150 likes | 271 Views
Investigative Trees – Converting Attack Trees into Guides for Incident Response. Rodney Caudle December 2009 GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA. Objective. Setting the Stage Basics of Investigative Trees Rules for Building Investigative Trees
E N D
Investigative Trees – Converting Attack Trees into Guides for Incident Response Rodney Caudle December 2009 GIAC GSEC, GCIA, GCIH, GCFA, GSNA, GCPM, GLDR, GSLC, GSPA SANS Technology Institute - Candidate for Master of Science Degree
Objective • Setting the Stage • Basics of Investigative Trees • Rules for Building Investigative Trees • Example: Corporate E-Mail Espionage • Demo: iTree.pm SANS Technology Institute - Candidate for Master of Science Degree
Setting the Stage • Multi-Site Corporation • Information Leakage Suspected • Insider Suspected • Factor: Outsourced IT • You’re the objective third party SANS Technology Institute - Candidate for Master of Science Degree
Investigative Trees • Designed to answer one question: Given a fixed amount of resources, what investigation will yield the results with the most confidence for a given outcome? SANS Technology Institute - Candidate for Master of Science Degree
Building a Tree • Ask a question • Split into smaller questions that can be answered until the questions are small enough to act upon • Build procedures to answer questions. There may be multiple ways to answer • Add parameters to provide perspectives SANS Technology Institute - Candidate for Master of Science Degree
Rules for iTrees • Root node is the goal or outcome • Leaf nodes represent conditions of meeting the parent node or goal • “OR” leaf nodes • “AND” leaf nodes • All nodes should be Boolean in nature SANS Technology Institute - Candidate for Master of Science Degree
Rules (cont’d.) • Additional parameters can be added to provide perspectives • Leaf nodes may become root nodes of a sub-tree that can be saved as a library SANS Technology Institute - Candidate for Master of Science Degree
General Parameters • Confidence – level of trust • Confidencei – level of trust (impacted) • Impacted – True or false • Weight – comparison to neighbor nodes • Category – label for organization SANS Technology Institute - Candidate for Master of Science Degree
Other Parameters • Cost • Time • Rate • Units • Dependency • Early Start • Early Finish • Late Start • Late Finish • Slack Time SANS Technology Institute - Candidate for Master of Science Degree
Example: Corporate E-Mail • Root Question: Can we verify the vector for delivering the e-mails? • Need to define the leaf nodes or sub-goals SANS Technology Institute - Candidate for Master of Science Degree
Leaf Nodes (OR) • Were the e-mails sent via the Outlook-Exchange method? • Were the e-mails sent via the web-based OWA method? • Were the e-mails sent via a mobile device method? • Were the e-mails sent via SMTP through a gateway? SANS Technology Institute - Candidate for Master of Science Degree
Continue Expanding • Were the e-mails sent via SMTP through a gateway? • Can we verify the presence of SMTP headers in the original e-mail? • Can we verify the presence of e-mail(s) in the log events from the SMTP gateway server? SANS Technology Institute - Candidate for Master of Science Degree
Add Steps to Get the Answers • Can we verify the presence of SMTP headers in the original e-mail? • Can we recover the presence of SMTP headers in the original e-mail? • Can we recover a copy of the original e-mail from the desktop or laptop? • Does the e-mail contain SMTP headers (RFC821)? SANS Technology Institute - Candidate for Master of Science Degree
Demo: iTree.PM • Perl module to automate the investigation tree creation process SANS Technology Institute - Candidate for Master of Science Degree
Summary • Investigative Trees = good investment • Design supports KB natively • Easy to expand and share information • Perl Modules available for creation and automation www.investigativetrees.com SANS Technology Institute - Candidate for Master of Science Degree