Incident Response Requires Superhumans Presented by Dinesh O Bareja & Vineet Kumar Dubai, October 30, 2013

Upload: dinesh-o-bareja

Posted on 08-May-2015

DESCRIPTION

Incident management and response is a highly specialized job requiring the Information Security professional to have multifaceted skills in technology, business, finance, HR and more. In fact, the Incident Response professional needs to know so much in terms of technology, people skills or reaction time that he/she might as well be a superhuman!

TRANSCRIPT

Page 1: Incident Response Requires Superhumans

Incident Response Requires Superhumans

Presented by Dinesh O Bareja & Vineet Kumar

Dubai, October 30, 2013

Page 2: Incident Response Requires Superhumans

Audience Profiling

• How many CISOs

• How many IS Managers

• How many pure play Incident Managers

• How many CISO/ISM with IM responsibility

• Do you sleep well …

• 2010 (base year)

• 2011

• 2012 ... NOW ?

Page 3: Incident Response Requires Superhumans

• Overview: InfoSec Evolution / History

• Exponentially Growing Expectations

• Superhumans in Enterprise and LEA

• Superhuman: why, how..

• Today’s Takeaway – Risks and being a SH

Page 4: Incident Response Requires Superhumans

Technology advancement has brought about dramatic change in life and work and continues its march of dynamic growth.

It was an era of innocence and invention when computing started, up to the time when the internet was unveiled.

Over the years it has metamorphosed into a force we are still trying to understand and has brought with it ‘great expectations’ from the human beings who are in charge!

Even a young man has to use a walking stick!

Page 5: Incident Response Requires Superhumans

http://www.geeksaresexy.net/2013/04/26/the-evolution-of-essentials-comic/

Page 6: Incident Response Requires Superhumans

http://www.geeksaresexy.net/2013/04/26/the-evolution-of-essentials-comic/

Page 7: Incident Response Requires Superhumans

Jokes apart, coming back to serious business..

To relive the past, we will (briefly) look at the growth, maturity and metamorphoses of some practices, solutions, strategies and technologies.

Page 8: Incident Response Requires Superhumans

• Information Security yet to be discovered but phone phreaking was around

• Security meant securing areas where computers were housed

• System security meant administrator control on who could write – edit – delete data

• Data breach prevention was through controlled access to printer room

• Compliance was the accountant's job

Page 9: Incident Response Requires Superhumans

• Ides of March 1992 – Michelangelo virus

• Y2K

• 1994 ISACA (from earlier avatars of ’67, ’69)

• Viruses to APTs

• Security lives are ruled by GRC, CIA Triad, PDCA Cycle, MM, ROSI, KPI

• Compliance means regulatory and internal policies and audit findings

Page 10: Incident Response Requires Superhumans

• These all morph into professional art forms … Risk Management, Incident Management, Configuration Management, Problem… Patch… Access… Change…

Page 11: Incident Response Requires Superhumans

Virus – Worm – Trojan – Malware – Rootkit – Backdoor – Botnets – APT

NMS – SIEM – Network Forensics

Simple Access Control – IDAM / SSO / Privilege User Management / Provisioning…

LAN, WAN, Virtualization, Fabric, Wireless, Cloud

dBase, Lotus, Access, Excel, MS SQL, MySQL, Oracle

Page 12: Incident Response Requires Superhumans

http://movetheworld.wordpress.com/2008/01/16/evolution-of-information-security-technologies/

Page 13: Incident Response Requires Superhumans

• Illiterate Messengers deliver written messages so they cannot copy or read

• Cutting off a messenger’s tongue to disable gossip risk

• Da Vinci’s ‘cryptex’ device

• Shoot the messenger

• Encrypted messages, smoke signals

• Eunuchs to protect Harems

Page 14: Incident Response Requires Superhumans

Page 15: Incident Response Requires Superhumans

(Image, © freedigitalphotos, royalty-free with attribution: a word cloud of everything the security professional is expected to handle – systems, org growth, IT networks, business, all processes, enterprise finance, enterprise targets, people issues, gadgets, global events, sales, risks – tech / business, contribute ideas, compliance liabilities, email, background checks, onboarding / exits, flight timings, what phone to buy/gift, how to do a web checkin, …)

Page 16: Incident Response Requires Superhumans

In fact, the CISO role is still a combined responsibility in a number of small / mid-sized organizations.

Page 17: Incident Response Requires Superhumans

Page 18: Incident Response Requires Superhumans

Page 19: Incident Response Requires Superhumans

Page 20: Incident Response Requires Superhumans

• Overview: InfoSec Evolution / History

• Exponentially Growing Expectations

• Superhumans in Enterprise and LEA

• Superhuman: why, how..

• Today’s Takeaway – Risks and being a SH

Page 21: Incident Response Requires Superhumans

Page 22: Incident Response Requires Superhumans

Page 23: Incident Response Requires Superhumans

Page 24: Incident Response Requires Superhumans

Page 25: Incident Response Requires Superhumans

• Standards: ISO27001, ITIL, ISO20000, ISO22301, OWASP Top 10, SOX, SSAE-16/SAS-70, HIPAA.. + regulatory requirements + policies

• SANS-CSC…. According to SANS, ~73% of respondents are aware of SANS-CSC and have adopted or are planning to… and the primary driver is to improve enterprise visibility and reduce security incidents

Page 26: Incident Response Requires Superhumans

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Malware Defenses

6. Application Software Security

7. Wireless Device Control

8. Data Recovery Capability

9. Security Skills Assessment and Appropriate Training to Fill Gaps

10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

11. Limitation and Control of Network Ports, Protocols, and Services

12. Controlled Use of Administrative Privileges

13. Boundary Defense

14. Maintenance, Monitoring, and Analysis of Audit Logs

15. Controlled Access Based on the Need to Know

16. Account Monitoring and Control

17. Data Loss Prevention

18. Incident Response and Management

19. Secure Network Engineering

20. Penetration Tests and Red Team Exercises

Page 27: Incident Response Requires Superhumans

• Overview: InfoSec Evolution / History

• Exponentially Growing Expectations

• Superhumans in Enterprise and LEA

• Superhuman: why, how..

• Today’s Takeaway – Risks and being a SH

Page 28: Incident Response Requires Superhumans

Page 29: Incident Response Requires Superhumans

• Company Policies, DR

• Analytical Tools: RCA, SWOT etc

• Business Operations & Depts

• IT Operations

• Applicable Laws, Regulations

• Databases

• Applications

• Hardware

• Malware, APT

• Forensics investigation

• Forensic analysis

• Evidence collection, preservation..

• SIEM, DLP, IPS/IDS, UTM

• Log Analysis

• Phishing

• Windows, Linux (AIX, UX, MacOS)

• Android, iOS, Symbian, BB

• Mobile devices incl laptops

• Network devices – firewalls etc

• Configuration and hardening

• Know all patches from year 0 (BC)

• VAPT

• Web servers, AD, MS Exchange

• … more….

Page 30: Incident Response Requires Superhumans

• Can Work under pressure

• Can go on without sleep, food or..

• Can walk in sleep

• Excellent communication skills

• Can win over and influence anyone

• Multi-lingual: geekspeak, normal-speak, baby-speak

Page 31: Incident Response Requires Superhumans

• Life is a bummer

• One has to have all that the IM has…. Plus:

• Deep knowledge and understanding of Law (domestic/international) and statutes

• Criminal modus operandi

• ATM, Credit cards, financial fraud, email, internet banking, data breach, IP theft, espionage, social media crimes

Page 32: Incident Response Requires Superhumans

• Traditional Policing

• Cyber Intelligence, Social Media Intel

• Security Researcher

• WhatsApp, Wechat, Viber

• Interception

• Excellent Presenter

• Trainer

• Participating in International & National Conferences

• CDR, Tower dump analysis, location mapping

• CCTV Camera recording recovery

• Cyber Crime Investigation

• Cyber Security & Cyber Forensics

• Cyber Forensics (Network, Mobile, Cloud etc)

• Reverse Engineer & Troubleshooter

• Evidence Handling & presentation in the court of law

Page 33: Incident Response Requires Superhumans

• Good Negotiator, Facilitator

• Can Pitch for Funds

• Prepare RFPs

• Event Manager

• Response in a flash expected

• Good magician (cracking Symmetric, Asymmetric encryption, password hashes within seconds)

• Software Developer, Programmer

• And the list goes on……

Page 34: Incident Response Requires Superhumans

Page 35: Incident Response Requires Superhumans

Page 36: Incident Response Requires Superhumans

Page 37: Incident Response Requires Superhumans

PRE-INCIDENT PREPARATION

Policy Development

Governance and Awareness

CERT Enablement

Threat Intelligence

Tabletop Testing

Advanced Threat Preparedness

Vendor Enablement

Communication Plan

Identify Legal, Regulatory Obligations

RESPONSE

Contain, Restore, Quarantine

Evidence Collection

Identify Weaknesses

Forensic Response

Clean Up and Dispose

POST-INCIDENT

Root Cause Analysis

Recommend Changes

Update CMDB, Risk Register

Disciplinary Actions, Report to LEA

Page 38: Incident Response Requires Superhumans

Page 39: Incident Response Requires Superhumans

Page 40: Incident Response Requires Superhumans

PREVENTIVE ACTIVITIES

Crime / Threat Intelligence

Response Team Training

Information Sharing

Advisories and Awareness

Citizen Outreach

TECHNOLOGY CRIME (INCIDENT) RESPONSE

International Vectors

Domestic Vectors

Complaint Registration

Categorization & Case Assignment

Crime Scene Visit, Evidence Collection

Data Extraction

Forensic Analysis

Technical Investigation

Forensic Investigation

Obtain Service Provider Evidence

Analysis and Report Preparation

POST-INCIDENT

Chain of Custody

Evidence Integrity

Arrests and Case Filing

Departmental Report

Statistical Update

Page 41: Incident Response Requires Superhumans

• 6 complaints get registered daily on our helplines

• 1.5 Crore Fraud

• Cyber Stalking – Big Boss Contestant, Aashka Garodia

• Email Threats – Anil Ambani

• Facebook Case (Fake Profile, Confession Pages, Fraud Pages)

• Cases reported statewide

• Nigerian Scam

• Credit / Debit Card Frauds

• POS fraud – Car polish Scam

• Cyber Attacks: Botnet, DoS, DDoS

Page 42: Incident Response Requires Superhumans

• Day to Day traditional crime control

• Crime investigation (Murder, Dacoity, Stalking, Threats etc)

• Raids

• Interrogation

• Intelligence Gathering

• Chain of custody

• Presentation in the court of law

Page 43: Incident Response Requires Superhumans

• MS In Information & Cyber Forensics

• Well versed with the latest technologies and research

• Programmer

• Malware Researcher

Page 44: Incident Response Requires Superhumans

• Overview: InfoSec Evolution / History

• Exponentially Growing Expectations

• Superhumans in Enterprise and LEA

• Superhuman: why, how..

• Today’s Takeaway – Risks and being a SH

Page 45: Incident Response Requires Superhumans

Page 46: Incident Response Requires Superhumans

• Build threat intelligence capability

• Subscribe to mailing lists, attend conferences, read, get certified, write

• Automate network monitoring with NMS, DLP, SIEM, Network Forensics etc

• Risk Threats and Vulnerability Management

• Information Sharing

• Breach advisories and CERT bulletins

Page 47: Incident Response Requires Superhumans

• The Incident Manager is informed about an incident and decides whether it is an incident or not before blowing the whistle !

• Sets Incident priority

• Triage

• Pray !

Page 48: Incident Response Requires Superhumans

• Set up war room

• Mobilize cross functional IM team

• Roll out containment procedures

• Initiate Communication plan

• Mobilize vendors

• Follow up with recovery and eradication procedures

• Visit incident site, collect and save evidence

Page 49: Incident Response Requires Superhumans

• Forensic Analysis

• Reporting to Authorities and Police

• Internal Root Cause Analysis

• Prepare Management Report

• Recommendations for improvement

• Obtain permissions and budget

• Update systems, policies and controls

Page 50: Incident Response Requires Superhumans

Page 51: Incident Response Requires Superhumans

Page 52: Incident Response Requires Superhumans

Page 53: Incident Response Requires Superhumans

• PhD/MS in Information Security

• Cyber Security Researcher

• Knowledge about 0 Days, APTs, Vulnerability Assessment, Penetration Testing, Source Code Auditing, Web

• Data Analytics

• BigData

• Cloud Computing

• Cyber Security

• Cyber Defence

• Cyber Forensics (Network, Mobile, Tablet, Satphones, Gogles)

• Cyber Law Expert

Page 54: Incident Response Requires Superhumans

• Overview: InfoSec Evolution / History

• Exponentially Growing Expectations

• Superhumans in Enterprise and LEA

• Superhuman: why, how..

• Today’s Takeaway – Risks and being a SH

Page 55: Incident Response Requires Superhumans

• Capability and Capacity development in Private sector is slow and in Government sector it is slower

• Skills required are multi-faceted and can ONLY be acquired by hard core practical on-the-job hands-on experience

• Institutes and training programs yet to be developed to impart some skills, or, show the path to aspirants

Page 56: Incident Response Requires Superhumans

(Image, © freedigitalphotos, royalty-free with attribution: the word cloud of expectations from Page 15, repeated – systems, org growth, IT networks, business, all processes, enterprise finance, enterprise targets, people issues, gadgets, global events, sales, risks – tech / business, contribute ideas, compliance liabilities, email, background checks, onboarding / exits, flight timings, what phone to buy/gift, …)

Page 57: Incident Response Requires Superhumans

In the near future, a bigger challenge:

Internet of Things

Page 58: Incident Response Requires Superhumans

Page 59: Incident Response Requires Superhumans

http://www.intel.com/content/www/us/en/intelligent-systems/iot/internet-of-things-infographic.html

Page 60: Incident Response Requires Superhumans

• Re-learn continuous learning … you did it passionately when you were junior, you did it to rise – then why did you stop!

• Recognize your skill and strength…. Information Security is not an apology. It is no longer a support function for a support function. It is an essential function and high time this is recognized by management

Page 61: Incident Response Requires Superhumans

Information / Data Security is a dynamic domain, constantly changing hues and continually exciting.

Practitioners, researchers, hackers, auditors constantly face up to new challenges.

Page 62: Incident Response Requires Superhumans

And we want to take this opportunity to present our unit – Cyber Defence Research Centre & Cyber Peace Foundation

Page 63: Incident Response Requires Superhumans

CDRC is a joint initiative of the Government of the State of Jharkhand (India) and Jharkhand Police.

The unit has been operational since January 2012.

It is the first of its kind organization in the country, and (probably) the ninth in the world.

Page 64: Incident Response Requires Superhumans

Page 65: Incident Response Requires Superhumans

CDRC functions (diagram):

• eSamadhan – Citizen Outreach Tollfree Helpline

• eKavach – Critical Infrastructure Protection: Training, Intel, Response and Knowledge Sharing

• eRaksha – Statewide Security Awareness program for children, citizens, industry

• Cyber Patrol – Intelligence Gathering, Honeynets

• CDR Analysis, IMS, Cyber Lab, VA/PT, AppSec, Digital Forensics

• JH CERT

• Technology Research, System Dev & Deployment

• Incident Response, Advisories, Responsible Disclosure

• LEA Training, Capacity & Capability Building

Areas: DETECTION, INVESTIGATION, EDUCATION, PREVENTION, PROTECTION

Page 66: Incident Response Requires Superhumans

Law Enforcement – Investigation, Response, Evidence Gathering, Forensics, Cyber Policing

Technical Services – VA/PT, Application Security Testing, Technology Evaluation

Training – State Police, Judiciary and Govt, CID, CBI, NPA, IB

Public Outreach – Awareness, Toll free helpline, eSamadhan, Cyber café controls, ATM security

Research – Cyber Patrol, India Honeynetwork, SCADA and Spam Honeynets

National Security – National Infrastructure Protection under CIIP, Responsible Disclosure

Jharkhand Secure – State Infrastructure Protection, Departmental IT Security, State CERT

Page 67: Incident Response Requires Superhumans

2012

09 JANUARY – Formation Day

JANUARY – High profile cases – Hazaribagh (Sonia Gandhi email threat); Team Augmentation and orientation

FEBRUARY – Launch eSamadhan, manual CDR analysis, IMEI database, Lost mobile cases; Establishment Planning; System Development: Internet Monitoring System and CDR + Location Mapping Analysis System

MARCH – Jharkhand Cyber Café Rules sent to Home Dept; Development of cyber café software and Cyber Café guidelines for owners; ISO 27001 Audit of Police Data Center; Internal team training

APRIL – Moved into CDRC Building, PHQ Ranchi; Program Launches: Judiciary Training; “eKavach” Critical Infrastructure Protection; Online knowledge base for Cyber café owners re open source; Bilingual safety guidelines for Government employees, parents and children

MAY – ATM, Cyber Café statewide Threat Survey; Wi-Fi war driving; Team training for forensics tools

JUNE – eKavach onsite assessment at HEC; CID Training launch

JULY – eRaksha program launched; Event Partner c0c0n 2012, Thiruvananthapuram; Case: Interstate credit card fraudsters interrogated; Disclosure – threat to CBI central server

AUGUST – India honeynetwork setup with five sensors; CISF, RPF training; ATS interaction re cyber security

SEPTEMBER – Cyber Lab setup plan at PTC; Development for Responsible Disclosure system; Training delivery at NPA

OCTOBER – SCADA honeypot development; Testing Vulnerability disclosure system

NOVEMBER – Joint Meeting – Home Dept, SB Jharkhand Police, All Banks

DECEMBER – Citizen Helpline Toll free number activated: 1800-3456-533

Page 68: Incident Response Requires Superhumans

Cyber Surveillance, Social Media Intelligence – Internet Monitoring, Social media Intelligence, Inputs from cyber patrol and threat intelligence, Intelligence from Social media (Orkut, Facebook, Linkedin, Twitter etc.)

Critical Infrastructure Protection – Inventory, response procedures and proactive security training

Responsible Disclosure and Threat Intelligence – Vulnerability disclosure and intelligence information to affected parties

Public Helpline – Web based and toll free helpline

Research – Indian Honeynet collection and malware analysis

Cyber Patrol – Underground intelligence gathering activities

Page 69: Incident Response Requires Superhumans

Page 70: Incident Response Requires Superhumans

• Cyber Peace Foundation, an NGO, is founded by senior officials of Jharkhand Police & experts to promote information sharing between LEAs across countries and to promote public-private partnership (PPP) through its Cyber Bridge program

• Revealed for the first time today at ISACA Dubai

• Request all your support for this organization

Page 71: Incident Response Requires Superhumans

ABOUT US

CONTACT INFORMATION

Page 72: Incident Response Requires Superhumans

• Professional Positions

• Pyramid Cyber Security & Forensics (Principal Advisor)

• Jharkhand Police (Cyber Surveillance Advisor)

• Open Security Alliance (Principal and CEO)

• Bombay Stock Exchange (IGRC Technical Member)

• Indian Honeynet Project (Founder)

• Professional skills and special interest areas

• Govt & Enterprise - Security Consulting, Advisory, Strategy, Architecture, Analysis, Policy Development, Optimization

• Technologies - SOC, DLP, IRM, SIEM…

• Practices - Incident Response, SAM, Forensics, Regulatory guidance, Government

• Blogger, Occasional columnist, wannabe photographer, research & survey

Page 73: Incident Response Requires Superhumans

Contact Information

Acknowledgements & Disclaimer

Various resources on the internet have been referred to, to contribute to the information presented here. Images have been acknowledged where possible and if we have infringed on your rights it is unintentional – we assure you the immediate removal on being notified, of any infringing material. The use (if any) of company names, brand names, trade marks is only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. We apologize for any infraction, as this will be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).

E: [email protected] T: +91.9769890505

Twitter: @bizsprite Facebook: dineshobareja

L: http://in.linkedin.com/in/dineshbareja Also on Slideshare and Flickr

A newer version of this presentation will be uploaded to Slideshare (dineshobareja).

Page 74: Incident Response Requires Superhumans

• Professional Positions

• Jharkhand Police – CTO & Head of CDRC

• Cyber Peace Foundation – President (Honorary)

• National Anti-Hacking Group (Founder)

• Security Pulse – Honorary Advisor

• Darnster – Honorary Advisor & Mentor

• Attify – Honorary Advisor

• Visiting Faculty for International & National Universities/Institutions such as National Police Academy, Railway Staff College, College of Military Engineering, Indian Institute of Management, Indian Institute of Technology, Government of Gujarat

• Professional skills and special interest areas

• Ethical hacking, cybercrime, Cyber Intelligence, Cyber Forensics

• Intelligence, Forensics, Cyber Security, Cyber Defence, Cyber Crime Investigation, Cyber Peace

Page 75: Incident Response Requires Superhumans

• Awards

6 International, 11 National and 15 state level awards & honors

• Contact Information

• Email: [email protected]

• Phone: +91-9570000065

• L: http://in.linkedin.com/in/vineet707

Page 76: Incident Response Requires Superhumans

• ENISA

• http://www.enisa.europa.eu/activities/cert/support/incident-management

• http://tvtropes.org/pmwiki/pmwiki.php/Main/GoalOrientedEvolution

• NIST

• http://www.intel.com/content/www/us/en/intelligent-systems/iot/internet-of-things-infographic.html

• Google, Bing

Page 77: Incident Response Requires Superhumans