SANS InfoSec Reading Room - Incident Handling

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring 83 papers as of May 26, 2013
PDF Event Monitoring and Incident Response
By: Ryan Boyle (posted on May 15, 2013)
System security policies can still have security holes after implementation and may even introduce unintended consequences.
PDF Using IOC (Indicators of Compromise) in Malware Forensics
By: Hun-Ya Lock (posted on April 22, 2013)
In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.
PDF Track 3 - Intrusion Detection In-Depth GIAC Certified Intrusion Analyst (GCIA) Practical Assignment Version 4.0
By: Jan Stodola (posted on October 19, 2012)
PDF InfiniBand Fabric and Userland Attacks
By: Aron Warren (posted on October 18, 2012)
InfiniBand™ is not a word used much in the hacking community. It is much like the phrase "Apple exploits" was to "Windows exploits" about 5 years ago or so.
PDF Incident Handling in the Healthcare Cloud: Liquid Data and the Need for Adaptive Patient Consent Management
By: Barbara Filkins (posted on October 18, 2012)
The increasing use of electronic health record (EHR) systems, health information exchange (HIE) networks, and cloud computing significantly increases the exposure of sensitive medical information to loss of confidentiality, integrity, and availability due to data-related attacks, such as medical identity theft or insider threats (Ponemon Institute, 2011).
PDF Shedding Light on Security Incidents Using Network Flows
By: Kevin Gennuso (posted on May 16, 2012)
Incident handlers, and information security teams in general, face significant challenges when dealing with incidents in modern networks.
PDF Incident Handler's Handbook
By: Patrick Kral (posted on February 21, 2012)
An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.
PDF Quick and Effective Windows System Baselining and Comparative Analysis for Troubleshooting and Incident Response
By: Kevin Fuller (posted on February 14, 2012)
What is a baseline? The primary definition of baseline is that it is a line that is a basis of measurement (Farlex Inc, 2011).
PDF Computer Forensic Timeline Analysis with Tapestry
By: Derek Edwards (posted on November 29, 2011)
One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.
PDF Identifying Malicious Code Infections Out of Network
By: Ken Dunham (posted on August 29, 2011)
Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature an understanding of a malicious attack that may have taken place on a computer.
PDF Responding to Zero Day Threats
By: Adam Kliarsky (posted on July 20, 2011)
The internet has become a pervasive threat vector to organizations of all sizes. As new technologies are adopted to keep pace with business trends, surreptitious sources lurk in the shadows to exploit the weaknesses exposed. Sophisticated, targeted attacks such as Aurora, APT, Stuxnet, and Night Dragon have been making headlines, with goals of monetary gain and intellectual property theft.
PDF Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools
By: Jonny Sweeny (posted on June 28, 2011)
When an information security analyst is investigating incidents, he or she needs to have an organized set of tools.
PDF Wireless Networks and the Windows Registry - Just where has your computer been?
By: Jonathan Risto (posted on May 6, 2011)
The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.
PDF Following Incidents into the Cloud
By: Jeff Reed (posted on March 1, 2011)
The availability and use of cloud computing continues to grow. Discussions of and references to its benefits and issues grow at a similar pace. As it continues to move from a sort of ‘SOA of the Wild West’ into the mainstream, more companies will face the myriad questions arising from its use. When, why, where and how should integration with the cloud occur? How can one be certain that a cloud provider will survive through an organization’s technology integration lifecycle?
PDF Wireless Mobile Security
By: Erik Couture (posted on December 3, 2010)
Mobile Security: Current threats and emerging protective measures
PDF Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis
By: T.J. OConnor (posted on September 13, 2010)
Forensics tools exist in abundance on the Web. Want to find a tool to dump the Windows SAM database out of volatile memory? Google and you will quickly find out that it exists. Want to mount and examine the contents of an iPhone backup? A tool exists to solve that problem as well. But what happens when a tool does not already exist? Anyone who has recently performed a forensic investigation knows that you are often left with a sense of frustration, knowing data existed if only you had a tool that could access it.
PDF Integrating Forensic Investigation Methodology into eDiscovery
By: Colin Chisholm (posted on September 8, 2010)
The intent of this paper is twofold; to provide a primer on the eDiscovery process for forensic analysts and to provide guidance on the application of forensic investigative methodology to said process. Even though security practitioners such as forensic analysts operate in the legal vertical, they necessarily view and approach eDiscovery from a different perspective than legal professionals. This paper proposes that both parties can benefit when they integrate their processes; forensic tools and techniques have been used in the collection, analysis and presentation of evidence in the legal system for years. The history, and precedent, of applying forensic science to the legal process can be leveraged into the eDiscovery process. This paper will also detail how the scope and work for a forensic investigator during the eDiscovery process differs from a typical forensic investigation.
PDF Orion Incident Response Live CD
By: John Jarocki (posted on May 7, 2010)
There are many frameworks for incident handling, including the Security Incident Handling Guide from the National Institute of Standards and Technology (NIST) (Scarfone, Grance, & Masone, 2008), (Mandia, Prosise, & Pepe, 2003), and the SANS six-step handling process (Skoudis, 2009). Carnegie-Mellon's Software Engineering Institute even provided a study of these and more along with a framework for creating an incident management process tuned for a specific organization (Albert, Dorofee, Killcrece, & Zajicek, 2004). Tools for incident handling and response also exist, but responder tool kits are often built by collecting important tools one at a time until the expert incident handler has a custom set. This makes it difficult to bring in less-experienced incident response team members, and it creates challenges for collaboration during the incident as well as consistent collection and storage of evidence. Some Incident Response environments do exist, but they primarily focus on the analysis process, and do not provide a communication and collaboration framework. Nor do they usually provide a workflow-based environment.
PDF Scareware Traversing the World via a Web App Exploit
By: Mark Hillick (posted on April 19, 2010)
This paper will discuss the reasons behind this attack but more importantly, through following the six phases of Incident Handling in the SANS GCIH 504 course, it will provide direction on how such an incident should be handled from both the web-application side and the desktop perspective. This description will highlight how the attack was constructed with great precision and with greater control, resiliency and reliability than many top legitimate companies when they implement their IT solutions.
PDF Incident Handling as a Service
By: Michel Lundell (posted on March 1, 2010)
This paper is about providing an incident handling service to companies that focus on their primary business and have limited resources to have an in-house IT security organization.
PDF Winquisitor: Windows Information Gathering Tool
By: Michael Cardosa (posted on January 19, 2010)
Winquisitor is a tool that facilitates the timely retrieval of information from multiple Windows systems enabling the administrator to respond in an appropriate amount of time. Unlike other command line tools, Winquisitor allows multiple types of queries in a single command with several output formats.
PDF Preventing Incidents with a Hardened Web Browser
By: Chris Crowley (posted on December 15, 2009)
There is substantial industry documentation on web browser security because the web browser is currently a frequently used vector of attack. This paper investigates current literature discussing the threats present in today's environment.
PDF Cisco Security Agent and Incident Handling
By: Greg Farnham (posted on October 1, 2009)
An implementation of Cisco Security Agent (CSA) is analyzed and impacts to the incident handling process are identified. In addition, guidance is provided to configure CSA to support the incident handling process.
PDF Simple Windows Batch Scripting for Intrusion Discovery
By: Tim Proffitt (posted on September 29, 2009)
Common free tools and automatic batch scripting that can be used to identify an intrusion on a Windows operating system.
PDF Mitigating Insider Sabotage
By: Joseph Garcia (posted on September 28, 2009)
How failing to create an effective termination policy and deploy correct user access controls to deter insider threats can be costly.
PDF Security Incident Handling in High Availability Environments
By: Algis Kibirkstis (posted on September 15, 2009)
SANS Whitepaper discussing a security incident handling process for high-availability systems.
PDF Investigative Tree Models
By: Rodney Caudle (posted on September 15, 2009)
Investigative tree models provide a structured approach to incident handling during incident response. This SANS whitepaper explores definable, reproducible structures to be created facilitating controlled cost exposure during an incident response cycle.
PDF Protecting Against Insider Attacks
By: Brad Ruppert (posted on August 10, 2009)
Key factors in enhancing internal security controls and protecting a company from internal attacks. Often the greatest damage can be done by someone already inside these defenses. It is imperative that companies implement internal controls to monitor, detect, and prevent access to sensitive resources to only those individuals that require it to perform their specific job function. The goal of this paper will be to identify high risk areas commonly neglected and to provide some best practice tips to enhance internal security controls.
PDF Incident Handlers Guide to SQL Injection Worms
By: Justin Folkerts (posted on June 18, 2009)
This paper seeks to demystify an innovative type of attack known as a SQL Injection Worm.
PDF Virtual Rapid Response Systems
By: Chris Mohan (posted on June 11, 2009)
This paper aims to provide organizations with a quick and effective response to IT security breaches at remote locations with a virtual response platform.
PDF The SirEG Toolkit
By: François Bégin (posted on April 23, 2009)
This paper provides the reader an overview of the SirEG Toolkit, then discusses the type of data it captures on a suspicious host and more importantly, how that data is captured.
PDF A Guide to Encrypted Storage Incident Handling
By: Wylie Shanks (posted on April 9, 2009)
Encrypted storage solutions provide confidentiality of data; however, they have also created a need for effective incident response. Privacy legislation and regulatory compliance mandates are increasingly driving encrypted storage solution deployments. This document provides incident handlers with a few tools and processes in order to respond effectively to incidents involving encrypted storage solutions.
PDF Security Incident Handling in Small Organizations
By: Glenn Kennedy (posted on December 16, 2008)
PDF Intrusion Detection Likelihood: A Risk-Based Approach
By: Blake Hartstein (posted on November 5, 2008)
The goal of this paper is to highlight the useful aspects of Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS).
PDF Tips for Making Security Intelligence More Useful
By: Mason Pokladnik (posted on October 9, 2008)
PDF Expanding Response: Deeper Analysis for Incident Handlers
By: Russ McRee (posted on October 9, 2008)
Most incident handlers likely have a toolkit they’re fond of that, in all probability, contains tools most handlers are familiar with. It is the intent of this paper to expand common horizons and discuss tools that may not readily appear in a typical toolkit.
PDF An approach to the ultimate in-depth security event management framework
By: Nicolas Pachis (posted on June 23, 2008)
PDF Mining gold... A primer on incident handling and response
By: Stacy Jordan (posted on June 23, 2008)
PDF Creating and Maintaining Policies for Working with Law Enforcement
By: Tim Proffitt (posted on May 21, 2008)
PDF Incident Handling for SMEs (Small to Medium Enterprises)
By: Terry Morreale (posted on May 20, 2008)
PDF Breach Notification in Incident Handling
By: Jeffery Buffington (posted on March 4, 2008)
PDF Espionage - Utilizing Web 2.0, SSH Tunneling and a Trusted Insider
By: Ahmed Abdel-Aziz (posted on February 11, 2008)
Since the threat trend is moving from a large number of unfocused attacks to fewer, highly targeted and financially motivated attacks [Kinghorn 2007], espionage security incidents are naturally expected to be on the rise. Through this technical report, I hope to demonstrate to the readers an example of how social networking sites that are becoming ever more popular can aid an attacker [Walls 2007], especially in the reconnaissance and exploit stages of the attack. It also highlights the danger of the improper use of the SSH reverse tunneling technique, and how important it is to have a security policy that users are aware of and follow.
PDF Baselines and Incident Handling
By: Chris Christianson (posted on January 29, 2008)
Preparation is an important part of the incident handling process (SANS, n.d.); it is the only part of the process that an incident handler can do ahead of time. Preparing well can help an incident handler to identify and respond to an incident more quickly. It can also help him or her to be more efficient throughout the entire incident handling process.
PDF Documentation is to Incident Response as an Air Tank is to Scuba Diving
By: Chet Langin (posted on December 11, 2007)
PDF Multi-Tool DVD Sets: An important addition to the Incident Handler/ Pen Tester's toolkit
By: Jamal Bandukwala (posted on November 20, 2007)
PDF Creating and Managing an Incident Response Team for a Large Company
By: Timothy Proffitt (posted on July 18, 2007)
Using good communication skills, clear policies, professional team members and utilizing training opportunities, a company can run a successful incident response team.
PDF An Incident Handling Process for Small and Medium Businesses
By: Mason Pokladnik (posted on June 18, 2007)
This paper's intention is to assist you in getting an incident response capability off the ground in a SMB environment by analyzing some of the constraints of a smaller corporate environment.
PDF International Cybercrime Treaty: Looking Beyond Ratification
By: Daniel Robel (posted on March 28, 2007)
For the purposes of this paper, a global incident can be defined as an incident involving the computers, network, or assets of more than one nation-state. An incident implies harm or the attempt to harm. The term incident refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.
PDF Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics
By: RickyD Smith (posted on February 9, 2007)
One of the first steps that an incident handler takes for a potential computer incident is verifying that an incident has actually occurred. As part of the verification process, the incident handler will need to examine the system looking for the evidence of the incident.
PDF Secure File Deletion: Fact or Fiction?
By: John R. Mallery (posted on January 18, 2007)
This paper will deal with how and where some of these files are created and how to securely remove them from a system.
PDF Malware 101 - Viruses
By: Aman Hardikar (posted on June 15, 2006)
PDF Incident Management 101 Preparation & Initial Response (aka Identification)
By: Robin Dickerson (posted on January 17, 2005)
According to SANS, there are six steps involved in properly handling a computer incident: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Incident Management 101 provides guidelines, procedures, and tools designed to assist security specialists with the first two phases of Incident Management Preparation and Initial Response (aka Identification phase).
PDF Reporting Incidents to an ISP with BlackICE ClearICE Report Utility and the Importance of Submitting Firewall Logs to the Dshield.org Project
By: Victor Arnaud (posted on March 9, 2004)
This practical has two objectives: guide users of BlackICE to report incidents to their ISPs (using ClearICE Report Utility) and show users the importance of submitting firewall logs to the dshield.org project.
PDF Implementing a Computer Incident Response Team in a Smaller, Limited Resource Organizational Setting
By: Mary Hall (posted on October 31, 2003)
Development and implementation of a Computer Incident Response Team is a major undertaking in any organization.
PDF Windows Responders Guide
By: Koon Yaw Tan (posted on October 31, 2003)
This paper provides a first responder guide to handling incidents occurring on a Windows platform system.
PDF Building an Incident Response Program To Suit Your Business
By: Tia R. Osborne (posted on October 31, 2003)
The purpose of this paper is to outline the key concepts of an Incident Response Program (IRP).
PDF Developing a Computer Forensics Team
By: Christine Vecchio-Flaim (posted on October 31, 2003)
Efforts to establish sound information assurance programs are rapidly evolving due to increased connectivity, enhanced technology, and the continuous introduction of operating and application systems software.
PDF Proposed Conceptual Tools for Managing Cost and Complexity When Securing Networks
By: Kathleen E. Howard (posted on October 31, 2003)
This paper will describe the cost and complexity issues facing security professionals, outline the desired outcome in facing these issues, and finally will suggest initial proposals for reaching those goals.
PDF Identify Intrusions with Microsoft Proxy Server, Web Proxy Service and WinSock Proxy Service Log Fil
By: Saundra Coward (posted on October 31, 2003)
This paper provides a guide on how to identify intrusions using Microsoft's Proxy Server log files.
PDF Nailing the Intruder
By: Vinay Narayan Disley (posted on October 31, 2003)
This paper is an attempt to link the various aspects of evidence relating to computer crime, the sources of such evidence and some tips on how to identify systems compromised and cull out evidence from the same.
PDF Reporting Unauthorized Intrusions: A "How To" Guide
By: Melton J. Roland (posted on October 31, 2003)
This paper provides a "how to" guide for reporting unauthorized intrusions.
PDF The Enemy Within: The Role of the Security Administrator in Apprehending and Terminating the Malicio
By: Robin Stuart (posted on October 31, 2003)
The following information is set forth to generally describe the tools available to security administrators to facilitate the apprehension and participate in the resolution of internal threats to your organization's sensitive or restricted resources.
PDF Successful Partnerships for Fighting Computer Crime
By: Beth Binde (posted on October 31, 2003)
Given the wide range of possible criminal activities in the high technology arena, computer security officers need to be prepared to respond to computing incidents that are not only against the local acceptable use policy for computers and networks, but also violate federal, state or local statutes.
PDF Information Security: Handling Compromises
By: Craig L. Bowser (posted on October 31, 2003)
While the corporate sector may not be guarding national secrets, they are protecting valuable information such as trade secrets, financial documents and personal information.
PDF Collection and Dissemination of Computer and Internet Security Related Information
By: Scott Fox (posted on October 31, 2003)
Ongoing advances in technology and the growth of the Internet are introducing not only an increase in the number of vulnerabilities being found, but also an increase in the complexity of system administration, incident handling and forensic analysis work.
PDF Adventures in Computer Forensics
By: Diana J. Michaud (posted on October 31, 2003)
Computer forensics is one piece to the investigative puzzle.
PDF CodeRed II: Incident Handling Process and Procedures
By: Michael Goodwin (posted on October 31, 2003)
This paper uses the CodeRed II virus as a template to generate questions to help you better prepare for the next virus outbreak.
PDF Building a Low Cost Forensics Workstation
By: Matthew McMillon (posted on October 31, 2003)
This paper will outline the fundamentals of computer forensic investigation and then, based on these essentials, create requirements for a low cost forensics workstation for use in electronic investigations.
PDF Investigating an Internal Case of Internet Abuse
By: Mal Wright (posted on October 31, 2003)
I was recently required to investigate an incident of Internet abuse and this essay describes the detection, investigation and various tools used to collect the evidence.
PDF Computer Incident Response Team
By: Michelle Borodkin (posted on October 31, 2003)
This paper is designed to answer the big questions about Computer Incident Response Teams including: What is a CIRT? Who should be on a CIRT and what function will they serve? And, What steps need to be taken to implement a CIRT?
PDF Incident Response and Creating the CSIRT in Corporate America
By: Chris Thompson (posted on October 31, 2003)
The purpose of this document is to discuss implementing a formal incident response organization.
PDF An Overview of Disk Imaging Tool in Computer Forensics
By: Madihah Mohd Saudi (posted on October 31, 2003)
The objective of this paper is to educate users on disk imaging tools, the issues that arise in using disk imaging, recommended solutions to these issues, and examples of disk imaging tools.
PDF Combating Computer Crime
By: Jason Upchurch (posted on October 31, 2003)
Computer crime and computer related crimes are growing areas of concern for both law enforcement and businesses alike.
PDF Corporate Incident Handling Guidelines
By: David Theunissen (posted on October 31, 2003)
If you are a large multinational corporation without a large security function, this paper will help you approach some of the common problems in preparing incident handling procedures.
PDF From Events to Incidents
By: Charles Pham (posted on October 31, 2003)
This paper is an attempt at clarifying "events" and "incidents" for training purposes so that effective filtering can be applied when it comes to reporting an incident.
PDF Computer Forensics: Introduction to Incident Response and Investigation of Windows NT/2000
By: Norman Haase (posted on October 31, 2003)
The purpose of this paper is to be an introduction to computer forensics.
PDF Computer Forensic Legal Standards and Equipment
By: Damian Tsoutsouris (posted on October 31, 2003)
Computer Incident Response Teams (CIRTs), network security, and intellectual property (IP) security are growing in importance and are becoming many companies' top priority in this age of increased security-conscious commerce.
PDF One Incident Of Remediating The CRC 32 sshd1 Vulnerability
By: Rebecca Sander (posted on October 31, 2003)
The purpose of this paper is to document the process I used to respond to the CRC32 sshd1 vulnerability.
PDF Deterring Cyber Attacks
By: Christy Bilardo (posted on October 31, 2003)
This paper provides a Strengths, Weaknesses, Opportunities and Threats [SWOT] Analysis to help you analyze three alternatives and recommend the best one to upper management.
PDF The Coroners Toolkit - In depth
By: Clarke L. Jeffris (posted on October 31, 2003)
This paper describes evidence gathering on a Unix system using 'The Coroners Toolkit' version 1.09, hereafter referred to as TCT.
PDF Computer Forensics - We've Had an Incident, Who Do We Get to Investigate?
By: Karen Ryder (posted on October 31, 2003)
So how does a manager (IT or not) decide how to investigate an incident? This paper's aim is to provide Australian managers with a basis to make this decision by providing an insight into computer forensics and evidence handling, and giving advantages and disadvantages for each option.
PDF What You Don't See On Your Hard Drive
By: Brian Kuepper (posted on October 31, 2003)
This paper will address the issue of retrieving data that has been deleted and hidden access and control of your computer, looking at the recent development of rootkits designed for Microsoft Windows operating systems.
PDF Forgetting to Lock the Back Door: A Break-in Analysis on a Red Hat Linux 6.2 Machine
By: Gary Belshaw (posted on October 31, 2003)
This document is intended to highlight the steps taken in ascertaining the level of damage done in a network break-in (or hack attack) on our system, and the steps taken in rectifying the damage.