Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Vanderburg
Transcript of Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Vanderburg
© 2017 Technology Concepts & Design, Inc. All Rights Reserved.

Page 1
Cybersecurity Incident Response Strategies and Tactics
TIMOTHY OPSITNICK, Executive Vice President & General Counsel
ERIC VANDERBURG, Vice President, Cybersecurity
RIMS 2017 Northeast Ohio Regional Conference
October 5, 2017

Page 2
About Us
TCDI founded in 1988
Microsoft Certified Partner since 2003
Services include:
  ◦ Digital forensics
  ◦ Cybersecurity
  ◦ eDiscovery
Minority owned enterprise

Page 3
TIMOTHY OPSITNICK, Executive Vice President and General Counsel
E-Discovery special master
Expert witness
Advisory board member for the Georgetown University Law Center’s CLE and the American College of e-Neutrals
Numerous publications and legal education seminars
Member of the Sedona Conference Working Group

ERIC VANDERBURG, Vice President, Cybersecurity
Over 40 certifications
Published author
Licensed private investigator
Expert witness and thought leader
18 years in cybersecurity
Specializations include:
  ◦ Risk management
  ◦ Governance and compliance
  ◦ Security strategy

Page 4
Introduction

Page 5
Impact of Cybersecurity Incidents
Loss of Valuable Information
Direct Financial Loss
Unfavorable Media Exposure/Damage to Reputation
Outages and Disruption
Data breach
Notification
Lawsuits

Page 6
Statistics
  ◦ 87% responded to at least one incident in the past year
  ◦ 20% responded to at least 100 incidents
  ◦ 68% identified malware as the root cause of incidents
  ◦ 50% reported employee personal information (ex. SSN) was prioritized
  ◦ 82% reported that remediation activities took place within one month of containment
  ◦ 33% take place within 24 hours
Highlighted figures: 87% reported incidents; 68% identified malware as cause
*The Show Must Go On! The 2017 SANS Incident Response Survey

Page 7
Pre Response Planning
Identify data types and locations
Identify legal obligations
  ◦ Regulatory
  ◦ Contractual
Create and implement security policies
  ◦ Incident Response Plan
  ◦ Other Policies

Page 8
Analysis of legal obligations
National laws and directives
GDPR / EU directives
State / province laws
Civil liabilities
Legally-advisable practices

Page 9
Business value of IR
Protects proprietary / classified information
Reduces impact to business operations
Minimizes public relations damages
Reduces costs of response
Ensures data is collected for evidentiary purposes

Page 10
Incident Response Planning

Page 11
The Team
IT
Compliance
Privacy
Human Resources
Security / Risk Management
Third-party Cyber Security team
Legal
Public Relations
Physical Security
Senior management
Law Enforcement Liaison

Page 12
Counsel and Privilege
Early involvement affects whether communications will be considered privileged
  ◦ Early assessments are frank
  ◦ Privilege law is complex
Law in area developing
Regulatory and legal requirements complex, e.g. notice

Page 13
Activating the team and the plan
Initial scoping, typically IT
Trigger
  ◦ Confidentiality or privacy of information affected or in care
  ◦ Integrity of systems or data
  ◦ Availability of systems or data

Page 14
Incident Response Readiness

Page 15
Scenario planning
  ◦ Document procedures for likely incidents
  ◦ Document steps for a non-specific incident
  ◦ Is geographic diversity needed?
  ◦ Determine notification procedure

Page 16
Employee theft of intellectual property and misconduct
An employee removes internal client information for sale to a competitor
A disgruntled employee destroys data critical to business success
An employee downloads illegal software containing a backdoor

Page 17
Data breach
Large upload of files to unknown destination
Confidential information on public sources
Files mistakenly sent to the wrong customer

Page 18
Malware or ransomware
Ransomware encrypts central data repository
Botnet causes company email and domain to be blacklisted due to spam and searches
Malware makes hundreds of machines unusable
Company receives notices of Denial of Service (DoS) attacks originating from the corporate network.

Page 19
Lost or stolen device
Employee loses an encrypted laptop while on vacation.
Backup tapes are stolen from an employee’s vehicle while they are in a restaurant.
The phone of the CEO’s assistant is stolen at a coffee shop and the phone was unlocked at the time.

Page 20
Key system failure
Power outage in the server room in the middle of the day.
Non-redundant firewall failure

Page 21
Data loss or corruption
Multiple hard drives fail in the main database server.
Administrator accidentally deletes the wrong virtual machine.
A restore overwrites production data rather than going to an alternate location.
Encryption keys expire

Page 22
Social engineering
Company instructed to change payment information.
Fake CEO emails instruct AR to make payments to an account.
Employees divulge passwords to a person claiming to be from IT.

Page 23
Table top exercises
PROCESS
  ◦ IR team assembles
  ◦ Facilitator describes scenario
  ◦ Plans are invoked and tested
  ◦ Review actions
  ◦ Completion and success criteria
  ◦ Notification methods and messages
VALUE
  ◦ New insight gained
  ◦ Plans updated
  ◦ Team more comfortable with the process

Page 24
Security testing
Penetration testing
Vulnerability management
Red teaming

Page 25
Locking systems down
Configuration audits and System hardening

| Hardening Zone | Purpose |
| --- | --- |
| User Configuration | Least privilege, secondary logon |
| Network Configuration | IP4 vs IP6, encryption, static/dynamic |
| Features and Roles Configuration | Add what you need, remove what you don't. GUI? |
| Update Installation | Address vendor-addressed vulnerabilities |
| NTP Configuration | Clock synchronization |
| Firewall Configuration | Minimize your external footprint. |
| Remote Access Configuration | Authorization, types (RDP, SSH, admin tools) |
| Service Configuration | Minimize your attack surface. |
| Logging and Monitoring | Know what's happening on your system. |
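As an added example (not code from the deck or from TCDI), the Python below turns each row of the hardening table into an automated configuration check and audits one host against a baseline. The inventory layout, the baseline values and the severities are assumptions standing in for what a configuration-management agent or CMDB export would provide; the checks themselves follow the table's zones.

```python
"""Configuration audit of a single host against the hardening zones in the
'Locking systems down' table.  Added example, not from the deck.  The
inventory layout, baseline values and severities are assumptions."""

# Constructed inventory for one server, as a config agent might report it.
HOST = {
    "hostname": "app01",
    "users": [
        {"name": "jsmith", "admin": True, "daily_use": True},       # admin rights on a daily-use account
        {"name": "jsmith-adm", "admin": True, "daily_use": False},  # proper secondary logon
        {"name": "svc-web", "admin": False, "daily_use": False},
    ],
    "ipv6_enabled": True,
    "ipv6_managed": False,              # IPv6 is on but no addressing/filtering policy exists
    "installed_roles": ["web-server", "gui-desktop", "ftp-server"],
    "pending_security_updates": 3,
    "ntp_servers": [],
    "firewall": {"inbound_default": "allow", "open_ports": [22, 80, 443, 3389]},
    "remote_access": {"rdp": True, "ssh": True, "ssh_password_auth": True},
    "listening_ports": [21, 22, 80, 443, 3389],
    "log_forwarding": False,
}

# Constructed baseline for this host's role (a web server).
BASELINE = {
    "required_roles": {"web-server"},
    "allowed_inbound_ports": {22, 80, 443},
    "allowed_remote_access": {"ssh"},
}


def audit_host(host, baseline):
    """Return one finding per deviation, tagged with the table's hardening zone."""
    findings = []

    def flag(zone, severity, detail):
        findings.append({"zone": zone, "severity": severity, "detail": detail})

    # User Configuration: least privilege, admin work only from a secondary logon
    for u in host["users"]:
        if u["admin"] and u["daily_use"]:
            flag("User Configuration", "high",
                 f"{u['name']} holds admin rights on a daily-use account; use a secondary logon")

    # Network Configuration: IPv4 vs IPv6 must be a deliberate, managed choice
    if host["ipv6_enabled"] and not host["ipv6_managed"]:
        flag("Network Configuration", "medium", "IPv6 enabled without an addressing/filtering policy")

    # Features and Roles: add what you need, remove what you don't
    for role in sorted(set(host["installed_roles"]) - baseline["required_roles"]):
        flag("Features and Roles Configuration", "medium", f"role '{role}' is not required; remove it")

    # Update Installation: vendor-addressed vulnerabilities
    if host["pending_security_updates"] > 0:
        flag("Update Installation", "high",
             f"{host['pending_security_updates']} security updates pending")

    # NTP Configuration: without synchronized clocks, log timelines do not correlate
    if not host["ntp_servers"]:
        flag("NTP Configuration", "medium", "no NTP servers configured")

    # Firewall Configuration: minimize the external footprint
    fw = host["firewall"]
    if fw["inbound_default"] != "deny":
        flag("Firewall Configuration", "high", "inbound default policy is not deny")
    for port in sorted(set(fw["open_ports"]) - baseline["allowed_inbound_ports"]):
        flag("Firewall Configuration", "medium", f"inbound port {port} open but not in baseline")

    # Remote Access Configuration: only approved types, with strong authentication
    ra = host["remote_access"]
    for kind in ("rdp", "ssh"):
        if ra.get(kind) and kind not in baseline["allowed_remote_access"]:
            flag("Remote Access Configuration", "high", f"{kind} enabled but not an approved access type")
    if ra.get("ssh") and ra.get("ssh_password_auth"):
        flag("Remote Access Configuration", "medium", "SSH accepts passwords; require key-based auth")

    # Service Configuration: minimize the attack surface
    for port in sorted(set(host["listening_ports"]) - baseline["allowed_inbound_ports"]):
        flag("Service Configuration", "medium", f"service listening on port {port} is outside the baseline")

    # Logging and Monitoring: know what is happening on the system
    if not host["log_forwarding"]:
        flag("Logging and Monitoring", "high", "logs are not forwarded to central collection")

    return findings


def count_by_severity(findings):
    """Summarize findings as {severity: count} for reporting."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_host(HOST, BASELINE)
    for f in results:
        print(f"[{f['severity']:6}] {f['zone']}: {f['detail']}")
    print(count_by_severity(results))
```

Run against the constructed host this yields thirteen findings across all nine zones; a host that matches the baseline yields none. In practice the inventory would be pulled from the endpoint agent or CMDB already in place and the baseline kept per server role, so the same audit can be re-run after hardening to confirm the changes took effect.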

Page 26
Improving detection capability
SIEM
Anomaly detection
End user training
Motivation and Accountability

Page 27
Vendor or third party coordination and planning
Identify required third-parties
Establish expectations and contractual agreements
Make vendors aware of internal procedures
Solicit feedback

Page 28
Awareness training
Acceptable use
  ◦ Email, Internet, Social
Passwords
Incident indicators
Malware
Social engineering
Data handling
Other policy elements

Page 29
Process and system implementation
Preservation
Log management and retention
Business continuity
Auditing
Prepare resources
  ◦ Human
  ◦ Technical

Page 30
Incident Response Execution

Page 31
Incident response phases
Identification
Containment
Investigation
Eradication
Recovery
Reflection

Page 32
Identification
Indicators
  ◦ Use of dormant accounts
  ◦ Log alteration
  ◦ Presence of malicious code
  ◦ Notification by partner or peer
  ◦ Notification by hacker
  ◦ Loss of availability
  ◦ Corrupt files
  ◦ Data breach
  ◦ Violation of policy
  ◦ Violation of law
Report incident indicators (employees or automated systems)
Validate indicators
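The first indicator on the slide, use of dormant accounts, is one an automated system can report on its own. The Python below is an added example, not code from the deck or from TCDI: it joins a last-logon inventory against authentication events and raises an alert when an account idle longer than a threshold logs on successfully. The log format, the inventory and the 90-day threshold are assumptions; the sample events are constructed.

```python
"""Detection logic for the 'use of dormant accounts' indicator.  Added
example, not from the deck: the auth log format, the last-logon inventory
and the 90-day dormancy threshold are assumptions."""
from datetime import datetime, timedelta

# Constructed last-successful-logon inventory (what an IAM export provides).
LAST_LOGON = {
    "jsmith": "2017-09-28T08:14:00",
    "contractor42": "2017-03-02T17:40:00",   # idle for about seven months
    "svc-backup": "2017-10-01T02:00:00",
    "mlee": "2017-08-20T09:05:00",
}

# Constructed auth events in an assumed key=value format.
AUTH_LOG = """\
2017-10-04T09:12:31 authsvc LOGON_SUCCESS user=jsmith src=10.0.4.21
2017-10-04T22:47:02 authsvc LOGON_SUCCESS user=contractor42 src=203.0.113.9
2017-10-04T22:49:10 authsvc LOGON_FAILURE user=contractor42 src=203.0.113.9
2017-10-05T03:10:00 authsvc LOGON_SUCCESS user=svc-backup src=10.0.9.2
2017-10-05T07:30:45 authsvc LOGON_SUCCESS user=mlee src=10.0.4.88
"""

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


def parse_auth_line(line):
    """Parse one event line; return None for lines that are not logon events."""
    parts = line.split()
    if len(parts) < 4 or parts[2] not in ("LOGON_SUCCESS", "LOGON_FAILURE"):
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return {"ts": datetime.fromisoformat(parts[0]), "event": parts[2],
            "user": fields.get("user"), "src": fields.get("src")}


def find_dormant_account_use(log_text, last_logon, dormant_after=DORMANT_AFTER):
    """Flag successful logons to accounts idle longer than dormant_after.

    The inventory copy is updated as events are processed, so an account
    that wakes up is alerted on once, not on every later logon in the feed."""
    seen = dict(last_logon)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None or ev["event"] != "LOGON_SUCCESS":
            continue
        prior = seen.get(ev["user"])
        if prior is not None:
            idle = ev["ts"] - datetime.fromisoformat(prior)
            if idle > dormant_after:
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "at": ev["ts"].isoformat(), "idle_days": idle.days})
        seen[ev["user"]] = ev["ts"].isoformat()
    return alerts


if __name__ == "__main__":
    for alert in find_dormant_account_use(AUTH_LOG, LAST_LOGON):
        print(f"dormant account used: {alert}")
```

On the constructed data only `contractor42` is flagged (216 days idle, logging on from an external address); the other accounts are within the threshold. The alert is the "report" step on the slide; the "validate" step is still a person confirming with the account owner or HR before the team is activated.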

Page 33
Containment
Assemble the IR team
Quarantine
  ◦ Disable accounts, disconnect from network, isolate VM
Preserve Evidence
Expand IR resources as necessary

Page 34
Investigation
Interviewing
Analysis
  ◦ Logs
  ◦ Memory
  ◦ Forensic images
  ◦ Public data
Documentation
  ◦ IP address of compromised system
  ◦ Time frame
  ◦ Malicious ports
  ◦ Flow records
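The Documentation items on this slide (compromised host, time frame, ports, flow records) can be produced directly from flow data. As an added example, not code from the deck or from TCDI, the Python below aggregates constructed NetFlow-style records and writes a documentation record for the "large upload of files to unknown destination" scenario from the data-breach slide. The record layout, the destination allowlist and the byte threshold are assumptions.

```python
"""Flow-record analysis that produces the Investigation slide's documentation
items (compromised host, time frame, ports) for the 'large upload of files
to unknown destination' scenario.  Added example, not from the deck: the
record layout, allowlist and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: start,src,sport,dst,dport,bytes_out
FLOWS_CSV = """\
2017-10-03T01:02:10,10.0.4.21,51002,198.51.100.40,443,1200
2017-10-03T01:05:44,10.0.4.21,51010,198.51.100.40,443,900
2017-10-03T02:14:00,10.0.4.88,49211,192.0.2.77,22,210000000
2017-10-03T02:31:15,10.0.4.88,49212,192.0.2.77,22,340000000
2017-10-03T03:02:09,10.0.4.88,49220,192.0.2.77,22,150000000
2017-10-03T08:00:00,10.0.9.2,40001,10.0.9.50,445,80000000
2017-10-03T08:30:00,10.0.4.21,51100,192.0.2.77,443,5000
"""

KNOWN_DESTINATIONS = {"198.51.100.40", "10.0.9.50"}   # constructed allowlist
UPLOAD_THRESHOLD_BYTES = 100 * 1024 * 1024            # 100 MiB, an assumed threshold


def parse_flows(csv_text):
    """Parse the constructed CSV layout into typed flow dicts."""
    flows = []
    for line in csv_text.splitlines():
        ts, src, sport, dst, dport, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_large_uploads(flows, known_destinations, threshold):
    """Aggregate outbound bytes per (src, dst) for destinations not on the
    allowlist and return a documentation record for each pair over threshold."""
    agg = defaultdict(lambda: {"bytes": 0, "first": None, "last": None, "ports": set()})
    for f in flows:
        if f["dst"] in known_destinations:
            continue
        a = agg[(f["src"], f["dst"])]
        a["bytes"] += f["bytes"]
        a["first"] = f["ts"] if a["first"] is None else min(a["first"], f["ts"])
        a["last"] = f["ts"] if a["last"] is None else max(a["last"], f["ts"])
        a["ports"].add(f["dport"])
    records = []
    for (src, dst), a in sorted(agg.items()):
        if a["bytes"] >= threshold:
            records.append({"compromised_host": src,
                            "destination": dst,
                            "bytes_out": a["bytes"],
                            "time_frame": (a["first"].isoformat(), a["last"].isoformat()),
                            "ports": sorted(a["ports"])})
    return records


if __name__ == "__main__":
    for rec in find_large_uploads(parse_flows(FLOWS_CSV), KNOWN_DESTINATIONS, UPLOAD_THRESHOLD_BYTES):
        print(rec)
```

On the constructed data, 10.0.4.88 moved 700 MB to 192.0.2.77 over port 22 between 02:14 and 03:02; the small 5 KB flow from 10.0.4.21 to the same destination stays below the threshold but is exactly the kind of record worth keeping in the case file, since it names a second host that touched the destination.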

Page 35
Eradication
Resolution
  ◦ List action items
  ◦ Rank in terms of risk level and time required
  ◦ Prioritize
  ◦ Coordinate and track remediation to completion
Validation
  ◦ Confirm measures successfully remediated the incident

Page 36
Recovery
Remediate vulnerabilities
Restore services
Restore data (Ensure that backups are clean)
Follow notification procedures in IRP
Restore confidence

Page 37
Reflection
Refine plans and processes
Create new IRPs
Debrief

Page 38
Reflection (continued)
Debrief (After-action review)
  ◦ Rankless discussion
  ◦ Goals
  ◦ Were goals achievable?
  ◦ Successes
  ◦ Pitfalls
  ◦ Lessons learned
  ◦ Action items and responsibilities
  ◦ Positive summary

Page 39
Key Issues

Page 40
Preserving chain of custody and evidence
As soon as the team begins its work, it must start and maintain a strict chain of custody
Chain of custody documents that evidence was under strict control and that no unauthorized person was given the opportunity to corrupt the evidence
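The record the slide describes has to show two things: who held the evidence at every moment, and that the evidence is still the bytes that were collected. As an added example, not code from the deck or from TCDI, the Python below keeps a chain-of-custody log in which every entry carries the evidence hash and the hash of the previous entry, so that a modified evidence file, an edited entry or a removed entry all fail verification. The entry layout, custodian names and sample evidence are assumptions.

```python
"""Tamper-evident chain-of-custody record for one evidence item.  Added
example, not from the deck: the entry layout, the custodian names and the
hash-chaining scheme are assumptions.  Each entry records the evidence hash
and the hash of the previous entry, so altered evidence or an edited or
removed entry is detected on verification."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64   # prev_entry_hash of the first entry

    def __init__(self, item_id, description, evidence, custodian, at=None):
        self.item_id = item_id
        self.evidence_sha256 = sha256_hex(evidence)   # hash taken at acquisition
        self.entries = []
        self._append("acquired", custodian, description, at)

    def _append(self, action, custodian, note, at):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "item_id": self.item_id,
            "at": at or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "note": note,
            "evidence_sha256": self.evidence_sha256,
            "prev_entry_hash": prev,
        }
        # The entry hash covers every field above, including the link to the previous entry.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, from_custodian, to_custodian, at=None, note=""):
        """Record a hand-off as a release by one custodian and a receipt by the next."""
        released = f"to {to_custodian}" + (f"; {note}" if note else "")
        self._append("released", from_custodian, released, at)
        self._append("received", to_custodian, f"from {from_custodian}", at)

    def verify(self, evidence):
        """Recompute every hash.  Returns (ok, problems)."""
        problems = []
        if sha256_hex(evidence) != self.evidence_sha256:
            problems.append("evidence bytes do not match the recorded hash")
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                problems.append(f"entry {i}: chain link broken (entry removed or reordered)")
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {i}: contents modified after it was recorded")
            prev = e["entry_hash"]
        return (not problems, problems)


# Constructed evidence; in practice this would be a disk or memory image.
EVIDENCE = b"constructed sample evidence: memory image of host app01\n"


def build_sample_log():
    """Acquisition by a responder, then hand-off to the forensic lab."""
    log = CustodyLog("ITEM-0001", "memory image, host app01", EVIDENCE,
                     custodian="responder-a", at="2017-10-05T09:00:00+00:00")
    log.transfer("responder-a", "forensic-lab", at="2017-10-05T11:30:00+00:00",
                 note="sealed evidence bag #12")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.entries:
        print(e["seq"], e["at"], e["action"], e["custodian"], e["note"])
    print(log.verify(EVIDENCE))
```

The hash chain only proves integrity relative to a trusted copy of the final entry hash, so in practice that hash is written to append-only storage or signed by the custodian at each hand-off; the log itself is still the document that shows the evidence was under strict control, which is what the slide asks for.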

Page 41
When and if to engage Law enforcement
Nature of data compromised
Nature of incident (theft vs. external hacking vs. employee misconduct)
Regulatory scheme or statute that applies to data or operations
Country or residence of persons involved in the compromise or persons whose information is implicated
Your industry
Specific benefit
Policy of Good Corporate Citizen
Prior relationship established

Page 42
Communications
Alternate
In person

Page 43
Engaging vendors
Pre selected
Experience
New entries in market

Page 44
Notice
Insurance carriers
Impacted individuals
Regulators
Credit reporting agencies

Page 45
Questions?