Incident Management Framework - Phoenix ISSA

Uploaded by italiansaucy (Software & software engineering), 13 Dec 2013

Slide 1: Incident Management - Evolution of Protection
Implementing a Pro-Active Approach to Cybersecurity

Benjamin Stephan, Director of Incident Management, FishNet Security


Slide 2: Agenda

- Introduction
- Today’s Threat Landscape
- Incident Management Life Cycle
- Incident Management Framework
- Next Steps

Statistics in this presentation provided by Ponemon Institute Annual Study on Cyber Crime Costs.


Slide 3: Cybercrime has become a high stakes game…

…and they are highly motivated to take your data…
- State sponsored
- Crime syndicates
- Hacktivists

…for a number of reasons
- Financial Gain
- Industrial Espionage
- IP Theft
- Political motivation
- Botnet Services


Slide 4: Threat Trends of 2011

The top trends related to a breach:
- Negligence
- Lack of CISO leadership
- Lack of external consulting support
- First time offense
- Lost or stolen device

- Median annualized cost of cyber crime is $5.9 million per year, with a range of $1.5 million to $36.5 million each year.
  - Increase of 56% over 2010
- Average per capita cost was $284 per enterprise seat
  - Varies by size of the organization, with smaller firms incurring a greater per capita cost of $1,008 on average versus larger organizations

*Results provided by Ponemon study.

Slide 5: Corporate Security Posture Related to Breach Cost

(Chart; only the footnote survived extraction.)
*SES: Security Effectiveness Score; developed by PGP Corporation and Ponemon Institute. The higher the score, the more effective an organization is at achieving security initiatives.



Slide 7: What Are Your Challenges?

- Malicious traffic evading traditional perimeter security solutions
- Difficulty validating alerts and determining scope of incident
- Lack of endpoint visibility
- Lack of defined incident management and response processes
- Untested procedures and infrastructure
- Inability to respond to every alert
- Insufficient view of network traffic


Slide 8: What Is The Impact?

- Difficult or impossible to truly understand and gauge risk
- Time to contain an event and return to a trusted state takes too long
- Overwhelmed with alerts
- Spend excessive time reducing false positives
- Incident response is time consuming, expensive and incomplete
- Potential loss of data
- No formalized operational procedures

Slide 9: The Solution

How can you defend against the unknown?
How can your company protect its critical assets?

Slide 10: Solution: Incident Life Cycle, IMF, Incident Workflow

Slide 11: Incident Management Lifecycle

(Cycle diagram; labels recovered: four phases, Operational, Tactical, Reaction and Inoculation, with the steps Detect, Confirm, Triage, Contain, Remediate, Improve.)

Slide 12: Incident Management Life Cycle

1. Operational
- Detect malicious traffic ‘on the wire’
- Identify symptoms of an attack via log analysis
- Confirm symptoms through automated and manual procedures
- Analyze 3rd party threat feeds
- Engage legal counsel
- Capture relevant malware artifacts

2. Tactical
- Validate findings against endpoint data
- Triage live systems based on symptomatic evidence
- Determine scope, uncover additional information
- Work with critical business units to determine risk potential
- Deploy targeted analytic solutions to further quantify attack profile
- Control the threat to extend investigation time

Slide 13: Incident Management Life Cycle (continued)

3. Reaction
- Disconnect compromised systems or networks
- Cut C&C communication, kill active processes
- Escalate drastic containment procedures for authorization
- Defend sensitive and critical assets
- Engage 3rd party support as necessary
- Wipe all identified malware and related artifacts
- Schedule custom scans to mitigate secondary re-infection

4. Inoculation
- Update virus signatures where applicable
- Implement strong enterprise solutions
- Document findings and results
- Update policies and procedures to compensate for deficiencies
- Ensure management support of pro-active measures


Slide 14: Incident Management Framework (IMF)

- 2011 has been inundated with cyber warfare attacks from across the globe.
- The attackers have become more and more aggressive and sophisticated.
- In an effort to assist companies in defending against this onslaught of attacks, FishNet Security has architected an Incident Management Framework (IMF).
- The IMF is a security framework based on the “best of breed” incident response controls outlined in many known security frameworks, such as ISO, ITIL, PCI, NIST, etc.


Slide 15: Incident Management Framework (IMF)

By providing companies with a baseline framework dedicated to incident management, an entity can:
- Minimize product costs through strategic enterprise solutions
- Mitigate risk exposure through effective operational controls
- Improve staff efficiency through better understanding of cyber threats
- Bridge the “gap” between “legal” and “IT”
- Implement advanced malware countermeasures to defend the corporate network

Slide 16: Incident Management Framework (IMF)

1. Communication
- Internal
  - When an incident occurs there must be defined escalation protocols to ensure the right individuals are communicated with and “kept in the loop”.
  - Reporting an event can be one of the most important initial actions. There are laws that must be considered as well as public relations issues.
- External
  - Companies must have established relationships with third party entities and law enforcement prior to an incident.

2. Collection
- Acquisition
  - Electronically stored information (ESI) must be collected in a forensically sound manner.
- Chain of Custody
  - Physical access to any collected information must be maintained at all times.
  - Physical security controls must be implemented to ensure accurate accounting of physical access.
- Data Retention
  - Policies must be defined as to how long ESI will be stored.
  - Failure to define policies can lead to potential spoliation issues.

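As an added example (not from the FishNet deck) of the Collection step above, a small hash-chained chain-of-custody ledger: the acquisition hash is recorded once, every later transfer commits to the previous entry's digest, and verification detects both an edited custody record and a working copy that no longer matches what was acquired. The evidence bytes, identifiers and actor names are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for acquired ESI (e.g. a disk image); not a real acquisition.
SAMPLE_IMAGE = b"constructed evidence image bytes: not a real acquisition"
GENESIS = "0" * 64   # prev_hash of the first ledger entry

def acquisition_hash(data: bytes) -> str:
    """SHA-256 of the ESI as acquired; recorded once at collection time."""
    return hashlib.sha256(data).hexdigest()

def append_custody_entry(ledger: list, evidence_id: str, actor: str, action: str,
                         evidence_hash: str, when: Optional[datetime] = None) -> dict:
    """Append a custody record that commits to the previous record's digest, so
    a transfer cannot be edited or dropped without breaking every later link."""
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS
    entry = {
        "evidence_id": evidence_id,
        "actor": actor,
        "action": action,   # acquired / transferred / analyzed / returned ...
        "evidence_hash": evidence_hash,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "prev_hash": prev,
    }
    body = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(body).hexdigest()
    ledger.append(entry)
    return entry

def verify_ledger(ledger: list, current_copy: Optional[bytes] = None) -> bool:
    """Recompute every digest and link; if current_copy is given, also confirm the
    working copy still matches the hash recorded at acquisition (entry 0)."""
    prev = GENESIS
    for entry in ledger:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev:
            return False
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != entry["entry_hash"]:
            return False
        prev = digest
    if current_copy is not None and ledger:
        return acquisition_hash(current_copy) == ledger[0]["evidence_hash"]
    return True
```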
Slide 17: Incident Management Framework (IMF)

3. Analysis
- Technical
  - On the Host: suspicious hosts must be analyzed for malicious content, rogue file execution, compromise of sensitive data, etc.
  - On the Wire: data traversing the network must be collected and analyzed to determine migration of viruses, transmission of sensitive data, anomalous packets, etc.
- Operational
  - One of the key aspects of investigating an incident is determining unauthorized versus authorized access. The majority of incidents will include illegitimate use of an authorized account.
    - Example: a help desk user account accessing HR file shares
  - Logs play a key role in incident analysis. However, the quantity of information to be reviewed can be extremely large. A Security Information and Event Management (SIEM) system can help review the logs in a more efficient manner.

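An added example, not part of the original presentation, of the operational analysis just described: constructed SIEM-normalized share-access events are checked against a constructed role-to-share authorization map, so a help desk account reading an HR share surfaces as illegitimate use of an authorized account, with the access count and bytes read to help scope it. The account names, share paths and log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed SIEM-normalized file-share access events (not real logs).
SAMPLE_EVENTS = r"""
2011-09-14T08:02:11Z host=fs01 user=jsmith share=\\fs01\helpdesk action=read bytes=2048
2011-09-14T08:05:40Z host=fs01 user=jsmith share=\\fs01\hr action=read bytes=5242880
2011-09-14T08:06:02Z host=fs01 user=jsmith share=\\fs01\hr action=read bytes=7340032
2011-09-14T09:10:33Z host=fs01 user=mlee share=\\fs01\hr action=read bytes=4096
2011-09-14T09:15:00Z host=fs01 user=svc_backup share=\\fs01\hr action=read bytes=1048576
"""

EVENT_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) share=(?P<share>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)")

# Constructed authorization model: the business role of each account and the
# shares that role is allowed to touch. In practice this comes from HR/IAM data.
ACCOUNT_ROLE = {"jsmith": "helpdesk", "mlee": "hr", "svc_backup": "service"}
ROLE_SHARES = {
    "helpdesk": {r"\\fs01\helpdesk"},
    "hr": {r"\\fs01\hr"},
    "service": {r"\\fs01\hr", r"\\fs01\helpdesk"},
}

def parse_events(text):
    """Parse normalized lines; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events

def find_unauthorized_use(events):
    """Group accesses by (user, share) where the account authenticated normally
    but its role does not cover the share: authorized account, unauthorized use."""
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None, "last": None})
    for ev in events:
        role = ACCOUNT_ROLE.get(ev["user"])          # None for unmapped accounts
        if ev["share"] in ROLE_SHARES.get(role, set()):
            continue
        h = hits[(ev["user"], ev["share"])]
        h["count"] += 1
        h["bytes"] += ev["bytes"]
        h["first"] = h["first"] or ev["ts"]
        h["last"] = ev["ts"]
    return [{"user": u, "share": s, "role": ACCOUNT_ROLE.get(u, "unmapped"), **v}
            for (u, s), v in sorted(hits.items())]
```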
Slide 18: Incident Management Framework (IMF)

4. Containment
- Prepare action plans for known “potential” threats.
- The plans must cite the situation or incident and then outline how the response team will react.
- Example:
  - Situation: a service account is compromised and is transferring sensitive information out of the network.
  - Reaction:
    - Capture sensitive data traversing the network
    - Identify the role of the service account
    - Reset the password for the account or disable it
    - Disconnect infected devices from the network
    - Quantify the data exfiltrated from the network
    - Work with legal regarding notification processes
    - Execute analysis procedures
    - Execute cleanup procedures

Slide 19: Incident Management Framework (IMF)

5. Mitigation
- Remediation
  - Analyze the results of an investigation to determine what is required to clean up the results of the infection.
  - Use 3rd party providers to identify vulnerabilities and help mitigate the risk of secondary infection.
- Prevention
  - Conduct a “post mortem analysis” of all investigations.
  - Learn what went wrong and how it can be prevented in the future.
  - Create a robust and repeatable process for vulnerability management.
- Testing
  - Develop and execute regular “table top” exercises to test the company’s ability to respond to an incident.
  - Leverage hot, warm, and cold testing procedures.

Slide 20: Incident Management Framework (IMF)

6. Legal Counsel
- Litigation Hold
  - Ensure plans are in place to disseminate, execute, and validate litigation holds.
- Request for Discovery
  - Preparing an “ESI Profile” will significantly help minimize the impact of fulfilling requests for discovery.
- Liability
  - Work with internal and external counsel to ensure:
    - Notification laws are met
    - Non-disclosure agreements are fulfilled
    - Service level agreements are accurately defined

7. Immediate Response
- Active: ensure there are accurate and up to date procedures in place to react to an incident.
- Passive: engage third party entities to provide immediate incident response support where needed.
- Classify sensitive data to ensure critical information is protected.

Slide 21: Incident Management Framework (IMF)

8. Documentation
- Formal Plan
  - All companies must have a formal Incident Management program in place. The program will outline the entity’s strategy regarding incident response and prevention.
  - The plan must have full support of top level management.
- Procedures
  - There must be formal and documented procedures that outline how employees are to respond in an incident.
  - Procedures must be reviewed at least annually and kept up to date and in line with actual practices.
- Roles and Responsibilities
  - A formal emergency response team must be defined. The team must include both active players as well as key business stakeholders.


Slide 22: Incident Management Workflow

Incident Management Life Cycle + Incident Management Framework = Incident Management Workflow

Slide 23: Incident Response Workflow

(Flowchart; only the node labels survived extraction. The arrows are not recoverable, so the labels are listed here, grouped roughly by stage.)
- Phases: Operational, Tactical, Reaction, Inoculation
- Swim lanes: Detection, Assignment, Validation, Investigation, Evidence of Control, Solution, Post Event, Mitigation, Ticketing, Analysis
- Detection sources: SIEM Event, Help Desk, System Alert, User Complaint, FireEye Alert
- Ticketing and assignment: Review Reported Event; Creation of Ticket; Assignment to C-SIRT; Event is assigned to C-SIRT Investigator; Contact C-SIRT Management; Event Validated; False Positive
- Investigation and containment: Triage Suspected Devices; Additional Devices Identified; Initiate Containment Tickets; Event Contained; Document Containment Measures; Conduct Random Sample to Validate Containment
- Solution and post event: Infected Devices Cleaned; Create Targeted Rescan; Upgrade Security Controls; Document Analysis Results; Finalize Incident Ticket with Results of Investigation; Post Mortem C-SIRT Meeting
- Legal: Litigation Request Occurs; Legal Counsel is Consulted; Collection of Evidence; Create Chain of Custody; Present Results to Legal

Slide 24: Attack Scenarios

Slide 25: Scenario #1

Slide 26: Web Server Compromise & Pivot
(Diagram; labels recovered: Attacker, Website, Root Kit uploaded using SQL injection.)

Slide 27: Root Kit
(Diagram only; no further text survived extraction.)

Slide 28: Reverse Proxy
(Diagram; labels recovered: Attacker, Reverse Proxy installed on server using Root Kit, RDP Traffic.)

Slide 29: Scenario #2

Slide 30: Online Banking Fraud
(Diagram; labels recovered: Attacker, Website, SQL injection exploit to embed XSS code.)

Slide 31: Online Banking Fraud
(Diagram; labels recovered: Consumers, Victimized Site, Hacker Site, Keylogger.)

Slide 32: Online Banking Fraud
(Diagram; labels recovered: Attacker, Consumers, Online Banking. Online banking credentials sent to hacker; hacker logs into online banking site and creates fraudulent transactions.)

Slide 33: Scenario #3

Slide 34: POS Keylogger
(Diagram; labels recovered: Internet, Back Office, Processor, POS Server.)

Slide 35: POS Keylogger
(Diagram; labels recovered: Internet, Back Office, POS Server.)
- Hacker used global remote credentials to access environment.
- Keylogger installed on each POS device. Card swipe readers send PAN via standard keyboard I/O.
- Reseller / Integrator uses global accounts to provide tech support.

Slide 36: ROI on Cyber Defense

(Before/after chart; labels recovered.)
- BEFORE: 1st instance of threat → saturation → detection → containment
- AFTER: 1st instance of threat → detection → containment
- Benefits shown: early exposure of known unknown; rapid response; fewer required resources; rapid remediation
- Axis labels: time/cost, resources, scope of compromise, uncompromised endpoints


Slide 37: ROI on Cyber Defense (Statistics)

- The period from the point of detection to containment is referred to as the “Return To Trusted State” (RTTS)
- Average RTTS in 2011 was 18 days
  - Increase of 4 days over 2010
- Average cost of $413,784 per event or $22,896 per day
  - Increase of 67% over 2010
- The threats range in difficulty to contain (average RTTS):
  - Malicious Insider = 45.5 days to contain
  - Malicious Code = 41.6 days to contain
  - Web-based attacks = 23.5 days to contain
  - DOS/DDOS = 13.1 days to contain
  - Stolen Devices = 10.7 days to contain



Slide 39: Defining YOUR Plan

What are your next steps?
- ACT NOW!
- Plan for an attack on your network.
- Implement enterprise grade products in your organization.
- Implement a strong security framework.
- DEFEND YOUR NETWORK!

Slide 40: Questions

Thank You

Benjamin Stephan
Director, Incident Management
FishNet Security
Benjamin.Stephan@FishNetSecurity.com