Security Ripcord


SMB IR Poll

April 20th, 2008 cutaway Posted in Incident Response, Poll No Comments »

So far Windows Incident Response With Only System Resources has gotten a lot of attention. This is mostly due to Harlan Carvey’s post about it, but I like to think that it is something people needed help with and can use.

To help understand people’s positions on incident response I have created the latest Security Ripcord Poll. I tried to think of different ways to approach this poll. How do I distinguish between big business, SMB, and home users? Do I want to focus on just one? How do I list out the different approaches?

Here is what I decided. Keep it simple. Focus on SMBs, because as the focus grows there are more options and as the focus shrinks there are fewer. Plus, if anybody wants to provide additional insight they can just do so in the comments of this post.

So, vote and show your opinion.

What is your opinion on Virus Response for Small/Medium Sized Businesses

Go forth and do good things,

Don C. Weber


Windows Incident Response Script

April 17th, 2008 cutaway Posted in Incident Response, Malware, Microsoft, Security, Tools 5 Comments »

I have taken some time to write an incident response script using only the resources provided by the Windows operating system. You can find out the why by reading the article I wrote titled Windows Incident Response With Only System Resources, or the how by reviewing the code I wrote. UPDATE: I broke the link when I did a bug fix. So, this link may break in the future; please refer to the complete article for the most recent version.

I hope that some of you find this useful and that this centralizes a lot of the information necessary to understand the abilities inherent to the Windows operating system. It is nothing groundbreaking. Just a few things that can be done if you do not have, or are not allowed to obtain and use, the many very useful tools that are available online or through a vendor.

Go forth and do good things,

Don C. Weber


Incident Response Toolkit Justifications

July 7th, 2007 cutaway Posted in Incident Response, Tools No Comments »

One of the cool things about taking the SANS GCIH through their OnDemand classes is that you get 10 weeks to interact with the other students instead of the usual one week of a conference. Somebody in my class set up a YahooGroup and the students were able to post questions when they didn’t understand a subject and needed extra clarification. The teacher, Ed Skoudis, and experienced students monitored the group and help was almost real-time.

Although I have already achieved my GCIH Silver Certification I am still a member of the YahooGroup associated with the class. Yesterday one of the students posted a question. Since it was a good question I thought I would include it and my response.

swangod’s question:

Hi folks,
I don’t know how many of you might still pay attention to this group,
but here’s a question for you. The book recommends something like
$5-10k of available funds. I think some of this was for on the spot
purchases like storage media, hubs/switches, taps, maybe even a
server. Has anyone had any luck with justifying this spending ability
or authority, and how have you presented this to management and what
sort of discussions did you have to go through for this pre-approval?

My response:

Here are some things to think about that might help you in this situation.
This might be more information than you need but I got on a roll. :)

One thing you might consider is combining the “jump bag” to operate as
tools for “incident response” and “disaster recovery”. This helps double
up the need for such a bag and it gives you a good excuse to keep people
from lifting items from it when they can’t find similar items that are
used for normal operations. Additionally, many of the items could be
pulled from duplicate stock or by upgrading old tools and hardware to more
current versions. As for servers and workstations you could also pull
systems when they are being updated. (Remember, you’ll need systems to
perform forensic duties as well as systems to do practice incidents.)

If you are trying to justify just building an incident response or
forensic work area then you are going to have to consider how many
incidents you expect in the next 5 to 10 years. As you should start a
working relationship with a forensic company anyway, ask them to brief you
on how much typical forensic responses to an incident will cost. Give
them a couple of likely scenarios your company might experience. Now
multiply that number by the number of incidents. Then do your research
about how much spinning up a workstation will cost (include training on
forensic tools as well as GCIH for other team members). When you have the
comparison have the forensic company come back in and give the same
presentation to your executives. Then you give a quick presentation after
the forensic company leaves about how developing an incident response plan
and preparing certain tools could reduce these costs. Before you go into
this meeting double check your costs and be sure you are not missing
anything. One or two changes down the road will not hurt anything but any
more than that and they will begin to wonder about whether it was a good
idea which they will remember the next time you ask for something.

Also, don’t go overboard. You might not be able to afford things right
away. Start developing a plan to acquire things through time. And
remember, if you need something during an incident your management will
generally be willing to fork over the money. Just be ready with
suggestions and acquisition recommendations. Use a purchase of necessary
equipment during a response as a part of your lessons learned. “We had to
purchase a 500 GB drive because the RAID we had to image was 450 GB. The
purchase delayed our response by 8 hours. The request for the external
hard drive was initially denied. Here is a list of other items that we
denied at the same time as the external hard drive but are also necessary
for incident response.”

Hope this helps,
Cutaway

I hope this helps anybody trying to justify their incident response toolkit, “jump bag,” or work area.

Go forth and do good things,
Cutaway


Incident Response without an Incident Response Plan

October 8th, 2006 cutaway Posted in Incident Response, Intelguardians, Security Catalysts No Comments »

Check out the original post at the The Security Catalyst Community. Please post any comments to the original article and not here.

When an organization decides to designate a person to handle security for their information resources, the first thing that individual is going to realize is that they do not have a procedure to use if there is a security incident. Whether the incident is a virus infection or an unauthorized disclosure of information, the organization needs a method to respond so that there is a risk assessment, incident management, and follow-up that considers security as well as business continuity. Although it seems easy, it quickly becomes a large task to spin up brand new incident response procedures from scratch. Luckily there are many resources out there to assist security professionals in creating an incident response plan for their organization.

The following are what I consider to be good information resources to get started on an incident response plan:

  1. Read a book titled, “Incident Response & Computer Forensics, Second Edition” (ISBN: 007222696X) by Kevin Mandia, Chris Prosise, Matt Pepe, and Scott Larson. This book will familiarize you with the basic steps, terminology, and tools utilized when responding to an incident. This is a great resource for anybody who has not been exposed to incident response.
  2. For more detail on setting up an incident response plan take a look at the SANS book store (http://store.sans.org) for the “Computer Security Incident Handling Step-By-Step.” You can see a brief excerpt from the book at https://store.sans.org/samples/incidenthandling_sample.pdf.
  3. As you are creating your response plan you will find that there is a lot of documentation involved. Instead of starting from scratch you can use the SANS incident handling forms located at http://www.sans.org/score/incidentforms/index.php?portal=327e9b8f50ffeb4c9d90867b082d6d05.
  4. With a basic incident response plan in place you are going to need to understand the “enemy” better and prepare defenses within your environment. Although I have not had a chance to read this book yet, I have purchased it because of the great reviews it has received. It is titled “Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses” (ISBN: 0131481045) and it is written by two well-known and respected security instructors, Edward Skoudis and Tom Liston. You can check out the website for this book and other resources by these and other security instructors at http://www.counterhack.net/Counter%20Hack/Welcome.html
  5. Lastly, you should check out the comments to this article to see if anybody has posted references to other helpful resources. If you have one, POST IT.

Okay, enough with resources. What should you do “right now” if you have an incident and do not have an incident response plan ready to implement? Well, here are a few steps to get you moving down the right path.

  1. Remain calm and do not make assumptions. There may be a perfectly logical explanation once you have gathered all of the information available and have had a chance to review everything in a less stressful environment.
  2. Do a quick risk assessment to help determine the level of response:
    • can anybody be hurt by what is happening?
    • do the systems involved contain sensitive information?
    • will what is happening affect the rest of the environment or other networks outside of our environment?
    • should the systems be shut down, or left running with just the network card unplugged?
  3. Decide who is in charge and the other people who are going to need to be initially involved. Examples:
    • Team leader
    • System/network administrators
    • Legal counsel
  4. Get one team member to start thinking about and working with other administrators to get everything back up and running. The ultimate goal of an incident response is to help maintain business continuity. Do not, however, begin implementing any steps that might affect the information on the systems involved prior to deciding if they need to be forensically copied in their current state.
  5. Determine if this is going to be an incident that involves a crime. If so, notify the proper authorities immediately as they will have methods and means to handle the incident. If you do not know who to call, contact your local police department and they will be able to point you in the right direction.
  6. Start documenting everything. Even if you do not have an official form, create a new notebook and designate a person to maintain the “case notes.”
    1. How the incident was detected.
    2. Any actions taken in response to the incident.
    3. Any conversation you have with somebody outside of the organization.
    4. Any interviews with persons involved.
    5. Get a camera and start taking pictures of the systems involved before any change is made. Examples:
      • Front and back of system(s)
      • Cables
      • Serial numbers
      • Hard drive lights
      • Server heads-up displays
      • System and BIOS time
  7. Create a “chain of custody” form for controlling anything that may be perceived as “evidence.”
    • Each time the evidence passes into the control of a new individual, document the hand-off on this form.
    • Try to contain “evidence” in a secure location with at least two methods of physical access control.
  8. Start gathering and centralizing log files from firewalls, routers, IDS, switches, etc.
  9. Determine if you are going to need to bring in a third party to assist with the incident response and/or computer forensics.
    • A good state by state list is located at the “Computer Forensics Companies” web site: http://www.computerforensicscompanies.com/statelist.html.
  10. Take your time and relax. It is okay to make mistakes or to not know an answer. If you have gotten this far you are doing great.
  11. Once you have finished, sit down with the team and go over the lessons learned. Use this experience to create a more detailed incident response plan, as you will probably now have more managerial buy-in to allocate time to this project.
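Steps 6 and 7 above (case notes and a chain-of-custody form) can be kept honest with a small ledger that hashes each evidence item at seizure and re-hashes it on every hand-off. The following is an added example and not code from the original post; the case id, hostname, serial number and custodian names are constructed.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Stream the file so a multi-GB disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class EvidenceItem:
    def __init__(self, item_id, description, path, seized_by):
        self.item_id, self.description, self.path = item_id, description, path
        self.sha256 = sha256_of(path)          # fingerprint taken at seizure
        self.log = []                          # rows of the custody form
        self._record(seized_by, seized_by, "seized / initial custody")

    def _record(self, from_person, to_person, reason):
        self.log.append({"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                         "from": from_person, "to": to_person, "reason": reason,
                         "sha256": sha256_of(self.path)})

    def current_custodian(self):
        return self.log[-1]["to"]

    def transfer(self, from_person, to_person, reason):
        """Record a hand-off. Refuses if from_person is not the custodian of
        record; returns False when the item no longer matches its seizure hash."""
        if from_person != self.current_custodian():
            raise ValueError(f"{from_person} is not the custodian of record")
        self._record(from_person, to_person, reason)
        return self.log[-1]["sha256"] == self.sha256

    def verify(self):
        """Re-hash the item and compare with the hash taken at seizure."""
        return sha256_of(self.path) == self.sha256

def demo():
    """Constructed walk-through: seize a fake image, hand it to the examiner,
    then alter the file and show that the next check flags it."""
    image = os.path.join(tempfile.mkdtemp(), "srv01_sda.dd")
    with open(image, "wb") as f:
        f.write(b"constructed sample image bytes\n" * 1000)
    item = EvidenceItem("CASE-001-ITEM-1", "srv01, SN ABC123 (constructed)", image, "team lead")
    clean = item.transfer("team lead", "forensic examiner", "imaging for analysis")
    with open(image, "ab") as f:
        f.write(b"x")                          # simulated tampering after hand-off
    return {"clean_handoff": clean, "intact_after_tamper": item.verify(),
            "custodian": item.current_custodian(), "rows": len(item.log)}
```

Printing `item.log` gives the rows of the custody form; the seizure hash should also be written into the case notes so the two records corroborate each other.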

Okay, eleven steps are more than a few. Hopefully these will get you over the hump of the first incident response and moving forward towards creating a detailed plan for future incidents.

Go forth and do good things.
Cutaway


First 5 Actions: Here are mine, where are yours?

May 4th, 2006 cutaway Posted in Assessment, Incident Response, Policy, Security, Security Catalysts No Comments »

I just added a post to the Security Catalyst site. During the recent podcast (Security Catalyst #27), Michael Santarcangelo wanted to start a forum topic about What Are The First 5 Actions, Security Catalyst Case Study. As I am starting to think about this very subject I am very interested in everybody’s point of view on this. Please comment on my post either at the Security Catalyst site or here. As I state in the forum I have very thick skin and I value your input.

———————————————

Some of these may seem a bit broad but that is how they are intended. That is because I think that these are the basis for a plan. Before you start deploying systems and connecting them to the Internet, or let end-users run around the internal network, you need to cover the basics and create a managed, secure environment. There should also be a sub-step for each of these to review the findings of the previous steps to see if the new information affects them.

1. Incident Response Policy - this is going to happen at some point. It would be tragic if it happened right off the bat but stranger things have happened. You need to identify how this is going to be handled and individual responsibilities.
2. Prioritized Asset Identification - How do you know how to protect something unless you have identified what needs to be protected and which is most important?
3. Acceptable Use Policy - This will help you determine how your external and internal protections will be configured.
4. Network Deployment Review - If they have a network plan figured out but it has not been reviewed by the Security Manager then it is still in development. At the least the network plan needs to be reviewed at this point to ensure that the previous steps have not created changes.
5. Deployment Strategy - Now that you have a list of assets, know what the network will be used for, and understand the network deployment scheme you need to determine how you will deploy and manage your assets. This strategy should cover how systems are built, hardened, managed, updated, and connected to the network.

I have thick skin so please hack away at this. I will be doing this very thing very soon and I hope to use this as a sounding board.

Thank you,
Cutaway

———————————————

Yes, thank you all,

Cutaway