Transcript Click to add title

Incident Management
Evolution of Protection
Implementing a Pro-Active
Approach to Cybersecurity
Benjamin Stephan, Director of Incident Management
FishNet Security
Agenda
P A G E
 Introduction
 Today’s Threat Landscape
 Incident Management Life Cycle
 Incident Management Framework
 Next Steps
Statistics in this presentation provided by Ponemon Institute Annual Study on Cyber Crime Costs.
1
Cybercrime has become a high stakes game…
 …and they are highly motivated to take your data…
 State sponsored
 Crime syndicates
 Hacktivists
 …for a number of reasons
 Financial Gain
 Industrial Espionage
 IP Theft
 Political motivation
 Botnet Services
P A G E
2
Threat Trends of 2011
P A G E
 The top trends related to a breach:
 Negligence
 Lack of CISO leadership
 Lack of external consulting support
 First time offense
 Lost or stolen device
 Median annualized cost of cyber crime is $5.9 million per year,
with a range of $1.5 million to $36.5 million each year.
 Increase of 56% over 2010
 Average per capita cost was $284 per enterprise seat
 Varies by size of the organization with smaller firms incurring a greater per
capita cost of $1,008 on average versus larger organizations
*Results provided by Ponemon study.
3
Corporate Security Posture Related to Breach Cost
*SES: Security Effectiveness Score; Developed by PGP Corporation and Ponemon Institute.
The higher the score the more effective an organization is at achieving security initiatives.
P A G E
4
Corporate Security Posture Related to Breach Cost
*SES: Security Effectiveness Score; Developed by PGP Corporation and Ponemon Institute.
The higher the score the more effective an organization is at achieving security initiatives.
P A G E
5
What Are Your Challenges?
P A G E
 Malicious traffic evading traditional perimeter security solutions
 Difficulty validating alerts and determining scope of incident
 Lack of endpoint visibility
 Lack of defined incident management
and response processes
 Untested procedures and infrastructure
 Inability to respond to every alert
 Insufficient view of network traffic
6
What Is The Impact?
P A G E
 Difficult or impossible to truly understand and gauge risk
 Time to contain an event and return to a trusted state takes too
long
 Overwhelmed with alerts
 Spend excessive time reducing false
positives
 Incident response is time consuming,
expensive and incomplete
 Potential loss of data
 No formalized operational procedures
7
The Solution
How can you defend against the unknown?
How can your company benefit protect it’s critical
assets?
P A G E
8
Solution: Incident Life Cycle, IMF, Incident Workflow
P A G E
9
Incident Management Lifecycle
P A G E
Detect
Operational
Improve
Confirm
Inoculation
Remediate
Tactical
Reaction
Contain
Triage
10
Incident Management Life Cycle
1. Operational
 Detect malicious traffic ‘on the wire’
 Identify symptoms of an attack via log analysis
 Confirm symptoms through automated and manual procedures
 Analyze 3rd party threat feeds
 Engage legal counsel
 Capture relevant malware artifacts
2. Tactical





Validate findings against endpoint data
Triage live systems based on symptomatic evidence
Determine scope, uncover additional information
Work with critical business units to determine risk potential
Deploy targeted analytic solutions to further quantify attack profile
 Control the threat to extend investigation time
P A G E
11
Incident Management Life Cycle
3. Reaction
 Disconnect compromised systems or networks
 Cut C&C Communication, kill active processes
 Escalate drastic containment procedures for authorization




Defend sensitive and critical assets
Engage 3rd party support as necessary
Wipe all identified malware and related artifacts
Schedule custom scans to mitigate secondary re-infection
4. Inoculation




Update virus signatures where applicable
Implement strong enterprise solutions
Document findings and results
Update policies and procedures to compensate for deficiencies
 Ensure management support of pro-active measures
P A G E
12
Incident Management Framework (IMF)
 2011 has been inundated with Cyber
Warfare attacks from across the globe.
 The attackers have become more and
more aggressive and sophisticated.
 In an effort to assist companies in
defending against this onslaught of
attacks; FishNet Security has architected
an Incident Management Framework
(IMF).
 The IMF is a security framework based on
the “best of breed” incident response
controls outlined in many known security
frameworks. Such as ISO, ITIL, PCI, NIST,
etc.
P A G E
13
Incident Management Framework (IMF)
P A G E
 By providing companies with a baseline framework dedicated to
incident management, an entity can:
 Minimize product costs through strategic enterprise solutions
 Mitigate risk exposure through effective operational controls
 Improve staff efficiency through better understanding of cyber
threats
 Bridge the “gap” between “legal” and “IT”
 Implement advanced malware countermeasures to defend the
corporate network
14
Incident Management Framework (IMF)
P A G E
1. Communication
 Internal


When an incident occurs there must be defined escalation protocols to ensure the right
individuals are communicated with and “kept in the loop”
Reporting an event can be one of the most important initial actions. There are laws that
must be considered as well as public relation issues
 External

Companies must have established relationship with third party entities and law
enforcement, prior to an incident.
2. Collection
 Acquisition

Electronically stored information (ESI) must be collected in a forensically sound manner.
 Chain of Custody


Physical access to any collected information must be maintained at all times.
Physical security controls must be implemented to ensure accurate accounting of
physical access.
 Data Retention

Policies must be defined as to how long ESI will be stored.
 Failure to define policies can lead to potential spoliation issues.
15
Incident Management Framework (IMF)
P A G E
3. Analysis
 Technical

On the Host: suspicious hosts must be analyzed for malicious content,
rogue file execution, compromise of sensitive data, etc.
 On the Wire: data traversing the network must be collected and analyzed
to determine migration of viruses, transmission of sensitive data,
anomalous packets, etc.
 Operational

One of the key aspects of investigating an incident is determining
unauthorized versus authorized access. The majority of incidents will
include illegitimate use of an authorized account.
 Example: help desk user account access HR file shares

Logs play a key role in incident analysis. However, the quantity of
information to be reviewed can be extremely large. A Security Information
and Event Management (SIEM) system can help review the logs in a
more efficient manor.
16
Incident Management Framework (IMF)
P A G E
4. Containment
 Prepare action plans for known “potential” threats.


The plans must cite the situation or incident and then outline how the
response team will react.
Example:
 Situation: a service account is compromised and is transferring sensitive information
out of the network.
 Reaction:
– Capture sensitive data traversing the network
– Identify the role of the service account
– Reset the password for the account or disable it
– Disconnect infected devices from the network
– Quantify the data exfiltrated from the network
– Work with legal regarding notification processes
– Execute analysis procedures
– Execute cleanup procedures
17
Incident Management Framework (IMF)
P A G E
5. Mitigation
 Remediation

Analyze the results of an investigation to determine what is required to
clean up the results of the infection.

Use 3rd party providers to identify vulnerabilities and help mitigate the risk
of secondary infection.
 Prevention

Conduct a “post mortem analysis” of all investigations.

Learn what went wrong and how it can be prevented in the future.
 Create a robust and repeatable process for vulnerability management.
 Testing

Develop and execute regular “table top” exercises to test the company’s
ability to respond to an incident.

Leverage hot, warm, and cold testing procedures.
18
Incident Management Framework (IMF)
P A G E
6. Legal Counsel
 Litigation Hold

Ensure plans are in place to disseminate, execute, and validate litigation holds.
 Request for Discovery

Preparing an “ESI Profile” will significantly help minimize the impact of fulfilling on
requests for discovery.
 Liability

Work with internal and external counsel to ensure:
 Notification laws are met
 Non-disclosure agreements are fulfilled
 Service level agreements are accurately defined
7. Immediate Response

Active: ensure there are accurate and up to date procedures in place to react
to an incident.
Passive: engage third party entities to provide immediate incident response
support where needed.


Classify sensitive data to ensure critical information is protected.
19
Incident Management Framework (IMF)
P A G E
8. Documentation
 Formal Plan

All companies must have a formal Incident Management program in
place. The program will outline the entity’s strategy regarding incident
response and prevention.
 The plan must have full support of top level management.
 Procedures

There must be formal and documented procedures that outline how
employees are to respond in an incident.
 Procedures must be reviewed at least annually and kept up to date and
in line with actual practices.
 Roles and Responsibilities

A formal emergency response team must be defined. The team must
include both active players as well as key business stakeholders.
20
Incident Management Workflow
P A G E
 Incident Management Life Cycle + Incident Management
Framework = Incident Management Workflow
21
Incident Response Workflow
Assignment
Detection
Operational
SIEM Event, Help Desk,
System Alert, User
Complaint, Fireeye Alert
Tactical
Reaction
Innoculation
P A G E
22
Litigation Request Occurs
Legal
Counsel is
Consultted
Event is
assigned to
C-SIRT
Investigator
Validation
Review Reported Event
Triage Suspected
Devices
Conduct Random
Sample to Validate
Containment
Evidence of
Control
Event Validated
Create Chain of Custody
Additional
Devices
Identified
Collection of Evidence
Investigation
Analysis
Document Analysis
Results
Infected Devices
Cleaned
False Positive
Event Contained
Mitigation
Create Targeted Rescan
Ticketing
Solution
Post Event
Upgrade Security
Controls
Contact C-SIRT
Management
Creation of Ticket
Assignment to C-SIRT
Assignment to C-SIRT
Investigator
Initiate Containment
Tickets
Document Containment
Measures
Finalize Incident Ticket
with Results of
Investigation
Present
Results to
Legal
Post Mortem C-SIRT
Meeting
P A G E
Attack Scenarios
23
P A G E
Scenario #1
24
P A G E
Web Server Compromise & Pivot
Website
Attacker
Root Kit
Uploaded using
SQL injection
25
P A G E
Root Kit
26
P A G E
Reverse Proxy
Reverse Proxy
Installed on server
Using Root Kit
Attacker
RDP Traffic
27
P A G E
Scenario #2
28
Online Banking Fraud
P A G E
SQL injection
Attacker
Exploit to embed
XSS code
Website
29
P A G E
30
Online Banking Fraud
Victimized Site
Hacker Site
Consumer
Keylogger
Consumer
Consumer
Consumer
P A G E
Online Banking Fraud
Consumers
Consumer
Online Banking
Hacker logs into
Online banking credentials
Online banking site and creates
fraudulent transactions.
Sent to hacker
Attacker
31
P A G E
Scenario #3
32
P A G E
POS Keylogger
Internet
POS Server
Back Office
POS Server
Processor
33
P A G E
POS Keylogger
Reseller / Integrator
uses global accounts to
provide Tech support.
Internet
Keylogger installed on each POS
device. Card Swipe readers send
PAN via standard keyboard I/O.
Back Office
POS Server
Hacker used global remote
credentials to access environment
34
1st Instance
of threat
Saturation
scope
1st Instance
of threat
Detection
Containment
Time/cost
Uncompromised endpoints
AFTER
P A G E
scope
BEFORE
ROI on Cyber Defense
Detection
Containment
Time/cost
Scope of compromise
Resources
• Early exposure of known
unknown
• Rapid response
• Fewer required resources
• Rapid remediation
35
ROI on Cyber Defense (Statistics)
P A G E
 From the point of detection to containment is referred to as the
“Return To Trusted State” (RTTS)
 Average RTTS in 2011 was 18 days

Increase of 4 days over 2010
 Average cost of $413,784 per event or $22,896 per day

Increase of 67% over 2010
 The threats range in difficulty to contain (average RTTS):
 Malicious Insider = 45.5 days to contain
 Malicious Code = 41.6 days to contain
 Web-based attacks = 23.5 days to contain
 DOS/DDOS = 13.1 days to contain
 Stolen Devices = 10.7 days to contain
36
ROI on Cyber Defense (Statistics)
P A G E
37
Defining YOUR Plan
 What are your next steps?
 ACT NOW!
 Plan for an attack on your network.
 Implement enterprise grade products in
your organization.
 Implement a strong security framework.
DEFEND YOUR NETWORK!
P A G E
38
P A G E
Questions
39
Thank You
P A G E
Benjamin Stephan
Director, Incident Management
FishNet Security
[email protected]
40