This document provides an overview of an incident response presentation on the topic of "Incident Response Requires Superhumans". It discusses how expectations for incident response have grown exponentially with technology advancement. It outlines some of the multi-faceted skills and expertise required of incident response professionals, including deep technical knowledge across many domains as well as soft skills like communication and working under pressure. The document cautions that developing capable incident response teams is challenging due to the hands-on experience required and calls for continuous learning to address the dynamic nature of the field.
2. • 2010 (base year)
• 2011
• 2012 ... NOW ?
Incident Response Requires Superhumans
Audience Profiling
• How many CISOs
• How many IS Managers
• How many pure play Incident Managers
• How many CISO/ISM with IM responsibility
• Do you sleep well …
3. • Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
4. Even a young man has to use a walking stick!
Technology advancement has brought about dramatic change in life and work and continues its march of dynamic growth.
It was an era of innocence and invention when computing started, up to the time when the internet was unveiled.
Over the years it has metamorphosed into a force we are still trying to understand and has brought with it ‘great expectations’ from the human beings who are in charge!
7. Jokes apart, coming back to serious business..
To relive the past, we will (briefly) look at the growth, maturity and metamorphoses of some practices, solutions, strategies and technologies.
8. • Information Security yet to be discovered, but phone phreaking was around
• Security meant securing areas where computers were housed
• System security meant administrator control on who could write – edit – delete data
• Data breach prevention was through controlled access to the printer room
• Compliance was the accountant’s job
9. • Ides of March 1992 – Michelangelo virus
• Y2K
• 1994 ISACA (from earlier avatars of ’67, ‘69)
• Viruses to APTs
• Security lives are ruled by GRC, CIA Triad, PDCA Cycle, MM, ROSI, KPI
• Compliance means regulatory and internal policies and audit findings
10. • These all morph into professional art forms … Risk Management, Incident Management, Configuration Management, Problem… Patch… Access… Change…
13. • Illiterate messengers deliver written messages so they cannot copy or read them
• Cutting off a messenger’s tongue to disable gossip risk
• Da Vinci’s ‘cryptex’ device
• Shoot the messenger
• Encrypted messages, smoke signals
• Eunuchs to protect harems
20. • Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
25. • Standards: ISO27001, ITIL, ISO20000, ISO22301, OWASP Top 10, SOX, SSAE16/SAS-70, HIPAA.. + regulatory requirements + policies
• SANS-CSC…. According to SANS, ~73% of respondents are aware of SANS-CSC and have adopted or are planning to… and the primary driver is to improve enterprise visibility and reduce security incidents
26. SANS-CSC (the 20 Critical Controls):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
27. • Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
29. • Company Policies, DR
• Analytical Tools: RCA, SWOT etc
• Business Operations & Depts
• IT Operations
• Applicable Laws, Regulations
• Databases
• Applications
• Hardware
• Malware, APT
• Forensics investigation
• Forensic analysis
• Evidence collection, preservation..
• SIEM, DLP, IPS/IDS, UTM
• Log Analysis
• Phishing
• Windows, Linux (AIX, UX, MacOS)
• Android, iOS, Symbian, BB
• Mobile devices incl laptops
• Network devices – firewalls etc
• Configuration and hardening
• Know all patches from year 0 (BC)
• VAPT
• Web servers, AD, MS Exchange
• … more….
30. • Can work under pressure
• Can go on without sleep, food or..
• Can walk in sleep
• Excellent communication skills
• Can win over and influence anyone
• Multi-lingual: geekspeak, normal-speak, baby-speak
31. • Life is a bummer
• One has to have all that the IM has…. Plus:
• Deep knowledge and understanding of Law (domestic/international) and statutes
• Criminal modus operandi
• ATM, Credit cards, financial fraud, email, internet banking, data breach, IP theft, espionage, social media crimes
32. • Traditional Policing
+
• Cyber Crime Investigation
• Cyber Security & Cyber Forensics
• Cyber Forensics (Network, Mobile, Cloud etc)
• Reverse Engineer & Troubleshooter
• Evidence Handling & presentation in the court of law
• Cyber Intelligence, Social Media Intel
• Security Researcher
• WhatsApp, Wechat, Viber
• Interception
• Excellent Presenter
• Trainer
• Participating in International & National Conferences
• CDR, Tower dump analysis, location mapping
• CCTV Camera recording recovery
33. • Good Negotiator, Facilitator
• Can pitch for funds
• Prepare RFPs
• Event Manager
• Response in a flash expected
• Good magician (cracking symmetric and asymmetric encryption and password hashes within seconds)
• Software Developer, Programmer
• And the list goes on……
42. • Day to Day traditional crime control
• Crime investigation (Murder, Dacoity, Stalking, Threats etc)
• Raids
• Interrogation
• Intelligence Gathering
• Chain of custody
• Presentation in the court of law
43. • MS In Information & Cyber Forensics
• Well versed with the latest technologies and research
• Programmer
• Malware Researcher
44. • Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
46. • Build threat intelligence capability
• Subscribe to mailing lists, attend conferences, read, get certified, write
• Automate network monitoring with NMS, DLP, SIEM, Network Forensics etc
• Risk, Threat and Vulnerability Management
• Information Sharing
• Breach advisories and CERT bulletins
47. • The Incident Manager is informed about an incident and decides whether it is an incident or not before blowing the whistle!
• Sets Incident priority
• Triage
• Pray!
48. • Set up war room
• Mobilize cross functional IM team
• Roll out containment procedures
• Initiate Communication plan
• Mobilize vendors
• Follow up with recovery and eradication procedures
• Visit incident site, collect and save evidence
49. • Forensic Analysis
• Reporting to Authorities and Police
• Internal Root Cause Analysis
• Prepare Management Report
• Recommendations for improvement
• Obtain permissions and budget
• Update systems, policies and controls
53. • PhD/MS in Information Security
• Cyber Security Researcher
• Knowledge about 0 Days, APTs, Vulnerability Assessment, Penetration Testing, Source Code Auditing, Web
• Data Analytics
• BigData
• Cloud Computing
• Cyber Security
• Cyber Defence
• Cyber Forensics (Network, Mobile, Tablet, Satphones, Goggles)
• Cyber Law Expert
54. • Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
55. • Capability and Capacity development in the Private sector is slow, and in the Government sector it is slower
• Skills required are multi-faceted and can ONLY be acquired by hard core practical on-the-job hands-on experience
• Institutes and training programs are yet to be developed to impart some skills, or show the path to aspirants
60. • Re-learn continuous learning … you did it passionately when you were junior, you did it to rise – then why did you stop!
• Recognize your skill and strength…. Information Security is not an apology. It is no longer a support function for a support function. It is an essential function and it is high time this is recognized by management
61. Information / Data Security is a dynamic domain, constantly changing hues and continually exciting.
Practitioners, researchers, hackers, auditors constantly face up to new challenges
62. And we want to take this opportunity to present our unit – Cyber Defence Research Centre & Cyber Peace Foundation
63. CDRC is a joint initiative of the Government of the State of Jharkhand (India) and Jharkhand Police.
The unit has been operational since January 2012.
It is the first of its kind organization in the country, and (probably) the ninth in the world
65. [Diagram: CDRC functional areas – PROTECTION, DETECTION, PREVENTION, INVESTIGATION, EDUCATION]
• Technology Research, System Dev & Deployment
• Cyber Patrol
• eSamadhan – Citizen Outreach Tollfree Helpline
• LEA Training, Capacity & Capability Building
• Statewide Security Awareness program for children, citizens, industry
• CDR Analysis, IMS, Cyber Lab, VA/PT, AppSec, Digital Forensics
• eRaksha
• Intelligence Gathering, Honeynets
• JH CERT – Incident Response, Advisories, Responsible Disclosure
• eKavach – Critical Infrastructure Protection – Training, Intel, Response and Knowledge Sharing
66. • Law Enforcement – Investigation, Response, Evidence Gathering, Forensics, Cyber Policing
• Jharkhand Secure – State Infrastructure Protection, Departmental IT Security, State CERT
• Technical Services – VA/PT, Application Security Testing, Technology Evaluation
• Training – State Police, Judiciary and Govt, CID, CBI, NPA, IB
• Public Outreach – Awareness, Toll free helpline, eSamadhan, Cyber café controls, ATM security
• Research – Cyber Patrol, India Honeynetwork, SCADA and Spam Honeynets
• National Security – National Infrastructure Protection under CIIP, Responsible Disclosure
67. [Diagram: CDRC 2012 timeline]
• 09 January – Formation Day
• January – High profile cases: Hazaribagh (Sonia Gandhi email threat)
• February – Launch eSamadhan, manual CDR analysis, IMEI database, lost mobile cases
• March – Jharkhand Cyber Café Rules sent to Home Dept
• April – Moved into CDRC Building, PHQ Ranchi
• May – ATM, Cyber Café statewide Threat Survey
• June – eKavach onsite assessment at HEC
• September – Cyber Lab setup plan at PTC
• October – SCADA honeypot development
• November – Team Augmentation and orientation
• December – Citizen Helpline toll free number activated: 1800-3456-533
Other 2012 milestones on the slide (month not recoverable from the layout):
• Establishment Planning
• System Development: Internet Monitoring System and CDR + Location Mapping Analysis System
• Program Launches: Judiciary Training; “eKavach” Critical Infrastructure Protection; Online knowledge base for Cyber café owners re open source; Bilingual safety guidelines for Government employees, parents and children
• CID Training launch
• India honeynetwork setup with five sensors
• CISF, RPF training
• ATS interaction re cyber security
• Development of cyber café software and Cyber Café guidelines for owners
• eRaksha program launched
• Event Partner, c0c0n 2012, Thiruvananthapuram
• Wi-fi war driving
• Case: Interstate credit card fraudsters interrogated
• Disclosure – threat to CBI central server
• Team training for forensics tools
• ISO 27001 Audit of Police Data Center
• Internal team training
• Joint Meeting – Home Dept, SB Jharkhand Police, All Banks
• Testing Vulnerability disclosure system
• Development for Responsible Disclosure system
• Training delivery at NPA
68. • Cyber Surveillance, Social Media Intelligence – Internet Monitoring, Social media Intelligence, Inputs from cyber patrol and threat intelligence, Intelligence from Social media (Orkut, Facebook, Linkedin, Twitter etc.)
• Critical Infrastructure Protection – Inventory, response procedures and proactive security training
• Responsible Disclosure and Threat Intelligence – Vulnerability disclosure and intelligence information to affected parties
• Public Helpline – Web based and toll free helpline
• Research – Indian Honeynet collection and malware analysis
• Cyber Patrol – Underground intelligence gathering activities
70. • Cyber Peace Foundation, an NGO, is founded by senior officials of Jharkhand Police and experts to promote information sharing between LEAs across countries and to promote Public & Private Partnership (PPP) through its Cyber Bridge program
• Revealed for the first time today at ISACA Dubai
• Request all your support for this organization
72. • Professional Positions
• Pyramid Cyber Security & Forensics (Principal Advisor)
• Jharkhand Police (Cyber Surveillance Advisor)
• Open Security Alliance (Principal and CEO)
• Bombay Stock Exchange (IGRC Technical Member)
• Indian Honeynet Project (Founder)
• Professional skills and special interest areas
• Govt & Enterprise - Security Consulting, Advisory, Strategy, Architecture, Analysis, Policy Development, Optimization
• Technologies - SOC, DLP, IRM, SIEM…
• Practices - Incident Response, SAM, Forensics, Regulatory guidance, Government
• Blogger, Occasional columnist, wannabe photographer, research & survey
73. Contact Information
E: dinesh@opensecurityalliance.org
T: +91.9769890505
Twitter: @bizsprite
Facebook: dineshobareja
L: http://in.linkedin.com/in/dineshbareja
Also on Slideshare and Flickr
Acknowledgements & Disclaimer
Various resources on the internet have been referred to, to contribute to the information
presented here. Images have been acknowledged where possible and if we have infringed
on your rights it is unintentional – we assure you the immediate removal on being notified, of
any infringing material. The use (if any) of company names, brand names, trade marks is only
to facilitate understanding of the message being communicated - no claim is made to
establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise
mentioned. We apologize for any infraction, as this will be wholly unintentional, and
objections may please be communicated to us for remediation of the erroneous action(s).
A newer version of this presentation will be uploaded to Slideshare (dineshobareja).
74. • Professional Positions
• Jharkhand Police – CTO & Head of CDRC
• Cyber Peace Foundation – President (Honorary)
• National Anti-Hacking Group (Founder)
• Security Pulse – Honorary Advisor
• Darnster – Honorary Advisor & Mentor
• Attify – Honorary Advisor
• Visiting Faculty for International & National Universities/Institutions such as National Police Academy, Railway Staff College, College of Military Engineering, Indian Institute of Management, Indian Institute of Technology, Government of Gujarat
• Professional skills and special interest areas
• Ethical hacking, cybercrime, Cyber Intelligence, Cyber Forensics
• Intelligence, Forensics, Cyber Security, Cyber Defence, Cyber Crime Investigation, Cyber Peace
75. • Awards
6 International, 11 National and 15 state level awards & honors
• Contact Information
• Email: cto@jhpolice.gov.in
• Phone: +91-9570000065
• L: http://in.linkedin.com/in/vineet707