Page 1

Incident Response – Putting your tools to work
Clarke Cummings, September 2013

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Page 2

Copyright © 2013 Deloitte Development LLC. All rights reserved. 2

Agenda

• Overview
• Low-tech variety
• Existing tools
• Security Information and Event Management (SIEM) technologies
• Intelligence sources
• Network data captures
• Forensic investigations
• Still room for old school tools
• Pull it all together
• The most critical element
• Wrap up

Page 3

Overview

Page 4

Why is Incident Response (IR) so critical? Read the news lately?

Attacks will happen
• In our experience, many big companies have had incidents; some significant
• Targeted attacks – your organization may do things certain people don’t like, or has things people want (like money)
• Opportunity attacks – an attacker’s random scan might show a vulnerability on your Web site
• “You just made the news!” attacks – good and bad news alike can draw attackers’ attention to you (deny someone what Anonymous thinks should be human rights and see what happens)
• Just because – you might just randomly win the draw and get to be a target…

A formal response capability allows …
• People to know their jobs, so they can react quickly and appropriately during issues
• Improved response effectiveness, because a formal capability means you aren’t deciding during an attack who is responsible for handling the incident
• Confidence in handling incidents, because the organization planned to address them before they happened

An ounce of prevention…

Page 5

Why do we need incident response? And what is it?

• It is very likely that your organization will have a computer security incident at some point.
• Operate under the mindset that every user, or the network itself, has already been compromised; with this in mind, how do we put effective controls in place to actualize policy and support the business?
• Responding appropriately to an incident is a very complex task.
• Planning for such an event is essential.

The six stages of incident response:

1. Preparation – Getting systems and teams ready to handle the response capability, defining policies and procedures, etc.
2. Identification – Finding incidents as they happen (and hopefully before they become major issues)
3. Containment – Keeping the incident from spreading
4. Eradication – Addressing the incident and removing malware or other traces of the attack
5. Recovery – Getting the systems back to normal operations; this might take a considerable length of time
6. Lessons Learned – What can we do better, where were we strongest/weakest during the response, and what other takeaways can we learn from the incident?

Page 6

How tools help incident response
Tools aid teams in all stages of incident response, but are especially useful for…

Identification
• Tools give visibility into what is happening in the environment and can provide automated notification and response; HP ArcSight is an example of a critical tool for identification

Containment
• Here tools are used for investigation and for stopping the incident from getting worse; HP ArcSight helps track spreading and HP EnterpriseView tracks remediation

Eradication
• The final clean-up tools are important: HP ArcSight can track whether eradication has happened, and HP EnterpriseView tracks the remediation effort

Tools don’t make the team, but they certainly do help. The right tool for the right situation… Having solid surrounding processes in place is key!

Page 7

Low-Tech Variety

Page 8

Low tech tools
Not every tool is an expensive, shiny toy

Low tech uses what most organizations should have anyway:
• Network maps
• Documented policies, standards, procedures
• Team practices
• Flow diagrams
• Critical system lists
• Call trees
• Contingency plans (what happens during incidents and emergencies)
• Incident write-ups

• Your favorite office suite is your friend – documentation is critical
• The CISSP Security Architecture & Design domain prepares the organization for many situations, including incident response
• Helps in Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

Page 9

Existing Tools

Page 10

Existing tools
Use what you already have in place

Helps with all six stages of incident response

These tools likely already exist in most environments:

• OS logs – Provide the same historical view of the environment as application logs
• Firewalls – Stop attacks and also provide details about traffic flow at egress/ingress points
• Routers/switches – The traffic cops of the organization, with a key role in incidents
• Application logs – Provide the history of the environment, which is critical to security incident tracking from discovery through remediation
• IDS/IPS – Targeted views into the environment and potentially dangerous traffic, combined with the ability to stop malicious traffic

Page 11

SIEM Technologies

Page 12

Security information and event management

Combination of two critical functionalities:
• Information Management
• Event Management

• Consolidates event data from disparate systems
• Flexibility for different event source types
• One pane of glass for viewing event data across multiple systems
• Historical repository of event data for trending
• Event correlation for incident discovery:
  • Simple events: system A trying to reach known C&C sites, virus detected; usually individual events
  • Trend-related events: increase or decrease in events of type X; baselines vary over minutes, hours, days, etc.
  • Advanced correlation: if event X on system A and event Y on system B, then…
• Multiple notification channels for events: email, text, console alerts, SNMP, third-party integration, others
• Robust reporting capabilities
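To make the three correlation styles concrete, here is an added example written for this page (it is not HP ArcSight or any product's code): a toy correlation engine that runs a simple rule, a trend rule and an advanced two-system rule over a constructed event list. The event tuple format, the C&C watchlist, the brute-force baseline and the time windows are all assumptions; the triage_queue function orders the resulting alerts the way a SOC triage queue would, most severe first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, host, event_type, detail).
# Sorted so the windowed rules see events in time order.
EVENTS = sorted([
    ("2013-09-10T09:00:01", "ws-17", "dns_query", "evil-c2.example"),   # known C&C domain
    ("2013-09-10T09:00:05", "ws-17", "av_detect", "Trojan.Generic"),    # AV hit on the same host
    ("2013-09-10T09:00:30", "ws-09", "dns_query", "intranet.example"),  # benign lookup
    ("2013-09-10T09:02:10", "ws-22", "failed_login", "bob"),            # one typo, noise
    ("2013-09-10T09:06:00", "srv-01", "new_admin_account", "svc_backup2"),
] + [  # eight failures against 'admin' from ws-31 inside 35 seconds: brute force
    ("2013-09-10T09:03:%02d" % (5 * i), "ws-31", "failed_login", "admin") for i in range(8)
])

KNOWN_C2 = {"evil-c2.example"}  # constructed watchlist standing in for a threat feed
SEVERITY = {"advanced": 3, "trend": 2, "simple": 1}

def simple_rules(events):
    """Single-event matches: contact with a known C&C host, or an AV detection."""
    alerts = []
    for when, host, etype, detail in events:
        if etype == "dns_query" and detail in KNOWN_C2:
            alerts.append(("simple", host, "lookup of known C&C %s" % detail))
        elif etype == "av_detect":
            alerts.append(("simple", host, "virus detected: %s" % detail))
    return alerts

def trend_rule(events, etype, window, baseline, factor=3):
    """Count `etype` per host in a sliding window and alert once when the count
    exceeds factor x baseline (a real SIEM derives the baseline from history)."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for when, host, e, _ in events:
        if e != etype:
            continue
        t, q = datetime.fromisoformat(when), recent[host]
        q.append(t)
        while t - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > factor * baseline and host not in flagged:
            flagged.add(host)
            alerts.append(("trend", host, "%d %s events within %s" % (len(q), etype, window)))
    return alerts

def advanced_rule(events, first, second, window):
    """If `first` occurs on system A and `second` follows on a different system B
    within `window`, raise one alert naming both hosts."""
    alerts, seen_first = [], []
    for when, host, e, _ in events:
        t = datetime.fromisoformat(when)
        if e == first:
            seen_first.append((t, host))
        elif e == second:
            for t0, h0 in seen_first:
                if h0 != host and timedelta(0) <= t - t0 <= window:
                    alerts.append(("advanced", host, "%s on %s then %s on %s" % (first, h0, second, host)))
                    break
    return alerts

def triage_queue(events=EVENTS):
    """Run all three rule types and order the result as a SOC triage queue would:
    highest severity first, then by host."""
    alerts = (simple_rules(events)
              + trend_rule(events, "failed_login", timedelta(minutes=1), baseline=2)
              + advanced_rule(events, "av_detect", "new_admin_account", timedelta(minutes=10)))
    return sorted(alerts, key=lambda a: (-SEVERITY[a[0]], a[1]))

if __name__ == "__main__":
    for kind, host, why in triage_queue():
        print("%-8s %-7s %s" % (kind, host, why))
```

The single failed login from ws-22 never reaches the trend threshold, which is the noise-filtering the tuning slides later ask for.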

Page 13

HP ArcSight – something for everyone

HP ArcSight

HP ArcSight Express – An all-in-one SIEM solution for SMBs

HP ArcSight Connector – Allows collection of more than 350 log types

HP ArcSight ESM – Analysis and correlation engine

HP ArcSight Threat Detector – Detects threats through visualization and analysis

HP ArcSight Logger – Log collection, storage, and analysis

HP ArcSight Threat Response Manager – Provides threat mitigation and management from ESM or Express

HP ArcSight IdentityView – Ties SIEM capabilities to IAM solutions

Page 14

Keys to Successful SIEMing

Examine business reasons for having a SIEM
• Incident response
• Compliance
• Operational effectiveness
• Increase the security posture of the firm
…and design monitoring use cases in a purposeful manner.

Integrate into appropriate processes
• Computer incident response teams
• Network/Security operations centers
• Auditors and compliance officers
• System administrators
• Help/Service desks
• Legal and Human Resources (HR)

For IR, you may need additional data sources
• Business context data
• Threat intelligence
• Think about attacker motivation: who might attack me and how?
• Not capturing the lab systems because they are not allowed to connect to the internet does little good when the network administrator bypasses the controls to download patches…

Without a careful design process, the SIEM can easily get bogged down from a data storage and performance perspective.

Page 15

SIEM – Slow and steady can win the race
Iterative cycle for designing and building use cases

• Don’t boil the ocean – start with use cases designed to protect the most critical assets
• Develop the SIEM iteratively, and carefully tune each use case over time to filter out noise
• You may need to integrate threat intelligence data and a range of non-IT data to provide context relevant to your organization (asset data, HR data, transaction thresholds, etc.)
• Take full advantage of ArcSight’s Threat Model, including its ability to prioritize alerts based on asset criticality and vulnerability correlation
• Incorporate workflow that maps to well-designed incident handling processes, using ArcSight Case Management or external systems

Page 16

A Day in the Life – Incident Handling Leveraging ArcSight

[Flowchart; its boxes read as follows] Incident triggered (example: brute force attack) → incident created in the Task Triage queue (Task Triage Analyst Queue) → SOC analyst gathers information (logs) → false positive? If yes: close incident. If no: notify the platform/system owner or business unit → investigate → contain → resolution → recovery → incident closed → post incident analysis → consolidated security report. Both paths feed back to the content development process, so that it can dynamically adapt and improve.

Page 17

Intelligence sources

Page 18

Some cyber-security intelligence sites

Open Source/Free Intel
• Internet Storm Center
• SANS
• Bit9 File Advisor
• Luminary security blogs
• CERT
• Security Focus
• AV vendors’ free sites
• Security bulletin news lists (Microsoft, Cisco, other vendors in your environment)
• Vendor security briefs (Mandiant, Verizon, RSA, other vendors)
• Hacker sites
• And many others…

Pay Intel
• McAfee Global Threat Intelligence
• RSA NetWitness Live, Fraud Action, eFraud Network, Cybercrime Intelligence
• Symantec DeepSight Security Intelligence
• Mandiant Intelligence Center
• ThreatGRID
• Verisign iDefense Security Intelligence
• Vigilant by Deloitte Collective Threat Intelligence – designed specifically for ArcSight integration, comes with a purpose-built set of ArcSight use cases
• Just to name a few…

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Page 19

Network Data Captures

Page 20

Network Intelligence/Insight

Attacks start as 0s and 1s going over the wire
• It doesn’t matter if it is infected email, C&C communication, or something else
• Many networks are more open than they should be
• Disparate networks and complex segmentation make visibility difficult

IPS solutions provide value
• New advanced IPS is more effective against advanced threats (HP TippingPoint)

Relatively new security NBADs (network behavior anomaly detection products) provide new visibility
• Radware DefensePro
• FireEye Malware Protection System
• Damballa Failsafe
• RSA Security Analytics (formerly NetWitness)
• Solera DeepSee

Next-Gen Firewalls provide value
• Visibility through all seven layers of the OSI model

Page 21

Forensics Investigations

Page 22

Forensic Investigations
Once something’s happened, you need to understand what it was

Forensic investigation to dig into the details

Software available:
• Guidance Software EnCase
• Spector CNE Investigator (ultimate big brother)
• AccessData FTK (Forensic Toolkit)
• The Coroner’s Toolkit
• Autopsy/The Sleuth Kit
• HP ArcSight Logger

Outsourced investigations:
• Guidance Software PS
• Mandiant
• RSA PS
• Deloitte

Make sure the legal department is involved in investigations. Investigations should be done under attorney-client privilege when possible.

And don’t forget mobile devices…

Page 23

Still Room for Old School Tools

Page 24

Old School is Still Good
New toys are nice, but the old stuff still works

Keep using your favorite tools. Sometimes the most effective way to get what you need is to use what you know:

• sed/grep/awk
• vi/TextPad/Notepad
• Original log files
• Wireshark
• Find/Search
• nmap
• Snort

Page 25

Put It All Together

Page 26

Pull It All Together
GRC pulls data from multiple systems and provides a valuable aid

• A global view of the environment can be extremely helpful – SIEM is a great start
• Governance, Risk, & Compliance (GRC) through HP EnterpriseView provides a common framework and glue for many different systems and types of data

Provides many benefits:
• An easily understandable dashboard for executives, and business unit visibility into the team’s activities
• Broad and integrated with your security policies, regulatory compliance, security framework architecture, security configurations, etc.
• Automated workflow that can integrate multiple tools
• Need to transition your incident response over to a DR or BCP effort? GRC can help
• A business-centric and risk-based view of the infrastructure

Page 27

The Most Critical Element

Page 28

Training and Practice
Having the tools doesn’t mean you know how to use them

• Having the tools available is only part of the equation for an effective incident response team
• You need to know how each one is properly used individually and how they all fit together to solve the incident response challenge.

To be successful with incident response, your team needs:
• Training on individual tools – if you don’t know how to use HP ArcSight or your Guidance Software EnCase, your response capability may be degraded
• Training on integrated solutions – helps in learning and understanding how the tools fit together to form the response capability
• Practice with test exercises – Work through test scenarios in the lab
• Practice with tabletop drills – A valuable learning experience and a time for the team to ‘experiment’ with new tactics or techniques
• Practice with ‘live’ exercises – Working within the production environment provide

Page 29

Most Important Tool

Your PEOPLE
• Treat them well
• Respect the team
• Train them
• Give them the resources to succeed

Page 30

Wrap Up

Page 31

To Sum It Up…

• Tools are useful, but you still need to build policies, processes, and procedures around your incident response capability (usually before you pick your tools)
• Think about what an incident might look like and what result you want to accomplish, then design your IR capability to get your desired outcome
• You absolutely need strong management and C-level support for an IR program to be effective
• Ask yourself tough questions: Is our organization able to handle large incidents alone? Are we prepared for outside vendors to help if we can’t meet the needs alone?
• Match your tools to your policies and procedures: if you’re going to outsource parts, then don’t get those tools
• Integrate IR into your organizational policies and practices: leverage existing tools when possible
• Make sure you are prepared
• Testing, testing, and more testing

Page 32

Questions?

Clarke Cummings Manager | Audit & Enterprise Risk Services/Security & Privacy Deloitte & Touche LLP [email protected] | www.deloitte.com

Page 33

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Product names mentioned in this document are the trademarks or registered trademarks of their respective owners and are mentioned for identification purposes only.

Copyright © 2013 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited

Page 34

Security for the new reality