incident response - isaca south...
TRANSCRIPT
History Of Malware
• 1971 – Creeper Virus: experimental self-replicating worm
• 1974 – Rabbit: the fork bomb
• 1975 – Pervading Animal: first Trojan
• 1981 – Elk Cloner: storage vulnerability
• 1986 – Brain: boot sector virus
• 1988 – Morris Worm: buffer overrun
• 1990 – Chameleon: polymorphic virus
• 1991–1999: Michelangelo, Leandro & Kelly, OneHalf, Concept, Ply, CIH, Happy 99, Melissa, ExploreZip, Kak Worm
• 2000–2013:
• ILOVEYOU
• Anna Kournikova
• Sadmind Worm
• Sircam
• Code Red
• Code Red II
• Nimda
• Klez
• Simile Virus
• Beast
• Mylife
• Optix Pro
• SQL Slammer
• Graybird
• ProRat
• Blaster
• Welchia
• Sobig
• Sober
• Agobot
• Bolgimo
• Bagle
• L10n
• MyDoom
• Netsky
• Witty
• Sasser
• Cabir
• Torpig
• Koobface
• W32.Dozer
• Stuxnet
• Kenzero
• The list goes on…
APT – The New Threat Landscape
[Chart: Damage of Attacks, 2005–2013. Worms and Viruses (Disruption); Spyware/Bots (Cybercrime); Advanced Persistent Threats: Zero-day Targeted Attacks, Dynamic Trojans, Stealth Bots (Cyber-espionage and Cybercrime).]
New Threat Landscape
• Dynamic, Polymorphic Malware
• Coordinated Persistent Threat Actors
• Multi-Vector Attacks
• Multi-Staged Attacks
Cyber Attacks
[Chart: Percent of Deployments (0–100%) against Incidents/Week at Normalized Bandwidth (1 Gbps), log scale from 10 to 100,000.]
Source: FireEye Advanced Threat Report, March, 2013
* Incidents include inbound and outbound activity
• 20% of deployments have thousands of incidents*/week
• Average is about 221 incidents*/week
• 98.5% of deployments see at least 10 incidents*/week/Gbps
Why Are Targeted Attacks Different?
• Often well-funded and organized
• Division of labor for different stages of attack
• Utilize change management processes
• Escalate sophistication of tactics as needed
• They have specific objectives
• Their goal is long-term occupation
• Persistence tools ensure ongoing access
• They are relentlessly focused on their objective
• There’s a human at a keyboard
• Highly tailored and customized attacks
• Targeted specifically at you
• Effective at bypassing preventive controls
It’s a “Who”, Not a “What”…
They are Professional, Organized & Well Funded…
If You Kick Them Out They Will Return
Organizations that do not fully understand this often react in ways that do more harm than good by tipping off the attackers.
Old Model Everywhere
Secure Web Gateways, IPS, Anti-Spam Gateways, Desktop AV, Firewalls / NGFWs
The New Breed of Attacks Evade Signature-Based Defenses
Multiple Stages of a Next Generation Attack
Exploit Detection is Critical – All Subsequent Stages can be Hidden or Obfuscated
[Diagram: Exploit Server, Callback Server, NGFW, IPS, File Share 1, File Share 2]
1. Exploitation of System
2. Malware Executable Download
3. Callbacks and Control Established
4. Data Exfiltration
5. Malware Spreads Laterally
What is an exploit?
Compromised webpage with exploit object
1. Exploit object rendered by vulnerable software
2. Exploit injects code into running program memory
3. Control transfers to exploit code
Exploit object can be in ANY web page
An exploit is NOT the same as the malware executable file!
Structure of a multi-flow APT attack
Multi-Flow Structure of APT Attacks (Aurora, Beebus, CFR, etc.)
[Diagram: Exploit Server, Callback Server, Command and Control Server; Embedded Exploit Alters Endpoint; Encrypted Malware; Decrypt]
1. Exploit in compromised Web page
2. Exploit injects code in Web browser
3. Exploit code downloads encrypted malware (not SSL!)
4. Exploit code decrypts malware
5. Target end point connects to C&C server
6. Callback and data exfiltration
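Added example, not part of the slides and not FireEye code: detection logic for the two flows this slide singles out. The first check looks for a plain-HTTP response (no SSL) that declares a harmless Content-Type but whose body has the byte entropy of ciphertext; the second correlates, per internal endpoint, such a download with repeated follow-up connections to a host that endpoint had never contacted before, which is the multi-flow pattern the diagram describes. The flow records, host names and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float          # seconds since start of capture
    src: str           # internal endpoint
    dst: str           # external host contacted
    port: int
    content_type: str  # Content-Type declared by the server
    body: bytes        # response body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the body; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_encrypted_download(flow: Flow, threshold: float = 7.0, min_len: int = 256) -> bool:
    """Plain HTTP (port 80, no TLS) that claims to be text or an image but whose
    body is as dense as ciphertext: the 'encrypted malware download (not SSL!)' stage."""
    if flow.port != 80 or len(flow.body) < min_len:
        return False
    if not flow.content_type.startswith(("text/", "image/")):
        return False
    return shannon_entropy(flow.body) > threshold


def find_multi_flow_chains(flows, window: float = 600.0, min_beacons: int = 3):
    """Correlate per endpoint: a suspicious download followed, within `window` seconds,
    by at least `min_beacons` connections to a host the endpoint had never contacted."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    chains = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        for i, dl in enumerate(fl):
            if not is_encrypted_download(dl):
                continue
            known = {f.dst for f in fl[: i + 1]}   # hosts seen up to and including the download
            later = defaultdict(list)
            for f in fl[i + 1:]:
                if f.ts - dl.ts > window:
                    break
                if f.dst not in known:
                    later[f.dst].append(f.ts)
            for dst, times in later.items():
                if len(times) >= min_beacons:
                    chains.append({"endpoint": src, "stage_host": dl.dst,
                                   "c2_host": dst, "beacons": len(times)})
    return chains


# Constructed sample flows (not real traffic): one endpoint follows the multi-flow
# pattern, the other only fetches ordinary pages and a low-entropy image.
HTML = b"<html><body><p>Quarterly results and market outlook.</p></body></html>" * 8
CIPHERTEXT = bytes(range(256)) * 4                # uniform byte distribution: entropy 8.0
PNG_LIKE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 400     # mostly zeros: low entropy

SAMPLE_FLOWS = [
    Flow(0,   "10.0.0.5", "news.example", 80, "text/html",  HTML),
    Flow(5,   "10.0.0.5", "cdn.example",  80, "image/gif",  CIPHERTEXT),
    Flow(65,  "10.0.0.5", "cc.example",   80, "text/plain", b"ok"),
    Flow(125, "10.0.0.5", "cc.example",   80, "text/plain", b"ok"),
    Flow(185, "10.0.0.5", "cc.example",   80, "text/plain", b"ok"),
    Flow(0,   "10.0.0.9", "news.example", 80, "text/html",  HTML),
    Flow(7,   "10.0.0.9", "cdn.example",  80, "image/png",  PNG_LIKE),
    Flow(60,  "10.0.0.9", "mail.example", 80, "text/html",  HTML),
]

if __name__ == "__main__":
    for chain in find_multi_flow_chains(SAMPLE_FLOWS):
        print(chain)
```

Entropy alone produces false positives (compressed images and archives are also dense), which is why the second function only raises a chain when the download is followed by repeated contact with a previously unseen host from the same endpoint. On real sensor data the window and beacon count should be tuned to the environment.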
Multi-Vector Structure
Weaponized email attachment with zero-day exploit
[Diagram: Weaponized Email (2011 Recruitment Plan.xls); Callback Server; Backdoor C&C Server; Backdoor DLL dropped; Client endpoint calls back to infection server]
• Email with weaponized document, opened by user, causing exploit
• Encrypted callback over HTTP to command and control server
Multi-vectored attack
Multi-Vector Analysis of RSA Attack
1 – Email/Web with weaponized malware
2 – User opens attachment causing exploit
3 – Backdoor DLL dropped
4 – Encrypted callback over HTTP to C&C
[Diagram: SMTP delivery of Weaponized Email (2011 Recruitment Plan.xls); Backdoor; Encrypted callback to C&C Server]
Multi-vectored attack
Multi-Vector Analysis of Operation Beebus Attack
Timeline of attack – multiple vectors, multiple campaigns (Apr 2011 – Jan 2013)
• Apr 2011 – update.exe
• Sept 2011 – UNKNOWN
• Dec 2011 – RHT_SalaryGuide_2012.pdf
• Feb, Mar, Apr, May, Jul, Aug, Sept, Nov 2012 and Jan 2013 – lure documents and droppers including: install_flash_player.tmp2, Conflict-Minerals-Overview-for-KPMG.doc, dodd-frank-conflict-minerals.doc, update.exe, Boeing_Current_Market_Outlook_…pdf, Understand your blood test report.pdf, RHT_SalaryGuide_2012.pdf, sensor environments.doc, FY2013_Budget_Request.doc, Dept of Defense FY12 …Boeing.pdf, April is the Cruelest Month.pdf, National Human Rights…China.pdf, Security Predictions…2013.pdf, rundll32.exe, UNKNOWN, сообщить.doc, install_flash_player.ex, install_flash_player.tmp2, Global_A&D_outlook_2012.pdf
Targets: Defense Industry, UAV/UAS Manufacturers, Aerospace Industry
1 – Email/Web with weaponized malware
2 – Backdoor DLL dropped on user opening email
3 – Encrypted callback over HTTP to C&C
[Diagram: SMTP / HTTP delivery of Weaponized Email (RHT_SalaryGuide_2012.pdf); Backdoor; Encrypted callback to C&C Server: worldnews.alldownloads.ftpserver.biz]
Challenges Incident Response Teams Face
• 1/2 experienced malicious code in the past year
• Only 1 in 5 rate incident response programs “very effective.”
• 62% struggle with speed of detection
• 44% struggle with accuracy of detection
• 47% experienced system downtime as a result of an attack
• 66% struggle to detect APT
• 28% have an APT incident response plan
Source: ISMG Incident Response Survey
Incident Response – 10 Most Common Mistakes
• Size of organization is not relevant
• Industry is not relevant
• Crisis management capabilities vary
• Technical skills vary
• Consistent patterns of behavior under stress
• Discussion focus: Strategic Mistakes and Technical Mistakes
Response Time is Not Getting Better
[Figure 5: Timescales of data breaches – Attack to Compromise, Compromise to Discovery, Discovery to Containment, on a scale of Minutes, Hours, Days, Weeks, Months, Years]
• 2013: 66% of breaches took months or more to be discovered (62% months, 4% years).
• 2012 annual report: 54% of breaches took months or more to be discovered.
• In 84% of cases, the initial compromise took hours — or even less.
• In 66% of cases, the breach wasn’t discovered for months — or even years.
• In 22% of cases, it took months to contain the breach.
Source: 2013 Verizon Data Breach Investigations Report
IR 10 Most Common Mistakes
• Nobody is in charge
• Failure to establish command center
• Failure to create containment plan
• Failure to document
• Failure to create incident timeline
• Failure to find & know the enemy
• Confusing containment with remediation
• Failure to secure network perimeters
• Inadequate logging
• Orphaned A/V systems
Avoid the IR Traps
• Establish an Incident Response Program
• Know your network
• Log, log, log
• Actively manage your Enterprise A/V system
• Know your enemy
• Document, document, document
• Create an incident timeline
• Create a remediation plan
• Contain first – then remediate
Security Incident Response
Threat Identification
• Determine the specific threat(s) in the environment
• Identify the specific behaviors of those threat(s)
• Determine attack vector and initial threat timeline
Incident Scoping
• Identify the geographic impact of the threat(s)
• Determine the scope of business disruption
• Identify assets at risk
Containment Strategy
• Create and document a threat containment strategy
• Establish a communication process
• Delegate and manage containment tasks
Evidence Collection & Forensic Analysis
• Acquire relevant evidence in an approved manner
• Place all evidence in chain-of-custody process
• Analyze evidence and respond accordingly
Reporting
• Create initial findings report
• Document incident timeline
• Document recommendations
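As an added example that is not part of the slides and not FireEye tooling, the Python below walks the phases above on constructed data: an evidence item acquired with a SHA-256 hash and a chain-of-custody log that records every hand-off, events from several log sources merged into one incident timeline (whose earliest entry is the candidate initial attack vector), in-scope hosts derived from that timeline, and an initial findings report carrying the recommendations. Host names, event text, handler names and the sample memory-image bytes are all made up for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def utc(y, mo, d, h, mi):
    """Timeline entries must share one clock; everything here is UTC."""
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str
    custody: list = field(default_factory=list)   # (iso time, handler, action)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_id, description, data: bytes, collector: str, when: datetime) -> EvidenceItem:
    """Hash at acquisition so later tampering is detectable; open the custody log."""
    item = EvidenceItem(item_id, description, sha256_hex(data))
    item.custody.append((when.isoformat(), collector, "acquired"))
    return item


def transfer(item: EvidenceItem, from_handler: str, to_handler: str, when: datetime):
    """Every hand-off is appended, never rewritten."""
    item.custody.append((when.isoformat(), f"{from_handler} -> {to_handler}", "transferred"))


def verify(item: EvidenceItem, data: bytes) -> bool:
    """Re-hash before analysis; a mismatch means the item cannot be relied on."""
    return sha256_hex(data) == item.sha256


@dataclass
class Event:
    when: datetime
    source: str    # which log produced it
    host: str
    summary: str


def build_timeline(events):
    """Merge events from all sources into one chronological incident timeline."""
    return sorted(events, key=lambda e: e.when)


def scope_hosts(timeline):
    """Assets touched by the incident, derived from the timeline rather than guessed."""
    return sorted({e.host for e in timeline})


def findings_report(incident_id, timeline, evidence, recommendations):
    first = timeline[0]   # earliest known activity: candidate initial vector
    return {
        "incident": incident_id,
        "initial_vector": f"{first.source}: {first.summary}",
        "first_seen": first.when.isoformat(),
        "last_seen": timeline[-1].when.isoformat(),
        "hosts_in_scope": scope_hosts(timeline),
        "timeline": [(e.when.isoformat(), e.source, e.host, e.summary) for e in timeline],
        "evidence": [(i.item_id, i.sha256, len(i.custody)) for i in evidence],
        "recommendations": recommendations,
    }


# Constructed sample events, deliberately out of order as they arrive from different sources.
SAMPLE_EVENTS = [
    Event(utc(2013, 3, 4, 8, 16), "web_proxy", "WS-17", "HTTP POST to previously unseen external host"),
    Event(utc(2013, 3, 4, 9, 40), "domain_controller", "DC-01", "interactive logon from WS-17 with admin account"),
    Event(utc(2013, 3, 4, 8, 12), "email_gateway", "WS-17", "message with .xls attachment delivered"),
    Event(utc(2013, 3, 4, 8, 15), "endpoint_agent", "WS-17", "excel.exe spawned unexpected child process"),
]

SAMPLE_MEMORY_IMAGE = b"constructed placeholder for a memory image"   # not a real image


def run_sample():
    item = acquire("E-001", "memory image of WS-17", SAMPLE_MEMORY_IMAGE, "analyst-a", utc(2013, 3, 4, 10, 0))
    transfer(item, "analyst-a", "evidence-locker", utc(2013, 3, 4, 11, 30))
    timeline = build_timeline(SAMPLE_EVENTS)
    return findings_report("IR-2013-001", timeline, [item],
                           ["contain WS-17 and DC-01 before any remediation",
                            "reset the admin account used in the lateral logon"])


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The report puts containment ahead of remediation in its recommendations, matching the "contain first, then remediate" trap above; the timeline is what makes the scope (two hosts, not one) visible before any containment task is delegated.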