Revisiting Your Incident
Response Program
Michael J. Assante
Chief Executive Officer
National Board of Information
Security Examiners
Agenda
• Importance of skilled people
• New response model & roles
• Shaping your defenses through incident analysis
Incident Response: People and Technology
• Ever-changing threats: automated systems will always be a step behind
• Must develop front-line defenders
• Highly complex issues require professionals with a demonstrated level of hands-on competence, performance, and intuition
• Learning from past incidents has shifted values toward different and hard-to-acquire skills (e.g. reverse engineering)
Enhancing Our Workforce
“During the past year, several Fortune 100 companies saw advanced, persistent attacks on their infrastructures. While these companies invest millions of dollars in protections, they don't necessarily have the personnel to defend against that level of threat.”
Tim McKnight, Chief Information Security Officer at Northrop Grumman Corporation (McKnight, 2011)
Organizations should identify and develop security professionals who perform reliably under pressure, think together creatively, regroup adaptively, adjust swiftly to changing tactical conditions, and learn quickly from mistakes and failures.
Intrusion Analysts & Responders
CSO Challenges
• Attracting talent and competence
• Integrating new people & skills
– Transferring knowledge of the existing system (design challenges, system operations, risks and recovery)
• Developing your workforce to be successful and accelerate skill building & performance
– Lack of simulation tools
– Keeping up with change
– Hope to best develop methods and systems that can accelerate learning curves, enabling young, inexperienced talent to transform their knowledge into skill
[Figure: drivers of change on the grid, arranged around “smart grid”, cyber security and reliability: demand; conventional & hydro generation; demand response; nuclear; energy efficiency; plug-in hybrid electric vehicles / storage; rooftop solar / local wind development; wind & variable generation]
Cyber security is one of the most important concerns for the 21st century grid and must be central to design, engineering, operations, policy and strategy. The challenge flows from generator to meter.
Driving change
Smart Grid’s Mid-life Crisis?
Workforce Opportunity
• To become integral to the delivery of our service
• Core aspect of the business
• Sourcing for professionals
• Redefine approaches and models
Generation: 5,000 plants; 65% of average customer monthly bill; employs approx. 120,000 people nationwide
Transmission: 160,000 miles; 5% of average customer monthly bill; employs approx. 15,000 people nationwide
Distribution: over 1,000,000 miles; 30% of average customer monthly bill; employs approx. 400,000 people nationwide
[Figure: competency matrix. Axes: Knowledge (understanding of strategy or procedure), shallow to deep; Skills (consistency of performance), inconsistent to consistent; Ability (transfer across domains), narrow to broad. Levels marked: Novice, Apprentice, Journeyman, Master]
Building Competency
• Highly resourced attackers can assemble people capable of collaborating, planning for system variances, anticipating security controls, targeting individuals, and fielding new exploits
• Our defensive thinking has been shaped by the more frequent and less directed threats of the past
• New defense models are emerging
Intrusion Analysts & Responders
Emerging Incident Response Roles
• The existing frameworks are inclusive, but newer models proving to be more effective have combined certain roles or put a sharper focus on specialization
– Host-based reverse engineer/intrusion analyst
– Network-based reverse engineer/intrusion analyst
– Malware reverse engineer/analyst
– Intelligence analyst
Healthy View of the Contest Before Us
“What loses wars is not the inevitable mistakes but the failure to correct them in time – and the degree to which defeatism and depression (because errors occurred at all) are allowed to erode morale”
Victor Davis Hanson, “The Father of Us All” (2010)
Goals of Incident Response
① To return to normal operations as soon as possible
② To gather intelligence
③ To learn from every incident and inform/shape your defenses
[Figure: attacker and defender timelines. Attacker track: attack forecast, attack set-up, target analysis, probe, attack begins, system intrusion, attacker surveillance, discovery / persistence, leap-frog attacks complete, maintain foothold, cover-up starts, cover-up complete, access. Defender track: physical security, monitoring & controls, threat analysis, defender discovery, attack identified, system reaction, incident reporting, impact analysis, damage identification, containment & eradication, recovery, response, analysis to determine indicators. The interval labelled “attacker free time” runs from the intrusion until defender discovery.]
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
Leveling the Playing Field
Network firewalls: IPs change constantly
DNS: new domains all the time
IDS/IPS: no signatures for 0-days, and can't decode e-mails and links on the fly (base64, embedded EXEs, XORed EXEs in e-mails)
Virus protection: no signatures for 0-days
Server hardening: attacks are against the application layer
Application & data: availability & functionality always win
Static Defenses Are Failing
The Importance of Analysis
• Mining the data that is already being collected
• Identify important indicators
• Your infrastructure/systems can be the best source of intelligence
• Intrusion analysts traditionally react
– Must operate in a continual cycle with the goal of being proactive
• Develop an adaptive understanding of the threat environment based on incorporating analyses of actual events
Take a Play from NCIS LA
• An intrusion analysis case study
NCIS LA version (image: www.cbs.com)
Our reality (image: http://blink.ucsd.edu/technology/security/CIRT/index.html)
Situation Briefing
• 19:45 in a location near Los Angeles
• Your cyber defense team receives an SMS message from the anti-virus service running in your e-mail gateway
• They politely excuse themselves from their nightclub party and race back in their expensive undercover sports cars
Malicious E-mail Targeting An Employee Detected
• Easy/automated response
• Log it & call the case closed
• Time to relax?
Determining Indicators
• Simple review of the header indicates the e-mail was spoofed from an IP outside the domain’s network blocks [Indicator #1]
• Research the sender to determine if it was a valid account or spoofed [Indicator #2]
• Open-source search of the targeted recipient finds minutes from an industry meeting with their contact info [Indicator #3]
• E-mail has a unique content type/boundary [Indicator #4]
• E-mail has a specific encoding type [Indicator #5]
• Analyze the attached malware and pull out the command & control to a specific URL [Indicator #6]
• Further analysis of the C&C provides a unique HTTP User-Agent string [Indicator #7]
• Identify the files the malware drops on your system [Indicator #8]
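The header and attachment indicators above (#1, #2, #4, #5, #6, #7) can be pulled out of the raw message with nothing more than the Python standard library. The script below is an added example, not material from the original slides: the message, the "malware" payload strings, the domain and the network block are all constructed for the walkthrough. Indicator #3 (open-source research on the recipient) and #8 (dropped files, which need a sandbox run) are not something a static parser can give you.

```python
"""Pull the case study's indicators out of a suspicious e-mail.

Added example, not from the original slides. The message, payload strings,
domain and network block below are all constructed for the walkthrough.
"""
import base64
import email
import re
from email import policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

OUR_DOMAIN = "example.com"                      # assumption
OUR_NETWORKS = [ip_network("192.0.2.0/24")]     # assumption: where our relays live

# Constructed stand-in for the attachment: a PE header followed by the kind of
# strings a quick `strings` pass over real malware turns up (C&C URL, User-Agent).
FAKE_PAYLOAD = (
    b"MZ" + b"\x90" * 30
    + b"http://update.example.org/cmd.php\x00"
    + b"Mozilla/4.0 (compatible; MSIE 6.0; SV1; 1b3f)\x00"
)

# Constructed message: "From" claims a colleague, but the earliest Received
# hop shows an outside relay handing the mail to our own server.
RAW_EMAIL = (
    b"Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
    b"\tby gw.example.com with ESMTP id 1; Tue, 8 Nov 2011 19:45:01 -0800\n"
    b"Received: from relay.example.net (unknown [198.51.100.7])\n"
    b"\tby mail.example.com with ESMTP id 2; Tue, 8 Nov 2011 19:44:55 -0800\n"
    b'From: "J. Colleague" <j.colleague@example.com>\n'
    b"To: target@example.com\n"
    b"Subject: Minutes from the industry meeting\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="----=_Part_0a3f9c1d"\n'
    b"\n"
    b"------=_Part_0a3f9c1d\n"
    b'Content-Type: text/plain; charset="us-ascii"\n'
    b"Content-Transfer-Encoding: 7bit\n"
    b"\n"
    b"Please review the attached minutes.\n"
    b"------=_Part_0a3f9c1d\n"
    b'Content-Type: application/octet-stream; name="minutes.exe"\n'
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: attachment; filename="minutes.exe"\n'
    b"\n"
    + base64.encodebytes(FAKE_PAYLOAD)
    + b"------=_Part_0a3f9c1d--\n"
)

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(msg):
    """IPs of each relaying host, earliest hop first (Received headers are
    prepended as the mail travels, so the last header is the first hop)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hops.extend(IP_IN_BRACKETS.findall(str(hdr)))
    return hops


def extract_indicators(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = relay_ips(msg)
    outside = [ip for ip in hops
               if not any(ip_address(ip) in net for net in OUR_NETWORKS)]
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

    attachments = list(msg.iter_attachments())
    payload = attachments[0].get_content() if attachments else b""
    # Printable runs of 6+ bytes: the same thing `strings` would show.
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{6,}", payload)]
    urls = [s for s in strings if re.match(r"https?://", s)]
    uas = [s for s in strings if s.startswith("Mozilla/")]

    return {
        "outside_relays": outside,                                     # indicator 1
        "from_spoofed": from_domain == OUR_DOMAIN and bool(outside),   # indicator 2
        "boundary": msg.get_boundary(),                                # indicator 4
        "encoding": str(attachments[0]["Content-Transfer-Encoding"]) if attachments else None,  # 5
        "attachment_is_pe": payload.startswith(b"MZ"),
        "c2_url": urls[0] if urls else None,                           # indicator 6
        "user_agent": uas[0] if uas else None,                         # indicator 7
    }


if __name__ == "__main__":
    for name, value in extract_indicators(RAW_EMAIL).items():
        print(f"{name:16} {value}")
```

The spoof check is deliberately simple: an internal From domain arriving via a relay outside your own blocks. If the organisation routes mail through an external provider, that provider's ranges belong in OUR_NETWORKS or every inbound message will look spoofed. The boundary and Content-Transfer-Encoding values are only useful as indicators in combination; base64 on its own describes almost every attachment you receive.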
Final Analysis
• You identify that the employee being targeted works with sensitive company information
• You search the mail logs for e-mails from the spoofed sender and find they have targeted numerous employees from the same work group
• You search your proxy logs and find out the attacker has visited your web site collecting information
• You pull your IDS and firewall logs and find out the same originating IP has slowly scanned your networks
• You are able to classify the incident as one case in a larger, highly targeted attack
• Awareness material needs to be updated
Shaping Your Defense
• Take the indicators and feed them into your IDS, firewall block, DNS blackhole, proxy block, etc.
• Search your network using SMS (Systems Management Server) or a similar endpoint management tool for the dropped *.exe and *.dll files
• The next attack
– A new unpatched Adobe PDF vulnerability is discovered. An exploit is quick to follow
– The same adversary targets more employees with the new attack
– This time there is no alert. The vulnerability slips by your defenses because there is no patch or detection capability available
– If you took the above steps, the attack is most likely mitigated through several informed defenses: firewall block of the C&C IP, proxy block of the URL, IPS/IDS detection on the suspicious User-Agent string, content type/boundary and e-mail encoding, DNS blackhole of the domain name or DNS servers, e-mail dropped from the suspicious mail relay, etc.
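The log searches in the final analysis and the follow-up wave described above are, put together, one correlation exercise: run the indicators from the first e-mail over the logs you already keep, then keep running them. The script below is an added example, not material from the original slides; the indicator values, every log line and the key=value log format are constructed for the walkthrough and do not come from any real product. Its last result is the point of the slide: the PDF wave passes anti-virus as clean, yet matches four indicators from the first case.

```python
"""Run the phishing case's indicators across the logs you already keep, and
show the same indicators catching the follow-up wave that AV misses.

Added example, not from the original slides. The indicator values and every
log line below are constructed for the walkthrough; the key=value log format
is an assumption, not any product's real format.
"""
import re

# Indicators pulled out of the first malicious e-mail (constructed values).
INDICATORS = {
    "relay_ip": "198.51.100.7",
    "spoofed_sender": "j.colleague@example.com",
    "boundary": "----=_Part_0a3f9c1d",
    "encoding": "base64",
    "c2_url": "http://update.example.org/cmd.php",
    "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; SV1; 1b3f)",
}

# Mail gateway log. The first two lines are the wave AV caught; the last one
# is the later PDF wave, which AV passes as clean.
MAIL_LOG = """
2011-11-08T19:44:55 relay=198.51.100.7 from=j.colleague@example.com to=target@example.com boundary=----=_Part_0a3f9c1d cte=base64 attach=minutes.exe av=Trojan.Generic
2011-11-08T19:46:10 relay=198.51.100.7 from=j.colleague@example.com to=analyst2@example.com boundary=----=_Part_0a3f9c1d cte=base64 attach=minutes.exe av=Trojan.Generic
2011-11-08T20:01:33 relay=192.0.2.10 from=hr@example.com to=all@example.com boundary=----=_Part_9e7b11 cte=7bit attach=- av=clean
2011-11-15T08:02:41 relay=198.51.100.7 from=j.colleague@example.com to=target@example.com boundary=----=_Part_0a3f9c1d cte=base64 attach=agenda.pdf av=clean
"""
# Public web server access log: the attacker reading up on the target.
WEB_LOG = """
2011-10-30T02:11:12 src=198.51.100.7 url=http://www.example.com/about/leadership ua="Mozilla/5.0 (Windows NT 5.1)"
2011-10-30T02:13:40 src=198.51.100.7 url=http://www.example.com/news/industry-meeting ua="Mozilla/5.0 (Windows NT 5.1)"
2011-10-30T02:14:01 src=203.0.113.9 url=http://www.example.com/ ua="Mozilla/5.0 (Macintosh)"
"""
# Outbound proxy log: an internal host beaconing to the C&C.
PROXY_LOG = """
2011-11-08T19:50:12 src=10.0.0.42 url=http://update.example.org/cmd.php ua="Mozilla/4.0 (compatible; MSIE 6.0; SV1; 1b3f)"
2011-11-08T19:51:03 src=10.0.0.17 url=http://news.example.net/ ua="Mozilla/5.0 (Windows NT 6.1)"
"""
# Perimeter firewall log: a slow scan, one host every few days.
FW_LOG = """
2011-11-01T04:02:10 src=198.51.100.7 dst=192.0.2.20 dport=443 action=deny
2011-11-03T23:40:55 src=198.51.100.7 dst=192.0.2.21 dport=22 action=deny
2011-11-06T01:15:09 src=198.51.100.7 dst=192.0.2.22 dport=3389 action=deny
2011-11-06T01:16:44 src=203.0.113.9 dst=192.0.2.20 dport=80 action=allow
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(log):
    """Turn 'timestamp k=v k="v with spaces"' lines into dicts."""
    rows = []
    for line in log.strip().splitlines():
        ts, _, rest = line.partition(" ")
        row = {"ts": ts}
        for key, val in KV.findall(rest):
            row[key] = val.strip('"')
        rows.append(row)
    return rows


def flag_mail(row, ind=INDICATORS):
    """Name every indicator a mail-log entry matches, ignoring the AV verdict."""
    checks = [("relay_ip", row.get("relay")), ("spoofed_sender", row.get("from")),
              ("boundary", row.get("boundary")), ("encoding", row.get("cte"))]
    return [name for name, value in checks if value == ind[name]]


def hunt(ind=INDICATORS):
    """Correlate the indicators across all four logs. A mail needs two or more
    matches to count: 'base64' alone would flag every attachment."""
    mail = [r for r in parse(MAIL_LOG) if len(flag_mail(r, ind)) >= 2]
    return {
        "targeted": sorted({r["to"] for r in mail}),
        "recon_urls": [r["url"] for r in parse(WEB_LOG) if r["src"] == ind["relay_ip"]],
        "beaconing_hosts": sorted({r["src"] for r in parse(PROXY_LOG)
                                   if r["url"] == ind["c2_url"] or r.get("ua") == ind["user_agent"]}),
        "scanned_hosts": sorted({r["dst"] for r in parse(FW_LOG) if r["src"] == ind["relay_ip"]}),
        # The follow-up wave: AV says clean, the indicators say otherwise.
        "missed_by_av": [(r["ts"], r["to"], r["attach"], flag_mail(r, ind))
                         for r in mail if r["av"] == "clean"],
    }


if __name__ == "__main__":
    for key, value in hunt().items():
        print(f"{key:16} {value}")
```

Each match list is also the block list for the next step: the relay IP goes to the firewall and mail gateway, the C&C URL and User-Agent to the proxy and IDS, the C&C domain to the DNS blackhole. The two-match threshold in hunt() is a judgement call; a relay that only the adversary has ever used is strong on its own, while an encoding type is worthless alone, so weight the indicators according to how many legitimate messages share them.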
Truth About NCIS
• The NCIS Agent was the guy that would
hide in my work space when underway
before their next port pre-visit
• More times than not they might
investigate a crime involving missing
tools
• They did get to research off-limits areas
ahead of task force liberty calls
Thank You!
Michael J. Assante
CEO
National Board of Information Security Examiners
208-557-8026