An Incident Response Playbook: From Monitoring to Operations Dave Shackleford, Voodoo Security and SANS Joe Schreiber, AlienVault © 2014 The SANS™ Institute - www.sans.org

SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Operations

Sep 08, 2014


As cyber attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. Event monitoring and correlation technologies and security operations are often tied to incident handling responsibilities, but the number of attack variations is staggering, and many organizations are struggling to develop incident detection and response processes that work for different situations.
In this webcast, we'll outline the most common types of events and indicators of compromise (IOCs) that naturally feed intelligent correlation rules, and walk through a number of different incident types based on these. We'll also outline the differences in response strategies that make the most sense depending on what types of incidents may be occurring. By building a smarter incident response playbook, you'll be better equipped to detect and respond more effectively in a number of scenarios.
Transcript
Page 1: SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Operations

An Incident Response Playbook: From Monitoring to Operations

Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault

© 2014 The SANS™ Institute - www.sans.org

Page 2

Introduction

• The range and sophistication of today’s attacks are growing rapidly

• More and more organizations are dedicating resources to detection and response tools and processes
  – Less effort and money is spent on purely “preventive” measures

• We’ll explore a number of different types of incidents, as well as indicators and monitoring/response process considerations

Page 3

Use What for What?

• Right Tool -> Right Job
• Right Job -> Right Skills
• Right Skills -> Right Response
• Right Response -> [right] Incident

Page 4

How do I know which response?

Page 5

Make Plans.

• Be prepared for an incident
  – Create several plans based on incident type
  – Have a contact methodology
  – Escalation paths

• So you have a plan?
  – What’s your backup?
  – Be flexible

• Time is against you

• Outside help
  – Pre-arrange services or consultants

Page 6

What if I’m missing something?

• Use the Internet
  – IOCs
  – Threat reputation
  – Malware analyzers
  – Virus scanners

• Community efforts
  – Open source tools
  – Message boards

Page 7

Attack Types and Responses

• Sensitive Data
• Malware
• Insider
• Web Application

Page 8

Sensitive Data Exposure/Exfiltration

• Data loss and exposure is one of the top concerns and incident types facing organizations today

• In the 2014 Verizon DBIR, 1367 data loss incidents were investigated

• Most security teams have been focused on data loss in some way since 2005-6.

Page 9

Indicators of sensitive data exposure

• A number of leading indicators can lead to detection of exposure or exfiltration

• Human-based:
  – Fraud alerts or identity theft
  – Notification from 3rd parties
  – Extortion attempts

• Data indicators:
  – DLP alerts
  – Proxy logs
  – Firewall/IDS/IPS events

Page 10

Operations for Data Exposure Incidents

• Specific operational steps to be considered for IR with data exposure:
  – First, unless directed by law enforcement, stop the leak! (if known how/where)
  – Determine who and what is affected, then coordinate with HR/legal/PR
  – Leverage DLP or other monitoring tools to pattern match data types stored and in transit
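
As an added illustration of that last step (not part of the deck or of any AlienVault product), a minimal DLP-style pattern matcher in Python: it scans a constructed outbound request body for card numbers and SSN-shaped values, applies a Luhn check so digit runs that merely look like card numbers are discarded, and masks every hit so the alert itself does not re-leak the data. The payload, the regexes and the masking format are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of data "in transit": an outbound request body as a
# proxy or DLP sensor might capture it (not from the original deck). It holds
# one Luhn-valid test card number, one 16-digit run that fails Luhn and one
# SSN-shaped value.
SAMPLE_PAYLOAD = (
    "POST /upload HTTP/1.1\r\n"
    "Host: files.example.invalid\r\n\r\n"
    "name=J. Doe&card=4111 1111 1111 1111&alt=1234567812345678"
    "&ssn=078-05-1120&note=order 20140908"
)

# 14-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# NNN-NN-NNNN, excluding area/group/serial values that are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (data type, masked value) per hit so the alert never re-leaks the data."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", "***-**-" + m.group()[-4:]))
    return hits


if __name__ == "__main__":
    for kind, masked in find_sensitive(SAMPLE_PAYLOAD):
        print(kind, masked)
```

The same matcher can be pointed at files at rest; the Luhn step is what keeps order numbers and timestamps out of the alert queue.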

Page 11

Advanced Malware Incidents

• Not all malware incidents are advanced
  – Standard antivirus and host-based tools still catch many variants

• Some malware is much more stealthy and sophisticated, however
  – Malware sandboxes, behavioral monitoring, and forensics techniques and tools may be needed

Page 12

Indicators of Advanced Malware

• Advanced malware may be detected with a number of indicators:
  – Unusual processes or services on hosts
  – Known malicious registry keys and entries
  – File names or attributes
  – Network traffic signatures and patterns (ports, protocols, etc.)
  – Sandbox detonation events

Page 13

Operations for Advanced Malware Incidents

• Response processes for advanced malware incidents should include:
  – Quarantine capabilities (host and network)
  – Volatile forensic data capture
  – Rapid development of IOC “fingerprints” to propagate to additional systems
  – Data leak response steps
  – Reverse engineering

Page 14

Insider Incidents

• Insider incidents can be some of the most challenging to detect and respond to

• Insider threats can lead to other types of incidents (data loss, destruction/availability, etc.)

• Always coordinate with HR and legal teams for insider threat response

• Many insider attacks are not that advanced… just hard to detect

Page 15

Indicators of Insider Incidents

• Insider indicators may be more challenging to detect:
  – Disgruntled behavior
  – Unusual pattern of file/data access
  – Changes in working hours or behavior
  – Disregard for policies and procedures
  – Account logon failures and unusual patterns
  – Traffic from personal/work systems
  – Unusual system command use or attempts at privilege escalation
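
An added example (not from the deck) of turning three of those indicators, logon failures, changes in working hours and logons from more than one host, into a check over authentication events. The CSV-style event lines, the 08:00-18:59 working-hours baseline and the failure threshold are constructed assumptions; in practice the baseline comes from each account's own history.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication events (not from the deck), one per line:
# timestamp,account,source_host,result
SAMPLE_AUTH_LOG = """\
2014-09-08T09:02:11,jsmith,WS-0142,success
2014-09-08T09:05:40,jsmith,WS-0142,success
2014-09-08T23:41:03,jsmith,WS-0142,success
2014-09-08T23:42:17,jsmith,WS-0142,success
2014-09-08T02:15:09,jsmith,WS-0901,failure
2014-09-08T02:15:12,jsmith,WS-0901,failure
2014-09-08T02:15:15,jsmith,WS-0901,failure
2014-09-08T02:15:18,jsmith,WS-0901,failure
2014-09-08T02:15:21,jsmith,WS-0901,failure
2014-09-08T02:15:25,jsmith,WS-0901,failure
2014-09-08T10:30:00,aperez,WS-0222,success
2014-09-08T10:31:10,aperez,WS-0222,failure
2014-09-08T17:45:00,aperez,WS-0222,success
"""

WORK_HOURS = range(8, 19)   # assumed baseline: 08:00-18:59 local time
FAILURE_THRESHOLD = 5       # assumed: this many failures per account is notable


def analyse_logons(log_text):
    """Return {account: [finding, ...]}; accounts with nothing notable are omitted."""
    failures = defaultdict(int)
    off_hours = defaultdict(int)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        ts, account, host, result = line.split(",")
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").hour
        hosts[account].add(host)
        if result == "failure":
            failures[account] += 1
        elif hour not in WORK_HOURS:      # successful logon outside the baseline
            off_hours[account] += 1
    findings = defaultdict(list)
    for account in hosts:
        if failures[account] >= FAILURE_THRESHOLD:
            findings[account].append("logon failure burst (%d)" % failures[account])
        if off_hours[account]:
            findings[account].append("off-hours logons (%d)" % off_hours[account])
        if len(hosts[account]) > 1:
            findings[account].append(
                "multiple source hosts: " + ", ".join(sorted(hosts[account])))
    return dict(findings)
```

None of these findings proves intent; as the next slide says, the first job is root cause analysis with HR and legal involved.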

Page 16

Operations for Insider Incidents

• Response processes for insider incidents should include:
  – Inclusion of law enforcement (maybe) and HR/legal (definitely)
  – Rapid root cause analysis
    • Was it accidental? A system hijack? Or deliberate?
  – Account monitoring
  – Privilege revocation (maybe)
  – Equipment seizure when possible
  – Forensic analysis
  – Risk analysis

Page 17

Web Application Incidents

• Web app attacks are more common than ever

• These attacks can lead to defacement and reputation impact, as well as data exposure

• Application security often lags network and infrastructure controls

• Many open source components, or products like CMS platforms, are notoriously vulnerable

Page 18

Indicators of Web Application Incidents

• Web application attacks and breaches may exhibit the following indicators:
  – Unusual behavior or crashes in applications
  – Web and app server logs of repeated access attempts
  – Web and app server logs of SQL syntax and/or scripting characters
  – IDS/IPS events for known app attacks
  – High local resource utilization on Web and app servers
  – Web app firewall events for behavioral or signature-based attacks
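
An added example (not from the deck): a small Python scanner that applies three of those indicators, SQL syntax, scripting characters and repeated access attempts, to constructed Apache-style access log lines. It URL-decodes the request target before matching, because encoded requests are exactly what a naive grep over raw logs misses. The log lines, regexes and threshold are assumptions, and the patterns are deliberately crude; a maintained WAF or IDS signature set is the production answer.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not from the deck). The
# attack-shaped requests are URL-encoded, as they arrive on the wire.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [08/Sep/2014:10:01:02 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [08/Sep/2014:10:01:05 +0000] "GET /index.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 310
203.0.113.7 - - [08/Sep/2014:10:01:06 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 2048
203.0.113.7 - - [08/Sep/2014:10:01:07 +0000] "GET /admin/login HTTP/1.1" 401 120
203.0.113.7 - - [08/Sep/2014:10:01:08 +0000] "GET /admin/login HTTP/1.1" 401 120
203.0.113.7 - - [08/Sep/2014:10:01:09 +0000] "GET /admin/login HTTP/1.1" 401 120
198.51.100.4 - - [08/Sep/2014:10:02:00 +0000] "GET /products?cat=books HTTP/1.1" 200 7300
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Crude SQL / scripting markers; decode first or encoded requests slip past.
SQL_RE = re.compile(r"['\"]\s*(?:or|and)\s*['\"]?\w*['\"]?\s*=|union\s+select|--\s|;\s*drop\b", re.I)
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)
REPEAT_THRESHOLD = 3  # assumed: same path, same source, non-2xx status


def scan_access_log(log_text):
    """Return {source_ip: [finding, ...]} for the three indicators above."""
    findings = {}
    repeats = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not crash
        src, method, target, status = m.groups()
        decoded = unquote_plus(target)    # match on what the app actually saw
        if SQL_RE.search(decoded):
            findings.setdefault(src, []).append("SQL syntax in request: " + decoded)
        if SCRIPT_RE.search(decoded):
            findings.setdefault(src, []).append("scripting characters in request: " + decoded)
        if not status.startswith("2"):
            repeats[(src, target)] += 1
    for (src, target), n in repeats.items():
        if n >= REPEAT_THRESHOLD:
            findings.setdefault(src, []).append(
                "repeated access attempts: %s x%d" % (target, n))
    return findings
```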

Page 19

Operations for Web Application Incidents

• Response processes for Web App incidents may include:
  – Coordination with server operations/admin teams and possibly development teams
  – Web app firewall or application filtering commands/rules
  – Load balancer and proxy redirection and traffic control
  – Correlation between presentation and persistent tier traffic and account data

Page 20

Conclusion

• There are a lot of ways to detect and respond to incidents today

• Many types of incidents have common tools and processes
  – Most have their own specific differences, however

• Security monitoring and response teams can always enhance their capabilities with new events, correlation, and IOCs from inside and outside their networks

Page 21

AlienVault USM™: A Unified Approach (powered by AV Labs Threat Intelligence)

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response

Page 22

Coordinated Analysis, Actionable Guidance

• 200-350,000 IPs validated daily

• 8,000 collection points

• 140 countries

Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)

Join OTX: www.alienvault.com/open-threat-exchange

Page 23

Questions?

[email protected]

Thank You!


Three Ways to Test Drive AlienVault USM

• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial

• Try our Interactive Demo: http://www.alienvault.com/live-demo-site

• Join us for a LIVE Demo: http://www.alienvault.com/marketing/alienvault-usm-live-demo