Story Board IR Methodology (sans.org)
Deter, Detect, Defend & Respond
May 18, 2017

Gregg Braunton, National Director, CISSP, C|HFI, C|EH, GCFA, CSFE, GSEC, MCP, (G2B2)
Threat Management & Incident Response, Catholic Health Initiatives

Story Board IR Methodology (JUNE 2017)

CHI “About Us”

CHI Organizational Profile:
• 17 states
• 104 hospitals, 4 academic health centers and major teaching hospitals, as well as 30 critical-access facilities
• 100,000+ employees
• 2,500+ clinics; community health-services organizations; home-health agencies; living communities; and other facilities and services that span the inpatient and outpatient continuum of care


Agenda


The Context – The critical need for a functional IR framework

Why Storyboarding? – linear vs visual

Case Study – Physicians Wireless Incident

Work Products – reporting, data points, and building the investigative file

Q & A

*Case Study – (Side Bar Bonus Material) WannaCry Global Ransomware Response


Cyber Incident HITS your company HARD!

12 Servers, 2 Dozen PCs, Across 3 Data Centers

SOC Extra Staffing : $25,000

3rd party IR Team Parachute In : $250,000

Host, DB, Mobile, Data Network Forensics : $750,000

Media Management & Consultants : $250,000

Customer Notification : $50,000

Customer Info/Triage Helpdesk : $50,000

Cyber Insurance Deductible: $1,500,000

FREE IR Response Framework to Orchestrate, Investigate, Document & Report on the Incident: PRICELESS

Context – an IR framework helps to be “Compromise ready”


2017 BakerHostetler Data Security Incident Response Report


Story Board IR – Supporting the CSIRT Framework


The Context – The MOST IMPORTANT IR Component

DOCUMENTING and RETELLING the STORY

Initial Event → Triage → Analysis → Containment → Eradication → Recovery → Root Cause → Report → Metrics

The Context – IR framework key functional components

(1) A Charter – IR imperatives, authority, organization/staffing, roles and responsibilities

(2) CSIRT Framework – people, process, technology

(3) Investigative File

Why Storyboarding – You’ll need an accurate story

Storyboarding – Tools Needed – KISS principle


• WebEx/Screen Share and conference line

• OneNote

• Visio


Why Storyboarding – Synergy, Speed, Accuracy


4 components, 3 tools of story boarding

(1) (Visio) Incident diagram – establishing a common frame of reference using visualizations
• Relatable objects
• Live view, live feedback

(2) (WebEx & conference line) Interactive IR – fusion and synergy
a) Visually interactive IR: map out the problem set
b) Visually interactive IR: walk the “problem set” visually, annotating remediation action items (RAIs)
c) Synergy, speed, accuracy, (ALL TEAMS) representation

(3) (OneNote) Combined, structured workflow and notes, investigative file and report work product

(4) (Visio) Incident timeline – visual histogram

Why Storyboarding – Synergy, Speed, Accuracy


“Humans are not ideally set up to understand logic; they are ideally set up to understand stories.” —Roger Schank

… a person’s brain is hardwired to recognize and make sense of visual information more efficiently, which is useful considering that 90 percent of all information that comes to the brain is visual.

Why Storyboarding – Visual vs Text – 3 second TEST

Why Storyboarding – Synergy, Speed, Accuracy


If you consider body language, traffic signs, maps, facial cues, advertisements, and the plethora of other forms of visual communication a person experiences everyday, it’s not hard to see why our brains might have adapted to discern visual concepts easier. For example, 40 percent of nerve fibers to the brain are connected to the retina.

Visuals have been found to improve LEARNING by up to 400 percent.


Why Storyboarding – Synergy, Speed, Accuracy


Modern applications are already successfully experimenting with this information, with many mobile apps focusing on images, from Instagram and Snapchat to Pinterest and Vine. And it doesn’t seem to be a passing trend: Engagement per follower is 58 times higher on Instagram than on Facebook.

“Gone is the age of left brain dominance, the future belongs to storytellers.”—Daniel Pink


Proving visualizations work – a brief exercise


Traditional IR – Linear

vs

Storyboard IR - Visual

Proving visualizations work – text vs imagery

Traditional IR – mapping a web ecosystem

Main Portal hub: NEOCASE (Neocase), Employee Portal, “Web Portal Front End” https://chiep.neocaselive.com; local repository of policies, Live Chat / Case Mgmnt

Portal pivots to other HR-related sites:
• LEARN/HEALTHSTREAM (HealthStream) INTERNAL http://www.xxyylearn.com
• MYHEALTHYSPIRIT (CHI home grown) INTERNAL http://home.xxyy.net
• WORKDAY (Workday) https://wd5.xxyy.com/ :: HR data; self and team :: Manager Zone
• FIDELITY (Fidelity) https://abcd.xxyy.com :: 401K/403B/457 investment plan
• KRONOS (Kronos) INTERNAL https://kronosnavigator.xxyy.net :: time and attendance
• HEALTHEQUITY (Health Equity) https://www.xxyy.com :: personal health care spending account :: medical claim payment portal

Storyboard IR – mapping a web ecosystem

PORTAL (INSIDE CHI) :: links to HR/Payroll Connect
• WORKDAY (Workday) https://wd5.xxyy.com/ :: HR data; self and team :: Manager Zone
• Taleo https://chi2.xxyy.net/ :: job postings
• NEOCASE (Neocase) Employee Portal, Web Portal Front End https://chiep.neocaselive.com :: local repository of policies :: Live Chat / Case Mgmnt
• LEAVEPRO (Reed Group) https://chi.xxyy.com :: leave of absence
• HEALTHEQUITY (Health Equity) https://www.xxyy.com :: personal health care spending account :: medical claim payment portal
• FIDELITY (Fidelity) https://abcd.xxyy.com :: 401K/403B/457 investment plan
• MYHEALTHYSPIRIT (CHI home grown) INTERNAL http://home.xxyy.net
• https://chituition.tap.xxyy.com :: tuition reimbursement
• TALX (Equifax) https://secure.theworknumber.xxyy.com
• AON HEWITT https://lb32.resources.xxyy.com
• LEARN/HEALTHSTREAM (HealthStream) INTERNAL http://www.xxyylearn.com
• KRONOS (Kronos) INTERNAL https://kronosnavigator.xxyy.net :: time and attendance
• CLARITY INTERNAL https://epmo.chi.xxyy.net :: project management time tracking
• CHI FTP Pivot Server Xx.xx.xx.xx

Linear (figure)

Visual (figure)

The Context


Everyone Needs a Functional & Synergistic IR Framework

(1) Collaboration Space – common view
Technical synergy – WebEx, phone, recording
IR handlers (always 2 deep) synergy – OneNote

(2) Consistent Data Points and Artifacts
Start/stop time
Executive summaries
At-the-time-of-incident risk and residual risk
RAIs – Remediation/Response/Recovery Action Items
Time/effort/cost

(3) Investigative File (work product)
The story, visuals, diagrams, timelines (might be needed 2, 12, 24 months later)
OneNote


Case Study – physician wireless

Traditional IR – conference call, individual notes (confusion, different stories)

vs

Storyboard IR – visual: conference call, live visual, interactive diagramming, shared OneNote notes (order, synergistic story)

Traditional IR – initial IOC context


Initial IOC: CTI reports NATed address 66.76.4.188 hitting known sinkholes


Story Board IR – initial IOC context

NATed outbound 66.76.4.188 → MS sinkholes: spynet2.microsoft.com, spynetalt.microsoft.com

Traditional IR – infected machine context


Initial IOC: CTI reports NATed address 66.76.4.188 hitting sinkholes.
Source system: physician laptop 10.30.30.33 on the physician wireless, using the NATed address; FW logs show the mapping to the reported sinkhole.
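The pivot from the CTI indicator (a public NAT address seen at a sinkhole) back to the laptop is described above in one sentence. The following is an added example, not code from the presentation, showing how that pivot works over constructed firewall NAT and DNS resolver logs: the log formats, the timestamps and the 30-second correlation window are assumptions for illustration, and the two regular expressions are what you would adapt to a real firewall and resolver. The point it makes is that a NAT address is shared, so the translation log alone only narrows the candidates; a second source (here DNS) is needed to name the host.

```python
"""Pivot from a CTI sinkhole hit on a NATed address back to the internal host.

Added example (not from the presentation). The log formats below are
constructed for illustration; real firewall/DNS formats differ, so the
two regexes are the part you adapt.
"""
import re
from datetime import datetime, timedelta

SINKHOLES = {"spynet2.microsoft.com", "spynetalt.microsoft.com"}

# CTI report as received: (UTC timestamp, public address seen, sinkhole name)
CTI_HIT = ("2017-05-10T14:03:22", "66.76.4.188", "spynet2.microsoft.com")

# Constructed firewall NAT translation log: internal src -> public xlate, destination
FW_NAT_LOG = """\
2017-05-10T14:03:20 NAT src=10.30.30.10:51022 xlate=66.76.4.188:40011 dst=23.1.2.3:443
2017-05-10T14:03:21 NAT src=10.30.30.33:49877 xlate=66.76.4.188:40012 dst=204.79.197.200:443
2017-05-10T14:03:25 NAT src=10.30.30.15:50123 xlate=66.76.4.188:40013 dst=172.217.4.46:443
2017-05-10T14:40:01 NAT src=10.30.30.33:49901 xlate=66.76.4.188:40210 dst=204.79.197.200:443
"""

# Constructed DNS resolver log: which client asked for which name
DNS_LOG = """\
2017-05-10T14:03:19 DNS client=10.30.30.10 query=update.microsoft.com
2017-05-10T14:03:20 DNS client=10.30.30.33 query=spynet2.microsoft.com
2017-05-10T14:39:59 DNS client=10.30.30.33 query=spynetalt.microsoft.com
2017-05-10T14:03:24 DNS client=10.30.30.15 query=www.example.org
"""

NAT_RE = re.compile(r"^(\S+) NAT src=([\d.]+):\d+ xlate=([\d.]+):\d+ dst=([\d.]+):\d+$")
DNS_RE = re.compile(r"^(\S+) DNS client=([\d.]+) query=(\S+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse(log, regex):
    """Return (timestamp, field, field, ...) tuples for every line the regex matches."""
    rows = []
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            rows.append((_ts(m.group(1)),) + m.groups()[1:])
    return rows


def pivot_sinkhole_hit(cti_hit, fw_log, dns_log, window=timedelta(seconds=30)):
    """Name the internal host behind a CTI-reported NAT address.

    'strong' hosts were translated to the reported public address within
    +/- window of the CTI time AND resolved a sinkhole name in that window.
    'weak' hosts only share the NAT address in the window (same wireless
    segment, not yet implicated) and are the next places to look.
    """
    t0, public_ip = _ts(cti_hit[0]), cti_hit[1]
    lo, hi = t0 - window, t0 + window
    nat_hosts = {src for ts, src, xlate, dst in parse(fw_log, NAT_RE)
                 if xlate == public_ip and lo <= ts <= hi}
    dns_hosts = {client for ts, client, q in parse(dns_log, DNS_RE)
                 if q in SINKHOLES and lo <= ts <= hi}
    return {"strong": sorted(nat_hosts & dns_hosts),
            "weak": sorted(nat_hosts - dns_hosts)}


def first_sinkhole_contact(dns_log):
    """Earliest sinkhole lookup per host: the 'first seen' data point for the timeline."""
    first = {}
    for ts, client, q in parse(dns_log, DNS_RE):
        if q in SINKHOLES and (client not in first or ts < first[client]):
            first[client] = ts
    return {h: t.isoformat() for h, t in first.items()}


if __name__ == "__main__":
    print(pivot_sinkhole_hit(CTI_HIT, FW_NAT_LOG, DNS_LOG))
    print(first_sinkhole_contact(DNS_LOG))
```

In the case study this yields 10.30.30.33 (BYOD33) as the strong match, with BYOD10 and BYOD15 listed as the other hosts that shared the NAT address in the window; those are exactly the neighbours the storyboard diagram draws next to the infected laptop.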

Story Board IR – infected machine context

Physician wireless hosts behind the NAT:
• 10.30.30.10 Host: BYOD10
• 10.30.30.33 Host: BYOD33
• 10.30.30.15 Host: BYOD15

NATed outbound 66.76.4.188 → MS blackholes: spynet2.microsoft.com, spynetalt.microsoft.com

Egress controls: URL filtering, SIEM logging, DLP

Traditional IR – infected host system/data connection context, what is at risk?


Initial IOC: CTI reports NATed address 66.76.4.188 hitting sinkholes.
Source system: physician laptop 10.30.30.33 on the physician wireless, using the NATed address; FW logs show the mapping to the reported sinkhole.
Connectivity and at-risk systems: physicians use BYOD PCs on the physician wireless, which provides access via a router to the hospital bed management system. Doctors also connect to their private clinic over RDP to access PT records in the clinic EMR. ACLs on the router are not locked down: ANY/ANY between the interfaces connecting the physician wireless to the production network.
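The ANY/ANY ACL is the first root cause the investigative file later records. The following is an added example, not from the presentation, that parses the two ACL lines in the deck's own shorthand ("10.30.30/23 permit TCP to host 10.1.1.107 port ANY") and asks what a compromised laptop on the physician wireless could reach on BEDAPP01, and what BEDAPP01 could reach back. The "hardened" rule set at the bottom is a hypothetical illustration of a least-privilege version, not CHI's actual remediation (the deck says the router path was closed and physicians were moved to Citrix).

```python
"""What does the physician-wireless <-> production ACL actually permit?

Added example, not from the presentation. Rules use the deck's shorthand;
HARDENED_ACL is a hypothetical least-privilege illustration, not CHI's fix.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+to\s+"
    r"(?:host\s+)?(?P<dst>\S+)\s+port\s+(?P<port>\S+)$", re.I)


def _net(s):
    """Accept the deck's shorthand '10.30.30/23' as well as full CIDR or a bare host."""
    if "/" in s:
        addr, plen = s.split("/")
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))   # 10.30.30/23 -> 10.30.30.0/23
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return ipaddress.ip_network(f"{s}/32")


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    port = m["port"].upper()
    return {"src": _net(m["src"]), "action": m["action"].lower(),
            "proto": m["proto"].upper(), "dst": _net(m["dst"]),
            "ports": None if port == "ANY" else {int(p) for p in port.split(",")}}


def permits(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation with an implicit deny at the end, as router ACLs behave."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in r["src"] and d in r["dst"]
                and r["proto"] in (proto.upper(), "IP")
                and (r["ports"] is None or port in r["ports"])):
            return r["action"] == "permit"
    return False


def overly_permissive(rules):
    """Permit rules with 'port ANY': the segment boundary is then a hop, not a control."""
    return [r for r in rules if r["action"] == "permit" and r["ports"] is None]


# The ACL exactly as drawn in the deck: two-way, port ANY in both directions.
DECK_ACL = [parse_rule(t) for t in (
    "10.30.30/23 permit TCP to host 10.1.1.107 port ANY",
    "10.1.1.107 permit TCP to 10.30.30/23 port ANY",
)]

# Hypothetical hardened version (assumption: the bed app is the IIS/.ASP site,
# so only 80/443 inbound to it; nothing from the server back to the laptops).
HARDENED_ACL = [parse_rule(t) for t in (
    "10.30.30/23 permit TCP to host 10.1.1.107 port 80,443",
    "10.30.30/23 deny IP to 10.1.1.0/24 port ANY",
    "10.1.1.107 deny IP to 10.30.30/23 port ANY",
)]

# Ports an attacker on the laptop would try against a Windows 2000 server.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 135: "RPC/DCOM", 80: "HTTP"}


def exposure(rules, src="10.30.30.33", dst="10.1.1.107"):
    """Per-service reachability from the infected laptop to BEDAPP01."""
    return {name: permits(rules, src, dst, "TCP", p) for p, name in LATERAL_PORTS.items()}


if __name__ == "__main__":
    print("deck ACL:    ", exposure(DECK_ACL))
    print("hardened ACL:", exposure(HARDENED_ACL))
    print("port-ANY permits in deck ACL:", len(overly_permissive(DECK_ACL)))
```

Under the deck's ACL every service on BEDAPP01 is reachable from BYOD33, and BEDAPP01 can in turn reach any laptop on the wireless segment; under the hardened set only HTTP remains and the return path is gone. Running the check in both directions matters because the second ACL line, the server-to-wireless permit, is the one that is easy to overlook on a call.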

Story Board IR – infected host system/data connection context, what is at risk?

Physician wireless hosts behind the NAT:
• 10.30.30.10 Host: BYOD10
• 10.30.30.33 Host: BYOD33
• 10.30.30.15 Host: BYOD15

NATed outbound 66.76.4.188 → MS blackholes: spynet2.microsoft.com, spynetalt.microsoft.com
Egress controls: URL filtering, SIEM logging, DLP

Production LAN (Hospital), reached over a 2-way ACL / static route:
• 10.30.30/23 permit TCP to host 10.1.1.107 port ANY
• 10.1.1.107 permit TCP to 10.30.30/23 port ANY

Bed Mgmnt System App, Host: BEDAPP01, 10.1.1.107, Win2000, IIS .ASP site, AD authentication to app

Docs’ private office: RDP into clinic EMR; Small Business Server (DC, File/Print, IIS, DB, SharePoint, Exchange)

Story Board IR – flushing out sources of data/logs/artifacts/IOC threads


Initial IOC: CTI reports NATed address 66.76.4.188 hitting sinkholes.
Source system: physician laptop 10.30.30.33 on the physician wireless, using the NATed address; FW logs show the mapping to the reported sinkhole.
Connectivity and at-risk systems: physicians use BYOD PCs on the physician wireless, which provides access via a router to the hospital bed management system. Docs also connect to their private clinic over RDP to access PT records in the clinic EMR.
Other connectivity: the bed management system sits on the internal LAN, locally connected to other production systems on the backbone via router and ACLs.
Other system information: other systems on the network include a SIEM, AD controllers and an MS Exchange server. There is a separate internal production egress point to the Internet protected by a FW with URL filtering, DLP and logging to the SIEM.

Story Board IR – flushing out sources of data/logs/artifacts/IOC threads

St. Joseph Hospital, 3100 Main St, Solute, NC (Darby, NC)

Physician wireless hosts behind the NAT:
• 10.30.30.10 Host: BYOD10
• 10.30.30.33 Host: BYOD33
• 10.30.30.15 Host: BYOD15

NATed outbound 66.76.4.188 → MS blackholes: spynet2.microsoft.com, spynetalt.microsoft.com
Egress controls: URL filtering, SIEM logging, DLP

Production LAN, reached over a 2-way ACL / static route:
• 10.30.30/23 permit TCP to host 10.1.1.107 port ANY
• 10.1.1.107 permit TCP to 10.30.30/23 port ANY
• Router1 10.20.1.1, Router2 10.20.1.2

Datacenter: Domain Controller, Splunk SIEM

Bed Mgmnt System App, Host: BEDAPP01, 10.1.1.107, Win2000 Server, IIS .ASP site, AD authentication to app

Exchange 2010 Server, OWA Internet access URL https://webmail.hospital.org

Docs’ private office: RDP into clinic EMR; Small Business Server (DC, File/Print, IIS, DB, SharePoint, Exchange)

Each node in the diagram is tagged with its evidence sources: “Logs” where a log source exists, and “DFIRdm” / “DFIRd” where DFIR artifacts are to be collected.

Story Board IR – Timelining


Story Board IR – The Investigative File


Tour of OneNote IR Template


Story Board IR – The Investigative File – RAIs Root


I. Executive Summary

<< Executive high level summary of the event. Use common business language >>

Chain of Events (High Level):

<< Date:Time – brief sentence on the significant event. New line for each chain of event item >>

<< Date:Time – brief sentence on the significant event. New line for each chain of event item >>

II. Total Impact to Users and Systems

<< Intent here is to provide impact statements. Short, accurate, conveys impact to users and systems >>

III. Continued or Residual Risk to Systems and Data

<< The key determination: discern whether ePHI, PII or PCI data remains at risk of being viewed, accessed or acquired by unauthorized persons >>

IV. Remediation, Ongoing Tasks AND/OR Review and Action Plans

The following section details the various remediation efforts and/or work assignments that took place as a result of this incident.

V. Summary Analysis/Findings and Root Cause

Summary statement information speaking to root cause and remediation actions taken.

Root Cause: << root cause statement >>

Action Items Completed During the Incident to Remediate: << one or more RAIs completed >>

Post Incident Recommended Remediation: << any further remediation recommendations >>
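The “Chain of Events” in section I and the start/stop and time-to-contain data points are the parts of the investigative file most often wrong, and the usual reason is that the sources report in different time zones (a CTI feed in UTC, firewall and SOC notes in local time). The following is an added example, not from the presentation, that builds those lines from tz-aware events so they sort and display consistently; the events, sources and the fixed UTC-4 offset standing in for local time are constructed for illustration (use zoneinfo for real DST-aware zones).

```python
"""Build the 'Chain of Events' and start/stop data points for the investigative file.

Added example, not from the presentation. Events are constructed to match the
physician-wireless case study; source timestamps deliberately arrive in mixed
time zones because that is how timelines go wrong.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EASTERN = timezone(timedelta(hours=-4))   # fixed offset for the example only


@dataclass(frozen=True)
class Event:
    when: datetime     # tz-aware; naive timestamps are never stored
    source: str        # where the fact came from (log, team, vendor)
    summary: str       # one sentence, business language where possible
    phase: str         # Initial/Triage/Analysis/Containment/Eradication/Recovery/Root Cause


def event(ts, tz, source, summary, phase):
    """Attach the source's own time zone explicitly at ingest time."""
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=tz),
                 source, summary, phase)


# Constructed sample events (not the real CHI incident record)
EVENTS = [
    event("2017-05-10 10:03", UTC,     "CTI feed",     "NATed address 66.76.4.188 reported hitting Microsoft sinkhole", "Initial"),
    event("2017-05-10 07:45", EASTERN, "SOC",          "Ticket opened; two IR handlers assigned", "Triage"),
    event("2017-05-10 08:10", EASTERN, "FW NAT log",   "Translation mapped to physician laptop 10.30.30.33 (BYOD33)", "Analysis"),
    event("2017-05-10 09:30", EASTERN, "Network team", "Router path from physician wireless to BEDAPP01 closed", "Containment"),
    event("2017-05-10 11:15", EASTERN, "Desktop team", "BYOD33 isolated from wireless and collected for forensics", "Containment"),
    event("2017-05-11 16:00", EASTERN, "IR lead",      "Physicians redirected to Citrix access for bed management", "Recovery"),
]


def chain_of_events(events, tz=UTC):
    """Sorted, single-zone 'Date:Time (source) - sentence' lines for section I of the report."""
    return [f"{e.when.astimezone(tz):%Y-%m-%d %H:%M %Z} ({e.source}) - {e.summary}"
            for e in sorted(events, key=lambda e: e.when)]


def start_stop(events):
    """Start time, stop time and elapsed time: the consistent data points the deck asks for."""
    ordered = sorted(e.when for e in events)
    return ordered[0], ordered[-1], ordered[-1] - ordered[0]


def time_to_contain(events):
    """Elapsed time from the first event to the first Containment event (None if never contained)."""
    start = min(e.when for e in events)
    contained = [e.when for e in events if e.phase == "Containment"]
    return (min(contained) - start) if contained else None


if __name__ == "__main__":
    for line in chain_of_events(EVENTS):
        print(line)
    print("start/stop/elapsed:", start_stop(EVENTS))
    print("time to contain:", time_to_contain(EVENTS))
```

Sorted on the raw local strings, the SOC ticket (07:45) would appear to precede the CTI report (10:03); converted to one zone the CTI hit comes first at 10:03 UTC and the ticket at 11:45 UTC, which is the order the story has to be retold in months later.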

Story Board IR – The Investigative File – RAIs Root

V. Summary Analysis/Findings and Root Cause

Summary statement information speaking to root cause and remediation actions taken. If there are multiple root causes, an option is to break out each separate root cause in an individual paragraph. These root causes/findings will be recorded and tracked in RSAM as a Corrective Action Plan (CAP). NOTE: once the RCA/findings are entered as a CAP in RSAM, return to this summary and post the RSAM CAP #s to this document.

Root Cause: Physician wireless segment is protected from production LAN using insecure ACLs.

Action Items Completed During the Incident to Remediate: Router “path” to bed management system closed down. Physicians redirected to Citrix-based access to bed management system.

Post Incident Recommended Remediation: Ensure router configuration is decommissioned.

Root Cause: Bed Management System is a Windows 2000 server. Windows 2000 Server is deprecated and should not be used for any production system or for storing ePHI.

Action Items Completed During the Incident to Remediate: Windows logs configured to dump to Splunk.

Post Incident Recommended Remediation: Business owner, vendor and IT teams to immediately begin work to stand up a Win2012 R2 bed management system and decommission the Windows 2000 server. CAP 123456 created and assigned to security compliance team.

Root Cause: Firewall, Router and Bed Management server not logging to Splunk.

Action Items Completed During the Incident to Remediate: NA.

Post Incident Recommended Remediation: Configure Firewall, Router and Bed Management server to log to Splunk.

Root Cause: << root cause statement >>

Action Items Completed During the Incident to Remediate: << one or more RAIs completed >>

Post Incident Recommended Remediation: << any further remediation recommended. These would result in a longer-term Corrective Action Plan to be followed up on by the Security Compliance team >>

Story Board IR – The Incident Report (NO REWRITE)

ITS-CSIRT-PROC 07 Incident Findings and Recommended Action Items (RAI) Report.docx

Story Board IR – The Investigative File Timelining

Story Board IR – The Investigative File – Story Board

Story Board IR – That’s the Story

Bonus Content – (side bar discussion) if time and interest
• Ransomware Threat Profile Investigative file
• OneNote in Action: CHI WannaCry Response Management