FALSE ALARM? Incident Management Case Study
Carlos Villalba, carlos@tvrms.com

Initial Discovery
The panic sets in: you think your company has been breached! So, what do you do?
First steps
First things first: STOP, THINK, ANALYZE, THINK AGAIN, PROCEED, and assemble your Response Team (PR, HR, C-level, IT, Legal, Subject Matter Experts).
You don't know what you don't know. Let's fix that first, and then adopt the following motto: do it right instead of quickly!
Start documenting EVERYTHING.

Agenda
Breach response recipe (lessons learned in the field)
Step 1: Confirm the breach
Step 2: Contain the breach
Step 3: Understand and investigate the breach
Step 4: Report the breach (IC3)
Step 5: Determine the cause
Step 6: Communicate the breach?
Step 7: Remediation
Step 8: Proactive Security Protection
Step 1: Confirm the breach
Signs of a breach:
Site defacement
Email attachments whose sender appears to be the CEO or equivalent (the sender address is easily spoofed)
Abnormal activity on privileged user accounts
Repeated failed log-in attempts (retailers beware)
Malware infection (the likelihood of key loggers and memory scrapers is high)
Abnormal network traffic, including ICMP, HTTP and HTTPS (e.g. network connections to the EU when your business is local)
Your webcam light flickers on briefly
Strange large files appear on the network
Sudden spikes in outbound DNS traffic
Your confidential data landed on Pastebin or ipaste.eu
You have been informed by an authoritative source

Step 1: Confirm the breach
Places to check, things to do:
Start your chain of custody. Not just the forms: document everything.
Proceed with caution and treat the event as a breach until confirmed otherwise (e.g. memory image, disk image, then pull the plug; capture volatile memory before powering off, because power-off destroys it).
Log files
Ask your ISP what they see
Has there been an extortion attempt?

Step 1: Confirm the breach
Tools
Old friends: grep, sed, awk, top, Sysinternals, DumpIt
Open source and free tools: Filemon (now Process Monitor), Snort, Wireshark, Volatility
IDS, NetFlow, and external threat data (don't forget the flow data)
Useful findings: flooded logs, files appearing and disappearing, intermittent processes.
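Two of the signs listed above, repeated failed log-ins and a sudden spike in outbound DNS traffic, are easy to check mechanically with the "old friends" on the previous slide or with a few lines of script. The following is an added example, not code from the talk: it runs two detection heuristics over constructed log lines. The log formats, the thresholds (five failures inside a sixty-second window; ten times a host's historical per-minute DNS query rate) and the baseline table are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Format is an assumption;
# adapt AUTH_RE to your own sshd / Windows Security export.
AUTH_LOG = """\
2014-03-01T02:00:01 sshd[412]: Accepted password for bob from 10.0.0.9 port 5001
2014-03-01T02:00:05 sshd[413]: Failed password for admin from 203.0.113.7 port 5120
2014-03-01T02:00:06 sshd[413]: Failed password for admin from 203.0.113.7 port 5121
2014-03-01T02:00:07 sshd[413]: Failed password for admin from 203.0.113.7 port 5122
2014-03-01T02:00:08 sshd[413]: Failed password for admin from 203.0.113.7 port 5123
2014-03-01T02:00:09 sshd[413]: Failed password for admin from 203.0.113.7 port 5124
2014-03-01T02:00:11 sshd[413]: Failed password for admin from 203.0.113.7 port 5125
2014-03-01T02:05:00 sshd[420]: Failed password for bob from 10.0.0.9 port 5002
2014-03-01T02:09:30 sshd[421]: Failed password for bob from 10.0.0.9 port 5003
"""
AUTH_RE = re.compile(r"^(\S+) \S+: Failed password for (\S+) from (\S+) port")


def failed_login_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {(user, src_ip): max failures seen in any sliding `window`}
    for every pair that reaches `threshold`. Two slow failures by a real
    user (bob) do not fire; a burst against one account from one IP does."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, user, ip = m.groups()
            stamps[(user, ip)].append(datetime.fromisoformat(ts))
    bursts = {}
    for key, times in stamps.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def _constructed_dns_log():
    """Build a sample DNS query log: one quiet host and one host that fires
    40 queries in a minute, each to a different label, which is what DNS
    tunnelling and beaconing look like on the wire."""
    lines = [f"2014-03-01T02:00:{10 + i:02d} client=10.0.0.9 query=mail.example.com type=A"
             for i in range(3)]
    lines += [f"2014-03-01T02:00:{i:02d} client=10.0.0.5 query=x{i:04d}.badexample.net type=TXT"
              for i in range(40)]
    return "\n".join(lines)


DNS_LOG = _constructed_dns_log()
DNS_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+)")
# Assumed historical queries-per-minute per client, e.g. from last month's NetFlow.
DNS_BASELINE = {"10.0.0.5": 2, "10.0.0.9": 3}


def dns_spikes(log_text, baseline_per_minute, factor=10):
    """Count queries per client per minute and return {client: (minute, count)}
    for clients whose busiest minute exceeds `factor` x their baseline."""
    per_minute = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, client, _query = m.groups()
            per_minute[client][ts[:16]] += 1      # key on YYYY-MM-DDTHH:MM
    spikes = {}
    for client, minutes in per_minute.items():
        minute, count = max(minutes.items(), key=lambda kv: kv[1])
        if count > factor * baseline_per_minute.get(client, 1):
            spikes[client] = (minute, count)
    return spikes


if __name__ == "__main__":
    print("login bursts:", failed_login_bursts(AUTH_LOG))
    print("dns spikes:  ", dns_spikes(DNS_LOG, DNS_BASELINE))
```

Both functions deliberately report the evidence (count, window, source) rather than a bare yes/no, because that is what goes into the chain-of-custody notes and what the response team needs to decide whether this is a false alarm.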
Step 2: Contain the breach
Collect the current state of the systems, as much as you can (e.g. memory dump and disk image).
Update your chain of custody documentation.
Confirm your response team.
Time to notify? Check legal and contract requirements.
With information from the previous phase (when applicable), isolate the breached system. Some options:
Connect the system to its own network, isolated from the rest
Unplug the network
Add ACLs that reduce propagation via TCP/UDP
Apply the critical fix that closes the vulnerability
In the event of malware, cleaning is most of the time not an option: rebuild from known-good media.

Step 2: Contain the breach
Tools:
Pull the plug (either network or power)
IPS
ACLs
Firewalls
Account removal
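Step 1 says to start the chain of custody and Step 2 says to update it after every image you collect. The part of that which can be automated is the integrity record: hash each image at acquisition, and re-hash and refuse the transfer whenever custody changes hands and the hash no longer matches. The following is an added example, not the author's or any vendor's tooling; the record fields, the person names and the stand-in "memory image" written to a temporary file are all constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed in 1 MiB chunks so multi-GB disk and
    memory images do not have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def record_acquisition(log, path, description, source_host, collector):
    """First chain-of-custody entry for an item: what it is, where it came
    from, who took it, when, and its hash at the moment of collection."""
    entry = {
        "event": "acquired",
        "item": os.path.basename(path),
        "description": description,
        "source_host": source_host,
        "by": collector,
        "at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(path),
        "sha256": hash_file(path),
    }
    log.append(entry)
    return entry


def record_handoff(log, path, item_entry, from_person, to_person):
    """Custody transfer. The item is re-hashed first; a mismatch with the
    acquisition hash means the evidence changed and the handoff is refused."""
    current = hash_file(path)
    if current != item_entry["sha256"]:
        raise ValueError(f"{item_entry['item']}: hash {current} differs from "
                         f"acquisition hash {item_entry['sha256']}")
    entry = {"event": "handoff", "item": item_entry["item"], "from": from_person,
             "to": to_person, "at": datetime.now(timezone.utc).isoformat(),
             "sha256": current}
    log.append(entry)
    return entry


def verify_item(path, item_entry):
    """True if the item on disk still matches its acquisition hash."""
    return hash_file(path) == item_entry["sha256"]


def demo():
    """Run the workflow on a constructed stand-in for a memory image
    (a repeated byte pattern, not a real capture) and report what happened."""
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "web01.mem")
        with open(image, "wb") as fh:
            fh.write(b"\x00CONSTRUCTED-MEMORY-IMAGE\x00" * 4096)
        acquired = record_acquisition(log, image, "RAM capture via DumpIt",
                                      "web01", "J. Analyst (hypothetical)")
        record_handoff(log, image, acquired, "J. Analyst (hypothetical)", "evidence locker")
        intact = verify_item(image, acquired)
        # Simulate corruption or tampering: flip one byte of the image.
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")
        try:
            record_handoff(log, image, acquired, "evidence locker", "outside examiner")
            refused = False
        except ValueError:
            refused = True
        return {
            "sha256": acquired["sha256"],
            "intact_after_handoff": intact,
            "intact_after_tamper": verify_item(image, acquired),
            "handoff_refused_after_tamper": refused,
            "entries": len(log),
            "log_json": json.dumps(log, indent=2),
        }


if __name__ == "__main__":
    print(demo()["log_json"])
```

Keep the JSON log alongside the signed paper forms rather than instead of them: the hash proves the image was not altered between two custody events, while the forms, dates and signatures are what counsel and law enforcement will ask for.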
Step 3: Understand and investigate the breach
Any recent terminations?
Unable to identify the source and target of the breach?
Unsure if the breach has been contained?
Crime? (If yes, local law enforcement)
Legal or contractual obligation?
If the answer is "Yes" or "I don't know" to any of these, then you need help:
Professional security forensic services expertise
Contact legal services with InfoSec expertise
Update the chain of custody

Step 3: Understand and investigate the breach
Tools:
Autopsy
The Sleuth Kit
Kali
dd images opened in Live View
DumpIt
Volatility Framework
EnCase
FTK
Microsoft COFEE (law enforcement only)
Step 4: Report the breach (IC3)
Consult legal; have them review SLAs and contracts.
State requirements change; have them check that too.
Is your organization a covered entity or business associate in the health care market? The HIPAA Omnibus Rule applies to you.
Contact local police
Contact the local FBI office
File an IC3 report
Contact your ISP
Prepare for the media (leaks of a breach by law enforcement have been known to happen)

Step 4: Report the breach (IC3)
Resources:
http://www.ic3.gov/default.aspx
http://www.fbi.gov/phoenix/
Step 5: Determine the cause
Identify entry and exit points
What was taken?
Any correlation point from previous phases?

Step 5: Determine the cause
Tools
SMEs' opinions
ntop (NetFlow analysis)
Memory dump analysis
Follow the money
Step 6: Communicate the breach?
When appropriate and cleared by legal counsel.
Business requirements
Financial requirements (FTC, PCI, etc.)
Legal requirements (HIPAA, FTC, etc.)
State requirements. For example, the Arizona breach disclosure law requires disclosure of data breaches without unreasonable delay. Arizona residents may be notified of breaches by phone. The law provides for civil and criminal penalties, but Arizona residents do not have a right of private legal action. Ariz. Rev. Stat. 44-7501 (http://www.azleg.state.az.us/formatdocument.asp?indoc=/ars/44/07501.htm&Title=44)
Step 7: Remediation
Reset your passwords
Update and scan
Take back your accounts
Check for backdoors
Follow the money
Perform a security audit on all your affected accounts
De-authorize all those apps
Monitor financials (keep an eye on the money)

Step 7: Remediation
Tools:
Logs
IDS
ISP assistance
Forensic analysis
Step 8: Proactive Security Protection
There is a proven ROI in the following:
Monitoring
Security event log correlation
Business Impact Analysis
Disaster Recovery Plan
Business Continuity Plan
Endpoint security
Managed Security Services
Incident response plans (tested, of course)

Step 8: Proactive Security Protection
Resources:
Your own or a managed security operations center: eyes in the sky when your eyelids are tired or closed. Early warnings and detection.
Let's stop using templates. Your policies and procedures are only as good as your enforcement of them, and only if they apply to your own unique and realistic situation.
Scanning, patching, passwords and perimeter security are very good, but they are merely a technical layer.
Have a plan and test it!

Questions/Suggestions/Tips
General advice:
Don't have a fight with your hair stylist when you are about to get a haircut.
Public relations is often overlooked.
Insurance.
Monitoring 24/7 pays off.
Alerting 24/7 more than pays off.