researchsoc.iu.edu - Strategies for Better Incident Response (ResearchSOC Webinar Series, June 25, 2020)

SLIDE 1

researchsoc.iu.edu Thank you for attending. The webinar will begin shortly.

SLIDE 2

Strategies for Better Incident Response

ResearchSOC Webinar Series

Research Security Operations Center

The NSF Collaborative Security Response Center

JUNE 25, 2020

SLIDE 3

Housekeeping

  • All participants are on mute.
  • Ask your questions via the Q&A feature.
  • We will record this webinar and provide a link.
  • Slides will also be made available.
SLIDE 4

Who is ResearchSOC?

  • Training for Higher Ed infosec
  • Vulnerability scanning
  • STINGAR decoy computers (honeypots)
  • Project liaison
  • Project leadership
  • Virtual Security Teams*
  • REN-ISAC threat intelligence
  • OmniSOC 24x7x365 "Eyes on Glass" SOC

SLIDE 5

Strategies for Better Incident Response

Joshua Drake

Senior Security Analyst, IU Center for Applied Cybersecurity Research

JUNE 25, 2020

SLIDE 6

Security Incidents and Response

Defining an incident

  • A series of events resulting in compromise, or the threat of compromise, to your physical or digital assets

Functions of incident response

  • Minimize the negative impact
  • Gather and protect information
  • Communicate and coordinate with stakeholders
  • Maintain or recover operational availability
SLIDE 7

Elements of effective incident response

Prepared Systematic Iterative

Define in advance methods for:

  • assigning roles and responsibilities
  • documenting the incident and the response actions
  • communicating information to stakeholders
  • validating that an incident has occurred
  • containing malicious behaviors
  • maintaining operational security
SLIDE 8

Elements of effective incident response

Prepared Systematic Iterative

Covers response across many areas crucial to your organizational objectives:

  • aligns with organizational objectives
  • prioritizes the most important response functions:
      • Minimize the negative impact
      • Gather and protect information
      • Communicate and coordinate with stakeholders
      • Maintain or recover operational availability
SLIDE 9

Elements of effective incident response

Prepared Systematic Iterative

Response procedures should be tested and updated regularly

  • easy to find for all stakeholders
  • easy to read
  • frequently referenced
  • continually refined
SLIDE 10

A Little Preparation

Incident Response Checklist

❏ Define organizational objectives
❏ Define roles and responsibilities
❏ Maintain inventory of assets and risks
❏ Create a MISPP
❏ Create an Incident Response Policy

Key responsibilities

❏ Who can declare an incident?
❏ Who can form an incident response team?
❏ Who can communicate with external stakeholders?
❏ Who can close an incident?

SLIDE 11

A Little Preparation

Incident Response Checklist

❏ Define organizational objectives
❏ Define roles and responsibilities
❏ Maintain inventory of assets/liabilities
❏ Create a MISPP
❏ Create an Incident Response Policy

Key responsibilities

❏ Who can declare an incident?
❏ Who can form an incident response team?
❏ Who can communicate with external stakeholders?
❏ Who can close an incident?

SLIDE 12

Poll Questions

  • Q1. Do you have a Master Information Security Policy in place today?
  • Q2. Do you have an incident response policy in place today?

TrustedCI.org/guide

MISPP and Incident Response Templates

SLIDE 13

Response Workflow - Filling out the framework

SLIDE 14

Response Workflow - Identification

Strategies for identification

❏ Train and educate staff on reporting indicators of compromise (IoC)
❏ Make IoC easy to report
❏ Have adequate controls in place
❏ Conduct regular security exercises
❏ Have effective threat intelligence

Who: all staff and stakeholders

Tools:
  • security controls - antivirus, IDS/IPS
  • system logs and reports
  • human reporting of unusual activity

Actions:
  • capture and review log data (automation!)
  • gather relevant information for analysis
  • triage and escalate potential events

SLIDE 15

Response Workflow - Documentation

Effective documentation strategies

❏ Take analog notes if possible
❏ Record date and time for all discoveries and actions taken
❏ Back up documentation
❏ Conduct interviews and note taking as soon as possible
❏ Continue to document during all steps of the response

Who: help desk, analysts, incident response team

Tools:
  • notebooks, paper and pens
  • collaborative note-taking software
  • cold storage

Actions:
  • record the timeline of events
  • capture images of affected machines
  • protect evidence by maintaining chain of custody

SLIDE 16

Response Workflow - Escalation

Strategies for effective escalation

❏ Clearly define how to escalate a potential incident in the IR policy
❏ Assign the responsibility for declaring an incident in the IR policy
❏ Test escalation channels with security exercises

Who: CISO, help desk, analysts, incident response team

Tools:
  • information security policies - MISPP, IRP
  • predefined escalation channels
  • predefined thresholds for declaring an incident

Actions:
  • report and escalate incidents
  • validate whether an incident has occurred
  • declare the incident and form the incident response team
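
The identification, documentation and escalation steps of the last three slides as an added example (this is not the webinar's or ResearchSOC's code): a triage pass over constructed log lines against a constructed IoC list, escalation of any host that crosses a predefined policy threshold, and a timestamped, hash-chained timeline of response actions whose latest digest can be kept in cold storage so later edits to the notes are detectable. The log format, the IoC values and the threshold of three hits are assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone
# Constructed sample log lines (not from the webinar): a benign login, a burst of failed
# root logins from a listed IP, a cron job, and a DNS query for a listed domain.
SAMPLE_LOGS = [
    "2020-06-25T13:01:02Z host=web01 sshd: Accepted publickey for deploy from 10.0.5.12",
    "2020-06-25T13:02:10Z host=web01 sshd: Failed password for root from 203.0.113.45",
    "2020-06-25T13:02:11Z host=web01 sshd: Failed password for root from 203.0.113.45",
    "2020-06-25T13:02:12Z host=web01 sshd: Failed password for root from 203.0.113.45",
    "2020-06-25T13:05:00Z host=db01 cron: job backup finished",
    "2020-06-25T13:06:30Z host=db01 dns: query evil.example resolved",
]
IOC_IPS = {"203.0.113.45"}      # constructed IoC values, as threat intelligence might supply
IOC_DOMAINS = {"evil.example"}
ESCALATION_THRESHOLD = 3  # assumed IR-policy threshold: 3 IoC hits on one host -> escalate
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<msg>.*)$")

def triage(lines, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Identification: collect log lines that match an IoC, grouped by host."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line: skip it rather than abort the review
        msg = m["msg"]
        if any(ip in msg for ip in ioc_ips) or any(d in msg for d in ioc_domains):
            hits.setdefault(m["host"], []).append(m["ts"] + " " + msg)
    return hits
def hosts_to_escalate(hits, threshold=ESCALATION_THRESHOLD):
    """Escalation: hosts whose hit count meets the predefined threshold for declaring an incident."""
    return sorted(h for h, msgs in hits.items() if len(msgs) >= threshold)
class Timeline:
    """Documentation: timestamped actions, each entry's hash committing to the previous entry."""
    def __init__(self):
        self.entries, self._prev = [], "0" * 64
    def record(self, action, when=None):
        ts = (when or datetime.now(timezone.utc)).isoformat()
        digest = hashlib.sha256((self._prev + ts + action).encode()).hexdigest()
        self.entries.append({"ts": ts, "action": action, "hash": digest})
        self._prev = digest
        return digest  # store the latest digest in cold storage to detect later edits
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if hashlib.sha256((prev + e["ts"] + e["action"]).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```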

SLIDE 17

Response Workflow - Containment

Strategies for effective containment

❏ Halt the breach but don't destroy crucial information
❏ Maintain operational security as defined in your IR policy
❏ Document all actions taken, with timestamps
❏ Gather as much information as possible from affected systems

Who: incident response team, IT

Tools:
  • network and system management
  • sandbox environment(s)
  • backup/imaging software

Actions:
  • identify affected systems and isolate them from the rest of your resources
  • back up or image affected systems for later investigation
  • disable accounts and services

SLIDE 18

Response Workflow - Recovery

Strategies for effective recovery

❏ Assign resources according to objectives
❏ Assess the risk of restoring vs. rebuilding compromised systems
❏ Carefully consider whether you will involve outside resources in the response
❏ Have a communication strategy
❏ Define a role in the response team to handle communications

Who: incident response team, IT

Tools:
  • policies
  • organizational objectives

Actions:
  • determine the extent of the incident
  • classify the severity of the incident
  • identify the impact to operations and obligations to develop a recovery strategy
  • assign adequate resources to execute the recovery plan

SLIDE 19

Response Workflow - Eradication

Strategies for effective eradication

❏ Catalog evidence gathered
❏ Carefully remediate all sources of compromise after root cause analysis (RCA)
❏ Evaluate and improve security controls based on findings
❏ Carefully test and monitor affected systems after the incident

Who: incident response team, IT, management, outside agencies

Tools:
  • incident documentation
  • security controls

Actions:
  • verify no indicators of compromise remain
  • perform root cause analysis
  • remove sources of compromise
  • verify integrity of recovered systems

SLIDE 20

Response Workflow - Final Steps

Strategies for effective maturation

❏ Assess what worked and what didn't with the existing plan
❏ Have your final report vetted by management and/or legal
❏ Review, revise, and add security policies as you use them in the field
❏ Keep track of vulnerabilities and rough spots in the process to test in future security exercises

Who: incident response team, management, security team, legal team

Tools:
  • post-mortem
  • policy review

Actions:
  • write a narrative report based on the final documentation
  • determine if further legal/criminal action is needed
  • distribute the report to stakeholders and the community as required and desired

SLIDE 21

Takeaways

  • Most incidents are not high severity.
  • Practice and experience are your most effective tools; practice calm and organized response.
  • Security is a process, not a product; start building momentum today.
  • Build your own template and start maturing it.

TrustedCI.org/guide

MISPP and Incident Response Templates

SLIDE 22

Poll Questions

  • Q3. Have you or your organization responded to an incident in the last 90 days?

ResearchSOC Webinars

More information on:

  • security exercises
  • security metrics
  • crisis management
SLIDE 23

Joshua Drake, Senior Security Analyst
drakejc@iu.edu
researchsoc.iu.edu

Thank you

SLIDE 24

Contact us

The ResearchSOC is supported by the National Science Foundation under Grant 1840034. The views expressed do not necessarily reflect the views of the National Science Foundation or any other organization.

researchsoc.iu.edu
rsoc@iu.edu

SLIDE 25

SLIDE 26

Strategies for Better Incident Response

ResearchSOC Webinar Series - June 2020

Joshua Drake

Senior Security Analyst, Indiana University Center for Applied Cybersecurity Research