How to VERISize v2 - BSidesQuebec2013


  • Let’s start with a story. In August of 2012 Toyota fired a programmer who worked on their parts-sourcing software but failed to revoke his access immediately. A few hours after he was fired, he logged into Toyota systems and planted logic bombs that caused some functions of the application to fail. He also downloaded trade secrets, presumably to take to the next company he went to work for. Toyota IT security said it would take days to figure out the extent of the damage from this programmer’s actions.
  • Let’s tell another story. Two months ago on the Verizon Security Blog we put up a story about a man who outsourced his own job. How many people heard about that? A company decided to start proactively reviewing its log files and found weird VPN connections coming in from China using an employee’s credentials. The company used 2FA on the VPN and the employee was in his cubicle. It turns out that this guy had hired a Chinese company to do his programming work for him, and he mailed his RSA token to them so they could log in. He just showed up and collected a check.
  • Let’s talk about security incidents.
  • All of us have security incidents
  • And (almost) all of us are aware of that.
  • A large majority of us are trying to reduce the frequency and severity of security incidents by applying controls.
  • But the majority of that majority is using ad-hoc processes and selecting controls based on gut instinct or by blindly following checklists.
  • In fact, most organizations don’t document their security incidents either because they don’t know about them or because they lack the process maturity to do so.
  • Among organizations that do record security incidents, the record is often free-form text. Most are not using a defined schema to capture consistent data.
  • 85.3% of statistics are made up on the spot.
  • 100% of the statistics I just shared are made up but …
  • Overall very few organizations are recording security incidents using a standard schema that is open to the public and suitable for performing data analysis and sharing anonymized incident information with other organizations.
  • That’s what we’re here to talk about. VERIS is an open framework which you can use to record information security incidents in a format suitable for data analysis and sharing.
  • In order to place controls, we need to make decisions. This is a representation of what we need to make security decisions. We need to have some model of how the world works, we need to have data, and we need to have a framework to support that data. Our model builds the framework, our framework fills the data, and the data helps us to re-evaluate our models.
  • The goal is to move ever closer to evidence-based risk management. Right now our models are based on gut instinct and so our controls are based on gut instinct. There’s nothing wrong with that to start with, but …
  • Few of us are gathering the data to re-evaluate our model. The loop never gets closed. The most common excuse I hear for why we can’t move towards EBRM is that we don’t have the data to do so, and yet few of us are gathering data.
  • No data means that we’re uncertain. We don’t know how often bad things happen to us. We don’t know how bad those things hurt us. We don’t know if those bad things have anything in common.
  • But in addition to not having data, we also don’t have a framework to describe things. A framework that allows us to put information into buckets so that we can count it properly. A vocabulary that ensures that when I talk about an incident you understand what I mean.
  • VERIS is our attempt to solve the framework piece of the puzzle.
  • We use VERIS to collect data about the security incidents we investigate, and we use that data to produce the Verizon Data Breach Investigations Report (DBIR).
  • Our analysis covers a sample of information security incidents that resulted in a loss of control of non-public data, significant enough for the victim to ask for outside professional assistance. This is a sample of facts: we investigate these incidents.
  • For those who may not know what the DBIR is… Emphasize the large number of partners this year (it was 5 last year), and that they span public-private and international boundaries. We do this to widen the perspective of the report, reduce bias, and make the dataset as representative as we can of “what’s really going on out there.” If you’re talking to an org that might make a good partner, offer them the opportunity. We can follow up with more info.
  • Talk about the four A’s here
  • Even our so-called “highly adaptive adversaries” exhibit very clear patterns in their motives and methods. This is extremely important to grasp and leverage for securing our organizations.
  • Wrapping some analysis and wording around those frequency-based patterns yields this. In many ways, Table 1 summarizes the 2013 DBIR. The rest of the report puts a lot more numbers and percentages around these points, but the basic actor-focused approach shown here is the way we decided to organize our findings this year. And that makes sense: in analyzing the complex dataset we received for this report, we noticed a very strong correlation among the motives, methods, etc. of different groups of threat actors.
  • This gives a more detailed view of the most common threat actions. It’s quite interesting that physical tampering (mostly ATM skimming) is the most common. Highlight that some actions are mostly used in financial crimes, others in espionage, some fairly equal in both. Some differences in large v small orgs.
  • This pulls out just “hacking” actions – those used to gain unauthorized network/system access. Main point is to show the large percentage of attacks that tie back to weak or stolen credentials. 4 of 5 intrusions trace back to this.
  • This is very similar to previous years.
  • Similar to previous years, except that “unrelated party” is at the top. Suggest reading the report to understand what that’s about.
  • You can do this too, and you might be able to do it better than we can. Gasp! Let’s do that as an exercise. Three things to consider: customization, sampling bias, near misses.
  • Customization. You can answer your own questions that Verizon is not going to answer for you
  • Sampling Bias
  • Near misses
  • This is an area that we do not have a lot of insight into right now. You probably have better data about this than we do.
  • Remember these three guys? Let’s VERISize this case. Is the actor internal, external or partner? What is the motivation of the actor? [espionage, fear, financial, fun, grudge, ideology] What is the role of the actor in this incident? [malicious, inappropriate, indirect, unintentional]
  • What actions were present in this incident [Malware, Hacking, Social, Misuse, Error, Physical, Environmental]
  • One common objection we hear about sharing incident data is that it is not real-time or tactical for defense. You won’t be able to use the information in VERIS to update your firewall blacklist. Some people therefore feel that the information in VERIS is less valuable. Tactical intel (what you can change right now) is surely part of the solution, BUT it would be foolish to ignore or downplay the fact that we’re still having the same problems as 5, 10, 20 years ago and don’t seem to be learning our lesson. The DBIR tells us year after year: “brute force attacks, social engineering, and malware.” Most orgs can’t answer “what are the top attacks against your organization in the last year?” with any quantitative rigor. They fall back on anecdote and media regurgitation.

    1. Getting Started with VERIS. Kevin Thompson, Twitter: @bfist. Risk and Intelligence Researcher, Verizon RISK Team
    2. #ermascerity
    3. VERIS - A Framework for Gathering Risk Management Information from Security Incidents. Vocabulary for Event Recording and Incident Sharing
    4. Risk Management: Operating Model (diagram: Models, Framework, Data)
    5. Evidence-Based Risk Management
    6. Risk Management: Operating Model (diagram: Models, Framework, Data)
    7. Data = UNCERTAINTY. “The difference between the amount of information required to perform the task and the amount of information already possessed by the organization.” Galbraith, J. Organization Design, Addison-Wesley, Reading, MA, 1977.
    8. Framework = EQUIVOCALITY
    9. VERIS Framework
    10. VERIS Framework Data
    11. The DBIR is an ongoing study that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and what might be done to prevent it. - 2013 DBIR: 19 global contributors, 47,000+ security incidents, 621 confirmed data breaches
    12. Methodology: Data Collection and Analysis
        • DBIR participants use the Vocabulary for Event Recording and Incident Sharing (VERIS) framework to collect and share data.
        • Enables case data to be shared anonymously with the RISK Team for analysis.
        • VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner (i.e. you can do this too).
    13. Actor: External (State, Crime, Activist), Internal, Partner
    14. Action: Hacking (SQLi, XSS, Brute), Malware, Misuse, Social
    15. How VERIS works. INCIDENT REPORT: “An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…” VERIS takes this and…
    16. How VERIS works. …and translates it to this…
    17. Understand the Framework. Build your contacts. Build your collector. Practice, Practice, Practice. Refine your process. Make it your own.
    18. Basic Sections
        • Incident Tracking
        • Victim Demographics
        • Events
        • Detection & Response
        • Impact
    19. Demographics
        • Company industry
        • Company size
        • Geographic location of the business unit involved in the incident
        • Size of security department
    20. Incident Classification: A4 event model
        • Agent – What acts against us (external, internal, partner)
        • Action – What the agent does to the asset (malware, hacking, social, misuse, error, physical, environmental)
        • Asset – What the agent acts against (type, function)
        • Attribute – The result of the agent’s action against the asset (confidentiality, possession, integrity, authenticity, availability, utility)
    21. Incident Classification: A4 event model. The series of events (A4) creates an “attack model”: 1 > 2 > 3 > 4 > 5
    22. A security INCIDENT is a series of EVENTS that adversely affect the information assets of an organization. Every event is comprised of the following ELEMENTS (example event):
        • Agent – Source: External; Type: Organized criminal group
        • Action – Category: Hacking; Type: SQL injection; Path: Web application
        • Asset – Type: Database; Platform: Acme Server 2008
        • Attribute – Type: Confidentiality; Data: Payment card data
        1 > 2 > 3 > 4 > 5
    23. Discovery & Mitigation
        • Incident timeline
        • Discovery method
        • Evidence sources
        • Control capability
        • Corrective action – Most straightforward manner in which the incident could be prevented; the cost of preventative controls
    24. Impact Classification
        • Impact categorization – Sources of impact (direct, indirect); similar to ISO 27005/FAIR
        • Impact estimation – Distribution for amount of impact
        • Impact qualification – Relative impact rating
    25. Build your understanding
        • Go to for full details of the framework.
    26. Building Contacts
        • While you’re at join the VERIS mailing list.
        • You can ask questions about the framework and specific questions about how to categorize something.
    27. Build your collector
        • People, this is just a survey!
        • Use any of the millions of online survey websites to make your collector.
        • Build this thing in SharePoint and add a workflow to it.
    28. Excel Spreadsheet: laptop_incident_cost(params['data_count'], params['data_variety'])[0]
    29. Pro Tip – Minimize Data Entry
    30. You want source code? Tweet “Oui Kevin! @bfist #BSidesQuebec”
    31. Don’t be afraid to customize!
    32. Sharing is Caring
        • Share your data, it makes us all better off (XML, JSON).
        • Form partnerships with other organizations and compare incidents.
    33. Kevin Thompson, twitter: @bfist
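The slides describe VERIS as a translation from an incident narrative (slide 15) into a chain of Agent > Action > Asset > Attribute events (slides 20 to 22), which can then be counted to answer “what are the top attacks against your organization” and shared as JSON (slide 32). The following Python is an added example, not the speaker’s collector code or the official VERIS JSON schema: the category enumerations are taken from the slides, but the dictionary layout, key names, helper functions, victim names and identifiers are this example’s own constructions, and the attribute assigned to each event in the phishing chain is this example’s interpretation of the narrative.

```python
"""Encode incidents as VERIS-style A4 event chains, validate them, tally them per
incident, and strip identifying fields before sharing.

Added example for this page. Category values come from the slides (A4 model);
the dict layout, key names and helpers are this example's own, not the official
VERIS JSON schema or the speaker's collector.
"""
import json
from collections import Counter

# Enumerations as listed on the "Incident Classification" slide.
AGENTS = {"external", "internal", "partner"}
ACTIONS = {"malware", "hacking", "social", "misuse", "error", "physical", "environmental"}
ATTRIBUTES = {"confidentiality", "possession", "integrity", "authenticity",
              "availability", "utility"}
# Fields that identify the victim and must not leave the organisation (assumed set).
SHARE_STRIP = {"victim_name", "analyst_notes"}


def event(agent, action, asset, attribute, **detail):
    """One A4 event: who (agent) did what (action) to which asset with what result."""
    for value, allowed, field in ((agent, AGENTS, "agent"), (action, ACTIONS, "action"),
                                  (attribute, ATTRIBUTES, "attribute")):
        if value not in allowed:
            raise ValueError(f"{field} {value!r} not in enumeration {sorted(allowed)}")
    return {"agent": agent, "action": action, "asset": asset, "attribute": attribute, **detail}


def validate(incident):
    """True if every event carries the four A4 elements with enumerated values."""
    try:
        for e in incident["events"]:
            event(e["agent"], e["action"], e["asset"], e["attribute"])
    except (KeyError, ValueError):
        return False
    return True


# Narrative from the "How VERIS works" slide, translated into an event chain.
# Attributes per event are this example's interpretation; identifiers are constructed.
PHISHING_IP_THEFT = {
    "incident_id": "example-001",                 # constructed identifier
    "victim_name": "Example Manufacturing Co.",   # constructed; stripped before sharing
    "victim_industry": "manufacturing",           # constructed
    "analyst_notes": "exec opened attachment; see case file",  # constructed
    "events": [
        event("external", "social", "executive", "integrity", variety="phishing"),
        event("external", "malware", "laptop", "integrity", variety="backdoor"),
        event("external", "hacking", "laptop", "confidentiality",
              variety="use of backdoor", data="email"),
        event("internal", "error", "file server", "integrity", variety="misconfiguration"),
        event("external", "hacking", "file server", "confidentiality",
              data="intellectual property"),
    ],
}

# Single-event example from the "security INCIDENT is a series of EVENTS" slide.
SQLI_CARD_THEFT = {
    "incident_id": "example-002",   # constructed identifier
    "victim_name": "Acme Retail",   # constructed; stripped before sharing
    "events": [
        event("external", "hacking", "database", "confidentiality",
              agent_type="organized criminal group", variety="SQL injection",
              path="web application", platform="Acme Server 2008",
              data="payment card data"),
    ],
}


def tally(incidents, element):
    """Count incidents (not events) in which each value of `element` appears.

    Counting per incident is what answers "what share of our incidents involved
    hacking?" without a five-event incident weighing five times more than a
    one-event incident.
    """
    counts = Counter()
    for inc in incidents:
        counts.update({e[element] for e in inc["events"]})
    return dict(counts)


def event_chain(incident):
    """Compact agent:action:asset:attribute view, the 1 > 2 > 3 > 4 > 5 attack model."""
    return [f'{e["agent"]}:{e["action"]}:{e["asset"]}:{e["attribute"]}'
            for e in incident["events"]]


def for_sharing(incident):
    """JSON text of the incident with identifying fields removed, ready for a partner."""
    shared = {k: v for k, v in incident.items() if k not in SHARE_STRIP}
    return json.dumps(shared, indent=2, sort_keys=True)


if __name__ == "__main__":
    incidents = [PHISHING_IP_THEFT, SQLI_CARD_THEFT]
    assert all(validate(i) for i in incidents)
    print("incidents by action:", tally(incidents, "action"))
    print("incidents by agent:", tally(incidents, "agent"))
    print(" > ".join(event_chain(PHISHING_IP_THEFT)))
    print(for_sharing(SQLI_CARD_THEFT))
```

The `event` constructor is where the vocabulary discipline lives: a collector that rejects “Unknown attacker” or “hack” at entry time is what turns free-form text into data that can be counted, and `tally` counts per incident rather than per event, which is the DBIR-style “percent of incidents involving X” figure. `for_sharing` is the minimal anonymization step from the “Sharing is Caring” slide; what else you strip depends on your partnership agreement.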