8th HTCIA Asia Pacific Conference 
December 3rd 2014 @ Hong Kong 
LAYING THE 
CORPORATE GROUNDWORK 
FOR EFFECTIVE INCIDENT INVESTIGATION 
THE QUICK WINS 
Albert Hui GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC 
Principal Consultant
WHO AM I? 
Albert Hui GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC 
Principal Consultant 
albert@securityronin.com 
• Spoken at Black Hat, ACFE Asia Pacific Fraud Conference, HTCIA Asia Pacific Conference, and Economist Corporate Network.
• Risk Consultant for Banks, Government and Critical Infrastructures.
• SANS GIAC Advisory Board Member.
• Co-designed the first Computer Forensics curriculum for Hong Kong Police Force.
• Former HKUST Computer Science lecturer.
AGENDA 
• Policy
• Communications Protocol
• Physical Logistics
• Infrastructure Map
• Access Control
• Logging
POLICY 
• Warning Banner: The use of the system may be monitored and recorded.
  (Have legal review it, e.g. EU Data Privacy Directives may forbid this)
• Have users sign / agree to the policy during the annual training program
EMERGENCY COMMUNICATIONS PROTOCOL 
• Primary point of contact
• Call tree
• Out-of-band communications channel
• Conference bridge
PHYSICAL LOGISTICS 
• Designate a room to be the war room:
  • Locked door
  • Locked cabinet
  • Big whiteboard
  • No windows
  • Concrete walls
INFRASTRUCTURE MAP 
• Make readily available:
  • Network diagrams (logical level, showing all access paths and data links)
  • Floor plan
  • Asset inventory (including hardware, OS, purpose)
  • Any system / network management tools
EMERGENCY ACCESS CONTROL 
• Break Glass procedure
  • Privileged account access released (e.g. sealed envelope)
  • Activities logged for review
  • After the incident, the access key is changed to prevent reuse
ENABLE ADEQUATE LOGGING 
• At least enable up to Warning level
• If practical, Information level
CENTRALIZE LOGGING 
Why?
• Increased log retention period (by overcoming the storage limit of log-generating devices)
• Facilitates centralized management (e.g. backup and correlation (SIEM))
• Improved log integrity (an attacker who compromises a log-generating device can tamper with the log entries held on it; the forwarded copy is out of reach)
POPULAR SOFTWARE CHOICES 
• Snare Agents (https://www.intersectalliance.com/our-product/)
• Kiwi Syslog Server (http://www.kiwisyslog.com/products/kiwi-syslog-server/product-overview.aspx)
PROPER LOG COVERAGE 
• Applications
• Platform (e.g. web server, DB server)
• System (e.g. login / logout)
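An added example (not from the slides) tying the three logging slides together: it shows which events the "at least Warning, Information if practical" thresholds forward to a central collector, how a centrally retained copy reveals an entry deleted on the host, and which coverage layers go silent at Warning-only. The field names, severities and sample entries below are constructed for illustration.

```python
# Added example, not from the presentation. The entries are constructed.

# syslog severities (RFC 5424): lower number = more severe
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed log of one host across the three coverage layers:
# system (login / logout), platform (DB server), application.
HOST_LOG = [
    {"ts": "2014-12-03T09:00:01", "layer": "system",
     "severity": "info", "msg": "sshd: accepted login for alice"},
    {"ts": "2014-12-03T09:00:07", "layer": "platform",
     "severity": "warning", "msg": "db: 5 failed logins for account sa"},
    {"ts": "2014-12-03T09:00:09", "layer": "platform",
     "severity": "err", "msg": "db: audit table truncated"},
    {"ts": "2014-12-03T09:00:12", "layer": "application",
     "severity": "info", "msg": "app: customer report exported by alice"},
]


def forward(entries, minimum="warning"):
    """Entries the host ships to the central collector at the given
    threshold ("warning" = the slide's minimum, "info" = if practical)."""
    limit = SEVERITY[minimum]
    return [e for e in entries if SEVERITY[e["severity"]] <= limit]


def missing_locally(local_entries, central_entries):
    """Entries the collector holds but the host no longer has. Only someone
    controlling the host can edit its local log, so a non-empty result is
    the tampering indicator that centralization buys you."""
    seen = {(e["ts"], e["msg"]) for e in local_entries}
    return [e for e in central_entries if (e["ts"], e["msg"]) not in seen]


def coverage_gaps(entries, required=("system", "platform", "application")):
    """Coverage layers for which nothing was forwarded at all."""
    present = {e["layer"] for e in entries}
    return [layer for layer in required if layer not in present]


if __name__ == "__main__":
    central = forward(HOST_LOG, "warning")
    # simulate the attacker deleting the incriminating line on the host
    edited = [e for e in HOST_LOG if "truncated" not in e["msg"]]
    print("forwarded at warning:", len(central))
    print("deleted locally but retained centrally:", missing_locally(edited, central))
    print("layers silent at warning-only:", coverage_gaps(central))
```

At Warning-only the login/logout events never leave the host, which is why the slides recommend Information level where practical.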
RECAP 
• Policy
• Communications Protocol
• Physical Logistics
• Infrastructure Map
• Access Control
• Logging
ANY QUESTIONS? 
THANK YOU 
albert@securityronin.com