So You've Been Breached. What Now?

Author:Jeff Propes
Date:June 10, 2016

Follow along with me at http://self2016.grimoi.re/incident_response/

Overview

Introduction to Incident Response

Three Competing Priorities

IR Lifecycle

Communication Do's and Don'ts

Introduction

Incident response (IR) is the field of computer security concerned with responding to security events

Source Material

Some of the material from this presentation comes from a really great book:

Blue Team Handbook: Incident Response Edition by Don Murdoch

If you only buy one book on this topic, make it this one

Buy more than one book please

Terms

Breach "[A] gap in a wall, barrier, or defense, especially one made by an attacking army."

Incident The nice, judgement-free word for an event. Safe to use in press releases and documentation without incurring baggage.

Blue Team Responsible for defending assets and infrastructure from harm.

Red Team Attacking infrastructure, process, etc. Sometimes innocuous, sometimes not.

Defining a Security Incident

Since the word "incident" is so generic, it can (and is) used by many people for many different things.

It's easier to define what a security incident is NOT:

However, all of these might be symptoms of a breach

The Three P's

The very soul of blue team security is three key concepts:

Preparation Maintain readiness and complete pre-work when things are quiet

Pattern Recognition Distinguishing between normal and abnormal patterns or conditions, which may require a response

Process Address identified patterns and codify responses in preparation for future events

Mapping IR to 3P

Incident Response features heavily in all three:

Preparation The success or failure of your incidence response depends upon how prepared you are

Pattern Recognition Informs you about an incident. Key component of forensics, a cousin to IR

Process Scripting responses to patterns, needs, and key events

Competing Priorities

Three fundamental priorities that are vying for attention/resources:

All three are critical. Neglect one at your peril.

Roles

"Incident response is a team sport." [1]

Witness The first person to recognize an abnormal pattern and report it. Don't let this person go home without getting a statement.

Researcher Investigates symptoms and collects evidence to make a diagnosis

Custodian Responsible for clean up in-so-far as his/her work does not interfere with the researcher

Communicator _All_ communication to any outside party not directly assisting in the response goes through this person. Period.

Additional Roles

If you have a large number of personnel (lucky you), you can subdivide out more roles as follows:

Log Keeper Record the events and times of the response. Especially critical early in the response

Coordinator Supporting primary role members with small jobs so they can stay focused

Insulator Interface to the bosses/C-levels to keep them off the team's back

Secondary Forensics Tasked with helping the researcher chase down leads

Witness

When you think you've detected a breach, what is the first thing you should do?

  1. Look at the clock. Pick up a pencil. Legibly write down the exact time (with seconds if possible)
  2. Stop. Breathe in 5s, out 5s. Do this three times. This will help counteract your natural fight-or-flight response
  3. Double-check that you haven't made a simple mistake
  4. Ask for a second opinion. Scrambling the response team for a false positive is costly
  5. Make the call

Incident Response Lifecycle

  1. Preparation Read pp. 5-9 of the handbook
  2. Identification Intake. Do we need to scramble the team? If YES, begin process and initiate comms
  3. Containment Characterize the incident and follow your decision tree. Shut the attack down.
  4. Recovery Restore to normal operations. Don't destroy evidence!
  5. Follow Up Root cause analysis. Adjust procedures as necessary. Final comms. Lessons learned.

Return to step 1

Understanding Challenges

Certain challenges show up in almost every IR:

Keys To Success

Preparation Keys To Success

Communication

As the communicator, you have the most important role on the team.

Don't fuck it up.

Communication Do's

The following is my personal guidelines on how to communicate during a crisis such as security incident

DO:

Communication Don'ts

DON'T:

Conclusions

Fin

Thanks for coming!

This presentation can be found permanently at http://self2016.grimoi.re/incident_response/

Citations

[1]Murdoch, D. W. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder. United States: CreateSpace Independent, 2014. 4. 4. 4. 4. Print.