Enterprise Digital Forensics and Security with Open Source Tools: Automate Audits, Cyber Forensics and Incident Response with Velociraptor and Ansible AWX
1. Enterprise Digital Forensics and Security with Open Tools: Automate Audits, Cyber Forensics, and Incident Response with Velociraptor and Ansible AWX
2. Presentation
Doctor of Information Science (Computer Science)
I have been working in IT Security since 1997 and Digital Forensics since 2002
Register of Technical Experts of the Court of Florence
Register of Experts Court of Florence
Register of Technical Consultants of the Chamber of Commerce of Florence
Register of Professors of the Information System of the University of Florence (SIAF)
Register of Experts in Technological Innovation (former Innovation Manager) MISE
List of Arbitrator Consultants of the Chamber of Commerce of Florence
NATO NCAGE AT568 Rating
ECEE Certification: European Certificate on Cybercrime and Electronic Evidence
Information Security Auditor/Lead Auditor - ISO 27001:2013
Co-author for the computer forensics aspects of the book "Internet and the damage to the person", published by Giappichelli in 2012
Member of the European Data Protection Board Expert Pool
Clusit Italian Association for Information Security
ONIF: National Observatory of Computer Forensics
CGT: Circolo Giuristi Telematici
ANRA: National Association of Risk Managers
Board of Directors ONIF – National Observatory of Computer Forensics www.onif.it
Promoter and manager of the DataBreach Telegram channel https://t.me/databreach
Promoter and manager of the site on the IT retrieval www.repertamento.it
AlessandroFiorenzi.it
4. Evolution of business contexts
Companies 10 years ago (2012):
• Companies that are not fully digitized (a lot of paper)
• Systems on premises, on physical servers
• Small storage
• Lots of small desktop disks
• 32 GB business (private) smartphones were a luxury
• Poorly connected businesses
Companies in 2023:
• Digitization of companies
• On-premises and/or cloud systems
• Medium to large storage (20 TB)
• Desktops and laptops with very high-capacity disks
• Business smartphones with a minimum of 128 GB
• Hyper-connected businesses: C2S VPN for employees and consultants, S2S VPN for vendors and maintainers
5. Problems are also evolving
Dealing with a cyber incident used to mean:
• Identify the perimeter of the systems involved
• Forensic copying of the systems (disk imaging)
• Start the analysis of the forensic copies (time consuming)
• Restore the last backup and carry out remediation actions
Problems today:
• The number of server and PDL (workstation) systems is much greater
• The size of disks/storage has grown
• The amount of information on PDLs and servers has grown
• Timeliness in responding to an attack/data breach
• It is increasingly difficult to identify with certainty the perimeter concerned
• DF with disk imaging and analysis in mid-sized business settings is complex and resource-intensive
9. Security incidents
Data breach
• a security incident in which sensitive, protected or confidential data is accessed, viewed, copied, transmitted, stolen or used by an unauthorised party
IT incident
• any event that is not part of the standard operation of a service and that causes, or may cause, an interruption and a reduction in the quality of that service: sabotage, a breach of the systems or the theft of IP are IT incidents
10. DFIR: Digital Forensics Incident Response
The use of digital forensics tools and methods in incident response for the collection and analysis of evidence. The management of an incident is a critical event: it can have an impact on the production chain, it can lead to financial and reputational damage, it can affect customer and employee data and require notification to the police or the Privacy Guarantor (the Italian data protection authority).
DFIR is the answer to cyber incident management.
DFIR = Digital Forensics + Incident Response
Digital forensics provides the processes and tools to collect, store and analyze forensic evidence.
Incident response consists of containing, blocking and preventing a cyber attack.
11. Enterprises: Security Solutions
Many companies are already equipped with these security tools:
• Firewall
• Switched network
• IDS/IPS
• Proxy browsing protection
• DNS protection (Umbrella)
• XDR/EDR
• SIEM
• Backup
• Personal firewall
12. Companies: Security & Security Incidents
Is it enough to have all the security solutions seen so far to manage a security incident or a data breach?
• They are useful tools to reduce the risk of an incident
• They are useful tools for restoring functionality
The companies:
• They are organized for the detection of many attack situations, but not all of them, and never will be 100%
In the event of a breach:
• They are not able to analyse, correlate, and search for elements of compromise
• They are not able to acquire evidence: files, registry keys, folders, databases, etc.
• They are not able to distribute a search for evidence, IoCs, malware, etc. across all of the company's IT systems
• They are a wake-up call, but they are unable to pinpoint the perimeter involved
13. In the event of an incident & traditional DF
I would need a forensic analyst on every PC/server in the perimeter (assuming it has been identified) to collect data on processes, files, hashes and logs, and to build the timeline of the last 76 hours or the last 10 days.
We never had enough forensic analysts to handle a serious incident in a medium (200 PDL, 50 VM) or large company (1000-10000 PDL and 100-3000 VM).
However, we have tools that allow us to systematically perform the same operations on all computers, on groups, or on a single computer, regardless of whether they are in the next room, in the Norwegian office or in the cloud in the AWS Asian region.
14. Open Solutions for DFIR
Velociraptor
• Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints.
• It was created by Michael Cohen, a contributor to Volatility and to the Google Rekall and Google Rapid Response (GRR) projects.
• It is open, but it was acquired by Rapid7 in 2021.
• 23 September 2023: "Rapid7 is excited to announce the integration of Velociraptor DFIR into the Insight Platform for InsightIDR"
• Agent based
AWX + Ansible
• Ansible is software that is commonly used to automate configuration and management on Unix and Windows systems.
• AWX is the web and console service built to enable IT teams to use Ansible.
• AWX and Ansible are two open products from Red Hat.
• Agentless
16. Velociraptor
Velociraptor is open on GitHub, https://github.com/Velocidex/velociraptor, with binaries for Linux, Windows, Mac and FreeBSD.
It is a single executable: during configuration you establish the server parameters, generating the configuration files to be used by the clients.
Once the server is configured, you generate the Unix and Windows packages with the configuration derived from the server.
During installation an administrative user is configured; later, other users can be configured with different access profiles.
18. Velociraptor: VQL
VQL is a SQL-like language, but simpler, without complex constructs such as "joins" and "having".
The statements are of the type:
The statements work on the outputs of the VQL plugins, a large set of basic plugins that extract information from the endpoints and provide their output in columns.
Why a query language? To reduce the time it takes to discover an IoC on business systems: we design a rule to detect the IoC, then execute this query on all the systems in our infrastructure and get an output from each of them in a few seconds or minutes.
Using VQL, in the case of a new IoC the forensic analyst can write the relevant VQL queries, insert them into an artifact and search for the artifact across the entire host asset in a few minutes: TIMELINESS and identification of the affected perimeter.
19. Velociraptor: VFS
The Velociraptor GUI shows the list of clients. By selecting a client we can examine its filesystem through the VFS, the Virtual File System view of the endpoint.
The VFS is a server-side cache of the file system structure and file data on the endpoint. If a branch of the directory tree is empty, simply request synchronization with the endpoint to capture its contents.
Client VFS cache information is collected at regular intervals or at the first logon.
We can operate on the file system as if we were on the endpoint, including downloading the files of interest to the Velociraptor server.
In the case of NTFS file systems, it is possible to search and access ADS (Alternate Data Stream) data.
For Windows endpoints, you can access the contents of the Windows event log.
20. Velociraptor: Artifacts
VQL is the main element of Velociraptor. Queries can be used interactively on an endpoint, or they can be used to constitute an Artifact by placing the queries in a YAML file together with parameters to be set at run time and a comprehensible description that defines their purpose and use.
Velociraptor is, put simply, an executor of VQL queries structured in artifacts against one or n endpoints.
Velociraptor comes with a set of Artifacts for Windows, Mac and Linux, but you can build and define new Artifacts for specific needs, such as a new IoC, or you can find them in the Velociraptor community.
21. Velociraptor: Hunting
The Hunt Manager is the Velociraptor component responsible for scheduling the execution of a collection of "artifacts" against the set of clients that meet certain criteria.
Hunting consists of retrieving the information specified by the artifacts from all managed endpoints.
Once an attack pattern has been identified, an ad hoc VQL query can be developed, tested in interactive mode, transformed into an artifact, and used for hunting operations.
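The VQL-to-artifact-to-hunt flow described in slides 18 to 21, as an added example that is not part of the talk and not one of Velociraptor's built-in artifacts: a client artifact that takes glob patterns and a SHA-256 IoC list as run-time parameters, hashes the matching files and returns only the hits. The artifact name, the parameter names and the hash value are placeholders; the size cap keeps a hunt from hashing very large files on every endpoint.

```yaml
# Added example, not from the talk: a custom Velociraptor client artifact.
# Collected interactively on one host or scheduled as a hunt, it answers
# "which endpoints hold a file whose SHA-256 is in this IoC list?".
name: Custom.Windows.IOC.FileHashSearch          # placeholder name
description: |
  Glob the given paths, hash every regular file below the size cap and
  return only those whose SHA-256 appears in the supplied IoC list.
  Hashes are compared as lowercase hex, which is what hash() returns.
type: CLIENT
parameters:
  - name: SearchGlobs
    description: Comma-separated glob patterns to search
    default: C:/Users/**/*.exe,C:/Windows/Temp/**/*.exe
  - name: MaxSizeBytes
    description: Skip files larger than this (avoid hashing huge files)
    type: int
    default: 52428800
  - name: HashList
    description: CSV with a Hash column (placeholder value below)
    type: csv
    default: |
      Hash
      0000000000000000000000000000000000000000000000000000000000000000
sources:
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      -- Cheap conditions first: AND short-circuits, so hash() only runs
      -- for regular files under the size cap.
      SELECT OSPath, Size, Mtime, Atime,
             hash(path=OSPath).SHA256 AS SHA256
      FROM glob(globs=split(string=SearchGlobs, sep=','))
      WHERE NOT IsDir
        AND Size < MaxSizeBytes
        AND SHA256 IN HashList.Hash
```

Every row returned is a hit; the hunt's aggregated results across all clients give the affected perimeter the slide talks about, with file path and timestamps ready for the timeline.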
22. Velociraptor: Monitoring
Endpoint monitoring is done through hunts. For this purpose there are some plugins, called "event VQL plugins", which run constantly on the endpoint.
Starting from queries that use this type of plugin, it is possible to define artifacts, and hunts that contain them, that remain running waiting for events on the clients and send them to the server when they occur.
Through integration with third-party systems, a follow-up action can be set.
23. Velociraptor: let's investigate
We can define queries in VQL to search for specific elements (IoCs, hashes, IPs, registry keys, file names, logs, etc.) from the command line, on one endpoint or on all of them.
We can search for Linux, Mac and Windows artifacts with parameters, e.g. timeline construction.
We can traverse the endpoint's file system, capture metadata, ADS (NTFS) and more from the files, select them and capture them.
We can browse and query the Windows event log.
We can hunt, i.e. run artifacts that are searched cyclically (the use of the root or administrator user, the creation of a local user).
Through hunts, we can monitor endpoint conditions against specific artifacts.
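The "event VQL plugin" pattern from slide 22, applied to the "creation of a local user" condition listed above, as an added example that is not from the talk: a client event artifact built on the watch_evtx() plugin that stays resident on each Windows endpoint and forwards every account-creation event to the server. The artifact and parameter names are placeholders.

```yaml
# Added example, not from the talk: a client event artifact. Unlike a
# collection artifact it never finishes: watch_evtx() tails the Security
# log on the endpoint and each matching event is streamed to the server.
name: Custom.Windows.Events.AccountCreated       # placeholder name
description: |
  Report every "user account was created" event (Security event ID 4720)
  together with the account that performed the creation. The endpoint's
  "Audit User Account Management" policy must be enabled, otherwise 4720
  is never written and this artifact reports nothing.
type: CLIENT_EVENT
parameters:
  - name: SecurityLog
    default: C:/Windows/System32/winevt/Logs/Security.evtx
sources:
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      SELECT System.TimeCreated.SystemTime AS EventTime,
             System.Computer AS Computer,
             EventData.TargetUserName AS NewAccount,
             EventData.TargetDomainName AS NewAccountDomain,
             EventData.SubjectUserName AS CreatedBy,
             EventData.SubjectDomainName AS CreatedByDomain
      FROM watch_evtx(filename=SecurityLog)
      WHERE System.EventID.Value = 4720
```

Once enabled for a client label, the rows appear in the server's event stream for that client, where the third-party follow-up action mentioned in slide 22 can pick them up.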
24. Velociraptor:
Searching for file names: one of the most common operations in DFIR is searching for files based on their names.
Content search: YARA is a powerful keyword scanner that allows you to search unstructured binary data based on rules provided by the user.
Binary file analysis: VQL queries can retrieve information by parsing binary files directly.
Proof of execution: Velociraptor has a rich set of artifacts that we can use to infer the execution of programs in Windows and Linux.
Event logs: Velociraptor has a set of artifacts for parsing the Windows event log as well as Unix log files.
Server state (memory and other): traditionally, volatile evidence is captured with a full dump of the system's memory and analysed with frameworks such as Volatility. Velociraptor tries to obtain the same information using the operating system's APIs.
26. AWX Ansible: what are they?
Ansible
• Ansible is an open-source IT automation tool that allows you to automate the provisioning, configuration and deployment of systems and applications.
• It is normally used at the system level to install software, automate daily tasks, provision infrastructure, improve security and compliance levels, and patch systems.
• Ansible connects to target systems and executes the programs, commands and instructions that would previously have been run manually.
• Ansible is agentless and relies on an administrative SSH connection.
AWX
• Provides a web-based user interface, a REST API, and the engine for executing Ansible tasks. It is one of the Red Hat Ansible Automation Platform projects.
27. AWX Ansible architecture
User
• The user administers the platform and writes playbooks.
Playbook
• The playbook defines the tasks that the automation process will have to perform; the tasks are executed in the order in which they are listed. The playbook is written in YAML.
Inventory
• The list of target systems.
Deploy
• A job selects a playbook to apply to an inventory.
• A job is executed over an SSH (Linux + Windows) or WinRM (Windows Remote Management) connection with the administrative credentials of each inventory asset.
28. AWX Ansible
• Free
• Agentless
• Through playbooks you can:
  • install, delete and copy software
  • run bash or PowerShell commands
  • select and collect output
• A playbook can:
  • be executed interactively on a target system
  • become part of a job applied to an asset inventory
• It can be used with on-premises and cloud systems, unlike automation systems such as Terraform, which are only cloud-oriented
29. AWX Ansible
With AWX and Ansible, playbooks can be defined to perform DFIR-type investigations in the way a forensic analyst would perform them on the server.
In fact, the commands that an analyst would execute in carrying out a forensic analysis of a server can become the tasks of a playbook, in which some tasks are executed only if certain conditions are met and other tasks are executed otherwise.
The result is a methodological analysis as if it were done by one person, but instantly distributed across all the systems in the asset inventory.
30. AWX Ansible
The community already has DFIR playbook projects:
• https://github.com/jgru/ansible-forensic-workstation
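A playbook of the kind slide 29 describes, as an added example that is not from the talk and not from the project linked above: the triage steps an analyst would run by hand on one Linux server, applied to every host in the inventory, with the authentication-log task chosen by OS family (the conditional branch the slide mentions) and a SHA-256 manifest recorded for chain of custody. The staging path and the controller directory are assumptions.

```yaml
---
# Added example (not from the talk): one triage playbook applied to every
# host in the inventory. It collects volatile data, chooses the auth log
# by OS family, hashes every collected file for chain of custody and
# fetches the results to the Ansible/AWX controller.
- name: DFIR triage collection
  hosts: all
  become: true
  gather_facts: true
  vars:
    triage_dir: "/tmp/triage-{{ inventory_hostname }}"  # assumed writable on the target
    collector_dir: "./triage"                             # assumed path on the controller
  tasks:
    - name: Create staging directory on the endpoint
      ansible.builtin.file:
        path: "{{ triage_dir }}"
        state: directory
        mode: "0700"

    - name: Capture processes, listening sockets and login history
      ansible.builtin.shell: |
        ps -eo pid,ppid,user,lstart,cmd > "{{ triage_dir }}/ps.txt"
        ss -tulpn > "{{ triage_dir }}/sockets.txt"
        last -Faiw > "{{ triage_dir }}/last.txt"
      changed_when: false

    # Conditional branch: the auth log lives in a different place per family
    - name: Copy the authentication log (RedHat family)
      ansible.builtin.copy:
        src: /var/log/secure
        dest: "{{ triage_dir }}/auth.log"
        remote_src: true
      when: ansible_facts['os_family'] == 'RedHat'

    - name: Copy the authentication log (Debian family)
      ansible.builtin.copy:
        src: /var/log/auth.log
        dest: "{{ triage_dir }}/auth.log"
        remote_src: true
      when: ansible_facts['os_family'] == 'Debian'

    - name: Write a SHA-256 manifest of the collected files (chain of custody)
      ansible.builtin.shell: |
        cd "{{ triage_dir }}" && sha256sum ps.txt sockets.txt last.txt auth.log > manifest.sha256 2>/dev/null || true
      changed_when: false   # auth.log may be absent on other families

    - name: Fetch evidence and manifest to the controller
      ansible.builtin.fetch:
        src: "{{ triage_dir }}/{{ item }}"
        dest: "{{ collector_dir }}/{{ inventory_hostname }}/"
        flat: true
        fail_on_missing: false
      loop: [ps.txt, sockets.txt, last.txt, auth.log, manifest.sha256]
```

Run as an AWX job against the inventory, the same playbook produces one evidence directory per host on the controller, and the manifest lets each file be re-verified later against the hash taken at collection time.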
32. DF & Audit
Audits are normally based on:
• Document examination
• Recordings
• Interviews
• Inspection findings
• Samples
• etc.
Is that enough today?
33. Audit: New scenarios
Internal and external audits are used in certification according to voluntary standards: PCI-DSS, HIPAA, ISO 27001/27002, NIST 800-53, NIS II, DORA, etc.
• The whole scope of compliance requires that audit elements and control results report objective elements acquired with methods that give certainty of source and authenticity.
Internal audit structures are used to look for evidence of non-compliance, wrongdoing or offences to be followed up with disciplinary action or the opening of civil or criminal proceedings.
Internal Audit hired by:
• Governance
• HR
• ODV (Organismo di Vigilanza, the supervisory body)
• Legal Department
34. Audit: New scenarios
The traditional methods of collecting evidence in the context of audits are not sufficient to guarantee the acceptability of evidence in court.
A new approach is needed which, on the basis of the evidence collected, guarantees:
• Acceptability
• Authenticity
• Completeness
• Reliability
Computer Forensics is the methodological and scientific answer to managing IT evidence.
35. Auditing Controls
If the control required by the company is vertical, such as the ex-post analysis of an employee who has left the company, it is certainly possible to operate with traditional DF: disk imaging + analysis.
If the audit or control concerns an OU or the entire organization, particularly when organizations are medium to large, tools such as Velociraptor and AWX Ansible are more suitable to perform a distributed control on all systems in times of the order of minutes or at most hours.
36. Security Standard compliance: enforcing, benchmarking & Audit
Increasingly, during an audit against standards such as PCI-DSS, HIPAA, ISO 27001/27002, NIST 800-53, NIS and DORA, the auditor needs to document the results of the controls also from the point of view of the process followed, in order to ensure the truthfulness and authenticity of the output data that flow into the evidence of the audit.
Digital forensics processes and tools, by their nature, provide this type of guarantee.
Solutions such as AWX + Ansible allow:
• Enforcing security policies and configurations
• Benchmarking the infrastructure against the reference standards for certifications
• Audit: control plan according to the adopted standard, and gap analysis
• Remediation
• Post-remediation audit and compliance certification