Wp 10 Common Mistakes Incident Responders

7/31/2019 Wp 10 Common Mistakes Incident Responders

1/8

White Paper

Emergency Incident Response: 10 CommonMistakes o Incident Responders

By Michael G. SpohnPrincipal Consultant

McA ee Foundstone Pro essional Services

Incident Response and Forensic Practice


2/8

Emergency Incident Response: 10 Common Mistakes of Incident Responders2

Table o ContentsIntroduction 3

Engagement Scenario 3

The Top 10 Mistakes 4

1: Nobody is in charge 4

2: Failure to establish a command center 4

3: Failure to fnd and know the enemy 4

4: Failure to create a containment plan 55: Failure to document 5

6: Failure to create an incident timeline 5

7: Con using containment with remediation 5

8: Failure to monitor and secure network perimeters 6

9: Inadequate logging 6

10: Orphaned enterprise antivirus systems 7

Summary 7

About The Author 7

About Foundstone Pro essional Services 7


3/8

3Emergency Incident Response: 10 Common Mistakes of Incident Responders

IntroductionAs a senior investigator on the McA ee Foundstone incident response and orensic team, I have handledmy share o incidents. In the last ew years I have been on site at more than 100 organizations helpingthem deal with serious security breaches. These engagements range rom common malware in estations,

employee misconduct incidents, and even high-profle breaches by groups such as Anonymous andLulzSec. Most o these incidents involve partial or total business disruption, the the t o intellectualproperty, trade secrets, fnancial in ormation, and/or sensitive personal in ormation.

In every one o these engagements, I have learned something I did not know be ore. This is what makessecurity breach investigations so exciting or me. Over time, I began to recognize patterns o behavior oincident response teams I worked with and, in almost all cases, these incident responders were incapableo dealing with the threats they were acing in an e fcient and repeatable manner. O course. I thiswere not the case, why would they need a company like McA ee Foundstone to respond?

In this brie white paper, I summarize the top 10 incident response mistakes I see in the feld. My purposehere it to highlight these issues so you can review your incident response practices and determine whetheryou su er rom these shortcomings.

Engagement ScenarioIn a typical McA ee Foundstone engagement, a client will call us and request immediate assistance inhelping contain a security breach, and, in almost all cases, we have an investigator on the customer sitewithin 24 hours.

When it comes to success ul incident response practices, I have ound the ollowing to be consistently true: The size o the organization is not relevant. In larger organizations it may take longer to contain an

incident, but the process is the same. The industry is not relevant. The specifcs o handling a security breach are not dependent on what the

client does. Sure, there are privacy and regulatory issues specifc to certain industries, but we handle allincidents according to the strictest standards. So should you.

The crisis management skills o a client vary. For example, ederal government agencies generally havemore mature crisis-handling capabilities than a mid-sized law frm. Even so, I have ound the di erenceis not relevant enough to make a big di erence.

The technical skills o a client vary. This does make a di erence. Clients that have a high level o technicalskills, particularly in the area o network management, are generally more success ul in e fcient contain-ment o security incidents.

All organizations exhibit a consistent pattern o behavior under stress

The point o this list to convince you that a mature and disciplined approach to incident response willwork in your organization.


4/8

4 Emergency Incident Response: 10 Common Mistakes of Incident Responders

The Top 10 Mistakes

1: Nobody is in chargeI cannot emphasize how important it is to have one person assigned to manage an incident responseundertaking. Over the last decade, organizations have moved to more decentralized managementstructures. Lines o authority are so t. Geographic boundaries have disappeared.

The person assigned as incident manager has the ultimate responsibility or containment o an incident. Isometimes am asked to serve in this role, but I pre er that role to be flled by an insider. A senior manageror director is usually the best choice. C-level executives rarely serve in this role. Whoever is assigned thisrole does not have to have advanced technical skills. Communication, organization, and delegations skillsare more important.

2: Failure to establish a command centerIt is quite common or organizations to try to manage serious incidents using con erence calls, mobilephones, and email. Trust methis does not work. It is critically important that a single con erence roomor o fce be established as a command center.

The chosen location should be large enough to handle a dozen people, have large whiteboards or post-it-note easels, a con erence/speaker phone, and be securable. Access to the command center should belimited to those individuals responsible or managing the incident. The command center will serve as acentral hub or all communications, containment planning, task delegation, and status updates.

3: Failure to fnd and know the enemyI you ask our clients what they value most rom our emergency incident response services, they willusually say: crisis management skills and threat management. Threat management is a skill that requiresthe ability to fnd a threat source and understand its modus operandi (MO). We call it know the enemy.This e ort is not particularly di fcult, but most clients are not very good at it.

The enemy varies depending on the incident type. The important thing is to identi y the threat andclearly understand how it operates. For example, in a serious malware outbreak, our process or fndingand knowing the enemy consists o the ollowing steps:

Identi y the attack vector Per orm live orensic analysis Isolate hosts and obtain samples Profle the malware and understand how it communicates Submit malware samples to the antivirus vendor Leverage enterprise the antivirus tools

Trust meyou cannot create an e ective incident containment strategy unless you understand your enemy.


5/8


4: Failure to create a containment planWhen I arrive on site at a hot incident, I am always intrigued by the elevated level o chaos. Mostorganizations do not have an established and documented crisis management plan in place. So, wehave to do it or them. Usually within the frst our hours o battling a security breach, I produce a

concise (one- to two-page) incident containment strategy document. This containment plan is a criticalcomponent o the McA ee Foundstone incident response methodology. We always create one.

In short, the methodology consists o the ollowing steps: Determine the attack vector and scope o incident Know the enemyidenti y their tools and tactics Collaboratively design a containment strategy and document it Create a task list based on containment plan Delegate and monitor tasks until containment is achieved

5: Failure to documentI admit it. I am an old-timer rom the old school that still uses investigative notebooks. Things have changed.Young people today have never known a world without electronics. The use o text messaging and email has

changed the meaning o documentation. This has caused many incident responders to orget the importanceo good documentation.

You cannot rely on your help desk ticketing system to document your incident. We encourage all respondersto keep a notebook with them at all time and document their actions. All events and delegated tasks shouldbe documented and kept in a centralized and secure location.

6: Failure to create an incident timelineIn my view, the creation o an incident timeline is one o the most important tasks when battling anincident. Essentially, this means you must document events and sort them by date/time rom oldest tonewest. Your list does not have to be ancyjust complete and accurate.

A detailed incident timeline provides you an investigative compass to direct your containment strategy.It also adds clarity to complex investigations and helps you ocus on the big picture. Finally, it creates a

terrifc briefng tool or senior leaders.

7: Con using containment with remediationA very common incident response mistake organizations make is to con use containment with remedia-tion. To be e ective, you must ocus on containment frst and deal with remediation e orts later. Why?Containment ocuses on stopping a threat, whereas remediation ocuses on fxing vulnerabilities. Thinko an emergency incident response as a building fre. You want to spend all your initial e orts on dousingthe fre. Repairing the roo comes later.

Emergency incident response is a containment process. It is critically important that everyone on yourincident response team understands the importance o containment frst. Any task that is not critical toyour containment e orts should be set aside or later.


6/8

Emergency Incident Response: 10 Common Mistakes of Incident Responders6

8: Failure to monitor and secure network perimetersIt amazes me how many organizations have still not implemented network monitoring technology.Without the ability to know what kind o tra fc is moving across your networks, you are powerless tode end against network-based threats. I cannot emphasize enough the importance o securing your

network perimeters and monitoring outbound network tra fc.Why outbound tra fc? Because your enemy must transport your sensitive data rom your network to theirs.During an incident involving a security breach, we always ocus on securing the network perimeter andthen working inward. Securing the perimeter will handcu the enemys ability to communicate. Once thisis done, you can then work inward rom the perimeter fnding and destroying their tools.

9: Inadequate loggingPlain and simple, the vast majority o organizations we deal with do not have adequate logging mechanismsin place. For a reason that escapes me, the resistance to e ective logging is still alive and well. We mustchange this mindset. Logs are the most e ective source o evidence in most incidents. The most valuablelogs in my experience are network perimeter logs.

E ective incident response teams must have quick access to log fles including but not limited to: Syslogs or other centralized logs Firewall logs, IDS/IPS Web proxy logs Microso t Windows event logs VPN logs DHCP logs DNS logs Microso t Active Directory (AD) logs Enterprise AD logs


7/8


10: Orphaned enterprise antivirus systemsThis mistake may surprise you. There is a strong eeling in the security community that modern enterpriseantivirus systems are no longer e ective against todays sophisticated and polymorphic threats. I concedewe are losing the battle on this rontbut your enterprise antivirus system is still a key component o

your de ense arsenal. In act, in most malware or APT incidents I have handled in the last our years, anenterprise antivirus system was used to counter the threat.

Organizations get in trouble when they ail to leverage their antivirus tools. Common mistakes in thisarea include:

Failure to monitor and/or en orce antivirus compliance Outdated agents Outdated signature fles (.DATs) Failure to provide daily oversight o antivirus systems Failure to created automated event alerts Failure to monitor antivirus vendor alerts

SummaryThere you have it. The top 10 most common mistakes I see incident responders make. As you can see,none o these mistakes are di fcult to correct. In act, your organization can use this list as a gauge othe e ectiveness o your current incident response practices. At McA ee Foundstone, we are passionateabout security. We strive to help organizations increase their security posture. This is best accomplishedby proactive e orts. We encourage you to spend time ensuring your incident response plans are currentand e ective.

About the AuthorMichael Spohn is a principal security consultant at McA ee Foundstone, where he provides incident response(IR) and digital orensic services to clients. His duties include creating IR management programs, analyzing andtesting existing IR plans, conducting orensic investigations, and providing IR and orensic training. He is also amember o the McA ee Foundstone Emergency IR Team, which provides emergency services to clients when

an elevated security breach occurs.

About McA ee Foundstone Pro essional ServicesMcA ee Foundstone Pro essional Services o ers expert services and education to help organizationscontinuously and measurably protect their most important assets rom the most critical threats. Througha strategic approach to security, McA ee Foundstone identifes and implements the right balance otechnology, people, and process to manage digital risk and leverage security investments more e ectively.The companys pro essional services team consists o recognized security experts and authors with broadsecurity experience with multinational corporations, the public sector, and the US military.


8/8

2821 Mission College BoulevardSanta Clara, CA 95054888 847 8766www.mca ee.com

McA ee, the McA ee logo, and McA ee Foundstone are registered trademarks or trademarks o McA ee, Inc. or its subsidiaries in theUnited States and other countries. Other marks and brands may be claimed as the property o others. The product plans, specifcations anddescriptions herein are provided or in ormation only and subject to change without notice, and are provided without warranty o any kind,express or implied. Copyright 2012 McA ee, Inc.40703wp_incident-response_0612_ nl_ASD

Wp 10 Common Mistakes Incident Responders

Documents

Transcript of Wp 10 Common Mistakes Incident Responders