8 January 2015 SOME Event - BGA Cyber Security Incident Response Team

CYBER SECURITY INCIDENT RESPONSE TEAM BY BGA INFORMATION SECURITY & CONSULTING

Upload: bga-bilgi-guevenligi-akademisi

Posted on 14-Jul-2015


TRANSCRIPT

Page 1: 8 January 2015 SOME Event - BGA Cyber Security Incident Response Team

CYBER SECURITY INCIDENT RESPONSE TEAM BY BGA INFORMATION SECURITY & CONSULTING

BGA INFORMATION SECURITY & CONSULTING

Page 2

About me: Candan BÖLÜKBAŞ
• about.me/bolukbas
• METU Computer Eng.
• CCNA, CCNP, CEH, ITIL, MCP
• Enterprise Security Services Manager
• 7-year .NET & Obj-C developer
• Network & Security Admin, Presidency of the Republic of Turkey (T.C. Cumhurbaşkanlığı)
• [email protected]
• @candanbolukbas

Page 3

Agenda
• Introduction
• Cyber attacks in the world
• CSIRT statistics from USA & UK
• CSIRT efficiency measurement
• Best practices for creating a CSIRT
• Conclusion & recommendations
• Questions

Page 4

Challenges that today's security organizations have to deal with:

• Malware campaigns launched by organized criminal groups who look to steal information that can be sold on the black market
• Increasingly powerful distributed denial-of-service (DDoS) attacks that can take out large websites
• State-sponsored espionage that can penetrate even well-defended networks.

Page 5

As attacks have become more sophisticated, the need for Computer Security Incident Response Teams (CSIRTs) has grown.

Threats shown around the CSIRT in the slide diagram: Botnets; Distributed denial-of-service (DDoS) attacks; Insider threats; Advanced persistent threats (APTs).

Page 6 (slide contains only an image)

Page 7 (slide contains only an image)

Page 8 (slide contains only an image)

Page 9

What Are the Questions?
• What are the basic requirements for establishing a CSIRT?
• What type of CSIRT will be needed?
• What type of services should be offered?
• How big should the CSIRT be?
• Where should the CSIRT be located in the organization?
• How much will it cost to implement and support a team?
• What are the initial steps to follow to create a CSIRT?

Page 10

What Are Some Best Practices for Creating a CSIRT?

• Step #1: Obtain management support and buy-in
• Step #2: Determine the CSIRT strategic plan
• Step #3: Gather relevant information
• Step #4: Design the CSIRT vision
• Step #5: Communicate the CSIRT vision and operational plan
• Step #6: Begin CSIRT implementation
• Step #7: Announce the operational CSIRT
• Step #8: Evaluate CSIRT effectiveness

Page 11

Step 1: Obtain Management Support and Buy-In

• Executive and business or department managers and their staffs committing time to participate in this planning process; their input is essential during the design effort.
• Along with obtaining management support for the planning and implementation process, it is equally important to get management commitment to sustain CSIRT operations and authority for the long term.
• It is important to elicit management's expectations and perceptions of the CSIRT's function and responsibilities.

Page 12 (slide contains only an image)

Page 13

Chart: What percentage of your organization's security budget is allocated to incident response?
Response shares shown (in extracted order): 1%, 2%, 5%, 11%, 31%, 50%
Answer categories (in extracted order): More than 50%; 41% to 50%; 31% to 40%; 21% to 30%; 10% to 20%; Less than 10%

Page 14

Step 2: Determine the CSIRT Development Strategic Plan

• Are there specific time frames to be met? Are they realistic, and if not, can they be changed?
• Is there a project group? Where do the group members come from? You want to ensure that all stakeholders are represented.
• How do you let the organization know about the development of the CSIRT?
• If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?

Page 15

Step 3: Gather Relevant Information

The stakeholders could include but are not limited to:
• Business managers
• Representatives from IT
• Representatives from the legal department
• Representatives from human resources
• Representatives from public relations
• Any existing security groups, including physical security
• Audit and risk management specialists
• General representatives from the constituency

Page 16

Step 4: Design Your CSIRT Vision

In creating your vision, you should:
• Identify your constituency. Who does the CSIRT support and serve?
• Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified constituency?
• Select the CSIRT services to provide to the constituency (or others). How does the CSIRT support its mission?
• Determine the organizational model. How is the CSIRT structured and organized?
• Identify required resources. What staff, equipment, and infrastructure are needed to operate the CSIRT?
• Determine your CSIRT funding. How is the CSIRT funded for its initial startup and its long-term maintenance and growth?

Page 17

Step 5: Communicate the CSIRT Vision

• Communicate the CSIRT vision and operational plan to management, your constituency, and others who need to know and understand its operations.
• Make adjustments to the plan based on their feedback.
• Communicating your vision in advance can help identify process or organizational problems before implementation.
• It is a way to let people know what is coming and allow them to provide input into CSIRT development. This is a way to begin marketing the CSIRT to the constituency and gaining the needed buy-in from all organizational levels.

Page 18

Step 6: Begin CSIRT Implementation

Once management and constituency buy-in is obtained for the vision, begin the implementation:
• Hire and train initial CSIRT staff.
• Buy equipment and build any necessary network infrastructure to support the team.
• Develop the initial set of CSIRT policies and procedures to support your services.
• Define the specifications for and build your incident-tracking system.
• Develop incident-reporting guidelines and forms for your constituency.

Page 19

Chart: How many team members are fully dedicated to CSIRT?
Response shares shown (in extracted order): 45%, 28%, 14%, 11%, 2%
Answer categories (in extracted order): 0; 1; 2-5; 5-10; 10+

Page 20

Step 7: Announce the CSIRT

• When the CSIRT is operational, announce it broadly to the constituency or parent organization.
• Include the contact information and hours of operation for the CSIRT in the announcement.
• You may also want to develop information to publicize the CSIRT, such as a simple flyer or brochure outlining the CSIRT mission and services.

Page 21

Step 8: Evaluate the Effectiveness of the CSIRT

Information on effectiveness can be gathered through a variety of feedback mechanisms, including:
• Benchmarking against other CSIRTs
• General discussions with constituency representatives
• Evaluation surveys distributed to constituency members on a periodic basis
• Creation of a set of criteria or quality parameters
• Compare with Expectations for Computer Security Incident Response (RFC 2350)
• Remember that patience can be a key!

Page 22

How long it takes to respond: approximate average MTTI, MTTK, MTTF and MTTV experienced by organizations in recent incidents

• MTTI: Mean time to identify
• MTTK: Mean time to know
• MTTF: Mean time to fix
• MTTV: Mean time to verify
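The slide names the four timing metrics but gives no definition of where each one starts and ends. The following Python script is an added example, not part of the deck or of BGA's material: it computes MTTI, MTTK, MTTF and MTTV from incident-tracker records, which is one way to produce the "meaningful operational metrics" the deck's conclusions call for. The milestone order (occurred, identified, known, fixed, verified) and the pairing of each metric with the gap between two adjacent milestones are assumptions made here; the incident ids and timestamps are constructed sample data. Open incidents count only towards the metrics whose end milestone they have reached, and records whose timestamps run backwards are reported and excluded rather than averaged in.

```python
"""Incident-response timing metrics (MTTI, MTTK, MTTF, MTTV) from an incident log.

Added example; the milestone endpoints below are assumptions, not the deck's definitions:
    MTTI = identified - occurred   (time to identify that an incident exists)
    MTTK = known - identified      (time to know its scope and root cause)
    MTTF = fixed - known           (time to fix / remediate)
    MTTV = verified - fixed        (time to verify the fix held)
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional, Tuple

MILESTONES = ["occurred", "identified", "known", "fixed", "verified"]
METRICS = {
    "MTTI": ("occurred", "identified"),
    "MTTK": ("identified", "known"),
    "MTTF": ("known", "fixed"),
    "MTTV": ("fixed", "verified"),
}


@dataclass
class Incident:
    incident_id: str
    occurred: datetime
    identified: datetime
    known: Optional[datetime] = None      # None: milestone not reached yet
    fixed: Optional[datetime] = None
    verified: Optional[datetime] = None


def ordering_problems(inc: Incident) -> List[str]:
    """Report milestones whose timestamps run backwards.

    A ticket that says 'known' before 'identified' is a data-quality defect;
    averaging it in would make the team look faster than it is.
    """
    problems: List[str] = []
    prev_name: Optional[str] = None
    prev: Optional[datetime] = None
    for name in MILESTONES:
        ts = getattr(inc, name)
        if ts is None:
            continue
        if prev is not None and ts < prev:
            problems.append(f"{inc.incident_id}: {name} precedes {prev_name}")
        prev_name, prev = name, ts
    return problems


def incident_metrics(incidents: List[Incident]) -> Dict[str, Tuple[Optional[float], int]]:
    """Return {metric: (mean hours, incidents counted)}.

    Each metric counts only incidents that reached its end milestone, so an
    open incident contributes to MTTI but not to MTTF; records with
    inconsistent timestamps are dropped entirely. (None, 0) means no data.
    """
    clean = [inc for inc in incidents if not ordering_problems(inc)]
    result: Dict[str, Tuple[Optional[float], int]] = {}
    for metric, (start, end) in METRICS.items():
        hours = [
            (getattr(inc, end) - getattr(inc, start)).total_seconds() / 3600
            for inc in clean
            if getattr(inc, start) is not None and getattr(inc, end) is not None
        ]
        result[metric] = (round(mean(hours), 2), len(hours)) if hours else (None, 0)
    return result


# Constructed sample records (hypothetical incident ids and times).
SAMPLE_INCIDENTS = [
    Incident("INC-0001", datetime(2015, 1, 5, 8), datetime(2015, 1, 5, 20),
             datetime(2015, 1, 6, 8), datetime(2015, 1, 6, 14), datetime(2015, 1, 7, 14)),
    Incident("INC-0002", datetime(2015, 1, 2, 0), datetime(2015, 1, 4, 0),
             datetime(2015, 1, 4, 12), datetime(2015, 1, 5, 0)),           # fix not yet verified
    Incident("INC-0003", datetime(2015, 1, 6, 10), datetime(2015, 1, 6, 16)),  # still being scoped
    Incident("INC-0004", datetime(2015, 1, 8, 0), datetime(2015, 1, 8, 10),
             datetime(2015, 1, 8, 9)),                                      # bad data: known < identified
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        for problem in ordering_problems(inc):
            print("excluded:", problem)
    for metric, (hours, n) in incident_metrics(SAMPLE_INCIDENTS).items():
        print(f"{metric}: {hours} h (n={n})" if n else f"{metric}: no data")
```

Reporting the count next to each mean matters: on the sample data MTTV rests on a single verified incident, and a CSIRT that quotes such a figure without its sample size is benchmarking against noise.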

Page 23

Chart: Most effective security tools for detecting security breaches
Response shares shown (in extracted order): 80%, 76%, 67%, 65%, 56%
Tools listed (in extracted order): Anti-virus; IP reputation & threat feed services; Intrusion prevention/detection systems; SIEM; Analysis of NetFlow or packet captures

Page 24 (slide contains only an image)

Page 25

CSIRT service categories

Reactive Services
• Alerts and Warnings
• Incident Handling
  • Incident analysis (Forensic & Tracking)
  • Incident response on site
  • Incident response support
  • Incident response coordination
• Vulnerability Handling
  • Vulnerability analysis
  • Vulnerability response
  • Vulnerability response coordination
• Artifact Handling
  • Artifact analysis
  • Artifact response
  • Artifact response coordination

Proactive Services
• Announcements
• Technology Watch
• Security Audits or Assessments (Scan & Pentest)
• Configuration and Maintenance of Security Tools, Applications, and Infrastructures
• Development of Security Tools
• Intrusion Detection Services
• Security-Related Information Dissemination

Security Quality Management Services
• Risk Analysis
• Business Continuity and Disaster Recovery Planning
• Security Consulting
• Awareness Building
• Education/Training
• Product Evaluation or Certification

Page 26 (slide contains only an image)

Page 27

Conclusion & Recommendations

• Make it a priority to build an incident response team consisting of experienced, full-time members
• Assess the readiness of incident response team members on an ongoing basis
• Create clearly defined rules of engagement for the incident response team
• Translate the results of these measures into user-friendly business communications
• Involve multi-disciplinary areas of the organization in the incident response process
• Invest in technologies that support the collection of information to identify potential threats
• Consider sharing threat indicators with third-party organizations to foster collaboration
• Have meaningful operational metrics to gauge the overall effectiveness of incident response

Page 28

References

[1] West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response Teams (CSIRTs) (CMU/SEI-98-HB-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1998. Note that this document was superseded by the 2nd edition (CMU/SEI-2003-HB-002), published in April 2003.

[2] Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001 (ISBN: 3-8311-0059-4).

[3] Kossakowski, Klaus-Peter & Stikvoort, Don. A Trusted CSIRT Introducer in Europe. Amersfoort, Netherlands: M&I/Stelvio, February 2000.

[4] Exposing One of China's Cyber Espionage Units. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

[5] M-Trends® 2013: Attack the Security Gap. http://pages.fireeye.com/MF0D0O0PDVp6y106k0TI0B3

[6] M-Trends® 2011: When Prevention Fails. http://www.mandiant.com/assets/PDF_MTrends_2011.pdf

[7] M-Trends® 2012: An Evolving Threat. http://www.mandiant.com/assets/PDF_MTrends_2012.pdf

[8] Cyber Security Incident Response 2014. http://www.lancope.com/files/documents/Industry-Reports/Lancope-Ponemon-Report-Cyber-Security-Incident-Response.pdf

[9] Create a CSIRT. https://www.cert.org/incident-management/products-services/creating-a-csirt.cfm

[10] CSIRT Services list from CERT/CC. https://www.enisa.europa.eu/activities/cert/support/guide/appendix/csirt-services

Page 29

Questions

Page 30 (slide contains only an image)