
Page 1: The Anatomy of a Breach - NCHICA, nchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization, Presented By Greg Sparrow

Anatomy of a Breach: A case study in how to protect your organization

Presented By

Greg Sparrow

Page 2: Agenda

● Background & Threat landscape
● Breach: A Case Study
● Incident Response Best Practices
● Lessons Learned

Page 3: Goals

● Review and analyze a real world breach
● Understand pre-breach best practices
● Understand how to respond, post-breach
● Understand best practices for breach mitigation and incident response

Page 4: Background

A brief history of Cyber Attacks
● Viruses & Hackers
● Rise of the botnets
● Monetization of datasets
● Organized Crime

Page 5: Breach: A Case Study

Attack Facts:
● Payment aggregator/gateway
● 1 million card accounts compromised
● Attacker in environment since 2009
● Discovered in 2014

Page 6: Breach: Secure Architecture

Page 7: Breach: Initial Attack Vector

1. Attacked a public-facing web server through a known vulnerability in the web application server
2. Pivoted into the backup server
3. Used the backup server to reach the database and application servers

Page 8: Breach: Pivot and Movement

Oct 2009

Web Server 1
• Attacker installed a reverse shell on the web server
• Installed Nemesis backdoor

November 2009

Web Server 2
• Installed RAR archive utility
• Created reverse shell

Backup Server
• Reverse shell created
• Installed RAR archive utility
• WinPcap driver installed

Application Server 1
• Reverse shell created
• Installed RAR archive utility
• WinPcap driver installed

Page 9: Breach: Packet Captures

Page 10: Breach: Exfiltration

4. RAR archives were used to package up the data payload
5. Reverse shells encapsulated in SSH were used to push the data out

Page 11: Breach: Containment

1. Began egress packet capture to create a baseline signature
2. Implemented ACLs to remove backup server connectivity
3. Implemented ACLs for egress traffic
4. Reset user and service account credentials
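Containment steps 1 and 3 above (baseline egress, then restrict it with ACLs) can be worked through in code. The following is an added example written for this transcript, not code from the presentation or from the breached organization: it builds an egress baseline from flow records captured during a window believed clean, flags later flows that fall outside it, and renders the baseline as an iptables-style allow-list with a logged default deny. The host names, the RFC 5737 documentation addresses, the flow records and the chain name EGRESS are all assumptions.

```python
"""Egress baseline and allow-list generation.

Added example (not from the presentation): mirrors containment steps 1 and 3.
Capture egress during a window believed clean, derive a baseline of
(source, destination, protocol, port) tuples, flag later flows that fall
outside it, and render the baseline as an allow-list. All host names,
addresses (RFC 5737 documentation ranges) and flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # internal server (constructed name standing in for its address)
    dst: str      # external destination address (constructed)
    proto: str    # "tcp" or "udp"
    dport: int
    nbytes: int   # bytes sent by src in this flow


# Constructed clean-window flows: what the servers normally talk to.
BASELINE_FLOWS = [
    Flow("app-1", "203.0.113.10", "tcp", 443, 12_000),        # processor API
    Flow("app-1", "203.0.113.10", "tcp", 443, 9_500),
    Flow("web-1", "198.51.100.5", "udp", 123, 76),             # NTP
    Flow("web-2", "198.51.100.5", "udp", 123, 76),
    Flow("backup-1", "203.0.113.20", "tcp", 443, 4_000_000),   # offsite backup
]

# Constructed observation-window flows, including traffic shaped like the
# case study's exfiltration (SSH-wrapped reverse shells carrying RAR archives).
OBSERVED_FLOWS = [
    Flow("app-1", "203.0.113.10", "tcp", 443, 11_000),          # normal
    Flow("app-1", "192.0.2.77", "tcp", 22, 850_000_000),        # new tuple: SSH out
    Flow("backup-1", "192.0.2.77", "tcp", 22, 40_000),          # new tuple: SSH out
    Flow("backup-1", "203.0.113.20", "tcp", 443, 50_000_000),   # known tuple, 12x volume
    Flow("web-1", "198.51.100.5", "udp", 123, 76),              # normal
]


def build_baseline(flows):
    """Map each (src, dst, proto, dport) seen in the clean window to its largest byte count."""
    baseline = defaultdict(int)
    for f in flows:
        key = (f.src, f.dst, f.proto, f.dport)
        baseline[key] = max(baseline[key], f.nbytes)
    return dict(baseline)


def find_anomalies(flows, baseline, volume_factor=10):
    """Return (reason, flow) pairs for flows outside the baseline.

    'new_tuple': the 4-tuple never appeared in the clean window.
    'volume':    a known tuple moved more than volume_factor times its baseline maximum.
    """
    alerts = []
    for f in flows:
        key = (f.src, f.dst, f.proto, f.dport)
        if key not in baseline:
            alerts.append(("new_tuple", f))
        elif f.nbytes > volume_factor * baseline[key]:
            alerts.append(("volume", f))
    return alerts


def egress_rules(baseline, chain="EGRESS"):
    """Render the baseline as iptables-style allow rules followed by a logged default deny.

    Names are resolved when rules are loaded; in practice substitute the
    servers' addresses. The chain name is an assumption.
    """
    rules = []
    for src, dst, proto, dport in sorted(baseline):
        rules.append(f"-A {chain} -s {src} -d {dst} -p {proto} --dport {dport} -j ACCEPT")
    rules.append(f'-A {chain} -j LOG --log-prefix "egress-deny: "')
    rules.append(f"-A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for reason, flow in find_anomalies(OBSERVED_FLOWS, base):
        print(f"{reason:10s} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} {flow.nbytes} bytes")
    print("\n".join(egress_rules(base)))
```

Running the module prints two new_tuple alerts for the SSH connections to 192.0.2.77 and a volume alert for the backup server's oversized HTTPS flow, then the allow-list. Two caveats: the baseline is only as clean as the window it came from, so in a case like this one (attacker present for five years) it should be built from what each server is supposed to need and reviewed by hand rather than taken from observed traffic alone; and a volume threshold catches bulk exfiltration but not a slow trickle.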

Page 12: Breach: Eradication

1. Applied robust system hardening to all servers
2. Removed the backup server
3. Removed the web servers and replaced them with hardened web servers
4. Implemented application whitelisting
5. Started from a known good state for all server rebuilds
6. Deployed jump servers within the management segment
7. Performed an application security assessment
8. Deployed more robust logging, aggregation and event correlation

Page 13: Incident Response Life Cycle

Proprietary & Confidential

NIST SP 800-61 incident response life cycle: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity

Page 14: Incident Response: Preparation

Define Governance Policies
● Address strategy, goals and requirements
● Communication policy
● Escalation and handling procedures
● Incident response team/strategy
● 3rd party involvement and law enforcement
● Log retention policies and procedures
● Establish system baselines and profiles
● Insurance coverage

Page 15: Incident Response: Incident Response Team

Define policies and procedures for the following:
● Roles and responsibilities
● Escalation path
● Prioritization of events
● Identify team members
● Documentation templates
● Access privileges
● Training & tools

Page 16: Incident Response: Incident Response Team

Page 17: Incident Response: Detection

The detection process should include the following:
● Identification of attack vector(s)
● Determine the scope of the breach
● Identify signatures of an incident:
  – Multiple sources of information
  – Volume of suspicious behavior
  – Precursors
    • Vulnerability scans/port sweeps
    • New exploit
    • External threats

Page 18: Incident Response: Detection (cont.)

Identify the signs of an incident:
● Indicators
  • IDS/IPS alerts
  • Anti-virus alerts
  • Unauthorized or unusual file changes
  • Unscheduled system configuration changes
  • Repeated failed login attempts
  • Network traffic flow
● Deep technical knowledge
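The "repeated failed login attempts" indicator on the slide above is the kind that is cheap to check from logs. The following is an added example, not from the presentation: it parses OpenSSH-style syslog lines, counts failures per (host, source) within a sliding window, and also flags a success that follows a burst of failures, which is the event that actually matters. The log lines, hosts, addresses and the year used to complete the syslog timestamps are constructed.

```python
"""Authentication-log indicator check.

Added example (not from the presentation): implements the 'repeated failed
login attempts' indicator from the detection slide over syslog-style sshd
lines. Every log line, host name and address below is constructed; the year
is an assumption because syslog timestamps carry none.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the shape of OpenSSH's default syslog output.
SAMPLE_LOG = """\
Nov 12 03:14:01 app-1 sshd[2211]: Failed password for invalid user admin from 192.0.2.77 port 51022 ssh2
Nov 12 03:14:03 app-1 sshd[2211]: Failed password for invalid user admin from 192.0.2.77 port 51023 ssh2
Nov 12 03:14:05 app-1 sshd[2214]: Failed password for root from 192.0.2.77 port 51024 ssh2
Nov 12 03:14:07 app-1 sshd[2216]: Failed password for root from 192.0.2.77 port 51025 ssh2
Nov 12 03:14:09 app-1 sshd[2218]: Failed password for backup from 192.0.2.77 port 51026 ssh2
Nov 12 03:14:12 app-1 sshd[2220]: Accepted password for backup from 192.0.2.77 port 51027 ssh2
Nov 12 03:20:00 web-1 sshd[4101]: Failed password for ops from 198.51.100.9 port 40010 ssh2
Nov 12 03:40:00 web-1 sshd[4102]: Failed password for ops from 198.51.100.9 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line, year=2014):
    """Return a dict for a password-auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window failure count per (host, source).

    Emits ('bruteforce', host, src, count) once the count within window_s
    reaches threshold, and ('success_after_failures', host, src, user) when a
    login is accepted from a source with failures still inside the window.
    """
    recent = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    flagged = set()               # keys already reported, to avoid repeat alerts
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], ev["src"])
        q = recent[key]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # expire failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", ev["host"], ev["src"], len(q)))
        elif q:
            alerts.append(("success_after_failures", ev["host"], ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample it reports a brute-force alert for 192.0.2.77 against app-1 after the fifth failure and a success_after_failures alert for the "backup" account; the two failures against web-1 twenty minutes apart stay below threshold. Threshold and window are assumptions to tune per environment, and the same structure applies to any other indicator on the slide that can be phrased as "count of X per key within a window".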

Page 19: Incident Response: Analysis

Create a system profile or baseline:
● Run file integrity checks and compare the results with the baseline
● Monitor network bandwidth
● Understand normal system behavior, so that abnormal behavior stands out
● Review logs and security alerts
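The file integrity check on the slide above needs a baseline to compare against. The following is an added example, not from the presentation: it hashes every regular file under a root with SHA-256, stores the result, and diffs a later scan against it, classifying files as added, removed or modified. The directory tree and file names in demo() are constructed.

```python
"""File-integrity baseline and comparison.

Added example (not from the presentation): implements the 'run and compare
file integrity checks with baseline' step. Hash every regular file under a
root, persist the result, and diff a later scan against it. The tree built in
demo() is constructed in a temporary location; the file names are illustrative.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root):
    """Return {relative path: sha256} for every regular file under root.

    Symlinks are skipped: following them would let an attacker point the
    scanner at a clean copy of a file they replaced.
    """
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def save_baseline(hashes, path):
    """Persist the baseline. Keep this copy off the host it describes."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(hashes, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Baseline a constructed tree, tamper with it the way the case study
    describes (dropped archiver, altered web content), and report the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/backup.sh", "#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n")
        _write(root, "www/login.html", "<html>login</html>\n")
        baseline_path = os.path.join(store, "baseline.json")   # stored outside root
        save_baseline(scan_tree(root), baseline_path)

        _write(root, "bin/rar", "stand-in for a dropped archiver binary\n")       # added
        _write(root, "www/login.html", "<html>login</html><!-- injected -->\n")    # modified
        os.remove(os.path.join(root, "bin/backup.sh"))                              # removed

        return compare(load_baseline(baseline_path), scan_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

demo() reports bin/rar as added, bin/backup.sh as removed and www/login.html as modified. Two practical points: the baseline must be taken from a known good state (a freshly built server, before it is exposed) and stored somewhere the server cannot write, otherwise an attacker who owns the host can rebaseline their own changes; and a scheduled run of scan_tree against an off-host baseline is the simplest form of the "controls to test and verify system state" that the recovery slide calls for.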

Page 20: Incident Response: Analysis (cont.)

● Determine what you know and what you don't know (don't assume)
● Multiple sources of information
● False alarms vs. a real breach
● Timely notification
● Allocate resources and time for analysis
● Communication and coordination of the team

Page 21: Incident Response: Containment

● Short-term containment vs. long-term solution
● Limit the damage
  – Can the problem be isolated?
  – Can affected systems be separated from non-affected systems?
● Stop the spread
● Preserve evidence
  – Forensic imaging

Page 22: Incident Response: Eradication

● Clearly understand the scope and extent of affected systems
● Document a plan of attack for cleaning up these systems at each layer:
  – Network
  – Host
  – Application

Page 23: Incident Response: Recovery

● Bring systems and services back online in production
● Start from a known good state
● Restore data from backup
● Implement controls to test and verify system state

Page 24: Incident Response: Notification

Is notification required?
● Likely risk of harm
  • Nature of the data elements
  • Number of records/individuals affected
  • Accessibility and usability
  • Likelihood of harm
  • Ability to mitigate risk
● Statutory notification requirements
  – Identify legal jurisdictions involved
  – Identify statutes triggered

Page 25: Incident Response: Notification (cont.)

● Timelines for notification
  – Dependent on the type of data breached
    • PII
    • PCI
    • PHI
  – Notification without unreasonable delay
  – Law enforcement may require delay

Page 26: Incident Response: Notification (cont.)

● Source for notification
  – Senior member of management or executive
  – Organizational awareness
● Contents of notification
  – Describe what happened
  – Types of information breached
  – Steps to protect affected parties
  – What you are doing
  – Who to contact for more info
● Means of notification
  – Telephone
  – First-class mail
  – E-mail

Page 27: Lessons learned

● Cost of the breach: 20-30 million dollars
● Identification
● Patch your systems
● System configuration and hardening
● Prepare an IR plan before your breach
● Select vendors and partners before your breach

Page 28: Q & A

Page 29: References

The following resources were used as part of this presentation:
● NIST Special Publication 800-61 rev. 2, Computer Security Incident Handling Guide
● Redacted customer forensic report
● U.S. Department of Justice, Criminal Division, Computer Crime & Intellectual Property Section, Best Practices for Victim Response and Reporting of Cyber Incidents
● SANS Institute, Incident Handler's Handbook
● DOJ, Incident Response Procedures for Data Breaches