Full Transcript


CHAPTER 7 Incident and Intrusion Response
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com

Learning Objective(s) and Key Concepts
Learning Objective(s)
▪ Describe contingency planning and incident response.
Key Concepts
▪ Disaster recovery
▪ Evidence preservation
▪ Adding forensics to incident response

Disaster Recovery
▪ Steps taken after an information technology-related disaster to restore operations
▪ Forensic techniques may be the best method for determining what caused the disaster and for avoiding a repeat of it
▪ The forensic process begins once an incident has been discovered
▪ It is not fully underway until after the disaster or incident is contained

Disaster Recovery (Cont.)
▪ Incident response plan in place to respond to:
▪ Fire
▪ Flood
▪ Hurricane
▪ Tornado
▪ Hard drive failure
▪ Network outage
▪ Malware infection
▪ Data theft or deletion
▪ Intrusion

Disaster Recovery (Cont.)
Types of Plans
▪ Disaster recovery
▪ Digital forensics
▪ Incident response
▪ Business continuity

Types of Plans
▪ Business continuity plan (BCP): focuses on keeping an organization functioning as well as possible until a full recovery can be made
▪ Disaster recovery plan (DRP): focuses on executing a full recovery to normal operations

Federal Standards for BCPs
▪ NIST 800-34
▪ NFPA 1600
▪ ISO 27001

Business Impact Analysis
▪ A study that identifies the effects a disaster would have on business and IT functions
▪ Studies include interviews, surveys, meetings, and so on
▪ Identifies the priority of different critical systems
▪ Considers maximum tolerable downtime (MTD)

Business Impact Analysis (Cont.)
Maximum tolerable downtime (MTD)
▪ A measure of how long a system or systems can be down before it is impossible for the organization to recover
▪ Related to:
▪ Mean time to repair (MTTR): the average time it takes to repair an item
▪ Mean time to failure (MTTF): the amount of time, on average, before a given device is likely to fail through normal use

Business Impact Analysis (Cont.)
▪ Recovery point objective (RPO): acceptable risk of loss
▪ Recovery time objective (RTO): target time to have everything up and running

Business Impact Analysis (Cont.)
▪ Single loss expectancy (SLE): calculated by multiplying the asset value by the exposure factor
SLE = AV * EF
▪ Annualized loss expectancy (ALE): calculated by multiplying the annual rate of occurrence by the SLE
ALE = ARO * SLE

Describing the Incident
Common Vulnerability Scoring System (CVSS)
▪ Used to classify vulnerabilities
▪ Open industry standard; allows for the scoring of vulnerabilities based on severity
▪ Three groups of metrics: Base, Temporal, Environmental

CVSS: Base Group Metrics
▪ Attack Vector
▪ Attack Complexity
▪ Privileges Required
▪ User Interaction
▪ Scope
▪ Confidentiality Impact
▪ Integrity Impact
▪ Availability Impact

CVSS Metrics
Temporal Metric Group
▪ Exploit Code Maturity
▪ Remediation Level
▪ Report Confidence
Environmental Metric Group
▪ Modified Base Metrics
▪ Confidentiality Requirement
▪ Integrity Requirement
▪ Availability Requirement

Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD)
▪ An effective model for evaluating the impact of an attack
▪ Asks what the likelihood of an attack is and what damage it would cause
▪ A risk rating using five categories:
▪ Damage potential: How much damage would/did an attack cause?
▪ Reproducibility: How easy is it for an attacker to reproduce this attack?
▪ Exploitability: How much effort is required to execute the attack?
▪ Affected users: How many users will be impacted?
▪ Discoverability: How easy is it to discover the threat?

Remote Network MONitoring (RMON)
▪ Standard monitoring specification that allows various network monitors to exchange network monitoring data
▪ Developed by the Internet Engineering Task Force (IETF) to support network monitoring and protocol analysis
▪ Provides a standardized method of classifying network traffic

Mean Squared Deviation (MSD)
▪ Mean square deviation formula (figure)

Mean Percentage Error (MPE)
▪ Mean percentage error formula (figure)

Ishikawa Diagram
▪ Ishikawa diagram (figure)

The Recovery Plan
▪ BIA, recovery plan, DRP, BCP (figure)

The Recovery Plan (Cont.)
▪ Alternate facilities identified?
▪ Alternate equipment identified?
▪ Mechanism in place for contacting all affected parties (employees, vendors, customers, and contractors), even if primary means of communication are down?
▪ Off-site backup of the data exists?
▪ Can the backup be readily retrieved and restored?

Types of Backups
▪ Full: all data
▪ Differential: all changes since the last full backup
▪ Incremental: all changes since the last backup of any type
▪ Hierarchical storage management (HSM): continuous backup

The Post Recovery Follow-Up
▪ After recovery, find out what happened and why (involves forensics)
▪ Was the disaster caused by some weakness in the system?
▪ Negligence by an individual?
▪ A gap in policy?
▪ An intentional act?

Incident Response
▪ Detection
▪ Containment
▪ Eradication
▪ Recovery
▪ Follow-up

Detection
▪ Detect that there is an incident
▪ Identify its basic nature
▪ Identify what systems are affected
▪ Go to containment

Containment
▪ Limit the incident
▪ Prevent it from affecting more systems
▪ Must occur before any other phase

Eradication
▪ Fix vulnerabilities
▪ Example: remove the malware
▪ Perform a comprehensive examination of what occurred and how far it reached
▪ Ensure that the issue was completely addressed
▪ Forensics begins at this stage

Recovery
▪ Involves returning the affected systems to normal status
▪ If malware: ensure the system is back in full working order with no presence of malware
▪ Might need to restore software and data from backup

Follow-Up
▪ Forensics plays a critical role
▪ IT team must determine:
▪ How the incident occurred
▪ What steps can be taken to prevent the incident from reoccurring

Preserving Evidence
▪ An event:
▪ Is any observable occurrence within a system or network
▪ Includes network activity, such as when a user accesses files on a server or when a firewall blocks network traffic
▪ Adverse events have negative results or negative consequences
▪ Example: an attack on a system
▪ Denial of service (DoS) attacks
▪ Unauthorized access
▪ Malicious code
▪ Inappropriate usage

Preserving Evidence (Cont.)
▪ Recovery is often performed at the expense of preserving forensic evidence
▪ Forensic data is key to preventing future incidents
▪ Failure to preserve forensic information:
▪ Prevents the IT team from effectively evaluating the cause of the incident
▪ Makes it difficult to modify company policies and procedures to reduce risk

Adding Forensics to Incident Response
▪ Identify forensic resources the organization can use in case of an incident
▪ Identify an outside party that can respond to incidents with forensically trained personnel
▪ Weave forensic methodology into the organization's incident response policy
▪ Provide appropriate training to staff for preserving evidence

Summary
▪ Disaster recovery
▪ Evidence preservation
▪ Adding forensics to incident response
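As an added example (not part of the slide deck), the following Python models the Types of Backups and RPO slides: given a backup schedule and the time of a failure, it works out which backup sets must be restored, in order, and whether the data loss window stays within the recovery point objective. It generalizes the slide's definitions to mixed schedules (a differential followed by incrementals). The schedule dates and the 24-hour RPO are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Backup:
    kind: str           # "full", "incremental" or "differential"
    taken_at: datetime

def restore_chain(backups, target):
    """Ordered backup sets needed to rebuild the newest state at or before target.
    Full = all data; differential = changes since the last full backup;
    incremental = changes since the last backup of any type (each one is replayed)."""
    usable = sorted((b for b in backups if b.taken_at <= target),
                    key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup before target: nothing to restore from")
    chain = [fulls[-1]]
    later = [b for b in usable if b.taken_at > chain[0].taken_at]
    diffs = [b for b in later if b.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])   # the newest differential supersedes older ones
    # Incrementals taken after the last set already in the chain carry changes
    # nothing else in the chain contains, so every one of them is replayed.
    chain += [b for b in later
              if b.kind == "incremental" and b.taken_at > chain[-1].taken_at]
    return chain

def rpo_met(chain, target, rpo_hours):
    """Data loss is the gap between the newest restorable state and the failure."""
    return target - chain[-1].taken_at <= timedelta(hours=rpo_hours)

# Constructed schedules: full backup on Sunday 00:00, then one backup every night.
SUNDAY = datetime(2022, 1, 2)
def weekly(kinds):
    return [Backup("full", SUNDAY)] + [
        Backup(kind, SUNDAY + timedelta(days=d)) for d, kind in enumerate(kinds, 1)]

INCREMENTAL_WEEK = weekly(["incremental"] * 6)
DIFFERENTIAL_WEEK = weekly(["differential"] * 6)
MIXED_WEEK = weekly(["incremental", "differential", "incremental",
                     "incremental", "differential", "incremental"])
FAILURE = SUNDAY + timedelta(days=4, hours=15)   # constructed: Thursday 15:00

if __name__ == "__main__":
    for name, sched in (("incremental", INCREMENTAL_WEEK),
                        ("differential", DIFFERENTIAL_WEEK), ("mixed", MIXED_WEEK)):
        chain = restore_chain(sched, FAILURE)
        print(f"{name}: {len(chain)} sets to restore,"
              f" 24h RPO met: {rpo_met(chain, FAILURE, 24)}")
```

The trade-off the slide implies is visible in the output: nightly incrementals give the smallest backups but the longest restore chain, while differentials restore from just two sets.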
