
Robert Beggs – Incident Response Teams – AtlSecCon 2011

Feb 07, 2017

Transcript
Page 1: Robert Beggs – Incident Response Teams – AtlSecCon 2011

Incident Response Teams: Why Your Organization Needs One – Now!

© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.

Page 2

Take-Aways

• Nature of attacks has changed
• Law enforcement, judiciary not prepared
• Failure of traditional incident response
• Agile incident management
• Computer Security and Incident Response Teams, CSIRTs – moving to SMEs

"Fools you are . . . who say you like to learn from your mistakes ... I prefer to learn from the mistakes of others, and avoid the cost of my own." O. v. Bismarck

Page 3

The Threat Has Changed

• Attackers financially motivated – skills are rewarded; "business competitors" are hacking
• "Trickle down effect" – powerful, easy to use tools are widely available
• Opportunistic, automated attacks
• Targeted (social engineering; HBGary, Government)
• Persistent agents

Page 4

Law Enforcement …

• 61,000 police officers in Canada
• 245 specialize in cybercrime (0.4%)
• Overall, lack budget and training
• Still developing legal infrastructure to support criminal investigations (lawful intercept legislation)
• In short, an effective response is generally up to the victim
• Are you ready? …

Page 5

Data Security Incidents

Non-compliance with the corporate security policy or procedures, or any event that negatively impacts the confidentiality, integrity and availability of your corporate data.

Page 6

"Traditional" Incident Response

• Event-triggered: you have lost the initiative
• Competing priorities – technical (investigation) versus business (recovery)
• Mistakes are frequent

Page 7

The Failure of Traditional IR - 1

Corporate
• Tactical, short-term perspective
• Competing priorities – business versus technology
• Poorly defined roles and responsibilities
• Failure to support technical personnel
• Corporate secrecy (external entities)
• Failure to learn from previous incidents; no formal method to create a corporate memory (internal)

Page 8

The Failure of Traditional IR - 2

Technical
• Technical staff lack contacts, communications skills for dealing with management, externals
• Failure to provide comprehensive response (legal, HR, etc.)
• Focus on the technology; can lose sight of the business
• Difficult to deal with privileged users (system administrators, database admins)
• Difficult to deal with internal attackers

Page 9

The Failure of Traditional IR - 3

Technical
• Unable to keep up with methodology and tools of attackers (encryption, anti-forensics, live response)
• Lack of "appropriate" training (scenario-based technical training, current attacks, soft skills)
• Lack tools for effective incident response
• Not all problems have a technical solution!


Page 11

Agile Incident Management

Incident management is the totality of proactive and reactive measures undertaken to help prevent and manage data security incidents across an organization.

Page 12

Agile Incident Management

Proactive
• Strategic Plan
• Risk Assessment
• Policy and SOPs
• Roles, Responsibilities
• Activity Monitoring
• Pro-Active Data Forensics
• End-User Education
• Integrate with 3rd Parties

Reactive – Fast, Focused, Flexible
• Preservation
• Live System Forensics
• Static Forensics
• Network Forensics
• Training, "Memory"

CSIRT

Page 13

Computer Security and Incident Response Teams, CSIRTs

• Types:
– National-level
– Specific verticals (critical infrastructure)
– Universities
– Vendors
– Businesses
• Multi-dimensional team focused on responding to all possible security incidents (IT, security, HR, PR, physical security, business owners, legal …)

Page 14

Computer Security and Incident Response Teams, CSIRTs

• Formal teams
– 5 – 10 members
– 24x7 availability
– Well trained
– High-stress roles, burn-out is common
• Require committed support of large organizations to gain benefits

Page 15

Moving the CSIRT "Down the Chain"

• Bring CSIRT to SMEs
• Change perspective:
– "First responders" are the end users
– CSIRT responds to incidents ("triage")
– Collect and preserve evidence
– Manage internal, external relationships
– Maintain corporate memory

Page 16

Agile CSIRTs – Reliance on 3rd Parties

• 3rd parties ("partner sourcing")
• Technology audits, assessments, evaluation, certification
• Alerts, warnings
• Repository of documentation, tools, techniques
• Post-event analysis – the "post mortem"
• Education and training
• Metrics and benchmarking
• External validation of team and processes

Page 17

Agile CSIRTs – Key Success Factors

• What are your core CSIRT functions?
• Defined and documented roles, responsibilities
• Business and technical functions represented
• Access to tools
– Open source, proprietary
• Access to information
– Similar organizations
– Security warnings, briefings, CSIRTs
– Law enforcement

Page 18

Agile CSIRTs – Key Success Factors

• Training
– Seminar, boot-camp
– Scenario-based
• Risk assessment based – what do you need?
– Ethical hacking
– Incident response techniques
– Malware analysis
– Data forensics (live systems, static forensics)
– Criminal and intellectual property law

Page 19

References

• CERT (www.cert.org)
• DigitalDefence (www.digitaldefence.ca)
– Free access to Canadian CSIRT community!
– Online repository of whitepapers, documents, tools
– Contact [email protected]

Page 20

Contact Me