Detect and Respond… Steps to preparing and responding to a breach (Jeff Lockwood, CISSP)


1 Detect and Respond… Steps to preparing and responding to a breach
Jeff Lockwood, CISSP

2 Purpose & Agenda
Educate on what we have today:
–Tools for Fools: all the monitoring capabilities we would want
–Skilled security resources
–Board-level awareness of data breaches
We are still in a struggle.
Goal: identify some steps and tools to assist in implementing Incident Response.

3 Some statistics
Verizon (VzW) Data Breach Investigations Report:
–79,790 security incidents
–2,122 data breaches
205: average number of days attackers had access to victims' environments before they were discovered.
31%: target companies who discovered the threat internally.
69% of victims learn from a third party that they are compromised.

4 What about this year
–1.1 million records
–80 million records
–850,000 records
–1 million emails
–25 million records
–Proprietary data exposed

5 What are they after
Hacker pricing for stolen credentials (Dell SecureWorks' Counter Threat Unit):
"Kitz": verified health insurance, SSN, bank account info/logins (account & routing numbers, account type), driver's license, full name, address, phone, etc., plus counterfeit physical documents and hardware related to the identity data in the package (e.g. credit cards, driver's license, insurance cards, etc.). Ranging between $1200 and $1300 per Kitz. Add $100–$500 for rush orders and other miscellaneous fees like wire transfer, escrow, etc.
"Fullz": if these records also include health insurance credentials for a US victim, they were negotiated for about $500 each, based on what was included: full names, addresses, phone numbers, e-mail addresses (with passwords), dates of birth, SSN or EIN, and one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track 2 data and any associated PINs).
Health insurance credentials: $20 each. They include names (more than one for spouse & family coverage), date(s) of birth, contract number, group number, type of plan (Individual/Group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims. Note: when there is a dental, vision, or chiropractic plan associated with the health plan, each of those was an additional $20.

6 What are they after
Fees for additional stolen credentials:
–US credit card with CVV code: $1–$2
–Non-US credit card with CVV: $2–$10
–Credit card with full track 2 and PIN: $5–$50
–Prestige credit cards (Platinum, Diamond, Black) with verified available balance: $20–$400*
–Online bank account, < $10K: $250–$1000*
–Compromised computer: $1–$100
–PayPal, verified balance: $20–$200*
–Game accounts (Steam, Minecraft, WoW, PSN, XBOX Live/Microsoft): $5–$1000**
–Skype account (premium): $1–$10
* Some hackers' prices are based on 4%–12% of verified current balance.
** Rare items are often "parted out" or fenced separately.

7 What do we do
–Detailed, step-by-step Incident Response Plan
–Analysis of insurance policies to determine coverage
–Legal counsel and key service providers "on speed dial"
–Government affairs/communications with regulators
–Readiness exercises that simulate an actual attack
–Business continuity planning
–Security audits of key vendors
–Litigation and regulatory preparedness

8 Mounting an Effective Response
–Policy and Procedures
–Communication Plan and Logistics
–Visibility
–Threat Intelligence
–Incident Response
–Metrics
–Automations

9 Incident Response Process
Source: NIST SP 800-61

10 Preparation
–What do we do based upon various types of incidents? (A BIA helps. Start with a policy.)
–When is the incident management team called?
–How can governmental agencies or law enforcement help?
–When do we involve law enforcement?
–What resources do we need to handle an incident?
–What shall we do to prevent or discourage incidents from occurring?
–Where on-site & off-site shall we keep the IRP?

11 Detection & Analysis
The organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner.
Proactive detection includes:
–Network Intrusion Detection/Prevention System (NIDS/NIPS)
–Host Intrusion Detection/Prevention System (HIDS/HIPS)
–Antivirus, endpoint security suite
–Security Information and Event Management (logs)
–Vulnerability/audit testing
–System baselines, sniffer
–Centralized Incident Management System: input from server and system logs; coordinates & correlates logs from many systems; tracks status of incidents to closure; get to root cause
Reactive detection: reports of unusual or suspicious activity.

12 Logs to Collect & Monitor
–Security Config: changes to security config; changes to network device config; change in privileges; change to files (system code/data)
–Authentication Failures: unauthorized accesses; new users; lockouts & expired password accounts
–Network Irregularity: unusual packets; blocked packets; transfer of sensitive data; outgoing IP address
–Log Issues: deleted logs; overflowing log files; clear/change log config
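As an added example (not part of the slide deck), a small Python triage script that applies the four log categories above to constructed syslog-style lines and escalates repeated authentication failures from one source; the host names, addresses, regexes and threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog-style sample, not from any real host.
SAMPLE_LOGS = """\
Mar 10 09:01:02 web01 sshd[2210]: Failed password for admin from 198.51.100.7 port 50122 ssh2
Mar 10 09:01:04 web01 sshd[2210]: Failed password for admin from 198.51.100.7 port 50123 ssh2
Mar 10 09:01:07 web01 sshd[2210]: Failed password for admin from 198.51.100.7 port 50124 ssh2
Mar 10 09:02:10 web01 useradd[2300]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup
Mar 10 09:02:40 web01 sudo: svc_backup : TTY=pts/1 ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc_backup
Mar 10 09:03:00 fw01 kernel: DROP IN=eth1 OUT= SRC=10.0.4.15 DST=203.0.113.9 PROTO=TCP DPT=4444
Mar 10 09:03:30 web01 sudo: svc_backup : TTY=pts/1 ; USER=root ; COMMAND=/usr/bin/truncate -s 0 /var/log/auth.log
Mar 10 09:04:00 web01 pam_tally2[2410]: user admin locked out
"""

# Slide-12 categories: each regex recognises one event type worth collecting.
RULES = [
    ("Authentication Failures", re.compile(r"Failed password for \S+ from \S+")),
    ("Authentication Failures", re.compile(r"user \S+ locked out")),
    ("Authentication Failures", re.compile(r"new user: name=\S+")),
    ("Security Config", re.compile(r"usermod -aG sudo \S+")),                 # privilege change
    ("Network Irregularity", re.compile(r"DROP .*SRC=\S+ DST=\S+ .*DPT=\d+")),  # blocked packet
    ("Log Issues", re.compile(r"(truncate|rm|shred) .*/var/log/\S+")),        # log tampering
]
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")


def classify(line):
    """Return (category, matched text) for the first rule that fires, or None for routine lines."""
    for category, pattern in RULES:
        m = pattern.search(line)
        if m:
            return category, m.group(0)
    return None


def triage(log_text, fail_threshold=3):
    """Bucket each line into its monitoring category; escalate repeated failures per (user, source)."""
    findings = defaultdict(list)
    failures = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue  # routine line: collected, but no finding
        category, detail = hit
        findings[category].append(detail)
        m = FAILED.search(line)
        if m:
            failures[m.groups()] += 1
    escalations = [f"{n} failed logins for {user} from {src}"
                   for (user, src), n in failures.items() if n >= fail_threshold]
    return dict(findings), escalations
```

Calling `triage(SAMPLE_LOGS)` returns the per-category findings plus one escalation for the three failed logins, which is the "know what is real" filter the Common Mistakes slide asks for.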

13 Containment, Eradication & Recovery
–Activate the Incident Response Team to contain the threat: IT/security, public relations, management, business
–Isolate the problem: disable server or network zone communication; disable user access; change firewall configurations to halt the connection
–Obtain & preserve evidence: chain of custody

14 Containment - Response
–Technical: collect data; analyze log files; obtain further technical assistance; deploy patches & workarounds
–Managerial: business impacts result in management intervention, notification, escalation, approval
–Legal: issues related to investigation, prosecution, liability, privacy, laws & regulation, nondisclosure

15 Eradication
–Determine how the attack occurred: who, when, how, and why? What is the impact & threat? What damage occurred?
–Remove the root cause: the initial vulnerability(s)
–Rebuild the system
–Talk to the ISP to get more information
–Perform vulnerability analysis
–Improve defenses with enhanced protection techniques
–Discuss recovery with management, who must make the decisions on handling that affects other areas of the business

16 Analysis
–What happened?
–Who was involved?
–What was the reason for the attack?
–Where did the attack originate from?
–When did the initial attack occur?
–How did it happen? What vulnerability enabled the attack?

17 Remove root cause
–If Admin or Root was compromised, rebuild the system
–Implement recent patches & recent antivirus
–Fortify defenses with enhanced security controls
–Change all passwords
–Retest with vulnerability analysis tools

18 Recovery
–Restore operations to normal
–Ensure that the restore is fully tested and operational

19 Common Mistakes
–Incident Response Plan treated as a checklist item (needs to be tailored)
–Plans are not tested
–No authority for the incident response team: need senior leadership ownership and buy-in
–Insufficient logging & too much logging: know what is real and what is not
–Improperly trained Incident Response Team: skills gap analysis
–Lack of documentation: before/during/after
–Getting containment confused with remediation: MTTI vs MTTR
–No one is really in charge
–NO AUTOMATION!!!!!!!

20 Questions

