Example Security Incident Response Policy

Assumptions

These are the assumptions made for <company name> with respect to how this incident response policy was developed.

  • <company name> already employs an incident response team responsible for monitoring and response.
  • The Cyber Incident Response Team (CIRT) has a Security Information and Event Management (SIEM) tool that ingests network traffic as well as successful and failed logins and has rules in place to create alerts.
  • An Intrusion Detection System/Intrusion Prevention System (IDS/IPS) and an Endpoint Detection and Response (EDR) tool are also in place to help detect and prevent malicious activity on the network.
  • Web servers run on site and are controlled internally.

Incident Response Policy

The incident response policy involves multiple parties in finding and addressing incidents that occur within the <company name> network. This policy aligns with the SANS Institute Incident Handler’s Handbook.

The Cyber Incident Response Team will be in charge of monitoring network activity internally and at the connection points on the perimeter of the company’s network. There is also a network team that is responsible for fixing internal networking issues and will be consulted if a networking issue is involved in an incident. Outside contractors and vendors may also be consulted.

The manager of the incident response team, the Chief Information Security Officer, and the CEO will be notified of an incident at different points of the investigation. The manager of the incident response team has the authority to declare an incident and to authorize minor remediation steps, such as isolating user devices from the internal network, but not removing a production server from the internal network. The CISO has the authority to authorize any remediation step.

Team structure and necessary relationships

The Cybersecurity Incident Response Team will be composed of security operations analysts and engineers with varying levels of incident handling experience. The team will provide 24/7 coverage so that alerts can be triaged and responded to at all times.

The executive incident response team will include the incident response manager, the CISO, the networking team manager, and for some instances the CEO.

An outside vendor may be called in when the CIRT manager believes the vendor can give insight into the investigation, or during the recovery stage. Additionally, in the aftermath, the CISO may need to contact the legal team and law enforcement to report the incident. To determine whether such contact is necessary, the CISO and CIRT manager should discuss legal obligations with the internal legal team.

Incident Response Procedures

This portion of the policy follows the SANS framework highlighting steps 2 through 7 and outlines the response for a website compromise.

2. Preparation

This phase of the policy is meant to prepare the team for identifying and responding to an incident found in the company’s environment. 

  • This policy encompasses the procedures the company follows when addressing incidents.
  • The company will have periodic scans in place to check its network and devices for potential compromises.
  • The Cyber Incident Response Team (CIRT) has a Security Information and Event Management (SIEM) tool that ingests network traffic as well as successful and failed logins and has rules in place to create alerts.
  • An Intrusion Detection System/Intrusion Prevention System (IDS/IPS) and an Endpoint Detection and Response (EDR) tool are also in place to help detect and prevent malicious activity on the network.
  • CIRT members will receive ongoing training on how to respond to detections and how to perform throughout an incident.
  • Periodic vulnerability scans of servers should also be run to find known vulnerabilities.

3. Identification

Identifying an indicator of an attack involves knowing what is normal on the network and then being able to recognize the abnormal and investigate it further. This part of a compromise may take many forms: an alert for many failed logins followed by a successful one, network traffic to a suspicious external IP address, or indicators of a malware download. These indicators may come through the SIEM, the IDS, or anti-virus software.

During the identification process, CIRT members should document indicators and evidence and research those indicators, such as file hashes and the origin of IP addresses. CIRT members should escalate to the CIRT manager once they believe there is an incident.
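As an added illustration of the alert rules this phase relies on (example code written here, not part of the policy or of any particular SIEM product), the following Python implements two of the indicators named above over constructed log lines: a run of failed logins followed by a success for the same account and source, and a network flow to an address on a watchlist. The log format, the addresses and the watchlist are assumptions.

```python
"""Identification-phase alert rules: (1) many failed logins followed by a
success for the same account/source, (2) outbound traffic to a watchlisted IP.
Added example with a constructed log format; not the policy's SIEM rules."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (TEST-NET addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
2024-01-05T09:00:01 auth FAILED user=jdoe src=203.0.113.7
2024-01-05T09:00:03 auth FAILED user=jdoe src=203.0.113.7
2024-01-05T09:00:05 auth FAILED user=jdoe src=203.0.113.7
2024-01-05T09:00:07 auth FAILED user=jdoe src=203.0.113.7
2024-01-05T09:00:09 auth FAILED user=jdoe src=203.0.113.7
2024-01-05T09:00:11 auth SUCCESS user=jdoe src=203.0.113.7
2024-01-05T09:05:00 auth FAILED user=asmith src=198.51.100.9
2024-01-05T09:05:02 auth SUCCESS user=asmith src=198.51.100.9
"""

# Constructed sample flow log: internal host -> external destination.
SAMPLE_FLOW_LOG = """\
2024-01-05T09:02:00 flow src=10.0.0.12 dst=203.0.113.7 dport=443 bytes=52000
2024-01-05T09:02:30 flow src=10.0.0.12 dst=198.51.100.50 dport=443 bytes=1200
"""

# Hypothetical watchlist of suspicious external addresses (e.g. from threat intel).
WATCHLIST = {"203.0.113.7"}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$")


def detect_bruteforce_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when >= threshold failures for (user, src) inside `window`
    are followed by a SUCCESS from the same (user, src)."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the rule
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["src"])
        q = recent[key]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if m["result"] == "FAILED":
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({"rule": "bruteforce-then-success", "user": m["user"],
                           "src": m["src"], "failures": len(q), "success_at": ts})
            q.clear()  # one alert per burst
    return alerts


def detect_watchlist_hits(lines, watchlist):
    """Alert on any flow whose destination is on the watchlist."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m and m["dst"] in watchlist:
            hits.append({"rule": "watchlist-destination", "src": m["src"],
                         "dst": m["dst"], "bytes": int(m["bytes"])})
    return hits


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
    for hit in detect_watchlist_hits(SAMPLE_FLOW_LOG.splitlines(), WATCHLIST):
        print(hit)
```

The threshold and window are the tunables an analyst would adjust against the baseline of what is normal on the network.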

4. Containment

Once an incident is identified, the next phase is containment. This phase is meant to prevent further damage or exposure from occurring. 

  • If a website has been compromised, the attacker may have gained access to the internal network and may have planted malware or command and control software.
  • If a laptop or device is known to be compromised, the CIRT manager will immediately authorize isolating the device.
  • If a production server is known to be compromised, the CIRT manager will escalate to the CISO, who will determine based on the information provided whether the server can be taken offline and remediated.
  • If the successful infiltration of the network is due to a compromised account, the account shall be disabled or a password reset shall be forced.

During containment, forensic images of the affected devices, including their logs, will be taken so that the systems are preserved as evidence.

5. Eradication

This phase of the plan is the process of removing or remediating the issue, for example by changing passwords, deleting files, or restoring to previous versions.

  • If an account has been compromised, CIRT should force a password reset of the user’s account.
  • If malware was downloaded onto a server or device, delete all associated files.
  • If any environment variables or registry keys were modified, reset or remove them.
  • If restoring environment variables or registry keys or removing the malware is not possible, the computer will need to be reimaged.

6. Recovery

This part of the process includes returning the functionality of the compromised system back to normal.

  • There should be a way to test the compromised device before returning it to the network, to determine that remediation was correctly implemented and that there are no other potential compromises.
  • There should also be documentation that the testing occurred and was successful before the device is returned to the network.

7. Lessons Learned

This part of the process is about understanding what went right and what went wrong in the previous steps and devising steps to improve the process. It is not meant to place blame for any missteps; it is meant to determine whether all the processes in place were followed and whether any changes should be made to them. The CIRT manager should gather information from the team members that were part of the incident and consolidate it into an easily digestible document.

Communications Plan

This portion of the policy describes how effective communication will take place during the attack and afterwards.

3. Identification 

During this phase, the CIRT members communicate to help determine whether the alert is an incident. The team member reports the identifying features of the alert up to the manager. Once the alert is determined to be an actual incident, the CIRT manager reports it to the CISO, depending on the severity of its impact.

4. Containment

During this phase, the CIRT members and the manager communicate to determine the spread of the attack and everything that is affected, as well as how the incident should be contained according to best practice.

5. Eradication

During this phase, there will be communication about the steps being taken to remove the issue causing the incident. Additionally, there should be discussion of how to collect potential logs or files left by the attacker as evidence. If the attack is specific to a vendor’s product, that vendor should be notified within this period so that they can perform an internal analysis.

Also at this phase, there should be discussion about bringing the incident to the attention of the internal legal team or law enforcement. The CISO is the designated role for reaching out to these outside parties.

6. Recovery

During this phase, the CIRT members and the manager communicate to make sure they are following best practices and to discuss how to put the affected device back onto the network.

Additionally, at this phase or within a reasonable time after identification of the incident, there should be discussion about alerting the media and customers whose data may have been exposed. This may require email or phone communication, and potentially even retraining call center staff in preparation for a flood of concerned callers.

7. Lessons Learned

During this phase, there will be communication between the CIRT members and the manager to make sure there is documentation and evidence of all the events that occurred during the incident. The manager will add sections about lessons learned and how to improve processes. This may also be shared with the CISO and CEO.

References

Cichonski, Paul, et al. “Computer Security Incident Handling Guide.” National Institute of Standards and Technology, U.S. Department of Commerce, Aug. 2012, nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf. 

Kral, Patrick. “Incident Handler’s Handbook.” SANS Institute Information Security Reading Room, 5 Dec. 2011, http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901.

“SAMPLE INFORMATION SECURITY INCIDENT RESPONSE PLAN.” ISBA Mutual, EPlace Solutions, Inc., 2015, http://www.isbamutual.com/wp-content/uploads/2018/08/Cyber-Incident-Response-Plan.pdf.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Understanding The Diamond Model with Target Breach Example

The Diamond Model in cybersecurity is a concept used for intrusion analysis. It has four main aspects: adversary, capability, infrastructure, and victim. Every cybersecurity incident will have at a minimum these four factors.

Background of the Target Breach

I will be examining the Target Corporation data breach that occurred in 2013. During this breach, an “estimated 70 million pieces of personally identifiable information” (Rowe) were stolen from the Target Corporation. In many cases, Target has been made an example of how security can impact a corporation; however, there are still only minor changes occurring to remedy cyber security threats. The following is an overview of what happened during the breach. A third-party vendor was working with Target on the refrigeration services for incorporating food into Target’s sales. The third-party vendor had poor password security, and an adversary was able to get into its system. The adversary was then able to traverse the network and install malware on the cash registers that sent the credit card data to the adversary before it was sent on to be processed for the purchase. The malware was on the network during the busy season around Thanksgiving. The breach was reported in December of 2013, and afterwards there was an investigation into what part of the system was vulnerable and what would prevent a similar cyber-attack in the future.

Applying the Diamond Model

Within the Diamond Model, there are four vertices: adversary, victim, infrastructure, and capability. Additionally, there are two edges: the connection between the adversary and the victim, called the social-political meta-feature, and the connection between the infrastructure and the capability, called the technology meta-feature.

When applying the Target data breach to the Diamond Model, the terminology can be given values. The adversary is unknown; during the investigation, the root cause of the breach, the capability, was the concern, not the adversary. The victim is the organization Target and the customers who provided their credit card data to Target during their purchases. The social-political meta-feature was the adversary’s drive to sell the gathered information for money on the black market. The capability “stemmed from hijacked credentials stolen from Fazio Mechanical Services, a third party service provider.” (Plachkinova) Once inside the network, there was not much network segregation, so the adversary would have been able to jump from the “point of sale terminals to mission critical back-end systems.” (Plachkinova)

The adversary was able to install malware on the point of sale terminals and pull the credit card data as it passed through the system during a sale. The infrastructure is then the means of getting the data off the infected machines. Because the malware was installed on the point of sale machines, which had insufficient whitelisting and malware detection, the adversary had command and control over the systems and could send the credit card data out of the network, where they were able to retrieve it. (Rowe)

Policy Assessment

This incident occurred during a time when not many cyber security attacks had occurred yet; it was basically the beginning. At this time, Target did not employ a Chief Information Security Officer or anything similar. There was no one on staff making decisions on how to keep the information and network safe and secure from the possibility of cyber security attacks.

There could be many ways to try to regulate cyber security for organizations, but when looking at how to solve the problem we have to consider many different aspects. Many cyber security issues could be corrected through legislation at the international level; however, this is not feasible in many situations. It is unlikely that all nations can be made to work together when many may want to allow such attacks to occur.

I believe the type of incident that occurred against Target could be handled at the organizational, industry, or national level. The fastest way would be internal to the organization, which is how this was resolved in reality: an investigation occurred and Target made changes within its organization to improve its cyber security and try to prevent this from occurring again. This allows an organization to make its own policy swiftly; however, that policy still may not meet the standard the industry or nation would set. For this part of the attack, the best option would be at the organizational level, specifically the ability to define password regulations. Since this aspect was how the adversary got into the Target network, Target should create a password policy and phishing prevention techniques for its network and for any third parties that connect into its network. Additionally, employees can be the company’s weakest link. (Manworren) This can be addressed with an organizational policy and training developed to help prevent phishing attacks and to recognize the signs of an insider threat.

At the industry level, there can be more collaboration to define industry standards. At this level there is still no way to enforce these standards, but the corporations involved usually want to participate in what is decided. The other part of the attack, the adversary being able to install the malware and send data back out, was due to not having network segregation and not enforcing strict whitelists for the point of sale devices. This could be solved by including in industry standards when and how to use whitelists in certain situations, as well as how an organization should implement network segregation between different areas.

A solution at the national level would do a good job of enforcing consequences if an organization was not in compliance. However, this level of action would take a lot of time and work to make happen. There is also the possibility of politicians being incompetent and not including experts when creating the legislation, which could create loopholes and workarounds.

References

diamond.pdf (The Diamond Model of Intrusion Analysis)

https://landing.joinbrix.com/posts/target-security-breach-overview.html

https://cyware.com/educational-guides/cyber-threat-intelligence/what-is-the-diamond-model-of-intrusion-analysis-5f02/

https://jise.org/Volume29/n1/JISEv29n1p11.html

https://www.researchgate.net/publication/295394659_Why_you_should_care_about_the_Target_data_breach


Getting Started with Capture the Flag (CTF) Events

Let’s start off with some background. Capture the Flags in the cybersecurity industry are usually put on by companies to help find talent and to let hackers practice their skills. These events usually have awards or prizes for completing the most tasks or finding the most “flags”. In my opinion, CTFs are more like scavenger hunts than the actual game of capture the flag: a player is given clues and must find the answers that lead them to a hidden flag.

There are different styles of CTF. One is Jeopardy, where the board looks like the game show Jeopardy and teams try to solve the questions to get points. Another is Question and Answer, where there can be different sections with questions related to each topic; for example, a reconnaissance section asking questions about certain organizations that can be answered from the internet or the company website. A rarer style is what I would call immersive game play, where the people putting on the CTF have created a little world in which you must travel around and interact with characters to solve different steps. Almost all CTFs have points associated with the different steps or answers; when a player completes a task they get the points and can move up in the ranking.

Starting out with one of these Capture the Flags can be daunting, especially when you don’t know anyone else or really what to expect. However, they are usually great ways to learn more about your skills and grow them. As you play more, you can enhance your knowledge and learn more tools. Anyone can sign up for these events, so joining is the first step! Many events are set up for college students and entry-level professionals, but some events are for high school students.

Some examples of the sections are, as mentioned before, reconnaissance, which mainly involves finding information about a person or company that could be relevant to finding a weakness. There may also be topics on network scanning, which may involve command line tools such as NMAP and their correct flags, or searching through Wireshark capture files. Another topic could be steganography, where you are given files (sound, picture, or video) and must find hidden messages. Finally, there may be converting messages between different encryption schemes or bases (such as base64).

Now this may sound overwhelming, but a lot of these tasks can be solved using publicly available tools that you can download. Wireshark can be downloaded, and there are tutorials on how to read the captured traffic. CyberChef is a tool that can decrypt or convert files.

Cybersecurity companies sponsor these events or put them on to find people who may have the skills they want to hire. Additionally, some cybersecurity conferences have CTF events for attendees to participate in. These are great ways to play in a CTF while also attending different talks and learning more about cybersecurity topics.

As you participate in these events, don’t forget to add them to your resume! These show that you take time outside of work and classes to continue education and active community participation in cybersecurity.

Many CTF events have introduction videos or talks to help newcomers understand how the game is set up. Additionally, depending on who is putting on the event, they may walk through a couple of the questions and answers to show how they solve the puzzle and get to the right answer. This can be great for those who have never been involved in one before.


KringleCon 2020 Partial Write Up

KringleCon is a conference that has been held yearly since 2010. It is put on by the SANS Institute, which, if you don’t know, is a really great company that develops educational material for certification courses. These are usually very expensive, so most people try to have their companies sponsor their prep courses and exam fees.

This was my first year participating in this hack challenge, and two things stood out to me as really great and enjoyable. One is that they have a Discord channel with moderators, which allows participants to join, ask questions, and get hints to progress when they get stuck. I am one of those people who, when I get stuck, likes encouragement after some research time. This feature gave me the desire to keep going through the different content. With that said, there is a lot of content and I was not able to get through all of the challenges. The second feature is that they have their own music! It’s all on Spotify here. My favorite songs are “I Could Be Santa” and “I Saw Mommy Kissing Santa Claus”.

So follow along as I walk through some of the content that I was able to complete. All of the text in blue is the commands I entered into the different terminals in the challenges.

WARNING: SPOILERS AHEAD

[Image: openingpage.png]
https://2020.kringlecon.com/

First, make an account with a user name and create your character from the preset selection of options. There is also an informational video for getting started with some helpful tips here. Then we can get started with some of the objectives and things found along the way.

Objective One: Uncover Santa’s Gift List

There is a photo of Santa’s Desk on that billboard with his personal gift list. What gift is Santa planning on getting Josh Wright for the holidays? Talk to Jingle Ringford at the bottom of the mountain for advice.

When you first appear in the KringleCon world, there is an elf that, when clicked, gives you hints to download the billboard picture in the distance. This pops open a new tab with the picture, and on the desk there is a list with swirled writing. There is also a hint I found indicating to use a tool called Photopea. With this tool you can choose the “lasso” function to draw a circle-ish shape around the spiraled writing and then use the “twirl” feature to make it readable.

We are looking for what Josh Wright wants for a present, and we learn that he wants a Proxmark3. We can then input this into objective one in the settings and move on to the next objective.

Objective Two: Investigate S3 Bucket

When you unwrap the over-wrapped file, what text string is inside the package? Talk to Shinny Upatree in front of the castle for hints on this challenge.

This objective starts in the area outside of the castle talking with Shinny Upatree.

[Image: outsidecastle_2.png]

Starting with the Kringle Kiosk: it opens into a menu, and you can go through the options and see what exists. I liked being able to see where the different elves were located. Then there is a hint that option 4 is where the command line vulnerability exists and to use /bin/bash to find it.

It took me a couple of tries to realize that the ampersand operator is needed for the interpreter to continue on and execute the command.

& /bin/bash

This completes the mini task and we get a couple more hints from Shinny Upatree to complete the Investigate S3 Bucket.

For this one I needed a lot of help from the Discord channel. It took me a while to figure out how to even download the file needed. The gist of this objective is to use an existing script, changing its input values, to search for a hosted S3 bucket and automatically download a file, then work through all the extensions, unzipping all the way down to the base txt file, and read the note.

I added the word “wrapper3000”, as indicated in the notes, using the vi interface tool. This is a command line tool that opens txt or other files in the terminal so you can edit and save them when you need to make quick changes. I spent a lot of time trying different potential words because I didn’t realize that it was case sensitive. I had tried “Wrapper3000”, but that is not the same as the version with a lowercase ‘w’. Once the new word was added, I was able to run the script and auto download the file.

./bucket_finder.rb wordlist --download

From here I ran several built-in command line tools to completely unzip the file package.txt.Z.xz.xxd.tar.bz2:

base64 --decode package > newpackage

unzip newpackage

bzip2 -d package.txt.Z.xz.xxd.tar.bz2

tar xopf package.txt.Z.xz.xxd.tar

xxd -r package.txt.Z.xz.xxd package.txt.Z.xz

xz --decompress package.txt.Z.xz

uncompress package.txt.Z

All of these steps were found by searching online for each extension and how to unzip it. From here we can cat the file to read it.

cat package.txt

It prints to the terminal: “North Pole: The Frostiest Place on Earth”. Then we can input this as the answer to objective 2 in the settings.
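As an added example (my own code, not from the challenge or its author), the manual base64/unzip/bzip2/tar/xxd/xz chain above can be generalized into an unwrapper that dispatches on each layer’s extension, or on content for the outer layers that carry none. The sample “onion” is constructed inside the code; the final .Z layer is left out because Python’s standard library has no Unix compress decoder, so in practice that last step would still be uncompress.

```python
"""Automated unwrapping of nested archive layers, keyed on the file name's
trailing extension (.bz2, .tar, .xxd, .xz) and, for the outer layers that
carry no extension, on content (base64 text, zip magic).  Added example
with a constructed sample; the .Z (compress) layer is omitted."""
import base64
import bz2
import io
import lzma
import re
import tarfile
import zipfile

MAX_BYTES = 50 * 1024 * 1024          # refuse to inflate a decompression bomb
B64_RE = re.compile(rb"[A-Za-z0-9+/=\r\n]+")


def xxd(data):
    """Produce a plain `xxd`-style hex dump (used only to build the sample)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {' '.join(groups).ljust(39)}  {printable}")
    return ("\n".join(lines) + "\n").encode("ascii")


def unxxd(dump):
    """Reverse an xxd dump (`xxd -r`): keep the fixed-width hex field after
    'offset:' and drop the ASCII column."""
    out = bytearray()
    for line in dump.decode("ascii").splitlines():
        hexfield = line.split(":", 1)[1][:40].strip()
        out += bytes.fromhex(hexfield)          # fromhex ignores the group spaces
    return bytes(out)


def _untar(data):
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        member = next(m for m in tf.getmembers() if m.isfile())
        return member.name, tf.extractfile(member).read()


def _unzip(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        name = zf.namelist()[0]
        return name, zf.read(name)


STREAM_LAYERS = {"bz2": bz2.decompress, "xz": lzma.decompress, "xxd": unxxd}


def unwrap(name, data, max_layers=20):
    """Peel layers until none applies; returns (inner name, bytes, layers peeled)."""
    layers = []
    for _ in range(max_layers):              # bound the loop on hostile input
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext == "tar":
            name, data = _untar(data)
        elif ext in STREAM_LAYERS:
            data = STREAM_LAYERS[ext](data)
            name = name[:-(len(ext) + 1)]
        elif ext == "zip" or data[:4] == b"PK\x03\x04":
            ext = "zip"
            name, data = _unzip(data)
        elif B64_RE.fullmatch(data):         # bare base64 text, as `package` was
            ext = "base64"
            data = base64.b64decode(data)
        else:
            break
        if len(data) > MAX_BYTES:
            raise ValueError(f"layer {ext} inflated past {MAX_BYTES} bytes")
        layers.append(ext)
    return name, data, layers


def build_sample(secret):
    """Constructed onion: package.txt -> .xz -> .xxd -> .tar -> .bz2 -> zip -> base64."""
    hexdump = xxd(lzma.compress(secret))
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("package.txt.xz.xxd")
        info.size = len(hexdump)
        tf.addfile(info, io.BytesIO(hexdump))
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("package.txt.xz.xxd.tar.bz2", bz2.compress(tbuf.getvalue()))
    return "package", base64.b64encode(zbuf.getvalue())


if __name__ == "__main__":
    name, data, layers = unwrap(*build_sample(b"North Pole: The Frostiest Place on Earth\n"))
    print(name, layers, data.decode())
```

The size cap and the layer bound are what distinguish this from a plain script: an untrusted archive can nest or inflate without limit, and an unwrapper run during an investigation should fail closed rather than exhaust the analyst’s machine.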

Objective Three: Point-of-Sale Password Recovery

Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What’s the password?

The courtyard is at the back of the castle. Once there, I started with the Linux Primer challenge. This challenge included finding munchkins and going through Linux command line tasks like removing files and traversing folders. I forgot to take notes on this part, but overall the steps were decently easy, and when I didn’t know a specific command, I looked it up.

Once done, Sugarplum Mary gives you a couple more hints to complete the objective.

[Image: courtyard_surgarplum.png]

Then we can download “santa-shop.exe”. With this, we want to get at the source code to see if there is a hard-coded password. To do this, we need to extract the files from the exe. I had read through some of the Discord, so I had a decent idea of what I needed to do, and I searched online for the specifics of how to do it on macOS.

I needed the command line tool npm to install the asar extension, but I only had brew installed for my command line. Brew is another command line package installer.

brew update

brew install node

Install asar globally

npm install -g asar

Make a directory to put the source folder

mkdir obj3-sourcecode

I then navigated to where the “app.asar” file existed; for me it was in the “app-64/resources/” folder. From this directory I could run the given command on the command line.

asar extract app.asar [insert full path to obj3-sourcecode folder]

I could then open the “main.js” file and right in it was the password.

“const SANTA_PASSWORD = ‘santapass’;”

Then we can enter “santapass” for the answer for objective 3.

Objective Four: Operate the Santavator

Talk to Pepper Minstix in the entryway to get some hints about the Santavator.

This objective is completed by wandering around the castle and picking up random objects and light bulbs to power the elevator. Not everything is going to be found on the bottom level, so you have to collect what you find on the bottom floor and then get to the other levels and find more.

There are three different light bulbs, red, yellow, and green, and a key to access the back panel. Directing the energy to the different colors allows different buttons to be used. This is what mine ended up looking like – not the prettiest, but functional.

[Image: elevator_hiddenpanel-1.png]

This allowed me to get to the different levels. However, I did not get far enough to get the fingerprint to access Santa’s office.

Completing Objectives 1-4 was as far as I got in the objectives. There were a couple of other areas to play around in.

[Image: diningroom.png]

In the Dining Hall, there was an arcade game called The Elf Code, where you gather lollipops on each level and evade other objects. This was accomplished by using JavaScript to move your elf around the screen.

[Image: dininigroom_elfcode_1-1.png]
[Image: dininigroom_elfcode_0.png]

It gives you some hints about what it expects as input, and then you write the JavaScript code at the bottom and run it. If successful, you can move on to the next round with increasing difficulty.

Another arcade game was on the Kringle Talks floor. To find it, you had to talk to Bushy Evergreen and open the UNprep door for the speakers. There was a hint to run the strings command against the binary file found in the terminal next to Bushy Evergreen.

strings door

Then when scrolling through the output there is wording identifying the plaintext password:

[Image: unprep_terminal_doorpassword.png]

So we run the door executable and enter the password when asked.

./door

Op3nTheD00r

And presto – the door is now open and we can enter the UNprep room. There were a couple of other tasks that I did not complete, like turning on the lights and getting the vending machine to work.

In here is the arcade game Snowball Fight.

[Image: snowballfight_battleship.png]

This was basically the game Battleship, which you could play against an AI at the difficulty level you chose. I played the old fashioned way – not trying to hack the AI – and man, I was not good!

Verdict

Overall, I thoroughly enjoyed this hack challenge! I wish I had taken more time to get through even more objectives and side plots. There was so much content that even after spending many hours playing, there was still plenty more to keep me enthused. Additionally, there were many learning opportunities to search the internet for the concepts I was stuck on or to gain insight from the other players on Discord.

I will definitely be playing again next year to continue learning new skills and engage with new content!