Incident Response Teams – Why Your Organization Needs One – Now!
© 2010 Digital Defence. All rights reserved. This document is for informational purposes only. Digital Defence makes no warranties, express or implied, in this document.
Take-Aways
• Nature of attacks has changed
• Law enforcement, judiciary not prepared
• Failure of traditional incident response
• Agile incident management
• Computer Security and Incident Response Teams, CSIRTs – moving to SMEs
“Fools you are . . . who say you like to learn from your mistakes ... I prefer to learn from the mistakes of others, and avoid the cost of my own.” – O. v. Bismarck
The Threat Has Changed
• Attackers financially motivated – skills are rewarded; “business competitors” are hacking
• “Trickle down effect” – powerful, easy to use tools are widely available
• Opportunistic, automated attacks
• Targeted (social engineering; HBGary, Government)
• Persistent agents
Law Enforcement …
• 61,000 police officers in Canada
• 245 specialize in cybercrime (0.4%)
• Overall, lack budget and training
• Still developing legal infrastructure to support criminal investigations (lawful intercept legislation)
• In short, an effective response is generally up to the victim
• Are you ready? …
Data Security Incidents
Non-compliance with the corporate security policy or procedures, or any event that negatively impacts the confidentiality, integrity and availability of your corporate data.
“Traditional” Incident Response
• Event-triggered: you have lost the initiative
• Competing priorities – technical (investigation) versus business (recovery)
• Mistakes are frequent
The Failure of Traditional IR - 1
Corporate
• Tactical, short-term perspective
• Competing priorities – business versus technology
• Poorly defined roles and responsibilities
• Failure to support technical personnel
• Corporate secrecy (external entities)
• Failure to learn from previous incidents; no formal method to create a corporate memory (internal)
The Failure of Traditional IR - 2
Technical
• Technical staff lack contacts, communications skills for dealing with management, externals
• Failure to provide comprehensive response (legal, HR, etc.)
• Focus on the technology; can lose sight of the business
• Difficult to deal with privileged users (system administrators, database admins)
• Difficult to deal with internal attackers
The Failure of Traditional IR - 3
Technical
• Unable to keep up with methodology and tools of attackers (encryption, anti-forensics, live response)
• Lack of “appropriate” training (scenario-based technical training, current attacks, soft skills)
• Lack tools for effective incident response
• Not all problems have a technical solution!
Agile Incident Management
Incident management is the totality of proactive and reactive measures undertaken to help prevent and manage data security incidents across an organization.
Agile Incident Management
Proactive
• Strategic Plan
• Risk Assessment
• Policy and SOPs
• Roles, Responsibilities
• Activity Monitoring
• Pro-Active Data Forensics
• End-User Education
• Integrate with 3rd Parties
Reactive
• Fast, Focused, Flexible
• Preservation
• Live System Forensics
• Static Forensics
• Network Forensics
• Training, “Memory”
CSIRT
Computer Security and Incident Response Teams, CSIRTs
• Types:
– National-level
– Specific verticals (critical infrastructure)
– Universities
– Vendors
– Businesses
• Multi-dimensional team focused on responding to all possible security incidents (IT, security, HR, PR, physical security, business owners, legal …)

Computer Security and Incident Response Teams, CSIRTs
• Formal teams
– 5 – 10 members
– 24x7 availability
– Well trained
– High-stress roles, burn-out is common
• Require committed support of large organizations to gain benefits
Moving the CSIRT “Down the Chain”
• Bring CSIRT to SMEs
• Change perspective:
– “First responders” are the end users
– CSIRT responds to incidents (“triage”)
– Collect and preserve evidence
– Manage internal, external relationships
– Maintain corporate memory
Agile CSIRTs – Reliance on 3rd Parties
• 3rd parties (“partner sourcing”)
• Technology audits, assessments, evaluation, certification
• Alerts, warnings
• Repository of documentation, tools, techniques
• Post-event analysis – the “post mortem”
• Education and training
• Metrics and benchmarking
• External validation of team and processes
Agile CSIRTs – Key Success Factors
• What are your core CSIRT functions?
• Defined and documented roles, responsibilities
• Business and technical functions represented
• Access to tools
– Open source, proprietary
• Access to information
– Similar organizations
– Security warnings, briefings, CSIRTs
– Law enforcement
Agile CSIRTs – Key Success Factors
• Training
– Seminar, boot-camp
– Scenario-based
• Risk assessment based – what do you need?
– Ethical hacking
– Incident response techniques
– Malware analysis
– Data forensics (live systems, static forensics)
– Criminal and intellectual property law