CyOps - v3 - Chap13

The document discusses incident response models and standards for computer security incidents. It describes the cyber kill chain and diamond models for understanding intrusion events. It also covers Computer Security Incident Response Teams (CSIRTs) and the NIST 800-61r2 standard for responding to security incidents.


Chapter 13: Incident Response and Handling

Cybersecurity Operations

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 535
Chapter 13 - Sections & Objectives
 13.1 Incident Response Models
• Apply incident response models to an intrusion event.

 13.2 CSIRTs and NIST 800-61r2
• Apply standards specified in NIST 800-61r2 to a computer security incident.

13.1 Incident Response Models

Incident Response Models
The Cyber Kill Chain
 Seven steps
1. Reconnaissance – researching target information
2. Weaponization – pairing remote malware with a backdoor to create a payload
3. Delivery – delivering the weapon through email or something else
4. Exploitation – trigger code and execute it
5. Installation – install a backdoor to install malware
6. Command and Control – outside server channel used to manipulate the target
7. Actions on Objectives – attacker achieves the attack objective

[Figure slides 539 to 545: one diagram per Cyber Kill Chain step: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives]
Incident Response Models
The Diamond Model of Intrusion
 An event is a time-bound activity restricted to a specific step where an
adversary uses a capability over some infrastructure against a victim to
achieve a specific result.
 4 parts
• Adversary
• Capability
• Victim
• Infrastructure
 Meta-Features
• Timestamp
• Phase
• Result
• Direction
• Methodology
• Resources
Meta-features
 Timestamp – This indicates the start and stop time of an event and is an
integral part of grouping malicious activity.
 Phase – This is analogous to steps in the Cyber Kill Chain; malicious activity
includes two or more steps executed in succession to achieve the desired
result.
 Result – This delineates what the adversary gained from the event. Results
can be documented as one or more of the following: confidentiality
compromised, integrity compromised, and availability compromised.
 Direction – This indicates the direction of the event across the Diamond
Model. These include Adversary-to-Infrastructure, Infrastructure-to-Victim,
Victim-to-Infrastructure, and Infrastructure-to-Adversary.
 Methodology – This is used to classify the general type of event, such as
port scan, phishing, content delivery attack, SYN flood, etc.
 Resources – These are one or more external resources used by the
adversary for the intrusion event, such as software, adversary’s knowledge,
information (e.g., username/passwords), and assets to carry out the attack
(hardware, funds, facilities, network access).

The Diamond Model and the Cyber Kill Chain
[Figure: activity thread example]
Activity threads
 1. Adversary conducts a web search for victim company Gadgets,
Inc. receiving as part of the results their domain gadgets.com.
 2. Adversary uses the newly discovered domain gadgets.com for a
new search “network administrator gadgets.com” and discovers
forum postings from users claiming to be network administrators of
gadgets.com. The user profiles reveal their email addresses.
 3. Adversary sends phishing emails with a Trojan horse attached to
the network administrators of gadgets.com.
 4. One network administrator (NA1) of gadgets.com opens the
malicious attachment. This executes the enclosed exploit, allowing
further code execution.
 5. NA1’s compromised host sends an HTTP POST message to an IP
address, registering it with a CnC controller. NA1’s compromised
host receives an HTTP response in return.

Activity threads
 6. It is revealed from reverse engineering that the malware has
additional IP addresses configured which act as a back-up if the
first controller does not respond.
 7. Through a CnC HTTP response message sent to NA1’s host,
the malware begins to act as a proxy for new TCP connections.
 8. Through the proxy established on NA1’s host, Adversary does a
web search for “most important research ever” and finds Victim 2,
Interesting Research Inc.
 9. Adversary checks NA1’s email contact list for any contacts from
Interesting Research Inc. and discovers the contact for the
Interesting Research Inc. Chief Research Officer.
 10. Chief Research Officer of Interesting Research Inc. receives a
spear-phish email from the email address of Gadgets, Inc.’s NA1, sent
from NA1’s host with the same payload as observed in Event 3.
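The activity thread above, written out as Diamond Model events. This is an added example, not code from the Cisco course: each event carries the four core features (adversary, capability, infrastructure, victim) plus the six meta-features from the earlier slide, with the phase taken from the Cyber Kill Chain. Three helper functions do what an analyst does with a thread: group events per victim in time order, list the kill chain phases that were never observed in a thread (where the defender lacked visibility), and flag the pivot, which is an event whose infrastructure is an asset recorded earlier as belonging to a different victim (NA1's host reused as a proxy and mail sender against Victim 2). Event numbers follow the slide narrative; timestamps, asset labels and capability names are constructed for the example.

```python
"""Diamond Model events for the Gadgets, Inc. activity thread (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Kill chain phases in order; used for the Diamond "phase" meta-feature.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# The four directions listed on the meta-features slide.
DIRECTIONS = {"adversary_to_infrastructure", "infrastructure_to_victim",
              "victim_to_infrastructure", "infrastructure_to_adversary"}


@dataclass(frozen=True)
class DiamondEvent:
    event_id: int
    timestamp: datetime              # meta-feature: start of the event
    adversary: str                   # core feature
    capability: str                  # core feature
    infrastructure: str              # core feature
    victim: str                      # core feature: the victim organisation
    victim_asset: str                # which asset of the victim was touched (constructed label)
    phase: str                       # meta-feature: kill chain step
    direction: str                   # meta-feature
    methodology: str                 # meta-feature: general class of event
    result: Tuple[str, ...] = ()     # meta-feature: which of C/I/A was compromised
    resources: Tuple[str, ...] = ()  # meta-feature: external resources used

    def __post_init__(self) -> None:
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {self.phase}")
        if self.direction not in DIRECTIONS:
            raise ValueError(f"unknown direction: {self.direction}")


_T0 = datetime(2024, 1, 8, 9, 0)  # constructed start time for the thread


def _at(minutes: int) -> datetime:
    return _T0 + timedelta(minutes=minutes)


# Constructed records for events 1, 3, 4, 5, 8 and 10 of the slide narrative.
EVENTS = [
    DiamondEvent(1, _at(0), "Adversary", "web search", "public search engine",
                 "Gadgets, Inc.", "gadgets.com web presence", "reconnaissance",
                 "adversary_to_infrastructure", "open-source research",
                 resources=("adversary knowledge",)),
    DiamondEvent(3, _at(60), "Adversary", "phishing email with Trojan attachment",
                 "adversary mail sender", "Gadgets, Inc.", "network admin mailboxes",
                 "delivery", "infrastructure_to_victim", "phishing"),
    DiamondEvent(4, _at(90), "Adversary", "exploit in malicious attachment",
                 "adversary mail sender", "Gadgets, Inc.", "NA1 host",
                 "exploitation", "infrastructure_to_victim", "content delivery attack",
                 result=("integrity",)),
    DiamondEvent(5, _at(95), "Adversary", "malware beacon (HTTP POST)",
                 "CnC controller", "Gadgets, Inc.", "NA1 host",
                 "command_and_control", "victim_to_infrastructure", "HTTP beacon"),
    DiamondEvent(8, _at(200), "Adversary", "web search through compromised proxy",
                 "NA1 host", "Interesting Research Inc.", "public web presence",
                 "reconnaissance", "adversary_to_infrastructure", "open-source research"),
    DiamondEvent(10, _at(260), "Adversary", "spear-phish reusing Event 3 payload",
                 "NA1 host", "Interesting Research Inc.", "CRO mailbox",
                 "delivery", "infrastructure_to_victim", "phishing"),
]


def activity_threads(events: List[DiamondEvent]) -> Dict[str, List[DiamondEvent]]:
    """Group events by victim; each thread is ordered by timestamp."""
    threads: Dict[str, List[DiamondEvent]] = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        threads.setdefault(ev.victim, []).append(ev)
    return threads


def unobserved_phases(thread: List[DiamondEvent]) -> List[str]:
    """Kill chain phases never recorded in a thread: where visibility was lacking."""
    seen = {ev.phase for ev in thread}
    return [p for p in KILL_CHAIN if p not in seen]


def find_pivots(events: List[DiamondEvent]) -> List[Tuple[int, str, str]]:
    """(event_id, from_victim, to_victim) for every event whose infrastructure
    is an asset recorded earlier as belonging to a different victim."""
    owner_of_asset: Dict[str, str] = {}
    pivots: List[Tuple[int, str, str]] = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        owner = owner_of_asset.get(ev.infrastructure)
        if owner is not None and owner != ev.victim:
            pivots.append((ev.event_id, owner, ev.victim))
        owner_of_asset.setdefault(ev.victim_asset, ev.victim)
    return pivots


if __name__ == "__main__":
    for victim, thread in activity_threads(EVENTS).items():
        print(victim, [e.event_id for e in thread], "gaps:", unobserved_phases(thread))
    print("pivots:", find_pivots(EVENTS))
```

The gap list is the practical payoff of recording the phase meta-feature: for Gadgets, Inc. the thread jumps from exploitation straight to command and control, so installation was never seen by any sensor, which is the question to take to the endpoint telemetry during the investigation.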

What is the VERIS Schema?
 The Vocabulary for Event Recording
and Incident Sharing (VERIS) is a set
of metrics to describe security
incidents in a structured way.
 The VERIS Community Database
(VCDB) is an open and free collection
of publicly-reported security incidents
in VERIS format.
 In the VERIS schema, risk is defined
as the intersection of four landscapes
of Threat, Asset, Impact, and Control.

Create a VERIS Record
 When creating records to add to the database, start with the
basic facts about the incident.
 It is helpful to use the VERIS elements outlined by the
community.
 After the initial records are created, additional details should
be added to aid in data analysis.

[Figure: basic VERIS record]
Top-Level and Second-Level Elements
 There are five top-level elements of the VERIS schema, each
of which provides a different aspect of the incident. Each top-
level element contains several second-level elements. These
elements are useful for classifying data that has been
collected about an incident.
• Impact Assessment
• Discovery and Response
• Incident Description
• Victim Demographics
• Incident Tracking
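The create-then-enrich workflow from the two VERIS slides, as an added example that is neither Cisco's nor the VERIS project's code. A record starts from the basic facts, grouped under the five top-level elements named above; details are added afterwards; and a validator checks the record before submission, including that the "attribute" field only names confidentiality, integrity or availability. The second-level field names under each grouping are my own simplification for illustration, and the sample incident is constructed; the published VERIS JSON schema lays its fields out differently, so check a real record against it before sending anything to the VCDB.

```python
"""Create, enrich and validate a basic VERIS-style incident record (added example)."""
import json
from typing import Any, Dict, List, Tuple

# The five top-level elements named on the slide.
TOP_LEVEL = ("incident_tracking", "victim_demographics", "incident_description",
             "discovery_and_response", "impact_assessment")

# Second-level fields a basic record must carry (assumed names for this example).
REQUIRED: Dict[str, Tuple[str, ...]] = {
    "incident_tracking": ("incident_id", "source_id", "year"),
    "victim_demographics": ("industry", "employee_count", "country"),
    "incident_description": ("actor", "action", "asset", "attribute"),
    "discovery_and_response": ("discovery_method",),
    "impact_assessment": ("overall_rating",),
}
ATTRIBUTES = {"confidentiality", "integrity", "availability"}


def new_basic_record(incident_id: str, source_id: str, year: int, industry: str,
                     employee_count: str, country: str, actor: str, action: str,
                     asset: str, attribute: Tuple[str, ...], discovery_method: str,
                     overall_rating: str) -> Dict[str, Any]:
    """Start with the basic facts about the incident."""
    return {
        "incident_tracking": {"incident_id": incident_id, "source_id": source_id, "year": year},
        "victim_demographics": {"industry": industry, "employee_count": employee_count,
                                "country": country},
        "incident_description": {"actor": actor, "action": action, "asset": asset,
                                 "attribute": list(attribute)},
        "discovery_and_response": {"discovery_method": discovery_method},
        "impact_assessment": {"overall_rating": overall_rating},
    }


def enrich(record: Dict[str, Any], top_level: str, field: str, value: Any) -> Dict[str, Any]:
    """Add a second-level detail after the initial record exists."""
    if top_level not in TOP_LEVEL:
        raise KeyError(f"not a VERIS top-level element: {top_level}")
    record[top_level][field] = value
    return record


def validate(record: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the record is ready to share."""
    errors: List[str] = []
    for top in TOP_LEVEL:
        section = record.get(top)
        if not isinstance(section, dict):
            errors.append(f"missing top-level element: {top}")
            continue
        for fld in REQUIRED[top]:
            if fld not in section:
                errors.append(f"{top}.{fld} is required")
    attrs = record.get("incident_description", {}).get("attribute", [])
    for a in attrs:
        if a not in ATTRIBUTES:
            errors.append(f"unknown attribute {a!r}; expected one of {sorted(ATTRIBUTES)}")
    if not attrs:
        errors.append("incident_description.attribute must name at least one of C/I/A")
    year = record.get("incident_tracking", {}).get("year")
    if not isinstance(year, int):
        errors.append("incident_tracking.year must be an integer")
    return errors


def to_json(record: Dict[str, Any]) -> str:
    return json.dumps(record, indent=2, sort_keys=True)


# Constructed sample incident (identifier and values are placeholders).
SAMPLE = new_basic_record(
    incident_id="EXAMPLE-0001", source_id="example_org", year=2024,
    industry="Finance", employee_count="1001 to 10000", country="US",
    actor="external", action="hacking", asset="server",
    attribute=("confidentiality",),
    discovery_method="external - customer", overall_rating="moderate",
)

if __name__ == "__main__":
    enrich(SAMPLE, "discovery_and_response", "days_to_discovery", 12)
    print(validate(SAMPLE) or "record is valid")
    print(to_json(SAMPLE))
```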

Incident Response Models
The VERIS Schema

The VERIS Community Database
 VERIS Community Database (VCDB) is useful since through
the proper use of the VERIS schema and a willingness to
participate, organizations can submit security incident details
to the VCDB for the community to use.
 This helps researchers who study security incident trends, and helps
organizations make reliable risk management calculations.

13.2 CSIRTs and NIST 800-61r2

CSIRT Overview
 Generally, a computer security incident is any malicious or
suspicious act which violates a security policy or any event that
threatens the security, confidentiality, integrity, or availability of an
organization’s assets, information systems, or data network.
 A Computer Security Incident Response Team (CSIRT) is an
internal group commonly found within an organization that provides
services and functions to secure the assets of that organization.
 A CSIRT does not necessarily only respond to incidents that have
already happened.
 A CSIRT may also provide proactive services and functions such
as penetration testing, intrusion detection, or even security
awareness training.
 These types of services can help to prevent incidents, but also
increase response time, and mitigate damage.

CSIRTs and NIST 800-61r2
CSIRTs
 Computer Security Incident Response Team (CSIRT)
provides services and functions to secure assets.
 Different types include
• Internal – used in banks, hospitals,
universities, etc.
• National – handles incidents for a
country
• Coordination center – incident
handling across multiple CSIRTs
• Analysis centers – data from many
sources to identify trends
• Vendor teams – remediation for vulnerabilities in hardware/software
• Managed security service providers – a fee-based service

CSIRTs and NIST 800-61r2
CSIRTs (Cont.)
 Computer Emergency Response Team (CERT) is a trademarked acronym owned by
Carnegie Mellon University.
 A CERT provides security awareness, best practices, and security
vulnerability information, but does not respond to security incidents.
 Other countries have asked for permission to use the CERT acronym.

CSIRTs and NIST 800-61r2
NIST 800-61r2
 The NIST 800-61r2 standard provides guidelines for incident handling.
 Stakeholders include management, information assurance, IT support, the
legal department, public affairs and media relations, human resources,
business continuity planning, as well as physical security and facilities
management.
 NIST defines four steps in the incident response process life cycle.

Establishing an Incident Response Capability

 The NIST 800-61r2 standard provides guidelines for incident handling:
analyzing incident-related data, determining the appropriate response, …
 The first step for an organization is to establish a computer security incident
response capability (CSIRC).
 For establishing and maintaining a CSIRC, NIST recommends creating
policies, plans, and procedures.
• Policy elements: how incidents should be handled based on the organization’s
mission, size, and function.
• Plan Elements: to minimize the damage caused, adjust the plan according to
lessons learned, and keep the involved parties well informed.
• Procedure Elements: The procedures should follow the incident response plan.
o Standard operating procedures (SOPs) such as following technical processes,
using techniques, filling out forms and following checklists
o SOPs should be detailed so that the mission and goals of the organization are in
mind when these procedures are followed.
o SOPs minimize errors that may be caused by personnel that are under stress
o It is important to share and practice these procedures, making sure that they are
useful, accurate, and appropriate.
Policy and plan elements
[Figure: policy elements and plan elements]
Incident Response Stakeholders

Incident Response Stakeholders
 Management – Managers create the policies that everyone must follow. Management must
coordinate the incident response with other stakeholders and minimize the damage of an incident.
 Information Assurance – can change things such as firewall rules during some stages of incident
management such as containment or recovery.
 IT Support – because they have a deeper understanding, it is more likely that they will perform the
correct action to minimize the effectiveness of the attack or preserve evidence properly.
 Legal Department – review the incident policies, plans, and procedures to make sure that they do
not violate any local or federal guidelines. Also, if any incident has legal implications, a legal expert
will need to become involved. This might include prosecution, evidence collection, or lawsuits.
 Public Affairs and Media Relations – sometimes media and public might need to be informed of an
incident, such as when their personal information has been compromised during an incident.
 Human Resources – The human resources department might need to perform disciplinary
measures if an incident caused by an employee occurs.
 Business Continuity Planning – Persons in charge of business continuity planning are aware of
security incidents and the impact they have had on the organization as a whole. This will allow them
to make any changes in plans and risk assessments.
 Physical Security and Facilities Management – When a security incident happens because of a
physical attack (tailgating, shoulder surfing…) these teams are informed and involved. It is also their
responsibility to secure facilities that contain evidence from an investigation.

NIST Incident Response Life Cycle
 NIST defines four steps in the incident response process life
cycle, as shown in the figure.
• Preparation – The members of the CSIRT are trained in how to
respond to an incident.
• Detection and Analysis - Through continuous monitoring, the CSIRT
quickly identifies, analyzes, and validates an incident.
• Containment, Eradication, and Recovery - The CSIRT implements
procedures to contain the threat, eradicate the impact on organizational
assets, and use backups to restore data and software. This phase may
cycle back to detection and analysis to gather more information, or to
expand the scope of the investigation.
• Post-Incident Activities - The CSIRT then documents how the incident
was handled, recommends changes for future response, and specifies
how to avoid a reoccurrence.
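The four-phase life cycle as a state machine, an added example that is not Cisco's or NIST's code. The phase names follow the slide; the transition table and tracker class are my own, and they encode the one thing a ticketing tool usually gets wrong: containment, eradication and recovery may legitimately cycle back to detection and analysis, but nothing may skip from analysis straight to post-incident activities. The tracker also reports how much time was spent in each phase and how many times the team looped back, both of which are inputs to the post-incident review. The sample timeline is constructed.

```python
"""Track an incident through the NIST 800-61r2 life cycle (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

PREPARATION = "preparation"
DETECTION = "detection_and_analysis"
CONTAINMENT = "containment_eradication_recovery"
POST_INCIDENT = "post_incident_activities"

# Permitted moves. Containment may cycle back to detection when more
# information or a wider scope is needed; post-incident is terminal, and
# its lessons feed the next incident's preparation rather than this record.
ALLOWED: Dict[str, Set[str]] = {
    PREPARATION: {DETECTION},
    DETECTION: {CONTAINMENT},
    CONTAINMENT: {DETECTION, POST_INCIDENT},
    POST_INCIDENT: set(),
}


def is_allowed(from_phase: str, to_phase: str) -> bool:
    return to_phase in ALLOWED.get(from_phase, set())


class IncidentLifecycle:
    def __init__(self, incident_id: str, opened_at: datetime) -> None:
        self.incident_id = incident_id
        self.phase = PREPARATION
        # (phase, entered_at, note), in the order the phases were entered.
        self.history: List[Tuple[str, datetime, str]] = [(PREPARATION, opened_at, "opened")]

    def advance(self, new_phase: str, at: datetime, note: str) -> "IncidentLifecycle":
        if not is_allowed(self.phase, new_phase):
            raise ValueError(f"{self.phase} -> {new_phase} is not a life cycle transition")
        if at < self.history[-1][1]:
            raise ValueError("transition timestamps must not go backwards")
        self.phase = new_phase
        self.history.append((new_phase, at, note))
        return self

    def is_closed(self) -> bool:
        return self.phase == POST_INCIDENT

    def containment_loops(self) -> int:
        """How many times the team went back from containment to analysis."""
        phases = [p for p, _, _ in self.history]
        return sum(1 for a, b in zip(phases, phases[1:]) if a == CONTAINMENT and b == DETECTION)

    def phase_durations(self) -> Dict[str, timedelta]:
        """Time spent in each phase, summed across revisits; the phase the
        incident is currently in counts only up to its last recorded entry."""
        totals = {p: timedelta(0) for p in ALLOWED}
        for (phase, start, _), (_, end, _) in zip(self.history, self.history[1:]):
            totals[phase] += end - start
        return totals

    def phase_minutes(self) -> Dict[str, int]:
        return {p: int(d.total_seconds() // 60) for p, d in self.phase_durations().items()}


def sample_incident() -> IncidentLifecycle:
    """Constructed walk through the life cycle, with one loop back to analysis."""
    t0 = datetime(2024, 3, 1, 8, 0)
    lc = IncidentLifecycle("INC-0001", t0)  # placeholder identifier
    lc.advance(DETECTION, t0 + timedelta(minutes=30), "SIEM alert validated")
    lc.advance(CONTAINMENT, t0 + timedelta(minutes=90), "host isolated")
    lc.advance(DETECTION, t0 + timedelta(minutes=120), "second host suspected; widen scope")
    lc.advance(CONTAINMENT, t0 + timedelta(minutes=150), "both hosts rebuilt from backup")
    lc.advance(POST_INCIDENT, t0 + timedelta(minutes=240), "lessons learned recorded")
    return lc


if __name__ == "__main__":
    lc = sample_incident()
    for phase, at, note in lc.history:
        print(at.strftime("%H:%M"), phase, "-", note)
    print("loops back to analysis:", lc.containment_loops())
    print("minutes per phase:", lc.phase_minutes())
```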

13.3 Chapter Summary

Chapter Summary
Summary
 The Cyber Kill Chain outlines the steps an attacker must complete to accomplish
their goal. These steps are reconnaissance, weaponization, delivery, exploitation,
installation, command & control, and actions on objectives.
 The Diamond Model of intrusion is used to diagram a series of intrusion events.
It is ideal for showing how the adversary pivots from one event to the next.
 The Diamond Model has 4 parts used to represent a security incident or event:
adversary, capability, infrastructure, and victim.
 VERIS can be used to submit security incident details to the VCDB for
community use.
 The VERIS schema top level elements include impact assessment, discovery &
response, incident description, victim demographics, and incident tracking.
 A CSIRT is a group that provides services and functions in response to security
incidents.
 Types of CSIRTs include internal, national, coordination centers, analysis
centers, vendor teams, and managed security service providers.

Chapter Summary
Summary (Cont.)
 CERT is a trademarked acronym owned by Carnegie Mellon University, but used
with permission by other countries. A CERT provides security awareness, best
practices, and security vulnerability information; a CERT does not respond to
security incidents.
 The NIST 800-61r2 standard provides guidelines for incident handling. The four
phases of an incident response process life cycle are preparation; detection and
analysis; containment, eradication, and recovery; and post-incident activities.
