Module 10 - Incident Management and Control PDF

Document Details


Carnegie Mellon University

2024


Randy Trzeciak

Tags

incident management information security computer security cybersecurity

Summary

This document is a module from a course on incident management and control at Carnegie Mellon University. It discusses various aspects of incident response, emphasizing incident lifecycle, goals, and different roles involved. Concepts like events, incidents, and crises are explored along with their relation to incident response models.

Full Transcript


95‐752 Introduction to Information Security Management
Randy Trzeciak
Heinz College / Software Engineering Institute – CERT Division
Module 10 – Incident Management
@2024 Carnegie Mellon University

Module 10 ‐ Topics
- IMC Process and Concepts
- Events and Incidents
- Goals of IMC
- Incident Lifecycle, Response, Evidence, Learning, Implementation
- IMC Implementation
- CSIRTs and CSIRT Models
- IMC Standards
- Reference Materials

Incident Management and Control: Lifecycle

IMC – Incident Management and Control
- Establish processes to identify and analyze events, detect incidents, and determine an appropriate organizational response

CERT Resilience Management Model Process Areas
- Asset Definition and Management
- Access Management
- Communication
- Compliance
- Controls Management
- Environmental Control
- Enterprise Focus
- External Dependencies Management
- Financial Resources Management
- Human Resource Management
- Identity Management
- Incident Management and Control
- Knowledge and Information Management
- Measurement and Analysis
- Monitoring
- Organizational Process Definition
- Organizational Process Focus
- Organizational Training and Awareness
- People Management
- Risk Management
- Resilience Requirements Development
- Resilience Requirements Management
- Resilient Technical Solution Engineering
- Service Continuity
- Technology Management
- Vulnerability Analysis and Resolution

IMC Goals

NIST Cybersecurity Framework
https://www.nist.gov/cyberframework
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

IMC Concepts
- Events, Incidents, and Crises
- Incident Life Cycle
- Incident Management Knowledge Base
- Incident Response Defined / Evidence Forensics
- Incident Learning

Events, Incidents, and Crises ‐ 1
- In CERT RMM, events, incidents and crises are different
- Event – one or more occurrences, possibly minor, that affect organizational assets and have the potential to disrupt operations
  - May or may not become an incident
  - Needs to be evaluated against organizational criteria

Events, Incidents, and Crises ‐ 2
- Incident – an event (or series of events) of higher magnitude that significantly affects organizational assets and requires action to limit impact
  - May require further analysis, triage, and escalation

Defining an Incident
- An incident is an adverse event in a computing system, network, or application
- Includes the threat of an adverse event
- “A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” (NIST SP 800‐61 Revision 2)

Who May be Involved?
- CSIRT: Computer Security Incident Response Team

Events, Incidents, and Crises ‐ 3
- Crisis – an incident where the impact is rapidly escalating or immediate
  - Requires immediate action to limit damage

Incident Life Cycle ‐ 1
- Focus of IMC is on managing the incident management and control life cycle
- Tracks an event / incident from discovery to declaration through analysis and response to closure
- All incidents, no matter the severity, follow the life cycle

Incident Life Cycle ‐ 2

Incident Life Cycle ‐ 3

Incident Management Knowledgebase
- A means for logging and tracking incidents through their life cycle
- Provides all of the relevant information that stakeholders need to know for their role in managing incidents

Incident Management Knowledgebase (contents)
- Event Description
- Organization Assets, Services, Units Affected
- How the Event was Reported
- Analysis and Triage
- Costs Associated with the Event or Incident
- Relevant Dates
- Response Activities
- Lists of Corrective Actions
- Closure

Incident Management and Control: Response

Incident Management Goals
- Protect and restore the normal operating conditions of information systems
- System owners define tolerable impact
- Senior management approves risk appetite and tolerances
- Incident must be closed, and the integrity and availability of affected systems, applications and data must be restored, within an Acceptable Interruption Window (“AIW”), usually documented in a Service Level Agreement

Acceptable Interruption Window (?)
- Colonial Pipeline (May 7, 2021) suffered a ransomware cyberattack
- American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States
- Halted all of the pipeline's operations to contain the attack
- Paid the requested ransom (75 bitcoin or $4.4 million) within several hours after the attack
- Colonial Pipeline restarted the pipeline on May 12th
- On June 7, the Department of Justice announced that it had recovered 63.7 of the bitcoins (approximately $2.3 million) from the ransom payment
- What is an acceptable interruption window (“AIW”)?

Acceptable Interruption Window
- Hollywood Presbyterian Medical Center
- Supposed to have 24x7x365 capabilities
- February 5th 2016 ransomware attack
- Lost availability of the EMR system for ten days
- Emergency patients were diverted to other hospitals
- Paid the $17,000 ransom to regain access to its EHR files
- ”HPMC has restored its electronic medical record ("EMR") system on Monday, February 15th.“
- What is an acceptable interruption window (“AIW”)?
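The event / incident / crisis distinction, the ordered life cycle, the knowledgebase fields and the AIW check above can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the course, from CERT-RMM or from any tool the slides mention; the asset names (ehr-system, hr-portal), the crisis thresholds, the 4-hour and 48-hour AIWs and the timestamps are assumptions chosen to mirror the HPMC scenario.

```python
"""Added example (not from the 95-752 slides): a minimal incident knowledgebase
that applies the CERT-RMM event / incident / crisis distinction, walks a record
through the life cycle in order (discovered -> declared -> analyzed ->
responded -> closed) and, at closure, checks the outage against the asset's
Acceptable Interruption Window.  Assets, thresholds and times are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class Severity(Enum):
    EVENT = "event"        # possibly minor; may or may not become an incident
    INCIDENT = "incident"  # significantly affects assets; requires action
    CRISIS = "crisis"      # impact rapidly escalating or immediate


# Organizational criteria per asset (assumed): "aiw" is the Acceptable
# Interruption Window; "crisis_users" is the outage size the owner calls a crisis.
CRITERIA = {
    "ehr-system": {"aiw": timedelta(hours=4), "crisis_users": 1000},
    "hr-portal": {"aiw": timedelta(hours=48), "crisis_users": 50000},
}

# Every incident, no matter the severity, follows the life cycle in order.
LIFECYCLE = ["discovered", "declared", "analyzed", "responded", "closed"]


@dataclass
class Record:
    """One knowledgebase entry carrying the fields the slides list."""
    description: str
    asset: str
    reported_via: str
    discovered_at: datetime
    users_affected: int = 0
    availability_lost: bool = False
    severity: Severity = Severity.EVENT
    state: str = "discovered"
    restored_at: Optional[datetime] = None
    response_activities: List[str] = field(default_factory=list)
    corrective_actions: List[str] = field(default_factory=list)

    def advance(self, to: str) -> None:
        """Move to the next life-cycle state; skipping a stage is rejected."""
        if LIFECYCLE.index(to) != LIFECYCLE.index(self.state) + 1:
            raise ValueError(f"cannot go from {self.state} to {to}")
        self.state = to


def classify(rec: Record) -> Severity:
    """Evaluate an event against the organizational criteria for its asset."""
    crit = CRITERIA[rec.asset]
    if rec.availability_lost and rec.users_affected >= crit["crisis_users"]:
        return Severity.CRISIS
    if rec.availability_lost or rec.users_affected > 0:
        return Severity.INCIDENT
    return Severity.EVENT


def declare(rec: Record) -> Severity:
    """Declaration: classify the event and enter the life cycle."""
    rec.severity = classify(rec)
    rec.advance("declared")
    return rec.severity


def close(rec: Record, restored_at: datetime) -> dict:
    """Closure: record restoration and report whether the AIW was met."""
    rec.restored_at = restored_at
    rec.advance("closed")
    outage, aiw = restored_at - rec.discovered_at, CRITERIA[rec.asset]["aiw"]
    return {"outage_hours": outage.total_seconds() / 3600,
            "aiw_hours": aiw.total_seconds() / 3600, "within_aiw": outage <= aiw}


def demo() -> dict:
    """A ransomware outage shaped like the HPMC slide, plus a scan that stays
    a mere event because it affects no users and no availability."""
    t0 = datetime(2024, 2, 5, 8, 0)
    rec = Record("Ransomware encrypted the EMR file shares", "ehr-system",
                 "help desk ticket", t0, users_affected=2500, availability_lost=True)
    declare(rec)
    rec.advance("analyzed")
    rec.response_activities += ["isolate file servers", "restore from backup"]
    rec.advance("responded")
    rec.corrective_actions.append("require MFA on all remote access")
    result = close(rec, t0 + timedelta(days=10))   # ten days, AIW is 4 hours
    result.update(severity=rec.severity.value, state=rec.state)
    scan = Record("External port scan against the HR portal", "hr-portal",
                  "IDS alert", t0)
    result["scan_severity"] = classify(scan).value
    return result


def skipping_states_is_rejected() -> bool:
    """A fresh record cannot jump straight to 'analyzed'."""
    rec = Record("test", "hr-portal", "IDS alert", datetime(2024, 1, 1))
    try:
        rec.advance("analyzed")   # skips "declared"
    except ValueError:
        return True
    return False
```

Running demo() classifies the EMR outage as a crisis (availability lost for more users than the owner's threshold), walks it to closure, and reports within_aiw as False because a ten-day outage is far outside a four-hour window; the port scan stays an event. The advance() guard is what makes "all incidents follow the life cycle" enforceable rather than aspirational: a record that has not been declared cannot be marked analyzed or closed.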
Reminder

Incident Response ‐ 1
- Means different things to different industries
- In CERT‐RMM, refers to the process of developing, implementing, and deploying actions to address an incident, including damage control

Incident Response ‐ 2
- It may also refer to the coordination with public agencies during an incident
- The definitions are not incompatible – they just describe the activity at a different level of detail

Goals of Incident Response ‐ 1
- Operational
  - Confirm or dispel whether an incident occurred
  - Promote accumulation of accurate information
  - Prevent a disjointed, non‐cohesive response
  - Provide for rapid detection and containment
- Legal
  - Establish control for proper retrieval and handling of evidence (evidence forensics)

Goals of Incident Response ‐ 2
- Strategic
  - Protect an organization’s reputation and assets
  - Educate senior management
  - Learn from the process
- Tactical
  - Minimize disruption to business and network operations / mission

Incident Response & Business Continuity Planning
- Incident response management is a subset of business continuity management
- Both focus on critical business processes
- Both involve proactive and reactive controls
- Both require extensive planning and testing
- Incident identification can be a challenge
- Consider how the AIW aligns with critical business systems and with the Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
- Do you document a Business Impact Analysis for critical systems?

Incident Response Plan ‐ 1
- Prepare in advance of an incident
- Document and obtain sign‐off by management
- High‐level enough to be useful across a range of incidents; low‐level enough to be directive and prescriptive when necessary
- Can be difficult to cover a wide range of incidents

Incident Response Plan ‐ 2
- Common Elements:
  - Goals / Mission
  - Definitions and Categorizations
  - Organizational Units / Personnel Involved
  - Roles, Authorities, Responsibilities
  - Policies, Procedures, Processes
  - Communications Plan

Responses ‐ 1
- Recovery Plan: contain damage; recover to the extent that the immediate damage / threat is past
- Shorter‐term; immediate
- Might be called Business Continuity or Disaster Recovery (BC/DR)

Responses ‐ 2
- Restoration or Remediation Plan: restore the affected process / asset / service back to the condition it was in before the incident
- Longer‐term; may take weeks or months
- Might be called a Remediation Plan or a Restore Plan, but is often conflated as

Incident Response Methodologies ‐ 1
- NIST 800‐61 Computer Security Incident Handling Guide
  - Establishing a response capability and team
  - Establishing the services of the capability and the team
  - Preparing to handle an incident
  - Detecting an incident
  - Analyzing an incident
  - Containing an incident
  - Eradicating and recovering from an incident
  - Learning from an incident

Attack Model
- MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (“ATT&CK”) is a framework for describing the actions an adversary may take while operating within an enterprise network
- It details the tactics, techniques, and procedures (“TTPs”) adversaries use to execute their objectives while operating inside a network
- If the adversary is using best practice for exploitation, is your organization using best practice for network defense?

Critical Security Controls ‐ 1
- Led by the Center for Internet Security (“CIS”)
- The CIS Critical Security Controls are informed by actual attacks and effective defenses
- Developed by an international, grass‐roots consortium that includes a broad range of companies, government agencies, institutions, and individuals:
  - Threat responders and analysts
  - Technologists
  - Vulnerability researchers
  - Network defenders
  - Auditors
  - End users
- Represent community‐based consensus regarding “what should we all be doing” to improve security

The Critical Security Controls ‐ 2
- Version 8.1: released June 2024
- Source: https://www.cisecurity.org/

Essential Technology Considerations
- All attacks and attackers leave traces, but can we find them?
- Baseline minimum tools: vulnerability scanning, ticketing, communication
- Next layer tool set: threat intelligence, malware analysis, SIEM, forensics

Useful IR Software
- Forensics tools: disk analysis (Autopsy / The Sleuth Kit); image creation (FTK Imager); mobile forensics (Cellebrite UFED); network analysis (Wireshark)
- Intrusion detection tools: Snort, Suricata, Zeek, OSSEC
- Security Information and Event Management, with case management functionality: Splunk, OSSEC, Prelude, ELK, OSSIM SIEM Solution
- IR workflow tools: Remedy, Archer, Modulo, ServiceNow, Cybersponse, CyberCPR
- SOAR: Demisto, Swimlane, Rapid7

Intel Optimization
- Security Orchestration, Automation, and Response (“SOAR”)
- SOAR encompasses:
  - Security Orchestration – integrating disparate technologies, usually through workflows, so that they can function together
  - Automation – automating unscalable manual processes to aid decision support, enhancing the analyst with intel / visibility, not replacing them
  - Incident management and response – the end‐to‐end understanding of incidents by security teams to create a more informed and intelligent response
  - Dashboards and reports – simplifying usability by providing data visualizations where incidents can be easily seen, correlated, triaged, documented, and measured
- “…respond to low‐level security events without human assistance.”

Personnel
- Generally, the ratio of people, process and technology changes during an incident
- (Figure: staff, i.e. humans needed, versus tools across initial detection and response & notification)

Too Many Tools?
- Security teams often deal with approximately 175,000 alerts per week
- Only able to review ~12,000 of them
- The chief sources of alert fatigue are a proliferation of security tools and a shortage of experienced analysts (talent shortage)
- Results in a high MTTR (Mean Time to Respond): an average of 4.35 days to resolve an incident
- Incidents begin to fall through the cracks

Notional Incident Response Process Flow
- (Figure: swim‐lane flow across Detect, Triage and Respond)
- System Users notice an event, provide additional information and submit a possible event report
- Help Desk receives the report; the report is closed if no response is needed, otherwise the event report is coordinated to the CSIRT
- CSIRT triages (categorized, prioritized, assigned event), analyzes, plans and executes the technical response; proactive detection from general indicators also produces event reports
- IT Department plans and executes the technical response if a technical response is needed
- Management provides the management response if a management or legal response is needed
- External Experts and Organizations provide advice and guidance
- The event is closed when the response is complete

Response Depends on the Role
- Technical response
  - phone or email technical assistance
  - on‐site assistance
  - data collection
  - analysis of logs, files, or other data
  - computer forensics
  - development and dissemination of patches, fixes, workarounds or other solutions
  - advisories, alerts, and technical documentation
- Legal response
  - investigative assistance
  - legal advice on liability
  - review of contracts, SLAs, and non‐disclosures
  - contacting law enforcement
  - prosecution
  - compliance reporting
  - contacting affected parties
  - reporting to government agencies
- Management response
  - executive or upper management actions
  - human resource actions
  - media relations actions
- Board response
  - management guidance and oversight
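The alert‐fatigue numbers and the SOAR aim of handling low‐level events without a human, together with the help‐desk / CSIRT split in the process flow, can be illustrated with a small triage playbook. The following is an added example written for this page, not code from the course or from any SOAR product named on the slides; the alert records, the signature names, the critical‐asset list (10.0.0.50), the authorized scanner address (10.0.9.9) and the sweep threshold are all constructed for the demonstration.

```python
"""Added example (not from the 95-752 slides): the kind of triage step a SOAR
playbook runs before an analyst sees the queue.  It collapses duplicate alerts
into cases, auto-closes low-level events that match a documented allow-list,
escalates anything touching a critical asset to the CSIRT, and queues sustained
activity for analyst review.  Alerts, assets and the allow-list are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed organizational context (constructed for the demo).
CRITICAL_ASSETS = {"10.0.0.50"}      # e.g. the EMR database server
AUTHORIZED_SCANNERS = {"10.0.9.9"}   # the in-house vulnerability scanner
SWEEP_THRESHOLD = 10                 # alerts from one source before a human looks

Alert = Dict[str, object]


def constructed_alerts() -> List[Alert]:
    """48 IDS-style alerts in the shape a SIEM would hand to a playbook."""
    alerts: List[Alert] = []
    for i in range(40):   # one external source sweeping 40 hosts
        alerts.append({"sig": "SCAN Nmap SYN sweep", "src": "203.0.113.7",
                       "dst": f"10.0.0.{i + 1}", "sev": 3})
    for i in range(5):    # the authorized scanner on its weekly run
        alerts.append({"sig": "SCAN Nmap SYN sweep", "src": "10.0.9.9",
                       "dst": f"10.0.0.{i + 1}", "sev": 3})
    alerts += [
        {"sig": "MALWARE Beacon to known C2", "src": "10.0.0.50",
         "dst": "198.51.100.2", "sev": 1},
        {"sig": "MALWARE Beacon to known C2", "src": "10.0.0.50",
         "dst": "198.51.100.2", "sev": 1},
        {"sig": "POLICY Failed SSH login", "src": "10.0.0.12",
         "dst": "10.0.0.20", "sev": 3},
    ]
    return alerts


def aggregate(alerts: List[Alert]) -> List[dict]:
    """Collapse alerts sharing (signature, source) into one case."""
    groups: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"count": 0, "dsts": set(), "sev": 9})
    for a in alerts:
        g = groups[(str(a["sig"]), str(a["src"]))]
        g["count"] += 1
        g["dsts"].add(a["dst"])
        g["sev"] = min(g["sev"], int(a["sev"]))   # 1 = most severe
    return [{"sig": sig, "src": src, **g} for (sig, src), g in groups.items()]


def disposition(case: dict) -> str:
    """Playbook rules in priority order.  Only the auto-closed outcomes act
    without a human; the others route the case to people."""
    if case["src"] in AUTHORIZED_SCANNERS and case["sig"].startswith("SCAN"):
        return "auto-closed: authorized scanner"
    if (case["sev"] == 1 or case["src"] in CRITICAL_ASSETS
            or case["dsts"] & CRITICAL_ASSETS):
        return "escalate: CSIRT technical response"
    if case["count"] >= SWEEP_THRESHOLD:
        return "queue: analyst review"
    return "auto-closed: logged, no response needed"


def triage(alerts: List[Alert]) -> dict:
    """Run the playbook and report how much of the volume reached a human."""
    cases = [(c, disposition(c)) for c in aggregate(alerts)]
    summary = {"alerts": len(alerts), "cases": len(cases),
               "escalated": 0, "queued": 0, "auto_closed": 0}
    for _, d in cases:
        summary[{"e": "escalated", "q": "queued", "a": "auto_closed"}[d[0]]] += 1
    summary["needs_human"] = summary["escalated"] + summary["queued"]
    summary["dispositions"] = {f'{c["sig"]} from {c["src"]}': d for c, d in cases}
    return summary


if __name__ == "__main__":
    for key, value in triage(constructed_alerts()).items():
        print(key, value)
```

On the constructed input, 48 alerts collapse to 4 cases, of which 2 reach a human: the beacon from the critical asset is escalated to the CSIRT and the 40‐host external sweep is queued for review, while the authorized scanner's run and the single failed login are closed with a logged record. The ordering of the rules matters: the allow‐list check runs first so that an authorized scan is never escalated, but the critical‐asset check runs before the volume check so that a single beacon from a critical host is never treated as noise.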
Incident Management and Control: Evidence

Evidence Forensics ‐ 1
- Refers to the collection, documentation, and preservation of event / incident evidence
- Typically required by local, state, or federal rules, laws, and regulations
- Must be thought about beforehand – otherwise preservation may not occur

Evidence Forensics ‐ 2
- May require the involvement of legal and law enforcement personnel (e.g. FBI, USSS, local law enforcement) to avoid problems with evidence retention, destruction, and tampering

Law Enforcement
- Several levels of law enforcement are available to investigate incidents
  - FBI
  - US Secret Service
  - DHS / US‐CERT
  - Law enforcement in other countries
- For US Government agencies, this includes the Office of the Inspector General

Incident Reporting ‐ 1
- Varies widely depending on organization and affiliations
- Federal agencies must report incidents to a country‐specific (US‐)CERT and have a POC
  - Does not replace the organization’s response team
  - Augments the team as a focal point for coordination
  - Analyzes agency information

Incident Reporting ‐ 2
- Organizations that don’t have a CSIRT (Computer Security Incident Response Team) can report to their sector’s Information Sharing and Analysis Center (ISAC)
  - FS‐ISAC: Financial Services ISAC
- ISACs share important sector‐specific information and coordinate incidents across organizations

ISACs ‐ 2023
https://www.nationalisacs.org/member‐isacs‐3

Incident Management and Control: Learning

Incident Learning ‐ 1
- A process improvement component of the incident management life cycle
- Requires post‐incident review to determine root cause(s)
- Should link to the organization’s problem management process – a means for identifying recurring problems in order to prevent future, similar incidents

Incident Learning ‐ 2
- Improves the overall IMC strategy to meet two objectives:
  - Improve the overall IMC process
  - Limit exposure to threats

Incident Closure
- Indicates that the incident and its effects have been completely addressed
  - Knowledgebase is updated
  - Any learning activities have been completed
  - New processes / procedures / policies / roles have been implemented

Incident Management and Control: Implement

IMC Implementation
- In most organizations, carried out by a CSIRT: Computer Security Incident Response Team
- Contract with a CERT – typically different roles / levels

Types of CSIRTs
- Internal
- National
- Coordination Center (typically a “CERT”)
- Analysis Center (ISAC)
- Vendor Team
- 3rd Party Provider

CSIRT Staffing
- Employees
- Partially Outsourced
  - Monitoring outsourced, but response is insourced
  - Call on contractor for help in an incident
- Fully Outsourced
  - Typically contractor is on‐site

CSIRT Reporting / Structure
- Can be dependent on or independent of the organization
- CSIRT can report to CIO, CISO, CP‐Audit, VP‐Compliance, VP‐Risk …
- Funding can come from parent organization, fee‐for‐service, government, consortium …

CSIRT Services
- Proactive: intrusion detection, assessments, tool configuration
- Reactive to Incident or Event: alerts, incident handling, vulnerability handling, response coordination, artifact handling
- Involvement in Security Quality and Improvement: BC/DR, risk analysis, training, product evaluation

CSIRT Internal Dependencies

CSIRT External Dependencies
- From NIST 800‐61

Building a CSIRT
1. Management Support
2. CSIRT Strategic Plan
3. Requirements / Roles / Responsibilities
4. Design
5. Operational Plan
6. CSIRT Implementation
7. Effectiveness Measurement

Incident Management and Control: Standards

Incident Management Standards
- NIST 800‐61 – Computer Security Incident Handling Guide
- NFPA 1561 (National Fire Protection Association) – Standard on Emergency Services Incident Management System and Command Safety
- NFPA 1600 – Standard on Disaster/Emergency Management and Business Continuity Programs
- ISO 27035 – Information security incident management
- ITIL – set of practices for IT Service Management

Incident Management and Control: Exercise(s)
https://www.cisa.gov/publication/cybersecurity‐scenarios

Carnegie Mellon University – Incident Response Plan ‐ 2023
https://www.cmu.edu/iso/governance/procedures/incidentresponseplanv1.6.pdf

References
- Handbook for Computer Security Incident Response Teams [CMU/SEI‐2003‐HB‐002]
- State of the Practice of Computer Security Incident Response Teams, SEI/CERT, 2005, http://www.cert.org/archive/pdf/03tr001.pdf
- NIST Computer Security Incident Handling Guide, SP 800‐61, Revision 2

End of Module 10
