© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.

Incident Response and Forensics: A Call to Action for organizations


Page 1: Incident Response and Forensics


Incident Response and Forensics: A Call to Action for organizations

Page 2: Incident Response and Forensics


Evolution of Incident Response

• Executive Concerns
• Legal Concerns
• Technical Concerns

(Diagram labels: Business, Compliance, Technical)

Page 3: Incident Response and Forensics


Who Is Behind Data Breaches?

• Resulted from External Agents
• Were Caused by Insiders
• Implicated Business Partners
• Involved Multiple Partners

(Chart values as extracted: 45%, 31%, 17%, 7%)

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

Page 4: Incident Response and Forensics


How Do Breaches Occur?

• Involved Privileged Misuse
• Resulted from Hacking
• Utilized Malware
• Employed Social Tactics
• Comprised Physical Attacks

(Chart values as extracted: 29%, 24%, 9%, 16%, 22%)

Page 5: Incident Response and Forensics


Demographics By Industry

• Financial Services
• Hospitality
• Retail
• Manufacturing
• Tech Services
• Business Services
• Government
• Media
• Healthcare
• Other

(Chart values as extracted: 32%, 23%, 6%, 15%, 5%, 4%, 4%, 4%, 3%, 5%)

Page 6: Incident Response and Forensics


What Commonalities Exist?

98% of all breaches came from servers

85% of attacks were not considered highly difficult

61% were discovered by a third party

86% of victims had evidence of the breach in their log files

96% of breaches were avoidable through simple or intermediate controls

79% of victims subject to PCI DSS had not achieved compliance


Page 7: Incident Response and Forensics


Conclusions

• Attacks are becoming more elaborate, with custom and targeted malware being developed
• Encryption is being bypassed at different layers
• Lax host and network security
• Easy entry for attackers.
• Passwords are paramount. Defaults need to be changed before even plugging in.

Page 8: Incident Response and Forensics


Credit Card Breach

Why should you care if your card is compromised?

• Personal liability
• Unauthorized Recurring Charges
• Potential downtime

Inconvenience? Yes.

Major Issue? Generally Not.

Page 9: Incident Response and Forensics


Credit Card Breach: Who Cares?

Card Brands
• Reduced consumer confidence in the payment system
  – Loss of revenue
  – Brand damage
• Investigation costs
• Litigation costs

Bank
• Customer service costs
  – Notifications cost
  – Re-issue cards cost
• Investigation costs
• Litigation

Page 10: Incident Response and Forensics


Credit Card Breach: Who Cares?

Merchants
• Brand damage?
  – Brick and Mortar vs. Online
• Investigation costs
  – $12k to well over $1M
• Remediation costs
  – $5k to well into the Millions
• Increase in transaction fee rates
  – Big ticket item
• Immediate Fines from Brands
• Litigation costs
  – Legal, Experts

Page 11: Incident Response and Forensics


Case Study # 1

Page 12: Incident Response and Forensics


Case Study 1: PCI Level 1 Retail Merchant

Strengths
• Multi-layered firewalls between Corporate and the Retail locations.
• Segmented POS networks.
• Encryption from the Back of House server to the Payment Switch.

Weaknesses
• ACLs not well defined.
• Multi-homed servers bypassed the Access Control Lists (ACLs).
• Outbound filtering was not protocol aware.

Page 13: Incident Response and Forensics


Case Study 1: Network Layout (diagram)

Page 14: Incident Response and Forensics


Case Study 1: Attacked Network (diagram)

Page 15: Incident Response and Forensics


Case Study 1: Examination Findings

• The attacker defeated the protection of encryption before the data even hit the application.
• The data was sniffed and parsed into a neat, packaged format.
• Weak passwords were the organization's downfall, allowing the attacker to fan out to several hundred systems.
• The attacker made use of the public side of the multi-homed system to exploit and explore other systems.
• Lack of protocol-aware filtering.

Page 16: Incident Response and Forensics


Case Study # 2

Page 17: Incident Response and Forensics


Case Study 2: A Level 4 Merchant & Level 1 Service Provider

Strengths
• Small; “should be” an easy-to-manage infrastructure.
• Encryption from the POS terminals to the POS Back of House, with encryption on to the Payment Switch.

Weaknesses
• ACLs not well defined.
• Multi-homed servers: one leg connected to the internet, the other to the internal LAN.
• Remote support often left wide open (e.g. pcAnywhere, VNC, RDP).
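Both case studies share the same two weaknesses: multi-homed servers with one leg on the internet and one on the internal LAN, and remote-support services (pcAnywhere, VNC, RDP) left reachable from outside. The script below is an added Python example, not part of the AT&T deck: it audits a constructed host/interface inventory (the hostnames, addresses and port lists are made up) and flags both conditions, treating RFC 1918 space as the internal LAN and any other address as an outside-facing leg. The 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for real public addresses.

```python
"""Audit a host/interface inventory for the two weaknesses both case studies
share: servers straddling the internet and the internal LAN, and remote-support
services listening on an outside-facing leg. Added example; the inventory is
constructed and the hostnames are hypothetical."""
import ipaddress

# RFC 1918 space is treated as "the internal LAN"; everything else is an outside leg.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Well-known TCP ports of the remote-support tools named in Case Study 2.
REMOTE_SUPPORT_PORTS = {
    5631: "pcAnywhere",
    5632: "pcAnywhere",
    5900: "VNC",
    3389: "RDP",
}

# Constructed inventory: hostname -> [(interface address, listening TCP ports)].
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# real public addresses.
INVENTORY = {
    "bohserver01": [("10.20.1.10", [443, 5631]),
                    ("203.0.113.25", [22, 3389, 5631])],
    "pos-term-07": [("10.20.1.107", [])],
    "corp-db01":   [("10.30.5.4", [1433])],
    "web01":       [("198.51.100.8", [80, 443, 5900])],
}


def is_internal(addr: str) -> bool:
    """True if the address falls inside RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_multihomed(inventory):
    """Hosts with at least one internal and at least one outside-facing interface.
    Such a host lets traffic bypass any ACL that sits between the two networks."""
    flagged = []
    for host, ifaces in inventory.items():
        sides = {is_internal(addr) for addr, _ in ifaces}
        if sides == {True, False}:
            flagged.append(host)
    return sorted(flagged)


def find_exposed_remote_support(inventory):
    """(host, address, tool) triples where a remote-support port is listening on
    an outside-facing interface."""
    findings = set()
    for host, ifaces in inventory.items():
        for addr, ports in ifaces:
            if is_internal(addr):
                continue
            for port in ports:
                tool = REMOTE_SUPPORT_PORTS.get(port)
                if tool:
                    findings.add((host, addr, tool))
    return sorted(findings)


if __name__ == "__main__":
    for host in find_multihomed(INVENTORY):
        print(f"MULTI-HOMED: {host} bridges the internal LAN and an outside network")
    for host, addr, tool in find_exposed_remote_support(INVENTORY):
        print(f"EXPOSED: {tool} listening on {addr} ({host})")
```

On the constructed inventory the audit flags bohserver01 as multi-homed and reports RDP and pcAnywhere on its outside leg plus VNC on web01; a real run would feed the same functions from a CMDB export or an interface/listener sweep.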

Page 18: Incident Response and Forensics


PCI Breach Process

Page 19: Incident Response and Forensics


Identification

The Merchant ID is identified by one of the card brands as a Common Point of Purchase (CPP) based on fraudulent transactions.

• Analysis leads to isolation of activity
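The CPP determination is a data-analysis step the card brand runs; the merchant only sees the result. To make the concept concrete, here is an added Python example (not from the deck) over a constructed set of card transactions and a constructed list of cards later reported for fraud: it finds merchants that an unusually high share of the reported cards have in common within a time window, and compares that share against the same merchant's share across all active cards so that a merchant everyone uses is not mistaken for the compromise point. Card tokens, merchant IDs and dates are made up.

```python
"""Common Point of Purchase (CPP) analysis over a constructed transaction set.
Added example; the deck names the concept but contains no code. Card tokens,
merchant IDs and dates below are made up."""
from collections import defaultdict
from datetime import date

# Constructed history: (card token, merchant ID, transaction date).
TRANSACTIONS = [
    ("F1", "MID-4411", date(2011, 3, 3)),
    ("F2", "MID-4411", date(2011, 3, 5)),
    ("F3", "MID-4411", date(2011, 3, 9)),
    ("F4", "MID-4411", date(2011, 3, 14)),
    ("F5", "MID-4411", date(2011, 3, 20)),
    ("F5", "MID-4411", date(2011, 3, 22)),   # repeat visit, counted once
    ("C1", "MID-4411", date(2011, 3, 7)),    # a card never reported for fraud
    ("F1", "MID-GROCER", date(2011, 3, 2)),
    ("F2", "MID-GROCER", date(2011, 3, 4)),
    ("F3", "MID-GROCER", date(2011, 3, 11)),
    ("F4", "MID-GROCER", date(2011, 3, 12)),
    ("C1", "MID-GROCER", date(2011, 3, 2)),
    ("C2", "MID-GROCER", date(2011, 3, 6)),
    ("C3", "MID-GROCER", date(2011, 3, 8)),
    ("C4", "MID-GROCER", date(2011, 3, 15)),
    ("C5", "MID-GROCER", date(2011, 3, 19)),
    ("F2", "MID-COFFEE", date(2011, 3, 6)),
    ("F3", "MID-OLD", date(2011, 1, 15)),    # outside the window, ignored
]

# Cards the issuers later reported as used fraudulently (constructed).
FRAUD_CARDS = {"F1", "F2", "F3", "F4", "F5"}

# Analysis window (constructed).
WINDOW_START = date(2011, 3, 1)
WINDOW_END = date(2011, 3, 31)


def cpp_candidates(transactions, fraud_cards, start, end, min_fraud_share=0.8):
    """Rank merchants as CPP candidates.

    For each merchant visited in [start, end]:
      fraud_share      = fraction of the reported cards that transacted there
      background_share = fraction of *all* active cards that transacted there
      lift             = fraud_share / background_share
    A merchant is returned only if fraud_share >= min_fraud_share; results are
    sorted by lift, so a merchant that everyone uses (high background share)
    ranks below one that is specific to the fraud population."""
    fraud_seen = defaultdict(set)
    all_seen = defaultdict(set)
    active_cards = set()
    for card, merchant, when in transactions:
        if not (start <= when <= end):
            continue
        active_cards.add(card)
        all_seen[merchant].add(card)
        if card in fraud_cards:
            fraud_seen[merchant].add(card)

    results = []
    for merchant, cards in fraud_seen.items():
        fraud_share = len(cards) / len(fraud_cards)
        if fraud_share < min_fraud_share:
            continue
        background_share = len(all_seen[merchant]) / len(active_cards)
        results.append((merchant, fraud_share, background_share,
                        fraud_share / background_share))
    return sorted(results, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    for merchant, fs, bs, lift in cpp_candidates(
            TRANSACTIONS, FRAUD_CARDS, WINDOW_START, WINDOW_END):
        print(f"{merchant}: {fs:.0%} of fraud cards, {bs:.0%} of all cards, "
              f"lift {lift:.2f}")
```

With the constructed data, every reported card passed through MID-4411 but only 60% of all cards did, so it ranks first; MID-GROCER is visited by 80% of the reported cards but by 90% of all cards, so its lift is below 1 and it is ranked as ordinary background activity.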

Page 20: Incident Response and Forensics


Identification: What To Do

• Immediately contain and limit the exposure.
• Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information.
• Alert all necessary parties immediately.
  – Your internal information security group and incident response team.
  – Your merchant bank.
  – Your local office of the United States Secret Service.

Page 21: Incident Response and Forensics


Investigation

• You need to contract with a PCI Forensic Investigator (PFI)
• 7 approved vendors in the US
• “PFI of Record”
• Forensic investigation
• Lengthy
• Expensive
• Invasive

http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf

Page 22: Incident Response and Forensics


PFI Onsite

• Forensic analysis of (potentially) affected systems
• Breached internet-facing systems (for example, ecommerce sites) must not be brought online until
  – QIRA report accepted by VISA
  – Remediation actions completed
• Forensic investigation can go into business partners, suppliers, service providers

Page 23: Incident Response and Forensics


Remediation

• Become Level 1
• Remain for one year minimum
• Perform a complete Level 1 Assessment
• Fixing the problems
• HUGE expense to organization ($MM)
• Both hard and soft costs
  – Major retailer replaced ½ their POS systems
    • 2500 stores
  – Enterprise Encryption
  – Network Redesign

Page 24: Incident Response and Forensics


Litigation

• Fines
• Non-compliance fines ($5-25k/$$M)
• Increase in credit card transaction fees
• Mandates for other regulations
  – FTC
• Lawsuits
• Plaintiff costs
• Trickle effect? Are others vulnerable?
  – What does the trust model look like?
  – Does a breach of one affect others?

Page 25: Incident Response and Forensics


5 Biggest Technical Mistakes In Response to a Breach

Page 26: Incident Response and Forensics


Technical Mistake # 1: Delaying Actions

Page 27: Incident Response and Forensics


Delaying Actions

Time is one of the biggest enemies in responding to a breach.

• Think of the “golden hour” rule – the same applies to IR and investigations.

Organizations need to pre-plan through “what if” scenarios because at some point in time an incident will happen.

Page 28: Incident Response and Forensics


Technical Mistake # 2: Change

Page 29: Incident Response and Forensics


Change

• Given the nature of electronic evidence and computing systems, data is constantly changing from second to second.
• Organizations need to adhere to a “change freeze” policy in the event of a data security breach so they may capture the best evidence possible.
• If an organization cannot hold changes, then a full system backup or image should be taken.
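A change freeze is only provable if you can show afterwards what did or did not change. The following Python snippet is an added example, not code from the deck: it builds a SHA-256 manifest of every file under an evidence directory at the moment of the freeze, derives a single digest of that manifest for the chain-of-custody log, and later verifies the tree to report modified, missing and added files. The demo() scenario runs in a temporary directory with constructed file contents; the file names in it are hypothetical.

```python
"""Evidence integrity manifest for a change freeze. Added example, not code
from the deck. Hash every file under a root at freeze time, keep one digest of
the manifest for the custody log, and verify later to see what changed."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def manifest_digest(manifest: dict) -> str:
    """One hex digest over the canonical JSON form of the manifest. Record this
    value in the chain-of-custody notes, stored apart from the evidence itself,
    so the manifest can later be shown to be the one taken at freeze time."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_manifest(root, manifest: dict) -> dict:
    """Compare the tree under root against a stored manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: freeze a small tree, then make the kinds of change
    an untracked response would make, and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_text("constructed log line 1\n")
        (root / "config.ini").write_text("[pos]\nkey=constructed\n")

        frozen = build_manifest(root)
        custody_value = manifest_digest(frozen)   # goes into the custody log

        # Changes made after the freeze.
        (root / "logs" / "auth.log").write_text("constructed log line 1\nrotated\n")
        (root / "config.ini").unlink()
        (root / "patch.tmp").write_text("constructed")

        report = verify_manifest(root, frozen)
        report["manifest_unchanged"] = manifest_digest(frozen) == custody_value
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is taken before any response action touches the system, and the single digest from manifest_digest() is what gets written into the custody record; at verification time the report separates files that were edited from files that were deleted or introduced, which is the distinction an examiner needs when deciding whether the evidence still reflects the state at the time of the breach.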

Page 30: Incident Response and Forensics


Technical Mistake # 3: Over / Under Reacting

Page 31: Incident Response and Forensics


Overreacting

• Organizations will move into an overreacting state rather quickly, whereby they inadvertently change or destroy critical evidence.
• In most cases, this is due to a lack of planning or experience within the organization.

Page 32: Incident Response and Forensics


Underreacting

• Just the opposite of over reacting, some organizations will under react whereby not notifying parties in a timely fashion.

• Some will brush the event off as an anomaly.


Page 33: Incident Response and Forensics


Technical Mistake #4: Inexperience

Page 34: Incident Response and Forensics


Inexperience

• More often than not, organizations will call the “IT guy” to come review the systems.

– Mainly an issue with smaller organizations.

• An experienced staff or firm needs to be ready to act in a timely manner to limit the exposure of the compromise.

• Proper training is paramount, and its importance only grows given the constant changes in today’s technology.


Page 35: Incident Response and Forensics


Inexperience

• Users can be a major source of security breaches if they are not knowledgeable about security policy and acceptable computer/network usage.

• The bottom line is that organizations need to continuously train and educate users; proper security awareness training should be done on a regular basis.


Page 36: Incident Response and Forensics


Technical Mistake #5: Inconclusive Findings

Page 37: Incident Response and Forensics


Inconclusive Findings

• More often than not, organizations will have one or more areas where the data is inconclusive and cannot support the investigation.

– No supporting evidence at the border (firewalls, routers, or IDS/IPS)

• If logging is not enabled, an organization has no way to detect whether it has been compromised.

– Logging also allows investigators to trace back to the origin, which in some cases can aid law enforcement in a successful apprehension.
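To make the point about border logging concrete, here is an added example (not from the AT&T deck) that correlates constructed firewall, IDS and router log lines over an incident window: it traces the external origin of a connection to a compromised internal host, records which border devices corroborate it, and marks the finding inconclusive when a border device has no records at all for the window. The log format, addresses and timestamps are hypothetical.

```python
from collections import namedtuple
from datetime import datetime

# Constructed sample border logs in a hypothetical "timestamp action key=value..." format.
BORDER_LOGS = {
    "firewall": [
        "2011-06-01T02:14:07 ACCEPT src=203.0.113.45 dst=10.0.0.12 dport=3389",
        "2011-06-01T02:15:30 ACCEPT src=198.51.100.7 dst=10.0.0.50 dport=443",
        "2011-06-01T02:20:11 ACCEPT src=203.0.113.45 dst=10.0.0.12 dport=445",
    ],
    "ids": ["2011-06-01T02:14:09 ALERT sig=RDP-BRUTE src=203.0.113.45 dst=10.0.0.12"],
    "router": [],  # logging never enabled on the router: nothing to support the investigation
}

Finding = namedtuple("Finding", "origins corroborated_by gaps conclusive")


def parse(line):
    """Split one log line into a dict of key=value fields plus a parsed timestamp."""
    ts, _action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def trace_origin(logs, victim, start, end):
    """Correlate every border source over the incident window [start, end] (ISO strings).

    origins:         external addresses seen connecting to `victim` in the window
    corroborated_by: border sources that recorded at least one of those connections
    gaps:            sources with no records at all in the window (logging off or lost)
    conclusive:      exactly one origin, corroborated, and no silent border device
    """
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    origins, corroborated, gaps = set(), set(), set()
    for source, lines in logs.items():
        in_window = [f for f in map(parse, lines) if start <= f["ts"] <= end]
        if not in_window:
            gaps.add(source)  # the "no supporting evidence at the border" case
            continue
        hits = {f["src"] for f in in_window if f.get("dst") == victim}
        if hits:
            origins |= hits
            corroborated.add(source)
    conclusive = len(origins) == 1 and bool(corroborated) and not gaps
    return Finding(frozenset(origins), frozenset(corroborated), frozenset(gaps), conclusive)


if __name__ == "__main__":
    print(trace_origin(BORDER_LOGS, "10.0.0.12", "2011-06-01T02:00:00", "2011-06-01T03:00:00"))
```

With the router silent, the origin is still identified from the firewall and IDS, but the finding is reported as inconclusive; supplying router records for the same window turns it conclusive.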


Page 38: Incident Response and Forensics
