Incident Response Operation Before/After Hacked Sumedt Jitpukdebodin Senior Security Researcher @ I-SECURE Co. Ltd. LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE

Upload: sumedt-jitpukdebodin

Post on 18-Aug-2015


TRANSCRIPT

Incident Response Operation

Before/After Hacked

Sumedt Jitpukdebodin

Senior Security Researcher @ I-SECURE Co. Ltd. LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE

# whoami

• Name: Sumedt Jitpukdebodin

• Jobs: Security Consultant, Senior Security Researcher @ I-SECURE

• Website: www.r00tsec.com, www.techsuii.com

• Admin: @2600thailand, @OWASPThailand

• Book: Network Security Book

• Hobby: Writing, Hacking, Researching, Gaming, etc.

• My articles: please search Google with my name.

Hacker

SOC(Security Operation Center)

Attacker And Defender

Catch me if you can

# id

• Hacking is easy, defending is so f*cking hard.

• Surfaces

• 0day

• Social Engineering

• Etc.

Incident Response

# man ir

Definition

• Event - an activity that we monitor (Log)
• Incident - an event that causes damage.
• Incident Response (IR) - actions taken subsequent to an incident to understand the incident and take remedial action

Top Priority for IR.

• Identify the problems
• Fix the problems.
• Recover the system back to normal.

Step of IR.

Source:: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png

Step of IR.

• Preparation
  • Skill, Procedure, Log, Tools, Forms, Policies, Checklists, etc.
• Detection (Identification) & Analysis
  • From Best Practice, Researching and Lessons Learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities (Lessons Learned)
  • What are they doing
  • Where are they doing it
  • What backdoor have they left
  • Develop Attack Signatures.
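One concrete tool that belongs in the Preparation step and pays off in Detection and in the "what backdoor have they left" question is a file-integrity baseline of the web root. The script below is an added example (it is not code from the slides or from the speaker): it hashes every file under a directory into a manifest, stores the manifest outside that directory, and later diffs the live tree against it. The web root, file names and contents are constructed for the demonstration.

```python
"""Added example, not code from the slides: a file-integrity baseline taken in
the Preparation step and diffed during Detection / Post-Incident review to
answer "what backdoor have they left". The web root, file names and contents
below are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests and report what was added, modified or removed."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest, path):
    # Keep the baseline off the monitored host (or at least read-only) so an
    # intruder cannot simply rewrite it; here it is just a separate directory.
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def write(path, data):
    """Helper for the constructed scenario: create parent dirs and write a file."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a small web root, simulate the traces an
    intrusion leaves behind, and diff against the stored baseline."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as store:
        # Preparation: known-good state (constructed files).
        write(os.path.join(webroot, "index.php"), "<?php echo 'hello'; ?>\n")
        write(os.path.join(webroot, "uploads", "logo.png"), b"\x89PNG constructed")
        baseline_path = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(webroot), baseline_path)

        # Later: a new script appears in uploads/, index.php is altered and the
        # original logo is gone (all simulated changes).
        write(os.path.join(webroot, "uploads", "tmp.php"), "<?php /* constructed */ ?>\n")
        write(os.path.join(webroot, "index.php"), "<?php echo 'hello'; include 'x'; ?>\n")
        os.remove(os.path.join(webroot, "uploads", "logo.png"))

        return diff_manifest(load_manifest(baseline_path), build_manifest(webroot))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The diff gives the incident handler a short list to start from (new scripts in upload directories, altered entry points, deleted files) instead of a whole tree to read. The baseline has to be taken while the system is known-good and kept where the compromised host cannot alter it, otherwise the comparison proves nothing.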

What to look for

• Look for abnormalities
  • Performance issues, off-peak activity
  • Some clients being redirected.
• Example Indicators
  • New accounts, new directories, new files in the website, file system changes, crashes, unusual system usage patterns
• Example Sources
  • Access Log, IDS, IPS, Firewall, System Log, Suspicious Traffic
• Potential Issues
  • File/Folder Encryption
  • BIOS Password Protection
  • Whole Disk Encryption / Risk
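To show what "look for abnormalities" means against the sources the slide names, here is an added example (not code from the slides or the speaker) that scans web-server access-log lines and auth-log lines for three of the indicators above: off-peak activity, a new account, and a new file in the website that the server is now serving. The log lines, host name, user names and addresses are constructed; the line formats follow Apache's combined log format and useradd's syslog message, and the baseline path set is an assumption standing in for the site inventory taken during Preparation.

```python
"""Added example, not code from the slides: scanning constructed web-server
access-log and auth-log lines for the indicators listed above (off-peak
activity, new accounts, new files being served from the website). The log
lines, host name and addresses are made up for the demonstration; the line
formats follow Apache's combined log format and useradd's syslog message."""
import re
from datetime import datetime

ACCESS_LOG = """\
198.51.100.20 - - [18/Aug/2015:10:02:11 +0700] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.21 - - [18/Aug/2015:14:30:45 +0700] "GET /about.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.21 - - [18/Aug/2015:14:30:46 +0700] "GET /missing.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2015:03:14:07 +0700] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/7.43.0"
203.0.113.7 - - [18/Aug/2015:03:14:09 +0700] "GET /uploads/tmp.php HTTP/1.1" 200 512 "-" "curl/7.43.0"
"""

AUTH_LOG = """\
Aug 18 03:12:44 web01 sshd[2190]: Accepted password for deploy from 203.0.113.7 port 51122 ssh2
Aug 18 03:12:50 web01 useradd[2211]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash
Aug 18 09:00:01 web01 CRON[2300]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
"""

# Paths known to exist on the site at preparation time (constructed baseline).
BASELINE_PATHS = {"/index.php", "/about.php"}

ACCESS_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")


def parse_access_log(text):
    """Turn combined-log-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["target"].split("?", 1)[0],   # drop the query string
            "status": int(m["status"]),
        })
    return entries


def off_peak(entries, quiet_hours=range(0, 6)):
    """Requests made during hours when the site normally sees no traffic."""
    return [e for e in entries if e["ts"].hour in quiet_hours]


def unseen_paths(entries, baseline_paths):
    """Paths served successfully that were not part of the site baseline:
    a new file in the web root that the server is happy to execute."""
    return sorted({e["path"] for e in entries
                   if e["status"] == 200 and e["path"] not in baseline_paths})


def new_accounts(text):
    """User names created according to useradd's syslog messages."""
    return [m["name"] for m in USERADD_RE.finditer(text)]


def scan(access_text=ACCESS_LOG, auth_text=AUTH_LOG, baseline_paths=BASELINE_PATHS):
    """Run all three checks and return the hits per indicator."""
    entries = parse_access_log(access_text)
    return {
        "off_peak_requests": [(e["ip"], e["ts"].isoformat(), e["path"]) for e in off_peak(entries)],
        "unseen_paths": unseen_paths(entries, baseline_paths),
        "new_accounts": new_accounts(auth_text),
    }


if __name__ == "__main__":
    for indicator, hits in scan().items():
        print(f"{indicator}: {hits}")
```

Each check alone is weak; the value is in the overlap: the same address appears in the quiet hours, fetches a path that was never part of the site, and an account is created on the host a few seconds earlier. That overlap is what the centralized log and SIEM sections later in the deck exist to surface automatically.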

Before Breach

Source:: http://jokideo.com/wp-content/uploads/2013/03/Funny-cat-Come-on-birdy.jpg

Centralized Log Diagram

Source:: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg

# whereis logs

• Device Log

• Server Log

• Application Log

# ls /var/log/

• web_server/{access.log,error.log}

• audit/audit.log

• syslog

• openvpn.log

# cat /var/log/apache2/access.log

# cat /var/log/syslog

Devices

• Firewall
• IDS/IPS
• Next Generation Firewall
• Mail Gateway
• Etc.

Centralized Log

• Syslog-ng (rsyslog)
• Splunk
• Graylog2
• Logstash
• Scribe

Example of Splunk

SIEM (Security Information and Event Management)

• Arcsight
• Log Correlation Engine By Tenable
• Splunk
• OSSIM **
• Alienvault **
• LOGalyze **
• Etc.

Log Correlation Engine By Tenable

Source:: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui

Arcsight

Source:: http://blog.rootshell.be/2013/06/26/out-of-the-box-siem-never/

Arcsight Dashboard

Source:: http://www.observeit.com/images/content/features_siem14.jpg

False Positive

SQL Injection Case

• Alert: SQL Injection

• Attacker: China

• Log From: Web Application Firewall

SQL Injection Case
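The case above is the kind of alert a SIEM forwards many times a day: the WAF says "SQL injection", the source is abroad, and the handler has to decide whether anything actually happened. The script below is an added example (not code from the slides or the speaker) of a first-pass triage: it decodes the flagged parameter and separates a SQL keyword that merely occurs in ordinary text (a search for "select wine and cheese") from a value that carries injection syntax, then pairs the verdict with the WAF's own action. The key=value log layout, rule name, addresses and payloads are constructed for the demonstration; a real WAF's export format will differ. The source country is deliberately not an input, because a blocked attempt and a benign search look the same on a map.

```python
"""Added example, not code from the slides: first-pass triage of SQL injection
alerts raised by a web application firewall, to separate a keyword that merely
appears in ordinary search text from a payload that carries injection syntax.
The WAF log lines, their key=value layout, the rule name and the addresses are
constructed for the demonstration; a real WAF's export format will differ."""
import re
from urllib.parse import unquote_plus

WAF_LOG = """\
ts=2015-08-18T09:12:03+07:00 src=203.0.113.45 rule=SQLI action=block uri=/search.php param=q value=select+wine+and+cheese
ts=2015-08-18T09:12:40+07:00 src=203.0.113.45 rule=SQLI action=block uri=/login.php param=user value=admin%27+OR+%271%27%3D%271
ts=2015-08-18T09:13:05+07:00 src=198.51.100.9 rule=SQLI action=pass uri=/search.php param=q value=union+station+hotels
ts=2015-08-18T09:13:30+07:00 src=203.0.113.45 rule=SQLI action=block uri=/item.php param=id value=7%20UNION%20SELECT%201%2C2
"""

# Syntax that only makes sense as SQL, not as a phrase a user would type.
STRONG = [
    re.compile(r"'\s*(or|and)\s+['\d]"),             # quote followed by a boolean tautology
    re.compile(r"\bunion\s+(all\s+)?select\b"),       # second SELECT spliced in via UNION
    re.compile(r"(--|#|/\*)\s*$"),                    # trailing comment to cut the query short
    re.compile(r";\s*(drop|insert|update|delete)\b"), # stacked statement
]
# Plain words a signature-based rule is likely to have fired on.
KEYWORDS = re.compile(r"\b(select|union|or|and|from|where)\b")


def parse_waf_log(text):
    """Parse the constructed key=value alert lines into dicts, decoding the value."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        fields["decoded"] = unquote_plus(fields["value"])
        alerts.append(fields)
    return alerts


def classify_payload(decoded):
    """Return the first-pass verdict for one decoded parameter value."""
    low = decoded.lower()
    if any(p.search(low) for p in STRONG):
        return "likely true positive"
    if KEYWORDS.search(low):
        return "likely false positive (SQL keyword used as an ordinary word)"
    return "needs analyst review"


def triage(alerts):
    """Attach a verdict, the analyst's next step and a per-source count to each alert."""
    per_source = {}
    for a in alerts:
        per_source[a["src"]] = per_source.get(a["src"], 0) + 1
    results = []
    for a in alerts:
        verdict = classify_payload(a["decoded"])
        if verdict.startswith("likely true"):
            follow_up = ("blocked; review the other requests from this source"
                         if a["action"] == "block"
                         else "NOT blocked; pull the application and database logs")
        elif verdict.startswith("likely false"):
            follow_up = "tune the rule for this parameter"
        else:
            follow_up = "inspect the full request"
        results.append({"ts": a["ts"], "src": a["src"], "uri": a["uri"],
                        "decoded": a["decoded"], "verdict": verdict,
                        "follow_up": follow_up,
                        "alerts_from_source": per_source[a["src"]]})
    return results


if __name__ == "__main__":
    for r in triage(parse_waf_log(WAF_LOG)):
        print(f"{r['src']} {r['uri']} {r['decoded']!r}: {r['verdict']} -> {r['follow_up']}")
```

The two outcomes drive different work: a likely false positive is a tuning task for the rule (so the SOC stops seeing it), while a likely true positive that the WAF did not block is the point where the "after breach" half of this deck begins and the application and database logs have to be pulled.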

After Breach

Source:: http://www.dumpaday.com/wp-content/uploads/2013/01/funny-cat-bath.jpg

Forensic

Forensic

• Containment
  • Ensure that the system(s) and network are protected from further risk.
  • Isolate the compromised system(s)
• Eradication
  • How they got in
  • Where they went
  • What they did
  • The removal of malware
  • Patching the vulnerability
  • Identifying the vulnerability
  • Improve network and system countermeasures

Recovery (Restore/Rebuild)

• Restore status of service to normal
  • System owners decide based on advice from the incident handling team - Business Decision.
• Monitor the service after recovery
  • Performance
  • Anomalies

Lessons Learned

• Detailed incident report
• Communicate to others on the team
• Apply fixes in the environment
• Conduct a performance analysis of the overall incident and improve operations
• “Not!!!!” blaming people
• Review/Rewrite Policy
• Determine the cost of the incident
• Apply lessons learned to the entire entity
• Budget for, install, and maintain protection software