http://www.attackprevention.com


Date Submitted: 11/18/07

Practice Your Incident Response Using 12 Scenarios



Added by Papergrl

This is taken from NIST DRAFT Special Publication 800-61, Computer Security Incident Handling Guide.


Scenario 1: DNS Server Denial of Service

On a Saturday afternoon, external users start having problems accessing the organization's public Web sites. Over the next hour, the problem worsens to the point where nearly every attempt to access any of the organization's public Web sites fails. Meanwhile, a member of the organization's networking staff responds to automatically generated alerts from the Internet border router and determines that much of the organization's Internet bandwidth is being consumed by an unusually large volume of UDP packets to and from both of the organization's public DNS servers. An analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. The networking administrator also notices that all of the DNS requests from that address have a source port of either UDP 7 or UDP 19. While this analysis is taking place, the organization's network intrusion detection sensors record suspicious activity related to the echo and chargen services.

The following are additional questions for this scenario:

1. Whom should the organization contact regarding the external IP address used in all of the packets?

2. Suppose that after the initial containment measures were put in place, the network administrators detected that nine internal hosts were attempting the same unusual requests to the DNS server. How would that affect the handling of this incident?

3. Suppose that two of the nine internal hosts left the network before their system owners were contacted. How would the system owners be identified?
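The traffic pattern in this scenario can be confirmed from flow records rather than by eye. The following Python is an added example and is not part of the NIST text: it runs over constructed flow records, flags sources sending UDP traffic to the DNS servers from source port 7 or 19 (echo and chargen), and separates internal from external offenders, which is the distinction the nine-internal-hosts follow-up turns on. The server addresses, internal ranges and sample records are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Echo (7) and chargen (19) are the source ports the administrator saw on the
# requests; DNS listens on UDP 53. Server addresses below are constructed.
ECHO_PORT, CHARGEN_PORT, DNS_PORT = 7, 19, 53
DNS_SERVERS = {"198.51.100.10", "198.51.100.11"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flows(lines):
    """Parse constructed flow records 'src_ip:sport -> dst_ip:dport PROTO pkts'
    into (src_ip, sport, dst_ip, dport, proto, pkts) tuples."""
    flows = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, _, dst, proto, pkts = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((sip, int(sport), dip, int(dport), proto, int(pkts)))
    return flows

def echo_chargen_dns_sources(flows, min_packets=1000):
    """Packets per source for UDP traffic to the DNS servers' port 53 sent from
    source port 7 or 19. Real resolvers use ephemeral source ports, so this is
    the small-service loop pattern; sources under min_packets are noise."""
    counts = Counter()
    for sip, sport, dip, dport, proto, pkts in flows:
        if (proto == "UDP" and dip in DNS_SERVERS and dport == DNS_PORT
                and sport in (ECHO_PORT, CHARGEN_PORT)):
            counts[sip] += pkts
    return {ip: n for ip, n in counts.items() if n >= min_packets}

def split_internal(sources):
    """Split offenders into internal hosts (go to their system owners) and
    external ones (reported to the address owner or upstream provider)."""
    internal = {ip: n for ip, n in sources.items()
                if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)}
    return internal, {ip: n for ip, n in sources.items() if ip not in internal}

SAMPLE_FLOWS = """\
# constructed flow records, not captured traffic
203.0.113.77:7    -> 198.51.100.10:53 UDP 48000
203.0.113.77:19   -> 198.51.100.11:53 UDP 52000
192.0.2.5:51234   -> 198.51.100.10:53 UDP 12
10.0.0.23:7       -> 198.51.100.10:53 UDP 900
10.0.0.23:19      -> 198.51.100.10:53 UDP 400
198.51.100.10:53  -> 203.0.113.77:7   UDP 47900
""".splitlines()

def triage(lines=SAMPLE_FLOWS):
    # Whole pipeline: returns (internal, external) offender dicts.
    return split_internal(echo_chargen_dns_sources(parse_flows(lines)))
```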


Scenario 2: Internally Generated Spam

On a Thursday morning, the organization's "abuse" e-mail account receives a complaint from a person about receiving spam from the organization. The message contains a copy of a spam (with full e-mail headers) that is promoting a get-rich-quick scheme. A security administrator who monitors the abuse account reviews the e-mail and determines that the headers appear to show that the spam was generated using the organization's mail server. The security administrator forwards the e-mail to the incident response team's address, along with a brief note about the activity. A member of the incident response team analyzes the activity and confirms that the spam headers are genuine and that it was sent from the organization's mail server.

The following are additional questions for this scenario:

1. How would the incident response team validate the origin of the spam?

2. How would the organization respond to complaints regarding the spam?
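Validating the origin (question 1) comes down to reading the Received: headers in the right direction: each MTA prepends its own line, so only the lines written by hosts you can vouch for are evidence, and anything below your own relay's line was supplied by the sender. The Python below is an added example, not from the NIST text; the relay name, its IP, the internal workstation and both messages are constructed for it.

```python
import email
import re

# Constructed for the example: the organization's outbound mail relay, by host
# name and by the public IP that other MTAs see it connect from.
OUR_RELAYS = {"mail.example.org": "198.51.100.25"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\([^)]*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\][^)]*\))?"
    r"\s+by\s+(?P<by>\S+)")

def parse_received(value):
    """One Received: value -> claimed sending host, the connecting IP the
    receiving MTA actually recorded (None if absent), and the receiving MTA."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return {"from": m["from"], "ip": m["ip"], "by": m["by"]} if m else None

def trace_origin(raw_message, relays=OUR_RELAYS):
    """Walk Received: headers top-down (each MTA prepends its own, so the first
    is the complainant's) and trust a line only while it was written by the host
    the line above names. The first hop connecting from our relay's IP proves the
    message left our server; the line beneath it is our relay's own and names the
    internal submitter; anything further down may have been forged by the sender."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        if hop is None:
            break
        below = hops[i + 1] if i + 1 < len(hops) else None
        if hop["ip"] in relays.values():
            ours = below is not None and below["by"] in relays
            return {"relayed_by_us": True,
                    "internal_source_ip": below["ip"] if ours else None,
                    "untrusted_hops": max(0, len(hops) - i - 2)}
        if hop["from"] in relays or below is None or below["by"] != hop["from"]:
            break   # our name without our IP, or a broken chain: stop trusting
    return {"relayed_by_us": False, "internal_source_ip": None,
            "untrusted_hops": len(hops)}

# Constructed messages: GENUINE really left our relay, FORGED only claims to.
GENUINE = """\
Received: from mail.example.org (mail.example.org [198.51.100.25]) by mx.complainant.net (Postfix) with ESMTP id 1A2B3C; Thu, 15 Nov 2007 09:12:01 -0500
Received: from ws-mkt-14.corp.example.org (ws-mkt-14.corp.example.org [10.4.7.14]) by mail.example.org (Postfix) with ESMTP id 9F8E7D; Thu, 15 Nov 2007 09:11:58 -0500
Received: from mail.example.org (mail.example.org [198.51.100.25]) by relay.invalid with SMTP; Thu, 15 Nov 2007 01:00:00 -0500
From: promo@example.org

Earn thousands from home!
"""
FORGED = """\
Received: from mail.example.org (unknown [192.0.2.99]) by mx.complainant.net (Postfix) with ESMTP id 4D5E6F; Fri, 16 Nov 2007 03:40:17 -0500
Received: from mail.example.org (mail.example.org [198.51.100.25]) by relay.invalid with SMTP; Fri, 16 Nov 2007 03:00:00 -0500
From: promo@example.org

Earn thousands from home!
"""
```

The internal source IP returned for the genuine message is the workstation to examine next; for the forged one, the complainant's MX recorded a connection from an address that is not the relay's, so the complaint is answered with the headers rather than with an apology.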


Scenario 3: Worm and DDoS Agent Infestation

On a Tuesday morning, a new worm is released on the Internet. The worm exploits a Microsoft Windows vulnerability that was publicly announced 2 weeks before, at which time patches were released. The worm spreads itself through two methods: (1) e-mailing itself to all addresses that it can locate on an infected host and (2) identifying and sending itself to hosts with open Windows shares. The worm is designed to generate a different attachment name for each copy that it mails; each attachment has a randomly generated filename that uses one of over a dozen file extensions. The worm also chooses from more than 100 e-mail subjects and a similar number of e-mail bodies. When the worm infects a host, it gains administrative rights and attempts to download a DDoS agent from different IP addresses using FTP. (The number of IP addresses providing the agent is unknown.) Although the antivirus vendors quickly post warnings about the worm, it spreads very quickly, before any of the vendors have released signatures. The organization has already incurred widespread infections before antivirus signatures become available 3 hours after the worm started to spread.

The following are additional questions for this scenario:

1. How would the incident response team identify all infected hosts?

2. How would the organization attempt to prevent the worm from entering the organization before antivirus signatures were released?

3. How would the organization attempt to prevent the worm from being spread by infected hosts before antivirus signatures were released?

4. Would the organization attempt to patch all vulnerable machines? If so, how would this be done?

5. How would the handling of this incident change if infected hosts that had received the DDoS agent had been configured to attack another organization's Web site the next morning?

6. How would the incident response team keep the organization's users informed about the status of the incident? What if e-mail services were overloaded or unavailable due to the worm?

7. What additional measures, if any, would the team take to take care of hosts that are not currently connected to the network (e.g., staff members on vacation, off-site employees that dial in occasionally)?


Scenario 4: Use of Stolen Credit Card Numbers

On a Monday morning, the organization's legal department receives a call from the FBI regarding some suspicious activity originating from the organization's network. Later that day, an FBI agent meets with the organization's CIO and two members of the legal department to discuss the activity. The FBI has been investigating activity involving online purchases made with several stolen credit card numbers, and more than 30 of the transactions during the past week have been traced to one of the organization's IP addresses. The agent asks for the organization's assistance, and in turn, the legal department and the CIO ask for the incident response team's assistance in acquiring the necessary evidence. It is vitally important that this matter be kept confidential.

The following are additional questions for this scenario:

1. From what sources might the incident response team gather evidence?

2. How would the team identify which host is currently using the specified IP address? How would the team demonstrate which host had been using the specified IP address a week ago?

3. What would the team do to keep the investigation confidential?


Scenario 5: Compromised Database Server

On a Tuesday night, a database administrator performs some off-hours maintenance on several production database servers. The administrator notices some unfamiliar and unusual directory names on one of the servers. After reviewing the directory listings and viewing some of the files, the administrator concludes that the server has been attacked and calls the incident response team for assistance. The team's investigation determines that the attacker successfully gained root access to the server 6 weeks ago.

The following are additional questions for this scenario:

1. What sources might the team use to determine when the compromise had occurred?

2. How would the handling of this incident change if the team found that the database server had been running a packet sniffer and capturing passwords from the network?

3. How would the handling of this incident change if the team found that the server was running a process that would copy a database containing sensitive customer information each night and email it to an external address?


Scenario 6: Virus Hoax

On a Wednesday afternoon, a user forwards an e-mail to the help desk about a terrible new virus. The user received the e-mail from a friend at another organization. The e-mail states that the new virus cannot be detected by antivirus software and that users should look for and delete three particular virus files from their hard drives. A help desk agent researches the message, determines that it is a virus hoax, and responds to the user by e-mail.

Meanwhile, other users receive the same virus warning e-mail from other outside parties and forward it to others inside and outside the organization. By Thursday afternoon, the help desk has received several calls that appear to be related to individuals deleting the three "virus files" from their hard drives; these files are actually legitimate files that certain applications use. The lead help desk agent asks for the incident response team's assistance.

The following is an additional question for this scenario:

1. Would the organization proactively identify hosts that are missing the three files? If so, how would this be done? If not, what negative effect would this have?


Scenario 7: Unauthorized Materials on the FTP Server

While creating a weekly usage report, a network administrator notices that off-hours bandwidth utilization on the organization's DMZ segment has been significantly higher than usual. The administrator configures network monitoring software to collect more detailed statistics on DMZ bandwidth usage. The next day, the administrator sees that an unusually large percentage of the activity involves the organization's FTP server. The network administrator contacts the FTP server administrator, who has just returned from vacation, regarding the increase in activity. The FTP administrator quickly determines that the server is hosting unauthorized materials, which appear to include pirated software, songs, and movies. The administrator contacts the incident response team regarding the activity.

The following are additional questions for this scenario:

1. Would the team attempt to identify all individuals who had uploaded illegal materials to the FTP server? If so, how would this be done?

2. Would the team attempt to verify that the unauthorized materials were illegal? If so, how would this be done?


Scenario 8: Outbound DDoS Attack

On a Sunday night, the organization's network intrusion detection sensor alerts on suspected outbound DDoS activity involving a high volume of ICMP pings. The intrusion analyst reviews the alerts; although the analyst cannot confirm that the alerts are accurate, they do not match any known false positives. The analyst contacts the incident response team so that it can investigate the activity further. Because the DDoS activity uses spoofed source IP addresses, it takes considerable time and effort to determine which host or hosts within the organization are producing it; meanwhile, the DDoS activity continues. The investigation shows that five servers appear to be generating the DDoS traffic. Analysis of the five servers shows that each contains signs of a DDoS rootkit. In addition, three of the servers appear to have been used to attack other internal hosts, and one appears to have been used for attacking external hosts as well.

The following are additional questions for this scenario:

1. How would the team determine which hosts within the organization were producing the traffic? Which other teams might assist the incident response team?

2. Would the organization contact the owners of the IP addresses that the DDoS attack had targeted? If so, who would contact them, and how would the contact be performed?

3. If the incident response team determined that the initial compromise had been performed through a modem in one of the servers, how would the team further investigate this activity?


Scenario 9: Unauthorized Access to Payroll Records

On a Wednesday evening, the organization's physical security team receives a call from a payroll administrator who caught an unknown person leaving her office. The administrator saw the person run down the hallway and enter a staircase that leads to a building exit. The administrator had left her workstation unlocked and unattended for just a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. The incident response team has been asked to acquire evidence related to the incident and to determine what actions were performed (e.g., payroll data access or modification, Trojan horse delivery).

The following are additional questions for this scenario:

1. How would the team determine what actions had been performed?

2. How would the handling of this incident differ if the payroll administrator had recognized the person leaving her office as a former payroll department employee?

3. How would the handling of this incident differ if the physical security team determined that the person had used social engineering techniques to gain physical access to the building and the payroll department?

4. How would the handling of this incident differ if the team had reason to believe that the person was a current employee?

5. How would the handling of this incident differ if remote access logs from the previous week showed an unusually large number of failed login attempts using the payroll administrator's user ID?


Scenario 10: Hacking Tool Download

On a Friday afternoon, a network intrusion detection sensor records some suspicious FTP activity involving an internal user downloading files from an external FTP server. The intrusion analyst reviews the alerts and notices that the alerts are false positives. Although the alerts indicate that an attack has occurred, the supporting data recorded by the sensor show no signs of an attack. However, the data raise other concerns, because they show that the user is downloading executables from a suspicious directory structure containing repeated spaces and periods, as well as characters that are not usually seen in FTP directory names. The intrusion analyst uses an Internet search engine to look for more information on the executable names, and several of them match the names of hacking tools. The analyst contacts the incident response team to perform further analysis and determine how this activity should be handled.

The following are additional questions for this scenario:

1. How would the team determine what files the user had downloaded?

2. How would the team confirm that the files that had been downloaded were hacking tools?

3. How would the handling of this incident differ if the user suspected of downloading the tools was a member of the organization's information security team?

4. How would the handling of this incident differ if the user suspected of downloading the tools was a member of the incident response team?

5. How would the handling of this incident differ if the user suspected of downloading the tools was a contractor that had just found out that his contract was not being renewed?


Scenario 11: Disappearing Host

On a Thursday afternoon, a network intrusion detection sensor records vulnerability scanning activity directed at internal hosts that is being generated by an internal IP address. Because the intrusion detection analyst is unaware of any authorized, scheduled vulnerability scanning activity, she reports the activity to the incident response team. When the team begins the analysis, it discovers that the activity has stopped and that there is no longer a host using the IP address.

The following are additional questions for this scenario:

1. What data sources might contain information regarding the identity of the vulnerability scanning host?

2. How would the team identify who had been performing the vulnerability scans?

3. How would the handling of this incident differ if the vulnerability scanning were directed at the organization's most critical hosts?

4. How would the handling of this incident differ if the vulnerability scanning were directed at external hosts?

5. How would the handling of this incident differ if the physical security staff discovered that someone had broken into the facility half an hour before the vulnerability scanning occurred?
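Both Scenario 4 (question 2: which host had the IP address a week ago) and Scenario 11 (questions 1 and 2: who was behind an address that no longer has a host) are answered from the same record, the DHCP server's lease history, which ties an address to a MAC and hostname over time. The Python below is an added example, not from the NIST text: it rebuilds lease intervals from ISC dhcpd syslog lines and answers "who held this address at that moment". The log lines, addresses and MACs are constructed, and the year is supplied by the caller because classic syslog timestamps omit it.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# ISC dhcpd syslog lines, constructed for the example. Classic syslog
# timestamps carry no year, so the caller supplies it.
SAMPLE_LOG = """\
Nov 12 08:02:11 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:33:44:55 (ws-payroll-07) via eth0
Nov 12 20:02:11 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:33:44:55 (ws-payroll-07) via eth0
Nov 13 17:45:03 dhcp1 dhcpd: DHCPRELEASE of 10.20.30.40 from 00:11:22:33:44:55 (ws-payroll-07) via eth0
Nov 15 13:20:19 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to de:ad:be:ef:00:01 via eth0
Nov 15 14:02:58 dhcp1 dhcpd: DHCPRELEASE of 10.20.30.40 from de:ad:be:ef:00:01 via eth0
""".splitlines()

LEASE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"(?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>[\d.]+) (?:to|from) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?")

@dataclass
class Lease:
    ip: str
    mac: str
    host: str
    start: datetime
    end: "datetime | None" = None   # None while the lease is still open

def parse_leases(lines, year):
    """Build {ip: [Lease, ...]} in time order: a DHCPACK for a new MAC closes the
    open lease on that IP, a renewal by the same MAC keeps it, DHCPRELEASE closes it."""
    history = {}
    for line in lines:
        m = LEASE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        leases = history.setdefault(m["ip"], [])
        current = leases[-1] if leases and leases[-1].end is None else None
        if m["kind"] == "DHCPACK on":
            if current and current.mac == m["mac"]:
                continue                      # renewal by the same holder
            if current:
                current.end = ts              # address handed to a new MAC
            leases.append(Lease(m["ip"], m["mac"], m["host"] or "", ts))
        elif current and current.mac == m["mac"]:
            current.end = ts
    return history

def holder_at(history, ip, when_iso):
    """Lease covering ip at ISO time when_iso, or None if it was unassigned then."""
    when = datetime.fromisoformat(when_iso)
    for lease in history.get(ip, []):
        if lease.start <= when and (lease.end is None or when < lease.end):
            return lease
    return None
```

A None result for the time of the scanning is the disappearing-host case: the address is free now, but the lease that covered it still names the MAC, which switch port tables or NAC records can then tie to a physical location.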


Scenario 12: Telecommuting Compromise

On a Saturday night, network intrusion detection software records some probes and scans originating from an internal IP address. Host intrusion detection software on a few servers also records some of the probes and scans. The intrusion detection analyst determines that the internal IP address belongs to the organization's VPN server and contacts the incident response team. The team reviews the intrusion detection, firewall, and VPN server logs and identifies the external IP address that is generating the activity, the user ID that was authenticated for the session, and the name of the user associated with the user ID.

The following are additional questions for this scenario:

1. What should the team's next step be (e.g., calling the user at home, disabling the user ID, disconnecting the VPN session)? Why should this step be performed first? What step should be performed second?

2. Suppose that the identified user's personal computer had become compromised by a game containing a Trojan horse that was downloaded by a family member. How would this affect the team's analysis of the incident? How would this affect evidence gathering and handling?

3. How would the handling of this incident differ if the external IP address belonged to the identified user, but the IP address was a firewall device performing Network Address Translation (NAT) for 8 hosts behind it?

4. What should the team do in terms of eradicating the incident from the user's personal computer?

5. Suppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of the incident? How would this affect the handling of the incident if the user were a system administrator? How would this affect the handling of the incident if the user were a high-ranking executive in the organization?

6. How would the handling of this incident differ if the external IP address were not being used by the identified user?

7. How would the handling of this incident differ if the user reinstalled the operating system on the affected host before the team could perform any analysis on the host?



Copyright 2008 AttackPrevention