Incident Response: Detection, Decision, Organizing and Preparing The CSIRT

User Generated

zngurjhue

Computer Science

Description

Tasks

Address the following items based on the team and the industry you identified in your introduction, in 5 sentences or less per item:

  1. Define incidents that pose a risk to the organization
  2. Describe the purpose and function of the CSIRT
  3. Discuss the skills and abilities needed in the CSIRT
  4. Explain the standing operating procedures associated with CSIRT operations
  5. Describe training and deployment of the CSIRT
Submission Requirements
  1. No more than 5 sentences per item
  2. Use APA format
  3. Response must reflect the industry you identified in your introduction

Unformatted Attachment Preview

Principles of Incident Response and Disaster Recovery, 2nd Edition

Chapter 5: Incident Response: Detection and Decision Making

Objectives
• Define incidents that pose a risk to the organization
• Discuss the elements necessary to detect incidents
• Explain the components of an intrusion detection and prevention system
• Describe the processes used in making decisions about incident detection and escalation

Introduction
• Organizations' challenge
  – Classifying events as they occur
• Event
  – Any observable system or network occurrence
• Adverse event
  – Event with negative consequences
• Systems: computer, personnel, organization based
  – Not all events computer or network oriented
• Event sources
  – Product of routine system activities, critical situations

• Incident
  – Occurs when an adverse event becomes a genuine threat to ongoing operations
• Incident classification process
  – Evaluating circumstances around events
  – Determining possible incidents (incident candidates)
  – Determining if adverse event constitutes an actual incident
• Incident response (IR) design team role
  – Designing the process used to make a judgment

• IR team responsibility
  – Classifying an incident
• Sources for tracking and detecting incident candidates
  – End user reports and other documents
  – Intrusion detection and prevention systems (IDPSs)
  – Virus management software
  – Systems administrators
• Careful incident candidate reporting training
  – Allows vital information to be relayed to the IR team
• NIST incident classification scheme for network-based incidents
  – Denial of service
  – Malicious code
  – Unauthorized access
  – Inappropriate usage
  – Multiple component

Detecting Incidents
• Events occurring in and around an organization
  – May indicate presence of an incident candidate
  – May be normal operation mimicking incident candidate
• Indication: adverse event underway
  – Has probability of becoming an incident
• Precursor: activity now occurring
  – Incident could occur in the future
• D. L. Pipkin incident indicator categories
  – Possible, probable, and definite

Possible Indicators of an Incident
• Presence of unfamiliar files
  – Unfamiliar or unexplained files in illogical locations
• Presence or execution of unknown programs or processes
  – Unfamiliar programs running, or processes executing
• Unusual consumption of computing resources
  – Memory or hard disk consumption spikes and falls
• Unusual system crashes
  – System crashing, hanging, rebooting, or freezing more frequently than usual

Probable Indicators of an Incident
• Activities at unexpected times
  – Network traffic levels exceed baseline levels
• Presence of unexpected new accounts
  – Periodic review indicates unfamiliar accounts
    • Unlogged new account with root or special privileges
• Reported attacks
  – Verify user technical sophistication
• Notification from IDPS
  – Must determine if notification real or a false positive

Definite Indicators
• Definite indicators requiring IR plan activation
  – Use of dormant accounts
  – Changes to logs
  – Presence of hacker tools
  – Notifications by partner or peer
  – Notification by hacker
• Confirmed events indicating attack underway
  – Loss of availability or integrity or confidentiality
  – Violation of policy or violation of law

Identifying Real Incidents
• Actual incidents versus nonevents
  – Vast majority of incidents: false positives
• Ways to process incidents
  – Incident center; geographically separate review locations; isolated incident candidate evaluations
• Noise: legitimate activities wrongly reported
  – Activate feedback process to prevent flagging
  – Inherent in the nature of best-tuned systems
• Causes of noise or false positives
  – Sensor placement; policy; lack of awareness

• Data collection tuning process
  – Provides careful change analysis to data collection rules
• False negative
  – Incident deserving attention that is not reported
• New or modified systems placed in service
  – May need additional data collection process tuning
• Tuning process objective
  – Allow valid incidents while controlling false positives

Intrusion Detection and Prevention Systems
• Intrusion detection and prevention system (IDPS)
  – Network burglar alarm
  – Determines if network used in compliance with policy
• Intrusion
  – Instigator attempting to gain unauthorized entry or disrupt normal operations
  – Access outside intended system or network use
  – Attack types: automated or self-propagating
  – Purpose of intrusion: harm an organization
• Intrusion detection systems (IDSs)
  – Detects a violation and activates an alarm
    • Alarm types: audible, visual, silent
  – Custom configuration levels available
• Intrusion prevention system (IPS)
  – Detects intrusion and prevents successful attack using an active response
• IDPS source
  – http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

IDPS Terminology
• Alarm or alert
  – Indication system just attacked or under attack
• Alarm clustering
  – Consolidation of almost identical alarms into a single higher-level alarm
• Alarm compaction
  – Form of alarm clustering based on similarities
• Alarm filtering
  – Process of classifying attack alerts to distinguish or sort false positives from actual attacks more efficiently

• Confidence value
  – Value associated with an IDPS's ability to detect and identify an attack correctly
• Evasion
  – Process by which attacker changes network packets' format and/or timing to avoid being detected
• False attack stimulus
  – Event triggering alarms causing false positive when no actual attack in progress
• False negative
  – IDPS's failure to react to an actual attack event

• False positive
  – Alarm or alert indicating attack in progress or attack successful when there is no attack
• Filtering
  – Process of reducing IDPS events in order to receive a better confidence in the alerts received
• Noise
  – Ongoing activity from alarm events
• Site policy
  – Rules and configuration guidelines governing IDPS implementation and operation
• Site policy awareness
  – IDPS's ability to dynamically modify its site policies in reaction or response to environmental activity
• True attack stimulus
  – Event triggering an alarm causing IDPS to react as if a real attack were in progress
• Tuning
  – Process of adjusting an IDPS
    • Maximize true positive detection efficiency
    • Minimize both false positives and false negatives

Why Use an IDPS?
• Prevent problem behaviors
  – Increase perceived risk of discovery and punishment
• Detect attacks and security violations
  – Not prevented by other security measures
• Detect and deal with preambles to attacks
• Document existing threat to an organization
• Act as quality control for security design and administration
  – Especially of large and complex enterprises
• Provide useful information about intrusions

• Straightforward deterrent measure
  – Increases fear of detection and discovery among would-be attackers or internal system abusers
• NIST defined uses
  – Identifying security policy problems
  – Documenting the existing threat to an organization
  – Deterring individuals from violating security policies
• Provides cover if network:
  – Fails to protect itself from known vulnerabilities
  – Unable to respond to rapidly changing threat environment

Forces Working against an IDPS
• Tools fail to detect or correct a known deficiency
• Vulnerability detection performed too infrequently
• Patch and upgrade installation delayed
• Inability to disable or protect essential services
• Use an IDPS for a Defense in Depth strategy
  – Doorknob rattling conducted by footprinting
  – Fingerprinting
  – Early warning allows time to prepare for attack
• Automated responses lead to unintended consequences
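The terminology above (alarm filtering, alarm clustering, alarm compaction, false attack stimulus, site policy, tuning) is easier to see on data. The following is an added example, not code from the textbook or the slides: a small Python triage pass over constructed NIDPS alerts. The alert field layout, the 60-second window, and the site-policy suppression (192.0.2.50 treated as the authorized vulnerability scanner) are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts (not real IDPS output), one per line:
# "timestamp,sensor,src,dst,signature,severity".
RAW_ALERTS = """\
1000,nidps-dmz,203.0.113.7,198.51.100.10,SSH brute force,medium
1004,nidps-dmz,203.0.113.7,198.51.100.10,SSH brute force,medium
1009,nidps-dmz,203.0.113.7,198.51.100.10,SSH brute force,medium
1011,nidps-dmz,203.0.113.7,198.51.100.11,SSH brute force,medium
1015,nidps-dmz,203.0.113.7,198.51.100.12,SSH brute force,medium
1020,nidps-dmz,192.0.2.50,198.51.100.10,Port sweep,low
1021,nidps-dmz,192.0.2.50,198.51.100.11,Port sweep,low
1300,nidps-dmz,203.0.113.7,198.51.100.10,SSH brute force,medium
1500,hidps-web01,198.51.100.10,198.51.100.10,Config file modified,high
"""

# Site policy (assumed): alerts for this (source, signature) pair are a known
# false attack stimulus, because 192.0.2.50 is the authorized scanner.
SUPPRESSIONS = {("192.0.2.50", "Port sweep")}
WINDOW = 60  # seconds; alerts further apart than this are not "the same" event


@dataclass
class Alert:
    ts: int
    sensor: str
    src: str
    dst: str
    signature: str
    severity: str


@dataclass
class Alarm:
    """A higher-level alarm consolidated from one or more near-identical alerts."""
    src: str
    signature: str
    severity: str
    first_seen: int
    last_seen: int
    count: int = 0
    dsts: set = field(default_factory=set)
    sensors: set = field(default_factory=set)


def parse_alerts(text):
    alerts = []
    for line in text.strip().splitlines():
        ts, sensor, src, dst, sig, sev = line.split(",")
        alerts.append(Alert(int(ts), sensor, src, dst, sig, sev))
    return sorted(alerts, key=lambda a: a.ts)


def filter_alarms(alerts, suppressions):
    """Alarm filtering: drop alerts the site policy marks as false attack stimuli."""
    return [a for a in alerts if (a.src, a.signature) not in suppressions]


def _absorb(alarm, src, signature, severity, first, last, count, dsts, sensors):
    alarm.last_seen = max(alarm.last_seen, last)
    alarm.count += count
    alarm.dsts |= dsts
    alarm.sensors |= sensors


def cluster_alarms(alerts, window):
    """Alarm clustering: near-identical alerts (same sensor, source, destination
    and signature) that arrive within `window` of each other become one alarm."""
    buckets = defaultdict(list)
    for a in alerts:  # already time-ordered, so each bucket stays ordered
        buckets[(a.sensor, a.src, a.dst, a.signature)].append(a)
    clusters = []
    for group in buckets.values():
        current = None
        for a in group:
            if current is None or a.ts - current.last_seen > window:
                current = Alarm(a.src, a.signature, a.severity, a.ts, a.ts)
                clusters.append(current)
            _absorb(current, a.src, a.signature, a.severity, a.ts, a.ts, 1,
                    {a.dst}, {a.sensor})
    return sorted(clusters, key=lambda c: c.first_seen)


def compact_alarms(clusters, window):
    """Alarm compaction: clusters that share source and signature but differ in
    destination are merged when they overlap in time (a sweep of many hosts)."""
    by_src_sig = defaultdict(list)
    for c in clusters:
        by_src_sig[(c.src, c.signature)].append(c)
    compacted = []
    for group in by_src_sig.values():
        current = None
        for c in sorted(group, key=lambda c: c.first_seen):
            if current is None or c.first_seen - current.last_seen > window:
                current = Alarm(c.src, c.signature, c.severity, c.first_seen, c.first_seen)
                compacted.append(current)
            _absorb(current, c.src, c.signature, c.severity, c.first_seen,
                    c.last_seen, c.count, c.dsts, c.sensors)
    return sorted(compacted, key=lambda c: c.first_seen)


def describe(alarm):
    kind = "sweep" if len(alarm.dsts) > 1 else "single target"
    return (f"{alarm.signature} ({kind}) from {alarm.src}: {alarm.count} alerts "
            f"against {len(alarm.dsts)} host(s), t={alarm.first_seen}-{alarm.last_seen}")


def triage(raw=RAW_ALERTS, suppressions=SUPPRESSIONS, window=WINDOW):
    """Full pass: filter, then cluster, then compact."""
    return compact_alarms(cluster_alarms(filter_alarms(parse_alerts(raw), suppressions), window), window)


if __name__ == "__main__":
    for alarm in triage():
        print(describe(alarm))
```

Nine raw alerts become three alarms an analyst actually has to read; the window and the suppression list are the tuning knobs that trade false positives against false negatives.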
Justifying the Cost
• Prepare and defend business case using IDPS data
• NIST IDPS key items
  – Total cost of ownership well exceeds acquisition costs
  – Designed with personnel availability around the clock
• Justify IDPS using Defense in Depth concept
• IDPS can provide information in post-attack review
  – Remedy deficiency and trigger improvement process
  – Forensic data
• IDPS systems: network-based, host-based, and application-based systems

IDPS Network Placement
• Placement of sensor and detection devices or software programs
  – Has significant effect on IDPS operation
• Three widely used IDPS placement options
  – Network-based
  – Host-based
  – Application-based

Network-Based IDPS
• Network-based IDPS (NIDPS)
  – Monitors segment traffic
    • Looks for ongoing or successful attack indications
    • Resides on a computer or appliance connected to that network segment
  – Programmed to recognize attacks and respond
    • Examines packets
    • Looks for patterns indicating intrusion event under way or about to begin
  – Detects more attack types than host-based IDPS
  – More complex configuration, maintenance program

• Inline sensor
  – Deployment on the interior of a firewall
    • All traffic must pass through sensor, then report back to the NIDPS
• NIDPS deployment
  – Watch specific host computer grouping on specific network segment
  – Installed to monitor all traffic between systems making up an entire network
• Passive sensor
  – Sits off to the side of a network segment
  – Monitors traffic without mandating traffic physically pass through the sensor
• Switched port analysis (SPAN) port or mirror port
  – Switch or key networking device placed next to a hub
  – NIDPS uses that device's monitoring port
• Snort open source software (http://www.snort.org)
  – For complex IDPS sensors and analysis systems
  – Manage and query system from a desktop computer

• Signature matching
  – NIDPSs look for attack patterns
    • Compares measured activity to known signatures in their knowledge base
    • Determines if attack occurred or may be under way
  – Uses special TCP/IP stack implementation
  – NIDPS looks for invalid data packets
  – Application protocol verification
    • Higher-order protocols examined for unexpected packet behavior or improper use
    • May have valid packets in excessive quantities
  – DNS cache poisoning
    • Valid packets exploit poorly configured DNS servers
    • Inject false information
    • Corrupt servers' answers to routine DNS queries from other systems on the network
• Wireless NIDPS
  – Monitors and analyzes wireless network traffic
  – Looks for potential problems with wireless protocols
  – Sensor deployment: at the access points, on specialized components, or in mobile stations
  – Centralized management stations collect information
  – Detection
    • Unauthorized wireless LANs (WLANs) and WLAN devices; poorly secured WLAN devices; unusual usage patterns; use of wireless network scanners; DoS attacks and conditions; impersonation and man-in-the-middle attacks
  – Issues
    • Higher protocol monitoring; physical security; sensor range; access point and wireless switch locations; wired network connections; cost

• Advantages and disadvantages of NIDPSs

Host-Based IDPSs
• Host-based IDPS (HIDPS)
  – Resides on a particular computer or server (host)
    • Monitors activity on that system
  – Known as system integrity verifiers
    • Benchmarks and monitors key system files' status
    • Detects when intruder creates, modifies, or deletes monitored files
  – Can monitor system configuration databases and stored configuration files
  – Uses principle of configuration or change management
  – Alert or alarm triggers
    • File attributes change, new files created, existing files deleted
  – Can monitor system logs for predefined events
  – HIDPS log file provides an independent audit trail
  – Very reliable
    • False positive alert produced only when authorized monitored file changed
  – Can access encrypted information
  – Information to determine legitimate traffic present
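An added example, not code from the textbook or the slides: a minimal change-based HIDPS in Python that benchmarks a directory tree, then reports files that were created, deleted, modified (content hash differs) or had only their attributes changed, and maps each finding to the red/yellow/green criticality classes the slides describe. The folder-to-class policy, the page/alert/log actions and the tree built under a temporary directory are constructed for the example.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Assumed policy for the example: path prefixes (relative to the monitored
# root) mapped to criticality classes, and the action each class triggers.
DEFAULT_POLICY = {"etc/": "red", "bin/": "red", "www/": "yellow", "tmp/": "green"}
ACTIONS = {"red": "page administrator", "yellow": "alert", "green": "log only"}


def classify(relpath, policy=DEFAULT_POLICY):
    """Map a monitored file to its criticality class (unlisted paths are green)."""
    for prefix, colour in policy.items():
        if relpath.startswith(prefix):
            return colour
    return "green"


def fingerprint(path):
    """Benchmark one file: content hash plus the attributes a HIDPS watches."""
    st = path.stat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime_ns": st.st_mtime_ns}


def build_baseline(root):
    """Walk the tree and record a fingerprint for every regular file."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan(root, baseline, policy=DEFAULT_POLICY):
    """Compare the tree as it is now against the baseline; classify every change."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            change = "created"
        elif after is None:
            change = "deleted"
        elif before["sha256"] != after["sha256"]:
            change = "modified"
        elif before["mode"] != after["mode"] or before["mtime_ns"] != after["mtime_ns"]:
            change = "attributes changed"
        else:
            continue  # unchanged: no alarm
        colour = classify(rel, policy)
        findings.append({"path": rel, "change": change, "class": colour,
                         "action": ACTIONS[colour]})
    return findings


def demo():
    """Constructed scenario: baseline a small tree, then make four kinds of change."""
    root = Path(tempfile.mkdtemp(prefix="hidps-demo-"))
    try:
        seed = {"etc/sshd_config": b"Port 22\n", "bin/sh": b"#!/bin/sh\n",
                "www/index.html": b"<h1>hello</h1>", "tmp/scratch": b"temp"}
        for rel, body in seed.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        baseline = build_baseline(root)
        (root / "etc/sshd_config").write_bytes(b"Port 2222\n")  # content modified
        (root / "bin/unknown").write_bytes(b"\x7fELF")          # new file appears
        (root / "www/index.html").unlink()                      # file removed
        os.chmod(root / "tmp/scratch", 0o400)                   # attributes only
        return scan(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(f"[{finding['class']:6}] {finding['change']:18} {finding['path']}  -> {finding['action']}")
```

The green finding is still recorded, which is the "large volume of false alarms" problem the slides warn about; choosing which folders are red and which are merely logged is the tuning step.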
• HIDPS configuration
  – Simple change-based system
    • Relies on file classification into various categories
    • Triggers alert on changes within a critical data folder
    • Can log all activity and instantly page or e-mail any administrator
    • Can generate large volume of false alarms
  – Can monitor multiple computers simultaneously
  – Must identify and categorize folders and files
    • Common method: red, yellow, and green
    • Some systems use an alternative scale of 0–100

• Advantages and disadvantages of HIDPS

Application-Based IDPS
• Application-based IDPS (AppIDPS)
  – Examines an application for abnormal events
    • Looks for anomalous occurrences
  – Tracks interaction between users and applications
    • Allows tracing of specific activity back to individual users
  – Can view encrypted data
  – Types of requests examined
    • File systems, network, configuration, execution space
  – The need for intrusion detection is organization dependent

• Advantages and disadvantages of AppIDPS

IDPS Detection Approaches
• Signature-based IDPS (knowledge-based)
  – Examines data traffic in search of patterns matching known signatures
  – Weaknesses
    • Signatures must be continually updated
    • Time frame over which attacks occur
• Anomaly-based IDPS (behavior-based IDPS)
  – Samples network activity and applies statistical analysis against a baseline
  – Clipping level
    • Measured activity outside baseline parameters
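An added example, not from the textbook: the statistical baseline and clipping level from the anomaly-based IDPS bullets, in Python. The baseline samples and observations are constructed (connections per interval, keyed by hour of day), and the clipping level is taken as the hour's mean plus or minus k standard deviations, with k as the tuning knob; that data layout and choice of statistic are assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed baseline: (hour_of_day, connections_per_interval) samples taken
# from a web segment on "normal" days. Not real traffic.
BASELINE_SAMPLES = [
    (3, 10), (3, 12), (3, 9), (3, 11), (3, 8),
    (9, 120), (9, 130), (9, 125), (9, 118), (9, 127),
    (14, 200), (14, 210), (14, 195), (14, 205), (14, 190),
]

# Constructed observations from a later day, same layout.
OBSERVATIONS = [(3, 95), (9, 126), (9, 0), (14, 215), (22, 50)]


def build_profile(samples):
    """Baseline: for each hour of day, the mean and standard deviation of the measure."""
    by_hour = defaultdict(list)
    for hour, value in samples:
        by_hour[hour].append(value)
    return {hour: (statistics.mean(v), statistics.pstdev(v)) for hour, v in by_hour.items()}


def clipping_levels(profile, hour, k):
    """Lower and upper clipping levels for an hour: activity outside them is anomalous."""
    mean, sd = profile[hour]
    return max(0.0, mean - k * sd), mean + k * sd


def evaluate(profile, observations, k=3.0):
    """Flag observations outside the clipping level, or with no baseline at all."""
    findings = []
    for hour, value in observations:
        if hour not in profile:
            # No baseline for this hour: cannot judge, so surface it for a human.
            findings.append({"hour": hour, "value": value, "reason": "no baseline for hour"})
            continue
        lower, upper = clipping_levels(profile, hour, k)
        if value > upper:
            reason = "above clipping level"   # e.g. activity at an unexpected time
        elif value < lower:
            reason = "below clipping level"   # e.g. a service that has gone quiet
        else:
            continue  # within baseline parameters
        mean, sd = profile[hour]
        findings.append({"hour": hour, "value": value, "reason": reason,
                         "z": round((value - mean) / sd, 2) if sd else None,
                         "bounds": (round(lower, 1), round(upper, 1))})
    return findings


def alarm_counts(profile, observations, ks):
    """Tuning view: how many alarms each clipping multiplier k would raise."""
    return {k: len(evaluate(profile, observations, k)) for k in ks}


if __name__ == "__main__":
    profile = build_profile(BASELINE_SAMPLES)
    for finding in evaluate(profile, OBSERVATIONS, k=3.0):
        print(finding)
    print("alarms per k:", alarm_counts(profile, OBSERVATIONS, [2.0, 3.0, 4.0]))
```

Lowering k from 3 to 2 makes the 14:00 reading of 215 an alarm as well, which is the false-positive side of the trade-off the next bullets describe.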
• Anomaly-based IDPS (cont'd.)
  – Advantage
    • Can detect new attack types
  – Disadvantages
    • Requires overhead and processing capacity
    • May not detect minor changes to system variables, generating false positives

• Log file monitor (LFM)
  – Type of IDPS similar to the NIDPS
  – Reviews log files of servers, network devices, and other IDPSs
  – Can look at multiple log files from a number of different systems
  – Uses a holistic approach
    • Requires considerable resource allocation

Automated Response
• New systems can respond to incident threats autonomously
  – Based on preconfigured options
  – Goes beyond usual IDPS and IPS defensive actions
• Trap and trace
  – Uses a combination of resources to:
    • Detect an intrusion
    • Trace the intrusion back to its source
  – Allows security administrators to take the offense
  – Legal issue: temptation to back hack

• Honeypots and honeynets
• Honeypots
  – Servers configured to resemble production systems
  – Closely monitored network decoys
  – Advantages
    • Distracts adversaries from more valuable machines
    • Provides early warning about new attack trends
    • Allows in-depth examination of adversaries
  – Two general types
    • Production and research
• Honeytoken
  – System resource placed onto a functional system
    • No normal use for that system
  – Unauthorized access triggers notification or response
• Honeynet (honeypot farm)
  – High-interaction honeypot
  – Designed to capture extensive information on threats
  – Network of systems designed for attacker interaction
    • Inbound connections: indicate probe, scan, attack
    • Outbound connections: indicate system compromise

• Legal issues with honeypots and honeynets
  – Line between enticement and entrapment
  – Fourth Amendment to the U.S. Constitution
  – Electronic Communications Protection Act
  – Pen Register, Trap and Trace Devices law (Pen/Trap statute)
  – Wasp trap syndrome
    • Downside of current enhanced automated response systems may outweigh the upside

Incident Decision Making
• Incident known to be underway
  – Must determine actual incidents and false positives
• US-CERT steps to detect incidents
  – Collect incident candidates using well-documented procedures
  – Investigate candidates using systems and methods at your disposal
  – If candidate not authorized activity
    • Immediately initiate intrusion response procedures
• NIST recommendations
  – Profile networks and systems
  – Understand normal behaviors
  – Use centralized logging; create a log retention policy
  – Perform event correlation
  – Keep all hosts' clocks synchronized
  – Maintain and use a knowledge base of information
  – Use Internet search engines for research
  – Run packet sniffers to collect data and filter data
  – Consider experience as being irreplaceable
  – Create diagnosis matrix for less-experienced staff
  – Seek assistance from others, when needed

Collection of Data to Aid in Detecting Incidents
• Routine data collection and analysis
  – Required to assist in incident detection and declaration
• Data collected by automatic recording systems
  – Assist in better understanding normal and routine system operations that process, transmit, and store information
• Understanding the norm
  – Assists in the detection of the abnormal

• Manage logging and other data collection mechanisms
  – Individual or aggregated log files
    • Critical to manage sources
    • Contain indicators and documentation of intrusion
    • Must first be enabled
    • Protect logs through server hardening
  – Managing logs
    • Be prepared to handle the amount of data generated by logging; rotate logs on a schedule
    • Be able to archive logs, encrypt logs, dispose of logs
• Detect compromised software
  – Use separate HIDPS sensor or agent to monitor the HIDPS itself
  – Quarantine and examine logs if compromise suspected

• Watch the network for unexpected behavior
  – Monitor networks for signs of intrusion
  – Notify users of monitoring
  – Review and investigate alert mechanism notifications
  – Review and investigate network error reports
  – Review network performance statistics and investigate anomalies
  – Identify unexpected, unusual, or suspicious network traffic and its possible implications
  – If reviewing network traffic on a system other than the one being monitored, ensure connection secure

• Watch systems for unexpected behavior
  – Review systems storing, processing, or transmitting critical data
  – Notify users of monitoring
  – Review and investigate alert mechanism notifications
  – Review and investigate system error reports
  – Review system performance statistics and investigate anomalies
  – Continuously monitor process activity
  – Identify unexpected, unusual, or suspicious process, user, or other behavior and possible implications
  – Periodically execute network mapping and scanning tools to understand what intruders learn about your networks and systems
  – Periodically execute vulnerability scanning tools on all systems
  – If reviewing network traffic on a system other than the one being monitored, ensure connection secure

• Watch files and directories for unexpected changes
  – Best performed by using an HIDPS
    • Configure to perform a scheduled scan of systems
    • Compare current file version against an archive equivalent or hash value
    • Hash: useful in performing file verification
    • May show problems with false positives
  – Use a user reporting process for unusual file activity
    • Modification in size, content, or date
  – Critical to select correct files to monitor

• Investigate unauthorized hardware attached to your organization's network
  – Periodically check the network
    • Electronically and visually
    • Unauthorized equipment may tap into the system and redirect or record traffic without authorization
• Inspect physical resources for signs of unauthorized access
  – Physical access trumps electronic security
  – Examine doors, windows, locks, ceilings, gates
  – Report signs of tampering or breaches

• Review reports about suspicious and unexpected behavior
  – Promptly review all help desk reports, anonymous reporting hotlines, e-mail boxes
  – If problem detected early, may prevent spreading
• Take appropriate actions
  – Must respond to an intrusion appropriately

Challenges in Intrusion Detection
• Intrusion detection
  – Tedious and technically demanding process
• Two key facets of incident detection
  – Effective use of technology to assist in detection
  – Necessity of cooperation
    • Between incident response and information security professionals and the entire IT department
    • Necessary to integrate IT systems and network administrators
  – As part of CSIRT operations, or CSIRT team building

Summary
• Must classify events as they occur
  – NIST provides incident classification scheme
• Three broad categories of incident indicators
  – Possible, probable, and definite
• Must create process to collect and evaluate incident candidates
• IDPS determines if network being used in ways out of compliance with policy
  – Several compelling reasons to acquire and use an IDPS

• Operations affected by placement of sensor and detection devices or software programs
• IDPS types
  – Network-based IDPS, host-based IDPS, application-based IDPS
• Two widely used detection options
  – Signature based and statistical anomaly based
• LFM: reviews the log files
• Individual or aggregated log files
  – Data sources used for incident decision making

Chapter 6: Incident Response: Organizing and Preparing the CSIRT

Objectives
• Describe the purpose and function of the CSIRT
• Discuss the skills and abilities needed in the CSIRT
• Explain the standing operating procedures associated with CSIRT operations
• Describe training and deployment of the CSIRT

Introduction
• Coordinated reaction to unexpected events
  – Requires a designated group of individuals
    • Deal with the situation, reestablish information asset security
    • Carefully selected with appropriate skill range
    • Alternates required to assume responsibilities
• Distinct from Incident Response Planning (IRP) team
• IRP team's primary incident response responsibility
  – Develop and implement policy and plans

• IR reaction team responsibility
  – Respond to notice from a predefined entity as to an incident possibility
  – CSIRT works to regain control of information assets at risk, determine what happened, and prevent repeat occurrences
• IR reaction team's other names
  – Computer Security Incident Response Team (CSIRT)
  – Security Incident Response Team (SIRT)
  – Computer Emergency Response Team (CERT)
  – IR team

• Computer Security Incident Response Team
  – Loose or informal implementation
    • Association of IT and InfoSec staffers
    • Called up if attack on information assets detected
  – More formal implementation
    • Set of people, policies, procedures, technologies, information
    • Detect, react, and recover from incident potentially resulting in unwanted information modification, damage, destruction, or disclosure
    • Prevention: entire information security staff involved

Building the CSIRT
• Formal CSIRT
  – Carnegie Mellon CERT/CC defined stages
    • Step 1: Obtain management support and buy-in
    • Step 2: Determine the CSIRT strategic plan
    • Step 3: Gather relevant information
    • Step 4: Design the CSIRT vision
    • Step 5: Communicate the CSIRT vision and operational plan
    • Step 6: Begin CSIRT implementation
    • Step 7: Announce the operational CSIRT
    • Step 8: Evaluate CSIRT effectiveness

Step 1: Obtaining Management Support and Buy-In
• Formal management support
  – Required for CSIRT success
• CSIRT members assigned additional duties
  – CSIRT work: part-time or as detached assignments
  – Must ensure irresolvable conflicts with primary job responsibilities removed
  – Senior management must direct subordinate managers
    • Allow CSIRT members time on CSIRT activities
• Resources requiring funding and support
  – Time/materials for incident preparation/reaction

• Constant and ongoing management support
  – Sustains team efforts
  – Ensures long-term success to manage incidents
• CSIRT champion
  – May be same person as the IR function champion
  – Typically the chief information officer (CIO)
  – Must be an upper-level executive
    • Requires organizational power and authority to ensure success

Step 2: Determining the CSIRT Strategic Plan
• Formal plan encompasses:
  – Team scope and responsibilities
  – Reporting structure and functional processes
• Formal plan items to address
  – Time frame for CSIRT development
  – Gap analysis: needed versus available skills
  – CSIRT structure and team model
  – Available and needed funding
  – Training and testing methods and requirements
  – Formal and informal communications requirements
  – Procedures for updating and modifying documents and activities

Time Frame for Development of the CSIRT
• First CSIRT strategic plan item to determine
  – How soon team needs to be up and running
    • Management response: "yesterday"
• Cold reality
  – Weeks or months
  – Use informal organization response procedures

Gap Analysis of Needed versus Available Personnel Resources (Skills)
• Harsh reality
  – Few departments overstaffed to support ongoing operations
• Small-to-medium-sized organizations
  – May include the entire IT/InfoSec skillset
  – "Off duty" and "on call" IT staff expected to respond to incidents
• If organizations constantly calling back primary IT and InfoSec personnel
  – Must conclude additional resources needed

• Obtaining additional resources
  – Understand skills needed to effectively respond to incident
  – Determine if staff already has resources
  – Possible management determinations
    • Willingness to acquire needed personnel to fill gaps
    • Willingness to provide existing personnel training
    • Willingness to live with consequences of team's inability to respond
  – Other option: outsourcing the CSIRT function
• Typical CSIRT experience areas needed
  – Malware scanning, elimination, recovery
  – System administration
  – Network administration (switches, routers, gateways)
  – Firewall administration
  – Intrusion detection systems
  – Cryptography
  – Data storage and recovery
  – Documentation creation and maintenance
  – Experience creating and following policy and plans

CSIRT Structure and Team Model
• Incident discovery leads to CSIRT notification
  – CSIRT determines incident impact and acts appropriately
  – Success dependent on participation and cooperation of individuals
• CSIRT structural categories
  – Central CSIRT: a single CSIRT handles incidents
  – Distributed CSIRTs: multiple CSIRTs handle incidents for a particular logical or physical segment
  – Coordinating team: CSIRT provides guidance and advice to other teams but has no authority over them

CSIRT Structure and Team Model (cont’d.)
• CSIRT staffing models
  – Employees: organization performs all IR work
    • Limited contractor technical and administrative support
  – Partially outsourced: portions of IR work outsourced
    • 24-hour-a-day, 7-day-a-week (24/7) monitoring
    • Basic IR work performed in-house; contractors assist
  – Fully outsourced: all IR work outsourced to an on-site contractor
    • Used when the organization lacks available, qualified employees

CSIRT Structure and Team Model (cont’d.)
• Team model selection factors to consider
  – Need for 24/7 availability
  – Full-time versus part-time team members
  – Employee morale
  – Cost
  – Staff expertise
  – Organizational structures

Available and Needed Funding for Initial and Ongoing CSIRT Operations
• Everything in business costs money
  – Time, people, and building a CSIRT operation
  – Top management must commit to funding the CSIRT
• Team member needs
  – Time away from current responsibilities
  – Formal or informal training
  – Equipment to detect and manage incidents
  – Special communications equipment
• NIST recommends tools for use by incident handlers

Training and Testing Methods and Requirements for the CSIRT
• CSIRT testing and training methods
  – Defined in the strategic plan
• Planning team
  – Must enumerate management expectations
• Most organizations
  – Provide some training for CSIRTs
    • In-house and informal
• Few organizations
  – Conduct formal testing regimes
    • Fear creating incidents in the process

Formal and Informal Communications Requirements
• Formal and informal communications methods
  – Included in the CSIRT strategic plan
  – Used between CSIRT personnel and other personnel
  – Must be clearly defined methods for:
    • Contacting CSIRT personnel
    • Notifying the CSIRT of potential incidents
• Critical requirement
  – Upward flow of information from the CSIRT to organizational and IT/InfoSec management
    • CSIRT must report preliminary findings to management

Procedures for Updating and Modifying CSIRT Documents and Activities
• Final component of any formal plan
  – Mechanism by which the plan can and should be updated
• CSIRT development plan
  – Guides CSIRT planning, training, testing
  – Routinely review (annually) and modify
• Guiding documents for updating CSIRT documents
  – Formal Incident Response Policy and CSIRT plans
  – Provide response team preparation and training
  – May combine the CSIRT strategic plan with an IR plan

Step 3: Gathering Relevant Information
• CSIRT formation
  – IRP team collects the organization’s IR and service needs
    • Information used to craft the CSIRT
    • Ensures necessary skills and abilities are available
  – IR planning committee
    • Establishes CSIRT scope and responsibilities
    • Determines team constituency and abilities
  – Converse with stakeholders
    • Identify team skills and abilities
    • Identify end user needs

Step 4: Designing the CSIRT Vision
• Planning elements
  – May have been developed as part of strategy
• Planning element steps
  – Identify constituency
  – Define CSIRT’s mission, goals, and objectives
  – Determine organizational model
  – Select CSIRT services to provide to the constituency (or others)
  – Identify required resources to operate the CSIRT
  – Determine CSIRT funding

Identifying Your Constituency
• CSIRT must know:
  – Who it works for
  – What systems to focus on
• Clear chain of command necessary
  – Critical once the CSIRT is on site
    • CSIRT can take charge of the situation
    • CSIRT can exert influence to regain control of systems
• Requires top management support
  – Provides emergency authority to the CSIRT leader

Identifying Your Constituency (cont’d.)
• “Scope of operations”
  – Determining the systems falling under the CSIRT’s responsibility
  – Constituency must be aware of the CSIRT’s existence
    • CSIRT must know who it serves
• CSIRT constituents
  – Defined by who provides funding
• CSIRTs work collaboratively
  – With other CSIRTs in their geographic and logical areas

Defining Your CSIRT’s Mission, Goals, and Objectives
• CSIRT identifies for whom it works
  – Who it provides services to
  – Reporting relationships it must work within
• CSIRT must identify its mandate
  – Mission, goals, and objectives
• Mission of the CSIRT
  – States purpose clearly and succinctly
  – Establishes team tone
  – Provides a path to attaining goals and objectives

Defining Your CSIRT’s Mission, Goals, and Objectives (cont’d.)
• Mission of the CSIRT (cont’d.)
  – Common failing among multiple CSIRTs
    • Lack of precision in defining the mission
    • Failure to communicate the mission, so the CSIRT tries to validate priorities: leads to revisions on the fly
  – Clear and concise mission statement
    • Allows for an established service list, service levels, and quality framework
  – Purpose statement supplements the mission statement
  – Approaches to incident response (philosophy)
    • Protect and forget, or apprehend and prosecute

Defining Your CSIRT’s Mission, Goals, and Objectives (cont’d.)
• Goals and objectives of the CSIRT
  – Based on constituent or parent organization business goals
  – CSIRT keys to success
    • Protect critical assets
    • Enable and support the constituency’s critical business processes and systems
  – CSIRT goals coupled with detailed procedures
    • Enable the team to effectively contain and resolve incidents
  – No goals results in inconsistent and incomplete incident response

Selecting the CSIRT Services to Provide to the Constituency (or Others)
• CSIRT main focus: performing incident response
  – May shift gears to deal with a threat
  – May significantly overlap with other traditional information security tasks
• Will have an IR focus
  – CSIRT constantly works with IR-based tools and technologies
    • Allows for training and focus on incidents
    • Can better deal with intrusions

Selecting the CSIRT Services to Provide to the Constituency (or Others) (cont’d.)
• CSIRT services categories
  – Reactive services
  – Proactive services
  – Security quality management services
• Advisory distribution
  – Describes new vulnerabilities
  – Provides information on mitigating the vulnerabilities
  – Useful in helping others identify incident signs

Selecting the CSIRT Services to Provide to the Constituency (or Others) (cont’d.)
• Vulnerability assessment
  – IR team determines how a vulnerability is exploited and the risks, and recommends risk mitigation
  – IR team may perform auditing or penetration testing
  – Incident handlers
    • Well suited to perform vulnerability assessments
• Intrusion detection
  – May be performed by the IR team
    • Allows the team to gain knowledge
  – Ideally performed by another team with the IR team assisting

Selecting the CSIRT Services to Provide to the Constituency (or Others) (cont’d.)
• Education and awareness
  – Resource multipliers
  – Communicated by workshops and seminars, Web sites, newsletters, posters, and stickers on monitors
• Technology watch
  – Look for new trends in information security threats
  – Recommend improvements in security controls
• Patch management
  – Not recommended for the IR team (too time consuming)
  – Needed most when addressing large-scale incidents

Identify Required Resources
• CSIRT needs
  – Qualified individuals to perform tasks
  – Time, funding, managerial support
• Incident response personnel
  – Single employee in charge of incident response
  – Fully outsourced model: this person oversees and evaluates the service provided
  – All other models: team manager or deputy team manager in charge
  – Managers perform a variety of tasks requiring:
    • Technical, communication, and positive attitude skills

Identify Required Resources (cont’d.)
• Technical skills
  – Technical lead
    • Has strong technical skills and IR experience
    • Has oversight of and final responsibility for the quality of the IR team’s technical work
  – Incident lead
    • Primary contact point for handling a specific incident
    • May not perform actual incident handling
    • Coordinates handlers’ activities, gathers information, provides updates, ensures the team’s needs are met

Identify Required Resources (cont’d.)
• Technical skills (cont’d.)
  – CSIRT members need excellent technical skills
  – Technical inaccuracy in functions undermines the team’s credibility
  – Poor technical judgment can cause incidents to worsen
  – Critical technical skill areas include:
    • System administration, network administration, programming, technical support, intrusion detection
  – Team members need good problem-solving skills

Identify Required Resources (cont’d.)
• Technical skills (cont’d.)
  – Provide opportunities for learning and growth
    • Budget enough funding for technical conferences
    • Provide books, magazines, technical references
    • Provide opportunities to perform other tasks
    • Rotate staff members in and out of the CSIRT
    • Maintain sufficient staff for uninterrupted time off work
    • Create a mentoring program
    • Allow members to temporarily trade places
    • Occasionally bring in outside experts
    • Develop incident-handling scenarios and simulate them

Identify Required Resources (cont’d.)
• Nontechnical skills
  – Teamwork skills for cooperation and coordination
  – Communication skills
    • Speaking
    • Writing
• Determine your funding
  – CSIRT leader and IRP team require a clearly defined budget
    • Guides effort in planning preparation, training, and testing

Step 5: Communicating the CSIRT’s Vision and Operational Plan
• Communication important when developing the CSIRT
  – Include a feedback mechanism
  – Keep stakeholders informed and involved
• Managerial team or individual serving as champion
  – First group to communicate the CSIRT’s vision and plan
    • Champion begins cultivating a marketing stance
• Fully informed champion can:
  – Convince top management of general success
    • Demonstrates the champion is on top of the situation
    • Opens doors for additional resources and support

Step 5: Communicating the CSIRT’s Vision and Operational Plan (cont’d.)
• Educating remaining top management
  – Serves two purposes:
    • Closes the loop on the preparation phase of CSIRT team building
    • Moves the group into an operational capacity
  – Pro forma notification
    • CSIRT may have already begun supporting the organization informally
  – Adjust the executive mindset of top management as to the group’s status
  – Communicate the forthcoming CSIRT to employees

Step 6: Beginning CSIRT Implementation
• Execution of plans begins
  – Obtain management approval with a formal sign-off
• Substeps:
  – Recruit and train initial CSIRT staff
  – Purchase equipment and prepare the required network infrastructure
  – Define and prepare necessary CSIRT policies and procedures
  – Define and acquire an incident-tracking system
  – Prepare incident-reporting guidelines and forms

Step 6: Beginning CSIRT Implementation (cont’d.)
• Incident-reporting guidelines
  – Enable the constituency to interact with the CSIRT
• Incident reporting process
  – Should be concrete
  – Include directives on how to make reports
• Guidance on responding to incidents
  – How requests are prioritized, applicable service levels and response times, how notifications and escalations are managed, and how resolution is documented and reported
• Critical aspect of the IR plan: guideline and procedure definitions for incident response

Step 7: Announce the Operational CSIRT
• Provide formal or informal notice to employees
  – Describe availability of the CSIRT service
• Items to include in the announcement
  – Staff members and leadership
  – Mission and goals
  – Services and functions
  – Operating hours
  – Contact methods and number
• Circulate as part of the security awareness program
• Keep information in front of employees

Step 8: Evaluating CSIRT Effectiveness
• Two key mechanisms for the IR plan
  – Test of the CSIRT’s ability to respond to an incident
  – Means test for IR plan suitability and comprehensiveness
• CSIRT uses performance measures (metrics)
• Closing the loop
  – After action review (AAR): performed at the end
    • Detailed event examination: detection to recovery
    • Key players review notes, members review actions
    • Update plan
    • Serves as a training case for future staff

Step 8: Evaluating CSIRT Effectiveness (cont’d.)
• CSIRT performance measures
  – Methods for assessing the relative worth and operations of a subject of interest
  – Identify operational areas to assess, collect data from those areas
    • Review data periodically to determine if improving
  – Feedback mechanism options
    • Compare local CSIRT measures to other CSIRTs
    • Solicit comments from the CSIRT’s constituency
    • Use periodic surveys to gain insight from the constituency
    • Collect, report, and audit a set of empirical measures

Step 8: Evaluating CSIRT Effectiveness (cont’d.)
• CSIRT performance measures (cont’d.)
  – Useful to build a baseline of past measures
    • Compare current performance to past performance
    • Determines the effect of the CSIRT on its user community
  – Measurements used for comparison
    • Incidents reported
    • Response times
    • Resolution rates for reported incidents

Final Thoughts on CSIRT Development
• CSIRT development can be a tedious, difficult process
• Time necessary to build an effective CSIRT varies
  – Dependent on the organization’s size, industry, staffing, availability of needed skills
  – May take months or years: requires patience
• First signal of progress
  – Dramatic increase in the number of identified incidents
  – Trust in the CSIRT to respond after notification
• See http://csrc.nist.gov/publications/nistpubs and http://www.cert.org/csirts

Outsourcing Incident Response
• Organizations outsourcing part of IR capacity
  – Due to the increased popularity of managed security services
• Specialized companies
  – Install equipment such as firewalls and IDSs
  – Remotely monitor the equipment from a centralized facility

Current and Future Quality of Work
• Important consideration
  – Quality of the service provider’s work
• Other considerations
  – Current quality of work
  – Efforts to ensure quality of future work
    • Minimizing turnover and burnout
    • Providing a solid new employee training program
    • Auditing or objectively assessing the quality of service provided

Division of Responsibilities
• Organizations unwilling to give an outside resource authority over operational decisions
  – Must decide the point where the service provider hands off incident response
• Partially outsourced model
  – Service provider delivers an incident report with recommendations for handling the incident
  – Internal team ultimately makes operational decisions

Sensitive Information Revealed to the Contractor
• How to limit issues
  – Divide IR responsibilities
  – Restrict access to sensitive information
• Example
  – Contractor can determine the user ID used in an incident
    • Will not know the person associated with the user ID
  – Trusted employees can take over the investigation

Lack of Organization-Specific Knowledge
• Accurate analysis and prioritization of incidents
  – Dependent on specific environment knowledge
  – Provide the service provider regularly updated documents on:
    • Incidents concerning the organization
    • Critical resources
    • Response level under various sets of circumstances
  – Report all changes and updates to IT infrastructure, network configuration, systems
• If there is a lack of organization-specific knowledge:
  – Contractor has to make a best guess
  – Leads to problems in-house if communications are weak

Lack of Correlation
• Important to have correlation among multiple data sources
• Contractor requires administrative privileges:
  – To critical systems and security device logs
  – With remote access over a secure channel
• Issues
  – Increases administration costs
  – Introduces additional access entry points
  – Increases risk of unauthorized disclosure of sensitive information

Handling Incidents at Multiple Locations
• Effective IR work
  – Often requires physical presence at the facilities
  – Considerations for an off-site service provider
    • How quickly it can have a CSIRT at any facility
    • How much this will cost
  – Considerations for on-site visits
    • Facilities or areas where the service provider should not be permitted

Maintaining IR Skills In-House
• When the organization has completely outsourced IR
  – Strive to maintain basic IR skills in-house
    • Organization can perform incident handling if the service provider is unable to act
• For the service provider’s recommendations
  – Technical staff must understand:
    • Significance
    • Technical implications
    • Impact

Summary
• Organizations designate groups to:
  – Deal with unexpected situations
  – Reestablish the security of information assets
• Formal or informal CSIRT development requires several stages
• CSIRT formal plan requires management support
• Skills needed to respond to incidents
• IR team availability necessary to respond to incidents
• Building a CSIRT requires adequate financial support
• Strategic plan: testing, training, contact information

Summary (cont’d.)
• Formal plan final component: update mechanism
• IRP team collects information on IR and service needs to develop plan details
• Communicate CSIRT planning to general management and employees
• After the planning phase: CSIRT implemented
• CSIRT effectiveness mechanisms:
  – IR plan tests and CSIRT performance measures
• CSIRT development can be tedious
• Organizations may outsource all or part of the process
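The Step 8 measurements (incidents reported, response times, resolution rates, comparison to a baseline) and the Step 6 reporting guidance on service levels and escalation, worked through as an added example that is not from the textbook or the tutor answer. The acknowledgment targets per priority, the record format and all incident records are constructed assumptions; the text gives no figures.

```python
"""Added example (not textbook or tutor code): CSIRT performance measures from
constructed incident records, per the Step 8 measurements (incidents reported,
response times, resolution rates, baseline comparison) and the Step 6 reporting
guidance on service levels and escalation. All targets/records are assumptions."""
from collections import namedtuple
from datetime import datetime, timedelta
from statistics import median

# Assumed acknowledgment targets (hours) per priority; the text names no figures.
ACK_TARGET_HOURS = {"high": 1, "medium": 4, "low": 24}
NOW = datetime(2024, 2, 14, 9, 0)  # constructed "as of" time for open incidents
TS = "%Y-%m-%dT%H:%M"

# Constructed records: id,priority,reported,acknowledged,resolved (blank = not yet)
BASELINE_LOG = """\
INC-001,high,2024-01-03T09:00,2024-01-03T09:30,2024-01-03T15:00
INC-002,low,2024-01-10T14:00,2024-01-11T08:00,2024-01-12T10:00
INC-003,medium,2024-01-20T11:00,2024-01-20T13:00,2024-01-21T11:00
"""
CURRENT_LOG = """\
INC-010,high,2024-02-02T08:00,2024-02-02T10:30,2024-02-02T20:00
INC-011,medium,2024-02-05T09:00,2024-02-05T10:00,2024-02-06T09:00
INC-012,medium,2024-02-09T16:00,2024-02-09T17:30,
INC-013,low,2024-02-12T10:00,,
"""

Incident = namedtuple("Incident", "ident priority reported acknowledged resolved")

def parse_record(line):
    """Parse one comma-separated record; empty timestamp fields become None."""
    ident, priority, rep, ack, res = (f.strip() for f in line.split(","))
    to_dt = lambda s: datetime.strptime(s, TS) if s else None
    return Incident(ident, priority, to_dt(rep), to_dt(ack), to_dt(res))

def load(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def breaches_ack_target(inc, now):
    """Escalation trigger: acknowledged later than the priority's target.
    An unacknowledged incident is measured against 'now'."""
    ack_at = inc.acknowledged or now
    return ack_at - inc.reported > timedelta(hours=ACK_TARGET_HOURS[inc.priority])

def period_measures(records, now):
    """The Step 8 measurements for one reporting period."""
    hours = [(r.acknowledged - r.reported).total_seconds() / 3600
             for r in records if r.acknowledged]
    return {
        "incidents_reported": len(records),
        "median_response_hours": median(hours) if hours else None,
        "resolution_rate": sum(1 for r in records if r.resolved) / len(records),
        "ack_target_breaches": [r.ident for r in records if breaches_ack_target(r, now)],
    }

def compare_to_baseline(current, baseline):
    """Flag regressions against the baseline period. A rise in incidents reported
    is deliberately not flagged: the text calls it the first sign of progress."""
    findings = []
    cur, base = current["median_response_hours"], baseline["median_response_hours"]
    if cur is not None and base is not None and cur > base:
        findings.append("response time slower than baseline")
    if current["resolution_rate"] < baseline["resolution_rate"]:
        findings.append("resolution rate below baseline")
    return findings

def run_report():
    """Returns (baseline measures, current measures, regression findings)."""
    baseline = period_measures(load(BASELINE_LOG), NOW)
    current = period_measures(load(CURRENT_LOG), NOW)
    return baseline, current, compare_to_baseline(current, baseline)

if __name__ == "__main__":
    for label, value in zip(("baseline", "current", "findings"), run_report()):
        print(f"{label}: {value}")
```

On the constructed data the current period has more reports than the baseline but two acknowledgment-target breaches (one still unacknowledged) and a lower resolution rate, which is the kind of comparison the baseline is meant to expose.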

Explanation & Answer

Attached.

Running Head: INCIDENT RESPONSE

Incident Response
Student
Institution

1. Define incidents that pose a risk to the organization

The incidents that pose risks to the healthcare industry as far as information security is concerned
include when there is denial of service, whereby an operation cannot be initialized or cannot
proceed to the next step; also when there is malicious code in the Entity Relation Program (ERP)
used by the healthcare organization that results in outputting wrong information. Risks can also
be experienced when any person can access the system, that is, unauthorized entry (Mejía,
Muñoz, Ramírez, & Peña, 2016). Also when there are incidents of inappropriate usage of the
ERP in that the users are not restricted in areas where they should access. Also when there are
different parameters that do the same function, that is, multiple c...

