Incident Response Requires Superhumans


Incident management and response is a highly specialized job requiring the information security professional to have multifaceted skills in technology, business, finance, HR and more. In fact, the incident response professional needs to know so much, in terms of technology, people skills and reaction time, that he/she might as well be a superhuman!


  1. Incident Response Requires Superhumans. Presented by Dinesh O Bareja & Vineet Kumar, Dubai, October 30, 2013
  2. 2010 (base year) • 2011 • 2012 ... NOW?
     Audience Profiling:
     • How many CISOs
     • How many IS Managers
     • How many pure play Incident Managers
     • How many CISO/ISM with IM responsibility
     • Do you sleep well …
  3. Agenda:
     • Overview: InfoSec Evolution / History
     • Exponentially Growing Expectations
     • Superhumans in Enterprise and LEA
     • Superhuman: why, how..
     • Today's Takeaway – Risks and being a SH
  4. Even a young man has to use a walking stick! Technology advancement has brought about dramatic change in life and work and continues its march of dynamic growth. It was an era of innocence and invention when computing started, up to the time when the internet was unveiled. Over the years it has metamorphosed into a force we are still trying to understand and has brought with it 'great expectations' from the human beings who are in charge!
  5. (Comic image; source path as extracted: /26/the-evolution-of-essentials-comic/)
  6. (Comic image, continued; source path as extracted: /26/the-evolution-of-essentials-comic/)
  7. Jokes apart, coming back to serious business.. To relive the past, we will (briefly) look at the growth, maturity and metamorphoses of some practices, solutions, strategies and technologies.
  8. • Information Security yet to be discovered, but phone phreaking was around
     • Security meant securing areas where computers were housed
     • System security meant administrator control on who could write – edit – delete data
     • Data breach prevention was through controlled access to the printer room
     • Compliance was the accountant's job
  9. • Ides of March 1992 – Michelangelo virus
     • Y2K
     • 1994 ISACA (from earlier avatars of '67, '69)
     • Viruses to APTs
     • Security lives are ruled by GRC, CIA Triad, PDCA Cycle, MM, ROSI, KPI
     • Compliance means regulatory and internal policies and audit findings
  10. These all morph into professional art forms … Risk Management, Incident Management, Configuration Management, Problem… Patch… Access… Change…
  11. Virus – Worm – Trojan – Malware – Rootkit – Backdoor – Botnets – APT
      NMS – SIEM – Network Forensics
      Simple Access Control – IDAM / SSO / Privilege User Management / Provisioning…
      LAN, WAN, Virtualization, Fabric, Wireless, Cloud
      dBase, Lotus, Access, Excel, MS SQL, MySQL, Oracle
  13. • Illiterate messengers deliver written messages so they cannot copy or read
      • Cutting off a messenger's tongue to disable gossip risk
      • Da Vinci's 'cryptex' device
      • Shoot the messenger
      • Encrypted messages, smoke signals
      • Eunuchs to protect harems
  15. (Word cloud image; words: risks – tech / business, flight timings, sales, what phone to buy/gift, global events, how to do a web checkin, gadgets, people issues, enterprise targets, enterprise finance, all processes, business, onboarding / exits, background checks, compliance, liabilities, IT, networks, org growth, systems, contribute ideas, email. Image © freedigitalphotos, royalty-free, attribution.)
  16. In fact the CISO is still a combined responsibility in a number of small / mid-sized organizations
  20. Agenda:
      • Overview: InfoSec Evolution / History
      • Exponentially Growing Expectations (current section)
      • Superhumans in Enterprise and LEA
      • Superhuman: why, how..
      • Today's Takeaway – Risks and being a SH
  25. • Standards: ISO27001, ITIL, ISO20000, ISO22301, OWASP Top 10, SOX, SSAE16/SAS-70, HIPAA.. + regulatory requirements + policies
      • SANS-CSC…. According to SANS, ~73% of respondents are aware of SANS-CSC and have adopted or are planning to… and the primary driver is to improve enterprise visibility and reduce security incidents
  26. SANS Critical Security Controls:
      1. Inventory of Authorized and Unauthorized Devices
      2. Inventory of Authorized and Unauthorized Software
      3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
      4. Continuous Vulnerability Assessment and Remediation
      5. Malware Defenses
      6. Application Software Security
      7. Wireless Device Control
      8. Data Recovery Capability
      9. Security Skills Assessment and Appropriate Training to Fill Gaps
      10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
      11. Limitation and Control of Network Ports, Protocols, and Services
      12. Controlled Use of Administrative Privileges
      13. Boundary Defense
      14. Maintenance, Monitoring, and Analysis of Audit Logs
      15. Controlled Access Based on the Need to Know
      16. Account Monitoring and Control
      17. Data Loss Prevention
      18. Incident Response and Management
      19. Secure Network Engineering
      20. Penetration Tests and Red Team Exercises
  27. Agenda:
      • Overview: InfoSec Evolution / History
      • Exponentially Growing Expectations
      • Superhumans in Enterprise and LEA (current section)
      • Superhuman: why, how..
      • Today's Takeaway – Risks and being a SH
  29. What the enterprise Incident Manager is expected to know:
      • Company Policies, DR
      • Analytical Tools: RCA, SWOT etc
      • Business Operations & Depts
      • IT Operations
      • Applicable Laws, Regulations
      • Databases
      • Applications
      • Hardware
      • Malware, APT
      • Forensics investigation
      • Forensic analysis
      • Evidence collection, preservation..
      • SIEM, DLP, IPS/IDS, UTM
      • Log Analysis
      • Phishing
      • Windows, Linux (AIX, UX, MacOS)
      • Android, iOS, Symbian, BB
      • Mobile devices incl laptops
      • Network devices – firewalls etc
      • Configuration and hardening
      • Know all patches from year 0 (BC)
      • VAPT
      • Web servers, AD, MS Exchange …
      • more….
  30. • Can work under pressure
      • Can go on without sleep, food or..
      • Can walk in sleep
      • Excellent communication skills
      • Can win over and influence anyone
      • Multi-lingual: geekspeak, normal-speak, baby-speak
  31. • Life is a bummer
      • One has to have all that the IM has…. Plus:
      • Deep knowledge and understanding of Law (domestic/international) and statutes
      • Criminal modus operandi
      • ATM, credit cards, financial fraud, email, internet banking, data breach, IP theft, espionage, social media crimes
  32. • Traditional Policing +
      • Cyber Crime Investigation
      • Cyber Security & Cyber Forensics
      • Cyber Forensics (Network, Mobile, Cloud etc)
      • Reverse Engineer & Troubleshooter
      • Evidence Handling & presentation in the court of law
      • Cyber Intelligence, Social Media Intel
      • Security Researcher
      • WhatsApp, WeChat, Viber
      • Interception
      • Excellent Presenter
      • Trainer
      • Participating in International & National Conferences
      • CDR, Tower dump analysis, location mapping
      • CCTV camera recording recovery
  33. • Good Negotiator, Facilitator
      • Can pitch for funds
      • Prepare RFPs
      • Event Manager
      • Response in a flash expected
      • Good magician (cracking symmetric, asymmetric encryption, password hashes within seconds)
      • Software Developer, Programmer
      • And the list goes on……
  37. Incident response lifecycle (table image): Pre-Incident Preparation → Response → Post-Incident. Activities shown: Identify Legal, Regulatory Obligations; Contain, Restore, Quarantine; Clean Up and Dispose; Evidence Collection; Root Cause Analysis; Identify Weaknesses; Recommend Changes; Forensic Response; Update CMDB, Risk Register; Policy Development; Governance and Awareness; CERT Enablement; Threat Intelligence; Tabletop Testing; Advanced Threat Preparedness; Vendor Enablement; Communication Plan; Disciplinary Actions, Report to LEA
  40. LEA crime (incident) response lifecycle (table image): Preventive Activities → Technology → Crime (Incident) Response → Post-Incident. Activities shown: Crime / Threat Intelligence; Complaint Registration; Chain of Custody; Response Team Training; Categorization & Case Assignment; Crime Scene Visit, Evidence Collection; Evidence Integrity; Arrests and Case Filing; Information Sharing; Technical Investigation; Forensic Investigation; Advisories and Awareness; International Vectors; Data Extraction; Departmental Report; Citizen Outreach; Domestic Vectors; Forensic Analysis; Statistical Update; Obtain Service Provider Evidence; Analysis and Report Preparation
  41. • 6 complaints get registered daily on our helplines
      • 1.5 Crore Fraud
      • Cyber Stalking – Big Boss Contestant, Aashka Garodia
      • Email Threats – Anil Ambani
      • Facebook Case (Fake Profile, Confession Pages, Fraud Pages)
      • Cases reported statewide
      • Nigerian Scam
      • Credit / Debit Card Frauds
      • POS fraud – Car polish Scam
      • Cyber Attacks: Botnet, DOS, DDOS
  42. • Day to day traditional crime control
      • Crime investigation (Murder, Dacoity, Stalking, Threats etc)
      • Raids
      • Interrogation
      • Intelligence Gathering
      • Chain of custody
      • Presentation in the court of law
  43. • MS in Information & Cyber Forensics
      • Well versed with the latest technologies and research
      • Programmer
      • Malware Researcher
  44. Agenda:
      • Overview: InfoSec Evolution / History
      • Exponentially Growing Expectations
      • Superhumans in Enterprise and LEA
      • Superhuman: why, how.. (current section)
      • Today's Takeaway – Risks and being a SH
  46. • Build threat intelligence capability
      • Subscribe to mailing lists, attend conferences, read, get certified, write
      • Automate network monitoring with NMS, DLP, SIEM, Network Forensics etc
      • Risk, Threat and Vulnerability Management
      • Information Sharing
      • Breach advisories and CERT bulletins
  47. • The Incident Manager is informed about an incident and decides whether it is an incident or not before blowing the whistle!
      • Sets incident priority
      • Triage
      • Pray!
  48. • Set up war room
      • Mobilize cross-functional IM team
      • Roll out containment procedures
      • Initiate communication plan
      • Mobilize vendors
      • Follow up with recovery and eradication procedures
      • Visit incident site, collect and save evidence
  49. • Forensic Analysis
      • Reporting to Authorities and Police
      • Internal Root Cause Analysis
      • Prepare Management Report
      • Recommendations for improvement
      • Obtain permissions and budget
      • Update systems, policies and controls
  53. • PhD/MS in Information Security
      • Cyber Security Researcher
      • Knowledge about 0-days, APTs, Vulnerability Assessment, Penetration Testing, Source Code Auditing, Web
      • Data Analytics
      • Big Data
      • Cloud Computing
      • Cyber Security
      • Cyber Defence
      • Cyber Forensics (Network, Mobile, Tablet, Satphones, Gogles)
      • Cyber law Expert
  54. Agenda:
      • Overview: InfoSec Evolution / History
      • Exponentially Growing Expectations
      • Superhumans in Enterprise and LEA
      • Superhuman: why, how..
      • Today's Takeaway – Risks and being a SH (current section)
  55. • Capability and capacity development in the private sector is slow, and in the government sector it is slower
      • Skills required are multi-faceted and can ONLY be acquired by hard-core, practical, on-the-job, hands-on experience
      • Institutes and training programs are yet to be developed to impart some skills, or to show the path to aspirants
  57. In the near future, a bigger challenge: Internet of Things
  60. • Re-learn continuous learning … you did it passionately when you were junior, you did it to rise – then why did you stop!
      • Recognize your skill and strength…. Information Security is not an apology. It is no longer a support function for a support function. It is an essential function and it is high time this is recognized by management
  61. Information / Data Security is a dynamic domain, constantly changing hues and continually exciting. Practitioners, researchers, hackers and auditors constantly face up to new challenges.
  62. And we want to take this opportunity to present our unit – Cyber Defence Research Centre & Cyber Peace Foundation
  63. CDRC is a joint initiative of the Government of the State of Jharkhand (India) and Jharkhand Police. The unit has been operational since January 2012. It is the first organization of its kind in the country, and (probably) the ninth in the world.
  65. CDRC functions diagram (image): PROTECTION, DETECTION, PREVENTION, INVESTIGATION, EDUCATION. Programs shown:
      • Technology Research, System Dev & Deployment
      • Cyber Patrol
      • eSamadhan – Citizen Outreach, Tollfree Helpline
      • LEA Training, Capacity & Capability Building
      • Statewide Security Awareness program for children, citizens, industry
      • CDR Analysis, IMS, Cyber Lab, VA/PT, AppSec, Digital Forensics
      • eRaksha
      • Intelligence Gathering, Honeynets
      • JH CERT – Incident Response, Advisories, Responsible Disclosure
      • eKavach – Critical Infrastructure Protection: Training, Intel, Response and Knowledge Sharing
  66. CDRC areas of work (table image):
      • Law Enforcement: Investigation, Response, Evidence Gathering, Forensics, Cyber Policing
      • Jharkhand Secure State: Infrastructure Protection, Departmental IT Security, State CERT
      • Technical Services: VA/PT, Application Security Testing, Technology Evaluation
      • Training: State Police, Judiciary and Govt, CID, CBI, NPA, IB
      • Public Outreach: Awareness, Toll free helpline, eSamadhan, Cyber café controls, ATM security
      • Research: Cyber Patrol, India Honeynetwork, SCADA and Spam Honeynets
      • National Security: National Infrastructure Protection under CIIP, Responsible Disclosure
  67. CDRC timeline (image, 2012 onwards; items listed under the month label that precedes them in the extracted text):
      • 09 JANUARY 2012: Formation Day
      • JANUARY: High profile cases – Hazaribagh (Sonia Gandhi email threat); Testing Vulnerability disclosure system
      • FEBRUARY: Launch eSamadhan, manual CDR analysis, IMEI database, Lost mobile cases; Establishment Planning; System Development: Internet Monitoring System and CDR + Location Mapping Analysis System; Program Launches: Judiciary Training, "eKavach" Critical Infrastructure Protection, Online knowledge base for Cyber café owners re open source, Bi-lingual safety guidelines for Government employees, parents and children
      • MARCH: Jharkhand Cyber Café Rules sent to Home Dept; Development of cyber café software and Cyber Café guidelines for owners; eRaksha program launched; Event Partner c0c0n 2012, Thiruvananthpuram
      • APRIL: Moved into CDRC Building, PHQ Ranchi
      • MAY: ATM, Cyber Café statewide Threat Survey; Wi-fi war driving; Case: Interstate credit card fraudsters interrogated; Disclosure – threat to CBI central server; Team training for forensics tools; ISO 27001 Audit of Police Data Center; Internal team training; Joint Meeting – Home Dept, SB Jharkhand Police, All Banks
      • JUNE: eKavach onsite assessment at HEC; CID Training launch; India honeynetwork setup with five sensors; CISF, RPF training; ATS interaction re cyber security
      • JULY / AUGUST: (labels present, no items extracted)
      • SEPTEMBER: Cyber Lab setup plan at PTC; Development for Responsible Disclosure system; Training delivery at NPA
      • OCTOBER: SCADA honeypot development
      • NOVEMBER: Team Augmentation and orientation
      • DECEMBER: Citizen Helpline toll free number activated 1800-3456-533
  68. CDRC activities:
      • Cyber Surveillance, Social Media Intelligence: Internet Monitoring, Social media Intelligence, Inputs from cyber patrol and threat intelligence, Intelligence from Social media (Orkut, Facebook, Linkedin, Twitter etc.)
      • Critical Infrastructure Protection: Inventory, response procedures and proactive security training
      • Responsible Disclosure and Threat Intelligence: Vulnerability disclosure and intelligence information to affected parties
      • Public Helpline: Web based and toll free helpline
      • Research: Indian Honeynet collection and malware analysis
      • Cyber Patrol: Underground intelligence gathering activities
  70. • Cyber Peace Foundation, an NGO founded by senior officials of Jharkhand Police and experts, promotes information sharing between LEAs across countries and public-private partnership (PPP) through its Cyber Bridge program
      • Revealed for the first time today at ISACA Dubai
      • We request all your support for this organization
  71. ABOUT US / CONTACT INFORMATION
  72. Dinesh O Bareja
      • Professional Positions
        • Pyramid Cyber Security & Forensics (Principal Advisor)
        • Jharkhand Police (Cyber Surveillance Advisor)
        • Open Security Alliance (Principal and CEO)
        • Bombay Stock Exchange (IGRC Technical Member)
        • Indian Honeynet Project (Founder)
      • Professional skills and special interest areas
        • Govt & Enterprise – Security Consulting, Advisory, Strategy, Architecture, Analysis, Policy Development, Optimization
        • Technologies – SOC, DLP, IRM, SIEM…
        • Practices – Incident Response, SAM, Forensics, Regulatory guidance, Government
        • Blogger, occasional columnist, wannabe photographer, research & survey
  73. Contact Information
      • E:
      • T: +91.9769890505
      • Twitter: @bizsprite
      • Facebook: dineshobareja
      • L:
      • Also on Slideshare and Flickr
      Acknowledgements & Disclaimer: Various resources on the internet have been referred to, to contribute to the information presented here. Images have been acknowledged where possible and if we have infringed on your rights it is unintentional – we assure you the immediate removal, on being notified, of any infringing material. The use (if any) of company names, brand names, trade marks is only to facilitate understanding of the message being communicated – no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. We apologize for any infraction, as this will be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s). A newer version of this presentation will be uploaded to Slideshare (dineshobareja).
  74. Vineet Kumar
      • Professional Positions
        • Jharkhand Police – CTO & Head of CDRC
        • Cyber Peace Foundation – President (Honorary)
        • National Anti-Hacking Group (Founder)
        • Security Pulse – Honorary Advisor
        • Darnster – Honorary Advisor & Mentor
        • Attify – Honorary Advisor
        • Visiting Faculty for International & National Universities/Institutions such as National Police Academy, Railway Staff College, College of Military Engineering, Indian Institute of Management, Indian Institute of Technology, Government of Gujarat
      • Professional skills and special interest areas
        • Ethical hacking, cybercrime, Cyber Intelligence, Cyber Forensics
        • Intelligence, Forensics, Cyber Security, Cyber Defence, Cyber Crime Investigation, Cyber Peace
  75. • Awards: 6 international, 11 national and 15 state level awards & honors
      • Contact Information
        • Email:
        • Phone: +91-9570000065
        • L:
  76. References:
      • ENISA
      • port/incident-management
      • GoalOrientedEvolution
      • NIST
      • telligent-systems/iot/internet-of-thingsinfographic.html
      • Google, Bing