My First Incident Response Team
DFIR for Beginners
Thursday, December 6, 2012
About Me
• Recently set up IR functions at a mid-sized business
• Not an expert by any stretch
• Goal for talk:
• Make it easier for you to start IR
What is DFIR?
http://www.playmofriends.com/forum/index.php?topic=10703.0
DF to the IR
• IR is one application of DF methods
• Strange paradox: heavy human influence, yet
• it utterly depends on keeping emotions in check
• There’s always an adversary
• Efficiency is an absolute requirement
Where Do I Start?
1. Consult stakeholders
1.1. Legal, HR, data owners, IT, Ops, PR
1.2. What strategy fits? Containment, etc
2. Write a plan
2.1. What’s escalation path?
2.2. When to escalate?
2.3. Contact outside IR firms
3. Acquire tools
4. Practice
4.1. VMs
4.2. Mundane infections
4.3. Table-top
5. Debrief, repeat
http://askswadders.blogspot.com/2012/06/hairy-tory.html
*YAWN*
• Not fun, but critical to success
• Do the right things for the right reasons
• Practice often and iterate
• Identify gaps and plan for contingencies before an emergency
• Making it up as you go along, not great
• especially when C-levels are watching
Borrrrrring
Don’t Be That Dog
http://memegenerator.net/I-Have-No-Idea-What-IM-Doing-Dog-With-Tie/
Lessons From chort #1
• Find out what HR and legal care about, don’t waste effort
• Train IT on collection procedure, you’ll need them later
• Stick to the plan!
• That CISSP chain-of-custody crap actually matters
• Wikis are great
• Read, read, read
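A worked example of the chain-of-custody and "train IT on collection" points above, added here as an illustration and not code from the talk: hash the acquired image at intake, record who collected it and every hand-off, and re-hash before analysis so any change to the copy is caught. The host name, people and "sealed bag" note are made-up placeholders, and the 12-byte file stands in for a disk image.

```python
"""Evidence intake with hashes and an append-only custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def hash_file(path, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB image is never read whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def new_record(path, collector, source, method):
    """Intake entry: what was acquired, from where, by whom, how, and its hashes."""
    return {
        "evidence_id": os.path.basename(path),
        "size": os.path.getsize(path),
        "source": source,
        "method": method,
        "hashes": hash_file(path),
        "custody": [{"action": "acquired", "by": collector, "utc": _now()}],
    }


def hand_over(record, from_person, to_person, note=""):
    """Append a transfer; the log only grows, history is never rewritten."""
    record["custody"].append(
        {"action": "transfer", "from": from_person, "to": to_person,
         "note": note, "utc": _now()})
    return record


def verify(record, path):
    """Re-hash and compare with intake. A mismatch means this copy is not what
    was collected (tampered, truncated, or simply the wrong file)."""
    return hash_file(path) == record["hashes"]


def demo():
    """Constructed walk-through with a tiny stand-in for a disk image."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "WS-BOB-01_disk.dd")  # hypothetical host name
    with open(image, "wb") as fh:
        fh.write(b"hello world\n")  # stand-in bytes, not a real image
    rec = new_record(image, collector="it-desk",
                     source="WS-BOB-01 (user bob)",          # hypothetical
                     method="FTK Imager, write-blocked, raw dd")
    hand_over(rec, "it-desk", "ir-analyst", note="sealed bag #1")  # hypothetical
    ok_before = verify(rec, image)
    with open(image, "ab") as fh:  # simulate an accidental modification
        fh.write(b"x")
    ok_after = verify(rec, image)
    with open(image + ".custody.json", "w") as fh:
        json.dump(rec, fh, indent=2)
    return rec, ok_before, ok_after


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("verifies before tamper:", before, "after tamper:", after)
```

Two hashes are kept because older tools and reports still quote MD5, while SHA-256 is what you want a mismatch to rest on. Keep the JSON next to the image and let the IT collector fill in the first entry; the analyst never touches the original, only a verified working copy.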
Don’t worry, I have links at the end
Tools - Hardware
• Hardware matters, a LOT
• Do your corporate systems have eSATA, or USB3?
• Go SSD. You owe me a drink for this
• Analysis system, isolated, snapshots, AV
• Storage for images and analysis sessions
Tools - Software
• What operating systems will you need to acquire from?
• Types of data to acquire: Memory, volatile, disk/filesystem
• Remote acquisition?
• Start with free tools, buy when a need is identified
• Windows/system account for acquisition
Tools - Online
• https://urlquery.net/
• https://www.virustotal.com/
• https://vicheck.ca/
• http://malwr.com/
• https://www.pdfxray.com/
• http://jsunpack.jeek.org/
Lessons From chort #2
• Be careful what you leak!
• IPs, Referers, info in documents
• Tor, filtering proxies, private options
• Consider in-house sandboxes
Example Toolset
• SSD in external enclosure (eSATA + USB3)
• Sysinternals
• Memoryze
• FTK Imager
• Redline
• Volatility
• Spreadsheet (OOo, Numbers, Excel)
DOs and DON’Ts
• Don’t unplug
• Do consider monitoring network first
• Don’t use domain account
• Do have replacement machine for user
• Do have a plan (timestamps, file types, etc)
• Do keep good records
• Don’t spend more time than necessary
Finding Helpful Clues
• IDS alerts by src/dst IP, MAC address
• Dr Watson reports
• ntop, netflow, DNS query logs, span port
• Logs for VPN, Citrix, webmail, etc
• Build filesystem timeline
• Shim Cache, autoruns
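An added example (not from the talk) of the "build filesystem timeline" clue above: the Sleuth Kit's fls -m and similar tools emit a pipe-delimited bodyfile, and this script turns it into a mactime-style timeline and then slices it around a pivot time, the way you would around the timestamp of an IDS alert. The four bodyfile lines and the alert time are constructed sample data, not from a real image.

```python
"""Filesystem timeline from a Sleuth Kit bodyfile (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Sleuth Kit 3.x bodyfile field order (what `fls -m` emits):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = 11

# Constructed sample, not a real image: a phishing payload dropped to Temp,
# a second binary written shortly after, and the payload's prefetch entry.
SAMPLE_BODYFILE = """\
0|/Windows/System32/svchost.exe|1234|r/rrwxrwxrwx|0|0|27136|1354400000|1247535000|1247535000|1247535000
0|/Users/bob/AppData/Local/Temp/invoice.pdf.exe|5678|r/rrwxrwxrwx|0|0|73216|1354809620|1354809600|1354809600|1354809600
0|/Users/bob/AppData/Roaming/updater.exe|5679|r/rrwxrwxrwx|0|0|73216|1354809700|1354809650|1354809650|1354809650
0|/Windows/Prefetch/INVOICE.PDF.EXE-1A2B3C4D.pf|9001|r/rrwxrwxrwx|0|0|12000|1354809620|1354809625|1354809625|1354809620
"""


def parse_bodyfile(text):
    """One event per distinct timestamp per file, with a mactime-style 'macb'
    flag string (a dot for each timestamp that does not match)."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != FIELDS:
            continue  # malformed line: skip rather than guess at fields
        name, inode, size = parts[1], parts[2], int(parts[6])
        stamps = defaultdict(list)
        # m=mtime(8) a=atime(7) c=ctime(9) b=crtime(10)
        for flag, value in zip("macb", (parts[8], parts[7], parts[9], parts[10])):
            ts = int(value)
            if ts > 0:  # 0 means "no timestamp" in bodyfile output
                stamps[ts].append(flag)
        for ts, flags in stamps.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append((ts, macb, size, inode, name))
    events.sort(key=lambda e: (e[0], e[4]))
    return events


def around(events, pivot_ts, window):
    """Timeline slice within +/- window seconds of a pivot (e.g. the IDS alert
    time); that is where the interesting writes usually cluster."""
    return [e for e in events if abs(e[0] - pivot_ts) <= window]


def fmt(event):
    ts, macb, size, inode, name = event
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} {size:>8} {macb} {inode:>6} {name}"


if __name__ == "__main__":
    tl = parse_bodyfile(SAMPLE_BODYFILE)
    # Constructed: IDS alert for bob's workstation fired at 16:00:30 UTC
    for e in around(tl, 1354809630, 120):
        print(fmt(e))
```

All times are treated as UTC; convert the IDS, DNS and VPN log timestamps to the same zone before pivoting, or the two-minute window will miss by exactly your offset. Note that svchost.exe, with timestamps years older, drops out of the window even though it sits in the same bodyfile.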
Cuckoo Sandbox
APT? I don’t believe they, oh shi...
http://www.funnyjunk.com/funny_pictures/3146743/Ninja+turtles+master/33#33
Volatility
Malfind
shimcache
iehistory
Hopper Disassembler
WAT?
Mega lulz!
http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html
http://memegenerator.net/Fuck-You-IM-An-Anteater
http://www.quickmeme.com/meme/3otxsn/
N
BLERGS
Richard Bejtlich: http://taosecurity.blogspot.com/ (bestbook, impressions, reviews)
Malware Analyst’s Cookbook and DVD: http://www.malwarecookbook.com/
Practical Malware Analysis: http://practicalmalwareanalysis.com/
APTish Attack via Metasploit: http://www.sysforensics.org/
AlienVault Labs: http://labs.alienvault.com/labs/
FireEye Malware Intelligence Lab: http://blog.fireeye.com/research/
SEMPERSECURUS: http://sempersecurus.blogspot.com/
DeepEnd Research: http://www.deependresearch.org/
contagio malware dump: http://contagiodump.blogspot.com/
Journey Into Incident Response: http://journeyintoir.blogspot.com/
Windows Incident Response: http://windowsir.blogspot.com/
Linux Sleuthing: http://linuxsleuthing.blogspot.com/
M-UNITION: https://blog.mandiant.com/
Sniper Forensics: http://blog.spiderlabs.com/ (search “sniper forensics”)
http://www.webdesignhot.com/free-vector-graphics/electric-tools-vector-set/
Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
Memoryze: http://www.mandiant.com/resources/download/memoryze
FTK Imager: http://www.accessdata.com/support/product-downloads
Redline: http://www.mandiant.com/resources/download/redline
Immunity Debugger: http://debugger.immunityinc.com/
Hopper Disassembler: http://www.hopperapp.com/
Volatility: https://www.volatilesystems.com/default/volatility
Cuckoo Sandbox: http://www.cuckoosandbox.org/
The Sleuth Kit: http://www.sleuthkit.org/
Yara: http://code.google.com/p/yara-project/
Thug (honeyclient): http://buffer.github.com/thug/
http://www.flickr.com/photos/dmckechnie/3410959594/sizes/l/in/photostream/
Forensics Wiki: http://www.forensicswiki.org/
OpenIOC (Editor & Finder): http://www.openioc.org/
VERIS (Community & Framework): http://www.veriscommunity.net/doku.php
Mandiant Forums: https://forums.mandiant.com/
Twitter: accounts or lists with ‘4n6’
#DFIR hashtag
Thanks!
Brian Keefer
http://rants.effu.se
https://twitter.com/chort0
https://alpha.app.net/chort
http://www.SMTPS.net
chort0 on Freenode
http://www.SMTPS.net/pub/presentations/Baythreat2012_DFIR.pdf