
BREACH: Security Incident Handling and Response


How prepared is your organization to handle security incidents? Blackboard Learn is one of the mission-critical systems at your organization. Security incidents are a persistent threat; it is a matter of when, not if, they will strike. It is impossible to prevent all security incidents. But when incidents do happen, containment, repair, and crisis management are key. Stephanie Tan, Director of Product Security at Blackboard, will discuss open source tools and tactics for responding to various types of security issues and subsequent public relations crisis management. She will also highlight the latest security changes in Blackboard Learn’s April 2014 Release that improve incident detection. You will learn the proper forensics handling process to ensure proper evidence acquisition, approaches for investigating breach timeline, scope, and impact. You will learn how to communicate with Management to repair the issue and leverage the incident for additional business investment in security. You will walk away with specific action items you need to take related to security changes in the April 2014 release and understand how to leverage them for incident detection.

Stephanie

July 15, 2014



Transcript

  1. Set the expectation. When - not if - you will have a breach. How will you be ready?
  2. @BolderSecurity #BbWorld14
     Scenario #1: Ransomware
     • Fictitious hospital
     • Hackers encrypted all data, asking $100K
     • System lock-out
     • Recovery attempts crash
     http://hbr.org/2009/10/when-hackers-turn-to-blackmail/ar/1
  3. • In business for seven years
     • Code hosting and project management solution
     • Touted backup strength: “We have invested a great deal of time and effort in developing a real-time backup solution that allows us to keep off-site, fully functional backups of your data - at high performance. We literally backup everything you do, as soon as you do it.”
     https://web.archive.org/web/20140328015048/http://www.codespaces.com/features#backups
  4. Takeaways
     Operational
     1. Practice. Conduct tabletop exercises - even if during lunch. What needs to fail for this to happen to you?
     2. Guide: Appendix A of NIST 800-61 for scenarios and scenario questions.
     Technical
     1. Enable multi-factor authentication on ALL AWS management console accounts
     2. Divide administrative duty between multiple IAM accounts with distinct credentials
     3. Use IAM roles wherever possible in your deployment
     4. Off-site backups through a pull method to another platform
     Derived from Trend Micro’s analysis: http://blog.trendmicro.com/the-code-spaces-nightmare/#.U8NGQY1dW-U
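The first technical takeaway above (MFA on every console account) is something you can check rather than assume. The following is an added example, not from the talk or from AWS: it reads an IAM credential report and lists console-enabled users with no MFA device. The column names are assumed to match the header row AWS returns for a credential report (user, arn, user_creation_time, password_enabled, password_last_used, password_last_changed, password_next_rotation, mfa_active, ...); the rows themselves are constructed sample data.

```python
"""Flag AWS console users that lack MFA, from an IAM credential report.

Added example, not part of the talk. The CSV header is assumed to match
the credential report AWS produces; the data rows are constructed.
"""
import csv
import io
from typing import List

# Constructed sample report: the root account (no MFA), one user with MFA,
# one console user without MFA, and an access-key-only service user.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2014-01-01T00:00:00+00:00,not_supported,2014-07-01T00:00:00+00:00,not_supported,not_supported,false
alice,arn:aws:iam::111122223333:user/alice,2014-02-01T00:00:00+00:00,true,2014-07-10T00:00:00+00:00,2014-02-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2014-03-01T00:00:00+00:00,true,2014-07-11T00:00:00+00:00,2014-03-01T00:00:00+00:00,N/A,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2014-04-01T00:00:00+00:00,false,no_information,N/A,N/A,false
"""


def console_users_without_mfa(report_csv: str) -> List[str]:
    """Return names of users who can sign in to the console but have no MFA.

    The root account is reported with password_enabled=not_supported even
    though it always has a console password, so it is treated as
    console-enabled explicitly.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_enabled = is_root or row["password_enabled"] == "true"
        if console_enabled and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    for user in console_users_without_mfa(SAMPLE_REPORT):
        print(f"MFA not enabled for console user: {user}")
```

Service users that only hold access keys (password_enabled=false) are deliberately not flagged here; they are covered by the talk's second and third takeaways (separate IAM identities and roles) rather than by console MFA.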
  5. Incident Response Tips - Assess Impact
     1. Functional Impact
     2. Information Impact
     3. Recoverability Effort Impact
  6. Incident Assessment for Code Spaces
     Functional Impact: High - Organization is no longer able to provide some critical services to any users
     Information Impact: Integrity Loss - Sensitive or proprietary information was changed or deleted; Proprietary Breach - Proprietary information was exposed, infrastructure data was exfiltrated
     Recoverability Effort Impact: Not Recoverable - Recovery from the incident is not possible
     Gathered based on available news data
  7. Incident Response Tips - Notification: POC Mapping Example
     Table (cell layout not recoverable from the transcript) mapping each impact category to the point of contact to notify, PR or Legal:
     1. Functional Impact
     2. Information Impact
     3. Recoverability Effort Impact
  8. Legal and Disciplinary Proceedings
     1. Keep a log of every person who had physical custody of the evidence
     2. Document actions performed on the evidence and at what time
     3. Store evidence in a secure location when not being used
     4. Make a copy of the evidence and perform examination and analysis using only the copied evidence
     5. Verify the integrity of the original and copied evidence
     6. When in doubt, preserve evidence by default
     Avoid allegations of mishandling or tampering of evidence. Cases are usually lost by how you handled evidence, not by what you did or did not find.
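Steps 1, 2, 4 and 5 above can be backed by a simple custody log and a hash check. The following is an added example, not from the talk: it streams an evidence file through SHA-256, records an append-only custody entry for each handling step, and refuses a working copy whose hash differs from the original. The file names, the JSON-lines log layout and the evidence bytes are all constructed for illustration.

```python
"""Chain-of-custody log and original-vs-copy integrity check.

Added example, not from the talk. File names, log layout and the sample
evidence content are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in 1 MiB chunks so a full disk image need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log_path: Path, evidence: Path, handler: str, action: str) -> dict:
    """Append one entry: who handled which item, what they did, when, and its hash."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": evidence.name,
        "handler": handler,
        "action": action,
        "sha256": sha256_of(evidence),
    }
    with log_path.open("a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def copies_match(original: Path, copy: Path) -> bool:
    """Step 5: the working copy is only fit for analysis if its hash equals the original's."""
    return sha256_of(original) == sha256_of(copy)


def demo(tamper: bool = False) -> bool:
    """Run the workflow on constructed evidence in a temp dir and return the integrity result.

    With tamper=True the working copy is altered after copying, which is the
    failure the check exists to catch.
    """
    work = Path(tempfile.mkdtemp())
    original = work / "mailserver-disk.img"          # constructed name
    original.write_bytes(b"CONSTRUCTED SAMPLE EVIDENCE " * 1000)
    log = work / "custody.jsonl"

    record_custody(log, original, "handler-1", "acquired image from mail server")
    copy = work / "mailserver-disk-working-copy.img"
    shutil.copyfile(original, copy)
    if tamper:
        with copy.open("r+b") as f:
            f.write(b"X")  # overwrite the first byte
    record_custody(log, copy, "handler-1", "created working copy for analysis")
    return copies_match(original, copy)


if __name__ == "__main__":
    print("copy verified" if demo() else "HASH MISMATCH - do not analyze this copy")
```

Every custody entry carries the hash at that moment, so a later reviewer can show the evidence was unchanged between any two handling steps, which is the point of step 5.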
  9. Forensics Tips
     1. Collection
        a. Prepare your systems in advance. Enable useful auditing, log aggregation, and backups
        b. Use a forensics toolkit (EnCase, FTK, open source)
        c. Prevent cross-contamination - ensure the external hard drive has been full-formatted
        d. Live image usually better (EnCase, FTK, dd)
        e. Think about shutdown impact!
        f. Collect volatile data using the toolkit
        g. Preserve logs
        h. Preserve file integrity - use a write-blocker during backups and imaging to prevent writing to the original
  10. Forensics Tips
      3. Analysis
         a. If to be used towards legal proceedings, consider an external specialist and a forensics toolkit with a good court track record
         b. Examine copies! Not originals.
         c. Rely on file headers (can still be faked) rather than file extensions to identify content types
         d. Determine if attacker identification is useful. Takes time and may not be relevant to recovery. Typically useful only if a criminal investigation is necessary
      4. Reporting
         a. Hold retrospectives
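Analysis tip c above (headers, not extensions) is straightforward to apply during triage. The following is an added example, not from the talk: it identifies a file's type from its leading bytes using a small signature table and flags files whose extension disagrees with the header. The signature table is limited to a handful of common formats, and the sample files are constructed in memory; as the slide notes, a header can itself be faked, so this is a first filter rather than proof of content.

```python
"""Classify files by header (magic bytes) and flag extension mismatches.

Added example, not from the talk. The signature table is a small, assumed
subset of common formats; the sample files are constructed.
"""
from typing import Dict, List

# (leading bytes, header-derived type). All offsets are 0; Office/Java
# packages share the ZIP header, so they classify as "zip" here.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Extensions that plausibly belong to each header-derived type.
EXPECTED_EXTENSIONS = {
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "pdf": {"pdf"},
    "pe-executable": {"exe", "dll", "sys", "scr"},
    "elf": {"", "so", "o"},
    "zip": {"zip", "jar", "docx", "xlsx", "pptx", "apk"},
    "gif": {"gif"},
}


def header_type(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def classify(name: str, data: bytes) -> dict:
    """Compare what the header says against what the name claims."""
    kind = header_type(data)
    ext = extension_of(name)
    mismatch = kind != "unknown" and ext not in EXPECTED_EXTENSIONS[kind]
    return {"name": name, "header_type": kind, "extension": ext, "mismatch": mismatch}


# Constructed samples: a real PDF header, a PE executable named as a PDF,
# a JPEG, and plain text with no recognised header.
SAMPLE_FILES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"just text",
}


def suspicious_files(files: Dict[str, bytes] = SAMPLE_FILES) -> List[str]:
    """Names whose extension does not fit the header-derived type."""
    return [name for name, data in files.items() if classify(name, data)["mismatch"]]


if __name__ == "__main__":
    for name in suspicious_files():
        print(f"{name}: extension does not match header ({classify(name, SAMPLE_FILES[name])['header_type']})")
```

On a real image you would feed this the first few hundred bytes of each file from the working copy (never the original, per tip b) and review the mismatches by hand.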
  11. Scenario #2: Denial of Service
      • Meetup experienced first DoS attack in 12 years
      • Hackers requested $300
      http://www.reuters.com/article/2014/03/03/us-meetup-cyberattack-idUSBREA221TR20140303
  12. Takeaways
      1. Have internal capability to scrub traffic and offload to a third party if beyond your bandwidth
      2. Exercise the cutover!
      3. Site status via alternate channel - Twitter
      4. Discuss policy towards ransomware - remember that from Scenario #1?
  13. Scenario #3: A Perfect Storm
      • Suspicious network activities detected in security console; analysis shows it was from an employee terminated the month prior
      • Phishing - employee went to malicious website (backdoor)
      • Systems started to crash and slow down
      • Proprietary data leakage
      • Extortion
      Scenario #4: Fallout from a Very Public Cyberattack
      • Customers wary of doing business
      • Financial stress
      • CEO resignation
  14. So Many Questions...
      1. Do we ensure that service providers (i.e., vendors) that have access to our systems are following appropriate personnel security procedures and/or practices?
      2. What other things did that employee do? Did they have privileged access and create other accounts?
      3. What are our policies towards employee termination? How do we ensure quick removal of access? What is NOT tied to the directory server?
      4. What about planned notifications? How do we do this internal to our organization? External to our organization?
      5. At what point would we – or should we – contact law enforcement?
      6. Would this situation trigger contact with regulators? Elected officials? Why or why not?
      7. How do we regain trust with our internal and external audiences?
      8. How do we retain our employees in light of layoffs and financial stress?
      9. How can we improve our training programs?
      10. What constitutes suspicious activities or incidents?
  15. Review the Secure Configuration Checklist: http://help.blackboard.com/en-us/Learn/9.1_2014_04/Administrator/070_Server_Management_and_Integrations/Security/Secure_Configuration_Checklist
      Monitor the Security Logs! Contact me if you need help. http://help.blackboard.com/en-us/Learn/9.1_2014_04/Administrator/070_Server_Management_and_Integrations/Security/000_Key_Security_Features/Audit_and_Accountability
      New Event Code 1026 - Ensure Custom/Third Party B2s do not show up here
      • Strengthening how we handle IDs in Learn.
      • Misuse of the API currently logged, will later be blocked.
      • If using the “Id” class, the value should be of format _##_##
        ◦ OK: PkId{key=_186_1, dataType=blackboard.data.course.Course, container=blackboard.persist.DatabaseContainer@1ade7b37}
        ◦ NOT OK: abcde
      • Fix with <%= bbContext.getCourseId().toExternalString() %>
  16. timestamp=Jan 01 2014 00:00:00.000 EST|app_vend=blackboard|app_name=learn|app_ver=9.1.160147.0|evt_code=1026|evt_name=invalid input detected|sev=6|cat=inputvalidation|outcome=failure|dhost=1.1.1.1|src_ip=1.1.1.1|suid=_1_1|suser=administrator|session_id=202|msg=Invalid PkId detected. May be an indicator of attempts to perform phishing or an area that requires an update to use the new API.Threw: [java.lang.IllegalArgumentException: Unable to parse provided PkId string [badvalue]. at blackboard.persist.PkId.<init>(PkId.java:171) at blackboard.persist.DatabaseContainer.generateId(DatabaseContainer.java:157) at blackboard.persist.BbPersistenceManager.generateId(BbPersistenceManager.java:470) at blackboard.persist.Id.generateId(Id.java:394) at blackboard.portal.view.service.impl.TabGroupViewClassManagerImpl.loadTabGroupViewClass(TabGroupViewClassManagerImpl.java:54) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)...|http_useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36|act=exception|request=/webapps/portal/execute/tabs/tabAction|requestparam=id|requestval=badvalue
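The slide above shows one event code 1026 record, and the previous slide asks you to monitor the security log and make sure custom or third-party Building Blocks do not appear in it. The following is an added example, not from the talk or from Blackboard: it parses the pipe-delimited key=value format shown on the slide, pulls out the 1026 events with the request path and offending value, checks that value against the slide's _##_## rule (implemented here as the regex ^_\d+_\d+$), and counts events per request path so a B2 that keeps tripping the check stands out. The sample log lines are constructed from the slide's record (stack trace shortened) plus two invented entries; the B2 path and the 9999 event code in them are placeholders, not real Learn values.

```python
"""Parse Blackboard Learn security-log records and report evt_code 1026 events.

Added example, not from the talk or from Blackboard. The log format follows
the record on the slide; the sample lines below are constructed.
"""
import re
from collections import Counter
from typing import Dict, List

# The slide's rule for values passed to the Id class: _##_##
PKID_RE = re.compile(r"^_\d+_\d+$")

# Constructed sample log: the slide's record (stack trace shortened), a 1026
# event from a placeholder third-party Building Block path, and an unrelated
# placeholder event (code 9999 is invented, not a real Learn event code).
SAMPLE_LOG = [
    "timestamp=Jan 01 2014 00:00:00.000 EST|app_vend=blackboard|app_name=learn|app_ver=9.1.160147.0"
    "|evt_code=1026|evt_name=invalid input detected|sev=6|cat=inputvalidation|outcome=failure"
    "|dhost=1.1.1.1|src_ip=1.1.1.1|suid=_1_1|suser=administrator|session_id=202"
    "|msg=Invalid PkId detected. Threw: [java.lang.IllegalArgumentException: Unable to parse provided PkId string [badvalue]..."
    "|act=exception|request=/webapps/portal/execute/tabs/tabAction|requestparam=id|requestval=badvalue",
    "timestamp=Jan 01 2014 00:05:00.000 EST|app_vend=blackboard|app_name=learn|app_ver=9.1.160147.0"
    "|evt_code=1026|evt_name=invalid input detected|sev=6|cat=inputvalidation|outcome=failure"
    "|dhost=1.1.1.1|src_ip=10.0.0.5|suid=_2_1|suser=instructor1|session_id=310"
    "|msg=Invalid PkId detected.|act=exception|request=/webapps/example-b2-PLACEHOLDER/execute/view"
    "|requestparam=course_id|requestval=abcde",
    "timestamp=Jan 01 2014 00:06:00.000 EST|app_vend=blackboard|app_name=learn|app_ver=9.1.160147.0"
    "|evt_code=9999|evt_name=constructed sample event|sev=1|outcome=success|src_ip=10.0.0.5"
    "|request=/webapps/portal/execute/tabs/tabAction|requestparam=id|requestval=_186_1",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a record into fields. Fields are '|'-separated key=value pairs;
    only the first '=' splits, since values (e.g. msg) may contain '='."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value
    return fields


def is_valid_pkid(value: str) -> bool:
    """True if value has the _##_## shape the slide requires."""
    return bool(PKID_RE.match(value))


def invalid_input_events(lines: List[str]) -> List[dict]:
    """The 1026 events, reduced to the fields an analyst needs first."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("evt_code") != "1026":
            continue
        out.append({
            "timestamp": ev.get("timestamp"),
            "src_ip": ev.get("src_ip"),
            "suser": ev.get("suser"),
            "request": ev.get("request"),
            "requestparam": ev.get("requestparam"),
            "requestval": ev.get("requestval", ""),
            "pkid_well_formed": is_valid_pkid(ev.get("requestval", "")),
        })
    return out


def requests_by_path(lines: List[str]) -> Counter:
    """Count 1026 events per request path. A path under a custom B2 that
    keeps appearing here is code that needs the toExternalString() fix."""
    return Counter(e["request"] for e in invalid_input_events(lines))


if __name__ == "__main__":
    for path, n in requests_by_path(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {path}")
```

A path under /webapps/portal/ is Learn's own code; a path under a custom Building Block's webapp that shows up in this count is the B2 the slide says should not be there, and the request parameter tells you which ID it is mishandling.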
  17. Resources - Get Organized
      1. SANS Incident Handler’s Handbook
         a. http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
      2. NIST 800-61 Incident Handling Guide
         a. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
      3. NIST 800-86 Forensics
         a. http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
      4. Internet2 Incident Checklist
         a. https://wiki.internet2.edu/confluence/download/attachments/20807730/Incident+Checklist+-+April2014.pdf?version=1&modificationDate=1398369017997
      5. SEI CERT Guidance
         a. http://www.cert.org/incident-management/publications/index.cfm