Hello! we are here to share some stories

Size: px

Start display at page:

Download "Hello! we are here to share some stories"

Ernest Kennedy
5 years ago
Views:

1 SHARING SESSION

2 Hello! Paulus Tamba CISSP, former PCI-QSA Was with Verizon-CyberTrust, BT Global Services, and FireEye Specialize in Threat and Vulnerability Management, Security Operation, and Managed Security Services Co-Founder of PT Korelasi Persada Indonesia / paulus.tamba@korelasipersada.com we are here to share some stories

3 Agenda Use Cases Lesson Learned

4 SECURITY OPERATION USE CASES BITCOIN MINER

5 THREAT USE CASE BITCOIN MINER CASE DESCRIPTION : 1. INFOSEC ANALYST RECEIVES A CALL FROM USER THAT OBSERVES A WEIRD CHARACTERS SHOWING UP IN HER COMPUTER 2. INFOSEC ANALYST REGISTER THE CASE AND BEGIN INVESTIGATION 3. VICTIM : WINDOWS 7, DOMAIN JOINED Discovery Acquire victim IP Address Check EndPoint Antivirus status Antivirus is up-to-date Initiate Remote Antivirus Scan No virus detected Review Perimeter Defenses Connection Attempt from Victim to External IP Address Documents & Notifications Known Facts Escalate to Infosec Analyst Manager Infosec Analyst analyst needs to be onsite

6 THREAT USE CASE BITCOIN MINER WHAT WE KNOW SO FAR: 1. ANTIVIRUS DOES NOT DETECT A VIRUS 2. THE VICTIM COMPUTER IS ATTEMPTING TO CONNECT TO AN IP ADDRESS IN GERMANY WHAT WE WANT TO KNOW: 1. WHICH PROCESS STARTED THE CONNECTION 2. WHAT PROCESS IS IT Acknowledgement Analysis of victim endpoints A process is started from a suspicious directory The process is registered to start during computer boot Hash analysis indicates that the file is a malicious bitcoin miner Target IP connection is a known bit-coin server Analyst confirmed and declare a security incidents Containment Confirm with the victim that sensitive files are backed-up In case a full restore is needed Analyst remove files and process related to the malicious process Reboot the system and confirms no further process is started

7 THREAT USE CASE BITCOIN MINER WHAT WE KNOW SO FAR: 1. THE VICTIM IS INFECTED WITH A BIT COIN MINER MALWARE WHAT WE WANT TO KNOW: 1. HOW IT GETS THERE 2. HOW TO PREVENT Investigation Lack of forensic tools prevent analysis for further investigation Forensic skillset not yet available in the infosec analyst Highest suspect is that the victim is infected through a drive-bydownload while working out of band Recovery Infosec Analyst analyst is able to successfully clean the infected victim computer No connection were established to bit-coin server while the victim is in enterprise network Prevention The file is submitted to antivirus vendor for signature creation

8 SECURITY OPERATION USE CASES CEO SCAM

9 THREAT USE CASE CEO SCAM PHISHING

10 THREAT USE CASE CEO SCAM PHISHING CASE DESCRIPTION : 1. INFOSEC ANALYST RECEIVES A FORWARDED PHISHING REQUESTING FOR FUND TRANSFER 2. INFOSEC ANALYST REGISTER THE CASE AND BEGIN INVESTIGATION 3. VICTIM IS THE CFO OF THE ORGANIZATION Discovery Finance dept receives from attacker posing as CEO of the company The contains a threaded conversation, culminating in the attacker requesting fund transfer by providing details of bank account The victim forwarded the message to INFOSEC ANALYST out of suspicion Documentation & Notification INFOSEC ANALYST documents the case and create incident report Quick overview of anti-spam indicates that the message is passed as clean

11 THREAT USE CASE CEO SCAM PHISHING WHAT WE KNOW SO FAR: 1. WAS NOT BLOCKED BY ANTI SPAM 2. THE SENDER IS POSING AS CEO OF THE COMPANY 3. ATTACKER IS REQUESTING FUND TRANSFER TO AN ACCOUNT IN HONGKONG WHAT WE WANT TO KNOW: 1. WHY WASN T THE BLOCKED? 2. HOW DOES THE ATTACK HAPPEN? Acknowledgement INFOSEC ANALYST analyse the content of The sender domain is closely similar to receiving organization domain name The does not contain links or attachment, only instruction to transfer fund The sender domain is registered on the same day that the attack took place The is cleverly crafted as if it's a threaded conversation INFOSEC ANALYST confirm it's a targeted attack Containment Initial containment was to block the offending domain in the gatway anti-spam Quick overview of anti-spam indicates that the message is passed as clean

THREAT USE CASE CEO SCAM PHISHING WHAT WE KNOW SO FAR: 1. THE VICTIM IS BEING TARGETED WITH SPEARPHISHING WHAT WE WANT TO KNOW: 1. HOW IT BYPASS THE ANTI SPAM PROTECTION 2.

12 THREAT USE CASE CEO SCAM PHISHING WHAT WE KNOW SO FAR: 1. THE VICTIM IS BEING TARGETED WITH SPEARPHISHING WHAT WE WANT TO KNOW: 1. HOW IT BYPASS THE ANTI SPAM PROTECTION 2. HOW TO PREVENT Investigation The mail was not blocked because: It does not contain links or attachments It's coming from a clear reputation IP address It's drafted in proper English to avoid suspicion contents It contains name of valid finance departments staffs name, up to the CFO, indicating this is clearly a targeted attack Recovery Victim was smart enough not to fall trap into the phishing attempt, so there s no loss occurred Prevention INFOSEC ANALYST requested domain takedown to the registrar abuse address INFOSEC ANALYST issue advisory s to all users as part of awareness

13 PHISHING IS IT REALLY EFFECTIVE?

14 SECURITY OPERATION USE CASES RANSOMWARE

15 THREAT USE CASE RANSOMWARE

THREAT USE CASE RANSOMWARE CASE DESCRIPTION : 1. SERVICE DESK RECEIVED CALLS FROM END USER COMPLAINING THAT ALL HIS DOCUMENTS ARE RENAMED TO.CRYPT AND CAN T BE OPENED 2.

16 THREAT USE CASE RANSOMWARE CASE DESCRIPTION : 1. SERVICE DESK RECEIVED CALLS FROM END USER COMPLAINING THAT ALL HIS DOCUMENTS ARE RENAMED TO.CRYPT AND CAN T BE OPENED 2. SERVICE DESK ESCALATES THE PROBLEM TO INFOSEC ANALYST FOR INVESTIGATION Discovery A user calls service desk complaining that all his documents (.doc,.xls,.pdf) are renamed to.crpyt and can t be opened Service Desk dispatched engineers tried to fix the problem through remote support but failed ServiceDesk call infosec analyst to investigate the issue Documentation & Notification Upon accessing the victim computer, analyst immediately suggest involvement of ransomware Quick overview of all folders indicate that the malware in in the process of trying to encrypt files in share folders Analyst immediately declare a security incident and begin incident response

17 THREAT USE CASE RANSOMWARE WHAT WE KNOW SO FAR: 1. USER COMPUTER IS COMPROMISED 2. PROBABLY INVOLVING RANSOMWARE 3. IT STARTED TO INFECT SHARE FOLDERS WHAT WE WANT TO KNOW: 1. WHY DOESN T ANTIVIRUS BLOCK THE THREAT? 2. HOW TO PREVENT IT FROM HAPPENING? Containtment Analyst decided to immediately disconnect the victim computer from the network to avoid further damage to the share folder Investigation After the threat is contained, analyst uses various anti malware tools to scan the computer for malware and discovered ransomware Antivirus was unable to identify because it doesn't have the signature to identify the malware

18 THREAT USE CASE RANSOMWARE WHAT WE KNOW SO FAR: 1. THE VICTIM IS INFECTED WITH RANSOMWARE WHAT WE WANT TO KNOW: 1. HOW TO PREVENT THE CASE FROM RE- OCCURING Recovery Analyst suggest that the victim image to be reimaged for clean start Analyst suggest that the affected files in share folder to be recovered from backup Prevention Infosec issue advisory s on the danger of s and browsing InfoSec analyst recommends to accelerate the evaluation process of malware prevention solutions acquisition

19 Secure::SPOT Secure :: strategize, provision, operate, train

Assessing Your Incident Response Capabilities Do You Have What it Takes?

Assessing Your Incident Response Capabilities Do You Have What it Takes? March 31, 2017 Presenters Tim L. Bryan, CPA/CFF/CITP, CISA, EnCE Director, Advisory Services Forensic Technology & Investigation