Identifying and Responding to Security Incidents in the Law Firm
Presented by: Carlos Batista, Information Security Manager
Alston & Bird LLP
Learning Objectives
- Understand how one law firm developed and enacted a formal Computer Incident Response Team (CIRT)
- Identify key stakeholders in Incident Response
- Identify most likely scenarios for a computer security breach
- Define a methodology and establish measures for how to respond to such breaches
About Alston & Bird:
- National, Full-Service Law Firm
- 725 Attorneys, 5 U.S. Offices
- 240 Servers & 2,100 Desktops
- Almost all IT & Security Services Hosted In-House
- 25% of Servers Virtualized
The Benefits of a Computer Incident Response Team (CIRT)
- Proactive approach to responding to a security breach
- Better prepared to collect & analyze forensic-quality evidence
- Less downtime for impacted / breached and un-impacted systems
- Firm's reputation is better preserved by following proper containment strategies
#1 Key to CIRT Planning & Success:
Senior Management Support!
How to Form a CIRT – Key Players
Core Team
- Information Security Manager (CIRT Team Leader)
- IT Infrastructure Manager
- Director of I.T.
- Information Security Analyst
- Facilities Manager
Support Team
- Finance Manager
- BC / DR Representative
- H.R. Representative
- Business Development / Public Relations
- Attorney / Loss Prevention
- C.I.O.
Identify Likely Breach Scenarios
There are many security breach scenarios – you need to narrow them down to a few and address how to respond to those. We chose to develop responses to four scenarios:
- Significant Computer or Network Equipment Theft
- Compromise of Firm's Website
- Virus or Worm Outbreak on the Network
- Unauthorized Disclosure by Electronic Means
Identify a Methodology for Responding
Response scenarios are typically easier to devise when an overall strategy or methodology is followed.
We chose the PDCERF model (Schultz & Shumway) for incident response.
PDCERF Methodology Defined
- Preparation – Being ready to respond before an incident actually occurs.
- Detection – Determining that something malicious has actually occurred.
- Containment – Limiting the extent of an incident, preventing further damage from occurring.
- Eradication – Finding and eliminating the root cause or causes that made the incident possible.
- Recovery – Restoring the environment to its pre-incident state, but protected so the incident cannot reoccur.
- Follow-Up – Reviewing and integrating "lessons learned" into your incident response plans and security operations.
Scenario #2 – Compromise of Firm’s Website
Preparation
- Determined Incident Response Posture & Obtained Approval
- Configured FW, IDS/IPS Optimally for Attack Detection
- Configured Web Server & Database Logging
- Created Known-Good System Backups with MD5 Hashes
- Synchronized Network Time across All Devices
- Established Relationship with Infragard (FBI)
- Created CIRT Calling Tree
- Created "Maintenance" Website
- Built Documentation on CIRT Framework and Cutover Procedures
- Prepared to Record Everything During an Incident (Timeline)
Detection
- Interfaced with Support Groups / Help Center to Define a Notification Plan
- Defined SLAs for Initial Response, First Meeting, and Incident Updates to Management
- Defined Procedures for Initial Evidence Gathering
- Created Secure Repository for All Digital Evidence
Containment
- VMware Guest Machines for Website Paused
- VMware Files Copied to a Forensic Server
- Impacted Hosts Segmented from Rest of Network
- Full Disclosure Kept Strictly Confidential
- Help Center Instructed to Inform Others Website is Experiencing "Technical Difficulties"
- External Parties Not Contacted (Not Currently)
Eradication
- Depends Largely on the Determined Root Cause
- May Involve Software Updates, Software Removal, Configuration Changes, Better Change Control, Operational Security, Physical Security, etc.
- Changes Tested in QA / Development Environment as Much as Possible
Recovery
- All Impacted Systems Are Flattened and Rebuilt
- Rebuilds Performed from Certified Known-Good Backup (MD5)
- Procedures Developed for Rebuild to Minimize Possibility of Breach Reoccurring
- Mitigations to Address Root Cause of Breach Implemented
- Validation Testing Performed
- Access to Fully Operational Website Re-enabled
Follow-Up
Post-Mortem Meetings to Review the Following:
- Timeline
- Response Time
- Recovery Procedures
- Evidence Gathered
- Investigatory Next Steps - If Applicable
- Parties Involved – Should Others Be Brought In?
- Disposition of Evidence
- What Can Be Done Better?
- Update Scenario Response Plan
CIRT – Next Steps
- Continue Working on Scenarios – Incident Response is a Process, not a Project
- Implement Syslog Server
- Investigate Using Tripwire for Integrity Check
- Integrate AlertFind into CIRT Procedures
- Actively Test Scenarios – Challenging Because Downtime is Required
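An added example, not from the deck or from Alston & Bird, of the known-good baseline that the Preparation and Recovery slides rely on and of the file-integrity check the Next Steps slide considers Tripwire for: it hashes a directory tree, keeps the digests as a manifest, and later reports which files were modified, removed or added. The web root contents are constructed for the demo; the digest defaults to SHA-256 rather than the deck's MD5, since MD5 collisions are practical and a baseline should not depend on it.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Digest a file in chunks so large backup images need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algorithm="sha256"):
    """Walk a known-good tree and map each relative path to its digest.
    Pass algorithm="md5" to match the deck's MD5 baselines; sha256 is the
    default because MD5 is no longer collision resistant."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): hash_file(p, algorithm)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"algorithm": algorithm, "files": files}

def verify_baseline(root, baseline):
    """Re-hash the tree and report what changed since the baseline was taken."""
    current = build_baseline(root, baseline["algorithm"])["files"]
    expected = baseline["files"]
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "removed": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }

def demo():
    """Constructed example: baseline a tiny web root, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome to the firm</h1>\n")
        (root / "css" / "site.css").write_text("body { color: black; }\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        baseline = build_baseline(root)  # taken while the system is known good
        # Simulated compromise: a page altered, a file removed, a file dropped in.
        (root / "index.html").write_text("<h1>Site changed</h1>\n")
        (root / "robots.txt").unlink()
        (root / "css" / "unexpected.txt").write_text("not in the baseline\n")
        return verify_baseline(root, baseline)
```

The manifest is only as trustworthy as its storage: keep it off the host it describes, for instance on the forensic server the Containment slide mentions, so a compromise cannot rewrite both the files and their recorded digests.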
References
Schultz & Shumway: Incident Response – A Strategic Guide to Handling System and Network Security Breaches.
Mandia, Prosise & Pepe: Incident Response & Computer Forensics (2nd Edition).
SANS Institute (sans.org)
Questions / Comments?
“In God we trust…all others we virus scan.” - Anonymous