13th Info-Security Conference 2012
8th May, 2012 @ Hong Kong




You have been attacked!
So what’s next?




    Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
Who am I?
Albert Hui
GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA

Member of:
• SANS Advisory Board
• Digital Phishnet
• ACFE

Consulted for setting up IR capabilities at critical infrastructure companies.
Former incident analyst / threat researcher at top-tier retail, commercial, and investment banks.
Dropped out of PhD to run a startup making IPS boxes.
Now a security ronin.
Agenda
1. Incident response process
2. Incident response organization structure
3. Incident response triage – a brief overview
4. Incident response preliminary containment
You’ve been attacked! So what’s next?
For the Unprepared
1. Stay calm
2. Write down:
   1. When?
   2. Where?
   3. Why?
   4. What?
   5. How?
   (6. Who?)
3. Keep a log; log all communications
4. Need-to-know policy and out-of-band communications
5. Stop the bleeding (containment) first
6. Seek professional help
   1. Know the problem (identification)
   2. Protect your bases (might involve forensic acquisition)
   3. Get rid of the problem (eradication)
   4. Get back in business (recovery)
   5. Lessons-learned report
Incident Response Process

Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned

Within Identification (triage):
Report (w/ Initial Severity) Interpretation → Verification → Severity Assessment → Prioritization
CSIRT
(Computer Security Incident Response Team)

Head of CSIRT
    Incident Handler
    Incident Responder
        Incident Analyst
            SOC
Core Functions

Incident Response
• All the technical work
• Most outsourceable

(Common Functions)
• Preparation and Planning
  • Policies, procedures and banners
  • Incident response protocol and plan
  • Agreements with and pre-approvals from legal / compliance / HR
  • Asset classification
  • Support infrastructure (logging, IDS, patch management, BCP, DR, incident reporting, guideline & education, etc.)
  • etc. etc.

Incident Handling
• Sole interface of CSIRT
• Management liaison
• Clients liaison
• Legal / Compliance / HR / PR liaison
• Peer CSIRT / CERT and LE liaison
• Incident response coordination
• Incident response log keeping
Identification
So how did you know you’ve been attacked?
• A little bird told you…
• You made headline news…
• IT guy reports abnormal behavior…
Alert

   1263906912.307   1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream

Alert triggered.
What the hell just happened?
How serious was that?
How to deal with it?
Where Does Triage Belong?

Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned

Triage sits inside Identification:
Report (w/ Initial Severity) Interpretation → Verification → Severity Assessment → Prioritization
Triage Stages
1. Report (w/ Initial Severity) Interpretation
   • Alerts (IDS, AV, SIEM, etc.) come in with a pre-assigned severity
2. Verification
   • Is it material? (e.g. software X alerts when no software X is installed)
3. Severity Assessment
   • Damage already done
   • Potential for further damage
4. Prioritization
   • Deal with the most severe cases first
(or, verification)
Alexiou Principle
1. What question are you trying to answer?
2. What data do you need to answer that question?
3. How do you extract and analyze that data?
4. What does / would that data tell you?
What Questions Are You Trying to Answer?

     Breadth-First Search
What Data Do You Need to Answer that Question?
Locard Exchange Principle




     “Every contact leaves a trace.”
Occam’s Razor




     …or, “Keep It Simple Stupid”
(or, severity assessment & prioritization)
Risk = Likelihood × Impact × Asset Value

Likelihood
     Likelihood is always 100% (it already happened)

Impact
Focus on…
1. Asset values
   1. Classify your assets NOW!
2. Incident impact
   1. Damage
   2. Scope
Oft-Neglected Dimension

Vertical axis: Existing Damage and Scope. Horizontal axis: Potential Damage and Scope.
• High existing damage and scope → Intensive Care
• Low existing, low potential damage and scope → Standard Mitigation
• Low existing, high potential damage and scope → Immediate Attention!
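The four triage stages and the existing-versus-potential matrix above, run over the proxy alert line shown earlier, as an added example (not the speaker's code). The asset inventory, the mapping from the exploit kit's `spl` parameter to targeted software, the damage scores and the quadrant threshold are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample input: the Squid access-log alert line from the slide,
# joined onto one line.
ALERT_LINE = (
    "1263906912.307   1884 192.168.1.120 TCP_MISS/200 24593 "
    "GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - "
    "DIRECT/122.115.63.6 application/octet-stream"
)

# Hypothetical asset inventory (value 1..5, installed client software); verification
# only works because the assets were classified beforehand.
ASSETS = {
    "192.168.1.120": {"value": 2, "software": {"java", "adobe-reader"}},
    "192.168.1.50": {"value": 5, "software": {"adobe-reader"}},
}

# Squid native access.log: time elapsed client result/status bytes method URL user peer mime
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Assumed mapping from the exploit kit's "spl" parameter prefix to the client
# software it targets ("java_gsb" is the value on the slide).
SPL_TO_SOFTWARE = {"java": "java", "pdf": "adobe-reader", "flash": "flash"}

THRESHOLD = 4  # assumed score at which a dimension tips into the urgent quadrants
RANK = {"Intensive Care": 2, "Immediate Attention!": 1, "Standard Mitigation": 0}


@dataclass
class Incident:
    client: str
    url: str
    status: int
    mime: str
    initial_severity: int  # pre-assigned by the alerting device (IDS, proxy, SIEM)
    material: bool = False
    reason: str = ""
    existing: int = 0  # damage already done, weighted by asset value
    potential: int = 0  # potential for further damage, weighted by asset value
    quadrant: str = ""


def interpret(line: str, initial_severity: int) -> Incident:
    """Stage 1, report interpretation: parse the alert as delivered."""
    m = SQUID_RE.match(line)
    if not m:
        raise ValueError("not a Squid native access-log line")
    return Incident(m["client"], m["url"], int(m["status"]), m["mime"], initial_severity)


def targeted_software(url: str):
    """Client software the exploit-kit landing URL is aimed at, if recognisable."""
    spl = parse_qs(urlparse(url).query).get("spl", [""])[0]
    for prefix, software in SPL_TO_SOFTWARE.items():
        if spl.startswith(prefix):
            return software
    return None


def verify(inc: Incident, assets: dict) -> Incident:
    """Stage 2, verification: an exploit for software X is immaterial on a host
    that has no software X. Unknown hosts cannot be ruled out."""
    host = assets.get(inc.client)
    target = targeted_software(inc.url)
    if host is None:
        inc.material, inc.reason = True, "client not in inventory; cannot rule out"
    elif target and target not in host["software"]:
        inc.material, inc.reason = False, f"exploit targets {target}; host has none"
    else:
        inc.material, inc.reason = True, f"host runs {target or 'unidentified target'}"
    return inc


def assess(inc: Incident, assets: dict, ease_of_attack: int) -> Incident:
    """Stage 3, severity assessment. Likelihood is 100% (it already happened), so
    risk = impact x asset value; a 200 with an octet-stream body means the payload
    reached the client (existing damage); ease_of_attack (1..5) drives potential."""
    value = assets.get(inc.client, {"value": 5})["value"]  # unknown host: assume worst
    payload_landed = inc.status == 200 and inc.mime == "application/octet-stream"
    inc.existing = (2 if payload_landed else 0) * value
    inc.potential = ease_of_attack * value
    # The oft-neglected dimension: existing versus potential damage and scope.
    if inc.existing >= THRESHOLD:
        inc.quadrant = "Intensive Care"
    elif inc.potential >= THRESHOLD:
        inc.quadrant = "Immediate Attention!"
    else:
        inc.quadrant = "Standard Mitigation"
    return inc


def triage(reports, assets=ASSETS, ease_of_attack=2):
    """Stages 1-3 over (log line, initial severity) pairs, then stage 4,
    prioritization: material incidents only, most severe first."""
    incidents = [assess(verify(interpret(line, sev), assets), assets, ease_of_attack)
                 for line, sev in reports]
    material = [i for i in incidents if i.material]
    return sorted(material, key=lambda i: (RANK[i.quadrant], i.existing + i.potential),
                  reverse=True)
```

The same alert against a host with no Java is dropped at verification, while a blocked (403) download aimed at a high-value host lands in "Immediate Attention!" on potential damage alone.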
Know thyself, know thy enemy, then you shall not perish.

知己知彼,百戰不殆
Potential Scope and Damage

                          Know Thyself          Know Thy Enemy
Artifact Hemisphere:      Compromised Entities  Malware Capability
Intellectual Hemisphere:  Exploit Chainability  Ease of Attack
Exploit Chainability

Small immaterial weaknesses can combine to become material ones.
Reason’s Swiss Cheese Model

     (Figure: from Duke University Medical Center)
Ease of Attack (example)
What Do Threat Analysts (and Your MSSP) Absolutely Need to Know?
1. Prevailing threat conditions
   1. e.g. PDF 0-day CVE-2011-2462 in the wild; Adobe promises a fix “no later than the week of December 12, 2011”
2. Current ease / reliability of mounting an attack
   1. e.g. exploit X has just been committed to Metasploit
3. Consequence of a compromise (chained exploit)
4. Malware reverse engineering skills
5. etc. etc.
(or preliminary containment)
Before the Experts Arrive
1. Do NOT pull the plug!!
2. Describe the situation and seek immediate advice (say, over the phone) from IR professionals.
3. Isolate affected systems
   1. Disconnect from the network (unless IR professionals advise otherwise).
4. Secure the crime scene
   1. Physical area access control.
   2. Stop affected computer(s) from being used.
Conclusion
1. Incident response process
2. CSIRT organization structure
   1. What people to hire, their R&Rs (roles and responsibilities).
3. Triage – a brief overview
   1. How to verify an alert.
   2. How to prioritize an incident.
4. Preliminary containment
   1. What to do before the experts arrive.
Thank you!




             albert@securityronin.com

The Aftermath: You Have Been Attacked! So what's next?

  • 1. 13th Info-Security Conference 2012 8th May, 2012 @ Hong Kong You have been attacked! So what’s next? Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA
  • 2. Who am I? Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GAWN, GSNA, CISA Member of: • SANS Advisory Board • Digital Phishnet • ACFE Consulted for setting up IR capabilities at critical infrastructure companies. Former incident analyst / threat researcher at top- tier retail, commercial, and investment banks. Dropped out of PhD to run a startup making IPS boxes. Now a security ronin .
  • 3. Agenda 1. Incident response process 2. Incident response organization structure 3. Incident response triage – a brief overview 4. Incident response preliminary containment
  • 4. You’ve been attacked! So what’s next?
  • 5.
  • 6. For the Unprepared
    1. Stay calm
    2. Write down: 1. When? 2. Where? 3. Why? 4. What? 5. How? (6. Who?)
    3. Keep a log; log all communications
    4. Need-to-Know policy and out-of-band communications
    5. Stop the bleeding (containment) first
    6. Seek professional help
       1. Know the problem (identification)
       2. Protect your bases (might involve forensic acquisition)
       3. Get rid of the problem (eradication)
       4. Get back in business (recovery)
       5. Lessons-Learned report
  • 7. Incident Response Process
    [Diagram: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. Under Identification: Report Interpretation (w/ Initial Severity) → Verification → Severity Assessment → Prioritization.]
  • 8. CSIRT (Computer Security Incident Response Team)
    [Org chart: Head of CSIRT; Incident Handler; Incident Responder; Incident Analyst; SOC]
  • 9. Core Functions
    Incident Response
    • All the technical works
    • Most outsourceable
    Incident Handling
    • Sole interface of CSIRT
    • Management liaison
    • Clients liaison
    • Legal / Compliance / HR / PR liaison
    • Peer CSIRT / CERT and LE liaison
    • Incident response coordination
    • Incident response log keeping
    (Common Functions)
    • Preparation and Planning
    • Policies, procedures and banners
    • Incident response protocol and plan
    • Agreements with and pre-approvals from legal / compliance / HR
    • Asset classification
    • Support infrastructure (logging, IDS, patch management, BCP, DR, incident reporting, guideline & education, etc.)
    • etc. etc.
  • 10. Identification
    So how did you know you’ve been attacked?
    • A little bird told you…
    • You made headline news…
    • IT guy reports abnormal behavior…
  • 11. Alert
    1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream
    Alert triggered. What the hell just happened? How serious was that? How to deal with it?
  • 12.
  • 13.
  • 14. Where Does Triage Belong?
    [Diagram: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. Under Identification: Report Interpretation (w/ Initial Severity) → Verification → Severity Assessment → Prioritization.]
  • 15. Triage Stages
    Report Interpretation (w/ Initial Severity): alerts (IDS, AV, SIEM, etc.) came in with pre-assigned severity
    Verification: is it material? (e.g. software X alerts when no software X installed)
    Severity Assessment: damage already done; potential for further damage
    Prioritization: deal with most severe cases first
  • 17. Alexious Principle
    1. What question are you trying to answer?
    2. What data do you need to answer that question?
    3. How do you extract and analyze that data?
    4. What does / would that data tell you?
  • 18. What Questions Are You Trying to Answer?
  • 19. What Questions Are You Trying to Answer? Breadth-First Search
  • 20. What Data Do You Need to Answer that Question?
  • 21. Locard Exchange Principle “Every contact leaves a trace.”
  • 22. Occam’s Razor …or, “Keep It Simple Stupid”
  • 23. (or, severity assessment & prioritization)
  • 24. Risk = Likelihood × Impact × Asset Value
  • 25. Likelihood
    [Chart with Likelihood and Impact axes] Likelihood: always 100% (it already happened)
  • 26. Focus on…
    1. Asset values
       1. classify your assets NOW!
    2. Incident impact
       1. damage
       2. scope
  • 27. Oft-Neglected Dimension
    [Quadrant chart. Axes: Existing Damage and Scope vs. Potential Damage and Scope. Quadrants: Intensive Care, Standard, Immediate Mitigation, Attention!]
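Slides 11 and 15 walk one alert through the triage stages (report interpretation, verification, severity assessment, prioritization), and slides 24 to 27 give the severity formula. The Python below is an added example, not code from the presentation: it parses the slide 11 Squid log line, checks materiality against a constructed asset inventory, and scores Risk = Likelihood × Impact × Asset Value. The inventory, the 1-5 scales, and the reading of the kit URL's `spl=` parameter as the targeted software are assumptions.

```python
import re
from datetime import datetime, timezone

# Squid native access.log: time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) +(?P<elapsed>\d+) +(?P<client>\S+) +(?P<code>\w+)/(?P<status>\d{3}) +"
    r"(?P<bytes>\d+) +(?P<method>\S+) +(?P<url>\S+) +(?P<ident>\S+) +(?P<hier>\S+) +(?P<ctype>\S+)$"
)

ALERT = ("1263906912.307 1884 192.168.1.120 TCP_MISS/200 24593 GET "  # the alert line from slide 11
         "http://hezlhhh.co.cc/x22/load.php?spl=java_gsb&h= - DIRECT/122.115.63.6 application/octet-stream")

# Constructed asset inventory (assumption): client -> asset value (1-5) and installed software.
ASSETS = {
    "192.168.1.120": {"value": 4, "software": {"java", "reader"}},  # finance workstation
    "192.168.1.77": {"value": 1, "software": {"firefox"}},          # lobby kiosk, no Java
}

def interpret(line):
    """Report interpretation: split the raw alert into named fields with a readable UTC time."""
    m = SQUID_RE.match(line.strip())
    if not m:
        raise ValueError("not a Squid native log line")
    f = m.groupdict()
    f["time"] = datetime.fromtimestamp(float(f["ts"]), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
    f["bytes"], f["status"] = int(f["bytes"]), int(f["status"])
    return f

def verify(f, assets=ASSETS):
    """Verification: is the alert material? Assumes the kit's 'spl=' parameter names the targeted
    software ('java_gsb' -> java); an exploit aimed at software the client lacks is immaterial."""
    host = assets.get(f["client"])
    if host is None:
        return False, "client not in inventory"
    m = re.search(r"[?&]spl=([a-z]+)", f["url"])
    if m and m.group(1) not in host["software"]:
        return False, f"{m.group(1)} not installed on client"
    delivered = f["status"] == 200 and f["ctype"] == "application/octet-stream" and f["bytes"] > 0
    return delivered, "binary payload delivered" if delivered else "no payload delivered"

def risk(f, existing, potential, assets=ASSETS):
    """Severity: Risk = Likelihood x Impact x Asset Value (likelihood 1.0: it already happened; impact = max of existing/potential damage and scope, 1-5)."""
    material, _ = verify(f, assets)
    return 1.0 * max(existing, potential) * assets[f["client"]]["value"] if material else 0.0

def prioritize(alerts, assets=ASSETS):
    """Prioritization: alert lines most severe first; alerts = [(line, existing, potential), ...]."""
    scored = [(risk(interpret(line), e, p, assets), line) for line, e, p in alerts]
    return [line for _, line in sorted(scored, key=lambda t: t[0], reverse=True)]
```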
  • 28. Know thyself, know thy enemy, then you shall not perish. 知己知彼,百戰不殆
  • 29. Potential Scope and Damage
    [Diagram with labels: Compromised Entities, Malware Artifact Capability, Exploit Chainability, Ease of Attack, Intellectual Hemisphere; halves labelled Know Thyself and Know Thy Enemy]
  • 32. Exploit Chainability Small immaterial weaknesses can combine to become material ones.
  • 33. Reason’s Swiss Cheese Model From Duke University Medical Center
  • 36. Ease of Attack (example)
  • 37. What Do Threat Analysts (and Your MSSP) Absolutely Need to Know?
    1. Prevailing threat conditions
       1. e.g. pdf 0-day CVE-2011-2462 in the wild, Adobe promises a fix “no later than the week of December 12, 2011”
    2. Current ease / reliability of mounting an attack
       1. e.g. exploit X has just been committed to Metasploit
    3. Consequence of a compromise (chained exploit)
    4. Malware reverse engineering skills
    5. etc. etc.
  • 39. Before the Experts Arrive
    1. Do NOT pull the plug!!
    2. Describe the situation and seek immediate advice (say, over the phone) from IR professionals.
    3. Isolate affected systems
       1. Disconnect from network (unless IR professionals advise otherwise).
    4. Secure the crime scene
       1. Physical area access control.
       2. Stop affected computer(s) from being used.
  • 40. Conclusion
    1. Incident response process
    2. CSIRT organization structure
       1. What people to hire, their R&Rs.
    3. Triage – a brief overview
       1. How to verify an alert.
       2. How to prioritize an incident.
    4. Preliminary containment
       1. What to do before the experts arrive.
  • 41. Thank you! albert@securityronin.com