intrusion detection mis.5213.011 alter 0a234 lecture 11
TRANSCRIPT
Intrusion Detection MIS.5213.011 ALTER 0A234
Lecture 11
Remediation Process
Declaration of an incident.
Form the remediation Team
Determine remediation Timing
Hybrid Action(Containment &
posturing Action)
Hybrid Action(Containment &
posturing Action)
Hybrid Action(Containment &
posturing Action)
Remediation Process - Cont
Remediation Complete
Develop Eradication Plan
Execute Eradication Plan
Develop Strategic Recommendations
Document Lessons Learned
Remediation Process
1) Form the Remediation TeamRemediation team is similar to the CIRT team. It may consists of
the same members or members with similar skill sets
2) Determine the timing of the remediation actionsWhat activities can be started or what needs to wait until the
investigation is completed
Remediation Process
3) Develop and implement remediation posturing actionsThese actions occur while the incident is still ongoing ie: password resets, patch application, vulnerability remediation,
etc.
4) Develop and implement incident containment actionsThese actions are designed to restrict access to sensitive areas.
Remediation Process
5) Develop an eradication planthe goal is to remove attacker’s access to the environment
6) Determine eradication event timing and implement the planOnce the investigative team determines that all possible
breaches, tools, techniques have been identified and no new infections are occurring. It is determined that a steady state for the environment has been reached. At this point eradication plan may be implemented to began the clean up.
Remediation Process
7) Develop Strategic RecommendationsThese are long term observations that need to be implemented.
It is generally done as a long term plan for remediation
8) Document the lessons learned.This is a result of identifying all of the things that worked or did
not worked during an incident crisis situation. These lessons learned need to be stored in a secure location.
Critical Factors for Remediation EffortsIncident Severity
Remediation TimingThis will serve as a guide to what needs to happen when and everyone needs to
agree. This is critical to the success of the remediation.
Remediation Team(Size, Skill, Support)
Critical Factors for Remediation EffortsTechnology
All technology used during an incident should be tested and familiar so that during the incident you are not learning new technologies.
Budget
Management Support
Public Scrutiny Be aware of what information is release to the public and when. Revisions may prove
more embarrassing.
Remediation Owner
Some one who is a strong senior technical manager who will negotiate all aspects of the remediation effort.
5 Qualities of a Remediation OwnerIn-Depth understanding of IT and Security
Focus on Execution
Understanding of Internal Politics
Proven Track record of building support of Initiatives
Ability to Communicate with technical and nontechnical personnel.
Posturing Actions
Enhancing LoggingEnhance AlertingPatching 3rd party applicationsImplement – multifactor authenticationReduce the locations where critical data is storedStrengthen Password Requirements
Posturing Actions
Things to be wary off Alerting the attackerresults in changed tactics and behavior by the attacker.
Attacker Becomes dormant – results in additional compromised machine that become silent, impacting the trusted state of the environment.
Attacker becomes destructive
Attacker become more active and attempts to infect more machines, resulting an active war between the attacker and the incident response team.
Containment Plan Actions
Change all of the passwords for all users and accountsSplit responsibilities, Some users that can create while others are used to authorize.Improved ACLs.
Eradication Action Plan
Ie:Completely disconnect the Victim organization from the InternetBlock Malicious IpsChange All account passwordsImplement Network SegmentationMitigate all vulnerabilities ..especially the original one that
allowed the attack in the first placeRebuild compromised systems
Strategic Recommendations
Ie:• Period review of Firewall ACLs and other Network device
configurations• Period code reviews• Implement IDS to monitor network traffic at all critical network
points and services.• Proper network segmentations• Allow only multifactor authentication for remote access• Outsource DMZ monitor to MSSP (Managed Security Service
Providers)
OUTSOURCING SECURITY
MSSP – Managed Security Service Providers
MSSP
OutsourcingWhat is outsourcing?
Act of outsourcing involves contracting out for goods or services to a provider either domestic or foreign in place of internal sourcing.
What is outsourced?Software Development, Help Desk Services, Call Center, Medical Billing, etc..
Managed Security Services ProvidersOptions:
Managed firewall servicesmanaged intrusion detection servicesmanaged VPN services
MSSP – Pros and Cons
MSSP
Pros:• Costs: Running an in-house security team means hiring and paying salaries and benefits, creating office
space and overall operational costs. By outsourcing security, you pay for services only. It’s up to the MSSP to handle their employee’s needs.
• Superior Technology and Expertise: When outsourcing security, you hire a company whose sole business is securing other businesses. This means, managed security service providers have the best hardware and software and skilled personnel. Buying such technology or hiring skilled personnel would be expensive and counterproductive for businesses that don’t specialize in security.
• Support: Security is a sensitive area and so all managed security service providers offer support all-day, all year as long as the contract is valid. Your business is secured always and time it takes to resolve security issues is minimal.
MSSP
Cons:• Risk: For instance, being a sensitive subject, trusting a different company with your intellectual property, can
be hard. Most managed security service providers have well-known reputation and track record.
• oss of Control: When you hand over security to another company, it means you will have to accept the terms they propose. For example, when outsourcing I.T security, the provider decides the security software and hardware to run in your company. Changing such software would be breaching contract with the managed security service provider.
• Loss of Quality: Although rare, hiring managed security service providers known to compromise quality for profits is a security risk. To prevent this, researching before signing a contract and asking for service level agreements is advisable.
MSSP
SLAWhat should SLA’s cover
Time to detection
Speed on response after an incident occurs
What if the third party does not detect incidents
How many incidents are being detected by the third party
How many are not being detected by them
MSSP
SLALack of standards and tools
Lack of skills, training and/or certification on proper methodology
Lack of communication
Lack of established policy
Repudiation of responsibility from the third party
MSSP
Choosing the right MSSP
Reputation
Financial Stability
Expertise
Employee Turnover Rate
etc..
MSSP
Additional Concerns:How different organizations perform incident management?
What is covered and required under Service Contracts?
Is the outsourcing service provider obligated to keep the information secured and Security levels current?
How are the roles and responsibilities clarified?
What level of expertise does the company providing services have with Incident Management? What level of contracts do they have?
How would the outsourcing organization be evaluated
How would the organization know if the third party is doing its job
What kind of incidents are expected to be identified by the third party
What kind of reporting and notification is expected from the third party