CSIRT_16_Jun

CYBER SECURITY INCIDENT
RESPONSE TEAM (CSIRT)
and
CYBER SECURITY OPERATION
CENTER (SOC)
BY BGA INFORMATION SECURITY & CONSULTING
THX TO MITRE.ORG
BGA INFORMATION SECURITY & CONSULTING

About me
Candan BÖLÜKBAŞ
• about.me/bolukbas
• METU Computer Eng.
• CCNA, CCNP, CEH, CHFI, ITIL, MCP, ECSP, ECIH
• Enterprise Security Services Manager @BGA
• 7-year Developer, 6-year Security Admin
• Ex T.C. Cumhurbaşkanlığı Network & Security Admin
• candan.bolukbas@bga.com.tr
• @candanbolukbas

Agenda
• Introduction
• Cyber Attack in the world
• CSIRT statistics from the world
• CSIRT efficiency measurement
• Best Practices for Creating a CSIRT
• What is SOC?
• SOC Best Practices
• SIEM & SOC & CSIRT Relation
• Questions

Challenges that today’s security
organizations have to deal with:
Malware campaigns launched by organized criminal groups who look to
steal information that can be sold on the black market
Increasingly powerful distributed denial-of-service (DDoS) attacks that
can take out large websites
State-sponsored espionage that can penetrate even well-defended
networks.

As attacks have become more sophisticated, the
need for Computer Security Incident Response
Teams (CSIRTs) has grown.
Botnets
Distributed denial-of-
service (DDoS) attacks
Insider threats
Advanced persistent
threats (APTs).
CSIRT

What Are Some Best Practices for
Creating a CSIRT?
• Obtain management supportStep #1
• Determine the CSIRT strategic planStep #2
• Design the CSIRT visionStep #3
• Begin CSIRT implementationStep #4
• Evaluate CSIRT effectivenessStep #5

Step 1: Obtain Management Support and
Buy-In
• Executive and business or department managers and their staffs committing time to participate in
this planning process; their input is essential during the design effort.
• Along with obtaining management support for the planning and
implementation process, it is equally important to get management
commitment to sustain CSIRT operations and authority for the long term.
• It is important to elicit management's expectations and perceptions of
the CSIRT's function and responsibilities.

1%
2%
5%
11%
31%
50%
What percentage of your organization’s security budget is allocated to incident
response?
More than 50%
41% to 50%
31% to 40%
21% to 30%
10% to 20%
Less than 10%

Step 2: Determine the CSIRT
Development Strategic Plan
• Are there specific time frames to be met? Are they realistic, and if not, can they be changed?
• Is there a project group? Where do the group members come from? You want to
ensure that all stakeholders are represented.
• How do you let the organization know about the development of the CSIRT?
• If you have a project team, how do you record and communicate the
information you are collecting, especially if the team is geographically dispersed?

Step 3: Design Your CSIRT Vision
In creating your vision, you should identify your constituency
• Who does the CSIRT support and serve?
• Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified
constituency?
• Select the CSIRT services to provide to the constituency (or others). How does the CSIRT
support its mission?
• Determine the organizational model. How is the CSIRT structured and organized?
• Identify required resources. What staff, equipment, and infrastructure
are needed to operate the CSIRT?
• Determine your CSIRT funding. How is the CSIRT funded for its initial
startup and its long-term maintenance and growth?

Step 4: Begin CSIRT Implementation
Once management and constituency buy-in is obtained for the vision,
begin the implementation:
• Hire and train initial CSIRT staff.
• Buy equipment and build any necessary network infrastructure
to support the team.
• Develop the initial set of CSIRT policies and procedures to
support your services.
• Define the specifications for and build your incident-tracking
system.
• Develop incident-reporting guidelines and forms for your constituency.

45%
28%
14%
11%
2%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
0
1
2-5
5-10
10+
How many team members are fully dedicated to CSIRT?

Step 5: Evaluate the Effectiveness of the
CSIRT
Information on effectiveness can be gathered through a variety of
feedback mechanisms, including:
• Benchmarking against other CSIRTs
• General discussions with constituency representatives
• Evaluation surveys distributed to constituency members on a
periodic basis
• Creation of a set of criteria or quality parameters
• Compare with Expectations for Computer Security
Incident Response (RFC 2350)
• Remember that Patience Can Be a Key!

How long it takes to respond Approximate average MTTI, MTTK, MTTF and
MTTV experienced by organizations in an APT
• Mean time to
verify
MTTV
• Mean time to
fix
MTTF
• Mean time to
know
MTTK
• Mean time to
identify
MTTI

80%
76%
67%
65%
56%
0% 20% 40% 60% 80% 100%
Most effective security tools for detecting security breaches
Anti-virus
IP reputation & threat feed services
Intrusion prevention/detection systems
SIEM
Analysis of NetFlow or packet captures

Reactive Services Proactive Services Security Quality Management Services
Alerts and Warnings Border Protection Device O&M Risk Analysis
SOC Infrastructure O&M
Incident Handling Custom Signature Creation
Business Continuity and Disaster Recovery
Planning
• Incident analysis (Forensic & Tracking) Tool Research and Development
• Incident response on site Security Audits or Assessments (Scan & Pentest) Security Consulting
• Incident response support Tool Engineering and Deployment
• Incident response coordination
Configuration and Maintenance of Security
Tools, Applications, and Infrastructures
Awareness Building
Vulnerability Handling Audit Data Collection and Distribution Education/Training
• Vulnerability analysis
• Vulnerability response Intrusion Detection Services Product Evaluation or Certification
• Vulnerability response coordination
Security-Related Information Dissemination
Artifact Handling
• Artifact analysis
• Artifact response
• Artifact response coordination

APT

DEMO

What Is a SOC?
The practice of defense against unauthorized activity within
computer networks, including monitoring, detection, analysis (such
as trend and pattern analysis), and response and restoration
activities. It includes:
◦ Computer Security Incident Response Team (CSIRT)
◦ Computer Incident Response Team (CIRT)
◦ Computer Incident Response Center (or Capability) (CIRC)
◦ Computer Security Incident Response Center (or Capability) (CSIRC)
◦ Security Operations Center (SOC)
◦ Cybersecurity Operations Center (CSOC)
◦ Computer Emergency Response Team (CERT)

SOC’s mission statement typically
includes the following elements:
1. Prevention of cybersecurity incidents through proactive:
a. Continuous threat analysis
b. Network and host scanning for vulnerabilities
c. Countermeasure deployment coordination
d. Security policy and architecture consulting.
2. Monitoring, detection, and analysis of potential intrusions in real time and through historical trending
on security-relevant data sources
3. Response to confirmed incidents, by coordinating resources and directing use of timely and
appropriate countermeasures
4. Providing situational awareness and reporting on cybersecurity status, incidents, and trends in
adversary behavior to appropriate organizations
5. Engineering and operating CND technologies such as IDSes and data collection/analysis systems.

Get Started
1. Founding: 0 to 6 Months
2. Build-Out: 6 to 12 Months
3. Initial Operating Capability: 12–18 Months
4. Full Operating Capability: 18 Months and More
The best way to test a SOC is to measure the SOC’s
performance in response to an actual Red Team penetration
of constituency assets.

SOC Roles and Incident Escalation

Typical SOC Tool Architecture Context to Tip-offs: Full-
Spectrum CND Data

The most prominent
challenge for any
monitoring system -
particularly IDSes- is
to achieve a high
true positive rate.

No matter how good
the tool or analyst,
overzealous
efforts to generate and
aggregate huge
amounts data into
one place diminish the
value of good data
because it is
lost in the noise of
worthless data.
Monitoring systems
such as IDS and SIEM
are not “fire
and forget”—they
require regular care
and feeding. BGA INFORMATION SECURITY & CONSULTING

SIEM Overview
• Perimeter network
monitoring
• Insider threat and audit
• APT detection
• Configuration
monitoring.
• Workflow and escalation
• Incident analysis and
network forensics
• Incident analysis and
network forensics
• Policy compliance

Overlap Between SIEM, Network Management System, and LM

Observations and Tips for Success
◦ Security and network management tools are not interchangeable.
◦ The best SIEMs were built from the ground up as SIEMs.
◦ Consider the whole package.
◦ A day to install; a year to operationalize.
◦ Each part of the SOC will use SIEM differently.
◦ A SIEM is only as good as the data you feed it.
◦ Automated response capabilities present the same challenges as
IPS.

Let’s consider some dos and don’ts when we
think the SOC has found something bad:
◦ Follow your SOPs.
◦ Don’t panic.
◦ Don’t jump to conclusions.
◦ Be careful about attribution.
◦ Assess the full extent of the intrusion.
◦ Understand the “so what?”
◦ Follow rules of evidence collection and documentation, when appropriate.
◦ Provide measured updates at measured times.
◦ Carefully assess the impact of countermeasures and response actions.
◦ Ensure the entire SOC is working toward the same goal.
◦ Don’t be afraid to ask for help.

References
[1] West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response
Teams (CSIRTs) (CMU/SEI-98-HB-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1998.
Note that this document was superceded by the 2nd edition (CMU/SEI-2003-HB-002), published in April 2003.
[2] Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001
(ISBN: 3-8311-0059-4).
[3] Kossakowski; Klaus-Peter & Stikvoort, Don. A Trusted CSIRT Introducer in Europe. Amersfoort, Netherlands:
M&I/Stelvio, February, 2000.
[4] Exposing One of China’s Cyber Espionage Units http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
[5] M-Trends® 2013: Attack the Security Gap http://pages.fireeye.com/MF0D0O0PDVp6y106k0TI0B3
[6] M-Trends® 2011: When Prevention Fails http://www.mandiant.com/assets/PDF_MTrends_2011.pdf
[7] M-Trends® 2012: An Evolving Threat http://www.mandiant.com/assets/PDF_MTrends_2012.pdf
[8] Cyber Security Incident Response 2014 http://www.lancope.com/files/documents/Industry-Reports/Lancope-
Ponemon-Report-Cyber-Security-Incident-Response.pdf
[9] Create a CSIRT https://www.cert.org/incident-management/products-services/creating-a-csirt.cfm
[10] CSIRT Services list from CERT/CC https://www.enisa.europa.eu/activities/cert/support/guide/appendix/csirt-services

References
[1] Wikimedia Foundation, Inc., “Advanced Persistent Threat,” 3 Feb 2014. [Online]. Available:
http://en.wikipedia.org/wiki/Advanced_persistent_threat. [Accessed 13 Feb 2014].
[2] R. G. Bace, Intrusion Detection, Indianapolis: Macmillan Technical Publishing, 2000.
[3] G. Killcrece, K.-P. Kossakowski, R. Ruefle and M. Zajicek, “State of the Practice of Computer Security Incident Response
Teams (CSIRTs),” October 2003. [Online]. Available: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6571.
[Accessed 13 Feb 2014].
[4] Killcrece, Georgia; Kossakowski, Klaus-Peter; Ruegle, Robin; Zajicek, Mark, “Organizational Models for Computer
Security Incident Response Teams,” December 2003. [Online]. Available: www.cert.org/archive/pdf/03hb001.pdf.
[Accessed 13 Feb 2014].
[5] S. Northcutt, Network Intrusion Detection (3rd Edition), Indianapolis: New Riders Publishing, 2002.
[6] T. Parker, E. Shaw, E. Stroz, M. G. Devost and M. H. Sachs, Cyber Adversary Characterization: Auditing the Hacker Mind,
Rockland, MA: Syngress Publishing, Inc., 2004.
[7] L. Spitzner, Honeypots: Tracking Hackers, Addison-Wesley Professional, 2002.
[8] M. J. West-Brown, D. Stikvoort, K.-P. Kossakowski, G. Killcrece, R. Ruefle and M. Zajicekm, “Handbook for Computer
Security Incident Response Teams (CSIRTs),” April 2003. [Online]. Available: http://resources.sei.cmu.edu/library/asset-
view.cfm?assetid=6305. [Accessed 13 Feb 2014].

Questions

CSIRT_16_Jun

More Related Content

What's hot

Viewers also liked

Similar to CSIRT_16_Jun

CSIRT_16_Jun