Security Incident Remediation - CRESTCon
©2018 FireEye | Private & Confidential
Introduction
Manfred Erjak
▪ Principal Consultant
▪ Functional Lead - Incident Remediation
▪ GCFA | GNFA | PCI-QSA | CISSP | CISM | CCIE#9439 Emeritus
▪ linkedin.com/in/itsecuritysolutions
Introduction
Jeff Hamm
▪ Technical Director EMEA
▪ Functional Lead - Incident Response and Remediation
▪ Adjunct Lecturer – Digital Forensics – NTNU (Norwegian College of Science and Technology)
▪ Co-Author Digital Forensics 2017
linkedin.com/in/jeffhamm/
Mandiant Consulting
Prevent, detect, & respond to advanced cyber-security events and protect your critical assets.
▪ Trusted by organizations worldwide – Over 40% of Fortune 100 companies¹
▪ 14+ years responding to and remediating headline breaches
▪ Mandiant DNA – Pioneers in sophisticated incident response
▪ Portfolio of services to assess, enhance and transform security posture and upskill internal security staff
▪ Cutting-edge threat intelligence informed by frontline adversary exposure
▪ Cyber security services enabled by purpose-built technology
▪ Global workforce of over 300 consultants in 20+ countries
¹ 2017 Fortune list
The Challenge
▪ Cloud adoption & interconnected devices are dissolving the perimeter
▪ Lack of security expertise creating a skills shortage
▪ Increasing number of endpoints creating huge volumes of data
▪ Rapid threat evolution creating complex and diverse threats
More than 500 IR engagements / year – More than 200,000 IR hours / year
Customers believe they are armed and well prepared for such a scenario …
… but they aren’t because they have not faced a targeted attack!
Targeted Attack
▪ It’s a “who,” not a “what”
– There is a human at a keyboard
– Highly tailored and customized attacks
– Targeted specifically at you
▪ Professional, organized and well funded
– Escalate sophistication of tactics as needed
– Relentlessly focused on their objective
▪ If you kick them out they will return
– They have specific objectives
– Their goal is long-term occupation
– Persistence tools and tactics ensure ongoing access
Remediating intrusions by targeted, persistent adversaries requires a different approach
Effective Incident Response = Investigation + Remediation
Investigation
1. How did the attacker gain initial access to the environment?
2. How did the attacker maintain access to the environment?
3. What is the storyline of the attack?
4. What data was stolen from the environment?
Remediation
1. Contain and remediate the incident.
2. Make it more difficult for future attackers.
3. More rapidly detect future activity.
4. Analyze lessons learned and strengthen the security posture.
Mandiant’s Investigation Process
Investigation:
1. Initial scoping and review of leads
2. Deploy Mandiant technology
3. Conduct initial scans of the environment
4. Deep-dive analysis of identified systems and malware
5. Additional scans of the environment based on new leads
6. Eradication event (aka "Remediation Weekend")
Remediation:
▪ Posturing / Containment / Eradication
▪ Strategic: Improving the organization’s security posture
Remediation Phases
1st Part - Remediate the current incident
1. Posturing - Provides investigative support and preparation for incident containment and eradication.
2. Containment - Take actions to disrupt attacker activities, harden or isolate a critical service, or remove the attacker from a sensitive system or network segment.
3. Eradication - Remove attacker from the environment and implement security improvements to inhibit the attacker from quickly regaining access to the environment.
2nd Part - Improve the organization’s security posture
4. Strategic Recommendations - Enhance security posture (e.g., implement two-factor authentication, re-architect environment)
Remediation Process
1. Form the remediation team.
2. Determine the timing of the remediation actions.
3. Develop and implement remediation posturing actions.
4. Develop and implement incident containment actions.
5. Develop the eradication plan.
6. Determine eradication event timing and implement the eradication plan.
7. Develop strategic recommendations.
8. Debrief about the Investigation and Remediation.
Remediation Team
▪ Remediation Owner
▪ Remediation Lead
▪ Lead IT Architect
▪ Workstreams: Investigation; Password & Accounts; Network Security; Defensive Actions; System Rebuild & Replace; Remote Access / Patching; Visibility
▪ Legal*, PMO*, Communications*, Compliance*
* Optional: Depending on the size and complexity of the customer organization
Timing of the Remediation Actions
1. Immediate action
– Goal: Stop the incident from continuing
– Should be implemented when it is more important to stop the attacker’s activities than to continue the investigation ⇒ Risk: This will tip off the attacker – be careful!
2. Delayed action
– Investigation can conclude before any direct actions will be taken against the attacker
– Gives time to learn and understand the attackers’ tactics, techniques, and procedures (TTPs)
Posturing
▪ Goal is to increase the security posture while the investigation is ongoing
▪ Instrument the environment to make it more “investigation-ready”
▪ Posturing actions should be nearly indiscernible from normal maintenance work ⇒ should not tip off the attacker
Posturing
▪ Enhance system and network monitoring, mitigate critical vulnerabilities:
– System, Application, Authentication, and network-specific logs
– Centralize log files and management
– Enhance alerting
– Patch third-party applications
– Implement multi-factor authentication
– Reduce locations where critical data “crown jewels” are stored
Containment
▪ Designed to disrupt attacker access to specific environments or sensitive data
▪ Is performed when the customer cannot continue to lose or risk losing critical data and is typically required when the attacker is stealing PII or PCI data
▪ Doesn’t remove the attacker from the environment!
▪ Only prevents the attacker from performing some action that cannot be tolerated.
Eradication
▪ The Attack Lifecycle and the Remediation Planning Matrix form the basis of the comprehensive remediation plan.
▪ The Remediation Planning Matrix enables the design of a comprehensive remediation plan to:
– Protect against threats (prevention)
– Detect attacker activity (detection)
– Eradicate the threat from the environment (response)
▪ Remediation plans must be customized to reflect the organization’s unique operational complexities.
⇒ What worked well for one incident may not be advisable in another.
The Eradication Event
The eradication event timing is critical to a successful remediation.
▪ Too early: Extent of compromise is unknown, attackers will change tactics, techniques, and procedures (TTPs)
▪ Too late: Attackers may change their TTPs or accomplish their mission
▪ Ideal time: the “strike zone” for the eradication event
[Figure: Knowledge of Attack plotted against Time, with the “strike zone” marked and the annotation “Need to start cycle again”]
The Eradication Event
The following conditions are good indicators that the investigation team has reached the “strike zone”:
▪ The investigation team has good visibility into the breached environment and understands the attacker’s TTPs.
▪ Number of compromised systems discovered per day (or other time period) has decreased significantly.
▪ Most of the compromised systems detected contain known IOCs.
▪ Remediation effort has been thoroughly planned.
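As an added example (not part of the CRESTCon slides or Mandiant’s own tooling), the following Python checks the two measurable indicators above, the drop in daily discovery rate and the share of detections matching already known IOCs, against a constructed investigation tracker; the thresholds, window size and hostnames are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed investigation tracker: (discovery date, hostname, matched a known IOC?)
FINDINGS = [
    (date(2018, 3, 1), "ws-017", False), (date(2018, 3, 1), "ws-022", False),
    (date(2018, 3, 1), "srv-db02", False), (date(2018, 3, 2), "ws-031", False),
    (date(2018, 3, 2), "ws-040", True), (date(2018, 3, 2), "srv-fs01", False),
    (date(2018, 3, 3), "ws-051", True), (date(2018, 3, 3), "ws-052", True),
    (date(2018, 3, 4), "ws-060", True), (date(2018, 3, 5), "ws-061", True),
    (date(2018, 3, 6), "ws-070", True),
]

def daily_counts(findings):
    """Newly discovered compromised systems per calendar day, including
    zero-discovery days so that quiet days count toward the trend."""
    counts = Counter(day for day, _, _ in findings)
    first, last = min(counts), max(counts)
    return {first + timedelta(n): counts.get(first + timedelta(n), 0)
            for n in range((last - first).days + 1)}

def discovery_rate_dropped(findings, window=2, max_ratio=0.5):
    """Indicator: mean daily discoveries over the last `window` days are at
    most `max_ratio` of the mean over the earlier days (assumed thresholds)."""
    counts = daily_counts(findings)
    days = sorted(counts)
    if len(days) <= window:  # not enough history to call a trend
        return False
    early = [counts[d] for d in days[:-window]]
    recent = [counts[d] for d in days[-window:]]
    return sum(recent) / len(recent) <= max_ratio * sum(early) / len(early)

def known_ioc_fraction(findings, window=2):
    """Indicator: share of systems found in the last `window` days that matched
    an IOC the team already knew (new IOCs mean the scope is still growing)."""
    days = sorted(daily_counts(findings))[-window:]
    recent = [known for day, _, known in findings if day in days]
    return sum(recent) / len(recent) if recent else 0.0

def in_strike_zone(findings, min_known=0.8):
    """Both measurable indicators hold. Visibility into the environment, TTP
    understanding and plan completeness remain judgment calls for the team."""
    return discovery_rate_dropped(findings) and known_ioc_fraction(findings) >= min_known

if __name__ == "__main__":
    print(daily_counts(FINDINGS))
    print("strike zone reached:", in_strike_zone(FINDINGS))
```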
Common Mistakes
▪ Internal Factors (People/Process)
– Insufficient sense of urgency
– Lack of ownership, coordination, and clear direction for the remediation efforts
– Poor timing
– Remediation plan is too ambitious ⇒ “Boiling the ocean”
– Business leadership forces remediation to start prematurely
– Internal politics, differing opinions between business units
Common Mistakes
▪ Internal Factors (Technology)
– Users have excessive rights
– Critical countermeasures are not effectively implemented (and are not validated)
– Submitting malware to antivirus vendors prematurely
▪ External Factors
– Poor support from third-party service providers (outsourced IT)
– Connectivity to acquisitions with poor security posture
– Managed IT providers’ poor security posture
Summary
▪ Targeted, persistent threats require a different approach for remediation success.
▪ You must learn and understand the attackers’ tactics, techniques, and procedures (TTPs)
▪ Plan countermeasures that directly address the attack lifecycle to optimize chances of success.
▪ Fully understanding the scope enables complete eradication.
Contact Us
Email: [email protected]
US Phone: (866) 962 6342
International Numbers listed at:
https://www.fireeye.com/company/incident-response.html