Incident Response Preparedness: Best Practices - lba.org Crocker - Incident Response - Are... · Sr. Incident Response Consultant, Incident Response & Digital Forensics . SecureWorks

SecureWorks

Incident Response Preparedness: Best Practices

Larry Crocker, PCI QSA

Sr. Incident Response Consultant, Incident Response & Digital Forensics

SecureWorks

Agenda • Framework for Defense and Goals of a Response

• Cost of a Breach • Common Pitfalls • Real-World Incident Response • 5 Items to Help Prevent a

Breach • 5 Items to Help Respond to a

Breach • Models to Consider

3

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

SecureWorks

Framework for Defense and Goals of Response

3 Confidential 10/13/2014

4


SecureWorks

Your best defense

Each element fuels the others,

maximizing your chance of thwarting

the adversary

Successful defense against advanced threats requires integrated threat intelligence, security operations and incident response.

Security operations

Incident response

Threat intelligence

Know your adversaries

and their methods

Detect threat activity

earlier in the kill chain

Disrupt the kill chain

and stop the attack

Eradicate actor

presence and remove the threat

5


SecureWorks

Incident Response “Battle Rhythm”

Identification

Analysis

Notification

Containment

Eradication

Recovery

Post-Incident Activities

Normal Operating Conditions

Sub-optimal Operating Conditions

Detection

Time

Sta

te o

f O

pe

rati

on

s

6


SecureWorks

Cost of a Breach


7


SecureWorks

Average Cost of a Data Breach (2013)

• German companies had the most costly data breaches – $188 and $199 dollars per record respectively

• The highest cost breaches were deliberately malicious and criminal attacks – $277 per record in the United States

• Average records breached per incident – 23,647

• Average cost of a breach (US) – >$4.4M

• Average breach notification cost (US) – >$500,000

Ponemon Institute, LLC, “Cost of Data Breach Study : Global Analysis”

8


SecureWorks

Average Cost of a Data Breach (2013) (cont.)

• Your industry matters, the following verticals had the highest data breach costs:

– Healthcare

– Financial

– Pharma

• Factors used to calculate cost: – Detection/Discovery Costs

– Escalation Costs

– Notification Cost

– Ex-post Response Cost

– Customer Turnover

– Diminished Brand Value

• “US companies received the greatest reduction in data breach costs by having a strong security posture, incident response plan, CISO appointment, and from the engagement of consultants to support data breach remediation.”

Ponemon Institute, LLC, “Cost of Data Breach Study : Global Analysis”

9


SecureWorks

Common Pitfalls


10


SecureWorks

General observations

• Most struggle with an IT architecture designed for delivery, not security

• Poor asset visibility and network access control

• Security Operations Centers have SIEMS, but no analytics

• No Structured Approach for Security Incident Tracking

– Difficult to spot trends and relevant threats sooner rather than later

– No clear picture on detection and containment metrics

• Most focus on compliance monitoring instead of Security Monitoring

– Implementation and process immaturity for security investigation use

cases

• Most customers have an incident response plan

– Few exercise it regularly, Many are outdated

• Most customers don’t have forensic capabilities their staffs

11


SecureWorks

Commodity Threat Observations

• Attackers leveraging vulnerabilities (zero-days/published) for exploit

kits with advanced functionality and agile maintenance cycles

• Commodity/criminal threat actors are becoming more sophisticated

– Drive-by attacks enumerating platforms and vulnerabilities

– Polymorphic malware

• Key characteristics are an aggressive style of attack to compromise

many victims as fast as possible for financial gain before exploit kit

malware is removed

12


SecureWorks

Real-World Incident Response


13


SecureWorks

Incident Case Example Provided by the Incident Response and Digital Forensics team

The Event

The Entity: Small Banking Entity

Response - The responding consultant guided the customer in artifact collection, ensuring that the evidence gathered was collected in

a sound and usable way.

- The customer provided memory dumps, enterprise AV logs, various security architecture logs, and a disk image of one

system. Additional artifacts were collected via the SOC.

- Analysis of artifacts yielded the following results:

- Initial attempts by the attacker to get malware into their environment occurred two months prior to SOC

detection. The customer’s Anti-Virus application halted any infection.

- Malware was finally able to be installed one month prior to detection without being detected. It is likely that the

attacker did not try to establish communications until the following month. The iSensor eventually alerted to the

suspect communication based on a flag for a known Blacole IP address.

- Systems with Personally Identifiable Information (PII) were infected with the Blacole commodity Trojan.

- Log and system analysis determined that PII was likely not accessed by the attacker

- Analysis determined that the system was likely compromised by either a Java or Adobe vulnerability.

A financial institution received multiple alerts over several weeks from the Dell SecureWorks Security Operations Center (SOC) in regards to potential malicious code that was attempting to communicate to external IP addresses. After repeated attempts to remediate the issue internally, the company engaged the Dell SecureWorks Incident Response team to assist. The company needed to know the nature of the threat on the system, and whether any sensitive data had been compromised and/or exfiltrated.

14


SecureWorks

Incident Case Example Provided by the Incident Response and Digital Forensics team

The Event

The Entity: Credit Union in the West

Response

· The company had become infected with the W32.Changeup worm and spent several weeks trying to

eradicate it. Despite attempts to eradicate, they were affected by secondary infections

· Two systems were provided for in-depth forensic analysis. Initially the customer simply wanted to know

what malware was found on the systems.

o It was determined that the systems were compromised using a Java exploit.

· The responding consultant found multiple pieces of malware, including bloodhound and Zbot (a Zeus

variant) on one of the systems.

o Malware was analyzed by CTU to determine Command and Control communication paths.

· The Consultant explained the capabilities of the malware, one of which is data exfiltration. As a result

the company asked that SecureWorks determine if any sensitive information was found on the system.

· The consultant found completed tax returns on the system, but was able to verify through timestamp

analysis that the files were not accessed after the system was compromised.

· The Incident Response engagement ended with the customer’s questions fully answered.

The company was affected by a malware outbreak with the W32.Changeup

variant. Knowing that this variant could be leveraged by other pieces of malware

to siphon data, the company’s IT Security staff were concerned that the systems

directly affected by the malware had been involved in data loss. The customer

leveraged their Retainer and called in Dell SecureWorks Incident Response to

determine if there were secondary compromises they needed to take action on.

15


SecureWorks

5 Items to Help Prevent a Breach


16


SecureWorks

• Two-Factor Authentication

• Privileged Account Control

• Persistent Web Application Testing

• Data Loss Prevention Solution

• Controlled Paranoia

Best Practices

17


SecureWorks

5 Items to Help Respond to a Breach


18


SecureWorks

• Have a Plan

• Train Constantly

• Implement Logging Intelligently

• Investigate as Much as Possible

• Well-Defined Roles and Responsibilities

Best Practices

19


SecureWorks

Models to Consider


20


SecureWorks

Information Security models to consider

100% outsource your Response Team • Advantage: Turn key solution, allows an IT Service team to focus

on delivery, optimal for small staffs with no security personnel • Disadvantage: Most Costly; You Maintain no Staff Expertise

Insource your Incident Management, out-source perishable and high-dollar Forensics skills • Advantage: Maintain the leadership/responsibility within the

organization • Disadvantage: Full team not together except during a live incident

and rehearsals; External Resource Cost

100% insource your Response Team • Advantage: Most Responsive; Lower Cost in Money • Disadvantage: Currency of Talent; Diversity of Response

21


SecureWorks

Thank you.

Contact Dell SecureWorks at: US - (877) 838-7947 UK +44 131 718 0700 Or, email us at [email protected]

mailto:[email protected]

Documents

Incident Response Preparedness: Best Practices - lba.org Crocker - Incident Response - Are... · Sr. Incident Response Consultant, Incident Response & Digital Forensics . SecureWorks