Friday, May 20, 2016

Blue Team Handbook notes - Categorizing cyber attack effects (MITRE)

Degradation: performance impact before and after the event.
Interruption: a system that is unavailable for a period of time.
Modification: data that was altered at rest or in transit.
Fabrication: planting new or fake information into a system.
Unauthorized use: resources used by an attacker, or inappropriate use by a person in a position of trust.
Interception: information is leaked and used by an attacker.

Tuesday, May 17, 2016

Blue Team Handbook notes - "Lessons Learned" - Step 6

Lessons Learned or Follow-up
Key Steps
Write follow-up report / conduct lessons learned meeting: the IR team writes the full report, checking the details with SMEs, and follows up on the recommendations.
Key Decisions
Is management satisfied that the incident is closed?
Proceeding forward from Lessons Learned
Management is satisfied that the incident is closed.

Blue Team Handbook notes - "Recovery" - Step 5

Recovery Steps
Key Steps
Validation: verify that systems, applications and databases are operating and free from signs of compromise.
Restore ops: coordinate the restore time window with the business.
Implement monitoring: e.g. Snort, an OS integrity checker such as Tripwire, increased router logging, and supplemental system and application logging.
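The "OS integrity check like Tripwire" item above, as an added example that is not from the handbook or the original post: a minimal Tripwire-style baseline that hashes every regular file under a tree, then diffs a later scan against it. The tree, file names and contents in demo() are constructed for the run; in practice you would baseline paths such as /etc or /usr/bin and keep the baseline off-host.

```python
import hashlib
import os
import tempfile

def file_record(path):
    """Content hash plus the metadata a replaced binary or edited config would change."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}

def build_baseline(root):
    """Walk a tree and record every regular file keyed by its path relative to root.
    Store the result off-host (e.g. as JSON) so an intruder cannot edit the baseline too."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline

def compare_baselines(old, new):
    """Added, removed and modified paths; every hit needs explaining before recovery is declared done."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed end-to-end run: baseline a temp tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in {"bin/ls": b"original ls", "sshd_config": b"PermitRootLogin no\n"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        # Simulated post-incident changes: a same-size trojaned binary (only the hash
        # gives it away), a dropped file, and a deleted config file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropper")
        os.remove(os.path.join(root, "sshd_config"))
        return compare_baselines(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```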
Key decisions
Any sign of repeat events?
Proceeding forward from Recovery
No sign of the events or incident repeating.

Blue Team Handbook notes - "Eradication" - Step 4

Eradication Steps
Key Steps
Root cause analysis: identify and determine the root cause and the execution path, and remove the attacker from the system.
Check for rootkit:
·         If a rootkit is suspected, reimage.
·         Reimage the system from the most recent clean backup.
Improve defenses: improve perimeter, DMZ, network, OS and application defenses everywhere, based on the findings.
Perform vulnerability scans: run VA scans, and if the same vulnerability is found elsewhere, eradicate it there too.
Key decisions
Have we hardened the environment enough to reduce potential recurrences?
Proceeding forward from Eradication
The IR team and the business are confident that this won't happen again.

Friday, May 6, 2016

Blue Team Handbook notes - "Containment" - Step 3

NIST SP 800-61 combines the Containment, Eradication and Recovery steps into one phase.

Characteristics which drive follow-on activity
The type of incident determines our action:
DoS/DDoS: control at the WAN/ISP.
Virus infection: contain the LAN/system.
Remote compromise: firewall, network trace, update ACLs.
Data loss: user activity, data breach.
System held hostage: recover from backup and harden the system.
Website defacement: repair and harden.
Internal/employee: monitor and involve HR.
Domestic espionage: evidence and civil suit.
International espionage: government support.
Other policy violation: evidence support.
Notification role by organization type
Government: Public Affairs Officer.
Corporate: media liaison.
Academic: university media relations office.
·         Various parties may require notification.
·         Use caution when notifying: the attacker may be an insider.
·         Follow the "need to know" principle in notification.
·         Remain factual and avoid speculation.
Immediate action
·         Stop the attacker with an ACL or by disabling the account.
·         Avoid changing too much before collecting volatile information.
·         Maintain a low profile so the attacker is not tipped off.
Initial data collection: what to gather early?
·         Collect network trace, logs, system volatile information and a memory image.
·         If needed, dd the disk.
Immediate isolation
System or network isolation. Try to capture memory before shutting down.
Longer-term actions
If the system cannot be taken offline, we can start to watch its network activity after the initial perimeter containment.
Key decisions
1.       Use specific methods to stop attackers.
2.       What are the risks of continuing operations?
3.       What actions are necessary to mitigate?
Containment step exit criteria
C2 to the attacker is stopped.
Affected systems identified.
Compromised system volatile data collected? HDD image collected?

Wednesday, May 4, 2016

Blue Team Handbook notes - "Detection & Analysis", a.k.a. Identification - Step 2

NIST SP 800-61 calls this phase "Detection & Analysis", also known as Identification.

Initial determination: decide whether the event is a possible incident before starting IR.
Assignment: if possible assign two IR people, and log the start time.
Check identification points: perimeter, DMZ, internal systems, line-of-business apps, and notifications from external sources.
Understand limitations: "no one size fits all"; you need a baseline to see what sticks out.
Run through the system checklist: check OS, network device and application-specific logs for suspicious activity. Analysis should be guided by a checklist to provide a uniform and consistent response.
Perform an internal vs. external system and network consistency check: netstat and tcpdump must not show discrepancies. Likewise, the nmap scan results, the process list and the memory analysis should all match up.
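The consistency check above, as an added example that is not from the handbook or the original post: it cross-compares the host's own view (netstat-style listeners and a ps-style process list) with the external view (nmap-style open ports) and reports each class of discrepancy. The three listings are constructed samples in netstat/ps/nmap line format; on a real case you would paste in the captured tool output.

```python
import re
# Constructed sample of what the host itself reports (netstat -tlnp / ss -ltnp style).
HOST_NETSTAT = """\
tcp   0  0 0.0.0.0:22      0.0.0.0:* LISTEN 812/sshd
tcp   0  0 127.0.0.1:3306  0.0.0.0:* LISTEN 1203/mysqld
tcp   0  0 0.0.0.0:443     0.0.0.0:* LISTEN 990/nginx
"""
# Constructed sample of the host's process list (ps -eo pid,comm style); mysqld's PID is absent.
HOST_PS = """\
  812 sshd
  990 nginx
"""
# Constructed sample of what an external scanner sees (nmap open-port lines); 4444 is unexplained.
EXTERNAL_NMAP = """\
22/tcp   open  ssh
443/tcp  open  https
4444/tcp open  krb524
"""
LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")
NMAP_RE = re.compile(r"^(\d+)/tcp\s+open\b")
PS_RE = re.compile(r"^\s*(\d+)\s+(\S+)")

def parse_host_listeners(text):
    """Return {port: (bind_addr, pid, name)} from netstat-style LISTEN lines."""
    out = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            out[int(m.group(2))] = (m.group(1), int(m.group(3)), m.group(4))
    return out
def parse_external_open(text):
    """TCP ports the external scan reports as open."""
    return {int(m.group(1)) for m in map(NMAP_RE.match, text.splitlines()) if m}
def parse_pids(text):
    """PIDs present in a ps-style listing."""
    return {int(m.group(1)) for m in map(PS_RE.match, text.splitlines()) if m}

def consistency_check(netstat_text, ps_text, nmap_text):
    """Compare the three views; every discrepancy is a lead the analyst must explain."""
    host = parse_host_listeners(netstat_text)
    external = parse_external_open(nmap_text)
    pids = parse_pids(ps_text)
    return {
        # Reachable from outside but not admitted by the host: hidden listener or hooked netstat.
        "external_only": sorted(external - set(host)),
        # Host says LISTEN but the scanner cannot reach it: usually a loopback bind or firewall; verify.
        "host_only": sorted(p for p in host if p not in external),
        # Listening socket owned by a PID the process list does not show: hidden process.
        "listener_without_process": sorted(p for p, (_, pid, _) in host.items() if pid not in pids),
    }
```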
Key decisions
1. Is the event an actual incident?
2. Do we watch and learn, or pull the plug?
Identification step exit criteria
The assessment process has determined that the events constitute a real incident, so activate the IR process and continue.

Example questions for the assessment:
1. Can you give a justification for the event not being an incident, such as a typo?
2. Is there a deviation from the norm?
3. How wide is the problem from an availability perspective?
4. Does an RCE vulnerability have a say here?
5. Is there publicly posted exploit code?
6. Are there any compensating controls?

Monday, May 2, 2016

Blue Team Handbook notes - Preparation - Step 1

Following the US Dept. of Energy and NIST SP 800-61 models, we will look at the six phases in more detail.

Step 1: Preparation

NTP: enable NTP on all devices.
Policy: have a login banner, know how to deal with law enforcement (LEA) and the media liaison, and get elevated user rights for IR personnel. The IR team needs to work as one with compliance and monitor the abuse email ID.
Central logging: needs to be enabled. Incident detection should be logged both locally and remotely.
Identity and user account management: we should have a one-user, one-account policy.
Service/system account management issues: establish a generic common user name and ensure that the password on that account is rotated.
Jump bag contents: never steal from it :-p. Clean HDD (wiped as per NIST 800-88), incident forms, bound notebook, pens, call tree, tools such as a Leatherman, Kali on CD/bootable USB, flashlight, network tap, earplugs for the data center, spare clothes.
OOB notification capability: everyone on the IR team needs a cellphone and a secondary email address.
Helpdesk/service desk: train these people to identify trends and call the IR team.
Work out IR team issues: determine IR team members and rotation, budget to continue training, SLAs, periodic IR drills, and a secure room and cabinets to lock up evidence.
Key decisions
1. Decide on "watch and learn" or "pull the plug".
2. Decide on "contain and clean" or preserve evidence.
3. Understand applicable data breach.
4. Determine a process for handling and reporting criminal activity.
5. Understand the organization, its stakeholders and their expectations.
6. Ensure that the IRT understands and supports the organization's priorities.
7. Fully understand the IR operating model, roles and forensics capability.