How to effectively respond to an information security incident
www.pwc.com
PwC
Agenda
Analogy
Plan Preparation
Incident Handling Overview
Collect & Triage
Investigation
Containment
Eradication
Recovery
Are you going in the water?
Initial incident response steps
• Gather documentation
- Contact lists, network diagrams, etc.
• Designate incident leads
• Notify proper contacts
- Internal contacts
◦ Legal, management, internal support leads
- External contacts
◦ Legal, vendor support, trusted third parties, law enforcement
Incident handling overview
• Based on NIST 800-61 Incident Handling
- Detect and Analyze (Triage)
- Containment
- Collect, Preserve and Investigate
- Eradication
- Recovery (lessons learned)
[Diagram: incident handling cycle: Detect and analyze → Contain → Collect & Preserve → Eradicate → Recovery]
Detection and analysis
Do we have an incident? (Yes/No)
• How were we notified?
- Internal vs. External
• Deploy experienced people to determine if you have a real incident
• Is this a regulatory, legal or contractual issue?
Practical example
• eCommerce Site:
- Client reported a server performance issue
- Tech Support found the load too high
- Developer examined the code
◦ Identified foreign code on the server and referred it to Security
- Security began collecting data
◦ Contacted External Incident Response team
Practical example
• Incident Response Team
- Examined the server
- Recommended blocking IP addresses
- Examined the server population
- Provided a written report of the incident
- Recommended Eradication
- Recommended policy and procedure changes
Exfiltration
What to do next
• Incident Classification (DDoS, Malware, Unauthorized Access)
• Triage the problem – follow the evidence
• What are my capabilities?
• What am I looking for?
• How will I accomplish what I need to do?
Collection and preservation
Evidence preservation
• Proper forensic collection and documentation
- Collect what you need to answer the questions
• Malware analysis
- What are we dealing with and what is it capable of?
◦ Data exfiltration
◦ Keylogger
◦ Sniffer
◦ Dumping memory
Data to collect
• Forensic images of the systems compromised
• Firewall Logs
• Web server logs
• Proxy server logs
• Netflow data
• Syslogs (Unix)
• Local Windows event logs
• Domain Controller event logs
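The "proper forensic collection and documentation" bullet above and this list of data sources come together in a chain-of-custody manifest. The following is an added example, not code from the PwC deck: it hashes each collected artefact and records collector, time and size, so the team can later prove the copies were not altered; the file names and log contents are constructed for the demo.

```python
"""Chain-of-custody manifest for evidence collected during an incident.

Added example, not code from the PwC deck: streams each collected artefact
(forensic image, firewall/web/proxy log, syslog, event log export ...) through
SHA-256 and writes a manifest recording who collected it and when, so the team
can later prove the copies are intact. File names and contents are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so multi-GB disk images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, collector, case_id):
    """Record path, size and hash of every artefact plus collector and time."""
    return {"case_id": case_id, "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "artifacts": [{"path": p, "bytes": os.path.getsize(p),
                           "sha256": sha256_file(p)} for p in sorted(paths)]}

def verify_manifest(manifest):
    """Return artefact paths that are missing or no longer match their hash."""
    return [a["path"] for a in manifest["artifacts"]
            if not os.path.isfile(a["path"]) or sha256_file(a["path"]) != a["sha256"]]

def demo():
    """Collect two constructed logs, save the manifest, then detect tampering."""
    d = tempfile.mkdtemp()
    fw, web = os.path.join(d, "firewall.log"), os.path.join(d, "access.log")
    with open(fw, "w") as f:
        f.write("2012-05-01T10:01:02Z DENY tcp 198.51.100.7 -> 10.0.0.5:3389\n")
    with open(web, "w") as f:
        f.write('10.0.0.5 - - [01/May/2012:10:02:11 +0000] "GET /cart HTTP/1.1" 200 512\n')
    manifest = build_manifest([fw, web], "handler-01", "CASE-CONSTRUCTED-001")
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)      # goes into the case file
    clean = verify_manifest(manifest)         # [] while the copies are untouched
    with open(web, "a") as f:
        f.write("tampered\n")                 # simulate post-collection modification
    return clean, verify_manifest(manifest) == [web]
```

Run the manifest build on write-blocked or read-only copies; the hash of the original media should be taken before any analysis tool touches it.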
Triage process flow
[Flowchart: triage process flow. Nodes: Incident Handler; Malware present (Yes/No); Compromised Host (Yes/No); Malware Analysts; Forensics; Information Security; Hardening; Monitoring]
Containment
Initial containment (1-3 days)
• Apply the M&M approach (hard & crunchy on the outside, soft & chewy on the inside)
• Data characterization (add rings of security)
• Grab the low-hanging fruit
- Update AV, flag suspicious files, HIDS/HIPS, create IDS signatures, block traffic, change passwords, disable accounts
- Change to manual procedures if necessary
What don't I know?
• Where do I need increased visibility?
- Review logs, increase auditing/logging
◦ System, database, network device, etc.
- Process to secure, archive, collect and review logs
- As the British say, Mind the gap!
SQL Query logging example:
SQL query logging example
• Sophisticated attack on database
- Cracked the PINs for banking cards
- Used SQL injection to inject a malicious executable into the database
- Withdrawal limits on the cards were raised to maximize the amount that could be withdrawn
- No SQL logging performed on the databases
- Client using a SQL query recorder
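With query logging in place, the two behaviours this slide describes (an executable written into the database and withdrawal limits being raised) become detectable in the recorder's output. The following is an added example, not code from the PwC deck or the client's recorder: it runs simple defender heuristics over a constructed query log; the record format, table and column names, the 5000 limit threshold and the sample lines are all assumptions made for the demo.

```python
"""Triage of a SQL query log after the banking-card attack described above.

Added example, not code from the PwC deck: runs defender heuristics over the
kind of log a SQL query recorder produces, to surface the two behaviours the
slide names, an executable written into the database and withdrawal limits
being raised. Log format, table/column names and the sample lines are constructed.
"""
import re

# Constructed record format: "<timestamp> <db_user> <client_ip> <sql statement>"
SAMPLE_LOG = """\
2012-05-01T02:10:03Z app_svc 10.0.1.20 SELECT balance FROM accounts WHERE card_id = 4471
2012-05-01T02:11:45Z app_svc 10.0.1.20 UPDATE accounts SET withdrawal_limit = 500 WHERE card_id = 4471
2012-05-01T02:13:09Z app_svc 10.0.1.20 INSERT INTO staging (blob) VALUES (0x4D5A90000300000004000000FFFF0000B8000000)
2012-05-01T02:14:30Z app_svc 10.0.1.20 UPDATE accounts SET withdrawal_limit = 99999999 WHERE card_id IN (4471,4472,4473)
2012-05-01T02:15:02Z app_svc 10.0.1.20 SELECT pin_hash FROM cards WHERE card_id = 4471 OR 1=1--
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# A hex literal starting with 0x4D5A ('MZ') is a Windows executable stored as data.
PE_BLOB_RE = re.compile(r"\b0x4d5a[0-9a-f]{16,}", re.I)
LIMIT_RE = re.compile(r"\bset\s+withdrawal_limit\s*=\s*(\d+)", re.I)
# Classic injection residue: always-true clause, trailing comment, UNION append.
INJECT_RE = re.compile(r"(\bor\s+1\s*=\s*1\b|--\s*$|\bunion\s+(all\s+)?select\b)", re.I)
MAX_NORMAL_LIMIT = 5000  # assumed business rule: no legitimate limit exceeds this

def triage(log_text, max_limit=MAX_NORMAL_LIMIT):
    """Return (timestamp, user, reason) for every record that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # malformed record; a real tool would count these as a gap
        ts, user, _ip, sql = m.groups()
        if PE_BLOB_RE.search(sql):
            findings.append((ts, user, "executable (MZ header) written to database"))
        lim = LIMIT_RE.search(sql)
        if lim and int(lim.group(1)) > max_limit:
            findings.append((ts, user, f"withdrawal_limit raised to {lim.group(1)}"))
        if INJECT_RE.search(sql):
            findings.append((ts, user, "SQL injection pattern in statement"))
    return findings

def summarize(findings):
    """Group hits by database user, the first question a handler asks."""
    by_user = {}
    for _ts, user, reason in findings:
        by_user.setdefault(user, []).append(reason)
    return by_user
```

Every hit here comes from the same application service account, which is the usual picture when the injection rides through the web tier; the timestamps then become the pivot into the web server and proxy logs collected earlier.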
Eradication & remediation (2-4 weeks)
• Remove malware
• Re-image and/or rebuild systems
- Consider legacy applications
• Delete/disable accounts
• System and Network device hardening
• Increase log monitoring
Longer term issues
• Data Flows
• Application Characteristics
• Server Characteristics
• Risk Factors
• Regulatory and Compliance Issues
Recovery – Long term goals
• Implement an Information Security group with a CISO
• Integrate Information Security into all facets of the business
• Network Isolation and segmentation
• System hardening
• Annual security audits (include penetration testing)
- Include 3rd party connections
• Implement a Sensitive Data Program
Recommendations
• Ensure there is an incident response plan in place
• Know where your crown jewels are located
• Regular security assessments conducted by an outside firm
• Have an incident response support team on speed dial
Questions
Contact:
Dave Nardoni 213-356-6308
Jef Dye 213-217-3976
© 2012 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.