3. Agenda
• Introduction
• Cyber Attack in the world
• CSIRT statistics from USA & UK
• CSIRT efficiency measurement
• Best Practices for Creating a CSIRT
• Conclusion & Recommendation
• Questions
BGA INFORMATION SECURITY & CONSULTING
4. Challenges that today's security organizations have to deal with:
• Malware campaigns launched by organized criminal groups who look to steal information that can be sold on the black market
• Increasingly powerful distributed denial-of-service (DDoS) attacks that can take out large websites
• State-sponsored espionage that can penetrate even well-defended networks.
5. As attacks have become more sophisticated, the need for Computer Security Incident Response Teams (CSIRTs) has grown.
• Botnets
• Distributed denial-of-service (DDoS) attacks
• Insider threats
• Advanced persistent threats (APTs).
9. What Are the Questions?
• What are the basic requirements for establishing a CSIRT?
• What type of CSIRT will be needed?
• What type of services should be offered?
• How big should the CSIRT be?
• Where should the CSIRT be located in the organization?
• How much will it cost to implement and support a team?
• What are the initial steps to follow to create a CSIRT?
10. What Are Some Best Practices for Creating a CSIRT?
• Step #1: Obtain management support and buy-in
• Step #2: Determine the CSIRT strategic plan
• Step #3: Gather relevant information
• Step #4: Design the CSIRT vision
• Step #5: Communicate the CSIRT vision and operational plan
• Step #6: Begin CSIRT implementation
• Step #7: Announce the operational CSIRT
• Step #8: Evaluate CSIRT effectiveness
11. Step 1: Obtain Management Support and Buy-In
• Executive and business or department managers and their staffs need to commit time to participate in this planning process; their input is essential during the design effort.
• Along with obtaining management support for the planning and implementation process, it is equally important to get management commitment to sustain CSIRT operations and authority for the long term.
• It is important to elicit management's expectations and perceptions of the CSIRT's function and responsibilities.
13. [Chart] What percentage of your organization's security budget is allocated to incident response?
Response categories: More than 50%; 41% to 50%; 31% to 40%; 21% to 30%; 10% to 20%; Less than 10%.
Bar values as extracted (chart order): 1%, 2%, 5%, 11%, 31%, 50%.
14. Step 2: Determine the CSIRT Development Strategic Plan
• Are there specific time frames to be met? Are they realistic, and if not, can they be changed?
• Is there a project group? Where do the group members come from? You want to ensure that all stakeholders are represented.
• How do you let the organization know about the development of the CSIRT?
• If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?
15. Step 3: Gather Relevant Information
The stakeholders could include but are not limited to:
• Business managers
• Representatives from IT
• Representatives from the legal department
• Representatives from human resources
• Representatives from public relations
• Any existing security groups, including physical security
• Audit and risk management specialists
• General representatives from the constituency
16. Step 4: Design Your CSIRT Vision
In creating your vision, you should:
• Identify your constituency. Who does the CSIRT support and serve?
• Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified constituency?
• Select the CSIRT services to provide to the constituency (or others). How does the CSIRT support its mission?
• Determine the organizational model. How is the CSIRT structured and organized?
• Identify required resources. What staff, equipment, and infrastructure are needed to operate the CSIRT?
• Determine your CSIRT funding. How is the CSIRT funded for its initial startup and its long-term maintenance and growth?
17. Step 5: Communicate the CSIRT Vision
• Communicate the CSIRT vision and operational plan to management, your constituency, and others who need to know and understand its operations.
• Make adjustments to the plan based on their feedback.
• Communicating your vision in advance can help identify process or organizational problems before implementation.
• It is a way to let people know what is coming and allow them to provide input into CSIRT development. This is a way to begin marketing the CSIRT to the constituency and gaining the needed buy-in from all organizational levels.
18. Step 6: Begin CSIRT Implementation
Once management and constituency buy-in is obtained for the vision, begin the implementation:
• Hire and train initial CSIRT staff.
• Buy equipment and build any necessary network infrastructure to support the team.
• Develop the initial set of CSIRT policies and procedures to support your services.
• Define the specifications for and build your incident-tracking system.
• Develop incident-reporting guidelines and forms for your constituency.
19. [Chart] How many team members are fully dedicated to CSIRT?
Response categories: 0; 1; 2-5; 5-10; 10+.
Bar values as extracted (chart order): 45%, 28%, 14%, 11%, 2%.
20. Step 7: Announce the CSIRT
• When the CSIRT is operational, announce it broadly to the constituency or parent organization.
• Include the contact information and hours of operation for the CSIRT in the announcement.
• You may also want to develop information to publicize the CSIRT, such as a simple flyer or brochure outlining the CSIRT mission and services.
21. Step 8: Evaluate the Effectiveness of the CSIRT
Information on effectiveness can be gathered through a variety of feedback mechanisms, including:
• Benchmarking against other CSIRTs
• General discussions with constituency representatives
• Evaluation surveys distributed to constituency members on a periodic basis
• Creation of a set of criteria or quality parameters
• Compare with Expectations for Computer Security Incident Response (RFC 2350)
• Remember that Patience Can Be a Key!
22. How long it takes to respond: Approximate average MTTI, MTTK, MTTF and MTTV experienced by organizations in recent incidents
• Mean time to identify (MTTI)
• Mean time to know (MTTK)
• Mean time to fix (MTTF)
• Mean time to verify (MTTV)
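The four metrics above are named on the slide but not defined, and the deck gives no figures for them. The following Python is an added example, not code from the original deck or from the study it draws on, showing how a CSIRT could compute them from the milestones its incident-tracking system records. It assumes each metric is the mean of one interval between recorded milestones (occurred to identified for MTTI, identified to known for MTTK, known to fixed for MTTF, fixed to verified for MTTV); the IncidentTimeline class, the function names and the sample incidents are all constructed for the example.

```python
# Added example: computing MTTI / MTTK / MTTF / MTTV from incident timelines.
# Illustrative code only; the mapping of each metric to an interval between
# tracked milestones is an assumption, not a definition taken from the slides.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Assumed interval for each metric: (name, start milestone, end milestone).
METRIC_INTERVALS = [
    ("MTTI", "occurred", "identified"),   # mean time to identify
    ("MTTK", "identified", "known"),      # mean time to know (scope / root cause)
    ("MTTF", "known", "fixed"),           # mean time to fix (contain / remediate)
    ("MTTV", "fixed", "verified"),        # mean time to verify the fix held
]


@dataclass(frozen=True)
class IncidentTimeline:
    """Milestones an incident-tracking system records for one incident (hypothetical schema)."""
    incident_id: str
    occurred: datetime    # when the compromise began (often established after the fact)
    identified: datetime  # first moment the CSIRT knew something was wrong
    known: datetime       # scope and root cause understood
    fixed: datetime       # containment / remediation applied
    verified: datetime    # fix confirmed effective

    def intervals_hours(self) -> dict:
        """Length of each assumed interval in hours; raises on an inconsistent timeline."""
        problem = validation_error(self)
        if problem:
            raise ValueError(problem)
        return {
            name: (getattr(self, end) - getattr(self, start)) / timedelta(hours=1)
            for name, start, end in METRIC_INTERVALS
        }


def validation_error(tl: IncidentTimeline) -> Optional[str]:
    """Describe the first out-of-order milestone, or return None if the record is consistent.

    A fix timestamped before the incident was understood, or a verification before
    the fix, is normally a data-entry error in the tracking system. Such records
    would silently distort the averages, so they are rejected instead."""
    for _, start, end in METRIC_INTERVALS:
        if getattr(tl, end) < getattr(tl, start):
            return f"{tl.incident_id}: '{end}' precedes '{start}'"
    return None


def mean_times(timelines) -> dict:
    """Mean hours per metric across the given incidents (the MTTx figures)."""
    per_incident = [tl.intervals_hours() for tl in timelines]
    if not per_incident:
        raise ValueError("no incidents to average")
    return {name: mean(row[name] for row in per_incident)
            for name, _, _ in METRIC_INTERVALS}


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records (not real incidents).
SAMPLE_INCIDENTS = [
    IncidentTimeline("INC-1", _t("2014-03-01 08:00"), _t("2014-03-03 08:00"),
                     _t("2014-03-03 20:00"), _t("2014-03-04 02:00"), _t("2014-03-04 08:00")),
    IncidentTimeline("INC-2", _t("2014-03-10 00:00"), _t("2014-03-11 00:00"),
                     _t("2014-03-11 06:00"), _t("2014-03-11 10:00"), _t("2014-03-11 12:00")),
    # Caught in real time by monitoring: the identify interval is zero hours.
    IncidentTimeline("INC-3", _t("2014-03-20 12:00"), _t("2014-03-20 12:00"),
                     _t("2014-03-20 15:00"), _t("2014-03-20 17:00"), _t("2014-03-20 21:00")),
]

# Constructed bad record: verification timestamped before the fix.
INVALID_TIMELINE = IncidentTimeline(
    "INC-BAD", _t("2014-04-01 00:00"), _t("2014-04-01 01:00"),
    _t("2014-04-01 02:00"), _t("2014-04-01 05:00"), _t("2014-04-01 04:00"))

if __name__ == "__main__":
    for name, hours in mean_times(SAMPLE_INCIDENTS).items():
        print(f"{name}: {hours:.1f} h")
    print("rejected record:", validation_error(INVALID_TIMELINE))
```

Keeping the metric definitions in one table (METRIC_INTERVALS) is deliberate: the slide's conclusion asks for metrics that can be explained to the business, and a team that changes what "identified" or "known" means only has to change that table and the milestone fields its tracking system captures.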
23. [Chart] Most effective security tools for detecting security breaches
Tools listed: Anti-virus; IP reputation & threat feed services; Intrusion prevention/detection systems; SIEM; Analysis of NetFlow or packet captures.
Bar values as extracted (chart order): 80%, 76%, 67%, 65%, 56%.
27. Conclusion & Recommendations
• Make it a priority to build an incident response team consisting of experienced, full-time members
• Assess the readiness of incident response team members on an ongoing basis
• Create clearly defined rules of engagement for the incident response team
• Translate the results of these measures into user-friendly business communications
• Involve multi-disciplinary areas of the organization in the incident response process
• Invest in technologies that support the collection of information to identify potential threats
• Consider sharing threat indicators with third-party organizations to foster collaboration
• Have meaningful operational metrics to gauge the overall effectiveness of incident response