The document summarizes a presentation given by Albert Hui at the 5th Annual HTCIA Asia Pacific Conference on December 7th, 2011 in Hong Kong. The presentation discussed incident response triage, including the importance of triage in the incident response process. It covered how to systematically approach incident verification and assessing the severity and potential impact of incidents to prioritize response efforts. Key aspects of Hui's proposed severity assessment model included considering existing damage and scope, potential future damage and exploit chainability.

1. 5th Annual HTCIA Asia Pacific Conference
7th December, 2011 @ Hong Kong
Enterprises’ Dilemma
INCIDENT RESPONSE TRIAGE
Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA

2. Who am I?
Albert Hui
GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
 Member of:
 SANS Advisory Board
 Digital Phishnet
 ACFE
 Consulted for setting up IR capabilities
at critical infrastructure companies.
 Former incident analyst / threat
researcher at top-tier retail,
commercial, and investment banks.
 Dropped out of PhD to run a startup
making IPS boxes.
 Now a security ronin .
Copyright © 2011 Albert Hui

3. Agenda
 The Context: IR process and Triage.
 Incident Verification: A Systematic Approach.
 Severity Assessment: A Potentiality Model.
Copyright © 2011 Albert Hui

4. Enterprises’ Dilemma
 Huge Volume
 Influx of Incidents
 Time Critical
 Horizontal vs. Vertical
 Triage!
Copyright © 2011 Albert Hui

5. Forensics vs. Incident Response
Copyright © 2011 Albert Hui

6. Forensics
Crime is suspected to have happened.
Did it happen?
Copyright © 2011 Albert Hui

7. Incident Response
1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593
GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= -
DIRECT/122.115.63.6 application/octet-stream
Alert tiggered.
What the hell just happened?
How serious was that?
How to deal with it?
Copyright © 2011 Albert Hui

8. Incident Response
1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593
GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= -
DIRECT/122.115.63.6 application/octet-stream
Alert tiggered.
What the hell just happened?
Triage! that?
How serious was
How to deal with it?
Copyright © 2011 Albert Hui

9. Copyright © 2011 Albert Hui

10. Copyright © 2011 Albert Hui

11. Where Does Triage Belong?
Lessons
Preparation Identification Containment Eradication Recovery
Learned
Report
Severity
(w/ Initial Severity) Verification Prioritization
Interpretation Assessment
Copyright © 2011 Albert Hui

12. Triage Stages
 Report (w/ Initial Severity) Interpretation
 Report typically came in as alerts (IDS, AV, SIEM, etc.)
 Alert rules typically assigned severity
 MSSP supposed to further tune severity with respect to
prevailing threat conditions
 Verification
 Is it material? (e.g. Serv-U alerts when no Serv-U installed)
 Severity Assessment
 Damage already done
 Potential for further damage
 Prioritization
 Deal with most severe cases first
Copyright © 2011 Albert Hui

13. Verification
Copyright © 2011 Albert Hui

14. What Tools Do We Need?
 log2timeline  auditpol
 autoruns  uassist_lv
 RegRipper  listdlls
 RipXP  dumpel
 RegScan  pclip
 FastDump  fport
 Volatility  tcpvcon
 mdd  md5deep
 Memoryze  ssdeep
 Red Curtain  F-Response
 Responder Pro  psexec
 FlyPaper  wft
 Recon  WireShark
 dcfldd  analyzeMFT
Copyright © 2011 Albert Hui

15. What Tools Do We Need?
If you got a hammer,
everything looks like a
nail.
Copyright © 2011 Albert Hui

16. Right Questions
The Alexious Principle
1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does / would that data tell you?
Copyright © 2011 Albert Hui

17. Fault Tree
Copyright © 2011 Albert Hui

18. Fault Tree
Copyright © 2011 Albert Hui

19. What Questions Are You
Trying to Answer?
Copyright © 2011 Albert Hui

20. What Questions Are You
Trying to Answer?
Breath-First Search
Copyright © 2011 Albert Hui

21. What Data Do You Need to
Answer that Question?
Copyright © 2011 Albert Hui

22. Guiding Principles
Locard’s Exchange Principle
 Every contact leaves a trace
Occam’s Razor
 Facts > Inferences
The Alexious Principle
1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does / would that data tell you?
Copyright © 2011 Albert Hui

23. Severity Assessment
And Prioritization
Copyright © 2011 Albert Hui

24. Risk Revisited
Risk = Likelihood  Impact  Asset Value
Copyright © 2011 Albert Hui

25. Risk Revisited
Likelihood
Likelihood = 100%
(already happened)
Impact
Copyright © 2011 Albert Hui

26. Risk Revisited
Risk = Likelihood  Impact  Asset Value
Copyright © 2011 Albert Hui

27. Risk Revisited
Risk = Likelihood  Impact  Asset Value
Copyright © 2011 Albert Hui

28. Risk Revisited
Risk = Likelihood  Impact  Asset Value
Copyright © 2011 Albert Hui

29. Risk Revisited
Impact = Threat  Vulnerability
Copyright © 2011 Albert Hui

30. Risk Revisited
Impact = Threat  Vulnerability
Copyright © 2011 Albert Hui

31. Oft-Neglected Dimension
Intensive
Care
Existing
Damage and
Scope
Standard Immediate
Mitigation Attention!
Potential
Damage and
Scope
Copyright © 2011 Albert Hui

32. Potential Scope and Damage
Artifact Compromised Malware
Hemisphere Entities Capability
Intellectual Exploit
Ease of Attack
Hemisphere Chainability
Know Know
Thyself Thy Enemy
Copyright © 2011 Albert Hui

33. Potential Scope and Damage
Artifact Compromised Malware
Hemisphere Entities Capability
Intellectual Exploit
Ease of Attack
Hemisphere Chainability
Know Know
Thyself Thy Enemy
Copyright © 2011 Albert Hui

34. Potential Scope and Damage
Artifact Compromised Malware
Hemisphere Entities Capability
Intellectual Exploit
Ease of Attack
Hemisphere Chainability
Know Know
Thyself Thy Enemy
Copyright © 2011 Albert Hui

35. Exploit Chainability
 Small immaterial weaknesses can combine to
become material.
 You have to know your systems and
configurations to assess.
Copyright © 2011 Albert Hui

36. Reason’s Swiss Cheese Model
From Duke University Medical Center
Copyright © 2011 Albert Hui

37. Reason’s Swiss Cheese Model
From Duke University Medical Center
Copyright © 2011 Albert Hui

38. Potential Scope and Damage
Artifact Compromised Malware
Hemisphere Entities Capability
Intellectual Exploit
Ease of Attack
Hemisphere Chainability
Know Know
Thyself Thy Enemy
Copyright © 2011 Albert Hui

39. Ease of Attack
Copyright © 2011 Albert Hui

40. What Do Threat Analysts Need
to Know?
 Prevailing threat conditions
 e.g. pdf 0-day CVE-2011-2462 in the wild,
Adobe promises a fix “no later than the week of December
12, 2011”
 Current easiness / reliability to mount an attack.
 e.g. a certain exploit has just been committed to Metasploit
 Consequence of a compromise (chained exploit).
 Malware reverse engineering skills.
 Etc. etc.
Send them to conferences and trainings
like HTCIA!!
Copyright © 2011 Albert Hui

41. Conclusion
FTA Potentiality Model
Compromised Malware
Lessons
Preparation Identification Containment Eradication Recovery Capability
Entities
Learned
Exploit
Ease of Attack
Chainability
Report
Severity
(w/ Initial Severity) Verification Prioritization
Interpretation Assessment
Copyright © 2011 Albert Hui

42. Thank you!
albert@securityronin.com
Copyright © 2011 Albert Hui