KULIAH 12INCIDENT RESPONSE

(dirangkum dari buku Incident Response: A strategic Guide to Handling System and Network Security)

Aswin Suharsono

KOM 15008Keamanan Jaringan

2012/2013

KOM 15008Keamanan Jaringan

2012/2013

Definisi

• Incident: event (kejadian) yang mengancam keamanan sistem komputer dan jaringan.

• Event adalah semua hal yang bisa diobservasi (diukur)

• Contoh event: connect ke sistem lain dalam jaringan, mengakses file, mengirim paket, sistem shutdown, dsb.

• Event yang mengancam antara lain, system crashes, packet flood, penggunaan akun oleh orang yang tidak berhak, web deface, bencana alam, dan hal-hal lain yang membahayakan kinerja sistem

Incident Types• CIA related incidents:

– Confidentiality: Upaya masuk ke dalam sistem rahasia militer– Integrity– Availability

• Other Types– Reconnaissance Attacks– Repudiation

• Someone takes action and denies it later on.

Kenapa perlu incident response?

• Bagi Organisasi Respon yang sistematis terhadap insiden Recover quickly Mencegah insiden serupa di masa depan Menyiapkan langkah-langkah yang berkaitan dengan hukum

Incident Response Scope

• Technical:– Incident detection and investigation tools and procedures

• Management-related– Policy– Formation of incident response capability

• In-house vs. out-sourced

Incident Handling

Containment, Eradication and Recovery

Post-incident activity

Detection and Analysis

Preparation

PDCERF incident response method

Preparation

Incident Handling: Preparation

• Incident Handler Communications and Facilities– Contact information On-call information for other teams

within the organization, including escalation information Incident reporting mechanisms

– Pagers or cell phones to be carried by team members for off-hour support, onsite communications

– Encryption software– War room for central communication and coordination– Secure storage facility for securing evidence and other

sensitive materials

Incident Handling: Preparation• Incident Analysis Hardware and Software

– Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data

– Blank portable media– Easily portable printer – Packet sniffers and protocol analyzers– Computer forensic software – Floppies and CDs with trusted versions of programs to be used to

gather evidence from systems– Evidence gathering accessories

• hard-bound notebooks• digital cameras• audio recorders• chain of custody forms• evidence storage bags and tags• evidence tape

Incident Handling: Preparation• Incident Analysis Resources– Port lists, including commonly used ports and Trojan horse

ports– Documentation for OSs, applications, protocols, and

intrusion detection and antivirus signatures– Network diagrams and lists of critical assets, such as Web,

e-mail, and File Transfer Protocol (FTP) servers– Baselines of expected network, system and application

activity– Cryptographic hashes of critical files to speed the analysis,

verification, and eradication of incidents

Incident Handling: Preparation

• Incident Mitigation Software– Media, including OS boot disks and CD-ROMs, OS media, and

application media– Security patches from OS and application vendors– Backup images of OS, applications, and data stored on secondary

media

Incident Handling: Detection and Analysis

• Incident Categories– Denial of Service– Malicious code– Unauthorized access– Inappropriate usage– Multiple component incidents

Incident Handling: Detection and Analysis

• Signs of an incident– Intrusion detection systems– Antivirus software– Log analyzers– File integrity checking– Third-party monitoring of critical services

• Incident indications vs. precursors– Precursor is a sign that an incident may occur in the future

• E.g. scanning– Indication is a sign that an incident is occurring or has occurred

Incident Handling: Detection and Analysis

• Incident documentation– If incident is suspected, start recording facts

• Incident Prioritization based on– Current and potential technical effects– Criticality of affected resources

• Incident notification– CIO– Head of information system– Local information security officer– Other incident teams– Other agency departments such as HR, public affairs, legal department

Incident Handling: Containment, Eradication, Recovery

• Containment strategies– Vary based on type of incident– Criteria for choosing strategy include

• Potential damage / theft of resources• Need for evidence information• Service availability• Resource consumption of strategy• Effectiveness of strategy• Duration of solution

Incident Handling: Containment, Eradication, Recovery

• Evidence gathering– For incident analysis– For legal proceedings

• Chain of custody• Authentication of evidence

Incident Handling: Containment, Eradication, Recovery

• Attacker identification– Validation of attacker IP address– Scanning attacker’s system– Research attacker through search engines– Using Incident Databases– Monitoring possible attacker communication channels

Incident Handling: Containment, Eradication, Recovery

• Eradication – Deleting malicious code– Disabling breached user accounts

• Recovery– Restoration of system(s) to normal operations

• Restoring from clean backups• Rebuilding systems from scratch• Replacing compromised files• Installing patches• Changing passwords• Tighten perimeter security• Strengthen logging

Incident Handling: Post-Incident Activity

• Evidence Retention– Prosecution of attacker– Data retention policies– Cost

That’s All