Preparing for and Responding to a Breach
Ohio Information Security Conference
March 15, 2017, Dayton Ohio
800.314.4357 | www.VestigeLtd.com | Responsiveness, Speed & Availability Reliability Knowledge | Copyright ©2016 Vestige Ltd
Before anything else, preparation is the key to success.
Alexander Graham Bell
By the Numbers
• 79,000+ security incidents
• Over 700 million records compromised
• The US military treats cyber as one of five domains: air, sea, land, space and now cyber. - General Michael Hayden, former Director of the CIA and NSA
• 260 days to detection
Cyber Statistics
• In 60% of cases, attackers compromise an organization in minutes
• 75% of attacks spread from Victim 0 to Victim 1 in 24 hours
• 23% of recipients open phishing emails and 11% click on attachments
Source: 2015 Data Breach Investigations Report, Verizon
Cyber Statistics
• Finance: 350 events per week
• Insurance: 575 events per week
• Retail: 801 events per week
• Utilities: 772 events per week
Source: 2015 Data Breach Investigations Report, Verizon
More (Sickening) Stats
• 70-90% of malware samples are unique to an organization
• 99.9% of exploited vulnerabilities were compromised more than a year after being published
• Half of the malware made to exploit a vulnerability was ready in 2 weeks
Source: 2015 Data Breach Investigations Report, Verizon
Planning for a Breach
• Getting legal involved
  • Protecting the analysis and results
  • Seeing that notification laws are considered
• What would the technical goals of a breach response be?
  • Handling the breach internally
  • Outsourcing the investigation
• When to engage a public relations firm
Planning for a Breach
• Employee involvement
  • Are they trained to identify breach attempts?
  • Do they know the procedure for notifying someone in the event of a breach?
• Provide reminders of what is happening
  • New methods of attacks/phishing
IR Plan Basics
• Members and responsibilities of the following teams:
  • PR
  • IT
  • Legal
• 24x7 contact information
  • How to proceed if someone is unreachable
• Prioritization of IT assets
  • Risk assessment if a system is down
• Preservation steps
IR Plan Basics
• When to contact the C-Suite
  • A balance between knowing soon and knowing the full picture
• What is required by your insurance
• Communication when email/VM/messaging is compromised
• Do you have a “single voice” policy?
IR Plan Basics
• Understand the criteria for notification
• Procedures for notifying LE or other organizations
  • Have you already made a connection?
• Having a public relations firm on retainer
• Having an outside forensic firm on retainer
Best Practices for Victim Response and Reporting of Cyber Incidents. US DOJ Cybersecurity Unit. April 2015.
IR Plan – Your Data
• Where is your important data?
  • Methods being used to protect the data or limit its exposure
• Logging of access to that data – how far back can you go?
  • Can you go 10 months?
• What other logs are being kept and for how long?
IR Plan – What is being logged
• Apache/IIS or other web logs
• SMTP logs
• Firewall logs
• Event Logs (are you capturing the right events?)
• IDS logs
• Others?
IR Planning
• Table top exercise
  • Where the rubber meets the road
  • Should be performed periodically instead of one and done
  • Helps remove bias in the planning and putting together of your plan
  • Find the “gotchas”
The Breach Occurs….
The Response
• Follow your plan
  • You do have one, right?!
The Response – Plan B
• Strike a balance between remediation and preservation
  • IT wants to remediate
  • Legal and the IR team want and need to preserve
• Involve the investigation team right away
• Will you need to bring up replacement systems?
Importance of Preservation
• Change to 2013 HIPAA omnibus rule
[Incident] “is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised”
• Expect others to follow
The Response – Plan B
• Understand the genesis of the attack
• Understand what data was compromised
  • Is the data encrypted?
• Attempt to determine where the data went
  • Difficult when the attack is from unknown entities
The Response – Plan B
• Create a signature of the threatening files
  • Scan the environment to reveal additional infections
Outsourcing Breach Response
• Does the internal team have the necessary skills and experience?
• Is an expedited time frame involved?
• Insurance can sometimes dictate who handles the breach
• Need for third party review
Expected Time Frame
• IR team is usually on site the same day or the next day
  • However, this is dependent on up-front planning
• “Bleeding” of data may be stopped in hours
  • May depend on appetite for shutting down the internet connection
Expected Time Frame
• Days to weeks to determine:
  • How the incident occurred
  • What data was leaked
  • Where the data went
• Again, heavily dependent on up-front work as well as the number of affected systems
• An iterative process
Case Study: 3.5M to 11K
• The Situation: The client works in the financial arena. The client had a web-based B2B application that allowed for exchanging account records via an FTP site. Data on the FTP site was found to have been indexed by Google because anonymous access to the FTP site had not been removed. Data for approximately 3.5 million accounts existed on the site.
• The Solution: Information was gathered from Google searches. The FTP site did have considerable logging showing what records were touched by which accounts and when. Furthermore, not all records contained data that rose to the level of notification.
• The Results: A detailed analysis was performed to determine which sets of records were accessed by the anonymous account vs. the authorized accounts. That analysis was combined with record contents to create a more accurate count of exposed records that could be subject to notification.
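The narrowing step in this case study, as an added example (not Vestige's code or the engagement's actual data): the log lines, hosts, user names and record inventory are constructed, and the xferlog field layout is assumed. It separates what the anonymous account actually retrieved from what authenticated accounts retrieved, then counts only the retrieved records whose contents trigger notification.

```python
from collections import namedtuple

Transfer = namedtuple("Transfer", "date host size path direction mode user status")
# Constructed sample in xferlog format (wu-ftpd/vsftpd); assumed field layout:
# <5 date tokens> <secs> <host> <bytes> <file> <type> <special> <dir: o=download>
# <mode: a=anonymous, r=real> <user> <service> <auth> <auth-uid> <status: c/i>
SAMPLE_XFERLOG = """\
Mon Mar 13 10:22:01 2017 1 203.0.113.5 52000 /b2b/acct_batch_001.csv b _ o a googlebot@ ftp 0 * c
Mon Mar 13 10:22:09 2017 1 203.0.113.5 48000 /b2b/acct_batch_002.csv b _ o a googlebot@ ftp 0 * c
Mon Mar 13 11:05:44 2017 2 198.51.100.20 52000 /b2b/acct_batch_001.csv b _ o r partnerbank ftp 0 * c
Mon Mar 13 11:06:02 2017 3 198.51.100.20 61000 /b2b/acct_batch_003.csv b _ o r partnerbank ftp 0 * c
Tue Mar 14 02:14:30 2017 1 203.0.113.5 44000 /b2b/acct_batch_004.csv b _ o a mozilla@ ftp 0 * i
Tue Mar 14 09:30:12 2017 4 198.51.100.20 61000 /b2b/acct_batch_003.csv b _ i r partnerbank ftp 0 * c
"""
# Constructed (hypothetical) record inventory: file -> (accounts in the file,
# whether its fields carry data that rises to the level of notification)
RECORD_INVENTORY = {
    "/b2b/acct_batch_001.csv": (1200, True),   # names + account numbers
    "/b2b/acct_batch_002.csv": (900, False),   # internal IDs only
    "/b2b/acct_batch_003.csv": (1500, True),
    "/b2b/acct_batch_004.csv": (800, True),
}

def parse_xferlog(text):
    """Parse xferlog lines; malformed lines are skipped rather than guessed at."""
    out = []
    for line in text.splitlines():
        t = line.split()  # xferlog writes spaces inside file names as '_'
        if len(t) != 18:
            continue
        out.append(Transfer(" ".join(t[:5]), t[6], int(t[7]), t[8],
                            t[11], t[12], t[13], t[17]))
    return out

def files_retrieved(transfers, anonymous):
    """Files downloaded (direction 'o') by the anonymous account or by real users.
    Incomplete transfers still count: the bytes already sent left the server."""
    mode = "a" if anonymous else "r"
    return {x.path for x in transfers
            if x.direction == "o" and x.mode == mode and x.size > 0}

def exposure_summary(transfers, inventory):
    """Narrow 'every account on the site' down to the notifiable population."""
    anon = files_retrieved(transfers, anonymous=True)
    total = sum(n for n, _ in inventory.values())
    exposed = sum(n for f, (n, _) in inventory.items() if f in anon)
    notifiable = sum(n for f, (n, pii) in inventory.items() if f in anon and pii)
    return {"total_accounts": total, "anon_exposed": exposed, "notifiable": notifiable}
```

On the constructed sample, 4,400 accounts sit on the site but only 2,000 are both anonymously retrieved and notifiable; the upload of batch_003 and the authenticated partner downloads do not add to the count.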
Case Study: Breach that Lost Client
• The Situation: The client provided a news feed service to a company, which in turn provided that feed to its own clients. The contract had been suspended for a period of time, but the client found evidence that the feed was still being provided. The client suspected a break-in by their client.
• The Solution: Analysis of the system that provided the news feed, documentation of how the feed worked, and then scrutiny of the evidence.
• The Results: Despite claims to the contrary, the client had not turned off the feed to their client; IT was mistaken about how the process worked. The evidence that the feed was still being used, however, was faulty as well.
Unusual Case Studies
• Unusual Case 1: VM (voicemail) system
  • Client working with a phone system vendor
  • Entire database was loaded to an FTP site (unsecured)
  • Originally thought there was no issue, but….
What is in the voicemails?
Unusual Case Studies
• Unusual Case 2: ESXi server
  • Begins with an NTP reflection attack
  • Ends in the discovery of an exposed server
  • Forensics on ESXi is virtually non-existent
Unusual Case Studies
• Unusual Case 3 – Wide open AD
  • Client’s IT notified by a user that they were not restricted from entering a folder
  • Review determined the entire company (multi-site) had Domain Admin credentials
  • Investigation revealed 6 months of failed backups, hampering analysis
  • A “work around” script for installing an application created the problem, which wasn’t remediated
Questions?
Greg Kelley, EnCE, DFCP
Vestige Digital Investigations
Cleveland | Columbus | Pittsburgh
330.721.1205
www.vestigeltd.com