Incident Response Methodology is a widely used process for investigating a computer security incident, that is, any unlawful, unauthorized or unacceptable action involving a computer system or computer network.
Incident response process
1. PRESENTED BY
BHUPESHKUMAR M.V. NANHE
DEPARTMENT OF FORENSIC SCIENCE,
SHRI SHIVAJI COLLEGE OF ARTS, COMMERCE & SCIENCE, AKOLA (MH)
2. Synopsis
Introduction to Computer Security Incident
Goals of Incident Response
Experts involved in Incident Response
Incident Response Methodology
Pre-Incident Preparation
Detection of Incident
Formulate a Response Strategy
Data Collection
Data Analysis
Reporting
Resolution
3. Introduction to Computer Security Incident
A computer security incident is any unlawful, unauthorized or
unacceptable action that involves a computer system or a computer
network.
Such actions include:
Email harassment
Embezzlement
Possession and dissemination of child pornography
DoS attacks
Theft of trade secrets
4. Goals of Incident Response
Confirm whether an incident occurred or not
Minimize disruption of business and network operations
Promote accumulation of accurate information
Protect privacy rights established by law and policy
Provide accurate reports and useful recommendations
Allow criminal or civil action against the perpetrator(s)
Protect your organization’s reputation and assets
Educate senior management
5. Experts involved in the Incident Response Process
The Computer Security Incident Response Team (CSIRT) responds to the
incident and includes the following experts:
Technical experts
Cyber security experts
Legal counsel
Corporate security officer
Business managers
End users
Human Resources personnel
Workers
7. Pre-Incident Preparation
Preparation of Organization
Implementing host based security
Implementing network based security
Employing an intrusion detection system (IDS)
Creating strong access control
Training end users
Preparation of CSIRT
The hardware needed to investigate computer security incidents
The software needed to investigate computer security incidents
The documentation needed to investigate computer security incidents
8. Detection of Incident
IDS detection of a remote attack
Numerous failed logon attempts
Logins into dormant or default accounts
New account not created by the system administrator
Unfamiliar files and executable programs
Altered pages on a web server
Gaps in log files
Slower system performance
System crash
Receipt of an email extorting your organization
Child pornography discovered on a system
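The first three indicators on this slide (failed logon attempts, logins into dormant or default accounts, and a new or unexpected account suddenly in use) are the ones most easily checked from authentication logs. The following Python script is an added example, not part of the original slides: it runs over a handful of constructed OpenSSH-style syslog lines, counts failed logons per source address, flags successful logins to a hypothetical watch list of dormant and vendor-default accounts, and correlates the two so that a burst of failures followed by an "Accepted" from the same source is surfaced as a likely successful brute-force. The host names, IP addresses, threshold and account list are all assumptions for illustration.

```python
"""Detect failed-logon bursts and logins to dormant/default accounts.

Added example, not from the original slides. The log lines are constructed
OpenSSH/syslog-style messages; the threshold and the watch list of
dormant or default accounts are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[4111]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 10 02:14:03 web01 sshd[4111]: Failed password for root from 203.0.113.7 port 51523 ssh2
Mar 10 02:14:05 web01 sshd[4111]: Failed password for admin from 203.0.113.7 port 51524 ssh2
Mar 10 02:14:07 web01 sshd[4111]: Failed password for invalid user test from 203.0.113.7 port 51525 ssh2
Mar 10 02:14:09 web01 sshd[4111]: Failed password for root from 203.0.113.7 port 51526 ssh2
Mar 10 02:14:11 web01 sshd[4111]: Failed password for root from 203.0.113.7 port 51527 ssh2
Mar 10 02:15:40 web01 sshd[4120]: Accepted password for guest from 203.0.113.7 port 51530 ssh2
Mar 10 09:02:12 web01 sshd[5002]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar 10 09:05:30 web01 sshd[5010]: Failed password for alice from 198.51.100.20 port 40010 ssh2
"""

# Hypothetical watch list: accounts that should never log in interactively
# (dormant users and vendor defaults). Replace with the organization's own list.
DORMANT_OR_DEFAULT = {"guest", "root", "admin", "test", "oracle"}

# "invalid user" is inserted by sshd when the account does not exist; the
# optional group lets both forms yield the attempted user name.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def failed_logons_by_source(log_text, threshold=5):
    """Return {source_ip: count} for sources with at least `threshold` failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def logins_to_dormant_accounts(log_text, watchlist=DORMANT_OR_DEFAULT):
    """Return [(user, source_ip)] for successful logins to watch-listed accounts."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) in watchlist:
            hits.append((m.group(1), m.group(2)))
    return hits


def success_after_failures(log_text, threshold=5):
    """Correlate in log order: a source that failed `threshold` or more times
    and was then accepted. Returns [(source_ip, user, failures_so_far)]."""
    failures = Counter()
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1), failures[m.group(2)]))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", failed_logons_by_source(SAMPLE_LOG))
    print("dormant/default logins:", logins_to_dormant_accounts(SAMPLE_LOG))
    print("success after failures:", success_after_failures(SAMPLE_LOG))
```

The correlation function is the one worth keeping: a failure count alone produces noise from mistyped passwords (alice's single failure above), while failures followed by an "Accepted" from the same address is the pattern that should open an incident. On a real host the logs would be read from /var/log/auth.log or journald rather than an embedded string, and the threshold tuned to the environment.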
9. Initial Response
Interviewing the system administrators
Interviewing business unit personnel
Reviewing the IDS report and network-based logs to identify the
relevant data
Reviewing the network topologies and access control lists.
10. Formulate a Response Strategy
Based on all known facts, determine the best response and
obtain management approval.
Determine what civil, criminal, administrative or other actions are
appropriate, based on the conclusions drawn from the investigation.
11. Data Collection
1. Network Based Evidence
Obtain IDS logs
Obtain existing router logs
Obtain relevant firewall logs
Perform network monitoring
Obtain Backup
2. Host Based Evidence
Obtain volatile data during a live response (before the system is powered off, as it is lost on shutdown)
Obtain the system time/date stamps for every file on the victim system
Obtain backups
3. Other Evidence
Obtain oral testimony from witnesses
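The host-based step "obtain the system time/date for every file on the victim system" is usually done as a file-system timeline. The Python script below is an added example, not part of the original slides: it walks a directory tree without following symbolic links, records the three POSIX time stamps (atime, mtime, ctime), the size and a SHA-256 hash for every regular file, sorts the records by modification time, and writes them to a CSV whose own hash is returned for the chain-of-custody log. The directory layout and file names used to exercise it are constructed; the function names are this example's own.

```python
"""Record time stamps and hashes for every file under a directory.

Added example, not from the original slides. Implements the "obtain the
system time/date for every file" collection step as a sortable timeline.
Directory and file names in any test run are constructed.
"""
import csv
import hashlib
import os
import stat
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large evidence files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _iso(ts):
    """Render a POSIX timestamp as ISO 8601 in UTC, so records from different
    hosts and time zones line up in one timeline."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def collect_file_times(root):
    """Walk `root` and return one record per regular file, sorted by mtime.

    lstat() is taken before the file is read, so the recorded atime is the
    value from before this collection touched the file. On Linux, ctime is the
    inode change time, not the creation time.
    """
    records = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # do not stat through symlinks
            if not stat.S_ISREG(st.st_mode):
                continue                 # skip symlinks, sockets, devices
            records.append({
                "path": path,
                "size": st.st_size,
                "atime": _iso(st.st_atime),
                "mtime": _iso(st.st_mtime),
                "ctime": _iso(st.st_ctime),
                "sha256": sha256_file(path),
            })
    records.sort(key=lambda r: r["mtime"])
    return records


def write_timeline_csv(records, out_path):
    """Write the records as CSV; return the SHA-256 of the CSV for the custody log."""
    fields = ["path", "size", "atime", "mtime", "ctime", "sha256"]
    with open(out_path, "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=fields)
        writer.writeheader()
        writer.writerows(records)
    return sha256_file(out_path)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    recs = collect_file_times(target)
    digest = write_timeline_csv(recs, "file_timeline.csv")
    print(f"{len(recs)} files recorded; file_timeline.csv sha256={digest}")
```

Reading a file to hash it updates its access time on most file systems, so on a real engagement this runs against a read-only mounted forensic image rather than the live disk, and the live system is left for the volatile-data collection described above. Writing the CSV onto the evidence volume itself would also alter it; direct the output to collection media.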
14. Resolution
Identify the organization’s top priorities and resolve them
Return all systems to operational status
Implement proper computer and network security
Restore any affected or compromised systems
Apply the corrections required to address any host-based vulnerabilities