APT Event - New York

Transcript of APT Event - New York

Page 1: APT Event - New York

Global APT Defense Summit New York

John Walker | Cytelligence

Malware Activity & Network

Retaliate - Respond & Survive

October 22, 2014 – East Rutherford, NJ

Page 2

About the Speaker

John Walker

John is a Visiting Professor at the School of Science and Technology at Nottingham Trent University [NTU], Visiting Professor/Lecturer at the University of Slavonia [to 2015], CTO & Company Director, Director of CSIRT, Cyber Forensics/Research at Cytelligence Ltd & is the Architect of the Cytelligence OSINT Platform. John is also a Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, and has delivered over 100 published papers/presentations to a global audience.

Page 3

Agenda - Engaging the Security Event - Capabilities

1. Anomaly Indication - Conditions which may indicate, or infer, that some form of anomaly has taken place or is in progress

2. Cyber Intelligence - Utilisation of reverse investigations – looking to discover the unknown unknowns

3. Acquisition of Artifacts – The importance of acquiring Artifacts – whilst keeping the operational lights burning

4. Decision Time – When to apply mitigations which will impact the business [e.g. Network Segment Disconnect]

5. Standards & Guides – Have established processes when engaging an incident

6. Communications - The importance of internal, and where required external communications

7. Tools & Training – Maintain capabilities and skill-sets

8. Dealing with external factors such as Law Enforcement, and where applicable Third Parties and Associates

9. The Wash-up – when is it safe to stand down?

10. Lessons learned

Page 4

Anomaly Indication

There is a range of conditions which may indicate that some form of anomaly has occurred, or is in progress – consider:

• Over-active Networks or Segments

• Perimeter Indicators – the usual: firewall, IPS, IDS

• Mail Relays

• Logs – but you have to read them

• Believe it or not – ITIL Process Service Records

• Service Desk Call – user reports

• External Reports – Media, or Client Notifications – [example: the Tasmanian Devil]
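Two of the indicators above, over-active segments and logs that nobody reads, can be turned into a first triage pass. The following is an added example written for this page, not code from the talk or from Cytelligence: it parses a constructed proxy-style log (the format, hosts and addresses are all assumptions) and flags flows whose inter-connection gaps are too regular to be a human, the signature of a scheduled call-home, alongside the sources that generated the most connections.

```python
"""Added example: flag over-active sources and beacon-like traffic in proxy logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): "<ISO timestamp> <src> <dst>:<port> <bytes>".
# 10.1.4.23 calls 203.0.113.10 roughly once a minute; 10.1.4.40 browses at irregular intervals.
SAMPLE_LOG = """\
2014-10-22T09:00:00 10.1.4.23 203.0.113.10:443 512
2014-10-22T09:01:00 10.1.4.23 203.0.113.10:443 530
2014-10-22T09:02:01 10.1.4.23 203.0.113.10:443 511
2014-10-22T09:03:00 10.1.4.23 203.0.113.10:443 515
2014-10-22T09:04:02 10.1.4.23 203.0.113.10:443 512
2014-10-22T09:05:00 10.1.4.23 203.0.113.10:443 520
2014-10-22T09:06:00 10.1.4.23 203.0.113.10:443 512
2014-10-22T09:00:03 10.1.4.40 198.51.100.7:80 4096
2014-10-22T09:00:09 10.1.4.40 198.51.100.7:80 15000
2014-10-22T09:02:41 10.1.4.40 198.51.100.9:443 2200
2014-10-22T09:03:05 10.1.4.40 198.51.100.7:80 800
2014-10-22T09:07:30 10.1.4.40 198.51.100.9:443 9000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\d+)$")


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, nbytes = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "port": int(port), "bytes": int(nbytes)})
    return events


def beacon_candidates(events, min_events=5, max_cv=0.15):
    """Return (src, dst, port) flows whose inter-connection gaps are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    connections: human browsing is bursty (high CV), a scheduled call-home is not.
    """
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["port"])].append(e["ts"])
    hits = []
    for (src, dst, port), stamps in by_flow.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # everything in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(stamps),
                         "mean_interval": avg, "cv": cv})
    return hits


def over_active_sources(events, threshold):
    """Sources with at least `threshold` connections in the window, busiest first."""
    counts = Counter(e["src"] for e in events)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in beacon_candidates(evs):
        print("beacon-like: %(src)s -> %(dst)s:%(port)d every %(mean_interval).0fs "
              "(cv=%(cv).3f, n=%(count)d)" % hit)
    print("over-active:", over_active_sources(evs, threshold=6))
```

The thresholds (`min_events`, `max_cv`, `threshold`) are tuning knobs, not universal values: a large enterprise proxy log will need a longer window and a lower CV ceiling before the output is short enough for a human to read, which is the point the slide makes about logs.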

Page 5

Cyber Intelligence

Both during and after a Cyber Attack, Invasion or Compromise, it may be possible, based on the known information, to identify some of the unknowns and so assist the First Responder engagement using:

• OSINT [Open Source Intelligence]

• Tracking – Communications – in particular the headers

• Tracking of IP – but don’t always trust it

• Media Streams – you can learn a lot

• Under-Ground Chatter

• Partner Organizations

• Investigation of end-to-end logging where possible
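Tracking communications through their headers, and not trusting the IP they claim, is concrete enough to show. The example below is added for this page and is not code from the talk: it walks the `Received:` chain of a constructed phishing message (the hosts, addresses and the assumed set of relays "we" operate are all made up) from the newest hop downward, and stops trusting the chain at the first hop not written by one of our own relays, because everything below that was written by whoever handed the message to us and can be forged.

```python
"""Added example: trace a mail's Received: chain and find the last IP we can vouch for."""
import re
from email.parser import Parser

# Assumption: the relays our organisation operates. Only hops *written by* these
# hosts are trustworthy; a hop written by anyone else is their claim, not our record.
OUR_RELAYS = {"mail.example.org", "mx1.example.org"}

# Constructed message (not a real sample). The bottom Received: header claims the
# mail came from trusted-bank.example, but it was written by the attacker's relay.
RAW_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.5])
\tby mail.example.org (Postfix) with ESMTP id 4F2A1
\tfor <ops@example.org>; Wed, 22 Oct 2014 08:41:03 -0400
Received: from relay.attacker.example (unknown [198.51.100.23])
\tby mx1.example.org (Postfix) with ESMTPS id 3C9E0
\tfor <ops@example.org>; Wed, 22 Oct 2014 08:41:01 -0400
Received: from trusted-bank.example (trusted-bank.example [203.0.113.77])
\tby relay.attacker.example with SMTP id 1
\tfor <ops@example.org>; Wed, 22 Oct 2014 08:40:00 -0400
From: "Bank Support" <support@trusted-bank.example>
To: ops@example.org
Subject: Urgent: account verification
Message-ID: <20141022.1@trusted-bank.example>

Please open the attachment.
"""

FROM_RE = re.compile(r"^from (\S+)")
BY_RE = re.compile(r"\bby (\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_received(raw, our_relays=OUR_RELAYS):
    """Return the Received: hops top-down, each marked trusted until the chain leaves us."""
    msg = Parser().parsestr(raw)
    hops = []
    trusted = True
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold the header onto one line
        m_from, m_by, m_ip = FROM_RE.match(text), BY_RE.search(text), IP_RE.search(text)
        by_host = m_by.group(1) if m_by else ""
        if by_host not in our_relays:
            trusted = False  # from here down the headers were written by outsiders
        hops.append({"from": m_from.group(1) if m_from else "?",
                     "ip": m_ip.group(1) if m_ip else None,
                     "by": by_host, "trusted": trusted})
    return hops


def origin_ip(hops):
    """The peer address recorded by the last relay we control: the real handoff point."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[-1]["ip"] if trusted else None


if __name__ == "__main__":
    chain = trace_received(RAW_MESSAGE)
    for h in chain:
        print("%-8s from %-28s [%s] by %s" % ("TRUSTED" if h["trusted"] else "CLAIMED",
                                               h["from"], h["ip"], h["by"]))
    print("investigate:", origin_ip(chain))
```

Run as written, the script points the investigation at 198.51.100.23, the address that actually connected to our MX, and marks the 203.0.113.77 "bank" hop as a claim. That address is still worth a lookup in OSINT sources, but it is a lead, not evidence.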

Page 6

Acquisition of Artifacts

Experience has proven that there can be a tendency to focus on keeping the lights on, which can be at the expense of any follow-up investigation – this does not have to be the case – consider:

• Deploying an evolved CSIRT

• Accommodation of the necessary underpinning documentation

• Consider establishing Run-Books

• Ensure appropriate tools are available in the CSIRT

• Don’t forget training

• Have a capability to track the investigation and to securely

• Remember Business, and Third Party [Cloud] interfaces
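Keeping the lights on and still acquiring artifacts are compatible if the CSIRT's tooling copies rather than moves, hashes before and after, and records who took what and when. The following is an added example for this page, not code from the talk or from any CSIRT run-book: it acquires a set of constructed artifacts into an evidence directory, writes a manifest that later supports chain-of-custody questions, and re-verifies the copies (the file names, contents and collector name are all assumptions).

```python
"""Added example: acquire artifacts by copy, hash them, and write a verifiable manifest."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(sources, dest_dir, collector):
    """Copy each source into dest_dir and return the manifest that was written there.

    The original is never moved or altered: the production host keeps running.
    copy2 preserves timestamps; the hash of the copy is checked against the source.
    """
    os.makedirs(dest_dir, exist_ok=True)
    entries = []
    for src in sources:
        st = os.stat(src)
        src_hash = sha256_file(src)
        dst = os.path.join(dest_dir, os.path.basename(src))
        shutil.copy2(src, dst)
        entries.append({
            "source": src, "copy": dst, "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": src_hash, "copy_verified": sha256_file(dst) == src_hash,
        })
    manifest = {"collector": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "artifacts": entries}
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(dest_dir):
    """Re-hash every copy against the manifest; return the paths that no longer match."""
    with open(os.path.join(dest_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["copy"] for e in manifest["artifacts"]
            if not os.path.exists(e["copy"]) or sha256_file(e["copy"]) != e["sha256"]]


def demo():
    """Constructed host with two artifacts; returns (manifest, clean check, tampered check)."""
    work = tempfile.mkdtemp(prefix="csirt-")
    host = os.path.join(work, "host")
    os.makedirs(host)
    sources = []
    for name, data in [("auth.log", b"Oct 22 09:00:00 host sshd[1]: Accepted password for root\n"),
                       ("suspicious.bin", bytes(range(256)))]:
        path = os.path.join(host, name)
        with open(path, "wb") as f:
            f.write(data)
        sources.append(path)
    evidence = os.path.join(work, "evidence")
    manifest = acquire(sources, evidence, collector="analyst-1")
    clean = verify(evidence)
    with open(manifest["artifacts"][0]["copy"], "ab") as f:
        f.write(b"x")  # simulate a copy being touched after acquisition
    tampered = verify(evidence)
    shutil.rmtree(work)
    return manifest, clean, tampered


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(json.dumps(m, indent=2))
    print("clean check:", clean, "after tamper:", tampered)
```

The manifest is the artifact that makes the business and third-party [Cloud] interfaces tractable: when a provider hands over logs, the same acquire-and-hash step applied on receipt gives a record of what was received and when, independent of what either side later remembers.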

Page 7

Decision Time

Occasions may, and will, arise in which a decision has to be made to ensure the overall impact of the event is minimized, mitigated and contained, so that the business environments are not impacted by Event Sprawl – for example, taking down a web site, or isolating a network or segment. At such times it is important that:

• The Business is involved

• The impact is understood in time and financial terms

• Inter-organization communications are in place

• That the external communications element is in place

• Teams are well briefed to engage – and appreciate the impact of their actions [example]

• Reporting – Managing Expectations

• Recovery and Testing

Page 8

Standards & Guides

It is important to have a formalized response which meets the expectations of promulgated and established standards, to ensure the desired protocols are followed and maintained – for example, and as applicable:

• ISO 27001

• PAS 555

• PCI-DSS

• Government Directives

• Others – ITA 2000, SB 1386, etc.

Page 9

Communications

During and after any form of security event, it is essential that the 60/40 Rule of communications is applied, with 60% focusing on the people and 40% representing the actual event – here we are in the business of managing reputations.

Here is an example of getting this wrong, with some very realistic implications.

Page 10

Tools & Training

The outcome of a security event is very dependent on the capabilities of the First Response Team, and those who will engage the incident. Here having the right tools, and training, can represent essential elements:

• Basic Technological Skills

• Application of Process – keep it secure and legal

• Fit-for-Purpose Tools

• Cross Team Connection

Page 11

Final Thoughts

• Logging

• Full-packet capture

Page 12

Thank you!