Presentation on theme: "Adapting Incident Response to Meet the"— Presentation transcript:

Slide1

Adapting Incident Response to Meet the Threat

Jeff Schilling Director, Global Incident Response and Digital Forensics

SecureWorks

Slide2

Agenda

Why change your approach?

Do you really know your environment?

Do you really know/understand your threat?

Where to focus your efforts to respond?

Measuring success

Slide3

My Press Box View

My view as the Director of the Army’s Global Network Security Team

My view as the Director of the Dell SecureWorks Incident Response Practice

Slide4

The Dell SecureWorks Incident Response Practice

300+ projects last year

42% of our engagements were with Medium-sized business

58% were large enterprise customers

70% of our engagements were active Incident Response

30% were proactive engagements

20% of our projects involved Advanced Persistent Threat (Targeted Threat)

Our observations from 2012 engagements:

End users still the primary targets (51% of the time)

Servers and applications running second (39% of the time)

20% of our engagements involved insider threat activity

Slide5

Do I need to change my approach?

Slide6

Getting to “yes”

Do you rarely see the same activity on your networks with the same success?

Do you conduct trend analysis of your security incidents?

Have you analyzed the things you can control and the things you can’t?

People

Processes

Technology

For the things you can’t control, have you calculated the risks or outcomes?

Have you insured or transferred that risk?

Do you make adjustments to your security controls based on trends?

Do you have a plan or playbook to address your most common Incidents?

Do you rehearse and update these plans?

Slide7

Do you really know your environment?

Slide8

Which picture best describes your network?

Do you have an updated/accurate network diagram? Are you a part of the change management process so you know when it changes?

Have you studied your network flow to know what ports and protocols to accept and ones to deny?

Do you validate with Pen Tests, Vulnerability Scans, Netflow Monitoring?

Do you have defined network boundaries with the Internet?

Do you leverage Active Directory to assign risk and controls to Organizational Units?

Is “white listing” embraced in your organization?

Do you have a standard, secure image/baseline for hosts and servers?

Do you centralize your event log monitoring?

Do you limit workstation to workstation communication?


Slide9

Do you really know your enemy?

Slide10

Categories of threat

Commodity Threat: “Phishing with Dynamite”

Automated control for scale

Can be defended with good signature based controls

Buys trade craft

Can be sophisticated and polymorphic

Favorite vectors: Server compromises, Non-targeted phishing, Web drive-bys

Smash and grab

Advanced Persistent Threat: “Playing chess”

Human controlled (just for you)

Custom trade craft

Favorite vectors: Highly targeted phishing, Water holing web drive-bys, Some server compromises

Highly targeted efforts

Attempts to cover their tracks

Will compromise partners to get to you

Goal is to log on, become an insider

Insider Threat: “Fly on the wall”

Hardest to detect, tries to hide in normal activity

Usually has elevated privileges

In most cases, assumes not being monitored

Rarely uses tradecraft: when they do, normally crawlers

Usually has access to data that does not pertain to their job, that is what they take

May use “close access” techniques

Attempts to cover their tracks

Managers/HR usually not surprised when insider is caught

May be some overlap in APT and Insider threat detection

Slide11

Categories of Intent/Motive

Disrupt

Destroy

Deny

Revenge

Embarrass

Intimidate

Competitive advantage

Fill in an innovation gap

Nation-state level espionage

Steal your Money

Steal your clients’ money

Identity Theft

Fraud

Hacktivists/Revenge

Cyber Warfare

Intellectual Property Theft

Crime

Slide12

Pulling it all together

Commodity

Advanced Persistent Threat

Insider

Crime

Hacktivism

Revenge

Intellectual property theft

Cyber Warfare

Cardholder Data/PII/Identity

Core Business Processes

Critical Infrastructure

Intellectual Property

Web applications

Financial data/processes

Executive communication

Monetary loss

Availability

Confidentiality

Integrity

Personal harm

Reputation

Botnets

Server compromise

DoS

Malicious code

Web infection

Phishing

Physical Theft/Loss/Damage

Targeted Attacks

Worms/Trojans

IPS/IDS

Firewall/Web app FW

DDOS filtering

Web/mail Proxy

VM inspection

Host level controls

SIEM/Log monitoring

Vulnerability mgt

Access control

DLP

DRM

User actions

Policy

Slide13

What should an IR plan look like?

Base document (Policy and Guidelines, does not change very often)

Roles and responsibilities

Description of the overall process

Identification of Incident Types

Work flows

Identification of third party providers

Playbooks/Appendix/Run Books (Procedures, constantly updated)

One for each Incident Type

Criteria for declaring an incident

Checklist driven actions

Point of Contact Lists

Key players on the Security team

Key players on the IT staff (if separate from the Security team)

Key decision makers outside of Security and IT

Third party providers (ISP, outside consulting, etc.)

Slide14

Threat Intelligence Maturity Model

[Figure: maturity model with three stages plotted against Time and Maturity; each stage comprises Data Collection, Analysis, Investigation, Synthesis, and Decision Making and Action]

Enhanced from “BI Capability Maturity Model”

Slide15

Feedback loop

How do you apply intelligence?

[Diagram nodes: Hostile actor ID; Actor motivations; Attacker tactics; Material threats; Intel on tradecraft; Threat Intelligence Database; Context and countermeasures. Questions: What does it mean? How to resist? What is the next action? Application areas: Incident Response; Hiring practices; Data protection; Business Operations; Physical security; IT Security]

Slide16

Where to focus your Response Efforts?

Slide17

Do you live on the OODA Loop?

Observe

Orient

Decide

Act

[Diagram nodes, in the order shown: Vulnerabilities; Adversaries; Your Assets; Analysis & Classification; Counter Measure Control and Efficacy; Malware; Risk Assessment; Counter-measure Plan; Develop & Deploy Counter-measures; Apply Threat Intel to control; Detect (SOC Ops); Incident Response; Contain/Eradicate]

Slide18

The “Broken Windows” approach

Answers

Identify your “broken windows”

Establish network visibility

Segment to protect critical assets, create security zones

Layered defensive strategy

Intelligence informed SIEM

Network detection/prevention

Host level detection/prevention

Virtual machine detonation

Get control of your elevated privileges, if you can

Protect and leverage your Active Directory structure

Whitelist your servers, protocols and ports

Focus on SMTP and Web traffic

Talk to managers and HR about high risk employees with elevated privileges

Questions

Where is my most important data?

Where are most of my incidents happening?

Where am I most vulnerable?

What is (are) the worst possible thing(s) that could happen?

Can I detect where I am most vulnerable?

Can I contain where I am most vulnerable?

Can I see the insider threat?

Slide19

How do you measure success?

Slide20

Success, Failure and False metrics

Indications of Failing Trends

Increase of recurring incidents

Increase in dwell time

Increase in the number of incidents reported by the user vs. detected by the SOC

Increased number of root level and domain compromises

Increased number of compromised servers/web applications

Increase in the number of incidents involving CVEs

Increase in business impact of incidents

Increase of incidents closed where root cause is indeterminate

Indication of Successful Trends

Decrease in time between detection and containment

Decrease in the number of successful commodity infections

Decrease in number of incidents that spread to multiple hosts

Increase in the number of APT and Insider threat detection

Decrease in third party reporting of incidents (FBI, USSS, partners)

Reduction in successful Phishing

False Metrics

Increase or decrease in number of incidents

Increase or decrease in number of detections

Investment in security technology!
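As an added example (not from the presentation), the failing and successful trend indicators on this slide can be computed from incident records and compared across two periods; the record fields, the 10% tolerance and the two-quarter sample data are constructed here, and the raw incident count is carried along only to show it being left out of the verdict.

```python
from dataclasses import dataclass
from datetime import datetime as dt
from statistics import mean

@dataclass
class Incident:
    first_activity: dt      # earliest evidence of hostile activity
    detected: dt
    contained: dt
    source: str             # "soc" (found by the SOC) or "user" (reported by a user)
    root_cause_known: bool  # False = closed with root cause indeterminate
    hosts_affected: int

def _days(start, end):
    return (end - start).total_seconds() / 86400

def period_metrics(incidents):
    """Per-period indicators from the slide; lower is better for all but the count."""
    n = len(incidents)
    return {
        "dwell_days": mean(_days(i.first_activity, i.detected) for i in incidents),
        "detect_to_contain_days": mean(_days(i.detected, i.contained) for i in incidents),
        "user_reported_ratio": sum(i.source == "user" for i in incidents) / n,
        "multi_host_ratio": sum(i.hosts_affected > 1 for i in incidents) / n,
        "indeterminate_ratio": sum(not i.root_cause_known for i in incidents) / n,
        "incident_count": n,  # the slide's "false metric": reported, never judged
    }

TREND_METRICS = ("dwell_days", "detect_to_contain_days", "user_reported_ratio",
                 "multi_host_ratio", "indeterminate_ratio")

def assess(prev, cur, tolerance=0.10):
    """Label each trend metric failing/improving/flat; changes within +/-10% are flat."""
    verdict = {}
    for m in TREND_METRICS:
        # a zero baseline that rises is treated as an unbounded (failing) change
        change = (cur[m] - prev[m]) / prev[m] if prev[m] else (float("inf") if cur[m] else 0.0)
        verdict[m] = "failing" if change > tolerance else "improving" if change < -tolerance else "flat"
    return verdict

# Constructed sample data (hypothetical): two consecutive quarters of incidents.
Q1 = [Incident(dt(2013, 1, 2), dt(2013, 1, 12), dt(2013, 1, 15), "user", True, 3),
      Incident(dt(2013, 2, 1), dt(2013, 2, 21), dt(2013, 2, 26), "user", False, 1),
      Incident(dt(2013, 3, 5), dt(2013, 3, 8), dt(2013, 3, 9), "soc", True, 1)]
Q2 = [Incident(dt(2013, 4, 1), dt(2013, 4, 3), dt(2013, 4, 4), "soc", True, 1),
      Incident(dt(2013, 5, 10), dt(2013, 5, 14), dt(2013, 5, 15), "soc", True, 1),
      Incident(dt(2013, 6, 2), dt(2013, 6, 5), dt(2013, 6, 6), "user", True, 1),
      Incident(dt(2013, 6, 20), dt(2013, 6, 22), dt(2013, 6, 23), "soc", True, 2)]
```

In the sample, Q2 has more incidents than Q1 yet every trend metric improves, which is exactly why the count alone is a false metric.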

Slide21

Conclusion

Analyze your environment; know your strengths and weaknesses

Ensure you understand the threat’s capabilities, intent and vectors

Focus your response on your “broken windows”

Ensure you are achieving success and not reinforcing failure in your Incident Response processes

Slide22

Resources

Dell SecureWorks Incident Response

http://go.secureworks.com/incident-response

SANS Incident Response Training

http://www.sans.org/course/advanced-computer-forensic-analysis-incident-response

White Paper - Accelerating Incident Response: How Integrated Services Reduce Risk and the Impact of a Security Breach

http://www.secureworks.com/resources/articles/featured_articles/accelerating-incident-response-reducing-risk-and-impact

NIST Computer Security Incident Handling Guide

http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

If you suspect a security breach, contact the Dell SecureWorks Incident Response team at 877-884-1110.

Slide23

Questions?