Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Vanderburg


Page 1: Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Vanderburg

© 2017 Technology Concepts & Design, Inc. All Rights Reserved.

Cybersecurity Incident Response Strategies and Tactics

TIMOTHY OPSITNICK, Executive Vice President & General Counsel

ERIC VANDERBURG, Vice President, Cybersecurity

RIMS 2017 Northeast Ohio Regional Conference

October 5, 2017

Page 2

About Us

TCDI founded in 1988

Microsoft Certified Partner since 2003

Services include:
◦ Digital forensics
◦ Cybersecurity
◦ eDiscovery

Minority owned enterprise

Page 3

ERIC VANDERBURG
Vice President, Cybersecurity

Over 40 certifications

Published author

Licensed private investigator

Expert witness and thought leader

18 years in cybersecurity

Specializations include:
◦ Risk management
◦ Governance and compliance
◦ Security strategy

TIMOTHY OPSITNICK
Executive Vice President and General Counsel

E-Discovery special master

Expert witness

Advisory board member for the Georgetown University Law Center’s CLE and the American College of e-Neutrals

Numerous publications and legal education seminars

Member of the Sedona Conference Working Group

Page 4

Introduction

Page 5

Impact of Cybersecurity Incidents

Loss of Valuable Information

Direct Financial Loss

Unfavorable Media Exposure/Damage to Reputation

Outages and Disruption

Data breach

Notification

Lawsuits

Page 6

Statistics*
◦ 87% responded to at least one incident in the past year
◦ 20% responded to at least 100 incidents
◦ 68% identified malware as the root cause of incidents
◦ 50% reported employee personal information (e.g. SSN) was prioritized
◦ 82% reported that remediation activities took place within one month of containment
◦ 33% reported that remediation took place within 24 hours

*The Show Must Go On! The 2017 SANS Incident Response Survey

Page 7

Pre-response planning

Identify data types and locations

Identify legal obligations
◦ Regulatory
◦ Contractual

Create and implement security policies
◦ Incident Response Plan
◦ Other policies

Page 8

Analysis of legal obligations

National laws and directives

GDPR / EU directives

State / province laws

Civil liabilities

Legally-advisable practices

Page 9

Business value of IR

Protects proprietary / classified information

Reduces impact to business operations

Minimizes public relations damages

Reduces costs of response

Ensures data is collected for evidentiary purposes

Page 10

Incident Response Planning

Page 11

The Team

IT

Compliance

Privacy

Human Resources

Security / Risk Management

Third-party cyber security team

Legal

Public Relations

Physical Security

Senior management

Law Enforcement Liaison

Page 12

Counsel and privilege

Early involvement affects whether communications will be considered privileged
◦ Early assessments are frank
◦ Privilege law is complex

The law in this area is still developing

Regulatory and legal requirements are complex (e.g. notice obligations)

Page 13

Activating the team and the plan

Initial scoping, typically IT

Trigger
◦ Confidentiality or privacy of information affected or in care
◦ Integrity of systems or data
◦ Availability of systems or data

Page 14

Incident Response Readiness

Page 15

Scenario planning
◦ Document procedures for likely incidents
◦ Document steps for a non-specific incident
◦ Is geographic diversity needed?
◦ Determine notification procedure

Page 16

Employee theft of intellectual property and misconduct

An employee removes internal client information for sale to a competitor

A disgruntled employee destroys data critical to business success

An employee downloads illegal software containing a backdoor

Page 17

Data breach

Large upload of files to unknown destination

Confidential information on public sources

Files mistakenly sent to the wrong customer

Page 18

Malware or ransomware

Ransomware encrypts central data repository

Botnet causes company email and domain to be blacklisted due to spam and searches

Malware makes hundreds of machines unusable

Company receives notices of Denial of Service (DoS) attacks originating from the corporate network.

Page 19

Lost or stolen device

Employee loses an encrypted laptop while on vacation.

Backup tapes are stolen from an employee’s vehicle while they are in a restaurant.

The phone of the CEO’s assistant is stolen at a coffee shop and the phone was unlocked at the time.

Page 20

Key system failure

Power outage in the server room in the middle of the day.

Non-redundant firewall failure

Page 21

Data loss or corruption

Multiple hard drives fail in the main database server.

Administrator accidentally deletes the wrong virtual machine.

A restore overwrites production data rather than going to an alternate location.

Encryption keys expire

Page 22

Social engineering

Company instructed to change payment information.

Fake CEO emails instruct AR to make payments to an account.

Employees divulge passwords to a person claiming to be from IT.

Page 23

Table top exercises

PROCESS
◦ IR team assembles
◦ Facilitator describes scenario
◦ Plans are invoked and tested
◦ Review actions
◦ Completion and success criteria
◦ Notification methods and messages

VALUE
◦ New insight gained
◦ Plans updated
◦ Team more comfortable with the process

Page 24

Security testing

Penetration testing

Vulnerability management

Red teaming

Page 25

Locking systems down

Configuration audits and system hardening

Hardening zone: Purpose

User Configuration: Least privilege, secondary logon

Network Configuration: IPv4 vs IPv6, encryption, static/dynamic addressing

Features and Roles Configuration: Add what you need, remove what you don't. GUI?

Update Installation: Address vendor-addressed vulnerabilities

NTP Configuration: Clock synchronization

Firewall Configuration: Minimize your external footprint

Remote Access Configuration: Authorization, types (RDP, SSH, admin tools)

Service Configuration: Minimize your attack surface

Logging and Monitoring: Know what's happening on your system
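As an added example (not tooling from the presentation or from TCDI), the Python script below turns several rows of the hardening table into a repeatable configuration audit: it checks remote access settings from an sshd_config, the running service set against an allowlist, time synchronisation, the host firewall and open ports, and the presence of a log daemon. The sshd_config text, service inventories, port lists and allowlists are all constructed for the demo; the "first occurrence wins" parsing rule follows sshd_config(5), and Match blocks are deliberately not modelled.

```python
"""Audit a host description against several hardening zones from the checklist.

Added example, not the presenters' tooling. The sshd_config text, service
inventory and allowlists are all constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    zone: str    # hardening zone from the checklist
    detail: str  # what was observed


# Constructed allowlists for the example host.
ALLOWED_SERVICES = {"sshd", "chronyd", "rsyslog", "nftables", "nginx"}
ALLOWED_PORTS = {22, 443}
TIME_SYNC_DAEMONS = {"chronyd", "ntpd", "systemd-timesyncd"}
FIREWALL_DAEMONS = {"nftables", "firewalld", "ufw"}
LOG_DAEMONS = {"rsyslog", "syslog-ng", "systemd-journald"}


def parse_sshd_config(text):
    """Map lowercased directive -> lowercased value.

    sshd_config(5) applies the FIRST occurrence of a directive, so a later
    'PermitRootLogin no' cannot override an earlier 'yes'; setdefault() models
    that. Match blocks are ignored (simplification for the example).
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        config.setdefault(key.lower(), value.strip().lower())
    return config


def audit_host(sshd_text, running_services, listening_ports):
    """Return the list of Findings for one host; an empty list means it passes."""
    findings = []
    ssh = parse_sshd_config(sshd_text)
    running = set(running_services)

    # Remote Access Configuration (the defaults below are sshd's when unset)
    if ssh.get("permitrootlogin", "prohibit-password") != "no":
        findings.append(Finding("Remote Access Configuration",
                                "PermitRootLogin is not 'no'"))
    if ssh.get("passwordauthentication", "yes") != "no":
        findings.append(Finding("Remote Access Configuration",
                                "PasswordAuthentication enabled; use key-based logon"))

    # Service Configuration: anything off the allowlist is extra attack surface
    for svc in sorted(running - ALLOWED_SERVICES):
        findings.append(Finding("Service Configuration",
                                f"unexpected service running: {svc}"))

    # NTP Configuration: without sync, log timestamps cannot be correlated
    if not running & TIME_SYNC_DAEMONS:
        findings.append(Finding("NTP Configuration", "no time sync daemon running"))

    # Firewall Configuration: host firewall present and only expected ports open
    if not running & FIREWALL_DAEMONS:
        findings.append(Finding("Firewall Configuration", "no host firewall running"))
    for port in sorted(set(listening_ports) - ALLOWED_PORTS):
        findings.append(Finding("Firewall Configuration",
                                f"unexpected listening port: {port}"))

    # Logging and Monitoring: you cannot investigate what you did not record
    if not running & LOG_DAEMONS:
        findings.append(Finding("Logging and Monitoring", "no log daemon running"))
    return findings


# Constructed "before" host with several weak settings.
WEAK_SSHD = """# constructed sample sshd_config
PermitRootLogin yes
PasswordAuthentication yes
# the line below is ignored by sshd because the first occurrence wins
PermitRootLogin no
"""
WEAK_SERVICES = ["sshd", "telnetd", "nginx", "rsyslog"]
WEAK_PORTS = [22, 23, 443]

# Constructed "after" host once the checklist has been applied.
HARDENED_SSHD = "PermitRootLogin no\nPasswordAuthentication no\n"
HARDENED_SERVICES = ["sshd", "chronyd", "rsyslog", "nftables", "nginx"]
HARDENED_PORTS = [22, 443]

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_SSHD, WEAK_SERVICES, WEAK_PORTS)),
                        ("hardened", (HARDENED_SSHD, HARDENED_SERVICES, HARDENED_PORTS))):
        print(f"== {label} host ==")
        for f in audit_host(*args):
            print(f"  [{f.zone}] {f.detail}")
```

The weak host produces six findings (two remote-access, one service, one NTP, two firewall) and the hardened host none. In practice the inventory inputs would come from the host itself (the service manager and a socket listing) rather than from constants, but keeping the checks as pure functions over plain data is what makes the audit easy to run against every system before an incident, not just the one under investigation.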

Page 26

Improving detection capability

SIEM

Anomaly detection

End user training

Motivation and Accountability

Page 27

Vendor or third party coordination and planning

Identify required third-parties

Establish expectations and contractual agreements

Make vendors aware of internal procedures

Solicit feedback

Page 28

Awareness training

Acceptable use
◦ Email, Internet, Social

Passwords

Incident indicators

Malware

Social engineering

Data handling

Other policy elements

Page 29

Process and system implementation

Preservation

Log management and retention

Business continuity

Auditing

Prepare resources
◦ Human
◦ Technical

Page 30

Incident Response Execution

Page 31

Incident response phases

Identification

Containment

Investigation

Eradication

Recovery

Reflection

Page 32

Identification

Report incident indicators (employees or automated systems)

Validate indicators

Indicators
◦ Use of dormant accounts
◦ Log alteration
◦ Presence of malicious code
◦ Notification by partner or peer
◦ Notification by hacker
◦ Loss of availability
◦ Corrupt files
◦ Data breach
◦ Violation of policy
◦ Violation of law
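The first indicator on the list, use of dormant accounts, is one an automated system can raise and a responder can validate from the same data. The Python below is an added example, not from the presentation: it walks authentication events in time order, keeps the last successful logon per user, and flags any successful logon that follows a long silence. The single-line log format and the sample lines are constructed; a real source (Windows Security log, auth.log, an identity provider's sign-in log) needs its own parser, but the gap logic is the same.

```python
"""Flag successful logons by accounts that have been silent for a long time.

Added example, not from the presentation. The log format and the sample lines
are constructed; real sources need their own parser but the same gap logic applies.
"""
import re
from datetime import datetime, timedelta

# Constructed single-line format: <ISO timestamp> host=... user=... action=... result=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_auth_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def dormant_account_logons(lines, dormant_after=timedelta(days=90)):
    """Return (user, host, timestamp, gap) for each successful logon that follows
    at least `dormant_after` of silence for that user.

    Only successful logons count as activity: failed attempts against a dormant
    account do not reset the clock, so a later success is still flagged.
    """
    events = [e for e in map(parse_auth_line, lines)
              if e and e["action"] == "login" and e["result"] == "success"]
    events.sort(key=lambda e: e["ts"])   # gaps only make sense in time order
    last_seen = {}
    hits = []
    for e in events:
        prev = last_seen.get(e["user"])
        if prev is not None and e["ts"] - prev >= dormant_after:
            hits.append((e["user"], e["host"], e["ts"], e["ts"] - prev))
        last_seen[e["user"]] = e["ts"]
    return hits


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2017-06-01T09:00:00Z host=fs01 user=jsmith action=login result=success",
    "2017-06-02T09:05:00Z host=fs01 user=jsmith action=login result=success",
    "2017-06-03T09:00:00Z host=fs01 user=mlee action=login result=success",
    "2017-09-30T22:41:00Z host=fs01 user=jsmith action=login result=success",
    "2017-10-01T09:00:00Z host=fs01 user=mlee action=login result=failure",
    "2017-10-02T03:12:00Z host=db01 user=mlee action=login result=success",
    "2017-10-02T08:00:00Z host=fs01 user=jsmith action=login result=success",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for user, host, ts, gap in dormant_account_logons(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user}@{host} logged on after {gap.days} days of silence")
```

On the sample data both jsmith (fs01) and mlee (db01) are flagged after roughly 120 days of silence, while jsmith's next-day logon is not. Two caveats matter when validating the indicator: a user's first logon inside the log window has no prior event and cannot be judged from logs alone (seed `last_seen` from the directory's last-logon attribute), and a flagged logon is only an indicator, so the validation step is to confirm with HR or the account owner whether the return to activity was expected before containment actions such as disabling the account.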

Page 33

Containment

Assemble the IR team

Quarantine
◦ Disable accounts, disconnect from network, isolate VM

Preserve Evidence

Expand IR resources as necessary

Page 34

Investigation

Interviewing

Analysis
◦ Logs
◦ Memory
◦ Forensic images
◦ Public data

Documentation
◦ IP address of compromised system
◦ Time frame
◦ Malicious ports
◦ Flow records

Page 35

Eradication

Resolution
◦ List action items
◦ Rank in terms of risk level and time required
◦ Prioritize
◦ Coordinate and track remediation to completion

Validation
◦ Confirm measures successfully remediated the incident

Page 36

Recovery

Remediate vulnerabilities

Restore services

Restore data (Ensure that backups are clean)

Follow notification procedures in IRP

Restore confidence

Page 37

Reflection

Refine plans and processes

Create new IRPs

Debrief

Page 38

Reflection (continued)

Debrief (after-action review)
◦ Rankless discussion
◦ Goals
◦ Were goals achievable?
◦ Successes
◦ Pitfalls
◦ Lessons learned
◦ Action items and responsibilities
◦ Positive summary

Page 39

Key Issues

Page 40

Preserving chain of custody and evidence

As soon as the team begins its work, it must start and maintain a strict chain of custody.

The chain of custody documents that the evidence was under strict control and that no unauthorized person was given the opportunity to corrupt it.
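The two properties the slide names, evidence under strict control and no opportunity for unauthorized alteration, are exactly what a custody log has to be able to demonstrate later. The Python below is an added example, not a tool from the presentation or from TCDI, of the minimum record that supports both: the item is hashed once at intake, every hand-off re-hashes it and is refused unless the current custodian is the one handing it over and the hash still matches, and a verifier can replay the log to confirm the chain is unbroken. The evidence bytes and custodian names are constructed.

```python
"""Minimal chain-of-custody log: intake hash, guarded hand-offs, replayable check.

Added example, not from the presentation. Evidence bytes and names are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


@dataclass
class CustodyEvent:
    timestamp: str   # ISO-8601 UTC, when the action happened
    action: str      # "collected", "transferred" or "integrity-failure"
    custodian: str   # who holds the item after this event
    prior: str       # who held it before (empty for collection)
    sha256: str      # hash observed at this event


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    sha256: str                            # intake hash; every later event must match it
    events: list = field(default_factory=list)


def _stamp(when):
    return (when or datetime.now(timezone.utc)).isoformat()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(item_id, description, data, custodian, when=None):
    """Intake: hash the item once and open the custody log with that hash."""
    digest = sha256_hex(data)
    rec = EvidenceRecord(item_id, description, digest)
    rec.events.append(CustodyEvent(_stamp(when), "collected", custodian, "", digest))
    return rec


def current_custodian(rec):
    return rec.events[-1].custodian


def transfer(rec, data, from_custodian, to_custodian, when=None):
    """Hand-off: only the current holder may transfer, and the item must still
    hash to its intake value. A mismatch is recorded, not silently dropped."""
    if from_custodian != current_custodian(rec):
        raise PermissionError(f"{from_custodian} is not the current custodian of {rec.item_id}")
    digest = sha256_hex(data)
    if digest != rec.sha256:
        rec.events.append(CustodyEvent(_stamp(when), "integrity-failure",
                                       from_custodian, from_custodian, digest))
        raise ValueError(f"{rec.item_id} no longer matches its intake hash")
    rec.events.append(CustodyEvent(_stamp(when), "transferred", to_custodian,
                                   from_custodian, digest))


def try_transfer(rec, data, from_custodian, to_custodian):
    """Return None on success, otherwise the failure category (useful in reports)."""
    try:
        transfer(rec, data, from_custodian, to_custodian)
        return None
    except PermissionError:
        return "not-custodian"
    except ValueError:
        return "integrity-failure"


def verify_chain(rec):
    """True if every event carries the intake hash and each hand-off came from
    the holder recorded by the previous event, with no integrity failures."""
    holder = ""
    for ev in rec.events:
        if ev.action == "integrity-failure" or ev.sha256 != rec.sha256 or ev.prior != holder:
            return False
        holder = ev.custodian
    return True


def export_log(rec):
    """Serialise the record for the case file."""
    return json.dumps(asdict(rec), indent=2)


if __name__ == "__main__":
    image = b"constructed forensic image bytes"   # stands in for a disk image file
    rec = collect("EV-001", "laptop disk image (constructed)", image, "analyst-a")
    print(try_transfer(rec, image, "analyst-a", "analyst-b"))               # None
    print(try_transfer(rec, image, "analyst-a", "evidence-locker"))         # not-custodian
    print(try_transfer(rec, image + b"!", "analyst-b", "evidence-locker"))  # integrity-failure
    print("chain intact:", verify_chain(rec))                               # False
    print(export_log(rec))
```

The design point is that the log records failures as well as successes: a hand-off attempted by someone other than the holder is refused without touching the record, while a hash mismatch is written into the log before the transfer is rejected, so the moment the evidence stopped matching its intake hash is itself preserved for the investigation.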

Page 41

When and if to engage law enforcement

Nature of data compromised

Nature of incident (theft vs. external hacking vs. employee misconduct)

Regulatory scheme or statute that applies to the data or operations

Country of residence of the persons involved in the compromise or of the persons whose information is implicated

Your industry

Specific benefit

Policy of being a good corporate citizen

Prior relationship established

Page 42

Communications

Alternate

In person

Page 43

Engaging vendors

Pre selected

Experience

New entries in market

Page 44

Notice

Insurance carriers

Impacted individuals

Regulators

Credit reporting agencies

Page 45

Questions?