Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

Transcription

1 Threat Intelligence: An Essential Component of Cyber Incident Response Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

2 What are we going to cover? Setting the Stage Why is Incident Response Critical? Cyber Threat in Health Care Technology Challenges Incident Response models Maturing Incident Response Threat Intelligence in IR Quality Measures and Metrics

3 What is Incident Management & Response? Incident Management and Response defined as the: capability to effectively manage unexpected disruptive events with the objective of minimalizing impacts and maintaining or restoring normal operations within defined time limits. Objective: Move from a REACTIVE to a PROACTIVE posture in incident response. ISACA, Certified Information Security Manager (CISM) Review Manual 2012

4 Setting the Stage Evolving threats Advanced, Persistent, Sophisticated Gartner: Malware is Already Inside Your Organization; Deal With It Recommends adopting a continuous response culture..must assume they are compromised, and, therefore invest in detective capabilities that provide continuous monitoring for patterns and behaviors indicative of malicious intent. Perfect Prevention is impossible (Gartner) Signature based detection is no longer effective Gartner G February 2014

5 Medical Identity Theft 2.32 million Americans who have been victims of medical identity theft, almost 500,000 were in 2014 alone. The distinction between medical identity theft and other types of identity theft like consumer financial information or credit cards is important for many reasons. The direct out-of-pocket costs to victims of medical identity theft are significant. While the financial liability for consumer credit cards is often limited to $50 (and the card itself can be easily cancelled and replaced) the Ponemon study suggests that 65% of medical identity theft victims had to pay an average of $13,500 to resolve the crime. Unlike credit card theft, medical identity theft victims are rarely informed by a healthcare entity about suspicious and potentially fraudulent activity for health services. Source: Ponemon Study

6 More on Medical Identity Theft Unlike credit card theft, medical identity theft victims are rarely informed by a healthcare entity about suspicious and potentially fraudulent activity for health services. On average, medical identity victims typically learn of the fraudulent activity more than three months after a crime has been committed and 30% do not know when they became a victim. Of those who found an error in their Explanation of Benefits, about half didn t know who to report the claim to. Full resolution of medical identity theft is hard to achieve and the Ponemon research suggests that only 10% of respondents reported achieving a completely satisfactory conclusion.

7 Health Care Records Breached

8 How Prevalent Is It?

9 2015 THE Year of the Data Breach Some of you thought 2014, 2013 was the year of the data breach! According to a recent survey by Ponemon Institute, 17% of senior executives are unaware of whether their organization had suffered a data breach in the last year. We re just over half way through 2015

10 Cyber Threats Intentional Cyber crime (financially motivated) Hacktivists Espionage Economic espionage and Intellectual Property (IP) Disgruntled employees/insiders Unintentional Employees, contractors, business partners, researchers Almost ALL cyber breaches involve a malware component and a human component

11 APT Attack Lifecycle Detection built in at every phase

12 Game Changers IoT 26 Billion Internet connected devices by 2020 BYOIT Bring Your Own IT (Gartner) Wearable devices healthcare, fitness, etc. PCI - imminent adoption requirement for EMV "chip and PIN" technology in the U.S. in October 2015 window may be closing for hackers Legislation expect more prescriptive legislation in coming year

13 Incident Management Incident Response program the heart of Security program A thermometer to indicate how well controls are working An early warning system A necessary component for even the smallest of businesses

14 Incident Response & Governance Appropriate management support and stakeholder engagement it critical to any incident response program Senior leadership buy-in and funding Public relations, communications, emergency management, Privacy, Office of General Counsel, human resources IT Staff Business units/ partners

15 Incident Response Service Models Classic Incident Response ITIL model Coordinated Incident Response Model

16 Classic Incident Response Phase Activities Planning & Preparation Detection & Analysis Creating policies, IR plan, communications plan developing user awareness, building a response capability Checklists, tools Defining events /notification, validating incidents, triage /prioritization, IDS, SIEM, audit/log data feeds and analysis Containment, Eradication & Recovery Post Incident Activity Execute containment strategy for incident type, forensic analysis, execute recovery procedures in line with BCP/ DRP if applicable, determine source of incident (initial vector) Conduct after action review, document lessons learned, collect IR metrics, determine corrective actions (continuous improvement), communicate metrics/reports

17 ITIL Incident Response Services Reactive Services Alerts and Warnings Incident Handling Incident analysis Incident response on site Incident response support Incident response coordination Vulnerability Handling Vulnerability analysis Vulnerability response coordination Artifact Handling Artifact analysis Artifact Response Artifact response coordination Proactive Services Announcements Technology Watch Security Audit or Assessments Configuration & Maint of Sec Tools, Apps and Infrastructure Development of Security Tools Intrusion Detection Services Security Related Information Dissemination Security Quality Management Services Risk Analysis Business Continuity & Disaster Recovery Planning Security Consulting Awareness building Education / Training Product evaluation or Certification

18 ITIL Model Pros & Cons Pros: Concise Focus on return to operational service, reducing down time Cons: Metrics focus on customer satisfaction Value of intelligence gathering may be minimalized

19 Coordinated Incident Response Preparation Detection & Analysis Containment, Eradication, & Recovery Post- Incident Activity Incident Handling Process Identify Report Report Identify Coordinate Inform Monitor Respond Respond Monitor Top Level Coordinated Incident Handling Process IEEE 2011, Daley, Millar, Osorno

20 Coordinated IR Model Pros & Cons Pros: Integrated approach ensures information sharing and the value proposition of situational awareness Quality of information know more about what is normal and what is anomaly among partners Value of Cyber Threat Intelligence higher fidelity Cons: Requires trust with business partners Sharing information can tip off the attacker

21 Maturing Incident Response Finding a way to develop and mature Incident Management program Measurable CNDSP, CMM Computer Network Defense Service Provider (CNDSP) developed at Carnegie Mellon Provides certification and accreditation metrics Quantitative and Quality measures Geared for government but has some value in assessing capabilities and maturity

22 IR Maturity Model Phases Level 1 Ad Hoc - Processes Unpredictable, poorly controlled and Reactive Level 2 Managed - Processes Characterized for Projects, and is often reactive Level 3 Defined Processes Characterized for the Organization, and is Proactive Level 4 Quantitatively Managed - Processes Measured and Controlled Level 5 Optimizing Focus on Process Improvement

23 Incident Management a Work in Progress Incident management programs require care and feeding continuous development and enhancement to capabilities Evaluate new commercial capabilities Continuous improvement implement changes based on root cause issues identified during Post mortem review

24 Incident Response Planning Incident Response Plan Well defined roles and responsibilities Improved decision making Internal and External Coordination and Communication Minimize Damage

25 Key Elements in an Incident Response Plan Roles and Responsibilities Incident Taxonomy Data Classification Identification of Critical Assets Response Team Operating Model Coordination and Communication Designated Incident Lead Key Tools for Incident Response Threat Intelligence how it will be used Escalation Thresholds

26 Incident Response Service Model ITIL service model for Cyber Incident Response Not to be confused with ITIL Incident Primary metric is time to return to service Secondary metric usually involves customer satisfaction (based on survey) PROS simple and primary metric is quantifiable CONS Customer satisfaction scores are difficult Weighing risk of continued operation versus containment

27 Cyber Threat Intelligence What is it? Gartner has defined threat intelligence as: evidence based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject s response to that menace or hazard. Intelligence Lifecycle: plan, collect, process, produce and disseminate information The key difference is that it s focused on identifying threats. This information must be matched against an organization to determine if the threat intelligence is valuable to that organization. Timely, Actionable, Accurate Threat stream subscription services ISACs, ISAOs, Commercial

28 Threat Intelligence - continued Automation enabled through a myriad of data standards, including: STIX, TAXII, CybOX, MAEC, HTML, RSS, Open IOC SIM/SIEM value proposition Internal Forensic Analysis IOCs from internal analysis can be an often overlooked valuable source of threat intelligence Definition IOC Indicator of Compromise, includes IP addresses, domain names, file names, hashes, and a myriad of other indicators

29 Threat Intelligence Management What is it and why do we care? Threat intelligence management Commercial solutions Build vs. buy Must be able to: Ingest structured/un-structured data PDF, doc, csv, xls, doc, etc. Including information from SIM/SIEM Perform data normalization and de-dup data Visualization an important capability when managing massive amounts of threat intelligence

30 Example of Finished Analytic Product

31 Consumption of Threat Intelligence Finished Intelligence reports PDF Requires analysis - labor intensive and can result in reduced effectiveness (timeliness) Analyst must review, prioritize and investigate Automation to enhance efficiency using standards (STIX, TAXII) Subscription services efficient, effectiveness? Effectiveness depends on a variety of factors

32 Threat Intelligence & Information Sharing Trusted information sharing Build relationships and partnerships with peer organizations NH-ISAC approximately 120 member organizations, services for members Some threat sharing management systems enable circles of trust to facilitate different levels of sharing

33 Data Sources and Feeds No such thing as too much data. Or is there? Automated threat ingestion via standards Requires standards such as STIX/TAXII Threat management system Log data common sources: Syslog, IDS/IPS, DNS, DHCP, F/W, Proxy, Active Directory, Web, NetFlow, pcap, application logs Asset management CMDB, other? Classify assets based on the sensitivity of the information they process Critical assets tagged with meta data to facilitate triage in incident response

34 Quality Measures & Metrics Computer Network Defense Service Provider (CNDSP) certification and accreditation metrics Metrics some considerations Dwell time Mean time to incident recovery restoration (ITIL) Mean time to incident discovery Number of incidents

35 Summary Malware is inside your network Deal with it! Adopt a continuous detection posture Capabilities exist to enhance rapid detection Threat Intelligence is a vital component to a cyber incident response program

36 Questions?

37 Resources NH-ISAC US-CERT Traffic Light Protocol