What To Do When (Not If) Data Breaches Occur (ilta.personifycloud.com/webfiles/productfiles/...)

What To Do When (Not If) Data Breaches Occur Presented by Michael Santos, CISSP | Andrey Zelenskiy |Matthew Curtin, CISSP

Transcript of What To Do When (Not If) Data Breaches Occur (ilta.personifycloud.com/webfiles/productfiles/...)

Page 1: What To Do When (Not If) Data Breaches Occurilta.personifycloud.com/webfiles/productfiles/... · “See no evil, hear no evil, speak no evil.” Then you will never find evil. 1.

What To Do When (Not If) Data Breaches Occur

Presented by Michael Santos, CISSP | Andrey Zelenskiy |Matthew Curtin, CISSP

Page 2

June 11, 2014

Thank you for being here today

Presenter: Michael Santos, Director of IT Architecture and Security, Cooley LLP

Page 3

Preparation

“There are no secrets to success. It is the result of preparation, hard work, and learning from failure.” – Colin Powell

1. Have a plan.

2. Have a team.

3. Have practice.

4. Look and listen.

Page 4

Have a plan.

“A good plan violently executed now is better than a perfect plan executed next week.” – George S. Patton

1. Start now. Don’t wait.

• Get it on paper.

• Start simple and add.

• Use the internet.

2. Roles & Responsibilities

3. Categorization of Incidents

4. Appropriate Response

5. Understandable

6. Communications Plan

NIST SP 800-61 http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

ISO/IEC 27035 http://www.iso.org/iso/catalogue_detail?csnumber=44379

SANS Institute Incident Handler’s Handbook http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Page 5

Have a team.

“Finding good players is easy. Getting them to play as a team is another story.” – Casey Stengel

1. Don’t pick your squad during game time.

2. Choose wisely.

3. Not everyone has to be on the team.

4. Numbers matter.

SANS Institute “Computer Incident Response Team” http://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641

• Management

• Information Security

• Information Technology

• IT Auditor

• Physical Security

• Legal

• Human Resources

• Public Relations/Marketing

• Finance

Page 6

Have practice.

“An ounce of practice is worth more than tons of preaching.” – Mahatma Gandhi

1. Practice the plan.

2. Training.

3. Table top.

4. Schedule.

Page 7

Look and Listen.

“See no evil, hear no evil, speak no evil.” Then you will never find evil.

1. Turning a blind eye is not an option

2. Metrics and alert

3. Risk, Threats, Vulnerabilities

4. Monitor

5. Build relationships in the community

Tools

• E-mail Alerts

• System Dashboards

• Security Information & Event Monitoring

• Vulnerability Scanners

• Daily, Weekly, Monthly Reports

Communities

• ILTA LegalSEC

• FBI InfraGard

• US-CERT

• International Information Systems Security Certification Consortium (ISC)2

• Information Security Systems Association (ISSA)

• Vendor Alerts

Page 8

June 11, 2014

Thank you for being here today

Presenter: Andrey Zelenskiy, Information Security, Dentons US, LLP

Page 9

Threat Landscape Today:

- Enterprises are attacked on average once every 1.5 seconds. In 2012, we reported malware attacks occurred once every three seconds. The increased frequency of use highlights the bigger role malware is playing in cyber attacks.

- Malware attack servers and command and control (CnC) infrastructure have been placed in 206 countries and territories, up from 184 in 2012. The U.S., Germany, South Korea, China, Netherlands, United Kingdom, and Russia were home to the most CnC servers.

Page 10

Threat Landscape Today (Cont’d):

- The top ten countries that were most frequently targeted by APTs in 2013: United States, South Korea, Canada, Japan, United Kingdom, Switzerland, Taiwan, Saudi Arabia, Israel

- The following verticals were targeted by the highest number of unique malware families: Government, Services/consulting, Technology, Financial services, Telecommunications, Education, Aerospace/Defense, Government (State/Local), Financial services, Chemicals, Energy

Source: FireEye Advanced Threat Report 2013 (http://www2.fireeye.com/advanced-threat-report-2013.html)

Page 11

New Security Model:

- Network

- Endpoint

- Mobile

- Virtual

- Cloud

Page 12

Incident Identification

According to the SANS Incident Handler's Handbook: “This phase deals with the detection and determination of whether a deviation from normal operations within an organization is an incident, and its scope assuming that the deviation is indeed an incident.” http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Page 13

Where does the information come from?

- End Users

- Help Desk

- System Administrators

- Systems (IDS/IPS, Antivirus, Antimalware)

- Human Resources

Page 14

Indicators:

- “My computer behaves strange”

- AV detections (how likely is that???)

- Ransomware (encrypted files on local drives and network shares)

- Unfamiliar files, executables, processes

- New program installed that is not part of a “standard” build

- Systems connecting to hosts in countries that you do not do business with

- New accounts created in AD

- New account privileges granted
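As an added illustration (not part of the slides) of how three of these indicators can be turned into a first-pass triage filter, the following script runs over constructed log records. It assumes the records have already been parsed into dicts by a SIEM or log tool, uses the standard Windows Security-log event IDs 4720 (account created) and 4728/4732 (member added to a security group), and stands in a stub table for a GeoIP lookup; the host names, user names and IP addresses are constructed.

```python
from collections import Counter

# Constructed sample input: Windows security events and firewall connection
# records, as a SIEM might hand them to an analyst. 4624 is an ordinary logon.
SAMPLE_EVENTS = [
    {"type": "win", "event_id": 4624, "host": "WS-017", "user": "jdoe"},
    {"type": "win", "event_id": 4720, "host": "DC-01", "user": "svc-backup2",
     "actor": "jdoe"},
    {"type": "win", "event_id": 4732, "host": "DC-01", "user": "svc-backup2",
     "group": "Administrators", "actor": "jdoe"},
    {"type": "fw", "host": "WS-017", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"type": "fw", "host": "WS-017", "dst_ip": "198.51.100.9", "dst_port": 8080},
    {"type": "fw", "host": "FS-02", "dst_ip": "192.0.2.40", "dst_port": 443},
]

# Stub geo lookup (constructed); a real deployment would query a GeoIP database.
GEO = {"203.0.113.7": "US", "198.51.100.9": "XX", "192.0.2.40": "DE"}

# Countries the firm does business with (assumed); anything else is a question.
BUSINESS_COUNTRIES = {"US", "GB", "DE"}

# Windows Security-log IDs: 4720 = account created,
# 4728 / 4732 = member added to a global / local security group.
NEW_ACCOUNT = 4720
PRIV_GRANT = {4728, 4732}

def triage(events, geo=GEO, allowed=BUSINESS_COUNTRIES):
    """Return (indicator, host, detail) findings, one per matching event.
    Each finding corresponds to one indicator from the slide above."""
    findings = []
    for e in events:
        if e["type"] == "win" and e["event_id"] == NEW_ACCOUNT:
            findings.append(("new AD account", e["host"],
                             f"{e['user']} created by {e['actor']}"))
        elif e["type"] == "win" and e["event_id"] in PRIV_GRANT:
            findings.append(("new privileges granted", e["host"],
                             f"{e['user']} added to {e['group']} by {e['actor']}"))
        elif e["type"] == "fw":
            country = geo.get(e["dst_ip"], "??")   # unknown country also flagged
            if country not in allowed:
                findings.append(("connection to unexpected country", e["host"],
                                 f"{e['dst_ip']}:{e['dst_port']} ({country})"))
    return findings

def hosts_by_finding_count(findings):
    """Rank hosts by how many indicators fired, to decide where to look first."""
    return Counter(host for _, host, _ in findings).most_common()

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print(hosts_by_finding_count(results))
```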

Page 15

Questions, Questions:

- Who?

- What?

- When?

- Where?

- How?

Page 16

Tools:

- SIEM

- Log aggregation and management

- Endpoint protection

- Network protection

Page 17

Containment

“The primary purpose of this phase is to limit the damage and prevent any further damage from happening” (SANS Incident Handler's Handbook)

Page 18

Containment Phases:

- Short-term containment (limit the damage as soon as possible)

- System backup

- Long-term containment

Page 19

What We Have Learned from the Target Attack: Missed Alarms and 40 Million Stolen Credit Card Numbers

http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

Page 20

“Real Life” Approach Using Cisco Sourcefire AMP Technology

Page 21

Cisco Sourcefire FireAMP

“Sourcefire’s Advanced Malware Protection solutions utilize big data analytics to continuously aggregate data and events across the extended network - networks, endpoints, mobile devices and virtual environments - to deliver visibility and control against malware and persistent threats across the full attack continuum – before, during and after an attack.”

Page 22

Most Recent Events

Navigating to the Events tab by clicking on a threat, IP address, or computer name in the Dashboard tab provides different filtered views.

Page 23

File Analysis

File Analysis allows a user to upload an executable into a sandbox environment where it is placed in a queue to be executed and analyzed automatically. The results are then made available to all FireAMP users.

Page 24

File Analysis (cont’d)

The File Analysis page also allows the user to search for the SHA-256 of an executable to find out whether the file has already been analyzed. If it has, the analysis report is available and can be viewed by the user.

Page 25

Captured Screenshots

When malware is analyzed, a series of screenshots is also collected. These screenshots can be used to observe the visual impact that the malware has on a victim’s desktop. They can also be used in user education campaigns: in the case of an outbreak, the security analyst can send screenshots of the threat’s behavior to network users and warn them of the symptoms.

Page 26

Network Capture

You can download the entire network capture that was collected while analyzing the binary. This feature can be used to create an IDS signature to detect or block activity that is associated with this threat.

Page 27

Trajectory Visibility and File Details

Page 28

Trajectory (Cont’d) “Created by…”

Page 29

Trajectory (Cont’d) “Executed by…”

Page 30

Trajectory (Cont’d) “Moved by…”

Page 31

Trajectory (Cont’d) “It Created…”

Page 32

Eradicate

1. Remove the problem.

2. Be swift, efficient, thorough.

3. Don’t forget the user.

4. Don’t forget to use an appropriate response.

5. Be prepared to restore data.

6. Is there more?

7. Tune your defenses.

People

• Someone needs to visit the machine – at least remotely.

Process

• Imaging checklists

• Server build checklists

• Change Management

Tools

• Antivirus

• Rootkit & Registry Cleaners

• Scripts

• Imaging software

• Backup software

• USB drives

Page 33

January 1, 2014

Thank you for being here today

Presenter: C. Matthew Curtin, CISSP, Founder and CEO, Interhack Corporation

Page 34

RECOVERY

You can get the monkey off your back, but the circus never leaves town.

In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. (NIST SP800-61rev2)

Page 35

RESTORE NORMAL OPERATIONS

“Does anyone remember where this wire goes?”

Page 36

RESTORE NORMAL OPERATIONS

“Does anyone remember where this wire goes?”

Confirm systems are functioning normally

Remediate vulnerabilities

Restore from clean backups?

Rebuild from scratch?

Replace compromised systems?

Install patches?

Change passwords?

Adjust other controls?

What’s next?

Page 37

FOLLOW-UP

Not following up is like filling up your bathtub without first putting the stopper in the drain.

One of the most important parts of incident response is also the most often omitted: learning and improving. (NIST SP800-61rev2)

Page 38

LESSONS LEARNED

What do we know now that we didn’t know then?

Page 39

LESSONS LEARNED

What do we know now that we didn’t know then?

Build a timeline: what happened, and when?

How did the team perform? Using procedures? Procedures adequate?

What inhibited recovery?

What can prevent similar future incidents?

What can detect similar future incidents?

Writing the report.

Page 40

USING COLLECTED INCIDENT DATA

What is actionable?

Resources: time, people, money. Incident type. (Curtin, Ayres. “Using Science to Combat Data Loss”)

Think about the collection of reports, metrics available:

● Number of incidents handled

● Time per incident

What should we have for the future?
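As an added example (not from the slides or the presenters), the script below takes a few constructed incident records, builds the per-incident timeline the lessons-learned slide asks for, and computes the two metrics named above: incidents handled (per type and in total) and time per incident, measured either detection-to-closure or detection-to-containment. The record fields, the incident categories and all timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed incident records, as an IR team's ticket system might export them.
INCIDENTS = [
    {"id": "IR-0001", "type": "malware", "detected": "2014-03-03T09:12",
     "contained": "2014-03-03T11:40", "closed": "2014-03-05T17:00"},
    {"id": "IR-0002", "type": "phishing", "detected": "2014-03-10T08:05",
     "contained": "2014-03-10T08:50", "closed": "2014-03-11T12:00"},
    {"id": "IR-0003", "type": "malware", "detected": "2014-04-01T13:30",
     "contained": "2014-04-02T09:00", "closed": "2014-04-09T16:30"},
]

FMT = "%Y-%m-%dT%H:%M"
STAGES = ("detected", "contained", "closed")   # assumed lifecycle milestones

def parse(rec):
    """Return a copy of one record with its stage timestamps as datetimes."""
    return {**rec, **{s: datetime.strptime(rec[s], FMT) for s in STAGES}}

def timeline(rec):
    """Chronological (when, what) pairs for one incident: the 'build a
    timeline' step of lessons learned, ready to paste into the report."""
    r = parse(rec)
    return sorted((r[s], s) for s in STAGES)

def incidents_handled(records):
    """Number of incidents handled, broken down by type plus a total."""
    counts = {}
    for r in records:
        counts[r["type"]] = counts.get(r["type"], 0) + 1
    counts["total"] = len(records)
    return counts

def hours_per_incident(records, start="detected", end="closed"):
    """Mean elapsed hours between two stages across all incidents.
    Default is detection to closure; end='contained' gives time to contain."""
    durations = []
    for rec in records:
        r = parse(rec)
        durations.append((r[end] - r[start]) / timedelta(hours=1))
    return mean(durations)

if __name__ == "__main__":
    print(incidents_handled(INCIDENTS))
    print(round(hours_per_incident(INCIDENTS), 1), "hours, detect to close")
    print(round(hours_per_incident(INCIDENTS, end="contained"), 1), "hours to contain")
    for when, what in timeline(INCIDENTS[0]):
        print(when.isoformat(), what)
```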

Page 41

EVIDENCE RETENTION

How long do we keep the evidence?

How do you decide how long to keep the results?

• Prosecution

• Retention policies

• Cost

Page 42

We’ll now open it up for questions

Questions

Page 43

Thank You