Book description

Seventy percent of businesses reported security breaches in 2000, and the rate is on the rise. Is your organization ready to respond to such an incident head-on? Will you be able to tell whether an incident is an attack or a glitch in the system? Do you know how to assess the possible damage from an incident? Incident Response shows you how to answer questions like these and create a plan for exactly what to do before, during, and after an incident. The authors of Incident Response draw on years of experience developing and taking part in incident response teams at the highest levels of government and business. They guide you through both the technical and administrative details of effective incident response planning as they describe:

  • What incident response is, and the problems of distinguishing real risk from perceived risk

  • The different types of incident response teams, and advantages and disadvantages of each

  • Planning and establishing an incident response team

  • State of the Hack® information about different types of attacks

  • Recommendations and details about available tools for incident response teams

  • Resources available to incident response teams

Whatever your organization's size or purpose, Incident Response shows how to put in place an incident-response process that's as planned, efficient, and businesslike as any other IT operation in a mature organization. Incidents happen, and being able to respond to them effectively makes good business sense.

Table of Contents

  1. Incident Response
    1. Foreword
    2. Preface
      1. Organization of This Book
      2. Conventions Used in This Book
      3. How to Contact Us
      4. Acknowledgments
        1. Kenneth R. van Wyk
        2. Richard Forno
    3. 1. What Is Incident Response?
      1. Real-Life Incidents
      2. What Is an Incident?
      3. About the Bad Guys
      4. What Is Incident Response?
      5. Risk Assessment and Incident Response
      6. Development of Incident Response Efforts
      7. Are You Ready? Are You Willing?
    4. 2. Incident Response Teams
      1. Who Should Do It?
      2. Public Resource Teams
      3. Internal Teams
      4. Commercial Teams
      5. Vendor Teams
      6. Ad Hoc Teams
      7. Forum of Incident Response and Security Teams (FIRST)
      8. Now Who Should Do It?
    5. 3. Planning the Incident Response Program
      1. Establishing the Incident Response Program
        1. Corporate Politics and Buy-In
        2. Funding and Placing the Team
        3. Confidentiality
        4. Adding Value
        5. Resourcing Options for IT Teams
        6. Matrix Organizations
        7. How Much Automation Is Too Much?
      2. Internal Versus External
      3. Types of Incidents
      4. Who Are the Clients?
      5. Summary
    6. 4. Mission and Capabilities
      1. Roles and Responsibilities
      2. Staffing and Training
      3. Involving the Critical Players
      4. List of Contacts
      5. Setting Up a Hotline
      6. Establishing Procedures
      7. Awareness and Advertising
      8. Fire Drills
      9. Issues and Pitfalls
        1. Business Comes First
        2. Statistics
        3. Customer Confidentiality
        4. Funding and Staffing
        5. Friend or Foe?
        6. Evidence Handling
        7. Privacy and Legal Concerns
        8. Policy
        9. Customer Expectations
    7. 5. State of the Hack
      1. The Moving Target
      2. Keeping Up with Attack Profiles
        1. Understanding the Technology
      3. Training
        1. The State of the Hack
          1. Denial of service
          2. Distributed Denial of Service (DDoS)
          3. Buffer overflows
          4. Race conditions
          5. setuid exploits
          6. Implementation flaws
          7. Network sniffers
          8. Tunneling
          9. Trojan horses and back doors
          10. Stealthing tools
          11. Viruses and worms
          12. Email-borne vermin
          13. Default configuration residue
        2. Forensics
    8. 6. Incident Response Operations
      1. We’ve Been Hit -- Now What?
      2. Incident Response Processes
        1. Identification
        2. Coordination
        3. Mitigation
        4. Investigation
        5. Education
      3. While Under Pressure
        1. Procedures Were Written for a Reason
        2. Be Pedantic, Explicit, and Never Assume
        3. Know Your Role and Your Boss’s Role
        4. Be Discreet
    9. 7. Tools of the Trade
      1. What’s Out There?
      2. Network-Based Tools
      3. Network Monitors and Protocol Analyzers
        1. Sniffer
        2. Ethereal
        3. TCPdump
        4. OSU Review
        5. Snort
        6. TCP.Demux
        7. NetDetector
        8. Net4
      4. Network-Based Intrusion Detection Systems
        1. Dragon
        2. Network Flight Recorder
        3. RealSecure
      5. Network Vulnerability Scanners
        1. SATAN/SAINT
        2. nmap
        3. Cybercop Scanner
        4. NetRecon
        5. ISS Network Scanner
      6. Other Essential Network-Based Tools
        1. MicroRACK
        2. Century Network Tap
      7. Host-Based Tools
        1. COPS
        2. Tiger
        3. ISS System Scanner
        4. Bindview BV-Control
        5. CMDS
        6. Emerald
        7. Tripwire
        8. Norton Utilities
        9. The Coroner’s Toolkit
      8. Communications
        1. Page-Back Mechanisms
        2. Dial-In Data Retrieval
          1. Modems
          2. Wireless modems
      9. Encryption
        1. RSA Secure PC
        2. PGP
      10. Removable Storage Media
        1. Floppy
        2. ZIP
        3. Jaz
        4. Orb
        5. CD Recorder
        6. External Hard Drives
        7. Tape
      11. The Incident Kit
      12. If We Ruled the World
    10. 8. Resources
      1. Security Information on the Web
      2. Incident Response Team Resources
      3. Commercial Incident Response Service Providers
      4. Antivirus Products
      5. Mailing Lists and Newsgroups
      6. U.S. Government Resources
      7. Training, Conferences, and Certification Programs
      8. Legal Resources
        1. Relevant United States Federal Laws Regarding Computer Crime and Incident Response
          1. Identity Theft and Assumption Deterrence Act (18 U.S.C. 2028)
          2. Fraud and Related Activity in Connection with Access Devices (18 U.S.C. 1029)
          3. Computer Fraud and Abuse Act (18 U.S.C. 1030)
          4. Economic Espionage Act (18 U.S.C. 1831 and 1832)
          5. Electronic Communications Privacy Act (18 U.S.C. 2510)
          6. U.S. Department of Justice (DOJ) Guidelines for Warning Banners
    11. A. FIRST
      1. FIRST Statement of Mission and Strategic Goals
        1. Mission Statement
        2. Strategic Goals
      2. FIRST Member Team Information
        1. AFCERT
        2. ANS
        3. Apple
        4. AT&T
        5. AUSCERT
        6. BACIRT
        7. BadgIRT
        8. BCERT
        9. BSI/GISA
        10. BTCERTCC
        11. CARNet CERT
        12. CCTA
        13. CERT/CC
        14. CERTA
        15. CERTCC-KR
        16. CERT-IST
        17. CERT-IT
        18. CERT-NASK
        19. CERT-NL
        20. CERT-Renater
        21. CIAC
        22. Cisco PSIRT
        23. Cisco Systems
        24. Citigroup CIRT
        25. Compaq SSRT
        26. CSIRT.DK
        27. DANTE
        28. DERA
        29. DFN-CERT
        30. DIRT
        31. DK-CERT
        32. DND CIRT
        33. DOD-CERT
        34. EDS
        35. ELN-FIRST
        36. EWA-Canada
        37. FSC-CERT
        38. GE
        39. GI-REACT
        40. Goldman Sachs
        41. GTCERT
        42. Guardent
        43. HOUSECIRT
        44. HP
        45. IBM-ERS
        46. ILAN-CERT
        47. IP+CERT
        48. IRIS-CERT
        49. ISS
        50. IU-CERT
        51. JANET-CERT
        52. JPCERT/CC
        53. MCIRT
        54. MCIWorldCom
        55. Micro-BIT
        56. MxCERT
        57. NAI
        58. NASIRC
        59. NAVCIRT
        60. NCSA-IRST
        61. NEXTRA-CERT
        62. NIHIRT
        63. NIST/CSRC
        64. NORDUnet
        65. NU-CERT
        66. OSU-IRT
        67. OxCERT
        68. Para-CERT
        69. PruCERT
        70. PSU
        71. Riptech-CERT
        72. Rob Thomas
        73. SBACERT
        74. secu-CERT
        75. SGI
        76. SI-CERT
        77. Siemens-CERT
        78. SingCERT
        79. Sprint
        80. Sun
        81. SUNSeT
        82. SWITCH-CERT
        83. TeliaCERTCC
        84. Trident
        85. UCERT
        86. UNI-CERT
        87. UNINETT CERT
        88. UNIRAS
        89. VISA-CIRT
    12. B. Sample Incident Report
      1. Incident Chronology
        1. Security Office Comments and Recommendations
      2. Law Enforcement Coordination
      3. Damage Assessment
      4. Management Review
    13. Index
    14. Colophon