The Anatomy of a Breach - NCHICA (presentation transcript)
Anatomy of a Breach: A case study in how to protect your organization
Presented By
Greg Sparrow
Agenda
● Background & Threat landscape
● Breach: A Case Study
● Incident Response Best Practices
● Lessons Learned
Goals
● Review and analyze a real world breach
● Understand pre-breach best practices
● Understand how to respond, post-breach
● Understand best practices for breach
mitigation and incident response
Background
A brief history of Cyber Attacks
● Viruses & Hackers
● Rise of the botnets
● Monetization of datasets
● Organized Crime
Breach: A Case Study
Attack Facts:
● Payment aggregator/gateway
● 1 million card accounts compromised
● Attacker in environment since 2009
● Discovered in 2014
Breach: Secure Architecture
Breach: Initial Attack Vector
1. Attacked a public-facing web server through a
known vulnerability in its web application server
2. Pivoted into the backup server
3. Used the backup server to reach the database
and application servers
Breach: Pivot and Movement
Oct 2009
Web Server 1
• Attacker installed a reverse shell on the web server
• Installed Nemesis backdoor
November 2009
Web Server 2
• Installed RAR archive utility
• Created reverse shell
Backup Server
• Reverse shell created
• Installed RAR archive utility
• WinPcap driver installed
Application Server 1
• Reverse shell created
• Installed RAR archive utility
• WinPcap driver installed
Breach: Packet Captures
Breach: Exfiltration
4. RAR archives were used to package the data
payload
5. Reverse shells encapsulated in SSH were used
to push the data out
Breach: Containment
1. Began egress packet capture to create a
baseline signature
2. Implemented ACLs to remove Backup
server connectivity
3. Implemented ACLs for egress traffic
4. Reset user and service account credentials
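The containment steps above (an egress baseline followed by ACLs that cut the backup server off and restrict outbound traffic) can be expressed as a small checker. This is an added example, not code from the presentation or the forensic report it summarizes: the host roles, addresses and flow records are constructed for illustration, and in practice the flows would come from the egress packet captures or flow logs mentioned in step 1.

```python
"""Egress baseline and ACL evaluation for the containment steps listed above.

Added example, not code from the presentation or the forensic report it
summarizes. Host roles, addresses and flow records are constructed here
for illustration; real input would come from flow logs or packet captures.
"""

# Constructed mapping of internal addresses to the roles named in the case study
HOST_ROLES = {
    "10.0.1.10": "web",
    "10.0.2.20": "backup",
    "10.0.3.30": "database",
    "10.0.3.31": "application",
}

# Step 1: flows seen at the egress point while building the baseline.
# Each record is (src, dst, dst_port, bytes_out); values are constructed.
BASELINE_FLOWS = [
    ("10.0.1.10", "203.0.113.5", 443, 12_000),  # web server to a known API
    ("10.0.1.10", "203.0.113.5", 443, 9_500),
    ("10.0.3.31", "203.0.113.9", 443, 3_000),   # application server, vendor updates
]

# Flows observed later, to be judged against the baseline (constructed)
NEW_FLOWS = [
    ("10.0.1.10", "203.0.113.5", 443, 11_000),   # matches baseline
    ("10.0.2.20", "198.51.100.7", 22, 850_000),  # backup server, SSH out, large volume
    ("10.0.3.30", "10.0.2.20", 445, 4_000),      # database reaching the backup server
]


def build_baseline(flows):
    """Set of (src, dst, dst_port) triples seen during the baseline window."""
    return {(src, dst, port) for src, dst, port, _ in flows}


def find_anomalies(flows, baseline, volume_threshold=500_000):
    """Flag flows absent from the baseline and flows above the byte threshold."""
    findings = []
    for src, dst, port, nbytes in flows:
        reasons = []
        if (src, dst, port) not in baseline:
            reasons.append("not in baseline")
        if nbytes > volume_threshold:
            reasons.append(f"volume {nbytes} exceeds {volume_threshold}")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port, "reasons": reasons})
    return findings


# Steps 2 and 3 as an ordered rule list; first match wins. A rule is
# (src_role, dst_role, dst_port, action), where "*" matches anything and
# addresses outside HOST_ROLES take the role "external".
ACL_RULES = [
    ("*", "backup", "*", "deny"),            # nothing may reach the backup server
    ("backup", "*", "*", "deny"),            # the backup server may reach nothing
    ("web", "external", 443, "allow"),
    ("application", "external", 443, "allow"),
    ("*", "external", "*", "deny"),          # default-deny egress
    ("*", "*", "*", "allow"),                # remaining internal traffic
]


def role_of(addr):
    return HOST_ROLES.get(addr, "external")


def acl_decision(src, dst, port, rules=ACL_RULES):
    """Return 'allow' or 'deny' for a flow under the ordered rule list."""
    src_role, dst_role = role_of(src), role_of(dst)
    for rule_src, rule_dst, rule_port, action in rules:
        if (rule_src in ("*", src_role)
                and rule_dst in ("*", dst_role)
                and rule_port in ("*", port)):
            return action
    return "deny"  # implicit deny if no rule matches


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for finding in find_anomalies(NEW_FLOWS, baseline):
        print("anomaly:", finding)
    for src, dst, port, _ in NEW_FLOWS:
        print(f"{src} -> {dst}:{port} => {acl_decision(src, dst, port)}")
```

Running it flags the backup server's large SSH session to an unknown host both as a deviation from the baseline and as a volume outlier, and the ACL rules deny it along with the database server's attempt to reach the backup server, while the web server's known API traffic stays allowed.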
Breach: Eradication
1. Applied robust system hardening to all servers
2. Removed Backup Server
3. Removed Web Servers and replaced with
hardened web servers
4. Implemented application whitelisting
5. Started from a known good state for all server
rebuilds
6. Deployed Jump servers within Management
segment
7. Performed application security assessment
8. Deployed more robust logging, aggregation and
event correlation
12 Proprietary & Confidential
Incident Response Life Cycle
NIST SP 800-61 life cycle for risk management
Incident Response: Preparation
Define governance policies
● Address strategy, goals and requirements
● Communication policy
● Escalation and handling procedures
● Incident response team/strategy
● 3rd party involvement and law enforcement
● Log retention policies and procedures
● Establish system baselines and profiles
● Insurance coverage
Incident Response: Incident Response Team
Define policies and procedures for the following:
● Roles and responsibilities
● Escalation path
● Prioritization of events
● Identify team members
● Documentation templates
● Access privileges
● Training & tools
Incident Response: Detection
The detection process should include the following:
● Identification of attack vector(s)
● Determine the scope of the breach
● Identify signatures of an incident:
– Multiple sources of information
– Volume of suspicious behavior
– Precursors
• Vulnerability scans/port sweeps
• New exploit
• External threats
Incident Response: Detection (cont.)
Identify the signs of an incident:
● Indicators
• IDS/IPS alerts
• Anti-virus alerts
• Unauthorized or unusual file changes
• Unscheduled system configuration changes
• Repeated failed login attempts
• Network traffic flow
● Deep technical knowledge
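One of the indicators listed above, repeated failed login attempts, is simple to turn into detection logic. The following is an added example, not code from the presentation: it parses constructed authentication log lines in a made-up `timestamp LOGIN user=... result=... src=...` format, keeps a sliding window of failures per source address, raises an alert when a source crosses the threshold, and separately flags a successful login from a source that just produced a burst (the case a responder most wants to see). The threshold, window and log format are assumptions chosen for the example.

```python
"""Repeated-failed-login detection over constructed log lines.

Added example, not code from the presentation. The log format below is
invented for the example; adapt LINE_RE to the authentication log you have.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a burst of failures from one internal host followed
# by a success, and two widely spaced failures from a user who then logs in.
LOG_LINES = """\
2014-03-01T10:00:01 LOGIN user=svc_backup result=FAIL src=10.0.2.20
2014-03-01T10:00:03 LOGIN user=svc_backup result=FAIL src=10.0.2.20
2014-03-01T10:00:04 LOGIN user=admin result=FAIL src=10.0.2.20
2014-03-01T10:00:06 LOGIN user=svc_backup result=FAIL src=10.0.2.20
2014-03-01T10:00:07 LOGIN user=svc_backup result=FAIL src=10.0.2.20
2014-03-01T10:00:09 LOGIN user=svc_backup result=OK src=10.0.2.20
2014-03-01T10:05:00 LOGIN user=jdoe result=FAIL src=10.0.1.55
2014-03-01T10:20:00 LOGIN user=jdoe result=FAIL src=10.0.1.55
2014-03-01T10:40:00 LOGIN user=jdoe result=OK src=10.0.1.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        yield {
            "ts": datetime.fromisoformat(match["ts"]),
            "user": match["user"],
            "result": match["result"],
            "src": match["src"],
        }


def detect_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Alert when a source reaches `threshold` failures inside `window`.

    Also emits a second alert if that source then logs in successfully,
    since a success right after a burst is the higher-priority signal.
    """
    recent_failures = defaultdict(deque)  # src -> timestamps inside the window
    burst_sources = set()
    alerts = []
    for ev in events:
        queue = recent_failures[ev["src"]]
        if ev["result"] == "FAIL":
            queue.append(ev["ts"])
            while queue and ev["ts"] - queue[0] > window:
                queue.popleft()  # drop failures that fell out of the window
            if len(queue) >= threshold and ev["src"] not in burst_sources:
                burst_sources.add(ev["src"])
                alerts.append({"type": "failed_login_burst", "src": ev["src"],
                               "count": len(queue), "at": ev["ts"]})
        elif ev["result"] == "OK" and ev["src"] in burst_sources:
            alerts.append({"type": "success_after_burst", "src": ev["src"],
                           "user": ev["user"], "at": ev["ts"]})
            burst_sources.discard(ev["src"])
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse(LOG_LINES)):
        print(alert)
```

On the sample above, the five failures from 10.0.2.20 within six seconds produce one burst alert and the following success produces a second; the two failures from 10.0.1.55 are fifteen minutes apart, so they never accumulate inside the one-minute window and raise nothing.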
Incident Response: Analysis
Create a system profile or baseline:
● Run file integrity checks and compare them against the baseline
● Monitor network bandwidth
● Understand normal system behavior so that abnormal behavior stands out
● Review logs and security alerts
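The file integrity check called for above, and the host changes recorded in the "Pivot and Movement" timeline (archive utilities and a capture driver appearing on servers), can both be illustrated with one baseline tool. This is an added example, not code from the presentation: it hashes every file under a directory with SHA-256, stores the result as a JSON baseline, and later reports which files were added, removed or modified. `demo()` builds a throwaway tree in a temporary directory and simulates constructed changes of the kinds the case study describes; the paths and file contents are made up for the example.

```python
"""File integrity baseline and comparison.

Added example, not code from the presentation. It hashes every file under a
directory, stores the result as a baseline, and later reports added, removed
and modified files. demo() builds a throwaway tree in a temporary directory
and simulates host changes of the kinds the case study describes; all paths
and contents are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, '/' separated) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def diff_baselines(old, new):
    """Compare two baselines; returns sorted lists of changed paths."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def _write(root, rel, text):
    """Helper for the demo: create a text file at a '/'-separated relative path."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Baseline a constructed tree, change it, and return the comparison."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "inetpub/wwwroot/default.aspx", "<html>ok</html>")
        _write(root, "windows/system32/drivers.txt", "known drivers")
        _write(root, "logs/access.log", "200 GET /")
        # The baseline is stored outside the monitored tree on purpose
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated post-compromise changes (constructed, mirroring the case study)
        _write(root, "inetpub/wwwroot/unexpected.aspx", "new file under the web root")
        _write(root, "tools/rar.exe", "archive utility that was not there before")
        _write(root, "windows/system32/drivers.txt", "known drivers + new capture driver")
        os.remove(os.path.join(root, "logs", "access.log"))  # a log that went missing

        return diff_baselines(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline file is deliberately written outside the tree it describes; if it lived inside, it would show up as an added file on the first comparison and as a modified file on every subsequent one. For a real deployment the baseline also has to be stored where an intruder on the host cannot rewrite it, otherwise the comparison proves nothing.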
Incident Response: Analysis (cont.)
● Determine what you know and what you don't know (don't assume)
● Multiple sources of information
● False alarms vs a real breach
● Timely notification
● Allocate resources and time for analysis
● Communication and coordination of the team
Incident Response: Containment
● Short-term containment vs long-term solution
● Limit the damage
– Can the problem be isolated?
– Can affected systems be separated from non-affected systems?
● Stop the spread
● Preserve evidence
– Forensic imaging
Incident Response: Eradication
● Clearly understand the scope and extent of affected systems
● Document a plan of attack for removal of these systems
– Network
– Host
– Application
Incident Response: Recovery
● Bring systems and services back online in production
● Start from a known good state
● Restore data from backup
● Implement controls to test and verify system state
Incident Response: Notification
● Is notification required? – Likely risk of harm
• Nature of the data elements
• Number of records/individuals affected
• Accessibility and usability
• Likelihood of harm
• Ability to mitigate risk
● Statutory notification requirements
– Identify legal jurisdictions involved
– Identify statutes triggered
Incident Response: Notification (cont.)
● Timelines for notification – Dependent on the type of data breached
• PII
• PCI
• PHI
– Notification without unreasonable delay
– Law enforcement may require delay
Incident Response: Notification (cont.)
● Source for notification
– Senior member of management or executive
– Organizational awareness
● Contents of notification
– Describe what happened
– Types of information breached
– Steps to protect affected parties
– What you are doing
– Who to contact for more info
● Means of notification
– Telephone
– First-class mail
Lessons learned
● Cost of the breach – 20-30 million dollars
● Identification
● Patch your systems
● System configuration and hardening
● Prepare an IR plan before your breach
● Select vendors and partners before your breach
Q & A
References
The following resources were used as part of this presentation:
● NIST Computer Security Incident Handling Guide, Special Publication 800-61 rev2
● Redacted Customer Forensic Report
● Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice – Best Practices for Victim Response and Reporting of Cyber Incidents
● SANS Institute – Incident Handler's Handbook
● DOJ – Incident Response Procedures for Data Breaches