
• Number of slides: 15

Expanding Response: Deeper Analysis for Incident Handlers
Russ McRee
November 2011
GIAC GCIH Gold, GCFA, GCIA, GPEN, GWAPT, GSEC Gold
SANS Technology Institute - Candidate for Master of Science Degree

Objective
• Expand incident response tactics beyond common horizons
• Sample Overview – SpyEye
• Demonstrate tools for expanded toolkit
  – Volatility 2.0
  – Xplico
  – Maltego
  – Confessor
• Summary

Broaden IR perspective
• Opportunities to enhance IR tactics via:
  – Memory analysis (Volatility)
  – Network Forensic Analysis Tooling (Xplico)
  – Derive disparate entity relationships (Maltego)
  – Analysis of systems at scale with uniform results (Confessor, MOLE)
• Review sample’s attributes with all tools

Sample Overview
• Trojan.SpyEye
  – MD5: 00b77d6087f00620508303acd3fd846a
• Modifies registry
  – [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  – cleansweep.exe = "C:\cleansweep.exe"
• Creates directory C:\cleansweep.exe
  – Populates with .exe and config file

Volatility 2.0
• For the extraction of digital artifacts from a volatile memory image
• “A Python version of the Windows Internals book, since you can really learn a lot about Windows by just looking at how Volatility enumerates evidence.” - Michael Hale Ligh

Volatility 2.0
• Gather image info:
  – vol.py imageinfo -f HIOMALVM02.raw
• Network connections:
  – vol.py --profile=WinXPSP3x86 connscan -f HIOMALVM02.raw
• Active processes:
  – vol.py --profile=WinXPSP3x86 pslist -P -f HIOMALVM02.raw

Volatility 2.0
• Process tree:
  – vol.py --profile=WinXPSP3x86 pstree -f HIOMALVM02.raw
• Discover malware attributes:
  – vol.py --profile=WinXPSP3x86 -f HIOMALVM02.raw malfind -p 1512 -D output/
• Demonstration

Xplico
• Xplico decodes packet captures (PCAP), extracting the likes of:
  – email content (POP, IMAP, and SMTP protocols)
  – HTTP content
  – VoIP calls (SIP)
  – IM chats
  – FTP
  – TFTP

Xplico
• Demo: SpyEye PCAP analysis

Maltego
• Maltego: open source intelligence & forensics application offering extraordinary data mining and intelligence gathering capabilities
• Results are well represented in a variety of easy to understand views
• In concert with its graphing libraries, Maltego identifies key relationships between data sets and identifies previously unknown relationships between them

Maltego
• PCAPs can be converted to CSV then directly imported by Maltego
• tcpdump -vttttnnelr SpyEye.pcap | /usr/local/bin/tcpdump2csv.pl "sip dport" > SpyEye.csv
  produces a CSV that Maltego can consume easily
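The conversion the slide hands to tcpdump2csv.pl, as an added Python example (not Paterva's script and not from the deck): it reads the verbose tcpdump text, joins each packet's IP-header line with its indented transport line, and emits the same space-separated field selection ("sip dport"). SAMPLE is constructed traffic in tcpdump's -v layout, not the SpyEye capture.

```python
"""Convert verbose tcpdump text (tcpdump -vttttnnelr SpyEye.pcap) to a CSV of chosen
fields, the job the slide gives to tcpdump2csv.pl. Added example; SAMPLE is constructed
in tcpdump's -v layout: the IP header on one line, the TCP/UDP part indented below it."""
import csv
import io
import re

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) ")  # -tttt timestamp
PROTO_RE = re.compile(r"proto:? (\w+) \((\d+)\)")                  # from the -v IP header
ENDPOINTS_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")
FIELDS = ("ts", "proto", "sip", "sport", "dip", "dport")

SAMPLE = """\
2011-11-01 12:00:00.000001 00:0c:29:aa:bb:cc > 00:50:56:dd:ee:ff, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.10.49152 > 203.0.113.7.80: Flags [S], seq 1, win 65535, length 0
2011-11-01 12:00:01.000002 00:0c:29:aa:bb:cc > 00:50:56:dd:ee:ff, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 128, id 2, offset 0, flags [none], proto UDP (17), length 64)
    192.168.1.10.53211 > 192.168.1.1.53: 1+ A? example.test. (36)
"""

def packets(lines):
    """Yield one joined record per packet: a timestamped line plus its indented continuations."""
    record = []
    for line in lines:
        if TS_RE.match(line):
            if record:
                yield " ".join(record)
            record = [line.strip()]
        elif record and line[:1].isspace():
            record.append(line.strip())
    if record:
        yield " ".join(record)

def parse_packet(text):
    """Extract FIELDS from one record; None for anything that is not IPv4 with ports (e.g. ICMP)."""
    ts, proto, ends = TS_RE.match(text), PROTO_RE.search(text), ENDPOINTS_RE.search(text)
    if not (ts and proto and ends):
        return None
    return dict(ts=ts.group(1), proto=proto.group(1), sip=ends.group(1),
                sport=ends.group(2), dip=ends.group(3), dport=ends.group(4))

def tcpdump_to_csv(lines, fields="sip dport"):
    """Return CSV text of the space-separated fields, e.g. the slide's "sip dport"."""
    cols = fields.split()
    if set(cols) - set(FIELDS):
        raise ValueError("unknown field(s): " + " ".join(sorted(set(cols) - set(FIELDS))))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(cols)
    for row in filter(None, map(parse_packet, packets(lines))):
        writer.writerow([row[c] for c in cols])
    return out.getvalue()
```

Feed it `sys.stdin` in place of `SAMPLE.splitlines()` to sit in the same pipeline position as the Perl script; packets without ports (ICMP, ARP) are skipped rather than mis-parsed.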

Maltego
• Demo: IP address relationships

Confessor
• Confessor collects from hundreds or thousands of systems simultaneously via Sysinternals:
  – System logs
  – Volatile data
  – User and account information
  – MAC times
• Can run SecCheck on 32-bit systems
• Search for reg keys and existence of specific files

Confessor
• Confessor configuration optimized for specific registry keys and file checks
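The kind of registry-key and file check such a configuration scripts across hosts, written for the persistence indicators on the Sample Overview slide; added Python example, not Confessor's own code. REG_EXPORT is a constructed `reg export` text, and `path_exists` is an assumed hook so the same logic runs against a live host (os.path.isdir) or a collected file list.

```python
r"""Check a `reg export` text and a path-existence hook for the SpyEye persistence
indicators on the Sample Overview slide: a Run value named cleansweep.exe pointing at
C:\cleansweep.exe and a directory of that name. Added example, not Confessor's code;
REG_EXPORT is constructed and path_exists is an assumed hook (os.path.isdir on a live host)."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE = "cleansweep.exe"
IOC_PATH = r"C:\cleansweep.exe"

# Constructed export: one benign Run entry and the SpyEye one; .reg escapes \ and " with \.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"cleansweep.exe"="C:\\cleansweep.exe"
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="REG_SZ data"

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REG_SZ values; other value types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def find_spyeye_persistence(reg_text, path_exists):
    """Return human-readable findings for the Run-key and directory indicators."""
    findings = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if name.lower() == IOC_VALUE or IOC_PATH.lower() in data.lower():
            findings.append("Run value %s -> %s" % (name, data))
    if path_exists(IOC_PATH):
        findings.append("directory %s exists" % IOC_PATH)
    return findings
```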

Summary
• Tools offered to enhance the incident handler toolkit and address challenges
• Takeaways:
  – Tool to scale
  – Seek unique opportunities to correlate
  – Build what you can’t buy or borrow
• Q&A: russ at holisticinfosec dot org