Windows Incident Response is hard, but doesn't have to be
Michael Gough emphasizes that incident response can be improved with proper preparation, focusing on essential security practices often overlooked by organizations. Key recommendations include enabling comprehensive logging, implementing unique local admin passwords, monitoring for suspicious activities, and utilizing tools like log management solutions. The presentation also encourages mapping defenses to the MITRE ATT&CK framework to identify and close security gaps.
Incident Response is haaaaard
But it doesn’t have to be
Michael Gough – Founder
MalwareArchaeology.com
IMFSecurity.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– Co-Host - Brakeing Down Incident Response PodCast (BDIR)
Background
• I worked for a video gaming company that got
pwned BAD by the Chinese Winnti group
• They got by all the security tools
• Like Red Teams often do
• So what did we learn and How did we catch
them?
Background
• I was asked by an IR consulting firm: with all
the organizations I deal with, are any of them
mature?
• Sadly.. No.
• They buy stuff, think prevention works, but
lack Security 101, the basics they already have
Prevention vs. Reduction
• I do not like or believe in “Prevention”
• If prevention worked.. Why are we all here
learning?
• Or still buying security solutions?
• “Reduction” is a more realistic term
• We reduce our likelihood of an incident
and/or the attack surface that can be taken
advantage of or exploited
Preparation
• Security 101, the basics, is sadly ignored, or IT and
management do not understand it well enough
– Maybe that includes InfoSec
• If you do some basic things, that by the way are
FREE, and you already have, an incident is MUCH
easier and faster to deal with
• It also is why we caught the Winnti hacks, and
many others since
Prepare
• Help us help YOU!
• Show of hands
• How many of you have Windows Advanced
Audit Policies configured to at least the CIS
Benchmarks or the “Windows Logging Cheat
Sheet(s)”?
Prepare
• Security 101
• Enable your logs to collect all the things
• Increase the size of the local log so you can
collect more than minutes
• Enable Command Line Logging – PLEEEEEASE
• NIX and Apple have logs too
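The four bullets above are one procedure on a Windows host. The script below is an added example (not from the slides, and not Log-MD or ARTHIR code) that applies them with the built-in tools: auditpol.exe for the Advanced Audit Policy subcategories, the registry for command-line and PowerShell script block logging, and wevtutil.exe for the log sizes. The log sizes are assumptions to tune to your own event volume; the subcategory names, registry paths and event IDs are the standard Windows ones. Run it elevated, or push the same settings through Group Policy.

```powershell
# Added example, not from the slides: apply the "Security 101" logging basics on one host.
# Run from an elevated PowerShell, or set the same values with Group Policy.

# 1. Advanced Audit Policy: the subcategories that produce the events worth monitoring.
$subcategories = @(
    'Process Creation',            # 4688 - every new process (with command line, see step 2)
    'User Account Management',     # 4720 - user account created
    'Security Group Management',   # 4728 / 4732 - group membership changes
    'Logon',                       # 4624 / 4625 - successful and failed logons
    'Other Object Access Events',  # 4698 - scheduled task created
    'Security System Extension'    # 4697 - service installed
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Put the full command line into 4688 events (off by default).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. PowerShell script block logging: event 4104 in Microsoft-Windows-PowerShell/Operational.
$psKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $psKey -Force | Out-Null
Set-ItemProperty -Path $psKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 4. Grow the local logs so they hold days, not minutes. Sizes in bytes (assumed values).
wevtutil.exe sl Security /ms:1073741824                                   # 1 GB
wevtutil.exe sl System /ms:268435456                                      # 256 MB
wevtutil.exe sl Application /ms:268435456                                 # 256 MB
wevtutil.exe sl 'Microsoft-Windows-PowerShell/Operational' /ms:268435456  # 256 MB

# 5. Show what is now in effect.
auditpol.exe /get /category:*
wevtutil.exe gl Security
```

Step 2 is the one the slide pleads for: without `ProcessCreationIncludeCmdLine_Enabled` a 4688 event records only the image path, so a `powershell.exe -enc ...` launch looks identical to any other PowerShell start.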
Prepare
• Do you have a Log Management solution, EDR, or
other security “prevention” solution?
• EDR solutions can often collect local logs as files
or add them to the triage
• Log Management, obviously with a good agent
collecting the “right things”, provides a TON of
data for incident investigation
• Logs can make it easier and faster to deal with an
incident, or for an IR firm to find it faster, thus
cheaper for you in the long run
Prepare
• Do you, or can you, monitor for…
– New account creation?
– Admin accounts logging in to multiple systems?
– New Service creations?
– New Task creations?
– Email, VPN, Citrix, Cloud logins?
– Suspicious processes in C:\Users?
• Not without better logging you can’t
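What that monitoring list looks like once the logging is on, as an added example that is not from the slides or from Log-MD: the Security-log events behind each bullet, read from one host with Get-WinEvent. The event IDs are the standard Windows ones; the 24-hour window and the choice of logon types are assumptions. Nothing here returns anything until the matching audit subcategories are enabled, which is the slide's point.

```powershell
# Added example, not from the slides: the events behind the slide's monitoring list.
# Assumes the audit policies that produce these events are already enabled.
param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
$since = (Get-Date).AddHours(-$Hours)

# Get-WinEvent errors when nothing matches; return an empty array instead.
function Get-SecEvents([string]$Log, [int[]]$Id) {
    try {
        @(Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
            LogName = $Log; Id = $Id; StartTime = $since })
    } catch { @() }
}

# Turn an event's EventData block into a name -> value hashtable.
function ConvertFrom-EventData($Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 4720 = user account created, 4697 (Security) / 7045 (System) = service installed,
# 4698 = scheduled task created.
$newAccounts = Get-SecEvents 'Security' 4720
$newServices = @(Get-SecEvents 'Security' 4697) + @(Get-SecEvents 'System' 7045)
$newTasks    = Get-SecEvents 'Security' 4698

# 4624 logons: keep network (type 3) and RDP (type 10) logons by non-machine accounts,
# then list accounts that arrived from more than one source address. Run the same
# grouping over centrally collected logs to see one admin account on many hosts.
$logons = foreach ($e in (Get-SecEvents 'Security' 4624)) {
    $d = ConvertFrom-EventData $e
    if ([int]$d.LogonType -in 3,10 -and $d.TargetUserName -notmatch '\$$') {
        [pscustomobject]@{ Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                           Source  = $d.IpAddress; Time = $e.TimeCreated }
    }
}
$multiSource = $logons | Group-Object Account | ForEach-Object {
    $sources = @($_.Group.Source | Sort-Object -Unique)
    if ($sources.Count -gt 1) {
        [pscustomobject]@{ Account = $_.Name; Logons = $_.Count; Sources = ($sources -join ', ') }
    }
}

# 4688 process creation: anything whose image lives under C:\Users.
# CommandLine is only populated when command-line logging is enabled.
$userProcs = foreach ($e in (Get-SecEvents 'Security' 4688)) {
    $d = ConvertFrom-EventData $e
    if ($d.NewProcessName -like 'C:\Users\*') {
        [pscustomobject]@{ Time = $e.TimeCreated; Process = $d.NewProcessName; CommandLine = $d.CommandLine }
    }
}

"New accounts (4720):        $($newAccounts.Count)"
"New services (4697/7045):   $($newServices.Count)"
"New scheduled tasks (4698): $($newTasks.Count)"
"Accounts logging on from more than one source:"; $multiSource | Format-Table -AutoSize
"Processes launched from C:\Users:";               $userProcs   | Format-Table -AutoSize -Wrap
```

Email, VPN, Citrix and cloud logins come from those systems' own logs rather than the Windows Security log, so they are not covered here; the same shape (collect, parse, group by account, flag the outliers) applies once they are in the log management solution.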
Prepare
• You can’t monitor for anything if you don’t
enable the logging to collect the RIGHT things
• Then you can collect them and monitor for all
kinds of things
• IF.. You have a log management solution
• But still, the logging MUST be enabled or I
can’t even use ARTHIR (Demo 2pm Friday) and
LOG-MD-Pro (come to our booth) to hunt for
artifacts of an incident
Prepare
• Have you considered a Free/Paid cloud logging
solution that you can push agents out to all
your assets and enable the agent IF you have
an incident to get it to a Cloud Log
Management solution that you or an IR firm
can use to investigate?
• Pay as you need it, but prepare to use it
• Humio for example has a Free/Paid solution
– ~5 systems, 2GB per day, 7 day retention for free
Prepare
• Local account passwords
• Is anyone using LAPS? Local Administrator
Password Solution
• Unique password for each local admin stored
in AD
• Makes it harder for lateral movement
• Causes failed logins if used, alerting you
Prepare
• Group Policy security
• There are all kinds of things you can do
• DerbyCon 2019 Sean Metcalf of ADSecurity did a
great job and is coming out with a White Paper
on it
– http://www.irongeek.com/i.php?page=videos/derbycon9/1-18-active-directory-security-beyond-the-easy-button-sean-metcalf
• Slow them down, make them make noise, or break
recon and other exploited things
Prepare
• 2-Factor anyone?
• If you have Email, Citrix, VPN, RDP, etc. facing
the Internet, you are vulnerable
• MFA will cripple attacks from cred stealing
campaigns and passwords harvested from
other breaches, make noise too, alerting you
• This will help so many things that hit
organizations today, ransomware, RDP attacks,
stolen or recycled creds, etc.
Prepare
• How about email…
• How many are blocking the known bad file
extensions?
– Sept 2019 - 38 added by Microsoft
• https://www.zdnet.com/article/microsoft-bans-38-file-extensions-in-outlook-for-the-web/
– These have been around a while
• https://support.office.com/en-us/article/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
Prepare
• Better yet, have you considered changing the
way these extensions act when a user double-
clicks them?
• Group Policy to the rescue
• Change the double-click to open say, Notepad
• Anything that executes a script engine
could/should be broken if double-clicked
• This will not affect how scripts are properly
called, just mouse happy clicking users
Network Prep
• Can you see Producer Consumer Ratio (PCR) in
your network gear?
– -1 to +1 range
• Closer to +1 indicates exfil
• Can you see it ?
• How about DNS TXT records?
• Unusually long records can indicate bad
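PCR is a single number per host, so it is easy to compute yourself from flow records if the network gear does not show it. The block below is an added example (not from the slides) that carries the formula through: PCR = (bytes out - bytes in) / (bytes out + bytes in), which lands at -1 for a host that only downloads and at +1 for one that only uploads. The flow records are constructed sample data, and the 0.8 alert threshold is an assumption; a real feed would come from NetFlow/IPFIX or a firewall's connection log.

```powershell
# Added example, not from the slides: Producer Consumer Ratio per internal host.
# Constructed sample flows: Src is the internal host, BytesSent is what it produced.
$flows = @(
    [pscustomobject]@{ Src = '10.0.1.15'; Dst = '203.0.113.7';  BytesSent = 950000000; BytesReceived = 2000000   },
    [pscustomobject]@{ Src = '10.0.1.15'; Dst = '10.0.0.5';     BytesSent = 300000;    BytesReceived = 4000000   },
    [pscustomobject]@{ Src = '10.0.1.22'; Dst = '198.51.100.9'; BytesSent = 1200000;   BytesReceived = 380000000 },
    [pscustomobject]@{ Src = '10.0.1.22'; Dst = '10.0.0.5';     BytesSent = 50000;     BytesReceived = 7000000   },
    [pscustomobject]@{ Src = '10.0.1.40'; Dst = '10.0.0.5';     BytesSent = 20000000;  BytesReceived = 21000000  }
)

function Get-Pcr {
    param([object[]]$Flows, [double]$Threshold = 0.8)   # threshold is an assumed value
    $Flows | Group-Object Src | ForEach-Object {
        $out = ($_.Group | Measure-Object BytesSent -Sum).Sum
        $in  = ($_.Group | Measure-Object BytesReceived -Sum).Sum
        # PCR = (out - in) / (out + in); guard the idle host that has no bytes either way.
        $pcr = if (($out + $in) -eq 0) { 0 } else { ($out - $in) / ($out + $in) }
        [pscustomobject]@{
            Host     = $_.Name
            BytesOut = $out
            BytesIn  = $in
            PCR      = [math]::Round($pcr, 3)
            Flag     = if ($pcr -ge $Threshold) { 'POSSIBLE EXFIL' } else { '' }
        }
    }
}

Get-Pcr -Flows $flows | Sort-Object PCR -Descending | Format-Table -AutoSize
```

With the sample data 10.0.1.15 scores about +0.99 and is flagged, 10.0.1.22 sits near -0.99 (a normal downloader) and 10.0.1.40 near 0 (balanced). A file server or backup source is a legitimate producer, so baseline each host's usual PCR and alert on the change, not on the absolute value alone.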
Email and Web Prep
• Show of hands
• How many BLOCK unregistered domains?
• These domains have not been categorized,
and heavily used for bad
• Can you prepare to block it in the event of an
incident?
Prepare
• Does everyone have an enterprise solution that
can run something on a remote system in your
organization?
• Would you believe you already have one…
• It’s FREE
• It’s built-in, so no agent needed
• Windows Remote Management (WinRM)
• PowerShell to the rescue
• Come see the ARTHIR Demo Fri at 2pm ;-)
Prepare
• WinRM is a free option that you can use to
execute commands and tools remotely
• You can secure who runs it using the Windows
Firewall
• Again it logs things so you can monitor who
does what
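An added example (not from the slides, and not ARTHIR code) of the three bullets together: WinRM switched on, its inbound firewall rules scoped to the admin jump hosts, and PowerShell remoting used to check the preparation state of a list of machines. The jump-host addresses and the hosts.txt path are constructed placeholders; the firewall display group, registry value and log names are the standard Windows ones.

```powershell
# Added example, not from the slides: enable WinRM, restrict who can reach it,
# then use it to verify logging preparation across many hosts.
$jumpHosts = @('10.0.50.10', '10.0.50.11')   # constructed placeholder addresses

# 1. Enable the WinRM service and its HTTP listener; this also creates the firewall rules.
Enable-PSRemoting -Force

# 2. Scope every inbound WinRM rule to the jump hosts, so only they can run things remotely.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $jumpHosts -Enabled True

# 3. From a jump host: ask each target whether the logging basics are in place.
$targets = Get-Content -Path 'C:\IR\hosts.txt'   # one hostname per line (assumed file)
$results = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
    $sec = Get-WinEvent -ListLog 'Security'
    $ps  = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational'
    $cmd = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
        -Name 'ProcessCreationIncludeCmdLine_Enabled'
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        SecurityLogMB   = [int]($sec.MaximumSizeInBytes / 1MB)
        PowerShellLogMB = [int]($ps.MaximumSizeInBytes / 1MB)
        CmdLineLogging  = [bool]$cmd.ProcessCreationIncludeCmdLine_Enabled
        # How far back the Security log currently reaches: minutes or days?
        OldestSecEvent  = (Get-WinEvent -LogName 'Security' -Oldest -MaxEvents 1).TimeCreated
    }
}
$results | Sort-Object Host | Format-Table Host, SecurityLogMB, PowerShellLogMB, CmdLineLogging, OldestSecEvent -AutoSize
```

The remote session itself leaves the trail the slide mentions: the target records a type 3 logon (4624) for the jump-host account, Microsoft-Windows-WinRM/Operational records the session, and with script block logging on the commands run appear as 4104 events, so anyone using WinRM against your hosts, including you, is visible.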
Hunting
• Some say hunting is the creation of a
hypothesis that you then go searching for
• I say do that AFTER you search for obvious
well known artifacts/IOCs
• ~90% of attacks have several things in
common
Hunting
• If you do good preparation, then IR becomes
MUCH easier and faster to do
• By you, us, or an IR Consultancy
• It also enables you to be able to hunt as you will
have a LOT more data you can use and hunt with
• Remember that WinRM and ARTHIR… (Demo
2pm Friday) – It’s FREE !!!!
• You can look and verify that you DON’T have
certain things proactively, we call this HUNTING
Hunting
• I say hunt for things to know you DON’T have
them, and eliminate them if you do
– AutoRuns
– Large Keys containing payloads or scripts
– Null byte entries in the registry hiding entries
– Suspicious WMI database entries
– Suspicious PowerShell executions, obfuscation
– Suspicious executions in C:\Users dirs
– Suspicious Admin / LOLBin executions
– Injected processes
– Many more
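A small local hunt for two of the artifact classes on that list, as an added example that is not from the slides and not Log-MD or ARTHIR code: Run/RunOnce values that are unusually long or that hand off to a script engine or LOLBin, and WMI event-subscription persistence. The 512-character threshold and the keyword list are assumptions; run it on a known-good host first, because a stock Windows install carries one Microsoft binding in root\subscription that will show up every time.

```powershell
# Added example, not from the slides: hunt autorun values and WMI subscriptions.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. AutoRuns: Run/RunOnce values that are very long (stashed payloads, encoded
#    one-liners) or that invoke a script engine / LOLBin.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$engines = 'powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|cmd\.exe|-enc|frombase64'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a value
        $value = [string]$p.Value
        if ($value.Length -gt 512) {             # assumed threshold: tune to your fleet
            Add-Finding 'AutoRun-LargeValue' "$key\$($p.Name)" "length=$($value.Length)"
        } elseif ($value -match $engines) {
            Add-Finding 'AutoRun-ScriptEngine' "$key\$($p.Name)" $value
        }
    }
}

# 2. WMI event subscriptions: persistence that survives reboots without any autorun key.
$ns = 'root\subscription'
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
             @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
foreach ($c in $consumers) {
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText -replace '\s+', ' ' }
    Add-Finding "WMI-$($c.CimClass.CimClassName)" $c.Name $payload
}
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
    # Filter and Consumer are object references; their string form names the instance.
    Add-Finding 'WMI-Binding' "$($b.Filter)" "$($b.Consumer)"
}

if ($findings.Count -eq 0) { 'No findings: none of the hunted artifacts are present.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The same checks, pushed out over WinRM to every host and diffed against last week's run, are the proactive "know you DON'T have it" hunt the slide is talking about; during an incident the identical logic tells you which hosts do.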
Hunting
• If you hunt your systems for the things found in
90% of today’s malware, you can eliminate them,
or confirm that you do not have those obvious
indicators
• This helps you in an incident too, you can use
the same tool(s) and logic to apply to an
incident
• Because you prepared and enabled things
MITRE ATT&CK
• You can map your preparation to MITRE ATT&CK
• You can map your hunts to the ATT&CK
Techniques
• Help know you DON’T have these things going on
in your environment
• Preparation helps you do this, and will help you
during an incident
MITRE ATT&CK
• ATT&CK gives you something to map your defenses
to, both what you can do and what you have;
everyone will have gaps
• Knowing the gaps allows you to prepare better
and identify items for budget
• What do your current defenses map to?
• Prepare means know what you can and can
NOT do, have, or do NOT have
Conclusion
• IR is Harrrrd, but it doesn’t have to be
• Preparation is key
• Security 101, enable what you have
• Block well known exploited file types
• Disable the users double-click of bad file types
• Block unknown domains, or prepare to
• Unique local admin passwords
• Prep your network to see things
• Enable something to allow you to hunt
• Map what you have to MITRE ATT&CK
Resources
LOG-MD.COM
• Websites
– Log-MD.com – The tool
– ARTHIR.com – Free on GitHub
• The “Windows Logging Cheat Sheet(s)”
– MalwareArchaeology.com
• This presentation and others on SlideShare
– Search for MalwareArchaeology or LOG-MD