©2014 CliftonLarsonAllen LLP CLAconnect.com Incident Response and Forensic Preparedness Strategies to Combat Cyber Fraud Randy Romes, CISSP, CRISC, MCP, PCI-QSA CliftonLarsonAllen LLP Information Security Services / Financial Institutions




Our perspective…

• CliftonLarsonAllen

– Started in 1953 with a goal of total client service

– Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.

– Largest Credit Union Service Practice*

*Callahan and Associates 2014 Guide to Credit Union CPA Auditors. CliftonLarsonAllen’s credit union practice has recently grown to over 100 professionals including more than 20 principals. The group focuses on audit, assurance, consulting and advisory, information technology, and human resource management for credit unions across the country. www.larsonallen.com – news release


Learning Objectives

1. Recognize the current risk environment

2. Obtain an understanding of the fundamentals of responding to a computer security incident

3. Obtain an understanding of types of data that may be critical to investigating an incident

4. Understand some common mistakes that organizations make


Security is a Business Issue, Not a Technical Issue

[Diagram: People – Rules – Tools]

Definition of a Secure System: “A secure system is one we can depend on to behave as we expect.”

Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford

• Confidentiality

• Integrity

• Availability


A Lesson In “Incident Response”

• Randy Romes

– Professional Student

– Pizza Guy

– High School Science Teacher

– Hacker

– Dad

– Cub scout leader


Cub Scouts, IT Professionals, & Incident Handling

• Cub Scouts

– Be Prepared

– Camping Trip Preparation

– Road Trip!!!


Cub Scouts, IT Professionals, & Hackers

• Cub Scouts

– Camp Tomahawk

– Daily Routine

– Business as Usual…


Cub Scouts, IT Professionals, & Hackers

• Cub Scouts

– Monday Morning…

– NOT Business as usual…

[Camp map: Parking, Ecology Camp Sites, Main Lodge, X]


What do the following have in common?

• City finance office

• Mining company

• Small CU (~$120M)

• Catholic church parish

• Rural hospital

• Health care trade association

• Collection agency

• Main Street newspaper stand

• Large CU (~$1.8B)

• On and on and on and on…


Three Reasons Why We Should Care

• Organized Crime

– Wholesale theft of personal financial information

• Payment Fraud – Corporate Account Takeover

– Use of online credentials for ACH, CC and wire fraud

• Hackers are targeting you!

– A variety of cash out schemes


Norton/Symantec Corp – The Cost

• Norton/Symantec Corp.

• Cost of global cybercrime: $114 billion annually.

• Time lost due to cybercrime an additional $274 billion.

• Cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).

Hackers go for the “easy money”

Bank customers are much easier targets than the banks themselves


Hackers, Fraudsters, and Victims

• Opportunistic Attacks

• Targeted Attacks


Hackers and Fraudsters

• Objectives…

– Identity Theft and Account Hijacking

◊ Phishing – identity theft and fraudulent credit

◊ ACH fraud – Corporate Account Takeovers

– Targeted Attacks

◊ Internal access for privilege escalation (“control systems”)

◊ Corporate/Government Espionage – Mass data theft

◊ Access to Intellectual Property (IP) or Financial Information

◊ Targeted “Corporate Account Take Over”

– System Access for “Processing Power”

◊ Bot Nets


Phishing and ACH – Examples

• Church ($29,000 and $32,000)

• Public School District ($110,000)

• County Hospital System ($150,000)

• Trade Association ($1,088,000)

• Manufacturing Company ($348,000)

Security Breach

• Credit Union Heartbleed

• Credit Union Member “cash out”


Defining an Incident

• What is an incident?

– NIST 800-61 Rev2 - “A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

• How does your response plan define an incident?


Types of Incidents

• External

– Email Phishing

– Malicious Website

– Website hacking

– Social Engineering

• Internal

– Malicious Insider

– Rogue IT employee

– Issues with vendors/service providers

– External party physically intruding


Case Study 1 - Church


Case Study 1

• Background:

– A church’s internal network and internet banking account were breached

– A $30,000 fraudulent ACH payroll transaction was submitted via online banking and processed by the bank

– The organization’s workstation was infected with the Zbot Trojan through a “DocuSign” phishing email appearing to come from administrator@<organization>.org


Case Study 1

• Lessons learned

– No incident response plan

– No communication protocol

– Lack of employee awareness

– Lacking Segregation of Duties/Excessive Access


Case Study 1

• Lessons learned

– Weak network controls

◊ Shut down system – lost running memory

◊ Server logging was not enabled

◊ No formal IT support

◊ Excessive spam containing malicious attachments and links

◊ No web content filtering system

• Don’t panic! Assess the situation first and maintain documentation!


Incident Response Fundamentals – NIST 800-61

• Develop an incident response policy and plan

– Management should support the mission

– Consider and define the following:

◊ Scope of the policy and plan

◊ Computer Security Incidents

◊ Roles and responsibilities

◊ Prioritization (tie back to BIA)

◊ Performance Measures

◊ Reporting and contact forms


Incident Response Fundamentals – NIST 800-61

• Develop incident response procedures

– Establish lines of communication with internal and external sources

◊ Staff

◊ Board

◊ Examiners/Regulators

◊ Law enforcement

◊ Media

◊ Vendors

◊ ISP


Incident Response Fundamentals – NIST 800-61

• Develop incident response procedures

– Define and develop a team

◊ Determine capabilities of team members

– Consider other supporting groups

◊ Legal

◊ Human Resources

◊ Media Relations

◊ Outside (consulting) support


Incident Response Fundamentals – NIST 800-61

• Develop incident response procedures (cont.)

– Documentation requirements

– Post incident response review – what can we improve on?

– Perform incident response procedure testing

◊ Table top exercises

◊ Simulations

– Establish a training program for IR team and employees


Incident Response Fundamentals – NIST 800-61

Incident Handler Communications and Facilities

• Contact information for team members and others within and outside the organization (primary and backup contacts)

• On-call information for other teams within the organization, including escalation information

• Incident reporting mechanisms, how to report incidents; at least one mechanism should permit people to report incidents anonymously

• Issue tracking system for tracking incident information, status, etc.


Incident Response Fundamentals – NIST 800-61

Incident Handler Communications and Facilities

• Smartphones to be carried by team members for off-hour support and onsite communications

• Encryption software to be used for communications among team members, within the organization and with external parties; for Federal agencies, software must use a FIPS-validated encryption algorithm

• War room for central communication and coordination

• Secure storage facility for securing evidence and other sensitive materials


Incident Response Fundamentals – NIST 800-61

Incident Analysis Hardware and Software:

• Digital forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data

• Laptops for activities such as analyzing data, sniffing packets, and writing reports

• Spare workstations, servers, and networking equipment, or the virtualized equivalents, which may be used for many purposes, such as restoring backups and trying out malware


Incident Response Fundamentals – NIST 800-61

Incident Analysis Hardware and Software:

• Blank removable media

• Portable printer to print copies of log files and other evidence from non-networked systems

• Packet sniffers and protocol analyzers to capture and analyze network traffic

• Digital forensic software to analyze disk images


Incident Response Fundamentals – NIST 800-61

Incident Analysis Hardware and Software:

• Removable media with trusted versions of programs to be used to gather evidence from systems

• Evidence gathering accessories, including hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, and evidence tape, to preserve evidence for possible legal actions


Incident Response Fundamentals – NIST 800-61

Incident Analysis Resources

• Port lists, including commonly used ports and Trojan horse ports

• Documentation for OSs, applications, protocols, and intrusion detection and antivirus products

• Network diagrams and lists of critical assets, such as database servers

• Current baselines of expected network, system, and application activity

• Cryptographic hashes of critical files to speed incident analysis, verification, and eradication


Be Prepared

• Documentation…

– Network diagrams

– Application diagrams and flow charts

– System inventories

– Locations and types of event logs available for analysis


Case Study 2 – Public School District

http:// mytime-ufa.ru/images/nacha_paychange[.]html


Case Study 2

• Employee clicked on a phishing email appearing to come from the National Automated Clearing House Association (NACHA)

– Embedded link resolves to a Russian IP address

• Employee’s internet banking credentials were compromised

• Employee’s browser was injected with malicious HTML asking for additional confidential information when they visited the internet banking site

– Employee also received a call from supporting actor in the attack


Case Study 2

• Attacker initiated approximately $125,000 in fraudulent ACH transactions

• The “weird call” prompted the employee to call the bank and transactions were stopped

• Additional information:

– Employee indicated to IT that antivirus logs were reporting malicious activity the day before the malicious transaction activity


Case Study 2

• Lessons Learned

– No incident response plan (trend?)

– Lack of employee awareness (trend?)

– Lacking Segregation of Duties/Excessive Access (trend?)

– IT indicated the employee’s system was “clean” – this was not the case

– Lack of log retention

– System was powered off


Critical Data in an Incident

• Systems directly impacted

– Employee indicated they clicked on email

– AV logs indicate malicious files

– Weird activity

• Logs

– Server and workstation logs

– Internet Banking Logs – detail is key!

– Firewall

– AV logs

– IDS/IPS logs

– Network packet capture
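Case Study 2 turned on one detail: antivirus alerts on the employee’s workstation the day before the fraudulent transactions. The following Python is an added example, not code from the presentation, showing how an incident handler can merge AV and internet-banking logs into one timeline and flag transactions by a user whose workstation raised a detection in the preceding 48 hours. The log line layout, the host-to-user inventory and every entry are constructed; the 48-hour window is an assumed parameter.

```python
"""Merge antivirus and internet-banking logs into one timeline and flag
transactions made shortly after a detection on the user's workstation
(added example, not from the slides; every log line below is constructed)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed system inventory (the "Be Prepared" documentation): workstation -> primary user.
ASSET_INVENTORY = {"FIN-WS01": "jdoe", "FIN-WS02": "asmith"}

# Constructed antivirus log: timestamp followed by key=value pairs.
AV_LOG = [
    "2014-03-09 08:01:00 host=FIN-WS02 event=scan_complete threat=none",
    "2014-03-10 16:42:07 host=FIN-WS01 event=detection threat=Trojan.Zbot action=quarantine_failed",
    "2014-03-10 23:10:41 host=FIN-WS01 event=detection threat=Trojan.Zbot action=quarantine_failed",
]

# Constructed internet-banking activity log in the same layout.
BANK_LOG = [
    "2014-03-05 14:00:00 user=jdoe type=ACH_CREDIT amount=3000.00 ref=TX0999",
    "2014-03-11 09:15:33 user=jdoe type=ACH_CREDIT amount=62500.00 ref=TX1001",
    "2014-03-11 09:31:02 user=jdoe type=ACH_CREDIT amount=62500.00 ref=TX1002",
    "2014-03-11 10:05:47 user=asmith type=ACH_CREDIT amount=1200.00 ref=TX1003",
]


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in KEY_VALUE.findall(line[20:])}
    fields["ts"] = datetime.strptime(line[:19], TS_FORMAT)
    return fields


def build_timeline(av_lines, bank_lines) -> list[tuple[datetime, str, str]]:
    """One chronologically sorted list of (time, source, summary) across both logs:
    the 'write everything down' journal in machine-readable form."""
    events = []
    for line in av_lines:
        e = parse_line(line)
        events.append((e["ts"], "antivirus", f"{e['host']} {e['event']} {e['threat']}"))
    for line in bank_lines:
        e = parse_line(line)
        events.append((e["ts"], "banking", f"{e['user']} {e['type']} {e['amount']} {e['ref']}"))
    return sorted(events)


def flag_transactions(av_lines, bank_lines, window_hours: int = 48) -> list[dict]:
    """Return each transaction whose user owns a workstation that raised an AV
    detection within window_hours before the transaction.  Transactions that
    precede the detection are not flagged; the window only looks backwards."""
    detections = [e for e in (parse_line(l) for l in av_lines) if e.get("event") == "detection"]
    window = timedelta(hours=window_hours)
    flagged = []
    for txn in (parse_line(l) for l in bank_lines):
        for det in detections:
            gap = txn["ts"] - det["ts"]
            if ASSET_INVENTORY.get(det["host"]) == txn["user"] and timedelta(0) <= gap <= window:
                flagged.append({"ref": txn["ref"], "user": txn["user"], "host": det["host"],
                                "threat": det["threat"],
                                "hours_after_detection": round(gap.total_seconds() / 3600, 1)})
                break  # one flag per transaction, against the first matching detection in log order
    return flagged


if __name__ == "__main__":
    for ts, source, summary in build_timeline(AV_LOG, BANK_LOG):
        print(ts, f"{source:9s}", summary)
    for hit in flag_transactions(AV_LOG, BANK_LOG):
        print("FLAG", hit)
```

The same correlation fails silently when AV logs are not retained or the workstation is wiped before the logs are pulled, which is exactly the gap the case study’s “lack of log retention” lesson points at.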


Critical Data in an Incident

• System memory

– In both cases described above, the system was powered off…critical evidence was lost

– Think before you pull the plug, don’t panic

◊ Why are we pulling the plug?

◊ What data may be lost?

– Train employees on what to do if they think they have malware on their system

• Journaling – write everything down in detail

• Other

– Video surveillance

– Alarm and door logs


Critical Data in an Incident

• Vendor systems - critical data may reside here!

– Inventory where your data resides

◊ What data do vendors store, process, transmit?

◊ What systems are used for wires, ACH, bill pay, etc…?

◊ What happens if the data on those sites is compromised or fraudulent transfers are approved?

◊ What does the contract say?

– Do the vendor systems that control your data or money log ALL activity?


NIST 800-86 Supporting Forensics in the Information System Life Cycle

• Performing regular backups of systems and maintaining previous backups for a specific period of time

• Enabling auditing on workstations, servers, and network devices

• Forwarding audit records to secure centralized log servers (SIEM)

• Configuring mission-critical applications to perform auditing, including recording all authentication attempts


NIST 800-86 Supporting Forensics in the Information System Life Cycle

• Maintaining a database of file hashes for the files of common OS and application deployments

• Using file integrity checking software on particularly important assets

• Maintaining records (e.g., baselines) of network and system configurations
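The hash database and file-integrity items above, and the “cryptographic hashes of critical files” resource on the earlier NIST 800-61 slide, rest on the same mechanism. The following Python is an added example, not code from the presentation: it builds a SHA-256 baseline of a directory tree, stores it as JSON, and diffs a later snapshot to list modified, added and removed files. The directory layout, file names and contents are constructed in a temporary folder for the demonstration.

```python
"""Baseline the files under a directory tree by SHA-256 and diff a later
snapshot against the saved baseline (added example, not from the slides).
All paths and file contents below are constructed in a temporary directory."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 16  # hash in 64 KiB chunks so large binaries never need to fit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX relative path) to its hash.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def save_baseline(baseline: dict[str, str], dest: Path) -> None:
    """Persist the trusted baseline; in practice keep this copy off the monitored host."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare_baselines(trusted: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as modified (hash differs), added (not in the trusted
    set) or removed (missing now).  Unchanged files are deliberately not listed,
    which is what makes the report fast to read during an incident."""
    modified = sorted(p for p in trusted if p in current and trusted[p] != current[p])
    added = sorted(set(current) - set(trusted))
    removed = sorted(set(trusted) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        tree = work / "tree"
        (tree / "bin").mkdir(parents=True)
        (tree / "etc").mkdir()
        (tree / "bin" / "banking-client.exe").write_bytes(b"constructed original binary")
        (tree / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (tree / "etc" / "app.conf").write_text("log_level=info\n")

        # Day 0: record the trusted state and store it beside (not inside) the tree.
        save_baseline(build_baseline(tree), work / "baseline.json")

        # Later: simulate what an infection or a careless change might leave behind.
        with (tree / "etc" / "hosts").open("a") as fh:
            fh.write("203.0.113.10 onlinebanking.example\n")  # constructed entry, TEST-NET address
        (tree / "etc" / "app.conf").unlink()
        (tree / "bin" / "update.exe").write_bytes(b"constructed unknown binary")

        return compare_baselines(load_baseline(work / "baseline.json"), build_baseline(tree))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

The diff only has value if the baseline predates the incident and was stored where the compromised host could not rewrite it; a baseline taken after the fact just certifies the attacker’s changes as normal.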


Case Study 3 - Hospital

• Finance person is phished

• Employee’s internet banking credentials were compromised

• Fraudulent ACH payroll files totaling over $150,000 are sent

• Law enforcement

• Independent investigation

• Problems with investigation…

• Current state (this is ongoing…)


Case Study 4 – Trade Association

• Finance person receives “2000 spam messages”

• Later in the day, fraudsters make three ACH transfers all within 30 minutes:

– $8,000 to Houston

– Two transfers for $540,000 each to Romania

• In this case, business insists the following controls were not followed:

– Dollar limit/thresholds were exceeded

– Call back verification did not occur

• Lessons learned…


Case Study 5 – Credit Union (Last Week)

• Malware on the network

• Windows domain credentials created

• Core application credentials hijacked

• Member accounts modified

• “Cash” deposit at branch

– After close of business

– Associated w/ employee who was not working that day

• $ Mule attempts to withdraw funds the next day


Sources for Standards and Guidelines

• NIST 800-61: Computer Security Incident Handling Guide http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911736

• PCI Requirements https://www.pcisecuritystandards.org/documents/PFI_Program_Guide.pdf

• SANS/GIAC Certified Incident Handler http://www.giac.org/certification/certified-incident-handler-gcih

• State laws: http://www.privacyrights.org/data-breach#10


Cybersecurity Leadership - FFIEC

• https://www.fdic.gov/news/news/financial/2014/fil14021.html


Conclusion

• Develop a solid foundation of incident response practices – management must be on-board

– Documentation is key/critical…

• PERIODICALLY train employees on computer security related topics

– It only takes one employee to click on a phishing email

• Be proactive instead of reactive

– Do you have legal counsel that can advise you on cyber security and data breaches?

– Do you have expertise in digital forensic and incident response internally or externally?


Conclusion

• Develop a mentality of:

– “If (and when) this happens to us, we’ll be ready to respond…”

Not:

– “This will never happen to us…because <fill in the blank>”

• Practice…


Questions?


Thank you!

Randy Romes, CISSP, CRISC, MCP, PCI-QSA CliftonLarsonAllen LLP Information Security Services / Financial Institutions