Planning for Incident Response
Security Planning
Susan Lincke
Objectives
Students should be able to:
Define and describe an incident response plan and business continuity plan
Describe incident management team, incident response team, proactive detection, triage
Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, root cause
Define external test, internal test, blind test, double blind test, targeted test
Develop a high-level incident response plan
Describe steps to obtain computer forensic information during an investigation
Describe general capabilities of a forensic tool
Describe steps to copy a disk
Define discovery, e-discovery, deposition, declaration, affidavit, fact witness, expert consultant, expert witness
How to React to…?
Viruses
Denial of Service
Hacker Intrusion
Accidents
System Failure
Theft of Proprietary Information
Social Engineering
Lost Backup Tape
Stolen Laptop
Ransom!
Business Impact
Criminal: stolen data (financial, point of sale, medical); regulation & liability
Espionage: stolen engineering or marketing plans, trade secrets; stolen government data
Warfare: denial of service; destruction
Incident Response vs. Business Continuity
Incident Response Planning (IRP): security-related threats to systems, networks & data; data confidentiality; non-repudiable transactions
Business Continuity Planning (BCP): Disaster Recovery Plan; continuity of business operations
Incident response is part of BCP and can be its first step: an incident that cannot be contained may escalate into a disaster that invokes the DRP
NIST SP 800-61 defines an incident as “a violation or
imminent threat of violation of computer security
policies, acceptable use policies, or standard security
practices.”
Incident Response Costs: IBM 2022 Cost of a Data Breach Report
Expenses following a breach, average cost (share of the total):
Detection and escalation (forensic investigation, audit, crisis management, board of directors involvement): $1.44 million (33%)
Notification (legal expertise, legal and customer communications): $0.31 million (7%)
Post-breach response (help desk and incoming communications, reissuing payment cards, identity protection services, regulatory fines, sale discounts): $1.18 million (27%)
Lost business (system downtime, abnormal customer churn, customer procurement, goodwill): $1.42 million (32.6%)
IBM's Cost of a Data Breach 2021
IBM's statistics on breaches indicate that the global average cost per breach is $4.87 million when the breach lifecycle exceeds 200 days, and $3.61 million otherwise [IBM21].
Factors that reduce the total cost of a data breach, and the average saving:
an incident response team that also tests its plan ($2.46 million),
a strong emphasis on regulatory compliance ($2.3 million),
a mature implementation of zero trust ($1.76 million),
a high standard of encryption ($1.25 million), and
security automation, including artificial intelligence and security analytics ($3.81 million), which also reduces the time to find and contain an incident.
Factors raising the cost of a breach above a $5 million average include:
a high level of cloud migration, and
a large majority (81-100%) of employees working remotely, which also delayed discovering and containing the breach.
Review: Business Continuity Recovery Terms
Interruption Window: time the organization can wait between the point of failure and Alternate Mode startup
Service Delivery Objective (SDO): level of service in Alternate Mode
Maximum Tolerable Outage (MTO): maximum time allowed for downtime plus time in Alternate Mode
[Timeline figure: Regular Service, then the Interruption. The Interruption Window ends when the Disaster Recovery Plan is implemented and Alternate Mode begins at the (acceptable) Service Delivery Objective; the Restoration Plan is then implemented and Regular Service resumes. The Maximum Tolerable Outage spans the Interruption Window plus the time in Alternate Mode.]
Vocabulary
Attack vectors (= source methods = root cause) can include:
Email link and/or attachment (e.g., Word document)
Direct install (bad judgment)
Web drive-by or download
Web app or other vulnerability
Removable media, flash drive
Improper use, loss or theft
Physical access or abuse
Incident: “A security event that compromises the integrity, confidentiality or availability of an information asset.”
Breach: “An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.”
Vocabulary
IMT: Incident Management Team
IS Manager leads; includes steering committee and IRT members
Develops strategies & designs the plan for Incident Response, integrating business, IT, BCP, and risk management
Obtains funding; reviews postmortems
Meets performance & reporting requirements
IRT: Incident Response Team
Handles the specific incident. Has specific knowledge relating to: security, network protocols, operating systems, physical security issues, malicious code, etc.
Permanent (full-time) members: IT security specialists, incident handlers, investigator
Virtual (part-time) members: business (middle management), legal, public relations, human resources, physical security, risk, IT
Stages in Incident Response
Preparation: plan PRIOR to the incident
Identification: determine what is/has happened
Containment & Escalation: limit the incident
Analysis & Eradication: determine and remove the root cause
Recovery: return operations to normal
Lessons Learned: process improvement; plan for the future
[If data breach] Notification: notify any data breach victims
[If data breach] Ex-Post Response: establish call center, reparation activities
Challenges during an Incident
It can become chaotic: too many events too fast
Management may attempt to micromanage and needs to be trained
Staff need to record all they do
Evidence must not be altered, or it will not be admissible in a court of law
Public Relations person interfaces with the public
Why is incident response important?
Average cost of a data breach: global $3.86M; U.S. $7.91M (average 31,465 records)
Mega breach: 1 M records: $40 million; 50 M records: $350 million
Mean Time to Identify (MTTI): days to find and confirm a breach
Mean Time to Contain (MTTC): days to resolve the breach and restore service
Days, by region and by root cause:
        Global   U.S.   India   Criminal attack   System glitch   Human error
MTTI     196.7    201     188         221              177            174
MTTC      69.0     52      78          81               60             57
Source: 2018 Cost of a Data Breach Study: Global Report (IBM/Ponemon)
Summary of Stages
Step 1: Preparation: plan before the attack
Step 2: Identification: recognition of the attack; prioritize the symptoms to go after first
Step 3: Containment: the attacker cannot proceed further; you have halted but not cleared the attack
Step 4: Analysis and Eradication: the network is cleared of the attack; you have found the root cause: what enabled the attacker's entry into the network
Step 5: Recovery: retest the system and restore normal operations
Step 6: Lessons Learned: review what happened; how can you improve next time?
Stage 1: Preparation
What shall we do if different types of incidents
occur?  (BIA helps)
When is the incident management team called?
How can governmental agencies or law
enforcement help?
When do we involve law enforcement?
What equipment do we need to handle an
incident?
What shall we do to prevent or discourage
incidents from occurring? (e.g. banners,
policies)
Where on-site & off-site shall we keep the IRP?
(1) Detection Technologies
Organization must have sufficient detection & monitoring capabilities to detect
incidents in a timely manner
Proactive Detection includes:
Network Intrusion Detection/Prevention System (NIDS/NIPS)
Host Intrusion Detection/Prevention System (HIDS/HIPS)
Antivirus, Endpoint Security Suite
Security Information and Event Management (SIEM; logs)
Vulnerability/audit testing
System baselines, sniffer
Centralized Incident Management System:
Input: server and system logs
Coordinates & correlates logs from many systems
Tracks status of incidents to closure
Reactive Detection: reports of unusual or suspicious activity
Logs to Collect & Monitor
Security software (IDS/IPS, antivirus, firewall): attacks (SQL injection, invalid input, DDoS, XSS); blocked packets; and the events listed in the other columns as security tools report them
Authentication failures: unauthorized accesses; lockouts and expired-password accounts; unsuccessful login attempts
Network irregularity: unusual packets (IP, port); transfer of sensitive or unusual data; change in traffic pattern
Normal events: logins and logoffs; access to sensitive data; actions by admins; system crashes
Log issues: deleted logs; overflowing logs; clearing of or changes to log configuration
App/config: changes to security configuration; changes to network device configuration; unapproved accounts; unapproved apps; changes in privileges; changes to secured files (system code/data); simple passwords, 1-factor authentication
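As an added example (not from the slides), the Python script below shows what a centralized incident management system does with the "Logs to Collect & Monitor" categories: it classifies constructed syslog-style lines into those categories and then correlates authentication failures from one source address across several hosts into a single incident, which no single host's log would reveal on its own. Hostnames, users, addresses, rule patterns, severities and the 4-in-1-minute threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like). Hosts, users and addresses are
# hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOGS = [
    "2024-05-01T08:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    "2024-05-01T08:00:03 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 51123 ssh2",
    "2024-05-01T08:00:04 db01 sshd[1873]: Failed password for admin from 203.0.113.9 port 51124 ssh2",
    "2024-05-01T08:00:06 db01 sshd[1873]: Failed password for admin from 203.0.113.9 port 51125 ssh2",
    "2024-05-01T08:00:07 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 51126 ssh2",
    "2024-05-01T08:01:10 web01 sshd[2210]: Accepted password for alice from 198.51.100.5 port 40022 ssh2",
    "2024-05-01T08:02:00 web01 auditd[410]: audit log cleared by uid=0",
    "2024-05-01T08:02:30 fw01 kernel: iptables DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=445",
    "2024-05-01T08:03:00 web01 sudo: bob : TTY=pts/0 ; COMMAND=/usr/sbin/useradd mallory",
    "2024-05-01T08:04:00 app01 webapp[900]: GET /search?q=' OR 1=1-- from 203.0.113.9",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Detection rules: (pattern, log category, severity). The categories follow the
# "Logs to Collect & Monitor" columns; the patterns and severities are assumptions.
RULES = [
    (re.compile(r"Failed password for (\S+) from " + IPV4), "Authentication failure", "medium"),
    (re.compile(r"Accepted password for (\S+) from " + IPV4), "Normal event", "info"),
    (re.compile(r"log cleared|log.*truncated"), "Log issue", "high"),
    (re.compile(r"iptables DROP .*SRC=" + IPV4), "Security software", "low"),
    (re.compile(r"COMMAND=\S*(useradd|usermod|visudo|passwd)\b"), "App config", "high"),
    (re.compile(r"' OR 1=1|<script|\.\./\.\./"), "Security software", "high"),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # timestamp host message


def parse_line(line):
    """Split a syslog-like line into timestamp, host and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "msg": msg}


def classify(msg):
    """Return the first matching rule as a dict, or None for lines no rule covers."""
    for pattern, category, severity in RULES:
        m = pattern.search(msg)
        if m:
            return {"category": category, "severity": severity, "fields": m.groups()}
    return None


def detect(lines, threshold=4, window=timedelta(minutes=1)):
    """Classify every line, then correlate authentication failures across hosts:
    `threshold` or more failures from one source within `window` become one incident."""
    events = []
    failures = defaultdict(list)  # source address -> [(timestamp, host), ...]
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec["msg"]) if rec else None
        if hit is None:
            continue
        events.append({**rec, **hit})
        if hit["category"] == "Authentication failure":
            failures[hit["fields"][1]].append((rec["ts"], rec["host"]))

    incidents = []
    for source, attempts in failures.items():
        attempts.sort()
        for i in range(len(attempts)):
            j = i
            while j + 1 < len(attempts) and attempts[j + 1][0] - attempts[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                incidents.append({
                    "type": "Brute-force login attempts",
                    "severity": "high",
                    "source": source,
                    "hosts": sorted({host for _, host in attempts[i:j + 1]}),
                    "count": j - i + 1,
                    "first": attempts[i][0],
                    "last": attempts[j][0],
                })
                break  # one incident per source; later attempts are added to it during triage
    return events, incidents


if __name__ == "__main__":
    evs, incs = detect(SAMPLE_LOGS)
    for ev in evs:
        print(f"{ev['ts']:%H:%M:%S} {ev['host']:<6} {ev['severity']:<6} {ev['category']}")
    for inc in incs:
        print(f"INCIDENT {inc['type']} from {inc['source']}: {inc['count']} attempts on {inc['hosts']}")
```

On the sample, every line classifies, and the five failures from 203.0.113.9 spread over web01 and db01 collapse into one high-severity incident; the single "audit log cleared" line is the kind of Log-issue event that deserves its own priority even though it occurs once.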
Incidents may include…
IT detects:
a device (firewall, router or server) issues serious alarm(s)
a change in configuration
an IDS/IPS recognizes an irregular pattern: unusually high traffic, inappropriate file transfer, changes in protocol use
unexplained system crashes or unexplained connection terminations
Employees report:
malware
violations of policy
data breach: stolen laptop or memory, employee mistake
social engineering/fraud: caller, e-mail, visitors
unusual event: inappropriate login, unusual system aborts, server slow, deleted files, defaced website
(1) Management Participation
Management makes final decision
As always, senior management has to be convinced that this is
worth the money.
Planning for Incident Detection & Handling              Security Workbook
Table of incident types. For each: description; methods of detection (in all cases: warning banner); procedural response (in all cases an incident report is written).
Intruder accesses internal network
  Description: firewall, database, IDS, or server log indicates a probable intrusion. (May qualify as espionage.)
  Detection: unusual network traffic observed via NIDS or firewall logs (in type or quantity); daily log evaluations, high-priority email alerts.
  Response: IT/Security addresses the incident within 1 hour to prepare an investigative plan; if confidential/proprietary servers are involved, follow the breach protocol.
Break-in, loss or theft
  Description: a laptop, backup tape, or memory source with confidential info was lost or stolen.
  Detection: security alarm set for off-hours; or employee reports a missing device.
  Response: email/call Security immediately if the memory contains confidential info. Security initiates tracing of laptops via location software, writes an Incident Report, and evaluates whether a breach occurred. Management calls the police in case of computer theft.
Social engineering
  Description: a suspicious social engineering attempt was recognized, OR information was divulged and later recognized as inappropriate.
  Detection: training of staff leads to a report from staff to IT.
  Response: report to Management & Security. Warn employees of the attempt as added training. Security evaluates whether a breach occurred and writes an incident report.
DDoS
  Description: server or network approaches 85% or higher utilization.
  Detection: security alarm set when the threshold is reached; investigate the rate of successful transactions; sniff network traffic to determine traffic legality.
  Response: reject offending source IP addresses at the firewall. Notify the Internet service provider. After 2 hours, contact a security company that handles DDoS attacks.
Trojan wireless LAN
  Description: a new WLAN masquerades as us.
  Detection: key confidential areas are inspected daily for WLAN availability.
  Response: notify Security or the network admin immediately. Warn employees in the affected area of an attack, first electronically, then with an office visit. The incident is acted upon within 2 hours.
Data breach
  Description: inappropriate access to proprietary or confidential information.
  Detection: preventive: 2-factor authentication; restricted hours, devices, and location for personnel. Detective: zero-trust alarms when the volume of records accessed exceeds a threshold.
  Response: investigate a zero-trust volume alarm as priority 1 (within 15 min). Take images of affected devices. Close down the confidential/proprietary network to contain the incident. Notify the business of a disaster to initiate the BC plan. Complete forensic collection. Follow the Compromised PCI Handling Response Procedure, if appropriate.
Violation of policy
  Description: violation of organizational standards and rules: unauthorized access or changes to IT, information, or service.
  Detection: host IPS detects unauthorized access; unusual logs or inappropriate access by IP/MAC address; excessive access to data.
  Response: remove permissions; discuss with the employee's management.
Malware
  Description: antivirus software reports malware, whether or not it can be automatically cleaned; an employee reports unusual behavior.
  Detection: antivirus report, or employee reports unusual behavior.
  Response: if employee-reported, run a second antivirus to check status. Follow the Detected Malware Incident Handling Response Procedure.
Ransomware
  Description: criminals infiltrate and encrypt our servers, then ask for ransom to decrypt and not publish the data.
  Detection: monthly offline monitoring of recent backups to ensure the data looks normal and stable. Preventive: weekly full backups maintained off-site; documented procedure to save off, reload, and test backups.
  Response: restore from the tested off-site backups; follow the data breach protocol above.
Surveillance / espionage
  Description: an external party infiltrates the organization in order to steal proprietary information.
  Detection: confirmed via the Data Breach or Intruder Accesses Internal Network protocols above.
  Response: follow those protocols.
The planning is done and…
AN INCIDENT IS NOW OCCURRING
Stage 2: Identification
Triage: categorize, prioritize and assign events and incidents
What type of incident just occurred?
What is the severity of the incident?
Severity may increase if recovery is delayed
Who should be called?
Establish chain of custody for evidence
(2) Triage
Snapshot of the known status of all reported incident activity
Sort, Categorize, Correlate, Prioritize & Assign
Categorize: DoS, malicious code, unauthorized access, inappropriate usage, multiple components
Prioritize: limited resources require prioritizing the response to minimize impact
Assign: who is free/on duty and competent in this area?
(2) Chain of Custody
Evidence must follow chain-of-custody rules to be admissible/acceptable in court
Involve: specially trained staff, 3rd-party specialist, law enforcement, security response team
A system administrator can:
Retrieve information to confirm an incident
Identify the scope and size of the affected environment (system/network)
Determine the degree of loss/alteration/damage
Identify the possible path of attack
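The two properties the Summary slide names for evidence, authenticity and continuity, can both be checked mechanically. The following is an added example, not the slides' own material: the evidence is a constructed byte string standing in for a disk image, a forensic copy is taken and tied to the original by a SHA-256 digest (authenticity), and every hand-off is appended to a custody record that refuses a transfer from anyone who is not the current holder (continuity). Names, dates and the evidence ID are hypothetical.

```python
import hashlib
from datetime import datetime


def sha256_hex(data):
    """Cryptographic digest that ties a working copy to the original evidence."""
    return hashlib.sha256(data).hexdigest()


def forensic_copy(source):
    """Bit-for-bit copy of the evidence, verified by comparing digests before it is used.
    (With a real disk you would image the device through a write blocker; here the
    'device' is a constructed byte string.)"""
    copy = bytes(source)
    digest = sha256_hex(copy)
    if digest != sha256_hex(source):
        raise RuntimeError("copy does not match source; acquisition failed")
    return copy, digest


class CustodyRecord:
    """Chain of custody for one evidence item: who held it, when, why, and the digest
    recorded at every hand-off. Authenticity = digest unchanged; continuity = no gap
    between the holder at one entry and the 'from' party at the next."""

    def __init__(self, evidence_id, description, collected_by, collected_at, data):
        self.evidence_id = evidence_id
        self.description = description
        self.digest = sha256_hex(data)
        self.entries = [{"when": collected_at, "from": None, "to": collected_by,
                         "action": "acquired", "digest": self.digest}]

    def holder(self):
        return self.entries[-1]["to"]

    def transfer(self, when, from_party, to_party, action):
        last = self.entries[-1]
        if from_party != last["to"]:
            raise ValueError(f"custody gap: {from_party} does not hold {self.evidence_id} "
                             f"(current holder is {last['to']})")
        if when < last["when"]:
            raise ValueError("transfer timestamp precedes the previous custody entry")
        self.entries.append({"when": when, "from": from_party, "to": to_party,
                             "action": action, "digest": self.digest})


def verify(data, record):
    """Re-check authenticity and continuity from scratch, e.g. before the item is
    presented in court. Returns a list of problems; an empty list means the chain holds."""
    problems = []
    if sha256_hex(data) != record.digest:
        problems.append("authenticity: digest differs from the acquisition digest; evidence was altered")
    for prev, cur in zip(record.entries, record.entries[1:]):
        if cur["from"] != prev["to"]:
            problems.append(f"continuity: {cur['from']} received the item but {prev['to']} held it")
        if cur["when"] < prev["when"]:
            problems.append(f"continuity: entry at {cur['when']} is out of order")
        if cur["digest"] != record.digest:
            problems.append(f"authenticity: digest recorded at {cur['when']} does not match")
    return problems


# Constructed sample: a small byte string standing in for a laptop SSD image.
SAMPLE_IMAGE = bytes(range(256)) * 16


def sample_record():
    """Acquire the sample image, then log two hand-offs: handler -> locker -> analyst."""
    copy, _digest = forensic_copy(SAMPLE_IMAGE)
    rec = CustodyRecord("EV-2024-001", "laptop SSD image, 4 KiB (constructed)",
                        "j.doe (incident handler)", datetime(2024, 5, 1, 9, 0), copy)
    rec.transfer(datetime(2024, 5, 1, 10, 0), "j.doe (incident handler)", "evidence locker", "sealed and stored")
    rec.transfer(datetime(2024, 5, 2, 8, 0), "evidence locker", "a.smith (forensic analyst)", "released for analysis")
    return copy, rec


if __name__ == "__main__":
    copy, rec = sample_record()
    print("holder:", rec.holder(), "| problems:", verify(copy, rec))
    print("after tampering:", verify(copy + b"\x00", rec))
```

Analysis is done on the verified copy, never on the original, so the original's digest stays valid for court; a record whose digest no longer matches, or whose "from" party never held the item, is exactly what opposing counsel looks for.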
Stage 3: Containment
Activate Incident Response Team to
contain threat
IT/security, public relations, mgmt,
business
Isolate the problem
Disable server or network zone
communications
Disable user access
Change firewall configurations to halt
connection
Obtain & preserve evidence
(3) Containment - Response
Technical
Collect data
Analyze log files
Obtain further technical
assistance
Deploy patches & workarounds
Managerial
Business impacts result in mgmt
intervention, notification,
escalation, approval
Legal
Issues related to: investigation,
prosecution, liability, privacy,
laws & regulation, nondisclosure
Potential Containment Actions
Image affected devices: MasterCard recommends that their PCI Forensic Investigators do this step first.
Halt connections: this is a temporary fix, since most attackers can easily change their IP address. The Internet Service Provider may be able to help in filtering an attack pattern.
Disable server communications or network zone: potentially break access to a zone by disconnecting network connections or powering down routers. Alternatively, safely power down a server or virtual machine (note that powering down loses the contents of memory; image first if volatile evidence matters).
Disable user access: revoke privileges of internal users who violate policy; change passwords; enable 2-factor authentication; prohibit an executable.
Alert related entities: notify organizations whose data or systems may be affected (financial, payment card). The Internet service provider can help to contain the attack.
Continue to monitor: closely monitor any continued progress of the attack.
Patch vulnerable software: after obtaining images, patch vulnerable software when vulnerabilities are detected.
Stage 4: Analysis & Eradication
Determine how the attack occurred: who, when,
how, and why?
What is impact & threat?  What damage occurred?
Remove root cause: initial vulnerability(s)
Talk to ISP to get more information
Rebuild System
Improve defenses with enhanced protection
techniques
Perform vulnerability analysis
Discuss recovery with management, who must
make decisions on handling affecting other areas
of business
(4) Analysis
It is important to discover…
What happened?
Who was involved?
What was the reason for the attack?
Where did attack originate from?
When did the initial attack occur?
How did it happen?
What vulnerability enabled the attack?
(4) Remove root cause
If Admin or Root compromised, rebuild system
Implement recent patches & recent antivirus
Change all passwords
Fortify defenses with enhanced security controls
Retest with vulnerability analysis tools
Stage 5: Recovery
Restore operations to normal
Ensure that restore is fully tested and
operational
Workbook: Incident Handling Response Procedure
Stage 6: Lessons Learned
Follow-up includes:
Writing an Incident Report
What went right or wrong in the incident
response?
How can process improvement occur?
How much did the incident cost (in loss &
handling & time)
Present report to relevant stakeholders
Planning Processes
Risk & Business Impact Assessment
Response & Recovery Strategy Definition
Document IRP and DRP
Train for response & recovery
Update IRP & DRP
Test response & recovery
Audit IRP & DRP
Training
Introductory Training: First day as IMT
Mentoring: Buddy system with longer-term
member
Formal Training
On-the-job-training
Training due to changes in IRP/DRP
Types of Penetration Tests
External testing: tests from outside the network perimeter
Internal testing: tests from within the network
Blind testing: the penetration tester knows nothing in advance and must do web research on the company
Double blind testing: system and security administrators also are not aware of the test
Targeted testing: the tester has internal information about a target, and may have access to an account
Written permission must always be obtained first
Incident Management Metrics
# of Reported Incidents
# of Detected Incidents
Average time to respond to incident
Average time to resolve an incident
Total number of incidents successfully resolved
Proactive & Preventative measures taken
Total damage from reported or detected incidents
Total damage if incidents had not been contained in a timely
manner
Challenges
Management buy-in: Management does not allocate
time/staff to develop IRP
Top reason for failure
Organization goals/structure mismatch: e.g., National
scope for international organization
IMT Member Turnover
Communication problems: Too much or too little
Plan is too complex and wide
Question
The MAIN challenge in putting together an IRP is likely to be:
1. Getting management and department support
2. Understanding the requirements for chain of custody
3. Keeping the IRP up-to-date
4. Ensuring the IRP is correct
Question
The PRIMARY reason for Triage is:
1. To coordinate limited resources
2. To disinfect a compromised system
3. To determine the reasons for the incident
4. To detect an incident
Question
When a system has been compromised at the administrator level, the MOST IMPORTANT action is:
1. Ensure patches and anti-virus are up-to-date
2. Change the admin password
3. Request law enforcement assistance to investigate the incident
4. Rebuild the system
Question
The BEST method of detecting an incident is:
1. Investigating reports of discrepancies
2. NIDS/HIDS technology
3. Regular vulnerability scans
4. Job rotation
Question
The person or group who develops strategies for incident response includes:
1. CISO
2. CRO
3. IRT
4. IMT
Question
The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:
1. Disconnect the computer facilities from the computer network to hopefully disconnect the attacker
2. Power down the server to prevent further loss of confidentiality and data integrity
3. Call the police
4. Follow the directions of the Incident Response Plan
Summary
Planning is necessary:
Without preparation, no incident will be detected
Incident handlers should not have to decide on the spot what needs to be done; the plan decides
Stages:
Identification: determine what has happened
Containment & Escalation: limit the incident
Analysis & Eradication: analyze the root cause, repair
Recovery (Restore): test and return to normal
Lessons Learned: process improvement
(Possibly) Breach Notification
If the case is to be prosecuted:
Evidence must be carefully handled: authenticity & continuity
Expert testimony must be qualified, accurate, bullet-proof
HEALTH FIRST CASE STUDY
Designing Incident Response
Jamie Ramon, MD (Doctor)
Chris Ramon, RD (Dietician)
Terry (Licensed Practicing Nurse)
Pat (Software Consultant)
Workbook:  Table of Incident Types
Planning for Incident Detection & Handling              Security Workbook
Workbook
This presentation covers incident response planning, computer forensics, denial of service scenarios, business impacts, incident response versus business continuity, and incident response costs as per IBM's 2022 Data Breach Report.

  • Incident Response
  • Security Planning
  • Computer Forensics
  • Business Impact
  • Data Breach

Uploaded on Mar 08, 2025


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript


  1. Planning for Incident Response Security Planning Susan Lincke

  2. Title of the Presentation | 3/8/2025| 2 Objectives Students should be able to: Define and describe an incident response plan and business continuity plan Describe incident management team, incident response team, proactive detection, triage Define and describe computer forensics: authenticity, continuity, forensic copy, chain of custody, root cause, Define external test, internal test, blind test, double blind test, targeted test. Develop a high-level incident response plan. Describe steps to obtain computer forensic information during an investigation. Describe general capabilities of a forensic tool. Describe steps to copy a disk. Define discovery, e-discovery, deposition, declaration, affidavit, fact witness, expert consultant, expert witness.

  3. Title of the Presentation | 3/8/2025| 3 Denial of Service How to React to ? Stolen Laptop Stolen Laptop Theft of Proprietary Information System Failure Ransom! Ransom!

  4. Title of the Presentation | 3/8/2025 | 4 Business Impact Criminal: Stolen data: financial, Point of sale, medical Regulation & liability Espionage: Stolen engineering or marketing plans, trade secrets Stolen government data Warfare: Denial of service Destruction

  5. Title of the Presentation | 3/8/2025 | 5 Incident Response vs. Business Continuity Incident Response Planning (IRP) Security-related threats to systems, networks & data Data confidentiality Non-repudiable transactions Business Continuity Planning Disaster Recovery Plan Continuity of Business Operations BCP and can be the first step for Incident Response NIST SP 800-61 defines an incident as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

  6. Title of the Presentation | 3/8/2025 | 6 Incident Response Costs: IBM 2022 Cost of a Data Breach Report Expenses Following a Breach Average Cost Detection and Escalation: forensic investigation, audit, crisis mgmt., board of directors involvement $1.44 million (33%) Notification: legal expertise, legal and customer communications $0.31 million (7%) Post Breach Response: help desk and incoming communications, reissuing payment cards, identity protection services, regulatory fines, sale discounts $1.18 million (27%) Lost Business: lost business due to system downtime, abnormal customer churn, customer procurement, goodwill $1.42 million (32.6%)

  7. Title of the Presentation | 3/8/2025 | 7 The IBM s Cost of Data Breach 2021 IBM s statistics on breaches indicates the global average cost per breach is $4.87 million when the lifecycle exceeds 200 days; and $3.61 million otherwise [IBM21]. To reduce the total data breach cost if an organization has: an incident response team and performs testing (reduces by: $2.46 million), a strong emphasis on regulatory compliance ($2.3 million), a mature implementation of zero trust ($1.76 million), a high standard of encryption ($1.25 million), and security automation ($3.81 million) reduces time to find and contain an incident. use of artificial intelligence, and security analytics. Factors raising the cost of a breach > $5 million average includes: a high level of cloud migration, a large majority (81-100%) of employees working remotely; also caused delay in discovering and containing a breach.

  8. Title of the Presentation | 3/8/2025 | 8 Review: Business Continuity Recovery Terms Interruption Window: Time duration organization can wait between point of failure and Alternate Mode startup. Service Delivery Objective (SDO): Level of service in Alternate Mode Maximum Tolerable Outage: Max time allowed for downtime and time in Alternate Mode Disaster Recovery Plan Implemented Regular Service Regular Service Service Delivery Objective Alternate Mode Time Restoration Plan Implemented (Acceptable) Interruption Window Interruption Maximum Tolerable Outage

  9. Title of the Presentation | 3/8/2025 | 9 Vocabulary Attack vectors = source methods = root cause: Can include Email link and/or attachment (word doc) Direct install (bad judgment) Web drive-by or download Web app or other vulnerability Removable media, flash drive Improper use, loss or theft, Physical access or abuse Incident: A security event that compromises the integrity, confidentiality or availability of an information asset. Breach: An incident that results in the confirmed disclosure not just potential exposure of data to an unauthorized party.

  10. Title of the Presentation | 3/8/2025 | 10 Vocabulary IMT: Incident Management Team IS Mgr leads, includes steering committee, IRT members Develop strategies & design plan for Incident Response, integrating business, IT, BCP, and risk management Obtain funding, Review postmortems Meet performance & reporting requirements IRT: Incident Response Team Handles the specific incident. Has specific knowledge relating to: Security, network protocols, operating systems, physical security issues, malicious code, etc. Permanent (Full Time) Members: IT security specialists, incident handlers, investigator Virtual (Part Time) Members: Business (middle mgmt), legal, public relations, human resources, physical security, risk, IT

  11. Title of the Presentation | 3/8/2025 | 11 Stages in Incident Response Preparation Plan PRIOR to Incident Identification Determine what is/has happened Containment & Escalation Limit incident [If data breach] Notify any data breach victims Determine and remove root cause Analysis & Eradication Notification Ex-Post Response Return operations to normal Establish call center, reparation activities Recovery Process improvement: Plan for the future Lessons Learned

  12. Title of the Presentation | 3/8/2025 | 12 Challenges during an Incident It can become chaotic: too many events too fast Management may attempt to micromanage and need to be trained Staff need to record all they do Evidence cannot be altered to be admissible in court of law Public Relations person interfaces with public

  13. Title of the Presentation | 3/8/2025 | 13 Why is incident response important? Average Cost of Data Breach: Global $3.86M; U.S. $7.91M for 31,465 records Mega Breach: 1 M records: $40 million 50 M records: $350 million Mean Time to Identify (MTTI): Days to find, confirm breach Mean Time to Contain (MTTC): Days to resolve breach and restore service Global U.S. India Criminal attack System Glitch Human Error Mean Time to Identify 196.7 201 188 221 177 174 Mean Time to Contain 2018 Cost of a Data Breach Study: Global Report (IBM/Ponemon) 69.0 52 78 81 60 57

  14. Title of the Presentation | 3/8/2025 | 14 Summary of Stages Step 1: Preparation: Plan before the attack Step 2: Identification: recognition of attack prioritize the symptoms to go after first. Step 3: Containment: the attacker can not proceed further you have halted but not cleared the attack. Step 4: Analysis and Eradication: The network is cleared of the attack you have found the root cause: what enabled the attacker entry into network Step 5: Recovery: retest system and restore normal operations Step 6: Lessons Learned: review what happened; how can you improve next time? Preparation Identification Containment Analysis & Eradication Recovery Lessons Learned

  15. Title of the Presentation | 3/8/2025 | 15 Stage 1: Preparation What shall we do if different types of incidents occur? (BIA helps) When is the incident management team called? How can governmental agencies or law enforcement help? When do we involve law enforcement? What equipment do we need to handle an incident? What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies) Where on-site & off-site shall we keep the IRP? Preparation Identification Containment Analysis & Eradication Recovery Lessons Learned

  16. Title of the Presentation | 3/8/2025 | 16 (1) Detection Technologies Organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner Proactive Detection includes: Network Intrusion Detection/Prevention System (NIDS/NIPS) Host Intrusion Detection/Prevention System (HIDS/HIPS) Antivirus, Endpoint Security Suite Security Information and Event Management (Logs) Vulnerability/audit testing System Baselines, Sniffer Centralized Incident Management System Input: Server, system logs Coordinates & co-relates logs from many systems Tracks status of incidents to closure Reactive Detection: Reports of unusual or suspicious activity

  17. Title of the Presentation | 3/8/2025 | 17 Logs to Collect & Monitor Security Authent. Network Normal Log Issues Software App Config Failures Irregularity Events Attacks: SQL inject, invalid input, DDOS, XSS Change to security config. Unusual packets (IP, port) Unauth. accesses Deleted logs Logins, logoffs Change to network device config. Access to sensitive data Listed in other columns Overflow -ing logs Unapprove d accounts Blocked packets Lockouts/ expired password accounts Transfer sensitive/ unusual data Clearing/ changes to log config. Changes in privileges Unapprove d apps Changes to secured files: system code/data Unsuccessf ul login attempts Change in traffic pattern Simple passwords, 1- factor auth. Actions by admins System crashes

  18. Title of the Presentation | 3/8/2025 | 18 Incidents may include Employees Reports Malware Violations of policy Data breach: stolen laptop, memory employee mistake Social engineering/fraud: caller, e-mail, visitors Unusual event: inappropriate login unusual system aborts server slow deleted files defaced website IT Detects a device (firewall, router or server) issues serious alarm(s) change in configuration an IDS/IPS recognizes an irregular pattern: unusually high traffic, inappropriate file transfer changes in protocol use unexplained system crashes or unexplained connection terminations

  19. Title of the Presentation | 3/8/2025 | 19 (1) Management Participation Management makes final decision As always, senior management has to be convinced that this is worth the money.

  20. Title of the Presentation | 3/8/2025 | 20 Planning for Incident Detection & Handling Security Workbook Incident Description Methods of Detection (In all cases: Warning Banner) Unusual network traffic observed via NIDS or firewall logs (in type or quantity). Daily log evaluations, high priority email alerts. Security alarm set for off- hours; or employee reports missing device. Procedural Response (In all cases an incident report is written) IT/Security addresses incident within 1 hour to prepare investigative plan; Firewall, database, IDS, or server log indicates a probable intrusion. (May qualify as espionage.) Intruder accesses internal network if confidential/proprietary servers involved, follow breach protocol. A laptop, backup tape, or memory source with confidential info. was lost or stolen. Email/call Security if memory contains conf. info immediately. Security initiates tracing of laptops via location s/w, writes Incident Report, evaluates if breach occurred. Mgmt calls police, if computer theft. Report to Mgmt & Security. Warn employees of attempt as added training. Security evaluates if breach occurred, writes incident report. Break-in, loss or theft Suspicious social eng. attempt was recognized OR info. was divulged, later recognized as being inappropriate. Training of staff leads to report from staff to IT Social Engineer- ing

  21. Title of the Presentation | 3/8/2025 | 21 Planning for Incident Detection & Handling Security Workbook Incident DDOS Description Server or network approaches 85% or higher utilization Methods of Detection Security alarm set when threshold is reached; investigate rate of successful transactions; sniff network traffic to determine traffic legality Key confidential areas are inspected daily for WLAN availability Procedural Response Reject offending source IP addresses at firewall. Notify internet service provider. After 2 hours, contact security company handling DDOS attacks. A new WLAN masquerades as us. Notify Security or network admin immediately. Warn employees in affected area of an attack, first electronically, then with office visit. Incident is acted upon within 2 hours. Investigate zero trust volume alarm as priority 1 (within 15 min) Take images of affected devices. Close down confidential/ proprietary network to contain incident. Notify of disaster to business to initiate BC plan. Complete forensic collection. Follow Compromised PCI Handling Response Procedure, if appropriate. Trojan Wireless LAN Inappropriate access to proprietary or confidential information Preventive: 2-factor auth; restricted hours, devices, location for personnel; Detective: Zero trust alarms when volume of records accessed exceeds threshold; Data Breach

  22. Title of the Presentation | 3/8/2025 | 22 Planning for Incident Detection & Handling Security Workbook Incident Violation of Policy Description Methods of Detection Host IPS detects unauthorized access; Unusual logs or inappropriate access by IP/MAC address; Excessive access to data Anti-virus employee reports unusual behavior or antivirus report. Procedural Response Remove permissions; Discuss with employee s management; Violation of organizational standards and rules: Unauthorized access or changes to IT, information, or service Antivirus software reports malware, whether it can be automatically cleaned; Employee reports unusual behavior If employee-reported, run second antivirus to check status. Follow Detected Malware Incident Handling Response Procedure. Weekly full backups maintained off-site. Documented procedure to save off, reload, and test backups. Follow data breach protocol above. Malware Ransomware Criminals infiltrate and encrypt our servers, ask for ransom to decrypt and not publish data Monthly offline monitoring of recent backups to ensure data looks normal and stable. Confirmed via above protocol: Data Breach or Intruder Accesses Internal Network An external party infiltrates the organization in order to steal proprietary infor. Surveillance / Espionage

23. The planning is done and AN INCIDENT IS NOW OCCURRING

24. Stage 2: Identification
Triage: Categorize, prioritize and assign events and incidents
What type of incident just occurred?
What is the severity of the incident? Severity may increase if recovery is delayed
Who should be called?
Establish chain of custody for evidence
Stages: Preparation, Identification, Containment, Analysis & Eradication, Recovery, Lessons Learned

25. (2) Triage
Snapshot of the known status of all reported incident activity
Sort, Categorize, Correlate, Prioritize & Assign
Categorize: DoS, Malicious code, Unauthorized access, Inappropriate usage, Multiple components
Prioritize: Limited resources require prioritizing response to minimize impact
Assign: Who is free/on duty and competent in this area?

26. (2) Chain of Custody
Evidence must follow Chain of Custody law to be admissible/acceptable in court
Include: specially trained staff, 3rd party specialist, law enforcement, security response team
System administrator can:
Retrieve info to confirm an incident
Identify scope and size of affected environment (system/network)
Determine degree of loss/alteration/damage
Identify possible path of attack

27. Stage 3: Containment
Activate Incident Response Team to contain threat: IT/security, public relations, mgmt, business
Isolate the problem
Disable server or network zone communications
Disable user access
Change firewall configurations to halt connection
Obtain & preserve evidence

28. (3) Containment - Response
Technical: Collect data; analyze log files; obtain further technical assistance; deploy patches & workarounds
Managerial: Business impacts result in mgmt intervention, notification, escalation, approval
Legal: Issues related to investigation, prosecution, liability, privacy, laws & regulation, nondisclosure

29. Potential Containment Actions
Image affected devices: MasterCard recommends that their PCI Forensic Investigators do this step first.
Halt connections: This is a temporary fix, since most attackers can easily change their IP address. The Internet Service Provider may be able to help in filtering an attack pattern.
Disable server communications or network zone: Potentially break access to a zone by disconnecting network connections or powering down routers. Alternatively, safely power down a server or virtual machine.
Disable user access: Revoke privileges of internal users who violate policy; change passwords; enable 2-factor authentication; prohibit an executable.
Alert related entities: Notify organizations whose data or systems may be affected (financial, payment card). The Internet service provider can help to contain the attack.
Continue to monitor: Closely monitor any continued progress in the attack.
Patch vulnerable software: After obtaining images, patch vulnerable software when vulnerabilities are detected.

30. Stage 4: Analysis & Eradication
Determine how the attack occurred: who, when, how, and why?
What is the impact & threat? What damage occurred?
Remove root cause: initial vulnerability(s)
Talk to ISP to get more information
Rebuild system
Improve defenses with enhanced protection techniques
Perform vulnerability analysis
Discuss recovery with management, who must make decisions on handling that affects other areas of the business

31. (4) Analysis
It is important to discover:
What happened?
Who was involved?
What was the reason for the attack?
Where did the attack originate from?
When did the initial attack occur?
How did it happen? What vulnerability enabled the attack?

32. (4) Remove root cause
If Admin or Root compromised, rebuild system
Implement recent patches & recent antivirus
Change all passwords
Fortify defenses with enhanced security controls
Retest with vulnerability analysis tools

33. Stage 5: Recovery
Restore operations to normal
Ensure that restore is fully tested and operational

34. Workbook: Incident Handling Response Procedure
Incident Type: Malware detected by Antivirus software
Contact Name & Information: Computer Technology Services Desk: 262-252-3344 (O)
Emergency Triage Procedure: Disconnect computer from Internet/WLAN. Do not reconnect. Allow antivirus to fix problem, if possible. Report to IT first thing during (next) business day.
Escalation Conditions and Steps: If laptop contained confidential information, investigate malware to determine if intruder obtained entry. Determine if Breach Law applies.
Containment, Analysis & Eradication Procedure: Run two versions of antivirus software to determine status. Security investigates problem through CVE analysis, as provided by antivirus reports. If confidential information was on the computer (even though encrypted), malware may have sent sensitive data across the internet; encryption was ineffective and breach law may apply. A forensic investigation is required. Clean disk. Check if virus was dangerous and if user had admin privileges: Type A: return computer (A = malware not dangerous and user not admin, where admin = able to install s/w). Type B: rebuild computer (B = either malware was dangerous and/or user was admin). Password is changed for all users on the computer. Confirm security settings before returning machine to owner.
Other Notes (Prevention techniques): Antivirus should record type of malware to log system.

35. Workbook
Incident Type: Handling of Compromised Payment Card Data
Contact Name & Information: Computer Technology Services Desk: 262-252-3344 (O)
Emergency Triage Procedure: Disconnect computer from Internet/WLAN. Do not reconnect. Do not log in to the compromised machine(s) or change the password on it/them.
Escalation Conditions and Steps: Inform management within 2 hours; they contact the legal department. Inform acquiring bank within 24 hours. Provide MasterCard information within 24 hours; contact is at account_data_compromise@mastercard.com. Provide Visa's incident report within 3 days to the regional risk center; find contact at ROC@Visa.com.
Containment, Analysis & Eradication Procedure (assumes independent investigation by capable staff; otherwise a PCI Forensic Investigator is called): Identify all compromised devices and systems (e.g., servers, terminals, databases, logs). Document all containment and remediation actions taken, including dates/times, names, actions. Preserve all evidence, including images and logs from all compromised and non-compromised devices. Expect to provide this evidence to PCI Forensic Analysts, if/when necessary. Prepare Incident Report within 24 hours to bank and MasterCard; within 3 days to Visa with Incident Response Form.
Other Notes (Prevention techniques): MasterCard reference documentation is: Mastercard Account Data Compromise User Guide. Visa reference documentation is: What To Do if Compromised. Some secure practices are provided in other sections of this Security Plan; additional forensic detail is required.

36. Stage 6: Lessons Learned
Follow-up includes:
Writing an Incident Report
What went right or wrong in the incident response?
How can process improvement occur?
How much did the incident cost (in loss & handling & time)?
Present report to relevant stakeholders

37. Planning Processes
Risk & Business Impact Assessment
Response & Recovery Strategy Definition
Document IRP and DRP
Train for response & recovery
Update IRP & DRP
Test response & recovery
Audit IRP & DRP

38. Training
Introductory Training: First day as IMT
Mentoring: Buddy system with longer-term member
Formal Training
On-the-job training
Training due to changes in IRP/DRP

39. Types of Penetration Tests
External Testing: Tests from outside the network perimeter
Internal Testing: Tests from within the network
Blind Testing: Penetration tester knows nothing in advance and must do web research on the company
Double Blind Testing: System and security administrators also are not aware of the test
Targeted Testing: Tester has internal information about a target; may have access to an account
Written permission must always be obtained first

40. Incident Management Metrics
# of Reported Incidents
# of Detected Incidents
Average time to respond to an incident
Average time to resolve an incident
Total number of incidents successfully resolved
Proactive & Preventative measures taken
Total damage from reported or detected incidents
Total damage if incidents had not been contained in a timely manner
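The metrics on this slide come straight out of an incident register once each incident carries its detection, response and resolution timestamps. The following is an added example (not code from the deck or the author) that computes the countable metrics from a constructed register of three incidents; the field names, the source values "reported" and "detected", and the dollar figures are assumptions. Resolution time is averaged over closed incidents only, so an open incident does not distort the figure.

```python
"""Computes incident management metrics from an incident register.
Added example; the record fields and the sample incidents are constructed."""
from datetime import datetime

# Constructed incident register. 'source' records how the incident surfaced
# (reported by a person vs. detected by tooling); 'resolved' is None while open.
INCIDENTS = [
    {"id": "INC-1", "source": "detected", "detected": "2025-03-01T08:00:00",
     "responded": "2025-03-01T08:20:00", "resolved": "2025-03-01T12:00:00", "damage_usd": 5000},
    {"id": "INC-2", "source": "reported", "detected": "2025-03-02T10:00:00",
     "responded": "2025-03-02T10:40:00", "resolved": "2025-03-02T18:00:00", "damage_usd": 12000},
    {"id": "INC-3", "source": "detected", "detected": "2025-03-03T14:00:00",
     "responded": "2025-03-03T14:30:00", "resolved": None, "damage_usd": 0},
]


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def incident_metrics(incidents):
    """Return the deck's metrics: counts by source, mean response and resolution
    times in minutes (resolution over closed incidents only), and total damage."""
    closed = [i for i in incidents if i["resolved"] is not None]
    respond = [_minutes(i["detected"], i["responded"]) for i in incidents]
    resolve = [_minutes(i["detected"], i["resolved"]) for i in closed]
    return {
        "reported_incidents": sum(1 for i in incidents if i["source"] == "reported"),
        "detected_incidents": sum(1 for i in incidents if i["source"] == "detected"),
        "avg_response_minutes": sum(respond) / len(respond) if respond else 0.0,
        "avg_resolve_minutes": sum(resolve) / len(resolve) if resolve else 0.0,
        "resolved_incidents": len(closed),
        "open_incidents": len(incidents) - len(closed),
        "total_damage_usd": sum(i["damage_usd"] for i in incidents),
    }


if __name__ == "__main__":
    for name, value in incident_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

The last two metrics on the slide (preventative measures taken, and damage avoided by timely containment) are estimates rather than register fields, so they are not computed here.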

41. Challenges
Management buy-in: Management does not allocate time/staff to develop IRP; top reason for failure
Organization goals/structure mismatch: e.g., national scope for an international organization
IMT member turnover
Communication problems: Too much or too little
Plan is too complex and wide

42. Question
The MAIN challenge in putting together an IRP is likely to be:
1. Getting management and department support
2. Understanding the requirements for chain of custody
3. Keeping the IRP up-to-date
4. Ensuring the IRP is correct

43. Question
The PRIMARY reason for Triage is:
1. To coordinate limited resources
2. To disinfect a compromised system
3. To determine the reasons for the incident
4. To detect an incident

44. Question
When a system has been compromised at the administrator level, the MOST IMPORTANT action is:
1. Ensure patches and anti-virus are up-to-date
2. Change admin password
3. Request law enforcement assistance to investigate incident
4. Rebuild system

45. Question
The BEST method of detecting an incident is:
1. Investigating reports of discrepancies
2. NIDS/HIDS technology
3. Regular vulnerability scans
4. Job rotation

46. Question
The person or group who develops strategies for incident response includes:
1. CISO
2. CRO
3. IRT
4. IMT

47. Question
The FIRST thing that should be done when you discover an intruder has hacked into your computer system is to:
1. Disconnect the computer facilities from the computer network to hopefully disconnect the attacker
2. Power down the server to prevent further loss of confidentiality and data integrity
3. Call the police
4. Follow the directions of the Incident Response Plan

48. Summary
Planning is necessary
Without preparation, no incident will be detected
Incident handlers should not decide what needs to be done.
Stages:
Identification: Determine what has happened
Containment & Escalation: Limit incident
Analysis & Eradication: Analyze root cause, repair
Restore: Test and return to normal
Process Improvement
(Possibly) Breach Notification
If case is to be prosecuted:
Evidence must be carefully handled: Authenticity & Continuity
Expert testimony must be qualified, accurate, bullet-proof

49. HEALTH FIRST CASE STUDY: Designing Incident Response
Jamie Ramon, MD, Doctor
Chris Ramon, RD, Dietician
Terry, Licensed Practicing Nurse
Pat, Software Consultant

50. Workbook: Table of Incident Types
Columns: Incident; Description; Methods of Detection; Procedural Response (detection and response columns are left blank for the case study to complete)
Incident: Hacker intrusion
Description: An intruder has entered an internal network.
Incident: Data breach
Description: Inappropriate access to confidential or proprietary information.
Incident: Lost or stolen laptop or backup tape
Description: A laptop, backup tape, or other memory source with confidential information was lost or stolen.
Incident: Violation of policy
Description: Violation of organizational standards and rules.
Incident: Social Engineering
Description: Information was divulged that was recognized after the fact as being inappropriate.
Incident: Malware
Description: Antivirus software reports malware, whether it can or cannot be automatically cleaned.
Incident: Physical attack (Thief, disgruntled customer/staff)
Description: A physical attack is initiated by an intruder or disgruntled customer or employee.
Incident: Trojan WLAN
Description: A new WLAN masquerades as us.
