Cyber Forensics: Collecting evidence for today’s data breaches - Eric Vanderburg - ISACA

Many forensic techniques focus on obtaining data from local machines, servers or data storage equipment, but evidence for modern attacks often resides in many places, and the techniques for obtaining this data go beyond those used in the typical forensic investigation. In this presentation, you will learn about:

· Detecting intrusions
· Network evidence
· Attack pattern analysis
· Statistical flow analysis
· Traffic analysis

Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "Cyber Forensics: Collecting evidence for today’s data breaches" for ISACA at Progressive Field.


  1. Cyber Forensics: Collecting evidence for today’s data breaches
     ISACA, March 20, 2013
     Eric A. Vanderburg, MBA, CISSP
     Director, Cyber Security, Information Systems and Computer Forensic and Investigation Services
  2. Who Are We?
     JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).
       – Computer Forensics
       – Cyber Security
       – Electronic Discovery
       – Document and Case Management
     © 2013 Property of JurInnov Ltd. All Rights Reserved
  3. JurInnov Ltd.
     • Microsoft Certified Partner 2003 – 2012
     • Ringtail Legal Volume Matters Award 2009, most data hosted
     • Ringtail Legal 2010 Partner Consultants of the Year
     • Industry Partners:
       • Ringtail – 10 Year Partner
       • Viewpoint
       • Venio
       • OrcaTec
     • Honored by Inc. 5000 as One of the Fastest-Growing Private Companies, 2010
  4. Blogs & Podcasts
     • 50,000 Medicaid providers’ data breached
     • Data breach threats of 2013
     • Ignorance of the breach is no excuse
     • Over processing of ESI and the Microsoft letter
     • Predictive coding gets a glossary
     • LegalTech 2013
  5. Overview
     • Computer Forensics
     • Cyber Forensics
       – Detecting intrusions
       – Network evidence
       – Traffic analysis
       – Statistical flow analysis
       – Attack pattern analysis
  6. What is Computer Forensics?
     • Computer Forensics involves the preservation, identification, extraction, documentation and interpretation of computer data – Kruse and Heiser, 2002
  7. Why Computer Forensics?
     • Reasons to use Computer Forensics
       – Internal Company Investigations
         • Alleged criminal activity
         • Civil or Regulatory Preservation
       – Receivership, Bankruptcy
       – EEO issues
       – Improper use of company assets
       – Recovery of Accidentally or Intentionally Deleted Data
         • Deleted is not necessarily deleted
         • Recovery from Improper shutdowns
  8. Collecting “ESI”
     • Forensic Harvesting – Logical vs. Physical
       – Logical copy (Active Files)
         • Data that is visible via the O.S.
       – Physical
         • Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)
  9. Types of “ESI”
     • E-mail
     • Office Files
     • Database
     • Volatile
     • Legacy Systems
     • Metadata
  10. Sources of “ESI”
     • Desktops
     • Laptops
     • CDs/DVDs
     • Network Attached Storage Devices (NAS)
     • Storage Area Networks (SAN)
     • Servers
     • Databases
     • Backup Tapes
     • E-Mail
     • Archives
     • Cell Phones/PDAs
     • Thumb Drives
     • Memory Cards
     • External Storage Devices
     • Cameras
     • Printers
     • GPS Devices
  11. First Response
     • First Steps Taken
       – Identify users/custodians, electronic devices and begin Chain of Custody
       – Photograph and document full environment and condition/state of devices
       – Determine next steps depending on device(s) and situation
  12. Computer Imaging
     • Photograph, document and begin Chain of Custody
     • Acquire live RAM (if possible/necessary)
     • Shut down computer
       – Pull plug (Windows/Mac)
       – Properly shut down (Server/Linux/Unix)
     • Determine imaging method and format
       – Write Blocker
       – Boot Disk
         • USB / eSATA / FireWire
         • Crossover Cable
  13. Microsoft Exchange Cont.
     • Select Mailbox Collection
       – Exchange 2003
         • ExMerge
       – Exchange 2007 & 2010
         • Command Line / PowerShell
  14. Registry Overview
     • Windows Registry – central database of the configuration data for the OS and applications.
     • Registry Keys
       – Software
       – System
       – SAM (Security Account Manager)
       – NTUSER.dat
  15. Software Key
     • What Operating System Installed?
     • Date/Time OS Installed
     • Product ID For Installed OS
     • Installed software
     • Programs That Run Automatically at Startup (Place to Hide Virus)
     • User Profiles
  16. System Key
     • Mounted Devices
     • Computer Name
     • USB Plugged-In Devices (USBSTOR)
     • Last System SHUT DOWN Time
     • Time Zone
  17. SAM & NTUSER.DAT Keys
     • SAM
       – Domain Accounts
     • NTUSER.DAT
       – Network Assigned Drive Letters
       – Last Clean Shutdown Date/Time
       – Recent Documents
       – Program settings
  18. Forensic Analysis
     • Registry Analysis
       – OS Install date/time
       – Installed Software
       – Startup programs
       – Time Zone settings
       – Last Shutdown time
       – User information / Accounts
       – Recently opened files
       – Connected USB Devices
       – Mounted Drives
       – Recently used programs
  19. Registry – OS Install Date
  20. Registry – Installed Software
  21. Registry – Startup Programs
  22. Registry – Time Zone Settings
  23. Registry – Last Shutdown Time
  24. Registry – User Info/Accounts
  25. Registry – User Info/Accounts
  26. Registry – Recently Opened
  27. Registry – USB Devices
  28. Registry – Mounted Drives
  29. Registry – Recent Programs
  30. Forensic Analysis
     • USB / External HDD Analysis
       – Serial Number
       – Volume Serial Number
       – Model
       – First Connected
       – Last Connected
       – Friendly Name
       – User who connected drive
       – .LNK Files
  31. USB/External HDD Analysis
  32. Forensic Analysis
     • Internet History
       – Default internet browser
       – Sites visited and frequency
       – Date and time of last visit
     • Recent Folder
       – Recently accessed files/programs
     • My Documents / User Folder(s)
       – Usually where most user created data is located
  33. Internet History Analysis
  34. Internet History Analysis
  35. Forensic Analysis
     • Deletion
       – Recycle Bin
         • Examine INFO2 records if file was sent to the recycle bin
           – Contains the date & time the file was sent to the recycle bin
           – Shows where the file resided before being sent to the recycle bin
       – Data Carving
       – Evidence of wiping or wiping software
         • Hex Editor sometimes helps to see wiping pattern if one exists
       – Example recovery of deleted document…
  36. “deleted.txt” exists on a disk
  37. The file has been deleted
  38. The directory listing… Note the sigma character
  39. Is the data really gone???
  40. Sigma changed to Underscore
  41. Hey … it’s back!
  42. VOILA…
  43. Deleted & Overwritten File
  44. Recycle Bin Info Record Finder
     • These files were recovered by searching for recycle bin header signatures in unallocated and slack space. These records represent files that were contained in the recycle bin before it was emptied.
     • Info records for file: Demo case\Revised demo images\C\RECYCLER\S-1-5-21-1229272821-1592454029-839522115-1003\INFO2
       Index    : 2
       Deleted  : 11/06/07 03:30:54PM
       FileSize : 20480 bytes (20 KB)
       FilePath : C:\Documents and Settings\Demo\My Documents\ABC Sports Agency - Deleted\Recycle Bin - ABC Balance Sheet.xls
       Offset   : 820

       Index    : 2
       Deleted  : 11/06/07 10:30:54AM
       FileSize : 20480 bytes (20 KB)
       FilePath : C:\Documents and Settings\Demo\My Documents\ABC Sports Agency - Deleted\Recycle Bin - ABC Balance Sheet.xls
       Offset   : 1080
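Slide 44 shows the output of a recycle bin record finder. As an added example (not code from the deck or from JurInnov), the Python below carves INFO2 headers out of a byte buffer and decodes the fixed-size records behind them; the layout is the documented Windows 2000/XP INFO2 format, and the sample bytes are constructed to mirror the slide's record, padded with filler that stands in for unallocated space.

```python
"""Carve and decode Windows 2000/XP Recycle Bin INFO2 records.

Added example; not code from the slide deck or from JurInnov. The record layout
(20-byte header, 800-byte records) is the documented INFO2 format; the sample
bytes below are constructed to mirror the record shown on the Info Record
Finder slide and are embedded in filler bytes standing in for unallocated space.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20    # version(4) + 8 unknown bytes + record size(4) + total size(4)
RECORD_LEN = 800   # 0x320: 260-byte ANSI path, 4+4+8+4 fixed fields, 520-byte Unicode path
# Header signature carved for: version field (5, the value assumed for XP here),
# eight zero bytes, then the record size.
SIGNATURE = struct.pack("<I8xI", 5, RECORD_LEN)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_record(rec: bytes, offset: int) -> dict:
    """Decode one 800-byte INFO2 record found at `offset` in the scanned buffer."""
    if len(rec) != RECORD_LEN:
        raise ValueError("truncated INFO2 record")
    ansi_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
    index, drive, filetime, size = struct.unpack_from("<IIQI", rec, 260)
    unicode_path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "offset": offset,
        "index": index,
        "drive": chr(ord("A") + drive) if drive < 26 else f"#{drive}",  # 2 -> C
        "deleted": filetime_to_datetime(filetime),
        "size": size,
        "path": unicode_path or ansi_path,   # ANSI copy survives if the Unicode one is damaged
    }


def find_info2_records(blob: bytes) -> list:
    """Scan an arbitrary byte buffer (e.g. unallocated or slack space) for INFO2
    headers and decode the fixed-size records that follow each one. An empty or
    implausible path (no drive letter) marks the end of the file's used slots."""
    found = []
    pos = blob.find(SIGNATURE)
    while pos != -1:
        cursor = pos + HEADER_LEN
        while cursor + RECORD_LEN <= len(blob):
            record = parse_record(blob[cursor:cursor + RECORD_LEN], cursor)
            if not record["path"] or record["path"][1:2] != ":":
                break
            found.append(record)
            cursor += RECORD_LEN
        pos = blob.find(SIGNATURE, cursor)
    return found


# --- constructed sample data, mirroring the slide's record -------------------
def build_record(index: int, drive: int, deleted: datetime, size: int, path: str) -> bytes:
    ansi = path.encode("latin-1")[:259].ljust(260, b"\x00")
    fixed = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size)
    unicode_ = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return ansi + fixed + unicode_


def build_info2(records: list) -> bytes:
    total = HEADER_LEN + len(records) * RECORD_LEN
    return struct.pack("<I8xII", 5, RECORD_LEN, total) + b"".join(records)


SAMPLE_PATH = (r"C:\Documents and Settings\Demo\My Documents"
               r"\ABC Sports Agency - Deleted\Recycle Bin - ABC Balance Sheet.xls")
SAMPLE_INFO2 = build_info2([
    build_record(1, 2, datetime(2007, 11, 6, 10, 30, 54, tzinfo=timezone.utc), 20480, SAMPLE_PATH),
    build_record(2, 2, datetime(2007, 11, 6, 15, 30, 54, tzinfo=timezone.utc), 20480, SAMPLE_PATH),
])
# Filler on both sides stands in for unrelated unallocated clusters.
SAMPLE_BLOB = b"\x00" * 1000 + SAMPLE_INFO2 + b"\xff" * 500

if __name__ == "__main__":
    for rec in find_info2_records(SAMPLE_BLOB):
        print(f"offset {rec['offset']:>5}  index {rec['index']}  deleted {rec['deleted']:%Y-%m-%d %H:%M:%S}"
              f"  {rec['size']} bytes  {rec['path']}")
```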
  45. Forensic Analysis
     • File Signature Analysis
     • File Hash Analysis
     • Analysis Examples …
  46. Signature Analysis
  47. Signature Analysis
  48. Open the picture
  49. Hash Analysis
  50. Forensic Analysis
     • Key Term Searching
       – Index full contents of the image for searching
       – Tips for this method
     • File Filtering
       – Date ranges
       – File type(s)
       – Duplicates
       – Known Files (KFF)
       – Even combinations of multiple filters
  51. Forensic Analysis
     • Email Activity
     • Printing Activity
       – Look for printing spool/shadow files
         • Can possibly contain the data that was sent to a printer
     • Network Activity
       – Network connections
       – Wireless access points
       – Shared network folders/files
  52. Forensic Analysis
     • Hiberfil.sys Analysis
       – Data is written to the “hiberfil.sys” file when a machine is put in hibernation mode on the Windows OS
         • Usually recent data
       – May contain passwords, login information, temporary data, whole or partial documents
     • RAM Analysis
       – Can only be acquired on a live system
         • Analyst will change data on the system
       – May contain passwords, login information, temporary data, whole or partial documents, currently running processes
  53. Forensic Analysis
     • Unallocated Space
       – Partial documents
       – Overwritten files
     • Drive Free Space
     • File Slack
  54. Mobile Device Acquisition
     • Photograph, document and begin Chain of Custody
     • Obtain password if enabled
     • Obtain charger and maintain power to the device
     • Cut off network communications
       – Faraday bag or Airplane Mode
     • Determine acquisition/data extraction method
       – Device
         • Cellebrite
         • CellDek
         • Device Seizure
         • MPE+
       – SIM Card – CellDek, Device Seizure or MPE+
       – Media/SD Card – EnCase
  55. Mobile Device Analysis
     • Not to be considered an “Image”
       – Extraction of artifacts from device’s databases
     • Some Items That Can Be Acquired
       – SMS/MMS
       – Email
       – Contacts
       – Calendar
     • Searching
       – Able to search within the device’s extracted data for key terms
       – Bookmark items that are relevant to the case
  56. Mobile Device Analysis
     • Reporting
       – Tools include report generators
         • HTML
         • CSV / XLS
         • PDF
       – Include ALL items or only Bookmarked items
         • Helps to limit amount of irrelevant data in the reports
  57. Detecting Intrusions
     • Validate authenticity of incident
       – Indicators
       – Automated identification and notification
     • Detecting malware
  58. Indicators
     • Possible Indicators
       – Presence of unfamiliar files
       – Execution of unknown programs
       – Unusual consumption of computing resources
       – Unusual network activity
       – System crashes
  59. Indicators
     • Probable indicators
       – Unknown accounts
       – Use of dormant accounts
       – Reported attacks
       – Activity at unexpected times
       – Unusual email traffic
  60. Indicators
     • Most likely indicators
       – Log alteration
       – Presence of malicious code
       – Presence of hacker tools
       – Notification by partner or peer
       – Notification by hacker
       – Loss of availability
       – Corrupt files
       – Data breach
       – Violation of policy
       – Violation of law
  61. Detecting Malware
     • Virus – piggybacks on other files or media; replicates when loaded
     • Worm – self replicating, multi-vector propagation
     • Trojan – opens back doors
     • Bot
  62. Life Cycle: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up
     • Exploit
       – Malicious code
       – Unpatched vulnerabilities
       – Trojan
       – Password guessing
       – Phish
     • Rally – Reporting in
       – Log into designated IRC channel and PM master
       – Make connection to http server
       – Post data to FTP or http form
  63. Life Cycle: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up
     • Preserve
       – Alter A/V DLLs
       – Modify Hosts file to prevent A/V updates
       – Remove default shares (IPC$, ADMIN$, C$)
       – Rootkit
       – Encrypt
       – Polymorph
       – Retrieve Anti-A/V module
       – Turn off A/V or firewall services
       – Kill A/V, firewall or debugging processes
  64. Life Cycle: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up
     • Inventory – determine capabilities such as RAM, HDD, Processor, Bandwidth, and pre-installed tools
     • Await instructions from C&C server
     • Update
       – Download payload/exploit
       – Update C&C lists
  65. Life Cycle: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up
     • Execute commands
       – DDoS
       – Spam
       – Harvest emails
       – Keylog
       – Screen capture
       – Webcam stream
       – Steal data
     • Report back to C&C server
     • Clean up – Erase evidence
  66. Detecting malware
     • Look for their activity
       – Monitor traffic and directionality
       – Look for IRC traffic
       – Monitor A/V service states
       – Look for modified A/V files
       – Search for known bot file signatures offline
  67. Network Evidence
     • Volatile evidence
       – Users logged on
       – Open ports
       – Active network connections
       – Running processes
       – Open files
     • Network data
     • Event logs
  68. Command line
     • netstat -an       Lists active connections/open ports
     • netstat -rn       Lists the local routing table
     • pslist            Lists running processes
     • psloggedon        Lists users logged on (local & remote)
     • now               Displays current date and time
     • nlsinfo           Lists system name and time zone
     • psfile            Lists files opened remotely
     • ipconfig /all     Shows adapter configuration
     • autorunsc         Lists programs that run at startup
     • diskmap           Lists drive information
  69. Tools
     • EnCase Portable
     • FTK Imager
     • Both tools can:
       – Collect users, ports, processes, network interfaces, ARP and routes
       – Data carving
  70. Equipment
     • Network equipment storage
       – Dynamic Random Access Memory (DRAM): OS config, process memory, routing tables, firewall stats
       – Content Addressable Memory (CAM): MAC address table
       – Nonvolatile Random Access Memory (NVRAM): OS and startup config
       – Read Only Memory (ROM): boot loader
  71. Switches
     • Volatile evidence
       – Stored packets before they are forwarded
       – CAM tables: MAC to port mapping
       – ARP table: MAC to IP mapping
       – ACL
       – I/O Memory
       – Running configuration
       – Processor memory
  72. Switches
     • Persistent evidence
       – OS Image
       – Boot loader
       – Startup configuration
     • Off-system evidence
       – Automatic configuration backups
       – Compare running config or existing startup config to backup and change mgmt
  73. Routers
     • Investigate routers to…
       – Determine traffic flow
       – Identify compromised routers
       – Obtain log data from a choke point
  74. Routers
     • Volatile evidence
       – Routing tables
       – Stored packets before they are forwarded
       – Packet counts and statistics
       – ARP table
       – DHCP lease assignments
       – ACL
       – Running configuration
  75. Routers
     • Persistent evidence
       – OS image
       – Boot loader
       – Startup configuration
       – If internal HDD, logs
     • Off-system evidence
       – Alerts and logs from: Syslog, TFTP, SNMP
  76. Firewalls
     • Investigate firewalls to…
       – Identify connection attempts
       – Determine data volumes
       – Open ports
       – Allowed protocols
       – Network segmentation (DMZ)
  77. Firewalls
     • Volatile evidence
       – Interface configurations
       – ACLs
       – VPN tunnels
       – Routing table
       – ARP cache
       – Packet and frame statistics
       – Command history
  78. Firewalls
     • Persistent evidence
       – OS image
       – Boot loader
       – Startup configuration
       – If internal HDD, logs
     • Off-system evidence
       – Config will show exported items
       – Alerts and logs from: Syslog, TFTP, SNMP
       – Access history
       – Backup configurations
  79. Web proxy
     • Investigate web proxies to…
       – View browsing history for the site
       – Blocked web requests
       – Attempts to circumvent monitoring
       – Browsing baselines
       – View pages as they were viewed by the individual
  80. Web proxy
     • Volatile evidence
       – Cached content in RAM
       – Authentication information for web sites
     • Persistent evidence
       – HTTP/HTTPS traffic history
         • Blogs
         • IM
         • Web mail
         • Web sites
       – Blocked requests
  81. Equipment
     • Physical devices
       – Video cameras
       – Access control systems
  82. Windows logs
     • Windows NT – 2003
       – Application
       – Security
       – System
       – Special
         • Directory Service
         • DNS Server
         • File Replication Service
     • Server 2008 – 2012
       – Includes 2003 logs plus:
         • Administrative events
         • Setup
         • Server roles
         • PowerShell
       – Organized by installed roles with custom filters
  83. Linux Logs
     • Logs based on syslog
     • Organized by facility such as mail or web
     • Syslog-ng – supports TLS encryption for shipped logs
     • Rsyslogd – supports IPv6, RELP (Reliable Event Logging Protocol), TLS, time stamping and zone logging
  84. Mac Logs
     • Stored in library/logs
     • Over 100 logs including:
       – System.log
       – Mail.log
       – Appfirewall.log
       – Install.log
  85. Event Log Sources
     • What logs exist?
     • Where are they stored?
     • What are our technical options for accessing them?
     • Who controls the event logs?
     • How do we get permission to access and collect them?
     • How forensically sound are the event logs?
     • Are the target systems capable of additional logging?
  86. Event Log Resources
     • How much storage space will we need?
     • How much time do we have for collection and analysis?
     • What tools, systems and staff are available for collection and analysis?
  87. Event Log Sensitivity
     • How critical are the systems that store event logs?
     • Can they be removed from the network?
     • Can they be powered off?
     • Can they be accessed remotely?
  88. Event Log Sensitivity
     • Would copying logs from these systems have a detrimental impact on equipment or network performance or availability?
       – If so, can we minimize the impact by collecting evidence at specific times?
       – Will a delay in collection reduce the quality of the evidence?
       – Will a delay in collection reduce the likelihood of containing and resolving the incident?
  89. Log Collection – Summary
     • Physical
     • Manual remote
     • Central log aggregation
  90. Log Collection – Physical
     • Make bit-for-bit forensic HDD copy
     • Extract logs from copy
       – Pros:
         • Exact copy available for court
         • Well-established forensic process
       – Cons:
         • Potentially need to touch many machines
         • Forensic image takes time
         • Forensic image impacts production
         • Direct access needed – potential travel and increased time for data to grow stale
  91. Network Data Collection
     • Photograph and document
     • Coordinate with IT to determine location of desired shares/folders
     • Obtain proper credentials to access target data
     • Attach forensically wiped hard drive to server or workstation with local network access
     • Run FTK Imager Lite from attached hard drive
     • Create Custom Content Image (.AD1) of target shares/folders
     • Verify image MD5 hash value
  92. Network Data AD1 Image – Add Contents of a Folder
  93. Network Data AD1 Image – Create Custom Content Image; Verify Hash Value of AD1
  94. Log Collection – Manual Remote
     • Collect through: RDP, SSH, SMB, or HTTP
     • Hash log on source
     • Copy log to remote media
     • Hash log on remote media and verify
       – Pros:
         • Fast collection of logs
       – Cons:
         • Increased network activity
         • System is modified through logon
  95. Log Collection – Central Log
     • Logs automatically synced or shipped to central server
     • Make bit-for-bit forensic HDD copy of collection server
     • Extract logs from copy
       – Pros:
         • Avoids log rollover
         • Fastest collection
         • Forensic image can be taken offline w/o production impact
         • Original systems not changed
       – Cons:
         • Possibly a huge forensic image
         • Logs could be incomplete due to network congestion or corruption
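The hash-before / hash-after procedure on slides 91, 94 and 95, as an added example that is not the deck's or JurInnov's code: hash the log on the source, copy it to collection media, hash and verify the copy, write a chain-of-custody manifest, and re-verify the media later so any post-collection alteration is caught. It assumes the source log is reachable as a local path (for example a mounted share) and uses constructed log lines.

```python
"""Remote log collection with hash-before / hash-after verification and a
chain-of-custody manifest.

Added example; not code from the slide deck or from JurInnov. It follows the
Manual Remote steps (hash on source, copy to collection media, hash on media,
verify) and then re-verifies the media so later alteration is detected.
Assumes the source log is reachable as a local path (e.g. a mounted SMB share);
all paths and log lines below are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "custody_manifest.json"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_log(source: Path, media_dir: Path, examiner: str) -> dict:
    """Hash on source, copy, hash on media, verify; return the custody record."""
    started = datetime.now(timezone.utc).isoformat(timespec="seconds")
    source_hash = sha256_file(source)
    destination = media_dir / source.name
    shutil.copy2(source, destination)        # copy2 keeps the source mtime for the timeline
    media_hash = sha256_file(destination)
    record = {
        "source": str(source),
        "destination": str(destination),
        "size_bytes": destination.stat().st_size,
        "sha256_source": source_hash,
        "sha256_media": media_hash,
        "verified": source_hash == media_hash,
        "collected_utc": started,
        "examiner": examiner,
    }
    if not record["verified"]:
        destination.unlink()                 # never keep a copy whose integrity is unproven
        raise RuntimeError(f"hash mismatch while collecting {source}")
    return record


def write_manifest(records: list, media_dir: Path) -> Path:
    manifest = media_dir / MANIFEST_NAME
    manifest.write_text(json.dumps(records, indent=2))
    return manifest


def verify_media(media_dir: Path) -> list:
    """Re-hash every collected file against the manifest; return names that no longer match."""
    records = json.loads((media_dir / MANIFEST_NAME).read_text())
    return [Path(r["destination"]).name for r in records
            if sha256_file(Path(r["destination"])) != r["sha256_media"]]


def demo() -> dict:
    """Constructed end-to-end run: collect two logs, verify the media, then show
    that a later change to one copy is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        share, media = Path(tmp, "server_share"), Path(tmp, "evidence_media")
        share.mkdir()
        media.mkdir()
        (share / "auth.log").write_text(
            "Mar 19 03:12:01 srv1 sshd[4411]: Failed password for admin from 198.51.100.7 port 51022\n")
        (share / "access.log").write_text(
            '198.51.100.7 - - [19/Mar/2013:03:12:09 -0400] "GET /admin HTTP/1.1" 401 512\n')
        records = [collect_log(p, media, examiner="E. Examiner") for p in sorted(share.iterdir())]
        write_manifest(records, media)
        failures_before = verify_media(media)
        with (media / "auth.log").open("a") as fh:  # simulate post-collection alteration
            fh.write("Mar 19 03:13:00 srv1 sshd[4411]: Accepted password for admin\n")
        failures_after = verify_media(media)
        return {"records": records, "failures_before": failures_before, "failures_after": failures_after}


if __name__ == "__main__":
    result = demo()
    for rec in result["records"]:
        print(f"{Path(rec['destination']).name:<12} sha256={rec['sha256_media'][:16]}...  verified={rec['verified']}")
    print("altered after collection:", result["failures_after"])
```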
  96. Traffic Analysis
     • Where to start
     • Collection
  97. Starting point
     • Network schematic
     • Server roles
     • Baselining – normal profile
       – Destination IP addresses
       – Ports
       – Protocols
       – Volume of data and directionality
  98. Collection
     • Packet analysis
       – Libpcap and WinPcap
       – Wireshark
     • Traffic analysis
       – NetworkMiner
     • Persistent packet sniffing
       – Data available when needed
       – High disk and CPU requirement
       – Must be highly secure
     • Activity pattern matching
  99. Wireshark – Interface (packet list, packet details, packet bytes)
  100. Wireshark
     • Filtering
       – Frame contains “search term”
     • Flow – sequence of packets comprising a single communication segment
       – Ex: Connection, Negotiation, File Request, File delivery, checksum, acknowledgment, termination
       – Flow record – subset of information from a flow such as source and destination IP, protocol, date or time
  101. NetworkMiner
     • Traffic analysis tool
     • Graphical breakdown of…
       – Hosts
       – Images
       – Files
       – Email
       – DNS
       – Sessions
  102. Statistical Flow Analysis
     • Analyze for trends and anomalies
     • Flow record
     • Forensic steps
     • Tools
  103. Flow record
     • Information on communication
     • Source and destination IP
     • Source and destination port
     • Protocol
     • Date and time
     • Size
  104. Forensic steps
     • Identify suspicious:
       – IP addresses
       – Ports
       – Dates and times
     • Were lots of packets denied?
     • Was more traffic than normal sent?
     • Were protocols used that are not normally used?
     • Was the directionality of the flow different?
  105. Quick and Fast Rules
     • Compromised hosts generally send out more information
     • Patterns (sending perspective)
       – Many-to-one – DDoS, Syslog, data repository, email server
       – One-to-many – web server, email server, SPAM bot, warez, port scanning
       – Many-to-many – P2P, virus infection
       – One-to-one – normal communication, targeted attack
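The flow-record questions of slides 103 to 105 worked through in code, as an added example not taken from the deck or from JurInnov: a constructed set of flow records and a constructed baseline, with the fan-in/fan-out pattern rules, the baseline checks (ports, protocols, time of day) and the directionality rule applied.

```python
"""Statistical flow analysis: sending-pattern classification, baseline deviation and
directionality. Added example, not code from the slide deck or from JurInnov. FLOWS is a
constructed set of records with the Flow record slide's fields; BASELINE is a constructed
normal profile of the kind the Starting point slide describes (RFC 5737 addresses)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: str          # ISO 8601 local time, e.g. "2013-03-19T03:12:00"
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    bytes_out: int   # sent by src
    bytes_in: int    # returned to src

# Constructed normal profile: internal prefix, expected destination ports and protocols,
# working hours, and how much more a host may send than it receives before it stands out.
BASELINE = {
    "internal_prefix": "10.0.0.",
    "ports": {25, 53, 80, 443},
    "protos": {"tcp", "udp"},
    "business_hours": range(8, 18),
    "max_out_ratio": 2.0,
}

def classify_patterns(flows, min_peers=5):
    """Apply the deck's sending-perspective rules from the number of distinct peers
    each host talks to (fan-out) and the number that talk to it (fan-in)."""
    peers_out, peers_in = defaultdict(set), defaultdict(set)
    for f in flows:
        peers_out[f.src].add(f.dst)
        peers_in[f.dst].add(f.src)
    patterns = {}
    for host in set(peers_out) | set(peers_in):
        fan_out, fan_in = len(peers_out[host]), len(peers_in[host])
        if fan_out >= min_peers and fan_in >= min_peers:
            patterns[host] = "many-to-many"   # P2P, virus infection
        elif fan_out >= min_peers:
            patterns[host] = "one-to-many"    # server, spam bot, port scanning
        elif fan_in >= min_peers:
            patterns[host] = "many-to-one"    # DDoS target, syslog, mail server
        else:
            patterns[host] = "one-to-one"     # normal traffic or a targeted attack
    return patterns

def find_anomalies(flows, baseline=BASELINE):
    """Answer the Forensic steps questions for internal senders: unusual ports or
    protocols, activity at unexpected times, and reversed directionality."""
    reasons = defaultdict(set)
    sent, received = defaultdict(int), defaultdict(int)
    for f in flows:
        if not f.src.startswith(baseline["internal_prefix"]):
            continue                          # judge directionality from the internal side
        sent[f.src] += f.bytes_out
        received[f.src] += f.bytes_in
        if f.dport not in baseline["ports"]:
            reasons[f.src].add(f"unusual port {f.dport}/{f.proto}")
        if f.proto not in baseline["protos"]:
            reasons[f.src].add(f"unusual protocol {f.proto}")
        if int(f.ts[11:13]) not in baseline["business_hours"]:
            reasons[f.src].add("activity outside business hours")
    for host, out in sent.items():            # compromised hosts generally send out more
        if out > baseline["max_out_ratio"] * max(received[host], 1):
            reasons[host].add("outbound volume exceeds inbound")
    return {host: sorted(r) for host, r in reasons.items()}

FLOWS = [
    # Workstation resolving names and browsing during business hours: expected.
    Flow("2013-03-19T10:15:01", "10.0.0.5", "10.0.0.2", 53211, 53, "udp", 80, 240),
    Flow("2013-03-19T10:15:02", "10.0.0.5", "203.0.113.10", 51022, 443, "tcp", 4_200, 118_000),
] + [
    # Six external senders delivering mail to the internal mail server: many-to-one, expected.
    Flow(f"2013-03-19T11:0{i}:00", f"192.0.2.{10 + i}", "10.0.0.3", 40000 + i, 25, "tcp", 30_000, 2_000)
    for i in range(1, 7)
] + [
    # One workstation pushing data to six external hosts on an IRC port at 3 a.m.
    Flow(f"2013-03-19T03:1{i}:00", "10.0.0.7", f"198.51.100.{20 + i}", 49000 + i, 6667, "tcp", 900_000, 12_000)
    for i in range(6)
]

if __name__ == "__main__":
    patterns = classify_patterns(FLOWS)
    for host, why in find_anomalies(FLOWS).items():
        print(f"{host:<12} {patterns[host]:<13} {'; '.join(why)}")
```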
  106. Flow record export protocols
     • NetFlow
     • sFlow
     • IPFIX (IP Flow Information Export)
       – Push protocol
  107. Tools
     • Graphical
       – EtherApe
       – FlowTraq
       – Cacti
       – FlowMon
       – MRTG
       – NetLimiter
       – OmniPeek
     • Command Line
       – Iperf
       – Argus
       – Nfdump
       – SiLK
  108. EtherApe
     • Network traffic is displayed graphically
     • Node and link color shows the most used protocol
     • View protocol stack
     • Shows within your network, end to end IP, or even port to port TCP
     • Data can be captured "off the wire" from a live network connection, or read from a capture file
  109. FlowTraq
     • Alerting
     • Scheduled Reports
     • Support for IPv6
     • Supports NetFlow, sFlow, Cflow, Jflow
     • Dashboard
  110. Cacti
     • Great graphs that can be modified to show time periods, protocols, devices and more
  111. FlowMon
     • Can handle large amounts of data (up to 10 Gbps)
     • Supports NetFlow v5/v9 and IPFIX
  112. Attack Pattern Analysis
     • Using an IDS to analyze data
     • Scan for viruses on images
     • Review darknet or honeynet data
  113. Snort Architecture
     Capture packets (pcap) from interface(s) → Reassemble and analyze (protocol, frame, packet) → Anomaly detection → Passed on to rule engine → Determine actions:
     • Drop and log
     • Drop, no log
     • Accept
     • Accept and log
     • Notify
  114. Send pcap to snort
     • Install snort on analysis machine
     • Update rules
     • snort -c C:\snort\etc\snort.conf -l c:\snort\log -y -r c:\sample-pcap_3-19-2013.pcap
  115. Snort output from pcap
     Source: https://sickbits.net/snort-offline-analysis/
  116. Prioritize
     • Determine impact
       – Productivity loss
       – Reputation loss
       – Damage to customers or partners
       – Competitive advantage loss
     • Determine regulatory requirements
     • Determine whether legal action is required or desired
  117. Notify
     • Contact key individuals
     • Provide each with information on a need-to-know basis
     • Involve necessary outside parties
  118. Strategize
     • Follow IRP steps if one exists
     • Determine preservation need
       – Computers
       – Network data
       – Email accounts
       – System logs
       – Volatile data
     • Rapid containment vs. monitoring/tracking
     • Outline data necessary for regulatory notification requirements
     • Document preservation and remediation steps
     • Assign specific responsibilities and due dates
  119. Analyze
     • Analyze data
     • Provide evidence to attorneys
     • Testify if necessary
     • Keep data until destruction or return is requested
  120. Remediate
     • Notify external parties such as customers, government agencies or shareholders
     • Perform remediation steps
       – Server hardening
       – Patch deployment
       – Data removal request
       – Disable accounts
       – Change permissions
       – Modify security settings
     • Validate that remediation was successful
  121. Reflect
     • Debrief (After-action review)
       – Rank-less discussion
       – What was the goal?
       – Were goals achievable?
       – Successes
       – Pitfalls
       – Lessons learned
       – Action items and responsibilities
     • Refine plans and processes
     • Create new IRPs
  122. Questions
  123. For assistance or additional information
     •  Phone: 216-664-1100
     •  Web: www.jurinnov.com
     •  Email: eric.vanderburg@jurinnov.com
     JurInnov Ltd., The Idea Center, 1375 Euclid Avenue, Suite 400, Cleveland, Ohio 44115
