Enterprise Incident Response VŠE, Prague Petr Špiřík, 18. 4. 2017


Page 1: Enterprise incident response   2017

Enterprise Incident Response

VŠE, Prague, Petr Špiřík, 18. 4. 2017

Page 2

PwC

Agenda: 90 minutes together ahead

Topics

Security incident in the enterprise context

Frameworks and methodology

Lifecycle of the security incident

Future challenges & evolution

Rules of the game

Mutual respect

There are no stupid questions – ask!

Petr Špiřík (PwC EMEA CSIRT Lead)

12+ years of professional experience

Network security & SOC background

Former PwC CEE CISO

Major interests

• Incident response

• Cyber threat intelligence

• Active defense

• Education of cyber security

Page 3

Key Terms: Leveling the field

Process capabilities

Procedures, protocols & methodology

Communication & escalation paths

Decision making

Technical capabilities

Architecture (AV, FW, IPS)

Detection (SIEM, IDS)

Response & Triage tools

Alert vs Incident vs Breach

Suspicion vs Assurance vs Damage

False positive & negatives

Risk appetite & sensitivity

Operations vs Security incident

Means, motive & opportunity

Different objectives

Intentional vs accidental

Page 4

Security Incident: What is this, anyway?

Operations incident

Network is down (power outage)

Computer freezes (misconfiguration)

Data is lost (corrupt backups)

Objectives

Become operational ASAP

Return back to normal

ITIL based

Security incident

Network is DDoSed

Environment is compromised

Data is exfiltrated

Objectives

Stop the bleeding

Understand the threat (Potential impact)

Competing interests (Business, CSIRT, Threat Intelligence)

Page 5

Enterprise Aspect: Difference between SMB & Enterprise

Scalability & Complexity

30 minutes per machine is great …

… if you don’t have 10 000 machines

Manpower is the limiting factor

Automation is the way to go

Standards are necessary

Documentation is vital

Processes & governance enable enterprise incident management

Speed of the enterprise

It is a business decision to turn off the server…

… but who is the business owner?

Complexity is not only technical

Global vs. local

Cost of action vs. cost of inaction

Interaction with Risk management

Enterprise has the agility of an iceberg and the consensus of a group of cats

Page 6

Cost of Security: How secure do you want to be?

Enterprise wants to …

Make profit!

Do business

Be agile

Not be blocked by security

Enterprise wants to be as secure as possible for as little cost as possible

Learn to answer the tough question in an educated way

Security wants to …

Spend resources

Limit access & operations

Have formal procedures & standards

Have control

Security in enterprise is always a cost, never profit

Learn to make a business case & accept the business decisions

Page 7

Standards & Frameworks: Making our lives easier

NIST (800-61)

US-centric

800-X family

Detailed, ready to use

No formal certification

ISO (27001:2013)

EU-centric

High level

Process oriented

Certifiable by independent body

Adoption

Do not reinvent the wheel

Cost-benefit analysis

Multiple standards implementation

Scope is critical

Customization

Understand your own enterprise

Pick wisely

Involve business

Make sure you understand the framework

Page 8

Information Security Incident Lifecycle: NIST 800-61

Page 9

Preparation: Technical

Enterprise

Architecture (segmentation, access control)

Hardening (scans, patches, configuration)

Logging & reporting

Visibility & control

Segregation of duties

Ticketing & knowledge management system

Take control over your environment first, before you try to fight the incidents

Security team

Logging & monitoring capabilities

Tools for incident response

Forensic/Malware lab (nice to have)

Secured area

Control over key chokepoints

Skilled team

Time invested in preparation phase will save you during the incident

Page 10

Preparation: Process

Enterprise

Contact with other functions (IT, business, Risk management, PR & Communication)

Change management

Incident management in wider sense

Crisis management

Awareness & education

Leadership buy-in

Not only you, but your whole enterprise needs to act accordingly

Security team

Reporting an incident – identify inputs & tracking tools interaction

Communication plan

Ownership & governance

Policies & procedures

Templates

Incident response plans

Time invested in preparation phase will save you during the incident

Page 11

Detection: Technical

Logging

Continuous activity

Ingestion of logs from identified sources

Storage only (compliance)

Necessary first step

No output!

Reporting

Regular & automated

Defined KPIs & metrics

Strong for spotting trends and anomalies

Good for predicting future issues

Easy quick win – good cost:benefit ratio

Output is static report, consumed by security team or leadership

Monitoring / Alerting

Real time

Defined use cases to monitor (as opposed to “everything”)

Threshold based, complex rules, function of time

Sensitivity is a critical factor (false positives)

Output is dynamic alerting via console, SMS, emails to analysts
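The three layers on this slide (logging, reporting, alerting) can be shown on one small use case. The following is an added example, not code from the slides or from PwC: a threshold rule over a sliding time window, applied to constructed SSH logon lines (the log format, the IP addresses and the user names are all assumptions made for the example). The `threshold` and `window_seconds` parameters are the sensitivity knobs the slide warns about; the second function is the static "reporting" view of the same data.

```python
"""Threshold-based alerting over a sliding time window.

Added example (not from the slides, not PwC's tooling): one detection use case
of the kind the Monitoring / Alerting slide describes, a rule that is a
function of time with a threshold that sets its sensitivity. The log lines and
their format are constructed for this example; a real SIEM would normalise
events before a rule like this sees them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: failed and accepted SSH logons (not real data).
# 10.0.0.5 is a user mistyping a password, 203.0.113.9 a password-guessing source.
SAMPLE_LOG = """\
2017-04-18T09:00:01 auth sshd failed password for alice from 10.0.0.5
2017-04-18T09:00:03 auth sshd failed password for alice from 10.0.0.5
2017-04-18T09:00:04 auth sshd accepted password for alice from 10.0.0.5
2017-04-18T09:10:00 auth sshd failed password for root from 203.0.113.9
2017-04-18T09:10:01 auth sshd failed password for root from 203.0.113.9
2017-04-18T09:10:02 auth sshd failed password for root from 203.0.113.9
2017-04-18T09:10:03 auth sshd failed password for root from 203.0.113.9
2017-04-18T09:10:04 auth sshd failed password for root from 203.0.113.9
2017-04-18T09:10:05 auth sshd failed password for root from 203.0.113.9
2017-04-18T09:45:00 auth sshd failed password for bob from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd (?P<outcome>failed|accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_event(line):
    """Parse one constructed log line; return None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def failed_logon_alerts(log_text, threshold=5, window_seconds=60):
    """Alert once per source that reaches `threshold` failed logons inside any
    interval of `window_seconds`. Failures are kept per source in a deque and
    expired as time moves on, so the rule is a function of time rather than a
    running total. Lowering `threshold` raises sensitivity and false positives."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["outcome"] != "failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


def failures_per_source(log_text):
    """The Reporting counterpart: a static count per source with no time
    window, the kind of figure a daily report shows to the team or leadership."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and ev["outcome"] == "failed":
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for threshold in (5, 2):
        hits = failed_logon_alerts(SAMPLE_LOG, threshold=threshold)
        print(f"threshold={threshold}: {[a['src'] for a in hits]}")
    print("report:", failures_per_source(SAMPLE_LOG))
```

With `threshold=5` only 203.0.113.9 fires; with `threshold=2` the rule also fires on alice, who simply mistyped her password twice and then logged in, which is exactly the false positive the slide has in mind. Shrinking `window_seconds` to 1 removes alice again, because her two failures are two seconds apart, while the guessing source stays above the line.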

Page 12

Detection: Process

Enterprise

End users

“My computer behaves in a strange way.”

Human resources

“We fired this guy and we suspect he might try to damage the company.”

Administrators

“This is not how my domain controller is supposed to respond.”

3rd parties (Clients, law enforcement, public)

Security team

Eyes on the glass

“How many analysts do I assign to security monitoring?”

Threat hunting

“I always assume compromise. And in such a case – what evidence would give the attacker away?”

Investigation result

“This computer was not only infected by commodity malware! There is more!”

Page 13

Analysis: Triage

Is it a security incident?

Analyst driven, never 100% certain

If it is an incident, is it also a breach?

Who initiates the incident response?

What to do in uncertainty?

This is a yes-or-no question

What can be automated should be automated as absolute priority.

Is it major?

Major or crisis management needed

Human well-being, company existence at risk

Wider, cross-functional IR team needed

Different rules, protocols – but also prepared

Potential links to Business Continuity

Major incidents are more sensitive to process management than to technical response.

Page 14

Analysis: Preparation for response

Information gathering

Even negative information has value

Systems checked and artifacts gathered

Focus on actionable evidence

Narrowing scope is critical – the final judgement does not need to happen now

This is going into incident response. Time is definitely a factor. The whole enterprise is waiting to crush you.

Audit trail

Timestamps and non-repudiation

Documentation for legal consequences

Knowledge management

Project/team management in case of scale explosion

If you are moving too fast to document your actions – you are moving too fast.
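The audit trail points on this slide (timestamps, non-repudiation, documentation that holds up later) are easier to reason about with a concrete structure. What follows is an added example and not code from the slides or from PwC: an append-only log of analyst actions in which each entry carries an HMAC over its own content and the tag of the previous entry, so an edit, reorder or deletion of an earlier entry is detectable. The key, the analyst names, the host name and the domain are constructed for the example.

```python
"""Tamper-evident audit trail for incident response actions.

Added example (not from the slides, not PwC's tooling): every action an analyst
takes is appended with a timestamp and an HMAC that covers the entry and the
tag of the entry before it, so editing, reordering or deleting an earlier entry
breaks verification. The key and the sample actions are constructed; a real
deployment keeps the key away from the analysts, e.g. inside the ticketing
platform that receives the entries.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

GENESIS_TAG = "genesis"  # chain anchor for the first entry


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, prev_tag: str, record: dict) -> str:
        # Canonical JSON so the same record always yields the same tag.
        payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, analyst: str, action: str, target: str, ts: datetime = None) -> dict:
        """Append one entry. `ts` is injectable so the example is reproducible;
        in use it would always be the current UTC time."""
        rec = {
            "seq": len(self.entries),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "analyst": analyst,
            "action": action,
            "target": target,
        }
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        entry = {**rec, "tag": self._tag(prev, rec)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain. Returns (True, None) if intact, otherwise
        (False, index) of the first entry whose sequence number or tag fails."""
        prev = GENESIS_TAG
        for i, entry in enumerate(self.entries):
            rec = {k: v for k, v in entry.items() if k != "tag"}
            if rec["seq"] != i or not hmac.compare_digest(entry["tag"], self._tag(prev, rec)):
                return False, i
            prev = entry["tag"]
        return True, None


def demo_trail(key: bytes = b"constructed-demo-key") -> AuditTrail:
    """Constructed sequence of containment actions with fixed timestamps."""
    t0 = datetime(2017, 4, 18, 10, 0, tzinfo=timezone.utc)
    trail = AuditTrail(key)
    trail.record("analyst-1", "isolated host from network", "WS-0042 (constructed)", t0)
    trail.record("analyst-1", "acquired memory image", "WS-0042 (constructed)",
                 t0 + timedelta(minutes=12))
    trail.record("analyst-2", "blocked outbound traffic to suspicious domain",
                 "example.invalid", t0 + timedelta(minutes=20))
    return trail


if __name__ == "__main__":
    trail = demo_trail()
    print("intact:", trail.verify())
    trail.entries[1]["action"] = "did nothing"  # after-the-fact edit
    print("after edit:", trail.verify())
```

One caveat a practitioner should know: a chain like this does not notice when the newest entries are simply cut off, because the remaining prefix still verifies. The usual fix is to copy the latest tag somewhere the analysts cannot change (the ticket, a separate log store) at regular intervals, so a truncated trail no longer matches the last tag on record. True non-repudiation of who wrote an entry also needs per-analyst signatures rather than one shared HMAC key; the chain above gives integrity and order, which is what the timeline for legal follow-up needs first.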

Page 15

Containment: Stop the bleeding!

Stopping the attack

Primary objective is to stop further damage

Isolation & service reduction

Time is the critical factor

Involve business stakeholders

Follow the procedures

During containment phase, the primary imperative is to stop the attack from getting worse …

Intelligence gathering

Preserve the chain of custody

Watch & learn

Look for additional compromise

Know your enemy

Take notes

… however, you also want to learn as much as you can without alerting the attacker or giving him what he wants

Page 16

Containment: Deeper dive

Disconnect the network!

Not always best idea, not always applicable

Is the incident insider? APT? External breach? Malware outbreak? Phishing campaign?

Prepared scenarios to the rescue

Isolate the incident in its domain (physical, network, human resources)

Factor in the time & scale

Focus on breach escalation prevention

Initial containment varies from shutting down the system to doing nothing

Major incidents

Communication plan

Governance of the IR team

Regular updates & reassessments

Project plan to remediate

Don’t expect this to be over soon

Scale and complexity are your enemies

In a major incident scenario, you are most likely already in damage control mode

Page 17

Eradication

Remove all artifacts

Clean the compromised assets

Remove all entry points

Restore clean data from backups

Patch the vulnerabilities

Close the attacker’s way in

This is the latest stage when the attacker learns you are after him. In military terms, you are “operating in contested environment”.

Project management

To know what to do is not that important

To carry out the plan is

Multiple team coordination

Shared responsibilities

Timelines & change windows

In an enterprise environment, the project manager can make or break the outcome. Cooperation & execution are key.

Page 18

Recovery

Back to production

Business wants to get back operational ASAP

Incident needs to be declared over

All compromised assets are clean

Partial recovery for large scale incidents

It is a business decision to get back online. Make sure this decision is informed!

Continuous monitoring

Attackers do not give up easily

Be prepared for counter-attacks

Set up temporary, more sensitive alerting

Go back to analysis if needed

The attacker spent resources to get in. They will try to reclaim what they once had.

Did you really eradicate every artifact?

Page 19

Post-Incident Activity: Immediate & short term

Harden the environment

Cooperate with IT

Follow the change management

Use the knowledge you gained

Plug all the holes

Every incident is an opportunity to improve

Improve your detection systems!

It is no shame to fall victim to an attack. It IS a shame to fall victim to the same attack repeatedly.

Metrics & KPIs

How do you measure success?

Is the number of incidents a good metric?

What is not measured does not exist

Metrics & KPIs are a double-edged sword

Useful vs. useless metrics

Long-term, well-established KPI monitoring will improve your security posture

Good metrics can motivate the team and give you access to the resources you need. Bad ones will put you in an uphill battle.
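The slide's question about whether the number of incidents is a good metric can be answered with data. The following is an added example, not code from the slides or from PwC: it groups constructed incident tickets by quarter and puts the raw count beside measures that reflect the process itself, namely median time to detect, median time to contain, and the share of incidents found by the organisation's own people and tooling rather than reported from outside. The ticket records, their field names and the source categories are assumptions made for the example.

```python
"""Incident metrics beyond counting incidents.

Added example (not from the slides, not PwC's tooling): the deck asks whether
the number of incidents is a good metric. This groups constructed incident
records by quarter and puts the raw count beside measures that reflect the
process: median time to detect, median time to contain, and the share found
internally rather than reported by a third party. Records and field names are
constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed tickets (not real incidents). Timestamps are ISO 8601, local time.
INCIDENTS = [
    {"id": "c-001", "source": "third_party", "occurred": "2017-01-05T08:00",
     "detected": "2017-02-14T10:00", "contained": "2017-02-15T10:00"},
    {"id": "c-002", "source": "end_user", "occurred": "2017-03-01T00:00",
     "detected": "2017-03-11T00:00", "contained": "2017-03-12T12:00"},
    {"id": "c-003", "source": "monitoring", "occurred": "2017-04-03T09:00",
     "detected": "2017-04-03T11:00", "contained": "2017-04-03T15:00"},
    {"id": "c-004", "source": "monitoring", "occurred": "2017-04-10T22:00",
     "detected": "2017-04-11T06:00", "contained": "2017-04-11T12:00"},
    {"id": "c-005", "source": "hunting", "occurred": "2017-05-02T10:00",
     "detected": "2017-05-02T10:30", "contained": "2017-05-02T12:30"},
    {"id": "c-006", "source": "third_party", "occurred": "2017-05-20T00:00",
     "detected": "2017-06-01T00:00", "contained": "2017-06-03T00:00"},
]

# Sources that mean someone outside the organisation told us first.
EXTERNAL_SOURCES = {"third_party"}


def hours_between(start: str, end: str) -> float:
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def quarter_of(ts: str) -> str:
    d = datetime.fromisoformat(ts)
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def quarterly_metrics(incidents):
    """Per quarter (by detection date): count, median hours to detect, median
    hours to contain, and the percentage detected internally."""
    by_quarter = defaultdict(list)
    for inc in incidents:
        by_quarter[quarter_of(inc["detected"])].append(inc)
    metrics = {}
    for quarter, incs in sorted(by_quarter.items()):
        ttd = [hours_between(i["occurred"], i["detected"]) for i in incs]
        ttc = [hours_between(i["detected"], i["contained"]) for i in incs]
        internal = sum(1 for i in incs if i["source"] not in EXTERNAL_SOURCES)
        metrics[quarter] = {
            "count": len(incs),
            "median_ttd_h": round(median(ttd), 1),
            "median_ttc_h": round(median(ttc), 1),
            "internal_detection_pct": round(100 * internal / len(incs), 1),
        }
    return metrics


if __name__ == "__main__":
    for quarter, m in quarterly_metrics(INCIDENTS).items():
        print(quarter, m)
```

On the constructed data the incident count doubles from Q1 to Q2, which read alone looks like things got worse; the median time to detect falls from about 600 hours to 5 and the share of internally detected incidents rises from half to three quarters, which is what an improving detection capability looks like. That is the sense in which a raw incident count is a misleading KPI.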

Page 20

Post-Incident Activity: Knowledge management

Lessons learned

Debriefing after an incident

All parties involved

Review procedures & templates

Plan for changes for the future

Blame is lame

The objective of post-incident activity is to improve for the future, not to find a scapegoat.

Active defense

Profile the attackers

Profile your organization

Assume compromise

Hunt for the adversaries

Set up traps for the future

Every incident is a lesson – the result is your threat intelligence

Page 21

Enterprise Maturity: Don’t try to run if you can’t walk

COBIT maturity levels

Level 1 – Initial

Level 2 – Repeatable

Level 3 – Defined

Level 4 – Managed

Level 5 – Optimized

Be honest with yourself. Work up through the stack, one step at a time. Do not go for shortcuts. It does not work.

Expectation management

New buzzword every year

Applicability to your organization

Effect of diminishing returns

Build on solid foundation

Going step by step is cost effective

Do not set up an incident response team if you don’t know your own infrastructure. Do not buy threat intelligence if you cannot consume it.

Page 22

Future Challenges: I got it! What’s next?

Hunting

Assume compromise

Set up your hunter team

Let them loose

Special mindset is required.

Clear boundaries need to be set!

Threat intelligence

Know your enemy

Share the information

Profile your organization

Automate & automate

It is not the threat intel that matters, but how you apply it.

Build your own threat intelligence!

Active defense

Sinkholing & tarpitting

Active reconfiguration

Profile the attackers

Dynamic environment

Focus on your own environment.

Be sure to stay on the legal side!

Page 23

Summary: Thank you!

Questions & answers

Ask your questions now…

… or reach out to me after

Thank you all!

Contacts

[email protected]

[email protected]

NIST Security (look for 800-61)

csrc.nist.gov

This presentation

https://www.slideshare.net/zapp0/enterprise-incident-response-2017