Best Practices in Cyber Incident Response - Stay Safe Online
Best Practices in Cyber Incident Response
Webinar will begin promptly at 2pm Eastern. *All speakers will remain muted until that time.
Presented By: @staysafeonline
www.staysafeonline.org
Thanks to our National Sponsors: Signature Sponsor, Contributing Sponsor
Over 6,000 webinar attendees
Over 2,000 workshop attendees
Over 15,000 subscribers
Strategic Partner
Upcoming Events
• September 17: CyberSecure My Business workshop, Charlotte, NC
• September 24: CyberSecure My Business workshop, Madison, WI
• October: National Cybersecurity Awareness Month!
• October 22: CyberSecure My Business Workshop, Austin, TX
Register and view all events at: https://staysafeonline.org/events/
For more information: https://staysafeonline.org/ncsam/
How to Get Involved
• Become a NCSAM Champion – sign up, take action and make a difference in online safety and security. It’s free and simple to register.
• Post on social media using #CyberAware and #BeCyberSmart
• Promote NCSAM and link to staysafeonline.org/ncsam on your company website
• Submit your events to NCSA’s community calendar by emailing [email protected]
Research, Development, Innovation, Verizon Threat Research Advisory Center
https://enterprise.verizon.com/resources/reports/verizon-threat-research-advisory-center/
Global Managed Detection & Response (MDR) Manager
https://www.trendmicro.com/en_us/business.html
SVP Corporate Social Responsibility & Education
Incident Response Primer
Jay Yaneza
© 2019 Trend Micro Inc.
First and foremost: Incident Response?
• First objective, always, is identifying and qualifying the threat for the benefit of getting the business up and running. Mandatory.
• Actual process should not take hours (vs forensics); everything is real-time.
• Naturally occurs when the preventive mechanisms protecting an environment fail. Need to plug the leak in the ship.
• Can be successful without ever identifying threat actors; no need to prove a point or provide insights.
• Nowadays evolved to ‘live response’: artifacts are discovered on live systems (un-dead) that had been touched by the adversary.
What about Computer Forensics?
• Classic definition: disk and memory imaging, coupled with network pcaps – can take hours. Urgency is less of a priority – accuracy is.
• Doesn’t naturally occur, but may be required (law enforcement).
  – If and when it occurs, it comes after the fact
• Depth analysis, with the use of artifacts collected by incident response – and even more. Timelines.
• More concerned with finding and documenting activities.
  – Difference with live response? This is a dead machine – think autopsy.
• Mostly a luxury
How does this differ from Malware Handling?
• Gets called upon when malware is used in an incident, but has little use on other events (i.e., DDoS, physical theft, cases like child porn, etc.)
• Should exhibit skills according to the time called upon: are you detecting or analyzing?
• Often interchanged with malware analysis, but this should not be the case:
  – In incident response, should support “putting out the fire”
  – In digital forensics, should support post-incident activities
• Even deeper: a malware analyst (a.k.a. reverse engineer) may need to determine what capabilities are built into its code base.
  – Look into: malicious capabilities, understand its propagation characteristics, and define signatures for detecting its presence (or IOCs).
Differentiation* (guide only)
|                        | Malware Handling                                          | Incident Response                                                       | Forensics                                                                    |
| Role                   | Called upon an event that an incident may involve malware. | Put out the incident, limit the damage and get the business running.    | Determination of cause, entry, implications, future recommendations, etc.    |
| Goals                  | Identify/secure malware                                   | Quick containment or remediation                                        | Accurate understanding of the incident                                       |
| When are they engaged? | Initial                                                   | Initial                                                                 | On-going, post-incident                                                      |
| Who defines tasks?     | Undefined                                                 | Defined by business                                                     | Mostly by industry                                                           |
| Required by business   | Maybe limited                                             | Yes                                                                     | Depends                                                                      |
| Data Requirements      | Symptom or malware file                                   | Classified incident, short-term data of the incident                    | Everything possible, longer duration                                         |
| Team/individual skills | Individual: Malware hunting                               | Team: Business process, OS/Platform/Network                             | Team: OS/Platform/Network                                                    |
| Benefits               | Quick identification                                      | FLOD, limit damage                                                      | Eradication, security posture improvement                                    |
Incident Handling: Two common pitfalls
#1: serial handling of an incident
Note that it is impossible to accomplish everything in good time!!
Understand urgency 15 mins
Gather evidence 45 mins
Analyze file artifacts 60 mins
Analyze network artifacts 60 mins
Additional hunting 30 mins
Conference calls 30 mins
…. Wash, rinse, repeat …
Handled serially, these events have already consumed approximately 4 man-hours.
The “one-nine” availability only allows 2.4 hours of downtime.
Handled serially they consume approximately 4 man-hours, yet the same work would take only about 1.33 hours in reality.
#1: serial handling of an incident
Organization: Roles and responsibilities should be identified. What to do when something happens (e.g., call the boss)? How to handle media inquiries (if ever)? Is there a need to coordinate with law enforcement? Who documents the incident? Who holds all the evidence?
Incident Response (proper): Who handles the incident internally? What tools need to be executed first-hand (or do you want to do so)? What are the standard operating procedures of your security vendor? Do you stop the infection or keep it alive if the system needs to be alive?
Coordination and Communication: Do you need to coordinate with your ISP? Do you have other organizations you need to communicate this to, like partner organizations? Who communicates to Law Enforcement? Who communicates to the security vendor?
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
#2: undefined goals when an incident occurs
• These situations/questions should be classified:
– Help, we have an outbreak!
– How did the hacker gain a foothold?
– Was an unknown or unpatched vulnerability exploited?
– What file or executable contained the attack?
– How many systems were impacted?
– What specifically was exfiltrated?
– What are the origin and motivation of the hackers?
– What was the dwell time of the attack?
#2: undefined goals when an incident occurs
1. What is the value of the host?
2. Are other systems of equal or higher importance vulnerable?
3. How was the host attacked?
4. Do we know if there was a breach?
5. What actions would prevent this in the future?
“Super Hackers” are a myth ….
Point of Entry: Service Vulnerability
• Initial compromise (T+0, Jan 2016): RDASrv, PwnPOS, Dexter, Searcher.dll, FGDump
• T+30 days: via command-line FTP: NewPOSThings
• T+36 days: via command-line FTP: Alina, Mimikatz
• T+43 days: via command-line FTP: NewPOSThings, Spygate
• T+58 days: via command-line FTP: Netwire, Project Hook
• T+67 days (March 2016): (Download) NewPOSThings, FGDump (from excluded location)
(Figure legend: Data exfiltration, Lateral Movement, Persistence, {New Tactics})
Only one clue to unravel the mystery
Unusual things to look out for:
1. IP addresses
2. Access time
3. User name/password violations
4. Data transfer (in/out)
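The four "unusual things" above are exactly what a first-pass triage script should surface from authentication and transfer logs. The following is an added example, not code from the webinar or from either presenter: it runs over a handful of constructed log lines (the log format, the trusted network range, the business-hours window and the thresholds are all assumptions chosen for illustration) and emits one finding per anomaly, grouped under the slide's four headings.

```python
"""Triage of the slide's four "unusual things" (IP addresses, access time,
user name/password violations, data transfer volume) over constructed log
lines. Added example, not from the webinar slides; log format, thresholds
and network ranges are assumptions."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format:
#   <ISO timestamp> <event> user=<name> src=<ip> [bytes=<n>]
SAMPLE_LOG = """\
2019-03-04T09:12:01 LOGIN_OK user=alice src=10.1.4.22
2019-03-04T09:30:45 LOGIN_OK user=bob src=10.1.4.31
2019-03-04T23:47:10 LOGIN_OK user=svc_backup src=198.51.100.77
2019-03-04T23:48:02 TRANSFER_OUT user=svc_backup src=198.51.100.77 bytes=734003200
2019-03-05T02:10:11 LOGIN_FAIL user=carol src=203.0.113.9
2019-03-05T02:10:14 LOGIN_FAIL user=carol src=203.0.113.9
2019-03-05T02:10:19 LOGIN_FAIL user=carol src=203.0.113.9
2019-03-05T02:10:23 LOGIN_FAIL user=carol src=203.0.113.9
2019-03-05T02:10:30 LOGIN_FAIL user=carol src=203.0.113.9
2019-03-05T02:10:35 LOGIN_FAIL user=carol src=203.0.113.9
2019-03-05T10:02:00 TRANSFER_OUT user=bob src=10.1.4.31 bytes=2048000
"""

# Assumed site policy (placeholders; tune per environment).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 20)              # 07:00 to 19:59 local time
FAIL_THRESHOLD = 5                         # failed logins per user+source
TRANSFER_THRESHOLD = 100 * 1024 * 1024     # 100 MiB outbound in one event

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: bytes=(?P<bytes>\d+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else 0
    return rec


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def triage(log_text):
    """Return (category, detail) findings, one per anomaly, in log order."""
    findings = []
    untrusted_seen = set()   # (user, src) pairs already reported
    fails = Counter()        # failed logins per (user, src)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, src, event = rec["user"], rec["src"], rec["event"]
        # 1. IP addresses: activity that succeeded from outside trusted ranges.
        if event in ("LOGIN_OK", "TRANSFER_OUT") and not is_trusted(src):
            if (user, src) not in untrusted_seen:
                untrusted_seen.add((user, src))
                findings.append(("ip", f"{user} active from untrusted {src}"))
        # 2. Access time: successful logins outside business hours.
        if event == "LOGIN_OK" and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("time", f"{user} logged in at {rec['ts']:%H:%M}"))
        # 3. User name/password violations: repeated failures from one source.
        if event == "LOGIN_FAIL":
            fails[(user, src)] += 1
            if fails[(user, src)] == FAIL_THRESHOLD:
                findings.append(("credential",
                                 f"{FAIL_THRESHOLD} failed logins for {user} from {src}"))
        # 4. Data transfer: unusually large outbound volume in one event.
        if event == "TRANSFER_OUT" and rec["bytes"] >= TRANSFER_THRESHOLD:
            mib = rec["bytes"] / (1024 * 1024)
            findings.append(("transfer", f"{user} moved {mib:.0f} MiB outbound"))
    return findings


def summarize(log_text):
    """Count findings per category: a quick view of where to look first."""
    return Counter(cat for cat, _ in triage(log_text))


if __name__ == "__main__":
    for cat, detail in triage(SAMPLE_LOG):
        print(f"[{cat:10}] {detail}")
    print(dict(summarize(SAMPLE_LOG)))
```

On the constructed sample the script reports the off-hours login from an untrusted address, the 700 MiB outbound transfer that follows it, and the burst of failed logins, while the daytime transfer from inside the trusted range stays quiet. The point of the one-clue slide is that any single category here is enough to start pulling the thread; the summary shows which one to pull first.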
File-less threats do exist, of course …
Multi-threat:
1. Emotet – comes from email / does injection
2. Nymaim – often used to load other threats
3. Nozelesn – ransomware (fileless)
(Figure timings: Immediate / ~5 days / ~8 hours)
What can I do then? Effective Prevention!
CIS Critical Security Controls for Effective Cyber Defense
• a guideline of 20 key actions that organizations should take to block or mitigate known attacks.
• https://www.cisecurity.org/controls/
Ask for the Top 5
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
Summary
Incident Response is about getting the business back up and running.
Could be as simple as restoring from backup.
Prepare the environment (via effective prevention), the business (ensure the fastest recovery), know the processes involved.
Communicate what needs to be done internally, work with your security vendor / technology specialist early on.
References
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-part-2-tools-and-malware-used-and-how-to-detect-them/
https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-distributed-ransomware-loader-for-nozelesn-found-via-managed-detection-and-response/
Research, Development, Innovation, Verizon Threat Research Advisory Center
https://enterprise.verizon.com/resources/reports/verizon-threat-research-advisory-center/
Verizon confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.
State of the Data Breach
2019 Data Breach Investigations Report
This document and any attached materials are the sole property of Verizon and are not to be used by you other
than to evaluate Verizon's service.
This document and any attached materials are not to be disseminated, distributed or otherwise conveyed
throughout your organization to employees without a need for this information or to any third parties without the
express written permission of Verizon.
© 2019 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying
Verizon's products and services are trademarks and service marks or registered trademarks and service marks of
Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.
All other trademarks and service marks are the property of their respective owners.
Proprietary Statement
VTRAC | Investigative Response Team
• Verizon Threat Research Advisory Center
• Performs cybersecurity investigations for hundreds of commercial enterprises and government agencies worldwide.
• Conducts hundreds of proactive, incident response-related assessments and data breach simulation exercises
• Capabilities include endpoint forensics, network forensics, malware reverse engineering, threat intelligence, threat hunting, dark web research, mobile device forensics, complex data recovery, as well as breach simulations, IR capability assessments, and IR Plan / playbook development
• Created or contributed to the DBIR, Data Breach Digest, Insider Threat Report, Payment Security Report, and Verizon Incident Preparedness and Response (VIPR) Report
Endpoint Forensics Examiner
Network Forensics Specialist
Malware Reverse Engineer
Threat Intelligence Analyst
Threat Hunting Specialist
Dark Web Researcher
The time from the attacker’s first action in an event chain to the initial compromise of an asset is typically measured in minutes.
The time to discovery is more likely to be months; discovery time is very dependent on the type of attack in question.
Data Breach Timelines
Data Breaches – Summary of Findings
Threat Actors
External threat actors are still the primary force behind breaches (69%) while insiders account for 34%.
Financial gain is still the most common (known) motive behind data breaches. One quarter of all breaches are associated with espionage.
In 2014, we identified nine incident patterns that cover most of the threats likely to be faced.
In the 2019 report, 98.5% of security incidents and 88% of confirmed data breaches continue to fall into these patterns.
Pattern consistency allows security professionals to prioritize spend when investing in IT / OT / IoT security.
Incidents | Breaches per Pattern
State of Incident Preparedness
Incident Preparedness and Response Report
Taming the Data Breach Beast
• LE notified victim that several foreign IP addresses were communicating with systems
• In-scope system examination revealed 'mimikatz', a clear text password and NTLM hash scraping tool
• Sys admin with engineering division domain controller access phished with email / PDF malicious attachment
• With sys admin credentials, threat actor moved laterally across domain controllers and engineering file servers
• Uploaded approx. 3,000 sensitive, proprietary CAD drawings, schematics, and designs to FTP site
Scenario #4: Cyber-Espionage – the 'Katz-Skratch Fever'
Phase 4 – Collection and Analysis
Detection and Response
• Engage LE when time is right
• Engage third party investigators
• Collect and preserve evidence
• Leverage threat intelligence
Mitigation and Prevention
✓ Provide cybersecurity awareness training
✓ Make external emails standout
✓ Implement MFA
✓ Require remote connection VPN access
Countermeasure Recommendations
Scenario #4: Cyber-Espionage – the 'Katz-Skratch Fever'
Phase 4 – Collection and Analysis
• The IR process provides a standardized, enterprise-wide workflow
• It is iterative and follows an overall cyclical flow from its beginning until its conclusion
• Typical IR Plans utilize 4-6 phases
Incident Response Process
Planning and preparing for cybersecurity incidents is crucial for an effective response
Key IR Plan Elements
Topping the list for overall IR Plan assessment recommendations:
1. [85%] defining tactical responder qualifications
2. [83%] providing data analysis guidance
3. [78%] citing external cybersecurity response governance and standards
4. [78%] databasing incident reports and lessons learned results
Plan Assessments
Building an Effective Response
Plan Construction
• 79% had an IR Plan in-place
• 48% had a logically constructed, efficient IR Plan
✓ TA #1: Construct a logical, efficient IR Plan
• 40% explicitly specified periodical reviewing, testing, and updating IR Plans
✓ TA #3: Periodically review, test, and update the IR Plan
• 22% cited no internal security policies or procedures
• 38% cited no legal or regulatory requirements
✓ TA #4: Cite external and internal cybersecurity and incident response governance and standards
Plan Relevancy
Phase 1 – Planning and Preparation
Stakeholders
Phase 1 – Planning and Preparation
Internal IR Stakeholders
• 57% fully designated stakeholders
• 52% fully described roles and responsibilities
✓ TA #5: Define internal IR stakeholder roles and responsibilities
• 53% fully designated tactical responders
• 47% fully described tactical responder roles and responsibilities
• 83% specified no, or only partial, tactical responder qualifications
✓ TA #7: Train and maintain skilled tactical responders
Tactical Responders
Phase 1 – Planning and Preparation
Incidents and Events
• 62% fully classified cybersecurity incident types
• 67% fully defined severity levels
✓ TA #10: Classify incidents by type and severity level
• 40% fully described non-technical detection sources
• 31% fully described technical detection sources
✓ TA #11: Describe technical and non-technical incident detection sources
Detection Sources
Phase 2 – Detection and Validation
Escalating / Communicating
• 40% fully specified IR stakeholder escalation criteria
• 45% fully specified IR stakeholder notification procedures
✓ TA #13: Specify escalation and notification procedures
This matrix depends on pre-defined incidents (e.g., crimeware), assigned severity levels for each incident (e.g., high, medium, low), and identified IR stakeholders with need-to-know and need-to-be-informed status
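The three inputs the slide names (classified incident types, a severity level per incident, and stakeholders tagged need-to-know or need-to-be-informed) are what make an escalation matrix mechanical rather than a judgement call made during the incident. The block below is an added example, not from the VIPR report or the slides: the role names are taken from the deck's "it takes a team" slide, the incident types from its scenario names plus the slide's own "crimeware" example, while the severity rules and which role lands on which list are constructed placeholders that an organization would replace with its own.

```python
"""Escalation matrix lookup: (incident type, severity) -> IR stakeholders,
each tagged need-to-know or need-to-be-informed. Added example, not from
the VIPR report or the slides; role names come from the deck's team slide,
the rule assignments below are constructed placeholders."""

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}
NEED_TO_KNOW = "need-to-know"
INFORMED = "need-to-be-informed"

# Each rule: (minimum severity at which it applies, role, status).
# Rules are cumulative: a high-severity incident fires low and medium rules too.
BASELINE_RULES = [
    ("low", "SOC Analyst", NEED_TO_KNOW),
    ("low", "Incident Commander", NEED_TO_KNOW),
    ("medium", "Cybersecurity Manager", NEED_TO_KNOW),
    ("medium", "Chief Information Security Officer", INFORMED),
    ("high", "Chief Information Security Officer", NEED_TO_KNOW),
    ("high", "Chief Information Officer", INFORMED),
    ("high", "Legal Counsel", INFORMED),
    ("high", "Corporate Communications", INFORMED),
]

# Incident-type-specific additions (constructed placeholders).
TYPE_RULES = {
    "crimeware": [("medium", "CERT Responder", NEED_TO_KNOW)],
    "cyber-espionage": [
        ("low", "Internal Investigator", NEED_TO_KNOW),
        ("medium", "Legal Counsel", NEED_TO_KNOW),
    ],
    "insider threat": [
        ("low", "Human Resources", NEED_TO_KNOW),
        ("low", "Legal Counsel", NEED_TO_KNOW),
    ],
}


def escalate(incident_type, severity):
    """Return {role: status} for a classified incident.

    Raises ValueError for an unclassified type or severity: the matrix is
    only usable once classification (TA #10) has been done."""
    if incident_type not in TYPE_RULES:
        raise ValueError(f"unclassified incident type: {incident_type!r}")
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity level: {severity!r}")
    level = SEVERITY_ORDER[severity]
    recipients = {}
    for min_sev, role, status in BASELINE_RULES + TYPE_RULES[incident_type]:
        if SEVERITY_ORDER[min_sev] > level:
            continue
        # need-to-know wins over need-to-be-informed if both rules fire.
        if status == NEED_TO_KNOW or role not in recipients:
            recipients[role] = status
    return recipients


def notification_lists(incident_type, severity):
    """Split the matrix result into the two lists a responder works from."""
    recipients = escalate(incident_type, severity)
    know = sorted(r for r, s in recipients.items() if s == NEED_TO_KNOW)
    informed = sorted(r for r, s in recipients.items() if s == INFORMED)
    return know, informed


if __name__ == "__main__":
    for itype in TYPE_RULES:
        for sev in SEVERITY_ORDER:
            know, informed = notification_lists(itype, sev)
            print(f"{itype:16} {sev:6} know={know} informed={informed}")
```

Two design points carry over to a real plan: rules are cumulative by severity, so raising the level never drops a stakeholder who was already on the list, and a role that appears on both lists is resolved to need-to-know, so nobody who must act is merely informed. Rejecting an unclassified incident type is deliberate; the slide's dependency on pre-defined incidents is where an untested matrix usually fails.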
Escalation Matrix
Phase 2 – Detection and Validation
Collecting and Analyzing
• 16% fully specified collection and analysis procedures
• 9% fully specified collection and analysis tools
✓ TA #15: Specify evidence collection and data analysis tools and procedures
• 26% fully specified evidence handling procedures
• 21% fully specified evidence submission and chain of custody form use
✓ TA #16: Specify evidence handling and submission procedures
Evidence Handling
Phase 4 – Collection and Analysis
Containing and Eradicating
• 52% fully specified containment measures
• 50% specified eradication measures
✓ TA #14: Provide containment and eradication measures
• 41% fully specified remediation measures
• 45% fully specified recovery measures
✓ TA #17: Provide remediation and recovery measures
Remediating and Recovering
Phase 3 – Containment and Eradication
Phase 5 – Remediation and Recovery
Testing Your IR Plan
... and for breach simulation recommendations:
1. [30%] maintaining an up-to-date, unified IR Plan
2. [30%] creating IR Playbooks for specific incidents
3. [30%] establishing internal escalation protocols
4. [27%] defining internal IR stakeholder roles and responsibilities
Breach Simulations
Lessons Learned
• 76% fully required post-incident lessons learned activities
• 60% fully required IR Plan updating (based on lessons learned)
✓ TA #18: Feed post-incident lessons learned results back into the IR Plan
• 24% fully required incident and response metrics tracking
✓ TA #20: Track incident and incident response metrics
Measuring Success
1. Crypto-Jacking
2. Insider Threat
3. ICS Attack
4. Cyber-Espionage
5. Cloud Storming
Breach Simulation Kits
• LE notified victim of systems likely compromised due to connections with malicious IP address
• Network log review found two systems making connections; both systems contained intellectual property
• Investigation yielded active RAT; malware analysis revealed domain names resolving to malicious IP address
• Intel found RAT was associated with APT; threat actor associated with intellectual property theft and MSP breaches
• IoC scans found multiple systems infected with backdoor persistence tools and various compromised accounts
• Investigation determined MSP accounts leveraged for network access; dark web monitored following investigation
The Situation
Scenario #5: Cloud Storming – the 'Slivered Lining'
Countermeasure Worksheet
Detection and Response
✓ Employ FIM solution
✓ Review internet-facing system and app logs
✓ Require service providers assist w/ collection
✓ Establish cloud data extraction process
Mitigation and Prevention
✓ Test security posture from all angles
✓ Enhance critical system security monitoring
✓ Manage / monitor third-party account access
Countermeasure Recommendations
Scenario #5: Cloud Storming – the 'Slivered Lining'
Key Takeaways
Top 20 key takeaways for building a solid IR Plan
Key Takeaways
... and Remember it Takes a Team
Chief Information Officer
Chief Information Security Officer
Legal Counsel
Human Resources
Corporate Communications
Incident Commander
Internal Investigator
Cybersecurity Manager
SOC Analyst
CERT Responder
DBIR | VIPR Report
https://enterprise.verizon.com/resources/reports/vipr/
https://enterprise.verizon.com/resources/reports/dbir/
Thank you.
National Cyber Security Alliance
www.staysafeonline.org/cybersecure-business
Signature Sponsor
@staysafeonline