Performing Advanced Incident Response Interactive Exercise

Similar documents
Security Analytics for Smart Grid

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Using SIEM for Real- Time Threat Detection

A Love Affair: Cyber Security, Big-data and Risk

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Network/Internet Forensic and Intrusion Log Analysis

Software that provides secure access to technology, everywhere.

Concierge SIEM Reporting Overview

Targeted attacks: Tools and techniques

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Evaluating, choosing and implementing a SIEM solution. Dan Han, Virginia Commonwealth University

UNCLASSIFIED. General Enquiries. Incidents Incidents

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

DYNAMIC DNS: DATA EXFILTRATION

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Win the race against time to stay ahead of cybercriminals

Evolution Of Cyber Threats & Defense Approaches

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

Good Guys vs. the Bad Guys: Can Big Data Tools Counteract Advanced Threats?

Modern Approach to Incident Response: Automated Response Architecture

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Top 20 Critical Security Controls

Guideline on Auditing and Log Management

INCIDENT RESPONSE CHECKLIST

Information Security Services

Critical Security Controls

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

SANS Top 20 Critical Controls for Effective Cyber Defense

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

The SIEM Evaluator s Guide

Defence Cyber Protection Partnership Cyber Risks Profile Requirements

Defending Against Data Beaches: Internal Controls for Cybersecurity

Can We Become Resilient to Cyber Attacks?

Enterprise Cybersecurity: Building an Effective Defense

Log Management for the University of California: Issues and Recommendations

Speed Up Incident Response with Actionable Forensic Analytics

A New Perspective on Protecting Critical Networks from Attack:

Defending Against Cyber Attacks with SessionLevel Network Security

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

Defending against Cyber Attacks

Practical Threat Intelligence. with Bromium LAVA

Enabling Security Operations with RSA envision. August, 2009

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

The Role of Security Monitoring & SIEM in Risk Management

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Centre for the Protection of National Infrastructure Effective Log Management

Enterprise Cybersecurity: Building an Effective Defense

White Paper. PCI Guidance: Microsoft Windows Logging

How Attackers are Targeting Your Mobile Devices. Wade Williamson

USM IT Security Council Guide for Security Event Logging. Version 1.1

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Things To Do After You ve Been Hacked

2012 Data Breach Investigations Report

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Penetration Testing Report. Client: xxxxxx Date: 19 th April 2014

Active Response: Automated Risk Reduction or Manual Action?

All Information is derived from Mandiant consulting in a non-classified environment.

White Paper: Meeting and Exceeding GSI/GCSx Information Security Monitoring Requirements

Securing OS Legacy Systems Alexander Rau

SPEAR PHISHING UNDERSTANDING THE THREAT

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

LogInspect 5 Product Features Robust. Dynamic. Unparalleled.

Enterprise Incident Response: Network Intrusion Case Studies and Countermeasures

Unified Security Management and Open Threat Exchange

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

Security Business Intelligence Big Data for Faster Detection/Response

SIEM is only as good as the data it consumes

IBM Advanced Threat Protection Solution

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats

Hunting for Indicators of Compromise

CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled.

Threat Intelligence is Dead. Long Live Threat Intelligence!

Using Network Forensics to Visualize Advanced Persistent Threats

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

UNMASKCONTENT: THE CASE STUDY

ICS-CERT Incident Response Summary Report

Security Policy for External Customers

APT Advanced Persistent Threat Time to rethink?

OWG 60 IT Backend Systems Approved Recommendations

CALNET 3 Category 7 Network Based Management Security. Table of Contents

WHAT IS LOG CORRELATION? Understanding the most powerful feature of SIEM

How to effectively respond to an information security incident

Presented by: Mike Morris and Jim Rumph

Transcription:

Performing Advanced Incident Response Interactive Exercise Post-Conference Summary Merlin Namuth Robert Huber

SCENARIO 1 - PHISHING EMAILS... 3... 3 Mitigations... 3 SCENARIO 2 - IDS ALERT FOR PSEXEC... 4... 4 SCENARIO 3 - THREAT HUNTER... 4... 4 SCENARIO 4 - EMPLOYEE INVESTIGATION... 4... 5 LESSONS LEARNED... 5 Application in first month... 5 Application within 3 months... 5 Application within 6 months... 5 2

Performing Advanced Incident Response Interactive Exercise Incident response is more than just acknowledging an alert in a security tool and having a workstation reimaged. A large amount of information can be gathered to create a picture of how the incident occurred, the goal of the attack, if any sensitive information was stolen, and how to prevent a similar incident from happening again. The goal of this Learning Lab was to learn from each other on how to approach incident response answering these questions. A total of four scenarios were presented one at a time. Participants were given the opportunity to work the incident with their table partners. Everyone came back together to discuss and learn from each other. Scenario 1 - Phishing Emails It is common for people to receive phishing emails. When an employee forwards a phishing email to the incident response team, it must be analyzed to determine if an incident has occurred. Collect metadata o SMTP display name, originating IP address, attachment name, boundary, receiver, X- Mailer, encoding, language, and timezone are some examples o File filesize, author, creation date, language set, hash, and mutex are some data points Language/Timezone settings o Is this a region where your company conducts business? Can use automated analysis platforms to determine if the attachment is malicious Find patterns of the recipients, such as department, same level of access to information, job title, and publicly available information about them Determine if this sender has sent other emails before We learned there are several data points to pivot to and from. Pivot on all metadata into other logs such as DNS, firewall, proxy, host, and security. Mitigations Implement proxy block on malicious domain Implement DNS Blackhole Log for other hosts attempting to reach the same malicious site Ensure SIEM, IDS, and/or Flow are updated to alert for IP or DNS requests to the bad site 3

Scenario 2 - IDS Alert for psexec IDS systems can alert on a wide variety of different malicious activity. For this scenario, we focused on psexec activity. The different analysis activities can be applied to most alerts from IDS systems, as well as other security tools. Track down the host. Ensure before incident you have retention of at least 1 month s worth of DHCP logs o Were there any alerts for psexec on other hosts or did this host have IDS alerts for other activity? Determine how psexec was installed on host o Trace back to the first compromised system. o What was the method of compromise? How was psexec used? o It may have been used for exfiltration of sensitive company information o Psexec could have copied other attack tools to the victim system and other computers Pivoting o Correlate network and host-based forensics to determine timelines and method of compromise Scenario 3 - Threat Hunter This scenario was focused on the security tools functioning properly and how the incident responder can use the tools to find problems the security devices are missing. It can be overwhelming to know where to start. We discussed different data points. Look for systems trying to communicate to the Internet bypassing the proxy Patterns of traffic to regions your company does not conduct business can be an indicator of an issue Determine if there are large file transfers after hours Multiple failed logins may indicate an attacker trying to brute force a password Binaries copied to critical servers may be a sign of an attacker copying malicious tools as well as repeated occurrences of the same filesize Search across network, endpoint, and security analytic solutions to gain a wide perspective using available threat intelligence Scenario 4 - Employee Investigation Sometimes incident response teams are called upon to support an internal investigation, as they have the tools and experience on using the tools to gather data. It is important to understand the sensitivity and documentation requirements for these efforts. 4

Determine the requester is authorized, such as HR or Legal Maintain strict confidentiality, such as using a different ticketing system only the IR team uses Document forensically sound process including date, time, and all actions performed Establish chain of custody of the evidence to prove it was not tampered Write a report with details and explanation of the technical aspects Lessons Learned Incident response is more than responding to individual alerts It is not a helpdesk job and just acknowledging alerts Pivoting off of different data points can reveal a more complete and detailed picture Application in first month Review your organization s incident response capabilities Start researching and reading more about incident response and threat hunting Get or create your own threat intelligence Application within 3 months Create incident response plan, if you don t have one Search for examples Create incident response procedure Application within 6 months Test incident response plan and procedure Create tracking metrics 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information