The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a...
Transcript of The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a...
![Page 1: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/1.jpg)
Anatomy of a Breach: A case study in how to protect your organization
Presented By
Greg Sparrow
![Page 2: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/2.jpg)
1
Agenda
● Background & Threat landscape
● Breach: A Case Study
● Incident Response Best Practices
● Lessons Learned
![Page 3: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/3.jpg)
2
Goals
● Review and analyze a real world breach
● Understand pre-breach best practices
● Understand how to respond, post-breach
● Understand best practices for breach
mitigation and incident response
![Page 4: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/4.jpg)
3
Background
A brief history of Cyber Attacks
● Viruses & Hackers
● Rise of the botnets
● Monetization of datasets
● Organized Crime
![Page 5: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/5.jpg)
4
Breach: A Case Study
Attack Facts:
● Payment aggregator/gateway
● 1 million card accounts compromised
● Attacker in environment since 2009
● Discovered in 2014
![Page 6: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/6.jpg)
5
Breach: Secure Architecture
![Page 7: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/7.jpg)
6
Breach: Initial Attack Vector
1. Attacked public facing web server with
known vulnerability with web
application server
2. Pivoted into the backup server
3. Used backup sever to reach database
and application servers
![Page 8: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/8.jpg)
7
Breach: Pivot and Movement
Oct 2009
Web Server 1
• Attacker installed a revers shell on web server
• Installed Nemesis backdoor
November 2009
Web Server 2
• Installed RAR archive utility
• Created reverse shell
Backup Server
• Reverse shell created
• Installed RAR archive utility
• WinPCAP Driver installed
Application Server 1
• Reverse shell created
• Installed RAR archive utility
• WinPCAP Driver installed
![Page 9: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/9.jpg)
8
Breach: Packet Captures
![Page 10: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/10.jpg)
9
Breach: Exfiltration
4. RAR archives were used to package up
data payload
5. Reverse shells encapsulated with SSH
used to push data out
![Page 11: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/11.jpg)
10
Breach: Containment
1. Began egress packet capture to create a
baseline signature
2. Implemented ACLs to remove Backup
server connectivity
3. Implemented ACLs for egress traffic
4. Reset user and service account credentials
![Page 12: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/12.jpg)
11
Breach: Eradication
1. Applied robust system hardening to all servers
2. Removed Backup Server
3. Removed Web Servers and replaced with
hardened web servers
4. Implemented application whitelisting
5. Started from a known good state for all server
rebuilds
6. Deployed Jump servers within Management
segment
7. Performed application security assessment
8. Deployed more robust logging, aggregation and
event correlation
![Page 13: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/13.jpg)
12 Proprietary & Confidential
Incident Response Life Cycle
NIST SP 800-61 life cycle for risk management
![Page 14: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/14.jpg)
Define Governance Policies
● Address strategy, goals and requirements
● Communication policy
● Escalation and handling procedures
● Incident response team/strategy
● 3rd party involvement and law enforcement
● Log retention policies and procedures
● Establish system baselines and profiles
● Insurance coverage
13 Proprietary & Confidential
Incident Response: Preparation
![Page 15: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/15.jpg)
Define policies and procedures for the
following:
● Roles and responsibilities
● Escalation path
● Prioritization of events
● Identify team members
● Documentation templates
● Access privileges
● Training & tools
14 Proprietary & Confidential
Incident Response: Incident Response Team
![Page 16: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/16.jpg)
15 Proprietary & Confidential
Incident Response: Incident Response Team
![Page 17: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/17.jpg)
The detection process should include the
following:
● Identification of Attack Vector(s)
● Determine the scope of the breach
● Identify signatures of an incident:
– Multiple sources of information
– Volume of suspicious behavior
– Precursor
• Vulnerability Scans/Port Sweeps
• New Exploit
• External Threats
16 Proprietary & Confidential
Incident Response: Detection
![Page 18: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/18.jpg)
Identify the signs on an incident:
● Indicator
• IDS/IPS alerts
• Anti Virus
• Unauthorized or unusual file changes
• Unscheduled system configuration
changes
• Repeated failed login attempts
• Network traffic flow
● Deep technical knowledge
17 Proprietary & Confidential
Incident Response: Detection (cont.)
![Page 19: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/19.jpg)
Create a system profile or baseline:
● Run and compare file integrity checks with
baseline
● Monitor network bandwidth
● Understand normal system behavior (abnormal
behavior)
● Review logs and security alerts
18 Proprietary & Confidential
Incident Response: Analysis
![Page 20: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/20.jpg)
● Determine what you know and what you don’t
know (don’t assume)
● Multiple sources of information
● False alarms vs a real breach
● Timely notification
● Allocate resources and time for analysis
● Communication and coordination of team
19 Proprietary & Confidential
Incident Response: Analysis (cont.)
![Page 21: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/21.jpg)
● Short term-containment vs long term
solution
● Limit the damage
– Can the problem be isolated
– Can affected systems be separated
from non-affected systems
● Stop the spread
● Preserve evidence
– Forensic Imaging
20 Proprietary & Confidential
Incident Response: Containment
![Page 22: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/22.jpg)
● Clearly understand the scope and extent of
affected systems
● Document a plan of attack for removal of
these systems
– Network
– Host
– Application
21 Proprietary & Confidential
Incident Response: Eradication
![Page 23: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/23.jpg)
● Bring systems and services back online in
production
● Start from a good known state
● Restore data from backup
● Implement controls to test and verify system
state
22 Proprietary & Confidential
Incident Response: Recovery
![Page 24: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/24.jpg)
Is notification required? – Likely risk of harm
• Nature of the data elements
• Number of records/individuals affected
• Accessibility and usability
• Likelihood of harm
• Ability to mitigate risk
Statutory notification requirements – Identify Legal Jurisdictions Involved
– Identify Statutes Triggered
23 Proprietary & Confidential
Incident Response: Notification
![Page 25: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/25.jpg)
● Timelines for notification – Dependent on the type of data breached
• PII
• PCI
• PHI
– Notification without unreasonable delay
– Law enforcement may require delay
24 Proprietary & Confidential
Incident Response: Notification (cont.)
![Page 26: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/26.jpg)
● Source for notification – Senior member of management or executive.
– Organizational awareness
● Contents of Notification – Describe what happened
– Types of information breached
– Steps to protect affected parties
– What you are doing
– Who to contact for more info
● Means of Notification – Telephone
– First-Class Mail
25 Proprietary & Confidential
Incident Response: Notification (cont.)
![Page 27: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/27.jpg)
26 Proprietary & Confidential
Lessons learned
● Cost of the breach – 20-30 million dollars
● Identification
● Patch your systems
● System configuration and
hardening
● Prepare and IR plan before your
breach
● Select vendors and partners
before your breach
![Page 28: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/28.jpg)
Proprietary & Confidential 27
Q & A
![Page 29: The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow](https://reader036.fdocuments.in/reader036/viewer/2022062917/5ed38a86df3d633a9b1bf6ba/html5/thumbnails/29.jpg)
Proprietary & Confidential 28
References
The following resources were used as part of this presentation:
● NIST Computer Security Incident Handling Guide Special
Publication 800-61 rev2
● Redacted Customer Forensic Report
● Computer Crime & Intellectual Property Section Criminal
Division U.S. Department of Justice - Best Practices for Victim
Response and Reporting of Cyber Incidents
● SANS Institute – Incident Handler’s Handbook
● DOJ – Incident Response Procedures for Data Breaches