CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Transcription

1 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1

2 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations and recommendations which were consistent across these incidents. Additionally, NTT Group compared these results to information available from highly publicized breaches. This analysis helped identify a set of control areas which suffer from a lack of both basic and mature detection, investigation and mitigation capabilities in many organizations. As a result, we recommend organizations evaluate the effectiveness of these five control areas in their environments. These recommendations describe basic controls which should be implemented as a foundational part of an organization s network and security infrastructure. NTT Group analysis identified that many organizations continue to struggle implementing these control areas in an effective manner. CONTROL AREA 1: NETWORK SEGMENTATION Many of the investigated breaches originated in one segment of the network and propagated across the internal network as the attack progressed. Attackers compromise laterally throughout organizations in attempts to find strategically valuable systems, targets of opportunity, or systems which aid the attacker in maintaining a persistent presence. NTT Group continues to observe organizational network infrastructures which are internally flat (non-hierarchical). These networks do not adequately define different functional areas of the environment. Different network areas can have unique data requirements or access requirements, which have not been recognized or enforced. Internal network segmentation should ensure that data 2

3 flowing between segments is appropriately scrutinized. For example, employees in a call center environment may not need access to development environments, hence this activity should be restricted via access control lists (ACL) and administrative segregation of functions between environments. As well as segmenting networks using router access control lists and Virtual Local Area Networks (VLANs), organizations should implement detective and preventive controls via firewalls, along with Intrusion Detection and Prevention Systems (IDS/IPS). These enhance the organization s ability to provide a detective and defensive capability which can help identify potentially malicious network traffic, including attempts to bypass segregation controls. In addition to network segmentation, organizations must ensure that system administration functions are conducted from specific subnets and segregated networks. This allows more granular control of who may perform administrative activities, and from which network segment they are authorized to be conducted. Additionally, such controls will significantly impact the tempo of an attack, making network penetration slower, noisier, and more difficult to accomplish. This is especially true if attackers are forced to repeat the reconnaissance, attack and compromise process every time they wish to extend their reach within an environment. Many security and compliance initiatives can be easier to achieve by properly segregating networks, data and processes. An important part of this is ensuring proper documentation of controls, network topology and data transmission paths. Some key considerations and recommendations for network segmentation include: Identify key segments containing critical data, processes and systems Define security zones which effectively segment critical areas based on sensitivity of data and access requirements 3

4 Segregate and apply access control lists to and from zones which support administrative functions for the organization s systems Continuously validate that segregation controls are meeting defined goals as the network environment grows and changes CONTROL AREA 2: MALWARE DETECTION AND PREVENTION CONTROLS Malware is often used as an initial attack capability to penetrate a network, leveraging a combination of both technical and human vulnerabilities. Unfortunately, based on instances NTT Group has seen over the past few years, NTT Group observed about a 46 percent detection rate while host-based anti-virus solutions catch, at researching malware for the best, about half of the viruses in the wild GTIR. In fact, NTT Group observed about a 46 percent detection rate while researching malware for the 2014 GTIR. A significant number of incident response engagements supported by NTT Group identified malware installed on systems, which had outdated or no antivirus software installed. Malware often disables anti-virus solutions to help increase its survivability. Relying solely on host-based security is not a good strategy for managing malware threats and organizations must consider technologies which also scrutinize network and communications for signs of malicious activity related to malware. Some fundamental recommendations for deploying malware detection/ prevention controls include: 4

5 Define your organization s malware mitigation strategy and ensure your controls include multiple points of detection and visibility Invest in host-based as well as network-based detection and quarantine capabilities Collect logs from malware product consoles and ensure they are part of your log monitoring SIEM/MSSP solution Develop policies and procedures for how malware incidents are handled Validate malware controls are operating as defined and make adjustments as required It is important to understand that to benefit from even 50 percent protection, host-based anti-virus solutions must be installed on servers and end points, must be regularly updated, and must scan for viruses constantly. Network and host-based anti-virus solutions should be continuously monitored to ensure the solution is providing maximum value. CONTROL AREA 3: PATCHING AND CONFIGURATION MANAGEMENT Most breaches analyzed by NTT Group in 2014 included the compromise of unpatched or poorly configured systems. In many cases the compromises were directly related to third-party application vulnerabilities. Malicious attackers seek out systems with unpatched vulnerabilities as a means of gaining an initial foothold into a system or network. Many exploit kits are built with the understanding that attackers can automate exploits faster than target organizations can patch newly discovered vulnerabilities. NTT Group has discovered, as described in last year s GTIR, on average, it takes organizations who do not have a vulnerability management program, nearly 200 days to patch vulnerabilities with a CVSS score of 4.0 and higher. 5

6 Old, unpatched vulnerabilities can be a relatively easy exploit path for most attackers. During 2014, 76 percent of the vulnerabilities identified in client systems by NTT vulnerability scanning and management services were from 2012 or earlier, making them more than two years old. Almost 9 percent of those vulnerabilities identified by NTT group in 2014 were more than 10 years old. DETECTED VULNERABILITIES BY YEAR OF RELEASE % 2% 4% 6% 8% 10% 12% 14% Caption: Many new vulnerabilities in 2014 but some from as far back as Although configuration and patch management are not new concepts, qualitative analysis of vulnerability scanning data illustrates it is something most organizations are still doing poorly. Many organizations still focus attention on patching critical and public facing servers; however, most attacks today are focused on the end user and third-party applications. To mitigate potential losses due to configuration management and patch management issues, organizations should: 6

7 Document configuration and change control policies and procedures Document patch management policies and procedures for operating systems, network devices and third-party applications Implement solutions which can expedite configuration and patch management processes, and document related activities Ensure that the organization has visibility and awareness of the status of vulnerabilities across all technologies in the environment. Implement processes for emergency escalation of patches especially in situations where vulnerabilities which are being actively exploited in the wild exist on organizational devices. Develop test plans and validate which controls and processes are working as anticipated Configuration and patch management can be tedious and difficult, especially when managing a variety of end-user devices in a highly distributed, heterogeneous environment. Implementing an active, aggressive patch management program can remove common vulnerabilities from both servers and end-user systems, minimizing the effectiveness of newer exploits and common exploit kits. CONTROL AREA 4: MONITORING Some of the breaches analyzed by NTT Group in 2014 had been in process for quite some time. Organizations discovered some of the breaches months after the initial compromises occurred and after data had already been lost. Attackers often gain a foothold in an organization s network and conduct a patient attack campaign, extending their control through the victim s environment while avoiding detection. Some of these breaches had even been reported by malware and IDS systems but ignored. Many breaches included compromise of multiple systems distributed across the organization s internal network. These compromised systems were often 7

8 involved in communications related to the compromise (downloading of malware, exfiltration of data) for an extended period of time. This included unauthorized communication between internal servers as well as communications with both internal and external command and control (C&C) servers. Truly effective monitoring includes not only system logs and alerts, but also behavioral analysis of an organization s baseline environment. Behavioral monitoring can detect anomalous activity in an environment. For example: Systems which had never communicated are suddenly exchanging large amounts of information Multiple distributed systems are suddenly talking with a few centralized systems Or more obviously, but often still not detected by many organizations, previously quiet internal systems are suddenly talking to external systems To ensure organizations get the most out of their monitoring investment, NTT Group recommends: Understand your environment, knowing that not all logs are created equal. Security engineers can help your organization identify the logs, devices and systems which provide the most value and context. Most environments with strong monitoring are the result of years of maturity and constant planning and improvement. Define your tactical and strategic plans for monitoring and then work your plan. Your monitoring plan determines how well you can identify activities which occur during breaches, but can also help your organization meet compliance requirements. Maximize the value of monitoring by applying it to multiple use cases. Monitoring, like many other security controls, achieves its maximum value when layered. Log at the network layer and the application layer. 8

9 Log externally facing IDS/IPS, firewalls, WAFs, but also consider directory services, anti-virus, file monitoring, databases, web applications, proxies and DLP. Consider monitoring key devices at the source as opposed to relying on identifying malicious activity as it traverses other devices. CONTROL AREA 5: ACTIVE INCIDENT RESPONSE During 2014, about 74 percent of organizations which used NTT Group incident response services had no functional incident response plan. An incident response plan is only effective if it enables the organization to respond to an incident in an actionable and coordinated manner. For the incidents analyzed, NTT Group observed many organizations asking themselves the same questions: Did the alerts actually constitute a breach? Was the organization actually under attack? Who from the organization should respond? Is the organization primarily interested in retaining evidence of the breach, restoring service, protecting data, or is there another priority? What systems and/or data should receive the highest response priority? Who are the organization s third-party vendors (e.g., their ISP) and who are the contacts (and what are their contact phone numbers) at those organizations? 9

10 These are exactly the types of questions which a mature incident response plan would identify during development, coordination, review and test. During an attack, it will be hard enough to respond to the incident in a planned manner. This failure will extend the duration and losses associated with an attack. The response process is even more complicated if the organization tries to figure out what their incident response should be amidst the chaos of an ongoing breach. An effective incident response plan will define the following activities before an attack occurs: Define the incident response team, along with their roles and responsibilities Document contact information for relevant vendors and third-parties, such as ISP tech support, and define how they fit in the process Define any required skill sets which do not exist within the organization, and how they will be obtained and utilized Define processes to communicate effectively during incidents Define criteria to declare when an incident has started, as well as when an incident has ended This is a drastic simplification of a real incident response plan, which would still have to be implemented effectively, and include procedures which would be clearly communicated to all responsible individuals. Unfortunately, NTT Group analysis of incidents in 2014 shows that these simple concepts are often overlooked by even the most mature organizations. 10

11 CONCLUSION Not every compromise is a result of missing the fundamental controls discussed in this section. However, if every breached organization had implemented truly effective controls in these areas, those organizations would have been more resilient and better prepared to respond to an attack. Effective implementation of these five control areas can have an immediate, positive impact on the security of any organization. 11