OVERCOMING incident response ROADBLOCKS (qualiti7.com/.../uploads/2018/...Incident-response.pdf)

OVERCOMING incident response ROADBLOCKS Benoît H. Dicaire & Serge Mélone iQ7 2018 Annual Conference — October 26, 2018


Page 1:

OVERCOMING incident response ROADBLOCKS

Benoît H. Dicaire & Serge Mélone

iQ7 2018 Annual Conference — October 26, 2018

Page 2:

AGENDA

Benoît H. Dicaire
www.linkedin.com/in/bhdicaire · 514 718-0002
Security & Privacy Strategist. Benoît designs risk strategies to help companies create better products and services.

Serge Mélone
www.linkedin.com/in/smelone · 514 594-7346
Security & Technology Risk Manager. Serge implements risk strategies to help companies create better products and services.

Page 3:

INTRODUCTION: Everyone is a target

§ Financial systems
§ Large enterprises
§ Consumer devices
§ Energy equipment
§ Aviation
§ Automotive industry
§ Government
§ Industrial equipment

Page 4:

INTRODUCTION: Your organization's perspective…

WE CONDUCTED A PENETRATION TEST.

A test only helps if it covers the entire infrastructure and the vulnerabilities it finds are actually fixed quickly.

WE’VE NEVER BEEN ATTACKED SO OUR SECURITY SYSTEM MUST BE GOOD.

Caution: threats continue to grow and become more complex, and an absence of detected attacks may only mean an absence of detection.

WE’VE DESIGNED HIGH-END SECURITY TOOLS.

Security tools are only effective when properly configured, integrated and monitored within all security operations.

WE COMPLY WITH INDUSTRY REGULATIONS AND BEST PRACTICES.

Compliance requirements usually define a minimum baseline of safeguards; they do not cover every critical system or piece of information.

A THIRD PARTY PROVIDER RUNS OUR SECURITY.

However competent the provider, the question is whether it knows your business well enough to take complex threats against it seriously and protect it adequately.

WE’VE INVESTED IN STRICT SECURITY CONTROLS.

Standard IT security controls alone are not enough; critical business assets must be protected first.

OUR SECURITY IS MANAGED ADEQUATELY BY THE IT TEAM.

A threat can take down the entire business, so management must work closely with IT.

WE ONLY NEED TO SECURE OUR INTERNET APPLICATIONS.

You must also be equipped against internal threats and abuse by members or staff.

WE’VE COMPLETED OUR SECURITY PROJECT.

Security is an ongoing program that is never completed.

WE AREN’T STATISTICALLY AT RISK.

Every company is at risk of a data breach and should be prepared.

Page 5:

INTRODUCTION: Your organization's approach to cybersecurity…

Oversight: Governance Body / Board / Audit Committee; Senior Management. External oversight: Regulator; External Audit.

1. Safety barrier (first line of defence): Internal control measures; Management controlling
2. Safety barrier (second line of defence): Security; Risk Management; Quality; Inspection; Compliance; Finance Controlling
3. Safety barrier (third line of defence): Internal Audit

Page 6:

AGENDA: Overcoming incident response roadblocks

1. Response planning
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Takeaways

Page 7:

RESPONSE PLANNING: Prepare for the inevitable…

Page 8:

“Your business must be prepared – an intrusion is inevitable for many organizations and preventative security measures will eventually fail. The question you must accept isn’t whether security incidents will occur, but rather how quickly they can be identified and resolved.”

Rob McMillan, Sr Director Analyst — Gartner

RESPONSE PLANNING: Assume you will be compromised, if not already…

Page 9:

RESPONSE PLANNING: Security incidents are just another type of incident

Page 10:

RESPONSE PLANNING: Major losses of productivity and of service availability are to be expected

Source: ENISA Business Continuity Process

Page 11:

RESPONSE PLANNING: A crisis is never far away…

Domino effect of a major incident:

§ Negative social media coverage
§ Loss of sales
§ Employees unable to access systems
§ Extreme pressure on operations
§ Forensic investigations
§ Cost of alerting customers
§ Negative local / national press
§ Contractual breach
§ Regulatory investigations
§ Remediation costs
§ Loss of customers
§ Loss of jobs
§ Loss of organization / business

Page 12:

DETECTION: Handling security incidents requires recognizing the signs of an incident

Page 13:

DETECTION: Taxonomy

1. FOUR GROUPS OF ATTACKERS: a. Government b. Enterprises c. Cybercriminals d. Cyberterrorists or hacktivists
2. CAPABILITY: the ability to hack, steal or damage
3. INCENTIVE: different motives to attack
4. FOUR TYPES OF TARGET: a. Public sector b. Private enterprise c. Individuals d. Critical national infrastructure (CNI)
5. VULNERABILITY: can be technical (lack of firewall) or human (employees being tricked)
6. ASSETS: a. Data b. Systems that vary in criticality

Diagram axes: Attackers / Capability / Incentive on one side; Vulnerability / Targets / Assets on the other.

Page 14:

DETECTION: Sometimes it's just about precursors of compromise

[Diagram: threat relationship map. Nodes: User, Manufacturer, Apps, Vulnerabilities, Malware, Botnets, SPAM, Drive-by exploits, Distributed Denial of Service attacks, Identity theft, Social engineering, Targeted attacks. Edge labels legible on the page: is careless with handling; bears responsibility for; is responsible for; applies patches; sends; enables; uses; distributes; entices to install; contains; depends on; is susceptible to; attacks; links. Which edge connects which nodes is not recoverable from the extracted text.]

Page 15:

DETECTION: Abnormal behaviour identification requires proper knowledge

Knowledge dimensions: Policy; Evaluation; Techniques; Process / Product / Business package / Ecosystem.

What you need to know:
§ Vulnerabilities
§ Configurations
§ Behaviours (users & entities)
§ Log management
§ Asset management
§ Identity and Access Management (IAM)
§ Cyber threat hunting
§ Security tools operations (IDS, IPS, anti-virus, etc.)
§ Events correlation
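The slide lists events correlation and behaviour analysis as knowledge you need for detection but does not show what a correlation rule looks like. The Python block below is an added example written for this page, not code from the original presentation. It parses constructed OpenSSH-style authentication log lines (sample data made up for the example) and applies two correlation rules: a burst of failed logins from one source inside a time window is reported as a precursor (a sign an incident may be coming), and a later accepted login from that same source is reported as an indicator (a sign it may already have happened). The precursor/indicator vocabulary follows NIST SP 800-61; the threshold of five failures in five minutes, the log format and the host name are assumptions.

```python
"""Event correlation over authentication logs (added example, not from the slides).

Rule 1 (precursor): at least FAIL_THRESHOLD failed logins from one source
inside WINDOW. Rule 2 (indicator): an accepted login from a source that is
already in precursor state. A single failure followed by success (a user
mistyping a password) must not fire; that case is included as a control.
Assumptions: OpenSSH-style syslog lines, year 2018, the thresholds below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed value
WINDOW = timedelta(minutes=5)   # assumed value

# Constructed sample log; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 26 09:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 26 09:00:03 bastion sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct 26 09:00:05 bastion sshd[4103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 26 09:00:07 bastion sshd[4104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct 26 09:00:09 bastion sshd[4105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 26 09:00:12 bastion sshd[4106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Oct 26 09:15:00 bastion sshd[4201]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Oct 26 09:15:30 bastion sshd[4202]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines, year=2018):
    """Turn raw syslog lines into event dicts; lines that are not auth results are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message, or another daemon entirely
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window correlation keyed on source address.

    Returns (severity, source, detail) tuples in time order.
    """
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    in_precursor = set()            # sources that already tripped rule 1

    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= fail_threshold and ev["src"] not in in_precursor:
                in_precursor.add(ev["src"])
                alerts.append(("PRECURSOR", ev["src"],
                               f"{len(q)} failed logins within {window}"))
        else:
            # A success from a source already in precursor state is the indicator.
            # The source stays flagged: it is suspect for the rest of the run.
            if ev["src"] in in_precursor:
                alerts.append(("INDICATOR", ev["src"],
                               f"accepted {ev['method']} for {ev['user']} after {len(q)} failures"))
            q.clear()   # a lone failure followed by success is a typo, not an incident
    return alerts


def detect(raw_log=SAMPLE_LOG):
    """Convenience entry point: parse then correlate one log blob."""
    return correlate(parse(raw_log.splitlines()))


if __name__ == "__main__":
    for severity, src, detail in detect():
        print(f"{severity:9} {src:15} {detail}")
```

On the sample data the rule fires twice for 203.0.113.7 (precursor at the fifth failure, indicator at the accepted root login) and not at all for alice, whose single mistyped password is the kind of noise a threshold exists to absorb. A rule this simple is also easy to evade (spread attempts across many sources or stretch them past the window), which is why the slide pairs events correlation with behaviour analysis, asset knowledge and threat hunting rather than relying on any one of them.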

Page 16:

CONTAINMENT: Stop it before getting overwhelmed

Page 17:

CONTAINMENT: Attackers classification

ATTACKER | OBJECTIVE | MEANS | APPROACH

STATE ACTORS, INTELLIGENCE
§ Objective: information; espionage; combating crime; damage
§ Means: enormous financial possibilities; benefits matter more than costs
§ Approach: buy knowledge; training; inconspicuous attacks; sustained

TERRORISTS
§ Objective: damage; attention; political manipulation
§ Means: average financial means
§ Approach: buying knowledge on the black market; physical and mental attacks

ORGANIZED CRIME
§ Objective: money; business; earning money; focus on cost/benefit
§ Means: existing gangs; organized specialists
§ Approach: blackmail

HACKTIVISTS, GROUPS
§ Objective: attention; damage; highlighting system vulnerabilities
§ Means: minimal means; huge bandwidth and coverage
§ Approach: motivated amateurs and specialists; momentum

VANDALS, SCRIPT KIDDIES
§ Objective: fame; reputation; attention
§ Means: minimal means; little knowledge
§ Approach: applying available tools; opportunistic

Page 18:

CONTAINMENT: The complexity of cyber attack capabilities is growing

EVOLUTION OF TECHNOLOGY (threat complexity rises from Low to High across the timeline):

1990s: Data in secure business systems
§ Mainframe systems § Internetworking § Emergence of open systems

2000s: Internet access and highly connected systems
§ Online access to citizen data § Advances in internetworking § Citizen self service

2010-2014: Access anywhere & anytime
§ Integrated online eligibility systems § Big data § Cloud § Mobile

Now: Data everywhere; user-experience driven
§ Wearable technology § Internet of things § Smart devices § Drones § Artificial intelligence § Mobile payment § Etc.

Threat types plotted on the chart: insecure code, hackers, network attacks, malware, identity theft, data breach, cyber crime, cyber terrorism, critical infrastructure attacks, foreign state sponsored cyber espionage, cyber warfare.

THE ATTACK LIFECYCLE AKA KILL CHAIN:
1. Recon
2. Weaponize
3. Deliver
4. Exploit
5. Control
6. Execute
7. Maintain

Page 19:

CONTAINMENT: Advanced Persistent Threat (APT)

Cyber-attack lifecycle for an APT attack:
1. Looking for victims
2. Initial infection
3. Spying on the network
4. Obtaining further rights
5. Data espionage / sabotaging systems
6. Eliminating evidence
7. Continuous monitoring
8. Preparing for / diverting attacks

Page 20:

ERADICATION: Be nice or leave…

Page 21:

ERADICATION: Play by your rules…

A playbook per specific threat:
§ Third-party data leak such as Cloudbleed
§ Ransomware such as WannaCry
§ Stolen or lost laptop
§ Stolen privileged user identity
§ Distributed Denial of Service
§ Etc.

Page 22:

ERADICATION: Do not expect all playbooks to have the same maturity level…

Maturity levels: 1. Ad hoc or initial 2. Repeatable 3. Defined 4. Managed 5. Optimized

Example of improvement for application security: the improvement raises application security maturity from level 2 to level 3.

Example of improvement for threat and vulnerability management: currently only at level 1; the target state is set to level 4.

Page 23:

RECOVERY: Get everything back to “normal”

Page 24:

RECOVERY: All stakeholders execute their contingency and recovery plans

Internal stakeholders: Owner; Management; Employee
External stakeholders: Customer; Supplier; Partner; Shareholder; Public

Page 25:

TAKEAWAYS: Unlocking your incident response capability

Page 26:

TAKEAWAYS: Don’t reinvent the wheel

Page 27:

TAKEAWAYS: Continuous improvement with security and privacy inputs

Incident Management Process cycle:
1. Risk analysis
2. Policies, organizational measures
3. Technical measures
4. Validation and improvement

Page 28:

TAKEAWAYS: Reference materials

§ Computer Emergency Response Team (CERT)
  – CERT (Carnegie Mellon University)
  – CanCERT (EWA Canada)
  – Canadian Cyber Incident Response Centre (Canada)
  – OpenCert
  – CertAQ (CSQPQ)
§ ISO/IEC 27035 Information security incident management
  1. Principles of incident management
  2. Guidelines to plan and prepare for incident response
  3. Guidelines for incident response operations
§ ISO/IEC 27037:2012 Guidelines for identification, collection, acquisition and preservation of digital evidence
§ Computer Security Incident Handling Guide (NIST SP 800-61 Rev. 2)
§ Create a Computer Security Incident Response Team (Carnegie Mellon University)
§ Good Practice Guide for Incident Management (ENISA)
  – Study on CSIRT Maturity – Evaluation Process
  – Security requirements for the procurement of products and services
§ Gestion des événements de cybersécurité (Cybersecurity event management, Canada)
§ Association of Chief Police Officers Good Practice Guide for Digital Evidence
§ Best Practices for Victim Response and Reporting of Cyber Incidents (US Department of Justice)
§ Data compromise procedure (Visa)