Solving Data Breach Points of Egress with Sophisticated Analysis


Presentation Transcript


  1. Solving Data Breach Points of Egress with Sophisticated Analysis
  Christopher Andrews, CFCE, EnCE, Director, Kroll Advisory Solutions

  2. About the speaker
  • Christopher Andrews is a Director for Kroll Advisory Solutions, formerly with Kroll Ontrack, the recognized worldwide leader in the computer forensics industry.
  • Mr. Andrews conducts investigations involving the analysis of electronic media for litigation and is often called upon to provide expert testimony.
  • Previously, Mr. Andrews was a Special Agent with the Northern California Computer Crimes Task Force. He assisted more than 40 law enforcement agencies with the seizure and forensic examination of computers and related storage media.
  • Mr. Andrews is a member of many professional organizations, including IACIS and HTCIA, and has been a speaker at several national conferences. He has also authored numerous articles.

  3. Agenda
  • A recent case study
  • Witness interviews
  • Basic forensic analysis of workstations, servers and volatile memory for evidence of unauthorized access
  • Log analysis
  • Timeline analysis
  • Exfiltration of data

  4. A recent case study

  5. Day One – Discovery
  • Victim is a health care provider
  • Victim's customers call into the help desk: unable to access the network
  • Victim IT finds unauthorized access to the network
  • Suspicious internal data traffic
  • Evidence of rootkits, remote access, and malware found by the IT department

  6. Day Three – Partnership
  • Three days since the problem was initially discovered
  • Forensics experts brought in to review the problem
  • Forensic imaging
  • Log collection
  • Interviews with IT personnel
  • Determining history of known vulnerabilities

  7. Investigation – Findings
  • Proof of installation of malware, including a secure VPN tunnel used by the intruders
  • Evidence of customized .exe files that can be used to modify the registry and gain shell access
  • Internet history includes visits to a Russian FTP site via the intruder's user profile
  • Download and launch of a Russian virtual server in the victim environment!
  • That server was leased an IP address by the victim's own servers without triggering any alarms

  8. Investigation – Decision
  • Victim password hashes located on a Russian server
  • Over 2,000 files containing PHI had last accessed dates post-intrusion
  • These files were accessible, and the possibility that PHI was transferred could not be ruled out
  • Transaction logs that might establish exfiltration of data were destroyed/missing

  9. Witness interviews

  10. Response and Evidence Gathering
  • Goal:
    • Identify systems that are under attack or require analysis
    • Identify and document the population of internal investigations and analysis
    • Develop a protocol / collect volatile and static evidence
    • Preserve other forms of data and information

  11. Identify and Interview Key Custodians, IT, and Other Witnesses
  • Take your time. Plan these out. This is a very important step.
  • Okay to gain general info in a group setting, but best to interview key witnesses individually.
  • Not an interrogation. Treat witnesses like victims of a crime BUT do not say anything that might get you in trouble later if the witness turns out to be a suspect!
  • Take lots of notes. Audio/video record?

  12. Identify and Interview Key Custodians, IT, and Other Witnesses
  • Ideally, have a second investigator there to take notes and to rotate questions.
  • Get the witness's contact information and ask if it is OK to follow up later.
  • Leave the witness your card and tell them it is OK to contact you if they think of anything else.
  • Transcribe notes soon after the interview. Note any follow-up questions.

  13. Basic forensic analysis of workstations, servers and volatile memory for evidence of unauthorized access

  14. Back in the Lab – Some Basic First Steps
  • Start a tracking sheet: list all media, tasks to perform, notable findings, search terms (IP addresses, URLs, etc.)
  • Recover deleted files
  • Run scans for known and suspected malware using specialized malware scanning applications and hashing
  • Run keyword searches on all data (active, deleted, slack, unallocated) for common terms associated with malware, password stealing tools, and other intrusion artifacts

  15. Windows Basics
  • Parse Registry files for some basic items:
    • Auto-run lists, MRU lists, IP addresses leased, unauthorized software, unauthorized user profiles, FTP lists, Typed URLs, Jump Lists, drive mappings, MUICache, ShellBags, UserAssist, compression tools used (WinZIP, WinRAR), etc.
  • Parse Event logs, IIS, AV and other logs
  • Parse Prefetch files (if applicable)
  • Parse shell link files and Internet History
  • Look for unauthorized user folders and content

  16. Linux Basics
  • Parse syslogs, bash history, and other logs
  • Once notable dates are identified, run searches against unallocated space for missing log records
  • Look for unauthorized user folders and content
  • passwd, shadow, and group file review
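The "run searches against unallocated space for missing log records" step, as an added example that is not part of the presentation: it carves RFC 3164-style syslog records out of a constructed byte blob standing in for unallocated space and filters them to one notable date. The blob, hostnames and addresses are made up; the year is supplied by the caller because syslog headers omit it.

```python
import re
from datetime import datetime

# Constructed stand-in for a chunk of unallocated disk space: fragments of
# deleted syslog records mixed with binary junk. Hosts and addresses are made up.
UNALLOCATED = (
    b"\x00\x00\xffNov 22 09:17:03 web01 sshd[4412]: Accepted password for backup"
    b" from 198.51.100.23 port 51022 ssh2\n"
    b"\x7fELF\x01\x01\x01\x00junk\x00\x00"
    b"Nov 22 09:21:45 web01 useradd[4470]: new user: name=svc_upd, UID=0, GID=0, home=/root\n"
    b"\x00\x00Nov 20 03:02:11 web01 CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)\n"
    b"Nov 22 11:40:02 web01 sshd[5102]: Accepted publickey for svc_upd"
    b" from 198.51.100.23 port 51100 ssh2\n"
    b"\xde\xad\xbe\xef"
)

# Classic (RFC 3164) syslog header: "Mon DD HH:MM:SS host process[pid]: message".
# Records are matched anywhere in the blob, so a partially overwritten line still
# yields whatever header-plus-message survives (the message stops at NUL or newline).
SYSLOG_RE = re.compile(
    rb"(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>[\w.-]+) (?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>[^\n\x00]{1,1024})"
)

def carve_syslog(blob: bytes, year: int):
    """Return sorted (timestamp, host, process, message) tuples for every
    syslog-looking record in blob. Syslog headers omit the year, so the caller
    supplies it (normally taken from the surrounding evidence)."""
    records = []
    for m in SYSLOG_RE.finditer(blob):
        ts = datetime.strptime(f"{year} {m['ts'].decode()}", "%Y %b %d %H:%M:%S")
        records.append((ts, m["host"].decode(), m["proc"].decode(),
                        m["msg"].decode(errors="replace")))
    return sorted(records)

def records_on(blob: bytes, year: int, month: int, day: int):
    """Carved records from one notable date, e.g. the day of the suspected intrusion."""
    return [r for r in carve_syslog(blob, year) if (r[0].month, r[0].day) == (month, day)]

if __name__ == "__main__":
    for ts, host, proc, msg in records_on(UNALLOCATED, 2011, 11, 22):
        print(ts, host, proc, msg)
```

Carved records have no integrity guarantee (they may be stale or partially overwritten), so treat them as leads to corroborate against other sources rather than as proof on their own.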

  17. RAM Basics
  • Parse for running processes
  • Parse for registry keys
  • Parse for drivers
  • Parse for open files
  • Run searches for known terms such as suspicious IP addresses/URLs
  • Other items (file carving?)

  18. Malware
  • ID as much as possible. Is it known malware?
  • Reverse-engineer the malware if possible
  • Are there unique findings that you can use as part of a search term?
    • Example: Hacker Defender / Hamachi
  • Does the malware even allow for the kind of activity that the victim is worried about?
    • Zeus variants, for example, will typically not allow remote access/data exfiltration other than typed URLs/passwords

  19. Malware
  • Example: unauthorized activity on a server in our scenario on November 22, 2011 at 0921 hours
  • Symantec Endpoint logs show the following activity from the suspect user profile:
    • Changed value 'HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\OnOff' from '1' to '0'
  • A few hours later the following files are 'created' on the same server.

  20. Malware
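The real-time scan disable on slide 19 is the kind of AV log event worth turning into a timeline check: files that appear while scanning is off deserve a closer look. Added example, not from the presentation or from Symantec: it parses constructed log lines in a simplified "timestamp | user | message" layout (not Symantec Endpoint Protection's real log format; only the registry-change message text matches the slide), finds windows during which RealTimeScan\OnOff was '0', and lists files whose creation times fall inside those windows. User names, paths and times are made up.

```python
import re
from datetime import datetime

# Constructed AV log lines in a simplified "timestamp | user | message" layout.
# NOT Symantec Endpoint Protection's real format; only the registry-change
# message text is the one quoted on the slide. Users and times are made up.
AV_LOG = """\
2011-11-22 09:15:10 | CORP\\jdoe | Scan started on all local drives
2011-11-22 09:21:00 | CORP\\jdoe | Changed value 'HKLM\\SOFTWARE\\Intel\\LANDesk\\VirusProtect6\\CurrentVersion\\Storages\\Filesystem\\RealTimeScan\\OnOff' from '1' to '0'
2011-11-23 08:00:00 | SYSTEM | Changed value 'HKLM\\SOFTWARE\\Intel\\LANDesk\\VirusProtect6\\CurrentVersion\\Storages\\Filesystem\\RealTimeScan\\OnOff' from '0' to '1'
"""

# Constructed file creation times, as they would come from file system metadata.
FILES_CREATED = [
    ("2011-11-22 07:00:00", r"C:\Windows\Temp\setup.log"),
    ("2011-11-22 12:05:41", r"C:\Windows\Temp\svc\r.exe"),
    ("2011-11-23 08:30:00", r"C:\Users\jdoe\Desktop\report.xlsx"),
]

REALTIME_RE = re.compile(r"RealTimeScan\\OnOff' from '(?P<old>\d)' to '(?P<new>\d)'")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def protection_gaps(log_text: str):
    """Return (user, start, end) windows during which real-time scanning was off.
    A disable that is never followed by a re-enable runs to datetime.max, i.e.
    to the end of the evidence."""
    gaps, open_gap = [], None
    for line in log_text.splitlines():
        ts_s, user, msg = (p.strip() for p in line.split("|", 2))
        m = REALTIME_RE.search(msg)
        if not m:
            continue
        ts = datetime.strptime(ts_s, TS_FMT)
        if m["new"] == "0" and open_gap is None:
            open_gap = (user, ts)
        elif m["new"] == "1" and open_gap is not None:
            gaps.append((open_gap[0], open_gap[1], ts))
            open_gap = None
    if open_gap is not None:
        gaps.append((open_gap[0], open_gap[1], datetime.max))
    return gaps

def files_created_unprotected(log_text: str, created):
    """(path, user who disabled scanning, delay after the disable) for every file
    created while real-time scanning was off."""
    gaps = protection_gaps(log_text)
    hits = []
    for ts_s, path in created:
        ts = datetime.strptime(ts_s, TS_FMT)
        for user, start, end in gaps:
            if start <= ts < end:
                hits.append((path, user, ts - start))
    return hits
```

Both timestamps here are assumed to come from the same clock; when the AV log and the file system metadata come from different hosts, normalize them to UTC first.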

  21. Log analysis

  22. Too Much Data!
  • Various kinds of log findings – consider software to aggregate them all together
  • Generally, we want to normalize the log data
  • Free tools like Splunk, DAD, many others
  • Take into account date/time differences
  • Focus on known suspicious findings such as IP addresses, dates/times of suspected intrusion, etc.
  • Databases are somewhat unique – may require special queries to get the logs you need

  23. Timeline analysis

  24. Art and Science
  • Aggregate your computer forensics (CF) findings into one location, like a spreadsheet or database
  • Look for common dates such as created/generated, last written/modified, last accessed/opened, last run, etc.
  • Use some automated tools to assist, such as the SIFT workstation
  • Be careful with overly simple interpretation!
    • Last Accessed – not so good in most cases
  • Don't assume dates from malware and unauthorized access are 100% accurate!
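Slides 22 and 24 both come down to normalizing timestamps from different sources into one timeline before looking for common dates. Added example, not from the presentation: it merges constructed Windows event log, IIS and syslog records, each with its own timestamp convention, into one sorted UTC timeline and pulls the events surrounding a pivot time. Hostnames, addresses and the assumption that the victim's hosts ran at UTC-8 are made up; real work would use zoneinfo so that DST is handled.

```python
from datetime import datetime, timedelta, timezone

# Assumption for this example: the victim's hosts log local time at UTC-8
# (Pacific Standard Time in November). Use zoneinfo in practice to cover DST.
LOCAL_TZ = timezone(timedelta(hours=-8))
SYSLOG_YEAR = 2011  # syslog omits the year; take it from the collection date

# Constructed sample records. Layouts mimic common exports; events are made up.
WIN_EVENTS = [  # exported Windows event log rows: local time, 12-hour clock
    ("11/22/2011 9:21:00 AM", "srv01", "4624 logon type 10 user svc_upd"),
    ("11/22/2011 11:58:12 AM", "srv01", "7045 service installed: vpnsvc"),
]
IIS_LINES = [  # IIS W3C logs are written in UTC by default
    "2011-11-22 17:20:30 203.0.113.9 GET /owa/ - 200",
    "2011-11-22 20:03:14 203.0.113.9 POST /upload.aspx - 200",
]
SYSLOG_LINES = [  # classic syslog: local time, no year, no zone
    "Nov 22 09:19:45 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 DPT=443",
]

def normalize(win=WIN_EVENTS, iis=IIS_LINES, syslog=SYSLOG_LINES):
    """Merge all sources into one sorted list of (utc_time, source, host, detail)."""
    events = []
    for ts, host, detail in win:
        local = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=LOCAL_TZ)
        events.append((local.astimezone(timezone.utc), "winevt", host, detail))
    for line in iis:
        d, t, rest = line.split(" ", 2)
        utc = datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((utc, "iis", "web01", rest))  # host name from the log's source file
    for line in syslog:
        stamp, host, detail = line[:15], *line[16:].split(" ", 1)
        local = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((local.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc), "syslog", host, detail))
    return sorted(events)

def within(events, pivot, minutes):
    """Events from any source within +/- minutes of a UTC pivot, e.g. a known intrusion time."""
    window = timedelta(minutes=minutes)
    return [e for e in events if abs(e[0] - pivot) <= window]

if __name__ == "__main__":
    timeline = normalize()
    for utc, source, host, detail in within(timeline, timeline[2][0], 5):
        print(utc.isoformat(), source, host, detail)
```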

  25. Exfiltration of data

  26. Two Basic Ways to Approach This Topic
  • Top-down approach: Start with all data and, based on the CF findings, start to figure out what the suspect might have accessed
    • Requires a lot of review and you could end up with a lot of non-relevant data
    • Findings can be inconclusive if Windows profiles were hijacked
  • Bottom-up approach: Limit the review to known data that the VM has identified as important
    • Examples would be PHI within an SQL database, PII records in an Excel file, etc.

  27. Direct Evidence or Circumstantial?
  • The more findings the better. More machines = more evidence = PATTERNS
  • Review all CF findings, logs, etc. Run new searches as needed. Example: IP address lists typically get longer…
  • Consider "Online Analytics". You might find "the smoking gun"!
  • Can file(s) be ruled out? Example: consider file system metadata. Is Last Accessed an accurate date? If so, can notable files be ruled out?

  28. Notification/Numbers of PHI/PII Records – 3 approaches
  • Known records based on solid CF findings
  • Extrapolated records based on solid CF findings + logs and other data
  • Theoretical records based on means, motive, opportunity
  • Top-down? Can we eliminate some records?
  • Bottom-up? Do we low-ball based on CF findings and hope that we are right?

  29. Questions & Discussion
