OPERATIONALIZING INCIDENT RESPONSE

Developing Threat Detection and Response Capabilities

CDM Media › Kansas_City_Summit_RSA


Page 1

OPERATIONALIZING INCIDENT RESPONSE

Developing Threat Detection and Response Capabilities

Page 2

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. - Bruce Schneier

You can't defend. You can't prevent. The only thing you can do is detect and respond. - Bruce Schneier

Page 3

Hacking for profit

Profit at people's expense

Focus on people - Shane Harsch

Page 4

Page 5

PICTURE, IF YOU WILL…

[Diagram: Security Patrol → Broken Window → Record & Assess → Report & Escalate → Police Investigate → Brief Leadership → Follow Trail → Schrodinger's Safe]

Why Not Cyber?

Page 6

AGENDA

▪ Business-Driven Security Lifecycle

▪ Operational Roles of Incident Response (IR)

▪ Why Hunting Matters

▪ Content

▪ How IR Differs from Security Operations

▪ Next Steps

Shane Harsch MBA, GCIA, GCIH, GCED, CTIA, CISSP

Field CTO, RSA Risk & Cybersecurity Practice

SANS Instructor

[email protected]

Page 7

IMPACT OF 20 FACTORS ON COST OF DATA BREACH (2017 Cost of a Data Breach: Ponemon)

Certain factors decrease or increase the cost of a breach

• Cost is per capita per compromised record.

• Average breach cost is $141 per capita.

An IR program with analytics directly addresses three key factors

• Enables an Incident Response Team

• Provides comprehensive security analytics

• Mitigates the risk of notifying too quickly

• These three factors could reduce cost by $31.60 (22%)

Page 8

RSA BUSINESS-DRIVEN SECURITY LIFECYCLE

[Diagram] Lifecycle stages: Business Objectives, Risk Alignment, Threat Priorities, Content Intelligence, Analytics, Incident Response, Defense-in-Depth, Metrics

Detection & Response: Threat Intel, Packets, Endpoint Forensics, Logs

Measure Risk: KPIs, Asset Criticality, Risk Register

Control Security (Defense-in-Depth): Vulnerability Management, Patch Management, Perimeter Defense, Endpoint Protection, Network Segmentation, Identity (auth and governance), Processes & Procedures

Page 9

OPERATIONAL ROLES OF INCIDENT RESPONSE

Threats

What threats are of concern?

What data feeds provide necessary information?

Which threat records are valid?

Content

What is the logic necessary to identify threats?

Which tools are required to identify threats?

What are the rules/parsers/alerts required?

Playbook

Validate tuned alerts

Execute standard procedures

Escalate if Playbook does not identify remediation

Hunting

90% Proactive investigations

10% Playbook escalations

Inform Threat of new findings

[Diagram: Incident Response = Threat + Content + Playbooks + Hunting]

Page 10

PRINCIPLES OF THREAT DETECTION

1. Business Defines Risks

▪ Create Risk Register with Threats and Critical Assets.

2. Threat Intel Defines Controls and Priorities

▪ Align Controls to mitigate controllable Threats.

▪ Cultivate Threat Intelligence for remaining Threat Priorities.

3. Establish IR Plan around your Threat Priorities

▪ Develop Use Cases for your Threat Priorities.

4. Operationalize Incident Handling

▪ Combine your Use Cases into Playbooks.

5. Hunt for Anomalies that exist outside your Playbooks.

6. Commit to Continuous Improvement

▪ Review incidents quarterly and critical incidents directly.

▪ Exercise playbooks through Simulation/TTX for readiness.

▪ Assess resilience to threats with Gap Analysis.

Page 11

WHY HUNTING MATTERS: DWELL TIME

[Flowchart: Active Threat → Defense-in-Depth: Prevented? YES → Security Operations; NO → Playbook: Detected? YES → Incident Response; NO → Threat Hunting. Dwell time runs from the Active Threat until it is detected, with the Critical Asset at stake.]

Page 12

ANATOMY OF A RANSOMWARE ATTACK

[Diagram: Victim Company behind a Perimeter FW; Recon Server and C2 Server outside the perimeter]

Page 13

HOW DO WE EVOLVE A SOC INTO AN ASOC?

CONTENT OF DOOM

But what kind of content?

Page 14

WHAT DATA DO WE NEED: CONTENT BY BUSINESS CASE

Compliance
  Objective: Auditing
  Interface: Reporting
  Content: Logs

Operations
  Objective: Device Admin
  Interface: Dashboards, Alerts
  Content: Security Logs, Netflow

Detection & Response
  Objective: Threat Hunting
  Interface: Event DB, Queries
  Content: Context Logs, Netflow, Packets, Endpoint

In the ransomware example, we needed packets and endpoint data to detect the attack.

Page 15

CRITICAL CONTENT: CORE ELEMENTS

Context from Logs: Who, where, when, and which resources accessed.

Trajectory from Netflow: Netflow maps an attack's lateral movement in your environment.

Evidence from Packets: Packets show IoCs for delivery, C2, and patterns of activity.

Proof from Endpoints: Endpoint data show IoCs for exploitation, installation, and actions.

Enterprise Visibility. Critical: FW, DNS, DHCP, AD, Proxy, VPN

Page 16

OPERATIONS AND RESPONSE

NIST 800-61r2 Incident Response Lifecycle. IR and SOC share the effort (CIRT: Incident Response; SOC: Security Operations).

Preparation

▪ Roles & Responsibilities

▪ Communications Plan

▪ IR Workflow

Detection & Analysis

▪ Incident Classification

▪ Use Case Methodology

  − Incident Prioritization

  − Response Procedures

▪ Identify Remediation Plan

Containment, Eradication & Recovery

▪ Execute Remediation Plan

▪ Evidence Handling

▪ Execute Remediation Plan

▪ Recovery

Post-Incident Activity

▪ After Action Report & Lessons Learned

Page 17

NEXT STEPS

HOW DO WE REALIZE THESE OBJECTIVES…TOMORROW?

Page 18

CONDUCT A SELF-ASSESSMENT: CURRENT STATE

• Understand your key Business-drivers today

• Create a Risk Register and identify your Critical Assets

• Gather information to Prioritize Threats

• Use Business-Driven Security Lifecycle to map organization

• Review the Principles of Threat Detection and Response to determine how you might add these capabilities today.

Page 19

TAKE CONTROL OF DNS

Around 95% of malware families use DNS for C2*

• Egress Filtering: deny DNS except from internal DNS

• Force all internal DNS requests to your DNS servers

• Give your threat analysts the ability to add domains

• Automate Malware & C2 domain feeds

• Sinkhole malware and C2 domains to alert SOC (not CIRT)

*Research by Infoblox and BlueCat Networks

Page 20

MALWARE & C2 DOMAIN FEEDS

• http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt

• http://www.malwaredomainlist.com/hostslist/hosts.txt

• http://malc0de.com/bl/ZONES

• http://mirror1.malwaredomains.com/files/justdomains

• https://isc.sans.edu/feeds/suspiciousdomains_High.txt

• http://osint.bambenekconsulting.com/feeds/dga-feed-high.csv

And many more…
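The two DNS slides above (take control of DNS; malware and C2 domain feeds) describe a pipeline: pull domain feeds, normalize them, and use the result to sinkhole and alert. The following is an added example written for this page, not code from the deck or from RSA. It assumes three feed layouts that the file names in the list suggest (a hosts-file style list with an IP in front of each domain, a one-domain-per-line list, and a CSV with the domain in the first column); the feed contents, the resolver query log, the firewall log, the internal resolver addresses and the DHCP lease table are all constructed. It goes a little beyond the slide in two ways: a query for a subdomain of a listed domain counts as a hit, and the firewall-log check flags internal hosts that send port-53 traffic without going through the internal resolvers, which is the condition the "force all internal DNS requests to your DNS servers" control is meant to prevent.

```python
import csv
import re

# Constructed stand-ins for three of the feed formats listed above:
# hosts-file style (ip + domain), one domain per line, and CSV with the domain in column 0.
HOSTS_FEED = """# constructed hosts-file style feed
127.0.0.1  evil-update.example
127.0.0.1  cdn-stat.example
"""
PLAIN_FEED = """# constructed one-domain-per-line feed
evil-update.example
Payload-Drop.Example.
"""
DGA_CSV_FEED = """# constructed DGA feed: domain,description,date
qkxz7h.example,constructed DGA family,2017-01-01
"""
FEEDS = [(HOSTS_FEED, "hosts"), (PLAIN_FEED, "plain"), (DGA_CSV_FEED, "csv")]

# Constructed resolver query log (BIND-style) and firewall log lines.
RESOLVER_LOG = """\
10-Oct-2017 09:15:01.123 client 10.1.20.15#51234: query: www.intranet.example IN A + (10.1.0.53)
10-Oct-2017 09:15:07.456 client 10.1.20.15#51240: query: api.evil-update.example IN A + (10.1.0.53)
10-Oct-2017 09:16:02.789 client 10.1.30.77#60001: query: qkxz7h.example IN A + (10.1.0.53)
"""
FW_LOG = """\
2017-10-10T09:15:01Z action=allow proto=udp src=10.1.0.53 dst=203.0.113.9 dport=53
2017-10-10T09:15:09Z action=allow proto=udp src=10.1.20.15 dst=198.51.100.44 dport=53
2017-10-10T09:15:11Z action=allow proto=tcp src=10.1.20.15 dst=203.0.113.80 dport=443
"""
INTERNAL_RESOLVERS = {"10.1.0.53", "10.1.0.54"}                      # assumed internal DNS servers
DHCP_LEASES = {"10.1.20.15": "WS-FIN-015", "10.1.30.77": "LAB-77"}  # constructed lease table

DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
QUERY_RE = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) IN")


def normalize_domain(name):
    """Lower-case, drop surrounding whitespace and a trailing dot; None if not domain-shaped."""
    name = name.strip().lower().rstrip(".")
    return name if DOMAIN_RE.fullmatch(name) else None


def parse_feed(text, fmt):
    """Normalize one feed body into a set of domains; blank lines and '#' comments are skipped."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if fmt == "hosts":
            parts = line.split()
            candidate = parts[1] if len(parts) > 1 else ""
        elif fmt == "csv":
            candidate = next(csv.reader([line]))[0]
        else:
            candidate = line
        domain = normalize_domain(candidate)
        if domain:
            domains.add(domain)
    return domains


def build_blocklist(feeds):
    """Union of every feed's domains; duplicates across feeds collapse into one entry."""
    blocklist = set()
    for text, fmt in feeds:
        blocklist |= parse_feed(text, fmt)
    return blocklist


def matches_blocklist(qname, blocklist):
    """True if the name or any parent short of the TLD is listed, so C2 subdomains also hit."""
    domain = normalize_domain(qname)
    if domain is None:
        return False
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def sinkhole_alerts(log_text, blocklist, leases):
    """Resolver queries for listed domains, enriched with the DHCP hostname and routed to the SOC."""
    alerts = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        if matches_blocklist(qname, blocklist):
            alerts.append({"ts": ts, "client": client, "host": leases.get(client, "unknown"),
                           "qname": qname.lower(), "route": "SOC"})
    return alerts


def resolver_bypass(fw_log, internal_resolvers):
    """Port-53 flows whose source is not an internal resolver: a host is bypassing the DNS control."""
    hits = []
    for line in fw_log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("dport") == "53" and fields.get("src") not in internal_resolvers:
            hits.append((fields["src"], fields["dst"]))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(FEEDS)
    print("blocklist:", sorted(bl))
    for alert in sinkhole_alerts(RESOLVER_LOG, bl, DHCP_LEASES):
        print("sinkhole hit ->", alert)
    for src, dst in resolver_bypass(FW_LOG, INTERNAL_RESOLVERS):
        print("resolver bypass ->", src, "to", dst)
```

The alert carries the DHCP hostname because, as the critical-content slide puts it, the "who, where, when" context comes from logs such as DHCP and AD; a sinkhole hit with only an IP address is hard to triage. Routing the hit to the SOC rather than the CIRT follows the slide's split of duties: a sinkholed query is a playbook event, not an incident requiring the hunters.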

Page 21

STAFFING

[Diagram] Lifecycle stages: Business Objectives, Risk Alignment, Threat Priorities, Content Intelligence, Analytics, Incident Response, Defense-in-Depth, Metrics

Detect & Respond: Threat Intel, Packets, Endpoint Forensics, Logs

Measure Risk: KPIs, Asset Criticality, Risk Register

Control Security (Defense-in-Depth): Vulnerability Management, Patch Management, Perimeter Defense, Endpoint Protection, Network Segmentation, Identity (auth and governance), Processes & Procedures

Staffing labels: CIRT (Incident Response), MDR, SOC (Security Administration), MSSP

Page 22

CIRT STAFF

Threat Intel (staff: 1-2)

What threats are of concern?

What data feeds provide necessary information?

Which threat records are valid?

Content (staff: 1-2)

What is the logic necessary to identify threats?

Which tools are required to identify threats?

What are the rules/parsers/alerts required?

Playbooks/Triage (staff: 24x7: 6-7; 8x5: 2-3 but…)

Validate tuned alerts

Execute standard procedures

Escalate if Playbook does not identify remediation

Hunting (staff: 1-2)

90% Proactive investigations

10% Playbook escalations

Inform Threat of new findings

[Diagram labels: Retainer; CIRT / Incident Response; MDR]

Page 23

DISRUPT THE KILL CHAIN: START HUNTING

The internet is hard and so can you

• Hunt for common indicators

• Prioritize critical assets

• Map vulnerabilities to exploits

• Map your controls

• Understand your capabilities

Page 24

GET HELP: WORK WITH SOMEONE WHO HAS DONE THIS BEFORE

• Gap Analysis and Roadmap

• Threat Intelligence Program Roadmap

• Incident Response Plan

• Tactical Playbook Development

• Incident Response Retainer

• Controlled Attack and Response Exercises

• Tabletop Exercises

Find the right combination of internal, MSSP, MDR, Retainer, and ACD services that makes sense for you and your threat priorities.

Page 25

Shane Harsch MBA, GCIA, GCIH, GCED, CISSP, CTIA

Field CTO, RSA Risk & Cybersecurity Practice

SANS Instructor

[email protected]

Thank You

Page 26

WORKSHOP EXERCISES

Page 27

UNDERSTAND YOUR CURRENT STATE

SECURITY ARCHITECTURE

▪ Log Analysis/Management

▪ Perimeter (FW, NIPS, Proxy, etc.)

▪ Network Monitoring (Malware, NIDS)

▪ Network Segmentation

▪ Host Monitoring (HIDS, Forensics)

▪ Host Protection (AV, Malware, HIPS)

▪ Vulnerability Scanning

▪ Patch Management

▪ Identity Management/Workflow Automation

▪ Encryption

BUSINESS ALIGNMENT & PROCESSES

▪ Current IR Plan

▪ Relation to Business IR Plan

▪ Escalation Plan

▪ Incident Tracking

▪ Post-Incident Review

▪ 24x7 vs 8x5

▪ Metrics Requirements for IR

▪ Critical Asset Prioritization

▪ Alignment with eGRC

▪ Current Staffing for CIRT vs. SOC

▪ Number of Incidents per day/week

Page 28

WHAT IS THREAT INTELLIGENCE? (THREAT INTEL)

The analysis of an adversary's intent, opportunity, and capability to do harm is known as cyber threat intelligence. - SANS

• What attacks are likely to target which critical assets?

• How might an attack succeed in your environment?

• What content contains key Indicators of Compromise (IoCs)?

• How do you analyze your content to detect these IoCs?

• How do you gather, store, handle, vet, and share threat intel?

• What sources of threat intel do you require?

• How is that intel parsed and normalized?

• How are your threat priorities integrated into controls, playbooks, and hunting?

Page 29

START WITH FIRST TWO STAGES OF IR (NIST 800-61r2 Incident Response Lifecycle)

PREPARATION

▪ Roles & Responsibilities

▪ Communications Plan

▪ IR Workflow

DETECTION & ANALYSIS

▪ Incident Classification

▪ Use Case Methodology

  − Incident Prioritization

  − Response Procedures

▪ Identify Remediation Plan

Page 30

ROLES & RESPONSIBILITIES: RACI

R – Responsible: Person or role responsible for actually doing or completing the item

A – Accountable: Person or role responsible for ensuring that the item is completed

C – Consulted: Person or role whose subject matter expertise is required in order to complete the item

I – Informed: Person or role that needs to be kept informed of the status of item completion

RACI Chart: Incident Response Tasks

Columns, left to right: L1 Analyst, L2 Analyst, L3 Analyst, Security Ops Manager, End-User, Help Desk. Each row lists only the cells that carry a letter, in column order.

Identify Potentially Malicious Event: R R C A

Malicious traffic "Hunting": R A

Collect & Document supporting logs: R R A

Preliminary Validation: R R A

Dispatch to Desktop Support: R R R A I I

Lessons learned and reporting: R R A

Analyze Network Traffic: R

Analyze Malware Sample: R A

Analyze Host Machine: R A

Document Investigation Analysis: I R A

Create/update L2 checklists: I R A

KPI and Security Operations Team effectiveness: I C R

Remediation Execution: I I A C R

Security Ops Team Policy creation & review: I C R

Page 31

COMMUNICATIONS PLAN: KEEP ALL STAKEHOLDERS INFORMED

Define how you will communicate status and conclusion with an understanding of your audience.

▪ Example Internal

− The IS Helpdesk currently performs end user notifications via email or phone call. The IR Team performs as an advisory role to the IS Helpdesk team when end user notification regarding security incidents or other security communications are required. If an incident involves a server compromise, the IR Team may communicate with the respective team directly in order to expedite the containment and remediation of the incident.

▪ Example External

− As determined on a case by case basis, the IR Team may work in an advisory role to the executive team regarding external communication of security incidents. All external communications will be performed by the team designated by the Executive Breach Response Plan during security incidents.

Page 32

COMMUNICATIONS SECURITY PLAN

SAMPLE INTERNAL PLAN

• Non-confidential communication does not need to be encrypted.

• If confidential information is being sent internally (customer or otherwise), ensure that any attachments are encrypted and the email itself is encrypted if any confidential information is contained in the body of the email.

• Use an out-of-band form of communication to ensure that the recipient can open any attachments that were sent. Do not include any decryption keys/passwords in the body of the email, even if the email itself is encrypted. Out-of-band communications include:

  • Text messages

  • Voice calls

  • Meeting in person

• In the event of a breach, communications should be assumed to be compromised. Internal email and internal chat communications should not be used to discuss the incident.

SAMPLE EXTERNAL PLAN

• Verify that the email address is the intended audience to receive the email.

• If an email is sent in error, immediately send an email to the unintended recipient informing them to delete the email.

• Never transmit confidential information unencrypted.

• Never transmit confidential information to personal email addresses.

Page 33

WORKFLOW – HIGH LEVEL

Page 34

CONTAINMENT, ERADICATION, AND RECOVERY

IDENTIFY REMEDIATION PATH

▪ Document and close out incident for IR Team

WORKING WITH THE SOC

▪ Communicate to Operations Team for Remediation

− Understand and structure communications to provide information in the best format for consumption

▪ Operations Responsible/Accountable for Last Three Stages of IR

− Containment

− Eradication

− Recovery

If your hunters are working on containment, eradication, and recovery, they aren’t hunting.

Page 35

FRAMEWORK FOR INCIDENT RESPONSE

Preparation

▪ Roles & Responsibilities

▪ Communications Plan

▪ Workflow

Detection & Analysis

▪ Incident Classification

▪ Use Case Methodology

▪ Response Procedures

▪ Incident Prioritization

▪ Identify Remediation Plan

Containment

▪ Execute Remediation Plan

▪ Evidence Handling

Eradication & Recovery

▪ Execute Remediation Plan

▪ Recovery

Post-Incident Review

▪ After Action Report & Lessons Learned

CIRT: Incident Response

SOC: Security Operations

Operationalizing the Framework is Critical

Page 36

ADDITIONAL INFO

Page 37

TYING IT ALL TOGETHER

Page 38

RSA NETWITNESS PLATFORM

ACCELERATED THREAT DETECTION FROM THE ENDPOINT TO THE CLOUD

FORCE MULTIPLIER FOR SECURITY ANALYSTS & INCIDENT RESPONDERS

A BUSINESS-DRIVEN SECURITY APPROACH, PROVIDING BUSINESS CONTEXT

INTELLIGENCE-DRIVEN SOC

Page 39

ADVANCED CYBER DEFENSE: RAPID PROGRAM DEVELOPMENT

Offerings: Cyber Gap Analysis; Incident Response Plan; Cyber Use Cases; Cyber Threat Intelligence Roadmap; RSA IR Retainer

▪ Gap analysis with prioritized roadmap recommendations

▪ IR Plan

▪ Incident Walkthrough Exercise

▪ Hunting Services and Retainer

▪ Review of current capabilities

▪ Roadmap of critical requirements

▪ Four levels (bronze, silver, gold, platinum)

▪ Live response capable (with RSA NetWitness)

▪ Up to 3 hour SLA

▪ Technology agnostic

▪ Develop Monitoring Use Cases

▪ Response Procedures

Threat Detection & Response: Structured business-driven solutions to quickly establish strategy and operations. Delivers business outcomes to remediate Organizational impact and deliver rapid time-to-value. Customizable packaging with tailored scope of effort and accelerated access to battle-tested security experts.

ADVANCED CYBER DEFENSE AND INCIDENT RESPONSE

Page 40

RSA CONTROLLED ATTACK & RESPONSE EXERCISE (CARE)

Threat Detection

• Capture the flag exercise

• Designed with customer input

• Simulates sophisticated actor

• Based on existing toolset/technical controls

Threat Response

• Focused on the IR process & procedures

• Bonus points for accelerated response

• Based on existing IR Plan/operational model

Page 41

RSA CONTROLLED ATTACK AND RESPONSE EXERCISE (ACD SERVICES, PS-BAS-CON-CARE)

5 WEEKS (3 TRIPS INCLUDED)

• Review of up to 10 process documents and artifacts

• Conduct up to 6 interviews (1 hour)

• Observation of the incident response routine

• Develop 3 attack scenarios, including "capture flags"

• Execute the 3 attack scenarios over a 2 day period

• Assess capabilities throughout the incident handling lifecycle

• Conduct a basic Knowledge Transfer for recommendations

• Deliverables

  • Design Report

  • Findings Report

  • Executive Presentation

Page 42

RSA EXECUTIVE TABLETOP FOR CARE (ACD SERVICES, PS-BAS-CON-ACD10)

2 WEEKS (1 TRIP INCLUDED)

4-hour TTX for up to 10 executive participants, with a scenario defined by the results of RSA's CARE.

• Assess capabilities throughout the incident response

• Identify common response difficulties and areas for process and communication improvement

• Conduct a basic Knowledge Transfer for recommendations

• Deliverables

  • Findings Report

  • Executive Presentation

Page 43

RSA BUSINESS-DRIVEN SECURITY SOLUTIONS

[Diagram] Lifecycle stages: Business Objectives, Risk Alignment, Threat Priorities, Content Intelligence, Analytics, Incident Response, Defense-in-Depth, Metrics

Defense-in-Depth

Page 44

RSA CYBER ANALYTICS PLATFORM

RSA PORTFOLIO

Page 45

RSA RISK AND CYBERSECURITY PRACTICE

650+ CYBERSECURITY EXPERTS ACROSS 24 COUNTRIES

RSA LABS

RSA ADVANCED CYBER DEFENSE PRACTICE

RSA DETECTION AND RESPONSE PRACTICE

RSA INCIDENT RESPONSE PRACTICE

RSA RISK MANAGEMENT PRACTICE

RSA RISK IDENTITY ASSURANCE PRACTICE

RSA UNIVERSITY

RSA PRODUCT AND CUSTOMER SUPPORT

RSA CYBERSECURITY EXPERIENCE

Page 46

ADVANCED CYBER DEFENSE: RAPID PROGRAM ASSESSMENT

Offerings: Cyber Gap Analysis; Executive Tabletop; Cyber Use Cases; Controlled Attack and Response Exercise (CARE); Expert-On-Demand

▪ Gap analysis with prioritized roadmap recommendations

▪ Scenario driven by CARE results

▪ 4-hour executive-focused exercise

▪ Findings Report & Recommendations

▪ Technology agnostic

▪ Develop Monitoring Use Cases

▪ Response Procedures

▪ Assessment of live response process

▪ Assessment of live response tools

▪ Report card across multiple eval points

▪ Duration Based offer of 10, 20, 40 & 60 Days

▪ Flexible service offerings

Threat Detection & Response: Structured business-driven solutions to quickly establish strategy and operations. Delivers business outcomes to remediate Organizational impact and deliver rapid time-to-value. Customizable packaging with tailored scope of effort and accelerated access to battle-tested security experts.

ADVANCED CYBER DEFENSE AND INCIDENT RESPONSE

Page 47

NSA ACCREDITED

• One of 14 companies accredited by the NSA

  − NSA Cyber Incident Response Accreditation

Page 48

BENEFITS OF AN IR RETAINER - REAL-WORLD RESPONSE EFFORTS

Retainer Customer

Hour 0 – Customer Identified Potential Incident & contacted RSA IR Retainer Hotline

Hour 1 – RSA IR familiarity w/ customer's environment, capabilities, available toolsets & data sources due to Retainer onboarding process. Immediate assistance with Triage and Data Collection recommendations

Hour 3 – Preliminary Analysis completed, confirmation of targeted attack against customer environment

Hour 16 – Ongoing analysis, 60% of Attacker Infrastructure identified

Hour 24 – Multiple RSA IR resources engaged to assist with targeted attack Investigation

Confirmation of Incident and fully engaged within hours

*Expedited Investigative Timeline – Remediation completed within 2 weeks

Non-Retainer Customer

Hour 0 – Customer Identified Potential Incident & contacted RSA Incident Response via email

Hour 3 – Initial incident scoping call and discussion with RSA IR. Contract discussion, recommendations for collection of preliminary data analysis

Hour 24 – Customer coordinated availability of resources familiar with environment for scoping of Endpoint & Network visibility required for investigation. Availability of preliminary data for initial review, inconclusive data sources

Hour 36 – Shipment of technology to support Incident Response Effort

Hour 48 – Implementation of Instrumentation to provide necessary Endpoint & Network visibility

Hour 72 – Multiple RSA IR resources engaged to assist with investigation of potential incident

Page 49

IR RETAINERS

                              Bronze    Silver    Gold      Platinum
Duration                      1 Year    1 Year    1 Year    1 Year
Effort Estimate (hrs.)        24        66        120       242
SLA (hrs.): Initial Response  8         6         3         3
SLA (hrs.): Initial Analysis  24        24        12        12
SLA (hrs.): On-site Analysis  72        48        24        24
Use of unused hours           N/A       ✓         ✓         ✓
Deliverables                  Preliminary Analysis Report (all tiers); Incident Discovery Report (Platinum)

Page 50

THREAT DETECTION & RESPONSE SERVICES PORTFOLIO

Addresses cyber security operations challenges. Delivers business outcomes to remediate Organizational impact and deliver rapid time-to-value. Customizable packaging with tailored scope of effort and accelerated access to battle-tested security experts.

Design & Implementation: Logs & Packets Implementation | Endpoint Implementation | Custom Log Parsers | Upgrade Planning & Execution

Custom Solution Development: Custom Scripting | Custom Integrations | Custom Content | Custom Packet Parsers | Event Source Onboarding

Ongoing Operational Support: NetWitness Residencies | Staff Augmentation | Expert on Demand | Tuning & Optimization | Knowledge Transfer

THREAT DETECTION & RESPONSE: Customizable service offerings to fit unique organizational needs and procurement models.

Page 51

RISK MANAGEMENT SERVICES PORTFOLIO

Addresses cyber security operations challenges. Delivers business outcomes to remediate Organizational impact and deliver rapid time-to-value. Customizable packaging with tailored scope of effort and accelerated access to battle-tested security experts.

GRC Program Strategy: Risk Management Maturity | GRC Program Strategy & Roadmap | Program Governance | Process Harmonization

RSA Archer Suite Strategy: Implementation Blueprint | Strategy & Roadmap | Optimization Assessment | Assessment Services | Hardware Sizing & Performance Health Check | Upgrade Readiness Assessment

RSA Archer Advanced Use Case Design: Plan of Action & Milestone | Federal Continuous Monitoring | Federal Assessment & Authorization | Operational Risk Management | Security Incident Management | Security Operations & Breach Management

Advanced Integrations: RSA Archer Suite API Design | RSA Ecosystem Integration

Customizable service offerings to fit unique organizational needs and procurement models.

Page 52

FRAUD AND RISK INTELLIGENCE SERVICES PORTFOLIO

Addresses cyber security operations challenges. Delivers business outcomes to remediate Organizational impact and deliver rapid time-to-value. Customizable packaging with tailored scope of effort and accelerated access to battle-tested security experts.

Fraud and Risk Analysis Management Program (AA)

Threat Analysis Program (WTD): Fraud Pattern Analysis | Fraud Incidence Investigation | Rule Scripting | Rule Performance Optimization | Knowledge Transfer | Expert On Demand

Health Check and Architecture Review

Web Threat Detection (WTD): System & Hardware Capacity Evaluation | System Performance Optimization | Resolution Design & Planning | Periodic System & Core Risk Engine Evaluation

Adaptive Authentication (AA): Deployment Review according to Best Practice | Environments Scaling | System Issues Investigation | Risk Engine Performance Check

FRAUD & RISK INTELLIGENCE: Customizable service offerings to fit unique organizational needs and procurement models.

Page 53

IDENTITY ASSURANCE SERVICES PORTFOLIO

Customizable service offerings to fit unique organizational needs and procurement models. Addresses cyber security operations challenges around Identity and Access Management. Delivers an identity business driven security strategy and helps clients to identify their risk and how to reduce it. Customizable packaging with tailored scope of effort and accelerated access to battle-tested security experts.

Business Driven Identity Journey (BDIJ): Future State Design | Planning for an Identity Strategy | Identity Gap Analysis | IAM Roadmap | Identity Control Framework | Business Stakeholder Meetings | Round Table Sessions

IAM Strategy, Assessment & Roadmap: RSA G&L specific | Business Driven Review of current deployment | Future state planning | Governance / Lifecycle roadmap | Use Case Development | IAM Plan Development

Identity Assurance Strategy, Assessment & Roadmap: RSA SecurID specific | Business Driven Review of current deployment | Future state planning | SecurID roadmap | Use Case Development | Identity Assurance Plan Development

Security Readiness and Strategy: Current State & Gap Analysis | Maturity Modeling | Various Roadmap Development

Page 54

THANK YOU

Shane Harsch MBA, GCIA, GCIH, GCED, CTIA, CISSP

Field CTO, RSA Risk & Cybersecurity Practice

SANS Instructor

[email protected]