Scribd Logo
Upload

Welcome to Scribd!

  • 85 views

    BH Us 04 Mandia PDF

    Uploaded by

    vxla
    The document discusses the evolution of incident response over time. It notes that incident response is not static and must evolve to address emerging threats. Specifically, it outlines challenges to effective incident response, such as determining appropriate escalation procedures, minimizing detection to confirmation time, and countering sophisticated tools used by attackers. The document emphasizes that thorough pre-incident preparation, such as defining incident criteria, assessing capabilities, and developing response methodologies, is critical to overcoming these challenges.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    BH Us 04 Mandia PDF

    Uploaded by

    vxla
    85 views30 pages
    The document discusses the evolution of incident response over time. It notes that incident response is not static and must evolve to address emerging threats. Specifically, it outlines challenges to effective incident response, such as determining appropriate escalation procedures, minimizing detection to confirmation time, and countering sophisticated tools used by attackers. The document emphasizes that thorough pre-incident preparation, such as defining incident criteria, assessing capabilities, and developing response methodologies, is critical to overcoming these challenges.

    Original Description:

    Original Title

    bh-us-04-mandia.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses the evolution of incident response over time. It notes that incident response is not static and must evolve to address emerging threats. Specifically, it outlines challenges to effective incident response, such as determining appropriate escalation procedures, minimizing detection to confirmation time, and countering sophisticated tools used by attackers. The document emphasizes that thorough pre-incident preparation, such as defining incident criteria, assessing capabilities, and developing response methodologies, is critical to overcoming these challenges.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    85 views30 pages

    BH Us 04 Mandia PDF

    Uploaded by

    vxla
    The document discusses the evolution of incident response over time. It notes that incident response is not static and must evolve to address emerging threats. Specifically, it outlines challenges to effective incident response, such as determining appropriate escalation procedures, minimizing detection to confirmation time, and countering sophisticated tools used by attackers. The document emphasizes that thorough pre-incident preparation, such as defining incident criteria, assessing capabilities, and developing response methodologies, is critical to overcoming these challenges.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 30

    The Evolution of Incident

    Response

    Intelligent Information Security By Kevin Mandia


    Agenda
    • Case Studies
    • Performing Incident
    Response
    • The Challenges to
    Incident Response
    • Emerging Trends
    Why are We Here?
    Conclusions
    • Incident Response is not a Static Field, and It is
    Important to Sharpen our Swords.
    • There is an Increasing Complexity and
    Sophistication of Computer Attacks.
    • Incident Response Methodologies and
    Technologies Need to Evolve to Address
    Emerging Threats.
    • Pre-Incident Preparation is as Critical as other
    Pro-active Security Measures. Business
    Sustaining Costs!
    Conclusions

    • Sophistication of Tools Requires Greater Skill


    Sets During Response.
    – Countless Specialized Utilities Exist that an
    Attacker/Suspect May Use.
    • Data W iping
    • Encryption
    • Date/Time Manipulation
    • Metadata Manipulation
    • Anti and/or Counter Forensic Software
    – Kernel Level Tools
    – Compressed/Encrypted Executables
    Case Studies

    The Last Ten Cases/Incidents in


    Review

    Intelligent Information Security By Kevin Mandia


    The Year in Review
    • And Now We Demonstrate and Discuss
    the Incidents We Have Responded to
    During the Past Year …
    Conclusions
    • The Threat is More Serious:
    – More Professionals.
    – Its all About Money.
    – Planted Insiders.
    – More Sophistication.
    • If You are Unarmed and Unprepared, Bad
    Things will Happen.
    • Weak Link Appears to be End Users.
    The Challenges to Incident
    Response

    Intelligent Information Security


    Pre-Incident
    Preparation
    Challenges
    Detection of Challenges
    Incidents
    1. Defining What an Incident is to Your Organization.
    Initial Response

    2. Obtaining High-Level Buy In on


    Formulate Developing/Improving/Maintaining an Incident Response
    Response Strategy
    Capability.
    3. Performing Asset Classification. Know what Matters To
    Data Collection
    Your Business Operation before an Incident Occurs.

    Data Analysis
    4. Awareness and Understanding of the Standards,
    Legislature, Regulations, and Industry Accepted Practices.

    Reporting 5. Assessing your Current Incident Response Capability.

    Resolution
    Challenges Solutions
    1. Defining What an Incident is to Your Pre-Incident Preparation.
    Organization. Assess Resources, Match Business
    Units with Capabilities, Roles,
    Responsibilities.
    2. Obtaining High-Level Buy In on Discuss Sustaining Business,
    Developing/Improving/Maintaining an Applicable Standards, Legislature, and
    Incident Response Capability. Industry Regulations that Compel you
    to Maintain IR Capabilities.
    3. Performing Asset Classification. Interview Business Line Owners and
    Know what Matters To Your Business Top Execs.
    Operation before an Incident Occurs.
    4. Awareness and Understanding of Pre-Incident Preparation
    the Standards, Legislature, Review On-Line Sources. Assign
    Regulations, and Industry Accepted General Counsel or Compliance
    Practices. Officer.
    5. Assessing your Current Incident Pre-Incident Preparation.
    Response Capability. Develop a Skills Matrix and Review In-
    House Capabilities.
    Pre-Incident
    Preparation Challenges
    Detection of
    Incidents
    Challenges
    Initial Response 6. Determining the Appropriate Bar of Escalation for Your
    Organization. What is the Appropriate Trigger Mechanism to
    Formulate
    Commence your IR Procedures?
    Response Strategy 7. Ensuring Timely, Easy Method of Reporting Incidents. Get
    the Experts Involved as early as Possible.
    Data Collection

    Data Analysis

    Reporting

    Resolution
    When do you Initiate your IR Mechanism?
    External

    IDS

    End Users Apply Escalation


    Criteria
    Assemble the
    Help Desk Report/Document
    Computer Security
    and Involve
    Incident Response
    Experts in a
    Team
    Sys Admins Timely Fashion
    (CSIRT)
    Transfer Control
    Security of Incident

    Human
    Resources
    Challenges Solution
    6. Determining the Appropriate Bar Pre-Incident Preparation.
    of Escalation for Your Create a Written Policy. Perform
    Organization. What is the Continual Review and Update of
    Appropriate Trigger Mechanism to the Policy. Ensure Asset Affected
    Commence your IR Procedures? Dictates Level of Response.

    7. Ensuring Timely, Easy Method Pre-Incident Preparation.


    of Reporting Incidents. Get the Create or Revise IR Program and
    Experts Involved as early as Train Appropriate Personnel to
    Possible. Understand Indicators of Computer
    Security Incidents.
    Pre-Incident
    Preparation
    Challenges
    Detection of
    Incidents Challenges
    8. Minimizing the Window from Detection of Incident to
    Initial Response Confirmation of the Incident.

    Formulate 9. Accurately and Rapidly Determining the Scope/Breadth


    Response Strategy of the Incident.

    Data Collection
    10. Determining Entities/People that Need to be Involved.
    Triage.

    Data Analysis
    Detection of
    Potential Incident Confirmation
    Reporting
    TIME

    Resolution
    Challenges Solution
    8. Minimizing the Window from Detection of Pre-Incident Preparation.
    Incident to Confirmation of the Incident. Training and Pre-Existing or
    Pre-Deployed Toolkits.

    9. Accurately and Rapidly Determining the Pre-Incident Preparation.


    Scope/Breadth of the Incident. Ensure Response
    Methodology and
    Infrastructure Includes Rapid
    Determination of Host and
    Network-Based Indicators of
    10. Determining Entities/People that Need to Incident.
    Pre-Incident Preparation.
    be Involved. Create or Revise IR Program
    Development.
    Pre-Incident
    Preparation
    Challenges
    Detection of
    Incidents

    Initial Response
    Challenges
    11. Determining Who Should Be Involved with the
    Formulate Decision Making Process.
    Response Strategy

    12. Incident Ownership.


    Data Collection

    Data Analysis

    Reporting

    Resolution
    Challenges Solution
    11. Determining Who Should Be Pre-Incident
    Involved with the Decision Making Preparation.
    Process. Create or Revise IR
    12. Incident Ownership. Program.
    Pre-Incident
    Preparation.
    Create or Revise
    Program
    Development.
    Pre-Incident
    Preparation
    Challenges
    Detection of
    Incidents Challenges
    Initial Response 13. Methods to Gather Live Response Data are too Time
    Consuming and Operationally Cumbersome. May Even be
    Ineffective.
    Formulate
    Response Strategy 14. Methods to Perform Forensic Duplication of Computer
    Systems is Cumbersome.
    Data Collection

    15. Sophistication of Tools and Counter Forensic


    Techniques.
    Data Analysis

    Reporting

    Resolution
    Challenges Solution
    13. Methods to Gather Live Pre-Incident Preparation.
    Response Data are too Time Creation of Live Response Toolkits, Maintenance
    Consuming and of Toolkits or Methods to Address Emerging
    Operationally Cumbersome. Kernel Level Exploits, Use of Network-Based
    May Even be Ineffective. Forensic Tools, and Training.
    14. Methods to Perform Pre-Incident Preparation.
    Forensic Duplication of Have Techniques to Duplicate Live Systems.
    Computer Systems is Training. Perhaps Preservation of Relevant Data
    Cumbersome. Rather than All Data (CAUTION).
    15. Sophistication of Tools Pre-Incident Preparation.
    and Counter Forensic Ability to Acquire and Review System and
    Techniques. Process Memory.
    Pre-Incident
    Preparation
    Challenges
    Detection of
    Incidents Challenges
    16. Sophistication of Tools and Counter Forensic
    Initial Response Techniques.

    Formulate 17. Must have the Capability to Perform Rapid


    Response Strategy Forensic Analysis – Biggest Bang for the Buck.

    Data Collection
    • Kernel Level Tools
    • Use of Wrappers (Encryption, Compression,
    Data Analysis Obfuscation)
    • Shiva, Burneye, UPX
    Reporting
    • Increased Knowledge of Perpetrators
    • Increased Understanding of Current Forensic
    Resolution Tools and Techniques
    Challenges Solution
    16. Sophistication of Tools and Counter Ability to Perform Tool
    Forensic Techniques. Analysis. Understand How
    to Disassemble Tools and
    Decipher their Functionality.
    Know When to Cut Losses
    and Remediate Prior to Full
    Comprehension of Tool
    17. Must have the Capability to Perform Rapid Functionality (CAUTION).
    Pre-Incident Training and
    Forensic Analysis – Biggest Bang for the Buck. Technology.
    Pre-Incident
    Preparation
    Challenges
    Detection of
    Incidents

    Initial Response
    Challenges
    18. Failure to Document Steps Taken in a Timely
    Formulate Manner.
    Response Strategy

    19. Inexperienced Personnel.


    Data Collection

    Data Analysis

    Reporting

    Resolution
    Challenges Solution
    18. Failure to Document Steps Pre-Incident
    Taken in a Timely Manner. Preparation.
    Develop Report
    19. Inexperienced Personnel. Pre-Incident
    Templates.
    Preparation Develop
    Report Templates.
    Pre-Incident
    Preparation Challenges
    Detection of
    Incidents
    Challenges
    20. Resolution Almost Always Requires more Resources
    Initial Response than Expected.

    21. The “Run Out of Steam Factor”


    Formulate
    Response Strategy

    22. Sense of Urgency Focuses Resources on Potential Pre-


    Data Collection
    mature Fixes. Remediate before Conclusion of Investigation.

    Data Analysis
    23. Phased Approach to Recovery Usually Needs to be
    Implemented to Protect the Right Assets with the Right
    Countermeasures.
    Reporting

    Resolution
    Challenges Solution
    20. Resolution Almost Always Requires more Proactive Security Program.
    Resources than Expected.

    21. The “Run Out of Steam Factor” Phased Approach to


    Resolution. Apply Lessons
    Learned to Doctrine.

    22. Sense of Urgency Focuses Resources on Stay On Target… Continual,


    Potential Pre-mature Fixes. Remediate before Documented Operations
    conclusion of Investigation. Plans.

    23. Phased Approach to Recovery Usually Pre-Incident Preparation –


    Needs to be Implemented to Protect the Right Asset Classification.
    Assets with the Right Countermeasures.
    Emerging Trends in Incident
    Response
    A Look Into the Future of Incident
    Response

    Intelligent Information Security


    Emerging Trends in Incident
    Response
    • A Focus on Pre-Incident Preparation
    • A Focus on End-User Education
    • Use of Enterprise Forensic Tools
    • Concerns with Compliance
    – Regulations
    – Standards
    – Compliance
    Creation of an IR Program
    • Assess Current IR Program
    – Collect Documents • Identify Threats/Concerns
    • Determine Asset Classification
    – Perform Interviews
    • Assess Current Capability
    • Define Escalation/Notification
    Requirements

    • Tailoring of Technology to Address Threats


    • Training
    • Dry Runs
    • IR Program Roll-Out
    Kevin Mandia
    Kevin.Mandia@red-cliff.com
    703-244-4488

    You might also like