
You Will Be Breached



Your organization will be breached. It's a matter of when, not if. How you respond may be the difference between recovering and closing your doors.

This talk is designed to help small businesses or businesses with small IT organizations to develop a viable incident response program.

Published in: Technology

You Will Be Breached

2. About Mike
In IT full-time since 1998
Entered IT Security in 2007

3. Agenda
Definition of a breach
Background statistics on breaches
Preparing your response plan
Putting your plan into action
Links to resources

4. Key Assumptions
Small to medium-sized business (SMB)
◦ Typically fewer than 500 employees
Few IT resources, few or none dedicated to IT security
Incident Response IS NOT about tools!

5. What Is a Breach?
Breach means an intrusion into a computer system, i.e. hacking, or exposure of sensitive data
Causes of a breach:
◦ crimes of opportunity
◦ targeted attacks
◦ viruses
◦ web-delivered malware
◦ malicious insiders
◦ mistakes / unintentional disclosure
◦ loss/theft of laptop or media

6. Lots of Breaches
Anthem, BCBS, Premera, CareFirst, OPM, Target, Home Depot, Staples, eBay, Snapchat, SendGrid, White Lodging (2x), Dairy Queen, Jimmy Johns, Goodwill, SUPERVALU, California DMV, Sony
Did I mention Sony?
The list goes on, and on, and on…

7. We’re Too Small to be a Target
Verizon 2015 DBIR – 2,122 incidents of confirmed data loss
◦ 573 in small business
2015 Symantec ISTR – 34% of spear phishing attacks directed at companies with fewer than 250 employees
60% of all attacks targeted small and medium businesses
◦ 2015 Symantec ISTR
44% of small businesses reported a breach
◦ 2013 National Small Business Association Technology Survey

8. Costs of a Breach
Verizon estimates between $52k - $87k costs for 1000 records lost
Fines
Possible jail terms under HIPAA
Loss of customer and business partner confidence

9. Incident Response Framework
P – Preparation
I – Identification
C – Containment
E – Eradication
R – Recovery
L – Lessons Learned

10. Preparation
“There are no secrets to success. It is the result of preparation, hard work, and learning from failure.” – Colin Powell

11. Preparation: Getting Started
Get management support and executive sponsor!
Define your incident handling team members
◦ Not just IT! IT, Security, Legal, HR, PR, Management, external IT vendor
◦ Designate an incident leader. This person needs to be calm under fire

12. Preparation: The Crown Jewels
Need to define what’s important to your organization to guide protection / monitoring
◦ Email
◦ Online sales
◦ Data
◦ Proprietary information / trade secrets

13. Preparation: Basics
Charter
◦ Executive level authorization to perform IR duties
Policies
◦ Strong policies help enforce compliance and define roles and responsibilities
◦ Incident Handling policies provide legal authority to investigate, “sniff” network traffic, monitor activities
Procedures
◦ Clear, thorough, tested procedures help reduce confusion when tensions are high
◦ Checklists
◦ Notification procedures – legal, PR, law enforcement

14. Preparation: Communications
Define a communications plan
◦ Email and phone may be down or compromised; make sure you have cell numbers
◦ Identify alternate contacts
◦ Don’t forget to include IT vendor, network provider, etc.
◦ Law enforcement
◦ Test your calling tree at least annually
◦ Keep paper copies and keep them up to date

15. Preparation: Testing and Practice
Perform incident handling tabletop exercises
◦ When problems are identified, be sure to update procedures
Perform live response exercise annually

16. Identification: Sources
Logs / SIEM
◦ When in doubt, err on excessive logging
◦ NSA – Spotting the Adversary document
◦ Firewalls
◦ Authentication success & fail
◦ AV / IDS
◦ DHCP
◦ DNS
◦ Web servers
Helpdesk
3rd parties & business partners

17. Identification: Assessment
First priority is to determine if a security incident occurred
Document the following
◦ Affected machine(s)
◦ Logged on users
◦ Open network connections
◦ Running processes
◦ How incident was identified
◦ Who reported it
◦ When it was reported
◦ What was happening
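As an added example (not part of the talk), the check below runs over constructed sshd log lines, the "authentication success & fail" source from the Identification: Sources slide, flags password guessing, and opens an initial incident record with the fields from the Identification: Assessment slide. The log lines, hostnames, addresses and the threshold of three failures are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not from a real system): one source fails
# three times and then succeeds; another source fails once.
SAMPLE_LOG = """\
Jun 12 08:01:02 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jun 12 08:01:05 fileserver sshd[2103]: Failed password for root from 203.0.113.45 port 51023 ssh2
Jun 12 08:01:09 fileserver sshd[2105]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jun 12 08:01:20 fileserver sshd[2109]: Accepted password for root from 203.0.113.45 port 51026 ssh2
Jun 12 08:15:00 fileserver sshd[2200]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jun 12 08:16:00 fileserver sshd[2201]: Failed password for bob from 192.0.2.11 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def parse_auth_log(text):
    """Return one dict per line matching the sshd accept/fail pattern."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text, threshold=3):
    """Group events by (host, source) and flag sources with >= threshold
    failures. Each hit becomes an initial incident record built from the
    assessment fields: affected machine, user, how and when identified."""
    groups = defaultdict(list)
    for ev in parse_auth_log(text):
        groups[(ev["host"], ev["src"])].append(ev)
    records = []
    for (host, src), evs in groups.items():
        fail_idx = [i for i, e in enumerate(evs) if e["result"] == "Failed"]
        if len(fail_idx) < threshold:
            continue
        # A success from the same source after the failures is the stronger
        # signal: treat it as a probable compromise rather than an attempt.
        success = next((e for e in evs[fail_idx[-1] + 1:]
                        if e["result"] == "Accepted"), None)
        records.append({
            "affected_machine": host, "source": src,
            "users_tried": sorted({evs[i]["user"] for i in fail_idx}),
            "failures": len(fail_idx),
            "logged_on_user": success["user"] if success else None,
            "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
            "identified_by": "authentication log review",
            "severity": "probable compromise" if success else "attempted guessing",
        })
    return records
```

Calling `triage(SAMPLE_LOG)` returns a single record for 203.0.113.45 (three failures followed by a root logon, severity "probable compromise") and ignores the lone failure from 192.0.2.11; the record is the starting point for the notebook entry the assessment slide asks for.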
18. Containment
Focus is stopping the spread
Follow documented containment procedures
Isolate affected host(s)
◦ Pull network cable / power down / firewall off
◦ Use attack signatures to build rules
◦ email / web filtering / IPS
Image affected machines, store offline
◦ Tested forensics procedures are essential
Continue documenting all activities

19. Containment: Notification
Now is the time to activate the incident response team
Follow communications plan, notify internal parties as appropriate
If you’re going to contact law enforcement, now is the time
Contact legal counsel

20. Eradication
Focus is removal and restoration of affected systems
Wipe / Rebuild / Restore
Apply missing patches
Scan for indicators of compromise
Apply mitigations – firewall / WAF / IDS / update AV
Change passwords

21. Recovery
Goal is to bring systems back online without causing another incident
Verify issue is resolved
Increase monitoring
◦ Determine duration of increased monitoring

22. Mistakes Happen
“Success does not consist in never making mistakes, but in never making the same one a second time.” – George Bernard Shaw

23. Lessons Learned
Be sure to hold a lessons learned session after breach
◦ Hold within two weeks
◦ Identify what failed and why
◦ Implement fixes and update documentation

24. Execution
Document all steps in a notebook
◦ Helps to have one person working, another keeping notes
Measure twice, cut once… First, do no harm…
◦ In other words, don’t be too hasty
Step back to see the forest for the trees

25. Summary
All sizes of organizations are being attacked
Effective incident response is about preparation and practice, not about tools!
Incident response plans are key to recovery and limiting losses
There is a vast array of resources available to help you build your plan

26. Resources
Local law enforcement, including FBI
Professional Security Organizations
◦ ISSA
◦ InfraGard
◦ SANS
◦ NOREX

27. Resources
Creating a Computer Security Incident Response Team (CSIRT)
◦ NIST SP800-61 Rev. 2: Computer Security Incident Handling Guide
◦ SANS Incident Handling Forms
◦ Incident Handler’s Handbook
◦ handbook-33901
Incident Handling Annual Testing and Training
◦ annual-testing-training-34565

28. Resources
SANS Policy Templates
◦ SANS Reading Room
◦ An Incident Handling Process for Small and Medium Businesses
◦ process-small-medium-businesses_1791
Blue Team Handbook: Incident Response Edition
◦ ISBN-13: 978-1500734756
◦ Responder/dp/1500734756/

29. Resources
NSA – Spotting the Adversary With Windows Event Log Monitoring
◦ g_Monitoring.pdf
U.S. D.O.J. Best Practices for Victim Response and Reporting
◦ minal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
Table Top Exercises for Incident Response
When Breaches Happen: Top Five Questions to Prepare For
◦ questions-prepare-35220
Corporate Incident Response – Why You Can’t Afford to Ignore It
◦ response.pdf

30. References
Verizon 2015 Data Breach Investigations Report
◦ report-2015_en_xg.pdf
Symantec 2015 Internet Security Threat Report
◦ security-threat-report-volume-20-2015-social_v2.pdf
2013 National Small Business Association Technology Survey

31. Contact Me
@hardwaterhacker

32. Questions?