Incident Response and Computer Crime Investigations
CyberCPR
A hardened web application, deployable locally or in the cloud, for incident, systems, and evidence tracking. The brainchild of SANS instructor Steve Armstrong.
What is the benefit of a web proxy?
Reduces bandwidth usage and congestion, and filters out sites that are inappropriate for a business. Proxy logs can be used to build more thorough profiles of activity and suspicious traffic.
Incident Response
Response to an incident with technical components
Hexadecimal
A base-16 number system that uses sixteen distinct symbols, 0-9 and A-F, to represent the values 0 to 15.
What is the best way to handle original evidence?
Make working copies, and use the best evidence that is reasonably available.
What are DLLs?
Modules that extend the functionality of an executable. They allow attackers to install fileless malware by injecting a malicious DLL.
Incident handling
The non-technical aspect of coordinating with departments and team building.
What forensic tools are approved in court?
None. Popular tools are effective and have been tested over time.
netstat -naob | more
netstat shows information on processes listening on the local system. -n = show IP addresses and port numbers only; -a = show all processes; -o = show the owning process; -b = show the executable (or DLL) involved.
List some examples to contain an incident
Private VLANs, patching, removing backdoors, applying filters on routers and firewalls, changing DNS entries.
What are some ways to examine services?
services.msc, net start, sc query | more, tasklist /svc
Why does context matter in incident handling?
You should determine whether an actual incident occurred by gathering evidence before a conclusion is made.
What are hash collisions?
When two different inputs yield the same hash output. The chances of a collision are very low.
What is clock skew?
Where one system's clock runs faster or slower than another's.
Six Step Incident Response Process
1. Preparation: before an attack; 2. Identification: commonly called detection; 3. Containment: evidence collection; 4. Eradication: mitigation efforts; 5. Recovery: damage control; 6. Lessons Learned: final report on exploits and fixes.
What is the philosophy of incident response?
1. Prevention, detection, and response to an attack is the primary goal; 2. Not a matter of if but when; 3. Offense must inform defense; 4. Knowing the TTPs of threat actors is critical to knowing what to look for; 5. Context matters when an incident is reported.
List unusual activity to examine
1. Processes 2. TCP/IP connections 3. Services 4. ASEPs 5. Accounts/Groups 6. Scheduled Tasks 7. Logs 8. Performance
What are ASEPs?
Autostart entry points in the registry. The same few keys are used by malware for persistence. Three commonly used ones are Run, RunOnce, and RunOnceEx.
What is GRR Rapid Response?
- Free open-source security tool - incident response framework focused on remote live forensics - asynchronous: it pulls information from systems once they are back online, e.g. laptops.
Cyberchef Tool
- Web-based tool that can encode and decode data - attackers use encoding to hide data - you can encode multiple times with different formats.
dual-homed host
A host that resides on more than one network and possesses more than one physical network card. An example could be a firewall or edge router.
What is investigative pivoting?
A strategy of investigating a new path based on the evidence found, which can expand the scope of the investigation.
What is an incident?
A threatened or actual adverse interruption that has impacted "normal" IT operations.
Insider Threat
A threat to an organization from an entity that has authorized access. There are intentional and unintentional insider threats, and detection can be difficult because the activity resembles legitimate use.
How is encoded data used?
A way to safely transfer characters without encryption. Attackers may try to use this method to deliver a payload to a target discreetly.
Why pay attention to running processes with encoded command lines, and what type of encoding?
Attackers will use Base64 encoding to run scripts in PowerShell.
What are some examples of encoded data?
Base64, UTF-8, UTF-16, URL encoding, PowerShell, and web apps are examples.
What is the filter language for tcpdump?
Berkeley Packet Filter (BPF)
What are ways attackers can hook the APIs used by Task Manager?
DLL injection with a rootkit.
Define scoping
Determining where the threat actors are in an organization's network. This can be difficult as attackers pivot.
What is digital evidence?
Digital evidence proves or disproves an assertion from computing environments. It must be relevant, authentic, and reliable.
DHCP
Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.
Base32
Encoding alphabet: - uppercase letters - 0-6 - = (padding)
RTIR
Free series of Perl scripts by Best Practical for an incident tracking system.
What is the goal of recovery?
Get back up and running by rebuilding.
Describe chain of custody
Documentation organized into two components, a header and a possession log, to track the evidence collected.
Describe preparation in incident response methodology
Knowing the organization's critical assets and policies. Internal logging is vital to incident response. Always have a recovery plan and backups.
What is IaC?
Infrastructure as Code; rebuilding systems with code.
What is an event?
It can be defined as any change of state that has significance for the management of a configuration item or IT service.
Why are baselines important?
It is a best practice to have baselines of your systems to identify deviations from normal operations
What is data reduction?
It is reducing the amount of data to examine. It focuses on artifacts of interest and ignores the known goods.
Identify suspicious processes
Look for unrecognized processes, random-looking names, non-standard paths, suspicious parent processes, and Base64 encoding.
tcpdump -nn port #
Packet sniffing tool, installed on Linux by default. -nn = do not resolve host or port names.
Common problems with incident response models
Poor execution of best security practices. Lack of monitoring and threat intelligence.
Describe SIEMs
Security information and event management (SIEM) tools centralize, correlate, and analyze data across the IT network to detect security issues.
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it. To pay or not to pay is a business decision.
What are user agent logs?
Strings sent in HTTP headers, used to identify the browser that sent the HTTP request. Easy to spoof, but not often spoofed, so look for strings that stand out. Useragent.log file.
What are some methods of cyber deception in defense?
Setting up traps for attackers, utilizing honeypots or Word web bugs. You can set up a local listening port to see who is scanning, which will trigger an event.
What is the goal of lessons learned?
This is where the final report is produced.
Why do you want to minimize the time between when evidence is generated and when it is collected?
To minimize the risk of evidence being overwritten and lost.
What is the goal of containment?
To stop the attacker from continuing to operate in the environment. Proper scoping is critical.
What is the goal of eradication?
Undoing what the attacker did. Examples: restoring from backups or rebuilding, removing backdoors, vulnerability assessment, fraudulent transactions, restoring source code.
Zeus Trojan
Zeus Virus (or Zeus Trojan malware) is a form of malicious software that targets Microsoft Windows and is often used to steal financial data.
Base64
A positional numeral system using only printable ASCII characters: - A-Z - a-z - 0-9 - +/=
What are some issues with network packet captures?
Accessibility: not every device provides information easily. Fidelity: not every source records information. Visibility: encryption can reduce this. The lowest practical view is at L3.
arp -a
Command-prompt command that shows IP addresses and the corresponding MAC addresses of remote computers.
FortiSOAR
Commercial incident tracking system.
URL decoding
Encoding: - uppercase letters - %3d
What are artifact timelines?
Entries that come directly from the evidence.
What is digital duplication?
Imaging: a copy of all of the bits from the source, usually stored as a file on a file system somewhere.
What is a Word web bug?
A document or folder that, when accessed, triggers a script which then produces an event or alert for the defender.
Define Detection
The ability to determine the presence of an incident. There are many sources, e.g. firewalls, IDS, users, and third parties, but your first step is to verify that there is indeed an incident.
Incident handling and response should always be aligned with what decision-making process?
The business goals.