A collection point
...and some of my own.
This is an abstraction from a document in circulation from Guidance Software....
Our network will be breached. This is a stark reality of the world in which we operate and do business. Each week brings new threats and reports of compromised networks and lost data. Like it or not, it is a simple fact that no organization is immune. Consider this -- the 2013 Data Breach Investigations Report, conducted by Verizon, found the following commonalities across 47,000 security incidents and 621 data breaches reported in 2012:
Our team’s ability to quickly identify the breach, stop the exfiltration of data and classified material, and remediate real threats can have an enormous impact on our organization’s risk, cost, and exposure. But when dealing with today’s threats, staying on top of network security becomes increasingly challenging, and putting in place best practices for managing cyber breaches can be the difference between containing an attack and not. The changing landscape of cyber security has brought new challenges to information security teams, including the undeniable facts that:

Perimeter defense is insufficient. With new technologies come new exploits. Advanced threats like rootkits, morphing malware, zero-days, and insider threats are rarely caught by perimeter security solutions that rely on signature-based algorithms to detect known threats. When the threat is constantly changing, brand new, or simply unknown to our perimeter security frontline, it goes undetected, much as when the infiltration is caused by an insider whose credentials give them access to our network or sensitive data. Today’s cyber attackers will not be stopped at the perimeter. Many of them are already past our firewall, whether we have found them yet or not.

Attacks are becoming increasingly targeted. At first, hacking was merely a pastime for computer-savvy individuals seeking to challenge their skill sets and knowledge, but those days are long over. While the majority of attacks are considered opportunistic – meaning the attacker did not intentionally target the victim – nowadays, financial, espionage, and activism motives are driving the majority of targeted attacks.
Malware is being custom-designed for specific targets, and hacking has even become “productized.” Attack nets are not cast that widely anymore – instead, they have become increasingly targeted at people in certain roles, such as high-access executives with tablets and laptops, or at organizations for their involvement in or support of debated principles.

Threats are becoming harder to eradicate. Cyber-attacks involving polymorphic malware or advanced persistent threats (APTs) are often extremely sophisticated due to the use of stealthy techniques, making them substantially more difficult to eliminate or remediate. Clearly, time is of the essence when such attacks take place. It could be weeks or months before we know that any of these threats has turned into a successful breach.

…and then there is the incident response time...

…so what do we do?

Preparation

The more prepared we are to act immediately, the better. Since the first part of preparation is always training of team members, and some part of that should be done for all employees, make that “job one” and be sure that training covers:
• Incident response process planning
• Tools and trends
• Security awareness

Many government agencies and enterprise organizations take security-awareness training seriously. For example, unsatisfied with a 95% compliance rate, in 2012 the Veterans Administration created a policy that temporarily “unplugged” from the network those employees and contractors who skipped their yearly cyber security refresher courses.

Test Our Processes

To prepare our processes and train our team, we map out five or six different scenarios involving different variants of methods by which our network could be breached.
These are called “tabletop exercises.” Bring in key people from human resources (HR), communications, system administration, information security, legal, compliance and auditing, and network communications, and discuss how their different business units come into play as we go through each scenario. The widely varying responses to the question of what each is supposed to do can be surprising. System administrators will often say, “Well, we’ll just format the box.” In some cases that is the right answer, but in others it may not be the best solution, because our legal team, HR department, and possibly the FBI could request that the infected system be put in a quarantined containment zone for observation of malware behavior. This can be instructive in learning where the malware is connecting or “phoning home” to, so that a “wiretap” can be placed on that “number.” The time to meet with our team to discuss how we are going to handle a breach should never be when our first big breach has already taken place. Advance planning and training are critical.

Perform a Proactive Sensitive-Data Audit

Know where sensitive data resides as early as possible and come up with a data protection strategy. These measures can save countless hours of inventory that would otherwise have to be done in the heat of the moment after a cyber-attack.
Perform a complete inventory of all sensitive data in the organization, including:
• Personally identifying information such as Social Security or credit-card data
• Intellectual property
• Classified materials
• Any data under regulatory or compliance control

Process Maintenance

To make sure that our team is always ready and up-to-date, we should:
• Understand sensitive data location and use
• Keep systems patched and up-to-date
• Conduct ongoing vulnerability testing
• Implement a full incident response process
• Continually test and refine the process with regular “fire drills.”

Detect and Expose

It is estimated that over half a million attacks are aimed at government agencies and Fortune 500 companies on a daily basis. Unfortunately, no SIEM system is ever tuned to such a fine degree of precision that only the critical situations that need attention are immediately presented to the incident response team. Two ways to proactively and effectively validate cyber threats are endpoint security analytics and security automation.

Endpoint Security Analytics

Leveraging data from across all our servers and end-user devices – including running processes, connections, machine names and IP addresses, and other valuable data – endpoint security analytics give complete visibility of our network’s activities, allowing us to detect anomalous behavior, risk areas, and security threats before damage can be done.

Triage

Once we have identified that we have a problem, our next steps are to:
• Scope the threat to understand the extent of the compromise and its ongoing capabilities
• Zero in on the biggest threats first, and
• Determine whether personal health information (PHI), personally identifying information (PII), and/or intellectual property (IP) was compromised.

This is where our proactive sensitive-data auditing against a predefined baseline of where our data is and should be stored can save us significant time.
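To make the "Endpoint Security Analytics" and "Triage" steps above concrete, here is an added example of my own (not from the Guidance Software document) that scores a small set of constructed process-and-connection records against a baseline and ranks the findings so the biggest threats come first. The host names, process names, destinations and scoring weights are all hypothetical and would be tuned per environment.

```python
from collections import defaultdict

# Constructed endpoint telemetry for illustration (not real data): one record per
# observed process, with the host it ran on, its parent process and the outbound
# connection it made ("host:port"), if any.
TELEMETRY = [
    {"host": "ws01", "process": "outlook.exe",    "parent": "explorer.exe", "dest": "mail.example.test:443"},
    {"host": "ws01", "process": "winword.exe",    "parent": "outlook.exe",  "dest": None},
    {"host": "ws01", "process": "powershell.exe", "parent": "winword.exe",  "dest": "198.51.100.23:4444"},
    {"host": "ws02", "process": "outlook.exe",    "parent": "explorer.exe", "dest": "mail.example.test:443"},
    {"host": "ws02", "process": "chrome.exe",     "parent": "explorer.exe", "dest": "www.example.test:443"},
    {"host": "ws03", "process": "outlook.exe",    "parent": "explorer.exe", "dest": "mail.example.test:443"},
    {"host": "ws03", "process": "svchost.exe",    "parent": "services.exe", "dest": "update.example.test:443"},
    {"host": "ws04", "process": "svchost.exe",    "parent": "explorer.exe", "dest": "203.0.113.9:8080"},
]

# Hypothetical baseline (tune per environment): office applications should not
# spawn script interpreters, core Windows services have a fixed parent, and most
# legitimate outbound traffic goes to ports 80/443.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}
COMMON_PORTS = {"80", "443"}


def destination_host_counts(records):
    """Count on how many distinct hosts each destination was seen (fleet-wide view)."""
    hosts_by_dest = defaultdict(set)
    for rec in records:
        if rec["dest"]:
            hosts_by_dest[rec["dest"]].add(rec["host"])
    return {dest: len(hosts) for dest, hosts in hosts_by_dest.items()}


def score_record(rec, dest_counts):
    """Apply the baseline rules to one record; return (score, reasons)."""
    score, reasons = 0, []
    if rec["parent"] in OFFICE_APPS and rec["process"] in INTERPRETERS:
        score += 40
        reasons.append(f"{rec['parent']} spawned interpreter {rec['process']}")
    expected = EXPECTED_PARENT.get(rec["process"])
    if expected and rec["parent"] != expected:
        score += 30
        reasons.append(f"{rec['process']} parent is {rec['parent']}, expected {expected}")
    if rec["dest"]:
        # A destination no other host talks to is weak evidence on its own,
        # so it scores low unless combined with an uncommon port.
        if dest_counts.get(rec["dest"], 0) == 1:
            score += 20
            reasons.append(f"destination {rec['dest']} seen on only one host")
            port = rec["dest"].rsplit(":", 1)[-1]
            if port not in COMMON_PORTS:
                score += 10
                reasons.append(f"uncommon port {port}")
    return score, reasons


def triage(records):
    """Score every record and return the non-zero findings, biggest threats first."""
    dest_counts = destination_host_counts(records)
    findings = []
    for rec in records:
        score, reasons = score_record(rec, dest_counts)
        if score:
            findings.append({"host": rec["host"], "process": rec["process"],
                             "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(TELEMETRY):
        print(f"{f['score']:>3}  {f['host']}  {f['process']:<15} {'; '.join(f['reasons'])}")
```

Run stand-alone, the script lists the interpreter spawned by an office application on ws01 and the mis-parented service process on ws04 at the top, while the two "rare destination" hits on ws02 and ws03 sit at the bottom with a low score; that ordering is the point of the triage step, since the analyst's limited time goes to the compound findings first and the single weak signals get checked later.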
With the data map in hand, we are two giant steps closer to knowing which data was the likely target of the malware. The ability to scope the threat is also a tremendous advantage. Many companies make crucial mistakes in this area by overestimating the degree of exposure of the breach to the organization. This can result in negative customer or brand impact that could have been completely avoided. For example, under PCI DSS (Payment Card Industry Data Security Standard) regulations, if an organization accepts credit-card payments and is the victim of a breach, it is required to notify federal authorities about the incident. But if an analysis of the breach shows that the internal credit-card numbers stored on the network were not compromised, the company is not required to issue a public statement to state and federal agencies, which could otherwise have damaged the company’s reputation as well as its patronage from customers. Understanding what has happened, which and how much sensitive data has been exposed, what the issues are, and how to remediate quickly are indispensable capabilities.

Classify and Contain

During this stage the focus should be on enabling both short-term and long-term containment of the threat’s progress into our enterprise environment. At this point, we will typically bring in a forensics team – in-house or outsourced – that can handle malware with reverse-engineering capabilities. The major goal of the containment phase is to determine how to eradicate the malware from the network. Many incident response teams create a sandbox to observe the malware and understand what it does and how it behaves, which will help in determining the best way to contain it.
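The proactive sensitive-data audit, the data map used for scoping in triage, and the post-attack audit in the Remediate step all rest on the same mechanism: find where sensitive data actually lives and compare that against where it is allowed to live. The following is an added example of my own (not from the Guidance Software document) that does this over a handful of constructed file contents; the paths, the baseline of approved locations, and the detection patterns (Luhn-checked card numbers and SSN-shaped strings) are hypothetical, and the card numbers are the standard publicly known test numbers.

```python
import re

# Constructed file contents for illustration (not real data); keys are paths.
# The card numbers are standard publicly known test numbers, not real accounts.
FILES = {
    "/srv/payments/tokens.db": "card=4111 1111 1111 1111 exp=12/29",
    "/srv/hr/employees.txt": "jsmith ssn 123-45-6789 hired 2011",
    "/home/jsmith/Downloads/export.csv": "name,card\nA,4111-1111-1111-1111\nB,5500000000000004\n",
    "/tmp/staging/notes.txt": "ticket 4111111111111112 ref 987-65-4320",
    "/var/log/app.log": "request id 1234567890 took 12ms",
}

# Hypothetical baseline: where each category of sensitive data is allowed to live.
BASELINE = {
    "card": ["/srv/payments/"],
    "ssn": ["/srv/hr/"],
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum; filters out most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(content):
    """Return the set of sensitive-data categories present in a piece of content."""
    found = set()
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                 # the 4111...1112 in notes.txt fails here
            found.add("card")
    if SSN_RE.search(content):
        found.add("ssn")
    return found


def approved(path, category, baseline):
    """True if the path sits under one of the approved locations for that category."""
    return any(path.startswith(prefix) for prefix in baseline.get(category, []))


def audit(files, baseline):
    """Build the data map: every (path, category) pair, flagged against the baseline."""
    findings = []
    for path in sorted(files):
        for category in sorted(find_sensitive(files[path])):
            findings.append({"path": path, "category": category,
                             "approved": approved(path, category, baseline)})
    return findings


def scope_breach(findings, compromised_prefixes):
    """Given the paths the attacker reached, list which sensitive categories were exposed."""
    exposed = {}
    for f in findings:
        if any(f["path"].startswith(p) for p in compromised_prefixes):
            exposed.setdefault(f["category"], []).append(f["path"])
    return exposed


if __name__ == "__main__":
    data_map = audit(FILES, BASELINE)
    for f in data_map:
        print(("ok     " if f["approved"] else "OUTSIDE") + f"  {f['category']:<5} {f['path']}")
    # Triage question: the attacker had access to one user's home directory; what was exposed?
    print(scope_breach(data_map, ["/home/jsmith/"]))
```

Run before an incident, the audit reports the card export sitting in a user's Downloads folder and the SSN in a staging file, both outside the approved locations, which is exactly the inventory work the document says should not be done in the heat of the moment. During triage, `scope_breach` answers the "which data was the likely target" question from the same data map: with only the user's home directory compromised, card data is in scope and the HR and payments stores are not.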
As part of the analysis, the forensics team will:
• Remotely collect malware and relevant data with network-enabled forensic tools
• Collect and preserve volatile data as potential evidence
• Capture the crucial malware and artifacts
• Determine whether it is polymorphic or metamorphic
• Discover hash values and registry values
• Recommend remediation steps.

Remediate

Now that we have come closer to identifying what the malware is, what it does, its characteristics and hash values, as well as which and how much sensitive data has been breached, it is time to remediate. The incident response team can begin remediating systems by deleting all malicious or unauthorized code (if appropriate), first on the identified or target systems, and then proactively, network-wide. At this time, they should also conduct a post-attack sensitive-data audit of the affected machines to ensure data resides only where it safely belongs in our network. Once the incident has been remediated, continuous monitoring of our network’s activities will be instrumental in determining whether or not the remediation steps taken were sufficient to successfully return systems to their original, optimal state.

Report and Post-Mortem

At this point, our incident response team should consult the relevant data-breach-notification regulations and policies for each of the business segments in which we do business. Our legal, IT, public relations, and executive teams should have a breach-notification plan in place and be ready to take the appropriate steps when we present our incident report to them. Our report will be vital to all concerned with business reputation, viability, and operations. It is highly advisable to be as clear and non-technical as possible in our reporting. If our report cannot be understood by key stakeholders, the value we are contributing will not be recognized.
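The forensics bullets above ask the team to discover hash values and to determine whether the malware is polymorphic, and the two are linked: an exact hash is only useful against the sample it was taken from, so a network-wide sweep for a polymorphic threat needs a similarity measure as well. Here is an added example of my own (not from the Guidance Software document) that records the SHA-256 of a collected artifact and then checks new artifacts first by exact hash and then by byte 4-gram Jaccard similarity. The artifact bytes are constructed stand-ins, not real malware, and the 0.8 similarity threshold is a hypothetical choice.

```python
import hashlib

# Constructed artifact contents for illustration (not real malware): a sample that
# was collected earlier, a "variant" that differs in only a few bytes, and an
# unrelated benign file.
SAMPLE_A = b"MZ\x90\x00" + bytes(range(256)) + b"CONSTRUCTED-PAYLOAD-SAMPLE-A" * 4
VARIANT_OF_A = b"MZ\x90\x00" + bytes(range(256)) + b"CONSTRUCTED-PAYLOAD-SAMPLE-B" * 4
BENIGN = b"#!/bin/sh\necho hello world\n" * 10


def sha256_hex(data):
    """Exact-match indicator: the hash value the forensics team records for an artifact."""
    return hashlib.sha256(data).hexdigest()


# Known-bad store built from the earlier collection: hash -> retained artifact bytes.
KNOWN_BAD = {sha256_hex(SAMPLE_A): SAMPLE_A}


def byte_ngrams(data, n=4):
    """Set of all n-byte windows; a few changed bytes only disturb a few windows."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a, b):
    """Set similarity in [0, 1]: |A ∩ B| / |A ∪ B|."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def classify(sample, known_bad, threshold=0.8):
    """Exact hash match first; otherwise the closest known-bad artifact by 4-gram similarity."""
    digest = sha256_hex(sample)
    if digest in known_bad:
        return {"verdict": "exact", "match": digest, "similarity": 1.0}
    grams = byte_ngrams(sample)
    best_hash, best_sim = None, 0.0
    for known_hash, known_bytes in known_bad.items():
        sim = jaccard(grams, byte_ngrams(known_bytes))
        if sim > best_sim:
            best_hash, best_sim = known_hash, sim
    if best_sim >= threshold:
        return {"verdict": "variant", "match": best_hash, "similarity": round(best_sim, 3)}
    return {"verdict": "unknown", "match": None, "similarity": round(best_sim, 3)}


if __name__ == "__main__":
    for name, blob in [("SAMPLE_A", SAMPLE_A), ("VARIANT_OF_A", VARIANT_OF_A), ("BENIGN", BENIGN)]:
        print(name, sha256_hex(blob)[:16], classify(blob, KNOWN_BAD))
```

The variant's SHA-256 is entirely different from the original's, so a sweep that only compares hash values would report the affected machine clean; the 4-gram similarity is above 0.97 and flags it as a variant, while the unrelated file scores zero. Real fuzzy-hashing tools do the same job more robustly, but the point for the remediation step is the same: hash values identify the artifact you already have, and the polymorphism determination tells you whether hash values alone are enough to find the rest.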
Be sure to include a sunset or post-mortem report, which is a list of lessons learned from the incident, including:
• What the organization intended or planned to do
• What went right
• What went wrong
• What can be improved upon

Consider modifying existing incident response plans and/or company policies to reflect any lessons learned from each cyber breach.

Conclusion

Information security breaches are inevitable, and the sooner we adopt a posture based on this assumption, the more prepared we will be to contain and remediate the damage they may cause. The speed at which we identify the breach, halt the progress of infectious malware, stop access to and exfiltration of sensitive data, and remediate the threat will make a significant difference in controlling risk, costs, and exposure during an incident.
Redirect to SMB Vulnerability: 18-year-old flaw morphs into a huge threat to Windows machines (4/17/2015)
http://securityintelligence.com/news/redirect-to-smb-vulnerability-18-year-old-flaw-morphs-into-huge-threat-to-windows-machines/#.VTD4fvnF_0c
'Mystique-like' malware killed off
Polymorphic malware that changes its identity up to 19 times a day to avoid detection while taking control of users' computers has been deactivated. Read more: http://www.bbc.co.uk/news/technology-32218381

Fascinating analysis. http://wpengine.com/unmasked/
The future of secure applications and true portability could be containerization. Check out Docker https://www.docker.com/ Spoon https://spoon.net/ or Dx Enterprise http://dh2i.com/product-tour-and-free-trial/

Doing your tax returns? Read this: http://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/

Probably one of the best sites for illustrating the origin and destination of cyber attacks in real time: http://map.ipviking.com/

Even your Uber account is at risk: http://www.theregister.co.uk/2015/03/30/unlimited_uber_accounts_flogged_for_5/

Please be careful with the free Hotel Wifi:

"We will soon have sensors that monitor almost every aspect of our body's functioning, inside and out. They will be packaged in watches, Band-Aids, clothing and contact lenses. They will be in our toothbrushes, toilets and showers. They will be embedded in smart pills that we swallow." ...and I hope they all rely on two factor authentication..... http://www.huffingtonpost.com/vivek-wadhwa/apple-clinical-tr…