An Incident Response Playbook: From Monitoring to Operations
Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault
Sep 08, 2014
© 2014 The SANS™ Institute - www.sans.org
Introduction
• The range and sophistication of today’s attacks are growing rapidly
• More and more organizations are dedicating resources to detection and response tools and processes
  – Less effort and money is spent on purely “preventive” measures
• We’ll explore a number of different types of incidents, as well as indicators and monitoring/response process considerations
Use What for What?
• Right Tool -> Right Job
• Right Job -> Right Skills
• Right Skills -> Right Response
• Right Response -> [right] Incident
How do I know which response?
Make Plans.
• Be prepared for an incident
  – Create several plans based on incident type
  – Have a contact methodology
  – Escalation paths
• So you have a plan?
  – What’s your backup?
  – Be flexible
• Time is against you
• Outside help
  – Pre-arrange services or consultants
What if I’m missing something?
• Use the Internet
  – IOCs
  – Threat reputation
  – Malware analyzers
  – Virus scanners
• Community efforts
  – Open source tools
  – Message boards
Attack Types and Responses
• Sensitive Data
• Malware
• Insider
• Web Application
Sensitive Data Exposure/Exfiltration
• Data loss and exposure is one of the top concerns and incident types facing organizations today
• In the 2014 Verizon DBIR, 1367 data loss incidents were investigated
• Most security teams have been focused on data loss in some way since 2005-6.
Indicators of sensitive data exposure
• A number of leading indicators can lead to detection of exposure or exfiltration
• Human-based:
  – Fraud alerts or identity theft
  – Notification from 3rd parties
  – Extortion attempts
• Data indicators:
  – DLP alerts
  – Proxy logs
  – Firewall/IDS/IPS events
Operations for Data Exposure Incidents
• Specific operational steps to be considered for IR with data exposure:
  – First, unless directed otherwise by law enforcement, stop the leak! (if it is known how and where)
  – Determine who and what is affected, then coordinate with HR/legal/PR
  – Leverage DLP or other monitoring tools to pattern match data types stored and in transit
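A minimal pattern matcher for one such data type, payment card numbers, of the kind a DLP tool applies to stored and in-transit data; this is an added example, not code from the slides, and the regex, the Luhn filter and the sample text are assumptions:

```python
# Added example (not from the slides): a minimal pattern matcher for one sensitive
# data type, payment card numbers, of the kind a DLP tool applies to stored and
# in-transit data. The regex, the Luhn filter and the sample text are assumptions.
import re

# Candidate: 13-19 digits, optionally separated by spaces or hyphens, not inside a longer run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn checksum; rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return masked matches (first 6 and last 4 digits kept) that pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

# Constructed sample: one valid test card number, one with a bad check digit, one order id.
SAMPLE_TEXT = """\
Customer paid with card 4111 1111 1111 1111, exp 09/16.
Typo in second record: 4111-1111-1111-1112.
Order reference 1234567890123456 is not a card number.
"""
```

The Luhn check is what keeps order numbers and mistyped values out of the alert stream, so the operations team chases real exposure rather than every 16-digit string.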
Advanced Malware Incidents
• Not all malware incidents are advanced
  – Standard antivirus and host-based tools still catch many variants
• Some malware is much more stealthy and sophisticated, however
  – Malware sandboxes, behavioral monitoring, and forensics techniques and tools may be needed
Indicators of Advanced Malware
• Advanced malware may be detected with a number of indicators:
  – Unusual processes or services on hosts
  – Known malicious registry keys and entries
  – File names or attributes
  – Network traffic signatures and patterns (ports, protocols, etc.)
  – Sandbox detonation events
Operations for Advanced Malware Incidents
• Response processes for advanced malware incidents should include:
  – Quarantine capabilities (host and network)
  – Volatile forensic data capture
  – Rapid development of IOC “fingerprints” to propagate to additional systems
  – Data leak response steps
  – Reverse engineering
Insider Incidents
• Insider incidents can be some of the most challenging to detect and respond to
• Insider threats can lead to other types of incidents (data loss, destruction/availability, etc.)
• Always coordinate with HR and legal teams for insider threat response
• Many insider attacks are not that advanced… just hard to detect
Indicators of Insider Incidents
• Insider indicators may be more challenging to detect:
  – Disgruntled behavior
  – Unusual pattern of file/data access
  – Changes in working hours or behavior
  – Disregard for policies and procedures
  – Account logon failures and unusual patterns
  – Traffic from personal/work systems
  – Unusual system command use or attempts at privilege escalation
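Two of these indicators, logon failure bursts and logons outside normal working hours, can be pulled out of authentication logs mechanically. The following is an added example, not code from the slides; the log format, the working-hours window and the thresholds are assumptions.

```python
# Added example (not from the slides): flag two of the insider indicators listed
# above, repeated logon failures and logons outside normal working hours, over a
# constructed authentication log. Log format, thresholds and hours are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per line: "timestamp user result source"
SAMPLE_AUTH_LOG = """\
2014-09-08T09:02:11 jsmith SUCCESS ws-114
2014-09-08T12:40:05 jsmith SUCCESS ws-114
2014-09-08T23:14:30 jsmith SUCCESS ws-114
2014-09-08T23:15:02 jsmith FAILURE ws-114
2014-09-08T23:15:09 jsmith FAILURE ws-114
2014-09-08T23:15:15 jsmith FAILURE ws-114
2014-09-08T23:15:20 jsmith FAILURE ws-114
2014-09-08T23:15:27 jsmith FAILURE ws-114
2014-09-08T10:00:00 alee SUCCESS ws-207
2014-09-09T02:30:00 alee SUCCESS vpn-gw
"""

WORK_START, WORK_END = 7, 19      # assumed normal working hours: 07:00 to 19:00
FAIL_THRESHOLD = 5                # failures inside FAIL_WINDOW that raise an indicator
FAIL_WINDOW = timedelta(minutes=5)

def parse(log_text):
    """Parse the constructed format into (timestamp, user, result, source), oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, user, result, src = line.split()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return sorted(events)

def find_indicators(log_text):
    """Return {user: [indicator descriptions]} for accounts showing either pattern."""
    findings = defaultdict(list)
    recent_failures = defaultdict(list)   # user -> timestamps of failures in the window
    for ts, user, result, src in parse(log_text):
        if result == "FAILURE":
            window = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:   # report once, when the burst hits the threshold
                findings[user].append(
                    f"{FAIL_THRESHOLD} logon failures within {FAIL_WINDOW} ending {ts}")
        elif not WORK_START <= ts.hour < WORK_END:
            # successful logon outside working hours: "changes in working hours" indicator
            findings[user].append(f"off-hours logon from {src} at {ts}")
    return dict(findings)
```

Either hit on its own is weak evidence; the playbook value is in handing both to the HR/legal coordination step together with the account's normal baseline.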
Operations for Insider Incidents
• Response processes for insider incidents should include:
  – Inclusion of law enforcement (maybe) and HR/legal (definitely)
  – Rapid root cause analysis
    • Was it accidental? A system hijack? Or deliberate?
  – Account monitoring
  – Privilege revocation (maybe)
  – Equipment seizure when possible
  – Forensic analysis
  – Risk analysis
Web Application Incidents
• Web app attacks are more common than ever
• These attacks can lead to defacement and reputation impact, as well as data exposure
• Application security often lags network and infrastructure controls
• Many open source components, or products like CMS platforms, are notoriously vulnerable
Indicators of Web Application Incidents
• Web application attacks and breaches may exhibit the following indicators:
  – Unusual behavior or crashes in applications
  – Web and app server logs of repeated access attempts
  – Web and app server logs of SQL syntax and/or scripting characters
  – IDS/IPS events for known app attacks
  – High local resource utilization on Web and app servers
  – Web app firewall events for behavioral or signature-based attacks
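The two log-based indicators above (repeated access attempts, and SQL syntax or scripting characters in requests) can be checked directly against web server access logs. This is an added example, not code from the slides; the signature patterns, the threshold and the sample lines are assumptions.

```python
# Added example (not from the slides): scan a constructed Apache-style access log
# for two of the web application indicators listed above, SQL syntax or scripting
# characters in requests and repeated attempts from one source. Patterns and
# thresholds are assumptions for illustration, not a complete attack signature set.
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (combined log format). Lines 3 and 4 carry an encoded
# SQL fragment and an HTML script tag; the last five are a burst of 401s on /login.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [08/Sep/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [08/Sep/2014:10:01:09 +0000] "GET /products?id=7 HTTP/1.1" 200 2048
198.51.100.9 - - [08/Sep/2014:10:02:30 +0000] "GET /products?id=7%27%20UNION%20SELECT%201,2--%20 HTTP/1.1" 500 310
198.51.100.9 - - [08/Sep/2014:10:02:41 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
192.0.2.77 - - [08/Sep/2014:10:05:00 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.77 - - [08/Sep/2014:10:05:01 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.77 - - [08/Sep/2014:10:05:02 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.77 - - [08/Sep/2014:10:05:03 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.77 - - [08/Sep/2014:10:05:04 +0000] "POST /login HTTP/1.1" 401 120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')
# Assumed signatures: SQL keywords and comment markers; script tags and event handlers.
SQL_RE = re.compile(r"(\bunion\b.*\bselect\b|\bor\b\s+\d+=\d+|--\s|/\*|\bsleep\(|'\s*(or|and)\b)", re.I)
SCRIPT_RE = re.compile(r"(<script|javascript:|onerror\s*=|onload\s*=)", re.I)
REPEAT_THRESHOLD = 5   # 4xx responses for the same source and path that raise an indicator

def scan_access_log(log_text):
    """Return [(source_ip, indicator description)] in the order the indicators fire."""
    findings = []
    attempts = Counter()                     # (source, path) -> count of 4xx responses
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip lines that do not parse
        src, _ts, method, path, status = m.groups()
        decoded = unquote(path)              # decode %27, %3C etc. before matching
        if SQL_RE.search(decoded):
            findings.append((src, f"SQL syntax in request: {method} {decoded}"))
        if SCRIPT_RE.search(decoded):
            findings.append((src, f"scripting characters in request: {method} {decoded}"))
        if status.startswith("4"):
            attempts[(src, path)] += 1
            if attempts[(src, path)] == REPEAT_THRESHOLD:   # report once per burst
                findings.append((src, f"{REPEAT_THRESHOLD} repeated failed attempts on {path}"))
    return findings
```

Decoding the URL before matching matters: the encoded forms in lines 3 and 4 would pass a naive string search, and POST bodies are not in the access log at all, so this covers query strings only.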
Operations for Web Application Incidents
• Response processes for Web App incidents may include:
  – Coordination with server operations/admin teams and possibly development teams
  – Web app firewall or application filtering commands/rules
  – Load balancer and proxy redirection and traffic control
  – Correlation between presentation and persistent tier traffic and account data
Conclusion
• There are a lot of ways to detect and respond to incidents today
• Many types of incidents have common tools and processes
  – Most have their own specific differences, however
• Security monitoring and response teams can always enhance their capabilities with new events, correlation, and IOCs from inside and outside their networks
AlienVault USM™: A Unified Approach (powered by AV Labs Threat Intelligence)
• Asset Discovery: active network scanning, passive network scanning, asset inventory, host-based software inventory
• Vulnerability Assessment: continuous vulnerability monitoring, authenticated/unauthenticated active scanning
• Behavioral Monitoring: log collection, NetFlow analysis, service availability monitoring
• Threat Detection: network IDS, host IDS, wireless IDS, file integrity monitoring
• Security Intelligence: SIEM event correlation, incident response
Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
• Coordinated analysis, actionable guidance
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries
Join OTX: www.alienvault.com/open-threat-exchange
Questions?
Thank You!
Three Ways to Test Drive AlienVault USM
• Download a free 30-day trial: http://www.alienvault.com/free-trial
• Try our interactive demo: http://www.alienvault.com/live-demo-site
• Join us for a LIVE demo: http://www.alienvault.com/marketing/alienvault-usm-live-demo