Lec 04 A Gb757incidentresponse 140925201019 Phpapp01

Creative Commons License: You are free to share and remix, but you must provide attribution and you must share alike.

Incident Response

Michael McDonnell
GIAC Certified Intrusion Analyst
michael@winterstorm.ca
Incident Response Overview

1. Events and Incidents
2. Response vs Handling
3. Process and Capability
4. Questions
Incidents are Events

Any real or suspected adverse event related to information systems

A violation of existing information security policy
Security Incidents are Common

Incidents are… Viruses
Incidents are… Hackers
Incidents are… Vandalism
Incidents are… Theft
Incidents are… Data Loss
Incidents are… “Outages”
Incidents are… Espionage
Incidents are not… Disasters (maybe)
Incidents are… Continuous
Incident Response is a Capability

1. Events: Monitor and Detect
2. Incidents: Identify and Analyze
3. Actions: Contain and Correct
4. Lessons: Learn and Improve
Incident Response is…

A Process that manages risk associated with information systems

A Capability of an organization to respond to continuous security threats
Incident Response vs Handling

Strategic vs Operational
Continual vs Discrete
Process vs Action
Improvement vs Remediation
Incident Response is…

Systematic
Consistent
Fast & Efficient
Driver for Improvement
Authoritative/Empowered
Sensitive/Confidential
Documented
Incident Response Teams

Supported by Management
Cross-functional
Well Trained
Good Communicators
Technical Experts
Well Equipped
Have Broad Access
Incident Response is a Process

1. Preparation: Be Prepared
2. Detection and Analysis: Be Systematic & Organized
3. Containment/Mitigation: Act Quickly
4. Recovery: Fix the Problem
5. Post-Incident Analysis: Make Improvements
Preparation: Training
Preparation: Communications
Preparation: Hardware & Software
Preparation: Continuous Monitoring
Preparation: Analysis & Mitigation
Detection & Analysis

Different threats require different responses

Incident Categories:
1. Denial of Service
2. Malicious Software
3. Unauthorized Access
4. Inappropriate Usage
5. Hybrid

Detection:
• How was it detected?
• Is it really an incident or an unusual event?
• Can it be confirmed?

Analysis:
• What is at risk? (“System Profile”)
• What is normal for that system?
• Correlate events for more information
• Carefully record and document data
Diagnosis Matrix

Extremely helpful for inexperienced or ad-hoc incident handlers.

Part of diagnosis means seeking help from others:
• Sysadmins for knowledge of normal system operations
• Managers for knowledge of impact
Incident Documentation

Begin as soon as an incident is suspected

Include:
• System events
• Telephone conversations
• Observed or initiated changes
• Note the current status frequently with timestamps.

At any given moment:
• Current status and priority
• Summary of incident
• Actions taken by handlers
• Contact information for other parties
• List of evidence gathered
• Comments for other handlers
• Next steps to be taken
Incident Priority: Effect & Criticality
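The documentation slide above lists what a handler's log must capture and what must be readable at any given moment. The following is an added example (not from the original slides) of a minimal append-only incident log that enforces UTC timestamps on every entry, records status and priority changes as entries themselves, and reports which of the "at any given moment" items are still missing; the entry kinds, the `IncidentLog` class and the priority labels are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Entry kinds taken from the slide: system events, telephone conversations,
# observed/initiated changes, timestamped status notes, comments for handlers.
ENTRY_KINDS = ("event", "call", "change", "status", "comment")


@dataclass
class IncidentLog:
    summary: str                       # one-line summary of the incident
    status: str = "suspected"          # logging begins as soon as suspected
    priority: str = "unassigned"       # assumed labels, e.g. low/medium/high
    entries: list = field(default_factory=list)   # (ts, kind, handler, text)
    contacts: dict = field(default_factory=dict)  # other parties involved
    evidence: list = field(default_factory=list)  # evidence gathered so far
    next_steps: list = field(default_factory=list)

    def add(self, kind, handler, text, when=None):
        """Append-only: an entry is never edited, only added with a UTC stamp."""
        if kind not in ENTRY_KINDS:
            raise ValueError(f"unknown entry kind {kind!r}")
        ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        self.entries.append((ts, kind, handler, text))

    def set_status(self, status, priority, handler, when=None):
        """Status changes are logged as entries, so the history stays recoverable."""
        self.status, self.priority = status, priority
        self.add("status", handler, f"status={status} priority={priority}", when)

    def actions_taken(self):
        return [(ts, h, t) for ts, kind, h, t in self.entries if kind == "change"]

    def missing_fields(self):
        """Items from the 'at any given moment' list that are still empty."""
        checks = {"priority": self.priority != "unassigned",
                  "actions": bool(self.actions_taken()),
                  "contacts": bool(self.contacts),
                  "evidence": bool(self.evidence),
                  "next_steps": bool(self.next_steps)}
        return [name for name, ok in checks.items() if not ok]

    def snapshot(self):
        """The view a relieving handler needs: current state plus what is missing."""
        return {"status": self.status, "priority": self.priority,
                "summary": self.summary, "actions": self.actions_taken(),
                "contacts": self.contacts, "evidence": self.evidence,
                "next_steps": self.next_steps, "missing": self.missing_fields()}
```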
Incident Containment & Mitigation

Identify and block the attacker
Patch the system
Take the system offline
Upgrade software
Restore from backup
Reboot

It is key to consult external databases for advice, and data about the type of attack, the attacker, the problem, and its solution.
Incident Post-Mortem

Incident Response is a driver for improvements in information security, so it is critical to conduct a post-incident analysis and report.

• Exactly what happened, and at what times?
• How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
• What information was needed sooner?
• Were any steps or actions taken that might have inhibited the recovery?
• What would the staff and management do differently the next time a similar incident occurs?
• What corrective actions can prevent similar incidents in the future?
• What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
• What Personally Identifiable Information was involved? Is disclosure advised?
Incident Checklist
Incident Reporting

What should you report?
• What happened?
• Why did it happen?
• What was done to correct it?
• What impact did it have?
• What did it cost?
• What could have been done differently?
• How could it have been avoided?
• Is it resolved? What else is needed?
• How likely is it to happen again? How often?
• What is the long term impact?
Information Security is an Outcome

“Our systems are secure from hackers”
“We have blocked 17,342 viruses to date”
“Our systems are all online”
“We are Secure”
“Insiders cannot steal our information”
“We have backups”
Information Security is a Process

“We want to improve security”
“We need to protect against more threats”
“We want to be more Secure”
“We want to reduce risk”
“We want to increase customer confidence”
“We want to decrease the number of compromises”
Defence in Depth lowers Risk
Process leads to Outcome

Firewalls do not make you secure
Anti-virus does not make you secure
Policies do not make you secure
VPNs do not make you secure
Guards do not make you secure
Passwords do not make you secure

Incident Response is a Capability that enables them to make you MORE secure
Questions?

Email:
michael@winterstorm.ca

Slides:
http://winterstorm.ca/download/
