This document discusses counterforensics techniques used by insiders to evade detection. It describes how counterforensics is derived from counterintelligence and aims to prevent or thwart investigations. Common tactics discussed include hiding and concealing activities and data through steganography, encryption, and destroying evidence by deleting files and overwriting data. The document also recommends tools for user behavior monitoring and activity replay to help reveal hidden insider tracks.
3. What is Counterforensics?
aka - Anti-Forensics
Derived from Counterintelligence: “activities designed to prevent or thwart spying, intelligence gathering, and sabotage by an enemy or other foreign entity.”
Counterforensics: “activities designed to prevent or thwart forensics investigations through data destruction, data and activity concealment, deception or sabotage.”
5. Hiding/Concealing Activities and Data
Steganography: utilize common file formats/channels – hide in plain sight
File concatenation
File/data encryption
Encrypted comms channels
6. Why Steganography?
Confidential
Video and image files typically are large enough to carry additional data (e.g. messages, files)
Casual viewer will never know the message/data is present
Can transport encrypted messages/data
Intended recipient can be difficult to identify
Anti-virus and endpoint security typically do not scan for hidden messages
7. Concealed message in ICMP
# ping -p feedfacedeadbeef Dest-B
# tcpdump -i eth0 host Dest-B -x
21:03:32.601102 IP Source-A > Dest-B: icmp 64: echo request seq 56
0x0000: 4500 0054 0038 4000 4001 6e1c 4655 1fe9 E..T.8@.@.n.FU..
0x0010: 4655 1fc2 0800 8120 5006 0038 e414 9942 FU......P..8...B
0x0020: 142a 0900 feed face dead beef feed face .*..............
0x0030: dead beef feed face dead beef feed face ................
0x0040: dead beef feed face dead beef feed face ................
0x0050: dead ..
IPv4 maximum datagram size 65535 bytes minus the IP and ICMP headers = 65507 bytes available for a message carried in a single ICMP packet
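As an added example (not from the deck), a defender-side check for the technique on this slide and for the later "alert on suspicious activities" point: it rebuilds a packet from a tcpdump hex dump, pulls out the ICMP echo payload and compares it with the stock fill of common ping tools, reporting anything else as custom. The dump is constructed to mirror the one above (checksums zeroed, RFC 5737 addresses); the baselines assume iputils ping (payload byte i set to i, first 8 bytes a timestamp) and Windows ping (cycling letters a to w).

```python
import re

# Constructed 'tcpdump -x' style dump: IPv4 + ICMP echo request, 84 bytes, checksums
# zeroed, RFC 5737 addresses, carrying the slide's 'ping -p feedfacedeadbeef' pattern.
CUSTOM_DUMP = """
0x0000: 4500 0054 0038 4000 4001 0000 c000 0201
0x0010: c000 0202 0800 0000 5006 0038 e414 9942
0x0020: 142a 0900 feed face dead beef feed face
0x0030: dead beef feed face dead beef feed face
0x0040: dead beef feed face dead beef feed face
0x0050: dead beef
"""
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+(.*)$")
HEX_TOKEN = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")
WINDOWS_FILL = b"abcdefghijklmnopqrstuvw"  # Windows ping cycles these letters

def parse_tcpdump_hex(text: str) -> bytes:
    """Rebuild raw bytes from the hex column; stop at a non-hex token (ASCII column) or 16 bytes/line."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        taken = 0
        for tok in m.group(1).split():
            if taken >= 16 or not HEX_TOKEN.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            taken += len(tok) // 2
    return bytes(out)

def icmp_echo_payload(pkt: bytes):
    """Data after the 8-byte ICMP header of an IPv4 echo request/reply, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:  # IPv4 with protocol 1 (ICMP)
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:int.from_bytes(pkt[2:4], "big")]
    if len(icmp) < 8 or icmp[0] not in (0, 8):            # type 8 = request, 0 = reply
        return None
    return icmp[8:]

def classify_payload(payload: bytes) -> str:
    """Match the stock fills of common ping tools; anything else is 'custom' and worth a look."""
    n = len(payload)
    if n == 0:
        return "empty"
    if n > 8 and payload[8:] == bytes(i & 0xFF for i in range(8, n)):
        return "linux-default"  # iputils sets byte i to i; the first 8 bytes hold a timestamp
    if payload == bytes(WINDOWS_FILL[i % len(WINDOWS_FILL)] for i in range(n)):
        return "windows-default"
    return "custom"
```

A custom fill is a lead to review, not proof of data smuggling: ping's pattern option has legitimate diagnostic uses and other ping implementations fill their payloads differently.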
8. Hiding Activities in Plain Sight
Google Chrome extension: Netflix Hangouts, watch Netflix at work while appearing to be on a conference call
9. Hiding/Concealing Activities and Data: Encryption
Use of non-sanctioned encryption tools to encrypt files and data
Use encryption tools to obscure communications
Tor Browser or Tor proxy
Command line tools: OpenSSL, cryptcat
11. Deceptive Tactics
Alter timestamps/timelines
Alter logs or other data
Obfuscation of data, URLs, commands, etc., e.g. a caret-escaped command line:
C:>cmd.exe /c c^^a^^l^^c^^.^^e^^x^^e
Stolen credential use
13. Deleting Alone May Not Destroy the Data
Filesystems usually free the location of a deleted file, but do not overwrite/destroy it
Email servers typically free the location of a deleted email, but do not overwrite/destroy it
Secure deletion can include:
Overwriting/wiping one or more times
Defragmenting
Overwriting/wiping all free and slack space
Webmail and SaaS products are typically under the control of the service provider
15. Sabotage
Denial Of Service (DOS)
Intentional malware/ransomware infection
Logic/time bombs
16. What can you do?
Visibility into activities when they happen
Full crime scene playback
Alert on suspicious activities:
malicious application use
suspect website access
Tor Browser activity
17. What can you do?
Block access to unwanted sites and network applications
Inventory sanctioned tools - know what is allowed and by whom:
disk encryption
data deletion policies
cloud file storage
Employee Monitoring & User Behavior Analytics tools
18. User & Entity Behavioral Analytics (UEBA) & User Activity Monitoring (UAM)
19. Seeing Exactly What Happened (UAM): Video Playback
• Time-Capsule DVR video review
• See all onscreen actions
• Play it back like your DVR
• Export as BMP, JPG or AVI
20. The Global Leader
8 out of 10 Technology, 7 out of 10 Financial, 6 out of 10 Health
Deployed in 110+ countries, in 3,000+ enterprises & thousands of SMBs
The Biggest & Best use Veriato
With Veriato’s Cerebral, an end to end, integrated insider threat intelligence platform.
Cerebral’s eyes on glass technology gives you immediate visibility, so you know exactly what’s going on. If the alert comes in at 9:35 am, security can immediately go back in time, cue up video of Joey’s screen from 30 minutes before the alert and watch everything he does. Is he just working on a big report, or is he encrypting the data and hiding it in a PowerPoint presentation?
Do you give him a raise for working hard… or call HR and the police?
Now you know exactly what to do within minutes!