My First Incident Response Team - SMTPS · 2012. 12. 7.

My First Incident Response Team: DFIR for Beginners (Thursday, December 6, 2012)

Page 1

My First Incident Response Team

DFIR for Beginners

Thursday, December 6, 2012

Page 2

About Me

• Recently set up IR functions at a mid-sized business

• Not an expert by any stretch

• Goal for talk:

  • Make it easier for you to start IR

Page 3

What is DFIR?

http://www.playmofriends.com/forum/index.php?topic=10703.0

Page 4

DF to the IR

• IR is one application of DF methods

• Strange paradox: heavy human influence, yet

  • utterly depends on keeping emotions in check

• There’s always an adversary

• Efficiency is an absolute requirement

Page 5: My First Incident Response Team - SMTPS · 2012. 12. 7. · My First Incident Response Team DFIR for Beginners Thursday, December 6, 2012 1

Where Do I Start?1. Consult stakeholders

1.1. Legal, HR, data owners, IT, Ops, PR

1.2. What strategy fits? Containment, etc

2. Write a plan

2.1. What’s escalation path?

2.2. When to escalate?

2.3. Contact outside IR firms

3. Acquire tools

4. Practice

4.1. VMs

4.2. Mundane infections

4.3. Table-top

5. Debrief, repeat

5Thursday, December 6, 2012

Page 6

http://askswadders.blogspot.com/2012/06/hairy-tory.html

*YAWN*

Page 7

• Not fun, but critical to success

• Do the right things for the right reasons

• Practice often and iterate

• Identify gaps and plan for contingencies before an emergency

• Making it up as you go along, not great

  • especially when C-levels are watching

Borrrrrring

Page 8

Don’t Be That Dog

http://memegenerator.net/I-Have-No-Idea-What-IM-Doing-Dog-With-Tie/

Page 9

Lessons From chort #1

• Find out what HR and legal care about, don’t waste effort

• Train IT on collection procedure, you’ll need them later

• Stick to the plan!

• That CISSP chain-of-custody crap actually matters

• Wikis are great

• Read, read, read

Page 10

Page 11

Don’t worry, I have links at the end

Page 12

Tools - Hardware

• Hardware matters, a LOT

• Do your corporate systems have eSATA, or USB3?

• Go SSD. You owe me a drink for this

• Analysis system, isolated, snapshots, AV

• Storage for images and analysis sessions

Page 13

Page 14

Tools - Software

• What operating systems will you need to acquire from?

• Types of data to acquire: memory, volatile, disk/filesystem

• Remote acquisition?

• Start with free tools, buy when a need is identified

• Windows/system account for acquisition

Page 15

Tools - Online

• https://urlquery.net/

• https://www.virustotal.com/

• https://vicheck.ca/

• http://malwr.com/

• https://www.pdfxray.com/

• http://jsunpack.jeek.org/

Page 16

Lessons From chort #2

• Be careful what you leak!

  • IPs, Referers, info in documents

  • Tor, filtering proxies, private options

• Consider in-house sandboxes
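Added example (not from the slides) of the "be careful what you leak" point: before a sample goes to any of the online services on the previous slide, hash it locally so it can be looked up by hash alone, and enumerate the internal details (RFC 1918 addresses, e-mail addresses, internal hostnames, Referer values) the raw file would hand to a third party if uploaded whole. The internal domain list and the sample bytes are constructed for this example.

```python
"""Pre-submission check for a sample headed to an online analysis service.

Added example, not from the slides: before uploading a file to a public
sandbox or scanner, compute its hashes so it can be looked up by hash alone,
and list the internal details (private IPs, e-mail addresses, internal
hostnames, Referer values) that the file would reveal if uploaded whole.
What counts as an internal domain is an assumption for this example.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# Assumption for this example: domains considered internal to the organisation.
INTERNAL_DOMAINS = ("corp.example",)

_IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
_EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_HOST_RE = re.compile(rb"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
_REFERER_RE = re.compile(rb"Referer:\s*(\S+)", re.IGNORECASE)


@dataclass
class LeakReport:
    sha256: str
    md5: str
    private_ips: list = field(default_factory=list)
    emails: list = field(default_factory=list)
    internal_hosts: list = field(default_factory=list)
    referers: list = field(default_factory=list)

    @property
    def leaks_anything(self) -> bool:
        """True when uploading the raw file would expose something internal."""
        return any((self.private_ips, self.emails, self.internal_hosts, self.referers))


def _is_private_ip(raw: bytes) -> bool:
    try:
        return ipaddress.ip_address(raw.decode("ascii")).is_private
    except ValueError:          # e.g. 999.1.2.3 matched the regex but is not an address
        return False


def _is_internal_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def check_sample(data: bytes) -> LeakReport:
    """Hash the sample and enumerate what it would disclose to a third party."""
    report = LeakReport(
        sha256=hashlib.sha256(data).hexdigest(),
        md5=hashlib.md5(data).hexdigest(),
    )
    report.private_ips = sorted({m.decode() for m in _IPV4_RE.findall(data) if _is_private_ip(m)})
    report.emails = sorted({m.decode() for m in _EMAIL_RE.findall(data)})
    report.internal_hosts = sorted(
        {m.decode() for m in _HOST_RE.findall(data) if _is_internal_host(m.decode())}
    )
    report.referers = sorted({m.decode() for m in _REFERER_RE.findall(data)})
    return report


# Constructed sample: a suspicious attachment that also carries a captured proxy request.
SAMPLE = (
    b"%PDF-1.4\n"
    b"/Author (jdoe@corp.example)\n"
    b"GET /update.php HTTP/1.1\r\n"
    b"Host: cdn.example\r\n"
    b"Referer: http://intranet.corp.example/finance/q4.html\r\n"
    b"X-Forwarded-For: 10.20.30.40\r\n"
    b"Via: 1.1 proxy01.corp.example (172.16.5.9)\r\n"
)

if __name__ == "__main__":
    r = check_sample(SAMPLE)
    print(f"sha256 {r.sha256}  (look this up first; nothing leaves the network)")
    for label in ("private_ips", "emails", "internal_hosts", "referers"):
        print(f"{label:15} {getattr(r, label)}")
    print("upload would leak internal details" if r.leaks_anything else "nothing internal found")
```

The hash lookup costs nothing in terms of disclosure; the upload is the step that needs a decision, and this check is what that decision should be based on. Remember that the regexes only catch obvious strings, so anything flagged here is a floor, not a ceiling, on what the file reveals.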

Page 17

Example Toolset

• SSD in external enclosure (eSATA + USB3)

• Sysinternals

• Memoryze

• FTK Imager

• Redline

• Volatility

• Spreadsheet (OOo, Numbers, Excel)

Page 18

DOs and DON’Ts

• Don’t unplug

• Do consider monitoring network first

• Don’t use domain account

• Do have replacement machine for user

• Do have a plan (timestamps, file types, etc.)

• Do keep good records

• Don’t spend more time than necessary
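Added example (not from the slides) of the record-keeping that "Lessons From chort #1" (chain of custody, training IT on the collection procedure) and the DOs and DON’Ts above (keep good records, plan your timestamps) ask for: hash the acquired image at collection time, record who took it and when in UTC, log every hand-off, and re-verify the hash before analysis begins. The field names, the JSON layout, the case id and the stand-in image file are all constructed for this example and are not any tool's format.

```python
"""Acquisition record with a chain-of-custody log.

Added example, not from the slides: hash the acquired image at collection
time, record who took it and when (UTC), log every hand-off, and re-verify
the hash before analysis. Field names and JSON layout are this example's own.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _utc_now() -> str:
    # Record UTC only; mixing local zones across collectors wrecks later correlation.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def start_record(image: Path, case_id: str, collector: str, source: str, method: str) -> dict:
    """Create the record at acquisition time; the hash is what later verification trusts."""
    return {
        "case_id": case_id,
        "image": image.name,
        "source": source,            # hostname or asset tag of the system imaged
        "method": method,            # tool and version used for acquisition
        "sha256": sha256_file(image),
        "size_bytes": image.stat().st_size,
        "acquired_at": _utc_now(),
        "acquired_by": collector,
        "custody": [{"at": _utc_now(), "from": None, "to": collector, "note": "acquisition"}],
    }


def transfer(record: dict, to: str, note: str) -> dict:
    """Append a hand-off; the releasing party is whoever received the evidence last."""
    previous = record["custody"][-1]["to"]
    record["custody"].append({"at": _utc_now(), "from": previous, "to": to, "note": note})
    return record


def verify(record: dict, image: Path) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return sha256_file(image) == record["sha256"]


def save(record: dict, path: Path) -> None:
    path.write_text(json.dumps(record, indent=2))


def load(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """End-to-end run on a constructed stand-in for a disk image; returns the checks made."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "WKS-042_disk.raw"          # constructed, not a real image
        image.write_bytes(b"\x00" * 4096 + b"constructed disk image contents")
        record = start_record(image, "IR-2012-007", "it.tech", "WKS-042",
                              "imaging tool v1 (constructed)")
        transfer(record, "ir.analyst", "sealed drive #3 handed to IR")
        record_path = Path(tmp) / "WKS-042_disk.json"
        save(record, record_path)
        reloaded = load(record_path)
        intact = verify(reloaded, image)
        image.write_bytes(b"tampered")                  # simulate a modified image
        return {
            "intact": intact,
            "after_tamper": verify(reloaded, image),
            "custody_len": len(reloaded["custody"]),
            "last_holder": reloaded["custody"][-1]["to"],
            "first_release": reloaded["custody"][0]["from"],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record is deliberately dull: a JSON file beside the image that IT can fill in from a one-page procedure. What makes it worth the effort is the `verify` step, which turns "we think this is the drive we imaged" into a reproducible check that HR or legal can rely on later.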

Page 19

Finding Helpful Clues

• IDS alerts by src/dst IP, MAC address

• Dr Watson reports

• ntop, netflow, DNS query logs, span port

• Logs for VPN, Citrix, webmail, etc

• Build filesystem timeline

• Shim Cache, autoruns
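Added example (not from the slides) for the "build filesystem timeline" bullet, in the spirit of mactime from The Sleuth Kit listed later in the deck: walk a tree, collect the modified/accessed/changed timestamps of every file and directory, collapse timestamps that coincide into one mactime-style row (for example "ma.." means mtime and atime fall in the same second), and cut the result down to the incident window. Birth time is left out because Python's os.stat does not expose it portably, so the fourth flag is always ".". The directory tree and its timestamps are constructed inside the example.

```python
"""Filesystem timeline in the mactime spirit (The Sleuth Kit), as an added example.

Not from the slides: records M/A/C timestamps for every entry under a root,
merges coinciding timestamps into one mactime-style row, and filters to the
incident window. Birth time is omitted (not portable via os.stat).
"""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path


@dataclass(frozen=True)
class TimelineEvent:
    when: int      # epoch seconds
    macb: str      # e.g. "m...", ".a..", "ma.."; fourth position (birth) always "."
    size: int
    path: str      # path relative to the root that was walked


def build_timeline(root: Path) -> list:
    """Return all M/A/C events under root, oldest first."""
    rows = {}  # (epoch, relative path) -> (set of flags, size)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            try:
                st = p.lstat()   # lstat: never follow symlinks found on a suspect system
            except OSError:
                continue         # unreadable entries are skipped, not fatal
            rel = p.relative_to(root).as_posix()
            for flag, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                flags, _ = rows.setdefault((int(ts), rel), (set(), st.st_size))
                flags.add(flag)
    events = [
        TimelineEvent(ts, "".join(f if f in flags else "." for f in "mac") + ".", size, rel)
        for (ts, rel), (flags, size) in rows.items()
    ]
    return sorted(events, key=lambda e: (e.when, e.path))


def in_window(events, start: int, end: int) -> list:
    """Keep only events inside [start, end]; IR rarely needs the whole disk history."""
    return [e for e in events if start <= e.when <= end]


def format_event(e: TimelineEvent) -> str:
    stamp = datetime.fromtimestamp(e.when, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} {e.macb} {e.size:>8} {e.path}"


def demo() -> list:
    """Constructed tree with known timestamps; returns the events in the 'incident window'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        a = root / "a.txt"
        b = root / "docs" / "b.log"
        a.write_bytes(b"hello")
        b.write_bytes(b"0123456789")
        os.utime(a, (1000, 2000))   # accessed at 1000, modified at 2000 (constructed)
        os.utime(b, (3000, 3000))   # accessed and modified in the same second
        # ctime cannot be set from user space, so those events land at "now" and fall
        # outside the constructed window below.
        return in_window(build_timeline(root), 0, 5000)


if __name__ == "__main__":
    for event in demo():
        print(format_event(event))
```

Run it against a mounted image rather than the live disk, and run it from the analysis box, not the suspect machine: walking the tree updates access times on a live system, which is exactly the evidence you are trying to read. The ctime column is the one an intruder cannot set with a utility like touch, which is why the example keeps it even though it cannot be controlled in the demo.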

Page 20

Cuckoo Sandbox

Page 21

Page 22

Page 23

Page 24

Page 25

APT? I don’t believe they, oh shi...

http://www.funnyjunk.com/funny_pictures/3146743/Ninja+turtles+master/33#33

Page 26

Volatility

Page 27

Malfind

Page 28

shimcache

Page 29

iehistory

Page 30

Hopper Disassembler

Page 31

WAT?

Page 32

Page 33

Mega lulz!

http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html

Page 34

http://memegenerator.net/Fuck-You-IM-An-Anteater

Page 35

Page 36

Page 37

http://www.quickmeme.com/meme/3otxsn/

N

BLERGS

Page 38

Richard Bejtlich: http://taosecurity.blogspot.com/ (bestbook, impressions, reviews)

Malware Analyst’s Cookbook and DVD: http://www.malwarecookbook.com/

Practical Malware Analysis: http://practicalmalwareanalysis.com/

APTish Attack via Metasploit: http://www.sysforensics.org/

AlienVault Labs: http://labs.alienvault.com/labs/

FireEye Malware Intelligence Lab: http://blog.fireeye.com/research/

SEMPERSECURUS: http://sempersecurus.blogspot.com/

DeepEnd Research: http://www.deependresearch.org/

contagio malware dump: http://contagiodump.blogspot.com/

Journey Into Incident Response: http://journeyintoir.blogspot.com/

Windows Incident Response: http://windowsir.blogspot.com/

Linux Sleuthing: http://linuxsleuthing.blogspot.com/

M-UNITION: https://blog.mandiant.com/

Sniper Forensics: http://blog.spiderlabs.com/ (search “sniper forensics”)

Page 39

http://www.webdesignhot.com/free-vector-graphics/electric-tools-vector-set/

Page 40

Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Memoryze: http://www.mandiant.com/resources/download/memoryze

FTK Imager: http://www.accessdata.com/support/product-downloads

Redline: http://www.mandiant.com/resources/download/redline

Immunity Debugger: http://debugger.immunityinc.com/

Hopper Disassembler: http://www.hopperapp.com/

Volatility: https://www.volatilesystems.com/default/volatility

Cuckoo Sandbox: http://www.cuckoosandbox.org/

The Sleuth Kit: http://www.sleuthkit.org/

Yara: http://code.google.com/p/yara-project/

Thug (honeyclient): http://buffer.github.com/thug/

Page 41

http://www.flickr.com/photos/dmckechnie/3410959594/sizes/l/in/photostream/

Page 42

Forensics Wiki: http://www.forensicswiki.org/

OpenIOC (Editor & Finder): http://www.openioc.org/

VERIS (Community & Framework): http://www.veriscommunity.net/doku.php

Mandiant Forums: https://forums.mandiant.com/

Twitter: accounts or lists with ‘4n6’

#DFIR hashtag

Page 43

Thanks!

Page 44

Brian Keefer

http://rants.effu.se

https://twitter.com/chort0

https://alpha.app.net/chort

http://www.SMTPS.net

chort0 on Freenode

http://www.SMTPS.net/pub/presentations/Baythreat2012_DFIR.pdf