
Real-time Forensics through Endpoint Visibility

Presentation from our paper at ICDF2C

  1. REAL-TIME FORENSICS THROUGH ENDPOINT VISIBILITY
     Peter Kieseberg, Sebastian Neuner, Sebastian Schrittwieser, Martin Schmiedecker, Edgar Weippl
  2. Motivation
     • Regular discussions with
       o Forensics companies
       o Investigators
       o Legal personnel
     • Additional interest
       o NIS-Directive
       o „Information as a resource“
  3. Traditional forensic process
     • Acquirable storage
     • Manageable number of devices
     • Low storage devices
     2016 - SBA Research gGmbH
  4. In the Cloud … ?
  5. Selected Frameworks
     • Selected Frameworks by big vendors
       o Facebook Osquery
       o Google Rapid Response - GRR
       o Mozilla InvestiGator - MIG
     • Developed for
       o Large environments
       o Cloud systems
  6. Goal
     • Theoretical analysis and comparison of capabilities
     • Tests with real malware
       o Study behavior
       o Detection possibilities
     • Practical evaluation
       o Infected systems
       o Target: What artifacts can be detected that could be useful for detecting unknown malware.
  7. Theoretical comparison
  8. Lab Setup
  9. Malware Selection
     • F1 – Process Spawning
     • F2 – Persistence
     • F3 – Network Connection
     • S1 – Banking Trojan retefe
     • S2 – Locky Ransomware
     • S3 – Win32.Viking worm
  10. Sample Selection
                     Process Spawning   Persistence   Network Connection
      Retefe         X                  X             X
      Locky          X                  X             (X)
      Win32.Viking   X                  X             (X)
  11. osquery
     • Extraction of information from running systems
       o Linux, Ubuntu, OSX, CentOS
       o Since recently also for Windows
     • Structure
       o Abstract layer between OS and analyst
       o Info on system internals
       o Querying like a DB
  12. osquery
     • Usage
       o Provides „Tables“
       o Interactive or daemon (for regular analysis)
       o Daemon: Allows aggregation over time, fleeting changes
  13. Osquery - retefe
     • File interaction
       o Generated and changed files detected
     • Endpoint statistics
       o Creation of processes detected
     • Network level
       o Connections to outside world detected
     • Endpoint monitoring
       o Windows registry changed
       o New root CA
  14. Osquery - Locky
     • File interaction & Endpoint statistics
       o Creation of files and processes detected
     • Network level
       o DNS-Lookups
       o Connection to well-known distribution site
     • Endpoint monitoring
       o Nothing really outstanding
       o Randomly generated key in Registry
  15. Osquery – Win32.Viking
     • File interaction & Endpoint statistics
       o Creation of files and processes detected
     • Network level
       o Invisible to osquery, no direct connections, but uses modified IE
     • Endpoint monitoring
       o Changes to Registry
       o Creation of Windows Service
  16. GRR
     • Made to handle Google‘s internal infrastructure
     • Sysadmin initiates „flow“
       o Sent from front-end servers
       o Message containing code
       o Executed on the servers
       o Aggregation, postprocessing done on front-end
     • „Hunts“ - many flows targeting many agents
     • Live extraction, all major OSs supported
     • Can check actual file content
  17. GRR
  18. Differences to osquery
     • Retefe
       o Spawned processes and network connections detectable in principle, but typically only used as ad-hoc tool
     • Locky & Win32.Viking
       o Also detects timelines of changes, and can check content → additional info
       o Can detect registry key; still, same as for retefe
  19. MIG
     • Original issue: Accidental pushes of private keys to Github
     • Agents running on the servers
       o Sends information to MIG master
       o Support all major OS
       o Even embedded systems
  20. MIG
  21. Differences to GRR & osquery
     • Retefe
       o No file timelining, still detection is possible
       o Cannot access Windows Registry
     • Locky
       o Same as for retefe
     • Win32.Viking
       o Problem with Registry key
       o File can be detected as filename is known
  22. Conclusion
     • Seemingly similar tools
     • But: Quite different in actual investigation
       o Usage
       o Targets
       o Detection capabilities
     • Combination of tools could be reasonable
     • Maybe targeting development of more specialized tools
  23. Peter Kieseberg
     SBA Research gGmbH
     Favoritenstraße 16, 1040 Wien
     pkieseberg@sba-research.org
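As an added example (not from the paper or the slides), an osqueryd schedule that turns the "tables" and daemon mode of slides 11-12 into scheduled queries for the three behaviour classes of slide 9 and the artifacts listed on slides 13-15: process spawning (F1), persistence via startup items, Run keys, Windows services and newly installed CA certificates (F2), and outbound network connections (F3). Table and column names are osquery's own; the query names, intervals and logger choice are assumptions.

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "schedule_default_interval": 60
  },
  "schedule": {
    "f1_process_spawning": {
      "query": "SELECT pid, parent, name, path, cmdline, start_time FROM processes;",
      "interval": 60
    },
    "f2_persistence_startup_items": {
      "query": "SELECT name, path, args, type, source, username FROM startup_items;",
      "interval": 300
    },
    "f2_persistence_run_keys": {
      "query": "SELECT key, name, type, data, mtime FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run%' OR key LIKE 'HKEY_USERS\\%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run%';",
      "interval": 300,
      "platform": "windows"
    },
    "f2_persistence_services": {
      "query": "SELECT name, display_name, path, start_type, status, user_account FROM services;",
      "interval": 300,
      "platform": "windows"
    },
    "f2_new_ca_certificates": {
      "query": "SELECT common_name, issuer, self_signed, not_valid_after, sha1 FROM certificates WHERE ca = 1;",
      "interval": 600
    },
    "f3_network_connections": {
      "query": "SELECT s.pid, p.name, p.path, s.remote_address, s.remote_port, s.protocol FROM process_open_sockets s JOIN processes p USING (pid) WHERE s.remote_port != 0 AND s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1');",
      "interval": 60
    }
  }
}
```

osqueryd logs scheduled queries differentially by default, so each row that appears between two runs (a new process, service, Run value, CA certificate or remote connection) is written as a separate "added" result, which is the aggregation over time that the daemon mode on slide 12 refers to. A process that starts and exits within one polling interval is not seen by the polled processes table.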