Managing an Active Incident Response Case. Paul Underwood, COO


About Us
Paul Underwood, COO. Emagined Security is a leading professional services firm for information security, privacy and compliance solutions. Our commercial clients cover a wide range of U.S. and global Fortune 1000 organizations, including the financial services, energy, healthcare, high tech, manufacturing and insurance industries. We help our clients manage IT risk in today's dynamic business environments, and give them the ability to scale quickly and efficiently to provide the rapid response expected of best-in-class organizations. Our deep industry and domain expertise, proven track record, and well-known and respected employees from the information security community make us an invaluable resource to our clients.

Who's Behind Data Breaches
Global study of almost 2,000 data breaches (*Verizon 2017).

Motives Behind Cyberattacks
Global study of organizations that were victims of cyberattacks (*Radware 2017). See also "Why hackers hack": https://www.emagined.com/news-notes/2018/7/17/why-hackers-hack

Industries Attacked & Method (The Threat)
Industries: Food Services, Manufacturing, Healthcare, Education, Finance & Insurance.
Methods: Denial of Service, Point of Sale, Web App, Espionage, Privilege Misuse.
No industry is immune.

"We will remove from the world wide web the site belonging to YOUR COMPANY and in addition we will Black Fax and E-Mail Bomb every inbox at YOUR COMPANY. This cyber action by Anonymous will be accompanied by a protest on the ground tomorrow." - Anonymous

How Hackers Hack: A High Level Attack Anatomy of the Kill Chain

Recon: Passive and active recon allows for the harvesting of email addresses or other information deemed valuable. Attackers create a blueprint of the target and search for vulnerabilities.

Gain Access: The attacker determines the plan of attack, weaponizes payloads and chooses the delivery mechanisms. Once delivered, payloads are installed. The attacker looks to maintain persistence while obtaining command and control.

Escalation of Privileges: The attacker looks to extend the access levels already obtained to other systems (e.g. pivoting) or devices within the environment.

Maintain Access: The ultimate goal is to maintain access to the environment should a single compromised host fail. The attacker has established control privileges on multiple hosts or devices, and works to move silently between networks and systems to find and extract sensitive or desired data.

Covering Tracks: The attacker may modify logs and/or misdirect security events, making it more difficult to determine attack origins and reproduce a viable attack traffic flow.

Anatomy of an Attack: Kill Chain
Stages (following the industry standard stages documented in the Lockheed Martin Cyber Kill Chain): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Continued Persistence.

Example tactics, techniques, and attack vectors:
1. Gather e-mail addresses and user info.
2. Create phishing campaigns.
3. Verify target(s).
4. Develop delivery mechanisms.
5. Develop exploits (browser, MS Office, etc.).
6. Develop blended attack vectors.
7. Deliver the payloads to the target.
8. Run the exploits (scripts, code, binaries).
9. Use password hashes, files, the Registry or OS services to own the local system.
10. Establish C2 from the compromised host(s).
11. Identify weak passwords or known OS exploits to escalate privileges.
12. Obtain tokens and/or credentials.
13. Perform additional recon through port scanning, sniffing or probing.
14. Collect authentication credentials (Kerberos tickets, OS services, file shares) for access across the network.
15. Exploit groups, passwords, and domain trusts.
16. Access sensitive data via mail, files, financial systems, databases.
17. #Winning

Preparing for an Attack: Think Like a Hacker
Defensive counterparts to the first three stages (Reconnaissance, Weaponization, Delivery).

Reconnaissance (defense). Do reconnaissance on yourself:
1. Web and other services.
2. What is on your web services.
3. Test, and remove what you can.
4. Find what you don't know.
5. Remove what is not necessary, so attackers have less to pry at.
6. Know your audience.

Weaponization (defense). Get your own toolset:
1. Wireshark.
2. Logging.
3. Monitoring.
4. Online monitoring of chatter.
5. Contact your ISP; make sure they don't shut you down.

Delivery (defense). Secure and fortify the points of entry:
1. Firewall.
2. IPS.
3. Antivirus.
4. Web content filters.
5. Antispam.
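One concrete way to "do reconnaissance on yourself" is to look at what your own web services hand an attacker for free. The following is an added example, not code from the presentation or from Emagined Security: it parses a raw HTTP response (the sample response below is constructed, not captured from any real host) and reports headers that disclose product and version details plus hardening headers that are absent. The header names it checks are a common baseline, not a list from the slides; in practice you would feed it the output of `curl -sI https://your-host/`.

```python
"""Self-reconnaissance check (added example): flag what one of your own
web services discloses in its HTTP response headers."""
import re

# Headers that hand an attacker product/version details for free.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Hardening headers a public web service should normally carry (assumed baseline).
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")

# A dotted number inside a header value almost always means a version string.
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw):
    """Return a dict of lower-cased header name -> value from a raw HTTP response."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the status line
        if not line:
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw):
    """Return {'leaks': [...], 'missing': [...]} for one HTTP response."""
    headers = parse_headers(raw)
    leaks = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        detail = "version" if VERSION_RE.search(value) else "product"
        leaks.append(f"{name}: {value} ({detail} disclosed)")
    missing = [name for name in EXPECTED_HEADERS if name not in headers]
    return {"leaks": leaks, "missing": missing}


# Constructed sample response; the host and versions are not real.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    result = audit_response(SAMPLE)
    for leak in result["leaks"]:
        print("LEAK   ", leak)
    for name in result["missing"]:
        print("MISSING", name)
```

A version string in `Server` or `X-Powered-By` is exactly the "blueprint" input the recon stage of the kill chain is looking for; removing or genericizing those headers is one of the cheapest "remove what is not necessary" wins.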

What to Do During the Attack and After (You're prepared for this)

Slow the flow:
- Limit connections. Shut down unnecessary services. Rethink what is public.
- Size, speed, ports and connections per second.
- Block the bad and let the good roam free: deny lists and their benefits.
- Shadow sites: where did everyone go?

Track and capture:
- Capture traffic for future use.
- Honeypots and where they help.
- Automated scans and script kiddies: set signatures, block and protect, weather the storm.

Document:
- Document what you do and how you do it.
- Document everything for the post mortem.

Analyze:
- Validate what is happening.
- Analyze attacks versus normal traffic (SIEM devices).
- Revisit the attack after it has ended: what went wrong, what went right, were there any outages, what needs to change, where did you have problems.
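The "slow the flow" and "analyze attacks versus normal traffic" items above come down to one mechanical job during an active case: count connections per source per second, separate the abusive sources from normal ones, and turn the result into a deny list without blocking anyone you need (your ISP, your monitoring). The following is an added example, not code from the presentation or from Emagined Security; the log format, the hosts and the threshold are constructed for the example, and the rendered `nftables`-style rule is illustrative only.

```python
"""Slow-the-flow triage (added example): count new connections per source
per second from firewall-style log lines and build a deny list of sources
that exceed a threshold, leaving allow-listed sources alone."""
from collections import defaultdict

# Sources that must never be blocked (assumed: monitoring hosts, ISP ranges).
ALLOW_LIST = {"198.51.100.7"}

# Connections per source per second above which a source is treated as abusive
# (assumed threshold; tune from your own baseline of normal traffic).
MAX_CONN_PER_SEC = 5

# Constructed log lines: "<epoch-second> <src_ip> <dst_port> <action>".
SAMPLE_LOG = """\
1700000000 203.0.113.10 443 accept
1700000000 203.0.113.10 443 accept
1700000000 203.0.113.10 443 accept
1700000000 203.0.113.10 443 accept
1700000000 203.0.113.10 443 accept
1700000000 203.0.113.10 443 accept
1700000000 203.0.113.10 443 accept
1700000000 192.0.2.44 443 accept
1700000001 192.0.2.44 80 accept
1700000001 198.51.100.7 22 accept
1700000001 198.51.100.7 22 accept
1700000001 198.51.100.7 22 accept
1700000001 198.51.100.7 22 accept
1700000001 198.51.100.7 22 accept
1700000001 198.51.100.7 22 accept
1700000002 203.0.113.10 443 accept
"""


def parse_log(text):
    """Yield (second, src_ip, dst_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, port, _action = parts
        try:
            yield int(ts), src, int(port)
        except ValueError:
            continue


def rate_per_second(text):
    """Return {(src_ip, second): connection count}."""
    counts = defaultdict(int)
    for second, src, _port in parse_log(text):
        counts[(src, second)] += 1
    return counts


def build_deny_list(text, limit=MAX_CONN_PER_SEC, allow=ALLOW_LIST):
    """Return sorted (src_ip, peak_conn_per_sec) for sources over the limit,
    excluding allow-listed sources so a bad threshold cannot cut off your ISP."""
    peaks = defaultdict(int)
    for (src, _second), count in rate_per_second(text).items():
        peaks[src] = max(peaks[src], count)
    return sorted((src, peak) for src, peak in peaks.items()
                  if peak > limit and src not in allow)


def render_rules(deny):
    """Render deny entries as nftables-style drop rules (illustrative syntax)."""
    return [f"ip saddr {src} drop  # peak {peak} conn/s" for src, peak in deny]


if __name__ == "__main__":
    for rule in render_rules(build_deny_list(SAMPLE_LOG)):
        print(rule)
```

Two points the code makes that the slide only implies: the peak is computed per second rather than over the whole window, because a flood is a burst and averaging hides it; and the allow list is applied at deny-list construction time, so the one host that looks abusive but is on the allow list (198.51.100.7 in the sample) never reaches the firewall rules. Keep the generated rules in the incident record; that is the "document what you do" step.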

Challenges
- Personnel and OT management.
- Recognizing abnormal traffic: which connections to drop and block.
- Managing multiple connections to the outside and multiple stakeholders.
- Correlating 100,000 events an hour.
- Keeping track of large amounts of code and configuration changes done by multiple staff.
- Keeping City personnel aware and involved.
- Changing firewall, router, switch and IPS configuration on the fly.

The Making of an Incident Response Program
The program: target (self) analysis; attacker analysis; defense methodology; best practices.

Documentation: Incident Response Program
- Contacts for: ISP; proper authorities (FBI, local PD); media; management.
- Forensics program and equipment.
- Security awareness program.

Gene Shultz Top 15 List of Mistakes in IR
1. Neglecting to establish an incident response effort in the first place.
2. Lack of a well-defined charter.
3. Failure to set up a management infrastructure for incident response.
4. Neglecting to acquire necessary forensic and incident response hardware and software in advance.
5. Not taking advantage of Security Information and Event Management (SIEM) type technology to identify incidents in real time.
6. Failing to understand your intrusion detection capability.
7. Failure to respond to incidents in a systematic manner.
8. Neglecting to adequately test procedures.
9. Failure to work cooperatively with other groups/organizations when incidents occur.
10. Communication deficiencies (internal and external).
11. Lack of top-level management support.
12. Lack of technical expertise.
13. Lack of forensics training.
14. Failure to integrate efforts sufficiently with business continuity/disaster recovery efforts.
15. Failure to automate.

Conclusion
- In many respects, proficiently responding to incidents is the ultimate information security challenge.
- There is a lot more to incident response than meets the eye.
- Careful planning and justification of needed resources are critical.
- The number of potential serious mistakes is enormous; we have gone over just a few of the worst ones.
- Good news: most of the mistakes discussed in this presentation are not that difficult to correct.
- Whatever you do, be sure to keep a proactive focus.

Thank You!
Emagined Security, San Carlos, California. 801-294-2917. @emagined, @emaginedsec, paulunderwood@emagined.com