Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Security-focused operating system wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Cyberwarfare wikipedia , lookup
Distributed firewall wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Mobile device forensics wikipedia , lookup
Computer security wikipedia , lookup
Mobile security wikipedia , lookup
Managing Security Events** A model for 21st century information security threats Matthew Standart, MSIM, CISSP Senior Security Engineer About the Speaker Matthew Standart • 10+ years working in IT • 5 years directly in Forensics/Security • Experienced examiner for Criminal and Civil Matters of all types • Experienced corporate investigator and examiner of all matters (IT, Security, HR, Legal) for Defense Contractor • MS: Information Management • BS: Software Engineering • CISSP, EnCE, GCFA, CCE, N+, S+ certified Premise 1. Threats cannot be prevented, incidents will occur; therefore incident response is inevitable. 2. Information Security Incidents are caused by threats that operate both internally and externally. 3. By better understanding the threat landscape, we can devise a risk-based approach to monitoring and mitigating information security threats. 4. By strategically aligning IT to this business objective, we can integrate efficiency and intelligence gathering into the process.*** Functional Shift: From Prevention to Response • Prevention is no longer the key to security*** • The attacker has the advantage; they are more creative at finding ways in than security experts are able to think of ways to keep them out.*** Understanding the Threat Landscape 1. Threats operate externally or internally 2. Threats occur directly or indirectly • Distinguishing between threats is important to formulate appropriate response strategy • Many companies fail to recognize all threats, where instead they focus on one (or even none) threat types.*** Threat Matrix • A visual representation of threat categories. External Targeted Attacks (APT) Non-Targeted Attacks (Drive-Bys) False Positive Internal Insiders (CI) Misuse (HR Matters) Direct Indirect Traditional I/R Cycle Events Monitoring Formulate Response Strategy Remediation Response Gather Intel Traditional Mistakes Events Monitoring Breakdown #1: “Trust AV” Remediation Breakdown #2: “Reimage” Strategy Breakdown #3: Not Preventing “Reinfection” Response Gather Intel Formulate Response Strategy HBGary Continuous Protection Cycle Codified Rules Events Plan Prepare Detect Monitoring Lessons Learned Tracking Formulate Response Strategy Reporting/Metrics Perimeter Remediation Validation Accurate Classification Network Gather Intel Host Execute Response Strategy Enterprise Scanning Direct External Disk Threat Intelligence Memory Indirect External False Positive Network Direct Internal Indirect Internal HBGary Integrated Approach Codified Rules Inoculator Events Active Defense w/ DDNA Razor Monitoring Lessons Learned Tracking Formulate Response Strategy Reporting/Metrics Razor Remediation Active Defense w/ DDNA Inoculator Gather Intel Active Defense (IOC) Threat Intelligence Execute Response Strategy Active Defense Active Defense Direct External Active Defense False Positive Network Responder Pro Indirect External Direct Internal Indirect Internal Monitoring • Generally, insufficient information is available at the time of the detection of an adverse event to accurately classify the threat. • The same detection can result from different threat agents, and with different root causes. • This knowledge comes from the investigation, documentation, and post-analytics of all Adverse Events detected in an organization Adverse Events • An incident can be defined as an adverse event where damage or loss has occurred • Definitions are set by senior management Incident Management 1. (Event) Detection logs often do not contain sufficient information to make this distinction; therefore an organization must devise a process to investigate events to identify and separate incidents from adverse events. 2. The optimal IR process will consist of: • • • • An investigation for every adverse event Documentation for every adverse event (and incident) Minimum required collection of data per investigation Scalability to respond to every type of adverse event Investigate Threats • When a threat is detected or suspected, triage is the first step of the response process. • The first goal of the triage is to classify the threat, and to determine whether the detection is an incident or not. • The second goal of the triage is to collect salient information to support the formulation of a threat response strategy. Response Strategy Goals • Threat Assessment • Scope of Impact • Exposure, Damage, and Losses • Threat Intelligence Gathering • Codify Intelligence • Risk Identification • Threat Identification • Threat Containment • Host Sanitization • Network/Perimeter Sanitization Triage • Effective Triage looks for artifacts, or digital remnants, caused by human activity or interaction with a computer system • Noise has to be filtered out from valuable information • The more informative/valuable or “human” the artifact, typically the more volatile System Artifacts Core OS Files Less Volatile Human Artifacts Patches Updates Corporate Software Personal Software Event Logs Internet History User Files/Documents Date/Time Stamps Malware More Volatile Digital Artifacts • File System: • Event Logs • Events such as process start/stop, logon/logoff • Internet History Records • URLs accessed, Files downloaded • File System Metadata ($MFT) • Files Created/Accessed/Modified • Files • Malware/Droppers, Hack Tools, Exfil Data • Registry • Modified Keys (Services, Run) • MRU Keys (OpenSaveMRU, LastVisitedMRU) Digital Artifacts Continued • Memory: • • • • Processes/Modules Binary Strings Network Connections Website Data • Malware (Reverse Engineering) • C2 Domains • Compile Time • Registry Keys Threat Matrix • A visual representation of threat categories. External Targeted Attacks (APT) Non-Targeted Attacks (Drive-Bys) False Positive Internal Insiders (CI) Misuse (HR Matters) Direct Indirect Threat Matrix • Traditional Response Methodology External (offline) Forensics Live Collection Live Collection Internal (offline) Forensics Live Collection Direct Indirect Threat Matrix • New Response Methodology, integrating Enterprise Forensic Technology External Live (network) Forensics Traditional (offline) Forensics Live (network) Forensics Live (network) Forensics Internal Live (network) Forensics Traditional (offline) Forensics Live (network) Forensics Direct Indirect Live Forensics • New technologies allow for live “forensically sound” acquisition of digital artifacts • Initial Triage is the process of searching for and collecting common digital artifacts in support of the detected event • “Low-hanging fruit” concept • Why take down and forensically image a system if all you need is the history file and event logs? Impact of Policy and Process Improvement Ratio of Cases handled via Offline Forensics vs Live Forensics 60% 50% 40% 49% 47% 44% 42% 36% 39% Implementation of Live Forensic Methodology 30% Ratio 20% 9% 10% 11% 9% 10% 11% 13% 0% Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Timeline • Effective timelines come from joining various digital artifacts based on date/time and activity • Timelines can help determine attack vector, date of compromise, exposure, and actions by an unauthorized intruder Source Date/Time Activity IE History 9/28/2010 13:44:47 http://compromisedsite.com/index.php IE History 9/28/2010 13:45:05 http://baddomain.net/malware.exe File System 9/28/2010 13:45:08 [Created] C:\Documents And Settings\Bob\malware.exe Event Logs 9/28/2010 13:45:09 [Event ID 592] A new process has been created: malware.exe File System 9/28/2010 13:45:11 [Created] C:\Documents And Settings\Administrator\dropper.exe File System 9/28/2010 13:45:12 [Created] C:\Windows\System32\service32.exe Event Logs 9/28/2010 13:45:13 [Event ID 592] A new process has been created: service32.exe File System 9/29/2010 01:14:55 [Accessed] telnet.exe Using Active Defense for Triage • Live Memory/Binary Analysis • Remote File Browser • Timeline • MFT Analysis (Feature Request) • EVT Analysis (Feature Request) • Registry Analysis (Feature Request) • History Analysis (Feature Request) • Multiple File Search/Collection (Feature Request) Remediate Threats • Extract Indicators of Compromise from Digital Artifacts: • • • • File Names Binary Strings Registry Keys File Metadata (Create/Access Time) • Scan Network Hosts for same IOCs • Clean Systems with Positive Hits Reports