INCIDENT RESPONSE: FIVE KEY RECOMMENDATIONS
FIVE KEY RECOMMENDATIONS

During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed observations and recommendations which were consistent across these incidents. Additionally, NTT Group compared these results to information available from highly publicized breaches. This analysis helped identify a set of control areas which suffer from a lack of both basic and mature detection, investigation and mitigation capabilities in many organizations. As a result, we recommend organizations evaluate the effectiveness of these five control areas in their environments.

These recommendations describe basic controls which should be implemented as a foundational part of an organization's network and security infrastructure. NTT Group analysis identified that many organizations continue to struggle to implement these control areas effectively.

CONTROL AREA 1: NETWORK SEGMENTATION

Many of the investigated breaches originated in one segment of the network and propagated across the internal network as the attack progressed. Attackers move laterally throughout organizations in attempts to find strategically valuable systems, targets of opportunity, or systems which aid the attacker in maintaining a persistent presence.

NTT Group continues to observe organizational network infrastructures which are internally flat (non-hierarchical). These networks do not adequately define different functional areas of the environment. Different network areas can have unique data or access requirements which have not been recognized or enforced. Internal network segmentation should ensure that data flowing between segments is appropriately scrutinized. For example, employees in a call center environment may not need access to development environments, so this activity should be restricted via access control lists (ACLs) and administrative segregation of functions between environments.

As well as segmenting networks using router access control lists and Virtual Local Area Networks (VLANs), organizations should implement detective and preventive controls via firewalls, along with Intrusion Detection and Prevention Systems (IDS/IPS). These enhance the organization's ability to identify potentially malicious network traffic, including attempts to bypass segregation controls.

In addition to network segmentation, organizations must ensure that system administration functions are conducted from specific subnets and segregated networks. This allows more granular control of who may perform administrative activities, and from which network segment they are authorized to be conducted. Additionally, such controls will significantly impact the tempo of an attack, making network penetration slower, noisier, and more difficult to accomplish. This is especially true if attackers are forced to repeat the reconnaissance, attack and compromise process every time they wish to extend their reach within an environment.

Many security and compliance initiatives can be easier to achieve by properly segregating networks, data and processes. An important part of this is ensuring proper documentation of controls, network topology and data transmission paths.

Some key considerations and recommendations for network segmentation include:

- Identify key segments containing critical data, processes and systems
- Define security zones which effectively segment critical areas based on sensitivity of data and access requirements
- Segregate and apply access control lists to and from zones which support administrative functions for the organization's systems
- Continuously validate that segregation controls are meeting defined goals as the network environment grows and changes

CONTROL AREA 2: MALWARE DETECTION AND PREVENTION CONTROLS

Malware is often used as an initial attack capability to penetrate a network, leveraging a combination of both technical and human vulnerabilities. Unfortunately, based on instances NTT Group has seen over the past few years, host-based anti-virus solutions catch, at best, about half of the viruses in the wild. In fact, NTT Group observed about a 46 percent detection rate while researching malware for the 2014 GTIR.

A significant number of incident response engagements supported by NTT Group identified malware installed on systems which had outdated or no anti-virus software installed. Malware often disables anti-virus solutions to help increase its survivability. Relying solely on host-based security is not a good strategy for managing malware threats, and organizations must consider technologies which also scrutinize network and email communications for signs of malicious activity related to malware.

Some fundamental recommendations for deploying malware detection/prevention controls include:
- Define your organization's malware mitigation strategy and ensure your controls include multiple points of detection and visibility
- Invest in host-based as well as network-based detection and quarantine capabilities
- Collect logs from malware product consoles and ensure they are part of your log monitoring SIEM/MSSP solution
- Develop policies and procedures for how malware incidents are handled
- Validate that malware controls are operating as defined and make adjustments as required

It is important to understand that to benefit from even 50 percent protection, host-based anti-virus solutions must be installed on servers and endpoints, must be regularly updated, and must scan for viruses constantly. Network and host-based anti-virus solutions should be continuously monitored to ensure the solution is providing maximum value.

CONTROL AREA 3: PATCHING AND CONFIGURATION MANAGEMENT

Most breaches analyzed by NTT Group in 2014 included the compromise of unpatched or poorly configured systems. In many cases the compromises were directly related to third-party application vulnerabilities. Malicious attackers seek out systems with unpatched vulnerabilities as a means of gaining an initial foothold into a system or network. Many exploit kits are built with the understanding that attackers can automate exploits faster than target organizations can patch newly discovered vulnerabilities. As described in last year's GTIR, NTT Group found that, on average, organizations without a vulnerability management program take nearly 200 days to patch vulnerabilities with a CVSS score of 4.0 and higher.
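The time-to-patch and vulnerability-age figures this section reports can be measured the same way for your own environment. The following is an added example, not NTT Group's code; the scanner findings, field names and the 30-day SLA are constructed assumptions for illustration.

```python
from datetime import date
from statistics import mean

# Constructed scanner findings for illustration (not NTT data). 'published' is the
# year the vulnerability was disclosed; 'patched' is None while the host is still exposed.
FINDINGS = [
    {"host": "web01", "id": "VULN-A", "published": 2011, "cvss": 7.5,
     "detected": date(2014, 1, 10), "patched": date(2014, 3, 1)},
    {"host": "ws042", "id": "VULN-B", "published": 2003, "cvss": 9.3,
     "detected": date(2014, 1, 10), "patched": None},
    {"host": "ws042", "id": "VULN-C", "published": 2014, "cvss": 3.1,
     "detected": date(2014, 6, 2), "patched": None},
    {"host": "db02", "id": "VULN-D", "published": 2012, "cvss": 5.0,
     "detected": date(2014, 2, 1), "patched": date(2014, 9, 15)},
]

def age_profile(findings, as_of_year):
    """Share of findings at least two / at least ten years old, counting years as the
    report does (a 2012 vulnerability seen in 2014 counts as more than two years old)."""
    ages = [as_of_year - f["published"] for f in findings]
    return {"over_2y": sum(a >= 2 for a in ages) / len(ages),
            "over_10y": sum(a >= 10 for a in ages) / len(ages)}

def sla_report(findings, today, min_cvss=4.0, sla_days=30):
    """Days of exposure per finding at or above min_cvss (the report's CVSS 4.0 cut-off).
    Unpatched findings are still open as of 'today'. Returns the mean exposure and the
    findings that exceed the patching SLA, flagging those still open."""
    rows = []
    for f in findings:
        if f["cvss"] < min_cvss:
            continue
        closed = f["patched"] or today
        rows.append({"host": f["host"], "id": f["id"], "days": (closed - f["detected"]).days,
                     "still_open": f["patched"] is None})
    return {"mean_days": mean(r["days"] for r in rows) if rows else 0.0,
            "breaches": [r for r in rows if r["days"] > sla_days]}

def run_sample():
    return age_profile(FINDINGS, 2014), sla_report(FINDINGS, date(2014, 12, 31))

if __name__ == "__main__":
    ages, sla = run_sample()
    print(f"{ages['over_2y']:.0%} of findings are 2+ years old, {ages['over_10y']:.0%} are 10+")
    print(f"mean exposure for CVSS>=4.0: {sla['mean_days']:.0f} days; breaches: {sla['breaches']}")
```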
Old, unpatched vulnerabilities can be a relatively easy exploit path for most attackers. During 2014, 76 percent of the vulnerabilities identified in client systems by NTT vulnerability scanning and management services were from 2012 or earlier, making them more than two years old. Almost 9 percent of the vulnerabilities identified by NTT Group in 2014 were more than 10 years old.

[Figure: Detected vulnerabilities by year of release, 1999 through 2014, as a percentage of detected vulnerabilities. Caption: Many new vulnerabilities in 2014 but some from as far back as 1999.]

Although configuration and patch management are not new concepts, qualitative analysis of vulnerability scanning data illustrates that most organizations are still doing them poorly. Many organizations still focus attention on patching critical and public-facing servers; however, most attacks today are focused on the end user and third-party applications. To mitigate potential losses due to configuration management and patch management issues, organizations should:
- Document configuration and change control policies and procedures
- Document patch management policies and procedures for operating systems, network devices and third-party applications
- Implement solutions which can expedite configuration and patch management processes, and document related activities
- Ensure that the organization has visibility and awareness of the status of vulnerabilities across all technologies in the environment
- Implement processes for emergency escalation of patches, especially when vulnerabilities which are being actively exploited in the wild exist on organizational devices
- Develop test plans and validate that controls and processes are working as anticipated

Configuration and patch management can be tedious and difficult, especially when managing a variety of end-user devices in a highly distributed, heterogeneous environment. Implementing an active, aggressive patch management program can remove common vulnerabilities from both servers and end-user systems, minimizing the effectiveness of newer exploits and common exploit kits.

CONTROL AREA 4: MONITORING

Some of the breaches analyzed by NTT Group in 2014 had been in process for quite some time. Organizations discovered some of the breaches months after the initial compromises occurred and after data had already been lost. Attackers often gain a foothold in an organization's network and conduct a patient attack campaign, extending their control through the victim's environment while avoiding detection. Some of these breaches had even been reported by malware and IDS systems but ignored.

Many breaches included compromise of multiple systems distributed across the organization's internal network. These compromised systems were often involved in communications related to the compromise (downloading of malware, exfiltration of data) for an extended period of time. This included unauthorized communication between internal servers as well as communications with both internal and external command and control (C&C) servers.

Truly effective monitoring includes not only system logs and alerts, but also behavioral analysis of an organization's baseline environment. Behavioral monitoring can detect anomalous activity in an environment. For example:

- Systems which had never communicated are suddenly exchanging large amounts of information
- Multiple distributed systems are suddenly talking with a few centralized systems
- Or, more obviously, but often still not detected by many organizations, previously quiet internal systems are suddenly talking to external systems

To ensure organizations get the most out of their monitoring investment, NTT Group recommends:

- Understand your environment, knowing that not all logs are created equal. Security engineers can help your organization identify the logs, devices and systems which provide the most value and context.
- Most environments with strong monitoring are the result of years of maturity and constant planning and improvement. Define your tactical and strategic plans for monitoring and then work your plan.
- Your monitoring plan determines how well you can identify activities which occur during breaches, but can also help your organization meet compliance requirements. Maximize the value of monitoring by applying it to multiple use cases.
- Monitoring, like many other security controls, achieves its maximum value when layered. Log at the network layer and the application layer.
Log externally facing IDS/IPS, firewalls and WAFs, but also consider directory services, anti-virus, file monitoring, databases, web applications, proxies and DLP.
- Consider monitoring key devices at the source as opposed to relying on identifying malicious activity as it traverses other devices.

CONTROL AREA 5: ACTIVE INCIDENT RESPONSE

During 2014, about 74 percent of organizations which used NTT Group incident response services had no functional incident response plan. An incident response plan is only effective if it enables the organization to respond to an incident in an actionable and coordinated manner. For the incidents analyzed, NTT Group observed many organizations asking themselves the same questions:

- Did the alerts actually constitute a breach?
- Was the organization actually under attack?
- Who from the organization should respond?
- Is the organization primarily interested in retaining evidence of the breach, restoring service, protecting data, or is there another priority?
- What systems and/or data should receive the highest response priority?
- Who are the organization's third-party vendors (e.g., their ISP) and who are the contacts (and what are their contact phone numbers) at those organizations?
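The three behavioral indicators listed under Control Area 4 (never-seen pairs exchanging data, many distributed hosts converging on a few, quiet internal hosts suddenly reaching external systems) and the ongoing validation of segregation controls called for under Control Area 1 can all be checked from the same flow records. The following is an added example, not NTT Group's code; the zone map, inter-zone policy, fan-in threshold and flow records are constructed assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone map and inter-zone policy for illustration (not NTT data).
ZONES = {"callcenter": ip_network("10.10.0.0/16"), "dev": ip_network("10.20.0.0/16"),
         "admin": ip_network("10.30.0.0/24"), "servers": ip_network("10.40.0.0/16")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Permitted (source zone, destination zone) pairs; admin work only from the admin subnet.
ALLOWED = {("callcenter", "servers"), ("dev", "servers"), ("admin", "servers"), ("admin", "dev")}

def zone_of(ip):
    """Map an address to a zone name, 'unzoned' (internal but unmapped) or 'external'."""
    addr = ip_address(ip)
    if not any(addr in net for net in RFC1918):
        return "external"
    return next((name for name, net in ZONES.items() if addr in net), "unzoned")

def analyze(baseline, window, fan_in_threshold=3):
    """Compare (src, dst, bytes) flows in a window against a learned baseline; flag
    segregation violations, new pairs, new egress talkers and new fan-in on one host."""
    seen_pairs = {(s, d) for s, d, _ in baseline}
    seen_egress = {s for s, d, _ in baseline if zone_of(d) == "external"}
    findings, fan_in = defaultdict(list), defaultdict(set)
    for src, dst, nbytes in window:
        sz, dz = zone_of(src), zone_of(dst)
        if dz != "external" and sz != dz and (sz, dz) not in ALLOWED:
            findings["segregation_violation"].append((src, dst))
        if (src, dst) not in seen_pairs:
            findings["new_pair"].append((src, dst, nbytes))
        if dz == "external" and src not in seen_egress:
            findings["new_egress"].append((src, dst))
        elif dz != "external":
            fan_in[dst].add(src)
    for dst, srcs in fan_in.items():
        new_srcs = srcs - {s for s, d in seen_pairs if d == dst}
        if len(new_srcs) >= fan_in_threshold:
            findings["new_fan_in"].append((dst, sorted(new_srcs)))
    return dict(findings)

# Constructed sample flows; 198.51.100.0/24 is a documentation range standing in for the Internet.
BASELINE = [("10.10.1.5", "10.40.0.10", 1200), ("10.30.0.2", "10.40.0.10", 800),
            ("10.40.0.10", "198.51.100.7", 300)]
WINDOW = [("10.10.1.5", "10.40.0.10", 1500),        # normal call-center traffic
          ("10.10.1.5", "10.20.3.4", 2_000_000),     # call center reaching into dev
          ("10.10.1.7", "10.40.0.55", 500), ("10.10.1.8", "10.40.0.55", 500),
          ("10.10.1.9", "10.40.0.55", 500),          # many hosts converge on one server
          ("10.40.0.55", "198.51.100.23", 50_000)]   # that server then talks outbound

def run_sample():
    return analyze(BASELINE, WINDOW)
```

Each finding name maps to one of the indicators above, so the output can be routed as separate SIEM use cases rather than one undifferentiated alert.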
These are exactly the types of questions which a mature incident response plan would identify during development, coordination, review and testing. During an attack, it will be hard enough to respond to the incident in a planned manner. Failing to plan will extend the duration and losses associated with an attack. The response process is even more complicated if the organization tries to figure out what its incident response should be amidst the chaos of an ongoing breach.

An effective incident response plan will define the following activities before an attack occurs:

- Define the incident response team, along with their roles and responsibilities
- Document contact information for relevant vendors and third parties, such as ISP tech support, and define how they fit in the process
- Define any required skill sets which do not exist within the organization, and how they will be obtained and utilized
- Define processes to communicate effectively during incidents
- Define criteria to declare when an incident has started, as well as when an incident has ended

This is a drastic simplification of a real incident response plan, which would still have to be implemented effectively and include procedures which are clearly communicated to all responsible individuals. Unfortunately, NTT Group analysis of incidents in 2014 shows that these simple concepts are often overlooked by even the most mature organizations.
CONCLUSION

Not every compromise is a result of missing the fundamental controls discussed in this section. However, if every breached organization had implemented truly effective controls in these areas, those organizations would have been more resilient and better prepared to respond to an attack. Effective implementation of these five control areas can have an immediate, positive impact on the security of any organization.