Incident Management Evolution of Protection Implementing a Pro-Active Approach to Cybersecurity Benjamin Stephan, Director of Incident Management FishNet Security

Page 1: Title

Incident Management Evolution of Protection
Implementing a Pro-Active Approach to Cybersecurity
Benjamin Stephan, Director of Incident Management
FishNet Security

Page 2: Agenda

• Introduction
• Today’s Threat Landscape
• Incident Management Life Cycle
• Incident Management Framework
• Next Steps

Statistics in this presentation provided by Ponemon Institute Annual Study on Cyber Crime Costs.

Page 3: Cybercrime has become a high stakes game…

…and they are highly motivated to take your data…
• State sponsored
• Crime syndicates
• Hacktivists

…for a number of reasons:
• Financial Gain
• Industrial Espionage
• IP Theft
• Political motivation
• Botnet Services

Page 4: Threat Trends of 2011

The top trends related to a breach:
• Negligence
• Lack of CISO leadership
• Lack of external consulting support
• First time offense
• Lost or stolen device

Median annualized cost of cyber crime is $5.9 million per year, with a range of $1.5 million to $36.5 million each year (an increase of 56% over 2010).

Average per capita cost was $284 per enterprise seat. This varies by size of the organization, with smaller firms incurring a greater per capita cost of $1,008 on average versus larger organizations.

*Results provided by Ponemon study.

Page 5: Corporate Security Posture Related to Breach Cost

*SES: Security Effectiveness Score; developed by PGP Corporation and Ponemon Institute. The higher the score, the more effective an organization is at achieving security initiatives.

Page 6: Corporate Security Posture Related to Breach Cost

Page 7: What Are Your Challenges?

• Malicious traffic evading traditional perimeter security solutions
• Difficulty validating alerts and determining scope of incident
• Lack of endpoint visibility
• Lack of defined incident management and response processes
• Untested procedures and infrastructure
• Inability to respond to every alert
• Insufficient view of network traffic

Page 8: What Is The Impact?

• Difficult or impossible to truly understand and gauge risk
• Time to contain an event and return to a trusted state takes too long
• Overwhelmed with alerts
• Spend excessive time reducing false positives
• Incident response is time consuming, expensive and incomplete
• Potential loss of data
• No formalized operational procedures

Page 9: The Solution

How can you defend against the unknown?

How can your company protect its critical assets?

Page 10: Solution: Incident Life Cycle, IMF, Incident Workflow

Page 11: Incident Management Lifecycle

Lifecycle diagram with four phases and six steps:

Phases: Operational, Tactical, Reaction, Inoculation

Steps: Detect, Confirm, Triage, Contain, Remediate, Improve

Page 12: Incident Management Life Cycle

1. Operational
• Detect malicious traffic ‘on the wire’
• Identify symptoms of an attack via log analysis
• Confirm symptoms through automated and manual procedures
• Analyze 3rd party threat feeds
• Engage legal counsel
• Capture relevant malware artifacts

2. Tactical
• Validate findings against endpoint data
• Triage live systems based on symptomatic evidence
• Determine scope, uncover additional information
• Work with critical business units to determine risk potential
• Deploy targeted analytic solutions to further quantify attack profile
• Control the threat to extend investigation time

Page 13: Incident Management Life Cycle

3. Reaction
• Disconnect compromised systems or networks
• Cut C&C communication, kill active processes
• Escalate drastic containment procedures for authorization
• Defend sensitive and critical assets
• Engage 3rd party support as necessary
• Wipe all identified malware and related artifacts
• Schedule custom scans to mitigate secondary re-infection

4. Inoculation
• Update virus signatures where applicable
• Implement strong enterprise solutions
• Document findings and results
• Update policies and procedures to compensate for deficiencies
• Ensure management support of pro-active measures

Page 14: Incident Management Framework (IMF)

2011 has been inundated with cyber warfare attacks from across the globe. The attackers have become more and more aggressive and sophisticated.

In an effort to assist companies in defending against this onslaught of attacks, FishNet Security has architected an Incident Management Framework (IMF).

The IMF is a security framework based on the “best of breed” incident response controls outlined in many known security frameworks, such as ISO, ITIL, PCI and NIST.

Page 15: Incident Management Framework (IMF)

By providing companies with a baseline framework dedicated to incident management, an entity can:
• Minimize product costs through strategic enterprise solutions
• Mitigate risk exposure through effective operational controls
• Improve staff efficiency through better understanding of cyber threats
• Bridge the “gap” between “legal” and “IT”
• Implement advanced malware countermeasures to defend the corporate network

Page 16: Incident Management Framework (IMF)

1. Communication

Internal: When an incident occurs there must be defined escalation protocols to ensure the right individuals are communicated with and “kept in the loop”. Reporting an event can be one of the most important initial actions. There are laws that must be considered as well as public relations issues.

External: Companies must have established relationships with third party entities and law enforcement prior to an incident.

2. Collection

Acquisition: Electronically stored information (ESI) must be collected in a forensically sound manner.

Chain of Custody: Physical access to any collected information must be maintained at all times. Physical security controls must be implemented to ensure accurate accounting of physical access.

Data Retention: Policies must be defined as to how long ESI will be stored. Failure to define policies can lead to potential spoliation issues.
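The collection controls on this slide (forensically sound acquisition, chain of custody, retention) are stated as policy. The following added example, written for this page and not FishNet Security's or the IMF's own tooling, shows the minimal technical counterpart a responder keeps alongside that policy: hash every artifact at acquisition time, record each custody transfer in a log whose entries are hash-chained, and verify both before the evidence is relied on. The artifact bytes, file names and custodian names are constructed for the demonstration.

```python
"""Acquisition manifest plus hash-chained chain-of-custody log.

Added example, not FishNet Security's IMF tooling. Evidence contents,
file names and custodian names are constructed for the demonstration.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed "acquired" artifacts: name -> bytes. In practice these would be
# disk images, memory dumps or exported logs read from the collection media.
SAMPLE_EVIDENCE = {
    "web01-memory.raw": b"constructed memory image bytes",
    "web01-access.log": b'10.0.0.5 - - [12/Mar/2011] "GET /login HTTP/1.1" 200\n',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(evidence: dict, custodian: str, when: Optional[datetime] = None) -> dict:
    """Build the acquisition manifest: one entry per artifact with its hash and size."""
    when = when or datetime.now(timezone.utc)
    items = [{"name": name, "sha256": sha256_hex(data), "size": len(data)}
             for name, data in sorted(evidence.items())]
    return {"acquired_at": when.isoformat(), "acquired_by": custodian, "items": items}


def custody_entry(chain: list, action: str, actor: str, item: str, when: str) -> list:
    """Append a custody record. Each record commits to the previous record's
    hash, so deleting or rewriting an earlier transfer breaks the chain."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    body = {"when": when, "action": action, "actor": actor, "item": item, "prev": prev}
    body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    chain.append(body)
    return chain


def verify_evidence(manifest: dict, evidence: dict) -> list:
    """Names of artifacts that are missing or whose current hash differs from
    the manifest; an empty list means the evidence is as acquired."""
    bad = []
    for item in manifest["items"]:
        data = evidence.get(item["name"])
        if data is None or sha256_hex(data) != item["sha256"]:
            bad.append(item["name"])
    return bad


def verify_chain(chain: list) -> bool:
    """Recompute every entry hash and back-link; False if any record was
    altered, removed or inserted."""
    prev = "0" * 64
    for record in chain:
        body = {k: v for k, v in record.items() if k != "entry_hash"}
        if body["prev"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != record["entry_hash"]:
            return False
        prev = record["entry_hash"]
    return True


if __name__ == "__main__":
    manifest = acquire(SAMPLE_EVIDENCE, "analyst-1")
    log = custody_entry([], "acquired", "analyst-1", "web01-memory.raw", "2011-03-12T10:00:00+00:00")
    custody_entry(log, "transferred", "analyst-2", "web01-memory.raw", "2011-03-12T12:00:00+00:00")
    print("evidence intact:", verify_evidence(manifest, SAMPLE_EVIDENCE) == [])
    print("custody chain intact:", verify_chain(log))
```

The manifest and the custody log are what get handed to counsel with the evidence; the hashes let anyone later re-verify that what is in the evidence locker is what was collected, which is the technical half of the "forensically sound" requirement.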

Page 17: Incident Management Framework (IMF)

3. Analysis

Technical
• On the Host: suspicious hosts must be analyzed for malicious content, rogue file execution, compromise of sensitive data, etc.
• On the Wire: data traversing the network must be collected and analyzed to determine migration of viruses, transmission of sensitive data, anomalous packets, etc.

Operational
• One of the key aspects of investigating an incident is determining unauthorized versus authorized access. The majority of incidents will include illegitimate use of an authorized account. Example: a help desk user account accessing HR file shares.
• Logs play a key role in incident analysis. However, the quantity of information to be reviewed can be extremely large. A Security Information and Event Management (SIEM) system can help review the logs in a more efficient manner.
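An added example (not from the presentation or FishNet Security) of the "authorized account, unauthorized use" analysis this slide describes, run over a few constructed file-share access log lines: each event is checked against the role the account is supposed to hold, so a help desk account reading an HR payroll share is surfaced as a finding even though the login itself was valid. The log format, the role table, the host names and the share paths are all assumptions made for the demonstration; a SIEM would apply the same rule at scale.

```python
"""Separate authorized from unauthorized use of valid accounts in share logs.

Added example, not from the presentation. Log format, role table, hosts and
share paths are constructed for the demonstration.
"""
import re
from collections import Counter

# Constructed log lines. Assumed format: timestamp user src_host share action status
SAMPLE_LOG = r"""
2011-03-12T09:01:10Z helpdesk01 WKS-HD-01 \\fs01\it-tools READ OK
2011-03-12T09:02:44Z helpdesk01 WKS-HD-01 \\fs01\hr-payroll READ OK
2011-03-12T09:02:51Z helpdesk01 WKS-HD-01 \\fs01\hr-payroll COPY OK
2011-03-12T09:05:00Z jsmith WKS-HR-07 \\fs01\hr-payroll READ OK
2011-03-12T09:07:13Z svc-backup SRV-BK-01 \\fs01\hr-payroll READ OK
2011-03-12T09:09:30Z helpdesk01 WKS-ENG-22 \\fs01\finance-q1 READ DENIED
"""

# Constructed role model: the shares each role is authorized to touch.
ROLE_OF = {"helpdesk01": "helpdesk", "jsmith": "hr", "svc-backup": "backup"}
ALLOWED = {
    "helpdesk": {r"\\fs01\it-tools"},
    "hr": {r"\\fs01\hr-payroll"},
    "backup": {r"\\fs01\hr-payroll", r"\\fs01\finance-q1", r"\\fs01\it-tools"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<share>\S+) (?P<action>\S+) (?P<status>\S+)$"
)


def parse(log_text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def classify(event: dict) -> str:
    """'authorized', 'unauthorized' (valid account, share outside its role)
    or 'unknown-account' (no role on file, which is itself a finding)."""
    role = ROLE_OF.get(event["user"])
    if role is None:
        return "unknown-account"
    return "authorized" if event["share"] in ALLOWED[role] else "unauthorized"


def triage(log_text: str):
    """Return (findings, per-account finding counts). DENIED attempts are kept:
    a denied access to an out-of-role share still shows intent and scope."""
    findings = []
    per_user = Counter()
    for event in parse(log_text):
        verdict = classify(event)
        if verdict != "authorized":
            findings.append({**event, "verdict": verdict})
            per_user[event["user"]] += 1
    return findings, per_user


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["user"], f["host"], f["share"], f["action"], f["status"], "->", f["verdict"])
    print("findings per account:", dict(counts))
```

The role table is the piece that makes this an incident-analysis rule rather than a plain grep: the logins are all successful, so only the mismatch between account purpose and the data touched distinguishes the help desk account's HR reads from the HR user's identical reads.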

Page 18: Incident Management Framework (IMF)

4. Containment

Prepare action plans for known “potential” threats. The plans must cite the situation or incident and then outline how the response team will react.

Example:
Situation: a service account is compromised and is transferring sensitive information out of the network.
Reaction:
– Capture sensitive data traversing the network
– Identify the role of the service account
– Reset the password for the account or disable it
– Disconnect infected devices from the network
– Quantify the data exfiltrated from the network
– Work with legal regarding notification processes
– Execute analysis procedures
– Execute cleanup procedures

Page 19: Incident Management Framework (IMF)

5. Mitigation

Remediation
• Analyze the results of an investigation to determine what is required to clean up the results of the infection.
• Use 3rd party providers to identify vulnerabilities and help mitigate the risk of secondary infection.

Prevention
• Conduct a “post mortem analysis” of all investigations. Learn what went wrong and how it can be prevented in the future.
• Create a robust and repeatable process for vulnerability management.

Testing
• Develop and execute regular “table top” exercises to test the company’s ability to respond to an incident. Leverage hot, warm, and cold testing procedures.

Page 20: Incident Management Framework (IMF)

6. Legal Counsel

Litigation Hold: Ensure plans are in place to disseminate, execute, and validate litigation holds.

Request for Discovery: Preparing an “ESI Profile” will significantly help minimize the impact of fulfilling requests for discovery.

Liability: Work with internal and external counsel to ensure:
• Notification laws are met
• Non-disclosure agreements are fulfilled
• Service level agreements are accurately defined

7. Immediate Response

Active: ensure there are accurate and up to date procedures in place to react to an incident.

Passive: engage third party entities to provide immediate incident response support where needed. Classify sensitive data to ensure critical information is protected.

Page 21: Incident Management Framework (IMF)

8. Documentation

Formal Plan: All companies must have a formal Incident Management program in place. The program will outline the entity’s strategy regarding incident response and prevention. The plan must have full support of top level management.

Procedures: There must be formal and documented procedures that outline how employees are to respond in an incident. Procedures must be reviewed at least annually and kept up to date and in line with actual practices.

Roles and Responsibilities: A formal emergency response team must be defined. The team must include both active players as well as key business stakeholders.

Page 22: Incident Management Workflow

Incident Management Life Cycle + Incident Management Framework = Incident Management Workflow

Page 23: Incident Response Workflow

[Swimlane diagram. Phases across the top: Operational, Tactical, Reaction, Inoculation. Lanes: Detection, Assignment, Validation, Evidence of Control, Investigation, Post Event Mitigation, Ticketing Solution. The nodes below are recovered from the diagram in extraction order; the connecting arrows are not recoverable.]

• Event is assigned to C-SIRT Investigator
• Contact C-SIRT Management
• Analysis
• Litigation Request Occurs
• Collection of Evidence
• Review Reported Event
• Create Chain of Custody
• Event Validated
• SIEM Event, Help Desk, System Alert, User Complaint, FireEye Alert
• Legal Counsel is Consulted
• Triage Suspected Devices
• Event Contained
• False Positive
• Additional Devices Identified
• Infected Devices Cleaned
• Create Targeted Rescan
• Document Analysis Results
• Conduct Random Sample to Validate
• Containment
• Creation of Ticket, Assignment to C-SIRT
• Upgrade Security Controls
• Document Containment Measures
• Present Results to Legal
• Assignment to C-SIRT Investigator
• Initiate Containment Tickets
• Finalize Incident Ticket with Results of Investigation
• Post Mortem C-SIRT Meeting

Page 24: Attack Scenarios

Page 25: Scenario #1

Page 26: Web Server Compromise & Pivot

[Diagram: Attacker; Website; Root Kit uploaded using SQL injection]

Page 27: Root Kit

Page 28: Reverse Proxy

[Diagram: Reverse Proxy installed on server using Root Kit; Attacker RDP traffic]

Page 29: Scenario #2

Page 30: Online Banking Fraud

[Diagram: Attacker; Website; SQL injection exploit to embed XSS code]

Page 31: Online Banking Fraud

[Diagram: Consumers; Victimized Site with Embedded XSS; Hacker Site; Keylogger]

Page 32: Online Banking Fraud

[Diagram: Attacker; Consumers; Online Banking]

Online banking credentials sent to hacker. Hacker logs into online banking site and creates fraudulent transactions.

Page 33: Scenario #3

Page 34: POS Keylogger

[Diagram: Back Office; Processor; Internet; POS Server]

Page 35: POS Keylogger

[Diagram: Internet; Back Office; POS Server]

• Hacker used global remote credentials to access environment.
• Keylogger installed on each POS device. Card swipe readers send PAN via standard keyboard I/O.
• Reseller / Integrator uses global accounts to provide tech support.
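The POS scenario above turns on card swipe readers sending the PAN through ordinary keyboard I/O, and the containment plan on page 18 calls for quantifying the data exfiltrated. The following added example (not part of the presentation or FishNet Security's tooling) shows the scoping step a responder runs over a recovered keystroke capture: find card-number-shaped digit runs, keep only those that pass the Luhn check so ordinary numbers are not counted, and report them masked and de-duplicated so the exposure count can go to legal and the processor without re-spreading card data. The capture is constructed and uses well-known test card numbers, not real accounts.

```python
"""Scope card-data exposure from a recovered keystroke capture.

Added example, not from the presentation. The capture below is constructed
and contains only well-known test card numbers.
"""
import re
from collections import Counter

# Constructed capture: what a keyboard-wedge swipe reader "types" (PAN then
# expiry), interleaved with ordinary cashier keystrokes.
SAMPLE_CAPTURE = (
    "4111111111111111 2504\n"   # reader output: test PAN and expiry
    "item 12345 qty 2\n"        # ordinary cashier keystrokes
    "5500000000000004 2504\n"   # second test PAN
    "4111 1111 1111 1111\n"     # first card again, keyed manually with spaces
    "1234567890123456\n"        # 16 digits but fails the Luhn check
)

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four, as a PCI-style masked PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scope_exposure(capture: str):
    """Return (Counter of masked PAN -> occurrences, number of candidates
    rejected by Luhn). Unique keys in the Counter give the exposed-card count."""
    hits = Counter()
    rejected = 0
    for match in DIGIT_RUN.finditer(capture):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            hits[mask(digits)] += 1
        else:
            rejected += 1
    return hits, rejected


if __name__ == "__main__":
    exposed, noise = scope_exposure(SAMPLE_CAPTURE)
    print("unique cards exposed:", len(exposed))
    for masked_pan, count in exposed.items():
        print(masked_pan, "seen", count, "times")
    print("digit runs rejected by Luhn:", noise)
```

The Luhn filter and the duplicate-collapsing are what turn a raw keystroke dump into a defensible number: the 16-digit order reference is excluded, and the same card keyed twice counts as one exposed account.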

Page 36: ROI on Cyber Defense

[Diagram comparing two timelines on a time/cost axis.
BEFORE: 1st instance of threat → Saturation → Detection → Containment.
AFTER: 1st instance of threat → Detection → Containment.
Axes and labels: Time/cost; Resources; Uncompromised endpoints; Scope of compromise.]

• Early exposure of known unknown
• Rapid response
• Fewer required resources
• Rapid remediation

Page 37: ROI on Cyber Defense (Statistics)

The time from the point of detection to containment is referred to as the “Return To Trusted State” (RTTS).
• Average RTTS in 2011 was 18 days (an increase of 4 days over 2010)
• Average cost of $413,784 per event or $22,896 per day (an increase of 67% over 2010)

The threats range in difficulty to contain (average RTTS):
• Malicious Insider = 45.5 days to contain
• Malicious Code = 41.6 days to contain
• Web-based attacks = 23.5 days to contain
• DOS/DDOS = 13.1 days to contain
• Stolen Devices = 10.7 days to contain

Page 38: ROI on Cyber Defense (Statistics)

Page 39: Defining YOUR Plan

What are your next steps?

ACT NOW!
• Plan for an attack on your network.
• Implement enterprise grade products in your organization.
• Implement a strong security framework.

DEFEND YOUR NETWORK!

Page 40: Questions

Page 41: Thank You

Benjamin Stephan
Director, Incident Management
FishNet Security
[email protected]