Expanding Response: Deeper Analysis for Incident Handlers
Russ McRee, November 2011
GIAC GCIH Gold, GCFA, GCIA, GPEN, GWAPT, GSEC Gold
SANS Technology Institute - Candidate for Master of Science Degree

Objective
• Expand incident response tactics beyond common horizons
• Sample Overview – SpyEye
• Demonstrate tools for expanded toolkit
  • Volatility 2.0
  • Xplico
  • Maltego
  • Confessor
• Summary

Broaden IR perspective
• Opportunities to enhance IR tactics via:
  • Memory analysis (Volatility)
  • Network Forensic Analysis Tooling (Xplico)
  • Deriving relationships between disparate entities (Maltego)
  • Analysis of systems at scale with uniform results (Confessor, MOLE)
• Review the sample’s attributes with all tools

Sample Overview
• Trojan.SpyEye
• MD5: 00b77d6087f00620508303acd3fd846a
• Modifies registry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  • cleansweep.exe = "C:\cleansweep.exe\cleansweep.exe"
• Creates directory C:\cleansweep.exe
• Populates it with an .exe and a config file
Volatility 2.0
• For the extraction of digital artifacts from a volatile memory image
• “A Python version of the Windows Internals book, since you can really learn a lot about Windows by just looking at how Volatility enumerates evidence.” - Michael Hale Ligh

Volatility 2.0
• Gather image info:
  • vol.py imageinfo -f HIOMALVM02.raw
• Network connections:
  • vol.py --profile=WinXPSP3x86 connscan -f HIOMALVM02.raw
• Active processes:
  • vol.py --profile=WinXPSP3x86 pslist -P -f HIOMALVM02.raw

Volatility 2.0
• Process tree:
  • vol.py --profile=WinXPSP3x86 pstree -f HIOMALVM02.raw
• Discover malware attributes (injected or hidden code in the suspect process):
  • vol.py --profile=WinXPSP3x86 -f HIOMALVM02.raw malfind -p 1512 -D output/
• Demonstration
Xplico
• Xplico decodes packet captures (PCAP), extracting the likes of:
  • Email content (POP, IMAP, and SMTP protocols)
  • HTTP content
  • VoIP calls (SIP)
  • IM chats
  • FTP
  • TFTP

Xplico
• Demo: SpyEye PCAP analysis

Maltego
• Maltego: open source intelligence & forensics application offering extraordinary data mining and intelligence gathering capabilities
• Results are well represented in a variety of easy-to-understand views
• In concert with its graphing libraries, Maltego identifies key relationships between data sets and surfaces previously unknown relationships between them

Maltego
• PCAPs can be converted to CSV, then directly imported by Maltego
• tcpdump -vttttnnelr SpyEye.pcap | /usr/local/bin/tcpdump2csv.pl "sip dip dport" > SpyEye.csv
• This produces a CSV (source IP, destination IP, destination port) that Maltego can consume easily
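The deck builds Maltego's "sip dip dport" CSV from a PCAP; the same edge list can be built from the memory side, so the connections Volatility's connscan attributes to the malfind-flagged process (PID 1512 on the slides) graph alongside the network capture. The script below is an added example, not from the presentation or from the Volatility project: it parses connscan-style text (the sample rows and IP addresses are constructed, and the column layout is assumed) into the same three-column CSV, optionally keeping only one PID and collapsing duplicate edges.

```python
"""Added example: Volatility 2.0 connscan output -> 'sip dip dport' CSV
for Maltego, optionally filtered to the PID that malfind flagged."""
import csv
import io
import re

# Constructed sample in the assumed Volatility 2.0 connscan layout.
# Addresses are placeholders, not indicators from the deck.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.168.1.105:1034        198.51.100.23:80          1512
0x02091a80 192.168.1.105:1041        203.0.113.9:443           1512
0x020a3c10 192.168.1.105:1050        198.51.100.23:80          1024
"""

# One data row: offset, local ip:port, remote ip:port, pid.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")


def parse_connscan(text):
    """Return a list of dicts (sip, dip, dport, pid); header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        sip, _sport, dip, dport, pid = m.groups()
        rows.append({"sip": sip, "dip": dip, "dport": int(dport), "pid": int(pid)})
    return rows


def to_maltego_csv(rows, suspect_pid=None):
    """Emit the same 'sip,dip,dport' columns tcpdump2csv.pl produces.
    Duplicate edges are collapsed so Maltego draws one link per relationship;
    when suspect_pid is given, only that process's connections are kept."""
    seen = set()
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["sip", "dip", "dport"])
    for r in rows:
        if suspect_pid is not None and r["pid"] != suspect_pid:
            continue
        edge = (r["sip"], r["dip"], r["dport"])
        if edge not in seen:
            seen.add(edge)
            writer.writerow(edge)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_maltego_csv(parse_connscan(CONNSCAN_SAMPLE), suspect_pid=1512))
```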
Maltego
• Demo: IP address relationships

Confessor
• Confessor collects from hundreds or thousands of systems simultaneously via Sysinternals:
  • System logs
  • Volatile data
  • User and account information
  • MAC times
• Can run SecCheck on 32-bit systems
• Searches for registry keys and the existence of specific files

Confessor
• Confessor configuration optimized for specific registry key and file checks

Summary
• Tools offered to enhance the incident handler toolkit and address challenges
• Takeaways:
  • Tool to scale
  • Seek unique opportunities to correlate
  • Build what you can’t buy or borrow
• Q&A: russ at holisticinfosec dot org