28 May, 2020

Binalyze: Incident Response from the Perspective of KVKK and ISO27001/ISMS

You can watch our webinar, which we organized by combining our experience in KVKK and BGYS/ISO27001 projects with the capabilities of Binalyze AIR, which has references such as PwC and Deloitte in the world, and we provide answers to the following questions.

  • Is it possible to ensure that the evidence is always in our hands without having to rush to collect evidence when a cyber incident occurs?
  • What is the importance of incident response in terms of KVKK and ISO27001?
  • What is the importance of incident response in the setting of working from home?
  • What is the proactive contribution of pre-incident incident response resolution?
  • What do we mean when we say incident response resolution? Are we talking about a new EDR, SIEM or SOAR solution?
  • Does SIEM only play a triggering role, or do we contribute to the enrichment of SIEM alarms?
  • Where do we record the evidence we collect? How do we prevent the deletion and modification of this evidence?

 

[mnky_heading title=”Soru-Cevap” line_color=”#dd1818″]

In case of data breach, is there any penalty if the board is not informed within 72 hours?

In accordance with the decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10, notification should be made to the board within 72 hours after the institutions learned of the data breach. required is stated. If the notification is not made, they may face administrative fines or warning penalties with the legal entity.

If no notification is made to the board within 72 hours, does the board show any initiative to the institutions?

As I mentioned in the previous question, the board's stance on this decision is clear, and notification must be made within 72 hours after the data breach is learned. We can understand this more clearly when we examine this example (https://www.kvkk.gov.tr/Icerik/6656/2019-352). In the announcement made on the website of the board, which you can access from the link;

It was determined that a bank employee sent the critical data of 3 customers to his own e-mail, and money was withdrawn from the account of one of these customers with fake documents. Later, more extensive fraud activities were carried out with the data obtained from here.

From this point of view, the mistake made by an employee seems to have cost the entire bank, but it is not. When the necessary investigations were made, it was determined that although the bank already has data leak detection / prevention systems, this inappropriate e-mail sending was not noticed by the system. As we have always stated, no matter how much cyber security investment has been made, these systems must be updated and their configurations must be constantly monitored. Otherwise, even if you have taken all the technical measures, if it is not up-to-date and does not work, the board imposes a fine on the grounds that administrative and technical measures are not taken, as seen in the example above.

As we can see from the same example, since the bank did not notify the board within 72 hours, the bank fined the bank 30,000 TL, although the data of only 6 people were leaked as a completely separate item.

From here, we can clearly see that the board does not compromise on this issue and that data breaches that are not reported within 72 hours result in fines.

Is it possible to collect evidence and analyze it in cases that have passed a long time with Binalyze? In some of the examples we have seen, we see that the attackers have been in the systems for a very long time.

Here, the distance of evidence collection and analysis to the event moment is the main factor in Cyber Attacks. Since the attackers are very careful not to trigger products such as Antivirus in deleting their traces on the systems, it is possible to detect a high rate of traces, but it is not possible to get full results in wiped data, including classical forensic methods. Nevertheless, in the report presented by AIR by collecting a wide range of evidence, there is a high probability that remains will be found even if traces have been erased.

Is there a list of all artifacts present in the product?

You can get detailed information at https://binalyze.com/faq.

I used the product as an extra. It collects artifacts quickly on a network-based basis. But opensource products can also collect. I never say the product to be bad, I don't want to be misunderstood. Can you give a detailed answer to the question "Why do we need Air in our institution?"

Although the use of open source products is also an alternative, the main purpose of AIR is rapid and comprehensive evidence collection and triage. In this way, you will not encounter processes such as user error, wrong operation or unknowingly destroying the integrity of the evidence. You can liken it to trying to open a door with a variety of tools instead of a key. AIR is the key to this business, with integration possibilities that are not available in open source products.

What solutions does Binalyze integrate with?

In addition to products commonly used in our country such as Splunk, QRadar, Cryptech, it can work integrated with all SIEM and SOAR solutions that can send RESTful post action.

How do you contribute to enriching the alarms of SIEM products?

AIR is triggered by SIEM products to take a comprehensive view of the alarm-generating machine at the time of the event. This image provides significant convenience to L1 and L2 analysts in the enrichment and false positive elimination of SIEM alarms.

How do you prevent the recorded data from being deleted or destroyed?

AIR saves the data recorded during incident response to a user name and password protected file share or local system. With the SHIELD feature, it also protects the recorded evidence at the operating system kernel level.

What are the requirements for setup and integration? Do we need to cut systems for these?

The installation process is 10 minutes, including Active Directory integration. As hardware requirements, a Windows 7 and later operating system with 4GB+ RAM and a modern processor is sufficient. System interruption does not occur in either server or agent installations. Installation can be performed by choosing one of the SCCM or manual installation methods.

When an incident occurs and the situation is detected, how is the size of the effect determined since the product agent base works? How can an answer be produced to the question of whether the hacker is still inside?

The illuminating factor in answering such questions is the report created by AIR. Thanks to this report, rapid analysis of the incident occurred on the machine in question is made possible, and other machines with which the said machine is in communication are also examined.

Is there any other way to gather evidence besides manually running the product and integrating SIEM/SOAR? Can we trigger the product automatically in the rules or periods we set?

Evidence collection is recommended as a scheduled task, especially for critical assets. Critical asset means; Domain Controller are entities such as Email Server. Taking regular logs of these assets on a daily, weekly or monthly basis, makes it possible to compare in a possible event and accelerates it.

It would be nice if the process tree exits as of the event and we can view the details of all the processes involved.

Among the collected evidence is the process tree.

In order to collect evidence at the time of the event, must the event that will make the post request (for example, SIEM) be able to be caught?

Since triggering is performed as a result of the rule entered in SIEM, an alert must be created by SIEM.

Can it detect an anomaly regarding process similarities?

Process Anomaly and its similarities are among the features provided in Cortex.AI.

Does it have a database for malware analysis? How can we detect them if they are registered as .dll or system files on a malware infected system? thanks

In such cases, Cortex.AI checks the digital signature of the malware file and generates a warning.

Doesn't the use of tree structure of processes make it easier for the analyzer?

Yes it makes it easy. For this reason, a very detailed process tree is provided in AIR.

Can we write a manual rule on Cortex?

In future versions, it will be possible to write rules with Sigma.

It would be great if it was MITER compatibility though. It will also give an idea about which group an analyst is dealing with about the APT attack.

It is planned to associate the detected methods with MITER methods.

Let's just say we got 100 or 200 licenses. But there are 1000+ clients in our institution. As you said, there is a visibility. Can triage be received on the machines where the event occurs with 100 licenses only when the event occurs? Do you have such a license model?

We have comprehensive and purposeful licensing models for licensing. You can get more information about this by contacting CyberArts in more detail.

Is AIR only used on windows?

Linux support will be possible with our recently released IREC for Linux, the most comprehensive Linux evidence gathering software on the market. It is planned to enable Linux evidence gathering and triage features in mid-Q3 2020.

[mnky_heading title=”SPEAKERS” line_color=”#dd3333″]

Moderator
Erdem Eriş
CyberArts
General Manager

Emre Tınaztepe
Binalyze
Managing Director

Neslihan Kocacık
CyberArts
Tecnical Account Manager

İlker Akyol
CyberArts
Senior Consultant

About Content:
Share on Social Media:
Facebook
Twitter
LinkedIn
Telegram