Analysis of the Incident Handling Six-Step Process - Giac
Analysis of the Incident Handling Six-Step Process - Giac
Analysis of the Incident Handling Six-Step Process - Giac
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Analysis</strong> <strong>of</strong> <strong>the</strong> <strong>Incident</strong> <strong>Handling</strong> <strong>Six</strong>-<strong>Step</strong> <strong>Process</strong><br />
Jim Murray
<strong>Analysis</strong> <strong>of</strong> <strong>the</strong> <strong>Incident</strong> <strong>Handling</strong> <strong>Six</strong>-<strong>Step</strong> <strong>Process</strong><br />
Introduction<br />
<strong>Incident</strong> handling is sometimes portrayed as <strong>the</strong> glamour job <strong>of</strong> information security.<br />
What is more exciting <strong>the</strong>n thwarting a Denial <strong>of</strong> Service (DoS) attack by a Russian<br />
syndicate or nabbing that hacker before he makes <strong>of</strong>f with your company’s credit card<br />
numbers? In cinema and television, <strong>the</strong> incident handler is usually portrayed as <strong>the</strong> lone<br />
gunman with MacGyveresque skills that can face and defeat anything that comes his way.<br />
Although <strong>the</strong>se cinematic images are certainly exciting, to properly handle an incident,<br />
you need more than a turkey baster and some bubble gum. SANS defines <strong>the</strong> incidenthandling<br />
process as a six-step methodology, and this paper provides an analysis <strong>of</strong> that<br />
six-step process to help you understand what it takes to be successful when an incident<br />
arises.<br />
The <strong>Six</strong>-<strong>Step</strong> <strong>Process</strong><br />
<strong>Step</strong> One—Preparation<br />
The preparation phase is where you spend <strong>the</strong> bulk <strong>of</strong> your time as an incident handler.<br />
When discussing <strong>the</strong> skill sets required to be successful, <strong>Incident</strong> <strong>Handling</strong> has <strong>of</strong>ten been<br />
compared to emergency medicine. Both are usually performed in a highly stressful<br />
environment and require quick thinking and a calm presence. The amount <strong>of</strong> preparation<br />
you do before an event occurs is <strong>the</strong> most important factor in determining how successful<br />
you can handle an incident. Paramedics spend approximately 70 percent <strong>of</strong> <strong>the</strong>ir time<br />
preparing for emergency calls. The same should hold true for <strong>the</strong> incident handler. In <strong>the</strong><br />
Preparation phase <strong>of</strong> incident handling, many things need to be accomplished. The<br />
following list contains items that <strong>the</strong> incident handler should have in place before an<br />
incident occurs:<br />
• Establish applicable policies—Policies are <strong>the</strong> rules by which an entity operates.<br />
<strong>Incident</strong> Response policies should be in place to identify who is responsible for<br />
responding to an incident. Policies should also clearly state what <strong>the</strong> company’s<br />
stance is regarding monitoring and privacy. This is an important step because<br />
having <strong>the</strong> appropriate policies in place protects both <strong>the</strong> incident handler and <strong>the</strong><br />
company.<br />
• Build relationships with key players—Although working alone can make for<br />
great movie fodder, in <strong>the</strong> real world <strong>of</strong> incident handling, it is a death sentence. If<br />
you talk to a successful incident handler, you find that <strong>the</strong>y have a network <strong>of</strong><br />
contacts that would make <strong>the</strong> people at LinkedIn proud. The following is a list <strong>of</strong><br />
people that you should get to know well because, inevitably, <strong>the</strong>re will come a<br />
time when you need <strong>the</strong>ir assistance.<br />
o Law enforcement—Ei<strong>the</strong>r local, state or federal, get to know your law
enforcement contacts.<br />
o Human resources—You HR group can help with those pesky policy issues<br />
and gray areas.<br />
o System administrators—This is a group that you might need to rely on for<br />
<strong>the</strong>ir technical expertise and <strong>the</strong>y can help gain access to systems that are<br />
involved in <strong>the</strong> incident.<br />
o Legal counsel—Because you don’t want to have to update your resume<br />
prematurely or have to trade smokes for favors (end up in jail), you should<br />
have legal counsel.<br />
o Fellow incident handlers—If you have not seen a particular incident<br />
before, chances are that someone out <strong>the</strong>re has. It’s best to have access to<br />
many people with incident-handling expertise.<br />
• Build your response kit—This can be a duffle bag or a small carry-on suitcase.<br />
Regardless <strong>of</strong> what it is, this is what you have with you whenever you work an<br />
incident. You want to make sure that you spend enough time putting this toge<strong>the</strong>r,<br />
so that you are ready at a moment’s notice. You should never steal from your<br />
response kit. Sometimes we are testing something or working on an issue and we<br />
need a network cable or installation s<strong>of</strong>tware and know it is <strong>the</strong>re in our response<br />
kit. We tell ourselves that we are just going to borrow it and put it back as soon as<br />
we are done. Don’t do it because you know it will never make it back <strong>the</strong>re. Here<br />
is a list <strong>of</strong> things that you should consider having in your response kit:<br />
o Network cables—Include various sizes, both crossover and straightthrough<br />
o A small hub or tap<br />
o USB jump drive or external hard drive<br />
o Response laptop—This laptop should have everything you need on it, for<br />
instance, checklists, forms, response s<strong>of</strong>tware<br />
o Various peripheral cables—USB, Firewire, parallel, serial, console, and so<br />
on<br />
o Clean binaries and diagnostic s<strong>of</strong>tware<br />
o Call list<br />
o Notebooks, pens, pencils, and small audio recorder
o Plastic/anti-static bags for evidence<br />
o Forensic s<strong>of</strong>tware and imaging media<br />
o Blank CDs for burning s<strong>of</strong>tware from <strong>the</strong> response laptop<br />
• Create incident checklists—<strong>Incident</strong> checklists are like memory joggers. They<br />
are <strong>the</strong>re to help keep you on track. During an incident, things can get pretty<br />
hectic, and having checklists are a way to help you remember things that you<br />
might forget in <strong>the</strong> heat <strong>of</strong> <strong>the</strong> moment. One word <strong>of</strong> caution though: Don’t use<br />
checklists as <strong>the</strong> Ten Commandments that you cannot stray from. When incident<br />
handlers do not stray from <strong>the</strong> checklist as needed, things can get difficult.<br />
Checklists are guidelines; if something comes up in <strong>the</strong> course <strong>of</strong> an incident that<br />
is not covered by <strong>the</strong> checklist, don’t be afraid to work outside <strong>the</strong> box. Just make<br />
sure that you do it in a methodical and calm manner.<br />
• Establish communication plan—This task addresses how incident handlers<br />
communicate with each o<strong>the</strong>r during an incident and what identifies <strong>the</strong> escalation<br />
process. For communication within <strong>the</strong> team, you need to consider both in-band<br />
and out-<strong>of</strong>-band communication mechanisms. This protects you in <strong>the</strong> event that<br />
<strong>the</strong>re is an availability problem with <strong>the</strong> in-band mechanism or if <strong>the</strong>re is<br />
suspicion that <strong>the</strong> security <strong>of</strong> <strong>the</strong> in-band mechanism has been compromised. If<br />
possible, you should have a member <strong>of</strong> <strong>the</strong> team that is solely responsible for<br />
communication both within <strong>the</strong> team and with management. This provides a<br />
central point <strong>of</strong> contact and consistency <strong>of</strong> <strong>the</strong> messages that are communicated.<br />
• Perform threat modeling—This step requires that you think <strong>of</strong> <strong>the</strong> kinds <strong>of</strong><br />
attacks that can occur and how you respond to <strong>the</strong>m. You want to map out <strong>the</strong><br />
types <strong>of</strong> incidents that you expect to encounter both technical and physical. This<br />
could include DoS attacks, policy violations, compromise <strong>of</strong> information,<br />
compromise <strong>of</strong> systems, tornados, hurricanes, and so on. After you have a list <strong>of</strong><br />
<strong>the</strong> incidents that expect, you should have a plan on how you address <strong>the</strong>se<br />
incidents. This plan should be outlined in <strong>the</strong> six-step process answering <strong>the</strong><br />
following questions:<br />
o How will we prepare for <strong>the</strong> incident?<br />
o How will we identify <strong>the</strong> incident?<br />
o How will we contain <strong>the</strong> incident?<br />
o How will we eradicate <strong>the</strong> incident?<br />
o How will we recover from <strong>the</strong> incident?<br />
o How will we capture <strong>the</strong> lessons learned from <strong>the</strong> incident?
• Build an incident response team—This is one area that varies from company to<br />
company, but at a minimum, you should have a team <strong>of</strong> individuals that are<br />
identified to respond when an incident occurs. In most cases, incident response is<br />
not <strong>the</strong>ir primary responsibility. When building a team, some <strong>of</strong> <strong>the</strong> qualities you<br />
want to look for include:<br />
o Technical skills—You want to make sure that your team members are<br />
familiar with <strong>the</strong> technology.<br />
o Organizational skills—Because <strong>of</strong> <strong>the</strong> hectic pace <strong>of</strong> incident handling, it<br />
is essential to have someone on <strong>the</strong> team that can keep things straight.<br />
o Diplomatic skills—During an incident, <strong>the</strong>re are times when compromises<br />
need to be made between <strong>the</strong> various parties involved. Having someone<br />
who is level headed and can negotiate between <strong>the</strong> various parties is an<br />
advantage.<br />
• Practice, practice, practice—To hone your skills as an incident handler, you<br />
need to practice working incidents. One way to do this is to take part in Capture<br />
<strong>the</strong> Flag events at security conferences. These events are sometimes hosted by<br />
local security organizations, such as <strong>the</strong> Information Systems Security<br />
Association (ISSA) and Infragard. You can also work with o<strong>the</strong>r incident<br />
handlers in your area to set up practice sessions.<br />
<strong>Step</strong> Two—Identification<br />
In this phase <strong>of</strong> <strong>the</strong> process, you determine whe<strong>the</strong>r or not an incident exists. To start <strong>of</strong>f,<br />
let’s define <strong>the</strong> difference between an event and an incident. An event is defined as any<br />
observable occurrence in a system and/or network. An incident is defined as an adverse<br />
event in a system and/or network or <strong>the</strong> threat <strong>of</strong> such an event.Essentially, an event is<br />
anything that happens in your environment and an incident occurs when that event<br />
threatens or actually does harm to your environment. In a lot <strong>of</strong> cases you are called to<br />
action because someone sees an event or events that he believes are suspicious. Your job<br />
is to evaluate those events objectively and determine if <strong>the</strong>y truly define an incident.<br />
In this phase, it is extremely important that you don’t allow outside influences to cloud<br />
your judgment. There are several times that I have been called to <strong>the</strong> scene by an excited<br />
end user or system administrator that is certain that she has uncovered nefarious activity.<br />
These people supply you with all types <strong>of</strong> conjecture as to what <strong>the</strong>y think happened, and<br />
sometimes it is easy to get sucked into <strong>the</strong>ir excitement. Don’t do it. Ga<strong>the</strong>r all <strong>of</strong> <strong>the</strong><br />
facts and make your judgment based on those facts.<br />
<strong>Step</strong> Three—Containment<br />
After you have identified that an incident has actually, <strong>the</strong> next step in <strong>the</strong> process is to<br />
contain that incident. During <strong>the</strong> containment phase, you want to ensure that <strong>the</strong> incident<br />
does not get any worse; if your company is planning on pursuing legal action, this is <strong>the</strong>
phase in which you ga<strong>the</strong>r evidence. Containment is <strong>the</strong> step <strong>of</strong> <strong>the</strong> process that can at<br />
times get political, especially when dealing with production systems. To contain <strong>the</strong><br />
incident, you might want to remove <strong>the</strong> system from <strong>the</strong> network; however, because it is<br />
a revenue generating system, management might not allow this to take place. This is<br />
where <strong>the</strong> negotiating begins and it is important that you or your team has discussed <strong>the</strong>se<br />
scenarios in advance with management in <strong>the</strong> preparation phase, so that you are prepared<br />
for <strong>the</strong>m when <strong>the</strong>y arise. Some tasks that occur during <strong>the</strong> containment phase include:<br />
• Prevent fur<strong>the</strong>r contamination <strong>of</strong> <strong>the</strong> system or network—This is a<br />
balancing act because you want to stop <strong>the</strong> bleeding, although you also want to<br />
make sure that you preserve <strong>the</strong> state <strong>of</strong> <strong>the</strong> system as much as possible in case<br />
<strong>of</strong> litigation. Some <strong>of</strong> <strong>the</strong> tasks that can accomplish this include:<br />
o Remove <strong>the</strong> network cable or isolating <strong>the</strong> system on a separate VLAN<br />
o Use a firewall or access lists to prevent into or out <strong>of</strong> <strong>the</strong> system<br />
o Change DNS entries to direct traffic away from compromised system<br />
• Preserve Evidence—To do this, you might image <strong>the</strong> entire system or part <strong>of</strong> <strong>the</strong><br />
system or capture volatile data, such as running process, ram, network<br />
connections, and so on. Whatever method you use for preserving evidence, make<br />
sure that you are using clean binaries and document everything that you do. In<br />
some cases, it is inevitable that a task you perform will change something on <strong>the</strong><br />
system. Be prepared to explain what changed and why you performed that action.<br />
<strong>Step</strong> Four—Eradication<br />
Now that you have contained <strong>the</strong> incident, you need to begin <strong>the</strong> clean up process. It is<br />
during this phase that you analyze <strong>the</strong> information that you have ga<strong>the</strong>red to determine<br />
how <strong>the</strong> attack took place. To prevent <strong>the</strong> incident from happening again, it is important<br />
for you to understand how it was carried out.<br />
In some cases, you might be able to eradicate <strong>the</strong> attack without having to rebuild <strong>the</strong><br />
system. In most cases, though, especially with malware or rootkit attacks, <strong>the</strong> only way to<br />
truly be assured that eradication is successful is to perform a complete rebuild <strong>of</strong> <strong>the</strong><br />
system. If this is <strong>the</strong> case, make sure that <strong>the</strong> media you are rebuilding with or <strong>the</strong><br />
backups you are rebuilding from are not compromised as well. When Code Red attacked<br />
in June <strong>of</strong> 2000, many companies attempted to recover <strong>the</strong>ir systems from backups only<br />
to find that <strong>the</strong> backups <strong>of</strong> <strong>the</strong> systems were also infected with Code Red.<br />
After you have restored <strong>the</strong> system, make sure that you perform a vulnerability analysis<br />
on <strong>the</strong> system. This ensures that you have successfully eradicated <strong>the</strong> threat and have not<br />
introduced new vulnerabilities to <strong>the</strong> system.
<strong>Step</strong> Five—Recovery<br />
The recovery phase <strong>of</strong> this methodology is where you place <strong>the</strong> system back into <strong>the</strong><br />
production environment. In this phase, you work with your QA and business partners to<br />
validate that <strong>the</strong> system recovery is successful. This involves testing <strong>the</strong> system to make<br />
sure that all business processes and function are back to normal.<br />
You also want to monitor <strong>the</strong> system or process to ensure that <strong>the</strong> system is not<br />
compromised again and to look for additional signs <strong>of</strong> attack.<br />
<strong>Step</strong> <strong>Six</strong>—Lessons Learned<br />
In this final step, you utilize what you learned during <strong>the</strong> handling <strong>of</strong> <strong>the</strong> incident to<br />
enhance and improve your incident-handling process. Unfortunately, this is <strong>the</strong> phase <strong>of</strong><br />
<strong>the</strong> process that <strong>of</strong>ten gets overlooked or simply is not done. Many times, we are relieved<br />
to have systems back to normal or we get busy trying to catch up on things that were not<br />
done while we were working <strong>the</strong> incident that we don’t make <strong>the</strong> time to document <strong>the</strong><br />
incident or look for ways to improve <strong>the</strong> process.<br />
In this phase, you should:<br />
• Complete <strong>the</strong> incident report and present findings to management.<br />
• Look for ways to improve <strong>the</strong> process both from a technical and administrative<br />
aspect.<br />
• Have a clearly defined plan for implementing <strong>the</strong>se improvements.<br />
Summary:<br />
In <strong>the</strong> third episode <strong>of</strong> <strong>the</strong> Lord <strong>of</strong> <strong>the</strong> Rings trilogy, <strong>the</strong>re is a scene just before <strong>the</strong> start<br />
<strong>of</strong> <strong>the</strong> epic battle where one <strong>of</strong> <strong>the</strong> characters says, “I don't want to be in a battle, but<br />
waiting on <strong>the</strong> edge <strong>of</strong> one I can't escape is even worse.” There is no doubt that during<br />
your information security career, you will encounter an incident. By following this sixstep<br />
methodology, you ensure that you are prepared when <strong>the</strong> battle takes place and <strong>the</strong><br />
outcome is victory.