Successful Strategies in Enterprise Intrusion Investigations


1 Successful Strategies in Enterprise Intrusion Investigations
SANS WhatWorks in Forensics and Incident Response Summit 2008
Michael Cloppert, Member Technical Staff
Lockheed Martin Computer Incident Response Team

2 Phase 2: Establish a presence
Compromise systems. Steal data. For years, we have wondered what Phase 2 is. Now we know!
Phase 1: Compromise systems
Phase 2: Establish persistent presence
Phase 3: Steal data

3 But how?
We got lazy, and so did our adversaries, from 2000 – Open and vulnerable internet services enabled fast-spreading worms and viruses, which rendered the careful, diligent preparation and focused effort to compromise systems unnecessary. Sloppy network architecture aggravated this problem.

In this day and age, thanks to diligent work by everyone in the security industry, organizations are far more secure than they ever were in the past. Ports are mostly closed. Unnecessary services are usually not running. Software is, well, better in any case. This is the environment upon which classic intrusion methodology was predicated. Now that we have finally begun to enforce this operating environment, our adversaries are forced to work for their intrusions. They’re also interested in obtaining information without drawing the attention that the attack model of brought with it. Tactical, silent approaches enable re-use of effective intrusion techniques and technologies.

As a result, adversaries are following classic principles of network exploitation, principles we should all know and be familiar with already. To give you an idea of just how old this approach is, it’s called out in chapter 1 of Hacking Exposed, Vol. 1, published in The interesting aspects of these intrusions aren’t in understanding how adversaries work, but in what tools they use and the simplicity of their tactics.

However, in processing the exposure component of our risk model, one thing is different today: we must consider that every workstation is a node on the internet. How? Two words: , and web. ALL major intrusions are happening via one of these two mechanisms, and MOST C2 is occurring via HTTP, SSL, or related means.

4 So what now? Yeah, it’s broken. We have a process!
Oh, you mean this one? Let’s talk through an incident for a second:
PREPARE: Okay, so we put devices in place to find “badness”.
DETECT: We find a compromised system using these devices and mechanisms.
CONTAIN/ERADICATE/RECOVER: We pull the system.

There is no focus in the model on analysis! Looking at the system closely, we find indicators that we need to tune our systems to detect. Suddenly we’re back in “PREPARATION”. But then we immediately detect other systems. And by the way, as we pull systems from the network to contain the problem, the adversaries use other means to regain a foothold. Perhaps this is a means we can detect but not prevent; or perhaps it’s a totally new mechanism. Suddenly we’re back in “PREPARATION” and “DETECTION” again for the new vector.

What you come to find is that, when dealing with sophisticated adversaries who are intent on maintaining a presence on your network, your incident responders exist simultaneously in PREPARATION, DETECTION, and CONTAINMENT, and never advance to Post-Incident Activity. In addition, during the DETECTION and CONTAINMENT phases, there is a constant feedback loop with DETECTION that needs to happen and that is not represented in this model. These are symptoms of a broken model. The classic incident response model has been obsoleted by the campaign-style attacks of sophisticated adversaries. I would argue that the entire notional approach to incident response must change in order to effectively posture a team to deal with sophisticated, large-scale, extended-duration attacks.

NIST Special Publication : Computer Security Incident Handling Guide
CMU-SEI-2004-TR-015: Defining Incident Management Processes: A Work In Progress
Yeah, it’s broken.

5 Get Intelligent
Various aspects of an incident can reflect drastically differing levels of understanding at any given point, and when dealing with many systems, they will likely all exist in many different knowledge states. Additionally, the incident itself is organic, with adversaries moving around, re-establishing footholds, and adjusting tactics, and network defenders are likewise constantly repositioning themselves. All of this makes the classic stateful IR diagram inapplicable.

Effective incident response incorporates intelligence into detection and forensics in a constructive feedback loop to enable detection and reaction. There are no states; there is only one organic set of “analog” properties which includes indicators, compromises, and targets. Integration of intelligence acquired through analysis and collaboration is key to successfully managing incidents.
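To make the feedback loop of slides 4 and 5 concrete, here is an added example (not from the talk or from Lockheed Martin) that models an incident as one set of indicators and compromises rather than as phases: analysis of each newly detected host feeds indicators straight back into the next detection pass until a pass finds nothing new, and the one-pass "linear" result is shown beside it for contrast. All hosts, hashes and domains are constructed sample data, and `ANALYSIS_FINDINGS` stands in for the analyst's forensic work on a pulled system.

```python
from dataclasses import dataclass, field

# Constructed sample data: hypothetical hosts, process hashes and destinations.
# Each host's artifacts are what a detection sensor can see about it.
HOST_ARTIFACTS = {
    "ws01": {("hash", "aaa111"), ("dst", "updates.example-cdn.test"), ("dst", "www.example.test")},
    "ws02": {("hash", "bbb222"), ("dst", "updates.example-cdn.test")},
    "ws03": {("hash", "ccc333"), ("dst", "www.example.test")},
    "ws04": {("hash", "bbb222"), ("dst", "cdn.other.test")},
}
# What forensic analysis of a pulled system would surface as attacker-controlled
# (constructed; only these become indicators, not every artifact on the host).
ANALYSIS_FINDINGS = {
    "ws01": {("hash", "aaa111"), ("dst", "updates.example-cdn.test")},
    "ws02": {("hash", "bbb222"), ("dst", "updates.example-cdn.test")},
    "ws04": {("hash", "bbb222"), ("dst", "cdn.other.test")},
}

@dataclass
class IncidentState:
    """The 'analog' picture of the incident: indicators, compromises, what has been analyzed."""
    indicators: set = field(default_factory=set)
    compromised: set = field(default_factory=set)
    analyzed: set = field(default_factory=set)
    rounds: list = field(default_factory=list)   # hosts found in each detection pass

def detect(state):
    """One detection pass: a host whose artifacts hit any known indicator is a new compromise."""
    return {h for h, arts in HOST_ARTIFACTS.items()
            if arts & state.indicators and h not in state.compromised}

def linear_model(seed_indicators):
    """PREPARE -> DETECT -> CONTAIN once: what the classic model finds with the seed alone."""
    return detect(IncidentState(indicators=set(seed_indicators)))

def feedback_model(seed_indicators):
    """Detection and analysis as a loop: analysis of each new compromise feeds indicators
    back into detection, and the incident only settles when a pass finds nothing new."""
    state = IncidentState(indicators=set(seed_indicators))
    while True:
        new_hosts = detect(state)
        if not new_hosts:
            return state
        state.compromised |= new_hosts
        state.rounds.append(sorted(new_hosts))
        for host in new_hosts:
            state.indicators |= ANALYSIS_FINDINGS.get(host, set())
            state.analyzed.add(host)
```

Seeding both models with the single hash `("hash", "aaa111")` shows the difference: the linear pass stops at ws01, while the loop reaches ws02 through the shared C2 host and ws04 through the hash found on ws02, and never flags ws03, whose only overlap is a benign destination that analysis did not mark as an indicator.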

6 Contact
Michael Cloppert
michael.j.cloppert@lmco.com
