www.pwc.com
Agenda
Analogy
Plan Preparation
Incident Handling Overview
Collect & Triage
Investigation
Containment
Eradication
Recovery
PwC 2
Initial incident response steps
• Gather documentation
- Contact lists, network diagrams, etc.
• Designate incident leads
• Notify proper contacts
- Internal contact
◦ Legal, management, internal support leads
- External contacts
◦ Legal, Vendor support, trusted third parties, law enforcement
Incident handling overview
• Based on NIST SP 800-61, the Computer Security Incident Handling Guide
- Detect and Analyze (Triage)
- Containment
- Collect, Preserve and Investigate
- Eradication
- Recovery (lessons learned)
[Figure: diagram of the phases Detect and analyze, Contain, Collect & Preserve, Eradicate, Recovery]
Do we have an incident? (Yes/No)
• How were we notified?
- Internal vs. External
• Deploy experienced people to determine if you have a real incident
• Is this a regulatory, legal or contractual issue?
Practical example
• eCommerce Site:
- Client reported a server performance issue
- Tech Support found the load too high
- Developer examined the code
◦ Identified foreign code on the server and referred it to security
- Security began collecting data
◦ Contacted External Incident Response team
Practical example
• Incident Response Team
- Examined the server
- Recommended blocking IP addresses
- Examined the server population
- Provided a written report of the incident
- Recommended eradication
- Recommended policy and procedure changes
Exfiltration
What to do next
• Incident Classification (DDoS, Malware, Unauthorized Access)
• Triage the problem – follow the evidence
• What are my capabilities?
• What am I looking for?
• How will I accomplish what I need to do?
Evidence preservation
• Proper forensic collection and documentation
- Collect what you need to answer the questions
• Malware analysis
- What are we dealing with and what is it capable of?
◦ Data exfiltration
◦ Keylogger
◦ Sniffer
◦ Dumping memory
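The "proper forensic collection and documentation" point above needs an artefact that proves the collected evidence has not changed since collection. The following is an added example (not PwC's material): it hashes each evidence file, writes a chain-of-custody manifest, and re-verifies the files later. The evidence files, their names and their contents are constructed in a temporary directory for illustration.

```python
"""Added example: hash collected evidence into a chain-of-custody manifest and
verify it later.  Not PwC code; file names and contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Describe who collected which files, when (UTC), and each file's size and hash."""
    return {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest, directory):
    """Re-hash every manifest item; True means the file is present and unchanged."""
    results = {}
    for item in manifest["items"]:
        path = os.path.join(directory, item["path"])
        results[item["path"]] = os.path.exists(path) and sha256_file(path) == item["sha256"]
    return results


def demo():
    """Create constructed evidence files, build a manifest, then alter one file."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    files = {  # constructed stand-ins for a disk image and a firewall log export
        "webserver-disk.img": b"constructed disk image bytes\n" * 100,
        "firewall.log": b"2012-06-01T10:00:00Z deny tcp 203.0.113.5 -> 192.0.2.10:443\n",
    }
    paths = []
    for name, content in files.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)
    manifest = build_manifest(paths, collector="incident handler (constructed name)")
    before = verify_manifest(manifest, workdir)
    # Simulate an evidence file being modified after collection.
    with open(paths[1], "ab") as f:
        f.write(b"tampered\n")
    after = verify_manifest(manifest, workdir)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", before)
    print("after tampering:", after)
```

In practice the manifest is signed or stored separately from the evidence, and the same hash is recorded on the physical custody form so that the two records can be compared.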
Data to collect
• Forensic images of the systems compromised
• Firewall Logs
• Web server logs
• Proxy server logs
• Netflow data
• Syslogs (Unix)
• Local Windows event logs
• Domain Controller event logs
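The sources listed above use different timestamp formats (the web server writes local time with an offset, syslog omits the year and zone, a firewall export may use ISO-8601 UTC), so "follow the evidence" across them requires normalizing to one clock first. The block below is an added example, not from the PwC deck: it parses three such formats and merges them into a single UTC timeline. All log lines are constructed; the host names, addresses and the assumption that the syslog host's clock was UTC are illustrative.

```python
"""Added example (not from the PwC deck): merge log lines from several sources
into one UTC-ordered timeline.  Every log line below is constructed."""
import re
from datetime import datetime, timezone

# Apache/nginx combined format: client - - [timestamp] "request" status ...
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Classic BSD syslog: "Jun  1 10:02:40 host program[pid]: message" (no year, no zone)
SYSLOG_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$')
# Constructed firewall export with ISO-8601 UTC timestamps
FIREWALL_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<msg>.*)$')

SAMPLE_LOGS = {  # constructed sample data
    "firewall": [
        "2012-06-01T10:01:50Z deny tcp 203.0.113.5 -> 192.0.2.10:22",
        "2012-06-01T10:05:10Z allow tcp 192.0.2.10 -> 198.51.100.7:443 bytes=52428800",
    ],
    "web": [
        '203.0.113.5 - - [01/Jun/2012:03:02:15 -0700] "GET /admin.php?id=1 HTTP/1.1" 200 512',
        "garbled line that does not parse",
    ],
    "syslog": [
        "Jun  1 10:02:40 webserver01 sshd[2231]: Accepted password for www from 203.0.113.5 port 41022 ssh2",
    ],
}


def parse_apache(line):
    """Web server line -> (utc_time, 'web', summary), or None if it does not parse."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    # The web server logged local time with an offset; convert it to UTC.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return ts, "web", f'{m.group("ip")} "{m.group("req")}" {m.group("status")}'


def parse_syslog(line, year):
    """Syslog omits the year, so the caller supplies it.  Assumes the host clock
    was set to UTC; confirm the host's time zone and skew during collection."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f'{year} {m.group("ts")}', "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, "syslog", f'{m.group("host")} {m.group("msg")}'


def parse_firewall(line):
    m = FIREWALL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, "firewall", m.group("msg")


def build_timeline(sources, syslog_year):
    """sources maps 'web' / 'syslog' / 'firewall' to raw lines.  Returns the
    (utc_time, source, summary) events sorted by time plus a count of lines
    that did not parse, so a gap in the evidence is visible, not silent."""
    parsers = {
        "web": parse_apache,
        "syslog": lambda line: parse_syslog(line, syslog_year),
        "firewall": parse_firewall,
    }
    events, skipped = [], 0
    for name, lines in sources.items():
        for line in lines:
            ev = parsers[name](line)
            if ev is None:
                skipped += 1
            else:
                events.append(ev)
    events.sort(key=lambda e: e[0])
    return events, skipped


if __name__ == "__main__":
    events, skipped = build_timeline(SAMPLE_LOGS, syslog_year=2012)
    for ts, source, summary in events:
        print(ts.strftime("%Y-%m-%d %H:%M:%S"), f"{source:8}", summary)
    print(f"{skipped} line(s) did not parse")
```

With the constructed data the timeline reads: firewall denies a port 22 probe from 203.0.113.5, the same address then requests an admin page, logs in over SSH, and a large outbound transfer follows, which is the kind of sequence that only becomes visible once the sources share one clock.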
Triage process flow
[Flowchart, reconstructed from the slide labels]
• Incident Handler: Compromised host?
- Yes: Forensics
- No: Information Security
• Malware present?
- Yes: Malware Analysts
- No: Hardening / Monitoring
Initial containment 1-3 days
• Apply the M&M approach (hard and crunchy on the outside, soft and chewy on the inside)
• Data characterization (add rings of security)
• Grab low-hanging fruit
- Update AV, flag suspicious files, HIDS/HIPS, create IDS signatures, block traffic, change passwords, disable accounts
- Change to manual procedures if necessary
What don't I know?
• Where do I need increased visibility?
- Review logs, increase auditing/logging
◦ System, database, network device, etc.
- Process to secure, archive, collect, and review logs
- As the British say, Mind the gap!
SQL query logging example
• Sophisticated attack on database
- Cracked the PINs for banking cards
- Used SQL injection to inject a malicious executable into the database
- Withdrawal limits on the cards were raised to maximize the amount that could be withdrawn
- No SQL logging was performed on the databases
- Client was using a SQL query recorder
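The visibility gap in this case is the absence of a record of what SQL actually ran. The block below is an added example, not PwC's: it records every statement a database connection executes (using Python's sqlite3 trace hook on an in-memory database as a stand-in for a query recorder) and then reviews the record for injection indicators. It also places a deliberately vulnerable lookup next to its parameterized form so the recorded statements show the difference. The card table, card numbers, limits and input values are constructed.

```python
"""Added example (not from the PwC deck): record every SQL statement a
connection executes and review the record for injection indicators.
The cards table, its rows and the input values are constructed."""
import re
import sqlite3

# Indicators that warrant a closer look in recorded statements.  A starting
# point for review, not a complete or precise signature set.
SUSPICIOUS = re.compile(
    r"(?i)(\bunion\b.*\bselect\b|\bor\b\s+'?\d+'?\s*=\s*'?\d+|--|;\s*(drop|alter|update|insert)\b)"
)


class QueryRecorder:
    """Keeps the text of each statement the connection runs, as SQLite executed it."""

    def __init__(self):
        self.statements = []

    def attach(self, conn):
        # sqlite3 invokes the callback for every statement; with recent SQLite
        # builds the bound parameter values are substituted into the text.
        conn.set_trace_callback(self.statements.append)

    def suspicious(self):
        return [s for s in self.statements if SUSPICIOUS.search(s)]


def lookup_card_unsafe(conn, card_id):
    """Deliberately vulnerable: the input is pasted into the SQL text."""
    sql = f"SELECT card_id, withdrawal_limit FROM cards WHERE card_id = '{card_id}'"
    return conn.execute(sql).fetchall()


def lookup_card_safe(conn, card_id):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT card_id, withdrawal_limit FROM cards WHERE card_id = ?"
    return conn.execute(sql, (card_id,)).fetchall()


def demo():
    """Run one benign and one hostile lookup through both forms and return
    the recorder plus the row counts each lookup produced."""
    conn = sqlite3.connect(":memory:")
    recorder = QueryRecorder()
    recorder.attach(conn)  # attach before setup so the whole session is recorded
    conn.execute("CREATE TABLE cards (card_id TEXT PRIMARY KEY, withdrawal_limit INTEGER)")
    conn.execute("INSERT INTO cards VALUES ('1234', 500), ('5678', 500)")
    benign = "1234"
    hostile = "1234' OR '1'='1"  # constructed input that changes the query's logic
    n_safe = len(lookup_card_safe(conn, hostile))      # 0 rows: no card has that literal id
    n_unsafe = len(lookup_card_unsafe(conn, hostile))  # every row: the WHERE clause is always true
    n_benign = len(lookup_card_safe(conn, benign))     # 1 row
    return recorder, n_benign, n_safe, n_unsafe


if __name__ == "__main__":
    recorder, n_benign, n_safe, n_unsafe = demo()
    print("rows: benign/safe =", n_benign, "hostile/safe =", n_safe, "hostile/unsafe =", n_unsafe)
    print("recorded statements:")
    for s in recorder.statements:
        print("  ", s)
    print("flagged for review:", recorder.suspicious())
```

The recorded statements are what the investigation needs: the unsafe lookup leaves a statement with the injected clause in it, while the parameterized lookup shows the hostile value only as a harmless literal. Whatever recorder is used, the review over its output is the same idea.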
Eradication & remediation 2-4 weeks
• Remove malware
• Re-image and/or rebuild systems
- Consider legacy applications
• Delete/disable accounts
• System and Network device hardening
• Increase log monitoring
Longer term issues
• Data Flows
• Application Characteristics
• Server Characteristics
• Risk Factors
• Regulatory and Compliance Issues
Recovery – Long term goals
• Implement an Information Security group with a CISO
• Integrate Information Security into all facets of the business
• Network Isolation and segmentation
• System hardening
• Annual security audits (include penetration testing)
- Include third-party connections
• Implement a Sensitive Data Program
Recommendations
• Ensure there is an incident response plan in place
• Know where your crown jewels are located
• Regular security assessments conducted by an outside firm
• Have an incident response support team on speed dial
Questions
Contact:
Dave Nardoni 213-356-6308
Jef Dye 213-217-3976
© 2012 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.