Proactive incident response

Presentation on Proactive Incident Response with links to some interesting material to help improve your incident response capabilities

Published in: Technology

  1. Proactive Incident Response, ISACA Ireland. BH Consulting: Helping You Piece IT Together (http://www.bhconsulting.ie, info@bhconsulting.ie)
  2. Who is Brian Honan?
  3. Who is Brian Honan?
  4. Infosec Certainties
  5. Why Care?
  6. Business Drivers
  7. Boardroom Agenda Item
     • "More than Half of US Companies Rate Data Security As a Major Concern" (12th annual Law and the Boardroom Study 2012)
     • "Cybersecurity has become the top global technological issue" (Source: Deloitte 2012 Global Financial Services Industry Security Study)
     • "IT security is no longer a trivial issue and is now becoming part of a company's boardroom discussion" (Source: IBM)
  8. IT Critical
  9. Systems Under Constant Threat
  10. Threats Are Evolving
  11. Modern Attackers
  12. Resurgence of Hacktivism: "WE DO NOT FORGIVE. WE DO NOT FORGET. EXPECT US"
  13. Faces Behind the Masks
  14. Crime As A Service
  15. Crime As A Service
  16. Malware As A Service
  17. Criminal Marketplaces
  18. DDOS As A Service
  19. Irish Ransomware Victims: What if This Was Your Office?
  20. Irish Themed Ransomware
  21. As Gaeilge: What if This Was Your Office?
  22. Greater Insider Threat
  23. Impact
  24. Espionage
  25. Anatomy of an Attack
  26. Natanz
  27. Recognised Threat
  28. Recognised Threat
     • "the cyber threat to our nation is one of the most serious economic and national security challenges we face."
     • "industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organised cyber crime".
  29. Pyramid Of Pain (Courtesy Tripwire)
  30. Traditional IT Security
  31. Ancient Security
  32. Ancient Security
  33. Fortified Perimeter
  34. Ingress/Egress Points
  35. Layered Security
  36. Perimeter Defences
  37. Good Against
  38. And
  39. But Not Against
  40. Or
  41. Or
  42. So In Reality Is Like
  43. Crack the Outer Shell
  44. Verizon DBIR
  45. Breach Detection (Source: Verizon DBIR 2013)
     • 69% Detected by 3rd Party
     • 22% Detected by Org
     • 9% Detected by Customer
  46. Time To Discover Breach (Source: Verizon DBIR 2013)
     • 34% Less than A month
     • 62% Months or More
     • 4% Years or More
  47. Difficulty (Source: Verizon DBIR 2013)
     • 78% Not Difficult
     • 22% Moderate to Difficult
  48. 2012 – IRISSCERT Incidents
  49. 2012 – IRISSCERT Incidents
     • Phishing, 74%
     • Malware, 19%
     • Other, 7%
  50. 2012 – IRISSCERT Incidents
     • Org Crime, 95%
     • Other, 5%
  51. 2012 – IRISSCERT Incidents
     • Increase in Targeted Attacks
     • Increase in DDOS Attacks
     • Increase in Activism
     • Ransomware Attacks
  52. 2012 – IRISSCERT Incidents: Root Cause
     • Poor Passwords
     • Missing Patches
     • Vulnerabilities
     • Web Platforms
     • Out of Date Anti-Virus Software
     • Lack of Monitoring
  53. Why Are We Bad in Detecting Incidents?
  54. Are Tools Fit For Purpose?
  55. Volume of Information
  56. Drowning In Data
  57. Dealing With The Future
  58. Information Security
  59. Continuous Cycle
     • Identify critical information and Systems
     • Conduct Assessment to Identify Risks and Threats
     • Implement Security Controls to Manage Risks & Threats
     • Monitor Effectiveness of Security Controls
     • Analyze and Identify Improvements to Security Controls
  60. Identify Information Assets
  61. Risk Management Strategies
  62. Select Appropriate Controls
  63. Preventive Controls
  64. Detective Controls
  65. Security Tradeoffs
  66. Positive Incident Response
  67. Establish Team
     • Information Security
     • Operations
     • Human Resources
     • Legal
     • Public Relations
     • Facilities Management
  68. Understand Your Business
  69. Establish Relationships
  70. Agree Roles & Responsibilities
  71. Agree Policies & Procedures
  72. Alarms in Place
  73. Monitor Logs
  74. Harden Systems
  75. Use Security Tools
  76. Segment Your Information
  77. Analyse Network Patterns
  78. Love Your Auditor
  79. Ensure Controls Effective
  80. Train Staff & Partners
  81. Use Open Source Data
  82. Use IOCs
  83. Use IOCs
  84. Use Blacklists
  85. Break the Attack Chain
  86. Agree Jurisdictional Issues
  87. Agree Disclosure Rules
  88. Don't Forget The Basics
  89. Patching
  90. Strong Passwords (2FA?)
  91. Anti-Virus
  92. Set Traps
  93. Dealing With The Cloud
  94. Consumer Tech
  95. Ensure IR Requirements in T&Cs
  96. Encrypt Data
  97. Share with Peers: http://www.veriscommunity.net/doku.php
  98. Questions? Brian.honan@bhconsulting.ie, www.bhconsulting.ie, www.twitter.com/brianhonan, www.bhconsulting.ie/securitywatch, Tel: +353 1 4404065
  99. Appendices
     • CSIRT Handbook: http://www.cert.org/archive/pdf/csirt-handbook.pdf
     • Forming an Incident Response Team: http://www.auscert.org.au/render.html?it=2252
     • Incident Response White Paper, BH Consulting: http://www.bhconsulting.ie/Incident%20Response%20White%20Paper.pdf
     • RFC2350: Expectations for Computer Security Incident Response: http://www.rfc-archive.org/getrfc.php?rfc=2350
     • Organisational Models for Computer Security Incident Response Teams: http://www.cert.org/archive/pdf/03hb001.pdf
     • The SANS Institute's Reading Room: http://www.sans.org/reading_room
  100. Appendices
     • Guidelines for Evidence Collection and Archiving (RFC 3227): http://www.ietf.org/rfc/rfc3227.txt
     • Resources for Computer Security Incident Response Teams (CSIRTs): http://www.cert.org/csirts/resources.html
     • RFC 2196: Site Security Handbook: http://www.faqs.org/rfcs/rfc2196.html
     • ENISA Step by Step Guide for setting up CERTs: http://enisa.europa.eu/doc/pdf/deliverables/enisa_csirt_setting_up_guide.pdf
     • CSIRT Case Classification (Example for enterprise CSIRT): http://www.first.org/resources/guides/csirt_case_classification.html
  101. Appendices
     • ENISA Honeypot Paper: http://www.enisa.europa.eu/media/press-releases/new-report-by-eu-agency-enisa-on-digital-trap-honeypots-to-detect-cyber-attacks
     • The HoneyNet Project: http://www.honeynet.org
     • Verizon DBIR: http://www.verizonenterprise.com/DBIR/2013/
     • BH Consulting Whitepaper on "Best Practises for Log Management": http://bhconsulting.ie/Best%20Practises%20for%20Log%20Management.pdf
     • The SANS reading room: http://www.sans.org/rr/whitepapers/logging/
     • Event ID website giving explanations of MS events: http://www.eventid.net/
  102. Appendices (Event IDs to monitor)
     • Local Logon Attempt Failures: Event IDs 529, 530, 531, 532, 533, 534 & 537
     • Domain Logon Account Failures: Event IDs 675, 677
     • Account Misuse: Event IDs 530, 531, 532, 533
     • Account lockout: Event ID 539
     • Terminal Services: Event IDs 682, 683
     • Creation of a User Account: Event IDs 624, 626
     • User Account password Change: Event IDs 627, 628
     • User Account Status Change: Event IDs 626, 629, 630
     • Modification of Security Groups: Event IDs 632, 633, 636, 637
     • Modification of Security Log: Event IDs 612, 517
     • Policy Change: Event IDs 608, 609
     • Process Tracking: Event IDs 592, 593 (note: due to the volume of log entries, only monitor process tracking during an investigation)
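Slide 73 ("Monitor Logs") and the event ID table on slide 102 describe what to watch for but not how the watching is done. The script below is an added example, not material from the presentation or from BH Consulting: it maps the slide's event IDs into its monitoring categories, counts events per category, and flags accounts that generate a burst of failed logons (the pattern that normally precedes an account lockout, event ID 539). The log lines, the `timestamp|event_id|account` format, the five-in-ten-minutes threshold and the account names are all constructed for the example. The IDs are the pre-Vista three-digit Security log IDs used on the slide; Windows Vista and later emit four-digit IDs (for example 4625 for a failed logon), so a real collector would need a second mapping table.

```python
"""Added example: categorise legacy Windows Security event IDs (slide 102)
and flag bursts of failed logons. Log lines and names are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event ID -> category, copied from slide 102. A few IDs appear under two
# headings on the slide (530-533, 626); setdefault keeps the first heading.
CATEGORIES = {
    "Local logon failure": [529, 530, 531, 532, 533, 534, 537],
    "Domain logon failure": [675, 677],
    "Account misuse": [530, 531, 532, 533],
    "Account lockout": [539],
    "Terminal Services": [682, 683],
    "User account created": [624, 626],
    "User account password change": [627, 628],
    "User account status change": [626, 629, 630],
    "Security group modified": [632, 633, 636, 637],
    "Security log modified": [612, 517],
    "Policy change": [608, 609],
    "Process tracking": [592, 593],
}
EVENT_CATEGORY = {}
for category, ids in CATEGORIES.items():
    for event_id in ids:
        EVENT_CATEGORY.setdefault(event_id, category)

# Both local and domain logon failures count towards a brute-force burst.
FAILURE_IDS = set(CATEGORIES["Local logon failure"]) | set(CATEGORIES["Domain logon failure"])

# Constructed sample log (hypothetical format: timestamp|event_id|account).
SAMPLE_LOG = [
    "2013-05-01 08:00:05|529|jsmith",
    "2013-05-01 08:00:17|529|jsmith",
    "2013-05-01 08:00:31|529|jsmith",
    "2013-05-01 08:00:44|529|jsmith",
    "2013-05-01 08:01:02|529|jsmith",
    "2013-05-01 08:01:15|529|jsmith",
    "2013-05-01 08:01:16|539|jsmith",        # lockout after the burst
    "2013-05-01 08:30:00|675|bob",           # one domain logon failure
    "2013-05-01 09:12:40|624|svc-backup",    # new account created
    "2013-05-01 09:13:00|612|administrator", # audit policy / log change
    "2013-05-01 09:15:00|592|administrator",
    "2013-05-01 09:15:01|592|administrator",
    "2013-05-01 10:00:00|999|unknown",       # ID not on the slide
]


def parse_line(line):
    """Split one 'timestamp|event_id|account' line into typed fields."""
    ts, event_id, account = line.strip().split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account


def categorise(lines):
    """Count events per slide-102 category; IDs not on the slide are 'Uncategorised'."""
    counts = Counter()
    for line in lines:
        _, event_id, _ = parse_line(line)
        counts[EVENT_CATEGORY.get(event_id, "Uncategorised")] += 1
    return counts


def failed_logon_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {account: max failures seen inside any sliding window} for
    accounts whose maximum reaches the threshold."""
    failures = defaultdict(list)
    for line in lines:
        ts, event_id, account = parse_line(line)
        if event_id in FAILURE_IDS:
            failures[account].append(ts)
    flagged = {}
    for account, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[account] = best
    return flagged


if __name__ == "__main__":
    for category, count in sorted(categorise(SAMPLE_LOG).items()):
        print(f"{count:3d}  {category}")
    for account, count in failed_logon_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logons for {account} within 10 minutes")
```

The per-category counts are the "volume" view the deck warns about on slides 55 and 56: process tracking (592/593) will dominate any real export, which is why the slide says to enable it only during an investigation. The burst detector is the alarm from slide 72; running it continuously rather than waiting for the lockout event gives the responder the failed attempts that led up to it.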
