CSE 3501: Information Security Analysis and Audit
Module 5 Incident Management and Response

www.nadeshrk.webs.com
Incident Response
• An incident is a set of one or more security events or conditions that requires action and closure in order to maintain an acceptable risk profile.

• An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited and restoring IT services.

Definition
• Incident management is the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits.

• Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as defined in service level agreements (SLAs).

Incident Types
• Malicious code
• Network reconnaissance
• Unauthorized access
• Inappropriate usage
• Multiple component

Impact of information security incidents:
• Functional impact (current and likely future negative impact to business functions)

• Information impact (effect on the confidentiality, integrity and availability of the organization's information)

• Recoverability from the incident (time and types of resources that must be spent on recovering from the incident)

Need for incident response
• To respond quickly and effectively when security breaches occur.

• To use information gained during incident handling to better prepare for handling future incidents.

• To provide stronger protection for systems and data.

• To deal properly with legal issues that may arise during incidents.

• To comply with laws, regulations and policies directing a coordinated, effective defense against information security threats.

Goals of incident response
• A formal, focused and coordinated approach to responding to incidents.

• Adherence to the organization's mission, size, structure and functions.

• Creation of the policy, plan and procedures needed to counter adverse events.

• Stronger protection for systems and data.

• Minimal loss or theft of information and disruption of services.

• Quick and effective response when security breaches occur.

How to identify an incident
Resources an incident response team needs in order to identify an incident:

• Incident analysis hardware and software.

• Appropriate incident handling communication means and facilities.

• Incident analysis resources (such as documentation, network diagrams and baselines of expected activity).

• Incident mitigation software.

• Response strategies matched to the attack vector, such as external/removable media, attrition, web, email, impersonation, improper usage by the organization's authorized users, loss or theft of equipment, and others beyond these categories.

Signs of security incident
• Precursor: a sign that an incident may occur in the future.

• Indicator: a sign that an incident may have occurred or may be occurring now.

Signs of security incident
Precursors:
• Web server log entries that show the usage of a vulnerability scanner.
• Announcement of a new exploit that targets a vulnerability of the organization's mail server.
• A threat from a group stating that it will attack the organization.

Indicators:
• A network intrusion detection sensor alerts when a buffer overflow attempt occurs against a database server.
• Antivirus software alerts when it detects that a host is infected with malware.
• A system administrator sees a file name with unusual characters.
• A host records an auditing configuration change in its log.
• An application logs multiple failed login attempts from an unfamiliar remote system.
• An email administrator sees a large number of bounced emails with suspicious content.
• A network administrator notices an unusual deviation from typical network traffic flows.
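Added example, not part of the original slides: two of the signs above turned into detection logic, one precursor (a vulnerability scanner's user agent in web server logs) and one indicator (a burst of failed logins from a remote system the organization does not recognise). The log formats, the scanner signature list, the threshold, the set of known hosts and the addresses are assumptions; every log line is constructed for the example.

```python
"""Added example (not from the original slides): classifying constructed
log lines as precursors or indicators of a security incident.

Assumptions: Apache-style combined web log, a simple auth log format,
a fixed scanner signature list, KNOWN_HOSTS and the failed-login threshold."""
import re
from collections import Counter, defaultdict

# Constructed sample logs (not real traffic).
WEB_LOG = """\
203.0.113.7 - - [13/Sep/2024:09:12:01 +0530] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Sep/2024:09:12:05 +0530] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "Nikto/2.1.6"
203.0.113.9 - - [13/Sep/2024:09:12:06 +0530] "GET /admin/ HTTP/1.1" 404 0 "-" "Nikto/2.1.6"
"""

AUTH_LOG = """\
2024-09-13T09:20:01+05:30 app1 login: FAILED user=alice src=198.51.100.23
2024-09-13T09:20:03+05:30 app1 login: FAILED user=alice src=198.51.100.23
2024-09-13T09:20:04+05:30 app1 login: FAILED user=bob src=198.51.100.23
2024-09-13T09:20:06+05:30 app1 login: FAILED user=carol src=198.51.100.23
2024-09-13T09:20:09+05:30 app1 login: FAILED user=dave src=198.51.100.23
2024-09-13T09:20:15+05:30 app1 login: OK user=erin src=192.0.2.10
2024-09-13T09:21:00+05:30 app1 login: FAILED user=erin src=192.0.2.10
"""

KNOWN_HOSTS = {"192.0.2.10"}        # assumed: remote systems the organization recognises
SCANNER_UA = re.compile(r"nikto|nessus|sqlmap|nmap|masscan|zgrab", re.I)
FAILED_LOGIN_THRESHOLD = 5          # assumed: failures per source before we call it an indicator
WEB_LINE = re.compile(r'^(?P<src>\S+) .*"(?P<ua>[^"]*)"$')   # last quoted field is the user agent
AUTH_LINE = re.compile(r"login: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)")


def find_precursors(web_log: str) -> list:
    """Scanner signatures in the web log: a sign that an attack may follow."""
    hits = Counter()
    for line in web_log.splitlines():
        m = WEB_LINE.match(line)
        if m and SCANNER_UA.search(m["ua"]):
            hits[(m["src"], m["ua"])] += 1
    return [{"kind": "precursor", "src": src, "user_agent": ua, "requests": n}
            for (src, ua), n in sorted(hits.items())]


def find_indicators(auth_log: str, threshold: int = FAILED_LOGIN_THRESHOLD) -> list:
    """Failed-login bursts from unfamiliar sources: a sign an incident may be under way."""
    failures, users = Counter(), defaultdict(set)
    for line in auth_log.splitlines():
        m = AUTH_LINE.search(line)
        if m and m["result"] == "FAILED":
            failures[m["src"]] += 1
            users[m["src"]].add(m["user"])     # many distinct users = spraying, not a typo
    return [{"kind": "indicator", "src": src, "failures": n, "users": sorted(users[src])}
            for src, n in sorted(failures.items())
            if n >= threshold and src not in KNOWN_HOSTS]


def triage_signs(web_log: str = WEB_LOG, auth_log: str = AUTH_LOG) -> list:
    """Everything worth opening an incident record for, precursors and indicators together."""
    return find_precursors(web_log) + find_indicators(auth_log)


if __name__ == "__main__":
    for sign in triage_signs():
        print(sign)
```

The known-host filter matters: the single failed login from 192.0.2.10 stays below the threshold and comes from a recognised address, so it is not reported, while 198.51.100.23 trips the indicator with five failures across four different accounts.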

Steps for Incident Handling Process
• Identification
• Incident recording
• Initial response
• Communicating the incident
• Containment
• Formulating an incident response strategy
• Incident classification
• Incident investigation
• Data collection
• Forensic analysis
• Evidence protection
• Notify external agencies
• Eradication
• System recovery
• Incident documentation
• Incident damage and cost analysis
• Review and update the response policies
• Training and awareness

Step 1: Identification
• Obtaining and validating information related to information security issues.

• Knowing the common issues and incidents that may require action, and to whom they should be reported.

 Initial analysis for validation:
 Profiling networks and systems
 Studying networks, systems and applications
 Creating and implementing a log retention policy
 Correlating events across sources to build evidence of an incident
 Synchronizing host clocks with Network Time Protocol (NTP) so that the recorded time of an attack is consistent across hosts
 Maintaining and using a knowledge base of information
 Using internet search engines for research
 Running packet sniffers to collect additional data
 Filtering the data to separate the relevant events

Step 2: Incident recording
• Any occurrence of an incident must be recorded, and the incident response team should update the status of incidents along with other pertinent information.

• Observations and facts of the incident may be stored in any of the following sources: logbook, laptops, audio recorders, digital cameras etc.

Incident record template
• Current status of the incident (new, in progress, forwarded for investigation, resolved etc.)
• Summary of the incident
• Indicators related to the incident
• Other incidents related to this incident
• Actions taken by all incident handlers on this incident
• Chain of custody, if applicable
• Impact assessments related to the incident
• Contact information for other involved parties (system owners, system administrators etc.)
• List of evidence gathered during the incident investigation
• Comments from incident handlers
• Next steps to be taken (rebuild the host, upgrade an application etc.)

Step 3: Initial response
• Commence the initial response to an incident based on the type of incident, the criticality of the resources and data that are affected, the severity of the incident, existing Service Level Agreements (SLAs) for the affected resources, the time and day of the week, and other incidents that the team is handling.

• Generally, the highest priority is handling incidents that are likely to cause the most damage to the organization or to other organizations.

Step 4: Communicating the incident
• The incident should be communicated through appropriate procedures to the organization's points of contact (POC) for reporting incidents internally.

• It is therefore important for an organization to structure its incident response capability accordingly: some organizations want all incidents reported directly to the incident response team, whereas others route reports through existing support structures (such as a help desk).

Step 5: Containment
Containment and Quarantine

• Containment is important before an incident overwhelms resources or increases damage.

• Most incidents require containment, so containment is an important consideration early in the course of handling each incident.

• Containment provides time for developing a tailored remediation strategy.

• An essential part of containment is decision-making: the situation may demand immediate action such as shutting down a system, disconnecting it from the network or disabling certain functions.

Various containment strategies
Criteria for selecting a containment strategy:
• Potential damage to and theft of resources
• Need for evidence preservation
• Service availability (network connectivity, services provided to external parties etc.)
• Time and resources needed to implement the strategy
• Effectiveness of the strategy (partial containment, full containment etc.)
• Duration of the solution (emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution etc.)

Quarantine
• Handling an incident may require strategies that contain the existing predicament; one such method is redirecting the attacker to a sandbox (a form of containment) so that the team can monitor the attacker's activity, usually to gather additional evidence.

• Allowing a compromise to continue in this way carries risk: once a system has been compromised, the attacker may use the compromised system to attack other systems.

Step 6: Formulating a response strategy
• An analysis of the recoverability from an incident determines the possible responses that the team may take when handling the incident.

• An incident with a high functional impact and low effort to recover from is an ideal candidate for immediate action from the team.

• Each response strategy should be formulated based on the business impact caused by the incident and the estimated effort required to recover from it.

• Incident response policies should include provisions concerning incident reporting: at a minimum, what must be reported to whom and at what times.
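Added example, not from the original slides: a small prioritization routine that applies the three impact categories from the earlier slide (functional impact, information impact, recoverability), the Step 3 rule that the most damaging incidents go first, and the Step 6 rule that high functional impact with low recovery effort calls for immediate action. The level names are the ones NIST SP 800-61 uses for these categories; the numeric weights, tier thresholds and the sample incidents are assumptions made for illustration.

```python
"""Added example (not from the original slides): ordering an incident queue
by functional impact, information impact and recoverability.

Assumptions: the weights (3/2/1), the tier thresholds and SAMPLE_QUEUE."""
from dataclasses import dataclass
from enum import IntEnum


class Functional(IntEnum):          # current and likely future impact on business functions
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Information(IntEnum):         # effect on confidentiality/integrity/availability
    NONE = 0
    PRIVACY_BREACH = 1
    PROPRIETARY_BREACH = 2
    INTEGRITY_LOSS = 3


class Recoverability(IntEnum):      # time and resources needed to recover
    REGULAR = 0
    SUPPLEMENTED = 1
    EXTENDED = 2
    NOT_RECOVERABLE = 3


@dataclass(frozen=True)
class Incident:
    ident: str
    functional: Functional
    information: Information
    recoverability: Recoverability


@dataclass(frozen=True)
class Triage:
    tier: str       # immediate / high / medium / low
    score: int
    focus: str      # what the response effort should concentrate on


TIER_ORDER = {"immediate": 0, "high": 1, "medium": 2, "low": 3}


def assess(inc: Incident) -> Triage:
    """Score one incident and place it in a tier."""
    # Assumed weights: functional impact dominates, recoverability breaks ties.
    score = 3 * inc.functional + 2 * inc.information + inc.recoverability
    if inc.functional == Functional.HIGH and inc.recoverability <= Recoverability.SUPPLEMENTED:
        tier = "immediate"      # slide rule: high functional impact, low effort to recover
    elif score >= 8:
        tier = "high"
    elif score >= 4:
        tier = "medium"
    else:
        tier = "low"
    # When recovery is not possible, the effort shifts to investigation and damage limitation.
    if inc.recoverability == Recoverability.NOT_RECOVERABLE:
        focus = "investigation and damage limitation"
    else:
        focus = "containment and recovery"
    return Triage(tier, score, focus)


def triage(incidents) -> list:
    """Order the queue: tier first, then score, then ident so the order is stable."""
    ranked = [(inc, assess(inc)) for inc in incidents]
    ranked.sort(key=lambda pair: (TIER_ORDER[pair[1].tier], -pair[1].score, pair[0].ident))
    return ranked


SAMPLE_QUEUE = [    # constructed incidents
    Incident("INC-C", Functional.LOW, Information.NONE, Recoverability.REGULAR),
    Incident("INC-D", Functional.HIGH, Information.PRIVACY_BREACH, Recoverability.NOT_RECOVERABLE),
    Incident("INC-B", Functional.MEDIUM, Information.INTEGRITY_LOSS, Recoverability.EXTENDED),
    Incident("INC-A", Functional.HIGH, Information.PROPRIETARY_BREACH, Recoverability.REGULAR),
]

if __name__ == "__main__":
    for inc, t in triage(SAMPLE_QUEUE):
        print(f"{inc.ident}: {t.tier:<9} score={t.score:2d}  focus={t.focus}")
```

INC-D scores as high as INC-B but is not "immediate": its functional impact is high, yet the data is already gone, so the slide's immediate-action rule does not apply and the focus field records that the team's effort goes to investigation rather than recovery.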

Step 7: Incident classification
• Classifying and prioritizing information security incidents.
• An incident may be broadly classified based on common attack vectors such as external/removable media; attrition; web; email; improper usage; loss or theft of equipment; miscellaneous.

• Incident classification guidelines and templates.
• Incident prioritization guidelines and templates.

Step 8: Incident
investigation
• One of the key tasks of an incident response
team is to receive information on possible
incidents, investigate them, and take action to
ensure that the damage caused by the
incidents is minimized.
• Following up an incident investigation
• Lessons learnt from security incident
• Process change for the future
• Incident record keeping

Step 9: Data collection
• Evidence collected should be accounted for at all times. Whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party's signature.

• A detailed log should be kept for all evidence, including the following:

• Identifying information (e.g. the location, serial number, model number, hostname, media access control (MAC) addresses and IP addresses of a computer).

• Name, title and phone number of each individual who collected or handled the evidence during the investigation.

• Time and date (including time zone) of each occurrence of evidence handling.

• Locations where the evidence was stored.

Step 10: Forensic analysis
• Snapshots of affected systems should be obtained through full forensic disk images, not file system backups: a bit-for-bit image also captures deleted files, slack space and unallocated space that a file system backup omits.

• Disk images should be made to sanitized, write-protectable or write-once media. This process is superior to a file system backup for investigatory and evidentiary purposes.

• Useful resources for the forensic aspects of incident analysis include digital forensic workstations and/or backup devices to create disk images, preserve log files and save other relevant incident data.
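Added example, not from the original slides: a minimal forensic imager that shows the two properties an evidentiary disk image needs and a file copy lacks. It reads the device one block at a time, writes zeros for any block the device refuses to read so that every later offset in the image still lines up with the device (what `dd conv=noerror,sync` does), records which blocks were bad, and hashes the image as it is written so the hash can go into the custody record and be re-checked later. `FlakyDevice`, `SAMPLE_DEVICE` and the 512-byte block size are constructed stand-ins for a real disk.

```python
"""Added example (not from the original slides): block-level acquisition with
error padding and an acquisition hash.

FlakyDevice and SAMPLE_DEVICE are constructed; on a real system the source
would be a block device opened read-only behind a write blocker."""
import hashlib
import io

BLOCK = 512                                  # assumed sector size


class FlakyDevice:
    """Constructed stand-in for a disk: read() raises an I/O error on listed blocks."""

    def __init__(self, data: bytes, bad_blocks: set):
        self.data, self.bad, self.pos = data, set(bad_blocks), 0

    def seek(self, offset: int) -> None:
        self.pos = offset

    def read(self, n: int) -> bytes:
        if self.pos // BLOCK in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image_device(src, dst, size: int, block: int = BLOCK) -> dict:
    """Copy `size` bytes from src into dst block by block.

    Unreadable blocks are logged and written as zeros so the image stays
    aligned with the device; the SHA-256 is computed over exactly the bytes
    written, which is the value to record on the chain-of-custody form."""
    sha = hashlib.sha256()
    bad = []
    for off in range(0, size, block):
        src.seek(off)                        # re-seek every block so a failed read cannot desync us
        try:
            chunk = src.read(block)
        except OSError:
            bad.append(off)
            chunk = b""
        chunk = chunk.ljust(block, b"\0")   # "sync": pad short or failed reads to a full block
        dst.write(chunk)
        sha.update(chunk)
    return {"bytes": len(range(0, size, block)) * block,
            "sha256": sha.hexdigest(),
            "bad_blocks": bad}


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash a stored image and compare with the hash recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


SAMPLE_DEVICE = bytes(range(256)) * 16       # constructed 4 KiB "disk": 8 blocks of 512 bytes


def acquire_sample() -> tuple:
    """Image the constructed device with block 3 (offset 1536) unreadable."""
    out = io.BytesIO()
    report = image_device(FlakyDevice(SAMPLE_DEVICE, {3}), out, len(SAMPLE_DEVICE))
    return report, out.getvalue()


if __name__ == "__main__":
    report, image = acquire_sample()
    print(report)
    print("image verifies:", verify_image(image, report["sha256"]))
```

Because bad blocks are zero-filled rather than skipped, the image is the same size as the device and the bad-block list is part of the acquisition report; a second acquisition of the same device yields the same hash, which is what makes the recorded hash usable as evidence of integrity.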

Step 11: Evidence protection
• It is generally desirable to acquire evidence from a system of interest as soon as one suspects that an incident may have occurred.

• Users and system administrators should be made aware of the steps they should take to preserve evidence.

• In addition, evidence should be accounted for at all times: whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party's signature, and a register or log of the location of the stored evidence should be maintained.
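Added example, not from the original slides, covering the chain-of-custody requirements of Step 9 and Step 11 together: a tamper-evident custody log for one item of evidence. Each entry carries the fields the slides call for (handler, time with time zone, storage location, signatures of both parties to a transfer) plus the SHA-256 of the previous entry, so altering or dropping a record breaks verification, and a transfer recorded from someone who never held the item is reported as a custody gap. The names, addresses, serial number and times are constructed.

```python
"""Added example (not from the original slides): a hash-chained chain-of-custody
log with verification of hashes, time order and transfer signatures.

EVIDENCE and the people, places and times in the sample logs are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))      # assumed local zone for the sample


def _sha256(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, evidence: dict):
        self.evidence = evidence        # identifying info: hostname, serial, MAC, IP, image hash
        self.entries = []

    def _prev_hash(self, index: int) -> str:
        # Entry 0 chains to the evidence description itself.
        return self.entries[index - 1]["hash"] if index else _sha256(self.evidence)

    def record(self, action: str, holder: str, location: str, when: datetime,
               signatures: list, from_holder: Optional[str] = None) -> dict:
        """Append an entry; `holder` is who has the evidence after this action."""
        entry = {"seq": len(self.entries), "time": when.isoformat(), "action": action,
                 "holder": holder, "from_holder": from_holder, "location": location,
                 "signatures": sorted(signatures)}
        entry["hash"] = _sha256({"prev": self._prev_hash(entry["seq"]), **entry})
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Check the hash chain, time order, and that every transfer is accounted for."""
        holder, last_time = None, None
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if _sha256({"prev": self._prev_hash(i), **body}) != e["hash"]:
                return False, f"entry {i}: hash mismatch (record altered)"
            t = datetime.fromisoformat(e["time"])
            if last_time is not None and t < last_time:
                return False, f"entry {i}: time goes backwards"
            if e["action"] == "transferred":
                if e["from_holder"] != holder:
                    return False, f"entry {i}: custody gap ({holder!r} held it, not {e['from_holder']!r})"
                if not {e["from_holder"], e["holder"]} <= set(e["signatures"]):
                    return False, f"entry {i}: transfer not signed by both parties"
            holder, last_time = e["holder"], t
        return True, "chain intact"


EVIDENCE = {    # constructed identifying information for one item
    "item": "disk image of db01", "hostname": "db01", "serial": "SN-EXAMPLE-0001",
    "mac": "00:11:22:33:44:55", "ip": "10.0.0.5",
    "image_sha256": "<sha256 recorded at acquisition>",
}


def build_sample_log() -> CustodyLog:
    """Collected on site, handed to an analyst, placed in the evidence locker."""
    log = CustodyLog(EVIDENCE)
    t0 = datetime(2024, 9, 13, 10, 0, tzinfo=IST)
    log.record("collected", "A. Handler", "server room B2", t0, ["A. Handler"])
    log.record("transferred", "B. Analyst", "forensics lab", t0 + timedelta(hours=1),
               ["A. Handler", "B. Analyst"], from_holder="A. Handler")
    log.record("stored", "B. Analyst", "evidence locker 4", t0 + timedelta(hours=3), ["B. Analyst"])
    return log


def custody_gap_example() -> tuple:
    """A transfer recorded from someone who never held the evidence."""
    log = CustodyLog(EVIDENCE)
    t0 = datetime(2024, 9, 13, 10, 0, tzinfo=IST)
    log.record("collected", "A. Handler", "server room B2", t0, ["A. Handler"])
    log.record("transferred", "C. Courier", "loading dock", t0 + timedelta(hours=1),
               ["B. Analyst", "C. Courier"], from_holder="B. Analyst")
    return log.verify()


if __name__ == "__main__":
    print(build_sample_log().verify())
    print(custody_gap_example())
```

A hash chain only detects edits made after the chain was extended; someone who can rewrite every entry and recompute every hash defeats it. The usual fix is to copy the latest entry hash onto the signed paper custody form (or another record the handler cannot alter) each time the evidence changes hands, so the electronic log can be checked against it.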

Step 12: Notify external agencies
• An organization's incident response team should plan its incident coordination with outside parties before incidents occur, to ensure that all parties know their roles and that effective lines of communication are established.

• External parties may include other incident response teams, law enforcement agencies, Internet service providers and constituents, legal departments, and customers or system owners.

Step 13: Eradication
• After successful containment and quarantine, eradication eliminates components of the incident, such as deleting malware and disabling breached user accounts, and identifies and mitigates all vulnerabilities that were exploited.

• During the process, it is important to identify all affected hosts within the organization so that they can be remediated.

Step 14: Systems recovery
• In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.

• Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords and tightening network perimeter security (e.g. firewall rulesets, boundary router access control lists etc.).

• Higher levels of system logging or network monitoring are often part of the recovery process.

Step 15: Incident documentation
• A logbook is an effective and simple medium for recording all facts regarding incidents.

• Documenting system events, conversations and observed changes in files leads to more efficient, more systematic and less error-prone handling of the problem.

• Every step taken from the time the incident was detected to its final resolution should be documented and time-stamped.

• Every document regarding the incident should be dated and signed by the incident handler, as such information can also be used as evidence in a court of law if legal prosecution is pursued.

Importance of keeping records and evidence relating to information security incidents
• Audio and video documentation strategies

• Updating the status of information security incidents, and possible communication methods

• Incident status template

• Incident report templates

• Submitting information security reports

Step 16: Incident damage and cost assessment
• Cost is a major factor, especially if employees are required to be onsite 24/7. Organizations may fail to include incident response-specific costs in budgets, such as sufficient funding for training and maintaining skills.

• The incident data, particularly the total hours of involvement and the cost, may be used to justify additional funding of the incident response team.

• The cost of storing evidence, and of retaining functional computers that can still read the stored hardware and media, can be substantial.

Step 17: Review and update the response policies
• The organization must review and update response policies and related activities, gather information from the handlers, provide incident updates to other groups, and ensure that the team's needs are met.

• The scope of the work also includes periodically reviewing and updating threat information through briefings, web postings and mailing lists published by authorized agencies or public bodies.

Step 18: Training and awareness
• Creating an incident response training and awareness policy and plan.
• Developing procedures for performing incident handling and reporting.
• Setting guidelines for communicating with outside parties regarding incidents.
• Training IT staff to maintain networks, systems and applications in accordance with the organization's security standards.
• Making users aware of policies and procedures regarding appropriate use of networks, systems and applications.
• Training the users of standard operating procedures (SOPs), which delineate the specific technical processes, techniques, checklists and forms.
• Staffing and training the incident response team.
• Providing a solid training program for new employees.