
Windows Incident Response is hard, but doesn't have to be

How to prepare yourself for an incident: there are many things you can do to prepare.

Malware Archaeology
LOG-MD

  1. Incident Response is haaaaard – But it doesn’t have to be
     Michael Gough – Founder, MalwareArchaeology.com / IMFSecurity.com
     MalwareArchaeology.com
  2. Who am I
     • Blue Team Defender Ninja, Malware Archaeologist, Logoholic
     • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
     • Creator of the “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet”, “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” and “Malware Management Framework”
     • Co-Creator of “Log-MD” – Log Malicious Discovery Tool
     • Co-Host – Brakeing Down Incident Response Podcast (BDIR)
  3. Background
     • I worked for a video gaming company that got pwned BAD by the Chinese Winnti group
     • They got by all the security tools
     • Like Red Teams often do
     • So what did we learn, and how did we catch them?
  4. Background
     • I was asked by an IR consulting firm: with all the organizations I deal with, are any of them mature?
     • Sadly.. No.
     • They buy stuff, think prevention works, but lack Security 101, the basics they already have
  5. Prevention vs. Reduction
     • I do not like or believe in “Prevention”
     • If prevention worked.. why are we all here learning?
     • Or still buying security solutions?
     • “Reduction” is a more realistic term
     • We reduce our likelihood of an incident and/or the attack surface that can be taken advantage of or exploited
  6. PREPARATION
  7. Preparation
     • Security 101, the basics, is sadly ignored, or IT and management do not understand it well enough – maybe that includes InfoSec
     • If you do some basic things, that by the way are FREE and you already have, an incident is MUCH easier and faster to deal with
     • It also is why we caught the Winnti hacks, and many others since
  8. Prepare
     • Help us help YOU!
     • Show of hands
     • How many of you have Windows Advanced Audit Policies configured to at least the CIS Benchmarks or the “Windows Logging Cheat Sheet(s)”?
  9. Prepare
     • Security 101
     • Enable your logs to collect all the things
     • Increase the size of the local log so you can collect more than minutes
     • Enable Command Line Logging – PLEEEEEASE
     • NIX and Apple have logs too
  10. Prepare
     • Do you have a Log Management solution, EDR, or other security “prevention” solution?
     • EDR solutions can often collect local logs as files or add them to the triage
     • Log Management, obviously with a good agent collecting the “right things”, provides a TON of data for incident investigation
     • Logs can make it easier and faster to deal with an incident, or for an IR firm to find it faster, thus cheaper for you in the long run
  11. Prepare
     Do you, or can you, monitor for…
     – New account creation?
     – Admin accounts logging in to multiple systems?
     – New Service creations?
     – New Task creations?
     – Email, VPN, Citrix, Cloud logins?
     – Suspicious processes in C:\Users?
     • Not without better logging you can’t
  12. Prepare
     • You can’t monitor for anything if you don’t enable the logging to collect the RIGHT things
     • Then you can collect them and monitor for all kinds of things
     • IF.. you have a log management solution
     • But still, the logging MUST be enabled or I can’t even use ARTHIR (Demo 2pm Friday) and LOG-MD-Pro (come to our booth) to hunt for artifacts of an incident
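What "monitoring for" the slide 11 items looks like once the slide 12 logging is on, as an added PowerShell example that is not from the deck or from LOG-MD/ARTHIR. It assumes the Advanced Audit Policy subcategories behind events 4720, 4698 and 4624 are already enabled and that it runs from an elevated prompt, since the Security log is not readable otherwise.

```powershell
# Added example, not from the deck or LOG-MD/ARTHIR. Reads the "can you monitor for..." items of
# slide 11 out of the local logs. Needs an elevated shell; audit subcategories must be enabled.
function Get-EventDataValue {
    param($Event, [string]$Name)
    # EventData is a list of <Data Name="..."> elements; return the text of the one asked for.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
function Get-IrPrepEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # Security: 4720 account created, 4698 scheduled task created, 4624 logon.
    # System:   7045 service installed (written by the Service Control Manager).
    $filters = @(
        @{ LogName = 'Security'; Id = 4720, 4698, 4624; StartTime = $Since }
        @{ LogName = 'System';   Id = 7045;             StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $actor = Get-EventDataValue $_ 'SubjectUserName'
            switch ($_.Id) {
                4720 { $type = 'NewAccount'; $detail = Get-EventDataValue $_ 'TargetUserName' }
                4698 { $type = 'NewTask';    $detail = Get-EventDataValue $_ 'TaskName' }
                7045 {
                    $type   = 'NewService'
                    $actor  = $_.UserId   # 7045 carries the installer only as a SID on the record
                    $detail = '{0} -> {1}' -f (Get-EventDataValue $_ 'ServiceName'), (Get-EventDataValue $_ 'ImagePath')
                }
                4624 {
                    # Keep network (3) and RDP (10) logons only; that is what "logging in to multiple systems" looks like.
                    if ((Get-EventDataValue $_ 'LogonType') -notin '3', '10') { return }
                    $type   = 'RemoteLogon'
                    $actor  = Get-EventDataValue $_ 'TargetUserName'
                    $detail = 'from ' + (Get-EventDataValue $_ 'IpAddress')
                }
            }
            [pscustomobject]@{ Time = $_.TimeCreated; Host = $_.MachineName; Type = $type; Actor = $actor; Detail = $detail }
        }
    }
}
# Accounts seen logging on remotely to two or more hosts. Only meaningful when the events come
# from a collector (forwarded events, SIEM export), since a single host only ever sees itself.
function Get-MultiHostLogons {
    param([Parameter(Mandatory)][object[]]$Events, [int]$MinHosts = 2)
    $Events | Where-Object { $_.Type -eq 'RemoteLogon' } | Group-Object Actor |
        Where-Object { @($_.Group.Host | Sort-Object -Unique).Count -ge $MinHosts } |
        ForEach-Object { [pscustomobject]@{ Account = $_.Name; Hosts = (@($_.Group.Host | Sort-Object -Unique) -join ', ') } }
}
$events = Get-IrPrepEvents; $events | Sort-Object Time | Format-Table -AutoSize
Get-MultiHostLogons -Events $events
```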
  13. Prepare
     • Have you considered a Free/Paid cloud logging solution that you can push agents out to all your assets with, enabling the agent IF you have an incident, so the logs reach a Cloud Log Management solution that you or an IR firm can use to investigate?
     • Pay as you need it, but prepare to use it
     • Humio for example has a Free/Paid solution – ~5 systems, 2GB per day, 7 day retention for free
  14. MORE THAN LOGS
  15. Prepare
     • Local account passwords
     • Is anyone using LAPS? Local Administrator Password Solution
     • Unique password for each local admin, stored in AD
     • Makes it harder for lateral movement
     • Causes failed logins if used, alerting you
  16. Prepare
     • Group Policy security
     • There are all kinds of things you can do
     • DerbyCon 2019: Sean Metcalf of ADSecurity did a great job and is coming out with a White Paper on it
       – http://www.irongeek.com/i.php?page=videos/derbycon9/1-18-active-directory-security-beyond-the-easy-button-sean-metcalf
     • Slow them down, make noise, or break recon and other exploited things
  17. Prepare
     • 2-Factor anyone?
     • If you have Email, Citrix, VPN, RDP, etc. facing the Internet, you are vulnerable
     • MFA will cripple attacks from cred stealing campaigns and passwords harvested from other breaches, and make noise too, alerting you
     • This will help with so many things that hit organizations today: ransomware, RDP attacks, stolen or recycled creds, etc.
  18. Prepare
     • How about email…
     • How many are blocking the known bad file extensions?
       – Sept 2019 – 38 added by Microsoft
         • https://www.zdnet.com/article/microsoft-bans-38-file-extensions-in-outlook-for-the-web/
       – These have been around a while
         • https://support.office.com/en-us/article/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
  19. Prepare
     • Better yet, have you considered changing the way these extensions act when a user double-clicks them?
     • Group Policy to the rescue
     • Change the double-click to open, say, Notepad
     • Anything that executes a script engine could/should be broken if double-clicked
     • This will not affect how scripts are properly called, just mouse-happy clicking users
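One way to audit and make the slide 19 change, as an added example that is not the author's own: it inspects and rewrites the per-machine script ProgID handlers in HKCR, which is what a double-click consults. In an enterprise the same registry values would be pushed by Group Policy as the slide says; the ProgID list and the `wscript|cscript|mshta` check are this example's choices.

```powershell
# Added example, not from the deck. Windows maps .js .jse .vbs .vbe .wsf .wsh .hta to these
# ProgIDs, and HKCR\<ProgID>\Shell\Open\Command is what a double-click (or ShellExecute) runs.
$ScriptProgIds  = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile', 'htafile'
$NotepadHandler = '"%SystemRoot%\System32\notepad.exe" "%1"'

function Get-ScriptDoubleClickHandler {
    # Report the current handler per script type; OpensEngine = still hands the file to a script host.
    foreach ($id in $ScriptProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id\Shell\Open\Command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            ProgId      = $id
            Command     = $cmd
            OpensEngine = [bool]($cmd -match 'wscript|cscript|mshta')
        }
    }
}

function Set-ScriptDoubleClickToNotepad {
    # Rewrite the handler so a double-click shows the script's text instead of running it.
    # Needs an elevated prompt; the value is written as REG_EXPAND_SZ so %SystemRoot% still expands.
    foreach ($id in $ScriptProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id\Shell\Open\Command"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadHandler -Type ExpandString
        }
    }
}

Get-ScriptDoubleClickHandler | Format-Table -AutoSize
# Set-ScriptDoubleClickToNotepad   # then re-run the check above; OpensEngine should be False everywhere
```

Test against logon scripts first: anything launched with double-click semantics (Explorer, `start foo.vbs`) will now open Notepad, while `cscript.exe foo.vbs` and scheduled tasks that name the script host keep working.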
  20. Network Prep
     • Can you see Producer Consumer Ratio (PCR) in your network gear?
       – Range -1 to +1
       – Closer to +1 indicates exfil
     • Can you see it?
     • How about DNS TXT records?
       – Length can indicate bad
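PCR worked through on constructed flow summaries, as an added example that is not from the deck. PCR = (bytes sent - bytes received) / (bytes sent + bytes received) per internal host, so a workstation that mostly downloads sits near -1 and a host pushing data out sits near +1; the flow records, addresses and the 0.5 flag threshold are constructed for the example.

```powershell
# Added example, not from the deck. PCR per internal host over a window of flow records:
#   PCR = (bytes sent - bytes received) / (bytes sent + bytes received), range -1 .. +1
# Constructed sample, not real traffic: 10.1.1.20 browses (pulls far more than it pushes);
# 10.1.1.57 pushes ~850 MB to one external peer and pulls little back.
$SampleFlows = @'
Host,Peer,BytesOut,BytesIn
10.1.1.20,203.0.113.10,120000,9800000
10.1.1.20,203.0.113.11,80000,4200000
10.1.1.57,203.0.113.9,850000000,6000000
10.1.1.57,10.1.1.5,2000000,2100000
'@ | ConvertFrom-Csv

function Get-ProducerConsumerRatio {
    param(
        [Parameter(Mandatory)][object[]]$Flows,   # objects with Host, BytesOut, BytesIn
        [double]$Threshold = 0.5                  # flag at/above this; constructed, tune to your baseline
    )
    $Flows | Group-Object Host | ForEach-Object {
        $sent = 0.0; $recv = 0.0
        foreach ($f in $_.Group) { $sent += [double]$f.BytesOut; $recv += [double]$f.BytesIn }
        $total = $sent + $recv
        # A host with no traffic has no ratio; report 0 rather than divide by zero.
        $pcr = if ($total -eq 0) { 0.0 } else { ($sent - $recv) / $total }
        [pscustomobject]@{
            Host  = $_.Name
            MBOut = [math]::Round($sent / 1MB, 1)
            MBIn  = [math]::Round($recv / 1MB, 1)
            PCR   = [math]::Round($pcr, 3)
            Flag  = if ($pcr -ge $Threshold) { 'exfil-like' } else { '' }
        }
    } | Sort-Object PCR -Descending
}

Get-ProducerConsumerRatio -Flows $SampleFlows | Format-Table -AutoSize
```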
  21. Email and Web Prep
     • Show of hands
     • How many BLOCK unregistered domains?
     • These domains have not been categorized, and are heavily used for bad
     • Can you prepare to block them in the event of an incident?
  22. WINRM – PowerShell Remoting
  23. Prepare
     • Does everyone have an enterprise solution that can run something on a remote system in your organization?
     • Would you believe you already have one…
     • It’s FREE
     • It’s built-in, so no agent needed
     • Windows Remote Management (WinRM)
     • PowerShell to the rescue
     • Come see the ARTHIR Demo Fri at 2pm ;-)
  24. Prepare
     • WinRM is a free option that you can use to execute commands and tools remotely
     • You can secure who runs it using the Windows Firewall
     • Again, it logs things so you can monitor who does what
  25. Prepare
     • Enable the Windows Firewall!!!
     • Stop lateral movement
     • Secure WinRM
     • Better logging!!!
  26. HUNTING
  27. Hunting
     • Some say Hunting is the creation of a hypothesis and then you go searching for it
     • I say do that AFTER you search for obvious well known artifacts/IOCs
     • ~90% of attacks have several things in common
  28. Hunting
     • If you do good preparation, then IR becomes MUCH easier and faster to do
     • By you, us, or an IR Consultancy
     • It also enables you to be able to hunt, as you will have a LOT more data you can use and hunt with
     • Remember that WinRM and ARTHIR… (Demo 2pm Friday) – it’s FREE!!!!
     • You can look and verify that you DON’T have certain things proactively; we call this HUNTING
  29. Hunting
     • I say hunt for things to know you DON’T have them, and eliminate them if you do
       – AutoRuns
       – Large Keys containing payloads or scripts
       – Null byte entries in the registry hiding entries
       – Suspicious WMI database entries
       – Suspicious PowerShell executions, obfuscation
       – Suspicious executions in C:\Users dirs
       – Suspicious Admin / LOLBin executions
       – Injected processes
       – Many more
  30. Hunting
     • If you hunt for the things that are found in 90% of today’s malware on your systems, you can eliminate obvious indicators, or reduce the probability that you have them without knowing
     • This helps you in an incident too: you can use the same tool(s) and logic and apply them to an incident
     • Because you prepared and enabled things
  31. MITRE ATT&CK
  32. MITRE ATT&CK
     • You can map your preparation to MITRE ATT&CK
     • You can map your hunts to the ATT&CK Techniques
     • Helps you know you DON’T have these things going on in your environment
     • Preparation helps you do this, and will help you during an incident
  33. MITRE ATT&CK
     • ATT&CK gives you things to map your defenses to, or what you can do and have; everyone will have gaps
     • Knowing the gaps allows you to prepare better and identify items for budget
     • What do your current defenses map to?
     • Prepare means knowing what you can and can NOT do, have, or do NOT have
  34. CONCLUSION
  35. Conclusion
     • IR is Harrrrd, but it doesn’t have to be
     • Preparation is key
     • Security 101, enable what you have
     • Block well known exploited file types
     • Disable the users’ double-click of bad file types
     • Block unknown domains, or prepare to
     • Unique local admin passwords
     • Prep your network to see things
     • Enable something to allow you to hunt
     • Map what you have to MITRE ATT&CK
  36. Resources (LOG-MD.COM)
     • Websites
       – Log-MD.com – The tool
       – ARTHIR.com – Free on GitHub
     • The “Windows Logging Cheat Sheet(s)”
       – MalwareArchaeology.com
     • This presentation and others on SlideShare
       – Search for MalwareArchaeology or LOG-MD
  37. Resources
     • ADSecurity.org
       – http://www.irongeek.com/i.php?page=videos/derbycon9/1-18-active-directory-security-beyond-the-easy-button-sean-metcalf
  38. Questions?
     You can find us at:
     • Log-MD.com
     • @HackerHurricane
     • MalwareArchaeology.com