Needs of a Modern Incident Response Program
Tom Cross, Director of Security Research, Lancope
Brandon Tansey, Security Researcher, Lancope
© 2014 Lancope, Inc. All rights reserved.
Page 1: Needs of a Modern Incident Response Program

Needs of a Modern Incident Response Program

Tom Cross, Director of Security Research, Lancope
Brandon Tansey, Security Researcher, Lancope

Page 2: Needs of a Modern Incident Response Program


What advantages do attackers have?

Asymmetry: “The defender has to cover every vulnerability but the attacker only has to find one.”


Page 3: Needs of a Modern Incident Response Program

Attackers Can Often Evade Defenses


Page 4: Needs of a Modern Incident Response Program

Perimeter Security

• Much of the practice of computer security has to do with making sure the doors are locked.
  – When we have incidents we spend more money on prevention.
  – We tend to assume that if the bad guys are in, it's game over.
• We're focusing our energy where attackers have the most strength.


Page 5: Needs of a Modern Incident Response Program

What advantages do defenders have?

Home Court Advantage
• Defenders create the network environment that attackers are trying to compromise
• Defenders
  • Know what is on the network
  • Have visibility into the network
• Attackers have to discover the environment through reconnaissance
• Defenders can exploit the attacker's lack of knowledge of the environment in order to detect attackers and waste their time

Page 6: Needs of a Modern Incident Response Program

A Four Dimensional View of Attacker Behavior

• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
• Controls should be put in place at each stage of the chain

Figure: kill chain stages shown on the slide: Recon, Exploitation, Initial Infection, Internal Pivot, Data Preparation & Exfiltration, Command and Control.

Page 7: Needs of a Modern Incident Response Program

Toward Continuous Incident Response

Factors driving the change:
• The persistent nature of the threat
• Other organizations aren't necessarily experiencing the same attacks
• The desire to collect threat intelligence that can be used to detect future incidents
• A sophisticated attack on a network involves a series of steps

Figure: continuous incident response cycle: Detect, Respond, Analyze, Distill Intel.

Page 8: Needs of a Modern Incident Response Program

Ponemon Research Report: 2014 Cyber Security Incident Response

Sample Response                 Freq     Pct%
Sampling frame                  20,446   100%
Total returns                   793      3.9%
Rejected & screened surveys     119      0.6%
Final sample                    674      3.3%

A scientific sampling frame of 20,446 experienced IT and IT security practitioners located in all regions of the United States and United Kingdom was selected as participants to this survey.

Page 9: Needs of a Modern Incident Response Program

How can your organization most effectively mitigate future security breaches? (chart data in slide order)
• Better incident response capabilities: 68%
• Threat intelligence or IP reputation services: 62%
• Improved vulnerability audits and assessments: 44%
• Improved patch management process: 36%
• Higher quality professional staffing: 29%

Page 10: Needs of a Modern Incident Response Program

Incident Response Budgets

Percentage of security budget spent on Incident Response (chart data in slide order):
• Less than 10%: 50%
• 10% to 20%: 31%
• 21% to 30%: 11%
• 31% to 40%: 5%
• 41% to 50%: 2%
• More than 50%: 1%

How did this percentage change over the past 24 months?
• Increased: 34%
• Decreased: 18%
• Stayed the same: 45%
• Cannot determine: 3%

Page 11: Needs of a Modern Incident Response Program


Page 12: Needs of a Modern Incident Response Program


Page 13: Needs of a Modern Incident Response Program


Page 14: Needs of a Modern Incident Response Program

What type of tools are most effective in helping to detect breaches? (chart data in slide order)
• NetFlow / Pcap: 80%
• SIEM: 76%
• IDS / IPS: 67%
• Threat Feeds: 65%

Page 15: Needs of a Modern Incident Response Program


Page 16: Needs of a Modern Incident Response Program


Page 17: Needs of a Modern Incident Response Program

Figure labels: Network, Services, Hosts.

Page 18: Needs of a Modern Incident Response Program


Page 19: Needs of a Modern Incident Response Program

NetFlow vs. Packet Capture

Page 20: Needs of a Modern Incident Response Program

• NetFlow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements
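The breadth-versus-depth trade-off on this slide, and the internal pivot and exfiltration stages of the kill chain on page 6, can be made concrete with flow records. The following Python is an added example, not code from the deck or from Lancope: it builds a handful of constructed NetFlow-style records (hypothetical 10.0.0.0/8 inside addresses, documentation-range outside addresses, made-up byte counts), answers two questions flow data answers well (which inside host is sending an unusual volume outward, and which inside hosts a given host has talked to), and estimates how much storage the same traffic would cost as pcap versus as flow records. The 64-byte flow record size is an assumed round figure.

```python
"""Flow-record analytics over constructed NetFlow-style data.

A flow record summarises a whole conversation (addresses, ports, protocol,
packet and byte counts) but carries no payload: that is the breadth/depth
trade-off against full packet capture that the slide describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int


# Hypothetical address plan: one RFC 1918 range is "inside"; everything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flows; addresses and volumes are made up for this example.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.1.20", "10.1.1.5", 51000, 445, "tcp", 40, 12_000),            # SMB to a file server
    Flow("10.1.1.20", "198.51.100.7", 51001, 443, "tcp", 9_500, 9_800_000),  # large TLS upload
    Flow("10.1.1.21", "203.0.113.9", 51002, 80, "tcp", 30, 18_000),          # ordinary web browsing
    Flow("10.1.1.21", "10.1.1.5", 51003, 445, "tcp", 12, 3_000),             # SMB to the same server
    Flow("10.1.1.22", "198.51.100.7", 51004, 443, "tcp", 20, 15_000),        # small TLS session
]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_bytes_by_host(flows: List[Flow]) -> Dict[str, int]:
    """Total bytes each internal host sent to external destinations."""
    totals: Dict[str, int] = {}
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] = totals.get(f.src, 0) + f.octets
    return totals


def flag_large_uploads(flows: List[Flow], threshold_bytes: int = 1_000_000) -> List[str]:
    """Hosts whose outbound volume crosses a threshold: a data-exfiltration lead
    that flow data answers directly, without a single packet payload."""
    totals = outbound_bytes_by_host(flows)
    return sorted(host for host, total in totals.items() if total >= threshold_bytes)


def internal_peers(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Which internal hosts each internal host talked to: the breadth view that
    helps scope an internal pivot once one host is known to be compromised."""
    peers: Dict[str, Set[str]] = {}
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            peers.setdefault(f.src, set()).add(f.dst)
    return peers


def storage_estimate(flows: List[Flow], flow_record_size: int = 64) -> Tuple[int, int]:
    """Bytes needed to retain this traffic as pcap vs as flow records.

    Pcap keeps every byte that crossed the wire (per-packet capture headers
    ignored here); a flow record is a fixed-size summary whatever the
    conversation size. 64 bytes per record is an assumed round figure."""
    pcap_bytes = sum(f.octets for f in flows)
    netflow_bytes = len(flows) * flow_record_size
    return pcap_bytes, netflow_bytes


if __name__ == "__main__":
    print("outbound bytes:", outbound_bytes_by_host(SAMPLE_FLOWS))
    print("large uploads:", flag_large_uploads(SAMPLE_FLOWS))
    print("internal peers:", internal_peers(SAMPLE_FLOWS))
    print("pcap vs netflow bytes:", storage_estimate(SAMPLE_FLOWS))
```

What the flow data cannot tell you is also visible here: nothing in a `Flow` says what the 9.8 MB sent to 198.51.100.7 contained, so confirming that a flagged transfer was exfiltration rather than a backup is where packet capture, or host and service logs, have to take over.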

Page 21: Needs of a Modern Incident Response Program


Page 22: Needs of a Modern Incident Response Program

Service Logs

Page 23: Needs of a Modern Incident Response Program

Services (as targets)

Page 24: Needs of a Modern Incident Response Program

Services (as supplementary information)

Page 25: Needs of a Modern Incident Response Program

Host Logs

Page 26: Needs of a Modern Incident Response Program

From where do you send information to your SIEM? (chart data in slide order)
• Network Security Devices: 61%
• All Client PCs: 52%
• All Application Servers: 48%
• All Identity Management Infrastructure: 36%
• All Network Infrastructure: 31%
• We Don't: 34%

Page 27: Needs of a Modern Incident Response Program

Regardless of the information source...

• Are you just logging information or are you also collecting it?
• Are you saving only 'special' log lines, or everything?
• Do you have a standard retention period in policy?
  – Does the budget control the period, or the period the budget?
• If you have end-user managed hosts, are they subject to the same logging policies?

Page 28: Needs of a Modern Incident Response Program

Backups - the stakes have been raised!

Page 29: Needs of a Modern Incident Response Program


Page 30: Needs of a Modern Incident Response Program

Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks? (chart data in slide order)
• Yes: 43%
• No: 54%
• Unsure: 3%

Page 31: Needs of a Modern Incident Response Program

Roles in a Modern Incident Response Team

• Security Analyst
• Network Forensics Analyst
• Hard Drive Forensic Analyst
• Malware Analyst
• Threat Intelligence Analyst
• Security [Operations] Engineer
• Operations Engineer
• Software Engineer

Page 32: Needs of a Modern Incident Response Program

Staffing

Number of team members in CSIRT (chart data in slide order):
• None: 12%
• One: 16%
• 2 to 5: 44%
• 6 to 10: 23%
• More than 10: 5%

Number of team members fully dedicated to CSIRT (chart data in slide order):
• None: 45%
• One: 28%
• 2 to 5: 14%
• 6 to 10: 11%
• More than 10: 2%

Page 33: Needs of a Modern Incident Response Program

How frequently do you assess the readiness of your Incident Response team? (chart data in slide order)
• On an ongoing basis: 21%
• On a quarterly basis: 14%
• On a semi-annual basis: 6%
• On an annual basis: 12%
• Not on a regular schedule: 29%
• Readiness is not assessed: 18%

Page 34: Needs of a Modern Incident Response Program

Use of Indicators

• Firewall
• Web Gateway
• Mail Gateway
• IPS / IDS
• SIEM
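This slide lists the controls that can consume indicators, and the survey result on page 30 (and the Distill Intel step of the page 7 cycle) is about turning investigation findings into those indicators. The following Python is an added example, not code from the deck or from Lancope: it matches a small constructed indicator set against constructed log lines from a web gateway, a firewall and a mail gateway, the way a SIEM correlation rule would, and groups the hits by the investigation that produced each indicator. The log formats, addresses, the domain, the incident ids and the all-"a" hash are hypothetical placeholders.

```python
"""Match investigation-derived indicators against gateway, firewall and mail logs."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str    # "domain", "ip" or "sha256"
    value: str
    source: str  # the investigation that produced it (hypothetical ids below)


# Constructed indicators; every value here is a placeholder.
INDICATORS: List[Indicator] = [
    Indicator("domain", "update-check.example", "incident-2014-0042"),
    Indicator("ip", "198.51.100.7", "incident-2014-0042"),
    Indicator("sha256", "a" * 64, "incident-2014-0043"),
]

# Constructed log lines in made-up formats; one line per source carries a hit.
SAMPLE_LOGS: Dict[str, List[str]] = {
    "web_gateway": [
        "2014-06-01T10:00:01 10.1.1.20 GET http://update-check.example/ping 200",
        "2014-06-01T10:00:05 10.1.1.21 GET http://www.example.com/index.html 200",
    ],
    "firewall": [
        "2014-06-01T10:01:00 ALLOW 10.1.1.22 -> 198.51.100.7:443",
        "2014-06-01T10:01:02 ALLOW 10.1.1.22 -> 203.0.113.9:80",
    ],
    "mail_gateway": [
        "2014-06-01T10:02:00 from=bob@example.org attachment=invoice.exe sha256=" + "a" * 64,
        "2014-06-01T10:02:30 from=alice@example.org attachment=report.pdf sha256=" + "b" * 64,
    ],
}

HOST_RE = re.compile(r"https?://([^/\s:]+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")


def build_index(indicators: List[Indicator]) -> Dict[str, Dict[str, Indicator]]:
    """Index indicators by kind and normalised value for O(1) lookups."""
    idx: Dict[str, Dict[str, Indicator]] = {"domain": {}, "ip": {}, "sha256": {}}
    for ind in indicators:
        idx[ind.kind][ind.value.lower()] = ind
    return idx


def extract(line: str, source: str) -> Iterator[Tuple[str, str]]:
    """Yield (kind, value) observables from one log line, by source type."""
    if source == "web_gateway":
        for host in HOST_RE.findall(line):
            yield ("domain", host.lower())
    if source in ("firewall", "web_gateway"):
        for ip in IP_RE.findall(line):
            yield ("ip", ip)
    if source == "mail_gateway":
        for digest in SHA_RE.findall(line):
            yield ("sha256", digest.lower())


def match_logs(logs: Dict[str, List[str]], indicators: List[Indicator]) -> List[dict]:
    """Every observable in every log line that equals a known indicator."""
    idx = build_index(indicators)
    hits: List[dict] = []
    for source, lines in logs.items():
        for line in lines:
            for kind, value in extract(line, source):
                ind = idx[kind].get(value)
                if ind is not None:
                    hits.append({"source": source, "kind": kind, "value": value,
                                 "from": ind.source, "line": line})
    return hits


def hits_by_incident(hits: List[dict]) -> Dict[str, int]:
    """How many new sightings each past investigation's indicators produced."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["from"]] = counts.get(h["from"], 0) + 1
    return counts


if __name__ == "__main__":
    found = match_logs(SAMPLE_LOGS, INDICATORS)
    for h in found:
        print(h["source"], h["kind"], h["value"], "<-", h["from"])
    print(hits_by_incident(found))
```

The per-incident count is the feedback signal the page 30 question is asking about: an indicator that keeps producing sightings after the original incident closed is evidence that the investigation is defending the organization, while one that never fires again is a candidate for retirement.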

Page 35: Needs of a Modern Incident Response Program

Are you sharing threat intelligence? (chart data in slide order)
• Information is neither received nor shared: 45%
• Information is received from sharing partners but not shared with them: 26%
• Information is shared with law enforcement or other government agencies: 23%
• Information is shared with various CERTs: 15%
• Information is shared with industry peers: 12%

Page 36: Needs of a Modern Incident Response Program


Page 37: Needs of a Modern Incident Response Program

Do you have a PR and Analyst Relations plan in place in the event of a breach? (chart data in slide order)
• Yes: 23%
• No: 75%
• Unsure: 2%

Page 38: Needs of a Modern Incident Response Program

What functions or departments are involved in the incident response process? (chart data in slide order)
• IT Management: 79%
• Executive Management: 14%
• Board of Directors: 10%
• Risk management: 36%
• Legal: 45%
• Compliance: 47%
• HR: 43%

Page 39: Needs of a Modern Incident Response Program

Frequency of cyber threat briefings to various functions (chart data in slide order)
• IT management: 91%
• Compliance / Audit: 64%
• Legal: 51%
• HR: 50%
• Risk management: 49%
• Broadly within the organization: 24%
• Executive management: 20%
• Board of directors: 12%

Page 40: Needs of a Modern Incident Response Program

Should your CSIRT make decisions or recommendations?

Page 41: Needs of a Modern Incident Response Program

Things to get in writing

• Who can approve what actions?
  – Does the type of incident affect the answer?
  – If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?

Page 42: Needs of a Modern Incident Response Program

Things to get in writing

• What are end-users' responsibilities in the incident response process?
  – Are they required to turn over machines to the CSIRT?
  – In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
  – What happens when a user needs something that the CSIRT has blocked?
  – Who handles exceptions?

Page 43: Needs of a Modern Incident Response Program

Things to get in writing

• Can your CSIRT participate in information and indicator sharing groups?
• Can your CSIRT run malware live on the internet?
  – What are safe handling requirements?
• Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
  – From the corporate LAN? An unattributed network?

Page 44: Needs of a Modern Incident Response Program


Page 45: Needs of a Modern Incident Response Program

Resources

• Ponemon Research Report: 2014 Cyber Security Incident Response: http://www.lancope.com/ponemon-incident-response
• The Forum of Incident Response & Security Teams: www.first.org
• CERT Division of the Software Engineering Institute (SEI): www.cert.org/incident-management/

Page 46: Needs of a Modern Incident Response Program

Q/A  
