Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

  • Be the first to comment


  2. 2. About Mike In IT full-time since 1998 Entered IT Security in 2007 Certifications: CISSP, GCIH, GPEN, GWAPT
  3. 3. Agenda Definition of a breach Background statistics on breaches Preparing your response plan Putting your plan into action Links to resources
  4. 4. Key Assumptions Small to medium-sized business (SMB) ◦ Typically fewer than 500 employees Few IT resources, few or none dedicated to IT security
  5. 5. What Is a Breach? Breach means an intrusion into a computer system, i.e. hacking, or exposure of sensitive data Causes of a breach: ◦ mistakes ◦ crimes of opportunity ◦ targeted attacks ◦ viruses ◦ web-delivered malware ◦ malicious insiders ◦ unintentional disclosures ◦ Loss/theft of laptop or media
  6. 6. High Profile Breaches Anthem BCBS Premera Montana DPHHS Target Home Depot Staples Michaels eBAY Snapchat SendGrid White Lodging (2x) Dairy Queen Jimmy Johns Goodwill P.F. Chang’s California DMV Sony Did I mention Sony?
  7. 7. Closer to Home Hornbachers (SUPERVALU) ND University System
  8. 8. We’re Too Small to be a Target Verizon 2015 DBIR – 2,122 incidents of confirmed data loss ◦ 573 in small business 2015 Symantec ISTR – 34% of spear phishing attacks directed at companies with fewer than 250 employees 44% of small businesses reported a breach ◦ 2013 National Small Business Association Technology Survey 60% of all attacks targeted small and medium businesses ◦ 2015 Symantec ISTR
  9. 9. Costs of a Breach Verizon estimates between $52k - $87k costs for 1000 records lost Fines Possible jail terms under HIPAA Loss of customer and business partner confidence
  10. 10. Incident Response Framework P – Preparation I – Identification C – Containment E – Eradication R – Recovery L – Lessons Learned
  11. 11. Preparation There are no secrets to success. It is the result of preparation, hard work, and learning from failure. – Colin Powell
  12. 12. Preparation: Getting Started Get management support and executive sponsor! Define your incident handling team members ◦ Not just IT! IT, Security, Legal, HR, PR, Management, external IT vendor ◦ Designate an incident leader. This person needs to be calm under fire
  13. 13. Preparation: The Crown Jewels Define what’s important to your organization ◦ Email ◦ Online sales ◦ Data ◦ Proprietary information / trade secrets Need to define to guide protection and monitoring efforts
  14. 14. Preparation: Basics Charter ◦ Executive level authorization to perform IR duties Policies ◦ Strong policies help enforce compliance and define roles and responsibilities ◦ Incident Handling policies provide legal authority to investigate, “sniff” network traffic, monitor activities Procedures ◦ Clear, thorough, tested procedures help reduce confusion when tensions are high ◦ Checklists ◦ Notification procedures – legal, PR, law enforcement
  15. 15. Preparation: Communications Define a communications plan ◦ Email and phone may be down or compromised; make sure you have cell numbers ◦ Identify alternate contacts ◦ Don’t forget to include IT vendor, network provider, etc. ◦ Law enforcement ◦ Test your calling tree at least annually ◦ Keep paper copies and keep them up to date
  16. 16. Preparation: Testing and Practice Perform incident handling tabletop exercises ◦ When problems are identified, be sure to update procedures Perform live response exercise annually
  17. 17. Identification: Sources Logs / SIEM ◦ When in doubt, err on excessive logging ◦ NSA – Spotting the adversary document ◦ Firewalls ◦ Authentication success & fail ◦ AV / IDS ◦ DHCP ◦ DNS ◦ Web servers Helpdesk 3rd parties & business partners
  18. 18. Identification: Assessment First priority is to determine if a security incident occurred Document the following ◦ Affected machine(s) ◦ Logged on users ◦ Open network connections ◦ Running processes ◦ How incident was identified ◦ Who reported it ◦ When it was reported ◦ What was happening
  19. 19. Containment Focus is stopping the spread Follow documented containment procedures Isolate affected host(s) ◦ Pull network cable / power down / firewall off ◦ Use attack signatures to build rules ◦ email / web filtering / IPS Image affected machines, store offline ◦ Tested forensics procedures are essential Continue documenting all activities tumblr
  20. 20. Containment: Notification Follow communications plan, notify internal parties as appropriate If you’re going to contact law enforcement, now is the time Contact legal counsel
  21. 21. Eradication Focus is removal and restoration of affected systems Wipe / Rebuild / Restore Apply missing patches Scan for indicators of compromise Apply mitigations – firewall / WAF / IDS / update AV Change passwords
  22. 22. Recovery Goal is to bring systems back online without causing another incident Verify issue is resolved Increase monitoring ◦ Determine duration of increased monitoring
  23. 23. Mistakes Happen Success does not consist in never making mistakes, but in never making the same one a second time. – George Bernard Shaw
  24. 24. Lessons Learned Be sure to hold a lessons learned session after breach ◦ Hold within two weeks ◦ Identify what failed and why ◦ Implement fixes and update documentation
  25. 25. Execution Document all steps in a notebook ◦ Helps to have one person working, another keeping notes Measure twice, cut once… First, do no harm… ◦ In other words, don’t be too hasty Step back to see the forest for the trees
  26. 26. Summary All sizes of organizations are being attacked Effective incident response is about preparation and practice, not about tools! Incident response plans are key to recovery and limiting liability There is a vast array of resources available to help you build your plan
  27. 27. Resources Local law enforcement, including FBI Professional Security Organizations ◦ ISSA ◦ ◦ InfraGard ◦ SANS ◦ NOREX ◦
  28. 28. Resources Creating a Computer Security Incident Response Team (CSIRT) ◦ NIST SP800-61 Rev. 2: Computer Security Incident Handling Guide ◦ SANS Incident Handling Forms ◦ Incident Handler’s Handbook ◦ handbook-33901 Incident Handling Annual Testing and Training ◦ annual-testing-training-34565
  29. 29. Resources SANS Policy Templates ◦ SANS Reading Room ◦ An Incident Handling Process for Small and Medium Businesses ◦ process-small-medium-businesses_1791 Blue Team Handbook: Incident Response Edition ◦ ISBN-13: 978-1500734756 ◦ Responder/dp/1500734756/
  30. 30. Resources NSA – Spotting the Adversary With Windows Event Log Monitoring ◦ g_Monitoring.pdf U.S. D.O.J Best Practices for Victim Response and Reporting ◦ minal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyb er_incidents.pdf Table Top Exercises for Incident Response ◦ When Breaches Happen: Top Five Questions to Prepare For ◦ questions-prepare-35220 Corporate Incident Response – Why You Can’t Afford to Ignore It ◦ response.pdf
  31. 31. References Verizon 2015 Data Breach Investigations Report ◦ report-2015_en_xg.pdf Symantec 2015 Internet Security Threat Report ◦ security-threat-report-volume-20-2015-social_v2.pdf 2013 National Small Business Association Technology Survey ◦
  32. 32. Contact Me @hardwaterhacker
  33. 33. Questions?