CYBER SECURITY INCIDENT RESPONSE TEAM BY BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
About me: Candan BÖLÜKBAŞ
• about.me/bolukbas
• METU Computer Eng.
• CCNA, CCNP, CEH, ITIL, MCP
• Enterprise Security Services Manager
• 7-year .Net & Obj-C Developer
• T.C. Cumhurbaşkanlığı (Presidency of the Republic of Turkey) Network & Security Admin
• [email protected]
• @candanbolukbas
Agenda
• Introduction
• Cyber attacks in the world
• CSIRT statistics from USA & UK
• CSIRT efficiency measurement
• Best practices for creating a CSIRT
• Conclusion & recommendations
• Questions
Challenges that today's security organizations have to deal with:
• Malware campaigns launched by organized criminal groups who look to steal information that can be sold on the black market
• Increasingly powerful distributed denial-of-service (DDoS) attacks that can take out large websites
• State-sponsored espionage that can penetrate even well-defended networks
As attacks have become more sophisticated, the need for Computer Security Incident Response Teams (CSIRTs) has grown. Threats a CSIRT has to handle include:
• Botnets
• Distributed denial-of-service (DDoS) attacks
• Insider threats
• Advanced persistent threats (APTs)
What Are the Questions?
• What are the basic requirements for establishing a CSIRT?
• What type of CSIRT will be needed?
• What type of services should be offered?
• How big should the CSIRT be?
• Where should the CSIRT be located in the organization?
• How much will it cost to implement and support a team?
• What are the initial steps to follow to create a CSIRT?
What Are Some Best Practices for Creating a CSIRT?
• Step 1: Obtain management support and buy-in
• Step 2: Determine the CSIRT strategic plan
• Step 3: Gather relevant information
• Step 4: Design the CSIRT vision
• Step 5: Communicate the CSIRT vision and operational plan
• Step 6: Begin CSIRT implementation
• Step 7: Announce the operational CSIRT
• Step 8: Evaluate CSIRT effectiveness
Step 1: Obtain Management Support and Buy-In
• Management support means executive and business or department managers and their staff committing time to participate in the planning process; their input is essential during the design effort.
• Along with obtaining management support for the planning and implementation process, it is equally important to get management commitment to sustain CSIRT operations and authority for the long term.
• It is important to elicit management's expectations and perceptions of the CSIRT's function and responsibilities.
[Chart: What percentage of your organization's security budget is allocated to incident response? Answer categories: more than 50%, 41% to 50%, 31% to 40%, 21% to 30%, 10% to 20%, less than 10%. Response shares shown in the chart: 1%, 2%, 5%, 11%, 31%, 50%.]
Step 2: Determine the CSIRT Development Strategic Plan
• Are there specific time frames to be met? Are they realistic, and if not, can they be changed?
• Is there a project group? Where do the group members come from? You want to ensure that all stakeholders are represented.
• How do you let the organization know about the development of the CSIRT?
• If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?
Step 3: Gather Relevant Information
The stakeholders could include but are not limited to:
• Business managers
• Representatives from IT
• Representatives from the legal department
• Representatives from human resources
• Representatives from public relations
• Any existing security groups, including physical security
• Audit and risk management specialists
• General representatives from the constituency
Step 4: Design Your CSIRT Vision
In creating your vision, you should:
• Identify your constituency. Who does the CSIRT support and serve?
• Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified constituency?
• Select the CSIRT services to provide to the constituency (or others). How does the CSIRT support its mission?
• Determine the organizational model. How is the CSIRT structured and organized?
• Identify required resources. What staff, equipment, and infrastructure are needed to operate the CSIRT?
• Determine your CSIRT funding. How is the CSIRT funded for its initial startup and its long-term maintenance and growth?
Step 5: Communicate the CSIRT Vision
• Communicate the CSIRT vision and operational plan to management, your constituency, and others who need to know and understand its operations.
• Make adjustments to the plan based on their feedback.
• Communicating your vision in advance can help identify process or organizational problems before implementation.
• It is a way to let people know what is coming and allow them to provide input into CSIRT development. This is a way to begin marketing the CSIRT to the constituency and gaining the needed buy-in from all organizational levels.
Step 6: Begin CSIRT Implementation
Once management and constituency buy-in is obtained for the vision, begin the implementation:
• Hire and train initial CSIRT staff.
• Buy equipment and build any necessary network infrastructure to support the team.
• Develop the initial set of CSIRT policies and procedures to support your services.
• Define the specifications for and build your incident-tracking system.
• Develop incident-reporting guidelines and forms for your constituency.
[Chart: How many team members are fully dedicated to CSIRT? Answer categories: 0, 1, 2-5, 5-10, 10+. Response shares shown in the chart: 45%, 28%, 14%, 11%, 2%.]
Step 7: Announce the CSIRT
• When the CSIRT is operational, announce it broadly to the constituency or parent organization.
• Include the contact information and hours of operation for the CSIRT in the announcement.
• You may also want to develop information to publicize the CSIRT, such as a simple flyer or brochure outlining the CSIRT mission and services.
Step 8: Evaluate the Effectiveness of the CSIRT
Information on effectiveness can be gathered through a variety of feedback mechanisms, including:
• Benchmarking against other CSIRTs
• General discussions with constituency representatives
• Evaluation surveys distributed to constituency members on a periodic basis
• Creation of a set of criteria or quality parameters
• Comparison with the team's published Expectations for Computer Security Incident Response (RFC 2350)
• Remember that patience can be a key!
How long it takes to respond
[Chart: Approximate average MTTI, MTTK, MTTF and MTTV experienced by organizations in recent incidents]
• MTTI: mean time to identify
• MTTK: mean time to know
• MTTF: mean time to fix
• MTTV: mean time to verify
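The four means above are the operational metrics the conclusion slide asks for. As an added example (not part of the original deck and not the survey's own methodology), the script below computes them from per-incident timestamps. The phase boundaries (occurred -> identified -> known -> fixed -> verified), the record format and the sample incidents are all assumptions constructed for illustration; an incident that has not reached a phase contributes nothing to that phase's mean, and a timestamp that goes backwards is rejected rather than silently producing a negative duration.

```python
"""Compute MTTI, MTTK, MTTF and MTTV from a list of incident records.

Phase boundaries assumed here (they are not defined on the slide):
  MTTI: occurred   -> identified  (attacker activity began -> the team noticed)
  MTTK: identified -> known       (noticed -> root cause and scope understood)
  MTTF: known      -> fixed       (understood -> remediation applied)
  MTTV: fixed      -> verified    (remediation applied -> confirmed effective)
"""
from datetime import datetime, timezone
from statistics import mean

PHASES = (
    ("MTTI", "occurred", "identified"),
    ("MTTK", "identified", "known"),
    ("MTTF", "known", "fixed"),
    ("MTTV", "fixed", "verified"),
)


def parse_ts(value):
    """ISO-8601 string -> timezone-aware datetime; None means phase not reached."""
    if value is None:
        return None
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat naive timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def phase_hours(record):
    """Return {phase_name: hours} for every phase this incident has completed."""
    stamps = {key: parse_ts(record.get(key)) for _, a, b in PHASES for key in (a, b)}
    out = {}
    for name, start, end in PHASES:
        if stamps[start] is None or stamps[end] is None:
            continue  # phase not reached yet: excluded from this phase's mean
        hours = (stamps[end] - stamps[start]).total_seconds() / 3600
        if hours < 0:
            raise ValueError(f"{record['id']}: '{end}' precedes '{start}'")
        out[name] = hours
    return out


def mean_times(records):
    """Mean hours per phase over the incidents that completed that phase.

    A phase no incident has completed is reported as None, not 0.
    """
    buckets = {name: [] for name, _, _ in PHASES}
    for rec in records:
        for name, hours in phase_hours(rec).items():
            buckets[name].append(hours)
    return {name: (round(mean(v), 2) if v else None) for name, v in buckets.items()}


# Constructed sample incidents (hypothetical data, not from the survey).
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "occurred": "2014-03-01T08:00:00Z", "identified": "2014-03-02T08:00:00Z",
     "known": "2014-03-02T20:00:00Z", "fixed": "2014-03-03T02:00:00Z",
     "verified": "2014-03-03T08:00:00Z"},
    {"id": "INC-2", "occurred": "2014-03-10T00:00:00Z", "identified": "2014-03-12T00:00:00Z",
     "known": "2014-03-12T12:00:00Z", "fixed": "2014-03-13T00:00:00Z",
     "verified": None},  # fix applied, not yet verified
]

if __name__ == "__main__":
    for name, hours in mean_times(SAMPLE_INCIDENTS).items():
        print(f"{name}: {hours} h")
```

Reporting the number of incidents behind each mean alongside the value is worth adding in practice; a mean over two incidents says far less than one over two hundred, and a long tail (one incident identified months late) moves MTTI far more than it moves the median.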
[Chart: Most effective security tools for detecting security breaches. Tools listed: anti-virus; IP reputation & threat feed services; intrusion prevention/detection systems; SIEM; analysis of NetFlow or packet captures. Response shares shown in the chart: 80%, 76%, 67%, 65%, 56%.]
CSIRT services (CERT/CC service categories)
Reactive Services
• Alerts and Warnings
• Incident Handling: incident analysis (forensic & tracking), incident response on site, incident response support, incident response coordination
• Vulnerability Handling: vulnerability analysis, vulnerability response, vulnerability response coordination
• Artifact Handling: artifact analysis, artifact response, artifact response coordination
Proactive Services
• Announcements
• Technology Watch
• Security Audits or Assessments (scan & pentest)
• Configuration and Maintenance of Security Tools, Applications, and Infrastructures
• Development of Security Tools
• Intrusion Detection Services
• Security-Related Information Dissemination
Security Quality Management Services
• Risk Analysis
• Business Continuity and Disaster Recovery Planning
• Security Consulting
• Awareness Building
• Education/Training
• Product Evaluation or Certification
Conclusion & Recommendations
• Make it a priority to build an incident response team consisting of experienced, full-time members
• Assess the readiness of incident response team members on an ongoing basis
• Create clearly defined rules of engagement for the incident response team
• Translate the results of these measures into user-friendly business communications
• Involve multi-disciplinary areas of the organization in the incident response process
• Invest in technologies that support the collection of information to identify potential threats
• Consider sharing threat indicators with third-party organizations to foster collaboration
• Have meaningful operational metrics to gauge the overall effectiveness of incident response
References
[1] West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response Teams (CSIRTs) (CMU/SEI-98-HB-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1998. Note that this document was superseded by the 2nd edition (CMU/SEI-2003-HB-002), published in April 2003.
[2] Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001 (ISBN: 3-8311-0059-4).
[3] Kossakowski, Klaus-Peter & Stikvoort, Don. A Trusted CSIRT Introducer in Europe. Amersfoort, Netherlands: M&I/Stelvio, February 2000.
[4] Exposing One of China's Cyber Espionage Units. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
[5] M-Trends® 2013: Attack the Security Gap. http://pages.fireeye.com/MF0D0O0PDVp6y106k0TI0B3
[6] M-Trends® 2011: When Prevention Fails. http://www.mandiant.com/assets/PDF_MTrends_2011.pdf
[7] M-Trends® 2012: An Evolving Threat. http://www.mandiant.com/assets/PDF_MTrends_2012.pdf
[8] Cyber Security Incident Response 2014. http://www.lancope.com/files/documents/Industry-Reports/Lancope-Ponemon-Report-Cyber-Security-Incident-Response.pdf
[9] Create a CSIRT. https://www.cert.org/incident-management/products-services/creating-a-csirt.cfm
[10] CSIRT Services list from CERT/CC. https://www.enisa.europa.eu/activities/cert/support/guide/appendix/csirt-services
Questions