Post on 11-Jun-2018
DISCLAIMER
• Speak only for myself
• These are opinions, not facts
• I could be wrong about anything
• Use at your own risk
Saturday, March 2, 2013
About Me
• Recently set up IR functions at a mid-sized business
• Not an expert by any stretch
• Goal for talk:
• Make it easier for you to start IR
About the Talk
• No l33t reversing, new tools, or shocking discoveries
• Fundamentals for new responders
• Lots of how-to videos
Overview
• Introduction
• Prerequisites
• Example toolset
• Using the tools (demos!)
• Links, links, links
What is DFIR?
http://www.playmofriends.com/forum/index.php?topic=10703.0
Deploy the Incident Response Team
http://securityreactions.tumblr.com/post/41007253406/deploy-the-incident-response-team
SOC when a security incident is underway
http://securityreactions.tumblr.com/post/36590251963/walking-into-the-soc-when-a-security-incident-is
Digital Forensics
• Traditionally criminal investigations
• Hard disk image
• Internet history/cache
• Deleted files
• Filesystem timeline
Incident Response
• Mitigate DoS
• Discover vector for site defacement
• Mass-virus/worm outbreaks
• Product security flaw reports (PSIRT)
DF to the IR
• IR is one application of DF methods
• Strange paradox: heavy human influence, yet utterly depends on keeping emotions in check
• There’s always an adversary
• Efficiency is an absolute requirement
Do I Really Need It?
• Ever had a virus infection?
• Know for a fact what data exfiltrated?
• Think your AV handles rootkits?
• Do your users click phishing messages?
• Is your policy method “finger in the wind”?
Perhaps You’ve Heard...
http://threatpost.com/en_us/blogs/comment-crew-expos-new-level-china-attack-attribution-021913
Only Big Companies?
http://www.bloomberg.com/news/2012-11-27/china-mafia-style-hack-attack-drives-california-firm-to-brink.html
Overview
• Introduction
• Prerequisites
• Example toolset
• Using the tools (demos!)
• Links, links, links
Where Do I Start?
1. Consult stakeholders
1.1. Legal, HR, data owners, IT, Ops, PR
1.2. What strategy fits? Containment, etc
2. Write a plan
2.1. What’s escalation path?
2.2. When to escalate?
2.3. Contact outside IR firms
3. Acquire tools
4. Practice
4.1. VMs
4.2. Mundane infections
4.3. Table-top
5. Debrief, repeat
http://askswadders.blogspot.com/2012/06/hairy-tory.html
*YAWN*
Why plan ahead?
• Align focus with organizational goals
• Define roles & responsibilities
• List capability requirements
• Identify potentially flawed assumptions
• Look all professional and stuff
Don’t Be That Dog
http://memegenerator.net/I-Have-No-Idea-What-IM-Doing-Dog-With-Tie/
Lessons From chort #1
• Find out what HR and legal care about, don’t waste effort
• Train IT on collection procedure, you’ll need them later
• Stick to the plan!
• That CISSP chain-of-custody crap actually matters
• Wikis are great
• Read, read, read
Network Essentials
• TCP/IP literate
• Read ASAP: ISBN 0201633469 (1st ed)
• How & why src/dst ports used
• DNS (authority vs. recursive, glue, etc)
• WHOIS (web tools & CLI)
• HTTP (headers, manual manipulation)
Network Essentials
• PCAP (tcpdump, Wireshark, etc)
• IDS/IPS
• Not great, but often initial notification
• How to determine false positive
• Impossible OS, sw version, or doesn’t resemble PoC exploit
OS Essentials
• How do services register
• Where are start-up items stored
• How is command history saved
• How can files be hidden/restricted
• What are normal/expected services/procs
Essentials
• Only way to learn is a lot of practice
• Create virtual machines and analyze them
• As you progress, attack the VMs and see if you can detect the attacks
Detection
• DNS anomalies
• Netflow
• IPS, proxies, email gateway, sandbox appliance
• Agents (Bit9, GRR, HBGary, MIR, OSSEC, AV?)
• SIEM/log analysis (Splunk, ELSA, etc)
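Added example, not from the talk: a small Python triage script that applies the first detection idea on this slide, DNS anomalies, to constructed resolver-log lines. The log layout (timestamp, client, query name, response code), the thresholds and the `evil-c2.example` names are assumptions chosen for the demo. It scores only the left-most label, and only labels of 20 or more characters, because short natural hostnames also reach moderate entropy and would otherwise produce noise.

```python
import math
import re
from collections import Counter

# Constructed sample log for the demo (not any resolver's real format):
# timestamp, client, query name, response code. 10.0.0.9 behaves like a host
# cycling through generated names; 10.0.0.5 is ordinary traffic.
SAMPLE_LOG = """\
2013-03-02T10:00:01 10.0.0.5 www.example.com NOERROR
2013-03-02T10:00:02 10.0.0.5 mail.example.com NOERROR
2013-03-02T10:00:03 10.0.0.9 a8f3c2e19b7d4e60f1c2a3b4d5e6f7a8.evil-c2.example NOERROR
2013-03-02T10:00:04 10.0.0.9 3e1f9a7b6c5d4e3f2a1b0c9d8e7f6a5b.evil-c2.example NOERROR
2013-03-02T10:00:05 10.0.0.9 jx7q2mbv9tk4rz8hw3ng6yc5pd1fl0sa.evil-c2.example NXDOMAIN
2013-03-02T10:00:06 10.0.0.9 qwe.evil-c2.example NXDOMAIN
2013-03-02T10:00:07 10.0.0.9 zxc.evil-c2.example NXDOMAIN
2013-03-02T10:00:08 10.0.0.5 cdn.example.com NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character. A 32-character hex string can reach at most 4.0 and
    32 distinct base-36 characters give exactly 5.0; readable names sit lower."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return a dict for a well-formed line, None for blanks or garbage."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_label(qname: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Score only the left-most label: generated names and tunnel payloads live there,
    while the parent domain is usually fixed."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyze(log_text: str, nxdomain_threshold: int = 3, **label_kwargs):
    """Two independent signals: high-entropy labels (per query) and clients that pile
    up NXDOMAIN answers (per client), which is how a DGA host looks on the wire."""
    flagged = []
    nxdomain_by_client = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if suspicious_label(rec["qname"], **label_kwargs):
            flagged.append((rec["client"], rec["qname"]))
        if rec["rcode"] == "NXDOMAIN":
            nxdomain_by_client[rec["client"]] += 1
    noisy = {c: n for c, n in nxdomain_by_client.items() if n >= nxdomain_threshold}
    return {"suspicious_names": flagged, "nxdomain_clients": noisy}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, name in result["suspicious_names"]:
        print(f"high-entropy label from {client}: {name}")
    for client, n in result["nxdomain_clients"].items():
        print(f"{client}: {n} NXDOMAIN answers")
```

Both signals are heuristics, so treat a hit as a lead to pivot on (which process on that client made the queries, what else did it talk to), not as a verdict; CDN and anti-spam services also use long generated labels, so expect to maintain an allow-list.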
Overview
• Introduction
• Prerequisites
• Example toolset
• Using the tools (demos!)
• Links, links, links
Tools - Hardware
• Hardware matters, a LOT
• Do your corporate systems have eSATA, or USB3 (& Firewire)?
• Go SSD. You owe me a drink for this
• Analysis system, isolated, snapshots, AV
• Storage for images and analysis sessions
Hardware Setup
• Don’t skimp on RAM, CPU, storage
• Consider adding GPUs for badass password auditing (just sayin)
• Don’t connect to domain
• Consider VMs
• Monster host could support sandbox VMs too
Tools - Software
• What operating systems will you need to acquire from?
• Types of data to acquire: Memory, volatile, disk/filesystem
• Remote acquisition?
• Start w/free, buy when need identified
• Windows/system account for acquisition
Tools - Online
• https://urlquery.net/
• https://www.virustotal.com/
• https://vicheck.ca/
• http://malwr.com/
• https://www.pdfxray.com/
• http://jsunpack.jeek.org/
Lessons From chort #2
• Be careful what you leak!
• IPs, Referers, info in documents
• Tor, filtering proxies, private options
• Consider analysis jumphost
• External VPS or EC2 instances
• Consider in-house sandboxes
Leak Example
2013-01-03 17:15:42 66.249.16.211 42114 www.evildomain.com / Mozilla/5.0 (Windows NT 5.2; rv:12.0) Gecko/20100101 Firefox/12.0 en GET 0 0
--
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 300
Connection: keep-alive
X-Forwarded-For: 198.51.100.2
Via: 1.1 www.domaintools.com
Host: www.evildomain.com
(Now fixed)
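Added example, not from the talk: a Python check that scans the headers a request carries (as they would land in the suspect site's web log, or as your own egress proxy sees them before the request leaves) for the kind of give-away shown above. The header block is the one from the slide; the list of tell-tale header names and the "own network" range 198.51.100.0/24 are assumptions for the demo.

```python
import ipaddress

# Request headers from the slide's "Leak Example": the analyst reached the suspect site
# through a third-party web proxy, which appended X-Forwarded-For and Via, so the site's
# log now holds the analyst's real address and the name of the proxy service used.
CAPTURED_REQUEST_HEADERS = """\
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 300
Connection: keep-alive
X-Forwarded-For: 198.51.100.2
Via: 1.1 www.domaintools.com
Host: www.evildomain.com
"""

# Header names that expose the path a request took (assumed list; extend for your proxies).
ORIGIN_HEADERS = {"x-forwarded-for", "x-real-ip", "x-client-ip", "true-client-ip", "forwarded", "via"}
# Headers that expose where the analyst came from or who they are.
CONTEXT_HEADERS = {"referer", "from"}


def parse_headers(raw: str):
    """Split a raw header block into (lower-cased name, value) pairs; skip blank lines."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def addresses_in(value: str):
    """Pull IP literals out of values such as '10.0.0.1, 198.51.100.2' or the RFC 7239
    form 'for=198.51.100.2;proto=http'. Non-addresses ('1.1', hostnames) are skipped."""
    found = []
    for token in value.replace(",", " ").replace(";", " ").split():
        candidate = token.split("=")[-1].strip('"[]')
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return found


def find_leaks(raw: str, own_networks=("198.51.100.0/24",)):
    """Report headers that give the analyst away. own_networks (an assumption for the
    demo) lists the ranges that identify your organisation if they show up forwarded."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    leaks = []
    for name, value in parse_headers(raw):
        if name in ORIGIN_HEADERS:
            reason = "forwarding/proxy header reveals the request path"
            for addr in addresses_in(value):
                if any(addr in net for net in nets):
                    reason = f"address {addr} is inside your own network"
            leaks.append({"header": name, "value": value, "reason": reason})
        elif name in CONTEXT_HEADERS:
            leaks.append({"header": name, "value": value,
                          "reason": "reveals where the analyst came from"})
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(CAPTURED_REQUEST_HEADERS):
        print(f"{leak['header']}: {leak['value']}  <- {leak['reason']}")
```

The same check run on your analysis jumphost's outbound proxy log tells you whether the "private" browsing option you picked actually strips these headers, which is the point of the slide's advice to test the leak before the adversary does.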
Example Toolset
• SSD in external enclosure (eSATA + USB3)
• Sysinternals
• Memoryze
• FTK Imager
• Redline
• Volatility
• Spreadsheet (OOo, Numbers, Excel)
Overview
• Introduction
• Prerequisites
• Example toolset
• Using the tools (demos!)
• Links, links, links
DOs and DON’Ts
• Don’t unplug
• Do consider monitoring network first
• Don’t use domain account
• Do have replacement machine for user
• Do have a plan (timestamps, file types, etc)
• Do keep good records
• Don’t spend more time than necessary
Finding Helpful Clues
• IDS alerts by src/dst IP, MAC address
• Dr Watson reports
• ntop, netflow, DNS query logs, span port
• Logs for VPN, Citrix, webmail, etc
• Build filesystem timeline
• Shim Cache, autoruns
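Added example, not from the talk: a miniature filesystem timeline in Python, the same idea as a TSK body file fed to mactime, built from lstat metadata so that nothing is opened and access times are not disturbed. The sample tree it creates (two month-old files and one recently dropped file with a blend-in name) is constructed for the demo; the name `.svchost.tmp` is a placeholder, not an indicator.

```python
import os
import tempfile
import time
from datetime import datetime, timezone


def collect_entries(root: str):
    """Walk root without following symlinks and without opening files: os.lstat reads
    metadata only, so it does not bump access times the way reading content would."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except OSError:
                continue


def build_timeline(root: str):
    """Return [(epoch_seconds, flags, path), ...] sorted by time. flags is a subset of
    'mac' (modified / accessed / changed; 'c' is inode change on Unix and creation time
    on Windows). Events on one path within the same second collapse into one row."""
    events = {}
    for path, st in collect_entries(root):
        for flag, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
            events.setdefault((int(ts), path), set()).add(flag)
    return [(ts, "".join(f for f in "mac" if f in flags), path)
            for (ts, path), flags in sorted(events.items())]


def events_between(timeline, start: int, end: int):
    """Narrow the timeline to an incident window (inclusive, epoch seconds)."""
    return [ev for ev in timeline if start <= ev[0] <= end]


def events_in_last(timeline, newer_than_s: int, older_than_s: int = 0):
    """Events between (now - newer_than_s) and (now - older_than_s)."""
    now = int(time.time())
    return events_between(timeline, now - newer_than_s, now - older_than_s)


def format_event(ts: int, flags: str, path: str) -> str:
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when}Z  {flags:<3} {path}"


def make_demo_tree() -> str:
    """Constructed sample: two month-old files and one dropped ten minutes ago. m/a times
    are set with os.utime; the inode change time cannot be set that way, which is why
    the 'c' rows (all 'now' here) are worth a look when m/a look innocently old."""
    root = tempfile.mkdtemp(prefix="timeline_demo_")
    now = time.time()
    for name, when in (("README.txt", now - 30 * 86400),
                       ("notes.txt", now - 30 * 86400),
                       (".svchost.tmp", now - 600)):  # placeholder name for the demo
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        os.utime(path, (when, when))
    return root


if __name__ == "__main__":
    demo_root = make_demo_tree()
    tl = build_timeline(demo_root)
    print("full timeline:")
    for ev in tl:
        print(" ", format_event(*ev))
    print("\nlast hour only:")
    for ev in events_in_last(tl, 3600):
        print(" ", format_event(*ev))
```

Run it against a read-only mounted image or a copy, never the live victim disk. For NTFS the richer source is the MFT itself (the slide's "Collect filesystem info (MFT)" step), where $FILE_NAME timestamps survive the timestomping that fools $STANDARD_INFORMATION; TSK's fls and mactime produce exactly this kind of listing from it.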
Strategy
• Collect RAM
• Collect volatile data
• Processes, sockets, history, cache
• Hiberfile?
• Collect filesystem info (MFT)
• Image disk
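Added example, not from the talk: a Python chain-of-custody manifest for the collection order on this slide (and for "That CISSP chain-of-custody crap actually matters" and "Do keep good records" earlier). Each acquisition output is hashed the moment the tool writes it, tagged with stage, tool and UTC time, and the manifest can later be re-verified and checked for steps taken out of volatility order. The stage labels, the case id and the fake acquisition files are assumptions for the demo.

```python
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

# Order of volatility from the slide, most volatile first. Stage names are our own labels.
ACQUISITION_ORDER = ["ram", "volatile", "hiberfile", "mft", "disk_image"]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a multi-GB memory or disk image does not have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def new_manifest(case_id: str, collector: str) -> dict:
    """One manifest per acquisition session: what was taken, by whom, with what, when."""
    return {"case": case_id, "collector": collector,
            "collection_host": socket.gethostname(), "artifacts": []}


def record_artifact(manifest: dict, path: str, stage: str, tool: str, note: str = "") -> dict:
    """Hash the output immediately after the tool finishes writing it and append the entry."""
    if stage not in ACQUISITION_ORDER:
        raise ValueError(f"unknown stage {stage!r}; expected one of {ACQUISITION_ORDER}")
    entry = {
        "path": os.path.abspath(path),
        "stage": stage,
        "tool": tool,
        "note": note,
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    manifest["artifacts"].append(entry)
    return entry


def out_of_order_stages(manifest: dict):
    """Stages collected after a less volatile one (e.g. RAM dumped after the disk image)."""
    ranks = [ACQUISITION_ORDER.index(a["stage"]) for a in manifest["artifacts"]]
    return [manifest["artifacts"][i]["stage"]
            for i in range(1, len(ranks)) if ranks[i] < ranks[i - 1]]


def save_manifest(manifest: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2)


def verify_manifest(path: str):
    """Re-hash every artifact; return the paths whose hash differs or that are missing."""
    with open(path) as fh:
        manifest = json.load(fh)
    bad = []
    for art in manifest["artifacts"]:
        try:
            ok = sha256_file(art["path"]) == art["sha256"]
        except OSError:
            ok = False
        if not ok:
            bad.append(art["path"])
    return bad


def demo_session():
    """Constructed run: fake acquisition outputs in a temp dir, recorded in the slide's
    order. Tool names are the ones the deck lists; the case id is a placeholder."""
    workdir = tempfile.mkdtemp(prefix="custody_demo_")
    files = [("mem.raw", "ram", "Memoryze"), ("netstat.txt", "volatile", "netstat -ano"),
             ("mft.bin", "mft", "FTK Imager"), ("disk.dd", "disk_image", "FTK Imager")]
    m = new_manifest("IR-CASE-PLACEHOLDER", "analyst-placeholder")
    for name, stage, tool in files:
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(b"sample bytes for " + name.encode())
        record_artifact(m, path, stage, tool)
    manifest_path = os.path.join(workdir, "manifest.json")
    save_manifest(m, manifest_path)
    return m, manifest_path


if __name__ == "__main__":
    manifest, manifest_path = demo_session()
    print(json.dumps(manifest, indent=2))
    print("out of order:", out_of_order_stages(manifest))
    print("verify:", verify_manifest(manifest_path) or "all hashes match")
```

Store the manifest (and its own hash) somewhere the analysis host cannot silently alter it, and re-run verify_manifest before every hand-off; that is the record that makes the collection defensible later.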
Redline
• Create custom collector for acquisition
• Can build for specific artifacts, IOCs, etc
• Dumps memory
• Redline can import memory from other tools
• Timeline, code signatures, suspicious procs
DEMO (click me!)
(Not shown: Creating the collector)
• Collect artifacts to net share
• Import artifacts to Redline
• Discover injected memory
• Locate events in timeline
Volatility For Linux
• Dump memory over TCP with LiME
• Create profile for your kernel
• Do this ahead of time for each kernel/OS
• Don’t build LiME or profile on victim!
• Assumes gcc, gdb, make, etc
DEMO (click me!)
• Build LiME
• Create Volatility profile
• Dump memory over TCP
• Find bash history
APT? I don’t believe they, oh shi...
http://www.funnyjunk.com/funny_pictures/3146743/Ninja+turtles+master/33#33
Speaking of APT...
• 281 Comment Crew Samples on VirusShare
• Alienvault released Yara signatures
• Cuckoobox can now dump memory
• Volatility can scan images with Yara
• Sounding fun yet?
DEMO (click me!)
• Configure reports
• Import Yara signatures
• Analyze APT malware with Cuckoo
• Analyze memory with Volatility
• Write new Yara signature
Mega lulz!
http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html
http://memegenerator.net/Fuck-You-IM-An-Anteater
Extensible w/Python
http://rants.effu.se/2012/12/Scripting-Hopper-Disassembler---WS2_32.dll-Ordinals-to-Names
Don’t Waste A Crisis
• (Shamelessly stolen from Brad Arkin)
• Track incidents to highlight root-causes
• Change process to avoid repeats
• Add controls to mitigate or remove vectors
• *AHEM* Java
What Are We Missing?
• Is there something we aren’t tracking?
• Do we need a tool/capability to respond?
• Do we need more people (probably)?
Overview
• Introduction
• Prerequisites
• Example toolset
• Using the tools (demos!)
• Links, links, links
http://www.quickmeme.com/meme/3otxsn/
N
BLERGS
Richard Bejtlich: http://taosecurity.blogspot.com/ (bestbook, impressions, reviews)
Malware Analyst’s Cookbook and DVD: http://www.malwarecookbook.com/
Practical Malware Analysis: http://practicalmalwareanalysis.com/
APTish Attack via Metasploit: http://www.sysforensics.org/
AlienVault Labs: http://labs.alienvault.com/labs/
FireEye Malware Intelligence Lab: http://blog.fireeye.com/research/
SEMPERSECURUS: http://sempersecurus.blogspot.com/
DeepEnd Research: http://www.deependresearch.org/
contagio malware dump: http://contagiodump.blogspot.com/
Journey Into Incident Response: http://journeyintoir.blogspot.com/
Windows Incident Response: http://windowsir.blogspot.com/
Linux Sleuthing: http://linuxsleuthing.blogspot.com/
M-UNITION: https://blog.mandiant.com/
Sniper Forensics: http://blog.spiderlabs.com/ (search “sniper forensics”)
http://www.webdesignhot.com/free-vector-graphics/electric-tools-vector-set/
Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
Memoryze: http://www.mandiant.com/resources/download/memoryze
FTK Imager: http://www.accessdata.com/support/product-downloads
Redline: http://www.mandiant.com/resources/download/redline
Immunity Debugger: http://debugger.immunityinc.com/
Hopper Disassembler: http://www.hopperapp.com/
Volatility: https://www.volatilesystems.com/default/volatility
Cuckoo Sandbox: http://www.cuckoosandbox.org/
The Sleuth Kit: http://www.sleuthkit.org/
Yara: http://code.google.com/p/yara-project/
Thug (honeyclient): http://buffer.github.com/thug/
http://www.flickr.com/photos/dmckechnie/3410959594/sizes/l/in/photostream/
Forensics Wiki: http://www.forensicswiki.org/
OpenIOC (Editor & Finder): http://www.openioc.org/
VERIS (Community & Framework): http://www.veriscommunity.net/doku.php
Mandiant Forums: https://forums.mandiant.com/
Twitter: accounts or lists with ‘4n6’, and the #DFIR hashtag
Brian Keefer
http://rants.effu.se
https://twitter.com/chort0
https://alpha.app.net/chort
http://www.SMTPS.net
chort0 on Freenode
http://www.SMTPS.net/pub/presentations/BSidesSF2013_DFIR.pdf