Post on 28-May-2020
Anatomy of a Breach: A case study in how to protect your organization
Presented By
Greg Sparrow
1
Agenda
● Background & Threat landscape
● Breach: A Case Study
● Incident Response Best Practices
● Lessons Learned
2
Goals
● Review and analyze a real world breach
● Understand pre-breach best practices
● Understand how to respond, post-breach
● Understand best practices for breach
mitigation and incident response
3
Background
A brief history of Cyber Attacks
● Viruses & Hackers
● Rise of the botnets
● Monetization of datasets
● Organized Crime
4
Breach: A Case Study
Attack Facts:
● Payment aggregator/gateway
● 1 million card accounts compromised
● Attacker in environment since 2009
● Discovered in 2014
5
Breach: Secure Architecture
6
Breach: Initial Attack Vector
1. Attacked public facing web server with
known vulnerability with web
application server
2. Pivoted into the backup server
3. Used backup sever to reach database
and application servers
7
Breach: Pivot and Movement
Oct 2009
Web Server 1
• Attacker installed a revers shell on web server
• Installed Nemesis backdoor
November 2009
Web Server 2
• Installed RAR archive utility
• Created reverse shell
Backup Server
• Reverse shell created
• Installed RAR archive utility
• WinPCAP Driver installed
Application Server 1
• Reverse shell created
• Installed RAR archive utility
• WinPCAP Driver installed
8
Breach: Packet Captures
9
Breach: Exfiltration
4. RAR archives were used to package up
data payload
5. Reverse shells encapsulated with SSH
used to push data out
10
Breach: Containment
1. Began egress packet capture to create a
baseline signature
2. Implemented ACLs to remove Backup
server connectivity
3. Implemented ACLs for egress traffic
4. Reset user and service account credentials
11
Breach: Eradication
1. Applied robust system hardening to all servers
2. Removed Backup Server
3. Removed Web Servers and replaced with
hardened web servers
4. Implemented application whitelisting
5. Started from a known good state for all server
rebuilds
6. Deployed Jump servers within Management
segment
7. Performed application security assessment
8. Deployed more robust logging, aggregation and
event correlation
12 Proprietary & Confidential
Incident Response Life Cycle
NIST SP 800-61 life cycle for risk management
Define Governance Policies
● Address strategy, goals and requirements
● Communication policy
● Escalation and handling procedures
● Incident response team/strategy
● 3rd party involvement and law enforcement
● Log retention policies and procedures
● Establish system baselines and profiles
● Insurance coverage
13 Proprietary & Confidential
Incident Response: Preparation
Define policies and procedures for the
following:
● Roles and responsibilities
● Escalation path
● Prioritization of events
● Identify team members
● Documentation templates
● Access privileges
● Training & tools
14 Proprietary & Confidential
Incident Response: Incident Response Team
15 Proprietary & Confidential
Incident Response: Incident Response Team
The detection process should include the
following:
● Identification of Attack Vector(s)
● Determine the scope of the breach
● Identify signatures of an incident:
– Multiple sources of information
– Volume of suspicious behavior
– Precursor
• Vulnerability Scans/Port Sweeps
• New Exploit
• External Threats
16 Proprietary & Confidential
Incident Response: Detection
Identify the signs on an incident:
● Indicator
• IDS/IPS alerts
• Anti Virus
• Unauthorized or unusual file changes
• Unscheduled system configuration
changes
• Repeated failed login attempts
• Network traffic flow
● Deep technical knowledge
17 Proprietary & Confidential
Incident Response: Detection (cont.)
Create a system profile or baseline:
● Run and compare file integrity checks with
baseline
● Monitor network bandwidth
● Understand normal system behavior (abnormal
behavior)
● Review logs and security alerts
18 Proprietary & Confidential
Incident Response: Analysis
● Determine what you know and what you don’t
know (don’t assume)
● Multiple sources of information
● False alarms vs a real breach
● Timely notification
● Allocate resources and time for analysis
● Communication and coordination of team
19 Proprietary & Confidential
Incident Response: Analysis (cont.)
● Short term-containment vs long term
solution
● Limit the damage
– Can the problem be isolated
– Can affected systems be separated
from non-affected systems
● Stop the spread
● Preserve evidence
– Forensic Imaging
20 Proprietary & Confidential
Incident Response: Containment
● Clearly understand the scope and extent of
affected systems
● Document a plan of attack for removal of
these systems
– Network
– Host
– Application
21 Proprietary & Confidential
Incident Response: Eradication
● Bring systems and services back online in
production
● Start from a good known state
● Restore data from backup
● Implement controls to test and verify system
state
22 Proprietary & Confidential
Incident Response: Recovery
Is notification required? – Likely risk of harm
• Nature of the data elements
• Number of records/individuals affected
• Accessibility and usability
• Likelihood of harm
• Ability to mitigate risk
Statutory notification requirements – Identify Legal Jurisdictions Involved
– Identify Statutes Triggered
23 Proprietary & Confidential
Incident Response: Notification
● Timelines for notification – Dependent on the type of data breached
• PII
• PCI
• PHI
– Notification without unreasonable delay
– Law enforcement may require delay
24 Proprietary & Confidential
Incident Response: Notification (cont.)
● Source for notification – Senior member of management or executive.
– Organizational awareness
● Contents of Notification – Describe what happened
– Types of information breached
– Steps to protect affected parties
– What you are doing
– Who to contact for more info
● Means of Notification – Telephone
– First-Class Mail
25 Proprietary & Confidential
Incident Response: Notification (cont.)
26 Proprietary & Confidential
Lessons learned
● Cost of the breach – 20-30 million dollars
● Identification
● Patch your systems
● System configuration and
hardening
● Prepare and IR plan before your
breach
● Select vendors and partners
before your breach
Proprietary & Confidential 27
Q & A
Proprietary & Confidential 28
References
The following resources were used as part of this presentation:
● NIST Computer Security Incident Handling Guide Special
Publication 800-61 rev2
● Redacted Customer Forensic Report
● Computer Crime & Intellectual Property Section Criminal
Division U.S. Department of Justice - Best Practices for Victim
Response and Reporting of Cyber Incidents
● SANS Institute – Incident Handler’s Handbook
● DOJ – Incident Response Procedures for Data Breaches