1. An Incident Response Playbook: From Monitoring to Operations
Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault
© 2014 The SANS™ Institute - www.sans.org
2. Introduction
• The range and sophistication of today’s attacks are growing rapidly
• More and more organizations are dedicating resources to detection and response tools and processes
– Less effort and money is spent on purely “preventive” measures
• We’ll explore a number of different types of incidents, as well as indicators and monitoring/response process considerations
3. Use What for What?
• Right Tool -> Right Job
• Right Job -> Right Skills
• Right Skills -> Right Response
• Right Response -> [right] Incident
4. How do I know which response?
5. Make Plans.
• Be prepared for an incident
– Create several plans based on incident type
– Have a contact methodology
– Escalation Paths
• So you have a plan?
– What’s your backup?
– Be Flexible
• Time is against you
• Outside Help
– Pre-arrange services or consultants
6. What if I’m missing something?
• Use the Internet
– IOCs
– Threat Reputation
– Malware Analyzers
– Virus Scanners
• Community Efforts
– Open source tools
– Message Boards
7. Attack Types and Responses
• Sensitive Data
• Malware
• Insider
• Web Application
8. Sensitive Data Exposure/Exfiltration
• Data loss and exposure is one of the top concerns and incident types facing organizations today
• In the 2014 Verizon DBIR, 1367 data loss incidents were investigated
• Most security teams have been focused on data loss in some way since 2005-6.
9. Indicators of sensitive data exposure
• A number of leading indicators can lead to detection of exposure or exfiltration
• Human-based:
– Fraud alerts or identity theft
– Notification from 3rd parties
– Extortion attempts
• Data indicators:
– DLP alerts
– Proxy logs
– Firewall/IDS/IPS events
10. Operations for Data Exposure Incidents
• Specific operational steps to be considered for IR with data exposure:
– First, unless directed by law enforcement, stop the leak! (if known how/where)
– Determine who and what is affected, then coordinate with HR/legal/PR
– Leverage DLP or other monitoring tools to pattern match data types stored and in transit
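As an added example (not from the deck or from AlienVault), the kind of pattern matching the last bullet describes, run over constructed outbound proxy records: card-number candidates are confirmed with a Luhn check so arbitrary digit runs are not flagged, and sanctioned destinations can be excluded. Every client, host and payload below is constructed.

```python
import re

# Constructed proxy log records (not real data): client IP, destination host, outbound payload excerpt.
SAMPLE_PROXY = [
    ("10.1.1.4", "crm.example.internal", "customer=Jane+Doe&card=4111111111111111"),
    ("10.1.1.4", "paste.example.net", "Card: 5500 0000 0000 0004 exp 12/16"),
    ("10.1.1.9", "files.example.net", "order_id=1234567890123456"),   # 16 digits but fails Luhn
    ("10.1.1.9", "mail.example.org", "ssn 123-45-6789 attached"),
    ("10.1.1.7", "cdn.example.com", "GET /static/app.js"),
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13 to 16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout; a format check only

def luhn_ok(digits):
    """Luhn checksum: True for a plausible card number, False for an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(payload):
    """Return the data types pattern-matched in one payload excerpt."""
    tags = []
    for m in CARD_RE.finditer(payload):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            tags.append("card-number")
            break                       # one tag per payload is enough for triage
    if SSN_RE.search(payload):
        tags.append("ssn-pattern")
    return tags

def scan_proxy_log(records, allowed_hosts=()):
    """Report sensitive data in transit to any destination not on the sanctioned list."""
    findings = []
    for client, host, payload in records:
        tags = find_sensitive(payload)
        if tags and host not in allowed_hosts:
            findings.append({"client": client, "host": host, "tags": tags})
    return findings
```

A commercial DLP product adds richer classifiers and policies, but the Luhn confirmation is the step that keeps a pattern match from paging the team on every 16-digit order number.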
11. Advanced Malware Incidents
• Not all malware incidents are advanced
– Standard antivirus and host-based tools still catch many variants
• Some malware is much more stealthy and sophisticated, however
– Malware sandboxes, behavioral monitoring, and forensics techniques and tools may be needed
12. Indicators of Advanced Malware
• Advanced malware may be detected with a number of indicators:
– Unusual processes or services on hosts
– Known malicious registry keys and entries
– File names or attributes
– Network traffic signatures and patterns (ports, protocols, etc.)
– Sandbox detonation events
13. Operations for Advanced Malware Incidents
• Response processes for advanced malware incidents should include:
– Quarantine capabilities (host and network)
– Volatile forensic data capture
– Rapid development of IOC “fingerprints” to propagate to additional systems
– Data leak response steps
– Reverse engineering
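One way to turn the indicator classes from the previous slide into the IOC “fingerprint” this slide wants to propagate to additional systems; an added example, not the deck’s or AlienVault’s code. The indicator values, hashes, registry key and host snapshots are all placeholders, and the weights are an assumption expressing that a file hash or persistence key is far stronger evidence than a destination port on its own.

```python
# Constructed IOC "fingerprint" for one malware incident; every value is a placeholder, not a real indicator.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater32"
IOC = {
    "process_names": {"svch0st.exe", "updater32.exe"},
    "registry_keys": {RUN_KEY},
    "file_hashes": {"PLACEHOLDER_SHA256_0001"},
    "dest_ports": {4444, 8443},
}
# Assumed evidence weight per indicator class: a hash or persistence key outweighs a port alone.
WEIGHTS = {"process_names": 2, "registry_keys": 3, "file_hashes": 5, "dest_ports": 1}

# Constructed host snapshots (not real systems), as an endpoint agent or script would collect them.
HOSTS = {
    "ws-101": {"process_names": {"explorer.exe", "svch0st.exe"}, "registry_keys": {RUN_KEY},
               "file_hashes": {"PLACEHOLDER_SHA256_0001"}, "dest_ports": {443, 4444}},
    "ws-102": {"process_names": {"explorer.exe", "chrome.exe"}, "registry_keys": set(),
               "file_hashes": {"PLACEHOLDER_SHA256_9999"}, "dest_ports": {443, 8443}},
    "ws-103": {"process_names": {"explorer.exe"}, "registry_keys": set(),
               "file_hashes": set(), "dest_ports": {443}},
}

def match_host(snapshot, ioc=IOC, weights=WEIGHTS):
    """Return (score, matched): matched maps each indicator class to the values seen on the host."""
    matched, score = {}, 0
    for cls, values in ioc.items():
        hits = snapshot.get(cls, set()) & values
        if hits:
            matched[cls] = sorted(hits)
            score += weights[cls]
    return score, matched

def triage(hosts, quarantine_score=5):
    """'quarantine' when the weighted score reaches the threshold, 'review' on any weaker hit, else 'clean'."""
    result = {}
    for name, snap in hosts.items():
        score, matched = match_host(snap)
        label = "quarantine" if score >= quarantine_score else "review" if matched else "clean"
        result[name] = (label, matched)
    return result
```

The weighting is what keeps a host that merely talks to port 8443 in the review queue instead of the quarantine list.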
14. Insider Incidents
• Insider incidents can be some of the most challenging to detect and respond to
• Insider threats can lead to other types of incidents (data loss, destruction/availability, etc.)
• Always coordinate with HR and legal teams for insider threat response
• Many insider attacks are not that advanced…just hard to detect
15. Indicators of Insider Incidents
• Insider indicators may be more challenging to detect:
– Disgruntled behavior
– Unusual pattern of file/data access
– Changes in working hours or behavior
– Disregard for policies and procedures
– Account logon failures and unusual patterns
– Traffic from personal/work systems
– Unusual system command use or attempts at privilege escalation
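Added example (not from the deck) of two of the logon indicators above, checked against constructed authentication events: successful logons outside a user’s baseline working hours, and a burst of failures followed by a success. The per-user baseline hours are an assumption supplied inline; in practice they would be derived from each user’s own logon history.

```python
from datetime import datetime, timedelta

# Constructed authentication events (not real logs): timestamp, user, outcome, source host.
SAMPLE_EVENTS = [
    ("2014-03-12T09:02:00", "alice", "success", "ws-alice"),
    ("2014-03-12T17:45:00", "alice", "success", "ws-alice"),
    ("2014-03-12T23:10:00", "alice", "success", "ws-alice"),   # outside baseline hours
    ("2014-03-12T02:00:00", "bob", "failure", "ws-bob"),
    ("2014-03-12T02:00:20", "bob", "failure", "ws-bob"),
    ("2014-03-12T02:00:40", "bob", "failure", "ws-bob"),
    ("2014-03-12T02:01:00", "bob", "failure", "ws-bob"),
    ("2014-03-12T02:01:30", "bob", "success", "ws-bob"),       # burst of failures, then success
    ("2014-03-12T10:00:00", "carol", "success", "ws-carol"),
]

# Assumed per-user baseline working hours: inclusive start hour, exclusive end hour.
BASELINE_HOURS = {"alice": (8, 19), "bob": (8, 19), "carol": (8, 19)}

def parse(events):
    """Turn the ISO timestamps into datetimes and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), user, outcome, src) for ts, user, outcome, src in events)

def off_hours_logons(events, baseline):
    """Successful logons outside the user's baseline hours (users without a baseline are not flagged)."""
    hits = []
    for ts, user, outcome, src in parse(events):
        start, end = baseline.get(user, (0, 24))
        if outcome == "success" and not (start <= ts.hour < end):
            hits.append((user, ts.isoformat(), src))
    return hits

def failures_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """A success preceded by at least min_failures failures for the same user inside the window."""
    hits, recent = [], {}               # recent: user -> failure timestamps still inside the window
    for ts, user, outcome, src in parse(events):
        fails = [t for t in recent.get(user, []) if ts - t <= window]
        if outcome == "failure":
            fails.append(ts)
        elif len(fails) >= min_failures:
            hits.append((user, len(fails), ts.isoformat(), src))
            fails = []                  # reset so one burst is reported once
        recent[user] = fails
    return hits
```

Either hit alone is a lead, not a verdict; the slide’s point is that the same event also landing in HR’s or legal’s hands decides what it means.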
16. Operations for Insider Incidents
• Response processes for insider incidents should include:
– Inclusion of law enforcement (maybe) and HR/legal (definitely)
– Rapid root cause analysis
• Was it accidental? A system hijack? Or deliberate?
– Account monitoring
– Privilege revocation (maybe)
– Equipment seizure when possible
– Forensic analysis
– Risk analysis
17. Web Application Incidents
• Web app attacks are more common than ever
• These attacks can lead to defacement and reputation impact, as well as data exposure
• Application security often lags network and infrastructure controls
• Many open source components, or products like CMS platforms, are notoriously vulnerable
18. Indicators of Web Application Incidents
• Web application attacks and breaches may exhibit the following indicators:
– Unusual behavior or crashes in applications
– Web and app server logs of repeated access attempts
– Web and app server logs of SQL syntax and/or scripting characters
– IDS/IPS events for known app attacks
– High local resource utilization on Web and app servers
– Web app firewall events for behavioral or signature-based attacks
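Added example, not part of the deck: the two log-based indicators above checked against constructed access log lines in combined log format. URIs are percent-decoded before matching, a SQL keyword is only flagged together with quote or comment syntax so a path like /select-plan stays quiet, and repeated denied attempts are counted per client and path.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access log entries in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2014:10:01:03 +0000] "GET /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2014:10:01:04 +0000] "GET /login.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2014:10:02:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "curl/7.30"
10.0.0.7 - - [12/Mar/2014:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 401 90 "-" "python-requests/2.2"
10.0.0.7 - - [12/Mar/2014:10:03:01 +0000] "POST /wp-login.php HTTP/1.1" 401 90 "-" "python-requests/2.2"
10.0.0.7 - - [12/Mar/2014:10:03:02 +0000] "POST /wp-login.php HTTP/1.1" 401 90 "-" "python-requests/2.2"
10.0.0.8 - - [12/Mar/2014:10:04:00 +0000] "GET /select-plan HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')
SQL_TOKENS = re.compile(r"'|--|;|/\*")                                   # quote and comment syntax
SQL_KEYWORDS = re.compile(r"\b(?:union|select|insert|update|delete|drop|or)\b", re.I)
SCRIPT_MARKERS = re.compile(r"<script|javascript:|on(?:error|load)=", re.I)

def classify_uri(uri):
    """Return indicator tags for one request URI; the URI is percent-decoded first."""
    decoded = unquote(uri)
    tags = []
    # A SQL keyword alone is normal traffic (/select-plan); require quote/comment
    # syntax as well before calling it SQL syntax in the request.
    if SQL_TOKENS.search(decoded) and SQL_KEYWORDS.search(decoded):
        tags.append("sql-syntax")
    if SCRIPT_MARKERS.search(decoded):
        tags.append("script-chars")
    return tags

def analyze_log(text, repeat_threshold=3):
    """Flag injection-looking URIs and repeated denied access attempts per client and path."""
    injections, denied = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # unparseable line: skip rather than crash
        ip, uri, status = m["ip"], m["uri"], int(m["status"])
        tags = classify_uri(uri)
        if tags:
            injections.append((ip, uri, tags))
        if status in (401, 403):              # count only denied attempts
            denied[(ip, uri.split("?")[0])] += 1
    repeated = [(ip, path, n) for (ip, path), n in denied.items() if n >= repeat_threshold]
    return {"injection": injections, "repeated": repeated}
```

Only the request line is inspected here; POST bodies never reach the access log, which is one reason the slide also lists WAF and IDS/IPS events.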
19. Operations for Web Application Incidents
• Response processes for Web App incidents may include:
– Coordination with server operations/admin teams and possibly development teams
– Web app firewall or application filtering commands/rules
– Load balancer and proxy redirection and traffic control
– Correlation between presentation and persistent tier traffic and account data
20. Conclusion
• There are a lot of ways to detect and respond to incidents today
• Many types of incidents have common tools and processes
– Most have their own specific differences, however
• Security monitoring and response teams can always enhance their capabilities with new events, correlation, and IOCs from inside and outside their networks
21. AlienVault USM™: A Unified Approach
Powered by AV Labs Threat Intelligence
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response
22. Coordinated Analysis, Actionable Guidance
Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries
Join OTX: www.alienvault.com/open-threat-exchange
23. Questions?
Q@SANS.ORG
Thank You!
Three Ways to Test Drive AlienVault USM
Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
Try our Interactive Demo: http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo