cybersecurity incident response strategies and tactics - rims 2017 - eric vanderburg
TRANSCRIPT
© 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Cybersecurity Incident Response Strategies and Tactics
Timothy Opsitnick, Executive Vice President & General Counsel
Eric Vanderburg, Vice President, Cybersecurity
RIMS 2017 Northeast Ohio Regional Conference
October 5, 2017
About Us
TCDI founded in 1988
Microsoft Certified Partner since 2003
Services include:
◦ Digital forensics
◦ Cybersecurity
◦ eDiscovery
Minority owned enterprise
Timothy Opsitnick, Executive Vice President and General Counsel
E-Discovery special master
Expert witness
Advisory board member for the Georgetown University Law Center’s CLE and the American College of e-Neutrals
Numerous publications and legal education seminars
Member of the Sedona Conference Working Group

Eric Vanderburg, Vice President, Cybersecurity
Over 40 certifications
Published author
Licensed private investigator
Expert witness and thought leader
18 years in cybersecurity
Specializations include:
◦ Risk management
◦ Governance and compliance
◦ Security strategy
Introduction
Impact of Cybersecurity Incidents
Loss of valuable information
Direct financial loss
Unfavorable media exposure / damage to reputation
Outages and disruption
Data breach
Notification
Lawsuits
Statistics
◦ 87% responded to at least one incident in the past year
◦ 20% responded to at least 100 incidents
◦ 68% identified malware as the root cause of incidents
◦ 50% reported employee personal information (e.g. SSN) was prioritized
◦ 82% reported that remediation activities took place within one month of containment
◦ 33% reported that remediation took place within 24 hours
Source: The Show Must Go On! The 2017 SANS Incident Response Survey
Pre-Response Planning
Identify data types and locations
Identify legal obligations
◦ Regulatory
◦ Contractual
Create and implement security policies
◦ Incident Response Plan
◦ Other policies
Analysis of legal obligations
National laws and directives
GDPR / EU directives
State / province laws
Civil liabilities
Legally-advisable practices
Business value of IR
Protects proprietary / classified information
Reduces impact to business operations
Minimizes public relations damage
Reduces costs of response
Ensures data is collected for evidentiary purposes
Incident Response Planning
The Team
IT
Compliance
Privacy
Human Resources
Security / Risk Management
Third-party cyber security team
Legal
Public Relations
Physical Security
Senior management
Law Enforcement Liaison
Counsel and Privilege
Early involvement of counsel affects whether communications will be considered privileged
◦ Early assessments are frank
◦ Privilege law is complex
The law in this area is still developing
Regulatory and legal requirements are complex, e.g. notice obligations
Activating the team and the plan
Initial scoping, typically by IT
Triggers:
◦ Confidentiality or privacy of information affected (information owned or in the organization's care)
◦ Integrity of systems or data
◦ Availability of systems or data
Incident Response Readiness
Scenario planning
◦ Document procedures for likely incidents
◦ Document steps for a non-specific incident
◦ Is geographic diversity needed?
◦ Determine notification procedure
Employee theft of intellectual property and misconduct
An employee removes internal client information for sale to a competitor
A disgruntled employee destroys data critical to business success
An employee downloads illegal software containing a backdoor
Data breach
Large upload of files to unknown destination
Confidential information on public sources
Files mistakenly sent to the wrong customer
Malware or ransomware
Ransomware encrypts central data repository
Botnet causes company email and domain to be blacklisted due to spam and searches
Malware makes hundreds of machines unusable
Company receives notices of Denial of Service (DoS) attacks originating from the corporate network.
Lost or stolen device
Employee loses an encrypted laptop while on vacation.
Backup tapes are stolen from an employee’s vehicle while they are in a restaurant.
The phone of the CEO’s assistant is stolen at a coffee shop and the phone was unlocked at the time.
Key system failure
Power outage in the server room in the middle of the day.
Non-redundant firewall failure
Data loss or corruption
Multiple hard drives fail in the main database server.
Administrator accidentally deletes the wrong virtual machine.
A restore overwrites production data rather than going to an alternate location.
Encryption keys expire
Social engineering
Company instructed to change payment information.
Fake CEO emails instruct AR to make payments to an account.
Employees divulge passwords to a person claiming to be from IT.
Table top exercises
PROCESS
◦ IR team assembles
◦ Facilitator describes scenario
◦ Plans are invoked and tested
◦ Review actions
◦ Completion and success criteria
◦ Notification methods and messages
VALUE
◦ New insight gained
◦ Plans updated
◦ Team more comfortable with the process
Security testing
Penetration testing
Vulnerability management
Red teaming
Locking systems down
Configuration audits and system hardening

Hardening zone                     Purpose
User configuration                 Least privilege, secondary logon for administrative tasks
Network configuration              IPv4 vs IPv6, encryption, static/dynamic addressing
Features and roles configuration   Add what you need, remove what you don't. Is a GUI needed?
Update installation                Apply vendor patches for known vulnerabilities
NTP configuration                  Clock synchronization (so logs from different systems can be correlated)
Firewall configuration             Minimize your external footprint
Remote access configuration        Authorization, types (RDP, SSH, admin tools)
Service configuration              Minimize your attack surface
Logging and monitoring             Know what's happening on your system
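The hardening table above is where a configuration audit tool earns its keep. The following is an added example (not the presenters' code) covering the "Remote access configuration" and "Logging and monitoring" rows: it audits the global section of an sshd_config against a small baseline. The baseline values, the OpenSSH defaults it falls back on when an option is absent, and both sample configurations are this example's own assumptions.

```python
"""Audit the global section of an sshd_config against a small hardening baseline.

Added example (not the presenters' code). The BASELINE is this example's own
assumption, not a published benchmark; DEFAULTS are the OpenSSH server
defaults that apply when an option is not set in the file.
"""
import re

# option (lower-cased) -> (check on the lower-cased value, human-readable expectation)
BASELINE = {
    "permitrootlogin":        (lambda v: v == "no", "no"),
    "passwordauthentication": (lambda v: v == "no", "no (key-based logins only)"),
    "permitemptypasswords":   (lambda v: v == "no", "no"),
    "x11forwarding":          (lambda v: v == "no", "no"),
    "maxauthtries":           (lambda v: v.isdigit() and int(v) <= 4, "4 or fewer"),
    "loglevel":               (lambda v: v in ("info", "verbose"), "INFO or VERBOSE"),
}

# What sshd uses when the option is absent (OpenSSH 7.x defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "info",
}


def parse_sshd_config(text):
    """Return the effective global options as {option: value}.

    Mirrors two sshd rules that audits often get wrong: for each keyword the
    FIRST occurrence wins, and everything after the first 'Match' line is
    conditional, so only the section before it is taken as global.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        effective.setdefault(key, value)         # first occurrence wins
    return effective


def audit_sshd_config(text):
    """Return a list of (option, effective_value, origin, expected) findings."""
    effective = parse_sshd_config(text)
    findings = []
    for option, (is_ok, expected) in BASELINE.items():
        if option in effective:
            value, origin = effective[option], "set in file"
        else:
            value, origin = DEFAULTS[option], "sshd default"
        if not is_ok(value):
            findings.append((option, value, origin, expected))
    return findings


# Constructed sample: a weak remote-access configuration ...
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding yes
# LogLevel and PermitEmptyPasswords are not set, so sshd defaults apply
"""

# ... and the corrected one. Options inside the Match block are conditional
# and are deliberately outside this audit's scope.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for option, value, origin, expected in findings:
            print(f"  {option} = {value} ({origin}); expected {expected}")
```

Two details matter more than the baseline itself: an option that is simply absent still has an effective value (the daemon default), so the audit reports it with its origin, and options inside a Match block apply only to the matched users or hosts, so those blocks need their own review rather than being mistaken for global settings.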
Improving detection capability
SIEM
Anomaly detection
End user training
Motivation and Accountability
Vendor or third party coordination and planning
Identify required third-parties
Establish expectations and contractual agreements
Make vendors aware of internal procedures
Solicit feedback
Awareness training
Acceptable use
◦ Email, Internet, Social media
Passwords
Incident indicators
Malware
Social engineering
Data handling
Other policy elements
Process and system implementation
Preservation
Log management and retention
Business continuity
Auditing
Prepare resources
◦ Human
◦ Technical
Incident Response Execution
Incident response phases
Identification
Containment
Investigation
Eradication
Recovery
Reflection
Identification
Indicators:
◦ Use of dormant accounts
◦ Log alteration
◦ Presence of malicious code
◦ Notification by partner or peer
◦ Notification by hacker
◦ Loss of availability
◦ Corrupt files
◦ Data breach
◦ Violation of policy
◦ Violation of law
Report incident indicators (employees or automated systems)
Validate indicators
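"Use of dormant accounts" is one of the indicators above that an automated system can report on directly. The following added example (not the presenters' code) scans sshd "Accepted" log lines and flags logins by accounts that have been idle longer than a threshold, or that do not appear in the account inventory at all. The log lines, the inventory export and the 90-day threshold are constructed for the example.

```python
"""Flag successful logins on dormant or unknown accounts in sshd log lines.

Added example (not the presenters' code). Lines use rsyslog's RFC 3339
timestamp followed by the standard OpenSSH 'Accepted ...' message. The log
lines, the account inventory and the 90-day threshold are constructed.
"""
import re
from datetime import datetime, timezone, timedelta

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted_logins(lines):
    """Extract successful logins as (time, host, user, source_ip, method), oldest first."""
    events = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m is None:            # failures, disconnects, other daemons: ignored here
            continue
        ts = datetime.fromisoformat(m["ts"])
        events.append((ts, m["host"], m["user"], m["ip"], m["method"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_dormant_account_use(lines, last_known_login, threshold_days=90):
    """Return alerts for logins where the account was dormant or not in the inventory.

    last_known_login: {username: datetime of last login} exported from the
    identity system before the log window. last_seen is updated as events
    stream through, so only the FIRST login after dormancy alerts; the
    follow-up sessions are tied to that alert during investigation.
    """
    threshold = timedelta(days=threshold_days)
    last_seen = dict(last_known_login)
    alerts = []
    for ts, host, user, ip, method in parse_accepted_logins(lines):
        prev = last_seen.get(user)
        if prev is None:
            alerts.append({"reason": "account not in inventory", "user": user,
                           "host": host, "source_ip": ip, "method": method,
                           "time": ts.isoformat()})
        elif ts - prev > threshold:
            alerts.append({"reason": "dormant account used", "user": user,
                           "host": host, "source_ip": ip, "method": method,
                           "time": ts.isoformat(), "days_dormant": (ts - prev).days})
        last_seen[user] = ts
    return alerts


# Constructed identity export: last login of each account before the log window.
LAST_KNOWN_LOGIN = {
    "alice":      datetime(2017, 9, 29, 17, 2, tzinfo=timezone.utc),
    "bob":        datetime(2017, 10, 1, 8, 45, tzinfo=timezone.utc),
    "svc_legacy": datetime(2017, 4, 10, 0, 0, tzinfo=timezone.utc),
}

# Constructed log lines.
SAMPLE_LOG = """\
2017-10-02T08:01:12+00:00 ws-alice sshd[1101]: Accepted publickey for alice from 10.0.5.23 port 50212 ssh2
2017-10-03T02:14:07+00:00 fileserver sshd[2201]: Accepted password for svc_legacy from 203.0.113.45 port 51522 ssh2
2017-10-03T02:20:40+00:00 fileserver sshd[2207]: Accepted password for svc_legacy from 203.0.113.45 port 51530 ssh2
2017-10-03T09:30:00+00:00 ws-bob sshd[1340]: Accepted publickey for bob from 10.0.5.40 port 50788 ssh2
2017-10-04T11:05:20+00:00 dbhost sshd[3300]: Failed password for root from 10.0.9.9 port 40001 ssh2
2017-10-04T11:05:33+00:00 dbhost sshd[3301]: Accepted password for tmp_admin from 10.0.9.9 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_dormant_account_use(SAMPLE_LOG, LAST_KNOWN_LOGIN):
        print(alert)
```

The inventory is what turns a log scan into a detection: without it, the first login of a dormant account inside the window looks like any other. The same structure fits a SIEM rule, with the identity export as a lookup table and the threshold as a tunable per account type (service accounts are usually held to a shorter one).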
Containment
Assemble the IR team
Quarantine
◦ Disable accounts, disconnect from network, isolate VM
Preserve evidence
Expand IR resources as necessary
Investigation
Interviewing
Analysis
◦ Logs
◦ Memory
◦ Forensic images
◦ Public data
Documentation
◦ IP address of compromised system
◦ Time frame
◦ Malicious ports
◦ Flow records
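The documentation items above (compromised host, time frame, ports, flow records) can be produced from flow data in a single pass. This added example (not the presenters' code) aggregates outbound flows per internal-host/destination pair, skips internal and approved destinations, and reports the pairs over a volume threshold, which is the "large upload of files to unknown destination" scenario from the readiness section. The flow records, the address ranges, the allow-list and the threshold are constructed assumptions.

```python
"""Summarize outbound flow records to find a large upload to an unknown destination.

Added example (not the presenters' code). The flow records, the internal
address ranges, the allow-list of known external services and the volume
threshold are constructed assumptions for the example.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# External services the business is known to push data to (constructed).
KNOWN_EXTERNAL = [ipaddress.ip_network("192.0.2.0/24")]
VOLUME_THRESHOLD = 100 * 1024 * 1024     # 100 MiB to one unknown destination


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def summarize_exfil_candidates(flow_csv, threshold=VOLUME_THRESHOLD):
    """Aggregate bytes per (src, dst) for internal -> unknown-external flows.

    Returns one record per pair at or over the threshold, carrying the fields
    the investigation notes need: the internal host, the destination, the
    ports used, the time frame and the total volume. Largest volume first.
    """
    totals = defaultdict(lambda: {"bytes": 0, "ports": set(), "first": None,
                                  "last": None, "flows": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if not _in_any(src, INTERNAL_NETS):
            continue                                  # only outbound from our hosts
        if _in_any(dst, INTERNAL_NETS) or _in_any(dst, KNOWN_EXTERNAL):
            continue                                  # internal or approved destination
        agg = totals[(row["src"], row["dst"])]
        agg["bytes"] += int(row["bytes"])
        agg["flows"] += 1
        agg["ports"].add(int(row["dport"]))
        # timestamps are ISO 8601 in UTC, so string order is time order
        agg["first"] = min(filter(None, (agg["first"], row["start"])))
        agg["last"] = max(filter(None, (agg["last"], row["end"])))
    findings = []
    for (src, dst), agg in totals.items():
        if agg["bytes"] >= threshold:
            findings.append({"compromised_host": src, "destination": dst,
                             "ports": sorted(agg["ports"]), "flows": agg["flows"],
                             "time_frame": (agg["first"], agg["last"]),
                             "total_bytes": agg["bytes"]})
    findings.sort(key=lambda f: f["total_bytes"], reverse=True)
    return findings


# Constructed flow export: start, end, source, destination, destination port,
# protocol, bytes sent by the source.
FLOWS_CSV = """\
start,end,src,dst,dport,proto,bytes
2017-10-03T02:15:01Z,2017-10-03T02:15:09Z,10.0.5.23,10.0.1.10,445,tcp,20480
2017-10-03T02:16:30Z,2017-10-03T02:41:12Z,10.0.5.23,198.51.100.77,443,tcp,734003200
2017-10-03T02:42:00Z,2017-10-03T02:55:48Z,10.0.5.23,198.51.100.77,8443,tcp,157286400
2017-10-03T03:00:11Z,2017-10-03T03:00:12Z,10.0.5.23,198.51.100.77,53,udp,512
2017-10-03T08:10:00Z,2017-10-03T08:40:00Z,10.0.7.8,192.0.2.15,443,tcp,524288000
2017-10-03T09:00:00Z,2017-10-03T09:00:05Z,10.0.5.40,203.0.113.9,80,tcp,40960
2017-10-03T09:05:00Z,2017-10-03T09:05:02Z,203.0.113.9,10.0.5.40,80,tcp,1024
"""

if __name__ == "__main__":
    for finding in summarize_exfil_candidates(FLOWS_CSV):
        print(finding)
```

The 500 MB transfer from 10.0.7.8 in the sample is not reported because its destination is on the allow-list; that is deliberate, and it is also why the allow-list must itself be reviewed during an investigation rather than trusted blindly. Aggregating per pair rather than per flow is what catches an upload split across several connections and ports.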
Eradication
Resolution
◦ List action items
◦ Rank in terms of risk level and time required
◦ Prioritize
◦ Coordinate and track remediation to completion
Validation
◦ Confirm measures successfully remediated the incident
Recovery
Remediate vulnerabilities
Restore services
Restore data (ensure that backups are clean)
Follow notification procedures in the IRP
Restore confidence
Reflection
Refine plans and processes
Create new IRPs
Debrief
Reflection (continued)
Debrief (after-action review)
◦ Rankless discussion
◦ Goals
◦ Were goals achievable?
◦ Successes
◦ Pitfalls
◦ Lessons learned
◦ Action items and responsibilities
◦ Positive summary
Key Issues
Preserving chain of custody and evidence
As soon as the team begins its work, it must start and maintain a strict chain of custody
Chain of custody documents that evidence was under strict control and that no unauthorized person was given the opportunity to corrupt the evidence
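One concrete way to make "under strict control" verifiable rather than merely asserted: hash the evidence at acquisition and chain every custody entry to the one before it, so both a change to the evidence and a later edit or deletion inside the log are detectable. This added example (not the presenters' code) does that in Python; the evidence bytes, case identifiers, custodian names and timestamps are constructed.

```python
"""Hash-verified chain-of-custody log for a piece of digital evidence.

Added example (not the presenters' code). The evidence bytes, case and item
identifiers, custodians and timestamps are constructed. Hashes are SHA-256;
each entry also commits to the previous entry's hash, so tampering with the
log itself (not only with the evidence) is detectable.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only list of custody entries chained by hash."""

    GENESIS = "0" * 64

    def __init__(self, case_id, item_id, evidence):
        self.case_id = case_id
        self.item_id = item_id
        self.evidence_hash = sha256_hex(evidence)   # acquisition hash, recorded once
        self.entries = []

    def record(self, action, custodian, timestamp, note=""):
        """Append an entry; it carries the evidence hash and the previous entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries) + 1, "action": action,
                 "custodian": custodian, "timestamp": timestamp, "note": note,
                 "evidence_hash": self.evidence_hash, "prev_hash": prev}
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _hash_entry(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify(self, evidence):
        """Return (ok, reason): evidence unchanged and every entry consistent."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False, "evidence hash mismatch"
        prev = self.GENESIS
        for i, entry in enumerate(self.entries, start=1):
            if entry["seq"] != i:
                return False, f"entry {i}: sequence gap (entry removed or reordered)"
            if entry["prev_hash"] != prev:
                return False, f"entry {i}: broken link to previous entry"
            if entry["evidence_hash"] != self.evidence_hash:
                return False, f"entry {i}: evidence hash differs from acquisition hash"
            if entry["entry_hash"] != self._hash_entry(entry):
                return False, f"entry {i}: entry contents altered"
            prev = entry["entry_hash"]
        return True, "chain intact"


def build_sample_log():
    """Constructed walk-through: image acquired, sealed, handed to an examiner."""
    evidence = b"constructed disk image fragment: not a real acquisition\n" * 64
    log = CustodyLog(case_id="IR-2017-0042", item_id="LAPTOP-17-HDD", evidence=evidence)
    log.record("acquired", "A. Lee", "2017-10-03T10:05:00Z", "write-blocked image, hash recorded")
    log.record("sealed", "A. Lee", "2017-10-03T10:20:00Z", "evidence bag 0042-01")
    log.record("transferred", "J. Diaz", "2017-10-03T14:00:00Z", "received for forensic examination")
    return log, evidence


if __name__ == "__main__":
    log, evidence = build_sample_log()
    print(log.verify(evidence))
    for entry in log.entries:
        print(entry["seq"], entry["action"], entry["custodian"], entry["timestamp"])
```

The hash chain does not replace the signed paper form or the evidence locker; it gives the investigator a mechanical check that the record presented later is the record that was written at the time, which is exactly what opposing counsel will probe.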
When and if to engage law enforcement
Nature of data compromised
Nature of incident (theft vs. external hacking vs. employee misconduct)
Regulatory scheme or statute that applies to the data or operations
Country or residence of persons involved in the compromise or persons whose information is implicated
Your industry
Specific benefit
Policy of good corporate citizen
Prior relationship established
Communications
Alternate channels
In person
Engaging vendors
Pre selected
Experience
New entries in market
Notice
Insurance carriers
Impacted individuals
Regulators
Credit reporting agencies
Questions?