Incident Response: How to Prepare

DESCRIPTION

Boxing legend Joe Louis famously said, "Everyone has a plan... until they get hit." While grizzled incident response veterans can relate to this sentiment, they all know that thorough preparation is crucial to success. Response procedures that are so thoroughly ingrained that executing them is like muscle memory have a chance, even in the fog of battle. Have you thoroughly prepared your organization to respond when the inevitable happens? How confident are you that it will work in a real-world situation? Proper incident response preparation is key to answering these questions and is frankly the foundation of any incident response capability. This webinar will review critical components of IR preparation including:
• IR Underpinnings
• Flexible Frameworks
• Leadership Challenges

Our featured speakers for this webinar will be:
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Sean Mason, Global Incident Response Leader, CSC

TRANSCRIPT
Incident Response: How to Prepare
June 11, 2014

AGENDA
• Intro
• Process Fundamentals
• Technical Fundamentals
• Staying Evergreen
• Leadership Challenges

Introductions
• Ted Julian, CMO – Co3 Systems
• Sean Mason, Global Incident Response Leader – CSC
Sean A. Mason @SeanAMason
Career timeline (slide graphic; periods ’96-’00, ’01-’03, ’04-’06, ’07, ’08-’10, ’11, ’12-13, ’14-): Agile Web Developer, Sec Analyst, Sr. IT Auditor, SW Dev Manager, Supply Chain Developer, IR Leader, Info Sec Team Lead, Director IR, Exec IR Leader
Certifications: PMP, CISA, CISSP, CISM, ISSMP, CSSLP, CCFP
Education: BS MIS, McKendree University; Technical School, USAF; MBA, Webster University; NMDC & AIMC, GE Crotonville
END-TO-END IR: BEFORE, DURING, AND AFTER

Prepare: Improve Organizational Readiness
• Appoint team members
• Fine tune response SOPs
• Link in legacy applications
• Run simulations (fire drills, table tops)

Assess: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Track incidents, maintain logbook
• Automatically prioritize activities based on criticality
• Log evidence
• Generate assessment

Manage: Contain, Eradicate and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling

Mitigate: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Recent incidents highlight exposure to top brands
Leadership Challenges

LEADERSHIP
• Credibility
• Trust
• Rapport
• Consistency
Process Fundamentals

IR EVOLUTION

END-TO-END IR: BEFORE, DURING, AND AFTER

Detect
• SIEM
• AV/HIPS
• Proxy
• ATD
• DLP
• Etc…

Contain & Collect
• Contain Host(s)
• Reset Password(s)
• Acquire Evidence

Analyze
• Movement
• Methods
• Accounts
• Actors
• Timelines

Remediate
• Rebuild Host(s)
• Reset Password(s)
• Countermeasures
• Lessons Learned

Intel
DOCUMENTATION — “A plan doesn’t need to be a single document anymore.”
• Wiki or other Platform
• Flexibility
• Track Changes
• “Open” Access
PEOPLE
• Who is needed for wing-to-wing IR? (think outside security)
• Who is on-call and when? (consider holidays)
• Pre-built DLs (distribution lists) for e-mails and info
• Think through basics: phones, chat rooms, conference lines, and remote access

Name | Role | Phone #
Ray | Incident Coordinator | 555-2368
Danny | Incident Coordinator | 555-0840
Kate | Network Team | 606-0842
Jenny | AD Team | 867-5309
Alicia | CISO | 489-4608
Mike | Incident Response | 330-281-8004
Emily | CIO | 212-664-7665
Philip | Legal Counsel | 818-775-3993
Ramona | Public Relations | 212-664-7665
Business Leaders? | |
Law Enforcement? | |
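The "who is on-call and when" question above is easy to answer badly by hand, especially across holidays. The following is an added example, not part of the deck or of either speaker's material: a small Python checker that walks a roster of shifts hour by hour, reports every interval where a required role has nobody on call, flags gaps that fall on a holiday, and builds the notification list for a given instant (the "pre-built DL" idea). The roster, shift times and the holiday date are constructed for illustration; the names and roles mirror the PEOPLE table.

```python
from datetime import datetime, timedelta, date

# Constructed sample roster (not from the deck): names and roles follow the
# PEOPLE slide, the shift boundaries and the holiday are made up.
SHIFTS = [
    {"role": "Incident Coordinator", "name": "Ray",
     "start": datetime(2014, 6, 9), "end": datetime(2014, 6, 11)},
    {"role": "Incident Coordinator", "name": "Danny",
     "start": datetime(2014, 6, 11), "end": datetime(2014, 6, 13)},
    {"role": "Network Team", "name": "Kate",
     "start": datetime(2014, 6, 9), "end": datetime(2014, 6, 16)},
    {"role": "AD Team", "name": "Jenny",
     "start": datetime(2014, 6, 9), "end": datetime(2014, 6, 14)},
]
REQUIRED_ROLES = ["Incident Coordinator", "Network Team", "AD Team"]
HOLIDAYS = {date(2014, 6, 14)}            # constructed holiday
WINDOW_START = datetime(2014, 6, 9)       # one constructed week
WINDOW_END = datetime(2014, 6, 16)


def on_call(shifts, role, at):
    """Return the name covering `role` at instant `at`, or None if nobody is."""
    for s in shifts:
        if s["role"] == role and s["start"] <= at < s["end"]:
            return s["name"]
    return None


def _touches_holiday(gap_start, gap_end, holidays):
    """True if any calendar day inside [gap_start, gap_end) is a holiday."""
    last_day = (gap_end - timedelta(microseconds=1)).date()
    d = gap_start.date()
    while d <= last_day:
        if d in holidays:
            return True
        d += timedelta(days=1)
    return False


def coverage_gaps(shifts, roles, start, end, holidays=frozenset(),
                  step=timedelta(hours=1)):
    """Walk [start, end) in `step` increments and report, per role, every
    contiguous interval with nobody on call, as
    (role, gap_start, gap_end, touches_holiday)."""
    gaps = []
    for role in roles:
        t, gap_start = start, None
        while t < end:
            covered = on_call(shifts, role, t) is not None
            if not covered and gap_start is None:
                gap_start = t                       # gap opens
            elif covered and gap_start is not None:
                gaps.append((role, gap_start, t,
                             _touches_holiday(gap_start, t, holidays)))
                gap_start = None                    # gap closes
            t += step
        if gap_start is not None:                   # gap runs to the window end
            gaps.append((role, gap_start, end,
                         _touches_holiday(gap_start, end, holidays)))
    return gaps


def distribution_list(shifts, roles, at):
    """Who goes on the notification list right now: role -> name (or None)."""
    return {role: on_call(shifts, role, at) for role in roles}


if __name__ == "__main__":
    for role, a, b, hol in coverage_gaps(SHIFTS, REQUIRED_ROLES,
                                         WINDOW_START, WINDOW_END, HOLIDAYS):
        flag = " (falls on a holiday)" if hol else ""
        print(f"{role}: nobody on call {a:%a %d %b %H:%M} -> {b:%a %d %b %H:%M}{flag}")
    print(distribution_list(SHIFTS, REQUIRED_ROLES, datetime(2014, 6, 14, 12)))
```

Run against the constructed roster it reports that the Incident Coordinator role is uncovered from Friday the 13th onward and the AD Team from Saturday the 14th, both spanning the holiday; a role that is never staffed at all shows up as one gap covering the whole window, which is exactly the "Business Leaders? Law Enforcement?" question made concrete.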
RACI
• Clear expectations for returning phone calls
• Who does what? (think outside security)
• Set expectations
• Helps define process
INCIDENT SEVERITIES — “Not all incidents are created equal.”
• Define an incident severity model: one common lexicon

Rating | Impact | Description
Breach 1 | 1 | Intruder has exfiltrated sensitive data or is suspected of exfiltrating sensitive data based on volume, etc.
Breach 2 | 2 | Intruder has exfiltrated nonsensitive data or data that will facilitate access to sensitive data
Breach 3 | 3 | Intruder has established command and control channel from asset with ready access to sensitive data
Cat 1 | 4 | Intruder has compromised asset with ready access to sensitive data
Cat 2 | 5 | Intruder has compromised asset with access to sensitive data but requires privilege escalation
Cat 3 | 6 | Intruder is attempting to exploit asset with access to sensitive data
Cat 6 | 7 | Intruder is conducting reconnaissance against asset with access to sensitive data
Vuln 1 | 8 | Intruder must apply little effort to compromise asset and exfiltrate sensitive data
Vuln 2 | 9 | Intruder must apply moderate effort to compromise asset and exfiltrate sensitive data
Vuln 3 | 10 | Intruder must apply substantial effort to compromise asset and exfiltrate sensitive data

Rating | Description | Response/Containment
Severity 0 | Intruder has exfiltrated sensitive data or is currently inside network. DDOS that has impacted availability. Malware outbreak. | 1 hour
Severity 1 | Indicators show that an intruder is attempting to gain a foothold or has attained an initial foothold on the network. DDOS that has the potential to impact availability. Malware causing disruption. | 4 hours
Severity 2 | Compromised machine (General Malware) | 72 hours
• Simplified & Flexible
• Focus more on capability
INTERNAL COMMUNICATION — “Incidents are not an opportunity to compartmentalize information.”
• Communicate broadly, engage others
• Communication template, rhythm and formats
• Mobile technology and speed of information

Incident Severity | Comm Rhythm | Audience
Grave (KC7) | Within 1hr – Conf. Call; 2x Daily – Conf. Call; COB Daily – E-mail | COO, CSO, CIO, General Counsel, Director of PR, CISO, Director of IR, Chief Security Architect
Significant (KC6) | Within 1hr – E-mail; COB Daily – E-mail | CISO, Director of IR, Chief Security Architect
Benign (KC1-5) | As needed or upon escalation | Director of IR, Security Manager
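The severity and communication slides are a model that can be executed rather than just read. What follows is an added example, not from the deck or either speaker: a Python module that maps a Kill Chain phase to the Grave/Significant/Benign tier, expands the comm rhythm into a concrete calendar of calls and e-mails for the first two days, computes the containment deadline from the simplified Severity 0/1/2 clock and checks whether it was missed. Two things are assumptions of the example and not stated on the slides: that the tiers line up one-to-one with Severity 0/1/2, and the clock times used for "COB" (17:00) and the "2x Daily" call (09:00 and 15:00).

```python
from datetime import datetime, timedelta

# Audience per tier, taken from the INTERNAL COMMUNICATION slide.
AUDIENCE = {
    "Grave": ["COO", "CSO", "CIO", "General Counsel", "Director of PR",
              "CISO", "Director of IR", "Chief Security Architect"],
    "Significant": ["CISO", "Director of IR", "Chief Security Architect"],
    "Benign": ["Director of IR", "Security Manager"],
}

# Response/containment clock from the simplified severity table (Sev 0/1/2).
SEVERITY_SLA = {0: timedelta(hours=1), 1: timedelta(hours=4), 2: timedelta(hours=72)}

# ASSUMPTION of this example: the tiers line up one-to-one with Sev 0/1/2.
# The deck shows the two tables on separate slides and does not say so.
TIER_TO_SEVERITY = {"Grave": 0, "Significant": 1, "Benign": 2}

COB_HOUR = 17                 # assumed close of business, local time
TWICE_DAILY_HOURS = (9, 15)   # assumed slots for the "2x Daily" call

DECLARED_AT = datetime(2014, 6, 11, 10, 30)   # constructed declaration time


def tier_for_phase(kc_phase):
    """Map a Kill Chain phase (1-7) to the deck's tier: KC7 Grave, KC6
    Significant, KC1-5 Benign."""
    if not 1 <= kc_phase <= 7:
        raise ValueError("Kill Chain phase must be 1..7")
    return {7: "Grave", 6: "Significant"}.get(kc_phase, "Benign")


def containment_deadline(tier, declared_at):
    return declared_at + SEVERITY_SLA[TIER_TO_SEVERITY[tier]]


def sla_breached(tier, declared_at, contained_at):
    """True when containment finished after the tier's clock ran out."""
    return contained_at > containment_deadline(tier, declared_at)


def comm_schedule(tier, declared_at, horizon=timedelta(hours=48)):
    """Expand the comm rhythm into (when, channel, purpose) events inside
    [declared_at, declared_at + horizon]. Benign is "as needed", so it
    yields nothing until somebody escalates."""
    end = declared_at + horizon
    if tier == "Benign":
        return []
    first_channel = "conf call" if tier == "Grave" else "e-mail"
    events = [(declared_at + timedelta(hours=1), first_channel, "initial notification")]
    day = declared_at.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if tier == "Grave":
            for h in TWICE_DAILY_HOURS:
                t = day + timedelta(hours=h)
                if declared_at < t <= end:
                    events.append((t, "conf call", "status call"))
        t = day + timedelta(hours=COB_HOUR)
        if declared_at < t <= end:
            events.append((t, "e-mail", "COB status e-mail"))
        day += timedelta(days=1)
    events.sort()
    return events


def next_update(tier, declared_at, now):
    """The 'Next Update' line of the status template: first event after now."""
    for when, channel, _ in comm_schedule(tier, declared_at):
        if when > now:
            return when, channel
    return None


if __name__ == "__main__":
    tier = tier_for_phase(7)
    print(tier, "audience:", ", ".join(AUDIENCE[tier]))
    print("containment due:", containment_deadline(tier, DECLARED_AT))
    for when, channel, purpose in comm_schedule(tier, DECLARED_AT):
        print(f"{when:%d %b %H:%M}  {channel:9}  {purpose}")
```

For a Grave incident declared at 10:30 the schedule comes out as a call at 11:30, a call at 15:00, an e-mail at close of business, and the same three beats the next day; the `next_update` value is what belongs in the "Next Update" field of the status template on the following slide.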
COMMUNICATIONS — “‘I don’t know’ is a valid answer, but qualify it with actions.”

Status update template (sample values from the slide):
Kill Chain Phase: If your org uses the KC, allows for a quick look at where the current incident is at.
Business(es) & Location(s) Impacted: If your org has different locations or business units, helps to narrow impact.
Summary: Executive level summary, no longer than a paragraph, on the current status.
Impact: Current actual business impact: exfil? Servers down?
Next Update: 06-11-2014 1600 EST
Incident Status: More details on what is currently happening during the incident.
Intelligence & Attribution Summary: If your org has an intelligence group, details would go here.
Host Status: Deeper details on affected accounts or hosts.
Action Items:
Note: Updated information is shaded in Green and completed actions are struck through.

Action | Status | Owner | Est. Comp
Assemble Response Team | Complete | J. Smith | 11 Jun 1200 EST
Review Network Architecture Diagrams | Complete | S. Johnson | 11 Jun 1600 EST
Review Configuration Settings | In Progress | S. Johnson | 13 Jun 1200 EST
Establish secure FTP site | In Progress | S. Johnson | 13 Jun 1600 EST
Collect forensic evidence | Pending | R. White | TBD
EXTERNAL COMMUNICATIONS
• “Think Twitter” & the speed of information
• Have approved templates ready to go
• External, Internal, and Business Partners
• Test and ensure you can actually identify all parties
• Establish “easy-to-sign” NDAs for use in the event of cross-business incidents
Poll
How long ago was your Incident Response plan and related information updated?
Technical Fundamentals

CONTAINMENT — “Containment is arguably the most critical decision in IR”
• Who can access the compromised devices?
• When do you contain?
• Who makes the containment call?
• What method(s) will you use?
• How will you track down the devices?

HOST & NETWORK FORENSIC ANALYSIS
• Where are the logs? Do you aggregate logs?
• Does the team have access to the compromised logs & devices?
• Preserve forensic evidence
• Who is properly trained to do the forensics? Do they have tools?

Volatility
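"Preserve forensic evidence" and the lifecycle slide's "Track evidence / Log evidence" both come down to the same preparation item: a logbook the team already knows how to fill in before the first artifact is acquired. The following is an added example, not from the deck or either speaker, of the minimum such a logbook should do in code: record each acquisition with the artifact's SHA-256, record custody transfers, and hash-chain every entry to the previous one so that a later edit to any record (a changed custodian, a reworded note) is detected on verification. The artifact bytes, names and identifiers in the demo are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def _digest(obj):
    """Stable hash of a JSON-serialisable record (sorted keys)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class EvidenceLog:
    """Append-only logbook. Each entry carries the hash of the entry before it,
    so the chain only verifies if nothing was altered or removed."""

    def __init__(self):
        self.entries = []

    def _append(self, event, artifact_id, custodian, detail, when):
        entry = {
            "seq": len(self.entries) + 1,
            "event": event,
            "artifact_id": artifact_id,
            "custodian": custodian,
            "detail": detail,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def acquire(self, artifact_id, content, collected_by, source, when=None):
        """Record acquisition; the content hash is what analysts later compare
        their working copy against."""
        detail = {"sha256": hashlib.sha256(content).hexdigest(),
                  "size": len(content), "source": source}
        return self._append("acquire", artifact_id, collected_by, detail, when)

    def transfer(self, artifact_id, from_person, to_person, when=None):
        """Record a hand-off; the new custodian becomes the current one."""
        return self._append("transfer", artifact_id, to_person,
                            {"from": from_person, "to": to_person}, when)

    def current_custodian(self, artifact_id):
        for e in reversed(self.entries):
            if e["artifact_id"] == artifact_id:
                return e["custodian"]
        return None

    def verify_chain(self):
        """Recompute every entry hash and every back-link; False on tampering."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_artifact(self, artifact_id, content):
        """Does `content` still match the hash recorded at acquisition?"""
        for e in self.entries:
            if e["event"] == "acquire" and e["artifact_id"] == artifact_id:
                return e["detail"]["sha256"] == hashlib.sha256(content).hexdigest()
        return False


if __name__ == "__main__":
    log = EvidenceLog()
    image = b"constructed stand-in for a memory image"   # constructed bytes
    log.acquire("HOST42-mem", image, "R. White", "volatile memory, HOST42")
    log.transfer("HOST42-mem", "R. White", "S. Johnson")
    print("chain ok:", log.verify_chain(), "custodian:", log.current_custodian("HOST42-mem"))
    log.entries[0]["custodian"] = "someone else"        # simulate an after-the-fact edit
    print("chain ok after edit:", log.verify_chain())
```

Writing the entries out as JSON lines to a location the responders cannot edit in place (and re-running `verify_chain` over what was written) is the piece that turns this from a demo into something an auditor, or the "authorities" on the Mitigate slide, can rely on.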
Poll
Do your Incident Responders have immediate access to logs and devices?
Staying Evergreen

RECURRING TESTING – “You shouldn’t be inventing process during a crisis.”
• Paper Test – Ensure all documentation, templates, etc. are properly updated.
• Table Top Exercise – Verbally walking through a number of different IR scenarios.
• Simulated Incident – A more invasive test that leverages a Red Team to simulate an attack (or utilize existing malware samples). Allows for a more comprehensive test of the IRT, to include forensic work.
• Blind Test – Similar to Simulation testing, but leadership coordinates the attack unbeknownst to the IRT.
ENVIRONMENTAL CHANGES
• Architecture
• People
• Attacks/TTPs
• Infrastructure
• Regulations (HIPAA, PCI-DSS, DFARS)
POST INCIDENT REVIEW
• DURING the incident: carve out cycles
• Carve out a process ahead of time
• Dissect every step of the attack
• Learn from others/external incidents
OUTSIDE OF IR…
• Leverage the team for other hot issues such as:
  • Heartbleed
  • Insider cases
  • Counterfeit gear
  • Software piracy
  • Acquisition evaluations
  • Etc…
Poll
Does your organization test your entire Incident Response plan on an ongoing basis?
FINAL THOUGHTS!
• Ensure everything is auditable
• Build in a Contingency Budget
• Education ahead of time
• Establish a relationship with your local FBI office
• Think beyond IT: form allies in the business
• Don’t forget metrics
• Reward your Incident Responders after the battle
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

Sean Mason
Executive Incident Response Leader
702-498-6615
@SeanAMason
www.csc.com/cybersecurity/IR

“We’re doing IR in one-tenth of the time.” – DIRECTOR OF SECURITY & RISK, USA FUNDS
“It’s the best purchase we ever made.” – CSO, F500 HEALTHCARE PROVIDER
“One of the hottest products at RSA…” – NETWORK WORLD
“Co3 has done better than a home-run... it has knocked one out of the park.” – SC MAGAZINE