BreachExchange mailing list archives
Detecting a Data Breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 22 Jul 2015 18:57:05 -0600
http://www.forensicmag.com/articles/2015/07/detecting-data-breach

Almost every week we learn about a data breach where attackers went unnoticed for a significant period of time. In 2014, the average number of days was 205. Most recently, in the Adult Friend Finder breach, there is evidence that a third party detected the compromise at least two months before the breach was publicly reported. These numbers are not surprising to most seasoned incident response (IR) professionals, many of whom have worked cases where attackers have been in the network undetected for years — my personal record was a financial services organization that was compromised for seven years before being notified of the breach by a third party.

In most instances, it is not until a third-party notification that an organization learns it has fallen victim to a breach. A common scenario is when an organization’s machines reach out to a known nation-state infrastructure, which in turn tips off the FBI, who then alerts the organization that their machines have been compromised. It is at this point that forensic examiners typically are brought on board to investigate the cause and scope of the incident.

Given the statistics, it is no longer a question of “if” a company will be compromised, but “when.” Through continuous monitoring and advance preparation, incident response and forensic teams have the opportunity to turn the tables on attackers, minimizing impact and regaining control over their networks. Unfortunately, very few organizations do continuous monitoring because it is viewed as too time-consuming and too expensive. However, when attackers are left to freely roam a network, the ramifications can prove much more costly than the cost of continuous monitoring. For IR teams, understanding the key indicators of a compromise is the best place to start.

Key indicators of a compromise

Determining whether a compromise has occurred is typically a complex and time-consuming task.
Fortunately there are a few key indicators to get IR teams started. The first step is to identify whether there is just a generic suspicion that something bad is happening on the network, or whether there is more granular information, such as an individual machine behaving differently or a user who suspects they have opened a malicious attachment.

If it appears something odd is happening with the network, in-house IR teams will need to look at netflow to identify any unusual patterns in network communications. For instance, workstations talk to servers and servers talk to servers; however, it is very rare to see workstations making connections to other workstations. In most environments, that would be an abnormal pattern and an indicator that something may be wrong.

Are large amounts of data leaving the network from a particular machine? If yes, this may be a sign that the machine has been compromised and is being used for data exfiltration. While a server might send a lot of data out of a network, it is unlikely that a workstation will send a lot of data out, so this too may be an indication that a breach has occurred. At this point the IR team will want to dig down further to identify whether the host has indeed been compromised, and if so, what actions specifically have been taken by the attackers.

Determining the level of a compromise

In these early stages of an investigation, memory forensics is perhaps the best approach to determine if a particular host was compromised. In a memory forensics investigation, responders take an image or snapshot of a machine’s random access memory (RAM), including all of the programs running in RAM and their stored data, and then analyze the image. The task of acquiring memory is very straightforward. The process for analyzing memory, however, is a bit more difficult. Fortunately memory forensics tools and courses are available and growing in popularity.
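The two netflow indicators described under “Key indicators of a compromise” (workstation-to-workstation connections, and a workstation pushing an unusually large volume of data out of the network) can be checked mechanically against flow records. The following is an added example, not code from the article; the address plan (workstations in 10.10.0.0/16, servers in 10.20.0.0/16), the egress threshold and the sample flows are all constructed assumptions.

```python
"""Flag netflow patterns the article calls abnormal: workstation-to-workstation
connections and large outbound transfers from a single workstation."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan (constructed for this example): workstations live in
# 10.10.0.0/16, servers in 10.20.0.0/16; anything else is treated as external.
WORKSTATIONS = ip_network("10.10.0.0/16")
SERVERS = ip_network("10.20.0.0/16")
# Assumed per-workstation daily egress threshold; tune to the environment.
EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024


def role(ip):
    """Classify an address as workstation, server or external."""
    addr = ip_address(ip)
    if addr in WORKSTATIONS:
        return "workstation"
    if addr in SERVERS:
        return "server"
    return "external"


def analyze_flows(flows):
    """flows: iterable of (src_ip, dst_ip, bytes_sent). Returns a dict with
    the workstation pairs that talked to each other and the workstations
    whose total egress to external hosts crossed the threshold."""
    ws_to_ws = set()
    egress = defaultdict(int)
    for src, dst, nbytes in flows:
        if role(src) == "workstation" and role(dst) == "workstation":
            ws_to_ws.add((src, dst))
        if role(src) == "workstation" and role(dst) == "external":
            egress[src] += nbytes
    heavy = {ip: n for ip, n in egress.items() if n >= EGRESS_THRESHOLD_BYTES}
    return {"workstation_to_workstation": sorted(ws_to_ws), "heavy_egress": heavy}


# Constructed sample flow records: (src, dst, bytes sent)
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.20.0.10", 20_000),              # workstation -> server: normal
    ("10.20.0.10", "10.20.0.11", 5_000_000),          # server -> server: normal
    ("10.10.1.5", "10.10.1.9", 4_096),                # workstation -> workstation: abnormal
    ("10.10.1.5", "203.0.113.7", 700 * 1024 * 1024),  # workstation sends 700 MiB out
    ("10.10.2.3", "198.51.100.4", 30_000),            # small external traffic: normal
]

if __name__ == "__main__":
    for indicator, hits in analyze_flows(SAMPLE_FLOWS).items():
        print(indicator, hits)
```

Real deployments would read the tuples from an exported flow collector rather than a hard-coded list, and the threshold should be set from a baseline of the site's normal workstation egress.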
As a result, memory forensics, once largely an academic field, is seeing more mainstream use during investigations today.

Once responders determine a compromise has occurred, they must determine the severity. Memory forensics can help responders characterize the attacker. For example, does this look like a common malware infection, e.g., an opportunistic infection that occurs when a user simply clicked a malicious site? Was the compromised person/machine part of a botnet (most likely a non-targeted attack)? Or does this appear to be a targeted attack? Memory forensics can help answer these important questions.

Moving ahead with an investigation

At this point it is up to the IR team to decide if they have enough information to close the investigation (i.e., they found the malware), if they need to continue forward with the investigation, or whether they should hand off what they know to a forensic team. More often than not, the decision to move forward or seek assistance from a host forensic team is determined by the indicators derived from memory forensics and the potential impact. In some cases, if there is no evidence of data exfiltration and the attack does not appear targeted, the organization may simply reimage the impacted machine(s).

If at any point during the investigation the IR team feels out of their depth, a forensics team should be brought in immediately. If the IR team does not have the manpower to proceed, or they can’t answer questions quickly enough because they lack the skills or tools to do so, bring in a forensics team; otherwise, the long-term cost of the investigation can increase significantly. During an incident, the pressure is on to answer questions quickly. But when work is done in haste or without a clear understanding of the evidence, that evidence might not be preserved, and critical artifacts may be overwritten.
Think of the plumber that has two rates — the rate when the problem first occurs and another, after an attempt to try to fix something yourself. This same analogy holds true when working with forensic experts. If you try to “fix it yourself” first, don’t be surprised if the overall cost of the investigation is higher.

What could the attackers do? Who are they?

When a breach involves malicious software (or malware) running on a machine, malware reverse engineering (RE) is a popular method used to determine the capability of the malware. It helps answer the question, “what can the malware do?” Can it steal email, log into banking sites, or infect office documents? Because the malware source code is only accessible to the attacker, incident response teams and forensic experts must rely on malware reverse engineering. Using a process called disassembly, malware reverse engineering tools allow responders to determine what capabilities the malware has, as well as any Indicators of Compromise (IOCs) that can be used to scan for other possible variants of that malware on the network.

The IOCs gathered when conducting memory forensics and/or malware reverse engineering will help IR teams determine where to look next. Malicious actors tend to reuse malicious code across multiple campaigns, so IOCs can help attribute malware from two attacks to the same threat group even if the malware hashes aren’t identical.

Prepare for the battle

To prepare IR teams in the event of an actual attack, conducting a sand table exercise (a mock breach) is essential. The goal of the sand table exercise is to step through a mock breach following a team’s current IR procedures. It will identify any critical skills or tools that may be missing, well in advance of a compromise. These exercises will help IR teams understand what is expected of them, what to do, and who to contact and when in the event of a breach.
If an IR team hasn’t experienced a breach and they haven’t run a sand table exercise, how will they know whether or not they are prepared? Handling a breach is not something IR teams want to learn on the fly. While it may sound like a waste of time to walk through these big incident scenarios, chances are that a compromise will occur (and sooner rather than later). Taking the time to do a walk-through and prepare up front will save time and money later on. The amount of money saved can be significant — just like grandma used to say, “an ounce of prevention is worth a pound of cure.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!