ge incident response
play

GE Incident Response Insight Awareness Advantage Sean Mason - PowerPoint PPT Presentation

Aug 08, 2023 •185 likes •609 views

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

  1. GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

  2. Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management Compliance, controllership, IT management GE.com/InfoSec

  3. Fundamentals

  4. Evolution 2 IR 4 1 3 5

  5. Threats Threat type What Examples Highly visible attacks targeting • Anonymous Hack cktivism large corporations and government agencies Advance ced Organized and state funded groups • APT1 Persistent methodically infiltrating the enterprise Threat Organized crime rings targeting • RBN Cybercr crime individuals and corporations for financial gain

  6. Kill Chain (KC) KC1- Reco connaissance ce: Collecting information Reco connaissance ce and learning about the internal structure of the host organization KC2- Weaponization: How the attacker packages Weaponization the threat for delivery KC3- Delivery: The actual delivery of the threat (via Delivery email, web, USB, etc.) KC4- Exploitation: Once the host is compromised, the Exploit attacker can take advantage and conduct further attacks Installation KC5- Installation: Installing the actual malware, for example Command & & KC6- Command & & Control: Setting up controls so the attacker can have future access to the host’s network Control (C2) KC7- Act ctions on I Intent: The attacker meets his/her goal (e.g. Act ctions on Intent stealing information, gaining elevated privileges or damaging the host completely)

  7. Incident Response process (DCAR+I) Identify Scope Ticket management Tool Alerts • NSM • Contain Host • SIEM • Acquire Forensic Evidence • AV/HIPS Prioritize Risks Live Response status Network log data Detect Contain & Collect Intel Reporting Remediate Analyze Impact (data movement) • Actors • Rebuild host Indicators for new • Methods • Reset passwords signatures • Movement • Task Force • Accounts countermeasures

  8. IR measured cycle times • Event (Event Time) Event How fast did • Triage (Detect Time) Dwell Time Event we find it? Analysis (DWT) • Report (Report Time) Report How fast did • IR Actions (Contain Time) we respond Contain Time Contain (CNT) to it? • Remediation/Task Force Business Impact Time (Remediation Time) How fast did (BIT) Remediate we fix it? Strategic Remediate Time (SRT) DWT + CNT = Time of unauthorized access to asset

  9. Workflow & knowledge management

  10. Communication  Tailored audience based on KC  Standard communications rhythm (~1hr after declaration; COB daily)   More detailed PowerPoint RESTRICTED INFORMATION – LIMITED DISTRIBUTION; ENCRYPTED TRANSMISSION ONLY Note: Updated information is shaded in Green and completed  End of week actions are struck through. Kill Chain Phase:  Inclusive & transparent! Businesses & Locations Impacted: Summary: Impact: Incident Status: MM-DD-YYYY HHMM Host Status: Intelligence Summary: · Attribution Action Items: Next Update:

  11. Intel

  12. Intel Chemical Financial Services Commercial Open Source Associations Government Food & Agriculture Facilities Industry & Government Communications Facilities Trade Critical Healthcare & Manufacturing Public Health Information Dams Technology Nuclear Reactors, Defense Industrial Base Materials & Waste Transportation Emergency Services Systems Water & Wastewater Energy Systems Strong relationship with key stakeholders across all sectors

  13. Intel storage & analysis CRITs is a a MITRE applica cation provided to i industry peers (120+ members) for: – Indicator management – Malware triage – Advanced Intel analysis – Managing the “Sharing Problem” – Implementing threat sharing standards OSINT Sharing partners Antivirus vendors

  14. Structured indicator storage Summary details provide the default required values about an indicator

  15. Structured indicator storage Actions can be used to show tracking of an indicator to a detection deployment. Tickets can be used to relate indicators back to our tickets.

  16. Structured indicator storage Campaigns show the threat actor attribution from the Cyber Intelligence teams

  17. Structured indicator storage Relationships build out the larger picture of how various pieces of intelligence are linked

  18. Structured indicator storage Objects allow us to tag intelligence with context such as the Kill Chain or what role the intelligence plays

  19. Detect

  20. Intel driven, threat centric detection Intelligence ce Respond Detect ct Collect Analyze Disseminate Transform Develop Deploy Triage Respond Remediate Establish Extract ction Store Product ct Consume Development Product ction Event Formal IR Remediation on Requirements Deployment Analysis Enrich chment / / Distribute Quality Build Host Isolation Service ce Gather Analysis Check Signature Investigation Restoration Intelligence ce - Prioritization Pre- Monitoring Containment - Validation Detect ction deployment Feedback ck Root Cause - Categorization Manage Alignment Test Collect ct/ Live Collect ction Analysis (god/bad/infor Collect ction - Platform Aggregate Reporting mational) - Location Docu cument Forensics cs Arch chitect cture - Quality Check Store Raw Intel - Capacity Notify / - Frequency Reviews Present Communica cations Analysis Proce cess Alert Reporting Monitoring Improvement SIEM WAF HTTPRY IPS IDS Proxy AV NSM DLP

  21. Detection scenarios Weapon- Act ct on Reco con Delivery Exploitation Installation C2 C2 ization Object ctives Behavior File - Name File Code - Binary_Code Behavior Behavior Behavior File - Full Path File File - Path Win Process Signature Win Registry Key Win Registry Key File - Name URI - URL URI - URL Win Registry Key Win Process Win Service File - Name File HTTP - GET File - Full Path Win Registry Key File - Full Path File URI - URL HTTP - User Agent File - Name File File - Name URI – URL HTTP - POST String File URI - URL File URI - Domain Name Email Header - Subject URI - Domain Name File - Path HTTP - GET File - Path Hash - MD5 Email Header - X-Mailer Address - e-mail URI - URL HTTP - POST URI – URL Hash - SHA1 URI - Domain Name Address - ipv4-addr HTTP - GET HTTP - User Agent String URI - Domain Name Address - cidr Hash - MD5 HTTP - User Agent String URI - Domain Name Hash - MD5 Address - ipv4-addr Hash - SHA1 URI - Domain Name Hash - MD5 Hash - SHA1 Address - e-mail Hash - MD5 Address - e-mail Address - ipv4-addr Address - ipv4-addr Hash - SHA1 Address - ipv4-addr Hash - SSDEEP Address - e-mail Address - ipv4-addr

  22. Platform strengths (IPS+) Weapon- Act ct on Reco con Delivery Exploitation Installation C2 C2 ization Object ctives Behavior File - Name File Code - Binary_Code Behavior Behavior Behavior File - Full Path File File - Path Win Process Signature Win Registry Key Win Registry Key File - Name URI - URL URI - URL Win Registry Key Win Process Win Service File - Name File HTTP - GET File - Full Path Win Registry Key File - Full Path File URI - URL HTTP - User Agent File - Name File File - Name URI – URL HTTP - POST String File URI - URL File URI - Domain Name Email Header - Subject URI - Domain Name File - Path HTTP - GET File - Path Hash - MD5 Email Header - X-Mailer Address - e-mail URI - URL HTTP - POST URI - URL Hash - SHA1 URI - Domain Name Address - ipv4-addr HTTP - GET HTTP - User Agent String URI - Domain Name Address - cidr Hash - MD5 HTTP - User Agent String URI - Domain Name Hash - MD5 Address - ipv4-addr Hash - SHA1 URI - Domain Name Hash - MD5 Hash - SHA1 Address - e-mail Hash - MD5 Address - e-mail Address - ipv4-addr Address - ipv4-addr Hash - SHA1 Address - ipv4-addr Hash - SSDEEP Address - e-mail Address - ipv4-addr

  23. Detection visibility gaps Weapon- Act ct on Reco con Delivery Exploitation Installation C2 C2 ization Object ctives HTTP - User Agent File Email Header - Subject HTTP - User Agent String Address - ipv4-addr String File - Path Email Header - X-Mailer Address - ipv4-addr URI - URL Example data

  24. Detection gaps per actor Weapon- Act ct on Reco con Delivery Exploitation Installation C2 C2 ization Object ctives File File File Email Header - Subject Hash - MD5 URI - Domain Name Hash - MD5 Hash - MD5 Address - e-mail Address - ipv4-addr Example data

  25. Contain & Collect

  26. Outpost locations Outpost server Centralized Storage/Analysis Example locations

  27. Automated & centralized C&C Outpost(s) Manual Automated 1 Centralized Storage & Analysis 4 2 External SSH Suspect 3 Internal SSH

  28. Containment selection  Find host and system type  Identify operating system  Determine if the host is online or offline  Identify if the system is on VPN Example data

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT MIRG OOERATIONAL GUIDELINES The project developed the following operational guidelines: 1. Assessing the Safety Status of a Vessel

598 views • 16 slides
Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored By: Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Visit www.advisenltd.com at the end of this webinar to

498 views • 18 slides
Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security Engineer/Incident Responder Open source contributor (github.com/javuto) Former IBM, Facebook, Uber and Airbnb Current BitMEX Agenda Part 1:

981 views • 59 slides
PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub egan {husakm|cegan}@ics.muni.cz ECTCM 2014 Fribourg, Switzerland Outline Introduction, Phishing incident response, PhiGARo (phishing

270 views • 23 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance Operators 3 FillIn Motorist Assistance Operators from Maintenance 1 Work Zone Coordinator 2 MoDOT TMC Operators 1 City of Springfield

404 views • 24 slides
The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren After my graduation After my graduation Where I work Skill set What I do What I do Case study: incident response Incident Response for fictional

709 views • 39 slides
EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry

EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry

EVERY MINUTE COUNTS COORDINATING HEROKU'S INCIDENT RESPONSE / Blake Gentry @blakegentry PERSONAL BACKGROUND Lead Engineer at Heroku since 2011 Worked on nearly all parts of the platform In 2012, I led a project to overhaul Herokus Incident

1.03k views • 72 slides
A perspective to incident response or another set of recommendations for malware authors

A perspective to incident response or another set of recommendations for malware authors

A perspective to incident response or another set of recommendations for malware authors Alexandre Dulaunoy - TLP:WHITE alexandre.dulaunoy@circl.lu June 7, 2013 CIRCL, national CERT of Luxembourg CIRCL 1 is composed of 6 full-time incident

572 views • 21 slides
Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:> whoami /all Tom Ueltschi Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!) Focus & Interests: Malware Analysis, Threat Intel,

1.45k views • 115 slides
OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz

OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz

DETECT . ANALYZE . REMEDIATE OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz +972-545444313 1 1 1 What People Think 2 True or False? Threat intelligence Nation-state actors Commercial threat

247 views • 24 slides
2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and

2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and

2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and why does it matter?) Who we are (and why does it matter?) So... 2013 2013 Significant Events Research Themes Future Themes ? References / Links

983 views • 71 slides
NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi and Davide Balzarotti Eurecom Symantec Research Labs Universit degli Studi di

695 views • 34 slides
Acute Variables Of Training The Process Of Designing Training Plans SBS Academy: Unit 2 Mo

Acute Variables Of Training The Process Of Designing Training Plans SBS Academy: Unit 2 Mo

Acute Variables Of Training The Process Of Designing Training Plans SBS Academy: Unit 2 Mo Module le 2. 2.8 Unit 2- Coaching For Physique Athletes Learning Objectives Understand the role of exercise selection in training for

282 views • 14 slides
ECE590 Computer and Information Security Fall 2018 Malware Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2018 Malware Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2018 Malware Tyler Bletsch Duke University [SOUP13] defines malware as: a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality,

766 views • 53 slides
The BigChaos Solution to the Netflix Prize Presented by: Chinfeng Wu 1 Saturday, April 10,

The BigChaos Solution to the Netflix Prize Presented by: Chinfeng Wu 1 Saturday, April 10,

The BigChaos Solution to the Netflix Prize Presented by: Chinfeng Wu 1 Saturday, April 10, 2010 Outline The Netflix Prize The team "BigChaos" Algorithms Details in selected algorithms End-Game

561 views • 32 slides
Viva, the NoSQL Postgres ! Oleg Bartunov Lomonosov Moscow University, Postgres Professional

Viva, the NoSQL Postgres ! Oleg Bartunov Lomonosov Moscow University, Postgres Professional

Viva, the NoSQL Postgres ! Oleg Bartunov Lomonosov Moscow University, Postgres Professional FOSDEM, Feb 4, 2018, Brussels, Belgium Oleg Bartunov M ajor PostgreSQL contributor CEO, Postgres Professional Research scientst at Lomonosov

551 views • 26 slides

More recommend