The Aftermath: You Have Been Attacked! So what's next?
1. 13th Info-Security Conference 2012
8th May, 2012 @ Hong Kong
You have been attacked!
So what’s next?
Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
2. Who am I?
Albert Hui
GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
Member of:
• SANS Advisory Board
• Digital Phishnet
• ACFE
Consulted for setting up IR capabilities at critical
infrastructure companies.
Former incident analyst / threat researcher at top-
tier retail, commercial, and investment banks.
Dropped out of PhD to run a startup making IPS
boxes.
Now a security ronin.
6. For the Unprepared
1. Stay calm
2. Write down: 1. When? 2. Where? 3. Why? 4. What? 5. How? (6. Who?)
3. Keep log, log all communications
4. Need-to-Know policy and Out-of-Band communications
5. Stop the bleeding (containment) first
6. Seek professional help
1. Know the problem (identification)
2. Protect your bases (might involve forensic acquisition)
3. Get rid of the problem (eradication)
4. Get back in business (recovery)
5. Lessons-Learned report
9. Core Functions
Incident Response
• All the technical work
• Most outsourceable
Incident Handling
• Sole interface of CSIRT
• Management liaison
• Clients liaison
• Legal / Compliance / HR / PR liaison
• Peer CSIRT / CERT and LE liaison
• Incident response coordination
• Incident response log keeping
(Common Functions)
• Preparation and Planning
• Policies, procedures and banners
• Incident response protocol and plan
• Agreements with and pre-approvals from legal / compliance / HR
• Asset classification
• Support infrastructure (logging, IDS, patch management, BCP, DR, incident reporting, guideline & education, etc.)
• etc. etc.
10. Identification
So how did you know you’ve been attacked?
• A little bird told you…
• You made headline news…
• IT guy reports abnormal behavior…
11. Alert
1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream
Alert triggered.
What the hell just happened?
How serious was that?
How to deal with it?
15. Triage Stages
Report (w/ Initial Severity)
• Alerts (IDS, AV, SIEM, etc.) came in with pre-assigned severity
Interpretation
Verification
• Is it material? (e.g. software X alerts when no software X installed)
Severity Assessment
• Damage already done
• Potential for further damage
Prioritization
• Deal with most severe cases first
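The triage stages above, run over the Squid access-log line from the "Alert" slide, as an added example that is not part of the talk. It assumes a constructed asset inventory per client and that the exploit kit's `spl` parameter names the targeted software; neither assumption comes from the slides.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# The Squid native-format access-log line quoted on the "Alert" slide.
ALERT_LINE = ("1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 "
              "GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - "
              "DIRECT/122.115.63.6 application/octet-stream")

# Constructed asset inventory (hypothetical): software known on each client.
INVENTORY = {"192.168.1.120": {"Windows XP", "Adobe Reader 9"}}   # no Java

def parse_squid(line):
    """Report stage: split a Squid native log line into the fields triage needs."""
    ts, _, client, code_status, size, method, url, _, hier, mime = line.split()
    return {"time": datetime.fromtimestamp(float(ts), tz=timezone.utc),
            "client": client, "status": int(code_status.split("/")[1]),
            "bytes": int(size), "method": method, "url": url,
            "server": hier.split("/")[1], "mime": mime}

def interpret(rec):
    """Interpretation stage: what does the alert claim happened?
    Assumption: the exploit kit's 'spl' parameter names the targeted software."""
    spl = parse_qs(urlsplit(rec["url"]).query).get("spl", [""])[0]
    delivered = (rec["status"] == 200 and rec["bytes"] > 0
                 and rec["mime"] == "application/octet-stream")
    return {"target_software": spl.split("_")[0] or None,
            "payload_delivered": delivered}

def verify(rec, finding, inventory):
    """Verification stage: is it material? No Java on the host => not material."""
    sw = finding["target_software"]
    if sw is None:
        return True          # nothing to rule out, so treat it as material
    installed = inventory.get(rec["client"], set())
    return any(sw.lower() in name.lower() for name in installed)

def triage(line, inventory=INVENTORY):
    """Report -> Interpretation -> Verification -> Severity for one alert."""
    rec = parse_squid(line)
    finding = interpret(rec)
    material = verify(rec, finding, inventory)
    if not material:
        severity = "low"     # no damage done, no potential for further damage
    elif finding["payload_delivered"]:
        severity = "high"    # damage already done: a binary reached the host
    else:
        severity = "medium"  # potential for further damage only
    return {"when": rec["time"].strftime("%Y-%m-%d %H:%M:%S UTC"),
            "where": rec["client"], "what": rec["url"],
            "material": material, "severity": severity}
```

The returned dict answers the "When? Where? What?" questions from the write-down checklist; feeding a list of such results sorted by severity gives the prioritization stage.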
17. Alexious Principle
1. What question are you trying to answer?
2. What data do you need to answer that
question?
3. How do you extract and analyze that data?
4. What does / would that data tell you?
37. What Do Threat Analysts (and Your MSSP)
Absolutely Need to Know?
1. Prevailing threat conditions
1. e.g. pdf 0-day CVE-2011-2462 in the wild, Adobe promises a fix “no later than the week of December 12, 2011”
2. Current ease / reliability of mounting an attack
1. e.g. exploit X has just been committed to Metasploit
3. Consequence of a compromise (chained exploit)
4. Malware reverse engineering skills
5. etc. etc.
39. Before the Experts Arrive
1. Do NOT pull the plug!!
2. Describe the situation and seek immediate advice (say, over the phone) from IR professionals.
3. Isolate affected systems
1. Disconnect from network (unless IR professionals advise otherwise).
4. Secure the crime scene
1. Physical area access control.
2. Stop affected computer(s) from being used.
40. Conclusion
1. Incident response process
2. CSIRT organization structure
1. What people to hire, their R&Rs.
3. Triage – a brief overview
1. How to verify an alert.
2. How to prioritize an incident.
4. Preliminary containment
1. What to do before the experts arrive.