COMPUTER SECURITY INCIDENT HANDLING SCENARIOS

Incident handling scenarios provide an inexpensive and effective way to build incident response skills and identify potential issues with incident response processes. The incident response team or team members are presented with a scenario and a list of related questions. The team then discusses each question and determines the most likely answer. The goal is to determine what the team would really do and to compare that with policies, procedures, and generally recommended practices to identify discrepancies or deficiencies. For example, the answer to one question may indicate that the response would be delayed because the team lacks a piece of software or because another team does not provide off-hours support. The questions listed below are applicable to almost any scenario. Each question is followed by a reference to the related section(s) of the document. After the questions are scenarios, each of which is followed by additional incident-specific questions. Organizations are strongly encouraged to adapt these questions and scenarios for use in their own incident response exercises.

SCENARIO QUESTIONS

Preparation

  • Would the organization consider this activity to be an incident? If so, which of the organization’s policies does this activity violate?
  • What measures are in place to attempt to prevent this type of incident from occurring or to limit its impact?

Detection and Analysis

  • What precursors of the incident, if any, might the organization detect? Would any precursors cause the organization to take action before the incident occurred?
  • What indicators of the incident might the organization detect? Which indicators would cause someone to think that an incident might have occurred?
  • What additional tools might be needed to detect this particular incident?
  • How would the incident response team analyze and validate this incident? What personnel would be involved in the analysis and validation process?
  • To which people and groups within the organization would the team report the incident?
  • How would the team prioritize the handling of this incident?

Containment, Eradication, and Recovery

  • What strategy should the organization take to contain the incident? Why is this strategy preferable to others?
  • What could happen if the incident were not contained?
  • What additional tools might be needed to respond to this particular incident?
  • Which personnel would be involved in the containment, eradication, and/or recovery processes?
  • What sources of evidence, if any, should the organization acquire? How would the evidence be acquired? Where would it be stored? How long should it be retained?

Post-Incident Activity

  • Who would attend the lessons learned meeting regarding this incident?
  • What could be done to prevent similar incidents from occurring in the future?
  • What could be done to improve the detection of similar incidents?

General Questions

  • How many incident response team members would participate in handling this incident?
  • Besides the incident response team, what groups within the organization would be involved in handling this incident?
  • To which external parties would the team report the incident? When would each report occur? 
  • How would each report be made? What information would you report or not report, and why?
  • What other communications with external parties may occur?
  • What tools and resources would the team use in handling this incident?
  • What aspects of the handling would have been different if the incident had occurred at a different day and time (on-hours versus off-hours)?
  • What aspects of the handling would have been different if the incident had occurred at a different physical location (onsite versus offsite)?

SCENARIOS

Scenario 1: Domain Name System (DNS) Server Denial of Service (DoS)

On a Saturday afternoon, external users start having problems accessing the organization’s public websites. Over the next hour, the problem worsens to the point where nearly every access attempt fails. Meanwhile, a member of the organization’s networking staff responds to alerts from an Internet border router and determines that the organization’s Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both of the organization’s public DNS servers. Analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. Also, all the DNS requests from that address come from the same source port.

The following are additional questions for this scenario.

  • Whom should the organization contact regarding the external IP address in question?
  • Suppose that after the initial containment measures were put in place, the network administrators detected that nine internal hosts were also attempting the same unusual requests to the DNS server. How would that affect the handling of this incident?
  • Suppose that two of the nine internal hosts disconnected from the network before their system owners were identified. How would the system owners be identified?
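Turning the traffic observations in this scenario into a first triage check, as an added example that is not part of the original document: aggregate flow records by source address, report the address that dominates inbound UDP/53 traffic to the DNS servers, and note whether all of its requests leave one source port. The flow records, addresses and the 90 % dominance threshold are constructed assumptions.

```python
"""Triage of flow records for the Scenario 1 pattern: a flood of UDP traffic
to the public DNS servers dominated by one external source IP, with every
request leaving the same source port.  Added example; the flows are constructed."""
from collections import Counter, defaultdict

# Constructed NetFlow-style records: (src_ip, src_port, dst_ip, dst_port, proto, packets)
FLOWS = [
    ("203.0.113.7", 40000, "198.51.100.10", 53, "udp", 48000),
    ("203.0.113.7", 40000, "198.51.100.11", 53, "udp", 51000),
    ("192.0.2.44", 53211, "198.51.100.10", 53, "udp", 3),
    ("192.0.2.91", 61002, "198.51.100.11", 53, "udp", 2),
    ("192.0.2.91", 61003, "198.51.100.10", 53, "udp", 1),
    ("203.0.113.7", 40000, "198.51.100.10", 80, "tcp", 12),  # not DNS, ignored
    ("198.51.100.10", 53, "203.0.113.7", 40000, "udp", 47000),  # our responses, ignored
]

DNS_SERVERS = {"198.51.100.10", "198.51.100.11"}  # assumed public DNS server addresses


def dns_query_volume(flows, dns_servers=DNS_SERVERS):
    """Packets per external source IP, and the set of source ports each used,
    for inbound UDP/53 flows addressed to our DNS servers."""
    volume = Counter()
    ports = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port, proto, packets in flows:
        if proto == "udp" and dst_port == 53 and dst_ip in dns_servers:
            volume[src_ip] += packets
            ports[src_ip].add(src_port)
    return volume, ports


def find_dominant_source(flows, dns_servers=DNS_SERVERS, share=0.9):
    """Return (src_ip, fraction_of_query_packets, fixed_source_port) when one
    source sends at least `share` of all inbound DNS query packets, else None.
    fixed_source_port is None if that source used more than one port."""
    volume, ports = dns_query_volume(flows, dns_servers)
    total = sum(volume.values())
    if total == 0:
        return None
    src_ip, pkts = volume.most_common(1)[0]
    fraction = pkts / total
    if fraction < share:
        return None
    # A single, unchanging source port is the detail the scenario calls out.
    fixed_port = next(iter(ports[src_ip])) if len(ports[src_ip]) == 1 else None
    return src_ip, round(fraction, 4), fixed_port


if __name__ == "__main__":
    print(find_dominant_source(FLOWS))  # ('203.0.113.7', 0.9999, 40000)
```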

Scenario 2: Worm and Distributed Denial of Service (DDoS) Agent Infestation

On a Tuesday morning, a new worm is released; it spreads itself through removable media, and it can copy itself to open Windows shares. When the worm infects a host, it installs a DDoS agent. The organization has already incurred widespread infections before antivirus signatures became available several hours after the worm started to spread.

The following are additional questions for this scenario.

  • How would the incident response team identify all infected hosts?
  • How would the organization attempt to prevent the worm from entering the organization before antivirus signatures were released?
  • How would the organization attempt to prevent the worm from being spread by infected hosts before antivirus signatures were released?
  • Would the organization attempt to patch all vulnerable machines? If so, how would this be done?
  • How would the handling of this incident change if infected hosts that had received the DDoS agent had been configured to attack another organization’s website the next morning?
  • How would the handling of this incident change if one or more of the infected hosts contained sensitive personally identifiable information regarding the organization’s employees?
  • How would the incident response team keep the organization’s users informed about the status of the incident?
  • What additional measures would the team perform for hosts that are not currently connected to the network (e.g., staff members on vacation, offsite employees who connect occasionally)?

Scenario 3: Compromised Database Server

On a Tuesday night, a database administrator performs some off-hours maintenance on several production database servers. The administrator notices some unfamiliar and unusual directory names on one of the servers. After reviewing the directory listings and viewing some of the files, the administrator concludes that the server has been attacked and calls the incident response team for assistance. The team’s investigation determines that the attacker successfully gained root access to the server six weeks ago.

The following are additional questions for this scenario.

  • What sources might the team use to determine when the compromise had occurred?
  • How would the handling of this incident change if the team found that the database server had been running a packet sniffer and capturing passwords from the network?
  • How would the handling of this incident change if the team found that the server was running a process that would copy a database containing sensitive customer information (including personally identifiable information) each night and transfer it to an external address?
  • How would the handling of this incident change if the team discovered a rootkit on the server?

Scenario 4: Unknown Exfiltration

On a Sunday night, one of the organization’s network intrusion detection sensors alerts on anomalous outbound network activity involving large file transfers. The intrusion analyst reviews the alerts; it appears that thousands of .RAR files are being copied from an internal host to an external host, and the external host is located in another country. The analyst contacts the incident response team so that it can investigate the activity further. The team is unable to see what the .RAR files hold because their contents are encrypted. Analysis of the internal host containing the .RAR files shows signs of a bot installation.

The following are additional questions for this scenario.

  • How would the team determine what was most likely inside the .RAR files? Which other teams might assist the incident response team?
  • If the incident response team determined that the initial compromise had been performed through a wireless network card in the internal host, how would the team further investigate this activity?
  • If the incident response team determined that the internal host was being used to stage sensitive files from other hosts within the enterprise, how would the team further investigate this activity?

Scenario 5: Unauthorized Access to Payroll Records

On a Wednesday evening, the organization’s physical security team receives a call from a payroll administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. The incident response team has been asked to acquire evidence related to the incident and to determine what actions were performed.

The following are additional questions for this scenario.

  • How would the team determine what actions had been performed?
  • How would the handling of this incident differ if the payroll administrator had recognized the person leaving her office as a former payroll department employee?
  • How would the handling of this incident differ if the team had reason to believe that the person was a current employee?
  • How would the handling of this incident differ if the physical security team determined that the person had used social engineering techniques to gain physical access to the building?
  • How would the handling of this incident differ if logs from the previous week showed an unusually large number of failed remote login attempts using the payroll administrator’s user ID?
  • How would the handling of this incident differ if the incident response team discovered that a keystroke logger was installed on the computer two weeks earlier?

Scenario 6: Disappearing Host

On a Thursday afternoon, a network intrusion detection sensor records vulnerability scanning activity directed at internal hosts that is being generated by an internal IP address. Because the intrusion detection analyst is unaware of any authorized, scheduled vulnerability scanning activity, she reports the activity to the incident response team. When the team begins the analysis, it discovers that the activity has stopped and that there is no longer a host using the IP address.

The following are additional questions for this scenario.

  • What data sources might contain information regarding the identity of the vulnerability scanning host?
  • How would the team identify who had been performing the vulnerability scans?
  • How would the handling of this incident differ if the vulnerability scanning were directed at the organization’s most critical hosts?
  • How would the handling of this incident differ if the vulnerability scanning were directed at external hosts?
  • How would the handling of this incident differ if the internal IP address was associated with the organization’s wireless guest network?
  • How would the handling of this incident differ if the physical security staff discovered that someone had broken into the facility half an hour before the vulnerability scanning occurred?

Scenario 7: Telecommuting Compromise

On a Saturday night, network intrusion detection software records an inbound connection originating from a watchlist IP address. The intrusion detection analyst determines that the connection is being made to the organization’s VPN server and contacts the incident response team. The team reviews the intrusion detection, firewall, and VPN server logs and identifies the user ID that was authenticated for the session and the name of the user associated with the user ID.

The following are additional questions for this scenario.

  • What should the team’s next step be (e.g., calling the user at home, disabling the user ID, disconnecting the VPN session)? Why should this step be performed first? What step should be performed second?
  • How would the handling of this incident differ if the external IP address belonged to an open proxy?
  • How would the handling of this incident differ if the ID had been used to initiate VPN connections from several external IP addresses without the knowledge of the user?
  • Suppose that the identified user’s computer had become compromised by a game containing a Trojan horse that was downloaded by a family member. How would this affect the team’s analysis of the incident? How would this affect evidence gathering and handling? What should the team do in terms of eradicating the incident from the user’s computer?
  • Suppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of the incident? How would this affect the handling of the incident if the user were a system administrator? How would this affect the handling of the incident if the user were a high-ranking executive in the organization?

Scenario 8: Anonymous Threat

On a Thursday afternoon, the organization’s physical security team receives a call from an IT manager, reporting that two of her employees just received anonymous threats against the organization’s systems. Based on an investigation, the physical security team believes that the threats should be taken seriously and notifies the appropriate internal teams, including the incident response team, of the threats.

The following are additional questions for this scenario.

  • What should the incident response team do differently, if anything, in response to the notification of the threats?
  • What impact could heightened physical security controls have on the team’s responses to incidents?

Scenario 9: Peer-to-Peer File Sharing

The organization prohibits the use of peer-to-peer file-sharing services. The organization’s network intrusion detection sensors have signatures enabled that can detect the usage of several popular peer-to-peer file-sharing services. On a Monday evening, an intrusion detection analyst notices that several file-sharing alerts have occurred during the past three hours, all involving the same internal IP address.

  • What factors should be used to prioritize the handling of this incident (e.g., the apparent content of the files that are being shared)?
  • What privacy considerations may impact the handling of this incident?
  • How would the handling of this incident differ if the computer performing peer-to-peer file sharing also contains sensitive personally identifiable information?

Scenario 10: Unknown Wireless Access Point

On a Monday morning, the organization’s help desk receives calls from three users on the same floor of a building who state that they are having problems with their wireless access. A network administrator who is asked to assist in resolving the problem brings a laptop with wireless access to the users’ floor. As he views his wireless networking configuration, he notices that there is a new access point listed as being available. He checks with his teammates and determines that this access point was not deployed by his team, so it is most likely a rogue access point that was established without permission.

  • What should be the first major step in handling this incident (e.g., physically finding the rogue access point, logically attaching to the access point)?
  • What is the fastest way to locate the access point? What is the most covert way to locate the access point?
  • How would the handling of this incident differ if the access point had been deployed by an external party (e.g., contractor) temporarily working at the organization’s office?
  • How would the handling of this incident differ if an intrusion detection analyst reported signs of suspicious activity involving some of the workstations on the same floor of the building?
  • How would the handling of this incident differ if the access point had been removed while the team was still attempting to physically locate it?

INCIDENT-RELATED DATA ELEMENTS

Organizations should identify a standard set of incident-related data elements to be collected for each incident. This effort will not only facilitate more effective and consistent incident handling but also assist the organization in meeting applicable incident reporting requirements. The organization should designate a set of basic elements (e.g., incident reporter’s name, phone number, and location) to be collected when the incident is reported and an additional set of elements to be collected by the incident handlers during their response. The lists below provide suggestions of what information to collect for incidents and are not intended to be comprehensive. Each organization should create its own list of elements based on several factors, including its incident response team model and structure and its definition of the term “incident.”

BASIC DATA ELEMENTS

Contact Information for the Incident Reporter and Handler

  • Name
  • Role
  • Organizational unit (e.g., agency, department, division, team) and affiliation
  • Email address
  • Phone number
  • Location (e.g., mailing address, office room number)

INCIDENT DETAILS

  • Status change date/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc.
  • Physical location of the incident (e.g., city, state)
  • Current status of the incident (e.g., ongoing attack)
  • Source/cause of the incident (if known), including hostnames and IP addresses
  • Description of the incident (e.g., how it was detected, what occurred)
  • Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses, and function
  • If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.)
  • Prioritization factors (functional impact, information impact, recoverability, etc.)
  • Mitigating factors (e.g., a stolen laptop containing sensitive data was using full disk encryption)
  • Response actions performed (e.g., shut off host, disconnected host from the network)
  • Other organizations contacted (e.g., software vendor)
  • General comments

INCIDENT HANDLER DATA ELEMENTS

  • Current status of the incident response
  • Summary of the incident
  • Incident handling actions
  • Log of actions taken by all handlers
  • Contact information for all involved parties
  • List of evidence gathered
  • Incident handler comments
  • Cause of the incident (e.g., misconfigured application, unpatched host)
  • Cost of the incident
  • Business impact of the incident
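One way to enforce the data elements above when an incident is recorded, as an added example that is not part of the original document: a validator that checks the reporter contact elements, requires every status-change timestamp to carry a time zone, checks that the status changes are chronological, and derives the detection and reporting delays a lessons-learned meeting would ask for. The field names and the sample record (modelled on Scenario 3) are constructed assumptions about one way an organization might encode these elements.

```python
"""Validation of an incident record against the incident-related data elements.
Added example, not from the original document; field names and rules are assumptions."""
from datetime import datetime, timedelta, timezone

# Basic data elements collected from the reporter when the incident is reported.
REPORTER_FIELDS = ("name", "role", "unit", "email", "phone", "location")
# Status-change timestamps in the order the incident lifecycle implies.
STATUS_ORDER = ("started", "detected", "reported", "resolved")

def validate_incident(record):
    """Return a list of findings (empty when the record is acceptable):
    reporter contact elements present, every timestamp carries a time zone,
    status changes are chronological, and the core incident details exist."""
    findings = []
    reporter = record.get("reporter", {})
    for field in REPORTER_FIELDS:
        if not reporter.get(field):
            findings.append(f"reporter.{field} missing")
    previous = None
    stamps = record.get("status_times", {})
    for status in STATUS_ORDER:
        ts = stamps.get(status)
        if ts is None:
            if status != "resolved":  # an ongoing incident has no end time yet
                findings.append(f"status_times.{status} missing")
            continue
        if ts.tzinfo is None:  # "including time zone" is part of the element
            findings.append(f"status_times.{status} lacks a time zone")
            continue
        if previous is not None and ts < previous:
            findings.append(f"status_times.{status} precedes earlier status")
        previous = ts
    for field in ("current_status", "description", "affected_resources"):
        if not record.get(field):
            findings.append(f"{field} missing")
    return findings

def dwell_times(record):
    """Hours from start to detection and from detection to report; None where a timestamp is absent."""
    stamps = record["status_times"]
    def hours(a, b):
        if stamps.get(a) is None or stamps.get(b) is None:
            return None
        return (stamps[b] - stamps[a]) / timedelta(hours=1)
    return {"to_detect_h": hours("started", "detected"),
            "to_report_h": hours("detected", "reported")}

# Constructed record modelled on Scenario 3: a six-week-old compromise found during maintenance.
EXAMPLE_RECORD = {
    "reporter": {"name": "D. Admin", "role": "Database administrator", "unit": "IT Operations",
                 "email": "dadmin@example.org", "phone": "+1-555-0100", "location": "Bldg 2, Rm 210"},
    "status_times": {"started": datetime(2024, 1, 30, 22, 0, tzinfo=timezone.utc),
                     "detected": datetime(2024, 3, 12, 23, 15, tzinfo=timezone.utc),
                     "reported": datetime(2024, 3, 12, 23, 40, tzinfo=timezone.utc),
                     "resolved": None},
    "current_status": "ongoing, containment in progress",
    "description": "Unfamiliar directories on a production database server; root access gained",
    "affected_resources": ["db-prod-03 (198.51.100.25), customer database"],
}
```

For the constructed record, `validate_incident` returns no findings and `dwell_times` reports roughly 1009 hours from compromise to detection, the six-week gap the scenario describes.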
