Incident Response is what happens when a problem occurs: it is identified, and then you need to respond to it. Responding to such an incident is deemed "Incident Response", and you need to know its underlying concepts to be able to run your network efficiently. In this article, we will look at the underpinnings of Incident Response and Chain of Custody, and how to deal with a problem that occurs on a Microsoft based network. An incident response plan is a plan that allows you to function appropriately in a time of 'incident', so that you can resolve issues, get back up and running and contain the incident in one fell swoop.
Make an Incident Response Plan
Defining an Incident Response Plan
Now that you know what an Incident Response Plan is, you need to know why it is important and why it even exists. By now, from reading through this book, you know that you need to consider security because you will see problems... eventually. Problems will occur, and if an incident does appear, you (and your staff) will need to know how to deal with it appropriately. If an incident does occur, consider the following items; they should all be incorporated into your plan:
- Making an initial assessment: Making an initial assessment is critical to the plan. You need to know how to recognize an incident and assess whether it is one or not. Take initial steps to determine whether you are dealing with an actual incident or a false positive. Your initial assessment should be very brief.
- Communicating the incident: Communicating the incident is next in the plan, and it is probably one of the most important items. Make sure that if an incident occurs, this fact reaches the leader of the team so that the incident plan can be put into action.
- Containing the damage and then minimizing the risk: Containing the damage and minimizing the risk is critical in an incident. For instance, if your initial assessment shows a worm that is self-replicating across your network, you can contain the damage by unplugging the affected workstation from the switch or hub. This contains the damage and minimizes the risk.
- Identifying the type and severity of the compromise: Identifying the type and severity of the compromise is essential to see what kind of resources you need to put on it. If you have a very large problem that may cost the company millions (or worse yet put it out of business), you need to label it as such and give it a severity level like High Priority. You should attempt to determine the "exact" nature of the attack. Also, try to determine the attack point of origin - where exactly it is coming from and directly after, try to identify the systems that have been compromised.
- Protecting evidence: Protecting evidence is essential for a couple of reasons. For one, you never want to contaminate the evidence yourself; you may also want to make sure that someone else doesn't damage it intentionally.
- Notifying external agencies: Notifying external agencies such as law enforcement is something you need to plan for. Hopefully it doesn't need to come to this, but if it does, you need to know how to deal with it and whom to contact. Most law enforcement agencies these days have built, or are building, some form of Cybercrimes division.
- Recovering systems: Recovering systems is one of the most critical incident plan steps you can perform. After the incident, you have to get your systems back online.
- Assessing incident damage and cost: Assessing incident damage and cost is something you need to do for the company you work for. Especially with companies held publicly by stockholders, if a major loss occurs, this will be very critical data to have. This needs to be done by a leader in the incident response team.
- Reviewing the response and updating policies: Reviewing the response and updating policies on a regular basis is something you need to implement as part of your strategy. A plan is no good unless it is up to date and well prepared. Updating the plan after an actual response is also a good idea, so you can assess the plan itself and how you might have done things better.
It is very important that you thoroughly test your incident response process before an incident occurs. Without thorough testing, you cannot be confident that the measures you have in place will be effective in responding to incidents. When certain incidents occur, you may not only need to fix the immediate problem, but will also need to investigate the person behind it. Companies may find their Web sites or networks hacked by outside parties, receive threats via e-mail, or fall victim to any number of cybercrimes. In other cases, an administrator may discover that people internal to the organization are committing crimes or violating policies. Once systems are secure from further intrusion, you'll need to acquire information useful in finding and prosecuting the culprit responsible. Because any facts you acquire may become evidence in court, computer forensics must be used.
Computer forensics is the application of computer skills and investigation techniques for the purpose of acquiring evidence. It involves collecting, examining, preserving, and presenting evidence that is stored or transmitted in an electronic format. Because the purpose of computer forensics is its possible use in court, strict procedures must be followed for evidence to be admissible.
Even when an incident isn't criminal in nature, forensic procedures are important to follow. You may encounter incidents where employees have violated policies. For example, an employee may have violated a company's acceptable use policy and spent considerable time viewing pornography during work hours. By using forensic procedures to investigate the incident, you will create a tighter case against the employee. Because every action you took followed established guidelines and acquired evidence properly, the employee will have a more difficult time arguing the facts. Also, if during your investigation you find illegal activities (such as the person possessing child pornography), and then the internal investigation becomes a criminal one. Any actions you took in your investigation would be scrutinized, and anything you found could be evidence.
As we'll see in the sections that follow, there are a number of standards that must be met to ensure that evidence isn't compromised and information has been obtained correctly. By not following forensic procedures, judges may deem evidence inadmissible, defense lawyers may argue its validity, and the case may be damaged significantly. In many cases, the only evidence available is that which exists in a digital format. This could mean that the ability to punish an offender rests with your abilities to collect, examine, preserve, and present evidence.
Computer forensics is a relatively new field that emerged in law enforcement in the 1980s. Since then, it has become an important investigative practice for both police and corporations. It uses scientific methods to retrieve and document evidence located on computers and other electronic devices. By retrieving this information, it may result in the only evidence available to convict a culprit, or enhance more traditional evidence obtained through other investigative techniques.
Computer forensics uses specialized tools and techniques that have been developed over the years and are accepted in court. Using these tools, digital evidence may be retrieved in a variety of ways. Electronic evidence may reside on hard disks and other devices, may have been deleted so it is no longer visible through the normal functions of the computer, or may be hidden in other ways. While invisible through normal channels, forensic software can reveal this data and restore it to a previous state.
Forensics has four basic components: evidence must be collected, examined, preserved and presented. The tasks involved in forensics will either fall into one of these groups, or be performed across most or all of them. A constant element is the need for documentation, so that every action in the investigation is recorded. When taking the test, remember the four basic components and that everything must be documented.
What Your Role Is
While law enforcement agencies perform investigations and gather evidence with the understanding that the goal is to find, arrest, prosecute and convict a suspect, the motivation isn't always clear in businesses. A network administrator's job is to ensure the network is back up and running, while a Webmaster works to have an e-commerce site resuming business. With this in mind, why would computer forensics be important to these jobs? The reason is that if a hacker takes down a Web site or network, he or she may continue to do so until they're caught. Identifying and dealing with threats is a cornerstone of security, whether those threats are electronic or physical in nature.
Even when police have been called in to investigate a crime, a number of people will be involved. Members of the IT staff assigned to an Incident Response Team will generally be the first people to respond to the incident, and then work with investigators to provide access and expertise to systems. Senior staff should be notified to deal with the effect of the incident, and any inability to conduct normal business.
If police aren't called in, and the matter is to be handled internally, then the Incident Response team will deal with a much broader range of roles. Not only will they deal with the initial response to the incident, but will conduct the investigation, and provide evidence to an internal authority. This authority may be senior staff, or in the case of law enforcement, an Internal Affairs department. Even though no police may be involved in the situation, the procedures used in the forensic examination should be the same.
When conducting the investigation, a person must be designated as being in charge of the scene. This person should be knowledgeable in forensics, and directly involved in the investigation. In other words, just because the owner of the company is available, she should not be in charge if she's computer illiterate and/or unfamiliar with procedures. The person in charge should have authority to make final decisions on how the scene is secured, and how evidence is searched, handled, and processed.
There are three specific roles that people may perform when conducting an investigation. The "First Responder" is the first person to arrive at a crime scene. This doesn't mean the janitor who notices a server is making funny noises, but someone who has the knowledge and skill to deal with the incident. The first responder may be an officer, security personnel, a member of the IT staff or Incident Response Team, or any number of other individuals. The first responder is responsible for identifying the scope of the crime scene, securing it, and preserving fragile evidence.
Identifying the scope of a crime scene refers to establishing its scale. What is affected and where could evidence exist? When arriving on the scene, it is their role to identify what systems have been affected, as these will be used to collect evidence. If these systems were located in one room, then the scope of the crime scene would be the room itself. If it were a single server in a closet, then the closet would be the crime scene. If a system of networked computers were involved, then the crime scene could extend to several buildings.
Once the crime scene has been identified, the first responder must then establish a perimeter and protect it. Protecting the crime scene requires cordoning off the area where evidence resides. Until it is established what equipment may be excluded, everything in an area should be considered a possible source of evidence. This includes functioning and nonfunctioning workstations, laptops, servers, handheld PDAs, manuals, and anything else in the area of the crime. Until the scene has been processed, no one should be allowed to enter the area, and people who were in the area at the time of the crime should be documented.
The first responder shouldn't touch anything that is within the crime scene. Depending on how the crime was committed, traditional forensics may also be used to determine the identity of the person behind the crime. In the course of the investigation, police may collect DNA, fingerprints, hair, fibers, or other physical evidence. In terms of digital evidence, it is important for the first responder not to touch anything as it may alter, damage or destroy data or other identifying factors.
Preserving fragile evidence is another important duty of the first responder. If a source of evidence is on, they should take steps to preserve and document it so it isn't lost. For example, a computer that may contain evidence may be left on, and have programs opened on the screen. If a power outage occurred, the computer would shut down and any unsaved information that was in memory would be lost. Photographing the screen or documenting what appeared on it would provide a record of what was displayed, and could be used later as evidence.
When investigators arrive on the scene, it is important that the first responder provides as much information to them as possible. If the first responder touched anything, it is important that the investigator is notified so that it can be added to a report. Any observations should be mentioned, as this may provide insight into resolving the incident.
The investigator may be a member of law enforcement or the Incident Response Team. If a member of the Incident Response Team arrives first and collects some evidence, and the police arrive or are called later, then it is important that the person in charge of the team hands over all evidence and information dealing with the incident. If more than one member of the team was involved in the collection of evidence, then documentation will need to be provided to the investigator dealing with what each person saw and did.
A chain of command should be established when the person investigating the incident arrives at the scene. The investigator should make it clear that he or she is in charge, so that important decisions are made or presented to him or her. A chain of custody should also be established, documenting who handled or possessed evidence during the course of the investigation. Once the investigation begins, anyone handling the evidence is required to sign it in and out, so that there is a clear understanding of who possessed the evidence at any given time.
Even if the first responder has conducted an initial search for evidence, the investigator will need to establish what constitutes evidence and where it resides. If additional evidence is discovered, the perimeter securing the crime scene may be changed. Once established, the investigator will either have crime scene technicians begin to process the scene, or perform the duties of a technician. The investigator or a designated person in charge remains at the scene until all evidence has been properly collected and transported.
Crime Scene Technicians are individuals who have been trained in computer forensics, and have the knowledge, skills, and tools necessary to process a crime scene. The technician is responsible for preserving evidence, and will take great efforts to do so. The technician may acquire data from a system's memory, make images of hard disks before shutting them down, and ensure that systems are properly shut down before transport. Before transporting, all evidence will be sealed in a bag and/or tagged to identify it as a particular piece of evidence. The information identifying the evidence is added to a log, so that a proper inventory of each piece exists. Evidence is further packaged to reduce the risk of damage, such as from electrostatic discharge or jostling during transport. Once transported, the evidence is then stored under lock and key to prevent tampering, until such time that it can be properly examined and analyzed.
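The chain of custody and the evidence log described above can be kept as a simple ledger: each item is hashed when it is sealed, every handover is signed in and out, and a handover is refused if the releasing party is not the current holder or if the item no longer matches its collection hash. The following is an added example written for this article, not code from the original author; the evidence bytes, names and times are constructed, and the functions `collect`, `transfer` and `custody_report` are hypothetical names chosen for the illustration.

```python
"""Chain-of-custody ledger for a piece of digital evidence (added example).

Constructed demonstration: the 'disk image' is a short byte string and all
custodian names, tags and timestamps are made up.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CustodyEntry:
    when: datetime
    released_by: Optional[str]   # None for the initial collection at the scene
    received_by: str
    purpose: str
    hash_at_transfer: str        # SHA-256 verified at this handover


@dataclass
class EvidenceItem:
    tag: str                     # evidence tag written on the bag/label
    description: str
    collected_hash: str          # hash recorded when the item was first sealed
    custody: List[CustodyEntry] = field(default_factory=list)

    def holder(self) -> Optional[str]:
        """Whoever received the item in the most recent ledger entry."""
        return self.custody[-1].received_by if self.custody else None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(tag: str, description: str, data: bytes,
            collector: str, when: datetime) -> EvidenceItem:
    """Seal a new item: hash it and record the collector as first custodian."""
    h = sha256_hex(data)
    item = EvidenceItem(tag, description, h)
    item.custody.append(CustodyEntry(when, None, collector, "collection at scene", h))
    return item


def transfer(item: EvidenceItem, data: bytes, released_by: str,
             received_by: str, purpose: str, when: datetime) -> EvidenceItem:
    """Sign the item out of one custodian's hands and into another's.

    Refuses the transfer if the releasing party is not the current holder
    (a gap in the chain) or if the item no longer matches the hash taken at
    collection (possible tampering or damage in transit).
    """
    if item.holder() != released_by:
        raise ValueError(f"{released_by} does not hold {item.tag}; "
                         f"current holder is {item.holder()}")
    h = sha256_hex(data)
    if h != item.collected_hash:
        raise ValueError(f"integrity check failed for {item.tag}: "
                         f"{h} != {item.collected_hash}")
    item.custody.append(CustodyEntry(when, released_by, received_by, purpose, h))
    return item


def custody_report(item: EvidenceItem) -> str:
    """Render the inventory/log lines an investigator or court would review."""
    lines = [f"Evidence {item.tag}: {item.description}",
             f"  SHA-256 at collection: {item.collected_hash}"]
    for e in item.custody:
        frm = e.released_by or "(scene)"
        lines.append(f"  {e.when.isoformat()} {frm} -> {e.received_by}: {e.purpose}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a few bytes standing in for a server disk image.
    image = b"constructed disk image bytes for demonstration"
    t0 = datetime(2024, 1, 5, 9, 30, tzinfo=timezone.utc)
    item = collect("E-001", "Web server hard disk image", image,
                   "first responder (A. Lee)", t0)
    transfer(item, image, "first responder (A. Lee)", "investigator (B. Ruiz)",
             "hand-over on investigator arrival", t0.replace(hour=10))
    transfer(item, image, "investigator (B. Ruiz)", "evidence locker",
             "storage pending examination", t0.replace(hour=12))
    print(custody_report(item))
    # A modified image is refused at the next handover and the ledger is left unchanged.
    try:
        transfer(item, image + b"x", "evidence locker", "examiner (C. Diaz)",
                 "forensic examination", t0.replace(hour=14))
    except ValueError as err:
        print("REFUSED:", err)
```

Verifying the hash at every handover, rather than only at collection, means a broken seal or a damaged drive is noticed at the point it changed hands, which is exactly the question a defense lawyer will ask about each link in the chain.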
As you can see, the roles involved in an investigation have varying responsibilities, and require special knowledge to perform properly. While the paragraphs above provide an overview of what's involved, we still need to look at the specific tasks to understand how certain duties are carried out. Understanding these aspects of forensic procedure is not only vital to an investigation, but also for success in the field.
Rob Shimonski would like to thank Deb Shinder (www.shinder.net) for original content creation.