http://www.securityorb.com/2013/05/3-big-mistakes-incident-response/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityorbcom+%28SecurityOrb.com%29#utm_source=feed&utm_medium=feed&utm_campaign=feed?utm_source=rss&utm_medium=rss&utm_campaign=3-big-mistakes-incident-response
Wednesday, May 15, 2013
Saturday, April 20, 2013
8 tips for a security incident handling plan
8 tips for a security
incident handling plan
Incident handling is a vast topic, but here are
a few tips for you to consider in your incident response
1. Have an incident
response plan. It is, of course, the most obvious advice, however you would be
amazed at the number of organisations that "haven't quite got around to it
yet".
It doesn't need to
be 400 pages long (nor should it be half a page most likely) but documenting
your incident response plan and distributing it up front can make a massive
difference when the inevitable occurs.
2. Pre-define your
incident response team and make sure it draws from multiple
disciplines. A good incident response team should not just consist of IT or
security people (though they undoubtedly need to be a strong core), but should
also include PR, HR, Legal and executives to name just a few.
For instance, not involving the PR team could result in external
communications that are more damaging than the breach in the first place.
Make sure each member of the team is briefed on their involvement and
expectations. Watch that list of team members, however. It gets old quickly as
people leave, go on vacation or just forget what they signed up for.
3. Define your
approach: watch and learn or contain and recover. We have seen
great examples of this in the news recently. When an incident occurs and is
verified - for instance a hacker compromising one of your web servers - you
need to make the call on whether to recover as quickly as possible or to watch
the attacker and learn.
You need to make
this policy decision upfront because it requires good preparation, executive
support and a skilled team to manage the risk. Most organisations will (and
should) focus on containing the damage and recovering business systems.
Detailed forensics
and observing the attackers is often too great a business expense for many
firms, but don't give up entirely on capturing evidence - you never know when
you may need it later.
If you are a target
likely to come under persistent long term attacks from adversaries (perhaps a
nation state, a competitor or a hacking gang that you have riled somehow)
learning more about your adversary to help build future defences can make a lot
of sense.
You should not
venture down this path unless you have the resources (people, duplicate
systems, network infrastructure for suitable containment) to execute it
successfully and it absolutely requires executive buy-in or you will find
yourself out of a job very quickly if it goes wrong.
Make this decision
up front, discuss the risk attitude of the business and alter your incident
response process appropriately. Of course, you won't watch and learn on every
attack, so identify the two paths and when you will use them.
4. Pre-distribute call
cards. Another common mistake is to depend upon your normal communication
infrastructure in the event of an incident.
Imagine that the
LAN stops working, no-one knows anyone else's number and email doesn't work. It
will be pretty tough to handle an incident in that situation.
Decide up front
communication methods, choose a call bridge or similar and then distribute
details to each of the stakeholders.
5. Forensic and incident
response data capture. This goes wrong a lot. During and after
security incidents, pressure can be high and there is a tendency to rush, which
- of course - means mistakes are made.
In particular,
define how you will capture notes (I like a lined, dated paper notebook which
is easy for courts to get their heads around) and evidence.
Do you run
Volatility to capture memory? Do you power off the machine and take an image of
the disk to capture as much as you can before the attack shuts down? Decide in
which instances you will follow each path and build a toolkit ready to go.
6. Get your users
on-side. Incident response is not just an 'IT thing'. Make sure your
incident response links up with your organisation's acceptable use policy and
security awareness program.
You want your users
to know how to tell you if they think an incident is occurring. In particular,
system administrators, application owners and data owners should know how to
contact you if they spot something unusual. The incident response process can
then be spun up (or spun down if it's a false alarm) quickly. Don't just write
the policy and leave it on the intranet somewhere.
7. Know how to report
crimes and engage law enforcement. Certain types of incident may
require you to report to law enforcement but often when such an opportunity
arises no-one knows exactly how to do it.
From having your web server hacked to the theft of credit card details
or IP it pays to understand the process and requirements in advance. Check out
Naked Security's quick guides on reporting
computer crimes and find out who your representative is before
you need them.
8. Practice makes
perfect. The process can be documented but when it comes time to use it the
bridge is enabled and no one connects or knows what to do. Stage an incident
and have your team dial in and work through the mock scenario.
Wednesday, April 10, 2013
Industrial Control System Standard of Practice
Industrial Control System Standard of Practice
All.Net presents our standards of practice decision framework for securing industrial control systems. These decisions provide an overarching basis and many specifics surrounding what we currently view as a reasonable and prudent approach to addressing information protection for industrial control systems. While there may be many other approaches that might also meet the need, we hope that these will provide guidance and discussion within the community, and we use them as a starting point in our practice to help guide consistent quality and performance within our own team and in customer engagements.
This content is part of a process used by our affiliated companies as developed over many years. We identify these issues, characterize the environment, and apply these decision points by interacting with clients and applying our expertise to help form overall architecture and its component parts. Typically, decisions are reviewed both internally and externally in an iterative fashion so that as we discover things that require changes, those changes ripple through the overall standard to keep it up to date and relevant.
In many cases, this standard of practice is used starting with an as-is review, identifying a desired future state, doing what, by then, is a relatively straight forward gap analysis, and then characterizing a workable transition plan for the organization. In our more agile approach, we undertake only an initial and periodic as-is and future state analysis, understanding that the reduced time and cost in assessment leads to more resources available for acting on the results, and that planning is less certain and less permanent when we are moving at a faster pace.
Tuesday, April 9, 2013
A peek inside the ‘Zerokit/0kit/ring0 bundle’ bootkit
Features:
- Start of *.exe, *.dll (*.dll is in a pre-alpha stage) and shellcodes in a context of the chosen process.
- Start of files from a disk and from the memory* (start from memory is in a pre-alpha stage).
- Start of files with specified privileges: CurrentUser and NT SYSTEM/AUTHORITY.
- Granting the protected storehouse** for off-site (your) ring3-solutions for permanent existence in the system without need of crypt.
- Survivability of the bundle, down to a reinstallation of the system.
- All the components are stored outside of a file system and are invisible to OS.
- Intuitively clear interface of admin-panel.
- Protection against the abstraction of Admin Panel.
- Impossibility of detection of the bundle in the working system by any of known AV/rootkit scanner, owing to the use of author’s technologies of concealment. The unique opportunity of detection exists only at loading with livecd or scanning of a disk from the other computer. Thus the opportunity of detection is also extremely improbable, as own algorithms of a mutation are used.
- Start of *.exe, *.dll (*.dll is in a pre-alpha stage) and shellcodes in a context of the chosen process.
- Start of files from a disk and from the memory* (start from memory is in a pre-alpha stage).
- Start of files with specified privileges: CurrentUser and NT SYSTEM/AUTHORITY.
- Granting the protected storehouse** for off-site (your) ring3-solutions for permanent existence in the system without need of crypt.
- Survivability of the bundle, down to a reinstallation of the system.
- All the components are stored outside of a file system and are invisible to OS.
- Intuitively clear interface of admin-panel.
- Protection against the abstraction of Admin Panel.
- Impossibility of detection of the bundle in the working system by any of known AV/rootkit scanner, owing to the use of author’s technologies of concealment. The unique opportunity of detection exists only at loading with livecd or scanning of a disk from the other computer. Thus the opportunity of detection is also extremely improbable, as own algorithms of a mutation are used.
* Start of a file from the memory allows to
bypass all modern proactive protection and AV-scanners, that is, there is no
necessity to crypt a file.
** Protected storehouse is the original ciphered file system in which the certain quantity of files which will be started from the memory at each start of the OS can be stored.
** Protected storehouse is the original ciphered file system in which the certain quantity of files which will be started from the memory at each start of the OS can be stored.
The bundle consists of:
- Bootkit. It is responsible for the start of the basic modules at a stage of loading of OS.
- Driver. It is responsible for all infrastructure and implements componential business-logic on the basis of so-called mod (functional unit). That is, the driver is not a legacy driver (monolithic), and consists of the set of mods that allows to operate the bundle with maximum of flexibility, and to protect (hard to reverse), update and expand it.
- Dropper. At the current moment it brake out all machines with the patches till January, 8th, 2011, except for XP x32/x64 where reloading is initiated. If the systems distinct from XP have latest updates reloading is initiated as well.
- User friendly Admin Panel.
- Bootkit. It is responsible for the start of the basic modules at a stage of loading of OS.
- Driver. It is responsible for all infrastructure and implements componential business-logic on the basis of so-called mod (functional unit). That is, the driver is not a legacy driver (monolithic), and consists of the set of mods that allows to operate the bundle with maximum of flexibility, and to protect (hard to reverse), update and expand it.
- Dropper. At the current moment it brake out all machines with the patches till January, 8th, 2011, except for XP x32/x64 where reloading is initiated. If the systems distinct from XP have latest updates reloading is initiated as well.
- User friendly Admin Panel.
Also I will give support to clients within the subscription fee. I
provide them with:
- Development of new functionality and
- Development of new exploits for the dropper.
- Perfection of algorithms of concealment and penetration of the system.
- Development of new functionality and
- Development of new exploits for the dropper.
- Perfection of algorithms of concealment and penetration of the system.
High scalability of zerokit allow to develop additional mods and
to complicate business-logic of all infrastructure.
Zer0kit have flexible update subsystem and can live in system as
long as possible. Also zerokit has considered and provable logic to prevent the
lost of bots.
Supported OSes:
– Windows XP SP1-SP3 (x32, x64)
– Windows Vista SP1-SP2 (x32, x64)
– Windows 7 SP0-SP1 (x32, x64)
– Windows XP SP1-SP3 (x32, x64)
– Windows Vista SP1-SP2 (x32, x64)
– Windows 7 SP0-SP1 (x32, x64)
Tuesday, March 26, 2013
SIEM- Used Cases
I was trying to creates a list of used cases to be deployed across any type of SIEM in any line of business-
Below is a brief list..... Let me know your inputs.
Wednesday, March 20, 2013
Mandiant APT1 Report Appendix F Update: SSL Certificate Hashes
Mandiant APT1 Report Appendix F Update: SSL Certificate Hashes:
The following are MD5 and SHA1 hashes for the DER encoded SSL certificates released in Appendix F of the recent Mandiant APT1 report. We are releasing these to aid network detection of APT1 SSL-encrypted malware traffic.
The following are MD5 and SHA1 hashes for the DER encoded SSL certificates released in Appendix F of the recent Mandiant APT1 report. We are releasing these to aid network detection of APT1 SSL-encrypted malware traffic.
| SIGNATURES | MD5 | SHA1 |
| ALPHA | 6b4475ce9f9c5c4b9d2e7edc8bdbf849 | b054e26ef827fbbf5829f84a9bdbb697a5b042fc |
| AOL | 9588bf142248bb8ddda05567f159b1a7 | 7bc0cc2cf7c3a996c32dbe7e938993f7087105b4 |
| AOL | 455f8979143415b9eed0e0d6fc153c1c | 7855c132af1390413d4e4ff4ead321f8802d8243 |
| AOL | 80c982508b78d4b5bf1d64a181d477f9 | f3e3c590d7126bd227733e9d8313d2575c421243 |
| AOL | 98153da6e11ee7c6132345ac8b716679 | d4d4e896ce7d73b573f0a0006080a246aec61fe7 |
| AOL | 8d9ef1704857fcefc6f476abc3690597 | bcdf4809c1886ac95478bbafde246d0603934298 |
| AOL | 3d3d57b3c4ceea9985f4e00daef40239 | 6b4855df8afc8d57a671fe5ed628f6d88852a922 |
| AOL | 62e1450f0ce0d80d1148ca25d805537b | d50fdc82c328319ac60f256d3119b8708cd5717b |
| AOL | 428584cbf6c150f794e1eb505f0ae03c | 70b48d5177eebe9c762e9a37ecabebfd10e1b7e9 |
| AOL | d50189fd73a18bd9af3b5a7208c3a353 | 3a6a299b764500ce1b6e58a32a257139d61a3543 |
| AOL | 2dece470908e49b7dfc067a7371b0f83 | bf4f90e0029b2263af1141963ddf2a0c71a6b5fb |
| AOL | 039d81836dfb02f5299a7053f8908207 | b21139583dec0dae344cca530690ec1f344acc79 |
| 0189e307c3abe5dd56937eeb06badaea | 21971ffef58baf6f638df2f7e2cceb4c58b173c8 | |
| IBM | 22da947f2df649c802ed496b2ccf4bc1 | 04ecff66973c92a1c348666d5a4738557cce0cfc |
| IBM | 38e7c187b6dbbc329ad70d23c92f51ef | f97d1a703aec44d0f53a3a294e33acda43a49de1 |
| IBM | e179aa7e3e1a3dbb3f56ee9ecc1b23a8 | c0d32301a7c96ecb0bc8e381ec19e6b4eaf5d2fe |
| LAME | 773ec2b9047beb82497e499c1be2c2fd | 1b27a897cda019da2c3a6dc838761871e8bf5b5d |
| MOON-NIGHT | 2d3c66e46930fe1d959f28c8a45f0282 | d515996e8696612dc78fc6db39006466fc6550df |
| NONAME | 0ef1386ec78e966beb4e6a199ca5abf0 | 8f79315659e59c79f1301ef4aee67b18ae2d9f1c |
| NS | 9619fa9d77e7e1daddf677085ed6e27e | a57a84975e31e376e3512da7b05ad06ef6441f53 |
| SERVER (PEM) | 249d75f0d70818204f9130be59c95cad | b3db37a0edde97b3c3c15da5f2d81d27af82f583 |
| SUR | 71cdf4068e9ea76c853bec4701700da6 | 6d8f1454f6392361fb2464b744d4fc09eee5fcfd |
| VIRTUALLYTHERE | bc1fc00b050d812eac595e802b363fa7 | b66e230f404b2cc1c033ccacda5d0a14b74a2752 |
| WEBMAIL | cc9893cdc79c15127ff52ee0ee85a771 | 4acbadb86a91834493dde276736cdf8f7ef5d497 |
| YAHOO | 596f3e7660e0a5bd79c33f7a50c17565 | 86a48093d9b577955c4c9bd19e30536aae5543d4 |
Wednesday, February 20, 2013
Exposing One of China's Cyber Espionage Units
Analysis has led us to conclude that APT1 is likely government-sponsored
and one of the most persistent of China's cyber threat actors. The scale and
impact of APT1's operations compelled us to write this report. In an attempt to
bolster defenses against APT1 operations Mandiant is also releasing more than
3,000 indicators as part of the appendix to this report, which can be used with
our free tools and
our commercial products to search for signs
of APT attack activity.
Highlights of the report include:
·
APT1 is believed to be the 2nd Bureau of the People’s Liberation Army
(PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly
known by its Military Unit Cover Designator (MUCD) as Unit 61398.
·
APT1 has systematically stolen hundreds of terabytes of data from at
least 141 organizations.
·
APT1 focuses on compromising organizations across a broad range of
industries in English-speaking countries.
·
APT1 maintains an extensive infrastructure of computer systems around
the world.
·
In over 97% of the 1,905 times Mandiant observed APT1 intruders
connecting to their attack infrastructure, APT1 used IP addresses registered in
Shanghai and systems set to use the Simplified Chinese language.
·
The size of APT1’s infrastructure implies a large organization with at
least dozens, but potentially hundreds of human operators.
·
In an effort to underscore that there are actual individuals behind the
keyboard, Mandiant is revealing three personas that are associated with APT1
activity.
·
Mandiant is releasing more than 3,000 indicators to bolster defenses
against APT1 operations.
Mandiant_APT1_Report.pdf
MD5: 936FEB234F60CFBF6916BA61FBAB2781
SHA-1: 3974687624EB85CDCF1FC9CCFB68EEA052971E84
MD5: 936FEB234F60CFBF6916BA61FBAB2781
SHA-1: 3974687624EB85CDCF1FC9CCFB68EEA052971E84
Mandiant_APT1_Report_Appendix.zip
MD5: FD103F16BBBB28162C23BE3A47371AA9
SHA-1: ABF9D09A991E56393D18433644FF0DBA907A9154
MD5: FD103F16BBBB28162C23BE3A47371AA9
SHA-1: ABF9D09A991E56393D18433644FF0DBA907A9154
Subscribe to:
Posts (Atom)