forensics assignment 13
System Forensics, Investigation, and Response
Lesson 13
Incident and Intrusion Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe incident and intrusion response.
Key Concepts
Disaster recovery
Evidence preservation
How to integrate forensics into incident response
What Is Disaster Recovery?
Steps taken after an information technology-related disaster to restore operations
Forensic techniques may be best method for determining what caused the disaster and for avoiding a repeat of it
Forensic process begins once an incident has been discovered
Is not fully underway until after the disaster or incident is contained
7/3/2017
Incident Response Plan
In place to respond to:
Fire
Flood
Hurricane
Tornado
Hard drive failure
Network outage
Malware infection
Data theft or deletion
Intrusion
Business Continuity, Incident Response, and Disaster Recovery
[Figure: how the four disciplines relate to one another; labels: Digital forensics, Incident response, Disaster recovery, Business continuity]
Types of Plans
Business continuity plan (BCP)
Focuses on keeping an organization functioning as well as possible until a full recovery can be made
Disaster recovery plan (DRP)
Focuses on executing a full recovery to normal operations
Sometimes referred to as an incident response plan (IRP), although NIST SP 800-34 and SP 800-61 treat them as separate plans: the IRP handles the security incident itself, the DRP restores operations afterwards
Types of Plans (Cont.)
In other words:
BCP concerned with maintaining at least minimal operations until organization can be returned to full functionality
DRP focuses on returning to full functionality
Standards for BCPs (Federal and International)
ISO 27001: Requirements for Information Security Management Systems
Annex A.14 of the 2005 edition addresses business continuity management (the 2013 edition moved it to A.17, Information security aspects of business continuity management).
NIST SP 800-34: Contingency Planning Guide for Information Technology Systems (Revision 1 retitled it Contingency Planning Guide for Federal Information Systems)
This contains a seven-step contingency planning process for BCP and DRP projects from the U.S. National Institute of Standards and Technology (NIST).
NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs
This is from the U.S. National Fire Protection Association; it is an industry standard rather than a federal one.
These standards provide a good overview of what should be covered in any business continuity plan, and some, like NIST SP 800-34, also apply to disaster recovery plans. For the purposes of forensic examination, you do not need to be an expert in disaster recovery; a basic overview of the process is sufficient.
Standards for BCPs and IRPs (Cont.)
ISO 27035: Information Security Incident Management
This standard guides you in formulating an incident response plan. It requires a structured and planned approach to detect, report, and assess information security incidents; respond to and manage them; detect, assess, and manage information security vulnerabilities; and continuously improve information security and incident management as a result of handling incidents.
NIST SP 800-61: Computer Security Incident Handling Guide
This guide also helps you form an incident response plan. It organizes incident handling into four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. The containment, eradication, recovery, and follow-up steps later in this lesson map onto the last two of those phases.
Business Impact Analysis (BIA)
A study that identifies the effects a disaster would have on business and IT functions
Studies include interviews, surveys, meetings, and so on
Identifies the priority of different critical systems
Considers maximum tolerable downtime (MTD)
Business impact analysis (BIA) is a process whereby the disaster recovery team contemplates likely disasters and what impact each would have on the organization.
Maximum Tolerable Downtime (MTD)
The longest a system or set of systems can be unavailable before the organization can no longer recover from the outage; the BIA assigns an MTD to each critical system, and the shorter the MTD, the higher that system's restoration priority
Related to:
Mean time to repair (MTTR) – The average time it takes to repair an item
Mean time to failure (MTTF) – The amount of time, on average, before a given device is likely to fail through normal use
The Recovery Plan
Includes BCP and DRP
Based on priorities established in BIA
[Figure: the recovery plan is made up of the BCP and the DRP, both driven by the BIA]
The Recovery Plan (cont.)
Alternate equipment identified?
Alternate facilities identified?
Mechanism in place for contacting all affected parties, employees, vendors, customers, and contractors, even if primary means of communication are down?
Off-site backup of the data exists?
Can backup be readily retrieved and restored?
Types of Backups
Full – Everything, regardless of when it last changed
Differential – All changes since the last full backup
Incremental – All changes since the last backup of any type (full, differential, or incremental)
Hierarchical storage management (HSM) – Continuous migration of data between storage tiers, often described as continuous backup
If you perform only full backups, restore just the last one.
If your backup strategy includes differential backups, restore the last full backup and then only the most recent differential. With incremental backups, restore the last full backup and then every incremental taken since it, in order; a single missing or corrupt incremental breaks the chain from that point on. Verify the hashes of backup media before trusting them, and check that the set you restore predates the compromise, otherwise you restore the attacker's foothold along with the data.
HSM provides continuous online backup by using optical or tape "jukeboxes." It appears as an infinite disk to the system, and can be configured to provide the closest version of an available, real-time backup. Strictly speaking, HSM is tiered storage rather than a backup: a file migrated to tape still exists as only one copy, so an off-site backup is still required.
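The restore ordering described above, as an added worked example (not from the textbook): given a backup schedule, compute which sets must be restored and in what order. It goes slightly beyond the text by handling a mixed schedule, where differentials and incrementals are interleaved after the last full, and by refusing to build a chain that has no full backup at its base. The schedule and its dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Backup:
    kind: str          # "full", "differential" or "incremental"
    taken: datetime    # when the set was written


def restore_chain(backups, target=None):
    """Return the backup sets to restore, in the order they must be applied,
    to reach the newest state at or before `target` (default: the newest set).

    Rules: a differential holds everything since the last full, so only the
    newest differential matters; an incremental holds everything since the
    previous set of any kind, so every incremental after the last full (or
    after the last differential) is needed, in order.
    """
    sets = sorted(backups, key=lambda b: b.taken)
    if target is not None:
        sets = [b for b in sets if b.taken <= target]
    fulls = [i for i, b in enumerate(sets) if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup in range: differential and incremental "
                         "sets cannot be restored on their own")
    start = fulls[-1]                 # everything before the last full is irrelevant
    chain = [sets[start]]
    for b in sets[start + 1:]:
        if b.kind == "differential":
            chain = [chain[0], b]     # supersedes earlier differentials and incrementals
        elif b.kind == "incremental":
            chain.append(b)
        else:
            raise ValueError(f"unknown backup kind: {b.kind!r}")
    return chain


def can_restore(backups, target=None):
    """True if a consistent chain exists for the requested point in time."""
    try:
        restore_chain(backups, target)
        return True
    except ValueError:
        return False


# Constructed schedule (assumed): weekly full on Sunday, mixed sets during the week.
SCHEDULE = [
    Backup("full",         datetime(2017, 7, 2)),
    Backup("incremental",  datetime(2017, 7, 3)),
    Backup("incremental",  datetime(2017, 7, 4)),
    Backup("differential", datetime(2017, 7, 5)),
    Backup("incremental",  datetime(2017, 7, 6)),
]

if __name__ == "__main__":
    for b in restore_chain(SCHEDULE):
        print(f"restore {b.kind:<12} {b.taken:%Y-%m-%d}")
```

For the schedule above the chain is full (7/2), differential (7/5), incremental (7/6); the two Monday and Tuesday incrementals are never touched because Wednesday's differential already contains their changes. Asking for the state as of Tuesday instead yields full, incremental, incremental.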
The Post-Recovery Follow-Up
After recovery, find out what happened and why (involves forensics):
Was disaster caused by some weakness in the system?
Negligence by an individual?
A gap in policy?
An intentional act?
Incident Response
Containment
Eradication
Recovery
Follow-up
Containment
Limit the incident
Prevent it from affecting more systems
The first step is always to limit the impact of the incident. This means keeping it from affecting more systems.
In the case of a virus, the strategy is to keep the virus from spreading. Have a policy in place that instructs users to disconnect their computers from the network and then call tech support if they suspect they have a virus. This contains the virus and prevents it from spreading further. Disconnecting the network cable is preferable to powering the machine off: a power-off destroys volatile evidence (running processes, open network connections, memory-resident malware), whereas an isolated but still-running host can have its memory captured before eradication begins.
The containment path may not be as clear for other incidents. For example, how would you contain a situation where an intruder is getting into the web server? First, you would isolate the web server from the rest of the network. Then you would attempt to prevent further intrusion, perhaps by changing passwords throughout the organization, on the assumption that the intruder might have compromised passwords. Sequence this carefully: reset credentials after the intruder's access path is closed, or they simply harvest the new ones, and record what you did and when, because those actions become part of the evidence timeline.
Although the specifics of containment might vary, the goal does not. Limit the spread of the incident as much as possible. This phase must occur first.
Eradication
Fix vulnerabilities
Example: Remove the malware
Perform comprehensive examination of what occurred and how far it reached
Ensure that the issue was completely addressed
Forensics begins at this stage
Once the incident is contained, the next step is to eradicate the problem. In the case of malware, the issue is simply to remove the malware. The approach is not as clear for other attacks. For example, if the incident is an intruder infiltrating the network via SQL injection, what does eradication entail? The first step is to fix whatever vulnerability allowed the intruder to get in in the first place. In the case of SQL injection, that means correcting the web application code that built queries from unvalidated input (typically by switching to parameterized queries), not merely blocking the attacker's address.
Regardless of the particular incident, eradication needs to be thorough. This means a comprehensive examination of what occurred and how far it reached, to ensure that the issue was completely addressed.
Forensics must begin at this stage. If the vulnerability is simply eradicated, evidence will likely be eradicated along with it. It is imperative that you begin collecting evidence prior to eradicating the vulnerability. This may involve performing the forensic investigation prior to taking any eradication steps. In some cases it may not be possible to keep the systems on hold in order to perform a full forensic investigation. If that is the case, image the drives involved (and, where the system is still running, capture memory first) so that a forensic investigation can be conducted later. Hash the image at acquisition time and record who took it, when, and how, so that it can later be shown to be unaltered.
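A minimal imaging-and-verification routine, added here as a worked example (not from the textbook or from any forensic tool), showing what "image the drives" has to deliver for the image to be usable later: a bit-for-bit copy, a hash of what was read and of what was written, and a chain-of-custody record. In practice you would attach the drive through a hardware write blocker and use a dedicated imager (dd or dc3dd, FTK Imager), but the checks are the same. The sample disk contents, the examiner name, and the /dev/sdb stand-in are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large devices do not exhaust memory


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image_path, log_path, examiner):
    """Bit-for-bit copy of `source` (a block device or file, opened read-only)
    to `image_path`, hashing the bytes read and the image written, then append
    a chain-of-custody record to `log_path` (one JSON object per line)."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())          # make sure the image really reached disk
    src_hash = h_src.hexdigest()
    img_hash = sha256_of(image_path)    # re-read the image: catches write errors
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "sha256_source": src_hash,
        "sha256_image": img_hash,
        "verified": src_hash == img_hash,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (before analysis, or in court) and compare."""
    return sha256_of(image_path) == expected_sha256


# Constructed stand-in for a disk: a boot-sector-like header, filler bytes and
# the 0x55AA signature. Not an image of any real system.
SAMPLE_DISK = b"\xeb\x3c\x90MSDOS5.0" + bytes(range(256)) * 16 + b"\x55\xaa"


def demo(examiner="examiner name (assumed)"):
    """Write SAMPLE_DISK to a temp file standing in for /dev/sdb, image it,
    and return the custody record."""
    work = tempfile.mkdtemp(prefix="ir-image-")
    source = os.path.join(work, "sdb")
    with open(source, "wb") as f:
        f.write(SAMPLE_DISK)
    return image_device(source, os.path.join(work, "sdb.dd"),
                        os.path.join(work, "custody.jsonl"), examiner)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the source stream and the finished image separately is the point: if the two digests differ the copy is not evidence, and `verify_image` gives anyone who handles the image later a way to prove it has not changed since acquisition. Flipping a single byte of the image makes the check fail.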
Recovery
Involves returning the affected systems to normal status
If malware:
Ensure the system is back in full working order with no presence of malware
Might need to restore software and data from backup
Recovery involves returning the affected systems to normal status. In the case of malware, that means ensuring the system is back in full working order with absolutely no presence of the malware. In many cases, this involves restoring software and data from a backup source that has been verified to be free from the malware infection.
Follow-up
Forensics plays a critical role
IT team must determine:
How incident occurred
What steps can be taken to prevent incident from reoccurring
Forensics plays a critical role in this stage as well. The IT team must determine how this incident occurred and what steps can be taken to prevent the incident from reoccurring. Obviously, the results of the forensic examination are instrumental to the follow-up stage.
Preserving Evidence
An event:
Is any observable occurrence within a system or network
Includes network activity, such as when a user accesses files on a server or when a firewall blocks network traffic
Adverse events have negative results or negative consequences
Example: An attack on a system
Computer Security Incidents
A computer security incident is any event that violates an organization’s security policies. This includes computer security policies, acceptable use policies, or standard security practices.
Denial of service (DoS) attacks
Malicious code
Unauthorized access
Inappropriate usage
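To make the event/incident distinction concrete, here is an added example (not from the textbook) that runs simple policy rules over constructed log lines: every line is an event, but only lines that, in context, violate a policy (a burst of failed logins, a successful login from a source that just brute-forced, an antivirus quarantine) are raised as incidents, and each incident keeps the originating lines as evidence. The log lines, addresses, threshold, and window are assumptions; the category names follow the list above, and DoS or inappropriate-usage rules would be written the same way.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): "<ISO timestamp> <source> <message>".
SAMPLE_LOG = """\
2017-07-03T09:00:01 fw BLOCK src=203.0.113.7 dst=10.0.0.5 dport=23
2017-07-03T09:00:02 fw BLOCK src=203.0.113.7 dst=10.0.0.5 dport=3389
2017-07-03T09:01:10 sshd Failed password for root from 203.0.113.7
2017-07-03T09:01:12 sshd Failed password for root from 203.0.113.7
2017-07-03T09:01:15 sshd Failed password for admin from 203.0.113.7
2017-07-03T09:01:17 sshd Failed password for admin from 203.0.113.7
2017-07-03T09:01:20 sshd Failed password for oracle from 203.0.113.7
2017-07-03T09:01:25 sshd Accepted password for oracle from 203.0.113.7
2017-07-03T09:30:00 av Quarantined file C:\\Users\\jdoe\\Downloads\\invoice.exe threat=Trojan.Generic
2017-07-03T10:15:00 sshd Failed password for jdoe from 10.0.0.44
2017-07-03T10:15:40 sshd Accepted password for jdoe from 10.0.0.44
"""

LINE = re.compile(r"^(\S+) (\S+) (.*)$")
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")
QUARANTINE = re.compile(r"Quarantined file (\S+) threat=(\S+)")

THRESHOLD = 5                   # this many failed logins from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this window violates policy (assumed values)


def triage(log_text):
    """Return (events, incidents). Every parseable line is an event; an incident
    is raised only when a line, in context, violates one of the policy rules."""
    events, incidents = [], []
    failures = defaultdict(deque)   # source address -> recent (time, line) failures
    flagged = set()                 # sources already raised for brute force

    def raise_incident(category, source, detail, evidence):
        incidents.append({"category": category, "source": source,
                          "detail": detail, "evidence": list(evidence)})

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, origin, msg = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        events.append(raw)          # e.g. a blocked port probe: an event, not an incident

        if (f := FAILED.search(msg)):
            src = f.group(2)
            recent = failures[src]
            recent.append((ts, raw))
            while recent and ts - recent[0][0] > WINDOW:
                recent.popleft()    # slide the window forward
            if len(recent) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                raise_incident("unauthorized access", src,
                               f"{len(recent)} failed logins within {WINDOW.seconds}s",
                               (line for _, line in recent))
        elif (a := ACCEPTED.search(msg)):
            user, src = a.groups()
            if src in flagged:      # success right after brute force: likely compromise
                raise_incident("unauthorized access", src,
                               f"login as {user} following brute force", [raw])
        elif (q := QUARANTINE.search(msg)):
            raise_incident("malicious code", origin,
                           f"{q.group(2)} in {q.group(1)}", [raw])
    return events, incidents


if __name__ == "__main__":
    events, incidents = triage(SAMPLE_LOG)
    print(f"{len(events)} events, {len(incidents)} incidents")
    for inc in incidents:
        print(inc["category"], inc["source"], inc["detail"], sep=" | ")
```

Run over the sample, all eleven lines are events, but only three incidents come out: the five-failure burst from 203.0.113.7, the successful oracle login that followed it, and the quarantine. The single failed login from 10.0.0.44 followed by a success stays an ordinary event. Keeping the raw lines inside the incident record is what later lets the follow-up stage reconstruct the timeline without relying on logs that may have rotated away.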
Preserving Evidence (Cont.)
Recovery often performed at the expense of preserving forensic evidence
Failure to preserve forensic information:
Prevents IT team from effectively evaluating cause of incident
Makes it difficult to modify company policies and procedures to reduce risk
Forensic data is key to preventing future incidents
Regardless of incident details, evidence must be preserved.
Organization might not have initially thought a crime was committed but further investigation reveals a criminal act did occur.
For example, a hard drive crash might initially be thought to be a normal failure of the device, but further examination uncovers malware that caused the hard drive to fail much sooner than it should have. If proper forensic procedures have not been followed, it may be impossible to prosecute or pursue civil litigation.
Adding Forensics to Incident Response
Identify forensic resources the organization can use in case of an incident
Identify an outside party that can respond to incidents with forensically trained personnel
Weave forensic methodology into organization's incident response policy
Provide appropriate training to staff for preserving evidence
Summary
Disaster recovery
Evidence preservation
How to integrate forensics into incident response