Adapting Incident Response to Meet the Threat


Transcript of Adapting Incident Response to Meet the Threat

Page 1: Adapting Incident Response to Meet the Threat

Adapting Incident Response to Meet the Threat

Page 2: Adapting Incident Response to Meet the Threat


Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

Introductions: Today’s Speakers

• Jeff Schilling, Director, Global Incident Response and Digital Forensics, Dell SecureWorks
• Ted Julian, Chief Marketing Officer, Co3 Systems

Page 3: Adapting Incident Response to Meet the Threat


Agenda

• Why change your approach?

• Do you really know your environment?

• Do you really know/understand your threat?

• Where to focus your efforts to respond?

• Measuring success

Page 4: Adapting Incident Response to Meet the Threat


About Co3’s Incident Response Management System

PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / tabletops)

ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries

MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence

MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization

Page 5: Adapting Incident Response to Meet the Threat


About Dell SecureWorks

• Dell SecureWorks uses cyber threat intelligence to provide predictive, continuous and responsive protection for thousands of organizations worldwide.
• Enriched by intelligence from our Counter Threat Unit research team, Dell SecureWorks' Information Security Services help organizations proactively fortify defenses, continuously detect and stop cyber-attacks, and recover faster from security breaches.

Page 6: Adapting Incident Response to Meet the Threat


My Press Box View

• My view as the Director of the Army's Global Network Security Team
• My view as the Director of the Dell SecureWorks Incident Response Practice

Page 7: Adapting Incident Response to Meet the Threat


The Dell SecureWorks Incident Response Practice

• 300+ engagements this year
• 42% of our engagements were with medium-sized businesses
• 58% were large enterprise customers
• 70% of our engagements were active Incident Response
• 30% were proactive engagements
• 20% of our projects involved Advanced Persistent Threat (targeted threat)
• Our observations from 2012 engagements:
  End users still the primary targets (51% of the time)
  Servers and applications running second (39% of the time)
  20% of our engagements involved insider threat activity

Page 8: Adapting Incident Response to Meet the Threat

DO I NEED TO CHANGE

MY APPROACH?

Page 9: Adapting Incident Response to Meet the Threat


Getting to “yes”

• Do you rarely see the same activity on your networks with the same success?
• Do you conduct trend analysis of your security incidents?
• Have you analyzed the things you can control and the things you can't?
  People
  Processes
  Technology
• For the things you can't control, have you calculated the risks or outcomes?
• Have you insured or transferred that risk?
• Do you make adjustments to your security controls based on trends?
• Do you have a plan or playbook to address your most common incidents?
• Do you rehearse and update these plans?

Page 10: Adapting Incident Response to Meet the Threat

DO YOU REALLY KNOW

YOUR ENVIRONMENT?

Page 11: Adapting Incident Response to Meet the Threat


Which picture best describes your network?

• Do you have an updated/accurate network diagram? Are you a part of the change management process so you know when it changes?
• Have you studied your network flow to know which ports and protocols to accept and which to deny?
• Do you validate with pen tests, vulnerability scans, and NetFlow monitoring?
• Do you have defined network boundaries with the Internet?
• Do you leverage Active Directory to assign risk and controls to organizational units?
• Is whitelisting embraced in your organization?
• Do you have a standard, secure image/baseline for hosts and servers?
• Do you centralize your event log monitoring?
• Do you limit workstation-to-workstation communication?

Page 12: Adapting Incident Response to Meet the Threat

POLL

Page 13: Adapting Incident Response to Meet the Threat

DO YOU REALLY KNOW

YOUR ENEMY?

Page 14: Adapting Incident Response to Meet the Threat


Categories of threat

• Phishing with Dynamite (commodity)
  Automated control for scale
  Can be defended with good signature-based controls
  Buys tradecraft
  Can be sophisticated and polymorphic
  Favorite vectors: server compromises, non-targeted phishing, web drive-bys
  Smash and grab
• Playing chess (Advanced Persistent Threat)
  Human controlled (just for you)
  Custom tradecraft
  Favorite vectors: highly targeted phishing, watering-hole web drive-bys, some server compromises
  Highly targeted efforts
  Attempts to cover their tracks
  Will compromise partners to get to you
  Goal is to log on and become an insider
• Fly on the wall (insider)
  Hardest to detect, tries to hide in normal activity
  Usually has elevated privileges
  Often assumes they are not being monitored
  Rarely uses tradecraft: when they do, normally crawlers
  Usually has access to data that does not pertain to their job; that is what they take
  May use "close access" techniques
  Attempts to cover their tracks
  Managers/HR usually not surprised when an insider is caught

Page 15: Adapting Incident Response to Meet the Threat


Categories of Intent/Motive

• Disrupt

• Destroy

• Deny

• Revenge

• Embarrass

• Intimidate

• Competitive advantage

• Fill in an innovation gap

• Nation-state level espionage

• Steal your money

• Steal your clients' money

• Identity Theft

• Fraud

Page 16: Adapting Incident Response to Meet the Threat

POLL

Page 17: Adapting Incident Response to Meet the Threat


Pulling it all together

Threat:
• Commodity
• Advanced Persistent Threat
• Insider

Intent/Motive:
• Crime
• Hacktivism
• Revenge
• Intellectual property theft
• Cyber Warfare

Targets:
• Cardholder Data/PII/Identity
• Core Business Processes
• Critical Infrastructure
• Intellectual Property
• Web applications
• Financial data/processes
• Executive communication

Impact:
• Monetary loss
• Availability
• Confidentiality
• Integrity
• Personal harm
• Reputation

Incident types:
• Botnets
• Server compromise
• DoS
• Malicious code
• Web infection
• Phishing
• Physical Theft/Loss/Damage
• Targeted Attacks
• Worms/Trojans

Controls:
• IPS/IDS
• Firewall/Web app FW
• DDoS filtering
• Web/mail proxy
• VM inspection
• Host-level controls
• SIEM/Log monitoring
• Vulnerability mgt
• Access control
• DLP
• DRM
• User actions
• Policy

Page 18: Adapting Incident Response to Meet the Threat


What should an IR plan look like?

• Base document (Policy and Guidelines, does not change very often)
  Roles and responsibilities
  Description of the overall process
  Identification of Incident Types
  Workflows
  Identification of third-party providers
• Playbooks/Appendix/Run Books (Procedures, constantly updated)
  One for each Incident Type
  Criteria for declaring an incident
  Checklist-driven actions
• Point of Contact Lists
  Key players on the Security team
  Key players on the IT staff (if separate from the Security team)
  Key decision makers outside of Security and IT
  Third-party providers (ISP, outside consulting, etc.)

Page 19: Adapting Incident Response to Meet the Threat


Threat Intelligence Maturity Model

Page 20: Adapting Incident Response to Meet the Threat


How do you apply intelligence?

Context and countermeasures
Feedback loop: What does it mean? How to resist? What is the next action?

Page 21: Adapting Incident Response to Meet the Threat

WHERE TO FOCUS YOUR

RESPONSE EFFORTS?

Page 22: Adapting Incident Response to Meet the Threat


Do you live on the OODA Loop?

Page 23: Adapting Incident Response to Meet the Threat


The “Broken Windows” approach

Questions

• Where is my most important data?
• Where are most of my incidents happening?
• Where am I most vulnerable?
• What is (are) the worst possible thing(s) that could happen?
• Can I detect where I am most vulnerable?
• Can I contain where I am most vulnerable?
• Can I see insider threats?

Answers

• Identify your "broken windows"
• Establish network visibility
• Segment to protect critical assets, create security zones
• Layered defense strategy
  Intelligence-informed SIEM
  Network detection/prevention
  Host-level detection/prevention
  Virtual machine detonation
• Get control of your elevated privileges, if you can
• Protect and leverage your Active Directory structure
• Whitelist your servers, protocols, and ports
• Focus on SMTP and web traffic
• Talk to managers and HR about high-risk employees with elevated privileges
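The "whitelist your servers, protocols, and ports" answer above, together with the "studied your network flow" and "limit workstation to workstation communication" questions on the "Which picture best describes your network?" slide, as an added example in Python. This is not code from the presentation or from Dell SecureWorks or Co3: the two security zones, the allowlist and the flow records are all constructed, and the flow tuple layout is an assumption standing in for exported NetFlow/IPFIX records.

```python
"""Added example, not from the slides: triaging flow records against a whitelist of
servers, protocols and ports, and flagging workstation-to-workstation traffic.
The zones, the allowlist and the flow records below are constructed assumptions."""
from ipaddress import ip_address, ip_network

# Assumed security zones (the segmentation the slides recommend).
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/24"),
}

# Assumed allowlist: (destination zone, protocol, destination port) -> purpose.
ALLOWED = {
    ("servers", "tcp", 443): "intranet web",
    ("servers", "tcp", 25): "mail relay",
    ("servers", "tcp", 445): "file server",
    ("servers", "udp", 53): "dns",
}

# Constructed flow records: (src, dst, proto, dport, bytes).
FLOWS = [
    ("10.10.4.21", "10.20.0.10", "tcp", 443, 5120),
    ("10.10.4.21", "10.20.0.12", "tcp", 25, 800),
    ("10.10.4.21", "10.10.7.99", "tcp", 445, 2_000_000),  # workstation -> workstation SMB
    ("10.10.4.21", "10.10.7.99", "tcp", 3389, 30_000),    # workstation -> workstation RDP
    ("10.10.9.8", "10.20.0.10", "tcp", 8443, 1200),       # server, but port not whitelisted
    ("10.20.0.10", "10.20.0.11", "tcp", 1433, 90_000),    # server -> server, not whitelisted
    ("10.10.4.21", "203.0.113.5", "tcp", 4444, 70_000),   # egress to the Internet on an odd port
]


def zone_of(ip):
    """Name of the zone containing ip, or 'unknown' (e.g. the Internet)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def classify_flow(flow):
    """'allowed', 'lateral' (workstation to workstation), 'unlisted-port'
    (to a server on a port/protocol not in ALLOWED) or 'review' (leaves the zones)."""
    src, dst, proto, dport, _ = flow
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == "workstations" and dst_zone == "workstations":
        return "lateral"
    if (dst_zone, proto, dport) in ALLOWED:
        return "allowed"
    if dst_zone == "servers":
        return "unlisted-port"
    return "review"


def triage(flows):
    """Group every non-whitelisted flow by verdict; allowed flows are dropped."""
    findings = {"lateral": [], "unlisted-port": [], "review": []}
    for flow in flows:
        verdict = classify_flow(flow)
        if verdict != "allowed":
            findings[verdict].append(flow)
    return findings


def noisiest_sources(findings, verdict):
    """Source addresses generating the most flows of one verdict, busiest first."""
    counts = {}
    for src, *_ in findings[verdict]:
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    result = triage(FLOWS)
    for verdict, flows in result.items():
        print(f"{verdict}: {len(flows)} flow(s)")
        for flow in flows:
            print("   ", flow)
    print("lateral talkers:", noisiest_sources(result, "lateral"))
```

The point of the three non-allowed verdicts is that they map to different owners: "lateral" flows are what host-based controls and workstation firewall rules should already be blocking, "unlisted-port" flows are either a missing allowlist entry or a service that should not be listening, and "review" flows are the ones that cross the Internet boundary and deserve an analyst's eyes first.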

Page 24: Adapting Incident Response to Meet the Threat

HOW DO YOU

MEASURE SUCCESS?

Page 25: Adapting Incident Response to Meet the Threat


Success, Failure, and False metrics

Indications of Failing Trends
• Increase in recurring incidents
• Increase in dwell time
• Increase in the number of incidents reported by users vs. detected by the SOC
• Increase in the number of root-level and domain compromises
• Increase in the number of compromised servers / web applications
• Increase in the number of incidents involving CVEs
• Increase in the business impact of incidents
• Increase in incidents closed with root cause indeterminate

Indications of Successful Trends
• Decrease in time between detection and containment
• Decrease in the number of successful commodity infections
• Decrease in the number of incidents that spread to multiple hosts
• Increase in the number of APT and insider threat detections
• Decrease in third-party reporting of incidents (FBI, USSS, partners)
• Reduction in successful phishing

False Metrics
• Increase or decrease in the number of incidents
• Increase or decrease in the number of detections
• Investment in security technology
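The failing and successful trend indicators above, computed over a constructed incident log as an added Python example that is not part of the presentation. The record fields, the two quarters of incidents and the metric names are assumptions; the point is that every indicator on the slide is a comparison between two periods, and that the raw incident count is carried along only to show that it is never scored.

```python
"""Added example, not from the slides: computing the trend metrics from the
"Success, Failure, and False metrics" slide over a constructed incident log.
The record format, field names and every incident below are assumptions."""
from datetime import datetime
from statistics import median


def hours_between(start, end):
    """Hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


# Constructed incident records for two consecutive quarters.
# detected_by is "soc", "user" or "third_party"; root_cause=None means the
# incident was closed with the root cause indeterminate.
INCIDENTS = [
    dict(quarter="2012Q3", category="commodity", first_activity="2012-07-01T00:00",
         detected="2012-07-11T00:00", contained="2012-07-12T00:00", detected_by="soc",
         hosts=1, recurring=False, root_cause="phishing", privilege="user"),
    dict(quarter="2012Q3", category="apt", first_activity="2012-07-20T00:00",
         detected="2012-08-09T00:00", contained="2012-08-11T00:00", detected_by="user",
         hosts=3, recurring=False, root_cause=None, privilege="domain"),
    dict(quarter="2012Q3", category="commodity", first_activity="2012-08-01T00:00",
         detected="2012-08-03T00:00", contained="2012-08-03T12:00", detected_by="soc",
         hosts=1, recurring=True, root_cause="drive-by", privilege="user"),
    dict(quarter="2012Q3", category="commodity", first_activity="2012-09-01T00:00",
         detected="2012-09-16T00:00", contained="2012-09-19T00:00", detected_by="third_party",
         hosts=5, recurring=False, root_cause="web application", privilege="root"),
    dict(quarter="2012Q4", category="commodity", first_activity="2012-10-01T00:00",
         detected="2012-10-03T00:00", contained="2012-10-03T06:00", detected_by="soc",
         hosts=1, recurring=False, root_cause="phishing", privilege="user"),
    dict(quarter="2012Q4", category="apt", first_activity="2012-10-10T00:00",
         detected="2012-10-15T00:00", contained="2012-10-15T12:00", detected_by="soc",
         hosts=2, recurring=False, root_cause="phishing", privilege="domain"),
    dict(quarter="2012Q4", category="commodity", first_activity="2012-11-01T00:00",
         detected="2012-11-04T00:00", contained="2012-11-05T00:00", detected_by="user",
         hosts=1, recurring=False, root_cause="drive-by", privilege="user"),
    dict(quarter="2012Q4", category="insider", first_activity="2012-11-20T00:00",
         detected="2012-11-26T00:00", contained="2012-11-27T00:00", detected_by="soc",
         hosts=1, recurring=False, root_cause="insider", privilege="domain"),
    dict(quarter="2012Q4", category="commodity", first_activity="2012-12-01T00:00",
         detected="2012-12-02T00:00", contained="2012-12-02T03:00", detected_by="soc",
         hosts=1, recurring=False, root_cause="commodity malware", privilege="domain"),
]

# Direction that counts as success for each indicator on the slide.
LOWER_IS_BETTER = ["dwell_h_median", "detect_to_contain_h_median", "user_reported_share",
                   "third_party_reported", "privileged_compromises", "multi_host",
                   "indeterminate_root_cause", "recurring"]
HIGHER_IS_BETTER = ["targeted_detections"]
FALSE_METRICS = ["incident_count"]  # reported for context only; never scored


def quarter_metrics(incidents):
    """Per-period values of the slide's indicators for one list of incidents."""
    n = len(incidents)
    return {
        "dwell_h_median": median(hours_between(i["first_activity"], i["detected"]) for i in incidents),
        "detect_to_contain_h_median": median(hours_between(i["detected"], i["contained"]) for i in incidents),
        "user_reported_share": sum(i["detected_by"] == "user" for i in incidents) / n,
        "third_party_reported": sum(i["detected_by"] == "third_party" for i in incidents),
        "privileged_compromises": sum(i["privilege"] in ("root", "domain") for i in incidents),
        "multi_host": sum(i["hosts"] > 1 for i in incidents),
        "indeterminate_root_cause": sum(i["root_cause"] is None for i in incidents),
        "recurring": sum(i["recurring"] for i in incidents),
        "targeted_detections": sum(i["category"] in ("apt", "insider") for i in incidents),
        "incident_count": n,
    }


def by_quarter(incidents):
    """Indicator values keyed by quarter, in chronological order."""
    return {q: quarter_metrics([i for i in incidents if i["quarter"] == q])
            for q in sorted({i["quarter"] for i in incidents})}


def trend(previous, current):
    """Which indicators moved the wrong way and which improved between two periods.
    The false metrics are deliberately never consulted."""
    failing = ([m for m in LOWER_IS_BETTER if current[m] > previous[m]]
               + [m for m in HIGHER_IS_BETTER if current[m] < previous[m]])
    improving = ([m for m in LOWER_IS_BETTER if current[m] < previous[m]]
                 + [m for m in HIGHER_IS_BETTER if current[m] > previous[m]])
    return {"failing": failing, "improving": improving}


if __name__ == "__main__":
    metrics = by_quarter(INCIDENTS)
    for quarter, values in metrics.items():
        print(quarter, values)
    print(trend(metrics["2012Q3"], metrics["2012Q4"]))
```

On the constructed data the second quarter has more incidents than the first (five against four), which on its own says nothing; the dwell-time and detection-to-containment medians, user-reported share, third-party reports and indeterminate closures all fall, while the one indicator that moves the wrong way is the count of domain-level compromises. That is the kind of mixed picture the slide warns about: a program can be improving on most axes and still be reinforcing a failure on the one that matters most.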

Page 26: Adapting Incident Response to Meet the Threat


Conclusion

• Analyze your environment: know your strengths and weaknesses
• Ensure you understand the threat's capabilities, intent, and vectors
• Focus your response on your "broken windows"
• Ensure you are achieving success and not reinforcing failure in your Incident Response processes

Page 27: Adapting Incident Response to Meet the Threat


Resources

• Dell SecureWorks Incident Response
  http://go.secureworks.com/incident-response
• SANS Incident Response Training
  http://www.sans.org/course/advanced-computer-forensic-analysis-incident-response
• White Paper - Accelerating Incident Response: How Integrated Services Reduce Risk and the Impact of a Security Breach
  http://www.secureworks.com/resources/articles/featured_articles/accelerating-incident-response-reducing-risk-and-impact
• NIST Computer Security Incident Handling Guide
  http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• If you suspect a security breach, contact the Dell SecureWorks Incident Response team at 877-884-1110.

Page 28: Adapting Incident Response to Meet the Threat

QUESTIONS

Page 29: Adapting Incident Response to Meet the Threat

One Alewife Center, Suite 450, Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

"Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice."
PC MAGAZINE, EDITOR'S CHOICE

"Co3…defines what software packages for privacy look like."
GARTNER

"Platform is comprehensive, user friendly, and very well designed."
PONEMON INSTITUTE

Jeffery R. Schilling, CISM
Director of Incident Response and Digital Forensics
m: +1 703-232-7992
[email protected]

"One of the hottest products at RSA…"
NETWORK WORLD – FEBRUARY 2013