The Aftermath: You Have Been Attacked! So what's next?
13th Info-Security Conference 2012, 8th May, 2012 @ Hong Kong
You have been attacked! So what's next?
Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA

Who am I?
Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
Member of:
• SANS Advisory Board
• Digital Phishnet
• ACFE
Consulted for setting up IR capabilities at critical infrastructure companies.
Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks.
Dropped out of PhD to run a startup making IPS boxes.
Now a security ronin.
For the Unprepared
1. Stay calm
2. Write down:
   1. When?
   2. Where?
   3. Why?
   4. What?
   5. How?
   (6. Who?)
3. Keep a log; log all communications
4. Need-to-Know policy and out-of-band communications
5. Stop the bleeding (containment) first
6. Seek professional help
   1. Know the problem (identification)
   2. Protect your bases (might involve forensic acquisition)
   3. Get rid of the problem (eradication)
   4. Get back in business (recovery)
   5. Lessons-learned report
CSIRT (Computer Security Incident Response Team)
Organization chart:
• Head of CSIRT
• Incident Handler
• Incident Responder
• Incident Analyst
• SOC
Core Functions

Incident Response
• All the technical work
• Most outsourceable

Incident Handling
• Sole interface of CSIRT
• Management liaison
• Clients liaison
• Legal / Compliance / HR / PR liaison
• Peer CSIRT / CERT and LE liaison
• Incident response coordination
• Agreements with and pre-approvals from legal / compliance / HR

(Common Functions)
• Preparation and Planning
  • Policies, procedures and banners
  • Incident response protocol and plan
  • Incident response log keeping
  • Asset classification
  • Support infrastructure (logging, IDS, patch management, BCP, DR, incident reporting, guideline & education, etc.)
  • etc. etc.
Identification
So how did you know you've been attacked?
• A little bird told you...
• You made headline news...
• IT guy reports abnormal behavior...

Alert
1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/184.108.40.206 application/octet-stream
Alert triggered. What the hell just happened? How serious was that? How to deal with it?
Triage Stages
Report (w/ Initial Severity)
Interpretation
• Alerts (IDS, AV, SIEM, etc.) came in with pre-assigned severity
Verification
• Is it material? (e.g. software X alerts when no software X installed)
Severity Assessment
• Damage already done
• Potential for further damage
Prioritization
• Deal with most severe cases first
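The proxy alert on the previous slide is a Squid native access.log entry, and the triage stages above can be applied to it mechanically. The following is an added example, not from the talk: it parses that log format, then runs verification (is the Java alert material on a host without Java?), severity assessment (payload delivered? valuable asset?) and prioritization over three alerts. The asset inventory, the two extra alerts and their example.invalid / 203.0.113.x values are constructed for illustration.

```python
import re

# Squid native access.log: time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) +(?P<elapsed>\d+) +(?P<client>\S+) +(?P<code>\w+)/(?P<status>\d{3}) +"
    r"(?P<bytes>\d+) +(?P<method>\S+) +(?P<url>\S+) +(?P<user>\S+) +(?P<peer>\S+) +(?P<ctype>\S+)$")

# Constructed stand-in for an asset inventory (hypothetical hosts, not from the slides).
ASSET_CLASS = {"192.168.1.120": "workstation", "192.168.1.10": "finance-server"}
HAS_JAVA = {"192.168.1.120": True, "192.168.1.10": False}
ALERTS = [  # constructed sample alerts; A1 carries the proxy log line quoted on the slide
    {"id": "A1", "signature": "Exploit kit Java payload download", "initial_severity": 3,
     "log": "1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/"
            "load.php?spl=java_gsb&h= - DIRECT/184.108.40.206 application/octet-stream"},
    {"id": "A2", "signature": "Exploit kit Java payload download", "initial_severity": 3,
     "log": "1263906950.118 903 192.168.1.10 TCP_MISS/200 24593 GET http://payload.example.invalid/"
            "load.php?spl=java_gsb - DIRECT/203.0.113.9 application/octet-stream"},
    {"id": "A3", "signature": "Exploit kit landing page", "initial_severity": 2,
     "log": "1263906900.001 120 192.168.1.120 TCP_MISS/200 812 GET http://landing.example.invalid/"
            "in.php - DIRECT/203.0.113.7 text/html"},
]

def parse_squid(line):
    # Split one Squid native log line into named fields (status and bytes as ints).
    m = SQUID_RE.match(line.strip())
    if not m:
        raise ValueError("not a Squid native access.log line")
    ev = m.groupdict()
    ev["status"], ev["bytes"] = int(ev["status"]), int(ev["bytes"])
    return ev

def triage(alert):
    """Verification then severity assessment; returns (material, severity, reasons)."""
    ev = parse_squid(alert["log"])
    # Verification: is it material? A Java exploit alert on a host without Java is noise.
    if "java" in alert["signature"].lower() and not HAS_JAVA.get(ev["client"], True):
        return False, 0, ["client has no Java installed; alert not material"]
    sev, reasons = alert["initial_severity"], []
    # Damage already done: HTTP 200 with a binary body means the payload reached the client.
    if ev["status"] == 200 and ev["ctype"] == "application/octet-stream" and ev["bytes"] > 0:
        sev, reasons = sev + 2, reasons + ["binary payload delivered (%d bytes)" % ev["bytes"]]
    # Potential for further damage: anything more valuable than a workstation weighs more.
    asset = ASSET_CLASS.get(ev["client"], "unknown")
    if asset != "workstation":
        sev, reasons = sev + 2, reasons + ["affected asset is a %s" % asset]
    return True, sev, reasons

def prioritize(alerts):
    """Prioritization: drop non-material alerts, order the rest most severe first."""
    scored = [(a["id"],) + triage(a) for a in alerts]
    return [(aid, sev, why) for aid, ok, sev, why in sorted(scored, key=lambda s: -s[2]) if ok]
```

Running prioritize(ALERTS) keeps A1 (payload delivered to a workstation) ahead of A3 and drops A2, whose Java alert fired on a host that has no Java.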
Alexiou Principle
1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does / would that data tell you?
What Do Threat Analysts (and Your MSSP) Absolutely Need to Know?
1. Prevailing threat conditions
   1. e.g. pdf 0-day CVE-2011-2462 in the wild, Adobe promises a fix "no later than the week of December 12, 2011"
2. Current ease / reliability of mounting an attack
   1. e.g. exploit X has just been committed to Metasploit
3. Consequence of a compromise (chained exploit)
4. Malware reverse engineering skills
5. etc. etc.
Before the Experts Arrive
1. Do NOT pull the plug!!
2. Describe the situation and seek immediate advice (say, over the phone) from IR professionals.
3. Isolate affected systems
   1. Disconnect from network (unless IR professionals advise otherwise).
4. Secure the crime scene
   1. Physical area access control.
   2. Stop affected computer(s) from being used.

Conclusion
1. Incident response process
2. CSIRT organization structure
   1. What people to hire, their R&Rs.
3. Triage - a brief overview
   1. How to verify an alert.
   2. How to prioritize an incident.
4. Preliminary containment
   1. What to do before the experts arrive.