Story Board IR Methodology
Deter, Detect, Defend & Respond
May 18, 2017
Gregg Braunton, National Director, CISSP, C|HFI, C|EH, GCFA, CSFE, GSEC, MCP, (G2B2)
Threat Management & Incident Response, Catholic Health Initiatives
Story Board IR Methodology (JUNE 2017)
CHI “About Us”
CHI Organizational Profile:
• 17 states
• 104 hospitals, 4 academic health centers and major teaching hospitals as well as 30 critical-access facilities
• 100,000+ employees
• 2,500+ clinics; community health-services organizations; home-health agencies; living communities; and other facilities and services that span the inpatient and outpatient continuum of care
Agenda
The Context – The critical need for a functional IR framework
Why Storyboarding? – linear vs visual
Case Study – Physicians Wireless Incident
Work Products – reporting, data points, and building the investigative file
Q & A
*Case Study – (Side Bar Bonus Material) WannaCry Global Ransomware Response
Cyber Incident HITS your company HARD!
12 Servers, 2 Dozen PCs, Across 3 Data Centers
SOC Extra Staffing : $25,000
3rd party IR Team Parachute In : $250,000
Host, DB, Mobile, Data Network Forensics : $750,000
Media Management & Consultants : $250,000
Customer Notification : $50,000
Customer Info/Triage Helpdesk : $50,000
Cyber Insurance Deductible: $1,500,000
FREE IR Response Framework
PRICELESS
To Orchestrate, Investigate, Document & Report on the Incident...
Context – an IR framework helps to be “Compromise ready”
(Figures from the 2017 BakerHostetler Data Security Incident Response Report)
Story Board IR – Supporting the CSIRT Framework
The Context – The MOST IMPORTANT IR Component
DOCUMENTING and RETELLING the STORY
Phases: Initial Event, Triage, Analysis, Containment, Eradication, Recovery, Root Cause, Report, Metrics
The Context – IR framework key functional components
(1) A Charter – IR imperatives, Authority, Organization/Staffing, Roles and Responsibilities
(2) CSIRT Framework – People, Process, Technology
(3) Investigative File
Why Storyboarding – You’ll need an accurate story
Storyboarding – Tools Needed – KISS principle
• WebEx/Screen Share and conference line
• OneNote
• Visio
Why Storyboarding – Synergy, Speed, Accuracy
4 components, 3 tools of story boarding
(1) (Visio) Incident diagram – Establishing a common frame of reference using visualizations
• Relatable objects
• Live view, Live feedback
(2) (WebEx & Conference Line) Interactive IR – fusion and synergy
a) Visually Interactive IR: Map out the problem set
b) Visually Interactive IR: Walk the “problem set” visually, annotating remediation action items (RAIs)
c) Synergy, Speed, Accuracy, (ALL TEAMS) Representation
(3) (OneNote) Combined, structured workflow and notes, investigative file and report work product
(4) (Visio) Incident Timeline – visual histogram
Why Storyboarding – Synergy, Speed, Accuracy
“Humans are not ideally set up to understand logic; they are ideally set up to understand stories.” —Roger Schank
... a person’s brain is hardwired to recognize and make sense of visual information more efficiently, which is useful considering that 90 percent of all information that comes to the brain is visual.
Why Storyboarding – Visual vs Text – 3 second TEST
Why Storyboarding – Synergy, Speed, Accuracy
If you consider body language, traffic signs, maps, facial cues, advertisements, and the plethora of other forms of visual communication a person experiences every day, it’s not hard to see why our brains might have adapted to discern visual concepts more easily. For example, 40 percent of nerve fibers to the brain are connected to the retina.
Visuals have been found to improve LEARNING by up to 400 percent.
Why Storyboarding – Synergy, Speed, Accuracy
Modern applications are already successfully experimenting with this information, with many mobile apps focusing on images, from Instagram and Snapchat to Pinterest and Vine. And it doesn’t seem to be a passing trend: Engagement per follower is 58 times higher on Instagram than on Facebook.
“Gone is the age of left brain dominance, the future belongs to storytellers.”—Daniel Pink
Proving visualizations work – a brief exercise
Traditional IR – Linear
vs
Storyboard IR - Visual
Proving visualizations work – text vs imagery
Traditional IR – mapping a web ecosystem
Main Portal hub: NEOCASE (Neocase), Employee Portal, “Web Portal Front End” https://chiep.neocaselive.com :: local repository of policies :: Live Chat / Case Mgmnt
Portal pivots to other HR-related sites:
• LEARN/HEALTHSTREAM (HealthStream) INTERNAL http://www.xxyylearn.com
• MYHEATHLYSPIRIT (CHI Home Grown) INTERNAL http://home.xxyy.net
• WORKDAY (Workday) https://wd5.xxyy.com/ :: HR data; self and team :: Manager Zone
• FIDELITY (FIDELITY) https://abcd.xxyy.com :: 401K/403B/457 investment plan
• KRONOS (KRONOS) INTERNAL https://kronosnavigator.xxyy.net :: time and attendance
• HEALTHEQUITY (Health Equity) https://www.xxyy.com :: personal health care spending account :: medical claim payment portal
Storyboard IR – mapping a web ecosystem
Diagram: PORTAL (INSIDE CHI :: Links to HR/Payroll Connect) with pivots to:
• WORKDAY (Workday) https://wd5.xxyy.com/ :: HR data; self and team :: Manager Zone
• Taleo https://chi2.xxyy.net/ :: job postings
• NEOCASE (Neocase) Employee Portal – Web Portal Front End https://chiep.neocaselive.com :: local repository of policies :: Live Chat / Case Mgmnt
• LEAVEPRO (Reed Group) https://chi.xxyy.com :: leave of absence
• HEALTHEQUITY (Health Equity) https://www.xxyy.com :: personal health care spending account :: medical claim payment portal
• FIDELITY (FIDELITY) https://abcd.xxyy.com :: 401K/403B/457 investment plan
• MYHEATHLYSPIRIT (CHI Home Grown) INTERNAL http://home.xxyy.net
• https://chituition.tap.xxyy.com :: tuition reimbursement
• TALX (Equifax) https://secure.theworknumber.xxyy.com
• AON HEWITT https://lb32.resources.xxyy.com
• LEARN/HEALTHSTREAM (HealthStream) INTERNAL http://www.xxyylearn.com
• KRONOS (KRONOS) INTERNAL https://kronosnavigator.xxyy.net :: time and attendance
• CLARITY INTERNAL https://epmo.chi.xxyy.net :: project management time tracking
• CHI FTP Pivot Server Xx.xx.xx.xx
Linear vs Visual (two diagram slides)
The Context
Everyone Needs a Functional & Synergistic IR Framework
(1) Collaboration Space – common view
• Technical synergy – Webex, Phone, Recording
• IR Handlers (Always 2 deep) synergy – OneNote
(2) Consistent Data Points and Artifacts
• Start/Stop time
• Executive Summaries
• At-the-time-of-incident risk and Residual risk
• RAIs – Remediation/Response/Recovery Action Items
• Time/Effort/Cost
(3) Investigative File (work product)
• The Story, visuals, diagrams, timelines (might need 2, 12, 24 months later)
• OneNote
Case Study – physician wireless
Traditional IR
• Conference Call
• Individual notes
(Confusion, Different Stories)
vs
Storyboard IR
• Visual
• Conference Call
• Live Visual, Interactive Diagramming
• Shared OneNote notes
(Order, Synergistic Story)
Traditional IR – initial IOC context
Initial IOC: CTI reports NATed address 66.76.4.188 hitting known sinkholes
Story Board IR – initial IOC context
Diagram: NATed outbound address 66.76.4.188 → MS sinkholes
• spynet2.microsoft.com
• spynetalt.microsoft.com
Traditional IR – infected machine context
Initial IOC: CTI reports NATed address 66.76.4.188 hitting sinkholes
Source system: physician laptop 10.30.30.33 on the physician wireless using NATed address; FW logs show mapping to reported sinkhole
Story Board IR – infected machine context
Diagram: physician wireless hosts behind NATed outbound 66.76.4.188
• 10.30.30.10 – Host: BYOD10
• 10.30.30.33 – Host: BYOD33
• 10.30.30.15 – Host: BYOD15
• Egress controls: URL Filtering, SIEM Logging, DLP
• MS Blackholes: spynet2.microsoft.com, spynetalt.microsoft.com
Traditional IR – infected host system/data connection context, what is at risk?
Initial IOC: CTI reports NATed address 66.76.4.188 hitting sinkholes
Source system: physician laptop 10.30.30.33 on the physician wireless using NATed address; FW logs show mapping to reported sinkhole
Connectivity and At Risk Systems: physicians use BYOD PCs on physician wireless, which provides access via router to the hospital bed management system. Doctors also connect to a private clinic using RDP to access PT records in the clinic EMR. ACLs on the router are not locked down, with ANY,ANY between the interfaces connecting physician wireless to the production network.
Story Board IR – infected host system/data connection context, what is at risk?
Diagram: physician wireless, production LAN and external connections
• Physician wireless hosts: 10.30.30.10 (BYOD10), 10.30.30.33 (BYOD33), 10.30.30.15 (BYOD15)
• NATed outbound 66.76.4.188 → MS Blackholes: spynet2.microsoft.com, spynetalt.microsoft.com
• Egress controls: URL Filtering, SIEM Logging, DLP
• Production LAN (Hospital) – 2 Way ACL/Static Route:
  10.30.30/23 permit TCP to host 10.1.1.107 port ANY
  10.1.1.107 permit TCP to 10.30.30/23 port ANY
• Bed Mgmnt System App – Host: BEDAPP01, 10.1.1.107, Win2000, IIS, .ASP site, AD authentication to App
• Docs Private Office – RDP into Clinic EMR – Small Business Server: DC, File/Print, IIS, DB, Sharepoint, Exchange
Story Board IR – flushing out sources of data/logs/artifacts/IOC threads
Initial IOC: CTI reports NATed address 66.76.4.188 hitting sinkholes
Source system: physician laptop 10.30.30.33 on the physician wireless using NATed address; FW logs show mapping to reported sinkhole
Connectivity and At Risk Systems: physicians use BYOD PCs on physician wireless, which provides access via router to the hospital bed management system. Docs also connect to a private clinic using RDP to access PT records in the clinic EMR.
Other Connectivity: bed management system on the internal LAN, locally connected to other production systems on the backbone via router and ACLs.
Other System Information: other systems on the network include a SIEM, AD controllers, and an MS Exchange server. There is a separate internal production egress point to the Internet protected by a FW with URL filtering, DLP and logging to the SIEM.
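The NAT pivot and at-risk-system check described in this case study, as an added example (not the deck's own tooling): it joins constructed URL-filter sinkhole hits to constructed NAT translation records on translated address:port to name the internal source host, then evaluates the router ACL from the diagram to list what that host can reach. The log format, timestamps and destination addresses are assumptions; the sinkhole names, the NATed address and the ACL rule come from the slides.

```python
import ipaddress
import re
# Sinkhole names and the NATed egress address come from the case-study slides.
SINKHOLES = {"spynet2.microsoft.com", "spynetalt.microsoft.com"}
# Constructed sample logs in an assumed key=value firewall format (not CHI's
# real logs); timestamps and destination addresses (RFC 5737 ranges) are made up.
NAT_LOG = """\
2017-05-10T08:01:12 NAT src=10.30.30.10 xlate=66.76.4.188:40001 dst=192.0.2.10:443
2017-05-10T08:02:40 NAT src=10.30.30.33 xlate=66.76.4.188:40017 dst=198.51.100.7:80
2017-05-10T08:02:41 NAT src=10.30.30.15 xlate=66.76.4.188:40018 dst=192.0.2.11:443
"""
URLFILTER_LOG = """\
2017-05-10T08:02:40 URL xlate=66.76.4.188:40017 host=spynet2.microsoft.com
2017-05-10T08:02:41 URL xlate=66.76.4.188:40018 host=example.org
"""
# The wireless-to-production rule from the slide's router diagram, with the
# prefix written out in full ("10.30.30/23" on the slide).
ACL = ["10.30.30.0/23 permit TCP to host 10.1.1.107 port ANY"]
KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Turn each 'timestamp TYPE k=v ...' line into a dict."""
    rows = []
    for line in log.splitlines():
        ts, kind, rest = line.split(" ", 2)
        rows.append({"ts": ts, "kind": kind, **dict(KV.findall(rest))})
    return rows

def sinkhole_sources(nat_log, url_log):
    """Map sinkhole hits back to internal hosts through the NAT table.
    The join key is translated address:port; with PAT every laptop shares
    66.76.4.188, so the public address alone cannot name the source."""
    xlate_to_src = {r["xlate"]: r["src"] for r in parse(nat_log)}
    return {xlate_to_src.get(r["xlate"], "unknown"): r["host"]
            for r in parse(url_log) if r["host"] in SINKHOLES}

def reachable(src_ip, acl):
    """Production hosts the ACL lets src_ip reach: the at-risk set."""
    targets = []
    for rule in acl:
        net, proto, dst, port = re.match(
            r"(\S+) permit (\w+) to host (\S+) port (\S+)", rule).groups()
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(net):
            targets.append((dst, proto, port))
    return targets

if __name__ == "__main__":
    for src, sink in sinkhole_sources(NAT_LOG, URLFILTER_LOG).items():
        print(f"{src} reached {sink}; can reach {reachable(src, ACL)}")
```

The join on address:port is the step the slides summarize as "FW logs show mapping to reported sinkhole"; without the port, all three BYOD laptops behind the NAT would be equally suspect.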
Story Board IR – flushing out sources of data/logs/artifacts/IOC threads
Diagram: sources of logs and DFIR artifacts across the environment
• St. Joseph Hospital, 3100 Main St, Solute, NC (clinic office in Darby, NC)
• Physician wireless hosts: 10.30.30.10 (BYOD10), 10.30.30.33 (BYOD33), 10.30.30.15 (BYOD15)
• NATed outbound 66.76.4.188 → MS Blackholes: spynet2.microsoft.com, spynetalt.microsoft.com
• Egress controls: URL Filtering, SIEM Logging, DLP
• Router1 10.20.1.1, Router2 10.20.1.2 – 2 Way ACL/Static Route:
  10.30.30/23 permit TCP to host 10.1.1.107 port ANY
  10.1.1.107 permit TCP to 10.30.30/23 port ANY
• Production LAN / Datacenter: Domain Controller, Splunk SIEM
• Bed Mgmnt System App – Host: BEDAPP01, 10.1.1.107, Win2000 Server, IIS, .ASP site, AD authentication to App
• Exchange 2010 Server – OWA Internet access URL https://webmail.hospital.org
• Docs Private Office – RDP into Clinic EMR – Small Business Server: DC, File/Print, IIS, DB, Sharepoint, Exchange
• Each node is annotated with its Logs and DFIR artifact (DFIRd / DFIRdm) collection points
Story Board IR – Timelining
Story Board IR – The Investigative File
Tour of OneNote IR Template
Story Board IR – The Investigative File – RAIs Root
I. Executive Summary
<< Executive high level summary of the event. Use common business language >>
Chain of Events (High Level):
<< Date:Time – brief sentence on the significant event. New line for each chain of event item >>
<< Date:Time – brief sentence on the significant event. New line for each chain of event item >>
II. Total Impact to Users and Systems
<< Intent here is to provide impact statements. Short, accurate, conveys impact to users and systems >>
III. Continued or Residual Risk to Systems and Data
<< The key determination – to discern if ePHI, PII or PCI data remains at risk of being viewed, accessed or acquired (by unauthorized persons or not) >>
IV. Remediation, Ongoing Tasks AND/OR Review and Action Plans. The following section details the various remediation efforts and/or work assignments that took place as a result of this incident.
V. Summary Analysis/Findings and Root Cause
Summary statement information speaking to root cause and remediation actions taken.
Root Cause: << root cause statement >>
Actions Items Completed During the Incident to Remediate: << one or more RAIs completed >>
Post Incident Recommended Remediation: << any further remediation recommendations >>
Story Board IR – The Investigative File – RAIs Root
V. Summary Analysis/Findings and Root Cause
Summary statement information speaking to root cause and remediation actions taken. If there are multiple root causes, an option is to break out each separate root cause in an individual paragraph. These root causes/findings will be recorded and tracked in RSAM as a Corrective Action Plan (CAP). NOTE: once the RCA/Findings are entered as a CAP in RSAM, return to this summary and post the RSAM CAP #s to this document.
Root Cause: Physician wireless segment is protected from production LAN using insecure ACLs.
Action Items Completed During the Incident to Remediate: Router "path" to bed management system closed down. Physicians redirected to Citrix-based access to bed management system.
Post Incident Recommended Remediation: Ensure router configuration is decommissioned.
Root Cause: Bed Management System is a Windows 2000 server. Windows 2000 Server is deprecated and should not be used for any production system or for storing ePHI.
Action Items Completed During the Incident to Remediate: Windows logs configured to dump to Splunk.
Post Incident Recommended Remediation: Business owner, vendor and IT teams to immediately begin work to stand up a Win2012 R2 bed management system and decommission the Windows 2000 server. CAP 123456 created and assigned to security compliance team.
Root Cause: Firewall, Router and Bed Management server not logging to Splunk.
Action Items Completed During the Incident to Remediate: NA.
Post Incident Recommended Remediation: Configure Firewall, Router and Bed Management server to log to Splunk.
Root Cause: << root cause statement >>
Action Items Completed During the Incident to Remediate: << one or more RAIs completed >>
Post Incident Recommended Remediation: << any further remediation recommended. These would result in a longer-term Corrective Action Plan to be followed up on by the Security Compliance team >>
Story Board IR – The Investigative File – RAIs Root
ITS-CSIRT-PROC 07 Incident Findings and Recommended Action Items (RAI) Report.docx
Story Board IR – The Incident Report (NO REWRITE)
Story Board IR – The Investigative File Timelining
Story Board IR – The Investigative File – Story Board
Story Board IR – That’s the Story
Bonus Content – (side bar discussion) if time and interest
• Ransomware Threat Profile Investigative file
• OneNote in Action: CHI WannaCry Response Management