From the Phoenix ISACA Chapter April Meeting. From time to time Terra Verde receives frantic phone calls or dreaded SMS texts from clients with the message "Call me ASAP 911!". Once on the phone, the most eloquent explanations usually yield the same outcome: "We do not know what's happening! Please come help!" They just called the cavalry. Hypotheses are then created based on data, cross-related with hunches and supported by collective wisdom (best practices). This presentation uses a real-life case study (identities withheld for professional and legal reasons) to propose a method of static root-cause analysis that reduces response time and unifies criteria when you are forced to determine whether or not hacking has taken place in your environment.
Initial Discovery
• The panic sets in: you think your company has been breached!
• So, what do you do?
First steps
• First things first.
• STOP, THINK, ANALYZE, THINK AGAIN,
• PROCEED and assemble your Response Team
(PR, HR, C level, IT, Legal, Subject Matter Experts)
• You don't know what you don't know
• Let's fix that one first and then adopt the following motto:
• Do it right instead of quick!
• Start documenting EVERYTHING.
Agenda
• Breach response recipe (lessons learned in the field)
• Step 1: Confirm the breach
• Step 2: Contain the breach
• Step 3: Understand and investigate the breach
• Step 4: Report the breach (IC3)
• Step 5: Determine the cause
• Step 6: Communicate the breach?
• Step 7: Remediation
• Step 8: Proactive Security Protection
Step 1: Confirm the breach
Signs of a breach:
• Site defacement
• Email attachments where sender is CEO or equivalent
• Abnormal activity on privileged user accounts
• Failed log-in attempts — retailers beware
• Malware infection (the likelihood of keyloggers and memory scrapers is high)
• Abnormal network traffic, including ICMP, HTTP, and HTTPS (e.g. network connections to the EU when your business is local)
• Your webcam light flickers on briefly
• Strange large files appear on the network.
• Sudden spikes in outbound DNS traffic.
• Your confidential data landed in PasteBin, ipaste.eu
• You have been informed by an authoritative source
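Several of the signs above (failed log-in bursts, privileged-account activity at odd hours, outbound DNS spikes) are visible in ordinary logs before any forensic tooling comes out. The script below is an added example, not part of the original slides: it runs those three checks over constructed sample records. The log lines, the 10.0.0.0/8 assumption for "inside", the business-hours window and the thresholds are all assumptions to be tuned to your own environment.

```python
"""Added example (not from the original slides): first-pass checks for
three log-based "signs of a breach" over constructed sample records."""
from collections import Counter
from datetime import datetime

# Constructed auth log: "<ISO time> <user> <result> <source ip>"
AUTH_LOG = """\
2014-04-10T02:13:01 svc_backup FAIL 198.51.100.7
2014-04-10T02:13:03 svc_backup FAIL 198.51.100.7
2014-04-10T02:13:05 svc_backup FAIL 198.51.100.7
2014-04-10T02:13:06 svc_backup FAIL 198.51.100.7
2014-04-10T02:13:08 svc_backup FAIL 198.51.100.7
2014-04-10T02:13:10 svc_backup FAIL 198.51.100.7
2014-04-10T02:14:00 svc_backup OK 198.51.100.7
2014-04-10T03:02:11 admin OK 10.0.0.12
2014-04-10T09:30:00 jdoe OK 10.0.0.41
2014-04-10T09:31:12 jdoe FAIL 10.0.0.41
""".splitlines()

# Constructed outbound DNS query counts per minute (as a resolver log would give)
DNS_PER_MINUTE = {
    "09:00": 120, "09:01": 135, "09:02": 118, "09:03": 2400, "09:04": 2600,
}

PRIVILEGED = {"admin", "svc_backup"}   # assumed list of privileged accounts
FAILED_LOGIN_THRESHOLD = 5            # assumed: failures from one IP worth a look
DNS_SPIKE_FACTOR = 5.0                # assumed: multiple of the median minute
BUSINESS_HOURS = range(8, 19)         # assumed: 08:00-18:59 local


def parse_auth(lines):
    """Turn the constructed auth lines into (timestamp, user, result, ip)."""
    events = []
    for line in lines:
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Source IPs with at least `threshold` failed log-ins (sign: failed log-in attempts)."""
    fails = Counter(ip for _, _, result, ip in events if result == "FAIL")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def privileged_off_hours(events, privileged=PRIVILEGED, hours=BUSINESS_HOURS):
    """Successful privileged log-ins outside business hours (sign: abnormal privileged activity)."""
    return [(user, ts.isoformat()) for ts, user, result, _ in events
            if result == "OK" and user in privileged and ts.hour not in hours]


def dns_spikes(per_minute, factor=DNS_SPIKE_FACTOR):
    """Minutes whose query count exceeds `factor` times the median minute (sign: DNS spike)."""
    counts = sorted(per_minute.values())
    median = counts[len(counts) // 2]
    return [minute for minute, n in per_minute.items() if n > factor * median]


def triage(auth_lines=AUTH_LOG, dns=DNS_PER_MINUTE):
    """Collect all three findings in one report for the response team."""
    events = parse_auth(auth_lines)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "privileged_off_hours": privileged_off_hours(events),
        "dns_spike_minutes": dns_spikes(dns),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

Each finding on its own is a lead, not proof; the combination here (a burst of failures followed by a success on a privileged service account at 02:14, then a DNS spike) is what turns "we think" into "treat it as a breach until confirmed otherwise".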
Step 1: Confirm the breach
Places to check, things to do:
• Start your "chain of custody". Not just the forms; document everything.
• Proceed with caution and treat the event as a breach until confirmed otherwise (e.g. pull the plug, memory image, disk image).
• Log files
• Your ISP?
• Extortion attempt.
Step 1: Confirm the breach
Tools
• Old friends: grep, sed, awk, top, sysinternals, dumpit
• Open source tools: Filemon, Snort, Wireshark, volatility
• IDS, NetFlow, and external threat data (don't forget the flow)
Useful findings:
• Flooded logs, files appearing and disappearing, intermittent processes.
Step 2: Contain the breach
• Collect the current state of the systems, as much as you can (e.g. memory dump and disk image).
• Update your “chain of custody” documentation.
• Confirm your response team.
• Time to notify? Check legal and contract requirements.
• With information from previous phase (when applicable):
• Isolate breached system, some options:
• Connect system to its own network (isolated from the rest)
• Unplug the net.
• Add ACLs that reduce propagation via TCP/UDP
• Apply critical fix that closes the vulnerability
• In the event of a virus (most of the time, cleaning is not an option)
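"Collect the current state" and "update your chain of custody" go together: an image nobody can prove is unaltered is worth little to legal or to law enforcement. The following is an added example, not part of the original slides, of the minimal record a responder keeps for a collected image: hash at acquisition, who collected it and how, one entry per hand-off, and a verification before analysis. The file, the people and the tool name in the record are constructed stand-ins.

```python
"""Added example (not from the original slides): a minimal chain-of-custody
record for a collected evidence image, with hash verification."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def new_record(path, collector, system, method):
    """Create the custody record at acquisition time (hash + size + first handler)."""
    return {
        "evidence": os.path.basename(path),
        "source_system": system,
        "acquisition_method": method,
        "sha256": sha256_file(path),
        "size_bytes": os.path.getsize(path),
        "custody": [{"action": "collected", "by": collector,
                     "at": datetime.now(timezone.utc).isoformat()}],
    }


def transfer(record, from_person, to_person, note=""):
    """Append one entry per hand-off; the list is never rewritten, only extended."""
    record["custody"].append({"action": "transferred", "from": from_person,
                              "to": to_person, "note": note,
                              "at": datetime.now(timezone.utc).isoformat()})
    return record


def verify(record, path):
    """True only if the image still matches the hash and size taken at collection."""
    return (os.path.getsize(path) == record["size_bytes"]
            and sha256_file(path) == record["sha256"])


def to_json(record):
    """Serialise for the case file (keep this beside the image, and a copy elsewhere)."""
    return json.dumps(record, indent=2)


def demo(tmpdir=None):
    """Walk through collect -> transfer -> verify, then show a modified image failing."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    image = os.path.join(tmpdir, "host42-mem.raw")   # constructed stand-in for a memory image
    with open(image, "wb") as f:
        f.write(b"MEMORY IMAGE STAND-IN " * 1000)
    rec = new_record(image, "A. Analyst", "host42", "memory dump tool (assumed)")
    transfer(rec, "A. Analyst", "B. Examiner", "sealed bag, hand-carried")
    intact_before = verify(rec, image)
    with open(image, "ab") as f:            # simulate an accidental write after hand-off
        f.write(b"\x00")
    return rec, intact_before, verify(rec, image)


if __name__ == "__main__":
    rec, before, after = demo()
    print(to_json(rec))
    print("verified before modification:", before, "| after:", after)
```

Run `verify` again each time the image changes hands and before every analysis session; a failed check is itself an event to document, not something to quietly re-hash over.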
Step 2: Contain the breach
Tools:
• Pull the plug (either network / power)
• IPS
• ACLs
• Firewalls
• Account removal
Step 3: Understand and investigate the breach
• Any recent terminations?
• Unable to identify the source and target of the breach?
• Unsure if breach has been contained?
• Crime? (If yes, local law enforcement)
• Legal or contractual obligation?
If the answer is "Yes" or "I don't know" to any of these, then you need help.
• Professional security forensic services expertise
• Contact legal services with InfoSec expertise
• Update the “Chain of Custody”
Step 3: Understand and investigate the breach
Tools:
• Autopsy
• The Sleuth Kit
• Kali
• dd combined with Live View
• Dumpit
• Volatility Framework
• Encase
• FTK
• Microsoft COFEE (law enforcement)
Step 4: Report the breach (IC3)
• Consult legal; have them review SLAs and contracts. State requirements change, so have them check those too.
• Is your organization a covered entity or business associate in the health care market? The omnibus rule applies to you.
• Contact local police
• Contact local FBI office
• File IC3 report
• Contact your ISP
• Prepare for media (leaks of a breach by law enforcement have been known to happen)
Step 4: Report the breach (IC3)
Resources:
• http://www.ic3.gov/default.aspx
• http://www.fbi.gov/phoenix/
Step 5: Determine the cause
• Identify entry and exit points
• What was taken?
• Any correlation point from previous phases?
Step 5: Determine the cause
Tools
• SMEs' opinions
• ntop (NetFlow analysis)
• Memory dump analysis
• Follow the money
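Flow data is where "identify entry and exit points" usually gets answered: the first external contact with a host you already know is compromised is the entry candidate, internal flows from that host show where it went next, and the largest transfer from any of those hosts to the outside is the exit candidate. The script below is an added example, not from the original slides, over constructed NetFlow-style records; the 10.0.0.0/8 internal range and the single starting host are assumptions.

```python
"""Added example (not from the original slides): correlating flow records
to find candidate entry and exit points starting from one known-bad host."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Constructed NetFlow-style records: (start time, src, dst, dst port, bytes)
FLOWS = [
    ("2014-04-09T22:41:05", "203.0.113.50", "10.0.0.25", 443, 5_200),
    ("2014-04-09T22:41:40", "10.0.0.25", "203.0.113.50", 443, 1_800),
    ("2014-04-10T01:10:00", "10.0.0.25", "10.0.0.12", 445, 900_000),
    ("2014-04-10T01:15:00", "10.0.0.12", "198.51.100.9", 443, 48_000_000),
    ("2014-04-10T09:00:00", "10.0.0.41", "192.0.2.10", 80, 12_000),
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def timeline(flows, seed):
    """Walk flows in time order; any internal host contacted by a compromised
    host joins the compromised set (a coarse lateral-movement estimate)."""
    compromised = set(seed)
    for _, src, dst, _, _ in sorted(flows, key=lambda f: f[0]):
        if src in compromised and is_internal(dst):
            compromised.add(dst)
    return compromised


def first_inbound(flows, compromised):
    """Earliest external -> compromised-host flow: the entry-point candidate."""
    inbound = [f for f in flows if f[2] in compromised and not is_internal(f[1])]
    return min(inbound, key=lambda f: f[0]) if inbound else None


def lateral(flows, compromised):
    """Internal -> internal flows originating from compromised hosts."""
    return [f for f in flows if f[1] in compromised and is_internal(f[2])]


def top_exfil(flows, compromised, n=3):
    """Largest internal -> external transfers from compromised hosts: exit candidates."""
    outbound = [f for f in flows if f[1] in compromised and not is_internal(f[2])]
    return sorted(outbound, key=lambda f: -f[4])[:n]


def entry_exit_report(flows=FLOWS, seed=("10.0.0.25",)):
    """One structure answering the three Step 5 questions for the case file."""
    hosts = timeline(flows, seed)
    return {
        "compromised_hosts": sorted(hosts),
        "entry_candidate": first_inbound(flows, hosts),
        "lateral_flows": lateral(flows, hosts),
        "exit_candidates": top_exfil(flows, hosts),
    }


if __name__ == "__main__":
    for key, value in entry_exit_report().items():
        print(f"{key}: {value}")
```

The "compromised set grows when touched" rule over-approximates on purpose: it is cheaper to clear a host the flows falsely implicated than to miss one, and each host it adds is a correlation point to check against the memory dumps and logs from the earlier phases.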
Step 6: Communicate the breach?
When appropriate and cleared by legal counsel.
• Business requirements
• Financial Requirements (FTC, PCI, etc.)
• Legal requirements (HIPAA, FTC, etc.)
• State requirements
• The Arizona breach disclosure law requires disclosure of data breaches without unreasonable delay. Arizona residents may be notified of breaches by phone. The law provides for civil and criminal penalties, but Arizona residents do not have the right of private legal action.
• Ariz. Rev. Stat. 44-7501 (http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44)
Step 7: Remediation
• Reset Your Passwords
• Update and Scan
• Take Back Your Accounts
• Check for Backdoors
• Follow the Money
• Perform a Security Audit on All Your Affected Accounts
• De-Authorize All Those Apps
• Monitor financials (keep an eye on the money)
Step 7: Remediation
Tools:
• Logs
• IDS
• ISP assistance
• Forensic analysis
Step 8: Proactive Security Protection
There is a proven ROI in the following:
• Monitoring
• Security events log correlation
• Business Impact Analysis
• Disaster Recovery Plan
• Business Continuity Plan
• Endpoint security
• Managed Security Services
• Incident response plans (tested of course)
Step 8: Proactive Security Protection
Resources:
• Your own or a managed security operations center: eyes in the sky when your eyelids are tired or closed.
• Early warnings and detection.
• Let's stop using templates. Your policies and procedures are only as good as your enforcement of them, and only useful if they apply to your own unique, realistic situation.
• Scanning, patching, passwords and perimeter security are very good, but they are only a technical layer.
• Have a plan and test it!
Questions/Suggestions/Tips
General advice
• Don't have a fight with your hair stylist when you are about to get a haircut.
• Public relations is often overlooked
• Insurance
• Monitoring 24/7 pays off
• Alerting 24/7 more than pays off