first_2014_-_arends-_pascal_-_prs_20140626

8/16/2019 first_2014_-_arends-_pascal_-_prs_20140626

1/33

Investigator of Interest –Our Philosophy of Adaptive Incident Response Pascal Arends, FoxCERT


2/33

• Pascal Arends

• [email protected]

• [email protected]

• +31 15 284 79 99

• +31 800 FOXCERT (24/7)

FIRST 2014


3/33

Topic:

FIRST 2014

• Why Adaptive Incident response

• What is Adaptive Incident Response

• Defining your investigation strategy

• Tips and Tricks


4/33

The spying program

FIRST 2014


5/33

They know everything

• Your mail server is being tapped!

• They have access to your chat server!

• They are listening on your system!

FIRST 2014


6/33

Nothing to see here move along

FIRST 2014

• A lot of communication before theinvestigation

• Attacker can easily monitor this with anautomated system

• He knows the indicators you are looking forand use these as keywords for spying onyou


7/33

Adaptive IncidentResponse

FIRST 2014


8/33

Adaptive Incident Response

FIRST 2014

• Cyber threat landscape

• Incident information

• Attacker profile• Business impact


9/33

Running scared

FIRST 2014

• Keep the investigation noise down

• The attacker will not run at first sight of an

investigation• Advanced attackers are in your network for

the long run

• He has to maintain a lot of systems to.• The investigator and attacker have a

information gap, speculation is needed.


10/33

Adaptive IR definingyour investigation

strategy

FIRST 2014


11/33

Scoping

• Fact finding

– Investigation motivation

– Investigation leads

FIRST 2014


12/33

Scoping

• Attacker profiling

– Analyze all the facts/ information

– Make hypotheses

• Which is the more likely hypothesis

– Bored kid or Espionage

– Could it be an activist/ hacktivist

FIRST 2014


13/33

Scoping

• Threat landscape

– Who are your enemies

– What can they get (Crown-Jewels) – External exposure

FIRST 2014


14/33

Investigation questions

• What happened

• Is it targeted

• What has been stolen• Who did it

• How return to business-as-usual (fast)

FIRST 2014


15/33

Business-as-usual considerations

•Management Doesn’t want to hear anythingabout BAU not being top priority

•With BAU being highest priority they don’t seethe full extend of the breach, what informationthe attacker has, in what stage the attacker is.

•At the end the business cannot give a completepicture to the stake-holders

FIRST 2014


16/33


(Short term) Reasons not going back to BAU:

• (Better) Attacker profiling

• What is the attacker searching for• What does the attacker know

• In what stage of the attack are they

• Targeted or not

FIRST 2014


17/33

(Long term) Reasons not going back to BAU:

• Better remediation

• More lessons learned• Better defenses for possible upcoming

breaches



18/33

Determining the strategy

• Combine the gathered information

– Investigation facts

– Attacker profile – Hypotheses

– Threat landscape

– Business impact

FIRST 2014


19/33

Intrusive VS Non-Intrusive investigation

• Intrusive advantages:

• Faster

• Smaller group has to know details

• Intrusive disadvantages:

• Attacker can easily detect theinvestigation


20/33

Intrusive VS Non-Intrusive investigation

• Non-intrusive advantages:

• Monitor the attacker

• Better remediation• More lessons learned/ better prepared next

time.

• Non-intrusive disadvantages:

• Slower

• More employees need to know details


21/33

Noise level Non-intrusive investigation

FIRST 2014


22/33

Noise level (typical) breach

FIRST 2014


23/33

Turn the table

FIRST 2014


24/33

Out-Of-Band communication

• Don’t use production communicationchannels

• Use separate investigation machines

• Use a back-up internet line?

• Use a an out of band document exchangeportal

FIRST 2014


25/33

Hide the noise

• The idea is to make as little noise as possibleduring the investigation, hide in normal day-to-day routines.

– Use out-of-band sources

– Use admin tools

– Use maintenance windows

– Pull disks (RAID setup?)

– Use passive network monitoring

FIRST 2014


26/33

Network investigation

High noise

• Software on the host

Medium noise

• TAP/HUB

Low noise• Switch SPAN

FIRST 2014


27/33

Host acquisition

High noise • Live acquisition• Installing agents• Running scripts

Medium noise• Offline acquisition• Using installed agent

Low noise• Pulling disks (RAID1)• Make VM snapshots• Getting information out of backups• Using maintenance window

FIRST 2014


28/33

Host investigation

High noise

• Live investigation

Medium noise

• Using installed agent

• Retire a system (for live investigation)

Low noise

• Offline investigation

FIRST 2014


29/33

Malware investigation

High noise

• Online research

• Dynamic analysis w. Internet

Low noise

• Static analysis

• Dynamic analysis no internet

FIRST 2014


30/33

Log investigation

High noise

• Live log investigation

• Collect logs through scripting/agents

Low noise

• Pre installed central log collector

FIRST 2014


31/33

Readiness

• Have a data acquisition plan

• Have a central log collector

• Have the backup schema• Have a SPAN-port available on switches

• Know your Threat landscape

• Talk with the MT about investigation strategies

• Have out-of-band communication channels

FIRST 2014


32/33

If you want to stay off your attackers radar,

hide!!

And make the attacker become the defender

FIRST 2014


33/33

Questions?

• [email protected] • [email protected]

• +31 15 284 79 99

• +31 800 369 23 78 (24/7)

FIRST 2014

first_2014_-_arends-_pascal_-_prs_20140626

Documents

Transcript of first_2014_-_arends-_pascal_-_prs_20140626