SANS InfoSec Reading Room - Incident Handling
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 61 papers as of Nov 8, 2009
Cisco Security Agent and Incident Handling
- By: Greg Farnham (posted on October 1, 2009)
An implementation of Cisco Security Agent (CSA) is analyzed and impacts to the incident handling process are identified. In addition, guidance is provided to configure CSA to support the incident handling process.
Simple Windows Batch Scripting for Intrusion Discovery
- By: Tim Proffitt (posted on September 29, 2009)
Common free tools and automatic batch scripting that can be used to identify an intrusion on a Windows operating system.
Mitigating Insider Sabotage
- By: Joseph Garcia (posted on September 28, 2009)
How failing to create an effective termination policy and deploy correct user access controls to deter insider threats can be costly.
Security Incident Handling in High Availability Environments
- By: Algis Kibirkstis (posted on September 15, 2009)
SANS Whitepaper discussing a security incident handling process for high-availability systems.
Investigative Tree Models
- By: Rodney Caudle (posted on September 15, 2009)
Investigative tree models provide a structured approach to incident handling during incident response. This SANS whitepaper explores definable, reproducible structures to be created facilitating controlled cost exposure during an incident response cycle.
Incident Handlers Guide to SQL Injection Worms
- By: Justin Folkerts (posted on June 18, 2009)
This paper seeks to demystify an innovative type of attack known as a SQL Injection Worm.
Virtual Rapid Response Systems
- By: Chris Mohan (posted on June 11, 2009)
This paper aims to provide organizations with a quick and effective response to IT security breaches at remote locations with a virtual response platform.
The SirEG Toolkit
- By: François Bégin (posted on April 23, 2009)
This paper provides the reader an overview of the SirEG Toolkit, then discusses the type of data it captures on a suspicious host and more importantly, how that data is captured.
A Guide to Encrypted Storage Incident Handling
- By: Wylie Shanks (posted on April 9, 2009)
Encrypted storage solutions provide confidentiality of data; however, they have also created a need for effective incident response. Privacy legislation and regulatory compliance mandates are increasingly driving encrypted storage solution deployments. This document provides incident handlers with a few tools and processes in order to respond effectively to incidents involving encrypted storage solutions.
Security Incident Handling in Small Organizations
- By: Glenn Kennedy (posted on December 16, 2008)
Intrusion Detection Likelihood: A Risk-Based Approach
- By: Blake Hartstein (posted on November 5, 2008)
The goal of this paper is to highlight the useful aspects of Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS).
Tips for Making Security Intelligence More Useful
- By: Mason Pokladnik (posted on October 9, 2008)
Expanding Response: Deeper Analysis for Incident Handlers
- By: Russ McRee (posted on October 9, 2008)
Most incident handlers likely have a toolkit they’re fond of that, in all probability, contains tools most handlers are familiar with. It is the intent of this paper to expand common horizons and discuss tools that may not readily appear in a typical toolkit.
MALWARE 101 – VIRUSES
- By: Aman Hardikar (posted on July 15, 2008)
An approach to the ultimate in-depth security event management framework
- By: Nicolas Pachis (posted on June 23, 2008)
Mining gold... A primer on incident handling and response
- By: Stacy Jordan (posted on June 23, 2008)
Creating and Maintaining Policies for Working with Law Enforcement
- By: Tim Proffitt (posted on May 21, 2008)
Incident Handling for SMEs (Small to Medium Enterprises)
- By: Terry Morreale (posted on May 20, 2008)
Breach Notification in Incident Handling
- By: Jeffery Buffington (posted on March 4, 2008)
Espionage - Utilizing Web 2.0, SSH Tunneling and a Trusted Insider
- By: Ahmed Abdel-Aziz (posted on February 11, 2008)
Since the threat trend is moving from large numbers of unfocused attacks to fewer, highly targeted and financially motivated attacks [Kinghorn 2007], espionage security incidents are naturally expected to be on the rise.
Through this technical report, I hope to demonstrate to readers an example of how social networking sites, which are becoming ever more popular, can aid an attacker [Walls 2007], especially in the reconnaissance and exploit stages of the attack. It also highlights the danger of the improper use of the SSH reverse tunneling technique, and how important it is to have a security policy that users are aware of and follow.
Baselines and Incident Handling
- By: Chris Christianson (posted on January 29, 2008)
Preparation is an important part of the incident handling process (SANS, n.d.); it is the only part of the process that an incident handler can do ahead of time. Preparing well can help an incident handler to identify and respond to an incident more quickly. It can also help him or her to be more efficient throughout the entire incident handling process.
Documentation is to Incident Response as an Air Tank is to Scuba Diving
- By: Chet Langin (posted on December 11, 2007)
Multi-Tool DVD Sets: An important addition to the Incident Handler/ Pen Tester's toolkit
- By: Jamal Bandukwala (posted on November 20, 2007)
Creating and Managing an Incident Response Team for a Large Company
- By: Timothy Proffitt (posted on July 18, 2007)
Using good communication skills, clear policies, professional team members and utilizing training opportunities, a company can run a successful incident response team.
An Incident Handling Process for Small and Medium Businesses
- By: Mason Pokladnik (posted on June 18, 2007)
This paper's intention is to assist you in getting an incident response capability off the ground in a SMB environment by analyzing some of the constraints of a smaller corporate environment.
International Cybercrime Treaty: Looking Beyond Ratification
- By: Daniel Robel (posted on March 28, 2007)
For the purposes of this paper, a global incident can be defined as an incident involving the computers, network, or assets of more than one nation-state. An incident implies harm or the attempt to harm. The term incident refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.
Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics
- By: RickyD Smith (posted on February 9, 2007)
One of the first steps that an incident handler takes for a potential computer incident is verifying that an incident has actually occurred. As part of the verification process, the incident handler will need to examine the system looking for evidence of the incident.
Secure File Deletion: Fact or Fiction?
- By: John R. Mallery (posted on January 18, 2007)
This paper will deal with how and where some of these files are created and how to securely remove them from a system.
Incident Management 101 Preparation & Initial Response (aka Identification)
- By: Robin Dickerson (posted on January 17, 2005)
According to SANS, there are six steps involved in properly handling a computer incident: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Incident Management 101 provides guidelines, procedures, and tools designed to assist security specialists with the first two phases of Incident Management: Preparation and Initial Response (aka the Identification phase).
Reporting Incidents to an ISP with BlackICE ClearICE Report Utility and the Importance of Submitting Firewall Logs to the Dshield.org Project
- By: Victor Arnaud (posted on March 9, 2004)
This practical has two objectives: guide users of BlackICE to report incidents to their ISPs (using ClearICE Report Utility) and show users the importance of submitting firewall logs to the dshield.org project.
Implementing a Computer Incident Response Team in a Smaller, Limited Resource Organizational Setting
- By: Mary Hall (posted on October 31, 2003)
Development and implementation of a Computer Incident Response Team is a major undertaking in any organization.
Windows Responders Guide
- By: Koon Yaw Tan (posted on October 31, 2003)
This paper provides a first responder guide to handling incidents that occur on a Windows platform system.
Building an Incident Response Program To Suit Your Business
- By: Tia R. Osborne (posted on October 31, 2003)
The purpose of this paper is to outline the key concepts of an Incident Response Program (IRP).
Developing a Computer Forensics Team
- By: Christine Vecchio-Flaim (posted on October 31, 2003)
Efforts to establish sound information assurance programs are rapidly evolving due to increased connectivity, enhanced technology, and the continuous introduction of operating and application systems software.
Proposed Conceptual Tools for Managing Cost and Complexity When Securing Networks
- By: Kathleen E. Howard (posted on October 31, 2003)
This paper will describe the cost and complexity issues facing security professionals, outline the desired outcome in facing these issues, and finally will suggest initial proposals for reaching those goals.
Identify Intrusions with Microsoft Proxy Server, Web Proxy Service and WinSock Proxy Service Log Fil
- By: Saundra Coward (posted on October 31, 2003)
This paper provides a guide on how to identify intrusions using Microsoft's Proxy Server log files.
Nailing the Intruder
- By: Vinay Narayan Disley (posted on October 31, 2003)
This paper is an attempt to link the various aspects of evidence relating to computer crime, the sources of such evidence and some tips on how to identify systems compromised and cull out evidence from the same.
Reporting Unauthorized Intrusions: A "How To" Guide
- By: Melton J. Roland (posted on October 31, 2003)
This paper provides a "how to" guide for reporting unauthorized intrusions.
The Enemy Within: The Role of the Security Administrator in Apprehending and Terminating the Malicio
- By: Robin Stuart (posted on October 31, 2003)
The following information is set forth to generally describe the tools available to security administrators to facilitate the apprehension of, and participate in the resolution of, internal threats to your organization's sensitive or restricted resources.
Successful Partnerships for Fighting Computer Crime
- By: Beth Binde (posted on October 31, 2003)
Given the wide range of possible criminal activities in the high technology arena, computer security officers need to be prepared to respond to computing incidents that are not only against the local acceptable use policy for computers and networks, but also violate federal, state or local statutes.
Information Security: Handling Compromises
- By: Craig L. Bowser (posted on October 31, 2003)
While the corporate sector may not be guarding national secrets, they are protecting valuable information such as trade secrets, financial documents and personal information.
Collection and Dissemination of Computer and Internet Security Related Information
- By: Scott Fox (posted on October 31, 2003)
Ongoing advances in technology and the growth of the Internet are introducing not only an increase in the number of vulnerabilities being found, but also an increase in the complexity of system administration, incident handling and forensic analysis work.
Adventures in Computer Forensics
- By: Diana J. Michaud (posted on October 31, 2003)
Computer forensics is one piece to the investigative puzzle.
CodeRed II: Incident Handling Process and Procedures
- By: Michael Goodwin (posted on October 31, 2003)
This paper uses the CodeRed II virus as a template to generate questions to help you better prepare for the next virus outbreak.
Building a Low Cost Forensics Workstation
- By: Matthew McMillon (posted on October 31, 2003)
This paper will outline the fundamentals of computer forensic investigation and then, based on these essentials, create requirements for a low cost forensics workstation for use in electronic investigations.
Investigating an Internal Case of Internet Abuse
- By: Mal Wright (posted on October 31, 2003)
I was recently required to investigate an incident of Internet abuse and this essay describes the detection, investigation and various tools used to collect the evidence.
Computer Incident Response Team
- By: Michelle Borodkin (posted on October 31, 2003)
This paper is designed to answer the big questions about Computer Incident Response Teams including: What is a CIRT? Who should be on a CIRT and what function will they serve? And, What steps need to be taken to implement a CIRT?
Incident Response and Creating the CSIRT in Corporate America
- By: Chris Thompson (posted on October 31, 2003)
The purpose of this document is to discuss implementing a formal incident response organization.
An Overview of Disk Imaging Tool in Computer Forensics
- By: Madihah Mohd Saudi (posted on October 31, 2003)
The objective of this paper is to educate users on disk imaging tools, describe the issues that arise in using disk imaging, offer recommended solutions to these issues, and give examples of disk imaging tools.
Combating Computer Crime
- By: Jason Upchurch (posted on October 31, 2003)
Computer crime and computer related crimes are growing areas of concern for both law enforcement and businesses alike.
Corporate Incident Handling Guidelines
- By: David Theunissen (posted on October 31, 2003)
If you are a large multinational corporation without a large security function, this paper will help you approach some of the common problems in preparing incident handling procedures.
From Events to Incidents
- By: Charles Pham (posted on October 31, 2003)
This paper is an attempt at clarifying "events" and "incidents" for training purposes so that effective filtering can be applied when it comes to reporting an incident.
Computer Forensics: Introduction to Incident Response and Investigation of Windows NT/2000
- By: Norman Haase (posted on October 31, 2003)
The purpose of this paper is to be an introduction to computer forensics.
Computer Forensic Legal Standards and Equipment
- By: Damian Tsoutsouris (posted on October 31, 2003)
Computer Incident Response Teams (CIRTs), network security, and intellectual property (IP) security are growing in importance and are becoming many companies' top priority in this age of increasingly security-conscious commerce.
One Incident Of Remediating The CRC 32 sshd1 Vulnerability
- By: Rebecca Sander (posted on October 31, 2003)
The purpose of this paper is to document the process I used to respond to the CRC32 sshd1 vulnerability.
Deterring Cyber Attacks
- By: Christy Bilardo (posted on October 31, 2003)
This paper provides a Strengths, Weaknesses, Opportunities and Threats [SWOT] Analysis to help you analyze three alternatives and recommend the best one to upper management.
The Coroners Toolkit - In depth
- By: Clarke L. Jeffris (posted on October 31, 2003)
This paper describes evidence gathering on a Unix system using 'The Coroners Toolkit' version 1.09, hereafter referred to as TCT.
Computer Forensics - We've Had an Incident, Who Do We Get to Investigate?
- By: Karen Ryder (posted on October 31, 2003)
So how does a manager (IT or not) decide how to investigate an incident? This paper's aim is to provide Australian managers with a basis to make this decision by providing an insight into computer forensics and evidence handling, and giving advantages and disadvantages for each option.
What You Don't See On Your Hard Drive
- By: Brian Kuepper (posted on October 31, 2003)
This paper will address the issues of retrieving data that has been deleted and of hidden access to and control of your computer, looking at the recent development of rootkits designed for Microsoft Windows operating systems.
Forgetting to Lock the Back Door: A Break-in Analysis on a Red Hat Linux 6.2 Machine
- By: Gary Belshaw (posted on October 31, 2003)
This document is intended to highlight the steps taken in ascertaining the level of damage done in a network break-in (or hack attack) on our system, and the steps taken in rectifying the damage.
Protecting Against Insider Attacks
- By: Brad Ruppert (posted on )
This paper covers key factors in enhancing internal security controls and protecting a company from internal attacks. Often the greatest damage can be done by someone already inside these defenses. It is imperative that companies implement internal controls to monitor, detect, and restrict access to sensitive resources to only those individuals that require it to perform their specific job function. The goal of this paper will be to identify high risk areas commonly neglected and to provide some best practice tips to enhance internal security controls.