Needs of a Modern Incident Response Program
Tom Cross, Director of Security Research, Lancope
Brandon Tansey, Security Researcher, Lancope
© 2014 Lancope, Inc. All rights reserved.
Jan 15, 2015
What advantages do attackers have?
Asymmetry: "The defender has to cover every vulnerability but the attacker only has to find one."
Attackers Can Often Evade Defenses
Perimeter Security
• Much of the practice of computer security has to do with making sure the doors are locked.
  – When we have incidents we spend more money on prevention.
  – We tend to assume that if the bad guys are in, it's game over.
• We're focusing our energy where attackers have the most strength.
What advantages do defenders have?
Home Court Advantage
• Defenders create the network environment that attackers are trying to compromise
• Defenders
  • Know what is on the network
  • Have visibility into the network
• Attackers have to discover the environment through reconnaissance
• Defenders can exploit the attacker's lack of knowledge of the environment in order to detect attackers and waste their time
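As an added example (not from the Lancope deck), the home-court point in code: an asset inventory the defender already holds is checked against NetFlow-style records, so flows to hosts or ports that do not exist stand out as internal reconnaissance. The inventory, flow records and threshold are constructed sample values.

```python
from collections import defaultdict

# Constructed asset inventory (not real): host -> ports that legitimately listen.
INVENTORY = {
    "10.0.1.10": {22, 443},
    "10.0.1.11": {445, 3389},
    "10.0.1.20": {80},
}

# Constructed NetFlow-style records: (src, dst, dst_port, bytes).
FLOWS = [
    ("10.0.1.50", "10.0.1.10", 443, 5120),   # normal HTTPS
    ("10.0.1.50", "10.0.1.11", 445, 20480),  # normal SMB
    ("10.0.1.77", "10.0.1.10", 22, 60),      # probe of a real service
    ("10.0.1.77", "10.0.1.10", 3389, 60),    # probe of a closed port
    ("10.0.1.77", "10.0.1.12", 445, 60),     # probe of a host that does not exist
    ("10.0.1.77", "10.0.1.13", 445, 60),
    ("10.0.1.77", "10.0.1.14", 445, 60),
    ("10.0.1.77", "10.0.1.20", 8080, 60),    # probe of a closed port
]

def classify_flow(dst, port):
    """Compare one flow against the inventory: 'ok', 'closed_port' or 'dark_host'."""
    if dst not in INVENTORY:
        return "dark_host"
    if port not in INVENTORY[dst]:
        return "closed_port"
    return "ok"

def find_recon_sources(flows, threshold=3):
    """Group inventory misses by source address.

    A legitimate host knows where its services are; a source that keeps
    touching things the inventory says are not there is probing. Sources
    with at least `threshold` misses are returned with the misses listed."""
    misses = defaultdict(list)
    for src, dst, port, _size in flows:
        verdict = classify_flow(dst, port)
        if verdict != "ok":
            misses[src].append((dst, port, verdict))
    return {src: m for src, m in misses.items() if len(m) >= threshold}

if __name__ == "__main__":
    for src, hits in find_recon_sources(FLOWS).items():
        print(f"{src}: {len(hits)} flows to targets not in the inventory")
        for dst, port, why in hits:
            print(f"  {dst}:{port} ({why})")
```

The threshold is deliberately low for the sample data; in practice it is tuned against the organisation's own scanners and monitoring systems, which the inventory can list explicitly.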
• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
• Controls should be put in place at each stage of the chain

A Four Dimensional View of Attacker Behavior
[Diagram: kill chain stages - Recon, Exploitation, Initial Infection, Internal Pivot, Data Preparation & Exfiltration, Command and Control]
Toward Continuous Incident Response
Factors driving the change:
• The persistent nature of the threat
• Other organizations aren't necessarily experiencing the same attacks
• The desire to collect threat intelligence that can be used to detect future incidents
• A sophisticated attack on a network involves a series of steps
[Cycle diagram: Detect, Respond, Analyze, Distill Intel]
Sample Response               Freq    Pct
Sampling frame                20,446  100%
Total returns                 793     3.9%
Rejected & screened surveys   119     0.6%
Final sample                  674     3.3%

A scientific sampling frame of 20,446 experienced IT and IT security practitioners located in all regions of the United States and United Kingdom were selected as participants to this survey.
Source: Ponemon Research Report: 2014 Cyber Security Incident Response
How can your organization most effectively mitigate future security breaches?
Better incident response capabilities: 68%
Threat Intelligence or IP reputation services: 62%
Improved vulnerability audits and assessments: 44%
Improved patch management process: 36%
Higher quality professional staffing: 29%
Incident Response Budgets

Percentage of security budget spent on Incident Response
Less than 10%: 50%
10% to 20%: 31%
21% to 30%: 11%
31% to 40%: 5%
41% to 50%: 2%
More than 50%: 1%

How did this percentage change over the past 24 months?
Increased: 34%
Decreased: 18%
Stayed the same: 45%
Cannot determine: 3%
What type of tools are most effective in helping to detect breaches?
NetFlow / Pcap: 80%
SIEM: 76%
IDS / IPS: 67%
Threat Feeds: 65%
[Diagram: information sources - Network, Services, Hosts]
NetFlow vs. Packet Capture
• NetFlow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements
Service Logs
Services (as targets)
Services (as supplementary information)
Host Logs
From where do you send information to your SIEM?
Network Security Devices: 61%
All Client PCs: 52%
All Application Servers: 48%
All Identity Management Infrastructure: 36%
All Network Infrastructure: 31%
We Don't: 34%
Regardless of the information source…
• Are you just logging information or are you also collecting it?
• Are you saving only 'special' log lines, or everything?
• Do you have a standard retention period in policy?
  – Does the budget control the period, or the period the budget?
• If you have end-user managed hosts, are they subject to the same logging policies?
Backups - the stakes have been raised!
Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks?
Yes: 43%
No: 54%
Unsure: 3%
Roles in a Modern Incident Response Team
• Security Analyst
• Network Forensics Analyst
• Hard Drive Forensic Analyst
• Malware Analyst
• Threat Intelligence Analyst
• Security [Operations] Engineer
• Operations Engineer
• Software Engineer
Staffing

Number of team members in CSIRT
None: 12%
One: 16%
2 to 5: 44%
6 to 10: 23%
More than 10: 5%

Number of team members fully dedicated to CSIRT
None: 45%
One: 28%
2 to 5: 14%
6 to 10: 11%
More than 10: 2%
How frequently do you assess the readiness of your Incident Response team?
On an ongoing basis: 21%
On a quarterly basis: 14%
On a semi-annual basis: 6%
On an annual basis: 12%
Not on a regular schedule: 29%
Readiness is not assessed: 18%
Use of Indicators
• Firewall
• Web Gateway
• Mail Gateway
• IPS / IDS
• SIEM
Are you sharing threat intelligence?
Information is neither received nor shared: 45%
Information is received from sharing partners but not shared with them: 26%
Information is shared with law enforcement or other government agencies: 23%
Information is shared with various CERTs: 15%
Information is shared with industry peers: 12%
Do you have a PR and Analyst Relations plan in place in the event of a breach?
Yes: 23%
No: 75%
Unsure: 2%
What functions or departments are involved in the incident response process?
IT Management: 79%
Executive Management: 14%
Board of Directors: 10%
Risk management: 36%
Legal: 45%
Compliance: 47%
HR: 43%
Frequency of cyber threat briefings to various functions
IT management: 91%
Compliance / Audit: 64%
Legal: 51%
HR: 50%
Risk management: 49%
Broadly within the organization: 24%
Executive management: 20%
Board of directors: 12%
Should your CSIRT make decisions or recommendations?
Things to get in writing
• Who can approve what actions?
  – Does the type of incident affect the answer?
  – If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?
Things to get in writing
• What are end-users' responsibilities in the incident response process?
  – Are they required to turn over machines to the CSIRT?
  – In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
  – What happens when a user needs something that the CSIRT has blocked?
  – Who handles exceptions?
Things to get in writing
• Can your CSIRT participate in information and indicator sharing groups?
• Can your CSIRT run malware live on the internet?
  – What are safe handling requirements?
• Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
  – From the corporate LAN? An unattributed network?
Resources
§ Ponemon Research Report: 2014 Cyber Security Incident Response
  http://www.lancope.com/ponemon-incident-response
§ The Forum of Incident Response & Security Teams
  www.first.org
§ CERT Division of the Software Engineering Institute (SEI)
  www.cert.org/incident-management/
Q/A