Chapter 11

Incident Response


ATHENA



Incident Response Overview



Computer Forensics Defined



Contemporary Issues in Computer Forensics



Forensic Process



Forensic Tools



Forensic Problems



The Future of Computer Forensics


Incident Response –
Why is it Critical?


Resolve the problem
• Find out what happened
• How it happened
• Who did it



Create a record of the incident for later use



Create a record to observe trends
Create a record to improve processes
Avoid confusion




ATHENA



Elements of Incident Response

ATHENA



Preparation



Identification



Containment



Eradication



Recovery



Follow-up


Preparation

Without adequate preparation, it is extremely likely
that response efforts to an incident will be
disorganized and that there will be considerable
confusion among personnel. Preparation limits
the potential for damage by ensuring response
actions are known and coordinated.

ATHENA


Identification
The process of determining whether or not an
incident has occurred and the nature of an
incident. Identification may occur through the
use of automated network intrusion
equipment or by a user or SA.
Identification is a difficult process. Noticing the
symptoms of an incident is often difficult.
There are many false positives. However,
noticing an anomaly should drive the observer
to investigate further.

ATHENA


Who can identify an Incident







ATHENA

Users – My system is slow, my mail is missing,
my files have changed
System support personnel – servers locked up,
files missing, accounts add/deleted, weird stuff
happening , anomalies in the logs
Intrusion Detection Systems and Firewalls –
Automatically ID violations to policies


Possible Incident Classifications




ATHENA

Unauthorized Privileged (root) Access – Access gained to a
system and the use of root privileges without authorization.
Unauthorized Limited (user) Access – Access gained to a
system and the use of user privileges without authorization.
Unauthorized Unsuccessful Attempted Access – Repeated
attempt to gain access as root or user on the same host,
service, or system with a certain number of connections
from the same source.



Possible Incident Classifications
(cont.)





ATHENA

Unauthorized Probe – Any attempt to gather information about
a system or user on-line by scanning a site and accessing ports
through operating system vulnerabilities.
Poor Security Practices – Bad passwords, direct privileged
logins, etc, which are collected from network monitor systems.
Denial of Service (DOS) Attacks – Any action that preempts or
degrades performance of a system or network affecting the
mission, business, or function of an organization.


Possible Incident
Classifications (cont.)


ATHENA

Malicious Logic – Self-replicating software that is
viral in nature; is disseminated by attaching to or
mimicking authorized computer system files; or acts
as a trojan horse, worm, malicious scripting, or a logic
bomb. Usually hidden and some may replicate.

Effects can range from simple monitoring of traffic to
complicated automated backdoor with full system
rights.


Possible Incident Classifications
(cont.)





ATHENA

Hardware/Software Failure – Non-malicious failure of
HW or SW assets.
Infrastructure Failure – Non-malicious failure of
supporting infrastructure to include power failure, natural
disasters, forced evacuation, and service providers failure
to deliver services.
Unauthorized Utilization of Services – This can include
game play, relaying mail without approval, creating dialup access, use organizational equipment for personal
gain, and personal servers on the network.


Containment

The process of limiting the scope and magnitude of an
incident.
As soon as it is recognized that an incident has occurred

or is occurring, steps should immediately be taken to
contain the incident.

ATHENA


Containment - Example




Incidents involving using malicious code are
common, and since malicious code incidents can
spread rapidly, massive destruction and
compromise of information is possible.
It is not uncommon to find every workstation
connected to a LAN infected when there is a virus
outbreak.
• Internet Worm of 1988 attacked 6,000 computers in
the U.S. in one day.
• LoveBug Virus affected over 10Million computers
with damage estimated between $2.5B-$10B US
• Kournikova worm affects still being analyzed

ATHENA


Eradication




The process of removing the cause of the incident.
• For a virus – anti-virus software is best
• For a network may involve block/filter IP address at the
router/firewall
• Ideally, but difficult, best eradicated by bringing the
perpetrators into legal custody and convicting them in a
court of law.

ATHENA


Recovery


The process of restoring a system to its normal
operating status
• Unsuccessful incidents – assure system operation and
data not affected
• Complex and/or successful incidents – May require
complete restoration from known clean system backups.
Essential to assure the backups integrity and to verify
restore operation was successful

ATHENA


Follow-Up






Critical
Helps to improve incident handling procedures
Address efforts to prosecute perpetrators
Activities Include:
•
•
•
•

ATHENA

Analyze the Incident and the Response
Analyze the Cost of the Incident
Prepare a Report
Revise Policies and Procedures


What is Computer Forensics?
Computer Forensics can be defined simply,
as a process of applying scientific and
analytical techniques to computer
Operating Systems and File Structures in
determining the potential for Legal
Evidence.

ATHENA



Why is Evidence important?

ATHENA



In the legal world, Evidence is
EVERYTHING.



Evidence is used to establish facts.



The Forensic Examiner is not biased.


Who needs Computer Forensics?

ATHENA



The Victim!



Law Enforcement




Insurance Carriers



Ultimately the Legal System


Who are the Victims?

•Private Business
•Government
•Private Individuals

ATHENA


ATHENA


ATHENA


ATHENA


Reasons for a Forensic Analysis


ATHENA



ID the perpetrator.



ID the method/vulnerability of the network
that allowed the perpetrator to gain access
into the system.



Conduct a damage assessment of the
victimized network.



Preserve the Evidence for Judicial action.


Types of Computer Forensics

ATHENA



Disk Forensics




Network Forensics



E-mail Forensics



Internet (Web) Forensics



Source Code Forensics