Advice from the Trenches: Preparing for the Challenges and Pressures of a Security Incident Investigation

Transcription

1 Advice from the Trenches: Preparing for the Challenges and Pressures of a Security Incident Investigation Marshall Heilman Managing Director Craig A. Hoffman Partner Who we are Marshall Heilman Craig Hoffman 2

2 Expectations & Landscape Past tipping point for Boards of Directors and executives recognizing security as a top challenge CISOs business leader or post-breach scapegoat? 3 Challenges Faced by CISO s Security Threats Targeted Malware & APTs Data Loss, Theft & Breaches Phishing & Social Engineering Zero-Day Vulnerabilities Viruses and Worms Operational Challenges Technical vs. non-technical Advanced Security Threats Adoption of Emerging Technologies Security Product Complexity Big Data Social Media Emerging Technologies Cloud Computing Mobile Applications Bring-Your-Own-Device ( BYOD ) Budgetary Challenges New Capital Outlays Monthly Operational Expenses Headcount Audits 4

3 Can you answer these basic questions? How do you answer questions from management about preparedness? Who is responsible for managing incident response? Do you have an incident response plan? Is it tested? Who is on your external team? Who will manage external messaging? How do you forecast potential financial consequences and obtain appropriate insurance coverage? How will you prevent your team from burning out? During the incident During the remediation efforts that follows 5 A Simplified View of a Data Breach Discovery of a Data Breach Evaluation of the Data Breach Managing the Short-Term Crisis Handling the Long-Term Consequences Class-Action Lawsuits Unauthorized access to personal information or intellectual property, whether at the company or its vendor Incident response Notification and Credit Monitoring Regulatory Fines, Penalties, and Consumer Redress Reputational Damage Public Relations Income Loss 6

4 Costs of a Breach Incident response Notification costs Credit monitoring Call center Crisis response Legal fees Defense costs/settlement expenses PCI fines/assessments, HIPAA fines, & regulatory fines 7 At the outset of an investigation can you answer these basic questions? Do you have an accurate network diagram? What logs do you have? What hostname belongs to an IP address? Which system(s) did an account authenticate to? Which system(s) communicated with an IP address on the Internet? Which system performed a DNS query? On which system(s) does an Indicator of Compromise (IOC) appear? 8

5 Preparing for an Incident - Management Mentality shift no more excuses Critical assets & data flows Business impact analysis studies Incident communication plan Realistic table top exercises External legal and IR firm relationship Insurance coverage 9 Preparing for an Incident - Technical Build a compromise ready environment What hostname belongs to an IP address? Which system(s) did an account authenticate to? Which system(s) communicated with an IP address on the Internet? Which system performed a DNS query? On which system(s) does an Indicator of Compromise (IOC) appear? 10

6 Preparing for an Incident - Technical Accurate network diagrams Adequate logging Access to tools & systems Understand software deployment & hardware installation capabilities/limitations Get involved with industry groups start sharing intelligence Focus on Security Preparing for an Incident - Technical Comprehensive Incident Response plan Develop IR use cases specific to your environment Measured mean time to remediate Learn how to execute 12

7 Best Practices During an Incident Do not over react Assign an incident owner (executive & technical) Engage [the right] external expertise Legal Incident response Public relations Get ahead of potential legal requirements Privilege International, Federal, and State requirements Evidence preservation 13 Best Practices During an Incident React quickly Be prepared to make difficult decisions Contain vs. remediate Forensic evidence should drive the decision making Dedicate appropriate staff Difference between important & critical Be reasonable with your requirements Meetings vs. work 14

8 Best Practices During an Incident Involve the C-Suite Be guarded, consistent, and honest in communications Prepare for the negative public/customer reaction Document analysis and activities Involve law enforcement Avoid vendor overload Listen to your external experts 15 Best Practices Post-Incident Ensure comprehensive documentation exists Be mindful of the hard work your team just put in Be wary of boiling the ocean Critical exploitation areas Be prepared to spend more money Focus spend in areas that make sense Do not bow to public pressure or trends Understand whether or not to expect to be immediately re-attacked 16

9 Are you prepared? Backdoor variants VPN subversion Sleeper malware Maintain Presence Move Laterally Net use commands Reverse shell access Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission Social engineering Spear phishing with custom malware Custom malware Command and Control 3 rd- party application exploitation Credential theft Password cracking Pass-the-hash Critical system recon System, active directory & user enumeration Staging servers Data consolidation Data theft 17 Thank you 18