Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Transcription

1 Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow

2 Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned 1

3 Goals Review and analyze a real world breach Understand pre-breach best practices Understand how to respond, post-breach Understand best practices for breach mitigation and incident response 2

4 Background A brief history of Cyber Attacks Viruses & Hackers Rise of the botnets Monetization of datasets Organized Crime 3

5 Breach: A Case Study Attack Facts: Payment aggregator/gateway 1 million card accounts compromised Attacker in environment since 2009 Discovered in

6 Breach: Secure Architecture 5

7 Breach: Initial Attack Vector 1. Attacked public facing web server with known vulnerability with web application server 2. Pivoted into the backup server 3. Used backup sever to reach database and application servers 6

8 Breach: Pivot and Movement Oct 2009 Web Server 1 Attacker installed a revers shell on web server Installed Nemesis backdoor November 2009 Web Server 2 Installed RAR archive utility Created reverse shell Backup Server Reverse shell created Installed RAR archive utility WinPCAP Driver installed Application Server 1 Reverse shell created Installed RAR archive utility WinPCAP Driver installed 7

9 Breach: Packet Captures 8

10 Breach: Exfiltration 4. RAR archives were used to package up data payload 5. Reverse shells encapsulated with SSH used to push data out 9

11 Breach: Containment 1. Began egress packet capture to create a baseline signature 2. Implemented ACLs to remove Backup server connectivity 3. Implemented ACLs for egress traffic 4. Reset user and service account credentials 10

12 Breach: Eradication 1. Applied robust system hardening to all servers 2. Removed Backup Server 3. Removed Web Servers and replaced with hardened web servers 4. Implemented application whitelisting 5. Started from a known good state for all server rebuilds 6. Deployed Jump servers within Management segment 7. Performed application security assessment 8. Deployed more robust logging, aggregation and event correlation 11

13 Incident Response Life Cycle NIST SP life cycle for risk management 12

14 Incident Response: Preparation Define Governance Policies Address strategy, goals and requirements Communication policy Escalation and handling procedures Incident response team/strategy 3 rd party involvement and law enforcement Log retention policies and procedures Establish system baselines and profiles Insurance coverage 13

15 Incident Response: Incident Response Team Define policies and procedures for the following: Roles and responsibilities Escalation path Prioritization of events Identify team members Documentation templates Access privileges Training & tools 14

16 Incident Response: Incident Response Team 15

17 Incident Response: Detection The detection process should include the following: Identification of Attack Vector(s) Determine the scope of the breach Identify signatures of an incident: Multiple sources of information Volume of suspicious behavior Precursor Vulnerability Scans/Port Sweeps New Exploit External Threats 16

18 Incident Response: Detection (cont.) Identify the signs on an incident: Indicator IDS/IPS alerts Anti Virus Unauthorized or unusual file changes Unscheduled system configuration changes Repeated failed login attempts Network traffic flow Deep technical knowledge 17

19 Incident Response: Analysis Create a system profile or baseline: Run and compare file integrity checks with baseline Monitor network bandwidth Understand normal system behavior (abnormal behavior) Review logs and security alerts 18

20 Incident Response: Analysis (cont.) Determine what you know and what you don t know (don t assume) Multiple sources of information False alarms vs a real breach Timely notification Allocate resources and time for analysis Communication and coordination of team 19

21 Incident Response: Containment Short term-containment vs long term solution Limit the damage Can the problem be isolated Can affected systems be separated from non-affected systems Stop the spread Preserve evidence Forensic Imaging 20

22 Incident Response: Eradication Clearly understand the scope and extent of affected systems Document a plan of attack for removal of these systems Network Host Application 21

23 Incident Response: Recovery Bring systems and services back online in production Start from a good known state Restore data from backup Implement controls to test and verify system state 22

24 Incident Response: Notification Is notification required? Likely risk of harm Nature of the data elements Number of records/individuals affected Accessibility and usability Likelihood of harm Ability to mitigate risk Statutory notification requirements Identify Legal Jurisdictions Involved Identify Statutes Triggered 23

25 Incident Response: Notification (cont.) Timelines for notification Dependent on the type of data breached PII PCI PHI Notification without unreasonable delay Law enforcement may require delay 24

26 Incident Response: Notification (cont.) Source for notification Senior member of management or executive. Organizational awareness Contents of Notification Describe what happened Types of information breached Steps to protect affected parties What you are doing Who to contact for more info Means of Notification Telephone First-Class Mail 25

27 Lessons learned Cost of the breach million dollars Identification Patch your systems System configuration and hardening Prepare and IR plan before your breach Select vendors and partners before your breach 26

28 Q & A 27

29 References The following resources were used as part of this presentation: NIST Computer Security Incident Handling Guide Special Publication rev2 Redacted Customer Forensic Report Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice - Best Practices for Victim Response and Reporting of Cyber Incidents SANS Institute Incident Handler s Handbook DOJ Incident Response Procedures for Data Breaches 28