Cyber security lecture for University students, following and expanding on previously delivered presentation on Enterprise Security Incident Management. More in-depth, with the Security Incident lifecycle focus

1. Enterprise Security Incident
Management - II
VŠE, Prague
Petr Špiřík, 22. 11. 2016

2. PwC
Information Security Incident Lifecycle
NIST 800-61

3. PwC
Key Terms
Operations vs Security incident
Means, motive & opportunity
Different objectives
Intentional vs accidental
Alert vs Incident vs Breach
Suspicion vs Assurance vs Damage
False positive & negatives
Risk appetite & sensitivity
Technical capabilities
Architecture (AV, FW, IPS)
Detection (SIEM, IDS)
Response
Process capabilities
Procedures, protocols & methodology
Communication & escalation paths
Decision making

4. PwC
Preparation
Technical
Enterprise
Architecture (segmentation, access control)
Hardening (scans, patches, configuration)
Logging & reporting
Visibility & control
Segregation of duties
Ticketing & knowledge management system
Take control over your environment
first, before you try to fight the
incidents
Security team
Logging & monitoring capabilities
Tools for incident response
Forensic/Malware lab (nice to have)
Secured area
Control over key chokepoints
Skilled team
Time invested in preparation phase will
save you during the incident

5. PwC
Preparation
Process
Enterprise
Contact with other functions (IT, business,
Risk management, PR & Communication)
Change management
Incident management in wider sense
Crisis management
Awareness & education
Leadership buy-in
Not only you, but your whole enterprise
needs to act accordingly
Security team
Reporting an incident – identify inputs &
tracking tools interaction
Communication plan
Ownership & governance
Policies & procedures
Templates
Incident response plans
Time invested in preparation phase will
save you during the incident

6. PwC
Detection
Technical
Logging
Continuous activity
Ingestion of log from
identified sources
Storage only (compliance)
Necessary first step
No output!
Reporting
Regular & automated
Defined KPIs & metrics
Strong for spotting trends and
anomalies
Good for predicting future
issues
Easy quick win – good
cost:benefit ratio
Output is static report,
consumed by security
team or leadership
Monitoring / Alerting
Real time
Defined use cases to monitor
(as opposed to “everything”)
Threshold based, complex
rules, function of time
Sensitivity is critical factor
(False positives)
Output is dynamic
alerting via console, SMS,
emails to analysts

7. PwC
Detection
Process
Enterprise
End users
“My computer behaves in a strange
way.”
Human resources
“We fired this guy and we suspect he
might try to damage the company.”
Administrators
“This is not how my domain
controller is supposed to respond.”
3rd parties (Clients, law enforcement,
public)
Security team
Eyes on the glass
“How many analysts do I assign to
security monitoring?”
Threat hunting
“I always assume compromise. And in
such case –what evidence would give the
attacker away?”
Investigation result
“This computer was not only infected
by commodity malware! There is more!”

8. PwC
Analysis
Triage
Is it security incident?
Analyst driven, never certain for 100%
If it is an incident, is it also a breach?
Who initiates the incident response?
What to do in uncertainty?
This is Yes or No question
What can be automated should be
automated as absolute priority.
Is it major?
Major or crisis management needed
Human well-being, company existence at risk
Wider, cross-functional IR team needed
Different rules, protocols – but also prepared
Potential links to Business Continuity
Major incidents are more sensitive to
process management than to technical
response.

9. PwC
Analysis
Preparation for response
Information gathering
Even negative information has value
Systems checked and artifacts gathered
Focus on actionable evidence
Narrowing scope is critical – the final
judgement does not need to happen now
This is going to incident response. The
time is definitely a factor. There is the
whole enterprise waiting to crush you.
Audit trail
Timestamps and non-repudiation
Documentation for legal consequences
Knowledge management
Project/team management in case of scale
explosion
If you are moving too fast to document
your actions – you are moving too fast.

10. PwC
Containment
First steps
Objectives
Stop further damage
Preserve the chain of custody
Look for additional compromise
Don’t shoot yourself in the leg
During containment phase, the primary
imperative is to stop the attack from
getting worse …
Actions
Impact assessment
Involve business stakeholders
Isolation & service reduction
Follow the procedures
… however, you also want to learn as
much as you can without alerting the
attacker or giving him what he wants

11. PwC
Containment
Deeper dive
Disconnect the network!
Not always best idea, not always applicable
Is the incident insider? APT? External breach?
Malware outbreak? Phishing campaign?
Prepared scenarios to the rescue
Isolate the incident in its domain (physical,
network, human resources)
Factor in the time & scale
Focus on breach escalation prevention
The initial containment vary from
shutting down system to doing nothing
Major incidents
Communication plan
Governance of the IR team
Regular updates & reassessments
Project plan to remediate
Don’t expect this will be over soon
Scale and complexity are your enemies
In major incident scenario, you are
most likely already in damage control
mode

12. PwC
Eradication
Remove all artifacts
Clean the compromised assets
Remove all entry points
Restore clean data from backups
Patch the vulnerabilities
Close the attacker’s way in
This is the latest stage when the attacker
learns you are after him. In military
terms, you are “operating in contested
environment”.
Project management
To know what to do is not that important
To carry out the plan is
Multiple team coordination
Shared responsibilities
Timelines & change windows
In enterprise environment, the project
manager can make or break the
outcome. Cooperation & execution is
key.

13. PwC
Recovery
Back to production
Business wants to get back operational ASAP
Incident needs be declared over
All compromised assets are clean
Partial recovery for large scale incidents
It is business decision to get back
online. Make sure this decision is
informed!
Continuous monitoring
Attackers do not give up easily
Be prepared for counter-attacks
Set up temporary more sensitive alerting
Go back to analysis if needed
The attacker spent resources to get in.
They will try to reclaim what they once
had.
Did you really eradicate every artifact?

14. PwC
Post-Incident Activity
Immediate & short term
Harden the environment
Cooperate with IT
Follow the change management
Use the knowledge you gained
Plug all the holes
Every incident is an opportunity to improve
Improve your detection systems!
It is no shame to fall victim to an attack.
Is IS a shame to fall victim to the same
attack repeatedly.
Metrics & KPIs
How do you measure success?
Is number of incidents good metric?
What is not measured does not exist
Metrics & KPIs are double edged sword
Useful vs. useless metrics
Long term, well established KPI monitoring
will improve your security posture
Good metrics can motivate team and
give you access to the resources needed.
Bad will put you into uphill battle.

15. PwC
Post-Incident Activity
Knowledge management
Lessons learned
Debriefing after an incident
All parties involved
Review procedures & templates
Plan for changes for the future
Blame is lame
The objective of post-incident activity is
to improve for the future, not to find
scapegoat.
Active defense
Profile the attackers
Profile your organization
Assume compromise
Hunt for the adversaries
Set up traps for the future
Every incident is a lesson – the result is
your threat intelligence

16. PwC
Summary
Thank you!
Questions & answers
Ask your questions now…
… or reach out to me after
Thank you all!
Contacts
petr.spirik@gmail.com
petr.spirik@cz.pwc.com
NIST Security (look for 800-61)
csrc.nist.gov
This presentation
https://www.slideshare.net/zapp0/enterprise-
security-management-ii