The Evolution of Incident Response Intelligent Information Security By Kevin Mandia Agenda • Case Studies • Performing Incident Response • The Challenges to Incident Response • Emerging Trends Why are We Here? Conclusions • • • • Incident Response is not a Static Field, and It is Important to Sharpen our Swords. There is an Increasing Complexity and Sophistication of Computer Attacks. Incident Response Methodologies and Technologies Need to Evolve to Address Emerging Threats. Pre-Incident Preparation is as Critical as other Pro-active Security Measures. Business Sustaining Costs! Conclusions • Sophistication of Tools Requires Greater Skill Sets During Response. – Countless Specialized Utilities Exist that an Attacker/Suspect May Use. • • • • • Data W iping Encryption Date/Time Manipulation Metadata Manipulation Anti and/or Counter Forensic Software – Kernel Level Tools – Compressed/Encrypted Executables Case Studies The Last Ten Cases/Incidents in Review Intelligent Information Security By Kevin Mandia The Year in Review • And Now We Demonstrate and Discuss the Incidents We Have Responded to During the Past Year … Conclusions • The Threat is More Serious: – More Professionals. – Its all About Money. – Planted Insiders. – More Sophistication. • If You are Unarmed and Unprepared, Bad Things will Happen. • Weak Link Appears to be End Users. The Challenges to Incident Response Intelligent Information Security Pre-Incident Preparation Detection of Incidents Challenges Challenges 1. Defining What an Incident is to Your Organization. Initial Response Formulate Response Strategy 2. Obtaining High-Level Buy In on Developing/Improving/Maintaining an Incident Response Capability. Data Collection 3. Performing Asset Classification. Know what Matters To Your Business Operation before an Incident Occurs. Data Analysis 4. Awareness and Understanding of the Standards, Legislature, Regulations, and Industry Accepted Practices. Reporting Resolution 5. Assessing your Current Incident Response Capability. Challenges Solutions 1. Defining What an Incident is to Your Pre-Incident Preparation. Organization. Assess Resources, Match Business Units with Capabilities, Roles, Responsibilities. 2. Obtaining High-Level Buy In on Developing/Improving/Maintaining an Incident Response Capability. Discuss Sustaining Business, Applicable Standards, Legislature, and Industry Regulations that Compel you to Maintain IR Capabilities. 3. Performing Asset Classification. Know what Matters To Your Business Operation before an Incident Occurs. Interview Business Line Owners and Top Execs. 4. Awareness and Understanding of the Standards, Legislature, Regulations, and Industry Accepted Practices. Pre-Incident Preparation Review On-Line Sources. Assign General Counsel or Compliance Officer. 5. Assessing your Current Incident Response Capability. Pre-Incident Preparation. Develop a Skills Matrix and Review InHouse Capabilities. Pre-Incident Preparation Detection of Incidents Initial Response Formulate Response Strategy Data Collection Data Analysis Reporting Resolution Challenges Challenges 6. Determining the Appropriate Bar of Escalation for Your Organization. What is the Appropriate Trigger Mechanism to Commence your IR Procedures? 7. Ensuring Timely, Easy Method of Reporting Incidents. Get the Experts Involved as early as Possible. When do you Initiate your IR Mechanism? External IDS End Users Apply Escalation Criteria Help Desk Sys Admins Report/Document and Involve Experts in a Timely Fashion Security Transfer Control of Incident Human Resources Assemble the Computer Security Incident Response Team (CSIRT) Challenges Solution 6. Determining the Appropriate Bar of Escalation for Your Organization. What is the Appropriate Trigger Mechanism to Commence your IR Procedures? Pre-Incident Preparation. Create a Written Policy. Perform Continual Review and Update of the Policy. Ensure Asset Affected Dictates Level of Response. 7. Ensuring Timely, Easy Method of Reporting Incidents. Get the Experts Involved as early as Possible. Pre-Incident Preparation. Create or Revise IR Program and Train Appropriate Personnel to Understand Indicators of Computer Security Incidents. Pre-Incident Preparation Challenges Challenges Detection of Incidents Initial Response 8. Minimizing the Window from Detection of Incident to Confirmation of the Incident. Formulate Response Strategy 9. Accurately and Rapidly Determining the Scope/Breadth of the Incident. Data Collection 10. Determining Entities/People that Need to be Involved. Triage. Data Analysis Detection of Potential Incident Confirmation Reporting TIME Resolution Challenges Solution 8. Minimizing the Window from Detection of Incident to Confirmation of the Incident. Pre-Incident Preparation. Training and Pre-Existing or Pre-Deployed Toolkits. 9. Accurately and Rapidly Determining the Scope/Breadth of the Incident. Pre-Incident Preparation. Ensure Response Methodology and Infrastructure Includes Rapid Determination of Host and Network-Based Indicators of Incident. Pre-Incident Preparation. 10. Determining Entities/People that Need to be Involved. Create or Revise IR Program Development. Pre-Incident Preparation Challenges Detection of Incidents Initial Response Formulate Response Strategy Challenges 11. Determining Who Should Be Involved with the Decision Making Process. 12. Incident Ownership. Data Collection Data Analysis Reporting Resolution Challenges 11. Determining Who Should Be Involved with the Decision Making Process. 12. Incident Ownership. Solution Pre-Incident Preparation. Create or Revise IR Program. Pre-Incident Preparation. Create or Revise Program Development. Pre-Incident Preparation Detection of Incidents Initial Response Formulate Response Strategy Challenges Challenges 13. Methods to Gather Live Response Data are too Time Consuming and Operationally Cumbersome. May Even be Ineffective. 14. Methods to Perform Forensic Duplication of Computer Systems is Cumbersome. Data Collection Data Analysis Reporting Resolution 15. Sophistication of Tools and Counter Forensic Techniques. Challenges Solution 13. Methods to Gather Live Response Data are too Time Consuming and Operationally Cumbersome. May Even be Ineffective. Pre-Incident Preparation. Creation of Live Response Toolkits, Maintenance of Toolkits or Methods to Address Emerging Kernel Level Exploits, Use of Network-Based Forensic Tools, and Training. Pre-Incident Preparation. Have Techniques to Duplicate Live Systems. Training. Perhaps Preservation of Relevant Data Rather than All Data (CAUTION). Pre-Incident Preparation. Ability to Acquire and Review System and Process Memory. 14. Methods to Perform Forensic Duplication of Computer Systems is Cumbersome. 15. Sophistication of Tools and Counter Forensic Techniques. Pre-Incident Preparation Detection of Incidents Initial Response Formulate Response Strategy Data Collection Data Analysis Challenges Challenges 16. Sophistication of Tools and Counter Forensic Techniques. 17. Must have the Capability to Perform Rapid Forensic Analysis – Biggest Bang for the Buck. • Kernel Level Tools • Use of Wrappers (Encryption, Compression, Obfuscation) • Shiva, Burneye, UPX Reporting Resolution • Increased Knowledge of Perpetrators • Increased Understanding of Current Forensic Tools and Techniques Challenges 16. Sophistication of Tools and Counter Forensic Techniques. Solution Ability to Perform Tool Analysis. Understand How to Disassemble Tools and Decipher their Functionality. Know When to Cut Losses and Remediate Prior to Full Comprehension of Tool (CAUTION). 17. Must have the Capability to Perform Rapid Functionality Pre-Incident Training and Forensic Analysis – Biggest Bang for the Buck. Technology. Pre-Incident Preparation Challenges Detection of Incidents Initial Response Formulate Response Strategy Challenges 18. Failure to Document Steps Taken in a Timely Manner. 19. Inexperienced Personnel. Data Collection Data Analysis Reporting Resolution Challenges 18. Failure to Document Steps Taken in a Timely Manner. 19. Inexperienced Personnel. Solution Pre-Incident Preparation. Develop Report Pre-Incident Templates. Preparation Develop Report Templates. Pre-Incident Preparation Detection of Incidents Initial Response Formulate Response Strategy Data Collection Data Analysis Reporting Resolution Challenges Challenges 20. Resolution Almost Always Requires more Resources than Expected. 21. The “Run Out of Steam Factor” 22. Sense of Urgency Focuses Resources on Potential Premature Fixes. Remediate before Conclusion of Investigation. 23. Phased Approach to Recovery Usually Needs to be Implemented to Protect the Right Assets with the Right Countermeasures. Challenges Solution 20. Resolution Almost Always Requires more Resources than Expected. Proactive Security Program. 21. The “Run Out of Steam Factor” Phased Approach to Resolution. Apply Lessons Learned to Doctrine. 22. Sense of Urgency Focuses Resources on Potential Pre-mature Fixes. Remediate before conclusion of Investigation. Stay On Target… Continual, Documented Operations Plans. 23. Phased Approach to Recovery Usually Needs to be Implemented to Protect the Right Assets with the Right Countermeasures. Pre-Incident Preparation – Asset Classification. Emerging Trends in Incident Response A Look Into the Future of Incident Response Intelligent Information Security Emerging Trends in Incident Response • • • • A Focus on Pre-Incident Preparation A Focus on End-User Education Use of Enterprise Forensic Tools Concerns with Compliance – Regulations – Standards – Compliance Creation of an IR Program • Assess Current IR Program – Collect Documents – Perform Interviews • • • • • Identify Threats/Concerns • Determine Asset Classification • Assess Current Capability • Define Escalation/Notification Requirements Tailoring of Technology to Address Threats Training Dry Runs IR Program Roll-Out Kevin Mandia Kevin.Mandia@red-cliff.com 703-244-4488