Educause Security Discussion mailing list archives
Re: Incident Response / Investigations / Digital Forensics strategy
From: Brad Judy <judy () COLORADO EDU>
Date: Tue, 7 Mar 2006 15:18:47 -0700
I'll also agree that one must either have both an in-house and an external ability to analyze compromised systems, or have all systems analyzed by a third party. You will definitely have situations which require the expertise, impartiality, or certifications of a third party. In particular, if you have an incident with a system that processes credit cards, you will likely need (or at least want) to involve a third party who is proficient (and probably certified) on PCI compliance issues. Depending on the situation, there may be very specific requirements from the associated bank. As mentioned, in any high-profile cases, or cases where a conflict of interest might exist (i.e. those involved in system administration would be involved in forensics), you would want to use a third party in order to preserve integrity.

I'm concerned about your note of examining essentially all virus/worm incidents with full forensics. While business-critical systems or systems with sensitive data may warrant this level of investigation, most won't. If a typical desktop system that contains no sensitive data is infected with a known virus/worm, you can assume any accounts used on the system have had their passwords compromised and that the system itself needs to be rebuilt. Password changes, checks of audit logs on potentially compromised accounts, and a system rebuild should be adequate without forensic investigation.

Given these two points, that generally leaves lesser hacks as the only items for in-house investigation: significant cases go to third parties (IT security firms, law enforcement) and minor ones don't need forensics. While there are some cases of escalation (i.e. in-house investigation unveils the need for third-party investigation), hopefully the first questions asked before you start investigating are:

- What data is on this system? (certain data types trigger immediate escalation)
- How critical is the role of this system? (life/safety systems likely require different procedures)
- Where was attacking traffic coming from? (certain sources might dictate immediate involvement of law enforcement agencies)

This usually just leaves escalation due to 'surprise data' (everyone's favorite thing) that no one remembered was on the system (e.g. an old database), or that the attacker placed on the system (i.e. criminal content).

No matter what path you choose, having a good, documented incident response process is very important.

Brad Judy
Information Technology Services
University of Colorado at Boulder
-----Original Message-----
From: James H Moore [mailto:jhmfa () RIT EDU]
Sent: Tuesday, March 07, 2006 9:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Incident Response / Investigations / Digital Forensics strategy

I have appreciated the response that I have gotten, and I am developing a list of names of good forensic investigators (and cross-checking it against the list developed from the NIST "CFTT" computer forensics tool testing mailing list, which unfortunately has had rather light traffic). But I guess what I am in need of, and think that I am close to, is a strategy.

1) Most incidents start with events or aberrations that end users or support people notice.
2) It becomes an incident when someone notices that a safeguard has failed or has been circumvented.
3) More likely than not, the support person will do a little looking to see how bad the problem is. Most forensic investigators hate this, but the reality of the situation is that there is a trade-off. I can forensically grab an image of a hard drive (memory too if I have EnCase Enterprise) easily, if not quickly. But
   3a) It takes time, lots of time
      3a1) Some of this can be cut short by doing a forensic image and then having a regular disk copier standing by. Verifying the forensic copy.
   3b) It takes storage, lots of storage, especially if you are interrupting investigations before systems admins poke around
   3c) It takes computers/licenses to analyze the results
   OR
   3d) It takes money, lots of money to have every incident interrupted at this point, and then ship the forensic image off for analysis
4) Considering the impact of various Notification laws, such as California's, New York's, and 20+ other states', consider what is now an "investigation". A user gets a worm or virus or spyware; the A/V can't just be set to clean, because if the worm or virus has the capability of sending files, or logging keystrokes, then you need to make the determination that you reasonably believe that the information was acquired or not acquired by an unauthorized person.

So we are starting to work a lot of investigations. We are trying to look at the incident handling process, and the cost model for investigations, and determine what we need. Any way that I slice it, it seems that I need both in-house investigation capabilities and real forensics professionals standing by. This just seems hard, and it also seems to be hard to justify, because of the "lots of ...".

I initially had approved $65K to establish a small forensics lab on campus. And I am working toward that goal, which is 2 forensic computers (incl. write blockers, CRU trays, IDE/SATA/SCSI, and USB/Firewire), ESD protection, an IDE/SATA disk duplicator, licenses for SMART and EnCase Forensic workstation, a pool of disks, a dual-layer DVD writer, DVD media, secure lockers, etc. A couple of things out of the list have yet to be purchased (one of the forensic workstations, and the IDE/SATA duplicator). And although incidents are going up, I am asked to justify the completion of the lab. One way that I thought of doing that is to compare the cost of forensically copying a disk and outsourcing the investigation to doing more in house, with the involvement of an outside forensic expert only if there is a threat of a lawsuit.

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)
"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information" - Peter Presidio

-----Original Message-----
From: Chris Green [mailto:cmgreen () UAB EDU]
Sent: Tuesday, March 07, 2006 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Digital Forensics Professional Services Costs was [SECURITY] Use of Digital Forensics Professional Services

It's looking like our state could join the ranks of everyone else in the notification laws. I'm looking at having in-house expertise for the cases where we need to have some reasonable knowledge if there's a disclosure, and outsourcing it if it's a high-profile target or there is a good chance that there will be legal proceedings involving the data.

On 3/6/06 2:15 PM, "James H Moore" <jhmfa () RIT EDU> wrote:

> We are looking at the costs of outsourcing Digital Forensics Professional Services, and the costs of keeping it in-house. Also, we are looking at determining the point where we do the transition (when it goes from an investigation to a forensic investigation). We haven't done pricing, and so what I am looking for is information / experiences that people have in the investigations and forensics area, and what influenced their decisions.

--
Chris Green
UAB Data Security, 5-0842
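Jim's step 3a1 (take a forensic image, then verify the copy) and Brad's point about preserving integrity for a third party both come down to the same small procedure, so here is an added example of it as a POSIX shell script. It is not code from the thread or from any tool named in it (EnCase, SMART); it assumes a Linux host with coreutils (dd, sha256sum, date, mktemp), and the 1 MiB "disk" it images is constructed data so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the list thread. Acquires a sector-by-sector image
# with dd, hashes source and image with sha256sum, and appends both hashes to
# a custody log so the image can be re-verified later (or handed to a third
# party with a checkable record). Assumes Linux with coreutils.

# make_sample_disk PATH: build a constructed 1 MiB "disk" file so the example
# runs offline. Constructed data, not real evidence. The size is an exact
# multiple of 512 so conv=sync below does not pad the final block.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    printf 'constructed sample disk: not real evidence\n' \
        | dd of="$1" conv=notrunc 2>/dev/null
}

# acquire_image SRC DEST LOG: copy SRC to DEST sector by sector, hash both,
# record the hashes in LOG, and return 0 only if the two hashes match.
acquire_image() {
    src=$1; dest=$2; log=$3
    # bs=512 matches the sector size; conv=noerror,sync keeps going past
    # unreadable sectors and zero-fills them so offsets are preserved.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s acquired source=%s image=%s sha256_source=%s sha256_image=%s\n' \
        "$ts" "$src" "$dest" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST LOG: recompute the image hash and compare it with the
# last value logged for that image. Returns 0 if unchanged, 1 otherwise
# (including when the image was never logged).
verify_image() {
    dest=$1; log=$2
    expected=$(grep -F "image=$dest " "$log" | tail -n 1 | sed 's/.*sha256_image=//')
    actual=$(sha256sum "$dest" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Run with "--demo" to exercise the functions against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_disk "$work/suspect.img"
    if acquire_image "$work/suspect.img" "$work/evidence.dd" "$work/custody.log"; then
        echo "image hash matches source"
    else
        echo "hash mismatch, re-acquire before analysis"
    fi
    verify_image "$work/evidence.dd" "$work/custody.log" && echo "image verified"
    cat "$work/custody.log"
fi
```

On a real case the source path is the device node behind a hardware write blocker, and the custody log line (timestamp, paths, both hashes) is what lets an outside examiner later confirm that the image they received is the one taken, which is the integrity point Brad raises for third-party involvement. The mismatch branch is the one worth keeping: a failed compare after acquisition means the copy is not evidence yet.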