A SANS Survey
Written by Alissa Torres
Advisor: Jake Williams
August 2015
Sponsored by AlienVault, Arbor Networks, Bit9 + Carbon Black,
Hewlett-Packard, McAfee/Intel Security, and Rapid7
Maturing and Specializing: Incident Response Capabilities Needed
Key Elements for Successful Incident Response (CONTINUED)
SANS ANALYST PROGRAM   Maturing and Specializing: Incident Response Capabilities Needed   11
Remediation Practices
Without proper investigative skills or resources, the number of compromised systems
and accounts—and the amount of data stolen—is not properly quantified. In these
instances, detection to remediation is achieved quickly with a simple wipe and reimage.
Yet, best industry response practices also include signaturing malware and attacker
behavior based on the initial system(s) identified. Once these unique signatures, known
as indicators of compromise, are created, they are used to scan other systems in the
enterprise. In this way, all systems with active malware or similar artifacts of attacker
activity will be identified. In our survey, 88% of our respondents stated they were
conducting this type of identification and follow-up either manually or in an automated
fashion (see Table 3).
For all the practices listed here, respondents did more manually than through
automated processes. The critical thing to remember is that manual practices take more
time and are usually much less accurate than automated procedures.
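The follow-up step described above (deriving indicators from the first compromised system, then sweeping the rest of the enterprise for the same artifacts) is shown here as an added example; it is not code from the survey or from any vendor named in it. It assumes host filesystems are reachable as mounted directories, uses a constructed payload and constructed file layouts, and treats a content-hash match as a strong indicator and a bare filename match as a weak one that still needs triage.

```python
"""IOC sweep across host filesystems (added example, not from the SANS survey)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class IocSet:
    """Indicators derived from the first compromised system."""
    sha256: set = field(default_factory=set)     # content hashes: strong indicators
    filenames: set = field(default_factory=set)  # dropped-file names: weak, need triage


def sha256_of(path: str, chunk: int = 65536) -> str:
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root: str, iocs: IocSet) -> list:
    """Return sorted (relative_path, indicator_type) hits found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() in iocs.filenames:
                hits.append((rel, "filename"))
            try:
                if sha256_of(full) in iocs.sha256:
                    hits.append((rel, "sha256"))
            except OSError:
                continue  # unreadable file: skip here; a real sweep would log it
    return sorted(hits)


def sweep_hosts(host_roots: dict, iocs: IocSet) -> dict:
    """Scan every mounted host image and map host name -> list of hits."""
    return {host: scan_tree(root, iocs) for host, root in host_roots.items()}


def affected_hosts(results: dict) -> list:
    """Hosts with at least one hit, for the containment queue."""
    return sorted(host for host, hits in results.items() if hits)


# Constructed sample payload standing in for the malware found on patient zero.
MALWARE_BYTES = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE\x00\x01\x02"


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Build four constructed host images in a temp dir and sweep them."""
    with tempfile.TemporaryDirectory() as base:
        hosts = ("patient-zero", "host-b", "host-c", "host-d")
        roots = {h: os.path.join(base, h) for h in hosts}
        for root in roots.values():
            os.makedirs(root)
        _write(roots["patient-zero"], "Windows/Temp/updater.exe", MALWARE_BYTES)
        _write(roots["host-b"], "ProgramData/cache/x.bin", MALWARE_BYTES)  # renamed copy
        _write(roots["host-b"], "Users/bob/Downloads/report.pdf", b"benign")
        _write(roots["host-c"], "Windows/Temp/updater.exe", b"legitimate updater")  # name collision only
        _write(roots["host-d"], "Users/ann/notes.txt", b"benign")
        iocs = IocSet(sha256={hashlib.sha256(MALWARE_BYTES).hexdigest()},
                      filenames={"updater.exe"})
        return sweep_hosts(roots, iocs)


if __name__ == "__main__":
    for host, hits in demo().items():
        print(host, hits or "clean")
```

The renamed copy on host-b is caught only by the hash, and host-c is flagged only by the filename, which is exactly the split between hosts that go straight to containment and hosts that go to an analyst first.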
Table 3. Remediation Practices

What practices do you have in place for remediating incidents? Indicate whether the process is conducted manually, through automated systems that are integrated, or a combination of both. Choose only those that apply to your organization.

Answer Options                                                                                          Manual  Automated  Both   Total Response
Quarantine affected hosts                                                                               44.8%   22.2%      29.9%  96.9%
Shut down system and take it offline                                                                    67.0%   7.6%       20.5%  95.1%
Kill rogue processes                                                                                    52.1%   11.1%      31.6%  94.8%
Remove rogue files                                                                                      43.4%   12.5%      38.2%  94.1%
Reimage/Restore compromised machines from gold baseline image                                           60.4%   11.1%      22.2%  93.8%
Isolate infected machines from the network while remediation is performed                               63.2%   8.7%       21.5%  93.4%
Block command and control to malicious IP addresses                                                     38.5%   18.8%      35.8%  93.1%
Reboot system to recovery media                                                                         64.2%   7.3%       18.4%  89.9%
Identify similar systems that are affected                                                              49.7%   10.8%      27.8%  88.2%
Remotely deploy custom content or signatures from security vendor                                       33.7%   21.2%      33.0%  87.8%
Update policies and rules based on IOC findings and lessons learned                                     59.4%   7.3%       18.4%  85.1%
Removing file and registry keys related to the compromise without rebuilding or reinstalling the machine  52.4%   8.3%       23.3%  84.0%
Boot from removable media and repair system remotely                                                    58.7%   6.9%       16.7%  82.3%
Other                                                                                                   6.3%    2.8%       5.2%   14.2%
TAKEAWAY: Automating remediation processes will speed time to remediation and reduce the workload assigned to IR staff.
What Works
Organizations are still automating what they can in their processes, which SANS defines
as integrating functions across ecosystems. Traditional anti-malware/edge protection,
logs and behavior-based scanning are the most integrated, according to results.
Detection
The three most popular detection technologies, as indicated by being either fully or
partially integrated into respondents’ IR capabilities, are IPS/IDS/firewall and unified
[Table: integration of detection technologies into respondents' IR capabilities. The row labels were lost in extraction except for the last two, "Third-party tools specific for legal digital forensics" and "Other". The 18 rows, in the order they appear, as Total Integrated / Partially Integrated / Highly Integrated:]
88.5% / 32.9% / 55.6%
81.4% / 41.0% / 40.3%
81.0% / 34.2% / 46.8%
78.0% / 38.0% / 40.0%
75.9% / 40.7% / 35.3%
74.9% / 32.5% / 42.4%
74.2% / 38.6% / 35.6%
69.5% / 35.9% / 33.6%
69.5% / 41.7% / 27.8%
67.1% / 32.2% / 34.9%
65.8% / 38.3% / 27.5%
65.4% / 32.5% / 32.9%
61.0% / 33.9% / 27.1%
58.0% / 36.6% / 21.4%
55.9% / 29.5% / 26.4%
50.8% / 27.5% / 23.4%
Third-party tools specific for legal digital forensics: 49.5% / 26.8% / 22.7%
Other: 8.5% / 4.1% / 4.4%
There is a strong correlation with the top three automated capabilities between our
2015 and 2014 surveys (although the questions were worded differently in 2014). In our
2015 survey, IPS/IDS/Firewall and UTM alerts were integrated by 89% of respondents,
81% integrated log analysis in their response practices, and 81% integrated network-
based scanning agents for signatures and detected behavior. These categories were also
among the most highly used processes in 2014—whether automated, manual or both.
IPS/IDS/Firewall and UTM alerts were used by 91%, log analysis by 85%, and network-
based scanning agents for signatures and detected behavior by 96%.
Most respondents (44%) felt their SOCs were immature and unable to respond well
to events, with 25% believing their SOCs were maturing, 14% feeling their SOCs were
mature and the rest unsure of their status.
In correlating the maturity of IR capabilities within an organization with the technologies
and resources deployed, mature SOCs had the greatest integration of technologies
such as endpoint-detection-and-response (EDR) capabilities, network packet capture
implementation, and SIEM correlation and analysis.
Intelligence
The incorporation of cyberthreat intelligence (CTI) and analytics tools and services was
also more prevalent in organizations with mature SOCs. By correlating threat intelligence
and analytics, IR teams can detect and respond to threats based on past incidents and
those included in CTI feeds. In fact, in the 2015 SANS Cyberthreat Intelligence Survey,11
75% of respondents cited CTI as important to security. Yet only 66% of respondents
to this 2015 survey on IR report high or partial integration of intelligence with their IR
processes. They do, however, use intelligence provided either internally or through third-
party sources. Specifically, respondents use intelligence in the following ways:
• 96% tie intelligence to IP addresses. This was the most commonly implemented
type of CTI data when including internal and third-party sources.
• 93% tie traffic to known suspicious IPs.
• 91% track endpoint security data and logs.
• 91% incorporate signatures and heuristics from previous events.
11 “Who’s Using Cyberthreat Intelligence and How?” www.sans.org/reading-room/whitepapers/analyst/who-039-s-cyberthreat-intelligence-how-35767
For the full breakdown of in-house and third-party capabilities for IR processes, see
Figure 6.
As indicated earlier, most of the respondents to this survey work internally for their organizations, so it makes sense that the primary outsourced functions include heuristics, reputation data and adversary/attacker data attributes. Tor node IP addresses would fit into the reputation and attacker data categories as well. Many organizations will not expect to receive legitimate traffic from Tor exit nodes, but because the exit nodes change frequently, they need automated processes to effectively block attacks from Tor exit nodes.
It’s clear that significant security implementations are present within our respondents’ networks. However, their full functionality cannot be achieved without automation in analysis, correlation and reporting. A notable 42% of respondents have fully integrated, and 33% have partially integrated SIEMs into their IR ecosystems for analytics during response. Some may also be relying on their CTI tools or services to do the analytics for them, with 26% fully integrating and 28% partially integrating CTI within their functions. The 13% of organizations not currently integrating analytics, such as a SIEM, into their response should consider this a top priority to mature their SOC and IR processes.
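The two intelligence uses the survey reports most often (tying intelligence to IP addresses and matching traffic against known suspicious IPs) and the Tor exit-node point above are shown together here as an added example; it is not code from the survey or its sponsors. The exit-list format (one address per line) follows what the Tor Project publishes, but the comment lines, the internal feed layout, the key=value firewall log lines and all addresses are constructed for the example, and the refresh interval is an assumption.

```python
"""Match log IPs against threat-intelligence lists (added example, not from the survey)."""
import ipaddress
import re

# Constructed sample of a Tor exit-node list: one address per line. The real
# list is published by the Tor Project; the '#' comment lines are an assumption.
TOR_EXIT_SAMPLE = """\
# constructed sample, not real exit relays
203.0.113.7
203.0.113.42
198.51.100.9
"""

# Constructed internal feed: address or CIDR, then a tag from a prior incident.
INTERNAL_FEED_SAMPLE = """\
192.0.2.0/28 known-c2
198.51.100.9 prior-incident
"""

# Constructed firewall log lines in a key=value style.
LOG_SAMPLE = """\
2015-08-01T10:00:01Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=443
2015-08-01T10:00:02Z fw allow src=192.0.2.3 dst=10.0.0.20 dport=22
2015-08-01T10:00:03Z fw allow src=10.0.0.6 dst=198.51.100.77 dport=80
2015-08-01T10:00:04Z fw deny src=198.51.100.9 dst=10.0.0.20 dport=3389
"""

IP_FIELD_RE = re.compile(r"\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_feed(text: str, default_tag: str) -> list:
    """Parse 'address[/prefix] [tag]' lines into (network, tag) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            net = ipaddress.ip_network(parts[0], strict=False)  # single IP becomes /32
        except ValueError:
            continue  # malformed feed line: skip it rather than abort the whole load
        entries.append((net, parts[1] if len(parts) > 1 else default_tag))
    return entries


def match_logs(log_text: str, entries: list) -> list:
    """Return (ip, field, [tags]) for every log IP covered by an intel entry."""
    hits = []
    for line in log_text.splitlines():
        for field, raw_ip in IP_FIELD_RE.findall(line):
            ip = ipaddress.ip_address(raw_ip)
            tags = sorted({tag for net, tag in entries if ip in net})
            if tags:
                hits.append((raw_ip, field, tags))
    return hits


def needs_refresh(loaded_at: float, now: float, max_age_s: float = 3600) -> bool:
    """Exit nodes churn, so a stale list both misses new exits and keeps blocking old ones."""
    return (now - loaded_at) >= max_age_s


if __name__ == "__main__":
    intel = parse_feed(TOR_EXIT_SAMPLE, "tor-exit") + parse_feed(INTERNAL_FEED_SAMPLE, "internal")
    for hit in match_logs(LOG_SAMPLE, intel):
        print(hit)
```

An address that appears in two feeds (198.51.100.9 here) comes back with both tags, which is the kind of overlap between reputation data and prior-incident data that makes a single alert actionable.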
What kind of threat intelligence are you using? Please indicate what is being delivered through third parties and what is developed internally. Select only those that apply.

[Figure 6 is a bar chart; the percentages are not recoverable from the extracted text. Categories as labelled on the chart: Suspicious files, host flow and executables; Network history data; Endpoint data and logs; IP addresses/Nodes; Adversary/Attacker attribution; Unexecuted or undetonated malicious files; Other; Heuristics/Signatures from previous events; Communications between systems and malicious IP addresses; Domain data; Tor Node IP addresses; Reputation data; Host and network indicators of compromise (IOCs). Series: Provided by Third Party, Internal Discovery, Both. Y-axis: 0% to 100%.]
Figure 6. Type of Intelligence Used

The full functionality of security implementations cannot be achieved without automation in analysis, correlation and reporting.
What’s Not Working: Impediments to Response
Despite improvements in technology, IR processes and their analytics capabilities,
organizations still face obstacles that impede effective IR. Leading the list is staffing
and skills shortages, flagged by 66% of survey respondents as one of the top obstacles
to effective IR. The third top problem reported is lack of visibility, indicating that for as
much automation and integration respondents are attempting, they still do not have the
full-picture view across systems they need for fast, accurate response. See Figure 7.
This lack of visibility is making it difficult for 37% of respondents to distinguish between
real malicious events and nonevents. Lack of budget for tools and technology, cited
by 54% of respondents, only contributes to this lack of visibility, and staffing issues
account for lack of procedural reviews and practice (41%).
Top 10 Impediments to Effective IR
[Figure 7 is a horizontal bar chart (0% to 60%); the bar values are not recoverable from the extracted text. Items as listed on the chart:]
• Staffing and skills shortage
• Budgetary shortages for tools and technology
• Inability to distinguish malicious events versus nonevents
• Lack of comprehensive automated tools available to investigate new technologies, such as BYOD, IoT, and cloud-based IT
• Not enough visibility into events happening across different systems or domains
• Organizational silos between IR and other groups or between data sources or tasks
• Integration issues with our other security and monitoring tools
• Lack of procedural reviews and practice
• Too much time to detect and remediate
• Difficulties in detecting sophisticated attackers and removing their traces
Figure 7. Impediments to Investigations
Let’s first tackle the people issue: In many instances, the cause of understaffing is not due to a lack of funding, but to a lack of available skilled professionals to fill open positions. Based on a 2014 survey conducted by Enterprise Strategy Group (ESG), 28% of organizations say they have a “problematic shortage” of IT security skills.12 One recommendation to aid in recruitment is to consider filling positions with remote workers.
According to the SANS 2015 IR surveys, 73% of organizations use a dedicated team, 70% are drawing team members from their internal staff assigned to other functions, while 32% are drawing from third-party services. For surge team augmentation, 61% used a dedicated internal surge team in both 2014 and 2015, 63% draw additional surge staff from internal resources and 28% (27% in 2014) use outsourced services. See Figure 8.
Location is also important to staffing. According to the U.S. Bureau of Labor Statistics, the highest concentration of information security professionals is in the Washington, D.C. metropolitan area. In comparing the highest and lowest concentrations of InfoSec professionals by metropolitan areas, 9,070 workers were identified in the DC area, whereas only 430 were located in Albuquerque, New Mexico, the area with the lowest concentration of InfoSec.13 Options for companies looking to hire skilled technical professionals outside of major metropolitan areas include enticing a potential employee to relocate or building a remote IR team. This second option is becoming more feasible as infrastructure to support telecommuting is now commonplace in most organizations. One of the obstacles that may exist to employing remote workers, admittedly, is the difference in the cost of living and salary requirements associated with different areas.
Core Versus Surge Staffing
[Figure 8 is a horizontal bar chart (0% to 80%) with two series, Core team and Surge; the bar values are not recoverable from the extracted text. Categories as listed on the chart:]
• Other
• Outsourced services (e.g., MSSP-managed services security provider) with dedicated IR services (alerts, response)
• Drawn from other internal staff (security group, operational/administrative IT resources)
• Dedicated internal IR team
Figure 8. Resources Used in Incidents
Diversity of Investigations
More platforms are involved in today’s investigations, driving the need for more
specialized skills. More virtualized and cloud-based systems are being supported by
in-house IR capabilities since last year, for example. Last year, data center servers hosted
in the public cloud (e.g., Azure or Amazon EC2) were investigated in-house by only
37% of our respondents, compared with 61% in 2015. Other notable changes include
employee-owned systems. Last year, only 58% of respondents investigated employee-
owned equipment, whereas 69% do this year. This supports the growing prevalence of
employees bringing their own devices, whether laptops, tablets or smartphone devices,
and connecting them to the organization’s network resources. See Figure 9.
We included a new category of “employee social media accounts” as an area of possible
investigation for IR teams because this medium is being used effectively by sophisticated
attackers for targeted reconnaissance. Just 59% of respondents cite including this
element in their in-house investigations.
What business processes and systems are involved in your investigations? Check only those that apply. Please indicate whether your capabilities for these investigations exist in-house, are outsourced or both.

[Figure 9 is a bar chart (0% to 100%) with three series, In-house, Outsourced and Both; the percentages are not recoverable from the extracted text. Categories as labelled on the chart: Embedded, or non-PC devices, such as media and entertainment boxes, printers, smart cars, connected control systems, etc.; Employee social media accounts; Business applications and services (e.g., email, file sharing) in the cloud; Corporate-owned laptops, smartphones, tablets and other mobile devices; Corporate-owned social media accounts; Third-party social media accounts or platforms; Internal network (on-premises) devices and systems; Data center servers hosted locally; Employee-owned computers, laptops, tablets and smartphones (BYOD); Other; Web applications; Data center servers hosted in the public cloud (e.g., Azure or Amazon EC2).]
Figure 9. Investigated Media, Platforms and Apps
Visibility
How do you achieve visibility across these systems for a full picture view of actual events
in progress versus nonevents? This is not the only SANS survey to indicate a lack of
visibility as being among the top three inhibitors of effective detection and response. As
we showed earlier, respondents are integrating across some platforms and using SIEM to
analyze the data.
More than 64% of respondents identified the need for better security analytics and
correlation across affected systems, making it the top target area for improvement. This
is an important milestone because respondents can acknowledge weaknesses and point
to reasons why detection is failing. See Figure 10.
TAKEAWAY: Focus on key areas to achieve integration of security information into automated policy where possible and reduce reliance on specialized workers to “catch things” and seek out infected systems manually.
What improvements in IR is your organization planning to make in the next 12 months? Select all that apply.

[Figure 10 is a bar chart (0% to 70%); the percentages are not recoverable from the extracted text. Categories as labelled on the chart: Better security analytics and correlation across event types and impacted systems; Full automation of detection, remediation and follow-up workflows; More automated reporting and analysis through security information and event management (SIEM) integration; Additional training/certification of staff; Other; Better response time; Improved visibility into threats and associated vulnerabilities as they apply to the environment; More integrated threat intelligence feeds to aid in early detection.]
Figure 10. Planned Improvements in Next 12 Months
Additional training and certification will be big next year, with 57% of respondents
adding training and certification for their IR staff. This is a recurring theme in this
year’s survey results, with staffing and skills shortages ranked as one of the top five
impediments to effective IR by 66% of respondents.
The other top targeted areas for improvement include improved visibility into threats
and vulnerabilities, as well as more automated reporting and analysis via SIEM
integration. Many of these areas of improvement have a symbiotic nature—one
depending on an improvement in another to truly benefit an organization. Clearly, an
improvement in visibility (gaining more insight into endpoint and network traffic) will
result in more collected data, which will require automated analysis.
TAKEAWAY: Organizations that take the initiative to “grow their own” in-house skills will increase the efficiency of their IR process and improve effectiveness of security implementations and technology.
Conclusion
Although automation was the most commonly cited area for future IR improvement in
last year’s survey, only a little progress has been made in increasing visibility through
automation of endpoint and network data collection and analytics, or remediation.
This continues to be a key factor in improving IR process efficiency. As the amount of
data collected from endpoints and network traffic grows, teams must move toward
automation to conduct analysis and data correlation with the goal of shortening the
time needed to detect and remediate incidents.
Our survey results also suggest the need for more specialized IR skills. By reducing false
positive alerts and baselining endpoint and network traffic to better detect anomalies,
understaffed teams will have more actionable alerts. The shortage of skilled technical
staff may not have an immediate solution, but organizations can maximize the actions
of existing IR team members by moving to automated detection and remediation
processes.
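The point made twice in this report, that better visibility produces more data which then needs automated analysis and correlation, and that baselining endpoint and network traffic turns noisy alerts into actionable ones, is shown here as an added example; it is not code from the survey or any SIEM product. It assumes a per-host daily count of distinct outbound destinations as the baselined metric, a z-score threshold of 3.0 and a 60-minute correlation window, all chosen for the example, and every host name, count and endpoint event below is constructed.

```python
"""Baseline-and-correlate triage (added example, not from the SANS survey)."""
import statistics
from datetime import datetime, timedelta

# Constructed seven-day baseline: distinct outbound destinations per host per day.
BASELINE = {
    "ws-01": [40, 42, 38, 45, 41, 39, 44],
    "ws-02": [12, 15, 11, 14, 13, 12, 16],
    "srv-db": [5, 5, 6, 5, 4, 5, 5],
}
# Constructed observations for today: (count, time the count was recorded).
TODAY = {
    "ws-01": (47, "2015-08-01T10:00:00"),
    "ws-02": (95, "2015-08-01T10:05:00"),
    "srv-db": (30, "2015-08-01T10:20:00"),
}
# Constructed endpoint telemetry: (time, host, event).
ENDPOINT_EVENTS = [
    ("2015-08-01T09:55:00", "ws-02", "new_scheduled_task"),
    ("2015-08-01T03:10:00", "srv-db", "service_restart"),
    ("2015-08-01T10:02:00", "ws-01", "user_logon"),
]


def zscore(history: list, value: float, min_stdev: float = 1.0) -> float:
    """How far today's value sits from the host's own history, in standard deviations."""
    mean = statistics.mean(history)
    # Floor the deviation so a very flat host does not alert on a one-connection change.
    stdev = max(statistics.stdev(history), min_stdev)
    return (value - mean) / stdev


def network_anomalies(baseline: dict, today: dict, z_threshold: float = 3.0) -> dict:
    """Hosts whose outbound behaviour departs from their own baseline."""
    out = {}
    for host, (count, when) in today.items():
        z = zscore(baseline[host], count)
        if z >= z_threshold:
            out[host] = {"z": round(z, 1), "when": datetime.fromisoformat(when)}
    return out


def correlate(anomalies: dict, endpoint_events: list,
              window: timedelta = timedelta(minutes=60)) -> dict:
    """Escalate a network anomaly only when endpoint telemetry corroborates it in-window."""
    results = {}
    for host, info in anomalies.items():
        corroborating = sorted(
            event for ts, ev_host, event in endpoint_events
            if ev_host == host and abs(datetime.fromisoformat(ts) - info["when"]) <= window
        )
        results[host] = {
            "z": info["z"],
            "priority": "high" if corroborating else "medium",
            "corroborating": corroborating,
        }
    return results


def triage(baseline: dict = BASELINE, today: dict = TODAY,
           endpoint_events: list = ENDPOINT_EVENTS) -> dict:
    """Full pipeline: baseline comparison, then cross-source correlation."""
    return correlate(network_anomalies(baseline, today), endpoint_events)


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(host, verdict)
```

ws-01 is busier than usual but within its own variance, so it never reaches an analyst; ws-02 pairs a large deviation with a new scheduled task ten minutes earlier and is escalated; srv-db deviates just as strongly but its only endpoint event is hours old, so it is queued at a lower priority rather than dropped.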
Reports of data destruction and denial of service attacks have been covered in the
media recently, and the responses from our survey participants substantiate the growing
frequency of such adversary tactics. IR teams, frequently overworked and charged
with constantly putting out fires, rarely have time to craft a new playbook for attacks
requiring different IR processes and containment procedures. Current trends, as seen in
the Sony and Las Vegas Sands Casino attacks, foreshadow what today’s IR teams will be
faced with in future attacks. Anticipate, plan, test and validate response procedures for
the worst attacks—because, inevitably, they are coming.
Alissa Torres is a SANS analyst and certified SANS instructor specializing in advanced computer
forensics and incident response (IR). She has extensive experience in information security in the
government, academic and corporate environments. Alissa has served as an incident handler and
as a digital forensic investigator on an internal security team. She has taught at the Defense Cyber
Investigations Training Academy (DCITA), delivering IR and network basics to security professionals
entering the forensics community. A GIAC Certified Forensic Analyst (GCFA), Alissa holds the GCFE,
GPEN, CISSP, EnCE, CFCE, MCT and CTT+ certifications.
Jake Williams is a SANS analyst, certified SANS instructor, course author and designer of several
NetWars challenges for use in SANS’ popular, “gamified” information security training suite. Jake
spent more than a decade in information security roles at several government agencies, developing
specialties in offensive forensics, malware development and digital counterespionage. Jake is the
founder of Rendition InfoSec, which provides penetration testing, digital forensics and incident
response, expertise in cloud data exfiltration, and the tools and guidance to secure client data against
sophisticated, persistent attack on-premises and in the cloud.