RESPONDING TO AN INCIDENT
CYBER SECURITY WEBINAR PART 5
JARNO NIEMELÄ
F-SECURE
9th of November 2015
CYBER SECURITY WEBINAR SERIES - PART 5
© F-Secure
• INTRODUCTION TO CYBER SECURITY
• DEFENDING WORKSTATIONS
• DEFENDING SERVERS
• DEFENDING NETWORKS
• RESPONDING TO AN INCIDENT - NOW
• BUILDING SECURE SYSTEMS - 3RD DECEMBER 2015
RECORDINGS: HTTPS://BUSINESS.F-SECURE.COM
RESPONDING TO AN INCIDENT
JARNO NIEMELÄ
SENIOR RESEARCHER
F-SECURE
RESPONDING TO AN INCIDENT
Steps to proper incident response
• Prepare your systems and people
• Discover incidents
• Do the initial response and gather data
• Analyze the data and contain the incident
• Recover affected systems and implement security improvements
• Check the IT infrastructure for tampering
• Handle PR
• Make a root cause analysis and learn from the incident
Preparation
Do the things mentioned in the previous webinars
• Make sure your logging covers both system and network events, and that the network supports it
• Make sure you keep logs for at least 12 months, in a separate system
• Make sure that all logs are time synchronized and in the same time zone (UTC preferred)
• Make sure systems are isolated from each other
• Make sure you have integrity logs of servers and OS master images
Prepare your people
• Administration and security staff need to have IR training
Know who to call
• When it hits the fan, there’s no time to start negotiations with IR consultants
Discovery
Make sure you are reachable
• A significant portion of incidents are discovered because of an outside report or clue
• List an incident contact email and phone number publicly on your web page
• Create abuse@company.com, incident@, security@ email addresses
• List contact information in the WHOIS information of your domain
• Make sure your ISP and local CERT have your security contact information
• Register at well known incident reporting clearinghouses
  • www.shadowserver.org
Keep notes of everything
• This is important for both learning and legal purposes
https://www.viestintavirasto.fi/attachments/certesitykset/5wf8GRFeM/Nordsec_2010_Erka_Koivunen_v2.0_web.pdf
Initial Response
If you have IR consultants on retainer, now is the time to call them
• Also contact the police in case you want to press charges later
Don’t panic. Stop, think, think again and then act
Start by collecting volatile information
• Processes running in the suspected system; get a memory dump of the full system, or a VM snapshot
• Network connections
• WHOIS information of any discovered network connections
• Users who have logged into the system
• All logs on the system; also make sure that remote logging is not overwritten
Do not alert the attacker by poking around blindly
• Do not use any tools installed in the system
• Rename all investigation tools, as the attack may self-terminate when it sees Sysinternals tools running
Deeper Analysis
Try to establish when the attack happened
• If the attack is fresh, you may want to disconnect the network. If it’s a year old, there’s no rush
Compare the system against integrity check data or the image master
• If you lack that, get as identical a system as possible for comparison
Look for unusual files in the file system
• Look especially into the places covered in webinar 2, slide 5
Look for unusual registry launch points
• Sysinternals Autoruns is a very good tool for this
http://www.sysforensics.org/2014/01/know-your-windows-processes/
Look For Signs Of Lateral Movement
Check the network and system logs for signs of moving to other systems
• Build a map of all network connections from the infected system
• Pay attention to RPC, RDP, Windows Remote Management and logon scripts
Check user account and login histories
• Has any user logged into a system that they have never used before?
• Have any users been added or elevated to administrator level?
Check Prefetch or Amcache for executed processes; is there anything unusual there?
• Note: Prefetch/SuperFetch is often disabled for SSD drives
https://attack.mitre.org/wiki/Lateral_Movement
http://sysforensics.org/2014/01/lateral-movement
http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
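To make the checks on this slide concrete, here is an added example in Python; it is not code from the webinar or from F-Secure. It works over a constructed, simplified logon log (the five-field line format, host names such as WS-17 and DC01, the user names and the INCIDENT_START cut-off are all assumptions made for the example). It normalises every timestamp to UTC before correlating, as the Preparation slide recommends, builds the map of remote logons reachable from the infected host, and flags user/host pairs never seen in the baseline period as well as group additions.

```python
"""Lateral-movement triage over constructed logon events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log, one event per line:
#   <timestamp> <event> <host> <user> <detail>
# For LOGON, <detail> is the source host; for GROUP_ADD it is the group joined.
# Timestamps deliberately mix zones (a workstation logging local time, servers
# logging UTC) to show why normalising to UTC before correlation matters.
SAMPLE_EVENTS = """\
2015-10-20T09:05:00+02:00 LOGON WS-17 alice WS-17
2015-10-20T09:30:00+02:00 LOGON FILESRV alice WS-17
2015-11-02T03:12:00+02:00 LOGON WS-17 alice WS-17
2015-11-02T01:14:00Z LOGON FILESRV alice WS-17
2015-11-02T01:20:00Z LOGON DC01 alice FILESRV
2015-11-02T01:25:00Z GROUP_ADD DC01 bob.svc Administrators
2015-11-02T01:31:00Z LOGON HR-DB bob.svc DC01
"""

# Assumed start of the suspicious period; everything before it is the baseline.
INCIDENT_START = datetime(2015, 11, 1, tzinfo=timezone.utc)


def parse_events(text):
    """Parse lines into dicts with a timezone-aware UTC timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, host, user, detail = line.split()
        # fromisoformat accepts "+02:00" offsets; "Z" needs rewriting on Python < 3.11.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        events.append({"ts": when, "event": event, "host": host,
                       "user": user, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def first_time_logons(events, since):
    """(user, host) pairs seen after `since` that never appeared in the baseline."""
    baseline = {(e["user"], e["host"]) for e in events
                if e["event"] == "LOGON" and e["ts"] < since}
    flagged, seen = [], set()
    for e in events:
        pair = (e["user"], e["host"])
        if (e["event"] == "LOGON" and e["ts"] >= since
                and pair not in baseline and pair not in seen):
            flagged.append(pair)
            seen.add(pair)
    return flagged


def movement_map(events, origin, since):
    """Hosts reachable from `origin` via remote logons after `since`, in BFS order."""
    edges = defaultdict(list)
    for e in events:
        # A logon whose source host differs from the target host is a hop.
        if e["event"] == "LOGON" and e["ts"] >= since and e["detail"] != e["host"]:
            edges[e["detail"]].append(e["host"])
    visited, order, queue = {origin}, [], deque([origin])
    while queue:
        src = queue.popleft()
        for dst in edges[src]:
            if dst not in visited:
                visited.add(dst)
                order.append(dst)
                queue.append(dst)
    return order


def admin_additions(events, since):
    """(user, group, host) for accounts added to a group after `since`."""
    return [(e["user"], e["detail"], e["host"]) for e in events
            if e["event"] == "GROUP_ADD" and e["ts"] >= since]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("first-time logons:", first_time_logons(evs, INCIDENT_START))
    print("reachable from WS-17:", movement_map(evs, "WS-17", INCIDENT_START))
    print("group additions:", admin_additions(evs, INCIDENT_START))
```

With the constructed data the map shows WS-17 reaching FILESRV, DC01 and HR-DB in that order, alice appearing on DC01 for the first time, and bob.svc being added to Administrators just before logging into HR-DB. Real Windows logon events (4624 with logon type and source address, 4728/4732 for group membership changes) carry the same fields, so only the parser would change for production logs.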
Assess The Damages
Use logs to identify whether any information has been stolen or modified
• Pay attention to personal information, user accounts, source code, documents, etc.
Pay special attention to customer facing services
• The actual target might be your customers
• Make sure that every web page and file you serve to users is intact
• Also verify that there are no backdoors left in internet facing servers
Try to find out if the attack is already public knowledge
Containment And Recovery
• Using the IOCs (clues) found, investigate all other systems
  • The attacker may have moved without leaving noticeable network traces
• Reinstall or restore from backup any affected systems
  • Remember to double check that the backup is clean
• Review the permissions of affected users, in case they have been modified
• Issue password changes for the affected parts of the organization
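Both the integrity comparison on the Deeper Analysis slide and the IOC sweep across other systems on this slide rest on the same mechanism: a manifest of file hashes. The following added Python example (not from the webinar or from F-Secure) builds such manifests, diffs a suspect tree against a master image, then uses the hash of a file found on the first compromised host to sweep the manifests of other hosts. The directory contents, the host names and the "dropper" file are constructed for the example; in practice the master manifest comes from the integrity logs the Preparation slide asks for, and the other hosts' manifests are collected with trusted tools rather than ones installed on the suspect systems.

```python
"""Integrity comparison against a master image plus an IOC sweep (added example)."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path relative to `root` to its SHA-256 hex digest."""
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify files as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def ioc_sweep(manifests_by_host, ioc_hashes):
    """Return {host: [paths]} for every file whose hash is in the known-bad set."""
    hits = {}
    for host, manifest in manifests_by_host.items():
        matched = sorted(p for p, digest in manifest.items() if digest in ioc_hashes)
        if matched:
            hits[host] = matched
    return hits


def _write_tree(root, files):
    """Write a constructed {relative path: bytes} tree under `root`."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Build constructed master and suspect trees in a temp dir and run both checks."""
    master = {"bin/service.exe": b"MZ service v1", "etc/app.conf": b"port=443\n"}
    suspect = {"bin/service.exe": b"MZ service v1",
               "etc/app.conf": b"port=443\nallow=0.0.0.0\n",   # modified config
               "tmp/update.exe": b"MZ dropper"}                # file not in the image
    with tempfile.TemporaryDirectory() as tmp:
        _write_tree(Path(tmp) / "master", master)
        _write_tree(Path(tmp) / "suspect", suspect)
        base = build_manifest(Path(tmp) / "master")
        cur = build_manifest(Path(tmp) / "suspect")
        diff = compare_manifests(base, cur)
        # The hash of the unexpected file becomes the IOC used to sweep other hosts.
        ioc = {cur["tmp/update.exe"]}
        # Constructed manifests for the other hosts, as if collected by the same tool.
        other_hosts = {
            "WS-17": cur,
            "FILESRV": {"bin/svc.exe": hashlib.sha256(b"MZ dropper").hexdigest()},
            "HR-DB": {"bin/db.exe": hashlib.sha256(b"clean").hexdigest()},
        }
        return diff, ioc_sweep(other_hosts, ioc)


if __name__ == "__main__":
    diff, hits = demo()
    print("integrity diff:", diff)
    print("IOC hits:", hits)
```

The diff reports tmp/update.exe as added and etc/app.conf as modified, and the sweep finds the same dropper hash on FILESRV under a different file name, which is the point of matching by hash rather than by path.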
Handle PR
Internal communication is vital
• An incident can be traumatic for the organization; make sure the people are kept up to date
Information has a habit of getting out
• Be in control: release suitable information before it leaks
• Be boring; dry information does not make good news
If the incident was visible or affected users, inform the users and apologize
• Tell what happened and what the effects are for the user
• Tell how the situation was corrected
If the incident has potentially high media value, make a press release
• But in most cases it’s enough to inform users and publish on the company web page
Report, Learn And Improve
Create a root cause analysis of the incident
• How was the incident detected? Can detection speed be improved?
• How was the incident possible? Can future incidents be prevented?
• How was the incident investigated? Can we improve the investigation?
• How was the incident recovered? Can we make recovery faster?
• What went wrong? How can we make it right?
• What went right? Celebrate and give credit for good work!
Incidents happen, but try to avoid repeating them
CONCLUSIONS
• Preparation is key to successful incident response
• Verify that logging is at a sufficient level
• In real situations people will get excited and make mistakes
  • So doing a practice once every couple of years might be a good idea
• Prepare, Detect, Respond, Analyze, Learn, Improve
THANK YOU FOR YOUR PARTICIPATION!
STAY TUNED FOR THE LAST TOPIC OF THE CYBER SECURITY WEBINAR SERIES:
3 December 2015 at 11.00 EET: “Building secure systems”
The recording will be available at the BUSINESS SECURITY INSIDER
https://business.f-secure.com

More Related Content

Viewers also liked

ICS Review & Response
ICS Review & ResponseICS Review & Response
ICS Review & Responsedwoodwoody
 
Training Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinarTraining Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinarOutSystems
 
Reading and Writing Files
Reading and Writing FilesReading and Writing Files
Reading and Writing Filesprimeteacher32
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
6 Keys to Preventing and Responding to Workplace Violence
6 Keys to Preventing and Responding to Workplace Violence6 Keys to Preventing and Responding to Workplace Violence
6 Keys to Preventing and Responding to Workplace ViolenceCase IQ
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response Darren Pauli
 
NYU Tandon Online M.S. In Cybersecurity Webinar
NYU Tandon Online M.S. In Cybersecurity WebinarNYU Tandon Online M.S. In Cybersecurity Webinar
NYU Tandon Online M.S. In Cybersecurity WebinarNYU Tandon Online
 
Computer Forensic Softwares
Computer Forensic SoftwaresComputer Forensic Softwares
Computer Forensic SoftwaresDhruv Seth
 
Ce hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingCe hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingVi Tính Hoàng Nam
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumOWASP Khartoum
 
Chfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays WorldChfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays Worldgueste0d962
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 

Viewers also liked (18)

Incident Response
Incident ResponseIncident Response
Incident Response
 
ICS Review & Response
ICS Review & ResponseICS Review & Response
ICS Review & Response
 
Training Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinarTraining Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinar
 
Reading and Writing Files
Reading and Writing FilesReading and Writing Files
Reading and Writing Files
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
6 Keys to Preventing and Responding to Workplace Violence
6 Keys to Preventing and Responding to Workplace Violence6 Keys to Preventing and Responding to Workplace Violence
6 Keys to Preventing and Responding to Workplace Violence
 
RT and RT for Incident Response
RT and RT for Incident ResponseRT and RT for Incident Response
RT and RT for Incident Response
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
 
NYU Tandon Online M.S. In Cybersecurity Webinar
NYU Tandon Online M.S. In Cybersecurity WebinarNYU Tandon Online M.S. In Cybersecurity Webinar
NYU Tandon Online M.S. In Cybersecurity Webinar
 
Computer Forensic Softwares
Computer Forensic SoftwaresComputer Forensic Softwares
Computer Forensic Softwares
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Ce hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingCe hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handling
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Lect 1 computer forensics
Lect 1 computer forensicsLect 1 computer forensics
Lect 1 computer forensics
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP Khartoum
 
Chfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays WorldChfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays World
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 

More from F-Secure Corporation

How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?F-Secure Corporation
 
Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!F-Secure Corporation
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceF-Secure Corporation
 
Security A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsSecurity A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsF-Secure Corporation
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace F-Secure Corporation
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceLes attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceF-Secure Corporation
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?F-Secure Corporation
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2F-Secure Corporation
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeF-Secure Corporation
 
F secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF-Secure Corporation
 
F-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Corporation
 
Best business protection for windows
Best business protection for windowsBest business protection for windows
Best business protection for windowsF-Secure Corporation
 
Six things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsSix things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsF-Secure Corporation
 
Small and midsize business security is big business
Small and midsize business security is big businessSmall and midsize business security is big business
Small and midsize business security is big businessF-Secure Corporation
 
大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業F-Secure Corporation
 
Why should you care about government surveillance?
Why should you care about government surveillance?Why should you care about government surveillance?
Why should you care about government surveillance?F-Secure Corporation
 
Arbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetArbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetF-Secure Corporation
 

More from F-Secure Corporation (20)

Post-mortem of a data breach
Post-mortem of a data breachPost-mortem of a data breach
Post-mortem of a data breach
 
How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?
 
Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security Service
 
Security A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsSecurity A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important terms
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceLes attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat Landscape
 
F secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and management
 
F-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior control
 
The State of the Net in India
The State of the Net in IndiaThe State of the Net in India
The State of the Net in India
 
Best business protection for windows
Best business protection for windowsBest business protection for windows
Best business protection for windows
 
Six things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsSix things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutions
 
Small and midsize business security is big business
Small and midsize business security is big businessSmall and midsize business security is big business
Small and midsize business security is big business
 
大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業
 
Why should you care about government surveillance?
Why should you care about government surveillance?Why should you care about government surveillance?
Why should you care about government surveillance?
 
Arbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetArbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitet
 
Psb mobile security
Psb mobile securityPsb mobile security
Psb mobile security
 

Recently uploaded

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Cyber security webinar 5 - Responding to an incident

  • 2. CYBERSECURITY WEBINAR SERIES-PART5 © F-Secure2 • INTRODUCTION TO CYBERSECURITY • DEFENDING WORKSTATIONS • DEFENDING SERVERS • DEFENDING NETWORKS - NOW • RESPONDING TO AN INCIDENT NOW • BUILDING SECURE SYSTEMS 3RD DECEMBER 2015 RECORDINGS: HTTPS://BUSINESS.F-SECURE.COM
  • 4. RESPONDING TOANINCIDENT Steps to proper incident response  Prepare your systems and people  Discover incidents  Do initial response and gather data  Analyze data and contain incident  Recover affected systems and implement security improvements  Check IT infrastructure for tampering  Handle PR  Make a root cause analysis and learn from the incident © F-Secure4
  • 5. Preparation Do things mentioned in the previous webinars  Make sure your logging covers both system and network events and network supports it  Make sure you keep logs at least for 12 months and in a separate system  Make sure that all logs are time synchronized and in same time zone (UTC preferred)  Make sure systems are isolated from each other  Make sure you have integrity logs of servers and OS master images Prepare your people  Administration and security staff need to have IR training Know who to call  When it hits the fan, there’s no time to start negotiations with IR consultants © F-Secure5
  • 6. Discovery Make sure you are reachable  A significant portion of incidents are discovered because of outside report or clue  List incident contact email and phone number publicly in your web page  Create abuse@company.com, incident@, security@, email addresses  List contact information in WHOIS information of your domain  Make sure your ISP and local cert have your security contact information  Register at well known incident reporting clearinghouses  www.shadowserver.org Keep notes of everything  This is important both for learning and legal © F-Secure6 https://www.viestintavirasto.fi/attachments/certesitykset/5 wf8GRFeM/Nordsec_2010_Erka_Koivunen_v2.0_web.pdf
  • 7. InitialResponse If you have IR consultants on retainer, now it is time to call them  Also contact the police in case you want to press charges later Don’t panic. Stop, think, think again and then act Start by collecting volatile information  Processes running in suspected system, get memory dump of full system, or VM snapshot  Network connections  WHOIS information of any discovered network connections  Users who have logged into the system  All logs on the system, also make sure that remote logging is not overwritten Do not alert attacker by poking around blindly  Do not use any tools installed in the system  Rename all investigation tools, as attack may self-terminate on Sysinternals © F-Secure7
• 8. Deeper Analysis
Try to establish when the attack happened
 If the attack is fresh, you may want to disconnect the network. If it is a year old, there is no rush
Compare the system against integrity check data or the image master
 If you lack that, get as identical a system as possible for comparison
Look for unusual files in the file system
 Look especially into the places covered in webinar 2, slide 5
Look for unusual registry launch points
 Sysinternals Autoruns is a very good tool for this
Reference: http://www.sysforensics.org/2014/01/know-your-windows-processes/
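The "compare against integrity check data" step is only as good as the baseline you took in the preparation phase. The following is an added example (not from the slides) of the comparison itself in Python: hash_tree() hashes every regular file under a root, skipping prefixes that are expected to change such as log directories, save_baseline() stores the result as JSON, and compare_to_baseline() classifies every path as added, deleted or modified. The directory layout and file contents in run_demo(), including the dropped binary name wmiprvse32.exe, are constructed; on a real system the live hashes must be taken with an interpreter and tools from trusted media, and the baseline must be kept off the host.

```python
"""Added example: compare a live file tree with an integrity baseline taken
from the clean OS master image. Not from the original slides; the directory
layout and file contents used by run_demo() are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # chunked: fine for large files
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path, ignore_prefixes: Iterable[str] = ()) -> Dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root.
    ignore_prefixes skips paths that legitimately change (logs, caches) so
    they do not drown out the real differences."""
    hashes: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel.startswith(pref) for pref in ignore_prefixes):
            continue
        hashes[rel] = file_sha256(p)
    return hashes


def save_baseline(root: Path, baseline_file: Path, ignore_prefixes: Iterable[str] = ()) -> None:
    # Keep the baseline off the host: a baseline stored on the same box can be
    # rewritten by whoever owns the box.
    baseline_file.write_text(json.dumps(hash_tree(root, ignore_prefixes), indent=2, sort_keys=True))


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, deleted or modified relative to the baseline."""
    b, c = set(baseline), set(current)
    return {
        "added": sorted(c - b),
        "deleted": sorted(b - c),
        "modified": sorted(f for f in b & c if baseline[f] != current[f]),
    }


def run_demo() -> Dict[str, List[str]]:
    """Build a constructed 'master image', baseline it, then simulate an intrusion."""
    ignore = ("Windows/Logs/",)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "Windows/System32/drivers/etc").mkdir(parents=True)
        (root / "Windows/Logs").mkdir(parents=True)
        (root / "Windows/System32/svchost.exe").write_bytes(b"clean svchost")
        (root / "Windows/System32/drivers/etc/hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "Windows/Logs/setup.log").write_bytes(b"day 0\n")
        baseline_file = Path(tmp) / "baseline-master-image.json"
        save_baseline(root, baseline_file, ignore)

        # Constructed attacker changes: hosts file poisoned, a dropped binary,
        # a removed tool, and benign churn in the ignored log directory.
        (root / "Windows/System32/drivers/etc/hosts").write_bytes(
            b"127.0.0.1 localhost\n127.0.0.1 update.vendor.example\n")
        (root / "Windows/System32/wmiprvse32.exe").write_bytes(b"dropper")
        (root / "Windows/System32/svchost.exe").unlink()
        (root / "Windows/Logs/setup.log").write_bytes(b"day 0\nday 30\n")

        baseline = json.loads(baseline_file.read_text())
        return compare_to_baseline(baseline, hash_tree(root, ignore))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

When the comparison machine is merely "as identical as possible" rather than the actual master image, expect benign differences (patch level, per-host configuration) in the modified list; triage the added list first, since dropped files are where attacker tooling and backdoors usually show up.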
• 9. Look For Signs Of Lateral Movement
Check the network and system logs for signs of moving to other systems
 Build a map of all network connections from the infected system
 Pay attention to RPC, RDP, Windows Remote Management and logon scripts
Check user account and login histories
 Has any user logged into a system they have never used before?
 Have any users been added or elevated to administrator level?
Check Prefetch or Amcache for executed processes; is there anything unusual there?
 Note: Prefetch/SuperFetch is often disabled by default on SSD drives
References:
https://attack.mitre.org/wiki/Lateral_Movement
http://sysforensics.org/2014/01/lateral-movement
http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
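The three checks on this slide (connections out of the infected host, first-ever user/host combinations, administrator elevation) can be run mechanically over a Security log export. The following is an added example (not from the slides) in Python rather than the PowerShell you would type on the host, so that it runs offline on SAMPLE_EVENTS; those events, the host names WS-01/FS-01/DC-01, the address 10.0.0.11 and BASELINE_PAIRS are constructed. Field names follow the Windows event schema for 4624 and 4732 as a SIEM flattens them; the assumption that you have a baseline of normal user/host pairs is exactly why the preparation slide asks for twelve months of logs.

```python
"""Added example: look for lateral movement in a Security-log export. Not from
the original slides; SAMPLE_EVENTS, the host names and the baseline of known
user/host pairs are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Logon types that mean the credentials were used from another machine.
REMOTE_LOGON_TYPES = {3: "Network (SMB/RPC/WinRM)", 10: "RemoteInteractive (RDP)"}
# Group additions to watch (event 4732 local group, 4728 global group).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}

# Constructed events, flattened the way a SIEM exports Security log fields.
# In 4624 TargetUserName is the account that logged on; in 4732 TargetUserName
# is the group and MemberName the account that was added to it.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4624, "Computer": "WS-01", "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Computer": "FS-01", "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "Computer": "DC-01", "TargetUserName": "alice", "LogonType": 10, "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "Computer": "WS-02", "TargetUserName": "bob", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Computer": "FS-01", "TargetUserName": "svc_backup", "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4732, "Computer": "DC-01", "SubjectUserName": "alice", "MemberName": "alice",
     "TargetUserName": "Administrators"},
]
# (host, user) pairs that were normal before the incident window, built from
# earlier months of logs (constructed here).
BASELINE_PAIRS: Set[Tuple[str, str]] = {
    ("WS-01", "alice"), ("FS-01", "alice"), ("FS-01", "svc_backup"), ("WS-02", "bob"),
}
INFECTED_IPS: Set[str] = {"10.0.0.11"}  # the first confirmed infected host (WS-01)


def connection_map(events: Iterable[Dict], infected_ips: Set[str]) -> Dict[str, Set[str]]:
    """Source IP -> hosts it logged on to, restricted to the infected machines."""
    m: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and e.get("IpAddress") in infected_ips:
            m[e["IpAddress"]].add(e["Computer"])
    return dict(m)


def find_lateral_movement(events: Iterable[Dict], infected_ips: Set[str],
                          baseline_pairs: Set[Tuple[str, str]]) -> List[Dict]:
    """Apply the three slide checks and return one finding per hit."""
    findings: List[Dict] = []
    for e in events:
        if e["EventID"] == 4624:
            host, user = e["Computer"], e["TargetUserName"].lower()
            src, ltype = e.get("IpAddress", "-"), e["LogonType"]
            if src in infected_ips and ltype in REMOTE_LOGON_TYPES:
                findings.append({"rule": "logon_from_infected_host", "host": host, "user": user,
                                 "source": src, "logon_type": REMOTE_LOGON_TYPES[ltype]})
            if (host, user) not in baseline_pairs:
                findings.append({"rule": "first_seen_user_on_host", "host": host, "user": user,
                                 "source": src})
        elif e["EventID"] in (4728, 4732) and e["TargetUserName"] in ADMIN_GROUPS:
            findings.append({"rule": "admin_group_addition", "host": e["Computer"],
                             "user": e["MemberName"].lower(), "group": e["TargetUserName"],
                             "added_by": e["SubjectUserName"].lower()})
    return findings


def hosts_to_investigate(findings: Iterable[Dict]) -> List[str]:
    """Hosts touched by any finding: the next systems to image and sweep."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    print("connections from infected hosts:", connection_map(SAMPLE_EVENTS, INFECTED_IPS))
    hits = find_lateral_movement(SAMPLE_EVENTS, INFECTED_IPS, BASELINE_PAIRS)
    for h in hits:
        print(h)
    print("investigate next:", hosts_to_investigate(hits))
```

Note what the sample shows: alice logging into FS-01 is in the baseline and would be invisible to a "new user on host" check alone, but it still fires because the logon came over the network from the infected address. Conversely, the first-seen check catches an attacker who uses a fresh account or a different source address. Logon type 5 (service) and type 2 (console) from "-" are left alone to keep noise down; add types 4 (batch) and 7 (unlock) to REMOTE_LOGON_TYPES only if your environment warrants it.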
• 10. Assess The Damages
Use logs to identify whether any information has been stolen or modified
 Pay attention to personal information, user accounts, source code, documents, etc.
Pay special attention to customer-facing services
 The actual target might be your customers
 Make sure that every web page and file you serve to users is intact
 Also verify that there are no backdoors left in internet-facing servers
Try to find out if the attack is already public knowledge
• 11. Containment And Recovery
 Using the IOCs (clues) found, investigate all other systems
 The attacker may have moved without leaving noticeable network traces
 Reinstall or restore from backup any affected systems
 Double-check that the backup is clean and predates the compromise
 Review permissions of affected users, in case they have been modified
 Issue password changes for the affected parts of the organization
• 12. Handle PR
Internal communication is vital
 An incident can be traumatic for the organization; make sure people are kept up to date
Information has a habit of getting out
 Be in control: release suitable information before it leaks
 Be boring; dry information does not make good news
If the incident was visible or affected users, inform the users and apologize
 Tell what happened and what the effects are for the user
 Tell how the situation was corrected
If the incident has potentially high media value, make a press release
 But in most cases it is enough to inform users and publish on the company web page
• 13. Report, Learn And Improve
Create a root cause analysis of the incident
 How was the incident detected -> can detection speed be improved?
 How was the incident possible -> can future incidents be prevented?
 How was the incident investigated -> can we improve the investigation?
 How was the incident recovered -> can we make recovery faster?
 What went wrong -> how can we make it right?
 What went right -> celebrate and give credit for good work!
Incidents happen, but try to avoid repeating them
• 14. CONCLUSIONS
 Preparation is key to successful incident response
 Verify that logging is at a sufficient level
 In real situations people will get excited and make mistakes
 So rehearse: an incident response exercise every couple of years is a good idea
 Prepare, Detect, Respond, Analyze, Learn, Improve
• 15. THANK YOU FOR YOUR PARTICIPATION!
Stay tuned for the last topic of the Cyber Security Webinar Series:
3 December 2015 at 11.00 EET: "Building secure systems"
The recording will be available at the Business Security Insider: https://business.f-secure.com