![Page 1: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/1.jpg)
Agile Incident Management (AIM):
Making Incident Response Effective Again
Halifax, NS
07 November 2017
![Page 2: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/2.jpg)
Overview
• Incident response: current methodology
• Principles of Agile Incident Management, AIM
• Strategic approach to AIM
• Tactical elements of AIM
• Key operations of a successful response
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 2
![Page 3: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/3.jpg)
Data Security Incidents
Data security incident: the act of non-compliance with the corporate security policy or procedures, or any event that negatively impacts the confidentiality,
integrity and availability of your corporate data
(or violation of criminal/civil law or relevant regulations)
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 3
![Page 4: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/4.jpg)
Incident Response:
Current
Methodology
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 4
![Page 5: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/5.jpg)
The Threat Has Radically Evolved
• Asymmetric warfare
• Financial and/or ideological motives drive
improved skill level
• Multiple direct and indirect attack vectors –
physical and cyber
• Fast attacks, long-term persistence
• “Attacks” replaced by “campaigns”
Adopt a military perspective
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 5
![Page 6: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/6.jpg)
Implications of the Evolved Threat
• All organizations are under attack
• At some point, the security controls of each
organization will fail – there will be a security
incident
• You can’t control the failure
• You can only control your recovery
Fail gracefully, recover well
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 6
![Page 7: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/7.jpg)
Incident Response – State of the Art
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 7
![Page 8: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/8.jpg)
Incident Response – Work Effort
Preparation
Detection
Containment + Eradication
Post-Incident
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 8
![Page 9: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/9.jpg)
Why Incident Response Fails
Corporate
• Not supported by
business, execs
• Tactical approach
• Business vs. tech
• Failure to support
• Corporate secrecy
• No corporate memory
Technical
• Comms with execs
• Non-technical
response required
• Competing priorities
• Internal, privileged
attackers
• Lack training, tools
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 9
![Page 10: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/10.jpg)
The Single Greatest Failure
• When discovery of the attack starts your
response, you’ve lost the initiative
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 10
![Page 11: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/11.jpg)
Principles of Agile
Incident
Management, AIM
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 11
![Page 12: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/12.jpg)
Agile Incident Management, AIM ™
Agile Incident Management is the
totality of proactive and reactive
formal (documented, approved)
measures undertaken to help
prevent and manage data security
incidents across an organization
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 12
![Page 13: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/13.jpg)
Agile Incident Management ™ – The Essentials
• Agility = fast, focused, flexible
• Fast data collection, analysis
• Focused and appropriate response
• Focused formal documentation
• Flexible approach
• Push work effort to front; before the incident
• Adopt a military perspective (“campaign”)
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 13
![Page 14: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/14.jpg)
Incident Response - STOP
• STOP
• THINK
• OBSERVE
• PLAN
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 14
![Page 15: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/15.jpg)
Incident Response – The Goal
• It does not matter what has happened in the past
• It does not matter who or what failed
• This “point” (in time and space) is the start
• Identify the critical path between the start and resolution of the incident
• Incident response is the movement on the path towards resolution; ignore or remove all other distractions
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 15
![Page 16: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/16.jpg)
Agile Incident Management ™ - Framework
• Strategic approach
– Engage the board; risk-based
approach
– Incident response strategy
• Drive strategy to tactics, operations
– Incident response policy
– Playbook
– Table top exercises, other validation
– Cyber insurance
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 16
![Page 17: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/17.jpg)
Strategic Approach
to AIM
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 17
![Page 18: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/18.jpg)
General Principles
• IT exists to support the business
• An IT incident is a “business process”
• The business owns incident management; IT
provides support
• Management of an incident is change control
• Rely on your established business processes
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 18
![Page 19: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/19.jpg)
Strategy – Engage the Board
• Strategy originates here
• Attackers are focused on money; so is the Board
• Liability of Board members
• Issues of compliance and regulatory fines,
corporate liability
• Mandatory breach reporting = impact stock price
• Contracts and cyber insurance for defence
• Need for collaboration
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 19
![Page 20: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/20.jpg)
Strategy - Engage the Board ($$$)
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art542,00.html
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 20
![Page 21: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/21.jpg)
Risk-Based Approach
• Risk-based approach to incident management
• Risk / incident management is a business
process; business owns the process
• Each business deals with risks
differently (“risk appetite”)
• Documented (risk register)
• Consider all risks, including
business, technical, HR,
insider threat, etc.
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 21
![Page 22: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/22.jpg)
Strategic Incident Management Plan
• Active endorsement from Board, executives
• Must be fully aligned with existingbusiness strategy, BCP/DRP
• Supports compliance
• Statement of general principles
• Commitment of responsibility, resources
• Goals
• KPI to measure achievement
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 22
![Page 23: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/23.jpg)
Incident Response Policy
• Connects strategy to tactics,
operations
• Business and technical
• Definition of incident
• Who defines the incident
• Flexible incident response
• SOPs “plug into” policy
• Post-incident follow-up
• Keep them up to date
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 23
![Page 24: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/24.jpg)
Tactical Elements
of AIM
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 24
![Page 25: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/25.jpg)
SOPs – The Operational Response
• Formal process drives flexible response - irony!
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 25
![Page 26: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/26.jpg)
SOPs – Identify Likely Incidents and Workflow
• Lost, stolen device
• External attack
• Malicious insider
• Malicious software
• Physical intrusion
• Social engineering
or phishing
• Policy violation
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 26
![Page 27: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/27.jpg)
SOP - Documentation
SOP 01: Malicious Software
Item Action Date / Time
Signature
1 Receive notification from Help Desk
2 Isolated suspect system(s) from network –physically ensure network cables are removed. Contact duty system ([email protected]) administrator for all infected servers, network devices
3 Document identified malicious software in IR ticketing system
4 Identify AV present on infected system(s) using AV.bat
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 27
![Page 28: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/28.jpg)
Table Top Exercises
• Validate feasibility of strategy, IR policy, SOPs
• Business and technical participation
• Non-practical
• Scenario-based; must be realistic
• Walk through / act out the correct response to an
incident
• Debrief to identify success factors, gaps
• Most cost-effective approach
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 28
![Page 29: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/29.jpg)
Cyber Insurance
• Increasingly common
• Covers:
– Losses due to cybercrime
– Costs of remediation
– Liability
– Compliance penalties
– Legal costs
• May receive discounted insurance rates if
incident response program in place
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 29
![Page 30: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/30.jpg)
Key Operations of
a Successful
Response
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 30
![Page 31: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/31.jpg)
Key Operations
• Simplify communications
• Roles and responsibilities: business vs.
technical, role of legal counsel
• Provide proper training
• Validate existing controls
• Adopt new methodologies
• Data forensics are integral
• “Every man a rifleman”
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 31
![Page 32: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/32.jpg)
Simplify Communications
• The military requires brief, effective
communications – e.g.: “fire mission”
A. Enemy grid
B. Direction
C. Target
D. Ammo
E. Time, duration
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 32
![Page 33: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/33.jpg)
Simplify Communications – Mail Template
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 33
![Page 34: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/34.jpg)
Simplify Communications - Internal
• May or may not have a “war room”
• Have a phone bridges reserved for incident
management team
• Pre-defined times for management, technical
meetings
• Control the internal message (e.g. chat, twitter)
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 34
![Page 35: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/35.jpg)
Simplify Communications- External
• Define what information can be
shared, and with who (and how!)
• Encourage information sharing
• Collaborate with professional
organizations (government, FIRST),
other companies in your industry and
with vendors (software, hardware)
• Use trusted 3rd parties to provide
specialist support (alarm and
monitoring, legal, investigative,
technical, training)
"Fools you are . . . who say you like to learn from your mistakes ... I prefer to learn from the mistakes of others, and avoid the cost of my own.“ O. v Bismark
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 35
![Page 36: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/36.jpg)
Roles and Responsibilities – “Business” vs
“Technical”
• Teamwork - eliminate the business vs. technical bottleneck / warfare
• The incident response team lead is from the lineof business– Liaise with internal executive management
– Liaise with partners, media, third parties
– Make decisions that don’t involve IT (pay ransom?)
– Let managers manage … and tech folk work!
– (Role of the team lead is to keep other business managers away from the technical team)
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 36
![Page 37: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/37.jpg)
Assign Roles and Responsibilities
• Managers need clearly defined roles
– Who is responsible for declaring an incident?
– At what point do “recovery needs” outweigh
“investigative needs”?
• Responders need clearly defined roles
– Usually have full-time duties in addition to
their response role
– How will conflicts be resolved?
– How will burn-out be avoided?
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 37
![Page 38: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/38.jpg)
Provide Proper Training
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 38
![Page 39: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/39.jpg)
Provide Proper Training
• Train as you fight
• Adequate technical training
– Ethical hacking
– Indicators of compromise (logging, SIEM)
– Response and data forensics
• Training can exceed $20K / person; consider 3rd
party augmentation
• Employ scenario-based training
• Integrate business into IM training with structured walkthroughs, table top exercises
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 39
![Page 40: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/40.jpg)
Validate Existing Controls
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 40
Corporate Emphasis
![Page 41: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/41.jpg)
Validate Existing Controls - Governance
Framework
• Who supports and endorses security testing?
• Who signs the contract?
• Do you have an information security policy?
• Who is managing the testing process?
• What will be done with the results?
• Will there be a retest?
• How will you address the root cause(s) of vulnerabilities?
• How will you learn from the testing?
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 41
![Page 42: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/42.jpg)
Vulnerability Assessment and Penetration Testing
• Start = inventory + baseline
• Vulnerability assessment relies
largely on automated scanning
• Authenticated vs unauthenticated
• Penetration testing is interactive – additional
techniques (social engineering, phishing)
• Focus is on proving vulnerabilities by
demonstrating exploits
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 42
![Page 43: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/43.jpg)
Validate Existing Controls
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 43
![Page 44: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/44.jpg)
Purple Team Assessments
• Defender = blue
• Attacker = red
• The attacker and
defender will work together throughout the test:
– Attacker: “I’m about to send you an obsfucted
powershell macro embedded in a Word document”
– Defender: “Okay, we’re ready”
– Attacker: “It’s sent … did you detect it”
– Defender: “Uhhhh … nope …. Try again when we’ve
fixed the firewall rules”
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 44
![Page 45: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/45.jpg)
Post-Compromise Assessment
• A PCA is the “new penetration test”
• If I told you there was a 40% chance that your
network has an APT on it, right now … could you
find it?
• If I gave you the indicators of attack, could you
search your logs to find the infection point?
• If I gave you the indicators of compromise, could
you find all instances of the APT?
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 45
![Page 46: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/46.jpg)
Red Team Assessment
• Originated in military
• No scope: no-holds barred;
physical and logical attacks
• Long test cycle
(preparation + attack phase)
• Not integrated with blue
team activities
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 46
![Page 47: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/47.jpg)
Adopt New Monitoring Methodologies
• Traditional logging (what you’re not doing
enough of)
– What you log is set by policy, SOPs
– Monitor all activity (automated processes, employees,
privileged users)
– Establish a baseline (the “normal good”)
– Look for anomalies, exceptions – but keep a record of
legitimate and approved activities as well
• Most important – increase monitoring after a
security event occurs – it’s a “campaign”
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 47
![Page 48: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/48.jpg)
New Monitoring Methodologies -
Honeypots
• Case study: manufacturing
• Logging was difficult (old
devices, complex network, no
storage capabilities)
• Concerned with access to HR
and ICS devices
• Deployed monitored honeypots
• Identified 2 employees
attempting to access HR
systems within 5 days
Slide 48© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.
![Page 49: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/49.jpg)
Data Forensics are Integral
• Data forensics closely tied to IM process
• Design, construct and configure policies, SOPs, and data systems to support future forensics requirements
• Pre-emptive forensics
• Non-traditional forensics: “sniping”, live system analysis, memory analysis
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Slide 49
![Page 50: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/50.jpg)
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 50
![Page 51: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/51.jpg)
Your Employees are the “First Responders”
• Non-IT employees are the first to spot 70% of all security incidents
• They are usually closest to a system that is being attacked
• Employees can be taught basic response skills– Recognize an attack
– Disconnect the system from the network
– Don’t change anything
– Call the IT support number
• “Every employee a responder”
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 51
![Page 52: Agile Incident Management (AIM): Making Incident Response … · 2017-11-19 · Agile Incident Management ... Halifax, NS 07 November 2017. Overview • Incident response: current](https://reader036.vdocuments.us/reader036/viewer/2022062604/5fbaa81688935132e06bd1cd/html5/thumbnails/52.jpg)
DigitalDefence (www.digitaldefence.ca)
• Specialize in
penetration testing,
incident response,
data forensics
• Training provider
Robert W. Beggs, CISSPConnect with: https://www.linkedin.com/in/robertbeggs
Check out: Canadian Information Security Professionals
© 2017 Digital Defence. All rights reserved. This document is for informational purposes
only. Digital Defence makes no warranties, express or implied, in this document.Page 52