Posted on 13-May-2018
How to effectively respond to an information security incident
www.pwc.com
PwC
Agenda
Analogy
Plan Preparation
Incident Handling Overview
Collect & Triage
Investigation
Containment
Eradication
Recovery
Are you going in the water?
Initial incident response steps
• Gather documentation
- Contact lists, network diagrams, etc.
• Designate incident leads
• Notify proper contacts
- Internal contacts
◦ Legal, management, internal support leads
- External contacts
◦ Legal, vendor support, trusted third parties, law enforcement
Incident handling overview
• Based on NIST 800-61 Incident Handling
- Detect and Analyze (Triage)
- Containment
- Collect, Preserve and Investigate
- Eradication
- Recovery (lessons learned)
[Diagram: incident handling cycle: Detect and analyze → Contain → Collect & Preserve → Eradicate → Recovery]
Detection and analysis
Do we have an incident? (Yes/No)
• How were we notified?
- Internal vs. External
• Deploy experienced people to determine if you have a real incident
• Is this a regulatory, legal or contractual issue?
Practical example
• eCommerce Site:
- Client reported a server performance issue
- Tech Support found the load too high
- Developer examined the code
◦ Identified foreign code on the server and referred it to security
- Security began collecting data
◦ Contacted External Incident Response team
Practical example
• Incident Response Team
- Examined the server
- Recommended blocking IP addresses
- Examined the server population
- Provided a written report of the incident
- Recommended Eradication
- Recommended policy and procedure changes
Exfiltration
What to do next
• Incident Classification (DDoS, Malware, Unauthorized Access)
• Triage the problem – follow the evidence
• What are my capabilities?
• What am I looking for?
• How will I accomplish what I need to do?
Collection and preservation
Evidence preservation
• Proper forensic collection and documentation
- Collect what you need to answer the questions
• Malware analysis
- What are we dealing with and what is it capable of?
◦ Data exfiltration
◦ Keylogger
◦ Sniffer
◦ Dumping memory
Data to collect
• Forensic images of the systems compromised
• Firewall Logs
• Web server logs
• Proxy server logs
• Netflow data
• Syslogs (Unix)
• Local Windows event logs
• Domain Controller event logs
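The "Evidence preservation" and "Data to collect" slides ask for proper forensic collection and documentation of the logs and images listed above. The following is an added example, not tooling from the deck or from PwC: it builds a collection manifest (SHA-256, size, modification time, collector, case id) for a set of artefacts and can later re-hash them to show whether anything changed between collection and review. The file names, log contents, collector name and case id are constructed for the demo; the chunked hashing is there so that large forensic images do not have to fit in memory.

```python
"""Evidence collection manifest with integrity verification (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image is never read whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(paths, collector, case_id):
    """Record hash, size and mtime of every artefact, plus who collected it and when."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "artefacts": entries,
    }


def verify(manifest):
    """Re-hash each artefact in the manifest; return (path, status) pairs."""
    results = []
    for e in manifest["artefacts"]:
        if not os.path.exists(e["path"]):
            results.append((e["path"], "missing"))
        elif sha256_file(e["path"]) != e["sha256"]:
            results.append((e["path"], "modified"))
        else:
            results.append((e["path"], "ok"))
    return results


def demo():
    """Constructed scenario: collect two log files, then alter one and re-verify."""
    d = tempfile.mkdtemp()
    fw = os.path.join(d, "firewall.log")
    web = os.path.join(d, "access.log")
    with open(fw, "w") as f:  # constructed firewall log line
        f.write("2012-03-01T02:14:07Z DENY TCP 203.0.113.5:4431 -> 10.0.0.8:443\n")
    with open(web, "w") as f:  # constructed web server log line
        f.write('203.0.113.5 - - [01/Mar/2012:02:14:09 +0000] "GET /index.php HTTP/1.1" 200 512\n')
    manifest = collect([fw, web], collector="ir-analyst (constructed)", case_id="CASE-0001")
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)  # the manifest itself travels with the evidence
    before = verify(manifest)
    with open(web, "a") as f:  # simulate post-collection tampering
        f.write("tampered line\n")
    after = verify(manifest)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

In practice the manifest is written to separate, write-once media together with the artefacts, and the `verify` step is run by whoever next handles the evidence; a "modified" or "missing" status is itself a finding that belongs in the incident report.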
Triage process flow
[Flowchart: triage process flow. Roles: Incident Handler, Malware Analysts, Forensics, Information Security, Hardening, Monitoring. Decisions: Malware present? (Yes/No), Compromised Host? (Yes/No)]
Containment
Initial containment 1-3 days
• Apply M&M approach (hard & crunchy on outside, soft & chewy on inside)
• Data characterization (add rings of security)
• Grab low hanging fruit
- Update AV, Flag suspicious files, HIDS/HIPS, create IDS signatures, block traffic, change passwords, disable accounts
- Change to manual procedures if necessary
What don’t I know
• Where do I need increased visibility
- Review logs, increase auditing/logging
◦ System, database, network device, etc.
- Process to secure, archive, collect, review logs
- As the British say, Mind the gap!
SQL query logging example
• Sophisticated attack on database
- Cracked the PINs for banking cards
- Used SQL injection to inject malicious executable into the database
- Withdrawal limits on the cards were raised to maximize the amount that could be withdrawn
- No SQL logging performed on the databases
- Client using a SQL query recorder
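The "What don't I know" slide asks where visibility is missing, and the SQL query logging example shows the cost of having none: the limit changes on the cards left no database-side trace until a query recorder was put in. The following is an added example, not the deck's or the client's tooling, of what a first review of such a log can look like once statements are being captured. It assumes a tab-separated log format (timestamp, db user@client host, statement), an assumed schema in which `withdrawal_limit` and `daily_limit` are the sensitive columns, and an assumed list of accounts that are allowed to change them; the log lines are constructed. It flags limit changes from an unexpected account and statements carrying common injection artefacts (SQL comment terminators, UNION SELECT, stacked statements), which are the two things a handler would want to see first in the bank-card case.

```python
"""First-pass review of a SQL query log for the bank-card scenario (added example)."""
import re
from collections import namedtuple

LogEntry = namedtuple("LogEntry", "ts user source sql")

# Assumed log format: "<ISO timestamp>\t<db user>@<client host>\t<statement>"
LINE_RE = re.compile(r"^(\S+)\t(\S+)@(\S+)\t(.*)$")

SENSITIVE_COLUMNS = {"withdrawal_limit", "daily_limit"}  # assumed schema
LIMIT_CHANGE_ACCOUNTS = {"cardops"}                       # assumed: only this account may change limits
INJECTION_PATTERNS = [
    (re.compile(r"--\s*$|/\*.*\*/"), "sql comment in statement"),
    (re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I), "UNION SELECT"),
    (re.compile(r";\s*\S"), "stacked statements"),
]


def parse(line):
    """Return a LogEntry, or None for a line that does not match the assumed format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return LogEntry(*m.groups())


def findings(entry):
    """Return the list of reasons this entry deserves a handler's attention (empty if none)."""
    reasons = []
    sql = entry.sql
    if re.match(r"\s*UPDATE\b", sql, re.I):
        touched = {c for c in SENSITIVE_COLUMNS if re.search(rf"\b{c}\s*=", sql, re.I)}
        if touched and entry.user not in LIMIT_CHANGE_ACCOUNTS:
            reasons.append(f"{entry.user} modified {', '.join(sorted(touched))}")
    for pattern, label in INJECTION_PATTERNS:
        if pattern.search(sql):
            reasons.append(label)
    return reasons


def review(lines):
    """Parse every line and return (entry, reasons) for the suspicious ones only."""
    out = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue  # unparseable line: in a real review, count these as a visibility gap
        reasons = findings(entry)
        if reasons:
            out.append((entry, reasons))
    return out


# Constructed log lines: a normal balance lookup, a legitimate limit change by the
# operations account, a limit change from the web application account that ends in
# a comment terminator, and a line that does not match the expected format.
SAMPLE_LOG = [
    "2012-03-01T02:10:11Z\twebapp@10.0.1.20\tSELECT balance FROM accounts WHERE card_id = 48812",
    "2012-03-01T02:11:03Z\tcardops@10.0.2.5\tUPDATE cards SET withdrawal_limit = 500 WHERE card_id = 48812",
    "2012-03-01T02:14:07Z\twebapp@10.0.1.20\tUPDATE cards SET withdrawal_limit = 100000 WHERE card_id = 48812 -- ",
    "garbage line with no tabs",
]

if __name__ == "__main__":
    for entry, reasons in review(SAMPLE_LOG):
        print(entry.ts, entry.user, entry.source, "|", "; ".join(reasons))
        print("   ", entry.sql)
```

The account check is the one that would have mattered most in the deck's case: the application account has no business raising limits, so any such statement from it is worth a look regardless of how it was phrased. Capturing the statements in the first place (a database's own query or audit log, or the recorder the client ended up using) is the prerequisite; the review logic is cheap once the data exists.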
Eradication & remediation 2-4 weeks
• Remove malware
• Re-image and/or rebuild systems
- Consider legacy applications
• Delete/disable accounts
• System and Network device hardening
• Increase log monitoring
Longer term issues
• Data Flows
• Application Characteristics
• Server Characteristics
• Risk Factors
• Regulatory and Compliance Issues
Recovery – Long term goals
• Implement an Information Security group with a CISO
• Integrate Information Security into all facets of the business
• Network Isolation and segmentation
• System hardening
• Annual security audits (include penetration testing)
- Include 3rd party connections
• Implement a Sensitive Data Program
Recommendations
• Ensure there is an incident response plan in place
• Know where your crown jewels are located
• Regular security assessments conducted by an outside firm
• Have an incident response support team on speed dial
Questions
Contact:
Dave Nardoni 213-356-6308
Jef Dye 213-217-3976
© 2012 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.