
Incident Response and Forensics


Presentation Transcript


  1. Incident Response and Forensics
  • A Call to Action for organizations

  2. Evolution of Incident Response
  • Executive Concerns
  • Legal Concerns
  • Technical Concerns
  [Diagram: Technical, Business, Compliance]

  3. Who Is Behind Data Breaches?
  [Chart: Resulted from External Agents; Were Caused by Insiders; Implicated Business Partners; Involved Multiple Partners. Values shown on the slide: 17%, 7%, 45%, 31%; the transcript does not preserve which value belongs to which category.]
  Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

  4. How Do Breaches Occur?
  [Chart: Involved Privileged Misuse; Resulted from Hacking; Utilized Malware; Employed Social Tactics; Comprised Physical Attacks. Values shown on the slide: 9%, 29%, 16%, 22%, 24%; the pairing of values to categories is not recoverable from the transcript.]

  5. Demographics By Industry
  [Chart: Financial Services, Hospitality, Retail, Manufacturing, Tech Services, Business Services, Government, Media, Healthcare, Other. Values shown on the slide: 5%, 3%, 4%, 4%, 4%, 32%, 5%, 6%, 15%, 23%; the pairing of values to industries is not recoverable from the transcript.]

  6. What Commonalities Exist?
  • 98% of all breaches came from servers
  • 85% of attacks were not considered highly difficult
  • 61% were discovered by a third party
  • 86% of victims had evidence of the breach in their log files
  • 96% of breaches were avoidable through simple or intermediate controls
  • 79% of victims subject to PCI DSS had not achieved compliance

  7. Conclusions
  • Attacks are becoming more elaborate, with custom and targeted malware being developed
  • Encryption is being bypassed at different layers
  • Lax host and network security means easy entry for attackers
  • Passwords are paramount: defaults need to be changed before a system is even plugged in

  8. Credit Card Breach: Why should you care if your card is compromised?
  • Personal liability
  • Unauthorized Recurring Charges
  • Potential downtime
  • Inconvenience? Yes.
  • Major Issue? Generally Not.

  9. Credit Card Breach: Who Cares?
  • Card Brands
    • Reduced consumer confidence in the payment system
    • Loss of revenue
    • Brand damage
    • Investigation costs
    • Litigation costs
  • Bank
    • Customer service costs
    • Notification costs
    • Card re-issue costs
    • Investigation costs
    • Litigation

  10. Credit Card Breach: Who Cares?
  • Merchants
    • Brand damage? Brick and Mortar vs. Online
    • Investigation costs: $12k to well over $1M
    • Remediation costs: $5k to well into the Millions
    • Increase in transaction fee rates (a big ticket item)
    • Immediate Fines from Brands
    • Litigation costs: Legal, Experts

  11. Case Study # 1

  12. Case Study 1: PCI Level 1 Retail Merchant
  • Strengths
    • Multi-layered Firewalls between Corporate and the Retail locations.
    • Segmented POS networks.
    • Encryption from the Back of House server to the Payment Switch.
  • Weaknesses
    • ACLs not well defined.
    • Multi-homed Servers bypassed Access Control Lists (ACLs).
    • Outbound filtering was not protocol aware.

  13. Case Study 1 • Network Layout

  14. Case Study 1 • Attacked Network

  15. Case Study 1: Examination Findings
  • The attacker defeated the protection of encryption before the data even hit the application.
  • The data was sniffed and parsed into a nice, neatly packaged format.
  • Weak passwords were the organization's downfall, allowing the attacker to fan out to several hundred systems.
  • The attacker made use of the public side of the multi-homed system to exploit and explore other systems.
  • Lack of protocol-aware filtering.

  16. Case Study # 2

  17. Case Study 2: A Level 4 Merchant & Level 1 Service Provider
  • Strengths
    • Small, “should be” an easy-to-manage infrastructure.
    • Encryption from the POS Terminals to the POS Back of House, with encryption to the Payment Switch.
  • Weaknesses
    • ACLs not well defined.
    • Multi-homed Servers: one leg connected to the internet, the other to the internal LAN.
    • Remote support often left wide open (e.g. pcAnywhere, VNC, RDP).

  18. PCI Breach Process

  19. Identification
  • The Merchant ID is identified by one of the card brands as a Common Point of Purchase (CPP) based on fraudulent transactions
  • Analysis leads to isolation of activity

  20. Identification: What To Do
  • Immediately contain and limit the exposure.
  • Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information.
  • Alert all necessary parties immediately:
    • Your internal information security group and incident response team.
    • Your merchant bank.
    • Your local office of the United States Secret Service.

  21. Investigation
  • http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
  • You need to contract with a PCI Forensic Investigator (PFI)
    • 7 approved vendors in the US
    • “PFI of Record”
  • Forensic investigation
    • Lengthy
    • Expensive
    • Invasive

  22. PFI Onsite
  • Forensic Analysis of (potentially) affected systems
  • Breached internet-facing systems (for example, ecommerce sites) must not be brought online until:
    • QIRA report accepted by VISA
    • Remediation actions completed
  • Forensic Investigation can extend into business partners, suppliers, and service providers

  23. Remediation
  • Become Level 1
    • Remain for one year minimum
    • Perform a complete Level 1 Assessment
  • Fixing the problems
    • HUGE expense to the organization ($MM)
    • Both hard and soft costs
    • Major retailer replaced ½ of their POS systems (2500 stores)
    • Enterprise Encryption
    • Network Redesign

  24. Litigation
  • Fines
    • Non-compliance fines ($5-25k/$$M)
    • Increase in credit card transaction fees
  • Mandates for other regulations
    • FTC
  • Lawsuits
    • Plaintiff costs
  • Trickle effect? Are others vulnerable?
    • What does the trust model look like?
    • Does a breach of one affect others?

  25. 5 Biggest Technical Mistakes In Response to a Breach

  26. Technical Mistake # 1 • Delaying Actions

  27. Delaying Actions
  • Organizations need to pre-plan through “what if” scenarios, because at some point in time an incident will happen.
  • Time is one of the biggest enemies in responding to a breach.
  • Think of the “golden hour” rule; the same applies to IR and investigations.

  28. Technical Mistake # 2 • Change

  29. Change
  • Given the nature of electronic evidence and computing systems, data is constantly changing from second to second.
  • Organizations need to adhere to a “change freeze” policy in the event of a data security breach so they may capture the best evidence possible.
  • If an organization cannot hold changes, then a full system backup or image should be taken.
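The change-freeze point above comes down to one thing: evidence that is still changing cannot be trusted later. The script below is an added example, not part of the original deck, showing the minimum a responder should do when a freeze is not possible and an image is taken instead: hash the source before imaging, hash the image after, refuse the acquisition if they differ, record a chain-of-custody manifest, and re-verify later. The file names, the log content and the examiner name are constructed for the demo.

```python
"""Evidence acquisition with integrity verification.

Added example (not from the slides): demonstrates why a change freeze or a
bit-for-bit image matters. Data is hashed at acquisition time, a manifest
records the hash and timestamp, and any later change to the evidence is
detectable. File names, contents and the examiner name are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image never has to fit in RAM


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, manifest_path, examiner="examiner (placeholder)"):
    """Copy the evidence to image_path and write a chain-of-custody manifest.

    The source is hashed before the copy and the image after it. If the two
    differ, something changed during imaging and the acquisition is rejected.
    """
    source_hash = sha256_file(source)
    shutil.copyfile(source, image_path)
    image_hash = sha256_file(image_path)
    if image_hash != source_hash:
        raise RuntimeError("source changed during acquisition; re-image under a change freeze")
    manifest = {
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "sha256": image_hash,
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare with the manifest; False means it was altered."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return sha256_file(image_path) == manifest["sha256"]


def demo():
    """Acquire a constructed log file, then show that a later edit is detected."""
    workdir = tempfile.mkdtemp(prefix="ir_demo_")
    evidence = os.path.join(workdir, "pos_server_log.txt")  # constructed sample evidence
    image = os.path.join(workdir, "pos_server_log.img")
    manifest = os.path.join(workdir, "pos_server_log.manifest.json")
    with open(evidence, "w") as f:
        f.write("2011-03-01 02:14:07 login failed user=admin src=192.0.2.10\n" * 50)

    acquire_image(evidence, image, manifest)
    intact = verify_image(image, manifest)
    # The "no change freeze" failure mode: someone touches the copy after acquisition.
    with open(image, "a") as f:
        f.write("2011-03-01 09:00:00 log rotated by helpful admin\n")
    tampered = verify_image(image, manifest)
    shutil.rmtree(workdir)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The before/after hash comparison is the part most often skipped in practice; without it a responder cannot show that the image reflects the system as it was when the breach was declared, which is exactly the "best evidence" the slide is asking for.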

  30. Technical Mistake # 3 • Over / Under Reacting

  31. Overreacting
  • Organizations move into an overreacting state rather quickly, whereby they inadvertently change or destroy critical evidence.
  • In most cases this is due to a lack of planning or experience within the organization.

  32. Underreacting
  • Just the opposite of overreacting: some organizations underreact by not notifying parties in a timely fashion.
  • Some will brush the event off as an anomaly.

  33. Technical Mistake # 4 • Inexperience

  34. Inexperience
  • More often than not, organizations will call the “IT guy” to come review the systems.
  • Mainly seen as an issue with smaller organizations.
  • An experienced staff or firm needs to be ready to act in a timely manner to limit the exposure of the compromise.
  • Proper training is paramount; its benefits and importance are especially great given the constant changes in today’s technology.

  35. Inexperience
  • Users can be a major source of security breaches if they are not knowledgeable about security policy and acceptable computer/network usage.
  • The bottom line is that organizations need to continuously train and educate users. Proper security awareness training should be done on a regular basis.

  36. Technical Mistake # 5 • Inconclusive Findings

  37. Inconclusive Findings
  • More often than not, organizations will have one or more areas where the data is inconclusive and cannot support the investigation.
  • No supporting evidence at the border (firewalls, routers, or IDS/IPS).
  • If logging is not enabled, an organization has no way to detect whether it has been compromised.
  • Logging also allows the investigators to trace back to the origin, which in some cases can aid law enforcement in a successful apprehension.
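To make the border-logging point concrete, here is an added example (not from the deck) of the kind of review an investigator runs over border firewall logs. It summarizes accepted outbound traffic per internal host, flags hosts whose volume or number of external destinations is unusual, and records the first timestamp each host appeared so the activity can be traced back to its origin. When there are no usable log lines at all it returns None, the "inconclusive findings" case the slide warns about. The log line format, the internal address ranges and all addresses and byte counts are constructed for the demo, not taken from any real firewall.

```python
"""Egress review over border firewall logs.

Added example, not from the slides. With no border log there is nothing to
examine; with one, an internal host pushing unusual volumes to the internet
can be spotted and its first appearance timestamped for trace-back.
The log format, address plan and every value below are constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed format: one accepted or dropped flow per line with a byte count.
LOG_RE = re.compile(
    r"(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"
)

# Assumed internal address plan (an org would substitute its own).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: 10.1.5.20 moves ~7 MB to an external host at 2 a.m.
SAMPLE_LOG = """\
2011-03-01T02:14:07Z fw1 ACCEPT src=10.1.5.20 dst=198.51.100.7 proto=tcp dport=443 bytes=1200
2011-03-01T02:14:09Z fw1 ACCEPT src=10.1.5.20 dst=198.51.100.7 proto=tcp dport=443 bytes=7340032
2011-03-01T02:15:01Z fw1 ACCEPT src=10.1.5.21 dst=203.0.113.4 proto=tcp dport=80 bytes=2048
2011-03-01T02:15:05Z fw1 DROP src=10.1.5.21 dst=203.0.113.4 proto=tcp dport=22 bytes=0
2011-03-01T02:16:00Z fw1 ACCEPT src=10.1.5.30 dst=10.1.9.2 proto=tcp dport=445 bytes=99000000
2011-03-01T02:17:00Z fw1 ACCEPT src=10.1.5.20 dst=203.0.113.9 proto=udp dport=53 bytes=300
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def is_internal(ip):
    """True if the address falls inside the assumed internal address plan."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize_egress(lines):
    """Per internal source host: bytes accepted to external destinations,
    the set of distinct external destinations, and the first-seen timestamp.
    Also returns how many lines parsed, so callers can tell 'no findings'
    from 'no evidence'."""
    stats = defaultdict(lambda: {"bytes": 0, "dsts": set(), "first_seen": None})
    parsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        parsed += 1
        # Only accepted flows from inside to outside count as egress.
        if ev["action"] != "ACCEPT" or not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue
        s = stats[ev["src"]]
        s["bytes"] += ev["bytes"]
        s["dsts"].add(ev["dst"])
        if s["first_seen"] is None:
            s["first_seen"] = ev["ts"]
    return parsed, stats


def find_exfil(lines, byte_threshold=5_000_000, dst_threshold=5):
    """Return a list of findings, or None when the log holds no usable events."""
    parsed, stats = summarize_egress(lines)
    if parsed == 0:
        return None  # nothing to analyse: the investigation is inconclusive here
    findings = []
    for src, s in sorted(stats.items()):
        reasons = []
        if s["bytes"] > byte_threshold:
            reasons.append(f"{s['bytes']} bytes to external hosts exceeds {byte_threshold}")
        if len(s["dsts"]) >= dst_threshold:
            reasons.append(f"{len(s['dsts'])} distinct external destinations")
        if reasons:
            findings.append({"src": src, "first_seen": s["first_seen"],
                             "bytes": s["bytes"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_exfil(SAMPLE_LOG.splitlines()) or []:
        print(finding)
```

The thresholds are illustrative; in a real review they come from a baseline of the site's normal traffic. The distinction between an empty result and None is deliberate: "we looked and found nothing" and "we had nothing to look at" are different conclusions, and only the first supports an investigation.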
