incident response requires superhumans
DESCRIPTION
Incident management and response is a highly specialized job requiring the information security professional to have multifaceted skills in technology, business, finance, HR and more. In fact, the incident response professional needs to know so much in terms of technology, people skills and reaction time that he/she might as well be a superhuman!
TRANSCRIPT
Incident Response Requires Superhumans
Presented by
Dinesh O Bareja
&
Vineet Kumar
Dubai, October 30, 2013
Audience Profiling
• How many CISOs
• How many IS Managers
• How many pure play Incident Managers
• How many CISO/ISM with IM responsibility ()
• Do you sleep well …
• 2010 (base year)
• 2011
• 2012 ... NOW ?
• Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
Technology advancement has brought about dramatic change in life and work and continues its march of dynamic growth.
It was an era of innocence and invention when computing started, up to the time when the internet was unveiled.
Over the years it has metamorphosed into a force we are still trying to understand and has brought with it ‘great expectations’ from the human beings who are in charge!
Even a young man has to use a walking stick!
http://www.geeksaresexy.net/2013/04/26/the-evolution-of-essentials-comic/
Jokes apart, coming back to serious business..
To relive the past, we will (briefly) look at the growth, maturity and metamorphoses of some practices, solutions, strategies and technologies.
• Information Security yet to be discovered but phone phreaking was around
• Security meant securing areas where computers were housed
• System security meant administrator control on who could write – edit – delete data
• Data breach prevention was through controlled access to printer room
• Compliance was the accountant’s job
• Ides of March 1992 – Michelangelo virus
• Y2K
• 1994 ISACA (from earlier avatars of ’67, ‘69)
• Viruses to APTs
• Security lives are ruled by GRC, CIA Triad, PDCA Cycle, MM, ROSI, KPI
• Compliance means regulatory and internal policies and audit findings
• These all morph into professional art forms … Risk Management, Incident Management, Configuration Management, Problem… Patch… Access… Change…
Virus – Worm – Trojan – Malware – Rootkit – Backdoor – Botnets – APT
NMS – SIEM – Network Forensics
Simple Access Control – IDAM / SSO / Privilege User Management / Provisioning…
LAN, WAN, Virtualization, Fabric, Wireless, Cloud
dBase, Lotus, Access, Excel, MS SQL, MySQL, Oracle
http://movetheworld.wordpress.com/2008/01/16/evolution-of-information-security-technologies/
• Illiterate Messengers deliver written messages so they cannot copy or read
• Cutting off a messenger’s tongue to disable gossip risk
• Da Vinci’s ‘cryptex’ device
• Shoot the messenger
• Encrypted messages, smoke signals
• Eunuchs to protect Harems
© freedigitalphotos (royalty-free, attribution)
systems
org growth
IT networks
business
all processes
enterprise finance
enterprise targets
people issues
gadgets
global events
sales
risks – tech / business
contribute ideas
compliance liabilities
background checks
onboarding /exits
flight timings
what phone to buy/gift
how to do a web checkin
…….
In fact, in a number of small / mid-sized organizations the CISO role is still combined with other responsibilities.
• Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
• Standards : ISO27001, ITIL, ISO20000, ISO22301, OWASP Top 10, SOX, SSAE-16/SAS-70, HIPAA.. + regulatory requirements + policies
• SANS-CSC…. According to SANS, ~73% of respondents are aware of SANS-CSC and have adopted or are planning to adopt it… and the primary driver is to improve enterprise visibility and reduce security incidents
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
• Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
• Company Policies, DR
• Analytical Tools: RCA, SWOT etc
• Business Operations & Depts
• IT Operations
• Applicable Laws, Regulations
• Databases
• Applications
• Hardware
• Malware, APT
• Forensics investigation
• Forensic analysis
• Evidence collection, preservation..
• SIEM, DLP, IPS/IDS, UTM
• Log Analysis
• Phishing
• Windows, Linux (AIX, UX, MacOS)
• Android, iOS, Symbian, BB
• Mobile devices incl laptops
• Network devices – firewalls etc
• Configuration and hardening
• Know all patches from year 0 (BC)
• VAPT
• Web servers, AD, MS Exchange
• … more….
• Can Work under pressure
• Can go on without sleep, food or..
• Can walk in sleep
• Excellent communication skills
• Can win over and influence anyone
• Multi-lingual: geekspeak, normal-speak, baby-speak
• Life is a bummer
• One has to have all that the IM has…. Plus:
• Deep knowledge and understanding of Law (domestic/international) and statutes
• Criminal modus operandi
• ATM, Credit cards, financial fraud, email, internet banking, data breach, IP theft, espionage, social media crimes
• Traditional Policing
• Cyber Intelligence, Social Media Intel
• Security Researcher
• WhatsApp, Wechat, Viber
• Interception
• Excellent Presenter
• Trainer
• Participating in International & National Conferences
• CDR, Tower dump analysis, location mapping
• CCTV Camera recording recovery
• Cyber Crime Investigation
• Cyber Security & Cyber Forensics
• Cyber Forensics (Network, Mobile, Cloud etc)
• Reverse Engineer & Troubleshooter
• Evidence Handling & presentation in the court of law
• Good Negotiator, Facilitator
• Can Pitch for Funds
• Prepare RFPs
• Event Manager
• Response in a flash expected
• Good magician (cracking Symmetric, Asymmetric encryption, password hashes within seconds)
• Software Developer, Programmer
• And the list goes on……
PRE-INCIDENT PREPARATION
Policy Development
Governance and Awareness
CERT Enablement
Threat Intelligence
Tabletop Testing
Advanced Threat Preparedness
Vendor Enablement
Communication Plan
Identify Legal, Regulatory Obligations
RESPONSE
Contain, Restore, Quarantine
Evidence Collection
Identify Weaknesses
Forensic Response
Clean Up and Dispose
POST-INCIDENT
Root Cause Analysis
Recommend Changes
Update CMDB, Risk Register
Disciplinary Actions, Report to LEA
POST-INCIDENT
Chain of Custody
Evidence Integrity
Arrests and Case Filing
Departmental Report
Statistical Update
PREVENTIVE ACTIVITIES
Crime /Threat Intelligence
Response Team Training
Information Sharing
Advisories and Awareness
Citizen Outreach
TECHNOLOGY CRIME (INCIDENT) RESPONSE
International Vectors
Domestic Vectors
Complaint Registration
Categorization & Case Assignment
Crime Scene Visit, Evidence Collection
Data Extraction
Forensic Analysis
Technical Investigation
Forensic Investigation
Obtain Service Provider Evidence
Analysis and Report Preparation
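Evidence Collection appears in the enterprise response flow above, and Chain of Custody and Evidence Integrity in the LEA flow here. The following Python is an added example, not part of the presentation and not CDRC’s tooling: a SHA-256 digest is taken when an artifact is acquired, every hand-off re-verifies the artifact against that reference before the receiving party accepts it, and the custody log is checked for an unbroken sequence of holders. The log line, host name, holder names and timestamps are all constructed for the example.

```python
"""Chain of custody with evidence integrity checks.

Added example (not part of the presentation): a SHA-256 digest is taken at
acquisition, every hand-off re-verifies the artifact before it is accepted,
and the custody log is checked for an unbroken chain of holders.
"""
import hashlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample artifact standing in for an exported log file; the host name
# is a placeholder and the line is not taken from any real case.
SAMPLE_EVIDENCE = (
    b"Oct 30 09:12:01 HOST-PLACEHOLDER sshd[4242]: "
    b"Accepted publickey for svc from 10.0.0.9 port 51022\n"
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the integrity reference for an artifact."""
    return hashlib.sha256(data).hexdigest()


def _now(when: Optional[str]) -> str:
    """Use the supplied timestamp (for reproducible records) or the current UTC time."""
    return when or datetime.now(timezone.utc).isoformat()


def acquire(evidence_id: str, data: bytes, source: str, collector: str,
            when: Optional[str] = None) -> dict:
    """Open a custody record at collection time; the digest taken here is the reference."""
    when = _now(when)
    digest = sha256_hex(data)
    return {
        "evidence_id": evidence_id,
        "source": source,
        "acquired_at": when,
        "sha256": digest,
        "size": len(data),
        "custody": [{"at": when, "action": "acquired", "from": source,
                     "to": collector, "sha256": digest}],
    }


def verify(record: dict, data: bytes) -> bool:
    """True only if the artifact still matches the reference digest and size."""
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]


def transfer(record: dict, data: bytes, holder_from: str, holder_to: str,
             when: Optional[str] = None) -> dict:
    """Log a hand-off; the receiving party refuses an artifact that fails verification."""
    if not verify(record, data):
        raise ValueError(f"{record['evidence_id']}: digest mismatch, hand-off refused")
    record["custody"].append({"at": _now(when), "action": "transferred",
                              "from": holder_from, "to": holder_to,
                              "sha256": sha256_hex(data)})
    return record


def chain_is_unbroken(record: dict) -> bool:
    """Custody must start with acquisition, every holder must hand to the next
    recorded holder, and every entry must carry the reference digest."""
    entries = record["custody"]
    if not entries or entries[0]["action"] != "acquired":
        return False
    if any(e["sha256"] != record["sha256"] for e in entries):
        return False
    return all(cur["from"] == prev["to"] for prev, cur in zip(entries, entries[1:]))


def demo() -> dict:
    """Walk one artifact from the scene to the examiner, then show tampering detected."""
    rec = acquire("EV-0001", SAMPLE_EVIDENCE, source="HOST-PLACEHOLDER",
                  collector="first.responder", when="2013-10-30T09:15:00+00:00")
    transfer(rec, SAMPLE_EVIDENCE, "first.responder", "evidence.locker",
             when="2013-10-30T11:00:00+00:00")
    transfer(rec, SAMPLE_EVIDENCE, "evidence.locker", "forensic.examiner",
             when="2013-10-31T08:30:00+00:00")
    # A single changed byte (here the source address) must be caught.
    tampered = SAMPLE_EVIDENCE.replace(b"10.0.0.9", b"10.0.0.8")
    return {
        "record": rec,
        "intact": verify(rec, SAMPLE_EVIDENCE),
        "tamper_detected": not verify(rec, tampered),
        "chain_ok": chain_is_unbroken(rec),
    }


if __name__ == "__main__":
    result = demo()
    print(f"intact={result['intact']} tamper_detected={result['tamper_detected']} "
          f"chain_ok={result['chain_ok']} hand-offs={len(result['record']['custody']) - 1}")
```

The point of re-hashing on every hand-off rather than only at acquisition is that the record then shows not just that the artifact is intact now, but which holder last confirmed it; a break in the holder sequence or a digest that does not match the acquisition reference both make the record unusable as evidence.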
• 6 complaints get registered daily on our helplines
• 1.5 Crore Fraud
• Cyber Stalking – Big Boss Contestant, Aashka Garodia
• Email Threats – Anil Ambani
• Facebook Case ( Fake Profile, Confession Pages, Fraud Pages)
• Cases reported statewide
• Nigerian Scam
• Credit / Debit Card Frauds
• POS fraud – Car polish Scam
• Cyber Attacks: Botnet, DOS, DDOS
• Day to Day traditional crime control
• Crime investigation (Murder, Dacoity, Stalking, Threats etc)
• Raids
• Interrogation
• Intelligence Gathering
• Chain of custody
• Presentation in the court of law
• MS In Information & Cyber Forensics
• Well versed with the latest technologies and research
• Programmer
• Malware Researcher
• Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
• Build threat intelligence capability
• Subscribe to mailing lists, attend conferences, read, get certified, write
• Automate network monitoring with NMS, DLP, SIEM, Network Forensics etc
• Risk Threats and Vulnerability Management
• Information Sharing
• Breach advisories and CERT bulletins
• The Incident Manager is informed about an incident and decides whether it is an incident or not before blowing the whistle !
• Sets Incident priority
• Triage
• Pray !
• Set up war room
• Mobilize cross functional IM team
• Rollout containment procedures
• Initiate Communication plan
• Mobilize vendors
• Follow up with recovery and eradication procedures
• Visit incident site, collect and save evidence
• Forensic Analysis
• Reporting to Authorities and Police
• Internal Root Cause Analysis
• Prepare Management Report
• Recommendations for improvement
• Obtain permissions and budget
• Update systems, policies and controls
• Phd/MS in Information Security
• Cyber Security Researcher
• Knowledge about 0 Days, APTs, Vulnerability Assessment, Penetration Testing, Source Code Auditing, Web
• Data Analytics
• BigData
• Cloud Computing
• Cyber Security
• Cyber Defence
• Cyber Forensics (Network, Mobile, Tablet, Satphones, Gogles)
• Cyber law Expert
• Overview: InfoSec Evolution / History
• Exponentially Growing Expectations
• Superhumans in Enterprise and LEA
• Superhuman: why, how..
• Today’s Takeaway – Risks and being a SH
• Capability and capacity development in the private sector is slow, and in the government sector it is slower
• Skills required are multi-faceted and can ONLY be acquired by hard-core practical, hands-on, on-the-job experience
• Institutes and training programs are yet to be developed to impart some of these skills, or to show the path to aspirants
In the near future, a bigger challenge:
Internet of Things
http://www.intel.com/content/www/us/en/intelligent-systems/iot/internet-of-things-infographic.html
• Re-learn continuous learning … you did it passionately when you were junior, you did it to rise – then why did you stop!
• Recognize your skill and strength…. Information Security is not an apology. It is no longer a support function for a support function. It is an essential function, and it is high time this is recognized by management
Information / Data Security is a dynamic domain, constantly changing hues and continually exciting.
Practitioners, researchers, hackers, auditors constantly face up to new challenges
And we want to take this opportunity to present our unit – Cyber Defence Research Centre & Cyber Peace Foundation
CDRC is a joint initiative of the Government of the State of Jharkhand (India) and Jharkhand Police.
The unit has been operational since January 2012.
It is the first organization of its kind in the country, and (probably) the ninth in the world
Functions: DETECTION, INVESTIGATION, EDUCATION, PREVENTION, PROTECTION
• eSamadhan – Citizen Outreach Tollfree Helpline
• eKavach – Critical Infrastructure Protection – Training, Intel, Response and Knowledge Sharing
• eRaksha – Statewide Security Awareness program for children, citizens, industry
• Cyber Patrol – Intelligence Gathering, Honeynets
• CDR Analysis, IMS, Cyber Lab, VA/PT, AppSec, Digital Forensics
• JH CERT
• Technology Research, System Dev & Deployment
• Incident Response, Advisories, Responsible Disclosure
• LEA Training, Capacity & Capability Building
Law Enforcement – Investigation, Response, Evidence Gathering, Forensics, Cyber Policing
Technical Services – VA/PT, Application Security Testing, Technology Evaluation
Training – State Police, Judiciary and Govt, CID, CBI, NPA, IB
Public Outreach – Awareness, Toll free helpline, eSamadhan, Cyber café controls, ATM security
Research – Cyber Patrol, India Honeynetwork, SCADA and Spam Honeynets
National Security – National Infrastructure Protection under CIIP, Responsible Disclosure
Jharkhand Secure – State Infrastructure Protection, Departmental IT Security, State CERT
2012
09 JANUARY – Formation Day
JANUARY – High profile cases – Hazaribagh (Sonia Gandhi email threat); Team Augmentation and orientation
FEBRUARY – Launch eSamadhan, manual CDR analysis, IMEI database, Lost mobile cases; Establishment Planning; System Development: Internet Monitoring System and CDR + Location Mapping Analysis System
MARCH – Jharkhand Cyber Café Rules sent to Home Dept; Development of cyber café software and Cyber Café guidelines for owners; ISO 27001 Audit of Police Data Center; Internal team training
APRIL – Moved into CDRC Building, PHQ Ranchi; Program Launches: Judiciary Training; “eKavach” Critical Infrastructure Protection; Online knowledge base for Cyber café owners re open source; Bi-lingual safety guidelines for Government employees, parents and children
MAY – ATM, Cyber Café statewide Threat Survey; Wi-fi War driving; Team training for forensics tools
JUNE – eKavach onsite assessment at HEC; CID Training launch
JULY – eRaksha program launched; Event Partner c0c0n 2012, Thiruvananthpuram; Case: Interstate credit card fraudsters interrogated; Disclosure – threat to CBI central server
AUGUST – India honeynetwork setup with five sensors; CISF, RPF training; ATS interaction re cyber security
SEPTEMBER – Cyber Lab setup plan at PTC; Development for Responsible Disclosure system; Training delivery at NPA
OCTOBER – SCADA honeypot development; Testing Vulnerability disclosure system
NOVEMBER – Joint Meeting – Home Dept, SB Jharkhand Police, All Banks
DECEMBER – Citizen Helpline Toll free number activated: 1800-3456-533
Cyber Surveillance, Social Media Intelligence
Internet Monitoring, Social media Intelligence, Inputs from cyber patrol and threat intelligence, Intelligence from Social media (Orkut, Facebook, Linkedin, Twitter etc.)
Critical Infrastructure Protection
Inventory, response procedures and proactive security training
Responsible Disclosure and Threat Intelligence
Vulnerability disclosure and intelligence information to affected parties
Public Helpline
Web based and toll free helpline
Research
Indian Honeynet collection and malware analysis
Cyber Patrol
Underground intelligence gathering activities
• Cyber Peace Foundation, an NGO founded by senior officials of Jharkhand Police and experts, promotes information sharing between LEAs across countries and public-private partnership (PPP) through its Cyber Bridge program
• Revealed for the first time today at ISACA Dubai
• Request all your support for this organization
ABOUT US
CONTACT INFORMATION
• Professional Positions
• Pyramid Cyber Security & Forensics (Principal Advisor)
• Jharkhand Police (Cyber Surveillance Advisor)
• Open Security Alliance (Principal and CEO)
• Bombay Stock Exchange (IGRC Technical Member)
• Indian Honeynet Project (Founder)
• Professional skills and special interest areas
• Govt & Enterprise - Security Consulting, Advisory, Strategy, Architecture, Analysis, Policy Development, Optimization
• Technologies - SOC, DLP, IRM, SIEM…
• Practices - Incident Response, SAM, Forensics, Regulatory guidance, Government
• Blogger, Occasional columnist, wannabe photographer, research & survey
Contact Information
Acknowledgements & Disclaimer
Various resources on the internet have been referred to, to contribute to the information presented here. Images have been acknowledged where possible and if we have infringed on your rights it is unintentional – we assure you the immediate removal on being notified, of any infringing material. The use (if any) of company names, brand names, trade marks is only to facilitate understanding of the message being communicated – no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. We apologize for any infraction, as this will be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).
E: [email protected] T: +91.9769890505
Twitter: @bizsprite Facebook: dineshobareja
L: http://in.linkedin.com/in/dineshbareja Also on Slideshare and Flickr
A newer version of this presentation will be uploaded to Slideshare (dineshobareja).
• Professional Positions
• Jharkhand Police – CTO & Head of CDRC
• Cyber Peace Foundation – President (Honorary)
• National Anti-Hacking Group (Founder)
• Security Pulse – Honorary Advisor
• Darnster – Honorary Advisor & Mentor
• Attify – Honorary Advisor
• Visiting Faculty for International & National Universities/Institutions such as National Police Academy, Railway Staff College, College of Military Engineering, Indian Institute of Management, Indian Institute of Technology, Government of Gujarat
• Professional skills and special interest areas
• Ethical hacking, cybercrime, Cyber Intelligence, Cyber Forensics
• Intelligence, Forensics, Cyber Security, Cyber Defence, Cyber Crime Investigation, Cyber Peace
• Awards
6 International, 11 National and 15 state level awards & honors
• Contact Information
• Email: [email protected]
• Phone: +91-9570000065
• L: http://in.linkedin.com/in/vineet707
• ENISA
• http://www.enisa.europa.eu/activities/cert/support/incident-management
• http://tvtropes.org/pmwiki/pmwiki.php/Main/GoalOrientedEvolution
• NIST
• http://www.intel.com/content/www/us/en/intelligent-systems/iot/internet-of-things-infographic.html
• Google, Bing