SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Operations
Download as PPTX, PDF7 likes5,540 views
The document outlines an incident response playbook highlighting the increasing sophistication of cyberattacks and the need for organizations to implement effective detection and response strategies. It discusses various incident types including data exposure, malware, insider threats, and web application attacks, providing operational steps and indicators for each. The playbook emphasizes the importance of preparation, the right tools and responses, and collaboration with relevant teams and services.
![Use What for What?
• Right Tool -> Right Job
• Right Job -> Right Skills
• Right Skills -> Right Response
• Right Response -> [right]
Incident
© 2014 The SANS™ Institute - www.sans.org
3](https://image.slidesharecdn.com/sans-alienvaultjuly2014v3-140730162413-phpapp02/85/SANS-Ask-the-Expert-An-Incident-Response-Playbook-From-Monitoring-to-Operations-3-320.jpg)
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Operations
- 1. An Incident Response Playbook: From Monitoring to Operations Dave Shackleford, Voodoo Security and SANS Joe Schreiber, AlienVault © 2014 The SANS™ Institute - www.sans.org
- 2. Introduction • The range and sophistication of today’s attacks are growing rapidly • More and more organizations are dedicating resources to detection and response tools and processes – Less effort and money is spent on purely “preventive” measures • We’ll explore a number of different types of incidents, as well as indicators and monitoring/response process considerations © 2014 The SANS™ Institute - www.sans.org 2
- 3. Use What for What? • Right Tool -> Right Job • Right Job -> Right Skills • Right Skills -> Right Response • Right Response -> [right] Incident © 2014 The SANS™ Institute - www.sans.org 3
- 4. How do I know which response? © 2014 The SANS™ Institute - www.sans.org 4
- 5. Make Plans. • Be prepared for an incident – Create several plans based on incident type – Have a contact methodology – Escalation Paths • So you have a plan? – What’s your backup? – Be Flexible • Time is against you • Outside Help – Pre-arrange services or consultants © 2014 The SANS™ Institute - www.sans.org 5
- 6. What if I’m missing something? • Use the Internet – IOCs – Threat Reputation – Malware Analyzers – Virus Scanners • Community Efforts – Open source tools – Message Boards © 2014 The SANS™ Institute - www.sans.org 6
- 7. Attack Types and Responses • Sensitive Data • Malware • Insider • Web Application © 2014 The SANS™ Institute - www.sans.org 7
- 8. Sensitive Data Exposure/Exfiltration • Data loss and exposure is one of the top concerns and incident types facing organizations today • In the 2014 Verizon DBIR, 1367 data loss incidents were investigated • Most security teams have been focused on data loss in some way since 2005-6. © 2014 The SANS™ Institute - www.sans.org 8
- 9. Indicators of sensitive data exposure • A number of leading indicators can lead to detection of exposure or exfiltration • Human-based: – Fraud alerts or identity theft – Notification from 3rd parties – Extortion attempts • Data indicators: – DLP alerts – Proxy logs – Firewall/IDS/IPS events © 2014 The SANS™ Institute - www.sans.org 9
- 10. Operations for Data Exposure Incidents • Specific operational steps to be considered for IR with data exposure: – First, unless directed by law enforcement, stop the leak! (if known how/where) – Determine who and what is affected then coordinate with HR/legal/PR – Leverage DLP or other monitoring tools to pattern match data types stored and in transit © 2014 The SANS™ Institute - www.sans.org 10
- 11. Advanced Malware Incidents • Not all malware incidents are advanced – Standard antivirus and host-based tools still catch many variants • Some malware is much more stealthy and sophisticated, however – Malware sandboxes, behavioral monitoring, and forensics techniques and tools may be needed © 2014 The SANS™ Institute - www.sans.org 11
- 12. Indicators of Advanced Malware • Advanced malware may be detected with a number of indicators: – Unusual processes or services on hosts – Known malicious registry keys and entries – File names or attributes – Network traffic signatures and patterns (ports, protocols, etc.) – Sandbox detonation events © 2014 The SANS™ Institute - www.sans.org 12
- 13. Operations for Advanced Malware Incidents • Response processes for advanced malware incidents should include: – Quarantine capabilities (host and network) – Volatile forensic data capture – Rapid development of IOC “fingerprints” to propagate to additional systems – Data leak response steps – Reverse engineering © 2014 The SANS™ Institute - www.sans.org 13
- 14. Insider Incidents • Insider incidents can be some of the most challenging to detect and respond to • Insider threats can lead to other types of incidents (data loss, destruction/availability, etc.) • Always coordinate with HR and legal teams for insider threat response • Many insider attacks are not that advanced…just hard to detect © 2014 The SANS™ Institute - www.sans.org 14
- 15. Indicators of Insider Incidents • Insider indicators may be more challenging to detect: – Disgruntled behavior – Unusual pattern of file/data access – Changes in working hours or behavior – Disregard for policies and procedures – Account logon failures and unusual patterns – Traffic from personal/work systems – Unusual system command use or attempts at privilege escalation © 2014 The SANS™ Institute - www.sans.org 15
- 16. Operations for Insider Incidents • Response processes for insider incidents should include: – Inclusion of law enforcement (maybe) and HR/legal (definitely) – Rapid root cause analysis • Was it accidental? A system hijack? Or deliberate? – Account monitoring – Privilege revocation (maybe) – Equipment seizure when possible – Forensic analysis – Risk analysis © 2014 The SANS™ Institute - www.sans.org 16
- 17. Web Application Incidents • Web app attacks are more common than ever • These attacks can lead to defacement and reputation impact, as well as data exposure • Application security often lags network and infrastructure controls • Many open source components, or products like CMS platforms, are notoriously vulnerable © 2014 The SANS™ Institute - www.sans.org 17
- 18. Indicators of Web Application Incidents • Web application attacks and breaches may exhibit the following indicators: – Unusual behavior or crashes in applications – Web and app server logs of repeated access attempts – Web and app server logs of SQL syntax and/or scripting characters – IDS/IPS events for known app attacks – High local resource utilization on Web and app servers – Web app firewall events for behavioral or signature-based attacks © 2014 The SANS™ Institute - www.sans.org 18
- 19. Operations for Web Application Incidents • Response processes for Web App incidents may include: – Coordination with server operations/admin teams and possibly development teams – Web app firewall or application filtering commands/rules – Load balancer and proxy redirection and traffic control – Correlation between presentation and persistent tier traffic and account data © 2014 The SANS™ Institute - www.sans.org 19
- 20. Conclusion • There are a lot of ways to detect and respond to incidents today • Many types of incidents have common tools and processes – Most have their own specific differences, however • Security monitoring and response teams can always enhance their capabilities with new events, correlation, and IOCs from inside and outside their networks © 2014 The SANS™ Institute - www.sans.org 20
- 21. Powered by AV Labs Threat Intelligence AlienVault USMTM ASSET DISCOVERY • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory VULNERABILITY ASSESSMENT • Continuous Vulnerability Monitoring • Authenticated / Unauthenticated Active Scanning BEHAVIORAL MONITORING • Log Collection • Netflow Analysis • Service Availability Monitoring THREAT DETECTION • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring A Unified Approach SECURITY INTELLIGENCE • SIEM Event Correlation • Incident Response
- 22. Coordinated Analysis, Actionable Guidance • 200-350,000 IPs validated daily • 8,000 collection points • 140 countries Collaborative Threat Intelligence: AlienVault Open Threat ExchangeTM (OTX) Join OTX: www.alienvault.com/open-threat-exchange
- 23. Questions? Q@SANS.ORG Thank You! © 2014 The SANS™ Institute - www.sans.org 23 Three Ways to Test Drive AlienVault USM Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo http://www.alienvault.com/live-demo-site Join us for a LIVE Demo! http://www.alienvault.com/marketing/ali envault-usm-live-demo