Incident Response

Incident Identification

Step 1: Prepare your documentation

You will need to document all your activities, from meeting minutes and decisions down to commands typed into your systems by your incident response team.

 

For each step, you will need to record, at minimum:

  • Identifying information (location, serial no, model no, hostname, MAC address, IP Address)
  • Name, title, and phone number of each person who collected or handled evidence during the investigation
  • Time and date (including time zone) of each occurrence of evidence handling
  • Locations where the evidence was stored

Step 2: Assemble your Team

Get your incident response team together! Where possible use phone communication – your email and chat systems may be compromised and you might tip off an attacker that you are aware of them.

You’ll need a broad set of people:

  • Security personnel, including incident responders
  • System and network administrators
  • Business stakeholders, such as PR

Remember! Apply a need-to-know policy for now – no need to blow it out of proportion just yet.

Hint: If you have Cyber Insurance, notify them of a potential claim.

Step 3: Determine Scope

Working with your team, determine as best you can what devices have been compromised.

Assume the worst – that more of your environment is compromised. Yes, it will increase the scope of the response, but will reduce the chance of an incident recurring.

‘Indicators of compromise’ are unexpected or suspicious behaviour which may mean an incident has occurred. This may include behaviours such as:

  • Strange or unexpected system activity
  • Alerts from a Network IDS or Antivirus system
  • Unscheduled system crashes or server reboots
  • Unexplained configuration changes, unusual files, unknown processes, unexpected web-site changes, etc.
  • Influx of phishing e-mails, spoofed e-mails, etc.
  • Unusual activity in log files, or gaps in or missing logs
  • E-mail system showing a large number of bounced/invalid emails
  • Large volumes of network traffic to unknown countries and networks

Containment

Step 1: Contain to Affected Systems.

A hacker will try to traverse to other systems, so isolate affected systems as soon as possible. The goal here is to prevent the problem from getting worse.

There are some key actions – these may affect incident response, forensic, and legal activities, so make sure you do it right:

  • Do unplug the network cable of affected systems
  • Do suspend affected VMs (a copy of the RAM is taken, which is important for forensic analysis)
  • Do disable wireless connections (in order of preference: at the router, hibernating the laptop, then disconnecting via the computer operating system)
  • Do declare an incident, if it appears to be one
  • Don’t run an anti-virus scan (this changes timestamps)
  • Don’t shut down operating systems

Step 2: Backup affected systems

You want to keep copies of the affected system for forensic purposes.

The best approach is to remove the affected system from the environment, and provide a new system for the user, or build a new server from a clean SOE.

Of course, sometimes this isn’t possible, in which case you should:

  • Obtain a brand new disk drive and create a complete bit-for-bit backup; and
  • Get another copy on write-once media (CD-R or DVD-R) in the event that you need pursue legal recourse.

Hint: Use the ‘dcfldd’ tool, which is available for Unix and Windows.

3rd party forensic investigators will have disk cloning hardware to perform this task if you don’t have the relevant expertise.

Eradicate the Problem

Step 1: Remove the malicious code

Eradication means removing the problem from affected systems determined through your scoping efforts.

The actual technical actions for eradication may vary considerably.

Hacking

For attacks on vulnerable systems, cleaning the system and patching the system may be sufficient.

Malware outbreaks

It can be very difficult and time-consuming to verify that systems are in fact secure, and malware has been completely removed. Rootkits in particular need specialist skills to detect.

We recommend rebuilding systems affected by malware, by either:

  • Reinstall the operating system from original media or image, and restore data from the last known good backup onto new media;
  • Wipe the existing media, reinstall the operating system from original media, and restore data from the last known good backup;

See the eradication tools in the Links below.

Step 2: Apply compensating controls

If you have indeed been breached, it will be best to apply further controls to ensure you are better able to prevent and detect malicious activity next time.

These controls may include:

  • Additional logging and monitoring of systems, applications, and databases
  • Increased monitoring of infrastructure logs, such as SIEM, firewalls, and IDS/IPS
  • Restriction of logical access to databases
  • Additional network segmentation
  • Restrict access to databases

Recovery

Step 1: Recover your systems

Once you’ve eradicated the problem, you can recover the affected systems and return them to production.

Remember to check the integrity of your backups before restoring from them. Malware may have been backed up with your system and data files.

There are key actions when you recover your systems:

  • Do patch all affected systems
  • Do check and remediate the original attack vector
  • Don’t re-introduce the vulnerability from your backups

Step 2: Monitor your environment

You need to conduct logging and monitoring of systems and network traffic to verify that the system or environment has been remediated.

  • Setup a sniffer on a switches span port to capture all network traffic
  • Log all traffic and send to your logging and monitoring solution
  • Check for further activity on the network

If you’re satisfied that the attack has been completely eradicated, then you can formally terminate the incident and conduct post-incident activities.

Have a look at our Incident Response Guide (available to subscribers) for supporting information on conducting post-incident activities, and preparing for the next security incident.

Incident Response Flow Chart

 What to capture

  • Network Diagram
  • Internal LAN IP Address(s)
  • External WAN IP Address(s)
  • Log Files
  • Firewall
  • IDS / IPS
  • Web / Proxy Server
  • Other Application Logs as Needed
  • PowerShell ▪ SQL
  • RDP
  • DNS
  • Active Directory
  • Disk Images for Affected Systems
  • Forensic Image of Disk
  • Volatile Memory Capture o Event Logs
  • Specific Application Logs
  • Detailed Timeline Prior to Engagement

Links

Eradication Tools

Microsoft Malicious Software Removal Tool
Avira Rescue System
McAfee Stinger Malware Removal Tool

Incident Reporting

Australian Cybercrime Online Reporting Network (ACORN)
CERT Australia

Data Breach Infographics and Cyber Security Research Reports

Data Breach Infographics

Cyber Security Research Reports

Security operations and analytics platform architecture (SOAPA)

Security operations and analytics platform architecture (SOAPA)

Security information and event management (SIEM) systems have been around for a dozen years or so. During that timeframe, SIEMs evolved from perimeter security event correlation tools, to GRC platforms, to security analytics systems. Early vendors like eSecurity, GuardedNet, Intellitactics, and NetForensics, are distant memories; today’s SIEM market is now dominated by a few leaders: LogRhythm, McAfee (aka: Nitro Security), HP (aka: ArcSight), IBM (aka: QRadar), and Splunk.

Of course, there is a community of innovative upstarts that believe that SIEM is a legacy technology. They proclaim that log management and event correlation can’t keep up with the pace of cybersecurity today, thus you need new technologies like artificial intelligence, machine learning algorithms, and neural networks to consume, process, and analyze security data in real-time.

 

As an industry analyst, I should be waving my arms around madly, proclaiming that “SIEM is dead,” since that’s what those in my profession tend to do. Sorry, but I don’t think SIEM is dead at all. Instead, enterprise security operations and analytics requirements are forcing rapid consolidation into something new that ESG calls a security operations and analytics platform architecture (SOAPA).

Within SOAPA, SIEM -like functionality still plays a starring role, often aggregating analytics data into a common repository. But unlike the past, SIEM is one of several security tools within SOAPA, and these technologies must be designed for asynchronous cooperation so security analysts can quickly pivot across tools to find data and take action as they need to in real-time.

SOAPA is a dynamic architecture, meaning that new data sources and control planes will be added incrementally overtime. I do believe, however, that today’s SOAPA is built with SIEMs (or similar log management and search products/services) and:

  • Endpoint detection/response tools (EDR). Security analysts often want to dig deep into security alerts by monitoring and investigating host behavior so EDR (i.e. CarbonBlack, Countertack, CrowdStrike, Guidance Software, etc.) is an essential component of SOAPA.
  • Incident response platforms (IRPs). Aside from collecting, processing, and analyzing security data, cybersecurity professionals want to prioritize alerts and remediate problems as soon as possible. These requirements are giving rise to the rise of IRPs like Hexadite, Phantom, Resilient Systems (IBM), ServiceNow, and Swimlane.
  • Network security analytics. SIEM’s log analysis and EDR host behavior monitoring are complemented by flow and packet analysis in SOAPA, provided by vendors like Arbor Networks, Blue Coat/Symantec, Cisco (Lancope), RSA, etc.
  • UBA/machine learning algorithms. While these tools have received an inordinate degree of industry hype, there’s little doubt that machine learning will be baked into security analytics henceforth, thus vendors like Bay Dynamics, Caspeda (Splunk), Exabeam, Niara, Sqrrl, and Varonis should be included in SOAPA.
  • Vulnerability scanners and security asset managers. Part of security operations is knowing which alerts should be prioritized. These decisions must be driven by solid data from vulnerability management systems (i.e., Qualys, Rapid7, Tanium), and other tools that monitor the state of systems and network configurations (i.e., RedSeal, Skybox, Verodin, etc.).
  • Anti-malware sandboxes. This technology represents another key pivot point for understanding targeted attacks that may use zero-day malware. Sandboxes from FireEye, Fidelis, and Trend Micro are definitely part of SOAPA.
  • Threat intelligence. Enterprise organizations want to compare internal network anomalies with malicious “in-the-wild” activities so SOAPA extends to threat intelligence sources and platforms (i.e., BrightPoint [ServiceNow], FireEye/iSight Partners, RecordedFuture, ThreatConnect, ThreatQuotient, etc.).

Aside from the technologies themselves, here are a few other thoughts on SOAPA:

  1. Beyond data exchange between security tools, the next big innovation will be central SOAPA command-and-control for analytics and management (i.e., configuration management, policy management, etc.) of the security infrastructure.
  2. The market is already moving in SOAPA’s direction. Witness IBM’s acquisition of Resilient Systems for IRP, Splunk’s purchase of Caspida for UBA, and Elastic Search’s acquisition of Prelert.
  3. Now that McAfee is independent of Intel, look for it to invest in its enterprise security manager (i.e., Nitro). McAfee will also accelerate SOAPA technology integration with its own tools and ecosystem partners, and acquisitions aimed at filling architectural gaps.
  4. Given the central role that SIEM still plays in SOAPA, someone (CA? Palo Alto? Symantec? Trend Micro?) will buy LogRhythm.
  5. Each of the technology elements described above could be delivered on-premises or via SaaS options. SOAPA must be flexible to accommodate these options.
  6. SOAPA must be built for immense scale – especially as organizations increase their use of cloud computing and IoT. It’s likely cloud analytics or storage will become part of the architecture.
  7. A few vendors may be able to deliver their own proprietary SOAPA solutions but enterprise customers will likely eschew single vendor solutions while anchoring their SOAPAs with lead vendors and ecosystem partners. Small enterprises and SMBs could buy from a single product or SaaS vendor however.

Cyber Security Frameworks

 

Cyber Security Frameworks

 

 

Cyber Threats

Cyber Threats

List of Cyber Threats

  • Malicious software
  • Unauthrized access
  • Denial of Service
  • Data Leak
  • Unauthrozed use of services
  • Government and competitor cyber espionage
    • 3rd Party attack
  • https://www.cpni.gov.uk/advice/cyber/Cyber-Attack-Types/
  • https://www.getcybersafe.gc.ca/cnt/rsks/index-en.aspx
  • Physical Security
    • Theft
  • Human Error
      • misdelivery of sensitive information to the wrong person by email or fax;
      • mistakenly making information publicly available on a web server or website;
      • losing or inadequately disposing of data, including paper records;
      • losing an unencrypted laptop, cellphone or storage device such as a USB key.
  • Insider Threat
    • Misuse of privileges by rogue employee or other insiders,
    • Payment card skimmers, a skimming device is implanted in a device that reads magnetic stripe data from a payment card. Examples include ATMs, gas pumps, and POS (Point of Sale) terminals.
  • Cyber Risk and Business Impact Analysis

RTLO (right to left override) technique for file extension spoofing U+202e

RTLO (right to left override) technique for file extension spoofing

Step-by-Step Guide

U+202E 2017-03-27 10-34-50

  1. Open Windows Character Map Tool (Start, Run, Charmap)
  2. Go to Unicode 202E: Right-To-Left Override
  3. Click Select and then Copy
  4. Edit a file name and just before the . Paste here. (Example, notepad.exe notepad[202E].exe
  5. Then type in the file extension your require.
    1. doc=cod
    2. pdf=fdp
  6. User Resource Hacker to change the ICON (http://www.angusj.com/resourcehacker/)

Self Extracting and Executing archive SFX

Software

 Method

  1. Email encrypted self extracting SFX file that is a .SCR VbScript with file name that looks like a PDF using 202E which then executes DLL to download payload and executes in users admin area.

Essentially, the file’s actual name can be something like “Awesome Song uploaded by [U+202e]3pm.SCR”. The special character forces Windows to display the end of the file’s name in reverse, so the file’s name will appear as “Awesome Song uploaded by RCS.mp3”. However, it’s not an MP3 file – it’s an SCR file and it will be executed if you double-click it. (See below for more types of dangerous file extensions.)

Method 1: Universal

This method works regardless of any of your language settings, but is the most cumbersome to type.

  1. Press and hold down the Alt key.
  2. Press the + (plus) key on the numeric keypad.
  3. Type the hexidecimal unicode value.
  4. Release the Alt key.

Alas, this appears to require a registry setting. It was already set on my computer, but some readers report that this method didn’t work for them, and this is probably why. If you don’t know what the registry is, please don’t try this. Under HKEY_Current_User/Control Panel/Input Method, set EnableHexNumpad to “1”. If you have to add it, set the type to be REG_SZ.

Method 2: Input-language Specific

This method depends on the specific input language you are using.

  1. Press and hold down the Alt key.
  2. Type 0 (zero) and the decimal unicode value on the numeric keypad.
  3. Release the Alt key.

You can see which input language you are using (and which are installed) by:

  1. Start Menu
  2. Settings
  3. Control Panel
  4. Regional and Language Options
  5. Languages tab
  6. Detail button

The entries in the Unicode character information section are using the Windows Latin 1 input language.

Method 3: Code-page Specific

This method depends on the specific code page you have installed.

  1. Press and hold down the Alt key.
  2. Type the decimal codepage value on the numeric keypad. Do not type any leading zeros.
  3. Release the Alt key.

You can see which code page you have by typing chcp at a command prompt. Check the grid for your code page from the list of known code pages to see what characters you can enter this way.

The entries in the Unicode character information section are using code page 437.

Method 4: Application-specific

Applications can support their own methods. These are not standardized.

Several Microsoft applications, including WordPad and Microsoft Word:
press Alt-X after typing some hex digits. You see the digits as you type them, and they’re replaced by the Unicode equivalent. Pressing Alt-X again converts it back to numbers.

Method 5: Unicode IME

Microsoft has a Unicode Input Method ?Editor? that works the same way my UnicodeInput pop-up does, but with LeftAlt Shift as the trigger key.

Michael Kaplan, a Microsoft i18n guru, has the details on how the Unicode IME works. Some notes to fill in some details that he assumes:

  • Go into Control Panel -> Regional Settings, on the languages tab, enable support for East Asian languages. This takes 230 MB of disk space and a restart.
  • Go back into Control Panel -> Regional Settings, on the languages tab, press the Details button.
  • Add Chinese (Taiwan) (Others would probably work too) and choose Chinese (Traditional) - Unicode.
  • You will now have an extra do-hickey in the taskbar showing which language you’re in.
  • Press LeftAlt Shift to switch into the IME (taskbar shows CH).
  • Type the hex digits of the Unicode character. As soon as you type the last one, it is sent to the application.
  • Press LeftAlt Shift to switch out of the IME (taskbar shows your original language code).

Tips

  • Fonts – you must have a font that contains the character. It seems obvious, but Windows can’t display characters it doesn’t know about. Often, you will need to select the font yourself, since only a few applications are smart enough to switch fonts automatically.
  • WordPad – works, but you have to have it set to a font that contains the character. Method 4 ([hex][AltX]) seems to switch to an appropriate font automatically.
  • Notepad – generally doesn’t work since its font doesn’t support many characters.
  • Internet Explorer – in the URL bar, the universal method doesn’t work if it has A-F, since it opens the menu (i.e. Alt-F opens the File menu).
  • Mozilla Firebird – works correctly (if you have a font that supports it). Note that if you type it on a page that is is using a charset that doesn’t support it, it will not be transmitted to the website correctly.

References

  • The Alt+NumPad entry in Microsoft’s Global Windows Glossary
  • Windows XP docs that inexcusably don’t mention the universal variation.
  • Discussion on GeorgeHernandez.com (search for “2005-04-24”) – discussion of the various problems with someone who did some real work to figure out what works and doesn’t. He also has a Unicode shortcuts page that summarizes his findings (quite similar to this page, but with more detail).
  • Wikipedia article Unicode_input with some Mac and Linux tips.