NIST Computer Security Incident Handling Scenarios

Questions

  1. What measures should be in place to prevent this incident from occurring, or to limit its impact?
  2. What precursors or indicators of the incident should have been detected? Would any of them have caused the group to take action before the incident occurred?
  3. How would the incident response team validate the incident?
  4. Which people or groups would the incident response team notify about this incident?
  5. What can be done to prevent such incidents from occurring again in the future?

Scenarios

Based on the NIST Computer Security Incident Handling Guide (Special Publication 800-61).

1) Domain Name System (DNS) Server Denial of Service (DoS)

On a Saturday afternoon, external users start having problems accessing the organization’s public websites. Over the next hour, the problem worsens to the point where nearly every access attempt fails. Meanwhile, a member of the organization’s networking staff responds to alerts from an Internet border router and determines that the organization’s Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both of the organization’s public DNS servers. Analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. Also, all the DNS requests from that address come from the same source port.
The following are additional questions for this scenario:

  1. Whom should the organization contact regarding the external IP address in question?
  2. Suppose that after the initial containment measures were put in place, the network administrators detected that nine internal hosts were also attempting the same unusual requests to the DNS server. How would that affect the handling of this incident?
  3. Suppose that two of the nine internal hosts disconnected from the network before their system owners were identified. How would the system owners be identified?

2) Stolen Documents

On a Monday morning, the organization’s legal department receives a call from the Federal Bureau of Investigation (FBI) regarding some suspicious activity involving the organization’s systems. Later that day, an FBI agent meets with members of management and the legal department to discuss the activity. The FBI has been investigating activity involving public posting of sensitive government documents, and some of the documents reportedly belong to the organization. The agent asks for the organization’s assistance, and management asks for the incident response team’s assistance in acquiring the necessary evidence to determine if these documents are legitimate or not and how they might have been leaked.
The following are additional questions for this scenario:

  1. From what sources might the incident response team gather evidence?
  2. What would the team do to keep the investigation confidential?
  3. How would the handling of this incident change if the team identified an internal host responsible for the leaks?
  4. How would the handling of this incident change if the team found a rootkit installed on the internal host responsible for the leaks?

3) Compromised Database Server

On a Tuesday night, a database administrator performs some off-hours maintenance on several production database servers. The administrator notices some unfamiliar and unusual directory names on one of the servers. After reviewing the directory listings and viewing some of the files, the administrator concludes that the server has been attacked and calls the incident response team for assistance. The team’s investigation determines that the attacker successfully gained root access to the server six weeks ago.
The following are additional questions for this scenario:

  1. What sources might the team use to determine when the compromise had occurred?
  2. How would the handling of this incident change if the team found that the database server had been running a packet sniffer and capturing passwords from the network?
  3. How would the handling of this incident change if the team found that the server was running a process that would copy a database containing sensitive customer information (including personally identifiable information) each night and transfer it to an external address?
  4. How would the handling of this incident change if the team discovered a rootkit on the server?
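The first question above asks which sources date the compromise. A filesystem timeline is the usual starting point, and the example below (added here; it is not part of the NIST guide) shows how to read one. It consumes the Sleuth Kit bodyfile format that `fls -m` produces and `mactime` reads, with constructed entries standing in for the "unfamiliar directories" the administrator noticed; the paths, inode numbers and timestamps are hypothetical. It anchors on ctime rather than mtime, because `utimes()` lets an attacker rewrite mtime but ctime is set by the kernel on every inode change, and it flags files whose mtime was pushed back after they were written.

```python
"""Dating a compromise from a filesystem timeline (scenario 3, question 1)."""
from dataclasses import dataclass

# Constructed Sleuth Kit bodyfile lines (the format fls -m / mactime use):
# MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime.  Not from a real image.
BODYFILE = """\
0|/usr/bin/ls|1310|-rwxr-xr-x|0|0|142144|1699990000|1672531200|1680000000|0
0|/etc/passwd|2621|-rw-r--r--|0|0|2314|1699990000|1690000000|1690000000|0
0|/var/tmp/.cache/.x|5242|drwxr-xr-x|0|0|4096|1699990000|1696371200|1696371200|0
0|/var/tmp/.cache/.x/sniff|5243|-rwxr-xr-x|0|0|48210|1699990000|1546300800|1696371300|0
0|/var/tmp/.cache/.x/pw.log|5244|-rw-------|0|0|90211|1699999000|1699999000|1699999000|0
0|/etc/ld.so.preload|2700|-rw-r--r--|0|0|31|1699990000|1696371400|1696371400|0
"""

DAY = 86400


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    atime: int
    mtime: int
    ctime: int


def parse_bodyfile(text):
    """Keep the fields the timeline needs; MD5, inode, mode and crtime are dropped."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        entries.append(Entry(f[1], int(f[6]), int(f[7]), int(f[8]), int(f[9])))
    return entries


def under(entry, prefixes):
    """True if the entry is one of the prefixes or lies inside one of them."""
    return any(entry.path == p or entry.path.startswith(p.rstrip("/") + "/") for p in prefixes)


def earliest_suspect_change(entries, prefixes):
    """Path and ctime of the oldest attacker artefact.

    ctime is the anchor: utimes() rewrites atime and mtime, but ctime is set by
    the kernel on every inode change and cannot be pushed back without changing
    the system clock, a rootkit, or raw disk writes.
    """
    suspects = [e for e in entries if under(e, prefixes)]
    if not suspects:
        return None
    first = min(suspects, key=lambda e: e.ctime)
    return first.path, first.ctime


def timestomp_candidates(entries, prefixes, min_gap=DAY):
    """Paths whose mtime predates ctime by more than min_gap: the mtime was set
    backwards after the file was last written.  Run it over suspect paths only;
    package-managed files legitimately keep a build mtime and get an install ctime."""
    return [e.path for e in entries if under(e, prefixes) and e.ctime - e.mtime > min_gap]


def days_before(discovery_ts, ts):
    """How long before discovery (epoch seconds) the timestamp falls, in days."""
    return (discovery_ts - ts) / DAY


if __name__ == "__main__":
    entries = parse_bodyfile(BODYFILE)
    suspects = ["/var/tmp/.cache/.x", "/etc/ld.so.preload"]
    path, ctime = earliest_suspect_change(entries, suspects)
    age = days_before(1_700_000_000, ctime)   # 1_700_000_000 is the constructed discovery time
    print(f"first attacker change: {path} at {ctime}, {age:.0f} days before discovery")
    print("timestomped under suspect paths:", timestomp_candidates(entries, suspects))
    print("same check over everything (noisy):", timestomp_candidates(entries, ["/"]))
```

The earliest ctime under the suspect paths is a lower bound on dwell time, not the moment of initial access: the attacker may have been on the box before creating anything that survived. Corroborate it with sources the timeline cannot see, such as authentication logs, wtmp/btmp, shell histories, flow records for the server's address, and the backups from which the directory first appears. If a rootkit is later found (question 4), every timestamp read through the live kernel is suspect and the timeline must be rebuilt from an offline image.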

4) Unknown Exfiltration

On a Sunday night, one of the organization’s network intrusion detection sensors alerts on anomalous outbound network activity involving large file transfers. The intrusion analyst reviews the alerts; it appears that thousands of .RAR files are being copied from an internal host to an external host, and the external host is located in another country. The analyst contacts the incident response team so that it can investigate the activity further. The team is unable to see what the .RAR files hold because their contents are encrypted. Analysis of the internal host containing the .RAR files shows signs of a bot installation.
The following are additional questions for this scenario:

  1. How would the team determine what was most likely inside the .RAR files? Which other teams might assist the incident response team?
  2. If the incident response team determined that the initial compromise had been performed through a wireless network card in the internal host, how would the team further investigate this activity?
  3. If the incident response team determined that the internal host was being used to stage sensitive files from other hosts within the enterprise, how would the team further investigate this activity?
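Both scenario 1 and scenario 4 are first seen in flow data, so a single worked example (added here; it is not part of the NIST guide) covers the triage for both. It runs over constructed flow records, with a hypothetical address plan (10.0.0.0/8 internal, two public DNS servers and all other addresses drawn from the RFC 5737 documentation ranges). For scenario 1 it counts UDP/53 requests per source to the organization's DNS servers and records how many distinct source ports each sender used: a recursive resolver randomizes its source port, so a large volume from one fixed port is the fingerprint of a scripted sender, and the same check applied to internal sources answers question 2 of that scenario. For scenario 4 it sums outbound bytes per internal-to-external pair; flow data cannot reveal file names or the contents of encrypted .RAR files, but it does show the volume and destination, which is enough to choose the host to image.

```python
"""Flow-record triage for scenarios 1 (DNS DoS) and 4 (unknown exfiltration)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan (hypothetical, documentation ranges only): 10.0.0.0/8 is the
# internal network and the two public DNS servers are the listed addresses.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
DNS_SERVERS = ["203.0.113.10", "203.0.113.11"]


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    proto: str     # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dns_flood_sources(flows, min_requests=100):
    """Sources that sent at least min_requests UDP/53 flows to our DNS servers.

    Each finding carries the request count, the number of distinct source ports
    the sender used (1 means a fixed port, as in the scenario), and whether the
    sender is internal, which is what changes the handling in question 2.
    """
    counts = defaultdict(int)
    sports = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport == 53 and f.dst in DNS_SERVERS:
            counts[f.src] += 1
            sports[f.src].add(f.sport)
    return {
        src: {
            "requests": n,
            "distinct_source_ports": len(sports[src]),
            "internal": is_internal(src),
        }
        for src, n in counts.items()
        if n >= min_requests
    }


def bulk_outbound_pairs(flows, min_bytes=500_000_000):
    """(internal src, external dst) pairs whose summed outbound bytes reach
    min_bytes, largest first.  The threshold is a placeholder; in practice it is
    set from the host's own baseline, not a fixed number."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.nbytes
    hits = [(pair, b) for pair, b in totals.items() if b >= min_bytes]
    return sorted(hits, key=lambda item: item[1], reverse=True)


def build_sample_flows():
    """Constructed flow records for both scenarios; not a real capture."""
    t0 = 1_700_000_000
    flows = []
    # Two honest external resolvers: modest volume, varying source ports.
    for i, src in enumerate(["198.51.100.5", "198.51.100.6"]):
        for k in range(20):
            flows.append(Flow(t0 + k, "udp", src, 20000 + i * 1000 + k * 7, DNS_SERVERS[0], 53, 80))
    # The flood: one external source, one fixed source port, both DNS servers.
    for k in range(600):
        flows.append(Flow(t0 + k // 10, "udp", "198.51.100.77", 40000, DNS_SERVERS[k % 2], 53, 64))
    # Nine internal hosts repeating the pattern after containment (scenario 1, question 2).
    for h in range(9):
        for k in range(120):
            flows.append(Flow(t0 + 3600 + k, "udp", f"10.0.20.{50 + h}", 40000, DNS_SERVERS[0], 53, 64))
    # Ordinary outbound HTTPS from one host, then the bulk transfer abroad (scenario 4).
    for k in range(30):
        flows.append(Flow(t0 + k, "tcp", "10.0.7.5", 51000 + k, "192.0.2.200", 443, 12_000))
    for k in range(4000):
        flows.append(Flow(t0 + k, "tcp", "10.0.7.22", 50000 + k % 1000, "192.0.2.9", 443, 600_000))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for src, info in sorted(dns_flood_sources(sample).items()):
        print(f"DNS flood candidate {src}: {info}")
    for (src, dst), nbytes in bulk_outbound_pairs(sample):
        print(f"Bulk outbound {src} -> {dst}: {nbytes / 1e9:.2f} GB")
```

Two caveats a practitioner should keep in mind. A fixed UDP source port says nothing about whether the external address is the real sender or a spoofed victim of reflection, so the contact in scenario 1's question 1 (the address's owner or its ISP abuse desk) should be approached on the assumption that they may themselves be a victim. And the internal hosts in question 2 matched the same signature, which is why the response widens from blocking a single external address to treating those hosts as compromised endpoints.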

5) Disappearing Host

On a Thursday afternoon, a network intrusion detection sensor records vulnerability scanning activity directed at internal hosts that is being generated by an internal IP address. Because the intrusion detection analyst is unaware of any authorized, scheduled vulnerability scanning activity, she reports the activity to the incident response team. When the team begins the analysis, it discovers that the activity has stopped and that there is no longer a host using the IP address.
The following are additional questions for this scenario:

  1. What data sources might contain information regarding the identity of the vulnerability scanning host?
  2. How would the team identify who had been performing the vulnerability scans?
  3. How would the handling of this incident differ if the vulnerability scanning were directed at the organization’s most critical hosts?
  4. How would the handling of this incident differ if the vulnerability scanning were directed at external hosts?
  5. How would the handling of this incident differ if the internal IP address was associated with the organization’s wireless guest network?
  6. How would the handling of this incident differ if the physical security staff discovered that someone had broken into the facility half an hour before the vulnerability scanning occurred?
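Questions 1 and 2 above, and question 3 of the DNS scenario (two of the nine internal hosts left the network before their owners were identified), come down to the same task: tying an IP address to a physical host at a moment in the past, after the host has gone. The example below (added here; it is not part of the NIST guide) walks the DHCP lease history rather than the live lease table, then looks the MAC address up in a switch MAC table snapshot. The log lines follow the ISC dhcpd DHCPACK/DHCPRELEASE wording with RFC 3339 timestamps, and the MAC table follows the Cisco IOS `show mac address-table` layout; both excerpts, the addresses and the hostnames are constructed.

```python
"""Pinning a now-absent internal IP address to a host (scenario 5, and scenario 1 question 3)."""
import re
from datetime import datetime

# Constructed ISC dhcpd syslog excerpt with RFC 3339 timestamps; not a real log.
# The scanner sat on 10.0.31.44 and released the lease before the team looked;
# the address was then handed to a different device.
DHCP_LOG = """\
2024-10-17T13:02:11+00:00 dhcp1 dhcpd: DHCPACK on 10.0.31.44 to 3c:52:82:1a:9f:01 (lab-scan-01) via eth0
2024-10-17T13:10:40+00:00 dhcp1 dhcpd: DHCPACK on 10.0.31.45 to 8c:16:45:77:b2:0d (jdoe-laptop) via eth0
2024-10-17T14:31:06+00:00 dhcp1 dhcpd: DHCPRELEASE of 10.0.31.44 from 3c:52:82:1a:9f:01 (lab-scan-01) via eth0
2024-10-17T14:55:19+00:00 dhcp1 dhcpd: DHCPACK on 10.0.31.44 to f0:9f:c2:aa:01:33 (printer-3f) via eth0
"""

# Constructed "show mac address-table" snapshot taken when the team responded,
# i.e. after the scanning host had already left: its MAC has aged out.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  31    8c16.4577.b20d    DYNAMIC     Gi1/0/07
  31    f09f.c2aa.0133    DYNAMIC     Gi1/0/03
"""

# DHCPACK lines read "on <ip> to <mac>", DHCPRELEASE lines "of <ip> from <mac>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd: DHCP(?P<kind>ACK|RELEASE) (?:on|of) (?P<ip>[\d.]+) "
    r"(?:to|from) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?"
)


def parse_dhcp_log(text):
    """DHCPACK/DHCPRELEASE events in time order; other dhcpd lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "kind": m["kind"],
                "ip": m["ip"],
                "mac": m["mac"],
                "host": m["host"] or "",
            })
    return sorted(events, key=lambda e: e["ts"])


def lease_holder(log_text, ip, at_iso):
    """(mac, hostname) that held `ip` at the ISO 8601 instant `at_iso`, or None.

    Replaying the history gives the same answer whether or not the host is still
    on the network.  It assumes a lease stays with its MAC until a DHCPRELEASE or
    a DHCPACK to another MAC; dhcpd does not log silent expiry, so bound the
    answer by the configured lease time as well.
    """
    at = datetime.fromisoformat(at_iso)
    holder = None
    for ev in parse_dhcp_log(log_text):
        if ev["ip"] != ip:
            continue
        if ev["ts"] > at:
            break
        holder = (ev["mac"], ev["host"]) if ev["kind"] == "ACK" else None
    return holder


def switch_port_for(mac_table, mac):
    """Port from a MAC table snapshot, or None if the entry aged out after the host left."""
    want = mac.replace(":", "").lower()
    for line in mac_table.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].replace(".", "").lower() == want:
            return parts[3]
    return None


def identify_host(ip, at_iso, dhcp_log=DHCP_LOG, mac_table=MAC_TABLE):
    """Who held the address then, and where it plugs in now (None if no longer seen)."""
    lease = lease_holder(dhcp_log, ip, at_iso)
    if lease is None:
        return None
    mac, host = lease
    return {"mac": mac, "hostname": host, "switch_port": switch_port_for(mac_table, mac)}


if __name__ == "__main__":
    print(identify_host("10.0.31.44", "2024-10-17T14:05:00+00:00"))  # during the scanning
    print(identify_host("10.0.31.44", "2024-10-17T14:40:00+00:00"))  # after the release
    print(identify_host("10.0.31.44", "2024-10-17T15:00:00+00:00"))  # the address's new owner
```

The three calls at the bottom illustrate the trap in scenario 5: a lookup "now" either finds nothing or finds the printer that inherited the address, and only the historical lease record names the scanning host. When the switch entry has already aged out, the remaining sources for the physical location are 802.1X/NAC authentication logs, the switch's own syslog for link up/down on the access ports, and, on a guest wireless network (question 5), the controller's association logs, which tie the MAC to an access point and a captive-portal identity rather than to a wall jack.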