Security incidents targeting corporations are occurring on a daily basis. While we may hear about the large cases in the news, network and security administrators from smaller organization quake in fear of losing their jobs after a successful attack of their network. Simple bad decisions and stupid mistakes in responding to a data breach or network intrusion are a great way to find yourself new employment. In this talk I’ll show you in twelve easy steps how to do so after, or even during, a security incident in your company.

1. Walking the Green Mile
How to Get Fired After a
Security Incident
Brian Baskin

2. $ whoami
• Senior Consultant at cmdLabs
• Intrusions Examiner / Malware Analyst at DCFL
• Author/Coauthor of eight Information Security books

3. So you have an incident…

4. And they called in for support…
You’ve got a corpse in
a car, minus a head, in
a garage… take me to
it!

5. For you to assist …

6. And you’re going to be fired…

7. 1) Oblivious that you were hacked

8. Oblivious that you were hacked
• No active or routine monitoring of traffic
• No investigation of log irregularities
• Often find out about attack after:
– Data is exfiltrated
– Received notification from third party
– Competitor releases one of your products

9. Levels of Obliviousness
Notified by third
party months later
Didn’t see until next day
Saw and stopped
during exfiltration
Saw and stopped
during attack
Attacks automatically
blocked by existing rules

10. 2) Did not own up to being hacked
• Hope that no one will notice and that it'll just
blow over
• Downplay effect of the attack or scope of
intrusion

11. Did not own up to being hacked
• Loyal to your vendor products
– But XYZ has NEVER been hacked?!
• Their sales person told me so…
– DoD STIGs / Gold Disk

12. 3) Tried to be the hero
• Single-handedly "fixed" the issue
• Went straight into mitigation without
planning:
– Analysis
– Forensics
– Reverse engineering

13. Tried to be the hero
• Did not seek help from others
• Did not bring in the lawyers
• Did not realize insurance policy required
bringing in independent security team
• Communicate!
– Pass the buck up the chain

14. 4) Did not preserve evidence
• Wiped and re-installed server
• Thought that having server back up
immediately would make you look better
• Did not copy off backups of logs/malware

15. 5) Improperly Managed Antivirus
• Mass-updated clients during an incident and
removed all traces of attack
• Allowed AV to delete critical malware
• Submitted AV sample to vendor too early
– Or VirusTotal / Jotti

16. 6) Improperly Managed Logs
* discipleofjude

17. Improperly Managed Logs
• No log management!
• Did not have correct logs
– Cisco logs rock!
• If you collect the right logs…
• 302013+302014 / 302015+302016, etc
• No appropriate preservation period for logs

18. 7) Did Not Track Incidents
• Email? Really?
• Set up a security tracking database
– Any help desk tool will do
– RTIR (RT for Incident Response)
• You will be hacked again…
– By the same exploit

19. 8) Disrespected Indicators

20. Disrespected Indicators
• Trusted A/V write-ups like the bible
• Did not verify and examine own malware
• Network:
– Listening ports
– Connection attempts (ports, IPs, URLs)
• File system:
– Files, registry
• Memory

21. 9) Miscommunicated About Attack
• Shared information with outsiders without
senior approval
… at a con
… on camera
… then did published interviews
• Did NOT share information with those who
need to know
–FBI / DCISE
– Exercise the Client Attorney privilege

22. Don’t Tell the Hackers
• Ping backs
• Hack backs
• Not using air-gapped systems
• Online sandboxes
• WHOIS lookups

23. 10) Did Not Learn From the Attack
• After-Action Report / Hot Wash
• Be Honest
• Take your hits
• Document risk analysis in decisions
– And the decision maker

24. • You had an IR Plan before… right?
• Revise after every incident
– At the very least with case studies
Incident Response Plan

25. Save Your Job

26. Save Your Job
• Use hacker/paranoia senses
• Document your actions
• Take the high road
• Understand that you’re screwing up
– But document what you did right
• Give your management a way out
– When all else fails, drop the A-word (APT)

27. Contact Us:
e-mail: contact@cmdlabs.com
p: 443.451.7330
www.cmdlabs.com
1101 E. 33rd Street, Suite B308
Baltimore, MD 21218
Brian Baskin
@bbaskin
bbaskin@cmdlabs.com