Presentation on theme: "Incident Management Evolution of Protection Implementing a Pro-Active Approach to Cybersecurity Benjamin Stephan, Director of Incident Management FishNet."— Presentation transcript:
Incident Management Evolution of Protection Implementing a Pro-Active Approach to Cybersecurity Benjamin Stephan, Director of Incident Management FishNet Security
Page 1: Agenda
Introduction
Today's Threat Landscape
Incident Management Life Cycle
Incident Management Framework
Next Steps
Statistics in this presentation provided by the Ponemon Institute Annual Study on Cyber Crime Costs.
Page 2: Cybercrime has become a high stakes game…
…and they are highly motivated to take your data…
State sponsored
Crime syndicates
Hacktivists
…for a number of reasons:
Financial gain
Industrial espionage
IP theft
Political motivation
Botnet services
Page 3: Threat Trends of 2011
The top trends related to a breach:
Negligence
Lack of CISO leadership
Lack of external consulting support
First time offense
Lost or stolen device
Median annualized cost of cyber crime is $5.9 million per year, with a range of $1.5 million to $36.5 million each year (an increase of 56% over 2010).
Average per capita cost was $284 per enterprise seat. This varies by size of the organization, with smaller firms incurring a greater per capita cost of $1,008 on average versus larger organizations.
*Results provided by Ponemon study.
Page 4 and Page 5: Corporate Security Posture Related to Breach Cost (chart slides)
* SES: Security Effectiveness Score, developed by PGP Corporation and Ponemon Institute. The higher the score, the more effective an organization is at achieving security initiatives.
Page 6: What Are Your Challenges?
Malicious traffic evading traditional perimeter security solutions
Difficulty validating alerts and determining the scope of an incident
Lack of endpoint visibility
Lack of defined incident management and response processes
Untested procedures and infrastructure
Inability to respond to every alert
Insufficient view of network traffic
Page 7: What Is The Impact?
Difficult or impossible to truly understand and gauge risk
Time to contain an event and return to a trusted state takes too long
Overwhelmed with alerts
Spend excessive time reducing false positives
Incident response is time consuming, expensive and incomplete
Potential loss of data
No formalized operational procedures
Page 8: The Solution
How can you defend against the unknown?
How can your company protect its critical assets?
Page 9: Solution: Incident Life Cycle, IMF, Incident Workflow
Page 10: Incident Management Lifecycle
Page 11: Incident Management Life Cycle
1. Operational
Detect malicious traffic on the wire
Identify symptoms of an attack via log analysis
Confirm symptoms through automated and manual procedures
Analyze 3rd-party threat feeds
Engage legal counsel
Capture relevant malware artifacts
2. Tactical
Validate findings against endpoint data
Triage live systems based on symptomatic evidence
Determine scope, uncover additional information
Work with critical business units to determine risk potential
Deploy targeted analytic solutions to further quantify the attack profile
Control the threat to extend investigation time
Page 12: Incident Management Life Cycle
3. Reaction
Disconnect compromised systems or networks
Cut C&C communication, kill active processes
Escalate drastic containment procedures for authorization
Defend sensitive and critical assets
Engage 3rd-party support as necessary
Wipe all identified malware and related artifacts
Schedule custom scans to mitigate secondary re-infection
4. Inoculation
Update virus signatures where applicable
Implement strong enterprise solutions
Document findings and results
Update policies and procedures to compensate for deficiencies
Ensure management support of pro-active measures
Page 13: Incident Management Framework (IMF)
… has been inundated with cyber warfare attacks from across the globe. The attackers have become more and more aggressive and sophisticated. In an effort to assist companies in defending against this onslaught of attacks, FishNet Security has architected an Incident Management Framework (IMF). The IMF is a security framework based on the best-of-breed incident response controls outlined in many known security frameworks, such as ISO, ITIL, PCI, NIST, etc.
Page 14: Incident Management Framework (IMF)
By providing companies with a baseline framework dedicated to incident management, an entity can:
Minimize product costs through strategic enterprise solutions
Mitigate risk exposure through effective operational controls
Improve staff efficiency through better understanding of cyber threats
Bridge the gap between legal and IT
Implement advanced malware countermeasures to defend the corporate network
Page 15: Incident Management Framework (IMF)
1. Communication
Internal: When an incident occurs there must be defined escalation protocols to ensure the right individuals are communicated with and kept in the loop. Reporting an event can be one of the most important initial actions. There are laws that must be considered as well as public relations issues.
External: Companies must have established relationships with third-party entities and law enforcement prior to an incident.
2. Collection
Acquisition: Electronically stored information (ESI) must be collected in a forensically sound manner.
Chain of Custody: Physical access to any collected information must be maintained at all times. Physical security controls must be implemented to ensure accurate accounting of physical access.
Data Retention: Policies must be defined as to how long ESI will be stored. Failure to define policies can lead to potential spoliation issues.
Page 16: Incident Management Framework (IMF)
3. Analysis
Technical
On the Host: suspicious hosts must be analyzed for malicious content, rogue file execution, compromise of sensitive data, etc.
On the Wire: data traversing the network must be collected and analyzed to determine migration of viruses, transmission of sensitive data, anomalous packets, etc.
Operational
One of the key aspects of investigating an incident is determining unauthorized versus authorized access. The majority of incidents will include illegitimate use of an authorized account. Example: a help desk user account accessing HR file shares.
Logs play a key role in incident analysis. However, the quantity of information to be reviewed can be extremely large. A Security Information and Event Management (SIEM) system can help review the logs in a more efficient manner.
Page 17: Incident Management Framework (IMF)
4. Containment
Prepare action plans for known potential threats. The plans must cite the situation or incident and then outline how the response team will react.
Example:
Situation: a service account is compromised and is transferring sensitive information out of the network.
Reaction:
– Capture sensitive data traversing the network
– Identify the role of the service account
– Reset the password for the account or disable it
– Disconnect infected devices from the network
– Quantify the data exfiltrated from the network
– Work with legal regarding notification processes
– Execute analysis procedures
– Execute cleanup procedures
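The "authorized account, unauthorized use" analysis on the previous slide and the compromised-service-account situation in this containment plan are the kind of checks a SIEM correlation rule performs over logs. The following is an added example (not FishNet's code and not part of the presentation) that runs both checks over constructed log records; the key=value log format, account names, role-to-share map and the 1 GiB outbound threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the presentation), in a simple key=value format.
SAMPLE_LOGS = """\
2011-09-14T08:02:11 type=share_access user=hdesk01 share=fs01/IT_Tools bytes=1024
2011-09-14T08:05:43 type=share_access user=hdesk01 share=fs01/HR_Confidential bytes=4194304
2011-09-14T08:06:01 type=share_access user=hrmgr02 share=fs01/HR_Confidential bytes=20480
2011-09-14T09:10:22 type=outbound user=svc_backup dst=203.0.113.50 bytes=734003200
2011-09-14T09:12:05 type=outbound user=svc_backup dst=203.0.113.50 bytes=838860800
2011-09-14T09:30:00 type=outbound user=jsmith dst=198.51.100.7 bytes=51200
"""
# Assumed role model: which share names each role is authorized to read.
ROLE_OF_USER = {"hdesk01": "helpdesk", "hrmgr02": "hr", "svc_backup": "service", "jsmith": "staff"}
AUTHORIZED_SHARES = {"helpdesk": {"IT_Tools"}, "hr": {"HR_Confidential"}}
OUTBOUND_THRESHOLD_BYTES = 1024 ** 3  # assumed: 1 GiB per (account, destination)

def parse_line(line):
    # '<timestamp> key=value key=value ...' -> dict
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for kv in rest.split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event

def find_unauthorized_share_access(events):
    """Authorized account, unauthorized resource: reads of shares outside the account's role."""
    findings = []
    for e in events:
        if e.get("type") != "share_access":
            continue
        role = ROLE_OF_USER.get(e["user"], "unknown")
        share = e["share"].rsplit("/", 1)[-1]
        if share not in AUTHORIZED_SHARES.get(role, set()):
            findings.append((e["ts"], e["user"], role, share))
    return findings

def find_exfil_candidates(events, threshold=OUTBOUND_THRESHOLD_BYTES):
    """Sum outbound bytes per (account, destination); flag totals at or above the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e.get("type") == "outbound":
            totals[(e["user"], e["dst"])] += int(e["bytes"])
    return {k: v for k, v in totals.items() if v >= threshold}

def analyze(log_text):
    """Run both checks over raw log text; returns (share_findings, exfil_candidates)."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return find_unauthorized_share_access(events), find_exfil_candidates(events)
```

Each hit is a starting point for the Reaction steps above (identify the account's role, quantify what left the network), not a verdict on its own.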
Page 18: Incident Management Framework (IMF)
5. Mitigation
Remediation: Analyze the results of an investigation to determine what is required to clean up the results of the infection. Use 3rd-party providers to identify vulnerabilities and help mitigate the risk of secondary infection.
Prevention: Conduct a post mortem analysis of all investigations. Learn what went wrong and how it can be prevented in the future. Create a robust and repeatable process for vulnerability management.
Testing: Develop and execute regular tabletop exercises to test the company's ability to respond to an incident. Leverage hot, warm, and cold testing procedures.
Page 19: Incident Management Framework (IMF)
6. Legal Counsel
Litigation Hold: Ensure plans are in place to disseminate, execute, and validate litigation holds.
Request for Discovery: Preparing an ESI profile will significantly help minimize the impact of fulfilling requests for discovery.
Liability: Work with internal and external counsel to ensure:
Notification laws are met
Non-disclosure agreements are fulfilled
Service level agreements are accurately defined
7. Immediate Response
Active: ensure there are accurate and up-to-date procedures in place to react to an incident.
Passive: engage third-party entities to provide immediate incident response support where needed.
Classify sensitive data to ensure critical information is protected.
Page 20: Incident Management Framework (IMF)
8. Documentation
Formal Plan: All companies must have a formal Incident Management program in place. The program will outline the entity's strategy regarding incident response and prevention. The plan must have full support of top-level management.
Procedures: There must be formal and documented procedures that outline how employees are to respond in an incident. Procedures must be reviewed at least annually and kept up to date and in line with actual practices.
Roles and Responsibilities: A formal emergency response team must be defined. The team must include both active players as well as key business stakeholders.
Page 21: Incident Management Workflow
Incident Management Life Cycle + Incident Management Framework = Incident Management Workflow
Page 22
Page 23: Attack Scenarios
Page 24: Scenario #1
Page 25: Web Server Compromise & Pivot
Diagram labels: Website; Attacker; Root kit uploaded using SQL injection
Page 26: Root Kit
Page 27: Reverse proxy installed on server using root kit
Diagram labels: Attacker; RDP traffic
Page 28: Scenario #2
Page 29: Online Banking Fraud
Diagram labels: Attacker; Website; SQL injection exploit to embed XSS code
Page 30: Online Banking Fraud
Diagram labels: Consumer; Hacker site; Victimized site; Embedded XSS keylogger
Page 31: Online Banking Fraud
Diagram labels: Attacker; Consumer; Consumer's online banking
Hacker logs into the online banking site and creates fraudulent transactions. Online banking credentials are sent to the hacker.
Page 32: Scenario #3
Page 33: POS Keylogger
Diagram labels: Back Office; Processor; Internet; POS Server
Page 34: POS Keylogger
Diagram labels: Internet; Back Office; POS Server
Hacker used global remote credentials to access the environment.
Keylogger installed on each POS device.
Card swipe readers send PAN via standard keyboard I/O.
Reseller / Integrator uses global accounts to provide tech support.
Page 35: ROI on Cyber Defense (diagram)
BEFORE: 1st instance of threat → Saturation → Detection → Containment (axes: Time/cost; Scope of compromise)
AFTER: 1st instance of threat → Detection → Containment (axes: Time/cost; Resources; Uncompromised endpoints; scope)
Early exposure of known unknown
Rapid response
Fewer required resources
Rapid remediation
Page 36: ROI on Cyber Defense (Statistics)
From the point of detection to containment is referred to as the Return To Trusted State (RTTS).
Average RTTS in 2011 was 18 days (an increase of 4 days over 2010).
Average cost of $413,784 per event or $22,896 per day (an increase of 67% over 2010).
The threats range in difficulty to contain (average RTTS):
Malicious Insider = 45.5 days to contain
Malicious Code = 41.6 days to contain
Web-based attacks = 23.5 days to contain
DOS/DDOS = 13.1 days to contain
Stolen Devices = 10.7 days to contain
Page 37: ROI on Cyber Defense (Statistics)
Page 38: Defining YOUR Plan
What are your next steps? ACT NOW!
Plan for an attack on your network.
Implement enterprise grade products in your organization.
Implement a strong security framework.
DEFEND YOUR NETWORK!
Page 39: Questions
Page 40: Thank You
Benjamin Stephan, Director, Incident Management, FishNet Security