Things To Do After You ve Been Hacked

Transcription

1 Problem: You ve been hacked! Now what? Solution: Proactive, automated incident response from inside the network Things To Do After You ve Been Hacked Tube web share

2 It only takes one click to compromise an organization Once a breach happens, the damage can be devastating. And unless you adopt a proactive stance in responding to incidents, you are doomed to get compromised over and over again. How many times will you fall...hook, line and sinker? It s time to change your strategy. * 2013 Verizon Data Breach Investigations Report (VDBIR) 95% of all state-affiliated espionage attacks still rely on phishing in some way.* Hexis Page 2

3 It is only a matter of time before you are hacked. Why? Because hackers only need to exploit one vulnerability and defenders need to defend all. It only takes one click by an unknowing user and the hacker is in. It s that simple. To make matters worse, the Verizon Data Breach Investigations Report (VDBIR) found that in 66% of cases the breach wasn t discovered for months or even years. During that time critical data and assets are at risk. How quickly and effectively you respond matters a lot. It isn t realistic to expect you ll never get hacked. But it is realistic to expect you can improve your response and mitigate the impact of attacks now and in the future. These 5 steps can help. * 2013 Verizon Data Breach Investigations Report (VDBIR) 66 % In 66% of cases it took months or even years to discover a breach.* Hexis Page 3

4 1. De 1. Detect and Identify # 1 Error messages, suspicious events in logs, poor performance and unusual bandwidth usage can all indicate a possible event. Once you ve validated that you re dealing with a malicious situation and not noise, such as an instance of misconfiguration or a false positive, you need to establish a cross-functional team to oversee all aspects of the response process and immediately begin to: Locate patient zero if possible, or any device known to be compromised If you can gain access to the actual malware and have the skills, analyze it to determine how it got in, how it is behaving, how it is spreading and if it has exfiltrated any data Even if you can t directly do malware analysis, examine a compromised device to determine Indicators of Compromise (IOCs) so you can search other hosts for signs of exploit Collect and correlate log data from as many sources as available, including server logs, firewall and IDS/IPS logs and flow data, to gather more details about what happened and determine if other hosts are infected Time is of the essence. Given the amount of work and expertise required, you may need to hire professional services to supplement your in-house security team. Do this at your discretion. Hexis Page 4

5 2. To Contain or Not to Contain? # 2 Now that you ve identified the nature, extent and severity of the attack, you have two options contain it or jump straight to removal. Traditional incident response plans dictate you contain and stop it. This involves: Quarantining the compromised host(s) or system(s) or disabling certain functions Removing user access or login to the system Determining the access point and blocking it to prevent ongoing damage Containing is appropriate if you re dealing with a drive-by type attack in which a virus or other rudimentary threat is introduced and the attacker quickly moves on to the next victim. But if you believe you re dealing with advanced malware or an APT that watches and alters its techniques depending on your reaction, the more effective approach could be to jump directly to #3 and coordinate the removal phase. Quarantining systems and blocking access is an immediate tip-off to the attacker that you re on to them. They ll simply hide and lay dormant within your environment to launch at a point in the future, or alter their methods in a way that you can t detect and continue on their mission. Hexis Page 5

6 3. Remove and Recover # 3 Whether you choose to contain the attack or not, comprehensively removing the threat is critical so that you can reduce the risk of reinfection and get back to normal operations. This is particularly important when dealing with an APT that will simply move elsewhere in the network and attack again, requiring you to repeat this entire process. If possible, identify all infected hosts on the network and then perform the following steps on the hosts known to be compromised: Stop or kill all active processes of the attacker Remove all the files, back doors and malicious programs the attacker created and save them as evidence for the investigation Protect sensitive data by separating it from the compromised system(s) or network Check all associated systems including those through trusted relationships Apply patches and fixes to eliminate vulnerabilities and correct any improper settings/misconfigurations to prevent subsequent similar attacks Update all login accounts and passwords that may have been accessed by the attacker Perform a damage assessment on each system/file Reinstall the affected files or the entire system as needed Turn on functions in stages in order of priority, verify successful restoration, and notify all affected parties Disconnect the infected hosts and, if necessary, obtain forensic information Perform daily reboots of systems to eliminate memory-only resident malware Hexis Page 6

7 4. Be Proactive # 4. At this point you probably think you re out of the woods. And in some ways you are, having executed a thorough response, mitigated the impact of the attack, and learned from it to prevent future similar attacks. But sophisticated and relentless attackers learned from the experience as well. They ll return with nuanced versions of the attack and you ll be back on the defensive, repeating this process again and again. If you ve hired professional services to help with incident response and remediation then dealing with reinfections can cause security costs to spiral out of control. To break the cycle, you need to take a proactive stance by: Changing your mindset from if to when an attack will happen so that you can better anticipate threats and take action to reduce the amount of time an APT lives in your organization Actively investigating your environment for IOCs by continuing to collect data from multiple sources and looking for known malware via signatures and unknown malware via behavioral detection algorithms Staying current with the latest threat intelligence and available countermeasures and deploying them as required within the context of your environment Hexis Page 7

8 5. Automate Incident Response Being proactive can be potentially time consuming because you are now investing resources in looking for attacks before they occur. In the long term it makes financial sense, but it may be difficult to justify in the short term because of the additional resources required. This is why automation goes hand in hand with a proactive approach. Automation eliminates the need to perform manual work that is crucial but time consuming, such as collecting endpoint data from a large number of hosts and searching for IOCs. # 5. To begin to incorporate automation into your approach to incident response: Select solutions that you and your team trust and that integrate well with your existing security infrastructure Evolve from manual methods to automation over time as your comfort level grows and the value is demonstrated begin with low hanging fruit such as searching for and removing files with known bad MD5 hash values on endpoints; move to more sophisticated methods of analyzing data to identify IOCs and kill processes or remove files Report back to the business on how automation is saving costs while enhancing security by freeing up highly skilled security staff to be proactive Status quo is not an option. If you shun automation entirely you ll find yourself at a constant and mounting disadvantage against attackers. Hexis Page 8

9 STOP Don t tip your hand needlessly. You may decide to contain the attack but be careful how you respond. Actions such as hacking back or submitting the malware to a reporting site will inform the adversary you re on to them. The same is true if you use your compromised network to coordinate incident response efforts, rather than establish out-of-band communications. Before you know it, hackers will deploy another technique while you re still dealing with the first attack. Don t start investigating without a plan. An overzealous response can compound the damage. For example, utilizing an external tool to attempt to find the threat can taint the data required to perform proper timeline analysis. External tools can also overwrite data that may provide valuable forensic artifacts such as prefetch data (data that is preloaded to speed the boot process and shorten application startup time). Prefetch data may help to answer the what, where and when of an attack. Don t keep it to yourself. Inform management and the right people using the incident notification call list and call tree. Collaboration can help you more effectively deal with the situation. If you ve hired professional services to help, make sure knowledge transfer is part of their process to help keep costs in check. Hexis Page 9

10 After you ve been hacked, reducing the amount of time an APT lives in your organization is the goal. To get the job done you need a methodical approach that includes steps to detect/identify, contain or perhaps not, and remove/recover from the attack as quickly as possible. But you can t and there s no reason why you should stop there. Attackers are increasingly creative in their methods of attack. You need to become more creative in how you identify and remediate the growing number of security incidents you organization will continue to face. By adopting a proactive approach that includes the option of policy-based automation you can reduce the time and costs your team spends on incident response. Only then can you shift the bulk of your resources from focusing on what happened in the past, to creating a safer future. 5 Steps to Stop the Cycle Hexis Page 10

11 Attacks are inevitable Companies should devote more time and effort to detection and remediation; preventing attacks becoming breaches, and breaches becoming financial and reputational disasters.* For more information: Request the full white paper or arrange a demo of proactive defense from inside the network: info@hexiscyber.com. 86 % Is IT spending time on the right prevention measures? 86% of breaches were discovered by non-it efforts; 76% were by external parties.* * 2013 Verizon Data Breach Investigations Report (VDBIR) Hexis Cyber Solutions, Inc., a subsidiary of The KEYW Holding Corporation (Nasdaq:KEYW), serves commercial companies, government agencies, and the Intelligence Community (IC) with tools and capability to detect, engage, and remove both external and internal cyber threats. To learn more, phone ; info@hexiscyber.com; or visit Hexis Page 11