incident response - isaca south...

Posted on 11-May-2018

Randy Lee, FireEye Labs: Incident Response

History Of Malware

• 1971: Creeper Virus, experimental self-replicating worm
• 1974: Rabbit, the fork bomb
• 1975: Pervading Animal, first Trojan
• 1981: Elk Cloner, storage vulnerability
• 1986: Brain, boot sector virus
• 1988: Morris Worm, buffer overrun
• 1990: Chameleon, polymorphic virus
• 1991-1999: Michelangelo, Leandro & Kelly, OneHalf, Concept, Ply, CIH, Happy 99, Melissa, ExploreZip, Kak Worm
• 2000-2013: ILOVEYOU, Anna Kournikova, Sadmind Worm, Sircam, Code Red, Code Red II, Nimda, Klez, Simile Virus, Beast, Mylife, Optix Pro, SQL Slammer, Graybird, ProRat, Blaster, Welchia, Sobig, Sober, Agobot, Bolgimo, Bagle, L10n, MyDoom, Netsky, Witty, Sasser, Cabir, Torpig, Koobface, W32.Dozer, Stuxnet, Kenzero… the list goes on

APT – The New Threat Landscape

[Chart: damage of attacks, 2005 to 2013. The curve runs from worms and viruses (disruption), through spyware and bots (cybercrime), to zero-day targeted attacks, dynamic Trojans, stealth bots and advanced persistent threats (cyber-espionage and cybercrime).]

New Threat Landscape

• Dynamic, polymorphic malware
• Coordinated persistent threat actors
• Multi-vector attacks
• Multi-staged attacks

Cyber Attacks

[Chart: percent of deployments (0% to 100%) against incidents/week at normalized bandwidth (10 to 100,000 per 1 Gbps). Source: FireEye Advanced Threat Report, March 2013. * Incidents include inbound and outbound activity.]

• 20% of deployments have thousands of incidents*/week
• Average is about 221 incidents*/week
• 98.5% of deployments see at least 10 incidents*/week/Gbps

Why Are Targeted Attacks Different?

• Often well-funded and organized
• Division of labor for different stages of attack
• Utilize change management processes
• Escalate sophistication of tactics as needed
• They have specific objectives
• Their goal is long-term occupation
• Persistence tools ensure ongoing access
• They are relentlessly focused on their objective
• There’s a human at a keyboard
• Highly tailored and customized attacks
• Targeted specifically at you
• Effective at bypassing preventive controls

It’s a “Who”, Not a “What”… They are Professional, Organized & Well Funded… If You Kick Them Out They Will Return.

Organizations that do not fully understand this often react in ways that do more harm than good by tipping off the attackers.

Old Model Everywhere

• Secure Web Gateways
• IPS
• Anti-Spam Gateways
• Desktop AV
• Firewalls / NGFWs

The New Breed of Attacks Evade Signature-Based Defenses

Multiple Stages of a Next Generation Attack

[Diagram: exploit server and callback server outside the perimeter, NGFW and IPS at the edge, two internal file shares.]

1. Exploitation of System
2. Malware Executable Download
3. Callbacks and Control Established
4. Data Exfiltration
5. Malware Spreads Laterally

Exploit Detection is Critical: All Subsequent Stages can be Hidden or Obfuscated

What is an exploit?

Compromised webpage with exploit object:

1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code

Exploit object can be in ANY web page. An exploit is NOT the same as the malware executable file!

Structure of a multi-flow APT attack

Multi-Flow Structure of APT Attacks (Aurora, Beebus, CFR, etc.)

[Diagram: exploit server, callback server and command and control server around the target endpoint; the slide builds the flows up one at a time.]

• Exploit in compromised Web page
• Exploit injects code in Web browser (embedded exploit alters endpoint)
• Exploit code downloads encrypted malware (not SSL!)
• Exploit code decrypts malware
• Target end point connects to C&C server
• Callback and data exfiltration
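An added detection sketch, not from the deck or any FireEye product, that correlates the two flows the slide singles out, an encrypted body fetched over plain HTTP and the regular callbacks to a different host that follow, across constructed capture records. Host names, addresses, the entropy threshold and the beaconing tolerance are assumptions.

```python
import hashlib, math
from datetime import datetime, timedelta
from statistics import mean, pstdev

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or packed content, far lower for HTML or text."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def is_beaconing(times, max_cv=0.1, min_hits=3):
    """Near-constant gaps between connections to one host look like a callback timer."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return len(times) >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv

def correlate(flows, min_entropy=7.5, min_bytes=256):
    """Per client: a high-entropy body over plain HTTP, then regular callbacks to a different host."""
    findings, by_client = {}, {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_client.setdefault(f["client"], []).append(f)
    for client, fl in by_client.items():
        for i, f in enumerate(fl):
            if f["scheme"] != "http" or len(f["body"]) < min_bytes or shannon_entropy(f["body"]) < min_entropy:
                continue  # not the "encrypted malware download, not SSL" flow
            later = {}
            for g in fl[i + 1:]:
                if g["host"] != f["host"]:
                    later.setdefault(g["host"], []).append(g["ts"])
            for host, times in later.items():
                if is_beaconing(times):
                    findings[client] = {"download_host": f["host"], "callback_host": host, "callbacks": len(times)}
    return findings

def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload (constructed)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

T0 = datetime(2013, 3, 1, 9, 0)

def _flow(sec, client, host, scheme, body):
    return {"ts": T0 + timedelta(seconds=sec), "client": client, "host": host, "scheme": scheme, "body": body}

SAMPLE_FLOWS = [  # constructed capture records, not real traffic
    _flow(0, "10.0.0.5", "news.example", "http", b"<html><p>daily news</p></html>" * 40),
    _flow(2, "10.0.0.5", "cdn.example", "http", _pseudo_random(2048)),  # encrypted blob, plain HTTP
    *[_flow(5 + 60 * k, "10.0.0.5", "cc.example", "http", b"ok") for k in range(4)],  # 60 s callbacks
    _flow(0, "10.0.0.9", "cdn.example", "https", _pseudo_random(2048)),  # over TLS: outside this rule
    *[_flow(s, "10.0.0.9", "mail.example", "http", b"ok") for s in (30, 300, 320, 900)],  # irregular
]
```

Running `correlate(SAMPLE_FLOWS)` flags only 10.0.0.5, naming the download host and the callback host; the rule is a starting point for hunting, not a signature.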

Multi-Vector Structure: Multi-Vector Analysis of RSA Attack

Weaponized email attachment with zero-day exploit (2011 Recruitment Plan.xls).

1 – Email/Web with weaponized malware (SMTP)
2 – User opens attachment causing exploit
3 – Backdoor DLL dropped
4 – Encrypted callback over HTTP to C&C

[Diagram: the weaponized email arrives over SMTP; the document, opened by the user, triggers the exploit; a backdoor DLL is dropped; the client endpoint calls back over encrypted HTTP to the infection server (backdoor C&C / callback server). Multi-vectored attack.]

Multi-Vector Analysis of Operation Beebus Attack

Timeline of attack – multiple vectors, multiple campaigns (Apr 2011 to Jan 2013)

[Chart: campaign timeline with lure file names placed by month. Pairs legible in the extraction: Apr 2011 update.exe; Sept 2011 UNKNOWN; Dec 2011 RHT_SalaryGuide_2012.pdf; further campaign months Feb, Mar, Apr, May, Jul, Aug, Sept and Nov 2012 and Jan 2013.]

Lure files shown on the timeline (in extraction order): install_flash_player.tmp2, Conflict-Minerals-Overview-for-KPMG.doc, dodd-frank-conflict-minerals.doc, update.exe, Boeing_Current_Market_Outlook_…pdf, Understand your blood test report.pdf, RHT_SalaryGuide_2012.pdf, sensor environments.doc, FY2013_Budget_Request.doc, Dept of Defense FY12 …Boeing.pdf, April is the Cruelest Month.pdf, National Human Rights…China.pdf, Security Predictions…2013.pdf, rundll32.exe, UNKNOWN, сообщить.doc, install_flash_player.ex, install_flash_player.tmp2, Global_A&D_outlook_2012.pdf

Targets: Defense Industry, UAV/UAS Manufacturers, Aerospace Industry

1 – Email/Web with weaponized malware (SMTP / HTTP)
2 – Backdoor DLL dropped on user opening email
3 – Encrypted callback over HTTP to C&C

C&C Server: worldnews.alldownloads.ftpserver.biz

Weaponized Email (RHT_SalaryGuide_2012.pdf)

Challenges Incident Response Teams Face

• 1 in 2 experienced malicious code in the past year
• Only 1 in 5 rate incident response programs “very effective.”
• 62% struggle with speed of detection
• 44% struggle with accuracy of detection
• 47% experienced system downtime as a result of an attack
• 66% struggle to detect APT
• 28% have an APT incident response plan

Source: ISMG Incident Response Survey

Copyright © 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL 4

Incident Response – 10 Most Common Mistakes

• Size of organization is not relevant
• Industry is not relevant
• Crisis management capabilities vary
• Technical skills vary
• Consistent patterns of behavior under stress
• Discussion focus: strategic mistakes and technical mistakes

Response Time is Not Getting Better

66%: percentage of breaches taking months or more to be discovered in the 2013 report (62% months, 4% years).
54%: percentage of breaches taking months or more to be discovered in the 2012 annual report.

Figure 5: Timescales of data breaches. Three phases, attack to compromise, compromise to discovery, and discovery to containment, plotted on a scale of minutes, hours, days, weeks, months and years.

• In 84% of cases, the initial compromise took hours — or even less.
• In 66% of cases, the breach wasn’t discovered for months — or even years.
• In 22% of cases, it took months to contain the breach.

Source: 2013 Verizon Data Breach Investigations Report
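As an added illustration that is not part of the deck: building the incident timeline the later slides insist on, then measuring each of the three phases from Figure 5 and placing it on the figure's minutes-to-years scale. Event kinds, timestamps and sources are constructed.

```python
from datetime import datetime

# Coarse scale of the DBIR "timescales of data breaches" figure, in seconds per unit.
SCALE = [("minutes", 60), ("hours", 3600), ("days", 86400),
         ("weeks", 7 * 86400), ("months", 30 * 86400), ("years", 365 * 86400)]

def bucket(seconds: float) -> str:
    """Largest unit the duration reaches; anything under an hour reads as 'minutes'."""
    label = "minutes"
    for name, size in SCALE:
        if seconds >= size:
            label = name
    return label

def build_timeline(events):
    """Merge events from different sources (mail gateway, endpoint agent, tickets) into one ordered timeline."""
    return sorted(events, key=lambda e: e["ts"])

def phase_durations(timeline):
    """Attack->compromise, compromise->discovery, discovery->containment, from the earliest event of each kind."""
    first = {}
    for e in timeline:
        first.setdefault(e["kind"], e["ts"])
    out = {}
    for a, b in (("attack", "compromise"), ("compromise", "discovery"), ("discovery", "containment")):
        if a in first and b in first:
            secs = (first[b] - first[a]).total_seconds()
            out[f"{a}_to_{b}"] = (secs, bucket(secs))
        else:
            out[f"{a}_to_{b}"] = None  # phase still open, e.g. containment not yet done
    return out

# Constructed sample incident, deliberately out of order as raw collection leaves it.
SAMPLE_EVENTS = [
    {"ts": datetime(2013, 4, 15, 10, 0), "kind": "discovery", "source": "analyst ticket",
     "note": "beaconing to unknown host noticed in proxy logs"},
    {"ts": datetime(2013, 1, 7, 9, 14), "kind": "compromise", "source": "endpoint agent",
     "note": "backdoor DLL written by document viewer"},
    {"ts": datetime(2013, 1, 7, 9, 12), "kind": "attack", "source": "mail gateway",
     "note": "weaponized attachment delivered"},
    {"ts": datetime(2013, 4, 22, 10, 0), "kind": "containment", "source": "network team",
     "note": "host isolated, callback domain blocked"},
]

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_EVENTS):
        print(e["ts"].isoformat(), e["kind"].ljust(11), e["source"].ljust(14), e["note"])
    print(phase_durations(build_timeline(SAMPLE_EVENTS)))
```

On the sample the phases come out as minutes, months and weeks respectively, the same shape as the figure's 84% / 66% / 22% story.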


IR 10 Most Common Mistakes

• Nobody is in charge

• Failure to establish command center

• Failure to create containment plan

• Failure to document

• Failure to create incident timeline

• Failure to find & know the enemy

• Confusing containment with remediation

• Failure to secure network perimeters

• Inadequate logging

• Orphaned A/V systems

Avoid the IR Traps

• Establish an Incident Response Program
• Know your network
• Log, log, log
• Actively manage your Enterprise A/V system
• Know your enemy
• Document, document, document
• Create an incident timeline
• Create a remediation plan
• Contain first, then remediate

Security Incident Response

Threat Identification
• Determine the specific threat(s) in the environment
• Identify the specific behaviors of those threat(s)
• Determine attack vector and initial threat timeline

Incident Scoping
• Identify the geographic impact of the threat(s)
• Determine the scope of business disruption
• Identify assets at risk

Containment Strategy
• Create and document a threat containment strategy
• Establish a communication process
• Delegate and manage containment tasks

Evidence Collection & Forensic Analysis
• Acquire relevant evidence in an approved manner
• Place all evidence in chain-of-custody process
• Analyze evidence and respond accordingly

Reporting
• Create initial findings report
• Document incident timeline
• Document recommendations
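An added example, not from the deck, of the chain-of-custody step in the evidence collection phase: hash each item at acquisition, record every hand-off against that hash, and refuse a hand-off whose bytes no longer match. Item ids, names, timestamps and the image bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Evidence:
    """One acquired item: its acquisition hash and an append-only custody log."""
    item_id: str
    description: str
    acquired_hash: str
    log: list = field(default_factory=list)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(item_id, description, data, collector, when):
    """Hash at acquisition; every later custody step is checked against this value."""
    ev = Evidence(item_id, description, sha256_hex(data))
    ev.log.append({"ts": when, "action": "acquired", "by": collector, "hash": ev.acquired_hash})
    return ev

def transfer(ev, data, from_person, to_person, purpose, when):
    """Record a hand-off; if the bytes no longer match, log an integrity failure and return False."""
    h = sha256_hex(data)
    intact = h == ev.acquired_hash
    ev.log.append({"ts": when, "action": "transfer" if intact else "integrity_failure",
                   "from": from_person, "to": to_person, "purpose": purpose, "hash": h})
    return intact

def custody_report(ev):
    """Plain-text chain of custody for the findings report."""
    lines = [f"{ev.item_id}: {ev.description} (sha256 {ev.acquired_hash})"]
    for e in ev.log:
        who = e["by"] if e["action"] == "acquired" else f'{e["from"]} -> {e["to"]} ({e["purpose"]})'
        lines.append(f'  {e["ts"].isoformat()}  {e["action"]:<17} {who}')
    return "\n".join(lines)

# Constructed stand-in for an acquired memory image.
IMAGE = b"MEMIMG\x00" + bytes(range(256)) * 4

def demo_chain():
    """Acquisition, one clean hand-off, then a hand-off where the bytes were altered (constructed timestamps)."""
    ev = acquire("E-001", "memory image, host WS-17", IMAGE, "analyst A", datetime(2013, 4, 15, 11, 0))
    ok1 = transfer(ev, IMAGE, "analyst A", "analyst B", "malware triage", datetime(2013, 4, 15, 13, 0))
    ok2 = transfer(ev, IMAGE + b"\x00", "analyst B", "legal hold", "preservation", datetime(2013, 4, 16, 9, 0))
    return ev, ok1, ok2

if __name__ == "__main__":
    ev, _, _ = demo_chain()
    print(custody_report(ev))
```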

Next Generation Threat Protection

Re-imagined. Security.

Questions?