TRANSCRIPT
©2017 Crowe Horwath LLP
Assessing Your Incident Response Capabilities – Do You Have What it Takes?
March 31, 2017
Presenters
Tim L. Bryan (CPA/CFF/CITP, CISA, EnCE), Director, Advisory Services; Forensic Technology & Investigation Services Leader; [email protected]
Kiel Murray (CISSP), Manager, Technology Risk; [email protected]
Agenda
2016 Incident Response Recap
Investigative Process Review
Capabilities: Detection and Analysis; Containment and Eradication; Recovery; Supportive
Impact on Fraud
2016 Incident Response Recap
Crowe Experience:
Spear Phishing & Macro-Enabled Email Attachments
Watering Hole Attack
Ransomware Attacks
CEO Impersonation Wire-Transfer Attack
Trends in IR Capabilities
Looking Forward
IR Process Review
Lifecycle phases (NIST-style): Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity
Preparation
What are our cyber risks?
Do our employees know their roles during an incident?
How will we identify a problem?
How will we respond?
Do we have the right tools, digital or contractual?
Do we understand what "normal" looks like?
Capabilities
Why capabilities? Presented alongside NIST 800-61, the Incident Handling Guide.
Other frameworks include SANS: Preparation, Identification, Containment, Eradication, and Recovery.
Detection and Analysis
Detection and Analysis Capabilities
People
Threat Intelligence: attacker tools, techniques, and reporting from other organizations; bad IP addresses and domains
Network and Endpoints: must have sensors on each
Logs: consolidated logging; log retention
Honeypots
Detective Capabilities
Host: programs being started/running; services installed; scheduled tasks; boot-up programs; antivirus / file integrity monitoring; PowerShell; authentication, success and failure; active connections; open ports
Network: NetFlow; DNS queries; IPS alerts; firewall blocks; port up/down notifications; unauthorized device detection; vulnerability scan results; packet captures
Analysis Capabilities
Decision: Does this incident have a chance to go to trial? That could influence personnel selection and analysis techniques.
Prioritization: Event, Incident, Breach
Disk and memory acquisition and processing
Malware (unknown file) analysis
Communication and status tracking
Log pulling: host and network
Log analysis: with 1M logs, can you find the needle?
Analysis Capabilities (continued)
Trial considerations: chain of custody; verification of results; corroborating evidence with third parties; search warrant; subpoena records
Containment and Eradication
Containment
Anticipate lateral movement and fortification within the environment
Countermeasures:
Applying patches: Windows patches, third-party applications, internally developed applications
Reset administrator passwords
Further restrict network and application access where possible
Alerting on account creation and addition into privileged groups
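The last countermeasure above, alerting on account creation and on additions to privileged groups, as an added example that is not part of the original presentation: it evaluates a constructed key=value export of Windows Security events (event IDs 4720, 4728, 4732, 4756 are the real IDs; the log lines, host names and the privileged-group watchlist are assumptions) and adds a correlation rule for an account that is created and then escalated within a short window, the "fortification" pattern the slide warns about.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Windows Security event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group.
ACCOUNT_CREATED = {"4720"}
GROUP_MEMBER_ADDED = {"4728", "4732", "4756"}
# Assumed watchlist of privileged groups; tune to the environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample export (one event per line, quoted values may contain spaces); not real logs.
SAMPLE_EVENTS = """\
ts=2017-03-31T08:02:11 event_id=4624 subject=jsmith host=WS01
ts=2017-03-31T08:05:43 event_id=4720 subject=svc_backup target=helpdesk2 host=DC01
ts=2017-03-31T08:06:02 event_id=4732 subject=svc_backup member=helpdesk2 group="Administrators" host=DC01
ts=2017-03-31T08:06:15 event_id=4728 subject=svc_backup member=helpdesk2 group="Domain Admins" host=DC01
ts=2017-03-31T09:10:00 event_id=4728 subject=admin_hr member=newhire group="HR Staff" host=DC01
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Split one key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

@dataclass
class Alert:
    ts: str
    rule: str
    subject: str     # account that performed the action
    account: str     # account that was created or added to a group
    group: str = ""  # group involved (privileged_group_add only)

def evaluate(lines):
    """Single-event rules: every account creation, and every add to a watchlisted group."""
    alerts = []
    for ev in (parse_event(l) for l in lines if l.strip()):
        eid = ev.get("event_id")
        if eid in ACCOUNT_CREATED:
            alerts.append(Alert(ev["ts"], "account_created", ev["subject"], ev["target"]))
        elif eid in GROUP_MEMBER_ADDED and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(Alert(ev["ts"], "privileged_group_add", ev["subject"], ev["member"], ev["group"]))
    return alerts

def created_then_escalated(alerts, window_s=600):
    """Correlation rule: a newly created account added to a privileged group within window_s seconds."""
    created, findings = {}, []
    for a in alerts:  # alerts are in log order, so creation precedes the add
        t = datetime.fromisoformat(a.ts)
        if a.rule == "account_created":
            created[a.account] = t
        elif a.rule == "privileged_group_add" and a.account in created:
            if (t - created[a.account]).total_seconds() <= window_s:
                findings.append((a.ts, a.account, a.group))
    return findings
```

On the constructed sample this raises one creation alert and two privileged-group alerts, and the correlation rule flags both adds because they follow the creation of helpdesk2 by under a minute.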
Containment
Enterprise-wide searching for compromised machines
Indicators of compromise: hashes, filenames, processes, active connections
Identification and purging of malicious emails: who all just received an email with the subject "Invoice"?
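The enterprise-wide sweep on the slide above, as an added example that is not part of the original presentation: host snapshots (files with hashes, running processes, active connections) are matched against an indicator set, and a mailbox export is searched for the "Invoice" subject. All hosts, owners, indicators and messages are constructed placeholders; the IP is from a documentation range.

```python
from dataclasses import dataclass

# Assumed indicator set for a hypothetical incident; every value is a constructed placeholder.
PLACEHOLDER_HASH = "PLACEHOLDER_SHA256_OF_MALICIOUS_ATTACHMENT"
IOCS = {
    "sha256": {PLACEHOLDER_HASH},
    "filenames": {"invoice_3391.js"},      # compared case-insensitively
    "processes": {"wscript.exe"},          # script host the attachment launches
    "remote_hosts": {"203.0.113.45"},      # TEST-NET-3 address used as the C2 placeholder
}

@dataclass
class HostSnapshot:
    hostname: str
    owner: str          # from the user/device mapping the deck recommends
    files: list         # (filename, sha256) pairs
    processes: list     # running process names
    connections: list   # remote IPs of active connections

# Constructed snapshots: WS01 is the patient zero, WS03 has a renamed copy, WS02 is clean.
SNAPSHOTS = [
    HostSnapshot("WS01", "jsmith", [("invoice_3391.js", PLACEHOLDER_HASH)],
                 ["outlook.exe", "wscript.exe"], ["203.0.113.45"]),
    HostSnapshot("WS02", "adoe", [("report.docx", "f" * 64)], ["winword.exe"], ["198.51.100.7"]),
    HostSnapshot("WS03", "bnguyen", [("Invoice_3391.JS", "b" * 64)], ["wscript.exe"], []),
]

# Constructed mailbox export: (recipient, subject).
MESSAGES = [
    ("jsmith@example.com", "Invoice"),
    ("adoe@example.com", "Re: lunch"),
    ("bnguyen@example.com", "invoice "),
]

def sweep(snapshots, iocs):
    """Return {hostname: [matched indicators]} for every host that hits at least one IoC."""
    hits = {}
    for s in snapshots:
        matched = []
        for name, digest in s.files:
            if digest in iocs["sha256"]:               # hash match is the strongest signal
                matched.append(f"hash:{name}")
            elif name.lower() in iocs["filenames"]:    # name-only match: weaker, still worth a look
                matched.append(f"filename:{name}")
        matched += [f"process:{p}" for p in s.processes if p.lower() in iocs["processes"]]
        matched += [f"connection:{ip}" for ip in s.connections if ip in iocs["remote_hosts"]]
        if matched:
            hits[s.hostname] = matched
    return hits

def recipients_of_subject(messages, subject="Invoice"):
    """Who received an email with this subject? Case- and whitespace-insensitive exact match."""
    return sorted({to for to, subj in messages if subj.strip().lower() == subject.lower()})
```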
Eradication
Methodically remove the attacker's access to network resources
Rapid re-imaging of machines
Backup restoration processes: be careful not to restore compromised images
Mass password reset: users and service accounts
IP address and domain blocking
Critical decisions need to be made: will you take down and rebuild business-critical servers?
Recovery
Recovery
Restoration of normal procedures (you took good notes during the incident, right?)
External communication: public disclosures, announcements on the home page, formal press releases, etc.
Lessons learned
Documentation
Strategic Actions for Future Incidents
Perform thorough security assessments and pen tests
Know your network and potential avenues of attack to be better prepared
User mapping & device inventory: IP/MAC/hostname to employee; server or application to business unit or employee
Authorized list of hardware/software
Secure physical storage
Fast external contracting for capabilities not found internally
Impact of IR on Fraud
Recent Examples:
Health System Breach – Tax Fraud / Data
Manufacturer – Wire Fraud
Mortgage Originator – IP Theft
Impact of IR on Fraud
Health System Breach – Tax Fraud / Data
Cloud-based server compromised
Account lockouts
Administrator level of access
Compromised server used for tax fraud
ePHI located on compromised server
Impact of IR on Fraud
Manufacturer – Wire Fraud
Vendor sends emails to CFO re: advance
Emails contained very specific information
Scammer asks for bank information change
CFO wires over $500k
Impact of IR on Fraud
Mortgage Originator – IP Theft
Online sales system compromised
Leads are downloaded en masse
Recent employee departures
Q&A
Tim L. Bryan (CPA/CFF/CITP, CISA, EnCE), Director, Advisory Services; Forensic Technology & Investigation Services Leader; [email protected]
Kiel Murray (CISSP), Manager, Technology Risk; [email protected]
Crowe's Cybersecurity Watch Blog: https://www.crowehorwath.com/cybersecurity-watch/
Thank you for attending!