An incident response team is like the Avengers

Today, after leaving a meeting, one of my junior analysts said “I guess we need to lower the threshold for declaring an incident.” Intrigued, I asked what brought him to that conclusion. He said “well, our incident response plan says that we organize the team if more than ten computers are affected, but you just said that an incident is any event that indicates harm or malice.” Realizing that further clarification was required, I resorted to my favorite tools: analogies and metaphors.

I gave the example of Captain America hearing a car alarm going off. This is just an event, and not yet an incident. Why? Surely if a car alarm is going off, something bad is happening, right? No, not necessarily. It could have been set off by the owner by accident, by a teenager zipping by on his skateboard and accidentally slamming into the car, or another car bumping into it while parking. While these are all (noteworthy?) events, none of them represent an incident in the security context because nothing really bad was happening, and there was no evil intent.

This is the equivalent of an analyst detecting an alert on the corporate SIEM. The analyst notes that there are a large number of failed logons occurring on a system. Investigating, he finds that they are all originating from a single workstation, which was unable to log on due to a recent password change. Is this an incident? No.

Taking it to the next phase, let’s say that Cap does investigate, and he sees that the alarm was set off not by some passing skateboarder, but by a common street thug. Does Cap yell “AVENGERS, ASSEMBLE!?” No, not yet. Some two-bit thug trying to jack a car is well within Captain America’s ability to cope with without needing to call upon other members; you don’t call for Thor and Iron Man just because you’ve got them on speed dial, and Cap knows that.

This could be likened to the analyst detecting malware on the affected system. Perhaps this malware was trying a brute force attack against a random system on the network. The analyst tasks the antivirus software to re-scan the system and do a cleanup, which it does successfully. Problem solved, with no need to bring on additional help.

Even if the guy breaking into the car turns out to be Batroc, Cap doesn’t go crying for help, because he has handled the likes of him on his own many times in his extensive career. But what if Batroc is not alone, and is accompanied by his brigade of super villains? This is where it gets a bit subjective. Being a seasoned incident responder, Cap is likely to attempt an immediate intervention in their nefarious activities, even though he’s outnumbered. However, if he starts to realize he’s being overwhelmed, Captain America is not too proud to reach out to a nearby resource like Bucky, the Falcon, or Spider-Man if he’s nearby. Since he has an established relationship with many other super-powered resources around the world, help is just a quick call away.

The analyst continues to investigate, and finds that there is malware on the affected system, and also notices alerts that other nearby systems are apparently infected with the same malware. Contacting the department IT liaison, he finds that they are aware of the infection, which was passed around by a shared USB drive. Working together, the department contact and the analyst are able to clean up the malware before it spreads beyond the handful of machines.

But, let’s say that Cap notices it’s not just an ordinary thug, and not even just Batroc’s Brigade, but it turns out that, for some reason – don’t ask why – it’s Ultron who has decided to steal this car. As a villain who has tried to destroy the world, and come awfully close to doing so, this is immediately dubbed a very serious incident.

Further investigation reveals that multiple systems have been infected, and are communicating with an external IP address in a remote location. There is now evidence that classified data is being exfiltrated from the network. It’s time to call on extra help. The incident response team, consisting of members of the networking, server administration, and department IT teams, is notified, and a command center is established. The team immediately begins to compare notes to determine what is going on, and how to contain the threat.

This is why Captain America’s got not just Bruce Banner’s cell phone, Nick Fury’s SUV phone, and Tony Stark’s office number, but also Pepper Potts’ pager (because she’ll be able to get a hold of Tony, regardless of what lady has caught his attention this evening). Cap also has a plan, which directs him to notify the regular members of the team.

This is why the incident response plan must be regularly updated to include a current list of contacts, the systems for which they are responsible, and their best contact methods.
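The escalation ladder described above (single-source failed logons are only an event; malware on one machine stays with the analyst; a handful of infected machines brings in the department contact; exfiltration to an external address assembles the team) and the contact roster the plan should carry can be expressed as a small triage routine. The following is an added example, not code from the original post: the SIEM line format, host names, the 203.0.113.7 address, the `10.` internal prefix and the roster entries are all constructed, and the ten-machine figure is the one the post’s own incident response plan quotes.

```python
import re
from collections import defaultdict

# Constructed SIEM records in a hypothetical "key=value" line format (not any real product's format).
SAMPLE_LOGS = """\
2012-06-01T08:00:01 type=auth_fail src=ws-017 dst=fileserver01 user=jdoe
2012-06-01T08:00:02 type=auth_fail src=ws-017 dst=fileserver01 user=jdoe
2012-06-01T08:00:03 type=auth_fail src=ws-017 dst=fileserver01 user=jdoe
2012-06-01T09:10:00 type=av_detect host=ws-042 malware=Worm.USB.Gen
2012-06-01T09:12:00 type=av_detect host=ws-043 malware=Worm.USB.Gen
2012-06-01T09:15:00 type=av_detect host=ws-044 malware=Worm.USB.Gen
2012-06-01T09:30:00 type=net_conn src=ws-042 dst=203.0.113.7 bytes_out=48000000
"""

# Constructed benign case: one workstation retrying with a stale password after a change.
BENIGN_LOGS = """\
2012-06-02T10:00:01 type=auth_fail src=ws-101 dst=fileserver01 user=asmith
2012-06-02T10:00:02 type=auth_fail src=ws-101 dst=fileserver01 user=asmith
"""

PLAN_TEAM_THRESHOLD = 10   # the post's IR plan: assemble the team above ten affected machines
INTERNAL_PREFIX = "10."    # constructed: the hypothetical corporate address range

KV = re.compile(r"(\w+)=(\S+)")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LADDER = ["event", "analyst", "department", "ir_team"]

# Constructed roster in the shape the plan calls for: (name, systems owned, contact methods in order).
ROSTER = {
    "analyst":    [("SOC analyst on duty", "SIEM", ["desk phone", "email"])],
    "department": [("Department IT liaison", "departmental workstations", ["desk phone", "mobile"])],
    "ir_team":    [("Network team lead", "firewalls and routers", ["mobile", "pager"]),
                   ("Server admin lead", "file and domain servers", ["mobile", "email"])],
}


def parse(text):
    """Turn the constructed log text into a list of dicts, one per record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rest = line.split(" ", 1)
        rec = dict(KV.findall(rest))
        rec["ts"] = ts
        records.append(rec)
    return records


def is_external(dst):
    """An IPv4 destination outside the internal prefix; hostnames are treated as internal."""
    return bool(IPV4.match(dst)) and not dst.startswith(INTERNAL_PREFIX)


def summarize(records):
    """Count failed logons per source, collect infected hosts and outbound flows to external addresses."""
    auth_sources = defaultdict(int)
    infected = set()
    exfil = []
    for r in records:
        t = r.get("type")
        if t == "auth_fail":
            auth_sources[r["src"]] += 1
        elif t == "av_detect":
            infected.add(r["host"])
        elif t == "net_conn" and is_external(r["dst"]):
            exfil.append((r["src"], r["dst"], int(r.get("bytes_out", 0))))
    return {"auth_sources": dict(auth_sources), "infected": infected, "exfil": exfil}


def triage(summary):
    """Return (is_incident, escalation level, affected host count).

    An incident is any evidence of harm or malice; how far up the ladder it goes depends on scope.
    Failed logons alone, even many from one source, are an event until malware or exfiltration shows up.
    """
    affected = set(summary["infected"]) | {src for src, _, _ in summary["exfil"]}
    if not affected:
        return False, "event", 0
    if summary["exfil"] or len(affected) > PLAN_TEAM_THRESHOLD:
        return True, "ir_team", len(affected)
    if len(affected) > 1:
        return True, "department", len(affected)
    return True, "analyst", len(affected)


def triage_logs(text):
    return triage(summarize(parse(text)))


def notify_list(level):
    """Everyone at or below the reached rung gets a call: the circle widens, it never skips a ring."""
    reached = LADDER[:LADDER.index(level) + 1]
    return [name for lvl in reached for name, _, _ in ROSTER.get(lvl, [])]


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_LOGS), ("benign", BENIGN_LOGS)):
        incident, level, n = triage_logs(text)
        print(label, incident, level, n, notify_list(level))
```

The benign set reproduces the analyst’s first case: the failed logons all come from one workstation, nothing malicious is present, and no one is called. The sample set reaches the team rung on the exfiltration evidence alone even though only three machines are affected, which is the distinction the junior analyst was missing: the ten-machine figure governs one rung of the ladder, not whether an incident exists.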

If it turns out that things are getting really bad, he may need to call upon a specialist. For example, since Ultron is (these days, anyway) made largely of vibranium, it may make sense to call upon someone with extensive knowledge of the precious metal – good thing Cap kept T’Challa’s WhatsApp handle at the top of his favorites! Now the Black Panther is only a hop, skip, and a jump away from joining the team. If other threats are encountered along the way, say, it’s found that Doctor Doom may be collaborating with Ultron, more help – in the form of the Fantastic Four – may be called upon, as they have extensive experience dealing with Victor von Doom, and can likely help contain the threat in a timely fashion.

The organization maintains relationships with law enforcement, their ISP, and outside security firms who can supplement the incident response team if required. Calling on a professional services firm to assist with containing an advanced persistent threat may be called for, as well as notifying law enforcement or various government agencies, depending on the nature and scope of the breach that has occurred.

Is every day in the life of a security analyst as exciting as that of an Avenger? Probably not. But it can be fun, at times, especially if you like being a hero. If you think you have relevant skills or information that could be useful in a security incident, let your local security team know, and ask how you could be of help during a crisis. Who knows? You may just get a snazzy, new ID card to carry around.

Deadpool, Captain America, Black Panther, The Thing, Invisible Woman, Mister Fantastic, The Human torch, Iron Man, Thor, Hawkeye, The Incredible Hulk, Black Widow, Falcon, Ultron, and Batroc are property of Marvel Comics.

Today’s Spam/Scam Brought to You by…

What would my inbox be like without my old AOL account?

How are you doing? I am Anastasya. i look for a gentleman. i commonly am tidy, paint… Reply me email in [email protected] Yours, Anastasya…

That’s great! I am looking for a woman who commonly is tidy, paint…

Seriously, it scares me to think that things like this work as openers to social engineering and Nigerian scams that end up robbing people of not only time and money, but sometimes even their lives. Be careful out there.

FINAL WARNING: YOU WILL BE ARRESTED AND JAILED IF YOU FAIL TO READ THE ATTACHED E-MAIL AND COMPLY

Anti-Terrorist and Monetary Crimes Division
FBI Headquarters In Washington, D.C.
Federal Bureau Of Investigation
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW Washington, D.C. 20535-0001

Attention: Beneficiary

This is the final warning you are going to receive from me, do you get me? I hope you understand how many times this message has been sent to you.

We have warned you so many times and you have decided to ignore our e-mails or because you believe we have not been instructed to get you arrested and today if you fail to respond back to us with the payment details below, then we would first send a letter to the MAYOR of the city where you reside and direct them to close your bank account until you have been jailed and all your properties will be confiscated by the FBI, CIA and other enforcement agency. We would also send a letter to the company/agency that you are working for so that they could get you fired until we are through with our investigations because a suspect is not supposed to be working for the government or any private organization.

Your ID which we have in our database have been sent to all the crimes agencies in America for them to inset you in their website as an internet fraudsters and to warn people from having any deals with you. This would have been solved all this while if you had gotten the CERTIFICATE ENDORSED AND STAMPED as you were instructed in the e-mail below. This is the federal bureau of investigation (FBI) am writing in response to the e-mail you sent to us and am using this medium to inform you that there is no more time left to waste because you have been given a mandate. As stated earlier to have the document endorsed, signed and stamped without failure and you must adhere to this directives to avoid you blaming yourself at last when we must have arrested and jailed you for life and all your properties will be seized and bank account will be confiscated too.

You failed to comply with our directives/instruction and that was the reason why we didn’t hear from you, as our director has already been notified about you get the process completed yesterday and right now the WARRANT OF ARREST has been signed against you and it will be carried out in the next 48hours as strictly signed by the FBI director. We have investigated and found out that you didn’t have any idea when the fraudulent deal was committed with your information’s/identity and right now your ID is placed on our website as a wanted person, I believe you know that it will be a shame to you and your entire family because after then it will be announce in all the local channels that you are wanted by the FBI.

As a good Christian and a Honest man, I decided to see how i could be of help to you because i would not be happy to see you end up in jail and all your properties confiscated all because your information’s was used to carry out a fraudulent transactions, i called the EFCC and they directed me to a private attorney who can help you get the process done and he stated that he will endorse and stamp the document at the sum of $98 usd only and i believe this process is cheaper for you.

You need to do every possible thing today and tomorrow to get this process done because our director has called to inform me that the warrant of arrest has been signed against you and once it has been approved, then the arrest will be carried out, and from our investigations we learnt that you were the person that forwarded your identity to one impostor/fraudsters in Nigeria when he had a deal with you about the transfer of some illegal funds into your bank account which is valued at the sum of $10,500,000.00 only.

I pleaded on your behalf so that this agency could give you till 6/20/2012 so that you could get this process done because i learnt that you were sent several e-mails without getting a response from you. Bear it in mind that this is the only way that i can be able to help you at this moment or you would have to face the law and its consequences once it had befallen on you. You would make the payment through western union money transfer with the below details.

NAME: VINCE DURU

ADDRESS: LAGOS, NIGERIA

TEXT QUESTION: BETTER

ANSWER: BEST

AMOUNT: $98

Senders Full Name:

Sender Full Address:

Direct Phone Number:

MTCN:

Send the payment details to me as stated above and make sure that you didn’t hesitate making the payment down to the agency by today so that they could have the certificate endorsed, signed and stamped immediately without any further delay. After all this process has been carried out, then we would have to proceed to the bank for the transfer of your compensation funds which is valued at the sum of $10.500,000.00 usd which was supposed to have been transferred to you all this while.

Note: All the crimes agencies have been contacted on this regards and we shall trace and arrest you if you disregard this instructions. You are given a grace today to make the payment for the document after which your failure to do that will attract a maximum arrest and finally you will be appearing in court for act of terrorism, money laundering and drug trafficking charges, so be warned not to try anything funny because you are been watched.

Expecting your anticipated- Co-operation.

Yours in service,

Robert S. Mueller
FBI DIRECTOR

Passware Password Kit Forensic 11.5 – Software Review

Passware Password Kit Forensic 11.5
Publisher: Passware, Inc.
Price: $995
Product Page

This month, I obtained a review copy of Passware’s “Passware Password Kit Forensic 11.5”. For brevity’s sake, I’ll refer to it as “Passware” for the rest of this review. Passware is a password recovery/cracking system which has the ability to work on multiple file types. The Forensic Kit version adds more features, such as cracking of filesystem passwords and resetting Windows user account passwords.