O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Cyber security webinar 5 - Responding to an incident

365 visualizações

Publicada em

Preparation is the key to successful incident response. You can never stop all attempts to breach your company, and in real situations, people are bound to make mistakes. Therefore, you need to have the proper processes in place, and of course, try to stop as many of the attempted attacks as possible to leave less room for human error. Learn more about the six steps to properly respond to a security incident from the recording video in the following link and presentation slides at this page.

Publicada em: Tecnologia
  • Seja o primeiro a comentar

Cyber security webinar 5 - Responding to an incident

  4. 4. RESPONDING TOANINCIDENT Steps to proper incident response  Prepare your systems and people  Discover incidents  Do initial response and gather data  Analyze data and contain incident  Recover affected systems and implement security improvements  Check IT infrastructure for tampering  Handle PR  Make a root cause analysis and learn from the incident © F-Secure4
  5. 5. Preparation Do things mentioned in the previous webinars  Make sure your logging covers both system and network events and network supports it  Make sure you keep logs at least for 12 months and in a separate system  Make sure that all logs are time synchronized and in same time zone (UTC preferred)  Make sure systems are isolated from each other  Make sure you have integrity logs of servers and OS master images Prepare your people  Administration and security staff need to have IR training Know who to call  When it hits the fan, there’s no time to start negotiations with IR consultants © F-Secure5
  6. 6. Discovery Make sure you are reachable  A significant portion of incidents are discovered because of outside report or clue  List incident contact email and phone number publicly in your web page  Create abuse@company.com, incident@, security@, email addresses  List contact information in WHOIS information of your domain  Make sure your ISP and local cert have your security contact information  Register at well known incident reporting clearinghouses  www.shadowserver.org Keep notes of everything  This is important both for learning and legal © F-Secure6 https://www.viestintavirasto.fi/attachments/certesitykset/5 wf8GRFeM/Nordsec_2010_Erka_Koivunen_v2.0_web.pdf
  7. 7. InitialResponse If you have IR consultants on retainer, now it is time to call them  Also contact the police in case you want to press charges later Don’t panic. Stop, think, think again and then act Start by collecting volatile information  Processes running in suspected system, get memory dump of full system, or VM snapshot  Network connections  WHOIS information of any discovered network connections  Users who have logged into the system  All logs on the system, also make sure that remote logging is not overwritten Do not alert attacker by poking around blindly  Do not use any tools installed in the system  Rename all investigation tools, as attack may self-terminate on Sysinternals © F-Secure7
  8. 8. DeeperAnalysis Try to establish when attack happened  If attack is fresh, you may want to disconnect net. If it’s year old, there’s no rush Compare system against integrity check data or image master  If you lack that, get as identical system as possible for comparison Look for unusual files in the file system  Look especially into places covered in webinar 2 slide 5 Look for unusual registry launch points  Sysinternals autoruns is a very good tool for this © F-Secure8 http://www.sysforensics.org/2014/01/know-your-windows- processes/
  9. 9. LookForSigns OfLateral Movement Check the network and system logs for signs moving to other systems  Build a map of all network connections from the infected system  Pay attention to RPC, RDP, Windows remote management and logon scripts Check user account and login histories  Any user logged into system that they haven’t used ever before?  Have any users been added or elevated to administrator level? Check prefetch or amcache for executed processes, anything unusual there?  Note Prefetch/superfetch is often disabled for SSD drives © F-Secure9 https://attack.mitre.org/wiki/Lateral_Movement http://sysforensics.org/2014/01/lateral-movement http://www.swiftforensics.com/2013/12/amcachehve-in- windows-8-goldmine-for.html
  10. 10. AssessTheDamages Use logs to identify if any information has been stolen or modified  Pay attention to personal information, user accounts, source code, documents, etc Pay special attention to customer facing services  The actual target might be your customers  Make sure that every web page and file you serve to users is intact  Also verify that there are no backdoors left in internet facing servers Try to find out if the attack is already in public knowledge © F-Secure10
  11. 11. Containment AndRecovery  Using the IOCs (clues) found, investigate all other systems  The attacker may have moved without leaving noticeable network traces  Reinstall or restore from backup any affected systems  Remember to double check that the backup is clean  Review permissions of affected users, in case they have been modified  Issue password changes for affected parts of the organization © F-Secure11
  12. 12. HandlePR Internal communication is vital  Incident can be traumatic for the organization, make sure the people are kept up to date Information has a habit of getting out  Be in control, release suitable information before it leaks  Be boring, dry information does not make good news If incident was visible or affected users, inform the users and apologize  Tell what happened and what are the effects for the user  Tell how situation was corrected If incident has potential high media value, make a press release  But in most cases it’s enough to inform users and publish on company web page © F-Secure12
  13. 13. Report, LearnAndImprove Create a root cause analysis of the incident  How the incident was detected-> can detection speed be improved?  How the incident was possible->can future incidents be prevented?  How the incident was investigated-> can we improve the investigation?  How the incident was recovered-> can we make recovery faster?  What went wrong->how we can make it right?  What went right->celebrate and give credit for good work! Incidents happen, but try avoid repeating them © F-Secure13
  14. 14. CONCLUSIONS  Preparation is key to successful incident response  Verify that logging is on sufficient level  In real situations people will get excited and make mistakes  So doing a practice once per couple years might be a good idea  Prepare, Detect, Respond, Analyze, Learn, Improve © F-Secure14
  15. 15. THANK YOUFORYOUR PARTICIPATION! 15 STAY TUNED FOR THE LAST TOPIC OF THE CYBER SECURITY WEBINAR SERIES: 3 December 2015 at 11.00 EET: “Building secure systems” The Recording will be available at the BUSINESS SECURITY INSIDER https://business.f-secure.com