Cyber Attack ! Incident Response & Forensic Best Practice

Presentation transcript dated 2012-03-19 (uploaded by vuxuyen, posted 14-Jun-2018)

Overview

Incident Response

Log Interpretation

Forensic Requirement / Evidence Handling

Advanced Correlation For Traceability

Investigative Steps

Real World Examples

Incident Response

Get A Plan In Place & Rehearse It – Do The Preparation Now !

Phase / Day 1

• Identification & Assessment

• Scope / Location / Significance & Impact

Phase / Day 2

• Triage & Containment

• Stop the Bleeding / Contain The Breach

Phase / Day 3

• Eradicate Malware / Breach Method

• Repair

• Report to Customers / Stake Holders

Determine Lessons Learned / Amend Security or Procedures to Reduce Future Occurrences ….

Forensic Requirement

Determine if the Incident is Internal, i.e. HR / Legal / Corporate Risk etc.
Consider the Possibility of a Crime Scene – Civil / Criminal.
Keep Opinions Out – State Facts – Say What You See / Saw.

Document !

• Evidence & Method

• Source Handling

• Custody

Digital Duplicates

• Evidence Files

• Archive Originals

• HASH / Stamps

• Tools Etc

Pro Witness

• Tools Used

• OS / Tech Specific

• Be Objective

• Affidavit

Bag / Tag & Forensically Seal any data / documents.
Use Write Blockers / HASH any Files & Time / Date Stamp.
Create Evidence Files / Working Copies & Digital Duplicates.
Archive Original Evidence to closed session / DVD etc….
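The hashing, duplication and custody steps above, as an added example that is not part of the original deck: it hashes an acquired file, creates a working copy, proves the copy matches the original before it is used, and appends a custody entry. The evidence directory layout, the record fields and the custody log name are assumptions of this example; the sample file is constructed.

```python
"""Evidence hashing, working-copy creation and chain-of-custody record.

Added example (not from the original slide deck). The evidence_dir layout,
the record fields and the 'custody.jsonl' log are assumptions for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, reading in chunks so large images fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_evidence(original, evidence_dir, custodian, note=""):
    """Hash the original, make a working copy, re-hash the copy, write a custody record.

    Returns the record dict. Raises RuntimeError if the copy does not match the
    original: a duplicate that fails verification must never be analysed as evidence.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    original_hashes = hash_file(original)
    copy_path = os.path.join(evidence_dir, os.path.basename(original) + ".working")
    shutil.copy2(original, copy_path)          # copy2 preserves the file timestamps
    if hash_file(copy_path) != original_hashes:
        raise RuntimeError("working copy does not match original: %s" % original)
    record = {
        "item": os.path.basename(original),
        "original_path": os.path.abspath(original),
        "working_copy": os.path.abspath(copy_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "hashes": original_hashes,
        "note": note,
    }
    # Append-only custody log: one JSON object per line, never rewritten.
    with open(os.path.join(evidence_dir, "custody.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_working_copy(record):
    """Re-hash the working copy and compare with the hashes recorded at acquisition."""
    return hash_file(record["working_copy"]) == record["hashes"]


if __name__ == "__main__":
    # Constructed sample: a small log file acquired into a temporary evidence store.
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "fw.log")
        with open(src, "w") as fh:
            fh.write("2011-05-05 13:27:34 DENY 123.123.123.123 -> 10.0.0.5:445\n")
        rec = acquire_evidence(src, os.path.join(tmp, "evidence"), custodian="analyst-1")
        print(json.dumps(rec, indent=2))
        print("working copy verified:", verify_working_copy(rec))
```

The original is hashed before anything else touches it, and the working copy is only accepted once its digests match; in practice the original would sit behind a write blocker and the custody log would be kept on separate, access-controlled storage.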

Investigative Steps

• Collect & Examine Perimeter Logs (Firewall / IDS – IPS / Routers etc) – Forensically Archive Originals & Digital Dupes ! Document Findings & Explore Lines of Evidence.

• Forensically Acquire & Investigate Impacted Devices / Hosts – Document Findings & Explore Lines of Evidence.

• Determine Method of Entry / Payload & Vector / Exit & Nature of Breach – Malware / Data Loss / Command & Control ? Document Findings & Explore Lines of Evidence.

• Profile Attack (Hacker / Malware / Methodology / Modus Operandi) – Document Findings & Explore Lines of Evidence.

• Produce Intelligence / Reports / Recommendations For Required Actions / Legal – HR or Civil / Criminal Case.

Log Interpretation

2011-05-05 13:27:34 W3SVC234959820 123.123.123.123 GET /page/news/news_artists.asp id=999999.9+UNION+ALL+SELECT+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x3130323534383035343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- 80 – 123.123.123.123 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727)+Havij 200 0 0
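Reading that line by hand: the IIS W3C fields are date, time, site, server IP, method, URI stem, query, port, username, client IP, User-Agent, status, substatus and Win32 status; the query carries a UNION ALL SELECT with hex-encoded string literals and a trailing comment, the User-Agent ends in the tool name, and the 200 status says the page served the response. The following added example (not from the original deck) parses lines of that layout, decodes the query and flags those indicators so an analyst can triage a whole log rather than one line. The field order, the indicator list and the two sample lines (the attack line shortened to a few hex literals, the benign line entirely constructed) are this example's assumptions.

```python
"""IIS W3C log triage for SQL-injection indicators.

Added example (not from the original slide deck). The field order, the
indicator patterns and the sample lines are assumptions for illustration.
"""
import re
from urllib.parse import unquote_plus

# Field order assumed from the slide's log line (IIS W3C extended format).
FIELDS = [
    "date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",
    "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)",
    "sc-status", "sc-substatus", "sc-win32-status",
]

# Indicators checked against the decoded query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),
    "hex_literal": re.compile(r"\b0x[0-9a-fA-F]{8,}\b"),
    "comment_terminator": re.compile(r"--\s*$"),
}
# Tool name seen in the slide's User-Agent; extend with others you recognise.
TOOL_AGENTS = re.compile(r"\bHavij\b", re.IGNORECASE)

# Constructed samples: the first follows the slide's line with fewer hex literals,
# the second is a benign request for contrast.
SAMPLE_LINES = [
    "2011-05-05 13:27:34 W3SVC234959820 123.123.123.123 GET /page/news/news_artists.asp "
    "id=999999.9+UNION+ALL+SELECT+0x31303235343830303536%2C0x3130323534383035343830303536"
    "%2C0x31303235343830303536-- 80 - 123.123.123.123 "
    "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727)+Havij 200 0 0",
    "2011-05-05 13:20:01 W3SVC234959820 123.123.123.123 GET /page/news/news_artists.asp "
    "id=42 80 - 203.0.113.9 Mozilla/5.0+(Windows+NT+6.1) 200 0 0",
]


def parse_iis_line(line):
    """Split one W3C line into a dict; IIS writes spaces inside a field as '+'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    rec["query_decoded"] = unquote_plus(rec["cs-uri-query"])
    rec["user_agent_decoded"] = unquote_plus(rec["cs(User-Agent)"])
    return rec


def decode_hex_literals(text):
    """Decode 0x... literals to ASCII; they are used to smuggle strings past quote filters."""
    decoded = []
    for lit in re.findall(r"0x([0-9a-fA-F]+)", text):
        try:
            decoded.append(bytes.fromhex(lit).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable:%s>" % lit)
    return decoded


def analyse_line(line):
    """Return the parsed record plus the names of the indicators that fired."""
    rec = parse_iis_line(line)
    hits = [name for name, rx in INDICATORS.items() if rx.search(rec["query_decoded"])]
    if TOOL_AGENTS.search(rec["user_agent_decoded"]):
        hits.append("known_tool_user_agent")
    rec["hits"] = hits
    rec["hex_decoded"] = sorted(set(decode_hex_literals(rec["query_decoded"])))
    return rec


def triage(lines):
    """Return only the records with at least one indicator, for the analyst to review."""
    return [r for r in (analyse_line(l) for l in lines if l.strip()) if r["hits"]]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        print(rec["date"], rec["time"], rec["c-ip"], rec["sc-status"], rec["hits"])
        print("  decoded hex literals:", rec["hex_decoded"])
```

The decoded hex literals are worth recording in the findings: a repeated constant like the one above is a fingerprint of the tool that generated the request, which feeds the attack-profiling step later in the deck. The 200 status is the other point to note, since it means the request was not rejected and the response body may need to be reconstructed from other sources.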

Advanced Correlation for Traceability

Event A

• Multiple similar attacks over a given time span

• Malware Payload / Vector

• Hack Tool

• Geolocation / IP Address Range

• Time of Day / Week

Event B

• Correlation of Logs / Time, Date

• Geolocation / IP Address Range

• Network Scanning

• Failed User Logons

• User Account Compromised

Alarm & Intelligence

• Hacker Posted Defacement on Blog

• Correlation Alarms on Event A+B or A-B or B-A or B+A

• Recognised Attack Vector / Tool

• Out Of Hours / Unauthorised Behaviour

Look for a common point or pattern between multiple events that gives a clear association.
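The A/B correlation described above, as an added example that is not part of the original deck: a perimeter observation (Event A) and a host observation (Event B) raise an alarm when they share an IP address range inside a time window, in either order (the slide's A+B and B+A), and the alarm is tagged if either event fell outside business hours. The event format, the /24 range, the two-hour window, the business hours and the sample events are assumptions; the sample events are constructed, with the first reusing the time and address from the log line in the deck.

```python
"""Correlating Event A (perimeter) and Event B (host) observations.

Added example (not from the original slide deck). The event fields, the
/24 range, the time window, the business hours and the sample events are
assumptions for illustration.
"""
from datetime import datetime, timedelta
import ipaddress

BUSINESS_HOURS = (8, 18)  # assumed local working hours, Monday to Friday


def same_range(ip_a, ip_b, prefix=24):
    """True when both addresses fall in the same /prefix network."""
    net = ipaddress.ip_network("%s/%d" % (ip_a, prefix), strict=False)
    return ipaddress.ip_address(ip_b) in net


def out_of_hours(ts):
    """Weekend or outside BUSINESS_HOURS: unauthorised-behaviour indicator on its own."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def correlate(events, window=timedelta(hours=2), prefix=24):
    """Pair every Event A with every Event B in the same range within the window.

    events: dicts with ts (datetime), cls ('A' or 'B'), ip (str), detail (str).
    Returns alarm dicts ordered by the earlier event's timestamp; the 'order'
    field records which class came first (A+B or B+A).
    """
    a_events = [e for e in events if e["cls"] == "A"]
    b_events = [e for e in events if e["cls"] == "B"]
    alarms = []
    for ea in a_events:
        for eb in b_events:
            if not same_range(ea["ip"], eb["ip"], prefix):
                continue
            if abs(ea["ts"] - eb["ts"]) > window:
                continue
            first, second = sorted((ea, eb), key=lambda e: e["ts"])
            alarms.append({
                "order": first["cls"] + "+" + second["cls"],
                "range": str(ipaddress.ip_network("%s/%d" % (ea["ip"], prefix), strict=False)),
                "start": first["ts"],
                "events": [first["detail"], second["detail"]],
                "out_of_hours": out_of_hours(first["ts"]) or out_of_hours(second["ts"]),
            })
    return sorted(alarms, key=lambda al: al["start"])


# Constructed sample events; the first reuses the time and address from the slide's log line.
SAMPLE_EVENTS = [
    {"ts": datetime(2011, 5, 5, 13, 27, 34), "cls": "A", "ip": "123.123.123.123",
     "detail": "IDS: UNION SELECT in query, User-Agent Havij"},
    {"ts": datetime(2011, 5, 5, 13, 41, 0), "cls": "B", "ip": "123.123.123.77",
     "detail": "Host: 12 failed logons for 'webadmin'"},
    {"ts": datetime(2011, 5, 6, 2, 15, 0), "cls": "A", "ip": "198.51.100.7",
     "detail": "Firewall: port scan, 400 SYNs in 30s"},
    {"ts": datetime(2011, 5, 4, 9, 0, 0), "cls": "B", "ip": "10.0.0.15",
     "detail": "Host: user account locked out"},
]


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(alarm["start"], alarm["order"], alarm["range"],
              "out of hours" if alarm["out_of_hours"] else "in hours")
        for line in alarm["events"]:
            print("  ", line)
```

Only the first two sample events correlate: the port scan has no host-side counterpart and the lockout has no perimeter one, so neither becomes an alarm on its own, although the scan's timestamp would still trip the out-of-hours check. Widening the prefix or the window trades fewer missed associations for more false pairings, which is the tuning decision behind every correlation rule.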

Real World Example:

Nov 2010 – June 2011

Protracted IT Systems Reconnaissance

Shutdown / Network Hacked & Held Ransom (Root Kit – C&C)

Targeted – CopyCat Hackers

Targeted – WWW Site Defaced

Exploited Commonality between developed websites

Unrelated attacks damage Corporate Reputation

Global Market Presence decline….

Real World Example:

SQLi attack – DB stripped and leaked via PasteBin

Page Defacement

Real World Example:

Profiling the Attackers

Forensics on Servers

Analysis of Logs

Real World Example:

Document & Forensically Archive Everything …..

Recap

Preparation

Phase - Identification

Phase – Triage & Containment

Phase – Repair & Report