Digital Forensics and Incident Response in
Introduction
Megan Roddie
◦ Cyber Threat Research at IBM
◦ CFO of Mental Health Hackers
◦ M.S. in Digital Forensics
◦ M.S. in Information Security Engineering (est. 2021)
◦ GCFA, GCIH
◦ @megan_roddie
1. INTRODUCTION TO G SUITE

2. DON’T GET COMPROMISED
Don’t Wait. Secure it.
◦ First Step: Don’t get compromised!
◦ Many steps to be taken to prevent a compromise
◦ 2FA, 2FA, 2FA
https://blog.reconinfosec.com/securing-g-suite/
3. G SUITE DFIR VS. TRADITIONAL DFIR

Mapping G Suite Attacks to the Cyber Kill Chain
https://www.slideshare.net/dafthack/ok-google-how-do-i-red-team-gsuite
Incident types

“Traditional” DFIR
◦ Malware
◦ Phishing
◦ Denial of Service
◦ Web attacks (XSS, SQL Injection)

G Suite DFIR
◦ Phishing
◦ Information Leak
◦ Account Abuse

Attack vector

“Traditional” DFIR
◦ Variety of access methods
◦ Vulnerability exploitation
◦ Publicly accessible network resources
◦ Human threat

G Suite DFIR
◦ Smaller attack surface
◦ Social Engineering
◦ Phishing email
◦ Brute force

Environment

“Traditional” DFIR
◦ Multiple devices / device types (computers vs. servers vs. network devices)
◦ Core configuration settings might be centralized; more system-independent settings

G Suite DFIR
◦ Contained to a single platform
◦ Core configuration settings are centralized

Overview

“Traditional” DFIR
◦ Large attack surface
◦ Diversity of incident types
◦ Variety of sources of information

G Suite DFIR
◦ Limited attack surface
◦ Specific incident types
◦ Data is centralized
Overview
4. CASE SCENARIO
The Scenario
A company’s client list seems to have leaked to an outside entity.
They suspect that the list of customers might have been found via G Suite (files, emails, contacts) but do not know of a compromise.
Cyber Experts, LLC. is contracted to find out if a compromise exists.
Scenario Start

What we know
◦ There might be a compromise

What we need to find out
◦ All the things

What’s been done
◦ Nothing
Identify suspicious activity
◦ Login Audit Logs
Identify suspicious activity
◦ whois 43.241.236.23
◦ whois 52.129.23.26
◦ whois 64.18.221.42
◦ ...
https://blog.ecapuano.com/auditing-gsuite-login-activity/
https://blog.reconinfosec.com/auditing-gsuite-login-activity/
Containment
◦ Disable account
◦ Reset password
◦ Reset all login sessions
How are we looking now?

What we know
◦ We know whose account was compromised
◦ We know when the account was compromised
◦ No other accounts indicate the same pattern of abnormal activity

What we need to find out
◦ How did it happen?
◦ What was the account used for?
◦ Is there any persistence in place?

What’s been done
◦ The known compromised account has been disabled and all active sessions have been reset
How did it happen?
Brute force?
No
So… Phishing?
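The two login-audit questions above (which logins came from unexpected IPs and deserve a whois, and whether the pattern looks like brute force) worked as an added Python example. This is not code from the talk; the record shape (id.time, actor.email, ipAddress, events[].name) is assumed to mirror the G Suite Reports API login activity, the sample events and the corporate allowlist are constructed, and the thresholds are illustrative.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, email, ip, name):
    """Build one record in the shape of a Reports API login activity (assumed)."""
    return {"id": {"time": ts}, "actor": {"email": email},
            "ipAddress": ip, "events": [{"name": name}]}
# Constructed sample log: a normal office login, one external login worth a
# whois, and a burst of failures followed by a success (the brute-force case).
SAMPLE_EVENTS = (
    [_ev("2020-03-02T08:01:10.000Z", "alice@example.com", "10.20.0.15", "login_success"),
     _ev("2020-03-02T09:30:00.000Z", "bob@example.com", "198.51.100.9", "login_success")]
    + [_ev(f"2020-03-02T22:{m:02d}:00.000Z", "alice@example.com", "203.0.113.77",
           "login_failure") for m in range(10, 16)]
    + [_ev("2020-03-02T22:17:00.000Z", "alice@example.com", "203.0.113.77", "login_success")]
)

# Assumed allowlist of corporate ranges; anything else gets a whois/geo check.
CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]
def _names(e):
    return {ev["name"] for ev in e["events"]}

def external_logins(events, nets=CORP_NETS):
    """Successful logins from outside the allowlist: (email, ip, time) tuples."""
    hits = []
    for e in events:
        ip = ipaddress.ip_address(e["ipAddress"])
        if "login_success" in _names(e) and not any(ip in n for n in nets):
            hits.append((e["actor"]["email"], e["ipAddress"], e["id"]["time"]))
    return hits

def brute_force_candidates(events, min_failures=5, window=timedelta(minutes=30)):
    """(email, ip) pairs with >= min_failures failures in `window` before a success."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["id"]["time"]):  # ISO-8601 sorts as text
        t = datetime.strptime(e["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        by_key[(e["actor"]["email"], e["ipAddress"])].append((t, _names(e)))
    flagged = []
    for key, seq in by_key.items():
        for i, (t, names) in enumerate(seq):
            if "login_success" not in names:
                continue
            recent_fails = [ft for ft, fn in seq[:i]
                            if "login_failure" in fn and t - ft <= window]
            if len(recent_fails) >= min_failures:
                flagged.append(key)
                break
    return flagged
```

In the sample, Bob's external login is a single success (a whois candidate, possibly travel), while Alice's external success follows six failures in seven minutes and is flagged; on this scenario's real logs the talk found no such burst, which is what pointed toward phishing.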
What was the account used for?
Review All The Logs
Is there any persistence in place?
◦ App passwords
◦ Authorized API
◦ Add 2FA device
◦ Email forwarding
◦ Email filters
Moral of the story...
5. FUTURE RESEARCH
Incident Response (IR)
◦ Automation via G Suite API
◦ Started but not my area of expertise
  ▫ Reach out if you want to collaborate
Digital Forensics (DF)
◦ File Metadata Analysis
◦ Recreate SANS Windows Time Rules for Google Drive
Questions?
Thank you!