manufacturing system.
• Alert: Notification that a specific attack has been directed at an organization's information systems.
• Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Credit: https://csrc.nist.gov/glossary
[Figure: security solutions mapped by degree of dependency on Technology, People and Process (credit: SOUNILYU). Solutions shown: NGAV, Cont. Threat Exposure Mgmt., SAST/DAST, IDS, NDR, EDR, NGFW/IPS, Zero Trust App Access, Active Directory Security Solutions, Data Encryption, Cyber Threat Intel., Data Leakage Prevention, Vuln Assessment, WAF, Data Audit, Phishing Simulation, Identity Protection (MFA), MDR, XDR, Forensic Service, Backup, NetFlow, Fuzzer, Health Check, Version Control, Golden Image, Zero Trust Net Access, Backup Line, Remote Backup, Net Seg.]
General Data Protection Regulation, Art. 33: Notification of a personal data breach to the supervisory authority
• [United States Congress] Cyber Incident Reporting for Critical Infrastructure Act, Public Law 117–103, Sec. 2242: Required Reporting of Certain Cyber Incidents
• Vendor Contracts
[Figure: incident response lifecycle. Phases: Preparation, Detection, Analysis, Containment, Eradication, Recovery, Report, Remediation (Operate, Declare, Isolate, Cleanup, Harden, Rollback; if unsuccessful, new findings cycle into a new investigation).
• Detection: monitoring solutions, SIEM thresholds, user behavior verification, correlation; alerts are triaged as False Positive, Undetermined or True Positive.
• Analysis: classify the incident level (Lv1 & Lv2, Lv3 & Lv4) with SLA; escalate to the War Room (EO, PR, LA); outsource to a qualified forensic lab.
• Eradication and Recovery: refer to SWGDE.
• Report: store the evidence and report to the court; announcement according to contract.
• Metrics: Time to Detect (MTTD), Time to Investigate (MTTI), Time to Contain, Time to Mitigate, Time to Response (MTTR), Time to Resolve (MTTR), Time to Exposure.]
EO Level
• Public Relations Consultant (Crisis PR): Handles news interviews and releases required for the incident.
• Legal Consultant (Legal Expert): Provides consultation on legal issues and clarification of legal regulations.
• Affected Constituency (Risk Mgr.): Risk manager of affected business units/lines.
• 3rd Party Forensics Experts (Forensics): Outsourced incident investigation/digital forensics experts who take charge of providing professional techniques and suggestions for the incident.
• Certified Investigator (SOC Tier-3): Does the matchmaking to ensure smooth communication between the incident response team and external consultants.
• Infrastructure Support (IT Professionals): Helps to block attack traffic, isolate the victim machines, collect evidence, and provide reserve machines for replacement.
• Access Control: Handles the access control of evidence in the forensics lab and takes the meeting minutes.
an indication of how well a team governs, documents, performs and measures its function. The maturity of a CSIRT is measured with the Security Incident Management Maturity Model, also called SIM3.
• Maturity Quadrants
  • O - Organization
  • H - Human
  • T - Tool
  • P - Process
• Maturity Parameters
• Maturity Level
  • 0 = not available / undefined / unaware
  • 1 = implicit (known/considered but not written down, "between the ears")
  • 2 = explicit, internal (written down but not formalized in any way)
  • 3 = explicit, formalized on authority of CSIRT head (rubberstamped or published)
  • 4 = explicit, audited on authority of governance levels above the CSIRT head (subject to control process/audit/enforcement)
Credit: https://opencsirt.org/csirt-maturity/sim3-online-tool/
assignment as derived from upper management. Maturity level: 3
• O-2 CONSTITUENCY. Description: Who the PSIRT functions are aimed at, the "clients" of the CSIRT. Maturity level: 3
• O-3 AUTHORITY. Description: What the PSIRT can do towards their constituency in order to accomplish their role. Maturity level: 3
• O-4 RESPONSIBILITY. Description: What the PSIRT is expected to do towards their constituency in order to accomplish their role. Maturity level: 3
• O-5 SERVICE DESCRIPTION. Description: Describes what the PSIRT service is and how to reach it. Minimum requirement: Contains the PSIRT contact information, service windows, a concise description of the PSIRT services offered and the PSIRT's policy on information handling and disclosure. Maturity level: 3
• O-10 ORGANIZATIONAL FRAMEWORK. Description: Fits O-1 to O-9 together in a coherent framework document serving as the controlling document for the PSIRT. Minimum requirement: Describes the PSIRT's mission and parameters O-1 to O-9. Note: for FIRST application, change "O-1 to O-9" into "O-1 to O-5". Maturity level: 3
H – "Human" Parameters
• H-1 CODE OF CONDUCT / PRACTICE / ETHICS. Description: A set of rules or guidelines for the PSIRT members on how to behave professionally, potentially also outside work. Clarification: e.g. the FIRST Code of Ethics. Behavior outside work is relevant, because it can be expected of CSIRT members that they behave responsibly in private as well where computers and security are concerned. Maturity level: 2
• H-2 PERSONNEL RESILIENCE. Description: How PSIRT staffing is ensured during illness, holidays, people leaving, etc. Minimum requirement: three (part-time or full-time) PSIRT members. Maturity level: 2
• H-7 EXTERNAL NETWORKING. Description: Going out and meeting other CSIRTs. Contributing to the CSIRT/PSIRT system when feasible. Maturity level: 2
P – "Processes" Parameters
• P-1 ESCALATION TO GOVERNANCE LEVEL. Description: Process of escalation to upper management for PSIRTs who are a part of the same host organization as their constituency. For external constituencies: escalation to governance levels of constituents. Maturity level: 3
• P-11 SECURE INFORMATION HANDLING PROCESS. Description: Describes how the PSIRT handles confidential incident reports and/or information. Also has bearing on local legal requirements. Clarification: it is advised that this process explicitly supports the use of TLP, the Traffic Light Protocol. Maturity level: 2
the drill, there might be several network segments that are extremely sensitive, beyond control, or have known issues and would waste the assessment (e.g. subsidiary, branch)
• Scenario
  – There might be several phases in a Red Team assessment according to MITRE ATT&CK (e.g. Initial Access, Persistence, Escalation, Lateral Movement)
  – Set the goals (TTPs), the time frame of each phase, and the start point
• Targets
  – Critical Systems/Machines
  – Critical Accounts
  – Sensitive confidential Data
the required resources; Identify the risk involved; Investigate the data recovered; Completion of case report; Critique the case
• Situation of the case
• Nature of the case
• Specifics about the case
• Type of evidence
• Operating system used by the suspect
• Known disk format
• Location of evidence
• The motive of the suspect
• Have skilled professionals
• Workstation and data recovery lab
• Alliance with a local District Attorney
• Define the methodology
• Document the hardware configuration of the system
• Document the system date and time
• Document file names, dates, and times
• Document all findings
• Good understanding of the technical, legal, and evidentiary aspects of computers and networks
• Proper methodology
• Steps for collecting and preserving the evidence
• Steps for performing forensic analysis
• To carry out an investigation a search warrant from a court is required
• Find the evidence
• Discover the relevant data
• Prepare an Order of Volatility
• Eradicate external avenues of alteration
• Gather the evidence
• Prepare chain of custody
• Data-recovery lab
• Computer-forensic workstation
• Record all the steps (camera record & screen record)
• Include what was done and the results in the final report
• The steps can be repeated and the results obtained are the same every time
• Explain the computer and network processes
• Explanation should be provided for various processes and the inner working of the system and its various interrelated components
Testing and Calibration Laboratories.
• ISO/IEC 17020 covers the activities of inspection bodies whose work can include the examination of materials, products, installations, plants, processes, work procedures or services, and the determination of their conformity with requirements and the subsequent reporting of results of these activities to clients and, when required, to authorities.
• ASCLD/LAB-International Supplemental Requirements for the Accreditation of Forensic Science Testing and Calibration Laboratories, published by the American Society of Crime Laboratory Directors (ASCLD), corresponds to ISO/IEC 17025.
• Scientific Working Group on Digital Evidence (SWGDE) brings together organizations actively engaged in digital and multimedia evidence.
name (SPN) is a unique identifier of a service instance.
• SPNs are used by Kerberos authentication to associate a service instance with a service logon account.
• This allows a client application to request that the service authenticate an account even if the client does not have permission to use that service. The KDC will still respond to the TGS request with a service ticket and leave it to the service to judge the client's permission.
[Figure: Kerberoasting flow between the Hacker, the Key Distribution Center (KDC) and the service principals.
1. Get SPNs
2. SPN list
3. TGS-REQ(A), TGS-REQ(B), TGS-REQ(C), presenting the TGT
4. TGS-REP(A), TGS-REP(B), TGS-REP(C): each Kerberos service ticket is encrypted with the service account's password hash
Then brute force offline to recover the service password (Service Secret).
TGS-REP contents: Client Name, TGS Session Key, and the Service Ticket (TGS) encrypted with the Service Hash; the Service Ticket carries the Service Principal, Time Stamp and Service Session Key.]
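Because the service ticket in step 4 is encrypted with the service account's password hash, the defender's signal is the request pattern itself: one account asking the KDC for RC4-encrypted service tickets to many different SPNs in a short time. The following detector is an added example, not part of the original slides; it runs over constructed Windows Security Event ID 4769 records (service ticket requested), with illustrative field names standing in for TargetUserName, ServiceName and TicketEncryptionType, and with assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4769 records (service ticket
# requested), already parsed into dicts. Field names are illustrative stand-ins
# for TargetUserName, ServiceName and TicketEncryptionType; 0x17 is RC4-HMAC.
EVENTS = [
    {"time": "2024-01-10T09:00:01", "user": "alice", "service": "sql01$", "etype": "0x12"},
    {"time": "2024-01-10T09:00:05", "user": "jdoe", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-01-10T09:00:06", "user": "jdoe", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-01-10T09:00:07", "user": "jdoe", "service": "svc_backup", "etype": "0x17"},
    {"time": "2024-01-10T09:00:08", "user": "jdoe", "service": "svc_report", "etype": "0x17"},
    {"time": "2024-01-10T09:30:00", "user": "alice", "service": "krbtgt", "etype": "0x12"},
]

RC4_HMAC = "0x17"                  # weak etype that makes offline cracking practical
WINDOW = timedelta(minutes=5)      # illustrative thresholds, tune per environment
MAX_DISTINCT_SPNS = 3


def detect_kerberoasting(events, window=WINDOW, max_spns=MAX_DISTINCT_SPNS):
    """Return {user: sorted services} for accounts that obtain RC4-encrypted
    service tickets for more than max_spns distinct services within window."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        svc = e["service"]
        # Only RC4 tickets are cheap to crack; skip krbtgt and computer accounts ($),
        # whose long random passwords are not realistic Kerberoasting targets.
        if e["etype"] != RC4_HMAC or svc == "krbtgt" or svc.endswith("$"):
            continue
        per_user[e["user"]].append((datetime.fromisoformat(e["time"]), svc))

    hits = {}
    for user, reqs in per_user.items():
        start = 0
        for end in range(len(reqs)):            # sliding window over the user's requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {svc for _, svc in reqs[start:end + 1]}
            if len(spns) > max_spns:
                hits[user] = sorted(spns)
    return hits


if __name__ == "__main__":
    for user, spns in detect_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
```

In the constructed sample only jdoe trips the rule; alice's AES (0x12) requests and the krbtgt/computer-account tickets are ignored, which is the same filtering a SIEM correlation rule for this pattern would apply.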
those accounts that run an executable, task or service, AD authentication, etc.
– Use long, strong passwords
– Give access to only what is needed
– Try to avoid granting local administrator rights
– Do not put them in Domain Admins
– Deny logon locally
– Deny logon as a batch job
– Require vendors to make their software work without domain admin rights
Service Account (gMSA)
• An sMSA/gMSA is a managed domain account that provides automatic password management (a 240-byte, 120-character, cryptographically random password), SPN management, and the ability to delegate the management to other administrators.
• MSA was introduced in Windows Server 2008 R2 and Windows 7.
• Who can access the MSA to manage the SPN becomes important.
of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.
managing digital certificates used in software security systems that employ public key technologies. Digital certificates are used to provide:
• Confidentiality through encryption
• Integrity through digital signatures
• Authentication by associating certificate keys with computer, user, or device accounts on a computer network
- Any Proposed EKU
• ESC3 – Enrollment Agent allows a principal to enroll for another user
• ESC4 – Misconfiguration of ACL leads to other ESCs
• ESC5 – Misconfiguration of PKI leads to AD CS compromise
• ESC6 – EDITF_ATTRIBUTESUBJECTALTNAME2 allows any user to define the SAN
• ESC7 – Misconfiguration of AD CS ACL
• ESC8 – NTLM Relay to AD CS HTTP Endpoints
• ESC9 – No Security Extension
• ESC10 – Weak Certificate Mappings
• ESC11 – Relaying to AD Certificate Services over RPC
• ESC12 – Shell access to AD CS CA with YubiHSM
• ESC13 – Microsoft AMA abuse
is a Microsoft tool that provides management of the local account passwords of domain-joined computers. It sets a unique password for every local administrator account and stores it in Active Directory for easy access.
• LAPS will automatically renew the password regularly.
• Just like other solutions such as MSA, which we will talk about later, who has the privilege to access and read the password matters; this should be monitored and alerting should be set up.
[Figure: LAPS architecture. On the managed machine, AdmPwd.dll runs through the GPO framework and writes the Admin Password and Pwd Expiration attributes to the machine's Computer account in Active Directory.]
privilege for a user (Admin by default) to access LSASS memory; disabling this privilege and monitoring changes to it can help prevent credential dumping.
the domain controller is unavailable, Windows will check the password hashes that have been cached in order to authenticate the user to the system.
• To minimize the cache amount, set secpol.msc -> Computer Configuration -> Windows Settings -> Local Policy -> Security Options -> Interactive Logon: Number of previous logons to cache -> 0, or a number that is acceptable.
• By default, only SYSTEM can access HKEY_LOCAL_MACHINE\Security, but an attacker with Administrator privilege can still add permissions to the registry key.
new feature
• Combined with Secure Boot, LSA Credential Guard with UEFI lock, and hypervisor-based Virtualization Based Security (VBS)
• The LSA in the host OS is a proxy instance that simply communicates with the isolated one
• Switch all important services to VSM to secure their integrity
• Configurable Code Integrity (CCI) checks that code is signed before it runs (e.g. .ps1, .bat)
• Kernel mode code integrity
• Secure Boot enforces EV signatures on firmware and boot loader code.
Credit: techcommunity.microsoft
of AppLocker, can prevent malicious script files, direct execution of malicious scripts, and malicious applications not in the whitelist.
• LSA, firmware, boot loader code and kernel code are also secured.
• CVE-2018-8216 still shows that Device Guard might be vulnerable under a targeted attack; this CVE allows an attacker to inject a payload into a script that CCI trusts.
https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419
Admin Workstation (SAW)
• PAW & SAW are dedicated operating systems used to securely access privileged resources, similar to a jump server.
• A PAW is a workstation that is dedicated solely to accessing sensitive tasks and information. These devices are typically locked down and therefore insulated from web-based attacks and other threat vectors.
RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
• Kerberos unconstrained delegation
• Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman
• MS-CHAP
• WDigest
• NTLM v1