The Evolution of Incident Response

advertisement
The Evolution of Incident
Response
Intelligent Information Security
By Kevin Mandia
Agenda
• Case Studies
• Performing Incident
Response
• The Challenges to
Incident Response
• Emerging Trends
Why are We Here?
Conclusions
•
•
•
•
Incident Response is not a Static Field, and It is
Important to Sharpen our Swords.
There is an Increasing Complexity and
Sophistication of Computer Attacks.
Incident Response Methodologies and
Technologies Need to Evolve to Address
Emerging Threats.
Pre-Incident Preparation is as Critical as other
Pro-active Security Measures. Business
Sustaining Costs!
Conclusions
• Sophistication of Tools Requires Greater Skill
Sets During Response.
– Countless Specialized Utilities Exist that an
Attacker/Suspect May Use.
•
•
•
•
•
Data W iping
Encryption
Date/Time Manipulation
Metadata Manipulation
Anti and/or Counter Forensic Software
– Kernel Level Tools
– Compressed/Encrypted Executables
Case Studies
The Last Ten Cases/Incidents in
Review
Intelligent Information Security
By Kevin Mandia
The Year in Review
• And Now We Demonstrate and Discuss
the Incidents We Have Responded to
During the Past Year …
Conclusions
• The Threat is More Serious:
– More Professionals.
– Its all About Money.
– Planted Insiders.
– More Sophistication.
• If You are Unarmed and Unprepared, Bad
Things will Happen.
• Weak Link Appears to be End Users.
The Challenges to Incident
Response
Intelligent Information Security
Pre-Incident
Preparation
Detection of
Incidents
Challenges
Challenges
1. Defining What an Incident is to Your Organization.
Initial Response
Formulate
Response Strategy
2. Obtaining High-Level Buy In on
Developing/Improving/Maintaining an Incident Response
Capability.
Data Collection
3. Performing Asset Classification. Know what Matters To
Your Business Operation before an Incident Occurs.
Data Analysis
4. Awareness and Understanding of the Standards,
Legislature, Regulations, and Industry Accepted Practices.
Reporting
Resolution
5. Assessing your Current Incident Response Capability.
Challenges
Solutions
1. Defining What an Incident is to Your Pre-Incident Preparation.
Organization.
Assess Resources, Match Business
Units with Capabilities, Roles,
Responsibilities.
2. Obtaining High-Level Buy In on
Developing/Improving/Maintaining an
Incident Response Capability.
Discuss Sustaining Business,
Applicable Standards, Legislature, and
Industry Regulations that Compel you
to Maintain IR Capabilities.
3. Performing Asset Classification.
Know what Matters To Your Business
Operation before an Incident Occurs.
Interview Business Line Owners and
Top Execs.
4. Awareness and Understanding of
the Standards, Legislature,
Regulations, and Industry Accepted
Practices.
Pre-Incident Preparation
Review On-Line Sources. Assign
General Counsel or Compliance
Officer.
5. Assessing your Current Incident
Response Capability.
Pre-Incident Preparation.
Develop a Skills Matrix and Review InHouse Capabilities.
Pre-Incident
Preparation
Detection of
Incidents
Initial Response
Formulate
Response Strategy
Data Collection
Data Analysis
Reporting
Resolution
Challenges
Challenges
6. Determining the Appropriate Bar of Escalation for Your
Organization. What is the Appropriate Trigger Mechanism to
Commence your IR Procedures?
7. Ensuring Timely, Easy Method of Reporting Incidents. Get
the Experts Involved as early as Possible.
When do you Initiate your IR Mechanism?
External
IDS
End Users
Apply Escalation
Criteria
Help Desk
Sys Admins
Report/Document
and Involve
Experts in a
Timely Fashion
Security
Transfer Control
of Incident
Human
Resources
Assemble the
Computer Security
Incident Response
Team
(CSIRT)
Challenges
Solution
6. Determining the Appropriate Bar
of Escalation for Your
Organization. What is the
Appropriate Trigger Mechanism to
Commence your IR Procedures?
Pre-Incident Preparation.
Create a Written Policy. Perform
Continual Review and Update of
the Policy. Ensure Asset Affected
Dictates Level of Response.
7. Ensuring Timely, Easy Method
of Reporting Incidents. Get the
Experts Involved as early as
Possible.
Pre-Incident Preparation.
Create or Revise IR Program and
Train Appropriate Personnel to
Understand Indicators of Computer
Security Incidents.
Pre-Incident
Preparation
Challenges
Challenges
Detection of
Incidents
Initial Response
8. Minimizing the Window from Detection of Incident to
Confirmation of the Incident.
Formulate
Response Strategy
9. Accurately and Rapidly Determining the Scope/Breadth
of the Incident.
Data Collection
10. Determining Entities/People that Need to be Involved.
Triage.
Data Analysis
Detection of
Potential Incident
Confirmation
Reporting
TIME
Resolution
Challenges
Solution
8. Minimizing the Window from Detection of
Incident to Confirmation of the Incident.
Pre-Incident Preparation.
Training and Pre-Existing or
Pre-Deployed Toolkits.
9. Accurately and Rapidly Determining the
Scope/Breadth of the Incident.
Pre-Incident Preparation.
Ensure Response
Methodology and
Infrastructure Includes Rapid
Determination of Host and
Network-Based Indicators of
Incident.
Pre-Incident Preparation.
10. Determining Entities/People that Need to
be Involved.
Create or Revise IR Program
Development.
Pre-Incident
Preparation
Challenges
Detection of
Incidents
Initial Response
Formulate
Response Strategy
Challenges
11. Determining Who Should Be Involved with the
Decision Making Process.
12. Incident Ownership.
Data Collection
Data Analysis
Reporting
Resolution
Challenges
11. Determining Who Should Be
Involved with the Decision Making
Process.
12. Incident Ownership.
Solution
Pre-Incident
Preparation.
Create or Revise IR
Program.
Pre-Incident
Preparation.
Create or Revise
Program
Development.
Pre-Incident
Preparation
Detection of
Incidents
Initial Response
Formulate
Response Strategy
Challenges
Challenges
13. Methods to Gather Live Response Data are too Time
Consuming and Operationally Cumbersome. May Even be
Ineffective.
14. Methods to Perform Forensic Duplication of Computer
Systems is Cumbersome.
Data Collection
Data Analysis
Reporting
Resolution
15. Sophistication of Tools and Counter Forensic
Techniques.
Challenges
Solution
13. Methods to Gather Live
Response Data are too Time
Consuming and
Operationally Cumbersome.
May Even be Ineffective.
Pre-Incident Preparation.
Creation of Live Response Toolkits, Maintenance
of Toolkits or Methods to Address Emerging
Kernel Level Exploits, Use of Network-Based
Forensic Tools, and Training.
Pre-Incident Preparation.
Have Techniques to Duplicate Live Systems.
Training. Perhaps Preservation of Relevant Data
Rather than All Data (CAUTION).
Pre-Incident Preparation.
Ability to Acquire and Review System and
Process Memory.
14. Methods to Perform
Forensic Duplication of
Computer Systems is
Cumbersome.
15. Sophistication of Tools
and Counter Forensic
Techniques.
Pre-Incident
Preparation
Detection of
Incidents
Initial Response
Formulate
Response Strategy
Data Collection
Data Analysis
Challenges
Challenges
16. Sophistication of Tools and Counter Forensic
Techniques.
17. Must have the Capability to Perform Rapid
Forensic Analysis – Biggest Bang for the Buck.
• Kernel Level Tools
• Use of Wrappers (Encryption, Compression,
Obfuscation)
• Shiva, Burneye, UPX
Reporting
Resolution
• Increased Knowledge of Perpetrators
• Increased Understanding of Current Forensic
Tools and Techniques
Challenges
16. Sophistication of Tools and Counter
Forensic Techniques.
Solution
Ability to Perform Tool
Analysis. Understand How
to Disassemble Tools and
Decipher their Functionality.
Know When to Cut Losses
and Remediate Prior to Full
Comprehension of Tool
(CAUTION).
17. Must have the Capability to Perform Rapid Functionality
Pre-Incident Training
and
Forensic Analysis – Biggest Bang for the Buck. Technology.
Pre-Incident
Preparation
Challenges
Detection of
Incidents
Initial Response
Formulate
Response Strategy
Challenges
18. Failure to Document Steps Taken in a Timely
Manner.
19. Inexperienced Personnel.
Data Collection
Data Analysis
Reporting
Resolution
Challenges
18. Failure to Document Steps
Taken in a Timely Manner.
19. Inexperienced Personnel.
Solution
Pre-Incident
Preparation.
Develop Report
Pre-Incident
Templates.
Preparation Develop
Report Templates.
Pre-Incident
Preparation
Detection of
Incidents
Initial Response
Formulate
Response Strategy
Data Collection
Data Analysis
Reporting
Resolution
Challenges
Challenges
20. Resolution Almost Always Requires more Resources
than Expected.
21. The “Run Out of Steam Factor”
22. Sense of Urgency Focuses Resources on Potential Premature Fixes. Remediate before Conclusion of Investigation.
23. Phased Approach to Recovery Usually Needs to be
Implemented to Protect the Right Assets with the Right
Countermeasures.
Challenges
Solution
20. Resolution Almost Always Requires more
Resources than Expected.
Proactive Security Program.
21. The “Run Out of Steam Factor”
Phased Approach to
Resolution. Apply Lessons
Learned to Doctrine.
22. Sense of Urgency Focuses Resources on
Potential Pre-mature Fixes. Remediate before
conclusion of Investigation.
Stay On Target… Continual,
Documented Operations
Plans.
23. Phased Approach to Recovery Usually
Needs to be Implemented to Protect the Right
Assets with the Right Countermeasures.
Pre-Incident Preparation –
Asset Classification.
Emerging Trends in Incident
Response
A Look Into the Future of Incident
Response
Intelligent Information Security
Emerging Trends in Incident
Response
•
•
•
•
A Focus on Pre-Incident Preparation
A Focus on End-User Education
Use of Enterprise Forensic Tools
Concerns with Compliance
– Regulations
– Standards
– Compliance
Creation of an IR Program
• Assess Current IR Program
– Collect Documents
– Perform Interviews
•
•
•
•
• Identify Threats/Concerns
• Determine Asset Classification
• Assess Current Capability
• Define Escalation/Notification
Requirements
Tailoring of Technology to Address Threats
Training
Dry Runs
IR Program Roll-Out
Kevin Mandia
Kevin.Mandia@red-cliff.com
703-244-4488
Download