Assessing Your Incident Response Capabilities Do You Have What it Takes?

Transcription

1 Assessing Your Incident Response Capabilities Do You Have What it Takes? March 31, 2017

2 Presenters Tim L. Bryan, CPA/CFF/CITP, CISA, EnCE Director, Advisory Services Forensic Technology & Investigation Services Leader Kiel Murray, CISSP Manager, Technology Risk

3 Agenda 2016 Incident Response Recap Investigative Process Review Capabilities Detection and Analysis Containment and Eradication Recovery Supportive Impact on Fraud

4 2016 Incident Response Recap Crowe Experience Spear Phishing & Macro Enabled Attachments Watering Hole Attack Ransomware Attacks CEO Impersonation Wire-transfer Attack Trends in IR Capabilities Looking Forward

5 IR Process Review Preparation Preparation What are our cyber risks? Detection and Analysis Containment, Eradiation, and Recovery Do our employees know their roles during an incident? How will we identify a problem? How will we respond? Do we have the right tools digital or contractual Do we understand what normal looks like? Post Incident Activity

6 Capabilities Why capabilities? Presented along side NIST Incident Handling Guide Other frameworks include SANS Preparation, Identification, Containment, Eradication and Recovery

7 Detection and Analysis 7

8 Detection and Analysis Capabilities People Threat Intelligence Attacker tools, techniques and reporting from other organizations Bad IP addresses and domains Network and Endpoints Must have sensors on each Logs Consolidated logging Log retention Honeypots Internet

9 Detective Capabilities Host Programs being started/running Services installed Scheduled tasks Boot up programs Antivirus / File Integrity Monitoring Powershell Authentication - success and failure Active connections Open ports Network Netflow DNS queries IPS alerts Firewall blocks Port up/down notifications Unauthorized device detection Vulnerability scan results Packet captures

10 Analysis Capabilities Decision: Does this incident have a chance to go to trial? Could influence personnel selection and analysis techniques Prioritization Event, Incident, Breach Disk and memory acquisition and processing Malware (unknown file) analysis Communication and status tracking Log pulling Host and network Log Analysis 1M logs, can you find the needle?

11 Analysis Capabilities Trial Considerations Chain of custody Verification of results Corroborating evidence with third-parties. Search Warrant Subpoena records

12 Containment and Eradication 12

13 Containment Anticipate lateral movement and fortification within the environment Countermeasures: Applying patches Windows patches Third party applications Internally developed applications Reset administrator passwords Further restrict network and application access where possible Alerting on account creation and addition into privileged groups

14 Containment Enterprise wide searching for compromised machines Indicators of compromise Hashes, filenames, processes, active connections Identification and Purging of malicious s Who all just received an with the subject of Invoice

15 Eradication Methodically remove the attacker s access to network resources Rapid re-imaging of machines Backup restoration processes Careful not to restore compromised images Mass password reset Users and Service accounts IP address and domain blocking Critical decisions need to be made Will you take down and rebuild business-critical servers?

16 Recovery 16

17 Recovery Restoration of normal procedures You took good notes during the incident right? External communication Public disclosures, announcements on home page, formal press releases, etc. Lessons Learned Documentation

18 Strategic Actions for Future Incidents Perform thorough security assessments and pen tests Know your network and potential avenues of attack to be better prepared User mapping & device inventory IP/MAC/Hostname to employee Server or application to business unit or employee Authorized list of hardware/software Secure physical storage Fast external contracting for capabilities not found internally

19 Impact of IR on Fraud Recent Examples: Health System Breach Tax Fraud / Data Manufacturer Wire Fraud Mortgage Originator IP Theft

20 Impact of IR on Fraud Health System Breach Tax Fraud / Data Cloud based server compromised Account lockouts Administrator level of access Compromised server used for tax fraud ephi located on compromised server

21 Impact of IR on Fraud Manufacturer Wire Fraud Vendor sends s to CFO re: advance s contained very specific information Scammer asks for bank information change CFO wires over $500k

22 Impact of IR on Fraud Mortgage Originator IP Theft Online sales system compromised Leads are downloaded in mass Recent employee departures

23 Q&A Tim L. Bryan, CPA/CFF/CITP, CISA, EnCE Director, Advisory Services Forensic Technology & Investigation Services Leader Kiel Murray, CISSP Manager, Technology Risk Crowe s Cybersecurity Watch Blog Thank you for attending!