Incident Response: How to Prepare (webinar slides, June 11, 2014)

Uploaded by resilient-systems on 07-Aug-2015

TRANSCRIPT

Page 1: Incident Response: How To Prepare

Incident Response: How to Prepare

June 11, 2014

Page 2

AGENDA

Intro
Process Fundamentals
Technical Fundamentals
Staying Evergreen
Leadership Challenges

Page 3

Introductions

• Ted Julian, CMO – Co3 Systems
• Sean Mason, Global Incident Response Leader – CSC

Page 4

Sean A. Mason, @SeanAMason

Career timeline (slide graphic, ’96 to ’14 and on): Agile Web Developer, Sec Analyst, Sr. IT Auditor, SW Dev Manager, Supply Chain Developer, IR Leader, Info Sec Team Lead, Director IR, Exec IR Leader.

Education and training: BS MIS, McKendree University; Technical School, USAF; MBA, Webster University; NMDC & AIMC, GE Crotonville.

Certifications: PMP, CISA, CISSP, CISM, ISSMP, CSSLP, CCFP.

Page 5

END-TO-END IR: BEFORE, DURING, AND AFTER

Prepare: Improve Organizational Readiness
• Appoint team members
• Fine tune response SOPs
• Link in legacy applications
• Run simulations (fire drills, table tops)

Assess: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Track incidents, maintain logbook
• Automatically prioritize activities based on criticality
• Log evidence
• Generate assessment

Manage: Contain, Eradicate and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling

Mitigate: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization

Page 6

Recent incidents highlight exposure to top brands (slide graphic)

Page 7

Leadership Challenges

Page 8

LEADERSHIP
• Credibility
• Trust
• Rapport
• Consistency

Page 9

Process Fundamentals

Page 10

IR EVOLUTION (slide graphic)

Page 11

END-TO-END IR: BEFORE, DURING, AND AFTER

Detect (sources)
• SIEM
• AV/HIPS
• Proxy
• ATD
• DLP
• Etc…

Contain & Collect
• Contain Host(s)
• Reset Password(s)
• Acquire Evidence

Analyze
• Movement
• Methods
• Accounts
• Actors
• Timelines

Remediate
• Rebuild Host(s)
• Reset Password(s)
• Countermeasures
• Lessons Learned

Intel

Page 12

DOCUMENTATION — “A plan doesn’t need to be a single document anymore.”
• Wiki or other Platform
• Flexibility
• Track Changes
• “Open” Access

Page 13

PEOPLE
• Who is needed for wing-to-wing IR? (think outside security)
• Who is on-call and when? (consider holidays)
• Pre-built distribution lists (DLs) for e-mails and info
• Think through basics:
  • Phones, chat rooms, conference lines, and remote access
• Clear expectations for returning phone calls

Name     Role                   Phone #
Ray      Incident Coordinator   555-2368
Danny    Incident Coordinator   555-0840
Kate     Network Team           606-0842
Jenny    AD Team                867-5309
Alicia   CISO                   489-4608
Mike     Incident Response      330-281-8004
Emily    CIO                    212-664-7665
Philip   Legal Counsel          818-775-3993
Ramona   Public Relations       212-664-7665
?        Business Leaders?
?        Law Enforcement?

Page 14

RACI
• Who does what? (think outside security)
• Set expectations
• Helps define process

Page 15

INCIDENT SEVERITIES — “Not all incidents are created equal.”

• Define an incident severity model: one common lexicon

A detailed model:

Rating     Impact  Description
Breach 1   1       Intruder has exfiltrated sensitive data, or is suspected of exfiltrating sensitive data based on volume, etc.
Breach 2   2       Intruder has exfiltrated nonsensitive data, or data that will facilitate access to sensitive data
Breach 3   3       Intruder has established a command and control channel from an asset with ready access to sensitive data
Cat 1      4       Intruder has compromised an asset with ready access to sensitive data
Cat 2      5       Intruder has compromised an asset with access to sensitive data but requires privilege escalation
Cat 3      6       Intruder is attempting to exploit an asset with access to sensitive data
Cat 6      7       Intruder is conducting reconnaissance against an asset with access to sensitive data
Vuln 1     8       Intruder must apply little effort to compromise the asset and exfiltrate sensitive data
Vuln 2     9       Intruder must apply moderate effort to compromise the asset and exfiltrate sensitive data
Vuln 3     10      Intruder must apply substantial effort to compromise the asset and exfiltrate sensitive data

A simplified model:

Rating      Description                                                                                          Response/Containment
Severity 0  Intruder has exfiltrated sensitive data or is currently inside the network. DDoS that has impacted    1 hour
            availability. Malware outbreak.
Severity 1  Indicators show that an intruder is attempting to gain a foothold or has attained an initial         4 hours
            foothold on the network. DDoS that has the potential to impact availability. Malware causing
            disruption.
Severity 2  Compromised machine (general malware)                                                                72 hours

• Simplified & flexible
• Focus more on capability

Page 16

INTERNAL COMMUNICATION — “Incidents are not an opportunity to compartmentalize information.”

Incident Severity   Comm Rhythm                     Audience
Grave (KC7)         Within 1hr – Conf. Call         COO, CSO, CIO, General Counsel, Director of PR,
                    2x Daily – Conf. Call           CISO, Director of IR, Chief Security Architect
                    COB Daily – E-mail
Significant (KC6)   Within 1hr – E-mail             CISO, Director of IR, Chief Security Architect
                    COB Daily – E-mail
Benign (KC1-5)      As needed or upon escalation    Director of IR, Security Manager

• Communicate broadly, engage others
• Communication template, rhythm and formats
• Mobile technology and speed of information

Page 17

COMMUNICATIONS — “‘I don’t know’ is a valid answer, but qualify it with actions.”

Status update template:

Kill Chain Phase: If your org uses the KC, allows for a quick look at where the current incident is at.

Business(es) & Location(s) Impacted: If your org has different locations or business units, helps to narrow impact.

Summary: Executive-level summary, no longer than a paragraph, on the current status.

Impact: Current actual business impact. Exfil? Servers down?

Next Update: 06-11-2014 1600 EST

Incident Status: More details on what is currently happening during the incident.

Intelligence & Attribution Summary: If your org has an intelligence group, details would go here.

Host Status: Deeper details on affected accounts or hosts.

Action Items:

Action                                  Status        Owner        Est. Comp
Assemble Response Team                  Complete      J. Smith     11 Jun 1200 EST
Review Network Architecture Diagrams    Complete      S. Johnson   11 Jun 1600 EST
Review Configuration Settings           In Progress   S. Johnson   13 Jun 1200 EST
Establish secure FTP site               In Progress   S. Johnson   13 Jun 1600 EST
Collect forensic evidence               Pending       R. White     TBD

Note: Updated information is shaded in green and completed actions are struck through.
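Pages 15 to 17 describe three things that belong together in one incident record: the severity rating, the containment clock it starts, and the communication rhythm it dictates. The following is an added example (not code from the slides, nor from Co3 or CSC) that encodes the simplified model (Severity 0/1/2 with 1-hour, 4-hour and 72-hour containment targets) and the Grave/Significant/Benign rhythms, computes the containment deadline and the next update due, records every state change for auditability, and renders the status template. Mapping Severity 0/1/2 onto the three comm tiers, reading "2x Daily" as every 12 hours, the class and function names, and the constructed incident in demo() are assumptions made for this example.

```python
"""Severity model, containment SLA and communication rhythm in one incident record.

Added example, not code from the slides or from Co3/CSC. Encodes the deck's
simplified severity table and its communication tiers; the tier mapping,
names and the constructed incident in demo() are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Containment targets from the simplified model on the severity slide.
CONTAINMENT_SLA = {0: timedelta(hours=1), 1: timedelta(hours=4), 2: timedelta(hours=72)}

# (tier name, time to first update, interval between updates, audience).
# Assumption: Severity 0/1/2 map to Grave/Significant/Benign; "2x Daily" is
# read as every 12 hours; None means "as needed or upon escalation".
COMM_RHYTHM = {
    0: ("Grave", timedelta(hours=1), timedelta(hours=12),
        ["COO", "CSO", "CIO", "General Counsel", "Director of PR",
         "CISO", "Director of IR", "Chief Security Architect"]),
    1: ("Significant", timedelta(hours=1), timedelta(hours=24),
        ["CISO", "Director of IR", "Chief Security Architect"]),
    2: ("Benign", None, None, ["Director of IR", "Security Manager"]),
}

T0 = datetime(2014, 6, 11, 9, 0)  # constructed incident start used by demo()


def at(hours: float) -> datetime:
    """Clock time `hours` after T0 (keeps the demo and its checks readable)."""
    return T0 + timedelta(hours=hours)


@dataclass
class ActionItem:
    action: str
    owner: str
    est_completion: str
    status: str = "Pending"  # Pending | In Progress | Complete


@dataclass
class Incident:
    incident_id: str
    severity: int
    opened_at: datetime
    summary: str
    contained_at: Optional[datetime] = None
    updates_sent: List[datetime] = field(default_factory=list)
    actions: List[ActionItem] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)  # every state change, timestamped

    def _log(self, when: datetime, message: str) -> None:
        self.audit_log.append(f"{when:%Y-%m-%d %H:%M} {message}")

    def containment_deadline(self) -> datetime:
        return self.opened_at + CONTAINMENT_SLA[self.severity]

    def containment_breached(self, now: datetime) -> bool:
        """True once the SLA has passed without containment, or if containment came late."""
        finished = self.contained_at or now
        return finished > self.containment_deadline()

    def mark_contained(self, when: datetime) -> None:
        self.contained_at = when
        self._log(when, "contained")

    def reclassify(self, new_severity: int, when: datetime, reason: str) -> None:
        """Change severity with a recorded reason; the SLA clock still runs from opened_at."""
        if new_severity not in CONTAINMENT_SLA:
            raise ValueError(f"unknown severity {new_severity}")
        self._log(when, f"severity {self.severity} -> {new_severity}: {reason}")
        self.severity = new_severity

    def next_update_due(self) -> Optional[datetime]:
        _, first, interval, _ = COMM_RHYTHM[self.severity]
        if first is None:
            return None  # Benign: as needed or upon escalation
        if not self.updates_sent:
            return self.opened_at + first
        return self.updates_sent[-1] + interval

    def record_update(self, when: datetime) -> None:
        self.updates_sent.append(when)
        self._log(when, "status update sent")

    def render_status(self, now: datetime) -> str:
        """Plain-text status in the deck's template; completed actions are marked [done]."""
        tier, _, _, audience = COMM_RHYTHM[self.severity]
        due = self.next_update_due()
        lines = [
            f"Incident {self.incident_id} - Severity {self.severity} ({tier})",
            f"Summary: {self.summary}",
            f"Containment deadline: {self.containment_deadline():%d %b %H%M}"
            + ("  ** SLA BREACHED **" if self.containment_breached(now) else ""),
            f"Next Update: {due:%d %b %H%M}" if due else "Next Update: as needed",
            f"Audience: {', '.join(audience)}",
            "Action Items:",
        ]
        for a in self.actions:
            mark = "[done]" if a.status == "Complete" else f"[{a.status}]"
            lines.append(f"  {mark} {a.action} - {a.owner} - {a.est_completion}")
        return "\n".join(lines)


def demo() -> Incident:
    """Constructed Severity 0 incident using two of the deck's sample action items."""
    inc = Incident("IR-2014-0611", 0, T0, "Suspected exfiltration from a file server")
    inc.actions += [
        ActionItem("Assemble Response Team", "J. Smith", "11 Jun 1200 EST", "Complete"),
        ActionItem("Collect forensic evidence", "R. White", "TBD"),
    ]
    return inc


if __name__ == "__main__":
    incident = demo()
    incident.record_update(at(0.75))
    print(incident.render_status(at(1.5)))  # past the 1-hour target, so flagged as breached
```

The deadline is computed from opened_at rather than from the moment the record is created, so a late triage does not quietly extend the SLA; reclassifying to a lower severity is allowed but leaves an audit entry with the reason.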

Page 18

EXTERNAL COMMUNICATIONS
• “Think Twitter” & the speed of information
• Have approved templates ready to go
• External, Internal, and Business Partners
• Test and ensure you can actually identify all parties
• Establish “easy-to-sign” NDAs for use in the event of cross-business incidents

Page 19

Poll

How long ago was your Incident Response plan and related information updated?

Page 20

Technical Fundamentals

Page 21

CONTAINMENT — “Containment is arguably the most critical decision in IR”
• When do you contain?
• Who makes the containment call?
• What method(s) will you use?
• How will you track down the devices?
• Who can access the compromised devices?

Page 22

HOST & NETWORK FORENSIC ANALYSIS
• Where are the logs? Do you aggregate logs?
• Does the team have access to the logs and the compromised devices?
• Preserve forensic evidence
• Who is properly trained to do the forensics? Do they have the tools?

(Slide graphic: Volatility scale)
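The slide's "Volatility" graphic and the "preserve forensic evidence" bullet point at the same practice: capture the most volatile state first, and hash everything as it is captured so later analysis can prove nothing changed. The following is an added example (not code from the slides, nor from Co3 or CSC) that runs a list of collectors in order of volatility, as RFC 3227 recommends (process and network state before files, files before anything already stored elsewhere), writes each output read-only, and records a SHA-256 manifest that a verify step can re-check. The Linux command list, file layout, examiner and host names, and the constructed sample outputs in SAMPLE_COLLECTORS are assumptions; a memory image would come before all of these but needs a dedicated tool, so it is left out.

```python
"""Evidence collection in order of volatility, with a hashed manifest.

Added example, not code from the slides or from Co3/CSC. Order follows
RFC 3227. Command names, file layout and the sample outputs are assumptions.
"""
import hashlib
import json
import os
import socket
import subprocess
import tempfile
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

Collector = Tuple[str, Callable[[], bytes]]  # (label, function returning raw output)


def run_cmd(argv: List[str]) -> Callable[[], bytes]:
    """Wrap a command so a missing tool is recorded rather than aborting the run."""
    def _run() -> bytes:
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=60)
            return proc.stdout + proc.stderr
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            return f"UNAVAILABLE {argv[0]}: {exc}\n".encode()
    return _run


# Most volatile first (assumed Linux tooling). A memory image would precede these.
LINUX_COLLECTORS: List[Collector] = [
    ("01_process_table", run_cmd(["ps", "-eo", "pid,ppid,user,lstart,cmd"])),
    ("02_network_sockets", run_cmd(["ss", "-tunap"])),
    ("03_arp_cache", run_cmd(["ip", "neigh"])),
    ("04_routing_table", run_cmd(["ip", "route"])),
    ("05_logged_in_users", run_cmd(["who", "-a"])),
    ("06_mounts", run_cmd(["mount"])),
    ("07_tmp_listing", run_cmd(["ls", "-la", "--time-style=full-iso", "/tmp"])),
]

# Constructed sample output so the example runs offline and deterministically.
SAMPLE_COLLECTORS: List[Collector] = [
    ("01_process_table", lambda: b"PID PPID USER CMD\n1 0 root /sbin/init\n4242 1 www /tmp/.x/kworker\n"),
    ("02_network_sockets", lambda: b"tcp ESTAB 10.0.0.5:49152 203.0.113.7:443 pid=4242\n"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(evidence_dir: str, collectors: List[Collector], examiner: str, hostname: str) -> Dict:
    """Run collectors in order, write each output read-only, hash it into a manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest: Dict = {"host": hostname, "examiner": examiner,
                      "started": datetime.now(timezone.utc).isoformat(), "items": []}
    for order, (label, fn) in enumerate(collectors):
        data = fn()
        path = os.path.join(evidence_dir, f"{label}.txt")
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o400)  # guard against accidental edits after hashing
        manifest["items"].append({
            "order": order, "label": label, "file": path, "bytes": len(data),
            "sha256": sha256_hex(data),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(manifest: Dict) -> List[str]:
    """Return labels whose on-disk content no longer matches the recorded hash."""
    failed = []
    for item in manifest["items"]:
        with open(item["file"], "rb") as fh:
            if sha256_hex(fh.read()) != item["sha256"]:
                failed.append(item["label"])
    return failed


def tamper(path: str, data: bytes) -> None:
    """Simulate post-collection modification (used only by demo_run)."""
    os.chmod(path, 0o600)
    with open(path, "wb") as fh:
        fh.write(data)


def demo_run(collectors: List[Collector] = SAMPLE_COLLECTORS) -> Tuple[Dict, List[str], List[str]]:
    """Collect into a temp dir, verify, tamper with one file, verify again."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence_")
    manifest = collect(evidence_dir, collectors, examiner="R. White", hostname="fileserver01")
    before = verify(manifest)
    tamper(manifest["items"][1]["file"], b"tcp ESTAB nothing to see here\n")
    after = verify(manifest)
    return manifest, before, after


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python collect.py /mnt/evidence/fileserver01
        print(json.dumps(collect(sys.argv[1], LINUX_COLLECTORS, "examiner", socket.gethostname()), indent=2))
    else:
        _, before, after = demo_run()
        print("failed before tamper:", before, "after tamper:", after)
```

The manifest is what answers "who collected what, when, and is it still the same" at post-incident review; sign it or copy it off-host as soon as it is written, because the collection host is by definition the one you do not trust.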

Page 23

Poll

Do your Incident Responders have immediate access to logs and devices?

Page 24

Staying Evergreen

Page 25

RECURRING TESTING – “You shouldn’t be inventing process during a crisis.”
• Paper Test – Ensure all documentation, templates, etc. are properly updated.
• Table Top Exercise – Verbally walk through a number of different IR scenarios.
• Simulated Incident – A more invasive test that leverages a Red Team to simulate an attack (or utilizes existing malware samples). Allows for a more comprehensive test of the IRT, including forensic work.
• Blind Test – Similar to simulation testing, but leadership coordinates the attack unbeknownst to the IRT.

Page 26

ENVIRONMENTAL CHANGES
• Architecture
• People
• Attacks/TTPs
• Infrastructure
• Regulations (HIPAA, PCI-DSS, DFARS)

Page 27

POST INCIDENT REVIEW
• DURING the incident: carve out cycles
• Carve out a process ahead of time
• Dissect every step of the attack
• Learn from others/external incidents

Page 28

OUTSIDE OF IR…
• Leverage the team for other hot issues such as:
  • Heartbleed
  • Insider cases
  • Counterfeit gear
  • Software piracy
  • Acquisition evaluations
  • Etc…

Page 29

Poll

Does your organization test your entire Incident Response plan on an ongoing basis?

Page 30

FINAL THOUGHTS!
• Ensure everything is auditable
• Build in a contingency budget
• Education ahead of time
• Establish a relationship with your local FBI office
• Think beyond IT: form allies in the business
• Don’t forget metrics
• Reward your Incident Responders after the battle

Page 31

Co3 Systems
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

Sean Mason
Executive Incident Response Leader
[email protected]
702-498-6615
@SeanAMason
www.csc.com/cybersecurity/IR

“We’re doing IR in one-tenth of the time.” DIRECTOR OF SECURITY & RISK, USA FUNDS

“It’s the best purchase we ever made.” CSO, F500 HEALTHCARE PROVIDER

“One of the hottest products at RSA…” NETWORK WORLD

“Co3 has done better than a home-run...it has knocked one out of the park.” SC MAGAZINE