IT 6823 LM 12 – Incident Response and Recovery Dr. Lei Li

IT 6823 LM 12 – Incident Response and Recovery Dr. Lei Li

NIST Framework Core Image source: https://www.nist.gov/document/cybersecurityframeworkv1-1presentationpptx IT 6823 – LM9 IDS 2

Learning Outcomes Discuss the need for incident response Describe the elements of incident response policy Discuss the incident response team structure Explain the incident response life cycle Discuss the coordination and information sharing IT 6823 – LM9 IDS 3

Introduction Event Adverse events Computer security incident Need for Incident Response Image source: https://ayehu.com/5-cyber-security-incident-response-risks-and-how-to-avoidthem-using-automation/ IT 6823 – LM9 IDS 4

Needs for Incident Response Support responding to incidents systematically Use information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and data Comply with law, regulations, and policy FISMA FIPS IT 6823 – LM9 IDS 5

Incident Response Policy Mission Strategies and goals Senior management approval Organizational approach to incident response How the incident response team will communicate with the rest of the organization and with other organizations Metrics for measuring the incident response capability and its effectiveness Roadmap for maturing the incident response capability How the program fits into the overall organization. IT 6823 – LM9 IDS 6

Communication with Outside Parties IT 6823 – LM9 IDS 7

Incident Response Teams Central Incident Response Team Distributed Incident Response Teams Coordinating Team IT 6823 – LM9 IDS 8

Team Model Selection The Need for 24/7 Availability Full-Time Versus Part-Time Team Members Employee Morale Cost Staff Expertise IT 6823 – LM9 IDS 9

Incident Response Team Services Intrusion Detection Advisory Distribution Education and Awareness Information Sharing IT 6823 – LM9 IDS 10

Recommendations for Incident Handling Establish a formal incident response capability. Create an incident response policy, plan, and procedure Establish policies and procedures regarding incident-related information sharing. Provide pertinent information on incidents to the appropriate organization. Consider the relevant factors when selecting an incident response team model. Select people with appropriate skills for the incident response team Identify other groups within the organization Determine which services the team should offer IT 6823 – LM9 IDS 11

Incident Response Life Cycle IT 6823 – LM9 IDS 12

Preparation Communication and facilities Incident analysis hardware and software Incident analysis resources Incident mitigation software IT 6823 – LM9 IDS 13

Preparation – Preventing Incidents Risk Assessments Host Security Network Security Malware Prevention User Awareness and Training. IT 6823 – LM9 IDS 14

Detection & Analysis Attack Vectors Signs of incident Sources of Precursors and Indicators Alerts Logs Publicly available information People IT 6823 – LM9 IDS 15

Incident Analysis Profile Networks and Systems Understand Normal Behaviors Create a Log Retention Policy Perform Event Correlation Keep All Host Clocks Synchronized Maintain and Use a Knowledge Base of Information Use Internet Search Engines for Research Many more IT 6823 – LM9 IDS 16

Incident Documentation & Prioritization Documentation Prioritization Functional Impact of the Incident Information Impact of the Incident Recoverability from the Incident IT 6823 – LM9 IDS 17

Containment, Eradication, & Recovery Choosing a Containment Strategy Evidence Gathering and Handling Identifying the Attacking Hosts Validating the Attacking Host’s IP Address Researching the Attacking Host Using Incident Databases Monitoring Possible Attacker Communication Channels IT 6823 – LM9 IDS 18

Eradication and Recovery Phased and prioritized Eliminate components of the incident Identifying and mitigating all vulnerabilities Restore systems to normal operation Confirm that the systems are functioning normally Remediate vulnerabilities to prevent similar incidents IT 6823 – LM9 IDS 19

Post-Incident Activities Lessons learned Using collected incident data Number of incidents handled Time per incident Objective & subjective assessment IT 6823 – LM9 IDS 20

Post-Incident Activities Prosecution Data retention Cost IT 6823 – LM9 IDS 21

Coordination IT 6823 – LM9 IDS 22

Information Sharing Techniques Ad Hoc Partially automated Security consideration IT 6823 – LM9 IDS 23

Key Recommendations Plan incident coordination with external parties before incidents occur Consult with the legal department before initiating any coordination efforts Perform incident information sharing throughout the incident response life cycle Attempt to automate Balancing Share as much of the appropriate incident information as possible IT 6823 – LM9 IDS 24