real-world practices for incident response - isaca.org practices for incident response ... scenarios...

Real-world Practices for Incident Response

Feb 2017

Keyaan Williams– Sr. Consultant

2

Agenda

The Presentation

• Beginning with the end.

• Terminology

• Putting it into Action

Additional resources and information

• Framework/foundations

• Building Effective Incident Response

• Testing of the incident response plans and team members

• Case Study

Beginning with the

End in Mind

1National Institute of Science and Technology Special Publication 800-61 v2, COMPUTER SECURITY INCIDENT HANDLING GUIDE, August 2012

Beginning with the End: Adopt a Framework

NIST SP 800-61r2

Beginning with the End:

Understand what you

are responding to!

Define things!

6

Beginning with the End:

Have a process

At least use a checklist!

7

Step Action Completed

Detection and analysis

1. Determine whether an incident has occurred.

1.1 Analyze the precursors and indicators

1.2 Look for correlating information

1.3 Perform research

1.4

As soon as the handler believes an incident has occurred,

begin documenting the investigation and gathering

evidence.

2. Prioritize handling the incident based on relevant factors.

3.Report the incident to the appropriate internal personnel

and external organizations

8


Containment, Eradication, and Recovery

4. Acquire, preserve, secure, and document evidence.

5. Contain the incident

6. Eradicate the incident

6.1. Identify and mitigate all vulnerabilities that were exploited.

6.2.Remove malware, inappropriate materials, and other

components.

6.3.

If more affected hosts are discovered (e.g., new malware

infections), repeat the Detection and Analysis steps (1.1., 1.2) to

identify all other affected hosts, then contain (5) and eradicate

(6) the incident for them.

9


Containment, Eradication, and Recovery

7. Recover the incident

7.1. Return affected systems to an operationally ready state.

7.2. Confirm that the affected systems are functioning normally.

7.3.If necessary, implement additional monitoring to look for future

related activity.

10


Post-incident Activity

8. Create a follow-up report

9.Hold a lessons learned meeting (mandatory for major incident,

optional otherwise).

Post incident activities are important to ensure the

organization understands how the incident occurred

and ensure the organization takes steps to prevent the

same type of incidents from occurring again.

Terminology

12

TerminologyEvents verses Incidents1

Events

An event is any observable occurrence in a system or network.

Adverse events are events with a negative consequence, such as system

crashes, packet floods, unauthorized use of system privileges, unauthorized

access to sensitive data, and execution of malware that destroys data.

Incident

A computer security incident is a violation or imminent threat of violation of

computer security policies, acceptable use policies, or standard security

practices

1 National Institute of Science and Technology Special Publication 800-61 v2, COMPUTER SECURITY INCIDENT HANDLING GUIDE, August 2012

13

TerminologyThreat: The potential source of an adverse event. Common threat

surface:

• Human Interaction

• Email (received and sent)

• Web pages visited

• Social sites

• Blogs

• Architectural

• Network interfaces (External and Internal)

• Severs and running services and applications

Vulnerability: A weakness in a system, application, or network that is

subject to exploitation or misuse.

National Institute of Science and Technology Special Publication 800-61 v2, COMPUTER SECURITY INCIDENT HANDLING GUIDE, August 2012

14

TerminologyAttack Vectors: These are the means used by the attackers to exploit

vulnerabilities. Examples are:

• External/Removable Media

• Attrition: An attack that employs brute force methods to

compromise, degrade, or destroy systems, networks, or services

• Web

• Email

• Social Engineering

• Improper Usage

Precursor: A sign that an attacker may be preparing to cause an

incident.

Indicator: A sign that an incident may have occurred or may be

currently occurring.


Putting it into Action: Implementing this at your organization

16

Putting it into Action

Evaluate your organization to ensure that threat

modeling activities occur and the threat environment

receives continuous monitoring.

17


Based on the threat modeling processes, ensure

your organization is aware of the likely threat

scenarios from the Top down.

18


Develop a real commitment and engagement from

management. Effectiveness requires appropriate

authority, budget and capabilities to accomplish

incident response goals.

19


Implement incident response processes to address

your reality based on real threats to your business.

Are BIA, CP, DRP, etc. in place, relevant, and

adequate to support the incident response program?

20


Test, Test and retest…”Prefect Practice make

Perfect Performance”

Thank YouKeyaan Williams

[email protected]

Framework

Foundations

1National Institute of Science and Technology Special Publication 800-61 v2, COMPUTER SECURITY INCIDENT HANDLING GUIDE, August 2012

Framework/Foundations 1

24

Agile and Responsive Framework/Foundations

• Incident Response Policy and Program defined

• Incident Response Plan is drive by up-to-date information

• Threat Intelligence

• Business Impact Assessments that are current and accurate

• Asset Identification – Data, Technologies, People and Processes

• Critical contracts, customers and business partners are part of the plan

• Supported from the top down and are fully integrated within Policies, Programs

and Plans

25


• Defined roles and responsibilities

• Based on need-to-know and value add (lean and effective)

• Built in fail-over for critical roles so there are no single failure points

• Specific Response member playbooks that are tailored to their roles and

responsibilities

• Required tools, services and documentation processes are in place for use in

near real-time

26


• Incident Response Team Structure

• Central Incident Response Team - A single incident response team handles

incidents throughout the organization (small organizations and for

organizations with minimal geographic diversity)

• Distributed Incident Response Teams - multiple incident response teams,

each responsible for a particular logical or physical segment of the

organization (large organizations and major computing resources at distant

locations).

However, the teams should be part of a single coordinated team


27

Understanding the Interaction of People - Organizational

Structures• Incident Response Team Structure

• Think of how we can detect both the precursors and actual incidents with a

focus on agility and responsiveness

• Helpdesk trouble calls (Our service tickets and activity type and volume)

• Network Operations Center (Anomalous Network Traffic and Log Events)

• Platform administrators (Changes in Files Permissions, Software

programs and application code)

• Physical Security personnel and intrusion detection and surveillance

(Eyes and Ears)

• System Security teams – Threat Intelligence

• End Users – (System Performance, Unusual Application Operations and

Changes)

• Vendors, Service Providers, Business Partners and Customers

Incident Response program must integrate near real-time information gathering and

analysis from all probable sources

28


Structures• Incident Response Team Interaction

• Make response activities repeatable and checklist drive for ease of use

• Playbook for each group of responders –

• Provide overview in each section for the “Kill-Chain” for each type of

category of incident

• Tailor each group’s playbook to their roles and responsibilities – KISS

Principle

• Make simple decision trees and use Graphics to depict if possible for

ease of use – Yes there are multi-surface attacks, but you follow the

kill chain based on triage

• Forms in place for complete and accurate documentation of each

team members activities step by step from initial to Report

29


Structures• Incident Response Team Interaction

• Make response activities repeatable and checklist drive for ease of use

• Playbook for each group of responders – (continued)

• Color coded sections for types of incidents based on decision tree –

pull the cards your need and follow the process

• Have only those numbers in each playbook that are applicable to the

team members roles and responsibilities (to include fail-over)

• Keep it current

Building Effective

Incident Response

31

Construct of Effective and Streamlined IR programs

• Supported from the Boardroom down

• Threat modeling is presented to the Board in clear concise presentation

• Risk framing and appetite clearly defined for most likely scenarios and receive

Board level acceptance

• Board directs Senior managers to develop, implement and test incident

response program(s), policies and processes and provide status reporting as

part of normal Cybersecurity briefing processes

• Senior management appoints a responsible person who has both the authority,

budgetary means and clearly defined responsibilities to enable the IR processes to

be executed in near real-time across all business groups within the organization

• Senior management ensures that ALL organization across the enterprise MUST

support the IR processes.

• The IR Executive establishes a cross functional IR command structure based on

the accepted scenarios, BIAs and related CP and DRPs

32


• Contracts are in place for all required services – Should be documented in the BIA

and required coordination with procurement team to ensure these lists are current

and accurate

• Forensics support contracts

• Software Escrow in support of “Trusted Recovery”

• External Legal Counsel

• Recovery services – Logical, Physical, Temporary Staffing (look at your

scenarios and this should drive criticality of these resources

• Hosting, cloud and other managed service providers

• Business partners agreements clearly define response clause responsibilities and

direct that they support your IR processes if applicable to include documentation

and document production requests

• Speaking of documentation….

33


• Well defined documentation and artifact gathering, retention and protected storage

processes

• Well defined methods and techniques to ensure Chain-of-Custody of all

evidentiary material in any form they could be obtained

• Document repository is identified and maintained to protect against

unauthorized access or alteration

• Use of tools such as SharePoint and/or other document management

systems

• Multifactor authentication and defined role based access control

• Securely accessible from remote locations by incident response team

members

• Public affairs and legal counsel provide rule of engagement with media,

friends and family for all employees, contractors and other affected third

parties

34


35


Testing Incident

Response

37

Testing of the Incident Response Plans

• Consider your Audience

• How do you work a test with Executive Management’s schedule?

• For progressive involved management this can be done as an overall

integrated test

• For a diverse senior management team on the move – Yes that is most of

us, try working tabletop scenarios that can be securely worked over

remote connections - Cell phones (voice and SMS) and email

• Use threat intelligence/modeling to develop test scenarios that are most likely

to occur from each category in the playbook (data breach, malware outbreak,

logical and physical intrusions, etc.)

• Tabletop scenarios that need to be completed with one hour per scenario

using full escalation as per decision trees to accurately simulate and evaluate

responses of each team member and the processes within the playbooks

38


• Consider your Audience

• How do you work a test with Executive Management’s schedule?

• For progressive involved management this can be done as an overall

integrated test

• For a diverse senior management team on the move – Yes that is most of

us, try working tabletop scenarios that can be securely worked over

remote connections - Cell phones (voice and SMS) and email

• Use threat intelligence/modeling to develop test scenarios that are most likely

to occur from each category in the playbook (data breach, malware outbreak,

logical and physical intrusions, etc.)

• Tabletop scenarios that need to be completed with one hour per scenario

using full escalation as per decision trees to accurately simulate and evaluate

responses of each team member and the processes within the playbooks

39


• Consider your Training and Testing Tools

• Where do you house the testing

• War Room

• Out-location conference rooms

• Test environments for simulation to include help desk (depends on level of

realism desired or within budget)

• How can you record electronic and person to person exchanges during testing

to evaluate effectiveness of these exchanges of information during the incident

• SMS, emails, faxes

• An employee assigned as a recorder of all minutes during testing

• Collection of manually and electronically completed incident response

forms, notes and artifacts

40


• Consider your Other Interrelated Plans

• Business Continuity and Disaster recover teams

• Standing up VMs to simulate recovery and test capabilities

• Third parties (based on highest criticality for each scenario) integrated with

the response plans, i.e. off site backups, recovery vendors, critical

business partners, managed service providers

• Travel and other expenses are planned for and simulated for the

deployment of critical personnel

Case Study

42

Case Study – KISS in Action

University Hospital has been receiving calls to the Help Desk electronic health

records files can not be accessed by physicians within several departments.

• Detection is being made by the Help Desk – How does the Hospital determine

they have an incident?

• By definition this is a indicator due to the volume of call?

• By definition this is an event that is causing impact to availability

• By definition after looking a production schedules there is no indication that

these systems or servers holding these data have outages that would cause

this issue - INCIDENT detected!

Is it this Simple? No not all the time but it can be just as Streamlined

Users and Help Desk personnel are “Tip of the Spear” and a great Barometers of what is

taking place within your enterprise

43

Case Study for Ease of Use

• Identification and Analysis is being made by the integrated IT and Security team –

How?

• Following their checklists they review the detailed information that the Help

Desk documented within the trouble ticket and identify:

• Current affected system, files, departments etc.

• Time first report of the events that lead to the incident being detected

• Interview of affected personnel indicates files are all inaccessible due to

being encrypted

• One states that they

• Notifications now follow escalation process for Malware Incidents

• By definition - INCIDENT identified and being Analyzed! – Who, What, Where

and a portion of how?

44

Case Study for Ease of UseCriteria for Escalation and Response


45



Criteria for Escalation and Response

46



Criteria for Escalation and Response

47

Case Study for Ease of use

• Containment, Eradication and Recovery is being made by the integrated IT,

Security, Malware SMEs, CEO, CFO, CIO, Legal Counsel, Privacy Officer, head of

Medical Operations, Public Affairs, Third party Forensics, Law Enforcement,

appropriate government agencies

• Following their checklists they each apply TTPs per their discipline to:

• Contain the spread of Ransomware

• Eradicate Ransomware and based on Management risk based direction

pay ransom or recover and re-enter data

• Initiate disaster recovery and business continuity plans for affected

systems processes concurrent with incident response (concurrent with

above bullets) – Do you have software escrow in place? Trusted recovery

images?

48


• Containment, Eradication and Recovery is being made by the integrated IT,

Security, Malware SMEs, CEO, CFO, CIO, Legal Counsel, Privacy Officer, head of

Medical Operations, Public Affairs, Third party Forensics, Law Enforcement,

appropriate government agencies

• Following their checklists they each apply TTPs per their discipline to:

(continued)

• Address legal and reporting requirements

• Prepare and deliver public and private communications to stakeholders

49


• Post Incident Activities

• Documentation and reports from detection through recovery from all team

members are collected along with relevant artifacts from all parties involved

• Incident Response Team Owner and/or program team review what went right

and wrong and efficiencies and effectiveness throughout the response process

• Based on the analysis document lessons learned, they make

recommendations for updating:

• Policies, procedures, playbooks

• Organizational alignment for response

• Specific Tools, Techniques and Procedures

• Identification and removal of bottlenecks

• Update training for failures noted pre, during and post incident

real-world practices for incident response - isaca.org practices for incident response ... scenarios...

Documents