the aftermath: you have been attacked! so what's next?

You have been attacked! So what’s next? Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA. 13th Info-Security Conference 2012, 8th May, 2012 @ Hong Kong

Upload: albert-hui

Post on 22-Apr-2015


Page 1: The Aftermath: You Have Been Attacked! So what's next?

You have been attacked!

So what’s next?

Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA

13th Info-Security Conference 2012 8th May, 2012 @ Hong Kong

Page 2: The Aftermath: You Have Been Attacked! So what's next?

Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA

Member of:

• SANS Advisory Board

• Digital Phishnet

• ACFE

Consulted for setting up IR capabilities at critical infrastructure companies.

Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks.

Dropped out of PhD to run a startup making IPS boxes.

Now a security ronin.

Who am I?

Page 3: The Aftermath: You Have Been Attacked! So what's next?

1. Incident response process

2. Incident response organization structure

3. Incident response triage – a brief overview

4. Incident response preliminary containment

Agenda

Page 4: The Aftermath: You Have Been Attacked! So what's next?

You’ve been attacked!

So what’s next?

Page 5: The Aftermath: You Have Been Attacked! So what's next?
Page 6: The Aftermath: You Have Been Attacked! So what's next?

1. Stay calm

2. Write down: 1. When? 2. Where? 3. Why? 4. What? 5. How? (6. Who?)

3. Keep log, log all communications

4. Need-to-Know policy and out-of-band communications

5. Stop the bleeding (containment) first

6. Seek professional help

1. Know the problem (identification)

2. Protect your bases (might involve forensic acquisition)

3. Get rid of the problem (eradication)

4. Get back in business (recovery)

5. Lessons-Learned report

For the Unprepared

Page 7: The Aftermath: You Have Been Attacked! So what's next?

Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned

Incident Response Process

Report (w/ Initial Severity)

Interpretation Verification

Severity Assessment

Prioritization

Page 8: The Aftermath: You Have Been Attacked! So what's next?

Head of CSIRT

Incident Handler

Incident Responder

Incident Analyst

SOC

CSIRT (Computer Security Incident Response Team)

Page 9: The Aftermath: You Have Been Attacked! So what's next?

Incident Handling:

• Sole interface of CSIRT

• Management liaison

• Clients liaison

• Legal / Compliance / HR / PR liaison

• Peer CSIRT / CERT and LE liaison

• Incident response coordination

• Incident response log keeping

Incident Response:

• All the technical works

• Most outsourceable

Core Functions

(Common Functions)

• Preparation and Planning

• Policies, procedures and banners

• Incident response protocol and plan

• Agreements with and pre-approvals from legal / compliance / HR

• Asset classification

• Support infrastructure (logging, IDS, patch management, BCP, DR, incident reporting, guideline & education, etc.)

• etc. etc.

Page 10: The Aftermath: You Have Been Attacked! So what's next?

So how did you know you’ve been attacked?

• A little bird told you…

• You made headline news…

• IT guy reports abnormal behavior…

Identification

Page 11: The Aftermath: You Have Been Attacked! So what's next?

1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream

Alert

Alert triggered. What the hell just happened? How serious was that? How to deal with it?
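As an added example (not part of the slides), here is how the verification stage of triage can be applied to the proxy log line above. The line is in Squid's native access.log format; the code parses it, then answers two questions a handler wants settled before assigning severity: was a payload actually delivered (HTTP 200 with a non-empty octet-stream body), and does the alert apply to this host at all (the slide's "software X alerts when no software X installed" test)? The asset inventory is constructed for the example, and reading the spl= parameter as the name of the targeted client software is an interpretation made here, not something the slides state.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the proxy log line shown on the slide (Squid native format).
SAMPLE_LINE = ("1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 "
               "GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - "
               "DIRECT/122.115.63.6 application/octet-stream")

# Constructed asset inventory (hypothetical; stands in for a CMDB lookup).
ASSET_INVENTORY = {
    "192.168.1.120": {"owner": "finance-ws-07", "software": {"java", "adobe-reader"}},
    "192.168.1.121": {"owner": "kiosk-01", "software": {"browser-only"}},
}


@dataclass
class ProxyEvent:
    when: datetime
    client: str
    result: str   # Squid result code, e.g. TCP_MISS
    status: int   # HTTP status
    size: int     # bytes sent to the client
    method: str
    url: str
    peer: str     # upstream host from the hierarchy field
    mime: str


def parse_squid_line(line: str) -> ProxyEvent:
    """Parse one Squid native access.log record (10 space-separated fields)."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}")
    ts, _elapsed, client, result_code, size, method, url, _ident, hier, mime = fields
    result, status = result_code.split("/")
    peer = hier.split("/", 1)[1]
    return ProxyEvent(
        when=datetime.fromtimestamp(float(ts), tz=timezone.utc),
        client=client, result=result, status=int(status), size=int(size),
        method=method, url=url, peer=peer, mime=mime,
    )


def verify_alert(ev: ProxyEvent, inventory: dict) -> dict:
    """Verification: was anything delivered, and is the alert material to this host?"""
    parts = urlsplit(ev.url)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Assumption: the 'spl' parameter names the targeted client software (here "java").
    targeted = params.get("spl", [""])[0].split("_")[0]
    installed = inventory.get(ev.client, {}).get("software", set())
    # A 200 with a non-empty binary body means the proxy passed the payload through.
    delivered = ev.status == 200 and ev.mime == "application/octet-stream" and ev.size > 0
    # The slide's test: an alert for software X is immaterial if X is not installed.
    software_present = targeted in installed if targeted else True
    return {
        "host": parts.hostname or "",
        "targeted_software": targeted,
        "payload_delivered": delivered,
        "software_present": software_present,
        "material": delivered and software_present,
    }


if __name__ == "__main__":
    event = parse_squid_line(SAMPLE_LINE)
    print(event.when.isoformat(), event.client, "->", event.peer)
    print(verify_alert(event, ASSET_INVENTORY))
```

Run against the slide's line the alert comes out as material: the workstation has Java in inventory and a 24,593-byte binary was returned. Replacing the client with the kiosk address, which has no Java, flips `software_present` and `material` to false, which is exactly the "not material" outcome the verification stage exists to catch before anyone escalates.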

Page 12: The Aftermath: You Have Been Attacked! So what's next?
Page 13: The Aftermath: You Have Been Attacked! So what's next?
Page 14: The Aftermath: You Have Been Attacked! So what's next?

Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned

Where Does Triage Belong?

Report (w/ Initial Severity)

Interpretation Verification

Severity Assessment

Prioritization

Page 15: The Aftermath: You Have Been Attacked! So what's next?

Report (w/ Initial Severity) Interpretation

• Alerts (IDS, AV, SIEM, etc.) came in with pre-assigned severity

Verification

• Is it material? (e.g. software X alerts when no software X installed)

Severity Assessment

• Damage already done

• Potential for further damage

Prioritization

• Deal with most severe cases first

Triage Stages

Page 16: The Aftermath: You Have Been Attacked! So what's next?

(or, verification)

Page 17: The Aftermath: You Have Been Attacked! So what's next?

1. What question are you trying to answer?

2. What data do you need to answer that question?

3. How do you extract and analyze that data?

4. What does / would that data tell you?

Alexious Principle

Page 18: The Aftermath: You Have Been Attacked! So what's next?

What Questions Are You Trying to Answer?

Page 19: The Aftermath: You Have Been Attacked! So what's next?

What Questions Are You Trying to Answer?

Breadth-First Search

Page 20: The Aftermath: You Have Been Attacked! So what's next?

What Data Do You Need to Answer that Question?

Page 21: The Aftermath: You Have Been Attacked! So what's next?

“Every contact leaves a trace.”

Locard Exchange Principle

Page 22: The Aftermath: You Have Been Attacked! So what's next?

…or, “Keep It Simple Stupid”

Occam’s Razor

Page 23: The Aftermath: You Have Been Attacked! So what's next?

(or, severity assessment & prioritization)

Page 24: The Aftermath: You Have Been Attacked! So what's next?

Risk = Likelihood × Impact × Asset Value

Page 25: The Aftermath: You Have Been Attacked! So what's next?

Likelihood: always 100% (it already happened)

[Chart: Impact vs. Likelihood axes]

Page 26: The Aftermath: You Have Been Attacked! So what's next?

1. Asset values

1. Classify your assets NOW!

2. Incident impact

1. Damage

2. Scope

Focus on…

Page 27: The Aftermath: You Have Been Attacked! So what's next?

[Chart: a 2×2 matrix of Existing Damage and Scope against Potential Damage and Scope (the oft-neglected dimension), with the cells labelled Intensive Care, Immediate Attention!, and Standard Mitigation]
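An added example (not from the slides) that turns the severity-assessment and prioritization stages into a scoring routine: likelihood is fixed at 100% because the incident has already happened, impact is built from damage and scope both as already done and as still possible, and the result is multiplied by asset value. The 0-3 scales, the asset classes, the threshold that splits "high" from "low", the mapping of the chart's cells to those thresholds, and the three sample incidents are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed ordinal scale for asset classification; the slide says "classify
# your assets NOW!" but gives no numbers. 4 = most valuable.
ASSET_CLASS = {"public": 1, "internal": 2, "confidential": 3, "critical": 4}

LIKELIHOOD = 1.0  # always 100%: the incident has already happened

# Assumed threshold on the 0-9 impact range (damage x scope, each 0-3)
# above which a dimension counts as "high" on the quadrant chart.
HIGH_IMPACT = 4


@dataclass
class Incident:
    name: str
    asset_class: str
    existing_damage: int   # 0-3: damage already done
    existing_scope: int    # 0-3: how many entities are already affected
    potential_damage: int  # 0-3: damage still possible
    potential_scope: int   # 0-3: how far it could still spread


def impact(damage: int, scope: int) -> int:
    """Impact of one dimension (existing or potential) = damage x scope."""
    for v in (damage, scope):
        if not 0 <= v <= 3:
            raise ValueError("damage and scope must be on the 0-3 scale")
    return damage * scope


def risk(inc: Incident) -> float:
    """Risk = Likelihood x Impact x Asset Value. Impact here is the sum of the
    existing and the potential dimension (an assumption of this example)."""
    asset_value = ASSET_CLASS[inc.asset_class]
    total_impact = (impact(inc.existing_damage, inc.existing_scope)
                    + impact(inc.potential_damage, inc.potential_scope))
    return LIKELIHOOD * total_impact * asset_value


def quadrant(inc: Incident) -> str:
    """Assumed mapping of the chart: high existing impact -> Intensive Care;
    low existing but high potential -> Immediate Attention!; else Standard."""
    existing = impact(inc.existing_damage, inc.existing_scope)
    potential = impact(inc.potential_damage, inc.potential_scope)
    if existing >= HIGH_IMPACT:
        return "Intensive Care"
    if potential >= HIGH_IMPACT:
        return "Immediate Attention!"
    return "Standard Mitigation"


def prioritize(incidents: list) -> list:
    """Prioritization stage: most severe cases first."""
    return [i.name for i in sorted(incidents, key=risk, reverse=True)]


# Constructed sample incidents (hypothetical).
SAMPLE_INCIDENTS = [
    Incident("adware on kiosk", "public", 1, 1, 1, 1),
    Incident("java exploit on finance workstation", "confidential", 1, 1, 3, 3),
    Incident("ransomware on file server", "critical", 3, 3, 3, 1),
]


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(f"{inc.name:40s} risk={risk(inc):5.1f} {quadrant(inc)}")
    print("order:", prioritize(SAMPLE_INCIDENTS))
```

The finance workstation case is the one the slide calls the oft-neglected dimension: little has happened yet (one host, minor damage), but the potential damage and scope are high, so it lands in Immediate Attention! rather than being filed under standard mitigation on the strength of its current symptoms alone.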

Page 28: The Aftermath: You Have Been Attacked! So what's next?

Know thyself, know thy enemy,

then you shall not perish.

知己知彼,百戰不殆

Page 29: The Aftermath: You Have Been Attacked! So what's next?

[Diagram: Know Thyself (the Artifact Hemisphere) and Know Thy Enemy (the Intellectual Hemisphere) together determine Potential Scope and Damage; the factors shown are Compromised Entities, Malware Capability, Exploit Chainability, and Ease of Attack]

Page 30: The Aftermath: You Have Been Attacked! So what's next?

Page 31: The Aftermath: You Have Been Attacked! So what's next?

Page 32: The Aftermath: You Have Been Attacked! So what's next?

Small immaterial weaknesses can combine to become material ones.

Exploit Chainability

Page 33: The Aftermath: You Have Been Attacked! So what's next?

Reason’s Swiss Cheese Model

From Duke University Medical Center

Page 34: The Aftermath: You Have Been Attacked! So what's next?

Page 35: The Aftermath: You Have Been Attacked! So what's next?

Page 36: The Aftermath: You Have Been Attacked! So what's next?

Ease of Attack (example)

Page 37: The Aftermath: You Have Been Attacked! So what's next?

1. Prevailing threat conditions

1. e.g. pdf 0-day CVE-2011-2462 in the wild, Adobe promises a fix “no later than the week of December 12, 2011”

2. Current easiness / reliability to mount an attack

1. e.g. exploit X has just been committed to Metasploit

3. Consequence of a compromise (chained exploit)

4. Malware reverse engineering skills

5. etc. etc.

What Do Threat Analysts (and Your MSSP) Absolutely Need to Know?

Page 38: The Aftermath: You Have Been Attacked! So what's next?

(or preliminary containment)

Page 39: The Aftermath: You Have Been Attacked! So what's next?

1. Do NOT pull the plug!!

2. Describe the situation and seek immediate advice (say, over the phone) from IR professionals.

3. Isolate affected systems

1. Disconnect from network (unless IR professionals advise otherwise).

4. Secure the crime scene

1. Physical area access control.

2. Stop affected computer(s) from being used.

Before the Experts Arrive

Page 40: The Aftermath: You Have Been Attacked! So what's next?

1. Incident response process

2. CSIRT organization structure

1. What people to hire, their R&Rs.

3. Triage – a brief overview

1. How to verify an alert.

2. How to prioritize an incident.

4. Preliminary containment

1. What to do before the experts arrive.

Conclusion

Page 41: The Aftermath: You Have Been Attacked! So what's next?

[email protected]

Thank you!