security 6060 Computer Security Incident Response Teams (CSIRTs) An Overview


grwn993


Description

Hi, I need 2 different papers for two different topics. First topic is:

  • Read the attached document, "Computer Security Incident Response Teams (CSIRTs) - An Overview" (Case Studies begin on page 19.)

In no more than two pages, answer the following questions:

  • Assume you are assisting one of the countries with organizing their CSIRT team. What recommendations would and operating their team?
  • Research and explain the US government strategy for a Computer Emergency Response Team. Which agency operates the CERT? What level of funding is provided to the CERT?
  • Research how businesses work and interact with the US CERT. What recommendations would you make to Wilmington University to interact with US CERT?

The paper must use APA 6th ed., 7th printing formatting and contain a title page, 2 pages of content, and a reference page.

Second paper:

  • Read the attached document, "Computer Security Incident Response Teams (CSIRTs) - An Overview" (Case Studies begin on page 19.)

In no more than two pages, answer the following questions:

  • Assume you are assisting one of the countries with organizing their CSIRT team. What recommendations would and operating their team?
  • Research and explain the US government strategy for a Computer Emergency Response Team. Which agency operates the CERT? What level of funding is provided to the CERT?
  • Research how businesses work and interact with the US CERT. What recommendations would you make to Wilmington University to interact with US CERT?

The paper must use APA 6th ed., 7th printing formatting and contain a title page, 2 pages of content, and, if needed, a reference page.

Unformatted Attachment Preview

Computer Security Incident Response Teams (CSIRTs): An Overview

Maria Bada, Global Cyber Security Capacity Centre, University of Oxford
Sadie Creese, Global Cyber Security Capacity Centre, University of Oxford
Michael Goldsmith, Global Cyber Security Capacity Centre, University of Oxford
Chris Mitchell, Global Cyber Security Capacity Centre, Royal Holloway, University of London
Elizabeth Phillips, Oxford University's Centre for Doctoral Training (CDT), Worcester College

May 2014

Contents

Abstract ... 4
1 Introduction ... 5
1.1 Scope and purpose ... 5
1.2 Structure of the paper ... 5
1.3 Audience ... 5
2 CSIRTs - An introduction ... 6
2.1 The role and purpose of CSIRTs ... 6
2.2 Terminology ... 6
2.3 Services provided by CSIRT teams ... 6
2.4 Categories of CSIRTs ... 7
2.5 Sectors of CSIRT operation ... 8
2.6 Building a new CSIRT ... 8
2.7 Determining the authority ... 9
3 Existing CSIRTs ... 10
3.1 National CSIRTs/CERTs ... 10
3.1.1 The UK CERT ... 10
3.1.2 The US-CERT ... 11
3.1.3 MyCERT Malaysia ... 12
3.2 Multinational European CSIRTs/CERTs ... 12
3.2.1 CERT EU ... 12
3.2.2 European Government CERTs Group (EGC) ... 12
3.3 CSIRT Cooperation and Coordination Organisations ... 13
3.3.1 FIRST - Forum of Incident Response and Security Teams ... 13
3.3.2 AP-CERT Asia Pacific Computer Emergency Response Team ... 14
3.3.3 TERENA - Trans-European Research and Education Networking Association ... 14
3.3.4 TI Trusted Introducer ... 15
3.3.5 CEENet ... 15
3.3.6 NATO NCIRC TC ... 15
4 Case studies ... 16
4.1 Qatar ... 16
4.2 Tunisia ... 17
4.3 Kenya ... 18
4.4 Other Case studies ... 19
References ... 20
Computer Security Incident Response Teams (CSIRTs): An Overview

Maria Bada, Global Cyber Security Capacity Centre, University of Oxford, maria.bada@cs.ox.ac.uk
Sadie Creese, Global Cyber Security Capacity Centre, University of Oxford, sadie.creese@cs.ox.ac.uk
Michael Goldsmith, Global Cyber Security Capacity Centre, University of Oxford, michael.goldsmith@cs.ox.ac.uk
Chris Mitchell, Global Cyber Security Capacity Centre, Royal Holloway, University of London, c.mitchell@rhul.ac.uk
Elizabeth Phillips, Oxford University's Centre for Doctoral Training (CDT), Worcester College, elizabeth.phillips@cybersecurity.ox.ac.uk

Abstract

Following the pioneering work at Carnegie Mellon University in the US, national Computer Emergency Response Teams (CERTs) have been established worldwide to address the ever-growing threats to information systems and their use. The problem they are designed to address, mitigating the threats posed by cyber-criminals and state-sponsored cyber-attacks, is clearly real and formidable. This paper presents the role and purpose of Computer Security Incident Response Teams (CSIRTs) and the services they provide, together with examples of existing national and multinational CSIRTs and of organisations which foster the cooperation and coordination of CSIRTs. The paper then presents case studies of national CSIRTs.

1 Introduction

1.1 Scope and purpose

The purpose of this paper is to present the mission and services provided by Computer Security Incident Response Teams (CSIRTs) at both a national and an organisational level. The primary mission of a CSIRT is to help other organisations handle incidents occurring in computer networks, as well as to provide a wider set of services. Beyond this main mission, CSIRTs need to be able to adapt to a continuously changing environment and to have the flexibility to deal with any unexpected incident.
1.2 Structure of the paper

Section 2 of this paper describes the role and purpose of CSIRTs, the services they provide, the different sectors in which CSIRTs operate, and the principles of building a new CSIRT. Section 3 provides an overview of existing CSIRTs at a national level, such as the UK CERT, the US-CERT and MyCERT from Malaysia, as well as multinational European CSIRTs, such as CERT-EU and the European Government CERTs Group (EGC). This section also presents various organisations which foster the cooperation and coordination of CSIRTs: the Forum of Incident Response and Security Teams (FIRST), the Asia Pacific Computer Emergency Response Team (APCERT), the Task Force of Computer Security and Incident Response Teams (TERENA TF-CSIRT), the Trusted Introducer (TI), the Central and Eastern European Networking Association (CEENet) and the NATO Computer Incident Response Capability - Technical Centre (NATO NCIRC TC). Section 4 presents case studies of countries which have established their own CERT. Each country follows a different approach according to its resources and needs. The examples of Qatar, Tunisia and Kenya are described.

1.3 Audience

This paper is written primarily for CSIRT and CERT experts, Chief Information Officers (CIOs), Senior Agency Information Security Officers (SAISOs) and Information System Security Officers (ISSOs). The measures presented can be used in both government and industry contexts.

2 CSIRTs - An introduction

This section presents the role and purpose of CSIRTs, the services they provide and the various sectors they can operate in. It also presents the basic principles of building a new, effective CSIRT, and the importance of the parameters within which the CSIRT will be able to act.
To be able to tackle any type of cybersecurity incident, the capacity to respond needs to exist in at least some organisational form, in particular a CSIRT. A CSIRT is a single organisation that provides information to end users as well as to organisations within the country.

2.1 The role and purpose of CSIRTs

The name Computer Emergency Response Team is the historic designation of the first team, the CERT Coordination Center (CERT/CC) [1] at Carnegie Mellon University (CMU). CERT is now a registered service mark of Carnegie Mellon University that is licensed to other teams around the world. Some teams took on the more generic name CSIRT (Computer Security Incident Response Team) to make clear that their task is handling computer security incidents rather than other technical support work.

[1] http://www.cert.org/

2.2 Terminology

CERT stands for Computer Emergency Response Team. Various abbreviations exist for the same sort of team:

• CERT or CERT/CC (Computer Emergency Response Team / Coordination Centre)
• CSIRT (Computer Security Incident Response Team)
• IRT (Incident Response Team)
• CIRT (Computer Incident Response Team)
• SERT (Security Emergency Response Team)
• WARPs (Warning, Advice and Reporting Points)

At the moment both terms (CERT and CSIRT) are used synonymously. In this document the term CSIRT will be used.

The history of CSIRTs is linked to the existence of malware, especially computer worms and viruses. Whenever a new technology arrives, its misuse is not long in following. The first worm, in the IBM VNET, was covered up. Shortly afterwards, on 3 November 1988, the so-called Morris Worm hit the Internet and paralysed a good percentage of it. This led to the formation of the CERT/CC at Carnegie Mellon University under a U.S. Government contract. With the massive growth in the use of information and communications technologies over the subsequent years, the now-generic term "CSIRT" refers to an essential part of most large organisations' structures.
2.3 Services provided by CSIRT teams

CSIRT teams provide both reactive and proactive services. Artifact handling and security quality management are also part of their purpose. These services need to be realistic and reflect the financial, labour and technical resources available to a nation. A more detailed list of CSIRT services is presented below (Table 1).

A CSIRT needs to act as a focal point for incident reporting and to be easily reached by users. A CSIRT has three essential attributes: a) a central location in relation to its constituency, b) an educational role with regard to computer security, and c) an incident handling role (Javaid, 2013). The accumulated experience of the personnel in a CSIRT is crucial, both for responding to incidents and for educating others.

The European Commission [2] has also presented the requirements and tasks of a Computer Emergency Response Team (CERT). In November 2013 ENISA [3] released a report titled "Good practice guide for CERTs in the area of Industrial Control Systems - Computer Emergency Response Capabilities considerations for ICS". This report "builds upon the current practice of CERTs with responsibilities for ICS networks, and also on the earlier work of ENISA on a baseline capabilities scheme for national/governmental (n/g) CERTs", without prescribing which entity should provide these services for the EU. The good practice guide divides ICS-CERC provisions into four categories: mandate capabilities, technical operational capabilities, organisational operational capabilities, and co-operational capabilities.

Table 1. Services provided by CSIRTs (CSIRT services list from CERT/CC [4])

Reactive Services
• Alerts and Warnings
• Incident Handling
  - Incident Analysis
  - Incident Response on Site
  - Incident Response Support
  - Incident Response Coordination
• Vulnerability Handling
  - Vulnerability Analysis
  - Vulnerability Response
  - Vulnerability Response Coordination
• Artifact Handling
  - Artifact Analysis
  - Artifact Response
  - Artifact Response Coordination

Proactive Services
• Announcements
• Technology Watch
• Security Audits or Assessments
• Configuration and Maintenance of Security Tools
• Development of Security Tools
• Intrusion Detection Services
• Security Related Information Dissemination

Security Quality Management Services
• Risk Analysis
• Business Continuity and Disaster Recovery
• Security Consulting
• Awareness Building
• Education/Training
• Product Evaluation or Certification

[2] European Commission, 2013. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2013:0048:FIN:EN:PDF
[3] ENISA, Good practice guide for CERTs in the area of Industrial Control Systems - Computer Emergency Response Capabilities considerations for ICS, December 2013. http://www.enisa.europa.eu/activities/cert/support/baseline-capabilities/ics-cerc/good-practice-guide-for-certs-in-the-area-of-industrial-control-systems/at_download/fullReport
[4] CSIRT Services list from CERT/CC: http://www.cert.org/csirts/services.html

2.4 Categories of CSIRTs

General categories of CSIRTs include [5]:

• Internal or organisational CSIRTs - provide incident handling services to their parent organisation (e.g. a university).
• National CSIRTs - coordinate and facilitate the handling of incidents for a particular country or economy.
• Analysis Centers - focus on synthesising data from various sources to determine trends and patterns in incident activity. This information can then be used to help predict future activity or to provide early warning when current activity matches a set of previously determined characteristics.
• Vendor Teams - coordinate with organisations who report and track vulnerabilities.
• Incident Response Providers - provide incident handling services as a product to other organisations. These are sometimes referred to as Managed Security Service Providers (MSSPs).

Various global and regional organisations devoted to incident management collaboration and coordination have been created. These include the Forum of Incident Response and Security Teams (http://www.first.org/).

[5] Creating and Managing Computer Security Incident Handling Teams (CSIRTs), CERT Training and Education, Networked Systems Survivability, Software Engineering Institute, Carnegie Mellon University, 2008. http://www.first.org/conference/2008/papers/killcrece-georgia-slides.pdf

2.5 Sectors of CSIRT operation

There can be more than one CSIRT in a country, each serving the interests of a different constituency: for example the academic sector, the banking and financial sectors, the commercial sector, the CIP/CIIP sector, the governmental/national sector, the military, the energy sector, and individual organisations. These CSIRTs focus on, and provide services and support to, their defined constituency for the prevention of, handling of, and response to cybersecurity incidents. It is also possible for a country to designate a single entity as its national CSIRT, serving primarily government and government-related organisations.

2.6 Building a new CSIRT

In order to create an effective CSIRT, Carnegie Mellon University (CMU, J. Haller, 2011) hold that there are four core principles all CSIRTs must have:

• Technical Excellence: The national CSIRT/CERT should have the most up-to-date resources and advice; to maintain this advantage, the advice it gives must be sound, which requires high levels of technical excellence. This may mean that the CSIRT initially offers only a small number of good-quality capabilities rather than many poor-quality ones.
• Trust: If organisations and end users do not explicitly trust the CSIRT, they will be unable to share data with it and will not be able to use all the facilities on offer. Trust is crucial for partner organisations, which will want confirmation that the CSIRT can handle sensitive information responsibly.
• Resource Efficiency: The CSIRT must constantly adapt by analysing potential new threats and their potential impact. This then helps to steer the allocation of funding towards the threats and incidents that are truly of interest to the CSIRT.
• Cooperation: The CSIRT should cooperate as fully as possible (taking into account the sensitivity of some of its clients' data) with national stakeholders, government and other national CSIRTs/CERTs, so that knowledge can be shared and they can collaborate on complex problems.

Before the real work begins, it is crucial to identify key partners and sponsors to ensure the financial security of the CSIRT. Once this has been established, it is then necessary to determine any limiting factors, such as time commitment, skill level of staff and the physical infrastructure available [6].

[6] Grobler, Marthie and Bryk, Harri, 2010. http://icsa.cs.up.ac.za/issa/2010/Proceedings/Full/17_Paper.pdf

2.7 Determining the authority

Depending on the purpose of the CSIRT and its sponsor, the CSIRT may be able to prescribe or mandate particular actions after cyber-attacks and may be able to enforce other security measures. In some instances, however, government approval or advice may be required before any action is taken. The parameters within which the CSIRT will be able to act will depend on the specific nation's laws, culture and customs.
The precise nature of the CSIRT may determine the level of cooperation and the sharing of sensitive data, as some organisations may be reluctant to disclose information if they believe the CSIRT to be too self-governing.

3 Existing CSIRTs

There are a large number of CSIRTs in existence, in many different countries. Every country has different CSIRT capabilities and a different level of maturity at its disposal. African countries such as Kenya, Mauritius, South Africa and Tunisia already have national CSIRTs/CERTs, and many countries in the rest of the world have built CSIRTs. This section provides an overview of existing CSIRTs/CERTs at a national level, such as the UK CERT, the US-CERT and MyCERT from Malaysia, as well as multinational European CERTs, such as CERT-EU and the European Government CERTs Group (EGC). It also presents various organisations which foster the cooperation and coordination of CERTs: the Forum of Incident Response and Security Teams (FIRST), the Asia Pacific Computer Emergency Response Team (AP-CERT), the Task Force of Computer Security and Incident Response Teams (TERENA TF-CSIRT), the Trusted Introducer (TI), the Central and Eastern European Networking Association (CEENet) and the NATO Computer Incident Response Capability - Technical Centre (NATO NCIRC TC).

3.1 National CSIRTs/CERTs

3.1.1 The UK CERT

The UK's National Computer Emergency Response Team (CERT-UK) [7] works closely with industry, government and academia to enhance UK cyber resilience. CERT-UK has four main responsibilities that flow from the UK's Cyber Security Strategy [8]:

• National cyber security incident management.
• Support to Critical National Infrastructure companies in handling cyber security incidents.
• Promoting cyber security situational awareness across industry, academia and the public sector.
• Providing the single international point of contact for coordination and collaboration between national CERTs.
GovCertUK, the UK Government's CERT, falls under the Communications-Electronics Security Group (CESG) [9], the UK Government's National Technical Authority for Information Assurance. Its Incident Response Guidelines [10] give individuals and companies clear details of what falls within the scope of GovCertUK and what is beyond its control. An important part of its mission is to educate everyday users by producing engaging posters and clear information packs [11] for organisations and end users. To keep reporting simple for users there are only four categories of incident:

• A. Concerted Targeted Attack - must be reported to GovCertUK. Incidents that are concerted, repeated, targeted and causing harm to the confidentiality, integrity or availability of ICT systems or data.
• B. Targeted Attack - must be reported to GovCertUK. Incidents that are repeated, targeted and causing harm to the confidentiality, integrity or availability of ICT systems or data.
• C. Non-Targeted - GovCertUK is to be tipped. Incidents that are general and non-targeted, or incidents where the IT teams suspect suspicious behaviour.
• D. Other reporting - GovCertUK is to be tipped. Cryptographic events such as loss of a laptop or media, protective marking breaches, etc.

"Reported" means that a formal report needs to be submitted; "tipped" means that GovCertUK needs to be informed but no formal report is required.

The informal method of tipping off GovCertUK encourages companies to seek advice and inform GovCertUK even if they are unsure, since it is not time-consuming and they can still get advice and guidance; this improves the trust between GovCertUK and the organisation or user. When an incident is reported and GovCertUK advises that action needs to be taken, a step-by-step guide indicating how to resolve the situation is sent directly to the victim, along with a summary of the incident containing the most important information, should the organisation want to conduct its own investigation at a later date. The UK CERT not only analyses and handles incidents but also actively welcomes samples of malicious code to improve its understanding, and stresses that a formal report need not accompany the code. Moreover, GovCertUK stresses that no "blacklist" of companies is maintained, and that if a report leads to further action no blacklisting will happen either. The transparent nature of GovCertUK allows organisations to trust its actions, and users are happy to report incidents.

[7] CERT-UK https://www.cert.gov.uk/
[8] UK's Cyber Security Strategy https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
[9] CESG https://www.cesg.gov.uk
[10] GovCertUK Incident Response Guidelines http://www.cesg.gov.uk/publications/Documents/incident_response_guidelines.pdf
[11] GovCertUK Information packs http://www.cesg.gov.uk/awarenesstraining/PET/Pages/index.aspx

3.1.2 The US-CERT

US-CERT [12] is a partnership between the Department of Homeland Security and the public and private sectors. It was established to protect the nation's Internet infrastructure and to coordinate defence against, and responses to, cyber-attacks across the nation, improving computer security preparedness and response to cyber-attacks in the United States. US-CERT also provides a way for citizens, businesses and other institutions to communicate and coordinate directly with the United States government about cyber security. Like GovCertUK, US-CERT produces a large number of publicly available self-help guides, ranging from instructions on securing a computer against spyware to disposing of devices safely, and everything in between.
The advice is aimed at both home and business users and covers basic cloud security, home network security, and information to help users understand denial of service attacks and how to avoid social engineering and phishing attacks. Government users are directed to specific alerts and bulletins relevant to the current situation, as well as tools, programs and guidance on the reporting of incidents, whereas Control System users see more targeted information on the latest software update alerts, recommended practices, training, and assessment tools for the organisation. This targeting ensures that home users are not bombarded with irrelevant information, while technically aware Control System users are given more detail on the technical skills and best practices needed to protect against most cybersecurity attacks.

[12] US-CERT https://www.us-cert.gov/about-us

3.1.3 MyCERT Malaysia

MyCERT [13] is the Malaysian CERT and works closely with the CERT Coordination Center and with the following partners:

• Asia Pacific Computer Emergency Response Team (AP-CERT)
• Organisation of the Islamic Conference - Computer Emergency Response Team [14] (OIC-CERT)
• The Honeynet Project [15]
• Forum of Incident Response and Security Teams (FIRST)
• The Anti-Phishing Working Group [16] (APWG)

MyCERT's primary mission is to address the computer security concerns of Internet users; its vision is to reduce the probability of successful attacks and lower the risk of consequential damage. MyCERT appreciates the importance of local end users but offers a narrower range of facilities.

[13] MyCERT http://www.mycert.org.my/en/
[14] OIC-CERT http://www.oic-cert.net/v1/index.html
[15] The Honeynet Project http://www.honeynet.org/about
[16] APWG http://www.antiphishing.org/

3.2 Multinational European CSIRTs/CERTs

3.2.1 CERT EU

CERT-EU [17] is the permanent Computer Emergency Response Team for the EU institutions, agencies and bodies. The team is made up of IT security experts from the main EU institutions (European Commission, General Secretariat of the Council, European Parliament, Committee of the Regions, Economic and Social Committee). It cooperates closely with other CERTs in the Member States and beyond, as well as with specialised IT security companies. CERT-EU's mission is to support the European institutions in protecting themselves against intentional and malicious attacks that would hamper the integrity of their IT assets and harm the interests of the EU. The scope of CERT-EU's activities covers prevention, detection, response and recovery. CERT-EU operates according to the following key values:

• Highest standards of ethical integrity
• High degree of service orientation and operational readiness
• Effective responsiveness in case of incidents and emergencies, and maximum commitment to resolving the issues
• Building on, and complementing, the existing capabilities in the constituents
• Facilitating the exchange of good practices between constituents and with peers
• Fostering a culture of openness within a protected environment, operating on a need-to-know basis

CERT-EU gradually extends its services on the basis of the requirements of its constituency, taking into account the available competencies, resources and partnerships.

[17] CERT-EU http://cert.europa.eu/cert/

3.2.2 European Government CERTs Group (EGC)

Within Europe, some of the countries with successful CSIRTs have joined together to form the European Government CERTs Group (EGC) [18]. The EGC exists to informally associate government CERTs across Europe. The group encourages collaboration between national CERTs, which increases each country's individual knowledge.

[18] The European Government CERTs Group http://www.egc-group.org/
The group aims to:

• Jointly develop measures to deal with large-scale or regional network security incidents
• Facilitate information sharing and technology exchange relating to IT security incidents and to malicious code threats and vulnerabilities
• Identify areas of specialist knowledge and expertise that could be shared within the group
• Identify areas of collaborative research and development on subjects of mutual interest
• Communicate common views with other initiatives and organisations.

The members of the European Government CERTs Group are:

• Austria - GovCERT.AT
• Belgium - CERT.be
• Denmark - Danish GovCERT
• Finland - CERT-FI
• France - CERT-FR
• Germany - CERT-Bund
• Netherlands - NCSC-NL
• Norway - NorCERT
• Spain - CCN-CERT
• Sweden - CERT-SE
• Switzerland - GovCERT.ch
• United Kingdom - CSIRTUK
• United Kingdom - GovCertUK

3.3 CSIRT Cooperation and Coordination Organisations

Successful cooperation [19] among CSIRTs or abuse teams located in different countries and regions is a key factor for successful incident handling, because of the global character of the Internet and of security threat propagation. Many other CSIRT services also depend strongly on collaboration with other teams from different parts of the world.

[19] ENISA, 2006, CERT_cooperation_ENISA.pdf

3.3.1 FIRST - Forum of Incident Response and Security Teams

The Forum of Incident Response and Security Teams [20] (FIRST) consists of a network of individual computer security incident response teams that work together voluntarily to deal with computer security problems and their prevention, to stimulate rapid reaction to incidents, and to promote information sharing among members of the community at large. FIRST's mission includes:

• FIRST develops and shares technical information, tools, methodologies, processes and best practices
• FIRST encourages and promotes the development of quality security products, policies and services
• FIRST develops and promulgates best computer security practices
• FIRST promotes the creation and expansion of incident response teams and membership from organisations around the world
• FIRST members use their combined knowledge, skills and experience to promote a safer and more secure global electronic environment.

[20] FIRST http://www.first.org/

3.3.2 AP-CERT Asia Pacific Computer Emergency Response Team

AP-CERT [21] is a coalition of CERTs from 13 economies across the Asia Pacific region. AP-CERT organises an annual meeting, the APSIRC conference; the first was held in 2002 in Tokyo, Japan. The mission of AP-CERT is to improve the region's awareness of and competency in relation to computer security incidents through:

• Enhancing Asia Pacific regional and international cooperation on information security.
• Jointly developing measures to deal with large-scale or regional network security incidents.
• Facilitating information sharing and technology exchange, including on information security, computer viruses and malicious code, among its members.
• Promoting collaborative research and development on subjects of interest to its members.
• Assisting other CERTs and CSIRTs in the region to conduct efficient and effective computer emergency response.
• Providing inputs and/or recommendations to help address legal issues related to information security and emergency response across regional boundaries.
3.3.3 TERENA – Trans-European Research and Education Networking Association

The Trans-European Research and Education Networking Association [22] (TERENA) offers a forum to collaborate, innovate and share knowledge in order to foster the development of Internet technology, infrastructure and services to be used by the research and education community. TERENA works in close collaboration with TF-CSIRT, providing secretarial support.

3.3.3.1 TERENA TF-CSIRT – Task Force of Computer Security and Incident Response Teams

The Task Force of Computer Security and Incident Response Teams (TF-CSIRT) is a task force that promotes collaboration and coordination between CERTs in Europe and neighbouring regions, whilst liaising with relevant organisations at the global level and in other regions. TF-CSIRT provides a forum where members of the CERT community can exchange experiences and knowledge in a trusted environment in order to improve cooperation and coordination. It maintains a system for registering and accrediting CERTs, as well as certifying service standards. The task force also develops and provides services for CERTs, promotes the use of common standards and procedures for handling security incidents, and coordinates joint initiatives where appropriate. This includes the training of CERT staff and assisting in the establishment and development of new CERTs. The task force further liaises with FIRST, ENISA and other regional CERT organisations, as well as defence and law enforcement agencies. Secretarial support for this task force is provided by TERENA with funding from the GN3 project.

[21] AP-CERT, http://www.apcert.org/
[22] TERENA, http://www.terena.org/

3.3.4 TI – Trusted Introducer

Trusted Introducer (TI) [23] provides European CERTs with a public repository that lists all known European CERTs and explains the TI's accreditation service. It facilitates trust by formally accrediting CERTs that are ready to take that step. Once accredited, a CERT gains access to the restricted TI repository, where it can find details on fellow CERTs, readily downloadable contact lists and PGP key rings, a secure discussion forum, automatic RIPE Database IRT-object registration and more.

3.3.5 CEENet

The Central and Eastern European Networking Association (CEENet) [24] is a regional cooperation in Central and Eastern Europe that also includes some adjacent countries from Asia; its goal is to share computer networking knowledge between the more and less developed members of the association. The primary mission of CEENet is to co-ordinate the international aspects of the academic, research and education networks in Central and Eastern Europe and in adjacent countries. Moreover, CEENet promotes and supports technical and organizational collaboration between NRENs.

3.3.6 NATO NCIRC TC

The NATO Computer Incident Response Capability – Technical Centre (NCIRC TC) [25] is Tier 2 of the NATO Computer Incident Response Capability (NCIRC). The site is maintained by the NATO Information Assurance Technical Centre (NIATC) to provide operational CERT support to the NATO CIS community, including:
a) Incident handling
b) Vulnerability and threat information
c) Vulnerability assessment (online / on site)
d) Consultancy services (scientific and forensic)
e) Online data collection and monitoring (IDS, antivirus, firewalls)
f) Online support (auto updates, downloads, SOPs)
g) Offline incident analysis and security testing.

[23] TI, http://www.trusted-introducer.org/
[24] CEENET, http://www.ceenet.org/
[25] NCIRC NATO, http://www.ncirc.nato.int/

4 Case studies

In this section we look in greater detail at three examples of national CSIRTs/CERTs: those of Qatar, Tunisia and Kenya. It is clear that each country follows a different approach according to its resources and needs.
Through reviewing these examples we can get an idea of the scope of their activities, which in turn helps us understand how one might assess their effectiveness.

4.1 Qatar

In the Middle East, ictQATAR (Supreme Council of Information Technology of Qatar), as the premier national body responsible for technology initiatives, recognised the role that ICT plays in the region and the need for a long-term strategic partnership with CERT/CC. As such, it sponsored the Qatar Computer Emergency Response Team (Q-CERT) [26] program and was the founding partner of the regional GCC-CERT initiative. Q-CERT was initially influenced by the Council of Information and Communication Technology (ictQATAR), CERT/CC and Carnegie Mellon University's Software Engineering Institute.

Q-CERT's vision is to be recognized as:
- A leader in Qatar and the region in promoting IT security standards, practices, products and services to improve the security of critical IT infrastructure.
- A credible source of cyber security information.
- A trusted, confidant partner in responding to cyber security incidents.
- A leader in building cyber security human capacity in the State of Qatar.

They divided their work into three main categories, namely "Critical Infrastructure Protection", "Watch, Warning, Investigation and Response" and "Outreach, Awareness and Teaching".
- Critical Infrastructure Protection: Their aim was to assist key national resources in identifying and addressing information security vulnerabilities and threats, and to provide new approaches for damage assessment and for recovering operations on affected systems, alongside other tasks.
- Watch, Warning, Investigation and Response: Their aim was to assist in creating new cybercrime and privacy laws and to establish a national center for threat, vulnerability and security event data.
- Outreach, Awareness and Teaching: They aim to act as a forum for national dialogue on cyber security and to increase awareness and understanding of cyber security issues within public and private institutions and among the public.

A curriculum in information security was created which included:
a) Creating a Computer Security Incident Response Team (CSIRT)
b) Managing Computer Security Incident Response Teams
c) Fundamentals of Incident Handling
d) Advanced Incident Handling
e) Information Security for Technical Staff
f) Advanced Information Security for Technical Staff
g) Computer Forensics for Technical Staff
h) OCTAVE Training Workshop

[26] Q-CERT, http://www.qcert.org/

Their initial ideas have set down a long-term sponsorship for the CERT, which will enable continuity and secure future research alongside their growing relationship with CERT/CC.

4.2 Tunisia

Tunisia [27] set up its CERT, called CERT-TCC, with national responsibility for providing incident management services for:
- Government
- Public and private sector
- Home users
- Professionals
- Banks

CERT-TCC provides services free of charge to organizations and aims to ensure:
- Centralized coordination for IT security issues (trusted point of contact)
- A centralized and specialized unit for incident response
- Technology and security watch
- Cyberspace monitoring
- The expertise to support and assist organizations in recovering quickly from security incidents
- Awareness among all categories of users

CERT-TCC adopted a limited-resources, low-cost approach and relied heavily on open source approaches. These approaches reduced cost but had an effect on the trust associated with the CERT, due to the open-source handling of sensitive data. Awareness is the main focal point of CERT-TCC, and its approach relies on the collaboration of national partners in order to provide free technical support to customers.
They also provided attack simulations in order to assess the possible vulnerabilities of organizations. Tunisia has also established a National Reaction Plan, the formal plan that initiates the establishment of Coordination Crisis Cells across the country. This approach was deployed with great success in 2004 for the African Football Cup and the presidential elections, as well as during the Arab League in 2005. The high skills of the employees, combined with low running costs, made available a wide range of services including incident analysis, incident response coordination, penetration testing, virus handling and hotlines, in addition to secondary services such as security policy development, forensic evidence collection and monitoring of network and system logs.

[27] Developing national CSIRT capabilities – A case study of Tunisian CERT, http://www.itu.int/ITU-D/cyb/events/2009/tunis/docs/elmir-ansi-csirt-june-09.pdf

4.3 Kenya

There have been various initiatives to establish a national CERT [28] in Kenya. As Kenya becomes increasingly connected to and dependent on the internet, it was important to determine the risk exposure of not having a CERT. The first such initiative was CERT-Kenya, sponsored by the Kenya Network Information Centre (KENIC) and the Telecommunication Service Providers of Kenya (TESPOK). The objective of CERT-Kenya was to assist members of the local internet community in implementing proactive measures to reduce the risk of computer security incidents and to assist the community in responding to such incidents when they occur. However, CERT-Kenya is currently not functional. The Kenya Information and Communications Act CAP 411A mandates the Communications Commission of Kenya (CCK) to develop a national cyber security management framework through the establishment of a national Computer Incident Response Team (CIRT).
CCK set up the Kenya Computer Incident Response Team Coordination Centre (KE-CIRT/CC) [29], whose mandate is to coordinate the response to and management of cyber security incidents nationally and to collaborate with relevant actors locally, regionally and internationally. Its functions are as follows:
- Coordinating computer security incident response at the national level and acting as the national trusted point of contact
- Liaising with local sector Computer Incident Response Teams (CIRTs), regional CIRTs, international CIRTs and other related organizations
- Gathering and disseminating technical information on computer security incidents, vulnerabilities, security fixes and other security information, as well as issuing alerts and warnings
- Carrying out research and analysis on computer security and related technologies and advising on new trends
- Facilitating the development of a national Public Key Infrastructure (PKI)
- Capacity building in information security and creating and maintaining awareness of cyber security-related activities, among others

The Industry Computer Security Incident Response Team (iCSIRT) is an initiative of the Telecommunication Service Providers of Kenya (TESPOK). iCSIRT was established to ensure that network integrity and information security are maintained at the Kenya Internet Exchange Point (KIXP). Services currently offered by iCSIRT include weekly reports on bad IPs reported on members' networks, security bulletins, alerts and warnings, and general security incident handling. The overall goal of iCSIRT is to develop and promote the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage and to ensure continuity of critical services.

The East Africa Communications Organization (EACO) set up a Cybersecurity Taskforce.
The vision of the taskforce is to build confidence and security in the use of cyberspace in the East Africa (EA) region, while its mission is to enhance the security of cyberspace in the EA region through collaboration amongst all the stakeholders.

[28] Mwende Njiraini, Establishing a National Computer Incident Response Team (CSIRT) in Africa: Kenyan case study, 2011, http://api.ning.com/files/CiKtTdA9zz-bWrycYFYBYPsPW3M6MW83isAbwDQEvM7UoZt7B9oQ9xLbNk*fZbBJxfUnVWV7k6nkQYcmpAtpSNljYOyGZT/EstablishingaNationalComputerSecurityIncidentResponseTeamCSIRTinAfricaAKenyanCaseStudy.pdf
[29] KE-CIRT/CC, http://www.cck.go.ke/industry/information_security/ke-cirt-cc/

4.4 Other case studies

Other countries have established CERTs effectively. A few examples can be viewed in the case studies below:
- Setting up a Governmental CERT – A case study of Spain's CCN-CERT, http://www.first.org/conference/2007/papers/abad-carlos-slides.pdf
- A National Cyber Security Strategy – A case study of Arab Emirates CERT, http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/bazargan-national-strategy-aeCERTdoha-feb-08.pdf
- Vietnam Computer Emergency Response Team case studies, http://www.cicc.or.jp/japanese/kouenkai/pdf_ppt/afit/7_Mr.%20Do%20Ngoc%20Duy%20Trac.pdf
- Sri Lankan Computer Emergency Response Team case studies, http://www.slcert.gov.lk/case.html
- Digital Security Consulting case studies, http://www.dsconsult.net/case-studies.php

References

AP-CERT, Asia Pacific Computer Emergency Response Team. Retrieved from http://www.apcert.org/
APWG, The Anti-Phishing Working Group. Retrieved from http://www.antiphishing.org/
Arora, Ashish, Telang, Rahul and Xu, Hao, Optimal Policy for Software Vulnerability Disclosure, 2005. Retrieved from http://dx.doi.org/10.2139/ssrn.669023
CERT. Retrieved from http://www.cert.org/
CERT EU. Retrieved from http://cert.europa.eu/cert/
CERT UK. Retrieved from https://www.cert.gov.uk/
CSIRT Services list from CERT/CC. Retrieved from http://www.cert.org/csirts/services.html
ENISA, Good practice guide for CERTs in the area of Industrial Control Systems – Computer Emergency Response Capabilities considerations for ICS, December 2013. Retrieved from http://www.enisa.europa.eu/activities/cert/support/baseline-capabilities/ics-cerc/good-practice-guidefor-certs-in-the-area-of-industrial-control-systems/at_download/fullReport
ENISA, CERT Inventory – Inventory of CERT teams and activities in Europe, Version 2.12b, January 2014. Retrieved from http://www.enisa.europa.eu/activities/cert/background/inv/files/inventory-of-certactivities-in-europe
ENISA, Step-by-Step Guide to Setting Up a CSIRT. Retrieved from http://www.enisa.europe.eu/cert_guide/downloads/CSIRT_setting_up_guide_ENISA.pdf
European Commission (EC), Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, Brussels, 7.2.2013, COM (2013) 48 final. Retrieved from http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2013:0048:FIN:EN:PDF
Forming an Incident Response Team. Retrieved from http://www.auscert.org.au/render.html?it=2252&cid=1920
FIRST, Creating and Managing Computer Security Incident Handling Teams (CSIRTs), CERT Training and Education, Networked Systems Survivability, Software Engineering Institute, Carnegie Mellon University, 2008. Retrieved from http://www.first.org/conference/2008/papers/killcrece-georgia-slides.pdf
FIRST, Forum of Incident Response and Security Teams. Retrieved from http://www.first.org/
GovCertUK, Incident Response Guidelines. Retrieved from http://www.cesg.gov.uk/publications/Documents/incident_response_guidelines.pdf
GovCertUK, Information packs. Retrieved from http://www.cesg.gov.uk/awarenesstraining/PET/Pages/index.aspx
Grobler, Marthie and Bryk, Harri, Common Challenges Faced During the Establishment of a CSIRT, IEEE, 2010. Retrieved from http://icsa.cs.up.ac.za/issa/2010/Proceedings/Full/17_Paper.pdf
Internet Engineering Task Force (IETF), Site Security Handbook. Retrieved from http://www.ietf.org/rfc/rfc2196.txt
Internet Engineering Task Force (IETF), Expectations for Computer Security Incident Response. Retrieved from http://www.ietf.org/rfc/rfc2350.txt
Internet Engineering Task Force (IETF), Internet Security Glossary. Retrieved from http://www.ietf.org/rfc/rfc2828.txt
ITU, Developing national CSIRT capabilities – A case study of Tunisian CERT. Retrieved from http://www.itu.int/ITU-D/cyb/events/2009/tunis/docs/elmir-ansi-csirt-june-09.pdf
Q-CERT, Qatar Computer Emergency Response Team. Retrieved from http://www.qcert.org/
Javaid, Muhammad Adeel, Benchmarks for Setting Up CERT, September 10, 2013. Retrieved from http://dx.doi.org/10.2139/ssrn.2389061
Kang, Jerry, Information Privacy in Cyberspace Transactions, Stanford Law Review, Vol. 50, p. 1193, 1998. Retrieved from http://ssrn.com/abstract=631723
Kenya Computer Incident Response Team Coordination Centre (KE-CIRT/CC). Retrieved from http://www.cck.go.ke/industry/information_security/ke-cirt-cc/
Mwende Njiraini, Establishing a National Computer Incident Response Team (CSIRT) in Africa: Kenyan case study, 2011. Retrieved from http://api.ning.com/files/CiKtTdA9zz-bWrycYFYBYPsPW3M6MW83isAbwDQEvM7UoZt7B9oQ9xLbNk*fZbBJxfUnVWV7k6nkQYcmpAtpSNljYOyGZT/EstablishingaNationalComputerSecurityIncidentResponseTeamCSIRTinAfricaAKenyanCaseStudy.pdf
MyCERT Malaysia. Retrieved from http://www.mycert.org.my/en/
NATO Computer Incident Response Capability – Technical Centre (NCIRC TC). Retrieved from http://www.ncirc.nato.int/
NIST, Computer Security Incident Handling Guide, National Institute of Standards and Technology (NIST SP 800-61). Retrieved from http://www.csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
OIC-CERT, Organization of the Islamic Conference – Computer Emergency Response Team. Retrieved from http://www.oic-cert.net/v1/index.html
Solove, Daniel J., A Taxonomy of Privacy, University of Pennsylvania Law Review, Vol. 154, No. 3, p. 477, January 2006; GWU Law School Public Law Research Paper No. 129. Retrieved from http://ssrn.com/abstract=667622
Spiekermann, Sarah and Cranor, Lorrie Faith, Engineering Privacy, IEEE Transactions on Software Engineering, Vol. 35, No. 1, 2009. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1085333
Spiekermann, Sarah, Berendt, Bettina and Grossklags, Jens, E-Privacy in 2nd Generation E-Commerce: Privacy Preferences versus Actual Behavior. Retrieved from http://ssrn.com/abstract=761107
Strandburg, Katherine J., Privacy, Rationality, and Temptation: A Theory of Willpower Norms, Rutgers Law Review, Vol. 57, No. 4, Spring 2005. Retrieved from http://ssrn.com/abstract=755284
TERENA, Trans-European Research and Education Networking Association. Retrieved from http://www.terena.org/
TERENA, TF-CSIRT Guide to Setting up a CSIRT. Retrieved from http://www.terena.org/activities/tf-csirt/archive/acert7.html
Trim, Peter and Youm, Heung Youl, Korea-UK Collaboration in Cyber Security: From Issues and Challenges to Sustainable Partnership, Report Submitted to the Korean Government and the UK Government, March 2014, British Embassy Seoul, Republic of Korea. Retrieved from http://www.iaac.org.uk/ItemFiles/ReportTrimYoumCyberSecurityMarch14.pdf
Trusted Introducer (TI). Retrieved from http://www.trusted-introducer.org/
Software Engineering Institute (SEI), Avoiding the Trial-by-Fire Approach to Security Incidents. Retrieved from http://www.sei.cmu.edu/news-at-sei/columns/security_matters/1999/mar/security_matters.htm
The European Government CERTs Group. Retrieved from http://www.egc-group.org/
UK Cyber Security Strategy. Retrieved from https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cybersecurity-strategy-final.pdf
US-CERT. Retrieved from https://www.us-cert.gov/about-us
GOVCERT.NL, CERT-IN-A-BOX. Retrieved from http://www.govcert.nl/render.html?it=69
The Central and Eastern European Networking Association (CEENET). Retrieved from http://www.ceenet.org/
Communications-Electronics Security Group. Retrieved from https://www.cesg.gov.uk
The Honeynet Project. Retrieved from http://www.honeynet.org/about

The Global Cyber Security Capacity Centre is funded by the United Kingdom Foreign and Commonwealth Office and hosted by the Oxford Martin School.
Oxford Martin School, University of Oxford, Old Indian Institute, 34 Broad Street, Oxford OX1 3BD, United Kingdom. Tel: +44 (0)1865 287430, Fax: +44 (0)1865 287435, Email: cybercapacity@oxfordmartin.ox.ac.uk, www.oxfordmartin.ox.ac.uk

Global Information Assurance Certification Paper
Copyright SANS Institute. Author Retains Full Rights.
This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.

An Introduction to the Computer Security Incident Response Team (CSIRT): Set-Up and Operational Considerations
Author: Tom Campbell, CISSP, ABCP
Date Submitted: March 2003
Practical Requirements: GSEC v.1.4b
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.

Table of Contents
Abstract
Background
  Computer Security
    Preventative Operations
    Detection operations
    Response operations
    Recovery operations
  Computer Security Incident
    Categories and Types of Security Incidents
  Computer Security Incident Response
Defining a CSIRT
  CSIRT Defined
  CSIRT Acronyms
  CSIRT Goal
  CSIRT Objectives
The Need for a CSIRT
  Benefits
    Economic
    Public Relations
    Legal
  Return on Investment
    Annual Loss Expectancy
    Savings Provided by a CSIRT
    Cost of a CSIRT
    Actual Savings of a CSIRT
    CSIRT ROI
  Facts and Statistics
Roles and Responsibilities of a CSIRT
  Non-Real-Time Incident Response Activities - Pre-Incident Activities
    Charter
    Policy
    Incident reporting procedures
    Incident information tracking and handling procedures
    Costing an Incident
  Real Time Incident Response Activities
    Incident Handling
    Incident Recovery
    Investigation
    IT Security
    Management/Legal
    Communications
  Non-Real-Time Incident Response Activities - Post-Incident Activities
    Post Mortem
Requirements of a CSIRT
  Proper, Up-to-date Technology
  Correct, Trained People
  Complete and Tested Processes and Procedures
  Defined Authority and Support
  Adequate Funding
  Organisational Buy-In
Areas Involved in a CSIRT
Conclusion
Bibliography

Abstract

The socio-economic environment of today is evolving and becoming more security conscious. People are taking an increasing number of steps to ensure their safety and security, and are demanding the same of organisations in both government and industry. These changes in turn are being echoed in demands for information technology security. People are demanding that their personal information which is processed, transmitted or stored electronically be handled securely. These demands are being recognized by government and industry alike and are beginning to be reflected in laws and business practices.

Threats and vulnerabilities, in one form or another, will likely always affect information technology. Organisations will need to continually identify where they are at risk and find ways to mitigate it. However, preventative actions are not always foolproof. As such, methods of detection must be put in place to identify when a compromise has taken place. Response activities, in turn, need to be established to deal with these detections. This is where the need for a Computer Security Incident Response Team (CSIRT) becomes more apparent.

A Computer Security Incident Response Team (CSIRT) is one of the best ways to bring together the expertise necessary to deal with the wide range of possible computer security incidents that can arise. This paper will introduce the reader to the CSIRT and what is required to build and operate one.

The paper will define and explain the need for a CSIRT. It will go on to introduce the possible roles and responsibilities, the requirements for construction and operation, and the possible organizational structure of a CSIRT.
Background

Before discussing computer security incident response, it is a good idea to take a minute to see how and where it fits into the whole computer security picture. First and foremost is to define exactly what constitutes computer security.

Computer Security

Computer Security: Computer security is the preservation of the confidentiality, integrity and availability of all information that is processed, stored and transmitted using a computer.

Confidentiality is the property that information is made available or disclosed only to authorized individuals, entities or processes. Integrity is the accuracy and completeness of information and assets and the authenticity of transactions. Availability is the accessibility of systems, programs, services and information to authorized users when needed and without undue delay.

Computer security can be divided into four operational categories:
- Prevention Operations;
- Detection Operations;
- Response Operations; and
- Recovery Operations.

Figure 1 – Security Operations

Preventative Operations

Preventative operations are all the activities performed to prevent the compromise of the confidentiality, integrity and availability of all the information that is processed, stored and transmitted using a computer. Prevention activities range from creating an information security policy to conducting user training sessions to implementing technical solutions such as access controls or firewalls.
Detection operations

Detection operations are all the activities performed to detect the compromise or attempted compromise of the confidentiality, integrity, and availability of all the information that is processed, stored and transmitted using a computer. Detection activities range from compliance inspections to whistle-blowers to implementing technical solutions such as Intrusion Detection Systems or Integrity Assurance Software.

Response operations

Response operations are all the activities performed to respond to the compromise or attempted compromise of the confidentiality, integrity, and availability of all the information that is processed, stored and transmitted using a computer. Response activities range from unplugging the network cable to blocking an IP address at the firewall.

Recovery operations

Recovery operations are all the activities performed to recover the confidentiality, integrity, and availability of the information that is processed, stored and transmitted using a computer after a compromise. Recovery operations range from initiating the Business Continuity or Disaster Recovery Plan to conducting user awareness sessions to implementing technical solutions such as disk mirroring or automated backups.

Computer Security Incident

The next step is to learn what it is exactly we are responding to, and as the name suggests, we are responding to computer incidents. So let's define exactly what constitutes a computer security incident.

Computer Security Incident: A Computer Security Incident is an adverse event that negatively impacts the confidentiality, integrity and availability of information that is processed, stored and transmitted using a computer.
Although they may not always be readily apparent, a computer incident has the following characteristics:

- The attacker or attack origin;
- The tool used;
- The vulnerability exploited;
- The actions performed;
- The intended target;
- The unauthorized result; and
- The attack objective.

Categories and Types of Security Incidents

The following table from the Incident Cost and Modelling Project outlines some possible categories and types of security incidents.

Category                    Types
Service Interrupts          Denial of Service; Mail Bomb; Ping Attacks; Multiple Request Attack
Computer Interference       Root Compromise; Packet Floods; IRC Bots; Virus Infections
Unauthorised Access         Port Scans; System Mapping; System Probe; Identity Theft; Unauthorised Release of Data; Theft or Modification of Data
Malicious Communication     Threats; Hate Mail; Harassment Mail; IRC Abuse; Flaming directly to Individual
Copyright Violation         MP3; Warez Sites; Video; Content Violation
Theft                       Physical Theft of Hardware and Peripherals; Theft of Software; ID Theft; Credit Card Theft; Password Theft
Commercial Use              Unauthorized Commercial Activity
Unsolicited Bulk Email      Spam; Chain Mail; Mass Mail
Other Illegal Activities    Child Pornography

Table 1 – Categories and Types of Incidents [1]

Computer Security Incident Response

With a computer security incident defined, it is fairly easy to then define computer security incident response.

Computer Security Incident Response: Computer Security Incident Response is the set of activities performed in response to a Computer Security Incident.
Now, hopefully with a better understanding of how and where Computer Security Incident Response fits into the whole computer security picture, it is time to look at the Computer Security Incident Response Team.

[1] Committee on Institutional Cooperation. Incident Cost and Analysis Modelling Projects (ICAMP) II.

Defining a CSIRT

CSIRT Defined

A Computer Security Incident Response Team (CSIRT) is a prearranged group, comprised of personnel with expertise from various facets within an organisation, prepared to deal with the response activities related to computer security incidents for a defined constituency.

It is important to note that for the purpose of this paper, prevention activities are not the responsibility of the CSIRT, though in some organisations this may not be the case. In addition, detection and recovery activities are not the direct responsibility of the CSIRT but are not entirely removed from its operation.

CSIRT Acronyms

A CSIRT can go by other names and acronyms including but not limited to:

Acronym    Name
CIRT       Cyber or Computer Incident Response Team
CERT       Cyber or Computer Emergency Response Team
CIRC       Cyber or Computer Incident Response Capability
CERC       Cyber or Computer Emergency Response Capability
SIRT       Security Incident Response Team
SERT       Security Emergency Response Team
SIRC       Security Incident Response Capability
SERC       Security Emergency Response Capability
IRT        Incident Response Team
ERT        Emergency Response Team
IRC        Incident Response Capability
ERC        Emergency Response Capability

Table 2 – CSIRT Acronyms

CSIRT Goal
The overall goal of the CSIRT is to maintain the security service triad of confidentiality, integrity, and availability of electronic information and information technology assets in response to computer security incidents.

CSIRT Objectives

The objectives of the CSIRT are:

1. Define the incident response policies, procedures and services provided.
2. Create an incident reporting capability.
3. Handle the incident:
   a. Identify the incident;
   b. Contain the incident; and
   c. Eradicate the incident.
4. Recover from the incident:
   a. Determine the cause of the incident;
   b. Repair the damage; and
   c. Restore the system.
5. Investigate the incident:
   a. Identify the cause;
   b. Collect evidence; and
   c. Assign blame.
6. Assist in the prevention of a reoccurrence of the incident.

The Need for a CSIRT

Computer Security Incident Response is not an option. No matter how well protected an organisation is, there is no such thing as zero risk, even with trained personnel, proper technology and tested procedures. It is impossible to accurately and consistently predict the type, frequency or severity of attacks. Vulnerabilities are published at an ever-increasing rate, and as the complexity of technology increases, so does the likelihood that the number of vulnerabilities will increase in turn. The nature of computers and networking is increasing the initial threat base and introducing new motivations and capabilities that did not previously exist. The result is that computer security incidents will occur.

There is an entire security operational phase dedicated to detection.
Numerous detection mechanisms, technological, human, and procedural, exist and are often employed, but it makes little sense to put intrusion monitoring and detection mechanisms in place if there is no plan to deal with the intrusions when they occur.

Benefits

There are numerous benefits, spanning various quantifiable and qualifiable categories, that the existence of a CSIRT provides to an organisation. Benefits include such areas as:

Economic

The existence of a CSIRT often reduces the amount of staff and staff time required to handle an incident compared to not having a CSIRT. This translates to less time required by the incident handlers to manage the incident and reduces the amount of lost productivity of the workers affected by the incident. As the age old adage professes: time is money. The less time wasted handling incidents, the less spent on the costs of the incident handlers and the smaller the loss to productivity. This is all in addition, of course, to lost revenue, cost of damages and any insurance deductible.

Public Relations

News of incidents can severely damage an organisation's reputation, but efficient handling minimises the potential for negative exposure. The existence of a CSIRT demonstrates that an organisation is taking the responsibility of incident handling seriously. In addition, a CSIRT will usually have communication procedures in place to deal specifically with communicating the proper information to the proper audiences. This will help dispel rumours and ensure only factual information is reported to audiences such as employees, the public, the press, the shareholders, other organisations or the authorities.

Legal
Legal responsibilities are changing as the industry matures and may soon place the onus on organisations to secure their networks and stop attacks originating from them as the result of an attack, also known as downstream liability. A CSIRT may become a necessity to comply with government regulations. A CSIRT will also help deal with any liability issues that may arise due to the distribution of information, whether correct or erroneous, on attacks involving other organisations or on product vulnerabilities.

Return on Investment

The return on investment (ROI) of a CSIRT is not a straightforward or easily calculated number, but just as with the return on security investment (ROSI), with a little effort it can be determined. In short, a CSIRT doesn't make money but rather focuses on reducing the losses due to the occurrence of an incident by containing, eradicating, and recovering from it as quickly and efficiently as possible. The earlier the incident is contained, the lower the chances of widespread damage. Additionally, a shorter recovery period translates into a reduction in the amount of lost productivity.

Annual Loss Expectancy

To determine the costs of security incidents, we must first examine the Annual Loss Expectancy (ALE) of security incidents. The ALE of a security incident is the amount of losses in dollars multiplied by the likelihood of the loss occurring multiplied by the number of times it is likely to happen over the course of a year. This gives us the calculation:

ALE of security incidents = Loss ($) x Likelihood (%) x Frequency (#)

This is where incident costing comes into play. Incident costing will be examined in further detail later in the paper.
Two types of costs exist when dealing with security incidents: quantifiable costs, such as the wages of the incident handlers, and qualifiable costs, such as loss to reputation. In addition, these cost categories can be divided into costs incurred responding to and repairing damages resulting from the incident, and costs associated with lost productivity and non-realised revenue.

This calculation needs to be performed for each type of incident. This will help identify what types of security incidents result in the largest losses. This may be the area of focus when defining the services the CSIRT will provide.

Savings Provided by a CSIRT

Determining the savings provided by a CSIRT for a particular organization requires a little research work combined with some educated guessing. You need to build some numbers. It will require looking at how the amount of damage increases over time. With certain incidents, such as viruses, damage can grow exponentially over time. With other types of incidents damage will grow at a steady rate. What needs to be determined is the difference in containment, eradication, and recovery time a CSIRT provides versus not having a CSIRT. This will translate into the savings in terms of the reduction in damage to the system and reduced lost productivity.

Cost of a CSIRT

The costs of building and operating the CSIRT need to be examined. The costs will depend on the number and types of services provided, as well as the size of the constituency they are provided to. This will help identify which services will cost the most to provide to which constituencies, and in turn help focus which services should be provided and to which constituency.
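To make the cost reasoning above concrete, here is an added Python example (it is not from the paper or from SANS) that builds the per-incident loss from the components the paper names (handler and idle-worker wages with overhead, damage, non-realised revenue, the insurance deductible), evaluates the paper's ALE formula for each incident type with and without a CSIRT, models damage that grows exponentially (a virus) or at a steady rate, and nets the CSIRT's own operating cost off the savings. Every incident profile, dollar figure, growth rate and the $60,000 CSIRT cost is constructed for illustration.

```python
"""Incident costing, Annual Loss Expectancy (ALE) and CSIRT savings, as a
worked model of the paper's formulas. Added example; every profile, dollar
figure and growth rate below is constructed, not taken from the paper."""
from dataclasses import dataclass
from typing import List


@dataclass
class IncidentProfile:
    """Inputs needed to cost one type of incident."""
    name: str
    handler_hours: float        # hours the incident handlers spend
    handler_rate: float         # hourly wage of a handler ($)
    idle_workers: int           # people prevented from working
    worker_rate: float          # hourly wage of an idle worker ($)
    overhead: float             # wage overhead (insurance, sick leave, ...) as a fraction
    base_damage: float          # damage ($) at the moment of compromise
    growth: float               # per-hour growth factor (see damage_after)
    exponential: bool           # True: damage multiplies each hour (virus); False: steady rate
    lost_revenue_per_hour: float
    deductible: float           # insurance deductible ($)
    likelihood: float           # probability the loss occurs (0-1)
    frequency: float            # expected occurrences per year
    hours_without_csirt: float  # containment + recovery time with no CSIRT
    hours_with_csirt: float     # the same time with a CSIRT


def damage_after(hours: float, base: float, growth: float, exponential: bool) -> float:
    """Damage ($) once the incident has run for `hours` before containment."""
    if exponential:
        return base * growth ** hours       # grows like a spreading virus
    return base * (1.0 + growth * hours)    # grows at a steady rate


def loss_at(p: IncidentProfile, hours: float) -> float:
    """Quantifiable loss ($) of one occurrence contained after `hours`:
    wages with overhead (the paper's who / how long / at what rate questions),
    damage, non-realised revenue and the deductible."""
    wages = (p.handler_hours * p.handler_rate
             + p.idle_workers * hours * p.worker_rate) * (1.0 + p.overhead)
    return (wages + damage_after(hours, p.base_damage, p.growth, p.exponential)
            + p.lost_revenue_per_hour * hours + p.deductible)


def ale(loss: float, likelihood: float, frequency: float) -> float:
    """ALE = Loss ($) x Likelihood (%) x Frequency (#), as the paper states it."""
    return loss * likelihood * frequency


def ale_without_csirt(p: IncidentProfile) -> float:
    return ale(loss_at(p, p.hours_without_csirt), p.likelihood, p.frequency)


def ale_with_csirt(p: IncidentProfile) -> float:
    return ale(loss_at(p, p.hours_with_csirt), p.likelihood, p.frequency)


def savings_provided(profiles: List[IncidentProfile]) -> float:
    """Annual reduction in expected loss from the CSIRT's faster response."""
    return sum(ale_without_csirt(p) - ale_with_csirt(p) for p in profiles)


def actual_savings(profiles: List[IncidentProfile], csirt_annual_cost: float) -> float:
    """Actual Savings = Savings Provided - Cost of Building and Operating."""
    return savings_provided(profiles) - csirt_annual_cost


def ranked_by_ale(profiles: List[IncidentProfile]) -> List[str]:
    """Incident types by expected annual loss without a CSIRT, largest first:
    the paper's cue for where the CSIRT's services should focus."""
    return [p.name for p in sorted(profiles, key=ale_without_csirt, reverse=True)]


# Constructed sample profiles.
VIRUS = IncidentProfile(
    name="virus outbreak", handler_hours=40, handler_rate=60, idle_workers=50,
    worker_rate=30, overhead=0.25, base_damage=1024, growth=1.5, exponential=True,
    lost_revenue_per_hour=500, deductible=0, likelihood=0.5, frequency=4,
    hours_without_csirt=8, hours_with_csirt=2)
PORT_SCAN = IncidentProfile(
    name="port scan", handler_hours=2, handler_rate=60, idle_workers=0,
    worker_rate=30, overhead=0.25, base_damage=100, growth=0.1, exponential=False,
    lost_revenue_per_hour=0, deductible=0, likelihood=0.9, frequency=50,
    hours_without_csirt=24, hours_with_csirt=4)
SAMPLE = [VIRUS, PORT_SCAN]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.name}: ALE without CSIRT ${ale_without_csirt(p):,.2f}, "
              f"with CSIRT ${ale_with_csirt(p):,.2f}")
    print("focus order:", ranked_by_ale(SAMPLE))
    print(f"actual savings with a $60,000/yr CSIRT: ${actual_savings(SAMPLE, 60000):,.2f}")
```

The point the numbers make is the one the paper argues: the virus profile, whose damage compounds hourly, dominates both the ranking and the savings, so shaving its containment time from eight hours to two is where a CSIRT earns its budget, while the frequent but cheap port scans contribute little either way.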
Actual Savings of a CSIRT

The cost of building and operating the CSIRT for a particular service and constituency should be weighed against the overall savings it provides. This gives us the calculation:

Actual Savings of a CSIRT = Savings Provided – Cost of Building and Operating

CSIRT ROI

The ROI of a CSIRT is a calculable number, which will vary according to the services provided and the constituency they are provided to. It translates not into a positive gain for an organization but rather a reduction in the losses.

Facts and Statistics

The following list of facts and statistics is by no means meant to be all-inclusive and is merely for the purpose of further illustrating the necessity of the CSIRT within the organisation. They are of excellent use in support of a business case in favour of creating a CSIRT.

- Over time the level of knowledge required to attack has decreased, while the attack complexity and the potential level of damage have increased.
- Carnegie Mellon's CERT Coordination Centre (CERT/CC) illustrates that the number of reported cyber incidents has increased from six in 1988 to eighty-two thousand in 2002.
- The time required for malicious code to spread to a point where it can do serious infrastructure damage halves every eighteen months.
- The speed with which an organisation can recognise, analyse, and respond to an incident will limit the damage and lower the cost of recovery. [2]
- Results from the Computer Security Institute (CSI) seventh annual "Computer Crime and Security Survey":
  - Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months.
  - Twenty-five percent (25%) of those acknowledging attacks reported from two to five incidents. Thirty-nine percent (39%) reported ten or more incidents.

[2] CERT/CC: Computer Incident Response Team FAQ.

Roles and Responsibilities of a CSIRT

The roles and responsibilities of the CSIRT need to be clearly outlined, and the services the CSIRT provides need to be clearly defined and understood by both the CSIRT itself and its constituency. It is essential to define services, service levels, and the constituency they will be provided to. The exact functions of the CSIRT will vary depending on the organisational resources and requirements for information protection. If resources are lacking in the requisite expertise, then outsourcing or additional funding may be required, or the services may have to be limited.

The activities performed by the CSIRT can be divided into two categories: real-time incident response activities and non-real-time incident response activities. Non-real-time incident response activities can be subdivided into pre-incident and post-incident activities.

Non-Real-Time Incident Response Activities - Pre-Incident Activities

In order for a CSIRT to be effective and successful in its response activities, a good deal of preparation is required. Issues such as what services will be provided, to which constituency, under what authority and at what cost to whom need to be determined prior to handling an incident. There are a number of activities that can be performed, including creating a charter, policy, incident reporting procedures, incident tracking and handling procedures, and incident costing.
When the legwork is handled prior to the onset of an incident, the handling of the incident is more structured and likely to have a more positive outcome. It is wise to adhere to the age old adage, "an ounce of prevention is worth a pound of cure".

Charter

The first piece of work that needs to be tackled is writing a CSIRT project charter. The charter will address issues such as the mission statement, the types of incidents addressed, the services provided, the constituency, the authority and the funding.

The mission statement should define the core activities of the CSIRT. It should also clearly outline the overall goals and objectives. Refer to the 'Defining a CSIRT' section of this paper for more information on the goals and objectives of a CSIRT. In addition, it should align with your organization's security policy.

The types of incidents that the CSIRT will address must also be outlined. Refer to the 'Background' section of this paper for examples of categories and types of computer security incidents.

In addition to the types of incidents that the CSIRT will respond to, the actual services that will be provided for each one should be listed. It is essential that there are clearly defined services for each type of incident to eliminate ambiguity.

In addition to the services that will be provided, the service levels that accompany them should be stated. Include the hours of operation and levels of support. Is this a 24-7 capability, or are incidents handled with one service level during working hours and another service level for evenings and weekends?

Next is the issue of the constituency. To whom will these services be provided?
For small organisations this may not be an issue, but for large organisations a perimeter will need to be established based on boundaries such as:

- Geographical location;
- Organisational Group or Division; or
- Organisational function.

The next issue that the charter should address is that of authority. The CSIRT authority must be granted by management and clearly outlined in the security policy.

Finally the issue of funding needs to be addressed. Where will the CSIRT receive the budget it requires to provide its services? The services could be charged out proactively, like insurance, where in order to operate you must pay a premium, or reactively, by attempting to recover costs from the party responsible for the cause.

Policy

In order to eliminate any ambiguity that may arise, it is necessary to have clearly defined security policies, based on or in adherence to acts and laws, which map to procedures and standards. Simply stated, a policy is the rule, and a standard or procedure is how to acceptably perform the process or function in adherence to the rule.

The first step is to research the laws of the country or region in which the organisation is operating. It is a good idea to refer to legal counsel for input. Any policy an organisation writes, whether a security policy or not, must adhere to these. In addition, the organisation's policies must comply with industry regulations. International and multinational organisations need to consider the legal and cultural differences of the areas in which they operate.

The main policy of importance with respect to incident response is the security policy. A complete security policy should address topics such as access to information, information storage and disposal, and communication. If they are
not currently addressed in the security policy, they will need to be addressed prior to or during the construction of the CSIRT. Other policies, should they exist within the organisation, include the incident reporting policy, which should encourage an open reporting environment, and the incident response policy, which should differentiate between human error and malicious intent.

The legal department should review all policies prior to putting them in place. With respect to the computer incident response policy, the legal department should be consulted at the very least on the liability issues. Issues of importance include downstream liability, liability for the distribution of information, and liability due to monitoring. Downstream liability deals with when a compromised computer damages another computer. Liability for the distribution of information, whether the information was correct or erroneous, includes activities such as distributing information on an attack involving another organisation or publishing product vulnerabilities. Liability due to monitoring deals with whether you must inform users of monitoring or of any changes in monitoring practices.

Incident reporting procedures

In order for a CSIRT to respond to an incident, there must be a mechanism in place to notify it that an incident has occurred, is occurring, or will occur.

The first step is to determine a Point of Contact (PoC) responsible for the coordination of receiving reports and notifying the CSIRT.

Reports can be received from a number of different sources, both human and non-human. Incidents may be reported through the real-time or non-real-time review of logs from an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS) or firewalls. Employees of affected systems may report an incident or a symptom of an incident. Whistleblowers may report something they have witnessed or heard.
Outsiders, such as other organisations or, in some cases, the attackers themselves, may report the incident.

In order to ensure the efficient and timely notification of the CSIRT, accurate and up-to-date contact information should be kept. The primary method of contact should be indicated, and the CSIRT contact information should include:

- Telephone number;
- Facsimile number;
- Electronic mail address;
- Web site;
- Mailing address; and
- Additional information:
  - Operating hours;
  - Time zone; and
  - Team members.

Incident awareness and incident reporting awareness programs should be engaged. Users should be made aware of symptoms that may constitute an incident and encouraged to report incidents without fear of reprisal.

Some of the possible symptoms of an incident are listed in the following table, which has been divided into two categories, obvious and discrete:

Obvious                  Discrete
Web Defacement           New, modified or deleted User Accounts
Unauthorized access      New, modified or deleted files
System Crash             Anomalies
                         Suspicious or unexplained activity

Table 3 – Incident Symptoms

Incident information tracking and handling procedures

In order to maintain control over all the information regarding the incident and reduce any possible confusion, it is a good idea to create an incident ticket.

Tickets must have a unique identification number. In the case of multiple tickets opened pertaining to the same incident, designate one the master and the subsequent ones the dependents, providing links between them.

Tickets should capture all the incident information. Everything should be documented, including the date and time and where it was reported. If it was reported by a person, include their name, location, and contact information.
If it was reported by an automated system, include the hardware manufacturer, operating system type and version, the name of the host, the physical location of the host, the network address and the MAC address. This information should be collected for both the reporting system and the affected system. Another important piece of information that should be kept up-to-date is the status.

Handoff procedures should be determined for when tickets are transferred between individuals or departments. Part of these procedures should include escalation and de-escalation procedures.

Finally, track all time spent on CSIRT activities by all parties. This should be done at regular intervals to ensure accurate reporting.

Costing an Incident

Unfortunately costing an incident is not an exact science, but with a little effort a reasonably accurate amount can be determined. The Incident Cost Analysis Modelling Project, or ICAMP, has provided some excellent insight into costing methodologies.

To cost an incident, both the quantifiable and qualifiable costs must be included. Additionally, not only do the actual losses need to be considered, but also the lost opportunity for gains. What this means is, all other factors equal, if you have one of only two web sites that sell widgets and your web site becomes unavailable for a time period, customers are likely to purchase their widgets from the other web site. So the sales you would have normally realised during that time period, the gains, are lost or not gained.

When trying to cost an incident there are several considerations. There is the cost of damages, the cost of the wages of incident handlers and those prevented from working, lost revenue, loss to reputation and the insurance deductible.

The wages of both the incident responders and the people prevented from working must be counted. There are a number of questions you will need to ask:

- Who worked on responding to or investigating the incident?
- How many hours did each of them spend?
- How many people were prevented from working because of the incident?
- How much productive time did each of them lose?
- How much do you pay each of those people to work for you?
- How much overhead do you pay (insurance, sick leave, etc.) for your employees? [3]

Lost revenue again deals with non-realised gains. Data can be extrapolated from the current revenue stream and compared against industry trends.

Loss to reputation is difficult to quantify but can result in the loss of current and potential clients.

Other considerations are lost contracts or bids, penalties for delays in payments or projects, or lawsuits for breach of contract.

[3] Dittrich, David A. Developing an Effective Incident Cost Analysis Mechanism.

Real Time Incident Response Activities

Real time incident response activities deal with the actual handling and response measures taken once the incident has occurred. First and foremost, the protection of human life and safety takes precedence over everything.

The figure below outlines, sequentially, the categorised activities performed by the different functional areas or groups during the handling of an incident. Every organisation is distinct in its structure and the division of the roles and responsibilities. Incident handling is made up of identifying the incident, containing the incident, and eradicating the incident, and is handled by the CSIRT. Incident recovery includes identifying the damage, repairing the damage, and restoring the systems. The Business Continuity Planning or Disaster Recovery Team usually performs the recovery activities.
The incident investigation is comprised of activities to identify the cause of the incident, collect evidence, and assign blame. The Security Team usually performs the investigative activities. The IT Security Team performs incident reoccurrence prevention. During the incident restitution activities, the decision of whether to seek reparation for any damages or losses suffered needs to be made by management with input from the legal department or legal counsel. Finally, the incident communication activities, handled by a communications team, include the various internal and external communications.

Figure 2 – Incident Response Flow

Incident Handling

The Incident Handling phase is handled by the CSIRT and is divided into three stages: identifying the incident, containing the incident, and eradicating the incident.

Incident Identification

Identifying the incident is comprised of a number of activities. The first step is to determine whether it is an actual incident or simply perceived. This requires that the incident report be verified. It also needs to be determined whether this is the first report or a duplicate report. How to handle duplicate reports should be laid out in the tracking and handling procedures.

Next, it should be determined whether it is a security incident or a non-security incident, to determine whether it falls under the jurisdiction of the CSIRT. The types of incidents qualified as security incidents should be indicated in the CSIRT policies. The scope of the incident needs to be determined by uncovering what has been affected.
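The ticket procedures described earlier (a unique number, master and dependent links, the reporter's details, a status that is kept current, handoff with escalation, and time logged by every party) and the identification checks just described (is it a real incident, a first report or a duplicate, within the CSIRT's jurisdiction, and what is its scope) fit together in a small register. The following Python is an added example and not the paper's own procedure: the field names, status strings, the set of incident types treated as in-jurisdiction, and the three sample reports are all constructed.

```python
"""Incident ticket register with the identification checks the paper lists.
Added example: field names, status values, the policy set and the sample
reports are constructed, not taken from the paper."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed policy: incident types the CSIRT charter puts in its jurisdiction.
SECURITY_INCIDENT_TYPES = {"virus infection", "root compromise", "port scan", "web defacement"}


@dataclass
class Reporter:
    kind: str        # "person" or "system" (IDS, IPS, firewall)
    name: str        # person's name, or host name of the reporting system
    location: str
    detail: str      # person: contact info; system: OS version, IP, MAC


@dataclass
class Ticket:
    ticket_id: int                    # unique identification number
    opened_at: datetime
    incident_type: str
    affected_hosts: List[str]         # scope: what has been affected
    reporter: Reporter
    status: str = "reported"
    owner: str = "point-of-contact"
    escalation_level: int = 0
    master_id: Optional[int] = None   # set on a dependent (duplicate) ticket
    dependents: List[int] = field(default_factory=list)
    time_log: Dict[str, float] = field(default_factory=dict)  # party -> hours


class TicketRegister:
    DUPLICATE_WINDOW = timedelta(hours=24)   # constructed duplicate rule

    def __init__(self) -> None:
        self.tickets: Dict[int, Ticket] = {}

    def open(self, now: datetime, incident_type: str, hosts: List[str],
             reporter: Reporter) -> Ticket:
        """Open a ticket; link it as a dependent of an open master that covers
        the same incident type on an overlapping host within the window."""
        t = Ticket(len(self.tickets) + 1, now, incident_type, list(hosts), reporter)
        for other in self.tickets.values():
            if (other.master_id is None and not other.status.startswith("closed")
                    and other.incident_type == incident_type
                    and set(other.affected_hosts) & set(hosts)
                    and now - other.opened_at <= self.DUPLICATE_WINDOW):
                t.master_id, t.status = other.ticket_id, "duplicate"
                other.dependents.append(t.ticket_id)
                break
        self.tickets[t.ticket_id] = t
        return t

    def identify(self, ticket_id: int, verified: bool) -> str:
        """Identification: actual or perceived? duplicate? in jurisdiction?"""
        t = self.tickets[ticket_id]
        if t.master_id is not None:
            return t.status                      # handled through the master
        if not verified:
            t.status = "closed: not an incident"
        elif t.incident_type not in SECURITY_INCIDENT_TYPES:
            t.status = "referred: non-security"  # outside the CSIRT's remit
        else:
            t.status = "confirmed"
        return t.status

    def handoff(self, ticket_id: int, to_owner: str, escalate: bool = False) -> None:
        """Transfer to another person or department; record any escalation."""
        t = self.tickets[ticket_id]
        t.owner = to_owner
        t.escalation_level += 1 if escalate else 0

    def log_time(self, ticket_id: int, party: str, hours: float) -> None:
        log = self.tickets[ticket_id].time_log
        log[party] = log.get(party, 0.0) + hours

    def total_hours(self, ticket_id: int) -> float:
        """Time spent on a master ticket plus all of its dependents."""
        ids = [ticket_id] + self.tickets[ticket_id].dependents
        return sum(sum(self.tickets[i].time_log.values()) for i in ids)


def run_sample() -> TicketRegister:
    """Constructed reports: an IDS alert, a user's later report of the same
    infection, and a complaint outside the CSIRT's jurisdiction."""
    reg = TicketRegister()
    t0 = datetime(2004, 3, 1, 9, 0)
    ids = Reporter("system", "ids-01", "server room", "Linux 2.4, 192.0.2.10, 00-00-5E-00-53-01")
    user = Reporter("person", "A. Example", "2nd floor", "ext 4411")
    reg.open(t0, "virus infection", ["ws-17"], ids)
    reg.open(t0 + timedelta(minutes=30), "virus infection", ["ws-17", "ws-18"], user)
    reg.open(t0 + timedelta(hours=1), "chain mail", ["mail-01"], user)
    reg.identify(1, verified=True)
    reg.identify(2, verified=True)
    reg.identify(3, verified=True)
    reg.handoff(1, "csirt", escalate=True)
    reg.log_time(1, "csirt", 2.5)
    reg.log_time(2, "helpdesk", 0.5)
    return reg
```

In the sample run the user's report becomes ticket 2, a dependent of the IDS-raised master ticket 1, so the half hour the helpdesk spent on it is counted against the master when the incident is costed; the chain-mail complaint is verified but falls outside the constructed jurisdiction set and is referred rather than confirmed.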
A priority level needs to be assigned to determine the immediate resource requirements. Certain incidents, such as a virus outbreak, may need all necessary resources activated in order for it to be handled immediately to reduce the amount of damage that will occur. Other types of incidents, such as receiving a piece of SPAM mail, will not cause immediate or widespread amounts of damage. As well, prioritising incidents will help an organisation better co-ordinate its resources if it is hit by multiple incidents simultaneously. A simple scale that can be used to prioritise incidents is shown in figure 3 – Incident Prioritization Matrix. The factors it uses to prioritise the incidents are the level of confidentiality of the information and the severity of the damage. Both are measured using a low-medium-high scale, and each individual organisation needs to decide how it will measure them.

Figure 3 – Incident Prioritization Matrix

Once it has been verified that it is an actual security incident, and the initial scope and priority have been assigned, it is time to activate the CSIRT. In some organisations the CSIRT is an operational team, in which case the previous steps would likely have been handled by it, and in others it is a group brought together at the time of an incident. It is absolutely essential that an up-to-date contact list be established and maintained for an emergency situation, such as an incident, where time is of the essence. Procedures should be established for the creation, maintenance, and testing of this contact list. The CSIRT contact list should include entries such as the person's job function, since in larger organisations employees may not know the name of the person to contact, as well as their level of authority.
The employee's name and contact information, including phone numbers (both office and cell), pager number, email, and any other means of contacting the individual must be included. The employee's hours of work and availability should also be included, as they could be outside working hours or away on vacation, and in both cases there may be a backup employee designated to replace him or her. Some additional information that may be included on the contact list is the numbers for contacting emergency services, such as the fire or police departments, or third-party support providers.

Incident Containment

The purpose of containing the incident is simply to limit the extent of the attack. Temporary countermeasures appropriate to the situation should be taken. Some of these can include:

- Change network address;
- Quarantine the affected files or systems;
- Pull the plug, either network or power;
- Change firewall rules;
- Increase the amount of bandwidth;
- Apply system patches;
- Monitor the system or network activity;
- Set traps; or
- Disable certain functions.

Eradicate Incident

Eradicating the incident deals with eliminating the threat from the systems to prevent it from causing further damage. Ensure all the necessary information was collected and that copies were made and tested. Archive bogus files before deleting them. Correct any hardware or software bugs or configuration errors. When dealing with software, ensure the most current anti-virus software is installed and operating. Clean and reformat all the infected media. When making backups, ensure they are clean.

Incident Recovery

The Business Continuity Planning or Disaster Recovery Teams are best suited to handle the recovery activities surrounding an incident.

There are three stages to incident recovery: identifying the damage that has occurred, repairing the damage, and then restoring the system. Integrity assurance software can assist in identifying subtle or hidden changes to a system. Restoring the sys...

Explanation & Answer

Find attached. Kindly go through the work and let me know in case of any question, problem or clarification. If the answer is okay, looking forward to work with you again. Thank you. I have only attached the answer of topic one since the questions are the same and you are not replying to my messages.

Topic: Computer Emergency Response Team

Introduction
Question Analysis
References


1
Running Head: COMPUTER EMERGENCY RESPONSE TEAM

Computer Emergency Response Team
Name
Institution affiliation
Date

Computer Emergency Response Team


Assume you are assisting one of the countries with organizing their CSIRT team.
What recommendations would and operating their team?

Computer Emergency Response Team should have a team that is skilled to ensure they can secure the systems. Cyber security requires skilled personnel who will be responsible for ascertaining the integrity of data. A team tasked with security should be disciplined and accountable for their actions hence creating an efficient process to secure a country from cyber insecu...

