Real-time Forensics through Endpoint Visibility


Page 1: Real-time Forensics through Endpoint Visibility

REAL-TIME FORENSICS THROUGH ENDPOINT VISIBILITY

Peter Kieseberg, Sebastian Neuner, Sebastian Schrittwieser, Martin Schmiedecker, Edgar Weippl


Motivation

• Regular discussions with

o Forensics companies

o Investigators

o Legal personnel

• Additional interest

o NIS-Directive

o "Information as a resource"


Traditional forensic process

• Acquirable storage

• Manageable number of devices

• Low-capacity storage devices

2016 - SBA Research gGmbH


In the Cloud … ?


Selected Frameworks

• Selected Frameworks by big vendors

o Facebook Osquery

o Google Rapid Response - GRR

o Mozilla InvestiGator - MIG

• Developed for

o Large environments

o Cloud systems


Goal

• Theoretical analysis and comparison of capabilities

• Tests with real malware

o Study behavior

o Detection possibilities

• Practical evaluation

o Infected systems

o Target: Which artifacts can be detected that could be useful for detecting unknown malware?


Theoretical comparison


Lab Setup


Malware Selection

• F1 – Process Spawning

• F2 – Persistence

• F3 – Network Connection

• S1 – Banking Trojan retefe

• S2 – Locky Ransomware

• S3 – Win32.Viking worm


Sample Selection

Sample         Process Spawning   Persistence   Network Connection
Retefe         X                  X             X
Locky          X                  X             (X)
Win32.Viking   X                  X             (X)


osquery

• Extraction of information from running systems

o Linux, Ubuntu, OSX, CentOS

o Recently also available for Windows

• Structure

o Abstraction layer between OS and analyst

o Info on system internals

o Querying like a DB


osquery

• Usage

o Provides "tables"

o Interactive or daemon (for regular analysis)

o Daemon: Allows aggregation over time, captures fleeting changes


Osquery - retefe

• File interaction

o Generated and changed files detected

• Endpoint statistics

o Creation of processes detected

• Network level

o Connections to outside world detected

• Endpoint monitoring

o Windows registry changed

o New root CA


Osquery - Locky

• File interaction & Endpoint statistics

o Creation of files and processes detected

• Network level

o DNS-Lookups

o Connection to well-known distribution site

• Endpoint monitoring

o Nothing really outstanding

o Randomly generated key in Registry


Osquery – Win32.Viking

• File interaction & Endpoint statistics

o Creation of files and processes detected

• Network level

o Invisible to osquery: no direct connections, but uses a modified IE

• Endpoint monitoring

o Changes to Registry

o Creation of Windows Service
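As an added example (not code from the slides, from SBA Research or from the osquery project), the following Python script models the osquery way of working described on the preceding slides: system state is exposed as SQL tables, scheduled queries are re-run by the daemon, and rows that appeared or disappeared since the last run are reported as differential results. The table and column names follow osquery's processes, process_open_sockets, registry, certificates and services tables, but the tables live in an in-memory SQLite database and every row, path, address and certificate name is constructed sample data standing in for the artifact classes the slides list for retefe, Locky and Win32.Viking (spawned process, outbound connection, Run key, new root CA, new service). The queries are illustrative detection queries, not ones taken from the slides.

```python
"""Constructed stand-in for osquery tables in SQLite (not osquery itself).

Two snapshots of a hypothetical Windows host are loaded, a clean baseline and
the same host after infection, and the detection queries are run on both; the
difference is reported the way osqueryd's differential logging would report it.
All rows, names and paths are constructed sample data, not real IoCs.
"""
import sqlite3

# Column subsets of the real osquery tables; only the columns used here are modelled.
SCHEMA = """
CREATE TABLE processes (pid INT, name TEXT, path TEXT, parent INT);
CREATE TABLE process_open_sockets (pid INT, remote_address TEXT, remote_port INT);
CREATE TABLE registry (key TEXT, name TEXT, data TEXT);
CREATE TABLE certificates (common_name TEXT, ca INT, self_signed INT, sha1 TEXT);
CREATE TABLE services (name TEXT, path TEXT, start_type TEXT);
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
TEMP = r"C:\Users\u\AppData\Local\Temp"  # constructed user temp directory

# Snapshot 1: clean baseline (constructed rows).
BASELINE = {
    "processes": [(4, "System", "", 0), (612, "explorer.exe", r"C:\Windows\explorer.exe", 4)],
    "process_open_sockets": [],
    "registry": [(RUN_KEY, "OneDrive", r"C:\Users\u\OneDrive.exe")],
    "certificates": [("Microsoft Root Certificate Authority", 1, 1, "aa" * 20)],
    "services": [("Spooler", r"C:\Windows\System32\spoolsv.exe", "AUTO_START")],
}

# Snapshot 2: same host after a hypothetical infection (constructed rows).
INFECTED = {table: list(rows) for table, rows in BASELINE.items()}
INFECTED["processes"] += [(1337, "update.exe", TEMP + r"\update.exe", 612)]
INFECTED["process_open_sockets"] += [(1337, "198.51.100.23", 443)]  # TEST-NET-2 address
INFECTED["registry"] += [(RUN_KEY, "upd", TEMP + r"\update.exe")]
INFECTED["certificates"] += [("Example Fake Root", 1, 1, "bb" * 20)]
INFECTED["services"] += [("SvcUpdate", TEMP + r"\update.exe", "AUTO_START")]

# Detection queries in the style of scheduled osqueryd queries (illustrative, constructed).
QUERIES = {
    "process_spawning": """
        SELECT p.pid, p.name, p.path, pp.name AS parent_name
        FROM processes p LEFT JOIN processes pp ON p.parent = pp.pid
        WHERE p.path LIKE '%\\AppData\\Local\\Temp\\%'""",
    "network_connection": """
        SELECT p.name, s.remote_address, s.remote_port
        FROM process_open_sockets s JOIN processes p ON s.pid = p.pid
        WHERE s.remote_address NOT LIKE '10.%' AND s.remote_address NOT LIKE '192.168.%'""",
    "persistence_runkey": """
        SELECT key, name, data FROM registry WHERE key LIKE '%\\CurrentVersion\\Run'""",
    "persistence_service": """
        SELECT name, path FROM services WHERE path NOT LIKE 'C:\\Windows\\%'""",
    "new_root_ca": """
        SELECT common_name, sha1 FROM certificates WHERE ca = 1 AND self_signed = 1""",
}


def load(snapshot):
    """Build an in-memory database holding one snapshot of the host."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in snapshot.items():
        if rows:
            placeholders = ",".join("?" * len(rows[0]))
            db.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return db


def run_queries(snapshot):
    """Return {query_name: set(rows)} for one snapshot, i.e. one scheduled run."""
    db = load(snapshot)
    try:
        return {name: set(db.execute(sql).fetchall()) for name, sql in QUERIES.items()}
    finally:
        db.close()


def differential(before, after):
    """Mimic differential logging: rows added or removed between two runs."""
    diff = {}
    for name in QUERIES:
        added = after[name] - before[name]
        removed = before[name] - after[name]
        if added or removed:
            diff[name] = {"added": sorted(added), "removed": sorted(removed)}
    return diff


if __name__ == "__main__":
    findings = differential(run_queries(BASELINE), run_queries(INFECTED))
    for name, change in findings.items():
        for row in change["added"]:
            print(f"[{name}] added: {row}")
```

Running the script against the two constructed snapshots reports one added row per query: the process spawned from the temp directory together with its parent, the outbound connection attributed to that process through the join on pid, the new Run value, the non-system service and the self-signed CA certificate. Running the differential against the baseline twice reports nothing, which is the point of the daemon mode on the previous slide: a one-off interactive query shows the current state, while the scheduled comparison surfaces what changed.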


GRR

• Made to handle Google's internal infrastructure

• Sysadmin initiates "flow"

o Sent from front-end servers

o Message containing code

o Executed on the servers

o Aggregation, postprocessing done on front-end

• "Hunts" - many flows targeting many agents

• Live extraction, all major OSs supported

• Can check actual file content


GRR


Differences to osquery

• Retefe

o Spawned processes and network connections detectable in principle, but typically only used as an ad-hoc tool

• Locky & Win32.Viking

o Also detects timelines of changes, and can check content (additional info)

o Can still detect registry key

o Same as for retefe


MIG

• Original issue: Accidental pushes of private keys to GitHub

• Agents running on the servers

o Send information to MIG master

o Support all major OSs

o Even embedded systems


MIG


Differences to GRR & osquery

• Retefe

o No file timelining, still detection is possible

o Cannot access Windows Registry

• Locky

o Same as for retefe

• Win32.Viking

o Problem with Registry key

o File can be detected as filename is known


Conclusion

• Seemingly similar tools

• But: Quite different in actual investigation

o Usage

o Targets

o Detection capabilities

• Combination of tools could be reasonable

• Maybe targeting development of more specialized tools


Peter Kieseberg

SBA Research gGmbH

Favoritenstraße 16, 1040 Wien

[email protected]