Adapting Incident Response to Meet the Threat
-
Upload
resilient-systems -
Category
Technology
-
view
779 -
download
1
Transcript of Adapting Incident Response to Meet the Threat
Adapting Incident
Response to Meet the
Threat
Page 2
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Introductions: Today’s Speakers
• Jeff Schilling, Director, Global Incident Response and Digital
Forensics, Dell SecureWorks
• Ted Julian, Chief Marketing Officer, Co3 Systems
Page 3
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Agenda
• Why change your approach?
• Do you really know your environment?
• Do You really know/understand your threat?
• Where to focus your efforts to respond?
• Measuring success
Page 4
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
About Co3’s Incident Response Management System
PREPARE
Improve Organizational
Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table
tops)
MITIGATE
Document Results &
Improve Performance
• Generate reports for management,
auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
ASSESS
Identify and Evaluate
Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE
Contain, Eradicate, and
Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment
strategy
• Isolate and remediate cause
• Instruct evidence gathering and
handling
• Log evidence
Page 5
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
About Dell SecureWorks
• Dell SecureWorks uses cyber threat
intelligence to provide predictive, continuous
and responsive protection for thousands of
organizations worldwide.
• Enriched by intelligence from our Counter
Threat Unit research team, Dell
SecureWorks’ Information Security Services
help organizations proactively fortify
defenses, continuously detect and stop
cyber-attacks, and recover faster from
security breaches.
Page 6
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
My Press Box View
My view as the Director of the Army’s
Global Network Security Team My view as the Director of the Dell
SecureWorks Incident Response Practice
Page 7
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
The Dell SecureWorks Incident Response Practice
• 300+ this year
• 42% of our engagements were with Medium-sized
business
• 58% were large enterprise customers
• 70% of our engagements were active Incident Response
• 30% were proactive engagements
• 20% of our projects involved Advance Persistent Threat
(Targeted Threat)
• Our observations from 2012 engagements:
End users still the primary targets (51% of the time)
Servers and applications running second (39% of the
time)
20% of our engagements involved insider threat activity
DO I NEED TO CHANGE
MY APPROACH?
Page 9
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Getting to “yes”
• Do you rarely see the same activity on your
networks with the same success?
• Do you conduct trend analysis of your
security incidents?
• Have you analyzed the things you can
control and the things you can’t?
People
Processes
Technology
• For the things you can’t control, have you
calculated the risks or outcomes?
• Have you insured or transferred that risk?
• Do you make adjustments to your security
controls based on trends?
• Do you have a plan or playbook to address
your most common Incidents?
• Do you rehearse and update these plans?
DO YOU REALLY KNOW
YOUR ENVIRONMENT?
Page 11
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Which picture best describes your network?
• Do you have an updated/accurate network diagram? Are you a part of the change management
process so you know when it changes?
• Have you studied your network flow to know what ports and protocols to accept and ones to
deny?
• Do you validate with Pen Tests, Vulnerability Scans, Netflow Monitoring?
• Do you have defined network boundaries with the Internet?
• Do you leverage Active Directory to assign risk and controls to organizational units?
• Is “white listing” embraced in your organization?
• Do you have a standard, secure image/baseline for hosts and servers?
• Do you centralize your event log monitoring?
• Do you limit workstation to workstation communication?
POLL
DO YOU REALLY KNOW
YOUR ENEMY?
Page 14
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Categories of threat
• Phishing with Dynamite
• Automated control for scale
• Can be defended with good Signature based controls
• Buys trade craft
• Can be sophisticated and polymorphic
• Favorite vectors
Server compromises
Non-targeted phishing
Web drive bys
• Smash and grab
• Playing chess
• Human controlled (just for you)
• Custom trade craft
• Favorite vectors
Highly targeted phishing
Water holing web drive bys
Some server compromises
• Highly targeted efforts
• Attempts to cover their tracks
• Will compromise partners to get to you
• Goal is to log on, become an insider
• Fly on the wall
• Hardest to detect, tries to hide in normal activity
• Usually has elevated privileges
• Often assumes not being monitored
• Rarely uses tradecraft: when they do, normally crawlers
• Usually has access to data that does not pertain to their job, that is what they take
• May use “close access” techniques
• Attempts to cover their tracks
• Managers/HR usually not surprised when insider is caught
Page 15
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Categories of Intent/Motive
• Disrupt
• Destroy
• Deny
• Revenge
• Embarrass
• Intimidate
• Competitive advantage
• Fill in an innovation gap
• Nation-state level espionage
• Steal your money
• Steal your clients money
• Identity Theft
• Fraud
POLL
Page 17
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Pulling it all together
• Commodity
• Advanced Persistent Threat
• Insider
• Crime
• Hacktivism
• Revenge
• Intellectual property theft
• Cyber Warfare
• Cardholder
Data/PII/Identity
• Core Business
Processes
• Critical
Infrastructure
• Intellectual
Property
• Web
applications
• Financial
data/processes
• Executive
communication
• Monetary loss
• Availability
• Confidentiality
• Integrity
• Personal harm
• Reputation
• Botnets
• Server
compromise
• DoS
• Malicious code
• Web infection
• Phishing
• Physical
Theft/Loss/
Damage
• Targeted Attacks
• Worms/Trojans
• IPS/IDS
• Firewall/Web app FW
• DDOS filtering
• Web/mail Proxy
• VM inspection
• Host level controls
• SIEM/Log monitoring
• Vulnerability mgt
• Access control
• DLP
• DRM
• User actions
• Policy
Page 18
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
What should an IR plan look like?
• Base document (Policy and Guidelines, does not change very often)
Roles and responsibilities
Description of the overall process
Identification of Incident Types
Work flows
Identification of third party providers
• Playbooks/Appendix/Run Books (Procedures, constantly updated)
One for each Incident Type
Criteria for declaring an incident
Checklist driven actions
Point of Contact Lists
Key players on the Security team
Key players on the IT staff (if separate from the Security team)
Key decision makers outside of Security and IT
Third party providers (ISP, outside consulting, etc)
Page 19
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Threat Intelligence Maturity Model
Page 20
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
How do you apply intelligence?
Conte
xt
and c
ounte
rmeasu
res
Feedback loop
What does it mean?
How to resist?
What is the next action?
WHERE TO FOCUS YOUR
RESPONSE EFFORTS?
Page 22
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Do you live on OODA Loop?
Page 23
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
The “Broken Windows” approach
Questions
• Where is my most important data?
• Where are most of my incidents
happening?
• Where am I most vulnerable?
• What is (are) the worst possible thing(s)
that could happen?
• Can I detect where I am most vulnerable?
• Can contain where I am most vulnerable?
• Can I see insider threats?
Answers
• Identify your “broken windows”
• Establish network visibility
• Segment to protect critical assets, create
security zones
• Layered defense strategy
Intelligence informed SIEM
Network detection/prevention
Host level detection/prevention
Virtual machine detonation
• Get control of your elevated privileges, if
you can
• Protect and leverage your Active Directory
structure
• Whitelist your servers, protocols, and
ports
• Focus on SMTP and Web traffic
• Talk to managers and HR about high risk
employees with elevated privileges
HOW DO YOU
MEASURE SUCCESS?
Page 25
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Success, Failure, and False metrics
Indications of Failing Trends • Increase of recurring incidents
• Increased in dwell time
• Increase # of incidents reported by the user v. detected by SOC
• Increased number of root level and domain compromises
• Increase number of compromised servers / web applications
• Increase in the number of incidents involving CVE’s
• Increase in business impact of incidents
• Increase of incidents closed where root cause is indeterminate
Indication of Successful Trends • Decrease in time between
detection and containment
• Decrease in the number of successful commodity infections
• Decrease in number of incidents that spread to multiple host
• Increase in the number of APT and insider threat detections
• Decrease in 3rd party reporting of incidents (FBI, USSS, partners)
• Reduction in successful phishing
False Metrics • Increase or decrease in number of incidents
• Increase or decrease in number of detections
• Investment on security technology !
Page 26
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Conclusion
• Analyze your environment – know your strengths and
weaknesses
• Ensure you understand the threat’s capabilities, intent, and
vectors
• Focus your response on your “broken windows”
• Ensure you are achieving success and not reinforcing failure
in your Incident Response processes
Page 27
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Resources
• Dell SecureWorks Incident Response
http://go.secureworks.com/incident-response
• SANS Incident Response Training
http://www.sans.org/course/advanced-computer-forensic-analysis-incident-
response
• White Paper - Accelerating Incident Response: How Integrated Services Reduce
Risk and the Impact of a Security Breach
http://www.secureworks.com/resources/articles/featured_articles/accelerating-
incident-response-reducing-risk-and-impact
• NIST Computer Security Incident Handling Guide
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• If you suspect a security breach, contact the Dell SecureWorks Incident
Response team at 877-884-1110.
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a
nightmare scenario as painless as possible,
making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for
privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and
very well designed.”
PONEMON INSTITUTE
Jeffery R. Schilling, CISM
Director of Incident Response and Digital
Forensics
m: +1 703-232-7992
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013