YOU’VE BEEN BREACHED NOW WHAT? ARE YOU PREPARED? MIKE SAUNDERS – CISSP, GCIH, GWAPT, GPEN HARDWATER INFORMATION SECURITY, LLC

Upload: mike-saunders

Post on 21-Jul-2015


About Mike

In IT full-time since 1998

Entered IT Security in 2007

Certifications: CISSP, GCIH, GPEN, GWAPT

Agenda

Definition of a breach

Background statistics on breaches

Preparing your response plan

Putting your plan into action

Links to resources

Key Assumptions

Small to medium-sized business (SMB)

◦ Typically fewer than 500 employees

Few IT resources, few or none dedicated to IT security

What Is a Breach?

A breach means an intrusion into a computer system, i.e. hacking, or exposure of sensitive data

Causes of a breach:

◦ mistakes

◦ crimes of opportunity

◦ targeted attacks

◦ viruses

◦ web-delivered malware

◦ malicious insiders

◦ unintentional disclosures

◦ loss/theft of laptop or media

High Profile Breaches

Anthem BCBS, Premera, Montana DPHHS

Target, Home Depot, Staples

Michaels, eBay, Snapchat

SendGrid, White Lodging (2x), Dairy Queen

Jimmy Johns, Goodwill, P.F. Chang’s

California DMV, Sony. Did I mention Sony?

Closer to Home

Hornbachers (SUPERVALU)

ND University System

We’re Too Small to be a Target

Verizon 2015 DBIR – 2,122 incidents of confirmed data loss

◦ 573 in small business

2015 Symantec ISTR – 34% of spear phishing attacks directed at companies with fewer than 250 employees

44% of small businesses reported a breach

◦ 2013 National Small Business Association Technology Survey

60% of all attacks targeted small and medium businesses

◦ 2015 Symantec ISTR

Costs of a Breach

Verizon estimates between $52k and $87k in costs for 1,000 records lost

Fines

Possible jail terms under HIPAA

Loss of customer and business partner confidence

Incident Response Framework

P – Preparation

I – Identification

C – Containment

E – Eradication

R – Recovery

L – Lessons Learned

Preparation

There are no secrets to success. It is the result of preparation, hard work, and learning from failure. – Colin Powell

Preparation: Getting Started

Get management support and an executive sponsor!

Define your incident handling team members

◦ Not just IT! IT, Security, Legal, HR, PR, Management, external IT vendor

◦ Designate an incident leader. This person needs to be calm under fire

Preparation: The Crown Jewels

Define what’s important to your organization

◦ Email

◦ Online sales

◦ Data

◦ Proprietary information / trade secrets

Define these up front so they guide protection and monitoring efforts

Preparation: Basics

Charter

◦ Executive level authorization to perform IR duties

Policies

◦ Strong policies help enforce compliance and define roles and responsibilities

◦ Incident Handling policies provide legal authority to investigate, “sniff” network traffic, monitor activities

Procedures

◦ Clear, thorough, tested procedures help reduce confusion when tensions are high

◦ Checklists

◦ Notification procedures – legal, PR, law enforcement

Preparation: Communications

Define a communications plan

◦ Email and phone may be down or compromised; make sure you have cell numbers

◦ Identify alternate contacts

◦ Don’t forget to include IT vendor, network provider, etc.

◦ Law enforcement

◦ Test your calling tree at least annually

◦ Keep paper copies and keep them up to date

Preparation: Testing and Practice

Perform incident handling tabletop exercises

◦ When problems are identified, be sure to update procedures

Perform live response exercise annually

Identification: Sources

Logs / SIEM

◦ When in doubt, err on the side of excessive logging

◦ NSA – “Spotting the Adversary” document (see Resources)

◦ Firewalls

◦ Authentication success & fail

◦ AV / IDS

◦ DHCP

◦ DNS

◦ Web servers

Helpdesk

3rd parties & business partners
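The slide lists authentication success and failure logs as a primary identification source. As an added illustration (not part of the original deck), the script below shows the kind of check a small team can run over those logs without a SIEM: it parses OpenSSH-style syslog lines, flags a source address that piles up failed logins inside a short window, and separately flags a successful login from a source that had already reached that failure count, which is the case most worth a human look. The log lines, host names, user names, thresholds and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH syslog style; not real log data.
SAMPLE_LOG = """\
2015-07-21T09:00:01 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2015-07-21T09:00:03 fileserver sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
2015-07-21T09:00:04 fileserver sshd[2212]: Failed password for root from 203.0.113.7 port 51024 ssh2
2015-07-21T09:00:06 fileserver sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
2015-07-21T09:00:08 fileserver sshd[2214]: Failed password for root from 203.0.113.7 port 51026 ssh2
2015-07-21T09:00:10 fileserver sshd[2215]: Failed password for root from 203.0.113.7 port 51027 ssh2
2015-07-21T09:00:12 fileserver sshd[2216]: Accepted password for bob from 203.0.113.7 port 51028 ssh2
2015-07-21T09:01:00 fileserver sshd[2230]: Accepted publickey for alice from 192.0.2.10 port 40110 ssh2
2015-07-21T09:02:00 fileserver sshd[2231]: Failed password for alice from 192.0.2.10 port 40111 ssh2
2015-07-21T09:02:05 fileserver sshd[2232]: Accepted password for alice from 192.0.2.10 port 40112 ssh2
"""

# Matches both "Accepted <method> for <user>" and
# "Failed <method> for [invalid user] <user>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_lines(text):
    """Turn raw syslog text into a list of login events; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "host": m["host"],
            "user": m["user"],
            "src": m["src"],
            "success": m["result"] == "Accepted",
        })
    return events


def find_auth_anomalies(events, threshold=5, window_seconds=300):
    """Return findings in time order.

    password_guessing: a source reached `threshold` failures within `window_seconds`.
    success_after_failures: a source logged in successfully while still at or
    above the threshold, which deserves the first look by the handler.
    """
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()                # sources already reported for guessing
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # Drop failures that fell out of the sliding window.
        recent = [t for t in failures[src]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        failures[src] = recent
        if ev["success"]:
            if len(recent) >= threshold:
                findings.append({"type": "success_after_failures", "src": src,
                                 "user": ev["user"], "host": ev["host"],
                                 "failures": len(recent)})
        else:
            recent.append(ev["ts"])
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"type": "password_guessing", "src": src,
                                 "host": ev["host"], "failures": len(recent)})
    return findings


if __name__ == "__main__":
    for f in find_auth_anomalies(parse_auth_lines(SAMPLE_LOG)):
        print(f)
```

On the constructed sample, the single-failure-then-success from 192.0.2.10 stays below the threshold and produces nothing, while 203.0.113.7 produces one guessing finding and one success-after-failures finding for user bob. The threshold and window are the knobs to tune against your own baseline of normal typos.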

Identification: Assessment

First priority is to determine if a security incident occurred

Document the following

◦ Affected machine(s)

◦ Logged on users

◦ Open network connections

◦ Running processes

◦ How the incident was identified

◦ Who reported it

◦ When it was reported

◦ What was happening

Containment

Focus is stopping the spread

Follow documented containment procedures

Isolate affected host(s)

◦ Pull network cable / power down / firewall off

Use attack signatures to build rules

◦ email / web filtering / IPS

Image affected machines, store offline

◦ Tested forensics procedures are essential

Continue documenting all activities

Containment: Notification

Follow communications plan, notify internal parties as appropriate

If you’re going to contact law enforcement, now is the time

Contact legal counsel

Eradication

Focus is removal and restoration of affected systems

Wipe / Rebuild / Restore

Apply missing patches

Scan for indicators of compromise

Apply mitigations – firewall / WAF / IDS / update AV

Change passwords

Recovery

Goal is to bring systems back online without causing another incident

Verify the issue is resolved

Increase monitoring

◦ Determine duration of increased monitoring

Mistakes Happen

Success does not consist in never making mistakes, but in never making the same one a second time.

– George Bernard Shaw

Lessons Learned

Be sure to hold a lessons learned session after a breach

◦ Hold within two weeks

◦ Identify what failed and why

◦ Implement fixes and update documentation

Execution

Document all steps in a notebook

◦ Helps to have one person working, another keeping notes

Measure twice, cut once… First, do no harm…

◦ In other words, don’t be too hasty

Step back to see the forest for the trees
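Three slides above ask for the same discipline: record the identification details (affected hosts, logged-on users, open connections, running processes, who reported what and when), keep imaged machines and their hashes offline, and have one person keep contemporaneous notes while another works. As an added example that is not part of the original deck, the small notebook below ties those together: every entry is timestamped, attributed to its author and chained to the previous entry by SHA-256, so a later reviewer (or counsel) can verify the record was not edited after the fact, and an evidence image is logged with its file hash at the time it was taken. The incident id, host names, users, connections and timestamps are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


class IncidentNotebook:
    """Append-only, hash-chained record of incident handling steps."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, with stable key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, author, action, details=None, when=None):
        """Append one note. `when` defaults to the current UTC time."""
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "author": author,
            "action": action,
            "details": details or {},
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if sequence numbers, chain links and every digest still agree."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def dump(self):
        return json.dumps({"incident_id": self.incident_id, "entries": self.entries}, indent=2)


def sha256_file(path, chunk_size=1 << 20):
    """Streaming SHA-256 of a file, so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_example_notebook(image_path=None):
    """Constructed walk-through of the identification and containment notes."""
    nb = IncidentNotebook("INC-2015-0001")  # hypothetical incident id
    t0 = datetime(2015, 7, 21, 14, 5, tzinfo=timezone.utc)  # constructed times
    nb.add("notetaker", "incident reported", {
        "reported_by": "helpdesk",
        "reported_at": t0.isoformat(),
        "what_was_happening": "user reports antivirus alert and slow workstation",
    }, when=t0)
    nb.add("notetaker", "initial assessment", {
        "affected_hosts": ["ws-042"],
        "logged_on_users": ["jdoe"],
        "open_connections": ["10.0.5.42:49231 -> 198.51.100.23:443"],
        "running_processes": ["svchost.exe", "updater.exe"],
    }, when=t0 + timedelta(minutes=10))
    nb.add("handler", "containment: host isolated",
           {"method": "network cable pulled"}, when=t0 + timedelta(minutes=12))
    if image_path:
        nb.add("handler", "evidence image hashed", {
            "path": image_path,
            "sha256": sha256_file(image_path),
        }, when=t0 + timedelta(minutes=40))
    return nb


if __name__ == "__main__":
    # Stand in for a disk image with a constructed temporary file.
    fd, path = tempfile.mkstemp(suffix=".img")
    os.write(fd, b"constructed image bytes")
    os.close(fd)
    notebook = build_example_notebook(path)
    print(notebook.dump())
    print("chain intact:", notebook.verify())
    os.remove(path)
```

Keep the dumped JSON (or a printout of it) with the paper notes the deck recommends; re-running `verify()` on the saved file later shows whether any entry was altered, because changing one field breaks that entry's digest and every link after it.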

Summary

Organizations of all sizes are being attacked

Effective incident response is about preparation and practice, not about tools!

Incident response plans are key to recovery and limiting liability

There is a vast array of resources available to help you build your plan

Resources

Local law enforcement, including FBI

Professional Security Organizations

◦ ISSA

◦ https://sites.google.com/site/northdakotaissa/

◦ InfraGard

◦ http://infragard-nd.org

SANS

◦ https://www.sans.org/

NOREX

◦ https://www.norex.net/

Resources

Creating a Computer Security Incident Response Team (CSIRT)

◦ http://www.cert.org/csirts/Creating-A-CSIRT.html

NIST SP800-61 Rev. 2: Computer Security Incident Handling Guide

◦ http://crsc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

SANS Incident Handling Forms

◦ http://www.sans.org/score/incidentforms/

Incident Handler’s Handbook

◦ https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Incident Handling Annual Testing and Training

◦ https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565

Resources

SANS Policy Templates

◦ https://www.sans.org/security-resources/policies/

SANS Reading Room

◦ http://www.sans.org/reading_room/

An Incident Handling Process for Small and Medium Businesses

◦ http://www.sans.org/reading_room/whitepapers/incident/incident-handling-process-small-medium-businesses_1791

Blue Team Handbook: Incident Response Edition

◦ ISBN-13: 978-1500734756

◦ http://www.amazon.com/Blue-Team-Handbook-condensed-Responder/dp/1500734756/

Resources

NSA – Spotting the Adversary With Windows Event Log Monitoring

◦ https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

U.S. D.O.J. Best Practices for Victim Response and Reporting

◦ http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf

Table Top Exercises for Incident Response

◦ http://seanmason.com/2015/04/20/table-top-exercises-ttx/

When Breaches Happen: Top Five Questions to Prepare For

◦ https://www.sans.org/reading-room/whitepapers/analyst/breaches-happen-top-questions-prepare-35220

Corporate Incident Response – Why You Can’t Afford to Ignore It

◦ http://www.mcafee.com/us/resources/white-papers/foundstone/wp-corp-incident-response.pdf

References

Verizon 2015 Data Breach Investigations Report

◦ http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf

Symantec 2015 Internet Security Threat Report

◦ https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf

2013 National Small Business Association Technology Survey

◦ http://www.nsba.biz/wp-content/uploads/2013/09/Technology-Survey-2013.pdf

Contact

[email protected]

@hardwaterhacker

http://hardwatersec.blogspot.com/

Questions?