Best Practices in Cyber Incident Response - Stay Safe Online


Page 1:

Best Practices in Cyber Incident Response

Webinar will begin promptly at 2pm Eastern
*All speakers will remain muted until that time

Presented By:

@staysafeonline

Page 2:

www.staysafeonline.org @staysafeonline

Page 3:

Thanks to our National Sponsors (Signature Sponsor, Contributing Sponsor)

Over 6,000 webinar attendees

Over 2,000 workshop attendees

Over 15,000 subscribers

Strategic Partner

Page 4:

Upcoming Events

• September 17: CyberSecure My Business workshop, Charlotte, NC

• September 24: CyberSecure My Business workshop, Madison, WI

• October: National Cybersecurity Awareness Month!

• October 22: CyberSecure My Business Workshop, Austin, TX

Register and view all events at: https://staysafeonline.org/events/

Page 5:

For more information: https://staysafeonline.org/ncsam/

How to Get Involved

• Become a NCSAM Champion: sign up, take action and make a difference in online safety and security. It's free and simple to register.

• Post on social media using #CyberAware and #BeCyberSmart

• Promote NCSAM and link to staysafeonline.org/ncsam on your company website

• Submit your events to NCSA’s community calendar by emailing [email protected]

Page 6:

Research, Development, Innovation, Verizon Threat Research Advisory Center

https://enterprise.verizon.com/resources/reports/verizon-threat-research-advisory-center/

Global Managed Detection & Response (MDR) Manager

https://www.trendmicro.com/en_us/business.html

Page 7:

https://www.trendmicro.com/en_us/business.html

Global Managed Detection & Response (MDR) Manager

SVP Corporate Social Responsibility & Education

Page 8:

Incident Response Primer
Jay Yaneza

Page 9:

© 2019 Trend Micro Inc.

First and foremost: what is Incident Response?

• The first objective, always, is to identify and qualify the threat so that the business can get back up and running. This is mandatory.
• The process itself should not take hours (unlike forensics); everything happens in real time.
• It occurs naturally when the preventive mechanisms protecting an environment fail: you need to plug the leak in the ship.
• It can succeed without ever identifying the threat actors; there is no need to prove a point or to produce insights.
• It has since evolved into 'live response': artifacts are discovered on live systems (not 'dead' images) that the adversary has touched.

Page 10:

What about Computer Forensics?

• Classic definition: disk and memory imaging, coupled with network pcaps. This can take hours; urgency is less of a priority, accuracy is.
• It doesn't occur naturally, but may be required (e.g., by law enforcement). If and when it occurs, it comes after the fact.
• In-depth analysis, using the artifacts collected by incident response and more. Timelines.
• More concerned with finding and documenting activities. The difference from live response? This is a dead machine: think autopsy.
• Mostly a luxury.

Page 11:

How does this differ from Malware Handling?

• Called upon when malware is used in an incident, but of little use in other events (e.g., DDoS, physical theft, cases like child pornography, etc.).
• Should exhibit skills appropriate to the moment it is called upon: are you detecting or analyzing?
• Often used interchangeably with malware analysis, but that should not be the case:
  – In incident response, it should support "putting out the fire"
  – In digital forensics, it should support post-incident activities
• Even deeper: a malware analyst (a.k.a. reverse engineer) may need to determine which capabilities are built into the code base. Look into: malicious capabilities, propagation characteristics, and signatures (or IOCs) for detecting its presence.

Page 12:

Differentiation* (guide only)

Role
  Malware Handling: called upon an event in which an incident may involve malware.
  Incident Response: put out the incident, limit the damage and get the business running.
  Forensics: determination of cause, entry, implications, future recommendations, etc.

Goals
  Malware Handling: identify/secure malware
  Incident Response: quick containment or remediation
  Forensics: accurate understanding of the incident

When are they engaged?
  Malware Handling: initial
  Incident Response: initial
  Forensics: on-going, post-incident

Who defines tasks?
  Malware Handling: undefined
  Incident Response: defined by business
  Forensics: mostly by industry

Required by business
  Malware Handling: maybe limited
  Incident Response: yes
  Forensics: depends

Data Requirements
  Malware Handling: symptom or malware file
  Incident Response: classified incident, short-term data of the incident
  Forensics: everything possible, longer duration

Team/individual skills
  Malware Handling: individual; malware hunting
  Incident Response: team; business process, OS/platform/network
  Forensics: team; OS/platform/network

Benefits
  Malware Handling: quick identification
  Incident Response: FLOD, limit damage
  Forensics: eradication, security posture improvement

Page 13:

Incident Handling: Two common pitfalls

Page 14:

#1: serial handling of an incident

Note that it is impossible to accomplish everything in good time!!

Understand urgency: 15 mins
Gather evidence: 45 mins
Analyze file artifacts: 60 mins
Analyze network artifacts: 60 mins
Additional hunting: 30 mins
Conference calls: 30 mins
... wash, rinse, repeat ...

Handled serially, these steps have already consumed approximately 4 man-hours (240 minutes). The "one-nine" availability only allows 2.4 hours of downtime.

The same 4 man-hours would be only about 1.33 hours of elapsed time in reality if the steps are handled in parallel rather than one after another (e.g., three responders splitting the 240 minutes: 80 minutes each).

Page 15:

#1: serial handling of an incident

Organization
Roles and responsibilities should be identified. What do you do when something happens (e.g., call the boss)? How are media inquiries handled (if ever)? Is there a need to coordinate with law enforcement? Who documents the incident? Who holds all the evidence?

Incident Response (proper)
Who handles the incident internally? Which tools need to be executed first-hand (and do you want to do so)? What are the standard operating procedures of your security vendor? Do you stop the infection, or keep it alive if the system needs to stay up?

Coordination and Communication
Do you need to coordinate with your ISP? Are there other organizations you need to communicate this to, such as partner organizations? Who communicates with law enforcement? Who communicates with the security vendor?

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Page 16:

#2: undefined goals when an incident occurs

• These situations/questions should be classified:
  – Help, we have an outbreak!
  – How did the hacker gain a foothold?
  – Was an unknown or unpatched vulnerability exploited?
  – What file or executable contained the attack?
  – How many systems were impacted?
  – What specifically was exfiltrated?
  – What are the origin and motivation of the hackers?
  – What was the dwell time of the attack?

Page 17:

#2: undefined goals when an incident occurs

The questions on the previous slide ("Help, we have an outbreak!", which file carried the attack, how many systems were impacted, whether an unknown or unpatched vulnerability was exploited, how the foothold was gained, what was exfiltrated, who the attackers are and why, and the dwell time) need to be reduced to the ones the business actually needs answered:

1. What is the value of the host?
2. Are other systems of equal or higher importance vulnerable?
3. How was the host attacked?
4. Do we know if there was a breach?
5. What actions would prevent this in the future?

Page 18:

“Super Hackers” are a myth ...

Point of entry: service vulnerability

Initial compromise (T+0, Jan 2016): RDASrv, PwnPOS, Dexter, Searcher.dll, FGDump
T+30 days: via command-line FTP: NewPOSThings
T+36 days: via command-line FTP: Alina, Mimikatz
T+43 days: via command-line FTP: NewPOSThings, Spygate
T+58 days: via command-line FTP: Netwire, Project Hook
T+67 days (March 2016): (download) NewPOSThings, FGDump (from excluded location)

Legend on the slide: Data exfiltration | Lateral Movement | Persistence | {New Tactics}

Page 19:

Only one clue to unravel the mystery

Unusual things to look out for:
1. IP addresses
2. Access time
3. User name/password violations
4. Data transfer (in/out)
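To make those four clues concrete, here is an added example (not from the webinar or either presenter) that runs each check over a constructed log. The pipe-delimited log format, the internal address ranges, the business-hours window, the thresholds and the `svc_backup` allow-list are all assumptions made for the example.

```python
"""Triage a constructed auth/transfer log for the four 'unusual things' on the slide:
unexpected IP addresses, odd access times, credential violations and large transfers.
Added example; the log format, thresholds and networks are assumptions, not from the webinar."""
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed sample log (not from any real system): timestamp|user|src_ip|event|bytes_out
SAMPLE_LOG = """\
2019-03-04T09:12:01|jsmith|10.1.4.22|login_ok|0
2019-03-04T09:40:17|jsmith|10.1.4.22|transfer|120000
2019-03-04T23:58:40|svc_backup|10.1.9.5|login_ok|0
2019-03-05T02:13:09|admin|203.0.113.45|login_fail|0
2019-03-05T02:13:12|admin|203.0.113.45|login_fail|0
2019-03-05T02:13:15|admin|203.0.113.45|login_fail|0
2019-03-05T02:13:19|admin|203.0.113.45|login_fail|0
2019-03-05T02:13:22|admin|203.0.113.45|login_fail|0
2019-03-05T02:13:30|admin|203.0.113.45|login_ok|0
2019-03-05T02:20:02|admin|203.0.113.45|transfer|850000000
"""

# Assumed environment baseline: internal ranges, business hours, accounts allowed off-hours.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time
OFF_HOURS_ALLOWED = {"svc_backup"}       # scheduled jobs that legitimately run at night
FAIL_THRESHOLD = 5                       # failed logins per (user, source) before flagging
BYTES_OUT_THRESHOLD = 100 * 1024 * 1024  # 100 MiB in a single outbound transfer


def parse_log(text):
    """Parse the pipe-delimited log into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event, nbytes = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "event": event,
            "bytes": int(nbytes),
        })
    return events


def is_external(ip):
    """True when the address is outside every known internal range."""
    return not any(ip in net for net in INTERNAL_NETS)


def triage(events):
    """Return a list of (indicator, user, detail) findings, one per suspicious event."""
    findings = []
    failures = Counter()
    for e in events:
        ts, user, ip, event = e["ts"], e["user"], e["ip"], e["event"]
        # 1. IP addresses: successful logins from outside the known internal ranges
        if event == "login_ok" and is_external(ip):
            findings.append(("external_ip", user, str(ip)))
        # 2. Access time: successful logins outside business hours by non-service accounts
        if event == "login_ok" and ts.hour not in BUSINESS_HOURS and user not in OFF_HOURS_ALLOWED:
            findings.append(("off_hours", user, ts.isoformat()))
        # 3. User name/password violations: a burst of failures from one user/source pair
        if event == "login_fail":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == FAIL_THRESHOLD:   # flag once, when the threshold is hit
                findings.append(("auth_violations", user, f"{FAIL_THRESHOLD} failures from {ip}"))
        # 4. Data transfer: a single outbound transfer above the size threshold
        if event == "transfer" and e["bytes"] >= BYTES_OUT_THRESHOLD:
            findings.append(("data_transfer", user, f"{e['bytes']} bytes out, session from {ip}"))
    return findings


def summarize(findings):
    """Count findings per indicator so a responder can see which clue to pull on first."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    for kind, user, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{kind:16} {user:12} {detail}")
```

Every one of these rules needs a baseline to be useful: the `svc_backup` allow-list exists because a raw off-hours rule fires on every legitimate scheduled job, and the per-(user, source) failure counter catches brute force against one account but misses password spraying across many accounts, which needs a per-source counter instead.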

Page 20:

File-less threats do exist, of course ...

Multi-stage threat:
1. Emotet: arrives by email, performs injection
2. Nymaim: often used to load other threats
3. Nozelesn: ransomware (fileless)

Stage timings shown on the slide: Immediate; ~5 days; ~8 hours.

Page 21:

What can I do then? Effective Prevention!

CIS Critical Security Controls for Effective Cyber Defense
• A guideline of 20 key actions that organizations should take to block or mitigate known attacks.
• https://www.cisecurity.org/controls/

Ask for the Top 5 (control names as numbered in CIS Controls version 6; later versions rename and renumber them):
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges

Page 22:

Summary

Incident Response is about getting the business back up and running. It could be as simple as restoring from backup.

Prepare the environment (via effective prevention), prepare the business (ensure the fastest recovery), and know the processes involved.

Communicate what needs to be done internally, and work with your security vendor / technology specialist early on.

Page 23:

References

https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/

https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-part-2-tools-and-malware-used-and-how-to-detect-them/

https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-distributed-ransomware-loader-for-nozelesn-found-via-managed-detection-and-response/

Page 24:

Research, Development, Innovation, Verizon Threat Research Advisory Center

https://enterprise.verizon.com/resources/reports/verizon-threat-research-advisory-center/

Page 25:

Verizon confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.

State of the Data Breach

Page 26:

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

2019 Data Breach Investigations Report

Page 27:

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon's service.

This document and any attached materials are not to be disseminated, distributed or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon.

© 2019 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.

All other trademarks and service marks are the property of their respective owners.

Proprietary Statement

Page 28:

VTRAC | Investigative Response Team

• Verizon Threat Research Advisory Center

• Performs cybersecurity investigations for hundreds of commercial enterprises and government agencies worldwide.

• Conducts hundreds of proactive, incident response-related assessments and data breach simulation exercises

• Capabilities include endpoint forensics, network forensics, malware reverse engineering, threat intelligence, threat hunting, dark web research, mobile device forensics, complex data recovery, as well as breach simulations, IR capability assessments, and IR Plan / playbook development

• Created or contributed to the DBIR, Data Breach Digest, Insider Threat Report, Payment Security Report, and Verizon Incident Preparedness and Response (VIPR) Report

Endpoint Forensics Examiner

Network Forensics Specialist

Malware Reverse Engineer

Threat Intelligence Analyst

Threat Hunting Specialist

Dark Web Researcher

Page 29:

The time from the attacker’s first action in an event chain to the initial compromise of an asset is typically measured in minutes.

The time to discovery is more likely to be months; discovery time is very dependent on the type of attack in question.

Data Breach Timelines

Page 30:

Data Breaches – Summary of Findings

Page 31:

Threat Actors

External threat actors are still the primary force behind breaches (69%) while insiders account for 34%.

Financial gain is still the most common (known) motive behind data breaches. One quarter of all breaches are associated with espionage.

Page 32:

In 2014, we identified nine incident patterns that cover most of the threats organizations are likely to face.

In the 2019 report, 98.5% of security incidents and 88% of confirmed data breaches still fall into these nine patterns.

Pattern consistency allows security professionals to prioritize spend when investing in IT / OT / IoT security.

Incidents | Breaches per Pattern

Page 33:

State of Incident Preparedness

Page 34:

Incident Preparedness and Response Report

Taming the Data Beast Breach

Page 35:

Scenario #4: Cyber-Espionage – the 'Katz-Skratch Fever'
Phase 4 – Collection and Analysis

• LE notified the victim that several foreign IP addresses were communicating with its systems
• In-scope system examination revealed 'mimikatz', a clear-text password and NTLM hash scraping tool
• A sys admin with engineering division domain controller access was phished with an email carrying a malicious PDF attachment
• With the sys admin's credentials, the threat actor moved laterally across domain controllers and engineering file servers
• Approximately 3,000 sensitive, proprietary CAD drawings, schematics, and designs were uploaded to an FTP site

Page 36:

Scenario #4: Cyber-Espionage – the 'Katz-Skratch Fever'
Phase 4 – Collection and Analysis
Countermeasure Recommendations

Detection and Response
• Engage LE when the time is right
• Engage third-party investigators
• Collect and preserve evidence
• Leverage threat intelligence

Mitigation and Prevention
✓ Provide cybersecurity awareness training
✓ Make external emails stand out
✓ Implement MFA
✓ Require VPN access for remote connections

Page 37:

• The IR process provides a standardized, enterprise-wide workflow

• It is iterative and follows an overall cyclical flow from its beginning until its conclusion

• Typical IR Plans utilize 4-6 phases

Incident Response Process

Page 38:

Planning and preparing for cybersecurity incidents is crucial for an effective response

Key IR Plan Elements

Page 39:

Topping the list for overall IR Plan assessment recommendations:

1. [85%] defining tactical responder qualifications

2. [83%] providing data analysis guidance

3. [78%] citing external cybersecurity response governance and standards

4. [78%] databasing incident reports and lessons learned results

Plan Assessments

Page 40:

Building an Effective Response

Page 41:

Plan Construction
• 79% had an IR Plan in place
• 48% had a logically constructed, efficient IR Plan
✓ TA #1: Construct a logical, efficient IR Plan
• 40% explicitly specified periodic reviewing, testing, and updating of the IR Plan
✓ TA #3: Periodically review, test, and update the IR Plan

Plan Relevancy
• 22% cited no internal security policies or procedures
• 38% cited no legal or regulatory requirements
✓ TA #4: Cite external and internal cybersecurity and incident response governance and standards

Phase 1 – Planning and Preparation

Page 42:

Stakeholders

Phase 1 – Planning and Preparation

Page 43:

Internal IR Stakeholders
• 57% fully designated stakeholders
• 52% fully described roles and responsibilities
✓ TA #5: Define internal IR stakeholder roles and responsibilities

Tactical Responders
• 53% fully designated tactical responders
• 47% fully described tactical responder roles and responsibilities
• 83% specified no, or only partial, tactical responder qualifications
✓ TA #7: Train and maintain skilled tactical responders

Phase 1 – Planning and Preparation

Page 44:

Incidents and Events
• 62% fully classified cybersecurity incident types
• 67% fully defined severity levels
✓ TA #10: Classify incidents by type and severity level

Detection Sources
• 40% fully described non-technical detection sources
• 31% fully described technical detection sources
✓ TA #11: Describe technical and non-technical incident detection sources

Phase 2 – Detection and Validation

Page 45:

Escalating / Communicating
• 40% fully specified IR stakeholder escalation criteria
• 45% fully specified IR stakeholder notification procedures
✓ TA #13: Specify escalation and notification procedures

Escalation Matrix
This matrix depends on pre-defined incident types (e.g., crimeware), a severity level assigned to each incident (e.g., high, medium, low), and identified IR stakeholders with need-to-know and need-to-be-informed status.

Phase 2 – Detection and Validation

Page 46:

Collecting and Analyzing
• 16% fully specified collection and analysis procedures
• 9% fully specified collection and analysis tools
✓ TA #15: Specify evidence collection and data analysis tools and procedures

Evidence Handling
• 26% fully specified evidence handling procedures
• 21% fully specified evidence submission and chain of custody form use
✓ TA #16: Specify evidence handling and submission procedures

Phase 4 – Collection and Analysis

Page 47:

Containing and Eradicating (Phase 3 – Containment and Eradication)
• 52% fully specified containment measures
• 50% specified eradication measures
✓ TA #14: Provide containment and eradication measures

Remediating and Recovering (Phase 5 – Remediation and Recovery)
• 41% fully specified remediation measures
• 45% fully specified recovery measures
✓ TA #17: Provide remediation and recovery measures

Page 48:

Testing Your IR Plan

Page 49:

... and for breach simulation recommendations:

1. [30%] maintaining an up-to-date, unified IR Plan

2. [30%] creating IR Playbooks for specific incidents

3. [30%] establishing internal escalation protocols

4. [27%] defining internal IR stakeholder roles and responsibilities

Breach Simulations

Page 50:

Lessons Learned
• 76% fully required post-incident lessons learned activities
• 60% fully required IR Plan updating (based on lessons learned)
✓ TA #18: Feed post-incident lessons learned results back into the IR Plan

Measuring Success
• 24% fully required incident and response metrics tracking
✓ TA #20: Track incident and incident response metrics

Page 51:

1. Crypto-Jacking
2. Insider Threat
3. ICS Attack
4. Cyber-Espionage
5. Cloud Storming

Breach Simulation Kits

Page 52:

Scenario #5: Cloud Storming – the Slivered Lining

The Situation

• LE notified victim of systems likely compromised due to connections with malicious IP address

• Network log review found two systems making connections; both systems contained intellectual property

• Investigation yielded active RAT; malware analysis revealed domain names resolving to malicious IP address

• Intel found RAT was associated with APT; threat actor associated with intellectual property theft and MSP breaches

• IoC scans found multiple systems infected with backdoor persistence tools and various compromised accounts

• Investigation determined MSP accounts leveraged for network access; dark web monitored following investigation
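The first two investigative steps in this scenario (network log review for connections to the reported malicious IP, then widening the search to the domains that resolved to it and to the third-party accounts seen on the affected hosts) are routine enough to script. The following is an added example, not part of the Verizon/NCSA deck: it runs that triage over constructed firewall, DNS and authentication log lines. The IoC values, log formats, internal addresses and MSP account names are all assumptions made up for the example; in a real case the IP comes from the LE notification and the domains from malware analysis.

```python
"""Triage constructed firewall, DNS and auth logs against an IoC list.

Added example (not from the deck): find internal hosts that connected to
the reported malicious IP or resolved domains pointing at it, then list
which third-party (MSP) accounts were seen logging on to those hosts.
All log lines, IoCs and account names below are constructed.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed IoC set: the IP law enforcement reported plus the domains the
# malware analysis tied to it (assumed values, not real indicators).
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update-cdn.example.net", "sync.example.org"}
MSP_ACCOUNTS = {"svc-msp-backup", "msp-admin"}

# Constructed sample logs: one "timestamp key=value ..." record per line.
FIREWALL_LOG = """\
2019-08-01T02:14:07Z src=10.1.4.22 dst=203.0.113.45 dport=443 action=allow
2019-08-01T02:14:09Z src=10.1.4.22 dst=93.184.216.34 dport=443 action=allow
2019-08-01T03:02:51Z src=10.1.7.80 dst=203.0.113.45 dport=8443 action=allow
2019-08-01T08:30:00Z src=10.1.9.15 dst=198.51.100.9 dport=80 action=allow
"""

DNS_LOG = """\
2019-08-01T02:14:05Z client=10.1.4.22 query=update-cdn.example.net answer=203.0.113.45
2019-08-01T02:20:00Z client=10.1.9.15 query=www.example.com answer=93.184.216.34
2019-08-01T03:02:49Z client=10.1.7.80 query=sync.example.org answer=203.0.113.45
"""

AUTH_LOG = """\
2019-08-01T01:58:00Z host=10.1.4.22 user=svc-msp-backup event=logon type=remote
2019-08-01T02:00:00Z host=10.1.9.15 user=jsmith event=logon type=interactive
2019-08-01T02:59:10Z host=10.1.7.80 user=msp-admin event=logon type=remote
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv_lines(text):
    """Yield (timestamp, {key: value}) for each 'ts k=v k=v ...' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        yield ts, dict(KV.findall(rest))


def find_ioc_hits(fw_log=FIREWALL_LOG, dns_log=DNS_LOG, auth_log=AUTH_LOG,
                  ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS, msp_accounts=MSP_ACCOUNTS):
    """Return {host: {"connections": [...], "dns": [...], "third_party_logons": [...]}}
    for every internal host with at least one IoC match."""
    hits = defaultdict(lambda: {"connections": [], "dns": [], "third_party_logons": []})
    # Step 1: direct connections to the reported IP.
    for ts, f in parse_kv_lines(fw_log):
        if f.get("dst") in ioc_ips:
            hits[f["src"]]["connections"].append((ts, f["dst"], f.get("dport")))
    # Step 2: DNS lookups for the C2 domains, or any answer resolving to the IP.
    for ts, f in parse_kv_lines(dns_log):
        if f.get("query") in ioc_domains or f.get("answer") in ioc_ips:
            hits[f["client"]]["dns"].append((ts, f["query"], f.get("answer")))
    # Step 3: enrich matched hosts only - which third-party accounts were on them?
    for ts, f in parse_kv_lines(auth_log):
        if f.get("host") in hits and f.get("user") in msp_accounts:
            hits[f["host"]]["third_party_logons"].append((ts, f["user"]))
    return dict(hits)


def report(hits):
    """One summary line per affected host, sorted by IP address."""
    lines = []
    for host in sorted(hits, key=ipaddress.ip_address):
        h = hits[host]
        accounts = sorted({u for _, u in h["third_party_logons"]}) or "none"
        lines.append(f"{host}: {len(h['connections'])} IoC connection(s), "
                     f"{len(h['dns'])} IoC DNS event(s), third-party accounts: {accounts}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_ioc_hits()))
```

The ordering matters: the firewall and DNS passes build the set of affected hosts, and only then are authentication events filtered, so an MSP account logging on to an unaffected host is not reported as a finding. The DNS pass matches on the answer as well as the queried name, which catches a host that resolved a domain the analyst has not yet added to the list but that still pointed at the known IP.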


Countermeasure Worksheet


Scenario #5: Cloud Storming – the Slivered Lining

Countermeasure Recommendations

Detection and Response

✓ Employ FIM solution

✓ Review internet-facing system and app logs

✓ Require service providers to assist with collection

✓ Establish cloud data extraction process

Mitigation and Prevention

✓ Test security posture from all angles

✓ Enhance critical system security monitoring

✓ Manage / monitor third-party account access


Key Takeaways


Top 20 key takeaways for building a solid IR Plan


... and Remember it Takes a Team

• Chief Information Officer

• Chief Information Security Officer

• Legal Counsel

• Human Resources

• Corporate Communications

• Incident Commander

• Internal Investigator

• Cybersecurity Manager

• SOC Analyst

• CERT Responder


DBIR | VIPR Report

https://enterprise.verizon.com/resources/reports/vipr/

https://enterprise.verizon.com/resources/reports/dbir/


Thank you.

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.


National Cyber Security Alliance

www.staysafeonline.org/cybersecure-business

Signature Sponsor

@staysafeonline