Security Incident Remediation: Lessons Learned on the Front Lines

CRESTCon presentation transcript

Manfred Erjak & Jeff Hamm

©2018 FireEye | Private & Confidential

Introduction

Manfred Erjak

▪ Principal Consultant

▪ Functional Lead - Incident Remediation

▪ GCFA | GNFA | PCI-QSA | CISSP | CISM | CCIE#9439 Emeritus

[email protected]

▪ linkedin.com/in/itsecuritysolutions


Introduction

Jeff Hamm

▪ Technical Director EMEA

▪ Functional Lead - Incident Response and Remediation

▪ Adjunct Lecturer – Digital Forensics – NTNU (Norwegian College of Science and Technology)

▪ Co-Author Digital Forensics 2017

[email protected]

linkedin.com/in/jeffhamm/


Mandiant Consulting

Prevent, detect, & respond to advanced cyber-security events and protect your critical assets.

▪ Trusted by organizations worldwide – over 40% of Fortune 100 companies (2017 Fortune list)

▪ 14+ years responding to and remediating headline breaches

▪ Mandiant DNA – pioneers in sophisticated incident response

▪ Portfolio of services to assess, enhance and transform security posture and upskill internal security staff

▪ Cutting-edge threat intelligence informed by frontline adversary exposure

▪ Cyber security services enabled by purpose-built technology

▪ Global workforce of over 300 consultants in 20+ countries

The Challenge

▪ Cloud adoption & interconnected devices are dissolving the perimeter

▪ Lack of security expertise creating a skills shortage

▪ Increasing number of endpoints creating huge volumes of data

▪ Rapid threat evolution creating complex and diverse threats

More than 500 IR engagements per year; more than 200,000 IR hours per year

Customers assume large-scale breaches to look large …

… but they don’t!

Customers believe they are armed and well prepared for such a scenario …

… but they aren’t, because they have not faced a targeted attack!

Targeted Attack

▪ It’s a “who,” not a “what”: there is a human at a keyboard

▪ Highly tailored and customized attacks, targeted specifically at you

▪ Professional, organized and well funded

▪ Escalate sophistication of tactics as needed

▪ Relentlessly focused on their objective – if you kick them out they will return

▪ They have specific objectives; their goal is long-term occupation

▪ Persistence tools and tactics ensure ongoing access

Remediating intrusions by targeted, persistent adversaries requires a different approach

Effective Incident Response = Investigation + Remediation

Investigation

1. How did the attacker gain initial access to the environment?

2. How did the attacker maintain access to the environment?

3. What is the storyline of the attack?

4. What data was stolen from the environment?

Remediation

1. Contain and remediate the incident.

2. Make it more difficult for future attackers.

3. More rapidly detect future activity.

4. Analyze lessons learned and strengthen the security posture.


Mandiant’s Investigation Process

Investigation:

1. Initial scoping and review of leads

2. Deploy Mandiant technology

3. Conduct initial scans of the environment

4. Deep-dive analysis of identified systems and malware

5. Additional scans of the environment based on new leads

6. Eradication event (aka "Remediation Weekend")

Remediation (in parallel with the investigation):

– Posturing / Containment / Eradication

– Strategic: improving the organization’s security posture

Remediation Phases

1st Part - Remediate the current incident

1. Posturing - Provides investigative support and preparation for incident containment and eradication.

2. Containment - Take actions to disrupt attacker activities, harden or isolate a critical service, or remove the attacker from a sensitive system or network segment.

3. Eradication - Remove attacker from the environment and implement security improvements to inhibit the attacker from quickly regaining access to the environment.

2nd Part - Improve the organization’s security posture

4. Strategic Recommendations - Enhance security posture (e.g., implement two-factor authentication, re-architect environment)


Remediation Process

1. Form the remediation team.

2. Determine the timing of the remediation actions.

3. Develop and implement remediation posturing actions.

4. Develop and implement incident containment actions.

5. Develop the eradication plan.

6. Determine eradication event timing and implement the eradication plan.

7. Develop strategic recommendations.

8. Debrief about the Investigation and Remediation.


Remediation Team

▪ Remediation Owner

▪ Remediation Lead

▪ Lead IT Architect

▪ Investigation

▪ Password & Accounts

▪ Network Security

▪ Defensive Actions

▪ System Rebuild & Replace

▪ Remote Access / Patching

▪ Visibility

▪ Legal*

▪ PMO*

▪ Communications*

▪ Compliance*

* Optional: Depending on the size and complexity of the customer organization

Timing of the Remediation Actions

1. Immediate action

– Goal: Stop the incident from continuing

– Should be implemented when it is more important to stop the attacker’s activities than to continue the investigation ⇒ Risk: This will tip off the attacker – be careful!

2. Delayed action

– The investigation can conclude before any direct action is taken against the attacker

– Gives time to learn and understand the attacker’s tactics, techniques, and procedures (TTPs)

Posturing

▪ Goal is to increase the security posture while the investigation is ongoing

▪ Instrument the environment to make it more “investigation-ready”

▪ Posturing actions should be nearly indiscernible from normal maintenance work ⇒ should not tip off the attacker


Posturing

▪ Enhance system and network monitoring, mitigate critical vulnerabilities:

– System, Application, Authentication, and network-specific logs

– Centralize log files and management

– Enhance alerting

– Patch third-party applications

– Implement multi-factor authentication

– Reduce locations where critical data “crown jewels” are stored


Containment

▪ Designed to disrupt attacker access to specific environments or sensitive data

▪ Is performed when the customer cannot continue to lose or risk losing critical data and is typically required when the attacker is stealing PII or PCI data

▪ Doesn’t remove the attacker from the environment!

▪ Only prevents the attacker from performing some action that cannot be tolerated.


Eradication

▪ The Attack Lifecycle and the Remediation Planning Matrix form the basis of the comprehensive remediation plan.

▪ The Remediation Planning Matrix enables the design of a comprehensive remediation plan to:

– Protect against threats (prevention)

– Detect attacker activity (detection)

– Eradicate the threat from the environment (response)

▪ Remediation plans must be customized to reflect the organization’s unique operational complexities.

⇒ What worked well for one incident may not be advisable in another.


Remediation Planning Matrix

Remediation Planning Matrix - Example

The Eradication Event

The eradication event timing is critical to a successful remediation.

▪ Too early: The extent of compromise is unknown; attackers will change tactics, techniques, and procedures (TTPs)

▪ Too late: Attackers may change their TTPs or accomplish their mission

▪ Ideal time: the window for the eradication event known as the “strike zone”

[Figure: Knowledge of Attack plotted against Time, showing the strike zone and the point at which you need to start the cycle again]

The Eradication Event

The following conditions are good indicators that the investigation team has reached the “strike zone”:

▪ The investigation team has good visibility into the breached environment and understands the attacker’s TTPs.

▪ The number of compromised systems discovered per day (or other time period) has decreased significantly.

▪ Most of the compromised systems detected contain known IOCs.

▪ The remediation effort has been thoroughly planned.
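As an added illustration that is not part of the presentation, the Python script below turns the two measurable strike-zone indicators above (a significantly declining discovery rate, and newly found systems converging on IOCs already in the attacker profile) into a check over a constructed daily log of investigation findings. The sample data, the thresholds (a 60% drop in discovery rate, 80% known-IOC coverage, a three-day window) and the function names are assumptions chosen for the example; the two human judgements on the slide (visibility/TTP understanding and plan completeness) are passed in as flags because no data feed can decide them.

```python
"""Strike-zone readiness check (added example; thresholds are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DailyFinding:
    day: int                 # investigation day number
    new_systems: int         # compromised systems newly discovered that day
    matched_known_ioc: int   # of those, how many matched an IOC already in the attacker profile


# Constructed sample data (not from any real engagement): the discovery rate
# falls off and late findings are fully explained by known IOCs.
SAMPLE: List[DailyFinding] = [
    DailyFinding(1, 12, 2),
    DailyFinding(2, 9, 4),
    DailyFinding(3, 7, 5),
    DailyFinding(4, 4, 4),
    DailyFinding(5, 2, 2),
    DailyFinding(6, 1, 1),
    DailyFinding(7, 1, 1),
]


def discovery_rate_declined(findings: List[DailyFinding], window: int = 3,
                            min_drop: float = 0.6) -> bool:
    """True when the mean number of newly discovered systems over the last
    `window` days has dropped by at least `min_drop` (fraction) compared with
    the first `window` days. Returns False when there is not enough history,
    which is the 'too early' case on the slide."""
    if len(findings) < 2 * window:
        return False
    early = sum(f.new_systems for f in findings[:window]) / window
    late = sum(f.new_systems for f in findings[-window:]) / window
    if early == 0:
        return False  # no baseline to measure a decline against
    return (early - late) / early >= min_drop


def known_ioc_ratio(findings: List[DailyFinding], window: int = 3) -> float:
    """Fraction of systems found in the last `window` days that matched a
    known IOC. Unknown IOCs late in the investigation mean the attacker
    profile is still incomplete (or TTPs are shifting)."""
    recent = findings[-window:]
    total = sum(f.new_systems for f in recent)
    if total == 0:
        return 1.0  # nothing new was found, so nothing is unexplained
    return sum(f.matched_known_ioc for f in recent) / total


def strike_zone_report(findings: List[DailyFinding], plan_complete: bool,
                       visibility_ok: bool, min_known_ratio: float = 0.8) -> Dict[str, bool]:
    """Combine the four slide indicators; all must hold to be in the strike zone."""
    indicators = {
        "visibility_and_ttps_understood": visibility_ok,
        "discovery_rate_declined": discovery_rate_declined(findings),
        "mostly_known_iocs": known_ioc_ratio(findings) >= min_known_ratio,
        "remediation_plan_complete": plan_complete,
    }
    indicators["in_strike_zone"] = all(indicators.values())
    return indicators


if __name__ == "__main__":
    for name, ok in strike_zone_report(SAMPLE, plan_complete=True, visibility_ok=True).items():
        print(f"{name:32s} {'yes' if ok else 'no'}")
```

Run against only the first few days of the sample, the rate check refuses to report a decline and the known-IOC ratio is low, which is exactly the "too early" situation the slide warns about; run against the full sample with the plan flagged complete, every indicator holds.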

Common Mistakes

▪ Internal Factors (People/Process)

– Insufficient sense of urgency

– Lack of ownership, coordination, and clear direction for the remediation efforts

– Poor timing

– Remediation plan is too ambitious ⇒ “Boiling the ocean”

– Business leadership forces remediation to start prematurely

– Internal politics, differing opinions between business units


Common Mistakes

▪ Internal Factors (Technology)

– Users have excessive rights

– Critical countermeasures are not effectively implemented (and are not validated)

– Submitting malware to antivirus vendors prematurely

▪ External Factors

– Poor support from third-party service providers (outsourced IT)

– Connectivity to acquisitions with poor security posture

– Managed IT providers’ poor security posture


Summary

▪ Targeted, persistent threats require a different approach for remediation success.

▪ You must learn and understand the attacker’s tactics, techniques, and procedures (TTPs).

▪ Plan countermeasures that directly address the attack lifecycle to optimize chances of success.

▪ Fully understanding the scope enables complete eradication.


Contact Us

Email: [email protected]

US Phone: (866) 962 6342

International Numbers listed at:

https://www.fireeye.com/company/incident-response.html

Thank You