Creating a Computer Security Incident Response Team Attendee Workbook


CERT Training and Education
Networked Systems Survivability
Software Engineering Institute
Carnegie Mellon University

This material is approved for public release. Distribution is limited to attendees by the Software Engineering Institute.

This work is sponsored by the Office of the Under Secretary of Defense (Acquisition and Technology), U.S. Department of Defense.

Carnegie Mellon University. Requests for permission to reproduce these materials or to prepare derivative works of these materials for other than government purposes should be addressed to the SEI Licensing Agent or sent to

NO WARRANTY

This Carnegie Mellon University and Software Engineering Institute material is furnished on an as-is basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

This work was created in the performance of Federal Government Contract Number F C with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for United States government purposes pursuant to the copyright license under the clause at

Use of any trademarks in these materials is not intended in any way to infringe on the rights of the trademark holder.

CERT, CERT Coordination Center, and Carnegie Mellon are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

Table of Contents

Table of Contents...1
Creating a CSIRT Workbook:...3
Introduction:...3
Incident Management and CSIRTs Defined:...4
Setting the Context:...5
Scenario 1: What if Your Organization Was Compromised?...8
Scenario 1: What Have You Learned?...9
Scenario 2: A CSIRT TALE - Adventures in Creating a Computer Security Incident Response Team...11
Scenario 2 - A CSIRT Tale: What Worked and What Did Not Work
Identifying Key Issues and Decisions...14
Defining Your Framework:...15
Range and Level of Services:...19
Selecting Services...19
Identifying Policies and Procedures...20
Organizational Issues:...21
CSIRT Resources: Staff, Equipment, and Infrastructure...23
Putting It into Practice - Ideas for Your Action Plan:...25
Taking the Next Steps:

Carnegie Mellon University 1 of 26


Creating a CSIRT Workbook:

Introduction:

1. What are your goals for this workshop?

2. What specific questions would you like to have answered during this workshop?

Incident Management and CSIRTs Defined:

3. What do you think a CSIRT is?

4. Why has your organization or constituency decided to create a CSIRT?

5. What do you think the goals of your CSIRT are or will be?

Setting the Context:

Scenario 1: What if Your Organization Was Compromised?

Review the following questions and think about the 3 or 4 that are most important for you and your CSIRT development effort. Answer those questions. When you are back at your organization you can revisit the other questions.

6. What CSIRT scenario did you choose?

7. How would your organization respond to this type of incident if it happened now?

8. Who would respond? Who should respond? Who else needs to be involved?

9. What is your main concern? Recovery? Tracking and tracing? Something else?

10. How long would the response take?

11. Who makes the decisions? Does everyone know who is making the decisions?

12. How would you like your organization to respond?

13. What staff and processes are required to effectively respond?

14. What assets need to be protected?

15. Is there any information that needs to be recovered? Do you have backups? Is the information stored on trusted media? How can you be sure the data has not changed?

16. Who will perform the recovery operations? Do they have the required skills and knowledge to do this? Are there detailed procedures to do this?

17. Who needs to be contacted? Are they internal or external to your organization?
   - Do you have their contact information?
   - What will you tell them? Do you say something different if they are internal versus external staff?
   - What actions do they need to take?
   - How will you contact them?
   - Do they know what to do once you contact them?

18. What proactive steps does your organization take to prevent such occurrences?

Scenario 1: What Have You Learned?

19. What do you know about incident response in your organization?

20. What don't you know about incident response in your organization?

21. What do you need to know to effectively plan and implement a CSIRT?

22. To whom do you need to talk?

23. What needs to be changed in the current way your organization provides or does not provide response?

24. How would a CSIRT change the response?

25. What does your organization want the new CSIRT to do?

26. What ideas has this scenario given you regarding decisions and issues or actions to be addressed when creating a CSIRT at your organization?

Scenario 2: A CSIRT TALE - Adventures in Creating a Computer Security Incident Response Team

The CEO of the organization asked the CIO to implement a Computer Security Incident Response Team as a part of the company's new strategic security plan. It just so happened that the CIO was very involved with an upcoming merger effort that was underway and assigned the project to the manager of the network group at the organization. The manager of the network group had recently hired a new employee who was very interested in computer security. She named this person as CSIRT Team Leader and gave him the job of implementing the CSIRT. The manager of the network group told the new CSIRT Team Leader to go off and do good things and bring back a plan for implementing the new team.

The new CSIRT Team Leader received a copy of the company's organizational chart and geographic office locations and then headed off to use his favorite Internet search engine to look for information on Computer Security Incident Response Teams. Finding some references at the CERT Coordination Center (CERT/CC), the Australian Computer Emergency Response Team (AusCERT), the System Administration, Networking, and Security (SANS) Institute, Security Focus, and a Request for Comment (RFC) from the Internet Engineering Task Force (IETF) entitled Expectations for Computer Security Incident Response, the new CSIRT Team Leader began to build a plan.

Looking at the organization chart and geographic dispersion of the offices, the CSIRT Team Leader saw that there were already system and network administrators at each local office. These he felt were prime candidates for being liaisons with the new CSIRT. He also noticed that there was an existing Helpdesk and decided to use this service as a central reporting point for all incoming computer security requests or incident reports. The CSIRT Team Leader took the plan back to the network manager, who reviewed it and forwarded it to the CIO.

Both approved it and decided there was enough money in the budget to hire two new CSIRT staff members. Another part of the organization was experiencing some lay-offs, so two system and network administrators scheduled to be laid off were moved into the new CSIRT to fill the two open positions. While the personnel transfers were going on, and with the approval of the CIO, the CSIRT Team Leader met with the Helpdesk manager, who agreed to handle all computer security calls and pass them on to the CSIRT. The CSIRT Team Leader sent email to all system and network administrators at all remote sites and told them that they would be responsible for carrying out actions and tasks as assigned by the CSIRT.

The CSIRT was given a set of cubicles in the network area and decided to use its existing equipment for the new CSIRT work. Once the equipment was moved into the cubicles, the CSIRT was opened for business. During the first week no calls or reports were received. During the second week one of the system administrators at a remote site called the CSIRT Team Leader to report that their site had been the victim of a serious virus attack that had affected 50% of the machines. The system administrator said that they had reported the incident to the Helpdesk but had not received a response. The CSIRT Team Leader checked with the Helpdesk and found that over 50 reports had been received, but none had been passed to the CSIRT. When asked why these reports were not forwarded to the CSIRT, the Helpdesk staff replied that they did not know they were supposed to handle such calls in that manner.

The Helpdesk then forwarded one of the virus reports to the CSIRT, including a sample of the virus. One of the new staff who had been moved into an Incident Handling position received the mail. While reviewing it, he accidentally clicked on the virus link. This action not only infected his machine but sent infected messages automatically to the rest of the CSIRT team and the Network group (as their addresses were in his address book). The CSIRT team then sent out an email message to the rest of the organization telling them how to prevent the virus from spreading. The message also told all staff to report any similar problems to the Helpdesk so that the problems would be forwarded to the CSIRT staff for handling. The CSIRT Team Leader soon received a mail message from another department head saying that they had their own virus handling procedures and would not report to someone else or follow orders from someone else.

The CEO, unfortunately, was also the recipient of one of the infected messages. Not realizing what the message was, and seeing that it came from a member of the CSIRT staff, he clicked on the link, thereby infecting his system. The CIO and CSIRT Team Leader were quickly summoned to the CEO's office, where they were asked to explain why this security problem had not been effectively managed by the new CSIRT.

Scenario 2 - A CSIRT Tale: What Worked and What Did Not Work

Review Scenario 2. Working in small groups of 2-4 people, answer the questions below.

27. What did the organization handle well?

28. What didn't the organization handle well?

29. What could have been done differently to address those things that did not go well?

Identifying Key Issues and Decisions

30. Working in the same group, list the key issues and decisions that need to be made when creating a CSIRT.

31. Working by yourself, what key issues and decisions need to be made regarding the CSIRT at your organization?

Defining Your Framework:

32. Who are your stakeholders? How do you identify them? How do you reach them?

33. Who should be on your CSIRT project development team?

34. Gathering Information: From whom do you need to obtain information? What key information do you need?

35. Reviewing Existing CSIRTs: Are there any ideas that you might be able to use in the development of your CSIRT?

36. Who else will your CSIRT interact with?

37. Does your organization or constituency have an organizational security policy?

38. What are your critical assets?

39. Have you evaluated the importance of each asset, so you know which ones are top priorities when responding to events and incidents?

40. Is your CSIRT one of those assets? Why or why not?

41. Should it be?

42. Can you think of any business or organizational issues that may affect the creation of your CSIRT?

43. What type of constraints can hinder or limit the establishment of your CSIRT?

44. What ideas or recommendations can you suggest for dealing with these constraints?

45. Who is your constituency? If you do know, write it down. If you do not know, how will this be decided?

46. Defining your mission: Do you have a mission? If so, write it down. If not, could you write down three to four statements explaining what you think your mission should be?

47. How will your CSIRT be funded?

Range and Level of Services:

Selecting Services

48. What services could a CSIRT provide?

49. What issues are associated with selecting and providing CSIRT services?

50. What services do you think your CSIRT will need to provide?

51. How do you define a service?

52. Are there any special issues that must be addressed to implement your CSIRT services?

Identifying Policies and Procedures

53. What policies do you already have? What policies will your CSIRT need?

54. What procedures do you already have? What procedures will your CSIRT need?

Organizational Issues:

55. Where does the CSIRT fit in your organization?

56. To whom does or will your CSIRT report?

57. What is the authority of your CSIRT?

58. What information should be reported to your CSIRT?

59. What type of reporting guidelines will you need?

60. Who will analyze the information?

61. In what manner will the information flow out of your CSIRT?

62. Who else might your CSIRT need to collaborate or coordinate with?

63. In-class Exercise: An Organizational Dilemma - A large commercial company was making plans to create a CSIRT. The company had many different geographical locations around the world. The planning team could not determine how to have a CSIRT work across these many different areas. Working in small groups, recommend some strategies for how the CSIRT could be organizationally structured. What issues will be important to address?

64. What organizational model might work for your CSIRT?

CSIRT Resources: Staff, Equipment, and Infrastructure

65. What initial CSIRT staff will you need?

66. Where will you get your CSIRT staff? Existing staff? Outsourcing? Hire new staff?

67. Do you have any idea how large your CSIRT will need to be?

68. What initial equipment will your CSIRT require?

69. What CSIRT infrastructure requirements will need to be met?

70. What other resources do you need?

Putting It into Practice - Ideas for Your Action Plan:

Spend time working on your action plan.

Taking the Next Steps:

71. What issues still need to be addressed?

72. What else do you need to do?

73. What are your greatest concerns?