ENTERPRISE DIGITAL FORENSICS AND SECURITY WITH
OPEN TOOLS: AUTOMATE AUDITS, CYBER FORENSICS,
AND INCIDENT RESPONSE WITH VELOCIRAPTOR AND
ANSIBLE AWX
Speaker presentation
Doctor of Information Science (Computer Science)
I have been working in IT Security since 1997 and Digital Forensics since 2002
Register of Technical Experts of the Court of Florence
Register of Experts Court of Florence
Register of Technical Consultants of the Chamber of Commerce of Florence
Register of Professors of the Information System of the University of Florence (SIAF)
Register of Experts in Technological Innovation (former Innovation Manager) MISE
List of Arbitrator Consultants of the Chamber of Commerce of Florence
NATO NCAGE AT568 Rating
ECEE Certification: European Certificate on Cybercrime and Electronic Evidence
Information Security Auditor/Lead Auditor - ISO 27001:2013
Co-author, for the computer forensics aspects, of the book "Internet and the damage to the person" published by Giappichelli in 2012
Member of the European Data Protection Board Expert Pool
Clusit Italian Association for Information Security
ONIF: National Observatory of Computer Forensics
CGT: Circolo Giuristi Telematici
ANRA: National Association of Risk Managers
Board of Directors ONIF – National Observatory of Computer Forensics www.onif.it
Promoter and manager of the DataBreach Telegram channel https://t.me/databreach
Promoter and manager of the site on digital evidence collection (repertamento) www.repertamento.it
AlessandroFiorenzi.it
What we'll talk about
• IT investigations and incident response
• Audit
How: digital forensics applied to the business context, with two "differently open" tools:
• Velociraptor © Rapid7
• AWX + Ansible © RedHat
Evolution of business contexts
Companies 10 years ago (2012):
• Companies not fully digitized (a lot of paper)
• Systems on premises, on physical servers
• Small storage
• Lots of small desktop disks
• 32 GB business (private) smartphones were a luxury
• Poorly connected businesses
Companies in 2023:
• Digitized companies
• On-premises and/or cloud systems
• Medium to large storage (20 TB)
• Desktops and laptops with very large disks
• Business smartphones with a minimum of 128 GB
• Hyper-connected businesses
• C2S (client-to-site) VPN for employees and consultants
• S2S (site-to-site) VPN for vendors and maintainers
Problems are also evolving
Dealing with a cyber incident used to mean:
• Identify the perimeter of the systems involved
• Forensic copying of the systems (disk imaging)
• Start the analysis of the forensic copies (time consuming)
• Restore the last backup and carry out remediation actions
Problems today:
• The number of servers and PDLs (postazioni di lavoro, workstations) is much greater
• The size of disks/storage has grown
• The amount of information on PDLs and servers has grown
• Timeliness in responding to an attack/data breach
• It is increasingly difficult to identify with certainty the perimeter concerned
• DF with disk imaging and analysis in a mid-sized business setting is complex and resource-intensive
Source: https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
To follow the evolution of data breaches: https://t.me/databreach
Data breach (chart slide)
Targets of attacks (chart slide)
Security incidents
Data breach
• A security incident in which sensitive, protected or confidential data is accessed, consulted, copied, transmitted, stolen or used by an unauthorised party
Computer incident
• Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption or a reduction in the quality of that service: sabotage, a breach of systems and the theft of IP are computer incidents
DFIR: Digital Forensics and Incident Response
• The use of digital forensics tools and methods in incident response for the collection and analysis of evidence. The management of an incident is a critical event: it can have an impact on the production chain, it can lead to financial and reputational damage, it can affect customer and employee data and require notification to the police or to the Data Protection Authority (Garante Privacy)
• DFIR is the answer to cyber incident management
• DFIR = Digital Forensics + Incident Response
• Digital forensics: processes and tools to collect, store and analyze forensic evidence
• Incident response: containing, blocking and preventing a cyber attack
Enterprises: security solutions
• Many companies are already equipped with these security tools:
  - Firewall
  - Switched network
  - IDS/IPS
  - Proxy browsing protection
  - DNS protection (Umbrella)
  - XDR/EDR
  - SIEM
  - Backup
  - Personal firewall
Companies: security & security incidents
• Is it enough to have all the security solutions just seen to manage a security incident or a data breach?
  - They are useful tools to reduce the risk of an incident
  - They are useful tools for restoring functionality
• The companies:
  - Are organized for the detection of many attack situations, but not all, and never will be 100%
• In the event of a breach, these tools:
  - Are not able to analyse, correlate and search for elements of compromise
  - Are not able to acquire evidence: files, registry keys, folders, databases, etc.
  - Are not able to distribute the search for evidence, IoCs, malware, etc. across all of the company's IT systems
  - Are a wake-up call, but are unable to pinpoint the perimeter involved
In the event of an incident & traditional DF
• I would need a forensic analyst on every PC/server in the perimeter (assuming it has been identified) to collect data on processes, files, hashes and logs, and to build the timeline of the last 76 hours or the last 10 days.
• We never had enough forensic analysts to handle a serious incident in a medium company (200 PDLs, 50 VMs) or a large one (1000-10000 PDLs and 100-3000 VMs)
• However, we have tools that allow us to systematically perform the same operations on all computers, on a group, or on a single computer, regardless of whether they are in the next room, in the Norwegian office or in the cloud in the AWS Asian region
Open solutions for DFIR
Velociraptor
• Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints
• It was created by Michael Cohen, a contributor to Volatility and to the Google Rekall and Google Rapid Response (GRR) projects
• It is open, but was acquired by Rapid7 in 2021
• 23 September 2023: "Rapid7 is excited to announce the integration of Velociraptor DFIR into the Insight Platform for InsightIDR"
• Agent based
AWX + Ansible
• Ansible is software commonly used to automate configuration and management on Unix and Windows systems
• AWX is the web and console service built to enable IT teams to use Ansible
• AWX and Ansible are two open products from RedHat
• Agentless
Velociraptor: architecture
(Architecture diagram; labels on the slide: Velociraptor server, data store & file collections, web interface, HTTPS)
Velociraptor
• Velociraptor is open on GitHub, https://github.com/Velocidex/velociraptor, with binaries for Linux, Windows, Mac and FreeBSD
• A single executable: during configuration you establish the server parameters, generating the configuration files to be used by the clients
• Once the server is configured, proceed to generate the Unix and Windows packages with the configuration derived from the server
• During installation an administrative user is configured; later, other users can be configured with different access profiles
Velociraptor: functional pillars
• VQL, Velociraptor Query Language
• VFS, Virtual File System
• Artifacts
• Hunting
• Monitoring
Velociraptor: VQL
• VQL is a SQL-like language, but simpler, without complex constructs such as "join" and "having"
• The statements are of the type:
• The statements work on the output of the VQL plugins, a large set of basic plugins that extract information from the endpoints and provide their output in columns
• Why a query language? To reduce the time it takes to discover an IoC on business systems: we design a rule to detect the IoC, then execute this query on all the systems in our infrastructure and get an output from each of them in a few seconds or minutes
• Using VQL, in the case of a new IoC the forensic analyst can write the relevant VQL queries, insert them into an artifact and search for the artifact across the entire host estate in a few minutes: TIMELINESS and identification of the affected perimeter
Velociraptor: VFS
• The Velociraptor GUI shows the list of clients. By selecting a client we can examine its filesystem: the VFS is the Virtual File System view of the endpoint
• The VFS is a server-side cache of the file system structure and file data of the endpoint. If a branch of the directory tree is empty, simply request synchronization with the endpoint to capture its contents
• Client VFS cache information is collected at regular intervals or at the first logon
• We can operate on the file system as if we were on the endpoint, also downloading the files of interest to the Velociraptor server
• In the case of NTFS file systems, it is possible to search and access ADS (Alternate Data Stream) data
• For Windows endpoints, you can access the contents of the event log files
Velociraptor: artifacts
• VQL is the main element of Velociraptor: queries can be used interactively on an endpoint, or they can constitute an artifact by placing the queries in a YAML file together with parameters to be set at run time and an understandable description that defines their purpose and use
• Velociraptor is, put bluntly, an executor of VQL queries structured in artifacts against one or n endpoints
• Velociraptor comes with a set of artifacts for Windows, Mac and Linux, but you can build and define new artifacts for specific needs, such as a new IoC, or find them in the Velociraptor community
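As an added example for the VQL and artifact slides (not code from the presentation or the Velociraptor project), the following artifact wraps an IoC hash search in the YAML structure just described: a parameterised VQL query with a description, so that the same query can be collected interactively on one client and then hunted across all of them. The artifact name, the default glob and the hash in HashList are placeholders, and the OSPath column assumes a recent (0.6.x or later) Velociraptor release.

```yaml
# Added example: not code from the presentation or the Velociraptor project.
# Assumes a Velociraptor release whose glob() plugin returns the OSPath
# column (0.6.x and later); the artifact name, the default glob and the
# hash in HashList are placeholders to replace with the case's own values.
name: Custom.Windows.Detection.HashIoC
description: |
  Hash the executables under the user profiles of a Windows endpoint and
  report those whose SHA-256 appears in a list of indicators. Collect it on
  one client interactively first, then schedule the same artifact as a hunt
  to obtain the affected perimeter from every client.
type: CLIENT

parameters:
  - name: SearchGlob
    description: Glob of the files to hash (forward slashes, ** recurses).
    default: C:/Users/**/*.exe
  - name: MaxSize
    description: Skip files larger than this many bytes to bound hashing time.
    type: int
    default: 52428800
  - name: HashList
    description: CSV of lower-case SHA-256 indicators, one per row under Hash.
    type: csv
    default: |
      Hash
      deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef

# Only run on Windows clients; other operating systems return no rows.
precondition: SELECT OS FROM info() WHERE OS = 'windows'

sources:
  - query: |
      -- Lazy stored query: candidate files only. Directories and oversized
      -- files are dropped here, before anything is hashed.
      LET candidates = SELECT OSPath, Size, Mtime
        FROM glob(globs=SearchGlob)
        WHERE NOT IsDir AND Size < MaxSize

      -- hash() returns MD5, SHA1 and SHA256 (lower-case hex); keep only the
      -- rows whose SHA256 is in the Hash column of the CSV parameter.
      SELECT OSPath, Size, Mtime, hash(path=OSPath).SHA256 AS SHA256
      FROM candidates
      WHERE SHA256 IN HashList.Hash
```

Upload it under the Custom. prefix, collect it on a single client to validate the parameters, then launch a hunt with the same artifact: the clients that return rows are the affected perimeter.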
Velociraptor: hunting
• The Hunt Manager is the Velociraptor component responsible for scheduling the execution of a collection of artifacts on the set of clients that meet certain criteria
• Hunting consists of retrieving the information specified by the artifacts from all managed endpoints
• Once an attack pattern has been identified, an ad hoc VQL query can be developed, tested in interactive mode, transformed into an artifact and used for hunting operations
Velociraptor: monitoring
• Endpoint monitoring is done through hunts. For this purpose there are plugins, called "Event VQL plugins", which run constantly on the endpoint
• Starting from queries that use this type of plugin, it is possible to define artifacts, and hunts that contain them, that keep running waiting for events on the clients and send them to the server when they occur
• Through integration with third-party systems, a follow-up action can be set
Velociraptor: let's investigate
• We can define VQL queries to search for specific elements (IoCs, hashes, IPs, registry keys, file names, logs, etc.) from the command line, on one endpoint or on all of them
• We can search for Linux, Mac and Windows artifacts with parameters, e.g. timeline construction
• We can traverse the endpoint's file system, capture metadata, ADS (NTFS) and more from the files, select them and capture them
• We can browse and query the Windows event log
• We can hunt, i.e. collect artifacts cyclically (use of the root or administrator user, creation of a local user)
• Through hunts, we can monitor endpoint conditions against specific artifacts
Velociraptor: DFIR operations
• Searching for file names: one of the most common operations in DFIR is searching for files based on their names
• Content search: YARA is a powerful keyword scanner that searches unstructured binary data based on rules provided by the user
• Binary file analysis: with VQL, Velociraptor can retrieve information even by parsing binary files directly
• Proof of execution: Velociraptor has a rich set of artifacts that we can use to infer program execution on Windows and Linux
• Event logs: Velociraptor has a set of artifacts for parsing the Windows event log as well as Unix log files
• Server state (memory and other): traditionally, volatile evidence is captured with a full dump of the system's memory and analysed with frameworks such as Volatility. Velociraptor tries to obtain the same information using the operating system's APIs
Velociraptor: references
• https://www.rapid7.com/products/velociraptor/
• https://github.com/Velocidex/velociraptor
• https://docs.velociraptor.app/
• Discord: https://discord.com/invite/YAU3vRE
AWX Ansible: what are they?
Ansible
• Ansible is an open-source IT automation tool that lets you automate the provisioning, configuration and deployment of systems and applications
• It is normally used at the system level to install software, automate daily tasks, provision infrastructure, improve security and compliance levels and patch systems
• Ansible connects to target systems and executes programs, commands and instructions that would previously have been run manually
• Ansible is agentless and relies on an administrative SSH connection
AWX
• Provides a web-based user interface, a REST API and the engine for executing Ansible tasks. It is one of the RedHat Ansible Automation Platform projects
AWX Ansible architecture
User
• The user administers the platform and writes playbooks
Playbook
• The playbook defines the tasks that the automation process will perform; the tasks are executed in the order in which they are listed. The playbook is written in YAML
Inventory
• The list of target systems
Deploy
• A job selects a playbook to apply to an inventory
• A job is executed over an SSH (Linux and Windows) or WinRM (Windows Remote Management) connection with the administrative credentials of each inventory asset
AWX Ansible
• Free
• Agentless
• Through playbooks you can:
  - Install software, delete, copy
  - Run bash or PowerShell commands
  - Select and collect output
• A playbook can:
  - Be executed interactively on a target system
  - Become part of a job applied to an asset inventory
• It can be used with on-premises and cloud systems, unlike automation systems such as Terraform, which are only cloud-oriented
AWX Ansible
With AWX and Ansible, playbooks can be defined to perform DFIR-type investigations in the way a forensic analyst would perform them on the server. In fact, the commands that an analyst would execute when carrying out a forensic analysis of a server can become the tasks of a playbook, in which some tasks are executed only if certain conditions are met and other tasks otherwise. The result is a methodological analysis, as if it were done by one person, but instantly distributed across all the systems in the asset inventory.
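The following playbook is an added example of that idea (it is not code from the presentation or from the projects it cites): the same two questions an analyst would ask at the console, running processes and listening sockets, become tasks whose when: condition selects the Linux or the Windows commands, with the output stored and hashed on the controller so that the collection is repeatable and its integrity verifiable. It assumes an inventory mixing Linux hosts (SSH with sudo) and Windows hosts (WinRM), the ansible.windows collection on the controller, and a writable evidence directory on the controller; case_id is a placeholder.

```yaml
---
# Added example, not from the presentation or the projects it cites.
# Assumes an inventory mixing Linux hosts (SSH, sudo) and Windows hosts
# (WinRM), the ansible.windows collection on the controller, and a
# writable evidence directory on the controller; case_id is a placeholder.
- name: DFIR live response triage across the inventory
  hosts: all
  gather_facts: true
  vars:
    case_id: "CASE-PLACEHOLDER"
    evidence_root: "/var/dfir/{{ case_id }}"
    host_dir: "{{ evidence_root }}/{{ inventory_hostname }}"

  tasks:
    - name: Create the per-host evidence directory on the controller
      ansible.builtin.file:
        path: "{{ host_dir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost

    # Same questions on every OS; the when: on each block picks the right
    # commands, so a single job covers the whole perimeter.
    - name: Volatile data from Linux hosts
      when: ansible_facts['os_family'] != 'Windows'
      block:
        - name: Processes with parent, owner, start time and full command line
          ansible.builtin.command: ps -eo pid,ppid,user,lstart,args
          register: lnx_ps
          changed_when: false

        - name: Listening sockets and owning processes
          ansible.builtin.command: ss -tulpn
          register: lnx_net
          changed_when: false
          become: true

    - name: Volatile data from Windows hosts
      when: ansible_facts['os_family'] == 'Windows'
      block:
        - name: Processes with parent and full command line
          ansible.windows.win_shell: >-
            Get-CimInstance Win32_Process |
            Select-Object ProcessId,ParentProcessId,Name,CommandLine |
            ConvertTo-Csv -NoTypeInformation
          register: win_ps
          changed_when: false

        - name: Listening TCP endpoints and owning processes
          ansible.windows.win_shell: >-
            Get-NetTCPConnection -State Listen |
            Select-Object LocalAddress,LocalPort,OwningProcess |
            ConvertTo-Csv -NoTypeInformation
          register: win_net
          changed_when: false

    # A skipped task still registers its variable, so pick the block that ran.
    - name: Keep the output of whichever block ran on this host
      ansible.builtin.set_fact:
        collections:
          processes: "{{ (win_ps if win_ps is not skipped else lnx_ps).stdout }}"
          sockets: "{{ (win_net if win_net is not skipped else lnx_net).stdout }}"

    # Evidence is written on the controller, never on the suspect host.
    - name: Store each collection as a file on the controller
      ansible.builtin.copy:
        content: "{{ item.value }}\n"
        dest: "{{ host_dir }}/{{ item.key }}.txt"
        mode: "0600"
      loop: "{{ collections | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      delegate_to: localhost

    - name: Hash the evidence files (SHA-256)
      ansible.builtin.stat:
        path: "{{ host_dir }}/{{ item.key }}.txt"
        checksum_algorithm: sha256
      loop: "{{ collections | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      register: evidence_stat
      delegate_to: localhost

    - name: Append host, file, hash and collection time to the custody manifest
      ansible.builtin.lineinfile:
        path: "{{ evidence_root }}/manifest.csv"
        create: true
        mode: "0600"
        line: "{{ inventory_hostname }},{{ item.item.key }},{{ item.stat.checksum }},{{ ansible_date_time.iso8601 }}"
      loop: "{{ evidence_stat.results }}"
      loop_control:
        label: "{{ item.item.key }}"
      delegate_to: localhost
      throttle: 1
```

Run it as an AWX job against the incident inventory; the manifest.csv on the controller records, per host and per collection, the SHA-256 of the file and the time of collection.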
AWX Ansible
The community already has DFIR playbook projects:
• https://github.com/jgru/ansible-forensic-workstation
• https://github.com/brian-olson/ansible-live-response (SANS 2019)
DF & Audit
Audits are normally based on:
• Documentary examination
• Records
• Interviews
• Inspection findings
• Samples
• etc.
Is that enough today?
Audit: new scenarios
• Internal and external audits are used for certification according to voluntary standards
• Internal audit structures are used to look for evidence of non-compliance, wrongdoing or offences, to be followed up with disciplinary action or the opening of civil or criminal proceedings
Audit: new scenarios (continued)
PCI-DSS, HIPAA, ISO 27001/27002, NIST 800-53, NIS II, DORA, etc.
• The whole scope of compliance requires that audit elements and control results report objective elements acquired with methods that give certainty of source and authenticity
Internal audits commissioned by:
• Governance
• HR
• ODV (Organismo di Vigilanza, the supervisory body)
• Legal department
The traditional methods of collecting evidence in the context of audits are not sufficient to guarantee the admissibility of the evidence in court.
A new approach is needed which guarantees, for the evidence collected:
• Admissibility
• Authenticity
• Completeness
• Reliability
Computer forensics is the methodological and scientific answer for managing IT evidence.
Auditing controls
• If the control required by the company is vertical, such as the ex-post analysis of an employee who has left the company, it is certainly possible to operate with traditional DF: disk imaging + analysis
• If the audit or control concerns an OU or the entire organization, particularly in medium to large organizations, tools such as Velociraptor and AWX Ansible are more suitable for performing a distributed control on all systems in times in the order of minutes or at most hours
Security standard compliance: enforcing, benchmarking & audit
Increasingly, during an audit against standards such as PCI-DSS, HIPAA, ISO 27001/27002, NIST 800-53, NIS and DORA, the auditor needs to document the results of the controls also from the point of view of the process followed, in order to ensure the truthfulness and authenticity of the output data that flow into the audit evidence.
Digital forensics processes and tools, by their nature, provide this type of guarantee.
Solutions such as AWX+Ansible allow:
• Enforcing security policy and configuration
• Benchmarking the infrastructure against the reference standards for certifications
• Audit:
  - Control plan according to the adopted standard, and gap analysis
  - Remediation
  - Post-remediation audit and compliance certification
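As an added example of that control plan / gap analysis / remediation / post-remediation audit cycle (not code from the presentation), the following playbook reads the effective OpenSSH configuration of each Linux host, compares it with a small control set, writes a per-host finding report on the controller as audit evidence, and changes nothing unless it is explicitly run with -e remediate=true; running it again afterwards without that flag is the post-remediation audit. It assumes an inventory group named linux reached over SSH with sudo, a service name of sshd, and a writable report directory on the controller; the CTRL-nn identifiers are placeholders, not references to a real standard.

```yaml
---
# Added example, not from the presentation. Assumes an inventory group
# "linux" reached over SSH with sudo, the OpenSSH service known as "sshd"
# (Ubuntu aliases it), and a writable report directory on the controller.
# The control IDs are placeholders, not identifiers from a real standard.
- name: SSH hardening audit with gap analysis and optional remediation
  hosts: linux
  become: true
  vars:
    remediate: false                      # -e remediate=true to fix the gaps
    report_dir: "/var/audit/{{ ansible_date_time.date }}"
    controls:                             # key as printed by `sshd -T`
      - { id: CTRL-01, key: passwordauthentication, expected: "no" }
      - { id: CTRL-02, key: permitrootlogin, expected: "no" }
      - { id: CTRL-03, key: x11forwarding, expected: "no" }
      - { id: CTRL-04, key: maxauthtries, expected: "4" }

  tasks:
    - name: Read the effective sshd configuration (running values, not the file)
      ansible.builtin.command: sshd -T
      register: sshd_t
      changed_when: false

    - name: Turn the "key value" lines into a dictionary
      ansible.builtin.set_fact:
        effective: "{{ dict(sshd_t.stdout_lines | map('split', ' ', 1)) }}"

    - name: Evaluate every control against the effective value
      ansible.builtin.set_fact:
        findings: >-
          {{ findings | default([]) + [ {
               'id': item.id, 'key': item.key, 'expected': item.expected,
               'actual': effective.get(item.key, 'unset'),
               'status': 'PASS' if effective.get(item.key, 'unset') == item.expected else 'FAIL'
             } ] }}
      loop: "{{ controls }}"
      loop_control:
        label: "{{ item.id }}"

    - name: Create the report directory on the controller
      ansible.builtin.file:
        path: "{{ report_dir }}"
        state: directory
        mode: "0750"
      delegate_to: localhost
      become: false
      run_once: true

    - name: Write the per-host gap analysis (audit evidence)
      ansible.builtin.copy:
        content: "{{ findings | to_nice_json }}\n"
        dest: "{{ report_dir }}/{{ inventory_hostname }}-sshd.json"
        mode: "0640"
      delegate_to: localhost
      become: false

    # sshd honours the first occurrence of a keyword while lineinfile edits
    # the last match, so a duplicate or an Include drop-in can leave the
    # effective value unchanged: the post-remediation run of this play, which
    # re-reads `sshd -T`, is what confirms the fix took effect.
    - name: Remediate only the failed controls, only when explicitly requested
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "(?i)^\\s*#?\\s*{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.expected }}"
        validate: "sshd -t -f %s"
      loop: "{{ findings | selectattr('status', 'equalto', 'FAIL') | list }}"
      loop_control:
        label: "{{ item.id }}"
      when: remediate | bool
      notify: Reload sshd

  handlers:
    - name: Reload sshd
      ansible.builtin.service:
        name: sshd
        state: reloaded
```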
Development of an audit (diagram slide)
Finally…
"The future depends on what we do in the present" (Mahatma Gandhi)
Dott. Alessandro Fiorenzi
Email af@studiofiorenzi.it
Mobile: +393487920172
https://www.studiofiorenzi.it

More Related Content

What's hot

[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
CODE BLUE
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
CTIN
 

What's hot (20)

Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Ransomware Resistance
Ransomware ResistanceRansomware Resistance
Ransomware Resistance
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Security and Privacy of Machine Learning
Security and Privacy of Machine LearningSecurity and Privacy of Machine Learning
Security and Privacy of Machine Learning
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 

Similar to Enterprise Digital Forensics and Secuiryt with Open Source tools: Automate Audits, Cyber Forensics and incident response with Velociraptor and Ansible AWX

Application Of An Operating System Security
Application Of An Operating System SecurityApplication Of An Operating System Security
Application Of An Operating System Security
Amber Wheeler
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
karlhennesey
 
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN  SAGAN SOLUTION & PCI COMPLIANCEEASING THE COMPLIANCE BURDEN  SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
Alex Himmelberg
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
Kranthi
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
azfayel
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
CTIN
 

Similar to Enterprise Digital Forensics and Secuiryt with Open Source tools: Automate Audits, Cyber Forensics and incident response with Velociraptor and Ansible AWX (20)

Big security for big data
Big security for big dataBig security for big data
Big security for big data
 
IRJET- Analysis of Forensics Tools in Cloud Environment
IRJET-  	  Analysis of Forensics Tools in Cloud EnvironmentIRJET-  	  Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud Environment
 
Assingment 5 - ENSA
Assingment 5 - ENSAAssingment 5 - ENSA
Assingment 5 - ENSA
 
Application Of An Operating System Security
Application Of An Operating System SecurityApplication Of An Operating System Security
Application Of An Operating System Security
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
 
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN  SAGAN SOLUTION & PCI COMPLIANCEEASING THE COMPLIANCE BURDEN  SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout Session
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
 
SplunkLive! - Splunk for Security
SplunkLive! - Splunk for SecuritySplunkLive! - Splunk for Security
SplunkLive! - Splunk for Security
 
ICPSR Data Managment
ICPSR Data ManagmentICPSR Data Managment
ICPSR Data Managment
 
Splunk for vmware virtualization customer presentation
Splunk for vmware virtualization customer presentationSplunk for vmware virtualization customer presentation
Splunk for vmware virtualization customer presentation
 
2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm2 20613 qualys_top_10_reports_vm
2 20613 qualys_top_10_reports_vm
 
Intellinx.z watch
Intellinx.z watchIntellinx.z watch
Intellinx.z watch
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
Release 16 EP6 - What's New in EnCase & Tableau
Release 16 EP6 - What's New in EnCase & Tableau Release 16 EP6 - What's New in EnCase & Tableau
Release 16 EP6 - What's New in EnCase & Tableau
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
security onion
security onionsecurity onion
security onion
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 
McAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMMcAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEM
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity Renaissance
 

Recently uploaded

一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
Airst S
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
F La
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
Airst S
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
Airst S
 
Sanctions and types of Sanctions in Ibnternational law along with its scope a...
Sanctions and types of Sanctions in Ibnternational law along with its scope a...Sanctions and types of Sanctions in Ibnternational law along with its scope a...
Sanctions and types of Sanctions in Ibnternational law along with its scope a...
uttamuditi
 
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
ss
 
一比一原版(UC Davis毕业证书)加州大学戴维斯分校毕业证原件一模一样
一比一原版(UC Davis毕业证书)加州大学戴维斯分校毕业证原件一模一样一比一原版(UC Davis毕业证书)加州大学戴维斯分校毕业证原件一模一样
一比一原版(UC Davis毕业证书)加州大学戴维斯分校毕业证原件一模一样
doypbe
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
Airst S
 
Types of Agricultural markets LLB- SEM I
Types of Agricultural markets LLB- SEM ITypes of Agricultural markets LLB- SEM I
Types of Agricultural markets LLB- SEM I
yogita9398
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
ss
 
一比一原版(Columbia毕业证书)哥伦比亚大学毕业证原件一模一样
一比一原版(Columbia毕业证书)哥伦比亚大学毕业证原件一模一样一比一原版(Columbia毕业证书)哥伦比亚大学毕业证原件一模一样
一比一原版(Columbia毕业证书)哥伦比亚大学毕业证原件一模一样
doypbe
 
Article 12 of the Indian Constitution law
Article 12 of the Indian Constitution lawArticle 12 of the Indian Constitution law
Article 12 of the Indian Constitution law
yogita9398
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
Airst S
 

Recently uploaded (20)

Jim Eiberger Rental Agreement Redacted Former Lease.docx
Jim Eiberger Rental Agreement Redacted Former Lease.docxJim Eiberger Rental Agreement Redacted Former Lease.docx
Jim Eiberger Rental Agreement Redacted Former Lease.docx
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
 
Sanctions and types of Sanctions in Ibnternational law along with its scope a...
Sanctions and types of Sanctions in Ibnternational law along with its scope a...Sanctions and types of Sanctions in Ibnternational law along with its scope a...
Sanctions and types of Sanctions in Ibnternational law along with its scope a...
 
Who is Spencer McDaniel? And Does He Actually Exist?
Who is Spencer McDaniel? And Does He Actually Exist?Who is Spencer McDaniel? And Does He Actually Exist?
Who is Spencer McDaniel? And Does He Actually Exist?
 
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
一比一原版(UNSW毕业证书)新南威尔士大学毕业证如何办理
 
Career As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsCareer As Legal Reporters for Law Students
Career As Legal Reporters for Law Students
 
Mischief Rule of Interpretation of statutes
Mischief Rule of Interpretation of statutesMischief Rule of Interpretation of statutes
Mischief Rule of Interpretation of statutes
 
From Scratch to Strong: Introduction to Drafting of Criminal Cases and Applic...
From Scratch to Strong: Introduction to Drafting of Criminal Cases and Applic...From Scratch to Strong: Introduction to Drafting of Criminal Cases and Applic...
From Scratch to Strong: Introduction to Drafting of Criminal Cases and Applic...
 
一比一原版(UC Davis毕业证书)加州大学戴维斯分校毕业证原件一模一样
一比一原版(UC Davis毕业证书)加州大学戴维斯分校毕业证原件一模一样一比一原版(UC Davis毕业证书)加州大学戴维斯分校毕业证原件一模一样
一比一原版(UC Davis毕业证书)加州大学戴维斯分校毕业证原件一模一样
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
 
Types of Agricultural markets LLB- SEM I
Types of Agricultural markets LLB- SEM ITypes of Agricultural markets LLB- SEM I
Types of Agricultural markets LLB- SEM I
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
一比一原版(Columbia毕业证书)哥伦比亚大学毕业证原件一模一样
一比一原版(Columbia毕业证书)哥伦比亚大学毕业证原件一模一样一比一原版(Columbia毕业证书)哥伦比亚大学毕业证原件一模一样
一比一原版(Columbia毕业证书)哥伦比亚大学毕业证原件一模一样
 
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
 
Article 12 of the Indian Constitution law
Article 12 of the Indian Constitution lawArticle 12 of the Indian Constitution law
Article 12 of the Indian Constitution law
 
posts-harmful-to-secular-structure-of-the-country-539103-1.pdf
posts-harmful-to-secular-structure-of-the-country-539103-1.pdfposts-harmful-to-secular-structure-of-the-country-539103-1.pdf
posts-harmful-to-secular-structure-of-the-country-539103-1.pdf
 
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
一比一原版(JCU毕业证书)詹姆斯库克大学毕业证如何办理
 

Enterprise Digital Forensics and Secuiryt with Open Source tools: Automate Audits, Cyber Forensics and incident response with Velociraptor and Ansible AWX

  • 1. + ENTERPRISE DIGITAL FORENSICS AND SECURITY WITH OPEN TOOLS: AUTOMATE AUDITS, CYBER FORENSICS, AND INCIDENT RESPONSE WITH VELOCIRAPTOR AND ANSIBLE AWX
  • 2. Presentations 2 Doctor of Information Science (Computer Science) I have been working in IT Security since 1997 and Digital Forensics since 2002 Register of Technical Experts of the Court of Florence Register of Experts Court of Florence Register of Technical Consultants of the Chamber of Commerce of Florence Register of Professors of the Information System of the University of Florence (SIAF) Register of Experts in Technological Innovation (former Innovation Manager) MISE List of Arbitrator Consultants of the Chamber of Commerce of Florence NATO NCAGE AT568 Rating ECEE Certification: European Certificate on Cybercrime and Electronic Evidence Information Security Auditor/Lead Auditor - ISO 27001:2013 Co-author for the aspects of computer forensics of the book "Internet and the damage to the person" published by Giappichelli in 2012 Member of the Europena Data Protection Board Expert Pool Clusit Italian Association for Information Security ONIF: National Observatory of Computer Forensics CGT: Circolo Giuristi Telematici ANRA: National Association of Risk Managers Board of Directors ONIF – National Observatory of Computer Forensics www.onif.it Promoter and manager of the DataBreach Telegram channel https://t.me/databreach Promoter and manager of the site on the IT retrieval www.repertamento.it AlessandroFiorenzi.it
  • 3. What we'll talk about • IT investigations and incident response • Audit • Digital forensics applied to the business context • How: with two "differently open" instruments • Velociraptor © Rapid7 • AWX + Ansible © Red Hat
  • 4. Evolution of business contexts • Companies 10 years ago, in 2012: • companies not fully digitized (a lot of paper) • systems on premises, on physical servers • small storage • lots of small desktop disks • 32 GB business (or personal) smartphones were a luxury • poorly connected businesses • Companies in 2023: • digitized companies • on-premises and/or cloud systems • medium to large storage (20 TB) • desktops and laptops with very large disks • business smartphones with at least 128 GB • hyper-connected businesses • client-to-site (C2S) VPNs for employees and consultants • site-to-site (S2S) VPNs for vendors and maintainers
  • 5. Problems are also evolving • Dealing with a cyber incident used to mean: • identify the perimeter of the systems involved • forensic copying of the systems (disk imaging) • start the analysis of the forensic copies (time consuming) • restore the last backup and carry out remediation • Problems today: • the number of servers and workstations (PdL) is much greater • the size of disks and storage has grown • the amount of information on workstations and servers has grown • timeliness in responding to an attack or data breach matters • it is increasingly difficult to identify the affected perimeter with certainty • digital forensics based on disk imaging and analysis is complex and resource-intensive in mid-sized business settings
  • 9. Security incidents • Data breach: a security incident in which sensitive, protected or confidential data is accessed, viewed, copied, transmitted, stolen or used by an unauthorized party • Cyber incident: any event that is not part of the standard operation of a service and that causes, or may cause, an interruption or a reduction in the quality of that service; sabotage, a breach of systems and the theft of IP are all cyber incidents
  • 10. DFIR: Digital Forensics and Incident Response • The use of digital forensics tools and methods in incident response for the collection and analysis of evidence. Managing an incident is a critical event: it can affect the production chain, cause financial and reputational damage, affect customer and employee data, and require notification to the police or to the Data Protection Authority (in Italy, the Garante) • DFIR is the answer to cyber incident management • DFIR = Digital Forensics + Incident Response • Digital forensics: processes and tools to collect, preserve and analyse forensic evidence • Incident response: containing, blocking and preventing a cyber attack
  • 11. Enterprises: security solutions • Many companies are already equipped with these security tools: • firewall • switched network • IDS/IPS • proxy with browsing protection • DNS protection (e.g. Cisco Umbrella) • XDR/EDR • SIEM • backup • personal firewall
  • 12. Companies: security and security incidents • Is having all the security solutions just listed enough to manage a security incident or a data breach? • They are useful tools for reducing the risk of an incident • They are useful tools for restoring service • Companies are organized to detect many attack situations, but not all of them, and never will be at 100% • In the event of a breach, these tools: • cannot analyse, correlate and search for indicators of compromise • cannot acquire evidence: files, registry keys, folders, databases, etc. • cannot distribute a search for evidence, IoCs, malware, etc. across all of the company's IT systems • raise the alarm but cannot pinpoint the perimeter involved
  • 13. In the event of an incident, with traditional DF • I would need a forensic analyst on every PC and server in the perimeter (assuming it has been identified) to collect data on processes, files, hashes and logs and to build the timeline of the last 76 hours or the last 10 days • We never had enough forensic analysts to handle a serious incident in a medium company (200 workstations, 50 VMs) or a large one (1,000 to 10,000 workstations, 100 to 3,000 VMs) • However, we have tools that let us perform the same operations systematically on all computers, on a group, or on a single computer, regardless of whether it is in the next room, in the Norwegian office, or in the cloud in an AWS Asian region
  • 14. Open solutions for DFIR • Velociraptor: • an advanced digital forensic and incident response tool that enhances your visibility into your endpoints • created by Michael Cohen, a contributor to Volatility and to the Google Rekall and Google Rapid Response (GRR) projects • open source; its maker, Velocidex, was acquired by Rapid7 in 2021 • 23 September 2023: "Rapid7 is excited to announce the integration of Velociraptor DFIR into the Insight Platform for InsightIDR" • agent-based • AWX + Ansible: • Ansible is software commonly used to automate configuration and management of Unix and Windows systems • AWX is the web and console service built to let IT teams use Ansible • AWX and Ansible are two open products from Red Hat • agentless
  • 15. Velociraptor: Architecture (architecture diagram; only its labels survive: data store and file collections, web interface, https)
  • 16. Velociraptor • Velociraptor is open source on GitHub, https://github.com/Velocidex/velociraptor, with binaries for Linux, Windows, macOS and FreeBSD • It is a single executable: during configuration you set the server parameters and generate the configuration files to be used by the clients • Once the server is configured, you generate the Unix and Windows packages with the client configuration derived from the server • During installation an administrative user is created; other users with different access profiles can be added later
  • 17. Velociraptor: functional pillars • VQL, the Velociraptor Query Language • VFS, the Virtual File System • Artifacts • Hunting • Monitoring
  • 18. Velociraptor: VQL • VQL is a SQL-like language, but simpler: it has no complex constructs such as JOIN or HAVING • The statements are of the type: • Statements operate on the output of VQL plugins, a large set of built-in plugins that extract information from the endpoint and return it as rows and columns • Why a query language? To reduce the time it takes to discover an IoC on business systems: we write a rule that detects the IoC, run that query on all the systems in our infrastructure, and get an output from each of them within seconds or minutes • With VQL, when a new IoC appears the forensic analyst writes the relevant queries, wraps them in an artifact, and searches for it across the entire host estate in a few minutes: TIMELINESS and identification of the affected perimeter
  • 19. Velociraptor: VFS • The Velociraptor GUI shows the list of clients; selecting a client lets us examine its filesystem through the VFS, the Virtual File System view of the endpoint • The VFS is a server-side cache of the directory structure and file data of the endpoint: if a branch of the tree is empty, we request a refresh from the endpoint to fetch its contents • The VFS cache for a client is populated on request (for example at the first browse), not kept in sync automatically • We can work on the file system as if we were on the endpoint, including downloading files of interest to the Velociraptor server • On NTFS file systems it is possible to search for and access Alternate Data Streams (ADS) • On Windows endpoints we can access the contents of the event logs (EVTX)
  • 20. Velociraptor: Artifacts • VQL is the core of Velociraptor: queries can be run interactively against an endpoint, or packaged into an Artifact by placing them in a YAML file with parameters to be set at run time and a readable description that defines their purpose and use • Put bluntly, Velociraptor is an executor of VQL queries, structured as artifacts, against one or n endpoints • Velociraptor ships with a set of artifacts for Windows, macOS and Linux; you can build new artifacts for specific needs, such as a new IoC, or find them in the Velociraptor community
  • 21. Velociraptor: Hunting • The Hunt Manager is the Velociraptor component that schedules the collection of a set of artifacts from the set of clients that meet certain criteria • Hunting consists of collecting the information specified by the artifacts from all managed endpoints, including those that come online later • Once an attack pattern has been identified, an ad hoc VQL query can be developed, tested interactively, turned into an artifact, and used in a hunt
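  The three slides above (VQL, artifacts, hunting) describe one workflow: write a query, wrap it in an artifact, hunt with it. The artifact below is an added example written for this page, not one of Velociraptor's built-in artifacts nor anything from the presentation. The artifact name, the search glob, the size cap and the two SHA256 values are assumptions (the hashes are constructed placeholders, not real IoCs). It assumes a Velociraptor release in which glob() exposes the OSPath column.

```yaml
name: Custom.Windows.IOC.HashSearch
description: |
  Added example artifact: walk a glob on the endpoint, hash every regular
  file under a size cap and report those whose SHA256 is in the supplied
  IoC list. Run it interactively on one client to test the query, then
  launch it as a hunt to sweep every client.
type: CLIENT
parameters:
  - name: SearchGlob
    description: Where to look. Velociraptor accepts forward slashes on Windows.
    default: C:/Users/*/AppData/**/*.exe
  - name: IOCHashes
    description: Known-bad SHA256 hashes, one per row (constructed placeholders).
    type: csv
    default: |
      SHA256
      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
      d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
  - name: MaxSize
    description: Skip files larger than this many bytes to keep the hunt cheap.
    type: int
    default: 50000000
sources:
  - query: |
      // Materialize the IoC list once per client; hashes.SHA256 is then a plain list.
      LET hashes <= SELECT SHA256 FROM IOCHashes

      // VQL evaluates columns lazily and short-circuits AND, so hash() only
      // runs for regular files that already passed the size check.
      SELECT OSPath, Size, Mtime,
             hash(path=OSPath).SHA256 AS SHA256
      FROM glob(globs=SearchGlob)
      WHERE NOT IsDir
        AND Size < MaxSize
        AND SHA256 IN hashes.SHA256
```

  The artifact is added to the server through the GUI's artifact editor, after which it appears in the artifact list for both single-client collections and hunts; a hunt started with it returns, per client, only the rows that matched, which is exactly the "affected perimeter" the VQL slide talks about. hash() returns lowercase hex, so the IoC list must be lowercase too.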
  • 22. Velociraptor: Monitoring • Endpoint monitoring is not done with one-off hunts but with event artifacts, built on the "event VQL plugins" that keep running on the endpoint • Queries that use these plugins are packaged as client event artifacts; once assigned to clients through the client monitoring configuration they stay resident, waiting for events on the client and sending them to the server as they occur • Through integration with third-party systems, a follow-up action can be triggered
  • 23. Velociraptor: let's investigate • We can write VQL queries to search for specific elements (IoCs, hashes, IPs, registry keys, file names, logs, etc.) and run them from the console against one endpoint or all of them • We can run the Windows, Linux and macOS artifacts with parameters, e.g. to build a timeline • We can traverse the endpoint's file system, capture file metadata, ADS (NTFS) and more, select files and collect them • We can browse and query the Windows event logs • We can hunt, i.e. run an artifact across the whole fleet, including clients that come online later (for example, use of the root or Administrator account, or the creation of a local user) • Through event artifacts, we can continuously monitor endpoint conditions against specific artifacts
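  The monitoring slide and the "creation of a local user" item above are best shown as a client event artifact. The one below is an added example for this page, not a built-in artifact and not from the presentation; the artifact name is an assumption, and the event fields are those of Windows Security event 4720 ("a user account was created").

```yaml
name: Custom.Windows.Events.LocalUserCreated
description: |
  Added example client event artifact: stays resident on the endpoint and
  forwards Security event 4720 to the server as soon as it is written,
  instead of waiting for the next hunt to find it.
type: CLIENT_EVENT
sources:
  - query: |
      // watch_evtx() is an event plugin: it tails the log and emits each
      // new record as a row, so this query never terminates on its own.
      SELECT System.TimeCreated.SystemTime AS Time,
             System.Computer AS Host,
             EventData.TargetUserName AS NewUser,
             EventData.SubjectUserName AS CreatedBy,
             EventData.SubjectLogonId AS LogonId
      FROM watch_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx')
      WHERE System.EventID.Value = 4720
```

  The difference from the hash-search artifact is the type: a CLIENT artifact runs to completion once per collection, a CLIENT_EVENT artifact is assigned to clients in the client monitoring configuration and keeps streaming rows to the server until it is removed. Event 4720 only appears if account-management auditing is enabled on the endpoint, so an empty stream does not mean no account was created.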
  • 24. Velociraptor: typical tasks • Searching for file names: one of the most common operations in DFIR is searching for files by name • Content search: YARA is a powerful pattern scanner that searches unstructured binary data according to user-supplied rules • Binary file analysis: VQL can parse binary file formats directly with its built-in parsers, so evidence can be extracted from binary files without a separate tool • Proof of execution: Velociraptor has a rich set of artifacts that let us infer program execution on Windows and Linux • Event logs: Velociraptor has artifacts for parsing the Windows event logs as well as Unix log files • System state (memory and other volatile data): traditionally volatile evidence is captured with a full dump of system memory and analysed with a framework such as Volatility; Velociraptor obtains much of the same information live through the operating system's APIs
  • 25. Velociraptor: references • https://www.rapid7.com/products/velociraptor/ • https://github.com/Velocidex/velociraptor • https://docs.velociraptor.app/ • Discord https://discord.com/invite/YAU3vRE
  • 26. AWX and Ansible: what are they? • Ansible: • an open-source IT automation tool for automating the provisioning, configuration and deployment of systems and applications • normally used at the system level to install software, automate daily tasks, provision infrastructure, improve security and compliance levels, and patch systems • it connects to the target systems and runs the programs, commands and instructions that would previously have been run by hand • it is agentless and relies on an administrative SSH connection (WinRM on Windows) • AWX: • provides the web user interface, the REST API and the engine for executing Ansible jobs; it is one of the projects behind the Red Hat Ansible Automation Platform
  • 27. AWX and Ansible architecture • User: administers the platform and writes playbooks • Playbook: defines the tasks the automation will perform, executed in the order in which they are listed; written in YAML • Inventory: the list of target systems • Deploy: a job applies a playbook to an inventory; it runs over SSH (Linux, and Windows with OpenSSH) or WinRM (Windows Remote Management) with the administrative credentials of each inventory asset
  • 28. AWX and Ansible • Free • Agentless • Through playbooks you can: • install, delete and copy software and files • run bash or PowerShell commands • select and collect their output • A playbook can: • be run interactively against a target system • become part of a job applied to an asset inventory • It works with on-premises and cloud systems alike, unlike provisioning tools such as Terraform, which are built to create infrastructure rather than to operate on the hosts already running
  • 29. AWX and Ansible • With AWX and Ansible, playbooks can be defined to perform DFIR-type investigations the way a forensic analyst would perform them on the server • The commands an analyst would run during the forensic analysis of a server become the tasks of a playbook, where some tasks run only if certain conditions are met and other tasks run otherwise • The result is a methodical analysis, as if done by one person, but distributed instantly across all the systems in the asset inventory
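  The playbook below is an added example for this page, written to show the slide's idea in code; it is not from the presentation and not a published project. Assumed: an inventory group `dfir_scope` (Windows hosts with `ansible_connection: winrm` and the `ansible.windows` collection installed), an `./evidence` directory on the controller, and a constructed list of IoC paths. It collects volatile state in order of volatility, fetches IoC files only where they exist, and records a SHA256 of everything it saved.

```yaml
---
# Added example: distributed volatile-state triage with Ansible.
# Group name, evidence path and IoC paths are assumptions for illustration.
- name: Distributed volatile-state triage on the suspected perimeter
  hosts: dfir_scope
  gather_facts: true
  vars:
    evidence_root: "./evidence"
    case_dir: "{{ evidence_root }}/{{ inventory_hostname }}"
    # Constructed IoC list: paths a previous analysis flagged (assumption).
    ioc_paths:
      - /tmp/.update.sh
      - /var/tmp/kworker
  tasks:
    - name: Per-host evidence directory on the controller
      ansible.builtin.file:
        path: "{{ case_dir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost

    - name: Volatile state, most volatile first (Linux)
      ansible.builtin.shell: |
        echo "== collected (UTC) $(date -u +%Y-%m-%dT%H:%M:%SZ) on $(hostname) =="
        echo "== logged-in users =="; who -a
        echo "== processes =="; ps -eo pid,ppid,user,lstart,args
        echo "== sockets =="; ss -tunap
        echo "== recent logins =="; last -n 50 -F
        echo "== cron =="; cat /etc/crontab; ls -la /etc/cron.d /var/spool/cron 2>/dev/null
      register: triage
      changed_when: false          # collection only, never reported as a change
      when: ansible_facts['os_family'] != 'Windows'

    - name: Same state from Windows hosts (PowerShell over WinRM)
      ansible.windows.win_shell: |
        "== collected (UTC) $((Get-Date).ToUniversalTime().ToString('o')) on $env:COMPUTERNAME =="
        Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,CreationDate,CommandLine | Format-List
        Get-NetTCPConnection -State Listen,Established | Format-Table -AutoSize
        Get-LocalUser | Format-Table Name,Enabled,LastLogon
      register: triage_win
      changed_when: false
      when: ansible_facts['os_family'] == 'Windows'

    - name: Stat the IoC paths and hash them in place (Linux)
      ansible.builtin.stat:
        path: "{{ item }}"
        checksum_algorithm: sha256
      loop: "{{ ioc_paths }}"
      register: ioc_stat
      when: ansible_facts['os_family'] != 'Windows'

    # Conditional task: only hosts where the IoC exists give up a copy.
    - name: Fetch IoC files that actually exist
      ansible.builtin.fetch:
        src: "{{ item.stat.path }}"
        dest: "{{ case_dir }}/ioc/"
        flat: true
      loop: "{{ ioc_stat.results | default([]) }}"
      loop_control:
        label: "{{ item.item }}"
      when: item.stat is defined and item.stat.exists

    - name: Save the triage output on the controller
      ansible.builtin.copy:
        content: "{{ (triage if triage is not skipped else triage_win).stdout }}\n"
        dest: "{{ case_dir }}/volatile.txt"
        mode: "0600"
      delegate_to: localhost

    - name: Hash what was saved (integrity record for the case file)
      ansible.builtin.stat:
        path: "{{ case_dir }}/volatile.txt"
        checksum_algorithm: sha256
      register: saved
      delegate_to: localhost

    - name: Append the hash to the case-wide SHA256SUMS
      ansible.builtin.lineinfile:
        path: "{{ evidence_root }}/SHA256SUMS"
        line: "{{ saved.stat.checksum }}  {{ inventory_hostname }}/volatile.txt"
        create: true
        mode: "0600"
      delegate_to: localhost
      throttle: 1                  # one writer at a time on the shared file
```

  Run as `ansible-playbook -i inventory triage.yml`; in AWX the same file becomes a job template applied to the inventory. The `when` clauses are the slide's "tasks executed only if certain conditions are met": the IoC fetch runs only where the stat found the file, so the hosts that return a copy are the perimeter. The per-host SHA256SUMS line is what lets the analyst later show that what is in the case folder is what was collected.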
  • 30. AWX and Ansible • The community already has DFIR playbook projects: https://github.com/jgru/ansible-forensic-workstation
  • 32. DF and Audit • Audits are normally based on: • document review • records • interviews • inspection findings • samples • etc. • Is that enough today?
  • 33. Audit: new scenarios • Internal and external audits are used for certification against voluntary standards • Internal audit structures are used to look for evidence of non-compliance, wrongdoing or offences to be followed up with disciplinary action or the opening of civil or criminal proceedings • PCI-DSS, HIPAA, ISO 27001/27002, NIST 800-53, NIS2, DORA, etc.: the whole compliance landscape requires that audit elements and control results report objective elements acquired with methods that give certainty of source and authenticity • Internal audits are commissioned by: • governance • HR • the Supervisory Body (OdV) • the legal department
  • 34. Audit: new scenarios • The traditional methods of collecting evidence in audits are not sufficient to guarantee that the evidence will be accepted in court • A new approach is needed which guarantees, for the evidence collected: • acceptability • authenticity • completeness • reliability • Computer forensics is the methodological and scientific answer for managing IT evidence
  • 35. Auditing controls • If the control the company requires is vertical, such as the ex-post analysis of an employee who has left the company, it is certainly possible to operate with traditional DF: disk imaging plus analysis • If the audit or control concerns an OU or the entire organization, especially in medium to large organizations, tools such as Velociraptor and AWX + Ansible are more suitable for performing a distributed control on all systems, in minutes or at most hours
  • 36. Security standard compliance: enforcing, benchmarking and audit • Increasingly, during an audit against standards such as PCI-DSS, HIPAA, ISO 27001/27002, NIST 800-53, NIS and DORA, the auditor has to document the results of the controls also in terms of the process followed, to ensure the truthfulness and authenticity of the output data that become the audit evidence • Digital forensics processes and tools, by their nature, provide this kind of guarantee • Solutions such as AWX + Ansible allow: • enforcing security policies and configurations • benchmarking the infrastructure against the reference standards for certification • audit: a control plan according to the adopted standard, and gap analysis • remediation • post-remediation audit • compliance certification
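  The benchmark, remediation and post-remediation audit sequence on this slide maps onto one playbook. The one below is an added example for this page, not from the presentation and not a published hardening baseline; it checks a single control (SSH root login disabled), which is an assumption chosen for illustration, as are the group name `linux_scope` and the `remediate` switch. The audit step reads the daemon's effective configuration rather than the file, so it reports what sshd actually enforces.

```yaml
---
# Added example: audit one control, remediate only on request, re-audit.
#   ansible-playbook -i inventory ssh_control.yml                 -> audit only
#   ansible-playbook -i inventory ssh_control.yml -e remediate=true
- name: Audit, optionally remediate, and re-audit one SSH control
  hosts: linux_scope
  become: true
  vars:
    remediate: false
    expected: "permitrootlogin no"      # as printed by `sshd -T`
  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
  tasks:
    - name: Read the effective sshd configuration (what the daemon applies, not the file)
      ansible.builtin.command: sshd -T   # add -C user=... if Match blocks are in use
      register: before
      changed_when: false

    # Audit record: fails the host, never changes it. ignore_errors keeps the
    # run going so every host in scope is reported, not just the first failure.
    - name: Control PermitRootLogin, pre-remediation
      ansible.builtin.assert:
        that: expected in before.stdout_lines
        fail_msg: "NON-COMPLIANT {{ inventory_hostname }}: {{ before.stdout_lines | select('match', '^permitrootlogin') | join(',') }}"
        success_msg: "compliant: {{ inventory_hostname }}"
      register: audit_before
      ignore_errors: true

    # Remediation is a separate, explicitly requested step, applied only where
    # the control failed; validate runs `sshd -t` on the candidate file first.
    - name: Remediate where requested and where the control failed
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^\s*#?\s*PermitRootLogin\b'
        line: "PermitRootLogin no"
        validate: "sshd -t -f %s"
      when: remediate | bool and audit_before is failed
      notify: restart sshd

    - name: Restart now so the re-audit sees the new configuration
      ansible.builtin.meta: flush_handlers

    - name: Re-read the effective configuration, post-remediation
      ansible.builtin.command: sshd -T
      register: after
      changed_when: false
      when: remediate | bool

    - name: Gap report after remediation (fails the play for hosts still non-compliant)
      ansible.builtin.assert:
        that: expected in after.stdout_lines
        fail_msg: "STILL NON-COMPLIANT {{ inventory_hostname }}"
      when: remediate | bool
```

  Without `-e remediate=true` the play is a pure benchmark: the first assert is the control result per host and nothing is touched. With it, only the hosts recorded as failing are changed, and the second read of `sshd -T` is the post-remediation audit the slide asks for; both reads are in the job output, which is the process record the auditor needs.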
  • 37. Developing an audit
  • 38. Finally… "The future depends on what we do in the present" (Mahatma Gandhi) Dott. Alessandro Fiorenzi Email af@studiofiorenzi.it Mobile: +393487920172 https://www.studiofiorenzi.it