
Incident Response in a Zero Trust World

Norval West
December 12, 2020

This presentation provides a historical review of how incident response has been handled from the 1950s to now. It also discusses the impact of Zero Trust as a concept to replace perimeter-based security and to more effectively secure remote work and cloud computing.


Transcript

  1. Copyright © 2020 Information Systems Audit and Control Association, Inc. All rights reserved.

    Norval West CISSP, CDPSE, GPEN, GCFA, GCIH – Incident Response: From Mainframe to Remote Work
  2. Norval West – Information Security Manager (#AsiaCACS)

    • Information Security Manager for a leading multinational Business Process Outsourcing (BPO) company
    • 25 years of experience working in IT across multiple industries, including Banking/Finance, Manufacturing/Distribution, Government, Power Utilities, and Business Process Outsourcing
    • Last 9 years specializing in Information Security
    • Fascinated with Digital Forensics and Incident Response
    • Qualifications: BSc, MBA, CISSP, CDPSE, GCIH, GCFA, and GPEN
  3. Introduction

    Every major technology change has introduced new risks, and each time we have simply updated the security controls to mitigate the new risk. This presentation is a historical review of incident management, leading to the concept of Zero Trust: a security approach that supports remote work and the cloud.
  4. Agenda

    • Historical Review of Incident Response
    • Adoption of Zero Trust Security
    • Incident Response Playbook
  5. Seismic technology advances, and the… History of Incident Response
  6. Age of Mainframes – 1950s
  7. Attack of the Punch Cards – Legendary Kevin Mitnick

    • In 1975, at age 12, Mitnick found a way to bypass the punch card system used by the Los Angeles bus system, using social engineering and dumpster diving.
    • He convinced a bus driver to tell him where he could buy his own ticket punch for "a school project".
    • He retrieved unused transfer slips from the garbage dump next to the bus company garage.
    • With the ticket punch and the unused transfer slips, he was able to ride any bus in the greater LA area.
    • Identification: Discarded/stolen punch cards being reused
    • Containment/Eradication: Seize punch cards, and notify authorities
    • Recovery: N/A
    • Lesson: Secure/shred unused punch cards
  8. Renaissance of PCs – Late 1970s
  9. Early PC Viruses

    Stoned Virus (origin: New Zealand)
    • Overview: Boot sector virus, created in 1987
    • Identification: The phrase "Your PC is now Stoned!" can be found in the following locations:
      - boot sectors of floppy disks
      - master boot records of hard drives
      - on screen, about one in eight times an infected disk is booted
    • Containment: Isolate infected disks
    • Eradication: Restore from backups
    • Recovery: Verify systems, return to operations
    • Lessons: Complete report and security improvements

    Concept Virus
    • Overview: MS Word macro virus, rampant in 1995-97
    • Identification: A small dialog box that contains the number "1" and an "OK" button
    • Containment: Identify all Word documents; isolate computers that shared infected files
    • Eradication: Run antivirus on the systems (such as F-Secure); restore from backups; reinstall Word
    • Recovery: Verify systems, return to operations
    • Lessons: Complete report and security improvements
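The Stoned identification step on the slide is a string signature check on raw boot sectors. The following is an added example, not code from the deck: it scans a 512-byte sector image for the marker phrase and the 0x55AA boot signature, and parses the MBR partition table so the responder can see that the disk layout still looks normal (the virus keeps the partition table, so the machine keeps booting). Both sector images are constructed; the code bytes are NOP placeholders, not the virus, and only the marker string comes from the slide.

```python
"""Boot-sector signature scan for the Stoned virus marker (constructed example)."""
import struct

STONED_MARKER = b"Your PC is now Stoned!"
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR/boot sector
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the code area
ENTRY_FMT = "<B3xB3xII"           # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(sector):
    """Return the non-empty partition entries of an MBR image."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"active": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def scan_boot_sector(sector):
    """Identification check: is the boot signature valid, is the marker present in
    the code area, and what does the partition table say? An intact table on an
    infected sector is expected: the virus copies it into its own sector."""
    if len(sector) != 512:
        raise ValueError("a boot sector image must be exactly 512 bytes")
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "stoned_marker": STONED_MARKER in sector[:PARTITION_TABLE_OFFSET],
        "partitions": parse_partition_table(sector),
    }


def build_sector(code, partitions):
    """Constructed MBR image: `code` padded to 446 bytes, then the partition
    entries given as (active, type, lba_start, sectors), then the signature."""
    if len(code) > PARTITION_TABLE_OFFSET:
        raise ValueError("code area too large")
    sec = bytearray(512)
    sec[:len(code)] = code
    for i, (active, ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sec, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, ptype, start, count)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


# Placeholder code bytes (x86 NOPs), not real boot code; one FAT16 partition at LBA 63.
CLEAN_MBR = build_sector(b"\x90" * 64, [(True, 0x06, 63, 65536)])
INFECTED_MBR = build_sector(b"\x90" * 300 + STONED_MARKER + b"\x00",
                            [(True, 0x06, 63, 65536)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, scan_boot_sector(img))
```

On a real disk the same check is run on the first 512 bytes of the device (and of every floppy image); a marker hit with a valid signature and an intact partition table is exactly the Stoned picture the slide describes.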
  10. Internet, Email, and the World Wide Web – 1980s and 1990s
  11. Network-based Incidents

    Morris Worm
    • Overview: Network worm that infected roughly 10% of the Internet within 24 hours in 1988
    • Identification: Infected Unix servers slowed to a stop as repeated re-infections exhausted their resources (a denial-of-service effect rather than a deliberate DDoS)
    • Containment: Disconnect computers from the network; some institutions wiped systems suspected of being infected
    • Eradication: Restore from backups
    • Recovery: Verify systems, return to operations
    • Lessons: Complete report and security improvements

    WannaCry Ransomware
    • Overview: Ransomware worm that spread worldwide within 24 hours of its detection on May 12, 2017
    • Preparation: Maintain backups of all systems and critical data; build an IR team and security controls
    • Identification: Employees report a ransomware warning on their PC or server screens
    • Containment: Isolate infected computers
    • Eradication: Restore from backups; deploy the Microsoft patch (MS17-010); turn off SMBv1
    • Recovery: Verify systems, return to operations
    • Lessons: Complete report and security improvements
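Both incidents on this slide are network worms, and the tell-tale sign of a worm in network logs is the same in 1988 and 2017: one infected host contacting many distinct hosts on the service it exploits (TCP/445 for WannaCry) in a short time, most attempts denied because the addresses are unused. The following fan-out detector is an added example, not the presenter's code: the log line format, the addresses and the timestamps are constructed, and the port, window and threshold are parameters so the same logic applies to a worm on another service.

```python
"""Worm-propagation (fan-out) detection over firewall connection logs (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Constructed log format; real firewalls and netflow collectors use their own field names.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"], "action": m["action"]}


def detect_fanout(lines, port=445, window_s=60, threshold=20):
    """Return (src, window_start, distinct_destinations) for every source that
    contacts at least `threshold` distinct hosts on TCP `port` within `window_s`
    seconds. Denied connections count too: a worm probing empty addresses is
    the signal, so filtering on action=allow would hide it. Lines are assumed
    to be in time order, as a collector emits them."""
    recent = defaultdict(deque)   # src -> (ts, dst) events inside the window
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] != port:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:   # expire old events
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], q[0][0], len(distinct)))
    return alerts


def build_sample_log():
    """Constructed log: 10.1.2.3 sweeps 10.1.9.1-30 on TCP/445, one host per
    second (mostly denied, as on a sparsely populated subnet), while five
    workstations talk to the file server 10.1.9.40 normally on the same port."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        action = "allow" if i % 7 == 0 else "deny"
        lines.append(f"{ts} src=10.1.2.3 dst=10.1.9.{i + 1} dport=445 proto=tcp action={action}")
        lines.append(f"{ts} src=10.1.3.{i % 5 + 1} dst=10.1.9.40 dport=445 proto=tcp action=allow")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, start, n in detect_fanout(SAMPLE_LOG):
        print(f"ALERT possible worm: {src} reached {n} distinct hosts on TCP/445 since {start.isoformat()}")
```

The alert fires on the scanning host after its 20th distinct destination; the five workstations never trigger because each talks to a single server. Threshold and window need tuning per environment (a vulnerability scanner or a backup server will also fan out), which is the "proactive monitoring for documented scenarios" point made under Preparation later in the deck.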
  12. MalwareBytes – WannaCry Infection Heat Map
    YouTube: https://www.youtube.com/watch?v=IEAtGCkbq5Y
  13. Cloud and Mobile Devices – 2000s
  14. Cloud and Mobile Incidents

    Equifax
    • Overview: 145 million customer records stolen, due to a vulnerable website
    • Identification: Equifax detected the intruders 76 days after being compromised; the breach was due to an Apache Struts vulnerability on their website; the breach occurred on May 13 (2017)
    • Containment: Reported to have cut off the intruders' access on July 29
    • Eradication: Patch vulnerabilities; remove intruder software and artifacts (reinstall or restore from backup)
    • Recovery: Verify systems, return to operations
    • Lessons: Implement a new system for vulnerability updates… Host a closeout meeting, and complete the incident report.

    Jeff Bezos WhatsApp
    • Overview: Phone hacked via a malicious WhatsApp message
    • Identification: Observe suspicious behaviour of apps on the mobile phone; a suspicious text message in November, with a picture of a close friend; investigative findings from the cybersecurity firm FTI Consulting
    • Containment: Gather relevant forensic evidence, for a legal case if required
    • Eradication: Likely a factory reset of the phone, or destroy/replace the phone
    • Recovery: Verify the mobile phone is operational
    • Lessons: Educate staff on the risks from unsolicited message attachments, regardless of source
  15. Internet of Things – 2010
  16. IoT Security Incidents

    CloudPets IoT Teddy Bear
    • Overview: In late 2016, 800,000 customer credentials and 2 million messages were left exposed in a MongoDB database. The teddy bear could also be hacked to allow remote spying.
    • Identification: Researchers discovered the MongoDB database on Shodan
    • Containment: Secure the MongoDB database from further data leakage; notify customers to change their passwords
    • Eradication: Audit the IT infrastructure for any additional security gaps
    • Recovery: Verify systems, return to operations
    • Lessons: Complete report and security improvements

    Washington D.C. Surveillance Cameras
    • Overview: Romanian hackers took over D.C. surveillance cameras just before President Trump's inauguration.
    • Identification: DC police observed that several cameras were malfunctioning; the Secret Service assessed the associated computers and found non-police users sending spam infected with ransomware; 123 of 187 network video recorders in the closed-circuit TV system were affected
    • Containment: Camera systems taken offline for 4 days
    • Eradication: Removed the software and restarted the camera devices; reinstalled the affected computers
    • Recovery: Verify systems, return to operations
    • Lessons: Complete report and security improvements
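The CloudPets exposure pattern, a database that listens on every interface with authorization disabled, is something the "audit IT infrastructure for additional gaps" step can check from configuration alone, before anyone finds the instance on Shodan. The following is an added example, not code from the deck or from the CloudPets vendor: it reads a mongod.conf, flags the weak settings and passes the hardened one. Both configuration files are constructed; the option names net.bindIp, net.bindIpAll and security.authorization are real mongod options, and the defaults assumed (bind to 127.0.0.1, authorization disabled) are current mongod defaults.

```python
"""Audit a mongod.conf for the CloudPets exposure pattern (constructed example)."""
from ipaddress import ip_address

WEAK_CONF = """\
# constructed: listens on every interface, no authentication
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

HARDENED_CONF = """\
# constructed: loopback plus one private address, authentication required
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5
security:
  authorization: enabled
"""

WILDCARDS = ("0.0.0.0", "::")


def parse_conf(text):
    """Minimal parser for the two-level 'section:\\n  key: value' YAML subset
    that mongod.conf uses; enough for this check, not a YAML implementation."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):              # top-level section
            section = line.rstrip(":").strip()
            conf[section] = {}
        else:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def _is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:        # hostnames or socket paths: treat as reachable
        return False


def assess(conf):
    """Return findings plus a 'critical' flag for the exposed-and-unauthenticated case."""
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",") if a.strip()]
    bind_all = (net.get("bindIpAll", "false").lower() == "true"
                or any(a in WILDCARDS for a in addrs))
    reachable = [a for a in addrs if a not in WILDCARDS and not _is_loopback(a)]
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    if bind_all:
        findings.append("net.bindIp/bindIpAll: listening on every interface")
    elif reachable:
        findings.append("net.bindIp: reachable from the network on " + ", ".join(reachable))
    if not auth_on:
        findings.append("security.authorization is not 'enabled': any client that connects can read and write")
    return {"critical": bind_all and not auth_on, "findings": findings}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess(parse_conf(text)))
```

The hardened configuration still produces one informational finding (it is reachable on 10.20.0.5, which is intended for the application servers) but is not flagged critical, because authorization is enforced; the weak one is both wildcard-bound and unauthenticated, which is the combination that makes a database readable by whoever finds it.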
  17. Information security response to incidents resulted in… Adoption of Zero Trust
  18. Evolution of Information Security Incidents
  19. Evolution of Information Security Controls
    (figure: Physical, Perimeter-based, Zero-trust; based on "Evolution of Information Security Technology", by Dan Hitchcock, 2005)
  20. Perimeter Security vs. Zero Trust Security

    Traditional Perimeter                                  | Zero Trust
    -------------------------------------------------------|-----------------------------------------------------------------------
    Focused on systems and network                         | Data-centric focus
    Trust, but verify                                      | Never trust, always verify
    Internal network access is trusted                     | Internal network is always hostile
    External network access is not trusted                 | Internal and external threats are always present
    Require employees to connect to VPN for secure access  | Authentication required for every user, device, and network connection
    Segmentation using subnets                             | Log and inspect all network traffic
    Not ideal for work-from-home                           | Ideal for work-from-home
  21. Traditional Perimeter-based Security
    (diagram, courtesy of Cisco Netherlands: Remote User via VPN; On-premise User; On-Prem Applications, LDAP / AD, SQL Database, On-prem Webserver; Cloud SaaS Apps)
  22. Zero Trust Security
    (diagram, courtesy of Cisco Netherlands: Remote User and On-premise User; Reverse Proxy; Single Sign-on Gateway (SSO) with Cloud LDAP / AD; On-Prem Applications, LDAP / AD, SQL Database, On-prem Webserver; Cloud SaaS Apps)
  23. Security Controls List

    Network
    • Network Firewalls
    • Network Intrusion Detection System
    • Web Filter
    • Email Security
    • Wireless Access Control
    • Control of network ports / protocols / services
    • Network Segmentation
    • Data Loss Prevention

    Host
    • Host-based Firewall
    • Host-based Intrusion Detection Systems
    • Vulnerability Assessments
    • Anti-Virus Software
    • Application Whitelisting
    • Control of Admin Privileges
    • Log Monitoring
    • Account Monitoring / Control
    • Identity Management

    Data
    • File Encryption
    • File Integrity Monitoring
    • Backup and Data Recovery
    • Data Protection
    • Database encryption
    • Encrypted communication protocols
    • Data / File Access Authorization
    • Data Loss Prevention

    Physical
    • Perimeter Walls
    • Doors
    • Door Swipe / Keys
    • CCTV Camera Surveillance
    • Privacy screen / frosted windows
    • Security Guards
    • Human or Automated monitoring of CCTV
    • Logbooks
  24. Authenticate every user, device, and network connection?

    • Client authentication certificates, for accessing websites
    • Windows domain isolation
    • Network device authentication
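The comparison on slide 20 and the question on slide 24 ("authenticate every user, device, and network connection?") can be made concrete as two policy functions applied to the same requests: one that decides on network location, one that decides on verified identity, device and per-resource authorization on every request. This is an added example, not code from the deck or from Cisco: the Request fields, the ACL, the address ranges and the four sample requests are constructed, and the gateway that would populate the fields (TLS client-certificate validation, SSO, device posture reported by an EDR agent) is assumed rather than shown.

```python
"""Perimeter 'trust but verify' vs. Zero Trust 'never trust, always verify' (constructed example)."""
from dataclasses import dataclass, asdict
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Request:
    src_ip: str
    resource: str
    action: str
    user: Optional[str] = None      # identity asserted by the SSO gateway; None if anonymous
    mfa: bool = False               # second factor completed in this session
    device_cert_ok: bool = False    # client certificate chained to the corporate CA (assumed gateway check)
    device_compliant: bool = False  # posture from the EDR agent: patched, encrypted, healthy (assumed)


# Constructed corporate address space; the perimeter model treats this as "inside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed per-resource ACL: resource -> user -> allowed actions.
ACL = {
    "sql-database": {"alice": {"read"}, "dba-bob": {"read", "write"}},
    "hr-share": {"alice": {"read", "write"}},
}
MFA_REQUIRED = {"sql-database"}


def perimeter_decision(req):
    """Perimeter model: location is the credential; inside the LAN or VPN pool is trusted."""
    inside = any(ip_address(req.src_ip) in net for net in INTERNAL_NETS)
    return "allow" if inside else "deny"


def zero_trust_decision(req):
    """Zero Trust: user, device and authorization are verified on every request;
    the source network adds nothing to the decision and is only logged."""
    reasons = []
    if req.user is None:
        reasons.append("no authenticated user")
    if not req.device_cert_ok:
        reasons.append("device not authenticated (no valid client certificate)")
    if not req.device_compliant:
        reasons.append("device posture non-compliant")
    if req.resource in MFA_REQUIRED and not req.mfa:
        reasons.append("MFA required for this resource")
    if req.action not in ACL.get(req.resource, {}).get(req.user, set()):
        reasons.append(f"{req.user!r} not authorized to {req.action} {req.resource}")
    return ("allow" if not reasons else "deny"), reasons


def audit_record(req):
    """'Log and inspect all network traffic': one record per request, whichever way it is decided."""
    verdict, reasons = zero_trust_decision(req)
    return {**asdict(req), "perimeter": perimeter_decision(req),
            "zero_trust": verdict, "reasons": reasons}


SAMPLE_REQUESTS = [
    # 1: infected kiosk on the LAN, no identity at all
    Request("10.1.2.3", "sql-database", "read"),
    # 2: remote worker from a coffee-shop address, SSO + MFA, managed and healthy laptop
    Request("203.0.113.7", "sql-database", "read", user="alice", mfa=True,
            device_cert_ok=True, device_compliant=True),
    # 3: same user and laptop, asking to write where she only holds read
    Request("203.0.113.7", "sql-database", "write", user="alice", mfa=True,
            device_cert_ok=True, device_compliant=True),
    # 4: DBA on the LAN, valid device certificate, but unpatched machine and no MFA
    Request("192.168.4.9", "sql-database", "read", user="dba-bob",
            device_cert_ok=True, device_compliant=False),
]

if __name__ == "__main__":
    for rec in map(audit_record, SAMPLE_REQUESTS):
        print(rec["src_ip"], rec["resource"], rec["action"],
              "perimeter=" + rec["perimeter"], "zero_trust=" + rec["zero_trust"], rec["reasons"])
```

Requests 1 and 4 are allowed by the perimeter model purely because of their source address and denied under Zero Trust; request 2 is the work-from-home case the slide calls "ideal": denied by the perimeter model for not being on the VPN, allowed under Zero Trust because user, device and authorization all verify. The reasons list is what the SOC sees in the audit record, which is also where the identification phase later in the deck gets its host, network and application signals.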
  25. Incident Response Playbook
  26. Back to Basics

    Event – A thing that happens or takes place. Examples of events:
    • A system crash due to a known system driver issue (may be expected)
    • A user in the marketing department accesses the latest customer survey on the internal website
    • Degraded network performance, due to the transfer of database backup files

    Incident – An adverse event in a computer system or network. Examples of incidents:
    • An employee sharing confidential data with unauthorized third parties
    • An unauthorized third party remotely accessing internal company servers
    • Execution of malicious software
  27. Incident Response Principles

    Preparation → Identification → Containment → Eradication → Recovery → Lessons
    Standard incident handling applies in a Zero Trust environment.
  28. Preparation

    Goal: Get the incident response team ready to handle incidents
    • Security Awareness Training
    • Develop IR Policy and Procedures
    • Connect with peers and law enforcement
    • Obtain Management Support
    • Build Team
    • Emergency Communication Plan
    • Incident Response Tool Bag
  29. Preparation – Incident Response Drills

    Practice makes perfect:
    • Reduce IT costs related to the incident
    • Errors can be costly
    • Better decision making
    • Become proficient
    • Everyone must know their responsibility
    • Proactive monitoring for documented scenarios
    • Increased compliance (e.g. data privacy laws)
    • Better third-party management (if outsourced)
  30. Preparation: Work-From-Home Considerations

    Known Challenges
    • No separation of the work area from unauthorized persons
    • Possible shoulder surfing, or unauthorized system users
    • Computers are not readily accessible for forensic imaging
    • Not always practical to require VPN usage

    Possible Solutions
    • Implement AI-driven webcam monitoring
    • Periodic audit of randomly selected remote worker systems
    • Endpoint detection and response (EDR) solution
    • Enterprise forensic solution, with remote imaging capability
  31. Identification

    Goal: Determine if an event should be declared an incident.
    • Correlate information
    • Assign handlers
    • Control information flow
    • Communication channels
    • Network detection
    • Host detection
    • Application detection
  32. Containment

    Goal: Stop the attack from spreading further in the affected systems, and from moving to other systems.
    • Step 1: Short-term containment
    • Step 2: Analysis
    • Step 3: Long-term containment
    Activities shown on the slide: Forensics, Collaborate, Assess, Categorize, Notify, Preserve, Long-term Mitigation
  33. Eradication

    Goal: Remove the attacker
    • Remove malware
    • Restore backups
    • Improve controls
    • Scan for vulnerabilities
  34. Recovery

    Goal: Move impacted systems back into production
    • Validate systems
    • Restore operations
    • Monitor for reinfection
  35. Lessons

    Goal: Document the incident, and the improvements
    • Schedule closeout meeting
    • Review incident report
    • Finalize management summary
    • Apply fixes (people, process, technology)
  36. Sample – APT Incident Handling Plan

    Responding to actors that have gained unauthorized access to systems and networks.

    Preparation:
    1. Develop and test incident response plans
    2. Communication plan
    3. Deploy security controls
    4. Aggregate data from all relevant sources

    Identification:
    1. Multiple sources of identification
    2. Internal notification

    Containment:
    1. Disconnect systems, or watch and learn
    2. Characteristics of the threat actor
    3. What is stolen?
    4. Legal ramifications

    Eradication:
    1. Collect and image affected computers
    2. Close all vectors of exfiltration and reinfection

    Recovery:
    1. Deploy security controls to prevent re-infection
    2. Audit access control to critical data
    3. Engage the employees/third parties who caused the breach

    Lessons:
    1. Educate staff on the attack vectors that led to the breach
    2. Prepare final executive report
    3. Identify opportunities for improving APT detection and response
  37. Conclusion – Important takeaways

    • Every major technology change introduces a new layer of risks, and new security controls.
    • Zero Trust provides greater control and visibility of endpoints, including those used by remote workers.
    • Incident response continues to follow the standard PICERL process in a Zero Trust environment.
    • Create incident response plans for each type of incident, tailored to your company.
  38. Thank You – Never Trust, Always Verify