Detect and Respond… Steps to preparing and responding to a breach
Jeff Lockwood, CISSP
Purpose & Agenda
• Educate on what we have today
– "Tools for Fools": all the monitoring capabilities we would want
– Skilled security resources
– Board-level awareness of data breaches
• We are still in a struggle
• Goal: identify some steps and tools to assist in implementing incident response
Some statistics
Verizon Data Breach Investigations Report:
– 79,790 security incidents
– 2,122 data breaches
205: average number of days attackers had access to victims' environments before they were discovered
31%: targeted companies that discovered the threat internally
69% of victims learn from a third party that they are compromised
What about this year
• 1.1 million records
• 80 million records
• 850,000 records
• 1 million emails
• 25 million records
• Proprietary data exposed
What are they after
Hacker pricing for stolen credentials (Dell SecureWorks Counter Threat Unit)
• "Kitz": verified health insurance, SSN, bank account info/logins (account and routing numbers, account type), driver's license, full name, address, phone, etc., plus counterfeit physical documents and hardware matching the identity data in the package (e.g. credit cards, driver's license, insurance cards). Priced at $1,200 to $1,300 per Kitz; add $100 to $500 for rush orders and miscellaneous fees such as wire transfer and escrow.
• "Fullz": if these records also include health insurance credentials for a US victim, they were negotiated for about $500 each, depending on what was included: full names, addresses, phone numbers, e-mail addresses (with passwords), dates of birth, SSN or EIN, and one or more of: bank account information (account and routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track 2 data and any associated PINs).
• Health insurance credentials: $20 each. They include names (more than one for spouse and family coverage), date(s) of birth, contract number, group number, type of plan (individual/group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims. Note: when a dental, vision, or chiropractic plan is associated with the health plan, each of those was an additional $20.
What are they after
Fees for additional stolen credentials
• US credit card with CVV code: $1 – $2
• Non-US credit card with CVV: $2 – $10
• Credit card with full track 2 and PIN: $5 – $50
• Prestige credit cards (Platinum, Diamond, Black) with verified available balance: $20 – $400*
• Online bank account, < $10K: $250 – $1,000*
• Compromised computer: $1 – $100
• PayPal, verified balance: $20 – $200*
• Game accounts (Steam, Minecraft, WoW, PSN, Xbox Live/Microsoft): $5 – $1,000**
• Skype account (premium): $1 – $10
* Some hackers' prices are based on 4% – 12% of the verified current balance
** Rare items are often "parted out" or fenced separately
What do we do
– Detailed, step-by-step incident response plan
– Analysis of insurance policies to determine coverage
– Legal counsel and key service providers "on speed dial"
– Government affairs / communications with regulators
– Readiness exercises that simulate an actual attack
– Business continuity planning
– Security audits of key vendors
– Litigation and regulatory preparedness
Mounting an Effective Response
– Policy and procedures
– Communication plan and logistics
– Visibility
– Threat intelligence
– Incident response
– Metrics
– Automation
Incident Response Process
Source: NIST SP 800-61
Preparation
• What do we do based upon the various types of incidents? (A BIA helps. Start with a policy.)
• When is the incident management team called?
• How can governmental agencies or law enforcement help?
• When do we involve law enforcement?
• What resources do we need to handle an incident?
• What shall we do to prevent or discourage incidents from occurring?
• Where, on-site and off-site, shall we keep the IRP?
Detection & Analysis
The organization must have sufficient detection and monitoring capabilities to detect incidents in a timely manner.
Proactive detection includes:
• Network Intrusion Detection/Prevention System (NIDS/NIPS)
• Host Intrusion Detection/Prevention System (HIDS/HIPS)
• Antivirus, endpoint security suite
• Security Information and Event Management (logs)
• Vulnerability/audit testing
• System baselines, sniffer
• Centralized incident management system
– Input: server and system logs
– Coordinates and correlates logs from many systems
– Tracks the status of incidents to closure; get to the root cause
Reactive detection: reports of unusual or suspicious activity
Logs to Collect & Monitor
Security configuration:
– Changes to security configuration
– Changes to network device configuration
– Changes in privileges
– Changes to files: system code/data
Authentication failures:
– Unauthorized accesses
– New users
– Lockouts and expired-password accounts
Network irregularity:
– Unusual packets
– Blocked packets
– Transfer of sensitive data
– Outgoing IP address
Log issues:
– Deleted logs
– Overflowing log files
– Cleared/changed log configuration
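The categories above are only useful once something actually reads the collected logs and flags the events in them. As an added example (not code from the presentation), the Python script below runs a handful of constructed syslog-style lines (sshd, useradd, sudo, pam_tally2; every line is made up) against simple rules for the slide's categories, and then does the "correlate logs" step the centralized incident management system is supposed to do: repeated authentication failures from one source followed by a successful login from that same source become an unauthorized-access alert. The regular expressions, the five-failure threshold and the sample lines are assumptions for illustration, not rules from the talk.

```python
"""Triage constructed log lines into the 'Logs to Collect & Monitor' categories.

Added example; the sample log, the regexes and the threshold are assumptions
made for illustration and are not part of the presentation.
"""
import re
from collections import Counter

# Constructed sample lines (Linux auth.log style). Not real data.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:03 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 09:12:04 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:12:05 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar  3 09:12:06 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar  3 09:12:09 web01 sshd[2101]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
Mar  3 09:13:40 web01 useradd[2150]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup
Mar  3 09:13:55 web01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc_backup
Mar  3 09:14:10 web01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log.1
Mar  3 09:14:12 web01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/iptables -F
Mar  3 09:20:00 web01 pam_tally2[2200]: user alice (1002) tally 6, deny 5 - account locked
Mar  3 09:21:00 web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# One rule per slide category we can recognise in these formats. A line may
# match more than one rule; every match is recorded.
RULES = [
    ("Authentication failure",
     re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("Successful login",
     re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("New user",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
    ("Privilege change",
     re.compile(r"COMMAND=\S*(usermod|gpasswd|visudo)\b")),
    ("Log issue",
     re.compile(r"COMMAND=\S*(rm|truncate|shred)\b.*/var/log/")),
    ("Security config change",
     re.compile(r"COMMAND=\S*(iptables|nft|ufw|setenforce)\b")),
    ("Lockout",
     re.compile(r"user (?P<user>\S+) .*account locked")),
]


def triage(log_text: str, fail_threshold: int = 5) -> dict:
    """Categorise each line and correlate failures with a later success per source IP.

    Returns {"events": [...], "alerts": [...], "counts": Counter}.
    """
    events, alerts = [], []
    fails_by_ip = Counter()
    for n, line in enumerate(log_text.splitlines(), 1):
        for category, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            detail = m.groupdict()
            events.append({"line": n, "category": category, **detail})
            if category == "Authentication failure":
                fails_by_ip[detail["ip"]] += 1
            elif category == "Successful login":
                # Correlation step: success from a source that just failed repeatedly.
                fails = fails_by_ip[detail["ip"]]
                if fails >= fail_threshold:
                    alerts.append(
                        f"line {n}: unauthorized access? '{detail['user']}' logged in from "
                        f"{detail['ip']} after {fails} failures (possible brute force)")
    counts = Counter(e["category"] for e in events)
    return {"events": events, "alerts": alerts, "counts": counts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, n in sorted(result["counts"].items()):
        print(f"{category:24s} {n}")
    for a in result["alerts"]:
        print("ALERT", a)
```

The point of the per-IP counter is that none of the individual lines is alarming on its own (a failed password, an accepted password, a sudo command), while the sequence is; this is the "know what is real and what is not" problem from the common-mistakes slide, and it is why raw log volume without correlation does not equal visibility.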
Containment, Eradication & Recovery
• Activate the incident response team to contain the threat
– IT/security, public relations, management, business
• Isolate the problem
– Disable server or network zone communication
– Disable user access
– Change firewall configurations to halt the connection
• Obtain and preserve evidence (chain of custody)
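"Preserve evidence with a chain of custody" means two concrete things: prove the artifact has not changed since it was collected, and prove the custody record itself has not been edited. As an added example (not from the talk), the Python below hashes an evidence file, appends hash-chained custody entries (each entry's hash covers the previous entry's hash), and verifies both the artifact and the log later. The file name, the actor names and the evidence bytes are constructed for the demonstration.

```python
"""Evidence hashing and a hash-chained custody log.

Added example, not from the presentation. The evidence file, actor names and
bytes are constructed inside demo(); nothing here is a real artifact.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the first custody entry


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large images are hashed without loading them."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_custody(log: list, path: str, actor: str, action: str) -> dict:
    """Append a custody entry. Its hash covers the previous entry's hash, so any
    later edit or deletion inside the log breaks the chain."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence": os.path.basename(path),
        "evidence_sha256": sha256_file(path),
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_custody(log: list, path: str) -> list:
    """Return a list of problems (empty means the evidence and the log both check out)."""
    problems = []
    prev = GENESIS
    current = sha256_file(path)
    for i, e in enumerate(log):
        if e["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if _entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {i}: entry altered")
        if e["evidence_sha256"] != current:
            problems.append(f"entry {i}: evidence hash mismatch")
        prev = e["entry_hash"]
    return problems


def demo() -> tuple:
    """Acquire, hand over, then tamper with the file and with the log. Returns the
    three verification results (clean, after file tamper, after log tamper)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "web01-memory.img")  # constructed evidence file
        with open(path, "wb") as f:
            f.write(b"constructed evidence bytes\n")
        log = []
        record_custody(log, path, "analyst1", "acquired memory image from web01")
        record_custody(log, path, "analyst1", "transferred image to evidence locker")
        clean = verify_custody(log, path)

        with open(path, "ab") as f:        # someone appends a byte to the image
            f.write(b"x")
        after_file_tamper = verify_custody(log, path)

        log[0]["actor"] = "someone else"   # someone rewrites who collected it
        after_log_tamper = verify_custody(log, path)
        return clean, after_file_tamper, after_log_tamper


if __name__ == "__main__":
    for label, problems in zip(("clean", "file tampered", "log tampered"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

In practice the custody log would be written to storage the responders cannot silently edit (append-only, or signed), and the evidence hash would be recorded on the collection form at acquisition time; the chaining here is what lets a third party check the record later without trusting whoever holds it.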
Containment - Response
Technical
• Collect data
• Analyze log files
• Obtain further technical assistance
• Deploy patches and workarounds
Managerial
• Business impacts result in management intervention, notification, escalation, approval
Legal
• Issues related to: investigation, prosecution, liability, privacy, laws and regulation, nondisclosure
Eradication
• Determine how the attack occurred: who, when, how, and why?
• What is the impact and threat? What damage occurred?
• Remove the root cause: the initial vulnerability (or vulnerabilities)
• Rebuild the system
• Talk to the ISP to get more information
• Perform vulnerability analysis
• Improve defenses with enhanced protection techniques
• Discuss recovery with management, who must make the decisions on handling that affects other areas of the business
Analysis
• What happened?
• Who was involved?
• What was the reason for the attack?
• Where did the attack originate from?
• When did the initial attack occur?
• How did it happen?
• What vulnerability enabled the attack?
Remove the root cause
• If admin or root was compromised, rebuild the system
• Implement recent patches and recent antivirus
• Fortify defenses with enhanced security controls
• Change all passwords
• Retest with vulnerability analysis tools
Recovery
• Restore operations to normal
• Ensure that the restore is fully tested and operational
Common Mistakes
• Incident response plan treated as a checklist item (it needs to be tailored)
• Plans are not tested
• No authority for the incident response team: needs senior leadership ownership and buy-in
• Insufficient logging, and too much logging: know what is real and what is not
• Improperly trained incident response team: do a skills gap analysis
• Lack of documentation
– Before/during/after
• Getting containment confused with remediation
– MTTI (mean time to identify) vs. MTTR (mean time to remediate)
• No one is really in charge
• NO AUTOMATION!
Questions