Enterprise incident response 2017
Enterprise Incident Response
VŠE, Prague
Petr Špiřík, 18. 4. 2017
PwC
Agenda: 90 minutes together ahead
Topics
Security incident in the enterprise context
Frameworks and methodology
Lifecycle of the security incident
Future challenges & evolution
Rules of the game
Mutual respect
There are no stupid questions – ask!
Petr Špiřík (PwC EMEA CSIRT Lead)
12+ years of professional experience
Network security & SOC background
Former PwC CEE CISO
Major interests
• Incident response
• Cyber threat intelligence
• Active defense
• Education of cyber security
Key Terms: Leveling the field
Process capabilities
Procedures, protocols & methodology
Communication & escalation paths
Decision making
Technical capabilities
Architecture (AV, FW, IPS)
Detection (SIEM, IDS)
Response & Triage tools
Alert vs Incident vs Breach
Suspicion vs Assurance vs Damage
False positive & negatives
Risk appetite & sensitivity
Operations vs Security incident
Means, motive & opportunity
Different objectives
Intentional vs accidental
Security Incident: What is this, anyway?
Operations incident
Network is down (power outage)
Computer freezes (misconfiguration)
Data is lost (corrupt backups)
Objectives
Become operational ASAP
Return back to normal
ITIL based
Security incident
Network is DDoSed
Environment is compromised
Data is exfiltrated
Objectives
Stop the bleeding
Understand the threat (Potential impact)
Competing interests (Business, CSIRT, Threat Intelligence)
Enterprise Aspect: Difference between SMB & Enterprise
Scalability & Complexity
30 minutes per machine is great …
… if you don’t have 10 000 machines
Manpower is the limiting factor
Automation is the way to go
Standards are necessary
Documentation is vital
Processes & governance enable enterprise incident management
Speed of the enterprise
It is a business decision to turn off the server…
… but who is the business owner?
Complexity is not only technical
Global vs. local
Cost of action vs. cost of inaction
Interaction with Risk management
Enterprise has the agility of an iceberg and the consensus of a group of cats
Cost of Security: How secure do you want to be?
Enterprise wants to …
Make profit!
Do business
Be agile
Not be blocked by security
Enterprise wants to be as secure as possible for as little cost as possible
Learn to answer the tough question in an educated way
Security wants to …
Spend resources
Limit access & operations
Have formal procedures & standards
Have control
Security in enterprise is always a cost, never profit
Learn to make a business case & accept the business decisions
Standards & Frameworks: Making our lives easier
NIST (800-61)
US-centric
800-X family
Detailed, ready to use
No formal certification
ISO (27001:2013)
EU-centric
High level
Process oriented
Certifiable by independent body
Adoption
Do not reinvent the wheel
Cost-benefit analysis
Multiple standards implementation
Scope is critical
Customization
Understand your own enterprise
Pick wisely
Involve business
Make sure you understand the framework
Information Security Incident Lifecycle: NIST 800-61
Preparation: Technical
Enterprise
Architecture (segmentation, access control)
Hardening (scans, patches, configuration)
Logging & reporting
Visibility & control
Segregation of duties
Ticketing & knowledge management system
Take control over your environment first, before you try to fight the incidents
Security team
Logging & monitoring capabilities
Tools for incident response
Forensic/Malware lab (nice to have)
Secured area
Control over key chokepoints
Skilled team
Time invested in preparation phase will save you during the incident
Preparation: Process
Enterprise
Contact with other functions (IT, business, Risk management, PR & Communication)
Change management
Incident management in wider sense
Crisis management
Awareness & education
Leadership buy-in
Not only you, but your whole enterprise needs to act accordingly
Security team
Reporting an incident – identify inputs & tracking tools interaction
Communication plan
Ownership & governance
Policies & procedures
Templates
Incident response plans
Time invested in preparation phase will save you during the incident
Detection: Technical
Logging
Continuous activity
Ingestion of logs from identified sources
Storage only (compliance)
Necessary first step
No output!
Reporting
Regular & automated
Defined KPIs & metrics
Strong for spotting trends and anomalies
Good for predicting future issues
Easy quick win – good cost:benefit ratio
Output is static report, consumed by security team or leadership
Monitoring / Alerting
Real time
Defined use cases to monitor (as opposed to “everything”)
Threshold based, complex rules, function of time
Sensitivity is critical factor (False positives)
Output is dynamic alerting via console, SMS, emails to analysts
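The three tiers on this slide (logging with no output, a static report, and real-time threshold alerting whose sensitivity drives the false-positive rate) can be made concrete in a few dozen lines. The following is an added example, not code from the presentation or from PwC; the log format, the user names, hosts and source addresses are all constructed for the illustration, and the alert rule (N failed logins from one source within a time window, one alert per source) is a generic use case chosen here, not one the slides prescribe.

```python
"""Logging, reporting and alerting over the same events (added illustration).

Tier 1 (ingest) only structures the raw lines and produces no output.
Tier 2 (report) produces static aggregates for trend spotting.
Tier 3 (alert) is a threshold rule evaluated as a function of time, where
the threshold and window are the sensitivity knobs the slide refers to.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-like); not captured from any real system.
SAMPLE_LOG = """\
2017-04-18T09:00:01 auth sshd: Failed password for alice from 10.0.0.5
2017-04-18T09:00:03 auth sshd: Failed password for alice from 10.0.0.5
2017-04-18T09:00:04 auth sshd: Failed password for alice from 10.0.0.5
2017-04-18T09:00:06 auth sshd: Failed password for alice from 10.0.0.5
2017-04-18T09:00:07 auth sshd: Failed password for alice from 10.0.0.5
2017-04-18T09:00:09 auth sshd: Accepted password for alice from 10.0.0.5
2017-04-18T09:15:00 auth sshd: Failed password for bob from 10.0.0.9
2017-04-18T10:30:00 auth sshd: Failed password for bob from 10.0.0.9
2017-04-18T11:45:00 auth sshd: Accepted password for bob from 10.0.0.9
"""


def ingest(text):
    """Tier 1, logging: parse raw lines into structured events. No output yet."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" auth sshd: ")
        outcome, _, tail = rest.partition(" password for ")
        user, _, src = tail.partition(" from ")
        events.append({"ts": datetime.fromisoformat(ts),
                       "ok": outcome == "Accepted", "user": user, "src": src})
    return events


def report(events):
    """Tier 2, reporting: static aggregates (failures per user, volume per hour)."""
    failed_by_user = Counter(e["user"] for e in events if not e["ok"])
    events_by_hour = Counter(e["ts"].strftime("%H:00") for e in events)
    return {"failed_by_user": dict(failed_by_user),
            "events_by_hour": dict(events_by_hour)}


def alert(events, threshold, window_seconds):
    """Tier 3, alerting: fire once per source when it accumulates `threshold`
    failed logins inside a sliding window of `window_seconds`.

    Lowering the threshold or widening the window raises sensitivity and,
    with it, the false-positive rate; tuning this pair is the analyst's job.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    fired = set()                 # sources already alerted on (dedupe)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and e["src"] not in fired:
            fired.add(e["src"])
            alerts.append({"src": e["src"], "user": e["user"],
                           "count": len(q), "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    evs = ingest(SAMPLE_LOG)
    print(report(evs))
    print("strict:", alert(evs, threshold=5, window_seconds=60))
    print("loose: ", alert(evs, threshold=2, window_seconds=2 * 3600))
```

With the strict setting only the burst of five failures in six seconds from 10.0.0.5 fires; with the loose setting bob's two failures 75 minutes apart also fire, which is exactly the kind of alert an analyst would have to triage as a probable false positive.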
Detection: Process
Enterprise
End users
“My computer behaves in a strange way.”
Human resources
“We fired this guy and we suspect he might try to damage the company.”
Administrators
“This is not how my domain controller is supposed to respond.”
3rd parties (Clients, law enforcement, public)
Security team
Eyes on the glass
“How many analysts do I assign to security monitoring?”
Threat hunting
“I always assume compromise. And in such a case, what evidence would give the attacker away?”
Investigation result
“This computer was not only infected by commodity malware! There is more!”
Analysis: Triage
Is it a security incident?
Analyst driven, never 100% certain
If it is an incident, is it also a breach?
Who initiates the incident response?
What to do in uncertainty?
This is a yes-or-no question
What can be automated should be automated as absolute priority.
Is it major?
Major or crisis management needed
Human well-being, company existence at risk
Wider, cross-functional IR team needed
Different rules, protocols – but also prepared
Potential links to Business Continuity
Major incidents are more sensitive to process management than to technical response.
Analysis: Preparation for response
Information gathering
Even negative information has value
Systems checked and artifacts gathered
Focus on actionable evidence
Narrowing scope is critical – the final judgement does not need to happen now
This feeds straight into incident response. Time is definitely a factor. The whole enterprise is waiting to crush you.
Audit trail
Timestamps and non-repudiation
Documentation for legal consequences
Knowledge management
Project/team management in case of scale explosion
If you are moving too fast to document your actions – you are moving too fast.
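An audit trail that gives timestamps and non-repudiation is easy to describe and easy to get wrong: a plain text file can be edited after the fact. The following is an added example, not from the presentation or from PwC, of an append-only action log where each entry records a UTC timestamp, the analyst, the action taken and the hash of the previous entry, and is authenticated with an HMAC under that analyst's own key. The class name, the analyst names, the keys and the hostnames are all constructed for the illustration; a production deployment would use per-analyst signing keys held in an HSM or similar, which is assumed rather than shown here.

```python
"""Hash-chained, per-analyst authenticated IR action log (added illustration).

Altering, reordering or dropping an entry breaks either the hash chain or
the entry's HMAC tag, and verify() reports the first entry that fails.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


class AuditTrail:
    GENESIS = "0" * 64   # "previous hash" of the very first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _canon(body):
        # Canonical encoding so both writer and verifier hash identical bytes.
        return json.dumps(body, sort_keys=True).encode()

    def append(self, analyst, key, action, ts=None):
        """Record an action. `key` is the analyst's secret (bytes)."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"ts": (ts or datetime.now(timezone.utc)).isoformat(),
                "analyst": analyst, "action": action, "prev": prev}
        body["tag"] = hmac.new(key, self._canon(body), hashlib.sha256).hexdigest()
        body["hash"] = hashlib.sha256(self._canon(body)).hexdigest()
        self.entries.append(body)
        return body["hash"]

    def verify(self, keys):
        """Re-walk the chain. `keys` maps analyst -> key.
        Returns (True, -1) if intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                return False, i          # chain broken: entry removed or reordered
            body = {k: e[k] for k in ("ts", "analyst", "action", "prev")}
            key = keys.get(e["analyst"])
            if key is None:
                return False, i          # unknown analyst: cannot attribute the entry
            expected = hmac.new(key, self._canon(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(e["tag"], expected):
                return False, i          # content edited or tag forged
            body["tag"] = e["tag"]
            if hashlib.sha256(self._canon(body)).hexdigest() != e["hash"]:
                return False, i          # hash field tampered
            prev = e["hash"]
        return True, -1


def build_sample_trail():
    """Constructed sample: two analysts, three actions, fixed timestamps."""
    keys = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}
    t0 = datetime(2017, 4, 18, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.append("alice", keys["alice"], "triaged alert #1234 as incident", t0)
    trail.append("bob", keys["bob"], "isolated host ws-042 from network", t0.replace(minute=5))
    trail.append("alice", keys["alice"], "collected memory image of ws-042", t0.replace(minute=20))
    return trail, keys


if __name__ == "__main__":
    trail, keys = build_sample_trail()
    print("intact:", trail.verify(keys))
    trail.entries[1]["action"] = "isolated host ws-042 from network (edited)"
    print("after edit:", trail.verify(keys))
```

The verifier needs every analyst's key, which is the non-repudiation property: nobody but bob can produce a valid tag on an entry attributed to bob. Removing an entry from the middle is detected because the next entry's `prev` no longer matches.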
Containment: Stop the bleeding!
Stopping the attack
Primary objective is to stop further damage
Isolation & service reduction
Time is the critical factor
Involve business stakeholders
Follow the procedures
During containment phase, the primary imperative is to stop the attack from getting worse …
Intelligence gathering
Preserve the chain of custody
Watch & learn
Look for additional compromise
Know your enemy
Take notes
… however, you also want to learn as much as you can without alerting the attacker or giving him what he wants
Containment: Deeper dive
Disconnect the network!
Not always best idea, not always applicable
Is the incident insider? APT? External breach? Malware outbreak? Phishing campaign?
Prepared scenarios to the rescue
Isolate the incident in its domain (physical, network, human resources)
Factor in the time & scale
Focus on breach escalation prevention
Initial containment varies from shutting down systems to doing nothing
Major incidents
Communication plan
Governance of the IR team
Regular updates & reassessments
Project plan to remediate
Don’t expect this will be over soon
Scale and complexity are your enemies
In major incident scenario, you are most likely already in damage control mode
Eradication
Remove all artifacts
Clean the compromised assets
Remove all entry points
Restore clean data from backups
Patch the vulnerabilities
Close the attacker’s way in
This is the latest stage when the attacker learns you are after him. In military terms, you are “operating in contested environment”.
Project management
To know what to do is not that important
To carry out the plan is
Multiple team coordination
Shared responsibilities
Timelines & change windows
In enterprise environment, the project manager can make or break the outcome. Cooperation & execution is key.
Recovery
Back to production
Business wants to get back operational ASAP
The incident needs to be declared over
All compromised assets are clean
Partial recovery for large scale incidents
It is a business decision to get back online. Make sure this decision is informed!
Continuous monitoring
Attackers do not give up easily
Be prepared for counter-attacks
Set up temporary, more sensitive alerting
Go back to analysis if needed
The attacker spent resources to get in. They will try to reclaim what they once had.
Did you really eradicate every artifact?
Post-Incident Activity: Immediate & short term
Harden the environment
Cooperate with IT
Follow the change management
Use the knowledge you gained
Plug all the holes
Every incident is an opportunity to improve
Improve your detection systems!
It is no shame to fall victim to an attack. It IS a shame to fall victim to the same attack repeatedly.
Metrics & KPIs
How do you measure success?
Is the number of incidents a good metric?
What is not measured does not exist
Metrics & KPIs are a double-edged sword
Useful vs. useless metrics
Long term, well established KPI monitoring will improve your security posture
Good metrics can motivate the team and give you access to the resources needed. Bad ones will put you into an uphill battle.
Post-Incident Activity: Knowledge management
Lessons learned
Debriefing after an incident
All parties involved
Review procedures & templates
Plan for changes for the future
Blame is lame
The objective of post-incident activity is to improve for the future, not to find scapegoat.
Active defense
Profile the attackers
Profile your organization
Assume compromise
Hunt for the adversaries
Set up traps for the future
Every incident is a lesson – the result is your threat intelligence
Enterprise Maturity: Don’t try to run if you can’t walk
COBIT maturity levels
Level 1 – Initial
Level 2 – Repeatable
Level 3 – Defined
Level 4 – Managed
Level 5 – Optimized
Be honest with yourself. Work up through the stack, one step at a time. Do not go for shortcuts. It does not work.
Expectation management
New buzzword every year
Applicability to your organization
Effect of diminishing returns
Build on solid foundation
Going step by step is cost effective
Do not set up an incident response team if you don’t know your own infrastructure. Do not buy threat intelligence if you cannot consume it.
Future Challenges: I got it! What’s next?
Hunting
Assume compromise
Set up your hunter team
Let them loose
Special mindset is required.
Clear boundaries need to be set!
Threat intelligence
Know your enemy
Share the information
Profile your organization
Automate & automate
It is not the threat intel, but how you apply it.
Build your own threat intelligence!
Active defense
Sinkholing & tarpitting
Active reconfiguration
Profile the attackers
Dynamic environment
Focus on your own environment.
Be sure to stay on the legal side!
Summary: Thank you!
Questions & answers
Ask your questions now…
… or reach out to me after
Thank you all!
Contacts
NIST Security (look for 800-61)
csrc.nist.gov
This presentation
https://www.slideshare.net/zapp0/enterprise-incident-response-2017