NIST Standards. October 14, 2016 Steve Konecny

Transcription

1 NIST Standards October 14, 2016 Steve Konecny

2 Overview Function Category Subcategory RS.AN 1: Notifications from detection systems are investigated RESPOND (RS) Analysis (RS.AN) Analysis is conducted to ensure adequate response and support recovery activities. Mitigation (RS.MI) Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. Improvements (RS.IM) Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. RS.AN 2: The impact of the incident is understood RS.AN 3: Forensics are performed RS.AN 4: Incidents are categorized consistent with response plans RS.MI 1: Incidents are contained RS.MI 2: Incidents are mitigated RS.MI 3: Newly identified vulnerabilities are mitigated or documented as accepted risks RS.IM 1: Response plans incorporate lessons learned RS.IM 2: Response strategies are updated 2

3 What is an Incident? Understand Incidents Perpetrators Incident commitments Detection methods to develop better controls. 3

4 Security Incident A violation of an explicit or implied security policy according to NIST Special Publication

5 AN 4: Incidents are categorized consistent with Response Plans Insider Malware Breach Interruption Employee misuse, malicious intent Unintentional acts e.g. server misconfig. Phishing Ransomware Mandatory notification req. by state & federal laws Safe harbor Distributed Denial of Service (DDoS) 5

6 AN 4: Incidents are categorized consistent with Response Plans Not all incidents involve hackers 6

7 Our Goal Quickly Identify.. Potentially Affected Nodes.. Suspicious Activity Affected Data Respond to Incident.. 7

8 AN 1: Notifications from detection systems are investigated AU 6 Audit Review, Analysis, & Reporting Reviews and analyzes information system audit records at frequency looking for suspicious activity and reports to. CA 7 Continuous Monitoring Develops a continuous monitoring strategy and implements a continuous monitoring program that includes: metrics, frequency, reporting. IR 4 Incident Handling Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery IR 5 Incident Monitoring The organization tracks and documents information system security incidents. PE 6 Monitoring Physical Access Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; SI 4 Information System Monitoring Monitors the information system to detect attacks, indicators of, unauthorized use, protects information from modification, deletion and unauthorized access 8

9 9

10 10

11 Available Detection Methods Log Files Law Enforcement IDS Anti Virus Third Party End point Monitoring End point monitoring 3 rd Party Log files/siems Other Anti Virus 11

12 Detection of Breaches Breach discovery methods over time (n=6,133) Law Enforcement Fraud Detection Third Party Internal 2016 Data Breach Investigations Report. Verizon. 12

13 Detection of Breaches External Internal 2013 Data Breach Investigations Report. Verizon. 13

14 AN 2: The impact of the incident is understood CP 2 Contingency Plan Develops a contingency plan for the information system that; IR 4 Incident Handling Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery 14

15 Business Costs of an Incident Detection, Escalation, & Notification $1.32 M Total Average Cost $7.01 M Post Breach Costs $1.72 M Customer turnover Increase customer acquisition cost Reputation Goodwill Lost Business $3.97 M Remediation activities Special investigations Help desk activities Identity protection Product discounts Legal fees The Top 5 CyberCrimes. AICPE. October

16 What to do if Breached 1. Stop the bleeding Identify points of entry Collect data across enterprise Close door 2. Investigate Length of breach Identify compromised info 3. Notify 16

17 Determining the Impact of Incident Which computers were accessed? Which files or programs were accessed? What activities were performed? 17

18 Where to start? 18

19 Documenting Initial Facts What predication led to the incident? How the incident was discovered? Who reported the incident? What systems are effected? Is the activity still ongoing? There is policy, then there is reality. 19

20 AN 3: Forensics are performed AU 7 Audit Reduction And Report Generation Supports on demand audit review, analysis, and reporting requirements and after the fact investigations of security incidents; and Does not alter the original content or time ordering of audit records. IR 4 Incident Handling Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery 20

21 Where do we Start?? Network Tap Collect Logs Netflow Live Analysis Image Memory Live Image Dead Image 21

22 Order of Information Volatility Transit CPU cache & registers ARP cache, routing tables Network traffic Memory System memory Swap & page files Temp files Media Fixed disk Removable media Archives & backups 22

23 Forensic Collection Event Log Files Anti Virus Running Processes Memory Analysis Persistance Recently Executed Timeline Analysis Memory Image Computer Image 23

24 Live Response Collections Local Remote Hybrid Google s GRR Fireeye s Redline FastIR BriMoor s Alisaurous 24

25 Suspicious Activity Strange Processes or Services Running Log Activity Persistence Mechanism Unusual Network Activity System Artifacts

26 Log File Analysis 26

27 Identify Rogue Processes??? svchost.exe k bthsvcs

28 Rogue Processes Unsigned Processes Misspelled Wrong Arguments Running in Wrong Location Packed Processes

29 Examine Further Processes Signatures Modules Memory Virus Check Process Hacker Process Explorer us/sysinternals

30 Check Persistence Autoruns Scheduled Tasks Triggers Events Autoruns us/sysinternals

31 You Run Compare

32 The Reality MASSIVE RESOURCE SAVER

33 When & Where Rebuilding the Timeline messages Created time, sent time, date received Message header has time every server was touched Printed time, last accessed time Log files System log in, out, attempts, alerts Journal: Office documents, tasks, s CD/DVD Burns Internet: accessed, modified, checked, expiration Recycle Bin File systems File creation, modification, last access Fragments in unallocated space Temp files Files File creation (original date), last printed, modification, Autosave, temp files Fragments in unallocated space System memory Processes started Executables and startup files All the above 33

34 When & Where messages Log files File systems Files System memory 1.5 MILLION date time records 1 COMPUTER 34

35 TimeLine Tools Fireeye s Redline Plaso LastActivityView Fireeye s Redline Plaso forensics.sans.org/community/downloads 35

36 Executed Programs 36

37 Identifying Sensitive Information Account Theft: Cancelations Credit Monitoring PII Information: Notification required + Cost of remediation 37

38 Searching for PII Visa (16) Mastercard (16) Amex (15) Diners/Carte Blanche (14) Discover (16) 6011 Enroute (15) JCB (16)

39 Searching for PII ACCT: ACCOUNT#: ACCOUNT: PATIENT ID PATIENT W/2 NUMBER RECORD W/2 NUMBER INSURANCE ID POLICY ID MEMBER ID ### ## #### DL########

40 Pre Incident Tips Staff and employee training and awareness education for most likely incidents Test your incident response plans and train your incident responders Frequent tabletop exercises Good communication plan 40

41 Incident Response Plan Where to start? NIST Rev2 Computer Security Incident Handling Guide NIST SP Guide to Malware Incident Prevention & Handling Include: Detailed response procedures Compromise indicators 41

42 Baselines Baseline your systems Set schedule Network baseline Server and endpoint baseline Data flow mapping 42

43 Baseline Systems Running Processes us/sysinternals Scheduled Tasks System Startup User Accounts us/sysinternals Memory download/digital forensics/ftk imager lite version Registry Drivers 43

44 What NOT To Do Do not: Look through computer content Use untrained internal IT staff Destroy evidence! Do: Secure computer or device If it is off, leave it off If it is on, seek expert advice One misstep could destroy valuable evidence. 44

45 Comments & Questions Steven Konecny CFE, CIRA, CEH, CRISC (916) (213)