SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Operations


As cyber attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. Event monitoring and correlation technologies and security operations are often tied to incident handling responsibilities, but the number of attack variations is staggering, and many organizations are struggling to develop incident detection and response processes that work for different situations.
In this webcast, we'll outline the most common types of events and indicators of compromise (IOCs) that naturally feed intelligent correlation rules, and walk through a number of different incident types based on these. We'll also outline the differences in response strategies that make the most sense depending on what types of incidents may be occurring. By building a smarter incident response playbook, you'll be better equipped to detect and respond more effectively in a number of scenarios.


1. An Incident Response Playbook: From Monitoring to Operations
   Dave Shackleford, Voodoo Security and SANS
   Joe Schreiber, AlienVault
   © 2014 The SANS™ Institute

2. Introduction
   • The range and sophistication of today’s attacks are growing rapidly
   • More and more organizations are dedicating resources to detection and response tools and processes
     – Less effort and money is spent on purely “preventive” measures
   • We’ll explore a number of different types of incidents, as well as indicators and monitoring/response process considerations

3. Use What for What?
   • Right Tool -> Right Job
   • Right Job -> Right Skills
   • Right Skills -> Right Response
   • Right Response -> [right] Incident

4. How do I know which response?

5. Make Plans.
   • Be prepared for an incident
     – Create several plans based on incident type
     – Have a contact methodology
     – Escalation paths
   • So you have a plan?
     – What’s your backup?
     – Be flexible
   • Time is against you
   • Outside help
     – Pre-arrange services or consultants

6. What if I’m missing something?
   • Use the Internet
     – IOCs
     – Threat reputation
     – Malware analyzers
     – Virus scanners
   • Community efforts
     – Open source tools
     – Message boards

7. Attack Types and Responses
   • Sensitive Data
   • Malware
   • Insider
   • Web Application

8. Sensitive Data Exposure/Exfiltration
   • Data loss and exposure is one of the top concerns and incident types facing organizations today
   • The 2014 Verizon DBIR analyzed 1,367 confirmed data breaches (out of 63,437 security incidents)
   • Most security teams have been focused on data loss in some way since 2005-6

9. Indicators of Sensitive Data Exposure
   • A number of leading indicators can lead to detection of exposure or exfiltration
   • Human-based:
     – Fraud alerts or identity theft
     – Notification from 3rd parties
     – Extortion attempts
   • Data indicators:
     – DLP alerts
     – Proxy logs
     – Firewall/IDS/IPS events

10. Operations for Data Exposure Incidents
   • Specific operational steps to be considered for IR with data exposure:
     – First, stop the leak if you know how and where, unless law enforcement has asked you to hold off (for example, to preserve evidence)
     – Determine who and what is affected, then coordinate with HR/legal/PR
     – Leverage DLP or other monitoring tools to pattern match sensitive data types, both stored and in transit
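The last step on slide 10, pattern matching sensitive data types in stored and in-transit content, is the part a monitoring team can build itself. The Python below is an added example written for this page, not code from SANS or AlienVault. The sample lines, the regular expressions, the thresholds and the masking helper are all constructed for the example: it finds card-number-shaped digit runs, applies the Luhn check so that random 16-digit identifiers are not reported, does a structural sanity check on SSN-shaped values, and masks every hit before it reaches an alert.

```python
import re

# Constructed sample content, as a DLP scanner might see it in a proxy capture or
# a file at rest. The card number is the well-known 4111... test value; the other
# numbers are made up. None of this is real customer data.
SAMPLE_LINES = [
    "order confirmation for customer 42, total $19.99",
    "card 4111 1111 1111 1111 exp 12/26 cvv 123",         # passes Luhn -> report
    "ref 1234-5678-9012-3456 is an internal ticket id",   # 16 digits, fails Luhn -> ignore
    "applicant ssn 078-05-1120 on file",                  # SSN-shaped -> report
]

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject structurally impossible SSNs (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


def mask(value: str, keep: int = 4) -> str:
    """Never write the full secret into an alert; keep only the trailing digits."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan(lines):
    """Return one finding per sensitive value; 'line' is the 0-based index into lines."""
    findings = []
    for idx, text in enumerate(lines):
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):              # drop digit runs that cannot be card numbers
                findings.append({"kind": "pan", "line": idx, "value": mask(digits)})
        for m in SSN_RE.finditer(text):
            if ssn_plausible(m.group(0)):
                findings.append({"kind": "ssn", "line": idx, "value": mask(m.group(0))})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

The Luhn and structural checks are what keep the alert volume usable: a bare "16 digits" regex fires on ticket numbers, order IDs and timestamps, and a DLP rule that is always firing is the one that gets switched off.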
11. Advanced Malware Incidents
   • Not all malware incidents are advanced
     – Standard antivirus and host-based tools still catch many variants
   • Some malware is much more stealthy and sophisticated, however
     – Malware sandboxes, behavioral monitoring, and forensics techniques and tools may be needed

12. Indicators of Advanced Malware
   • Advanced malware may be detected with a number of indicators:
     – Unusual processes or services on hosts
     – Known malicious registry keys and entries
     – File names or attributes
     – Network traffic signatures and patterns (ports, protocols, etc.)
     – Sandbox detonation events

13. Operations for Advanced Malware Incidents
   • Response processes for advanced malware incidents should include:
     – Quarantine capabilities (host and network)
     – Volatile forensic data capture (memory, running processes, open connections) before a host is powered off
     – Rapid development of IOC “fingerprints” to propagate to additional systems
     – Data leak response steps
     – Reverse engineering
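Slides 12 and 13 together describe writing an IOC fingerprint from the first confirmed host (hashes, file names, registry keys, network destinations) and sweeping it across other systems. The Python below is an added example, not code from the deck or from AlienVault; the IOC set, the three hosts' telemetry and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are constructed. Besides the exact-match indicators it adds a periodicity heuristic, so a host that talks to a new server on a fixed interval is flagged even though neither its hash nor its destination is in the list yet.

```python
import hashlib
import statistics
from dataclasses import dataclass


def fake_sha256(label: str) -> str:
    """Hashes of placeholder strings stand in for real sample hashes in this example."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed IOC fingerprint, as it might be written up from the first confirmed host.
# The addresses come from documentation ranges; nothing here is a real indicator.
IOC = {
    "sha256": {fake_sha256("dropper-sample")},
    "file_names": {"svch0st.exe", "updater32.dll"},
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater32"},
    "destinations": {("203.0.113.7", 443)},
}


@dataclass
class HostTelemetry:
    name: str
    processes: list      # (image name, sha256 of image)
    registry: list       # autorun-style registry key paths
    connections: list    # (dest ip, dest port, epoch seconds)


def beacon_like(timestamps, min_events=4, max_jitter=0.1):
    """True when the gaps between connections are nearly constant: a check-in
    pattern that can expose a C2 channel the IOC list does not yet know about."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter


def match_host(host, ioc):
    """Return (indicator type, detail) hits for one host."""
    hits = []
    for name, digest in host.processes:
        if digest in ioc["sha256"]:
            hits.append(("hash", name))
        elif name.lower() in ioc["file_names"]:   # recompiled sample, same name
            hits.append(("filename", name))
    for key in host.registry:
        if key in ioc["registry_keys"]:
            hits.append(("registry", key))
    by_dest = {}
    for ip, port, when in host.connections:
        by_dest.setdefault((ip, port), []).append(when)
    for (ip, port), times in by_dest.items():
        if (ip, port) in ioc["destinations"]:
            hits.append(("c2", f"{ip}:{port}"))
        elif beacon_like(times):
            hits.append(("beacon", f"{ip}:{port}"))
    return hits


def sweep(hosts, ioc):
    """Apply one fingerprint to every host; only hosts with hits are returned."""
    results = {}
    for host in hosts:
        hits = match_host(host, ioc)
        if hits:
            results[host.name] = hits
    return results


# Constructed telemetry for three hosts.
HOSTS = [
    HostTelemetry("ws01",   # the host the fingerprint was written from
        processes=[("explorer.exe", fake_sha256("explorer")), ("svch0st.exe", fake_sha256("dropper-sample"))],
        registry=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater32"],
        connections=[("203.0.113.7", 443, t) for t in (0, 300, 600, 900)]),
    HostTelemetry("ws02",   # same implant recompiled and renamed, talking to a new server every ~300 s
        processes=[("explorer.exe", fake_sha256("explorer")), ("wupdate.exe", fake_sha256("dropper-v2"))],
        registry=[],
        connections=[("198.51.100.9", 8443, t) for t in (1000, 1301, 1598, 1902, 2200)]),
    HostTelemetry("ws03",   # clean host: irregular browsing traffic only
        processes=[("explorer.exe", fake_sha256("explorer"))],
        registry=[],
        connections=[("192.0.2.10", 443, t) for t in (0, 50, 400, 410)]),
]

if __name__ == "__main__":
    for host_name, hits in sweep(HOSTS, IOC).items():
        print(host_name, hits)
```

Run over the constructed hosts, ws01 matches on hash, registry key and destination, ws02 is caught only by the beacon heuristic, and ws03 is silent. In practice the beacon hit on ws02 is what feeds the next revision of the fingerprint: its hash and destination get added and the sweep is rerun.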
14. Insider Incidents
   • Insider incidents can be some of the most challenging to detect and respond to
   • Insider threats can lead to other types of incidents (data loss, destruction/availability, etc.)
   • Always coordinate with HR and legal teams for insider threat response
   • Many insider attacks are not that advanced…just hard to detect

15. Indicators of Insider Incidents
   • Insider indicators may be more challenging to detect:
     – Disgruntled behavior
     – Unusual pattern of file/data access
     – Changes in working hours or behavior
     – Disregard for policies and procedures
     – Account logon failures and unusual patterns
     – Traffic from personal/work systems
     – Unusual system command use or attempts at privilege escalation
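Several of the indicators on slide 15 (changes in working hours, logon failure patterns, attempts at privilege escalation) can be written as rules over an authentication and audit trail. The Python below is an added example, not part of the SANS deck. The key=value log format, the business-hours window, the failure threshold and the command watchlist are assumptions for the example and should be replaced by your own baselines; the users and hosts are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events in a key=value style (not real system logs). Two users
# behave normally; jdoe logs on to a file server at night and tries to add himself
# to the local administrators group; asmith's account sees a burst of failed logons.
SAMPLE_LOG = """\
2014-03-03T09:02:11 user=jdoe host=ws-jdoe event=logon result=success
2014-03-03T17:40:02 user=jdoe host=ws-jdoe event=logoff
2014-03-03T23:12:45 user=jdoe host=fs01 event=logon result=success
2014-03-03T23:14:03 user=jdoe host=fs01 event=command cmd="net localgroup administrators jdoe /add"
2014-03-03T23:30:00 user=asmith host=db01 event=logon result=failure
2014-03-03T23:30:20 user=asmith host=db01 event=logon result=failure
2014-03-03T23:31:05 user=asmith host=db01 event=logon result=failure
2014-03-03T23:31:40 user=asmith host=db01 event=logon result=failure
2014-03-03T23:32:15 user=asmith host=db01 event=logon result=failure
2014-03-03T23:33:01 user=asmith host=db01 event=logon result=success
2014-03-04T08:15:30 user=bwong host=ws-bwong event=logon result=success
2014-03-04T08:20:00 user=bwong host=ws-bwong event=logon result=failure
"""

TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BUSINESS_HOURS = range(7, 19)                       # 07:00-18:59; assumed, tune per team and site
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
# Illustrative watchlist of commands that grant or probe privilege; extend from your own baselines.
ESCALATION_RE = re.compile(r"\bnet\s+localgroup\s+administrators\b|\bnet\s+user\b.*/add\b|\bsudo\b", re.I)


def parse(line):
    """Split 'timestamp key=value key="quoted value"' into a dict."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for key, quoted, bare in TOKEN_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def analyze(log_text):
    """Return (rule, user, detail) alerts in log order."""
    alerts = []
    recent_failures = defaultdict(list)            # user -> failure timestamps inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "logon" and ev.get("result") == "success" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_logon", user, f"{ev['host']} at {ts.isoformat()}"))
        if ev["event"] == "logon" and ev.get("result") == "failure":
            window = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:      # fire once, when the threshold is first crossed
                alerts.append(("logon_failure_burst", user, f"{len(window)} failures on {ev['host']}"))
        if ev["event"] == "command" and ESCALATION_RE.search(ev.get("cmd", "")):
            alerts.append(("privilege_escalation_attempt", user, ev["cmd"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields four alerts: two off-hours logons, one privilege escalation attempt by jdoe, and one failure burst on asmith's account followed by a success, which is the sequence slide 16's root cause question (accidental, hijacked or deliberate) is asked about. bwong's single failed logon during business hours produces nothing.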
16. Operations for Insider Incidents
   • Response processes for insider incidents should include:
     – Inclusion of law enforcement (maybe) and HR/legal (definitely)
     – Rapid root cause analysis
       • Was it accidental? A system hijack? Or deliberate?
     – Account monitoring
     – Privilege revocation (maybe)
     – Equipment seizure when possible
     – Forensic analysis
     – Risk analysis

17. Web Application Incidents
   • Web app attacks are more common than ever
   • These attacks can lead to defacement and reputation impact, as well as data exposure
   • Application security often lags network and infrastructure controls
   • Many open source components, or products like CMS platforms, are notoriously vulnerable

18. Indicators of Web Application Incidents
   • Web application attacks and breaches may exhibit the following indicators:
     – Unusual behavior or crashes in applications
     – Web and app server logs of repeated access attempts
     – Web and app server logs of SQL syntax and/or scripting characters
     – IDS/IPS events for known app attacks
     – High local resource utilization on Web and app servers
     – Web app firewall events for behavioral or signature-based attacks
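Three of the indicators on slide 18 (repeated access attempts, SQL syntax or scripting characters in requests, and application errors) can be checked directly against the web server's access log. The Python below is an added example, not code from the deck. The log lines are constructed in Apache combined format using documentation IP ranges, and the rule set and thresholds are assumptions. It URL-decodes the request URI before matching, since attackers routinely encode quotes and angle brackets.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-format access log (documentation IP ranges, synthetic requests):
# an injection probe that causes 500s, a reflected-script probe, and a password-guessing
# run against /login that ends with a 302 (a successful logon).
ACCESS_LOG = """\
198.51.100.23 - - [04/Mar/2014:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Mar/2014:10:01:09 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Mar/2014:10:01:15 +0000] "GET /products?id=42%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Mar/2014:10:02:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210 "-" "curl/7.35.0"
203.0.113.9 - - [04/Mar/2014:10:02:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 2210 "-" "curl/7.35.0"
192.0.2.77 - - [04/Mar/2014:10:03:00 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.2.1"
192.0.2.77 - - [04/Mar/2014:10:03:01 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.2.1"
192.0.2.77 - - [04/Mar/2014:10:03:02 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.2.1"
192.0.2.77 - - [04/Mar/2014:10:03:03 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.2.1"
192.0.2.77 - - [04/Mar/2014:10:03:04 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.2.1"
192.0.2.77 - - [04/Mar/2014:10:03:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.2.1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Rules run against the URL-decoded URI so %27 / %3C encodings do not slip past them.
# These are illustrative patterns, not a complete WAF rule set.
ATTACK_RULES = {
    "sql_union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "sql_tautology": re.compile(r"['\"]\s*(or|and)\s+\S+\s*=\s*\S+", re.I),
    "sql_comment": re.compile(r"--|/\*"),
    "script_tag": re.compile(r"<\s*/?\s*script\b|javascript:|\bon(load|error|click|mouse\w*)\s*=", re.I),
}
REPEAT_THRESHOLD = 5      # same client, same method and path, this many times; assumed
ERROR_THRESHOLD = 2       # 5xx responses to one client; assumed


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_uri"] = unquote_plus(rec["uri"])
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text):
    """Return alert dicts: per-request injection hits, then per-client repeat and error counts."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    alerts = []
    for r in records:
        hits = sorted(name for name, rx in ATTACK_RULES.items() if rx.search(r["decoded_uri"]))
        if hits:
            alerts.append({"kind": "injection_pattern", "ip": r["ip"], "uri": r["decoded_uri"], "rules": hits})
    by_client_path = Counter((r["ip"], r["method"], r["uri"].split("?")[0]) for r in records)
    for (ip, method, path), n in by_client_path.items():
        if n >= REPEAT_THRESHOLD:
            alerts.append({"kind": "repeated_requests", "ip": ip, "uri": f"{method} {path}", "count": n})
    server_errors = Counter(r["ip"] for r in records if 500 <= r["status"] < 600)
    for ip, n in server_errors.items():
        if n >= ERROR_THRESHOLD:
            alerts.append({"kind": "server_errors", "ip": ip, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in analyze(ACCESS_LOG):
        print(alert)
```

The server_errors rule is the log-side version of "unusual behavior or crashes in applications": a client whose requests carry SQL syntax and are answered with 500s is a stronger signal than either observation alone, which is the correlation slide 19 asks for between the presentation tier and the persistence tier.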
19. Operations for Web Application Incidents
   • Response processes for Web App incidents may include:
     – Coordination with server operations/admin teams and possibly development teams
     – Web app firewall or application filtering commands/rules
     – Load balancer and proxy redirection and traffic control
     – Correlation between presentation-tier and persistence-tier (database) traffic and account data

20. Conclusion
   • There are a lot of ways to detect and respond to incidents today
   • Many types of incidents have common tools and processes
     – Most have their own specific differences, however
   • Security monitoring and response teams can always enhance their capabilities with new events, correlation, and IOCs from inside and outside their networks

21. A Unified Approach: AlienVault USM™ (powered by AV Labs Threat Intelligence)
   ASSET DISCOVERY
   • Active Network Scanning
   • Passive Network Scanning
   • Asset Inventory
   • Host-based Software Inventory
   VULNERABILITY ASSESSMENT
   • Continuous Vulnerability Monitoring
   • Authenticated / Unauthenticated Active Scanning
   BEHAVIORAL MONITORING
   • Log Collection
   • Netflow Analysis
   • Service Availability Monitoring
   THREAT DETECTION
   • Network IDS
   • Host IDS
   • Wireless IDS
   • File Integrity Monitoring
   SECURITY INTELLIGENCE
   • SIEM Event Correlation
   • Incident Response

22. Coordinated Analysis, Actionable Guidance
   Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
   • 200,000-350,000 IPs validated daily
   • 8,000 collection points
   • 140 countries
   Join OTX:

23. Questions? Q@SANS.ORG
   Thank You!
   Three Ways to Test Drive AlienVault USM
   • Download a Free 30-Day Trial
   • Try our Interactive Demo
   • Join us for a LIVE Demo!