Proactive Incident Response


What is an incident? There are many types of security incidents:
- Hacking attack
- Denial of service
- Virus attack
- Data theft
- Data deletion
- Password theft
- Leak of sensitive material
This training covers computer security incidents only; incidents caused by natural disasters are out of scope. (Training: Incident Response and Recovery)

Maturity levels
- Level 0: No incident response capability
- Level 1: Ad-hoc incident response
- Level 2: Technology driven / signature based
- Level 3: Process driven
- Level 4: Intelligence driven
- Level 5: Predictive defense

Average Maturity

Ad-hoc incident response
- Detection: users report to IT; incidents are learned about from the news
- Response: no plan; Googling; format, re-install, reboot; call the vendor
- Risk awareness: very low

Technology driven / signature based
- Detection: alerts raised by signature matching
- Response: a standard incident response plan; processes are shaped by the tools in use
- Risk awareness: low

Reactive approaches
- Usually take more investigation time and cost
- Security controls are limited to notification, containment and remediation
- Invite repeat attacks: damage first, fix later
- Only capable of handling known threats

Process driven
- Detection: use case hunting, threat modeling, correlation rules
- Response: specific incident response plans; service driven; process SLAs
- Risk awareness: medium; initial risk management; selective sensor placement

Intelligence driven
- Detection: use cases are continuously turned into correlation rules; a Security Operations Center
- Response: threat driven; vulnerability assessment; security intelligence networks
- Risk awareness: high; intensive risk management; fully aware of asset values and their protections

Predictive defense
- Detection: Cyber Kill Chain, big data analytics, artificial intelligence
- Response: very early in the chain; false positives are tolerated (better to block ten legitimate actions than to let one attacker in)
- Risk awareness: extremely high; risk management is embedded into security operations

Risk awareness

Example: targeted attack
- No full-time IT security staff
- Operating hours 8 x 5
- A standard incident response plan exists
- Security controls are undefined beyond firewalls and anti-virus
Think about how you could handle the incident with these capabilities if it happens.

Stage 1: Cyber intrusion preparation and execution (the phases below follow the two-stage ICS Cyber Kill Chain described by Assante and Lee, SANS, 2015)

Planning phase
Reconnaissance is the activity of gaining information about a target through observation or other detection methods:
- Google, Shodan
- Public announcements, TOR, RFPs
- Social media
Objectives: look for vulnerabilities in people, process and technology; map the attack surface.

Preparation phase
Weaponization and targeting: modifying an otherwise harmless file, such as a document, to enable the adversary's next step.
- PDFs with an exploit embedded in them
- Macros in Word documents
People targets: social engineering tactics. Technical targets: network, VPN, etc.

Cyber intrusion phase
Delivery and exploit:
- Phishing, fake calls, bribery, threats
- Install a Remote Access Trojan
- Non-malware techniques such as abusing PowerShell, which leave no malicious file on disk for signatures to match

Management and enablement phase
After a successful cyber intrusion the adversary moves to the next phase, management and enablement. Here the actor establishes command and control (C2), using methods such as a connection to the previously installed capability or abuse of trusted communications such as the VPN. Capable and persistent actors often establish multiple C2 paths so that connectivity is not interrupted if one is detected or removed.

Sustainment, entrenchment, development and execution phase
- Discovery of new systems or data
- Lateral movement around the network
- Installation and execution of additional capabilities
- Capturing transmitted communications such as user credentials
- Collection of desired data and exfiltration of that data out of the environment
- Anti-forensic techniques such as cleaning traces of the attack activity, or defending the foothold when encountering defenders such as incident responders
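The process-driven and intelligence-driven levels above turn use cases into correlation rules, and the Stage 1 phases just listed are the use case a targeted-attack rule should encode. The following is an added example, not code from the original slides: it tags constructed endpoint and proxy events with a kill-chain phase (Office spawning a script host for delivery/exploit, a persistence change for install, evenly spaced outbound connections for C2) and raises one incident per host only when two or more phases appear in chain order within a window. The event schema, field names, thresholds and sample telemetry are all assumptions made for this example.

```python
"""Kill-chain correlation over constructed endpoint/proxy events.

Added example (not from the original slides). The event schema, hostnames,
addresses and thresholds are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Ordered subset of the Stage 1 phases used by the rules below.
PHASES = ["delivery_exploit", "install", "c2"]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def classify(event):
    """Map one event to a kill-chain phase, or None if no rule matches.

    These are single-event signatures; beaconing needs several events and is
    handled in beaconing_hosts().
    """
    if event["type"] == "process":
        if event["parent"].lower() in OFFICE_APPS and event["image"].lower() in SCRIPT_HOSTS:
            return "delivery_exploit"
    if event["type"] == "persistence":
        return "install"
    return None


def beaconing_hosts(events, min_connections=4, max_jitter_seconds=5.0):
    """Return {(host, dest)} whose outbound connections are evenly spaced.

    Regular intervals with low jitter are a classic C2 beacon pattern; the
    population standard deviation of the gaps is compared to a jitter bound
    rather than to a fixed interval, so it is not tied to one tool's timer.
    """
    conns = defaultdict(list)
    for e in events:
        if e["type"] == "net" and e["direction"] == "out":
            conns[(e["host"], e["dest"])].append(e["ts"])
    found = set()
    for key, times in conns.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_seconds:
            found.add(key)
    return found


def correlate(events, window=timedelta(hours=2)):
    """Return {host: [phase, ...]} for hosts showing phases in chain order.

    A host is reported once two consecutive phases are seen within `window`,
    so the alert fires early in the chain (delivery + install) rather than
    waiting for exfiltration. A lone indicator never raises an incident.
    """
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        phase = classify(e)
        if phase:
            per_host[e["host"]].append((e["ts"], phase))
    for host, dest in beaconing_hosts(events):
        first = min(e["ts"] for e in events
                    if e["type"] == "net" and e["host"] == host and e["dest"] == dest)
        per_host[host].append((first, "c2"))

    incidents = {}
    for host, observed in per_host.items():
        observed.sort()
        chain, last_ts, last_idx = [], None, -1
        for ts, phase in observed:
            idx = PHASES.index(phase)
            # Only advance along the chain; out-of-order or stale phases are ignored.
            if idx > last_idx and (last_ts is None or ts - last_ts <= window):
                chain.append(phase)
                last_ts, last_idx = ts, idx
        if len(chain) >= 2:
            incidents[host] = chain
    return incidents


def sample_events():
    """Constructed sample telemetry: one compromised host (WS-17), one benign host (WS-22)."""
    t0 = datetime(2016, 3, 1, 9, 0, 0)
    ev = [
        {"ts": t0, "host": "WS-17", "type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe"},
        {"ts": t0 + timedelta(minutes=1), "host": "WS-17", "type": "persistence", "detail": "Run key added"},
    ]
    # Beacon roughly every 60 s (+/- 1 s) to the same destination.
    for i, jitter in enumerate([0, 1, -1, 0, 1]):
        ev.append({"ts": t0 + timedelta(minutes=2 + i, seconds=jitter), "host": "WS-17",
                   "type": "net", "direction": "out", "dest": "203.0.113.10"})
    # Benign: Excel runs an admin script, but no persistence and no beacon follows.
    ev.append({"ts": t0 + timedelta(minutes=5), "host": "WS-22", "type": "process",
               "parent": "excel.exe", "image": "powershell.exe"})
    # Benign: irregular browsing to one site is not beaconing.
    for m in [0, 3, 10, 11, 30]:
        ev.append({"ts": t0 + timedelta(minutes=m), "host": "WS-22",
                   "type": "net", "direction": "out", "dest": "198.51.100.7"})
    return ev


if __name__ == "__main__":
    for host, chain in correlate(sample_events()).items():
        print(host, "->", " > ".join(chain))
```

Only WS-17 is reported; WS-22 trips the Office-to-PowerShell rule alone and is left as a hunting lead rather than an incident. Dropping the network events still yields an incident for WS-17 from delivery plus install, which is the "very early in the chain" response the predictive level calls for.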

Stage 2: ICS attack development and execution
In Stage 2 the attacker must use the knowledge gained in Stage 1 to develop and test a capability that can meaningfully attack the ICS.

Attack development and tuning phase
The aggressor develops a new capability tailored to a specific ICS implementation and to the desired impact. The attacker mimics the target system for testing and never tests in the production environment. Months or even years may pass between Stage 1 and Stage 2.

Validation phase
The attacker tests the capability to make sure the attack works the first time. To do so they need the same equipment as the target, so purchases of such equipment can be a lead for tracking down the attacker.

ICS attack
The last phase is the ICS attack itself: the adversary delivers the capability, installs it or modifies existing system functionality, and then executes the attack. Usually the plant operator is fooled into believing everything is normal until it is too late to fix.

Find the gaps
- People: 24 x 7 coverage; subject matter experts (SME)
- Process: an incident response plan specific to a targeted attack; targeted-attack use cases
- Technology: SIEM; monitoring technology

Plan for your expected maturity and stay Proactive!

THANK YOU