Session ID: TECH-W21
Session Classification: Advanced

Incident Response: How To Give The Advantage To The Hackers

James Christiansen, Sands Corporation
Paul Underwood, Emagined Security
Focus Of Our Presentation

Giving The Advantage To The Hackers Due To:

ONE : The inability to distinguish what activities are normal for your infrastructure
TWO : Not having all your incident response ducks lined up in a row
THREE : Over reliance on untested resources
FOUR : Running out of energy before the bad guys do
FIVE : A lack of appreciation for how really difficult it is to stop an ongoing hack attack completely
SIX :
Giving Hackers The Advantage

PROBLEM ONE
The inability to distinguish what activities are normal for your infrastructure
THE SCENARIO: We are pretty sure that's normal traffic, at least it looks somewhat familiar.
THE GOTCHA: Old system logs are not available, which would help in figuring out what is normal within your infrastructure.
THE FIX: Don't be in a rush to dispose of your old system logs.
THE SCENARIO: So, what should we do next? Is this an anomaly that is worth investigating?
THE GOTCHA: Strange things are happening but you are unable to prioritize your incident response team's activity.
THE FIX: Know what's normal in your infrastructure so anomalous activities stand out.
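Both fixes in Problem One come down to one mechanism: a baseline built from retained history, against which today's activity is compared and the differences prioritized. The following is an added example, not code from the presentation, written to show that mechanism on constructed data. It assumes a made-up outbound-connection log format ("<day> <host> <process> -> <ip>:<port>") for a single host, web01; the weekly rsync backup, the 203.0.113.7 destination and the internal-versus-external priority rule are all constructed for illustration. With 14 days of logs retained, only the new shell to an external host is flagged; with 3 days retained, the weekly backup is flagged as well, which is exactly the cost of throwing old logs away.

```python
import ipaddress
from collections import defaultdict

# Constructed outbound-connection log for one host (not from the slides).
# Assumed format: "<day> <host> <process> -> <dst_ip>:<dst_port>", one line per
# connection. Days 1-14 are history; day 15 is "today".
def constructed_log():
    lines = []
    for day in range(1, 16):
        lines.append(f"{day} web01 nginx -> 10.0.1.5:5432")        # app -> database, daily
        if day % 2 == 1:
            lines.append(f"{day} web01 nginx -> 10.0.1.9:6379")    # app -> cache, most days
        if day % 7 == 1:
            lines.append(f"{day} web01 rsync -> 10.0.2.20:873")    # weekly backup: days 1, 8, 15
    lines.append("15 web01 sh -> 203.0.113.7:4444")                # today's oddity: shell to an external host
    return lines

def parse(line):
    day, host, proc, _arrow, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return int(day), host, proc, ip, int(port)

def build_baseline(records, first_day, last_day):
    """Map (host, process, dst_ip, dst_port) -> days on which that flow was seen,
    using only records inside the retention window [first_day, last_day]."""
    seen = defaultdict(set)
    for day, host, proc, ip, port in records:
        if first_day <= day <= last_day:
            seen[(host, proc, ip, port)].add(day)
    return seen

# Only RFC 1918 space counts as internal here; the ipaddress module's own
# is_private flag also covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def priority(ip):
    """Crude triage rule (an assumption): a new flow that leaves private address
    space goes to the top of the IR queue; new internal flows are reviewed second."""
    addr = ipaddress.ip_address(ip)
    return "medium" if any(addr in net for net in RFC1918) else "high"

def flag_anomalies(baseline, todays_records):
    """Today's flows that never appeared in the baseline, highest priority first."""
    hits = [(priority(ip), proc, f"{ip}:{port}")
            for _day, host, proc, ip, port in todays_records
            if (host, proc, ip, port) not in baseline]
    return sorted(hits, key=lambda h: (h[0] != "high", h[1]))

def triage_today(window_days, lines=None):
    """Baseline on the last `window_days` days of history and flag today's new flows."""
    records = [parse(l) for l in (lines or constructed_log())]
    today = max(r[0] for r in records)
    history = [r for r in records if r[0] < today]
    baseline = build_baseline(history, today - window_days, today - 1)
    return flag_anomalies(baseline, [r for r in records if r[0] == today])

if __name__ == "__main__":
    print("14 days retained:", triage_today(14))   # only the external shell
    print(" 3 days retained:", triage_today(3))    # the weekly backup now looks anomalous too
```

The baseline key deliberately includes the process name: the same destination reached by an unexpected process is as interesting as a new destination. The retention window should be at least as long as the longest legitimate periodic job in the environment, or that job will keep consuming the team's attention.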
PROBLEM TWO
Not having all your incident response ducks lined up in a row
THE SCENARIO: We need a special firewall rule written NOW! Get the vendor's expert on the line!
THE GOTCHA: You are unable to find the support phone number for the vendor's expert; no one else has it either.
THE FIX: Have these "emergency" phone numbers printed out. Treat these folks better than your best friends!
THE SCENARIO: You have evidence that Admin-level passwords have been hacked.
THE GOTCHA: The same Admin password is used on numerous critical systems, but no one knows exactly which ones.
THE FIX: Be prepared to change all Admin-level passwords at a moment's notice using a tested process.
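The gotcha above is an inventory problem before it is a password problem: a rotation cannot be "tested" against systems nobody has listed. The following is an added example, not code from the presentation. It keeps a credential-to-host inventory, computes the blast radius of one shared admin credential, orders the rotation most-privileged tier first, and runs a dry rehearsal that refuses to call the process tested while any host is unrecorded or has no rotation procedure. The inventory, host names, tier numbers (0 = most privileged) and rotate_via labels are constructed assumptions.

```python
# Constructed host inventory, not from the slides. The fields "tier", "creds" and
# "rotate_via" are assumptions for illustration: tier 0 is the most privileged
# (directory, jump hosts); rotate_via names the rehearsed procedure that changes
# the credential on that host; an empty creds set means nobody recorded it.
INVENTORY = [
    {"host": "dc01",     "tier": 0, "creds": {"admin-shared"},            "rotate_via": "ad-reset"},
    {"host": "jump01",   "tier": 0, "creds": {"admin-shared"},            "rotate_via": "ssh-chpasswd"},
    {"host": "db01",     "tier": 1, "creds": {"admin-shared", "db-root"}, "rotate_via": "ssh-chpasswd"},
    {"host": "web01",    "tier": 2, "creds": {"admin-shared"},            "rotate_via": None},
    {"host": "legacy07", "tier": 2, "creds": set(),                       "rotate_via": None},
]

def blast_radius(inventory, cred_id):
    """Hosts known to share the credential, and hosts whose credentials were never
    recorded. The second group is the slide's gotcha: treat them as compromised
    until someone has logged in and checked."""
    known = [h["host"] for h in inventory if cred_id in h["creds"]]
    unrecorded = [h["host"] for h in inventory if not h["creds"]]
    return known, unrecorded

def rotation_plan(inventory, cred_id):
    """Ordered rotation steps, most privileged tier first so the attacker's most
    valuable foothold closes earliest, plus the hosts that block completion
    because no rotation procedure exists for them."""
    affected = sorted((h for h in inventory if cred_id in h["creds"]),
                      key=lambda h: (h["tier"], h["host"]))
    steps = [(h["host"], h["rotate_via"]) for h in affected if h["rotate_via"]]
    blockers = [h["host"] for h in affected if not h["rotate_via"]]
    return steps, blockers

def rehearse(inventory, cred_id):
    """Dry run of the emergency rotation. Returns (ready, findings): the process
    counts as tested only when nothing is unrecorded and nothing blocks."""
    _known, unrecorded = blast_radius(inventory, cred_id)
    _steps, blockers = rotation_plan(inventory, cred_id)
    findings = ([f"{h}: credentials not inventoried" for h in unrecorded]
                + [f"{h}: no rotation procedure" for h in blockers])
    return not findings, findings

if __name__ == "__main__":
    print(blast_radius(INVENTORY, "admin-shared"))
    print(rotation_plan(INVENTORY, "admin-shared"))
    print(rehearse(INVENTORY, "admin-shared"))   # not ready: legacy07 unrecorded, web01 has no procedure
```

Rehearsing this on a quiet day is what turns the fix into a tested process: every finding is a task (inventory legacy07, write the web01 procedure), and the plan is only trusted once rehearse() comes back clean.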
THE SCENARIO: You need to isolate a network segment, but Marketing says that would kill a pending new product launch.
THE GOTCHA: The inability to isolate segments of the network only further complicates a complex project.
THE FIX: Have a CEO-supported plan for suspending ongoing projects while the incident response effort is underway.
THE SCENARIO: The IR Team is asking you for a decision. Unfortunately, the decision requires that you make a LOT of assumptions.
THE GOTCHA: Being forced into a position where you have to start guessing means you no longer have control of the situation.
THE FIX: Run legitimate hacks against your infrastructure to understand what happens; do this before the fact.
THE SCENARIO: The hackers own your system. The Webmaster is trying to get "porn links" off the homepage.
THE GOTCHA: The situation is getting a lot worse. Your only option left is to throw in the towel and declare a disaster.
THE FIX: Restoring your systems to a known good state and having a tested customer notification plan ready to go.
PROBLEM THREE
Over reliance on untested resources
THE SCENARIO: Critical evidence is mistakenly deleted; attempts at recovering it have failed.
THE GOTCHA: Not being prepared for the fact that serious blunders will occur at some point in the response.
THE FIX: Above all else, remember that this is a learning process and not an exercise in finding someone to blame.
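The slide's fix is about culture. The technical complement a responder would want is to make the blunder detectable and reversible before it happens. The following is an added example, not code from the presentation: hash every collected item into a manifest sealed with an HMAC at collection time, keep one preserved copy that nobody analyses, and verify the working copy against the manifest so a deleted or edited item is caught and restored, but only from preserved items that still match. The evidence set, file names, contents and key are constructed; in practice the key would be held by the IR lead, away from the analysis hosts.

```python
import hashlib
import hmac
import json

# Constructed evidence set (not from the slides): item name -> bytes as collected.
EVIDENCE = {
    "web01-auth.log": b"Feb 14 03:12:07 web01 sshd[911]: Accepted password for root from 203.0.113.7\n",
    "web01-memory.raw": bytes(range(256)) * 64,
    "fw-export.pcap": b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16,
}
MANIFEST_KEY = b"constructed-demo-key-keep-offline"   # assumption: not stored with the evidence

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_manifest(evidence, key=MANIFEST_KEY):
    """Hash every item and seal the list with an HMAC, so a later edit to the
    manifest itself (not just to the evidence) is also detectable."""
    entries = {name: sha256(data) for name, data in evidence.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "seal": hmac.new(key, body, hashlib.sha256).hexdigest()}

def seal_ok(manifest, key=MANIFEST_KEY):
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["seal"])

def verify(manifest, evidence, key=MANIFEST_KEY):
    """Compare one copy of the evidence against the sealed manifest."""
    if not seal_ok(manifest, key):
        raise ValueError("manifest seal does not verify; do not trust it")
    missing = sorted(n for n in manifest["entries"] if n not in evidence)
    modified = sorted(n for n, h in manifest["entries"].items()
                      if n in evidence and sha256(evidence[n]) != h)
    intact = sorted(n for n in manifest["entries"] if n not in missing and n not in modified)
    return {"missing": missing, "modified": modified, "intact": intact}

def restore(working, preserved, manifest, key=MANIFEST_KEY):
    """Replace lost or altered items in the working copy from the preserved copy,
    taking only items that still match the manifest. Returns what was restored."""
    report = verify(manifest, working, key)
    good = set(verify(manifest, preserved, key)["intact"])
    restored = [n for n in report["missing"] + report["modified"] if n in good]
    for n in restored:
        working[n] = preserved[n]
    return sorted(restored)

def demo():
    """Walk through the slide's blunder on the constructed evidence set."""
    manifest = make_manifest(EVIDENCE)                  # taken at collection time
    preserved = dict(EVIDENCE)                          # the copy nobody analyses
    working = dict(EVIDENCE)                            # the copy the team works on
    del working["web01-memory.raw"]                     # the blunder: image deleted by mistake
    working["web01-auth.log"] += b"# annotated by analyst\n"   # and a log edited in place
    before = verify(manifest, working)
    restored = restore(working, preserved, manifest)
    after = verify(manifest, working)
    return before, restored, after

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The manifest is taken before any analysis starts, which is the only moment the hashes are guaranteed to describe the original; a manifest computed after the fact can only confirm the state of whatever survived.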
PROBLEM FOUR
Running out of energy before the bad guys do
THE SCENARIO: The initial incident response is entering its 3rd day with no end in sight.
THE GOTCHA: Without enough sleep you become part of the problem.
THE FIX: Cut a deal with a nearby hotel for temporary rooms; make 4-hour sleep breaks mandatory every 18 hours.
PROBLEM FIVE
A lack of appreciation for how really difficult it is to stop an ongoing hack attack completely
THE SCENARIO: The hackers may have compromised your VM farm.
THE GOTCHA: The Incident Response team isn't fluent in VM speak, nor is it up on all the VM tools.
THE FIX: Avoid using VMs for mission-critical systems, as they are harder to analyze from a forensic perspective.
PROBLEM SIX
THE SCENARIO: During the incident response your CEO is clearly not happy with the continued flow of bad news.
THE GOTCHA: Incident response mitigations seldom have any good news during the first 80% of the effort.
THE FIX: Educate management to expect lots of bad news. Bad news means the team understands the issues.
How to Apply What You Have Learned

► Within three months, you should:
  ► Review your incident response plan with the scenarios from this presentation
  ► Update your contact lists, system inventories and skill assessments
► Beyond three months, you should:
  ► Obtain specific training for members of your incident response team for areas of weakness you identified during your scenario testing
  ► Upgrade your staff with experts that can handle a major incident within your organization
  ► Contract with a Business Recovery Team (BRT) that can assist your organization during a crisis
Summary

► for even the best plan
► How to give the advantage to the hackers:
  ►
  ► Not having current contact lists, technical resources or contracted resources to help
  ► Not having a good relationship with the business so they have confidence in your ability to manage the incident
  ► Burning out the staff so they make bad decisions
  ► Not having a trained staff in investigation tools and techniques
  ► Not being able to make decisions and staying calm
Resources Available

► CSIRT Resources (www.cert.org)
  Handbook for Computer Security Incident Response Teams
  http://www.cert.org/archive/pdf/csirt-handbook.pdf
  CSIRT Services
  http://www.cert.org/csirts/services.html
  Organizational Models for CSIRTs
  http://www.cert.org/archive/pdf/03hb001.pdf
  State of the Practice for CSIRTs
  http://www.cert.org/archive/pdf/03tr001.pdf
  Steps for Creating National CSIRTs
  http://www.cert.org/archive/pdf/NationalCSIRTs.pdf
  Defining Incident Management Processes
  http://www.cert.org/archive/pdf/04tr015.pdf
  Staffing Your CSIRT
  http://www.cert.org/csirts/csirt-staffing.html
► www.sans.org
Q&A

That Wraps Up Our Time, Thank You For Yours!
Кадровое агентство отрасли информационной безопасности
 
Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...
 
Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...
 
Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...
 
Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...
 
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
 
Запись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данныхЗапись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данных
 
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
 
Обеспечение защиты информации на стадиях жизненного цикла ИС
Обеспечение защиты информации на стадиях жизненного цикла ИСОбеспечение защиты информации на стадиях жизненного цикла ИС
Обеспечение защиты информации на стадиях жизненного цикла ИС
 
Документ, как средство защиты: ОРД как основа обеспечения ИБ
Документ, как средство защиты: ОРД как основа обеспечения ИБДокумент, как средство защиты: ОРД как основа обеспечения ИБ
Документ, как средство защиты: ОРД как основа обеспечения ИБ
 
Чего не хватает в современных ids для защиты банковских приложений
Чего не хватает в современных ids для защиты банковских приложенийЧего не хватает в современных ids для защиты банковских приложений
Чего не хватает в современных ids для защиты банковских приложений
 
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
 
Оценка состояния, меры формирования индустрии информационной безопасности Рос...
Оценка состояния, меры формирования индустрии информационной безопасности Рос...Оценка состояния, меры формирования индустрии информационной безопасности Рос...
Оценка состояния, меры формирования индустрии информационной безопасности Рос...
 
Об угрозах информационной безопасности, актуальных для разработчика СЗИ
Об угрозах информационной безопасности, актуальных для разработчика СЗИОб угрозах информационной безопасности, актуальных для разработчика СЗИ
Об угрозах информационной безопасности, актуальных для разработчика СЗИ
 

Tech w21

  • 1. Session ID: TECH-W21. Session Classification: Advanced. Incident Response: How To Give The Advantage To The Hackers. James Christiansen, Sands Corporation; Paul Underwood, Emagined Security.
  • 2. Focus Of Our Presentation. Giving The Advantage To The Hackers Due To: ONE: The inability to distinguish what activities are normal for your infrastructure. TWO: Not having all your incident response ducks lined up in a row. THREE: Over reliance on untested resources. FOUR: Running out of energy before the bad guys do. FIVE: A lack of appreciation for how really difficult it is to stop an ongoing hack attack completely. SIX:
  • 3. Giving Hackers The Advantage. PROBLEM ONE: The inability to distinguish what activities are normal for your infrastructure.
  • 4. Giving Hackers The Advantage. THE SCENARIO: We are pretty sure that's normal traffic, at least it looks somewhat familiar.
  • 5. Giving Hackers The Advantage. THE SCENARIO: We are pretty sure that's normal traffic, at least it looks somewhat familiar. THE GOTCHA: Old system logs are not available which would help figuring within your infrastructure.
  • 6. Giving Hackers The Advantage. THE SCENARIO: We are pretty sure that's normal traffic, at least it looks somewhat familiar. THE GOTCHA: Old system logs are not available which would help figuring within your infrastructure. THE FIX: Don't be in a rush to dispose of your old system logs.
  • 7. Giving Hackers The Advantage. THE SCENARIO: So, what should we do next? Is this an anomaly that is worth investigating?
  • 8. Giving Hackers The Advantage. THE SCENARIO: So, what should we do next? Is this an anomaly that is worth investigating? THE GOTCHA: Strange things are happening but you are unable to prioritize your incident response team's activity.
  • 9. Giving Hackers The Advantage. THE SCENARIO: So, what should we do next? Is this an anomaly that is worth investigating? THE GOTCHA: Strange things are happening but you are unable to prioritize your incident response team's activity. THE FIX: Know what's normal in your infrastructure so anomalous activities stand out.
  • 10. Giving Hackers The Advantage. PROBLEM TWO: Not having all your incident response ducks lined up in a row.
  • 11. Giving Hackers The Advantage. THE SCENARIO: We need a special firewall rule written NOW! Get the vendor's expert on the line!
  • 12. Giving Hackers The Advantage. THE SCENARIO: We need a special firewall rule written NOW! Get the vendor's expert on the line! THE GOTCHA: You are unable to find the support phone number for the vendor's expert, no one else has it either.
  • 13. Giving Hackers The Advantage. THE SCENARIO: We need a special firewall rule written NOW! Get the vendor's expert on the line! THE GOTCHA: You are unable to find the support phone number for the vendor's expert, no one else has it either. THE FIX: Have these "emergency" phone numbers printed out. Treat these folks better than your best friends!
  • 14. Giving Hackers The Advantage. THE SCENARIO: You have evidence that Admin level passwords have been hacked.
  • 15. Giving Hackers The Advantage. THE SCENARIO: You have evidence that Admin level passwords have been hacked. THE GOTCHA: The same Admin password is used on numerous critical systems, but no one knows exactly which ones.
  • 16. Giving Hackers The Advantage. THE SCENARIO: You have evidence that Admin level passwords have been hacked. THE GOTCHA: The same Admin password is used on numerous critical systems, but no one knows exactly which ones. THE FIX: Be prepared to change all Admin level passwords at a moment's notice using a tested process.
  • 17. Giving Hackers The Advantage. THE SCENARIO: You need to isolate a network segment, but Marketing says that would kill a pending new product launch.
  • 18. Giving Hackers The Advantage. THE SCENARIO: You need to isolate a network segment, but Marketing says that would kill a pending new product launch. THE GOTCHA: The inability to isolate segments of the network only further complicates a complex project.
  • 19. Giving Hackers The Advantage. THE SCENARIO: You need to isolate a network segment, but Marketing says that would kill a pending new product launch. THE GOTCHA: The inability to isolate segments of the network only further complicates a complex project. THE FIX: Have a CEO supported plan for suspending ongoing projects while the incident response effort is underway.
  • 20. Giving Hackers The Advantage. THE SCENARIO: The IR Team is asking you for a decision. Unfortunately, the decision requires that you make a LOT of assumptions.
  • 21. Giving Hackers The Advantage. THE SCENARIO: The IR Team is asking you for a decision. Unfortunately, the decision requires that you make a LOT of assumptions. THE GOTCHA: Being forced into a position where you have to start guessing means you have control of the situation.
  • 22. Giving Hackers The Advantage. THE SCENARIO: The IR Team is asking you for a decision. Unfortunately, the decision requires that you make a LOT of assumptions. THE GOTCHA: Being forced into a position where you have to start guessing means you have control of the situation. THE FIX: Run legitimate hacks against your infrastructure to understand what happens, do this before-the-fact.
  • 23. Giving Hackers The Advantage. THE SCENARIO: The hackers own your system. The Webmaster is trying to get "porn links" off
  • 24. Giving Hackers The Advantage. THE SCENARIO: The hackers own your system. The Webmaster is trying to get "porn links" off THE GOTCHA: The situation is getting a lot worse. Your only option left is to throw in the towel and declare a disaster.
  • 25. Giving Hackers The Advantage. THE SCENARIO: The hackers own your system. The Webmaster is trying to get "porn links" off homepage. THE GOTCHA: The situation is getting a lot worse. Your only option left is to throw in the towel and declare a disaster. THE FIX: Restoring your systems to a known good state and having a tested customer notification plan ready to go.
  • 26. Giving Hackers The Advantage. PROBLEM THREE: Over reliance on untested resources.
  • 27. Giving Hackers The Advantage. THE SCENARIO: Critical evidence is mistakenly deleted, attempts at recovering it have failed.
  • 28. Giving Hackers The Advantage. THE SCENARIO: Critical evidence is mistakenly deleted, attempts at recovering it have failed. THE GOTCHA: Not being prepared for the fact that serious blunders will occur at some point in the response.
  • 29. Giving Hackers The Advantage. THE SCENARIO: Critical evidence is mistakenly deleted, attempts at recovering it have failed. THE GOTCHA: Not being prepared for the fact that serious blunders will occur at some point in the response. THE FIX: Above all else, remember that this is a learning process and not an exercise in finding someone to blame.
  • 30. Giving Hackers The Advantage. PROBLEM FOUR: Running out of energy before the bad guys do.
  • 31. Giving Hackers The Advantage. THE SCENARIO: The initial incident response is entering its 3rd day with no end in sight.
  • 32. Giving Hackers The Advantage. THE SCENARIO: The initial incident response is entering its 3rd day with no end in sight. THE GOTCHA: Without enough sleep you become part of the problem.
  • 33. Giving Hackers The Advantage. THE SCENARIO: The initial incident response is entering its 3rd day with no end in sight. THE GOTCHA: Without enough sleep you become part of the problem. THE FIX: Cut a deal with a nearby hotel for temporary rooms -- make 4 hr. sleep breaks mandatory every 18 hours.
  • 34. Giving Hackers The Advantage. PROBLEM FIVE: A lack of appreciation for how really difficult it is to stop an ongoing hack attack completely.
  • 35. Giving Hackers The Advantage. THE SCENARIO: The hackers may have compromised your VM farm.
  • 36. Giving Hackers The Advantage. THE SCENARIO: The hackers may have compromised your VM farm. THE GOTCHA: The Incident Response team isn't fluent in VM speak, nor is it up on all the VM tools.
  • 37. Giving Hackers The Advantage. THE SCENARIO: The hackers may have compromised your VM farm. THE GOTCHA: The Incident Response team isn't fluent in VM speak, nor is it up on all the VM tools. THE FIX: Avoid using VM for mission critical systems as they are harder to analyze from a forensic perspective.
  • 39. Giving Hackers The Advantage. THE SCENARIO: During the incident response your CEO is clearly not happy with the continued flow of bad news.
  • 40. Giving Hackers The Advantage. THE SCENARIO: During the incident response your CEO is clearly not happy with the continued flow of bad news. THE GOTCHA: Incident response mitigations seldom have any good news during first 80% of the effort.
  • 41. Giving Hackers The Advantage. THE SCENARIO: During the incident response your CEO is clearly not happy with the continued flow of bad news. THE GOTCHA: Incident response mitigations seldom have any good news during first 80% of the effort. THE FIX: Educate management to expect lots of bad news. Bad news means the team understands the issues.
  • 42. How to Apply What You Have Learned.
    ► Within three months, you should:
    ► Review your incident response plan with the scenarios from this presentation
    ► Update your contact lists, system inventories and skill assessments
    ► Beyond three months, you should:
    ► Obtain specific training for members of your incident response team for areas of weakness you identified during your scenario testing
    ► Upgrade your staff with experts that can handle a major incident within your organization
    ► Contract with a Business Recovery Team (BRT) that can assist your organization during a crisis
  • 43. Summary.
    ► for even the best plan
    ► How to give the advantage to the hackers:
    ►
    ► Not having current contact lists, technical resources or contracted resources to help
    ► Not having a good relationship with the business so they have confidence in your ability to manage the incident
    ► Burning out the staff so they make bad decisions
    ► Not having a trained staff in investigation tools and techniques
    ► Not being able to make decisions and staying calm
  • 44. Resources Available.
    ► CSIRT Resources (www.cert.org):
      Handbook for Computer Security Incident Response Teams: http://www.cert.org/archive/pdf/csirt-handbook.pdf
      CSIRT Services: http://www.cert.org/csirts/services.html
      Organizational Models for CSIRTs: http://www.cert.org/archive/pdf/03hb001.pdf
      State of the Practice for CSIRTs: http://www.cert.org/archive/pdf/03tr001.pdf
      Steps for Creating National CSIRTs: http://www.cert.org/archive/pdf/NationalCSIRTs.pdf
      Defining Incident Management Processes: http://www.cert.org/archive/pdf/04tr015.pdf
      Staffing Your CSIRT: http://www.cert.org/csirts/csirt-staffing.html
    ► www.sans.org
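Problem One (slides 4 through 9) turns on two fixes: keep old system logs, and know what is normal so anomalies stand out and can be prioritized. The script below is an added illustration of that idea, written for this page and not taken from the presentation or its authors. It builds a per-host baseline of outbound destinations, active hours and transfer sizes from an older log window, then scores each event in the current window so the response team has a ranked list rather than a pile of "strange things". The log format, host names, addresses and scoring weights are all constructed for the example; a real deployment would read flow or proxy logs and tune the weights to its own environment.

```python
"""Baseline-versus-anomaly check over constructed connection logs.

Added example for the "know what's normal" fix; not part of the
original presentation. Both log windows below are constructed
sample data in an assumed format:
    <ISO timestamp> <src_host> <dst_ip> <dst_port> <bytes>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Older logs (the kind the slides say not to dispose of): used as the baseline.
BASELINE_LOGS = """\
2013-02-01T09:00:01 web01 10.0.0.5 3306 1200
2013-02-01T09:05:13 web01 10.0.0.5 3306 980
2013-02-01T09:07:44 web01 10.0.0.9 514 300
2013-02-02T10:11:02 web01 10.0.0.5 3306 1100
2013-02-02T11:02:19 db01 10.0.0.9 514 250
2013-02-03T08:30:00 db01 10.0.0.9 514 260
2013-02-03T09:45:12 web01 10.0.0.9 514 310
"""

# Current window: mostly familiar traffic plus a few things worth a look.
CURRENT_LOGS = """\
2013-02-10T09:01:05 web01 10.0.0.5 3306 1050
2013-02-10T09:02:40 web01 10.0.0.9 514 290
2013-02-10T02:14:09 web01 203.0.113.7 443 52000000
2013-02-10T02:15:10 web01 203.0.113.7 443 48000000
2013-02-10T10:00:00 app02 10.0.0.5 3306 800
2013-02-10T14:20:00 db01 10.0.0.9 514 270
2013-02-10T14:22:31 db01 10.0.0.5 3306 900
"""

# Constructed weights: a never-seen destination matters more than an odd hour.
WEIGHTS = {"new destination": 3, "volume spike": 2, "unusual hour": 1}
NO_BASELINE_SCORE = 5  # a host with no history at all cannot be judged "normal"


@dataclass
class Event:
    ts: datetime
    src_host: str
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_logs(text):
    """Parse the constructed whitespace-separated log format into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, ip, port, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, ip, int(port), int(nbytes)))
    return events


def build_baseline(events):
    """Per host: the set of (ip, port) pairs, the hours of day seen, and the largest transfer."""
    base = defaultdict(lambda: {"dests": set(), "hours": set(), "max_bytes": 0})
    for e in events:
        b = base[e.src_host]
        b["dests"].add((e.dst_ip, e.dst_port))
        b["hours"].add(e.ts.hour)
        b["max_bytes"] = max(b["max_bytes"], e.nbytes)
    return dict(base)


def score_event(e, baseline, volume_factor=10):
    """Return (score, reasons) for one event measured against the baseline."""
    b = baseline.get(e.src_host)
    if b is None:
        # The gotcha from the slides: without old logs there is nothing to compare to.
        return NO_BASELINE_SCORE, ["no baseline for host"]
    reasons = []
    if (e.dst_ip, e.dst_port) not in b["dests"]:
        reasons.append("new destination")
    if e.ts.hour not in b["hours"]:
        reasons.append("unusual hour")
    if e.nbytes > volume_factor * b["max_bytes"]:
        reasons.append("volume spike")
    return sum(WEIGHTS[r] for r in reasons), reasons


def find_anomalies(events, baseline, min_score=3):
    """Events at or above min_score, highest score first, so the team knows where to start."""
    findings = []
    for e in events:
        score, reasons = score_event(e, baseline)
        if score >= min_score:
            findings.append({"ts": e.ts.isoformat(), "src_host": e.src_host,
                             "dst_ip": e.dst_ip, "dst_port": e.dst_port,
                             "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["ts"]))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_logs(BASELINE_LOGS))
    for f in find_anomalies(parse_logs(CURRENT_LOGS), baseline):
        print(f"{f['score']:>2} {f['ts']} {f['src_host']} -> {f['dst_ip']}:{f['dst_port']} {', '.join(f['reasons'])}")
```

Run as-is, the two early-morning transfers from web01 to an address it has never talked to rank first, the host with no history (app02) ranks next, and db01's new database connection ranks last; the routine traffic never appears. The point is not the particular weights but that a ranked list only exists because the older logs were kept and summarized before the incident.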