Incident Response… Be prepared for “not if” but “when” it happens. James Campbell .


James Campbell

www.pwc.co.uk

Page 2: Agenda

1. Threat Recap
2. Reality and Models
3. Response Components
4. Practical Defence

Page 3: Who is attacking?

• Espionage
• Hacktivism
• Organised Crime
• Terrorism/Sabotage
• Insiders
• Tools and Techniques

Page 4: Reality Check

Page 5: IR Models

NIST 800-61

Page 6: IR Models

ISO/IEC 27035:2011 Information technology Security techniques — Information security incident management

• Plan and prepare:
  • establish an information security incident management policy, form an Incident Response Team;
• Detection and reporting:
  • someone has to spot and report “events” that might be or turn into incidents;
• Assessment and decision:
  • someone must assess the situation to determine whether it is in fact an incident;
• Responses:
  • contain, eradicate, recover from and forensically analyse the incident, where appropriate;
• Lessons learnt:
  • make systematic improvements to the organisation’s management of information security risks as a consequence of incidents experienced.

Page 7: IR Models

Detection
• Intrusion Detection, Analysis and Discovery
• Network Monitoring
• Host Monitoring
• Centralised Log File Analysis
• Physical Factors
• Signature Development

Triage
• Making sense of alerts
• Prioritisation
• Visibility of External and Internal Influences
• Business Operations Visibility
• Further analysis needed?
• Data Enrichment

Response
• Communications Plan
• Response Coordination
• Response Escalation plan
• Forensic Response and Readiness
• Initial Reporting and Awareness
• Investigation

Mitigation
• Tactical and Strategic mitigations
• Long term or short term
• Accessibility and actions required
• Mitigation Vs Isolation Vs Business Impact
• Mitigation Deployment Plan
• Resource Coordination
• Mitigation verification

Threat Intelligence
• Threats Against an Organisation
• Threat Actor Knowledge
• APT, Hacktivists, Crime, Insider, Corporate Espionage
• Tools Techniques and Procedures
• Messaging and Education
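The Triage box above lists making sense of alerts, prioritisation and data enrichment as separate activities; the following added example (not code from the deck or from PwC) shows the three working together. Each raw alert is enriched with asset criticality from a constructed asset register and with a constructed weight for the suspected threat actor category, then scored so that a confirmed incident on a critical system rises to the top of the queue ahead of repeated low-value workstation noise. The asset register, actor weights, scoring formula and sample alerts are all assumptions made for the example.

```python
"""Alert triage: enrich raw alerts with asset and threat context, then prioritise.

Added example for the Triage component (making sense of alerts, prioritisation,
data enrichment). Not code from the slide deck; the alerts, the asset register
and the scoring weights are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed asset register: which hosts are critical to staying operational
# and which hold critical information assets.
ASSET_REGISTER = {
    "dc01":      {"criticality": 5, "role": "domain controller"},
    "fileserv2": {"criticality": 4, "role": "file server (HR data)"},
    "ws-0412":   {"criticality": 1, "role": "user workstation"},
    "ws-0877":   {"criticality": 1, "role": "user workstation"},
}

# Constructed threat-actor context: extra weight per suspected actor category.
ACTOR_WEIGHT = {"apt": 3, "crime": 2, "hacktivism": 1, "insider": 2, "unknown": 0}


@dataclass
class Alert:
    alert_id: str
    host: str
    source: str                        # sensor that raised it: host, network, central logs
    description: str
    suspected_actor: str = "unknown"
    confirmed_incident: bool = False   # the "is it an incident?" triage decision
    context: dict = field(default_factory=dict)
    score: int = 0


def enrich(alert: Alert) -> Alert:
    """Attach asset criticality and role so the analyst sees business impact."""
    asset = ASSET_REGISTER.get(alert.host, {"criticality": 2, "role": "unregistered host"})
    alert.context["criticality"] = asset["criticality"]
    alert.context["role"] = asset["role"]
    alert.context["actor_weight"] = ACTOR_WEIGHT.get(alert.suspected_actor, 0)
    return alert


def score(alert: Alert) -> int:
    """Priority = asset criticality x (1 + actor weight), doubled once confirmed."""
    base = alert.context["criticality"] * (1 + alert.context["actor_weight"])
    return base * 2 if alert.confirmed_incident else base


def prioritise(alerts):
    """Return the alerts ordered highest priority first, each enriched and scored."""
    for a in alerts:
        enrich(a)
        a.score = score(a)
    return sorted(alerts, key=lambda a: a.score, reverse=True)


def group_by_host(alerts):
    """Collapse alert ids per host so one noisy workstation does not flood the queue."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.host, []).append(a.alert_id)
    return grouped


# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("A-1", "ws-0412", "host", "AV quarantined known trojan"),
    Alert("A-2", "dc01", "central-logs", "Unusual logon at 03:12 from service account", "apt", True),
    Alert("A-3", "fileserv2", "network", "Large outbound transfer to new external IP", "crime"),
    Alert("A-4", "ws-0412", "host", "Repeated AV detection, same file"),
    Alert("A-5", "ws-0877", "network", "Beaconing pattern to uncategorised domain", "apt"),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_ALERTS):
        print(f"{a.score:3d}  {a.alert_id}  {a.host:10s} {a.context['role']:25s} {a.description}")
    print(group_by_host(SAMPLE_ALERTS))
```

With the constructed inputs the confirmed domain controller alert scores 40 and leads the queue, the file server exfiltration indicator follows at 12, and the two workstation AV hits sit at the bottom with a score of 1 each; the grouping call shows both of those belong to the same host, which is the kind of "further analysis needed?" signal the slide refers to.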

Page 8: Triage, Risk and Scope

Triage, what are you trying to answer… Key Questions

• How was the incident identified?
• Is it an incident?
• When did the incident occur?
• What is compromised?
• Who is compromised?
• How did the compromise happen?
• Who is the suspected threat actor?
  • Internal, APT, Terrorism, Hacktivism, Crime
• Was it targeted or non targeted?
• Has anyone taken initial steps or actions?

Page 9: Triage, Risk and Scope…

Understand the risks, key questions…

• What are the critical elements and systems required to stay operational?
• What are the critical information assets?
• What are your worst fears?

Scoping: in order to scope you need to know your organisation in detail.

• What do your operational systems look like?
• What does your network look like?
• How geographically dispersed are you?
• Are there data privacy considerations, or evidential considerations?
• What in-house resources do you have, technology and/or people?
• What is the appetite to monitor vs mitigate?

Page 10: Communications, Coordination

Coordination
• Roles and Responsibilities
• Set and agree objectives and goals early on
• Ensure you have access to the necessary resources…

Beyond the typical incident
• Crisis management, legal, media monitoring
• Alerting and/or reporting obligations to regulators and law enforcement
• Alerting stakeholders, such as customers or business partnerships

Page 11: Communications, Coordination

Communications
• Agreed communications methods, out of band options?
• Agreed escalation paths, in/out of hours
• Communications frequency
• Communication audience (what and when to communicate)

Poor Communication = Failure

Page 12: Effective Incident Response

[Chart: remediation approach plotted against duration of compromise (Day, Week, Month, Year). The two approaches shown are Rolling Remediation and Surgical Strike, with High Risk regions marked.]

• What wave of compromise are you in?
• How long have the attackers been in your environment?
• How regularly do they access it?
• How deeply are they entrenched?
• How have you been communicating about remediation?
• Has data already been exfiltrated?

Page 13: Let's go Tactical: Detection, Isolation and Mitigation vs Business Impact

Detection
• What don’t we know, how can we find out?
• What don’t we have visibility of, and how can we improve this?
• Increased host based logging (event logs run out quickly!)
• Central logging and capture, host/network

Isolation
• Isolate critical systems and/or information
• Segregation and security enhancement

Mitigation (quick wins, but only after consideration)
• Initial blocking of C2
• Resetting passwords
• Deploying updated AV signatures, covering malware family
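The slide pairs "central logging and capture" with "initial blocking of C2", and the IR Models slide adds "mitigation verification"; the following added example (not code from the deck or from PwC) shows why the three belong together. It reads centrally captured proxy log lines, matches destinations against the C2 indicators the investigation has produced, and reports two things a responder needs after a block goes in: which internal hosts are still trying to reach C2 (the implant is still running on them, so they are candidates for isolation and imaging) and whether any of those connections were still allowed (the block has a gap). The indicator names, the log format and the log lines are all constructed placeholders.

```python
"""Verify an initial C2 block and find hosts still beaconing, from central proxy logs.

Added example for central log capture, initial blocking of C2 and mitigation
verification. Not code from the slide deck; the indicator list and the proxy
log lines are constructed, and real indicators would come from the investigation.
"""
import re
from collections import defaultdict

# Constructed C2 indicators handed over by the investigation team (placeholders).
C2_INDICATORS = {"c2-placeholder.example", "update-cdn-placeholder.example"}

# Constructed proxy log lines: timestamp, client, destination host, action, status.
PROXY_LOG = """\
2015-03-02T09:14:01Z 10.20.4.12 c2-placeholder.example BLOCKED 403
2015-03-02T09:14:31Z 10.20.4.12 c2-placeholder.example BLOCKED 403
2015-03-02T09:15:02Z 10.20.7.88 update-cdn-placeholder.example ALLOWED 200
2015-03-02T09:15:40Z 10.20.4.12 www.example.org ALLOWED 200
2015-03-02T09:16:05Z 10.20.9.3 c2-placeholder.example BLOCKED 403
2015-03-02T09:16:22Z 10.20.7.88 update-cdn-placeholder.example ALLOWED 200
"""

# Assumed log line layout for the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<action>ALLOWED|BLOCKED) (?P<status>\d{3})$"
)


def parse_proxy_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def verify_c2_block(text, indicators):
    """Return (still_beaconing, leaks).

    still_beaconing: client -> number of attempts to any indicator. These hosts
    are still infected even when the attempt was blocked, so they are the
    isolation/imaging list.
    leaks: (client, dest) pairs that were ALLOWED despite being on the indicator
    list, meaning the block has not been applied on every egress path.
    """
    still_beaconing = defaultdict(int)
    leaks = []
    for rec in parse_proxy_log(text):
        if rec["dest"] not in indicators:
            continue
        still_beaconing[rec["client"]] += 1
        if rec["action"] == "ALLOWED":
            leaks.append((rec["client"], rec["dest"]))
    return dict(still_beaconing), leaks


def block_is_effective(text, indicators):
    """True only when no connection to an indicator was allowed."""
    _, leaks = verify_c2_block(text, indicators)
    return not leaks


if __name__ == "__main__":
    beaconing, leaks = verify_c2_block(PROXY_LOG, C2_INDICATORS)
    print("Hosts still attempting C2:", beaconing)
    print("Allowed connections to C2 (block gaps):", leaks)
    print("Block effective:", block_is_effective(PROXY_LOG, C2_INDICATORS))
```

On the constructed log the block is reported as not effective: two hosts are blocked as intended, but a third reaches the second indicator twice with an ALLOWED result, which is exactly the case where a "quick win" mitigation would otherwise be assumed to be working. Consolidating egress points, as the strategic slide later recommends, is what makes this check complete rather than partial.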

Page 14: Time to Investigate

Page 15: Going Strategic

• Enhance network visibility; consolidate egress points where cost and performance benefits can be realised.
• Continue to identify any remaining vulnerabilities through internal and external penetration testing.
• Conduct a forensic and crisis readiness review.
• Consider implementing application whitelisting across the entire network.
• Further centralise and enhance logging capability.
• Subscribe to threat intelligence services.
• Consider segmentation of sensitive areas.
• Executive and user education and awareness campaign.
• Further technical controls.

Page 16: Bring it all together now… Prepare, Test and Repeat!

[Diagram: incident components across the pre-incident and incident phases, including forensic and crisis readiness and incident policy & playbook development.]

Page 17: Bring it all together now… Incident Response KPIs

• EVENT: Threat actor establishes access to environment.
• DETECTION: Triage alert & confirm incident.
• REPORTING: Document facts and containment approach.
• CONTAINMENT: Removing access and actor.
• REMEDIATION: Fully address the root cause of the issue.

Measured intervals: Dwell time, Containment time, Remediation time.
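The KPI slide names three intervals on the incident timeline without spelling out how they are derived, so the following added example (not code from the deck or from PwC) computes them from stage timestamps. It assumes the usual definitions: dwell time runs from EVENT to DETECTION, containment time from DETECTION to CONTAINMENT, and remediation time from CONTAINMENT to REMEDIATION. It also handles the two cases that make KPI reporting go wrong in practice: an incident that is still open (the missing interval is reported as unknown rather than zero) and a timeline recorded out of order (rejected as a data-entry error rather than producing a negative KPI). The incident records are constructed.

```python
"""Incident Response KPIs (dwell, containment, remediation time) from a timeline.

Added example for the KPI slide; not code from the deck. Assumed definitions:
dwell time = EVENT to DETECTION, containment time = DETECTION to CONTAINMENT,
remediation time = CONTAINMENT to REMEDIATION. Incident records are constructed.
"""
from datetime import datetime

STAGES = ["EVENT", "DETECTION", "CONTAINMENT", "REMEDIATION"]

# KPI name -> (start stage, end stage); the assumed definitions above.
KPI_SPANS = {
    "dwell_time": ("EVENT", "DETECTION"),
    "containment_time": ("DETECTION", "CONTAINMENT"),
    "remediation_time": ("CONTAINMENT", "REMEDIATION"),
}


def parse_timeline(records):
    """records: list of (stage, ISO-8601 timestamp). Returns {stage: datetime}.

    Raises ValueError for an unknown stage or for a timeline that runs backwards,
    since containment recorded before detection is a data-entry error, not a KPI.
    """
    timeline = {}
    for stage, ts in records:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        timeline[stage] = datetime.fromisoformat(ts)
    ordered = [timeline[s] for s in STAGES if s in timeline]
    if any(later < earlier for earlier, later in zip(ordered, ordered[1:])):
        raise ValueError("timeline runs backwards")
    return timeline


def kpis(records):
    """Each KPI as a timedelta; an interval whose end stage has not happened is None."""
    timeline = parse_timeline(records)
    return {
        name: (timeline[end] - timeline[start]) if start in timeline and end in timeline else None
        for name, (start, end) in KPI_SPANS.items()
    }


def is_open(records):
    """An incident stays open until REMEDIATION is recorded."""
    return "REMEDIATION" not in parse_timeline(records)


def summarise(incidents):
    """Average each KPI in hours across the incidents that completed that interval."""
    totals = {k: 0.0 for k in KPI_SPANS}
    counts = {k: 0 for k in KPI_SPANS}
    for records in incidents:
        for name, delta in kpis(records).items():
            if delta is not None:
                totals[name] += delta.total_seconds() / 3600
                counts[name] += 1
    return {k: (round(totals[k] / counts[k], 1) if counts[k] else None) for k in KPI_SPANS}


# Constructed incidents: the first fully remediated, the second still open.
INCIDENTS = [
    [("EVENT", "2015-01-05T02:10:00"), ("DETECTION", "2015-02-14T09:30:00"),
     ("CONTAINMENT", "2015-02-15T18:00:00"), ("REMEDIATION", "2015-03-20T12:00:00")],
    [("EVENT", "2015-04-01T11:00:00"), ("DETECTION", "2015-04-01T13:00:00"),
     ("CONTAINMENT", "2015-04-02T11:30:00")],
]

if __name__ == "__main__":
    for records in INCIDENTS:
        print("open" if is_open(records) else "closed", kpis(records))
    print("averages (hours):", summarise(INCIDENTS))
```

The first constructed incident shows the pattern the Effective Incident Response slide warns about: a dwell time of roughly forty days followed by a containment measured in hours, which is why dwell time is the KPI to watch for an entrenched actor. The open second incident contributes to the dwell and containment averages but not to remediation, so the averages stay honest about what has actually been completed.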

Page 18: Practical defence, prevention is better than cure…

• Build incident response ‘muscle-memory’ and prepare
• Use what’s free to limit exploits and unauthorised execution
• Limit privileges
• Leverage your endpoints
• Increase your visibility
• Harden your domain controllers

Page 19: Questions…

[email protected]
@SomeIRguy

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.