OVERCOMING incident response ROADBLOCKS
Benoît H. Dicaire & Serge Mélone
iQ7 2018 Annual Conference — October 26, 2018
AGENDA
Benoît H. Dicaire, www.linkedin.com/in/bhdicaire, 514 718-0002
Security & Privacy Strategist. Benoît designs risk strategies to help companies create better products and services.
Serge Mélone, www.linkedin.com/in/smelone, 514 594-7346
Security & Technology Risk Manager. Serge implements risk strategies to help companies create better products and services.
INTRODUCTION: Everyone is a target
§ Financial systems
§ Large enterprises
§ Consumer devices
§ Energy equipment
§ Aviation
§ Automotive industry
§ Government
§ Industrial equipment
INTRODUCTION: Your organization's perspective…
WE CONDUCTED AN INTRUDER TEST.
The test should cover the entire infrastructure so that the company can quickly eliminate all discovered vulnerabilities.
WE’VE NEVER BEEN ATTACKED SO OUR SECURITY SYSTEM MUST BE GOOD.
Caution: threats continue to grow and become more complex.
WE’VE DESIGNED HIGH-END SECURITY TOOLS.
Security tools are only effective when properly configured, integrated and controlled within all security operations.
WE COMPLY WITH INDUSTRY REGULATIONS AND BEST PRACTICES.
Compliance requirements often cover only the minimum security measures, not all critical systems and information.
A THIRD PARTY PROVIDER RUNS OUR SECURITY.
Regardless of the provider's competence and capabilities, the question is whether the complex threats facing a company will be taken seriously enough by a third party for it to protect the company sufficiently.
WE’VE INVESTED IN STRICT SECURITY CONTROLS.
It is not enough to rely on standard IT security controls alone. Critical business elements should be protected above all.
OUR SECURITY IS MANAGED ADEQUATELY BY THE IT TEAM.
A threat can take over an entire business. Therefore, management should work closely with IT.
WE ONLY NEED TO SECURE OUR INTERNET APPLICATIONS.
One should also be equipped against internal threats and member/staff abuse.
WE’VE COMPLETED OUR SECURITY PROJECT.
Security is an ongoing project that can never be completed.
WE AREN’T STATISTICALLY AT RISK.
Every company is at risk for a data breach and should be prepared.
INTRODUCTION: Your organization's approach to cybersecurity…
Governance Body / Board / Audit Committee
Senior Management
1. Safety Barrier: Management Controlling; Internal Controlling Measures
2. Safety Barrier: Security; Risk Management; Quality; Inspection; Compliance; Finance Controlling
3. Safety Barrier: Internal Audit
Outside the organization: External Audit; Regulator
AGENDA: Overcoming incident response roadblocks
1. Response planning
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Takeaways
RESPONSE PLANNING: Prepare for the inevitable…
“Your business must be prepared – an intrusion is inevitable for many organizations and preventative security measures will eventually fail. The question you must accept isn’t whether security incidents will occur, but rather how quickly they can be identified and resolved.”
Rob McMillan, Sr Director Analyst — Gartner
RESPONSE PLANNING: Assume you will be compromised, if not already…
RESPONSE PLANNING: Security incidents are just another type of incident
RESPONSE PLANNING: Major losses of productivity and of service availability are to be expected
Source: ENISA Business Continuity Process
RESPONSE PLANNING: A crisis is never too far away…
Domino effect of a major incident:
§ Negative social media coverage
§ Loss of sales
§ Employees unable to access systems
§ Extreme pressure on operations
§ Forensic investigations
§ Cost of alerting customers
§ Negative local/national press
§ Contractual breach
§ Regulatory investigations
§ Remediation costs
§ Loss of customers
§ Loss of jobs
§ Loss of organization/business
DETECTION: Handling security incidents requires recognizing the signs of an incident
DETECTION: Taxonomy
1. FOUR GROUPS OF ATTACKERS: a. Government b. Enterprises c. Cybercriminals d. Cyberterrorists or hacktivists
2. CAPABILITY: The ability to hack, steal or damage
3. INCENTIVE: Different motives to attack
4. FOUR TYPES OF TARGET: a. Public sector b. Private enterprise c. Individuals d. Critical national infrastructure (CNI)
5. VULNERABILITY: Can be technical (lack of firewall) or human (employees being tricked)
6. ASSETS: a. Data b. Systems that vary in criticality
DETECTION: Sometimes it’s just about precursors of compromise
[Figure: threat relationship diagram. Nodes: User, Manufacturer, Apps, Vulnerabilities, Malware, Botnets, SPAM, Drive-by exploits, Distributed Denial of Service attacks, Identity theft, Targeted attacks, Social engineering. Edge labels: is careless with handling, bears responsibility for, is responsible for, applies, send, enable, use, distributes, entices to install, contain patches, depends on, is susceptible to, attack, uses, links.]
DETECTION: Abnormal behaviour identification requires proper knowledge
Policy / Evaluation / Techniques
Process / Product / Business package / Ecosystem
§ Vulnerabilities
§ Configurations
§ Behaviours (Users & Entities)
§ Log Management
§ Asset Management
§ Identity and Access Management (IAM)
§ Cyber threat hunting
§ Security Tools Operations (IDS, IPS, Anti-Virus, etc.)
§ Events Correlation
CONTAINMENT: Stop it before getting overwhelmed
CONTAINMENT: Attackers classification
Columns: ATTACKER / OBJECTIVE / MEANS / APPROACH
STATE ACTORS, INTELLIGENCE
– Objective: § Information § Espionage § Combat crime § Damage
– Means: § Enormous financial possibilities § Benefits more important than costs
– Approach: § Buy knowledge § Training § Inconspicuous attacks § Sustainable
TERRORISTS
– Objective: § Damage § Attention § Political manipulation
– Means: § Average financial means
– Approach: § Buying knowledge on the black market § Physical and mental attacks
ORGANIZED CRIME
– Objective: § Money § Business
– Means: § Earn money § Focus: cost benefits
– Approach: § Existing gangs § Organized specialists § Blackmail
HACKTIVISTS, GROUPS
– Objective: § Attention § Damage § Highlighting system vulnerabilities
– Means: § Minimal means § Huge bandwidth and coverage
– Approach: § Motivated amateurs & specialists § Momentum
VANDALS, SCRIPT KIDDIES
– Objective: § Fame § Reputation § Attention
– Means: § Minimal means § Little knowledge
– Approach: § Applying available tools § Opportunistic
CONTAINMENT: The complexity of cyber attack capabilities is growing
EVOLUTION OF TECHNOLOGY (timeline 1990s, 2000s, 2010-2014, Now; threat level rising from Low to High)
1990s: DATA IN SECURE BUSINESS SYSTEMS § Mainframe systems § Internetworking § Emergence of open systems
2000s: INTERNET ACCESS AND HIGHLY CONNECTED SYSTEMS § Online access to citizen data § Advances in internetworking § Citizen self service
2010-2014: ACCESS ANYWHERE & ANYTIME § Integrated online eligibility systems § Big data § Cloud § Mobile
Now: DATA EVERYWHERE; USER EXPERIENCE DRIVEN § Wearable technology § Internet of things § Smart devices § Drones § Artificial intelligence § Mobile payment § Etc.
Threats plotted along the timeline: Hackers, Insecure codes, Network attacks, Malware, Cyber crime, Identity theft, Data breach, Cyber terrorism, Critical infrastructure attacks, Foreign state sponsored cyber espionage, Cyber warfare
THE ATTACK LIFECYCLE AKA KILL CHAIN:
1. Recon
2. Weaponize
3. Deliver
4. Exploit
5. Control
6. Execute
7. Maintain
CONTAINMENT: Advanced Persistent Threat (APT)
Cyber-attack lifecycle for an APT attack (phases of the cycle):
§ Looking for victims
§ Preparing for/diverting attacks
§ Initial infection
§ Spying on the network
§ Obtaining further rights
§ Continuous monitoring
§ Data espionage/sabotaging systems
§ Eliminating evidence
ERADICATION: Be nice or leave…
ERADICATION: Play by your rules…
A playbook per specific threat:
§ Malware such as Cloudbleed
§ Ransomware such as WannaCry
§ Stolen or lost laptop
§ Stolen privileged user identity
§ Distributed Denial of Service
§ Etc.
ERADICATION: Do not expect all playbooks to have the same maturity level…
Maturity levels:
1. AD HOC OR INITIAL
2. REPEATABLE
3. DEFINED
4. MANAGED
5. OPTIMIZED
Example of improvement for application security: an improvement will increase cybersecurity applications maturity from level 2 to 3.
Example of improvement for threat and vulnerability management: the organization is only at level 1 maturity in managing threats and vulnerabilities; the target state is set to level 4.
RECOVERY: Get everything back to “normal”
RECOVERY: All stakeholders execute their contingency and recovery plans
Internal and external stakeholders: Owner; Employee; Management; Customer; Supplier; Public; Shareholder; Partner
TAKEAWAYS: Unlocking your incident response capability
TAKEAWAYS: Don’t reinvent the wheel
TAKEAWAYS: Continuous improvement with security and privacy inputs
Incident Management Process (continuous cycle):
1. Risk analysis
2. Policies, organizational measures
3. Technical measures
4. Validation and improvement
§ Computer Emergency Rescue Team (CERT)
– CERT (Carnegie Mellon University)
– CanCERT (EWA Canada)
– Canadian Cyber Incident Response Centre (Canada)
– OpenCert
– CertAQ (CSQPQ)
§ ISO/IEC 27035 Information security incident management
1. Principles of incident management
2. Guidelines to plan and prepare for incident response
3. Guidelines for incident response operations
§ ISO/IEC 27037:2012 Guidelines for identification, collection, acquisition and preservation of digital evidence
TAKEAWAYS: Reference materials
§ Computer Security Incident Handling Guide (NIST SP800-61 Rev. 2)
§ Create a Computer Security Incident Response Team (Carnegie Mellon University)
§ Good Practice Guide for Incident Management (ENISA)
– Study on CSIRT Maturity – Evaluation Process
– Security requirements for the procurement of products and services
§ Gestion des événements de cybersécurité (Canada)
§ Association of Chief Police Officers Good Practice Guide for Digital Evidence
§ Best Practices for Victim Response and Reporting of Cyber Incidents (US Department of Justice)
§ Data compromise procedure (Visa)