An academic’s view to incident response
Martin Schmiedecker, fr333k
Overview
• Challenges
• Do’s and Don’ts
• What can I do to be prepared?
• peekaTorrent
Martin who?
$ whoami:
• Martin Schmiedecker
• researcher at SBA Research, Vienna
• digital forensics!
• online privacy & network security
• @Fr333k
Goals of this talk
• introduction to incident response
• (past &) current challenges
• talk about things that work
• also, how things can blow up in your face
What is Incident Response?
Companies fail to detect intrusions:
• Ashley Madison
• Hacking Team
• RSA
• Google, Operation Aurora
• (Stuxnet)
What is Incident Response?
Things like:
• something happened, no clue what exactly
• got an alert from some box
• this is weird ...
What is Incident Response?
Goals:
• react to security-related events
• containment, prevention
Ideally:
• live forensics under time pressure
• move faster than the attacker
• remotely, without the need to physically get there
Context of Academia
Academia
Science vs. engineering:
• reviewers in a tough position
• where does one start, the other stop?
• is scientifically published engineering a thing?
Academia
Question the security narratives:
• evidence-based science? (see also Hanno’s excellent talk on this topic at 33c3)
• plenty of FUD!
• fast field!
but:
• creativity!
• independence!
Academia
Standards and references:
• RFC 3227: Guidelines for Evidence Collection and Archiving
• NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
• things like “Order of Volatility”, write blockers, ...
Challenges
Paper from 2010 by Simson Garfinkel:
• “Golden Age of Digital Forensics” ended
• has been: rather simple challenges
• RAM, networks possible
• focus on office and multimedia files
Challenges
Observed upcoming issues:
• flash storage
• lack of time (== storage sizes)
• cloud
• encryption
• multiple devices
• broader diversity
Challenges
Still a problem:
• storage capacity!
• hash, copy, hash & hash
• $$$: special hardware for that
• takes ages
• esp. on slow interfaces
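The “hash, copy, hash & hash” step above is the integrity routine behind every acquired image. The example below is added here and is not code from the talk: it hashes the source before touching it, copies it while hashing the stream, hashes the copy, and then hashes the source once more so that a source that changed underneath the acquisition, or a copy that was silently corrupted, is caught. The file names, the 1 MiB block size and the random sample file are constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks; evidence images are far larger than RAM


def hash_file(path, algo="sha256"):
    """Streaming hash of a file; returns the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def copy_and_hash(src, dst, algo="sha256"):
    """Copy src to dst in one pass, hashing every block as it is read."""
    h = hashlib.new(algo)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest()


def verified_copy(src, dst, algo="sha256"):
    """'hash, copy, hash & hash': all four digests must agree, otherwise either the
    source changed during acquisition or the copy does not match the source."""
    source_before = hash_file(src, algo)
    stream = copy_and_hash(src, dst, algo)
    copy = hash_file(dst, algo)
    source_after = hash_file(src, algo)
    return {
        "algo": algo,
        "source_before": source_before,
        "stream": stream,
        "copy": copy,
        "source_after": source_after,
        "verified": source_before == stream == copy == source_after,
    }


def demo():
    """Constructed input: a throwaway 'evidence' file of random bytes. Returns the
    clean verdict plus whether the copy still verifies after one byte is flipped."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.img")
        dst = os.path.join(d, "evidence_copy.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))  # deliberately not a multiple of CHUNK
        clean = verified_copy(src, dst)
        # Simulate silent corruption of the copy (bad cable, failing disk, ...).
        with open(dst, "r+b") as f:
            f.seek(CHUNK + 7)
            b = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([b[0] ^ 0x01]))
        tampered_matches = hash_file(dst) == clean["copy"]
        return {"clean": clean, "tampered_matches": tampered_matches}


if __name__ == "__main__":
    r = demo()
    print("verified:", r["clean"]["verified"], "copy still matches after tampering:", r["tampered_matches"])
```

The four digests cost two full reads of the source and one of the copy on top of the copy itself, which is why the slide says it takes ages on terabyte disks and slow interfaces, and why dedicated imaging hardware that hashes in the data path exists.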
Challenges
Engineering efforts:
• data de-duplication (NSRL RDS)
• identify file fragments, 2015 [1]
• “sifting collectors”, 2015 [2]
• specific access optimizations, 2016 [3]
Challenges
Is not inspecting everything really an option?
• probably not!
Challenges
Encryption:
• “Properly implemented strong crypto systems are one of the few things that you can rely on.”
• usage is increasing
• both on devices and on the wire
Challenges
Still:
• can be bypassed
• can be fingerprinted
• also, traffic analysis (recent Cisco whitepaper on “Encrypted Traffic Analysis”)
Challenges
Heterogeneity:
• long tail is problematic
• rest is for the commercial world
Challenges
Cloud Forensics is a lie!
Challenges
Cloud Forensics is either:
• remote access for IaaS, or
• funky, non-publicly described API for SaaS
But:
• both usable
• APIs need fiddling
• commercial tools available
Challenges
GDPR:
• May 2018!
• will be interesting!
• valid consent, right of erasure & access, ...
• in particular for larger companies
Do’s and Don’ts
Incident Response
Why RAM?
• RAM has all the juicy stuff
• processes, network connections, ...
• non-reproducible!
• volatility is great!
Incident Response
Afterwards:
• inspect machine
• e.g. Sysinternals tools
• however, your mileage may vary
• avoid file writes!
Incident Response
Best-case:
• one machine
• no lateral movement
• contained in time
Incident Response
Reality is different!
• 1 TB of RAM?
• entire networks? VLANs?
• 10G+ network links?
• terabytes of storage?
Incident Response
How to get a RAM image:
• Windows: FTK Imager, WinPmem, Redline, Deft Linux, ...
• Linux: LiME
• Mac OS: OSXPmem
• all of the above: Rekall (GRR)
• Android: LiME (adb)
• iOS: WTF?
What can I do to be prepared?
Logging
Logs help tremendously!
• both network and operating system
• log remotely & aggregate!
• even netflow information can help
• still somewhat tedious
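As an added illustration of the “aggregate” and “netflow can help” points (this is example code written for this page, not anything from the talk), the block below takes a handful of constructed flow records in a simple CSV layout of its own (not the export format of any particular collector), sums outbound bytes per internal host towards external destinations, and flags hosts above a volume threshold. The internal address ranges, the 50 MB threshold and every address in the sample are assumptions chosen for the demo.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records, not real traffic. Columns: timestamp, source, destination,
# destination port, protocol, bytes transferred. Documentation IPs stand in for the internet.
FLOWS = """ts,src,dst,dport,proto,bytes
2017-06-01T10:00:01,10.0.0.5,93.184.216.34,443,tcp,5120
2017-06-01T10:00:04,10.0.0.5,198.51.100.10,53,udp,2048
2017-06-01T10:00:09,10.0.0.5,10.0.0.9,445,tcp,8192
2017-06-01T10:01:00,10.0.0.23,198.51.100.44,443,tcp,20000000
2017-06-01T10:06:00,10.0.0.23,198.51.100.44,443,tcp,20000000
2017-06-01T10:11:00,10.0.0.23,198.51.100.44,443,tcp,20000000
2017-06-01T10:16:00,10.0.0.23,198.51.100.44,443,tcp,20000000
2017-06-01T10:20:00,203.0.113.7,10.0.0.5,22,tcp,4096
"""

# The organisation's own address space (assumed RFC 1918 here). Defined explicitly rather
# than via ipaddress.is_private(), which would also treat documentation ranges as private.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(text):
    """Parse the CSV into dicts with numeric byte and port fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def outbound_summary(flows):
    """Per internal source host: bytes sent to external destinations, the set of those
    destinations and the flow count. Internal-to-internal flows and flows whose source
    is external are skipped, so inbound traffic never inflates a host's outbound total."""
    summary = defaultdict(lambda: {"bytes": 0, "dsts": set(), "flows": 0})
    for fl in flows:
        if not is_internal(fl["src"]) or is_internal(fl["dst"]):
            continue
        s = summary[fl["src"]]
        s["bytes"] += fl["bytes"]
        s["dsts"].add(fl["dst"])
        s["flows"] += 1
    return dict(summary)


def flag_large_senders(summary, byte_threshold):
    """Hosts whose outbound volume reaches the threshold, largest first."""
    hits = [(src, s["bytes"]) for src, s in summary.items() if s["bytes"] >= byte_threshold]
    return sorted(hits, key=lambda x: -x[1])


def demo(byte_threshold=50_000_000):
    flows = parse_flows(FLOWS)
    summary = outbound_summary(flows)
    return {"summary": summary, "flagged": flag_large_senders(summary, byte_threshold)}


if __name__ == "__main__":
    for src, total in demo()["flagged"]:
        print(f"{src} sent {total} bytes outbound")
```

A fixed byte threshold is the simplest possible rule; the same per-host summary is the input you would feed a baseline (bytes per host per day) so the threshold becomes relative to what that host normally does.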
Logging
Network:
• funky hardware can do mirroring
• doable on a budget, too
• store as pcap or pipe into Security Onion
• use Stenographer from Google for 10+G
Logging
Details matter:
• where to place the tap?
• trunks? external towards the modem?
• trying to find a balance ...
Logging
System logs:
• ELK stack: Logstash, Kibana
• Graylog
• OSSEC
• Windows Event Collector
• Splunk
• ...
Remote
Remote:
• physical access not always possible
Google GRR:
• built for incident response!
• simple questions: PowerShell? Linux Subsystem?
Remote
GRR deployment:
• most logic is server-side
• server generates executables with config
• client simply runs it, done
• easy with Puppet or others
• offline clients run tasks asap when online
Remote
GRR Pros:
• web GUI
• scales very well
• allegedly large setups with 100,000+ client machines
• configuration & roll-out easy
• long-term supported project
Cons:
• privacy and legal implications
Remote
GRR RAM capabilities:
• remote acquisition of RAM
• use Volatility on live RAM
• = really, really cool!
Remote
Flow:
• basic work unit in GRR, asynchronous
• used for client data acquisition
• can use e.g. OS API, or Sleuth Kit for file access
• written in Python, stored on server
Remote
Hunting:
• run flows on entire or partial fleets
• also on offline machines, once back
• or any subset, e.g. all machines running Windows
• scalable!
• clients check for new flows every 10 mins
peekaTorrent
General idea:
• identify file(-fragments) of no interest
• leverage publicly shared hash values
• more granular than files, but less than sectors
Soooo much Data
We’d like to ignore:
peekaTorrent
Our approach:
• it’s all in the .torrent
• copyright-free!
• torrent it, check it, done!
• toolchain: bulk_extractor & hashdb
• published last year at DFRWS 2016 [4]
peekaTorrent
BitTorrent uses chunking:
• all files are concatenated
• then split in chunks (= pieces)
• most often 256 KB (observed 16 KB to 16 MB)
• depending on implementation and user preference
peekaTorrent
Benefits:
• find deleted & even partially overwritten files
• fast! Really fast!
• fewer false positives
• hashdb files can be easily shared
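The two slides above (how BitTorrent pieces are formed, and why piece-level hashes recover partially overwritten files) are demonstrated together in the added example below. It is illustration code written for this page, not the peekaTorrent toolchain, which uses bulk_extractor and hashdb rather than the plain dictionary and sliding window here. It concatenates a torrent's files, SHA-1s each fixed-size piece exactly as a v1 .torrent does, stores the piece hashes in a lookup table, then hashes a piece-sized window at every sector boundary of a constructed disk image. One file in the image has been deleted and half overwritten, so a whole-file hash finds nothing while the surviving pieces still match. The 4 KiB piece size (chosen so the demo runs instantly; real torrents mostly use 256 KB), the torrent names and all byte content are constructed.

```python
import hashlib
import random

SECTOR = 512  # scan granularity: file systems place data on sector/cluster boundaries


def piece_hashes(files, piece_len):
    """BitTorrent v1 piece hashing: concatenate the files in order, split the stream
    into fixed-size pieces and SHA-1 each one (only the last piece may be shorter)."""
    stream = b"".join(files)
    return [hashlib.sha1(stream[i:i + piece_len]).digest()
            for i in range(0, len(stream), piece_len)]


def build_hashdb(torrents, piece_len):
    """piece hash -> (torrent name, piece index); a stand-in for a hashdb store."""
    db = {}
    for name, files in torrents.items():
        for idx, h in enumerate(piece_hashes(files, piece_len)):
            db.setdefault(h, (name, idx))
    return db


def scan_image(image, db, piece_len, step=SECTOR):
    """Hash a piece-sized window starting at every sector boundary and look it up.
    Returns (offset, torrent name, piece index) for every known piece found."""
    hits = []
    for off in range(0, len(image) - piece_len + 1, step):
        h = hashlib.sha1(image[off:off + piece_len]).digest()
        if h in db:
            hits.append((off,) + db[h])
    return hits


def demo(piece_len=4096):
    rnd = random.Random(1234)

    def blob(n):  # deterministic pseudo-random bytes standing in for file content
        return bytes(rnd.getrandbits(8) for _ in range(n))

    # Two constructed "torrents": one single-file, one multi-file with a short last piece.
    torrents = {
        "distro.iso": [blob(3 * piece_len)],
        "photos.zip": [blob(piece_len), blob(2 * piece_len + 100)],
    }
    db = build_hashdb(torrents, piece_len)
    distro = b"".join(torrents["distro.iso"])
    photos = b"".join(torrents["photos.zip"])

    # Constructed disk image: filler, distro.iso, filler, photos.zip, filler; every file
    # starts on a sector boundary, as a file system would place it.
    image = bytearray(blob(2 * piece_len) + distro + blob(piece_len) + photos + blob(piece_len))
    photos_off = 2 * piece_len + len(distro) + piece_len
    # photos.zip was deleted and its tail reused: the last two pieces are gone.
    lost = len(photos) - 2 * piece_len
    image[photos_off + 2 * piece_len:photos_off + len(photos)] = b"\x00" * lost

    hits = scan_image(bytes(image), db, piece_len)
    recovered = {}
    for _off, name, _idx in hits:
        recovered[name] = recovered.get(name, 0) + 1
    return {
        "hits": hits,
        "recovered_pieces": recovered,
        "total_pieces": {n: len(piece_hashes(f, piece_len)) for n, f in torrents.items()},
        "whole_file_still_present": bytes(image).find(photos) != -1,
    }


if __name__ == "__main__":
    r = demo()
    print("recovered pieces:", r["recovered_pieces"], "of", r["total_pieces"])
    print("photos.zip intact as a whole file:", r["whole_file_still_present"])
```

Hashing a full piece at every sector boundary is the expensive part; the real toolchain hashes fixed 4 KiB sector blocks instead and looks those up, which is what keeps the scan fast enough for terabyte images. Either way, the result is a set of offsets that can be classified as “known, not of interest” before any analyst looks at them.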
peekaTorrent
Collected data, 1/2:
• in total: 2.65 million torrent files
• crawling Piratebay & KAT
• multiple data dumps
• 3.3 billion unique chunk hashes
• up to 2.6 PB of data
peekaTorrent
Collected data, 2/2:
• in total: 4.68 million torrent files
• using 2 months of DHT crawling
• really efficient
• 4.5 billion unique chunk hashes
• up to 6.5 PB of data
Sharing is Caring
Thx for the attention!
Questions?
References
[1] Simson L. Garfinkel and Michael McCarrin. Hash-based carving: Searching media for complete files and file fragments with sector hashing and hashdb. Digital Investigation, 14:S95–S105, 2015.
[2] Jonathan Grier and Golden G. Richard. Rapid forensic imaging of large disks with sifting collectors. Digital Investigation, 14:S34–S44, 2015.
[3] M. Guido, J. Buttner, and J. Grover. Rapid differential forensic imaging of mobile devices. Digital Investigation, 18:S46–S54, 2016.
[4] Sebastian Neuner, Martin Schmiedecker, and Edgar Weippl. PeekaTorrent: Leveraging P2P hash values for digital forensics. Digital Investigation, 18(7):149–156, 2016.