Professional incident response

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Professional Incident Response
Brooks Garrett / October 16, 2014

Transcript of Professional incident response

Page 1: Professional incident response

Professional Incident Response
Brooks Garrett / October 16, 2014

Page 2: Professional incident response

Overview

Page 3: Professional incident response

Brooks Garrett
• Operations Architect, HP Fortify on Demand, 3 years
  – CISSP
• Volunteer Firefighter, Georgia, 5 years
  – Firefighter I National Professional Qualification
  – Hazardous Materials Awareness
  – Emergency Medical Responder
• Husband and father
• Rugby, programming, and tinkering

Page 4: Professional incident response

HP Fortify on Demand
• Cloud based Application Security as a Service
  – Static
  – Dynamic
  – Mobile
• Globally distributed deployments
  – 8 environments
  – 3 teams
  – 5 countries
• Coordination when responding isn’t trivial
  – Language
  – Culture
  – Time zones

Page 5: Professional incident response

Incident Response

Page 6: Professional incident response


“Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).”

Margaret Rouse, WhatIs.com Editorial Director

Page 7: Professional incident response

What is an incident?
• A single virus on a single computer
• A million viruses on a single computer
• A single worm on all the computers
• A single worm on all the computers on 3 continents
• Your database anywhere it shouldn’t be
• Heartland, Target, TJX

Page 8: Professional incident response

Incident Response Program
• 5 phases of incident response
• Framework for managing incidents and resources
• Framework for improving incident response
• System of reporting on incidents
• Incident Response Plan

Page 9: Professional incident response

Building by copying

Page 10: Professional incident response

Incident response is hard
• Framework must scale
  – One member team
  – 20 teams of 5 members each
  – One virus
  – All the viruses
• Organizations that have plans ignore them until “The Big One”
  – Too little, too late

Page 11: Professional incident response

Who can we copy?
Firefighters

Page 12: Professional incident response


Professional Responders

Fire Rescue Medical

Page 13: Professional incident response


Diverse incidents

Small Large Chaotic

Page 14: Professional incident response

Sound familiar?
• Very little information at start of incident
• Incidents occur at random intervals
• Incidents can be small (cat up a tree, single virus) or massive (Texas fertilizer plant, Target)
• Car crash?
  – Crashing daemons.
• Building on fire?
  – Servers on fire.

Page 15: Professional incident response

Incident Response cycle (diagram): 1. Preparation, 2. Response, 3. Recovery

Page 16: Professional incident response

Preparation
• Largest portion of time is in preparation
  – 100’s of hours preparing for 10 minutes of chaos
• Training and Certification
  – GIAC GCIH
  – FEMA ICS
  – Know the plan (or at least where the plan is located)
• Pre-incident planning
  – Your chance for mulligans
  – Build a plan of action for broadly defined events
• Rehearsal
  – Dry run pre-incident plans
  – Tabletop simulation of attacks
  – It’s like role playing, just nerdier

Page 17: Professional incident response

Incident Response cycle (diagram): 1. Preparation, 2. Response, 3. Recovery

Page 18: Professional incident response

Response Phases – Fire / Rescue

Preparation
• Training
• Planning
• Rehearsal

Response
  Dispatch
  • Alerting
  • Monitoring
  Size up
  • Isolation
  • Attack plan
  • Initial response
  Operations
  • Elimination
  • Overhaul
  • Collection of evidence

Return to Service
• Return to normal operation
• After action report

Page 19: Professional incident response

Response Phases - IT

Preparation
• Training
• Planning
• Rehearsal

Response
  Identification
  • Alerting
  • Monitoring
  Containment
  • Isolation
  • Initial response
  Eradication
  • Elimination
  • Collection of evidence

Recovery
• Return to normal operation
• After action report

Page 20: Professional incident response

Identification
• Must have “incident” defined
• Dispatch is a must
• First alert must be uniform for all events, incidents, and disasters
• Provides a central place where all information is collected and dispensed
  – SOC
  – SIEM
  – Grepping Syslog
  – Email

Page 21: Professional incident response

Incident Command System (ICS)
• Hierarchical structure providing a clear chain of command
• Framework providing clear procedures for management of command and delegation of responsibilities
• We can steal this and get free training

Page 22: Professional incident response


Incident Command System

Page 23: Professional incident response

Role: Incident Command
• Ultimate authority during an incident
• Also ultimate responsibility for incident response
• Must be able to coordinate resources, delegate responsibility, and manage the overall response
• 10K foot view

Page 24: Professional incident response

Role: Information Officer
• The information officer is critical
• One voice to both internal and external parties
• One simple rule: Are you the Information Officer?
  – YES, I can talk to people about this incident as authorized by command
  – NO, I can’t talk to people

Page 25: Professional incident response

Role: Section
• Each section is responsible for their assigned area
• Receives delegated responsibilities from command
• Operates at ground level

Page 26: Professional incident response

Adapting ICS
• First responder is “Command” and controls the incident
• Command can be transferred to other resources as they respond
• Who has command isn’t about rank
  – Can be anyone at any time
  – Should be based on who is most capable of managing the incident
  – Transfer of command must be communicated to all resources
• Freelancing gets people killed, don’t do it
  – Not even once

Page 27: Professional incident response

Adapting ICS
• We don’t need a safety officer
  – Unless you have systems that sustain, protect, or threaten human life
• We don’t need a liaison officer
  – Unless you will be interfacing with law enforcement, banks, etc.
• Add or remove roles as incident size and organizational goals/requirements demand

Page 28: Professional incident response

Scaling response within ICS
• One person can be all roles for small incidents
• Assign officers as needed
  – Breach of PII data? You may want a Finance Officer (credit monitoring is expensive)
• Roles may be added and removed during the incident as the situation demands

Page 29: Professional incident response

Incident Response cycle (diagram): 1. Preparation, 2. Response, 3. Recovery

Page 30: Professional incident response

After action reports
• Consistency is key
• Incident Report
  – Incident ID
  – Date
  – Type
  – Assets involved
  – Resources involved
  – Narrative
• Response Report
  – What worked
  – What needs improvement
  – Should include the Incident ID for cross reference

Page 31: Professional incident response

Reporting Templates
• US CERT
• National Incident Management System – ICS Forms Booklet

Page 32: Professional incident response

Thank you

Brooks Garrett
E: [email protected]
http://www.brooksgarrett.com
T: @brooksgarrett

Page 33: Professional incident response

Credits
• Title slide image
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/ul4owW
• Slide 12 image
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/jxjvz5
• Slide 13 – Fire
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/hVMFcr
• Slide 13 - Rescue
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/CEXxxoHP
• Slide 13 - Medical
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/CEXxxoHP
• Slide 14 - Small
  – Accessed: 6 Oct 2014
  – Pixabay
  – http://v.gd/XvUDvt
• Slide 14 - Large
  – Accessed: 6 Oct 2014
  – Reuters
  – http://v.gd/ChtCxm
• Slide 14 - Chaotic
  – Accessed: 6 Oct 2014
  – Getty Images
  – http://v.gd/xrtAJt
• Slide 12 - Rescue
  – Accessed: 6 Oct 2014
  – WikiMedia Commons
  – http://v.gd/CEXxxoHP

Page 34: Professional incident response

Resources
• SANS Incident Handler Handbook
  – Accessed: 6 Oct 2014
  – http://v.gd/u9UVvG
• FEMA ICS Training
  – Accessed: 16 Oct 2014
  – http://v.gd/TqNdUl