
Incident Response Management Processes - PowerPoint Presentation

giovanna-bartolotta
Uploaded On 2019-11-07



Presentation Transcript

Incident Response Management Processes


Incident Response Management Processes

1. Preparation
2. Identification and Triage
3. Escalation and Notification
4. Initial Containment
5. Analysis
6. Containment
7. Eradication
8. Restoration
9. Follow-Up

Top 10 Logs to Collect in Support of IR

- Both "allowed" and "denied" activity should be logged.

What Good Looks Like – SOC Analysis Tiers (Team / Duties / Operations)

- Level 0 / Monitoring platform with automated filters and use cases that filter out false positives automatically / Platform
- Level 1 / 24x7 SLA-driven security analysis. Filters out additional false positives and carries out basic security analysis on true incidents. / 24x7
- Level 2 / Second level of analysis by a senior team with access to threat intelligence and to business tools and systems for further business-context enrichment. / 8x5
- Level 3 / Advanced investigation of incidents escalated from Level 2. Communications with business unit stakeholders and Legal. / 8x5
- Level 4 / Access to a team of specialist incident responders providing malware reverse engineering, targeted threat hunting and forensic investigations. / Retainer
- Threat Intelligence / Access to threat intelligence from research carried out by a specialist team. The TI supports operational, strategic, tactical and technical security analysis. / Subscription

Agenda

- Strategy
- Common Entry Methods
- Incident Response
- Baking in Threat Intelligence
- Lessons Learned

Baking in Threat Intelligence (diagram; components shown: IDS/IPS, Advanced Malware detection, Attacker DB, Endpoint Monitoring, TI Service)

Evolution of Threat Indicators

Detection Pyramid (the "Pyramid of Pain": indicator types from bottom to top, with the cost to the threat actor to retool and the impact to the adversary both increasing towards the top)

1. Hash Values
2. IP Address
3. Domain Name
4. Network Signature
5. Host Signature
6. Tools
7. TTPs

Controls shown against the pyramid, from bottom to top: Anti-Virus, Blacklists, IPS Device, Endpoint, Threat Intelligence.

Join The Dots

- Behavior: RAR Password; Username; Filenames; Directories; Tool Arguments; Preferred Tools; Unique Toolset; Ping 127.0.0.1; Data Dumps
- Tactic: PowerShell command; Clear Event Logs; UAC Bypass; Scheduled Task; Network Recon; Network Scanning; Batch File Use; Execute Script; Data Collection
- Event: RAT Malware; Command & Control; Exploit & Escalation; Data Destruction; Credential Theft; Defensive Evasion; DDoS; Lateral Movement; Data Exfiltration
- Response: Initiate IR; Reset Credentials; Re-Image Host; Collect Memory Image; Collect Disk Image; Isolate Host; Disconnect from Internet; Review Windows Event Logs; Threat Hunting
- Actor: TG-2460; TG-8288; TG-4127; TG-4192; TG-6529; TG-0919; TG-0416; TG-0110; TG-2768


Join The Dots – worked path for TG-4127

- Behavior: RAR Password; Filenames; Tool Arguments; Preferred Tools
- Tactic: PowerShell command; Scheduled Task; Execute Script
- Event: RAT Malware; Command & Control; Lateral Movement; Data Exfiltration
- Response: Collect Memory Image; Collect Disk Image; Disconnect from Internet; Review Windows Event Logs; Threat Hunting
- Actor: TG-4127
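The TG-4127 path above is joined by eye; the same correlation can be automated. The Python below is an added example, not code from the deck or from SecureWorks: it classifies constructed EDR-style telemetry lines into the slide's Behavior/Tactic/Event columns using assumed regexes, scores the overlap against actor profiles (TG-4127 is transcribed from the slide; TG-0000 is a hypothetical profile included only for contrast), and emits the response actions the matching profile calls for.

```python
import re

# Actor profile transcribed from the deck's highlighted "Join The Dots" slide (TG-4127).
# TG-0000 is a constructed, hypothetical profile included only so the scoring has
# something to discriminate against; it is not threat intelligence.
PROFILES = {
    "TG-4127": {
        "behaviors": {"RAR Password", "Filenames", "Tool Arguments", "Preferred Tools"},
        "tactics": {"PowerShell command", "Scheduled Task", "Execute Script"},
        "events": {"RAT Malware", "Command & Control", "Lateral Movement", "Data Exfiltration"},
        "responses": ["Collect Memory Image", "Collect Disk Image", "Disconnect from Internet",
                      "Review Windows Event Logs", "Threat Hunting"],
    },
    "TG-0000": {  # hypothetical
        "behaviors": {"Username", "Data Dumps"},
        "tactics": {"Clear Event Logs", "Batch File Use"},
        "events": {"Credential Theft", "Data Destruction"},
        "responses": ["Reset Credentials", "Re-Image Host"],
    },
}

# Detection rules: (regex over one telemetry line, slide column, slide label).
# The regexes are assumptions about how an EDR might render these actions.
RULES = [
    (r"\brar\.exe\b.*\s-h?p\S*", "behaviors", "RAR Password"),
    (r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", "tactics", "PowerShell command"),
    (r"\bschtasks(\.exe)?\b.*/create\b", "tactics", "Scheduled Task"),
    (r"\bwevtutil(\.exe)?\b.*\bcl\b", "tactics", "Clear Event Logs"),
    (r"\bbeacon to \S+:\d+", "events", "Command & Control"),
    (r"\bpsexec\b|\bwmic\b.*process call create", "events", "Lateral Movement"),
    (r"\bupload \d+ bytes to \S+", "events", "Data Exfiltration"),
]

# Constructed EDR-style telemetry for one host (sample input, not real data).
TELEMETRY = [
    r"host=WS042 proc=C:\Windows\Temp\rar.exe args='a -hp S3cr3t stage.rar C:\Finance'",
    r"host=WS042 proc=powershell.exe args='-nop -w hidden -enc SQBFAFgA'",
    r"host=WS042 proc=schtasks.exe args='/create /tn Updater /tr C:\Windows\Temp\u.exe /sc hourly'",
    r"host=WS042 net beacon to 203.0.113.7:443 every 60s",
    r"host=WS042 proc=psexec.exe args='\\FS01 -s cmd.exe'",
    r"host=WS042 net upload 83886080 bytes to 203.0.113.7:443",
]


def classify(lines):
    """Map raw telemetry lines onto the slide's Behavior / Tactic / Event columns."""
    observed = {"behaviors": set(), "tactics": set(), "events": set()}
    for line in lines:
        for pattern, column, label in RULES:
            if re.search(pattern, line, flags=re.IGNORECASE):
                observed[column].add(label)
    return observed


def score(observed, profile):
    """Fraction of a profile's indicators (all three columns) seen in the telemetry."""
    total = matched = 0
    for column in ("behaviors", "tactics", "events"):
        total += len(profile[column])
        matched += len(profile[column] & observed[column])
    return matched / total if total else 0.0


def rank_actors(observed, profiles=PROFILES):
    """Actors ordered by overlap score, best match first."""
    return sorted(((name, score(observed, p)) for name, p in profiles.items()),
                  key=lambda item: item[1], reverse=True)


def recommend(observed, profiles=PROFILES, threshold=0.5):
    """Response actions: 'Initiate IR' as soon as any event is seen, then the playbook
    of every actor whose profile overlap reaches the threshold, in ranked order."""
    actions = ["Initiate IR"] if observed["events"] else []
    for name, overlap in rank_actors(observed, profiles):
        if overlap >= threshold:
            for action in profiles[name]["responses"]:
                if action not in actions:
                    actions.append(action)
    return actions


if __name__ == "__main__":
    obs = classify(TELEMETRY)
    for column, labels in obs.items():
        print(f"{column:10s} {sorted(labels)}")
    for name, overlap in rank_actors(obs):
        print(f"{name}: {overlap:.2f}")
    print("responses:", recommend(obs))
```

The threshold and the equal weighting of the three columns are choices, not rules from the deck; following the detection pyramid, a production version would weight TTP-level matches (the Event column) more heavily than single artifacts such as a filename.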

Agenda

- Strategy
- Common Entry Methods
- Incident Response
- Baking in Threat Intelligence
- Lessons Learned

People and Process Are Critical – Predict, Defend, Detect, Respond

Expertise and Staffing
- Manpower must be properly deployed against today's threats: a variety of technical skills, expertise and credentials.
- 24/7, 365 monitoring: outsource to expand capability.
- Ability to apply threat intelligence.
- Business skills: risk management, process development, advocacy.

Leadership and Accountability
- All employees appreciate the risks and know the tolerance.
- A tone at the top fosters accountability for security policy.
- Checks and balances ensure that policy and procedure are followed.
- Business leaders engage in Incident Response planning.

Security Awareness and Training
- Hackers prey on our tendency to be trusting and helpful.
- Insiders, even board members, can fall victim to email and phone phishing scams.
- An informed, vigilant workforce is the best defense.
- Effective employee training and awareness programs should emulate the threats.

Hackers anticipate process and policy breakdowns due to understaffing, lack of training or lack of accountability.

Top Controls to Mitigate Top Threats

How the NSA does it
http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/

- Network admin credentials are king.
- Once inside, they are good at finding hard-coded passwords or passwords transmitted in clear text.
- No vulnerability is insignificant, even temporary ones.
- Personal devices that employees bring into the office, on which they have allowed their kids to load Steam games, and which the workers then connect to the network.
- Partner connections such as HVAC.

Advice from the NSA

- Limit access privileges for important systems to those who really need them.
- Segment networks and important data to make it harder for hackers to reach your jewels.
- Patch systems and implement application whitelisting.
- Remove hard-coded passwords and legacy protocols that transmit passwords in the clear.
- Monitor network activity and produce logs that can record anomalous activity, plus a smart system administrator who actually reads the logs and pays attention to what they say.
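The hard-coded passwords and cleartext-password protocols that the talk says the NSA team looks for once inside can be hunted for in your own scripts and configuration before an intruder does. The scanner below is an added example, not code from the talk, the deck or SecureWorks; the file names, their contents and the regexes are constructed assumptions. It goes slightly beyond the slide by also flagging an AWS access key ID as a hard-coded credential, and it skips values that are environment-variable or template references so that a safe `${DB_PASSWORD}` is not reported as a secret.

```python
import re

# Constructed sample files (not real configuration): three contain the findings the
# talk describes, env.sh mixes a hard-coded key with a safe env-var reference, and
# clean.ini must produce nothing.
SAMPLE_FILES = {
    "deploy.ps1": (
        "$pw = ConvertTo-SecureString 'Winter2016!' -AsPlainText -Force\n"
        "$cred = New-Object System.Management.Automation.PSCredential('svc_backup', $pw)\n"
    ),
    "app.properties": "db.url=jdbc:mysql://db01:3306/app\ndb.user=app\ndb.password=Sup3rS3cret\n",
    "backup.sh": "#!/bin/sh\nftp -n ftp://backup:Passw0rd@10.0.0.9/dumps\ntelnet switch01\n",
    "clean.ini": "[service]\nendpoint=https://api.internal.example\ntimeout=30\n",
    "env.sh": 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nexport DB_PASSWORD="${DB_PASSWORD:?}"\n',
}

# (finding kind, compiled pattern). A rule that captures a `value` group has that value
# checked against PLACEHOLDER so references such as ${DB_PASSWORD} or %SECRET% are skipped.
RULES = [
    ("hardcoded-credential",
     re.compile(r"(?i)(password|passwd|pwd|passphrase|secret|api_?key|token)\s*[=:]\s*['\"]?(?P<value>[^'\"\s]+)")),
    ("hardcoded-credential",  # PowerShell plaintext-to-SecureString conversion of a literal
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText")),
    ("hardcoded-credential", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),  # AWS access key ID shape
    ("credential-in-url",    # user:pass@ embedded in a cleartext scheme
     re.compile(r"(?i)\b(ftp|telnet|http)://[^/\s:@]+:[^@\s]+@")),
    ("cleartext-protocol",   # invocation of a protocol that sends the password in the clear
     re.compile(r"(?i)(^|[\s;&|])(telnet|ftp|tftp|rsh|rlogin)\s+\S")),
]
PLACEHOLDER = re.compile(r"^[$%<{]")


def scan_text(name, text):
    """Return one finding per (line, rule) hit: {'file', 'line', 'kind', 'match'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.groupdict().get("value")
            if value is not None and PLACEHOLDER.match(value):
                continue  # env-var or template reference, not a literal secret
            findings.append({"file": name, "line": lineno, "kind": kind, "match": m.group(0)})
    return findings


def scan_files(files):
    """Scan a {name: text} mapping; on a real tree you would read the files in."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


def summarize(findings):
    """Count findings per kind for a quick report."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['file']}:{f['line']}  {f['kind']:22s} {f['match']}")
    print(summarize(results))
```

A rule like `password=` will also match test fixtures and documentation; the placeholder check removes the most common false positive, but the remaining hits still need a person to read them, which is the same point the last bullet makes about logs.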

Thank You! Who has the first question?

Eric Browning
ebrowning@secureworks.com