Re: Incident Response / Investigations / Digital Forensics strategy

[Brad Judy <judy () COLORADO EDU>]

I'll also agree that one must either have both an in-house and an
external ability to analyze compromised systems, or have all systems
analyzed by a third-party.  You will definitely have situations which
require the expertise, impartiality, or certifications of a third party.
In particular, if you have an incident with a system that processes
credit cards, you will likely need (or at least want) to involve a third
party who is proficient (and probably certified) on PCI compliance
issues.  Depending on the situation, there may be very specific
requirements from the associated bank.  As mentioned, in any
high-profile cases, or cases where a conflict of interest might exist
(i.e. those involved in system administration would be involved in
forensics), you would want to use a third party in order to preserve
integrity.

I'm concerned about your note of examining essentially all virus/worm
incidents with full forensics.  While business critical systems or
systems with sensitive data may warrant this level of investigation,
most won't.  If a typical desktop system that contains no sensitive data
is infected with a known virus/worm, you can assume any accounts used on
the system have had their passwords compromised and that the system
itself needs to be rebuilt.  Password changes, checks of audit logs on
potentially compromised accounts, and a system rebuild should be
adequate without forensic investigation.  

Given these two points, that generally leaves lesser hacks as the only
items for in-house investigation: significant cases go to third parties
(IT security firms, law enforcement) and minor ones don't need
forensics.  While there are some cases of escalation (i.e. in-house
investigation unveils the need for third-party investigation), hopefully
the first questions asked before you start investigating are: 

What data is on this system?  (certain data types triggers immediate
escalation)
How critical is the role of this system? (life/safety systems likely
require different procedures)
Where was attacking traffic coming from? (certain sources might dictate
immediate involvement of law enforcement agencies)

This usually just leaves escalation due to 'surprise data' (everyone's
favorite thing) that no one remembered was on the system (e.g. an old
database), or that the attacker placed on the system (i.e. criminal
content).

No matter what path you choose, having a good, documented incident
response process is very important.  

Brad Judy

Information Technology Services
University of Colorado at Boulder
 

> -----Original Message-----
> From: James H Moore [mailto:jhmfa () RIT EDU] 
> Sent: Tuesday, March 07, 2006 9:41 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Incident Response / Investigations / 
> Digital Forensics strategy
>
> I have appreciated the response that I have gotten, and I am 
> developing a list of names of good forensic investigators 
> (and cross-checking it against the list developed from the 
> NIST "CFTT" computer forensics tool testing mailing list, 
> which unfortunately has had rather light traffic].
>
> But I guess what I am in need of, and think that I am close 
> to, is a strategy.
>
> 1) Most incidents start with events or aberrations that end 
> users or support people notice.
>
> 2) It becomes and incident when someone notices that a 
> safeguard has failed or has been circumvented.
>
> 3) More likely than not, the support person will do a little 
> looking to see how bad the problem is.  Most forensic 
> investigators hate this, but the reality of the situation is 
> that here is a trade-off.  I can forensically grab an image 
> of a hard drive (memory too if I have EnCase
> Enterprise) easily, if not quickly. But
>   3a) It takes time, lots of time
>       3a1) Some of this can be cut short by doing a forensic 
> image and then have a regular disk copier standing by.  
> Verifying the forensic copy.
>   3b) It takes storage, lots of storage, especially if you 
> are interrupting investigations before systems admins poke around
>   3c) It takes computers/licenses to analyze the results
>
>                        OR
>   3d) It takes money, lots of money to have every incident 
> interrupted at this point, and then ship the forensic image 
> off for analysis
>
> 4) Considering the impact of various Notification laws, such 
> as California's, New York's, and 20+ other states, consider 
> what is now an "investigation".  A user gets a worm or virus 
> or spyware, the A/V can't just be set to clean, because if 
> the worm or virus has the capability of sending files, or 
> logging keystrokes, then you need to make the determination 
> that you reasonably believe that the information was acquired 
> or not acquired by an unauthorized person.  So we are 
> starting to work a lot of investigations.  
>
> We are trying to look at the incident handling process, and 
> the cost model for investigations and determine what we need. 
>  Any way that I slice it, it seems that I need both in-house 
> investigations capabilities, and real forensics professionals 
> standing by.  This just seems hard, and it also seems to be 
> hard to justify, because of the "lots of ...".  I initially 
> had approved $65K to establish a small forensics lab on 
> campus.  And I am working toward that goal, which is 2 
> forensic computers (incl write blockers, CRU trays, 
> IDE/SATA/SCSI, and USB/Firewire), ESD protection, an IDE/SATA 
> disk duplicator, licenses for SMART and EnCase Forensic 
> workstation.  A pool of disks.  A dual-layer DVD writer.  DVD 
> media.  Secure lockers.  Etc)
>
> A couple of things out of the list have yet to be purchased 
> (one of the forensic workstations, and the IDE/SATA 
> duplicator). And although incidents are going up, I am asked 
> to justify the completion of the lab.
> One way that I thought of doing that is to compare the cost 
> of forensically copying a disk, and outsourcing the 
> investigation to doing more in house, with the involvement of 
> an outside forensic expert only if there is a threat of a lawsuit.
>
> - - - -
> Jim Moore, CISSP, IAM
> Information Security Officer
> Rochester Institute of Technology
> 13 Lomb Memorial Drive
> Rochester, NY 14623-5603
> (585) 475-5406 (office)
> (585) 475-4122 (lab)
> (585) 475-7950 (fax)
>
>
>
> "We will have a chance when we are as efficient at 
> communicating information security best practices, as hackers 
> and criminals are at sharing attack information"  - Peter Presidio
>
>
>
>
>
>
> -----Original Message-----
> From: Chris Green [mailto:cmgreen () UAB EDU]
> Sent: Tuesday, March 07, 2006 9:44 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Digital Forensics Professional 
> Services Costs was [SECURITY] Use of Digital Forensics 
> Professional Services
>
> It's looking like our state could join the ranks of everyone 
> else in the notification laws. I'm looking at having in house 
> expertise for the cases where we need to have some reasonable 
> knowledge if there's a disclosure and outsourcing it if it's 
> a high profile target or there is a good chance that there 
> will be legal proceedings involving the data.
>
> On 3/6/06 2:15 PM, "James H Moore" <jhmfa () RIT EDU> wrote:
>
> > We are looking at the costs of outsourcing Digital Forensics 
> > Professional Services, and the costs of keeping it 
> in-house.  Also, we 
> > are looking at determining the point where we do the 
> transition (when
> it
> > goes from an investigation to a forensic investigation).  
> We haven't 
> > done pricing, and so that is what I am looking for is information / 
> > experiences that people have in the investigations and 
> forensics area, 
> > and what influenced their decisions.
> --
> Chris Green
> UAB Data Security, 5-0842