Computer Security Incident


COMPUTER SECURITY INCIDENT: DEFINITION

"Any real or suspected adverse event in relation to the security of computer systems or computer networks" (according to the 'CIRT FAQ' in CERT/CC)

A single or a series of unwanted or unexpected computer security events that have a significant probability of compromising business operations and threatening cybersecurity. (ISO definition)

There are no standard types for security Incidents!

INTRODUCTION: INCIDENT SAMPLES
- Scan activity against firewall servers
- Web defacement
- Information leakage
- Phishing sites
- Compromised server
- Espionage
- Intrusion
- DoS / DDoS attacks
- Use of a proxy server as an open proxy
- SMTP relay
- Virus infection
- SPAM
- Laptop theft
- Malware distribution
- Botnet and C&C
- One-click fraud
- Identity theft
- Unauthorized access

INTRODUCTION: INCIDENT RESPONSE
The process of addressing computer security incidents: Detect, Analyse, Limit.

General:
- Observe the system for unexpected behaviour or anything suspicious
- Investigate anything considered unusual
- If the investigation finds something that isn't explained by authorized activity, immediately initiate response procedures

Goals:
- Progress of the incident is halted
- Affected systems return to normal operations

INCIDENT RESPONSE: NEED FOR INCIDENT RESPONSE
- Even the most vigilant, secure organizations can come up against acts of fraud, theft, computer intrusions, and other computer security incidents.
- Without up-front planning for incident response, it is much more difficult to recover from an incident.

INCIDENT RESPONSE: POLICIES & PROCEDURES
Established procedures must be in place to:
- Detect & identify the attack
- Mitigate the damage
- Recover from the attack
These procedures used in incident response can be thought of as the incident handling life cycle. Without a formal process in place, critical information may be lost.

INCIDENT RESPONSE: INCIDENT HANDLING LIFE CYCLE
[Diagram: incident handling life cycle. Inputs (incident report, vulnerability report, IDS, hotline/helpdesk, call center) feed the handling steps: obtain contact information, coordinate information & response, provide technical assistance; output: resolution.]
Source: CERT/CC Incident Handling Life Cycle, in CERT/CC "Handbook for Computer Incident Response Teams (CIRTs)"

INCIDENT RESPONSE: SAMPLE OBJECTIVES
- Provide support for recovering from and dealing with incidents
- Provide technical support in response to computer security incidents
- Help to stop the attack
- Contain the damage
The objectives for incident response will be derived from the CIRT mission statement.

INCIDENT RESPONSE: CLASSIFICATION
- No consensus has emerged in the security community as to which taxonomy is the best.
- Prioritisation of incidents is based on multiple factors.
- Classification of an incident is done based on the mission, field of operation and other related elements.

INCIDENT HANDLING

INCIDENT HANDLING: PLAYERS INVOLVED
[Diagram: players in the incident handling procedure: Attacker, Victim, Reporter, Your CIRT, Other CIRTs, ISP, LEA]

INCIDENT HANDLING: LIFECYCLE IN A CIRT PERSPECTIVE
Preparation -> Receiving & Triage -> Identification & Analysis -> Containment -> Eradication & Recovery -> Follow Up

INCIDENT HANDLING: PREPARATION
To respond to an incident, the incident handling methodology is very important.

Communication & Facilities
- Email, telephone, internal communication
- POC (Point of Contact) list

Hardware & Software
- Incident response systems, information gathering systems
- Mail / Web / DB servers, monitoring system, remote access
- Printer & FAX, shredder, whiteboard & projector, notebook computers

Policy & Procedure
- Security policy, security plan
- Incident response policy, incident response plan
- Resource availability, capacity building
- RFC 2350 "Expectations for Computer Security Incident Response": types of incidents and level of support; co-operation, interaction and disclosure of information; communication and authentication

INCIDENT HANDLING: PREPARATION (continued)
To respond to an incident, the incident handling methodology is very important.

Building relationships with key players
- Law enforcement
- Human resources
- System administrators
- Legal counsel
- Fellow incident handlers

Incident checklists
- Checklists are guidelines
- Incident checklists are like memory joggers
- Don't use a checklist as the 10 Commandments

Incident handlers need to practice working incidents to hone their skills. One way to do this is to take part in a cyber drill at security conferences. Also work with other incident handlers in the area to set up practice sessions.

Response kit, onsite assignments, quick response enablers

Perform threat modeling: what are the kinds of attacks and incidents the team might encounter, technical and physical?

Communication plan
- In-band communication
- Out-of-band communication
- Build a central point of contact

Key questions
- How will we prepare for the incident?
- How will we identify the incident?
- How will we contain the incident?
- How will we eradicate the incident?
- How will we recover from the incident?
- How will we capture the lessons learned from the incident?

INCIDENT HANDLING: INCIDENT RESPONSE STRUCTURE: EXAMPLE
[Diagram only]

INCIDENT HANDLING: INCIDENT HANDLING SYSTEMS
[Diagram only]

INCIDENT HANDLING: BASICS
Receiving -> Triage -> Identification & Analysis -> Containment -> Eradication & Recovery -> Follow Up

INCIDENT HANDLING BASICS: PREPARATION
To respond to an incident, the incident handling methodology is very important.
- Communication & Facilities: external, internal, template
- Hardware & Software
- Policy & Procedure

INCIDENT HANDLING: RECEIVING

INCIDENT HANDLING: RECEIVING
Elements that allow the CIRT to receive incidents. The CIRT can rely on humans, machines or autonomous systems to report incidents. Some of the common channels that allow the CIRT to receive incidents are:
- Phone
- Email
- Portal
- Fax
- SMS

INCIDENT HANDLING: TYPICAL INCIDENT REPORTING FORMAT
Contact information
- Name
- Organization name
- Division
- E-mail address or FAX number
Purpose of reporting
- Question
- Providing information
- Request for coordination
- Other
Summary of the incident
- Source IP address or hostname
- Description of the incident
System information of the affected system
- IP address or hostname
- Protocol / port number
- Hardware / OS
- Timestamp, including time zone
Log information

INCIDENT HANDLING: TRIAGE

INCIDENT HANDLING: TRIAGE
As in a hospital, where patients who need to be attended to immediately are separated from those who can wait for assistance.
- Sorting, categorizing, prioritizing
- Depending on the resources available
- Type: incident, vulnerability, virus, information
- New report, or related to an on-going report?
- If related to an on-going report, is it part of an existing incident? Same IP address? Linkage between separate reports? Tracking number?

INCIDENT HANDLING: TRIAGE
Triage helps the incident handlers optimize the time taken for incident handling as well as perform effective incident handling.
[Diagram: Categorization, Incident Priority, Human Resource, Relevance, Identify & Track]

INCIDENT HANDLING: TRIAGE: PRIORITY
Due to limited resources and the growing number of incident reports, we may not be able to respond to every incident reported to us. Priority depends on:
- Resources needed to deal with it
- Impact on the constituency
- Category of incident
- Type or extent of damage
- Target or source of an attack

INCIDENT HANDLING: TRIAGE
Classification vs. Categorization

INCIDENT RESPONSE: ELEMENTS
Columns: Incident Class (mandatory input field) | Incident Type (optional but desired input field) | Description / Examples

Abusive Content
- Spam: or "Unsolicited Bulk Email", this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having an identical content.
- Harassment: Discreditation or discrimination of somebody (i.e. cyberstalking).
- Child/Sexual/Violence/...: Child pornography, glorification of violence, ...

Malicious Code
- Virus, Worm, Trojan, Spyware, Dialer: Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.

Information Gathering
- Scanning: Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...).
- Sniffing: Observing and recording of network traffic (wiretapping).
- Social Engineering: Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).

INCIDENT HANDLING: TRIAGE: PRIORITY
High
- Urgent report, like phishing
- Incident still active
- Have to coordinate with another organization
Middle
- Not an urgent report
- Not an active incident
- Will coordinate with another organization
Low
- Just a technical question to answer
- Just an FYI to us
- Others

LET'S DO A QUICK EXERCISE: TRIAGE AND INCIDENT HANDLING

INCIDENT HANDLING: TRIAGE: CLASSIFICATION
Columns: Incident Class (mandatory input field) | Incident Type (optional but desired input field) | Description / Examples

Abusive Content
- Spam: 'Unsolicited bulk e-mail', which means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having an identical content.
- Harassment: Discrediting, or discrimination against, somebody (ie, cyberstalking).
- Child/Sexual/Violence/...: Child pornography, glorification of violence, ...

Malicious Code
- Virus, Worm, Trojan, Spyware, Dialer: Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.

INCIDENT HANDLING: TRIAGE: CLASSIFICATION (continued)

Information Gathering
- Scanning: Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT).
- Sniffing: Observing and recording network traffic (wiretapping).
- Social Engineering: Gathering information from a human being in a non-technical way (eg, lies, tricks, bribes, or threats).

Intrusion Attempts
- Exploiting Known Vulnerabilities: An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as a CVE name (eg, buffer overflow, backdoors, cross-site scripting, etc).
- Login Attempts: Multiple login attempts (guessing or cracking passwords, brute force).
- New Attack Signature: An attempt using an unknown exploit.

INCIDENT HANDLING: TRIAGE: CLASSIFICATION (continued)

Information Security
- Unauthorised Access to Information / Unauthorised Modification of Information: Besides the local abuse of data and systems, information security can be endangered by a successful account or application compromise. Furthermore, attacks that intercept and access information during transmission (wiretapping, spoofing or hijacking) are possible.

Fraud
- Unauthorized Use of Resources: Using resources for unauthorised purposes, including profit-making ventures (eg, the use of e-mail to participate in illegal chain letters for profit or pyramid schemes).
- Copyright: Selling or installing copies of unlicensed commercial software or other copyright-protected materials (Warez).
- Masquerade: Type of attack in which one entity illegitimately assumes the identity of another in order to benefit from it.

Other
- All incidents which do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indication that the classification scheme needs to be revised.

INCIDENT HANDLING: TRIAGE: RESPONSE LEVEL CLASSIFICATION
Columns: Criticality Level | Criticality Level Definition | Typical Incident Categories | Response | Ongoing Response (Critical Phase) | Ongoing Response (Resolution Phase) | Communication Requirement

Level 1
- Definition: Incident affecting critical systems or information, with potential to be revenue or customer impacting.
- Typical incident categories: Denial of service; Compromised asset (critical); Internal hacking (active); External hacking (active); Virus / Worm (outbreak); Destruction of property (critical).
- Response: 60 minutes.
- Ongoing response, critical phase: CIRT Incident Manager assigned to work the case on a 24x7 basis.
- Ongoing response, resolution phase: CIRT Incident Manager assigned to work on the case during normal business hours.
- Communication requirement: Case update sent to appropriate parties on a daily basis during the critical phase. If CSIRT involvement is necessary to restore critical systems to service, then a case update will be sent a minimum of every 2 hours.

Level 2
- Definition: Incident affecting non-critical systems or information, not revenue or customer impacting. Employee investigations that are time sensitive should typically be classified at this level.
- Typical incident categories: Internal hacking (not active); External hacking (not active); Unauthorized access; Policy violations; Unlawful activity; Compromised information; Compromised asset (non-critical).
- Response: 4 hours.
- Ongoing response, critical phase: CIRT Incident Manager assigned to work the case on a 24x7 basis.
- Ongoing response, resolution phase: CIRT Incident Manager assigned to work on the case during normal business hours.
- Communication requirement: Case update sent to appropriate parties on a daily basis during the critical phase, and on a weekly basis during the resolution phase.

Level 3
- Definition: Possible incident, non-critical systems. Incident or employee investigations that are not time sensitive. Long-term investigations involving extensive research and/or detailed forensic work.
- Typical incident categories: Email; Forensics request; Inappropriate use of property; Policy violations.
- Response: 48 hours.
- Ongoing response, critical and resolution phases: Case is worked as CIRT time/resources are available.
- Communication requirement: Case update sent to appropriate parties on a weekly basis.

INCIDENT HANDLING: TRIAGE: SENSITIVITY CLASSIFICATION
Columns: Sensitivity Level | Definition | Typical Incident Categories | Required On-Case Communication | Optional On-Case Communication | ITS Access

Level 1: Extremely sensitive. Global Investigations initiated.
- Typical incident categories: Forensics request; Destruction of property; Compromised asset; Compromised information; Unlawful activity; Inappropriate use of property; Policy violations.
- Required on-case communication: CIRT, CPOC. Optional: CIRTM. ITS access: CIRT, CIRTM.

Level 2: Sensitive.
- Typical incident categories: External hacking; Internal hacking; Unauthorized access.
- Required on-case communication: CIRT, ... (remaining cells not recoverable from the transcription)

Level 3: Not sensitive.
- Typical incident categories: Denial of service; Virus / Worm; Email.
- Required on-case communication: CIRT, CPOC. Optional: ANY. ITS access: ALL agents in ITS.
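The triage rules on the slides above (link a new report to an existing incident by source IP, then assign a High/Middle/Low priority and a criticality level with its response target), as an added Python example that is not from the deck; the field names, the hypothetical sample reports and the encoding of the slide wording into boolean fields are assumptions.

```python
from dataclasses import dataclass

# Added triage example, not from the slides; field names and sample data are assumptions.
@dataclass
class Report:
    source_ip: str
    incident_class: str                # mandatory input field, e.g. "Intrusions"
    incident_type: str = ""            # optional input field, e.g. "Login Attempts"
    active: bool = False               # incident still active?
    needs_coordination: bool = False   # another organization / CIRT must be involved?
    critical_asset: bool = False       # critical, revenue/customer-impacting systems hit?
    time_sensitive: bool = False       # investigation that cannot wait?
    question_only: bool = False        # just a technical question or FYI

RESPONSE_LEVELS = {  # level -> (response target, staffing, case update cadence)
    1: ("60 minutes", "Incident Manager 24x7", "daily; every 2 hours while restoring critical systems"),
    2: ("4 hours", "Incident Manager in business hours", "daily in critical phase, weekly in resolution"),
    3: ("48 hours", "as CIRT time/resources allow", "weekly"),
}
URGENT_TYPES = {"Phishing"}  # "urgent report like phishing" on the priority slide

def link_report(report, incidents):
    """'Is it part of an existing incident? Same IP address?': attach the report
    to the incident sharing its source IP, otherwise open a new incident."""
    for inc in incidents:
        if any(r.source_ip == report.source_ip for r in inc["reports"]):
            inc["reports"].append(report)
            return inc
    incidents.append({"id": f"INC-{len(incidents) + 1:04d}", "reports": [report]})
    return incidents[-1]

def priority(report):
    """High / Middle / Low as defined on the 'Triage: Priority' slide."""
    if report.question_only:
        return "Low"
    if report.active or report.incident_type in URGENT_TYPES:
        return "High"
    return "Middle" if report.needs_coordination else "Low"

def criticality(report):
    """Criticality level 1..3 from the 'Response Level Classification' slides."""
    if report.critical_asset:
        return 1
    if report.active or (report.time_sensitive and not report.question_only):
        return 2
    return 3

def triage(report, incidents):
    """Link, then classify. An incident inherits the most severe level among its
    linked reports, so a quiet follow-up report is worked under the active case's SLA."""
    inc = link_report(report, incidents)
    level = min(criticality(r) for r in inc["reports"])
    target, staffing, updates = RESPONSE_LEVELS[level]
    return {"incident": inc["id"], "priority": priority(report), "level": level,
            "response_target": target, "staffing": staffing, "updates": updates}

def demo():
    # Three constructed reports using RFC 5737 documentation addresses.
    incidents = []
    r1 = Report("198.51.100.7", "Intrusions", "Compromised asset",
                active=True, needs_coordination=True, critical_asset=True)
    r2 = Report("198.51.100.7", "Intrusion Attempts", "Login Attempts", needs_coordination=True)
    r3 = Report("203.0.113.5", "Other", question_only=True)
    return [triage(r, incidents) for r in (r1, r2, r3)]
```

Note that the second report on its own would be a Middle-priority, level 3 item, but because it shares a source IP with the active compromise it is linked to INC-0001 and handled under that case's 60-minute commitment.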

INCIDENT HANDLING: IDENTIFICATION & ANALYSIS

INCIDENT HANDLING: IDENTIFICATION & ANALYSIS
- Assign a handler in charge of responding to / handling the incident
- Collect / gather evidence: audit trail, log files, contents of files
- Survey the situation on the victim site
- Identify what, who, when, why, how

INCIDENT HANDLING: IDENTIFICATION & ANALYSIS
Incident analysis
- Profile networks and systems
- Understand normal behaviours
- Use centralized logging and create a log retention policy
- Perform event correlation
- Keep all host clocks synchronized
- Maintain and use a knowledge base of information
- Use Internet search engines for research
- Run packet sniffers to collect additional data
- Consider filtering the data
- Consider experience as being irreplaceable
- Create a diagnosis matrix for less experienced staff
- Seek assistance from others
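The event correlation and clock synchronization points above, together with the reporting format's "timestamp plus time zone", as an added Python example that is not from the deck: it normalizes constructed log lines from three hypothetical hosts to UTC, removes a measured clock skew, and shows how sorting the raw local timestamps would reverse the sequence of the intrusion. The hostnames, log lines and skew value are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed log lines from three hosts that record local time in different zones,
# as a report's "timestamp + time zone" fields would arrive at the CIRT.
LOGS = [
    # (host, local timestamp, UTC offset in hours, message)
    ("fw-01",  "2024-05-03 10:02:11", +9, "port scan from 198.51.100.7 against tcp/22"),
    ("web-01", "2024-05-03 01:05:40",  0, "sshd: Accepted password for admin from 198.51.100.7"),
    ("ws-17",  "2024-05-02 21:08:05", -4, "new scheduled task created by admin"),
]
# Clock skew per host, as measured against an NTP reference during analysis
# (positive = that host's clock runs fast). Assumed value for the example.
SKEW = {"ws-17": timedelta(minutes=1)}

def to_utc(host, local_ts, offset_hours):
    """Normalize a local timestamp to UTC and remove the host's measured clock skew."""
    tz = timezone(timedelta(hours=offset_hours))
    t = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return t.astimezone(timezone.utc) - SKEW.get(host, timedelta(0))

def timeline(logs):
    """Correlated timeline: events from all hosts ordered on one common clock."""
    return sorted((to_utc(h, ts, off), h, msg) for h, ts, off, msg in logs)

def naive_order(logs):
    """Ordering by raw local timestamps, the mistake unsynchronized clocks invite."""
    return [h for h, ts, _, _ in sorted(logs, key=lambda e: e[1])]

def first_seen(logs, ip):
    """Answer 'when': earliest UTC time the reported source IP appears in any log."""
    hits = [t for t, _, msg in timeline(logs) if ip in msg]
    return hits[0].isoformat() if hits else None

def span_seconds(logs):
    """Elapsed time from the first to the last correlated event."""
    tl = timeline(logs)
    return int((tl[-1][0] - tl[0][0]).total_seconds())
```

On the correlated clock the sequence is scan, then login, then persistence on the workstation; the raw local timestamps put the workstation event first and would send the analysis in the wrong direction.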

INCIDENT HANDLING: IDENTIFICATION & ANALYSIS
Evidence collection and archiving (RFC 3227)
Order of volatility (collect the most volatile first):
- Registers
- Routing table
- Temporary file systems
- Disk
- Remote logging
- Physical configuration
- Archival media
Things to avoid: it's all too easy to destroy evidence (it is fragile).
Privacy considerations:
- Respect the privacy rules
- Do not intrude on people's privacy without strong justification
- Make sure you have the backing of the procedures your company has established
Legal considerations: computer evidence needs to be admissible, authentic, complete, reliable and believable.

INCIDENT HANDLING: CONTAINMENT

INCIDENT HANDLING: CONTAINMENT
Creating a containment strategy: the means of containment depends on the type of incident.
- Shut down the system
- Disconnect the system/PC from the network
- Disable certain functions
The strategy for a virus infection and the strategy for a denial of service attack are not the same.

INCIDENT HANDLING: CONTAINMENT
Criteria for determining the strategy include:
- Potential damage to resources
- Theft of resources
- Need for evidence preservation
- Service availability (e.g. network connectivity, services provided to others)
- Time and resources needed to implement the strategy
- Effectiveness of the strategy (e.g. partial or full containment)
- Duration of the solution (e.g. to be removed in several weeks)

INCIDENT HANDLING: CONTAINMENT
Delayed containment is usually NOT good.
- Need additional evidence before containment?
- Need to get approval from the legal section?
- If so, the attacker could escalate unauthorized access or compromise other systems in a short time.
Other potential issues: some attacks may cause additional damage when contained (e.g. when the system is disconnected).

INCIDENT HANDLING: ERADICATION & RECOVERY

INCIDENT HANDLING: ERADICATION & RECOVERY
Determine the cause & origin of the incident from the evidence. In particular, a detailed log should be kept for all evidence, including:
- Identifying information: location, serial number, host name, MAC address, IP address
- Name, title, phone number
- Time and date, including time zone
- Location where the evidence was stored
Reference: RFC 3227 "Guidelines for Evidence Collection and Archiving"

INCIDENT HANDLING: ERADICATION & RECOVERY
Examples of eradication:
- Delete malicious code
- Disable breached user accounts
Restore the system:
- Rebuild systems from scratch
- Replace compromised files with clean versions
- Install patches
- Change passwords
- Tighten network perimeter security: configuration of firewalls & routers
- Higher levels of system logging or network monitoring

INCIDENT HANDLING: ERADICATION & RECOVERY
Which method would you recommend?
1) There is a rootkit inside a particular computer.
2) Your nation's tourism department website has been defaced.
3) The email addresses of all the users in the prime minister's office have been leaked.

INCIDENT HANDLING: FOLLOW UP

INCIDENT HANDLING: FOLLOW UP: DOCUMENTATION
Document what occurred in detail, including:
- Unique incident tracking number: to track all information and actions relating to the incident
- Keywords or categorization: information to characterize the incident and establish relationships between different incidents
- Contact information: name, phone number, email address and other contact information for all parties
- Policies: legal parameters or policies that affect the way the incident might be handled

INCIDENT HANDLING: FOLLOW UP: DOCUMENTATION (continued)
- Incident history: chronicle of all email and other correspondence
- Status: current status of the incident
- Actions: list of past, current, and future actions to be taken
- Incident coordinator: a team may choose to assign a staff member to coordinate the response to this incident
- Quality assurance parameters: information that might help to measure the quality of the service

INCIDENT HANDLING: FOLLOW UP: COMMUNICATION
- Ensure that the restored system is no longer vulnerable to the same attack type.
- Monitor the restored system.
- Provide updated information, including: relevant incidents, vulnerability patches, security patches, alternative solutions.

INCIDENT HANDLING: FOLLOW UP: SELF LEARNING
Lessons learned: hold a post-mortem after the incident is resolved. The meeting is helpful in improving security measures and the incident handling process itself.
- Assess time and resources used and damage incurred.
- Update policies and procedures as necessary.
- Update the knowledge base.
- Be prepared for media inquiries.
