Incident Response & Digital Forensics

The growing volume and complexity of electronic threats make it a constant challenge for organizations to identify and understand when they are the subject of a threat or attack. Even when an incident has been identified, the most effective and appropriate course of action is not always clear.

To meet this need, our clients can draw on the knowledgeable and experienced resources of our ITHACA Labs®. When you identify or suspect such an occurrence, our Computer Emergency Response Team (CERT) can be commissioned either to act independently or to complement your organization’s internal incident response team, acting as investigators or, where needed, as implementers of the response.

Following a structured, best-practice procedure based on the NIST (US National Institute of Standards and Technology) Computer Security Incident Handling Guide (SP 800-61), the ITHACA Labs® CERT team can help your organization identify, manage and recover from an attack that threatens its image, financial stability or operational integrity. Alternatively, when we are commissioned to assist your internal incident response team, we can work according to your organization’s own incident response plan and methodology.

Our incident response methodology, organized as a six-step process for handling security incidents, is described below:

Preparation

During the preparation phase, the roles and responsibilities of the Incident Response Team are defined. On the client’s side, the team may include:

  • The organization’s Public Relations (PR) department
  • System and Network Administrators responsible for the systems under attack
  • Business managers
  • A Human Resources (HR) department representative, in case the incident involves an employee
  • The legal department

During this phase a logbook is established in which we document our observations, findings and communications. Every action taken, from the moment the incident was detected until its final resolution, is recorded and time-stamped, so that the record can later serve as the basis for a process for preventing or responding to similar incidents.
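One way to keep such a logbook so that its entries cannot be quietly altered after the fact is to chain them by hash: every entry carries the SHA-256 of the entry before it, so editing, reordering or deleting an earlier record breaks every hash that follows. The code below is an added illustration, not the ITHACA Labs® CERT tooling; the incident identifier, actors and timestamps in `demo()` are constructed for the example.

```python
"""Append-only, hash-chained incident logbook (added example, not the page's own code)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # "previous hash" of the very first entry


class IncidentLog:
    """Each entry stores the hash of its predecessor; verify() walks the chain."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: List[dict] = []

    def record(self, actor: str, action: str, detail: str = "",
               at: Optional[datetime] = None) -> dict:
        # `at` exists only so the example can use fixed timestamps;
        # real use records the current UTC time.
        ts = (at or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "incident": self.incident_id,
                "time": ts, "actor": actor, "action": action,
                "detail": detail, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        material = {k: v for k, v in body.items() if k != "hash"}
        blob = json.dumps(material, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(blob.encode()).hexdigest()

    def verify(self) -> Optional[int]:
        """Return the sequence number of the first inconsistent entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def demo() -> tuple:
    """Constructed walk-through: three entries, then an after-the-fact edit of entry 1."""
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)  # constructed timestamp
    log = IncidentLog("IR-2024-0007")                       # constructed identifier
    log.record("soc-analyst", "detected",
               "IPS alert: repeated failed logins to vpn-gw1", at=t0)
    log.record("cert-lead", "contained",
               "vpn-gw1 isolated from the LAN", at=t0.replace(minute=40))
    log.record("sysadmin", "eradicated",
               "rogue account 'svc_backup2' disabled", at=t0.replace(hour=11))
    intact = log.verify()                          # None: chain is consistent
    log.entries[1]["detail"] = "no action taken"   # someone rewrites history
    return intact, log.verify()                    # the edit is caught at entry 1


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the copy you hold is internally consistent; to make it evidence against a party who controls the log file, the latest hash should periodically be written somewhere that party cannot alter (a printed logbook, a ticket in another system, or a signed e-mail to the legal department).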

Detection & Analysis

During the Detection & Analysis phase our CERT team interviews the key personnel responsible for administering and maintaining the affected systems and security controls. Their observations (e.g. a complaint that a server is unavailable, alerts about excessive logins or other malicious activity from network- or host-based intrusion prevention systems, a web server crash, or the modification of critical files) are treated as indicators of malicious or suspicious activity and are thoroughly examined and evaluated.

In addition, we gather and analyze log entries, security alerts and configuration files from systems, network devices and security controls in order to determine the type or types of attack involved, since attacks can take many forms and differ in impact.

Furthermore, during the analysis we study the affected networks, systems and applications to establish what their normal behaviour looks like, so that deviations from it, and hence the extent of the incident’s impact, can be determined.
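As an added example of the log analysis described in the two paragraphs above (it is not part of the original page or of the ITHACA Labs® toolset), the following script runs a simple "excessive logins" detection over constructed OpenSSH syslog lines. The baseline is expressed as a threshold that normal behaviour never crosses: five failed logins from one source within a minute is reported as a brute-force attempt, and an accepted login from a source still inside such a burst is reported as likely unauthorized access. The host name, addresses and timestamps are all made up.

```python
"""Burst-of-failed-logins detection over sshd syslog lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Shape of OpenSSH's syslog login lines; anything else (disconnects, sudo, ...) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")

# Constructed sample: one legitimate user, one brute-forcing source that eventually succeeds.
SAMPLE_LOG = [
    "Mar  4 09:14:58 vpn-gw1 sshd[2210]: Accepted password for jsmith from 198.51.100.7 port 40112 ssh2",
    "Mar  4 09:15:01 vpn-gw1 sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2",
    "Mar  4 09:15:03 vpn-gw1 sshd[2215]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2",
    "Mar  4 09:15:06 vpn-gw1 sshd[2217]: Failed password for root from 203.0.113.45 port 51240 ssh2",
    "Mar  4 09:15:09 vpn-gw1 sshd[2219]: Failed password for invalid user test from 203.0.113.45 port 51244 ssh2",
    "Mar  4 09:15:12 vpn-gw1 sshd[2221]: Failed password for backup from 203.0.113.45 port 51248 ssh2",
    "Mar  4 09:15:14 vpn-gw1 sshd[2223]: Failed password for backup from 203.0.113.45 port 51250 ssh2",
    "Mar  4 09:15:20 vpn-gw1 sshd[2225]: Accepted password for backup from 203.0.113.45 port 51252 ssh2",
    "Mar  4 09:16:40 vpn-gw1 sshd[2230]: Failed password for jsmith from 198.51.100.7 port 40120 ssh2",
    "Mar  4 09:16:45 vpn-gw1 sshd[2231]: Accepted password for jsmith from 198.51.100.7 port 40120 ssh2",
    "Mar  4 09:17:02 vpn-gw1 sshd[2235]: Connection closed by 203.0.113.45 port 51252 [preauth]",
]


def parse(line: str, year: int = 2024) -> Optional[Dict]:
    """Return a dict for a login line, None for anything else. Syslog omits the
    year, so the caller supplies it (2024 here, matching the constructed sample)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def _finding(kind: str, category: str, e: Dict, failures: int) -> Dict:
    return {"kind": kind, "category": category, "host": e["host"], "ip": e["ip"],
            "user": e["user"], "time": e["time"].isoformat(), "failures": failures}


def analyze(lines: List[str], window: timedelta = timedelta(seconds=60),
            threshold: int = 5) -> List[Dict]:
    """Report each source IP whose failures within `window` reach `threshold`, and,
    more seriously, an accepted login from an IP still inside such a burst.
    `threshold` encodes the baseline: what normal use of this host never exceeds."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["time"])
    recent: Dict[str, deque] = defaultdict(deque)  # ip -> failure times inside the window
    findings: List[Dict] = []
    for e in events:
        q = recent[e["ip"]]
        while q and e["time"] - q[0] > window:    # drop failures that aged out
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["time"])
            if len(q) == threshold:                 # report once, when the threshold is crossed
                findings.append(_finding("brute_force_attempt",
                                         "Unauthorized Access (attempted)", e, len(q)))
        elif len(q) >= threshold:                   # success right after a burst of failures
            findings.append(_finding("success_after_burst",
                                     "Unauthorized Access", e, len(q)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The single failed login from 198.51.100.7 followed by a success is the normal pattern of a user mistyping a password and is not reported; the second finding for 203.0.113.45 is the one that turns a "Failed password" noise stream into a probable compromise of the `backup` account and should drive the containment decision.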

The main categories of attack or incident, and their impact on the organization’s systems and network infrastructure, are briefly described below:

  • Denial of Service: an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources.
  • Malicious Code: a virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host.
  • Unauthorized Access: a person gains logical or physical access without permission to a network, system, application, data, or other IT resource.
  • Inappropriate Usage: a person violates acceptable use of any network or computer policies.
  • Multiple Components: a single incident that encompasses two or more incidents.

Some incidents may fit into more than one category. Our CERT team will categorize incidents based on the mechanism by which they spread, for example:

  • A virus that creates a backdoor should be handled as a malicious code incident, not an unauthorized access incident, because the malicious code was the only spread mechanism used.
  • A virus that creates a backdoor which was used to gain unauthorized access should be treated as a multiple component incident because two spread mechanisms were used.

Containment

Based on the outcome of the Detection & Analysis phase, our CERT team experts formulate a response course of action, recommending the measures your organization should take to contain the incident’s impact. These recommendations depend on the type and criticality of the incident and on the need to preserve the evidence required for the investigation.

Eradication

During this phase, the threats identified in the Detection & Analysis phase, such as vulnerabilities, compromised user accounts, misconfigured network, security and system components, or backdoor programs, are patched, disabled, removed or reconfigured as appropriate.

Recovery

During this phase our CERT team experts ensure that the affected systems and/or networks are returned to full operation.
This is generally a task performed by your internal team under the guidance and oversight of our experts. These tasks may include:

  • Restore infected systems and verify that they are working properly.
  • Rebuild infected systems from scratch.
  • Replace compromised files with clean ones.
  • Change passwords and other credentials on the affected systems.
  • Harden the affected systems in order to prevent similar incidents from occurring in the future.
  • Monitor systems and networks, including the restored ones, to confirm that they are no longer compromised.
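Replacing compromised files and then confirming that a restored system really is clean both rest on having a known-good baseline to compare against. The script below is an added example (not part of the page or of ITHACA Labs® tooling) of the simplest form of that check: a SHA-256 manifest of a file tree taken from a trusted state, compared later to report modified, added and removed files. The directory layout and file contents in `demo()` are constructed in a temporary directory purely for illustration.

```python
"""File-integrity baseline and comparison for recovery verification (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream, so large files are fine
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> Dict[str, str]:
    """Map every regular file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests. Modified files are those present in both with different hashes."""
    both = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in both if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then simulate what an intrusion leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"clean binary contents")      # constructed content
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = snapshot(root)  # taken from the trusted, pre-incident state

        (root / "bin" / "ls").write_bytes(b"trojaned binary contents")   # replaced binary
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # weakened config
        (root / "tmp").mkdir()
        (root / "tmp" / "kworkerd").write_bytes(b"\x7fELF dropped payload")  # new file
        (root / "etc" / "motd").unlink()                                 # deleted file
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats apply when this is used for real. The baseline must come from a state you trust (installation media, a golden image, or a manifest taken before the incident), not from the compromised host after the fact; and a live comparison should be run from trusted media or a clean system that mounts the suspect disk, because a rootkit on the running host can lie to the very tools that read the files.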

Once the affected components have been restored, it is up to the organization’s management to decide when to restore relevant business operations.

Post-Incident Activity

During this phase the CERT team organizes a meeting with all parties involved to present our findings, observations and assessment of what happened and, where applicable, how the incident could have been prevented. Among other issues, during this meeting we will discuss the following:

  • The course of events that took place during the incident.
  • How the organization should respond if a similar incident occurs in the future.
  • Advice on additional tools and resources the organization could employ to build its capability to alert on and prevent similar incidents in the future.