Special Publication 800-61
Computer Security Incident Handling Guide

Special Publication 800-86
Guide to Integrating Forensic Techniques into Incident Response

Recommendations of the National Institute of Standards and Technology

Abridged by Guidance Software, Inc.

Guidance Software, Inc.
World Headquarters: 215 North Marengo Avenue, Pasadena, CA 91101. Phone: 626.229.9191. Fax: 626.229.9199
New York Office: 551 5th Avenue, Suite 400, New York, NY 10176. Phone: 212.277.3700. Fax: 212.277.3707
San Francisco Office: 2200 Powell Street, Suite 800, Emeryville, CA 94608. Phone: 510.652.5011. Fax: 510.652.5018
Washington D.C. Office: Loudoun Tech Center, 21400 Ridgetop Circle, Suite 101, Sterling, VA 20166. Phone: 703.433.5400. Fax: 703.433.5368
Houston Office: 1300 Post Oak Blvd., Suite 550, Houston, TX 77056. Phone: 832.200.9068. Fax: 832.200.9069
EMEA Headquarters: Thames Central, Fifth Floor, Hatfield Road, Slough, Berkshire SL1 1QE. Phone: +44 (0)175.355.2252. Fax: +44 (0)175.355.2232
www.guidancesoftware.com

©2007 Guidance Software, Inc. All rights reserved. Guidance Software and the Guidance Software logo are trademarks, and EnCase is a registered trademark of Guidance Software, Inc.

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology.
ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

1.1 Authority

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), “Securing Agency Information Systems.”

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.
This guideline should not be held as binding on law enforcement personnel relative to the investigation of criminal activity.

Foreword

The Federal Information Security Management Act (FISMA) of 2002 mandates that federal agencies establish incident response capabilities consistent with the guidelines and standards established by the National Institute of Standards and Technology (NIST). Pursuant to this mandate, NIST issued Special Publication 800-61, Computer Security Incident Handling Guide, which sets forth detailed technical, procedural and policy guidelines for federal agencies to implement a comprehensive incident response program. However, that document did little to define the exact steps involved in the actual investigation and resolution of a given incident.

In response to the high-level language of SP 800-61, in August 2006 NIST published SP 800-86, Guide to Integrating Forensic Techniques into Incident Response. Here, NIST defines in a much more precise and specific way the procedures, issues and technologies required to move an incident from the point of discovery all the way through to resolution. Together, these documents are now established guidance for federal civilian agencies, and with them comes the requirement that organizations augment their incident response capabilities by developing a complete forensics program. In addition to acquiring appropriate forensic tools, FISMA compliance mandates extensive and ongoing training and the development of clear policies and procedures.

As the leading provider of forensic software, investigative solutions, services and training, Guidance Software is ideally positioned to help guide organizations through this process to ensure efficient and intelligent implementation of a system that not only enables compliance, but also allows you to radically reduce costs and optimize network security (see figure 1).
EnCase® software delivers unmatched forensic investigation, incident response and auditing capabilities. This technology, coupled with Guidance Software’s services, covers all of the key areas necessary for compliance with NIST 800-61 and 800-86.

[Figure 1. Together, Guidance Software’s technology and services ensure compliance with the requirements set forth by FISMA. Labels in the figure: Automated Incident Response; Incident Response Training; Classified Spillage/eDiscovery; Classified Spillage/eDiscovery Training; Classified Spillage/eDiscovery Services; Enterprise Scalability; Forensically Sound; Technology Training; Network-Enabled Services; Customized Training; Incident Response Services; Policy Development; Forensic Services & Expert Witness Testimony.]

Table of Contents

Computer Security Incident Handling Guide ......... 1
1. Introduction ......... 3
2. Organizing a Computer Security Incident Response Capability ......... 3
   2.1 Events and Incidents ......... 3
   2.2 Need for Incident Response ......... 3
   2.3 Incident Response Policy and Procedure Creation ......... 4
   2.4 Incident Response Team Structure ......... 7
   2.5 Incident Response Team Services ......... 10
   2.6 Recommendations ......... 10
3. Handling an Incident ......... 12
   3.1 Preparation ......... 12
   3.2 Detection and Analysis ......... 14
   3.3 Containment, Eradication, and Recovery ......... 19
   3.4 Post-Incident Activity ......... 23
   3.5 Incident Handling Checklist ......... 24
   3.6 Recommendations ......... 26
4. Handling Denial of Service Incidents ......... 29
   4.1 Incident Definition and Examples ......... 29
   4.2 Preparation ......... 29
   4.3 Detection and Analysis ......... 30
   4.4 Containment, Eradication, and Recovery ......... 31
   4.5 Checklist for Handling Denial of Service Incidents ......... 32
   4.6 Recommendations ......... 33
5. Handling Malicious Code Incidents ......... 35
   5.1 Incident Definition and Examples ......... 35
   5.2 Preparation ......... 35
   5.3 Detection and Analysis ......... 35
   5.4 Containment, Eradication, and Recovery ......... 37
   5.5 Checklist for Handling Malicious Code Incidents ......... 38
   5.6 Recommendations ......... 39
6. Handling Unauthorized Access Incidents ......... 41
   6.1 Incident Definition and Examples ......... 41
   6.2 Preparation ......... 41
   6.3 Detection and Analysis ......... 43
   6.4 Containment, Eradication, and Recovery ......... 45
   6.5 Checklist for Handling Unauthorized Access Incidents ......... 46
   6.6 Recommendations ......... 47
7. Handling Inappropriate Usage Incidents ......... 49
   7.1 Incident Definition and Examples ......... 49
   7.2 Preparation ......... 49
   7.3 Detection and Analysis ......... 50
   7.4 Containment, Eradication, and Recovery ......... 51
   7.5 Checklist for Handling Inappropriate Usage Incidents ......... 52
   7.6 Recommendations ......... 52
8. Handling Multiple Component Incidents ......... 54
   8.1 Incident Definition and Examples ......... 54
   8.2 Preparation, Detection, and Analysis ......... 54
   8.3 Containment, Eradication, and Recovery ......... 54
   8.4 Checklist for Handling Multiple Component Incidents ......... 55
   8.5 Recommendations ......... 55
Appendix A — Recommendations ......... 56

Guide to Integrating Forensic Techniques into Incident Response ......... 65
1. Introduction ......... 66
2. Establishing and Organizing a Forensics Capability ......... 67
   2.1 The Need for Forensics ......... 67
   2.2 Forensic Staffing ......... 68
   2.3 Interactions with Other Teams ......... 69
   2.4 Policies ......... 69
   2.5 Guidelines and Procedures ......... 71
   2.6 Recommendations ......... 71
3. Performing the Forensic Process ......... 73
   3.1 Data Collection ......... 73
   3.2 Examination ......... 76
   3.3 Analysis ......... 76
   3.4 Reporting ......... 76
   3.5 Recommendations ......... 77
4. Using Data from Data Files ......... 78
   4.1 File Basics ......... 78
   4.2 Collecting Files ......... 80
   4.3 Examining Data Files ......... 83
   4.4 Analysis ......... 84
   4.5 Recommendations ......... 85
5. Using Data from Operating Systems ......... 86
   5.1 OS Basics ......... 86
   5.2 Collecting OS Data ......... 88
   5.3 Examining and Analyzing OS Data ......... 91
   5.4 Recommendations ......... 91
6. Using Data from Network Traffic ......... 92
   6.1 TCP/IP Basics ......... 92
   6.2 Network Traffic Data Sources ......... 92
   6.3 Collecting Network Traffic Data ......... 94
   6.4 Examining and Analyzing Network Traffic Data ......... 96
   6.5 Recommendations ......... 102
7. Using Data from Applications ......... 103
   7.1 Application Components ......... 103
   7.2 Types of Applications ......... 105
   7.3 Collecting Application Data ......... 108
   7.4 Examining and Analyzing Application Data ......... 108
   7.5 Recommendations ......... 109
8. Using Data from Multiple Sources ......... 110
   8.1 Suspected Network Service Worm Infection ......... 110
   8.2 Threatening E-mail ......... 112
   8.3 Recommendation ......... 114
Appendix A — Recommendations ......... 115
Glossary ......... 120

Section 1 — Special Publication 800-61
Computer Security Incident Handling Guide
Recommendations of the National Institute of Standards and Technology
Tim Grance, Karen Kent, Brian Kim
January 2004
Abridged by Guidance Software, Inc.