Computer Security Incident Handling Detec6on and Analysis

Similar documents
Session 334 Incident Management. Jeff Roth, CISA, CGEIT, CISSP

Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP HP ENTERPRISE SECURITY SERVICES

Splunk and Big Data for Insider Threats

Welcome. HITRUST 2014 Conference April 22, 2014 HITRUST. Health Information Trust Alliance

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

The University of Tennessee Chattanooga Incident Response Plan

Cybersecurity and internal audit. August 15, 2014

Defending Against Data Beaches: Internal Controls for Cybersecurity

DTCC Data Quality Survey Industry Report

Main Research Gaps in Cyber Security

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

How To Perform a SaaS Applica7on Inventory in. 5Simple Steps. A Guide for Informa7on Security Professionals. Share this ebook

Incident Response. Proactive Incident Management. Sean Curran Director

Pu?ng B2B Research to the Legal Test

How To Use Splunk For Android (Windows) With A Mobile App On A Microsoft Tablet (Windows 8) For Free (Windows 7) For A Limited Time (Windows 10) For $99.99) For Two Years (Windows 9

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

Data Security Incident Response Plan. [Insert Organization Name]

Computer Security Incident Response Plan. Date of Approval: 23- FEB- 2015

CSIRT Introduction to Security Incident Handling

How To Protect Virtualized Data From Security Threats

Guideline on Auditing and Log Management

UNCLASSIFIED. General Enquiries. Incidents Incidents

Gyrus: A Framework for User- Intent Monitoring of Text- Based Networked ApplicaAons

Information Security Incident Management Guidelines

Disrup've Innova'ons Track

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

Gyrus: A Framework for User- Intent Monitoring of Text- Based Networked ApplicaAons

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

NCCIC CYBER INCIDENT SCORING SYSTEM OVERVIEW

HIPAA Breaches, Security Risk Analysis, and Audits

SIEM Implementation Approach Discussion. April 2012

Information Security Services

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Data Management & Protection: Common Definitions

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

DNS Traffic Monitoring. Dave Piscitello VP Security and ICT Coordina;on, ICANN

Protec'ng Informa'on Assets - Week 8 - Business Continuity and Disaster Recovery Planning. MIS 5206 Protec/ng Informa/on Assets Greg Senko

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Into the cybersecurity breach

Information Technology Policy

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Network & Information Security Policy

Overcoming PCI Compliance Challenges

IPv6 and DDoS Protec0on: Securing Carrier Grade NAT Infrastructure

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Anatomy of a Cloud Computing Data Breach

Protecting Your Organisation from Targeted Cyber Intrusion

UAB Cyber Security Ini1a1ve

Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework

Security Policy for External Customers

White Paper. Information Security -- Network Assessment

Bank of America Security by Design. Derrick Barksdale Jason Gillam

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Healthcare in the Crosshairs for Data Breaches. April 22, Deborah Hiser (512)

The Value of Vulnerability Management*

Incident Response Plan for PCI-DSS Compliance

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Information Security and Risk Management

Security and Privacy

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Agenda , Palo Alto Networks. Confidential and Proprietary.

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

CMPT 471 Networking II

Ed McMurray, CISA, CISSP, CTGA CoNetrix

IT Security Incident Management Policies and Practices

Use of The Information Services Active Directory Service (AD) Code of Practice

Cyber Risks and Insurance Solutions Malaysia, November 2013

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics

Reference Architecture: Enterprise Security For The Cloud

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Utica College. Information Security Plan

Network Security Policy

California State University, Chico. Information Security Incident Management Plan

ISO COMPLIANCE WITH OBSERVEIT

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Legacy Archiving How many lights do you leave on? September 14 th, 2015

Italy. EY s Global Information Security Survey 2013

Computer Security Incident Response Team

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Transcription:

Computer Security Incident Handling Detec6on and Analysis Jeff Roth, CISSP- ISSEP, CISA, CGEIT Senior IT Security Consultant 1 Coalfire Confiden+al

Agenda 2 SECURITY INCIDENT CONTEXT TERMINOLOGY DETECTION AND ANALYSIS ATTACK VECTORS SIGNS OF AN INCIDENT SOURCES OF PRECURSORS AND INDICATORS INCIDENT ANALYSIS INCIDENT DOCUMENTATION INCIDENT PRIORITIZATION INCIDENT NOTIFICATION EXAMPLE OF AN INCIDENT HANDLING CHECKLIST

Security Incident Context Events verses Incidents 1 o Events An event is any observable occurrence in a system or network. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. 1 National Institute of Science and Technology Special Publication 800-61 v2, COMPUTER SECURITY INCIDENT HANDLING GUIDE, August 2012

Incident Response Context Events verses Incidents 1 o Incident - A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices 1 National Institute of Science and Technology Special Publication 800-61 v2, COMPUTER SECURITY INCIDENT HANDLING GUIDE, August 2012

Incident Response Context Incident Response Life Cycle 1 1 National Institute of Science and Technology Special Publication 800-61 v2, COMPUTER SECURITY INCIDENT HANDLING GUIDE, August 2012

Security Incident Context Organiza6onal Structures Incident Response Team Structure o Central Incident Response Team. A single incident response team handles incidents throughout the organization (small organizations and for organizations with minimal geographic diversity) o Distributed Incident Response Teams-multiple incident response teams, each responsible for a particular logical or physical segment of the organization (large organizations and major computing resources at distant locations). However, the teams should be part of a single coordinated entity

Terminology Threat: The poten+al source of an adverse event. Common threat planes: o Human Interac+on Email (received and sent) Web pages visited Social sites Blogs o Architectural Network interfaces (External and internal) Severs and running services and applica+ons Vulnerability: A weakness in a system, applica+on, or network that is subject to exploita+on or misuse.

Terminology - Con6nued AKack Vectors: These are the means used by the amackers to exploit vulnerabili+es. Examples are: o External/Removable Media o AMri+on: An amack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services o Web o Email o Social Engineering o Improper Usage Precursor: A sign that an amacker may be preparing to cause an incident. Indicator: A sign that an incident may have occurred or may be currently occurring.

Detec6on and Analysis First of all let s level set with the current state of Cyber amacks. o Many of the high profile amacks over the past few years are sophis+cated in nature o The Threat actors are persistent and come from many areas of the world driven by a variety of mo+va+ons Money and Data thev are primary goals o Neither of the above are uncommon nor can these be used as an excuse for inac+on

Detec6on and Analysis - Signs of an Incident Automated detec+on capabili+es include network- based and host- based IDPSs, an+virus sovware, and log analyzers. Manual means, such as problems reported by users (watch trouble +cket and work order systems). Some incidents have overt signs that can be easily detected, whereas others are almost impossible to detect.

Detec6on and Analysis - Signs of an Incident We remember Signs of an incident come in two categories - precursors and indicators. Good News- If we detect precursors we have an opportunity to prevent the incident Bad News - Most amacks do not have any iden+fiable or detectable precursors

Detec6on and Analysis - Signs of an Incident So what detec+ve and predic+ve controls should we have in place: o Profile Networks and Systems- measuring the characteris+cs of expected ac+vity so that changes to it can be more easily iden+fied o Understand Normal Behaviors. Incident response team members need to have system specific knowledge regarding networks, systems, and applica+ons (normal behavior is readily known so that abnormal behavior is recognized quickly)

Detec6on and Analysis - Signs of an Incident So what detec+ve and predic+ve controls should we have in place: o Create a Log Reten+on Policy (firewall, IDPS, OS and applica+on logs). Remember that older log entries may show key clues such as reconnaissance ac+vity previous instances of similar amacks o Remember many +mes the incident may not be discovered un+l days, weeks, or even months later no log reten+on no evidence

Detec6on and Analysis - Signs of an Incident So what detec+ve and predic+ve controls should we have in place: o Protect the logs All log need to write to a separate log server (write once only media preferred) o Perform Event Correla+on. Firewall log may have the source IP address Applica+on log may contain a username. Network IDPS may detect that an amack was launched against a par+cular host

Detec6on and Analysis - Signs of an Incident So what detec+ve and predic+ve controls should we have in place: o Keep All Host Clocks Synchronized from an authorita+ve NTP server o Use exis+ng trouble +cket/work order systems along with incident knowledge base to bemer perform predic+ve analy+cs

Detec6on and Analysis - Incident Documenta6on The issue tracking system should contain informa6on on the following: o The current status of the incident (new, in progress, forwarded for inves+ga+on, resolved, etc.) o A summary of the incident o Indicators related to the incident o Other incidents related to this incident o Ac+ons taken by all incident handlers on this incident o Chain of custody, if applicable

Detec6on and Analysis - Incident Documenta6on The issue tracking system should contain informa6on on the following: (con6nued) o Impact assessments related to the incident o Contact informa+on for other involved par+es (e.g., system owners, system administrators) o A list of evidence gathered during the incident inves+ga+on o Comments from incident handlers o Next steps to be taken (e.g., rebuild the host, upgrade an applica+on).

Incident Priori6za6on Functional Impact Categories Category None Low Medium High Definition No effect to the organization s ability to provide all services to all users Minimal effect; the organization can still provide all critical services to all users but has lost efficiency Organization has lost the ability to provide a critical service to a subset of system users Organization is no longer able to provide some critical services to any users

Priori6za6on of the Incident Information Impact Categories Category None Privacy Breach Proprietary Breach Integrity Loss Definition No information was exfiltrated, changed, deleted, or otherwise compromised Sensitive personally identifiable information (PII), Card Holder Data, electronic-personal Health Information of customers, taxpayers, employees, beneficiaries, etc. was accessed or exfiltrated Proprietary information, such as protected critical infrastructure information (PCII), company formulas, plans, engineering data, etc. was accessed or exfiltrated Sensitive or proprietary information was changed or deleted

Priori6za6on of the Incident Recoverability Effort Categories Category Regular Supplemented Extended Definition Time to recovery is predictable with existing resources Time to recovery is predictable with additional resources Time to recovery is unpredictable; additional resources and outside help are needed Not Recoverable Recovery from the incident is not possible (e.g., sensitive data exfiltrated and posted publicly); launch investigation

Detec6on and Analysis - No6fica6on Once we have iden+fied, analyzed and priori+zed an incident, the incident response team will ac+vate the no+fica+on processes based on the nature and severity of the incident o Call lists must be current, accurate and accessible by authorized personnel o No+fica+on trees should be developed and clearly aligned with the documented escala+on plan

Detec6on and Analysis - No6fica6on Non- IT Roles o CEO, COO, CFO, CRO o Human resources o Public affairs o Legal department o Board of Directors o US- CERT (required for Federal agencies and systems operated on behalf of the Federal government) o Law enforcement (if appropriate)

Detec6on and Analysis - No6fica6on IT Specific Roles o CIO o System owner o Head of informa+on security o Local informa+on security officer o Other incident response teams within the organiza+on (includes subcontractors, service providers, business partners, etc.) o External incident response teams (if appropriate)

Detec6on and Analysis - No6fica6on No6fica6on Effec6veness o Based on priori+za+on, the no+fica+on call list will escalate based on: Severity and size of the incident Regulatory and contractual and func+onal impact o No+fica+on can take the many forms concurrently to provide completeness, accuracy, speed and redundancy o For incidents involving regulatory and contractual impacts, both legal and public affairs will play a significant role as to incident inves+ga+on and informa+on release respec+vely

Detec6on and Analysis Do Loop Based on the subsequent steps within the incident response process, the Detec6on and Analysis processes may be revisited un6l incident has been closed Why? o During containment, eradica+on and recovery addi+onal data is required o New amacks may con+nue as the containment and eradica+on correc+ve controls are in place. The detec+on and analysis will provide indicators that containment is successful

Detec6on and Analysis Do Loop Why? (Con6nued) o Informa+on from Detec+on and Analysis will be reviewed for the final incident report and lessons learned o Enters into the organiza+on knowledge base and training of the incident response team members

Ques6ons? Thank you For further informa6on contact Jeff.Roth@Coalfire.com 321-795- 0391 Ron.FrecheKe@Coalfire.com 303-554- 6333 x7826 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information