SlideShare una empresa de Scribd logo

CSIRT_16_Jun

Candan BOLUKBAS
Candan BOLUKBAS
1 de 54
Descargar para leer sin conexión
CYBER SECURITY INCIDENT RESPONSE TEAM (CSIRT) and CYBER SECURITY OPERATION CENTER (SOC) BY BGA INFORMATION SECURITY & CONSULTING THX TO MITRE.ORG BGA INFORMATION SECURITY & CONSULTING
About me Candan BÖLÜKBAŞ • about.me/bolukbas • METU Computer Eng. • CCNA, CCNP, CEH, CHFI, ITIL, MCP, ECSP, ECIH • Enterprise Security Services Manager @BGA • 7-year Developer, 6-year Security Admin • Ex T.C. Cumhurbaşkanlığı Network & Security Admin • candan.bolukbas@bga.com.tr • @candanbolukbas BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
Agenda • Introduction • Cyber Attack in the world • CSIRT statistics from the world • CSIRT efficiency measurement • Best Practices for Creating a CSIRT • What is SOC? • SOC Best Practices • SIEM & SOC & CSIRT Relation • Questions BGA INFORMATION SECURITY & CONSULTING
Challenges that today’s security organizations have to deal with: Malware campaigns launched by organized criminal groups who look to steal information that can be sold on the black market Increasingly powerful distributed denial-of-service (DDoS) attacks that can take out large websites State-sponsored espionage that can penetrate even well-defended networks. BGA INFORMATION SECURITY & CONSULTING
As attacks have become more sophisticated, the need for Computer Security Incident Response Teams (CSIRTs) has grown. Botnets Distributed denial-of- service (DDoS) attacks Insider threats Advanced persistent threats (APTs). CSIRT BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
What Are Some Best Practices for Creating a CSIRT? • Obtain management supportStep #1 • Determine the CSIRT strategic planStep #2 • Design the CSIRT visionStep #3 • Begin CSIRT implementationStep #4 • Evaluate CSIRT effectivenessStep #5 BGA INFORMATION SECURITY & CONSULTING
Step 1: Obtain Management Support and Buy-In • Executive and business or department managers and their staffs committing time to participate in this planning process; their input is essential during the design effort. • Along with obtaining management support for the planning and implementation process, it is equally important to get management commitment to sustain CSIRT operations and authority for the long term. • It is important to elicit management's expectations and perceptions of the CSIRT's function and responsibilities. BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
1% 2% 5% 11% 31% 50% What percentage of your organization’s security budget is allocated to incident response? More than 50% 41% to 50% 31% to 40% 21% to 30% 10% to 20% Less than 10% BGA INFORMATION SECURITY & CONSULTING
Step 2: Determine the CSIRT Development Strategic Plan • Are there specific time frames to be met? Are they realistic, and if not, can they be changed? • Is there a project group? Where do the group members come from? You want to ensure that all stakeholders are represented. • How do you let the organization know about the development of the CSIRT? • If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed? BGA INFORMATION SECURITY & CONSULTING
Step 3: Design Your CSIRT Vision BGA INFORMATION SECURITY & CONSULTING In creating your vision, you should identify your constituency • Who does the CSIRT support and serve? • Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified constituency? • Select the CSIRT services to provide to the constituency (or others). How does the CSIRT support its mission? • Determine the organizational model. How is the CSIRT structured and organized? • Identify required resources. What staff, equipment, and infrastructure are needed to operate the CSIRT? • Determine your CSIRT funding. How is the CSIRT funded for its initial startup and its long-term maintenance and growth?
Step 4: Begin CSIRT Implementation Once management and constituency buy-in is obtained for the vision, begin the implementation: • Hire and train initial CSIRT staff. • Buy equipment and build any necessary network infrastructure to support the team. • Develop the initial set of CSIRT policies and procedures to support your services. • Define the specifications for and build your incident-tracking system. • Develop incident-reporting guidelines and forms for your constituency. BGA INFORMATION SECURITY & CONSULTING
45% 28% 14% 11% 2% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 0 1 2-5 5-10 10+ How many team members are fully dedicated to CSIRT? BGA INFORMATION SECURITY & CONSULTING
Step 5: Evaluate the Effectiveness of the CSIRT Information on effectiveness can be gathered through a variety of feedback mechanisms, including: • Benchmarking against other CSIRTs • General discussions with constituency representatives • Evaluation surveys distributed to constituency members on a periodic basis • Creation of a set of criteria or quality parameters • Compare with Expectations for Computer Security Incident Response (RFC 2350) • Remember that Patience Can Be a Key! BGA INFORMATION SECURITY & CONSULTING
How long it takes to respond Approximate average MTTI, MTTK, MTTF and MTTV experienced by organizations in an APT • Mean time to verify MTTV • Mean time to fix MTTF • Mean time to know MTTK • Mean time to identify MTTI BGA INFORMATION SECURITY & CONSULTING
80% 76% 67% 65% 56% 0% 20% 40% 60% 80% 100% Most effective security tools for detecting security breaches Anti-virus IP reputation & threat feed services Intrusion prevention/detection systems SIEM Analysis of NetFlow or packet captures BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
Reactive Services Proactive Services Security Quality Management Services Alerts and Warnings Border Protection Device O&M Risk Analysis SOC Infrastructure O&M Incident Handling Custom Signature Creation Business Continuity and Disaster Recovery Planning • Incident analysis (Forensic & Tracking) Tool Research and Development • Incident response on site Security Audits or Assessments (Scan & Pentest) Security Consulting • Incident response support Tool Engineering and Deployment • Incident response coordination Configuration and Maintenance of Security Tools, Applications, and Infrastructures Awareness Building Vulnerability Handling Audit Data Collection and Distribution Education/Training • Vulnerability analysis • Vulnerability response Intrusion Detection Services Product Evaluation or Certification • Vulnerability response coordination Security-Related Information Dissemination Artifact Handling • Artifact analysis • Artifact response • Artifact response coordination BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING APT
BGA INFORMATION SECURITY & CONSULTING
DEMO BGA INFORMATION SECURITY & CONSULTING
What Is a SOC? The practice of defense against unauthorized activity within computer networks, including monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities. It includes: ◦ Computer Security Incident Response Team (CSIRT) ◦ Computer Incident Response Team (CIRT) ◦ Computer Incident Response Center (or Capability) (CIRC) ◦ Computer Security Incident Response Center (or Capability) (CSIRC) ◦ Security Operations Center (SOC) ◦ Cybersecurity Operations Center (CSOC) ◦ Computer Emergency Response Team (CERT) BGA INFORMATION SECURITY & CONSULTING
SOC’s mission statement typically includes the following elements: 1. Prevention of cybersecurity incidents through proactive: a. Continuous threat analysis b. Network and host scanning for vulnerabilities c. Countermeasure deployment coordination d. Security policy and architecture consulting. 2. Monitoring, detection, and analysis of potential intrusions in real time and through historical trending on security-relevant data sources 3. Response to confirmed incidents, by coordinating resources and directing use of timely and appropriate countermeasures 4. Providing situational awareness and reporting on cybersecurity status, incidents, and trends in adversary behavior to appropriate organizations 5. Engineering and operating CND technologies such as IDSes and data collection/analysis systems. BGA INFORMATION SECURITY & CONSULTING
Get Started 1. Founding: 0 to 6 Months 2. Build-Out: 6 to 12 Months 3. Initial Operating Capability: 12–18 Months 4. Full Operating Capability: 18 Months and More The best way to test a SOC is to measure the SOC’s performance in response to an actual Red Team penetration of constituency assets. BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING SOC Roles and Incident Escalation
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
Reactive Services Proactive Services Security Quality Management Services Alerts and Warnings Border Protection Device O&M Risk Analysis SOC Infrastructure O&M Incident Handling Custom Signature Creation Business Continuity and Disaster Recovery Planning • Incident analysis (Forensic & Tracking) Tool Research and Development • Incident response on site Security Audits or Assessments (Scan & Pentest) Security Consulting • Incident response support Tool Engineering and Deployment • Incident response coordination Configuration and Maintenance of Security Tools, Applications, and Infrastructures Awareness Building Vulnerability Handling Audit Data Collection and Distribution Education/Training • Vulnerability analysis • Vulnerability response Intrusion Detection Services Product Evaluation or Certification • Vulnerability response coordination Security-Related Information Dissemination Artifact Handling • Artifact analysis • Artifact response • Artifact response coordination BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING Typical SOC Tool Architecture Context to Tip-offs: Full- Spectrum CND Data
The most prominent challenge for any monitoring system - particularly IDSes- is to achieve a high true positive rate. BGA INFORMATION SECURITY & CONSULTING
No matter how good the tool or analyst, overzealous efforts to generate and aggregate huge amounts data into one place diminish the value of good data because it is lost in the noise of worthless data. Monitoring systems such as IDS and SIEM are not “fire and forget”—they require regular care and feeding. BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING SIEM Overview • Perimeter network monitoring • Insider threat and audit • APT detection • Configuration monitoring. • Workflow and escalation • Incident analysis and network forensics • Incident analysis and network forensics • Policy compliance
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING Overlap Between SIEM, Network Management System, and LM
Observations and Tips for Success ◦ Security and network management tools are not interchangeable. ◦ The best SIEMs were built from the ground up as SIEMs. ◦ Consider the whole package. ◦ A day to install; a year to operationalize. ◦ Each part of the SOC will use SIEM differently. ◦ A SIEM is only as good as the data you feed it. ◦ Automated response capabilities present the same challenges as IPS. BGA INFORMATION SECURITY & CONSULTING
Let’s consider some dos and don’ts when we think the SOC has found something bad: ◦ Follow your SOPs. ◦ Don’t panic. ◦ Don’t jump to conclusions. ◦ Be careful about attribution. ◦ Assess the full extent of the intrusion. ◦ Understand the “so what?” ◦ Follow rules of evidence collection and documentation, when appropriate. ◦ Provide measured updates at measured times. ◦ Carefully assess the impact of countermeasures and response actions. ◦ Ensure the entire SOC is working toward the same goal. ◦ Don’t be afraid to ask for help. BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING
References [1] West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response Teams (CSIRTs) (CMU/SEI-98-HB-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1998. Note that this document was superceded by the 2nd edition (CMU/SEI-2003-HB-002), published in April 2003. [2] Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001 (ISBN: 3-8311-0059-4). [3] Kossakowski; Klaus-Peter & Stikvoort, Don. A Trusted CSIRT Introducer in Europe. Amersfoort, Netherlands: M&I/Stelvio, February, 2000. [4] Exposing One of China’s Cyber Espionage Units http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf [5] M-Trends® 2013: Attack the Security Gap http://pages.fireeye.com/MF0D0O0PDVp6y106k0TI0B3 [6] M-Trends® 2011: When Prevention Fails http://www.mandiant.com/assets/PDF_MTrends_2011.pdf [7] M-Trends® 2012: An Evolving Threat http://www.mandiant.com/assets/PDF_MTrends_2012.pdf [8] Cyber Security Incident Response 2014 http://www.lancope.com/files/documents/Industry-Reports/Lancope- Ponemon-Report-Cyber-Security-Incident-Response.pdf [9] Create a CSIRT https://www.cert.org/incident-management/products-services/creating-a-csirt.cfm [10] CSIRT Services list from CERT/CC https://www.enisa.europa.eu/activities/cert/support/guide/appendix/csirt-services BGA INFORMATION SECURITY & CONSULTING
References [1] Wikimedia Foundation, Inc., “Advanced Persistent Threat,” 3 Feb 2014. [Online]. Available: http://en.wikipedia.org/wiki/Advanced_persistent_threat. [Accessed 13 Feb 2014]. [2] R. G. Bace, Intrusion Detection, Indianapolis: Macmillan Technical Publishing, 2000. [3] G. Killcrece, K.-P. Kossakowski, R. Ruefle and M. Zajicek, “State of the Practice of Computer Security Incident Response Teams (CSIRTs),” October 2003. [Online]. Available: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6571. [Accessed 13 Feb 2014]. [4] Killcrece, Georgia; Kossakowski, Klaus-Peter; Ruegle, Robin; Zajicek, Mark, “Organizational Models for Computer Security Incident Response Teams,” December 2003. [Online]. Available: www.cert.org/archive/pdf/03hb001.pdf. [Accessed 13 Feb 2014]. [5] S. Northcutt, Network Intrusion Detection (3rd Edition), Indianapolis: New Riders Publishing, 2002. [6] T. Parker, E. Shaw, E. Stroz, M. G. Devost and M. H. Sachs, Cyber Adversary Characterization: Auditing the Hacker Mind, Rockland, MA: Syngress Publishing, Inc., 2004. [7] L. Spitzner, Honeypots: Tracking Hackers, Addison-Wesley Professional, 2002. [8] M. J. West-Brown, D. Stikvoort, K.-P. Kossakowski, G. Killcrece, R. Ruefle and M. Zajicekm, “Handbook for Computer Security Incident Response Teams (CSIRTs),” April 2003. [Online]. Available: http://resources.sei.cmu.edu/library/asset- view.cfm?assetid=6305. [Accessed 13 Feb 2014]. BGA INFORMATION SECURITY & CONSULTING
Questions BGA INFORMATION SECURITY & CONSULTING
BGA INFORMATION SECURITY & CONSULTING

Recomendados

Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
Dam Frank
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
Ivan Piskunov
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About Compliance
Dinesh O Bareja
 
Third-Party Risk Management
Third-Party Risk ManagementThird-Party Risk Management
Third-Party Risk Management
Mark Scales
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Industrial_Cyber_Security
Industrial_Cyber_SecurityIndustrial_Cyber_Security
Industrial_Cyber_Security
WillianMachadoFonsec
 

Recomendados

Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
Dam Frank
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
Ivan Piskunov
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About Compliance
Dinesh O Bareja
 
Third-Party Risk Management
Third-Party Risk ManagementThird-Party Risk Management
Third-Party Risk Management
Mark Scales
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Industrial_Cyber_Security
Industrial_Cyber_SecurityIndustrial_Cyber_Security
Industrial_Cyber_Security
WillianMachadoFonsec
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
Elliott Franklin
 
Cyber Security Incident Response Planning
Cyber Security Incident Response PlanningCyber Security Incident Response Planning
Cyber Security Incident Response Planning
PECB
 
Incident Response
Incident ResponseIncident Response
Incident Response
MichaelRodriguesdosS1
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
SOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessSOC2 Intro and Mindfulness
SOC2 Intro and Mindfulness
EmilyGladstoneCole
 
DSS RMF Training.pptx
DSS RMF Training.pptxDSS RMF Training.pptx
DSS RMF Training.pptx
Muhammad Mazhar
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
WAJAHAT IQBAL
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
Karthikeyan Dhayalan
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
n|u - The Open Security Community
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Dmitriy Scherbina
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organization
Exigent Technologies LLC
 
CISA Training - Chapter 4 - 2016
CISA Training - Chapter 4 - 2016CISA Training - Chapter 4 - 2016
CISA Training - Chapter 4 - 2016
Hafiz Sheikh Adnan Ahmed
 
Iso 27001 Checklist
Iso 27001 ChecklistIso 27001 Checklist
Iso 27001 Checklist
Craig Willetts ISO Expert
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
IT Governance Ltd
 
EvasionTechniques
EvasionTechniquesEvasionTechniques
EvasionTechniques
Candan BOLUKBAS
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
S.E. CTS CERT-GOV-MD
 

Más contenido relacionado

La actualidad más candente

Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 

La actualidad más candente (20)

PCI DSS
PCI DSSPCI DSS
PCI DSS
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Cyber Security Incident Response Planning
Cyber Security Incident Response PlanningCyber Security Incident Response Planning
Cyber Security Incident Response Planning
 
Incident Response
Incident ResponseIncident Response
Incident Response
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
SOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessSOC2 Intro and Mindfulness
SOC2 Intro and Mindfulness
 
DSS RMF Training.pptx
DSS RMF Training.pptxDSS RMF Training.pptx
DSS RMF Training.pptx
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organization
 
CISA Training - Chapter 4 - 2016
CISA Training - Chapter 4 - 2016CISA Training - Chapter 4 - 2016
CISA Training - Chapter 4 - 2016
 
Iso 27001 Checklist
Iso 27001 ChecklistIso 27001 Checklist
Iso 27001 Checklist
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
 

Destacado

Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Emulex Corporation
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9
Ricardo L0gan
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
Nicholas Davis
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
EC-Council
 

Destacado (20)

EvasionTechniques
EvasionTechniquesEvasionTechniques
EvasionTechniques
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
 
Csirt
CsirtCsirt
Csirt
 
Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Applying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine Code
 
Generic attack detection engine
Generic attack detection engineGeneric attack detection engine
Generic attack detection engine
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
Obfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in PerlObfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in Perl
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Endpoint Security Evasion
Endpoint Security EvasionEndpoint Security Evasion
Endpoint Security Evasion
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
 

Similar a CSIRT_16_Jun

CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdfCISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
SidneyGiovanniSimas1
 
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Doeren Mayhew
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Shawn Tuma
 

Similar a CSIRT_16_Jun (20)

BGA SOME/SOC Etkinliği - Kurumsal SOME’ler için SOC Modeli Nasıl Olmalı?
BGA SOME/SOC Etkinliği - Kurumsal SOME’ler için SOC Modeli Nasıl Olmalı?BGA SOME/SOC Etkinliği - Kurumsal SOME’ler için SOC Modeli Nasıl Olmalı?
BGA SOME/SOC Etkinliği - Kurumsal SOME’ler için SOC Modeli Nasıl Olmalı?
 
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
8 Ocak 2015 SOME Etkinligi - BGA Cyber Security Incident Response Team
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdfCISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and DoubtThe Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management Framework
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your Business
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Time to re think our security process
Time to re think our security processTime to re think our security process
Time to re think our security process
 
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
Luncheon 2015-06-18 Security Industry 2.0: Survival in the Boardroom by David...
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
 
Building Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & MetricsBuilding Your Information Security Program: Frameworks & Metrics
Building Your Information Security Program: Frameworks & Metrics
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
 
Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
5548 isaca for-students
5548 isaca for-students5548 isaca for-students
5548 isaca for-students
 

CSIRT_16_Jun

  • 1. CYBER SECURITY INCIDENT RESPONSE TEAM (CSIRT) and CYBER SECURITY OPERATION CENTER (SOC) BY BGA INFORMATION SECURITY & CONSULTING THX TO MITRE.ORG BGA INFORMATION SECURITY & CONSULTING
  • 2. About me Candan BÖLÜKBAŞ • about.me/bolukbas • METU Computer Eng. • CCNA, CCNP, CEH, CHFI, ITIL, MCP, ECSP, ECIH • Enterprise Security Services Manager @BGA • 7-year Developer, 6-year Security Admin • Ex T.C. Cumhurbaşkanlığı Network & Security Admin • candan.bolukbas@bga.com.tr • @candanbolukbas BGA INFORMATION SECURITY & CONSULTING
  • 4. Agenda • Introduction • Cyber Attack in the world • CSIRT statistics from the world • CSIRT efficiency measurement • Best Practices for Creating a CSIRT • What is SOC? • SOC Best Practices • SIEM & SOC & CSIRT Relation • Questions BGA INFORMATION SECURITY & CONSULTING
  • 5. Challenges that today’s security organizations have to deal with: Malware campaigns launched by organized criminal groups who look to steal information that can be sold on the black market Increasingly powerful distributed denial-of-service (DDoS) attacks that can take out large websites State-sponsored espionage that can penetrate even well-defended networks. BGA INFORMATION SECURITY & CONSULTING
  • 6. As attacks have become more sophisticated, the need for Computer Security Incident Response Teams (CSIRTs) has grown. Botnets Distributed denial-of- service (DDoS) attacks Insider threats Advanced persistent threats (APTs). CSIRT BGA INFORMATION SECURITY & CONSULTING
  • 10. What Are Some Best Practices for Creating a CSIRT? • Obtain management supportStep #1 • Determine the CSIRT strategic planStep #2 • Design the CSIRT visionStep #3 • Begin CSIRT implementationStep #4 • Evaluate CSIRT effectivenessStep #5 BGA INFORMATION SECURITY & CONSULTING
  • 11. Step 1: Obtain Management Support and Buy-In • Executive and business or department managers and their staffs committing time to participate in this planning process; their input is essential during the design effort. • Along with obtaining management support for the planning and implementation process, it is equally important to get management commitment to sustain CSIRT operations and authority for the long term. • It is important to elicit management's expectations and perceptions of the CSIRT's function and responsibilities. BGA INFORMATION SECURITY & CONSULTING
  • 12. BGA INFORMATION SECURITY & CONSULTING
  • 13. 1% 2% 5% 11% 31% 50% What percentage of your organization’s security budget is allocated to incident response? More than 50% 41% to 50% 31% to 40% 21% to 30% 10% to 20% Less than 10% BGA INFORMATION SECURITY & CONSULTING
  • 14. Step 2: Determine the CSIRT Development Strategic Plan • Are there specific time frames to be met? Are they realistic, and if not, can they be changed? • Is there a project group? Where do the group members come from? You want to ensure that all stakeholders are represented. • How do you let the organization know about the development of the CSIRT? • If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed? BGA INFORMATION SECURITY & CONSULTING
  • 15. Step 3: Design Your CSIRT Vision BGA INFORMATION SECURITY & CONSULTING In creating your vision, you should identify your constituency • Who does the CSIRT support and serve? • Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified constituency? • Select the CSIRT services to provide to the constituency (or others). How does the CSIRT support its mission? • Determine the organizational model. How is the CSIRT structured and organized? • Identify required resources. What staff, equipment, and infrastructure are needed to operate the CSIRT? • Determine your CSIRT funding. How is the CSIRT funded for its initial startup and its long-term maintenance and growth?
  • 16. Step 4: Begin CSIRT Implementation Once management and constituency buy-in is obtained for the vision, begin the implementation: • Hire and train initial CSIRT staff. • Buy equipment and build any necessary network infrastructure to support the team. • Develop the initial set of CSIRT policies and procedures to support your services. • Define the specifications for and build your incident-tracking system. • Develop incident-reporting guidelines and forms for your constituency. BGA INFORMATION SECURITY & CONSULTING
  • 17. 45% 28% 14% 11% 2% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 0 1 2-5 5-10 10+ How many team members are fully dedicated to CSIRT? BGA INFORMATION SECURITY & CONSULTING
  • 18. Step 5: Evaluate the Effectiveness of the CSIRT Information on effectiveness can be gathered through a variety of feedback mechanisms, including: • Benchmarking against other CSIRTs • General discussions with constituency representatives • Evaluation surveys distributed to constituency members on a periodic basis • Creation of a set of criteria or quality parameters • Compare with Expectations for Computer Security Incident Response (RFC 2350) • Remember that Patience Can Be a Key! BGA INFORMATION SECURITY & CONSULTING
  • 19. How long it takes to respond Approximate average MTTI, MTTK, MTTF and MTTV experienced by organizations in an APT • Mean time to verify MTTV • Mean time to fix MTTF • Mean time to know MTTK • Mean time to identify MTTI BGA INFORMATION SECURITY & CONSULTING
  • 20. 80% 76% 67% 65% 56% 0% 20% 40% 60% 80% 100% Most effective security tools for detecting security breaches Anti-virus IP reputation & threat feed services Intrusion prevention/detection systems SIEM Analysis of NetFlow or packet captures BGA INFORMATION SECURITY & CONSULTING
  • 21. BGA INFORMATION SECURITY & CONSULTING
  • 22. Reactive Services Proactive Services Security Quality Management Services Alerts and Warnings Border Protection Device O&M Risk Analysis SOC Infrastructure O&M Incident Handling Custom Signature Creation Business Continuity and Disaster Recovery Planning • Incident analysis (Forensic & Tracking) Tool Research and Development • Incident response on site Security Audits or Assessments (Scan & Pentest) Security Consulting • Incident response support Tool Engineering and Deployment • Incident response coordination Configuration and Maintenance of Security Tools, Applications, and Infrastructures Awareness Building Vulnerability Handling Audit Data Collection and Distribution Education/Training • Vulnerability analysis • Vulnerability response Intrusion Detection Services Product Evaluation or Certification • Vulnerability response coordination Security-Related Information Dissemination Artifact Handling • Artifact analysis • Artifact response • Artifact response coordination BGA INFORMATION SECURITY & CONSULTING
  • 23. BGA INFORMATION SECURITY & CONSULTING
  • 24. BGA INFORMATION SECURITY & CONSULTING APT
  • 25. BGA INFORMATION SECURITY & CONSULTING
  • 27. What Is a SOC? The practice of defense against unauthorized activity within computer networks, including monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities. It includes: ◦ Computer Security Incident Response Team (CSIRT) ◦ Computer Incident Response Team (CIRT) ◦ Computer Incident Response Center (or Capability) (CIRC) ◦ Computer Security Incident Response Center (or Capability) (CSIRC) ◦ Security Operations Center (SOC) ◦ Cybersecurity Operations Center (CSOC) ◦ Computer Emergency Response Team (CERT) BGA INFORMATION SECURITY & CONSULTING
  • 28. SOC’s mission statement typically includes the following elements: 1. Prevention of cybersecurity incidents through proactive: a. Continuous threat analysis b. Network and host scanning for vulnerabilities c. Countermeasure deployment coordination d. Security policy and architecture consulting. 2. Monitoring, detection, and analysis of potential intrusions in real time and through historical trending on security-relevant data sources 3. Response to confirmed incidents, by coordinating resources and directing use of timely and appropriate countermeasures 4. Providing situational awareness and reporting on cybersecurity status, incidents, and trends in adversary behavior to appropriate organizations 5. Engineering and operating CND technologies such as IDSes and data collection/analysis systems. BGA INFORMATION SECURITY & CONSULTING
  • 29. Get Started 1. Founding: 0 to 6 Months 2. Build-Out: 6 to 12 Months 3. Initial Operating Capability: 12–18 Months 4. Full Operating Capability: 18 Months and More The best way to test a SOC is to measure the SOC’s performance in response to an actual Red Team penetration of constituency assets. BGA INFORMATION SECURITY & CONSULTING
  • 30. BGA INFORMATION SECURITY & CONSULTING SOC Roles and Incident Escalation
  • 31. BGA INFORMATION SECURITY & CONSULTING
  • 32. BGA INFORMATION SECURITY & CONSULTING
  • 33. Reactive Services Proactive Services Security Quality Management Services Alerts and Warnings Border Protection Device O&M Risk Analysis SOC Infrastructure O&M Incident Handling Custom Signature Creation Business Continuity and Disaster Recovery Planning • Incident analysis (Forensic & Tracking) Tool Research and Development • Incident response on site Security Audits or Assessments (Scan & Pentest) Security Consulting • Incident response support Tool Engineering and Deployment • Incident response coordination Configuration and Maintenance of Security Tools, Applications, and Infrastructures Awareness Building Vulnerability Handling Audit Data Collection and Distribution Education/Training • Vulnerability analysis • Vulnerability response Intrusion Detection Services Product Evaluation or Certification • Vulnerability response coordination Security-Related Information Dissemination Artifact Handling • Artifact analysis • Artifact response • Artifact response coordination BGA INFORMATION SECURITY & CONSULTING
  • 34. BGA INFORMATION SECURITY & CONSULTING
  • 35. BGA INFORMATION SECURITY & CONSULTING Typical SOC Tool Architecture Context to Tip-offs: Full- Spectrum CND Data
  • 36. The most prominent challenge for any monitoring system - particularly IDSes- is to achieve a high true positive rate. BGA INFORMATION SECURITY & CONSULTING
  • 37. No matter how good the tool or analyst, overzealous efforts to generate and aggregate huge amounts data into one place diminish the value of good data because it is lost in the noise of worthless data. Monitoring systems such as IDS and SIEM are not “fire and forget”—they require regular care and feeding. BGA INFORMATION SECURITY & CONSULTING
  • 38. BGA INFORMATION SECURITY & CONSULTING SIEM Overview • Perimeter network monitoring • Insider threat and audit • APT detection • Configuration monitoring. • Workflow and escalation • Incident analysis and network forensics • Incident analysis and network forensics • Policy compliance
  • 39. BGA INFORMATION SECURITY & CONSULTING
  • 40. BGA INFORMATION SECURITY & CONSULTING
  • 41. BGA INFORMATION SECURITY & CONSULTING Overlap Between SIEM, Network Management System, and LM
  • 42. Observations and Tips for Success ◦ Security and network management tools are not interchangeable. ◦ The best SIEMs were built from the ground up as SIEMs. ◦ Consider the whole package. ◦ A day to install; a year to operationalize. ◦ Each part of the SOC will use SIEM differently. ◦ A SIEM is only as good as the data you feed it. ◦ Automated response capabilities present the same challenges as IPS. BGA INFORMATION SECURITY & CONSULTING
  • 43. Let’s consider some dos and don’ts when we think the SOC has found something bad: ◦ Follow your SOPs. ◦ Don’t panic. ◦ Don’t jump to conclusions. ◦ Be careful about attribution. ◦ Assess the full extent of the intrusion. ◦ Understand the “so what?” ◦ Follow rules of evidence collection and documentation, when appropriate. ◦ Provide measured updates at measured times. ◦ Carefully assess the impact of countermeasures and response actions. ◦ Ensure the entire SOC is working toward the same goal. ◦ Don’t be afraid to ask for help. BGA INFORMATION SECURITY & CONSULTING
  • 44. BGA INFORMATION SECURITY & CONSULTING
  • 45. BGA INFORMATION SECURITY & CONSULTING
  • 46. BGA INFORMATION SECURITY & CONSULTING
  • 47. BGA INFORMATION SECURITY & CONSULTING
  • 48. BGA INFORMATION SECURITY & CONSULTING
  • 49. BGA INFORMATION SECURITY & CONSULTING
  • 50. BGA INFORMATION SECURITY & CONSULTING
  • 51. References [1] West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response Teams (CSIRTs) (CMU/SEI-98-HB-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1998. Note that this document was superceded by the 2nd edition (CMU/SEI-2003-HB-002), published in April 2003. [2] Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001 (ISBN: 3-8311-0059-4). [3] Kossakowski; Klaus-Peter & Stikvoort, Don. A Trusted CSIRT Introducer in Europe. Amersfoort, Netherlands: M&I/Stelvio, February, 2000. [4] Exposing One of China’s Cyber Espionage Units http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf [5] M-Trends® 2013: Attack the Security Gap http://pages.fireeye.com/MF0D0O0PDVp6y106k0TI0B3 [6] M-Trends® 2011: When Prevention Fails http://www.mandiant.com/assets/PDF_MTrends_2011.pdf [7] M-Trends® 2012: An Evolving Threat http://www.mandiant.com/assets/PDF_MTrends_2012.pdf [8] Cyber Security Incident Response 2014 http://www.lancope.com/files/documents/Industry-Reports/Lancope- Ponemon-Report-Cyber-Security-Incident-Response.pdf [9] Create a CSIRT https://www.cert.org/incident-management/products-services/creating-a-csirt.cfm [10] CSIRT Services list from CERT/CC https://www.enisa.europa.eu/activities/cert/support/guide/appendix/csirt-services BGA INFORMATION SECURITY & CONSULTING
  • 52. References [1] Wikimedia Foundation, Inc., “Advanced Persistent Threat,” 3 Feb 2014. [Online]. Available: http://en.wikipedia.org/wiki/Advanced_persistent_threat. [Accessed 13 Feb 2014]. [2] R. G. Bace, Intrusion Detection, Indianapolis: Macmillan Technical Publishing, 2000. [3] G. Killcrece, K.-P. Kossakowski, R. Ruefle and M. Zajicek, “State of the Practice of Computer Security Incident Response Teams (CSIRTs),” October 2003. [Online]. Available: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6571. [Accessed 13 Feb 2014]. [4] Killcrece, Georgia; Kossakowski, Klaus-Peter; Ruegle, Robin; Zajicek, Mark, “Organizational Models for Computer Security Incident Response Teams,” December 2003. [Online]. Available: www.cert.org/archive/pdf/03hb001.pdf. [Accessed 13 Feb 2014]. [5] S. Northcutt, Network Intrusion Detection (3rd Edition), Indianapolis: New Riders Publishing, 2002. [6] T. Parker, E. Shaw, E. Stroz, M. G. Devost and M. H. Sachs, Cyber Adversary Characterization: Auditing the Hacker Mind, Rockland, MA: Syngress Publishing, Inc., 2004. [7] L. Spitzner, Honeypots: Tracking Hackers, Addison-Wesley Professional, 2002. [8] M. J. West-Brown, D. Stikvoort, K.-P. Kossakowski, G. Killcrece, R. Ruefle and M. Zajicekm, “Handbook for Computer Security Incident Response Teams (CSIRTs),” April 2003. [Online]. Available: http://resources.sei.cmu.edu/library/asset- view.cfm?assetid=6305. [Accessed 13 Feb 2014]. BGA INFORMATION SECURITY & CONSULTING
  • 54. BGA INFORMATION SECURITY & CONSULTING