Prepare for Remote Incident Response

© 2012 IBM Corporation
IBM Security Systems
1© 2014 IBM Corporation
Emergency Response:
How to Identify and
Resolve Security Risks
John Cloonan, Program Director, X-Force Strategy and
Product Management
Robert Lewlewski, Engagement Lead, Emergency
Response Services

IBM X-Force
is the foundation for
advanced security and
threat research across
the IBM Security
Framework.

Coverage
20,000+ devices
under contract
3,700+ managed
clients worldwide
15B+ events
managed per day
133 monitored
countries (MSS)
1,000+ security
related patents
100M+ customers
protected from
fraudulent transactions
Depth
22B analyzed
web pages & images
7M spam &
phishing attacks daily
73K documented
vulnerabilities
860K malicious IP
addresses
1000+ malware samples
collected daily
Millions of unique
malware samples
IBM X-Force monitors and analyzes the changing threat
landscape.

We are in an era of continuous breaches.
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014
Operational
Sophistication
IBM X-Force declared
Year of the
Security Breach
Near Daily Leaks
of Sensitive Data
40% increase
in reported data
breaches and incidents
Relentless Use
of Multiple Methods
500,000,000+ records
were leaked, while the future
shows no sign of change
2011 2012 2013
SQL
injection
Spear
phishing
DDoS Third-party
software
Physical
access
Malware XSS Watering
hole
Undisclosed
Attack types
Note: Size of circle estimates relative impact of incident in terms of cost to business.

Attackers exploit application vulnerabilities to access sensitive
data.
 Not testing puts the
organization at risk of
exposing valuable assets
 Broken authentication can
result in take over of
banking session and
funds transfer as if the
attacker were the
legitimate user.
 OpenSSL bug put a huge
number of websites at risk
for data leakage of private
and critical information.
 Mitigating potential
damages of breached
user credentials, SSL
certificates, and other
sensitive information
made cleanup a
challenge.
of organizations underestimate the number of
web applications they have deployed50%
 If your incident
response is built
around planning for
the known situations,
you're at a loss.
Contents of random
access memory
(RAM) are now fair
game, like data stored
on the disk.
Test and Remediate
AppVulns
Protect Web
Servers
Expect the
Unexpected

Underestimating web applications is not uncommon.
Broken authentication and CSRF
occurred in 23% of the 900+
dynamic web app scans tested

Client requests to perform large-scale, ongoing scanning of
live sites has increased.

Spam continues to be a main channel of malware into
company networks.
In March 2014, we saw the highest levels of spam measured
during the last two and a half years.

Attackers are recycling old image-spam techniques to test
detection and exploit email inboxes.

Attackers look for creative ways to evade spam filters - again.

Attackers are using doctor and medic .ru domains in these
attacks.
Since the beginning of February 2014, spammers have used
the domains they have purchased for other, non-image based
types of spam.

Spam bot infections are higher in locations still reliant on
Windows XP.
In 16 of 20 countries researched for spambot infection, usage of
Windows XP is significantly higher than the WW average. In
some cases, usage is more than 30%.

13© 2014 IBM Corporation
When the Worst
Happens…

Incident Response teams must be prepared.
 Energy, Transportation are great examples
 Must be ready to respond to incidents where your normal
incident response toolkits are not available.
 Prepare for the inevitable—and for worst-case scenarios
Incidents may occur that are in far away areas…
What are the extra
precautions to prepare for in
extremely remote incident
response situations?

Bandwidth is king.
Bandwidth limitations can mean
eliminating larger system artifacts
which leads to:
• Increased time to provide
findings
• Less certainty in findings
• Increased costs

RAM may be off limits.
External drives may not be available for
storing RAM dump files:
• RAM files sizes may be very large,
and transfers can be unacceptable
slow or even file given bandwidth
limitations and reliability issues.
• External dump location like USB
devices, may not be available.

Overnight mail may not exist.
Shipping forensic data and
impacted systems can be
difficult:
• May not be logistically feasible
to ship a system or file from
remote locations
• Customs holds may delay
processing systems to
destination

Working hours may impact schedules.
Time-zone differences can
impact work schedules:
• Central contacts, like system
administrators, may not be
available during the response
teams’ work day in differing
time zones.
• Response times are
increased.
• Requests from response team
are aggregated and can de-
prioritize important requests.

Skill sets may be lacking.
System administrators may not
be trained in incident response.
• Incident responders must be
aware of this limitation and
ensure instructions and
questions are extremely
specific
• Having a knowledgeable SME
in basic first-responder
investigatory methodologies
can make the different
between resolution in weeks or
days.

21
Connect with IBM X-Force Research & Development and
IBM Managed Security Services
IBM X-Force Security Insights blog at
www.SecurityIntelligence.com/topics/x-force
Follow us at @ibmsecurity
and @ibmxforce
Find out more about IBM Managed
Security Services
http://www.ibm.com/services/us/en/it
-services/security-services/
Download IBM X-Force Threat
Intelligence Quarterly Reports
http://www.ibm.com/security/xforce/

22
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Prepare for Remote Incident Response

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (19)

Similar a Prepare for Remote Incident Response

Similar a Prepare for Remote Incident Response (20)

Más de IBM Security

Más de IBM Security (20)

Último

Último (20)

Prepare for Remote Incident Response