Incident Response
Operation
Before/After Hacked
Sumedt Jitpukdebodin
Senior Security Researcher @ I-SECURE Co. Ltd.
LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE
# whoami
• Name: Sumedt Jitpukdebodin
• Jobs: Security Consultant, Senior Security Researcher @ I-SECURE
• Website: www.r00tsec.com, www.techsuii.com
• Admin: @2600thailand, @OWASPThailand
• Book: Network Security Book
• Hobby: Writing, Hacking, Researching, Gaming, etc.
• My articles: search Google for my name.
Hacker
SOC (Security Operation Center)
Attacker And Defender
Catch me if you can
# id
• Hack is easy, defend is so f*cking hard.
• Attack surfaces
• 0day
• Social Engineering
• Etc.
Incident Response
# man ir
Definition
• Event: an activity that we monitor (recorded in logs)
• Incident: an event that causes damage
• Incident Response (IR): the actions taken after an incident to understand it and take remedial action
Top priorities for IR
• Identify the problems
• Fix the problems
• Recover the system back to normal
Step of IR.
Source: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png
Steps of IR
• Preparation
  • Skills, procedures, logs, tools, forms, policies, checklists, etc.
• Detection (Identification) & Analysis
  • From best practice, research and lessons learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities (Lessons Learned)
  • What were they doing?
  • Where were they operating?
  • What backdoors have they left?
  • Develop attack signatures
What to look for
• Look for abnormalities
  • Performance issues, off-peak activity
  • Some clients being redirected
• Example indicators
  • New accounts, new directories, new files in the website, file system changes, crashes, unusual system usage patterns
• Example sources
  • Access log, IDS, IPS, firewall, system log, suspicious traffic
• Potential issues
  • File/folder encryption
  • BIOS password protection
  • Whole disk encryption / risk
Before Breach
Source: http://jokideo.com/wp-content/uploads/2013/03/Funny-cat-Come-on-birdy.jpg
Centralized Log Diagram
Source: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg
# whereis logs
• Device Log
• Server Log
• Application Log
# ls /var/log/
• web_server/{access.log,error.log}
• audit/audit.log
• syslog
• openvpn.log
# cat /var/log/apache2/access.log
# cat /var/log/syslog
Devices
• Firewall
• IDS/IPS
• Next Generation Firewall
• Mail Gateway
• Etc.
Centralized Log
• Syslog-ng (rsyslog)
• Splunk
• Graylog2
• logstash
• Scribe
Example of Splunk
SIEM (“Security Information and Event Management”)
• Arcsight
• Log Correlation Engine By Tenable
• Splunk
• OSSIM **
• Alienvault **
• LOGalyze **
• Etc.
Log Correlation Engine By Tenable
Source: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui
Arcsight
Source: http://blog.rootshell.be/2013/06/26/out-of-the-box-siem-never/
Arcsight Dashboard
Source: http://www.observeit.com/images/content/features_siem14.jpg
False Positive
SQL Injection Case
• Alert: SQL Injection
• Attacker: China
• Log From: Web Application Firewall
SQL Injection Case
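As an added example, not part of the slides, here is the kind of access-log triage the "What to look for" slide and the false-positive SQL injection case describe: it parses constructed Apache combined-format lines, flags off-peak activity, injection attempts in the decoded parameters and requests to scripts missing from the web-root inventory, and shows why a keyword-only WAF signature fires on a harmless search term. The log lines, IP addresses, script inventory and business hours are all assumed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed sample of Apache combined-format access log lines; the IPs are
# documentation ranges and the requests are made up for this example.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2014:10:02:11 +0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:10:02:15 +0700] "GET /products.php?id=3 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:03:14:02 +0700] "GET /products.php?id=3%27%20OR%201%3D1-- HTTP/1.1" 200 9912 "-" "scanner/1.0"
198.51.100.23 - - [12/Mar/2014:03:14:09 +0700] "GET /products.php?id=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 10211 "-" "scanner/1.0"
198.51.100.23 - - [12/Mar/2014:03:20:40 +0700] "POST /images/upload.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:03:21:02 +0700] "GET /images/x.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2014:14:30:00 +0700] "GET /search.php?q=select%20a%20colour HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

# Constructed inventory of the scripts that are supposed to exist in the web
# root; any other .php path that answers 200 is a "new file in website" indicator.
KNOWN_SCRIPTS = {"/index.php", "/products.php", "/search.php", "/images/upload.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude keyword signature of the kind behind the false positive on the slide:
# a bare SQL keyword fires on any search term that happens to contain it.
NAIVE_SQLI_RE = re.compile(r"\b(?:select|union|or)\b", re.I)

# Tighter rule: a quote followed by a numeric tautology, or UNION ... SELECT.
SQLI_RE = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+|\bunion\s+(?:all\s+)?select\b", re.I)


def parse_line(line):
    """Return a dict with the fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote(parts.query)  # decode %27, %20 ... before matching
    return rec


def indicators(rec, known_scripts=KNOWN_SCRIPTS, business_hours=(8, 18)):
    """Names of the 'what to look for' indicators that one request trips."""
    hits = []
    start, end = business_hours
    if not (start <= rec["time"].hour < end):  # hour in the server's logged timezone
        hits.append("off_peak")
    if SQLI_RE.search(rec["query"]):
        hits.append("sqli")
    if (rec["path"].endswith(".php") and rec["path"] not in known_scripts
            and rec["status"] == "200"):
        hits.append("new_script")  # script that is not in the web-root inventory
    return hits


def triage(log_text, known_scripts=KNOWN_SCRIPTS, business_hours=(8, 18)):
    """Count indicators per source IP so the analyst sees whom to look at first."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name in indicators(rec, known_scripts, business_hours):
            report[rec["ip"]][name] += 1
    return dict(report)


def count_naive_sqli(log_text):
    """How many requests a keyword-only rule flags; includes the harmless search."""
    n = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and NAIVE_SQLI_RE.search(rec["query"]):
            n += 1
    return n


if __name__ == "__main__":
    for ip, counts in sorted(triage(SAMPLE_ACCESS_LOG).items()):
        print(ip, dict(counts))
    print("keyword-only rule would flag", count_naive_sqli(SAMPLE_ACCESS_LOG), "requests")
```

The keyword rule flags three requests, the stricter rule two; the difference is the search for "select a colour", which is exactly the class of WAF alert the false-positive slide is about.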
After Breach
Source: http://www.dumpaday.com/wp-content/uploads/2013/01/funny-cat-bath.jpg
Forensic
Forensic
• Containment
  • Ensure that the system(s) and network are protected from further risk
  • Isolate the compromised system(s)
• Eradication
  • How they got in
  • Where they went
  • What they did
  • Removal of malware
  • Patching the vulnerability
  • Identifying the vulnerability
  • Improve network and system countermeasures
Recovery (Restore/Rebuild)
• Restore the service to normal status
• System owners decide, based on advice from the incident handling team: a business decision
• Monitor the service after recovery
  • Performance
  • Anomalies
Lesson Learned
• Detailed incident report
• Communicate to others on the team
• Apply fixes in the environment
• Conduct a performance analysis of the overall incident and improve operations
• “Not!!!!” blaming people
• Review/rewrite policy
• Determine the cost of the incident
• Apply lessons learned to the entire entity
• Budget for, install, and maintain protection software
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Incident response before:after breach

• 1. Incident Response Operation Before/After Hacked
  Sumedt Jitpukdebodin
  Senior Security Researcher @ I-SECURE Co. Ltd.
  LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE
• 2. # whoami
  • Name: Sumedt Jitpukdebodin
  • Jobs: Security Consultant, Senior Security Researcher @ I-SECURE
  • Website: www.r00tsec.com, www.techsuii.com
  • Admin: @2600thailand, @OWASPThailand
  • Book: Network Security Book
  • Hobby: Writing, Hacking, Researching, Gaming, etc.
  • My articles: please search Google with my name.
• 6. # id
  • Hack is easy, defend is so f*cking hard.
  • Attack surfaces
    • 0day
    • Social Engineering
    • Etc.
• 9. Definition
  • Event - an activity that we monitor (log)
  • Incident - an event that causes damage
  • Incident Response (IR) - actions taken subsequent to an incident to understand the incident and take remedial action
• 10. Top Priorities for IR
  • Identify the problems
  • Fix the problems
  • Recover the system back to normal
• 11. Steps of IR
  Source: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png
• 12. Steps of IR
  • Preparation
    • Skills, procedures, logs, tools, forms, policies, checklists, etc.
  • Detection (Identification) & Analysis
    • From best practice, research and lessons learned
  • Containment
  • Eradication
  • Remediation
  • Post-Incident Activities (Lessons Learned)
    • What are they doing
    • Where are they doing it
    • What backdoors have they left
    • Develop attack signatures
• 18. What to look for
  • Look for abnormalities
    • Performance issues, off-peak activity
    • Some clients being redirected
  • Example indicators
    • New accounts, new directories, new files in the website, file system changes, crashes, unusual system usage patterns
  • Example sources
    • Access log, IDS, IPS, firewall, system log, suspicious traffic
  • Potential issues
    • File/folder encryption
    • BIOS password protection
    • Whole-disk encryption / risk
• 23. Centralized Log Diagram
  Source: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg
• 24. # whereis logs
  • Device log
  • Server log
  • Application log
• 25. # ls /var/log/
  • web_server/{access.log,error.log}
  • audit/audit.log
  • syslog
  • openvpn.log
• 28. Devices
  • Firewall
  • IDS/IPS
  • Next Generation Firewall
  • Mail Gateway
  • Etc.
• 29. Centralized Log
  • Syslog-ng (rsyslog)
  • Splunk
  • Graylog2
  • logstash
  • Scribe
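For the rsyslog option on the Centralized Log slide, the following is an added example of the two halves of a minimal log-shipping setup: the web server tails its access log and forwards everything over TCP with a disk-backed queue, and the collector writes one file per source host. This is not configuration from the presentation; the collector address 192.0.2.10, the port 514, the file paths and the rsyslog 8 (RainerScript) syntax are assumptions for the example.

```conf
# ---- client side (the web server): /etc/rsyslog.d/50-forward.conf ----
# Web access logs are not syslog by default, so tail the file into rsyslog.
module(load="imfile")
input(type="imfile" File="/var/log/web_server/access.log"
      Tag="web_access" Severity="info" Facility="local6")

# Forward every message to the collector over TCP.  The disk-assisted queue
# keeps events on the client if the collector is unreachable, which is exactly
# the situation during an incident when a network segment has been cut.
action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwdRule1"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# ---- collector side: /etc/rsyslog.d/10-central.conf ----
module(load="imtcp")
input(type="imtcp" port="514")

# One file per sending host and program, so an analyst can pull a single
# machine's timeline without grepping the whole archive.
template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
if $fromhost-ip != "127.0.0.1" then action(type="omfile" dynaFile="PerHost")
```

The point of shipping the copy off-box is that an intruder who gains root on the web server cannot rewrite the collector's copy, which is the copy the IR team should work from. For production the TCP transport should be wrapped in TLS (rsyslog's gtls stream driver) and the collector's disk monitored for space; both are left out of this example.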
• 31. SIEM ("Security Information and Event Management")
  • Arcsight
  • Log Correlation Engine by Tenable
  • Splunk
  • OSSIM **
  • Alienvault **
  • LOGalyze **
  • Etc.
• 32. Log Correlation Engine by Tenable
  Source: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui
• 36. SQL Injection Case
  • Alert: SQL Injection
  • Attacker: China
  • Log from: Web Application Firewall
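The indicators on the "What to look for" slide (off-peak activity, new files in the website) and the SQL-injection alert on the "SQL Injection Case" slide are both things an analyst can pull out of a plain web access log when no WAF or SIEM is in place. The following is an added example, not code from the presentation, that does exactly that over a handful of constructed log lines: it parses the combined log format, flags each indicator, and counts hits per source address. The log lines, the baseline of known paths, the off-peak window and the signature regex are all assumptions made for this example, and the signature is the kind of artefact the "Develop attack signatures" step of the lessons-learned phase produces.

```python
"""Added example (not from the presentation): scan web server access-log
lines for the indicators on the "What to look for" slide (off-peak activity,
new files in the website) and for the SQL-injection pattern behind the alert
on the "SQL Injection Case" slide.  All log lines, paths, hours and patterns
below are constructed assumptions, not values taken from the slides."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" access-log layout (assumption: adjust to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Baseline of paths the site legitimately serves (assumption: taken from a
# clean deployment manifest).  A 2xx for anything else is a "new file in website".
KNOWN_PATHS = {"/", "/index.php", "/login.php", "/products.php", "/static/app.js"}

# Off-peak window for this site (assumption: 00:00-05:59 server local time).
OFF_PEAK_HOURS = range(0, 6)

# A small attack signature of the kind the "Develop attack signatures" step
# produces; deliberately narrow so it stays low-noise.
SQLI_RE = re.compile(
    r"(?i)(union\s+select|\bor\s+1\s*=\s*1\b|sleep\(\d+\)|information_schema)"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2015:14:02:11 +0700] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2015:14:02:15 +0700] "GET /products.php?id=7 HTTP/1.1" 200 8341',
    '198.51.100.23 - - [10/Mar/2015:14:05:40 +0700] '
    '"GET /products.php?id=7%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 512',
    '198.51.100.23 - - [11/Mar/2015:03:17:02 +0700] "POST /login.php HTTP/1.1" 200 310',
    '198.51.100.23 - - [11/Mar/2015:03:18:44 +0700] "GET /tmp_upload/a.php HTTP/1.1" 200 1290',
    "this line is corrupt and must be skipped, not crash the scan",
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify(entry):
    """List the indicator names one parsed entry triggers (may be empty)."""
    hits = []
    if entry["ts"].hour in OFF_PEAK_HOURS:
        hits.append("off-peak activity")
    base_path = entry["path"].split("?", 1)[0]
    if base_path not in KNOWN_PATHS and entry["status"].startswith("2"):
        hits.append("new file in website")
    # Decode %xx first so URL-encoded payloads are not missed by the signature.
    if SQLI_RE.search(unquote(entry["path"])):
        hits.append("sql injection signature")
    return hits


def scan(lines):
    """Return (source ip, indicator, path) for every indicator hit in the log."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skip it, never abort a scan mid-incident
        for indicator in classify(entry):
            alerts.append((entry["ip"], indicator, entry["path"]))
    return alerts


def summarize(alerts):
    """Count hits per (source ip, indicator) so the analyst sees who did what."""
    return Counter((ip, indicator) for ip, indicator, _ in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, indicator, path in found:
        print(f"{ip:15} {indicator:24} {path}")
    for (ip, indicator), n in summarize(found).items():
        print(f"{n}x {indicator} from {ip}")
```

On the sample data every hit comes from 198.51.100.23: one signature match on the encoded UNION SELECT request, two off-peak requests, and one 2xx for a path that is not in the deployment baseline, which is the "new file in website" indicator. The baseline check is the one that catches what a signature cannot, because it does not depend on knowing the payload in advance; keeping that baseline current is a Preparation-phase task.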
• 40. Forensic
  • Containment
    • Ensure that the system(s) and network are protected from further risk.
    • Isolate the compromised system(s).
  • Eradication
    • How they got in
    • Where they went
    • What they did
    • The removal of malware
    • Patching vulnerabilities
    • Identifying vulnerabilities
    • Improve network and system countermeasures
• 42. Recovery (Restore/Rebuild)
  • Restore the service to its normal status
  • System owners decide, based on advice from the incident handling team - a business decision.
  • Monitor the service after recovery
    • Performance
    • Anomalies
• 43. Lessons Learned
  • Detailed incident report
  • Communicate to others on the team
  • Apply fixes in the environment
  • Conduct a performance analysis of the overall incident and improve operations
  • "Not!!!!" blaming people
  • Review/rewrite policy
  • Determine the cost of the incident
  • Apply lessons learned to the entire entity
  • Budget for, install, and maintain protection software