Incident Response and Computer Crime Investigations

CyberCPR

hardened web application, locally or cloud, for incident, systems, ad evidence tracking. The brainchild of SANS instructor Steve Armstrong.

What is the benefit of a web proxy?

Reduces bandwidth usage and congestion. As well as filter out sites that are inappropriate for a business. Proxy logs can be sued to build more thorough profiles of activity and suspicious traffic.

Incident Response

Response to an incident with technical components

hexidecimal

A base-16 number system that uses sixteen distinct symbols 0-9 and A-F to represent numbers from 0 to 15.

What is the best way to handle original evidence?

Make working copies and best evidence that is reasonable available

What are DLLs

Modules that extend the functionality of an executable. allows attackers to install file less malware by injecting DLL malware.

Incident handleing

Non technical aspect of coordinating with departments and team building

What forensic tools are approved in court?

None. Popular tools are effective and tested over time

netstat -naob | more

netstat shows information on processes listening on local system -n = show ip and ports numbers only -a = show all processes -o = show owning process -b = shows the executable (or DLL)

List some examples to contain an incident

private vlans, patching, removing backdoors, applying filters on routers and FW, changing entries on DNS

What are some ways to examine services?

services.msc, net start, sc query | more, tasklist /svc

Why does context matter in incident handleing

should determine if an actual incident occurred by gathering evidence before a conclusion is made.

What are hash collisions?

when two different inputs yield the same output. Chances are of collisions are very low.

What is clock skew?

where one system is faster or slower than another

Six Step Incident Response Process

1. Preparation: Before an attack 2. Identification: Commonly called detection 3. Containment: evidence collection 4. Eradication: Mitigation efforts 5. Recovery: Damage control 6. Lesson Learned: Final report exploits and fixes

What is the philosophy of incident response?

1. Prevention, detection, and response of an attack is the primary goal 2. Not a matter of if but when 3. Offense must inform defense 4. Know TTP's for threat actors is critical to know what to look for 5. Context matters when an incident is reported

List unusual activity to examine

1. Processes 2. TCP/IP connections 3. Services 4. ASEP's 5. Accounts/Groups 6. Scheduled Tasks 7. Logs 8. Performance

What is ASEPs

autostart entry points in the registry. same few keys that are used by malware. Used for persistence. Three commonly used ones are run, runonce, runonceex

What is GRR Rapid Response

- Free open source security tool - incident response framework focused on remote live forensics. - asynchronous which pulls information from systems once back online. ie. laptops

Cyberchef Tool

- web based tool that can encode and decode data - attacker use this method to hide data - you can encode multiple times with different formats

dual-homed host

A host that resides on more than one network and posses more than one physical network card. An example could be a firewall or edge router.

What is investigative pivoting?

A strategy to investigate a new path based on the evidence found. Which can expand the scope of the investigation.

What is an incident?

A threat or actual adverse interruption or threat that has impacted "normal" IT operations

Insider Threat

A threat to an organization from an entity that has authorized access. There are intentional and unintentional threats and detection can be difficult due to legitimate activities.

How is encoded data used?

A way to safely transfer characters without encryption. Attackers may try to use this method to deliver a payload to a target discretely

Why pay attention to any running processes with what type of encoding in the command line?

Attackers will use base64 encoding to run scripts in powershell

What are some encoded data?

Base64, UTF-8, UTF-16, URL encoding, Powershell, Web apps are examples of

What is the language for TCP Dump

Berkley packet filters (BPF)

What are ways attackers can hook APIs in task manager?

DLL injection with a root kit

Define scoping

Determining where the threat actors are in an organization's network. This can be difficult as attacks pivot.

What is digital evidence?

Digital evidence proves or disproves an assertion from computing environments. It must be relevant, authentic, and reliable.

DHCP

Dynamic Host Configuration Protocol. A service used to dynamically assign TCP/IP configuration information to clients. DHCP is often used to assign IP addresses, subnet masks, default gateways, DNS server addresses, and much more.

Base 32

Encoding: - uppercase letters - 0-6 - =

RTIR

Free serires of PERL scripts by Best Practical for incident tracking system

what is the goal of recovery

Get back up and running by rebuidling

Describe chain of custody

documentation that is organized into two components a header and possession log to track evidence collected

Describe preparation in incident response methodology

Knowing the organization's critical assets and policies. Internal logging is vital to incident response. Always have a recovery plan and backups.

What is IAC

Infrastructure as Code; rebuilding systems with code

What is an event?

It can be defined as any change of state that has significance for the management of a Configuration Item or IT Service

Why are baselines important

It is a best practice to have baselines of your systems to identify deviations from normal operations

What is data reduction?

It is reducing the amount of data to examine. It focusses on artifacts of interests and ignores the known goods.

Identify suspicious processes

Look for unrecognized process, random looking, non standard paths, parent suspicious, base64 encoding

tcpdump -nn port #

Packet sniffing tool. Installed on Linux by default. - nn = do not resolve host and port names

Common problems with incident response models

Poor execution of best security practices. Lack of monitoring and threat intelligence.

Describe SEIM's

Security information and event management (SIEM) tools centralize, correlate, and analyze data across the IT network to detect security issues.

Ransomware

Software that encrypts programs and data until a ransom is paid to remove it. To pay or not to pay is a business decision.

What are user agent logs?

Strings sent in HTTP headers Used to ID the browsers that sent HTTP request. Easy to spoof But not often so look for strings that stand out. Useragent.log file

What are some methods of cyber deception in defense

This is setting up traps for the attackers. Utilizing honey pots or word web bugs. You can set up local port listening to see who is scanning which will trigger an event.

What is the goal for lessons learned

This is where the final report is produced.

Why do you want to minimize the time between when evidence is generated to the time is it collected?

To minimize risk of evidence from being overwritten and lost

What is the goal of containment?

To stop the attacker from continuing to operate in the environment. Proper scoping in critical.

What is the goal of eradication?

Undoing what the attacker did. Examples: restoring from backups rebuild Removing backdoors Vulnerability assessment Fraudulent transactions Restoring source code

Zeus Trojan

Zeus Virus (or Zeus Trojan malware) is a form of malicious software that targets Microsoft Windows and is often used to steal financial data.

base 64

a positional numeral system using only printable ASCII characters. - A-Z - a-z - 0-9 - +/=

what are some issues with network packet captures

accessibility: not every device provides information easily Fidelity: not every source records information Visibility: Encryption can reduce this Lowest practical view at L3

arp -a

command prompt that will show IP addresses and corresponding MAC addresses of remote computers.

FortiSOAR

commercial incident tracking system

URL decoding

encoding: - upper case letters - %3d

what are artifacts timelines

entries that come directly from the evidence

What is digital duplication

imaging is a copy of all of the bits from the source, usually stored as a file on a file system somewhere

what is an word web bug

it can be a document or folder that when accessed triggers a script which then produces an event or alert to the defender.

Define Detection

the ability to determine the presence of an incident. There are many sources i.e. FW, IDS, Users, 3rd parties. But your first step is to verify that there is indeed an incident.

Incident handling and response should always be aligned with what decision making process

the business goals