Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Agenda
- Background & threat landscape
- Breach: a case study
- Incident response best practices
- Lessons learned

Goals
- Review and analyze a real-world breach
- Understand pre-breach best practices
- Understand how to respond post-breach
- Understand best practices for breach mitigation and incident response

Background: A brief history of cyber attacks
- Viruses & hackers
- Rise of the botnets
- Monetization of datasets
- Organized crime

Breach: A Case Study
Attack facts:
- Payment aggregator/gateway
- 1 million card accounts compromised
- Attacker in environment since 2009
- Discovered in 2014

Breach: Secure Architecture (diagram slide)

Breach: Initial Attack Vector
1. Attacked a public-facing web server through a known vulnerability in its web application server
2. Pivoted into the backup server
3. Used the backup server to reach the database and application servers

Breach: Pivot and Movement
October 2009, Web Server 1:
- Attacker installed a reverse shell on the web server
- Installed Nemesis backdoor
November 2009, Web Server 2:
- Installed RAR archive utility
- Created reverse shell
Backup Server:
- Reverse shell created
- Installed RAR archive utility
- WinPCAP driver installed
Application Server 1:
- Reverse shell created
- Installed RAR archive utility
- WinPCAP driver installed

Breach: Packet Captures (capture screenshots slide)

Breach: Exfiltration
4. RAR archives were used to package up the data payload
5. Reverse shells encapsulated in SSH were used to push the data out

Breach: Containment
1. Began egress packet capture to create a baseline signature
2. Implemented ACLs to remove backup server connectivity
3. Implemented ACLs for egress traffic
4. Reset user and service account credentials
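The egress baseline in containment steps 1 and 3, and the SSH-wrapped exfiltration on the previous slide, can be checked with a short script like the one below. This is an added example, not material from the presentation or from the forensic report it draws on: the flow records, host names and IP addresses are constructed, and the ACL text uses a Cisco-style syntax chosen here only for illustration. It learns which (destination, port) pairs each host normally talks to and how much it sends, flags later flows that go somewhere new or move far more data than the baseline, and renders the baseline as allow-list ACL lines.

```python
"""Egress baseline check (added example; all data constructed).

Learn the (destination, port) pairs each host normally talks to and the
largest volume seen per pair, then flag later flows that go to a new peer
or move far more data than the baseline. Finally render the baseline as
allow-list ACL lines, i.e. the containment step of restricting egress to
known-good destinations."""
from collections import defaultdict

# Constructed flow records from the baseline capture window:
# (source host, destination IP, destination port, bytes out)
BASELINE_FLOWS = [
    ("web1", "10.0.0.5", 1433, 12_000),       # web tier to database
    ("web1", "10.0.0.5", 1433, 15_000),
    ("web1", "203.0.113.9", 443, 40_000),     # payment partner API
    ("backup1", "10.0.0.5", 445, 900_000),    # nightly backup pulls
    ("backup1", "10.0.0.7", 445, 850_000),
]

# Constructed flows from a later capture window.
LATER_FLOWS = [
    ("web1", "10.0.0.5", 1433, 13_000),           # within baseline
    ("web1", "10.0.0.5", 1433, 500_000),          # known peer, 30x usual volume
    ("web1", "198.51.100.20", 22, 95_000_000),    # new external peer over SSH
    ("backup1", "10.0.0.7", 445, 870_000),        # within baseline
    ("backup1", "198.51.100.20", 22, 2_000_000),  # new external peer over SSH
]


def build_baseline(flows):
    """Per host: {(dst, port): largest byte count seen in the baseline window}."""
    known = defaultdict(dict)
    for host, dst, port, nbytes in flows:
        key = (dst, port)
        known[host][key] = max(known[host].get(key, 0), nbytes)
    return dict(known)


def find_anomalies(baseline, flows, volume_factor=10):
    """Return (host, dst, port, reason) for each flow outside the baseline."""
    findings = []
    for host, dst, port, nbytes in flows:
        peers = baseline.get(host, {})
        key = (dst, port)
        if key not in peers:
            findings.append((host, dst, port, "unknown destination"))
        elif nbytes > volume_factor * peers[key]:
            findings.append((host, dst, port, "volume above baseline"))
    return findings


def egress_acl(baseline, host):
    """Render a host's baseline as allow lines followed by a deny-all.
    The line format is Cisco-style and chosen here only for illustration."""
    lines = [f"permit tcp host {host} host {dst} eq {port}"
             for dst, port in sorted(baseline.get(host, {}))]
    lines.append(f"deny ip host {host} any")
    return lines


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for finding in find_anomalies(base, LATER_FLOWS):
        print("ALERT", *finding)
    print("\n".join(egress_acl(base, "backup1")))
```

The volume factor is deliberately generous (10x the largest baseline value) so that ordinary day-to-day variation does not page anyone; the new-destination rule is what catches the SSH session to an address the host has never spoken to, which matches how the exfiltration in this case would have looked on the wire.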

Breach: Eradication
1. Applied robust system hardening to all servers
2. Removed the backup server
3. Removed the web servers and replaced them with hardened web servers
4. Implemented application whitelisting
5. Started from a known good state for all server rebuilds
6. Deployed jump servers within the management segment
7. Performed an application security assessment
8. Deployed more robust logging, aggregation and event correlation

Incident Response Life Cycle
NIST SP 800-61 life cycle for risk management (diagram slide)

Incident Response: Preparation
Define governance policies:
- Address strategy, goals and requirements
- Communication policy
- Escalation and handling procedures
- Incident response team/strategy
- 3rd-party involvement and law enforcement
- Log retention policies and procedures
- Establish system baselines and profiles
- Insurance coverage

Incident Response: Incident Response Team
Define policies and procedures for the following:
- Roles and responsibilities
- Escalation path
- Prioritization of events
- Identify team members
- Documentation templates
- Access privileges
- Training & tools

Incident Response: Incident Response Team (diagram slide)

Incident Response: Detection
The detection process should include the following:
- Identification of attack vector(s)
- Determine the scope of the breach
- Identify signatures of an incident:
  - Multiple sources of information
  - Volume of suspicious behavior
Precursors:
- Vulnerability scans/port sweeps
- New exploit
- External threats

Incident Response: Detection (cont.)
Identify the signs of an incident:
Indicators:
- IDS/IPS alerts
- Anti-virus
- Unauthorized or unusual file changes
- Unscheduled system configuration changes
- Repeated failed login attempts
- Network traffic flow
- Deep technical knowledge
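The "repeated failed login attempts" indicator above can be turned into a concrete check. The following is an added example, not from the presentation: it reads constructed sshd-style log lines (the timestamps, user names and addresses are made up, and the ISO timestamp format is a simplification of the real syslog format), flags any source with five or more failures inside a 60-second window, and then looks for a successful login from the same source shortly afterwards, which is the case an analyst should triage first because the guessing may have ended in a working password.

```python
"""Failed-login burst detection over sshd-style log lines.
Added example; the log lines below are constructed, not from a real host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = """\
2015-03-01T10:00:01 sshd[2201]: Failed password for root from 198.51.100.7 port 50122 ssh2
2015-03-01T10:00:03 sshd[2201]: Failed password for root from 198.51.100.7 port 50123 ssh2
2015-03-01T10:00:04 sshd[2201]: Failed password for admin from 198.51.100.7 port 50124 ssh2
2015-03-01T10:00:06 sshd[2201]: Failed password for admin from 198.51.100.7 port 50125 ssh2
2015-03-01T10:00:09 sshd[2201]: Failed password for oracle from 198.51.100.7 port 50126 ssh2
2015-03-01T10:00:15 sshd[2201]: Accepted password for svc_backup from 198.51.100.7 port 50127 ssh2
2015-03-01T10:05:00 sshd[2210]: Failed password for jsmith from 10.0.0.42 port 41000 ssh2
2015-03-01T10:30:00 sshd[2215]: Failed password for jsmith from 10.0.0.42 port 41001 ssh2
2015-03-01T10:30:07 sshd[2215]: Accepted password for jsmith from 10.0.0.42 port 41002 ssh2
"""

# Matches both "Failed password for USER from SRC" and "Accepted password for USER from SRC".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text):
    """Return (timestamp, outcome, user, source) tuples for recognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]))
    return events


def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Map source -> largest number of failures inside one sliding window,
    only for sources that reach the threshold."""
    failures = defaultdict(list)
    for ts, outcome, _user, src in events:
        if outcome == "Failed":
            failures[src].append(ts)
    bursts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            size = end - start + 1
            if size >= threshold:
                bursts[src] = max(bursts.get(src, 0), size)
    return bursts


def success_after_burst(events, bursts, grace=timedelta(minutes=5)):
    """(source, user) pairs where a bursting source then logged in successfully
    within `grace` of one of its own failures."""
    hits = []
    for ts, outcome, user, src in events:
        if outcome != "Accepted" or src not in bursts:
            continue
        recent_failure = any(
            o == "Failed" and s == src and timedelta(0) <= ts - t <= grace
            for t, o, _u, s in events
        )
        if recent_failure:
            hits.append((src, user))
    return hits


if __name__ == "__main__":
    evts = parse(LOG_LINES)
    b = find_bursts(evts)
    print("bursting sources:", b)
    print("successful logins after a burst:", success_after_burst(evts, b))
```

Two failures by jsmith half an hour apart never reach the threshold, so that user's later success is not reported; the five rapid failures from 198.51.100.7 followed by an accepted login for a service account are. A real deployment would also cover the "invalid user" variant of the sshd message, which the regex here does not.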

Incident Response: Analysis
Create a system profile or baseline:
- Run file integrity checks and compare them with the baseline
- Monitor network bandwidth
- Understand normal system behavior, so that abnormal behavior stands out
- Review logs and security alerts
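The file integrity step above, as an added example that is not part of the presentation: it records a SHA-256 digest for every file under a directory, then compares a later snapshot and reports what was added, removed or modified. The demo function builds a throwaway directory with constructed files (names and contents are made up) so the whole thing runs offline.

```python
"""File integrity baseline and comparison (added example; constructed files)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):   # stream large files
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small web root, then make the kinds of
    changes an integrity check should surface (new binary, edited config,
    deleted file) and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd.exe").write_bytes(b"original server binary")
        (root / "conf").mkdir()
        (root / "conf" / "server.conf").write_text("Listen 443\n")
        (root / "logs").mkdir()          # empty directory: no entries in the manifest
        baseline = snapshot(root)

        # Simulated changes after the baseline was taken (all constructed).
        (root / "bin" / "rar.exe").write_bytes(b"archive utility that was not there before")
        (root / "conf" / "server.conf").write_text("Listen 443\nLoadModule extra\n")
        (root / "bin" / "httpd.exe").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest should be stored off the host being checked (a compromised server can rewrite its own manifest), and the comparison is only as good as the moment the baseline was taken, which is why the deck pairs this step with rebuilding from a known good state.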

Incident Response: Analysis (cont.)
- Determine what you know and what you don't know (don't assume)
- Multiple sources of information
- False alarms vs a real breach
- Timely notification
- Allocate resources and time for analysis
- Communication and coordination of the team

Incident Response: Containment
- Short-term containment vs long-term solution
- Limit the damage
- Can the problem be isolated?
- Can affected systems be separated from non-affected systems?
- Stop the spread
- Preserve evidence: forensic imaging

Incident Response: Eradication
- Clearly understand the scope and extent of affected systems
- Document a plan of attack for removal of these systems:
  - Network
  - Host
  - Application

Incident Response: Recovery
- Bring systems and services back online in production
- Start from a known good state
- Restore data from backup
- Implement controls to test and verify system state

Incident Response: Notification
Is notification required?
- Likely risk of harm:
  - Nature of the data elements
  - Number of records/individuals affected
  - Accessibility and usability
  - Likelihood of harm
  - Ability to mitigate risk
- Statutory notification requirements:
  - Identify legal jurisdictions involved
  - Identify statutes triggered

Incident Response: Notification (cont.)
Timelines for notification:
- Dependent on the type of data breached: PII, PCI, PHI
- Notification without unreasonable delay
- Law enforcement may require delay

Incident Response: Notification (cont.)
Source for notification:
- Senior member of management or executive
- Organizational awareness
Contents of notification:
- Describe what happened
- Types of information breached
- Steps to protect affected parties
- What you are doing
- Who to contact for more information
Means of notification:
- Telephone
- First-class mail
- E-mail

Lessons learned
- Cost of the breach: 20-30 million dollars
- Identification
- Patch your systems
- System configuration and hardening
- Prepare an IR plan before your breach
- Select vendors and partners before your breach

Q & A

References
The following resources were used as part of this presentation:
- NIST Computer Security Incident Handling Guide, Special Publication 800-61 rev2
- Redacted customer forensic report
- Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice: Best Practices for Victim Response and Reporting of Cyber Incidents
- SANS Institute Incident Handler's Handbook
- DOJ Incident Response Procedures for Data Breaches