Incident Response

Date post: 21-Feb-2017
Upload: primeteacher32

INCIDENT RESPONSE

THREAT LANDSCAPE

• The Advanced Persistent Threat (APT) concern
  – The “UFO” of hacking/cracking activities
• Malice—Malicious insiders (employees, contractors, vendors) may be higher risk than outsiders
• Poor Practices—Newer systems allow for more connectivity and higher risk—users may not see the risk of business as usual
• Emerging threats and reports
  – New vulnerabilities and exploits are released daily
• Enhanced media focus leads to ineffective quick-fixes and attracts all manner of new attackers and threats.
  – The cyber “copycat” is increasingly common

FIRST RESPONDER

• Individuals who, in the early stages of an incident, are responsible for the protection and preservation of life, property, evidence, and the environment, including emergency response providers as defined in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101), as well as emergency management, public health, clinical care, public works, and other skilled support personnel (such as equipment operators) that provide immediate support services during prevention, response, and recovery operations.

THE FIRST RESPONDER ROLE

• As a First Responder, you are the first person notified of and reacting to an information security related incident launched against potential critical infrastructure or key resources (CI/KR).
• Responsibilities include:
  – Assessing the severity of the threat, the scope of the breach and targets, and the associated appropriate response
  – Containing the threat or breach
  – Eradicating the threat or breach
  – Restoring critical cyber services
  – Conveying support to secondary response personnel
  – Assisting with the reestablishment of security controls

FIRST RESPONDER ROLES

• Internal:
  – System/network staff performing regular duties
  – IT Security staff responding to any incident
  – Helpdesk support, collecting and providing solutions to user issues and concerns
• External:
  – A DHS-designated, trained CFR
  – Locally recognized response expert
  – Law enforcement emergency cyber response personnel
  – Government trained and delegated cyber response personnel (local, state, or federal)

RESPONSE EVOLUTION

• Technology has evolved.
• Security threats have evolved.
• Incident Response has not.
• Security and Incident Response professionals must find ways to more proactively, efficiently, and effectively respond to the escalating cyber threat landscape.
• The Internet is the Wild West of old. We either train to be the Sheriff, or we wait to become the victim.

THE FIRST RESPONDER METHODOLOGY

• Step 1: Emergency Assessment
  – The ability to quickly assess the potential breach to determine attack type, potential targets, and severity.
  – The intent is to focus on the most critical systems and the most severe breach in order to quickly combat an attack.
• Step 2: Emergency Containment
  – Once the emergency assessment is completed, immediate containment efforts must be initiated.
  – A cyber triage system must be established to contain the critical systems and the most severe breaches.
• Step 3: Emergency Eradication
  – Building on the prior steps, the eradication process focuses on eliminating the most severe threats against the most critical targets.
  – This eradication step is intended to provide a temporary remediation for the breach, leading to restored services.
• Step 4: Emergency Restoration
  – This final emergency step provides for the immediate restoration of critical systems and associated services.
  – This is a short-term restoration that re-establishes critical services while a more thorough response is initiated.
• Step 5: Post-Emergency Response
  – More thorough response activities are conducted to ensure that the ongoing security of restored services is maintained.
  – This includes assessment, containment, eradication, and restoration processes.
• Step 6: The Hand-Off
  – The final active CFR step is the transfer of responsibility to investigative and forensics personnel.
  – Documentation and oral updates are provided to follow-up incident response personnel for ongoing forensic and law enforcement activities.

FIRST RESPONDER PREPARATION

• The CFR Incident Response Team
  – Core Response Team: smaller, more nimble and broadly experienced first response group
  – Support Team: diverse, specific skill sets, on call as needed
  – Management Liaison Team: focused on executive-level updates, external updates, communication and coordination

THE FIRST RESPONDER TOOLKIT

• The CFR should maintain a kit of response tools that are readily available, easily usable, and guaranteed secure/authentic.
  – Create hashes of stored tools
• The CFR should be very familiar with the tools and the proper use of each application.
• Sample Toolkit Options
  – System Tools: Fport, Process Explorer, Netstat, PsList, PsService
  – Network Tools: Wireshark, Arp, Kismet, TCPDump, Cain and Abel
  – Post-Restoration Tools: Nessus, NMap, Snort, NetStumbler, Nikto
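One way to carry out the "create hashes of stored tools" advice above, as an added example that is not from the original slides: record a SHA-256 manifest when the kit is assembled, then verify the kit against that manifest before each use, reporting modified, missing and unexpected files. The kit layout, file names and contents are constructed in a temporary directory.

```python
"""Build and verify a SHA-256 manifest for a first-responder toolkit.
Added example, not from the original slides: the kit layout, file names and
contents below are constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large tool binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(kit: Path) -> dict[str, str]:
    """Map each file (path relative to the kit root) to its SHA-256 digest."""
    return {str(p.relative_to(kit)): sha256_file(p)
            for p in sorted(kit.rglob("*")) if p.is_file()}


def verify_toolkit(kit: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the kit on disk with the trusted manifest recorded when it was built.
    Use the kit only when all three lists are empty; keep the manifest itself on
    separate, write-protected media so it cannot be altered with the tools."""
    current = build_manifest(kit)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed run: record a manifest, then tamper with the kit and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = Path(tmp)
        (kit / "netstat.exe").write_bytes(b"constructed stand-in for a tool binary")
        (kit / "pslist.exe").write_bytes(b"constructed stand-in for another tool")
        manifest = build_manifest(kit)                   # trusted baseline
        (kit / "pslist.exe").write_bytes(b"altered")     # simulated tampering
        (kit / "netstat.exe").unlink()                   # tool removed
        (kit / "extra.dll").write_bytes(b"dropped in")   # never part of the kit
        return verify_toolkit(kit, manifest)
```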

THE CYBER ATTACK METHOD

• Cyber attacks typically follow logical patterns:
  – Target Research
    • Review of available information regarding potential target(s)
    • Public data, Google hacking, corporate records, etc.
  – Information Gathering and Reconnaissance
    • Slow, precise discovery of the target’s footprint
    • Creating an electronic blueprint
  – Vulnerability Assessments
    • Methodical discovery of potential weaknesses
    • Time consuming and deliberate step in the process
  – Exploitation of Vulnerabilities
    • Subtle exploitation to avoid discovery
    • Establishing the initial entry point

THE CYBER ATTACK METHOD

• Cyber attacks typically follow logical patterns:
  – Privilege Escalation
    • Turning the initial entry point into elevated access
    • Reinforcing access and providing improved expansion opportunities
  – Conducting Breach Goals
    • Data or monetary theft, service disruption or elimination, etc.
  – Maintaining Access
    • Anticipating the discovery and removal of the initial ingress point, the attacker will create a point of return
    • Backdoors with possible outbound connections
  – Anti-Forensics
    • Working to eliminate responders’ research tools such as event logs, alert messages, etc.
    • Eliminating evidence

ATTACK INDICATORS

• Attack steps have notable traits, and learning these traits can help you more quickly identify a potential problem.
• Know your enemies and know yourself!
• Learning how an attack is conducted and knowing how tools appear when used against your environment will help you more quickly respond.
• For example, consider what is done for information gathering and reconnaissance:
  – Fast-paced port scanning versus slow, methodical probing
• Precursors and Indicators: certain events or anomalies can indicate the existence of a potential cyber threat.
• There are few specific, definitive notices of a breach, but a collection of indicative activities can be correlated to determine that a security event has occurred (or is currently occurring). Initially, the incident may be reported by an end user, detected by a system administrator, identified by IDS alerts, or discovered by many other means.

IDENTIFICATION

• Look for system anomalies, deviations
  – Unusual network traffic patterns
  – Notable IDS/IPS alerts
  – Logon attempts/activities (failed or successful)
  – Newly active services or open ports
  – Newly created user accounts
  – Newly installed programs
  – Related system alerts, warnings (SIEM)
  – Spiked CPU, memory, or hard drive utilization
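The previous slide's point that no single notice is definitive, but a collection of indicative activities can be correlated, applied to the indicator list above as an added example that is not from the original slides: constructed log lines are grouped per host into indicator families (logon activity, new accounts, new services or ports, IDS alerts), and a host is flagged when several distinct families fire. The line format, event names and thresholds are assumptions; real auth, IDS and SIEM data would be normalised into this shape first.

```python
"""Correlate IDENTIFICATION-slide indicators per host over constructed log lines.
Added example, not from the original slides. The "<timestamp> <host> <event-type>
<details>" line format, event names and thresholds are assumptions."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2017-02-21T08:01:10 srv01 LOGON_FAILED user=admin src=10.0.0.5
2017-02-21T08:01:12 srv01 LOGON_FAILED user=admin src=10.0.0.5
2017-02-21T08:01:15 srv01 LOGON_FAILED user=admin src=10.0.0.5
2017-02-21T08:03:02 srv01 USER_CREATED user=svc_backup by=admin
2017-02-21T08:04:41 srv01 PORT_OPENED port=4444 proto=tcp
2017-02-21T08:10:00 ws07 LOGON_FAILED user=jdoe src=10.0.0.9
2017-02-21T09:00:00 ws12 IDS_ALERT sig="port scan" src=10.0.0.5
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

# Indicator families from the slide, keyed to the event types that belong to them.
INDICATORS = {
    "logon_activity": {"LOGON_FAILED"},
    "new_account": {"USER_CREATED"},
    "new_service_or_port": {"SERVICE_STARTED", "PORT_OPENED"},
    "ids_alert": {"IDS_ALERT"},
}
THRESHOLDS = {"logon_activity": 3}  # one failed logon is noise; a burst is not


def parse(log: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, host, event_type) for each well-formed line; skip the rest."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def correlate(log: str, min_families: int = 3) -> dict[str, set[str]]:
    """Flag hosts on which at least min_families distinct indicator families fire;
    no single event is definitive, but several families on one host merit triage first."""
    counts = defaultdict(lambda: defaultdict(int))
    for _ts, host, etype in parse(log):
        for family, types in INDICATORS.items():
            if etype in types:
                counts[host][family] += 1
    flagged = {}
    for host, per_family in counts.items():
        hit = {f for f, n in per_family.items() if n >= THRESHOLDS.get(f, 1)}
        if len(hit) >= min_families:
            flagged[host] = hit
    return flagged
```

With the sample above only srv01 is flagged at the default threshold; ws07's single failed logon stays below the burst threshold and ws12 shows just one family.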

CONTAINMENT

• The primary goal of containment is to quickly track down, identify, and isolate a breach or threat.
  – Once the impacted systems have been identified, the scope of the review can be more targeted.
  – Identification of the breach will lead to the proper containment and eradication steps.
  – Isolation of the breach will prevent a potential spread or relocation of the infection/breach.
  – Isolation of the breach will also ensure that additional data loss or progressive system loss is minimized.
• Tracking down impacted systems
  – Information gathered during the emergency assessment process will help to determine breached systems.
  – IP addresses, system names, logical/physical network locations, and impacted databases or applications can be used to locate breached systems.
  – Assumptions must be made that similarly configured systems with similar connections and similar protective mechanisms may also have been targeted.
  – Systems on the same network segments or systems that are logically connected to impacted systems must also be assumed to have been breached.

ERADICATION

• The most critical and difficult step of the FR response methodology is the removal of the breach from the impacted network/systems, regardless of type.
• Eradication is not limited to the initial removal of a threat, but can also include the ongoing review of the impacted network/systems to prevent a recurring breach.
• Eradication processes can consist of two primary removal methods:
  – “The scalpel versus the machete”

ERADICATION

• Network-based eradication
  – If multiple systems within the same network segments have been breached, a full network compromise must be suspected.
  – A network eradication process can entail a variety of actions to eliminate continued unwanted access:
    • Changing SNMP strings
    • Changing device passwords (standard, enable, etc.)
    • Changing IP address schemes, assignments
    • Changing centralized network management tool accounts
    • Modifying firewall rules, IPS scanning filters
• Server/Desktop-based eradication
  – If a system is known to have been compromised, eradication steps must include a review of connected systems to ensure a spread is contained.
  – Removing a breach against a server or desktop can entail multiple steps, with variations based on OS:
    • Deleting any non-mandatory accounts
    • Changing system passwords (local and domain) for ALL accounts on the impacted systems
    • Running full anti-virus scans for possible malware
    • Thoroughly reviewing all running processes and listening ports, while looking for correlated file activity

RESTORATION

• Restoration from Backup
  – If adequate backups are available, system restoration from tape (or other storage media) will likely be the second most desirable option.
  – Tape/media restoration from backup should be quickly reviewed in an offline test environment to ensure that a breach and/or infection was not backed up.
  – This restoration may be for an entire system, specific operating system files, or specific database or application files.
  – Correlated to the Emergency Eradication technique selected: scalpel versus machete
• Reinstallation of system files
  – Another emergency restoration technique is the reinstallation of verified, valid operating systems, applications, etc.
  – Attention to software versions, patch levels, protective applications.

POST-EMERGENCY RESPONSE

• After emergency steps 1-4 are completed, follow-up activities are necessary to ensure that the existing threat is completely eliminated.
  – Conduct ongoing system monitoring for pending new or returned threats.
  – Conduct fast-paced vulnerability assessments to make sure systems are appropriately patched and secure after the conclusion of emergency response activities.
  – Gather additional logs and records for more in-depth review.
  – Findings and associated activities conducted during the emergency response should be analyzed to begin standard, complex incident response.
• Lessons Learned
  – Convey knowledge of and responsibility for ongoing activities to secondary response personnel.
  – Respond to questions, concerns, and needs of investigative personnel for possible prosecution or legal recourse.
  – Educate on-site security operations personnel about the breaches found, the characteristics and similarities of the targeted systems, and the successful countering methods conducted during the CFR process.
  – In short, impart knowledge to those responsible for ensuring that a similar breach does not happen again.
