
Spring Security Briefing: Lessons Learned from Recent Data Breach


Page 1: Spring Security Briefing: Lessons Learned from Recent Data Breach

INCIDENT RESPONSE – A SERIES OF LESSONS LEARNED

Ron Pelletier, CISSP, CBCP, CISA, QSA

VP and Executive Manager

A SERIES OF LESSONS LEARNED

THE INCIDENT RESPONSE PROCESS

Page 2: Spring Security Briefing: Lessons Learned from Recent Data Breach


AGENDA

• Setting the Stage for Incident Response – Life Cycle Approach

• Real World Attack Scenarios Prompt Incident Response

• Accumulating the Lessons Learned

• Applying the Lessons Learned

Page 3: Spring Security Briefing: Lessons Learned from Recent Data Breach


INCIDENT RESPONSE LIFE CYCLE

• Identification – Establish monitoring to recognize, identify, and detect an incident as soon as possible

• Containment – Establish programmatic methods to stop the incident from propagating or extending its impact

• Eradication – Establish procedures, tools and know-how to eliminate the source and prevent recurrence

• Recovery – Establish communications with stakeholders and procedures to continue normal operations

Page 4: Spring Security Briefing: Lessons Learned from Recent Data Breach


REAL WORLD ATTACK SCENARIOS PROMPT INCIDENT RESPONSE

Situation 1: A phishing attack (leveraging Dyre Trojan) leads to an unauthorized transfer of hundreds of thousands of dollars

Situation 2: A compromise of email credentials (phishing attack possible) leads to social engineering and transfer of more than one hundred thousand dollars

Situation 3: A phishing attack leads to the compromise of end user credentials and potential exposure of a number of sensitive records

Situation 4: A phishing attack (most probable cause) leads to the compromise of admin credentials and millions of sensitive records

Pondurance Provided Direct Assistance to these 3

Page 5: Spring Security Briefing: Lessons Learned from Recent Data Breach


ACCUMULATING THE LESSONS LEARNED

By Three Key Phases – The Challenging Questions to Consider

Prepare

• Do I know where my sensitive data lives?

• Am I prepared to defend against attacks? Phishing attacks?

• Is my helpdesk prepared to correlate attacks and attack patterns?

• Does my retention schedule work against me?

• What is my exposure to SSO, or passwords in multi-use?

Execute

• Do I have a favorable and flexible risk assessment process?

• Do I have a timely and tested response capability?

• Can I parameterize the discovery process to limit my exposure?

• Do I know how my systems are configured for discovery?

Learn

• Do I know my legal and regulatory obligations for reporting?

• Am I capable of aggregating and confirming discovery results?

• Have I pre-contracted the expertise to investigate/report?

Page 6: Spring Security Briefing: Lessons Learned from Recent Data Breach


APPLYING THE LESSONS LEARNED: PREPARE

• Discourage use of Email as a personal “database”

• Conduct Incident Response AND eDiscovery exercises to target potential data exposure

• Ensure defense-in-depth including additional capabilities for advanced detection (dynamic egress/ingress monitoring)

• Establish correlative reporting for service desks, other reporting intake functions

• Evaluate retention for unintended exposure (e.g., Email “deleted” folders)

• Ensure Incident Response Team personnel represent all parts of the organization, are properly trained

• Ensure end users are properly trained on retention and disposition of data (think about common data stores like Email)

• Analyze the potential reuse of network passwords for external portals such as OWA, VPN, external data stores/portals, etc.

• Develop meaningful Policies and Procedures, including those that target investigation and discovery

Key Take-Away: Prepare during a period of calm… don’t wait until adversity is at your doorstep

Page 7: Spring Security Briefing: Lessons Learned from Recent Data Breach

APPLYING THE LESSONS LEARNED: EXECUTE

• Incident Response is not a linear process; it may require dynamic alerting to, and collaboration with, various risk management functions (legal, DR/BCP, compliance, IT, etc.)

• Additional threat management capabilities may provide evidence to leverage and assess exposure and reporting liability

• The risk management process should consider proper evaluation of threat actors and attack methods BEFORE moving to reporting

• Consider leveraging the Incident Response process, eDiscovery methods and risk assessment-at-incident with penetration tests

• Evaluate “mapped” drives as well as public and private folders within OWA for potential exposure

• A PST file does not always provide the same view as OWA; discovery may require caveats/parameterization (assess accordingly)

• Establish a timeframe related to the incident, provide search terms to discovery analysts and KNOW what is a true exposure and what is not, or not likely to be

Key Take-Away: The average IQ goes to zero during an emergency… use your plan, but build in some flexibility

Page 8: Spring Security Briefing: Lessons Learned from Recent Data Breach

APPLYING THE LESSONS LEARNED: LEARN

• Exercise your plans as often as tolerated by the organization, but no less than once per year

• Involve management in response plans and exercises, or be prepared for management to deviate and execute untested procedures at time of incident

• Develop organizational clarity by classifying data (and for heaven’s sake find out where it lives!)

• Regarding eDiscovery, the “de-duplication” process is difficult, particularly when tens of thousands of records are involved…know what you are looking for ahead of time

• Develop consistency among independent entities that may operate under a shared services model, to limit top-level liability

• Pre-arrange for services that provide competency and flexibility, attempt to limit “unknown” or surprise costs…but plan accordingly

• Share the wealth in lessons learned
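Two of the discovery lessons above (scoping the search by incident timeframe and analyst search terms, and de-duplicating large record sets before deciding what is a true exposure) can be exercised in a small script. The following is an added example, not code from the briefing or from Pondurance; the mailbox records, the March 2015 window, the search terms and the SSN pattern are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Message:
    msg_id: str
    sent: datetime
    subject: str
    body: str

# Constructed sample mailbox export (not from the briefing); m2 is a forwarded copy of m1.
SAMPLE = [
    Message("m1", datetime(2015, 3, 2, 9, 0), "Payroll file", "Employee SSN 123-45-6789 attached."),
    Message("m2", datetime(2015, 3, 2, 9, 5), "FW: Payroll file", "Employee   SSN 123-45-6789 attached.  "),
    Message("m3", datetime(2015, 3, 3, 11, 0), "SSN policy reminder", "Never send an SSN by email."),
    Message("m4", datetime(2014, 12, 1, 8, 0), "Old payroll file", "Employee SSN 987-65-4321 attached."),
]

# A search-term hit alone is not an exposure; an actual identifier in the body is.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def fingerprint(m: Message) -> str:
    # Normalize case and whitespace so forwarded/duplicate copies hash identically
    return hashlib.sha256(re.sub(r"\s+", " ", m.body).strip().lower().encode()).hexdigest()

def scope_discovery(messages, start, end, terms):
    """Apply timeframe and search terms, de-duplicate, and separate confirmed exposures."""
    seen = set()
    report = {"confirmed": [], "term_only": [], "duplicates": 0, "out_of_window": 0}
    for m in messages:
        if not start <= m.sent <= end:        # timeframe parameter
            report["out_of_window"] += 1
            continue
        fp = fingerprint(m)
        if fp in seen:                         # de-duplication by content hash
            report["duplicates"] += 1
            continue
        seen.add(fp)
        haystack = (m.subject + "\n" + m.body).lower()
        if not any(t.lower() in haystack for t in terms):   # analyst search terms
            continue
        bucket = "confirmed" if SSN_RE.search(m.body) else "term_only"
        report[bucket].append(m.msg_id)
    return report

def run_sample():
    # Assumed incident window of March 2015, with terms as an analyst would supply them
    return scope_discovery(SAMPLE, datetime(2015, 3, 1), datetime(2015, 3, 31), ["SSN", "payroll"])
```

Running `run_sample()` reports one confirmed exposure (m1), one term-only mention (m3), one duplicate dropped and one message outside the window.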

Key Take-Away: If you do not exercise your incident response plan and procedures… you have denied yourself invaluable knowledge through controlled failure

Page 9: Spring Security Briefing: Lessons Learned from Recent Data Breach


Ron Pelletier, CISSP, CBCP, CISA, QSA

VP and Executive Manager

QUESTIONS?

THE INCIDENT RESPONSE PROCESS