SlideShare a Scribd company logo

IRP on a Budget

Download as PPTX, PDF
S
Sean D. Goodwin

Designing an Incident Response Plan is difficult. On one hand, you have the extremely detailed "Best Practices" while on the other hand you have real world resource constraints.

Technology
1 of 29
MEMBER OF ALLINIAL GLOBAL, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS © 2017 Wolf & Company, P.C. Incident Response on a Budget New England HIMSS 2017
Baseline Knowledge • What is an Incident Response Plan? • Why do we need to create and manage another document? • What are the management phases of IRP?
WHAT IS IT? Section One
Definitions • “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” - NIST SP 800-53r4 Security and Privacy Controls for Federal Information Systems and Organizations • “A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” - NIST SP 800-61r2 Computer Security Incident Handling Guide
WHY DO WE NEED IT? Section Two
Legal and Regulatory Implications • HIPAA Security Rule 164.08(a)(6) – Security Incident Procedures – Response and Reporting – Requires formal documentation • OCR “Wall of Shame” – Encourages a functional response plan – https://www.hhs.gov/hipaa/for-professionals/compliance- enforcement/agreements/index.html
Best Practice • CIS CSC #19 Incident Response and Management • NIST SP 800-53r4 Security and Privacy Controls for Federal Information Systems and Organizations • NIST 800-61r2 Computer Security Incident Handling Guide
2016 Verizon DBIR
2016 Verizon DBIR
WHAT ARE THE PHASES? Section Three
Phase One: Preparation
Management Phases • Preparation • Detection and Analysis • Containment, Eradication, and Recovery • Post-Incident
Phase One: Preparation • Incident Handling Team – Incident Response Manager – Security Analysts – Triage Analysts – Forensic Analysts – Threat Researchers – Management – Human Resources – Audit and Risk Management Specialists – General Council – Public Relations
Phase One: Preparation • Preparing to handle incidents – Communication – Hardware and Software – Analysis • Preventing incidents – Risk Assessments – Host Security – Network Security – Malware Prevention – User Awareness and Training
Phase Two: Detection and Analysis • Attack Vectors • Signs of an Incident • Sources of Precursors and Indicators • Incident Analysis • Incident Documentation
Phase Three: Containment, Eradication, and Recovery • Choosing a Containment Strategy • Evidence Gathering and Handling • Identifying the Attacking Hosts • Eradication and Recovery
Phase Four: Post-Incident • Lessons Learned • Using Collected Incident Data • Evidence Retention
THEORY IS GREAT… HOW ABOUT IN THE REAL WORLD??
Malware Infection On Tuesday afternoon around 16:30, an end user in the Marketing department gets a warning from the anti-virus engine saying a potentially malicious file has been identified. At the same time, this end user notices the files on her desktop wont open, and a webpage (.html file) has opened demanding a ransom for the safe return of her files.
Real World 1. Who does the Help Desk technician contact? 2. Suppose upon isolation of this PC, additional users in various departments are reporting similar issues. What steps would be taken to identify the full scope? 3. Suppose this occurs after hours, rather than during normal business hours. How would end users report such an issue?
Phishing Email On Tuesday morning after a long weekend a member of the Finance department is quacking running through missed emails trying to identify any major activities while he was out. He sees an email from the head of IT saying that the organization had found some users were using weak passwords, and had created a site on the Intranet for users to ensure their password would meet the new requirements. The Finance employee clicks the link provided and enters his credentials. He lets out a sigh of release when he is shown that his password is very strong, and there is no need for him to create a new one.
Real World 1. How would this event be detected? 2. How would the IRP team identify all effected end users? 3. How would the IRP resolve this incident? 4. Suppose this user was working remotely when this happened, does that change response activities? What if multiple executives are traveling?
Unauthorized Access to Payroll Records On a Wednesday evening, the organization’s physical security team receives a call from a payroll administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. The incident response team has been asked to acquire evidence related to the incident and to determine what actions were performed.
Real World 1. How would the team determine what actions had been performed? 2. How would the handling of this incident differ if the payroll administrator had recognized the person leaving her office as a former payroll department employee? 3. How would the handling of this incident differ if the team had reason to believe that the person was a current employee? 4. How would the handling of this incident differ if the physical security team determined that the person had used social engineering techniques to gain physical access to the building?
Real World 5. How would the handling of this incident differ if logs from the previous week showed an unusually large number of failed remote login attempts using the payroll administrator’s user ID? 6. How would the handling of this incident differ if the incident response team discovered that a keystroke logger was installed on the computer two weeks earlier?
Telecommuting Compromise On a Saturday night, network intrusion detection software records an inbound connection originating from a watchlist IP address. The intrusion detection analyst determines that the connection is being made to the organization’s VPN server and contacts the incident response team. The team reviews the intrusion detection, firewall, and VPN server logs and identifies the user ID that was authenticated for the session and the name of the user associated with the user ID.
Real World 1. What should the team’s next step be (e.g., calling the user at home, disabling the user ID, disconnecting the VPN session)? Why should this step be performed first? What step should be performed second? 2. How would the handling of this incident differ if the external IP address belonged to an open proxy? 3. How would the handling of this incident differ if the ID had been used to initiate VPN connections from several external IP addresses without the knowledge of the user?
Real World 4. Suppose that the identified user’s computer had become compromised by a game containing a Trojan horse that was downloaded by a family member. How would this affect the team’s analysis of the incident? How would this affect evidence gathering and handling? What should the team do in terms of eradicating the incident from the user’s computer? 5. Suppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of the incident? How would this affect the handling of the incident if the user were a system administrator? How would this affect the handling of the incident if the user were a high-ranking executive in the organization?
Questions? Sean D. Goodwin, CISSP, CISA, QSA IT Assurance Senior Consultant SDGoodwin@wolfandco.com Michael Keighley, CISSP Manager of Information Security MaineGeneral Health michael.keighley@mainegeneral.org Michael Kanarellis, HITRUST CCSFP IT Assurance Senior Manager Mkanarellis@wolfandco.com

Recommended

Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To PrepareResilient Systems
 
Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatAndrew Case
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security BasicsMohan Jadhav
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Lancope, Inc.
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Resilient Systems
 
Incident Response
Incident ResponseIncident Response
Incident ResponseDivya Kothari
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection RecommendationsAlienVault
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And SecurityConstantine Karbaliotis
 

Recommended

Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To PrepareResilient Systems
 
Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatAndrew Case
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security BasicsMohan Jadhav
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Lancope, Inc.
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Resilient Systems
 
Incident Response
Incident ResponseIncident Response
Incident ResponseDivya Kothari
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection RecommendationsAlienVault
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And SecurityConstantine Karbaliotis
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRIZivaro Inc
 
Identify and Stop Insider Threats
Identify and Stop Insider ThreatsIdentify and Stop Insider Threats
Identify and Stop Insider ThreatsLancope, Inc.
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3Lancope, Inc.
 
VAPT Infomagnum
VAPT InfomagnumVAPT Infomagnum
VAPT InfomagnumARUN REDDY M
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response PlanThomas Christopher Ty
 
Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007Chris Hammond-Thrasher
 
Top 10 Security Challenges
Top 10 Security ChallengesTop 10 Security Challenges
Top 10 Security ChallengesJorge Sebastiao
 
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk ScoringSplunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk ScoringSplunk
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider ThreatLancope, Inc.
 
BSidesTO 2016 - Incident Tracking
BSidesTO 2016 - Incident TrackingBSidesTO 2016 - Incident Tracking
BSidesTO 2016 - Incident TrackingJudy Nowak, OSCP, GCIH, CISSP
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in HealthcareQuick Heal Technologies Ltd.
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudSwapna Shetye
 
Healthcare Cyber Security Webinar
Healthcare Cyber Security WebinarHealthcare Cyber Security Webinar
Healthcare Cyber Security WebinarHealthCareManagement
 
Bitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlBitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlJose Lopez
 
Insider Threat
Insider ThreatInsider Threat
Insider ThreatAndy Thompson
 
Insider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat DetectionInsider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat DetectionObserveIT
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider ThreatPECB
 
Insider threat kill chain
Insider threat kill chainInsider threat kill chain
Insider threat kill chainTarun Gupta,CRISC CISSP CISM CISA BCCE
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015Paul Ferrillo
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemAffine Analytics
 
Mis 1
Mis 1Mis 1
Mis 1Rohit Garg
 

More Related Content

What's hot

Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRIZivaro Inc
 
Identify and Stop Insider Threats
Identify and Stop Insider ThreatsIdentify and Stop Insider Threats
Identify and Stop Insider ThreatsLancope, Inc.
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Top 10 Security Challenges
Top 10 Security ChallengesTop 10 Security Challenges
Top 10 Security ChallengesJorge Sebastiao
 
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk ScoringSplunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk ScoringSplunk
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider ThreatLancope, Inc.
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudSwapna Shetye
 
Bitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlBitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlJose Lopez
 
Insider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat DetectionInsider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat DetectionObserveIT
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider ThreatPECB
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015Paul Ferrillo
 

What's hot (20)

Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRI
 
Identify and Stop Insider Threats
Identify and Stop Insider ThreatsIdentify and Stop Insider Threats
Identify and Stop Insider Threats
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3
 
VAPT Infomagnum
VAPT InfomagnumVAPT Infomagnum
VAPT Infomagnum
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007
 
Top 10 Security Challenges
Top 10 Security ChallengesTop 10 Security Challenges
Top 10 Security Challenges
 
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk ScoringSplunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider Threat
 
BSidesTO 2016 - Incident Tracking
BSidesTO 2016 - Incident TrackingBSidesTO 2016 - Incident Tracking
BSidesTO 2016 - Incident Tracking
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in Healthcare
 
VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus Cloud
 
Healthcare Cyber Security Webinar
Healthcare Cyber Security WebinarHealthcare Cyber Security Webinar
Healthcare Cyber Security Webinar
 
Bitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlBitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat Control
 
Insider Threat
Insider ThreatInsider Threat
Insider Threat
 
Insider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat DetectionInsider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat Detection
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
Insider threat kill chain
Insider threat kill chainInsider threat kill chain
Insider threat kill chain
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
 

Similar to IRP on a Budget

Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemAffine Analytics
 
MassTLC Opening Slides and Simulation Session
MassTLC Opening Slides and Simulation SessionMassTLC Opening Slides and Simulation Session
MassTLC Opening Slides and Simulation SessionMassTLC
 
FCL-Introduction.pptx
FCL-Introduction.pptxFCL-Introduction.pptx
FCL-Introduction.pptxaratibhavsar
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference Rea & Associates
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataLaw Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataAccellis Technology Group
 
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2Damir Delija
 
The Inside Job: Detecting, Preventing and Investigating Data Theft
The Inside Job: Detecting, Preventing and Investigating Data TheftThe Inside Job: Detecting, Preventing and Investigating Data Theft
The Inside Job: Detecting, Preventing and Investigating Data TheftCase IQ
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoMark John Lado, MIT
 
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdfTop_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdfinfosec train
 
Top 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdfTop 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdfShivamSharma909
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskThe Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskBeyondTrust
 
Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteDamir Delija
 
Cybersecurity with AI - Ashrith Barthur
Cybersecurity with AI - Ashrith BarthurCybersecurity with AI - Ashrith Barthur
Cybersecurity with AI - Ashrith BarthurSri Ambati
 
What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attackAndreanne Clarke
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 

Similar to IRP on a Budget (20)

Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
 
Mis 1
Mis 1Mis 1
Mis 1
 
MassTLC Opening Slides and Simulation Session
MassTLC Opening Slides and Simulation SessionMassTLC Opening Slides and Simulation Session
MassTLC Opening Slides and Simulation Session
 
FCL-Introduction.pptx
FCL-Introduction.pptxFCL-Introduction.pptx
FCL-Introduction.pptx
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
 
Powerpoint v7
Powerpoint v7Powerpoint v7
Powerpoint v7
 
encase enterprise
encase enterprise encase enterprise
encase enterprise
 
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your DataLaw Firm Cybersecurity: Practical Tips for Protecting Your Data
Law Firm Cybersecurity: Practical Tips for Protecting Your Data
 
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
 
The Inside Job: Detecting, Preventing and Investigating Data Theft
The Inside Job: Detecting, Preventing and Investigating Data TheftThe Inside Job: Detecting, Preventing and Investigating Data Theft
The Inside Job: Detecting, Preventing and Investigating Data Theft
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
 
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdfTop_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
 
Top 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdfTop 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdf
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskThe Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
 
Računalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidenteRačunalna forenzika i automatizirani odgovor na mrežne incidente
Računalna forenzika i automatizirani odgovor na mrežne incidente
 
Cybersecurity with AI - Ashrith Barthur
Cybersecurity with AI - Ashrith BarthurCybersecurity with AI - Ashrith Barthur
Cybersecurity with AI - Ashrith Barthur
 
What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attack
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 

Recently uploaded

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Recently uploaded (20)

The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

IRP on a Budget

  • 1. MEMBER OF ALLINIAL GLOBAL, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS © 2017 Wolf & Company, P.C. Incident Response on a Budget New England HIMSS 2017
  • 2. Baseline Knowledge • What is an Incident Response Plan? • Why do we need to create and manage another document? • What are the management phases of IRP?
  • 4. Definitions • “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” - NIST SP 800-53r4 Security and Privacy Controls for Federal Information Systems and Organizations • “A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” - NIST SP 800-61r2 Computer Security Incident Handling Guide
  • 5. WHY DO WE NEED IT? Section Two
  • 6. Legal and Regulatory Implications • HIPAA Security Rule 164.08(a)(6) – Security Incident Procedures – Response and Reporting – Requires formal documentation • OCR “Wall of Shame” – Encourages a functional response plan – https://www.hhs.gov/hipaa/for-professionals/compliance- enforcement/agreements/index.html
  • 7. Best Practice • CIS CSC #19 Incident Response and Management • NIST SP 800-53r4 Security and Privacy Controls for Federal Information Systems and Organizations • NIST 800-61r2 Computer Security Incident Handling Guide
  • 10. WHAT ARE THE PHASES? Section Three
  • 12. Management Phases • Preparation • Detection and Analysis • Containment, Eradication, and Recovery • Post-Incident
  • 13. Phase One: Preparation • Incident Handling Team – Incident Response Manager – Security Analysts – Triage Analysts – Forensic Analysts – Threat Researchers – Management – Human Resources – Audit and Risk Management Specialists – General Council – Public Relations
  • 14. Phase One: Preparation • Preparing to handle incidents – Communication – Hardware and Software – Analysis • Preventing incidents – Risk Assessments – Host Security – Network Security – Malware Prevention – User Awareness and Training
  • 15. Phase Two: Detection and Analysis • Attack Vectors • Signs of an Incident • Sources of Precursors and Indicators • Incident Analysis • Incident Documentation
  • 16. Phase Three: Containment, Eradication, and Recovery • Choosing a Containment Strategy • Evidence Gathering and Handling • Identifying the Attacking Hosts • Eradication and Recovery
  • 17. Phase Four: Post-Incident • Lessons Learned • Using Collected Incident Data • Evidence Retention
  • 18. THEORY IS GREAT… HOW ABOUT IN THE REAL WORLD??
  • 19. Malware Infection On Tuesday afternoon around 16:30, an end user in the Marketing department gets a warning from the anti-virus engine saying a potentially malicious file has been identified. At the same time, this end user notices the files on her desktop wont open, and a webpage (.html file) has opened demanding a ransom for the safe return of her files.
  • 20. Real World 1. Who does the Help Desk technician contact? 2. Suppose upon isolation of this PC, additional users in various departments are reporting similar issues. What steps would be taken to identify the full scope? 3. Suppose this occurs after hours, rather than during normal business hours. How would end users report such an issue?
  • 21. Phishing Email On Tuesday morning after a long weekend a member of the Finance department is quacking running through missed emails trying to identify any major activities while he was out. He sees an email from the head of IT saying that the organization had found some users were using weak passwords, and had created a site on the Intranet for users to ensure their password would meet the new requirements. The Finance employee clicks the link provided and enters his credentials. He lets out a sigh of release when he is shown that his password is very strong, and there is no need for him to create a new one.
  • 22. Real World 1. How would this event be detected? 2. How would the IRP team identify all effected end users? 3. How would the IRP resolve this incident? 4. Suppose this user was working remotely when this happened, does that change response activities? What if multiple executives are traveling?
  • 23. Unauthorized Access to Payroll Records On a Wednesday evening, the organization’s physical security team receives a call from a payroll administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. The incident response team has been asked to acquire evidence related to the incident and to determine what actions were performed.
  • 24. Real World 1. How would the team determine what actions had been performed? 2. How would the handling of this incident differ if the payroll administrator had recognized the person leaving her office as a former payroll department employee? 3. How would the handling of this incident differ if the team had reason to believe that the person was a current employee? 4. How would the handling of this incident differ if the physical security team determined that the person had used social engineering techniques to gain physical access to the building?
  • 25. Real World 5. How would the handling of this incident differ if logs from the previous week showed an unusually large number of failed remote login attempts using the payroll administrator’s user ID? 6. How would the handling of this incident differ if the incident response team discovered that a keystroke logger was installed on the computer two weeks earlier?
  • 26. Telecommuting Compromise On a Saturday night, network intrusion detection software records an inbound connection originating from a watchlist IP address. The intrusion detection analyst determines that the connection is being made to the organization’s VPN server and contacts the incident response team. The team reviews the intrusion detection, firewall, and VPN server logs and identifies the user ID that was authenticated for the session and the name of the user associated with the user ID.
  • 27. Real World 1. What should the team’s next step be (e.g., calling the user at home, disabling the user ID, disconnecting the VPN session)? Why should this step be performed first? What step should be performed second? 2. How would the handling of this incident differ if the external IP address belonged to an open proxy? 3. How would the handling of this incident differ if the ID had been used to initiate VPN connections from several external IP addresses without the knowledge of the user?
  • 28. Real World 4. Suppose that the identified user’s computer had become compromised by a game containing a Trojan horse that was downloaded by a family member. How would this affect the team’s analysis of the incident? How would this affect evidence gathering and handling? What should the team do in terms of eradicating the incident from the user’s computer? 5. Suppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of the incident? How would this affect the handling of the incident if the user were a system administrator? How would this affect the handling of the incident if the user were a high-ranking executive in the organization?
  • 29. Questions? Sean D. Goodwin, CISSP, CISA, QSA IT Assurance Senior Consultant SDGoodwin@wolfandco.com Michael Keighley, CISSP Manager of Information Security MaineGeneral Health michael.keighley@mainegeneral.org Michael Kanarellis, HITRUST CCSFP IT Assurance Senior Manager Mkanarellis@wolfandco.com

Editor's Notes

  1. NIST SP 800-53r4 - Security and Privacy Controls for Federal Information Systems and Organizations An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. NIST SP 800-61r2 Computer Security Incident Handling Guide An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. This guide addresses only adverse events that are computer security related, not those caused by natural disasters, power failures, etc. A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are: An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash. Users are tricked into opening a “quarterly report” sent via email that is actually malware; running the tool has infected their computers and established connections with an external host. An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money. A user provides or exposes sensitive information to others through peer-to-peer file sharing services.
  2. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  3. CSC #19 – “Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight).” NIST 800-53r4 IR-1 – Incident Response Policy and Procedures IR-2 – Incident Response Training IR-3 – Incident Response Testing IR-4 – Incident Handling IR-5 – Incident Monitoring IR-6 – Incident Reporting IR-7 – Incident Response Assistance IR-8 – Incident Response Plan IR-9 – Information spillage Response IR-10 – Integrated Information Security Analysis Team NIST 800-61r2 draft– responding quickly is critical to minimizing the impact
  4. Top Three Threat Actions: Hacking Malware Social
  5. 82% into network in minutes OR LESS 21% start exfiltration data in MINUTES
  6. Preparation Preparing to Handle Incidents Preventing Incidents Detection and Analysis Attack Vectors Signs of an Incident Sources of Precursors and Indicators Incident Analysis Incident Documentation Incident Prioritization Incident Notification Containment, Eradication, and Recovery Choosing a Containment Strategy Evidence Gathering and Handling Identifying the Attacking Hosts Eradication and Recovery Post-Incident Lessons Learned Using Collected Incident Data Evidence Retention
  7. PREPARING Communication Resources: Contact information for team members and others within and outside the organization (primary and backup contacts), such as law enforcement and other incident response teams; information may include phone numbers, email addresses, public encryption keys (in accordance with the encryption software described below), and instructions for verifying the contact’s identity On-call information for other teams within the organization, including escalation information
  8. PREPARING Communication Resources: Contact information for team members and others within and outside the organization (primary and backup contacts), such as law enforcement and other incident response teams; information may include phone numbers, email addresses, public encryption keys (in accordance with the encryption software described below), and instructions for verifying the contact’s identity On-call information for other teams within the organization, including escalation information Incident reporting mechanisms, such as phone numbers, email addresses, online forms, and secure instant messaging systems that users can use to report suspected incidents; at least one mechanism should permit people to report incidents anonymously Issue tracking system for tracking incident information, status, etc. Smartphones to be carried by team members for off-hour support and onsite communications Encryption software to be used for communications among team members, within the organization and with external parties; for Federal agencies, software must use a FIPS-validated encryption algorithm War room for central communication and coordination; if a permanent war room is not necessary or practical, the team should create a procedure for procuring a temporary war room when needed Secure storage facility for securing evidence and other sensitive materials Hardware and Software: Digital forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data Laptops for activities such as analyzing data, sniffing packets, and writing reports Spare workstations, servers, and networking equipment, or the virtualized equivalents, which may be used for many purposes, such as restoring backups and trying out malware Blank removable media Portable printer to print copies of log files and other evidence from non-networked systems Packet sniffers and protocol analyzers to capture and analyze network traffic Digital forensic software to analyze disk images Removable media with trusted versions of programs to be used to gather evidence from systems Evidence gathering accessories, including hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, and evidence tape, to preserve evidence for possible legal actions Analysis: Port lists, including commonly used ports and Trojan horse ports Documentation for OSs, applications, protocols, and intrusion detection and antivirus products Network diagrams and lists of critical assets, such as database servers Current baselines of expected network, system, and application activity Cryptographic hashes of critical files to speed incident analysis, verification, and eradication Jump Kit - For example, each jump kit typically includes a laptop, loaded with appropriate software (e.g., packet sniffers, digital forensics). Other important materials include backup devices, blank media, and basic networking equipment and cables. PREVENTING If security controls are insufficient, higher volumes of incidents may occur, overwhelming the incident response team. This can lead to slow and incomplete responses, which translate to a larger negative business impact (e.g., more extensive damage, longer periods of service and data unavailability). Risk Assessments: -Ongoing RA should identify threats for each system/application. Each risk should be prioritized, and the risks can be mitigated, transferred, or accepted until a reasonable overall level of risk is reached. Another benefit of conducting risk assessments regularly is that critical resources are identified, allowing staff to emphasize monitoring and response activities for those resources. Host Security: - Hardened standard builds, patching process, and principle of least privilege. Audit Logging – collection, alerting, review Network Security: Securing all connection points Monitoring connections Malware Prevention: Host level (workstation + server) Application level (email, web proxy, etc.) Application clients (email client, instant messaging, etc.) User Awareness Training: Policy and Procedure review Sharing of “Lessons Learned” from incidents
  9. It is not feasible to develop instructions for every incident. We need to be generally prepared for any incident, and focus additional efforts on the most common attack vectors. Attack Vectors: Removable Media: USB, CD/DVD, peripherals Attrition: DDoS, brute force authentication pages (passwords, Captchas, etc.) Web Attack: cross site scripting. Typically addressed in OWASP Top 10 Email: Attachments or links with malicious code Impersonation: Spoofing, Man in the Middle, rogue WAPs, SQL injection on web app Improper Usage: Violations of Acceptable Usage Policy – loss of sensitive data, illegal activities, etc. Loss/Theft Equipment: laptops, removable media, mobile devices, authentication tokens, etc. Signs of an Incident: These should be developed in house to identify what Indicators would be most applicable. Automated possibilities: IDS/IPS, AV/Anti-Malware, SIEM/Log analyzers, file integrity monitoring, 3rd party monitoring (watching for IPs or domain name in know malicious activity) Manual: user reported errors or anomalies Need a way to sort through the volume of reports, and have the appropriate level of understanding and expertise to make these signs actionable. Sources of Precursors and Indicators: Signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future. An indicator is a sign that an incident may have occurred or may be occurring now. Typical Precursors (rare): Web server log entries that show the usage of a vulnerability scanner An announcement of a new exploit that targets a vulnerability of the organization’s mail server A threat from a group stating that the group will attack the organization. Some common indicators (extremely common): A network intrusion detection sensor alerts when a buffer overflow attempt occurs against a database server. Antivirus software alerts when it detects that a host is infected with malware. A system administrator sees a filename with unusual characters. A host records an auditing configuration change in its log. An application logs multiple failed login attempts from an unfamiliar remote system. An email administrator sees a large number of bounced emails with suspicious content. A network administrator notices an unusual deviation from typical network traffic flows. Incident Analysis Some systems can help automate some of the analysis leg work, but this is not an adequate substitution for experienced staff. Validation should follow a pre-defined process Once validated, the IRP should be enacted, with prioritization being based off the initial analysis. Efficiencies in analysis: Profile the Networks and Systems – understand the normal characteristics. File checksums, bandwidth usage. This is difficult to use when used alone. Understand Normal Behaviors – Frequent log reviews to help identify what is standard, and make the unusual stand out. This process will also validate the accuracy of log sources, and aid in initial analysis. Log Retention – Many incidents not caught right away, we will need historical logs to review to determine the scope of the incident. NIST SP 800-92 Guide to Computer Security Log Management provides additional guidance. Event Correlation – Tracing footsteps – see username in an application log, perhaps it can tie back to an IP from the firewall. An IDS may alert of an attack, and the local server log may confirm or deny success. NTP Synchronization – is no synchronization correlation can be extremely difficult Knowledgebase – detail out significance and validity of precursors and indicators that IRP team can reference. Should be easy to search and use. OSINT – google search of uncommon ports or IPs may help identify a common attack Packer Sniffers – need to be tuned to collect a management amount of data. Consider privacy implications. Focus efforts on most suspicious activity first Consider third parties, internal and external (SMEs, security staff, contractors, US-CERT, etc.) Incident Documentation As soon as an incident is suspected, the team (or analyst) should start recording all facts. Logbooks, laptops, cameras, audio recording are all possible. System events Conversations Observed changes in files All steps taken until resolution, including timestamps, supporting documentation obtained during investigation and resolution. Helps to have two people, one to work while the other records Status updates should be documented and communicated, typically ticketing system can be used. Be careful as this data will be extremely sensitive (exploitable vulnerabilities, recent breaches, etc.) The current status of the incident (new, in progress, forwarded for investigation, resolved, etc.) A summary of the incident Indicators related to the incident Other incidents related to this incident Actions taken by all incident handlers on this incident Chain of custody, if applicable Impact assessments related to the incident Contact information for other involved parties (e.g., system owners, system administrators) A list of evidence gathered during the incident investigation Comments from incident handlers Next steps to be taken (e.g., rebuild the host, upgrade an application).
  10. Choosing a Containment Strategy Containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS attack. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision-making. Potential Damage to and theft of resources Need for evidence preservation Service availability (e.g., network connectivity, services provided to external parties) Time and resources needed to implement the strategy Effectiveness of the strategy (e.g., partial containment, full containment) Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution). Sandbox to monitor potentially OK - if an organization knows that a system has been compromised and allows the compromise to continue, it may be liable if the attacker uses the compromised system to attack other systems. Handlers should not assume that just because a host has been disconnected from the network, further damage to the host has been prevented. EXAMPLE – ping hosts, if no response, encrypt the entire drive. Evidence Gathering and Handling Primary focus is to resolve the incident, but don’t forget about potential legal proceedings. Evidence should be collected according to procedures that meet all applicable laws and regulations that have been developed from previous discussions with legal staff and appropriate law enforcement agencies so that any evidence can be admissible in court. This includes chain of custody for physical transfers. A detailed log should be kept for all evidence, including the following: Identifying information (e.g., the location, serial number, model number, hostname, media access control (MAC) addresses, and IP addresses of a computer) Name, title, and phone number of each individual who collected or handled the evidence during the investigation Time and date (including time zone) of each occurrence of evidence handling Locations where the evidence was stored. NIST SP800-86 Guide to Integrating Forensic Techniques into Incident Response can be useful. Identifying Attacking Hosts Although this information can be important, incident handlers should generally stay focused on containment, eradication, and recovery. Identifying an attacking host can be a time-consuming and futile process that can prevent a team from achieving its primary goal—minimizing the business impact. Validating the attacking host IPs address - A failure to respond does not mean the address is not real—for example, a host may be configured to ignore pings and traceroutes. Also, the attacker may have received a dynamic address that has already been reassigned to someone else. Researching host through search engines - Performing an Internet search using the apparent source IP address of an attack may lead to more information on the attack—for example, a mailing list message regarding a similar attack. Knowledge base / Incident Database – try to identify similar attacks Monitoring Possible Attacker Communication Channels – C&C usually uses IRC. Also, attackers may congregate on certain IRC channels to brag about their compromises and share information. However, incident handlers should treat any such information that they acquire only as a potential lead, not as fact. Eradication and Recovery Removing malware Disabling breached user accounts Identifying the mitigating exploited vulnerabilities Restore systems to normal operation Should be a phased approach based on priority
  11. Lessons Leaned Often overlooked, people return to business as usual. Each of these incidents should help the team identify new threats, improve technology, and lessons learned. Should be mandatory after significant incidents, and periodically to cover multiple minor incidents. Typical questions: Exactly what happened, and at what times? How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? What would the staff and management do differently the next time a similar incident occurs? How could information sharing with other organizations have been improved? What corrective actions can prevent similar incidents in the future? What precursors or indicators should be watched for in the future to detect similar incidents? What additional tools or resources are needed to detect, analyze, and mitigate future incidents? Output can be useful in improving IRP training documentation. All policies and procedures impacted should be updated as well. Follow-up reports can be stored in Knowledge Repository to help with future incidents similar in nature. Using Collected Incident Data Collect data to use it, not simply collecting because it is there. Useful Metrics: Number of Incidents Handled – measures work performed, not quality, may help get additional resources for controls. Can also break into sub-categories to get trending information. Time per Incident – Total labor time / Time to discovery, impact assessment, and each stage of the process / response time to initial report / time to communicate to external parties (US-CERT, law enforcement, etc.) Objective Review – review for adherence to establish policies/procedures / damage before detection? / was root cause identified and remediated? / recurrence of previous incident? / estimated monetary damage Subjective Review – team member self review / review of team members / review policies and procedures against requirements and best practices / Evidence Retention Factors to consider when identifying retention period/schedules: Prosecution – may be needed in legal proceedings, and that could take years Data Retention – retention policy may say purge email 180 days – does the impact the Incident data set? (General Records Schedule 24 says IRP data for 3 years) Cost – depending on how much data is being retained, the added cost can be substantial
  12. MITRE Cyber exercise planning playbook https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf NIST SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
  13. Ransomware Playbook article https://www.demisto.com/playbook-for-handling-ransomware-infections/