Incident Response 101: You've been hacked, now what?


Slide 1: Incident Response 101: You've been hacked, now what?
Gary Perkins, MBA, CISSP
Chief Information Security Officer (CISO), Information Security Branch, Government of British Columbia

Slide 2: Agenda
- threat landscape
- threat actors
- attack vectors
- incident response: preparation, identification, containment, eradication, recovery, lessons learned
- next steps

Slide 3: Threat Landscape
Attacks are more:
- frequent
- targeted
- well-resourced
- financially motivated
- persistent
- undetected
Breach examples shown on the slide:
- LivingSocial
- 145 million records stolen due to weak employee credentials
- 70 million records stolen due to weakness in supply chain security
- 152 million passwords exposed due to poor security practices
- 50 million users' personal information compromised

Slide 5: Threat Actors
- insiders
- nation-states
- cyberterrorists
- executives
- hacktivists
- script kiddies
- partners
- competitors
- fraudsters
- organized crime
- intelligence agencies
- dinosaurs
- political parties
- employees (intentional)
- ex-employees
- employees (unintentional)
- students
- contractors

Slide 7: "My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts."

Slide 9: Attack Vectors/Methods
- zero-day exploits
- cross-site scripting
- malformed packets
- social media
- weak passwords
- malware
- SQL injection
- buffer overflows
- SYN floods
- vulnerabilities
- botnets
- phishing
- social engineering
- DNS poisoning
- misconfiguration
- escalation of privileges
- wireless
- executive spearphishing
- backdoors
- waterholing
- mobile apps
- removable media, USB
- supply chain, partners
- malvertising
- distributed denial of service (DDoS)
- web apps

Slide 10: Attacks for Hire
- Distributed Denial of Service (DDoS): a volumetric attack exceeds available bandwidth and disrupts service

Slide 13: Recent Phishing Example: South Korea

Slide 14: Attack Scenario (diagram; only the labels survive)
- Internet, A-Team, B-Team, Enterprise Network
- Stage 0: Infection
- Stage 1: Intermediates
- Stage 2: Relays
- Stage 3: Exfiltration

Slide 15: "There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don't know it." (Gartner, Inc., 2012)
"Organizations face an evolving threat scenario that they are ill-prepared to deal with." (Gartner, Best Practices for Mitigating Advanced Persistent Threats, January 2012)

Slide 17: PICERL
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned

Slide 18: "No battle plan survives contact with the enemy." (Colin Powell, Napoleon, Helmuth von Moltke, George Patton)

Slide 19: Preparation
- build a security incident response plan
  - establish mandate and executive buy-in
  - identify roles and responsibilities
  - incorporate job aids and templates
- build a security incident response team: dedicated, virtual, or outsourced
- invest in the team: training and other career development
- acquire the tools necessary to be successful
- test the plan, team, and tools: table-top exercises, drills, minor events
- engage and communicate with other stakeholder teams as needed

Slide 20: Preparation (cont'd)
Roles and responsibilities:
- incident commander
- note-taking
- communications
- law enforcement, intelligence communities
- legal
- privacy
- forensics
- vendors

Slide 21: Preparation (cont'd)
Jump bag/kit:
- documentation: contact lists
- camera, memo recorder
- media: USB, hard drive, blank media
- write-blocker
- live CDs, software tools
- hardware toolkit: cables, dongles, adapters
- spare batteries

Slide 22: Identification
- capture the definition of incidents in the incident response plan
  - event: any observable occurrence in a system or network
  - incident: an adverse event in an information system and/or network, or the threat of the occurrence of such an event; "incident" implies harm, or the intent to do harm
- the definition determines severity level and business impact, and drives a proportionate response
- ensure common understanding, engage stakeholders, manage misinformation

Slide 23: Identification (cont'd)
Types of incidents:
a) violation of explicit or implied security policy
b) unauthorized access
c) denial of service
d) unauthorized or inappropriate use
e) changes without the owner's knowledge, instruction, or consent
f) malicious code

Slide 24: Containment
- prevent additional damage
- short-term containment: isolation if required
- forensic copy of affected systems
- determine if the system will remain online
- temporarily patch the system and remove the attack vector
- allow normal business to continue
- limit spread of malware and the risk of other systems being compromised
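The forensic-copy step above, as an added example that is not part of the slide deck: a small POSIX shell script that images a source with dd, hashes source and image, appends a custody record, and can re-verify the image before analysis. It assumes GNU dd and sha256sum (Linux); the 16-sector sample "disk" is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the slide deck): take a verified forensic copy of a
# disk before containment changes touch it, and keep a custody record so the
# image can be re-verified later. Assumes GNU dd and sha256sum (Linux).
set -eu

# forensic_copy SOURCE IMAGE LOG: image SOURCE into IMAGE sector by sector,
# hash both sides, append a custody record to LOG. Succeeds only if the
# image hash equals the source hash.
forensic_copy() {
    src=$1; img=$2; log=$3
    # Hash the source first; this is the reference value for the evidence.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # conv=noerror,sync: keep going past unreadable sectors and pad them, so
    # the image stays aligned with the original (hashes match only when the
    # source is a whole number of 512-byte sectors, as real devices are).
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Custody record: timestamp, operator, source, image, both hashes.
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(id -un)" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG: before analysis, re-hash IMAGE and compare it with
# the source hash recorded in LOG, so any later modification is detected.
verify_image() {
    img=$1; log=$2
    recorded=$(awk -F'\t' -v img="$img" '$4 == img { h = $5 } END { print h }' "$log")
    [ -n "$recorded" ] || { echo "no custody record for $img" >&2; return 1; }
    [ "$recorded" = "$(sha256sum "$img" | cut -d' ' -f1)" ]
}

# make_sample_device PATH: constructed 16-sector "disk" so the script runs
# offline; in practice SOURCE is a device node behind a write-blocker.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=512 count=16 status=none
}

WORK=$(mktemp -d)
make_sample_device "$WORK/sda.raw"
forensic_copy "$WORK/sda.raw" "$WORK/sda.img" "$WORK/custody.log"
verify_image "$WORK/sda.img" "$WORK/custody.log"
echo "image verified; custody record: $WORK/custody.log"
```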

Slide 25: Eradication
- removal and restoration of affected systems
- thorough, systematic steps taken to mitigate risk further
- understand the attack vector
- review all logs
- scan systems in the environment; look for other symptoms of compromise
- permanently remove traces; clean up remnants
- ensure the environment cannot be re-infected
- cleaning is not enough: flatten the system ("nuke and pave")

Slide 26: Recovery
- return systems to normal operation
- re-image affected machines from a known-good copy
- ensure systems are no longer vulnerable
- test, monitor, and validate as each system is returned to the production environment
- carefully re-introduce each element so as to avoid re-infection
- when to execute the recovery plan is a business decision

Slide 27: Lessons Learned
- hold a meeting within 2 weeks of the incident
- complete remaining documentation (valuable training material for new members)
- walk through and review a play-by-play of the incident report:
  - when and how the incident was detected, and by whom
  - scope and severity of the incident
  - methods used in containment and eradication
- identify areas of strength: improve system security
- identify opportunity areas: not about blame

Slide 28: Next Steps
- verify the existence of your security incident response plan and that it is up to date
- buy your security incident response team members a coffee
- support the development of team members and the acquisition of key tools
- ensure the plan and team members perform regular drills: table-top exercises, war games, attack simulations, cybersecurity drills, actual events
- don't forget to capitalize on lessons learned

Slide 29: Questions
Gary Perkins, MBA, CISSP
Exec Director & Chief Information Security Officer, Information Security Branch, Office of the Chief Information Officer