Post on 22-Apr-2015
You have been attacked!
So what’s next?
Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
13th Info-Security Conference 2012, 8th May 2012 @ Hong Kong
Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
Member of:
• SANS Advisory Board
• Digital Phishnet
• ACFE
Consulted for setting up IR capabilities at critical infrastructure companies.
Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks.
Dropped out of PhD to run a startup making IPS boxes.
Now a security ronin.
Who am I?
1. Incident response process
2. Incident response organization structure
3. Incident response triage – a brief overview
4. Incident response preliminary containment
Agenda
You’ve been attacked!
So what’s next?
1. Stay calm
2. Write down:
   1. When?
   2. Where?
   3. Why?
   4. What?
   5. How?
   (6. Who?)
3. Keep a log; log all communications
4. Need-to-Know policy and out-of-band communications
5. Stop the bleeding (containment) first
6. Seek professional help
1. Know the problem (identification)
2. Protect your bases (might involve forensic acquisition)
3. Get rid of the problem (eradication)
4. Get back in business (recovery)
5. Lessons-Learned report
For the Unprepared
Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
Incident Response Process
Report (w/ Initial Severity)
Interpretation Verification
Severity Assessment
Prioritization
Head of CSIRT
Incident Handler
Incident Responder
Incident Analyst
SOC
CSIRT (Computer Security Incident Response Team)
Incident Handling
• Sole interface of CSIRT
• Management liaison
• Clients liaison
• Legal / Compliance / HR / PR liaison
• Peer CSIRT / CERT and LE liaison
• Incident response coordination
• Incident response log keeping
Incident Response
• All the technical work
• Most outsourceable
Core Functions
(Common Functions)
• Preparation and Planning
• Policies, procedures and banners
• Incident response protocol and plan
• Agreements with and pre-approvals from legal / compliance / HR
• Asset classification
• Support infrastructure (logging, IDS, patch management, BCP, DR, incident reporting, guideline & education, etc.)
• etc. etc.
So how did you know you’ve been attacked?
• A little bird told you…
• You made headline news…
• IT guy reports abnormal behavior…
Identification
1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream
Alert
Alert triggered. What the hell just happened? How serious was that? How to deal with it?
Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
Where Does Triage Belong?
Report (w/ Initial Severity)
Interpretation Verification
Severity Assessment
Prioritization
Report (w/ Initial Severity) / Interpretation
• Alerts (IDS, AV, SIEM, etc.) came in with pre-assigned severity
Verification
• Is it material? (e.g. software X alerts when no software X installed)
Severity Assessment
• Damage already done
• Potential for further damage
Prioritization
• Deal with most severe cases first
Triage Stages
(or, verification)
1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does / would that data tell you?
Alexiou Principle
What Questions Are You Trying to Answer?
Breadth-First Search
What Data Do You Need to Answer that Question?
“Every contact leaves a trace.”
Locard Exchange Principle
…or, “Keep It Simple Stupid”
Occam’s Razor
(or, severity assessment & prioritization)
Risk = Likelihood × Impact × Asset Value
Likelihood: always 100% (it already happened)
1. Asset values
   1. Classify your assets NOW!
2. Incident impact
   1. Damage
   2. Scope
Focus on…
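As an added example (not from the talk), the triage stages above, Report → Interpretation → Verification → Severity Assessment → Prioritization, and the Risk = Likelihood × Impact × Asset Value rule, applied to the proxy alert shown earlier. The Squid-format regex, the asset inventory, the mapping from the kit's spl parameter to the targeted software, and the use of the sensor's initial severity as the Impact term are all my assumptions.

```python
import re

# Squid native access-log fields (regex is mine, following the documented
# format): time elapsed client code/status bytes method URL ident hier/peer type
SQUID_RE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>\S+)")
# The alert from the slide, re-joined onto one line.
SLIDE_LINE = ("1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET "
              "http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - "
              "DIRECT/122.115.63.6 application/octet-stream")
# Constructed asset inventory: classified value (1-5) and installed software.
INVENTORY = {
    "192.168.1.120": {"value": 5, "software": {"java", "acrobat"}},
    "192.168.1.121": {"value": 2, "software": {"acrobat"}},
}
# Constructed mapping from the kit's "spl" parameter to the software it targets.
SPL_TARGETS = {"java_gsb": "java", "pdf": "acrobat"}

def parse_squid(line):
    """Interpretation, part 1: turn the raw proxy line into named fields."""
    m = SQUID_RE.match(line)
    if not m:
        raise ValueError("not a Squid access-log line")
    return m.groupdict()

def interpret(rec):
    """Interpretation, part 2: which software does the kit URL target?"""
    m = re.search(r"[?&]spl=([^&\s]+)", rec["url"])
    return SPL_TARGETS.get(m.group(1)) if m else None

def verify(rec, target):
    """Verification: material only if the client actually runs the targeted
    software and the proxy really served a body (HTTP 200, bytes > 0)."""
    host = INVENTORY.get(rec["client"])
    served = rec["result"].endswith("/200") and int(rec["bytes"]) > 0
    return bool(host and target in host["software"] and served)

def severity(rec, impact):
    """Severity assessment: Risk = Likelihood x Impact x Asset Value, with
    Likelihood fixed at 1.0 because the event has already happened."""
    return 1.0 * impact * INVENTORY[rec["client"]]["value"]

def triage(alerts):
    """Prioritization: drop immaterial alerts, return the rest most severe
    first. alerts is a list of (log_line, initial_severity_from_sensor)."""
    queue = []
    for line, initial in alerts:
        rec = parse_squid(line)
        target = interpret(rec)
        if target and verify(rec, target):
            queue.append((severity(rec, initial), rec["client"], target))
    return sorted(queue, reverse=True)
```

The same alert against a host without Java drops out at verification, which is the "software X alerts when no software X installed" case from the triage slide.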
Oft-Neglected Dimension
(2×2 matrix; axes: Existing Damage and Scope vs. Potential Damage and Scope)
• Standard Mitigation
• Immediate Attention!
• Intensive Care
Know thyself, know thy enemy,
then you shall not perish.
知己知彼,百戰不殆
Compromised Entities
Malware Capability
Exploit Chainability
Ease of Attack
Potential Scope and Damage
Know Thyself
Know Thy Enemy
Artifact Hemisphere
Intellectual Hemisphere
Small immaterial weaknesses can combine to become material ones.
Exploit Chainability
Reason’s Swiss Cheese Model
From Duke University Medical Center
Ease of Attack (example)
1. Prevailing threat conditions
   1. e.g. PDF 0-day CVE-2011-2462 in the wild; Adobe promises a fix “no later than the week of December 12, 2011”
2. Current ease / reliability of mounting an attack
   1. e.g. exploit X has just been committed to Metasploit
3. Consequence of a compromise (chained exploit)
4. Malware reverse engineering skills
5. etc. etc.
What Do Threat Analysts (and Your MSSP) Absolutely Need to Know?
(or preliminary containment)
1. Do NOT pull the plug!!
2. Describe the situation and seek immediate advice (say, over the phone) from IR professionals.
3. Isolate affected systems
   1. Disconnect from the network (unless IR professionals advise otherwise).
4. Secure the crime scene
   1. Physical area access control.
   2. Stop affected computer(s) from being used.
Before the Experts Arrive
1. Incident response process
2. CSIRT organization structure
   1. What people to hire, their R&Rs.
3. Triage – a brief overview
   1. How to verify an alert.
   2. How to prioritize an incident.
4. Preliminary containment
   1. What to do before the experts arrive.
Conclusion
albert@securityronin.com
Thank you!