YOU WILL BE BREACHED ARE YOU PREPARED? MIKE SAUNDERS – CISSP, GCIH, GWAPT, GPEN HARDWATER INFORMATION SECURITY, LLC

Uploaded by mike-saunders, posted 09-Aug-2015

TRANSCRIPT

Page 1: You Will Be Breached

YOU WILL BE BREACHED

ARE YOU PREPARED?

MIKE SAUNDERS – CISSP, GCIH, GWAPT, GPEN

HARDWATER INFORMATION SECURITY, LLC

Page 2: You Will Be Breached

About Mike

In IT full-time since 1998

Entered IT Security in 2007

Page 3: You Will Be Breached

Agenda

Definition of a breach

Background statistics on breaches

Preparing your response plan

Putting your plan into action

Links to resources

Page 4: You Will Be Breached

Key Assumptions

Small to medium-sized business (SMB)
◦ Typically fewer than 500 employees

Few IT resources, few or none dedicated to IT security

Incident Response IS NOT about tools!

Page 5: You Will Be Breached

What Is a Breach?

Breach means an intrusion into a computer system, i.e. hacking, or exposure of sensitive data

Causes of a breach:
◦ Crimes of opportunity
◦ Targeted attacks
◦ Viruses
◦ Web-delivered malware
◦ Malicious insiders
◦ Mistakes / unintentional disclosure
◦ Loss / theft of laptop or media

Page 6: You Will Be Breached

Lots of Breaches

Anthem BCBS, Premera, CareFirst, OPM, Target, Home Depot, Staples, eBay, Snapchat, SendGrid, White Lodging (2x), Dairy Queen, Jimmy Johns, Goodwill, SUPERVALU, California DMV, Sony. Did I mention Sony?

The list goes on, and on, and on…

Page 7: You Will Be Breached

We’re Too Small to be a Target

Verizon 2015 DBIR – 2,122 incidents of confirmed data loss
◦ 573 in small business

2015 Symantec ISTR – 34% of spear phishing attacks directed at companies with fewer than 250 employees

60% of all attacks targeted small and medium businesses
◦ 2015 Symantec ISTR

44% of small businesses reported a breach
◦ 2013 National Small Business Association Technology Survey

Page 8: You Will Be Breached

Costs of a Breach

Verizon estimates between $52k - $87k in costs for 1000 records lost

Fines

Possible jail terms under HIPAA

Loss of customer and business partner confidence

Page 9: You Will Be Breached

Incident Response Framework

P – Preparation

I – Identification

C – Containment

E – Eradication

R – Recovery

L – Lessons Learned

Page 10: You Will Be Breached

Preparation

There are no secrets to success. It is the result of preparation, hard work, and learning from failure. – Colin Powell

Page 11: You Will Be Breached

Preparation: Getting Started

Get management support and executive sponsor!

Define your incident handling team members
◦ Not just IT! IT, Security, Legal, HR, PR, Management, external IT vendor
◦ Designate an incident leader. This person needs to be calm under fire

Page 12: You Will Be Breached

Preparation: The Crown Jewels

Need to define what’s important to your organization to guide protection / monitoring
◦ Email
◦ Online sales
◦ Data
◦ Proprietary information / trade secrets

Page 13: You Will Be Breached

Preparation: Basics

Charter
◦ Executive level authorization to perform IR duties

Policies
◦ Strong policies help enforce compliance and define roles and responsibilities
◦ Incident Handling policies provide legal authority to investigate, “sniff” network traffic, monitor activities

Procedures
◦ Clear, thorough, tested procedures help reduce confusion when tensions are high
◦ Checklists
◦ Notification procedures – legal, PR, law enforcement

Page 14: You Will Be Breached

Preparation: Communications

Define a communications plan
◦ Email and phone may be down or compromised; make sure you have cell numbers
◦ Identify alternate contacts
◦ Don’t forget to include IT vendor, network provider, etc.
◦ Law enforcement
◦ Test your calling tree at least annually
◦ Keep paper copies and keep them up to date

Page 15: You Will Be Breached

Preparation: Testing and Practice

Perform incident handling tabletop exercises
◦ When problems are identified, be sure to update procedures

Perform live response exercise annually

Page 16: You Will Be Breached

Identification: Sources

Logs / SIEM
◦ When in doubt, err on excessive logging
◦ NSA – Spotting the Adversary document
◦ Firewalls
◦ Authentication success & fail
◦ AV / IDS
◦ DHCP
◦ DNS
◦ Web servers

Helpdesk

3rd parties & business partners
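The "authentication success & fail" point deserves a concrete illustration: a single failed logon means little, but a run of failures from one source followed by a success from that same source is exactly the pattern you can only see when both outcomes are logged. The script below is an added example and is not part of the presentation. The log records are constructed, in a simplified Windows Security-log layout (timestamp, event ID, account, source address); the event IDs 4625 (failed logon) and 4624 (successful logon) are real Windows IDs, everything else (addresses, account names, thresholds) is invented for the demo.

```python
"""Spot password guessing that ends in a successful logon.

Added example for the "authentication success & fail" log source; it is not
part of the presentation. The records below are constructed and use a
simplified Windows Security-log layout: timestamp, event ID (4625 = failed
logon, 4624 = successful logon), account name, source address.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real log data.
SAMPLE_LOG = """\
2015-08-09T08:00:01 4625 jsmith 203.0.113.45
2015-08-09T08:00:03 4625 jsmith 203.0.113.45
2015-08-09T08:00:05 4625 jsmith 203.0.113.45
2015-08-09T08:00:07 4625 jsmith 203.0.113.45
2015-08-09T08:00:09 4625 jsmith 203.0.113.45
2015-08-09T08:00:12 4624 jsmith 203.0.113.45
2015-08-09T08:10:00 4625 bjones 192.168.1.20
2015-08-09T08:30:00 4624 bjones 192.168.1.20
2015-08-09T09:00:00 4624 admin 192.168.1.5
"""

FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"


def parse_record(line):
    """Split one constructed record into (timestamp, event_id, account, source)."""
    ts, event_id, account, source = line.split()
    return datetime.fromisoformat(ts), event_id, account, source


def find_guessing_then_success(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one hit per (account, source) pair that logged at least `threshold`
    failed logons inside `window` and then a successful logon from that source.

    The threshold and window are assumed values for the demo; tune them to
    the lockout policy and normal typo rate of the environment."""
    recent_failures = defaultdict(deque)   # (account, source) -> failure timestamps
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = parse_record(line)
        failures = recent_failures[(account, source)]
        # Drop failures that have fallen out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if event_id == FAILED_LOGON:
            failures.append(ts)
        elif event_id == SUCCESSFUL_LOGON and len(failures) >= threshold:
            hits.append({"account": account, "source": source,
                         "failures": len(failures), "success_at": ts})
            failures.clear()
    return hits


if __name__ == "__main__":
    for hit in find_guessing_then_success(SAMPLE_LOG):
        print(f"{hit['success_at'].isoformat()} {hit['account']} from {hit['source']}: "
              f"{hit['failures']} failures, then success")
```

On the constructed data only the jsmith sequence fires: bjones has one failure twenty minutes before the success, which falls outside the window, and admin never fails. The design point is that success events are as important as failures; a SIEM that only keeps 4625 records cannot tell a locked-out attacker from one who eventually got in.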

Page 17: You Will Be Breached

Identification: Assessment

First priority is to determine if a security incident occurred

Document the following
◦ Affected machine(s)
◦ Logged on users
◦ Open network connections
◦ Running processes
◦ How incident was identified
◦ Who reported it
◦ When it was reported
◦ What was happening

Page 18: You Will Be Breached

Containment

Focus is stopping the spread

Follow documented containment procedures

Isolate affected host(s)
◦ Pull network cable / power down / firewall off
◦ Use attack signatures to build rules: email / web filtering / IPS

Image affected machines, store offline
◦ Tested forensics procedures are essential

Continue documenting all activities
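"Use attack signatures to build rules" and "stopping the spread" go together: the indicators pulled from the first isolated host become block rules at the perimeter and, run back over the DNS log, show which other hosts reached the same infrastructure and need isolating too. The following is an added example, not material from the presentation. The indicators, the resolver log and all addresses are constructed (documentation ranges and example domains); the iptables rule syntax and the hosts-file entry format are real, the rest is assumed for the demo.

```python
"""Turn the indicators from one affected host into block rules and use them
to scope which other hosts talked to the same infrastructure.

Added example, not from the presentation. Indicators, log lines and addresses
are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed indicators collected from the first isolated host.
INDICATORS = {
    "domains": {"update-check.example.net"},
    "ips": {"198.51.100.7"},
    "cidrs": {"203.0.113.0/24"},
}

# Constructed DNS resolver log: timestamp, client, queried name, answer.
DNS_LOG = """\
2015-08-09T10:00:00 192.168.1.20 update-check.example.net 198.51.100.7
2015-08-09T10:00:01 192.168.1.31 www.example.com 93.184.216.34
2015-08-09T10:05:00 192.168.1.44 cdn.update-check.example.net 198.51.100.7
2015-08-09T10:07:00 192.168.1.50 files.example.org 203.0.113.88
2015-08-09T10:09:00 192.168.1.31 update-check.example.net.lookalike.example 192.0.2.9
"""


def name_is_blocked(name, blocked_domains):
    """True when `name` is a blocked domain or a subdomain of one.

    A blocked domain that merely appears as the leading labels of a longer
    name (the last log line) does not match; only a suffix match counts."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocked_domains)


def address_is_blocked(addr, blocked_ips, blocked_cidrs):
    """True when `addr` is a listed address or falls inside a listed network."""
    ip = ip_address(addr)
    return addr in blocked_ips or any(ip in ip_network(c) for c in blocked_cidrs)


def hosts_that_reached_indicators(dns_log, indicators):
    """Return the internal clients whose queries matched a blocked name or answer."""
    hosts = set()
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, client, name, answer = line.split()
        if name_is_blocked(name, indicators["domains"]) or \
                address_is_blocked(answer, indicators["ips"], indicators["cidrs"]):
            hosts.add(client)
    return hosts


def build_block_rules(indicators):
    """Render the indicators as iptables DROP rules for a Linux perimeter box
    and as hosts-file style sinkhole entries; both formats are real, the
    chain choice (FORWARD) is an assumption about where the box sits."""
    rules = []
    for target in sorted(indicators["ips"] | indicators["cidrs"]):
        rules.append(f"iptables -A FORWARD -d {target} -j DROP")
    for domain in sorted(indicators["domains"]):
        rules.append(f"0.0.0.0 {domain}")
    return rules


if __name__ == "__main__":
    for host in sorted(hosts_that_reached_indicators(DNS_LOG, INDICATORS)):
        print("isolate:", host)
    print("\n".join(build_block_rules(INDICATORS)))
```

Two hosts that were not on the original ticket (192.168.1.44 and 192.168.1.50) surface from the log, which is the whole point of running the indicators back over the sources listed under Identification. Note the asymmetry: the scoping check matches subdomains, but a hosts-file entry only covers the exact name, so a resolver-level block list (or the web filter / IPS the slide mentions) is needed to cover the subdomain case.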


Page 19: You Will Be Breached

Containment: Notification

Now is the time to activate the incident response team

Follow communications plan, notify internal parties as appropriate

If you’re going to contact law enforcement, now is the time

Contact legal counsel

Page 20: You Will Be Breached

Eradication

Focus is removal and restoration of affected systems

Wipe / Rebuild / Restore

Apply missing patches

Scan for indicators of compromise

Apply mitigations – firewall / WAF / IDS / update AV

Change passwords

Page 21: You Will Be Breached

Recovery

Goal is to bring systems back online without causing another incident

Verify issue is resolved

Increase monitoring
◦ Determine duration of increased monitoring

Page 22: You Will Be Breached

Mistakes Happen

Success does not consist in never making mistakes, but in never making the same one a second time. – George Bernard Shaw

Page 23: You Will Be Breached

Lessons Learned

Be sure to hold a lessons learned session after breach
◦ Hold within two weeks
◦ Identify what failed and why
◦ Implement fixes and update documentation

Page 24: You Will Be Breached

Execution

Document all steps in a notebook
◦ Helps to have one person working, another keeping notes

Measure twice, cut once… First, do no harm…
◦ In other words, don’t be too hasty

Step back to see the forest for the trees
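The notebook the slide calls for, and the assessment checklist from the Identification slides (affected machine, logged on users, open connections, running processes, how and by whom it was reported), can be kept in a form that later survives questions about whether a note was changed after the fact. The script below is an added example, not something from the presentation: each entry carries the SHA-256 digest of the previous entry, so editing or deleting a note breaks the chain and `verify()` reports it. The incident ID, host name, users and times are constructed for the demo.

```python
"""A tamper-evident incident notebook.

Added example, not from the presentation. It stores the fields from the
"Identification: Assessment" checklist and every later action as entries
chained by SHA-256 digests, so that a note altered after the fact is
detectable. All incident data below is constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous digest" of the very first entry


class IncidentNotebook:
    def __init__(self, incident_id, scribe):
        self.incident_id = incident_id
        self.scribe = scribe          # the person keeping notes, per the slide
        self.entries = []

    @staticmethod
    def _digest(entry):
        """Digest of the entry with its own digest field left out."""
        body = {k: v for k, v in entry.items() if k != "digest"}
        encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(encoded).hexdigest()

    def record(self, action, details=None, when=None):
        """Append one entry; `when` defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries) + 1,
            "time": when.isoformat(),
            "scribe": self.scribe,
            "action": action,
            "details": details or {},
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True when every entry still hashes to its digest, is numbered in
        order, and links to the digest of the entry before it."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries, start=1):
            if (entry["seq"] != seq or entry["prev"] != prev
                    or self._digest(entry) != entry["digest"]):
                return False
            prev = entry["digest"]
        return True


def initial_assessment(host, users, connections, processes,
                       identified_by, reported_by, reported_at, summary):
    """Bundle the assessment checklist from the slides into one details dict."""
    return {
        "affected_host": host, "logged_on_users": users,
        "open_connections": connections, "running_processes": processes,
        "how_identified": identified_by, "reported_by": reported_by,
        "reported_at": reported_at, "what_was_happening": summary,
    }


def demo_notebook():
    """Build a notebook for a constructed incident and return it."""
    nb = IncidentNotebook("INC-2015-0809-01", scribe="second responder")
    nb.record("assessment", initial_assessment(
        host="WS-ACCT-07", users=["jsmith"],
        connections=["192.168.1.20:49152 -> 198.51.100.7:443"],
        processes=["explorer.exe", "outlook.exe", "AcroRd32.exe"],
        identified_by="AV alert", reported_by="helpdesk",
        reported_at="2015-08-09T09:41:00+00:00",
        summary="user reported a PDF attachment that would not open"))
    nb.record("containment", {"step": "network cable pulled", "host": "WS-ACCT-07"})
    nb.record("containment", {"step": "disk imaged, image stored offline",
                              "host": "WS-ACCT-07"})
    return nb


if __name__ == "__main__":
    notebook = demo_notebook()
    print(json.dumps(notebook.entries, indent=2))
    print("chain intact:", notebook.verify())
```

Printing the entries at intervals to paper, as the Communications slide suggests for contact lists, gives an out-of-band copy of the digests; a later dispute about a note can then be settled by re-running `verify()` against the printed digests.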

Page 25: You Will Be Breached

Summary

All sizes of organizations are being attacked

Effective incident response is about preparation and practice, not about tools!

Incident response plans are key to recovery and limiting losses

There is a vast array of resources available to help you build your plan

Page 26: You Will Be Breached

Resources

Local law enforcement, including FBI

Professional Security Organizations
◦ ISSA
◦ InfraGard

SANS
◦ https://www.sans.org/

NOREX
◦ https://www.norex.net/

Page 27: You Will Be Breached

Resources

Creating a Computer Security Incident Response Team (CSIRT)
◦ http://www.cert.org/csirts/Creating-A-CSIRT.html

NIST SP800-61 Rev. 2: Computer Security Incident Handling Guide
◦ http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

SANS Incident Handling Forms
◦ http://www.sans.org/score/incidentforms/

Incident Handler’s Handbook
◦ https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Incident Handling Annual Testing and Training
◦ https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565

Page 28: You Will Be Breached

Resources

SANS Policy Templates
◦ https://www.sans.org/security-resources/policies/

SANS Reading Room
◦ http://www.sans.org/reading_room/

An Incident Handling Process for Small and Medium Businesses
◦ http://www.sans.org/reading_room/whitepapers/incident/incident-handling-process-small-medium-businesses_1791

Blue Team Handbook: Incident Response Edition
◦ ISBN-13: 978-1500734756
◦ http://www.amazon.com/Blue-Team-Handbook-condensed-Responder/dp/1500734756/

Page 29: You Will Be Breached

Resources

NSA – Spotting the Adversary With Windows Event Log Monitoring
◦ https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

U.S. DOJ Best Practices for Victim Response and Reporting
◦ http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf

Table Top Exercises for Incident Response
◦ http://seanmason.com/2015/04/20/table-top-exercises-ttx/

When Breaches Happen: Top Five Questions to Prepare For
◦ https://www.sans.org/reading-room/whitepapers/analyst/breaches-happen-top-questions-prepare-35220

Corporate Incident Response – Why You Can’t Afford to Ignore It
◦ http://www.mcafee.com/us/resources/white-papers/foundstone/wp-corp-incident-response.pdf

Page 30: You Will Be Breached

References

Verizon 2015 Data Breach Investigations Report
◦ http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf

Symantec 2015 Internet Security Threat Report
◦ https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf

2013 National Small Business Association Technology Survey
◦ http://www.nsba.biz/wp-content/uploads/2013/09/Technology-Survey-2013.pdf

Page 31: You Will Be Breached

Contact Me

[email protected]

@hardwaterhacker

http://hardwatersec.blogspot.com/

Page 32: You Will Be Breached

Questions?