agile incident response operating through ongoing
play

Agile Incident Response: Operating through Ongoing Confrontation - PowerPoint PPT Presentation

Oct 09, 2022 •676 likes •1.29k views

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

  1. Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia

  2. Who Am I?  Professorial Lecturer • Carnegie Mellon University  95-856 Incident Response  Master of Information System Management • The George Washington University  Computer Forensics III  Masters in Forensic Science  Author for McGraw-Hill  Honeynet Project 1

  3. Who Am I?  Last 3 Years • Responded to over 300 Potentially Compromised Systems. • Responded to Intrusions at Over 40 Organizations. • Created IR Programs at Several Fortune 500 Firms. 2

  4. Agenda  Incident Detection  Case Studies  Performing Agile Incident Response  Operating through a Constant Aggressor 3

  5. How Are Organizations Detecting Computer Security Incidents?

  6. 1. How are Organization’s Detecting Incidents?  Antivirus Alerts? • Perhaps, but do not Count on It… • Alerts are Often Ignored – and Perhaps Value-less without an In-Depth Review of the System. • Quarantined Files Often Remain a Mystery Anti-Virus Merely Alerts an Organization that Something Bad Might have Occurred. No Confirmation. Potential Loss of Critical Data 5

  7. Findings – Ongoing Intrusion  The Review of 10 Malicious Executable Files Yielded: • 12/12 Files were NOT Publicly Available • 12/12 Files were NOT Detected by AV • 11/12 Files Reviewed were Packed via 2(5) Different Methods It is Highly Unlikely AV will ever Trigger on Microsoft Tools or Sysinternal Tools. 6

  8. 2. How are Organization’s Detecting Incidents?  IDS Alerts? • Rare Detection Mechanism. IDS Port 22 Port 22 Port 443 Port 443 VPN VPN 7

  9. 3. How are Organization’s Detecting Incidents?  Clients (Outside Company) • More Often than Pro-Active Countermeasures. • Malicious Software Discovered on Compromised End-User Systems. • Recently (December 2005) Found a Keylogger Configuration File that Contained Approximately 1,157 Keyword Search Terms, and URL’s for Approximately 74 Online Banking Facilities. 8

  10. 4. How are Organization’s Detecting Incidents?  End Users (Internal) • System Crashes (Blue Screens of Death) • Continual Termination of Antivirus Software. • Installing New Applications Simply Does Not Work. • Commonly Used Applications Do Not Run. • You Cannot “Save As”. • Task Manager Closes Immediately When You Execute It. 9

  11. 5. How Are Organization’s Detecting Incidents?  Something Obvious … 10

  12. 6. How are Organizations Detecting Incidents?  Notification from other Victims.  Notification from Government Agencies. 11

  13. Case Studies The State of the Hack

  14. The State of the Hack  End User Attacks • Phishing • Spam / Rogue Attachments*  Web Application Compromises • Custom App Vulnerabilities  Valid Credentials • VPN Access • PSEXEC* 13

  15. Case Study – Targeted Spamming

  16. Incident Detected  A Network Intrusion Detection System Observed Traffic Outbound to a Hostile / Uncommon Domain  Traced IP Address Internally to a Laptop Victim Laptop Hostile Domain 15

  17. Demonstration

  18. Demo 1  Victim Receives “Innocuous Email” • Command Shell Backdoor sent to Drop Site Victim Drop Site Attacker 66.92.146.248 66.92.146.1 66.92.146.247 17

  19. Demo 2  Victim Receives “Innocuous Email” • “Server” Sends Connection to Attacker Victim Drop Site Attacker 66.92.146.248 66.92.146.1 66.92.146.247 18

  20. Demo 3  Attacker Uses Valid Credentials and PSEXEC to Connect and Launch Evil Code on Victim System Victim Drop Site Attacker 66.92.146.248 66.92.146.1 66.92.146.247 19

  21. Practicing Agile Incident Response

  22. Practicing Agile Incident Response  Agile Incident Response Requires • Understanding the Corporate/Organization Priorities • Rapid Data Collection Capability • Rapid Data Analysis • Focused Response:  Identify Host-Based Countermeasures  Identify Network-Based Countermeasures  Rapid/Concise Documentation 21

  23. 1. Understanding Corporate/Organization Priorities

  24. Understanding Corporate Priorities  Executive Concerns  Legal Concerns  Technical Concerns 23

  25. Management Concerns (Board and CEO)  What is the Incident’s Impact on Business?  Do We have to Notify our Clients?  Do We have to Notify our Regulators?  Do We have to Notify our Stock Holders?  What is Everyone Else Doing about this Sort of thing? 24

  26. Legal Counsel Concerns  What are the applicable regulations or statutes that impact our organization’s response to the security breach?  Are there any contractual obligations that impact our incident response strategy?  Are we required to notify our clients, consumers, or employees about the security breach?  What constitutes a “reasonable belief” that protected information was compromised – the standard used in many states to determine whether notification is required? 25

  27. Legal Counsel Concerns  How might public knowledge of the compromise impact the organization?  What is our liability if the compromised network hosted pirated software, music, or videos?  Does notifying our customers increase the likelihood of a lawsuit?  Is it permissible to monitor/intercept the intruder’s activities?  How far can/should we go to identify the intruder?  Should the organization notify our regulators? Law enforcement? 26

  28. Technical Management (CIO)  How long were we exposed?  How many systems were affected?  What data, if any, was compromised (i.e., viewed, downloaded, or copied)?  Was any Personal Identifiable Information (PII) compromised?  What countermeasures are we taking? 27

  29. Technical Management (CIO)  What are the chances that our countermeasures will succeed?  Who else knows about the security breach?  Is the incident ongoing? Preventable?  Is there a risk of insider involvement? 28

  30. 2. Rapid Data Collection

  31. Performing Live Response  Cost-Effective Manner to Collect Information  Collecting Information that is Lost When a Machine is Powered Off  Collecting Windows/Unix Artifacts that Assist in the Investigation 30

  32. Volatile Data  The System Date and Time  Current Network Connections  Which Programs are Opening Network Connections (Listening)  Users Currently Logged On  Running Processes  Running Services  Memory Space of Active Processes  Scheduled Jobs  RAM 31

  33. Windows Artifacts Collected from Live Systems  File Lists  The Windows Registry  The Windows Event Logs  Specific/Relevant Files  The System Patch Level  Certain Proprietary Log Files 32

  34. Incident is Detected Network Monitoring Internet Incident Corporate Network Detected on Host 1 Backdoor Channel 33

  35. Performing Live Response 1. Last Accessed Time of Files Incident 2. Last Written Time of Files Detected on 3. Creation Time of Files Host 1 4. Volatile Information 5. Services Running 6. Event Logs Respond 7. Registry Entries on Host 1 8. Host Status (Uptime, Patch Level) 9. IIS and Other Application Logs Live Data Collection Performed to Verify Incident and Determine Indicators / Signature of the Attack 34

  36. Demo 4  Live Response Victim Drop Site Attacker 66.92.146.248 66.92.146.1 66.92.146.247 35

  37. 3. Rapid Data Analysis

  38. Case 2 - Initial Detection  Victim Organization Targeted - Ongoing Computer Intrusion  Victim Organization Tweaked Proxy Server Logs to Review all Outbound Connects to Hostile Domains  Caught a Bleep on the Radar from a Host  Performs a Remote Live Response Using First Response 37

  39. Demo 5  Rapid Analysis Victim Drop Site Attacker 66.92.146.248 66.92.146.1 66.92.146.247 38

  40. 4. Focus: Countermeasures/Documentation

  41. Focus  Focus = Defined and Established • Goals • Roles • Expectations  Speed  Communication  Documentation 40

  42. Know Your Goals 41

  43. Know Roles  Data Collection  Data Analysis  Malware Analysis  Network Traffic Analysis  Host-Based Detection  Documentation 42

  44. Speed  Incident Response – Fast and Steady  Fast Enough to Get Reliable Answers  Fast Enough to Provide Simple but Adequate Documentation  We Strongly Dissuade Briefing Anything that has not been Written. 43

  45. Documentation  Establish Champions Responsible for the Necessary Documents: • Status Reports • Live Response Investigative Steps • Hot IPs • Host-Based Indicators of Compromise • Network-Based Indicators of Compromise • Remedial Steps 44

  46. Operating through an Attack

  47. Operating through an Attack Obtain High-Level   Direction Know your Remediation  Philosophy Identify the “Zone” You  Are In Determine Remediation   Plan Determine Readiness  Execute  46

  48. 1. Obtaining High-Level Direction  The Most Difficult and Confusing Aspect of Remediation Planning  Impacts All Aspects of your Remediation Plan • What is Your Leadership’s Tolerance of the Status Quo? • How Good Does Your Incident Response Need to Be? • How Much are You Willing to Spend? • What is the Risk?  Do you have to Tell Shareholders?  Do you have to tell Clients? 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Aaron LeMasters & Michael Murphy 1 1 RETRI is a new, agile approach to the Incident

Aaron LeMasters & Michael Murphy 1 1 RETRI is a new, agile approach to the Incident

By: Aaron LeMasters & Michael Murphy 1 1 RETRI is a new, agile approach to the Incident Response process, consisting of 4 phases with clear entry and exit criteria Using special network segmentation and isolation technologies,

1.09k views • 74 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT MIRG OOERATIONAL GUIDELINES The project developed the following operational guidelines: 1. Assessing the Safety Status of a Vessel

598 views • 16 slides
Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored By: Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Visit www.advisenltd.com at the end of this webinar to

498 views • 18 slides
Commission Briefing Emergency Preparedness and Response Office of Nuclear Security Office of

Commission Briefing Emergency Preparedness and Response Office of Nuclear Security Office of

Commission Briefing Emergency Preparedness and Response Office of Nuclear Security Office of Nuclear Security and and Incident Response Incident Response 1 Emergency Planning Emergency Planning Ongoing coordination, planning, practice,

1.09k views • 72 slides
Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security Engineer/Incident Responder Open source contributor (github.com/javuto) Former IBM, Facebook, Uber and Airbnb Current BitMEX Agenda Part 1:

981 views • 59 slides
PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub egan {husakm|cegan}@ics.muni.cz ECTCM 2014 Fribourg, Switzerland Outline Introduction, Phishing incident response, PhiGARo (phishing

270 views • 23 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance Operators 3 FillIn Motorist Assistance Operators from Maintenance 1 Work Zone Coordinator 2 MoDOT TMC Operators 1 City of Springfield

404 views • 24 slides
The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren

The Incident Responders Toolkit the stuff they dont teach you in school Judith van Stegeren After my graduation After my graduation Where I work Skill set What I do What I do Case study: incident response Incident Response for fictional

709 views • 39 slides
Corporate Presentation February 2020 Disclaimer This presentation does not constitute or form

Corporate Presentation February 2020 Disclaimer This presentation does not constitute or form

TSXV & BVL:TK | OTCPK: TKRFF www.tinkaresources.com Corporate Presentation February 2020 Disclaimer This presentation does not constitute or form a part of, and should not be construed as an offer, solicitation or invitation to

475 views • 28 slides
The COVID-19 Workforce Challenge Strategies to manage your workforce to come out stronger in

The COVID-19 Workforce Challenge Strategies to manage your workforce to come out stronger in

The COVID-19 Workforce Challenge Strategies to manage your workforce to come out stronger in recovery April 24, 2020 Introductions Faiz Khanbabi (A&M) Teal Reamer (BTS) Kevin McMahon (A&M) Riz Shah (A&M) Ryan Isherwood (A&M)

454 views • 19 slides
Main Hoshangabad Road Bhopal, MP www.beyondsquarefeet.com 1 Description : Shopping Mall

Main Hoshangabad Road Bhopal, MP www.beyondsquarefeet.com 1 Description : Shopping Mall

Main Hoshangabad Road Bhopal, MP www.beyondsquarefeet.com 1 Description : Shopping Mall Location : Main Hoshangabad Road, Bhopal. Mall GLA : 3,00,000 sq.ft * Levels : LG+GF+FF+SF+TF Status : Operational Mall

474 views • 10 slides
Indian National Trust for Art and Cultural Heritage (INTACH), India Cultural Mapping of a

Indian National Trust for Art and Cultural Heritage (INTACH), India Cultural Mapping of a

Community Involvement in Cultural Mapping and Safeguarding of Intangible Cultural Heritage (ICH) Indian National Trust for Art and Cultural Heritage (INTACH), India Cultural Mapping of a Community Cultural Elements and Resources to look for

326 views • 13 slides
US-69 McAlester US-69 from the US-270 junction south approximately 2 miles to Fourteenth Street,

US-69 McAlester US-69 from the US-270 junction south approximately 2 miles to Fourteenth Street,

US-69 McAlester US-69 from the US-270 junction south approximately 2 miles to Fourteenth Street, including the Village Road (Kinkead Road) interchange and adjacent frontage roads. Anthony Echelle, P.E. ODOT Division II Engineer Project Area

746 views • 39 slides
Ohios M aritime Transportation System 1 Its hard to believe that until recently ODOT

Ohios M aritime Transportation System 1 Its hard to believe that until recently ODOT

Ohios M aritime Transportation System 1 Its hard to believe that until recently ODOT didnt have a Maritime presence 2 Ohio Contractors Magazine Feature Story Nov/ Dec 2009 Ohios M aritime Transportation System Linking

417 views • 22 slides
Janet Lewis Providing community healthcare in London and the Home Counties CLCH who are we?

Janet Lewis Providing community healthcare in London and the Home Counties CLCH who are we?

Janet Lewis Providing community healthcare in London and the Home Counties CLCH who are we? CLCH is Londons largest stand -alone community NHS Trust Community Services is our core business deliver Childrens Services across 9

170 views • 14 slides
Agenda Introduction Overview of components Command Center Modes Of Operation

Agenda Introduction Overview of components Command Center Modes Of Operation

ACCS A twood C omfort C ontrol S ystem By: ATWOOD MOBILE PRODUCTS 1 Atwood Comfort Control System 4/12/2019 Agenda Introduction Overview of components Command Center Modes Of Operation Trouble Shooting 2 Atwood Comfort

833 views • 50 slides

More recommend