incident - MiSS™ Community

Proactive Incident Response
What is an incident?
• Hacking attack
• Password theft
• Data theft
• Denial of service
• Virus attack
• Data deletion
• Leak of sensitive material
Maturity Level
• Level 0: No incident response capability
• Level 1: Ad-hoc incident response
• Level 2: Technology driven/Signature based
• Level 3: Process driven
• Level 4: Intelligence driven
• Level 5: Predictive defense
Average Maturity
Ad-hoc incident response
Detection
• Users report to IT
• News
Response
• No plan
• Googling
• Format, Reinstall, Reboot
• Call vendor
Risk awareness
• Very low
Technology Driven/Signature based
Detection
• Alerts by signature matching
Response
• Standard incident response plan
• Processes based on tools used
Risk awareness
• Low
Reactive Approaches
• Usually take more investigation time and cost
• Security controls are limited to notification, containment, and remediation capabilities
• Encourage cyber attacks
• Damage first, fix later
• Only capable of handling known threats
Process Driven
Detection
• Use case hunting
• Threat modeling
• Correlation rules
Response
• Specific incident response plan
• Service driven
Process
• SLA
Risk awareness
• Medium
• Initial risk management
• Selective sensor placement
Intelligence Driven
Detection
• Constantly transform use cases into correlation rules
• Security Operations Center
Response
• Threat driven
• Vulnerability assessment
• Security intelligence networks
Risk awareness
• High
• Intensive risk management
• Fully aware of asset values and protections
Predictive Defense
Detection
• Cyber Kill Chain
• Big data analytics
• Artificial Intelligence
Response
• Very early in the chain
• Better kill 10 good people than let 1 bad guy in
Risk awareness
• Extremely high
• Risk management is embedded into security operation
Risk awareness
Example: Targeted Attack
• No full-time IT security staff
• Operates 8 x 5
• There is a standard incident response plan
• Undefined security controls
• Firewalls, Anti-Virus
Think about how you could handle the incident (with these capabilities) if it happens.
Stage 1
Planning Phase
Reconnaissance is an activity to gain information about something through observation or other detection methods.
• Use Google, Shodan
• Public announcements, TOR, RFP
• Social media
Objectives
• Look for vulnerabilities in people, process and technology
• Attack surfaces
Preparation Phase
Weaponization and Targeting includes modifying an otherwise harmless file, such as a document, for the purpose of enabling the adversary's next step.
• PDFs that have an exploit contained within them.
• Macros in Word documents.
• People target: Social engineering tactics
• Technical target: Network, VPN, etc.
Cyber Intrusion Phase
Delivery and Exploit
• Phishing, fake calls, bribery, threatening
• Install Remote Access Trojan
• Modify PowerShell, non-malware based
Management and Enablement Phase
• With a successful cyber intrusion the adversary moves to the next phase, Management and Enablement. Here the actor will establish command and control (C2), using methods such as a connection to the previously installed capability or abusing trusted communications such as the VPN. Capable and persistent actors often establish multiple C2 paths to ensure connectivity is not interrupted if one is detected or removed.
Sustainment, Entrenchment, Development, and Execution Phase
• Discovery of new systems or data, lateral movement around the network, installation and execution of additional capabilities, launching of those capabilities, capturing transmitted communications such as user credentials, collection of desired data, exfiltration of that data out of the environment, and anti-forensic techniques such as cleaning traces of the attack activity or defending his or her foothold when encountering defenders such as incident responders.
Stage 2
It is in Stage 2 that the attacker must use the knowledge gained in Stage 1 to specifically develop and test a capability that can meaningfully attack the ICS.
Attack Development and Tuning Phase
• Attack Development and Tuning phase, in which the aggressor develops a new capability tailored to affect a specific ICS implementation and for the desired impact.
• They will mimic the system for testing and never test in the production environment.
• There may be a lag of months or years between Stage 1 and Stage 2.
Validation Phase
• Test and make sure that the attack will work the first time.
• The attacker will need the same equipment as the target to test, so this purchase can be used as a trace to track down the attacker.
ICS Attack
• Ultimately, the last phase is the ICS Attack, in which the adversary will deliver the capability, install it or modify existing system functionality, and then execute the attack.
• Usually fools the plant operator into believing that everything is normal until it is too late to fix.
Find the gaps
People
• 24 x 7
• SME
Process
• Incident response plan that is specific to a targeted attack
Technology
• SIEM
• Targeted attack use cases
• Monitoring technology
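As an added example (not from the deck): the targeted-attack use case from Stage 1 (mailed document, Office spawning a script interpreter, C2 connection) written as the kind of correlation rule a process-driven SIEM would run, beside the hash-only check of the technology/signature-driven level. The telemetry, hash values and host names are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original deck): one host opens a
# mailed Word document, which spawns PowerShell, which then connects outbound.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "type": "attachment_opened",
     "file": "invoice.docm", "sha256": "deadbeef00"},          # placeholder hash
    {"ts": "2024-05-01T09:00:20", "host": "ws-17", "type": "process_start",
     "parent": "winword.exe", "image": "powershell.exe"},
    {"ts": "2024-05-01T09:01:05", "host": "ws-17", "type": "net_connect",
     "dest": "203.0.113.50", "port": 443},                      # TEST-NET-3 address
    {"ts": "2024-05-01T10:30:00", "host": "ws-02", "type": "process_start",
     "parent": "explorer.exe", "image": "powershell.exe"},     # benign admin use
]

KNOWN_BAD_HASHES = {"0123456789abcdef"}   # constructed signature database


def signature_alerts(events, known_bad=KNOWN_BAD_HASHES):
    """Level 2 (technology/signature driven): alert only on a known-bad hash.
    A tailored payload has no signature yet, so this returns nothing here."""
    return [e for e in events if e.get("sha256") in known_bad]


def correlate_targeted_attack(events, window=timedelta(minutes=10)):
    """Level 3 (process driven) correlation rule for the deck's targeted-attack
    use case: Delivery (mailed document) -> Exploit (Office spawns a script
    interpreter) -> C2 (outbound connection), all on one host within `window`."""
    script_hosts = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for d in (e for e in evs if e["type"] == "attachment_opened"):
            t0 = datetime.fromisoformat(d["ts"])
            later = [e for e in evs
                     if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
            spawned = any(e["type"] == "process_start"
                          and e["parent"].startswith(("winword", "excel", "powerpnt"))
                          and e["image"] in script_hosts for e in later)
            c2 = [e["dest"] for e in later if e["type"] == "net_connect"]
            if spawned and c2:
                alerts.append({"host": host, "file": d["file"], "c2": c2,
                               "phases": ["Delivery", "Exploit", "C2"]})
    return alerts


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(EVENTS))
    print("correlation alerts:", correlate_targeted_attack(EVENTS))
```

The benign PowerShell launch on ws-02 is not flagged because the rule requires the full chain on one host, which is what separates a use case from a bare signature.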
Plan for your expected maturity and stay Proactive!
THANK YOU