What To Do When (Not If) Data Breaches Occur
Presented by Michael Santos, CISSP | Andrey Zelenskiy | Matthew Curtin, CISSP
June 11, 2014
Thank you for being here today
Presenter: Michael Santos, Director of IT Architecture and Security, Cooley LLP
Preparation “There are no secrets to success. It is the result of preparation, hard work, and learning from failure.” Colin Powell
1. Have a plan.
2. Have a team.
3. Have practice.
4. Look and listen.
Have a plan. “A good plan violently executed now is better than a perfect plan executed next week.” – George S. Patton
1. Start now. Don’t wait.
• Get it on paper.
• Start simple and add.
• Use the internet.
2. Roles & Responsibilities
3. Categorization of Incidents
4. Appropriate Response
5. Understandable
6. Communications Plan
NIST SP 800-61: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
ISO/IEC 27035: http://www.iso.org/iso/catalogue_detail?csnumber=44379
SANS Institute Incident Handler’s Handbook: http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Have a team. “Finding good players is easy. Getting them to play as a team is another story.” – Casey Stengel
1. Don’t pick your squad during game time.
2. Choose wisely.
3. Not everyone has to be on the team.
4. Numbers matter.
SANS Institute “Computer Incident Response Team”: http://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641
• Management
• Information Security
• Information Technology
• IT Auditor
• Physical Security
• Legal
• Human Resources
• Public Relations/Marketing
• Finance
Have practice. “An ounce of practice is worth more than tons of preaching.” – Mahatma Gandhi
1. Practice the plan.
2. Training.
3. Table top.
4. Schedule.
Look and Listen. “See no evil, hear no evil, speak no evil.” Then you will never find evil.
1. Turning a blind eye is not an option
2. Metrics and alert
3. Risk, Threats, Vulnerabilities
4. Monitor
5. Build relationships in the community
Tools
• E-mail Alerts
• System Dashboards
• Security Information & Event Monitoring
• Vulnerability Scanners
• Daily, Weekly, Monthly Reports
Communities
• ILTA LegalSEC
• FBI InfraGard
• US-CERT
• International Information Systems Security Certification Consortium (ISC)2
• Information Systems Security Association (ISSA)
• Vendor Alerts
Presenter: Andrey Zelenskiy, Information Security, Dentons US, LLP
Threat Landscape Today:
- Enterprises are attacked on average once every 1.5 seconds. In 2012, we reported malware attacks occurred once every three seconds. The increased frequency highlights the bigger role malware is playing in cyber attacks.
- Malware attack servers and command and control (CnC) infrastructure have been placed in 206 countries and territories, up from 184 in 2012. The U.S., Germany, South Korea, China, Netherlands, United Kingdom, and Russia were home to the most CnC servers.
Threat Landscape Today (Cont’d):
- The top ten countries that were most frequently targeted by APTs in 2013: United States, South Korea, Canada, Japan, United Kingdom, Switzerland, Taiwan, Saudi Arabia, Israel
- The following verticals were targeted by the highest number of unique malware families: Government, Services/consulting, Technology, Financial services, Telecommunications, Education, Aerospace/Defense, Government (State/Local), Financial services, Chemicals, Energy
Source: FireEye Advanced Threat Report 2013 (http://www2.fireeye.com/advanced-threat-report-2013.html)
New Security Model:
- Network
- Endpoint
- Mobile
- Virtual
- Cloud
Incident Identification
According to the SANS Incident Handler’s Handbook: “This phase deals with the detection and determination of whether a deviation from normal operations within an organization is an incident, and its scope assuming that the deviation is indeed an incident.” http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Where does the information come from?
- End Users
- Help Desk
- System Administrators
- Systems (IDS/IPS, Antivirus, Antimalware)
- Human Resources
Indicators:
- “My computer behaves strange”
- AV detections (how likely is that???)
- Ransomware (encrypted files on local drives and network shares)
- Unfamiliar files, executables, processes
- New program installed that is not part of a “standard” build
- Systems connecting to hosts in countries that you do not do business with
- New accounts created in AD
- New account privileges granted
Questions, Questions:
- Who?
- What?
- When?
- Where?
- How?
Tools:
- SIEM
- Log aggregation and management
- Endpoint protection
- Network protection
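As an added example (not part of the presentation), the Python below scans constructed sample log lines, normalised into key=value events from Active Directory, a firewall and antivirus as a log aggregator or SIEM might store them, for several of the indicators listed above (new AD accounts, privilege grants, connections to countries you do not do business with, AV detections) and groups the hits by host to start answering the who/what/when/where questions. The log format, the expected-country list and the privileged group names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the presentation), one event per line,
# already normalised to "timestamp key=value ..." by a log aggregator.
SAMPLE_LOGS = """\
2014-06-10T08:01:12 source=ad event=account_created actor=jdoe account=svc-backup2 host=DC01
2014-06-10T08:03:40 source=ad event=group_add actor=jdoe account=svc-backup2 group="Domain Admins" host=DC01
2014-06-10T08:05:02 source=fw event=connection host=WS-117 dst=203.0.113.9 country=XK bytes=48211
2014-06-10T08:05:03 source=fw event=connection host=WS-117 dst=198.51.100.4 country=US bytes=1200
2014-06-10T08:06:15 source=av event=detection host=WS-117 signature=Trojan.Generic action=quarantined
2014-06-10T08:07:00 source=fw event=connection host=WS-204 dst=203.0.113.77 country=XK bytes=9000
"""

# Assumptions for the example: where the organisation does business, and which
# AD groups count as a privilege grant when an account is added to them.
EXPECTED_COUNTRIES = {"US", "CA", "GB"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# key=value pairs; values may be quoted to allow spaces (e.g. group names).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one normalised log line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields

def find_indicators(log_text):
    """Return (indicator, who, what, when, where) tuples for matching events."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        ev = e.get("event")
        if ev == "account_created":
            hits.append(("new AD account", e["actor"], e["account"], e["ts"], e["host"]))
        elif ev == "group_add" and e.get("group") in PRIVILEGED_GROUPS:
            hits.append(("privilege granted", e["actor"], f'{e["account"]} -> {e["group"]}', e["ts"], e["host"]))
        elif ev == "connection" and e.get("country") not in EXPECTED_COUNTRIES:
            hits.append(("unexpected country", e["host"], f'{e["dst"]} ({e["country"]})', e["ts"], e["host"]))
        elif ev == "detection":
            hits.append(("AV detection", e["host"], e["signature"], e["ts"], e["host"]))
    return hits

def hosts_by_indicator_count(hits):
    """Rank hosts by how many distinct indicator types fired on them (where to look first)."""
    per_host = defaultdict(set)
    for kind, _, _, _, host in hits:
        per_host[host].add(kind)
    return sorted(per_host.items(), key=lambda kv: -len(kv[1]))
```

A host that trips several different indicators (here WS-117 with both an AV detection and a connection to an unexpected country) is a stronger candidate for triage than one that trips a single rule.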
Containment
“The primary purpose of this phase is to limit the damage and prevent any further damage from happening” (SANS Incident Handler’s Handbook)
Containment Phases:
- Short-term containment (limit the damage as soon as possible)
- System backup
- Long-term containment
What We Have Learned from the Target Attack: Missed Alarms and 40 Million Stolen Credit Card Numbers http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
“Real Life” Approach Using Cisco Sourcefire AMP Technology
Cisco Sourcefire FireAMP ”Sourcefire’s Advanced Malware Protection solutions utilize big data analytics to continuously aggregate data and events across the extended network - networks, endpoints, mobile devices and virtual environments - to deliver visibility and control against malware and persistent threats across the full attack continuum – before, during and after an attack.”
Most Recent Events Navigating to the Events tab by clicking on a threat, IP address, or computer name in the Dashboard tab provides different filtered views.
File Analysis File Analysis allows a user to upload an executable into a sandbox environment where it is placed in a queue to be executed and analyzed automatically. The results are then made available to all FireAMP users.
File Analysis (cont’d) The File Analysis page also allows the user to search for the SHA-256 of an executable to find out whether the file has already been analyzed. If it has, the analysis report is available and can be viewed by the user.
Captured Screenshots When analyzing malware, a series of screenshots is also collected. These screenshots can be used to observe the visual impact that the malware has on the desktop of a victim. They can also be used in user education campaigns: in the case of an outbreak, the security analyst can send screenshots of this threat’s behavior to network users and warn them of the symptoms.
Network Capture You can download the entire network capture that was collected while analyzing the binary. This feature can be used to create an IDS signature to detect or block activity that is associated with this threat.
Trajectory Visibility and File Details
Trajectory (Cont’d) “Created by…”
Trajectory (Cont’d) “Executed by…”
Trajectory (Cont’d) “Moved by…”
Trajectory (Cont’d) “It Created…”
Eradicate
1. Remove the problem.
2. Be swift, efficient, thorough.
3. Don’t forget the user.
4. Don’t forget to use an appropriate response.
5. Be prepared to restore data.
6. Is there more?
7. Tune your defenses.
People
• Someone needs to visit the machine – at least remotely.
Process
• Imaging checklists
• Server build checklists
• Change Management
Tools
• Antivirus
• Rootkit & Registry Cleaners
• Scripts
• Imaging software
• Backup software
• USB drives
January 1, 2014
Presenter: C. Matthew Curtin, CISSP, Founder and CEO, Interhack Corporation
RECOVERY
“You can get the monkey off your back, but the circus never leaves town.”
“In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.” (NIST SP800-61rev2)
RESTORE NORMAL OPERATIONS
“Does anyone remember where this wire goes?”
Confirm systems are functioning normally
Remediate vulnerabilities
Restore from clean backups?
Rebuild from scratch?
Replace compromised systems?
Install patches?
Change passwords?
Adjust other controls?
What’s next?
FOLLOW-UP
“Not following up is like filling up your bathtub without first putting the stopper in the drain.”
“One of the most important parts of incident response is also the most often omitted: learning and improving.” (NIST SP800-61rev2)
LESSONS LEARNED
What do we know now that we didn’t know then?
Build a timeline: what happened, and when?
How did the team perform?
Using procedures? Procedures adequate?
What inhibited recovery?
What can prevent similar future incidents?
What can detect similar future incidents?
Writing the report.
USING COLLECTED INCIDENT DATA
What is actionable?
Resources: time, people, money. Incident type. (Curtin, Ayres. “Using Science to Combat Data Loss”)
Think about the collection of reports and the metrics available:
● Number of incidents handled
● Time per incident
What should we have for the future?
EVIDENCE RETENTION
How long do we keep the evidence?
How do you decide how long to keep the results?
Prosecution
Retention policies
Cost
We’ll now open it up for questions
Questions
Thank You