Intrusion Detection
MIS.5213.011
ALTER 0A234
Lecture 11
Remediation Process
Declaration of an
incident.
Form the
remediation Team
Hybrid Action
(Containment &
posturing Action)
Determine
remediation Timing
Hybrid Action
(Containment &
posturing Action)
Hybrid Action
(Containment &
posturing Action)
Remediation Process - Cont
Develop Eradication
Plan
Execute Eradication
Plan
Develop Strategic
Recommendations
Document Lessons
Learned
Remediation
Complete
Remediation Process
1) Form the Remediation Team
Remediation team is similar to the CIRT team. It may consists of
the same members or members with similar skill sets
2) Determine the timing of the remediation actions
What activities can be started or what needs to wait until the
investigation is completed
Remediation Process
3) Develop and implement remediation posturing actions
These actions occur while the incident is still ongoing
ie: password resets, patch application, vulnerability remediation,
etc.
4) Develop and implement incident containment actions
These actions are designed to restrict access to sensitive areas.
Remediation Process
5) Develop an eradication plan
the goal is to remove attacker’s access to the environment
6) Determine eradication event timing and implement the plan
Once the investigative team determines that all possible
breaches, tools, techniques have been identified and no new infections
are occurring. It is determined that a steady state for the environment
has been reached. At this point eradication plan may be implemented
to began the clean up.
Remediation Process
7) Develop Strategic Recommendations
These are long term observations that need to be implemented.
It is generally done as a long term plan for remediation
8) Document the lessons learned.
This is a result of identifying all of the things that worked or did
not worked during an incident crisis situation. These lessons learned
need to be stored in a secure location.
Critical Factors
for Remediation Efforts
Incident Severity
Remediation Timing
This will serve as a guide to what needs to happen when and everyone needs to
agree. This is critical to the success of the remediation.
Remediation Team
(Size, Skill, Support)
Critical Factors
for Remediation Efforts
Technology
All technology used during an incident should be tested and familiar so that during the
incident you are not learning new technologies.
Budget
Management Support
Public Scrutiny
Be aware of what information is release to the public and when. Revisions may prove
more embarrassing.
Remediation Owner
Some one who is a strong senior technical manager who will negotiate
all aspects of the remediation effort.
5 Qualities of a Remediation Owner
In-Depth understanding of IT and Security
Focus on Execution
Understanding of Internal Politics
Proven Track record of building support of Initiatives
Ability to Communicate with technical and nontechnical personnel.
Posturing Actions
Enhancing Logging
Enhance Alerting
Patching 3rd party applications
Implement – multifactor authentication
Reduce the locations where critical data is stored
Strengthen Password Requirements
Posturing Actions
Things to be wary off Alerting the attacker
results in changed tactics and behavior by the attacker.
Attacker Becomes dormant – results in additional compromised
machine that become silent, impacting the trusted state of the
environment.
Attacker becomes destructive
Attacker become more active and attempts to infect more
machines, resulting an active war between the attacker and the
incident response team.
Containment Plan Actions
Change all of the passwords for all users and accounts
Split responsibilities, Some users that can create while others are used
to authorize.
Improved ACLs.
Eradication Action Plan
Ie:
Completely disconnect the Victim organization from the Internet
Block Malicious Ips
Change All account passwords
Implement Network Segmentation
Mitigate all vulnerabilities ..especially the original one that
allowed the attack in the first place
Rebuild compromised systems
Strategic Recommendations
Ie:
•
Period review of Firewall ACLs and other Network device
configurations
•
Period code reviews
•
Implement IDS to monitor network traffic at all critical network
points and services.
•
Proper network segmentations
•
Allow only multifactor authentication for remote access
•
Outsource DMZ monitor to MSSP (Managed Security Service
Providers)
OUTSOURCING SECURITY
MSSP – Managed Security Service Providers
MSSP
Outsourcing
What is outsourcing?
Act of outsourcing involves contracting out for goods or services to a provider either domestic or
foreign in place of internal sourcing.
What is outsourced?
Software Development, Help Desk Services, Call Center, Medical Billing, etc..
Managed Security Services Providers
Options:
Managed firewall services
managed intrusion detection services
managed VPN services
MSSP – Pros and Cons
MSSP
Pros:
• Costs: Running an in-house security team means hiring and paying salaries and benefits, creating office
space and overall operational costs. By outsourcing security, you pay for services only. It’s up to the MSSP to
handle their employee’s needs.
• Superior Technology and Expertise: When outsourcing security, you hire a company whose sole business is
securing other businesses. This means, managed security service providers have the best hardware and
software and skilled personnel. Buying such technology or hiring skilled personnel would be expensive and
counterproductive for businesses that don’t specialize in security.
• Support: Security is a sensitive area and so all managed security service providers offer support all-day, all
year as long as the contract is valid. Your business is secured always and time it takes to resolve security
issues is minimal.
MSSP
Cons:
• Risk: For instance, being a sensitive subject, trusting a different company with your intellectual property, can
be hard. Most managed security service providers have well-known reputation and track record.
• oss of Control: When you hand over security to another company, it means you will have to accept the
terms they propose. For example, when outsourcing I.T security, the provider decides the security software
and hardware to run in your company. Changing such software would be breaching contract with the
managed security service provider.
• Loss of Quality: Although rare, hiring managed security service providers known to compromise quality for
profits is a security risk. To prevent this, researching before signing a contract and asking for service level
agreements is advisable.
MSSP
SLA
What should SLA’s cover
Time to detection
Speed on response after an incident occurs
What if the third party does not detect incidents
How many incidents are being detected by the third party
How many are not being detected by them
MSSP
SLA
Lack of standards and tools
Lack of skills, training and/or certification on proper methodology
Lack of communication
Lack of established policy
Repudiation of responsibility from the third party
MSSP
Choosing the right MSSP
Reputation
Financial Stability
Expertise
Employee Turnover Rate
etc..
MSSP
Additional Concerns:
How different organizations perform incident management?
What is covered and required under Service Contracts?
Is the outsourcing service provider obligated to keep the information secured and Security levels current?
How are the roles and responsibilities clarified?
What level of expertise does the company providing services have with Incident Management? What level of
contracts do they have?
How would the outsourcing organization be evaluated
How would the organization know if the third party is doing its job
What kind of incidents are expected to be identified by the third party
What kind of reporting and notification is expected from the third party