Trends in Digital Forensics & Incident Response Ray Strubinger April 11, 2012
Page 1: Trends in Digital Forensics & Incident Response

Ray Strubinger

April 11, 2012

Page 2: Standard Disclaimer

The views, opinions, attempts at humor, and overall content of this presentation are mine and do not represent the views of my employers past, present, or future.

Page 3: Who is this guy?

Page 4: General Housekeeping

Feel free to ask questions

These slides (and last year’s) are available at: raystrubinger.blogspot.com

I realize I’m the only thing between you and home, traffic, a flight or an adult beverage

I only have 60 or so slides….

Page 5: Topics

Storage

Virtualization

Encryption

“Big Data”

Attack Resilience

Page 6: Storage

Page 7: Storage Trends and Challenges

Many types of storage

DF is commonly used on storage devices

Devices are collected, duplicated & analyzed

What if the storage device isn’t obvious?

Page 8: Many Types of Storage

Public cloud storage, i.e. Box, DropBox, SugarSync, SkyDrive, iCloud, etc.

Popular, inexpensive and quick to set up

We know to check for these types of services

Collection is still challenging

Page 9: Network Storage

Network attached hard drives

Sold by many popular hard drive manufacturers

Inexpensive (< $500 in many cases)

Essentially one or more hard drives with a network connection

Similar to a SAN, NAS or file server

May make their contents available over the Internet

Page 10: Network Storage

Physically small devices

The size of a book or shoebox (easy to miss)

Ideally detect the device during the initial collection

Triage the host or hosts on site

Access the network AP

Scan the network and identify all devices

Page 11: Virtualization

Page 12: Virtualization

Technology that enables the use of multiple operating systems on a piece of hardware

Very common in data center environments

Many public clouds use this technology

Fairly common on desktops, especially if involved in software development

Page 13: Virtualization

BYOD (Bring Your Own Device)

Coming to mobile devices

Phones are the current targeted market

Virtual instances of a personal phone and a business phone on the same hardware

Virtualization, BYOD (aka the Consumerization of IT), and mobile devices were addressed in 2011 too.

Page 14: Virtualization

Challenges may exist

Acquisition of mobile devices is more of a hassle than hard drives

Recognition of the use of virtualization

This is also an issue when acquiring desktops and servers

Unexpected or unusual instances of virtualization

Android OS virtualized on Windows or Linux

Page 15: Encryption

Page 16: Things to consider about Encryption

Encryption was mentioned last year

Ease of use and availability (still true)

Increased use seen among private DF practitioners

Becoming more common in criminal cases

Brute forcing passwords or (maybe) defeating the encryption through a design flaw may be necessary

Court ruling suggests that a password may be testimony protected by the 5th Amendment

Page 17: “Big Data”

Page 18: Big Data

Time to use this year’s buzzword!

Big Data (from an infosec standpoint)

Information such as logs from servers, desktops, network devices, anti-virus, IDS, IPS, web applications, network flows, etc.

Could be nearly anything

There’s probably a lot of it

What do we do with all that data?

Page 19: Managing Big Data

A shift in the SIEM market

So-called “Big Data” is similar to the Business Intelligence market

BI tells stores crazy things such as: there is an 87% chance of selling beer and diapers at store XYZ between the hours of 5pm and 7pm, Monday through Friday

Businesses use this information to anticipate inventory, staffing, and sales

Page 20: Managing Big Data

That’s great, what does BI have to do with infosec?

BI concepts are being applied to infosec data

The goal is to help identify unknowns and anomalies that humans should investigate

People are often good with patterns but not so much when faced with huge amounts of seemingly unrelated information – that’s where computers excel

Page 21: Managing Big Data

Still in the development stage

Not “old skool” rule-based SIEM technology

Pattern-based detection methodology

Statistical modeling

At least two companies with deep pockets and vision are in the space

This implies more will enter the space
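As an added illustration of the contrast these slides draw between rule-based SIEM matching and statistical modeling (example code written for this transcript, not from the presentation), the constructed flow summaries below are checked both ways: a fixed known-bad-port rule, and a per-host volume model that flags hosts far above the population mean. Host addresses, ports and byte counts are made up.

```python
import statistics
from collections import defaultdict

# Constructed outbound flow summaries (source host, destination port, bytes);
# sample data made up for this example, not real telemetry.
FLOWS = [
    ("10.0.0.11", 443, 120_000),
    ("10.0.0.12", 443, 95_000),
    ("10.0.0.13", 443, 110_000),
    ("10.0.0.14", 80, 90_000),
    ("10.0.0.15", 443, 105_000),
    ("10.0.0.16", 443, 100_000),
    ("10.0.0.17", 4444, 12_000),      # matches a known-bad-port rule
    ("10.0.0.18", 443, 2_400_000),    # unusual volume on an ordinary port
]


def rule_based_alerts(flows, bad_ports=frozenset({4444})):
    """Rule-based SIEM style: alert only when a field matches a known-bad value."""
    return sorted({src for src, port, _ in flows if port in bad_ports})


def statistical_alerts(flows, k=2.0):
    """Statistical style: total bytes per host, then flag hosts whose total
    sits more than k population standard deviations above the mean."""
    totals = defaultdict(int)
    for src, _, nbytes in flows:
        totals[src] += nbytes
    values = list(totals.values())
    mean = statistics.mean(values)
    spread = statistics.pstdev(values)
    if spread == 0:            # every host identical: nothing stands out
        return []
    return sorted(h for h, total in totals.items() if (total - mean) / spread > k)


def triage(flows):
    """What an analyst would see: both lists, each to be investigated by a human."""
    return {"rule": rule_based_alerts(flows), "statistical": statistical_alerts(flows)}


if __name__ == "__main__":
    print(triage(FLOWS))
```

The rule catches only the host using the listed port, while the volume model surfaces the high-volume host on port 443 that no fixed rule names; neither list is a verdict, both are leads for a person to examine.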

Page 22: Attack Resilience

Page 23: Reality Check

Your organization will be compromised

May already be compromised

Recent announcements by US Gov’t officials suggest every major organization in the US has been compromised

Hacktivists, state actors, competitors and others may find your business data “interesting”

Page 24: Background

Several Incident Response or Incident Handling frameworks

One popular approach has 6 steps

Steps 1 & 2 are Preparation and Identification

Cycle between these two until there is an incident

(The remaining steps are: Contain, Eradicate, Recover, and Lessons Learned)

Page 25: New Approach to Incident Response

Notion of “attack resilience”

Design systems to function in spite of a compromise

Increase detection capability

Mine the “Big Data” collection

Decrease incident detection time

Use active forensics

Page 26: Active Forensics

Active forensics?

Forensics techniques are typically applied after the fact

DF community is beginning to champion the notion of using forensics proactively

Page 27: Active Forensics

Apply DF techniques to running systems

    File hashing

    RAM imaging & analysis

    Differential (network) service analysis

Why should this approach be used?

    Proactive

    Security applications are not (*gasp*) perfect

    Malicious activities and applications will be missed

Page 28: Active Forensics

Virtual machines

    Snapshots (backups) are your friend

    RAM is captured – running processes

    Snapshots can be mounted for analysis

Physical hardware

    Image RAM

    Hash files

    Running process review

    Network/Port differential
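The file-hashing and network/port differential checks listed on the last two slides, as an added example written for this transcript (not the presenter's code): a known-good baseline of file hashes and listening ports is compared with a later collection, and anything added, removed or changed is reported for review. The file contents, paths and port sets are constructed in-line so the example runs offline; on a live host the snapshots would be gathered from the system instead.

```python
import hashlib


def hash_files(files):
    """Map path -> SHA-256 of its content. `files` is a dict of path -> bytes,
    constructed here so the example runs offline; a live collection would read
    the files from the host instead."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_hashes(baseline, current):
    """Compare two hash snapshots; anything not identical deserves a look."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def diff_services(baseline_ports, current_ports):
    """Network/port differential: listening ports now versus the known-good set."""
    return {
        "new": sorted(current_ports - baseline_ports),
        "gone": sorted(baseline_ports - current_ports),
    }


# Constructed snapshots: a known-good baseline and a later collection (made up).
BASELINE_FILES = {
    "/usr/sbin/sshd": b"sshd build 1",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
CURRENT_FILES = {
    "/usr/sbin/sshd": b"sshd build 1",
    "/etc/hosts": b"127.0.0.1 localhost\n203.0.113.9 updates.example\n",
    "/tmp/.cache-x": b"unexpected new file",
}
BASELINE_PORTS = {22, 443}
CURRENT_PORTS = {22, 443, 8081}


def active_forensics_report(base_files, cur_files, base_ports, cur_ports):
    """One pass of the active-forensics checks from the slides: file hashes and
    listening services, each compared against the baseline."""
    return {
        "files": diff_hashes(hash_files(base_files), hash_files(cur_files)),
        "services": diff_services(base_ports, cur_ports),
    }

if __name__ == "__main__":
    print(active_forensics_report(BASELINE_FILES, CURRENT_FILES, BASELINE_PORTS, CURRENT_PORTS))
```

A modified hosts file, a new file in a temporary directory and a new listening port are each surfaced as a difference; the baseline itself should be captured from a system in a known-good state and stored where a compromise of the host cannot alter it.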

Page 29: Thank you

Ray Strubinger [email protected]

http://raystrubinger.blogspot.com
