SlideShare ist ein Scribd-Unternehmen logo

First Response - Session 11 - Incident Response [2004]

Als PPTX, PDF herunterladen
Phil Huggins FBCS CITP
Phil Huggins FBCS CITP

The eleventh session from a two day course I ran for potential first responders in a large financial services client.

BusinessTechnologie
1 von 16
Phil Huggins February 2004
 Description  Isolation & Mitigation  Letter of Preservation  Additional Monitoring  External Notifications  Restoring the Systems  Securing the Systems  Summary Meeting
 The goal of this phase is to respond to the data and conclusions drawn in the assessment phase  This includes:  Isolating compromised systems  Acquisition of systems  Increased logging and monitoring  Restoring systems  Increasing security
 This phase restores the system/s to a known and trusted state  The secondary goal of this phase is securing similar hosts to prevent additional attacks or at least increase monitoring to identify future attacks  The lessons learned will be shared so that future incidents are more successful
 The goal of acquisition is to save the state of the system  Document everything (even mistakes)  Trust nothing on the suspect system  Suspect systems should be modified as little as possible  Chain of Custody must be kept for all potential court evidence
 Systems that have been identified as compromised must be isolated to prevent damage to other systems and further damage to it  When possible, unplug from the network and plug into an empty hub or switch (to prevent network unreachable errors)  If it must be kept online, restrict access to and from it using ACLs on routers and switches  Apply network monitoring to those systems that are not removed from the network
 When external systems are identified, a Letter of Preservation should be issued  Carries legal weight in the US  It requests that logs and other data be preserved and not deleted  Additional legal procedures are typically required before the data is actually transferred  The letter must specify a given host or person to save data about  An example can be found in the EnCase Legal Journal
 Additional network monitoring devices may need to be deployed to:  Detect and observe future attacks  Collect additional evidence of an ongoing attack  Provide data to help identify the incident scope  These devices can be built during the Readiness Phase  Logging levels on firewalls, IDS, and servers may need to be increased  Some monitoring may not be allowed depending on User Privacy Policies
 Snort (http://www.snort.org)  Ethereal (http://www.ethereal.com)  tcpdump (http://tcpdump.org)  snoop (Included in Solaris)  NetWitness (http://www.forensicexplorers.com)
 Windump (http://windump.polito.it)  Snort (http://www.snort.org)  Etherpeek (http://www.wildpackets.com)  Ethereal (http://www.ethereal)  Net X-Ray (http://www.netxray.co.uk)  SnifferTechnologies (http://www.networkassociates.com/us/products/sn iffer/home.asp)  eEye Iris (http://www.eeye.com/html/Products/Iris/index.htm l)
 Niksun (http://www.axial.co.uk/niksun/niksun_produ cts.asp) DigitalGuardian (http://www.verdasys.com)
 FBI  Local Police Force  FIRST (www.first.org)  incidents.org (SANS)  incidents@securityfocus.com  Any public postings must be from a generic email account (watch out for X-headers with free HTML-email)
 It is important to not restore data that has trojans or backdoors  If a backup is known to not be compromised, it can be used  Otherwise, start with a new install  Ensure that the system has all patches installed
 If the method of attack is known, secure the compromised host from it first  After, secure hosts with the same vulnerability  If the exact method is not known yet, ensure that monitoring is in place to detect future attacks  After a forensic analysis is performed, secure any vulnerabilities that were found  Additional filters may be applied to the recovered host to detect future attempts
 Each person involved with the incident should attend a summary meeting  This will cover what worked and what did not work  Policies and procedures should be modified appropriately  Any ‘tricks’ that were discovered should be documented to help future responders
 This phase performs actions based on data found in the Assessment Phase  Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected  External organizations may provide support or assistance  Ensure security holes are plugged and risks mitigated

Empfohlen

Ch19
Ch19Ch19
Ch19Joe Christensen
 
Threat Intelligence + Secuirity Monitoring
Threat Intelligence + Secuirity MonitoringThreat Intelligence + Secuirity Monitoring
Threat Intelligence + Secuirity MonitoringTalha Riaz
 
What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...Alisha Henderson
 
Enhancing SIEM Correlation Rules Through Baselining
Enhancing SIEM Correlation Rules Through BaseliningEnhancing SIEM Correlation Rules Through Baselining
Enhancing SIEM Correlation Rules Through BaseliningErtugrul Akbas
 
Cs seminar 20070426
Cs seminar 20070426Cs seminar 20070426
Cs seminar 20070426Todd Deshane
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataErtugrul Akbas
 
Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Donald E. Hester
 
Lumension Security Solutions
Lumension Security SolutionsLumension Security Solutions
Lumension Security SolutionsHassaanSahloul
 

Empfohlen

Ch19
Ch19Ch19
Ch19Joe Christensen
 
Threat Intelligence + Secuirity Monitoring
Threat Intelligence + Secuirity MonitoringThreat Intelligence + Secuirity Monitoring
Threat Intelligence + Secuirity MonitoringTalha Riaz
 
What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...Alisha Henderson
 
Enhancing SIEM Correlation Rules Through Baselining
Enhancing SIEM Correlation Rules Through BaseliningEnhancing SIEM Correlation Rules Through Baselining
Enhancing SIEM Correlation Rules Through BaseliningErtugrul Akbas
 
Cs seminar 20070426
Cs seminar 20070426Cs seminar 20070426
Cs seminar 20070426Todd Deshane
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataErtugrul Akbas
 
Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Donald E. Hester
 
Lumension Security Solutions
Lumension Security SolutionsLumension Security Solutions
Lumension Security SolutionsHassaanSahloul
 
Continuous Monitoring: Getting Past Complexity & Reducing Risk
Continuous Monitoring: Getting Past Complexity & Reducing RiskContinuous Monitoring: Getting Past Complexity & Reducing Risk
Continuous Monitoring: Getting Past Complexity & Reducing RiskTripwire
 
Writing Nagios Plugins in Python
Writing Nagios Plugins in PythonWriting Nagios Plugins in Python
Writing Nagios Plugins in Pythonguesta6e653
 
SureLog SIEM Profiler
SureLog SIEM ProfilerSureLog SIEM Profiler
SureLog SIEM ProfilerErtugrul Akbas
 
Achieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationAchieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationTripwire
 
Outlier+Overview
Outlier+OverviewOutlier+Overview
Outlier+OverviewRami Mardini
 
IDS
IDSIDS
IDSprimeteacher32
 
Splunk for fisma
Splunk for fismaSplunk for fisma
Splunk for fismaGreg Hanchin
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...Donald E. Hester
 
Security assessment
Security assessmentSecurity assessment
Security assessmentAntonio Bristow
 
Trusted systems1
Trusted systems1Trusted systems1
Trusted systems1Sumita Das
 
Firewalls
FirewallsFirewalls
FirewallsSanjeevsharma620
 
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...Ertugrul Akbas
 
Ids 015 architecture and implementation of ids
Ids 015 architecture and implementation of idsIds 015 architecture and implementation of ids
Ids 015 architecture and implementation of idsjyoti_lakhani
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEMErtugrul Akbas
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Donald E. Hester
 
Vulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewVulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewSusan Rantall
 
CST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.comCST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.comagathachristie113
 
CST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.comCST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.comVSNaipaul15
 
CST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.comCST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.comagathachristie266
 
CST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.comCST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.comKeatonJennings104
 
Delivering Secure Projects
Delivering Secure ProjectsDelivering Secure Projects
Delivering Secure ProjectsPhil Huggins FBCS CITP
 
UK Legal Framework (2003)
UK Legal Framework (2003)UK Legal Framework (2003)
UK Legal Framework (2003)Phil Huggins FBCS CITP
 

Weitere ähnliche Inhalte

Was ist angesagt?

Continuous Monitoring: Getting Past Complexity & Reducing Risk
Continuous Monitoring: Getting Past Complexity & Reducing RiskContinuous Monitoring: Getting Past Complexity & Reducing Risk
Continuous Monitoring: Getting Past Complexity & Reducing RiskTripwire
 
Writing Nagios Plugins in Python
Writing Nagios Plugins in PythonWriting Nagios Plugins in Python
Writing Nagios Plugins in Pythonguesta6e653
 
Achieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationAchieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationTripwire
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...Donald E. Hester
 
Trusted systems1
Trusted systems1Trusted systems1
Trusted systems1Sumita Das
 
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...Ertugrul Akbas
 
Ids 015 architecture and implementation of ids
Ids 015 architecture and implementation of idsIds 015 architecture and implementation of ids
Ids 015 architecture and implementation of idsjyoti_lakhani
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Donald E. Hester
 
Vulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewVulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewSusan Rantall
 
CST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.comCST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.comagathachristie113
 
CST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.comCST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.comVSNaipaul15
 
CST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.comCST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.comagathachristie266
 
CST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.comCST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.comKeatonJennings104
 

Was ist angesagt? (20)

Continuous Monitoring: Getting Past Complexity & Reducing Risk
Continuous Monitoring: Getting Past Complexity & Reducing RiskContinuous Monitoring: Getting Past Complexity & Reducing Risk
Continuous Monitoring: Getting Past Complexity & Reducing Risk
 
Writing Nagios Plugins in Python
Writing Nagios Plugins in PythonWriting Nagios Plugins in Python
Writing Nagios Plugins in Python
 
SureLog SIEM Profiler
SureLog SIEM ProfilerSureLog SIEM Profiler
SureLog SIEM Profiler
 
Achieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationAchieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security Automation
 
Outlier+Overview
Outlier+OverviewOutlier+Overview
Outlier+Overview
 
IDS
IDSIDS
IDS
 
Splunk for fisma
Splunk for fismaSplunk for fisma
Splunk for fisma
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
 
Security assessment
Security assessmentSecurity assessment
Security assessment
 
Trusted systems1
Trusted systems1Trusted systems1
Trusted systems1
 
Firewalls
FirewallsFirewalls
Firewalls
 
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
Monitoring Privileged User Actions for Security and Compliance with SureLog: ...
 
Ids 015 architecture and implementation of ids
Ids 015 architecture and implementation of idsIds 015 architecture and implementation of ids
Ids 015 architecture and implementation of ids
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
 
Vulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewVulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) Overview
 
CST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.comCST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.com
 
CST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.comCST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.com
 
CST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.comCST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.com
 
CST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.comCST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.com
 

Andere mochten auch

Cyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksCyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksPhil Huggins FBCS CITP
 
First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]Phil Huggins FBCS CITP
 
First Responders Course - Session 8 - Digital Evidence Collection [2004]
First Responders Course - Session 8 - Digital Evidence Collection [2004]First Responders Course - Session 8 - Digital Evidence Collection [2004]
First Responders Course - Session 8 - Digital Evidence Collection [2004]Phil Huggins FBCS CITP
 
Security and Resilience Vulnerabilities in the UK’s Telecoms Networks
Security and Resilience Vulnerabilities in the UK’s Telecoms Networks Security and Resilience Vulnerabilities in the UK’s Telecoms Networks
Security and Resilience Vulnerabilities in the UK’s Telecoms Networks Phil Huggins FBCS CITP
 
First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]Phil Huggins FBCS CITP
 
PIANOS: Protecting Information About Networks The Organisation and It's Systems
PIANOS: Protecting Information About Networks The Organisation and It's Systems PIANOS: Protecting Information About Networks The Organisation and It's Systems
PIANOS: Protecting Information About Networks The Organisation and It's Systems Phil Huggins FBCS CITP
 
Penetration Testing; A customers perspective
Penetration Testing; A customers perspectivePenetration Testing; A customers perspective
Penetration Testing; A customers perspectivePhil Huggins FBCS CITP
 
PIANOS: Protecting Information About Networks The Organisation and It's Syste...
PIANOS: Protecting Information About Networks The Organisation and It's Syste...PIANOS: Protecting Information About Networks The Organisation and It's Syste...
PIANOS: Protecting Information About Networks The Organisation and It's Syste...Phil Huggins FBCS CITP
 

Andere mochten auch (20)

Delivering Secure Projects
Delivering Secure ProjectsDelivering Secure Projects
Delivering Secure Projects
 
UK Legal Framework (2003)
UK Legal Framework (2003)UK Legal Framework (2003)
UK Legal Framework (2003)
 
Cyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksCyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber Shocks
 
Resilience is the new cyber security
Resilience is the new cyber securityResilience is the new cyber security
Resilience is the new cyber security
 
First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]
 
Security Metrics [2008]
Security Metrics [2008]Security Metrics [2008]
Security Metrics [2008]
 
Countering Cyber Threats
Countering Cyber ThreatsCountering Cyber Threats
Countering Cyber Threats
 
Intelligence-led Cybersecurity
Intelligence-led Cybersecurity Intelligence-led Cybersecurity
Intelligence-led Cybersecurity
 
First Responders Course - Session 8 - Digital Evidence Collection [2004]
First Responders Course - Session 8 - Digital Evidence Collection [2004]First Responders Course - Session 8 - Digital Evidence Collection [2004]
First Responders Course - Session 8 - Digital Evidence Collection [2004]
 
Security and Resilience Vulnerabilities in the UK’s Telecoms Networks
Security and Resilience Vulnerabilities in the UK’s Telecoms Networks Security and Resilience Vulnerabilities in the UK’s Telecoms Networks
Security and Resilience Vulnerabilities in the UK’s Telecoms Networks
 
Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
 
First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]
 
PIANOS: Protecting Information About Networks The Organisation and It's Systems
PIANOS: Protecting Information About Networks The Organisation and It's Systems PIANOS: Protecting Information About Networks The Organisation and It's Systems
PIANOS: Protecting Information About Networks The Organisation and It's Systems
 
Network Reconnaissance Infographic
Network Reconnaissance InfographicNetwork Reconnaissance Infographic
Network Reconnaissance Infographic
 
Penetration Testing; A customers perspective
Penetration Testing; A customers perspectivePenetration Testing; A customers perspective
Penetration Testing; A customers perspective
 
Introduction to Hacktivism
Introduction to HacktivismIntroduction to Hacktivism
Introduction to Hacktivism
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
PIANOS: Protecting Information About Networks The Organisation and It's Syste...
PIANOS: Protecting Information About Networks The Organisation and It's Syste...PIANOS: Protecting Information About Networks The Organisation and It's Syste...
PIANOS: Protecting Information About Networks The Organisation and It's Syste...
 
Measuring black boxes
Measuring black boxesMeasuring black boxes
Measuring black boxes
 
Probability Calibration
Probability CalibrationProbability Calibration
Probability Calibration
 

Ähnlich wie First Response - Session 11 - Incident Response [2004]

The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016Ashley Deuble
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response Darren Pauli
 
First Responders Course - Session 4 - Forensic Readiness [2004]
First Responders Course - Session 4 - Forensic Readiness [2004]First Responders Course - Session 4 - Forensic Readiness [2004]
First Responders Course - Session 4 - Forensic Readiness [2004]Phil Huggins FBCS CITP
 
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.pptabhichowdary16
 
Chapter 2Controlling a ComputerChapter 2 OverviewOverv
Chapter 2Controlling a ComputerChapter 2 OverviewOvervChapter 2Controlling a ComputerChapter 2 OverviewOverv
Chapter 2Controlling a ComputerChapter 2 OverviewOvervEstelaJeffery653
 
Checking Windows for signs of compromise
Checking Windows for signs of compromiseChecking Windows for signs of compromise
Checking Windows for signs of compromiseCal Bryant
 
Lecture26 cc-security1
Lecture26 cc-security1Lecture26 cc-security1
Lecture26 cc-security1Ankit Gupta
 
Security auditing architecture
Security auditing architectureSecurity auditing architecture
Security auditing architectureVishnupriya T H
 
Phases of Penetration Testing
Phases of Penetration TestingPhases of Penetration Testing
Phases of Penetration TestingKiwiQA
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comphanleson
 
What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorAnton Chuvakin
 
Intruders
IntrudersIntruders
Intruderstechn
 
Intruders
IntrudersIntruders
Intruderstechn
 

Ähnlich wie First Response - Session 11 - Incident Response [2004] (20)

Ch10 Conducting Audits
Ch10 Conducting AuditsCh10 Conducting Audits
Ch10 Conducting Audits
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
 
First Responders Course - Session 4 - Forensic Readiness [2004]
First Responders Course - Session 4 - Forensic Readiness [2004]First Responders Course - Session 4 - Forensic Readiness [2004]
First Responders Course - Session 4 - Forensic Readiness [2004]
 
Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
 
Ch18
Ch18Ch18
Ch18
 
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
 
Chapter 2Controlling a ComputerChapter 2 OverviewOverv
Chapter 2Controlling a ComputerChapter 2 OverviewOvervChapter 2Controlling a ComputerChapter 2 OverviewOverv
Chapter 2Controlling a ComputerChapter 2 OverviewOverv
 
Checking Windows for signs of compromise
Checking Windows for signs of compromiseChecking Windows for signs of compromise
Checking Windows for signs of compromise
 
CH18-CompSec4e.pptx
CH18-CompSec4e.pptxCH18-CompSec4e.pptx
CH18-CompSec4e.pptx
 
Lecture26 cc-security1
Lecture26 cc-security1Lecture26 cc-security1
Lecture26 cc-security1
 
Security auditing architecture
Security auditing architectureSecurity auditing architecture
Security auditing architecture
 
Phases of Penetration Testing
Phases of Penetration TestingPhases of Penetration Testing
Phases of Penetration Testing
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.com
 
What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And Monitor
 
22-ch7.pptx
22-ch7.pptx22-ch7.pptx
22-ch7.pptx
 
Intruders
IntrudersIntruders
Intruders
 
Intruders
IntrudersIntruders
Intruders
 
Ch06 Policy
Ch06 PolicyCh06 Policy
Ch06 Policy
 

Kürzlich hochgeladen

John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfAmzadHosen3
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communicationskarancommunications
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...Aggregage
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...lizamodels9
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANA DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsP&CO
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxWorkforce Group
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1kcpayne
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noidadlhescort
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayNZSG
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 

Kürzlich hochgeladen (20)

John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdf
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANA DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 

First Response - Session 11 - Incident Response [2004]

  • 2.  Description  Isolation & Mitigation  Letter of Preservation  Additional Monitoring  External Notifications  Restoring the Systems  Securing the Systems  Summary Meeting
  • 3.  The goal of this phase is to respond to the data and conclusions drawn in the assessment phase  This includes:  Isolating compromised systems  Acquisition of systems  Increased logging and monitoring  Restoring systems  Increasing security
  • 4.  This phase restores the system/s to a known and trusted state  The secondary goal of this phase is securing similar hosts to prevent additional attacks or at least increase monitoring to identify future attacks  The lessons learned will be shared so that future incidents are more successful
  • 5.  The goal of acquisition is to save the state of the system  Document everything (even mistakes)  Trust nothing on the suspect system  Suspect systems should be modified as little as possible  Chain of Custody must be kept for all potential court evidence
  • 6.  Systems that have been identified as compromised must be isolated to prevent damage to other systems and further damage to it  When possible, unplug from the network and plug into an empty hub or switch (to prevent network unreachable errors)  If it must be kept online, restrict access to and from it using ACLs on routers and switches  Apply network monitoring to those systems that are not removed from the network
  • 7.  When external systems are identified, a Letter of Preservation should be issued  Carries legal weight in the US  It requests that logs and other data be preserved and not deleted  Additional legal procedures are typically required before the data is actually transferred  The letter must specify a given host or person to save data about  An example can be found in the EnCase Legal Journal
  • 8.  Additional network monitoring devices may need to be deployed to:  Detect and observe future attacks  Collect additional evidence of an ongoing attack  Provide data to help identify the incident scope  These devices can be built during the Readiness Phase  Logging levels on firewalls, IDS, and servers may need to be increased  Some monitoring may not be allowed depending on User Privacy Policies
  • 9.  Snort (http://www.snort.org)  Ethereal (http://www.ethereal.com)  tcpdump (http://tcpdump.org)  snoop (Included in Solaris)  NetWitness (http://www.forensicexplorers.com)
  • 10.  Windump (http://windump.polito.it)  Snort (http://www.snort.org)  Etherpeek (http://www.wildpackets.com)  Ethereal (http://www.ethereal)  Net X-Ray (http://www.netxray.co.uk)  SnifferTechnologies (http://www.networkassociates.com/us/products/sn iffer/home.asp)  eEye Iris (http://www.eeye.com/html/Products/Iris/index.htm l)
  • 12.  FBI  Local Police Force  FIRST (www.first.org)  incidents.org (SANS)  incidents@securityfocus.com  Any public postings must be from a generic email account (watch out for X-headers with free HTML-email)
  • 13.  It is important to not restore data that has trojans or backdoors  If a backup is known to not be compromised, it can be used  Otherwise, start with a new install  Ensure that the system has all patches installed
  • 14.  If the method of attack is known, secure the compromised host from it first  After, secure hosts with the same vulnerability  If the exact method is not known yet, ensure that monitoring is in place to detect future attacks  After a forensic analysis is performed, secure any vulnerabilities that were found  Additional filters may be applied to the recovered host to detect future attempts
  • 15.  Each person involved with the incident should attend a summary meeting  This will cover what worked and what did not work  Policies and procedures should be modified appropriately  Any ‘tricks’ that were discovered should be documented to help future responders
  • 16.  This phase performs actions based on data found in the Assessment Phase  Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected  External organizations may provide support or assistance  Ensure security holes are plugged and risks mitigated