Security incidents targeting corporations are occurring on a daily basis. While we may hear about the large cases in the news, network and security administrators from smaller organizations quake in fear of losing their jobs after a successful attack on their network. Simple bad decisions and stupid mistakes in responding to a data breach or network intrusion are a great way to find yourself new employment. In this talk I’ll show you in twelve easy steps how to do so after, or even during, a security incident in your company.
8. Oblivious that you were hacked
• No active or routine monitoring of traffic
• No investigation of log irregularities
• Often find out about attack after:
– Data is exfiltrated
– Received notification from third party
– Competitor releases one of your products
9. Levels of Obliviousness
• Notified by third party months later
• Didn’t see until next day
• Saw and stopped during exfiltration
• Saw and stopped during attack
• Attacks automatically blocked by existing rules
10. 2) Did not own up to being hacked
• Hope that no one will notice and that it'll just blow over
• Downplay effect of the attack or scope of intrusion
11. Did not own up to being hacked
• Loyal to your vendor products
– But XYZ has NEVER been hacked?!
• Their salesperson told me so…
– DoD STIGs / Gold Disk
12. 3) Tried to be the hero
• Single-handedly "fixed" the issue
• Went straight into mitigation without planning:
– Analysis
– Forensics
– Reverse engineering
13. Tried to be the hero
• Did not seek help from others
• Did not bring in the lawyers
• Did not realize insurance policy required bringing in independent security team
• Communicate!
– Pass the buck up the chain
14. 4) Did not preserve evidence
• Wiped and re-installed server
• Thought that having server back up immediately would make you look better
• Did not copy off backups of logs/malware
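What "copy off backups of logs/malware" looks like when done properly, as an added example that is not tooling from the talk: copy each artifact without altering it, hash both the original and the copy, write a chain-of-custody manifest (who, when, which case, which hashes), and re-verify the copies later so anyone "cleaning up" the evidence store is detected. The case ID, collector name, file names and the single sample log line are constructed for the example.

```python
"""Preserve log/malware artifacts before touching the box: copy, hash,
record a chain-of-custody manifest, and re-verify later.
Added example for this page, not the talk's own tooling; the sample
log content, case ID and collector name are constructed."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so multi-GB images do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources, dest_dir, collector: str, case_id: str) -> dict:
    """Copy every source file into dest_dir and write MANIFEST.json beside the copies."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        copy = dest / src.name
        shutil.copy2(src, copy)  # copy2 keeps the original mtime, which is itself evidence
        src_hash = sha256_file(src)
        if sha256_file(copy) != src_hash:
            raise RuntimeError(f"copy of {src} does not match its source")
        st = src.stat()
        entries.append({
            "original_path": str(src.resolve()),
            "copy": copy.name,
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": src_hash,
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(dest_dir) -> list:
    """Re-hash every copy against the manifest; returns the names that no longer match."""
    dest = Path(dest_dir)
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    bad = []
    for entry in manifest["files"]:
        copy = dest / entry["copy"]
        if not copy.exists() or sha256_file(copy) != entry["sha256"]:
            bad.append(entry["copy"])
    return bad


def demo() -> dict:
    """Run the whole procedure on a constructed log file, then tamper with the copy."""
    work = Path(tempfile.mkdtemp())
    content = ("Mar 10 02:14:11 web01 sshd[4121]: Accepted password for root "
               "from 198.51.100.9 port 51000 ssh2\n")  # constructed sample line
    log = work / "auth.log"
    log.write_text(content)
    vault = work / "evidence"
    manifest = preserve_evidence([log], vault, collector="jdoe", case_id="IR-0001")
    clean = verify_evidence(vault)          # expected: nothing wrong
    (vault / "auth.log").write_text("")     # someone 'helpfully' empties the copy
    tampered = verify_evidence(vault)       # expected: auth.log reported
    shutil.rmtree(work)
    return {
        "files": len(manifest["files"]),
        "sha256": manifest["files"][0]["sha256"],
        "expected": hashlib.sha256(content.encode()).hexdigest(),
        "clean": clean,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest (and ideally the hashes) somewhere the attacker and the rebuild crew cannot reach, such as the safe the speaker notes mention; a manifest stored next to the copies only proves the copies have not changed since the manifest was written, not that the manifest itself is authentic.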
15. 5) Improperly Managed Antivirus
• Mass-updated clients during an incident and
removed all traces of attack
• Allowed AV to delete critical malware
• Submitted AV sample to vendor too early
– Or VirusTotal / Jotti
17. Improperly Managed Logs
• No log management!
• Did not have correct logs
– Cisco logs rock!
• If you collect the right logs…
• ASA message IDs 302013/302014 (TCP connection built / torn down) and 302015/302016 (the same for UDP), etc.
• No appropriate preservation period for logs
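Why those ASA message IDs matter, as an added example that is not part of the talk: the built and teardown messages share a connection ID, so pairing them gives per-connection byte counts and durations, which is exactly what you need to find an exfiltration after the fact. The log lines, addresses, thresholds and the hostname are constructed; the message layout follows the ASA 302013-302016 format.

```python
"""Reconstruct per-connection records from Cisco ASA connection logs and
flag outbound flows that look like bulk transfer.
Added example for this page, not from the talk; the sample lines below
are constructed (documentation address ranges, made-up host 'fw01')."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# 302013/302014: TCP connection built / torn down.
# 302015/302016: the same pair for UDP.
BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn>\d+) for (?P<for_ep>\w+:[\d.]+/\d+) \([\d.]+/\d+\) "
    r"to (?P<to_ep>\w+:[\d.]+/\d+)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-30201[46]: Teardown (?:TCP|UDP) connection (?P<conn>\d+) "
    r"for \S+ to \S+ duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"bytes (?P<byte_count>\d+)"
)


@dataclass
class Conn:
    conn_id: str
    proto: str
    direction: str
    for_endpoint: str   # "interface:addr/port" after 'for'
    to_endpoint: str    # "interface:addr/port" after 'to'
    duration_s: Optional[int] = None   # filled in from the teardown message
    byte_count: Optional[int] = None   # filled in from the teardown message


def parse_asa(lines: List[str]) -> Dict[str, Conn]:
    """Pair built/teardown messages by connection ID."""
    conns: Dict[str, Conn] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            conns[m["conn"]] = Conn(m["conn"], m["proto"], m["direction"],
                                    m["for_ep"], m["to_ep"])
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["conn"] in conns:
            c = conns[m["conn"]]
            c.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c.byte_count = int(m["byte_count"])
    return conns


def flag_bulk_outbound(conns: Dict[str, Conn], min_bytes: int = 100 * 1024 * 1024,
                       min_duration_s: int = 3600) -> List[Conn]:
    """Closed outbound connections that moved a lot of data or stayed up a long time."""
    return sorted((c for c in conns.values()
                   if c.direction == "outbound" and c.byte_count is not None
                   and (c.byte_count >= min_bytes or c.duration_s >= min_duration_s)),
                  key=lambda c: c.conn_id)


def still_open(conns: Dict[str, Conn]) -> List[Conn]:
    """Built but never torn down inside the log window: possibly still exfiltrating."""
    return sorted((c for c in conns.values() if c.byte_count is None),
                  key=lambda c: c.conn_id)


# Constructed sample log, not a real capture.
SAMPLE_LINES = [
    "Mar 10 02:14:11 fw01 %ASA-6-302013: Built outbound TCP connection 1000 for outside:198.51.100.23/443 (198.51.100.23/443) to inside:10.0.0.12/49811 (203.0.113.5/49811)",
    "Mar 10 02:14:14 fw01 %ASA-6-302014: Teardown TCP connection 1000 for outside:198.51.100.23/443 to inside:10.0.0.12/49811 duration 0:00:03 bytes 4120 TCP FINs",
    "Mar 10 02:15:02 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.77/443 (203.0.113.77/443) to inside:10.0.0.12/49812 (203.0.113.5/49812)",
    "Mar 10 02:16:40 fw01 %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.9/51000 (198.51.100.9/51000) to inside:10.0.0.20/22 (203.0.113.6/22)",
    "Mar 10 02:16:41 fw01 %ASA-6-302015: Built outbound UDP connection 1003 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.0.0.12/50123 (203.0.113.5/50123)",
    "Mar 10 02:16:41 fw01 %ASA-6-302016: Teardown UDP connection 1003 for outside:203.0.113.53/53 to inside:10.0.0.12/50123 duration 0:00:00 bytes 180",
    "Mar 10 02:17:02 fw01 %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.9/51000 to inside:10.0.0.20/22 duration 0:00:22 bytes 4096 TCP FINs",
    "Mar 10 03:27:07 fw01 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.77/443 to inside:10.0.0.12/49812 duration 1:12:05 bytes 734003200 TCP FINs",
    "Mar 10 03:30:00 fw01 %ASA-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.77/443 (203.0.113.77/443) to inside:10.0.0.12/49900 (203.0.113.5/49900)",
]


if __name__ == "__main__":
    records = parse_asa(SAMPLE_LINES)
    for c in flag_bulk_outbound(records):
        print(f"bulk outbound: {c.to_endpoint} -> {c.for_endpoint} "
              f"{c.byte_count} bytes over {c.duration_s}s")
    for c in still_open(records):
        print(f"still open: {c.to_endpoint} -> {c.for_endpoint} ({c.proto})")
```

The connection ID is only unique until the ASA reboots or wraps, so when walking months of retained logs, key on (device, ID, built timestamp) rather than the bare ID. This is also why the retention point on the slide matters: a teardown with no matching built record in the window tells you the connection was older than your logs.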
18. 7) Did Not Track Incidents
• Email? Really?
• Set up a security tracking database
– Any help desk tool will do
– RTIR (RT for Incident Response)
• You will be hacked again…
– By the same exploit
20. Disrespected Indicators
• Trusted A/V write-ups like the Bible
• Did not verify and examine own malware
• Network:
– Listening ports
– Connection attempts (ports, IPs, URLs)
• File system:
– Files, registry
• Memory
21. 9) Miscommunicated About Attack
• Shared information with outsiders without senior approval
… at a con
… on camera
… then did published interviews
• Did NOT share information with those who need to know
– FBI / DCISE
– Exercise attorney-client privilege
22. Don’t Tell the Hackers
• Ping backs
• Hack backs
• Not using air-gapped systems
• Online sandboxes
• WHOIS lookups
23. 10) Did Not Learn From the Attack
• After-Action Report / Hot Wash
• Be Honest
• Take your hits
• Document risk analysis in decisions
– And the decision maker
24. Incident Response Plan
• You had an IR Plan before… right?
• Revise after every incident
– At the very least with case studies
26. Save Your Job
• Use hacker/paranoia senses
• Document your actions
• Take the high road
• Understand that you’re screwing up
– But document what you did right
• Give your management a way out
– When all else fails, drop the A-word (APT)
Jumped straight to remediation without scope analysis
Louisville bridge. LAWYERS! Cyber insurance.
Set aside the original hard drive in a safe. Copy all logs and set in safe. Get logs ASAP and store them. Go back as far as you can on a 1-2 TB drive. GET PCAPS! – But talk to lawyer first.