The Aftermath: You Have Been Attacked! So what's next?

Published in: Technology, Business

Transcript
  • 1. 13th Info-Security Conference 2012, 8th May 2012 @ Hong Kong. You have been attacked! So what’s next? Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
  • 2. Who am I? Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA. Member of: SANS Advisory Board; Digital Phishnet; ACFE. Consulted for setting up IR capabilities at critical infrastructure companies. Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks. Dropped out of PhD to run a startup making IPS boxes. Now a security ronin.
  • 3. Agenda: 1. Incident response process; 2. Incident response organization structure; 3. Incident response triage – a brief overview; 4. Incident response preliminary containment.
  • 4. You’ve been attacked! So what’s next?
  • 5. For the Unprepared: 1. Stay calm. 2. Write down: when? where? why? what? how? (who?). 3. Keep a log; log all communications. 4. Need-to-know policy and out-of-band communications. 5. Stop the bleeding (containment) first. 6. Seek professional help: 1. Know the problem (identification); 2. Protect your bases (might involve forensic acquisition); 3. Get rid of the problem (eradication); 4. Get back in business (recovery); 5. Lessons-learned report.
  • 6. Incident Response Process (diagram): Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. Within Identification: Report (w/ Initial Severity) → Interpretation → Verification → Severity Assessment → Prioritization.
  • 7. CSIRT (Computer Security Incident Response Team) org chart: Head of CSIRT; Incident Handler; Incident Responder; Incident Analyst; SOC.
  • 8. Core Functions. Incident Response: all the technical work; most outsourceable. Incident Handling: sole interface of CSIRT; management liaison; clients liaison; Legal / Compliance / HR / PR liaison; peer CSIRT / CERT and LE liaison; incident response coordination; agreements with and pre-approvals from Legal / Compliance / HR. Common Functions: preparation and planning (policies, procedures and banners; incident response protocol and plan; incident response log keeping; asset classification; support infrastructure such as logging, IDS, patch management, BCP, DR, incident reporting, guideline & education, etc.); etc. etc.
  • 9. Identification. So how did you know you’ve been attacked? A little bird told you… You made headline news… IT guy reports abnormal behavior…
  • 10. Alert (proxy log line): 1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream. Alert triggered. What the hell just happened? How serious was that? How to deal with it?
  • 11. Where Does Triage Belong? (same process diagram as slide 6): Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned; triage sits inside Identification: Report (w/ Initial Severity) → Interpretation → Verification → Severity Assessment → Prioritization.
  • 12. Triage Stages. Report (w/ Initial Severity) Interpretation: alerts (IDS, AV, SIEM, etc.) came in with pre-assigned severity. Verification: is it material? (e.g. software X alerts when no software X is installed). Severity Assessment: damage already done; potential for further damage. Prioritization: deal with the most severe cases first.
  • 13. (or, verification)
  • 14. Alexiou Principle: 1. What question are you trying to answer? 2. What data do you need to answer that question? 3. How do you extract and analyze that data? 4. What does / would that data tell you?
  • 15. What Questions Are You Trying to Answer?
  • 16. What Questions Are You Trying to Answer? Breadth-First Search.
  • 17. What Data Do You Need to Answer that Question?
  • 18. Locard Exchange Principle “Every contact leaves a trace.”
  • 19. Occam’s Razor …or, “Keep It Simple Stupid”
  • 20. (or, severity assessment & prioritization)
  • 21. Risk = Likelihood × Impact × Asset Value
  • 22. Likelihood: always 100% (it already happened). What remains is Impact.
  • 23. Focus on… 1. Asset values (classify your assets NOW!). 2. Incident impact: 1. damage; 2. scope.
  • 24. Oft-Neglected Dimension (2×2 diagram): Existing Damage and Scope vs. Potential Damage and Scope; quadrants labelled Intensive Care, Immediate Mitigation, Standard, Attention!
  • 25. Know thyself, know thy enemy, then you shall not perish.知己知彼,百戰不殆
  • 26–28. Potential Scope and Damage (diagram built up over three slides): Artifact Hemisphere – Compromised Entities, Malware Capability; Intellectual Hemisphere – Exploit Chainability, Ease of Attack; halves labelled Know Thyself / Know Thy Enemy.
  • 29. Exploit Chainability: small immaterial weaknesses can combine to become material ones.
  • 30–31. Reason’s Swiss Cheese Model (from Duke University Medical Center).
  • 32. Potential Scope and Damage (diagram repeated from slides 26–28).
  • 33. Ease of Attack (example)
  • 34. What Do Threat Analysts (and Your MSSP) Absolutely Need to Know? 1. Prevailing threat conditions (e.g. PDF 0-day CVE-2011-2462 in the wild, Adobe promises a fix “no later than the week of December 12, 2011”). 2. Current easiness / reliability of mounting an attack (e.g. exploit X has just been committed to Metasploit). 3. Consequence of a compromise (chained exploit). 4. Malware reverse engineering skills. 5. etc. etc.
  • 35. (or preliminary containment)
  • 36. Before the Experts Arrive: 1. Do NOT pull the plug!! 2. Describe the situation and seek immediate advice (say, over the phone) from IR professionals. 3. Isolate affected systems: disconnect from the network (unless IR professionals advise otherwise). 4. Secure the crime scene: 1. physical area access control; 2. stop affected computer(s) from being used.
  • 37. Conclusion: 1. Incident response process. 2. CSIRT organization structure (what people to hire, their R&Rs). 3. Triage – a brief overview (how to verify an alert; how to prioritize an incident). 4. Preliminary containment (what to do before the experts arrive).
  • 38. Thank you! albert@securityronin.com
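The triage pipeline that slides 10, 12 and 21–24 describe, carried through in code as an added example (this is not code from the deck or from its author): parse the proxy alert from slide 10, apply the slide 12 verification question ("is it material?") by checking whether the software the alert implies is actually present on the client, then rank incidents with Risk = Likelihood × Impact × Asset Value, holding Likelihood at 1 as slide 22 says and scoring both the existing and the potential damage-and-scope dimensions of slide 24. The Squid-style column layout, the asset inventory, the reading of the `spl=` parameter as naming the targeted software, and the equal weighting of the two impact dimensions are all assumptions of this example.

```python
"""Alert triage: parse -> verify (material?) -> score -> prioritize.
Added example; log layout, inventory, selector parsing and weights are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the proxy log line shown on slide 10, plus one constructed sibling
# for a second client. Assumed Squid native access.log column order:
# timestamp elapsed client action/status size method url ident hierarchy/peer content-type
SAMPLE_LINES = [
    "1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET "
    "http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream",
    "1263906915.101 1790 192.168.1.121 TCP_MISS/200 24593 GET "
    "http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream",
]

# Constructed (hypothetical) asset inventory: software present on each client and the
# asset value assigned when the assets were classified (slide 23: "classify your assets NOW!").
INVENTORY = {
    "192.168.1.120": {"software": {"java", "pdf-reader"}, "asset_value": 3},
    "192.168.1.121": {"software": {"pdf-reader"}, "asset_value": 8},
}


@dataclass
class ProxyEvent:
    ts: float
    client: str
    status: int
    method: str
    url: str
    content_type: str


def parse_squid_line(line: str) -> ProxyEvent:
    """Split one access.log line into the fields triage needs."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"unexpected field count {len(f)}")
    status = int(f[3].split("/", 1)[1])          # "TCP_MISS/200" -> 200
    return ProxyEvent(float(f[0]), f[2], status, f[5], f[6], f[9])


def verify(event: ProxyEvent, inventory: dict) -> dict:
    """Slide 12 'Verification': is the alert material?
    Assumption: the part of spl= before '_' names the targeted software (java_gsb -> java).
    The alert is immaterial if that software is absent on the client (slide 12's
    'software X alerts when no software X installed') or no binary payload was delivered."""
    query = parse_qs(urlsplit(event.url).query, keep_blank_values=True)
    selector = query.get("spl", [""])[0]
    targeted = selector.split("_", 1)[0] if selector else None
    host = inventory.get(event.client, {"software": set()})
    reasons = []
    if targeted and targeted not in host["software"]:
        reasons.append(f"{targeted} not installed on {event.client}")
    delivered = event.status == 200 and event.content_type == "application/octet-stream"
    if not delivered:
        reasons.append("no binary payload delivered")
    return {"material": not reasons, "targeted": targeted, "reasons": reasons}


@dataclass
class Incident:
    ident: str
    client: str
    material: bool
    existing_damage: int    # 1-5: what is already broken (slide 24, existing dimension)
    existing_scope: int     # 1-5: how many systems/users are already affected
    potential_damage: int   # 1-5: what further damage a chained exploit could do (slide 29)
    potential_scope: int    # 1-5: how far it could spread


def risk_score(inc: Incident, inventory: dict) -> float:
    """Risk = Likelihood x Impact x Asset Value (slide 21). Likelihood is 1.0 because the
    incident already happened (slide 22). Impact sums the existing and potential
    damage x scope products (slide 24); equal weighting is this example's assumption."""
    if not inc.material:
        return 0.0
    likelihood = 1.0
    impact = (inc.existing_damage * inc.existing_scope
              + inc.potential_damage * inc.potential_scope)
    asset_value = inventory.get(inc.client, {"asset_value": 1})["asset_value"]
    return likelihood * impact * asset_value


def prioritize(incidents, inventory: dict) -> list:
    """Slide 12 'Prioritization': most severe first; immaterial alerts sink to the bottom."""
    return [i.ident for i in
            sorted(incidents, key=lambda i: risk_score(i, inventory), reverse=True)]


def triage(lines, inventory: dict):
    """Run the pipeline on raw log lines. The damage/scope numbers are placeholders an
    analyst would fill in during severity assessment; here a delivered exploit payload is
    scored as little existing damage but sizeable potential damage and scope."""
    incidents = []
    for n, line in enumerate(lines, start=1):
        ev = parse_squid_line(line)
        v = verify(ev, inventory)
        incidents.append(Incident(f"INC-{n}", ev.client, v["material"], 1, 1, 4, 3))
    return prioritize(incidents, inventory), incidents


if __name__ == "__main__":
    order, incs = triage(SAMPLE_LINES, INVENTORY)
    for inc in incs:
        print(inc.ident, inc.client, "material" if inc.material else "immaterial",
              risk_score(inc, INVENTORY))
    print("work order:", order)
```

Note that the second, higher-value client sorts last: verification runs before severity assessment, so an alert that cannot be material never competes for attention on asset value alone, which is the order of stages slide 12 prescribes.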