The Aftermath: You Have Been Attacked! So what's next?
13th Info-Security Conference 2012
8th May, 2012 @ Hong Kong




You have been attacked!
So what’s next?




    Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
Who am I?
Albert Hui
GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA

Member of:
• SANS Advisory Board
• Digital Phishnet
• ACFE

Consulted for setting up IR capabilities at critical infrastructure companies.
Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks.
Dropped out of PhD to run a startup making IPS boxes.
Now a security ronin.
Agenda
1. Incident response process
2. Incident response organization structure
3. Incident response triage – a brief overview
4. Incident response preliminary containment
You’ve been attacked!
   So what’s next?
For the Unprepared
1. Stay calm
2. Write down: 1. When? 2. Where? 3. Why? 4. What? 5. How? (6. Who?)
3. Keep a log; log all communications
4. Need-to-Know policy and out-of-band communications
5. Stop the bleeding (containment) first
6. Seek professional help
   1. Know the problem (identification)
   2. Protect your bases (might involve forensic acquisition)
   3. Get rid of the problem (eradication)
   4. Get back in business (recovery)
   5. Lessons-Learned report
Incident Response Process

[Flow diagram: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned.
Under Identification, the triage sub-steps: Report (w/ Initial Severity) Interpretation → Verification → Severity Assessment → Prioritization]
CSIRT
(Computer Security Incident Response Team)

[Org chart: Head of CSIRT at the top; reporting to it, the Incident Handler and the Incident Responder; under the Incident Responder, the Incident Analyst; the SOC at the bottom of the chart]
Core Functions

Incident Response
• All the technical works
• Most outsourceable

(Common Functions)
• Preparation and Planning
  • Policies, procedures and banners
  • Incident response protocol and plan
  • Agreements with and pre-approvals from legal / compliance / HR
  • Asset classification
  • Support infrastructure (logging, IDS, patch management, BCP, DR, incident reporting, guideline & education, etc.)
  • etc. etc.

Incident Handling
• Sole interface of CSIRT
• Management liaison
• Clients liaison
• Legal / Compliance / HR / PR liaison
• Peer CSIRT / CERT and LE liaison
• Incident response coordination
• Incident response log keeping
Identification
So how did you know you’ve been attacked?
• A little bird told you…
• You made headline news…
• IT guy reports abnormal behavior…
Alert
  1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream

Alert triggered.
What the hell just happened?
How serious was that?
How to deal with it?
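As an added example (not part of the original slides), here is one way to turn the proxy log line on this slide into a verification decision. It assumes the line follows Squid's native access.log field order (timestamp, elapsed ms, client, result code/status, bytes, method, URL, user, hierarchy/peer, content type); the two benign lines beside it are constructed, and the verification rules are my own illustration of the Verification stage, not any vendor's signatures.

```python
"""Added example (not from the original slides): parse the Squid-style proxy
log line shown on the Alert slide and decide whether the alert is material.

Assumptions, labelled here: the line follows Squid's native access.log layout
(time, elapsed ms, client, code/status, bytes, method, URL, user,
hierarchy/peer, content-type). The verification rules are an illustration of
the Verification triage stage, not a vendor rule set.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first line is the one from the slide, the other two
# are made up here to show how verification separates signal from noise.
SAMPLE_LOG = """\
1263906912.307   1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream
1263906915.120     12 192.168.1.121 TCP_HIT/200 5120 GET http://www.example.com/css/site.css - NONE/- text/css
1263906920.448    300 192.168.1.122 TCP_MISS/404 512 GET http://hezlhhh.co.cc/x22/load.php?spl=pdf_x - DIRECT/122.115.63.6 text/html
"""

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Request:
    ts: float
    client: str
    status: int
    nbytes: int
    url: str
    host: str
    peer: str
    ctype: str


def parse_line(line):
    """Return a Request for a well-formed Squid line, or None for anything else."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    host = re.sub(r"^[a-z]+://", "", m["url"]).split("/", 1)[0]
    return Request(float(m["ts"]), m["client"], int(m["status"]), int(m["bytes"]),
                   m["url"], host, m["peer"], m["ctype"])


def verify(req):
    """Verification stage: the reasons this request is material, or [] if it is not."""
    reasons = []
    if req.status != 200:
        return reasons  # nothing was delivered, so the alert is not material
    if req.ctype == "application/octet-stream" and req.nbytes > 0:
        reasons.append("binary payload delivered")
    if "load.php?spl=" in req.url:
        reasons.append("exploit-kit style loader URL")
    if req.host.endswith(".co.cc"):
        reasons.append("free-subdomain host")
    return reasons


def triage(log_text):
    """Run every line through parse + verify; keep only material hits."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        reasons = verify(req)
        if reasons:
            findings.append((req.client, req.host, reasons))
    return findings


if __name__ == "__main__":
    for client, host, reasons in triage(SAMPLE_LOG):
        print(f"{client} <- {host}: {', '.join(reasons)}")
```

Only the request that actually delivered (HTTP 200) a binary payload from the loader URL survives; the 404 against the same host is dropped as noise, which is the "is it material?" question the Verification stage asks before any severity assessment.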
Where Does Triage Belong?

[Flow diagram: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned.
Triage sits under Identification: Report (w/ Initial Severity) Interpretation → Verification → Severity Assessment → Prioritization]
Triage Stages
Report (w/ Initial Severity) Interpretation
• Alerts (IDS, AV, SIEM, etc.) came in with pre-assigned severity
Verification
• Is it material? (e.g. software X alerts when no software X installed)
Severity Assessment
• Damage already done
• Potential for further damage
Prioritization
• Deal with most severe cases first
(or, verification)
Alexiou Principle
1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does / would that data tell you?
What Questions Are You Trying to Answer?

Breadth-First Search
What Data Do You Need to Answer that
Question?
Locard Exchange Principle




     “Every contact leaves a trace.”
Occam’s Razor




     …or, “Keep It Simple Stupid”
(or, severity assessment & prioritization)
Risk = Likelihood × Impact × Asset Value
Likelihood

[Diagram: Likelihood is always 100% (it already happened); what is left to assess is Impact]
Focus on…
1. Asset values
   1. Classify your assets NOW!
2. Incident impact
   1. Damage
   2. Scope
Oft-Neglected Dimension

[Diagram: a 2×2 grid. Vertical axis: Existing Damage and Scope; horizontal axis: Potential Damage and Scope.
Low existing / low potential: Standard Mitigation. High existing / low potential: Intensive Care. Low existing / high potential: Immediate Attention! The high/high cell is unlabelled]
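As an added example (not from the original slides), the following puts the triage stages (verification, severity assessment, prioritization), the risk formula with likelihood fixed at 100%, and the existing-versus-potential grid of this slide into one scoring routine. The 0..5 scales, the HIGH threshold, the equal weighting of existing and potential impact, the sample queue, and the label for the grid cell the slide leaves blank are my own assumptions.

```python
"""Added example (not from the original slides): score incidents the way the
triage slides describe and order them so the most severe are dealt with first.

Risk = Likelihood x Impact x Asset Value, with Likelihood fixed at 1.0 because
the incident has already happened, so the ordering is driven by asset value and
impact (damage and scope). Existing damage/scope and potential damage/scope are
kept apart, as the "oft-neglected dimension" slide does, and mapped onto its
quadrants. Assumptions made here: the 0..5 scales, the HIGH threshold, equal
weighting of existing and potential impact, and the name given to the quadrant
the slide leaves unlabelled.
"""
from dataclasses import dataclass

LIKELIHOOD = 1.0  # always 100%: it already happened
HIGH = 10         # assumed threshold on the damage x scope product (range 0..25)


@dataclass
class Incident:
    name: str
    verified: bool         # outcome of the Verification stage
    asset_value: int       # 1 (low) .. 5 (crown jewels), from your asset classification
    existing_damage: int   # 0..5, damage already done
    existing_scope: int    # 0..5, how much is affected so far
    potential_damage: int  # 0..5, further damage if left alone
    potential_scope: int   # 0..5, how far it could spread


def existing_impact(inc):
    return inc.existing_damage * inc.existing_scope


def potential_impact(inc):
    return inc.potential_damage * inc.potential_scope


def impact(inc):
    # Assumption: the worse of the two halves drives the overall impact.
    return max(existing_impact(inc), potential_impact(inc))


def risk(inc):
    return LIKELIHOOD * impact(inc) * inc.asset_value


def quadrant(inc):
    """Place the incident on the slide's existing-vs-potential grid."""
    ex = existing_impact(inc) >= HIGH
    po = potential_impact(inc) >= HIGH
    if ex and po:
        return "Intensive Care + Immediate Attention!"  # unlabelled on the slide; my name
    if ex:
        return "Intensive Care"
    if po:
        return "Immediate Attention!"
    return "Standard Mitigation"


def prioritize(incidents):
    """Verification first (drop immaterial alerts), then most severe cases first."""
    material = [inc for inc in incidents if inc.verified]
    return sorted(material, key=risk, reverse=True)


def worklist(incidents):
    """Ordered (name, risk, quadrant) tuples for the handler's incident log."""
    return [(inc.name, risk(inc), quadrant(inc)) for inc in prioritize(incidents)]


# Constructed sample queue; values chosen to land one incident in each quadrant.
QUEUE = [
    Incident("AV alert for a product that is not installed", False, 3, 0, 0, 0, 0),
    Incident("Adware on a lobby kiosk", True, 1, 2, 1, 1, 1),
    Incident("Trojan beacon from a finance workstation", True, 4, 2, 1, 5, 4),
    Incident("Defaced web server, already isolated", True, 3, 4, 3, 1, 1),
]

if __name__ == "__main__":
    for name, score, box in worklist(QUEUE):
        print(f"{score:6.1f}  {box:<22}  {name}")
```

The unverified alert never reaches scoring, the trojan beacon outranks the defacement even though less damage has been done so far (its potential scope is what lands it in "Immediate Attention!"), and the defaced server that is already isolated still needs "Intensive Care" because the existing damage is large.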
Know thyself, know thy enemy,
  then you shall not perish.


知己知彼,百戰不殆
Potential Scope and Damage

[Diagram: a 2×2 grid. Columns: Know Thyself, Know Thy Enemy. Rows: Artifact Hemisphere (Compromised Entities, Malware Capability) and Intellectual Hemisphere (Exploit Chainability, Ease of Attack)]
Exploit Chainability

Small immaterial weaknesses can combine to
become material ones.
Reason’s Swiss Cheese Model

[Figure, from Duke University Medical Center]
Ease of Attack (example)
What Do Threat Analysts (and Your MSSP) Absolutely Need to Know?
1. Prevailing threat conditions
   1. e.g. PDF 0-day CVE-2011-2462 in the wild; Adobe promises a fix “no later than the week of December 12, 2011”
2. Current ease / reliability of mounting an attack
   1. e.g. exploit X has just been committed to Metasploit
3. Consequence of a compromise (chained exploit)
4. Malware reverse engineering skills
5. etc. etc.
(or preliminary containment)
Before the Experts Arrive
1. Do NOT pull the plug!!
2. Describe the situation and seek immediate advice (say, over the phone) from IR professionals.
3. Isolate affected systems
   1. Disconnect from network (unless IR professionals advise otherwise).
4. Secure the crime scene
   1. Physical area access control.
   2. Stop affected computer(s) from being used.
Conclusion
1. Incident response process
2. CSIRT organization structure
   1. What people to hire, their R&Rs.
3. Triage – a brief overview
   1. How to verify an alert.
   2. How to prioritize an incident.
4. Preliminary containment
   1. What to do before the experts arrive.
Thank you!

albert@securityronin.com
