Incident Response Triage
    Presentation Transcript

    • 5th Annual HTCIA Asia Pacific Conference, 7th December 2011 @ Hong Kong. Enterprises’ Dilemma: INCIDENT RESPONSE TRIAGE. Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
    • Who am I? Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
      - Member of: SANS Advisory Board, Digital Phishnet, ACFE
      - Consulted for setting up IR capabilities at critical infrastructure companies.
      - Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks.
      - Dropped out of PhD to run a startup making IPS boxes.
      - Now a security ronin.
      Copyright © 2011 Albert Hui
    • Agenda
      - The Context: IR process and Triage.
      - Incident Verification: A Systematic Approach.
      - Severity Assessment: A Potentiality Model.
    • Enterprises’ Dilemma: Huge Volume, Influx of Incidents, Time Critical, Horizontal vs. Vertical. Triage!
    • Forensics vs. Incident Response
    • Forensics: Crime is suspected to have happened. Did it happen?
    • Incident Response: an alert triggered on this proxy log line:
      1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream
      What the hell just happened? How serious was that? How to deal with it? Triage!
    • Where Does Triage Belong?
      - IR process: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
      - Triage stages: Report (w/ Initial Severity), Interpretation, Verification, Severity Assessment, Prioritization.
    • Triage Stages
      - Report (w/ Initial Severity): reports typically come in as alerts (IDS, AV, SIEM, etc.); alert rules typically assign a severity.
      - Interpretation: the MSSP is supposed to further tune severity with respect to prevailing threat conditions.
      - Verification: is it material? (e.g. Serv-U alerts when no Serv-U is installed)
      - Severity Assessment: damage already done; potential for further damage.
      - Prioritization: deal with the most severe cases first.
    • Verification
    • What Tools Do We Need? log2timeline  auditpol autoruns  uassist_lv RegRipper  listdlls RipXP  dumpel RegScan  pclip FastDump  fport Volatility  tcpvcon mdd  md5deep Memoryze  ssdeep Red Curtain  F-Response Responder Pro  psexec FlyPaper  wft Recon  WireShark dcfldd  analyzeMFT Copyright © 2011 Albert Hui
    • What Tools Do We Need? If you’ve got a hammer, everything looks like a nail.
    • Right Questions: The Alexious Principle
      1. What question are you trying to answer?
      2. What data do you need to answer that question?
      3. How do you extract and analyze that data?
      4. What does / would that data tell you?
    • Fault Tree (figure)
    • What Questions Are You Trying to Answer? Breadth-First Search
    • What Data Do You Need to Answer that Question?
    • Guiding Principles
      - Locard’s Exchange Principle: every contact leaves a trace.
      - Occam’s Razor: Facts > Inferences.
      - The Alexious Principle: 1. What question are you trying to answer? 2. What data do you need to answer that question? 3. How do you extract and analyze that data? 4. What does / would that data tell you?
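An added example, not part of the presentation: a parser for the Squid native access-log line quoted on the Incident Response slide, worked through the principle above (extract the data, verify the alert is material, then state only what the data says). The sample line is the slide’s own; the indicator heuristics in `triage_facts` are this example’s assumptions, not the author’s.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Squid native access.log layout, one request per line:
# time elapsed client code/status bytes method URL ident peerstatus/peerhost content-type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peer>[A-Z_]+)/(?P<peerhost>\S+)\s+(?P<ctype>\S+)$"
)

# Sample input: the alert line from the slide (whitespace restored).
SAMPLE = ("1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET "
          "http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 "
          "application/octet-stream")


def parse_squid(line):
    """Steps 2 and 3: the data you need, extracted into named fields."""
    m = SQUID_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Squid native access.log line")
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    parts = urlsplit(rec["url"])
    rec["host"], rec["path"] = parts.hostname, parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def verify(rec):
    """Verification: is the alert material? Here: did a payload actually reach the client?"""
    return rec["code"] != "TCP_DENIED" and rec["status"] == "200" and rec["bytes"] > 0


def triage_facts(rec):
    """Step 4: what the data tells you, as facts (Locard), not inferences (Occam).
    The indicator heuristics below are this example's own assumptions."""
    facts = []
    if rec["status"] == "200" and rec["ctype"] == "application/octet-stream":
        # TCP_MISS/200: the proxy fetched the object from origin and served it to the client.
        facts.append(f"{rec['client']} received a {rec['bytes']}-byte binary from "
                     f"{rec['host']} ({rec['peerhost']}) at {rec['when']:%Y-%m-%d %H:%M:%S} UTC")
    if rec["host"].endswith(".co.cc"):
        facts.append("host is on a free-subdomain service (.co.cc)")
    if rec["path"].endswith("load.php") and "spl" in rec["query"]:
        # Assumption: load.php?spl=<name> is a kit-style loader URL naming the exploit used.
        facts.append(f"loader URL names an exploit: spl={rec['query']['spl'][0]}")
    return facts
```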
    • Severity Assessment and Prioritization
    • Risk Revisited: Risk = Likelihood × Impact × Asset Value
    • Risk Revisited: for an incident, Likelihood = 100% (it already happened), so what remains to assess is Impact and Asset Value.
    • Risk Revisited: Impact = Threat × Vulnerability
    • Oft-Neglected Dimension: prioritize on Potential Damage and Scope as well as Existing Damage and Scope.

                                         Potential Damage and Scope: low   Potential Damage and Scope: high
      Existing Damage and Scope: high    Immediate Mitigation              Intensive Care
      Existing Damage and Scope: low     Standard                          Attention!
    • Potential Scope and Damage
      - Artifact Hemisphere: Compromised Entities (Know Thyself), Malware Capability (Know Thy Enemy)
      - Intellectual Hemisphere: Exploit Chainability (Know Thyself), Ease of Attack (Know Thy Enemy)
    • Exploit Chainability: small, immaterial weaknesses can combine to become material. You have to know your systems and configurations to assess this.
    • Reason’s Swiss Cheese Model (figure from Duke University Medical Center)
    • Ease of Attack
    • What Do Threat Analysts Need to Know?
      - Prevailing threat conditions, e.g. PDF 0-day CVE-2011-2462 in the wild; Adobe promises a fix “no later than the week of December 12, 2011”.
      - Current ease / reliability of mounting an attack, e.g. a certain exploit has just been committed to Metasploit.
      - Consequence of a compromise (chained exploit).
      - Malware reverse engineering skills.
      - Etc. etc. Send them to conferences and trainings like HTCIA!!
    • Conclusion
      - FTA (fault tree analysis) for verification.
      - Potentiality Model for severity assessment: Compromised Entities, Malware Capability, Exploit Chainability, Ease of Attack.
      - Triage stages (Report w/ Initial Severity, Interpretation, Verification, Severity Assessment, Prioritization) within the IR process (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned).
    • Thank you! albert@securityronin.com