© 2015 Lancope, Inc. All rights reserved.
The Seven Deadly Sins of Incident Response
Brandon Tansey, Security Researcher
Javvad Malik, Senior Analyst, Enterprise Security Practice
Jul 17, 2015
The origin of [incident response] sin…
1. Not understanding your environment due to a lack of visibility
Diagram (built up over three slides): host classes in the example environment: Developer PCs, Other PCs, Domain Controllers, DNS Servers, Mail Servers, Code Repositories, FTP Servers, Web Servers, Internet Hosts.
Network
Services
Hosts
Regardless of the type of information…
• Are you just logging information or are you also collecting it?
• Are you saving only ‘special’ log lines, or everything?
• Do you have a standard retention period in policy?
  • Does the budget control the period, or the period the budget?
• If you have end-user managed hosts, are they subject to the same logging policies?
2. Not having the right staff
Number of team members in CSIRT
  None           12%
  One            16%
  2 to 5         44%
  6 to 10        23%
  More than 10    5%
Number of team members fully dedicated to CSIRT
  None           45%
  One            28%
  2 to 5         14%
  6 to 10        11%
  More than 10    2%
Or any staff…
Source: Lancope / Ponemon Institute
Diagram: Collection → Analysis → Action / Realizing Value
Not having the right staff
• Technical skills
• Knowledge transfer
• Appropriate to type of company
What functions or departments are involved in the incident response process?
  IT Management         79%
  Executive Management  14%
  Board of Directors    10%
  Risk management       36%
  Legal                 45%
  Compliance            47%
  HR                    43%
Source: Lancope / Ponemon Institute
3. Lack of budget (a.k.a. not being able to speak the language of the business)
Lack of budget
• Communicating technical issues in technical terms to the business
• Not helping to sell more ‘widgets’
• Ineffective allocation of budget
Source: 451 Research
How much of your security budget goes towards an incident response program?
  Less than 10%   50%
  10% to 20%      31%
  21% to 30%      11%
  31% to 40%       5%
  41% to 50%       2%
  More than 50%    1%
Source: Lancope / Ponemon Institute
Does your organization have meaningful operational metrics to measure the overall effectiveness of incident response activities?
  Yes     46%
  No      50%
  Unsure   4%
Does your organization have meaningful operational metrics to measure the speed at which incidents are being detected and contained?
  Yes     42%
  No      55%
  Unsure   3%
Source: Lancope / Ponemon Institute
Frequency of cyber threat briefings to various functions within the organization (“very frequently” and “frequently” responses combined)
  IT Management            91%
  Compliance / Audit       64%
  Legal                    51%
  HR                       50%
  Risk Management          49%
  Broadly throughout org.  24%
  Executive Management     20%
  Board of Directors       12%
Source: Lancope / Ponemon Institute
4. Becoming a headless chicken when IT hits the fan (a.k.a. not having a plan)
Becoming a headless chicken when IT hits the fan
• Undefined roles and reporting lines
• Knee-jerk reactions and decisions
• Lack of change management
Vince Lombardi, sort of:
“When you get into [an incident investigation], act like you've been there before.”
Things to ask ahead of time
• Who can approve what actions?
  • Does the type of incident affect the answer?
• If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?
(and get in writing)
Things to ask ahead of time
• What are end-users’ responsibilities in the incident response process?
  • Are they required to turn over machines to the CSIRT?
• In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
• What happens when a user needs something that the CSIRT has blocked?
• Who handles exceptions?
(and get in writing)
Things to ask ahead of time
• What are your external (legal, compliance, contractual) obligations?
  • At what point has there been a “breach”?
• Is this the point when other teams (legal, etc) are notified?
• If any, what are your external notification requirements?
(and get in writing)
Things to ask ahead of time
• Can your CSIRT participate in information and indicator sharing groups?
• Can your CSIRT run malware live on the internet?
  • What are safe handling requirements?
• Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
  • From the corporate LAN? An unattributed network?
(and get in writing)
5. Using generic response processes that aren’t specific to your organization
Using generic response processes that aren’t specific to your organization
• ‘Monkeys in a cage’ mentality
• Not tailoring processes to your company
• Lack of risk assessment and measurement
Note: All of the ‘questions’ in the last section were just that, questions.
You need to know (or figure out) what is best for your own organization, and that’s not just a technical decision.
Should your CSIRT make decisions or recommendations?
6. Improper threat modelling (a.k.a. missing the big picture)
Improper threat modelling
• Missing the big picture
• Emotion-based decision making
• Defending against all possible threats all the time
The safest network is one with nothing connected. Go ahead and make that your policy.*
* Don’t do this.
7. Not considering your environment and capabilities when tuning devices
Not considering your environment and capabilities when tuning devices
• Unable to separate the news from the noise
• Setting defaults and forgetting
• Monitoring quality of alerts vs. counting stats
• Shelfware
Things to think about when tuning
Dealing with quantity and sensitivity
• Tuning is an iterative process
• What type of setup are you working to?
  • A bat-signal to summon the part-time CSIRT employee?
  • A set of ‘suspicious’ things for analysts to investigate?
• Using detection tools to supplement your knowledge
  • Context
    • Someone on the Internet port scans hosts in your DMZ? Meh.
    • A host on your LAN begins scanning internal ranges? Hrm…
• Familiarize yourself with the rules/events/alarms you turn on
  • The best rule/event/alarm is one that you wrote yourself
  • Know how it works, when it doesn’t, what it means, and what to do…
  • Learn which events are your ‘money’ events, figure out why the others aren’t in that bucket
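The context point above (an Internet host scanning the DMZ is noise, a LAN host sweeping internal ranges is a ‘money’ event) written as detection logic over flow records. This is an added example, not from the deck; the zone ranges, the scan threshold and the flow records are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address plan for the example environment (not from the deck).
DMZ = ip_network("192.0.2.0/24")            # TEST-NET-1 stands in for the DMZ
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
SCAN_THRESHOLD = 5  # distinct (dst host, dst port) pairs before we call it a scan

# Constructed flow records: (src, dst, dst_port). One external host probing
# the DMZ, one LAN host sweeping SMB across an internal range, one normal flow.
FLOWS = [
    *[("198.51.100.7", "192.0.2.10", p) for p in (21, 22, 25, 80, 443, 8080)],
    *[("10.1.1.50", f"10.1.2.{h}", 445) for h in range(1, 9)],
    ("10.1.1.51", "10.1.3.20", 443),
]

def zone(ip):
    """Classify an address as dmz, internal or internet from the address plan."""
    a = ip_address(ip)
    if a in DMZ:
        return "dmz"
    if any(a in n for n in INTERNAL_NETS):
        return "internal"
    return "internet"

def detect_scans(flows, threshold=SCAN_THRESHOLD):
    """Flag sources touching >= threshold distinct (dst, port) pairs.
    The raw count decides whether it is a scan; the zones of source and
    targets decide how loudly the analyst should be summoned."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[src].add((dst, port))
    alerts = []
    for src, tgts in targets.items():
        if len(tgts) < threshold:
            continue
        src_zone = zone(src)
        dst_zones = {zone(d) for d, _ in tgts}
        if src_zone == "internet" and dst_zones <= {"dmz"}:
            severity = "low"       # "Meh." -- expected background noise
        elif src_zone == "internal" and "internal" in dst_zones:
            severity = "high"      # "Hrm..." -- lateral movement candidate
        else:
            severity = "medium"
        alerts.append({"src": src, "src_zone": src_zone,
                       "targets": len(tgts), "severity": severity})
    return sorted(alerts, key=lambda a: a["src"])
```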
Recap!
• 1. Not understanding your environment due to a lack of visibility
• 2. Not having the right staff
• 3. Lack of budget
• 4. Becoming a headless chicken when IT hits the fan
• 5. Using generic response processes that aren’t specific to your organization
• 6. Improper threat modelling
• 7. Not considering your environment and capabilities when tuning devices
8. Not taking advantage of the fruits of an incident investigation
What type of tools are most effective in helping to detect breaches?
  NetFlow / Pcap  80%
  SIEM            76%
  IDS / IPS       67%
  Threat Feeds    65%
Source: Lancope / Ponemon Institute
Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks?
  Yes     43%
  No      54%
  Unsure   3%
Source: Lancope / Ponemon Institute
Recap!
• 1. Not understanding your environment due to a lack of visibility
• 2. Not having the right staff
• 3. Lack of budget
• 4. Becoming a headless chicken when IT hits the fan
• 5. Using generic response processes that aren’t specific to your organization
• 6. Improper threat modelling
• 7. Not considering your environment and capabilities when tuning devices
• 8. Not taking advantage of the fruits of an incident investigation
Thank you!
@Lancope
https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedblitz.com/netflowninjas