Preparation is the key to successful incident response. You can never stop all attempts to breach your company, and in real situations, people are bound to make mistakes. Therefore, you need to have the proper processes in place, and of course, try to stop as many of the attempted attacks as possible to leave less room for human error. Learn more about the six steps to properly respond to a security incident from the recording video in the following link and presentation slides at this page. https://business.f-secure.com/responding-to-an-incident-recording-from-cyber-security-webinar/

1. 1
RESPONDINGTO
ANINCIDENT
CYBERSECURITY
WEBINARPART5
JARNONIEMELÄ
F-SECURE
9th ofNovember2015

2. CYBERSECURITY WEBINAR
SERIES-PART5
© F-Secure2
• INTRODUCTION TO CYBERSECURITY
• DEFENDING WORKSTATIONS
• DEFENDING SERVERS
• DEFENDING NETWORKS - NOW
• RESPONDING TO AN INCIDENT NOW
• BUILDING SECURE SYSTEMS 3RD DECEMBER 2015
RECORDINGS:
HTTPS://BUSINESS.F-SECURE.COM

3. 3
RESPONDING
TOAN
INCIDENTJARNONIEMELÄ
SENIORRESEARCHER
F-SECURE

4. RESPONDING TOANINCIDENT
Steps to proper incident response
 Prepare your systems and people
 Discover incidents
 Do initial response and gather data
 Analyze data and contain incident
 Recover affected systems and implement security improvements
 Check IT infrastructure for tampering
 Handle PR
 Make a root cause analysis and learn from the incident
© F-Secure4

5. Preparation
Do things mentioned in the previous webinars
 Make sure your logging covers both system and network events and network supports it
 Make sure you keep logs at least for 12 months and in a separate system
 Make sure that all logs are time synchronized and in same time zone (UTC preferred)
 Make sure systems are isolated from each other
 Make sure you have integrity logs of servers and OS master images
Prepare your people
 Administration and security staff need to have IR training
Know who to call
 When it hits the fan, there’s no time to start negotiations with IR consultants
© F-Secure5

6. Discovery
Make sure you are reachable
 A significant portion of incidents are discovered because of outside report or clue
 List incident contact email and phone number publicly in your web page
 Create abuse@company.com, incident@, security@, email addresses
 List contact information in WHOIS information of your domain
 Make sure your ISP and local cert have your security contact information
 Register at well known incident reporting clearinghouses
 www.shadowserver.org
Keep notes of everything
 This is important both for learning and legal
© F-Secure6
https://www.viestintavirasto.fi/attachments/certesitykset/5
wf8GRFeM/Nordsec_2010_Erka_Koivunen_v2.0_web.pdf

7. InitialResponse
If you have IR consultants on retainer, now it is time to call them
 Also contact the police in case you want to press charges later
Don’t panic. Stop, think, think again and then act
Start by collecting volatile information
 Processes running in suspected system, get memory dump of full system, or VM snapshot
 Network connections
 WHOIS information of any discovered network connections
 Users who have logged into the system
 All logs on the system, also make sure that remote logging is not overwritten
Do not alert attacker by poking around blindly
 Do not use any tools installed in the system
 Rename all investigation tools, as attack may self-terminate on Sysinternals
© F-Secure7

8. DeeperAnalysis
Try to establish when attack happened
 If attack is fresh, you may want to disconnect net. If it’s year old, there’s no rush
Compare system against integrity check data or image master
 If you lack that, get as identical system as possible for comparison
Look for unusual files in the file system
 Look especially into places covered in webinar 2 slide 5
Look for unusual registry launch points
 Sysinternals autoruns is a very good tool for this
© F-Secure8
http://www.sysforensics.org/2014/01/know-your-windows-
processes/

9. LookForSigns OfLateral
Movement
Check the network and system logs for signs moving to other systems
 Build a map of all network connections from the infected system
 Pay attention to RPC, RDP, Windows remote management and logon scripts
Check user account and login histories
 Any user logged into system that they haven’t used ever before?
 Have any users been added or elevated to administrator level?
Check prefetch or amcache for executed processes, anything unusual there?
 Note Prefetch/superfetch is often disabled for SSD drives
© F-Secure9
https://attack.mitre.org/wiki/Lateral_Movement
http://sysforensics.org/2014/01/lateral-movement
http://www.swiftforensics.com/2013/12/amcachehve-in-
windows-8-goldmine-for.html

10. AssessTheDamages
Use logs to identify if any information has been stolen or modified
 Pay attention to personal information, user accounts, source code, documents, etc
Pay special attention to customer facing services
 The actual target might be your customers
 Make sure that every web page and file you serve to users is intact
 Also verify that there are no backdoors left in internet facing servers
Try to find out if the attack is already in public knowledge
© F-Secure10

11. Containment AndRecovery
 Using the IOCs (clues) found, investigate all other systems
 The attacker may have moved without leaving noticeable network traces
 Reinstall or restore from backup any affected systems
 Remember to double check that the backup is clean
 Review permissions of affected users, in case they have been modified
 Issue password changes for affected parts of the organization
© F-Secure11

12. HandlePR
Internal communication is vital
 Incident can be traumatic for the organization, make sure the people are kept up to date
Information has a habit of getting out
 Be in control, release suitable information before it leaks
 Be boring, dry information does not make good news
If incident was visible or affected users, inform the users and apologize
 Tell what happened and what are the effects for the user
 Tell how situation was corrected
If incident has potential high media value, make a press release
 But in most cases it’s enough to inform users and publish on company web page
© F-Secure12

13. Report, LearnAndImprove
Create a root cause analysis of the incident
 How the incident was detected-> can detection speed be improved?
 How the incident was possible->can future incidents be prevented?
 How the incident was investigated-> can we improve the investigation?
 How the incident was recovered-> can we make recovery faster?
 What went wrong->how we can make it right?
 What went right->celebrate and give credit for good work!
Incidents happen, but try avoid repeating them
© F-Secure13

14. CONCLUSIONS
 Preparation is key to successful incident response
 Verify that logging is on sufficient level
 In real situations people will get excited and make mistakes
 So doing a practice once per couple years might be a good idea
 Prepare, Detect, Respond, Analyze, Learn, Improve
© F-Secure14

15. THANK YOUFORYOUR
PARTICIPATION!
15
STAY TUNED FOR THE LAST TOPIC OF THE CYBER SECURITY WEBINAR
SERIES:
3 December 2015 at 11.00 EET: “Building secure systems”
The Recording will be available at the BUSINESS SECURITY INSIDER
https://business.f-secure.com