
False Alarm? Incident Management Case Study


DESCRIPTION

From the Phoenix ISACA Chapter April Meeting. From time to time Terra Verde receives frantic phone calls or dreaded SMS texts from clients with the message "Call me ASAP 911!". Once on the phone, the most eloquent explanations usually yield the same outcome: "We do not know what's happening! Please come help!" They just called the cavalry... Hypotheses are then created based on data, cross-related with hunches and supported by collective wisdom (best practices). This presentation uses a real-life case study (identities withheld for professional and legal reasons) to propose a method of static root-cause analysis that reduces response time and unifies criteria when you are forced to determine whether or not hacking has taken place in your environment.


Page 1: False Alarm? Incident Management Case Study

FALSE ALARM?

Incident Management Case Study

Carlos Villalba

[email protected]


Initial Discovery

• The panic sets in: You think your company has been breached!

• So, what do you do?


First steps

• First things first.

• STOP, THINK, ANALYZE, THINK AGAIN,

• PROCEED and assemble your Response Team (PR, HR, C level, IT, Legal, Subject Matter Experts)

• You don't know what you don't know

• Let's fix that one first and then adopt the following motto:

• Do it right instead of quick!

• Start documenting EVERYTHING.


Agenda

• Breach response recipe (lessons learned in the field)

• Step 1: Confirm the breach

• Step 2: Contain the breach

• Step 3: Understand and investigate the breach

• Step 4: Report the breach (IC3)

• Step 5: Determine the cause

• Step 6: Communicate the breach?

• Step 7: Remediation

• Step 8: Proactive Security Protection


Step 1: Confirm the breach

Signs of a breach:

• Site defacement

• Email attachments where sender is CEO or equivalent

• Abnormal activity on privileged user accounts

• Failed log-in attempts — retailers beware

• Malware infection (The likelihood of key loggers and memory scrapers is high)

• Abnormal network traffic including ICMP, HTTP, and HTTPS. (e.g. Network connections to the EU when your business is local)

• Your webcam light flickers on briefly

• Strange large files appear on the network.

• Sudden spikes in outbound DNS traffic.

• Your confidential data landed in PasteBin, ipaste.eu

• You have been informed by an authoritative source
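As an added example (not part of the deck), the Python below applies two of the signs above to constructed log data: it finds bursts of failed log-ins per user and source address, and flags hosts whose hourly outbound DNS query volume jumps far above their recent baseline. The log lines, host names, counts and thresholds are all constructed assumptions, not figures from the case study.

```python
"""Triage helper for two breach signs on the slide: a burst of failed
log-ins and a sudden spike in outbound DNS queries (constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style auth lines (not from any real system).
AUTH_LOG = """\
2024-03-01T02:10:05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:06 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:08 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:09 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:11 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:15:00 sshd: Failed password for jdoe from 192.0.2.10
"""
# Constructed hourly outbound DNS query counts per host, oldest first.
DNS_COUNTS = {
    "pos-01": [120, 110, 130, 125, 115, 118, 2400],  # last hour spikes
    "hr-pc-3": [90, 95, 80, 100, 85, 92, 97],        # steady
}

def failed_login_bursts(log_text, limit=4, window_s=60):
    """(user, src) -> largest failure count in any window_s-second window,
    reported only when it exceeds limit (thresholds are assumptions)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts_str, rest = line.split(" ", 1)
        if "Failed password for" not in rest:
            continue
        user = rest.split("for ", 1)[1].split(" from ")[0]
        src = rest.rsplit("from ", 1)[1]
        events[(user, src)].append(datetime.fromisoformat(ts_str).timestamp())
    hits = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:  # slide window forward
                start += 1
            if end - start + 1 > limit:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits

def dns_spikes(counts, factor=5.0):
    """host -> ratio where the latest hour exceeds factor x median of earlier hours."""
    flagged = {}
    for host, series in counts.items():
        baseline = sorted(series[:-1])[(len(series) - 1) // 2]
        if series[-1] > factor * baseline:
            flagged[host] = round(series[-1] / baseline, 1)
    return flagged
```

Both functions return only the accounts and hosts worth a closer look, which is the input to the "confirm before you call it a breach" decision this step is about.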


Step 1: Confirm the breach

Places to check, things to do:

• Start your “chain of custody”. Not just the forms: document everything.

• Proceed with caution and treat the event as a breach until confirmed otherwise. (e.g. Pull the plug, memory image, disk image)

• Log files

• Your ISP?

• Extortion attempt.


Step 1: Confirm the breach

Tools

• Old friends: grep, sed, awk, top, sysinternals, dumpit

• Open source tools: Filemon, Snort, Wireshark, volatility

• IDS, Netflow, and external threat data (Don’t forget the flow)

Useful findings:

• Flooded logs, files appearing and disappearing, intermittent processes.


Step 2: Contain the breach

• Collect the current state of the systems. As much as you can (e.g. Memory dump and disk image).

• Update your “chain of custody” documentation.

• Confirm your response team.

• Time to notify? Check legal and contract requirements.

• With information from the previous phase (when applicable):

• Isolate the breached system, some options:

  • Connect the system to its own network (isolated from the rest)

  • Unplug the net.

  • Add ACLs that reduce propagation via TCP/UDP

  • Apply the critical fix that closes the vulnerability

  • In the event of a virus (most of the time, cleaning is not an option)
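The "document everything" and "collect memory dump and disk image" points of steps 1 and 2 can be backed by a tamper-evident custody ledger. The Python below is an added example, not the deck's or Terra Verde's own tooling; the entry fields, the hash-chaining of entries and the constructed evidence file are assumptions.

```python
"""Chain-of-custody ledger for evidence collected in steps 1 and 2 (memory
dump, disk image). Added example; field names and chaining are assumptions."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # chunked: images are big
            h.update(block)
    return h.hexdigest()

def ledger_lines(path):
    with open(path) as f:  # caller guarantees the ledger exists
        return f.read().splitlines()

def record_evidence(ledger_path, evidence_path, collector, note):
    """Append a JSON-lines entry that commits to the evidence hash and the previous entry."""
    lines = ledger_lines(ledger_path) if os.path.exists(ledger_path) else []
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else "0" * 64
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "collector": collector, "item": os.path.basename(evidence_path),
             "sha256": sha256_file(evidence_path), "note": note, "prev": prev}
    with open(ledger_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_ledger(ledger_path):
    """True if every entry's prev field equals the hash of the line before it."""
    expected = "0" * 64
    for line in ledger_lines(ledger_path):
        if json.loads(line)["prev"] != expected:
            return False
        expected = hashlib.sha256(line.encode()).hexdigest()
    return True

def demo():
    """Constructed evidence in a temp dir: record twice, verify, then tamper."""
    d = tempfile.mkdtemp()
    img = os.path.join(d, "ws-07-mem.raw")
    Path(img).write_bytes(b"CONSTRUCTED MEMORY IMAGE\n" * 4096)
    ledger = os.path.join(d, "custody.jsonl")
    record_evidence(ledger, img, "analyst-1", "memory image, before power-off")
    record_evidence(ledger, img, "analyst-2", "re-hashed on receipt at lab")
    intact = verify_ledger(ledger)
    lines = ledger_lines(ledger)
    lines[0] = lines[0].replace("analyst-1", "analyst-9")  # alter first entry
    Path(ledger).write_text("\n".join(lines) + "\n")
    return intact, verify_ledger(ledger)
```

Re-hashing the image at each hand-off and chaining the entries means a later edit to who collected what, or to an evidence hash, breaks verification instead of passing unnoticed.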


Step 2: Contain the breach

Tools:

• Pull the plug (either network / power)

• IPS

• ACLs

• Firewalls

• Account removal


Step 3: Understand and investigate the breach

• Any recent terminations?

• Unable to identify the source and target of the breach?

• Unsure if breach has been contained?

• Crime? (If yes, local law enforcement)

• Legal or contractual obligation?

If the answer is “Yes” or “I don’t know” to any, then you need help.

• Professional security forensic services expertise

• Contact legal services with InfoSec expertise

• Update the “Chain of Custody”


Step 3: Understand and investigate the breach

Tools:

• Autopsy

• The Sleuth Kit

• Kali

• dd combined with Live View

• Dumpit

• Volatility Framework

• Encase

• FTK

• Microsoft COFEE (Law enforcement)


Step 4: Report the breach (IC3)

• Consult legal, have them review SLAs and contracts. State requirements change, have them check that.

• Is your organization a covered entity or business associate in the health care market? The omnibus rule applies to you.

• Contact local police

• Contact local FBI office

• File IC3 report

• Contact your ISP

• Prepare for media (Leakages of breach by law enforcement have been known to happen)


Step 4: Report the breach (IC3)

Resources:

• http://www.ic3.gov/default.aspx

• http://www.fbi.gov/phoenix/


Step 5: Determine the cause

• Identify entry and exit points

• What was taken?

• Any correlation point from previous phases?


Step 5: Determine the cause

Tools

• SME’s opinion

• Ntop (netflow analysis)

• Memory dump analysis

• Follow the money


Step 6: Communicate the breach?

When appropriate and cleared by legal counsel.

• Business requirements

• Financial Requirements (FTC, PCI, etc.)

• Legal requirements (HIPAA, FTC, etc.)

• State requirements

• The Arizona breach disclosure law requires disclosure of data breaches without unreasonable delay. Arizona residents may be notified of breaches by phone. The law provides for civil and criminal penalties, but Arizona residents do not have the right of private legal action.

• Ariz. Rev. Stat. 44-7501 (http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44)


Step 7: Remediation

• Reset Your Passwords

• Update and Scan

• Take Back Your Accounts

• Check for Backdoors

• Follow the Money

• Perform a Security Audit on All Your Affected Accounts

• De-Authorize All Those Apps

• Monitor financials (keep an eye on the money)


Step 7: Remediation

Tools:

• Logs

• IDS

• ISP assistance

• Forensic analysis


Step 8: Proactive Security Protection

There is a proven ROI in the following:

• Monitoring

• Security events log correlation

• Business Impact Analysis

• Disaster Recovery Plan

• Business Continuity Plan

• Endpoint security

• Managed Security Services

• Incident response plans (tested of course)


Step 8: Proactive Security Protection

Resources:

• Your own or managed security operations center. Eyes in the sky when your eyelids are tired or closed.

• Early warnings and detection.

• Let’s stop using templates. Your policies and your procedures are only as good as your enforcement of them, and only if they apply to your own unique and realistic situation.

• Scanning, patching, passwords and perimeter security are very good, but only a mere technical layer.

• Have a plan and test it!


Questions/Suggestions/Tips

General advice

• Don’t have a fight with your hair stylist when you are about to get a haircut.

• Public relations is often overlooked

• Insurance

• Monitoring 24/7 pays off

• Alerting 24/7 more than pays off