
Walking the Green Mile


Security incidents targeting corporations are occurring on a daily basis. While we may hear about the large cases in the news, network and security administrators from smaller organizations quake in fear of losing their jobs after a successful attack on their network. Simple bad decisions and stupid mistakes in responding to a data breach or network intrusion are a great way to find yourself new employment. In this talk I’ll show you in twelve easy steps how to do so after, or even during, a security incident in your company.

Published in: Technology, Health & Medicine

Walking the Green Mile

  1. Walking the Green Mile: How to Get Fired After a Security Incident. Brian Baskin
  2. $ whoami
     • Senior Consultant at cmdLabs
     • Intrusions Examiner / Malware Analyst at DCFL
     • Author/Coauthor of eight Information Security books
  3. So you have an incident…
  4. And they called in for support… “You’ve got a corpse in a car, minus a head, in a garage… take me to it!”
  5. For you to assist…
  6. And you’re going to be fired…
  7. 1) Oblivious that you were hacked
  8. Oblivious that you were hacked
     • No active or routine monitoring of traffic
     • No investigation of log irregularities
     • Often find out about attack after:
       – Data is exfiltrated
       – Received notification from third party
       – Competitor releases one of your products
  9. Levels of Obliviousness
     • Notified by third party months later
     • Didn’t see until next day
     • Saw and stopped during exfiltration
     • Saw and stopped during attack
     • Attacks automatically blocked by existing rules
  10. 2) Did not own up to being hacked
     • Hope that no one will notice and that it’ll just blow over
     • Downplay effect of the attack or scope of intrusion
  11. Did not own up to being hacked
     • Loyal to your vendor products
       – “But XYZ has NEVER been hacked?!”
     • Their sales person told me so…
       – DoD STIGs / Gold Disk
  12. 3) Tried to be the hero
     • Single-handedly “fixed” the issue
     • Went straight into mitigation without planning:
       – Analysis
       – Forensics
       – Reverse engineering
  13. Tried to be the hero
     • Did not seek help from others
     • Did not bring in the lawyers
     • Did not realize insurance policy required bringing in independent security team
     • Communicate!
       – Pass the buck up the chain
  14. 4) Did not preserve evidence
     • Wiped and re-installed server
     • Thought that having server back up immediately would make you look better
     • Did not copy off backups of logs/malware
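The “copy off backups of logs/malware” point on slide 14 is the one that is cheapest to get right and most painful to get wrong. The following is an added example, not code from the talk or from cmdLabs: it copies the files an analyst wants to keep into an evidence directory, hashes each file before and after the copy, marks the copies read-only, and writes a manifest so the set can be re-verified later. The file names, contents, collector name and directory layout are all constructed for the demonstration.

```python
"""Copy logs and suspect files into an evidence directory with a hashed manifest.

Added example, not from the talk. Every path, file body and collector name below is
constructed for the demonstration; the "malware" sample is a harmless placeholder.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Stream a file through SHA-256 so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(source_paths, evidence_dir, collector):
    """Copy each source file into evidence_dir (copy2 keeps the original mtime),
    confirm the copy hashes identically to the source, make it read-only, and record
    it in manifest.json. Returns the list of manifest entries."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in source_paths:
        src_hash = sha256_of(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)
        if sha256_of(dst) != src_hash:
            raise RuntimeError(f"copy of {src} does not match the source hash")
        os.chmod(dst, 0o444)
        entries.append({
            "original_path": os.path.abspath(src),
            "evidence_file": os.path.basename(dst),
            "sha256": src_hash,
            "size": os.path.getsize(src),
            "original_mtime_utc": datetime.fromtimestamp(
                os.path.getmtime(src), timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(entries, f, indent=2)
    return entries


def verify(evidence_dir):
    """Re-hash every file named in manifest.json and return the names whose hash no
    longer matches; an empty list means the evidence set is intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        entries = json.load(f)
    return [e["evidence_file"] for e in entries
            if sha256_of(os.path.join(evidence_dir, e["evidence_file"])) != e["sha256"]]


def demo():
    """Build a throwaway source tree with constructed files, preserve it, tamper with
    one copy, and return (files preserved, files flagged by verify)."""
    work = tempfile.mkdtemp(prefix="evidence-demo-")
    src_dir = os.path.join(work, "server")
    os.makedirs(src_dir)
    log = os.path.join(src_dir, "auth.log")
    sample = os.path.join(src_dir, "suspect.bin")
    with open(log, "w") as f:  # constructed log line
        f.write("Jan 01 00:00:01 host sshd[1]: Accepted password for admin\n")
    with open(sample, "wb") as f:  # constructed placeholder, not real malware
        f.write(b"\x4d\x5a" + b"\x00" * 64)
    evidence = os.path.join(work, "evidence")
    entries = preserve([log, sample], evidence, collector="analyst@example.org")
    if verify(evidence):
        raise RuntimeError("fresh evidence set failed verification")
    tampered = os.path.join(evidence, "auth.log")
    os.chmod(tampered, 0o644)
    with open(tampered, "a") as f:
        f.write("tampered\n")
    flagged = verify(evidence)
    for e in entries:  # clear read-only bits so the temp tree can be removed anywhere
        os.chmod(os.path.join(evidence, e["evidence_file"]), 0o644)
    shutil.rmtree(work)
    return len(entries), flagged


if __name__ == "__main__":
    print(demo())  # (2, ['auth.log'])
```

Hashing before and after the copy catches a bad transfer at collection time; the manifest lets anyone, including an independent team brought in later, show that what they are examining is what was collected.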
  15. 5) Improperly Managed Antivirus
     • Mass-updated clients during an incident and removed all traces of attack
     • Allowed AV to delete critical malware
     • Submitted AV sample to vendor too early
       – Or VirusTotal / Jotti
  16. 6) Improperly Managed Logs
     * discipleofjude
  17. Improperly Managed Logs
     • No log management!
     • Did not have correct logs
       – Cisco logs rock!
     • If you collect the right logs…
     • 302013+302014 / 302015+302016, etc.
     • No appropriate preservation period for logs
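Slide 17 names the Cisco ASA message pairs 302013/302014 (TCP connection built and torn down) and 302015/302016 (the UDP equivalents). The build message carries the direction and endpoints, the teardown carries the duration and total byte count, so pairing them by connection ID turns a syslog feed into a flow record you can triage. The following is an added example, not code from the talk: the syslog lines are constructed in the message format ASA uses, and the byte threshold is an illustrative value, not a recommendation.

```python
"""Pair Cisco ASA connection build/teardown messages and flag large outbound flows.

Added example, not from the talk. The sample lines are constructed; 302013/302014
(TCP) and 302015/302016 (UDP) are the message IDs the slide names.
"""
import re

# Constructed sample: three flows from one internal host, one of them very large.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.25/52310 (203.0.113.10/52310)
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:10.1.1.25/52310 duration 0:00:02 bytes 4120 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.1.1.25/52311 (203.0.113.10/52311)
%ASA-6-302015: Built outbound UDP connection 1003 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:10.1.1.25/40000 (203.0.113.10/40000)
%ASA-6-302016: Teardown UDP connection 1003 for outside:198.51.100.53/53 to inside:10.1.1.25/40000 duration 0:00:00 bytes 312
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.9/443 to inside:10.1.1.25/52311 duration 1:12:45 bytes 734003200 TCP FINs
"""

# "Built" messages (302013 TCP, 302015 UDP): direction, connection ID, both endpoints.
# The endpoints are kept in the order ASA prints them ("for ... to ...").
BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn_id>\d+) for (?P<for_if>\w+):(?P<for_ip>[\d.]+)/(?P<for_port>\d+) "
    r"\S+ to (?P<to_if>\w+):(?P<to_ip>[\d.]+)/(?P<to_port>\d+)"
)
# "Teardown" messages (302014 TCP, 302016 UDP): duration h:mm:ss and total bytes.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"\S+ to \S+ duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)"
)


def _empty(proto):
    return {"direction": None, "proto": proto, "for_ep": None, "to_ep": None,
            "built": False, "torn_down": False, "duration_s": None, "bytes": None}


def parse_connections(log_text):
    """Return (connections, unmatched). connections is keyed by ASA connection ID;
    unmatched lists IDs seen only as a build (still open when the log was cut) or only
    as a teardown (retention too short to cover the start of the flow)."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            d = m.groupdict()
            rec = conns.setdefault(d["conn_id"], _empty(d["proto"]))
            rec.update(direction=d["direction"], built=True,
                       for_ep=f"{d['for_if']}:{d['for_ip']}/{d['for_port']}",
                       to_ep=f"{d['to_if']}:{d['to_ip']}/{d['to_port']}")
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            rec = conns.setdefault(d["conn_id"], _empty(d["proto"]))
            rec.update(torn_down=True, bytes=int(d["bytes"]),
                       duration_s=int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]))
    unmatched = sorted(c for c, r in conns.items() if not (r["built"] and r["torn_down"]))
    return conns, unmatched


def find_large_outbound(conns, min_bytes):
    """IDs of completed outbound flows carrying at least min_bytes, largest first.
    ASA reports one combined byte count for both directions, so this is a triage
    filter for an analyst to review, not proof of exfiltration."""
    hits = [(r["bytes"], cid) for cid, r in conns.items()
            if r["direction"] == "outbound" and r["bytes"] is not None
            and r["bytes"] >= min_bytes]
    return [cid for _, cid in sorted(hits, reverse=True)]


if __name__ == "__main__":
    conns, unmatched = parse_connections(SAMPLE_LOG)
    for cid in find_large_outbound(conns, 100 * 1024 * 1024):  # illustrative threshold
        r = conns[cid]
        print(f"conn {cid}: {r['for_ep']} <-> {r['to_ep']} "
              f"{r['bytes']} bytes over {r['duration_s']}s")
    if unmatched:
        print("incomplete flows:", ", ".join(unmatched))
```

The unmatched list is the slide’s “preservation period” point made concrete: a teardown with no matching build means the log that would have told you when and how the flow started has already rolled off.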
  18. 7) Did Not Track Incidents
     • Email? Really?
     • Set up a security tracking database
       – Any help desk tool will do
       – RTIR (RT for Incident Response)
     • You will be hacked again…
       – By the same exploit
  19. 8) Disrespected Indicators
  20. Disrespected Indicators
     • Trusted A/V write-ups like the bible
     • Did not verify and examine own malware
     • Network:
       – Listening ports
       – Connection attempts (ports, IPs, URLs)
     • File system:
       – Files, registry
     • Memory
  21. 9) Miscommunicated About Attack
     • Shared information with outsiders without senior approval… at a con… on camera… then did published interviews
     • Did NOT share information with those who need to know
       – FBI / DCISE
       – Exercise the attorney-client privilege
  22. Don’t Tell the Hackers
     • Ping backs
     • Hack backs
     • Not using air-gapped systems
     • Online sandboxes
     • WHOIS lookups
  23. 10) Did Not Learn From the Attack
     • After-Action Report / Hot Wash
     • Be Honest
     • Take your hits
     • Document risk analysis in decisions
       – And the decision maker
  24. Incident Response Plan
     • You had an IR Plan before… right?
     • Revise after every incident
       – At the very least with case studies
  25. Save Your Job
  26. Save Your Job
     • Use hacker/paranoia senses
     • Document your actions
     • Take the high road
     • Understand that you’re screwing up
       – But document what you did right
     • Give your management a way out
       – When all else fails, drop the A-word (APT)
  27. Contact Us:
     e-mail: contact@cmdlabs.com
     p: 443.451.7330
     www.cmdlabs.com
     1101 E. 33rd Street, Suite B308
     Baltimore, MD 21218
     Brian