Life after the hack
OSInet - Frédéric G. MARAND (fgm)
DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr
Topics
• 1 Intro : setting the stage
• 2 Snapshotting
• 3 Maintaining presence
• 4 Crisis communication
• 5 Rebuild, don’t repair
• 6 Using forensics tools
• 7 Back online
1.1 Some fact checking first
• In this room …
• Who has been hacked already ?
• Who feels ready to face a hacked server ?
• Who actually has a contingency plan ?
• Who read node 2365547 ?
1.2 Can you say that again ?
I.A.N.A.L.
So be sure to get one !
1.3 Whence do I speak ?
• Drupal org member since 2005 (fgm)
• Drupal consultant, not a site building agency
• Worked on fixing broken (in) sites since 2008
• Auditing
• Fixing technical flaws
• Addressing intrusions / exploits
• Mostly Media and Government sites (.fr)
• Provisional member of the Security Team
1.4 Setting the stage
• 10:00 The daily scrum has just begun.
• 10:01 Phone rings : someone noticed your site has been defaced and is warning you
• 10:02 Twitter and Reddit start buzzing
• 10:05 Phones ring all over the place, with journalists and the various C-level execs on the other end, your mailbox is filling with warnings
• What is your next step ?
1.5 Get ready
• Pad 1 : discovery log
  • all your work steps
  • all your findings / observations
  • with timestamps and numbers
• Pad 2 : remedies ideas
  • cross-refer pad 1 numbers
  • all your ideas for fixing the breach
  • all your ideas for further hardening
2.1 Forensic copy : why ?
• First temptation : restore and resume
• But you’re still vulnerable
• So you need to diagnose
• Analyzing means modifying
• So preserve the « crime scene »
• Snapshot everything
2.2 Snapshots : pull the plug
• Prevents interference
  • Shutdown handlers, SIGPWR
  • Self-destructing code on network loss
• Easy on VMs
But…
• Bare remote servers
• Further data loss
  • Journaled FS
  • Databases
• Service interruption
2.3 Snapshots : what ?
Not just the main DB
• Reverse Proxy logs
• Web fronts
• DB servers
• File servers
And also…
• External logs (SaaS)
• External transactions
• IDS/firewall logs
The site may just be an attack vector
3.1 Maintaining presence 1
As though intrusion had not been detected
• Yes
  • Don’t tip off hackers
  • Keep generating short-term value
• No
  • Increasing damage
  • Responsibility
    • Legal
    • Financial
    • Moral
3.2 Attacker workflow
• Evolved
  • Break in
  • Dig for gold
  • Implant zombie
  • Wait for implant migration to archives
  • Activate
  • Profit
• Alt : Need for Speed
  • Use exploit ASAP
  • While it lasts
  • Usually least loss
• Alt : hidden steal
  • Valuable content
  • Identity data
  • Close the door
3.3 Maintaining presence 2
Safe fallback mode
• Limited static site
  • Best with prior work
  • Minimal subset
  • Possibly taken from RP cache
  • Very little load : can run on RP heads
• Working limited site
  • Alternate infra
  • Alternate tech
  • Updates ?
  • Content created during this step
3.4 Maintaining presence 3
When all else fails
• Social networks
  • Always there
  • Also authoritative for audience
• Still needs some preparation :
  • Accounts access
  • Include them in long-term communication
4.1 Communicating : from tech
• Stakeholders
  • Chain up to CxO level in most cases
  • Prepare next steps, do not overreach
• Fear of reprisal ? Gag orders, SLAPP…
• Protection
  • France : whistleblower protection (Sapin 2)
  • Italy : Dec. 385 01/09/93 sect 52bis (banks)
  • US : Anti-SLAPP
  • Many other countries have similar rules
4.2 Communication : C-level
• Legal counsel (first)
• Crisis Management specialists
• Law enforcement
  • EU countries typically have specialized units for « cybercrime »
• Other sites
  • On same server
  • On same network
• Online business partners
4.3 Communication : privacy
• In many cases personal data leaks
  • will happen, or...
  • are unprovable not to have happened
• Operational constraints
  • Commerce : PCI/DSS (12 steps etc)
  • Health : (US) HIPAA Subtitle D –
• Public image damage control
  • A French example
5.1 Rebuild : keep, rollback or ?
• Restore and restart same ?
  • Still just as vulnerable
• Keep and fix ?
  • lots of time and effort reviewing
  • never completely trusted : not just Drupal
• Throw away ?
  • Event sites, past lines of biz, post-M&A...
• Can a static version suffice ?
  • From RP snapshots : recent content
5.2 Rebuild : restore
• Needs backups from before the hack
  • Do you know when it happened ?
  • Remember attacker workflow « wait »
• GFS (grandfather-father-son), continuous incremental, 15 min ?
  • How much can you lose ?
• FLOSS solutions : Amanda, Bacula, custom
• Unprepared emergency ?
  • Preproduction, CI builds...
5.3 Rebuild : sources + export
• Easy and reliable, but assumes :
  • Code-driven development process
  • Reliable data export system in place
    • Flat content exports
    • Content + assets repositories
• Still need to add the fixes
• Delay can be a problem on high-volume sites
  • Bulk handling, Incremental loading
5.4 Rebuild : other cases
• Ad hoc « traditional » build process
  • Longer, less reliable
  • Too long to be a chance to fix the process
• From scratch
  • Too long in most cases
  • Do it as a complement after the fix
  • Not NOW
6 Forensics : switching hats
6.1 Forensics : first, think !
• How did you become aware of the hack ?
• What did it take to succeed ?
• Cast your net wide, think big
  • « Unlikely » vs « impossible »
• Priority :
  • Easiest attacks first
  • OWASP Top 10
• GIYF : search your Pad 1 patterns
6.2 Forensics : keep in mind
• /anything/ may be erased after success
  • But most of the time, not /everything/ will
• Anything you do leaves its own traces
  • Work on copies of the snapshots
  • You can restart from fresh copies anytime
• There may be more than one exploit
6.3 Forensics : classics
• Code files :
  • lax permissions
  • filesystem traversal issues
• Remote payload execution by upload
  • Nginx without extra hardening
  • .htaccess won’t do much good
• In-DB PHP
  • PHP module
  • Eval-uated code
6.4 Forensics : non-Drupal
• Filesystem :
  • <user>/www-data (owner/group) outside /sites
  • www-data/www-data suspicious
  • x bit on files below docroot
• timestamps
  • outside sites/*/files = install
  • exploits > install
• meld with fresh build from sources
• Also check outside docroot
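The checks on this slide as one triage script, an added example that is not code from the talk: it walks a copy of the hacked docroot and a fresh build from sources (both hypothetical paths) and reports code added or modified outside sites/*/files, files carrying an x bit, files newer than the install time and files owned by the web user; demo() constructs a tiny sample tree so it runs offline.

```python
"""Filesystem triage for the "Forensics : non-Drupal" checklist: compare a copy
of the hacked docroot with a fresh build from sources and flag what the slide
lists.  Added example, not the talk's code; `snapshot` and `reference` are
hypothetical paths and demo() constructs a tiny sample tree.
"""
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile
import time

# The only tree that legitimately changes at runtime and belongs to the web user.
UPLOAD_GLOBS = ("sites/*/files/*",)

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def _regular_files(root):
    """Relative paths of regular files under root; symlinks are not followed."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                yield os.path.relpath(full, root)

def _is_upload(rel):
    return any(fnmatch.fnmatch(rel, g) for g in UPLOAD_GLOBS)

def triage(snapshot, reference, install_time, web_uid=None):
    """Return {finding: sorted relative paths}.  install_time is the epoch time
    of the last legitimate deployment.  mtimes are trivial to forge, so
    'newer_than_install' is only a hint; 'added' and 'modified' come from
    content hashes against the fresh build (the slide's "meld") and are the
    authoritative signal."""
    findings = {"added": [], "modified": [], "executable": [],
                "newer_than_install": [], "web_owned": []}
    ref_files = set(_regular_files(reference))
    for rel in _regular_files(snapshot):
        full = os.path.join(snapshot, rel)
        st = os.lstat(full)
        if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings["executable"].append(rel)   # x bit below docroot
        if _is_upload(rel):
            continue                              # uploads change by design
        if rel not in ref_files:
            findings["added"].append(rel)
        elif _sha256(full) != _sha256(os.path.join(reference, rel)):
            findings["modified"].append(rel)
        if st.st_mtime > install_time:
            findings["newer_than_install"].append(rel)
        if web_uid is not None and st.st_uid == web_uid:
            findings["web_owned"].append(rel)     # code owned by www-data
    return {k: sorted(v) for k, v in findings.items()}

def _write(root, rel, content, mode=0o644, mtime=None):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)
    os.chmod(full, mode)
    if mtime is not None:
        os.utime(full, (mtime, mtime))

def demo():
    """Build a constructed reference tree and a tampered snapshot, run triage()."""
    install_time = time.time() - 600              # deployed ten minutes ago
    work = tempfile.mkdtemp()
    try:
        reference, snapshot = os.path.join(work, "ref"), os.path.join(work, "snap")
        pristine = {"index.php": "<?php // front controller\n",
                    "includes/bootstrap.inc": "<?php // core\n",
                    "sites/default/settings.php": "<?php // settings\n"}
        for rel, body in pristine.items():
            _write(reference, rel, body)
            _write(snapshot, rel, body, mtime=install_time - 3600)
        # Tampering: a core file edited, a new executable script under a
        # module directory, plus a harmless upload that must not be reported.
        _write(snapshot, "includes/bootstrap.inc", "<?php // core\n// edited\n")
        _write(snapshot, "sites/all/modules/custom/helper.php", "<?php // new\n", mode=0o755)
        _write(snapshot, "sites/default/files/logo.png", "constructed placeholder")
        return triage(snapshot, reference, install_time)
    finally:
        shutil.rmtree(work)
```

On a real snapshot, pass the deploy user's uid as web_uid only if the site should not be www-data-owned; the slide's "www-data/www-data suspicious" then shows up as a long 'web_owned' list.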
6.5 Forensics : Drupal modules
• Code signing/diffing :
  • Hacked!
  • D7 : md5check, file_integrity
• Finding DB PHP
  • QA (github)
• Misc
  • security_review
6.6 Forensics : DB
• Quick wins :
  • users.email != users.init
  • review roles, accounts with admin roles
  • On corp. sites, users.email domains
  • match users accounts with SSO data
• Diff DB snapshot with live
  • Especially menu_router : file_put_contents, assert
  • Altova DatabaseSpy content compare
6.7 Forensics : sessions
• Sessions should be in persistent storage
  • Remember when you pulled the plug
  • Were your sessions in Memcache ?
• sessions.timestamp vs users_field_data : created/changed/access/login
• for intranets : sessions.hostname
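The DB quick wins of 6.6 and the session checks of 6.7 as SQL run against a snapshot copy, here loaded into SQLite so it runs offline; an added example, not the talk's code. It uses Drupal 7 table and column names (the address the slide calls users.email is the `mail` column, `init` holds the address given at registration); every row, the `corp.example` domain and the `10.` intranet prefix are constructed assumptions.

```python
"""DB quick wins (slide 6.6) and session checks (slide 6.7) as SQL run against
a Drupal 7-shaped snapshot loaded into SQLite.  Added example, not the talk's
code: table and column names follow the D7 schema (users.mail / users.init,
role, users_roles, menu_router, sessions); every row in SAMPLE_ROWS is constructed.
"""
import sqlite3

# Callbacks the slide names as red flags when they show up in menu_router.
SUSPICIOUS_CALLBACKS = ("file_put_contents", "assert")

SCHEMA = """
CREATE TABLE users (uid INTEGER, name TEXT, mail TEXT, init TEXT,
                    created INTEGER, access INTEGER, login INTEGER);
CREATE TABLE role (rid INTEGER, name TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
CREATE TABLE menu_router (path TEXT, page_callback TEXT, page_arguments TEXT,
                          access_callback TEXT, access_arguments TEXT);
CREATE TABLE sessions (uid INTEGER, sid TEXT, hostname TEXT, timestamp INTEGER);
"""

# Constructed snapshot: a normal editor, an account whose address changed after
# registration, a "helper" admin that never logged in yet holds a session from
# outside the intranet, a session with no user row, and one injected router item.
SAMPLE_ROWS = {
    "users": [  # uid, name, mail, init, created, access, login
        (1, "admin", "admin@corp.example", "admin@corp.example", 1400000000, 1460000000, 1459990000),
        (2, "editor", "editor@corp.example", "editor@corp.example", 1410000000, 1460000100, 1459995000),
        (3, "drupal", "drupal@corp.example", "webmaster@corp.example", 1420000000, 1460000200, 1460000200),
        (4, "helper", "helper@mail.example", "helper@mail.example", 1459999000, 0, 0),
    ],
    "role": [(1, "anonymous user"), (2, "authenticated user"), (3, "administrator")],
    "users_roles": [(1, 3), (3, 3), (4, 3)],
    "menu_router": [
        ("node", "node_page_default", "a:0:{}", "user_access", 'a:1:{i:0;s:14:"access content";}'),
        ("cache/update", "file_put_contents", "a:0:{}", "1", "a:0:{}"),
    ],
    "sessions": [(2, "s1", "10.1.2.3", 1460000100), (4, "s2", "203.0.113.9", 1460000500),
                 (9, "s3", "10.1.2.7", 1460000600)],
}

def load_snapshot(rows=SAMPLE_ROWS):
    """Load the snapshot into an in-memory SQLite DB; a real run points at the copy."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, values in rows.items():
        marks = ",".join("?" * len(values[0]))
        conn.executemany("INSERT INTO %s VALUES (%s)" % (table, marks), values)
    return conn

def mail_changed_since_registration(conn):
    """users.mail != users.init: the address was changed after registration.
    Legitimate for some accounts, so it is a lead to review, not proof."""
    return conn.execute("SELECT uid, name, mail, init FROM users "
                        "WHERE uid > 0 AND mail <> init ORDER BY uid").fetchall()

def foreign_domains(conn, corp_domain):
    """Corporate sites: accounts whose address is outside the company domain."""
    return conn.execute("SELECT uid, name, mail FROM users WHERE uid > 0 "
                        "AND mail NOT LIKE ? ORDER BY uid", ("%@" + corp_domain,)).fetchall()

def admin_accounts(conn, admin_roles=("administrator",)):
    """Every account holding an admin role, with its last login for review."""
    marks = ",".join("?" * len(admin_roles))
    sql = ("SELECT u.uid, u.name, u.login FROM users u "
           "JOIN users_roles ur ON ur.uid = u.uid JOIN role r ON r.rid = ur.rid "
           "WHERE r.name IN (%s) ORDER BY u.uid" % marks)
    return conn.execute(sql, admin_roles).fetchall()

def suspicious_router_items(conn, callbacks=SUSPICIOUS_CALLBACKS):
    """menu_router rows whose callbacks are generic PHP functions no module registers."""
    marks = ",".join("?" * len(callbacks))
    sql = ("SELECT path, page_callback, access_callback FROM menu_router "
           "WHERE page_callback IN (%s) OR access_callback IN (%s)" % (marks, marks))
    return conn.execute(sql, callbacks + callbacks).fetchall()

def session_anomalies(conn, intranet_prefix=None):
    """Sessions with no user row, sessions for accounts whose users.login says
    they never logged in, and (intranets) sessions from outside addresses."""
    sql = ("SELECT s.uid, s.sid, s.hostname, s.timestamp FROM sessions s "
           "LEFT JOIN users u ON u.uid = s.uid WHERE u.uid IS NULL OR u.login = 0")
    params = ()
    if intranet_prefix:
        sql += " OR s.hostname NOT LIKE ?"
        params = (intranet_prefix + "%",)
    return conn.execute(sql + " ORDER BY s.sid", params).fetchall()
```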
6.8 Forensics : logs
• You use off-site logs, right ?
  • SaaS : Loggly, Logmatic, Logsene, Logz.io, Papertrail, Scalyr…
  • Remote ELK
• On site ?
  • dblog {watchdog}
  • syslog → follow the redirects
  • mongodb_watchdog
  • Application/WS logs
6.9 Forensics : sleuth tools
• Software
  • Guidance Software : EnCase
  • AccessData : Ultimate Forensics Toolkit (FTK)
• Consider certified consultants
7.1 Live again : restoring prod
• Recheck Pad 1 findings vs new build
• Usually, reset passwords. On D7 (MySQL syntax) :

    -- Invalidates every stored hash rather than setting a new password:
    -- D7 rejects a hash that does not start with a known type prefix ($S$, $H$, $P$),
    -- so every account must go through "reset password" to log in again.
    update users
    set pass = concat('ZZZ', sha(concat(pass, md5(rand()))));

• Prepare marketing/social copy
7.2 L8R : future-readiness
7.3 L8R : disaster prevention
• Developer education on security
  • Security Team mailing list
  • https://twitter.com/drupalsecurity
  • https://www.drupal.org/security/rss.xml
  • http://crackingdrupal.com/
7.4 L8R : disaster prevention
• Security process
  • Analyse sec. releases to understand fixes
  • Look for similar flaws in custom code
  • Take part in contrib for more expertise
• Quality process
  • Systematic peer code reviews
  • Code-driven maintenance + dev process
  • Automatic quality tools in CI
  • Contrib updates scheduling
7.5 Continuous improvement
• You can’t improve what you don’t measure
• Get time metrics from Pad 1
• Build contingency plan from Pad 2
• Plan for periodic intrusion simulations

Contenu connexe

En vedette

Life of an Fluentd event
Life of an Fluentd eventLife of an Fluentd event
Life of an Fluentd event
Kiyoto Tamura
 

En vedette (13)

Multilenguaje en Drupal 8
Multilenguaje en Drupal 8Multilenguaje en Drupal 8
Multilenguaje en Drupal 8
 
Contribuir en Drupal: Por dónde empiezo?
Contribuir en Drupal: Por dónde empiezo?Contribuir en Drupal: Por dónde empiezo?
Contribuir en Drupal: Por dónde empiezo?
 
Drupal and Devops , the Survey Results
Drupal and Devops , the Survey ResultsDrupal and Devops , the Survey Results
Drupal and Devops , the Survey Results
 
Crowds and Creativity
Crowds and CreativityCrowds and Creativity
Crowds and Creativity
 
Using Drupal to power SaaS
Using Drupal to power SaaSUsing Drupal to power SaaS
Using Drupal to power SaaS
 
Better understanding your prospects, clients, stakeholders and end users usin...
Better understanding your prospects, clients, stakeholders and end users usin...Better understanding your prospects, clients, stakeholders and end users usin...
Better understanding your prospects, clients, stakeholders and end users usin...
 
Introducing Assetic: Asset Management for PHP 5.3
Introducing Assetic: Asset Management for PHP 5.3Introducing Assetic: Asset Management for PHP 5.3
Introducing Assetic: Asset Management for PHP 5.3
 
Building Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco APIBuilding Content-Rich Java Apps in the Cloud with the Alfresco API
Building Content-Rich Java Apps in the Cloud with the Alfresco API
 
The Power of Drupal and Alfresco Together
The Power of Drupal and Alfresco TogetherThe Power of Drupal and Alfresco Together
The Power of Drupal and Alfresco Together
 
Intro to Alfresco for Developers
Intro to Alfresco for DevelopersIntro to Alfresco for Developers
Intro to Alfresco for Developers
 
Getting Started with CMIS
Getting Started with CMISGetting Started with CMIS
Getting Started with CMIS
 
Intro To Alfresco Part 1
Intro To Alfresco Part 1Intro To Alfresco Part 1
Intro To Alfresco Part 1
 
Life of an Fluentd event
Life of an Fluentd eventLife of an Fluentd event
Life of an Fluentd event
 

Similaire à Life after the hack

D1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FFD1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FF
Anthony Jose
 

Similaire à Life after the hack (20)

Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Keep it out - How to keep Drupal Secure
Keep it out - How to keep Drupal SecureKeep it out - How to keep Drupal Secure
Keep it out - How to keep Drupal Secure
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 
D1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FFD1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FF
 
APT - A Pretty Trojan
APT - A Pretty TrojanAPT - A Pretty Trojan
APT - A Pretty Trojan
 
Container con toronto
Container con torontoContainer con toronto
Container con toronto
 
TypeScript no Grupo Bandeirantes
TypeScript no Grupo BandeirantesTypeScript no Grupo Bandeirantes
TypeScript no Grupo Bandeirantes
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gapDEF CON 27 - workshop - RICHARD GOLD - mind the gap
DEF CON 27 - workshop - RICHARD GOLD - mind the gap
 
Defcon 23 - David Huerta - alice and bob are really confused
Defcon 23 - David Huerta - alice and bob are really confusedDefcon 23 - David Huerta - alice and bob are really confused
Defcon 23 - David Huerta - alice and bob are really confused
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)
 
Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep Web
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityDEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning security
 
Demystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampDemystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels Camp
 
Country domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havoc
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Angular v2 et plus : le futur du développement d'applications en entreprise
Angular v2 et plus : le futur du développement d'applications en entrepriseAngular v2 et plus : le futur du développement d'applications en entreprise
Angular v2 et plus : le futur du développement d'applications en entreprise
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
 
ODROID Magazine January 2015
ODROID Magazine January 2015ODROID Magazine January 2015
ODROID Magazine January 2015
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 

Plus de OSInet

Equipe drupal
Equipe drupalEquipe drupal
Equipe drupal
OSInet
 
Pourquoi choisir un CMS Open Source ?
Pourquoi choisir un CMS Open Source ?Pourquoi choisir un CMS Open Source ?
Pourquoi choisir un CMS Open Source ?
OSInet
 

Plus de OSInet (14)

Interface texte plein écran en Go avec TView
Interface texte plein écran en Go avec TViewInterface texte plein écran en Go avec TView
Interface texte plein écran en Go avec TView
 
Scaling up and accelerating Drupal 8 with NoSQL
Scaling up and accelerating Drupal 8 with NoSQLScaling up and accelerating Drupal 8 with NoSQL
Scaling up and accelerating Drupal 8 with NoSQL
 
Mon site web est hacké ! Que faire ?
Mon site web est hacké ! Que faire ?Mon site web est hacké ! Que faire ?
Mon site web est hacké ! Que faire ?
 
Delayed operations with queues for website performance
Delayed operations with queues for website performanceDelayed operations with queues for website performance
Delayed operations with queues for website performance
 
Drupal 8 : regards croisés
Drupal 8 : regards croisésDrupal 8 : regards croisés
Drupal 8 : regards croisés
 
Cache speedup with Heisencache for Drupal 7 and Drupal 8
Cache speedup with Heisencache for Drupal 7 and Drupal 8Cache speedup with Heisencache for Drupal 7 and Drupal 8
Cache speedup with Heisencache for Drupal 7 and Drupal 8
 
Recueil des mauvaises pratiques constatées lors de l'audit de sites Drupal 7
Recueil des mauvaises pratiques constatées lors de l'audit de sites Drupal 7Recueil des mauvaises pratiques constatées lors de l'audit de sites Drupal 7
Recueil des mauvaises pratiques constatées lors de l'audit de sites Drupal 7
 
Le groupe PHP-FIG et les standards PSR
Le groupe  PHP-FIG et les standards PSRLe groupe  PHP-FIG et les standards PSR
Le groupe PHP-FIG et les standards PSR
 
Les blocs Drupal de drop.org à Drupal 8
Les blocs Drupal de drop.org à Drupal 8Les blocs Drupal de drop.org à Drupal 8
Les blocs Drupal de drop.org à Drupal 8
 
Utiliser drupal
Utiliser drupalUtiliser drupal
Utiliser drupal
 
Equipe drupal
Equipe drupalEquipe drupal
Equipe drupal
 
Pourquoi choisir un CMS Open Source ?
Pourquoi choisir un CMS Open Source ?Pourquoi choisir un CMS Open Source ?
Pourquoi choisir un CMS Open Source ?
 
Drupal et le NoSQL - drupagora 2011
Drupal et le NoSQL - drupagora 2011Drupal et le NoSQL - drupagora 2011
Drupal et le NoSQL - drupagora 2011
 
Drupal Views development
Drupal Views developmentDrupal Views development
Drupal Views development
 

Dernier

The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 

Dernier (20)

The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 

Life after the hack

  • 1. Life after the hack OSInetFrédéric G. MARAND (fgm)
  • 2. 2/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr Topics • 1 Intro : setting the stage • 2 Snapshotting • 3 Maintaining presence • 4 Crisis communication • 5 Rebuild, don’t repair • 6 Using forensics tools • 7 Back online
  • 3. 4/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 1.1 Some fact checking first • In this room … • Who has been hacked already ? • Who feels ready to face a hacked server ? • Who actually has a contingency plan ? • Who read node 2365547 ?
  • 4. 5/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr
  • 5. 6/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 1.2 Can you say that again ? I.A.N.A.L. So be sure to get one !
  • 6. 7/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 1.3 Whence do I speak ? • Drupal org member since 2005 (fgm) • Drupal consultant, not a site building agency • Worked on fixing broken (in) sites since 2008 • Auditing • Fixing technical flaws • Addressing intrusions / exploits • Mostly Media and Government sites (.fr) • Provisional member of the Security Team
  • 7. 8/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 1.4 Setting the stage • 10:00 The daily scrum has just begun. • 10:01 Phones rings : someone noticed your site has been defaced and is warning you • 10:02 Twitter and Reddit start buzzing • 10:05 Phones ring all over the place, with journalists and the various C-level execs on the other end, your mailbox is filling with warnings • What is your next step ?
  • 8. 9/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 1.5 Get ready • Pad 1 : discovery log • all your work steps • all your findings / observations • with timestamps and numbers • Pad 2 : remedies ideas • cross-refer pad 1 numbers • all your ideas for fixing the breach • all your ideas for further hardening
  • 9. 11/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 2.1 Forensic copy : why ? • First temptation : restore and resume • But you’re still vulnerable • So you need to diagnose • Analyzing means modifying • So preserve the « crime scene » • Snapshot everything
  • 10. 12/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 2.2 Snapshots : pull the plug • Prevents interference • Shutdown handlers, SIGPWR • Self-destructing code on network loss • Easy on VMs But… • Bare remote servers • Further data loss • Journaled FS • Databases • Service interruption
  • 11. 13/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 2.3 Snapshots : what ? Not just the main DB • Reverse Proxy logs • Web fronts • DB servers • File servers And also… • External logs (SaaS) • External transactions • IDS/firewall logs The site may just be an attack vector
  • 12. 15/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 3.1 Maintaining presence 1 • Yes • Don’t tip off hackers • Keep generating short-term value • No • Increasing damage • Responsibility • Legal • Financial • Moral As though intrusion had not been detected
  • 13. 16/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 3.2 Attacker workflow Evolved • Break in • Dig for gold • Implant zombie • Wait for implant migration to archives • Activate • Profit • Alt : Need for Speed • Use exploit ASAP • While it lasts • Usually least loss • Alt : hidden steal • Valuable content • Identity data • Close the door
  • 14. 17/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 3.3 Maintaining presence 2 • Limited static site • Best with prior work • Minimal subset • Possibly taken from RP cache • Very little load : can run on RP heads • Working limited site • Alternate infra • Alternate tech • Updates ? • Content created during this step Safe fallback mode
  • 15. 18/45DrupalDevDays Milan: Life After the Hack - (c) 2016 Frédéric G. MARAND for www.osinet.fr 3.4 Maintaining presence 3 When all else fails • Social networks • Always there • Also authoritative for audience • Still needs some preparation : • Accounts access • Include them in long-term communication
20/45
4.1 Communicating : from tech
• Stakeholders
  • Chain up to CxO level in most cases
  • Prepare next steps, do not overreach
• Fear of reprisal ? Gag orders, SLAPP…
• Protection
  • France : whistleblower protection (Sapin 2)
  • Italy : Dec. 385 01/09/93 sect 52bis (banks)
  • US : Anti-SLAPP
  • Many other countries have similar rules
21/45
4.2 Communication : C-level
• Legal counsel (first)
• Crisis management specialists
• Law enforcement
  • EU countries typically have specialized units for « cybercrime »
• Other sites
  • On same server
  • On same network
• Online business partners
22/45
4.3 Communication : privacy
• In many cases personal data leaks
  • will happen, or...
  • it cannot be proven that they did not happen
• Operational constraints
  • Commerce : PCI DSS (12 steps etc)
  • Health : (US) HIPAA Subtitle D
• Public image damage control
  • A French example
24/45
5.1 Rebuild : keep, rollback or ?
• Restore and restart the same ?
  • Still just as vulnerable
• Keep and fix ?
  • Lots of time and effort reviewing
  • Never completely trusted : not just Drupal
• Throw away ?
  • Event sites, past lines of business, post-M&A...
• Can a static version suffice ?
  • From RP snapshots : recent content
25/45
5.2 Rebuild : restore
• Needs backups from before the hack
  • Do you know when it happened ?
  • Remember the « wait » step of the attacker workflow
• GFS, continuous incremental, 15 min ?
  • How much can you lose ?
  • FLOSS solutions : Amanda, Bacula, custom
• Unprepared emergency ?
  • Preproduction, CI builds...
26/45
5.3 Rebuild : sources + export
• Easy and reliable, but assumes :
  • Code-driven development process
  • Reliable data export system in place
    • Flat content exports
    • Content + assets repositories
• Still need to add the fixes
• Delay can be a problem on high-volume sites
  • Bulk handling, incremental loading
27/45
5.4 Rebuild : other cases
• Ad hoc « traditional » build process
  • Longer, less reliable
  • Too long to be a chance to fix the process
• From scratch
  • Too long in most cases
  • Do it as a complement after the fix
  • Not NOW
29/45
6 Forensics : switching hats
30/45
6.1 Forensics : first, think !
• How did you become aware of the hack ?
• What did it take to succeed ?
• Cast your net wide, think big
  • « Unlikely » vs « impossible »
• Priority :
  • Easiest attacks first
  • OWASP Top 10
• GIYF : search your Pad 1 patterns
31/45
6.2 Forensics : keep in mind
• /anything/ may be erased after success
  • But most of the time, not /everything/ will
• Anything you do leaves its own traces
  • Work on copies of the snapshots
  • You can restart from fresh copies anytime
• There may be more than one exploit
32/45
6.3 Forensics : classics
• Code files :
  • Lax permissions
  • Filesystem traversal issues
  • Remote payload execution by upload
    • Nginx without extra hardening
    • .htaccess won’t do much good
• In-DB PHP
  • PHP module
  • Eval-uated code
33/45
6.4 Forensics : non-Drupal
• Filesystem :
  • <user>/www-data (owner/group) expected outside /sites
  • www-data/www-data is suspicious
  • x bit on files below docroot
  • Timestamps
    • outside sites/*/files = install time
    • exploit artifacts are newer than the install
  • meld with a fresh build from sources
• Also check outside docroot
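The filesystem checks from this slide, as an added example that is not part of the deck: a Python script (an assumed tool choice) walks a copy of the docroot, flags x bits, flags code files under sites/*/files, and, outside the uploads directory, flags files changed after an assumed install time or differing from a fresh build from sources. The sample trees are constructed in a temp dir; ownership checks are left out because a constructed tree is owned by whoever runs the script.

```python
import hashlib, os, pathlib, stat, tempfile
INSTALL_TIME = 1_450_000_000  # assumed: deploy time of the last known-good build

def snapshot(root):
    """Relative path -> (mode, mtime, sha256) for each regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                out[os.path.relpath(full, root)] = (st.st_mode, st.st_mtime, digest)
    return out

def audit(live_root, fresh_root, install_time=INSTALL_TIME):
    """(kind, path) findings from a copy of the live docroot vs a fresh build."""
    live, fresh = snapshot(live_root), snapshot(fresh_root)
    findings = []
    for rel, (mode, mtime, digest) in sorted(live.items()):
        if mode & 0o111:  # no file below docroot needs an x bit
            findings.append(("exec-bit", rel))
        if rel.split(os.sep)[:3:2] == ["sites", "files"]:  # sites/<site>/files/...
            if rel.lower().endswith((".php", ".phtml", ".phar", ".inc")):
                findings.append(("code-in-uploads", rel))  # uploads are data, not code
            continue  # uploads change legitimately, so they are not diffed
        if mtime > install_time:
            findings.append(("changed-after-install", rel))
        if rel not in fresh:
            findings.append(("not-in-build", rel))
        elif fresh[rel][2] != digest:
            findings.append(("differs-from-build", rel))
    return findings

def build_sample():
    """Constructed live and fresh-build trees in a temp dir; returns (live, fresh)."""
    base = tempfile.mkdtemp()
    files = {"fresh/index.php": "<?php // core", "live/index.php": "<?php // core",
             "fresh/modules/x/x.module": "<?php // v1", "live/modules/x/x.module": "<?php // v1 edited",
             "live/sites/default/files/img.png": "PNG", "live/sites/default/files/up.php": "<?php // upload",
             "live/misc/extra.php": "<?php // not in the build"}
    for rel, body in files.items():
        path = pathlib.Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        os.utime(path, (INSTALL_TIME - 10, INSTALL_TIME - 10))  # as if deployed
    extra = os.path.join(base, "live/misc/extra.php")
    os.utime(extra, (INSTALL_TIME + 60, INSTALL_TIME + 60))  # appeared after deploy
    os.chmod(extra, 0o755)  # and carries an x bit
    return os.path.join(base, "live"), os.path.join(base, "fresh")
```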
34/45
6.5 Forensics : Drupal modules
• Code signing/diffing :
  • Hacked!
  • D7 : md5check, file_integrity
• Finding DB PHP
  • QA (github)
• Misc
  • security_review
35/45
6.6 Forensics : DB
• Quick wins :
  • users.email != users.init
  • Review roles, accounts with admin roles
  • On corp. sites, users.email domains
  • Match user accounts with SSO data
• Diff DB snapshot with live
  • Especially menu_router : file_put_contents, assert
  • Altova DatabaseSpy content compare
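The quick wins and the menu_router check from this slide, as an added example that is not from the deck: the queries run against an in-memory SQLite copy of a constructed Drupal 7 subset (users, role, users_roles, menu_router). Column names follow D7, so the slide's users.email is users.mail here; SUSPICIOUS is an assumed list of callbacks worth flagging.

```python
import sqlite3
# Constructed subset of the D7 schema; on a real incident, run the same queries
# against a *copy* of the dumped MySQL database, never against the live one.
SCHEMA = """
CREATE TABLE users (uid INTEGER, name TEXT, mail TEXT, init TEXT);
CREATE TABLE role (rid INTEGER, name TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
CREATE TABLE menu_router (path TEXT, page_callback TEXT, access_callback TEXT);
"""
SAMPLE_ROWS = {  # constructed sample rows, not a real dump
    "users": [(1, "admin", "admin@corp.example", "admin@corp.example"),
              (2, "editor", "editor@corp.example", "editor@corp.example"),
              # mail changed since registration and no longer on the corp domain
              (3, "jdoe", "jdoe@webmail.example", "jdoe@corp.example")],
    "role": [(3, "administrator"), (4, "editor")],
    "users_roles": [(1, 3), (2, 4), (3, 3)],  # uid 3 now holds administrator
    "menu_router": [("node/%", "node_page_view", "node_access"),
                    ("admin/reports/x", "file_put_contents", "user_access")],  # what 6.6 says to look for
}
SUSPICIOUS = ("file_put_contents", "assert", "system", "exec", "shell_exec", "passthru")  # never legitimate callbacks

def load_snapshot():
    """Throw-away working copy: restart from a fresh one whenever needed."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return db

def changed_mail(db):
    """users.mail <> users.init: the address changed after registration."""
    return db.execute("SELECT uid, name, mail, init FROM users WHERE mail <> init").fetchall()

def admin_accounts(db):
    """Every account holding the administrator role, to be reviewed one by one."""
    return db.execute("""SELECT u.uid, u.name FROM users u
        JOIN users_roles ur ON ur.uid = u.uid JOIN role r ON r.rid = ur.rid
        WHERE r.name = 'administrator' ORDER BY u.uid""").fetchall()

def off_domain(db, domain):
    """On corporate sites, accounts whose mail is not on the expected domain."""
    return db.execute("SELECT uid, name, mail FROM users WHERE uid > 0 AND mail NOT LIKE ?",
                      ("%@" + domain,)).fetchall()

def suspicious_router(db):
    """menu_router rows whose page or access callback is a dangerous PHP function."""
    marks = ",".join("?" * len(SUSPICIOUS))
    return db.execute(f"""SELECT path, page_callback, access_callback FROM menu_router
        WHERE page_callback IN ({marks}) OR access_callback IN ({marks})""", SUSPICIOUS * 2).fetchall()
```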
36/45
6.7 Forensics : sessions
• Sessions should be in persistent storage
  • Remember when you pulled the plug
  • Were your sessions in Memcache ?
• sessions.timestamp vs users_field_data : created/changed/access/login
• For intranets : sessions.hostname
37/45
6.8 Forensics : logs
• You use off-site logs, right ?
  • SaaS : Loggly, Logmatic, Logsene, Logz.io, Papertrail, Scalyr…
  • Remote ELK
• On site ?
  • dblog {watchdog}
  • syslog → follow the redirects
  • mongodb_watchdog
• Application/WS logs
38/45
6.9 Forensics : sleuth tools
• Software
  • Guidance Software : EnCase
  • AccessData : Ultimate Forensics Toolkit (FTK)
• Consider certified consultants
40/45
7.1 Live again : restoring prod
• Recheck Pad 1 findings vs new build
• Usually, reset passwords. On D7 :
  update users set pass = concat('ZZZ', sha(concat(pass, md5(rand()))));
• Prepare marketing/social copy
41/45
7.2 L8R : future-readiness
42/45
7.3 L8R : disaster prevention
• Developer education on security
  • Security Team mailing list
  • https://twitter.com/drupalsecurity
  • https://www.drupal.org/security/rss.xml
  • http://crackingdrupal.com/
43/45
7.4 L8R : disaster prevention
• Security process
  • Analyse security releases to understand the fixes
  • Look for similar flaws in custom code
  • Take part in contrib for more expertise
• Quality process
  • Systematic peer code reviews
  • Code-driven maintenance + dev process
  • Automatic quality tools in CI
  • Contrib updates scheduling
44/45
7.5 Continuous improvement
• You can’t improve what you don’t measure
• Get time metrics from Pad 1
• Build a contingency plan from Pad 2
• Plan for periodic intrusion simulations