Managing an Active Incident Response Case
Paul Underwood, COO
About Us
Paul Underwood - COO
Emagined Security is a leading professional services firm for Information Security, Privacy & Compliance solutions. Our commercial clients cover a wide range of U.S. and global Fortune 1000 organizations, including the financial services, energy, healthcare, high tech, manufacturing, & insurance industries. We empower our clients to help them effectively manage IT risk in today's dynamic business environments while also providing our clients with the ability to scale quickly and efficiently to provide the rapid response required by best-in-class organizations. Our deep industry and domain expertise, proven track record, and well-known and respected employees from the Information Security community make us an invaluable resource to our clients.
Who's Behind Data Breaches
Global study of almost 2,000 data breaches
*Verizon 2017
Motives Behind Cyberattacks
Global study of organizations that were victims of a cyberattack
*Radware 2017
Why hackers hack: https://www.emagined.com/news-notes/2018/7/17/why-hackers-hack
Industries Attacked & Method
THE THREAT
Industries: Food Services, Manufacturing, Healthcare, Education, Finance & Insurance
Methods: Denial of Service, Point of Sale, Web App, Espionage, Privilege Misuse
No industry is immune.
"We will remove from the world wide web the site belonging to YOUR COMPANY and in addition we will Black Fax and E-Mail Bomb every inbox at YOUR COMPANY. This cyber action by Anonymous will be accompanied by a protest on the ground tomorrow." -Anonymous
How Hackers Hack
A High Level Attack: Anatomy of the Kill Chain
Recon: Passive and active recon allows for the harvesting of email addresses or other information deemed valuable. Attackers create a blueprint of the target and search for vulnerabilities.
Gain Access: Attacker determines the plan of attack, weaponizes payloads and chooses the delivery mechanisms. Once delivered, payloads are installed. Attacker looks to maintain persistence, while obtaining command and control.
Escalation of Privileges: Attacker looks to progress access levels obtained to other systems (e.g. pivoting) or devices within the environment. Ultimate goal is to maintain access to the environment should a single compromised host fail.
Maintain Access: Attacker has established control privileges on multiple hosts or devices, and works to move silently between networks and systems to find and extract sensitive or desired data.
Covering Tracks: Attacker may modify logs and/or misdirect security events, making it more difficult to determine attack origins and reproduce a viable attack traffic flow.
Copyright Emagined Security
Anatomy of an Attack: Kill Chain
Stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Continued Persistence (STAGE 1 through STAGE 6)
Example tactics, techniques, and attack vectors:
1. Gather e-mail addresses and user info.
2. Create phishing campaigns
3. Verify target(s)
4. Develop delivery mechanisms
5. Develop exploits (browser, MS Office, etc.)
6. Develop blended attack vectors
7. Deliver the payloads to target
8. Run the exploits (scripts, code, binaries)
9. Use PW hash, file, Registry or OS services to own the local system
10. Establish C2 from the compromised host(s)
11. Identify weak passwords or known OS exploits to escalate privileges
12. Obtain tokens and/or credentials
13. Perform additional recon through port scanning, sniffing or probing
14. Collect authentication credentials (Kerberos tickets, OS services, file share) for access across the network
15. Exploit groups, passwords, and domain trusts
16. Access sensitive data via mail, files, financial systems, databases
17. #Winning
*Follows industry standard stages documented in the Lockheed Martin Cyber Kill Chain
Preparing for an Attack: Think Like A Hacker
Reconnaissance (Defense) - Do reconnaissance on yourself:
1. Web & other services
2. What is on your web services
3. Test and remove as you can
4. Find what you don't know
5. Remove what is not necessary, away from attackers' prying eyes
6. Know your audience
Weaponization (Defense) - Get your own toolset:
1. Wireshark
2. Logging
3. Monitoring
4. Online monitoring of chatter
5. Contact ISP: make sure they don't shut you down
Delivery (Defense) - Secure and fortify the points of entry:
1. Firewall
2. IPS
3. AntiVirus
4. Web content filters
5. AntiSpam
What to do During the Attack & After: You're prepared for this
Slow the Flow
- Limit connections
- Shut down unnecessary services
- Rethink what is public
- Size, speed, ports/connections per second
- Block the bad and let the good roam free
- Deny lists and their benefits
- Shadow sites: where did everyone go?
Track & Capture
- Capture traffic for future use
- Honeypots and where they help
- Automated scans / script kiddies: set signatures, block & protect
- Weather the storm
Document
- Document what you do and how you do it
- Document everything for the post mortem
Analyze
- Validate what is happening
- Analyze attacks vs. normal traffic (SIEM devices)
- Revisit the attack after it has ended: what went wrong, what went right
- Were there any outages? What needs to change? Where did you have problems?
Challenges
- Personnel and OT management
- Recognizing abnormal traffic: which connections to drop and block
- Managing multiple connections to the outside and multiple stakeholders
- Correlating 100,000 events an hour
- Keeping track of large amounts of code and configuration changes done by multiple staff
- Keeping City personnel aware and involved
- Changing firewall, router, switch and IPS configuration on the fly
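The "Slow the Flow" and "Analyze" steps above boil down to one signal: connections per second per source, judged against what normal traffic looks like, turned into a deny list, and written down for the post mortem. The following is an added example (not from the slides or from Emagined); the log format, the TEST-NET addresses, the 2x-baseline limit and the sample lines are all constructed assumptions.

```python
"""Constructed example: connections-per-second baseline, deny list and audit trail."""
from collections import Counter
# Constructed "normal traffic" sample, format: "<ISO time to the second> <src ip> <dst port>"
NORMAL_LOG = """\
2018-07-17T09:00:00 198.51.100.20 443
2018-07-17T09:00:00 198.51.100.20 443
2018-07-17T09:00:01 198.51.100.21 443
"""
# Constructed sample captured during the attack: 203.0.113.7 opens 6 connections in one second
ATTACK_LOG = """\
2018-07-17T10:00:00 198.51.100.20 443
2018-07-17T10:00:00 198.51.100.21 443
2018-07-17T10:00:01 203.0.113.7 80
2018-07-17T10:00:01 203.0.113.7 80
2018-07-17T10:00:01 203.0.113.7 80
2018-07-17T10:00:01 203.0.113.7 80
2018-07-17T10:00:01 203.0.113.7 80
2018-07-17T10:00:01 203.0.113.7 80
2018-07-17T10:00:02 198.51.100.20 443
"""

def connections_per_second(log_text):
    """Map (src, second) -> number of connections opened by src in that second."""
    counts = Counter()
    for line in log_text.splitlines():
        ts, src, _port = line.split()
        counts[(src, ts)] += 1
    return counts

def baseline_cps(normal_log):
    """Highest per-source rate seen in normal traffic; attack traffic is judged against it."""
    return max(connections_per_second(normal_log).values())

def build_deny_list(attack_log, max_cps, allow=frozenset()):
    """Sources exceeding max_cps in any single second, minus an explicit allow list
    (block the bad, let the good roam free). Returns {src: peak_cps}."""
    offenders = {}
    for (src, _ts), n in connections_per_second(attack_log).items():
        if n > max_cps and src not in allow:
            offenders[src] = max(offenders.get(src, 0), n)
    return offenders

def block_decisions(offenders, max_cps, decided_at):
    """One audit line per block, so the post mortem can see what was done and why."""
    return [f"{decided_at} BLOCK {src} reason=peak_cps {peak} > {max_cps}"
            for src, peak in sorted(offenders.items())]

if __name__ == "__main__":
    limit = 2 * baseline_cps(NORMAL_LOG)   # 2 * 2 = 4 connections per second
    print("\n".join(block_decisions(build_deny_list(ATTACK_LOG, limit), limit, "2018-07-17T10:00:05")))
```

Feed the audit lines into the same incident log as the firewall and IPS changes, so the configuration churn the Challenges slide describes is reconstructable afterwards.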
The Making of an Incident Response Program
THE PROGRAM
- Target (self) analysis
- Attacker analysis
- Defense methodology
- Best practices
Documentation
- Incident Response Program
- Contacts for: ISP, proper authorities (FBI, local PD), media, management
- Forensics program & equipment
- Security awareness program
Gene Schultz's Top 15 List of Mistakes in IR
- Neglecting to establish an incident response effort in the first place
- Lack of a well-defined charter
- Failure to set up a management infrastructure for incident response
- Neglecting to acquire necessary forensic and incident response hardware and software in advance
- Not taking advantage of Security Information and Event Manager (SIEM) type technology to identify incidents in real time
- Failing to understand your intrusion detection capability
- Failure to respond to incidents in a systematic manner
- Neglecting to adequately test procedures
- Failure to work cooperatively with other groups/organizations when incidents occur
Gene Schultz's Top 15 List of Mistakes in IR (2)
- Communication deficiencies (internal and external)
- Lack of top-level management support
- Lack of technical expertise
- Lack of forensics training
- Failure to integrate efforts sufficiently with business continuity/disaster recovery efforts
- Failure to automate
Conclusion
- In many respects, proficiently responding to incidents is the ultimate information security challenge
- There is a lot more to incident response than meets the eye
- Careful planning and justification of needed resources are critical
- The number of potential serious mistakes is enormous; we have gone over just a few of the worst ones
- Good news: most of the mistakes discussed in this presentation are not that difficult to correct
- Whatever you do, be sure to keep a proactive focus
Thank You!
Emagined Security
San Carlos, California
801-294-2917
@emagined @emaginedsec
paulunderwood@emagined.com