BreachExchange mailing list archives

Detecting a Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 22 Jul 2015 18:57:05 -0600

http://www.forensicmag.com/articles/2015/07/detecting-data-breach

Almost every week we learn about a data breach where attackers went
unnoticed for a significant period of time. In 2014, the average number of
days was 205. Most recently, in the Adult Friend Finder breach, there is
evidence that a third party detected the compromise at least two months
before the breach was publicly reported.

These numbers are not surprising to most seasoned incident response (IR)
professionals, many of whom have worked cases where attackers have been in
the network undetected for years — my personal record was a financial
services organization that was compromised for seven years before being
notified of the breach by a third party.

In most instances, it is not until a third-party notification that an
organization learns it has fallen victim to a breach. A common scenario is
when an organization’s machines reach out to a known nation-state
infrastructure, which in turn tips off the FBI, who then alerts the
organization that their machines have been compromised. It is at this point
that forensic examiners typically are brought on board to investigate the
cause and scope of the incident.

Given the statistics, it is no longer a question of “if” a company will be
compromised, but “when.” Through continuous monitoring and advance
preparation, incident response and forensic teams have the opportunity to
turn the tables on attackers, minimizing impact and regaining control over
their networks. Unfortunately, very few organizations do continuous
monitoring because it is viewed as too time-consuming and too expensive.
However, when attackers are left to freely roam a network, the
ramifications can prove much more costly than the cost of continuous
monitoring. For IR teams, understanding the key indicators of a compromise
is the best place to start.

Key indicators of a compromise
Determining whether a compromise has occurred is typically a complex and
time-consuming task. Fortunately, there are a few key indicators to get IR
teams started. The first step is to identify whether there is just a
generic suspicion that something bad is happening on the network, or whether
there is more granular information, such as an individual machine behaving
differently or a user who suspects they have opened a malicious attachment.

If it appears something weird is happening with the network, in-house IR
teams will need to look at netflow to identify any possible odd patterns in
regard to network communications. For instance, workstations talk to
servers and servers talk to servers; however, it is very rare to see
workstations making connections with other workstations. In most
environments, that would be an abnormal pattern and an indicator that
something may be wrong.

Are large amounts of data leaving the network from a particular machine?
If so, this may be a sign that the machine has been compromised and is
being used for data exfiltration. While a server might legitimately send a
lot of data out of a network, it is unlikely that a workstation will, so
heavy outbound traffic from a workstation may be an indication that a
breach has occurred. At this point the IR team will want to dig down
further to identify whether the host has indeed been compromised, and if
so, what actions specifically the attackers have taken.
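The two netflow heuristics above (workstation-to-workstation connections, and unusually large outbound volume from a workstation) run over constructed sample flow records, as an added illustration that is not part of the original article. The subnet-to-role mapping, the 500 MiB egress threshold and the flow records are all assumed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan for the example: workstations and servers on separate subnets.
WORKSTATION_NETS = [ipaddress.ip_network("10.1.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.2.0.0/16")]
# Assumed per-workstation outbound threshold for one review window.
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024

# Constructed netflow-style records: (src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    ("10.1.4.20", "10.2.0.5", 445, 12_000),             # workstation -> file server: expected
    ("10.2.0.5", "10.2.0.9", 1433, 8_000_000),          # server -> server: expected
    ("10.1.4.20", "10.1.7.33", 445, 35_000),            # workstation -> workstation: unusual
    ("10.1.4.20", "10.1.9.41", 3389, 60_000),           # workstation -> workstation: unusual
    ("10.1.7.33", "203.0.113.10", 443, 900_000_000),    # workstation -> internet, large: unusual
    ("10.2.0.9", "203.0.113.10", 443, 2_000_000_000),   # server -> internet, large: expected
]

def host_role(ip):
    """Classify an address as workstation, server or external by subnet."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in WORKSTATION_NETS):
        return "workstation"
    if any(addr in net for net in SERVER_NETS):
        return "server"
    return "external"

def lateral_workstation_flows(flows):
    """Return (src, dst, port) for every workstation-to-workstation connection."""
    return [(s, d, p) for s, d, p, _ in flows
            if host_role(s) == "workstation" and host_role(d) == "workstation"]

def heavy_workstation_egress(flows, threshold=EXFIL_THRESHOLD_BYTES):
    """Return {workstation: bytes} for workstations whose total bytes to external hosts exceed threshold."""
    totals = defaultdict(int)
    for s, d, _, b in flows:
        if host_role(s) == "workstation" and host_role(d) == "external":
            totals[s] += b
    return {h: b for h, b in totals.items() if b > threshold}

if __name__ == "__main__":
    for s, d, p in lateral_workstation_flows(SAMPLE_FLOWS):
        print(f"lateral workstation traffic: {s} -> {d}:{p}")
    for h, b in heavy_workstation_egress(SAMPLE_FLOWS).items():
        print(f"heavy workstation egress: {h} sent {b / 2**20:.0f} MiB to external hosts")
```

In the sample data the same workstation (10.1.7.33) is both a destination of lateral traffic and the source of heavy egress, which is the kind of overlap that moves a host to the top of the triage list.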

Determining the level of a compromise
In these early stages of an investigation, memory forensics is perhaps the
best approach to determine if a particular host was compromised. In a
memory forensics investigation, responders will take an image or snapshot
of a machine’s random access memory (RAM), including all of the programs
running in RAM and stored data, and then analyze the images.

The task of acquiring memory is very straightforward. The process for
analyzing memory, however, is a bit more difficult. Fortunately, memory
forensics tools and courses are available and growing in popularity. As a
result, memory forensics, once largely an academic field, is seeing more
mainstream use during investigations today.

Once responders determine a compromise has occurred, they must determine
the severity. Memory forensics can help responders characterize the
attacker. For example, does this look like a common malware infection,
e.g., an opportunistic infection that occurs when a user simply clicked a
malicious site? Was the compromised person/machine part of a botnet (most
likely a non-targeted attack)? Or does this appear to be a targeted attack?
Memory forensics can help characterize the attacker and answer these
important questions.

Moving ahead with an investigation
At this point it is up to the IR team to decide if they have enough
information to close the investigation (i.e., they found the malware); if
they need to continue forward with the investigation; or, whether they
should hand off what they know to a forensic team. More often than not, the
decision to move forward or seek assistance from a host forensic team is
determined by the indicators derived from memory forensics and the
potential impact. In some cases, if there is no evidence of data
exfiltration and the attack does not appear targeted, the organization may
simply reimage the impacted machine(s).

If at any point during the investigation the IR team feels out of their
depth, a forensics team should be brought in immediately. If the IR team
does not have the manpower to proceed or they can’t answer questions
quickly enough because they lack the skills or tools to do so, bring in a
forensics team; otherwise, the long-term cost of the investigation can
increase significantly.

During an incident, the pressure is on to answer questions quickly. But
while working in haste or with misunderstanding, evidence might not be
preserved, and critical artifacts may be overwritten. Think of the plumber
that has two rates — the rate when the problem first occurs and another,
after an attempt to try to fix something yourself. This same analogy holds
true when working with forensic experts. If you try to “fix it yourself”
first, don’t be surprised if the overall cost of the investigation is
higher.

What could the attackers do? Who are they?
When a breach involves malicious software (or malware) running on a
machine, malware reverse engineering (RE) is a popular method used to
determine the capability of the malware. It helps answer the question
"what can the malware do?" Can it steal email, log into banking sites, or
infect office documents? Because the malware source code is only accessible
to the attacker, incident response teams and forensic experts must rely on
malware reverse engineering. Using a process called disassembly, malware
reverse engineering tools allow responders to determine what capabilities
the malware has, as well as any Indicators of Compromise (IOCs) that can be
used to scan for other possible variants of that malware on the network.

The IOCs gathered when conducting memory forensics and/or malware reverse
engineering will help IR teams determine where to look next. Malicious
actors tend to reuse malicious code across multiple campaigns, so IOCs can
help attribute malware from two attacks to the same threat group even if
the malware hashes aren’t identical.

Prepare for the battle

To prepare IR teams in the event of an actual attack, conducting a sand
table exercise (a mock breach) is essential. The goal of the sand table
exercise is to step through a mock breach following a team’s current IR
procedures. It will identify any critical skills or tools that may be
missing well in advance of a compromise. These exercises will help IR teams
understand what is expected of them, what to do, and who to contact and
when in the event of a breach.

If an IR team hasn’t experienced a breach and they haven’t run a sand table
exercise, how will they know whether or not they are prepared? Handling a
breach is not something IR teams want to learn on the fly. While it may
sound like a waste of time to walk through these big incident scenarios,
chances are that a compromise will occur (and sooner rather than later).
Taking the time to do a walk through and prepare up front will save time
and money later on. The amount of money saved can be significant — just
like grandma used to say “an ounce of prevention is worth a pound of cure.”