Cyber Incident Response & Digital Forensics Lecture
NCC Group Cyber Defence Operations
NCC Group Cyber Incident Response
Agenda
Non Law Enforcement Agency Use of DFIR Tools
DFIR Tools in a Cyber Security & Incident Response Context
BREAK
Open Source & Free DFIR Tools
Memory Forensics
eDiscovery
10 minute comfort / tea break
Before we begin… Who is NCC?
• 110 million GBP revenue FTSE company
• Cyber Security Assurance Practice
• > 200 UK technical assurance consultants
• applied research (.gov.uk / .co.uk)
• technical security assessments
• cyber incident response / operations
• 50 UK risk / audit consultants
• > 2000 US technical assurance consultants
• Escrow & Software Assurance = sister BUs
Acronyms
LEA – Law Enforcement Agency
ACPO – Association of Chief Police Officers (UK)
DFIR – Digital Forensics and Incident Response
CIR – Cyber Incident Response
CDO – Cyber Defence Operations
IoT – Internet of Things
BAU – Business As Usual
OSINT – Open Source Intelligence
HUMINT – Human Intelligence
TI – Threat Intelligence
Acronyms
ICT – Information and Communications Technology
APT – Advanced Persistent Threat
IOC – Indicator of Compromise
DRM – Digital Rights Management
OS – Operating System
FS – File System
FPC – Full Packet Capture
IDS – Intrusion Detection System
IPS – Intrusion Prevention System
AV – Anti-Virus
C2 – Command and Control
Recap LEA Digital Forensics
Mission: Understand and ultimately successfully prosecute a
criminal for a crime.
Requirements:
• Chain of custody
• Proof best practice was followed
• Proof reputable tools were used
• Proof skilled personnel were used
• Proof reputable personnel were used
• Proof a crime was committed
• Proof linking an individual or group to said crime
Recap LEA Digital Forensics
Typical process for equipment / devices:
• Physical acquisition of hardware
• Duplication of source media (with write blockers)
• Extraction
• Time lining
• Analysis
• Illegal material (hashes often in the case of images)
• Illegal activity
Recap LEA Digital Forensics
Typical process for cloud / hosted services:
• Suspect identified
• Court order
• Lawful access or lawful assistance order to service provider
• Logs (meta data) and / or content supplier
• Time lining
• Analysis
• Cross reference with physically acquired data
Recap LEA Digital Forensics
Considerations for equipment / devices:
• Making sure they don’t lock
• Making sure they aren’t shutdown
• Crypto
• Lost opportunity to use FireWire and similar for acquisition
• Making sure you get everything with a browser / that can run apps
• BluRay Players
• Games Consoles
• etc (aka hard nowadays)
Recap LEA Digital Forensics
Considerations for cloud / hosted services:
• Jurisdiction of provider
• Their lawful assistance requirements (i.e. which courts do they recognize)
• What information they’ll likely hold
Recap LEA Digital Forensics
Typical tools
etc..
Recap LEA Digital Forensics
Example:
Digital Forensics Policy and Procedure for West Yorkshire
References:
ACPO Guidelines, which are based on four principles
Recap LEA Digital Forensics
But ACPO guidelines are not just followed by the Police
Source: http://www.nottinghamshirehealthcare.nhs.uk/EasySiteWeb/GatewayLink.aspx?alId=15004
Recap LEA Digital Forensics
LEAs by their nature exercise extreme care and diligence.
Conjecture, and thus short cuts, have no place.
They are facing a near impossible problem in relation to scale, complexity and rate of change, leading to a focus only on highly organized or impactful cyber crimes.
Lots of crimes involve a digital element even when the crime is non cyber (i.e. kidnap etc.)
Non Law Enforcement Use of DFIR Tools
Lots of organizations don’t want to involve law enforcement or
ever take a case to court. Reasons may include:
• Feel the likelihood of prosecution is low / no desire to prosecute
• Cyber security incidents are a business as usual event
• Don’t want to be slowed down by chain of evidence requirements
• Want to resume service / get back to BAU as quick as possible
• Secrecy, privacy and liability concerns
• Sophistication of the attack
• Internal HR matter
… other
Non Law Enforcement Use of DFIR Tools
So what types of organizations are we talking about?
Most large organizations
if they are mature / sophisticated enough to detect that they have been hacked, they are likely mature enough to have either internal teams or external providers (such as NCC Group) who use DFIR-like techniques.
Non Law Enforcement Use of DFIR Tools
What do they want to know?
• What was hacked, compromised, stolen, accessed, looked at etc.
• By whom (caution: attribution is hard!)
• When
• How
• Impact (technical and business)
• Likely motives
• Capabilities
• Remediation steps
• Future mitigation to avoid repeats
• Liability
Non Law Enforcement Use of DFIR Tools
Well some times…
Knowing what you have lost may mean you
have a ‘disclosure issue on your hands’..
simply knowing what you lost was encrypted
may be the ideal outcome
Non Law Enforcement Use of DFIR Tools
Types of scenarios – Employees / Contractors etc.
• Employee accessed inappropriate but not illegal internet material
• Employee accessed internal data they were not authorised to
• Employee committed an internally focused financial crime
• Employee disclosed intellectual property to an unauthorised third party
• Employee is soon to depart and stole intellectual property for personal benefit
• Employee used work resources for personal enterprise
• Other disciplinary issue..
Non Law Enforcement Use of DFIR Tools
Types of scenarios – External Threat Actors
• Malicious phishing / spear phishing e-mails sent into an organization
• Malicious code present on a system
• Credentials compromised
• Host, System, Network was compromised
• Data was stolen / exfiltrated (taken out)
• Data was changed
• Data was added
• Theft / fraud
• Mobile devices tampered with (evil maid)
Non Law Enforcement Use of DFIR Tools
This sounds scary scale right?
But it happens every day
in most organizations of a moderate size you’d expect at least one
such incident a day/week (you pick) if you could detect them all.
Non Law Enforcement Use of DFIR Tools
The good news?
A growing army of professionals
researchers, developers and practitioners working together sharing
knowledge, tools and intelligence …
Non Law Enforcement Use of DFIR Tools
The bad news?
Technical evolution speed and
improving security
DRM, encryption, platform security, sandboxes, code signing and the
rate at which technology is changing plus diversifying computing base
(cloud / IoT / embedded) all present challenges to forensics
Non Law Enforcement Use of DFIR Tools
So how do we approach this in the real-world?
We normally start with a suspicion or indicator
of compromise
knowing there is something to be found versus aimlessly looking for
something that might not be there leads to a more focused approach
Non Law Enforcement Use of DFIR Tools
We do a lot of work at the logical acquisition layer due to the
data volumes we now deal with. Why?
• Doing bit by bit copies of multi terabyte systems is slow and challenging in a lot of cases.
• We don’t need to in a lot of cases, as we (generally) know where we want to look to confirm suspicions.
• We are interested a lot of the time in rich data sources rather than looking for one elusive deleted file
• Attackers / threat actors are often sloppy
Non Law Enforcement Use of DFIR Tools
There are different types of forensics and analysis, often used together, which support each other
Non Law Enforcement Use of DFIR Tools
What types of tools do we commonly use?
• Data Acquisition (i.e. copying / dumping / extracting etc.)
• Disk Forensics (searching, carving, time lining)
• Memory Forensics (interpreting, analyzing)
• Network Forensics (capturing, processing, alerting)
• Time lining (plotting the course of events)
• Data searching (ability to search for ad-hoc things)
• Data matching (ability to search for known bad)
• Data visualization (show you)
• Malware analysis (further understand)
• OS / development tools and utilities
DFIR Tools in a CIR Context
Firstly: What is Cyber?
A word people understand to encompass all facets of
technology use with regards to security and resilience.
Originally adopted by the military but now a word understood in
boardrooms as the thing that isn’t easy but should be a
concern..
Secondly: A Very Typical Scenario
DFIR Tools in This Cyber Context
5pm on Friday afternoon the phone rings… you get told:
“We had a support call from someone in R&D; their Windows machine was behaving oddly. We ran AV and it didn’t find anything, but after our latest cyber briefing from a competitor we think we may have been targeted by a sophisticated threat actor. Can you come and have a look?”
DFIR Tools in This Cyber Context
7pm you are at the client… on a Friday evening … you get told:
“We don’t want to involve law enforcement; we simply want to know if we have been compromised, if we have, what were they likely after, and how sophisticated are they?”
You clarify with them that there is no need to maintain chain of custody, which they confirm.
DFIR Tools in This Cyber Context
Stage 1: Network Sensor Deployment
Client has no IDS/IPS or FPC capabilities. So you deploy a FPC node at the Internet ingress / egress point so that
1. Full packet captures are produced for the next two weeks
2. IOC signature can be deployed to detect known threats
3. A platform is provided upon which custom IOC signatures can be deployed as the investigation continues
DFIR Tools in This Cyber Context
Stage 2: Network Log Acquisition
You work with the I.T. team to acquire logs from as far back as possible:
1. Firewalls
2. Proxy Servers
3. DNS
4. DHCP
5. VPN
6. Webmail and other internet facing systems
7. Windows Domain Controllers
8. Inbound content AV scanners
DFIR Tools in This Cyber Context
Stage 3: Live Host Acquisition
Before turning off Patient 0:
1. Dump RAM (all of the below will be here but we also do it live)
2. Dump process list including loaded modules
3. Dump kernel drivers loaded
4. Dump session information
5. Dump active network connections
6. Dump event log
7. Copy key files to removable media
tip: try to dump to a remote host or removable media
DFIR Tools in This Cyber Context
Stage 4: Review Captured Network Sensor Data and Patient 0
Review the logs of the network sensors for any suspicious activity between Patient 0 and the internet during live host acquisition.
Look at the captured data from Patient 0 for any indicators of compromise (rootkit-like behaviour, weird services, things running with abnormal privileges)
Now you have a choice:
1. Turn off and store Patient 0
2. Keep it running and monitor heavily
DFIR Tools in This Cyber Context
You observe in the captured data
1. Network connection to Jersey, which you know to be a nation state with formidable cyber espionage capabilities
2. A large stash of files in the recycle bin which was nothing to do with the R&D department
3. A new kernel driver which on the face of it appears to come from Microsoft but in actual fact is signed by a Swiss electronics manufacturer from whom you have no hardware
4. A repackaged version of VNC running as SYSTEM but with reverse tunnel support
DFIR Tools in This Cyber Context
is the client compromised?
of course they are..
DFIR Tools in This Cyber Context
You next
1. Dump the e-mails received by the person in R&D on the date the driver and new VNC files were installed
2. You find 50 attachments received that day
3. You find 20 were received from external sources
4. You submit the SHA1 hashes for the 20 attachments to VirusTotal
5. You run the 20 attachments in a deployment of Cuckoo sandbox with matching software configuration
6. One exhibits odd behaviour
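Steps 1 to 4 above as an added example (not code from the lecture or from NCC Group): a constructed three-message mailbox is parsed with Python's standard email module, attachments received on the day of interest are flagged by whether the sender is outside the client's own domain (assumed here to be example-corp.test), and the externally sourced ones are reduced to the SHA1 list that would be submitted for reputation lookup.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

INTERNAL_DOMAIN = "example-corp.test"  # constructed stand-in for the client's mail domain


def build_message(sender, sent, filename, content_b64):
    """Build a minimal multipart message with one base64 attachment (constructed data)."""
    return (f"From: {sender}\nTo: rd-user@{INTERNAL_DOMAIN}\nDate: {sent}\n"
            'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nsee attached\n"
            f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
            f'Content-Disposition: attachment; filename="{filename}"\n'
            f"Content-Transfer-Encoding: base64\n\n{content_b64}\n--b1--\n")


# Constructed mailbox: one internal and one external mail on the day of interest,
# plus an external mail from the day before. "YWJj" is base64 for b"abc".
MAILBOX = [
    build_message(f"colleague@{INTERNAL_DOMAIN}", "Fri, 06 Mar 2015 09:12:00 +0000",
                  "budget.xlsx", "YWJj"),
    build_message("supplier@partner.test", "Fri, 06 Mar 2015 11:40:00 +0000",
                  "invoice.doc", "YWJj"),
    build_message("newsletter@vendor.test", "Thu, 05 Mar 2015 16:05:00 +0000",
                  "brochure.pdf", "YWJj"),
]


def triage_attachments(raw_messages, day, internal_domain):
    """One record per attachment received on `day` (ISO date), flagged external by sender domain."""
    records = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if parsedate_to_datetime(msg["Date"]).date().isoformat() != day:
            continue
        sender = parseaddr(msg["From"])[1].lower()
        external = not sender.endswith("@" + internal_domain)
        for part in msg.walk():
            if part.get_content_disposition() != "attachment":
                continue
            payload = part.get_payload(decode=True) or b""  # base64 is decoded here
            records.append({"filename": part.get_filename(), "sender": sender,
                            "external": external,
                            "sha1": hashlib.sha1(payload).hexdigest()})
    return records


def external_hashes(records):
    """The SHA1s worth submitting to VirusTotal: only externally sourced files."""
    return sorted({r["sha1"] for r in records if r["external"]})
```

Hashing the decoded payload rather than the raw base64 text matters: reputation services index the file bytes, not the transfer encoding.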
DFIR Tools in This Cyber Context
You next
1. Query all the machines on the network for the same repackaged VNC and new kernel driver
2. Develop a signature to alert on hosts connecting to the IP address in Jersey
You find connections from the domain controllers, finance, HR and the CEO to the IP
DFIR Tools in This Cyber Context
is the client really badly compromised?
of course they are..
DFIR Tools in This Cyber Context
it’s now 7pm on Sunday
DFIR Tools in This Cyber Context
So what have we done from a DFIR perspective?
1. Client had a suspicion
2. We used our experience to look for things out of place
3. We deployed new capability to provide us better insight
4. We captured what was available from host and network already
5. We started building a time line
6. We analysed what we had
7. We found the threat actor
8. We found out where else they were
9. We found a sample of the data they took
DFIR Tools in This Cyber Context
clean up begins..
.. staff are educated about phishing
Break
Open Source & Free DFIR Tools
SANS Investigative Forensic Toolkit (SIFT)
Linux based VM with a huge collection of tools for acquisition and analysis
http://digital-forensics.sans.org/community/downloads
Open Source & Free DFIR Tools
The Sleuth Kit & Autopsy
http://www.sleuthkit.org/
Open Source & Free DFIR Tools
FTK Imager
http://accessdata.com/product-download
Open Source & Free DFIR Tools
National Software Reference Library
Known good hashes for software so they can be excluded from analysis
http://www.nsrl.nist.gov/
Open Source & Free DFIR Tools
Volatility
De facto open source memory forensics tool
Windows, Mac and Linux support
http://www.volatilityfoundation.org/
Open Source & Free DFIR Tools
Mandiant Redline
https://www.mandiant.com/resources/download/redline
Open Source & Free DFIR Tools
NetworkMiner
http://www.netresec.com/?page=NetworkMiner
Open Source & Free DFIR Tools
WireShark
https://www.wireshark.org/
Open Source & Free DFIR Tools
Cuckoo Sandbox
http://www.cuckoosandbox.org/about.html
Open Source & Free DFIR Tools
Yara
http://plusvic.github.io/yara/
Open Source & Free DFIR Tools
RegRipper
https://regripper.wordpress.com/
Open Source & Free DFIR Tools
NirSoft Utilities
Too many wonderful features to list…
http://www.nirsoft.net/
Open Source & Free DFIR Tools
Microsoft Sysinternals
Some highlights
• Process Explorer
• Process Monitor
https://technet.microsoft.com/en-gb/sysinternals/bb545021.aspx
Open Source & Free DFIR Tools
Bulk Extractor
https://github.com/simsong/bulk_extractor
Open Source & Free DFIR Tools
Log2timeline / Plaso
http://plaso.kiddaland.net/usage/log2timeline
Memory Forensics
What is memory forensics?
In short, the reconstruction, typically from a physical RAM dump, of a representation of the system that was running at the time, which can be queried and otherwise interrogated as part of a forensics exercise.
It allows us to capture transient or ephemeral aspects such as some aspects of screen layout or connections, and other non-persisting malware / exploits.
Memory Forensics
How does it work?
Dump physical contiguous RAM
OR get hibernation file
Then:
1. Parse the physical image for key structures for OS version
2. Rebuild kernel and user space virtual memory layout
3. Overlay OS concepts
Sounds easy.. It isn’t; look at the Volatility source
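Step 2 of that process as an added example (not code from the lecture or from the Volatility project): a minimal x86-64 4-level page-table walk over a constructed six-page "dump", assuming the top-level table address (the value CR3 held) has already been located in the image. It shows how a virtual address is resolved back to a physical offset, and that an absent entry means the page simply is not in the dump.

```python
import struct

PAGE = 0x1000
PRESENT = 1                          # bit 0 of every paging entry
PS = 1 << 7                          # bit 7 at PD level: 2 MiB page
ADDR_MASK = 0x000F_FFFF_FFFF_F000    # bits 12..51 carry the next table's physical address


def read_entry(phys_mem, table_pa, index):
    """Read paging entry `index` from the table at physical address `table_pa`."""
    return struct.unpack_from("<Q", phys_mem, table_pa + index * 8)[0]


def translate(phys_mem, cr3, vaddr):
    """4-level x86-64 walk: physical address for `vaddr`, or None if not mapped."""
    indices = [(vaddr >> shift) & 0x1FF for shift in (39, 30, 21, 12)]
    table = cr3 & ADDR_MASK
    for level, idx in enumerate(indices):
        entry = read_entry(phys_mem, table, idx)
        if not entry & PRESENT:
            return None
        if level == 2 and entry & PS:  # 2 MiB page: low 21 bits of vaddr are the offset
            return (entry & 0x000F_FFFF_FFE0_0000) | (vaddr & 0x1F_FFFF)
        table = entry & ADDR_MASK
    return table | (vaddr & 0xFFF)


def read_virtual(phys_mem, cr3, vaddr, length):
    """Read `length` bytes at a virtual address, or None if the page is absent."""
    pa = translate(phys_mem, cr3, vaddr)
    return None if pa is None else bytes(phys_mem[pa:pa + length])


def build_sample_image():
    """Constructed six-page 'RAM dump': PML4 at 0x1000, PDPT at 0x2000, PD at 0x3000,
    PT at 0x4000, and one data page at 0x5000 mapped at virtual 0x401000."""
    mem = bytearray(6 * PAGE)
    cr3 = 0x1000
    struct.pack_into("<Q", mem, 0x1000 + 0 * 8, 0x2000 | PRESENT)  # PML4[0] -> PDPT
    struct.pack_into("<Q", mem, 0x2000 + 0 * 8, 0x3000 | PRESENT)  # PDPT[0] -> PD
    struct.pack_into("<Q", mem, 0x3000 + 2 * 8, 0x4000 | PRESENT)  # PD[2]   -> PT
    struct.pack_into("<Q", mem, 0x4000 + 1 * 8, 0x5000 | PRESENT)  # PT[1]   -> data page
    mem[0x5234:0x5234 + 12] = b"patient-zero"
    return mem, cr3
```

Real tools must first find the table root and the OS structures that lead to it, which is where the version-specific work in step 1 goes; the walk itself is the same for every process once its CR3 value is known.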
Memory Forensics
What tool?
VOLATILITY
Python but binary distributions available
Open source
Plugin architecture (we wrote one – it was easy)
Awesome
Memory Forensics
Demo
eDiscovery
“Electronic discovery (also called e-discovery or ediscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.”
eDiscovery
Source: http://www.slideshare.net/mikealsup/arma-san-antonio-02-82012
eDiscovery
So what is eDiscovery in reality:
• Traditional digital forensics
• in less sophisticated / organised environments
• where data has been destroyed
• where data is distributed (e.g. mobile devices)
• Expensive specialised software
• Discovery across corporate assets
• Workflow
• Reporting
Wrapping up
Conclusions
We have only scratched the surface
Focus on:
• Being able to acquire
• Being able to analyse
• Being able to question things that are atypical
• Being able to draw conclusions based on fact
• Being able to deal with more than porn