Transcript: Putting Your Incident Response to the Test
OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.
Putting Your Incident Response to the Test: How Ready Are You, Really?
Jeff Laskowski, Director, FireEye Mandiant
Evan Pena, Global Red Team Lead, FireEye Mandiant
Why test incident response?
“For the things we have to learn before we can do them, we learn by doing them.”
Aristotle, Greek philosopher and scientist
©2018 FireEye
Brutal Truth
§ Security compromises are inevitable…but they can be mitigated
§ Are you prepared? How do you know?
Ever Increasing Complexity of Systems
Accelerating Technology Innovation
Few Risks or Repercussions for the Attackers
Importance of Internal Detection

Notification by source (global): 62% of compromises were discovered internally, 38% came from external notification.

Median dwell time in days, by region and notification source (chart reconstructed from the slide; values as shown):

Region     All notifications   Internal discovery   External notification
Global     101                 57.5                 186
Americas   75.5                42.5                 124.5
EMEA       175                 24.5                 305
APAC       498                 320.5                1088

Source: M-Trends 2018
Who We Are
What Do Leaders Need To Know/Ask Before A Breach?
§ What are our current cyber risks and what is the potential business impact related to each risk? What is our plan to address those risks?
§ How are our executives informed about cyber risks and their potential business impact to the company?
§ Does our cyber security program apply industry standards and best practices?
§ How many and what types of cyber incidents do we detect in a typical week? At what point is the executive team notified?
§ How comprehensive is our cyber incident response plan and how often is it tested?
What Will Leaders Ask During A Breach?
“If you’re breached and you know it, somebody else knows too. You are in an absolute foot race to get your arms around what happened and what you are doing about it.”
Kevin Mandia, CEO, FireEye
Response Capability By Security Maturity

Incident response capability (vertical axis) grows with security maturity (horizontal axis, from ad hoc to optimized) through three stages:

Reactive: Technology Reliant (anti-virus, firewalls, IDS/IPS, SIEM monitoring)
• May have people but do not have response processes
• Alert-response challenges
• Limited process to control critical data

Proactive: Response Capability (basic IR capability, threat detection, log analytics, on-demand CIRT services)
• Core procedures in place, efficiencies may vary

Predictive: Threat Intel and Data Analytics (advanced IR capability, threat intelligence and subscriptions, APT hunting)
• Solid response capability, consistently refining response processes and procedures
An Intelligence-Led Approach to Services

FireEye Threat Intelligence combines three kinds of intelligence: machine intel, adversary intel and victim intel. Inputs shown on the slide: attacker telemetry and proliferation, attacker context, indicators of compromise, attacker TTPs, and victim behavior before, during and after an incident.
Testing Your IR Processes – At Many Levels

Tabletop Exercises

Paper-based, inject-driven role play assessing technical response capability and/or crisis management capability.

Technical tabletop
• Why: assess technical response capability
• Who: cyber security incident response team (CSIRT), security / SOC manager, technical team
• What: how analysts follow the defined IRP, communication plan and escalation matrix; when to isolate hosts on the network; when to reimage a system; when and how to engage legal counsel and third-party vendors

Executive tabletop
• Why: assess crisis management capability through the lens of the executive team
• Who: Chief Information Security Officer (CISO), C-suite executives, General Counsel, public relations and corporate communications
• What: decision-making around the impact of containment tactics; considerations for paying extortion or ransom threats; breach disclosure requirements to regulators and key stakeholders; customer notification best practices; media communication best practices
Case Study – Executive Tabletop Exercise
§ Who: Global consulting firm
§ Why: Validate executive communications throughout an incident
§ Simulated incident included an unconfirmed data loss, executive extortion, social media, and systems outage during remediation
§ Outcomes:
  – Clarified notification and escalation thresholds between CIO, executives and board-level communication
  – Identified out-of-band communications protocols to be used during an incident
  – Improved incident response plan to address gaps
Where the Rubber Meets the Road: Red Team Assessments

Test your ability to respond to a real-world attack without the real-world risk.

Red Team Operations
• Objective: test ability to protect key assets, such as executive email and customer data, against a targeted attack
• How it works: emulate a real-world targeted attack, doing whatever is necessary to accomplish the goal
• Customer security team involvement: respond to the targeted attack; option for the security team to know they are in an exercise

Red Team for Security Operations
• Objective: evaluate detect, prevent and respond capabilities
• How it works: a Mandiant incident responder works with your security team, coaching along the way
• Customer security team involvement: respond to attack scenarios with a Mandiant incident responder observing and coaching
Case Study – Red Team Assessment
§ Who: Building materials manufacturer
§ Why: Evaluate their security posture by achieving pre-defined goals (access CEO emails, intellectual property, etc.)
§ History: The point of contact had hired Mandiant twice before while working at former companies
§ How: Phishing -> privilege escalation / lateral movement -> CEO used an iPad! -> Exchange admin -> email delegation rules FTW
§ Outcomes:
  – Updated password policy
  – Logging and alerting on email delegation rules
  – Various other account and infrastructure security configuration updates
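The outcome above, logging and alerting on email delegation rules, is the check a practitioner would want to see in code. The block below is an added example, not FireEye/Mandiant code: it classifies Exchange admin audit records that grant another principal access to a mailbox or divert its inbound mail, and escalates changes that touch executive mailboxes, are made by an account outside the approved admin list, or forward mail outside the organisation. The records are constructed here in the shape of Office 365 unified-audit-log ExchangeAdmin entries (Operation, Parameters as Name/Value pairs, ObjectId, UserId); in a live tenant the same records come from Search-UnifiedAuditLog -RecordType ExchangeAdmin, or Search-AdminAuditLog on-premises. The VIP list, approved admin list and internal domain are assumptions for the demo.

```python
"""Alert on Exchange mailbox delegation and mail-forwarding changes.

Added example, not FireEye/Mandiant code. Records are constructed in the
shape of Office 365 unified-audit-log "ExchangeAdmin" entries (Operation,
Parameters as Name/Value pairs, ObjectId, UserId). The VIP list, approved
admin list and internal domain below are assumptions for the demo.
"""
import json

INTERNAL_DOMAINS = {"example.com"}                         # assumption
VIP_MAILBOXES = {"ceo@example.com", "cfo@example.com"}     # assumption
APPROVED_ADMINS = {"exchange-admin@example.com"}           # assumption

# Cmdlets that give another principal access to a mailbox ...
DELEGATION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission",
                  "Add-MailboxFolderPermission"}
# ... and cmdlets whose parameters can divert a mailbox's inbound mail.
FORWARDING_OPS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardingAddress", "ForwardingSmtpAddress", "ForwardTo",
                  "ForwardAsAttachmentTo", "RedirectTo"}


def _params(record):
    """Flatten the Parameters array into a dict of Name -> Value."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _domain(address):
    """Domain of an SMTP address, lower-cased; tolerates an 'smtp:' prefix."""
    addr = address.lower().split(":")[-1].strip()
    return addr.rsplit("@", 1)[-1]


def classify(record):
    """Return (severity, reason) for a delegation or forwarding change, else None."""
    op = record.get("Operation", "")
    p = _params(record)
    actor = record.get("UserId", "").lower()
    target = (p.get("Identity") or p.get("Mailbox") or record.get("ObjectId", "")).lower()

    if op in DELEGATION_OPS:
        grantee = p.get("User") or p.get("Trustee") or "?"
        rights = p.get("AccessRights", "?")
        # Delegation on an executive mailbox, or by an account that is not a
        # known Exchange admin, is the pattern the case study describes.
        high = target in VIP_MAILBOXES or actor not in APPROVED_ADMINS
        reason = f"{op}: {actor} granted {grantee} {rights} on {target}"
    elif op in FORWARDING_OPS:
        dests = [v for k, v in p.items() if k in FORWARD_PARAMS and v]
        if not dests:
            return None  # e.g. Set-Mailbox that only changed a display name
        # Any forward leaving the organisation is high regardless of who set it.
        high = target in VIP_MAILBOXES or any(
            _domain(d) not in INTERNAL_DOMAINS for d in dests)
        reason = f"{op}: {actor} forwards {target} to {', '.join(dests)}"
    else:
        return None
    return ("high" if high else "medium"), reason


def scan(records):
    """Run classify over an iterable of records and return the alerts in order."""
    return [a for a in (classify(r) for r in records) if a is not None]


# Constructed sample log: newline-delimited JSON, one audit record per line.
SAMPLE_LOG = """
{"CreationTime": "2018-09-12T03:14:07", "Operation": "Add-MailboxPermission", "UserId": "svc-backup@example.com", "ObjectId": "ceo@example.com", "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"}, {"Name": "User", "Value": "jsmith@example.com"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
{"CreationTime": "2018-09-12T03:15:40", "Operation": "New-InboxRule", "UserId": "cfo@example.com", "ObjectId": "cfo@example.com", "Parameters": [{"Name": "Mailbox", "Value": "cfo@example.com"}, {"Name": "Name", "Value": "Archive"}, {"Name": "ForwardTo", "Value": "archive@example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2018-09-12T08:02:11", "Operation": "Set-Mailbox", "UserId": "exchange-admin@example.com", "ObjectId": "alice@example.com", "Parameters": [{"Name": "Identity", "Value": "alice@example.com"}, {"Name": "DisplayName", "Value": "Alice Liddell"}]}
{"CreationTime": "2018-09-12T09:30:00", "Operation": "Add-MailboxPermission", "UserId": "exchange-admin@example.com", "ObjectId": "helpdesk@example.com", "Parameters": [{"Name": "Identity", "Value": "helpdesk@example.com"}, {"Name": "User", "Value": "bob@example.com"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
"""
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_RECORDS):
        print(f"[{severity.upper()}] {reason}")
```

Of the four constructed records, the first (a service account granting a third party FullAccess on the CEO mailbox) and the second (an inbox rule forwarding the CFO's mail to an external domain and deleting the original) come out high; the display-name change is ignored, and the routine FullAccess grant on a shared mailbox by the approved admin is medium. The severity rules are the knobs to tune per environment; the point is that every delegation and forwarding change produces a record that a SOC reviews, which is what the case study's remediation added.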
Helping you practice for a better tomorrow

ThreatSpace: Practice responding to real-world threats without real consequences
§ Assess existing technical capabilities and processes through targeted attack investigations in a virtualized environment
§ A cyber “range” is configured to simulate a typical enterprise environment
§ Practice detecting and responding to new and emerging real-world attack scenarios and threat actor TTPs
Incident Response Retainers: Rapid Response When Needed Most
§ Pre-established terms and conditions for service in event of a suspected or confirmed cyber security incident save precious time when it matters most
§ Provides your organization a trusted partner to call when the inevitable happens
§ Proactive approach to reduce response time and speed containment
§ Ultimately reducing business impact and cost of a breach
Key Takeaways
§ Testing your response process is critical to program development
§ Use the right tools for the job
§ Selecting the right security partner
  – First-hand investigation experience matters
  – Tailored TTPs
  – Beyond automation
  – Objective oriented
  – Ability to covertly test
  – Compliance and beyond
Q&A

Thank you!

Read our latest case study at: fireeye.com/services/red-team-assessments

Contact us: Jeff Laskowski, Evan Pena