SANS Technology Institute - Candidate for Master of Science Degree

Investigative Trees – Converting Attack Trees into Guides for Incident Response

Rodney Caudle, December 2009

GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA


Objective

• Setting the Stage
• Basics of Investigative Trees
• Rules for Building Investigative Trees
• Example: Corporate E-Mail Espionage
• Demo: iTree.pm


Setting the Stage

• Multi-Site Corporation
• Information Leakage Suspected
• Insider Suspected
• Factor: Outsourced IT
• You’re the objective third party


Investigative Trees

• Designed to answer one question:

Given a fixed amount of resources, what investigation will yield the results with the most confidence for a given outcome?


Building a Tree

• Ask a question
• Split into smaller questions that can be answered until the questions are small enough to act upon

• Build procedures to answer questions. There may be multiple ways to answer

• Add parameters to provide perspectives


Rules for iTrees

• Root node is the goal or outcome
• Leaf nodes represent conditions of meeting the parent node or goal
  – “OR” leaf nodes
  – “AND” leaf nodes

• All nodes should be Boolean in nature


Rules (cont’d.)

• Additional parameters can be added to provide perspectives

• Leaf nodes may become root nodes of a sub-tree that can be saved as a library


General Parameters

• Confidence – level of trust

• Confidence_i – level of trust (impacted)
• Impacted – True or false
• Weight – comparison to neighbor nodes
• Category – label for organization


Other Parameters

• Cost
• Time
• Rate
• Units
• Dependency
• Early Start
• Early Finish
• Late Start
• Late Finish
• Slack Time


Example: Corporate E-Mail

• Root Question: Can we verify the vector for delivering the e-mails?

• Need to define the leaf nodes or sub-goals


Leaf Nodes (OR)

• Were the e-mails sent via the Outlook-Exchange method?

• Were the e-mails sent via the web-based OWA method?

• Were the e-mails sent via a mobile device method?

• Were the e-mails sent via SMTP through a gateway?


Continue Expanding

• Were the e-mails sent via SMTP through a gateway?
  – Can we verify the presence of SMTP headers in the original e-mail?
  – Can we verify the presence of e-mail(s) in the log events from the SMTP gateway server?


Add Steps to Get the Answers

• Can we verify the presence of SMTP headers in the original e-mail?
  – Can we recover the presence of SMTP headers in the original e-mail?
    • Can we recover a copy of the original e-mail from the desktop or laptop?
    • Does the e-mail contain SMTP headers (RFC821)?
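As an added example (not iTree.pm and not code from the presentation), the corporate e-mail tree from the preceding slides modelled with the slide rules: Boolean nodes, OR/AND groupings under a root goal, and the Confidence and Cost parameters, used to answer the tree's one question of which investigation yields the most confidence for a fixed budget. The propagation rules, the confidence and cost values, and the AND/OR grouping of the SMTP-gateway branch are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Node:
    question: str
    kind: str = "LEAF"                # "LEAF" (one procedure), "OR" or "AND"
    children: List["Node"] = field(default_factory=list)
    confidence: float = 0.0           # trust the procedure's answer will carry, 0-1
    cost: float = 0.0                 # resources it consumes (constructed units)
    answer: Optional[bool] = None     # Boolean result once the procedure has run

def plan(node: Node, budget: float) -> Optional[Tuple[float, float, List[str]]]:
    """Most confident (confidence, cost, procedures) answering `node` within `budget`, or None.
    Assumed propagation: AND needs every child and is as confident as its weakest
    (budgeted greedily in order); OR needs one child and takes the best affordable one."""
    if node.kind == "LEAF":
        return (node.confidence, node.cost, [node.question]) if node.cost <= budget else None
    if node.kind == "AND":
        conf, cost, steps = 1.0, 0.0, []
        for child in node.children:
            sub = plan(child, budget - cost)
            if sub is None:
                return None
            conf, cost, steps = min(conf, sub[0]), cost + sub[1], steps + sub[2]
        return conf, cost, steps
    options = [p for p in (plan(c, budget) for c in node.children) if p is not None]
    return max(options, key=lambda p: p[0]) if options else None

def evaluate(node: Node) -> Optional[bool]:
    """Boolean outcome from recorded answers; None while the question is still open."""
    if node.kind == "LEAF":
        return node.answer
    answers = [evaluate(c) for c in node.children]
    if node.kind == "AND":
        return False if False in answers else (None if None in answers else True)
    return True if True in answers else (None if None in answers else False)

def build_email_tree() -> Node:
    """The corporate e-mail tree from the slides. Confidence/cost values are constructed,
    and the AND/OR grouping under the SMTP-gateway branch is an assumption."""
    headers = Node("Can we verify the presence of SMTP headers in the original e-mail?", "AND", [
        Node("Can we recover a copy of the original e-mail from the desktop or laptop?", confidence=0.9, cost=4),
        Node("Does the e-mail contain SMTP headers (RFC821)?", confidence=0.8, cost=1)])
    gateway = Node("Were the e-mails sent via SMTP through a gateway?", "OR", [headers,
        Node("Can we verify the presence of e-mail(s) in the log events from the SMTP gateway server?", confidence=0.95, cost=12)])
    return Node("Can we verify the vector for delivering the e-mails?", "OR", [
        Node("Were the e-mails sent via the Outlook-Exchange method?", confidence=0.6, cost=8),
        Node("Were the e-mails sent via the web-based OWA method?", confidence=0.5, cost=5),
        Node("Were the e-mails sent via a mobile device method?", confidence=0.4, cost=6),
        gateway])
```

With a budget of 12 the planner selects the gateway-log check alone; with a budget of 6 the log check is unaffordable and the two-step header recovery becomes the most confident route, which is the trade-off the root question asks about.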


Demo: iTree.pm

• Perl module to automate the investigation tree creation process


Summary

• Investigative Trees = good investment
• Design supports KB natively
• Easy to expand and share information
• Perl Modules available for creation and automation

www.investigativetrees.com