5th Annual HTCIA Asia Pacific Conference, 7th December, 2011 @ Hong Kong




Enterprises’ Dilemma

INCIDENT RESPONSE TRIAGE


Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
Who am I?

Albert Hui
GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA

• Member of:
  - SANS Advisory Board
  - Digital Phishnet
  - ACFE
• Consulted for setting up IR capabilities at critical infrastructure companies.
• Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks.
• Dropped out of PhD to run a startup making IPS boxes.
• Now a security ronin.

  Copyright © 2011 Albert Hui
Agenda

• The Context: IR process and Triage.
• Incident Verification: A Systematic Approach.
• Severity Assessment: A Potentiality Model.
Enterprises’ Dilemma

• Huge Volume
• Influx of Incidents
• Time Critical
• Horizontal vs. Vertical

• Triage!
Forensics vs. Incident Response




Forensics

Crime is suspected to have happened.

Did it happen?
Incident Response

1263906912.307   1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream

Alert triggered.

What the hell just happened?

How serious was that?

How to deal with it?
Incident Response

Alert triggered. What the hell just happened? How serious was that? How to deal with it?

Triage!
Where Does Triage Belong?

IR process phases:
  Preparation -> Identification -> Containment -> Eradication -> Recovery -> Lessons Learned

Triage stages (drawn beneath the process phases on the slide):
  Report (w/ Initial Severity) Interpretation -> Verification -> Severity Assessment -> Prioritization
Triage Stages

• Report (w/ Initial Severity) Interpretation
  - Reports typically come in as alerts (IDS, AV, SIEM, etc.)
  - Alert rules typically assign a severity
  - The MSSP is supposed to further tune that severity with respect to prevailing threat conditions
• Verification
  - Is it material? (e.g. Serv-U alerts when no Serv-U is installed)
• Severity Assessment
  - Damage already done
  - Potential for further damage
• Prioritization
  - Deal with the most severe cases first
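The first two triage stages applied to the proxy hit shown on the "Incident Response" slide, as an added example (not code from the slides): the Squid access-log record is parsed, an alert rule assigns the initial severity, that severity is tuned against prevailing threat conditions the way an MSSP would, and verification asks whether the alert is material for the host it names. The alert-rule weights, the threat-condition feed and the asset inventory are constructed stand-ins; the CVE-2011-2462 condition is the deck's own later example, the Java condition is a placeholder.

```python
"""First two triage stages over the proxy hit on the 'Incident Response' slide.
Added example, not code from the slides. The alert rule weights, the threat-
condition feed and the asset inventory are constructed stand-ins for an IDS/SIEM,
an MSSP feed and a CMDB."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Squid native access.log record:
# time elapsed client code/status bytes method URL ident hierarchy/peer content-type
SQUID_RE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)

# The record shown on the slide, joined onto one line.
ALERT_LINE = ("1263906912.307   1884 192.168.1.120 TCP_MISS/200 24593 "
              "GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - "
              "DIRECT/122.115.63.6 application/octet-stream")

# Constructed: client software the triage team tracks; matched by name against the URL.
TRACKED_PRODUCTS = ("java", "pdf", "serv-u", "flash")

# Constructed MSSP feed of prevailing threat conditions. The pdf entry is the deck's
# own example; the java entry is a placeholder, not a real advisory.
THREAT_CONDITIONS = {
    "pdf": "CVE-2011-2462 0-day in the wild; fix promised for the week of 12 Dec 2011",
    "java": "exploit recently committed to Metasploit (placeholder)",
}

# Constructed asset inventory: client IP -> installed software.
INVENTORY = {
    "192.168.1.120": {"windows", "java", "pdf"},
    "192.168.1.121": {"windows"},
}


@dataclass
class Alert:
    rule: str
    client: str
    url: str
    products: list                  # tracked products named in the request
    severity: int                   # 1 (low) .. 5 (critical)
    notes: list = field(default_factory=list)


def parse_squid(line: str) -> dict:
    m = SQUID_RE.match(line)
    if not m:
        raise ValueError("not a Squid native access.log record")
    return m.groupdict()


def interpret(line: str) -> Alert:
    """Stage 1: report interpretation. The alert rule assigns the initial severity."""
    f = parse_squid(line)
    host = urlparse(f["url"]).hostname or ""
    products = [p for p in TRACKED_PRODUCTS if p in f["url"].lower()]
    sev = 2                                        # rule baseline (constructed weight)
    if f["ctype"] == "application/octet-stream":
        sev += 1                                   # a binary actually came back
    if host.endswith(".co.cc"):
        sev += 1                                   # free-subdomain host (constructed weight)
    return Alert("proxy-binary-download", f["client"], f["url"], products, min(sev, 5))


def tune_severity(alert: Alert, conditions=THREAT_CONDITIONS) -> Alert:
    """Stage 1, MSSP side: raise severity when a named product has a live threat condition."""
    for p in alert.products:
        if p in conditions:
            alert.severity = min(alert.severity + 1, 5)
            alert.notes.append(f"{p}: {conditions[p]}")
    return alert


def verify(alert: Alert, inventory=INVENTORY) -> tuple:
    """Stage 2: is the alert material for this host? (the Serv-U-without-Serv-U test)"""
    installed = inventory.get(alert.client)
    if installed is None:
        return True, "host not in inventory; cannot rule out"
    if alert.products and not any(p in installed for p in alert.products):
        return False, f"none of {alert.products} installed on {alert.client}"
    return True, "targeted software is present on the host"


def triage(line: str) -> dict:
    alert = tune_severity(interpret(line))
    material, reason = verify(alert)
    return {"client": alert.client, "severity": alert.severity,
            "material": material, "reason": reason, "notes": alert.notes}


if __name__ == "__main__":
    print(triage(ALERT_LINE))
    print(triage(ALERT_LINE.replace("192.168.1.120", "192.168.1.121")))
```

Run against the slide's own record the hit on 192.168.1.120 stays material (Java is in that host's inventory) and leaves stage 2 at severity 5; the same record re-pointed at a host with no Java is dropped at verification, which is exactly the Serv-U case from the slide.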
Verification




What Tools Do We Need?

log2timeline, autoruns, RegRipper, RipXP, RegScan, FastDump, Volatility, mdd, Memoryze, Red Curtain, Responder Pro, FlyPaper, Recon, dcfldd,
auditpol, uassist_lv, listdlls, dumpel, pclip, fport, tcpvcon, md5deep, ssdeep, F-Response, psexec, wft, Wireshark, analyzeMFT
What Tools Do We Need?

If you got a hammer, everything looks like a nail.
Right Questions

The Alexiou Principle
  1. What question are you trying to answer?
  2. What data do you need to answer that question?
  3. How do you extract and analyze that data?
  4. What does / would that data tell you?
Fault Tree

(figure: fault tree diagram)

What Questions Are You Trying to Answer?

Breadth-First Search

What Data Do You Need to Answer that Question?
Guiding Principles

Locard’s Exchange Principle
   Every contact leaves a trace
Occam’s Razor
   Facts > Inferences
The Alexiou Principle
  1. What question are you trying to answer?
  2. What data do you need to answer that question?
  3. How do you extract and analyze that data?
  4. What does / would that data tell you?
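A fault tree for the Verification stage, walked breadth-first, as an added example that is not from the deck: the top event is the question the analyst is trying to answer, the leaves are the questions that data can actually settle, and each leaf carries the data source that answers it (the first two questions of the principle on the "Right Questions" slide). The tree is constructed for the proxy alert shown earlier; the tool names come from the deck's own tool list. Evaluation is three-valued so the verdict stays open while facts are missing, and the pruned open-question list is what the analyst goes and collects next.

```python
"""Fault tree for the Verification stage, walked breadth-first. Added example, not
from the deck; the tree, questions and data sources are constructed for the proxy
alert shown earlier (tool names are from the deck's tool list)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Node:
    question: str                 # step 1: the question you are trying to answer
    gate: str = "OR"              # how child answers combine: "AND" or "OR"
    data_needed: str = ""         # step 2: the data that answers a leaf question
    children: list = field(default_factory=list)


# Top event: was the workstation actually compromised? All three branches must hold.
TREE = Node("Was 192.168.1.120 compromised by the download?", "AND", children=[
    Node("Did the payload reach the host?", "OR", children=[
        Node("Proxy log shows status 200 with a non-zero byte count?", data_needed="proxy access log"),
        Node("Is the downloaded file present on disk?", data_needed="disk image / live file listing"),
    ]),
    Node("Did the payload execute?", "OR", children=[
        Node("Prefetch or UserAssist entry for the file?", data_needed="prefetch folder, NTUSER.DAT (RegRipper)"),
        Node("Process or injected module still in memory?", data_needed="memory image (Volatility)"),
        Node("New autorun persistence entry?", data_needed="autoruns output"),
    ]),
    Node("Did the host talk back to the attacker?", "OR", children=[
        Node("Further proxy hits to the same host?", data_needed="proxy access log"),
        Node("Live connection to 122.115.63.6?", data_needed="tcpvcon / netstat at triage time"),
    ]),
])


def evaluate(node, facts):
    """Three-valued evaluation: True/False once decided, None while data is still missing."""
    if not node.children:
        return facts.get(node.question)
    vals = [evaluate(c, facts) for c in node.children]
    if node.gate == "AND":
        return False if False in vals else (None if None in vals else True)
    return True if True in vals else (None if None in vals else False)


def bfs_plan(root):
    """Breadth-first list of (depth, leaf question, data needed): the collection plan."""
    plan, queue = [], deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        if node.children:
            queue.extend((c, depth + 1) for c in node.children)
        else:
            plan.append((depth, node.question, node.data_needed))
    return plan


def open_questions(node, facts):
    """Leaf questions that can still change the verdict; sub-trees already decided are pruned."""
    if evaluate(node, facts) is not None:
        return []
    if not node.children:
        return [node.question]
    return [q for c in node.children for q in open_questions(c, facts)]


if __name__ == "__main__":
    facts = {"Proxy log shows status 200 with a non-zero byte count?": True}
    print("verdict:", evaluate(TREE, facts))
    for q in open_questions(TREE, facts):
        print("still need:", q)
```

Once the proxy log has answered the first branch, the disk check under that OR gate drops out of the open list (no point imaging for a fact already established), while the five leaves under the two undecided branches remain; the verdict only becomes True when one leaf in every AND branch is confirmed, and becomes False as soon as any branch is exhausted.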
Severity Assessment
And Prioritization




Risk Revisited

  Risk = Likelihood × Impact × Asset Value

(figure: Likelihood plotted against Impact; for an incident that has already happened, Likelihood = 100%)

  Impact = Threat × Vulnerability
Oft-Neglected Dimension

Two axes: Existing Damage and Scope (vertical) against Potential Damage and Scope (horizontal).

                               Potential Damage and Scope
                               low                    high
  Existing Damage    high      Intensive Care (spans the high row on the slide)
  and Scope          low       Standard Mitigation    Immediate Attention!
Potential Scope and Damage

                             Know Thyself             Know Thy Enemy
  Artifact Hemisphere        Compromised Entities     Malware Capability
  Intellectual Hemisphere    Exploit Chainability     Ease of Attack
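Severity assessment and prioritization over the two dimensions (existing damage against potential damage) with potential damage drawn from the four potentiality-model factors, as an added example rather than anything from the deck. The deck gives no formula for combining the factors: the plain mean of four 0..1 scores, the 0.5 threshold, and the urgency ordering of the three quadrant labels (Immediate Attention! before Intensive Care before Standard Mitigation) are my assumptions, and the three queued incidents are constructed.

```python
"""Severity assessment and prioritization: existing damage vs. potential damage, with
potential damage drawn from the four potentiality-model factors. Added example, not
from the deck. The mean-of-four aggregation, the 0.5 threshold and the quadrant
ordering are assumptions; the queued incidents are constructed."""
from dataclasses import dataclass


@dataclass
class Incident:
    name: str
    existing: float               # existing damage and scope, 0..1, from verification
    compromised_entities: float   # artifact hemisphere, know thyself
    malware_capability: float     # artifact hemisphere, know thy enemy
    exploit_chainability: float   # intellectual hemisphere, know thyself
    ease_of_attack: float         # intellectual hemisphere, know thy enemy

    def potential(self) -> float:
        """Potential damage and scope. Assumption: plain mean of the four factors."""
        return (self.compromised_entities + self.malware_capability
                + self.exploit_chainability + self.ease_of_attack) / 4


# Assumed urgency ordering of the three quadrant labels on the slide.
QUADRANT_RANK = {"Immediate Attention!": 0, "Intensive Care": 1, "Standard Mitigation": 2}


def quadrant(inc: Incident, threshold: float = 0.5) -> str:
    if inc.existing >= threshold:          # damage is already done
        return "Intensive Care"
    if inc.potential() >= threshold:       # little damage yet, but it will not stay that way
        return "Immediate Attention!"
    return "Standard Mitigation"


def prioritize(queue):
    """Most urgent first: by quadrant, then potential damage, then existing damage."""
    ranked = sorted(queue, key=lambda i: (QUADRANT_RANK[quadrant(i)], -i.potential(), -i.existing))
    return [(i.name, quadrant(i), round(i.potential(), 3)) for i in ranked]


# Constructed queue. The third entry is the alert from the 'Incident Response' slide,
# scored as a single workstation whose user can run code with local admin rights.
QUEUE = [
    Incident("phishing e-mail reported, link not clicked", 0.0, 0.1, 0.3, 0.2, 0.4),
    Incident("marketing web server defaced", 0.7, 0.2, 0.1, 0.2, 0.3),
    Incident("192.168.1.120 fetched a binary from hezlhhh.co.cc", 0.2, 0.3, 0.7, 0.8, 0.9),
]

if __name__ == "__main__":
    for row in prioritize(QUEUE):
        print(row)
```

The point of the extra dimension shows in the ordering: ranked on existing damage alone the defaced web server would come first, but the workstation with almost no damage yet and a high potential score lands in "Immediate Attention!" and goes to the top of the queue.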
Exploit Chainability

• Small immaterial weaknesses can combine to become material.
• You have to know your systems and configurations to assess this.
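Exploit chainability treated as reachability over a catalogue of configuration weaknesses, as an added example that is not from the deck: each weakness on its own only moves an intruder one foothold along and is immaterial by itself, but a breadth-first search over the catalogue shows which chains end at something material, and removing one weakness at a time shows which single fix breaks every chain. This is the "know your systems and configurations" part of the assessment; the weakness catalogue, the foothold names and the material outcomes are constructed.

```python
"""Exploit chainability as reachability over a weakness catalogue. Added example, not
from the deck; the weaknesses, foothold names and material outcomes are constructed."""
from collections import deque

# Each weakness, taken alone, moves an intruder from one foothold (precondition) to the
# next (postcondition). None of them is material by itself.
WEAKNESSES = {
    "W1 outdated client software":                  ("user browses the web", "code runs as the user"),
    "W2 user is a local admin":                     ("code runs as the user", "admin on this workstation"),
    "W3 local admin password reused":               ("admin on this workstation", "admin on every workstation"),
    "W4 privileged account logs on to workstations": ("admin on every workstation", "domain admin"),
    "W5 user network can reach the database":       ("admin on this workstation", "reads customer database"),
}
MATERIAL = {"domain admin", "reads customer database"}
START = "user browses the web"


def chains(weaknesses, start, material):
    """BFS over footholds; returns {material outcome: shortest chain of weaknesses}."""
    found, seen, queue = {}, {start}, deque([(start, [])])
    while queue:
        state, path = queue.popleft()
        if state in material:
            found.setdefault(state, path)
        for name, (pre, post) in weaknesses.items():
            if pre == state and post not in seen:
                seen.add(post)
                queue.append((post, path + [name]))
    return found


def single_fixes(weaknesses, start, material):
    """Weaknesses whose removal, on its own, leaves no material outcome reachable."""
    fixes = []
    for name in weaknesses:
        remaining = {k: v for k, v in weaknesses.items() if k != name}
        if not chains(remaining, start, material):
            fixes.append(name)
    return fixes


if __name__ == "__main__":
    for outcome, path in chains(WEAKNESSES, START, MATERIAL).items():
        print(outcome, "<-", " -> ".join(path))
    print("single fixes that break every chain:", single_fixes(WEAKNESSES, START, MATERIAL))
```

With this catalogue both material outcomes are reachable from an ordinary browsing user, and only the two weaknesses nearest the start (the outdated client and the local-admin user) break every chain on their own; fixing the password reuse alone still leaves the database path open, which is the kind of answer the severity assessment needs when it scores exploit chainability.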
Reason’s Swiss Cheese Model

(figure: Swiss cheese model, from Duke University Medical Center)
Ease of Attack




What Do Threat Analysts Need to Know?

• Prevailing threat conditions
  - e.g. pdf 0-day CVE-2011-2462 in the wild; Adobe promises a fix “no later than the week of December 12, 2011”
• How easy and how reliable it currently is to mount an attack
  - e.g. a certain exploit has just been committed to Metasploit
• Consequence of a compromise (chained exploit)
• Malware reverse engineering skills
• Etc. etc.

Send them to conferences and trainings like HTCIA!!
Conclusion

IR process phases:
  Preparation -> Identification -> Containment -> Eradication -> Recovery -> Lessons Learned

Triage stages:
  Report (w/ Initial Severity) Interpretation -> Verification -> Severity Assessment -> Prioritization

Verification: FTA (fault tree analysis).
Severity Assessment: Potentiality Model (Compromised Entities, Malware Capability, Exploit Chainability, Ease of Attack).
Thank you!




                  albert@securityronin.com

Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 

Incident Response Triage

  • 1. 5th Annual HTCIA Asia Pacific Conference, 7th December, 2011 @ Hong Kong. Enterprises’ Dilemma: INCIDENT RESPONSE TRIAGE. Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
  • 2. Who am I? Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
    - Member of: SANS Advisory Board, Digital Phishnet, ACFE
    - Consulted for setting up IR capabilities at critical infrastructure companies.
    - Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks.
    - Dropped out of PhD to run a startup making IPS boxes.
    - Now a security ronin.
    Copyright © 2011 Albert Hui
  • 3. Agenda
    - The Context: IR process and Triage.
    - Incident Verification: A Systematic Approach.
    - Severity Assessment: A Potentiality Model.
  • 4. Enterprises’ Dilemma
    - Huge Volume
    - Influx of Incidents
    - Time Critical
    - Horizontal vs. Vertical
    - Triage!
  • 5. Forensics vs. Incident Response
  • 6. Forensics. Crime is suspected to have happened. Did it happen?
  • 7. Incident Response. 1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream. Alert triggered. What the hell just happened? How serious was that? How to deal with it?
  • 8. Incident Response (same proxy log line as slide 7). Alert triggered. What the hell just happened? How serious was that? How to deal with it? Triage!
  • 9. (no text on this slide)
  • 10. (no text on this slide)
  • 11. Where Does Triage Belong? IR phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Triage stages: Report Interpretation (w/ Initial Severity), Verification, Severity Assessment, Prioritization.
  • 12. Triage Stages
    - Report (w/ Initial Severity) Interpretation: reports typically come in as alerts (IDS, AV, SIEM, etc.); alert rules typically assign a severity; the MSSP is supposed to further tune severity with respect to prevailing threat conditions.
    - Verification: is it material? (e.g. Serv-U alerts when no Serv-U is installed)
    - Severity Assessment: damage already done; potential for further damage.
    - Prioritization: deal with the most severe cases first.
  • 13. Verification
  • 14. What Tools Do We Need? log2timeline, auditpol, autoruns, uassist_lv, RegRipper, listdlls, RipXP, dumpel, RegScan, pclip, FastDump, fport, Volatility, tcpvcon, mdd, md5deep, Memoryze, ssdeep, Red Curtain, F-Response, Responder Pro, psexec, FlyPaper, wft, Recon, WireShark, dcfldd, analyzeMFT
  • 15. What Tools Do We Need? If you've got a hammer, everything looks like a nail.
  • 16. Right Questions: The Alexiou Principle. 1. What question are you trying to answer? 2. What data do you need to answer that question? 3. How do you extract and analyze that data? 4. What does / would that data tell you?
  • 17. Fault Tree
  • 18. Fault Tree
  • 19. What Questions Are You Trying to Answer?
  • 20. What Questions Are You Trying to Answer? Breadth-First Search
  • 21. What Data Do You Need to Answer that Question?
  • 22. Guiding Principles
    - Locard’s Exchange Principle: every contact leaves a trace.
    - Occam’s Razor: facts > inferences.
    - The Alexiou Principle: 1. What question are you trying to answer? 2. What data do you need to answer that question? 3. How do you extract and analyze that data? 4. What does / would that data tell you?
  • 23. Severity Assessment And Prioritization
  • 24. Risk Revisited. Risk = Likelihood × Impact × Asset Value
  • 25. Risk Revisited. Likelihood: Likelihood = 100% (already happened). Impact.
  • 26. Risk Revisited. Risk = Likelihood × Impact × Asset Value
  • 27. Risk Revisited. Risk = Likelihood × Impact × Asset Value
  • 28. Risk Revisited. Risk = Likelihood × Impact × Asset Value
  • 29. Risk Revisited. Impact = Threat × Vulnerability
  • 30. Risk Revisited. Impact = Threat × Vulnerability
  • 31. Oft-Neglected Dimension. A matrix of Existing Damage and Scope against Potential Damage and Scope, with the cells Standard, Attention!, Immediate Mitigation, and Intensive Care.
  • 32. Potential Scope and Damage. Artifact Hemisphere: Compromised Entities, Malware Capability. Intellectual Hemisphere: Exploit Chainability, Ease of Attack. Know Thyself / Know Thy Enemy.
  • 33. Potential Scope and Damage (same diagram as slide 32)
  • 34. Potential Scope and Damage (same diagram as slide 32)
  • 35. Exploit Chainability
    - Small immaterial weaknesses can combine to become material.
    - You have to know your systems and configurations to assess it.
  • 36. Reason’s Swiss Cheese Model. From Duke University Medical Center.
  • 37. Reason’s Swiss Cheese Model. From Duke University Medical Center.
  • 38. Potential Scope and Damage (same diagram as slide 32)
  • 39. Ease of Attack
  • 40. What Do Threat Analysts Need to Know?
    - Prevailing threat conditions, e.g. pdf 0-day CVE-2011-2462 in the wild, Adobe promises a fix “no later than the week of December 12, 2011”.
    - Current ease / reliability of mounting an attack, e.g. a certain exploit has just been committed to Metasploit.
    - Consequence of a compromise (chained exploit).
    - Malware reverse engineering skills.
    - Etc. etc. Send them to conferences and trainings like HTCIA!!
  • 41. Conclusion. FTA (Fault Tree); Potentiality Model: Compromised Entities, Malware Capability, Exploit Chainability, Ease of Attack; IR phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned; Triage stages: Report Interpretation (w/ Initial Severity), Verification, Severity Assessment, Prioritization.
  • 42. Thank you! albert@securityronin.com
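The triage stages of slide 12 and the risk formulas of slides 24 to 31 as one working Python model, added here as an example and not code from the talk: verification against an asset inventory (the "Serv-U alert when no Serv-U installed" case), severity with Likelihood fixed at 100%, and prioritization most-severe-first. The inventory, the alerts, the 0..1 scales, the equal weighting of the four potentiality factors and the quadrant mapping are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    host: str
    requires: Optional[str]      # software the signature is only material for (None = any host)
    initial_severity: int        # 1..5 as assigned by the alert rule (slide 12)
    existing_damage: float       # 0..1, damage already done (confirmed during verification)
    compromised_entities: float  # 0..1 potentiality factors: artifact hemisphere ...
    malware_capability: float
    exploit_chainability: float  # ... and intellectual hemisphere (slide 32)
    ease_of_attack: float

# Constructed asset inventory: installed software and asset value (1..5) per host.
INVENTORY = {"web01": {"software": {"iis", "serv-u"}, "value": 4},
             "ws17": {"software": {"office", "java"}, "value": 2},
             "db02": {"software": {"oracle"}, "value": 5}}

# Constructed alerts; A2 is the slides' "Serv-U alert when no Serv-U installed" case.
SAMPLE_ALERTS = [Alert("A1", "web01", "serv-u", 3, 0.2, 0.3, 0.4, 0.5, 0.6),
                 Alert("A2", "ws17", "serv-u", 4, 0.0, 0.0, 0.0, 0.0, 0.0),
                 Alert("A3", "ws17", "java", 2, 0.6, 0.2, 0.8, 0.6, 0.8),
                 Alert("A4", "db02", None, 1, 0.1, 0.8, 0.5, 0.9, 0.6)]

def is_material(alert, inventory):
    """Verification: an alert about software the host does not run is immaterial."""
    host = inventory.get(alert.host)
    if host is None or alert.requires is None:
        return True  # unknown host or host-agnostic signature: cannot be ruled out
    return alert.requires in host["software"]
def potential_damage(alert):
    """Potentiality model: mean of the four factors (equal weighting is an assumption)."""
    return (alert.compromised_entities + alert.malware_capability
            + alert.exploit_chainability + alert.ease_of_attack) / 4
def severity(alert, inventory):
    """Risk = Likelihood x Impact x Asset Value; Likelihood = 1 (already happened), Impact = max(existing, potential) by assumption."""
    impact = max(alert.existing_damage, potential_damage(alert))
    return 1.0 * impact * inventory.get(alert.host, {"value": 3})["value"]
def quadrant(alert, threshold=0.5):
    """Existing vs potential damage matrix (slide 31); which label sits in which cell is assumed."""
    existing, potential = alert.existing_damage >= threshold, potential_damage(alert) >= threshold
    if existing and potential:
        return "Intensive Care"
    return "Immediate Mitigation" if existing else ("Attention!" if potential else "Standard")
def triage(alerts, inventory):
    """Verification, severity assessment, then prioritization (most severe first)."""
    material = [a for a in alerts if is_material(a, inventory)]
    return sorted(material, key=lambda a: (severity(a, inventory), a.initial_severity), reverse=True)
```

Note that A3 lands in "Intensive Care" yet ranks below A4 because asset value is a multiplier; the quadrant and the ranking answer different questions.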