Date post: 10-Oct-2020
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.

The incident response playbook: For Android and iOS

Andrew Hoog, NowSecure CEO and Co-founder

● Computer scientist & mobile security researcher

● Author of three mobile security books

● Enjoyer of science fiction, running and red wine

Mobile incident response challenges

DFIR professionals vs. giants

● Mobile defenders have few allies

● Apple and Google making strides to make iOS and Android more secure

● Restricted platforms amplify attackers’ asymmetric advantage

● (Attackers know something their targets don’t)

(The giants: titans of industry, governments, organized crime)

Broad attack surface

Resulting from a large user base, dual-use devices, rapid development, and continuous connectivity

The challenges of mobile IR

● Dual-use (personal and corporate on one device)

● No admin access

● Different tools

● Always-on connectivity

Building blocks for your mobile incident response plan

You need to start somewhere

● Identify assets:

○ Devices

○ Operating systems

○ Installed apps

● SCAN Principle

○ System

○ Configuration

○ Apps

○ Network

● Historical data is crucial to response

Your mobile IR “jump bag”: install and configure your tools and know how to use them

● Continual analysis tools

● Acquisition tools

● Forensic analysis tools

● (& more)

See a detailed list at https://www.nowsecure.com/resources/mobile-incident-response/en/tools/index.html

Phases of incident response: playbooks are an output of the preparation phase

Preparation, Identification, Containment, Eradication, Recovery, Debrief (a cycle: lessons learned from the debrief feed the next round of preparation, and playbooks are what preparation produces)

Great reference: Mason Pokladnik’s “Checklist for incident response capability”

Types of mobile incidents

Mobile incident response playbook

It all began on Saturday, February 13. Here’s the data you might get from an end user

Step 1 — Identification

● Device Indicators of Compromise (IoCs)

○ Battery drain

○ Unusual network traffic

○ Certificate errors

○ Unusual log messages

○ Crash reports

● App reputation monitoring

○ Unauthorized use of brand

○ Apps connecting to your transactional servers

● User reported
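The log-visible indicators on this slide (certificate errors, crash reports, unusual log messages), as an added shell example that is not from the deck: a first-pass triage of an Android logcat dump. The rule tags, the regexes and the sample log lines are constructed assumptions drawn from common Android framework log text, not a vetted signature set; `adb logcat -d -v threadtime` is the real command that produces the input, and the field positions assumed below are those of the threadtime format.

```shell
#!/bin/sh
# Added example (not NowSecure's code): triage a logcat dump for device IoCs.
# Rule table: first word is the finding tag, the rest is an extended regex.
# These patterns are assumptions, not an authoritative signature set.
IOC_RULES='CERT_ERROR SSLHandshakeException|CertPathValidatorException|SSL handshake aborted
CRASH FATAL EXCEPTION|Fatal signal [0-9]+
DEVICE_ADMIN DevicePolicyManager: Admin .* enabled|DEVICE_ADMIN_ENABLED
ROOT_TOOL [[:space:]]su: |magisk|supersu'

# Constructed sample in "adb logcat -v threadtime" layout:
#   MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message
SAMPLE_LOGCAT='02-13 09:14:02.120  1822  1901 E OkHttp: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
02-13 09:14:02.131  1822  1901 W NativeCrypto: SSL handshake aborted: ssl=0x7a3b: I/O error during system call
02-13 09:15:41.507   812   812 I ActivityManager: Start proc 2290:com.example.flashlight/u0a211 for broadcast com.example.flashlight/.BootReceiver
02-13 09:15:44.002  2290  2290 E AndroidRuntime: FATAL EXCEPTION: main
02-13 09:15:44.003  2290  2290 E AndroidRuntime: Process: com.example.flashlight, PID: 2290
02-13 09:16:10.330   812   840 I DevicePolicyManager: Admin ComponentInfo{com.example.flashlight/.AdminReceiver} enabled
02-13 09:16:12.001  2290  2310 D su: request from uid 10211 (com.example.flashlight)'

write_sample_logcat() {  # $1 = path; writes the constructed sample so the functions can be tried offline
    printf '%s\n' "$SAMPLE_LOGCAT" > "$1"
}

triage_logcat() {  # $1 = logcat file; prints "<TAG><tab><matching line>" for every rule hit
    printf '%s\n' "$IOC_RULES" | while read -r tag regex; do
        [ -n "$tag" ] || continue
        grep -Ei -- "$regex" "$1" | awk -v t="$tag" '{ print t "\t" $0 }'
    done
}

triage_summary() {  # $1 = logcat file; "count TAG" lines, most frequent first
    triage_logcat "$1" | cut -f1 | sort | uniq -c | sort -rn
}

pids_in_findings() {  # PIDs named in any finding, to cross-reference against "adb shell ps -A"
    triage_logcat "$1" | awk -F'\t' '{ split($2, f, /[[:space:]]+/); print f[3] }' | sort -u
}

# Usage: adb logcat -d -v threadtime > logcat.txt && sh triage.sh logcat.txt
if [ -n "${1:-}" ]; then
    triage_summary "$1"
    echo
    triage_logcat "$1"
fi
```

On the sample the summary reports two certificate errors from PID 1822, one crash and one device-admin activation tied to the same third-party package, and one root-tool line; the crash plus the admin grant from the same package is the kind of correlation that turns a "battery drain" complaint into a logged incident. Certificate errors alone are ambiguous (a captive portal produces them too), so treat a single tag as a lead, not a verdict.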

Step 2 — Containment

Once you have identified and logged an incident:

● Gain access to device, if possible

● Capture device, OS, and app baseline

● Determine if network analysis is appropriate

● Isolate the device

○ Airplane mode

○ Faraday bag

○ Etc.

● Perform full forensic acquisition
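The containment steps above, together with the SCAN baseline and the "historical data is crucial" point from the preparation slide, as an added shell example; it is not NowSecure's code. It assumes an Android device reachable over adb, a case-directory layout of its own choosing (baseline/, acquisition/, MANIFEST.sha256) and a known-good baseline captured during preparation to diff against. The adb and Android shell commands are real, but what they return, and what the unprivileged shell user is allowed to run, differs by Android version.

```shell
#!/bin/sh
# Added example, not NowSecure's tooling: containment of an Android device over
# adb in the slide's order: check access, capture the SCAN baseline (System,
# Configuration, Apps, Network), isolate, take a logical acquisition, then hash
# everything captured. Directory layout and file names are assumptions.
set -e

CASE_DIR="${CASE_DIR:-./case-$(date +%Y%m%d-%H%M%S)}"

sha256_file() {  # portable "<hash>  <path>" line for one file
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

check_access() {  # "gain access to device": needs USB debugging and an accepted RSA prompt
    adb get-state >/dev/null 2>&1 || { echo "no authorized device over adb" >&2; return 1; }
}

capture_baseline() {  # SCAN baseline into $1; run BEFORE isolating so live sockets are recorded
    mkdir -p "$1"
    adb shell getprop                > "$1/system.txt"           # S: build, patch level, ro.boot.verifiedbootstate
    adb shell settings list global   > "$1/config-global.txt"    # C: e.g. adb_enabled
    adb shell settings list secure   > "$1/config-secure.txt"
    adb shell dumpsys device_policy  > "$1/device-admin.txt"     # C: active device admins
    adb shell pm list packages -f -U > "$1/apps.txt"             # A: package, APK path, uid
    adb shell netstat -tunap         > "$1/network.txt" || true  # N: sockets; owners shown only as root
}

isolate_device() {  # software airplane mode; fall back to a Faraday bag if the device refuses
    adb shell settings put global airplane_mode_on 1
    adb shell svc wifi disable
    adb shell svc data disable
    # The radios act on the setting only after this broadcast; on recent Android it
    # is a protected broadcast and fails without root.
    adb shell am broadcast -a android.intent.action.AIRPLANE_MODE --ez state true \
        || echo "airplane-mode broadcast refused (not root); use a Faraday bag" >&2
}

acquire_logical() {  # non-root acquisition: bug report, logs, third-party APKs, shared storage
    mkdir -p "$1/apks"
    adb bugreport "$1/bugreport.zip"
    adb logcat -d -v threadtime    > "$1/logcat.txt"
    adb shell dumpsys batterystats > "$1/batterystats.txt"   # battery-drain IoC
    adb shell pm list packages -f -3 | tr -d '\r' | while read -r line; do   # -3: third-party only
        apk="${line#package:}"; apk="${apk%=*}"; pkg="${line##*=}"   # "package:<apk path>=<package>"
        adb pull "$apk" "$1/apks/$pkg.apk" >/dev/null
    done
    adb pull /sdcard "$1/sdcard" >/dev/null
}

write_manifest() {  # hash every captured file so later analysis can prove nothing changed
    ( cd "$1" && find . -type f ! -name MANIFEST.sha256 | sort \
        | while read -r f; do sha256_file "$f"; done ) > "$1/MANIFEST.sha256"
}

verify_manifest() {  # 0 if every file in $1/MANIFEST.sha256 still matches, 1 otherwise
    ( cd "$1" && while read -r hash path; do
          [ "$(sha256_file "$path" | cut -d' ' -f1)" = "$hash" ] \
              || { echo "MODIFIED: $path" >&2; exit 1; }
      done < MANIFEST.sha256 )
}

diff_baseline() {  # lines in $2/$3 absent from the known-good $1/$3 (e.g. packages added since)
    awk 'FILENAME == ARGV[1] { seen[$0]; next } !($0 in seen)' "$1/$3" "$2/$3"
}

case "${1:-}" in
    contain)
        check_access
        capture_baseline "$CASE_DIR/baseline"
        isolate_device
        acquire_logical "$CASE_DIR/acquisition"
        write_manifest "$CASE_DIR"
        echo "captured to $CASE_DIR; re-check later with: $0 verify $CASE_DIR" ;;
    verify) verify_manifest "$2" && echo "manifest OK" ;;
    diff)   diff_baseline "$2" "$3" "${4:-apps.txt}" ;;   # e.g. diff golden/baseline case-.../baseline
esac
```

Run `sh contain.sh contain` with the device attached. Afterwards `sh contain.sh diff golden/baseline case-.../baseline apps.txt` lists packages that were not in the known-good inventory (the same call with config-secure.txt shows settings that changed), and `sh contain.sh verify case-...` re-checks the hashes before any analysis starts. The baseline is captured before isolation on purpose: once the radios are off, the socket table no longer shows who the device was talking to. iOS has no adb; there the equivalent is a logical backup over the USB pairing channel, which this script does not cover.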

Step 3 — Eradication

● Analyze attack artifacts

● Determine if threat can be removed

● Identify all impacted (if malware on app store)

● Remove threat or wipe corporate data

Step 4 — Recovery

Mobile recovery typically involves

● Re-provision mobile devices

● Ensure attacker didn’t move laterally

● Monitor accounts and systems connected to the mobile device and impacted user(s)

● Expect the effectiveness of social engineering attacks to be greatly increased (the attacker now holds the user’s contacts, messages and context)

Step 5 — Debriefing

● Team debrief:

○ What worked, what can be improved

○ Policies & procedures changes, user education

● Determine IOCs

○ Attribution

○ Share threat intel data

● Inoculate against future attacks

○ Static signatures generally ineffective

○ Focus on anomaly detection

○ Shared insights and cross-referenceable data

Don’t panic

Andrew Hoog // CEO & Co-founder

NowSecure

[email protected]

+1.312.878.1100

@ahoog42
