Presentation transcript: "Adapting Incident Response to Meet the Threat"

Slide 1: Adapting Incident Response to Meet the Threat
SecureWorks
Jeff Schilling, Director, Global Incident Response and Digital Forensics
Slide 2: Agenda
- Why change your approach?
- Do you really know your environment?
- Do you really know/understand your threat?
- Where to focus your efforts to respond?
- Measuring success
Slide 3: My Press Box View
- My view as the Director of the Army's Global Network Security Team
- My view as the Director of the Dell SecureWorks Incident Response Practice
Slide 4: The Dell SecureWorks Incident Response Practice
- 300+ projects last year
- 42% of our engagements were with medium-sized businesses
- 58% were large enterprise customers
- 70% of our engagements were active Incident Response
- 30% were proactive engagements
- 20% of our projects involved Advanced Persistent Threat (Targeted Threat)
Our observations from 2012 engagements:
- End users still the primary targets (51% of the time)
- Servers and applications running second (39% of the time)
- 20% of our engagements involved insider threat activity
Slide 6: Getting to "yes"
- Do you rarely see the same activity on your networks with the same success?
- Do you conduct trend analysis of your security incidents?
- Have you analyzed the things you can control and the things you can't? (People, Processes, Technology)
- For the things you can't control, have you calculated the risks or outcomes? Have you insured or transferred that risk?
- Do you make adjustments to your security controls based on trends?
- Do you have a plan or playbook to address your most common incidents? Do you rehearse and update these plans?
Slide 8: Which picture best describes your network?
- Do you have an updated/accurate network diagram?
- Are you a part of the change management process so you know when it changes?
- Have you studied your network flow to know which ports and protocols to accept and which to deny?
- Do you validate with pen tests, vulnerability scans and NetFlow monitoring?
- Do you have defined network boundaries with the Internet?
- Do you leverage Active Directory to assign risk and controls to Organizational Units?
- Is "whitelisting" embraced in your organization?
- Do you have a standard, secure image/baseline for hosts and servers?
- Do you centralize your event log monitoring?
- Do you limit workstation-to-workstation communication?
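The flow-study, whitelisting and workstation-to-workstation questions on this slide can be answered from NetFlow-style records. The following Python is an added example (not from the presentation or from SecureWorks) that assumes workstations live in 10.10.0.0/16 and servers in 10.20.0.0/24, and runs over a small set of constructed flow records: it lists lateral workstation-to-workstation flows, builds the seed of a server/port allow list from what clients actually use, and flags server traffic on ports the declared accept list does not cover.

```python
from ipaddress import ip_address, ip_network
from collections import Counter

# Assumed address plan (an assumption for this example, not from the slides).
WORKSTATION_NETS = [ip_network("10.10.0.0/16")]
SERVER_NETS = [ip_network("10.20.0.0/24")]

# Constructed NetFlow-like records: (src_ip, dst_ip, proto, dst_port, bytes).
FLOWS = [
    ("10.10.1.15", "10.20.0.5", "tcp", 445, 120_000),     # workstation -> file server
    ("10.10.1.15", "10.20.0.9", "tcp", 443, 9_000),       # workstation -> intranet web
    ("10.10.1.22", "10.20.0.9", "tcp", 443, 7_500),
    ("10.10.1.15", "10.10.1.22", "tcp", 445, 4_000_000),  # workstation -> workstation SMB
    ("10.10.1.40", "10.10.1.22", "tcp", 3389, 250_000),   # workstation -> workstation RDP
    ("10.10.1.22", "203.0.113.7", "tcp", 443, 15_000),    # workstation -> Internet
    ("10.20.0.9", "10.20.0.5", "tcp", 1433, 80_000),      # server -> server SQL
]

def role(ip):
    """Classify an address by the subnet it falls in."""
    addr = ip_address(ip)
    if any(addr in net for net in WORKSTATION_NETS):
        return "workstation"
    if any(addr in net for net in SERVER_NETS):
        return "server"
    return "external"

def lateral_flows(flows):
    """Workstation-to-workstation flows: what a 'limit lateral communication' rule would block,
    and what incident responders should triage first when it appears anyway."""
    return [f for f in flows if role(f[0]) == "workstation" and role(f[1]) == "workstation"]

def server_allowlist(flows):
    """Count (server, proto, port) tuples used by internal clients: the seed of an allow list."""
    seen = Counter()
    for src, dst, proto, port, _ in flows:
        if role(dst) == "server" and role(src) != "external":
            seen[(dst, proto, port)] += 1
    return seen

def undeclared_services(flows, declared):
    """Flows to servers on (proto, port) pairs missing from the declared accept list:
    each one is either a rule to deny or a service the diagram forgot to document."""
    return [f for f in flows if role(f[1]) == "server" and (f[2], f[3]) not in declared]
```

In practice the same three functions run over exported flow data and the declared set comes from the network diagram, so the output is the gap between the diagram and reality.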
Slide 10: Categories of threat
(Note: there may be some overlap in APT and insider threat detection.)

Commodity threat ("Phishing with dynamite"):
- Automated control for scale
- Can be defended with good signature-based controls
- Buys tradecraft
- Can be sophisticated and polymorphic
- Favorite vectors: server compromises, non-targeted phishing, web drive-bys
- Smash and grab

Advanced Persistent Threat ("Playing chess"):
- Human controlled (just for you)
- Custom tradecraft
- Favorite vectors: highly targeted phishing, water-holing web drive-bys, some server compromises
- Highly targeted efforts
- Attempts to cover their tracks
- Will compromise partners to get to you
- Goal is to log on, become an insider

Insider ("Fly on the wall"):
- Hardest to detect, tries to hide in normal activity
- Usually has elevated privileges
- In most cases, assumes not being monitored
- Rarely uses tradecraft; when they do, normally crawlers
- Usually has access to data that does not pertain to their job, and that is what they take
- May use "close access" techniques
- Attempts to cover their tracks
- Managers/HR usually not surprised when an insider is caught
Slide 11: Categories of Intent/Motive
Categories: Hacktivists/Revenge; Cyber Warfare; Intellectual Property Theft; Crime
Motives listed: Disrupt; Destroy; Deny; Revenge; Embarrass; Intimidate; Competitive advantage; Fill in an innovation gap; Nation-state level espionage; Steal your money; Steal your clients' money; Identity theft; Fraud
Slide 12: Pulling it all together
Threat actor categories: Commodity; Advanced Persistent Threat; Insider
Threat actor motives: Crime; Hacktivism; Revenge; Intellectual property theft; Cyber warfare
Targeted assets: Cardholder data/PII/identity; Core business processes; Critical infrastructure; Intellectual property; Web applications; Financial data/processes; Executive communication
Impacts: Monetary loss; Availability; Confidentiality; Integrity; Personal harm; Reputation
Vectors: Botnets; Server compromise; DoS; Malicious code; Web infection; Phishing; Physical theft/loss/damage; Targeted attacks; Worms/Trojans
Security controls: IPS/IDS; Firewall/Web app FW; DDoS filtering; Web/mail proxy; VM inspection; Host-level controls; SIEM/Log monitoring; Vulnerability management; Access control; DLP; DRM; User actions; Policy
Slide 13: What should an IR plan look like?
Base document (Policy and Guidelines; does not change very often):
- Roles and responsibilities
- Description of the overall process
- Identification of incident types
- Work flows
- Identification of third-party providers
Playbooks/Appendix/Run Books (Procedures; constantly updated):
- One for each incident type
- Criteria for declaring an incident
- Checklist-driven actions
Point of Contact Lists:
- Key players on the security team
- Key players on the IT staff (if separate from the security team)
- Key decision makers outside of Security and IT
- Third-party providers (ISP, outside consulting, etc.)
Slide 14: Threat Intelligence Maturity Model
[Chart: maturity stages plotted against time and maturity, in order: Data Collection; Analysis; Investigation; Synthesis; Decision Making and Action. Enhanced from "BI Capability Maturity Model".]
When establishing a Threat Intelligence capability (whether insourced, outsourced or a mix), the bottom line is that you are working to get to a point where TI is fueling stronger, more accurate decision making and action on the part of your team and across your overall business operations, as you will see later.
Slide 15: How do you apply intelligence?
[Diagram: intel on tradecraft is worked through three questions (What does it mean? How to resist? What is the next action?) and fed back through a feedback loop. Consumers shown: IT Security (hostile actor ID, material threats); Incident Response (hostile actor ID, actor motivations, attacker tactics); Physical security; Business Operations (hiring practices, data protection). A Threat Intelligence Database supplies context and countermeasures.]
Slide 17: Analysis & Classification
Do you live on the OODA Loop? (Observe, Orient, Decide, Act)
[Diagram: inputs are malware, vulnerabilities and adversaries against your assets. Malware goes to analysis and classification, then a counter-measure plan, then develop and deploy counter-measures; vulnerabilities go to risk assessment and apply threat intel to controls; adversaries are tracked through counter-measure control and efficacy. Detection is SOC Ops; Incident Response covers contain/eradicate.]
Slide 18: The "Broken Windows" approach
Questions:
- Where is my most important data?
- Where are most of my incidents happening?
- Where am I most vulnerable?
- What is (are) the worst possible thing(s) that could happen?
- Can I detect where I am most vulnerable?
- Can I contain where I am most vulnerable?
- Can I see the insider threat?
Answers:
- Identify your "broken windows"
- Establish network visibility
- Segment to protect critical assets; create security zones
- Layered defensive strategy: intelligence-informed SIEM; network detection/prevention; host-level detection/prevention; virtual machine detonation
- Get control of your elevated privileges, if you can
- Protect and leverage your Active Directory structure
- Whitelist your servers, protocols and ports
- Focus on SMTP and web traffic
- Talk to managers and HR about high-risk employees with elevated privileges
Slide 20: Success, Failure and False Metrics
Indications of failing trends:
- Increase in recurring incidents
- Increase in dwell time
- Increase in the number of incidents reported by users vs. detected by the SOC
- Increased number of root-level and domain compromises
- Increased number of compromised servers/web applications
- Increase in the number of incidents involving CVEs
- Increase in the business impact of incidents
- Increase in incidents closed where the root cause is indeterminate
Indications of successful trends:
- Decrease in time between detection and containment
- Decrease in the number of successful commodity infections
- Decrease in the number of incidents that spread to multiple hosts
- Increase in the number of APT and insider threat detections
- Decrease in third-party reporting of incidents (FBI, USSS, partners)
- Reduction in successful phishing
False metrics:
- Increase or decrease in the number of incidents
- Increase or decrease in the number of detections
- Investment in security technology!
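The slide's point is that raw counts are false metrics while trends in dwell time, containment time, detection source, spread and root-cause quality are real signals. The Python below is an added example (not from the presentation or from SecureWorks) that computes those indicators from a constructed incident register for two reporting periods and labels each metric's movement as success, failing, flat or a false metric, with the "better" direction taken from the slide; the field names and the small data set are this example's own assumptions.

```python
from datetime import date
from statistics import median

FIELDS = ("period", "compromise", "detected", "contained", "detected_by",
          "hosts", "root_cause", "category")
# Constructed incident records (not real data): dates are first compromise,
# detection and containment; detected_by is user, soc or third_party.
RAW = [
    ("Q1", date(2012, 1, 2),  date(2012, 1, 20), date(2012, 1, 22), "user", 1, "phishing", "commodity"),
    ("Q1", date(2012, 2, 1),  date(2012, 3, 2),  date(2012, 3, 6),  "user", 3, "indeterminate", "commodity"),
    ("Q1", date(2012, 3, 10), date(2012, 3, 15), date(2012, 3, 16), "soc",  1, "web drive-by", "apt"),
    ("Q2", date(2012, 4, 3),  date(2012, 4, 13), date(2012, 4, 14), "soc",  1, "phishing", "commodity"),
    ("Q2", date(2012, 5, 5),  date(2012, 5, 30), date(2012, 5, 31), "soc",  1, "credential misuse", "insider"),
    ("Q2", date(2012, 4, 20), date(2012, 5, 30), date(2012, 6, 2),  "user", 1, "targeted phishing", "apt"),
]
INCIDENTS = [dict(zip(FIELDS, r)) for r in RAW]

def period_metrics(incidents, period):
    """Indicators from the slide for one reporting period."""
    inc = [i for i in incidents if i["period"] == period]
    n = len(inc)
    return {
        "count": n,  # kept for context only: a false metric by itself
        "median_dwell_days": median((i["detected"] - i["compromise"]).days for i in inc),
        "median_contain_days": median((i["contained"] - i["detected"]).days for i in inc),
        "user_reported_ratio": sum(i["detected_by"] == "user" for i in inc) / n,
        "third_party_reported": sum(i["detected_by"] == "third_party" for i in inc),
        "multi_host": sum(i["hosts"] > 1 for i in inc),
        "indeterminate_root_cause": sum(i["root_cause"] == "indeterminate" for i in inc),
        "apt_insider_detections": sum(i["category"] in ("apt", "insider") for i in inc),
    }

# Direction each indicator must move to count as a successful trend (per the slide).
LOWER_IS_BETTER = {"median_dwell_days", "median_contain_days", "user_reported_ratio",
                   "third_party_reported", "multi_host", "indeterminate_root_cause"}
HIGHER_IS_BETTER = {"apt_insider_detections"}

def assess(before, after):
    """Label each metric's movement between two periods: success, failing, flat or false metric."""
    verdict = {}
    for k in before:
        if k not in LOWER_IS_BETTER and k not in HIGHER_IS_BETTER:
            verdict[k] = "false metric"  # raw counts say nothing about the program's health
            continue
        improved = after[k] < before[k] if k in LOWER_IS_BETTER else after[k] > before[k]
        worsened = after[k] > before[k] if k in LOWER_IS_BETTER else after[k] < before[k]
        verdict[k] = "success" if improved else "failing" if worsened else "flat"
    return verdict

if __name__ == "__main__":
    print(assess(period_metrics(INCIDENTS, "Q1"), period_metrics(INCIDENTS, "Q2")))
```

On the constructed data the incident count is identical in both quarters (and would be labelled a false metric regardless), containment and detection-source trends improve, and median dwell time gets worse, which is exactly the mixed picture a count alone would hide.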
Slide 21: Conclusion
- Analyze your environment; know your strengths and weaknesses
- Ensure you understand the threat's capabilities, intent and vectors
- Focus your response on your "broken windows"
- Ensure you are achieving success and not reinforcing failure in your Incident Response processes
Slide 22: Resources
- Dell SecureWorks Incident Response
- SANS Incident Response Training
- White Paper: Accelerating Incident Response: How Integrated Services Reduce Risk and the Impact of a Security Breach
- NIST Computer Security Incident Handling Guide
If you suspect a security breach, contact the Dell SecureWorks Incident Response team at