Forensic Response and Investigation - Business Plan Example

Summary
This paper "Forensic Response and Investigation Plan" proposes a plan for an Aspen Company with intellectual property distributed across multiple locations in the US and Latin America. There have been few small scale hacking attacks alike reconnaissance efforts for a larger-scale attack…
Extract of sample "Forensic Response and Investigation"

Forensic Response and Investigation Plan

Table of Contents
1.0 Introduction
2.0 Forensic Response and Investigation Plan
2.1 Determining the Nature of the Attack
2.1.1 Forensic Investigative Response Approach
2.2.2 Business Continuity
2.1.3 Priority Classification
2.2 Evidence Handling and Documentation
3.0 Coordination Plan
4.0 Metrics
References

1.0 Introduction

For the past decade, computer systems have increased in capacity and speed. With this change, network communication has grown and improved, allowing computers to communicate with each other easily from remote locations. This has added opportunities for illegal activities in which data can be destroyed or changed maliciously, or the systems of an organization made to malfunction (Anson, Bunting, Johnson & Pearson, 2012). However, one of the biggest problems most organizations face today is controlling the security of their network. Network security is defined as the act of protecting a network and its services from disclosure, destruction, or unauthorized access. To ensure the security of the network and of the information on it, an organization has to have a response and investigation plan. There are many reasons why an organization should use a response and investigation plan. According to Vacca and Rudolph (2011), a response and investigation plan offers solutions for how hacking/intrusion attacks can be handled by the organization, reducing damage and loss. This in turn builds confidence with the shareholders and helps cut the losses that result from hacking. With that in mind, this paper intends to provide a response and investigation plan for Aspen Company, a large manufacturing company with extensive intellectual property distributed across multiple locations in the United States and Latin America.
There have been several recent small-scale hacking/intrusion attacks that appear to be reconnaissance efforts for a larger-scale attack. Recently, the company faced an attack which affected its customer and shareholder data.

2.0 Forensic Response and Investigation Plan

Hacking/intrusion attacks are not an issue that is going to go away anytime soon. As the internet grows and more users come online, hackers and intruders want access to personal data or an organization's confidential information (Anson, Bunting, Johnson & Pearson, 2012). This means that Aspen Company has to be able to detect any act of hacking/intrusion carried out on its systems. To do so, there has to be a forensic response and investigation plan. The plan described in this section documents the procedures Aspen Company followed after its hacking/intrusion attack. It covers two areas: determining the nature of the attack, and evidence handling and documentation.

2.1 Determining the Nature of the Attack

The first step after a hacking/intrusion attack occurred in Aspen Company was to determine the nature of the attack. The main objectives of this step were to:
  • Determine the number and location of the affected resources
  • Determine the degree of damage to shareholders, customers, and Aspen Company's resources
  • Segregate the affected resources from Aspen Company's production and distribution network
  • Identify and detach the affected users from Aspen Company's network
  • Document all evidence and processes for the law enforcement officials

Identifying the occurrence of hacking/intrusion attacks, even though it is an IT-related issue, cannot always be the sole obligation of the network and administration staff (Carvey, 2009). For instance, an electronic embezzling scheme would need to be identified by the financial staff.
This means that the identification of the attack should be carried out by the head of the department before being forwarded to the forensic response and investigation team. Additionally, systems and processes will need to be in place to help pinpoint a hacking/intrusion attack. In this plan, the organization has to use a Windows 2000 network. This means that Aspen Company has to use a central file viewer, detailed knowledge of the Windows Registry, the central encryption authority, and intrusion detection software (Gogolin, 2012). However, these are just the tools for detection, and they will be analyzed in the forensic tools and intrusion detection section. What will determine whether a hacking/intrusion attack has occurred in Aspen Company can be summarized in a single word: documentation. The network and system administrators in materials requirements planning, distribution, finance, and intellectual property/document management should document the normal state and use of their network: what should be running, for how long, where, accessed by whom, and why. This benchmark is very important in determining a hacking/intrusion attack, particularly when an internal or external criminal is making unlawful use of Aspen Company's resources or is accessing data that he/she should not be accessing. With this information, it is fairly simple for the forensic response and investigation team to determine whether a hacking/intrusion attack has occurred, what resources have been affected, and who is responsible. This is good news for Aspen Company and the law enforcement officials. Once the source of the attack has been determined, the network administrators have to sit down with Aspen Company's senior management and the corporate counsel to determine the best procedure to be used for tracking the hacker or intruder (Gogolin, 2012).
They also have to determine the exposure, determine the corporate damage, inform the shareholders and the clients, and maintain network uptime while isolating the affected users and resources for investigation. The main goal here is to give the forensic response and investigation team all the information and tools needed to conduct an investigation. This information also has to be given to the law enforcement officials. However, when providing this information to law enforcement, Aspen Company has to protect its network, its shareholders, and its customers. This means that there will be additional backup resources; on the hardware side, this means more use of mirrored hardware resources.

2.1.1 Forensic Investigative Response Approach

During the process of forensic response and investigation, an electronic forensic toolkit will be required. The toolkit will include the following:
  • Hard drive partition tools: these tools not only allow the booting of virtually any computer off its base floppy, but can also identify any operating system file partition.
  • ZIP and CD-R disc utilities: creating these discs is the task of specialized software, which has to be in the toolkit for full access to the discs.
  • Text searching utilities: a number of applications designed to search large bodies of text data (email stores, documents, and data stores) for keywords and phrases.
  • File viewers: file viewers are faster and more efficient than tracking down the appropriate file application. A single image viewer can cross both OS and application boundaries.
  • Resource snapshot utilities: Fcheck is a file integrity checker used in hacking/intrusion detection. It allows the administrator to take snapshots of file systems or directories, which can later be used as benchmarks for comparison to detect tampering.
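The documentation benchmark called for in section 2.1 and the Fcheck-style snapshot comparison described above can be shown together. The following Python script is an added example, not part of the paper and not Fcheck's own code: it records size, permission bits, modification time and SHA-256 for every file under a directory, stores that as the benchmark, and reports what a later snapshot shows as added, removed or altered. The directory layout and file contents in demo() are constructed.

```python
"""Fcheck-style integrity benchmark: snapshot a directory tree, then compare a later
snapshot against the stored benchmark to find added, removed and altered files.
Added example; the paths and file contents used in demo() are constructed."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

HASH_CHUNK = 65536
# Fields compared between snapshots. mtime is recorded for context, but a same-size
# edit with the original timestamp restored is still caught by the SHA-256 digest.
COMPARED_FIELDS = ("sha256", "size", "mode", "mtime_ns")


def file_record(path):
    """Describe one file: size, permission bits, mtime and (regular files only) SHA-256."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "mtime_ns": st.st_mtime_ns}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(HASH_CHUNK), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec


def snapshot(root):
    """Walk root and return {relative_posix_path: record} in a deterministic order."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = Path(dirpath) / name
            snap[full.relative_to(root).as_posix()] = file_record(full)
    return snap


def save_baseline(snap, path):
    """Persist the benchmark as JSON (keep this file off the monitored tree)."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report paths added, removed, and modified (with the fields that differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [f for f in COMPARED_FIELDS if baseline[rel].get(f) != current[rel].get(f)]
        if diff:
            modified[rel] = diff
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed walkthrough: benchmark a small tree, alter it, diff against the benchmark."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "tree"
        (tree / "etc").mkdir(parents=True)
        (tree / "logs").mkdir()
        cfg = tree / "etc" / "config.ini"
        cfg.write_bytes(b"debug=0\n")
        (tree / "logs" / "audit.log").write_bytes(b"2015-04-10 user1 login ok\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(tree), baseline_file)

        # Alterations: a same-size content change with the original timestamp put back,
        # one log removed, and one unexpected file appearing.
        before = os.stat(cfg)
        cfg.write_bytes(b"debug=1\n")
        os.utime(cfg, ns=(before.st_atime_ns, before.st_mtime_ns))
        (tree / "logs" / "audit.log").unlink()
        (tree / "tmp").mkdir()
        (tree / "tmp" / "unknown.bin").write_bytes(b"\x00" * 16)

        return compare(load_baseline(baseline_file), snapshot(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The config change is reported on the digest alone because size, mode and timestamp were all left unchanged, which is why the benchmark must carry a hash and not only metadata.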
2.2.2 Business Continuity

The above tools were used for the small-scale attacks that Aspen Company is facing now. In order to ensure business continuity and avoid any further attack, Aspen Company has to adopt more advanced forensic tools such as a write blocker, EnCase, and the Ninja Forensic Imager for forensic response and investigation. By using a software write blocker, Aspen Company can identify the hacking attempt. This is software that sits between the genuine device driver for the disk and the operating system. It stops automatic writes to the disk by intercepting all disk access requests that go through the standard operating system interface (Solomon & Rudolph, 2011). In place of write blockers, a specialized imaging device and investigation machines could be employed. EnCase is software that contains pre-programmed scripts that can be run against an evidence file to automatically manage many elements of the investigation. HBGary Responder is a GUI memory dump review tool that carries out runtime and live memory analysis, employed mainly to find, detect and report on contemporary advanced threats to systems. It allows a responder to deconstruct and evaluate a memory dump without having to use the API of the affected or possibly compromised system (Carvey, 2009). The Ninja Forensic Imager is a top-quality, high-speed imager meant for hard disk drive backup. It can copy at about 2.4 gigabytes per minute and can skip HDD sectors impacted by the hacking. Among the data recovery applications available on the market to date, the Ninja has the best hard drive imagers (Gogolin, 2012). To prevent the theft of intellectual property data immediately after an acquisition, it is essential to ensure that all code and designs in Aspen Company are deleted from their computers.
The issue Aspen Company may face is that it deleted the stored data selectively, and that data was found widely across its IT landscape in an unstructured manner. To avoid a future attack on Aspen Company's intellectual property data, it is necessary to develop a forensic technique and to avoid technical flaws in the deletion software employed by the IT department. The system and network administrator should monitor all the systems owned by the business for any security lapses; he/she should act as a mediator both in receiving security lapse incident reports and in reporting the incident to the proper organization. He/she should document the entire episode of hacking and list the security incidents. He/she should also educate employees about security awareness within Aspen Company to stop such incidents from recurring. Through penetration testing and vulnerability evaluation, Aspen Company's support system is kept secure, mainly through periodic network auditing. He/she should be keen to learn about new attack incidents and the vulnerabilities used by attackers, and should research new software patches. He/she should also constantly evaluate and construct new technologies for avoiding security risks and vulnerabilities, and work on a continuous basis to update the present procedures and systems.

2.1.3 Priority Classification

It is vital for Aspen Company to be in a position to protect its systems and data from outside attacks. However, Aspen Company should also be able to determine the attack level through priority classification. The threat level will be determined at three levels: high impact, medium impact, and low impact. An attack classified as high impact would seriously affect Aspen Company's resources and shareholders' and customers' information.
The priority classification for the high impact level will be:
  • Involves critical computer systems
  • Unauthorized access to infrastructure services, sensitive information, or systems
  • Serious vulnerabilities exposed requiring prompt action
  • Extensive outbreak within Aspen Company
  • Disclosure of sensitive information

Medium impact level means that the attack will affect elements of Aspen Company and should be addressed as soon as possible. The priority classification for the medium impact level will be:
  • Hacking/intrusion attempt
  • Involves vital servers
  • Breaches of CT policies
  • Denial of Service attacks
  • User account compromise

Low impact level means that the attack will not immediately affect any elements of Aspen Company but indicates that some action is needed. The attack should be monitored in case the level changes. The priority classification for the low impact level will be:
  • Hoaxes
  • Unsuccessful intrusion attempts
  • Unsolicited e-mail
  • Network scans
  • Odd system behavior

Plans for the system included far-reaching redesign of Aspen Company. The processing system itself is to a great extent contained in the Launch Control Center. Equipment is divided into the Record and Playback Subsystem (RPS), the Central Data Subsystem (CDS), and the Checkout, Control, and Monitor Subsystem (CCMS). Small, task-dedicated computers are located in the four firing rooms of the Control Center and are the essential component of the CCMS.

The key forensic artifacts for Aspen Company will be TZWorks Sbag.exe, MUICache, and ACMru. These artifacts will help Aspen Company view the Registry key last write time, the embedded creation date/time, embedded access date/time and embedded modify date/time, the list of terms used in the "phrase or word in a file" search, and the list of terms used in the "for people or computer" search. This information is very important for attributing a security breach or catastrophic failure.
2.2 Evidence Handling and Documentation

Once the evidence of the hacking/intrusion attack has been identified and isolated, the network managers of Aspen Company should be the first in line of defense in the evidence-handling chain. Even though this process should be managed by law enforcement officials, in reality it will fall onto the network and system administrators of Aspen Company (Vacca & Rudolph, 2011), because their priority is to stabilize and protect the network of Aspen Company. This is best from the network manager's viewpoint, as law enforcement officials may impound compromised data and machines for off-site analysis, which would affect the productivity and performance of Aspen Company. There should be proper documentation. The forensic response and investigation team should err on the side of too much, and use as much computerized documentation as possible. The affected resources and data will require brand names, serial numbers, MAC addresses, model numbers, and any other similar data. This data can be obtained from the management database of Aspen Company. In addition, proper network documentation will provide domain names, IP addresses, drive paths, resource permissions and more. This information should be used and appended to the investigative documentation. Additionally, the evidence collected should be authenticated with signatures and digital time stamps. The rest of the documentation should include all the investigative actions, the reasons behind these actions, the method used for investigation, and where and when everything took place.

3.0 Coordination Plan

As said earlier, in order for the response and investigation plan to be fully functional, it will have a response and investigation team of specialists. These people should include a team leader, legal representatives, support members, IT contacts, public relations representatives, and management representatives.
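Section 2.2 above asks that collected evidence be authenticated with signatures and digital time stamps and that each item's identifying data be recorded. The following Python class is an added example, not part of the paper: every chain-of-custody entry carries the item's brand/model/serial/MAC data, a time stamp, the SHA-256 of the evidence, the hash of the previous entry and an HMAC signature under the team's key, so a later edit to any entry is caught by verify(). The signing key, device details and image bytes in demo() are placeholders and constructed values.

```python
"""Tamper-evident chain-of-custody log: each entry is time-stamped, records the SHA-256
of the evidence it describes, links to the previous entry by hash (a hash chain) and is
signed with an HMAC under the response team's key. Added example; details are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


def _canonical(body):
    """Stable byte encoding of an entry body so hashes and signatures are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    def __init__(self, signing_key):
        self._key = signing_key
        self.entries = []

    def add(self, item, action, custodian, evidence_bytes=None, when=None):
        """Append a signed entry. item is a dict of brand, model, serial, MAC and similar data."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries) + 1,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "item": item,
            "action": action,
            "custodian": custodian,
            "evidence_sha256": (hashlib.sha256(evidence_bytes).hexdigest()
                                if evidence_bytes is not None else None),
            "prev_hash": prev,
        }
        data = _canonical(body)
        entry = dict(body,
                     entry_hash=hashlib.sha256(data).hexdigest(),
                     signature=hmac.new(self._key, data, hashlib.sha256).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of the first bad entry)."""
        prev = GENESIS_HASH
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k not in ("entry_hash", "signature")}
            data = _canonical(body)
            expected_sig = hmac.new(self._key, data, hashlib.sha256).hexdigest()
            if (entry["prev_hash"] != prev
                    or hashlib.sha256(data).hexdigest() != entry["entry_hash"]
                    or not hmac.compare_digest(expected_sig, entry["signature"])):
                return False, entry["seq"]
            prev = entry["entry_hash"]
        return True, None


def demo():
    """Constructed walkthrough: two custody entries, then an after-the-fact edit of entry 1."""
    log = CustodyLog(signing_key=b"PLACEHOLDER-team-signing-key")  # placeholder, not a real key
    workstation = {"brand": "ExampleCo", "model": "WS-100", "serial": "SN-000001",
                   "mac": "00:11:22:33:44:55"}  # constructed sample values
    image = b"constructed disk image bytes"
    t0 = datetime(2015, 4, 10, 14, 32, tzinfo=timezone.utc)
    log.add(workstation, "acquired disk image", "sysadmin A", image, when=t0)
    log.add(workstation, "transferred to forensic team", "investigator B",
            image, when=t0.replace(hour=16))
    intact = log.verify()
    log.entries[0]["custodian"] = "someone else"  # simulate an unauthorised later edit
    return {"intact": intact, "after_edit": log.verify()}


if __name__ == "__main__":
    print(demo())
```

Anyone holding only the entries but not the key can still check the hash chain; the HMAC additionally ties each entry to the team that wrote it.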
The team leader is required because he/she is in charge of how the response and investigation team handles a crisis. Legal representatives are also important since Aspen Company handles personal user data. The IT contacts are important because they are the team that is going to respond to the hacking incident. After a hacking/intrusion attack has been detected, the supervisors should be notified immediately. After the notification, the response and investigation plan described above should be put into action. This communication should take place verbally, and the documentation will come later, since the problem is of a time-sensitive nature. The faster the response and investigation plan is put into action, the faster the hacking/intrusion attack is dealt with, resulting in less damage to Aspen Company. All the supervisors up the chain in Aspen Company should be notified verbally of the nature of the hacking/intrusion attack. This will help them monitor their areas and at the same time be aware of the situation at hand before the news spreads. However, if the hacking/intrusion attack continues as a result of one person's continued activity, whether accidental or innocent, the internal stakeholder in Aspen Company should be notified in person immediately. This will help prevent any further loss of information. After the hacking/intrusion attack has been stopped and an action review has been conducted, any personnel in Aspen Company in a critical position to stop the same hacking/intrusion attack from occurring again should be informed of the attack's nature. He/she should also be informed of the determined procedures that are to be followed. An internal memo can suffice to begin with if several people are involved. However, the memo should be followed up by more details concerning the new security procedures. This can occur during Aspen Company's in-person security training session.
Notably, this should take place immediately after setting the new procedures. Personnel in less critical positions in Aspen Company should be informed of the new security measures either through an internal memo or through ongoing training. However, this will depend on the security measures put forward and the nature of the hacking/intrusion attack. Lastly, all the internal stakeholders of Aspen Company should be informed of the nature of the hacking/intrusion attack, the damage caused by the attack, and the ongoing security measures being implemented so as to ensure that the attack does not happen again. This can be done through an internal memo, but the security training should be ongoing. Aspen Company has an obligation to notify the victims of the hacking/intrusion attack. However, this will depend on three factors: the nature of the information affected, the state in which the victim lives, and the likelihood of harm to either internal or external stakeholders (Vacca & Rudolph, 2011). In almost all states in the United States and Latin America, the law requires organizations to notify all victims involved in a data security breach. The method of notification can be a telephone call, a written letter, or an email. The method used will depend on the state in which the victim lives. Nonetheless, all of these methods must include the information that has to be disclosed.

4.0 Metrics

The hacking/intrusion attack on Aspen Company occurred through an attack via a VPN tunnel. Attacking through a VPN tunnel is a technique used to avoid firewalls: the hacker was going through a VPN tunnel whose contents Aspen Company's firewall did not inspect. The firewall of Aspen Company did not see the attack because the hacker was passing through it transparently.
In handling this type of attack, Aspen Company:
  • Improved their security access and security policies through the use of a strong user interface
  • Introduced host identity verification
  • Introduced keystroke logger detection
  • Introduced host security posture validation
  • Provided user education and security awareness

References

Anson, S., Bunting, S., Johnson, R., & Pearson, S. (2012). Mastering Windows network forensics and investigation. Hoboken, NJ: Wiley.
Carvey, H. (2009). Windows forensic analysis DVD toolkit. USA: Syngress.
Gogolin, G. (2012). Digital forensics explained. USA: CRC Press.
Solomon, M. G., & Rudolph, K. (2011). Computer forensics jumpstart. New York: John Wiley & Sons.
Vacca, J., & Rudolph, K. (2011). System forensics, investigation, and response. Sudbury, MA: Jones & Bartlett Learning.
Source: Forensically investigating a security breach while balancing the need Research Paper. Retrieved from https://studentshare.org/information-technology/1682801-forensically-investigating-a-security-breach-while-balancing-the-need-for-business-continuity-and-rapid-return-to-normalcy-within-the-organization
