Chapter 11
Incident Response
ATHENA
Incident Response Overview
Computer Forensics Defined
Contemporary Issues in Computer Forensics
Forensic Process
Forensic Tools
Forensic Problems
The Future of Computer Forensics
Incident Response – Why is it Critical?
Resolve the problem
• Find out what happened
• How it happened
• Who did it
Create a record of the incident for later use
Create a record to observe trends
Create a record to improve processes
Avoid confusion
Elements of Incident Response
Preparation
Identification
Containment
Eradication
Recovery
Follow-up
Preparation
Without adequate preparation, it is extremely likely
that response efforts to an incident will be
disorganized and that there will be considerable
confusion among personnel. Preparation limits
the potential for damage by ensuring response
actions are known and coordinated.
Identification
The process of determining whether or not an
incident has occurred and, if so, its nature.
Identification may come from automated intrusion
detection systems, from a user, or from a system
administrator (SA).
Identification is a difficult process: the symptoms
of an incident are often subtle and there are
many false positives. Nevertheless, noticing an
anomaly should drive the observer to investigate
further.
Who can identify an Incident
Users – my system is slow, my mail is missing,
my files have changed
System support personnel – servers locked up,
files missing, accounts added/deleted, odd
behaviour, anomalies in the logs
Intrusion Detection Systems and Firewalls –
automatically identify violations of policy
Possible Incident Classifications
Unauthorized Privileged (root) Access – Access gained to a
system and the use of root privileges without authorization.
Unauthorized Limited (user) Access – Access gained to a
system and the use of user privileges without authorization.
Unauthorized Unsuccessful Attempted Access – Repeated
attempt to gain access as root or user on the same host,
service, or system with a certain number of connections
from the same source.
Possible Incident Classifications
(cont.)
Unauthorized Probe – Any attempt to gather information about
a system or user on-line, e.g. by scanning a site's ports and
services looking for operating system vulnerabilities.
Poor Security Practices – Bad passwords, direct privileged
logins, etc, which are collected from network monitor systems.
Denial of Service (DoS) Attacks – Any action that preempts or
degrades the performance of a system or network and so affects
the mission, business, or function of an organization.
Possible Incident
Classifications (cont.)
Malicious Logic – Software that is viral in nature and
self-replicating; that is disseminated by attaching to or
mimicking authorized computer system files; or that acts
as a trojan horse, worm, malicious script, or logic bomb.
Usually hidden; some variants replicate. Effects range
from simple monitoring of traffic to a fully automated
backdoor with full system rights.
Possible Incident Classifications
(cont.)
Hardware/Software Failure – Non-malicious failure of
HW or SW assets.
Infrastructure Failure – Non-malicious failure of
supporting infrastructure to include power failure, natural
disasters, forced evacuation, and service providers failure
to deliver services.
Unauthorized Utilization of Services – This can include
game play, relaying mail without approval, creating dial-up
access, use of organizational equipment for personal gain,
and personal servers on the network.
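The classifications above are stated in terms of log observations (repeated failures from one source, many ports touched by one source, a login that follows a run of failures). The following is an added example, not from the original slides, showing how those observations can be turned into an automatic first-pass classification of the kind an IDS or a log-watching SA would make. The sshd-style and netfilter-style log lines are constructed for illustration, and the two thresholds (`FAILED_LOGIN_THRESHOLD`, `PROBE_PORT_THRESHOLD`) are assumed values, not figures from the deck.

```python
# Added example (not from the original slides): a minimal classifier that
# maps constructed log lines onto the incident categories above. The log
# lines and the two thresholds are assumptions for illustration only.
import re
from collections import defaultdict

FAILED_LOGIN_THRESHOLD = 5   # assumed: failures from one source before it counts as an attempt
PROBE_PORT_THRESHOLD = 10    # assumed: distinct ports hit from one source before it counts as a probe

# Constructed sshd-style auth log lines (not real data).
AUTH_LOG = (
    [f"Mar  3 10:01:0{i} host1 sshd[201]: Failed password for root from 203.0.113.7 port 4000{i} ssh2"
     for i in range(8)]
    + ["Mar  3 10:01:09 host1 sshd[210]: Accepted password for root from 203.0.113.7 port 40009 ssh2",
       "Mar  3 10:02:00 host1 sshd[220]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2"]
    + [f"Mar  3 10:03:0{i} host1 sshd[230]: Failed password for bob from 198.51.100.9 port 5200{i} ssh2"
       for i in range(6)]
    + [f"Mar  3 10:04:0{i} host1 sshd[240]: Failed password for invalid user admin from 203.0.113.21 port 5300{i} ssh2"
       for i in range(3)]
)

# Constructed netfilter-style firewall drop lines (not real data).
FW_LOG = (
    [f"Mar  3 10:05:00 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT={port}"
     for port in range(21, 36)]
    + ["Mar  3 10:06:00 fw1 kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=42000 DPT=445",
       "Mar  3 10:06:01 fw1 kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=42001 DPT=139"]
)

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
FW_RE = re.compile(r"DROP .*SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*DPT=(?P<dport>\d+)")


def classify(auth_lines, fw_lines):
    """Return sorted (category, source, evidence) tuples for the given log lines."""
    failures = defaultdict(int)    # source IP -> number of failed logins
    successes = defaultdict(set)   # source IP -> usernames that logged in successfully
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failures[m["src"]] += 1
        else:
            successes[m["src"]].add(m["user"])

    probed_ports = defaultdict(set)  # source IP -> distinct destination ports hit
    for line in fw_lines:
        m = FW_RE.search(line)
        if m:
            probed_ports[m["src"]].add(int(m["dport"]))

    findings = []
    # A successful login preceded by failures from the same source: access was
    # gained by guessing. root makes it privileged access, anything else limited.
    for src, users in successes.items():
        n_failed = failures.get(src, 0)
        if n_failed == 0:
            continue   # a clean login with no failures is not evidence on its own
        if "root" in users:
            findings.append(("Unauthorized Privileged (root) Access", src,
                             f"{n_failed} failed logins then root login"))
        else:
            findings.append(("Unauthorized Limited (user) Access", src,
                             f"{n_failed} failed logins then login as {','.join(sorted(users))}"))
    # Repeated failures with no success from one source: an unsuccessful attempt.
    for src, n_failed in failures.items():
        if n_failed >= FAILED_LOGIN_THRESHOLD and src not in successes:
            findings.append(("Unauthorized Unsuccessful Attempted Access", src,
                             f"{n_failed} failed logins"))
    # One source touching many distinct ports: a probe/scan.
    for src, ports in probed_ports.items():
        if len(ports) >= PROBE_PORT_THRESHOLD:
            findings.append(("Unauthorized Probe", src,
                             f"{len(ports)} distinct ports {min(ports)}-{max(ports)}"))
    return sorted(findings)


if __name__ == "__main__":
    for category, src, evidence in classify(AUTH_LOG, FW_LOG):
        print(f"{category:45} {src:15} {evidence}")
```

Note what the rules deliberately do not flag: three failures from 203.0.113.21 stay below the assumed threshold, and alice's key-based login from a source with no failures is not reported. Both are the false-positive trade-off the Identification slide warns about; a finding from this kind of rule is the trigger for investigation, not the conclusion.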
Containment
The process of limiting the scope and magnitude of an
incident.
As soon as it is recognized that an incident has occurred
or is occurring, steps should immediately be taken to
contain the incident.
Containment - Example
Incidents involving malicious code are common,
and since malicious code can spread rapidly,
massive destruction and compromise of
information is possible.
It is not uncommon to find every workstation
connected to a LAN infected during a virus
outbreak.
• The Internet Worm of 1988 attacked some 6,000 computers
in the U.S. in one day.
• The LoveBug virus affected over 10 million computers,
with damage estimated between $2.5B and $10B US.
• The Kournikova worm's effects were still being analyzed
at the time of writing.
Eradication
The process of removing the cause of the incident.
• For a virus – removal with up-to-date anti-virus software is
the usual approach
• For a network attack – may involve blocking/filtering the
source IP address at the router/firewall
• Ideally, though difficult in practice, the cause is eradicated
by bringing the perpetrators into legal custody and convicting
them in a court of law.
Recovery
The process of restoring a system to its normal
operating status
• Unsuccessful incidents – confirm that system operation and
data were not affected
• Complex and/or successful incidents – may require
complete restoration from known-clean system backups.
It is essential to verify the integrity of the backups and to
verify that the restore operation was successful.
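The slide says to verify backup integrity and the restore, but not how. The following is an added example, not from the original slides, of the usual method: record a SHA-256 manifest of the backup set when it is taken, then re-hash the restored tree and diff it against the manifest, so that altered, missing and unexpected files are all reported. The directory layout and file contents built inside `demo()` are constructed for illustration. The same hash-at-acquisition, re-hash-before-use technique is what lets a forensic examiner show that preserved evidence has not changed.

```python
# Added example (not from the original slides): record a SHA-256 manifest of a
# backup, then verify a restored tree against it, reporting missing, modified
# and unexpected files. The directory layout and file contents in demo() are
# constructed for illustration.
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed end-to-end run: manifest a backup, restore it cleanly, then
    tamper with the restored copy and report what verification catches."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        (backup / "etc").mkdir(parents=True)
        (backup / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (backup / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (backup / "app.bin").write_bytes(b"\x7fELF" + b"\x00" * 16)
        manifest = build_manifest(backup)

        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)
        clean = verify_restore(manifest, restored)
        if any(clean.values()):
            raise RuntimeError(f"clean restore should verify: {clean}")

        # Simulate a bad or tampered restore: an extra uid-0 account, a lost
        # binary, and a file that was never in the backup.
        (restored / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        (restored / "app.bin").unlink()
        (restored / "etc" / "ld.so.preload").write_text("/tmp/x.so\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

The manifest only proves the restore matches what was backed up; it says nothing about whether the backup itself was taken before the compromise. That is why the slide insists on known-clean backups, and why the manifest should be stored apart from the system it describes.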
Follow-Up
Critical
Helps to improve incident handling procedures
Address efforts to prosecute perpetrators
Activities Include:
• Analyze the Incident and the Response
• Analyze the Cost of the Incident
• Prepare a Report
• Revise Policies and Procedures
What is Computer Forensics?
Computer Forensics can be defined simply as
the process of applying scientific and
analytical techniques to computer operating
systems and file structures in order to
determine their potential as legal evidence.
Why is Evidence important?
In the legal world, Evidence is
EVERYTHING.
Evidence is used to establish facts.
The Forensic Examiner is not biased.
Who needs Computer Forensics?
The Victim!
Law Enforcement
Insurance Carriers
Ultimately the Legal System
Who are the Victims?
•Private Business
•Government
•Private Individuals
Reasons for a Forensic Analysis
ID the perpetrator.
ID the method/vulnerability of the network
that allowed the perpetrator to gain access
into the system.
Conduct a damage assessment of the
victimized network.
Preserve the Evidence for Judicial action.
Types of Computer Forensics
Disk Forensics
Network Forensics
E-mail Forensics
Internet (Web) Forensics
Source Code Forensics