What To Do When (Not If) Data Breaches Occur
Presented by Michael Santos, CISSP | Andrey Zelenskiy | Matthew Curtin, CISSP
June 11, 2014
Thank you for being here today
Presenter: Michael Santos, Director of IT Architecture and Security, Cooley LLP
Preparation
“There are no secrets to success. It is the result of preparation, hard work, and learning from failure.” – Colin Powell
1. Have a plan.
2. Have a team.
3. Have practice.
4. Look and listen.
Have a plan.
“A good plan violently executed now is better than a perfect plan executed next week.” – George S. Patton
1. Start now. Don’t wait.
• Get it on paper.
• Start simple and add.
• Use the internet.
2. Roles & Responsibilities
3. Categorization of Incidents
4. Appropriate Response
5. Understandable
6. Communications Plan
• NIST SP 800-61 Rev. 2: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• ISO/IEC 27035: http://www.iso.org/iso/catalogue_detail?csnumber=44379
• SANS Institute Incident Handler’s Handbook: http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Have a team.
“Finding good players is easy. Getting them to play as a team is another story.” – Casey Stengel
1. Don’t pick your squad during game time.
2. Choose wisely.
3. Not everyone has to be on the team.
4. Numbers matter.
SANS Institute, “Computer Incident Response Team”: http://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641
• Management
• Information Security
• Information Technology
• IT Auditor
• Physical Security
• Legal
• Human Resources
• Public Relations/Marketing
• Finance
Have practice.
“An ounce of practice is worth more than tons of preaching.” – Mahatma Gandhi
1. Practice the plan.
2. Training.
3. Table top.
4. Schedule.
Look and Listen.
“See no evil, hear no evil, speak no evil.” Then you will never find evil.
1. Turning a blind eye is not an option
2. Metrics and alert
3. Risk, Threats, Vulnerabilities
4. Monitor
5. Build relationships in the community
Tools
• E-mail Alerts
• System Dashboards
• Security Information & Event Monitoring
• Vulnerability Scanners
• Daily, Weekly, Monthly Reports
Communities
• ILTA LegalSEC
• FBI InfraGard
• US-CERT
• International Information Systems Security Certification Consortium (ISC)2
• Information Security Systems Association (ISSA)
• Vendor Alerts
June 11, 2014
Thank you for being here today
Presenter: Andrey Zelenskiy, Information Security, Dentons US, LLP
Threat Landscape Today:
- Enterprises are attacked on average once every 1.5 seconds. In 2012, we reported malware attacks occurred once every three seconds. The increased frequency highlights the bigger role malware is playing in cyber attacks.
- Malware attack servers and command and control (CnC) infrastructure have been placed in 206 countries and territories, up from 184 in 2012. The U.S., Germany, South Korea, China, the Netherlands, the United Kingdom, and Russia were home to the most CnC servers.
Threat Landscape Today (Cont’d):
- The top ten countries that were most frequently targeted by APTs in 2013: United States, South Korea, Canada, Japan, United Kingdom, Switzerland, Taiwan, Saudi Arabia, Israel
- The following verticals were targeted by the highest number of unique malware families: Government, Services/consulting, Technology, Financial services, Telecommunications, Education, Aerospace/Defense, Government (State/Local), Financial services, Chemicals, Energy
Source: FireEye Advanced Threat Report 2013 (http://www2.fireeye.com/advanced-threat-report-2013.html)
New Security Model:
- Network
- Endpoint
- Mobile
- Virtual
- Cloud
Incident Identification
According to the SANS Incident Handler's Handbook: “This phase deals with the detection and determination of whether a deviation from normal operations within an organization is an incident, and its scope assuming that the deviation is indeed an incident.”
http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Where does the information come from?
- End Users
- Help Desk
- System Administrators
- Systems (IDS/IPS, Antivirus, Antimalware)
- Human Resources
Indicators:
- “My computer behaves strange”
- AV detections (how likely is that???)
- Ransomware (encrypted files on local drives and network shares)
- Unfamiliar files, executables, processes
- New program installed that is not part of a “standard” build
- Systems connecting to hosts in the countries that you do not do business with
- New accounts created in AD
- New account privileges granted
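As an added example that is not part of the original slides, a small Python triage routine checks a handful of constructed log records against three of the indicators above (new AD accounts, new privileges granted, connections to countries the firm does no business with) and correlates the first two. The business-country list, privileged-group names and record layout are assumptions; event IDs 4720 and 4728 are the real Windows Security log IDs for “user account created” and “member added to a security-enabled global group”.

```python
# Added example: triage constructed log records against the indicators on the slide.
# Windows Security event IDs 4720 (account created) and 4728 (member added to a
# global group) are real; the record layout and all sample values are constructed.
from collections import Counter

# Assumption: the firm operates only in these countries (placeholder list).
BUSINESS_COUNTRIES = {"US", "GB", "DE"}
# Assumption: membership changes to these groups count as "privileges granted".
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample records: Windows Security events plus firewall flow summaries.
SAMPLE_EVENTS = [
    {"type": "winsec", "event_id": 4720, "host": "DC01", "target": "svc_backup2", "actor": "jdoe"},
    {"type": "winsec", "event_id": 4728, "host": "DC01", "group": "Domain Admins",
     "member": "svc_backup2", "actor": "jdoe"},
    {"type": "winsec", "event_id": 4624, "host": "WS042", "target": "asmith", "actor": "asmith"},
    {"type": "flow", "src": "10.20.3.17", "dst": "203.0.113.9", "dst_country": "BR", "bytes_out": 48_200_000},
    {"type": "flow", "src": "10.20.3.17", "dst": "198.51.100.4", "dst_country": "US", "bytes_out": 1_200},
    {"type": "flow", "src": "10.20.7.2", "dst": "192.0.2.77", "dst_country": "KP", "bytes_out": 900},
]


def triage(events, business_countries=BUSINESS_COUNTRIES, privileged_groups=PRIVILEGED_GROUPS):
    """Return (indicator, detail) pairs for every record that matches an indicator.

    Records are judged independently; deciding whether the set of findings is an
    incident is the 'determination' step the SANS handbook describes, left to people.
    """
    findings = []
    for ev in events:
        if ev["type"] == "winsec":
            if ev["event_id"] == 4720:
                findings.append(("new_account", f"{ev['actor']} created {ev['target']} on {ev['host']}"))
            elif ev["event_id"] == 4728 and ev["group"] in privileged_groups:
                findings.append(("privilege_granted", f"{ev['actor']} added {ev['member']} to {ev['group']}"))
        elif ev["type"] == "flow" and ev["dst_country"] not in business_countries:
            findings.append(("foreign_connection",
                             f"{ev['src']} -> {ev['dst']} ({ev['dst_country']}, {ev['bytes_out']} bytes out)"))
    return findings


def summarize(findings):
    """Count findings per indicator, the kind of metric a daily report would carry."""
    return dict(Counter(kind for kind, _ in findings))


def correlate_new_privileged_accounts(events, privileged_groups=PRIVILEGED_GROUPS):
    """Accounts created and then placed in a privileged group within the same batch.

    Either event alone is routine administration; together they deserve a closer look.
    """
    created = {ev["target"] for ev in events if ev["type"] == "winsec" and ev["event_id"] == 4720}
    return sorted(ev["member"] for ev in events
                  if ev["type"] == "winsec" and ev["event_id"] == 4728
                  and ev["group"] in privileged_groups and ev["member"] in created)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for kind, detail in found:
        print(f"[{kind}] {detail}")
    print("per indicator:", summarize(found))
    print("new accounts granted privileges:", correlate_new_privileged_accounts(SAMPLE_EVENTS))
```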
Questions, Questions:
- Who?
- What?
- When?
- Where?
- How?
Tools:
- SIEM
- Log aggregation and management
- Endpoint protection
- Network protection
Containment
“The primary purpose of this phase is to limit the damage and prevent any further damage from happening.” (SANS Incident Handler's Handbook)
Containment Phases:
- Short-term containment (limit the damage as soon as possible)
- System backup
- Long-term containment
What We Have Learnt from the Target Attack
“Missed Alarms and 40 Million Stolen Credit Card Numbers”: http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
“Real Life” Approach Using Cisco Sourcefire AMP Technology
Cisco Sourcefire FireAMP
“Sourcefire’s Advanced Malware Protection solutions utilize big data analytics to continuously aggregate data and events across the extended network - networks, endpoints, mobile devices and virtual environments - to deliver visibility and control against malware and persistent threats across the full attack continuum – before, during and after an attack.”
Most Recent Events
Navigating to the Events tab by clicking on a threat, IP address, or computer name in the Dashboard tab provides different filtered views.
File Analysis
File Analysis allows a user to upload an executable into a sandbox environment, where it is placed in a queue to be executed and analyzed automatically. The results are then made available to all FireAMP users.
File Analysis (cont’d)
The File Analysis page also allows the user to search for the SHA-256 of an executable to find out whether the file has already been analyzed. If it has, the analysis report is available and can be viewed by the user.
Captured Screenshots
When analyzing malware, a series of screenshots is also collected. These screenshots can be used to observe the visual impact that the malware has on a victim's desktop. They can also be used in user education campaigns: in the case of an outbreak, the security analyst can send screenshots of this threat's behavior to network users and warn them of the symptoms.
Network Capture
You can download the entire network capture that was collected while analyzing the binary. This feature can be used to create an IDS signature to detect or block activity that is associated with this threat.
Trajectory Visibility and File Details
Trajectory (Cont’d) “Created by…”
Trajectory (Cont’d) “Executed by…”
Trajectory (Cont’d) “Moved by…”
Trajectory (Cont’d) “It Created…”
Eradicate
1. Remove the problem.
2. Be swift, efficient, thorough.
3. Don’t forget the user.
4. Don’t forget to use an appropriate response.
5. Be prepared to restore data.
6. Is there more?
7. Tune your defenses.
People
• Someone needs to visit the machine – at least remotely.
Process
• Imaging checklists
• Server build checklists
• Change Management
Tools
• Antivirus
• Rootkit & Registry Cleaners
• Scripts
• Imaging software
• Backup software
• USB drives
January 1, 2014
Thank you for being here today
Presenter: C. Matthew Curtin, CISSP, Founder and CEO, Interhack Corporation
RECOVERY
You can get the monkey off your back, but the circus never leaves town.
“In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.” (NIST SP800-61rev2)
RESTORE NORMAL OPERATIONS
“Does anyone remember where this wire goes?”
• Confirm systems are functioning normally
• Remediate vulnerabilities
• Restore from clean backups?
• Rebuild from scratch?
• Replace compromised systems?
• Install patches?
• Change passwords?
• Adjust other controls?
• What’s next?
FOLLOW-UP
Not following up is like filling up your bathtub without first putting the stopper in the drain.
“One of the most important parts of incident response is also the most often omitted: learning and improving.” (NIST SP800-61rev2)
LESSONS LEARNED
What do we know now that we didn’t know then?
• Build a timeline: what happened, and when?
• How did the team perform?
• Using procedures? Procedures adequate?
• What inhibited recovery?
• What can prevent similar future incidents?
• What can detect similar future incidents?
• Writing the report.
USING COLLECTED INCIDENT DATA
What is actionable?
Resources: time, people, money. Incident type. (Curtin, Ayres. “Using Science to Combat Data Loss”)
Think about the collection of reports, metrics available:
● Number of incidents handled
● Time per incident
What should we have for the future?
EVIDENCE RETENTION
How long do we keep the evidence?
How do you decide how long to keep the results?
• Prosecution
• Retention policies
• Cost
We’ll now open it up for questions
Questions
Thank You