The Aftermath: You Have Been Attacked! So what's next?

Slide 1: 13th Info-Security Conference 2012, 8th May, 2012 @ Hong Kong
You have been attacked! So what's next?
Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA

Slide 2: Who am I?
Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
Member of:
• SANS Advisory Board
• Digital Phishnet
• ACFE
Consulted for setting up IR capabilities at critical infrastructure companies. Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks. Dropped out of PhD to run a startup making IPS boxes. Now a security ronin.

Slide 3: Agenda
1. Incident response process
2. Incident response organization structure
3. Incident response triage – a brief overview
4. Incident response preliminary containment

Slide 4: You've been attacked! So what's next?

Slide 5: For the Unprepared
1. Stay calm
2. Write down: 1. When? 2. Where? 3. Why? 4. What? 5. How? (6. Who?)
3. Keep a log; log all communications
4. Need-to-know policy and out-of-band communications
5. Stop the bleeding (containment) first
6. Seek professional help
   1. Know the problem (identification)
   2. Protect your bases (might involve forensic acquisition)
   3. Get rid of the problem (eradication)
   4. Get back in business (recovery)
   5. Lessons-learned report

Slide 6: Incident Response Process
Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
Within Identification: Report (w/ Initial Severity) → Interpretation → Verification → Severity Assessment → Prioritization

Slide 7: CSIRT (Computer Security Incident Response Team)
• Head of CSIRT
• Incident Handler
• Incident Responder
• Incident Analyst
• SOC

Slide 8: Core Functions
Incident Response
• All the technical work
• Most outsourceable
Incident Handling
• Sole interface of CSIRT
• Management liaison
• Clients liaison
• Legal / Compliance / HR / PR liaison
• Peer CSIRT / CERT and LE liaison
• Incident response coordination
• Agreements with and pre-approvals from legal / compliance / HR
Common Functions
• Preparation and planning
  • Policies, procedures and banners
  • Incident response protocol and plan
  • Incident response log keeping
  • Asset classification
  • Support infrastructure (logging, IDS, patch management, BCP, DR, incident reporting, guideline & education, etc.)
  • etc. etc.

Slide 9: Identification
So how did you know you've been attacked?
• A little bird told you…
• You made headline news…
• IT guy reports abnormal behavior…

Slide 10: Alert
1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream
Alert triggered. What the hell just happened? How serious was that? How to deal with it?

Slide 11: Where Does Triage Belong?
Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
Triage is the chain inside Identification: Report (w/ Initial Severity) → Interpretation → Verification → Severity Assessment → Prioritization

Slide 12: Triage Stages
Report (w/ Initial Severity), Interpretation
• Alerts (IDS, AV, SIEM, etc.) come in with pre-assigned severity
Verification
• Is it material? (e.g. software X alerts when no software X is installed)
Severity Assessment
• Damage already done
• Potential for further damage
Prioritization
• Deal with the most severe cases first

Slide 13: (or, verification)

Slide 14: Alexiou Principle
1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does / would that data tell you?

Slide 15: What Questions Are You Trying to Answer?

Slide 16: What Questions Are You Trying to Answer? Breadth-First Search

Slide 17: What Data Do You Need to Answer that Question?

Slide 18: Locard Exchange Principle: "Every contact leaves a trace."

Slide 19: Occam's Razor …or, "Keep It Simple Stupid"

Slide 20: (or, severity assessment & prioritization)

Slide 21: Risk = Likelihood × Impact × Asset Value

Slide 22: Likelihood is always 100% (it already happened), so what remains to assess is Impact.

Slide 23: Focus on…
1. Asset values
   1. Classify your assets NOW!
2. Incident impact
   1. Damage
   2. Scope

Slide 24: Oft-Neglected Dimension
Existing damage and scope (vertical axis) against potential damage and scope (horizontal axis), with the quadrants labelled on the slide:
• Intensive Care: high existing damage and scope, high potential damage and scope
• Immediate Mitigation: low existing damage and scope, high potential damage and scope
• Standard Attention!: low existing damage and scope, low potential damage and scope
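As an added worked example, not code from the deck, the triage stages of slide 12 and the severity and prioritization rules of slides 21 to 24 run over the proxy alert of slide 10; the asset register, the 1-5 scoring with its threshold, and the reading of the spl= parameter as the targeted software are assumptions:

```python
from urllib.parse import parse_qs, urlparse

# Constructed asset register (hypothetical): value 1-5 plus installed software,
# i.e. the "classify your assets NOW!" step of slide 23.
ASSETS = {"192.168.1.120": {"value": 3, "software": {"java", "office"}},
          "192.168.1.121": {"value": 2, "software": {"office"}}}  # no Java here

# The proxy alert of slide 10, in Squid native access.log layout.
ALERT = ("1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET "
         "http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - "
         "DIRECT/122.115.63.6 application/octet-stream")
FIELDS = ("ts", "ms", "client", "result", "bytes", "method", "url", "ident", "peer", "ctype")

def parse_alert(line):
    """Interpretation: turn the raw Squid line into named fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("not a 10-field Squid native log line")
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["result"].rsplit("/", 1)[1])
    rec["query"] = parse_qs(urlparse(rec["url"]).query, keep_blank_values=True)
    return rec

def verify(rec):
    """Verification: is it material? Assumption: spl= names the targeted software,
    so 'java' served to a host without Java is slide 12's 'no software X' case."""
    target = rec["query"].get("spl", [""])[0].split("_")[0]
    host = ASSETS.get(rec["client"])
    delivered = rec["status"] == 200 and rec["ctype"] == "application/octet-stream"
    return bool(delivered and host and target in host["software"])

def risk(rec, impact):
    """Severity: likelihood is always 100% (it already happened), leaving impact x asset value."""
    likelihood = 1.0
    return likelihood * impact * ASSETS.get(rec["client"], {"value": 1})["value"]

def priority(existing, potential, high=3):
    """Prioritization via slide-24 quadrants (existing vs potential damage and scope, 1-5).
    High-existing/low-potential is unlabelled on the slide; treated as Intensive Care (assumption)."""
    if existing >= high:
        return "Intensive Care"
    return "Immediate Mitigation" if potential >= high else "Standard Attention"

def triage(line, impact, existing, potential):
    rec = parse_alert(line)
    if not verify(rec):  # non-material alerts stop at verification
        return {"client": rec["client"], "material": False}
    return {"client": rec["client"], "material": True,
            "risk": risk(rec, impact), "priority": priority(existing, potential)}
```

Calling triage(ALERT, impact=4, existing=1, potential=4) returns a material alert with risk 12.0 in the Immediate Mitigation quadrant, while the same line against the host without Java stops at verification.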
Slide 25: Know thyself, know thy enemy, then you shall not perish. (知己知彼,百戰不殆)

Slides 26-28: Potential Scope and Damage
Artifact Hemisphere (Know Thyself)
• Compromised Entities
• Malware Capability
Intellectual Hemisphere (Know Thy Enemy)
• Exploit Chainability
• Ease of Attack

Slide 29: Exploit Chainability
Small immaterial weaknesses can combine to become material ones.

Slides 30-31: Reason's Swiss Cheese Model (figure from Duke University Medical Center)

Slide 32: Potential Scope and Damage (same diagram as slides 26-28)

Slide 33: Ease of Attack (example)

Slide 34: What Do Threat Analysts (and Your MSSP) Absolutely Need to Know?
1. Prevailing threat conditions
   1. e.g. PDF 0-day CVE-2011-2462 in the wild, Adobe promises a fix "no later than the week of December 12, 2011"
2. Current ease / reliability of mounting an attack
   1. e.g. exploit X has just been committed to Metasploit
3. Consequence of a compromise (chained exploit)
4. Malware reverse engineering skills
5. etc. etc.

Slide 35: (or preliminary containment)

Slide 36: Before the Experts Arrive
1. Do NOT pull the plug!!
2. Describe the situation and seek immediate advice (say, over the phone) from IR professionals.
3. Isolate affected systems
   1. Disconnect from the network (unless IR professionals advise otherwise).
4. Secure the crime scene
   1. Physical area access control.
   2. Stop affected computer(s) from being used.

Slide 37: Conclusion
1. Incident response process
2. CSIRT organization structure
   1. What people to hire, their roles and responsibilities (R&Rs).
3. Triage – a brief overview
   1. How to verify an alert.
   2. How to prioritize an incident.
4. Preliminary containment
   1. What to do before the experts arrive.

Slide 38: Thank you! albert@securityronin.com