SlideShare uma empresa Scribd logo
1 de 48
Baixar para ler offline
CNIT 152:
Incident
Response
1 Real-World Incidents
Updated 8-17-2020
Events and Incidents
• Event
• Any observable occurrence in a system or
network
• Incident
• Violation or threat of violation of security
policies, acceptable use policies, or standard
security practices
Incident Response
• Confirm whether an incident occurred
• Rapid detection and containment
• Determine scope
• Prevent a disjointed, noncohesive response
• Determine and promote facts and actual
information
• Minimize disruption to business and network
operations
Incident Response
• Minimize damage to the compromised
organization
• Restore normal operations
• Manage public perception
• Allow for legal action against perpetrators
• Educate senior management
• Enhance security posture against future
incidents
IR Teams
• Investigation team
• Determines what has happened and performs
a damage assessment
• Remediation team
• Removes the attacker and enhances security
posture
• Public relations
Live Response
• Classical forensics was done post-mortem
• On a hard disk image
• Now much analysis was performed on systems
that are powered on (live)
• Including memory analysis to see running
processes, network connections, etc.
Case 1
Show Me the Money
Initial Compromise
• Early January: SQL injection vulnerability
exploited on server WEB1
• In a DMZ belonging to a small business unit
purchased by the parent organization four years
prior
• Command execution on database server DB1, with
privileges of the SQL Server service (local
administrator)
• Using xp_cmdshell
• Download malware and execute it on DB1
Escape DMZ
• Misconfiguration in DMZ firewall allowed
malware to execute SQL commands on a
database server intDB1
• Located within the corporate environment
Recon
• Attacker spent weeks performing
reconnaissance of corporate environment
• For first week, attacker used SQL injection
• Then the attacker implanted a backdoor
• Extracted and cracked password hash for local
administrator account on intDB1
• Now the attacker has local admin on most
systems
Lockheed
-Martin
Kill Chain
Mitre ATT&CK
Exploit Domain Controller
• Installed keylogger malware
• Obtained password hashes from multiple
systems for administrator accounts
• Including hashes from the Domain Controller
Mid-February
• More than 20 backdoors, spanning three distinct
malware families
• We'll call the primary backdoor family BKDOOR
• Custom malware creation kit
• Allowed attacker to modify binaries to avoid
antivirus detection
BKDOOR
• Full control of victim system
• File upload and download
• Tunnel Remote Desktop Protocol trafic into the
environment
• Proxy network traffic between backdoors
• Encrypts command-and-control (C2) traffic with
RC4 "C2 data"
• Persistence through "DLL search-order
hijacking"
PROXY Malware Family
• Redirected connections to destination address
specified in its configuration file
• Can also accept original destination address
from the BKDOOR malware
BKDNS Malware Family
• Tunneled C2 traffic through DNS queries and
responses
• A backup system, not used during this
investigation
• Used on both Windows and Linux systems
Late March
• Attacker stole data multiple times
• Took usernames and passwords
• Network architecture and IT information
• Information about financial systems and how
financial data was handled
Stealing Financial Data
• Outbound FTP connection to an attacker-
controlled FTP server
• Also used a backdoor to send financial data to
C2 server
• Compressed the data as ZIP, RAR or CAB files
Jump Server
• Gateway into restricted financial environment
PCI Data
• Payment Card Industry data
• Magnetic stripe has two tracks
• Track 1 & Track 2 (similar data)
• CVV/CVV2 number used to verify physical
possession of the card
• Not all merchants collect the CVV/CVV2 number
Compromise JMPSRV
• Gained access with stolen domain administrator
password (two-factor authentication not used)
• Transferred reconnaissance tools to JMPSRV
• Begin reconnaissance of restricted financial
environment
• Took password hashes from RAM on JMPSRV
Recon
• Next two months finding
• Systems that processed or stored cardholder
information
• Systems with direct Internet connections
• Stole documents that described the
infrastructure
Naming Convention
• 90 systems processed or stored financial
information
• PROC_FIN01, PROC_FIN02, STOR_FIN01,
STOR_FIN02, etc.
• None connected directly to the Internet
• Attacker sent data through JMPSRV and MAIL to
get out
Proxy Connections
Testing Methods
• Put Sysinternals "PsSuite" on PROC_FIN01
• Used pslist to see running processes
• Dumped RAM from multiple processes
• Created a RAR archive and transferred it out
• Trying to find processes that contained
cardholder data
Cardharvest
• Two days later, attacker installed a custom binary
named "cardharvest.exe" onto PROC_FIN01
• Searched process RAM for Track 2 data every
15 seconds
• Hashed the data to prevent duplicate collection
• Encrypted it using RC4 and a hard-coded static
key
• Saved it to a local file
Three Months
• Over the next three months
• Attacker stole millions of cardholder data
records
• From all 90 financial systems
Detection
• After ten months of exploitation
• A system administrator noticed that MAIL was
communicating with a server in a foreign
country over port 80
• Triage showed that there was a compromise
• Initiated incident response
Incident Response
• Team travelled to client location
• Immediate containment plan
• Comprehensive incident investigation
• Eradication event to remove all traces of the
attacker
• Less than two months for complete IR
Investigation Team
Remediation Team
Case 2
Certificate of Authenticity
Initial Compromise
• In mid-May, attacker sent 100 spear-phishing
emails
• Targets chosen because of business
relationship to speakers at an industry
conference
• Most had local administrator privileges
• None had domain administrator privileges
Malicious PDF
• One recipient, Bob, opened the attachment with
a vulnerable version of Adobe Acrobat
• Exploit installed GHoST RAT (Remote Access
Trojan)
• Attacker gained control of BOBSYS01 from the
C2 server
VPN Compromise
• Two days later, attacker performed
reconnaissance on BOBSYS01
• Bob was an engineer
• Had VPN software that used a machine
certificate, username, and password
• Obtained and cracked local administrator
password hash
• Used mimikatz.exe to extract Bob's password
and VPN machine certificate
The Attacker Obtained
• No longer needs Bob's system
• Attacker can now VPN in from any system
HOME3
• Less than one week later
• Attacker connected via VPN from a system
named HOME3
• Used RDP but ended the session by closing the
window instead of logging out
• Caused an event to be logged in the Security
event log
• Capturing attacker's host name and IP
address (from Texas)
Recon
• Attacker spent the next 2 weeks performing
reconnaissance
• Mapped network shares and directory listings
• Installed keyloggers
• Accessed email through Outlook Web Access
(OWA) with stolen credentials
SENS1
• Two weeks later, attacker started accessing
business-critical data from a share on file server
SENS1
• Sensitive engineering data for a new product
• Access Control Lists (ACLs) restricted this data
to engineers working on the project
• But the attacker had local administrator
access and modified the ACLs to gain access
Next Four Weeks
• Attacker sporadically stole data
• Created encrypted RAR files
• Renamed them to CAB files
• Uploaded to an attacker-controlled FTP server
• Then deleted RAR file and ran Windows
defragmentation utility
• In an attempt to cover tracks
SIEM
• Two weeks after the attacker began stealing
data
• Company started evaluating a new Security
Information and Event Management (SIEM)
utility
• Included VPN logs in the data sets
• SIEM showed Bob logging in from multiple
systems and IP addresses simultaneously on
multiple days
Chasing Attacker
• Security staff disabled Bob's account
• Attacker started using another account, Mary's
• SIEM quickly discovered malicious use of
Mary's account
• Initiated incident response and called IR
specialists in
Real IR
• Identify IP addresses attacker used to VPN from
• GHoST RAT was sending beacons to one of
those same IPs
• This led to discovery of compromise on
BOBSYS01
• Comprehensive eradication event performed
two weeks after IR initiated
OWA Access
• Two days after the eradication event
• SIEM detected one of attacker's IP addresses
attempting access to OWA, with multiple user
accounts
• Even though company had changed all
passwords during the eradication event, not all
users had actually changed their passwords
• A second enterprise-level password change
disabled all accounts that failed to change
passwords within 24 hours
CNIT 152: 1 Real-World Incidents
Attack Lifecycle
CNIT 152: 1 Real-World Incidents

Mais conteúdo relacionado

Mais procurados

CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceSam Bowne
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookSam Bowne
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistrySam Bowne
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
 
CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1Sam Bowne
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationSam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)Sam Bowne
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionSam Bowne
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence Sam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
CNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis MethodologyCNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis MethodologySam Bowne
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceSam Bowne
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsSam Bowne
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesSam Bowne
 
CNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsCNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsSam Bowne
 

Mais procurados (20)

CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
 
CNIT 121: 9 Network Evidence
CNIT 121: 9 Network EvidenceCNIT 121: 9 Network Evidence
CNIT 121: 9 Network Evidence
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
 
CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows Registry
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X Systems
 
CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident Preparation
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data Collection
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data Collection
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
 
CNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis MethodologyCNIT 152 11 Analysis Methodology
CNIT 152 11 Analysis Methodology
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating Applications
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
 
CNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsCNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X Systems
 

Semelhante a CNIT 152: 1 Real-World Incidents

Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Shah Sheikh
 
Cloud Security Engineering - Tools and Techniques
Cloud Security Engineering - Tools and TechniquesCloud Security Engineering - Tools and Techniques
Cloud Security Engineering - Tools and TechniquesGokul Alex
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesDragos, Inc.
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleSam Bowne
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksSecurity Bootcamp
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...APNIC
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
ModSecurity 3.0 and NGINX: Getting Started - EMEA
ModSecurity 3.0 and NGINX: Getting Started - EMEAModSecurity 3.0 and NGINX: Getting Started - EMEA
ModSecurity 3.0 and NGINX: Getting Started - EMEANGINX, Inc.
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...TI Safe
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedNGINX, Inc.
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHostway|HOSTING
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataInderjeet Singh
 

Semelhante a CNIT 152: 1 Real-World Incidents (20)

Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
 
Cloud Security Engineering - Tools and Techniques
Cloud Security Engineering - Tools and TechniquesCloud Security Engineering - Tools and Techniques
Cloud Security Engineering - Tools and Techniques
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring Rationale
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber Attacks
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
ModSecurity 3.0 and NGINX: Getting Started - EMEA
ModSecurity 3.0 and NGINX: Getting Started - EMEAModSecurity 3.0 and NGINX: Getting Started - EMEA
ModSecurity 3.0 and NGINX: Getting Started - EMEA
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
 
W982 05092004
W982 05092004W982 05092004
W982 05092004
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting Started
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best Practices
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your Data
 

Mais de Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 

Mais de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Último

Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICESayali Powar
 
Work Experience for psp3 portfolio sasha
Work Experience for psp3 portfolio sashaWork Experience for psp3 portfolio sasha
Work Experience for psp3 portfolio sashasashalaycock03
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRATanmoy Mishra
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptxmary850239
 
10 Topics For MBA Project Report [HR].pdf
10 Topics For MBA Project Report [HR].pdf10 Topics For MBA Project Report [HR].pdf
10 Topics For MBA Project Report [HR].pdfJayanti Pande
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?TechSoup
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapitolTechU
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
Optical Fibre and It's Applications.pptx
Optical Fibre and It's Applications.pptxOptical Fibre and It's Applications.pptx
Optical Fibre and It's Applications.pptxPurva Nikam
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsEugene Lysak
 
Riddhi Kevadiya. WILLIAM SHAKESPEARE....
Riddhi Kevadiya. WILLIAM SHAKESPEARE....Riddhi Kevadiya. WILLIAM SHAKESPEARE....
Riddhi Kevadiya. WILLIAM SHAKESPEARE....Riddhi Kevadiya
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesCeline George
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
3.26.24 Race, the Draft, and the Vietnam War.pptx
3.26.24 Race, the Draft, and the Vietnam War.pptx3.26.24 Race, the Draft, and the Vietnam War.pptx
3.26.24 Race, the Draft, and the Vietnam War.pptxmary850239
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxraviapr7
 
EBUS5423 Data Analytics and Reporting Bl
EBUS5423 Data Analytics and Reporting BlEBUS5423 Data Analytics and Reporting Bl
EBUS5423 Data Analytics and Reporting BlDr. Bruce A. Johnson
 

Último (20)

Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICE
 
March 2024 Directors Meeting, Division of Student Affairs and Academic Support
March 2024 Directors Meeting, Division of Student Affairs and Academic SupportMarch 2024 Directors Meeting, Division of Student Affairs and Academic Support
March 2024 Directors Meeting, Division of Student Affairs and Academic Support
 
Work Experience for psp3 portfolio sasha
Work Experience for psp3 portfolio sashaWork Experience for psp3 portfolio sasha
Work Experience for psp3 portfolio sasha
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRADUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
DUST OF SNOW_BY ROBERT FROST_EDITED BY_ TANMOY MISHRA
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptx
 
10 Topics For MBA Project Report [HR].pdf
10 Topics For MBA Project Report [HR].pdf10 Topics For MBA Project Report [HR].pdf
10 Topics For MBA Project Report [HR].pdf
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptx
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
Optical Fibre and It's Applications.pptx
Optical Fibre and It's Applications.pptxOptical Fibre and It's Applications.pptx
Optical Fibre and It's Applications.pptx
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George Wells
 
Riddhi Kevadiya. WILLIAM SHAKESPEARE....
Riddhi Kevadiya. WILLIAM SHAKESPEARE....Riddhi Kevadiya. WILLIAM SHAKESPEARE....
Riddhi Kevadiya. WILLIAM SHAKESPEARE....
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 Sales
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
3.26.24 Race, the Draft, and the Vietnam War.pptx
3.26.24 Race, the Draft, and the Vietnam War.pptx3.26.24 Race, the Draft, and the Vietnam War.pptx
3.26.24 Race, the Draft, and the Vietnam War.pptx
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptx
 
EBUS5423 Data Analytics and Reporting Bl
EBUS5423 Data Analytics and Reporting BlEBUS5423 Data Analytics and Reporting Bl
EBUS5423 Data Analytics and Reporting Bl
 

CNIT 152: 1 Real-World Incidents

  • 1. CNIT 152: Incident Response 1 Real-World Incidents Updated 8-17-2020
  • 2. Events and Incidents • Event • Any observable occurrence in a system or network • Incident • Violation or threat of violation of security policies, acceptable use policies, or standard security practices
  • 3. Incident Response • Confirm whether an incident occurred • Rapid detection and containment • Determine scope • Prevent a disjointed, noncohesive response • Determine and promote facts and actual information • Minimize disruption to business and network operations
  • 4. Incident Response • Minimize damage to the compromised organization • Restore normal operations • Manage public perception • Allow for legal action against perpetrators • Educate senior management • Enhance security posture against future incidents
  • 5. IR Teams • Investigation team • Determines what has happened and performs a damage assessment • Remediation team • Removes the attacker and enhances security posture • Public relations
  • 6. Live Response • Classical forensics was done post-mortem • On a hard disk image • Now much analysis was performed on systems that are powered on (live) • Including memory analysis to see running processes, network connections, etc.
  • 7. Case 1 Show Me the Money
  • 8. Initial Compromise • Early January: SQL injection vulnerability exploited on server WEB1 • In a DMZ belonging to a small business unit purchased by the parent organization four years prior • Command execution on database server DB1, with privileges of the SQL Server service (local administrator) • Using xp_cmdshell • Download malware and execute it on DB1
  • 9. Escape DMZ • Misconfiguration in DMZ firewall allowed malware to execute SQL commands on a database server intDB1 • Located within the corporate environment
  • 10. Recon • Attacker spent weeks performing reconnaissance of corporate environment • For first week, attacker used SQL injection • Then the attacker implanted a backdoor • Extracted and cracked password hash for local administrator account on intDB1 • Now the attacker has local admin on most systems
  • 13. Exploit Domain Controller • Installed keylogger malware • Obtained password hashes from multiple systems for administrator accounts • Including hashes from the Domain Controller
  • 14. Mid-February • More than 20 backdoors, spanning three distinct malware families • We'll call the primary backdoor family BKDOOR • Custom malware creation kit • Allowed attacker to modify binaries to avoid antivirus detection
  • 15. BKDOOR • Full control of victim system • File upload and download • Tunnel Remote Desktop Protocol trafic into the environment • Proxy network traffic between backdoors • Encrypts command-and-control (C2) traffic with RC4 "C2 data" • Persistence through "DLL search-order hijacking"
  • 16. PROXY Malware Family • Redirected connections to destination address specified in its configuration file • Can also accept original destination address from the BKDOOR malware
  • 17. BKDNS Malware Family • Tunneled C2 traffic through DNS queries and responses • A backup system, not used during this investigation • Used on both Windows and Linux systems
  • 18. Late March • Attacker stole data multiple times • Took usernames and passwords • Network architecture and IT information • Information about financial systems and how financial data was handled
  • 19. Stealing Financial Data • Outbound FTP connection to an attacker- controlled FTP server • Also used a backdoor to send financial data to C2 server • Compressed the data as ZIP, RAR or CAB files
  • 20. Jump Server • Gateway into restricted financial environment
  • 21. PCI Data • Payment Card Industry data • Magnetic stripe has two tracks • Track 1 & Track 2 (similar data) • CVV/CVV2 number used to verify physical possession of the card • Not all merchants collect the CVV/CVV2 number
  • 22. Compromise JMPSRV • Gained access with stolen domain administrator password (two-factor authentication not used) • Transferred reconnaissance tools to JMPSRV • Begin reconnaissance of restricted financial environment • Took password hashes from RAM on JMPSRV
  • 23. Recon • Next two months finding • Systems that processed or stored cardholder information • Systems with direct Internet connections • Stole documents that described the infrastructure
  • 24. Naming Convention • 90 systems processed or stored financial information • PROC_FIN01, PROC_FIN02, STOR_FIN01, STOR_FIN02, etc. • None connected directly to the Internet • Attacker sent data through JMPSRV and MAIL to get out
  • 26. Testing Methods • Put Sysinternals "PsSuite" on PROC_FIN01 • Used pslist to see running processes • Dumped RAM from multiple processes • Created a RAR archive and transferred it out • Trying to find processes that contained cardholder data
  • 27. Cardharvest • Two days later, attacker installed a custom binary named "cardharvest.exe" onto PROC_FIN01 • Searched process RAM for Track 2 data every 15 seconds • Hashed the data to prevent duplicate collection • Encrypted it using RC4 and a hard-coded static key • Saved it to a local file
  • 28. Three Months • Over the next three months • Attacker stole millions of cardholder data records • From all 90 financial systems
  • 29. Detection • After ten months of exploitation • A system administrator noticed that MAIL was communicating with a server in a foreign country over port 80 • Triage showed that there was a compromise • Initiated incident response
  • 30. Incident Response • Team travelled to client location • Immediate containment plan • Comprehensive incident investigation • Eradication event to remove all traces of the attacker • Less than two months for complete IR
  • 33. Case 2 Certificate of Authenticity
  • 34. Initial Compromise • In mid-May, attacker sent 100 spear-phishing emails • Targets chosen because of business relationship to speakers at an industry conference • Most had local administrator privileges • None had domain administrator privileges
  • 35. Malicious PDF • One recipient, Bob, opened the attachment with a vulnerable version of Adobe Acrobat • Exploit installed GHoST RAT (Remote Access Trojan) • Attacker gained control of BOBSYS01 from the C2 server
  • 36. VPN Compromise • Two days later, attacker performed reconnaissance on BOBSYS01 • Bob was an engineer • Had VPN software that used a machine certificate, username, and password • Obtained and cracked local administrator password hash • Used mimikatz.exe to extract Bob's password and VPN machine certificate
  • 37. The Attacker Obtained • No longer needs Bob's system • Attacker can now VPN in from any system
  • 38. HOME3 • Less than one week later • Attacker connected via VPN from a system named HOME3 • Used RDP but ended the session by closing the window instead of logging out • Caused an event to be logged in the Security event log • Capturing attacker's host name and IP address (from Texas)
  • 39. Recon • Attacker spent the next 2 weeks performing reconnaissance • Mapped network shares and directory listings • Installed keyloggers • Accessed email through Outlook Web Access (OWA) with stolen credentials
  • 40. SENS1 • Two weeks later, attacker started accessing business-critical data from a share on file server SENS1 • Sensitive engineering data for a new product • Access Control Lists (ACLs) restricted this data to engineers working on the project • But the attacker had local administrator access and modified the ACLs to gain access
  • 41. Next Four Weeks • Attacker sporadically stole data • Created encrypted RAR files • Renamed them to CAB files • Uploaded to an attacker-controlled FTP server • Then deleted RAR file and ran Windows defragmentation utility • In an attempt to cover tracks
  • 42. SIEM • Two weeks after the attacker began stealing data • Company started evaluating a new Security Information and Event Management (SIEM) utility • Included VPN logs in the data sets • SIEM showed Bob logging in from multiple systems and IP addresses simultaneously on multiple days
  • 43. Chasing Attacker • Security staff disabled Bob's account • Attacker started using another account, Mary's • SIEM quickly discovered malicious use of Mary's account • Initiated incident response and called IR specialists in
  • 44. Real IR • Identify IP addresses attacker used to VPN from • GHoST RAT was sending beacons to one of those same IPs • This led to discovery of compromise on BOBSYS01 • Comprehensive eradication event performed two weeks after IR initiated
  • 45. OWA Access • Two days after the eradication event • SIEM detected one of attacker's IP addresses attempting access to OWA, with multiple user accounts • Even though company had changed all passwords during the eradication event, not all users had actually changed their passwords • A second enterprise-level password change disabled all accounts that failed to change passwords within 24 hours