Notes from CPNT-260 at SAIT.
A computer incident is an anomaly: something different or abnormal. More specifically, an incident is any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network.
Goals of IR
- Prevent incident mishandling.
- Confirm whether an incident occurred.
- Promote accumulation of accurate information.
- Establish controls for proper retrieval and handling of evidence.
- Protect privacy rights established by law and policy.
- Minimize disruption to business and network operations.
The IR team includes resources from multiple departments of an organization.
- Human Resources
- Technical Experts
- Security Professionals
- Corporate Security Officers
- Business managers
- End users
- Help desk
This team is sometimes called the CSIRT. CSIRT is Computer Security Incident Response Team.
Phases of the IR process:
- Pre-incident preparation: take actions to prepare the organization and CSIRT before an incident occurs.
- Detection of incidents: identify a potential computer security incident.
- Initial response:
  - perform an initial investigation
  - record basic details surrounding the incident
  - assemble the IR team
  - notify stakeholders
- Formulate response strategy:
  - determine the best response
  - obtain management approval
- Incident investigation:
  - perform thorough collection of data
  - review the data collected to determine what happened
  - accurately report information about the investigation
- Employ security measures
- Procedural changes
- Record lessons learned
- Develop long-term changes
Detecting an incident
Look for signs of a breach such as:
- account discrepancies
- data modification and deletion
- users complaining of poor performance
- atypical traffic patterns
- large numbers of failed login attempts
Tools that surface these signs:
- SIEM (Security Information and Event Management)
- centralized log systems such as syslog
- IDS (Intrusion Detection Systems)
- network sniffers
- process management tools
- forensics tools
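The "large numbers of failed login attempts" indicator is the one most easily checked against a centralized syslog feed. The script below is an added example (not from the course notes): it parses OpenSSH auth lines in syslog format, counts failures per source address in a sliding window, and raises a second, stronger alert when a source that was failing suddenly logs in successfully, which is what a completed password-guessing attack looks like in the log. The log lines, hostnames and addresses (RFC 5737 documentation ranges) are constructed for the example; the threshold and window are assumptions to tune per environment.

```python
"""Flag failed-login bursts in syslog-style sshd lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth messages as syslog writes them (no year in the timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted (?:password|publickey)) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log. 203.0.113.7 guesses six passwords in 30 seconds and
# then gets in as root; 198.51.100.4 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
Mar 14 09:21:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 09:21:09 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 14 09:21:14 web01 sshd[2235]: Failed password for invalid user oracle from 203.0.113.7 port 51036 ssh2
Mar 14 09:21:20 web01 sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Mar 14 09:21:27 web01 sshd[2239]: Failed password for root from 203.0.113.7 port 51047 ssh2
Mar 14 09:21:33 web01 sshd[2241]: Failed password for root from 203.0.113.7 port 51052 ssh2
Mar 14 09:21:40 web01 sshd[2243]: Accepted password for root from 203.0.113.7 port 51058 ssh2
Mar 14 09:22:01 web01 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 09:25:38 web01 sshd[2410]: Failed password for deploy from 198.51.100.4 port 40219 ssh2
Mar 14 09:25:41 web01 sshd[2412]: Accepted publickey for deploy from 198.51.100.4 port 40222 ssh2: ED25519 SHA256:abc
"""


def parse_line(line, year=2024):
    """Return a dict for sshd auth lines, None for anything else (cron, kernel, ...).

    Syslog omits the year, so the caller supplies it (assumed 2024 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "user": m["user"],
        "ip": m["ip"],
        "failed": m["outcome"].startswith("Failed"),
    }


def detect(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source IP.

    Emits one 'brute_force' alert per source once `threshold` failures land
    within `window_seconds`, and a 'success_after_failures' alert for every
    later successful login from a source that tripped the first rule.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])      # log order is not guaranteed
    recent = defaultdict(deque)             # ip -> failure timestamps inside the window
    tripped = set()
    alerts = []
    for e in events:
        q = recent[e["ip"]]
        if e["failed"]:
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()                 # drop failures older than the window
            if len(q) >= threshold and e["ip"] not in tripped:
                tripped.add(e["ip"])
                alerts.append({"kind": "brute_force", "source": e["ip"],
                               "failures": len(q), "at": e["ts"]})
        elif e["ip"] in tripped:
            alerts.append({"kind": "success_after_failures", "source": e["ip"],
                           "user": e["user"], "host": e["host"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against a real file with `detect(open("/var/log/auth.log").readlines())`. The single mistyped password from 198.51.100.4 produces nothing, which is the point of counting in a window rather than alerting on every failure; the success-after-burst alert is the one that should page someone, since it means the guessing worked.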
Handling an incident
Steps must be clearly defined in security policies so that every action has a clear focus. The most fundamental objective is to regain control of the affected systems and limit the impact and damage. Sometimes shutting a system down or disconnecting it from the network is the only practical option. Priorities:
- protect human life.
- protect sensitive information.
- prevent damage to systems.
- minimize disruption of computing resources.
Recovering from an incident
- Review policies and procedures
- Evaluate the situation
- Avoid panic
- Collect information
- Take appropriate action
- Request information
- Evaluate the situation
- Stop the attack / secure the scene
- Preserve evidence
- Organize the examination
- Note findings
- Determine causes
Disk Images on Linux
Disks are physical devices. Partitions are logical divisions of a disk. A file system is the format in which files are organized within a partition. An ordinary file can stand in for a disk: when it is mounted, the kernel attaches it to a loop device (/dev/loop0 below).
Create an 8 MiB file system image (512-byte blocks * 16k = 16,384 blocks = 8,388,608 bytes):
    $ dd if=/dev/zero of=disk.img bs=512 count=16k
    16384+0 records in
    16384+0 records out
    8388608 bytes (8.4 MB) copied, 0.0426032 s, 197 MB/s
    $ mkfs.ext3 disk.img
    mke2fs 1.42.9 (28-Dec-2013)
    disk.img is not a block special device.
    Proceed anyway? (y,n) y
    Discarding device blocks: done
    Filesystem label=
    OS type: Linux
    Block size=1024 (log=0)
    Fragment size=1024 (log=0)
    Stride=0 blocks, Stripe width=0 blocks
    2048 inodes, 8192 blocks
    409 blocks (4.99%) reserved for the super user
    First data block=1
    Maximum filesystem blocks=8388608
    1 block group
    8192 blocks per group, 8192 fragments per group
    2048 inodes per group
    Allocating group tables: done
    Writing inode tables: done
    Creating journal (1024 blocks): done
    Writing superblocks and filesystem accounting information: done
    $ ls /mnt
    $ sudo mount disk.img /mnt
    $ ls /mnt
    lost+found/
    $ df
    Filesystem      Size  Used Avail Use% Mounted on
    ...
    /dev/loop0      6.8M   50K  6.3M   1% /mnt
    $ mount -l
    ...
    /home/mo/tmp/disk.img on /mnt type ext3 (rw,relatime,seclabel,data=ordered)
    # echo 'hello, world!' > /mnt/README
    # umount /mnt
    # ls /mnt
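Every figure mkfs.ext3 printed above (2048 inodes, 8192 blocks, 409 reserved, 1 KiB block size, one block group) is recorded in the superblock, which begins 1024 bytes into the file system, right after the boot block. The parser below is an added example, not part of the course notes: it decodes those fields straight from the image file using the public ext2/3/4 on-disk layout, so nothing has to be mounted and the evidence is never written. Because a real `mkfs.ext3` run is not available offline, `build_sample_image()` constructs a 2 KiB stand-in whose superblock carries the same geometry as the run above; its free-space counts and the volume name "evidence" are illustrative values, and it is not a mountable file system.

```python
"""Decode the primary superblock of an ext2/ext3/ext4 disk image (added example)."""
import struct

SUPERBLOCK_OFFSET = 1024               # byte offset of the primary superblock
EXT_MAGIC = 0xEF53                     # s_magic, little-endian u16 at 0x38
FEATURE_COMPAT_HAS_JOURNAL = 0x0004    # set on ext3/ext4, absent on ext2
FEATURE_INCOMPAT_EXTENTS = 0x0040      # ext4 only
STATE_NAMES = {1: "clean", 2: "errors", 3: "clean with recorded errors"}


def parse_superblock(image: bytes) -> dict:
    """Return the geometry fields from the superblock of an ext image in memory."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too small to hold an ext superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}: not an ext2/3/4 filesystem")
    # 0x00..0x1B: inodes, blocks, reserved, free blocks, free inodes,
    #             first data block, log2(block size / 1024)
    (inodes, blocks, reserved, free_blocks, free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0x00)
    # 0x20..0x2B: blocks per group, fragments per group, inodes per group
    blocks_per_group, _frags_per_group, inodes_per_group = struct.unpack_from("<3I", sb, 0x20)
    (state,) = struct.unpack_from("<H", sb, 0x3A)
    compat, incompat, _ro_compat = struct.unpack_from("<3I", sb, 0x5C)
    volume_name = sb[0x78:0x88].split(b"\0", 1)[0].decode("latin-1")

    if incompat & FEATURE_INCOMPAT_EXTENTS:
        flavour = "ext4"
    elif compat & FEATURE_COMPAT_HAS_JOURNAL:
        flavour = "ext3"          # mkfs.ext3 = ext2 layout plus a journal
    else:
        flavour = "ext2"
    block_size = 1024 << log_block_size
    return {
        "flavour": flavour,
        "block_size": block_size,
        "inodes": inodes,
        "blocks": blocks,
        "reserved_blocks": reserved,
        "free_blocks": free_blocks,
        "free_inodes": free_inodes,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "block_groups": -(-blocks // blocks_per_group),   # ceiling division
        "size_bytes": blocks * block_size,
        "state": STATE_NAMES.get(state, f"unknown ({state})"),
        "volume_name": volume_name,
    }


def parse_image_file(path: str) -> dict:
    """Read only the boot block and superblock; the image is opened read-only."""
    with open(path, "rb") as f:
        return parse_superblock(f.read(SUPERBLOCK_OFFSET + 1024))


def build_sample_image() -> bytes:
    """Constructed stand-in for disk.img: a zeroed boot block followed by a
    superblock with the geometry mkfs.ext3 reported above. Free counts and the
    volume name are illustrative; this is not a mountable filesystem."""
    sb = bytearray(1024)
    struct.pack_into("<7I", sb, 0x00, 2048, 8192, 409, 6900, 2036, 1, 0)
    struct.pack_into("<3I", sb, 0x20, 8192, 8192, 2048)
    struct.pack_into("<HH", sb, 0x38, EXT_MAGIC, 1)          # magic, state=clean
    struct.pack_into("<3I", sb, 0x5C, FEATURE_COMPAT_HAS_JOURNAL, 0, 0)
    sb[0x78:0x80] = b"evidence"
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    import sys
    info = parse_image_file(sys.argv[1]) if len(sys.argv) > 1 else parse_superblock(build_sample_image())
    for key, value in info.items():
        print(f"{key:>18}: {value}")
```

Run it as `python3 extsb.py disk.img` against the image created above and the inodes, blocks, reserved blocks and block size should match the mkfs output; the `state` field tells you whether the file system was cleanly unmounted when the image was taken. Two caveats matter once an image is evidence rather than a scratch file: hash it before and after anything touches it (`sha256sum disk.img`), and if it has to be mounted, mount it `-o ro,noload,loop` so the kernel neither updates access times nor replays the ext3 journal, which it will otherwise do even on a read-only mount. The session above mounts read-write and writes README into the image, which is fine for a practice file system but would invalidate evidence.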