Module 04 CSIRT

Computer Hacking Forensic Investigator

Module IV: Computer Security Incident Response Team

Scenario

Target Company Ltd, a data warehousing company, has lots of important business information stored in its huge database. The data and information present in the company's database serve as a key input to its next business moves.

An e-mail claiming to pass all the relevant and vital business information to their competitor surprised the company's top management. A team of hackers threatens to expose all the business secrets of Target Company Ltd. to the competitor unless they receive a big paycheck!

Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Module Objectives

~ Introduction
~ What is an incident?
~ Incident response team
~ How to report an incident?
~ CSIRT categorization
~ Need for CSIRT
~ What does CSIRT do?
~ Other types of CSIRTs
~ Handling incidents
~ Vision
~ Standard practices

Module Flow

~ Introduction
~ Incident definition
~ Report an incident
~ Incident response team
~ CSIRT categorization
~ Need for CSIRT
~ Handling incidents
~ Other types of CSIRTs
~ Vision
~ Standard practices

Present Networking Scenario

~ Increase in the number of companies venturing into e-business, coupled with high Internet usage
~ Decrease in vendors' product development cycles and product testing cycles
~ Increase in the complexity of the Internet as a network
~ Alarming increase in intruder activities and tools, in the expertise of hackers, and in the sophistication of hacks
~ Lack of thoroughly trained professionals compared to the number and intensity of security breaches

Vulnerability

~ Vulnerability is defined as “Existence of a weakness; design or implementation error that can lead to an unexpected, undesirable event compromising the security of the system.”
Source: [Link]
~ Some common vulnerabilities are:
• Buffer overflows
• SQL injection
• Cross-site scripting
• Default installation
• Misconfiguration

Vulnerability Statistics

Source: [Link]/tech_tips/incident_reporting.html

What Is an Incident?

~ According to [Link], a computer security incident is defined as “Any real or suspected adverse event in relation to the security of computer systems or computer networks”
~ It also includes external threats such as gaining access to systems, disrupting their services through malicious spamming, and executing malicious code that destroys or corrupts systems

How to Identify an Incident?

~ A system alarm from an intrusion detection tool indicating a security breach
~ Suspicious entries in the network
~ Accounting gaps of several minutes with no accounting log
~ Other events such as unsuccessful login attempts, unexplained new users or files, attempts to write system files, and modification or deletion of data
~ Unusual usage patterns, such as programs being compiled in the accounts of users who are non-programmers
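Detection logic for three of the indicators listed above (gaps in the accounting log, repeated unsuccessful logins, and compilers run from non-programmer accounts), as an added example that is not part of the original module. The log format, the constructed sample lines, the thresholds and the `NON_PROGRAMMERS` set are assumptions made for this example.

```python
"""Added example: flag the incident indicators named on the slide over a
constructed accounting log. Log format, thresholds and account roles are
assumptions, not part of the original module."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample accounting log, one record per line:
# "<ISO timestamp> <user> <command>"
SAMPLE_LOG = """\
2024-03-01T09:00:05 alice login-ok
2024-03-01T09:00:40 bob login-fail
2024-03-01T09:00:52 bob login-fail
2024-03-01T09:01:03 bob login-fail
2024-03-01T09:01:15 bob login-fail
2024-03-01T09:01:30 alice sh
2024-03-01T09:14:10 carol gcc
2024-03-01T09:14:30 carol cc
2024-03-01T09:15:00 alice logout
"""

GAP_MINUTES = 5              # assumed: "several minutes" with no record at all
FAILED_LOGIN_LIMIT = 3       # assumed: more than this per account is suspicious
COMPILERS = {"gcc", "cc", "g++", "make"}
NON_PROGRAMMERS = {"carol"}  # assumed: accounts with no development role

def parse(log_text):
    """Return (timestamp, user, command) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, cmd = line.split(maxsplit=2)
            events.append((datetime.fromisoformat(ts), user, cmd))
    return events

def accounting_gaps(events, limit=timedelta(minutes=GAP_MINUTES)):
    """Consecutive records more than `limit` apart: a hole in the accounting."""
    return [(a[0], b[0]) for a, b in zip(events, events[1:]) if b[0] - a[0] > limit]

def failed_logins(events, limit=FAILED_LOGIN_LIMIT):
    """Accounts whose failed-login count exceeds the limit."""
    counts = Counter(user for _, user, cmd in events if cmd == "login-fail")
    return {user: n for user, n in counts.items() if n > limit}

def unexpected_compiles(events, non_programmers=NON_PROGRAMMERS):
    """Compiler invocations under accounts that have no programming role."""
    return [e for e in events if e[2] in COMPILERS and e[1] in non_programmers]

def triage(log_text):
    """Run all three checks and return the hits keyed by indicator name."""
    events = parse(log_text)
    return {
        "accounting_gaps": accounting_gaps(events),
        "failed_logins": failed_logins(events),
        "unexpected_compiles": unexpected_compiles(events),
    }

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Each hit is a candidate for the incident report described on the following slides; the thresholds are the tuning knobs a site would set from its own baseline.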
Whom to Report an Incident To?

~ Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format
~ The incident should be reported to the CERT Coordination Center, the site security manager, and other sites
~ It can also be reported to law enforcement agencies such as the FBI, the USSS Electronic Crimes Branch, or Department of Defense contractors
~ It should be reported to receive technical assistance and to raise security awareness in order to minimize the losses

Incident Reporting

~ When a user encounters any breach, the following should be reported:
• Intensity of the security breach
• Circumstances that revealed the vulnerability
• Shortcomings in the design, and the impact or level of the weakness
• Entry logs related to the intruder's activity
• Specific help needed, clearly defined
• Correct time zone of the region, and whether the system clock is synchronized with a national time server via NTP (Network Time Protocol)

Category of Incidents

~ There are three categories of incidents:
• Low level
• Mid level
• High level

Category of Incidents - Low Level

~ Low level incidents are the least severe kind of incidents
~ It is recommended that they be handled within a working day after the event occurs
~ Low level incidents can be identified when the following things happen:
• Loss of a personal password
• Suspected sharing of the organization's accounts
• Unsuccessful scans and probes
• Presence of any computer virus or worm

Category of Incidents - Mid Level

~ The incidents at this level are comparatively more serious and thus should be handled the same day the event occurs (normally within two to four hours of the event)
~ They can be identified by observing:
• Violation of special access to a computer or computing facility
• Unfriendly employee termination
• Unauthorized storing and processing of data
• Destruction of property related to a computer incident (less than $100,000)
• Personal theft of data related to a computer incident ($100,000)
• Computer viruses or worms of comparatively larger intensity
• Illegal access to buildings

Category of Incidents - High Level

~ These are the most serious incidents and are considered “Major” in nature
~ High level incidents should be handled immediately after the occurrence of the incident
~ These include:
• Denial of Service attacks
• Suspected computer break-in
• Computer viruses or worms of the highest intensity; [Link] back door
• Changes to system hardware, firmware or software without authentication
• Destruction of property exceeding $100,000
• Personal theft exceeding $100,000, and illegal electronic fund transfer or download/sale
• Any kind of pornography, gambling or violation of any law

Handling Incidents

~ Incident handling helps to find trends and patterns in intruder activity by analyzing it
~ It involves three basic functions: incident reporting, incident analysis, and incident response
~ It provides recommendations on recovery, containment, and prevention to network administrators and constituents
~ It allows incident reports to be gathered in one location so that trends and patterns can be recognized and recommended strategies employed
~ It helps the relevant staff to understand the process of responding and to tackle unexpected threats and security breaches

Procedure for Handling an Incident

~ The incident handling process is divided into six stages
~ These stages are:
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow up
~ Source: FCC Computer Security Incident Response Team

1. Preparation

~ Preparation enables easy coordination among staff
~ Provides baseline protection
~ Uses virus detection and eradication tools
~ Company staff are given relevant training at this stage

2. Identification

~ It involves validating, identifying and reporting the incident
~ Checking for the symptoms listed under ‘How to Identify an Incident’
~ Identifying the nature of the incident
~ Identifying events
~ Protecting evidence
~ Reporting events

3. Containment

~ Limit the extent and intensity of an incident
~ Avoid logging in as root on the compromised system
~ Conventional methods of tracing back should be avoided, as they may alert the attackers
~ Prepare complete backups of infected systems
~ Change the passwords of all unaffected systems in the LAN

4. Eradication

~ Additional information, along with the information gathered in the third phase, should be examined to find out the reasons for the particular incident
~ Use standard anti-virus tools to remove viruses/worms from storage media
~ Improve security measures by enabling firewalls and router filters or assigning new IP addresses
~ Perform vulnerability analysis

5. Recovery

~ Determine the course of action
~ Monitor and validate systems
~ Determine the integrity of the backup itself by attempting to read its data
~ Verify the success of the operation and the normal condition of the system
~ Monitor the system using network loggers and system log files, and watch for potential back doors

6. Follow up

~ Revise policies and procedures from the lessons learnt from the past
~ Determine the staff time required and perform the following cost analysis:
• Extent to which the incident disrupted the organization
• Data lost and its value
• Damaged hardware and its cost

6. Follow up (continued)

~ Document the response to the incident by finding answers to the following:
• Was the preparation for the incident sufficient?
• Did detection occur promptly, and if not, why?
• Would additional tools have helped?
• Was the incident contained?
• What practical difficulties were encountered?
• Was it communicated properly?

What Is CSIRT?

~ A team of trained professionals
~ CSIRT members detect incidents at early stages and make reports to prevent further incidents
~ CSIRT protects and secures the critical information of an organization
~ It secures the organization's data, hardware, and critical business policy
~ It provides training on security awareness, intrusion detection, and penetration testing
~ It documents and develops programs
~ It strengthens the organization's security
~ It decreases the response time during any future security breach

Why Does an Organization Need an Incident Response Team?

~ It helps organizations to recover from computer security breaches and threats
~ It is a formalized team which performs incident response work as its major job function
~ As an ad-hoc team, it is responsible for ongoing computer security incidents

Need for CSIRT

~ CSIRT provides rapid response to maintain the security and integrity of the systems
~ It is experienced in handling compromised networks/systems
~ Being in a network of like-minded professionals, CSIRT team members get to know about vulnerabilities firsthand
~ CSIRT helps in deploying systems that follow the security policy of the organization

Examples of CSIRTs

~ Internal CSIRTs provide services to their parent organization, such as a bank, manufacturing company, university, or government agency
~ National CSIRTs provide services to an entire nation, an example being the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
~ Analysis Centers synthesize data and determine trends and patterns in incident activity to predict future activity or provide early warnings
~ Vendor teams identify vulnerabilities in software and hardware products
~ Incident Response Providers offer services to paying clients

CSIRT Vision

~ Identify the organization
~ Specify the mission, goals and objectives of the CSIRT for the organization
~ Select the services to be offered by the CSIRT
~ Determine how the CSIRT should be structured for the organization
~ Plan the budget required by the organization to implement and manage the CSIRT
~ Determine the resources (equipment, staff, infrastructure) to be used by the CSIRT

Vision

Source: [Link]/tech_tips/incident_reporting.html

Best Practices for Creating a CSIRT

~ Step 1: Obtain management support and buy-in
~ Step 2: Determine the CSIRT strategic plan
~ Step 3: Gather relevant information
~ Step 4: Design the CSIRT vision
~ Step 5: Communicate the CSIRT vision and operational plan
~ Step 6: Begin CSIRT implementation
~ Step 7: Announce the operational CSIRT

Step 1: Obtain Management Support
and Buy-In
~ Without management approval and support,
creating an effective incident response
capability can be extremely difficult and
problematic.
~ Once the team is established, how is it
maintained and expanded with budget,
personnel, and equipment resources?
~ Will the role and authority of the CSIRT
continue to be backed by management across
the various constituencies or parent
organization?
Step 2: Determine the CSIRT
Development Strategic Plan
~ Are there specific timeframes to be met? Are
they realistic, and if not, can they be changed?
~ Is there a project group? Where do the group
members come from?
~ How do you let the organization know about the
development of the CSIRT?
~ If you have a project team, how do you record
and communicate the information you are
collecting, especially if the team is
geographically dispersed?

Step 3: Gather Relevant Information

~ Meet with key stakeholders to discuss the expectations, strategic direction, definitions, and responsibilities of the CSIRT. The stakeholders could include:
• Business managers.
• Representatives from IT.
• Representatives from the legal department.
• Representatives from human resources.
• Representatives from public relations.
• Any existing security groups, including physical security.
• Audit and risk management specialists.

Step 4: Design Your CSIRT Vision

~ In creating your vision, you should:
• Identify your constituency. Who does the CSIRT support and service?
• Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified constituency?
• Select the CSIRT services to provide to the constituency (or others). How does the CSIRT support its mission?
• Determine the organizational model. How is the CSIRT structured and organized?
• Identify required resources. What staff, equipment, and infrastructure are needed to operate the CSIRT?
• Determine your CSIRT funding. How is the CSIRT funded for its initial startup and its long-term maintenance and growth?

Step 5: Communicate the CSIRT
Vision
~ Communicate the CSIRT vision and operational
plan to management, constituency, and others
who need to know and understand its
operations.
~ As appropriate, make adjustments to the plan
based on their feedback.

Step 6: Begin CSIRT Implementation

~ Hire and train initial CSIRT staff.
~ Buy equipment and build any necessary network infrastructure to support the team.
~ Develop the initial set of CSIRT policies and procedures to support your services.
~ Define the specifications for and build your incident-tracking system.
~ Develop incident-reporting guidelines and forms for your constituency.

Step 7: Announce the CSIRT

~ When the CSIRT is operational, announce it broadly to the constituency or parent organization.
~ It is best if this announcement comes from sponsoring management.
~ Include the contact information and hours of operation for the CSIRT in the announcement.
~ This is an excellent time to make available the CSIRT incident-reporting guidelines.
Source: [Link]

Other Response Team Acronyms and CSIRTs Around the World

World CSIRT
[Link]

~ Asia Pacific CERTs
• Australia CERT (AUSCERT)
• Hong Kong CERT (HKCERT/CC)
• Indonesian CSIRT (ID-CERT)
• Japan CERT-CC (JPCERT/CC)
• Korea CERT (CERT-KR)
• Malaysia CERT (MyCERT)
• Pakistan CERT (PakCERT)
• Singapore CERT (SingCERT)
• Taiwan CERT (TWCERT)
• China CERT (CNCERT/CC)
~ North American CERTs
• CERT-CC
• US-CERT
• Canadian CERT (CanCERT)
• Forum of Incident Response and Security Teams (FIRST)
~ South American CERTs
• CAIS (Brazilian Research Network CSIRT)
• NIC BR Security Office (Brazilian CERT)
• NBS
~ European CERTs
• EuroCERT
• FUNET CERT
• CERTA
• DFN-CERT
• JANET-CERT
• CERT-NL
• UNINETT-CERT
• CERT-NASK
• Swiss Academic and Research Network CERT

Summary

~ The increase in the number of products, and the related increase in the number of hacking tools, has put security in the spotlight
~ Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format
~ Incident handling involves three basic functions: incident reporting, incident analysis, and incident response
~ CSIRT provides rapid response to maintain the security and integrity of the systems
~ Without management approval and support, creating an effective incident response capability can be extremely difficult and problematic
