
Revisiting Your Incident Response Program

Michael J. Assante

Chief Executive Officer

National Board of Information Security Examiners

Agenda

• Importance of skilled people

• New response model & roles

• Shaping your defenses through incident analysis

Incident Response: People and Technology

Ever-changing threats: automated systems will always be a step behind

Must develop front-line defenders

Highly complex issues require professionals with a demonstrated level of hands-on competence, performance, and intuition

Learning from past incidents has shifted values toward different and hard-to-acquire skills (e.g. reverse engineering)

Enhancing Our Workforce

“During the past year, several Fortune 100 companies saw advanced, persistent attacks on their infrastructures. While these companies invest millions of dollars in protections, they don't necessarily have the personnel to defend against that level of threat.”

Tim McKnight, the Chief Information Security Officer at Northrop Grumman Corporation (McKnight, 2011)

Organizations should identify and develop security professionals who perform reliably under pressure, think together creatively, regroup adaptively, adjust swiftly to changing tactical conditions, and learn quickly from mistakes and failures

Intrusion Analysts & Responders

CSO Challenges

• Attracting talent and competence

• Integrating new people & skills

– Transferring knowledge of the existing system (design challenges, system operations, risks and recovery)

• Developing your workforce to be successful and accelerate skill building & performance

– Lack of simulation tools

– Keeping up with change

– Hope to best develop methods and systems that can accelerate learning curves, enabling young, inexperienced talent to transform their knowledge into skill

[Figure: the 21st century grid from generator to meter. Elements shown: Demand, Conventional & Hydro Generation, Demand Response, Nuclear, Energy Efficiency, Plug-In Hybrid Electric Vehicles / Storage, Rooftop Solar / Local Wind Development, Wind & Variable Generation; overlaid themes: “smart grid”, cyber security, reliability]

Cyber security is one of the most important concerns for the 21st century grid and must be central to design, engineering, operations, policy and strategy. The challenge flows from generator to meter.

Driving change

Smart Grid’s Mid-life Crisis?

Workforce Opportunity

• To become integral to the delivery of our service

• Core aspect of the business

• Sourcing for professionals

• Redefine approaches and models

Generation: 5,000 plants; 65% of monthly bill; employs approx. 120,000 people nationwide

Transmission: 160,000 miles; 5% of average customer monthly bill; employs approx. 15,000 people nationwide

Distribution: over 1,000,000 miles; 30% of average customer monthly bill; employs approx. 400,000 people nationwide

[Figure: competency model. Axis labels: Knowledge (understanding of strategy or procedure), Skills (consistency of performance), Ability (transfer across domains); scale labels: Shallow / Deep, Inconsistent / Consistent, Narrow / Broad; other labels: Markets, OTC. Legend: Novice, Apprentice, Journeyman, Master]

Building Competency

Skill Measurement & Development

• Highly resourced attackers can assemble people capable of collaborating, planning how to deal with system variances, anticipating security controls, targeting individuals, and fielding new exploits

• Our defensive thinking has been shaped by the more frequent and less directed threats of the past

• New defense models are emerging

Intrusion Analysts & Responders

Emerging Incident Response Roles

• The existing frameworks are inclusive, but newer models proving to be more effective have combined certain roles or put a sharper focus on specialization

– Host-based reverse engineer/intrusion analyst

– Network-based reverse engineer/intrusion analyst

– Malware reverse engineer/analyst

– Intelligence analyst

Healthy View of the Contest Before Us

“What loses wars is not the inevitable mistakes but the failure to correct them in time – and the degree to which defeatism and depression (because errors occurred at all) are allowed to erode morale”

Victor Davis Hanson 2010, “The Father of Us All”

Goals of Incident Response

① To return to normal operations as soon as possible

② To gather intelligence

③ Learn from every incident and inform/shape your defenses

[Figure: attack and response timeline. Attacker track: Attack Begins, System Intrusion, Attacker Surveillance, Target Analysis, Attack Set-up, Access Probe, Leap Frog Attacks Complete, Discovery / Persistence, Maintain foothold, Cover-up Starts, Cover-up Complete; the span from the start of the attack until Defender discovery is labelled “Attacker free time”. Defender track: Attack Forecast, Physical Security, Monitoring & Controls, System Reaction, Defender discovery, Attack Identified, Incident Reporting, Threat Analysis, Impact Analysis, Response, Damage Identification, Containment & eradication, Recovery, Analysis to determine indicators]

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

Leveling the Playing Field

Static Defenses Are Failing

• Network Firewalls – IPs change constantly

• DNS – new domains all the time

• IDS/IPS – no signatures for 0 days, AND can't decode emails and links on the fly (base64, embedded EXEs, XORed EXEs in emails)

• Virus Protection – no signatures for 0 days

• Server Hardening – attacks are against the application layer

• Application & Data – availability & functionality always win

The Importance of Analysis

• Mining the data that is already being collected

• Identify important indicators

• Your infrastructure/systems can be the best source of intelligence

• Intrusion analysts traditionally react

– Must operate in a continual cycle with the goal of being proactive

• Develop an adaptive understanding of the threat environment based on incorporating analyses of actual events

Take a Play from NCIS LA

• An intrusion analysis case study

NCIS LA Version (www.cbs.com) vs. Our Reality (http://blink.ucsd.edu/technology/security/CIRT/index.html)

Situation Briefing

• 19:45 in a location near Los Angeles

• Your cyber defense team receives an SMS message from the anti-virus services running in your e-mail gateway

• They politely excuse themselves from their nightclub party and race back in their expensive undercover sports cars


Malicious E-mail Targeting An Employee Detected

• Easy/automated response

• Log it & call the case closed

• Time to relax?


Determining Indicators

• Simple review of the header indicates the e-mail was spoofed from an IP outside the domain’s network blocks [Indicator #1]

• Research the sender to determine if it was a valid account or spoofed [Indicator #2]

• Open source search the targeted recipient and find minutes from an industry meeting with their contact info [Indicator #3]

• E-mail has unique content type/boundary [Indicator #4]

• E-mail has a specific encoding type [Indicator #5]

• Analyze the attached malware and pull out the command & control to a specific URL [Indicator #6]

• Further analysis of the C&C provides a unique HTTP User-Agent string [Indicator #7]

• Identify the files the malware drops on your system [Indicator #8]
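The header- and MIME-level indicators in this list (#1, #2, #4, #5 and the attachment behind #8) can be pulled out of the message mechanically. The Python below is an added example, not code from the presentation; the sample message, the sender and the organization's network block are constructed values. The C&C URL, User-Agent string and dropped-file names (#6 to #8) come from analysing the malware itself and are not extracted here.

```python
import hashlib
import ipaddress
import re
from email import message_from_string, policy

# Constructed sample, not from the presentation: a spoofed mail with an
# executable attachment, shaped like the case study's phishing message.
SAMPLE_EML = """\
Received: from relay.industry.example (relay.industry.example [203.0.113.10])
 by mx.corp.example (Postfix) with ESMTP id 4F2A1; Tue, 11 Jan 2011 19:45:01 -0800
From: "Industry Committee" <chair@industry.example>
Subject: Minutes from last week's meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_0001_ABC123.DEF456"

------=_Part_0001_ABC123.DEF456
Content-Type: application/octet-stream; name="minutes.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="minutes.exe"

TVqQAAMAAAAEAAAA
------=_Part_0001_ABC123.DEF456--
"""

# Assumed: the organization's own mail-sending network blocks (constructed).
OWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def extract_indicators(raw, own_networks=OWN_NETWORKS):
    msg = message_from_string(raw, policy=policy.default)
    ind = {}
    # Indicator 1: the relay that connected to our MX, taken from the topmost
    # Received header, and whether it lies outside our own network blocks.
    received = msg.get_all("Received") or []
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0])) if received else []
    if ips:
        src = ipaddress.ip_address(ips[0])
        ind["source_ip"] = str(src)
        ind["source_outside_own_nets"] = not any(src in n for n in own_networks)
    # Indicator 2: the claimed sender, to be researched as valid or spoofed.
    ind["sender"] = str(msg["From"])
    # Indicator 4: the MIME boundary, often specific to the mailer the attacker used.
    ind["boundary"] = msg.get_boundary()
    # Indicators 5 and 8: attachment encoding, name and hash of the decoded payload.
    for part in msg.iter_attachments():
        ind["attachment_name"] = part.get_filename()
        ind["attachment_encoding"] = str(part["Content-Transfer-Encoding"])
        ind["attachment_sha256"] = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
    return ind
```

The returned dictionary is the raw material for the blocks and signatures described later in the deck; the hash, not the file name, is what to search other mailboxes and hosts for.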

Final Analysis

• You identify that the employee being targeted works with sensitive company information

• You search the mail logs for emails from the spoofed sender and find they have targeted numerous employees from the same work group

• You search your proxy logs and find out the attacker has visited your web site collecting information

• You pull your IDS and firewall logs and find out the same originating IP has slowly scanned your networks

• You are able to classify the incident as one case in a larger highly targeted attack

• Awareness material needs to be updated

Shaping Your Defense

• Take the indicators and feed them into your IDS, firewall block, DNS blackhole, proxy block, etc.

• Search your network using SMS or similar for the dropped *.exe and .dll files

• The next attack

– A new unpatched Adobe PDF vulnerability is discovered. An exploit is quick to follow

– The same adversary targets more employees with the new attack

– This time there is no alert. The vulnerability slips by your defenses because there is no patch or detection capability available

– Unless you took the above steps:

• The attack is most likely mitigated through several informed defenses: firewall block of C&C IP, proxy block of URL, IPS/IDS detect on suspicious user-agent strings, content type/boundary, email encoding, DNS blackhole of domain name or DNS servers, email dropped from suspicious mail relay, etc.
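The Final Analysis correlation (the same sender and source IP across mail, proxy and firewall logs) and the Shaping Your Defense outcome (the follow-on attack is caught by indicator-driven controls even with no AV alert) can both be shown with one small matcher. This is an added Python example, not the presentation's code; the indicator values, the control mapping and the log lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed indicator set in the shape of the case study's indicators; none
# of these values come from the presentation (documentation ranges only).
INDICATORS = {
    "source_ip": "203.0.113.10",                 # #1 originating relay
    "sender": "chair@industry.example",          # #2 spoofed sender
    "c2_host": "update.cdn-example.net",         # #6 C&C host
    "user_agent": "ExampleAgent/1.0",            # #7 malware User-Agent
    "dropped_files": {"svchost32.exe", "msupd.dll"},  # #8 dropped files
}
# Which informed defense each indicator feeds (per the Shaping Your Defense slide).
CONTROL = {
    "source_ip": "firewall block", "sender": "mail relay drop",
    "c2_host": "proxy block / DNS blackhole", "user_agent": "IDS/IPS signature",
    "dropped_files": "host search for dropped files",
}
# Constructed log lines from the mail gateway, web proxy and firewall.
SAMPLE_LOGS = [
    ("mail", "relay=203.0.113.10 from=chair@industry.example to=engineer@corp.example"),
    ("mail", "relay=203.0.113.10 from=chair@industry.example to=analyst@corp.example"),
    ("proxy", "src=203.0.113.10 GET https://www.corp.example/about/team.html"),
    ("fw", "src=203.0.113.10 dst=198.51.100.22 dport=445 action=drop"),
    ("fw", "src=203.0.113.10 dst=198.51.100.23 dport=445 action=drop"),
]
# The follow-on attack: no AV alert, but the malware reuses its C&C and User-Agent.
NEXT_ATTACK = ("proxy", 'src=198.51.100.50 GET http://update.cdn-example.net/x.php ua="ExampleAgent/1.0"')

def match_indicators(logs, ind=INDICATORS):
    """Map each indicator name to the (source, line) pairs that contain it."""
    hits = defaultdict(list)
    for source, line in logs:
        for name, value in ind.items():
            values = value if isinstance(value, set) else {value}
            if any(v in line for v in values):
                hits[name].append((source, line))
    return hits

def summarize(logs, ind=INDICATORS):
    """Correlate hits across log sources and count targeted recipients."""
    hits = match_indicators(logs, ind)
    sources = {src for entries in hits.values() for src, _ in entries}
    recipients = {m.group(1) for _, line in hits["sender"]
                  for m in [re.search(r"to=(\S+)", line)] if m}
    return {"sources": sorted(sources), "recipients": len(recipients),
            "targeted_campaign": len(sources) >= 2 and len(recipients) > 1}

def defenses_triggered(event, ind=INDICATORS):
    """Informed defenses that would act on one event, given the indicator set."""
    return sorted(CONTROL[name] for name in match_indicators([event], ind))
```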


Truth About NCIS

• The NCIS Agent was the guy that would hide in my work space when underway before their next port pre-visit

• More times than not they might investigate a crime involving missing tools

• They did get to research off-limits areas ahead of task force liberty calls

Final Outcome

CSO Compass Awards 2012


Thank You!

Michael J. Assante

CEO

National Board of Information Security Examiners

[email protected]

208-557-8026