
Colin Horn
winsec3e_ppt_ch13.pptx

Security Strategies in Windows Platforms and Applications

Lesson 13

Microsoft Windows Incident Handling and Management

© 2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Cover image © Sharpshot/Dreamstime.com


Learning Objective(s)

Perform incident handling by using appropriate methods.


Key Concepts

Windows incidents

Windows incident handling tools

Acquiring and managing evidence

Incident response plan


Handling Security Incidents Involving Microsoft Windows OS and Applications

Event

Any observable occurrence within a computer or network

Incident

Any event that:

Violates security policy

Poses an imminent threat to security policy


Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Securing resources involves defining which activities are appropriate and which are inappropriate, and ensuring that you allow only the appropriate ones. Any action that occurs within a computing environment is called an event. Any event that either violates security policy or poses an imminent threat to your security policy is called a security incident.

There are many types of security incidents, from minor to major incidents. An incident can be as simple as too many failed login attempts or as complex as coordinated attempts to compromise a database that contains confidential information. Examples of security incidents include but are not limited to:

Excessive bandwidth use caused by the compromise of a system

Commercial use of IT resources

Compromised computers

Copyright infringement

Digital harassment

IP spoofing

Intruder activity

Network attack or denial-of-service condition

Virus or Internet worm activity


Handling Security Incidents Involving Microsoft Windows OS and Applications

Examples of incidents

Virus or Internet worm activity

Internet protocol (IP) spoofing

Intruder activity

Network attack or denial of service (DoS) condition

The first step in responding to an incident is to recognize that an incident has occurred.


Handling Security Incidents Involving Microsoft Windows OS and Applications

To minimize the number and impact of incidents:

Develop, maintain, and enforce a clear security policy that management supports and promotes.

Conduct routine vulnerability assessments to discover vulnerabilities that could lead to incidents.


Handling Security Incidents Involving Microsoft Windows OS and Applications

To minimize the number and impact of incidents:

Ensure all computers and network devices have the latest available patches installed.

Train all computer system users on acceptable and unacceptable behavior.

Establish frequent and visible security awareness reminders.


Handling Security Incidents Involving Microsoft Windows OS and Applications

To minimize the number and impact of incidents:

Enforce strong passwords throughout your environment.

Frequently monitor network traffic, system performance, and all available log files to identify any incidents or unusual events.
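As an added illustration of the monitoring bullet above (not part of the original slides or textbook): a small Python routine that scans a constructed text export of failed logon records and flags any source address with too many failures inside a short window, which is the "too many failed login attempts" incident the lesson notes use as an example. The log line format, the threshold and the window size are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a text export of failed logon records (the format is an assumption).
SAMPLE_LOG = """\
2021-03-04 02:13:01 LOGON FAILURE user=svc_backup src=10.0.0.77
2021-03-04 02:13:04 LOGON FAILURE user=administrator src=10.0.0.77
2021-03-04 02:13:06 LOGON FAILURE user=jsmith src=10.0.0.77
2021-03-04 02:13:09 LOGON FAILURE user=svc_backup src=10.0.0.77
2021-03-04 02:13:11 LOGON FAILURE user=mlee src=10.0.0.77
2021-03-04 02:20:00 LOGON FAILURE user=jsmith src=192.168.5.9
2021-03-04 02:45:00 LOGON FAILURE user=jsmith src=192.168.5.9
"""

def parse_failure(line):
    """Return (timestamp, user, source) for a failed-logon line, else None."""
    if "LOGON FAILURE" not in line:
        return None
    date, time, _, _, user, src = line.split()
    when = datetime.fromisoformat(f"{date} {time}")
    return when, user.split("=", 1)[1], src.split("=", 1)[1]

def excessive_failures(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons inside any span of `window`.

    A sliding window per source: a handful of typos spread over an hour is just
    an event, a burst against several accounts from one address is an incident.
    """
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    users = defaultdict(set)      # source -> accounts it has failed against
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        when, user, src = parsed
        users[src].add(user)
        q = recent[src]
        q.append(when)
        while q and when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = {"first_seen": q[0], "count": len(q), "users": sorted(users[src])}
    return flagged
```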


Handling Security Incidents Involving Microsoft Windows OS and Applications

To minimize the number and impact of incidents:

Ensure you have a solid business continuity plan (BCP) and disaster recovery plan (DRP) that you test at least annually.

Create a computer security incident response team (CSIRT).


Formulating an Incident Response Plan


Plan

Computer Security Incident Response Team (CSIRT)

Plan for communication

Plan for security

Test plan

Revise procedures

Handling Incident Response


Preparation

Identification

Containment

Eradication

Recovery

Lessons learned

Sample Incident Reporting Form


All evidence you present in a court of law must exist in the same condition as it did when you collected it. Evidence cannot change at all once you collect it; it must be in pristine condition.

You’ll be required to prove to the court that the evidence did not change during the investigation. You’ll have to provide your own evidence that all collected evidence exists without changes as it did when it was collected.

The documentation that provides details of every move and access of evidence is called the chain of custody. The chain starts when you collect any piece of evidence.

Since you don’t know whether you’ll have to present evidence in court, you should collect all evidence during an incident investigation as if you will take it to court. If you carefully preserve the chain of custody and do not go to court, you simply have well-documented evidence. This type of information is great for analyzing incidents during the lessons-learned step of incident response. On the other hand, if you are careless in the way you collect evidence and then end up going to court, your carelessness will likely result in the court rejecting your evidence. Without the evidence you need to prove your case, you may not be able to prevail. Always treat each investigation as if it will end up in court.


Incident Handling and Management Tools for Microsoft Windows and Applications

Two basic types:

Tools that help manage the CSIRT’s activities and gather information about the incident response process

Tools that collect information about the incident itself


CSIRT Responsibilities


Tracking incidents

Reporting on incidents

Archiving incident reports

Communicating incident information

Investigating Microsoft Windows and Applications Incidents

Collect technical information to support incident investigation and resolution

Collect evidence of incident activity to discover what happened, why it happened, how to stop it from happening again

Discover traces of past activity in memory, stored on disks, or in log files

Find evidence of incident activity


Questions to Ask During an Investigation

What happened?

Who did it?

When did it happen?

Where did the incident originate and where was its target?

Why did the attacker attack this system?

How did it happen?


What happened?—Gather as much information about the incident as possible.

Who did it?—Discover as much information as possible about the source of the attack.

When did it happen?—Collect information on when the incident started and when it stopped.

Where did the incident originate and where was its target?—Discover the source’s location and the target of the attack.

Why did the attacker attack this system?—Discover the attack’s purpose and goal.

How did it happen?—Attempt to understand how the attacker compromised your security controls and accessed your system.


Acquiring and Managing Incident Evidence

Treat investigation as if it will end up in court

Investigation should produce evidence of an incident and possibly support action against an attacker

Evidence may be pictures, executable files, log files, other


Types of Evidence

Most common types of evidence in computer incidents:

Real evidence – a physical object

Documentary evidence – written evidence or file contents

Required to prove accusation


Chain of Custody

Only original evidence is useful

Evidence that has not changed since the incident

Collection methods can change evidence

Handling methods can change evidence


Sample Chain of Custody Log
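The chain-of-custody notes in this lesson say you must be able to prove to a court that evidence did not change after you collected it. As an added example (not from the textbook or the slides), here is a minimal chain-of-custody log in Python that records a SHA-256 hash at collection and again at every hand-off, so a later change is both detected and pinned to a specific custodian; the evidence bytes, analyst names and item ID are constructed.

```python
import hashlib
from datetime import datetime, timezone

EVIDENCE = b"2021-03-04 02:13:07 LOGON FAILURE user=svc_backup src=10.0.0.77\r\n" * 3  # constructed stand-in for a collected log file

def sha256_hex(data: bytes) -> str:
    # Content hash taken at collection; any later change to the bytes alters it.
    return hashlib.sha256(data).hexdigest()

class ChainOfCustody:
    # Append-only record of every collection, transfer and access of an evidence item.
    def __init__(self):
        self.entries = []

    def _log(self, item_id, action, person, data, when, note):
        entry = {"item_id": item_id, "action": action, "person": person,
                 "when": when.isoformat(), "sha256": sha256_hex(data), "note": note}
        self.entries.append(entry)

    def collect(self, item_id, data, collector, when, description):
        # The chain starts at collection; this hash is the baseline for all later checks.
        return self._log(item_id, "collected", collector, data, when, description)

    def handoff(self, item_id, data, giver, receiver, when, purpose):
        # Every hand-off re-hashes the item so a change is pinned to a specific custodian.
        return self._log(item_id, "transferred", f"{giver} -> {receiver}", data, when, purpose)

    def baseline(self, item_id):
        for e in self.entries:
            if e["item_id"] == item_id and e["action"] == "collected":
                return e["sha256"]
        raise KeyError(f"no collection record for {item_id}")

    def verify(self, item_id, data):
        # True only if the item still matches the hash recorded when it was collected.
        return sha256_hex(data) == self.baseline(item_id)

    def broken_links(self, item_id):
        # Custodians whose entry hash no longer matches the baseline: where custody failed.
        base = self.baseline(item_id)
        return [e["person"] for e in self.entries if e["item_id"] == item_id and e["sha256"] != base]

def demo():
    log = ChainOfCustody()
    t = datetime(2021, 3, 4, 9, 0, tzinfo=timezone.utc)
    log.collect("EV-001", EVIDENCE, "analyst A", t, "security log excerpt from host FS01")
    log.handoff("EV-001", EVIDENCE, "analyst A", "analyst B", t, "analysis")
    tampered = EVIDENCE.replace(b"svc_backup", b"svc_backu0", 1)  # one byte altered in a working copy
    log.handoff("EV-001", tampered, "analyst B", "legal", t, "review")
    return log.verify("EV-001", EVIDENCE), log.verify("EV-001", tampered), log.broken_links("EV-001")
```

In practice the hash of the original is taken on a write-blocked or read-only copy, and the log itself is kept where the custodians cannot silently rewrite it.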


Evidence Collection Rules

Each state and local jurisdiction may impose slightly different rules

Familiarize yourself with local laws and policies

Different rules govern different types of evidence

Contact local law enforcement to learn how they approach investigations

Contact your organization’s legal representatives, beginning with your CSIRT team legal representative


Best Practices for Handling Incidents

Harden operating systems and software to avoid incidents.

Assess computers periodically to expose vulnerabilities.

Validate BCPs and DRPs.

Get full management support for a CSIRT.

Create a CSIRT.

Conduct a risk assessment to identify potential incidents that require attention first.


Best Practices for Handling Incidents (Cont.)

Develop an incident response plan around the six steps to handling incidents.

Create an incident reporting form and procedures.

Distribute and publicize the incident reporting form and procedures.

Test the incident response plan before attackers do.

Identify and acquire incident management software.

Identify and acquire incident investigation software.

Train key CSIRT members on proper evidence collection and handling.


Summary

Windows incidents

Windows incident handling tools

Acquiring and managing evidence

Incident response plan
