Incident Response… Be prepared for “not if” but “when” it happens.
James Campbell
www.pwc.co.uk
PwC 2
Agenda
1 Threat Recap
2 Reality and Models
3 Response Components
4 Practical Defence
Who is attacking?
• Espionage
• Hacktivism
• Organised Crime
• Terrorism/Sabotage
• Insiders
• Tools and Techniques
Reality Check
IR Models: NIST 800-61
IR Models: ISO/IEC 27035:2011 Information technology Security techniques — Information security incident management
• Plan and prepare: establish an information security incident management policy, form an Incident Response Team;
• Detection and reporting: someone has to spot and report “events” that might be or turn into incidents;
• Assessment and decision: someone must assess the situation to determine whether it is in fact an incident;
• Responses: contain, eradicate, recover from and forensically analyse the incident, where appropriate;
• Lessons learnt: make systematic improvements to the organisation’s management of information security risks as a consequence of incidents experienced.
IR Models: Response Components
Detection
• Intrusion Detection, Analysis and Discovery
• Network Monitoring
• Host Monitoring
• Centralised Log File Analysis
• Physical Factors
• Signature Development
Triage
• Making sense of alerts
• Prioritisation
• Visibility of External and Internal Influences
• Business Operations Visibility
• Further analysis needed?
• Data Enrichment
Response
• Communications Plan
• Response Coordination
• Response Escalation Plan
• Forensic Response and Readiness
• Initial Reporting and Awareness
• Investigation
Mitigation
• Tactical and Strategic mitigations
• Long term or short term
• Accessibility and actions required
• Mitigation vs Isolation vs Business Impact
• Mitigation Deployment Plan
• Resource Coordination
• Mitigation verification
Threat Intelligence
• Threats Against an Organisation
• Threat Actor Knowledge: APT, Hacktivists, Crime, Insider, Corporate Espionage
• Tools, Techniques and Procedures
• Messaging and Education
Triage, Risk and Scope
Triage, what are you trying to answer… Key Questions
• How was the incident identified?
• Is it an incident?
• When did the incident occur?
• What is compromised?
• Who is compromised?
• How did the compromise happen?
• Who is the suspected threat actor? Internal, APT, Terrorism, Hacktivism, Crime
• Was it targeted or non-targeted?
• Has anyone taken initial steps or actions?
Triage, Risk and Scope…
Understand the risks, key questions…
• What are the critical elements and systems required to stay operational?
• What are the critical information assets?
• What are your worst fears?
Scoping: in order to scope you need to know your organisation in detail.
• What do your operational systems look like?
• What does your network look like?
• How geographically dispersed are you?
• Are there data privacy considerations, or evidential considerations?
• What in-house resources do you have, technology and/or people?
• What is the appetite to monitor vs mitigate?
Communications, Coordination
Coordination
• Roles and Responsibilities
• Set and agree objectives and goals early on
• Ensure you have access to the necessary resources…
Beyond the typical incident
• Crisis management, legal, media monitoring
• Alerting and/or reporting obligations to regulators and law enforcement
• Alerting stakeholders, such as customers or business partnerships
Communications
• Agreed communications methods, out-of-band options?
• Agreed escalation paths, in/out of hours
• Communications frequency
• Communication audience (what and when to communicate)
Poor Communication = Failure
Effective Incident Response
[Chart: duration of compromise (Day, Week, Month, Year) against remediation approach, Rolling Remediation vs Surgical Strike; the longer the compromise, the higher the risk]
• What wave of compromise are you in?
• How long have the attackers been in your environment?
• How regularly do they access it?
• How deeply are they entrenched?
• How have you been communicating about remediation?
• Has data already been exfiltrated?
Let's go Tactical: Detection, Isolation and Mitigation vs Business Impact
Detection
• What don’t we know, and how can we find out?
• What don’t we have visibility of, and how can we improve this?
• Increased host-based logging (event logs run out quickly!)
• Central logging and capture, host/network
Isolation
• Isolate critical systems and/or information
• Segregation and security enhancement
Mitigation (quick wins, but only after consideration)
• Initial blocking of C2
• Resetting passwords
• Deploying updated AV signatures, covering the malware family
Time to Investigate
Going Strategic
• Enhance network visibility; consolidate egress points where cost and performance benefits can be realised.
• Continue to identify any remaining vulnerabilities through internal and external penetration testing.
• Conduct a forensic and crisis readiness review
• Consider implementing application whitelisting across the entire network
• Further centralise and enhance logging capability
• Subscribe to threat intelligence services
• Consider segmentation of sensitive areas
• Executive and user education and awareness campaign
• Further technical controls
Bring it all together now… Prepare, Test and Repeat!
[Diagram: incident components across the pre-incident and incident phases: forensic and crisis readiness; incident policy & playbook development]
Bring it all together now… Incident Response KPIs
[Timeline diagram]
EVENT: Threat actor establishes access to environment.
DETECTION: Triage alert & confirm incident.
REPORTING: Document facts and containment approach.
CONTAINMENT: Removing access and actor.
REMEDIATION: Fully address the root cause of the issue.
KPIs measured along the timeline: Dwell time, Containment time, Remediation time.
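As an added example (not part of the deck), a small Python helper that computes the three KPIs named on this slide from an incident timeline and places dwell time on the Day/Week/Month/Year scale from the "Effective Incident Response" slide. It assumes dwell time runs from EVENT to DETECTION, containment time from DETECTION to CONTAINMENT and remediation time from CONTAINMENT to REMEDIATION; the incident data is constructed.

```python
"""IR KPIs over the timeline EVENT -> DETECTION -> CONTAINMENT -> REMEDIATION."""
from datetime import datetime
from statistics import median
PHASES = ("event", "detection", "containment", "remediation")  # slide order

def parse_timeline(records):
    """{phase: 'YYYY-MM-DD HH:MM'} -> {phase: datetime}, rejecting out-of-order phases."""
    tl = {p: datetime.strptime(s, "%Y-%m-%d %H:%M") for p, s in records.items()}
    if "event" not in tl:
        raise ValueError("a timeline needs at least the initial event")
    stamps = [tl[p] for p in PHASES if p in tl]
    if stamps != sorted(stamps):
        raise ValueError("phases must not go backwards in time")
    return tl

def kpis_hours(tl):
    """Dwell, containment and remediation time in hours; None if that phase is not reached."""
    def span(start, end):
        ok = start in tl and end in tl
        return (tl[end] - tl[start]).total_seconds() / 3600 if ok else None
    return {"dwell": span("event", "detection"),
            "containment": span("detection", "containment"),
            "remediation": span("containment", "remediation")}

def compromise_bucket(dwell_hours):
    """Place dwell time on the deck's Day/Week/Month/Year scale (longer = higher risk)."""
    if dwell_hours is None:
        return "unknown"
    for name, limit in (("day", 24), ("week", 7 * 24), ("month", 31 * 24)):
        if dwell_hours <= limit:
            return name
    return "year"

def summarise(incidents):
    """Median of each KPI across incidents, skipping phases not yet reached."""
    rows = [kpis_hours(parse_timeline(r)) for r in incidents]
    out = {}
    for key in ("dwell", "containment", "remediation"):
        values = [row[key] for row in rows if row[key] is not None]
        out[key] = median(values) if values else None
    return out

# Constructed sample incidents; the second is still open (contained, not yet remediated).
INCIDENTS = [
    {"event": "2015-01-05 09:00", "detection": "2015-03-20 14:00",
     "containment": "2015-03-22 10:00", "remediation": "2015-04-15 17:00"},
    {"event": "2015-06-01 08:00", "detection": "2015-06-01 20:30",
     "containment": "2015-06-02 09:00"},
]
```

Run `summarise(INCIDENTS)` to get median hours per KPI; an open incident contributes to dwell and containment time but leaves remediation time unknown rather than guessed.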
Practical defence, prevention is better than cure…
• Build incident response ‘muscle-memory’ and prepare
• Use what’s free to limit exploits and unauthorised execution
• Limit privileges
• Leverage your endpoints
• Increase your visibility
• Harden your domain controllers
Questions…
[email protected] @SomeIRguy
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.