Incident Response Requires Superhumans

Incident Response
Requires Superhumans
Presented by

Dinesh O Bareja
&
Vineet Kumar
Dubai, October 30, 2013

• 2010 (base year)
• 2011
• 2012 ... NOW ?

Incident Response Requires Superhumans

Audience Profiling

• How many CISOs
• How many IS Managers
• How many pure play Incident Managers
• How many CISO/ISM with IM responsibility
()
• Do you sleep well …

• Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH


Even a young
man has to use
a walking stick !

Technology advancement has brought about dramatic change
in life and work and continues it’s march of dynamic growth
It was an era of innocence and invention when computing
started upto the time when the internet was unveiled

Over the years it has metamorphosed into a force we are still
trying to understand and has brought with it ‘great
expectations’ from the human beings who are in charge!

http://www.geeksaresexy.net/2013/04
/26/the-evolution-of-essentials-comic/


Jokes apart, coming back to serious business..
To relive the past, we will (briefly) look at the
growth, maturity and metamorphoses of some
practices, solutions, strategies and technologies.


• Information Security yet to be discovered
but phone phreaking was around
• Security meant securing areas where
computers were housed
• System security meant administrator control
on who could write – edit – delete data
• Data breach prevention was through
controlled access to printer room
• Compliance was the accountants job

• Ides of March1992 – Michaelangelo virus
• Y2K
• 1994 ISACA (from earlier avatars of ’67, ‘69)
• Viruses to APTs
• Security lives are ruled by GRC, CIA Triad,
PDCA Cycle, MM, ROSI, KPI
• Compliance means regulatory and internal
policies and audit findings

• These all morph into professional art forms …
Risk Management, Incident Management,
Configuration Management, Problem…
Patch… Access… Change…


Virus – Worm – Trojan - Malware – Rootkit –
Backdoor - Botnets - APT
NMS – SIEM – Network Forensics
Simple Access Control – IDAM / SSO / Privilege
User Management / Provisioning…
LAN, WAN, Virtualization, Fabric, Wireless, Cloud
dBase, Lotus, Access, Excel, MS SQL, MySQL,
Oracle

http://movetheworld.wordpress.com/2008/01/16/evolution-of-information-security-technologies/

• Illiterate Messengers deliver written
messages so they cannot copy or read
• Cutting off a messenger’s tongue to disable
gossip risk
• Da Vinci’s ‘cryptex’ device
• Shoot the messenger
• Encrypted messages, smoke signals
• Eunuchs to protect Harems

risks – tech / business

flight timings

sales

what phone to buy/gift

global events

how to do a web checkin

gadgets

…….

people issues

enterprise targets
enterprise finance
all processes

business

onboarding /exits
background checks

compliance liabilities

IT networks
org growth

systems
© freedigitalphotos (royaltyfree, attribution)

contribute ideas
email


In fact the
CISO is still a
combined
responsibility
in a number of
small / midsized
organizations


•Exponentially Growing
Expectations


• Standards : ISO27001, ITIL, ISO20000,
ISO22301, OWASP Top 10, SOX, SSAE16/SAS-70, HIPAA.. + regulatory
requirements + policies
• SANS-CSC…. According to SANS ~73%
respondents are aware of SANS-CSC and
have adopted or are planning to… and the
primary driver is to improve enterprise
visibility and reduce security incidents

1.

2.
3.
4.
5.
6.
7.
8.
9.
10.

Inventory of Authorized and
Unauthorized Devices
Inventory of Authorized and
Unauthorized Software
Secure Configurations for Hardware
and Software on Mobile Devices,
Laptops, Workstations, and Servers
Continuous Vulnerability Assessment
and Remediation
Malware Defenses
Application Software Security
Wireless Device Control
Data Recovery Capability
Security Skills Assessment and
Appropriate Training to Fill Gaps
Secure Configurations for Network
Devices such as Firewalls, Routers, and
Switches

11.

12.
13.
14.
15.
16.

17.
18.
19.

20.

Critical Control 11: Limitation and Control of
Network Ports, Protocols, and Services
Critical Control 12: Controlled Use of
Administrative Privileges
Critical Control 13: Boundary Defense
Critical Control 14: Maintenance,
Monitoring, and Analysis of Audit Logs
Critical Control 15: Controlled Access Based
on the Need to Know
Critical Control 16: Account Monitoring and
Control
Critical Control 17: Data Loss Prevention
Critical Control 18: Incident Response and
Management
Critical Control 19: Secure Network
Engineering
Critical Control 20: Penetration Tests and
Red Team Exercises



•Superhumans in
Enterprise and LEA


•
•
•
•
•
•
•
•
•
•
•
•

Company Policies, DR
Analytical Tools: RCA, SWOT etc
Business Operations & Depts
IT Operations
Applicable Laws, Regulations
Databases
Applications
Hardware
Malware, APT
Forensics investigation
Forensic analysis
Evidence collection, preservation..

•
•
•
•
•
•
•
•
•
•
•
•

SIEM, DLP, IPS/IDS, UTM
Log Analysis
Phishing
Windows, Linux (AIX, UX, MacOS)
Android, iOS, Symbian, BB
Mobile devices incl laptops
Network devices – firewalls etc
Configuration and hardening
Know all patches from year 0 (BC)
VAPT
Web servers, AD, MS Exchange
… more….


• Can Work under pressure
• Can go on without sleep, food or..
• Can walk in sleep
• Excellent communication skills
• Can win over and influence anyone
• Multi-lingual: geekspeak, normal-speak,
baby-speak


• Life is a bummer
• One has to have all that the IM has…. Plus:
• Deep knowledge and understanding of
Law (domestic/international) and statutes
• Criminal modus operandi
• ATM, Credit cards, financial fraud, email,
internet banking, data breach, IP theft,
espionage, social media crimes

• Traditional Policing

+

• Cyber Crime Investigation
• Cyber Security & Cyber
Forensics
• Cyber Forensics (Network,
Mobile, Cloud etc)
• Reverse Engineer &
Troubleshooter
• Evidence Handling &
presentation in the court of
law

• Cyber Intelligence, Social
Media Intel
• Security Researcher
• WhatsApp, Wechat, Viber
• Interception
• Excellent Presenter
• Trainer
• Participating in
International & National
Conferences
• CDR, Tower dump analysis,
location mapping
• CCTV Camera recording
recovery


• Good Negotiator, Facilitator
• Can Pitch for Funds
• Prepare RFP’s
• Event Manager
• Response in a flash expected
• Good magician (cracking Symmetric,
Asymmetric encryption, password hashes
within seconds)
• Software Developer, Programmer
• And the list goes on……

PRE-INCIDENT PREPARATION

RESPONSE

POST-INCIDENT

Identify Legal, Regulatory Obligations

Contain, Restore,
Quarantine

Clean Up and
Dispose

Evidence
Collection

Root Cause
Analysis

Identify
Weaknesses

Recommend
Changes

Forensic
Response

Update CMDB,
Risk Register

Policy
Development

Governance and
Awareness

CERT
Enablement

Threat
Intelligence

Tabletop Testing

Advanced Threat
Preparedness

Vendor
Enablement

Communication
Plan

Disciplinary Actions, Report to LEA


PREVENTIVE
ACTIVITIES

TECHNOLOGY CRIME (INCIDENT)
RESPONSE

POST-INCIDENT

Crime /Threat
Intelligence

Complaint Registration

Chain of
Custody

Response Team
Training

Categorization & Case Assignment

Crime Scene Visit, Evidence Collection

Evidence
Integrity
Arrests and
Case Filing

Information
Sharing

Technical
Investigation

Forensic
Investigation

Advisories and
Awareness

International
Vectors

Data
Extraction

Departmental
Report

Citizen
Outreach

Domestic
Vectors

Forensic
Analysis

Statistical
Update

Obtain Service Provider Evidence
Analysis and Report Preparation


•
•
•
•
•

•
•
•
•
•

6 complaints gets registered daily on our helplines
1.5 Crore Fraud
Cyber Stalking – Big Boss Contestant, Aashka Garodia
Email Threats – Anil Ambani
Facebook Case ( Fake Profile, Confession Pages, Fraud
Pages)
Cases reported statewide
Nigerian Scam
Credit / Debit Card Frauds
POS fraud – Car polish Scam
Cyber Attacks: Botnet, DOS, DDOS

• Day to Day traditional crime control
• Crime investigation (Murder, Dacoity,
Stalking, Threats etc)
• Raids
• Interrogation
• Intelligence Gathering
• Chain of custody
• Presentation in the court of law

• MS In Information & Cyber Forensics
• Well versed with the latest technologies and
research
• Programmer
• Malware Researcher



•Superhuman: why, how..


• Build threat intelligence capability
• Subscribe to mailing lists, attend
conferences, read, get certified, write
• Automate network monitoring with NMS,
DLP, SIEM, Network Forensics etc
• Risk Threats and Vulnerability Management
• Information Sharing
• Breach advisories and CERT bulletins

• The Incident Manager is informed about an
incident and decides whether it is an
incident or not before blowing the
whistle !
• Sets Incident priority
• Triage
• Pray !


• Set up war room
• Mobilize cross functional IM team
• Rollout containment procedures
• Initiate Communication plan
• Mobilize vendors
• Follow up with recovery and eradication
procedures
• Visit incident site, collect and save evidence

• Forensic Analysis
• Reporting to Authorities and Police
• Internal Root Cause Analysis
• Prepare Management Report
• Recommendations for improvement
• Obtain permissions and budget
• Update systems, policies and controls

• Phd/MS in Information Security
• Cyber Security Researcher
• Knowledge about 0 Days, APTs, Vulnerability Assessment,
Penetration Testing, Source Code Auditing, Web
• Data Analytics
• BigData
• Cloud Computing
• Cyber Security
• Cyber Defence
• Cyber Forensics (Network, Mobile, Tablet, Satphones, Gogles)
• Cyber law Expert



•Today’s Takeaway – Risks
and being a SH

• Capability and Capacity development in
Private sector is slow and in Government
sector it is slower
• Skills required are multi faceted and can
ONLY be acquired by hard core practical
on-the-job hands-on experience
• Institutes and training programs yet to be
developed to impart some skills, or, show
the path to aspirants

risks – tech / business

flight timings

sales

what phone to buy/gift

global events

…….

gadgets

…….

people issues

enterprise targets
enterprise finance
all processes

business

onboarding /exits
background checks

compliance liabilities

IT networks
org growth

systems
© freedigitalphotos (royaltyfree, attribution)

contribute ideas
email


In the near future, a bigger challenge:
Internet of Things


http://www.intel.com/content/www/us/en/intelligent-systems/iot/internet-of-things-infographic.html

• Re-learn continuous learning … you did it
passionately when you were junior, you
did it to rise – then why did you stop!
• Recognize your skill and strength….
Information Security is not an apology. It is
no longer a support function for a support
function. It is an essential function and high
time this is recognized by management

Information / Data Security is a
dynamic
domain,
constantly
changing hues and continually
exciting.

Practitioners, researchers, hackers,
auditors constantly face up to
new challenges


And we want to take
this opportunity to
present our unit – Cyber
Defence Research
Centre & Cyber Peace
Foundation

CDRC is a joint initiative of the Government of
the State of Jharkhand (India) and Jharkhand
Police.
The unit is operational since January 2012.
It is the first of it’s kind organization in the
country, and (probably) the ninth in the
world

Technology Research,
System Dev & Deployment

Cyber Patrol

eSamadhan
Citizen Outreach Tollfree
Helpline

PROTECTION

DETECTION

LEA Training,
Capacity &
Capability
Building

Statewide Security
Awareness program
for children,
citizens, industry

CDR Analysis, IMS,
Cyber Lab, VA/PT,
AppSec, Digital
Forensics

1

EDUCATION
eRaksha

Intelligence Gathering,
Honeynets

PREVENTION

INVESTIGATION

JH CERT
Incident Response,
Advisories,
Responsible Disclosure

eKavach
Critical Infrastructure
Protection – Training,
Intel, Response and
Knowledge Sharing

Law Enforcement

Investigation, Response, Evidence Gathering, Forensics, Cyber Policing

Jharkhand Secure

State Infrastructure Protection, Department al IT Security, State CERT

Technical Services

VA/PT, Application Security Testing, Technology Evaluation

Training
Public Outreach
Research

National Security

State Police, Judiciary and Govt, CID, CBI, NPA, IB,

Awareness, Toll free helpline, eSamadhan, Cyber café controls, ATM security

Cyber Patrol, India Honeynetwork, SCADA and Spam Honeynets,

National Infrastructure Protection under CIIP, Responsible Disclosure


OCTOBER
SCADA honeypot
development

AUGUST

APRIL
Moved into CDRC
Building, PHQ
Ranchi

FEBRUARY
Launch eSamadhan,
manual CDR analysis,
IMEI database, Lost
mobile cases
Establishment Planning
System Development:
Internet Monitoring
System and CDR +
Location Mapping
Analysis System

Program Launches:
- Judiciary Training
- “eKavach” Critical
Infrastructure
Protection
- Online knowledge
base for Cyber café
owners re open
source
- Bi lingual safety
guidelines for
Government
employees, parents
and children

JUNE
eKavach onsite
assessment at HEC

CID Training launch

India honeynetwork setup
with five sensors
CISF, RPF training
ATS interaction re cyber
security

NOVEMBER

Team Augmentation
and orientation

2012
09 JANUARY
Formation Day

MARCH
Jharkhand Cyber Café Rules
sent to Home Dept
Development of cyber café
software and Cyber Café
guidelines for owners

eRaksha program
launched

Event Partner
c0c0n 2012 ,
Thiruvananthpuram

MAY
ATM, Cyber Café
statewide Threat
Survey
Wi-fi War driving

Case: Interstate
credit card fraudsters
interrogated
Disclosure – threat to
CBI central server

Team training for
forensics tools

ISO 27001 Audit of Police Data
Center
Internal team training

Joint Meeting – Home
Dept, SB Jharkhand
Police, All Banks

JULY

JANUARY
High profile cases –
Hazaribagh (Sonia
Gandhi email threat)

Testing Vulnerability
disclosure system


SEPTEMBER
Cyber Lab setup
plan at PTC
Development for
Responsible
Disclosure system
Training delivery at
NPA

DECEMBER
Citizen Helpline
Toll free number
activated
1800-3456-533

Cyber Surveillance,
Social Media
Intelligence

Internet Monitoring, Social media Intelligence, Inputs
from cyber patrol and threat intelligence, Intelligence
from Social media (Orkut, Facebook, Linkedin, Twitter
etc.)

Critical Infrastructure
Protection

Inventory, response procedures and proactive security
training

Responsible Disclosure Vulnerability disclosure and intelligence information to
and Threat Intelligence affected parties
Public Helpline

Web based and toll free helpline

Research

Indian Honeynet collection and malware analysis

Cyber Patrol

Underground intelligence gathering activities

• Cyber Peace foundation, a NGO is founded by
senior officials of Jharkhand Police & experts to
promote information sharing between LEA
across countries to promote the public and
private partnership through it’s Public & Private
Partnership(PPP) through it’s Cyber Bridge
program
• Revealed for the first time today at ISACA Dubai
• Request all your support for this organization

ABOUT
US
CONTACT
INFORMATION

• Professional Positions

•
•
•
•
•

Pyramid Cyber Security & Forensics (Principal Advisor)
Jharkhand Police (Cyber Surveillance Advisor)
Open Security Alliance (Principal and CEO)
Bombay Stock Exchange (IGRC Technical Member)
Indian Honeynet Project (Founder)

• Professional skills and special interest areas

• Govt & Enterprise - Security Consulting, Advisory, Strategy,
Architecture, Analysis, Policy Development, Optimization
• Technologies - SOC, DLP, IRM, SIEM…
• Practices - Incident Response, SAM, Forensics, Regulatory
guidance, Government
• Blogger, Occasional columnist, wannabe photographer, research & survey

Contact Information
E: dinesh@opensecurityalliance.org

T: +91.9769890505

Twitter: @bizsprite

Facebook: dineshobareja

L: http://in.linkedin.com/in/dineshbareja

Also on Slideshare and Flickr

Acknowledgements & Disclaimer
Various resources on the internet have been referred to, to contribute to the information
presented here. Images have been acknowledged where possible and if we have infringed
on your rights it is unintentional – we assure you the immediate removal on being notified, of
any infringing material. The use (if any) of company names, brand names, trade marks is only
to facilitate understanding of the message being communicated - no claim is made to
establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise
mentioned. We apologize for any infraction, as this will be wholly unintentional, and
objections may please be communicated to us for remediation of the erroneous action(s).

A newer version of this presentation will be uploaded to Slideshare (dineshobareja).


• Professional Positions

•
•
•
•
•
•
•

Jharkhand Police – CTO & Head of CDRC
Cyber Peace Foundation – President (Honorary)
National Anti-Hacking Group (Founder)
Security Pulse – Honorary Advisor
Darnster – Honorary Advisor & Mentor
Attify – Honorary Advisor
Visiting Faculty for International & National Universities/Institutions
such as National Police Academy, Railway Staff College, College of
Millitary Engineering, Railway Staff College, Indian Institute of
Management, Indian Institute of Technology, Government of Gujarat

• Professional skills and special interest areas

• Ethical hacking, cybercrime, Cyber Intelligence, Cyber Forensics
• Intelligence, Forensics, Cyber Security, Cyber Defence, Cyber Crime
Investigation, Cyber Peace

• Awards

6 International, 11 National and 15 state level awards &
honors’
• Contact Information

• Email: cto@jhpolice.gov.in
• Phone: +91-9570000065
• L: http://in.linkedin.com/in/vineet707


• ENISA
• http://www.enisa.europa.eu/activities/cert/sup
port/incident-management
• http://tvtropes.org/pmwiki/pmwiki.php/Main/
GoalOrientedEvolution
• NIST
• http://www.intel.com/content/www/us/en/in
telligent-systems/iot/internet-of-thingsinfographic.html
• Google, Bing

Incident Response Requires Superhumans

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (7)

Similar to Incident Response Requires Superhumans

Similar to Incident Response Requires Superhumans (20)

More from Dinesh O Bareja

More from Dinesh O Bareja (8)

Recently uploaded

Recently uploaded (20)

Incident Response Requires Superhumans