Linkz for Incident Response

Wednesday, November 20, 2013 Posted by Corey Harrell
Due to changes with my employer last Spring my new responsibilities include all things involving incident response. I won’t go into details about what I’m doing for my employer but I wanted to share some linkz I came across. Similar to my responsibilities, these linkz include all things involving incident response. Enjoy ….

Incident Response Fundamentals

What better way to start an Incident Response Linkz post than with a series on incident response fundamentals. Securosis wrote an Incident Response Fundamentals series that covers the following topics:

- Introduction, Data Collection/Monitoring Infrastructure
- Incident Command Principles
- Roles and Organizational Structure
- Response Infrastructure and Preparatory Steps
- Before the Attack
- Trigger, Escalate, and Size up
- Contain, Investigate, and Mitigate
- Mop up, Analyze, and QA

The links to all these articles can be found on the Incident Response Fundamentals: Index of Posts. Please note that some of the links on the index page are broken, but there is a quick workaround: when you hit a broken link, open the next article in the series, since its first paragraph links properly to the previous article.

Doing Incident Response Faster

Building on their fundamental series Securosis released the React Faster and Better: New Approaches for Advanced Incident Response paper. Despite being a few years old, the information is still relevant today. To illustrate the paper’s focus I’ll quote from the Introduction article in their fundamentals series:

“We need to change our definition of success from stopping an attack (which would be nice, but isn’t always practical) to reacting faster and better to attacks, and containing the damage.

We’re not saying you should give up on trying to prevent attacks – but place as much (or more) emphasis on detecting, responding to, and mitigating them.”

The React Faster and Better: New Approaches for Advanced Incident Response paper discusses how they think you can perform incident response faster and better.

Incident Response's Evolution

Anton Chuvakin tackled incident response as a research project. He wrote a paper on the subject that is only available with a Gartner subscription. However, he was frequently blogging about his research and thoughts along the way. One thing I noticed in his research aligns with some of the other links I'm sharing: incident response has been evolving into a continuous process. It involves constantly monitoring to detect compromises, triaging alerts, responding to incidents, and improving detection using the indicators discovered during the response. As Anton mentioned in his Death of a Straight Line article, it's no longer a linear process with a start and a finish. It now resembles multiple loops running at the same time. Below are a few of his blog posts.

On Importance of Incident Response
http://blogs.gartner.com/anton-chuvakin/2013/07/15/on-importance-of-incident-response/

Incident Response: The Death of a Straight Line
http://blogs.gartner.com/anton-chuvakin/2013/06/05/incident-response-the-death-of-a-straight-line/

On Three IR Gaps
http://blogs.gartner.com/anton-chuvakin/2013/08/20/on-three-ir-gaps/

Incident Plan vs Incident Planning?
http://blogs.gartner.com/anton-chuvakin/2013/07/23/incident-plan-vs-incident-planning/

Top-shelf Incident Response vs Barely There Incident Response
http://blogs.gartner.com/anton-chuvakin/2013/08/09/top-shelf-incident-response-vs-barely-there-incident-response/

Fusion of Incident Response and Security Monitoring?
http://blogs.gartner.com/anton-chuvakin/2013/08/15/fusion-of-incident-response-and-security-monitoring/

Integrating SIEM with Incident Response

The AlienVault SIEM for ITIL-Mature Incident Response (Part 1) paper touches on how you can use a SIEM and log correlation to accomplish various things. One of which is to “develop an Incident Response process that includes a significant portion of repeatable, measurable and instructable processes.” The paper lays the groundwork for the second part, such as covering incident response implementations and why incident response is not tech support.

I found their second paper, SIEM for ITIL-Mature Incident Response (Part 2), to be the more interesting of the two. The paper goes into detail about evolving incident response into a mature service model. It accomplishes this by applying the five stages of capability to the incident response process. The descriptions are accompanied by diagrams to better illustrate the activities and workflow for each stage.

Practical Plans for Incident Response

The next link isn’t to a resource freely available on the Internet but to an outstanding book about incident response. There is a lot of information available about the incident response process, as well as technical information about carrying it out. However, there is very little about the incident response plans an organization can leverage for its internal IR process. The book The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk is loaded with practical information to help build or improve your incident response plans. I plan to do a proper book review at some point, but I wanted to at least mention it in this linkz edition.

Integrating Malware Analysis with Malware Response

Securosis Malware Analysis Quant research is a very interesting project. In their words, they “designed Malware Analysis Quant to kick-start development of a refined and unbiased metrics model for confirming infection from malicious software, analyzing the malware, and then detecting and identifying proliferation within an organization.” Setting the metrics aside, the reason I really like the paper is the process it outlines. It discusses confirming an infection, analyzing the malware, and then identifying other systems (malware proliferation). When looking at all of the literature available about incident response, the one area lacking is practical information one can use to scope an incident. This paper provides some good information about the options for scoping a malware incident.

Malware Analysis Quant [Final Paper]
https://securosis.com/blog/malware-analysis-quant-final-paper

Link to the Final Paper
https://securosis.com/assets/library/reports/Securosis-MAQuant-v1.4_FINAL.pdf
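The scoping step the Quant process describes, sweeping the organization for the indicators pulled from one confirmed infection, is also the "feed discovered indicators back into detection" loop from Anton's posts. The following is an added example, not code from the Securosis paper, from Anton's research, or from this post. It takes a constructed indicator set (file hash, file name, C2 domain) from an analysed sample and sweeps constructed per-host process inventories and DNS resolver log lines for them; every hostname, hash, path and domain in it is made up for the example. A hash match is treated as a confirmed hit, while a file name match with an unknown hash is reported separately as a binary to pull for analysis, so its hash can extend the indicator set on the next pass.

```python
"""Scope a malware incident by sweeping host data for known indicators.

Added example. All hostnames, hashes, paths, domains and log lines below are
constructed sample data, not real indicators or real telemetry.
"""
import re
from collections import defaultdict

# Hashes are 64 hex chars like a real SHA-256, but the values are constructed.
KNOWN_BAD_SHA256 = "9c8a1f0e4b7d2c6e5a3b1d0f8e7c6b5a4d3c2b1a0f9e8d7c6b5a4d3c2b1a0f9e"
SYSTEM_SVCHOST_SHA256 = "a1" * 32   # stands in for the legitimate binary
VARIANT_SHA256 = "7e" * 32          # same file name, different hash

# Indicators extracted from analysing the sample on the first confirmed host.
INDICATORS = {
    "sha256": {KNOWN_BAD_SHA256},
    "filename": {"svchost32.exe"},
    "c2_domain": {"update-cdn-example.net"},
}

# Running-process inventory per host as an EDR or WMI sweep might return it:
# (image path, sha256). Constructed data.
PROCESS_INVENTORY = {
    "ws-0412": [
        (r"C:\Windows\System32\svchost.exe", SYSTEM_SVCHOST_SHA256),
        (r"C:\Users\jsmith\AppData\Roaming\svchost32.exe", KNOWN_BAD_SHA256),
    ],
    "ws-0417": [
        (r"C:\Windows\System32\svchost.exe", SYSTEM_SVCHOST_SHA256),
        (r"C:\Users\kjones\AppData\Local\Temp\svchost32.exe", VARIANT_SHA256),
    ],
    "srv-files01": [
        (r"C:\Windows\System32\svchost.exe", SYSTEM_SVCHOST_SHA256),
    ],
}

# DNS resolver log, one query per line. Constructed sample input.
DNS_LOG = """\
2013-11-18T09:12:04Z client=10.20.4.12 host=ws-0412 query=update-cdn-example.net type=A
2013-11-18T09:12:09Z client=10.20.4.12 host=ws-0412 query=www.example.com type=A
2013-11-18T10:40:51Z client=10.20.7.33 host=ws-0522 query=update-cdn-example.net type=A
2013-11-18T11:02:17Z client=10.20.9.5 host=srv-files01 query=time.windows.com type=A
"""

DNS_RE = re.compile(r"host=(?P<host>\S+) query=(?P<query>\S+)")


def sweep_processes(inventory, indicators):
    """Return {host: [reason, ...]} for hosts whose process list hits an indicator.

    A hash match is a confirmed hit. A file name match with an unknown hash is a
    possible repacked variant and is reported so the binary can be analysed.
    """
    hits = defaultdict(list)
    for host, procs in inventory.items():
        for path, sha in procs:
            name = path.rsplit("\\", 1)[-1].lower()
            if sha in indicators["sha256"]:
                hits[host].append(f"hash match: {path}")
            elif name in indicators["filename"]:
                hits[host].append(f"filename match, unknown hash {sha}: {path}")
    return dict(hits)


def sweep_dns(log_text, indicators):
    """Return {host: [domain, ...]} for hosts that resolved a known C2 domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m and m["query"].lower() in indicators["c2_domain"]:
            hits[m["host"]].append(m["query"])
    return dict(hits)


def scope_incident(inventory, log_text, indicators):
    """Merge both sweeps into one per-host view of why each host is in scope."""
    scope = defaultdict(list)
    for host, reasons in sweep_processes(inventory, indicators).items():
        scope[host].extend(reasons)
    for host, domains in sweep_dns(log_text, indicators).items():
        scope[host].extend(f"resolved C2 domain {d}" for d in domains)
    return dict(scope)


def hashes_to_analyse(inventory, indicators):
    """Hashes that matched by file name only: pull these binaries, analyse them,
    and add confirmed ones to indicators["sha256"] for the next sweep."""
    return {
        sha
        for procs in inventory.values()
        for path, sha in procs
        if sha not in indicators["sha256"]
        and path.rsplit("\\", 1)[-1].lower() in indicators["filename"]
    }


if __name__ == "__main__":
    for host, reasons in sorted(scope_incident(PROCESS_INVENTORY, DNS_LOG, INDICATORS).items()):
        print(host, "->", "; ".join(reasons))
    print("binaries to analyse:", hashes_to_analyse(PROCESS_INVENTORY, INDICATORS))
```

In the sample data, ws-0412 is confirmed by both hash and DNS, ws-0522 only shows up in the DNS log (it never appeared in the process inventory at all, which is exactly why a single data source is not enough to scope an incident), ws-0417 carries a same-named file with a different hash that needs analysis before it is counted, and srv-files01 stays out of scope. Each pass through the loop widens the indicator set and the sweep is run again.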

Responding to Malware Infected Systems

Claus Valca over at grand stream dreams put together an outstanding post about malware response; the post is Anti-Malware Response “Go-Kit”. Claus goes into detail about the process he uses when responding to an infected system. The thing I really like about this post is that he discusses both the process and the tools he uses. I enjoy seeing how others approach the same issue since I can learn a thing or two. To top it off, the post contains a wealth of great links to articles and tools. This is one article you will want to take the time to read.

Memory Forensics to the Rescue

Rounding out this linkz post is an excellent write-up by Harlan Carvey. In his post Sniper Forensics, Memory Analysis, and Malware Detection, Harlan goes into detail about a recent examination he performed. He was faced with an IDS alert and a laptop. By using a focused approach, converting the hibernation file into a raw image, and performing memory forensics, he was able to solve the case. Like Claus's post, this is another great write-up highlighting how someone addressed an issue with the tools available. I see so much value in sharing this kind of information because not only do I learn, but I can improve my own process. You’ll definitely want to check out this write-up.