Incident Response (asecuritysite.com)
Transcript
Author: Prof Bill Buchanan
Network Security: Stateful firewall, PIX/ASA Config
Incident Response Introduction.
Risk Analysis.
Risk Management.
Outline of threats.
Data Loss.
Fundamentals.
Incident Response: Types
Some data breaches
Incident Response: Incident Taxonomy
Incident Response: Data Sources/Timeline
Incidents: Introduction
Incident timeline: Before Incident, During Incident, After Incident
[Figure: timeline with the Intruder and Intrusion Detection marked against the three phases]
Incident Response: Data states
Data in-motion, data in-use and data at-rest
[Figure: network diagram showing the Internet, two firewalls, a DMZ (proxy server, email server, web server, FTP server), switch, router, domain name server, database server and intrusion detection systems, with Bob, Alice and Eve; data in-motion is marked on the links, data in-use on the hosts and data at-rest on the servers]
Incidents: Introduction
Timeline: Before Incident, During Incident, After Incident
Data At Rest: Files, Directories, File Rights, Domain Rights, etc.; File changes, File CRUD (Create, Read, Update, Delete), Thumbprints
Data In-Motion: Network packet logs, Web logs, Security logs; Network scanners, Intrusion Detection Systems, Firewall logs, etc.
Data In-Process: Processes, Threads, Memory, etc.; Security Log, Application Log, Registry, Domain Rights.
[Figure: the three data states laid out against the incident timeline, with the Intruder marked]
Incident Response: Introduction
Four Vs of Big Data
V - Volume [Scale of data]
V - Variety [Different forms of data]
V - Velocity [Speed of data generation]
V - Veracity [Trustworthiness]
[Figure: network devices (intrusion detection system, firewall, router, proxy server, email server, web server, FTP server, switch) feeding data to Incident Response, Management report, Sales analysis, Targeted marketing and Trending/Correlation; Alice, Bob and Eve shown]
Incident Response: Introduction
Data Capture
IT Ops: Nagios, NetApp, Cisco UCS.
Web Services: Apache, IIS.
Microsoft Infrastructure: Active Directory, Exchange, SharePoint.
Structured Data: CSV, JSON, XML.
Database Systems: Oracle, MySQL, Microsoft SQL.
Network/Security: Syslog/SNMP, Cisco NetFlow, Snort.
Cloud: AWS CloudTrail, Amazon S3, Azure.
Application Servers: WebLogic, WebSphere, Tomcat.
[Figure: network diagram (web server, firewall, router, proxy server, email server, FTP server, switch, intrusion detection system) with Alice, Bob and Eve, showing where each data source is captured]
Incident Response: Introduction
Investigation sources
Internal systems
Cloud service providers
Communication service providers
Trusted partners
[Figure: network diagram (web server, firewall, router, proxy server, email server, FTP server) with Bob and Eve]
Incident Response: Introduction
Basic timeline
Events on Eve's time line: device switch-on, corporate login, Wifi connect, phone call, tweet, Facebook post, email send, web page access.
Evidence sources: device logs, system log, Internet cache, web/domain log, logs/email, web log, call record, location record (held by cloud service providers, communication service providers and web services).
[Figure: Eve's activity laid out as a time line, each event linked to the log or record that evidences it]
Incident Response: Introduction
Security Operations Centre
[Figure: logs/alerts from Eve's activity, news feeds and security alerts feed a SIEM package (Splunk) monitored by Bob]
Incident Response: Patterns of Intrusion
Incident Response: Types
Typical pattern of intrusion ...
Outside reconnaissance: Intruder gains public information about the systems, such as DNS and IP information.
Inside reconnaissance: Intruder gains more specific information such as subnet layout, and networked devices.
Exploit: Intruder finds a weakness, such as cracking a password, breaching a firewall, and so on.
Foothold: Once into the system, the intruder can then advance up the privilege levels.
Profit: Data stealing, system damage, user abuse, and so on.
From code yellow to code red ...
[Figure: Intrusion Detection marked at each stage between Eve and Bob]
Incident Response: Types
Cyber Kill Chain ®
From code yellow to code red ...
Preparation (hours to months): Reconnaissance, Weaponization
Intrusion (minutes): Delivery, Exploitation, Installation
Active Breach (months): Command and Control, Action on Objective
[Figure: the kill chain stages laid out from Eve to Bob]
Incident Response: Risk Analysis
Risk analysis: Introduction
Risk analysis (Cost/likelihood)
Highly Likely, Low Cost - Worth mitigating against.
High Likelihood, High Cost - Maybe worth mitigating against.
Low Likelihood, Low Cost - Maybe worth mitigating against.
Low Likelihood, High Cost - Probably not worth mitigating against.
[Figure: 2x2 matrix with Cost (high cost / low cost) on one axis and Likelihood (high likelihood / low likelihood) on the other, with the Intruder marked]
Incident Response: Risk Management