Transcript (www.iltanet.org)

Identifying and Responding to Security Incidents in the Law Firm
Presented by: Carlos Batista, Information Security Manager, Alston & Bird LLP

Learning Objectives
- Understand how one law firm developed and enacted a formal Computer Incident Response Team (CIRT)
- Identify key stakeholders in Incident Response
- Identify the most likely scenarios for a computer security breach
- Define a methodology and establish measures for how to respond to such breaches

About Alston & Bird:
- National, Full-Service Law Firm
- 725 Attorneys, 5 U.S. Offices
- 240 Servers & 2,100 Desktops
- Almost all IT & Security Services Hosted In-House
- 25% of Servers Virtualized

The Benefits of a Computer Incident Response Team (CIRT)
- Proactive approach to responding to a security breach
- Better prepared to collect & analyze forensic-quality evidence
- Less downtime for impacted / breached and unimpacted systems
- Firm’s reputation is better preserved by following proper containment strategies

#1 Key to CIRT Planning & Success: Senior Management Support!

How to Form a CIRT – Key Players
Core Team:
- Information Security Manager (CIRT Team Leader)
- IT Infrastructure Manager
- Director of I.T.
- Information Security Analyst
- Facilities Manager
Support Team:
- Finance Manager
- BC / DR Representative
- H.R. Representative
- Business Development / Public Relations
- Attorney / Loss Prevention
- C.I.O.

Identify Likely Breach Scenarios
There are many security breach scenarios – you need to narrow them down to a few and address how to respond to those.
We chose to develop responses to four scenarios:
- Significant Computer or Network Equipment Theft
- Compromise of Firm’s Website
- Virus or Worm Outbreak on the Network
- Unauthorized Disclosure by Electronic Means

Identify a Methodology for Responding
Response scenarios are typically easier to devise when an overall strategy or methodology is followed.
We chose the PDCERF model (Schultz & Shumway) for incident response.

PDCERF Methodology Defined
- Preparation – Being ready to respond before an incident actually occurs.
- Detection – Determining that something malicious has actually occurred.
- Containment – Limiting the extent of an incident, preventing further damage from occurring.
- Eradication – Finding and eliminating the root cause or causes that made the incident possible.
- Recovery – Restoring the environment to its pre-incident state, but protected so the incident cannot reoccur.
- Follow-Up – Reviewing and integrating “lessons learned” into your incident response plans and security operations.

Scenario #2 – Compromise of Firm’s Website

Preparation
- Determined Incident Response Posture & Obtained Approval
- Configured FW, IDS/IPS Optimally for Attack Detection
- Configured Web Server & Database Logging
- Created Known-Good System Backups with MD5 Hashes
- Synchronized Network Time across All Devices
- Established Relationship with InfraGard (FBI)
- Created CIRT Calling Tree
- Created “Maintenance” Website
- Built Documentation on CIRT Framework and Cutover Procedures
- Prepare to Record Everything During an Incident (Timeline)

Detection
- Interfaced with Support Groups / Help Center to define a Notification Plan
- Defined SLAs for Initial Response, First Meeting, and Incident Updates to Management
- Defined Procedures for Initial Evidence Gathering
- Created Secure Repository for All Digital Evidence

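The Preparation slide asks the team to record everything during an incident against synchronized clocks, and the Detection slide adds a secure repository for digital evidence. The following is an added example, not Alston & Bird's tooling or procedure: a hash-chained incident timeline in which every entry commits to the hash of the entry before it, and evidence items are referenced only by their SHA-256. An entry that is reworded or removed after the fact is then detected when the stored record is verified. The class and function names, the incident id and the sample events are all constructed for the example.

```python
"""Hash-chained incident timeline (added example, not the firm's procedure).

Each entry includes the SHA-256 of the previous entry, so editing or deleting
an entry after the fact breaks the chain when the record is verified.
Evidence items are referenced only by their SHA-256 so the timeline can be
circulated to management without handing out the evidence itself.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_hash(body):
    """Canonical SHA-256 over an entry without its own 'hash' field."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class IncidentTimeline:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, action, evidence=None, when=None):
        """Append one event. `when` must be timezone-aware (the deck
        synchronizes network time for exactly this reason); `evidence` is
        optional raw bytes whose digest is stored instead of the content."""
        when = when or datetime.now(timezone.utc)
        if when.utcoffset() is None:
            raise ValueError("timestamps must be timezone-aware")
        body = {
            "incident_id": self.incident_id,
            "seq": len(self.entries),
            "timestamp": when.astimezone(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence else None,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_entry_hash(body))
        self.entries.append(entry)
        return entry

    def to_json(self):
        """Serialized form for the evidence repository."""
        return json.dumps(self.entries, indent=2)


def verify_chain(entries):
    """Return the index of the first entry whose sequence number, back-link
    or self-hash does not check out, or None if the whole chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or entry.get("prev_hash") != prev
                or _entry_hash(body) != entry.get("hash")):
            return i
        prev = entry["hash"]
    return None


def demo_scenario():
    """Constructed walk-through: a three-entry timeline, then two kinds of
    tampering with the stored record. Returns the verify_chain() results."""
    t0 = datetime(2009, 3, 2, 14, 5, tzinfo=timezone.utc)  # constructed time
    tl = IncidentTimeline("IR-EXAMPLE-001")  # placeholder incident id
    tl.record("help center", "Website reported unavailable", when=t0)
    tl.record("infosec analyst", "IDS alert exported",
              evidence=b"constructed IDS alert export", when=t0.replace(minute=12))
    tl.record("CIRT leader", "Website VM paused, files copied to forensic server",
              when=t0.replace(minute=30))

    clean = verify_chain(json.loads(tl.to_json()))

    edited = json.loads(tl.to_json())
    edited[1]["action"] = "No alert seen"   # after-the-fact rewording
    deleted = json.loads(tl.to_json())
    del deleted[1]                          # entry removed from the record

    return {"clean": clean, "edited": verify_chain(edited), "deleted": verify_chain(deleted)}


if __name__ == "__main__":
    print(demo_scenario())  # {'clean': None, 'edited': 1, 'deleted': 1}
```

The chain only proves that the record has not changed since it was written; it does not prove who wrote it. Storing the serialized timeline in the evidence repository with its own access log covers that gap, and the canonical JSON form means the record can be re-verified by anyone with the file, not only the original tooling.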
Containment
- VMware Guest Machines for Website Paused
- VMware Files Copied to a Forensic Server
- Impacted Hosts Segmented from Rest of Network
- Full Disclosure Kept Strictly Confidential
- Help Center Instructed to Inform Others Website is Experiencing “Technical Difficulties”
- External Parties Not Contacted (Not Currently)

Eradication
- Depends Largely on the Determined Root Cause
- May Involve Software Updates, Software Removal, Configuration Changes, Better Change Control, Operational Security, Physical Security, etc.
- Changes Tested in QA / Development Environment as Much as Possible

Recovery
- All Impacted Systems Are Flattened and Rebuilt
- Rebuilds Performed from Certified Known-Good Backup (MD5)
- Procedures Developed for Rebuild to Minimize Possibility of Breach Reoccurring
- Mitigations to Address Root Cause of Breach Implemented
- Validation Testing Performed
- Access to Fully Operational Website Re-enabled

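The Preparation slide records MD5 hashes for the known-good system backups, and this slide rebuilds from that certified backup and then validates the result. The following is an added example, not the firm's own tooling, of the mechanism behind both steps: a baseline manifest of per-file digests taken from a clean build, and a verification pass that reports which files were modified, removed or introduced. It keeps MD5 because that is what the deck uses, and records SHA-256 alongside it because MD5 collisions are cheap to produce today, so a matching MD5 alone no longer certifies a file. The function names and the sample web root are constructed for the example.

```python
"""Known-good baseline and integrity check (added example; not the firm's
own tooling). build_manifest() records a digest for every file under a
tree, verify_manifest() reports what changed since. MD5 is kept because
the deck uses it; SHA-256 is recorded alongside because MD5 collisions are
cheap to produce, so a matching MD5 alone no longer certifies a file.
"""
import hashlib
import json
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha256")


def digest_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory byte string, e.g. a single config file."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS):
    """Digests of a file, read in 64 KiB chunks so large images stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its digests."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hash_file(p) for p in files}


def save_manifest(manifest, dest):
    """Write the baseline; keep it off-host, in the evidence repository."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def verify_manifest(root, manifest):
    """Compare the live tree with the baseline. Every path lands in exactly
    one of: ok, modified (any digest differs), missing, added."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "added": []}
    for rel, digests in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digests:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def is_clean(report):
    """True only when nothing was modified, removed or introduced."""
    return not (report["modified"] or report["missing"] or report["added"])


def demo_scenario():
    """Constructed walk-through: baseline a small web root, then simulate
    a defaced page, a deleted file and an unexpected new file before
    verifying against the saved baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "webroot"
        (webroot / "css").mkdir(parents=True)
        (webroot / "index.html").write_text("<h1>Firm home page</h1>")
        (webroot / "css" / "site.css").write_text("body { margin: 0 }")
        (webroot / "robots.txt").write_text("User-agent: *\n")

        baseline = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(webroot), baseline)

        # Simulated post-incident state of the same tree.
        (webroot / "index.html").write_text("<h1>Defaced</h1>")
        (webroot / "robots.txt").unlink()
        (webroot / "unexpected.txt").write_text("not part of the build")

        return verify_manifest(webroot, load_manifest(baseline))


if __name__ == "__main__":
    report = demo_scenario()
    print(json.dumps(report, indent=2))
    print("clean" if is_clean(report) else "differences found")
```

Taking the baseline from the certified backup rather than from the running server is the point: a manifest built after the compromise would simply bless whatever the intruder left behind. The same verify pass, run on a schedule against the rebuilt server, is the kind of integrity check the Next Steps slide considers Tripwire for.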
Follow-Up
Post-Mortem Meetings to Review the Following:
- Timeline
- Response Time
- Recovery Procedures
- Evidence Gathered
- Investigatory Next Steps - If Applicable
- Parties Involved – Should Others Be Brought In?
- Disposition of Evidence
- What Can Be Done Better?
- Update Scenario Response Plan

CIRT – Next Steps
- Continue Working on Scenarios – Incident Response is a Process, not a Project
- Implement Syslog Server
- Investigate Using Tripwire for Integrity Checks
- Integrate AlertFind into CIRT Procedures
- Actively Test Scenarios – Challenging Because Downtime is Required

References
- Schultz & Shumway: Incident Response – A Strategic Guide to Handling System and Network Security Breaches.
- Mandia, Prosise & Pepe: Incident Response & Computer Forensics (2nd Edition).
- SANS Institute (sans.org)

Questions / Comments?
“In God we trust… all others we virus scan.” - Anonymous