
Incident Investigation A day in the life of a First Responder


How can it Happen

You've Been Compromised!




An incident may involve:
- A virus outbreak
- A malicious program found on a desktop, USB device, or ...
- An attack on a network platform that is accessible by the customer/client base
- Employees visiting websites that are infected
- Employees signing up for virus protection that is not legitimate
- Social engineering

  

Slide 2 comment (k1), katbra_sup, 4/6/2011: same text as the "What are the first steps to being Compromised" slide below.

What are the first steps to being Compromised

- Visiting websites such as Flickr, a photo site (example: the Monkif malware)
- Social engineering: calling the helpdesk to ask for login information and tricking the helpdesk, sometimes with repeat calls as the caller gathers more information with each successive phone call
- Virus protection: offered under the umbrella of a Christian or other type of organization, but in actuality the download is a keylogger that attempts "command and control" to upload intellectual property
- USB devices: a user has a USB device on a home computer; malware downloaded onto it from email or a website is brought into work and infects the work machine

Monitor ...
- Network activity
- Web access, with products such as Websense
- Application events and employee activity
- Login activity: remote RDP and VPN solutions
- User activity: USB devices, CDs, videos, etc.; AV scans
- Data access and database transactions
- Client activity
- Email and data transactions


What is our First Line of Defense


An alert can be received from a SIEM or other source, including:
- IDS alerts
- Firewall scans
- Port scanning


JSUNPACK A Generic JavaScript Unpacker




 

CAUTION: jsunpack was designed for security researchers and computer professionals.
(Screenshot of the jsunpack submission form: recent submissions; enter a single URL or paste JavaScript to decode; upload a PDF, pcap, HTML, or JavaScript file; private option; help; description.)

Virus Total


VirusTotal is a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. It also provides safety ratings and user comments (disinfection, in-the-wild locations, reverse engineering reports, etc.) on malware and URLs, free and easy.

FireEye


  

(Screenshot of a FireEye alert record: InfoStealer.Banker.Zbot; file://jar_cache 52835._exe; Windows Explorer; winxp-sp3; Done 04/12/11 11:48:51; pcap M4611686018427388252-31-31-2011-0412-114947.pvna.pcap, Success (text); 04/12/11 11:48:52 to 04/12/11 11:58:10)

When smoke fills a Room




So with the safety nets, hardware and software devices in place, how does a network or computer become infected? When there is smoke in a room the fire alarm goes off, and then the firefighters take action. So it is with malware: there are instances when it can be contained, but sometimes the alarm sounds only after the payload has been dropped onto the machine. The first responders then use their tools and gather the forensic evidence, such as the proxy logs retained by the system, and either decide it is a false alarm or remediate.
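As an added example (not from the deck), here is a small Python triage helper that does what this slide describes: pull the alerted host's proxy log entries around the alert time and check whether executable content was fetched before the alarm sounded. The log format, hosts and URLs are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log (squid-like: timestamp client status bytes method url).
# Hosts and URLs are placeholders for illustration, not real indicators.
PROXY_LOG = """\
2011-04-12 11:40:02 10.0.5.21 200 18422 GET http://intranet.example.invalid/news
2011-04-12 11:47:10 10.0.5.21 200 91233 GET http://photos.example.invalid/gallery.html
2011-04-12 11:47:31 10.0.5.21 200 214501 GET http://cdn-ads.example.invalid/loader.jar
2011-04-12 11:48:40 10.0.5.21 200 388000 GET http://cdn-ads.example.invalid/update.exe
2011-04-12 11:49:05 10.0.5.21 200 512 POST http://stats.example.invalid/gate.php
2011-04-12 11:48:50 10.0.5.22 200 4110 GET http://intranet.example.invalid/news
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<client>\S+) (?P<status>\d+) "
    r"(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"
# Content an analyst pulls first when an AV or sandbox alert names a dropped executable.
SUSPECT_EXT = (".exe", ".jar", ".scr", ".dll")

def parse_proxy_log(text):
    """Parse matching lines into dicts; unparseable noise lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            entries.append(d)
    return entries

def triage_alert(entries, client, alert_ts, window_minutes=10):
    """Collect the client's requests within +/- window of the alert and give a verdict:
    'investigate' if executable content was fetched in the window (alarm fired after the
    payload landed), else 'likely false alarm'; also list POSTs made after the last drop."""
    alert = datetime.strptime(alert_ts, TS_FMT)
    lo, hi = alert - timedelta(minutes=window_minutes), alert + timedelta(minutes=window_minutes)
    related = [e for e in entries if e["client"] == client and lo <= e["ts"] <= hi]
    downloads = [e for e in related if e["url"].lower().endswith(SUSPECT_EXT)]
    posts = []
    if downloads:
        last_drop = downloads[-1]["ts"]
        posts = [e for e in related if e["method"] == "POST" and e["ts"] > last_drop]
    verdict = "investigate" if downloads else "likely false alarm"
    return {"related": related, "downloads": downloads, "post_after_drop": posts, "verdict": verdict}
```

Run the alert from the slide against a host that shows a .jar and .exe download followed by a POST, and against a quiet host, and the verdict differs accordingly.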

Is There any way to be Proactive?

Application layer: provides a means for the user to access information on the network through an application. This layer is the main interface for the user to interact with the application and therefore the network. Application firewalls detect data loss or insider theft: they look into the contents of applications to see information within emails, web forms, instant messages, and hundreds of other applications, allowing you to be immediately notified when your most valuable information is "in motion".

There is software that tracks anomalies in real time and uses indicators of risks and threats to act before the threat infects the system.

How important is Policy


Your first challenge is the people who utilize your system. Web browsing, email such as Yahoo, social networking, and USB connectivity all create an entry point!
Policy is the greatest tool that an organization can utilize, and it starts with employee education:
- Focus on critical assets and data leakage
- Lock down USB devices with endpoint protection
- Block websites that are not necessary for business or pose a potential risk
- Keep current on trends by attending webinars, most of which are free from many of the top companies in the industry.
