A data breach is bound to happen, particularly when an end user falls victim to a phishing attack. This session explores a collection of case studies involving the compromise of end user credentials, and the lessons learned about the initial response, the investigation, and the reporting of incidents. The presentation offers a recipe for risk reduction and for well-managed incident response execution, aimed at all audience members and particularly at those responsible for managing the incident response process.
Spring Security Briefing: Lessons Learned from Recent Data Breach
1. INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED
Ron Pelletier, CISSP, CBCP, CISA, QSA
VP and Executive Manager
A SERIES OF LESSONS LEARNED
THE INCIDENT RESPONSE PROCESS
2. INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED
AGENDA
• Setting the Stage for Incident Response – Life Cycle Approach
• Real World Attack Scenarios Prompt Incident Response
• Accumulating the Lessons Learned
• Applying the Lessons Learned
PONDURANCE 2
3. INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED
INCIDENT RESPONSE LIFE CYCLE
Identification: Establish monitoring to recognize, identify, and detect an incident as soon as possible
Containment: Establish programmatic methods to stop the incident from propagating or extending its impact
Eradication: Establish procedures, tools and know-how to eliminate the source and prevent recurrence
Recovery: Establish communications with stakeholders and procedures to continue normal operations
4. INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED
REAL WORLD ATTACK SCENARIOS PROMPT INCIDENT RESPONSE
Situation 1: A phishing attack (leveraging the Dyre Trojan) leads to an unauthorized transfer of hundreds of thousands of dollars
Situation 2: A compromise of email credentials (phishing attack possible) leads to social engineering and the transfer of more than one hundred thousand dollars
Situation 3: A phishing attack leads to the compromise of end user credentials and the potential exposure of a number of sensitive records
Situation 4: A phishing attack (most probable cause) leads to the compromise of admin credentials and millions of sensitive records
Pondurance provided direct assistance in three of these incidents
5. INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED
ACCUMULATING THE LESSONS LEARNED
The Challenging Questions to Consider, by Three Key Phases
Prepare
Do I know where my sensitive data lives?
Am I prepared to defend against attacks? Phishing attacks?
Is my helpdesk prepared to correlate attacks and attack patterns?
Does my retention schedule work against me?
What is my exposure from SSO, or from passwords reused across systems?
Execute
Do I have a favorable and flexible risk assessment process?
Do I have a timely and tested response capability?
Can I parameterize the discovery process to limit my exposure?
Do I know how my systems are configured for discovery?
Learn
Do I know my legal and regulatory obligations for reporting?
Am I capable of aggregating and confirming discovery results?
Have I pre-contracted the expertise to investigate and report?
6. INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED
APPLYING THE LESSONS LEARNED – PREPARE
• Discourage use of Email as a personal “database”
• Conduct Incident Response AND eDiscovery exercises to target
potential data exposure
• Ensure defense-in-depth including additional capabilities for
advanced detection (dynamic egress/ingress monitoring)
• Establish correlative reporting for service desks, other reporting
intake functions
• Evaluate retention for unintended exposure (e.g., Email “deleted”
folders)
• Ensure Incident Response Team personnel represent all parts of
the organization, are properly trained
• Ensure end users are properly trained on retention and disposition
of data (think about common data stores like Email)
• Analyze the potential reuse of network passwords for external
portals such as OWA, VPN, external data stores/portals, etc.
• Develop meaningful Policies and Procedures, including those that
target investigation and discovery
Key Take-Away: Prepare during a period of calm… don’t wait until adversity is at your doorstep
7. INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED
APPLYING THE LESSONS LEARNED – EXECUTE
• Incident response is not a linear process; it may require dynamic
alerting to, and collaboration with, various risk management
functions (legal, DR/BCP, compliance, IT, etc.)
• Additional threat management capabilities may provide evidence
to leverage in assessing exposure and reporting liability
• The risk management process should include a proper evaluation
of threat actors and attack methods BEFORE moving to reporting
• Consider leveraging the incident response process, eDiscovery
methods and risk assessment-at-incident alongside penetration tests
• Evaluate “mapped” drives as well as public and private folders
within OWA for potential exposure
• A PST file does not always provide the same view as OWA; discovery
may require caveats/parameterization (assess accordingly)
• Establish a timeframe for the incident, provide search terms to
discovery analysts, and KNOW what is a true exposure and what is
not, or is not likely to be
Key Take-Away: The average IQ goes to zero during an emergency… use your plan, but build in some flexibility
8. INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED
APPLYING THE LESSONS LEARNED – LEARN
• Exercise your plans as often as tolerated by the organization, but
no less than once per year
• Involve management in response plans and exercises, or be
prepared for management to deviate and execute untested
procedures at time of incident
• Develop organizational clarity by classifying data (and for heaven’s
sake find out where it lives!)
• Regarding eDiscovery, the “de-duplication” process is difficult,
particularly when tens of thousands of records are involved…know
what you are looking for ahead of time
• Develop consistency among independent entities that may
operate under a shared services model, limit top-level liability
• Pre-arrange for services that provide competency and flexibility,
attempt to limit “unknown” or surprise costs…but plan accordingly
• Share the wealth in lessons learned
Key Take-Away: If you do not exercise your incident response plan and procedures… you have denied yourself invaluable knowledge through controlled failure
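The Execute and Learn points above (a bounded incident timeframe, search terms handed to discovery analysts, telling a true exposure from a false one, and the de-duplication problem when the same message sits in several folders such as Deleted Items) can be turned into a repeatable discovery pass. The script below is an added example written for this page, not Pondurance’s own tooling: the mailbox records are constructed, the SSN and card-number patterns are illustrative rather than a complete sensitive-data taxonomy, and a real run would read a PST/OWA export instead of the inline list.

```python
"""Parameterized eDiscovery pass over a mailbox export (added example).

Assumptions (not from the original deck): messages are (id, folder, sent,
body) tuples; the incident window and search terms come from the responder.
"""
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample export, NOT real data. m2 is a verbatim copy of m1 that
# survived in Deleted Items; m3 carries a card-like number that fails Luhn;
# m4 predates the incident window.
SAMPLE_MESSAGES = [
    ("m1", "Inbox", "2015-03-02T09:14:00Z",
     "Per your request: client SSN 123-45-6789, card 4111 1111 1111 1111."),
    ("m2", "Deleted Items", "2015-03-02T09:14:00Z",
     "Per your request: client SSN 123-45-6789, card 4111 1111 1111 1111."),
    ("m3", "Sent Items", "2015-03-05T16:02:00Z",
     "Order ref 4111 1111 1111 1112 shipped; no customer data enclosed."),
    ("m4", "Inbox", "2014-12-20T08:00:00Z",
     "Old case notes: SSN 987-65-4320."),
    ("m5", "Inbox", "2015-03-10T11:30:00Z",
     "Please release the wire transfer today, the CFO approved it."),
]

# Illustrative patterns: US SSN with the obviously invalid groups excluded,
# and 13-19 digit runs with optional space/hyphen separators for card PANs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; filters card-shaped numbers that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_exposures(body: str, search_terms) -> set:
    """Return (kind, value) hits: validated SSNs, Luhn-valid PANs, analyst terms."""
    hits = set()
    for m in SSN_RE.finditer(body):
        hits.add(("ssn", m.group()))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):          # "know what is a true exposure and what is not"
            hits.add(("card", digits))
    lowered = body.lower()
    for term in search_terms:
        if term.lower() in lowered:
            hits.add(("term", term))
    return hits


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def run_discovery(messages, window_start: str, window_end: str, search_terms) -> dict:
    """Scope to the incident window, de-duplicate by body hash, then search."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    seen_bodies = {}                 # sha256(body) -> first message id seen
    report = {"in_window": 0, "unique": 0, "duplicates": [], "exposures": {}}
    for msg_id, folder, sent, body in messages:
        if not (start <= parse_ts(sent) <= end):
            continue                 # outside the established timeframe
        report["in_window"] += 1
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest in seen_bodies:    # same content in another folder counts once
            report["duplicates"].append((msg_id, folder, seen_bodies[digest]))
            continue
        seen_bodies[digest] = msg_id
        report["unique"] += 1
        for hit in find_exposures(body, search_terms):
            report["exposures"].setdefault(hit, []).append(msg_id)
    return report


if __name__ == "__main__":
    result = run_discovery(SAMPLE_MESSAGES, "2015-03-01T00:00:00Z",
                           "2015-03-31T23:59:59Z", ["wire transfer"])
    for (kind, value), ids in sorted(result["exposures"].items()):
        print(f"{kind:5} {value:<20} in {', '.join(ids)}")
    print(f"{result['in_window']} in window, {result['unique']} unique, "
          f"{len(result['duplicates'])} duplicate(s)")
```

Counting distinct values rather than matching messages is what keeps the exposure figure honest: the copy in Deleted Items does not become a second exposed record, the Luhn-invalid order reference is not reported as a card number, and the message outside the window is never searched at all.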
9. INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED
Ron Pelletier, CISSP, CBCP, CISA, QSA
VP and Executive Manager
QUESTIONS?
THE INCIDENT RESPONSE PROCESS