VERIS
Retrospective Analysis
(Or retrospective study) is a research method used when the outcome of an event is already known. If the outcome is already known, such as a malware infection, retrospective analysis can help you work backwards to find its source.
Diamond model characteristics
- Adversary - Capability - Infrastructure - Victim
Four basic phases of the forensic process
- Collection - Examination - Analysis - Reporting
VERIS: Attributes
- Confidentiality/possession - Integrity/authenticity - Availability/utility (VERIS pairs each classic CIA attribute with its companion, as listed here)
C2M2 Targets
- Decision makers (executives) who control the allocation of resources and the management of risk in the organization; typically senior leaders - Leaders responsible for managing the organizational resources and operations associated with the domains of the model - Practitioners responsible for supporting the organization in using the model (planning and managing changes in the organization based on it) - Facilitators responsible for leading a self-evaluation of the organization using the model and its toolkit and for analyzing the results; a facilitator helps a group understand its common objective and plan how to achieve it without taking a position in the discussion
VERIS: Actions
- Hacking - Social - Malware - Misuse - Physical - Error - Environmental (VERIS defines all seven action categories)
VERIS Incident structure
- Incident tracking - Victim demographics - Incident descriptions - Discovery and response - Impact assessment
VERIS: Actors
- Internal - External - Partner
CSIRT Types
- Internal - National - Coordination centers - Analysis centers - Vendor teams - Incident response providers (managed security service providers)
Kill chain model
- Recon - Weaponization - Delivery - Exploitation - Installation - Command and Control - Actions on objectives
Event correlation
- A relationship or connection between two or more things - Recognizing that two or more security events are related, then leveraging the relationship to further the analysis - A common correlation key is the IP 5-tuple (protocol, source IP, source port, destination IP, destination port): an IPS alert provides an initial 5-tuple of interest, the log data is already normalized, so the database is queried with that 5-tuple to produce a report of correlated events from every source that saw the same conversation
VERIS: Assets
- Server - Network - User device - Media - Person - Kiosk/Terminal
Diamond model metafeatures
- Timestamp - Phase - Result - Direction - Methodology - Resources
Snort alert in ELSA
- sig_sid (1:19439:9, i.e. generator ID:signature ID:revision) - sig_msg (SQL 1=1) - sig_classification (Web app attack)
Incident response phases
1: Preparation 2: Identification (detection and analysis) 3: Containment, Eradication, and recovery 4: Post-incident analysis (Lessons learned)
Forensic process: Collection
The first phase: identify, label, record, and acquire data from the possible sources of relevant data while following guidelines and procedures that preserve its integrity.
VERIS Schema components
ACTORS, ACTIONS, ASSETS, ATTRIBUTES
Evidence collection step 3
After the data has been acquired, its integrity should be verified. It is particularly important for an analyst to prove that the data has not been tampered with if it might be needed for legal reasons. Data integrity verification typically consists of using tools to compute the message digest of the original and copied data, then comparing the digests to make sure that they are the same.
Forensic process: Analysis
Analyse the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
Diamond model supports
Analytical pivoting, which may start focusing on the adversary but later shift the focus to the victim.
Kill chain model: command and control
Compromised hosts must beacon outbound to an Internet-facing controller to establish a C2 channel over DNS, HTTP, HTTPS, IRC, and so on; the channel may be encrypted. The adversary's server sends commands to the malicious software on the compromised hosts, which can eventually affect the entire network. Regular outbound beacons and unexpected IRC traffic are clues to C2 activity.
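As an added example in Python (not part of the original notes), the following flags the beaconing pattern described above in a constructed set of connection records: for each source/destination/port flow it measures how regular the gaps between connections are. The record layout, the sample data and the thresholds (min_hits, max_cv) are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 -> 203.0.113.7:443 checks in about every 60 s (the beacon);
# 10.0.0.5 -> 198.51.100.20:80 is irregular browsing noise.
SAMPLE_CONNS = [
    (1000, "10.0.0.5", "203.0.113.7", 443),
    (1061, "10.0.0.5", "203.0.113.7", 443),
    (1120, "10.0.0.5", "203.0.113.7", 443),
    (1181, "10.0.0.5", "203.0.113.7", 443),
    (1240, "10.0.0.5", "203.0.113.7", 443),
    (1301, "10.0.0.5", "203.0.113.7", 443),
    (1003, "10.0.0.5", "198.51.100.20", 80),
    (1015, "10.0.0.5", "198.51.100.20", 80),
    (1140, "10.0.0.5", "198.51.100.20", 80),
    (1142, "10.0.0.5", "198.51.100.20", 80),
    (1290, "10.0.0.5", "198.51.100.20", 80),
    (1299, "10.0.0.5", "198.51.100.20", 80),
]


def find_beacons(conns, min_hits=5, max_cv=0.2):
    """Return [(src, dst, port, mean_gap, cv)] for flows whose connection
    intervals are unusually regular.

    cv is the coefficient of variation (population stdev / mean) of the
    gaps between successive connections: an implant sleeping a fixed time
    between check-ins has a cv near 0, a human browsing has a cv near 1.
    min_hits and max_cv are assumed thresholds, not values from the notes.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in conns:
        by_flow[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_hits:       # too few samples to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:                    # burst at one instant, not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((src, dst, port, round(avg, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, port, gap, cv in find_beacons(SAMPLE_CONNS):
        print(f"possible beacon {src} -> {dst}:{port} every ~{gap}s (cv={cv})")
```

Real implants add jitter and long sleeps to defeat exactly this test, so in practice the interval check is combined with byte-count regularity, destination reputation and (for DNS-based C2) query-name entropy from the DNS logs; a low cv is a lead to pivot on, not a verdict.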
NIST.SP 800-61r2
Computer security incident handling guide
CSIRTS
Computer security incident response teams come in all shapes and sizes and serve diverse constituencies.
Coordination centers
Coordinate and facilitate the handling of incidents across various CSIRTs. Example: US-CERT (now part of CISA).
Kill chain model: weaponization
Coupling a remote access trojan with an exploit into a deliverable payload, usually with an automated tool (a weaponizer); development of a cyber weapon based on what recon found (viruses, code injection, email or phishing campaigns, exploits for system vulnerabilities, zero-day attacks), typically embedded in an Adobe PDF or Microsoft Office document.
C2M2
Cybersecurity Capability Maturity Model (C2M2) program enables organizations to evaluate cybersecurity capabilities consistently, communicate capability levels in meaningful terms, and prioritize cybersecurity investments. Model can be used by any organization, regardless of ownership, structure, size, or industry. Within the organization, various stakeholders benefit from familiarity with the model.
Evidence collection order
Data acquisition should be performed using a 3-step process: 1) develop plan to acquire data 2) acquire data 3) verify integrity of data acquired
Kill chain model: actions on objective
Data exfiltration (collecting, encrypting, and extracting data), violations of data integrity or availability, or use of the host as a hop point to compromise additional systems. Goals include intellectual property theft, data theft, bandwidth theft/DoS, spam, botnet expansion, etc. Once the threat actor has reached this point it is very hard to defeat them.
Data integrity
During backups and imaging, the integrity of the original media must be maintained. To ensure that the backup or imaging process does not alter data on the original media, the analyst uses a write-blocker: a hardware or software tool that prevents the computer from writing to the storage media it is connected to. Hardware write-blockers sit physically between the computer and the media being processed and block any write commands to the disk. After the backup or image is made, verify that the copy is an exact duplicate of the original by computing a message digest of both and comparing them. A message digest is a cryptographic hash that identifies the data: changing a single bit produces a completely different digest. MD5 and SHA-1 are the examples usually cited; both are broken against deliberately crafted collisions, so record SHA-256 as well, keeping MD5/SHA-1 only where a tool or a court filing expects them.
Aggregation
Data-mining technique in which data is gathered to obtain information about particular variables, i.e. all records that share a single common value. ELSA may be queried with just an IP address to pull every record involving that address.
Forensic process: Reporting
Describing the actions taken, explaining the tools and procedures used, and determining what other actions need to be performed, such as securing identified vulnerabilities and improving existing security controls.
Evidence collection step 1
Developing a plan is an important first step in most cases because there are multiple potential data sources. The analyst should create a plan that prioritizes the sources, establishing the order in which the data should be acquired.
Security data normalization
In the Security Onion stack these notes use, normalization is done by ELSA: its parsers extract fields from each raw log source (Snort, Bro/Zeek, syslog) into a common, searchable schema.
Analysis centers
Focus on synthesizing data from various sources to determine trends and patterns in incident activity. This information can be used to help predict future activity or to provide early warning when the activity matches a set of previously determined characteristics.
Libpcap
The capture-file format written by tcpdump/windump, Snort, and many other network tools (libpcap is also the name of the capture library). Wireshark and tshark can read it but write pcapng by default now; convert with editcap -F pcap or tshark -F pcap when a downstream tool expects classic pcap.
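As an added example in Python (not part of the original notes), this small parser tells classic libpcap from pcapng by the leading bytes and walks the global and per-record headers of a classic pcap file, which is exactly what breaks when a tool expecting pcap is handed a pcapng file. The two-packet sample file is constructed inline.

```python
import struct

# Classic libpcap magic numbers as they appear on disk. The magic is written
# in the file's native byte order, so its byte pattern reveals the endianness
# and whether timestamps carry microseconds or nanoseconds.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}
# pcapng files start with a Section Header Block; its type 0x0A0D0D0A reads the
# same in either byte order.
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"


def identify(data):
    """'pcap', 'pcapng' or 'unknown' from the first four bytes."""
    head = data[:4]
    if head in MAGICS:
        return "pcap"
    if head == PCAPNG_SHB:
        return "pcapng"
    return "unknown"


def parse_pcap(data):
    """Parse a classic libpcap file: 24-byte global header, then for each
    packet a 16-byte record header followed by incl_len captured bytes."""
    if identify(data) != "pcap":
        raise ValueError("not a classic libpcap file (pcapng needs a different parser)")
    endian, ticks = MAGICS[data[:4]]
    ver_major, ver_minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        packets.append({
            "ts": ts_sec + ts_frac / ticks,    # float seconds since the epoch
            "incl_len": incl_len,              # bytes actually captured
            "orig_len": orig_len,              # bytes on the wire
            "data": data[off:off + incl_len],
        })
        off += incl_len
    return {"version": (ver_major, ver_minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}


def build_sample_pcap():
    """Constructed two-packet little-endian pcap (linktype 1 = Ethernet)."""
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    pkt1 = b"\xaa" * 60
    pkt2 = b"\xbb" * 42
    rec1 = struct.pack("<IIII", 1700000000, 500000, len(pkt1), len(pkt1)) + pkt1
    rec2 = struct.pack("<IIII", 1700000001, 0, len(pkt2), len(pkt2)) + pkt2
    return header + rec1 + rec2


if __name__ == "__main__":
    sample = build_sample_pcap()
    print(identify(sample), parse_pcap(sample)["packets"][0]["ts"])
```

The record loop checks incl_len against snaplen and the remaining file length, so a capture cut off mid-packet (a common result of a crashed sensor) raises instead of silently yielding garbage; the packet payloads themselves still need a link-layer decoder keyed on linktype.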
Preparation phase
Goal is to get company's team and resources ready to handle a security incident. May include: 1 - Educating users and IT staff to respond to computer and network security incidents quickly and correctly 2 - Developing and maintaining all the proper documentation, such as network diagrams, configuration standards, change control documentations, and so on 3 - Planning for the logged and captured data retention period, who does what during an incident, and setting up the proper roles and responsibilities
HTTP transactions in ELSA
HTTP in ELSA is BRO_HTTP - Method (=GET) - Site (examplesite) - URL/URI (/page1/index.php) - Referer (http://examplesite/home/index.php) - User_agent (Mozilla/5.0)
Vendor teams
Handle reports of vulnerabilities in their software and hardware products. They may work within the organization to determine whether their products are vulnerable and to develop remediation and mitigation strategies. A vendor team may also be the internal CSIRT for a vendor organization. For example, Cisco PSIRT is the team for Cisco products.
Containment phase
Hardest and most important decision that is made during an incident. Decision points for containment include: - What is scope of incident - What is the type of device? - What is the network reachability of the device that has been affected by the incident? - How quickly can the incident response team get containment in place? - How quickly is containment needed?
Incident handling: Remediation=Eradication and recovery
IR team investigates to find the origin of the incident. The root cause of the problem and all traces of potentially malicious code are removed, which may also involve changing passwords for accounts, hardening systems, and so on. Data and software are restored from clean backup files, ensuring no vulnerabilities remain. After recovery, the systems are monitored for any sign of weakness and incident recurrence. Recovery may also involve tactical fixes including user account changes, patching software, and device hardening, and prioritizing strategic fixes such as process changes.
Incident handling: Reporting
The IRP should include provisions for incident reporting. Reporting should be immediate and then recur at pre-defined intervals based on incident severity. Once an incident is analyzed and prioritized, the incident response team notifies the appropriate individuals so that everyone who needs to be involved can play their role. Reports can go to both internal and external parties. Exact requirements vary, but the parties typically notified include the CIO, head of information security, system owner, HR, public affairs, the legal department, and law enforcement. Organizations that intend to share information with external organizations should consult their legal department before initiating any coordination; contracts or other agreements, such as an NDA protecting the organization's most sensitive information, may need to be in place before external discussions occur.
Data Preservation
If an analyst needs to establish an accurate timeline of events, file times (modification, access, and creation or metadata-change times) must be preserved. Not all methods of collecting files preserve them; bit-stream images do. Some file times may still be inaccurate because: - the computer clock had the wrong time - the time was not recorded to the expected level of detail (no seconds or minutes) - the attacker may have altered the records
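As an added example in Python (not part of the original notes), the following shows the failure mode described above on a constructed file: a plain byte copy silently replaces the original modification time with the time of the copy, while a metadata-preserving copy keeps it. It also shows how to record the three timestamps in UTC for a timeline. File names and the backdated time are assumptions for the example.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone


def file_times(path):
    """Timestamps an analyst would put on a timeline, in UTC ISO-8601.
    On Unix st_ctime is the inode (metadata) change time, on Windows the
    creation time; label it accordingly when reporting."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {"atime": iso(st.st_atime), "mtime": iso(st.st_mtime), "ctime": iso(st.st_ctime)}


def compare_copy_methods():
    """Constructed demonstration: copy one backdated file two ways and report
    whether each copy kept the source's modification time."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.txt")
        with open(src, "wb") as f:
            f.write(b"constructed sample content\n")
        old = 1_600_000_000                      # 2020-09-13T12:26:40Z, arbitrary
        os.utime(src, (old, old))                # backdate atime and mtime

        plain = os.path.join(d, "copy_plain.txt")
        meta = os.path.join(d, "copy_meta.txt")
        shutil.copyfile(src, plain)              # bytes only: mtime becomes 'now'
        shutil.copy2(src, meta)                  # bytes plus stat (mtime, atime, mode)

        src_mtime = os.stat(src).st_mtime
        return {
            "source_mtime": file_times(src)["mtime"],
            "plain_copy_preserved": abs(os.stat(plain).st_mtime - src_mtime) < 1,
            "meta_copy_preserved": abs(os.stat(meta).st_mtime - src_mtime) < 1,
        }


if __name__ == "__main__":
    print(compare_copy_methods())
```

Even copy2 cannot carry over ctime, because the filesystem sets it when the copy is written; that is why a bit-stream image of the volume, read through a write-blocker, is the only collection method that keeps every timestamp and the filesystem metadata around them.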
Evidence collection step 2
If the data has not already been acquired by security tools, analysis tools, or other means, the general process for acquiring data involves using forensic tools to collect volatile data, duplicating non-volatile data sources to collect their data, and securing the original non-volatile data sources. Data acquisition can be performed either locally or over a network. Acquiring data locally is generally preferable because there is greater control over the system and the data, but local collection is not always feasible.
Incident handling: containment
Incident containment is perhaps the hardest and most important decision made during an incident. Decision points: - What is the scope of the incident? - What is the type of device? - What is the network reachability of the affected device? - How quickly can the incident response team get containment in place? - How quickly is containment needed?
Post-incident analysis (lessons learned)
Incident response team analyzes how and why the incident happened and performs an FMEA against it.
Incident handling: scoping = analysis
Incident response team should work quickly to analyze and validate each incident, following a pre-defined process and documenting each step that is taken. When the team believes an incident has occurred, the team should rapidly perform an initial analysis to determine the incident's Scope. Initial analysis may include: - Which networks, systems, or applications are affected - Who or what originated the incident - What tools or attack methods are being used? - Which vulnerabilities are being exploited? The initial analysis should provide enough info for the team to prioritize subsequent activities such as containment of the incident and deeper analysis of the effects of the incident (if required, this deeper analysis may occur after the containment phase).
Forensic process: Examination
Involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data.
What elements should be included in an incident response policy as outlined in NIST SP 800-61r2?
The elements below are the ones 800-61r2 lists for the incident response policy; the plan built on that policy additionally covers mission, strategies and goals, senior management approval, metrics, and a roadmap for maturing the capability. Key policy elements: - Statement of management commitment - Purpose and objectives of the policy - Scope of the policy (to whom and what it applies and under what circumstances) - Definition of computer security incidents and related terms - Organizational structure and definitions of roles, responsibilities, and levels of authority; should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements for reporting certain types of incidents, the requirements and guidelines for external communications and information sharing (e.g. what can be shared with whom, when, and over what channels), and the handoff and escalation points in the incident management process - Prioritization or severity ratings of incidents - Performance measures - Reporting and contact forms
Kill chain model: installation
Maintain persistence inside the environment: establish a back door to the target that raises no alerts to defenders over a prolonged period, survives a reboot, and evades antivirus and malware detection; the installed implant can also enrol the host in a botnet.
Chain of custody
Must log every person who had physical custody of evidence, document actions that they performed on the evidence and at what time, store the evidence in a secure location when not being used, make a copy of evidence and verify the integrity of original and copied evidence.
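As an added example in Python (not part of the original notes), the following ties together the three-step acquisition procedure, the digest-based integrity check, and the chain-of-custody record described in the cards above: it copies a source into an evidence store, hashes both sides, logs every step with who did it and when, and later re-verifies the image to catch an unlogged change. The evidence store layout, the log format, the analyst name and the write-blocker note are assumptions; the write-blocker itself is hardware and is only recorded, not implemented.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only JSON-lines record of who touched which item, when, and how."""

    def __init__(self, path):
        self.path = path

    def record(self, who, action, item, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "who": who, "action": action, "item": item, **details}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]


def acquire(source, dest_dir, analyst, log):
    """Steps 2 and 3 of the notes: copy the source into the evidence store,
    then prove the copy matches by comparing digests. Every step is logged.
    Returns (image_path, verified)."""
    os.makedirs(dest_dir, exist_ok=True)
    image = os.path.join(dest_dir, os.path.basename(source) + ".img")
    # The write-blocker sits in hardware in front of the source; it is only
    # recorded here, not implemented (assumption for the example).
    log.record(analyst, "acquire-start", source, note="source attached via hardware write-blocker")
    src_hash = digest(source)
    log.record(analyst, "hash-source", source, sha256=src_hash)
    shutil.copy2(source, image)                 # copy2 also keeps file times
    img_hash = digest(image)
    verified = img_hash == src_hash
    log.record(analyst, "hash-image", image, sha256=img_hash, verified=verified)
    log.record(analyst, "store", image, location="evidence locker (assumed)")
    return image, verified


def verify_unchanged(image, expected_sha256):
    """Re-hash later (before analysis, before handing over) to show nothing changed."""
    return digest(image) == expected_sha256


def demo():
    """Constructed run: acquire a fake image, verify it, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "disk.raw")
        with open(src, "wb") as f:
            f.write(b"constructed disk image bytes\n" * 1000)
        log = CustodyLog(os.path.join(d, "custody.jsonl"))
        image, ok = acquire(src, os.path.join(d, "evidence"), "analyst-1", log)
        original_hash = digest(src)
        with open(image, "ab") as f:              # simulate an unlogged change
            f.write(b"x")
        still_intact = verify_unchanged(image, original_hash)
        return ok, still_intact, len(log.entries())


if __name__ == "__main__":
    print(demo())
```

Analysis is then done on a second working copy made from the verified image, never on the image itself, and every hand-off between people adds a log entry; the SHA-256 recorded at acquisition is what a later examiner, or a court, compares against.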
Incident response providers
Offer incident handling services as a for-fee service to other organizations.
PCI-DSS
Payment Card Industry Data Security Standard. Cardholder data is any information on a customer's payment card: printed on either side, held digitally on the magnetic stripe on the back, and on some cards in a chip on the front. The front usually shows the primary account number (PAN), cardholder name, and expiration date; the stripe or chip holds these plus sensitive authentication data used for authentication and authorization. In general, a merchant should store no payment card data unless the business needs it. Sensitive authentication data from the stripe or chip (full track data, card verification code, PIN) must never be stored after authorization. Only the PAN, expiration date, service code, and cardholder name may be stored, and the PAN must be protected with technical measures (rendered unreadable by truncation, hashing, tokenization, or strong encryption) and masked when displayed.
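As an added example in Python (not part of the original notes), this is the kind of check a SOC runs over logs and file shares to find cardholder data stored where it should not be: candidate digit runs are confirmed with the Luhn checksum, which every PAN passes, and then masked to the first six and last four digits. The log line is constructed and uses a well-known test PAN.

```python
import re

# Constructed application log line: a 13-digit order number that happens to
# look like a card number, a real-looking test PAN, and a CVV.
SAMPLE_LOG = "2024-01-02 order=1234567890123 card=4111 1111 1111 1111 cvv=123"

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: every card PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan):
    """First six and last four digits visible, the rest masked (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return the unseparated PAN candidates in text that pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def redact(text):
    """Mask every Luhn-valid PAN in text; leave everything else as it was."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()
    return CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

The order number fails Luhn and is left alone, which is the point of the check: a bare digit-count regex would flag it. Note that the cvv field in the sample is sensitive authentication data that must not be logged at all; a real scanner raises an alert on it rather than masking it, and Luhn matches are still only candidates, since other identifiers also carry a Luhn check digit.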
What is PHI?
Protected health information is any information, oral or recorded in any form or medium, that: (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (i) identifies the individual, or gives a reasonable basis to believe the information can be used to identify the individual; and (ii) is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in education records or in employment records held by a covered entity in its role as employer.
SOX (Sarbanes-Oxley Act of 2002)
Protects investors from fraudulent accounting by corporations. Its requirements for accurate financial records and internal controls mean IT must retain records and audit logs and be able to demonstrate controls over the systems that produce financial data.
National CSIRT
Provide incident handling services to a country. Examples include JPCERT/CC or SingCERT.
Internal CSIRT
Provide incident handling services to the parent organization, which could be a CSIRT for a bank, university, federal agency.
Volatile data collection
RAM of a system. RAM can contain frequently and recently accessed data, data files, password hashes, recent commands, residual data in slack and free space, network configuration, network connections, running processes, open files, login sessions, and the OS time. Collect it before powering the system down, in order of volatility (memory and network state first, then disk).
Kill chain model: recon
Research, identification, and selection of targets; can use websites, news articles, social media, gathering of intelligence, address lookup and whois record.
Incident handling: identification
SOC analyst performs continuous monitoring and active cyber threat hunting. When a true positive incident has been detected, the incident response team is activated. During the investigation process, the SOC analyst or the incident response team may also contact the CERT/CC, or other security intel sources, which tracks internet security activity and has the most current threat info.
Detection and analysis (identification) phase
SOC analyst performs continuous monitoring, active cyber threat hunting. Team may also contact CERT/CC or other intel sources.
Detection and analysis (analysis) phase
Team works quickly to analyze and validate each incident following a pre-defined process and documenting each step that is taken. When the team believes an incident has occurred, the team should rapidly perform an initial analysis to determine the incident's scope. Initial analysis may include: - Which networks, systems, or applications are affected? - Who or what originated the incident? - What tools or attack methods are being used? - Which vulnerabilities are being exploited? Initial analysis should provide enough info for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident.
Incident handling: Lesson-based hardening=lessons learned
The IR team analyze how and why the incident happened and performs an FMEA (failure modes and effect analysis), against it. FMEA is a qualitative and systematic tool, usually created within a spreadsheet, to help practitioners anticipate what might go wrong with a product or process. This phase involves documenting how the incident was handled, recommendations for better future response, and how to prevent recurrence.
Diamond model: Victim
The adversary's target against whom vulnerabilities and exposures are exploited and capabilities are used.
Deterministic Assessment Method
The analyst should base their scenario assessment on a small or very limited set of assigned values and variables. This method relies on known data values to yield a single outcome for each proposed scenario. Due to the absolute nature of performing a deterministic assessment, minimum speculation is required in order to formulate an outcome.
Probabilistic Assessment Method
The analyst should consider a wide range of probable scenarios which provide a distribution of all possible outcomes that can assist the analyst in determining the likelihood that an exploit will impact the network. Because the probabilistic model takes into account a wider range of probable scenarios and a higher degree of speculation, the probabilistic model is generally less accurate than the deterministic model.
Diamond model: Infrastructure
The physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities, and effect results from the victim ( for example, exfil data).
Normalization
The process of manipulating security data and fitting it into a common schema. Security event monitoring systems must provide parsers that are designed to work with each of the different data sources. The parsers algorithmically take the event data and extract the relevant characteristics and fill in the appropriate fields in the common schema.
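As an added example in Python (not part of the original notes), the following implements the parser-per-source normalization described here and then the two queries the earlier cards describe against the normalized data: correlation by IP 5-tuple starting from a Snort alert, and aggregation of every record that shares one IP address. The Snort line is in fast-alert format and the Bro/Zeek http.log lines are tab-separated; the message text for SID 19439, the http.log column subset, and all sample records are constructed for the example.

```python
import re

# Snort "fast" alert format, one line per alert. ICMP alerts carry no ports
# and would need a second pattern; this example handles TCP/UDP lines.
SNORT_FAST = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Column order assumed for the constructed Bro/Zeek http.log lines below
# (a real http.log has more columns; the order comes from its #fields header).
ZEEK_HTTP_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                    "method", "host", "uri", "referrer", "user_agent"]

SAMPLE_SNORT = [
    '01/02-10:15:30.123456  [**] [1:19439:9] "SQL 1 = 1 - possible sql injection attempt" [**] '
    '[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51234 -> 10.0.0.8:80',
]
SAMPLE_ZEEK_HTTP = [
    "\t".join(["1704190530.123456", "CHhAvVGS1DHFjwGM9", "198.51.100.23", "51234", "10.0.0.8", "80",
               "GET", "examplesite", "/page1/index.php?id=1' OR 1=1--",
               "http://examplesite/home/index.php", "Mozilla/5.0"]),
    "\t".join(["1704190532.000000", "CY8Q2m1Zb2X6K7", "198.51.100.23", "51240", "10.0.0.8", "80",
               "GET", "examplesite", "/robots.txt", "-", "Mozilla/5.0"]),
    "\t".join(["1704190540.500000", "C3xL9a4Q1p0Wn2", "10.0.0.12", "40000", "10.0.0.8", "80",
               "GET", "examplesite", "/home/index.php", "-", "Mozilla/5.0"]),
]


def normalize_snort(line):
    """Snort fast alert -> common schema (5-tuple plus signature fields)."""
    m = SNORT_FAST.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    return {
        "source": "snort",
        "ts": m["ts"],                      # fast format carries no year; kept as text
        "proto": m["proto"].upper(),
        "src_ip": m["src"], "src_port": int(m["sport"]),
        "dst_ip": m["dst"], "dst_port": int(m["dport"]),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"].strip('"'),
        "classification": m["cls"],
        "priority": int(m["pri"]) if m["pri"] else None,
    }


def normalize_zeek_http(line):
    """Bro/Zeek http.log row -> common schema (5-tuple plus HTTP fields)."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != len(ZEEK_HTTP_FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(ZEEK_HTTP_FIELDS), len(cols)))
    raw = dict(zip(ZEEK_HTTP_FIELDS, cols))
    unset = lambda v: None if v == "-" else v   # Zeek writes '-' for unset fields
    return {
        "source": "zeek_http",
        "ts": float(raw["ts"]),
        "proto": "TCP",                     # HTTP in http.log is always over TCP
        "src_ip": raw["id.orig_h"], "src_port": int(raw["id.orig_p"]),
        "dst_ip": raw["id.resp_h"], "dst_port": int(raw["id.resp_p"]),
        "method": unset(raw["method"]), "site": unset(raw["host"]), "uri": unset(raw["uri"]),
        "referer": unset(raw["referrer"]), "user_agent": unset(raw["user_agent"]),
    }


def normalize_all(snort_lines, zeek_http_lines):
    return [normalize_snort(l) for l in snort_lines] + [normalize_zeek_http(l) for l in zeek_http_lines]


def five_tuple(event):
    return (event["proto"], event["src_ip"], event["src_port"], event["dst_ip"], event["dst_port"])


def correlate(events, tup):
    """Every normalized record, from any source, that saw this exact conversation."""
    return [e for e in events if five_tuple(e) == tup]


def aggregate(events, ip):
    """Every record in which the IP appears as source or destination."""
    return [e for e in events if ip in (e["src_ip"], e["dst_ip"])]


if __name__ == "__main__":
    events = normalize_all(SAMPLE_SNORT, SAMPLE_ZEEK_HTTP)
    alert = next(e for e in events if e["source"] == "snort")
    for e in correlate(events, five_tuple(alert)):
        print(e["source"], e.get("msg") or e.get("uri"))
    print(len(aggregate(events, alert["src_ip"])), "records involve", alert["src_ip"])
```

Because both parsers fill the same 5-tuple keys, the alert's tuple pulls up the Zeek HTTP record carrying the injected 1=1 string without any source-specific query; the aggregation by the attacker's address then shows the follow-up request to /robots.txt that the IPS never alerted on. Timestamps are deliberately left in each source's own form here; a production normalizer also converts them to one epoch format so events can be ordered across sources.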
Eradication and recovery phase
The team investigates to find the origin of the incident. The root cause of the problem is found and all traces of potentially malicious code are removed, which may also involve changing passwords for accounts, hardening systems, and so on. Data and software are restored from clean backup files, ensuring no vulnerabilities remain. After recovery, the systems are monitored for any sign of weakness and incident recurrence. Recovery may also involve tactical fixes including user account changes, patching software, and device hardening, and prioritizing strategic fixes such as process changes.
Diamond model: Adversary
The threat actor organization responsible for utilizing a capability against the victim to achieve their intent. The knowledge about the adversary is generally elusive, and this node is likely to be empty for most events, at least at the time of discovery.
Diamond model: Capability
The tools and/or techniques the adversary used in the event.
Kill chain model: delivery
Transmission of the weapon to the targeted environment via a communication vector such as email attachments, websites, or USB removable media; to avoid detection, delivery uses obfuscation (hiding or disguising the payload) or encryption so the content is unreadable to inspection.
Kill chain model: exploitation
Triggering the intruder's code: through an application or operating-system vulnerability, through the users themselves, through an operating-system feature that auto-executes code, or through SQL injection.
FMEA
[FAILURE, MODE, EFFECTS, ANALYSIS] A qualitative and systematic tool, usually created within a spreadsheet, to help practitioners anticipate what might go wrong with a product or process. This phase includes documenting how the incident was handled, recommendations for future better response, and how to prevent a recurrence.