Story Board IR Methodology - SANS
TRANSCRIPT
![Slide 1](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/1.jpg)
Story Board IR Methodology
Deter, Detect, Defend & Respond
May 18, 2017
Gregg Braunton, National Director, Threat Management & Incident Response, Catholic Health Initiatives
CISSP, C|HFI, C|EH, GCFA, CSFE, GSEC, MCP, (G2B2)
![Slide 2](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/2.jpg)
Story Board IR Methodology (JUNE 2017)
![Slide 3](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/3.jpg)
CHI “About Us”
CHI Organizational Profile:
• 17 states
• 104 hospitals, 4 academic health centers and major teaching hospitals as well as 30 critical-access facilities
• 100,000+ employees
• 2,500+ clinics; community health-services organizations; home-health agencies; living communities; and other facilities and services that span the inpatient and outpatient continuum of care
![Slide 4](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/4.jpg)
Agenda
• The Context – The critical need for a functional IR framework
• Why Storyboarding? – linear vs visual
• Case Study – Physicians Wireless Incident
• Work Products – reporting, data points, and building the investigative file
• Q & A
• *Case Study – (Side Bar Bonus Material) WannaCry Global Ransomware Response
![Slide 5](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/5.jpg)
Cyber Incident HITS your company HARD!
12 Servers, 2 Dozen PCs, Across 3 Data Centers
![Slide 6](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/6.jpg)
SOC Extra Staffing : $25,000
![Slide 7](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/7.jpg)
3rd party IR Team Parachute In : $250,000
![Slide 8](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/8.jpg)
Host, DB, Mobile, Data Network Forensics : $750,000
![Slide 9](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/9.jpg)
Media Management & Consultants : $250,000
![Slide 10](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/10.jpg)
Customer Notification : $50,000
![Slide 11](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/11.jpg)
Customer Info/Triage Helpdesk : $50,000
![Slide 12](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/12.jpg)
Cyber Insurance Deductible: $1,500,000
![Slide 13](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/13.jpg)
FREE IR Response Framework: PRICELESS
To Orchestrate, Investigate, Document & Report on the Incident...
![Slide 14](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/14.jpg)
Context – an IR framework helps to be “Compromise ready”
Source: 2017 BakerHostetler Data Security Incident Response Report
![Slide 15](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/15.jpg)
Context – an IR framework helps to be “Compromise ready”
Source: 2017 BakerHostetler Data Security Incident Response Report
![Slide 16](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/16.jpg)
Context – an IR framework helps to be “Compromise ready”
Source: 2017 BakerHostetler Data Security Incident Response Report
![Slide 17](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/17.jpg)
Context – an IR framework helps to be “Compromise ready”
Source: 2017 BakerHostetler Data Security Incident Response Report
![Slide 18](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/18.jpg)
Context – an IR framework helps to be “Compromise ready”
Source: 2017 BakerHostetler Data Security Incident Response Report
![Slide 19](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/19.jpg)
Story Board IR – Supporting the CSIRT Framework
![Slide 20](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/20.jpg)
The Context – The MOST IMPORTANT IR Component
DOCUMENTING and RETELLING the STORY
Initial Event → Triage → Analysis → Containment → Eradication → Recovery → Root Cause → Report → Metrics
![Slide 21](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/21.jpg)
The Context – IR framework key functional components
(1) A Charter – IR imperatives, Authority, Organization/Staffing, Roles and Responsibilities
(2) CSIRT Framework – People, Process, Technology
(3) Investigative File
![Slide 22](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/22.jpg)
Why Storyboarding – You’ll need an accurate story
![Slide 23](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/23.jpg)
Storyboarding – Tools Needed – KISS principle
• WebEx/Screen Share and conference line
• OneNote
• Visio
![Slide 24](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/24.jpg)
Why Storyboarding – Synergy, Speed, Accuracy
4 components, 3 tools of story boarding
(1) (Visio) Incident diagram – Establishing a common frame of reference using visualizations
  • Relatable objects
  • Live view, Live feedback
(2) (WebEx & Conference Line) Interactive IR – fusion and synergy
  a) Visually Interactive IR: Map out the problem set
  b) Visually Interactive IR: Walk the “problem set” visually, annotating remediation action items (RAIs)
  c) Synergy, Speed, Accuracy, (ALL TEAMS) Representation
(3) (OneNote) Combined, structured workflow and notes, investigative file and report work product
(4) (Visio) Incident Timeline – visual histogram
![Slide 25](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/25.jpg)
Why Storyboarding – Synergy, Speed, Accuracy
“Humans are not ideally set up to understand logic; they are ideally set up to understand stories.” —Roger Schank
…a person’s brain is hardwired to recognize and make sense of visual information more efficiently, which is useful considering that 90 percent of all information that comes to the brain is visual.
![Slide 26](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/26.jpg)
Why Storyboarding – Visual vs Text – 3 second TEST
![Slide 27](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/27.jpg)
Why Storyboarding – Visual vs Text – 3 second TEST
![Slide 28](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/28.jpg)
Why Storyboarding – Synergy, Speed, Accuracy
If you consider body language, traffic signs, maps, facial cues, advertisements, and the plethora of other forms of visual communication a person experiences every day, it’s not hard to see why our brains might have adapted to discern visual concepts more easily. For example, 40 percent of nerve fibers to the brain are connected to the retina.
Visuals have been found to improve LEARNING by up to 400 percent.
![Slide 29](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/29.jpg)
Why Storyboarding – Synergy, Speed, Accuracy
Modern applications are already successfully experimenting with this information, with many mobile apps focusing on images, from Instagram and Snapchat to Pinterest and Vine. And it doesn’t seem to be a passing trend: Engagement per follower is 58 times higher on Instagram than on Facebook.
“Gone is the age of left brain dominance, the future belongs to storytellers.” —Daniel Pink
![Slide 30](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/30.jpg)
Proving visualizations work – a brief exercise
Traditional IR – Linear
vs
Storyboard IR – Visual
![Slide 31](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/31.jpg)
Proving visualizations work – text vs imagery
![Slide 32](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/32.jpg)
Traditional IR – mapping a web ecosystem
Main Portal hub: NEOCASE (Neocase), Employee Portal, “Web Portal Front End” https://chiep.neocaselive.com :: local repository of policies :: Live Chat / Case Mgmnt
Portal pivots to other HR related sites:
LEARN/HEALTHSTREAM (HealthStream) INTERNAL http://www.xxyylearn.com
MYHEATHLYSPIRIT (CHI Home Grown) INTERNAL http://home.xxyy.net
WORKDAY (Workday) https://wd5.xxyy.com/ :: HR data; self and team :: Manager Zone
FIDELITY (FIDELITY) https://abcd.xxyy.com :: 401K/403B/457 investment plan
KRONOS (KRONOS) INTERNAL https://kronosnavigator.xxyy.net :: time and attendance
HEALTHEQUITY (HealthEquity) https://www.xxyy.com :: personal health care spending account :: medical claim payment portal
![Slide 33](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/33.jpg)
Storyboard IR – mapping a web ecosystem
PORTAL
INSIDE CHI :: Links to HR/Payroll Connect
WORKDAY (Workday) https://wd5.xxyy.com/ :: HR data; self and team :: Manager Zone
Taleo https://chi2.xxyy.net/ :: job postings
NEOCASE (Neocase) Employee Portal, Web Portal Front End https://chiep.neocaselive.com :: local repository of policies :: Live Chat / Case Mgmnt
LEAVEPRO (Reed Group) https://chi.xxyy.com :: leave of absence
HEALTHEQUITY (HealthEquity) https://www.xxyy.com :: personal health care spending account :: medical claim payment portal
FIDELITY (FIDELITY) https://abcd.xxyy.com :: 401K/403B/457 investment plan
MYHEATHLYSPIRIT (CHI Home Grown) INTERNAL http://home.xxyy.net
https://chituition.tap.xxyy.com :: tuition reimbursement
TALX (Equifax) https://secure.theworknumber.xxyy.com
AON HEWITT https://lb32.resources.xxyy.com
LEARN/HEALTHSTREAM (HealthStream) INTERNAL http://www.xxyylearn.com
KRONOS (KRONOS) INTERNAL https://kronosnavigator.xxyy.net :: time and attendance
CLARITY INTERNAL https://epmo.chi.xxyy.net :: project management time tracking
CHI FTP Pivot Server Xx.xx.xx.xx
![Slide 34](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/34.jpg)
Linear
![Slide 35](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/35.jpg)
Visual
![Slide 36](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/36.jpg)
The Context
Everyone Needs a Functional & Synergistic IR Framework
(1) Collaboration Space – common view
  • Technical synergy – WebEx, Phone, Recording
  • IR Handlers (Always 2 deep) synergy – OneNote
(2) Consistent Data Points and Artifacts
  • Start/Stop time
  • Executive Summaries
  • At-the-time-of-incident risk and Residual risk
  • RAIs – Remediation/Response/Recovery Action Items
  • Time/Effort/Cost
(3) Investigative File (work product)
  • The Story, visuals, diagrams, timelines (might be needed 2, 12, 24 months later)
  • OneNote
![Slide 37](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/37.jpg)
Storyboarding – Tools Needed – KISS principle
• WebEx/Screen Share and conference line
• OneNote
• Visio
![Slide 38](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/38.jpg)
Case Study – physician wireless
Traditional IR – Conference Call – Individual notes (Confusion, Different Stories)
vs
Storyboard IR – Visual – Conference Call – Live Visual, Interactive Diagramming – Shared OneNote notes (Order, Synergistic Story)
![Slide 39](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/39.jpg)
Traditional IR – initial IOC context
Initial IOC: CTI reports NATed address 66.76.4.188 hitting known sinkholes
![Slide 40](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/40.jpg)
Story Board IR – initial IOC context
MS Sinkholes: spynet2.microsoft.com, spynetalt.microsoft.com
NATed Outbound: 66.76.4.188
![Slide 41](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/41.jpg)
Traditional IR – infected machine context
Initial IOC: CTI reports NATed address 66.76.4.188 hitting sinkholes
Source system: physician laptop 10.30.30.33 on the physician wireless using NATed address; FW logs show mapping to reported sinkhole
![Slide 42](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/42.jpg)
Story Board IR – infected machine context
Physician wireless hosts: 10.30.30.10 Host: BYOD10; 10.30.30.33 Host: BYOD33; 10.30.30.15 Host: BYOD15
MS Blackholes: spynet2.microsoft.com, spynetalt.microsoft.com
NATed Outbound: 66.76.4.188
Egress controls: URL Filtering, SIEM Logging, DLP
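The pivot these two slides describe (a CTI report names a public NATed address seen at sinkhole hosts; the firewall's NAT records trace it back to one physician laptop) is a correlation an IR handler runs in the SIEM before anything is drawn on the storyboard. The Python below is an added example written for this transcript, not code from the talk or from CHI. The sinkhole names, the NATed address and the 10.30.30.x hosts are the ones on the slides; the DNS and firewall log formats, the logger names (dns01, fw01) and the 203.0.113.x / 198.51.100.x destination addresses are constructed. It goes one step past the slide by corroborating the NAT pivot with an independent DNS thread, which is how a handler tells a host that resolved and contacted a sinkhole name from one that reached the same address without a lookup.

```python
"""Pivot from an external IOC (public NATed address seen at a sinkhole) to the
internal host behind the NAT, using firewall connection logs and DNS logs.

Added example for this transcript; log formats, logger names and the
203.0.113.x / 198.51.100.x addresses are constructed, not CHI data.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# From the slides: sinkhole names reported by CTI and the NATed source address.
SINKHOLE_NAMES = {"spynet2.microsoft.com", "spynetalt.microsoft.com"}
REPORTED_NAT_ADDRESS = "66.76.4.188"

# Constructed DNS resolver log (client = pre-NAT address on physician wireless).
DNS_LOG = """\
2017-05-02T14:03:09Z dns01 query client=10.30.30.33 qname=spynet2.microsoft.com answer=203.0.113.45
2017-05-02T14:03:10Z dns01 query client=10.30.30.15 qname=www.example.org answer=198.51.100.7
2017-05-02T14:41:52Z dns01 query client=10.30.30.33 qname=spynetalt.microsoft.com answer=203.0.113.46
"""

# Constructed firewall connection log from the physician-wireless egress
# (src = pre-NAT address, xsrc = post-NAT public address the sinkhole saw).
FW_LOG = """\
2017-05-02T14:03:11Z fw01 conn src=10.30.30.33 sport=51514 xsrc=66.76.4.188 xsport=20771 dst=203.0.113.45 dport=443
2017-05-02T14:03:12Z fw01 conn src=10.30.30.15 sport=49877 xsrc=66.76.4.188 xsport=20772 dst=198.51.100.7 dport=443
2017-05-02T14:41:53Z fw01 conn src=10.30.30.33 sport=51602 xsrc=66.76.4.188 xsport=20790 dst=203.0.113.46 dport=443
2017-05-02T15:10:05Z fw01 conn src=10.30.30.10 sport=50001 xsrc=66.76.4.188 xsport=20801 dst=203.0.113.45 dport=80
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'TS logger kind k=v k=v ...' into a dict with a parsed timestamp."""
    ts, logger, kind, rest = line.split(" ", 3)
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "logger": logger, "kind": kind}
    rec.update(KV.findall(rest))
    return rec


def sinkhole_addresses(dns_log, names):
    """Resolve the CTI hostnames to the answers our own resolver handed out."""
    return {r["answer"] for r in map(parse_line, dns_log.splitlines()) if r["qname"] in names}


def pivot_to_internal_hosts(fw_log, nat_address, sinkhole_ips):
    """Thread 1 (the slide's pivot): {internal src: hit count} for connections
    that left via the reported NAT address and went to a sinkhole address."""
    hits = Counter()
    for r in map(parse_line, fw_log.splitlines()):
        if r["xsrc"] == nat_address and r["dst"] in sinkhole_ips:
            hits[r["src"]] += 1
    return dict(hits)


def dns_corroboration(dns_log, fw_log, names, window=timedelta(seconds=5)):
    """Thread 2: internal clients that resolved a sinkhole name and, within
    `window`, opened a connection to the address the resolver returned."""
    dns = [r for r in map(parse_line, dns_log.splitlines()) if r["qname"] in names]
    fw = list(map(parse_line, fw_log.splitlines()))
    confirmed = set()
    for d in dns:
        for f in fw:
            if (f["src"] == d["client"] and f["dst"] == d["answer"]
                    and timedelta(0) <= f["ts"] - d["ts"] <= window):
                confirmed.add(d["client"])
    return confirmed


if __name__ == "__main__":
    ips = sinkhole_addresses(DNS_LOG, SINKHOLE_NAMES)
    print("sinkhole addresses:", sorted(ips))
    print("NAT pivot:", pivot_to_internal_hosts(FW_LOG, REPORTED_NAT_ADDRESS, ips))
    print("DNS-corroborated:", dns_corroboration(DNS_LOG, FW_LOG, SINKHOLE_NAMES))
```

In the constructed data, BYOD33 (10.30.30.33) is found by both threads, matching the slide, while BYOD10 appears only in the NAT pivot: it reached a sinkhole address with no matching lookup, which is a second lead to record on the storyboard rather than a host to clear.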
![Slide 43](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/43.jpg)
Traditional IR – infected host system/data connection context, what is at risk?
Initial IOC: CTI reports NATed address 66.76.4.188 hitting sinkholes
Source system: physician laptop 10.30.30.33 on the physician wireless using NATed address; FW logs show mapping to reported sinkhole
Connectivity and At Risk Systems: physicians use BYOD PCs on physician wireless which provides access via router to hospital bed management system. Doctors also connect to private clinic using RDP to access PT records in clinic EMR. ACLs on the router are not locked down, with ANY,ANY between interfaces connecting physician wireless to production network.
![Slide 44](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/44.jpg)
Story Board IR – infected host system/data connection context, what is at risk?
Physician wireless hosts: 10.30.30.10 Host: BYOD10; 10.30.30.33 Host: BYOD33; 10.30.30.15 Host: BYOD15
MS Blackholes: spynet2.microsoft.com, spynetalt.microsoft.com
NATed Outbound: 66.76.4.188
Production LAN (Hospital)
2 Way ACL/Static Route: 10.30.30/23 permit TCP to host 10.1.1.107 port ANY; 10.1.1.107 permit TCP to 10.30.30/23 port ANY
Docs Private Office: RDP into Clinic EMR; Small Business Server (DC, File/Print, IIS, DB, Sharepoint, Exchange)
Egress controls: URL Filtering, SIEM Logging, DLP
Bed Mgmnt System App Host: BEDAPP01, 10.1.1.107, Win2000, IIS, .ASP site, AD authentication to App
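The two-way ACL on this slide is the root cause the report later names ("Physician wireless segment is protected from production LAN using insecure ACLs"). The Python below is an added example written for this transcript, not the router's configuration or any vendor's tooling: it parses a constructed, simplified `<permit|deny> <proto> <src-cidr> <dst-cidr> <dst-port|any>` rule syntax and flags the three weaknesses the case study describes (port ANY into production, a return-path permit from production back into the BYOD segment, and an ANY/ANY permit between the interfaces), then shows a tightened rule set passing the same audit. The production network 10.1.1.0/24 and the service port 443 in the hardened set are assumptions for illustration.

```python
"""Audit a router ACL between the physician wireless and the production LAN
for the weaknesses named in the case study.

Added example written for this transcript. The rule syntax is constructed:
  <permit|deny> <proto> <src-cidr> <dst-cidr> <dst-port|any>
The production network 10.1.1.0/24 and port 443 are assumptions.
"""
import ipaddress

BYOD_SEGMENT = ipaddress.ip_network("10.30.30.0/23")   # physician wireless (slide)
PRODUCTION = ipaddress.ip_network("10.1.1.0/24")       # assumed LAN holding BEDAPP01

# The two-way rule shown on the slide, in the constructed syntax.
WEAK_ACL = """\
permit tcp 10.30.30.0/23 10.1.1.107/32 any
permit tcp 10.1.1.107/32 10.30.30.0/23 any
"""

# The "ANY,ANY between interfaces" situation the previous slide describes.
ANY_ANY_ACL = """\
permit ip 10.30.30.0/23 10.1.1.0/24 any
"""

# A tightened set: one published service port to the single app host, explicit
# denies in both directions, and no return-path permit (a stateful device
# admits reply traffic for the established session without one).
HARDENED_ACL = """\
permit tcp 10.30.30.0/23 10.1.1.107/32 443
deny ip 10.30.30.0/23 10.1.1.0/24 any
deny ip 10.1.1.0/24 10.30.30.0/23 any
"""


def parse_acl(text):
    """Turn the constructed rule text into dicts with parsed networks."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        action, proto, src, dst, port = line.split()
        rules.append({"line": n, "action": action, "proto": proto,
                      "src": ipaddress.ip_network(src),
                      "dst": ipaddress.ip_network(dst),
                      "port": None if port == "any" else int(port)})
    return rules


def audit_acl(text, untrusted=BYOD_SEGMENT, trusted=PRODUCTION):
    """Return (line, finding) pairs for permits that weaken the boundary
    between the untrusted BYOD segment and the trusted production LAN."""
    findings = []
    for r in parse_acl(text):
        if r["action"] != "permit":
            continue
        into_trusted = r["src"].subnet_of(untrusted) and r["dst"].subnet_of(trusted)
        out_of_trusted = r["src"].subnet_of(trusted) and r["dst"].subnet_of(untrusted)
        if into_trusted and r["port"] is None:
            findings.append((r["line"], "permit into production with destination port ANY"))
        if into_trusted and r["dst"].num_addresses > 1:
            findings.append((r["line"], "permit into production is not scoped to a single host"))
        if out_of_trusted:
            findings.append((r["line"], "return-path permit from production into the BYOD segment"))
        if r["proto"] == "ip" and r["port"] is None and (into_trusted or out_of_trusted):
            findings.append((r["line"], "ANY/ANY permit across the segment boundary"))
    return findings


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("any/any", ANY_ANY_ACL), ("hardened", HARDENED_ACL)):
        print(name, audit_acl(acl) or "no findings")
```

The audit is direction-aware on purpose: the second rule on the slide is the one handlers tend to overlook, because "production can reach the app host's clients" reads as harmless until the physician segment is the infected one.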
![Slide 45](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/45.jpg)
Story Board IR – flushing out sources of data/logs/artifacts/IOC threads
Initial IOC: CTI reports NATed address 66.76.4.188 hitting sinkholes
Source system: physician laptop 10.30.30.33 on the physician wireless using NATed address; FW logs show mapping to reported sinkhole
Connectivity and At Risk Systems: physicians use BYOD PCs on physician wireless which provides access via router to hospital bed management system. Docs also connect to private clinic using RDP to access PT records in clinic EMR.
Other Connectivity: bed management system on the internal LAN, locally connected to other production systems on the backbone via router and ACLs.
Other System Information: other systems on the network include a SIEM, AD controllers, MS Exchange server. There is a separate internal production egress point to the Internet protected by FW with URL filtering, DLP and logging to the SIEM.
![Slide 46](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/46.jpg)
Story Board IR – flushing out sources of data/logs/artifacts/IOC threads
Sites: St. Joseph Hospital, Solute, NC; 3100 Main St, Solute, NC; Darby, NC
Physician wireless hosts: 10.30.30.10 Host: BYOD10; 10.30.30.33 Host: BYOD33; 10.30.30.15 Host: BYOD15
MS Blackholes: spynet2.microsoft.com, spynetalt.microsoft.com
NATed Outbound: 66.76.4.188
Production LAN
Datacenter: Domain Controller; Splunk SIEM
2 Way ACL/Static Route: 10.30.30/23 permit TCP to host 10.1.1.107 port ANY; 10.1.1.107 permit TCP to 10.30.30/23 port ANY
Docs Private Office: RDP into Clinic EMR; Small Business Server (DC, File/Print, IIS, DB, Sharepoint, Exchange)
Egress controls: URL Filtering, SIEM Logging, DLP
Bed Mgmnt System App Host: BEDAPP01, 10.1.1.107, Win2000 Server, IIS, .ASP site, AD authentication to App
Exchange 2010 Server: OWA Internet access URL https://webmail.hospital.org
Router1 10.20.1.1; Router2 10.20.1.2
Diagram markers on each node: Logs, DFIRdm, DFIRd
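Walking the diagram to mark which nodes have "Logs" is exactly the check the later root-cause finding ("Firewall, Router and Bed Management server not logging to Splunk") came out of. The Python below is an added example written for this transcript, not a CHI or Splunk artifact: it compares the systems drawn on the storyboard against a "newest event per host" summary and reports which expected sources are missing from the SIEM or stale. The expected-source list is taken from the systems named on slides 44 to 46; the summary lines are constructed (the key=value layout is not a real Splunk output format), the host names such as fw01 and exch01 are assumed, and the 24-hour freshness threshold is an assumption.

```python
"""Check which systems on the incident storyboard are actually feeding the
SIEM, and how fresh their newest event is.

Added example written for this transcript. EXPECTED_SOURCES lists the systems
drawn on the storyboard (host names assumed); SIEM_SUMMARY is constructed and
is not a real Splunk output format; the 24-hour threshold is an assumption.
"""
from datetime import datetime, timedelta

EXPECTED_SOURCES = {
    "fw01": "physician wireless egress firewall (URL filtering, DLP)",
    "router1": "Router1 10.20.1.1, ACL path into production",
    "router2": "Router2 10.20.1.2",
    "bedapp01": "BEDAPP01 10.1.1.107 bed management, Win2000",
    "dc01": "datacenter domain controller",
    "exch01": "Exchange 2010 / OWA",
}

# Constructed summary: one line per host the SIEM has seen, newest event time.
SIEM_SUMMARY = """\
host=dc01 sourcetype=WinEventLog:Security last_event=2017-05-02T14:55:00Z count=48213
host=exch01 sourcetype=MSExchange:Transport last_event=2017-05-02T14:54:30Z count=9120
host=router2 sourcetype=syslog last_event=2017-04-29T03:12:00Z count=77
"""


def parse_summary(text):
    """Map host -> datetime of its newest event in the SIEM."""
    seen = {}
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        seen[kv["host"]] = datetime.strptime(kv["last_event"], "%Y-%m-%dT%H:%M:%SZ")
    return seen


def coverage_report(expected, summary_text, now, max_age=timedelta(hours=24)):
    """Classify every expected source as 'ok', 'stale' (seen, but its newest
    event is older than max_age) or 'missing' (never seen at all)."""
    seen = parse_summary(summary_text)
    report = {}
    for host in expected:
        if host not in seen:
            report[host] = "missing"
        elif now - seen[host] > max_age:
            report[host] = "stale"
        else:
            report[host] = "ok"
    return report


def gaps(report):
    """Hosts whose logs cannot be relied on for the investigation, sorted."""
    return sorted(h for h, status in report.items() if status != "ok")


if __name__ == "__main__":
    now = datetime(2017, 5, 2, 15, 0, 0)   # constructed time of triage
    rep = coverage_report(EXPECTED_SOURCES, SIEM_SUMMARY, now)
    for host in gaps(rep):
        print(f"{host:10} {rep[host]:8} {EXPECTED_SOURCES[host]}")
```

A stale source is called out separately from a missing one because it changes the next action: a missing source needs a forwarder configured before it can help the investigation at all, while a stale one may still hold the events from the incident window and just needs its pipeline repaired.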
![Slide 47](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/47.jpg)
Story Board IR – Timelining
![Slide 48](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/48.jpg)
Story Board IR – The Investigative File
Tour of OneNote IR Template
![Slide 49](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/49.jpg)
Story Board IR – The Investigative File – RAIs Root
I. Executive Summary
<< Executive high level summary of the event. Use common business language >>
Chain of Events (High Level):
<< Date:Time – brief sentence on the significant event. New line for each chain of event item >>
<< Date:Time – brief sentence on the significant event. New line for each chain of event item >>
II. Total Impact to Users and Systems
<< Intent here is to provide impact statements. Short, accurate, conveys impact to users and systems >>
III. Continued or Residual Risk to Systems and Data
<< The key determination: to discern whether ePHI, PII or PCI data remains at risk of being viewed, accessed or acquired (by unauthorized persons or not) >>
IV. Remediation, Ongoing Tasks AND/OR Review and Action Plans. The following section details the various remediation efforts and/or work assignments that took place as a result of this incident.
V. Summary Analysis/Findings and Root Cause
Summary statement information speaking to root cause and remediation actions taken.
Root Cause: << root cause statement >>
Action Items Completed During the Incident to Remediate: << one or more RAIs completed >>
Post Incident Recommended Remediation: << any further remediation recommendations >>
![Slide 50](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/50.jpg)
Story Board IR – The Investigative File – RAIs Root
![Slide 51](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/51.jpg)
Story Board IR – The Investigative File – RAIs Root
![Slide 52](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/52.jpg)
Story Board IR – The Investigative File – RAIs Root
V. Summary Analysis/Findings and Root Cause
Summary statement information speaking to root cause and remediation actions taken. If there are multiple root causes, an option is to break out each separate root cause in an individual paragraph. These root causes/findings will be recorded and tracked in RSAM as a Corrective Action Plan (CAP). NOTE: once the RCA/Findings are entered as a CAP in RSAM, return to this summary and post the RSAM CAP #s to this document.
Root Cause: Physician wireless segment is protected from production LAN using insecure ACLs.
Action Items Completed During the Incident to Remediate: Router "path" to bed management system closed down. Physicians redirected to Citrix based access to bed management system.
Post Incident Recommended Remediation: Ensure router configuration is decommissioned.
Root Cause: Bed Management System is a Windows 2000 server. Windows 2000 server is deprecated and should not be used for any production system or for storing ePHI.
Action Items Completed During the Incident to Remediate: Windows logs configured to dump to Splunk.
Post Incident Recommended Remediation: Business owner, vendor and IT teams to immediately begin work to stand up Win2012 R2 bed management system and decommission the Windows 2000 server. CAP 123456 created and assigned to security compliance team.
Root Cause: Firewall, Router and Bed Management server not logging to Splunk.
Action Items Completed During the Incident to Remediate: NA.
Post Incident Recommended Remediation: Configure Firewall, Router and Bed Management to log to Splunk.
Root Cause: << root cause statement >>
Action Items Completed During the Incident to Remediate: << one or more RAIs completed >>
Post Incident Recommended Remediation: << any further remediation recommended. These would result in a longer term Corrective Action Plan to be followed up on by the Security Compliance team >>
![Slide 53](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/53.jpg)
Story Board IR – The Incident Report (NO REWRITE)
ITS-CSIRT-PROC 07 Incident Findings and Recommended Action Items (RAI) Report.docx
![Slide 54](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/54.jpg)
Story Board IR – The Investigative File Timelining
![Slide 55](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/55.jpg)
Story Board IR – The Investigative File Timelining
![Slide 56](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/56.jpg)
Story Board IR – The Investigative File – Story Board
![Slide 57](https://reader034.vdocuments.site/reader034/viewer/2022051800/5ad480c47f8b9a1a028bf4ba/html5/thumbnails/57.jpg)
Story Board IR – The Investigative File Timelining
Story Board IR – That’s the Story
58
Bonus Content – (side bar discussion) if time and interest• Ransomware Threat Profile Investigative file• OneNote in Action : CHI WannaCry Response Management
Story Board IR Methodology (JUNE 2017)