Robert beggs incident response teams - atlseccon2011
•
0 likes•331 views
1) The nature of cyber attacks has changed and now pose a serious threat as attackers are financially motivated and have access to powerful hacking tools, while law enforcement lacks resources to properly respond. 2) Traditional incident response methods are ineffective as they are reactive and lack coordination between technical and business teams, often making mistakes. 3) The document argues that organizations need to implement an agile incident response program including a computer security incident response team (CSIRT) that takes a proactive and coordinated approach to security incident prevention and management.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Robert beggs incident response teams - atlseccon2011
Similar to Robert beggs incident response teams - atlseccon2011 (20)
More from Atlantic Security Conference
More from Atlantic Security Conference (11)
Recently uploaded
Recently uploaded (20)
Robert beggs incident response teams - atlseccon2011
- 1. Incident Response Teams Why Your Organization Needs One – Now! Page 1© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
- 2. Take-Aways • Nature of attacks has changed • Law enforcement, judiciary not prepared • Failure of traditional incident response • Agile incident management • Computer Security and Incident Response Teams, CSIRTs – moving to SMEs © 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document. Page 2 "Fools you are . . . who say you like to learn from your mistakes ... I prefer to learn from the mistakes of others, and avoid the cost of my own.“ O. v Bismark
- 3. The Threat Has Changed • Attackers financially motivated – skills are rewarded; “business competitors” are hacking • “Trickle down effect” – powerful, easy to use tools are widely available • Opportunistic, automated attacks • Targeted (social engineering; HBGary, Government) • Persistent agents © 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document. Page 3
- 4. Law Enforcement … • 61,000 police officers in Canada • 245 specialize in cybercrime (0.4%) • Overall, lack budget and training • Still developing legal infrastructure to support criminal investigations (lawful intercept legislation) • In short, an effective response is generally up to the victim • Are you ready? … Page 4© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
- 5. Data Security Incidents Non-compliance with the corporate security policy or procedures, or any event that negatively impacts the confidentiality, integrity and availability of your corporate data Page 5© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
- 6. “Traditional” Incident Response • Event-triggered: you have lost the initiative • Competing priorities – technical (investigation) versus business (recovery) • Mistakes are frequent Page 6© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
- 7. The Failure of Traditional IR - 1 Corporate • Tactical, short-term perspective • Competing priorities – business versus technology • Poorly defined roles and responsibilities • Failure to support technical personnel • Corporate secrecy (external entities) • Failure to learn from previous incidents; no formal method to create a corporate memory (internal) Page 7© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
- 8. The Failure of Traditional IR - 2 Technical • Technical staff lack contacts, communications skills for dealing with management, externals • Failure to provide comprehensive response (legal, HR, etc) • Focus on the technology; can lose sight of the business • Difficult to deal with privileged users (system administrators, database admins) • Difficult to deal with internal attackers Page 8© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
- 9. The Failure of Traditional IR - 3 Technical • Unable to keep up with methodology and tools of attackers (encryption, anti-forensics, live response) • Lack of “appropriate” training (scenario-based technical training, current attacks, soft skills) • Lack tools for effective incident response • Not all problems have a technical solution! Page 9© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
- 10. Page 10© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
- 11. Agile Incident Management Incident management is the totality of proactive and reactive measures undertaken to help prevent and manage data security incidents across an organization Page 11© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
- 12. Agile Incident Management Proactive Strategic Plan Risk Assessment Policy and SOPs Roles, Responsibilities Activity Monitoring Pro-Active Data Forensics End-User Education Integrate with 3rd Parties Reactive Fast, Focused, Flexible Preservation Live System Forensics Static Forensics Network Forensics Training, “Memory” © 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document. Page 12 CSIRT
- 13. Computer Security and Incident Response Teams, CSIRTs • Types: – National-level – Specific verticals (critical infrastructure) – Universities – Vendors – Businesses • Multi-dimensional team focused on responding to all possible security incidents – (IT, security, HR, PR, physical security, business owners, legal …) Page 13
- 14. Computer Security and Incident Response Teams, CSIRTs • Formal teams – 5 – 10 members – 24x7 availability – Well trained – High-stress roles, burn-out is common • Require committed support of large organizations to gain benefits © 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document. Page 14
- 15. Moving the CSIRT “Down the Chain” • Bring CSIRT to SMEs • Change perspective: – “First responders” are the end users – CSIRT responds to incidents (“triage”) – Collect and preserve evidence – Manage internal, external relationships – Maintain corporate memory © 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document. Page 15
- 16. Agile CSIRTs – Reliance on 3rd Parties • 3rd parties (“partner sourcing”) • Technology audits, assessments, evaluation, certification • Alerts, warnings • Repository of documentation, tools, techniques • Post-event analysis – the “post mortem” • Education and training • Metrics and benchmarking • External validation of team and processes © 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document. Page 16
- 17. Agile CSIRTS – Key Success Factors • What are your core CSIRT functions? • Defined and documented roles, responsibilities • Business and technical functions represented • Access to tools – Open source, proprietary • Access to information – Similar organizations – Security warnings, briefings, CSIRTS – Law enforcement © 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document. Page 17
- 18. Agile CSIRTs – Key Success Factors • Training – Seminar, boot-camp – Scenario-based • Risk assessment based – what do you need? – Ethical hacking – Incident response techniques – Malware analysis – Data forensics (live systems, static forensics) – Criminal and intellectual property law © 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document. Page 18
- 19. References • CERT (www.cert.org) • DigitalDefence (www.digitaldefence.ca) – Free access to Canadian CSIRT community! – Online repository of whitepapers, documents, tools – Contact dd-csirt@digitaldefence.ca © 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document. Page 19
- 20. Contact Me Page 20© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.