Professional incident response

Post on 16-Apr-2017


Transcript of Professional incident response

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Professional Incident Response
Brooks Garrett / October 16, 2014

Overview


Brooks Garrett
• Operations Architect, HP Fortify on Demand, 3 years
  – CISSP
• Volunteer Firefighter, Georgia, 5 years
  – Firefighter I National Professional Qualification
  – Hazardous Materials Awareness
  – Emergency Medical Responder
• Husband and father
• Rugby, programming, and tinkering


HP Fortify on Demand
• Cloud based Application Security as a Service
  – Static
  – Dynamic
  – Mobile
• Globally distributed deployments
  – 8 environments
  – 3 teams
  – 5 countries
• Coordination when responding isn’t trivial
  – Language
  – Culture
  – Time zones

Incident Response


“Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).”

Margaret Rouse, WhatIs.com Editorial Director


What is an incident?
• A single virus on a single computer
• A million viruses on a single computer
• A single worm on all the computers
• A single worm on all the computers on 3 continents
• Your database anywhere it shouldn’t be
• Heartland, Target, TJX


Incident Response Program
• 5 phases of incident response
• Framework for managing incidents and resources
• Framework for improving incident response
• System of reporting on incidents
• Incident Response Plan

Building by copying


Incident response is hard
• Framework must scale
  – One member team
  – 20 teams of 5 members each
  – One virus
  – All the viruses
• Organizations that have plans ignore them until “The Big One”
  – Too little, too late


Who can we copy?
Firefighters


Professional Responders

Fire Rescue Medical


Diverse incidents

Small Large Chaotic


Sound familiar?
• Very little information at start of incident
• Incidents occur at random intervals
• Incidents can be small (cat up a tree, single virus) or massive (Texas fertilizer plant, Target)
• Car crash?
  – Crashing daemons.
• Building on fire?
  – Servers on fire.


[Figure: Incident Response cycle: 1 Preparation, 2 Response, 3 Recovery]


Preparation
• Largest portion of time is in preparation
  – 100’s of hours preparing for 10 minutes of chaos
• Training and Certification
  – GIAC GCIH
  – FEMA ICS
  – Know the plan (or at least where the plan is located)
• Pre-incident planning
  – Your chance for mulligans
  – Build a plan of action for broadly defined events
• Rehearsal
  – Dry run pre-incident plans
  – Tabletop simulation of attacks
  – It’s like role playing, just nerdier


[Figure: Incident Response cycle: 1 Preparation, 2 Response, 3 Recovery]


Response Phases – Fire / Rescue

Preparation
• Training
• Planning
• Rehearsal

Response
• Dispatch
  – Alerting
  – Monitoring
• Size up
  – Isolation
  – Attack plan
  – Initial response
• Operations
  – Elimination
  – Overhaul
  – Collection of evidence

Return to Service
• Return to normal operation
• After action report


Response Phases – IT

Preparation
• Training
• Planning
• Rehearsal

Response
• Identification
  – Alerting
  – Monitoring
• Containment
  – Isolation
  – Initial response
• Eradication
  – Elimination
  – Collection of evidence

Recovery
• Return to normal operation
• After action report


Identification
• Must have “incident” defined
• Dispatch is a must
• First alert must be uniform for all events, incidents, and disasters
• Provides a central place where all information is collected and dispensed
  – SOC
  – SIEM
  – Grepping Syslog
  – EMail


Incident Command System (ICS)
• Hierarchical structure providing a clear chain of command
• Framework providing clear procedures for management of command and delegation of responsibilities
• We can steal this and get free training


Incident Command System


Role: Incident Command
• Ultimate authority during an incident
• Also ultimate responsibility for incident response
• Must be able to coordinate resources, delegate responsibility, and manage the overall response
• 10K foot view


Role: Information Officer
• The information officer is critical
• One voice to both internal and external parties
• One simple rule: Are you the Information Officer?
  – YES, I can talk to people about this incident as authorized by command
  – NO, I can’t talk to people


Role: Section
• Each section is responsible for their assigned area
• Receives delegated responsibilities from command
• Operates at ground level


Adapting ICS
• First responder is “Command” and controls the incident
• Command can be transferred to other resources as they respond
• Who has command isn’t about rank
  – Can be anyone at any time
  – Should be based on who is most capable of managing the incident
  – Transfer of command must be communicated to all resources
• Freelancing gets people killed, don’t do it
  – Not even once


Adapting ICS
• We don’t need a safety officer
  – Unless you have systems that sustain, protect, or threaten human life
• We don’t need a liaison officer
  – Unless you will be interfacing with law enforcement, banks, etc.
• Add or remove roles as incident size and organizational goals/requirements demand


Scaling response within ICS
• One person can be all roles for small incidents
• Assign officers as needed
  – Breach of PII data? You may want a Finance Officer (credit monitoring is expensive)
• Roles may be added and removed during the incident as the situation demands


[Figure: Incident Response cycle: 1 Preparation, 2 Response, 3 Recovery]


After action reports
• Consistency is key
• Incident Report
  – Incident ID
  – Date
  – Type
  – Assets involved
  – Resources involved
  – Narrative
• Response Report
  – What worked
  – What needs improvement
  – Should include the Incident ID for cross reference


Reporting Templates
• US CERT
• National Incident Management System – ICS Forms Booklet


Thank you

Brooks Garrett
E: brooks.garrett@hp.com
W: http://www.brooksgarrett.com
T: @brooksgarrett


Credits
• Title slide image
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/ul4owW
• Slide 12 image
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/jxjvz5
• Slide 13 – Fire
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/hVMFcr
• Slide 13 – Rescue
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/CEXxxoHP
• Slide 13 – Medical
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/CEXxxoHP
• Slide 14 – Small
  – Accessed: 6 Oct 2014
  – Pixabay
  – http://v.gd/XvUDvt
• Slide 14 – Large
  – Accessed: 6 Oct 2014
  – Reuters
  – http://v.gd/ChtCxm
• Slide 14 – Chaotic
  – Accessed: 6 Oct 2014
  – Getty Images
  – http://v.gd/xrtAJt
• Slide 12 – Rescue
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/CEXxxoHP


Resources
• SANS Incident Handler Handbook
  – Accessed: 6 Oct 2014
  – http://v.gd/u9UVvG
• FEMA ICS Training
  – Accessed: 16 Oct 2014
  – http://v.gd/TqNdUl