Incident Response - CompTIA Security+ SY0-701 - 4.8

00:01

Understanding how to deal with security incidents

00:04

are an important part of any security administrator's job.

00:07

Security incidents can involve many different situations.

00:10

For example, a user might click an attachment inside

00:13

of an email that runs an executable,

00:16

and that installs malware onto their system.

00:18

Or it may be that your WAN connection has been overwhelmed

00:21

with a distributed denial-of-service attack done

00:24

by botnets from people that are located anywhere in the world.

00:28

Or maybe you have to deal with information

00:30

that has been stolen or exfiltrated from your network,

00:33

and now the attackers want you to pay up

00:35

before that information is made public.

00:37

Or maybe a user has installed some software that

00:40

would effectively allow someone from the outside to gain access

00:43

to the inside private network.

00:46

All of these security issues could

00:48

occur in any organization at any time.

00:50

So you have to be prepared for anything to happen.

00:54

If you're interested on how organizations manage these

00:57

types of security issues, you may want to read through

01:00

the National Institute of Standards and Technology--

01:03

the document is called the "Special Publication 860--61

01:08

Revision 2."

01:09

And the title of this is the "Computer Security Incident

01:12

Handling Guide."

01:13

This document takes you through the entire lifecycle

01:16

of incident handling, including the preparation, the detection

01:19

and analysis, the containment, eradication, and recovery,

01:23

and any post-incident activities.

01:26

Before an incident even occurs, there's

01:29

a great deal of planning that takes place.

01:31

One of the things you should have available

01:33

is the list of communication methods.

01:35

There should be an up-to-date contact list

01:37

with all of the people who should be informed

01:40

when an incident occurs.

01:41

You also want to have an incident go bag

01:44

where you have all of the hardware and software required

01:47

to address any type of incident.

01:49

This might have laptops with specialized software.

01:52

There could be removable media for copying items

01:54

from one system to another.

01:56

You could have forensic software to be able to capture

01:59

information on that system.

02:01

And it might be a good idea to have

02:02

some type of digital imaging system

02:04

to be able to capture pictures and video.

02:07

It's also a good idea to have a number of resources that

02:10

can help during the incident.

02:11

For example, you may need documentation

02:13

of a particular server or perhaps some network diagrams.

02:17

It might also be a good idea to have security baselines

02:19

and to also have file hashes of all your critical files.

02:23

It's also a good idea to know what

02:25

you would use to be able to mitigate

02:27

this particular incident, especially if you're

02:29

dealing with malware or some other type

02:31

of malicious software.

02:33

It might be a good idea to have a known-good operating system

02:35

image or copies of application images

02:38

so that you can replace the bad code

02:40

with the known-good software.

02:42

And perhaps most importantly, there

02:44

should be a set of policies and procedures

02:46

that everyone will follow during one of these security

02:49

incidents.

02:51

Detecting a security incident is not

02:53

something that is always easy to recognize.

02:56

There may be different types of systems

02:58

that are attacked during a security incident,

03:00

and it may be difficult to simply look through the file

03:02

system and determine if a security incident has occurred.

03:06

Part of the problem is that, if you're

03:07

connected to the internet, there will be attacks on your systems

03:11

constantly.

03:11

And it might be difficult to determine

03:13

if an attack is simply a script that's running

03:16

or if this is a legitimate attack that has gained access

03:19

to your systems.

03:20

Even a security incident as common as a malware infection

03:24

can be a relatively complex process.

03:26

So you should make sure that you have the proper policies

03:29

and procedures on how to look for these incidents

03:31

and what to do when one's found.

03:34

There are probably a number of logs

03:36

that you could view right now that show instances where

03:39

an attempt to attack your network was made.

03:42

This can provide you with useful information

03:44

about where attacks may be originating

03:46

and what type of attacks they may choose to use.

03:49

For example, a web server log can capture a great deal

03:52

of information, especially when an attacker is

03:54

going through a vulnerability scan against your web server.

03:57

You should make sure you have a calendar so that when

04:00

Microsoft is going to release their latest set of patches

04:03

so that you can then begin the process of patching

04:06

all of your systems and looking for anyone

04:08

who may be attacking systems that have not already

04:10

been patched.

04:11

And in some cases, the attackers will contact you directly

04:15

and let you know that they're trying

04:16

to break into your systems.

04:18

This may be uncommon, but it's not

04:20

unheard of in the hacking community.

04:23

It's obviously important to know when an attack occurs.

04:26

And there may be things you can look at in your network that

04:28

can give you a notification that an attack is underway.

04:32

For example, you might get an alert

04:34

from your intrusion prevention system

04:36

that a buffer overflow attempt was made

04:38

against a particular server.

04:40

Or maybe an antivirus report is showing

04:42

that malware has been installed on a particular user's

04:45

workstation.

04:46

You might also find a situation where

04:49

an attacker has gained access to a system

04:51

and begins making changes to the security configurations.

04:54

If you have the proper monitoring in place,

04:56

you'll be informed if any of these configuration changes

04:59

are made.

05:00

And if you happen to find a large increase in network

05:03

traffic, that could indicate that an attacker is trying

05:06

to move a large amount of data out of your network

05:09

and into the hands of the attacker.

05:12

If you do find that an attack is underway,

05:14

you should try to stop that attack as quickly as possible.

05:17

This is not a situation where you

05:19

might want to wait to see what the attacker might do.

05:22

Some security systems will provide a way

05:24

to test for an attack inside of a sandbox.

05:27

A sandbox is a closed system where

05:29

you can run applications and see what the result of running

05:32

that application might be.

05:34

A good example is loading malware into a sandbox,

05:37

running that malware, and seeing what

05:40

part of the operating system was changed

05:42

when that malware executes.

05:44

Sometimes the process of isolating the malware

05:47

to a sandbox can cause the malware

05:49

itself to act differently.

05:51

For example, a malware could recognize

05:53

that it's being run inside of a virtual machine

05:56

with limited network connectivity.

05:58

And if it ever finds itself in that situation,

06:00

it simply deletes itself.

06:03

Once the incident is over, we need to go into recovery mode.

06:07

Recovery mode means that we need to get rid

06:09

of anything that may be bad software

06:11

and replace that with known-good software.

06:14

This means if we have malware, we

06:15

may want to remove the malware or simply reimage that system.

06:19

We may need to disable any user accounts that were breached

06:22

or created by the attacker.

06:24

And we need to fix any vulnerabilities that

06:26

allowed that attacker to get into our network

06:28

in the first place.

06:30

If we have known-good backups, we

06:32

may want to use those to overwrite

06:34

anything that may have been changed by the attackers.

06:37

Or we may want to use the original installation

06:39

media to completely reinstall the operating system.

06:42

The goal is to replace any files that may have been compromised,

06:46

and then lock everything down so the attackers can't get back

06:49

in.

06:50

After an attack is over is also a good time

06:53

for reflection and to understand what may have occurred

06:56

and how we can do better next time.

06:58

A good place to do this is in the post-incident meeting.

07:01

This is a meeting where everyone can be in the same room,

07:03

discuss the topics associated with the incident,

07:06

and come up with ways to resolve the issue more

07:08

efficiently next time.

07:10

These types of meetings are best done as soon as possible

07:13

after the incident was resolved.

07:15

This allows the people who participated in the incident

07:17

to have a better memory of what happened.

07:19

And we can also have better plans now when

07:21

the next incident occurs.

07:23

During this post-incident analysis,

07:26

we may want to ask some difficult questions, such as,

07:29

what exactly happened during this particular incident?

07:32

What was the timeline that took place

07:34

from the very beginning of the incident all

07:37

the way until the end?

07:38

It would also be interesting to see how well our planning

07:41

process worked.

07:42

We should be able to look at the documentation of this incident

07:45

and see if the process that we followed

07:48

was the best choice for this particular situation.

07:51

We can then make decisions on what

07:53

we might do different next time and then

07:55

integrate those changes into our incident-planning process.

07:59

It might also be useful to know if we missed

08:01

any of the indicators that might have warned us

08:04

that this incident was going to occur.

08:06

And if we did miss something, we might

08:08

want to change our monitoring so that we're looking

08:11

at some additional indicators.

08:13

All of the planning and training that

08:15

goes into incident response needs to take place

08:18

before an incident occurs.

08:21

Once the incident is live and on your network,

08:23

it's too late to do any type of on-the-job training.

08:27

There needs to be extensive documentation and testing

08:30

of that documentation so that everyone knows

08:32

what to do during an incident.

08:34

This means that we would have to understand what happens

08:37

during the initial response?

08:39

What are the plans for investigation

08:41

when an incident is identified?

08:43

What is the process for reporting on this incident

08:45

and so on?

08:46

In large organizations, especially

08:48

those with multiple incident response teams,

08:51

this training and planning process

08:53

can be relatively expensive.

08:55

But you may find that all of the resources and money put

08:58

into the training process may save you money

09:01

when a big incident occurs.