
Post on 07-Aug-2015


© 2015 Lancope, Inc. All rights reserved.

The Seven Deadly Sins of Incident Response

Brandon Tansey, Security Researcher

Javvad Malik, Senior Analyst, Enterprise Security Practice


The origin of [incident response] sin…


1. Not understanding your environment due to a lack of visibility


[Diagram: asset classes in the environment: Developer PCs, Other PCs, Domain Controllers, DNS Servers, Mail Servers, Code Repositories, FTP Servers, Web Servers, Internet Hosts]


[Diagram: layers of visibility: Network, Services, Hosts]


Regardless of the type of information…

• Are you just logging information or are you also collecting it?

• Are you saving only ‘special’ log lines, or everything?

• Do you have a standard retention period in policy?
  • Does the budget control the period, or the period the budget?

• If you have end-user managed hosts, are they subject to the same logging policies?


2. Not having the right staff


Number of team members in CSIRT (Source: Lancope / Ponemon Institute)
  None: 12%
  One: 16%
  2 to 5: 44%
  6 to 10: 23%
  More than 10: 5%

Number of team members fully dedicated to CSIRT (Source: Lancope / Ponemon Institute)
  None: 45%
  One: 28%
  2 to 5: 14%
  6 to 10: 11%
  More than 10: 2%

Or any staff…


[Diagram: Collection, then Analysis, then Action / Realizing Value]


Not having the right staff

• Technical skills

• Knowledge transfer

• Appropriate to type of company


What functions or departments are involved in the incident response process? (Source: Lancope / Ponemon Institute)
  IT Management: 79%
  Executive Management: 14%
  Board of Directors: 10%
  Risk management: 36%
  Legal: 45%
  Compliance: 47%
  HR: 43%

3. Lack of budget (a.k.a. not being able to speak the language of the business)

Lack of budget

• Communicating technical issues in technical terms to the business

• Not helping to sell more ‘widgets’

• Ineffective allocation of budget

[Charts omitted. Source: 451 Research]

How much of your security budget goes towards an incident response program?

(Source: Lancope / Ponemon Institute)
  Less than 10%: 50%
  10% to 20%: 31%
  21% to 30%: 11%
  31% to 40%: 5%
  41% to 50%: 2%
  More than 50%: 1%

Does your organization have meaningful operational metrics to measure the overall effectiveness of incident response activities? (Source: Lancope / Ponemon Institute)
  Yes: 46%
  No: 50%
  Unsure: 4%

Does your organization have meaningful operational metrics to measure the speed at which incidents are being detected and contained? (Source: Lancope / Ponemon Institute)
  Yes: 42%
  No: 55%
  Unsure: 3%

Frequency of cyber threat briefings to various functions within the organization (“very frequently” and “frequently” responses combined; Source: Lancope / Ponemon Institute)
  IT Management: 91%
  Compliance / Audit: 64%
  Legal: 51%
  HR: 50%
  Risk Management: 49%
  Broadly throughout org.: 24%
  Executive Management: 20%
  Board of Directors: 12%

4. Becoming a headless chicken when IT hits the fan (a.k.a. not having a plan)

Becoming a headless chicken when IT hits the fan

• Undefined roles and reporting lines

• Knee-jerk reactions and decisions

• Lack of change management


Vince Lombardi, sort of:

“When you get into [an incident investigation], act like you've been there before.”

Things to ask ahead of time (and get in writing)

• Who can approve what actions?
  • Does the type of incident affect the answer?
  • If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?

Things to ask ahead of time (and get in writing)

• What are end-users’ responsibilities in the incident response process?
  • Are they required to turn over machines to the CSIRT?
  • In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?

• What happens when a user needs something that the CSIRT has blocked?
  • Who handles exceptions?

Things to ask ahead of time (and get in writing)

• What are your external (legal, compliance, contractual) obligations?
  • At what point has there been a “breach”?
  • Is this the point when other teams (legal, etc.) are notified?
  • If any, what are your external notification requirements?

Things to ask ahead of time (and get in writing)

• Can your CSIRT participate in information and indicator sharing groups?

• Can your CSIRT run malware live on the internet?
  • What are the safe handling requirements?

• Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
  • From the corporate LAN? An unattributed network?

5. Using generic response processes that aren’t specific to your organization

Using generic response processes that aren’t specific to your organization

• ‘Monkeys in a cage’ mentality

• Not tailoring processes to your company

• Lack of risk assessment and measurement


Note: All of the ‘questions’ in the last section were just that, questions.

You need to know (or figure out) what is best for your own organization, and that’s not just a technical decision.

Should your CSIRT make decisions or recommendations?

6. Improper threat modelling (a.k.a. missing the big picture)

Improper threat modelling

• Missing the big picture

• Emotion-based decision making

• Defending against all possible threats all the time


The safest network is one with nothing connected. Go ahead and make that your policy.*

* Don’t do this.

7. Not considering your environment and capabilities when tuning devices

Not considering your environment and capabilities when tuning devices

• Unable to separate the news from the noise

• Setting defaults and forgetting about them

• Monitoring the quality of alerts vs. counting stats

• Shelfware


Things to think about when tuning: dealing with quantity and sensitivity

• Tuning is an iterative process

• What type of setup are you working to?
  • A bat-signal to summon the part-time CSIRT employee?
  • A set of ‘suspicious’ things for analysts to investigate?

• Using detection tools to supplement your knowledge
  • Context matters:
    • Someone on the Internet port scans hosts in your DMZ? Meh.
    • A host on your LAN begins scanning internal ranges? Hrm…

• Familiarize yourself with the rules/events/alarms you turn on
  • The best rule/event/alarm is one that you wrote yourself
  • Know how it works, when it doesn’t, what it means, and what to do…
  • Learn which events are your ‘money’ events, and figure out why the others aren’t in that bucket
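The context point in the two scanning bullets above, turned into detection logic as an added example (not code from the Lancope deck): it counts distinct (destination, port) targets per source over constructed NetFlow-style records and rates a scan by where the source sits and what it touches. The address plan (10.0.0.0/8 as the LAN, 192.0.2.0/24 as the DMZ), the threshold and the sample flows are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan (hypothetical): corporate LAN and a DMZ.
LAN = ip_network("10.0.0.0/8")
DMZ = ip_network("192.0.2.0/24")
SCAN_THRESHOLD = 10  # distinct (dst, port) pairs before we call it a scan

# Constructed sample flows (src, dst, dst_port): an Internet host sweeping
# ports on a DMZ web server, a LAN workstation sweeping SMB across an
# internal range, plus a little ordinary DNS traffic.
FLOWS = (
    [("203.0.113.7", "192.0.2.10", p) for p in range(1, 21)]
    + [("10.0.5.23", f"10.0.9.{h}", 445) for h in range(1, 21)]
    + [("10.0.5.23", "10.0.1.1", 53), ("10.0.7.8", "10.0.1.1", 53)]
)

def zone(ip):
    """Map an address to the zone it belongs to."""
    addr = ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "internet"

def score_scanners(flows, threshold=SCAN_THRESHOLD):
    """Return {src: (severity, distinct_targets)} for sources over threshold.

    Severity carries the context the deck talks about: an Internet host
    scanning the DMZ is background noise; a LAN host scanning internal
    ranges deserves an analyst's attention.
    """
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[src].add((dst, port))
    result = {}
    for src, seen in targets.items():
        if len(seen) < threshold:
            continue
        dst_zones = {zone(dst) for dst, _ in seen}
        if zone(src) == "lan" and dst_zones <= {"lan", "dmz"}:
            severity = "high"    # internal host sweeping internal ranges
        elif zone(src) == "internet" and dst_zones == {"dmz"}:
            severity = "low"     # Internet noise against exposed hosts
        else:
            severity = "medium"
        result[src] = (severity, len(seen))
    return result
```

Calling score_scanners(FLOWS) flags the Internet host as low severity and the LAN workstation as high, while the lone DNS client never reaches the threshold; the same "money event" logic transfers to any rule you write once the zones reflect your own network.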


Recap!

• 1. Not understanding your environment due to a lack of visibility

• 2. Not having the right staff

• 3. Lack of budget

• 4. Becoming a headless chicken when IT hits the fan

• 5. Using generic response processes that aren’t specific to your organization

• 6. Improper threat modelling

• 7. Not considering your environment and capabilities when tuning devices


8. Not taking advantage of the fruits of an incident investigation

What type of tools are most effective in helping to detect breaches? (Source: Lancope / Ponemon Institute)
  NetFlow / Pcap: 80%
  SIEM: 76%
  IDS / IPS: 67%
  Threat Feeds: 65%

Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks? (Source: Lancope / Ponemon Institute)
  Yes: 43%
  No: 54%
  Unsure: 3%

Recap!

• 1. Not understanding your environment due to a lack of visibility

• 2. Not having the right staff

• 3. Lack of budget

• 4. Becoming a headless chicken when IT hits the fan

• 5. Using generic response processes that aren’t specific to your organization

• 6. Improper threat modelling

• 7. Not considering your environment and capabilities when tuning devices

• 8. Not taking advantage of the fruits of an incident investigation


Thank you!


@Lancope

https://www.facebook.com/Lancope

http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about

https://plus.google.com/u/0/103996520487697388791/posts

http://feeds.feedblitz.com/netflowninjas
