
My First Incident Response Team

DFIR for Beginners

BSidesSF 2013

Saturday, March 2, 2013

DISCLAIMER

• Speak only for myself

• These are opinions, not facts

• I could be wrong about anything

• Use at your own risk


About Me

• Recently setup IR functions at a mid-sized business

• Not an expert by any stretch

• Goal for talk:

• Make it easier for you to start IR


About the Talk

• No l33t reversing, new tools, or shocking discoveries

• Fundamentals for new responders

• Lots of how-to videos


Overview

• Introduction

• Prerequisites

• Example toolset

• Using the tools (demos!)

• Links, links, links



What is DFIR?

(image: http://www.playmofriends.com/forum/index.php?topic=10703.0)

Deploy the Incident Response Team

http://securityreactions.tumblr.com/post/41007253406/deploy-the-incident-response-team


SOC when a security incident is underway

http://securityreactions.tumblr.com/post/36590251963/walking-into-the-soc-when-a-security-incident-is


Digital Forensics

• Traditionally criminal investigations

• Hard disk image

• Internet history/cache

• Deleted files

• Filesystem timeline


Incident Response

• Mitigate DoS

• Discover vector for site defacement

• Mass-virus/worm outbreaks

• Product security flaw reports (PSIRT)


DF to the IR

• IR is one application of DF methods

• Strange paradox: heavily human-driven, yet utterly depends on keeping emotions in check

• There’s always an adversary

• Efficiency is absolute requirement


Do I Really Need It?

• Ever had a virus infection?

• Know for a fact what data was exfiltrated?

• Think your AV handles rootkits?

• Do your users click phishing messages?

• Is your policy method “finger in the wind”?


Perhaps You’ve Heard...

http://threatpost.com/en_us/blogs/comment-crew-expos-new-level-china-attack-attribution-021913

Only Big Companies?

http://www.bloomberg.com/news/2012-11-27/china-mafia-style-hack-attack-drives-california-firm-to-brink.html

Overview: Prerequisites

Where Do I Start?

1. Consult stakeholders

1.1. Legal, HR, data owners, IT, Ops, PR

1.2. What strategy fits? Containment, etc

2. Write a plan

2.1. What’s escalation path?

2.2. When to escalate?

2.3. Contact outside IR firms

3. Acquire tools

4. Practice

4.1. VMs

4.2. Mundane infections

4.3. Table-top

5. Debrief, repeat


*YAWN*

(image: http://askswadders.blogspot.com/2012/06/hairy-tory.html)

Why plan ahead?

• Align focus with organizational goals

• Define roles & responsibilities

• List capability requirements

• Identify potentially flawed assumptions

• Look all professional and stuff


Don’t Be That Dog

(image: http://memegenerator.net/I-Have-No-Idea-What-IM-Doing-Dog-With-Tie/)

Lessons From chort #1

• Find out what HR and legal care about, don’t waste effort

• Train IT on collection procedure, you’ll need them later

• Stick to the plan!

• That CISSP chain-of-custody crap actually matters

• Wikis are great

• Read, read, read


Don’t worry, I have links at the end


Network Essentials

• TCP/IP literate

• Read ASAP: ISBN 0201633469 (TCP/IP Illustrated, Vol. 1, Stevens, 1st ed)

• How & why src/dst ports used

• DNS (authority vs. recursive, glue, etc)

• WHOIS (web tools & CLI)

• HTTP (headers, manual manipulation)



Network Essentials

• PCAP (tcpdump, Wireshark, etc)

• IDS/IPS

• Not great, but often initial notification

• How to determine false positive

• Signature can’t apply: target runs an OS or software version the exploit doesn’t affect, or the traffic doesn’t resemble the PoC exploit

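The "impossible OS / software version" test from the slide can be automated by joining each alert to an asset inventory before anyone opens a pcap. The following is an added example, not code from the talk: the alert and inventory records are constructed, the field names are my own and not any IDS's schema, and the third check on the slide (does the traffic resemble the PoC exploit) still needs a human with the capture.

```python
"""Triage IDS alerts against an asset inventory: a signature that targets an
OS, a product, or a version the destination host does not run is almost
certainly a false positive. Added example, not from the talk; records and
field names are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Asset:
    ip: str
    os: str                          # "windows" | "linux" | ...
    services: Dict[str, str]         # {"http": "iis/6.0", "smb": "samba/3.6.3"}

@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str
    target_os: Optional[str]         # OS the exploit applies to; None = any
    service: Optional[str]           # service the signature is about
    product: Optional[str]           # product the exploit targets
    last_affected: Optional[Tuple[int, ...]]  # highest vulnerable version

def version_tuple(banner: str) -> Tuple[int, ...]:
    """'apache/2.2.22' -> (2, 2, 22). Stops at the first non-numeric part."""
    ver = banner.split("/", 1)[1] if "/" in banner else banner
    out = []
    for part in ver.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        if not digits:
            break
        out.append(int(digits))
    return tuple(out)

def triage(alert: Alert, inventory: Dict[str, Asset]) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: 'false-positive', 'investigate',
    or 'unknown-host' when the destination is not in the inventory (an
    unknown host on your own network is itself worth a look)."""
    asset = inventory.get(alert.dst)
    if asset is None:
        return "unknown-host", f"{alert.dst} not in inventory"
    if alert.target_os and asset.os != alert.target_os:
        return "false-positive", f"signature targets {alert.target_os}, host runs {asset.os}"
    if alert.service:
        banner = asset.services.get(alert.service)
        if banner is None:
            return "false-positive", f"host does not run {alert.service}"
        product = banner.split("/")[0]
        if alert.product and product != alert.product:
            return "false-positive", f"signature targets {alert.product}, host runs {product}"
        if alert.last_affected and version_tuple(banner) > alert.last_affected:
            return "false-positive", f"{banner} is newer than last affected version {alert.last_affected}"
    return "investigate", "target matches the signature; pull the pcap and compare with the PoC"

# Constructed inventory and alerts (local-rule SID range, made-up hosts).
INVENTORY = {
    "10.0.0.5": Asset("10.0.0.5", "windows", {"http": "iis/6.0"}),
    "10.0.0.7": Asset("10.0.0.7", "linux", {"http": "apache/2.2.22"}),
    "10.0.0.9": Asset("10.0.0.9", "windows", {"http": "iis/7.5", "smb": "windows/6.1"}),
}

def sample_alerts():
    """One constructed signature fired against four destinations."""
    base = dict(sid=1000001, msg="IIS 6.0 exploit attempt (constructed)",
                src="203.0.113.8", target_os="windows", service="http",
                product="iis", last_affected=(6, 0))
    return [Alert(dst=ip, **base) for ip in ("10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.99")]

if __name__ == "__main__":
    for a in sample_alerts():
        verdict, why = triage(a, INVENTORY)
        print(f"sid {a.sid} -> {a.dst}: {verdict} ({why})")
```

The inventory is the weak point of this approach: if it is stale, a "false-positive" verdict is wrong in the dangerous direction, so treat the inventory itself as something IR owns and keeps current.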

OS Essentials

• How do services register

• Where are start-up items stored

• How is command history saved

• How can files be hidden/restricted

• What are normal/expected services/procs


Essentials

• Only way to learn is a lot of practice

• Create virtual machines and analyze them

• As you progress, attack the VMs and see if you can detect the attacks


Detecting Incidents


Detection

• DNS anomalies

• Netflow

• IPS, proxies, email gateway, sandbox appliance

• Agents (Bit9, GRR, HBGary, MIR, OSSEC, AV?)

• SIEM/log analysis (Splunk, ELSA, etc)

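"DNS anomalies" is the cheapest detection source on that list, because query logs exist on every resolver. Here is an added example (not from the talk) of three starter checks run over a constructed query log: many distinct names under one registered domain from one client (tunnelling or DGA beaconing), long high-entropy labels (encoded data in the name), and NXDOMAIN bursts from one client (DGA probing). The log format, thresholds, and the "last two labels" domain approximation are all assumptions for the demo.

```python
"""Starter DNS anomaly checks over a resolver query log. Added example, not
from the talk; log format, thresholds and sample lines are constructed.
"""
import math
from collections import defaultdict

# Constructed sample lines: "<epoch> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
1362204000 10.0.0.12 www.example.com A NOERROR
1362204001 10.0.0.12 mail.example.com A NOERROR
1362204002 10.0.0.33 zjq3k9d2m1lxv8pq.t.badtunnel.example A NOERROR
1362204003 10.0.0.33 a8f1kz02qqe7mn5v.t.badtunnel.example A NOERROR
1362204004 10.0.0.33 pp39xk1m0zaq7b2c.t.badtunnel.example A NOERROR
1362204005 10.0.0.33 m2n5bb8w7qqz1c4x.t.badtunnel.example A NOERROR
1362204006 10.0.0.33 c7a1l0xq9nm3v5bz.t.badtunnel.example A NOERROR
1362204007 10.0.0.33 w9z2x1p8q4l6m3nv.t.badtunnel.example A NOERROR
1362204008 10.0.0.40 kxqpwv.net A NXDOMAIN
1362204009 10.0.0.40 zmlqrt.com A NXDOMAIN
1362204010 10.0.0.40 qwpxvb.org A NXDOMAIN
1362204011 10.0.0.40 nbvcxz.net A NXDOMAIN
1362204012 10.0.0.40 yuiopq.com A NXDOMAIN
1362204013 10.0.0.12 example.com MX NOERROR
"""

def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation of the registered domain.
    Fine for a demo; use a public-suffix list in production (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def shannon_entropy(s: str) -> float:
    """Bits per character; ~4.7 is the maximum for [a-z0-9] labels."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse(log: str):
    """Yield (ts, client, qname, qtype, rcode) per non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        yield int(ts), client, qname.lower(), qtype, rcode

def find_anomalies(log: str, max_subdomains=5, max_label_len=15,
                   min_entropy=3.5, max_nxdomain=4):
    """Return a list of (kind, client, detail) findings."""
    subdomains = defaultdict(set)   # (client, regdomain) -> {qname}
    nxdomain = defaultdict(int)     # client -> NXDOMAIN count
    seen_entropy = set()            # report one high-entropy hit per (client, domain)
    findings = []
    for _, client, qname, _, rcode in parse(log):
        reg = registered_domain(qname)
        subdomains[(client, reg)].add(qname)
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
        first = qname.split(".")[0]
        if len(first) > max_label_len and (client, reg) not in seen_entropy:
            h = shannon_entropy(first)
            if h >= min_entropy:
                seen_entropy.add((client, reg))
                findings.append(("high-entropy-label", client, f"{qname} (H={h:.2f})"))
    for (client, reg), names in subdomains.items():
        if len(names) > max_subdomains:
            findings.append(("many-subdomains", client, f"{len(names)} unique names under {reg}"))
    for client, n in nxdomain.items():
        if n > max_nxdomain:
            findings.append(("nxdomain-burst", client, f"{n} NXDOMAIN responses"))
    return findings

if __name__ == "__main__":
    for kind, client, detail in find_anomalies(SAMPLE_LOG):
        print(f"{kind:20} {client:12} {detail}")
```

Tune the thresholds against a day of your own logs before alerting on them: CDNs and some anti-virus vendors legitimately generate long, random-looking labels, so whitelist those registered domains rather than lowering the entropy bar.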

Overview: Example toolset

Tools - Hardware

• Hardware matters, a LOT

• Do your corporate systems have eSATA, or USB3 (& Firewire)?

• Go SSD. You owe me a drink for this

• Analysis system, isolated, snapshots, AV

• Storage for images and analysis sessions


Hardware Setup

• Don’t skimp on RAM, CPU, storage

• Consider adding GPUs for badass password auditing (just sayin)

• Don’t connect to domain

• Consider VMs

• Monster host could support sandbox VMs too


Tools - Software

• What operating systems will you need to acquire from?

• Types of data to acquire: Memory, volatile, disk/filesystem

• Remote acquisition?

• Start w/free, buy when need identified

• Dedicated local Windows/system account for acquisition (not a domain account)


Tools - Online

• https://urlquery.net/

• https://www.virustotal.com/

• https://vicheck.ca/

• http://malwr.com/

• https://www.pdfxray.com/

• http://jsunpack.jeek.org/


Lessons From chort #2

• Be careful what you leak!

• IPs, Referers, info in documents

• Tor, filtering proxies, private options

• Consider analysis jumphost

• External VPS or EC2 instances

• Consider in-house sandboxes


Leak Example

Web server log entry from a suspect site that was looked up through an online tool. The request’s source in the log is the tool’s proxy, but the proxy appended the analyst’s own address in X-Forwarded-For and named itself in Via, so the site owner learns both who is investigating and what they used. (198.51.100.2 is an RFC 5737 documentation address standing in for the real analyst IP.)

2013-01-03 17:15:42 66.249.16.211 42114 www.evildomain.com / Mozilla/5.0 (Windows NT 5.2; rv:12.0) Gecko/20100101 Firefox/12.0 en GET 0 0 --
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 300
Connection: keep-alive
X-Forwarded-For: 198.51.100.2
Via: 1.1 www.domaintools.com
Host: www.evildomain.com

(Now fixed)

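The practical check is to point each online tool at a web server you control, capture the raw request it sends, and see which identifying headers survive the hop. The following added example (not the author’s code) does that inspection over the request from the slide, reassembled as raw headers; the list of headers it treats as leaky is my own and should be extended for whatever your proxies or browsers inject.

```python
"""Flag identifying headers that an online lookup/proxy tool passes through
to the target site. Added example for this page, not the author's code.
The sample request is reconstructed from the slide's log entry; 198.51.100.2
is an RFC 5737 documentation address standing in for the analyst's real IP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Headers that reveal the analyst, their tooling, or the path the request
# took. Assumed list: extend it for what your own environment injects.
LEAKY_HEADERS = {
    "x-forwarded-for": "client IP forwarded by the tool's proxy",
    "via": "names the proxy / online tool that relayed the request",
    "forwarded": "RFC 7239 equivalent of X-Forwarded-For / Via",
    "referer": "URL of the page the analyst came from (may be an internal tool)",
    "x-real-ip": "client IP inserted by some reverse proxies",
    "user-agent": "browser/OS fingerprint of the analyst workstation",
}

# Constructed sample: the request from the slide, as raw HTTP/1.1 headers.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,"
    "text/plain;q=0.8,image/png,*/*;q=0.5\r\n"
    "Accept-Language: en,en-us;q=0.5\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Accept-Charset: UTF-8,*\r\n"
    "Keep-Alive: 300\r\n"
    "Connection: keep-alive\r\n"
    "X-Forwarded-For: 198.51.100.2\r\n"
    "Via: 1.1 www.domaintools.com\r\n"
    "Host: www.evildomain.com\r\n"
    "\r\n"
)

@dataclass
class Leak:
    header: str
    value: str
    why: str

def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (request_line, {lower_name: value}).
    Accepts CRLF or LF line endings; obsolete folded continuation lines are
    joined onto the previous header."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and last:          # obs-fold continuation
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return lines[0], headers

def check_leaks(raw: str, ignore=("user-agent",)) -> List[Leak]:
    """Return the leaky headers present in the request, in LEAKY_HEADERS
    order. User-Agent is ignored by default because every browser sends one;
    pass ignore=() when workstation fingerprinting matters to you."""
    _, headers = parse_request(raw)
    leaks = [Leak(h, headers[h], LEAKY_HEADERS[h])
             for h in LEAKY_HEADERS if h in headers and h not in ignore]
    # X-Forwarded-For may be a chain "client, proxy1, proxy2"; the first
    # address is the one that identifies the analyst.
    for leak in leaks:
        if leak.header == "x-forwarded-for":
            leak.value = leak.value.split(",")[0].strip()
    return leaks

def relaying_tools(raw: str) -> List[str]:
    """Pseudonyms of every hop named in Via ("1.1 host [comment]" per hop)."""
    _, headers = parse_request(raw)
    via = headers.get("via")
    if not via:
        return []
    names = []
    for hop in via.split(","):
        parts = hop.split()
        if parts:
            names.append(parts[1] if len(parts) >= 2 else parts[0])
    return names

if __name__ == "__main__":
    for leak in check_leaks(SAMPLE_REQUEST):
        print(f"{leak.header}: {leak.value}  <- {leak.why}")
    print("relayed by:", relaying_tools(SAMPLE_REQUEST))
```

Run it against the request each tool actually emits, not just this sample: some services fetch through a headless browser and leak nothing, others forward everything, and the behaviour changes without notice, so re-test periodically.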

Example Toolset

• SSD in external enclosure (eSATA + USB3)

• Sysinternals

• Memoryze

• FTK Imager

• Redline

• Volatility

• Spreadsheet (OOo, Numbers, Excel)


Overview: Using the tools (demos!)

DOs and DON’Ts

• Don’t unplug

• Do consider monitoring network first

• Don’t use domain account

• Do have replacement machine for user

• Do have a plan (timestamps, file types, etc)

• Do keep good records

• Don’t spend more time than necessary


Finding Helpful Clues

• IDS alerts by src/dst IP, MAC address

• Dr Watson reports

• ntop, netflow, DNS query logs, span port

• Logs for VPN, Citrix, webmail, etc

• Build filesystem timeline

• Shim Cache, autoruns


Strategy

• Collect RAM

• Collect volatile data

• Processes, sockets, history, cache

• Hiberfile?

• Collect filesystem info (MFT)

• Image disk



Redline

• Create custom collector for acquisition

• Can build for specific artifacts, IOCs, etc

• Dumps memory

• Redline can import memory from other tools

• Timeline, code signatures, suspicious procs


DEMO (click me!)

(Not shown: Creating the collector)

• Collect artifacts to net share

• Import artifacts to Redline

• Discover injected memory

• Locate events in timeline

Volatility


Malfind

shimcache

iehistory

Volatility For Linux

• Dump memory over TCP with LiME

• Create profile for your kernel

• Do this ahead of time for each kernel/OS

• Don’t build LiME or profile on victim!

• Assumes gcc, gdb, make, etc


DEMO (click me!)

• Build LiME

• Create Volatility profile

• Dump memory over TCP

• Find bash history
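A dump pulled over TCP is only as good as the transfer: if the socket drops or the analysis box runs out of disk, you get a file that Volatility will happily open and then produce confusing partial results from. Below is an added example (not from the talk) that walks the LiME range headers in a dump and reports whether every segment’s data is actually present. The header layout (32-byte packed little-endian record: magic 0x4C694D45, version, start and end physical address, 8 reserved bytes) follows lime.h in the LiME source; the dump bytes are constructed in memory, and the `path=tcp:<port> format=lime` module parameters mentioned in the lead-in are LiME’s documented TCP mode with a port of my choosing.

```python
"""Sanity-check a LiME-format memory dump after pulling it over TCP, e.g.
`insmod lime.ko "path=tcp:4444 format=lime"` on the victim and
`nc victim 4444 > mem.lime` on the analysis box (port is an assumption).
Added example, not part of the talk. Header layout per lime.h; the dump
bytes used below are constructed in memory.
"""
import struct
from typing import Iterator, List, Tuple

LIME_MAGIC = 0x4C694D45                 # "EMiL" when read little-endian
HEADER = struct.Struct("<IIQQ8s")       # magic, version, s_addr, e_addr, reserved

def build_dump(ranges: List[Tuple[int, bytes]]) -> bytes:
    """Construct a LiME dump from (start_addr, data) pairs (test helper)."""
    out = b""
    for start, data in ranges:
        end = start + len(data) - 1      # e_addr is inclusive
        out += HEADER.pack(LIME_MAGIC, 1, start, end, b"\0" * 8) + data
    return out

def iter_ranges(dump: bytes) -> Iterator[Tuple[int, int, int, bool]]:
    """Yield (start, end, data_offset, complete) per range header.
    complete is False when the segment's data runs past the end of the file,
    which is what a dump cut off mid-transfer looks like."""
    off, prev_end = 0, -1
    while off < len(dump):
        if off + HEADER.size > len(dump):
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(dump, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {off}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"end 0x{e_addr:x} before start 0x{s_addr:x}")
        if s_addr <= prev_end:
            raise ValueError(f"range 0x{s_addr:x} overlaps or precedes previous range")
        length = e_addr - s_addr + 1
        data_off = off + HEADER.size
        complete = data_off + length <= len(dump)
        yield s_addr, e_addr, data_off, complete
        prev_end = e_addr
        off = data_off + length

def validate(dump: bytes) -> dict:
    """Summarise a dump: physical ranges, bytes of RAM they describe, and
    whether every range is fully present. Stops at the first problem."""
    ranges, described, complete = [], 0, True
    try:
        for s, e, _, ok in iter_ranges(dump):
            ranges.append((s, e))
            described += e - s + 1
            if not ok:
                complete = False
                break
    except ValueError as exc:
        return {"ranges": ranges, "bytes": described, "complete": False, "error": str(exc)}
    return {"ranges": ranges, "bytes": described, "complete": complete, "error": None}

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        report = validate(fh.read())
    for s, e in report["ranges"]:
        print(f"range 0x{s:012x}-0x{e:012x}")
    print(f"{report['bytes']} bytes described, complete={report['complete']}, error={report['error']}")
```

Compare the byte count against the victim’s /proc/iomem "System RAM" ranges, which is what LiME walks; a dump that is complete by this check but smaller than expected usually means the module was loaded with a different format than you assumed.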

Cuckoo Sandbox


APT? I don’t believe they, oh shi...

http://www.funnyjunk.com/funny_pictures/3146743/Ninja+turtles+master/33#33


Speaking of APT...

• 281 Comment Crew Samples on VirusShare

• Alienvault released Yara signatures

• Cuckoobox can now dump memory

• Volatility can scan images with Yara

• Sounding fun yet?


DEMO (click me!)

• Configure reports

• Import Yara signatures

• Analyze APT malware with Cuckoo

• Analyze memory with Volatility

• Write new Yara signature

Hopper Disassembler

WAT?

Mega lulz!

http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html

http://memegenerator.net/Fuck-You-IM-An-Anteater


Extensible w/Python

http://rants.effu.se/2012/12/Scripting-Hopper-Disassembler---WS2_32.dll-Ordinals-to-Names

Wrap Up


Don’t Waste A Crisis

• (Shamelessly stolen from Brad Arkin)

• Track incidents to highlight root-causes

• Change process to avoid repeats

• Add controls to mitigate or remove vectors

• *AHEM* Java


What Are We Missing?

• Is there something we aren’t tracking?

• Do we need a tool/capability to respond?

• Do we need more people (probably)?


Overview: Links, links, links

BLERGS

(image: http://www.quickmeme.com/meme/3otxsn/)

Richard Bejtlich: http://taosecurity.blogspot.com/ (bestbook, impressions, reviews)

Malware Analyst’s Cookbook and DVD: http://www.malwarecookbook.com/

Practical Malware Analysis: http://practicalmalwareanalysis.com/

APTish Attack via Metasploit: http://www.sysforensics.org/

AlienVault Labs: http://labs.alienvault.com/labs/

FireEye Malware Intelligence Lab: http://blog.fireeye.com/research/

SEMPERSECURUS: http://sempersecurus.blogspot.com/

DeepEnd Research: http://www.deependresearch.org/

contagio malware dump: http://contagiodump.blogspot.com/

Journey Into Incident Response: http://journeyintoir.blogspot.com/

Windows Incident Response: http://windowsir.blogspot.com/

Linux Sleuthing: http://linuxsleuthing.blogspot.com/

M-UNITION: https://blog.mandiant.com/

Sniper Forensics: http://blog.spiderlabs.com/ (search “sniper forensics”)

(image: http://www.webdesignhot.com/free-vector-graphics/electric-tools-vector-set/)

Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Memoryze: http://www.mandiant.com/resources/download/memoryze

FTK Imager: http://www.accessdata.com/support/product-downloads

Redline: http://www.mandiant.com/resources/download/redline

Immunity Debugger: http://debugger.immunityinc.com/

Hopper Disassembler: http://www.hopperapp.com/

Volatility: https://www.volatilesystems.com/default/volatility

Cuckoo Sandbox: http://www.cuckoosandbox.org/

The Sleuth Kit: http://www.sleuthkit.org/

Yara: http://code.google.com/p/yara-project/

Thug (honeyclient): http://buffer.github.com/thug/

(image: http://www.flickr.com/photos/dmckechnie/3410959594/sizes/l/in/photostream/)

Forensics Wiki: http://www.forensicswiki.org/

OpenIOC (Editor & Finder): http://www.openioc.org/

VERIS (Community & Framework): http://www.veriscommunity.net/doku.php

Mandiant Forums: https://forums.mandiant.com/

Twitter: accounts or lists with ‘4n6’; #DFIR hashtag

Thanks!


Brian Keefer

http://rants.effu.se

https://twitter.com/chort0

https://alpha.app.net/chort

http://www.SMTPS.net

chort0 on Freenode

Slides: http://www.SMTPS.net/pub/presentations/BSidesSF2013_DFIR.pdf