Security Incident Response (Detailed Form) (cont'd)
    Impact of Attack: Hosts
    Individual Hosts
      Does this Host represent an Attacking or Victim Host? [ ] Victim  [ ] Attacker  [ ] Both
      Host Name: ________
      IP Address: ________
      Operating System Affected: ________
      Patch Level (if known): ________
      Applications Affected: ________
      Database: ________
      Others: ________
      Primary Purpose of this Host:
      [ ] User Desktop Machine  [ ] User Laptop Machine  [ ] Web Server  [ ] Mail Server  [ ] FTP Server
      [ ] Domain Controller  [ ] Domain Name Server  [ ] Time Server  [ ] NFS/File System Server
      [ ] Database Server  [ ] Application Server  [ ] Other Infrastructure Services
    Bulk Hosts
      Bulk Host Information (Details): ________
      Comments (Please detail incident): ________
  • 41. Security Incident Response (Detailed Form) (cont'd)
    Data Compromised:
      Did the attack result in a loss/compromise of sensitive or personal information? [ ] Yes  [ ] No
      Other Comments: ________
      Did the attack result in damage to system(s) or data? [ ] Yes (Specify)  [ ] No
      Other Comments: ________
    Law Enforcement:
      Has Law Enforcement Been Notified? [ ] Yes  [ ] No
    Remediation:
      Please detail what corrective actions have been taken (specify). Comments: ________
      Did Your Detection and Response Process and Procedures Work as Intended? Comments: ________
      Please provide Discovery Methods and Monitoring Procedures that would have Improved Your Ability to Detect an Intrusion. Comments: ________
      Are there Improvements to Procedures and Tools that would have Aided You in the Response Process? Comments: ________
      Are there Improvements that would have Enhanced Your Ability to Contain an Intrusion? Comments: ________
      Are there Correction Procedures that would have Improved Your Effectiveness in Recovering Your Systems? Comments: ________
  • 42. Incident Response Policy
    • Clearly outline management's support for the policy
    • Decide on an organizational approach
    • Determine outside notification procedures
    • Address remote connections and encompass all remote employees or contractors
    • Define partner agreements
    • Identify the members of the incident team and describe their roles, responsibilities, and functions
    • Develop an internal communications plan that identifies whom you will notify and how you will contact them
    • Define a method for reporting and historically archiving the incident
  • 43. Incident Response Guidelines
    • Check whether the potential incident is verified
    • Contact department/agency security staff
      • I.T. Manager –
      • [designee/others by department procedure] –
    • Contact a CSIRT member
      • Call the GOVnet beeper
      • GOVnet will then contact CSIRT members (csirt@.state.vt.us)
      • If there is no response within ten minutes, call the office of the CIO
    • Isolate system(s) from GOVnet [unless the CSIRT's decision is to leave the system connected to monitor the active attacker]
  • 44. Incident Response Guidelines (cont'd)
    • Maintain a log book: who / what / when / where
    • Find out whether the incident was caused by a virus, a worm, or an attacker
    • Estimate the extent of the problem and the number of systems affected
  • 45. Incident Response Guidelines (cont'd)
    • Contact the local police authority with jurisdiction at the location of the incident (this MUST BE coordinated with the CSIRT)
    • Follow server/operating-system-specific procedures to snapshot the system
    • Inoculate/restore the system
    • Close the vulnerability and ensure that all patches have been installed
    • Return to normal operations
    • Prepare a report and conduct follow-up analysis
    • Revise prevention and screening procedures
    • Remember to log all actions
  • 46. Response Handling Roles
    • An incident reported to the security team is set for investigation
    • A full-time member of the security team acts as Incident Investigator and Coordinator (IIC)
    • A member of the incident response team acts as Incident Liaison (IL)
    • The IIC assigns the security level to the incident and performs investigative duties and technical analysis
    • IIC duties require unrestricted access to resources directly affected by the incident
    • The IL acts as coordinator and liaison to the resources needed by the IIC
  • 47. Roles and Responsibilities of SSM, ISSM, and ISSO
    Senior System Manager (SSM):
    • Maintains users' accounts, passwords, keys, etc.
    • One of the major responsibilities of senior management is to secure the organization's computer systems
    • The responsibility for the success of the organization lies with the senior managers
    Information System Security Manager (ISSM):
    • Checks the level of security needed to manage the risks
    • Establishes the risk management process
    • Ensures that information resources meet audit requirements and that employees at all levels participate in implementing policies and procedures
    • Prepares a disaster recovery plan for information resources and maintains it
    Information System Security Officer (ISSO):
    • Identifies threats and vulnerabilities
    • Identifies restricted, sensitive, and unrestricted information resources
    • Develops and maintains risk management processes, disaster recovery/contingency planning for information, and updated security procedures
  • 48. Contingency/Continuity of Operations Planning
    A contingency plan provides backups of documents so that the organization can recover from a disaster.
    It is necessary for a company or business to keep functioning normally.
    Guidelines for contingency planning are as follows:
    Starting point
    • Focuses on the development and maintenance of the plan
    Impact assessment
    • Problems are analyzed
    • Checks what sort of problems/disasters can occur
    • Checks the likelihood of occurrence of the problem
    • Checks the severity of the problem
    Developing the plan
    • The development phase is designed to structure and develop the contingency plan
    • It acts on the threats and regulates the business process by setting an order or priority of work
  • 49. Contingency/Continuity of Operations Planning (cont'd)
    Testing the plan
    • In this phase, the developed plan is tested
    • Determines whether the plan can actually work in a real disaster environment
    • Testing results are documented for future reference
    Personnel training
    • Personnel need to undergo training to become familiar with the plan, which helps them to perform their tasks and responsibilities effectively
    Maintaining the plan
    • Maintaining the plan involves updating it
    • As processes are added or deleted by the organization, the plans should be updated regularly
  • 50. Contingency/Continuity of Operations Planning (cont'd)
    Components of the contingency plan:
    • Supporting information (past incident analysis reports, vulnerability analysis reports, etc.)
    • Notification/activation (supplies notification procedures and provides for activation of the plan)
    • Recovery (recovers the data with the help of backups)
    • Reconstitution (restores the original information after the disaster)
    • Plan appendices (provide records of further analysis)
  • 51. Contingency/Continuity of Operations Planning (cont'd)
    Continuity of operations provides an alternative site to the organization for a period of one month so that it can recover from the disaster and perform normal organizational operations.
  • 52. Budget/Resource Allocation
    Budget and resource constraints are major roadblocks in the incident handling and response planning process.
    Budget and resources are generally allocated according to previous experience and the perceived risk to the organization's resources.
    There is no standard rule or practice for budget allocation, as the return on investment for incident handling in an information system cannot be measured directly.
    Documentation of previous incidents and the losses to the organization may help decision makers to estimate the potential cost savings.
  • 53. Incident Handling
  • 54. Handling Incidents
    Incident handling helps to find trends and patterns related to the intruder's activity by analyzing it.
    It involves three basic functions:
    • Incident reporting
    • Incident analysis
    • Incident response
    It provides constituents and network administrators with recommendations for recovery, containment, and prevention.
    It allows incident reports to be gathered in one location so that the exact trends and patterns can be recognized and the recommended strategies can be employed.
    It helps the relevant staff to understand the process of responding and to tackle unexpected threats and security breaches.
  • 55. Procedure for Handling Incidents
    The incident handling process is divided into six stages:
    • Preparation
    • Identification
    • Containment
    • Eradication
    • Recovery
    • Follow-up
  • 56. 1. Preparation
    • Preparation enables easy coordination among staff
    • Provides baseline protection
    • Uses virus detection and eradication tools
    • Company staff are given training at this stage
  • 57. 2. Identification
    Identification involves validating, identifying, and reporting the incident:
    • Determining the symptoms given in 'how to identify an incident'
    • Identifying the nature of the incident
    • Identifying events
    • Protecting evidence
    • Reporting events
  • 58. 3. Containment
    Containment limits the extent and intensity of an incident:
    • Avoid logging in as root on the compromised system
    • Avoid conventional trace-back methods, as these may alert the attackers
    • Prepare complete backups of the infected systems
    • Change the passwords on all unaffected systems in the LAN
  • 59. 4. Eradication
    • Look into additional information, along with the information gathered in the 3rd (Containment) phase, to find out the reasons for the particular incident
    • Use standard anti-virus tools to remove viruses/worms from the storage media
    • Improve security measures by enabling firewalls or router filters, or by assigning a new IP address
    • Analyze the vulnerability
  • 60. 5. Recovery
    • Determine the course of action
    • Monitor and validate systems
    • Determine the integrity of the backup itself by attempting to read its data
    • Verify the success of the operation and the normal condition of the system
    • Monitor the system with network loggers and system log files, and watch for potential back doors
  • 61. 6. Follow-up
    Determine the staff time required and perform the following cost analysis:
    • Extent to which the incident disrupted the organization
    • Data lost and its value
    • Damaged hardware and its cost
    Revise policies and procedures based on the lessons learned from the past.
  • 62. 6. Follow-up (cont'd)
    Document the response to the incident by finding answers to the following:
    • Was the preparation for the incident sufficient?
    • Did detection occur promptly, and why or why not?
    • Could additional tools have helped?
    • Was the incident contained?
    • What practical difficulties were encountered?
    • Was it communicated properly?
  • 63. Post-Incident Activity
    Every incident response team should evolve to reflect new threats, improved technology, and lessons learned.
    The important aspect of these activities is updating the incident response policies and procedures for better security.
    Using collected incident data helps to provide several measures of the success of the incident response team.
    The metrics for incident-related data include:
    • Number of incidents handled
    • Time per incident
    • Objective assessment of each incident
    • Subjective assessment of each incident
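As an added example (not from the original slides), the following computes the incident-related metrics listed above, number of incidents handled, time per incident, and an objective per-incident assessment, from a constructed set of closed incident records. The record fields, the function names, the containment target and the sample figures are all assumptions made for illustration.

```python
"""Added example (not EC-Council's code): post-incident metrics computed
from constructed incident records."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, median


@dataclass(frozen=True)
class ClosedIncident:
    incident_id: str
    severity: str            # "low", "medium" or "high"
    detected_at: datetime    # all timestamps timezone-aware
    contained_at: datetime
    closed_at: datetime
    hosts_affected: int


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def objective_assessment(inc: ClosedIncident) -> dict[str, float]:
    """Measurable figures for one incident: how long containment took, how
    long the whole handling took, and how far the incident spread."""
    if not (inc.detected_at <= inc.contained_at <= inc.closed_at):
        raise ValueError(f"{inc.incident_id}: timestamps out of order")
    return {
        "hours_to_contain": _hours(inc.contained_at - inc.detected_at),
        "hours_total": _hours(inc.closed_at - inc.detected_at),
        "hosts_affected": float(inc.hosts_affected),
    }


def team_metrics(incidents: list[ClosedIncident],
                 containment_target_hours: float = 4.0) -> dict:
    """Aggregate figures for the team over a reporting period. The containment
    target is an assumed internal goal, not a figure from the slides."""
    if not incidents:
        return {"incidents_handled": 0}
    per_incident = [objective_assessment(i) for i in incidents]
    totals = [a["hours_total"] for a in per_incident]
    contain = [a["hours_to_contain"] for a in per_incident]
    by_severity: dict[str, int] = {}
    for inc in incidents:
        by_severity[inc.severity] = by_severity.get(inc.severity, 0) + 1
    within_target = sum(1 for h in contain if h <= containment_target_hours)
    return {
        "incidents_handled": len(incidents),
        "mean_hours_per_incident": round(mean(totals), 2),
        "median_hours_per_incident": round(median(totals), 2),
        "mean_hours_to_contain": round(mean(contain), 2),
        "share_contained_within_target": round(within_target / len(incidents), 2),
        "by_severity": by_severity,
    }


# Constructed sample data (not real incidents).
_T0 = datetime(2008, 12, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    ClosedIncident("INC-0001", "high", _T0,
                   _T0 + timedelta(hours=2), _T0 + timedelta(hours=30), 12),
    ClosedIncident("INC-0002", "low", _T0 + timedelta(days=3),
                   _T0 + timedelta(days=3, hours=1), _T0 + timedelta(days=3, hours=5), 1),
    ClosedIncident("INC-0003", "medium", _T0 + timedelta(days=7),
                   _T0 + timedelta(days=7, hours=6), _T0 + timedelta(days=7, hours=16), 3),
]

if __name__ == "__main__":
    print(team_metrics(SAMPLE_INCIDENTS))
```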
  • 64. Post-Incident Activity (cont'd)
    Evidence Retention
    • Policies should be created for how long the evidence from an incident has to be retained
    • The factors to be considered for policy creation are:
      • When prosecuting the attacker, the evidence needs to be retained until the legal actions are completed
      • Most organizations have data retention policies that state how long certain types of data may be kept
  • 65. Education, Training, and Awareness
    An education, training, and awareness program teaches people how to handle computer-related incidents.
    Education and training provide the skills required to implement the incident handling policies.
    Practical training removes developmental errors, improves procedures, and reduces the occurrence of miscommunication.
    Well-trained members can prevent an incident or limit the resulting damage.
  • 66. Education, Training, and Awareness (cont'd)
    Training should be conducted at specified intervals, and it should include:
    • Identification and operation of the utility shut-off devices
    • Location of the incident handling areas
    • Emergency responsibilities and re-assignment plans for all positions
    The awareness campaign should be designed for several purposes, such as:
    • Knowledge and participation
    • Communicating the plan's strategies
    • Contingency arrangements
  • 67. Post-Incident Report
    Post-Incident Report
      Incident Ref. No.: ________
      Bureau/Department: ________
    Reporting Officer Details
      Report Date: ________
      Reported By Name: ________
      Designation: ________
      Phone No.: ________
      Email Addr.: ________
    Incident Details
      Incident Date: ________
      Type of Incident: ________
      System Name and Description: ________
      Summary of Incident: ________
  • 68. Post-Incident Report (cont'd)
      Event Sequence: (Date / Time | Event)
      Action Taken and Result: ________
      Current System Status: ________
      Personnel Involved: (Name | Designation | Phone No. | Email | Eec. | Role)
      Hacker Details (if any): ________
      Computer Virus Details (if any): ________
      Other Affected Sites/Systems: ________
      Damage (including disruption/suspension of service): ________
      Cost Factor (including loss caused by the incident and the recovery cost/manpower): ________
      Recommended Action to Prevent Recurrence: ________
      Other Comments: ________
      Experience Learnt: ________
  • 69. Procedural and Technical Countermeasures
    Media is Downgraded or Declassified:
    • Information is downgraded or declassified depending on the loss of sensitivity of the information due to the passage of time or on the occurrence of a specific event
    • Declassification is not automatically an approval for public disclosure
    Destruction/Sanitization of Media:
    • Media sanitization is the process of deleting confidential data from storage media with reasonable assurance that the data cannot be retrieved and reconstructed
    • The sanitization process is especially important when storage media are transferred, become obsolete or no longer usable, or are no longer required by an information system
    • Destruction of media is the ultimate form of sanitization
    • Once the media is destroyed, it cannot be recycled as originally intended
    Emergency Destruction:
    • The activity must account for the volume, level, and sensitivity of the classified material
    • The sensitivity of the operational assignment
    • The potential for aggressive action
  • 70. Vulnerability Resources
    US-CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls/):
    • Publishes information about a wide variety of vulnerabilities, including their technical descriptions, impact, solutions and workarounds, and lists of the affected vendors
    National Vulnerability Database (http://nvd.nist.gov/):
    • The U.S. government repository of standards-based vulnerability management data, including databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics
    Common Vulnerabilities and Exposures List (http://cve.mitre.org/):
    • A list or dictionary of publicly known information security vulnerabilities and exposures, international in scope and free for public use
  • 71. CSIRT
  • 72. What is a CSIRT?
    Computer Security Incident Response Team (CSIRT):
    • A CSIRT provides 24x7 computer security incident response services to any user, company, government agency, or organization
    • It provides a reliable and trusted single point of contact for reporting computer security incidents worldwide
    • It provides the means for reporting incidents and disseminating important incident-related information
  • 73. CSIRT: Goals and Strategy
    Goals of a CSIRT:
    • To manage security problems by taking a proactive approach towards customers' security vulnerabilities and by responding effectively to potential information security incidents
    • To minimize and control the damage
    • To provide or assist with effective response and recovery
    • To prevent future events
    Strategy of a CSIRT:
    • It provides a single point of contact for reporting local problems
    • It identifies and analyzes what has happened, including the impact and threat
    • It researches solutions and mitigation strategies
    • It shares response options, information, and lessons learned
  • 74. CSIRT Vision
    The CSIRT vision is to:
    • Identify the organization
    • Specify the mission, goals, and objectives of the organization
    • Select the services to be offered by the CSIRT
    • Determine how the CSIRT should be structured for the organization
    • Plan the budget required by the organization to implement and manage the CSIRT
    • Determine the resources (equipment, staff, infrastructure) to be used by the CSIRT
  • 75. Motivation behind CSIRTs
    • An increase in the number of computer security incidents being reported, and an increase in the number and type of organizations being affected by computer security incidents
    • A more focused awareness by organizations of the need for security policies and practices as part of their overall risk-management strategies
    • New laws and regulations that affect how organizations are required to protect their information assets
    • The realization that system and network administrators alone cannot protect organizational systems and assets
    • The realization that a prepared plan and strategy is required
  • 76. Why Does an Organization Need an Incident Response Team?
    • Incident Response Team helps organizations to recover from computer security breaches and threats
    • It is a formalized team that performs incident response work as its major job function
    • As an ad-hoc team, it is responsible for ongoing computer security incident
  • 77. Who Works in a CSIRT?
    CSIRT staff roles may include:
    • Manager or team lead
    • Assistant managers, supervisors, or group leaders
    • Hotline, help desk, or triage staff
    • Incident handlers
    • Vulnerability handlers
    • Artifact analysis staff
    • Platform specialists
    • Trainers
    • Technology watch
    Other roles may include:
    • Support staff
    • Technical writers
    • Network or system administrators, CSIRT infrastructure staff
    • Programmers or developers (to build CSIRT tools)
    • Web developers and maintainers
    • Media relations
    • Legal or paralegal staff or liaison
    • Law enforcement staff or liaison
    • Auditors or quality assurance staff
    • Marketing staff
  • 78. Staffing Your Computer Security Incident Response Team: What are the Basic Skills Needed?
    Basic Skills:
    Personal Skills
    • Communication: written and oral, presentation skills
    • Diplomacy
    • Ability to follow policies and procedures
    • Team skills
    • Integrity
    • Knowing one's limits
    • Coping with stress
    • Problem solving
    • Time management
    Technical Skills
    • Programming skills
    • Incident handling skills
  • 79. Team Models
    Incident response team structure models fall into one of three categories:
    • Central Incident Response Team
    • Distributed Incident Response Teams
    • Coordinating Team
    Incident response teams can also use any of three staffing models:
    • Employees
    • Partially Outsourced
    • Fully Outsourced
  • 80. Delegation of Authority
    A properly planned delegation of authority ensures an effective response to incidents in accordance with the organization’s response policy
    Members of the incident response team should be given authority according to their skills, expertise, and experience
    Delegation of authority includes:
    • Allocation of tasks
    • Empowerment
    • Assignment of responsibility
    • Accountability
  • 81. CSIRT Services Can be Grouped into Three Categories
    Reactive services:
    • These services are triggered by an event or request, such as a report of a compromised host, wide-spreading malicious code, software vulnerability, or something that was identified by an intrusion detection or logging system
    • They are the core component of CSIRT’s work
    Proactive services:
    • These services provide assistance and information to prepare, protect, and secure constituent systems in anticipation of attacks, problems, or events
    • Performance of these services will directly reduce the number of incidents in the future
  • 82. CSIRT Services Can be Grouped into Three Categories (cont’d)
    Security quality management services:
    • These services augment the existing and well-established services that are independent of incident handling and traditionally performed by other areas of an organization such as the IT, audit, or training departments
    • If the CSIRT performs or assists with these services, the CSIRT’s point of view and expertise can provide insight to improve the overall security of the organization and identify risks, threats, and system weaknesses
    • These services are generally proactive but contribute indirectly to reducing the number of incidents
  • 83. CSIRT Case Classification
    Incident Categories: All incidents managed by the CSIRT should be classified into one of the categories listed below:
    Incident Category | Sensitivity* | Description
    [category not recoverable from source] | S3 | DOS or DDOS attack.
    Forensics | S1 | Any forensic work to be done by CSIRT.
    Compromised Information | S1 | Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property.
    Compromised Asset | S1, S2 | Compromised host (root account, Trojan, rootkit), network device, application, user account. This includes malware-infected hosts where an attacker is actively controlling the host.
    Unlawful Activity | S1 | Theft / Fraud / Human Safety / Child Porn. Computer-related incidents of a criminal nature, likely involving law enforcement, Global Investigations, or Loss Prevention.
    Internal Hacking | S1, S2, S3 | Reconnaissance or suspicious activity originating from inside the Company corporate network, excluding malware.
    External Hacking | S1, S2, S3 | Reconnaissance or suspicious activity originating from outside the Company corporate network (partner network, Internet), excluding malware.
    Malware | S3 | A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that are being actively controlled by an attacker via a backdoor or Trojan. (See Compromised Asset)
    Email | S3 | Spoofed email, SPAM, and other email security-related events.
    Consulting | S1, S2, S3 | Security consulting unrelated to any confirmed incident.
    Policy Violations | S1, S2, S3 | Sharing offensive material, sharing/possession of copyright material; deliberate violation of Infosec policy; inappropriate use of corporate asset such as computer, network, or application; unauthorized escalation of privileges or deliberate attempt to subvert access controls.
  • 84. Types of Incidents and Level of Support
    The computer security incident response team will assign resources according to the following priorities, listed in decreasing order:
    • Threats to the physical safety of human beings
    • Root or system-level attacks on any machine, either multi-user or dedicated-purpose
    • Compromise of the restricted confidential service accounts or software installations, particularly those with authorized access to the confidential data
    • Denial of service attacks on any of the service accounts or software installations
  • 85. Types of Incidents and Level of Support (cont’d)
    The computer security incident response team will assign resources according to the following priorities, listed in decreasing order:
    • Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks, and destructive virus outbursts
    • Compromise of the individual’s user accounts, i.e. unauthorized access to a user or service account
    • Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. Netnews and e-mail forgery, unauthorized use of IRC bots
    • Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent
  • 86. Service Description Attributes
    For each service provided, the CSIRT should provide its constituency with service descriptions (or formal service level agreements) in as much detail as possible. In particular, any service provided by the CSIRT should include an explanation of the attributes and descriptions as outlined in the table below:
    Attribute | Description
    Objective | Purpose and nature of the service
    Definition | Description of scope and depth of service
    Function Descriptions | Descriptions of individual functions within the service
    Availability | The conditions under which the service is available: to whom, when and how
    Quality Assurance | Quality assurance parameters applicable for the service. Includes both setting and limiting of constituency expectations
    Interactions and Information Disclosure | The interactions between the CSIRT and parties affected by the service, such as the constituency, other teams, and the media. Includes setting information requirements for parties accessing the service, and defining the strategy with regards to the disclosure of information (both restricted and public)
    Interfaces with Other Services | Define and specify the information flow exchange points between this service and other CSIRT services it interacts with
    Priority | The relative priorities of functions within the service, and of the service versus other CSIRT services
  • 87. Incident Specific Procedures-I (Virus and Worm Incidents)
    • Step 1: Isolate the system
    • Step 2: Notify the appropriate people
    • Step 3: Identify the problem
    • Step 4: Prevent the virus or worm from further infecting
    • Step 5: Inoculate the system(s)
    • Step 6: Return to a normal operating mode
    • Step 7: Follow up analysis
  • 88. Incident Specific Procedures-II (Hacker Incidents)
    (A) Attempted Probes into a State of Vermont System
    • Step 1: Identify the problem
    • Step 2: Notify the appropriate people
    • Step 3: Identify the attacker
    • Step 4: Notify CERT
    • Step 5: Follow up analysis
    (B) Active Hacker Activity
    • Step 1: Notify the appropriate people
    • Option 1: Removal of attacker from the system
      • Step 2: Snap-shot the system
      • Step 3: Lock out the attacker
      • Step 4: Restore the system
      • Step 5: Notify other agencies
      • Step 6: Follow up analysis
    • Option 2: Monitoring of the attacker’s activity
    (C) Evidence of Past Incidents
    Log all actions in every phase*
  • 89. Incident Specific Procedures-III (Social Incidents, Physical Incidents)
    Social Incidents:
    • Step 1: Identify potential risk
    • Log all actions*
    Physical Incidents:
    • Step 2: Notify the appropriate people
    • Log all actions*
  • 90. How CSIRT Handles a Case: Steps
    • Inform the appropriate people
    • Keep a log book
    • Release the information
    • Maintain a list of contacts
    • Report
    • Follow up analysis
  • 91. US-CERT Incident Reporting System
    US-CERT is a partnership between the Department of Homeland Security and the public and private sectors. Established to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. This system is used to report cyber-related incidents to US-CERT.
  • 92. US-CERT Incident Reporting System (Cont’d)
  • 93. CSIRT Incident Report Form
  • 94. CERT(R) Coordination Center: Incident Reporting Form
  • 95. Examples of CSIRTs
    • Internal CSIRTs provide services to their parent organization, such as a bank, manufacturing company, university, or government agency
    • National CSIRTs provide services to an entire nation, an example being the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
    • Analysis Centers synthesize data and determine trends and patterns in incident activity to predict future activity or provide early warnings
    • Vendor teams identify vulnerabilities in software and hardware products
    • Incident Response Providers offer services to paying clients
  • 96. Best Practices for Creating a CSIRT
    • Step 1: Obtain management support and buy-in
    • Step 2: Determine the CSIRT strategic plan
    • Step 3: Gather relevant information
    • Step 4: Design the CSIRT vision
    • Step 5: Communicate the CSIRT vision and operational plan
    • Step 6: Begin CSIRT’s implementation
    • Step 7: Announce the operational CSIRT
  • 97. Step 1: Obtain Management Support and Buy-in
    Without management approval and support, creating an effective incident response capability can be difficult and problematic
    • Once the team is established, how is it maintained and expanded with budget, personnel, and equipment resources?
    • Will the role and authority of the CSIRT continue to be backed by management across the various constituencies or parent organization?
  • 98. Step 2: Determine the CSIRT Development Strategic Plan
    • Are there specific timeframes to be met? Are they realistic, and if not, can they be changed?
    • Is there a project group? Where do the group members come from?
    • How do you let the organization know about the development of the CSIRT?
    • If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?
  • 99. Step 3: Gather Relevant Information
    Meet with key stakeholders to discuss the expectations, strategic direction, definitions, and responsibilities of the CSIRT
    The stakeholders could include:
    • Business managers
    • Representatives from IT
    • Representatives from the legal department
    • Representatives from human resources
    • Representatives from public relations
    • Any existing security groups, including physical security
    • Audit and risk management specialists
  • 100. Step 4: Design your CSIRT Vision
    In creating your vision, you should:
    • Identify your constituency: Who does the CSIRT support and service?
    • Define your CSIRT mission, goals, and objectives: What does the CSIRT do for the identified constituency?
    • Select the CSIRT services to provide to the constituency (or others): How does the CSIRT support its mission?
    • Determine the organizational model: How is the CSIRT structured and organized?
    • Identify required resources: What staff, equipment, and infrastructure are needed to operate the CSIRT?
    • Determine your CSIRT funding: How is the CSIRT funded for its initial startup and its long-term maintenance and growth?
  • 101. Step 5: Communicate the CSIRT Vision
    • Communicate the CSIRT’s vision and operational plan to the management, constituency, and others who need to know and understand its operations
    • As appropriate, make adjustments to the plan based on their feedback
  • 102. Step 6: Begin CSIRT Implementation
    • Hire and train the initial CSIRT staff
    • Buy equipment and build any necessary network infrastructure to support the team
    • Develop the initial set of CSIRT policies and procedures to support your services
    • Define the specifications for and build your incident-tracking system
    • Develop incident-reporting guidelines and forms for your constituency
  • 103. Step 7: Announce the CSIRT
    • When the CSIRT is operational, announce it to the constituency or parent organization
    • It is best if this announcement comes from sponsoring management
    • Include the contact information and hours of operation for the CSIRT in the announcement
    • This is an excellent time to make the CSIRT incident-reporting guidelines available
  • 104. Limits to Effectiveness in CSIRTs
    A fundamental problem for a CSIRT is to balance a growing work load with limited human resources
    Remedy:
    • A CSIRT can work smarter by investing in automation
    • Policy experimentation and future scenarios
    • When a problem is well-understood, it can be solved. This is typically accomplished by altering some of the policies in the system, or by reengineering parts of it
  • 105. Working Smarter by Investing in Automated Response Capability
    Figure: Working smarter by investing in automated response capability
  • 106. World CERTs
  • 107. World CERTs
    Asia Pacific CERTs
    • Australia CERT (AUSCERT)
    • Hong Kong CERT (HKCERT/CC)
    • Indonesian CSIRT (ID-CERT)
    • Japan CERT-CC (JPCERT/CC)
    • Korea CERT (CERT-KR)
    • Malaysia CERT (MyCERT)
    • Pakistan CERT (PakCERT)
    • Singapore CERT (SingCERT)
    • Taiwan CERT (TWCERT)
    • China CERT (CNCERT/CC)
    North American CERTs
    • CERT-CC
    • US-CERT
    • Canadian Cert
    • Cancert
    • Forum of Incident Response and Security Teams
    • FIRST
    South American CERTs
    • CAIS
    • CAIS - Brazilian Research Network CSIRT
    • NIC BR Security Office Brazilian CERT
    • NBS
    European CERTs
    • EuroCERT
    • FUNET CERT
    • CERTA
    • DFN-CERT
    • JANET-CERT
    • CERT-NL
    • UNINETT-CERT
    • CERT-NASK
    • Swiss Academic and Research Network CERT
  • 108. Australia CERT (AUSCERT)
  • 109. Hong Kong CERT (HKCERT/CC)
  • 110. Indonesian CSIRT (ID-CERT)
  • 111. Japan CERT-CC (JPCERT/CC)
  • 112. Singapore CERT (SingCERT)
  • 113. Taiwan CERT (TWCERT)
  • 114. China CERT (CNCERT/CC)
  • 115. CERT-CC
  • 116. US-CERT
  • 117. Canadian Cert
  • 118. Forum of Incident Response and Security Teams
  • 119. CAIS
  • 120. NIC BR Security Office Brazilian CERT
  • 121. EuroCERT
  • 122. FUNET CERT
  • 123. DFN-CERT
  • 124. JANET-CERT
  • 125. http://www.first.org/about/organization/teams/
  • 126. http://www.apcert.org/about/structure/members.html
  • 127. IRTs Around the World (Courtesy of CERT/CC, ©Carnegie Mellon University 2003)
  • 128. Summary
    • The increase in the number of products and the relative increase in the number of hacking tools have put security in the spotlight
    • A computer security incident is defined as any real or suspected adverse event in relation to the security of computer systems or computer networks
    • Handling incidents involves three basic functions: incident reporting, incident analysis, and incident response
    • Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format
    • CSIRT provides rapid response to maintain the security and integrity of the systems
    • Without management’s approval and support, creating an effective incident response capability can be difficult and problematic