
Adapting Incident Response to Meet the Threat

Jeff Schilling Director, Global Incident Response and Digital Forensics

SecureWorks

Agenda

• Why change your approach?
• Do you really know your environment?
• Do you really know/understand your threat?
• Where to focus your efforts to respond?
• Measuring success

My Press Box View

• My view as the Director of the Army's Global Network Security Team
• My view as the Director of the Dell SecureWorks Incident Response Practice

The Dell SecureWorks Incident Response Practice

• 300+ projects last year
  – 42% of our engagements were with medium-sized businesses; 58% were with large enterprise customers
  – 70% of our engagements were active incident response; 30% were proactive engagements
  – 20% of our projects involved Advanced Persistent Threat (targeted threat)
• Our observations from 2012 engagements:
  – End users are still the primary targets (51% of the time)
  – Servers and applications run second (39% of the time)
  – 20% of our engagements involved insider threat activity


Do I need to change my approach?

Getting to "yes"

• Do you rarely see the same activity on your networks with the same success?
• Do you conduct trend analysis of your security incidents?
• Have you analyzed the things you can control and the things you can't?
  – People
  – Processes
  – Technology
• For the things you can't control, have you calculated the risks or outcomes?
• Have you insured or transferred that risk?
• Do you make adjustments to your security controls based on trends?
• Do you have a plan or playbook to address your most common incidents?
• Do you rehearse and update these plans?


Do you really know your environment?

Which picture best describes your network?

• Do you have an updated/accurate network diagram? Are you a part of the change management process so you know when it changes?
• Have you studied your network flow to know what ports and protocols to accept and which ones to deny?
• Do you validate with pen tests, vulnerability scans and NetFlow monitoring?
• Do you have defined network boundaries with the Internet?
• Do you leverage Active Directory to assign risk and controls to Organizational Units?
• Is "whitelisting" embraced in your organization?
• Do you have a standard, secure image/baseline for hosts and servers?
• Do you centralize your event log monitoring?
• Do you limit workstation-to-workstation communication?
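Several of the questions above (studying network flow to decide which ports and protocols to accept, whitelisting servers, limiting workstation-to-workstation traffic) can be answered from flow records. The following Python is an added example, not part of the original deck and not a SecureWorks tool; the address plan (workstations in 10.10.0.0/16), the per-server allow-list and the flow records are all constructed for illustration. It labels each flow as allowed, not on the allow-list, workstation-to-workstation, or bound for a host that is not in the allow-list at all, and counts every destination/protocol/port combination seen so an allow-list can be built or tightened from observed traffic.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flow records (not real traffic), in the CSV shape a
# NetFlow/IPFIX collector might export: timestamp, source, destination,
# protocol, destination port, bytes.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes
2013-05-01T09:00:01,10.10.4.21,10.20.0.5,tcp,443,5120
2013-05-01T09:00:03,10.10.4.21,10.20.0.10,tcp,445,20480
2013-05-01T09:00:05,10.10.4.21,10.10.7.33,tcp,445,98304
2013-05-01T09:00:07,10.10.7.33,10.20.0.10,tcp,3389,4096
2013-05-01T09:00:09,10.10.4.21,10.30.1.9,tcp,22,1024
2013-05-01T09:00:11,10.10.9.2,10.20.0.5,tcp,80,2048
"""

# Hypothetical address plan: workstations live in 10.10.0.0/16 and each
# server has an explicit allow-list of (protocol, port). Both are assumptions
# for this example; a real deployment takes them from the network diagram.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SERVER_ALLOW = {
    "10.20.0.5": {("tcp", 80), ("tcp", 443)},                # web server
    "10.20.0.10": {("tcp", 88), ("tcp", 445), ("udp", 53)},  # domain controller
}


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric port and byte fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
    return rows


def is_workstation(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def classify(flow):
    """Label one flow against the segmentation and allow-list policy."""
    key = (flow["proto"].lower(), flow["dport"])
    if is_workstation(flow["src"]) and is_workstation(flow["dst"]):
        return "workstation-to-workstation"   # lateral movement candidate
    if flow["dst"] in SERVER_ALLOW:
        return "allowed" if key in SERVER_ALLOW[flow["dst"]] else "not-allow-listed"
    return "unknown-destination"              # host missing from the allow-list


def triage(text):
    """Group flows by finding and count every (dst, proto, port) seen.

    The counter is the raw material for building or tightening the
    allow-list: anything observed that is not yet allowed needs a decision.
    """
    findings = defaultdict(list)
    observed = Counter()
    for flow in parse_flows(text):
        findings[classify(flow)].append(flow)
        observed[(flow["dst"], flow["proto"].lower(), flow["dport"])] += 1
    return findings, observed


if __name__ == "__main__":
    findings, observed = triage(SAMPLE_FLOWS)
    for label, flows in sorted(findings.items()):
        print(f"{label}: {len(flows)} flow(s)")
        for f in flows:
            print(f"  {f['src']} -> {f['dst']} {f['proto']}/{f['dport']} {f['bytes']} bytes")
```

On the sample, the SMB flow between two workstations and the RDP flow to the domain controller are the two findings worth a look; the SSH flow to 10.30.1.9 shows up as an unknown destination, which is exactly the "is your diagram accurate?" question in machine-checkable form.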


Do you really know your enemy?

Categories of threat

Commodity threat
• Phishing with dynamite
• Automated control for scale
• Can be defended with good signature-based controls
• Buys tradecraft
• Can be sophisticated and polymorphic
• Favorite vectors
  – Server compromises
  – Non-targeted phishing
  – Web drive-bys
• Smash and grab

Advanced Persistent Threat (targeted threat)
• Playing chess
• Human controlled (just for you)
• Custom tradecraft
• Favorite vectors
  – Highly targeted phishing
  – Watering-hole web drive-bys
  – Some server compromises
• Highly targeted efforts
• Attempts to cover their tracks
• Will compromise partners to get to you
• Goal is to log on and become an insider

Insider threat
• Fly on the wall
• Hardest to detect; tries to hide in normal activity
• Usually has elevated privileges
• In most cases, assumes they are not being monitored
• Rarely uses tradecraft; when they do, normally crawlers
• Usually has access to data that does not pertain to their job, and that is what they take
• May use "close access" techniques
• Attempts to cover their tracks
• Managers/HR usually not surprised when the insider is caught

There may be some overlap in APT and insider threat detection.

Categories of Intent/Motive

Hacktivists/Revenge, Cyber Warfare
• Disrupt
• Destroy
• Deny
• Revenge
• Embarrass
• Intimidate

Intellectual Property Theft
• Competitive advantage
• Fill in an innovation gap
• Nation-state level espionage

Crime
• Steal your money
• Steal your clients' money
• Identity theft
• Fraud

Pulling it all together

Threat actor categories
• Commodity
• Advanced Persistent Threat
• Insider

Threat actor motives
• Crime
• Hacktivism
• Revenge
• Intellectual property theft
• Cyber warfare

Targeted assets
• Cardholder data/PII/identity
• Core business processes
• Critical infrastructure
• Intellectual property
• Web applications
• Financial data/processes
• Executive communication

Impacts
• Monetary loss
• Availability
• Confidentiality
• Integrity
• Personal harm
• Reputation

Vectors
• Botnets
• Server compromise
• DoS
• Malicious code
• Web infection
• Phishing
• Physical theft/loss/damage
• Targeted attacks
• Worms/Trojans

Security controls
• IPS/IDS
• Firewall/web application firewall
• DDoS filtering
• Web/mail proxy
• VM inspection
• Host level controls
• SIEM/log monitoring
• Vulnerability management
• Access control
• DLP
• DRM
• User actions
• Policy

What should an IR plan look like?

• Base document (policy and guidelines; does not change very often)
  – Roles and responsibilities
  – Description of the overall process
  – Identification of incident types
  – Work flows
  – Identification of third party providers
• Playbooks/Appendix/Run books (procedures; constantly updated)
  – One for each incident type
    › Criteria for declaring an incident
    › Checklist driven actions
    › Point of contact lists
      – Key players on the Security team
      – Key players on the IT staff (if separate from the Security team)
      – Key decision makers outside of Security and IT
      – Third party providers (ISP, outside consulting, etc.)

Threat Intelligence Maturity Model

Figure: maturity plotted against time. Each stage of the model consists of Data Collection, Analysis/Investigation, Synthesis, and Decision Making and Action, repeated at three successive levels of maturity. Enhanced from "BI Capability Maturity Model".

Feedback loop: how do you apply intelligence?

Figure: a Threat Intelligence Database sits at the centre, fed by and feeding three groups. Incident Response contributes hostile actor ID, actor motivations and attacker tactics; Business Operations contributes hiring practices and data protection; IT Security contributes hostile actor ID, material threats and intel on tradecraft; physical security is a further input. The database returns context and countermeasures, answering three questions: What does it mean? How to resist? What is the next action?


Where to focus your Response Efforts?

Do you live on the OODA Loop?

Figure: the OODA loop (Observe, Orient, Decide, Act) applied to security operations. Elements shown around the loop: Vulnerabilities, Adversaries, Your Assets, Malware; Analysis & Classification, Risk Assessment; Counter-measure Control and Efficacy, Counter-measure Plan; Develop & Deploy Counter-measures, Apply Threat Intel to Controls, Detect (SOC Ops), Incident Response (Contain/Eradicate).

The "Broken Windows" approach

Questions
• Where is my most important data?
• Where are most of my incidents happening?
• Where am I most vulnerable?
• What is (are) the worst possible thing(s) that could happen?
• Can I detect where I am most vulnerable?
• Can I contain where I am most vulnerable?
• Can I see the insider threat?

Answers
• Identify your "broken windows"
• Establish network visibility
• Segment to protect critical assets; create security zones
• Layered defensive strategy
  – Intelligence-informed SIEM
  – Network detection/prevention
  – Host level detection/prevention
  – Virtual machine detonation
• Get control of your elevated privileges, if you can
• Protect and leverage your Active Directory structure
• Whitelist your servers, protocols and ports
• Focus on SMTP and web traffic
• Talk to managers and HR about high-risk employees with elevated privileges


How do you measure success?

Success, Failure and False metrics

Indications of failing trends
• Increase in recurring incidents
• Increase in dwell time
• Increase in the number of incidents reported by users vs. detected by the SOC
• Increase in the number of root level and domain compromises
• Increase in the number of compromised servers/web applications
• Increase in the number of incidents involving CVEs
• Increase in the business impact of incidents
• Increase in incidents closed where the root cause is indeterminate

Indications of successful trends
• Decrease in time between detection and containment
• Decrease in the number of successful commodity infections
• Decrease in the number of incidents that spread to multiple hosts
• Increase in the number of APT and insider threat detections
• Decrease in third party reporting of incidents (FBI, USSS, partners)
• Reduction in successful phishing

False metrics
• Increase or decrease in the number of incidents
• Increase or decrease in the number of detections
• Investment in security technology
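To turn the trend lists above into something a team can compute every reporting period, here is an added Python example; it is not from the original deck, and the incident records, field names and two-quarter split are all constructed for illustration. It computes median dwell time, median detection-to-containment time, the share of incidents first reported by users, the number reported by third parties, the share closed with an indeterminate root cause, repeat root causes within the period, and APT/insider cases the SOC found itself, then labels each metric as improving, worsening or flat between two quarters. Raw incident and detection counts are left out on purpose, matching the deck's false-metrics list.

```python
from datetime import datetime
from statistics import median

# Constructed sample incident records for two quarters (not real data).
# source = who detected it first (soc, user, third_party);
# kind = commodity, apt or insider; root_cause = "indeterminate" when the
# investigation closed without establishing one.
INCIDENTS = [
    {"id": "I-1", "q": "Q1", "first": "2013-01-03", "detected": "2013-01-20",
     "contained": "2013-01-24", "source": "user", "kind": "commodity", "root_cause": "phish"},
    {"id": "I-2", "q": "Q1", "first": "2013-01-10", "detected": "2013-01-12",
     "contained": "2013-01-15", "source": "soc", "kind": "commodity", "root_cause": "phish"},
    {"id": "I-3", "q": "Q1", "first": "2013-02-01", "detected": "2013-02-28",
     "contained": "2013-03-05", "source": "third_party", "kind": "apt", "root_cause": "indeterminate"},
    {"id": "I-4", "q": "Q1", "first": "2013-03-01", "detected": "2013-03-04",
     "contained": "2013-03-06", "source": "user", "kind": "commodity", "root_cause": "drive-by"},
    {"id": "I-5", "q": "Q2", "first": "2013-04-02", "detected": "2013-04-04",
     "contained": "2013-04-05", "source": "soc", "kind": "commodity", "root_cause": "phish"},
    {"id": "I-6", "q": "Q2", "first": "2013-04-10", "detected": "2013-04-11",
     "contained": "2013-04-12", "source": "soc", "kind": "commodity", "root_cause": "drive-by"},
    {"id": "I-7", "q": "Q2", "first": "2013-05-01", "detected": "2013-05-09",
     "contained": "2013-05-11", "source": "soc", "kind": "insider", "root_cause": "data-exfil"},
    {"id": "I-8", "q": "Q2", "first": "2013-05-20", "detected": "2013-05-22",
     "contained": "2013-05-24", "source": "user", "kind": "commodity", "root_cause": "drive-by"},
]

# Direction of "good" for each metric. Raw incident and detection counts are
# deliberately absent: the deck lists them as false metrics.
LOWER_IS_BETTER = {"median_dwell_days", "median_detect_to_contain_days",
                   "user_reported_ratio", "third_party_reported",
                   "indeterminate_root_cause_ratio", "recurring_incidents"}
HIGHER_IS_BETTER = {"targeted_threat_detections"}


def _days(later, earlier):
    fmt = "%Y-%m-%d"
    return (datetime.strptime(later, fmt) - datetime.strptime(earlier, fmt)).days


def quarter_metrics(quarter, incidents=INCIDENTS):
    """Compute the deck's trend metrics for one reporting period."""
    incs = [i for i in incidents if i["q"] == quarter]
    n = len(incs)
    known_causes = [i["root_cause"] for i in incs if i["root_cause"] != "indeterminate"]
    return {
        "median_dwell_days": median([_days(i["detected"], i["first"]) for i in incs]),
        "median_detect_to_contain_days": median([_days(i["contained"], i["detected"]) for i in incs]),
        "user_reported_ratio": sum(i["source"] == "user" for i in incs) / n,
        "third_party_reported": sum(i["source"] == "third_party" for i in incs),
        "indeterminate_root_cause_ratio": (n - len(known_causes)) / n,
        # every repeat of a root cause already seen this period counts as recurring
        "recurring_incidents": len(known_causes) - len(set(known_causes)),
        # APT/insider cases the SOC found itself rather than being told about
        "targeted_threat_detections": sum(
            i["kind"] in ("apt", "insider") and i["source"] == "soc" for i in incs),
    }


def trend(prev, cur):
    """Label each metric improving/worsening/flat between two periods."""
    out = {}
    for name in LOWER_IS_BETTER | HIGHER_IS_BETTER:
        if cur[name] == prev[name]:
            out[name] = "flat"
            continue
        better = cur[name] < prev[name] if name in LOWER_IS_BETTER else cur[name] > prev[name]
        out[name] = "improving" if better else "worsening"
    return out


if __name__ == "__main__":
    q1, q2 = quarter_metrics("Q1"), quarter_metrics("Q2")
    for name, verdict in sorted(trend(q1, q2).items()):
        print(f"{name:32s} {q1[name]!s:>6} -> {q2[name]!s:>6}  {verdict}")
```

Note that both constructed quarters contain exactly four incidents, so the false metric (incident count) would show nothing at all, while every real metric except recurrence moves. The "indeterminate root cause" ratio is worth tracking separately from dwell time: an investigation closed without a cause is the one that will recur.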

Conclusion

• Analyze your environment; know your strengths and weaknesses
• Ensure you understand the threat's capabilities, intent and vectors
• Focus your response on your "broken windows"
• Ensure you are achieving success and not reinforcing failure in your incident response processes

Resources

• Dell SecureWorks Incident Response: http://go.secureworks.com/incident-response
• SANS Incident Response Training: http://www.sans.org/course/advanced-computer-forensic-analysis-incident-response
• White paper, Accelerating Incident Response: How Integrated Services Reduce Risk and the Impact of a Security Breach: http://www.secureworks.com/resources/articles/featured_articles/accelerating-incident-response-reducing-risk-and-impact
• NIST Computer Security Incident Handling Guide: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

If you suspect a security breach, contact the Dell SecureWorks Incident Response team at 877-884-1110.


Questions?