Incident response to a breach: Right of boom you find...
Incident response to a breach: Right of boom you find ashes
Dr. Samuel Liles http://selil.com
Opinions or other information expressed are the presenter's and do not reflect current, former, future, or unaffiliated employers' opinions or policies.
Agenda
• Scope
• Cybery thoughts
• Through the lens of risk
• Threats
• Vulnerabilities
• Frameworks
• NCIRP
• Attribution
• Future
Random image off teh webz
4/18/16 2
Scope, as in assumptions
• You can have the weeds, the field, or the stadium. Choose 1.
• You're in a graduate course so you already know how to mow the lawn and take care of the weeds.
• Goal is to answer what the heck happens in a major cyber incident.
• Every incident is different but every incident follows a pattern.
• Every stadium has a different team but every sport has rules.
• Be wary of playing golf with the hockey team.
• Lots of people are comfortable pulling weeds.
• You can't pull weeds fast enough to win the game.
Source: http://www.blu-ray.com/movies/Happy-Gilmore-Blu-ray/16771/
Just because…. Cyber.
• Lots of definitions
• Umbrella term for activities to increase coordination, collaboration, and understanding <break rice bowls>
• My definition: The term "cyber" itself denotes a human cognitive centric concept that deals with the disintermediation of technology centered within human activity.
Random image off teh webz
Copyrights with caveats Samuel Liles ©
Threat?
Source: Energy Sector Specific Plan https://www.dhs.gov/xlibrary/assets/nipp-ssp-energy-2010.pdf
Vulnerability?
Boom
MITRE ATT&CK: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Host Enumeration, Lateral Movement, Execution, C2, Exfiltration
Cyber Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objective
DNI Framework: Preparation, Engagement, Presence, Effect/Consequences
NSA TAO: Reconnaissance, Initial Exploitation, Establish Persistence, Install Tools, Move Laterally, Collect, Exfil, Exploit
ISO/IEC 27035:2011 provides a structured and planned approach to:
1. detect, report and assess information security incidents;
2. respond to and manage information security incidents;
3. detect, assess and manage information security vulnerabilities; and
4. continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities.
Preparation, identification, containment, eradication, recovery, and lessons learned.
Incident triage, incident coordination, incident resolution
ISO/IEC 27035:2011: Information Security Incident Management
SANS: Creating and Managing an Incident Response Team
RFC 2350: Expectations for Computer Security Incident Response
CERT: Handbook for Computer Security Incident Response Teams (CSIRTs)
NIST 800-61: Computer Security Incident Handling Guide
Source: National Cyber Incident Response Plan Interim (2010) http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf
Dr. Andy Ozment
Mr. John Felker https://www.dhs.gov/national-cybersecurity-and-communications-integration-center
Mr. Brad Nix https://www.us-cert.gov
Mr. Marty Edwards https://ics-cert.us-cert.gov
https://www.us-cert.gov/nccic/ncc-watch https://www.dhs.gov/office-intelligence-and-analysis
Who is in charge?
The exact composition of the Cyber Unified Coordination Group (UCG) Incident Management Team (IMT) will be determined by the Assistant Secretary for Cyber Security and Communications (CS&C) based on the nature and scope of the incident, and will always include
• A Senior Defense Official
• A Senior Federal Law Enforcement Official
• A Senior Intelligence Community (IC) Official
• Senior Private Sector Official(s) (chosen based on the specific nature of the incident)
• Other Cyber Unified Coordination Group (UCG) Senior Officials with primary statutory or jurisdictional responsibility and significant operational responsibility chosen based on the nature of the incident;
• Senior Officials may be chosen from departments, agencies, and organizations with capabilities, authorities, and responsibilities relevant to the incident.
Source: National Cyber Incident Response Plan Interim (2010) http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf
Senior = SES or GO
What do they do?
The Assistant Secretary for Cyber Security and Communications (CS&C), with the support of the National Cybersecurity and Communications Integration Center (NCCIC) and in concert with the Cyber Unified Coordination Group (UCG) Incident Management Team (IMT), is responsible for—
• Establishing the incident action plan
• Ensuring overall coordination of Significant Cyber Incident management and resource allocation activities
• Facilitating interagency conflict resolution or elevating matters, as necessary
• Coordinating response between multiple cyber incidents when applicable
• Ensuring the National Operations Center (NOC) and National Infrastructure Coordination Center (NICC) receive timely updates on the status of response activities
• Coordinating external affairs activities.
Source: National Cyber Incident Response Plan Interim (2010) http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf
The NCCIC, as the national focal point for cyber incident management and coordination during cyber-specific incidents, is the point of integration for all information from Federal departments and agencies, State, Local, Tribal, and Territorial governments, and the private sector related to situational awareness, vulnerabilities, intrusions, incidents, and mitigation activities.
This role does not change existing departments' and agencies' authorities or missions; however, DHS, through the NCCIC, will coordinate with all partners, including law enforcement agencies leading the national effort to investigate and prosecute cybercrime; the IC regarding threats, intelligence, and attribution; DOD elements regarding intelligence and information sharing, military operations to defend the homeland; State and Local governments; and the private sector to ensure common operational situational awareness is being leveraged by all response organizations as they execute their individual authorities and missions.
Figure: time to level of attribution, measured from "Event happens", plotted against the evidence required at each level.
• Political: Possible. Evidence required: motive, means, opportunity
• Technical: Probable. Evidence required: IOCs (IP, hash, URL, method, time, etc.)
• Forensic: Provable. Evidence required: crypto, non-repudiation, multi-mode sensing, direct observation
Future
• NCIRP is being updated http://www.afcea.org/content/?q=Blog-when-will-united-states-have-national-cyber-incident-response-plan
• New cybersecurity presidential panel appointed http://www.theverge.com/2016/4/13/11427182/president-obama-cybersecurity-panel-uber-microsoft-mastercard-nsa
• NPPD/NCCIC is transforming http://www.emergencymgmt.com/safety/Phyllis-Schneck-Interview.html
• Federal CISO may be appointed (interviews happening now) http://www.federaltimes.com/story/government/cybersecurity/2016/02/09/obama-federal-ciso/80032796/
Questions?