The State of the Hack. Kevin Mandia MANDIANT

Similar documents
Kevin Mandia MANDIANT. Carnegie Mellon University Incident Response Master of Information System Management

Cyber Risks in the Boardroom Conference

CYBER SECURITY AND MITIGATING RISKS

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

CYBER ALERT. Cyber Investigations, Part 4: Hallmarks of Enterprise Impact Investigations. Key Components of an Enterprise Impact Investigation

What to do if your business is the victim of a data or security breach?

Hacking and Cyber Espionage

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

Information Security Incident Response Plan

Information Security Incident Response Plan

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Lakeshore Technical College Official Policy

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Defining Computer Security Incident Response Teams

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

The Data Breach: How to Stay Defensible Before, During & After the Incident

Cybersecurity Auditing in an Unsecure World

Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties

VANGUARD POLICY MANAGERTM

Credit Card Data Compromise: Incident Response Plan

Information Security in Corporation

POLICY MANAGER VANGUARD POLICY MANAGER (AUDIT/COMPLIANCE)

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

VANGUARD Policy Manager TM

Security of Information Technology Resources IT-12

Information Security Is a Business

Taming the Data Breach Beast... because we all know it will happen. John Tomaszewski Seyfarth Shaw January 2015

You ve Been Hacked Now What? Incident Response Tabletop Exercise

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

The Impact of Cybersecurity, Data Privacy and Social Media

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

locuz.com SOC Services

Figure 11-1: Organizational Issues. Managing the Security Function. Chapter 11. Figure 11-1: Organizational Issues. Figure 11-1: Organizational Issues

DIGITAL FORENSICS. We Place Digital Evidence at Your Fingertips. Cyanre is South Africa's leading provider of computer and digital forensic services

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Cybersecurity. You have been breached; What Happens Next THE CHALLENGE FOR THE FINANCIAL SERVICES INDUSTRY

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Legal Considerations and Case Studies

Assessing Your Incident Response Capabilities Do You Have What it Takes?

How Breaches Really Happen

CNIT 50: Network Security Monitoring. 9 NSM Operations

NIST Standards. October 14, 2016 Steve Konecny

Effective Cyber Incident Response in Insurance Companies

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

SDR Guide to Complete the SDR

Privacy: Pre- and Post-Breach

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

ADIENT VENDOR SECURITY STANDARD

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

CipherCloud CASB+ Connector for ServiceNow

Endpoint Protection : Last line of defense?

Cybersecurity: Incident Response Short

Data Breach Preparation and Response. April 21, 2017

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

CS0-001.exam. Number: CS0-001 Passing Score: 800 Time Limit: 120 min File Version: CS0-001

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

How Network Security Services Work to Protect Your Business

It s Not If But When: How to Build Your Cyber Incident Response Plan

Moving Beyond Prevention: Proactive Security with Integrity Monitoring

Security

AT&T Endpoint Security

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

TECHNICALLY CHALLENGED BY CYBERSECURITY RISK MANAGEMENT?

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

CyberArk Privileged Threat Analytics

PTLGateway Acceptable Use Policy

Introduction to Ethical Hacking. Chapter 1

Security Terminology Related to a SOC

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

Cyber Risks, Coverage, and the Board of Directors.

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

CYBERSECURITY RISK LOWERING CHECKLIST

NETWORK THREATS DEMAN

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Solutionary helps prepare for the inevitable

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Data Breach and Incident Response

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Playing in the Big (Data) Leagues: Consumer Data Mining Data Privacy and Compliance

2017 Annual Meeting of Members and Board of Directors Meeting

Cybersecurity The Evolving Landscape

Business continuity management and cyber resiliency

Addressing PCI DSS 3.2

Cybersecurity and Nonprofit

CSIRT SERVICES. Service Categories

Securing Information Systems

Ransomware A case study of the impact, recovery and remediation events

Identity Theft Policies and Procedures

Transcription:

The State of the Hack Kevin Mandia MANDIANT

Who Am I? Adjunct Professor Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington University Computer Forensics III Masters in Forensic Science Author for McGraw-Hill Honeynet Project 1

Who Am I? Last 5 Years Responded to over 300 Potentially Compromised Systems. Responded to Intrusions at Over 40 Organizations. Created IR Programs at Several Fortune 500 Firms. 2

Evolution of IT Attacks -- 1998 - Technical Problem - Unix Systems - Servers - Attacks were a Nuisance 1998 -- 2002 - Technical/Business Problem - Windows Systems - Servers - Attacks Were About Money 2002 -- Now - Technical/Business/Legal Problem - Windows Systems - Client Systems / End Users - Attacks Are About Money 3

Agenda Incident Detection Case Studies Challenges When Responding to Security Incidents 4

Incident Detection How Organizations are Detecting Incidents?

1. How are Organization s Detecting Incidents? Antivirus Alerts? Perhaps, but do not Count on It Alerts are Often Ignored and Perhaps Value-less Without an In-Depth Review of the System. Quarantined Files Often Remain a Mystery Anti-Virus Merely Alerts an an Organization that that Something Bad Bad Might have Occurred. No No Confirmation. Potential Loss of of Critical Data 6

7

2. How are Organization s Detecting Incidents? IDS Alerts? Rare Detection Mechanism. IDS Port 22 Port 443 VPN Port 22 Port 443 VPN 8

3. How are Organization s Detecting Incidents? Clients (Outside Company) Malicious Software Discovered on Compromised End-User Systems. Account Manipulation (Online Trading). 9

4. How are Organization s Detecting Incidents? End Users (Internal) System Crashes (Blue Screens of Death) Continual Termination of Antivirus Software. Installing New Applications Simply Does Not Work. Commonly Used Applications Do Not Run. You Cannot Save As. Task Manager Closes Immediately When You Execute It. 10

5. How Are Organization s Detecting Incidents? Proactive Audits or Security Scans 11

6. How Are Organization s Detecting Incidents? Something Obvious 12

Rogue ASP Pages 13

7. How are Organizations Detecting Incidents? Notification from other Victims. Notification from Government Agencies. 14

Types of Intrusions - 2008 Last 20 Computer Intrusions in 2008: 10 Financial Services 5 Retailers 2 Government 2 EDU 1 Insurance Type of Intrusion Other 6 FS 11 APT 3 APT FS Other 15

Detection Last 20 Incidents Antivirus.5 IDS.5 Clients/External 1 End Users 6 IT Audits 0 Obvious 0 External 12 FS 11 Type of Intrusion Other 6 APT 3 APT FS Other 16

CSI Computer Intrusion Forensics!!! A Walkthrough of Real Cases

Incident is Detected Network Monitoring Incident Detected on Host 1 Corporate Network Backdoor Channel Internet 18

Performing Live Response Incident Detected on Host 1 Respond on Host 1 1. Last Accessed Time of Files 2. Last Written Time of Files 3. Creation Time of Files 4. Volatile Information 5. Services Running 6. Event Logs 7. Registry Entries 8. Host Status (Uptime, Patch Level) 9. IIS and Other Application Logs Live Data Collection Performed to Verify Incident and Determine Indicators / Signature of the Attack 19

How Are Attackers Gaining Initial Entry?

How are Attackers Gaining Entry? Vulnerable Services? Not Nearly as Common as 1998-2003. 21

How are Attackers Gaining Entry? Web Application Vulnerabilities? SQL Injection 22

How Are Attackers Gaining Entry? End User Attacks 23

How Are Attackers Gaining Entry? Never Find Victim 0? Valid Credentials 24

What Attackers are Doing Now Depends on Attack Type 1. Attacks for Money 2. Attacks for Information 3. Attacks for Access 4. Attractive Nuisances 5. Information Warfare 25

Case Studies The State of the Hack

Case Studies Attacks for Information

Case Studies Attacks for Money

Challenge Knowing the Constituencies you are Investigating the Breach for: Executive Management Technical Management Legal Counsel Insurance Clients/Customers There are Conflicts Amongst these Constituencies 29

Evolution of Incident Response Executive Concerns Legal Concerns Technical Concerns 30

Management Concerns (Board and CEO) What is the Incident s Impact on Business? Do We have to Notify our Clients? Do We have to Notify our Regulators? Do We have to Notify our Stock Holders? What is Everyone Else Doing about this Sort of thing? 31

Legal Counsel Concerns Are we required to notify our clients, consumers, or employees about the security breach? What constitutes a reasonable belief that protected information was compromised the standard used in many states to determine whether notification is required? 32

Legal Counsel Concerns What are the applicable regulations or statutes that impact our organization s response to the security breach? Which state laws are applicable? Which might be in the future? Are there any contractual obligations that impact our incident response strategy? 33

Legal Counsel Concerns How might public knowledge of the compromise impact the organization? What is our liability if PII was compromised? What is our liability if the compromised network hosted copyrighted content (pirated movies, music, software ) Does notifying our customers increase the likelihood of a lawsuit? 34

Legal Counsel Concerns Is it permissible to monitor/intercept the intruder s activities? How far can/should we go to identify the intruder? Who knows about the incident? Should the organization notify our regulators? Law enforcement? 35

Technical Management (CIO) How long were we exposed? How many systems were affected? What data, if any, was compromised (i.e., viewed, downloaded, or copied)? Was any Personal Identifiable Information (PII) compromised? What countermeasures are we taking? 36

Technical Management (CIO) What are the chances that our countermeasures will succeed? Who else knows about the security breach? Is the incident ongoing? Preventable? Is there a risk of insider involvement? 37

38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback