Preparing for and Responding to a Breach Ohio Information Security Conference March 15, 2017, Dayton Ohio
Mar 19, 2020
Transcript
Page 1

Preparing for and Responding to a Breach

Ohio Information Security Conference

March 15, 2017, Dayton Ohio

Page 2

800.314.4357 | www.VestigeLtd.com | Responsiveness, Speed & Availability Reliability Knowledge | Copyright ©2016 Vestige Ltd

Before anything else, preparation is the key to success.

Alexander Graham Bell

Page 3

By the Numbers

• 79,000+ security incidents

• Over 700 million records compromised

• The US Military treats cyber as one of five domains: air, sea, land, space and now cyber. – General Michael Hayden, former Director of the CIA and NSA

• 260 days to detection

Page 4

Cyber Statistics

• In 60% of cases, attackers compromise an organization in minutes

• 75% of attacks spread from Victim 0 to Victim 1 in 24 hours

• 23% of recipients open phishing emails and 11% click on attachments

Source: 2015 Data Breach Investigations Report, Verizon

Page 5

Cyber Statistics

• Finance: 350 events per week

• Insurance: 575 events per week

• Retail: 801 events per week

• Utilities: 772 events per week

Source: 2015 Data Breach Investigations Report, Verizon

Page 6

More (Sickening) Stats

• 70-90% of malware samples are unique to an organization

• 99.9% of exploited vulnerabilities were exploited more than a year after being published

• Half of the malware written to exploit a vulnerability was ready within 2 weeks

Source: 2015 Data Breach Investigations Report, Verizon

Page 7

Planning for a Breach

• Getting legal involved
  ◦ Protecting the analysis and results
  ◦ Seeing that notification laws are considered

• What would the technical goals of a breach response be?
  ◦ Handling the breach internally
  ◦ Outsourcing the investigation

• When to engage a public relations firm

Page 8

Planning for a Breach

• Employee involvement
  ◦ Are they trained to identify breach attempts?
  ◦ Do they know the procedure for notifying someone in the event of a breach?

• Provide reminders of what is happening
  ◦ New methods of attacks/phishing

Page 9

IR Plan Basics

• Members and responsibilities of the following:
  ◦ PR
  ◦ IT
  ◦ Legal

• 24x7 contact information
  ◦ How to proceed if unreachable

• Prioritization of IT assets
  ◦ Risk assessment if a system is down

• Preservation steps

Page 10

IR Plan Basics

• When to contact the C-Suite
  ◦ A balance between knowing soon and knowing the full picture

• What is required by your insurance

• Communication when Email/VM/Messaging is compromised

• Do you have a “single voice” policy?

Page 11

IR Plan Basics

• Understand the criteria for notification

• Procedures for notifying LE or other organizations
  ◦ Have you already made a connection?

• Having a Public Relations firm on retainer

• Having an outside forensic firm on retainer

Source: Best Practices for Victim Response and Reporting of Cyber Incidents. US DOJ Cybersecurity Unit, April 2015.

Page 12

IR Plan – Your Data

• Where is your important data?
  ◦ Methods being used to protect the data or limit its exposure

• Logging of access to that data – how far back can you go?
  ◦ Can you go 10 months?

• What other logs are being kept and for how long?

Page 13

IR Plan – What is being logged

• Apache/IIS or other web logs

• SMTP logs

• Firewall logs

• Event Logs (are you capturing the right events?)

• IDS logs

• Others?

Page 14

IR Planning

• Table top exercise
  ◦ Where the rubber meets the road
  ◦ Should be performed periodically instead of one and done
  ◦ Helps remove bias in planning and putting together your plan
  ◦ Find the “Gotchas”

Page 15

The Breach Occurs…

Page 16

The Response

• Follow your plan
  ◦ You do have one, right?!

Page 17

The Response – Plan B

• Strike a balance between remediation and preservation
  ◦ IT wants to remediate
  ◦ Legal and IR team want and need to preserve

• Involve investigation team right away

• Will you need to bring up replacement systems?

Page 18

Importance of Preservation

• Change to 2013 HIPAA omnibus rule
  ◦ [Incident] “is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised”

• Expect others to follow

Page 19

The Response – Plan B

• Understand the genesis of the attack

• Understand what data was compromised
  ◦ Is the data encrypted?

• Attempt to determine where the data went
  ◦ Difficult when the attack is from unknown entities

Page 20

The Response – Plan B

• Create a signature of the threatening files
  ◦ Scan the environment to reveal additional infections
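One way to carry out these two steps, as an added example that is not from the presentation: build a SHA-256 signature set from the files collected during the investigation, then sweep a directory tree for anything with the same content. The sample tree (one sample, one renamed copy, one same-size near-miss, one benign file) is constructed inside a temporary directory.

```python
"""Hash-signature sweep for copies of a known-bad file (added example, not from
the presentation). Signature = SHA-256 of content; file sizes act as a cheap
prefilter so only size-compatible files are hashed."""
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_signatures(sample_paths):
    """Return ({sha256: sample_path}, {size, ...}) for the collected samples."""
    sigs = {sha256_file(p): p for p in sample_paths}
    return sigs, {os.path.getsize(p) for p in sample_paths}

def scan_tree(root, sigs, sizes):
    """Walk root (symlinks not followed) and return [(path, sha256)] for matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) not in sizes:
                    continue  # cannot match any sample: skip the hashing
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file; a real sweep would log it
            if digest in sigs:
                hits.append((path, digest))
    return hits

def demo():
    """Constructed tree: one sample, one renamed copy, one same-size near-miss, one benign."""
    root = tempfile.mkdtemp()
    bad = b"constructed known-bad payload for the demo"
    sample = os.path.join(root, "quarantine", "sample.bin")
    copy = os.path.join(root, "users", "alice", "update.exe")
    files = {sample: bad, copy: bad,
             os.path.join(root, "users", "bob", "notes.txt"): bad[:-1] + b"!",
             os.path.join(root, "users", "bob", "hosts"): b"127.0.0.1 localhost\n"}
    for path, data in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    sigs, sizes = build_signatures([sample])
    return scan_tree(os.path.join(root, "users"), sigs, sizes), copy
```

Only the renamed copy is reported; the near-miss passes the size prefilter but fails the hash comparison.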

Page 21

Outsourcing Breach Response

• Does the internal team have the necessary skills and experience?

• Is an expedited time frame involved?

• Insurance can sometimes dictate who handles the breach

• Need for third party review

Page 22

Expected Time Frame

• IR team is usually on site same day or next day
  ◦ However, this is dependent on up-front planning

• “Bleeding” of data may be stopped in hours
  ◦ May depend on appetite for shutting down the internet connection

Page 23

Expected Time Frame

• Days to weeks to determine:
  ◦ How the incident occurred
  ◦ What data was leaked
  ◦ Where the data went

• Again, heavily dependent on up-front work as well as the number of affected systems

• Iterative process

Page 24

Case Study: 3.5M to 11K

• The Situation: The client works in the financial arena. The client had a web-based B2B application that allowed account records to be exchanged via an FTP site. Data on the FTP site was found to have been indexed by Google because anonymous access to the FTP site had never been removed. Data for approximately 3.5 million accounts existed on the site.

• The Solution: Information was gathered from Google searches. The FTP site did have considerable logging showing which records were touched by which accounts and when. Furthermore, not all records contained data that rose to the level of notification.

• The Results: A detailed analysis was performed to determine which sets of records were accessed by the anonymous account versus the authorized accounts. That analysis was combined with record contents to produce a more accurate count of exposed records that could be subject to notification.
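The scoping analysis the case study describes, as an added example that is not part of the presentation: split completed downloads by access mode (anonymous versus authenticated), then intersect the anonymous set with a content review so only records that rise to the level of notification are counted. The xferlog-style log lines and the content-review table are constructed for the example; the field positions follow the wu-ftpd xferlog convention.

```python
"""Scope a notification population from FTP transfer logs (added example, not
from the presentation). Input is assumed to be wu-ftpd style xferlog lines, one
transfer per line; the sample below is constructed. Field meanings follow xferlog:
direction 'o' = download, access-mode 'a' = anonymous / 'r' = real user, status 'c' = complete."""
from collections import namedtuple

Transfer = namedtuple("Transfer", "when host path direction access user complete")

def parse_xferlog_line(line):
    """Split one xferlog line into the fields we need; None for malformed lines."""
    f = line.split()
    if len(f) < 18:
        return None
    return Transfer(when=" ".join(f[:5]), host=f[6], path=f[8], direction=f[11],
                    access=f[12], user=f[13], complete=(f[17] == "c"))

def scope_exposure(log_lines, record_is_notifiable):
    """Return (anonymous, authorized, notifiable) sets of record paths.
    Records with no content review default to notifiable (the conservative choice)."""
    anonymous, authorized = set(), set()
    for line in log_lines:
        t = parse_xferlog_line(line)
        if t is None or t.direction != "o" or not t.complete:
            continue  # uploads, aborted transfers and junk lines do not count
        (anonymous if t.access == "a" else authorized).add(t.path)
    notifiable = {p for p in anonymous if record_is_notifiable.get(p, True)}
    return anonymous, authorized, notifiable

# Constructed sample: one anonymous crawler session, one partner-bank session.
SAMPLE_XFERLOG = """\
Mon Mar 13 09:01:10 2017 1 203.0.113.5 2048 /pub/accounts/acct_000001.csv a _ o a anon@example.net ftp 0 * c
Mon Mar 13 09:01:12 2017 1 203.0.113.5 1980 /pub/accounts/acct_000002.csv a _ o a anon@example.net ftp 0 * c
Mon Mar 13 09:01:15 2017 1 203.0.113.5 2100 /pub/accounts/acct_000003.csv a _ o a anon@example.net ftp 0 * i
Mon Mar 13 10:22:40 2017 2 198.51.100.7 2048 /pub/accounts/acct_000004.csv a _ o r partnerbank ftp 1 partnerbank c
Mon Mar 13 10:22:41 2017 2 198.51.100.7 2048 /pub/accounts/acct_000001.csv a _ o r partnerbank ftp 1 partnerbank c
Mon Mar 13 11:05:03 2017 1 198.51.100.7 512 /pub/accounts/acct_000005.csv a _ i r partnerbank ftp 1 partnerbank c
""".splitlines()

# Constructed content review: does the record hold data that triggers notification?
RECORD_IS_NOTIFIABLE = {
    "/pub/accounts/acct_000001.csv": True,   # full account number present
    "/pub/accounts/acct_000002.csv": False,  # masked numbers only
    "/pub/accounts/acct_000004.csv": True,
}

if __name__ == "__main__":
    anon, auth, notify = scope_exposure(SAMPLE_XFERLOG, RECORD_IS_NOTIFIABLE)
    print(f"anonymous: {len(anon)}  authorized: {len(auth)}  notifiable: {len(notify)}")
```

The aborted anonymous transfer and the partner's upload are excluded, so two records count as exposed to anonymous access and only one of them is notifiable.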

Page 25

Case Study: Breach that Lost Client

• The Situation: The client provided a news feed service to a company, which in turn provided that feed to its own clients. The contract had been suspended for a period of time, but the client found evidence that the feed was still being provided. The client suspected a break-in by their client.

• The Solution: Analysis of the system that provided the news feed, documentation of how the feed worked, and then scrutiny of the evidence.

• The Results: Despite contrary claims, the client had not turned off the feed to their client. IT was mistaken about how the process worked. The evidence of the feed still being used, however, was faulty as well.

Page 26

Unusual Case Studies

• Unusual Case 1: VM (voicemail) system
  ◦ Client working with phone system vendor
  ◦ Entire database was loaded to an FTP site (unsecured)
  ◦ Originally thought there was no issue, but…

What is in the voicemails?

Page 27

Unusual Case Studies

• Unusual Case 2: ESXi Server
  ◦ Begins with an NTP reflection attack
  ◦ Ends in the discovery of an exposed server
  ◦ Forensics on ESXi is virtually non-existent

Page 28

Unusual Case Studies

• Unusual Case 3 – Wide open AD
  ◦ Client’s IT notified by a user that they were not restricted from entering a folder
  ◦ Review determined the entire company (multi-site) had Domain Admin credentials
  ◦ Investigation revealed 6 months of failed backups, hampering analysis
  ◦ A “work-around” script for installing an application created the problem, which was never remediated

Page 29

Questions?

Greg Kelley, EnCE, DFCP

Vestige Digital Investigations

Cleveland | Columbus | Pittsburgh

330.721.1205


www.vestigeltd.com