Document: Module 12: Designing Responses to Security Incidents (doc)


Contents

Overview 1
Lesson: Introduction to Auditing and Incident Response 2
Lesson: Designing an Audit Policy 8
Lesson: Designing an Incident Response Procedure 15
Lab A: Designing an Incident Response Procedure 27
Course Evaluation 32

Module 12: Designing Responses to Security Incidents

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Instructor Notes

In this module, students explore auditing and incident response as means for detecting and responding to security incidents. When an attack happens, the key to limiting damage is early detection and a rapid and orderly response. Auditing is an important tool to help students detect network abnormalities that may indicate attacks. An incident response procedure is a series of steps that students design in advance to guide their organization during a security incident.

After completing this module, students will be able to:
• Explain the importance of auditing and incident response.
• Design an auditing policy.
• Design an incident response procedure.

Presentation: 45 minutes
Lab: 30 minutes

Required materials: To teach this module, you need Microsoft® PowerPoint® file 2830A_12.ppt.

Important: It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all of the features of the slides may not be displayed correctly.

Preparation tasks: To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.
• Complete the lab and practice discussing the answers.
• Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD.
• Visit the Web links that are referenced in the module.

How to Teach This Module

This section contains information that will help you to teach this module.

Lesson: Introduction to Auditing and Incident Response

This lesson introduces the concepts of auditing and incident response. It includes features of both and examples of threats to each. This material will be review for some students. Spend as much time as necessary on this lesson. There is no practice for this lesson.
The log files used in the example on this page are located under Additional Reading on the Web page on the Student Materials CD. You can print these out before you teach this module and use the logs to generate class discussion.

Emphasize the concept of chain of evidence and explain why it is important.

Lesson: Designing an Audit Policy

This section describes the instructional methods for teaching this lesson.

Point out the additional reading listed on this page.

Answers may vary. Use the security responses that students give to generate classroom discussion.

Use this page to review the content of the module. Students can use the checklist as a basic job aid. The phases mentioned on the page are from Microsoft Solutions Framework (MSF). Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module, and then they must design security responses to protect the networks.

Lesson: Designing an Incident Response Procedure

This section describes the instructional methods for teaching this lesson.

Discuss root causes of security incidents and emphasize that the event that triggers an alarm may not be the original cause of the security incident, but merely a result of the incident.

Point out the job aid referenced under additional reading. Use it as a reference for discussion.

Answers may vary. Use the security responses that students give to generate classroom discussion.

Use this page to review the content of the module. Students can use the checklist as a basic job aid. The phases mentioned on the page are from MSF. Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module, and then they must design security responses to protect the networks.
Topic headings for the instructor notes above: The Auditing Process; Why an Incident Response Procedure Is Important; Common Auditing Tools and Sources; Practice: Risk and Response; Security Policy Checklist; Guidelines for Analyzing a Security Incident; Methods for Limiting Damage from an Attack; Practice: Risk and Response; Security Policy Checklist.

Assessment

There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning.

Lab A: Designing an Incident Response Procedure

To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class.

For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for facilitating the lab environment used in this course.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization. The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks.

Lab Setup

There are no lab setup requirements that affect replication or customization.
Lab Results

There are no configuration changes on student computers that affect replication or customization.

Overview

Introduction: Network security for an organization is an exercise in prevention. A good security design that is properly implemented will prevent a majority of the most common attacks. However, it is very likely that an attacker will eventually penetrate the defenses that you design. When an attack happens, the key to limiting damage is early detection and a rapid and orderly response. Auditing is an important tool to help you detect network abnormalities that may indicate attacks. An incident response procedure is a series of steps that you design in advance to guide your organization during a security incident.

Objectives: After completing this module, you will be able to:
• Explain the importance of auditing and incident response.
• Design an auditing policy.
• Design an incident response procedure.

Lesson: Introduction to Auditing and Incident Response

Introduction: Auditing and incident response provide you with the means to detect and maintain a record of network events. They also give you a procedure to respond to events that you determine are attacks.

Lesson objectives: After completing this lesson, you will be able to:
• Describe the auditing process.
• Explain why auditing is important.
• Describe an incident response procedure.
• Explain why an incident response procedure is important.

The Auditing Process

Auditing records specific events on a network.
By auditing events on computers and applications, you can compare the audit logs on each computer to understand the actions of a user or an attacker. For example, consider a computer running Microsoft® Windows® 2000 Server and Microsoft Internet Security and Acceleration (ISA) Server that is functioning as a firewall. ISA Server protects a Web site on a computer running Windows 2000 Server and Internet Information Services (IIS). When a customer on the Internet accesses the Web server, he is authenticated by Basic authentication over Secure Sockets Layer (SSL) to an Active Directory® directory services domain controller. In this example, when you enable auditing on the computers and applications, you can determine a user’s actions by examining the following:

1. Packet filter log file. By analyzing the packet filter log file, you determine that a computer with the IP address 131.107.1.31 created an SSL session with the Web server, which is published on the ISA Server firewall, for approximately 4 minutes, from 13:27 Pacific Daylight Time (PDT) to 13:31 PDT.

2. Security event log file from the IIS server and the IIS log file. By analyzing the Security event log file on the Web server, you determine that a user attempted to log on by using the account Ben and failed twice before succeeding at 13:29:07 PDT. By analyzing the IIS log file, you determine that the computer with the IP address 131.107.1.31 used a computer running Windows 2000 and Microsoft Internet Explorer version 5.01 to attempt to enroll a certificate from the Certsrv Web site.

3. Security event log file from the domain controller. By analyzing the Security event log file on the domain controller, you determine that the user who logged on by using the account Ben failed to log on twice due to using a bad password before ultimately succeeding.
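As an added example (not part of the module), the cross-log correlation described in the scenario above, written in Python over constructed sample records: each source's timestamps are converted to UTC before the records are merged into one timeline, and the bad-password attempts that precede the account's first successful logon are counted. The simplified firewall, IIS and security-log layouts and the time zone assumed for each source are assumptions; the Windows 2000 event IDs 528 and 529 are real.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample records in simplified layouts (not real ISA, IIS or event-log output).
# Each source stamps time in its own zone; converting everything to UTC is the "synchronised clocks" step.
PDT = timezone(timedelta(hours=-7))
FIREWALL_LOG = """2002-07-15 13:27:02 131.107.1.31 443 TCP ACCEPT
2002-07-15 13:31:10 131.107.1.31 443 TCP CLOSE"""  # assumed: firewall writes local time (PDT)
IIS_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
2002-07-15 20:28:40 131.107.1.31 - GET /certsrv/default.asp 401 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2002-07-15 20:29:07 131.107.1.31 Ben GET /certsrv/default.asp 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)"""  # IIS W3C logs use UTC
SECURITY_LOG = """2002-07-15 13:28:40,529,Ben
2002-07-15 13:28:55,529,Ben
2002-07-15 13:29:07,528,Ben"""  # Windows 2000 event IDs: 529 = bad password, 528 = logon success; local PDT
EVENT_NAMES = {"528": "logon success", "529": "bad password"}

def to_utc(date, time, tz):
    """Combine date and time strings, attach the source's zone and convert to UTC."""
    local = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)

def firewall_events(text, tz=PDT):
    rows = (line.split() for line in text.splitlines())
    return [(to_utc(d, t, tz), "firewall", ip, f"{act} {proto}/{port}") for d, t, ip, port, proto, act in rows]

def iis_events(text, tz=timezone.utc):
    rows = (line.split(maxsplit=7) for line in text.splitlines() if not line.startswith("#"))
    return [(to_utc(d, t, tz), "iis", ip, f"{user} {m} {uri} {st} {ua}") for d, t, ip, user, m, uri, st, ua in rows]

def security_events(text, tz=PDT):
    """Security-log records name the account but carry no client IP, hence None in the IP slot."""
    rows = (line.split(",") for line in text.splitlines())
    return [(to_utc(*stamp.split(), tz), "seclog", None, f"{user} {EVENT_NAMES.get(eid, eid)}") for stamp, eid, user in rows]

def timeline(ip):
    """Events tied to the client IP plus account events from the security log, in UTC order."""
    events = firewall_events(FIREWALL_LOG) + iis_events(IIS_LOG) + security_events(SECURITY_LOG)
    return sorted((e for e in events if e[2] in (ip, None)), key=lambda e: e[0])

def failures_before_success(events, user):
    """Count bad-password events for the account before its first successful logon (None if none)."""
    failures = 0
    for _, source, _, detail in events:
        if source == "seclog" and detail == f"{user} bad password":
            failures += 1
        elif source == "seclog" and detail == f"{user} logon success":
            return failures
    return None

if __name__ == "__main__":
    for when, source, _, detail in timeline("131.107.1.31"):
        print(when.strftime("%H:%M:%S UTC"), source.ljust(8), detail)
```

The printed timeline reproduces the module's reading of the three logs: the session opens at the firewall, two bad-password events line up with the 401 response, and the successful logon coincides with the 200 response to the Certsrv request, all within about four minutes.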
Note: To ensure that you can accurately compare audit logs from different computers and resources, synchronize the times of all audited computers and resources on your network. To analyze the log files that are used in this example, see the files in the Log files folder, under Additional Reading on the Web page on the Student Materials CD.

Additional reading [...]

[...] indicate security incidents. Investigate all abnormal events to determine their causes and to confirm whether the events present a security risk.

Additional reading: For more information about investigating security incidents, see Detecting Signs of Intrusion, at: http://www.cert.org/security-improvement/modules/m09.html

Guidelines for Analyzing a Security Incident [...]

[...] inadmissible in court.
• Contoso failed to conduct a review of the security incident. It never discussed how the company responded to the incident or documented what went well and what did not go well. As a result, Contoso could not apply any lessons learned to its security policy or incident response plan.

To avoid repeating mistakes, Contoso can:
• Create [...]

Risk | Risk strategy | Security response
Security incidents are reported prematurely and to inappropriate people | Avoid | Create a security policy that includes procedures for employees to escalate potential security incidents to approved individuals
Security incidents are leaked to the media before the team has met to discuss the incidents | Avoid | Create and distribute a communications plan for security incidents. Ensure [...]
[...] Attacks and Countermeasures,” in Security Operations Guide for Windows 2000 Server, under Additional Reading on the Web page on the Student Materials CD. The white paper, Microsoft Security Toolkit: Compromised Systems, at: http://www.microsoft.com/technet/security/tools/tools/detect.asp

Guidelines for Documenting Security Incidents [...]

[...] needs to know about the incident.

How team members communicate details of the incident to nonteam members. For many reasons, such as shareholder confidence, your organization may choose to keep the security incident confidential. To prevent information from being leaked to nonteam members or to the public, create clear guidelines about how to communicate [...]

[...] law enforcement early to ensure that all evidence is gathered in a manner that enables the evidence to be admissible in court.
• Conduct a post-security incident review to ensure that lessons learned from the incident are incorporated into security policies and the incident response plan.

2. Who should be on Contoso’s business-to-business (B2B) incident [...]

[...] answer to Ashley’s questions.
3. Click Send to save your answers to a folder on your desktop.
4. Discuss your answers as a class.

Lab A: Designing an Incident Response Procedure

Lab Questions and Answers

Answers may vary. The following are possible answers.

1. What specific errors did Contoso Pharmaceuticals make during the Yalovsky incident? What can Contoso [...]
[...] events to monitor, the level of detail to audit, and the computers or resources to audit. By creating audit statements, you ensure that you only audit events that are relevant to business goals or technical requirements. Audit statements also help to ensure that you audit events on all necessary computers and network devices to capture the intended action.

[...] Documenting the incident

Lab A: Designing an Incident Response Procedure

Objectives: After completing this lab, you will be able to apply security design concepts to incident response procedures.

Scenario: You are a consultant hired by Contoso Pharmaceuticals to [...]

[...] attackers.

In addition, ensure that your team is:

Available 24 hours a day. Security incidents can occur at any time of the day or year. Ensure that your team is available to provide rapid response to incidents.

Trained in responding to security incidents. Individuals who have experience or training in responding to incidents will help your team respond [...]

Posted: 18/01/2014, 05:20
