Published by Dustin Hicks; modified over 9 years ago
Slide 1
OFFICE OF BUDGET AND FINANCE, Information Security Office
Taking Action and Taking Notes: Using effective incident response to drive security improvements
Presented by Jeff Reynolds

Slide 2: “What are Incidents”?
Malware, exploits, phishing

Slide 3: “What are Incidents”?
https://www.cvedetails.com/browse-by-date.php (CVE counts by date)

Slide 4: “What are Incidents”?
“For the overwhelming majority of attacks exploiting known vulnerabilities, the patch had been available for months prior to the breach [and 71% >1 year].”

Slides 5–6: “What are Incidents”? (image-only slides)

Slide 7: “What are Incidents”? … a constant
Slide 8: “What is Incident Response”?
Figure 3-1, Incident Response Life Cycle, from NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide. (The figure shows the four phases: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity.)

Slide 9: “What is Incident Response”?
So what's the problem? The problem is that it works.

Slide 10: “What is Incident Response”?
Attack strategies are being devised rapidly. Attackers do not need to evolve; they simply change tactics. We have to move forward to keep from falling behind.

Slide 11: “What is Incident Response”?
Incident response should be composed of two critical loops.

Slide 12: “What is Incident Response”?
OODA Loop (Observe, Orient, Decide, Act)

Slide 13: “What is Incident Response”? (image-only slide)

Slide 14: OODA Loop
“Decisions without action are pointless. Actions without decisions are reckless.” Col. John Boyd

Slide 15: OODA Loop
Observe, Orient, Decide, Act

Slide 16: How an incident should be handled (OODA Loop)
- Gather all the information you can (Observe)
- Process these details to “tell the story” (Orient)
- Decide on a plan (Decide)
- Act, and react appropriately (Act)

Slide 17: Ingredients for successful OODA
- Defined incident response team
- Defined incident response action plans
- Established collection and detection capabilities
Slide 18: OODA – Observe
Gather all the information you can.

Slide 19: OODA – Observe
Actions | Information Resources | Detection Data
Attacker action | Attack signature | Evidence
A username and password is stolen to send spam | Large amount of sent e-mails | Large amount of bounce-backs
WordPress site is compromised to host malicious links | Network logs; modified files | Third-party notices
A user visits a malicious page and malware is installed | Computer is running slow; ransom note | Sensor alerts

Slide 20: OODA – Orient
Process the details to tell a story.
Data (raw, unfiltered, not actionable) → Tactical Analysis → Intelligence (processed, sorted, has context, actionable)
Data: requests to multiple servers from 163.47.8.188, 178.33.26.3, 52.0.4.72, … with User-Agent “WPScan v2.8”; isolated events; the attacker is using Tor
Intelligence: the attacker is searching for vulnerable WordPress installations
Data: computer is running slow; ransom note on share X; sensor alerts
Intelligence: ransomware is installed on a machine where a user has access to share X
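The Observe and Orient steps above, carried out on log data, as an added example that is not part of the original presentation: raw web-server lines are parsed into records (Observe), then scanner hits are correlated across servers so that a single "WPScan v2.8" request stays an isolated data point while the same agent seen against several servers becomes the actionable finding on slide 20. The log lines are constructed for illustration (combined log format with a leading virtual-host field) and reuse the slide's scanner addresses and user agent; the scanner signature list and the host threshold are assumptions.

```python
"""Observe -> Orient: turn raw web-server log lines into an actionable finding.

Added example for the Observe and Orient slides; this is not code from the
original presentation. The log lines are constructed for illustration
(combined log format with a leading virtual-host field) and reuse the
scanner addresses and the "WPScan v2.8" user agent shown on the Orient slide.
The scanner signature list and the host threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: vhost, client, ident, user, [timestamp], "request", status, bytes, "referer", "user-agent".
RAW_LOG = [
    'www1.example.edu 163.47.8.188 - - [02/Mar/2015:10:14:01 -0600] "GET /wp-login.php HTTP/1.1" 200 1274 "-" "WPScan v2.8"',
    'blog.example.edu 163.47.8.188 - - [02/Mar/2015:10:14:03 -0600] "GET /readme.html HTTP/1.1" 404 512 "-" "WPScan v2.8"',
    'www2.example.edu 178.33.26.3 - - [02/Mar/2015:10:15:20 -0600] "GET /wp-content/plugins/ HTTP/1.1" 403 199 "-" "WPScan v2.8"',
    'www1.example.edu 52.0.4.72 - - [02/Mar/2015:10:16:44 -0600] "GET /xmlrpc.php HTTP/1.1" 405 231 "-" "WPScan v2.8"',
    'www1.example.edu 10.20.30.40 - - [02/Mar/2015:10:17:00 -0600] "GET /index.php HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    'www2.example.edu 198.51.100.7 - - [02/Mar/2015:10:18:09 -0600] "GET /wp-login.php HTTP/1.1" 200 1274 "-" "Mozilla/5.0"',
    'garbage line that the collector truncated',
]

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

SCANNER_SIGNATURES = ("wpscan", "nikto", "sqlmap")  # assumed user-agent fragments


def observe(lines):
    """Observe: parse each line into a record. Unparsable lines are returned
    separately instead of being dropped, so the analyst knows what is missing."""
    records, rejected = [], []
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            records.append(match.groupdict())
        elif line.strip():
            rejected.append(line)
    return records, rejected


def orient(records, min_hosts=2):
    """Orient: correlate scanner hits by user agent. A scanner seen against
    min_hosts or more of our servers becomes an actionable finding; a single
    hit stays an isolated, non-actionable data point."""
    by_ua = defaultdict(lambda: {"ips": set(), "hosts": set(), "paths": set(), "count": 0})
    for rec in records:
        if any(sig in rec["ua"].lower() for sig in SCANNER_SIGNATURES):
            stats = by_ua[rec["ua"]]
            stats["ips"].add(rec["ip"])
            stats["hosts"].add(rec["vhost"])
            stats["paths"].add(rec["path"])
            stats["count"] += 1

    findings = []
    for ua, stats in sorted(by_ua.items()):
        actionable = len(stats["hosts"]) >= min_hosts
        findings.append({
            "user_agent": ua,
            "source_ips": sorted(stats["ips"]),
            "targets": sorted(stats["hosts"]),
            "paths": sorted(stats["paths"]),
            "requests": stats["count"],
            "actionable": actionable,
            "assessment": (
                "Attacker is searching multiple servers for vulnerable WordPress installations"
                if actionable else "Isolated scanner hit; keep watching"
            ),
        })
    return findings


if __name__ == "__main__":
    recs, bad = observe(RAW_LOG)
    print(f"{len(recs)} records parsed, {len(bad)} rejected")
    for finding in orient(recs):
        print(finding["assessment"], finding["source_ips"], finding["targets"])
```

The finding carries the context the slide asks for (which addresses, which of our servers, which paths) rather than the raw lines, and the rejected-line list keeps the Observe step honest: a collector that silently drops what it cannot parse leaves a hole in the story.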
Slides 21–23: OODA – Orient (image-only slides)

Slide 24: OODA – Decide (Intelligence → Plan)
Decide on a plan.

Slide 25: OODA – Decide
Planning at this phase should resemble “picking a play”, not building one from scratch.

Slide 26: OODA – Decide
Planning itself can offer an opportunity for peer review.

Slide 27: OODA – Decide
Plans offer: a set course of actions; expected objectives; recourse to take.
Slide 28: OODA – Decide, Going Further
Attacker v. Automated Defense

Slide 29
11.11.11.11.34687 -> 99.99.99.99.80 CON POST /thumbs.php
99.99.99.99.80 -> 11.11.11.11.34687 RST

Slide 30
22.22.22.22.54632 -> 99.99.99.99.80 CON POST /thumbs.php
99.99.99.99.80 -> 22.22.22.22.54632 RST

Slide 31
33.33.33.33.4614 -> 99.99.99.99.80 POST /thumbs.php
11.11.11.77.4693 -> 99.99.99.99.80 GET /image.php5
11.11.11.77.4693 -> 99.99.99.99.80 POST /image.php5?Nfiles=1
(Each time one source address is reset, the same POST comes back from a new address, and a neighbouring address then moves on to a different handler: an address-based block reacts, but it does not stop the attacker.)
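The two "plays" behind slides 28–31, as an added example that is not part of the original presentation: a reactive address blocklist of the kind the RSTs on slides 29 and 30 represent, beside a rule that decides on the request itself. The flow records are constructed in the slides' notation (source.port -> dest.port [CON] METHOD uri) and reuse the slides' addresses and paths; the trailing benign request, the application's endpoint inventory and the webshell heuristic are assumptions.

```python
"""Decide: an address-by-address reactive block versus a rule keyed on attacker behaviour.

Added example for the "Attacker v. Automated Defense" slides (28-31); this is
not code from the original presentation. The flow records are constructed in
the slides' notation (source.port -> dest.port [CON] METHOD uri) and reuse the
slides' addresses and paths; the final benign request, the application's known
endpoint inventory and the webshell heuristic are assumptions.
"""
import re
from dataclasses import dataclass

FLOWS = [
    "11.11.11.11.34687 -> 99.99.99.99.80 CON POST /thumbs.php",
    "22.22.22.22.54632 -> 99.99.99.99.80 CON POST /thumbs.php",
    "33.33.33.33.4614 -> 99.99.99.99.80 POST /thumbs.php",
    "11.11.11.77.4693 -> 99.99.99.99.80 GET /image.php5",
    "11.11.11.77.4693 -> 99.99.99.99.80 POST /image.php5?Nfiles=1",
    "10.0.0.5.51000 -> 99.99.99.99.80 GET /index.php",  # constructed benign request
]

FLOW_RE = re.compile(
    r"^(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+) (?:CON )?(?P<method>[A-Z]+) (?P<uri>\S+)$"
)

# Assumed inventory of PHP handlers the application legitimately exposes.
KNOWN_ENDPOINTS = {"/index.php", "/wp-login.php", "/wp-admin/admin-ajax.php"}
PHP_HANDLER = re.compile(r"\.php\d?$", re.IGNORECASE)  # .php, .php5, ...


@dataclass(frozen=True)
class Request:
    sip: str
    sport: int
    dip: str
    dport: int
    method: str
    path: str
    query: str


def parse_flow(line):
    """Parse one record in the slides' notation; the CON marker is optional."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised flow record: {line!r}")
    path, _, query = m["uri"].partition("?")
    return Request(m["sip"], int(m["sport"]), m["dip"], int(m["dport"]), m["method"], path, query)


def is_webshell_like(req):
    """Behavioural indicator used by both plays: a POST to a PHP-style handler
    that is not in the application inventory (an uploaded file is being driven)."""
    return req.method == "POST" and bool(PHP_HANDLER.search(req.path)) and req.path not in KNOWN_ENDPOINTS


def reactive_ip_block(requests):
    """Play 1 (what slides 29-30 show): blocklist the source address after it is
    caught. Returns the requests that reached the server and the final blocklist.
    Every new address gets its first request through, so an attacker who rotates
    addresses is never actually stopped."""
    blocked, reached = set(), []
    for req in requests:
        if req.sip in blocked:
            continue  # the RST on the slides: address already blocked
        reached.append(req)
        if is_webshell_like(req):
            blocked.add(req.sip)
    return reached, blocked


def behaviour_block(requests):
    """Play 2: decide on the request, not on the address. Webshell-like POSTs
    never reach the server however many addresses are used; the addresses are
    still recorded so they can feed new alerts."""
    reached, alerts = [], []
    for req in requests:
        if is_webshell_like(req):
            alerts.append((req.sip, req.path))
        else:
            reached.append(req)
    return reached, alerts


if __name__ == "__main__":
    reqs = [parse_flow(line) for line in FLOWS]
    reached, blocked = reactive_ip_block(reqs)
    print(f"IP block: {len(reached)} of {len(reqs)} requests reached the server; blocked {sorted(blocked)}")
    reached, alerts = behaviour_block(reqs)
    print(f"Behaviour rule: {len(reached)} of {len(reqs)} reached the server; alerts {alerts}")
```

Run against the slides' records, the reactive blocklist ends up holding four addresses and still let every request through, because each address was used exactly once before it was reset. The behaviour rule stops all four POSTs and keeps the addresses as intelligence. Its remaining gap is visible too: the GET probe for /image.php5 still reaches the server, so a third play would alert on any request for a path absent from the inventory. Widening play 1 to the whole 11.11.11.0/24 after seeing two neighbours is the "acting without context" of slide 32 unless the intelligence supports it.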
Slide 32: OODA – Act
Data → Intelligence → Plan → Action → Response
Jumping from data straight to action is acting without context; jumping from intelligence to action is acting without preparation. Actions should always follow a plan.

Slide 33: OODA – Act: Nullify the threat
- Block IP addresses / hostnames / URLs
- Reset user / service account passwords, or disable an account
- Set up additional alerts to look for similar attacks

Slide 34: OODA – Act: Remediate
- Patch vulnerabilities
- Remove malicious files
- Restore from backups
- Initiate DRP / BCP

Slide 35: OODA – Act … and communicate

Slide 36: Communication
An extension of the Plan and Action phases of the OODA Loop. Proper communication can be a legal obligation.

Slide 37: Communication (escalation flowchart)
BYOD device: Analyst → Communication plan: notify user
High-profile device: Analyst → Manager (verify access) → Communication plan: notify data owner → CISO → Communication plan: notify user

Slide 38: OODA Loop
Observe, Orient, Decide, Act

Slide 39: Process Improvement Loop

Slide 40: Process Improvement Loop
Continuous. Depends on analysis from multiple sources. Improves overall security posture, not just incident response.

Slide 41: Process Improvement Loop (diagram)
Each Incident is handled by the OODA Loop and yields Incident Artifacts; together with Internal Assessment and External Sources these produce Intelligence and Insight, which feed three outputs: Discover (the Adversary), Strengthen (the Attack Surface), Enhance (Collection, Detection, Response).

Slide 42: Process Improvement Loop: three improvement vectors
- Discover your adversary
- Strengthen your attack surface
- Enhance your capabilities
Slide 43: Data Sources – Incident Artifacts
Type of attack; adversary tactics and objectives; indicators of compromise; impact; detection and response times

Slide 44: Data Sources – Internal Assessment
Identification of critical resources; vulnerability scan results; network topology maps; detection and collection test cases; incident response drill results

Slide 45: Data Sources – External Sources
Formal reports; social media and research sites (Twitter / Pastebin); mailing lists

Slide 46: Discover Your Adversaries
What are we after? What's useful for us to know?

Slide 47: Discover Your Adversaries
Clinton Barton performed a DDoS attack – Tuscaloosa, Alabama
Natasha Romanova launched a phishing campaign – St. Petersburg, Russia

Slide 48: Discover Your Adversaries (image-only slide)

Slide 49: Discover Your Adversaries
It can be useful to classify attacker groups in terms of objectives and capabilities to establish risk.

Slide 50: Discover Your Adversaries (image-only slide)

Slide 51: Discover Your Adversaries
“Pyramid of Pain”, David Bianco (indicators ordered by how costly they are for the adversary to change: hash values, IP addresses, domain names, network and host artifacts, tools, TTPs)

Slide 52: Discover Your Adversaries (image-only slide)

Slide 53: Discover Your Adversaries
“You have to have passion, because the guys on the other side of the keyboard are having a blast.”

Slide 54: Strengthen Your Attack Surface
Use intelligence to see which attacks affect your environment. Plan ways to prevent them.

Slide 55: Strengthen Your Attack Surface
December 2014
33.33.33.33.54926 -> 99.99.99.99.80 POST /wp-admin/admin-ajax.php
Injected spam content: “uk replica handbags replica watches replica handbags my replica watches any replica watches audemars piguet replica”

Slide 56: Strengthen Your Attack Surface
March 2015
44.44.44.44.7890 -> 99.99.99.99.80 POST /wp-admin/admin-ajax.php
Defacement text: “Hacked By Moh Ooasiic”

Slide 57: Strengthen Your Attack Surface
New policy: deny access to the “wp-admin” directory from the Internet.

Slide 58: Strengthen Your Attack Surface
Search results from Exploit DB (www.exploit-db.com):
Search for “wordpress” in exploit content: 1,108 results
Search for “wp-admin” in exploit content: 252 results
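A model of the slide 57 policy that can be tested before it is pushed to the web server, as an added example that is not part of the original presentation and not a description of how the presenter's server enforced it. The trusted address ranges, the sample requests and the optional admin-ajax.php exception are assumptions; the two attacker requests reuse the addresses and path from slides 55 and 56. The point a practitioner wants checked is that the deny rule survives encoding and dot-segment tricks, and that the exception many sites add for admin-ajax.php reopens exactly the request the slides show.

```python
"""Strengthen the attack surface: evaluate the "deny wp-admin from the Internet" policy.

Added example for the "Strengthen Your Attack Surface" slides (54-58); this is
not code from the original presentation, and it does not show how the
presenter's web server enforced the policy. The trusted address ranges, the
sample requests and the optional admin-ajax.php exception are assumptions; the
two attacker requests reuse the addresses and path from slides 55 and 56.
"""
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumed campus / VPN ranges that may still reach the admin tree.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# WordPress serves theme and plugin front-end AJAX through this file too, so a
# blanket deny can break public site features; this is the knob for that trade-off.
FRONTEND_AJAX = "/wp-admin/admin-ajax.php"


def normalize_path(raw_path):
    """Canonicalize before matching so that encoding and dot-segment tricks
    cannot slip past a literal prefix check: strip the query string, percent-decode
    twice (defeats double encoding), collapse '.', '..' and '//', fold case."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)  # never climbs above '/', so '/../wp-admin' -> '/wp-admin'
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops the trailing slash; keep it for directory requests
    return norm.lower()


def is_admin_path(path):
    """True for the wp-admin directory itself and everything below it."""
    return path == "/wp-admin" or path.startswith("/wp-admin/")


def decide(client_ip, raw_path, allow_frontend_ajax=False):
    """Return ('allow' | 'deny', reason) for one request under the slide 57 policy.
    Internal clients are untouched; external clients are denied the wp-admin tree,
    optionally except admin-ajax.php."""
    path = normalize_path(raw_path)
    if not is_admin_path(path):
        return "allow", "not under wp-admin"
    if any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return "allow", "trusted network"
    if allow_frontend_ajax and path == FRONTEND_AJAX:
        return "allow", "front-end ajax exception"
    return "deny", "wp-admin from the Internet"


if __name__ == "__main__":
    # Constructed requests; the first two are the attacker POSTs from slides 55 and 56.
    samples = [
        ("33.33.33.33", "/wp-admin/admin-ajax.php"),
        ("44.44.44.44", "/wp-admin/admin-ajax.php"),
        ("10.1.2.3", "/wp-admin/"),
        ("203.0.113.9", "/images/../wp-admin/plugin-install.php"),
        ("203.0.113.9", "/%252e%252e/wp-admin/"),
        ("203.0.113.9", "/WP-ADMIN"),
        ("203.0.113.9", "/index.php?p=/wp-admin/"),
    ]
    for ip, path in samples:
        print(f"{ip:>14} {path:<45} {decide(ip, path)}")
```

With the exception switched on, the December 2014 and March 2015 POSTs are allowed again, which is why the slide's policy has no exception: if a public feature depends on admin-ajax.php, that dependency has to be weighed against the two incidents. Two further caveats: the login form (wp-login.php) sits at the site root and is not covered by a wp-admin rule at all, and the function only models the rule; enforcement belongs in the web server or reverse proxy in front of WordPress, which must normalize the path the same way before matching.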
Slide 59: Improve Your Capabilities
“Buttercup4” vs. “Argus” / “ISMeta1”

Slides 60–61: Improve Your Capabilities (image-only slides)

Slide 62: Improve Your Capabilities
Incident Response: How to Fight Back. A SANS Survey written by Alissa Torres, August 2014

Slide 63: Improve Your Capabilities
“The most cited obstacle to effective IR processes was lack of time to practice response procedures.”

Slide 64: Improve Your Capabilities
“Lack of formal IR response plans and defined team structures were identified as detriments to efficient incident handling.”

Slide 65: Improve Your Capabilities
Remember these? Established collection and detection capabilities; defined incident response team; pre-defined incident response action plans

Slide 66: Improve Your Capabilities
A “lack of budget for tools and technologies” was also identified as a primary issue.

Slide 67: Decision Making (diagram)
Analyst (intelligence, insight) → Data Owner (awareness, decisions)

Slide 68: In Summary
OODA Loop; Process Improvement; Keep Moving Forward

Slide 69: Questions?
jreynolds@utdallas.edu

Slide 70: Many Thanks
Frode Hommedal, frodehommedal.no