Date post: 13-May-2018
Page 1: How to effectively respond to an information security incident · Initial incident response steps • Gather documentation - Contact lists, network diagrams, ... • Annual security

How to effectively respond to an information security incident

www.pwc.com

Page 2

PwC

Agenda

Analogy

Plan Preparation

Incident Handling Overview

Collect & Triage

Investigation

Containment

Eradication

Recovery

Page 3

Are you going in the water?

Page 4

Initial incident response steps

• Gather documentation

- Contact lists, network diagrams, etc.

• Designate incident leads

• Notify proper contacts

- Internal contacts

◦ Legal, management, internal support leads

- External contacts

◦ Legal, vendor support, trusted third parties, law enforcement

Page 5

Incident handling overview

• Based on NIST 800-61 Incident Handling

- Detect and Analyze (Triage)

- Containment

- Collect, Preserve and Investigate

- Eradication

- Recovery (lessons learned)

[Figure: incident handling cycle with the stages Detect and analyze, Contain, Collect & Preserve, Eradicate, Recovery]

Page 6

Detection and analysis

Page 7

Do we have an incident? (Yes/No)

• How were we notified?

- Internal vs. External

• Deploy experienced people to determine if you have a real incident

• Is this a regulatory, legal or contractual issue?

Page 8

Practical example

• eCommerce Site:

- Client reported a server performance issue

- Tech Support found the load too high

- Developer examined the code

◦ Identified foreign code on the server, referred to security

- Security began collecting data

◦ Contacted External Incident Response team

Page 9

Practical example

• Incident Response Team

- Examined the server

- Recommended blocking IP addresses

- Examined the server population

- Provided a written report of the incident

- Recommended Eradication

- Recommended policy and procedure changes

Page 10

Exfiltration

Page 11

What to do next

• Incident Classification (DDoS, Malware, Unauthorized Access)

• Triage the problem – follow the evidence

• What are my capabilities?

• What am I looking for?

• How will I accomplish what I need to do?

Page 12

Collection and preservation

Page 13

Evidence preservation

• Proper forensic collection and documentation

- Collect what you need to answer the questions

• Malware analysis

- What are we dealing with and what is it capable of?

◦ Data exfiltration

◦ Keylogger

◦ Sniffer

◦ Dumping memory

Page 14

Data to collect

• Forensic images of the systems compromised

• Firewall Logs

• Web server logs

• Proxy server logs

• Netflow data

• Syslogs (Unix)

• Local Windows event logs

• Domain Controller event logs

Page 15

Triage process flow

[Figure: triage flowchart with the nodes Incident Handler, Malware present (Yes/No), Malware Analysts, Hardening, Monitoring, Compromised Host (Yes/No), Forensics, Information Security]

Page 16

Containment

Page 17

Initial containment (1-3 days)

• Apply M&M approach (hard & crunchy on outside, soft & chewy on inside)

• Data characterization (add rings of security)

• Grab low hanging fruit

- Update AV, flag suspicious files, HIDS/HIPS, create IDS signatures, block traffic, change passwords, disable accounts

- Change to manual procedures if necessary

Page 18

What don't I know?

• Where do I need increased visibility?

- Review logs, increase auditing/logging

◦ System, database, network device, etc.

- Process to secure, archive, collect and review logs

- As the British say, Mind the gap!

SQL Query logging example:

Page 19

SQL query logging example

• Sophisticated attack on database

- Cracked the PINs for banking cards

- Used SQL injection to inject a malicious executable into the database

- Withdrawal limits on the cards were raised to maximize the amount that could be withdrawn

- No SQL logging performed on the databases

- Client was using a SQL query recorder
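Added example, not from the PwC deck: a small review pass over the kind of query-recorder output this slide says the client had, run against constructed log lines. The record layout, the `card_limits` table, the `bank_app` login and the policy ceiling are all assumptions; the point is what becomes visible once statements are logged at all.

```python
# Added example for the SQL query logging slide (not from the PwC deck).
# Assumptions, all constructed: each recorder line is "<timestamp> <db_login> <sql>",
# card limits live in a card_limits table, the only login allowed to change them is
# bank_app, and policy caps withdrawal_limit at 500.
import re
from collections import namedtuple

Alert = namedtuple("Alert", "line reason")

RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")
LIMIT_RE = re.compile(r"withdrawal_limit\s*=\s*(\d+)", re.IGNORECASE)
TABLE_RE = re.compile(r"\bcard_limits\b", re.IGNORECASE)
# A long hex literal in a statement is one way a binary ends up stored in a table.
HEX_RE = re.compile(r"0x[0-9a-f]{16,}", re.IGNORECASE)

APP_LOGINS = {"bank_app"}   # assumption: the application's own login
MAX_LIMIT = 500             # assumption: policy ceiling for withdrawal_limit


def review_query_log(lines):
    """Return an Alert for each rule a recorded statement trips; clean lines yield none."""
    alerts = []
    for raw in lines:
        m = RECORD_RE.match(raw.strip())
        if not m:
            continue  # malformed record; a production reviewer would count these too
        _ts, login, sql = m.groups()
        if TABLE_RE.search(sql) and login not in APP_LOGINS:
            alerts.append(Alert(raw, "non-app-login"))
        lm = LIMIT_RE.search(sql)
        if lm and int(lm.group(1)) > MAX_LIMIT:
            alerts.append(Alert(raw, "limit-above-ceiling"))
        if HEX_RE.search(sql):
            alerts.append(Alert(raw, "hex-blob"))
    return alerts


# Constructed recorder output: one normal limit change, one raised far past policy
# by a login that should never touch card_limits, and one binary written to a table.
SAMPLE_LOG = [
    "2012-03-01T02:14:07Z bank_app UPDATE card_limits SET withdrawal_limit = 300 WHERE card_id = 1001",
    "2012-03-01T02:14:09Z webuser UPDATE card_limits SET withdrawal_limit = 50000 WHERE card_id = 1002",
    "2012-03-01T02:14:11Z webuser INSERT INTO staging (payload) VALUES (0x0102030405060708090a0b0c0d0e0f10)",
    "2012-03-01T02:15:00Z bank_app SELECT balance FROM accounts WHERE card_id = 1001",
]

if __name__ == "__main__":
    for a in review_query_log(SAMPLE_LOG):
        print(f"{a.reason:20s} {a.line}")
```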

Page 20

Eradication & remediation (2-4 weeks)

• Remove malware

• Re-image and/or rebuild systems

- Consider legacy applications

• Delete/disable accounts

• System and Network device hardening

• Increase log monitoring

Page 21

Longer term issues

• Data Flows

• Application Characteristics

• Server Characteristics

• Risk Factors

• Regulatory and Compliance Issues

Page 22

Recovery – Long term goals

• Implement an Information Security group with a CISO

• Integrate Information Security into all facets of the business

• Network Isolation and segmentation

• System hardening

• Annual security audits (include penetration testing)

- Include 3rd party connections

• Implement a Sensitive Data Program

Page 23

Recommendations

• Ensure there is an incident response plan in place

• Know where your crown jewels are located

• Regular security assessments conducted by an outside firm

• Have an incident response support team on speed dial

Page 24

Questions

Contact:

Dave Nardoni 213-356-6308

Jef Dye 213-217-3976

Page 25

© 2012 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

