Upload
trinhbao
View
227
Download
0
Embed Size (px)
Citation preview
SecureWorks
Incident Response Preparedness: Best Practices
Larry Crocker, PCI QSA
Sr. Incident Response Consultant, Incident Response & Digital Forensics
SecureWorks
Agenda • Framework for Defense and Goals of a Response
• Cost of a Breach • Common Pitfalls • Real-World Incident Response • 5 Items to Help Prevent a
Breach • 5 Items to Help Respond to a
Breach • Models to Consider
3
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Framework for Defense and Goals of Response
3 Confidential 10/13/2014
4
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Your best defense
Each element fuels the others,
maximizing your chance of thwarting
the adversary
Successful defense against advanced threats requires integrated threat intelligence, security operations and incident response.
Security operations
Incident response
Threat intelligence
Know your adversaries
and their methods
Detect threat activity
earlier in the kill chain
Disrupt the kill chain
and stop the attack
Eradicate actor
presence and remove the threat
5
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Incident Response “Battle Rhythm”
Identification
Analysis
Notification
Containment
Eradication
Recovery
Post-Incident Activities
Normal Operating Conditions
Sub-optimal Operating Conditions
Detection
Time
Sta
te o
f O
pe
rati
on
s
6
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Cost of a Breach
6 Confidential 10/13/2014
7
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Average Cost of a Data Breach (2013)
• German companies had the most costly data breaches – $188 and $199 dollars per record respectively
• The highest cost breaches were deliberately malicious and criminal attacks – $277 per record in the United States
• Average records breached per incident – 23,647
• Average cost of a breach (US) – >$4.4M
• Average breach notification cost (US) – >$500,000
Ponemon Institute, LLC, “Cost of Data Breach Study : Global Analysis”
8
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Average Cost of a Data Breach (2013) (cont.)
• Your industry matters, the following verticals had the highest data breach costs:
– Healthcare
– Financial
– Pharma
• Factors used to calculate cost: – Detection/Discovery Costs
– Escalation Costs
– Notification Cost
– Ex-post Response Cost
– Customer Turnover
– Diminished Brand Value
• “US companies received the greatest reduction in data breach costs by having a strong security posture, incident response plan, CISO appointment, and from the engagement of consultants to support data breach remediation.”
Ponemon Institute, LLC, “Cost of Data Breach Study : Global Analysis”
9
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Common Pitfalls
9 Confidential 10/13/2014
10
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
General observations
• Most struggle with an IT architecture designed for delivery, not security
• Poor asset visibility and network access control
• Security Operations Centers have SIEMS, but no analytics
• No Structured Approach for Security Incident Tracking
– Difficult to spot trends and relevant threats sooner rather than later
– No clear picture on detection and containment metrics
• Most focus on compliance monitoring instead of Security Monitoring
– Implementation and process immaturity for security investigation use
cases
• Most customers have an incident response plan
– Few exercise it regularly, Many are outdated
• Most customers don’t have forensic capabilities their staffs
11
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Commodity Threat Observations
• Attackers leveraging vulnerabilities (zero-days/published) for exploit
kits with advanced functionality and agile maintenance cycles
• Commodity/criminal threat actors are becoming more sophisticated
– Drive-by attacks enumerating platforms and vulnerabilities
– Polymorphic malware
• Key characteristics are an aggressive style of attack to compromise
many victims as fast as possible for financial gain before exploit kit
malware is removed
12
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Real-World Incident Response
12 Confidential 10/13/2014
13
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Incident Case Example Provided by the Incident Response and Digital Forensics team
The Event
The Entity: Small Banking Entity
Response - The responding consultant guided the customer in artifact collection, ensuring that the evidence gathered was collected in
a sound and usable way.
- The customer provided memory dumps, enterprise AV logs, various security architecture logs, and a disk image of one
system. Additional artifacts were collected via the SOC.
- Analysis of artifacts yielded the following results:
- Initial attempts by the attacker to get malware into their environment occurred two months prior to SOC
detection. The customer’s Anti-Virus application halted any infection.
- Malware was finally able to be installed one month prior to detection without being detected. It is likely that the
attacker did not try to establish communications until the following month. The iSensor eventually alerted to the
suspect communication based on a flag for a known Blacole IP address.
- Systems with Personally Identifiable Information (PII) were infected with the Blacole commodity Trojan.
- Log and system analysis determined that PII was likely not accessed by the attacker
- Analysis determined that the system was likely compromised by either a Java or Adobe vulnerability.
A financial institution received multiple alerts over several weeks from the Dell SecureWorks Security Operations Center (SOC) in regards to potential malicious code that was attempting to communicate to external IP addresses. After repeated attempts to remediate the issue internally, the company engaged the Dell SecureWorks Incident Response team to assist. The company needed to know the nature of the threat on the system, and whether any sensitive data had been compromised and/or exfiltrated.
14
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Incident Case Example Provided by the Incident Response and Digital Forensics team
The Event
The Entity: Credit Union in the West
Response
· The company had become infected with the W32.Changeup worm and spent several weeks trying to
eradicate it. Despite attempts to eradicate, they were affected by secondary infections
· Two systems were provided for in-depth forensic analysis. Initially the customer simply wanted to know
what malware was found on the systems.
o It was determined that the systems were compromised using a Java exploit.
· The responding consultant found multiple pieces of malware, including bloodhound and Zbot (a Zeus
variant) on one of the systems.
o Malware was analyzed by CTU to determine Command and Control communication paths.
· The Consultant explained the capabilities of the malware, one of which is data exfiltration. As a result
the company asked that SecureWorks determine if any sensitive information was found on the system.
· The consultant found completed tax returns on the system, but was able to verify through timestamp
analysis that the files were not accessed after the system was compromised.
· The Incident Response engagement ended with the customer’s questions fully answered.
The company was affected by a malware outbreak with the W32.Changeup
variant. Knowing that this variant could be leveraged by other pieces of malware
to siphon data, the company’s IT Security staff were concerned that the systems
directly affected by the malware had been involved in data loss. The customer
leveraged their Retainer and called in Dell SecureWorks Incident Response to
determine if there were secondary compromises they needed to take action on.
15
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
5 Items to Help Prevent a Breach
15 Confidential 10/13/2014
16
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
• Two-Factor Authentication
• Privileged Account Control
• Persistent Web Application Testing
• Data Loss Prevention Solution
• Controlled Paranoia
Best Practices
17
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
5 Items to Help Respond to a Breach
17 Confidential 10/13/2014
18
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
• Have a Plan
• Train Constantly
• Implement Logging Intelligently
• Investigate as Much as Possible
• Well-Defined Roles and Responsibilities
Best Practices
19
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Models to Consider
19 Confidential 10/13/2014
20
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Information Security models to consider
100% outsource your Response Team • Advantage: Turn key solution, allows an IT Service team to focus
on delivery, optimal for small staffs with no security personnel • Disadvantage: Most Costly; You Maintain no Staff Expertise
Insource your Incident Management, out-source perishable and high-dollar Forensics skills • Advantage: Maintain the leadership/responsibility within the
organization • Disadvantage: Full team not together except during a live incident
and rehearsals; External Resource Cost
100% insource your Response Team • Advantage: Most Responsive; Lower Cost in Money • Disadvantage: Currency of Talent; Diversity of Response
21
Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
SecureWorks
Thank you.
Contact Dell SecureWorks at: US - (877) 838-7947 UK +44 131 718 0700 Or, email us at [email protected]