Proactive Incident Response
What is an incident?
There are many types of security incidents:
Hacking attack
Denial of service
Virus attack
Data theft
Data deletion
Password theft
Leak of sensitive material
This training looks at computer security incidents; it does not cover incidents caused by natural disaster.
Maturity Levels
Level 0: No incident response capability
Above that, in increasing order of maturity:
Ad-hoc incident response
Technology driven / Signature based
Process driven
Intelligence driven
Predictive defense
Average Maturity
Ad-hoc incident response
Detection: users report to IT; the news
Response: no plan; Googling; format, re-install, reboot; call the vendor
Risk awareness: very low
Technology driven / Signature based
Detection: alerts from signature matching
Response: standard incident response plan; processes dictated by the tools in use
Risk awareness: low
Reactive approaches
Usually take more investigation time and cost
Security controls are limited to notification, containment and remediation
Encourage further attacks: damage first, fix later
Only capable of handling known threats
Process driven
Detection: use case hunting; threat modeling; correlation rules
Response: incident response plans specific to each incident type; service driven; process SLAs
Risk awareness: medium; initial risk management; selective sensor placement
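The gap between the signature-based level and the process-driven level is easiest to see in code. What follows is an added example and is not part of the original slides: it runs a plain IOC (file hash) match and one correlation rule (repeated authentication failures followed by a success from the same source and user inside a time window) over a handful of constructed log lines. The log format, the IOC list, the hash values, the host names, the addresses and the rule thresholds are all made up for the example. The signature match catches only the hash it already knows; the correlation rule fires on behaviour, with no signature at all.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real data). Format:
# <ISO timestamp> <host> <event_type> key=value ...
SAMPLE_LOG = """\
2024-03-01T09:00:05 srv01 auth_fail user=alice src=203.0.113.9
2024-03-01T09:00:07 srv01 auth_fail user=alice src=203.0.113.9
2024-03-01T09:00:09 srv01 auth_fail user=alice src=203.0.113.9
2024-03-01T09:00:12 srv01 auth_fail user=alice src=203.0.113.9
2024-03-01T09:00:15 srv01 auth_fail user=alice src=203.0.113.9
2024-03-01T09:00:21 srv01 auth_ok user=alice src=203.0.113.9
2024-03-01T09:05:00 srv01 auth_fail user=bob src=198.51.100.7
2024-03-01T09:05:30 srv01 auth_ok user=bob src=198.51.100.7
2024-03-01T09:10:00 ws07 file_exec hash=3f786850e387550fdab836ed7e6dc881de23001b path=C:\\Temp\\invoice.exe
2024-03-01T09:12:00 ws07 file_exec hash=9c1185a5c5e9fc54612808977ee8f548b2258d31 path=C:\\Temp\\update.exe
"""

# Constructed IOC feed: placeholder hash values, only one of the two executables is "known bad".
KNOWN_BAD_HASHES = {"3f786850e387550fdab836ed7e6dc881de23001b"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_log(text):
    """Parse each line into a dict: ts (datetime), host, type, plus every key=value field."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, etype, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "type": etype}
        for kv in rest.split():
            k, _, v = kv.partition("=")
            ev[k] = v
        events.append(ev)
    return events


def signature_match(events, iocs):
    """Technology-driven detection: flag only executions whose hash is on the IOC list.
    The second executable, whose hash is not on the list, is missed entirely."""
    return [ev for ev in events if ev["type"] == "file_exec" and ev.get("hash") in iocs]


def correlate_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Process-driven detection: a use case turned into a correlation rule.
    Alert when at least `threshold` auth failures for the same (src, user) are
    followed by a success within `window`, regardless of any signature."""
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] not in ("auth_fail", "auth_ok"):
            continue
        key = (ev["src"], ev["user"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["type"] == "auth_fail":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "src": ev["src"],
                           "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()
    return alerts


def run_example():
    """Run both detections over the constructed log and return their findings."""
    events = parse_log(SAMPLE_LOG)
    return {
        "signature_hits": [ev["path"] for ev in signature_match(events, KNOWN_BAD_HASHES)],
        "correlation_alerts": correlate_bruteforce_then_success(events),
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(name, result)
```

Over the constructed input the IOC match returns only invoice.exe, while the correlation rule raises one alert for alice from 203.0.113.9 and stays quiet for bob's single typo. Raising the threshold to six failures silences the rule, which is the tuning work that "use case hunting" on the slide refers to.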
Intelligence driven
Detection: use cases constantly turned into correlation rules; Security Operations Center
Response: threat driven; vulnerability assessment; security intelligence networks
Risk awareness: high; intensive risk management; fully aware of asset values and the protections they need
Predictive defense
Detection: Cyber Kill Chain; big data analytics; artificial intelligence
Response: very early in the chain. The slide's motto is "Better kill 10 good people than let 1 bad guy in": this posture accepts blocking legitimate activity (false positives) rather than letting one intrusion through.
Risk awareness: extremely high; risk management is embedded into security operations
Risk awareness
Example: Targeted attack
No full-time IT security staff
Operates 8 x 5
There is a standard incident response plan
Undefined security controls: firewalls, anti-virus
Think about how you would handle the incident with these capabilities if it happens
Stage 1
Planning phase
Reconnaissance is the activity of gaining information about a target through observation or other detection methods.
Sources: Google, Shodan; public announcements, TOR, RFPs; social media
Objectives: look for vulnerabilities in people, process and technology; map the attack surfaces
Preparation phase
Weaponization and targeting includes modifying an otherwise harmless file, such as a document, to enable the adversary's next step: PDFs with an exploit embedded in them, macros in Word documents.
People targets: social engineering tactics
Technical targets: network, VPN, etc.
Cyber intrusion phase: Delivery and Exploit
Delivery: phishing, fake calls, bribery, threats
Exploit: install a Remote Access Trojan; modify PowerShell; non-malware based (living off the land)
Management and Enablement phase
With a successful cyber intrusion the adversary moves to the next phase, Management and Enablement. Here the actor establishes command and control (C2), using methods such as a connection to the previously installed capability or abuse of trusted communications such as the VPN. Capable and persistent actors often establish multiple C2 paths to ensure connectivity is not interrupted if one path is detected or removed.
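An added example, not from the original presentation, of one way this phase shows up in network data: C2 beacons tend to connect back at a fixed interval with limited jitter, whereas user-driven traffic is bursty, so a low coefficient of variation (standard deviation divided by mean) in the inter-connection intervals of a (source, destination) pair is a useful hunt. The connection records, host names, addresses and thresholds below are constructed for the example. The final grouping by source host is there because, as the text notes, a persistent actor may keep more than one C2 path on the same host, and a responder who removes only the first path found leaves the backup channel in place.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed connection log: second offsets from BASE at which each (src, dst)
# pair made an outbound connection. Built for this example, not captured traffic.
BASE = datetime(2024, 3, 1, 10, 0, 0)
CONSTRUCTED_OFFSETS = {
    ("ws07", "198.51.100.20:443"): [0, 60, 122, 180, 241, 300, 359, 420],  # ~60 s beacon, small jitter
    ("ws07", "198.51.100.44:8443"): [0, 300, 600, 900, 1200],              # backup C2 path, every 5 min
    ("ws07", "192.0.2.10:443"): [0, 15, 400, 430, 431, 1200, 1260],        # ordinary browsing, irregular
    ("ws12", "192.0.2.10:443"): [0, 700, 701, 702],                        # too few connections to judge
}


def build_connections():
    """Flatten the constructed offsets into time-ordered (timestamp, src, dst) records."""
    conns = []
    for (src, dst), offsets in CONSTRUCTED_OFFSETS.items():
        for off in offsets:
            conns.append((BASE + timedelta(seconds=off), src, dst))
    conns.sort()
    return conns


def find_beacons(connections, min_connections=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection intervals are suspiciously regular.
    cv = pstdev/mean of the intervals: human-driven traffic has cv well above 1,
    an automated beacon with bounded jitter stays close to 0. Pairs with fewer
    than `min_connections` records are skipped rather than judged on noise."""
    by_pair = {}
    for ts, src, dst in connections:
        by_pair.setdefault((src, dst), []).append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(intervals)
        if m <= 0:  # all connections at the same instant: not a beacon pattern
            continue
        cv = pstdev(intervals) / m
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": len(times),
                             "mean_interval_s": round(m, 1), "cv": round(cv, 3)})
    return findings


def c2_paths_per_host(findings):
    """Group beacon findings by source host so every C2 path on a host is listed together."""
    paths = {}
    for f in findings:
        paths.setdefault(f["src"], []).append(f["dst"])
    return paths


if __name__ == "__main__":
    found = find_beacons(build_connections())
    for f in found:
        print(f)
    print(c2_paths_per_host(found))
```

On the constructed data both of ws07's regular destinations are flagged (the 60-second channel with cv about 0.02 and the 5-minute channel with cv 0), the irregular browsing is not, and ws12 is skipped for lack of samples. In practice the thresholds need tuning per environment, because legitimate software (update checks, monitoring agents) also beacons; the value of the rule is that it finds an unknown C2 channel without a signature for it.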
Sustainment, Entrenchment, Development and Execution phase
Discovery of new systems or data; lateral movement around the network; installation and launching of additional capabilities; capturing transmitted communications such as user credentials; collection of desired data; exfiltration of that data out of the environment; and anti-forensic techniques such as cleaning traces of the attack activity or defending the foothold when encountering defenders such as incident responders.
Stage 2
It is in Stage 2 that the attacker uses the knowledge gained in Stage 1 to develop and test a capability that can meaningfully attack the ICS.
Attack Development and Tuning phase
In this phase the aggressor develops a new capability tailored to affect a specific ICS implementation and to produce the desired impact. The adversary mimics the target system in a test environment and never tests in production. Months or years may pass between Stage 1 and Stage 2.
Validation phase
Test and make sure that the attack will work the first time. The attacker needs the same equipment as the target in order to test it, so those equipment purchases are a trace that can be used to track down the attacker.
ICS attack
Ultimately, the last phase is the ICS Attack, in which the adversary delivers the capability, installs it or modifies existing system functionality, and then executes the attack. The attack usually fools the plant operator into believing that everything is normal until it is too late to fix.
Find the gaps in people, process and technology:
24 x 7 coverage
Incident response plan that is specific to a targeted attack
SIEM
SME
Targeted-attack use cases
Monitoring technology
Plan for your expected maturity and stay Proactive!
THANK YOU