Incident Response 101 - ISACA

Posted on 27-Mar-2018



Incident Response 101: You’ve been hacked, now what?

Gary Perkins, MBA, CISSP

Chief Information Security Officer (CISO), Information Security Branch, Government of British Columbia

Agenda:

threat landscape: threat actors, attack vectors

incident response: preparation, identification, containment, eradication, recovery, lessons learned

next steps

Threat Actors:

students

competitors

employees (intentional)

ex-employees

intelligence agencies

political parties

contractors

dinosaurs

executives

employees (unintentional)

fraudsters

script kiddies

partners

insiders

hacktivists

nation-states

organized crime

cyber-terrorists

“My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts.”

Attack Vectors/Methods:

social engineering

phishing

botnets

web apps

distributed denial of service (DDoS)

malvertising

supply chain, partners

removable media, USB

mobile apps

waterholing

backdoors

executive spearphishing

wireless

escalation of privileges

misconfiguration

DNS poisoning

vulnerabilities

SYN floods

buffer overflows

SQL injection

malware

weak passwords

social media

malformed packets

cross-site scripting

zero day exploits

Attacks for Hire:

Distributed Denial of Service (DDoS): volumetric attack, exceeds bandwidth, disrupts service

Recent Phishing Example:

South Korea

Attack Scenario:

Stage 0: Infection

Stage 1: Intermediates

Stage 2: Relays

Stage 3: Exfiltration

(diagram labels: Internet, Enterprise Network, A-Team, B-Team)

“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.” – Gartner, Inc., 2012

“Organizations face an evolving threat scenario that they are ill-prepared to deal with.” – Gartner, “Best Practices for Mitigating Advanced Persistent Threats,” January 2012.

PICERL: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

“No battle plan survives contact with the enemy” – attributed to Colin Powell, Napoleon, George Patton, Helmuth von Moltke

Preparation

build a security incident response plan: establish mandate and executive buy-in, identify roles and responsibilities, incorporate job aids and templates

build a security incident response team: dedicated, virtual, or outsourced; invest in the team, training and other career development

acquire necessary tools to be successful

test the plan, team, and tools: table top, drills, minor events

engage and communicate with other stakeholder teams as needed

Preparation (con’t)

roles and responsibilities: incident commander, note-taking, communications, law enforcement and intelligence communities, legal, privacy, forensics, vendors

Preparation (con’t)

jump bag/kit: documentation, contact lists, camera, memo recorder, media (USB, hard drive, blank media), write-blocker, live CDs, software tools, hardware toolkit, cables, dongles, adapters, spare batteries

Identification

capture definition of incidents in incident response plan

event: any observable occurrence in a system or network

incident: an adverse event in an information system and/or network, or the threat of the occurrence of such an event. Incident implies harm, or the intent to do harm

determines severity level, business impact, and drives proportionate response

ensure common understanding, engage stakeholders, manage misinformation

Identification (con’t)

types of incidents:

a) violation of explicit or implied security policy

b) unauthorized access

c) denial of service

d) unauthorized or inappropriate use

e) changes without owner’s knowledge, instruction, or consent

f) malicious code

Containment

prevent additional damage: short-term containment, isolation if required

forensic copy of affected systems

determine if system will remain online

temporarily patch system and remove attack vector, allow normal business to continue

limit spread of malware and risk of other systems being compromised

Eradication

removal and restoration of affected systems: thorough, systematic steps taken to mitigate risk

further understand attack vector: review all logs, scan systems in environment, look for other symptoms of compromise

permanently remove traces, clean up remnants, ensure cannot re-infect environment

cleaning is not enough: flatten the system (“nuke and pave”)

Recovery

return systems to normal operation: re-image affected machines from known good copy

ensure systems no longer vulnerable

test, monitor, and validate as each system is returned to production environment

carefully re-introduce each element so as to avoid re-infection

business decision when to execute recovery plan

Lessons Learned

hold meeting within 2 weeks of incident; complete remaining documentation

valuable training material for new members

walk through and review play-by-play of incident report: when and how incident detected and by whom, scope and severity of incident, methods used in containment and eradication

identify areas of strength: improve system security

identify opportunity areas: not about blame
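The PICERL phases above, as an added example that is not part of the deck: a small Python tracker that lets an incident advance only when the gate the slides describe is satisfied (forensic copy of every affected system before eradication changes, re-image from a known good copy before recovery, validation of each system before lessons learned) and computes the two-week lessons-learned deadline. Hostnames and dates are constructed for the walk-through.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# PICERL phases in the deck's order; preparation is standing work, so tracking starts at identification.
PHASES = ["identification", "containment", "eradication", "recovery", "lessons_learned"]

@dataclass
class Incident:
    detected: str                                       # ISO date the incident was detected
    affected: set = field(default_factory=set)          # hostnames of affected systems (constructed)
    phase: str = "identification"
    forensic_copy: set = field(default_factory=set)     # hosts imaged before containment changes
    reimaged: set = field(default_factory=set)          # hosts flattened from a known-good image
    validated: set = field(default_factory=set)         # hosts tested and monitored after return
    notes: list = field(default_factory=list)           # (from, to, blockers) per attempt

    def blockers(self, to: str) -> list:
        """Reasons the incident may not enter phase `to`; empty when the gate is satisfied."""
        if to not in PHASES or PHASES.index(to) != PHASES.index(self.phase) + 1:
            return [f"cannot move from {self.phase} to {to}; phases run in order"]
        gates = {"eradication": (self.forensic_copy, "no forensic copy"),   # evidence first
                 "recovery": (self.reimaged, "not re-imaged"),              # nuke and pave
                 "lessons_learned": (self.validated, "not validated")}      # test before prod
        done, why = gates.get(to, (self.affected, ""))
        return [f"{h}: {why}" for h in sorted(self.affected - done)]

    def advance(self, to: str) -> bool:
        reasons = self.blockers(to)                     # log the attempt either way
        self.notes.append((self.phase, to, reasons))
        if reasons:
            return False
        self.phase = to
        return True

    def lessons_learned_due(self) -> str:
        return (date.fromisoformat(self.detected) + timedelta(days=14)).isoformat()  # within 2 weeks

def run_example() -> Incident:
    # Constructed walk-through: two workstations, one forensic copy forgotten at first.
    inc = Incident(detected="2018-03-01", affected={"ws-17", "ws-22"})
    inc.advance("containment")
    inc.forensic_copy.add("ws-17")
    inc.advance("eradication")           # refused: ws-22 has no forensic copy yet
    inc.forensic_copy.add("ws-22")
    inc.advance("eradication")
    inc.reimaged.update(inc.affected)
    inc.advance("recovery")
    inc.validated.update(inc.affected)
    inc.advance("lessons_learned")
    return inc
```

The `notes` list doubles as the play-by-play the lessons-learned slide asks for: every refused transition and its reason is kept alongside the successful ones.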

Next Steps:

verify the existence of your security incident response plan and that it is up to date

buy your security incident response team members a coffee

support the development of team members and acquisition of key tools

ensure plan and team members perform regular drills: table top exercises, war games, attack simulations, cybersecurity drills, actual events

don’t forget to capitalize on lessons learned

“Always costs less to avoid a breach than to suffer one…”

Questions

Gary Perkins, MBA, CISSP

Exec Director & Chief Information Security Officer, Information Security Branch, Office of the Chief Information Officer