Tag: incident

Posted on

NASA Case Study

I believe that if NASA had been responsible for the maintenance of the system, they would have written a similar report. I did further digging into reports the Inspector General for NASA has released and overall they seem to be objective and almost like a third party. However, even with seeing these reports, I still have some skepticism that there exists some internal pressure to not completely convey NASA as incompetent or in a more than manageable negative light. Even if NASA were to put forward a report where they were at fault it would most likely be more geared to what they were doing well and include plans of how they aim to resolve the findings. Whereas, in the Cybersecurity Management and Oversight at the Jet Propulsion Laboratory, the Inspector General report creates a negative appearance of JPL and a negligence on their end putting complete fault onto their operations.

Due to there being many major findings that NASA found with JPL, there are many approaches that JPL could take to remediate their issues; however, many will take time to implement and change culture.

For incomplete inventory, this is something that many companies struggle with, but is probably the most important step. If the company does not know what devices it has on its network, then there is no way they can sufficiently defend the network. This can be remedied by using a third party software that collects identifying features of the devices and aggregates them into a single pane of glass.

For segmentation of a network, many companies also struggle with concept as well. There are many companies that have a flat network and once a device connects, it could potentially see everything else connected to that network. One way to remedy this would be to have completely separate networks for the different partner environments. This would allow for devices within certain networks to only see ones that it should. Devices should go through an approval process and require authentication to be on the specific network.

In terms of patching, many companies face this as a culture issue. The best way to combat this is to talk to leadership in different ways that highlight the level of importance patching is. Usually this will include dollar amounts of downtime for patching and potential loss time and money if a vulnerability was exploited due to not patching.

Policy should match practice for accountability and ability to audit the company’s processes. Without policies as an enforcer, the entire company could turn to chaos as some issues may be overlooked or forgotten. Additionally, promises to customers may include these policies and staying in accordance to them. Any falter could be a liability and cause for the other company to sue.

Reference

Final Report – IG-19-022 – Cybersecurity Management and Oversight at the Jet Propulsion Laboratory, Report No. IG-19-022, Office of Inspector General

Posted on

Target Case Study

Incident detection and response can allow for fast finding and triage of events to determine if there is malicious intent behind certain actions that take place on the network. When corporations work with third party vendors or acquire attributes of other businesses, there must exist some level of agreement to cooperate between the businesses. Some companies are able to respond better to incidents due to many factors and this should be taken into account when agreeing to work together. There should be some written agreement between the companies as to what access will be given to the different companies or reporting.

So for an acquisition, there may be some agreement that the company acquiring will be able to have visibility into the other company’s network and devices on the network. However, many third party agreements do not have integration between the networks, so instead there may be requirements that the company must report to each other known incidents they find or there Intrusion Detection System (IDS) must have certain levels met or response times to alerts. Business partners must have a defined agreement to be able to trust these partners as to not be attack vectors and also have a value of image, if one is compromised then the other may be pulled in whether it was actually their side or not.

I do not believe that small businesses must have a mature cyber incident detection and response capabilities within their own organization. However, I am of the opinion that if small companies want to work with these large companies that they should have some form of incident response that allows for finding potential compromises in their network, whether internal or third party. Then they should agree to having the compromise fixed and reporting that to the larger company. Additionally, the larger company should have some way to support the smaller company if requested and denoted in their contract of agreement. I believe that cyber is an area that changes rapidly and many small businesses cannot afford to have a full team dedicated to this area. However, these smaller companies still need to have something in place to account for these potential breaches.

References

United States Senate Committee on Commerce, Science, Transportation.​ A “Kill Chain” Analysis of the 2013 Target Data Breach.​ 2014

Posted on

Stuxnet Case Study Report

If I were designing security for Natanz, I would recommend many things in order to have defense in depth. I would want to implement a network prevention and detection firewall. This would allow for easily blacklisting or whitelisting IP addresses and certain ports. Additionally, I would recommend having an Endpoint Detection and Response (EDR) software implemented on all devices connecting to the internal network to allow for monitoring activity of potential unauthorized or malicious files running. I would also recommend they have a Security Information Event Management Tool (SIEM) in place to collect the logs from the network traffic and the EDR. This will allow a team to observe and have quick response if anything unusual is detected in the environment.

I believe that having an air-gapped system may still be beneficial in some situations. In cases where data should be completely offline from other things this is the best solution. However this would be a very rare case in my opinion. An example would be when writing or testing malware, a team would most likely want to be working in an air grabbed network to avoid the potential infection of other devices.

If a system is not air-gapped and is connected to the internet, then that means there is at least one device that can reach out to through the internet and in turn someone can reach in. I would argue that not being air-gapped is more likely to have a potential breach or attack occur.
I think the best way to detect a compromise of an air-gapped environment would be to have software similar to an EDR installed on each device, however there would need to be a human to check physically on each of the networks to check the EDR to see if there was any attempt of unusual activity on any of the devices. So this wouldn’t allow for a real-time response unless there was a person sitting watching the software constantly.

Usually there is not much a vendor can do to prepare for zero-day attacks. However, I would argue that because these attacks used for Stuxnet were all published before use that Microsoft should have been aware of them. I believe that companies should have a threat hunt team/ person. Part of this team’s role or doled out to a third party, should be to search in publications for compromises that may affect their systems.

References

https://en.wikipedia.org/wiki/Air_gap_%28networking%29#:~:text=Air%20gap%20%28networking%29%20An%20air%20gap%2C%20air%20wall,public%20Internet%20or%20an%20unsecured %20local%20area%20network​.

https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/ https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

Posted on

Yahoo Incident Case Study

The breach against Yahoo!, included exposing “the usernames, email addresses, phone numbers, birthdates, passwords and security questions/answers for at least 500 million Yahoo accounts” (NLR). This many accounts is a significant exposure and part of the reason the breach was hidden and minimal users were notified.

The company was fined $35 million from the SEC and $80 million from federal class action settlement (NLR). While these are significant amounts of money, I think this is a fair amount. The company was in an interesting place of knowing if they notified users that they would lose customers, but also risked that revenue in the interim and then later getting fined. I’m not sure fines will necessarily ever be effective until they become a large portion of a companies annual revenue, otherwise, they will always just be a slap on the wrist. I think there also needs to be more than fines to hold companies accountable. These types of issues are slowly being addressed in legislation like GDPR and the California Privacy Protection Act.

I do believe that Yahoo! Intentionally tried to cover up the breach. I think the sole fact that the company did not mass contact and inform it’s users of the breach shows that they were trying to hide what was occurring. The company notified 6 people of the millions of the breach. The National Law Review article states how the fines given to Yahoo! were the first time fines have been given to companies due to cyber attacks.This has been a continuing trend with the FTC holding companies accountable for breaches and privacy in general. In addition to fines, the FTC has been able to hold companies accountable for creating and maintaining security response teams.

I believe that Yahoo’s initial decision to not focus password resets was a significant mistake on their part. During the investigation process of determining if a breach has occurred or accounts have been compromised, resetting passwords is usually always a part of that process. Sometimes this is even just a good measure in the process, a “just-in-case”, try to reduce the possibility of if it is undetermined if the account was compromised, then at least a password reset reduces the chance that an attacker will be able to get in again. In this case where Yahoo! knew there were compromised accounts and stolen passwords and still did not force password resets is the epitome of a company not doing their due diligence and potential furthering their users to compromise; like if users use that same account information for other platforms.

References

https://www.natlawreview.com/article/hacked-hacker-hire-lessons-yahoo-data-breaches-so-far https://techcrunch.com/2018/09/06/alex-stamos-facebook-yahoo-security-officer/ https://fortune.com/2016/12/19/yahoo-hack-cyber-security/

Posted on

Example Cybersecurity Incident Report

Executive Summary

Timeline

On <date>, the SOC received notice from the Network Team about unusual behavior on the internal network. Upon further investigation, the SOC found successful logins after multiple brute force attempts. The SOC determined that there was malware present on the system to create a backdoor. A backdoor allows for unauthorized personnel to easily get back onto the network. After finding this malware, on <date> the internal website development team was authorized to revert the corrupted file to remove the malware.

There were multiple brute force attempted logins initially. Some of the successful logins were able to update the file in question.

TimestampIP AddressAction
06/Dec/2016:17:29:13 -0500
199.168.99.18
Brute force successful login
06/Dec/2016:1729:17 -0500
199.168.99.18
Update to the file
07/Dec/2016:11:13:22 -0500
199.168.99.18
Brute force successful login
07/Dec/2016:11:13:23 -0500
199.168.99.18
Brute force successful login
09/Dec/2016:12:30:41 -0500
142.54.189.162
Brute force successful login
09/Dec/2016:04:18:40 -0500
142.54.189.162
Update to the file
10/Dec/2016:05:00:00 -0500
142.54.189.162
Brute force successful login
10/Dec/2016:05:00:00 -0500
142.54.189.162
Update to the file
10/Dec/2016:05:00:00 -0500N/ANetwork team notifies SOC of the unusual behavior
10/Dec/2016:05:30:00 -0500N/ASOC begins investigation into logs
10/Dec/2016:14:15:00 -0500N/ASOC identifies the malicious code in the file
10/Dec/2016:15:00:00 -0500N/AThe network team receives approval for removing the infected server off the network.
11/Dec/2016:04:45:00 -0500N/AThe website development team reverts the infected file removing the malware from a version of the file from before December 6th, 2016.

Actions Taken

The SOC found the file with malware through searching the network logs. The network team removed the server hosting the infected file off of the network until restoration could commence.

The website development team took the action to restore the compromised file to a version before the first change by an unauthorized user. Then, the network team was able to place the server back online.

Based on external IP reporting tools, the IPs that successfully logged in after brute force attempts are not known blacklisted IPs. Therefore, the SOC believes these IPs are a part of a botnet, but not themselves malicious and will not be blacklisted from the network.

Financial Impact

Below is a table representing the costs associated with this incident.

ItemCost
Lost Revenue (1)
$560,000
Server Downtime for Restoration (2)
$140,000
Labor of Investigation (3)
$36,000
Total
$736,000

1 Loss of revenue is calculated by lost productivity for users and customers. This is done through average users in an hour over the timeframe the server was down (400/hour) and a flat rate of $100 per hour for productivity of customers/users. (400 x $100 x 14 hours)

2 Downtime cost is determined by a flat rate of $10,000 per hour that the server is down. The server was taken off the network for restoration for 14 hours.

3 Labor is determined through the average wage of investigators and the amount of time they worked the investigation. $45(average wage) x 20(number of investigators) x 48(number of hours worked)

Lessons Learned – Successes

  • The internal teams were able to coordinate an effective investigation and implement proper responses.
  • The Network team was able to identify the issue and alert the right parties to continue to investigate further.
  • The SOC was able to use purchased tools to determine the issue and work with the website development team to remediate.

Opportunities for Improvement

The following improvements will be tracked through JIRA to ensure completion.

Issue:​ The SOC was unable to identify the successful logins by the IPs brute force attacking. Recommendation:​ The SOC shall implement a new alert that will fire if a successful login occurs after over 5 failed logins. Additionally, the team will develop a playbook with this alert to allow team members to learn what steps to take when this alert fires. Action Item Owner: ​The SOC Manager

Issue:​ The SOC was unable to identify the successful logins by the IPs brute force attacking. Recommendation:​ The SOC team will develop a playbook with this alert to allow team members to learn what steps to take when this alert fires.
Action Item Owner: ​The SOC Manager

Issue:​ There was no immediate server backup to revert the system immediately. Recommendation:​ There should be hot and cold sites developed to have older versions of the files ready to take over when an issue arises to allow for less downtime.
Action Item Owner: ​The Network Team Manager

References

https://www.malwarebytes.com/backdoor/#:~:text=A%20backdoor%20refers%20to%20any,syst em%2C%20network%20or%20software%20application​.

https://github.com/bediger4000/php-malware-analysis/blob/master/backdoors/91.200.12.9-2018 -03-04a/README.md

Posted on

Example Security Incident Response Policy

Image sourced from https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ftse2.mm.bing.net%2Fth%3Fid%3DOIP.5wXNdnEY6i3CIN3liVFdRAHaHa%26pid%3DApi&f=1

Assumptions

These are the assumptions made for the <company name> in respect to how this incident response policy is developed.

  • There already exists employees a part of an incident response team, monitoring and response.
  • The Cyber Incident Response Team (CIRT) has a Security Information and Event Management (SIEM) tool that ingests networking traffic as well as successful/failed logins and has rules in place to create alerts.
  • There will also be an Intrusion Detection System/ Intrusion Protection System (IDS/IPS) and Endpoint Detection and Response tool (EDR) in place to help detect and prevent potential malicious activity from occurring on the network.
  • Web Servers are running onsite and are controlled internally.

Incident Response Policy

The incident response policy will include multiple parties to find and address the incident that will occur within the <company name> network. This policy will align with the SANS Institute Incident Handler’s Handbook.

The Cyber Incident Response Team will be incharge of monitoring the network activity internally and connecting points that fall on the perimeter of the company’s network. There is also a network team that is responsible for fixing internal networking issues and will be consulted if a networking issue is involved in an incident. There will also be outside contractors and vendors that may be consulted. 

The manager of the incident response team, the Chief Information Security Officer, and the CEO will be notified of an incident at different points of the investigation. The manager of the incident response team will have the authority to declare an incident and minor remediation steps, like isolating user devices from the internal network, but not removing a production server from the internal network. The CISO has authority to declare any remediation steps.

Team structure and necessary relationships

The Cybersecurity Incident response team will be composed of security operations analysts and engineers that have varying knowledge of incident handling. This incident response team will be 24/7 and have coverage at all times to respond to identifying alerts.

The executive incident response team will include the incident response manager, the CISO, the networking team manager, and for some instances the CEO.

An outside vendor may be called when the CIRT manager believes the vendor may be able to give insight into the investigation or in the recovery stage to report. Additionally, in the aftermath, the CISO may need to contact the legal team and law enforcement to report the incident. In order to determine if contact is necessary, the CISO and CIRT manager should discuss legal obligations with the internal legal team.

Incident Response Procedures

This portion of the policy follows the SANS framework highlighting steps 2 through 7 and outlines the response for a website compromise.

2. Preparation

This phase of the policy is meant to prepare the team for identifying and responding to an incident found in the company’s environment. 

  • This policy is meant to encompass procedures for the company to follow when addressing incidents.
  • This company will have periodic checking in place to scan their network and devices for potential compromises. 
  • The Cyber Incident Response Team (CIRT) has a Security Information and Event Management (SIEM) tool that ingests networking traffic as well as successful/failed logins and has rules in place to create alerts.
  • There will also be an Intrusion Detection System/ Intrusion Protection System (IDS/IPS) and Endpoint Detection and Response tool (EDR) in place to help detect and prevent potential malicious activity from occurring on the network.
  • CIRT members will have ongoing training to better learn how to respond to detections and how to perform throughout the incident.
  • There should also be periodic vulnerability scans on servers to potentially find known vulnerabilities. 

3. Identification

Identifying the indicator pointing to an attack involves knowing what is normal on the network and then being able to identify the abnormal to investigate further. This portion of the compromise may come in many forms. There may be an alert for many failed logins and then successful or network traffic to a suspicious external IP address. There may also be indicators of a malware download. These indicators may come through a SIEM, IDS, or anti-virus software. 

During this identification process, CIRT members should be documenting indicators and evidence. CIRT members should be performing research based on the indicators like file hashes and IP origins. CIRT members should escalate to the CIRT manager once they believe there is an incident.

4. Containment

Once an incident is identified, the next phase is containment. This phase is meant to prevent further damage or exposure from occurring. 

  • If a website has been compromised there is potential access has been granted to the attacker to be within the network and potentially plant malware or command and control software. 
  • If there is a known compromised laptop/device then the CIRT manager will immediately authorize isolation of the device. 
  • If there is a known compromised production server, then the CIRT manager will escalate to the CISO, who will determine based on the information provided if the server can be taken offline and remediated.
  • If the successful infiltration of the network is due to a compromised account, the account shall be disabled or forced password reset.

During the containment, forensic imaging of the device will take place to document the system as now evidence, including logs. 

5. Eradication

This phase of the plan is the process of removing or remediating the issue, like changing passwords or deleting files and restoring to previous versions. 

  • If there is an account compromise, CIRT should force password reset of the user’s account
  • If there is malware downloaded on the server or device, delete all files associated
  • If any environment variables or registry keys were modified, reset or remove the variables.
  • If restoring environment variables or registry keys or removing malware is not possible, then the computer will need to be reimagined.

6. Recovery

This part of the process includes returning the functionality of the compromised system back to normal.

  • There should exist a way to test the compromised device before returning it to the network to determine if remediation was correctly implemented and there are no other potential compromises.
  • There should also exist documentation that the testing occurred and was successful before returning the device to the network.

7. Lessons Learned

This part of the process is understanding what went right and what went wrong in the previous steps and devising steps to better the process. This part of the process is not meant to place blame on  any missteps, it is meant to understand if all the processes in places were followed and if any changes should be made to them. The CIRT manager should receive information from their subordinates that were part of the incident and consolidate the information into an easy digestible document.  

Communications Plan

This portion of the policy describes how effective communication will take place during the attack and afterwards.

3. Identification 

During this phase, there will be communication between the CIRT members to help determine if the alert is an incident. The team member will report up to the manager of identifying features of the alert. Once determined that the alert is actually an incident, the CIRT manager will report the incident to the CISO depending on how severe the impact of the incident is.

4. Containment

During this phase, there will be communication between the CIRT members and the manager determining the spread of the attack and everything that is affected. As well as how they should be containing the incident and best practice.

5. Eradication

During this phase, there will be communication about steps being taken to remove the issue causing the incident. Additionally, there should be discussion on how to collect potential logs or files from the attacker as evidence. If there is a vendor specific attack, that vendor should be notified within this period, in order for them to perform an internal analysis.

Also at this phase, there should be discussion about bringing the incident to the attention of the internal legal team or law enforcement. The CISO will be the role designated with reaching out to these outside parties.

6. Recovery

During this phase, there will be communication between the CIRT members and the manager to make sure they are following best practices and discuss how to put the affected device back onto the network. 

Additionally at this phase or within a reasonable time after identification of the incident, there should be discussion about alerting the media and customers that may have data exposed. This may need email or phone communication, even potentially retraining call center staff in preparation of the flood of concerned callers.

7. Lessons Learned

During this phase, there will be communication between the CIRT members and the manager to make sure there is documentation and evidence of all the events that occurred during the incident. The manager will add sections about lessons learned and how to improve processes. This may also be shared with the CISO and CEO.

References

Cichonski, Paul, et al. “Computer Security Incident Handling Guide.” National Institute of Standards and Technology, U.S. Department of Commerce, Aug. 2012, nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf. 

Kral, Patrick. “Incident Handler’s Handbook.” SANS Institute Information Security Reading Room, 5 Dec. 2011, http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901.&nbsp;

“SAMPLE INFORMATION SECURITY INCIDENT RESPONSE PLAN.” ISBA Mutual, EPlace Solutions, Inc., 2015, http://www.isbamutual.com/wp-content/uploads/2018/08/Cyber-Incident-Response-Plan.pdf.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.