Infocyte - Digital Forensics and Incident Response (DFIR) Training Session

Join Infocyte co-founder and Chief Product Officer, Chris Gerritz, for a two-hour digital forensics and incident response (DFIR) training session.

During this presentation, Chris shows participants how to set up Infocyte's managed detection and response (MDR) platform and how to leverage Infocyte to detect, investigate, isolate, and eliminate sophisticated cyber threats. Additionally, Infocyte helps enterprise cyber security teams eliminate hidden IT risks, improve security hygiene, maintain compliance, and streamline security operations—including improving the capabilities of existing endpoint security tools.

Using Infocyte's new extensions, participants are encouraged to create their own custom collection (detection and analysis) and action (incident response) extensions.

  1. Infocyte DFIR Training
  2. What is Infocyte? Infocyte is a SaaS Detection & Incident Response platform that combines continuous host forensics with threat intelligence and extensible response actions.
  3. Architecture (diagram). Infocyte Cloud on AWS: HUNT™ Console (e.g. customer1.Infocyte.com), INCYTE Threat Intel & Analytics, Plugin API & UI. Customer side: Controller, Agents, and agentless Endpoints / Servers.
     - Infocyte HUNT Agents can be installed on unmanaged endpoints: on-prem, in the cloud, or at a coffee shop.
     - Agentless workload interaction is enabled via the IaaS API.
     - The Infocyte HUNT Controller discovers endpoints and initiates scans (deployed inside the firewall / network) over native protocols: SSH, WMI, etc.
  4. Analysis Process (diagram). Host data collected to the Cloud Console: metadata, executables, settings, memory segments, logs. Cloud Analysis Engine: static analysis, sandboxing / analysis (detonation), YARA, multi-AV. Reputation (lookups): VirusTotal, community analytics, 3rd-party threat intel, Infocyte proprietary intel. Synapse: machine learning using Bayesian classifiers. Output of the Threat & Incident Response Platform: analytics (conclusions), intel and reporting.
  5. Survey and Extensions (diagram). Survey = native host inspection capabilities: volatile memory, scripted / compiled / native executables, forensic artifacts, applications, registry, logs. Extension subsystem: collection and action extensions; the labelled areas are detection, compliance, remediation and hardening, feeding analytics, intel and reporting. On top of the native inspection capabilities of the Infocyte agent and collector (Survey), users can extend Infocyte to many more use cases through collection and action extensions:
     - Custom detections
     - Incident Response & Forensics
     - Compliance Checks
     - Compliance Enforcement
     - E-Discovery
     - 3rd Party Software Deployment
  6. Memory Analysis
  7. Infocyte HUNT™ - Guide to Forensic State Analysis: Process Injection (Memory)
     - Shellcode Injection: put a custom code stub into a running process and spawn an execution thread
     - Reflective DLL Injection: force a generic library into a running process using a reflective loader
     - In-Memory Module Injection: force an entire executable into a running process (no need for a loader)
     - Process Hollowing: spawn a suspended process, replace the entire process with new code in memory
     - Atom Bombing: abuse Windows APC queues to inject code stored in the Windows atom tables
     (Diagram labels: Explorer.exe, BadGuy.ps1, MZ... (code), Start Remote Thread, steps 1-3.)
  8. Infocyte HUNT™ - Guide to Forensic State Analysis: Finding Code in Memory - Detection Techniques

     | Detection Technique | Description |
     | --- | --- |
     | Enumerate Loaded Modules | Ask the OS for a list of modules in the process (WMI, etc.) |
     | Inspect Import Table | Inspect the process's import table to find references to all loaded libraries |
     | Process Memory Walk | Brute force a process's private memory regions (heap) using VirtualQuery. Identify and inspect any allocated sections with executable markers (i.e. RWX or RX). |
     | Thread Walk | Iterate through each executing thread within a process. Identify and inspect any threads pointed at private memory sections. |
     | Memory/Disk Comparison | For disk-mapped modules. Compare the executable sections of a module on disk to what it looks like in memory. Fuzzy hash comparison will give variation %. |
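The Process Memory Walk and Thread Walk rows above, worked as an added example (not Infocyte's survey code): it classifies a constructed VirtualQueryEx-style snapshot of a process, flagging committed executable regions that are not image-backed and any thread whose start address falls inside one. The constants are the winnt.h values; the snapshot and thread list are constructed, and no live process is read.

```python
from dataclasses import dataclass

# Windows memory state / type / protection constants (winnt.h values)
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000          # file-mapped but not an image; treated like private here
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass
class Region:
    """One record as VirtualQueryEx describes it (MEMORY_BASIC_INFORMATION)."""
    base: int
    size: int
    state: int
    mem_type: int
    protect: int
    module: str = ""   # backing file for MEM_IMAGE regions, "" for private/mapped memory


def is_executable(r):
    return r.state == MEM_COMMIT and bool(r.protect & EXEC_MASK)


def walk_private_exec(regions):
    """Process Memory Walk: committed RX/RWX regions with no image backing."""
    return [r for r in regions if is_executable(r) and r.mem_type != MEM_IMAGE]


def walk_threads(regions, thread_starts):
    """Thread Walk: thread id -> base of the flagged region its start address lies in."""
    hits = {}
    for tid, addr in thread_starts.items():
        for r in walk_private_exec(regions):
            if r.base <= addr < r.base + r.size:
                hits[tid] = r.base
    return hits


# Constructed snapshot: the explorer.exe image, an ordinary heap, and an injected RWX stub
SNAPSHOT = [
    Region(0x7FF6_0000_0000, 0x200000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, "explorer.exe"),
    Region(0x0000_0200_0000, 0x100000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE),
    Region(0x0000_0300_0000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE),
]
THREADS = {0x1A4: 0x7FF6_0000_1000, 0x2B8: 0x0000_0300_0010}  # thread id -> start address
```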
  9. Calculating Dwell Time: Methodology, Sources of Time, Potential Issues
  10. Dwell time (diagram): from the earliest forensic timestamp to the time detected on.
  11. Calculating Dwell Time (Sources of Time)
     • Dwell Time calculations require the earliest timestamp from the initial infection:
       ○ First system compromised (beachhead)
       ○ Best done with host-based telemetry

     | Source | Details | Notes |
     | --- | --- | --- |
     | MAC File System Times | File Created Time | Earliest Timestamp! Infocyte uses this. |
     | Windows Event Logs | Event ID 4688 (Process Creation) | Logs executions but poorly formatted and almost useless for proactive detection |
     | Sysmon (or commercial EDR) | Event ID 1 (Process Creation); Event ID 2 (File Creation Time Changed) | Same as 4688, but Sysmon and EDR events are formatted for remote storage & analysis (e.g. they include a hash). ID 2 can help detect time manipulation but is noisy. |
     | Network IDS/Proxy/FW Event | Exploit or C2 events | Will indicate some part of the infection chain |
  12. Potential Issues with Time
     • Anti-Forensics is a class of techniques used by attackers to disrupt forensic analysis such as timeline creation.

     | Source | Potential Issues | Mitigations |
     | --- | --- | --- |
     | MAC File System Times ($STANDARD_INFO) | Easy to manipulate these timestamps from user-space (aka TimeStomping) | 1. Compare to $FILE_INFO. 2. Check for absence of sub-second resolution (timestomp doesn't add this). |
     | MAC File System Times ($FILE_INFO) | Hard to manipulate but not impossible (i.e. a kernel rootkit) | Verify timestamps make sense (not before the OS release date or in the future) |
     | Windows Event Logs | Logs can be deleted (modifying an event is extremely difficult in Windows 10) | Remotely store logs (easier with Sysmon or EDR) |
     | Sysmon (or commercial EDR) | Process start times may not be the earliest timestamps. Telemetry != Detection. | Process start times are good approximations in many attacks but not all. Ensure this was actually the earliest execution. |
     | Network IDS/Proxy/FW Event | Most early exploit events are not detected/logged (i.e. email vector) | Aggregate ALL network log sources into a super timeline or central analytics store |
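Slides 11 and 12 worked together as an added example (not Infocyte's code): it takes the earliest trusted timestamp across the sources in the tables and subtracts it from the detection time, skipping records that fail the timestomp checks or the plausibility check. The slide's $FILE_INFO is the MFT $FILE_NAME attribute; the OS release floor and every evidence record below are constructed assumptions.

```python
from datetime import datetime, timezone

# Sanity floor for the "not before OS release date" check. Assumed value: Windows 10 GA.
OS_RELEASE = datetime(2015, 7, 29, tzinfo=timezone.utc)


def plausible(ts, now):
    """Slide 12 sanity check: not before the OS shipped and not in the future."""
    return OS_RELEASE <= ts <= now


def stomp_indicators(std_info, file_name):
    """Slide 12 checks on a $STANDARD_INFORMATION created time vs. the $FILE_NAME copy."""
    flags = []
    if std_info != file_name:
        flags.append("differs from $FILE_NAME")
    if std_info.microsecond == 0:
        flags.append("no sub-second resolution")   # user-space timestomping writes whole seconds
    return flags


def earliest_trusted(events, now):
    """events: (source, timestamp, flags). Returns (timestamp, source) of the earliest
    record that carries no anti-forensics flag and passes the plausibility check."""
    ok = [(ts, src) for src, ts, flags in events if not flags and plausible(ts, now)]
    return min(ok) if ok else None


def dwell_time(events, detected_on):
    """Dwell = detection time minus the earliest trusted forensic timestamp."""
    first = earliest_trusted(events, detected_on)
    return (detected_on - first[0], first[1]) if first else None


# Constructed evidence for one beachhead host: the dropper's $STANDARD_INFORMATION created
# time was stomped back to 2009 with whole-second precision, $FILE_NAME kept the real
# creation time, and Sysmon and the proxy only saw later stages of the chain.
DETECTED_ON = datetime(2019, 6, 1, 3, 14, 7, 123456, tzinfo=timezone.utc)
SI_CREATED = datetime(2009, 1, 1, tzinfo=timezone.utc)
FN_CREATED = datetime(2019, 5, 2, 3, 14, 7, 123456, tzinfo=timezone.utc)
EVIDENCE = [
    ("MFT $STANDARD_INFORMATION created", SI_CREATED, stomp_indicators(SI_CREATED, FN_CREATED)),
    ("MFT $FILE_NAME created", FN_CREATED, []),
    ("Sysmon Event ID 1 process create", datetime(2019, 5, 3, 10, 0, tzinfo=timezone.utc), []),
    ("Proxy C2 beacon", datetime(2019, 5, 4, 8, 30, tzinfo=timezone.utc), []),
]
```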
  13. IR Example
  14. Recent Event: Recently, Infocyte was utilized in the acquisition diligence of a major foreign technology firm. Findings: a memory-resident implant on an AWS-based SQL Server; the investigation implicated a competitor.
  15. Memory Injects Found
  16. Which notepad?
  17. Malware known by some
  18. Activity Trace - Process Timeline
  19. Activity Trace - Host Timeline: logs deleted every day until the malware was neutralized
  20. Compromised Account
     ● SQL Express account was leveraged.
     ● Indicates a SQL Injection type entry vector.
     ● Malware had direct access to the SQL database but could not propagate.
  21. Response Actions. Automated steps selected:
     ● PowerForensics deployed to collect additional forensic evidence
     ● Full memory is dumped and pushed to an S3 bucket
     ● Host is then isolated at the network layer
  22. DFIR Evidence Recovery w/ S3 Buckets
  23. Creating write-only AWS S3 Credentials for DFIR Evidence
     Step 1. Create S3 Bucket. Link: https://s3.console.aws.amazon.com/s3/home
     - Name: infocyte-extensions
     - Policy: None
     - Encryption: Yes
     Step 2. Create Limited-Permission AWS User for Extensions. Link: https://console.aws.amazon.com/iam/home#/users$new
     - Name: uploader
     - Policy: DFIR_S3_WriteOnlyPolicy
     - Type: Programmatic Only
     NOTE: You can use the same credentials in all extensions; it's a low-risk account and extensions never hit disk.
     Step 3. Create AWS Users and Groups for your Analysts. Link: https://console.aws.amazon.com/iam/home#/groups
     - Group Name: S3Analysts; Policy: DFIR_S3_AnalystUserPolicy; Type: Console User
     - Group Name: S3Admins; Policy: DFIR_S3_AdminUserPolicy; Type: Console User
     Step 4. Create IAM Policies for Extension User and Analysts. Policy Editor: https://console.aws.amazon.com/iam/home?region=us-east-1#/policies$new?step=edit
     - Extensions User: Name: DFIR_S3_WriteOnlyPolicy; Policy Type*: IAM User Policy (could do a bucket policy too)
     - Analyst Group: Name: DFIR_S3_AnalystUserPolicy; Policy Type: IAM User Policy
     - Admin Group: Name: DFIR_S3_AdminUserPolicy; Policy Type: IAM User Policy
     Permissions:
     - s3:PutObject to your S3 bucket for the uploader user
     - s3:GetObject and s3:ListBucket for the S3Analysts group
     - s3:* for your S3Admins group
     *https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
  24. Create S3 Bucket
  25. Create Write-Only User Policies. Create an S3 Write-Only IAM User Policy in the IAM Policy Editor: https://console.aws.amazon.com/iam/home?region=us-east-1#/policies$new?step=edit
     S3 Write-Only User Policy, Name: DFIR_S3_WriteOnlyPolicy

     ```json
     {
       "Version": "2012-10-17",
       "Id": "DFIR_S3_WriteOnlyPolicy",
       "Statement": [
         {
           "Sid": "WriteOnlyUserPolicy01",
           "Effect": "Allow",
           "Action": "s3:PutObject",
           "Resource": [
             "arn:aws:s3:::<BUCKET_NAME>/*"
           ]
         }
       ]
     }
     ```

     - Version: AWS Policy Engine Version (don't touch this)
     - Id: unique policy name
     - Sid: unique statement name
     - Resource: your S3 bucket ARN (Amazon Resource Name)
  26. Create Analyst and Admin Group Policies. Create an IAM User/Group Policy in the IAM Policy Editor: https://console.aws.amazon.com/iam/home?region=us-east-1#/policies$new?step=edit
     Analyst Group Policy, Name: DFIR_S3_AnalystUserPolicy

     ```json
     {
       "Version": "2012-10-17",
       "Id": "DFIR_S3_AnalystUserPolicy",
       "Statement": [
         {
           "Sid": "AnalystGroupPolicy01",
           "Effect": "Allow",
           "Action": [
             "s3:List*",
             "s3:Get*",
             "s3:PutObject"
           ],
           "Resource": [
             "arn:aws:s3:::<BUCKET_NAME>",
             "arn:aws:s3:::<BUCKET_NAME>/*"
           ]
         }
       ]
     }
     ```

     Admin Group Policy, Name: DFIR_S3_AdminUserPolicy

     ```json
     {
       "Version": "2012-10-17",
       "Id": "DFIR_S3_AdminUserPolicy",
       "Statement": [
         {
           "Sid": "AdminGroupPolicy01",
           "Effect": "Allow",
           "Action": "s3:*",
           "Resource": [
             "arn:aws:s3:::*",
             "arn:aws:s3:::<BUCKET_NAME>",
             "arn:aws:s3:::<BUCKET_NAME>/*"
           ]
         }
       ]
     }
     ```
  27. Create Users and Groups
     Create an AWS User for Extensions: https://console.aws.amazon.com/iam/home#/users$new
     1. Access Type: Programmatic Access
     2. Policy: DFIR_S3_WriteOnlyPolicy; Groups: None
     3. Record Access Key ID & Secret
     4. Record ARN. Example: arn:aws:iam::485621232789:user/uploader
     Create Analyst and Admin Groups: https://console.aws.amazon.com/iam/home#/groups
     1. Create a group for your analysts who need read access to your S3 bucket. Name: S3Analysts; Policy: DFIR_S3_AnalystUserPolicy. Name: S3Admins; Policy: DFIR_S3_AdminUserPolicy
     2. Add analyst user accounts to the group.
     Create AWS Users for each analyst: Access Type: AWS Management Console Access; Policy: None; Groups: Analysts
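Steps 1 through 4 above, as an added example (not Infocyte's tooling): it generates the three policy documents from slides 25 and 26 for a given bucket name and lints them for grants that reach outside the DFIR bucket or beyond the uploader's single PutObject action. The bucket name is constructed; the admin policy here is scoped to the bucket only, since the slide's extra `arn:aws:s3:::*` resource would grant s3:* on every bucket in the account.

```python
import json


def _policy(pid, sid, actions, resources):
    """Assemble one single-statement IAM policy document."""
    return {"Version": "2012-10-17", "Id": pid,
            "Statement": [{"Sid": sid, "Effect": "Allow",
                           "Action": actions, "Resource": resources}]}


def write_only_policy(bucket):
    # uploader: PutObject on objects only, no List/Get/Delete, so an extension can drop
    # evidence into the bucket but cannot read it back or remove it
    return _policy("DFIR_S3_WriteOnlyPolicy", "WriteOnlyUserPolicy01",
                   "s3:PutObject", [f"arn:aws:s3:::{bucket}/*"])


def analyst_policy(bucket):
    return _policy("DFIR_S3_AnalystUserPolicy", "AnalystGroupPolicy01",
                   ["s3:List*", "s3:Get*", "s3:PutObject"],
                   [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"])


def admin_policy(bucket):
    # scoped to the DFIR bucket; slide 26 also listed arn:aws:s3:::*, which would
    # extend s3:* to every bucket in the account
    return _policy("DFIR_S3_AdminUserPolicy", "AdminGroupPolicy01", "s3:*",
                   [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"])


def lint(policy, bucket, allowed_actions=None):
    """Flag resources outside the DFIR bucket and, when an allow-list is given, any
    action beyond it. Returns a list of human-readable findings (empty = clean)."""
    findings = []
    prefix = f"arn:aws:s3:::{bucket}"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for r in resources:
            if r != prefix and not r.startswith(prefix + "/"):
                findings.append(f"{st['Sid']}: resource {r} reaches outside {bucket}")
        if allowed_actions is not None:
            findings += [f"{st['Sid']}: action {a} not in allow-list"
                         for a in actions if a not in allowed_actions]
    return findings


def render(policy):
    """JSON text ready to paste into the IAM policy editor."""
    return json.dumps(policy, indent=2)


BUCKET = "dfir-evidence-example"   # constructed name; the slides use infocyte-extensions
```

Note that s3:PutObject alone still lets the uploader overwrite an existing key; enable bucket versioning so uploaded evidence is never replaced.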
  28. DFIR Extensions
  29. Infocyte HUNT™ - Guide to Forensic State Analysis: Extensions. Extensions are written in Lua as an interface to our agent/survey and include both proprietary functions and the embedded Lua standard library. Writers can also deploy and execute arbitrary binaries or scripts written in the language of your choice (e.g. PowerShell, Python, Bash). Extension sources:
     - Certified: We will provide Infocyte defined/written/tested extensions for many primary use cases
     - Community: Users can contribute as well to our community repo on GitHub
     - Private: Users can also maintain/create their own based on proprietary threat intel and innovation
  30. Infocyte HUNT™ - Guide to Forensic State Analysis: Extensions
     - Collection Extensions extend what our endpoint/server is collecting. For instance, you can analyze your own registry keys, run commands, collect logs, etc.; collection extensions also enable YARA scanning on the endpoint.
     - Action Extensions provide mechanisms for making changes to a system or sets of systems. Examples: you can isolate compromised systems, install a heavier forensic tool, or perform a memory dump. Really only limited by your imagination.
  31. Configure Extension:
     1. Add your s3_region and S3_bucket
     2. Add your paths on Endpoints
     3. Save