Sean Mason | @SeanAMason | #BSidesNOLA
www.SeanMason.com Sean Mason IR Mgr Security Analyst Sr. IT Auditor Web Developer @SeanAMason Director IR VP, Incident Response ExecuYve IR Leader InfoSec Team Lead Agile Development Manager Web Developer R1
’96-‐’00 Technical School USAF ’01-‐’03 BS MIS McKendree University ’04-‐’06 ‘07 MBA Webster University ’08-‐’10 PMP CISA CISSP CISM ISSMP CSSLP ‘11 ’12-‐13 NMDC & AIMC GE Crotonville ’14-‐14 CCFP ’14-‐15 Prevention Will Fail
Shifting Landscape
Slower Response = Greater Risk
66%
Of Breaches Took
Months or Even Years
to Discover
60% 60,000
Of Breaches Have
Data Exfiltrated in
First 24 Hours
Number of Alerts Hackers
Set Off at
Neiman Marcus
229
Median Number of Days
Advanced Attackers
Present Before Detection
33%
Of Organizations Discover
Breaches Through Their
Own Monitoring
Stats: Verizon 2013 Data Breach Investigations Report, Mandiant MTrends 2014 & Neiman Marcus
The Evolution of IR
IR Source: David Bianco, Sqrrl Upfront Reality
Ø  You will get breached
Ø  Prevention is not a panacea
Ø  Detection is an absolute must
Ø  Outsourcing all Response is a recipe for failure
Ø  Speed to discovery and containment are critical
Ø  Intel isn’t just for spies anymore
Threat Landscape
Mental Anchors
Threats are People
Objec)ve Example Skill Poten)al Data Targets Named Actors Nuisance Hack)vism Insiders Cyber Crime State Sponsored/APT Access & PropagaYon DefamaYon, DestrucYon, Press & Policy Revenge, DestrucYon, Monetary Gain Financial Gain Economic, PoliYcal Advantage, DestrucYon Botnets & Spam Website Defacements, DDOS DestrucYon, The_ Credit Card The_ Intellectual Property The_, DDOS Low Low -‐ Med Med High Very High SensiYve InformaYon, Vulnerable Data Access to the Network, Compromising InformaYon Intellectual Property, Compromising InformaYon Credit Card Data, Personal IdenYﬁable InformaYon, Health Records Intellectual Property, NegoYaYon, NaYonal Intelligence General Malware Syrian Electronic Army, LizardSquad, Anonymous Jimmy, Suzy, Sally, Johnny Russian Business Network (RBN) APT1, EnergeYc Bear Case Study
AcquisiYon Acquiring Company ² 
Small 3rd party / acquisiYon targeted ²  All infrastructure compromised, to include e-‐mail ² 
All data within acquisiYon stolen ² 
Waited unYl networks connected to move into acquiring company… IR Fundamentals
Leadership
Ø  Credibility
Ø  Trust
Ø  Rapport
Ø  Consistency
Organizational Design
CISO IR Director Intelligence Security Opera)ons Center Incident Response Tools & Infra Strategic Intel ShiI 1 Coordinators Workﬂow/SW Tac)cal Intel ShiI 2 Detec)on Detec)on Physical Intel (a ShiI 3 Analysts Network/Infra a) Leverage for connecYon to CSO oﬃce to monitor company-‐wide & personnel threats. Organizational Sustainability & Elasticity
Ø  There simply isn’t enough talent
Ø  Don’t hire all Senior talent
Ø  Quit complaining- go do something!
Ø  Develop a pipeline of students & interns
Ø  Don’t be a school snob
Ø  Help schools design their InfoSec programs!
Ø  https://www.nsa.gov/ia/academic_outreach/nat_cae/
Ø  Provide opportunities both ways
Ø  Give your mid-level folks opportunities
Ø  Bring in talent outside of IR
Documentation — “A plan doesn’t need to be a single document anymore.” Ø  Wiki or other Platform
Ø  Flexibility
Ø  Track Changes
Ø  “Open” Access
Availability
Ø  Who is needed for wing-to-wing IR? (think outside security)
Ø  Who is on-call and when? (consider Holidays)
Ø  Pre-built DL’s for e-mails and info
Ø  Think through basics:
Ø  Phones, chat rooms, conference lines (2+), and remote access
Name Role Phone # Ray Incident Coordinator 555-‐2368 Danny Incident Coordinator 555-‐0840 Kate Network Team 606-‐0842 Jenny AD Team 867-‐5309 Alicia CISO 489-‐4608 Mike Incident Response 330-‐281-‐8004 Emily CIO 212-‐664-‐7665 Philip Legal Counsel 818-‐775-‐3993 Ramona Public RelaYons 212-‐664-‐7665 Business Leaders? Law Enforcement? Clear expecta:ons for returning phone calls RACI
Ø  Who does what? (think outside security)
Ø  Set expectations
Ø  Helps define process
Incident Severities — “Not all incidents are created equal.” Ø Deﬁne a common lexicon for incidents Ra)ng Impact Descrip)on Breach 1 1 Intruder has exﬁltrated sensiYve data or is suspected of exﬁltraYng sensiYve data based on volume, etc. Breach 2 2 Intruder has exﬁltrated nonsensiYve data or data that will facilitate access to sensiYve data Breach 3 3 Intruder has established command and control channel from asset with ready access to sensiYve data Cat 1 4 Intruder has compromised asset with ready access to sensiYve data Cat 2 5 Intruder has compromised asset with access to sensiYve data but requires privilege escalaYon Cat 3 6 Intruder is amempYng to exploit asset with access to sensiYve data Cat 6 7 Intruder is conducYng reconnaissance against asset with access to sensiYve data Vuln 1 8 Intruder must apply limle eﬀort to compromise asset and exﬁltrate sensiYve data Vuln 2 9 Intruder must apply moderate eﬀort to compromise asset and exﬁltrate sensiYve data Vuln 3 10 Intruder must apply substanYal eﬀort to compromise asset and exﬁltrate sensiYve data Ø Simpliﬁed & Flexible Ø Focus more on capability Ra)ng Descrip)on Response/Containment Severity 0 Intruder has exﬁltrated sensiYve data or is currently inside network. DDOS that has impacted availability. Malware outbreak. 1 hour Severity 1 Indicators show that an intruder is amempYng to gain a foothold or has amained an iniYal foothold on the network. DDOS that has the potenYal to impact availability. Malware causing disrupYon. 4 hours Severity 2 Compromised machine (General Malware) 72 hours Communication — “Compartmentalizing information is a recipe for failure.”
Ø  Communicate broadly, engage others
Ø  Communication template, rhythm and formats
Ø  Mobile technology and speed of information
Incident Severity Comm Rhythm Audience Grave (KC7) Within 1hr – Conf. Call 2x Daily – Conf. Call COB Daily – E-‐mail • 
• 
• 
• 
• 
• 
• 
• 
COO CSO CIO General Counsel Director of PR CISO Director of IR Chief Security Architect Signiﬁcant (KC6) Within 1hr – E-‐mail COB Daily – E-‐mail •  CISO •  Director of IR •  Chief Security Architect Benign (KC1-‐5) As needed or upon escalaYon •  Director of IR •  Security Manager Internal Communications — “‘I don’t know’ is a valid answer, but qualify it with ac:ons.” Kill Chain Phase: If your org uses the KC, allows for a quick look at where the current incident is at.
Business(es) & Location(s) Impacted: If your org has different locations or business units, helps to narrow impact.
Summary: Executive level summary, no longer than a paragraph, on the current status.
Impact: Current actual business impact- exfil? Servers down?
Next Update: 06-11-2014 1600 EST
Incident Status: More details on what is currently happening during the incident.
Intelligence & Attribution Summary: If your org has an intelligence group, details would go here.
Host Status: Deeper details on affected accounts or hosts.
Action Items:
Ac)on Status Owner Est. Comp Assemble Response Team Complete J. Smith 11 Jun 1200 EST Review Network Architecture Diagrams Complete S. Johnson 11 Jun 1600 EST Review ConﬁguraYon Sepngs In Progress S. Johnson 13 Jun 1200 EST Establish secure FTP site In Progress S. Johnson 13 Jun 1600 EST Collect forensic evidence Pending R. White TBD Note: Updated information is shaded in Green and completed actions are struck through.
External Communications
Ø  “Think Twitter” & the speed of information
Ø  Have approved templates ready to go
Ø  External, Internal, and Business Partners
Ø  Test and ensure you can actually identify all parties
Ø  Establish “easy-to-sign” NDA’s for use in the event of x-biz incidents
Intel Highlights
Types of Intel
Source: MWR InfoSecurity, 2015
Increasing risk & cost to contain & remediate Kill Chain (KC)
KC1- Reconnaissance: Collecting
information about the target
organization
Recon KC2- Weaponization: Packaging the
threat for delivery
Weapon-‐
izaYon KC3- Delivery: Transmission of the
weaponized payload
Delivery KC4- Exploitation: Exploting
vulnerabilities on a system
ExploitaYon InstallaYon KC5- Installation: Installing malware on
a target
KC6- Command & Control: Providing
“hands on the keyboard” access to the
target system
C2 AcYons on Intent KC7- Actions on Intent: The attacker
achieves their objective (e.g. stealing
information)
“Intelligence-‐Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Lockheed MarYn Structured Intel storage & analysis
Ø 
Ø 
Ø 
Ø 
Ø 
Incident Management
Indicator Management
Threat Actor Dossiers
Ma nage the “Sharing Problem”
Implementing threat sharing standards
Intel-Driven Prevention & Detection
Prevention & Detection Scenarios
Recon
Weaponization
Deliver
File
File
Behavior
Behavior
File - Name
File - Path
File
Win Registry Key
URI – Domain
Name
URI – URL
HTTP - GET
HTTP – UA String
Address – e-mail
Address – ipv4addr
URI - URL
File - Path
Exploitation
File
File - Name
File - Name
URI- Domain Name
URI – Domain
Name
URI - URL
HTTP - POST
Email Header Subject
Email Header – XMailer
Hash – MD5
Act on
Objectives
Installation
C2
Code – Binary
Code
Behavior
Behavior
Win Process
Win Registry
Key
Win Process
Win Registry Key
File
Win Registry Key
Win Service
File
File
File - Path
URI – Domain
Name
File - Path
URI – URL
File - Name
URI - URL
File - Name
Hash – MD5
URI – Domain
Name
HTTP - GET
URI – Domain
Name
Hash – SHA1
Address – cidr
Address – ipv4addr
URI - URL
HTTP - GET
HTTP – UA String
Hash – SHA1
Hash – MD5
Address – e-mail
Hash – SHA1
Address – ipv4addr
Address – e-mail
HTTP - POST
HTTP – UA String
Hash – MD5
Hash – SHA1
Address – e-mail
URI – URL
Hash – MD5
Hash – SHA1
Address – ipv4addr
Address – ipv4addr
Address – ipv4addr
Created by David Bianco, GE-‐CIRT Platform Strengths (example IDS Solution)
Recon
Weaponization
Deliver
File
File
Behavior
Behavior
File - Name
File - Path
File
Win Registry Key
URI – Domain
Name
URI – URL
HTTP - GET
HTTP – UA String
Address – e-mail
Address – ipv4addr
URI - URL
File - Path
Exploitation
File
File - Name
File - Name
URI- Domain Name
URI – Domain
Name
URI - URL
HTTP - POST
Email Header Subject
Email Header – XMailer
Hash – MD5
Act on
Objectives
Installation
C2
Code – Binary
Code
Behavior
Behavior
Win Process
Win Registry
Key
Win Process
Win Registry Key
File
Win Registry Key
Win Service
File
File
File - Path
URI – Domain
Name
File - Path
URI – URL
File - Name
URI - URL
File - Name
Hash – MD5
URI – Domain
Name
HTTP - GET
URI – Domain
Name
Hash – SHA1
Address – cidr
Address – ipv4addr
URI - URL
HTTP - GET
HTTP – UA String
Hash – SHA1
Hash – MD5
Address – e-mail
Hash – SHA1
Address – ipv4addr
Address – e-mail
HTTP - POST
HTTP – UA String
Hash – MD5
Hash – SHA1
Address – e-mail
URI – URL
Hash – MD5
Hash – SHA1
Address – ipv4addr
Address – ipv4addr
Address – ipv4addr
Notes:
Security solutions are able to investigate, analyze and monitor this indicator type
Security solutions are unable to track this indicator type. These areas represent gaps
Created by David Bianco, GE-‐CIRT All Platforms (aggregated view)
Recon
Weaponization
Deliver
File
File
Behavior
Behavior
File - Name
File - Path
File
Win Registry Key
URI – Domain
Name
URI – URL
HTTP - GET
HTTP – UA String
Address – e-mail
Address – ipv4addr
URI - URL
File - Path
Exploitation
File
File - Name
File - Name
URI- Domain Name
URI – Domain
Name
URI - URL
HTTP - POST
Email Header Subject
Email Header – XMailer
Hash – MD5
Act on
Objectives
Installation
C2
Code – Binary
Code
Behavior
Behavior
Win Process
Win Registry
Key
Win Process
Win Registry Key
File
Win Registry Key
Win Service
File
File
File - Path
URI – Domain
Name
File - Path
URI – URL
File - Name
URI - URL
File - Name
Hash – MD5
URI – Domain
Name
HTTP - GET
URI – Domain
Name
Hash – SHA1
Address – cidr
Address – ipv4addr
URI - URL
HTTP - GET
HTTP – UA String
Hash – SHA1
Hash – MD5
Address – e-mail
Hash – SHA1
Address – ipv4addr
Address – e-mail
HTTP - POST
HTTP – UA String
Hash – MD5
Hash – SHA1
Address – e-mail
URI – URL
Hash – MD5
Hash – SHA1
Address – ipv4addr
Address – ipv4addr
Address – ipv4addr
Notes:
Security solutions are able to investigate, analyze and monitor this indicator type
Security solutions are unable to track this indicator type. These areas represent gaps
Created by David Bianco, GE-‐CIRT Coverage gaps
Recon
HTTP – UA String
Weaponization
Deliver
Exploitation
Installation
C2
Act on
Objectives
File
Email Header - Subject
Hash – MD5
File - Path
Email Header – X-Mailer
Hash – SHA1
URI - URL
Created by David Bianco, GE-‐CIRT Containment & Collection
Outpost Locations
Outpost server
Centralized
Storage/Analysis
Example locations
Containment — “Containment is arguably the most cri:cal decision in IR”
Ø Who can accessed compromised devices? Ø How will you track down the devices? Ø When do you contain? Ø Who makes the containment call? Ø What method(s) will you use? Virtual Isolation
Ø 
Ø 
Ø 
Ø 
ICMP – Network Identification
DNS (UDP/53) – Host Resolution
SMB (TCP/445)– Authentication
DHCP (TCP/67) - Persistence
Specified Domain
Controllers
Suspect
(x.x.x.x/8)
C:\Isolator.bat
Netsh ipsec add policy “virtual isolation” SecPermit
Outpost_IP ANY ANY
Netsh ipsec add policy “virtual isolation” SecPermit DC_IP
TCP TCP
Netsh ipsec add policy “virtual isolation” SecPermit 67 TCP
TCP
Netsh ipsec add policy “virtual isolation” SecPermit 53 ANY
ANY
Netsh ipsec add policy “virtual isolation” SecPermit 445 TCP
TCP
Netsh ipsec add policy “virtual isolation” Block ANY ANY
ANY more %cd%\usernotification.txt | msg %username%
Outposts
Created by David Trollman, GE-‐CIRT Quarantine
Internet Routable IPs
Internal IP Space
(x.x.x.x/8)
Suspect
VPN IPs
Necessary Protocols*
*- ICMP – Network Identification
*- DNS (UDP/53) – Host Resolution
Created by David Trollman, GE-‐CIRT Analysis
Host & network forensic analysis
Volatility
Ø  Where are the logs? Do you aggregate logs?
Ø  Does the team have access to the compromised logs & devices?
Ø  Preserve forensic evidence
Ø  Who is properly trained to do the forensics? Do they have tools?
Analysis Infrastructure
Ø  Don’t forget to invest in hardware
Ø  Analysis Servers (CPU + RAM)
Ø  Storage (TBs)
Ø  Responder Laptops (MBP)
Staying Prepared
Recurring testing – “You shouldn’t be inventing process during a crisis.”
Ø  Paper Test – Ensure all documentation,
templates, etc… are properly updated.
Ø  Table Top Exercise – Verbally walking
through a number of different IR
scenarios.
Ø  Simulated Incident – A more invasive test
that leverages a Red Team to simulate an
attack (or utilize existing malware
samples). Allows for a more
comprehensive test of the IRT, to include
forensic work.
Ø  Blind Test (e.g. War Games) – Similar to
Simulation testing, but leadership
coordinates the attack unbeknownst to
the IRT.
Outside of IR…
Ø  Leverage the team for other hot issues such as:
Ø 
Ø 
Ø 
Ø 
Ø 
Ø 
Ø 
Heartbleed
Venom
Insider cases
Counterfeit gear
Software piracy
Acquisition evaluations
Etc…
Metrics
IR measured cycle times
Event (Event Time)
Event
Tria ge (Detect Time)
Dwell Time
Event
Analysis
How fast did
we find it?
Report (Report Time)
Report
IR Actions (Contain Time)
Contain Time
Contain
How fast did
we respond
to it?
Remedia tion (Remedia tion Time)
Business Impact Time
Remediate
How fast did
we fix it?
Dwell Time + Contain Time = Time of unauthorized a ccess to asset
Dwell & Contain
Example Data Intel & Detection
Intel Source Success 120 100% 100 80% 80 60 40 60% 40% 20 20% 0 0% False PosiYves Incidents Success Rate Example Data Collection & Analysis
Example Data Wrapping it up…
Nascent: Incident Response
• SIEM • AV/HIPS • ETDR • IDS/IPS • Etc… • Rebuild Host(s) • Reset Password(s) • Countermeasures • Lessons Learned • Contain Host(s) • Reset Password(s) • Acquire Evidence Detect Contain & Collect Remediate Analyze • Movement • Methods • Account • Timelines Evolved: Intel-driven risk mitigation
Sources TacYcal Intel PrevenYon Intel Analysis DetecYon Triage Response Strategic Intel Analysis Other FuncYons Containment CollecYon Lessons Learned Final thoughts
Ø Prevention Will Fail. Invest in Intel & IR; it can be measured, evolved, and
simplified
Ø Detection should be based on a foundation of prioritized intel;
understand your strengths, gaps and weaknesses
Ø Intel is more than a nice to have- it is a requirement; a structured
approach will assist the overall information security program
Ø Think beyond IT; Partnerships are critical to success. Educate and form
alliances in the business and externally (e.g. local FBI office, competitors,
colleges)
Ø Communicate findings back into other functions; Defense is a team sport
Ø Reward your teams!
Questions?
Sean Mason
[email protected]
Twitter: @SeanAMason
Web: www.SeanMason.com
LI: www.linkedin.com/in/SeanMason