Incident Response Triage

  1. 5th Annual HTCIA Asia Pacific Conference, 7th December 2011 @ Hong Kong. Enterprises’ Dilemma: INCIDENT RESPONSE TRIAGE. Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
  2. Who am I? Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA. Member of: SANS Advisory Board; Digital Phishnet; ACFE. Consulted for setting up IR capabilities at critical infrastructure companies. Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks. Dropped out of PhD to run a startup making IPS boxes. Now a security ronin. Copyright © 2011 Albert Hui
  3. Agenda: The Context: IR process and Triage. Incident Verification: A Systematic Approach. Severity Assessment: A Potentiality Model.
  4. Enterprises’ Dilemma: Huge Volume; Influx of Incidents; Time Critical; Horizontal vs. Vertical. Triage!
  5. Forensics vs. Incident Response
  6. Forensics: Crime is suspected to have happened. Did it happen?
  7. Incident Response: a proxy log entry, "1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream". Alert triggered. What the hell just happened? How serious was that? How to deal with it?
  8. Incident Response (same log entry): Alert triggered. What the hell just happened? How serious was that? How to deal with it? Triage!
  9. (image-only slide, no text)
  10. (image-only slide, no text)
  11. Where Does Triage Belong? IR process: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. Triage stages: Report (w/ Initial Severity) → Interpretation → Verification → Severity Assessment → Prioritization.
  12. Triage Stages. Report (w/ Initial Severity) and Interpretation: reports typically come in as alerts (IDS, AV, SIEM, etc.); alert rules typically assign a severity; the MSSP is supposed to further tune severity with respect to prevailing threat conditions. Verification: is it material? (e.g. Serv-U alerts when no Serv-U is installed). Severity Assessment: damage already done; potential for further damage. Prioritization: deal with the most severe cases first.
  13. Verification
  14. What Tools Do We Need? log2timeline, auditpol, autoruns, uassist_lv, RegRipper, listdlls, RipXP, dumpel, RegScan, pclip, FastDump, fport, Volatility, tcpvcon, mdd, md5deep, Memoryze, ssdeep, Red Curtain, F-Response, Responder Pro, psexec, FlyPaper, wft, Recon, WireShark, dcfldd, analyzeMFT
  15. What Tools Do We Need? If you’ve got a hammer, everything looks like a nail.
  16. Right Questions: The Alexiou Principle. 1. What question are you trying to answer? 2. What data do you need to answer that question? 3. How do you extract and analyze that data? 4. What does / would that data tell you?
  17. Fault Tree (diagram)
  18. Fault Tree (diagram)
  19. What Questions Are You Trying to Answer?
  20. What Questions Are You Trying to Answer? Breadth-First Search
  21. What Data Do You Need to Answer that Question?
  22. Guiding Principles. Locard’s Exchange Principle: every contact leaves a trace. Occam’s Razor: Facts > Inferences. The Alexiou Principle: 1. What question are you trying to answer? 2. What data do you need to answer that question? 3. How do you extract and analyze that data? 4. What does / would that data tell you?
  23. Severity Assessment and Prioritization
  24. Risk Revisited: Risk = Likelihood × Impact × Asset Value
  25. Risk Revisited: Likelihood = 100% (already happened). Impact.
  26–28. Risk Revisited: Risk = Likelihood × Impact × Asset Value (repeated build slides)
  29–30. Risk Revisited: Impact = Threat × Vulnerability (repeated build slides)
  31. Oft-Neglected Dimension: a 2×2 of Existing Damage and Scope against Potential Damage and Scope, with the quadrants Intensive Care, Immediate Mitigation, Standard, and Attention!
  32–34. Potential Scope and Damage (repeated build slides). Artifact Hemisphere: Compromised Entities; Malware Capability. Intellectual Hemisphere: Exploit Chainability; Ease of Attack. Know Thyself: Compromised Entities, Exploit Chainability. Know Thy Enemy: Malware Capability, Ease of Attack.
  35. Exploit Chainability: Small immaterial weaknesses can combine to become material. You have to know your systems and configurations to assess.
  36–37. Reason’s Swiss Cheese Model (diagram from Duke University Medical Center)
  38. Potential Scope and Damage (same diagram as slides 32–34)
  39. Ease of Attack
  40. What Do Threat Analysts Need to Know? Prevailing threat conditions (e.g. PDF 0-day CVE-2011-2462 in the wild; Adobe promises a fix “no later than the week of December 12, 2011”). Current ease / reliability of mounting an attack (e.g. a certain exploit has just been committed to Metasploit). Consequence of a compromise (chained exploit). Malware reverse engineering skills. Etc. etc. Send them to conferences and trainings like HTCIA!!
  41. Conclusion: FTA; Potentiality Model (Compromised Entities, Malware Capability, Exploit Chainability, Ease of Attack); IR process (Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned); Triage stages (Report (w/ Initial Severity) → Interpretation → Verification → Severity Assessment → Prioritization).
  42. Thank you! albert@securityronin.com
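The triage pipeline the deck walks through (verification for materiality as in the Serv-U example, Risk = Likelihood × Impact × Asset Value with likelihood fixed at 100%, Impact = Threat × Vulnerability, and the existing-vs-potential damage quadrants), as an added Python sketch that is not from the talk. The asset inventory, the 0..1 scales, the sample alerts and the placement of the four quadrant labels against high/low existing and potential damage are my assumptions.

```python
# Added example, not from the talk: verify -> assess -> prioritize, following the
# "Triage Stages", "Risk Revisited" and "Oft-Neglected Dimension" slides.
from dataclasses import dataclass

@dataclass
class Alert:
    name: str
    host: str
    product: str             # software the alert rule presumes is installed
    threat: float            # 0..1 (assumed scale): prevailing threat / ease of attack
    vulnerability: float     # 0..1 (assumed scale): is the host actually exposed?
    asset_value: float       # relative business value of the host (assumed scale)
    existing_damage: float   # 0..1: damage and scope already done
    potential_damage: float  # 0..1: damage and scope that could still follow

# Constructed asset inventory (assumption): what each host really runs.
INVENTORY = {"web01": {"apache", "java"}, "file02": {"serv-u"}}

def is_material(alert: Alert, inventory=INVENTORY) -> bool:
    """Verification: a Serv-U alert on a host without Serv-U is not material."""
    return alert.product in inventory.get(alert.host, set())

def risk(alert: Alert) -> float:
    """Risk = Likelihood x Impact x Asset Value. Likelihood is 1.0 because the
    incident has already happened; Impact = Threat x Vulnerability."""
    likelihood = 1.0
    return likelihood * (alert.threat * alert.vulnerability) * alert.asset_value

def quadrant(alert: Alert, threshold: float = 0.5) -> str:
    """Existing vs potential damage and scope. Which label sits in which
    quadrant is my reading of the slide's 2x2, not stated by the deck."""
    high_existing = alert.existing_damage >= threshold
    high_potential = alert.potential_damage >= threshold
    if high_existing and high_potential:
        return "Intensive Care"
    if high_existing:
        return "Immediate Mitigation"
    if high_potential:
        return "Attention!"
    return "Standard"

def prioritize(alerts):
    """Drop non-material alerts, then most severe first: highest risk,
    ties broken by how much further damage is still possible."""
    verified = [a for a in alerts if is_material(a)]
    ranked = sorted(verified, key=lambda a: (risk(a), a.potential_damage), reverse=True)
    return [(a.name, quadrant(a), round(risk(a), 2)) for a in ranked]

# Constructed sample alerts (not real incidents); the third mirrors the deck's proxy log entry.
SAMPLE_ALERTS = [
    Alert("Serv-U alert", "web01", "serv-u", 0.5, 1.0, 4.0, 0.8, 0.3),   # no Serv-U on web01
    Alert("Serv-U alert", "file02", "serv-u", 0.5, 1.0, 4.0, 0.8, 0.3),
    Alert("Proxy alert: load.php?spl=java_gsb", "web01", "java", 0.9, 0.8, 10.0, 0.2, 0.9),
]
```

Running prioritize(SAMPLE_ALERTS) drops the first alert at verification and ranks the proxy alert (little damage yet, high potential: "Attention!") above the confirmed Serv-U case ("Immediate Mitigation").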
