SANS Technology Institute - Candidate for Master of Science Degree 1
Investigative Trees – Converting Attack Trees into Guides for Incident Response
Rodney Caudle, December 2009
GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA
Objective
• Setting the Stage
• Basics of Investigative Trees
• Rules for Building Investigative Trees
• Example: Corporate E-Mail Espionage
• Demo: iTree.pm
Setting the Stage
• Multi-Site Corporation
• Information Leakage Suspected
• Insider Suspected
• Factor: Outsourced IT
• You’re the objective third party
Investigative Trees
• Designed to answer one question:
Given a fixed amount of resources, what investigation will yield the results with the most confidence for a given outcome?
Building a Tree
• Ask a question
• Split it into smaller questions that can be answered, until the questions are small enough to act upon
• Build procedures to answer the questions. There may be multiple ways to answer a question
• Add parameters to provide perspectives
Rules for iTrees
• Root node is the goal or outcome
• Leaf nodes represent conditions of meeting the parent node or goal
  – “OR” leaf nodes
  – “AND” leaf nodes
• All nodes should be Boolean in nature
Rules (cont’d.)
• Additional parameters can be added to provide perspectives
• Leaf nodes may become root nodes of a sub-tree that can be saved as a library
General Parameters
• Confidence – level of trust
• Confidence_i – level of trust (impacted)
• Impacted – true or false
• Weight – comparison to neighbor nodes
• Category – label for organization
Other Parameters
• Cost
• Time
• Rate
• Units
• Dependency
• Early Start
• Early Finish
• Late Start
• Late Finish
• Slack Time
Example: Corporate E-Mail
• Root Question: Can we verify the vector for delivering the e-mails?
• Need to define the leaf nodes or sub-goals
Leaf Nodes (OR)
• Were the e-mails sent via the Outlook-Exchange method?
• Were the e-mails sent via the web-based OWA method?
• Were the e-mails sent via a mobile device method?
• Were the e-mails sent via SMTP through a gateway?
Continue Expanding
• Were the e-mails sent via SMTP through a gateway?
  – Can we verify the presence of SMTP headers in the original e-mail?
  – Can we verify the presence of e-mail(s) in the log events from the SMTP gateway server?
Add Steps to Get the Answers
• Can we verify the presence of SMTP headers in the original e-mail?
  – Can we recover the presence of SMTP headers in the original e-mail?
    • Can we recover a copy of the original e-mail from the desktop or laptop?
    • Does the e-mail contain SMTP headers (RFC 821)?
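As an added example (not the iTree.pm module the deck demos), here is a small Python model of the rules above: Boolean nodes with OR/AND children, confidence and cost parameters on the leaves, and a planner that answers the deck's root question of which investigation yields the most confidence for a fixed amount of resources. The tree is the corporate e-mail example from the slides; the confidence and cost values are constructed, and the greedy AND handling is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    """One Boolean question in an investigative tree (hypothetical layout, not iTree.pm's)."""
    question: str
    kind: str = "LEAF"                      # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    confidence: float = 0.0                 # LEAF only: trust in the answer this procedure gives, 0..1
    cost: float = 0.0                       # LEAF only: resource units the procedure consumes

def plan(node: Node, budget: float) -> Tuple[float, float, List[str]]:
    """Best way to answer `node` within `budget`, as (confidence, cost, leaf questions to run).
    OR node : run only the child branch that yields the highest confidence and fits the budget.
    AND node: every child must be answered; confidences multiply, costs add (greedy, in order).
    (0.0, 0.0, []) means the question cannot be answered with the resources available."""
    if node.kind == "LEAF":
        return (node.confidence, node.cost, [node.question]) if node.cost <= budget else (0.0, 0.0, [])
    if node.kind == "OR":
        return max((plan(child, budget) for child in node.children), key=lambda r: r[0], default=(0.0, 0.0, []))
    conf, cost, steps = 1.0, 0.0, []
    for child in node.children:
        c_conf, c_cost, c_steps = plan(child, budget - cost)
        if not c_steps:                     # one unanswerable condition defeats an AND node
            return (0.0, 0.0, [])
        conf, cost, steps = conf * c_conf, cost + c_cost, steps + c_steps
    return (conf, cost, steps)

# The deck's corporate e-mail tree with constructed confidence/cost values (not from the slides)
EMAIL_TREE = Node("Can we verify the vector for delivering the e-mails?", "OR", [
    Node("Were the e-mails sent via the Outlook-Exchange method?", confidence=0.6, cost=5),
    Node("Were the e-mails sent via the web-based OWA method?", confidence=0.5, cost=4),
    Node("Were the e-mails sent via a mobile device method?", confidence=0.4, cost=6),
    Node("Were the e-mails sent via SMTP through a gateway?", "AND", [
        Node("Can we verify the presence of SMTP headers in the original e-mail?", "AND", [
            Node("Can we recover a copy of the original e-mail from the desktop or laptop?", confidence=0.9, cost=3),
            Node("Does the e-mail contain SMTP headers (RFC 821)?", confidence=0.95, cost=1),
        ]),
        Node("Can we verify the presence of e-mail(s) in the SMTP gateway log events?", confidence=0.9, cost=4),
    ]),
])

if __name__ == "__main__":
    for budget in (10, 6, 2):
        conf, cost, steps = plan(EMAIL_TREE, budget)
        print(f"budget={budget}: confidence={conf:.4f} cost={cost} steps={steps}")
```

With a budget of 10 the planner picks the three-step SMTP branch; at 6 it falls back to the cheaper Outlook-Exchange check, and at 2 no branch is answerable.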
Demo: iTree.pm
• Perl module to automate the investigation tree creation process
Summary
• Investigative Trees = good investment
• Design supports a knowledge base (KB) natively
• Easy to expand and share information
• Perl modules available for creation and automation
www.investigativetrees.com