5th Annual HTCIA Asia Pacific Conference
7th December, 2011 @ Hong Kong

Enterprises’ Dilemma
INCIDENT RESPONSE TRIAGE

Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
Who am I?

Albert Hui
GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA

- Member of:
  - SANS Advisory Board
  - Digital Phishnet
  - ACFE
- Consulted for setting up IR capabilities at critical infrastructure companies.
- Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks.
- Dropped out of PhD to run a startup making IPS boxes.
- Now a security ronin.

  Copyright © 2011 Albert Hui
Agenda

- The Context: IR process and Triage.
- Incident Verification: A Systematic Approach.
- Severity Assessment: A Potentiality Model.

Enterprises’ Dilemma

- Huge Volume
- Influx of Incidents
- Time Critical
- Horizontal vs. Vertical

Triage!

Forensics vs. Incident Response

Forensics

Crime is suspected to have happened.

Did it happen?

Incident Response

1263906912.307   1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream

Alert triggered.

What the hell just happened?

How serious was that?

How to deal with it?

Triage!

Where Does Triage Belong?

IR process: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned

Triage stages (shown beneath the process): Report (w/ Initial Severity) Interpretation → Verification → Severity Assessment → Prioritization

Triage Stages

- Report (w/ Initial Severity) Interpretation
  - Reports typically come in as alerts (IDS, AV, SIEM, etc.)
  - Alert rules typically assign a severity
  - The MSSP is supposed to further tune severity with respect to prevailing threat conditions
- Verification
  - Is it material? (e.g. Serv-U alerts when no Serv-U is installed)
- Severity Assessment
  - Damage already done
  - Potential for further damage
- Prioritization
  - Deal with the most severe cases first

Verification

What Tools Do We Need?

log2timeline, autoruns, RegRipper, RipXP, RegScan, FastDump, Volatility, mdd, Memoryze, Red Curtain, Responder Pro, FlyPaper, Recon, dcfldd, auditpol, uassist_lv, listdlls, dumpel, pclip, fport, tcpvcon, md5deep, ssdeep, F-Response, psexec, wft, WireShark, analyzeMFT

What Tools Do We Need?

If you got a hammer, everything looks like a nail.

Right Questions

The Alexious Principle
  1. What question are you trying to answer?
  2. What data do you need to answer that question?
  3. How do you extract and analyze that data?
  4. What does / would that data tell you?

Fault Tree

What Questions Are You Trying to Answer?

Breadth-First Search

What Data Do You Need to Answer that Question?

Guiding Principles

Locard’s Exchange Principle
  - Every contact leaves a trace
Occam’s Razor
  - Facts > Inferences
The Alexious Principle
  1. What question are you trying to answer?
  2. What data do you need to answer that question?
  3. How do you extract and analyze that data?
  4. What does / would that data tell you?
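As an added example (not from the deck), the verification approach above applied to the Squid proxy alert on the Incident Response slide: each fault-tree node is one Alexious question together with the data that answers it, the tree is walked breadth-first, and the Serv-U materiality test becomes a check against an asset inventory. The inventory is constructed, and reading the `spl=` parameter as the product the alert concerns is this example's assumption.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# The Squid access.log line from the deck's "Incident Response" slide (the alert).
ALERT_LINE = ("1263906912.307   1884 192.168.1.120 TCP_MISS/200 24593 "
              "GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - "
              "DIRECT/122.115.63.6 application/octet-stream")

# Constructed asset inventory (hypothetical): which software each client runs.
INVENTORY = {"192.168.1.120": {"java", "acrobat"}, "192.168.1.121": {"acrobat"}}

SQUID_NATIVE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$")

def parse_squid(line: str) -> dict:
    """Split a Squid native-format access.log line into named fields."""
    m = SQUID_NATIVE.match(line.strip())
    if not m:
        raise ValueError("not a Squid native-format log line")
    rec = m.groupdict()
    rec["status"], rec["bytes"] = int(rec["status"]), int(rec["bytes"])
    url = urlsplit(rec["url"])
    rec["host"] = url.hostname
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return rec

# A fault-tree node is one Alexious question: what to ask, which data answers it,
# and (for leaves) how to extract the answer. Gates combine their children.
@dataclass
class Node:
    question: str
    data: str
    check: Optional[Callable[[dict, dict], Optional[bool]]] = None
    gate: str = "AND"
    children: list = field(default_factory=list)

def software_present(alert: dict, inventory: dict) -> Optional[bool]:
    """Serv-U lesson: immaterial if the host lacks the product the alert concerns.
    Assumption for this example: the 'spl' parameter names it ('java_gsb' -> 'java')."""
    installed = inventory.get(alert["client"])
    if installed is None:
        return None  # no inventory for this host: undetermined, go get the data
    return alert["query"].get("spl", "").split("_")[0] in installed

def served_ok(alert: dict, inventory: dict) -> Optional[bool]:
    """Did the server answer 200 with a non-empty body (i.e. not a block page)?"""
    return alert["status"] == 200 and alert["bytes"] > 0

def binary_body(alert: dict, inventory: dict) -> Optional[bool]:
    """Did a binary blob come back rather than a web page?"""
    return alert["mime"] == "application/octet-stream"

def alert_fault_tree() -> Node:
    """Material only if the host is exposed AND a payload was really delivered."""
    return Node("Is the alert material to this host?", "all of the below", children=[
        Node("Does the host run the software the alert concerns?",
             "asset inventory", software_present),
        Node("Was a payload actually delivered?", "proxy log", children=[
            Node("Did the server respond 200 with a body?", "status, bytes", served_ok),
            Node("Was the body application/octet-stream?", "content type", binary_body),
        ]),
    ])

def breadth_first(root: Node) -> list:
    """Visit questions level by level: the deck's breadth-first search."""
    order, queue = [], deque([root])
    while queue:
        node = queue.popleft()
        order.append(node)
        queue.extend(node.children)
    return order

def combine(gate: str, values: list) -> Optional[bool]:
    """Three-valued AND/OR; None means 'not known yet'."""
    if gate == "AND":
        return False if False in values else (None if None in values else True)
    return True if True in values else (None if None in values else False)

def verify(line: str, inventory: dict) -> list:
    """Answer every question; returns [(question, verdict), ...] in BFS order,
    root first: True = material, False = discard, None = need more data."""
    alert = parse_squid(line)
    order = breadth_first(alert_fault_tree())
    verdict = {}
    for node in reversed(order):  # parents precede children in BFS order,
        if node.children:         # so reversing resolves leaves before gates
            verdict[id(node)] = combine(node.gate, [verdict[id(c)] for c in node.children])
        else:
            verdict[id(node)] = node.check(alert, inventory)
    return [(n.question, verdict[id(n)]) for n in order]
```

Swap the client address for one the inventory has no record of and the root verdict becomes None rather than a guess, which is the point of asking for the data before answering the question.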
Severity Assessment and Prioritization

Risk Revisited

Risk = Likelihood × Impact × Asset Value

Risk Revisited

(Chart: Likelihood against Impact.) For an incident under triage, Likelihood = 100% (already happened).
Risk Revisited

Impact = Threat × Vulnerability

Oft-Neglected Dimension

(Chart: Existing Damage and Scope on the vertical axis against Potential Damage and Scope on the horizontal axis.)

- Low existing, low potential: Standard Mitigation
- Low existing, high potential: Immediate Attention!
- High existing: Intensive Care
Potential Scope and Damage

                          Know Thyself            Know Thy Enemy
Artifact Hemisphere       Compromised Entities    Malware Capability
Intellectual Hemisphere   Exploit Chainability    Ease of Attack
Exploit Chainability

- Small immaterial weaknesses can combine to become material.
- You have to know your systems and configurations to assess.

Reason’s Swiss Cheese Model

(Figure from Duke University Medical Center)

Ease of Attack

What Do Threat Analysts Need to Know?

- Prevailing threat conditions
  - e.g. PDF 0-day CVE-2011-2462 in the wild; Adobe promises a fix “no later than the week of December 12, 2011”
- How easy and how reliable it currently is to mount an attack
  - e.g. a certain exploit has just been committed to Metasploit
- Consequence of a compromise (chained exploit)
- Malware reverse engineering skills
- Etc. etc.

Send them to conferences and trainings like HTCIA!!

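An added example, not from the deck, that turns the severity slides into one scoring rule: Risk = Likelihood × Impact × Asset Value with Likelihood fixed at 100%, Impact = Threat × Vulnerability, the four potentiality-model factors, and the Existing vs. Potential Damage and Scope quadrants used to order the incident queue. The 0..3 scales, the 0.3 threshold, the mapping of the "know thy enemy" factors onto Threat and the "know thyself" factors onto Vulnerability, and the incident queue itself are all constructed assumptions.

```python
from dataclasses import dataclass

# Every factor is scored 0 (none) .. 3 (severe); the scale is this example's assumption.
SCALE = 3
LIKELIHOOD = 1.0  # the deck's point: the incident already happened, so likelihood is 100%

@dataclass
class Incident:
    name: str
    asset_value: int           # value of what is affected, 1..3
    existing_damage: int       # damage already done
    existing_scope: int        # how many entities are already hit
    # Potentiality model, "know thyself" column (assumed to feed Vulnerability)
    compromised_entities: int  # artifact hemisphere
    exploit_chainability: int  # intellectual hemisphere
    # Potentiality model, "know thy enemy" column (assumed to feed Threat)
    malware_capability: int    # artifact hemisphere
    ease_of_attack: int        # intellectual hemisphere

def existing_score(i: Incident) -> float:
    """What has already happened: damage x scope, weighted by asset value (0..1)."""
    return (i.existing_damage / SCALE) * (i.existing_scope / SCALE) * (i.asset_value / SCALE)

def potential_score(i: Incident) -> float:
    """What could still happen: Risk = Likelihood x Impact x Asset Value with
    Impact = Threat x Vulnerability, each term normalised to 0..1."""
    threat = (i.malware_capability + i.ease_of_attack) / (2 * SCALE)
    vulnerability = (i.compromised_entities + i.exploit_chainability) / (2 * SCALE)
    return LIKELIHOOD * (threat * vulnerability) * (i.asset_value / SCALE)

QUADRANTS = ("Standard Mitigation", "Immediate Attention!", "Intensive Care")

def quadrant(i: Incident, threshold: float = 0.3) -> str:
    """Place the incident on the deck's two-axis chart (the threshold is an assumption)."""
    if existing_score(i) >= threshold:
        return "Intensive Care"          # heavy damage already done
    if potential_score(i) >= threshold:
        return "Immediate Attention!"    # little done yet, but a lot could follow
    return "Standard Mitigation"

def prioritize(queue: list) -> list:
    """Most severe first: by quadrant, then by combined existing + potential score."""
    return sorted(queue, key=lambda i: (QUADRANTS.index(quadrant(i)),
                                        existing_score(i) + potential_score(i)),
                  reverse=True)

# Constructed incident queue for the example (not real cases).
QUEUE = [
    Incident("Adware on a single guest laptop", asset_value=1, existing_damage=1,
             existing_scope=1, compromised_entities=1, exploit_chainability=0,
             malware_capability=1, ease_of_attack=1),
    Incident("Drive-by binary download on a domain workstation", asset_value=2,
             existing_damage=1, existing_scope=1, compromised_entities=1,
             exploit_chainability=3, malware_capability=3, ease_of_attack=3),
    Incident("Credential dump confirmed on a domain controller", asset_value=3,
             existing_damage=3, existing_scope=3, compromised_entities=3,
             exploit_chainability=3, malware_capability=3, ease_of_attack=2),
]

if __name__ == "__main__":
    for inc in prioritize(QUEUE):
        print(f"{quadrant(inc):22} existing={existing_score(inc):.2f} "
              f"potential={potential_score(inc):.2f}  {inc.name}")
```

The middle incident is the one the flat "damage done so far" view under-rates: almost nothing has happened yet, but high chainability and a ready exploit put it in Immediate Attention! ahead of the adware case.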
Conclusion

- IR process: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
- Triage stages: Report (w/ Initial Severity) Interpretation → Verification → Severity Assessment → Prioritization
- FTA (fault tree analysis) for Verification
- Potentiality Model for Severity Assessment: Compromised Entities, Malware Capability, Exploit Chainability, Ease of Attack

Thank you!

albert@securityronin.com
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

HTCIA 2011: Incident Response Triage and Severity Assessment

  • 1. 5th Annual HTCIA Asia Pacific Conference, 7th December, 2011 @ Hong Kong. Enterprises’ Dilemma: INCIDENT RESPONSE TRIAGE. Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
  • 2. Who am I? Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA. Member of: SANS Advisory Board, Digital Phishnet, ACFE. Consulted for setting up IR capabilities at critical infrastructure companies. Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks. Dropped out of PhD to run a startup making IPS boxes. Now a security ronin. Copyright © 2011 Albert Hui
  • 3. Agenda: The Context: IR process and Triage. Incident Verification: A Systematic Approach. Severity Assessment: A Potentiality Model.
  • 4. Enterprises’ Dilemma: Huge Volume. Influx of Incidents. Time Critical. Horizontal vs. Vertical. Triage!
  • 5. Forensics vs. Incident Response
  • 6. Forensics: Crime is suspected to have happened. Did it happen?
  • 7. Incident Response: 1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream. Alert triggered. What the hell just happened? How serious was that? How to deal with it?
  • 8. Incident Response (same proxy log line as slide 7): Alert triggered. What the hell just happened? How serious was that? How to deal with it? Triage!
  • 9. (no text)
  • 10. (no text)
  • 11. Where Does Triage Belong? IR process: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Triage stages: Report Interpretation (w/ Initial Severity), Verification, Severity Assessment, Prioritization.
  • 12. Triage Stages. Report Interpretation (w/ Initial Severity): reports typically come in as alerts (IDS, AV, SIEM, etc.); alert rules typically assign a severity; the MSSP is supposed to further tune severity with respect to prevailing threat conditions. Verification: is it material? (e.g. Serv-U alerts when no Serv-U is installed). Severity Assessment: damage already done; potential for further damage. Prioritization: deal with the most severe cases first.
  • 13. Verification
  • 14. What Tools Do We Need? log2timeline, auditpol, autoruns, uassist_lv, RegRipper, listdlls, RipXP, dumpel, RegScan, pclip, FastDump, fport, Volatility, tcpvcon, mdd, md5deep, Memoryze, ssdeep, Red Curtain, F-Response, Responder Pro, psexec, FlyPaper, wft, Recon, WireShark, dcfldd, analyzeMFT
  • 15. What Tools Do We Need? If you've got a hammer, everything looks like a nail.
  • 16. Right Questions. The Alexiou Principle: 1. What question are you trying to answer? 2. What data do you need to answer that question? 3. How do you extract and analyze that data? 4. What does / would that data tell you?
  • 17. Fault Tree
  • 18. Fault Tree
  • 19. What Questions Are You Trying to Answer?
  • 20. What Questions Are You Trying to Answer? Breadth-First Search
  • 21. What Data Do You Need to Answer that Question?
  • 22. Guiding Principles. Locard’s Exchange Principle: every contact leaves a trace. Occam’s Razor: facts > inferences. The Alexiou Principle: 1. What question are you trying to answer? 2. What data do you need to answer that question? 3. How do you extract and analyze that data? 4. What does / would that data tell you?
  • 23. Severity Assessment and Prioritization
  • 24. Risk Revisited: Risk = Likelihood × Impact × Asset Value
  • 25. Risk Revisited: Likelihood = 100% (already happened), leaving Impact.
  • 26. Risk Revisited: Risk = Likelihood × Impact × Asset Value
  • 27. Risk Revisited: Risk = Likelihood × Impact × Asset Value
  • 28. Risk Revisited: Risk = Likelihood × Impact × Asset Value
  • 29. Risk Revisited: Impact = Threat × Vulnerability
  • 30. Risk Revisited: Impact = Threat × Vulnerability
  • 31. Oft-Neglected Dimension. Two axes: Existing Damage and Scope vs. Potential Damage and Scope. Quadrants: Standard, Immediate Mitigation, Attention!, Intensive Care.
  • 32. Potential Scope and Damage. Columns: Know Thyself vs. Know Thy Enemy. Artifact Hemisphere: Compromised Entities (thyself), Malware Capability (enemy). Intellectual Hemisphere: Exploit Chainability (thyself), Ease of Attack (enemy).
  • 33. Potential Scope and Damage (same diagram as slide 32).
  • 34. Potential Scope and Damage (same diagram as slide 32).
  • 35. Exploit Chainability: small immaterial weaknesses can combine to become material. You have to know your systems and configurations to assess this.
  • 36. Reason’s Swiss Cheese Model. From Duke University Medical Center.
  • 37. Reason’s Swiss Cheese Model. From Duke University Medical Center.
  • 38. Potential Scope and Damage (same diagram as slide 32).
  • 39. Ease of Attack
  • 40. What Do Threat Analysts Need to Know? Prevailing threat conditions, e.g. PDF 0-day CVE-2011-2462 in the wild; Adobe promises a fix “no later than the week of December 12, 2011”. How easy and reliable it currently is to mount an attack, e.g. a certain exploit has just been committed to Metasploit. Consequence of a compromise (chained exploit). Malware reverse engineering skills. Etc. etc. Send them to conferences and trainings like HTCIA!!
  • 41. Conclusion. FTA. Potentiality Model: Compromised Entities, Malware Capability, Exploit Chainability, Ease of Attack. IR process: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Triage stages: Report Interpretation (w/ Initial Severity), Verification, Severity Assessment, Prioritization.
  • 42. Thank you! albert@securityronin.com
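As an added example (not from the slides), the triage stages of slide 12 and the severity model of slides 24-31 as a small Python scoring pipeline: verification drops immaterial alerts, severity is scored on the two axes of existing and potential damage, and prioritization orders what is left. The host inventory, the alert scores and which quadrant name of slide 31 maps to which axis combination are my assumptions.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    alert_id: str
    host: str
    product: "str | None"   # product the signature is about, if any
    existing_damage: float  # 0..1, damage already done (slide 12)
    threat: float           # 0..1, attacker capability / ease of attack
    vulnerability: float    # 0..1, our exposure incl. exploit chainability
    asset_value: float      # 0..1, value of the affected asset

# Constructed (hypothetical) inventory of what is installed per host.
INSTALLED = {"ftp01": {"Serv-U", "Windows"}, "ws17": {"Windows", "Java"}}

def verify(alert, installed=INSTALLED):
    """Verification: is the alert material? (slide 12's Serv-U example)"""
    return alert.product is None or alert.product in installed.get(alert.host, set())

def severity(alert):
    """Likelihood is 100% (it already happened) and drops out; Impact = Threat x
    Vulnerability, scaled by Asset Value. Returns the two axes of slide 31."""
    existing = alert.existing_damage * alert.asset_value
    potential = alert.threat * alert.vulnerability * alert.asset_value
    return existing, potential

def bucket(existing, potential, threshold=0.5):
    """Slide 31 quadrants; which name goes on which quadrant is my assumption."""
    high_e, high_p = existing >= threshold, potential >= threshold
    if high_e and high_p:
        return "Intensive Care"
    if high_e:
        return "Immediate Mitigation"
    return "Attention!" if high_p else "Standard"

def prioritize(alerts, installed=INSTALLED):
    """Drop immaterial alerts, score the rest, most severe first (slide 12)."""
    rows = []
    for a in alerts:
        if verify(a, installed):
            existing, potential = severity(a)
            rows.append((a.alert_id, bucket(existing, potential), existing, potential))
    return sorted(rows, key=lambda r: r[2] + r[3], reverse=True)

# Constructed sample alerts with hypothetical scores: a Serv-U false positive,
# the slide-7 Java exploit-kit download, and a confirmed hit on the FTP server.
SAMPLE = [
    Alert("A1", "ws17", "Serv-U", 0.8, 0.7, 0.7, 0.8),
    Alert("A2", "ws17", "Java", 0.3, 0.8, 0.9, 0.8),
    Alert("A3", "ftp01", "Serv-U", 0.9, 0.5, 0.4, 0.9),
]
```

Running `prioritize(SAMPLE)` drops A1 (no Serv-U on ws17) and ranks A3 (damage already done) ahead of A2 (little damage yet, high potential for spread).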