Incident Handling: Step by Step

  • November 2019
  • Words: 1,362
  • Pages: 27

Emergency Steps

  • Emergency Step 1. Remain calm
  • Emergency Step 2. Take good notes
  • Emergency Step 3. Notify the right people and get help
  • Emergency Step 4. Enforce a “need to know” policy
  • Emergency Step 5. Use out-of-band communications
  • Emergency Step 6. Contain the problem
  • Emergency Step 7. Make a backup of the affected system(s) as soon as you think an incident has occurred
  • Emergency Step 8. Get rid of the problem
  • Emergency Step 9. Get back in business

Experienced incident handling professionals divide the process into six phases: preparation, identification, containment, eradication, recovery and follow-up. Understanding these stages, and what can go wrong in each, lets you respond more methodically and avoid duplication of effort.

Phase 1: Preparation

  • Establish policy and post warning banners
  • Develop management support for an incident handling capability
  • Select incident handling team members and organize the team
  • Develop an emergency communications plan
  • Provide easy reporting facilities
  • Conduct training for team members
  • Establish guidelines for inter-departmental cooperation
  • Pay particular attention to relationships with system administrators and network managers
  • Develop interfaces to law enforcement agencies and other Computer Incident Response Teams (CIRTs)

Preparation: Establish policy and post warning banners

  • Post warning banners (they put users on notice that activity may be monitored, which underpins the presumption-of-privacy policy below)
  • Use proactive techniques to prevent incidents
  • Establish a policy on presumption of privacy
  • Establish an organizational approach to incident handling
  • Establish a policy for outside “peer” notification
  • Establish a policy for dealing with incidents involving remote computers
  • Establish extranet (partnernet) agreements and monitoring

Preparation: Develop management support for an incident handling capability

  • Collect news articles and other publications describing computer break-ins
  • Graphically illustrate an incident
  • Collect historical support

Preparation: Select incident handling team members and organize the team

  • Identify qualified people to join the team
  • Choose local, centralized, or combination teams
  • Identify the correct individuals in your organization’s Public Affairs Office
  • Establish visibility and a compensation plan for the team
  • Provide checklists

Preparation: Develop an emergency communications plan

  • Create a call list and establish methods for informing people quickly
  • Create an incident notification call tree
  • Use offsite backup for call lists and call trees
  • Ensure passwords and encryption keys are up-to-date and accessible
  • Establish a primary point of contact and an incident command and communications centre
  • Establish secured communications
  • Set up resource acquisition plans for the teams

Preparation: Provide easy reporting facilities

  • Educate users early
  • Publish a list of indicators of an incident
  • Use the web
  • Encourage email and/or phone reporting
  • Reward reporting
  • Continually update management

Preparation: Establish guidelines for inter-departmental cooperation

  • Encourage local handling of minor incidents, but with care
  • Coordinate closely with help desks
  • Report and record

Preparation: Pay particular attention to relationships with system administrators and network managers

  • Involve system administrators
  • Conduct proactive training
  • Recognize “power” log file reading
  • Encourage regular system backups
  • Involve network managers early

Preparation: Develop interfaces to law enforcement agencies and other Computer Incident Response Teams (CIRTs)

  • Know the types of cases law enforcement will be interested in
  • Contact local law enforcement before there is an incident
  • Arrange a law enforcement briefing on evidence collection
  • Join or create a CIRT or FIRST team

Phase 2: IDENTIFICATION

  • Identification involves determining whether or not an incident has occurred and, if one has, determining the nature of the incident.
  • Identification normally begins after someone has noticed an anomaly in a system or network.
  • This phase also includes informing and soliciting help from the people who can help you understand and solve the problem.

  • Assign a person to be responsible for the incident
    – Select a person to handle or coordinate identification and assessment
  • Determine whether or not an event is actually an incident
    – Check for simple mistakes
    – Assess the evidence in detail
  • Be careful to maintain a provable chain of custody
    – Get your lawyers involved
    – Identify every piece of evidence
    – Control access to evidence
  • Coordinate with the people who provide your network services
    – Coordinate closely with your Internet Service Provider and other networks
  • Notify appropriate officials
    – Notify your manager and security officer
    – Notify your local or organizational incident handling team
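The chain-of-custody points above (identify every piece of evidence, control access to it) come down to a record that says what was collected, by whom and when, who has held it since, and proof that it has not changed. The Python below is an added example and not part of the original deck: a minimal evidence register that hashes each item at collection, logs every hand-over, refuses a transfer from anyone who is not the current holder, and re-hashes on demand so that tampering or an accidental write to the copy is detectable. The case id, handler names and the "disk image" file are constructed for the demo. The same verify step is what you run against the backup image made during containment, once when it is taken and again whenever it leaves or re-enters storage.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def utcnow():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class EvidenceRegister:
    """Append-only custody log: one entry per collection, hand-over and integrity check."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.items = {}

    def collect(self, evidence_id, path, handler, description):
        if evidence_id in self.items:
            raise ValueError(f"evidence id {evidence_id} already registered")
        self.items[evidence_id] = {
            "path": path,
            "description": description,
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),  # reference hash, fixed at collection time
            "holder": handler,
            "custody": [{"at": utcnow(), "action": "collected", "by": handler}],
        }
        return self.items[evidence_id]["sha256"]

    def transfer(self, evidence_id, from_handler, to_handler, reason):
        item = self.items[evidence_id]
        if item["holder"] != from_handler:
            # Only the current holder can hand the item on; anything else breaks the chain.
            raise ValueError(f"{from_handler} does not hold {evidence_id} (holder is {item['holder']})")
        item["holder"] = to_handler
        item["custody"].append({"at": utcnow(), "action": "transferred",
                                "from": from_handler, "to": to_handler, "reason": reason})

    def verify(self, evidence_id, handler):
        """Re-hash the item and log the result; False means it no longer matches the collection hash."""
        item = self.items[evidence_id]
        intact = sha256_file(item["path"]) == item["sha256"]
        item["custody"].append({"at": utcnow(), "action": "verified", "by": handler, "intact": intact})
        return intact

    def export(self):
        return json.dumps({"case": self.case_id, "items": self.items}, indent=2, sort_keys=True)


def demo():
    """Constructed walk-through: collect an image, hand it over, verify, then detect a later write."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "web01-sda.img")  # constructed stand-in for a dd image
        with open(image, "wb") as f:
            f.write(b"constructed disk image contents\n" * 4096)

        reg = EvidenceRegister("IR-0042")  # constructed case id
        reg.collect("E1", image, "handler-a", "dd image of web01 /dev/sda taken before containment changes")
        reg.transfer("E1", "handler-a", "forensics-lab", "imaging complete, handed over for analysis")
        intact_before = reg.verify("E1", "forensics-lab")

        with open(image, "ab") as f:  # simulate an accidental write to the evidence copy
            f.write(b"\x00")
        intact_after = reg.verify("E1", "forensics-lab")

        try:
            reg.transfer("E1", "handler-a", "someone-else", "handler-a is no longer the holder")
            rejected = False
        except ValueError:
            rejected = True

        return {
            "intact_before": intact_before,
            "intact_after": intact_after,
            "rejected_transfer": rejected,
            "custody_entries": len(reg.items["E1"]["custody"]),
            "export_ok": '"case": "IR-0042"' in reg.export(),
        }


if __name__ == "__main__":
    print(demo())
```

The register is deliberately in-memory; in a real case the exported JSON goes somewhere the handlers cannot silently rewrite (a write-once share, a ticketing system with an audit trail), and the reference hash is written down on the evidence label as well.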

Phase 3: CONTAINMENT

The goal of the containment phase is to limit the scope and magnitude of an incident, to keep the incident from getting worse.

  • Deploy the on-site team to survey the situation
    – Deploy a small team
    – Review the information that was provided to you from the identification phase
    – Be very careful to check any conclusions others have reached
    – Secure the area if possible
  • Keep a low profile
    – Avoid looking for the attacker with obvious methods
    – Maintain standard procedures
    – Consider planting “treasures” or “honey pots”
  • Avoid, if possible, potentially compromised code
    – Be wary of compromised system binaries (the tools you investigate with, such as ls, ps and netstat, may themselves have been replaced; use known-good copies from read-only media)
  • Backup the system
    – Backup to new (unused) media, and record a hash of the image so it can be proven unchanged later
    – Safely store any backup tapes so that they will not be lost or stolen
  • Determine the risk of continuing operations
    – Acquire router and system logs and other sources of information
    – Review logs from neighbouring systems
    – Make a recommendation about when and whether to restart operations
  • Continue to consult with system owners
    – Keep system owners and administrators briefed on progress
    – Never allow fault to be an issue during incident handling
  • Change passwords
    – Change the passwords on the affected systems
    – If a sniffer is detected or suspected, expand the password change order
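Several of the containment bullets above (acquire router and system logs, review logs from neighbouring systems, change passwords on the affected systems and widen that order if a sniffer is suspected) are really one question: how far did this incident spread? The Python below is an added example and not part of the original deck. It takes constructed syslog lines merged from three hosts plus the suspect source address handed over from identification, walks the events in time order, and grows the set of compromised hosts and accounts each time a known-bad address logs in somewhere, so a login from an already-compromised host counts as lateral movement. A kernel "entered promiscuous mode" message on a compromised host is treated as a sniffer; from that moment every account that authenticated with a password on the same segment goes on the expanded reset list, which is the conservative reading of the bullet because the handler does not yet know what the sniffer captured. The host inventory, segment membership, addresses and log lines are all constructed; the regexes cover the stock OpenSSH, sudo and Linux kernel message formats.

```python
import re
from datetime import datetime

# Constructed sample syslog lines, merged from three hosts' auth and kernel logs (not real data).
SAMPLE_LOGS = """\
Mar 10 01:50:00 db01 sshd[900]: Accepted publickey for dba from 10.0.2.5 port 39990 ssh2
Mar 10 02:13:58 web01 sshd[2209]: Failed password for invalid user admin from 203.0.113.45 port 51010 ssh2
Mar 10 02:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:12 web01 sshd[2213]: Accepted password for deploy from 203.0.113.45 port 51030 ssh2
Mar 10 02:16:40 web01 kernel: device eth0 entered promiscuous mode
Mar 10 02:21:30 db01 sshd[985]: Accepted password for deploy from 10.0.1.10 port 40120 ssh2
Mar 10 02:21:55 db01 sudo: deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar 10 02:45:10 app02 sshd[4388]: Accepted password for bob from 10.0.2.9 port 41010 ssh2
Mar 10 03:05:12 app02 sshd[4410]: Accepted password for svc_backup from 10.0.1.10 port 40200 ssh2
Mar 10 08:30:00 web01 sshd[3001]: Accepted publickey for alice from 10.0.2.7 port 52000 ssh2
"""

# Constructed asset inventory: which address belongs to which host, and which segment each host sits on.
HOST_BY_ADDR = {"10.0.1.10": "web01", "10.0.1.15": "db01", "10.0.1.20": "app02"}
SEGMENT = {"web01": "prod-lan", "db01": "prod-lan", "app02": "prod-lan"}

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*\bUSER=(?P<target>\S+) ; COMMAND=")
PROMISC_RE = re.compile(r"device (?P<iface>\S+) entered promiscuous mode")


def parse(text, year=2024):
    """Split syslog lines into timestamped events. Classic syslog carries no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    events.sort(key=lambda e: e["ts"])  # merged logs must be walked in time order
    return events


def scope_incident(events, suspect_ips):
    bad_ips = set(suspect_ips)  # addresses the attacker is known to operate from (seed from identification)
    hosts, accounts, reset = set(), set(), set()
    sniffers, escalations = {}, {}
    failed = 0
    for e in events:
        if e["proc"] == "kernel":
            if PROMISC_RE.search(e["msg"]) and e["host"] in hosts:
                sniffers.setdefault(e["host"], e["ts"])  # first sniffer sighting on this host
            continue
        if e["proc"] == "sudo":
            s = SUDO_RE.match(e["msg"])
            if s and s["user"] in accounts and s["target"] == "root":
                escalations.setdefault(e["host"], []).append(s["user"])
            continue
        if e["proc"] != "sshd":
            continue
        s = SSH_RE.match(e["msg"])
        if not s:
            continue
        if s["result"] == "Failed":
            if s["ip"] in bad_ips:
                failed += 1
            continue
        if s["ip"] in bad_ips:
            # A known-bad address got in: the host, the account and the host's own addresses are now bad.
            hosts.add(e["host"])
            accounts.add(s["user"])
            bad_ips.update(a for a, h in HOST_BY_ADDR.items() if h == e["host"])
        seg = SEGMENT.get(e["host"])
        if s["method"] == "password" and seg is not None:
            # Sniffer rule: a password sent on a sniffed segment after the sniffer appeared is treated as exposed.
            for sniffed_host, since in sniffers.items():
                if SEGMENT.get(sniffed_host) == seg and e["ts"] > since:
                    reset.add(s["user"])
    reset |= accounts
    return {
        "compromised_hosts": sorted(hosts),
        "compromised_accounts": sorted(accounts),
        "reset_accounts": sorted(reset),
        "sniffer_hosts": sorted(sniffers),
        "root_escalation": escalations,
        "failed_logins_from_suspects": failed,
    }


if __name__ == "__main__":
    report = scope_incident(parse(SAMPLE_LOGS), {"203.0.113.45"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the attacker brute-forces `deploy` on web01, starts a sniffer there, pivots to db01 and app02 using web01's own address, and escalates to root on db01; `bob` never touched a compromised host but typed a password on the sniffed segment, so he is on the reset list too, while the public-key logins are not. The report is the input to the "make a recommendation about when and whether to restart operations" bullet.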

Phase 4: ERADICATION

  • The goal of the eradication phase is to make sure the problem is eliminated and the avenue of entry is closed off.
  • When a system is compromised or put out of service, the compromise is usually seen as the system owner’s problem. If the problem comes back after eradication, the responsibility falls on the incident handling team.

  • Determine cause and symptoms of the incident
    – You cannot fix a problem if you don’t know what happened
  • Improve defences
    – Implement appropriate protection techniques such as firewalls and/or router filters
  • Perform vulnerability analysis
    – Perform system, network, and other vulnerability analysis
  • Remove the cause of the incident
  • Locate the most recent clean backup
    – “Clean” means taken before the earliest sign of compromise established during identification, not simply the newest backup available

Phase 5: RECOVERY

In the Recovery Phase, your task is to return the system to a fully operational status.

  • Restore the system
    – Restore from backups if required
    – Make every effort to ensure you are not restoring compromised code
    – If no backups have been made prior to compromise
  • Validate the system
    – Once the system has been restored, verify that the operation was successful and the system is back to its normal condition
  • Decide when to restore operations
    – Put the final decision in the hands of the system owners
  • Monitor the systems
    – Back doors and other malicious code can be very well hidden
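Validating a restored system and monitoring it afterwards reduce to the same check: does every file on the box still match a known-good reference, and has anything appeared that should not be there? The Python below is an added example and not part of the original deck. It builds a manifest (SHA-256 and permission bits per regular file) from a known-good tree, builds another from the restored tree, and reports modified, missing and added files, permission changes, and any new setuid/setgid file, which is where a dropped backdoor tends to show up. The two directory trees, file contents and modes are constructed in a temporary directory for the demo. In practice the baseline manifest is built from the clean backup or the vendor packages before restoration and kept off the box, and the comparison is re-run on a schedule as the monitoring step.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> {sha256, mode} for every regular file under root (symlinks and devices skipped here)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "mode": stat.S_IMODE(st.st_mode)}
    return manifest


def compare(baseline, current):
    """Diff a restored tree's manifest against the known-good one."""
    setid = stat.S_ISUID | stat.S_ISGID
    report = {"modified": [], "missing": [], "added": [], "mode_changed": [], "new_setid": []}
    for rel, b in baseline.items():
        c = current.get(rel)
        if c is None:
            report["missing"].append(rel)
            continue
        if c["sha256"] != b["sha256"]:
            report["modified"].append(rel)
        if c["mode"] != b["mode"]:
            report["mode_changed"].append(rel)
    for rel, c in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        was_setid = baseline.get(rel, {"mode": 0})["mode"] & setid
        if c["mode"] & setid and not was_setid:
            report["new_setid"].append(rel)  # fresh setuid/setgid bit: classic backdoor marker
    return {k: sorted(v) for k, v in report.items()}


def _write(root, rel, data, mode):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed walk-through: a known-good tree versus a "restored" tree carrying a trojaned binary,
    an added cron job, a hidden setuid helper and a missing file."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as restored:
        _write(good, "usr/bin/sshd", b"known-good sshd binary", 0o755)
        _write(good, "usr/bin/ls", b"known-good ls binary", 0o755)
        _write(good, "etc/crontab", b"0 * * * * root /usr/sbin/logrotate\n", 0o644)
        baseline = build_manifest(good)

        _write(restored, "usr/bin/sshd", b"known-good sshd binary" + b"\x90\x90 patched auth", 0o755)
        _write(restored, "etc/crontab",
               b"0 * * * * root /usr/sbin/logrotate\n*/5 * * * * root /tmp/.x\n", 0o644)
        _write(restored, "usr/bin/.helper", b"\x7fELF dropped setuid shell", 0o4755)
        return compare(baseline, build_manifest(restored))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

A manifest built on the compromised host with the host's own tools is worthless if those tools were replaced (see the containment note on system binaries), so build it from media you trust and compare off-box.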

Phase 6: FOLLOW-UP

  • The goal is to identify lessons that will help you do a better job in the future.
  • Some incidents require considerable time and effort.
  • Stress levels rise and relationships may become strained. Afterwards, the folks who were at the center of the storm tend to want to forget it and get on with their lives.
  • Performing follow-up activity is, however, one of the most critical activities in responding to incidents. This procedure, only slightly more popular than wisdom tooth removal, is known as “lessons learned”.
  • Organizations that follow up soon after any problems are contained improve their incident handling capability.
  • Quick follow-up will also support any efforts to prosecute those who have broken the law.

Actions

  • Start as soon as possible
  • Assign the task to the On Site Team
  • Include forms
  • Encourage all affected parties to review the draft
  • Attempt to reach consensus
  • Conduct a Lessons Learned meeting
  • Create an Executive Summary
  • Send recommended changes to management
  • Implement approved actions
