
Incident response before/after breach


Describes what is required for incident response in a company.



  1. Incident Response Operation Before/After Hacked. Sumedt Jitpukdebodin, Senior Security Researcher @ I-SECURE Co. Ltd. (LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE)
  2. # whoami • Name: Sumedt Jitpukdebodin • Jobs: Security Consultant, Senior Security Researcher @ I-SECURE • Websites: www.r00tsec.com, www.techsuii.com • Admin: @2600thailand, @OWASPThailand • Book: Network Security Book • Hobbies: writing, hacking, researching, gaming, etc. • My articles: search Google for my name.
  3. Hacker
  4. SOC (Security Operation Center)
  5. Attacker and Defender: catch me if you can
  6. # id • Hacking is easy; defending is so f*cking hard. • Attack surfaces • 0-day • Social engineering • Etc.
  7. Incident Response
  8. # man ir
  9. Definitions • Event: an activity that we monitor (log) • Incident: an event that causes damage • Incident Response (IR): actions taken after an incident to understand it and take remedial action
  10. Top priorities for IR • Identify the problem • Fix the problem • Recover the system back to normal
  11. Steps of IR (diagram). Source: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png
  12. Steps of IR • Preparation: skills, procedures, logs, tools, forms, policies, checklists, etc. • Detection (Identification) & Analysis: from best practice, research and lessons learned • Containment • Eradication • Remediation • Post-Incident Activities (Lessons Learned): What are they doing? Where are they doing it? What backdoors have they left? Develop attack signatures.
  18. What to look for • Look for abnormalities: performance issues, off-peak activity, some clients being redirected • Example indicators: new accounts, new directories, new files on the website, file system changes, crashes, unusual system usage patterns • Example sources: access log, IDS, IPS, firewall, system log, suspicious traffic • Potential issues: file/folder encryption, BIOS password protection, whole-disk encryption (risk)
  22. Before Breach. Image source: http://jokideo.com/wp-content/uploads/2013/03/Funny-cat-Come-on-birdy.jpg
  23. Centralized Log Diagram. Image source: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg
  24. # whereis logs • Device logs • Server logs • Application logs
  25. # ls /var/log/ • web_server/{access.log,error.log} • audit/audit.log • syslog • openvpn.log
  26. # cat /var/log/apache2/access.log
  27. # cat /var/log/syslog
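The indicators from the "What to look for" slide (new files on the website, off-peak activity, new accounts) checked against the two sources just shown, the web server access log and the system/auth log, as an added Python example that is not part of the original deck. The log lines, the baseline set of deployed paths and the business-hours window are constructed assumptions; a real baseline would come from the release manifest or a file-integrity tool.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample data (not real logs): Apache combined-format access log
# lines and Linux auth/syslog lines from a hypothetical host "web01".
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2014:10:15:02 +0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:10:15:09 +0700] "GET /products.php?id=3 HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:03:12:40 +0700] "POST /uploads/img.php HTTP/1.1" 200 88 "-" "python-requests/2.2"
198.51.100.23 - - [12/Mar/2014:03:12:41 +0700] "POST /uploads/img.php?cmd=id HTTP/1.1" 200 1730 "-" "python-requests/2.2"
198.51.100.23 - - [12/Mar/2014:03:13:02 +0700] "GET /admin/ HTTP/1.1" 404 210 "-" "python-requests/2.2"
"""

AUTH_LOG = """\
Mar 12 03:14:11 web01 useradd[2210]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2, shell=/bin/bash
Mar 12 03:14:30 web01 sshd[2231]: Accepted password for backup2 from 198.51.100.23 port 51022 ssh2
Mar 12 09:00:01 web01 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed baseline: the paths the deployed web application is known to serve.
BASELINE_PATHS = {"/index.php", "/products.php"}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
SSH_OK_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_access_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def parse_access_log(text):
    return [r for r in map(parse_access_line, text.splitlines()) if r]


def off_peak_requests(access_log, business_hours=(8, 20)):
    """Count requests per client IP whose local hour falls outside business hours."""
    start, end = business_hours
    counts = Counter()
    for rec in parse_access_log(access_log):
        if not start <= rec["ts"].hour < end:
            counts[rec["ip"]] += 1
    return dict(counts)


def find_indicators(access_log, auth_log, baseline_paths, business_hours=(8, 20)):
    """Return (indicator, detail) pairs for the slide's example indicators."""
    findings = []

    # New file on the website: a path that served 200 but is not in the baseline.
    served = {r["path"] for r in parse_access_log(access_log) if r["status"] == 200}
    for path in sorted(served - baseline_paths):
        findings.append(("new_file", path))

    # Off-peak activity, reported per source IP.
    start, end = business_hours
    for ip, n in off_peak_requests(access_log, business_hours).items():
        findings.append(("off_peak", f"{ip}: {n} requests outside {start:02d}:00-{end:02d}:00"))

    # New accounts, and logins that use them. A fresh account used from the same
    # IP that hit the unknown PHP file usually means a web-shell foothold.
    new_users = set()
    for line in auth_log.splitlines():
        m = USERADD_RE.search(line)
        if m:
            new_users.add(m["user"])
            findings.append(("new_account", m["user"]))
            continue
        m = SSH_OK_RE.search(line)
        if m and m["user"] in new_users:
            findings.append(("new_account_login", f'{m["user"]} from {m["ip"]}'))
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(ACCESS_LOG, AUTH_LOG, BASELINE_PATHS):
        print(f"{kind:18} {detail}")
```

The 404 on /admin/ is deliberately not reported as a new file: only paths the server actually served count, otherwise every scanner probe would show up as a "new file".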
  28. Devices • Firewall • IDS/IPS • Next-Generation Firewall • Mail gateway • Etc.
  29. Centralized Log • syslog-ng / rsyslog • Splunk • Graylog2 • logstash • Scribe
  30. Example of Splunk
  31. SIEM (Security Information and Event Management) • ArcSight • Log Correlation Engine by Tenable • Splunk • OSSIM ** • AlienVault ** • LOGalyze ** • Etc.
  32. Log Correlation Engine by Tenable. Image source: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui
  33. ArcSight. Image source: http://blog.rootshell.be/2013/06/26/out-of-the-box-siem-never/
  34. ArcSight dashboard. Image source: http://www.observeit.com/images/content/features_siem14.jpg
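What a SIEM adds over a centralized log store is correlation: stateful rules evaluated across events from many hosts. The following is an added Python example, not from the deck or from any of the products listed, of one such rule over sshd lines as they arrive via syslog: at least N failed logins from one source IP inside a short window, followed by an accepted login from the same IP. The log lines, the year (RFC 3164 timestamps carry none) and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs), in the shape a SIEM receives them
# from hosts forwarding /var/log/auth.log or /var/log/syslog.
EVENTS = """\
Mar 12 02:00:01 web01 sshd[1201]: Failed password for root from 198.51.100.23 port 40001 ssh2
Mar 12 02:00:03 web01 sshd[1202]: Failed password for root from 198.51.100.23 port 40002 ssh2
Mar 12 02:00:05 web01 sshd[1203]: Failed password for admin from 198.51.100.23 port 40003 ssh2
Mar 12 02:00:07 web01 sshd[1204]: Failed password for invalid user test from 198.51.100.23 port 40004 ssh2
Mar 12 02:00:09 web01 sshd[1205]: Failed password for deploy from 198.51.100.23 port 40005 ssh2
Mar 12 02:00:12 web01 sshd[1206]: Accepted password for deploy from 198.51.100.23 port 40006 ssh2
Mar 12 08:30:00 web01 sshd[1300]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Mar 12 08:30:20 web01 sshd[1301]: Accepted password for alice from 10.0.0.5 port 50002 ssh2
Mar 12 09:00:01 db01 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_sshd_events(text, year=2014):
    """Normalise sshd auth lines into event dicts; non-sshd lines are skipped.
    The caller supplies the year because syslog timestamps omit it (assumed 2014 here)."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue   # e.g. the CRON line: not an auth event
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"],
        })
    return events


def correlate_bruteforce(events, threshold=5, window=timedelta(seconds=60),
                         success_within=timedelta(seconds=300)):
    """Rule: at least `threshold` failed logins from one source IP within `window`,
    then an accepted login from the same IP within `success_within` of the last
    failure. Returns one alert per qualifying success."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            continue
        if len(q) >= threshold and ev["ts"] - q[-1] <= success_within:
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "host": ev["host"], "src_ip": ev["ip"], "user": ev["user"],
                "failures": len(q), "ts": ev["ts"].isoformat(),
            })
        q.clear()   # a successful login resets the counter for that IP
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(parse_sshd_events(EVENTS)):
        print(alert)
```

The single mistyped password from 10.0.0.5 never reaches the threshold, so alice does not generate noise; only the source that failed five times in eight seconds and then got in is raised.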
  35. False Positive
  36. SQL Injection Case • Alert: SQL Injection • Attacker: China • Log from: Web Application Firewall
  37. SQL Injection Case
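Triage for a WAF SQL-injection alert like the one in this case, as an added Python example that is not part of the original deck. It sorts alerts into blocked (never reached the application), false positive (a keyword signature fired on ordinary text), suspicious (real SQL structure, no visible effect) and escalate (the application returned a database error). The alert records, the backend responses and the way they are joined are constructed assumptions; no vendor's real export format is implied.

```python
import re

# Constructed WAF alerts in a hypothetical, generic export shape: what the WAF
# logged for each hit of its SQLi rule.
WAF_ALERTS = [
    {"id": 1, "ts": "2014-03-12T03:20:01", "src_ip": "203.0.113.50", "country": "CN",
     "action": "BLOCK", "uri": "/products.php", "param": "id",
     "value": "1' UNION SELECT username,password FROM users--"},
    {"id": 2, "ts": "2014-03-12T09:05:14", "src_ip": "198.51.100.9", "country": "CN",
     "action": "DETECT", "uri": "/search.php", "param": "q",
     "value": "select a gift union jack flag"},
    {"id": 3, "ts": "2014-03-12T09:07:40", "src_ip": "198.51.100.9", "country": "CN",
     "action": "DETECT", "uri": "/search.php", "param": "q",
     "value": "O'Reilly books"},
    {"id": 4, "ts": "2014-03-12T11:41:03", "src_ip": "192.0.2.77", "country": "US",
     "action": "DETECT", "uri": "/products.php", "param": "id",
     "value": "3 OR 1=1--"},
]

# Constructed backend view of the same requests (status and a body excerpt),
# keyed by (src_ip, ts). A real SIEM would join on a request ID, or on
# ip + URI within a short time window, rather than on an exact timestamp.
BACKEND = {
    ("198.51.100.9", "2014-03-12T09:05:14"): {"status": 200, "body": "12 results for your search"},
    ("198.51.100.9", "2014-03-12T09:07:40"): {"status": 200, "body": "3 results for your search"},
    ("192.0.2.77", "2014-03-12T11:41:03"):
        {"status": 500, "body": "You have an error in your SQL syntax; check the manual"},
}

# The kind of keyword signature that produced these alerts: any of the words or
# a single quote fires, which is why ordinary search text matches.
NAIVE_RE = re.compile(r"\b(?:union|select|or|and)\b|'", re.I)

# Structural check: the value must break out of a literal or build an SQL
# clause, not merely contain an English word that is also a keyword.
STRUCT_RE = re.compile(
    r"""['"]\s*(?:or|and|union)\b"""        # quote break followed by an operator
    r"|\bunion\s+(?:all\s+)?select\b"      # UNION [ALL] SELECT
    r"|\b(?:or|and)\s+\d+\s*=\s*\d+"       # tautology such as OR 1=1
    r"|(?:--|#|/\*)\s*$",                  # trailing comment terminator
    re.I,
)
SQL_ERROR_RE = re.compile(r"sql syntax|sqlstate|ora-\d{5}|unclosed quotation", re.I)


def triage(alert, backend):
    """Classify one alert as 'blocked', 'false_positive', 'suspicious' or 'escalate'.
    The source country is deliberately ignored: it says nothing about whether
    the payload reached the database."""
    if alert["action"] == "BLOCK":
        return "blocked"           # never reached the app: nothing to contain, only a rule to tune
    resp = backend.get((alert["src_ip"], alert["ts"]))
    if resp and (resp["status"] >= 500 or SQL_ERROR_RE.search(resp["body"])):
        return "escalate"          # application behaviour changed: handle as an incident
    if not STRUCT_RE.search(alert["value"]):
        return "false_positive"    # keyword-only match on ordinary text
    return "suspicious"            # real SQL structure, no visible effect: check DB and app logs


def triage_all(alerts, backend):
    return {a["id"]: triage(a, backend) for a in alerts}


def naive_matches(value):
    """True when the keyword signature fires; shows why alerts 2 and 3 exist at all."""
    return bool(NAIVE_RE.search(value))


if __name__ == "__main__":
    for alert in WAF_ALERTS:
        print(alert["id"], alert["src_ip"], alert["country"], alert["action"],
              repr(alert["value"]), "->", triage(alert, BACKEND))
```

Alerts 2 and 3 are the case on the slide: the WAF is right that its signature matched, but the request was a search for "union jack" and a query containing an apostrophe, the backend answered normally, and the source country is not evidence of anything. Alert 4 is the one that actually needs the after-breach steps.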
  38. After Breach. Image source: http://www.dumpaday.com/wp-content/uploads/2013/01/funny-cat-bath.jpg
  39. Forensic
  40. Forensic • Containment: ensure that the system(s) and network are protected from further risk; isolate the compromised system(s) • Eradication: how they got in, where they went, what they did; removal of malware; patching the vulnerability; identifying the vulnerability; improving network and system countermeasures
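For the eradication questions on this slide (what they did, what backdoors they left), a first pass over the compromised web root is a file-system timeline: every regular file changed since the earliest possible start of the incident, hashed so the evidence can be preserved and compared, with setuid and world-writable bits flagged. The following is an added Python example, not from the deck; the sample web root it builds in a temporary directory (a legitimate file from before the incident, a PHP file dropped into the upload directory, a setuid shell) and the pivot time are constructed.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed sample tree (not real evidence): relative path -> (content, mtime, mode).
SAMPLE_FILES = {
    "index.php": (b"<?php echo 'hello'; ?>\n", "2014-03-01T12:00:00", 0o644),
    "uploads/img.php": (b"<?php @eval($_POST['cmd']); ?>\n", "2014-03-12T03:12:40", 0o644),
    "uploads/.cache/sh": (b"#!/bin/sh\nexec /bin/sh \"$@\"\n", "2014-03-12T03:15:02", 0o4755),
}
# Assumed pivot: earliest time the incident could have started, from the log review.
INCIDENT_START = datetime(2014, 3, 12, tzinfo=timezone.utc).timestamp()


def _utc_epoch(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


def build_sample_tree():
    """Create a throwaway web root with the files in SAMPLE_FILES and return its path."""
    root = tempfile.mkdtemp(prefix="ir-demo-")
    for rel, (content, when, mode) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
        ts = _utc_epoch(when)
        os.utime(path, (ts, ts))   # sets atime/mtime only; ctime cannot be set this way
    return root


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_timeline(root, since):
    """Walk `root` and return, newest first, every regular file whose mtime is at or
    after `since` (epoch seconds), with its SHA-256 and permission flags.
    Caveat: mtime is trivially backdated (touch -t), so a real case also compares
    st_ctime, which utime() does not set, and hashes against a known-good manifest."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue   # symlinks and specials get their own pass in a full triage
            if st.st_mtime < since:
                continue
            entries.append({
                "path": os.path.relpath(path, root),
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
                "setuid": bool(st.st_mode & stat.S_ISUID),
                "world_writable": bool(st.st_mode & stat.S_IWOTH),
            })
    return sorted(entries, key=lambda e: e["mtime"], reverse=True)


if __name__ == "__main__":
    root = build_sample_tree()
    for e in collect_timeline(root, INCIDENT_START):
        flags = "setuid " if e["setuid"] else ""
        print(f'{e["mtime"]} {e["sha256"][:16]} {flags}{e["path"]}')
```

Run this against a disk image mounted read-only, not the live file system, so the act of collecting does not update access times on the evidence; the hashes go into the incident report so the same artefacts can be recognised on other hosts.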
  42. Recovery (Restore/Rebuild) • Restore the service to normal • System owners decide, based on advice from the incident handling team (a business decision) • Monitor the service after recovery: performance, anomalies
  43. Lessons Learned • Detailed incident report • Communicate to others on the team • Apply fixes in the environment • Conduct a performance analysis of the overall incident and improve operations • Do NOT blame people • Review/rewrite policy • Determine the cost of the incident • Apply lessons learned to the entire entity • Budget for, install and maintain protection software
