Week 9 Incident Response COM3017 PDF

Document Details

Uploaded by Deleted User

University of Surrey

Tags

incident response, information security management, cyber security, contingency planning

Summary

This document covers information security management, detailing incident response procedures, and contingency planning. It includes examples from real-world incidents, such as the Blackbaud and Solarwinds breaches, and emphasizes the importance of incident response.

Full Transcript

Week 9 Incident Response COM3017 Information Security Management

Acknowledgement: with thanks to Matthew Trump from QMUL for the detailed insights and contribution to the slides.

Contingency Planning (CP)
The overall planning for unexpected adverse events is called contingency planning. Overall planning for CP is made up of four major components: the data collection and documentation process known as the business impact analysis (BIA), the incident response (IR) plan, the disaster recovery (DR) plan, and the business continuity (BC) plan. Organizations can either create and develop the three planning elements of the CP process (the IR, DR, and BC plans) as one unified plan, or they can create the three elements separately in conjunction with a set of interlocking procedures that enable continuity.

Overview
1. What do you do when there is a cyber incident?
2. What standards do you use when developing a response plan?
3. How do you define the scope of a plan?
4. What processes do you need to put in place in order to test the plan, and how do you engage with the stakeholders when evaluating the effectiveness of the plan?

And also...
- This will help you to start thinking: none of this is definitive; there is no template or 'right answer'.
- There is no such thing as a 'final' plan.
- The references provide a good starting point for research.
- Largely theoretical, as every organisation is unique: size, sector, risk appetite, management / governance, regulations, BC / DR.
- Key takeaways: have a plan and test it regularly.

Why is this important?
- Nothing is 100% secure.
- Regulatory requirements (GDPR).
- PCI DSS: "Implement an incident response plan. Be prepared to respond immediately to a system breach." (12.10.1)
- Real world examples: Blackbaud, Fireeye, Solarwinds.
- An indication of senior management commitment to cyber security.
- Business plans driven by the business.

Prepare the plan - NIST guidelines
NIST SP 800-61r2, Computer Security Incident Handling Guide (NIST.SP.800-61r2.pdf).
"Plans are nothing, planning is everything" (President Dwight D. Eisenhower)

Preparation: policy
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy
- Definition of computer security incidents and related terms
- Prioritisation or severity ratings of incidents
- Organisational structure and definition of roles, responsibilities, and levels of authority

Preparation: what to plan for?
- Talk to management
- UK National Risk Register
- BCI Horizon Scan
- Organisational risk register
- Current events (e.g. ransomware)
- Future predictions (vendors)

Preparation: plans
- Senior management approval
- Organisational approach to incident response
- How the incident response team will communicate with the rest of the organisation and with other organisations
- Team structures / comms / locations
- Metrics for measuring the incident response capability and its effectiveness
- Develop procedures: store / disseminate / invoke

Comms example: Fireeye
The blog post they never wanted to make... but had written ready. Complete loss of IP; countermeasures released.
https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html

Example: Blackbaud (CRM)
- The US-based company's systems were hacked in Feb 2020.
- Not discovered until May 2020.
- Criticised for not disclosing this externally until July 2020, and for having paid the hackers an undisclosed ransom.
- Denied that sensitive / financial details had been lost until an SEC filing in September 2020.
- Blackbaud is defending multiple class action lawsuits in the United States.
https://www.bbc.co.uk/news/technology-53516413
https://therecord.media/ftc-settles-with-blackbaud-over-data-handling-breach

Detection and analysis
- Ideal: automatically detected and shut down.
- Alert from SOC / SIEM tool: is it too late?
- Internal notification to the service desk: do staff know what to report?
- External notification (top tip: make it easy): law enforcement, security researchers. Publish how to reach you: RFC 2350 (a standard description of your CSIRT) and security.txt.
- Precursor vs indicator (in NIST SP 800-61r2 terms: a precursor is a sign that an incident may occur in the future; an indicator is a sign that an incident may have occurred or may be occurring now).
- MITRE ATT&CK framework.

Containment, eradication and recovery
- Will depend on the incident.
- Containment: stop the incident spreading or causing more damage; this buys time for eradication (shut down a system, disconnect it from a network, disable certain functions).
- Needs to be part of the procedure. Preserving evidence?
- Eradication: eliminate components of the incident, such as deleting malware and disabling breached user accounts (rebuild?); identify and mitigate all vulnerabilities that were exploited.
- During eradication, it is important to identify all affected hosts within the organisation so that they can be remediated.
- For some incidents, eradication is either not necessary or is performed during recovery.
- Recovery: administrators restore systems to normal operation (backup, rebuild, restore known good configs); consider higher levels of system logging or network monitoring, and watch for repeat attacks.
- Large scale recovery could take months, e.g. https://www.cybersecurity-insiders.com/cyber-attack-hits-maersk-group-again/

Example: Solarwinds / DHS (CISA Emergency Directive 21-01)
"Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network."
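The Detection and analysis slide above says to make external notification easy and points at RFC 2350 and security.txt. The script below is an added example, not part of the course slides: it checks a security.txt file against the structural rules of RFC 9116, the RFC behind the securitytxt.org format (Contact is required; Expires is required, appears exactly once and must not be in the past; Preferred-Languages appears at most once; web links must be HTTPS). The two sample files, the example.com addresses and the fixed clock NOW are constructed for the demonstration so that it runs offline and gives reproducible results.

```python
"""Check a security.txt file (RFC 9116) so that outside reporters can reach the IR team.

Added example with constructed inputs; example.com is a placeholder, not a real deployment.
"""
from datetime import datetime, timedelta, timezone

# Field constraints from RFC 9116 section 2.5:
# name -> (required, maximum number of occurrences, or None for unlimited)
FIELD_RULES = {
    "contact": (True, None),
    "expires": (True, 1),
    "preferred-languages": (False, 1),
    "acknowledgments": (False, None),
    "canonical": (False, None),
    "encryption": (False, None),
    "hiring": (False, None),
    "policy": (False, None),
}

# Contact values must be URIs; these are the schemes the RFC gives as examples.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text):
    """Return (fields, problems). fields maps the lower-cased field name to its
    values in file order; problems lists lines that are not 'Field: value'."""
    fields, problems = {}, []
    in_signature = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip a PGP cleartext-signature wrapper; verifying the signature is out of scope here.
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_signature = True
            continue
        if in_signature:
            if line.startswith("-----END PGP SIGNATURE-----"):
                in_signature = False
            continue
        if (not line or line.startswith("#")
                or line.startswith("-----BEGIN PGP SIGNED MESSAGE") or line.startswith("Hash:")):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, problems


def parse_expires(value):
    """Parse the ISO 8601 date-time used by Expires; a value without a zone is taken as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)

    for name, (required, max_count) in FIELD_RULES.items():
        count = len(fields.get(name, []))
        if required and count == 0:
            problems.append(f"missing required field: {name}")
        if max_count is not None and count > max_count:
            problems.append(f"{name} appears {count} times (maximum {max_count})")

    for value in fields.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:, tel: or https:// URI: {value}")

    # Web links in any field must use HTTPS (RFC 9116 section 2.5).
    for name, values in fields.items():
        for value in values:
            if value.lower().startswith("http://"):
                problems.append(f"{name} uses plain http://: {value}")

    for value in fields.get("expires", []):
        try:
            expires = parse_expires(value)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if expires <= now:
            problems.append(f"file expired on {value}; reporters may treat it as stale")
        elif expires > now + timedelta(days=365):
            problems.append(f"Expires is more than a year away ({value}); RFC 9116 recommends under a year")
    return problems


# Constructed sample files for the demonstration.
GOOD = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2031-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2020-02-01T00:00:00Z
Canonical: http://example.com/.well-known/security.txt
Preferred-Languages: en
Preferred-Languages: de
this line has no field name
"""

# Fixed clock so the sample results are reproducible.
NOW = datetime(2030, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        issues = validate_security_txt(sample, NOW)
        print(f"{label}: {'OK' if not issues else str(len(issues)) + ' problem(s)'}")
        for issue in issues:
            print("  -", issue)
```

Run as a script it reports the good sample as clean and lists seven problems for the bad one. In practice, feed validate_security_txt() the text fetched from your own /.well-known/security.txt on a schedule: an expired Expires value is the most common way a reporting channel silently goes stale, which is exactly the "is it too late?" failure the slide warns about.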
"Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available."
Additionally:
- Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.

Example: Solarwinds / DHS (continued)
After (and only after) all threat actor-controlled accounts and identified persistence mechanisms have been removed:
a. Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.
b. Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
c. Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
d. Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a 3rd party with experience eradicating APTs from enterprise networks.
Source: https://cyber.dhs.gov/ed/21-01/

Post incident activity
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- What would the staff and management do differently the next time a similar incident occurs?
- How could information sharing with other organisations have been improved?
- What corrective actions can prevent similar incidents in the future?
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What additional tools or resources are needed to detect, analyse, and mitigate future incidents?
- Lessons learned, or merely lessons identified?

Testing the plans (regularly)
- Management commitment (time)
- Ongoing review and updates (quarterly?)
- Internally run or external consultants
- Paper tests
- Tabletop exercises
- Simulated attack
- The real deal: "The Facebook data center team regularly shuts down entire sites to see how its application will behave and to learn what improvements can be made."
https://www.cpomagazine.com/cyber-security/trial-before-the-fire-how-to-test-your-incident-response-plan-to-ensure-consistency-and-repeatability/
https://www.datacenterknowledge.com/archives/2016/08/31/facebook-learned-regularly-shutting-entire-data-centers

Testing the plan: who?
- Executive simulation
- Incident co-ordination
- Response team simulation
- Finance team for PCI DSS

Testing the plan: how?
- The CISA Tabletop Exercise Package (CTEP) is designed to assist critical infrastructure owners and operators in developing their own tabletop exercises.
- NCSC Exercise in a Box
- Tailored plan

Testing the plan: why?
- At the conclusion of your incident response plan test, you should conduct a debrief.
- Identify the key areas for improvement in your incident response plan.
- Feedback for all levels of personnel and management involved in your incident response plan.
- Refine the plan and adjust any incident response processes that need to be addressed.

Two key takeaways
1. Have a plan
2. Test it regularly

References
https://www.gov.uk/data-protection
https://www.bsigroup.com/en-GB/iso-22301-business-continuity/BCI-Horizon-Scan-Report/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
https://www.cisa.gov/sites/default/files/publications/2%20-%20CTEP%20Exercise%20Planner%20Handbook%20%282020%29%20FINAL_508.pdf
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
https://tools.ietf.org/html/rfc2350
https://securitytxt.org/
https://www.pcisecuritystandards.org/
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/61934/national_risk_register.pdf
https://investor.blackbaud.com/static-files/bba71e4b-81f9-4be8-92d0-b8b749cb306b
https://cyber.dhs.gov/ed/21-01/
https://attack.mitre.org/
https://www.cpomagazine.com/cyber-security/trial-before-the-fire-how-to-test-your-incident-response-plan-to-ensure-consistency-and-repeatability/
https://www.datacenterknowledge.com/archives/2016/08/31/facebook-learned-regularly-shutting-entire-data-centers
https://blog.rsisecurity.com/best-practices-for-testing-your-cyber-incident-response-plan/
