Incident handling of intrusions related to cyber espionage operations is a complex and challenging task. As a national CERT with a unique national early warning detection system, NSM NorCERT has detected and responded to incidents that vary from traditional incident response and abuse handling to counter-intelligence operations. Based on some real-world examples, this talk will be about incident handling of cyber espionage intrusions. What are the most common pitfalls and how can companies be better prepared?
The Honeynet Project Workshop 2015
Marie Moe, Ph.D., Researcher at SINTEF
Incident handling of cyber espionage
• Threats and trends
• Case studies with examples from real incidents
• Incident handling
§ Research scientist at SINTEF
§ Associate Professor II at HiG (20%)
§ MSc in Mathematics
§ PhD in Information Security
§ GIAC certified Incident Handler
§ Previously worked at NSM NorCERT
PHOTO: ROBERT MCPHERSON, Aftenposten
[Figure: threat spectrum ranging from society in general to crisis / war]
Advanced Persistent Threats
• Modern espionage is most effectively conducted through networks
• Significant amounts of information
• Russia and China are the most active nation states behind network operations against Norway
How do they compromise our systems?
• Spear phishing
  – Often contains predictable elements
  – Targeting information is often available online
• Watering hole / strategic web compromise
  – User profiling and whitelisting of targets
  – Harder to detect and more difficult to handle than spear phishing
• Credential harvesting
  – Compromised accounts are used for new spear phishing
  – Direct access to mail and systems without leaving traces
• Known vulnerabilities
  – Zero-days may be used against high-priority targets
• Physical delivery is rarely used
• NorCERT was contacted by a company that had discovered it was compromised
• Detected at the exfiltration stage
  – Data staged for exfiltration was filling up the disk on the Exchange server!
  – Large files that appeared to be image files (.jpg) were in fact password-protected RAR archives
  – The exfiltration was carried out via HTTP GET requests
• NorCERT coordinated incident response with the victim and performed forensics
• The initial attack vector was found to be a vulnerability in ColdFusion which gave the attackers the ability to upload a "China Chopper" webshell
• The password for the RAR files was eventually found and the company could get a clear idea of the amount of intellectual property that was lost.
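Two checks that would have surfaced the staging and exfiltration in this case, as an added example (not code from the talk or from NorCERT): a content-versus-extension check that catches a RAR archive disguised as a .jpg, and a web access-log scan for successful GET requests that fetch an "image" far larger than any legitimate image on the server. The sample bytes and log lines are constructed; the Apache combined log format is an assumption about the victim's server.

```python
"""Added example (not from the original talk): two checks that would have
surfaced the Case A staging and exfiltration described above.

1. extension_mismatch(): a file named *.jpg whose first bytes are a RAR
   archive signature rather than a JPEG header.
2. suspicious_image_downloads(): HTTP GET requests in a web access log that
   fetch an "image" far larger than any legitimate image on the server.

The sample bytes and log lines are constructed; the log format is Apache
combined style, which is an assumption about the victim's server.
"""
import re
from collections import defaultdict

# Well-known file signatures (magic bytes).
JPEG_MAGIC = b"\xff\xd8\xff"
RAR_MAGIC = b"Rar!\x1a\x07"      # common prefix of RAR4 (..\x00) and RAR5 (..\x01\x00)
ZIP_MAGIC = b"PK\x03\x04"

def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring the filename."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"

def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name claims a JPEG but the content is something else."""
    ext = name.lower().rsplit(".", 1)[-1]
    return ext in ("jpg", "jpeg") and sniff_type(data) != "jpeg"

# Apache combined log format: client, identity, user, [timestamp], "request", status, bytes, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

def suspicious_image_downloads(log_text: str, max_image_bytes: int = 50_000_000):
    """Return (client, path, bytes) for successful GETs of 'images' above max_image_bytes.
    Real photos rarely exceed a few MB; a 700 MB .jpg is almost certainly an archive."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200" or m["size"] == "-":
            continue
        path = m["path"].split("?", 1)[0].lower()
        size = int(m["size"])
        if path.endswith(IMAGE_EXTS) and size > max_image_bytes:
            hits.append((m["ip"], m["path"], size))
    return hits

def bytes_per_client(log_text: str):
    """Total bytes served per client IP; exfiltration shows up as one outlier."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["size"] != "-":
            totals[m["ip"]] += int(m["size"])
    return dict(totals)

# Constructed sample data (RFC 5737 documentation addresses, fictional paths).
STAGED_FILE = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24   # RAR5 header, disguised as IMG_2231.jpg
REAL_PHOTO = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 24

SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2014:02:14:31 +0200] "GET /images/IMG_2231.jpg HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2014:02:19:02 +0200] "GET /images/IMG_2232.jpg HTTP/1.1" 200 698351616 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2014:08:01:55 +0200] "GET /images/logo.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2014:08:01:56 +0200] "GET /index.cfm HTTP/1.1" 200 12873 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print("IMG_2231.jpg mismatch:", extension_mismatch("IMG_2231.jpg", STAGED_FILE))
    print("logo.jpg mismatch:", extension_mismatch("logo.jpg", REAL_PHOTO))
    for ip, path, size in suspicious_image_downloads(SAMPLE_LOG):
        print(f"suspicious: {ip} fetched {path} ({size // 2**20} MiB)")
    print("bytes per client:", bytes_per_client(SAMPLE_LOG))
```

The size threshold is the tunable part: set it from the largest genuine image your web root actually serves, and treat the per-client byte total as a second signal, since exfiltration in this case was split across many files but came from one client.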
Case B: Spear phishing against the energy sector
• Clear understanding of network and systems
• Access control and segmentation
• Quick updating and patching
• What about cloud services? Are you in control?
• Control and monitor network traffic
• Detection team that looks for intruders and abnormalities
• Clear areas of responsibility
• Escalation routines, contact information
• Guidelines for incident handling
• The contingency plan should be rehearsed!
Detection and Analysis
Your IDS needs to be constantly updated with the latest threat intel!
Logging enables detection and scoping of an incident!
• Traffic logs
  – Web traffic logs
  – Proxy logs with SSL inspection
  – DNS logging / passive DNS
  – Web access logs on your own web servers
• Authentication logs
• Administration logs
• Security logs
• E-mail logs
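One analysis that the proxy and DNS logging listed above makes possible, as an added example (not code from the talk): finding periodic "beaconing" from an internal host to a single external name, which is what most C2 check-ins look like from the inside. Implants tend to call home at a fixed interval, so the gaps between requests have a low coefficient of variation, while human browsing does not. The log lines are constructed, and the log format (ISO timestamp, client, destination host, bytes) is an assumption to adapt to your own proxy.

```python
"""Added example (not from the original talk): one analysis the proxy and
DNS logging listed above makes possible, finding periodic 'beaconing' from
an internal host to one external name, which is how most C2 check-ins look
from the inside. Implants usually call home at a fixed interval (with or
without jitter), so the inter-request gaps have a low coefficient of
variation, while human browsing does not.

The log lines are constructed and the format (ISO time, client, destination
host, bytes) is an assumption; adapt parse_proxy_log() to your proxy.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

PROXY_LOG = """\
2015-05-18T09:00:01 10.1.4.22 cdn.example-update.net 512
2015-05-18T09:05:02 10.1.4.22 cdn.example-update.net 498
2015-05-18T09:10:00 10.1.4.22 cdn.example-update.net 503
2015-05-18T09:15:03 10.1.4.22 cdn.example-update.net 511
2015-05-18T09:20:01 10.1.4.22 cdn.example-update.net 509
2015-05-18T09:00:12 10.1.4.22 www.example.com 18342
2015-05-18T09:01:40 10.1.4.22 www.example.com 9120
2015-05-18T09:14:05 10.1.4.22 www.example.com 40011
2015-05-18T09:31:58 10.1.4.22 www.example.com 2201
2015-05-18T09:32:09 10.1.4.22 www.example.com 1200
2015-05-18T09:03:00 10.1.4.31 mail.example.org 7230
2015-05-18T09:04:00 10.1.4.31 mail.example.org 7102
"""

def parse_proxy_log(log_text):
    """Yield (timestamp, client, host, bytes) per line; skips blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        yield datetime.fromisoformat(ts), client, host, int(nbytes)

def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Return one dict per (client, host) pair whose request timing is
    regular enough to look like a beacon.

    min_requests: fewer samples than this cannot establish a rhythm.
    max_cv: coefficient of variation (stdev / mean) of the gaps; 0 is a
            perfect clock. Raise it if the implant adds jitter, at the cost
            of more false positives from polling applications.
    """
    times = defaultdict(list)
    for ts, client, host, _ in parse_proxy_log(log_text):
        times[(client, host)].append(ts)

    beacons = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue          # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "count": len(stamps),
                            "period_s": round(avg), "cv": round(cv, 3)})
    return beacons

if __name__ == "__main__":
    for b in find_beacons(PROXY_LOG):
        print(f"{b['client']} -> {b['host']}: {b['count']} requests every "
              f"~{b['period_s']} s (cv={b['cv']})")
    # Legitimate update checkers also beacon; the next step is to pivot on
    # the host via passive DNS (first seen when? what else resolves there?)
    # before declaring it C2.
```

On the constructed data only the five-minute check-ins to cdn.example-update.net are flagged; the browsing to www.example.com is irregular and the two mail requests are too few to judge. Software update checkers produce the same rhythm, which is why the host then needs to be pivoted on in passive DNS and the web access logs before anyone calls it C2.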
Containment, Eradication and Recovery
You detected or got informed that you have been a victim of cyber espionage…
What to do now?
Selection of strategy:
• Protect and forget
• Watchful waiting, possibly a honeypot operation?
Clean up after compromise
• Plan and execute clean-ups in a controlled fashion!
  – Hire an MSSP if you lack the necessary know-how
• Establish the necessary logging and monitoring/IDS
• Isolate compromised systems from the network
• Secure a memory dump and disk image of compromised systems
• Reinstall from clean backups
• Change all passwords!
• Evaluation of the incident handling
  – Identification of lessons learned
  – Update contingency plans
  – Case studies are very useful for training
The ”Cyber Kill Chain”
• Lockheed Martin: 7 stages/states of an "APT-style" incident
• If the attacker fails in one of the stages the compromise will not succeed!
• Detection and response should be implemented for each stage
  – What can the organization handle themselves?
  – Where is collaboration or outsourcing required?
  – Risks and costs increase for each stage
  – Timeline: hours or days from successful exploitation
Recon → Weaponize → Deliver → Exploit → Install → C2 → Action
Guidelines for incident handling
• NSM has published a guide for incident handling of cyber
  – Can be downloaded at _2014.pdf (only in Norwegian)
• Overview of logging that should be in place
• What information to submit to NorCERT if you want their