
Windows Incident Response is hard, but doesn't have to be



How to prepare yourself for an incident, there are many things you can do to prepare yourself

Malware Archaeology

Published in: Technology


  1. Incident Response is haaaaard
     But it doesn’t have to be
     Michael Gough – Founder
  2. Who am I
     • Blue Team Defender Ninja, Malware Archaeologist, Logoholic
     • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
     • Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet”, “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet”, “Malware Management Framework”
     • Co-Creator of “Log-MD” – Log Malicious Discovery Tool
       – CoHost – Brakeing Down Incident Response PodCast (BDIR)
  3. Background
     • I worked for a video gaming company that got pwned BAD by the Chinese Winnti group
     • They got by all the security tools
     • Like Red Teams often do
     • So what did we learn and How did we catch them?
  4. Background
     • I was asked by an IR consulting firm, with all the organizations I deal with, are any of them mature?
     • Sadly.. No.
     • They buy stuff, think prevention works, but lack Security 101, the basics they already have
  5. Prevention vs. Reduction
     • I do not like or believe in “Prevention”
     • If prevention worked.. Why are we all here learning?
     • Or still buying security solutions?
     • “Reduction” is a more realistic term
     • We reduce our likelihood of an incident and/or the attack surface that can be taken advantage of or exploited
  7. Preparation
     • Security 101, the basics, is sadly ignored, or IT and management do not understand it well enough
       – Maybe that includes InfoSec
     • If you do some basic things, that by the way are FREE and you already have, an incident is MUCH easier and faster to deal with
     • It is also why we caught the WinNTI hacks, and many others since
  8. Prepare
     • Help us help YOU!
     • Show of hands
     • How many of you have Windows Advanced Audit Policies configured to at least the CIS Benchmarks or the “Windows Logging Cheat Sheet(s)”?
  9. Prepare
     • Security 101
     • Enable your logs to collect all the things
     • Increase the size of the local log so you can collect more than minutes
     • Enable Command Line Logging – PLEEEEEASE
     • NIX and Apple have logs too
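The three "Security 101" steps on this slide (enable audit subcategories, grow the local logs, turn on command line logging) can be done and verified with built-in tools. The script below is an added example, not from the deck and not part of LOG-MD or ARTHIR; the subcategory list, the registry path and the log sizes are example values chosen here, not the cheat sheet's figures, so size them from your own baseline.

```powershell
# Added example, not from the slides: enable the logging the deck asks for and verify it.
# Run from an elevated PowerShell on the host being configured (or push the same settings
# with Group Policy). Subcategory list, registry path and log sizes are example values.

# Advanced Audit Policy subcategories, Success and Failure. auditpol.exe is built in.
$subcategories = @(
    'Process Creation',           # 4688 (carries the command line once enabled below)
    'Logon',                      # 4624 / 4625
    'User Account Management',    # 4720 new account, 4722 enabled, 4738 changed, ...
    'Security System Extension',  # 4697 service installed
    'Other Object Access Events'  # 4698 scheduled task created
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Include the process command line in 4688 events (off by default).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Grow the local logs so they hold days, not minutes. wevtutil takes the size in bytes.
wevtutil sl Security    /ms:1073741824   # 1 GB
wevtutil sl System      /ms:268435456    # 256 MB
wevtutil sl Application /ms:268435456
wevtutil sl 'Microsoft-Windows-PowerShell/Operational' /ms:268435456

function Test-LoggingPrep {
    # Report anything that is still not set the way we want; returns 'OK' when clean.
    $problems = @()
    foreach ($sub in $subcategories) {
        # auditpol /r emits CSV with an 'Inclusion Setting' column.
        $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
        if ($row.'Inclusion Setting' -ne 'Success and Failure') {
            $problems += "Audit '$sub' is '$($row.'Inclusion Setting')'"
        }
    }
    $cmdline = (Get-ItemProperty -Path $auditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    if ($cmdline -ne 1) { $problems += 'Command line logging is not enabled' }
    $secLog = Get-WinEvent -ListLog Security
    if ($secLog.MaximumSizeInBytes -lt 1GB) { $problems += "Security log max size is $($secLog.MaximumSizeInBytes) bytes" }
    if ($problems.Count -eq 0) { 'OK: logging prep verified' } else { $problems }
}

Test-LoggingPrep
```

Run the same `Test-LoggingPrep` function on its own against a fleet (over WinRM, as the later slides suggest) to find hosts where Group Policy has not applied; a host that reports "Command line logging is not enabled" will produce 4688 events with an empty command line, which is exactly the gap the slide is warning about.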
  10. Prepare
      • Do you have a Log Management solution, EDR, or other security “prevention” solution?
      • EDR solutions can often collect local logs as files or add them to the triage
      • Log Management, obviously with a good agent collecting the “right things”, provides a TON of data for incident investigation
      • Logs can make it easier and faster to deal with an incident, or for an IR firm to find it faster, thus cheaper for you in the long run
  11. Prepare
      Do you, or can you, monitor for…
        – New account creation?
        – Admin accounts logging in to multiple systems?
        – New Service creations?
        – New Task creations?
        – Email, VPN, Citrix, Cloud logins?
        – Suspicious processes in C:\Users?
      • Not without better logging you can’t
  12. Prepare
      • You can’t monitor for anything if you don’t enable the logging to collect the RIGHT things
      • Then you can collect them and monitor for all kinds of things
      • IF.. You have a log management solution
      • But still, the logging MUST be enabled or I can’t even use ARTHIR (Demo 2pm Friday) and LOG-MD-Pro (come to our booth) to hunt for artifacts of an incident
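Once the audit settings from slide 9 are in place, most of the "can you monitor for…" list on slide 11 (new accounts, new services, new tasks, processes running out of C:\Users) is answerable from the local event logs alone; the same query also covers the "suspicious executions in C:\Users dirs" hunt on slide 29. The script below is an added example, not from the deck and not LOG-MD or ARTHIR code; the 24-hour lookback, the C:\Users path test and the output shape are assumptions. Cross-host correlation such as one admin account logging in to many systems needs the logs centralised in a log management solution, as the slide says.

```powershell
# Added example, not from the slides: pull the "can you monitor for..." items out of the
# local Security and System logs with the built-in Get-WinEvent. Requires the audit
# settings that produce 4720, 4697, 4698 and 4688 (with command line). The lookback
# window and the C:\Users check are assumptions for illustration.

function Get-EventData {
    # Turn an event's <EventData> into a hashtable keyed by each Data element's Name,
    # so fields are addressed by name rather than by fragile positional index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-PrepFindings {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $findings = @()

    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4697, 4698, 4688; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        $d = Get-EventData $e
        switch ($e.Id) {
            4720 { $findings += [pscustomobject]@{ Time = $e.TimeCreated; Type = 'NewAccount'; Detail = "$($d.TargetDomainName)\$($d.TargetUserName) created by $($d.SubjectUserName)" } }
            4697 { $findings += [pscustomobject]@{ Time = $e.TimeCreated; Type = 'NewService'; Detail = "$($d.ServiceName) -> $($d.ServiceFileName)" } }
            4698 { $findings += [pscustomobject]@{ Time = $e.TimeCreated; Type = 'NewTask';    Detail = "$($d.TaskName) by $($d.SubjectUserName)" } }
            4688 {
                # Processes started from user-writable profile directories.
                if ($d.NewProcessName -like 'C:\Users\*') {
                    $findings += [pscustomobject]@{ Time = $e.TimeCreated; Type = 'UserDirExec'; Detail = "$($d.NewProcessName) :: $($d.CommandLine)" }
                }
            }
        }
    }

    # 7045 in the System log is written by the Service Control Manager even when
    # Security auditing for 4697 is not enabled, so check both.
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $sys) {
        $d = Get-EventData $e
        $findings += [pscustomobject]@{ Time = $e.TimeCreated; Type = 'NewService7045'; Detail = "$($d.ServiceName) -> $($d.ImagePath) ($($d.StartType))" }
    }
    return $findings | Sort-Object Time
}

Get-PrepFindings -Hours 24 | Format-Table -AutoSize -Wrap
```

If `Get-PrepFindings` returns 4688 rows with an empty `CommandLine`, command line logging is not enabled on that host; if it returns no 4697 rows while 7045 rows exist, the "Security System Extension" subcategory is not audited.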
  13. Prepare
      • Have you considered a Free/Paid cloud logging solution that you can push agents out to all your assets, and enable the agent IF you have an incident, to get logs to a Cloud Log Management solution that you or an IR firm can use to investigate?
      • Pay as you need it, but prepare to use it
      • Humio for example has a Free/Paid solution – ~5 systems, 2GB per day, 7 day retention for free
  14. MORE THAN LOGS
  15. Prepare
      • Local account passwords
      • Is anyone using LAPS? Local Administrator Password Solution
      • Unique password for each local admin stored in AD
      • Makes it harder for lateral movement
      • Causes failed logins if used, alerting you
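LAPS only helps on the computers where the client is actually rotating the password, so the practical check is which computer objects have no LAPS expiration timestamp at all, or one that is already in the past. The script below is an added example, not from the deck; it assumes the RSAT ActiveDirectory module and the LAPS schema extension (attribute `ms-Mcs-AdmPwdExpirationTime`). It reads only the expiration timestamp, never the password attribute.

```powershell
# Added example, not from the slides: find domain computers not actually covered by LAPS.
# Assumes the RSAT ActiveDirectory module and the LAPS schema extension
# (ms-Mcs-AdmPwdExpirationTime). Only the expiration timestamp is read, never the
# password attribute, so this does not need the rights LAPS reserves for password readers.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    $now = Get-Date
    Get-ADComputer -Filter { Enabled -eq $true } -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            # The attribute is a Windows FILETIME (100 ns ticks since 1601). Absent means the
            # LAPS client has never written a password for this computer.
            $expires = if ($raw) { [datetime]::FromFileTime([int64]$raw) } else { $null }
            $status  = if (-not $raw) { 'NoLaps' } elseif ($expires -lt $now) { 'Expired' } else { 'OK' }
            [pscustomobject]@{ Computer = $_.Name; OS = $_.OperatingSystem; PasswordExpires = $expires; Status = $status }
        }
}

# Everything that is not OK is a host whose local admin password may still be the shared one.
Get-LapsCoverage | Where-Object Status -ne 'OK' | Sort-Object Status, Computer | Format-Table -AutoSize
```

"Expired" entries are worth a look as well as "NoLaps": a password past its expiry that has not been rotated usually means the client stopped applying policy on that host.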
  16. Prepare
      • Group Policy security
      • There are all kinds of things you can do
      • DerbyCon 2019 Sean Metcalf of ADSecurity did a great job and is coming out with a White Paper on it
        – on9/1-18-active-directory-security-beyond-the-easy-button-sean-metcalf
      • Slow them down, make noise, or break recon and other exploited things
  17. Prepare
      • 2-Factor anyone?
      • If you have Email, Citrix, VPN, RDP, etc. facing the Internet, you are vulnerable
      • MFA will cripple attacks from cred stealing campaigns and passwords harvested from other breaches, and make noise too, alerting you
      • This will help with so many things that hit organizations today: ransomware, RDP attacks, stolen or recycled creds, etc.
  18. Prepare
      • How about email…
      • How many are blocking the known bad file extensions?
        – Sept 2019 – 38 added by Microsoft
      • extensions-in-outlook-for-the-web/
        – These have been around a while
      • attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
  19. Prepare
      • Better yet, have you considered changing the way these extensions act when a user double-clicks them?
      • Group Policy to the rescue
      • Change the double-click to open, say, Notepad
      • Anything that executes a script engine could/should be broken if double-clicked
      • This will not affect how scripts are properly called, just mouse-happy clicking users
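The "double-click opens Notepad" change is a registry change: the script file classes under HKLM\SOFTWARE\Classes each have a Shell\Open\Command value that names the script engine, and pointing it at notepad.exe is what Group Policy Preferences (Registry) would push fleet-wide. The script below is an added example, not from the deck, for doing and checking that on one host; the class list and the choice of notepad.exe are assumptions, so pilot it before a broad rollout. Explicit invocation (`cscript.exe foo.vbs`, `powershell.exe -File foo.ps1`, a scheduled task naming the engine) is unaffected, which is the slide's point.

```powershell
# Added example, not from the slides: make double-clicking script files open Notepad
# instead of the script engine by rewriting the shell "open" command of the script
# file classes in HKLM. Run elevated. The class list and notepad.exe are assumptions.

$scriptClasses = @('JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile', 'htafile')
$notepad = '"C:\Windows\System32\notepad.exe" "%1"'

function Set-ScriptDoubleClickToNotepad {
    foreach ($class in $scriptClasses) {
        $key = "HKLM:\SOFTWARE\Classes\$class\Shell\Open\Command"
        if (-not (Test-Path $key)) { continue }   # class not registered on this build
        $before = (Get-ItemProperty -Path $key).'(default)'
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
        [pscustomobject]@{ Class = $class; Before = $before; After = $notepad }
    }
}

function Test-ScriptDoubleClick {
    # Report every script class whose open command still points at a script engine.
    # HKCU\Software\Classes overrides HKLM for that user, so a full check looks there too.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        foreach ($class in $scriptClasses) {
            $key = "$hive\$class\Shell\Open\Command"
            if (-not (Test-Path $key)) { continue }
            $cmd = (Get-ItemProperty -Path $key).'(default)'
            [pscustomobject]@{ Hive = $hive; Class = $class; OpenCommand = $cmd; Hardened = ($cmd -like '*notepad.exe*') }
        }
    }
}

Set-ScriptDoubleClickToNotepad | Format-Table -AutoSize -Wrap
Test-ScriptDoubleClick        | Format-Table -AutoSize -Wrap
```

`.ps1` is already opened by Notepad on a default Windows install, which is why it is not in the list; the classes above are the ones whose default handler is wscript.exe or mshta.exe.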
  20. Network Prep
      • Can you see Producer Consumer Ratio (PCR) in your network gear?
        – -1 to +1 range
      • Closer to +1 indicates exfil
      • Can you see it?
      • How about DNS TXT records?
      • Length can indicate bad
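PCR is computed per internal host over a time window from flow (NetFlow/IPFIX or firewall) byte counts: PCR = (bytes out − bytes in) / (bytes out + bytes in), so −1 is a pure consumer (a workstation downloading), 0 is balanced and +1 is a pure producer (uploading). The script below is an added example, not from the deck; the flow records are constructed and the +0.5 alert threshold is an assumption. Role matters when reading the result: a backup or mail server is legitimately a producer, so baseline by host role before alerting.

```powershell
# Added example, not from the slides: Producer Consumer Ratio per internal host from
# flow records. PCR = (out - in) / (out + in). Records and threshold are constructed.

# Constructed flow records (one row per src/dst pair over the window).
$flows = @(
    [pscustomobject]@{ Src = '10.0.1.15'; Dst = '93.184.216.34'; BytesOut =   52000; BytesIn = 4100000 }  # web browsing
    [pscustomobject]@{ Src = '10.0.1.15'; Dst = '10.0.0.5';      BytesOut =   81000; BytesIn =  620000 }  # file share pull
    [pscustomobject]@{ Src = '10.0.1.42'; Dst = '198.51.100.7';  BytesOut = 9400000; BytesIn =   35000 }  # large upload to one external host
    [pscustomobject]@{ Src = '10.0.1.42'; Dst = '93.184.216.34'; BytesOut =   12000; BytesIn =  300000 }
    [pscustomobject]@{ Src = '10.0.1.77'; Dst = '10.0.0.9';      BytesOut =  500000; BytesIn =  500000 }  # balanced, PCR 0
)

function Get-Pcr {
    param([Parameter(Mandatory)][object[]]$Flows, [double]$AlertAbove = 0.5)
    $Flows | Group-Object Src | ForEach-Object {
        # Aggregate all of a host's flows for the window before taking the ratio.
        $out = ($_.Group | Measure-Object BytesOut -Sum).Sum
        $in  = ($_.Group | Measure-Object BytesIn  -Sum).Sum
        $pcr = if (($out + $in) -eq 0) { 0 } else { ($out - $in) / ($out + $in) }
        [pscustomobject]@{
            Host     = $_.Name
            BytesOut = $out
            BytesIn  = $in
            PCR      = [math]::Round($pcr, 3)
            Flag     = if ($pcr -gt $AlertAbove) { 'Producer: review for exfil' } else { '' }
        }
    }
}

# With the constructed data: 10.0.1.42 -> 0.931 (flagged), 10.0.1.77 -> 0, 10.0.1.15 -> -0.945.
Get-Pcr -Flows $flows | Sort-Object PCR -Descending | Format-Table -AutoSize
```

Compute it per window (for example hourly) and compare with the host's own history; a workstation that moves from −0.9 to +0.9 is more interesting than a server that has always sat near +0.8.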
  21. Email and Web Prep
      • Show of hands
      • How many BLOCK unregistered domains?
      • These domains have not been categorized, and are heavily used for bad
      • Can you prepare to block them in the event of an incident?
  22. WINRM PowerShell Remoting
  23. Prepare
      • Does everyone have an enterprise solution that can run something on a remote system in your organization?
      • Would you believe you already have one…
      • It’s FREE
      • It’s built-in, so no agent needed
      • Windows Remote Management (WinRM)
      • PowerShell to the rescue
      • Come see the ARTHIR Demo Fri at 2pm ;-)
  24. Prepare
      • WinRM is a free option that you can use to execute commands and tools remotely
      • You can secure who runs it using the Windows Firewall
      • Again, it logs things so you can monitor who does what
  25. Prepare
      • Enable the Windows Firewall!!!
      • Stop lateral movement
      • Secure WinRM
      • Better logging!!!
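Slides 23 to 25 are one procedure: enable WinRM, keep the Windows Firewall on, scope the WinRM rules so only your management network can reach the listener, and make sure what runs over it is logged. The script below is an added example, not from the deck and not ARTHIR; the management subnet 10.0.100.0/24 and the host name used in the smoke test are placeholders. It runs elevated on the managed host, or the same settings are pushed by Group Policy.

```powershell
# Added example, not from the slides: enable PowerShell Remoting, restrict the WinRM
# listener to a management subnet with the Windows Firewall, turn on script block
# logging, and verify. Subnet and host name below are placeholders.

$mgmtSubnet = '10.0.100.0/24'

# 1. Listener plus the "Windows Remote Management (HTTP-In)" firewall rules.
Enable-PSRemoting -Force | Out-Null

# 2. The firewall must actually be on for every profile, or the scoping below is moot.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 3. Only the management subnet may reach TCP 5985 (and 5986 if HTTPS is configured).
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Set-NetFirewallRule -RemoteAddress $mgmtSubnet -Enabled True

# 4. Script block logging, so what runs over WinRM lands in
#    Microsoft-Windows-PowerShell/Operational (4104). WinRM itself logs session
#    activity to Microsoft-Windows-WinRM/Operational.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

function Test-WinRmPrep {
    # $ComputerName is a placeholder; use the short host name so the -eq check matches.
    param([string]$ComputerName = 'PLACEHOLDER-HOST')
    $result = [ordered]@{}
    $result.ListenerUp     = [bool](Test-WSMan -ErrorAction SilentlyContinue)
    # Any WinRM rule still scoped to 'Any' means the listener is reachable from everywhere.
    $result.FirewallScoped = -not (Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
                                   Get-NetFirewallAddressFilter |
                                   Where-Object { $_.RemoteAddress -eq 'Any' })
    $result.ScriptBlockLog = (Get-ItemProperty -Path $sbl).EnableScriptBlockLogging -eq 1
    # Remote execution smoke test (needs a reachable host and admin rights on it).
    try {
        $name = Invoke-Command -ComputerName $ComputerName -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop
        $result.RemoteExec = ($name -eq $ComputerName)
    } catch { $result.RemoteExec = $false }
    [pscustomobject]$result
}

Test-WinRmPrep
```

Each `Invoke-Command` run this way produces a WinRM/Operational session event on the target and, with script block logging on, a 4104 event carrying the script that ran, which is the "it logs things so you can monitor who does what" from slide 24.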
  26. HUNTING
  27. Hunting
      • Some say Hunting is the creation of a hypothesis and then you go searching for it
      • I say do that AFTER you search for obvious well known artifacts/IOCs
      • ~90% of attacks have several things in common
  28. Hunting
      • If you do good preparation, then IR becomes MUCH easier and faster to do
      • By you, us, or an IR Consultancy
      • It also enables you to be able to hunt, as you will have a LOT more data you can use and hunt with
      • Remember that WinRM and ARTHIR… (Demo 2pm Friday)
        – It’s FREE!!!!
      • You can look and verify that you DON’T have certain things proactively; we call this HUNTING
  29. Hunting
      • I say hunt for things to know you DON’T have them, and eliminate them if you do
        – AutoRuns
        – Large Keys containing payloads or scripts
        – Null byte entries in the registry hiding entries
        – Suspicious WMI database entries
        – Suspicious PowerShell executions, obfuscation
        – Suspicious executions in C:\Users dirs
        – Suspicious Admin / LOLBin executions
        – Injected processes
        – Many more
  30. Hunting
      • If you hunt for things that are found in 90% of today’s malware on your systems, you can eliminate them, or reduce the probability that obvious indicators are present without your knowing
      • This helps you in an incident too; you can use the same tool(s) and logic to apply to an incident
      • Because you prepared and enabled things
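Three of the artifact classes on slide 29 (autorun entries, large registry values carrying payloads or scripts, and WMI subscription entries) can be checked on a host with nothing but built-in cmdlets, which is the "know you DON'T have them" check; run the same functions over WinRM and you have the fleet-wide version. The script below is an added example, not from the deck and not LOG-MD; the key list, the 1 KB "large value" threshold and the string patterns are assumptions. Null-byte registry names are the one item it cannot cover: the standard registry provider cannot read them, which is why that hunt needs a tool using native registry APIs.

```powershell
# Added example, not from the slides: a local hunt over autorun registry locations and
# permanent WMI event subscriptions. Key list, size threshold and patterns are assumptions.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Regex fragments worth a second look in an autorun value: user-profile paths, script
# engines and LOLBins, encoded PowerShell.
$patterns = 'C:\\Users\\', 'powershell', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32', '-enc', 'FromBase64String'

function Find-SuspiciousAutoruns {
    param([int]$LargeValueBytes = 1024)
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # provider metadata, not registry values
            $data = [string]$p.Value
            $reasons = @()
            if ($data.Length -gt $LargeValueBytes) { $reasons += "large value ($($data.Length) bytes)" }
            foreach ($pat in $patterns) { if ($data -match $pat) { $reasons += "matches '$pat'" } }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Location = $key
                    Name     = $p.Name
                    Reasons  = $reasons -join '; '
                    Data     = $data.Substring(0, [math]::Min(120, $data.Length))
                }
            }
        }
    }
}

function Get-WmiSubscriptions {
    # Every filter-to-consumer binding, with the query that triggers it and what it runs.
    # A clean host usually has none beyond known vendor entries, so review each one.
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer  -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        [pscustomobject]@{
            Filter   = $b.Filter.Name
            Query    = $f.Query
            Consumer = $b.Consumer.Name
            Action   = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

Find-SuspiciousAutoruns | Format-Table -AutoSize -Wrap
Get-WmiSubscriptions    | Format-Table -AutoSize -Wrap
```

Keep the output from a known-clean build as a baseline; on the next run, anything new in either table is the thing to investigate, and the tables are small enough that a diff is practical.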
  31. MITRE ATT&CK
  32. MITRE ATT&CK
      • You can map your preparation to MITRE ATT&CK
      • You can map your hunts to the ATT&CK Techniques
      • Help know you DON’T have these things going on in your environment
      • Preparation helps you do this, and will help you during an incident
  33. MITRE ATT&CK
      • ATT&CK gives you things to map your defenses to, or what you can do and have; everyone will have gaps
      • Knowing the gaps allows you to prepare better and identify items for budget
      • What do your current defenses map to?
      • Prepare means know what you can and can NOT do, have, or do NOT have
  34. CONCLUSION
  35. Conclusion
      • IR is Harrrrd, but it doesn’t have to be
      • Preparation is key
      • Security 101, enable what you have
      • Block well known exploited file types
      • Disable the users’ double-click of bad file types
      • Block unknown domains, or prepare to
      • Unique local admin passwords
      • Prep your network to see things
      • Enable something to allow you to hunt
      • Map what you have to MITRE ATT&CK
  36. Resources
      LOG-MD.COM
      • Websites
        – The tool – Free on GitHub
      • The “Windows Logging Cheat Sheet(s)” –
      • This presentation and others on SlideShare – Search for MalwareArchaeology or LOG-MD
  37. Resources
      • – bycon9/1-18-active-directory-security-beyond-the-easy-button-sean-metcalf
  38. Questions?
      LOG-MD.COM
      You can find us at:
      •
      • @HackerHurricane
      •