©2017 Crowe Horwath LLP Assessing Your Incident Response Capabilities – Do You Have What it Takes? March 31, 2017


Page 1

Assessing Your Incident Response Capabilities – Do You Have What it Takes?

March 31, 2017

Page 2

Presenters

Tim L. Bryan, CPA/CFF/CITP, CISA, EnCE – Director, Advisory Services; Forensic Technology & Investigation Services Leader – [email protected]

Kiel Murray, CISSP – Manager, Technology Risk – [email protected]

Page 3

Agenda

- 2016 Incident Response Recap
- Investigative Process Review
- Capabilities
  - Detection and Analysis
  - Containment and Eradication
  - Recovery
  - Supportive
- Impact on Fraud

Page 4

2016 Incident Response Recap

Crowe Experience
- Spear Phishing & Macro-Enabled Email Attachments
- Watering Hole Attack
- Ransomware Attacks
- CEO Impersonation Wire-transfer Attack

Trends in IR Capabilities

Looking Forward

Page 5

IR Process Review

IR lifecycle (figure): Preparation → Detection and Analysis → Containment, Eradication, and Recovery → Post-Incident Activity

Preparation
- What are our cyber risks?
- Do our employees know their roles during an incident?
- How will we identify a problem?
- How will we respond?
- Do we have the right tools – digital or contractual?
- Do we understand what "normal" looks like?

Page 6

Capabilities

Why capabilities?
- Presented alongside NIST 800-61 – Incident Handling Guide
- Other frameworks include SANS: Preparation, Identification, Containment, Eradication and Recovery

Page 7

Detection and Analysis

Page 8

Detection and Analysis Capabilities

- People
- Threat Intelligence
  - Attacker tools, techniques and reporting from other organizations
  - Bad IP addresses and domains
- Network and Endpoints
  - Must have sensors on each
- Logs
  - Consolidated logging
  - Log retention
- Honeypots
- Internet

Page 9

Detective Capabilities

Host
- Programs being started/running
- Services installed
- Scheduled tasks
- Boot-up programs
- Antivirus / File Integrity Monitoring
- PowerShell
- Authentication – success and failure
- Active connections
- Open ports

Network
- NetFlow
- DNS queries
- IPS alerts
- Firewall blocks
- Port up/down notifications
- Unauthorized device detection
- Vulnerability scan results
- Packet captures
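Three of the host-side detections on this slide (authentication success/failure, services installed, scheduled tasks) turned into working detection logic, as an added example that is not part of the deck. The events are constructed records shaped like Windows Security/System log entries (event IDs 4625/4624/7045/4698), and the list of directories a service binary is "expected" to live under is an assumption for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Windows Security/System log records (not real telemetry).
# Event IDs: 4625 logon failure, 4624 logon success, 7045 new service installed, 4698 scheduled task created.
SAMPLE_HOST_EVENTS = [
    {"time": "2017-03-31T09:00:01", "id": 4625, "host": "WS-17", "user": "jsmith", "src": "10.0.5.44"},
    {"time": "2017-03-31T09:00:03", "id": 4625, "host": "WS-17", "user": "jsmith", "src": "10.0.5.44"},
    {"time": "2017-03-31T09:00:05", "id": 4625, "host": "WS-17", "user": "jsmith", "src": "10.0.5.44"},
    {"time": "2017-03-31T09:00:06", "id": 4625, "host": "WS-17", "user": "jsmith", "src": "10.0.5.44"},
    {"time": "2017-03-31T09:00:08", "id": 4624, "host": "WS-17", "user": "jsmith", "src": "10.0.5.44"},
    {"time": "2017-03-31T09:01:00", "id": 4625, "host": "WS-02", "user": "akim", "src": "10.0.7.9"},
    {"time": "2017-03-31T09:30:00", "id": 4624, "host": "WS-02", "user": "akim", "src": "10.0.7.9"},
    {"time": "2017-03-31T09:05:00", "id": 7045, "host": "WS-17", "service": "WinUpdateSvc",
     "path": "C:\\Users\\Public\\svc.exe"},
    {"time": "2017-03-31T09:05:30", "id": 7045, "host": "SRV-01", "service": "Spooler",
     "path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"time": "2017-03-31T09:06:00", "id": 4698, "host": "WS-17", "user": "jsmith", "task": "\\Updater"},
]

# Directories a legitimately installed service binary is normally expected to live under (assumption).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _when(ev):
    return datetime.fromisoformat(ev["time"])


def failed_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """(host, user, src, failures) for each 4624 preceded by >= min_failures 4625s
    from the same host/user/source inside `window`: the guessing-then-success pattern."""
    failures = defaultdict(list)
    findings = []
    for ev in sorted(events, key=_when):
        if ev["id"] not in (4624, 4625):
            continue
        key = (ev["host"], ev["user"], ev["src"])
        if ev["id"] == 4625:
            failures[key].append(_when(ev))
            continue
        recent = [t for t in failures[key] if _when(ev) - t <= window]
        if len(recent) >= min_failures:
            findings.append((ev["host"], ev["user"], ev["src"], len(recent)))
        failures[key].clear()  # a success closes the window either way
    return findings


def untrusted_service_installs(events):
    """7045 events whose service binary sits outside the trusted directories."""
    return [(ev["host"], ev["service"], ev["path"]) for ev in events
            if ev["id"] == 7045 and not ev["path"].lower().startswith(TRUSTED_SERVICE_DIRS)]


def scheduled_tasks_created(events):
    """Every 4698: a new scheduled task is a persistence mechanism worth reviewing."""
    return [(ev["host"], ev["user"], ev["task"]) for ev in events if ev["id"] == 4698]


def host_findings(events=SAMPLE_HOST_EVENTS):
    return {
        "auth_burst_then_success": failed_then_success(events),
        "untrusted_service_installs": untrusted_service_installs(events),
        "scheduled_tasks_created": scheduled_tasks_created(events),
    }


if __name__ == "__main__":
    for name, items in host_findings().items():
        print(name)
        for item in items:
            print("   ", item)
```

The single failure from WS-02 half an hour before its success is deliberately not flagged: the window and the failure threshold are what keep a rule like this from paging on every mistyped password.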

Page 10

Analysis Capabilities

- Decision: Does this incident have a chance to go to trial? This could influence personnel selection and analysis techniques.
- Prioritization: Event, Incident, Breach
- Disk and memory acquisition and processing
- Malware (unknown file) analysis
- Communication and status tracking
- Log pulling – host and network
- Log analysis – 1M logs, can you find the needle?
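One answer to "1M logs, can you find the needle?" is stacking: rather than reading the logs, count how many distinct clients touched each domain and review the long tail first. Added example, not from the deck; the resolver log lines below are constructed, the line format is an assumption, and the registered-domain reduction is deliberately naive (a real version uses the Public Suffix List).

```python
import re
from collections import defaultdict

# Constructed DNS resolver log lines (not real logs): time, client, queried name, record type.
SAMPLE_DNS_LOG = """\
2017-03-31T10:00:00 10.0.5.44 www.microsoft.com A
2017-03-31T10:00:01 10.0.5.12 www.microsoft.com A
2017-03-31T10:00:02 10.0.5.90 update.microsoft.com A
2017-03-31T10:00:03 10.0.5.44 mail.example-corp.com A
2017-03-31T10:00:04 10.0.5.12 mail.example-corp.com A
2017-03-31T10:00:05 10.0.5.90 mail.example-corp.com A
2017-03-31T10:00:06 10.0.5.44 a3f9c1.cdn-sync-update.net A
2017-03-31T10:00:07 10.0.5.44 b7e002.cdn-sync-update.net A
2017-03-31T10:00:08 10.0.5.12 www.wikipedia.org A
2017-03-31T10:00:09 10.0.5.90 www.wikipedia.org A
2017-03-31T10:00:10 10.0.5.77 r2d2.files-share-host.info TXT
"""

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def registered_domain(qname):
    """Naive registrable-domain reduction: keep the last two labels.
    Assumption for the example; production code needs the Public Suffix List (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def stack_domains(records):
    """registered domain -> (set of distinct clients, total query count)."""
    clients = defaultdict(set)
    queries = defaultdict(int)
    for r in records:
        dom = registered_domain(r["qname"])
        clients[dom].add(r["client"])
        queries[dom] += 1
    return {d: (clients[d], queries[d]) for d in clients}


def rare_domains(text=SAMPLE_DNS_LOG, max_clients=1):
    """Domains seen from at most `max_clients` distinct clients, fewest queries first:
    the long tail an analyst reviews before the thousands of lines for well-known domains."""
    stacked = stack_domains(parse_dns_log(text))
    rare = [(d, sorted(c), n) for d, (c, n) in stacked.items() if len(c) <= max_clients]
    return sorted(rare, key=lambda x: (x[2], x[0]))


if __name__ == "__main__":
    for dom, clients, n in rare_domains():
        print(f"{dom:30} queries={n:3} clients={clients}")
```

Stacking scales because the work is one pass and one counter per domain; the analyst's time goes to the handful of domains only one or two machines have ever asked about, which is where a beacon or a staging host tends to sit.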

Page 11

Analysis Capabilities

Trial Considerations
- Chain of custody
- Verification of results
- Corroborating evidence with third parties
- Search warrant
- Subpoena records

Page 12

Containment and Eradication

Page 13

Containment

- Anticipate lateral movement and fortification within the environment
- Countermeasures:
  - Applying patches: Windows patches, third-party applications, internally developed applications
  - Reset administrator passwords
  - Further restrict network and application access where possible
  - Alerting on account creation and addition into privileged groups
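The last countermeasure, alerting on account creation and on additions to privileged groups, as an added example that is not part of the deck. The events are constructed directory records in the shape of Windows event IDs 4720 (account created) and 4728/4732/4756 (member added to a security-enabled group); the set of group names treated as privileged is an assumption to be replaced with the environment's own list.

```python
from datetime import datetime, timedelta

# Group names treated as privileged here (assumption; extend per environment).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# 4728/4732/4756: member added to a security-enabled global/local/universal group.
MEMBER_ADDED_IDS = {4728, 4732, 4756}

# Constructed directory events (not real logs). 4720 = user account created.
SAMPLE_DIRECTORY_EVENTS = [
    {"time": "2017-03-31T10:50:00", "id": 4720, "host": "DC-01", "subject": "hr_admin", "target": "new.hire"},
    {"time": "2017-03-31T11:00:00", "id": 4720, "host": "DC-01", "subject": "jsmith", "target": "svc_backup2"},
    {"time": "2017-03-31T11:02:00", "id": 4728, "host": "DC-01", "subject": "jsmith",
     "member": "svc_backup2", "group": "Domain Admins"},
    {"time": "2017-03-31T11:05:00", "id": 4732, "host": "WS-17", "subject": "svc_backup2",
     "member": "svc_backup2", "group": "Administrators"},
    {"time": "2017-03-31T11:10:00", "id": 4728, "host": "DC-01", "subject": "hr_admin",
     "member": "new.hire", "group": "Finance Users"},
]


def _when(ev):
    return datetime.fromisoformat(ev["time"])


def privileged_group_alerts(events, new_account_window=timedelta(hours=24)):
    """Emit an info alert for every account creation and a high/critical alert for every addition
    to a privileged group; critical when the member was itself created inside `new_account_window`,
    the create-then-elevate sequence that fortification of a foothold produces."""
    created_at = {}
    alerts = []
    for ev in sorted(events, key=_when):
        if ev["id"] == 4720:
            created_at[ev["target"].lower()] = _when(ev)
            alerts.append({"severity": "info", "kind": "account_created", "account": ev["target"],
                           "by": ev["subject"], "host": ev["host"]})
        elif ev["id"] in MEMBER_ADDED_IDS and ev["group"].lower() in PRIVILEGED_GROUPS:
            member = ev["member"].lower()
            recent = member in created_at and _when(ev) - created_at[member] <= new_account_window
            alerts.append({"severity": "critical" if recent else "high", "kind": "privileged_group_add",
                           "account": ev["member"], "group": ev["group"], "by": ev["subject"],
                           "host": ev["host"], "recently_created": recent})
    return alerts


if __name__ == "__main__":
    for a in privileged_group_alerts(SAMPLE_DIRECTORY_EVENTS):
        print(a["severity"].upper(), a["kind"], a["account"], a.get("group", ""))
```

The Finance Users addition produces nothing: the rule is about privileged groups, and the account-creation alert already records new.hire for the inventory. Because 4732 is logged on the member server where the local Administrators group changed, not on the domain controller, the rule only works if both sources feed the consolidated logging the Detection and Analysis slides call for.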

Page 14

Containment

- Enterprise-wide searching for compromised machines
  - Indicators of compromise: hashes, filenames, processes, active connections
- Identification and purging of malicious emails
  - Who all just received an email with the subject of "Invoice"?
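Both bullets on this slide, the enterprise-wide IoC sweep and the "who all received the Invoice email" question, as one added example that is not part of the deck. The indicator values, the per-host inventory and the mail log are all constructed placeholders (the digest is a repeated pattern, the remote address is from the 203.0.113.0/24 documentation range); in practice the inventory comes from the endpoint agent and the mail log from the gateway.

```python
# Constructed indicators and inventory for this example (placeholder values, not real IoCs).
BAD_HASH = "sha256:" + "c0ffee01" * 8          # placeholder digest
IOCS = {
    "hashes": {BAD_HASH},
    "filenames": {"invoice_0331.doc.js"},
    "processes": {"updchk.exe"},
    "remote_ips": {"203.0.113.77"},            # TEST-NET-3 documentation address
}

HOST_INVENTORY = {
    "WS-17": {"files": [("C:\\Users\\jsmith\\AppData\\Local\\Temp\\invoice_0331.doc.js", BAD_HASH)],
              "processes": ["explorer.exe", "updchk.exe"],
              "connections": ["203.0.113.77:443", "10.0.0.5:445"]},
    "WS-02": {"files": [("C:\\Users\\akim\\Downloads\\invoice_0331.doc.js", BAD_HASH)],
              "processes": ["explorer.exe", "outlook.exe"],
              "connections": ["10.0.0.5:445"]},
    "SRV-01": {"files": [], "processes": ["sqlservr.exe"], "connections": ["10.0.0.9:1433"]},
}

MAIL_LOG = [
    {"msg_id": "<m1@mx.example>", "to": "jsmith@example-corp.com", "from": "billing@vendor-invoices.example",
     "subject": "Invoice", "attach_hash": BAD_HASH},
    {"msg_id": "<m2@mx.example>", "to": "akim@example-corp.com", "from": "billing@vendor-invoices.example",
     "subject": "Invoice", "attach_hash": BAD_HASH},
    {"msg_id": "<m3@mx.example>", "to": "cfo@example-corp.com", "from": "billing@vendor-invoices.example",
     "subject": "Invoice", "attach_hash": BAD_HASH},
    {"msg_id": "<m4@mx.example>", "to": "ap@example-corp.com", "from": "accounts@real-supplier.example",
     "subject": "Invoice 4471", "attach_hash": "sha256:" + "0badf00d" * 8},
]


def sweep_host(record, iocs):
    """Match one host's file, process and connection inventory against the IoC set."""
    hits = []
    for path, digest in record["files"]:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if digest in iocs["hashes"]:
            hits.append(("hash", path))
        elif base in iocs["filenames"]:
            hits.append(("filename", path))   # same name, different hash: a renamed or new variant
    for proc in record["processes"]:
        if proc.lower() in iocs["processes"]:
            hits.append(("process", proc))
    for conn in record["connections"]:
        if conn.rsplit(":", 1)[0] in iocs["remote_ips"]:
            hits.append(("connection", conn))
    return hits


def sweep_enterprise(inventory=HOST_INVENTORY, iocs=IOCS):
    """Hosts with at least one IoC hit: the containment list for isolation and re-imaging."""
    result = {}
    for host, record in inventory.items():
        hits = sweep_host(record, iocs)
        if hits:
            result[host] = hits
    return result


def messages_to_purge(mail_log=MAIL_LOG, subject="Invoice", attach_hashes=frozenset()):
    """Messages matching the exact subject (the deck's "Invoice" question) or a known attachment hash.
    Exact match keeps the legitimate 'Invoice 4471' out of the purge; widen deliberately, not by substring."""
    subject = subject.strip().lower()
    return [m for m in mail_log
            if m["subject"].strip().lower() == subject or m["attach_hash"] in attach_hashes]


def purge_recipients(mail_log=MAIL_LOG, **kwargs):
    """Distinct recipients whose copies need to be pulled and who need the follow-up call."""
    return sorted({m["to"] for m in messages_to_purge(mail_log, **kwargs)})


if __name__ == "__main__":
    for host, hits in sweep_enterprise().items():
        print(host, hits)
    print("purge:", purge_recipients())
```

WS-02 shows up on the hash alone, with no process or connection, which is the case the slide is after: the attachment landed but has not run yet, so that machine is a containment target before it becomes an eradication one. The recipient list from the mail log is the same set as the hosts with the file, a cross-check worth doing before declaring the sweep complete.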

Page 15

Eradication

- Methodically remove the attacker's access to network resources
  - Rapid re-imaging of machines
  - Backup restoration processes: careful not to restore compromised images
  - Mass password reset: users and service accounts
  - IP address and domain blocking
- Critical decisions need to be made
  - Will you take down and rebuild business-critical servers?

Page 16

Recovery

Page 17

Recovery

- Restoration of normal procedures
  - You took good notes during the incident, right?
- External communication
  - Public disclosures, announcements on the home page, formal press releases, etc.
- Lessons learned
- Documentation

Page 18

Strategic Actions for Future Incidents

- Perform thorough security assessments and pen tests
  - Know your network and potential avenues of attack to be better prepared
- User mapping & device inventory
  - IP/MAC/hostname to employee
  - Server or application to business unit or employee
- Authorized list of hardware/software
- Secure physical storage
- Fast external contracting for capabilities not found internally

Page 19

Impact of IR on Fraud

Recent Examples:

Health System Breach – Tax Fraud / Data

Manufacturer – Wire Fraud

Mortgage Originator – IP Theft

Page 20

Impact of IR on Fraud

Health System Breach – Tax Fraud / Data

- Cloud-based server compromised
- Account lockouts
- Administrator level of access
- Compromised server used for tax fraud
- ePHI located on compromised server

Page 21

Impact of IR on Fraud

Manufacturer – Wire Fraud

- Vendor sends emails to CFO re: advance
- Emails contained very specific information
- Scammer asks for bank information change
- CFO wires over $500k

Page 22

Impact of IR on Fraud

Mortgage Originator – IP Theft

- Online sales system compromised
- Leads are downloaded en masse
- Recent employee departures

Page 23

Q&A

Tim L. Bryan, CPA/CFF/CITP, CISA, EnCE – Director, Advisory Services; Forensic Technology & Investigation Services Leader – [email protected]

Kiel Murray, CISSP – Manager, Technology Risk – [email protected]

Crowe's Cybersecurity Watch Blog: https://www.crowehorwath.com/cybersecurity-watch/

Thank you for attending!