How to effectively respond to an information security incident
www.pwc.com
Agenda
- Analogy
- Plan Preparation
- Incident Handling Overview
- Collect & Triage
- Investigation
- Containment
- Eradication
- Recovery
Are you going in the water?
Initial incident response steps
- Gather documentation
  - Contact lists, network diagrams, etc.
- Designate incident leads
- Notify proper contacts
  - Internal contacts: Legal, management, internal support leads
  - External contacts: Legal, vendor support, trusted third parties, law enforcement
Incident handling overview
Based on NIST 800-61 Incident Handling
- Detect and Analyze (Triage)
- Containment
- Collect, Preserve and Investigate
- Eradication
- Recovery (lessons learned)
(Diagram: the phases Detect and analyze, Collect & Preserve, Contain, Eradicate and Recovery shown as a cycle)
Detection and analysis
Do we have an incident? (Yes/No)
- How were we notified?
  - Internal vs. external
- Deploy experienced people to determine if you have a real incident
- Is this a regulatory, legal or contractual issue?
Practical example: ecommerce site
- Client reported a server performance issue
- Tech Support found the load too high
- Developer examined the code
  - Identified foreign code on the server, referred it to Security
- Security began collecting data
  - Contacted an external Incident Response team
Practical example: Incident Response Team
- Examined the server
- Recommended blocking IP addresses
- Examined the server population
- Provided a written report of the incident
- Recommended eradication
- Recommended policy and procedure changes
Exfiltration
What to do next
- Incident classification (DDoS, malware, unauthorized access)
- Triage the problem: follow the evidence
- What are my capabilities?
- What am I looking for?
- How will I accomplish what I need to do?
Collection and preservation
Evidence preservation
- Proper forensic collection and documentation
  - Collect what you need to answer the questions
- Malware analysis
  - What are we dealing with and what is it capable of?
    - Data exfiltration
    - Keylogger
    - Sniffer
    - Dumping memory
Data to collect
- Forensic images of the compromised systems
- Firewall logs
- Web server logs
- Proxy server logs
- Netflow data
- Syslogs (Unix)
- Local Windows event logs
- Domain Controller event logs
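The two slides above ask for proper collection and documentation of exactly these log sources. The script below is an added example of what that documentation can look like in practice; it is not PwC's tooling or anything from the original deck. It walks the list of sources, records size, SHA-256, collector and UTC time for each file found, reports the sources that were expected but not found (the visibility gaps), and can later re-hash the files to prove nothing changed after collection. The source-to-path mapping, the collector id and the sample log lines are constructed for the demonstration.

```python
"""Hashed collection manifest for the log sources listed on the slide.

Added example (not PwC's or the deck's own tooling). The source-to-path mapping,
collector id and the sample log lines are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Log sources named on the slide -> assumed relative paths they would be pulled from.
LOG_SOURCES = {
    "firewall": "firewall.log",
    "webserver": "access.log",
    "proxy": "proxy.log",
    "netflow": "netflow.csv",
    "syslog": "messages",
    "windows_event": "Security.evtx",
    "domain_controller": "DC01-Security.evtx",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, sources, collector):
    """Record size, hash, collector and UTC time for each source present; list the ones missing.

    The 'missing' list is the gap report: sources the plan expected but the collection did not find.
    """
    entries, missing = [], []
    for name, rel in sources.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(name)
            continue
        entries.append({
            "source": name,
            "path": path,
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return {"entries": entries, "missing": missing}


def verify_manifest(manifest):
    """Re-hash every recorded file; return the sources whose content changed since collection."""
    return [e["source"] for e in manifest["entries"] if sha256_file(e["path"]) != e["sha256"]]


def demo():
    """Constructed walk-through: stage three sample logs, build the manifest, then alter one file."""
    root = tempfile.mkdtemp()
    try:
        samples = {  # constructed sample log lines
            "firewall.log": "2012-03-01T10:00:01Z DENY TCP 203.0.113.5:4444 -> 192.0.2.10:22\n",
            "access.log": '192.0.2.10 - - [01/Mar/2012:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512\n',
            "messages": "Mar  1 10:00:03 web01 sshd[2211]: Accepted password for admin from 203.0.113.5\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        manifest = build_manifest(root, LOG_SOURCES, collector="handler-01")
        before = verify_manifest(manifest)
        # Someone edits an evidence file after collection: the manifest now disagrees with disk.
        with open(os.path.join(root, "access.log"), "a") as f:
            f.write("edited after collection\n")
        after = verify_manifest(manifest)
        with open(os.path.join(root, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        return {"manifest": manifest, "before": before, "after": after}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    print("missing sources:", result["manifest"]["missing"])
    print("changed since collection:", result["after"])
```

In the demo, four of the seven sources are reported missing (proxy, netflow and both Windows event logs), which is the "what don't I know" list the handler has to chase, and the web server log is flagged as changed because it was appended to after the hash was taken. In a real engagement the manifest would be written to separate, write-once storage rather than next to the evidence.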
Triage process flow
(Flowchart: Incident Handler -> Compromised host? Yes -> Forensics; No -> Information Security. Malware present? Yes -> Malware Analysts; No -> Hardening, Monitoring)
Containment
Initial containment (1-3 days)
- Apply the M&M approach (hard & crunchy on the outside, soft & chewy on the inside)
- Data characterization (add rings of security)
- Grab the low-hanging fruit
  - Update AV, flag suspicious files, HIDS/HIPS, create IDS signatures, block traffic, change passwords, disable accounts
  - Change to manual procedures if necessary
What don't I know?
- Where do I need increased visibility?
  - Review logs, increase auditing/logging (system, database, network device, etc.)
  - Process to secure, archive, collect and review logs
  - As the British say, "Mind the gap!"
- SQL query logging example:
SQL query logging example
Sophisticated attack on a database
- Cracked the PINs for banking cards
- Used SQL injection to inject a malicious executable into the database
- Withdrawal limits on the cards were raised to maximize the amount that could be withdrawn
- No SQL logging performed on the databases
- Client using a SQL query recorder
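The two slides above make the same point from both sides: the gap was that nobody had visibility into what the database was being asked to do, and the fix was a SQL query recorder. Recording alone does not close the gap; someone has to review what was recorded. The script below is an added example of that review step, not PwC's or the client's tooling. It learns the shapes of statements seen in a known-good period (literals replaced by `?`), then flags recorded statements whose shape was never seen before, stacked statements, comment sequences, and any write that touches a column the business owner marked sensitive, such as the withdrawal limit the slide describes. The recorder line format (`time|db_user|statement`), the table and column names, and the sample lines are all constructed.

```python
"""Review recorded SQL statements against a learned baseline.

Added example (not the deck's or the client's tooling). Recorder format, schema names
and sample lines are constructed; the first three lines stand in for a known-good period.
"""
import re

SAMPLE_LOG = """\
2012-03-01T09:58:00Z|app_user|SELECT card_id, pin_hash FROM cards WHERE card_id = 4111111111111111
2012-03-01T09:58:01Z|app_user|SELECT balance FROM accounts WHERE account_id = 778812
2012-03-01T09:58:02Z|app_user|UPDATE accounts SET balance = 1200.50 WHERE account_id = 778812
2012-03-01T10:02:11Z|app_user|SELECT card_id, pin_hash FROM cards WHERE card_id = 0 OR 1=1 --
2012-03-01T10:02:12Z|app_user|SELECT balance FROM accounts WHERE account_id = 0; UPDATE cards SET withdrawal_limit = 99999 WHERE card_id = 4111111111111111 --
2012-03-01T10:02:13Z|app_user|SELECT balance FROM accounts WHERE account_id = 778813
"""

# Assumption: columns the business owner identified as sensitive for this application.
SENSITIVE_COLUMNS = ("withdrawal_limit", "pin_hash")


def parse(log_text):
    """Split recorder output into rows; statements may themselves contain '|', so split at most twice."""
    rows = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ts, user, sql = line.split("|", 2)
        rows.append({"line": n, "time": ts, "user": user, "sql": sql})
    return rows


def fingerprint(sql):
    """Reduce a statement to its shape: string and numeric literals become '?', case and spacing normalized."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def build_baseline(rows):
    """Set of statement shapes observed during a period believed to be clean."""
    return {fingerprint(r["sql"]) for r in rows}


def review(rows, baseline, sensitive=SENSITIVE_COLUMNS):
    """Return one finding per suspicious row with the reasons it was flagged."""
    findings = []
    for r in rows:
        sql = r["sql"]
        low = sql.lower()
        reasons = []
        if fingerprint(sql) not in baseline:
            reasons.append("unknown_shape")          # application never issued this statement shape
        if ";" in sql.rstrip().rstrip(";"):
            reasons.append("stacked_statement")      # more than one statement in a single call
        if "--" in sql or "/*" in sql:
            reasons.append("comment_sequence")       # application code does not emit comments
        if re.search(r"\b(update|insert|delete)\b", low) and any(c in low for c in sensitive):
            reasons.append("sensitive_write")        # a write touching a protected column
        if reasons:
            findings.append({"line": r["line"], "time": r["time"], "user": r["user"], "reasons": reasons})
    return findings


def demo():
    """Constructed run: baseline from the first three rows, review of the whole sample."""
    rows = parse(SAMPLE_LOG)
    baseline = build_baseline(rows[:3])
    return review(rows, baseline)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f['line']} {f['time']} {f['user']}: {', '.join(f['reasons'])}")
```

On the sample, lines 4 and 5 are flagged and the rest are not; line 5 trips all four checks, including the write to `withdrawal_limit`, which is the event the slide says went unnoticed for lack of logging. The baseline approach assumes the learning period really was clean; if the recorder was only switched on after the compromise began, the first review should be a manual one.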
Eradication & remediation (2-4 weeks)
- Remove malware
- Re-image and/or rebuild systems
  - Consider legacy applications
- Delete/disable accounts
- System and network device hardening
- Increase log monitoring
Longer term issues
- Data flows
- Application characteristics
- Server characteristics
- Risk factors
- Regulatory and compliance issues
Recovery: long term goals
- Implement an Information Security group with a CISO
- Integrate Information Security into all facets of the business
- Network isolation and segmentation
- System hardening
- Annual security audits (include penetration testing)
  - Include 3rd-party connections
- Implement a Sensitive Data Program
Recommendations
- Ensure there is an incident response plan in place
- Know where your crown jewels are located
- Regular security assessments conducted by an outside firm
- Have an incident response support team on speed dial
Questions
Contact:
Dave Nardoni 213-356-6308
Jef Dye 213-217-3976
2012 PricewaterhouseCoopers LLP. All rights reserved. refers to the United States member firm, and may sometimes refer to the network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.