Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Vanderburg


© 2017 Technology Concepts & Design, Inc. All Rights Reserved.

Cybersecurity Incident Response Strategies and Tactics

TIMOTHY OPSITNICK, Executive Vice President & General Counsel

ERIC VANDERBURG, Vice President, Cybersecurity

RIMS 2017 Northeast Ohio Regional Conference

October 5, 2017


About Us

TCDI founded in 1988

Microsoft Certified Partner since 2003

Services include:

◦ Digital forensics

◦ Cybersecurity

◦ eDiscovery

Minority owned enterprise


TIMOTHY OPSITNICK
Executive Vice President and General Counsel

E-Discovery special master

Expert witness

Advisory board member for the Georgetown University Law Center’s CLE and the American College of e-Neutrals

Numerous publications and legal education seminars

Member of the Sedona Conference Working Group

ERIC VANDERBURG
Vice President, Cybersecurity

Over 40 certifications

Published author

Licensed private investigator

Expert witness and thought leader

18 years in cybersecurity

Specializations include:

Risk management

Governance and compliance

Security strategy


Introduction


Impact of Cybersecurity Incidents

Loss of Valuable Information

Direct Financial Loss

Unfavorable Media Exposure/Damage to Reputation

Outages and Disruption

Data breach

Notification

Lawsuits


Statistics

◦ 87% responded to at least one incident in the past year

◦ 20% responded to at least 100 incidents

◦ 68% identified malware as the root cause of incidents

◦ 50% reported employee personal information (ex. SSN) was prioritized

◦ 82% reported that remediation activities took place within one month of containment

◦ 33% take place within 24 hours

*Source: The Show Must Go On! The 2017 SANS Incident Response Survey


Pre-Response Planning

Identify data types and locations

Identify legal obligations

◦ Regulatory

◦ Contractual

Create and implement security policies

◦ Incident Response Plan

◦ Other Policies


Analysis of legal obligations

National laws and directives

GDPR / EU directives

State / province laws

Civil liabilities

Legally-advisable practices


Business value of IR

Protects proprietary / classified information

Reduces impact to business operations

Minimizes public relations damages

Reduces costs of response

Ensures data is collected for evidentiary purposes


Incident Response Planning


The Team

IT

Compliance

Privacy

Human Resources

Security / Risk Management

Third-party Cyber Security team

Legal

Public Relations

Physical Security

Senior management

Law Enforcement Liaison


Counsel and Privilege

Early involvement affects whether communications will be considered privileged

◦ Early assessments are frank

◦ Privilege law is complex

Law in area developing

Regulatory and legal requirements complex, e.g. notice


Activating the team and the plan

Initial scoping, typically IT

Trigger

◦ Confidentiality or privacy of information affected or in care

◦ Integrity of systems or data

◦ Availability of systems or data


Incident Response Readiness


Scenario planning

◦ Document procedures for likely incidents

◦ Document steps for a non-specific incident

◦ Is geographic diversity needed?

◦ Determine notification procedure


Employee theft of intellectual property and misconduct

An employee removes internal client information for sale to a competitor

A disgruntled employee destroys data critical to business success

An employee downloads illegal software containing a backdoor


Data breach

Large upload of files to unknown destination

Confidential information on public sources

Files mistakenly sent to the wrong customer


Malware or ransomware

Ransomware encrypts central data repository

Botnet causes company email and domain to be blacklisted due to spam and searches

Malware makes hundreds of machines unusable

Company receives notices of Denial of Service (DoS) attacks originating from the corporate network.


Lost or stolen device

Employee loses an encrypted laptop while on vacation.

Backup tapes are stolen from an employee’s vehicle while they are in a restaurant.

The phone of the CEO’s assistant is stolen at a coffee shop and the phone was unlocked at the time.


Key system failure

Power outage in the server room in the middle of the day.

Non-redundant firewall failure


Data loss or corruption

Multiple hard drives fail in the main database server.

Administrator accidentally deletes the wrong virtual machine.

A restore overwrites production data rather than going to an alternate location.

Encryption keys expire


Social engineering

Company instructed to change payment information.

Fake CEO emails instruct AR to make payments to an account.

Employees divulge passwords to a person claiming to be from IT.


Table top exercises

PROCESS

◦ IR team assembles

◦ Facilitator describes scenario

◦ Plans are invoked and tested

◦ Review actions

◦ Completion and success criteria

◦ Notification methods and messages

VALUE

◦ New insight gained

◦ Plans updated

◦ Team more comfortable with the process


Security testing

Penetration testing

Vulnerability management

Red teaming


Locking systems down

Configuration audits and System hardening

Hardening Zone                    Purpose
--------------------------------  ------------------------------------------------
User Configuration                Least privilege, secondary logon
Network Configuration             IP4 vs IP6, encryption, static/dynamic
Features and Roles Configuration  Add what you need, remove what you don't. GUI?
Update Installation               Address vendor-addressed vulnerabilities
NTP Configuration                 Clock synchronization
Firewall Configuration            Minimize your external footprint.
Remote Access Configuration       Authorization, types (RDP, SSH, admin tools)
Service Configuration             Minimize your attack surface.
Logging and Monitoring            Know what's happening on your system.
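The hardening zones above only pay off if each one becomes a repeatable check, which is what a configuration audit does. The script below is an added example and not part of the original deck or any TCDI tooling: it turns every zone in the table into one concrete check over a host configuration. The HostConfig fields, the audit_host function and the sample host app-srv-01 are all constructed assumptions; a real audit would populate HostConfig from the host's actual settings.

```python
"""Configuration audit over the hardening zones in the table above.

Added example (not from the deck). The host configuration model, the check
names and the sample host below are constructed for illustration.
"""
from dataclasses import dataclass, field, replace


@dataclass
class HostConfig:
    hostname: str
    admins_use_secondary_logon: bool                    # User Configuration
    ipv6_enabled: bool                                  # Network Configuration
    ipv6_required: bool
    installed_features: set = field(default_factory=set)   # Features and Roles
    required_features: set = field(default_factory=set)
    pending_vendor_patches: int = 0                     # Update Installation
    ntp_servers: list = field(default_factory=list)     # NTP Configuration
    inbound_open_ports: set = field(default_factory=set)   # Firewall Configuration
    allowed_inbound_ports: set = field(default_factory=set)
    remote_access: dict = field(default_factory=dict)   # Remote Access, e.g. {"rdp": True}
    remote_access_authorized: set = field(default_factory=set)
    running_services: set = field(default_factory=set)  # Service Configuration
    approved_services: set = field(default_factory=set)
    audit_logging_enabled: bool = False                 # Logging and Monitoring
    log_forwarding_target: str = ""


def audit_host(cfg: HostConfig) -> list:
    """Return (zone, finding) pairs; an empty list means the host meets the baseline."""
    findings = []
    if not cfg.admins_use_secondary_logon:
        findings.append(("User Configuration", "admins have no secondary logon for privileged work"))
    if cfg.ipv6_enabled and not cfg.ipv6_required:
        findings.append(("Network Configuration", "IPv6 enabled but not required; unmanaged stack widens exposure"))
    extra = cfg.installed_features - cfg.required_features
    if extra:
        findings.append(("Features and Roles Configuration", f"unneeded features installed: {sorted(extra)}"))
    if cfg.pending_vendor_patches:
        findings.append(("Update Installation", f"{cfg.pending_vendor_patches} vendor patches not installed"))
    if not cfg.ntp_servers:
        findings.append(("NTP Configuration", "no time source; log timestamps cannot be correlated"))
    exposed = cfg.inbound_open_ports - cfg.allowed_inbound_ports
    if exposed:
        findings.append(("Firewall Configuration", f"inbound ports open beyond the approved set: {sorted(exposed)}"))
    for method, enabled in cfg.remote_access.items():
        if enabled and method not in cfg.remote_access_authorized:
            findings.append(("Remote Access Configuration", f"{method} enabled without authorization"))
    unapproved = cfg.running_services - cfg.approved_services
    if unapproved:
        findings.append(("Service Configuration", f"unapproved services running: {sorted(unapproved)}"))
    if not cfg.audit_logging_enabled or not cfg.log_forwarding_target:
        findings.append(("Logging and Monitoring", "audit logging disabled or not forwarded off-host"))
    return findings


# Constructed sample host (not a real system): fails every zone once.
SAMPLE_HOST = HostConfig(
    hostname="app-srv-01",
    admins_use_secondary_logon=False,
    ipv6_enabled=True, ipv6_required=False,
    installed_features={"WebServer", "DesktopExperience", "SMB1"},
    required_features={"WebServer"},
    pending_vendor_patches=3,
    ntp_servers=[],
    inbound_open_ports={22, 80, 443, 3389},
    allowed_inbound_ports={80, 443},
    remote_access={"rdp": True, "ssh": True},
    remote_access_authorized={"ssh"},
    running_services={"httpd", "sshd", "telnetd"},
    approved_services={"httpd", "sshd"},
    audit_logging_enabled=True,
    log_forwarding_target="",
)


def sample_findings() -> list:
    return audit_host(SAMPLE_HOST)


def hardened_sample() -> HostConfig:
    """The same host after every finding has been addressed."""
    return replace(
        SAMPLE_HOST,
        admins_use_secondary_logon=True, ipv6_enabled=False,
        installed_features={"WebServer"}, pending_vendor_patches=0,
        ntp_servers=["ntp.internal.example"], inbound_open_ports={80, 443},
        remote_access={"ssh": True}, running_services={"httpd", "sshd"},
        log_forwarding_target="siem.internal.example",
    )


if __name__ == "__main__":
    for zone, text in sample_findings():
        print(f"[{zone}] {text}")
    print("hardened host findings:", audit_host(hardened_sample()))
```

Running the script lists one finding per zone for the sample host and an empty list for the hardened copy; the value of the pattern is that the same checks run unchanged on every host, so drift after an incident shows up as new findings rather than as a surprise.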


Improving detection capability

SIEM

Anomaly detection

End user training

Motivation and Accountability


Vendor or third party coordination and planning

Identify required third-parties

Establish expectations and contractual agreements

Make vendors aware of internal procedures

Solicit feedback


Awareness training

Acceptable use

◦ Email, Internet, Social

Passwords

Incident indicators

Malware

Social engineering

Data handling

Other policy elements


Process and system implementation

Preservation

Log management and retention

Business continuity

Auditing

Prepare resources

◦ Human

◦ Technical


Incident Response Execution


Incident response phases

Identification

Containment

Investigation

Eradication

Recovery

Reflection


Identification

Report incident indicators (employees or automated systems)

Validate indicators

Indicators

◦ Use of dormant accounts

◦ Log alteration

◦ Presence of malicious code

◦ Notification by partner or peer

◦ Notification by hacker

◦ Loss of availability

◦ Corrupt files

◦ Data breach

◦ Violation of policy

◦ Violation of law
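Two of the indicators above, use of dormant accounts and log alteration, are the kind an automated system can raise before anyone reports them. The script below is an added example, not code from the deck or from TCDI: it parses a few constructed audit-log lines, flags successful logins by accounts idle longer than a threshold, and flags sequence-number gaps and backwards timestamps that suggest entries were removed or injected. The log format, the LAST_SEEN account directory, the 90-day threshold and the account names are all assumptions made for the example.

```python
"""Detection over constructed log lines for two slide indicators:
use of dormant accounts and log alteration. Added example, not from the deck;
the log format, account directory and thresholds are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed account directory: last known activity per account (assumption).
LAST_SEEN = {
    "jsmith": datetime(2017, 9, 28),
    "svc_backup": datetime(2017, 3, 1),     # idle for months
    "contractor7": datetime(2017, 1, 12),   # engagement ended in January
}
DORMANT_AFTER = timedelta(days=90)

# Constructed audit log, one event per line:
# "<seq> <ISO timestamp> <event> user=<name> src=<ip>"
# seq 1004 is missing and seq 1006 is timestamped before seq 1005 on purpose.
SAMPLE_LOG = """\
1001 2017-10-03T08:02:11 LOGIN_OK user=jsmith src=10.0.4.21
1002 2017-10-03T08:03:47 LOGIN_OK user=svc_backup src=10.0.9.5
1003 2017-10-03T08:05:02 LOGIN_FAIL user=contractor7 src=198.51.100.7
1005 2017-10-03T08:09:30 LOGIN_OK user=contractor7 src=198.51.100.7
1006 2017-10-03T07:59:59 LOGIN_OK user=jsmith src=10.0.4.21
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["seq"] = int(rec["seq"])
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def dormant_account_logins(records, last_seen=LAST_SEEN, dormant_after=DORMANT_AFTER):
    """Successful logins by accounts idle longer than the dormancy threshold."""
    hits = []
    for rec in records:
        if rec["event"] != "LOGIN_OK":
            continue
        seen = last_seen.get(rec["user"])
        if seen is not None and rec["ts"] - seen > dormant_after:
            hits.append((rec["user"], rec["seq"]))
    return hits


def log_alteration_signs(records) -> list:
    """Sequence gaps and backwards timestamps suggest removed or injected entries."""
    signs = []
    for prev, cur in zip(records, records[1:]):
        if cur["seq"] != prev["seq"] + 1:
            signs.append(f"gap between seq {prev['seq']} and {cur['seq']}")
        if cur["ts"] < prev["ts"]:
            signs.append(f"seq {cur['seq']} is timestamped before seq {prev['seq']}")
    return signs


def run_detections(log_text: str = SAMPLE_LOG) -> dict:
    records = parse(log_text)
    return {
        "dormant_logins": dormant_account_logins(records),
        "alteration_signs": log_alteration_signs(records),
    }


if __name__ == "__main__":
    for kind, items in run_detections().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Both checks produce candidate indicators, not conclusions: the "Validate indicators" step still applies, since a service account can legitimately wake up and a log gap can be a rotation artifact rather than tampering.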


Containment

Assemble the IR team

Quarantine

◦ Disable accounts, disconnect from network, isolate VM

Preserve Evidence

Expand IR resources as necessary


Investigation

Interviewing

Analysis

◦ Logs

◦ Memory

◦ Forensic images

◦ Public data

Documentation

◦ IP address of compromised system

◦ Time frame

◦ Malicious ports

◦ Flow records


Eradication

Resolution

◦ List action items

◦ Rank in terms of risk level and time required

◦ Prioritize

◦ Coordinate and track remediation to completion

Validation

◦ Confirm measures successfully remediated the incident


Recovery

Remediate vulnerabilities

Restore services

Restore data (Ensure that backups are clean)

Follow notification procedures in IRP

Restore confidence


Reflection

Refine plans and processes

Create new IRPs

Debrief


Reflection (continued)

Debrief (After-action review)

◦ Rankless discussion

◦ Goals

◦ Were goals achievable?

◦ Successes

◦ Pitfalls

◦ Lessons learned

◦ Action items and responsibilities

◦ Positive summary


Key Issues


Preserving chain of custody and evidence

As soon as the team begins its work, it must start and maintain a strict chain of custody

Chain of custody documents that evidence was under strict control and that no unauthorized person was given the opportunity to corrupt the evidence
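In practice "strict control" means two things the record must be able to prove later: that the evidence bytes never changed while in custody, and that the custody log itself was not edited after the fact. The script below is an added example, not from the deck or from TCDI: it hashes an evidence item at collection, re-hashes it at every handoff so any change is attributable to the last holder, and links each custody entry to the previous one so a later edit to the log breaks the chain. The evidence bytes, item id EV-0001 and custodian names are constructed.

```python
"""Chain-of-custody record for one evidence item, with a hash-linked custody log.
Added example, not part of the original deck; evidence bytes, item id and
custodian names are constructed."""
import hashlib
import json
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Tracks one evidence item: its content hash and every handoff."""

    def __init__(self, item_id: str, description: str, data: bytes,
                 collected_by: str, collected_at: datetime):
        self.item_id = item_id
        self.description = description
        self.content_sha256 = sha256_hex(data)   # fixed at collection time
        self.entries = []                         # hash-linked custody log
        self._append(collected_at, collected_by, "collected", self.content_sha256)

    def _append(self, when: datetime, custodian: str, action: str, content_hash: str):
        # Each entry's link covers the previous link plus its own fields, so
        # editing or dropping an earlier entry invalidates every later one.
        prev_link = self.entries[-1]["link"] if self.entries else "0" * 64
        body = {"when": when.isoformat(), "custodian": custodian,
                "action": action, "content_sha256": content_hash}
        link = sha256_hex((prev_link + json.dumps(body, sort_keys=True)).encode())
        self.entries.append({**body, "prev": prev_link, "link": link})

    def transfer(self, from_person: str, to_person: str, when: datetime, data: bytes):
        """Re-hash at every handoff; a mismatch is attributed to the last holder."""
        digest = sha256_hex(data)
        if digest != self.content_sha256:
            raise ValueError(f"{self.item_id}: content changed while held by {from_person}")
        self._append(when, to_person, f"received from {from_person}", digest)

    def verify_content(self, data: bytes) -> bool:
        return sha256_hex(data) == self.content_sha256

    def log_intact(self) -> bool:
        """Recompute every link; False means the custody log itself was edited."""
        prev_link = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("when", "custodian", "action", "content_sha256")}
            expected = sha256_hex((prev_link + json.dumps(body, sort_keys=True)).encode())
            if e["prev"] != prev_link or e["link"] != expected:
                return False
            prev_link = e["link"]
        return True


# Constructed evidence: stands in for a forensic image (not real data).
EVIDENCE_IMAGE = b"constructed disk image bytes 0001"


def demo() -> CustodyRecord:
    """Collection followed by two clean handoffs."""
    rec = CustodyRecord("EV-0001", "laptop disk image", EVIDENCE_IMAGE,
                        "analyst A", datetime(2017, 10, 5, 9, 0))
    rec.transfer("analyst A", "evidence locker", datetime(2017, 10, 5, 11, 30), EVIDENCE_IMAGE)
    rec.transfer("evidence locker", "outside counsel", datetime(2017, 10, 6, 8, 15), EVIDENCE_IMAGE)
    return rec


def tampered_transfer_rejected() -> bool:
    """Shows the handoff check firing when the presented bytes no longer match."""
    rec = demo()
    try:
        rec.transfer("outside counsel", "court clerk", datetime(2017, 10, 7, 10, 0),
                     EVIDENCE_IMAGE + b"!")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    r = demo()
    for e in r.entries:
        print(e["when"], e["custodian"], e["action"])
    print("content verified:", r.verify_content(EVIDENCE_IMAGE))
    print("log intact:", r.log_intact())
    print("tampered handoff rejected:", tampered_transfer_rejected())
```

A real custody log also records the physical location and the reason for each transfer, and the hash of the original media is taken before any working copy is made; the linking shown here is what lets the record be checked in front of a third party rather than simply asserted.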


When and if to engage law enforcement

Nature of data compromised

Nature of incident (theft vs. external hacking vs. employee misconduct)

Regulatory scheme or statute that applies to the data or operations

Country or residence of persons involved in the compromise or persons whose information is implicated

Your industry

Specific benefit

Policy of Good Corporate Citizen

Prior relationship established


Communications

Alternate

In person


Engaging vendors

Pre selected

Experience

New entries in market


Notice

Insurance carriers

Impacted individuals

Regulators

Credit reporting agencies


Questions?
