Developing A Cyber Security Incident Response Program

Post on 11-Feb-2017


Boğaziçi University - Istanbul @2015

Ozan UÇAR
• Co-Founder at BGA Bilgi Güvenliği A.Ş.
• Senior Security Consultant

blog.bga.com.tr
www.cehturkiye.com

ozan.ucar@bga.com.tr
www.twitter.com/ucarozan

About Me

About BGA

Know How & Know Why
This presentation will tell you why you should do … before the cyber attacks happen, but it won't tell you how to do it.

Type of Cyber Attacks
• Denial of Service - DoS/DDoS
• Client-Side Attack Vectors - Browser/File Format Exploitation
• Social Engineering - Phishing/Vishing
• Web App. Attacks
• Data Theft
• Backdoor
• Physical Security

(Chart shown on the slide) ADOBE 600M, SONY 400M, Ashley Madison 200M, RSA 120M, Evernote 80M, Gov 40M; Total $2 Billion

Reality

Reality: www.shodan.io

Reality: www.zoomeye.org

Open source intelligence (OSINT)
• Social media
• Search engines
• Blogs and user generated content
• Activist forums
• User groups
• Chat rooms

Data leakage
• E-mail harvesting
• People search
• Password search
• Access user account
• Mass / Spear phishing
• Fraudulent domain
• Malware
• Data theft

Reality

Have I been Hacked?
• theHarvester
• haveibeenpwned.com
• hacked-emails.com
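The "password search" item above and the haveibeenpwned.com check can be done without handing the password to anyone: HIBP's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every known hash suffix under that prefix, so the match is made locally. The following is an added example, not code from the slides or from BGA; the request shape is HIBP's public k-anonymity design, while the response body, the breach counts and the helper names are constructed so the script runs offline.

```python
"""Pwned Passwords check using HIBP's k-anonymity range API, offline.

Added example, not code from the original slides or from BGA. The request
shape (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the
SHA-1>, answered by one "SUFFIX:COUNT" line per matching hash) is the public
haveibeenpwned.com design; the response body below is constructed so that
the check runs without network access.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the service and the 35-character suffix that
    never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into {suffix: count}. Blank lines and
    CRLF endings are tolerated; a malformed line raises rather than
    silently reporting "not breached"."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"unexpected range line: {raw!r}")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password occurs in the corpus (0 = absent).

    fetch_range(prefix) must return the response body for that 5-character
    prefix. Only the prefix is sent, so the service learns neither the
    password nor its full hash; the suffix comparison happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str, timeout: float = 10.0) -> str:
    """Real lookup against api.pwnedpasswords.com (needs network; not used
    by the offline demo below). HIBP asks for a descriptive User-Agent."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed response for prefix 5BAA6 (the SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The counts and the other
# suffixes are made up for the demo; a real range holds several hundred lines.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "4C49094D50C1AF9AD6F6A8B2E7D3C0BB5A1:1\r\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_live that serves the constructed data;
    an unknown prefix yields an empty range, i.e. no matches."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 4711!"):
        n = pwned_count(candidate, fetch_range_offline)
        verdict = f"seen {n} times in breaches" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the password itself is still only hashed locally and only the five-character prefix goes over the wire.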

Just do it!
• Zero Trust
• Security Operation Center (SecOps)
• Simulation of Cyber Attacks and Anomalies
• Advanced Persistent Threat (APT)
• Continuous Security Scan (CSS)
• Cyber Threat Intelligence (CTI)

Watch it if you need motivation: https://www.youtube.com/watch?v=ZXsQAXx_ao0

Zero Trust
• On February 12, 2013, President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” The Executive Order is designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk.
• It does this by focusing on three key areas:
  1. information sharing
  2. privacy
  3. the adoption of cybersecurity practices
• https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/eo-13636

Why we need “Security Operation Center / SecOps”

• Establishing 360 degrees of field dominance
• Catching (capturing) successful cyber attacks
• Identifying abnormal (or unexpected) issues in our network in advance
• Measuring the damage of possible successful security risks (!)
• Minimizing loss of valuable data

What we need for “Security Operation Center / SecOps”

• Incident response team
• Log correlation (SIEM)
• NetFlow / sFlow collection
• Full packet capture
• Anomaly detection mechanism
• Effective communication with ...
  1. Local CSIRT Teams (usom.gov.tr)
  2. National CSIRT Teams (trusted-introducer.org)
  3. Internet Service Providers (Turktelekom, Superonline etc.)
  4. and BGA as a strong company : ))
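"Log correlation (SIEM)" on the list above is the piece that turns collected logs into something an incident response team can act on. The example below is added here and is not code from the slides or from BGA: a sliding-window correlation rule run over constructed OpenSSH auth log lines, which raises a medium alert when one source fails to log in five times within two minutes and a high alert when that same source is then accepted. The rule names, thresholds and sample lines are this example's own choices, not a specific product's.

```python
"""SIEM-style correlation over SSH auth logs: brute force, then success.

Added example, not code from the original slides or from BGA. The log
lines are constructed in OpenSSH/syslog format; the rule, thresholds and
alert names are this example's own choices, not a specific product's.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional

# Matches "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str, year: int = 2017) -> Optional[Dict[str, object]]:
    """Parse one sshd line into an event dict, or None for lines the rule
    does not care about. Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "ip": m["ip"]}


def correlate(lines: Iterable[str], threshold: int = 5,
              window_seconds: int = 120, year: int = 2017) -> List[Dict[str, object]]:
    """Sliding-window rule per source IP:
    - 'ssh_bruteforce' (medium) when `threshold` failures land inside the window;
    - 'ssh_bruteforce_success' (high) when a login is then accepted from the
      same IP while the window still holds at least `threshold` failures.
    A success clears that IP's window so one sequence yields one alert."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        window = failures[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # expire failures older than the window
        if ev["outcome"] == "Failed":
            window.append(ts)
            if len(window) == threshold:  # fire once, on crossing the line
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "ip": ip, "host": ev["host"], "ts": ts,
                               "failures": threshold})
        else:
            if len(window) >= threshold:
                alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                               "ip": ip, "host": ev["host"], "ts": ts,
                               "user": ev["user"], "failures": len(window)})
            window.clear()
    return alerts


# Constructed sample: one source hammers web01 six times in 30 seconds and
# then gets in as "deploy"; the other two sources are normal activity.
SAMPLE_LOG = """
Feb 11 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Feb 11 10:01:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Feb 11 10:01:09 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51124 ssh2
Feb 11 10:01:14 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51124 ssh2
Feb 11 10:01:20 web01 sshd[2213]: Failed password for deploy from 203.0.113.7 port 51126 ssh2
Feb 11 10:01:26 web01 sshd[2213]: Failed password for deploy from 203.0.113.7 port 51126 ssh2
Feb 11 10:01:27 web01 sshd[2213]: Received disconnect from 203.0.113.7 port 51126:11: Bye Bye [preauth]
Feb 11 10:01:31 web01 sshd[2214]: Accepted password for deploy from 203.0.113.7 port 51128 ssh2
Feb 11 10:02:00 web01 sshd[2220]: Failed password for alice from 198.51.100.20 port 40012 ssh2
Feb 11 10:02:30 web01 sshd[2221]: Accepted password for alice from 198.51.100.20 port 40014 ssh2
Feb 11 10:03:00 web01 sshd[2230]: Accepted publickey for bob from 192.0.2.10 port 22000 ssh2
""".strip().splitlines()


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The window is keyed on source IP only; a distributed attack that spreads the failures over many sources stays below the threshold, which is where the NetFlow data and the anomaly detection mechanism on the same list have to take over.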

Why should we do “Simulation of Cyber Attacks and Anomalies”

Example Case for Simulation of Cyber Attacks and Anomalies

Advanced Persistent Threat (APT)

Monitoring services shown on the slide diagram:
• Data Leakage Monitoring
• Social Network Monitoring
• DeepWeb / DarkWeb Digging
• Fraudulent Domain Tracking
• Brand Watch
• Smart Intelligence
• Botnet Control
• Fraudulent Mobile App Monitoring
• Phishing Web Site Monitoring
• DNS / Domain Whois Monitoring
• Passive Vulnerability Scanning
• Paste Site Monitoring

Cyber Intelligence Management Portal (diagram): Your Assets, Admin/Analysts, Notifications, Customers/Clients
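Fraudulent domain tracking, DNS / domain whois monitoring and phishing web site monitoring on the diagram all start from the same question: which freshly registered domains look like ours? The example below is added here and is not code from the slides or from BGA. It generates the usual look-alike labels for a brand (omission, transposition, digit homoglyphs, hyphenation, repetition, insertion, replacement, TLD swap) and matches a constructed "newly registered domains" feed against them; the brand "examplebank", the homoglyph table and the feed are all made up for the demo, and a real deployment would read the feed from a zone-file diff, Certificate Transparency logs or a registrar API.

```python
"""Fraudulent-domain tracking: generate look-alike domains for a brand and
match them against a feed of newly registered domains.

Added example, not code from the original slides or from BGA. The brand
"examplebank", the homoglyph table and the domain feed are constructed for
the demo; a real deployment would read the feed from a zone-file diff,
Certificate Transparency logs or a registrar API.
"""
from typing import Dict, Iterable, List, Optional, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# Small, constructed subset of the digit-for-letter swaps seen in phishing domains.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5", "g": "9"}


def typosquat_candidates(brand: str) -> Dict[str, str]:
    """Return {lookalike_label: technique} for a brand label (no TLD).
    Earlier techniques win when two of them produce the same string."""
    cands: Dict[str, str] = {}

    def add(label: str, how: str) -> None:
        if label and label != brand:
            cands.setdefault(label, how)

    n = len(brand)
    for i in range(n):                       # drop one character
        add(brand[:i] + brand[i + 1:], "omission")
    for i in range(n - 1):                   # swap adjacent characters
        add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:], "transposition")
    for i, ch in enumerate(brand):           # look-alike digit
        if ch in HOMOGLYPHS:
            add(brand[:i] + HOMOGLYPHS[ch] + brand[i + 1:], "homoglyph")
    for i in range(1, n):                    # inserted hyphen
        add(brand[:i] + "-" + brand[i:], "hyphenation")
    for i, ch in enumerate(brand):           # doubled character
        add(brand[:i] + ch + brand[i:], "repetition")
    for i in range(n + 1):                   # any extra letter
        for c in ALPHABET:
            add(brand[:i] + c + brand[i:], "insertion")
    for i, ch in enumerate(brand):           # any substituted letter
        for c in ALPHABET:
            if c != ch:
                add(brand[:i] + c + brand[i + 1:], "replacement")
    return cands


def classify_domain(domain: str, brand: str, primary_suffix: str,
                    cands: Dict[str, str]) -> Optional[str]:
    """Name the technique a feed domain uses against the brand, or None.
    Assumes the feed carries registrable domains, so the text before the
    first dot is the label and the rest is the public suffix."""
    label, _, suffix = domain.lower().partition(".")
    if label == brand:
        return None if suffix == primary_suffix else "tld_swap"
    if label in cands:
        return cands[label]
    if brand in label:                       # e.g. examplebank-login
        return "brand_inclusion"
    return None


def scan_feed(feed: Iterable[str], brand: str,
              primary_suffix: str) -> List[Tuple[str, str]]:
    """Run every feed domain through classify_domain and keep the hits."""
    cands = typosquat_candidates(brand)
    hits: List[Tuple[str, str]] = []
    for domain in feed:
        how = classify_domain(domain, brand, primary_suffix, cands)
        if how:
            hits.append((domain, how))
    return hits


# Constructed "newly registered domains" feed for brand examplebank.com.
NEW_DOMAINS_FEED = [
    "examp1ebank.com",        # l -> 1
    "examplebank-login.com",  # brand plus a lure word
    "example-bank.com.tr",    # hyphen, under a different suffix
    "unrelated.net",
    "examplebank.net",        # same label, other TLD
    "exammplebank.com",       # doubled m
    "examplebonk.com",        # a -> o
    "bankexample.org",        # not caught by these rules
]


if __name__ == "__main__":
    for domain, how in scan_feed(NEW_DOMAINS_FEED, "examplebank", "com"):
        print(f"{domain:26} {how}")
```

Generating the candidates once and looking the feed labels up in a dictionary keeps each feed run linear in the feed size, which matters when the feed is a daily zone-file diff; the "brand_inclusion" rule is deliberately last because it is the noisiest.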

Effective Vulnerability Management!
http://www.slideshare.net/bgasecurity/stsec-2015-norm-shield-why

Vulnerability Management

Solution: Vulnerability Management & Cyber Threat Intelligence