TOPIC: The Incident Response Process, - Program, Plan, Policy, Process, Playbooks, and roles

our guest will be:

         Lesley Carhart - Principal Threat Hunter at Dragos Inc.

• Twitter: @Hacks4Pancakes

• Blog: www.tisiphone.net

News-Worthy - City of Atlanta ransomware FOLLOW-Up

Atlanta Working 'Around The Clock' To Fight Off Ransomware Attack

ATLANTA SPENT $2.6M TO RECOVER FROM A $52,000 RANSOMWARE SCARE

• https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/

Atlanta government was compromised in April 2017 – well before last week’s ransomware attack

• https://www.renditioninfosec.com/2018/03/atlanta-government-was-compromised-in-april-2017-well-before-last-weeks-ransomware-attack/

Compromised Connected Fish Tank - Comes from a global threat report (2017) from Darktrace - a summary of their case studies for the year

• Compromised Connected Fish Tank (page 8)

• Zero trust model, anyone?

Malware of the Month

Sigma Ransomware - Notable artifact

• No text in the body of the message, just an image of text

• Breaks any scanning of text for passwords to use in the attached Office documents by sandbox evaluation solutions

Site-Worthy

1.  BDIR - ISO 27035 - Information security incident management

• https://www.iso.org/standard/44379.htm

2.  BDIR - NIST 800-61

• https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final/

Guest - Lesley Carhart

1. http://www.forensicmethods.com/

2. http://windowsir.blogspot.com/

3. https://forensiccontrol.com/resources/free-software/

4. https://digital-forensics.sans.org/blog

Tool-Worthy

1. BDIR - Blue Team Handbook: Incident Response Edition: A : by Don Murdoch GSE

2. BDIR - Blue Team Field Manual (by Alan J White and Ben Clark

Guest - Lesley Carhart

1.  Didier writes lots of handy tools useful for forensics and IR. I use his pdf tools

• https://blog.didierstevens.com/my-software

2.  A fair bit for inspecting suspicious attachments; rtfdump and oledump seem to do the same for OLE and RTF files.

• https://blog.didierstevens.com/programs/pdf-tools

Other tools Lesley recommends you learn:

• SANS SIFT Kit VM

• Regripper

• Volatility

• Mandiant Redline

• SysInternals

• mft2csv

• NetworkMiner

• Log2Timeline

• FTK Imager Lite

Books Lesley recommends everyone read for IR

• Blue Team Field Manual (BTFM) - by Alan White (Author), Ben Clark (Author)

• Windows Internals, Part 1: System architecture, processes, threads, memory management, and more (7th Edition) 7th Edition - by Pavel Yosifovich (Author), Mark E. Russinovich (Author), David A. Solomon (Author), Alex Ionescu (Author)

• Windows Forensic Analysis DVD Toolkit, Second Edition 2nd Edition - by Harlan Carvey (Author)

• Digital Forensics with Open Source Tools: Using Open Source Platform Tools for Performing Computer Forensics on Target Systems: Windows, Mac, Linux, Unix, etc 1st Edition, Kindle Edition - by Cory Altheide (Author), Harlan Carvey (Author)

• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory 1st Edition - by Michael Hale Ligh (Author), Andrew Case (Author), Jamie Levy (Author), AAron Walters (Author)

• Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious SoftwareFeb 1, 2012 - by Michael Sikorski and Andrew Honig

Topic of the Day

The Incident Response Process,  - Program, Plan, Policy, Process, Playbooks, and roles

The Program

• ISO 27035 - Information security incident management

• NIST 80-61 - Computer Security Incident Handling Guide (August 2012)

Plan

• Incident Response Plan (sample) SEI

  • https://www.cmu.edu/iso/governance/procedures/docs/incidentresponseplan1.0.pdf

Model

• PICERL - SANS

• Prep, Detect/Analysys, Contain/Eradicate/Recovery, Post Incident Activity - NIST

Playbooks: (or “What to do in the event of...”)

1. Ransomware

2. Malware infection

3. Website defacement

4. Unauthorized Domain Admin Access

5. Multiple Simultaneous Logins

6. Media call / report of an incident from external entity

7. DoS

https://ayehu.com/cyber-security-incident-response-automation/top-5-cyber-security-incident-response-playbooks/

8.  Phishing

9.  Credential Stealing phishing  

10.  Lost or stolen equipment

11.  When to use Forensics

12.  How to do forensics

IESO - Cyber Security Forum - Playbooks

CERT SOCIETE GENERALE - IRM (Incident Response Methodologies)

(From a list found on Peerlyst)

1. Phishing

2. Virus or Worm

3. Ensure that the host has an updated virus definition file

4. Traffic Flows

5. Denial of service (Network Crafted)

6. Denial of service (spam)

7. Host Compromise (Trojan)

8. Network Compromise (Cracking)

9. Host Compromise (physical Access)

10. Domain Hijacking

11. Dns Cache Poisoning

12. Suspicious User Activity

13. User Account Compromised

14. Unauthorized Access (Employee)

15. Corporate espionage

16. Internet Hoaxes

17. IP Telephony denial of service or Outage

18. Unauthorized remote access protocol

19. Suspicious website access

20. Unexpected administrative account / permissions added.

Roles:

• What is each person responsible for?

All the people add up to  and are a part of your CIRT (NOT CERT)

• Incident Responder / IR Manager

• Incident Handler

  • Project Manager

  • Communication lead

  • Documentation lead

• Security Operations Analysts / Triage Analysts

• Forensic Analysts:

• Malware Reversers

• Security Engineering

• Threat Intelligence

• Leadership

• HR

• PR / Corporate Communications

• Legal Council

• IT (Domain Admin, Help Desk, Server Admins, Client / Patch Admins)

• Audit

• GRC / Disaster Recovery / Risk Management

• Developers / AppSec / Product Engineering

War Room

• What is it and when to use it and why

Tabletop Exercises

• What should you do here

IR Firm Retainer & Fees can be used for?

• What can you use them for?

Breach Notification

• Who is involved

• What to prepare

• Whom to involve

Training:

Carnegie Mellon - SEI - CSIH

• https://www.sei.cmu.edu/education-outreach/credentials/credential.cfm?customel_datapageid_14047=14324

• SANS

-----------------------------------------------------------------------------------------------