
NIST SP 800-86 0

2017

Draft NIST SP 800-86

GUIDE TO COMPUTER AND NETWORK DATA ANALYSIS: APPLYING FORENSIC TECHNIQUES TO INCIDENT RESPONSE

LIVIA NGUYEN

Table of Contents

Introduction ..... 2
Purpose ..... 2
Problem ..... 2
Solutions based on SP ..... 3
Requisitioned Equipment ..... 5
Requisitioned Personnel ..... 6
Implementation Timeline ..... 7
    May - June 2017: Employment Process ..... 7
Budget ..... 7
Benefits ..... 8
Conclusion ..... 9
Appendix A ..... 10
    Incident Response Contact List ..... 10
Appendix B: Evaluation System ..... 11
    Evaluation System ..... 11
Reference ..... 12

Introduction

This document will be used to investigate any crime or policy violation that happens within the company. The guide will provide detailed information on an incident that occurred within the company and that might affect the company. Digital forensic skills will be applied to any incident response event for investigation purposes. This document is not to be used for criminal investigations outside of company incidents. It will be used to help the company gather evidence to support further investigation. Any evidence collected, examined, or analyzed during the incident can be reported to legal advisors, law enforcement officials, and the management who will oversee solving the problem.

Purpose

Give the company a guideline on how to support and speed up the investigation process by collecting, analyzing, and reporting the evidence to the officials, or whoever is in charge of the case. Create a procedure for what the company should do when an employee violates a corporate rule.

Problem

The problem we encounter the most is that most people do not know how to respond to an emergency. A company that does not have proper policies, specifically an Incident Response and Investigation policy, will find it hard to collect evidence. It is a big problem when employees do not know how to respond to an incident and do not know how to document everything suspicious that will be helpful later in the investigation process. It is important that the company has all the evidence it needs to back it up in court if the company decides to fight the case legally.

Another problem the company might encounter is making sure that the evidence was only collected to help fix the current problem or to back up the investigator, and that this is not a full digital forensic investigation. The company does not have the right to present the evidence to the court as if it were the investigating authority. The evidence can only be presented to legal officials to back up the company's claim during the court process.

Solutions based on SP

First, the company needs to develop an incident response policy. Then a procedure is needed to respond to any incident that might happen during the time the system was compromised or infected.

Incident Response Policy and Procedure

I. The company needs to keep a log book of people entering the facility and of any activity that might lead to an incident that could put the company in danger. Record:
   a. Date and time the incident occurred or was discovered.
   b. People the employee had contact with.
   c. People that contacted the employee.
   d. Names of what has been affected.
   e. Any other activities that will be useful to the investigation later.

II. Contact the people responsible for fixing the problem (see Appendix A for the contact list).
   a. Contact the Computer Emergency Response Team (CERT) immediately if any suspicious activity is encountered.
   b. Contact the Computer Security Officer if any suspicious activity is seen on an individual workstation.
   c. Contact the Lead System Analyst if any threat has occurred that could cause a bigger problem.
   d. Contact the Computer Incident Advisory Capability after the problem has been identified and help is needed to take the next step.

III. Network
   a. Use forensic tools and apply them to troubleshooting to find the virtual or physical location of the problem.
   b. Monitor and log all activities performed during the investigation.
   c. Recover lost data.
   d. Use tools to acquire data from any employee.
   e. Use regulatory compliance to protect important databases.

IV. Digital forensic investigation will be applied to incident response by assisting with the investigation.
   a. Collecting evidence
      i. Collect the evidence
      ii. Identify the evidence
      iii. Document the evidence
   b. Examine the evidence
      i. Use forensic tools to examine the evidence
      ii. Collect data from the evidence
      iii. Extract any data related to, or that caused, the incident
      iv. Log the whole examination process along the way
   c. Analyze the evidence and question the probable reasons that led to the incident
      i. What is the result of the examination?
      ii. What caused the incident to happen?
      iii. How did it happen?
      iv. When, where, and why did it happen?
   d. Reporting
      i. What activities caused the incident to happen?
      ii. What tools were used during the investigation process?
      iii. What could be done to improve the current policy and procedure to prevent a similar incident from happening again?
      iv. Log all activities and document what was done during the investigation
      v. Follow up on the investigation

Requisitioned Equipment

Log Control: SolarWinds Log & Event Manager services
   o Node-based licensing
   o Real-time event correlation
   o Search log data
   o Real-time remediation
   o File integrity monitoring
   o High data compression

Forensic Hardware
   o Forensic Analysis Workstation
   o Forensic Field Kit
   o Intelligent Computer Solution

Forensic Software
   o Autopsy
   o Wireshark
   o FTK
   o Belkasoft Acquisition Tool

Requisitioned Personnel

OIG - Office of Inspector
ISO - Installation Security Officer
CSO - Computer Security Officer
CSA - Computer Security Analyst
LSA - Lead System Analyst
CERT - Computer Emergency Response Team
CIAC - Computer Incident Advisory Capability
IT Managers
Operations Manager
Risk Management Professionals
Business Continuity and Disaster Recovery Team (BCDR)
Incident Response Team



Implementation Timeline

May - June 2017: Employment process
July 2017: Developing a company policy
July 2017: Developing a company procedure
August 2017: Finalize the policy and procedure
August 2017: Buying requisitioned equipment
September 2017: Running tests with the new equipment
September 2017: Regulation compliance process
September 2017: Finalize the plan
October 2017: Training OIG, ISO, CSO, CSA, LSA, CERT, and CIAC on the new policy
October 2017: Training employees on the news
November 2017: Release the official plan

Budget

Plan Cost Estimate: $500K annually

SolarWinds - The power to manage IT. Log management software for security, compliance, and troubleshooting.
   Starting price: $4495

Forensic Analysis Workstation
   $14k - $23k per machine

Forensic Field Kit
   $2k - $44k per machine

Intelligent Computer Solution
   $5k - $15k per machine

Hiring Specialists
   Varies, depending on the role

Benefits

- Keeps the corporate network safe from compromise.
- The logbook shows employee and employer access, making it easier to figure out who did something.
- Keeps intruders out of the company facilities, and makes it possible to figure out how people got in and fix the problem.
- Easily keeps track of incidents that happen within the corporation.
- Speeds up the court case by providing law officials with evidence found by the company's investigator.
- Finds the problem and fixes it before it grows and increases the risk.
- Manages the risk of a security event and supports the decision on whether to make major changes or whether it is not something to be concerned about.
- Training employees to react when an incident happens will keep the company safe from compromising events.



Conclusion

This document is beneficial for the corporation and will help keep the company safe from information security events. It is suggested that the policies and procedures relating to NIST SP 800-86 be implemented in the company's policies. It will also help the company investigate events within the company that can be handled internally. If the company decides to bring a case to court, the evidence that was collected can be used to back up its claims and, at the same time, speed up the court process. The company has a higher chance of winning a court case if it has proper evidence to back up its claims, and that is why it is important to log events and keep a report of any incident that happens within the company.

Appendix A

Incident Response Contact List

Role                                                   | Phone Number  | Email Address
ISO - Installation Security Officer                    | 480-216-8434  | name@corporate.com
CSO - Computer Security Officer                        | 480-216-8415  | name@corporate.com
CSA - Computer Security Analyst                        | 480-216-8754  | name@corporate.com
LSA - Lead System Analyst                              | 480-216-8269  | name@corporate.com
CERT - Computer Emergency Response Team                | 480-216-8146  | name@corporate.com
CIAC - Computer Incident Advisory Capability           | 480-216-8544  | name@corporate.com
OIG - Office of Inspector                              | 480-216-1549  | name@corporate.com
IT Managers                                            | 480-216-1654  | name@corporate.com
Operations Manager                                     | 480-216-2076  | name@corporate.com
Risk Management Professionals                          | 480-216-4057  | name@corporate.com
Business Continuity and Disaster Recovery Team (BCDR)  | 480-216-1028  | name@corporate.com
Incident Response Team                                 | 480-216-5639  | name@corporate.com


Appendix B: Evaluation System

Evaluation System

Case Number | Description         | Risk (Low-Medium-High) | Contacted Personnel                       | Output
C-01        | Intruders           | Medium                 | OIG                                       |
C-02        | System Compromise   | High                   | CERT, OIG                                 |
C-03        | Unauthorized Access | Medium                 | IT Managers, CSO                          |
C-04        | Suspicious Activity | Medium                 | OIG                                       |
C-05        | Data Loss           | High                   | OIG, CSO, CERT                            |
C-06        | Email               | Low                    | Operations Manager                        |
C-07        | Exploitation        | High                   | OIS, CSO, CERT, CIAC                      |
C-08        | Malware Infection   | Medium                 | CERT, Risk Management Professional        |
C-09        | Disaster Event      | High                   | BCDR Team, CERT, CIAC                     |

Reference:

Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006, August). Guide to Integrating Forensic Techniques Into Incident Response. Retrieved April 3, 2017, from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Information Security - Incident Response Procedures. (2005, July 7). Retrieved April 3, 2017, from https://www.epa.gov/sites/production/files/2016-01/documents/cio_2150-p-08.2.pdf

Log management software for security, compliance, and troubleshooting. (n.d.). Retrieved April 22, 2017, from http://www.solarwinds.com/log-event-manager